OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 
62 /*
63  * Crypto initialization flags
64  */
65 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
66 #define CF_INIT_TLS_MULTI (1<<1)
67 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
68 
69 static void do_init_first_time(struct context *c);
70 
71 void
72 context_clear(struct context *c)
73 {
74  CLEAR(*c);
75 }
76 
77 void
78 context_clear_1(struct context *c)
79 {
80  CLEAR(c->c1);
81 }
82 
83 void
84 context_clear_2(struct context *c)
85 {
86  CLEAR(c->c2);
87 }
88 
89 void
90 context_clear_all_except_first_time(struct context *c)
91 {
92  const bool first_time_save = c->first_time;
93  const struct context_persist cpsave = c->persist;
94  context_clear(c);
95  c->first_time = first_time_save;
96  c->persist = cpsave;
97 }
98 
99 /*
100  * Pass tunnel endpoint and MTU parms to a user-supplied script.
101  * Used to execute the up/down script/plugins.
102  */
103 static void
104 run_up_down(const char *command,
105  const struct plugin_list *plugins,
106  int plugin_type,
107  const char *arg,
108 #ifdef _WIN32
109  DWORD adapter_index,
110 #endif
111  const char *dev_type,
112  int tun_mtu,
113  int link_mtu,
114  const char *ifconfig_local,
115  const char *ifconfig_remote,
116  const char *context,
117  const char *signal_text,
118  const char *script_type,
119  struct env_set *es)
120 {
121  struct gc_arena gc = gc_new();
122 
123  if (signal_text)
124  {
125  setenv_str(es, "signal", signal_text);
126  }
127  setenv_str(es, "script_context", context);
128  setenv_int(es, "tun_mtu", tun_mtu);
129  setenv_int(es, "link_mtu", link_mtu);
130  setenv_str(es, "dev", arg);
131  if (dev_type)
132  {
133  setenv_str(es, "dev_type", dev_type);
134  }
135 #ifdef _WIN32
136  setenv_int(es, "dev_idx", adapter_index);
137 #endif
138 
139  if (!ifconfig_local)
140  {
141  ifconfig_local = "";
142  }
143  if (!ifconfig_remote)
144  {
145  ifconfig_remote = "";
146  }
147  if (!context)
148  {
149  context = "";
150  }
151 
152  if (plugin_defined(plugins, plugin_type))
153  {
154  struct argv argv = argv_new();
155  ASSERT(arg);
156  argv_printf(&argv,
157  "%s %d %d %s %s %s",
158  arg,
159  tun_mtu, link_mtu,
160  ifconfig_local, ifconfig_remote,
161  context);
162 
163  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
164  {
165  msg(M_FATAL, "ERROR: up/down plugin call failed");
166  }
167 
168  argv_free(&argv);
169  }
170 
171  if (command)
172  {
173  struct argv argv = argv_new();
174  ASSERT(arg);
175  setenv_str(es, "script_type", script_type);
176  argv_parse_cmd(&argv, command);
177  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
178  ifconfig_local, ifconfig_remote, context);
179  argv_msg(M_INFO, &argv);
180  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
181  argv_free(&argv);
182  }
183 
184  gc_free(&gc);
185 }
186 
187 /*
188  * Should be called after options->ce is modified at the top
189  * of a SIGUSR1 restart.
190  */
191 static void
192 update_options_ce_post(struct options *options)
193 {
194 #if P2MP
195  /*
196  * In pull mode, we usually import --ping/--ping-restart parameters from
197  * the server. However we should also set an initial default --ping-restart
198  * for the period of time before we pull the --ping-restart parameter
199  * from the server.
200  */
201  if (options->pull
202  && options->ping_rec_timeout_action == PING_UNDEF
203  && proto_is_dgram(options->ce.proto))
204  {
205  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
206  options->ping_rec_timeout_action = PING_RESTART;
207  }
208 #endif
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
235  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
259 ce_management_query_proxy(struct context *c)
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
274  management_notify_generic(management, BSTR(&out));
275  management->persist.special_state_msg = BSTR(&out);
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
280  management_event_loop_n_seconds(management, 1);
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
287  management->persist.special_state_msg = NULL;
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
294 
295 static bool
296 management_callback_remote_cmd(void *arg, const char **p)
297 {
298  struct context *c = (struct context *) arg;
299  struct connection_entry *ce = &c->options.ce;
300  int ret = false;
301  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
302  {
303  int flags = 0;
304  if (!strcmp(p[1], "ACCEPT"))
305  {
306  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
307  ret = true;
308  }
309  else if (!strcmp(p[1], "SKIP"))
310  {
311  flags = CE_MAN_QUERY_REMOTE_SKIP;
312  ret = true;
313  }
314  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
315  {
316  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
317  {
318  struct remote_host_store *rhs = c->options.rh_store;
319  if (!rhs)
320  {
321  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
322  c->options.rh_store = rhs;
323  }
324  strncpynt(rhs->host, p[2], RH_HOST_LEN);
325  strncpynt(rhs->port, p[3], RH_PORT_LEN);
326 
327  ce->remote = rhs->host;
328  ce->remote_port = rhs->port;
329  flags = CE_MAN_QUERY_REMOTE_MOD;
330  ret = true;
331  }
332  }
333  if (ret)
334  {
335  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
336  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
337  }
338  }
339  return ret;
340 }
341 
342 static bool
343 ce_management_query_remote(struct context *c)
344 {
345  struct gc_arena gc = gc_new();
346  volatile struct connection_entry *ce = &c->options.ce;
347  int ce_changed = true; /* presume the connection entry will be changed */
348 
349  update_time();
350  if (management)
351  {
352  struct buffer out = alloc_buf_gc(256, &gc);
353 
354  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
355  proto2ascii(ce->proto, ce->af, false));
356  management_notify_generic(management, BSTR(&out));
357  management->persist.special_state_msg = BSTR(&out);
358 
359  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
360  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
361  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
362  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
363  {
364  management_event_loop_n_seconds(management, 1);
365  if (IS_SIG(c))
366  {
367  ce_changed = false; /* connection entry have not been set */
368  break;
369  }
370  }
371  management->persist.special_state_msg = NULL;
372  }
373  gc_free(&gc);
374 
375  if (ce_changed)
376  {
377  /* If it is likely a connection entry was modified,
378  * check what changed in the flags and that it was not skipped
379  */
380  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
381  & CE_MAN_QUERY_REMOTE_MASK);
382  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
383  }
384  return ce_changed;
385 }
386 #endif /* ENABLE_MANAGEMENT */
387 
388 /*
389  * Initialize and possibly randomize connection list.
390  */
391 static void
392 init_connection_list(struct context *c)
393 {
394  struct connection_list *l = c->options.connection_list;
395 
396  l->current = -1;
397  if (c->options.remote_random)
398  {
399  int i;
400  for (i = 0; i < l->len; ++i)
401  {
402  const int j = get_random() % l->len;
403  if (i != j)
404  {
405  struct connection_entry *tmp;
406  tmp = l->array[i];
407  l->array[i] = l->array[j];
408  l->array[j] = tmp;
409  }
410  }
411  }
412 }
413 
414 /*
415  * Clear the remote address list
416  */
417 static void
418 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
419 {
420  if (lsa->remote_list && free)
421  {
422  freeaddrinfo(lsa->remote_list);
423  }
424  lsa->remote_list = NULL;
425  lsa->current_remote = NULL;
426 }
427 
428 /*
429  * Increment to next connection entry
430  */
431 static void
432 next_connection_entry(struct context *c)
433 {
434  struct connection_list *l = c->options.connection_list;
435  bool ce_defined;
436  struct connection_entry *ce;
437  int n_cycles = 0;
438 
439  do
440  {
441  ce_defined = true;
442  if (c->options.no_advance && l->current >= 0)
443  {
444  c->options.no_advance = false;
445  }
446  else
447  {
448  /* Check if there is another resolved address to try for
449  * the current connection */
450  if (c->c1.link_socket_addr.current_remote
451  && c->c1.link_socket_addr.current_remote->ai_next)
452  {
453  c->c1.link_socket_addr.current_remote =
454  c->c1.link_socket_addr.current_remote->ai_next;
455  }
456  else
457  {
458  /* FIXME (schwabe) fix the persist-remote-ip option for real,
459  * this is broken probably ever since connection lists and multiple
460  * remote existed
461  */
462  if (!c->options.persist_remote_ip)
463  {
464  /* close_instance should have cleared the addrinfo objects */
465  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
466  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
467  }
468  else
469  {
470  c->c1.link_socket_addr.current_remote =
471  c->c1.link_socket_addr.remote_list;
472  }
473 
474  /*
475  * Increase the number of connection attempts
476  * If this is connect-retry-max * size(l)
477  * OpenVPN will quit
478  */
479 
480  c->options.unsuccessful_attempts++;
481 
482  if (++l->current >= l->len)
483  {
484 
485  l->current = 0;
486  if (++n_cycles >= 2)
487  {
488  msg(M_FATAL, "No usable connection profiles are present");
489  }
490  }
491  }
492  }
493 
494  ce = l->array[l->current];
495 
496  if (ce->flags & CE_DISABLED)
497  {
498  ce_defined = false;
499  }
500 
501  c->options.ce = *ce;
502 #ifdef ENABLE_MANAGEMENT
503  if (ce_defined && management && management_query_remote_enabled(management))
504  {
505  /* allow management interface to override connection entry details */
506  ce_defined = ce_management_query_remote(c);
507  if (IS_SIG(c))
508  {
509  break;
510  }
511  }
512  else if (ce_defined && management && management_query_proxy_enabled(management))
513  {
514  ce_defined = ce_management_query_proxy(c);
515  if (IS_SIG(c))
516  {
517  break;
518  }
519  }
520 #endif
521  } while (!ce_defined);
522 
523  /* Check if this connection attempt would bring us over the limit */
524  if (c->options.connect_retry_max > 0
525  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
526  {
527  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
528  c->options.connect_retry_max);
529  }
530  update_options_ce_post(&c->options);
531 }
532 
533 /*
534  * Query for private key and auth-user-pass username/passwords
535  */
536 void
537 init_query_passwords(const struct context *c)
538 {
539  /* Certificate password input */
540  if (c->options.key_pass_file)
541  {
542  pem_password_setup(c->options.key_pass_file);
543  }
544 
545 #if P2MP
546  /* Auth user/pass input */
547  if (c->options.auth_user_pass_file)
548  {
549 #ifdef ENABLE_MANAGEMENT
550  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
551 #else
552  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
553 #endif
554  }
555 #endif
556 }
557 
558 /*
559  * Initialize/Uninitialize HTTP or SOCKS proxy
560  */
561 
562 static void
563 uninit_proxy_dowork(struct context *c)
564 {
565  if (c->c1.http_proxy_owned && c->c1.http_proxy)
566  {
567  http_proxy_close(c->c1.http_proxy);
568  c->c1.http_proxy = NULL;
569  c->c1.http_proxy_owned = false;
570  }
571  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
572  {
573  socks_proxy_close(c->c1.socks_proxy);
574  c->c1.socks_proxy = NULL;
575  c->c1.socks_proxy_owned = false;
576  }
577 }
578 
579 static void
580 init_proxy_dowork(struct context *c)
581 {
582  bool did_http = false;
583 
584  uninit_proxy_dowork(c);
585 
586  if (c->options.ce.http_proxy_options)
587  {
588  /* Possible HTTP proxy user/pass input */
589  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
590  if (c->c1.http_proxy)
591  {
592  did_http = true;
593  c->c1.http_proxy_owned = true;
594  }
595  }
596 
597  if (!did_http && c->options.ce.socks_proxy_server)
598  {
599  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
600  c->options.ce.socks_proxy_port,
601  c->options.ce.socks_proxy_authfile);
602  if (c->c1.socks_proxy)
603  {
604  c->c1.socks_proxy_owned = true;
605  }
606  }
607 }
608 
609 static void
610 init_proxy(struct context *c)
611 {
612  init_proxy_dowork(c);
613 }
614 
615 static void
616 uninit_proxy(struct context *c)
617 {
618  uninit_proxy_dowork(c);
619 }
620 
621 /*
622  * Saves the initial state of NCP-regotiable
623  * options into a storage which persists over SIGUSR1.
624  */
625 static void
626 save_ncp_options(struct context *c)
627 {
628  c->c1.ciphername = c->options.ciphername;
629  c->c1.authname = c->options.authname;
630  c->c1.keysize = c->options.keysize;
631 }
632 
633 /* Restores NCP-negotiable options to original values */
634 static void
635 restore_ncp_options(struct context *c)
636 {
637  c->options.ciphername = c->c1.ciphername;
638  c->options.authname = c->c1.authname;
639  c->options.keysize = c->c1.keysize;
640 }
641 
642 void
643 context_init_1(struct context *c)
644 {
645  context_clear_1(c);
646 
647  packet_id_persist_init(&c->c1.pid_persist);
648 
649  init_connection_list(c);
650 
651  save_ncp_options(c);
652 
653 #if defined(ENABLE_PKCS11)
654  if (c->first_time)
655  {
656  int i;
657  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
658  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
659  {
660  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
661  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
662  }
663  }
664 #endif
665 
666 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
667  {
668  /*
669  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
670  */
671  struct user_pass up;
672  CLEAR(up);
673  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
674  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
675  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
676  * 'needok' command, usually 'ok' or 'cancel'. */
677  }
678 #endif
679 
680 #ifdef ENABLE_SYSTEMD
681  /* We can report the PID via getpid() to systemd here as OpenVPN will not
682  * do any fork due to daemon() a future call.
683  * See possibly_become_daemon() [init.c] for more details.
684  */
685  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
686  (unsigned long) getpid());
687 #endif
688 
689 }
690 
691 void
692 context_gc_free(struct context *c)
693 {
694  gc_free(&c->c2.gc);
695  gc_free(&c->options.gc);
696  gc_free(&c->gc);
697 }
698 
699 #if PORT_SHARE
700 
701 static void
702 close_port_share(void)
703 {
704  if (port_share)
705  {
706  port_share_close(port_share);
707  port_share = NULL;
708  }
709 }
710 
711 static void
712 init_port_share(struct context *c)
713 {
714  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
715  {
716  port_share = port_share_open(c->options.port_share_host,
717  c->options.port_share_port,
718  MAX_RW_SIZE_LINK(&c->c2.frame),
719  c->options.port_share_journal_dir);
720  if (port_share == NULL)
721  {
722  msg(M_FATAL, "Fatal error: Port sharing failed");
723  }
724  }
725 }
726 
727 #endif /* if PORT_SHARE */
728 
729 
730 bool
731 init_static(void)
732 {
733  /* configure_path (); */
734 
735 #if defined(DMALLOC)
736  crypto_init_dmalloc();
737 #endif
738 
739 
740  /*
741  * Initialize random number seed. random() is only used
742  * when "weak" random numbers are acceptable.
743  * SSL library routines are always used when cryptographically
744  * strong random numbers are required.
745  */
746  struct timeval tv;
747  if (!gettimeofday(&tv, NULL))
748  {
749  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
750  srandom(seed);
751  }
752 
753  error_reset(); /* initialize error.c */
754  reset_check_status(); /* initialize status check code in socket.c */
755 
756 #ifdef _WIN32
757  init_win32();
758 #endif
759 
760 #ifdef OPENVPN_DEBUG_COMMAND_LINE
761  {
762  int i;
763  for (i = 0; i < argc; ++i)
764  {
765  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
766  }
767  }
768 #endif
769 
770  update_time();
771 
772  init_ssl_lib();
773 
774  /* init PRNG used for IV generation */
775  /* When forking, copy this to more places in the code to avoid fork
776  * random-state predictability */
777  prng_init(NULL, 0);
778 
779 #ifdef PID_TEST
780  packet_id_interactive_test(); /* test the sequence number code */
781  return false;
782 #endif
783 
784 #ifdef SCHEDULE_TEST
785  schedule_test();
786  return false;
787 #endif
788 
789 #ifdef LIST_TEST
790  list_test();
791  return false;
792 #endif
793 
794 #ifdef IFCONFIG_POOL_TEST
795  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
796  return false;
797 #endif
798 
799 #ifdef CHARACTER_CLASS_DEBUG
800  character_class_debug();
801  return false;
802 #endif
803 
804 #ifdef EXTRACT_X509_FIELD_TEST
805  extract_x509_field_test();
806  return false;
807 #endif
808 
809 #ifdef TIME_TEST
810  time_test();
811  return false;
812 #endif
813 
814 #ifdef TEST_GET_DEFAULT_GATEWAY
815  {
816  struct route_gateway_info rgi;
817  struct route_ipv6_gateway_info rgi6;
818  get_default_gateway(&rgi);
819  get_default_gateway_ipv6(&rgi6, NULL);
820  print_default_gateway(M_INFO, &rgi, &rgi6);
821  return false;
822  }
823 #endif
824 
825 #ifdef GEN_PATH_TEST
826  {
827  struct gc_arena gc = gc_new();
828  const char *fn = gen_path("foo",
829  "bar",
830  &gc);
831  printf("%s\n", fn);
832  gc_free(&gc);
833  }
834  return false;
835 #endif
836 
837 #ifdef STATUS_PRINTF_TEST
838  {
839  struct gc_arena gc = gc_new();
840  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
841  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
842  status_printf(so, "%s", "foo");
843  status_printf(so, "%s", "bar");
844  if (!status_close(so))
845  {
846  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
847  }
848  gc_free(&gc);
849  }
850  return false;
851 #endif
852 
853 #ifdef PRNG_TEST
854  {
855  struct gc_arena gc = gc_new();
856  uint8_t rndbuf[8];
857  int i;
858  prng_init("sha1", 16);
859  /*prng_init (NULL, 0);*/
860  const int factor = 1;
861  for (i = 0; i < factor * 8; ++i)
862  {
863 #if 1
864  prng_bytes(rndbuf, sizeof(rndbuf));
865 #else
866  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
867 #endif
868  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
869  }
870  gc_free(&gc);
871  prng_uninit();
872  return false;
873  }
874 #endif /* ifdef PRNG_TEST */
875 
876 #ifdef BUFFER_LIST_AGGREGATE_TEST
877  /* test buffer_list_aggregate function */
878  {
879  static const char *text[] = {
880  "It was a bright cold day in April, ",
881  "and the clocks were striking ",
882  "thirteen. ",
883  "Winston Smith, ",
884  "his chin nuzzled into his breast in an ",
885  "effort to escape the vile wind, ",
886  "slipped quickly through the glass doors ",
887  "of Victory Mansions, though not quickly ",
888  "enough to prevent a swirl of gritty dust from ",
889  "entering along with him."
890  };
891 
892  int iter, listcap;
893  for (listcap = 0; listcap < 12; ++listcap)
894  {
895  for (iter = 0; iter < 512; ++iter)
896  {
897  struct buffer_list *bl = buffer_list_new(listcap);
898  {
899  int i;
900  for (i = 0; i < SIZE(text); ++i)
901  {
902  buffer_list_push(bl, (unsigned char *)text[i]);
903  }
904  }
905  printf("[cap=%d i=%d] *************************\n", listcap, iter);
906  if (!(iter & 8))
907  {
908  buffer_list_aggregate(bl, iter/2);
909  }
910  if (!(iter & 16))
911  {
912  buffer_list_push(bl, (unsigned char *)"Even more text...");
913  }
914  buffer_list_aggregate(bl, iter);
915  if (!(iter & 1))
916  {
917  buffer_list_push(bl, (unsigned char *)"More text...");
918  }
919  {
920  struct buffer *buf;
921  while ((buf = buffer_list_peek(bl)))
922  {
923  int c;
924  printf("'");
925  while ((c = buf_read_u8(buf)) >= 0)
926  {
927  putchar(c);
928  }
929  printf("'\n");
930  buffer_list_advance(bl, 0);
931  }
932  }
933  buffer_list_free(bl);
934  }
935  }
936  return false;
937  }
938 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
939 
940 #ifdef MSTATS_TEST
941  {
942  int i;
943  mstats_open("/dev/shm/mstats.dat");
944  for (i = 0; i < 30; ++i)
945  {
946  mmap_stats->n_clients += 1;
947  mmap_stats->link_write_bytes += 8;
948  mmap_stats->link_read_bytes += 16;
949  sleep(1);
950  }
951  mstats_close();
952  return false;
953  }
954 #endif
955 
956  return true;
957 }
958 
959 void
960 uninit_static(void)
961 {
962  free_ssl_lib();
963 
964 #ifdef ENABLE_PKCS11
965  pkcs11_terminate();
966 #endif
967 
968 #if PORT_SHARE
969  close_port_share();
970 #endif
971 
972 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
973  show_tls_performance_stats();
974 #endif
975 }
976 
977 void
978 init_verb_mute(struct context *c, unsigned int flags)
979 {
980  if (flags & IVM_LEVEL_1)
981  {
982  /* set verbosity and mute levels */
983  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
984  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
985  set_mute_cutoff(c->options.mute);
986  }
987 
988  /* special D_LOG_RW mode */
989  if (flags & IVM_LEVEL_2)
990  {
991  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
992  }
993 }
994 
995 /*
996  * Possibly set --dev based on --dev-node.
997  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
998  * set --dev to tun.
999  */
1000 void
1001 init_options_dev(struct options *options)
1002 {
1003  if (!options->dev && options->dev_node)
1004  {
1005  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1006  options->dev = basename(dev_node);
1007  }
1008 }
1009 
1010 bool
1011 print_openssl_info(const struct options *options)
1012 {
1013  /*
1014  * OpenSSL info print mode?
1015  */
1016  if (options->show_ciphers || options->show_digests || options->show_engines
1017  || options->show_tls_ciphers || options->show_curves)
1018  {
1019  if (options->show_ciphers)
1020  {
1021  show_available_ciphers();
1022  }
1023  if (options->show_digests)
1024  {
1025  show_available_digests();
1026  }
1027  if (options->show_engines)
1028  {
1029  show_available_engines();
1030  }
1031  if (options->show_tls_ciphers)
1032  {
1033  show_available_tls_ciphers(options->cipher_list,
1034  options->cipher_list_tls13,
1035  options->tls_cert_profile);
1036  }
1037  if (options->show_curves)
1038  {
1039  show_available_curves();
1040  }
1041  return true;
1042  }
1043  return false;
1044 }
1045 
1046 /*
1047  * Static pre-shared key generation mode?
1048  */
1049 bool
1050 do_genkey(const struct options *options)
1051 {
1052  /* should we disable paging? */
1053  if (options->mlock && (options->genkey))
1054  {
1055  platform_mlockall(true);
1056  }
1057 
1058  /*
1059  * We do not want user to use --genkey with --secret. In the transistion
1060  * phase we for secret.
1061  */
1062  if (options->genkey && options->genkey_type != GENKEY_SECRET
1063  && options->shared_secret_file)
1064  {
1065  msg(M_USAGE, "Using --genkey type with --secret filename is "
1066  "not supported. Use --genkey type filename instead.");
1067  }
1068  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1069  {
1070  int nbits_written;
1071  const char *genkey_filename = options->genkey_filename;
1072  if (options->shared_secret_file && options->genkey_filename)
1073  {
1074  msg(M_USAGE, "You must provide a filename to either --genkey "
1075  "or --secret, not both");
1076  }
1077 
1078  /*
1079  * Copy filename from shared_secret_file to genkey_filename to support
1080  * the old --genkey --secret foo.file syntax.
1081  */
1082  if (options->shared_secret_file)
1083  {
1084  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1085  "DEPRECATED. Use --genkey secret filename instead.");
1086  genkey_filename = options->shared_secret_file;
1087  }
1088 
1089  nbits_written = write_key_file(2, genkey_filename);
1090  if (nbits_written < 0)
1091  {
1092  msg(M_FATAL, "Failed to write key file");
1093  }
1094 
1095  msg(D_GENKEY | M_NOPREFIX,
1096  "Randomly generated %d bit key written to %s", nbits_written,
1097  options->shared_secret_file);
1098  return true;
1099  }
1100  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1101  {
1102  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1103  return true;
1104  }
1105  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1106  {
1107  if (!options->tls_crypt_v2_file)
1108  {
1109  msg(M_USAGE,
1110  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1111  }
1112 
1113  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1114  options->genkey_extra_data, options->tls_crypt_v2_file,
1115  options->tls_crypt_v2_file_inline);
1116  return true;
1117  }
1118  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1119  {
1120  auth_token_write_server_key_file(options->genkey_filename);
1121  return true;
1122  }
1123  else
1124  {
1125  return false;
1126  }
1127 }
1128 
1129 /*
1130  * Persistent TUN/TAP device management mode?
1131  */
1132 bool
1133 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1134 {
1135  if (options->persist_config)
1136  {
1137  /* sanity check on options for --mktun or --rmtun */
1138  notnull(options->dev, "TUN/TAP device (--dev)");
1139  if (options->ce.remote || options->ifconfig_local
1140  || options->ifconfig_remote_netmask
1141  || options->shared_secret_file
1142  || options->tls_server || options->tls_client
1143  )
1144  {
1145  msg(M_FATAL|M_OPTERR,
1146  "options --mktun or --rmtun should only be used together with --dev");
1147  }
1148 #ifdef ENABLE_FEATURE_TUN_PERSIST
1149  tuncfg(options->dev, options->dev_type, options->dev_node,
1150  options->persist_mode,
1151  options->username, options->groupname, &options->tuntap_options,
1152  ctx);
1153  if (options->persist_mode && options->lladdr)
1154  {
1155  set_lladdr(options->dev, options->lladdr, NULL);
1156  }
1157  return true;
1158 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1159  msg( M_FATAL|M_OPTERR,
1160  "options --mktun and --rmtun are not available on your operating "
1161  "system. Please check 'man tun' (or 'tap'), whether your system "
1162  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1163  "persistent tunnel interfaces.", options->dev );
1164 #endif
1165  }
1166  return false;
1167 }
1168 
1169 /*
1170  * Should we become a daemon?
1171  * Return true if we did it.
1172  */
1173 bool
1174 possibly_become_daemon(const struct options *options)
1175 {
1176  bool ret = false;
1177 
1178 #ifdef ENABLE_SYSTEMD
1179  /* return without forking if we are running from systemd */
1180  if (sd_notify(0, "READY=0") > 0)
1181  {
1182  return ret;
1183  }
1184 #endif
1185 
1186  if (options->daemon)
1187  {
1188  ASSERT(!options->inetd);
1189  /* Don't chdir immediately, but the end of the init sequence, if needed */
1190  if (daemon(1, options->log) < 0)
1191  {
1192  msg(M_ERR, "daemon() failed or unsupported");
1193  }
1194  restore_signal_state();
1195  if (options->log)
1196  {
1197  set_std_files_to_null(true);
1198  }
1199 
1200  ret = true;
1201  }
1202  return ret;
1203 }
1204 
1205 /*
1206  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1207  */
1208 static void
1209 do_uid_gid_chroot(struct context *c, bool no_delay)
1210 {
1211  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1212  struct context_0 *c0 = c->c0;
1213 
1214  if (c0 && !c0->uid_gid_chroot_set)
1215  {
1216  /* chroot if requested */
1217  if (c->options.chroot_dir)
1218  {
1219  if (no_delay)
1220  {
1221  platform_chroot(c->options.chroot_dir);
1222  }
1223  else if (c->first_time)
1224  {
1225  msg(M_INFO, "NOTE: chroot %s", why_not);
1226  }
1227  }
1228 
1229  /* set user and/or group if we want to setuid/setgid */
1230  if (c0->uid_gid_specified)
1231  {
1232  if (no_delay)
1233  {
1234  platform_group_set(&c0->platform_state_group);
1235  platform_user_set(&c0->platform_state_user);
1236  }
1237  else if (c->first_time)
1238  {
1239  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1240  }
1241  }
1242 
1243 #ifdef ENABLE_MEMSTATS
1244  if (c->first_time && c->options.memstats_fn)
1245  {
1246  mstats_open(c->options.memstats_fn);
1247  }
1248 #endif
1249 
1250 #ifdef ENABLE_SELINUX
1251  /* Apply a SELinux context in order to restrict what OpenVPN can do
1252  * to _only_ what it is supposed to do after initialization is complete
1253  * (basically just network I/O operations). Doing it after chroot
1254  * requires /proc to be mounted in the chroot (which is annoying indeed
1255  * but doing it before requires more complex SELinux policies.
1256  */
1257  if (c->options.selinux_context)
1258  {
1259  if (no_delay)
1260  {
1261  if (-1 == setcon(c->options.selinux_context))
1262  {
1263  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1264  }
1265  else
1266  {
1267  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1268  }
1269  }
1270  else if (c->first_time)
1271  {
1272  msg(M_INFO, "NOTE: setcon %s", why_not);
1273  }
1274  }
1275 #endif
1276 
1277  /* Privileges are going to be dropped by now (if requested), be sure
1278  * to prevent any future privilege dropping attempts from now on.
1279  */
1280  if (no_delay)
1281  {
1282  c0->uid_gid_chroot_set = true;
1283  }
1284  }
1285 }
1286 
1287 /*
1288  * Return common name in a way that is formatted for
1289  * prepending to msg() output.
1290  */
1291 const char *
1292 format_common_name(struct context *c, struct gc_arena *gc)
1293 {
1294  struct buffer out = alloc_buf_gc(256, gc);
1295  if (c->c2.tls_multi)
1296  {
1297  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1298  }
1299  return BSTR(&out);
1300 }
1301 
1302 void
1303 pre_setup(const struct options *options)
1304 {
1305 #ifdef _WIN32
1306  if (options->exit_event_name)
1307  {
1308  win32_signal_open(&win32_signal,
1309  WSO_FORCE_SERVICE,
1310  options->exit_event_name,
1311  options->exit_event_initial_state);
1312  }
1313  else
1314  {
1315  win32_signal_open(&win32_signal,
1316  WSO_FORCE_CONSOLE,
1317  NULL,
1318  false);
1319 
1320  /* put a title on the top window bar */
1321  if (win32_signal.mode == WSO_MODE_CONSOLE)
1322  {
1323  window_title_save(&window_title);
1324  window_title_generate(options->config);
1325  }
1326  }
1327 #endif /* ifdef _WIN32 */
1328 }
1329 
1330 void
1331 reset_coarse_timers(struct context *c)
1332 {
1333  c->c2.coarse_timer_wakeup = 0;
1334 }
1335 
1336 /*
1337  * Initialise the server poll timeout timer
1338  * This timer is used in the http/socks proxy setup so it needs to be setup
1339  * before
1340  */
1341 static void
1342 do_init_server_poll_timeout(struct context *c)
1343 {
1344  update_time();
1345  if (c->options.ce.connect_timeout)
1346  {
1347  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1348  }
1349 }
1350 
1351 /*
1352  * Initialize timers
1353  */
1354 static void
1355 do_init_timers(struct context *c, bool deferred)
1356 {
1357  update_time();
1358  reset_coarse_timers(c);
1359 
1360  /* initialize inactivity timeout */
1361  if (c->options.inactivity_timeout)
1362  {
1363  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1364  }
1365 
1366  /* initialize pings */
1367 
1368  if (c->options.ping_send_timeout)
1369  {
1370  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1371  }
1372 
1373  if (c->options.ping_rec_timeout)
1374  {
1375  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1376  }
1377 
1378  if (!deferred)
1379  {
1380  /* initialize connection establishment timer */
1381  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1382 
1383 #ifdef ENABLE_OCC
1384  /* initialize occ timers */
1385 
1386  if (c->options.occ
1387  && !TLS_MODE(c)
1388  && c->c2.options_string_local && c->c2.options_string_remote)
1389  {
1390  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1391  }
1392 
1393  if (c->options.mtu_test)
1394  {
1395  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1396  }
1397 #endif
1398 
1399  /* initialize packet_id persistence timer */
1400  if (c->options.packet_id_file)
1401  {
1402  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1403  }
1404 
1405  /* initialize tmp_int optimization that limits the number of times we call
1406  * tls_multi_process in the main event loop */
1407  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1408  }
1409 }
1410 
1411 /*
1412  * Initialize traffic shaper.
1413  */
1414 static void
1415 do_init_traffic_shaper(struct context *c)
1416 {
1417 #ifdef ENABLE_FEATURE_SHAPER
1418  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1419  if (c->options.shaper)
1420  {
1421  shaper_init(&c->c2.shaper, c->options.shaper);
1422  shaper_msg(&c->c2.shaper);
1423  }
1424 #endif
1425 }
1426 
1427 /*
1428  * Allocate route list structures for IPv4 and IPv6
1429  * (we do this for IPv4 even if no --route option has been seen, as other
1430  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1431  */
1432 static void
1433 do_alloc_route_list(struct context *c)
1434 {
1435  if (!c->c1.route_list)
1436  {
1437  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1438  }
1439  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1440  {
1441  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1442  }
1443 }
1444 
1445 
1446 /*
1447  * Initialize the route list, resolving any DNS names in route
1448  * options and saving routes in the environment.
1449  */
1450 static void
1451 do_init_route_list(const struct options *options,
1452  struct route_list *route_list,
1453  const struct link_socket_info *link_socket_info,
1454  struct env_set *es,
1455  openvpn_net_ctx_t *ctx)
1456 {
1457  const char *gw = NULL;
1458  int dev = dev_type_enum(options->dev, options->dev_type);
1459  int metric = 0;
1460 
1461  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1462  {
1463  gw = options->ifconfig_remote_netmask;
1464  }
1465  if (options->route_default_gateway)
1466  {
1467  gw = options->route_default_gateway;
1468  }
1469  if (options->route_default_metric)
1470  {
1471  metric = options->route_default_metric;
1472  }
1473 
1474  if (init_route_list(route_list,
1475  options->routes,
1476  gw,
1477  metric,
1478  link_socket_current_remote(link_socket_info),
1479  es,
1480  ctx))
1481  {
1482  /* copy routes to environment */
1483  setenv_routes(es, route_list);
1484  }
1485 }
1486 
1487 static void
1488 do_init_route_ipv6_list(const struct options *options,
1489  struct route_ipv6_list *route_ipv6_list,
1490  const struct link_socket_info *link_socket_info,
1491  struct env_set *es,
1492  openvpn_net_ctx_t *ctx)
1493 {
1494  const char *gw = NULL;
1495  int metric = -1; /* no metric set */
1496 
1497  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1498  if (options->route_ipv6_default_gateway)
1499  {
1500  gw = options->route_ipv6_default_gateway;
1501  }
1502 
1503  if (options->route_default_metric)
1504  {
1505  metric = options->route_default_metric;
1506  }
1507 
1508  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1509  */
1510  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1511  {
1512  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1513  int i;
1514 
1515  for (i = 0; opt_list[i]; i++)
1516  {
1517  add_route_ipv6_to_option_list( options->routes_ipv6,
1518  string_alloc(opt_list[i], options->routes_ipv6->gc),
1519  NULL, NULL );
1520  }
1521  }
1522 
1523  if (init_route_ipv6_list(route_ipv6_list,
1524  options->routes_ipv6,
1525  gw,
1526  metric,
1527  link_socket_current_remote_ipv6(link_socket_info),
1528  es,
1529  ctx))
1530  {
1531  /* copy routes to environment */
1532  setenv_routes_ipv6(es, route_ipv6_list);
1533  }
1534 }
1535 
1536 
1537 /*
1538  * Called after all initialization has been completed.
1539  */
1540 void
1541 initialization_sequence_completed(struct context *c, const unsigned int flags)
1542 {
1543  static const char message[] = "Initialization Sequence Completed";
1544 
1545  /* Reset the unsuccessful connection counter on complete initialisation */
1546  c->options.unsuccessful_attempts = 0;
1547 
1548  /* If we delayed UID/GID downgrade or chroot, do it now */
1549  do_uid_gid_chroot(c, true);
1550 
1551 
1552  /*
1553  * In some cases (i.e. when receiving auth-token via
1554  * push-reply) the auth-nocache option configured on the
1555  * client is overridden; for this reason we have to wait
1556  * for the push-reply message before attempting to wipe
1557  * the user/pass entered by the user
1558  */
1559  if (c->options.mode == MODE_POINT_TO_POINT)
1560  {
1561  delayed_auth_pass_purge();
1562  }
1563 
1564  /* Test if errors */
1565  if (flags & ISC_ERRORS)
1566  {
1567 #ifdef _WIN32
1568  show_routes(M_INFO|M_NOPREFIX);
1569  show_adapters(M_INFO|M_NOPREFIX);
1570  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1571 #else
1572 #ifdef ENABLE_SYSTEMD
1573  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1574 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1575  msg(M_INFO, "%s With Errors", message);
1576 #endif
1577  }
1578  else
1579  {
1580 #ifdef ENABLE_SYSTEMD
1581  sd_notifyf(0, "STATUS=%s", message);
1582 #endif
1583  msg(M_INFO, "%s", message);
1584  }
1585 
1586  /* Flag that we initialized */
1587  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1588  {
1589  c->options.no_advance = true;
1590  }
1591 
1592 #ifdef _WIN32
1593  fork_register_dns_action(c->c1.tuntap);
1594 #endif
1595 
1596 #ifdef ENABLE_MANAGEMENT
1597  /* Tell management interface that we initialized */
1598  if (management)
1599  {
1600  in_addr_t *tun_local = NULL;
1601  struct in6_addr *tun_local6 = NULL;
1602  struct openvpn_sockaddr local, remote;
1603  struct link_socket_actual *actual;
1604  socklen_t sa_len = sizeof(local);
1605  const char *detail = "SUCCESS";
1606  if (flags & ISC_ERRORS)
1607  {
1608  detail = "ERROR";
1609  }
1610 
1611  CLEAR(local);
1612  actual = &get_link_socket_info(c)->lsa->actual;
1613  remote = actual->dest;
1614  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1615 #if ENABLE_IP_PKTINFO
1616  if (!addr_defined(&local))
1617  {
1618  switch (local.addr.sa.sa_family)
1619  {
1620  case AF_INET:
1621 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1622  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1623 #else
1624  local.addr.in4.sin_addr = actual->pi.in4;
1625 #endif
1626  break;
1627 
1628  case AF_INET6:
1629  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1630  break;
1631  }
1632  }
1633 #endif
1634 
1635  if (c->c1.tuntap)
1636  {
1637  tun_local = &c->c1.tuntap->local;
1638  tun_local6 = &c->c1.tuntap->local_ipv6;
1639  }
1640  management_set_state(management,
1641  OPENVPN_STATE_CONNECTED,
1642  detail,
1643  tun_local,
1644  tun_local6,
1645  &local,
1646  &remote);
1647  if (tun_local)
1648  {
1649  management_post_tunnel_open(management, *tun_local);
1650  }
1651  }
1652 #endif /* ifdef ENABLE_MANAGEMENT */
1653 }
1654 
1655 /*
1656  * Possibly add routes and/or call route-up script
1657  * based on options.
1658  */
1659 void
1660 do_route(const struct options *options,
1661  struct route_list *route_list,
1662  struct route_ipv6_list *route_ipv6_list,
1663  const struct tuntap *tt,
1664  const struct plugin_list *plugins,
1665  struct env_set *es,
1666  openvpn_net_ctx_t *ctx)
1667 {
1668  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1669  {
1670  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1671  es, ctx);
1672  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1673  }
1674 #ifdef ENABLE_MANAGEMENT
1675  if (management)
1676  {
1677  management_up_down(management, "UP", es);
1678  }
1679 #endif
1680 
1681  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1682  {
1683  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1684  {
1685  msg(M_WARN, "WARNING: route-up plugin call failed");
1686  }
1687  }
1688 
1689  if (options->route_script)
1690  {
1691  struct argv argv = argv_new();
1692  setenv_str(es, "script_type", "route-up");
1693  argv_parse_cmd(&argv, options->route_script);
1694  openvpn_run_script(&argv, es, 0, "--route-up");
1695  argv_free(&argv);
1696  }
1697 
1698 #ifdef _WIN32
1699  if (options->show_net_up)
1700  {
1701  show_routes(M_INFO|M_NOPREFIX);
1702  show_adapters(M_INFO|M_NOPREFIX);
1703  }
1704  else if (check_debug_level(D_SHOW_NET))
1705  {
1706  show_routes(D_SHOW_NET|M_NOPREFIX);
1707  show_adapters(D_SHOW_NET|M_NOPREFIX);
1708  }
1709 #endif
1710 }
1711 
1712 /*
1713  * initialize tun/tap device object
1714  */
1715 static void
1716 do_init_tun(struct context *c)
1717 {
1718  c->c1.tuntap = init_tun(c->options.dev,
1719  c->options.dev_type,
1720  c->options.topology,
1721  c->options.ifconfig_local,
1722  c->options.ifconfig_remote_netmask,
1723  c->options.ifconfig_ipv6_local,
1724  c->options.ifconfig_ipv6_netbits,
1725  c->options.ifconfig_ipv6_remote,
1726  c->c1.link_socket_addr.bind_local,
1727  c->c1.link_socket_addr.remote_list,
1728  !c->options.ifconfig_nowarn,
1729  c->c2.es,
1730  &c->net_ctx);
1731 
1732 #ifdef _WIN32
1733  c->c1.tuntap->windows_driver = c->options.windows_driver;
1734 #endif
1735 
1736  init_tun_post(c->c1.tuntap,
1737  &c->c2.frame,
1738  &c->options.tuntap_options);
1739 
1740  c->c1.tuntap_owned = true;
1741 }
1742 
1743 /*
1744  * Open tun/tap device, ifconfig, call up script, etc.
1745  */
1746 
1747 static bool
1748 do_open_tun(struct context *c)
1749 {
1750  struct gc_arena gc = gc_new();
1751  bool ret = false;
1752 
1753 #ifndef TARGET_ANDROID
1754  if (!c->c1.tuntap)
1755  {
1756 #endif
1757 
1758 #ifdef TARGET_ANDROID
1759  /* If we emulate persist-tun on android we still have to open a new tun and
1760  * then close the old */
1761  int oldtunfd = -1;
1762  if (c->c1.tuntap)
1763  {
1764  oldtunfd = c->c1.tuntap->fd;
1765  free(c->c1.tuntap);
1766  c->c1.tuntap = NULL;
1767  c->c1.tuntap_owned = false;
1768  }
1769 #endif
1770 
1771  /* initialize (but do not open) tun/tap object */
1772  do_init_tun(c);
1773 
1774 #ifdef _WIN32
1775  /* store (hide) interactive service handle in tuntap_options */
1776  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1777  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1778 #endif
1779 
1780  /* allocate route list structure */
1781  do_alloc_route_list(c);
1782 
1783  /* parse and resolve the route option list */
1784  ASSERT(c->c2.link_socket);
1785  if (c->options.routes && c->c1.route_list)
1786  {
1787  do_init_route_list(&c->options, c->c1.route_list,
1788  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1789  }
1790  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1791  {
1792  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1793  &c->c2.link_socket->info, c->c2.es,
1794  &c->net_ctx);
1795  }
1796 
1797  /* do ifconfig */
1798  if (!c->options.ifconfig_noexec
1799  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1800  {
1801  /* guess actual tun/tap unit number that will be returned
1802  * by open_tun */
1803  const char *guess = guess_tuntap_dev(c->options.dev,
1804  c->options.dev_type,
1805  c->options.dev_node,
1806  &gc);
1807  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1808  &c->net_ctx);
1809  }
1810 
1811  /* possibly add routes */
1812  if (route_order() == ROUTE_BEFORE_TUN)
1813  {
1814  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1815  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1816  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1817  }
1818 #ifdef TARGET_ANDROID
1819  /* Store the old fd inside the fd so open_tun can use it */
1820  c->c1.tuntap->fd = oldtunfd;
1821 #endif
1822  /* open the tun device */
1823  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1824  c->c1.tuntap);
1825 
1826  /* set the hardware address */
1827  if (c->options.lladdr)
1828  {
1829  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1830  }
1831 
1832  /* do ifconfig */
1833  if (!c->options.ifconfig_noexec
1834  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1835  {
1836  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1837  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1838  }
1839 
1840  /* run the up script */
1841  run_up_down(c->options.up_script,
1842  c->plugins,
1843  OPENVPN_PLUGIN_UP,
1844  c->c1.tuntap->actual_name,
1845 #ifdef _WIN32
1846  c->c1.tuntap->adapter_index,
1847 #endif
1848  dev_type_string(c->options.dev, c->options.dev_type),
1849  TUN_MTU_SIZE(&c->c2.frame),
1850  EXPANDED_SIZE(&c->c2.frame),
1851  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1852  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1853  "init",
1854  NULL,
1855  "up",
1856  c->c2.es);
1857 
1858 #if defined(_WIN32)
1859  if (c->options.block_outside_dns)
1860  {
1861  dmsg(D_LOW, "Blocking outside DNS");
1862  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1863  {
1864  msg(M_FATAL, "Blocking DNS failed!");
1865  }
1866  }
1867 #endif
1868 
1869  /* possibly add routes */
1870  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1871  {
1872  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 
1876  /*
1877  * Did tun/tap driver give us an MTU?
1878  */
1879  if (c->c1.tuntap->post_open_mtu)
1880  {
1881  frame_set_mtu_dynamic(&c->c2.frame,
1882  c->c1.tuntap->post_open_mtu,
1883  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1884  }
1885 
1886  ret = true;
1887  static_context = c;
1888 #ifndef TARGET_ANDROID
1889 }
1890 else
1891 {
1892  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1893  c->c1.tuntap->actual_name);
1894 
1895  /* explicitly set the ifconfig_* env vars */
1896  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1897 
1898  /* run the up script if user specified --up-restart */
1899  if (c->options.up_restart)
1900  {
1901  run_up_down(c->options.up_script,
1902  c->plugins,
1903  OPENVPN_PLUGIN_UP,
1904  c->c1.tuntap->actual_name,
1905 #ifdef _WIN32
1906  c->c1.tuntap->adapter_index,
1907 #endif
1908  dev_type_string(c->options.dev, c->options.dev_type),
1909  TUN_MTU_SIZE(&c->c2.frame),
1910  EXPANDED_SIZE(&c->c2.frame),
1911  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1912  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1913  "restart",
1914  NULL,
1915  "up",
1916  c->c2.es);
1917  }
1918 #if defined(_WIN32)
1919  if (c->options.block_outside_dns)
1920  {
1921  dmsg(D_LOW, "Blocking outside DNS");
1922  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1923  {
1924  msg(M_FATAL, "Blocking DNS failed!");
1925  }
1926  }
1927 #endif
1928 
1929 }
1930 #endif /* ifndef TARGET_ANDROID */
1931  gc_free(&gc);
1932  return ret;
1933 }
1934 
1935 /*
1936  * Close TUN/TAP device
1937  */
1938 
1939 static void
1940 do_close_tun_simple(struct context *c)
1941 {
1942  msg(D_CLOSE, "Closing TUN/TAP interface");
1943  if (c->c1.tuntap)
1944  {
1945  close_tun(c->c1.tuntap, &c->net_ctx);
1946  c->c1.tuntap = NULL;
1947  }
1948  c->c1.tuntap_owned = false;
1949 #if P2MP
1950  CLEAR(c->c1.pulled_options_digest_save);
1951 #endif
1952 }
1953 
1954 static void
1955 do_close_tun(struct context *c, bool force)
1956 {
1957  struct gc_arena gc = gc_new();
1958  if (c->c1.tuntap && c->c1.tuntap_owned)
1959  {
1960  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1961 #ifdef _WIN32
1962  DWORD adapter_index = c->c1.tuntap->adapter_index;
1963 #endif
1964  const in_addr_t local = c->c1.tuntap->local;
1965  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1966 
1967  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1968  {
1969  static_context = NULL;
1970 
1971 #ifdef ENABLE_MANAGEMENT
1972  /* tell management layer we are about to close the TUN/TAP device */
1973  if (management)
1974  {
1975  management_pre_tunnel_close(management);
1976  management_up_down(management, "DOWN", c->c2.es);
1977  }
1978 #endif
1979 
1980  /* delete any routes we added */
1981  if (c->c1.route_list || c->c1.route_ipv6_list)
1982  {
1983  run_up_down(c->options.route_predown_script,
1984  c->plugins,
1985  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1986  tuntap_actual,
1987 #ifdef _WIN32
1988  adapter_index,
1989 #endif
1990  NULL,
1991  TUN_MTU_SIZE(&c->c2.frame),
1992  EXPANDED_SIZE(&c->c2.frame),
1993  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1994  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1995  "init",
1996  signal_description(c->sig->signal_received,
1997  c->sig->signal_text),
1998  "route-pre-down",
1999  c->c2.es);
2000 
2001  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2002  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2003  c->c2.es, &c->net_ctx);
2004  }
2005 
2006  /* actually close tun/tap device based on --down-pre flag */
2007  if (!c->options.down_pre)
2008  {
2009  do_close_tun_simple(c);
2010  }
2011 
2012  /* Run the down script -- note that it will run at reduced
2013  * privilege if, for example, "--user nobody" was used. */
2014  run_up_down(c->options.down_script,
2015  c->plugins,
2016  OPENVPN_PLUGIN_DOWN,
2017  tuntap_actual,
2018 #ifdef _WIN32
2019  adapter_index,
2020 #endif
2021  NULL,
2022  TUN_MTU_SIZE(&c->c2.frame),
2023  EXPANDED_SIZE(&c->c2.frame),
2024  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2025  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2026  "init",
2027  signal_description(c->sig->signal_received,
2028  c->sig->signal_text),
2029  "down",
2030  c->c2.es);
2031 
2032 #if defined(_WIN32)
2033  if (c->options.block_outside_dns)
2034  {
2035  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2036  {
2037  msg(M_FATAL, "Uninitialising WFP failed!");
2038  }
2039  }
2040 #endif
2041 
2042  /* actually close tun/tap device based on --down-pre flag */
2043  if (c->options.down_pre)
2044  {
2045  do_close_tun_simple(c);
2046  }
2047  }
2048  else
2049  {
2050  /* run the down script on this restart if --up-restart was specified */
2051  if (c->options.up_restart)
2052  {
2053  run_up_down(c->options.down_script,
2054  c->plugins,
2055  OPENVPN_PLUGIN_DOWN,
2056  tuntap_actual,
2057 #ifdef _WIN32
2058  adapter_index,
2059 #endif
2060  NULL,
2061  TUN_MTU_SIZE(&c->c2.frame),
2062  EXPANDED_SIZE(&c->c2.frame),
2063  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2064  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2065  "restart",
2066  signal_description(c->sig->signal_received,
2067  c->sig->signal_text),
2068  "down",
2069  c->c2.es);
2070  }
2071 
2072 #if defined(_WIN32)
2073  if (c->options.block_outside_dns)
2074  {
2075  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2076  {
2077  msg(M_FATAL, "Uninitialising WFP failed!");
2078  }
2079  }
2080 #endif
2081 
2082  }
2083  }
2084  gc_free(&gc);
2085 }
2086 
2087 void
2088 tun_abort(void)
2089 {
2090  struct context *c = static_context;
2091  if (c)
2092  {
2093  static_context = NULL;
2094  do_close_tun(c, true);
2095  }
2096 }
2097 
2098 /*
2099  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2100  */
2101 
2102 #if P2MP
2103 
2107 static bool
2108 options_hash_changed_or_zero(const struct sha256_digest *a,
2109  const struct sha256_digest *b)
2110 {
2111  const struct sha256_digest zero = {{0}};
2112  return memcmp(a, b, sizeof(struct sha256_digest))
2113  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2114 }
2115 #endif /* P2MP */
2116 
2117 bool
2118 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2119 {
2120  if (!c->c2.do_up_ran)
2121  {
2122  reset_coarse_timers(c);
2123 
2124  if (pulled_options)
2125  {
2126  if (!do_deferred_options(c, option_types_found))
2127  {
2128  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2129  return false;
2130  }
2131  }
2132 
2133  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2134  if (c->options.up_delay || PULL_DEFINED(&c->options))
2135  {
2136  c->c2.did_open_tun = do_open_tun(c);
2137  update_time();
2138 
2139 #if P2MP
2140  /*
2141  * Was tun interface object persisted from previous restart iteration,
2142  * and if so did pulled options string change from previous iteration?
2143  */
2144  if (!c->c2.did_open_tun
2145  && PULL_DEFINED(&c->options)
2146  && c->c1.tuntap
2147  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2148  &c->c2.pulled_options_digest))
2149  {
2150  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2151  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2152  do_close_tun(c, true);
2153  management_sleep(1);
2154  c->c2.did_open_tun = do_open_tun(c);
2155  update_time();
2156  }
2157 #endif
2158  }
2159 
2160  if (c->c2.did_open_tun)
2161  {
2162 #if P2MP
2163  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2164 #endif
2165 
2166  /* if --route-delay was specified, start timer */
2167  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2168  {
2169  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2170  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2171  if (c->c1.tuntap)
2172  {
2173  tun_standby_init(c->c1.tuntap);
2174  }
2175  }
2176  else
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2179  }
2180  }
2181  else if (c->options.mode == MODE_POINT_TO_POINT)
2182  {
2183  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2184  }
2185 
2186  c->c2.do_up_ran = true;
2187  }
2188  return true;
2189 }
2190 
2191 /*
2192  * These are the option categories which will be accepted by pull.
2193  */
2194 unsigned int
2195 pull_permission_mask(const struct context *c)
2196 {
2197  unsigned int flags =
2198  OPT_P_UP
2199  | OPT_P_ROUTE_EXTRAS
2200  | OPT_P_SOCKBUF
2201  | OPT_P_SOCKFLAGS
2202  | OPT_P_SETENV
2203  | OPT_P_SHAPER
2204  | OPT_P_TIMER
2205  | OPT_P_COMP
2206  | OPT_P_PERSIST
2207  | OPT_P_MESSAGES
2208  | OPT_P_EXPLICIT_NOTIFY
2209  | OPT_P_ECHO
2210  | OPT_P_PULL_MODE
2211  | OPT_P_PEER_ID;
2212 
2213  if (!c->options.route_nopull)
2214  {
2215  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2216  }
2217 
2218  if (c->options.ncp_enabled)
2219  {
2220  flags |= OPT_P_NCP;
2221  }
2222 
2223  return flags;
2224 }
2225 
2226 /*
2227  * Handle non-tun-related pulled options.
2228  */
2229 bool
2230 do_deferred_options(struct context *c, const unsigned int found)
2231 {
2232  if (found & OPT_P_MESSAGES)
2233  {
2234  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2235  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2236  }
2237  if (found & OPT_P_TIMER)
2238  {
2239  do_init_timers(c, true);
2240  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2241  }
2242 
2243 #ifdef ENABLE_OCC
2244  if (found & OPT_P_EXPLICIT_NOTIFY)
2245  {
2246  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2249  c->options.ce.explicit_exit_notification = 0;
2250  }
2251  else
2252  {
2253  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2254  }
2255  }
2256 #endif
2257 
2258 #ifdef USE_COMP
2259  if (found & OPT_P_COMP)
2260  {
2261  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2262  comp_uninit(c->c2.comp_context);
2263  c->c2.comp_context = comp_init(&c->options.comp);
2264  }
2265 #endif
2266 
2267  if (found & OPT_P_SHAPER)
2268  {
2269  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2270  do_init_traffic_shaper(c);
2271  }
2272 
2273  if (found & OPT_P_SOCKBUF)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2276  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2277  }
2278 
2279  if (found & OPT_P_SOCKFLAGS)
2280  {
2281  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2282  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2283  }
2284 
2285  if (found & OPT_P_PERSIST)
2286  {
2287  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2288  }
2289  if (found & OPT_P_UP)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2292  }
2293  if (found & OPT_P_ROUTE)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2296  }
2297  if (found & OPT_P_ROUTE_EXTRAS)
2298  {
2299  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2300  }
2301  if (found & OPT_P_IPWIN32)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2304  }
2305  if (found & OPT_P_SETENV)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2308  }
2309 
2310  if (found & OPT_P_PEER_ID)
2311  {
2312  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2313  c->c2.tls_multi->use_peer_id = true;
2314  c->c2.tls_multi->peer_id = c->options.peer_id;
2315  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2316  if (!c->options.ce.link_mtu_defined)
2317  {
2318  frame_add_to_link_mtu(&c->c2.frame, +3);
2319  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2320  EXPANDED_SIZE(&c->c2.frame));
2321  }
2322  else
2323  {
2324  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2325  " fixed by config - reducing tun-mtu to %d, expect"
2326  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2327  }
2328  }
2329 
2330  /* process (potentially pushed) crypto options */
2331  if (c->options.pull)
2332  {
2333  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2334  if (found & OPT_P_NCP)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2337  }
2338  else if (c->options.ncp_enabled)
2339  {
2340  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2341  }
2342  struct frame *frame_fragment = NULL;
2343 #ifdef ENABLE_FRAGMENT
2344  if (c->options.ce.fragment)
2345  {
2346  frame_fragment = &c->c2.frame_fragment;
2347  }
2348 #endif
2349 
2350  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2351  frame_fragment))
2352  {
2353  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2354  return false;
2355  }
2356  }
2357 
2358  return true;
2359 }
2360 
2361 /*
2362  * Possible hold on initialization, holdtime is the
2363  * time OpenVPN would wait without management
2364  */
2365 static bool
2366 do_hold(int holdtime)
2367 {
2368 #ifdef ENABLE_MANAGEMENT
2369  if (management)
2370  {
2371  /* block until management hold is released */
2372  if (management_hold(management, holdtime))
2373  {
2374  return true;
2375  }
2376  }
2377 #endif
2378  return false;
2379 }
2380 
2381 /*
2382  * Sleep before restart.
2383  */
2384 static void
2385 socket_restart_pause(struct context *c)
2386 {
2387  int sec = 2;
2388  int backoff = 0;
2389 
2390  switch (c->options.ce.proto)
2391  {
2392  case PROTO_TCP_SERVER:
2393  sec = 1;
2394  break;
2395 
2396  case PROTO_UDP:
2397  case PROTO_TCP_CLIENT:
2398  sec = c->options.ce.connect_retry_seconds;
2399  break;
2400  }
2401 
2402 #ifdef ENABLE_DEBUG
2403  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2404  {
2405  sec = 0;
2406  }
2407 #endif
2408 
2409 #if P2MP
2410  if (auth_retry_get() == AR_NOINTERACT)
2411  {
2412  sec = 10;
2413  }
2414 #endif
2415 
2416  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2417  if (c->options.ce.proto != PROTO_TCP_SERVER)
2418  {
2419  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2420  if (backoff > 0)
2421  {
2422  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2423  sec = max_int(sec, 1) << min_int(backoff, 15);
2424  }
2425 
2426  if (sec > c->options.ce.connect_retry_seconds_max)
2427  {
2428  sec = c->options.ce.connect_retry_seconds_max;
2429  }
2430  }
2431 
2432  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2433  {
2434  sec = c->persist.restart_sleep_seconds;
2435  }
2436  else if (c->persist.restart_sleep_seconds == -1)
2437  {
2438  sec = 0;
2439  }
2440  c->persist.restart_sleep_seconds = 0;
2441 
2442  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2443  if (do_hold(sec))
2444  {
2445  sec = 0;
2446  }
2447 
2448  if (sec)
2449  {
2450  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2451  management_sleep(sec);
2452  }
2453 }
2454 
2455 /*
2456  * Do a possible pause on context_2 initialization.
2457  */
2458 static void
2459 do_startup_pause(struct context *c)
2460 {
2461  if (!c->first_time)
2462  {
2463  socket_restart_pause(c);
2464  }
2465  else
2466  {
2467  do_hold(0); /* do management hold on first context initialization */
2468  }
2469 }
2470 
2471 /*
2472  * Finalize MTU parameters based on command line or config file options.
2473  */
2474 static void
2475 frame_finalize_options(struct context *c, const struct options *o)
2476 {
2477  if (!o)
2478  {
2479  o = &c->options;
2480  }
2481 
2482  /*
2483  * Set adjustment factor for buffer alignment when no
2484  * cipher is used.
2485  */
2486  if (!CIPHER_ENABLED(c))
2487  {
2488  frame_align_to_extra_frame(&c->c2.frame);
2489  frame_or_align_flags(&c->c2.frame,
2490  FRAME_HEADROOM_MARKER_FRAGMENT
2491  |FRAME_HEADROOM_MARKER_READ_LINK
2492  |FRAME_HEADROOM_MARKER_READ_STREAM);
2493  }
2494 
2495  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2496  frame_finalize(&c->c2.frame,
2497  o->ce.link_mtu_defined,
2498  o->ce.link_mtu,
2499  o->ce.tun_mtu_defined,
2500  o->ce.tun_mtu);
2501 }
2502 
2503 /*
2504  * Free a key schedule, including OpenSSL components.
2505  */
2506 static void
2507 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2508 {
2509  free_key_ctx_bi(&ks->static_key);
2510  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2511  {
2512  tls_ctx_free(&ks->ssl_ctx);
2513  free_key_ctx(&ks->tls_crypt_v2_server_key);
2514  }
2515  CLEAR(*ks);
2516 }
2517 
2518 static void
2519 init_crypto_pre(struct context *c, const unsigned int flags)
2520 {
2521  if (c->options.engine)
2522  {
2523  crypto_init_lib_engine(c->options.engine);
2524  }
2525 
2526  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2527  {
2528  /* load a persisted packet-id for cross-session replay-protection */
2529  if (c->options.packet_id_file)
2530  {
2531  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2532  }
2533  }
2534 
2535 #ifdef ENABLE_PREDICTION_RESISTANCE
2536  if (c->options.use_prediction_resistance)
2537  {
2538  rand_ctx_enable_prediction_resistance();
2539  }
2540 #endif
2541 }
2542 
2543 /*
2544  * Static Key Mode (using a pre-shared key)
2545  */
2546 static void
2547 do_init_crypto_static(struct context *c, const unsigned int flags)
2548 {
2549  const struct options *options = &c->options;
2550  ASSERT(options->shared_secret_file);
2551 
2552  init_crypto_pre(c, flags);
2553 
2554  /* Initialize flags */
2555  if (c->options.mute_replay_warnings)
2556  {
2557  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2558  }
2559 
2560  /* Initialize packet ID tracking */
2561  if (options->replay)
2562  {
2563  packet_id_init(&c->c2.crypto_options.packet_id,
2564  options->replay_window,
2565  options->replay_time,
2566  "STATIC", 0);
2567  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2568  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2569  packet_id_persist_load_obj(&c->c1.pid_persist,
2570  &c->c2.crypto_options.packet_id);
2571  }
2572 
2573  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2574  {
2575  /* Get cipher & hash algorithms */
2576  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2577  options->keysize, options->test_crypto, true);
2578 
2579  /* Read cipher and hmac keys from shared secret file */
2580  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2581  options->shared_secret_file,
2582  options->shared_secret_file_inline,
2583  options->key_direction, "Static Key Encryption",
2584  "secret");
2585  }
2586  else
2587  {
2588  msg(M_INFO, "Re-using pre-shared static key");
2589  }
2590 
2591  /* Get key schedule */
2592  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2593 
2594  /* Compute MTU parameters */
2595  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2596  options->replay, true);
2597 
2598  /* Sanity check on sequence number, and cipher mode options */
2599  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2600 }
2601 
2602 /*
2603  * Initialize the tls-auth/crypt key context
2604  */
2605 static void
2606 do_init_tls_wrap_key(struct context *c)
2607 {
2608  const struct options *options = &c->options;
2609 
2610  /* TLS handshake authentication (--tls-auth) */
2611  if (options->ce.tls_auth_file)
2612  {
2613  /* Initialize key_type for tls-auth with auth only */
2614  CLEAR(c->c1.ks.tls_auth_key_type);
2615  if (!streq(options->authname, "none"))
2616  {
2617  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2618  c->c1.ks.tls_auth_key_type.hmac_length =
2619  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2620  }
2621  else
2622  {
2623  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2624  "algorithm specified ('%s')", options->authname);
2625  }
2626 
2627  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2628  &c->c1.ks.tls_wrap_key,
2629  options->ce.tls_auth_file,
2630  options->ce.tls_auth_file_inline,
2631  options->ce.key_direction,
2632  "Control Channel Authentication", "tls-auth");
2633  }
2634 
2635  /* TLS handshake encryption+authentication (--tls-crypt) */
2636  if (options->ce.tls_crypt_file)
2637  {
2638  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2639  options->ce.tls_crypt_file,
2640  options->ce.tls_crypt_file_inline,
2641  options->tls_server);
2642  }
2643 
2644  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2645  if (options->ce.tls_crypt_v2_file)
2646  {
2647  if (options->tls_server)
2648  {
2649  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2650  true, options->ce.tls_crypt_v2_file,
2651  options->ce.tls_crypt_v2_file_inline);
2652  }
2653  else
2654  {
2655  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2656  &c->c1.ks.tls_crypt_v2_wkc,
2657  options->ce.tls_crypt_v2_file,
2658  options->ce.tls_crypt_v2_file_inline);
2659  }
2660  }
2661 
2662 
2663 }
2664 
2665 /*
2666  * Initialise the auth-token key context
2667  */
2668 static void
2669 do_init_auth_token_key(struct context *c)
2670 {
2671  if (!c->options.auth_token_generate)
2672  {
2673  return;
2674  }
2675 
2676  auth_token_init_secret(&c->c1.ks.auth_token_key,
2677  c->options.auth_token_secret_file,
2678  c->options.auth_token_secret_file_inline);
2679 }
2680 
2681 /*
2682  * Initialize the persistent component of OpenVPN's TLS mode,
2683  * which is preserved across SIGUSR1 resets.
2684  */
2685 static void
2686 do_init_crypto_tls_c1(struct context *c)
2687 {
2688  const struct options *options = &c->options;
2689 
2690  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2691  {
2692  /*
2693  * Initialize the OpenSSL library's global
2694  * SSL context.
2695  */
2696  init_ssl(options, &(c->c1.ks.ssl_ctx));
2697  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2698  {
2699 #if P2MP
2700  switch (auth_retry_get())
2701  {
2702  case AR_NONE:
2703  msg(M_FATAL, "Error: private key password verification failed");
2704  break;
2705 
2706  case AR_INTERACT:
2707  ssl_purge_auth(false);
2708 
2709  case AR_NOINTERACT:
2710  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2711  break;
2712 
2713  default:
2714  ASSERT(0);
2715  }
2716  c->sig->signal_text = "private-key-password-failure";
2717  return;
2718 #else /* if P2MP */
2719  msg(M_FATAL, "Error: private key password verification failed");
2720 #endif /* if P2MP */
2721  }
2722 
2723  /* Get cipher & hash algorithms */
2724  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2725  options->keysize, true, true);
2726 
2727  /* Initialize PRNG with config-specified digest */
2728  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2729 
2730  /* initialize tls-auth/crypt/crypt-v2 key */
2731  do_init_tls_wrap_key(c);
2732 
2733  /* initialise auth-token crypto support */
2734  do_init_auth_token_key(c);
2735 
2736 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2737  if (options->priv_key_file_inline)
2738  {
2739  string_clear(c->options.priv_key_file_inline);
2740  c->options.priv_key_file_inline = NULL;
2741  }
2742 #endif
2743  }
2744  else
2745  {
2746  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2747 
2748  /*
2749  * tls-auth/crypt key can be configured per connection block, therefore
2750  * we must reload it as it may have changed
2751  */
2752  do_init_tls_wrap_key(c);
2753  }
2754 }
2755 
2756 static void
2757 do_init_crypto_tls(struct context *c, const unsigned int flags)
2758 {
2759  const struct options *options = &c->options;
2760  struct tls_options to;
2761  bool packet_id_long_form;
2762 
2763  ASSERT(options->tls_server || options->tls_client);
2764  ASSERT(!options->test_crypto);
2765 
2766  init_crypto_pre(c, flags);
2767 
2768  /* Make sure we are either a TLS client or server but not both */
2769  ASSERT(options->tls_server == !options->tls_client);
2770 
2771  /* initialize persistent component */
2772  do_init_crypto_tls_c1(c);
2773  if (IS_SIG(c))
2774  {
2775  return;
2776  }
2777 
2778  /* Sanity check on sequence number, and cipher mode options */
2779  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2780 
2781  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2782  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2783 
2784  /* Compute MTU parameters (postpone if we push/pull options) */
2785  if (c->options.pull || c->options.mode == MODE_SERVER)
2786  {
2787  /* Account for worst-case crypto overhead before allocating buffers */
2788  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2789  }
2790  else
2791  {
2792  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2793  options->replay, packet_id_long_form);
2794  }
2795  tls_adjust_frame_parameters(&c->c2.frame);
2796 
2797  /* Set all command-line TLS-related options */
2798  CLEAR(to);
2799 
2800  if (options->mute_replay_warnings)
2801  {
2802  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2803  }
2804 
2805  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2806  if (packet_id_long_form)
2807  {
2808  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2809  }
2810 
2811  to.ssl_ctx = c->c1.ks.ssl_ctx;
2812  to.key_type = c->c1.ks.key_type;
2813  to.server = options->tls_server;
2814  to.key_method = options->key_method;
2815  to.replay = options->replay;
2816  to.replay_window = options->replay_window;
2817  to.replay_time = options->replay_time;
2818  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2819  to.config_ciphername = c->c1.ciphername;
2820  to.config_ncp_ciphers = options->ncp_ciphers;
2821  to.ncp_enabled = options->ncp_enabled;
2822  to.transition_window = options->transition_window;
2823  to.handshake_window = options->handshake_window;
2824  to.packet_timeout = options->tls_timeout;
2825  to.renegotiate_bytes = options->renegotiate_bytes;
2826  to.renegotiate_packets = options->renegotiate_packets;
2827  if (options->renegotiate_seconds_min < 0)
2828  {
2829  /* Add 10% jitter to reneg-sec by default (server side only) */
2830  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2831  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2832  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2833  }
2834  else
2835  {
2836  /* Add user-specified jitter to reneg-sec */
2837  to.renegotiate_seconds = options->renegotiate_seconds
2838  -(get_random() % max_int(options->renegotiate_seconds
2839  - options->renegotiate_seconds_min, 1));
2840  }
2841  to.single_session = options->single_session;
2842  to.mode = options->mode;
2843  to.pull = options->pull;
2844  if (options->push_peer_info) /* all there is */
2845  {
2846  to.push_peer_info_detail = 2;
2847  }
2848  else if (options->pull) /* pull clients send some details */
2849  {
2850  to.push_peer_info_detail = 1;
2851  }
2852  else /* default: no peer-info at all */
2853  {
2854  to.push_peer_info_detail = 0;
2855  }
2856 
2857  /* should we not xmit any packets until we get an initial
2858  * response from client? */
2859  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2860  {
2861  to.xmit_hold = true;
2862  }
2863 
2864 #ifdef ENABLE_OCC
2865  to.disable_occ = !options->occ;
2866 #endif
2867 
2868  to.verify_command = options->tls_verify;
2869  to.verify_export_cert = options->tls_export_cert;
2870  to.verify_x509_type = (options->verify_x509_type & 0xff);
2871  to.verify_x509_name = options->verify_x509_name;
2872  to.crl_file = options->crl_file;
2873  to.crl_file_inline = options->crl_file_inline;
2874  to.ssl_flags = options->ssl_flags;
2875  to.ns_cert_type = options->ns_cert_type;
2876  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2877  to.remote_cert_eku = options->remote_cert_eku;
2878  to.verify_hash = options->verify_hash;
2879  to.verify_hash_algo = options->verify_hash_algo;
2880 #ifdef ENABLE_X509ALTUSERNAME
2881  to.x509_username_field = (char *) options->x509_username_field;
2882 #else
2883  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2884 #endif
2885  to.es = c->c2.es;
2886  to.net_ctx = &c->net_ctx;
2887 
2888 #ifdef ENABLE_DEBUG
2889  to.gremlin = c->options.gremlin;
2890 #endif
2891 
2892  to.plugins = c->plugins;
2893 
2894 #ifdef MANAGEMENT_DEF_AUTH
2895  to.mda_context = &c->c2.mda_context;
2896 #endif
2897 
2898  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2899  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2900  to.tmp_dir = options->tmp_dir;
2901  if (options->ccd_exclusive)
2902  {
2903  to.client_config_dir_exclusive = options->client_config_dir;
2904  }
2905  to.auth_user_pass_file = options->auth_user_pass_file;
2906  to.auth_token_generate = options->auth_token_generate;
2907  to.auth_token_lifetime = options->auth_token_lifetime;
2908  to.auth_token_call_auth = options->auth_token_call_auth;
2909  to.auth_token_key = c->c1.ks.auth_token_key;
2910 
2911  to.x509_track = options->x509_track;
2912 
2913 #if P2MP
2914 #ifdef ENABLE_MANAGEMENT
2915  to.sci = &options->sc_info;
2916 #endif
2917 #endif
2918 
2919 #ifdef USE_COMP
2920  to.comp_options = options->comp;
2921 #endif
2922 
2923 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2924  if (options->keying_material_exporter_label)
2925  {
2926  to.ekm_size = options->keying_material_exporter_length;
2927  if (to.ekm_size < 16 || to.ekm_size > 4095)
2928  {
2929  to.ekm_size = 0;
2930  }
2931 
2932  to.ekm_label = options->keying_material_exporter_label;
2933  to.ekm_label_size = strlen(to.ekm_label);
2934  }
2935  else
2936  {
2937  to.ekm_size = 0;
2938  }
2939 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2940 
2941  /* TLS handshake authentication (--tls-auth) */
2942  if (options->ce.tls_auth_file)
2943  {
2944  to.tls_wrap.mode = TLS_WRAP_AUTH;
2945  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2946  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2947  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2948  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2949  true, true);
2950  }
2951 
2952  /* TLS handshake encryption (--tls-crypt) */
2953  if (options->ce.tls_crypt_file
2954  || (options->ce.tls_crypt_v2_file && options->tls_client))
2955  {
2956  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2957  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2958  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2959  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2960  tls_crypt_adjust_frame_parameters(&to.frame);
2961 
2962  if (options->ce.tls_crypt_v2_file)
2963  {
2964  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2965  }
2966  }
2967 
2968  if (options->ce.tls_crypt_v2_file)
2969  {
2970  to.tls_crypt_v2 = true;
2971  if (options->tls_server)
2972  {
2973  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2974  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2975  }
2976  }
2977 
2978  /* If we are running over TCP, allow for
2979  * length prefix */
2980  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2981 
2982  /*
2983  * Initialize OpenVPN's master TLS-mode object.
2984  */
2985  if (flags & CF_INIT_TLS_MULTI)
2986  {
2987  c->c2.tls_multi = tls_multi_init(&to);
2988  }
2989 
2990  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2991  {
2992  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2993  }
2994 }
2995 
2996 static void
2997 do_init_finalize_tls_frame(struct context *c)
2998 {
2999  if (c->c2.tls_multi)
3000  {
3001  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3002  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3003  EXPANDED_SIZE(&c->c2.frame));
3004  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3005  "Control Channel MTU parms");
3006  }
3007  if (c->c2.tls_auth_standalone)
3008  {
3009  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3010  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3011  "TLS-Auth MTU parms");
3012  }
3013 }
3014 
3015 /*
3016  * No encryption or authentication.
3017  */
3018 static void
3019 do_init_crypto_none(const struct context *c)
3020 {
3021  ASSERT(!c->options.test_crypto);
3022  msg(M_WARN,
3023  "******* WARNING *******: All encryption and authentication features "
3024  "disabled -- All data will be tunnelled as clear text and will not be "
3025  "protected against man-in-the-middle changes. "
3026  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3027 }
3028 
3029 static void
3030 do_init_crypto(struct context *c, const unsigned int flags)
3031 {
3032  if (c->options.shared_secret_file)
3033  {
3034  do_init_crypto_static(c, flags);
3035  }
3036  else if (c->options.tls_server || c->options.tls_client)
3037  {
3038  do_init_crypto_tls(c, flags);
3039  }
3040  else /* no encryption or authentication. */
3041  {
3042  do_init_crypto_none(c);
3043  }
3044 }
3045 
3046 static void
3047 do_init_frame(struct context *c)
3048 {
3049 #ifdef USE_COMP
3050  /*
3051  * modify frame parameters if compression is enabled
3052  */
3053  if (comp_enabled(&c->options.comp))
3054  {
3055  comp_add_to_extra_frame(&c->c2.frame);
3056 
3057 #if !defined(ENABLE_LZ4)
3058  /*
3059  * Compression usage affects buffer alignment when non-swapped algs
3060  * such as LZO is used.
3061  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3062  * any special alignment because of the control-byte swap approach.
3063  * LZO alignment (on the other hand) is problematic because
3064  * the presence of the control byte means that either the output of
3065  * decryption must be written to an unaligned buffer, or the input
3066  * to compression (or packet dispatch if packet is uncompressed)
3067  * must be read from an unaligned buffer.
3068  * This code tries to align the input to compression (or packet
3069  * dispatch if packet is uncompressed) at the cost of requiring
3070  * decryption output to be written to an unaligned buffer, so
3071  * it's more of a tradeoff than an optimal solution and we don't
3072  * include it when we are doing a modern build with LZ4.
3073  * Strictly speaking, on the server it would be better to execute
3074  * this code for every connection after we decide the compression
3075  * method, but currently the frame code doesn't appear to be
3076  * flexible enough for this, since the frame is already established
3077  * before it is known which compression options will be pushed.
3078  */
3079  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3080  {
3081  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3082  frame_or_align_flags(&c->c2.frame,
3083  FRAME_HEADROOM_MARKER_FRAGMENT
3084  |FRAME_HEADROOM_MARKER_DECRYPT);
3085  }
3086 #endif
3087 
3088 #ifdef ENABLE_FRAGMENT
3089  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3090 #endif
3091  }
3092 #endif /* USE_COMP */
3093 
3094  /*
3095  * Adjust frame size for UDP Socks support.
3096  */
3097  if (c->options.ce.socks_proxy_server)
3098  {
3099  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3100  }
3101 
3102  /*
3103  * Adjust frame size based on the --tun-mtu-extra parameter.
3104  */
3105  if (c->options.ce.tun_mtu_extra_defined)
3106  {
3107  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3108  }
3109 
3110  /*
3111  * Adjust frame size based on link socket parameters.
3112  * (Since TCP is a stream protocol, we need to insert
3113  * a packet length uint16_t in the buffer.)
3114  */
3115  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3116 
3117  /*
3118  * Fill in the blanks in the frame parameters structure,
3119  * make sure values are rational, etc.
3120  */
3121  frame_finalize_options(c, NULL);
3122 
3123 #ifdef USE_COMP
3124  /*
3125  * Modify frame parameters if compression is compiled in.
3126  * Should be called after frame_finalize_options.
3127  */
3128  comp_add_to_extra_buffer(&c->c2.frame);
3129 #ifdef ENABLE_FRAGMENT
3130  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3131 #endif
3132 #endif /* USE_COMP */
3133 
3134  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3135  * and need link_mtu+3 bytes on socket reception (on server).
3136  *
3137  * accommodate receive path in f->extra_link, which has the side effect of
3138  * also increasing send buffers (BUF_SIZE() macro), which need to be
3139  * allocated big enough before receiving peer-id option from server.
3140  *
3141  * f->extra_frame is adjusted when peer-id option is push-received
3142  */
3143  frame_add_to_extra_link(&c->c2.frame, 3);
3144 
3145 #ifdef ENABLE_FRAGMENT
3146  /*
3147  * Set frame parameter for fragment code. This is necessary because
3148  * the fragmentation code deals with payloads which have already been
3149  * passed through the compression code.
3150  */
3151  c->c2.frame_fragment = c->c2.frame;
3152  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3153  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3154 #endif
3155 
3156 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3157  /*
3158  * MTU advisories
3159  */
3160  if (c->options.ce.fragment && c->options.mtu_test)
3161  {
3162  msg(M_WARN,
3163  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3164  }
3165 #endif
3166 
3167 #ifdef ENABLE_FRAGMENT
3168  if ((c->options.ce.mssfix || c->options.ce.fragment)
3169  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3170  {
3171  msg(M_WARN,
3172  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3173  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3174  }
3175 #endif
3176 }
3177 
3178 static void
3179 do_option_warnings(struct context *c)
3180 {
3181  const struct options *o = &c->options;
3182 
3183  if (o->ping_send_timeout && !o->ping_rec_timeout)
3184  {
3185  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3186  }
3187 
3188  if (o->username || o->groupname || o->chroot_dir
3189 #ifdef ENABLE_SELINUX
3190  || o->selinux_context
3191 #endif
3192  )
3193  {
3194  if (!o->persist_tun)
3195  {
3196  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3197  }
3198  if (!o->persist_key
3199 #ifdef ENABLE_PKCS11
3200  && !o->pkcs11_id
3201 #endif
3202  )
3203  {
3204  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3205  }
3206  }
3207 
3208  if (o->chroot_dir && !(o->username && o->groupname))
3209  {
3210  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3211  }
3212 
3213 #if P2MP
3214  if (o->pull && o->ifconfig_local && c->first_time)
3215  {
3216  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3217  }
3218 
3219  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3220  {
3221  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3222  }
3223 
3224  if (o->mode == MODE_SERVER)
3225  {
3226  if (o->duplicate_cn && o->client_config_dir)
3227  {
3228  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3229  }
3230  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3231  {
3232  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3233  }
3234  if (!o->keepalive_ping || !o->keepalive_timeout)
3235  {
3236  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3237  }
3238  }
3239 #endif /* if P2MP */
3240 
3241  if (!o->replay)
3242  {
3243  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3244  }
3245 
3246  if (o->tls_server)
3247  {
3248  warn_on_use_of_common_subnets(&c->net_ctx);
3249  }
3250  if (o->tls_client
3251  && !o->tls_verify
3252  && o->verify_x509_type == VERIFY_X509_NONE
3253  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3254  && !o->remote_cert_eku)
3255  {
3256  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3257  }
3258  if (o->ns_cert_type)
3259  {
3260  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3261  }
3262 
3263  /* If a script is used, print appropriate warnings */
3264  if (o->user_script_used)
3265  {
3266  if (script_security() >= SSEC_SCRIPTS)
3267  {
3268  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3269  }
3270  else if (script_security() >= SSEC_PW_ENV)
3271  {
3272  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3273  }
3274  else
3275  {
3276  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3277  }
3278  }
3279 }
3280 
3281 static void
3282 do_init_frame_tls(struct context *c)
3283 {
3284  do_init_finalize_tls_frame(c);
3285 }
3286 
3287 struct context_buffers *
3288 init_context_buffers(const struct frame *frame)
3289 {
3290  struct context_buffers *b;
3291 
3292  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3293 
3294  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3295  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3296 
3297  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3298 
3299  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3300  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3301 
3302 #ifdef USE_COMP
3303  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3304  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3305 #endif
3306 
3307  return b;
3308 }
3309 
3310 void
3311 free_context_buffers(struct context_buffers *b)
3312 {
3313  if (b)
3314  {
3315  free_buf(&b->read_link_buf);
3316  free_buf(&b->read_tun_buf);
3317  free_buf(&b->aux_buf);
3318 
3319 #ifdef USE_COMP
3320  free_buf(&b->compress_buf);
3321  free_buf(&b->decompress_buf);
3322 #endif
3323 
3324  free_buf(&b->encrypt_buf);
3325  free_buf(&b->decrypt_buf);
3326 
3327  free(b);
3328  }
3329 }
3330 
3331 /*
3332  * Now that we know all frame parameters, initialize
3333  * our buffers.
3334  */
3335 static void
3336 do_init_buffers(struct context *c)
3337 {
3338  c->c2.buffers = init_context_buffers(&c->c2.frame);
3339  c->c2.buffers_owned = true;
3340 }
3341 
3342 #ifdef ENABLE_FRAGMENT
3343 /*
3344  * Fragmenting code has buffers to initialize
3345  * once frame parameters are known.
3346  */
3347 static void
3348 do_init_fragment(struct context *c)
3349 {
3350  ASSERT(c->options.ce.fragment);
3351  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3352  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3353  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3354 }
3355 #endif
3356 
3357 /*
3358  * Allocate our socket object.
3359  */
3360 static void
3361 do_link_socket_new(struct context *c)
3362 {
3363  ASSERT(!c->c2.link_socket);
3364  c->c2.link_socket = link_socket_new();
3365  c->c2.link_socket_owned = true;
3366 }
3367 
3368 /*
3369  * bind the TCP/UDP socket
3370  */
3371 static void
3372 do_init_socket_1(struct context *c, const int mode)
3373 {
3374  unsigned int sockflags = c->options.sockflags;
3375 
3376 #if PORT_SHARE
3377  if (c->options.port_share_host && c->options.port_share_port)
3378  {
3379  sockflags |= SF_PORT_SHARE;
3380  }
3381 #endif
3382 
3383  link_socket_init_phase1(c->c2.link_socket,
3384  c->options.ce.local,
3385  c->options.ce.local_port,
3386  c->options.ce.remote,
3387  c->options.ce.remote_port,
3388  c->c1.dns_cache,
3389  c->options.ce.proto,
3390  c->options.ce.af,
3391  c->options.ce.bind_ipv6_only,
3392  mode,
3393  c->c2.accept_from,
3394  c->c1.http_proxy,
3395  c->c1.socks_proxy,
3396 #ifdef ENABLE_DEBUG
3397  c->options.gremlin,
3398 #endif
3399  c->options.ce.bind_local,
3400  c->options.ce.remote_float,
3401  c->options.inetd,
3402  &c->c1.link_socket_addr,
3403  c->options.ipchange,
3404  c->plugins,
3405  c->options.resolve_retry_seconds,
3406  c->options.ce.mtu_discover_type,
3407  c->options.rcvbuf,
3408  c->options.sndbuf,
3409  c->options.mark,
3410  &c->c2.server_poll_interval,
3411  sockflags);
3412 }
3413 
3414 /*
3415  * finalize the TCP/UDP socket
3416  */
3417 static void
3418 do_init_socket_2(struct context *c)
3419 {
3420  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3421  c->sig);
3422 }
3423 
3424 /*
3425  * Print MTU INFO
3426  */
3427 static void
3428 do_print_data_channel_mtu_parms(struct context *c)
3429 {
3430  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3431 #ifdef ENABLE_FRAGMENT
3432  if (c->c2.fragment)
3433  {
3434  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3435  "Fragmentation MTU parms");
3436  }
3437 #endif
3438 }
3439 
3440 #ifdef ENABLE_OCC
3441 /*
3442  * Get local and remote options compatibility strings.
3443  */
3444 static void
3445 do_compute_occ_strings(struct context *c)
3446 {
3447  struct gc_arena gc = gc_new();
3448 
3449  c->c2.options_string_local =
3450  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3451  false, &gc);
3452  c->c2.options_string_remote =
3453  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3454  true, &gc);
3455 
3456  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3457  options_string_version(c->c2.options_string_local, &gc),
3458  c->c2.options_string_local);
3459  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3460  options_string_version(c->c2.options_string_remote, &gc),
3461  c->c2.options_string_remote);
3462 
3463  if (c->c2.tls_multi)
3464  {
3465  tls_multi_init_set_options(c->c2.tls_multi,
3466  c->c2.options_string_local,
3467  c->c2.options_string_remote);
3468  }
3469 
3470  gc_free(&gc);
3471 }
3472 #endif /* ifdef ENABLE_OCC */
3473 
3474 /*
3475  * These things can only be executed once per program instantiation.
3476  * Set up for possible UID/GID downgrade, but don't do it yet.
3477  * Daemonize if requested.
3478  */
3479 static void
3480 do_init_first_time(struct context *c)
3481 {
3482  if (c->first_time && !c->c0)
3483  {
3484  struct context_0 *c0;
3485 
3486  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3487  c0 = c->c0;
3488 
3489  /* get user and/or group that we want to setuid/setgid to */
3490  c0->uid_gid_specified =
3491  platform_group_get(c->options.groupname, &c0->platform_state_group)
3492  |platform_user_get(c->options.username, &c0->platform_state_user);
3493 
3494  /* perform postponed chdir if --daemon */
3495  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3496  {
3497  platform_chdir("/");
3498  }
3499 
3500  /* should we change scheduling priority? */
3501  platform_nice(c->options.nice);
3502  }
3503 }
3504 
3505 /*
3506  * If xinetd/inetd mode, don't allow restart.
3507  */
3508 static void
3509 do_close_check_if_restart_permitted(struct context *c)
3510 {
3511  if (c->options.inetd
3512  && (c->sig->signal_received == SIGHUP
3513  || c->sig->signal_received == SIGUSR1))
3514  {
3515  c->sig->signal_received = SIGTERM;
3516  msg(M_INFO,
3517  PACKAGE_NAME
3518  " started by inetd/xinetd cannot restart... Exiting.");
3519  }
3520 }
3521 
3522 /*
3523  * free buffers
3524  */
3525 static void
3526 do_close_free_buf(struct context *c)
3527 {
3528  if (c->c2.buffers_owned)
3529  {
3530  free_context_buffers(c->c2.buffers);
3531  c->c2.buffers = NULL;
3532  c->c2.buffers_owned = false;
3533  }
3534 }
3535 
3536 /*
3537  * close TLS
3538  */
3539 static void
3540 do_close_tls(struct context *c)
3541 {
3542  if (c->c2.tls_multi)
3543  {
3544  tls_multi_free(c->c2.tls_multi, true);
3545  c->c2.tls_multi = NULL;
3546  }
3547 
3548 #ifdef ENABLE_OCC
3549  /* free options compatibility strings */
3550  if (c->c2.options_string_local)
3551  {
3552  free(c->c2.options_string_local);
3553  }
3554  if (c->c2.options_string_remote)
3555  {
3556  free(c->c2.options_string_remote);
3557  }
3558  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3559 #endif
3560 
3561  if (c->c2.pulled_options_state)
3562  {
3563  md_ctx_cleanup(c->c2.pulled_options_state);
3564  md_ctx_free(c->c2.pulled_options_state);
3565  }
3566 }
3567 
3568 /*
3569  * Free key schedules
3570  */
3571 static void
3572 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3573 {
3574  /*
3575  * always free the tls_auth/crypt key. If persist_key is true, the key will
3576  * be reloaded from memory (pre-cached)
3577  */
3578  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3579  CLEAR(c->c1.ks.tls_wrap_key);
3580  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3581  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3582 
3583  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3584  {
3585  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3586  }
3587 }
3588 
3589 /*
3590  * Close TCP/UDP connection
3591  */
3592 static void
3593 do_close_link_socket(struct context *c)
3594 {
3595  if (c->c2.link_socket && c->c2.link_socket_owned)
3596  {
3597  link_socket_close(c->c2.link_socket);
3598  c->c2.link_socket = NULL;
3599  }
3600 
3601 
3602  /* Preserve the resolved list of remote if the user request to or if we want
3603  * reconnect to the same host again or there are still addresses that need
3604  * to be tried */
3605  if (!(c->sig->signal_received == SIGUSR1
3606  && ( (c->options.persist_remote_ip)
3607  ||
3608  ( c->sig->source != SIG_SOURCE_HARD
3609  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3610  || c->options.no_advance))
3611  )))
3612  {
3613  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3614  }
3615 
3616  /* Clear the remote actual address when persist_remote_ip is not in use */
3617  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3618  {
3619  CLEAR(c->c1.link_socket_addr.actual);
3620  }
3621 
3622  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3623  {
3624  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3625  {
3626  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3627  }
3628 
3629  c->c1.link_socket_addr.bind_local = NULL;
3630  }
3631 }
3632 
3633 /*
3634  * Close packet-id persistence file
3635  */
3636 static void
3637 do_close_packet_id(struct context *c)
3638 {
3639  packet_id_free(&c->c2.crypto_options.packet_id);
3640  packet_id_persist_save(&c->c1.pid_persist);
3641  if (!(c->sig->signal_received == SIGUSR1))
3642  {
3643  packet_id_persist_close(&c->c1.pid_persist);
3644  }
3645 }
3646 
3647 #ifdef ENABLE_FRAGMENT
3648 /*
3649  * Close fragmentation handler.
3650  */
3651 static void
3652 do_close_fragment(struct context *c)
3653 {
3654  if (c->c2.fragment)
3655  {
3656  fragment_free(c->c2.fragment);
3657  c->c2.fragment = NULL;
3658  }
3659 }
3660 #endif
3661 
3662 /*
3663  * Open and close our event objects.
3664  */
3665 
3666 static void
3667 do_event_set_init(struct context *c,
3668  bool need_us_timeout)
3669 {
3670  unsigned int flags = 0;
3671 
3672  c->c2.event_set_max = BASE_N_EVENTS;
3673 
3674  flags |= EVENT_METHOD_FAST;
3675 
3676  if (need_us_timeout)
3677  {
3678  flags |= EVENT_METHOD_US_TIMEOUT;
3679  }
3680 
3681  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3682  c->c2.event_set_owned = true;
3683 }
3684 
3685 static void
3686 do_close_event_set(struct context *c)
3687 {
3688  if (c->c2.event_set && c->c2.event_set_owned)
3689  {
3690  event_free(c->c2.event_set);
3691  c->c2.event_set = NULL;
3692  c->c2.event_set_owned = false;
3693  }
3694 }
3695 
3696 /*
3697  * Open and close --status file
3698  */
3699 
3700 static void
3701 do_open_status_output(struct context *c)
3702 {
3703  if (!c->c1.status_output)
3704  {
3705  c->c1.status_output = status_open(c->options.status_file,
3706  c->options.status_file_update_freq,
3707  -1,
3708  NULL,
3709  STATUS_OUTPUT_WRITE);
3710  c->c1.status_output_owned = true;
3711  }
3712 }
3713 
3714 static void
3715 do_close_status_output(struct context *c)
3716 {
3717  if (!(c->sig->signal_received == SIGUSR1))
3718  {
3719  if (c->c1.status_output_owned && c->c1.status_output)
3720  {
3721  status_close(c->c1.status_output);
3722  c->c1.status_output = NULL;
3723  c->c1.status_output_owned = false;
3724  }
3725  }
3726 }
3727 
3728 /*
3729  * Handle ifconfig-pool persistence object.
3730  */
3731 static void
3732 do_open_ifconfig_pool_persist(struct context *c)
3733 {
3734  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3735  {
3736  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3737  c->options.ifconfig_pool_persist_refresh_freq);
3738  c->c1.ifconfig_pool_persist_owned = true;
3739  }
3740 }
3741 
3742 static void
3743 do_close_ifconfig_pool_persist(struct context *c)
3744 {
3745  if (!(c->sig->signal_received == SIGUSR1))
3746  {
3747  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3748  {
3749  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3750  c->c1.ifconfig_pool_persist = NULL;
3751  c->c1.ifconfig_pool_persist_owned = false;
3752  }
3753  }
3754 }
3755 
3756 /*
3757  * Inherit environmental variables
3758  */
3759 
3760 static void
3761 do_inherit_env(struct context *c, const struct env_set *src)
3762 {
3763  c->c2.es = env_set_create(NULL);
3764  c->c2.es_owned = true;
3765  env_set_inherit(c->c2.es, src);
3766 }
3767 
3768 static void
3769 do_env_set_destroy(struct context *c)
3770 {
3771  if (c->c2.es && c->c2.es_owned)
3772  {
3773  env_set_destroy(c->c2.es);
3774  c->c2.es = NULL;
3775  c->c2.es_owned = false;
3776  }
3777 }
3778 
3779 /*
3780  * Fast I/O setup. Fast I/O is an optimization which only works
3781  * if all of the following are true:
3782  *
3783  * (1) The platform is not Windows
3784  * (2) --proto udp is enabled
3785  * (3) --shaper is disabled
3786  */
3787 static void
3788 do_setup_fast_io(struct context *c)
3789 {
3790  if (c->options.fast_io)
3791  {
3792 #ifdef _WIN32
3793  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3794 #else
3795  if (!proto_is_udp(c->options.ce.proto))
3796  {
3797  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3798  }
3799  else
3800  {
3801 #ifdef ENABLE_FEATURE_SHAPER
3802  if (c->options.shaper)
3803  {
3804  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3805  }
3806  else
3807 #endif
3808  {
3809  c->c2.fast_io = true;
3810  }
3811  }
3812 #endif
3813  }
3814 }
3815 
3816 static void
3817 do_signal_on_tls_errors(struct context *c)
3818 {
3819  if (c->options.tls_exit)
3820  {
3821  c->c2.tls_exit_signal = SIGTERM;
3822  }
3823  else
3824  {
3825  c->c2.tls_exit_signal = SIGUSR1;
3826  }
3827 }
3828 
3829 #ifdef ENABLE_PLUGIN
3830 
3831 void
3832 init_plugins(struct context *c)
3833 {
3834  if (c->options.plugin_list && !c->plugins)
3835  {
3836  c->plugins = plugin_list_init(c->options.plugin_list);
3837  c->plugins_owned = true;
3838  }
3839 }
3840 
3841 void
3842 open_plugins(struct context *c, const bool import_options, int init_point)
3843 {
3844  if (c->plugins && c->plugins_owned)
3845  {
3846  if (import_options)
3847  {
3848  struct plugin_return pr, config;
3849  plugin_return_init(&pr);
3850  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3851  plugin_return_get_column(&pr, &config, "config");
3852  if (plugin_return_defined(&config))
3853  {
3854  int i;
3855  for (i = 0; i < config.n; ++i)
3856  {
3857  unsigned int option_types_found = 0;
3858  if (config.list[i] && config.list[i]->value)
3859  {
3860  options_string_import(&c->options,
3861  config.list[i]->value,
3862  D_IMPORT_ERRORS|M_OPTERR,
3863  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3864  &option_types_found,
3865  c->es);
3866  }
3867  }
3868  }
3869  plugin_return_free(&pr);
3870  }
3871  else
3872  {
3873  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3874  }
3875  }
3876 }
3877 
3878 static void
3879 do_close_plugins(struct context *c)
3880 {
3881  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3882  {
3883  plugin_list_close(c->plugins);
3884  c->plugins = NULL;
3885  c->plugins_owned = false;
3886  }
3887 }
3888 
3889 static void
3890 do_inherit_plugins(struct context *c, const struct context *src)
3891 {
3892  if (!c->plugins && src->plugins)
3893  {
3894  c->plugins = plugin_list_inherit(src->plugins);
3895  c->plugins_owned = true;
3896  }
3897 }
3898 
3899 #endif /* ifdef ENABLE_PLUGIN */
3900 
3901 #ifdef ENABLE_MANAGEMENT
3902 
3903 static void
3904 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3905 {
3906  struct context *c = (struct context *) arg;
3907  print_status(c, so);
3908 }
3909 
3910 void
3911 management_show_net_callback(void *arg, const int msglevel)
3912 {
3913 #ifdef _WIN32
3914  show_routes(msglevel);
3915  show_adapters(msglevel);
3916  msg(msglevel, "END");
3917 #else
3918  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3919 #endif
3920 }
3921 
3922 #ifdef TARGET_ANDROID
3923 int
3924 management_callback_network_change(void *arg, bool samenetwork)
3925 {
3926  /* Check if the client should translate the network change to a SIGUSR1 to
3927  * reestablish the connection or just reprotect the socket
3928  *
3929  * At the moment just assume that, for all settings that use pull (not
3930  * --static) and are not using peer-id reestablishing the connection is
3931  * required (unless the network is the same)
3932  *
3933  * The function returns -1 on invalid fd and -2 if the socket cannot be
3934  * reused. On the -2 return value the man_network_change function triggers
3935  * a SIGUSR1 to force a reconnect.
3936  */
3937 
3938  int socketfd = -1;
3939  struct context *c = (struct context *) arg;
3940  if (!c->c2.link_socket)
3941  {
3942  return -1;
3943  }
3944  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3945  {
3946  return -1;
3947  }
3948 
3949  socketfd = c->c2.link_socket->sd;
3950  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3951  {
3952  return socketfd;
3953  }
3954  else
3955  {
3956  return -2;
3957  }
3958 }
3959 #endif /* ifdef TARGET_ANDROID */
3960 
3961 #endif /* ifdef ENABLE_MANAGEMENT */
3962 
3963 void
3964 init_management_callback_p2p(struct context *c)
3965 {
3966 #ifdef ENABLE_MANAGEMENT
3967  if (management)
3968  {
3969  struct management_callback cb;
3970  CLEAR(cb);
3971  cb.arg = c;
3972  cb.status = management_callback_status_p2p;
3973  cb.show_net = management_show_net_callback;
3974  cb.proxy_cmd = management_callback_proxy_cmd;
3975  cb.remote_cmd = management_callback_remote_cmd;
3976 #ifdef TARGET_ANDROID
3977  cb.network_change = management_callback_network_change;
3978 #endif
3979  management_set_callback(management, &cb);
3980  }
3981 #endif
3982 }
3983 
3984 #ifdef ENABLE_MANAGEMENT
3985 
3986 void
3987 init_management(void)
3988 {
3989  if (!management)
3990  {
3991  management = management_init();
3992  }
3993 }
3994 
3995 bool
3996 open_management(struct context *c)
3997 {
3998  /* initialize management layer */
3999  if (management)
4000  {
4001  if (c->options.management_addr)
4002  {
4003  unsigned int flags = c->options.management_flags;
4004  if (c->options.mode == MODE_SERVER)
4005  {
4006  flags |= MF_SERVER;
4007  }
4008  if (management_open(management,
4009  c->options.management_addr,
4010  c->options.management_port,
4011  c->options.management_user_pass,
4012  c->options.management_client_user,
4013  c->options.management_client_group,
4014  c->options.management_log_history_cache,
4015  c->options.management_echo_buffer_size,
4016  c->options.management_state_buffer_size,
4017  c->options.management_write_peer_info_file,
4018  c->options.remap_sigusr1,
4019  flags))
4020  {
4021  management_set_state(management,
4022  OPENVPN_STATE_CONNECTING,
4023  NULL,
4024  NULL,
4025  NULL,
4026  NULL,
4027  NULL);
4028  }
4029 
4030  /* initial management hold, called early, before first context initialization */
4031  do_hold(0);
4032  if (IS_SIG(c))
4033  {
4034  msg(M_WARN, "Signal received from management interface, exiting");
4035  return false;
4036  }
4037  }
4038  else
4039  {
4040  close_management();
4041  }
4042  }
4043  return true;
4044 }
4045 
4046 void
4047 close_management(void)
4048 {
4049  if (management)
4050  {
4051  management_close(management);
4052  management = NULL;
4053  }
4054 }
4055 
4056 #endif /* ifdef ENABLE_MANAGEMENT */
4057 
4058 
4059 void
4060 uninit_management_callback(void)
4061 {
4062 #ifdef ENABLE_MANAGEMENT
4063  if (management)
4064  {
4065  management_clear_callback(management);
4066  }
4067 #endif
4068 }
4069 
4070 /*
4071  * Initialize a tunnel instance, handle pre and post-init
4072  * signal settings.
4073  */
4074 void
4075 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4076 {
4077  pre_init_signal_catch();
4078  init_instance(c, env, flags);
4079  post_init_signal_catch();
4080 
4081  /*
4082  * This is done so that signals thrown during
4083  * initialization can bring us back to
4084  * a management hold.
4085  */
4086  if (IS_SIG(c))
4087  {
4088  remap_signal(c);
4089  uninit_management_callback();
4090  }
4091 }
4092 
4093 /*
4094  * Initialize a tunnel instance.
4095  */
4096 void
4097 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4098 {
4099  const struct options *options = &c->options;
4100  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4101  int link_socket_mode = LS_MODE_DEFAULT;
4102 
4103  /* init garbage collection level */
4104  gc_init(&c->c2.gc);
4105 
4106  /* inherit environmental variables */
4107  if (env)
4108  {
4109  do_inherit_env(c, env);
4110  }
4111 
4112  /* signals caught here will abort */
4113  c->sig->signal_received = 0;
4114  c->sig->signal_text = NULL;
4115  c->sig->source = SIG_SOURCE_SOFT;
4116 
4117  if (c->mode == CM_P2P)
4118  {
4119  init_management_callback_p2p(c);
4120  }
4121 
4122  /* possible sleep or management hold if restart */
4123  if (c->mode == CM_P2P || c->mode == CM_TOP)
4124  {
4125  do_startup_pause(c);
4126  if (IS_SIG(c))
4127  {
4128  goto sig;
4129  }
4130  }
4131 
4132  if (c->options.resolve_in_advance)
4133  {
4134  do_preresolve(c);
4135  if (IS_SIG(c))
4136  {
4137  goto sig;
4138  }
4139  }
4140 
4141  /* map in current connection entry */
4142  next_connection_entry(c);
4143 
4144  /* link_socket_mode allows CM_CHILD_TCP
4145  * instances to inherit acceptable fds
4146  * from a top-level parent */
4147  if (c->options.ce.proto == PROTO_TCP_SERVER)
4148  {
4149  if (c->mode == CM_TOP)
4150  {
4151  link_socket_mode = LS_MODE_TCP_LISTEN;
4152  }
4153  else if (c->mode == CM_CHILD_TCP)
4154  {
4155  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4156  }
4157  }
4158 
4159  /* should we disable paging? */
4160  if (c->first_time && options->mlock)
4161  {
4162  platform_mlockall(true);
4163  }
4164 
4165 #if P2MP
4166  /* get passwords if undefined */
4167  if (auth_retry_get() == AR_INTERACT)
4168  {
4169  init_query_passwords(c);
4170  }
4171 #endif
4172 
4173  /* initialize context level 2 --verb/--mute parms */
4174  init_verb_mute(c, IVM_LEVEL_2);
4175 
4176  /* set error message delay for non-server modes */
4177  if (c->mode == CM_P2P)
4178  {
4179  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4180  }
4181 
4182  /* warn about inconsistent options */
4183  if (c->mode == CM_P2P || c->mode == CM_TOP)
4184  {
4185  do_option_warnings(c);
4186  }
4187 
4188 #ifdef ENABLE_PLUGIN
4189  /* initialize plugins */
4190  if (c->mode == CM_P2P || c->mode == CM_TOP)
4191  {
4192  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4193  }
4194 #endif
4195 
4196  /* should we enable fast I/O? */
4197  if (c->mode == CM_P2P || c->mode == CM_TOP)
4198  {
4199  do_setup_fast_io(c);
4200  }
4201 
4202  /* should we throw a signal on TLS errors? */
4203  do_signal_on_tls_errors(c);
4204 
4205  /* open --status file */
4206  if (c->mode == CM_P2P || c->mode == CM_TOP)
4207  {
4208  do_open_status_output(c);
4209  }
4210 
4211  /* open --ifconfig-pool-persist file */
4212  if (c->mode == CM_TOP)
4213  {
4214  do_open_ifconfig_pool_persist(c);
4215  }
4216 
4217 #ifdef ENABLE_OCC
4218  /* reset OCC state */
4219  if (c->mode == CM_P2P || child)
4220  {
4221  c->c2.occ_op = occ_reset_op();
4222  }
4223 #endif
4224 
4225  /* our wait-for-i/o objects, different for posix vs. win32 */
4226  if (c->mode == CM_P2P)
4227  {
4228  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4229  }
4230  else if (c->mode == CM_CHILD_TCP)
4231  {
4232  do_event_set_init(c, false);
4233  }
4234 
4235  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4236  init_proxy(c);
4237 
4238  /* allocate our socket object */
4239  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4240  {
4241  do_link_socket_new(c);
4242  }
4243 
4244 #ifdef ENABLE_FRAGMENT
4245  /* initialize internal fragmentation object */
4246  if (options->ce.fragment && (c->mode == CM_P2P || child))
4247  {
4248  c->c2.fragment = fragment_init(&c->c2.frame);
4249  }
4250 #endif
4251 
4252  /* init crypto layer */
4253  {
4254  unsigned int crypto_flags = 0;
4255  if (c->mode == CM_TOP)
4256  {
4257  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4258  }
4259  else if (c->mode == CM_P2P)
4260  {
4261  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4262  }
4263  else if (child)
4264  {
4265  crypto_flags = CF_INIT_TLS_MULTI;
4266  }
4267  do_init_crypto(c, crypto_flags);
4268  if (IS_SIG(c) && !child)
4269  {
4270  goto sig;
4271  }
4272  }
4273 
4274 #ifdef USE_COMP
4275  /* initialize compression library. */
4276  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4277  {
4278  c->c2.comp_context = comp_init(&options->comp);
4279  }
4280 #endif
4281 
4282  /* initialize MTU variables */
4283  do_init_frame(c);
4284 
4285  /* initialize TLS MTU variables */
4286  do_init_frame_tls(c);
4287 
4288  /* init workspace buffers whose size is derived from frame size */
4289  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4290  {
4291  do_init_buffers(c);
4292  }
4293 
4294 #ifdef ENABLE_FRAGMENT
4295  /* initialize internal fragmentation capability with known frame size */
4296  if (options->ce.fragment && (c->mode == CM_P2P || child))
4297  {
4298  do_init_fragment(c);
4299  }
4300 #endif
4301 
4302  /* initialize dynamic MTU variable */
4303  frame_init_mssfix(&c->c2.frame, &c->options);
4304 
4305  /* bind the TCP/UDP socket */
4306  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4307  {
4308  do_init_socket_1(c, link_socket_mode);
4309  }
4310 
4311  /* initialize tun/tap device object,
4312  * open tun/tap device, ifconfig, run up script, etc. */
4313  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4314  {
4315  c->c2.did_open_tun = do_open_tun(c);
4316  }
4317 
4318  c->c2.frame_initial = c->c2.frame;
4319 
4320  /* print MTU info */
4321  do_print_data_channel_mtu_parms(c);
4322 
4323 #ifdef ENABLE_OCC
4324  /* get local and remote options compatibility strings */
4325  if (c->mode == CM_P2P || child)
4326  {
4327  do_compute_occ_strings(c);
4328  }
4329 #endif
4330 
4331  /* initialize output speed limiter */
4332  if (c->mode == CM_P2P)
4333  {
4334  do_init_traffic_shaper(c);
4335  }
4336 
4337  /* do one-time inits, and possibly become a daemon here */
4338  do_init_first_time(c);
4339 
4340 #ifdef ENABLE_PLUGIN
4341  /* initialize plugins */
4342  if (c->mode == CM_P2P || c->mode == CM_TOP)
4343  {
4344  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4345  }
4346 #endif
4347 
4348  /* initialise connect timeout timer */
4349  do_init_server_poll_timeout(c);
4350 
4351  /* finalize the TCP/UDP socket */
4352  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4353  {
4354  do_init_socket_2(c);
4355  }
4356 
4357  /*
4358  * Actually do UID/GID downgrade, and chroot, if requested.
4359  * May be delayed by --client, --pull, or --up-delay.
4360  */
4361  do_uid_gid_chroot(c, c->c2.did_open_tun);
4362 
4363  /* initialize timers */
4364  if (c->mode == CM_P2P || child)
4365  {
4366  do_init_timers(c, false);
4367  }
4368 
4369 #ifdef ENABLE_PLUGIN
4370  /* initialize plugins */
4371  if (c->mode == CM_P2P || c->mode == CM_TOP)
4372  {
4373  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4374  }
4375 #endif
4376 
4377 #if PORT_SHARE
4378  /* share OpenVPN port with foreign (such as HTTPS) server */
4379  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4380  {
4381  init_port_share(c);
4382  }
4383 #endif
4384 
4385 #ifdef ENABLE_PF
4386  if (child)
4387  {
4388  pf_init_context(c);
4389  }
4390 #endif
4391 
4392  /* Check for signals */
4393  if (IS_SIG(c))
4394  {
4395  goto sig;
4396  }
4397 
4398  return;
4399 
4400 sig:
4401  if (!c->sig->signal_text)
4402  {
4403  c->sig->signal_text = "init_instance";
4404  }
4405  close_context(c, -1, flags);
4406  return;
4407 }
4408 
4409 /*
4410  * Close a tunnel instance.
4411  */
4412 void
4413 close_instance(struct context *c)
4414 {
4415  /* close event objects */
4416  do_close_event_set(c);
4417 
4418  if (c->mode == CM_P2P
4419  || c->mode == CM_CHILD_TCP
4420  || c->mode == CM_CHILD_UDP
4421  || c->mode == CM_TOP)
4422  {
4423  /* if xinetd/inetd mode, don't allow restart */
4424  do_close_check_if_restart_permitted(c);
4425 
4426 #ifdef USE_COMP
4427  if (c->c2.comp_context)
4428  {
4429  comp_uninit(c->c2.comp_context);
4430  c->c2.comp_context = NULL;
4431  }
4432 #endif
4433 
4434  /* free buffers */
4435  do_close_free_buf(c);
4436 
4437  /* close TLS */
4438  do_close_tls(c);
4439 
4440  /* free key schedules */
4441  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4442 
4443  restore_ncp_options(c);
4444 
4445  /* close TCP/UDP connection */
4446  do_close_link_socket(c);
4447 
4448  /* close TUN/TAP device */
4449  do_close_tun(c, false);
4450 
4451 #ifdef MANAGEMENT_DEF_AUTH
4452  if (management)
4453  {
4454  management_notify_client_close(management, &c->c2.mda_context, NULL);
4455  }
4456 #endif
4457 
4458 #ifdef ENABLE_PF
4459  pf_destroy_context(&c->c2.pf);
4460 #endif
4461 
4462 #ifdef ENABLE_PLUGIN
4463  /* call plugin close functions and unload */
4464  do_close_plugins(c);
4465 #endif
4466 
4467  /* close packet-id persistence file */
4468  do_close_packet_id(c);
4469 
4470  /* close --status file */
4471  do_close_status_output(c);
4472 
4473 #ifdef ENABLE_FRAGMENT
4474  /* close fragmentation handler */
4475  do_close_fragment(c);
4476 #endif
4477 
4478  /* close --ifconfig-pool-persist obj */
4479  do_close_ifconfig_pool_persist(c);
4480 
4481  /* free up environmental variable store */
4482  do_env_set_destroy(c);
4483 
4484  /* close HTTP or SOCKS proxy */
4485  uninit_proxy(c);
4486 
4487  /* garbage collect */
4488  gc_free(&c->c2.gc);
4489  }
4490 }
4491 
4492 void
4493 inherit_context_child(struct context *dest,
4494  const struct context *src)
4495 {
4496  CLEAR(*dest);
4497 
4498  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4499  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4500 
4501  dest->gc = gc_new();
4502 
4503  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4504 
4505  /* c1 init */
4506  packet_id_persist_init(&dest->c1.pid_persist);
4507 
4508  dest->c1.ks.key_type = src->c1.ks.key_type;
4509  /* inherit SSL context */
4510  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4511  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4512  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4513  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4514  /* inherit pre-NCP ciphers */
4515  dest->c1.ciphername = src->c1.ciphername;
4516  dest->c1.authname = src->c1.authname;
4517  dest->c1.keysize = src->c1.keysize;
4518 
4519  /* inherit auth-token */
4520  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4521 
4522  /* options */
4523  dest->options = src->options;
4524  options_detach(&dest->options);
4525 
4526  if (dest->mode == CM_CHILD_TCP)
4527  {
4528  /*
4529  * The CM_TOP context does the socket listen(),
4530  * and the CM_CHILD_TCP context does the accept().
4531  */
4532  dest->c2.accept_from = src->c2.link_socket;
4533  }
4534 
4535 #ifdef ENABLE_PLUGIN
4536  /* inherit plugins */
4537  do_inherit_plugins(dest, src);
4538 #endif
4539 
4540  /* context init */
4541  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4542  if (IS_SIG(dest))
4543  {
4544  return;
4545  }
4546 
4547  /* inherit tun/tap interface object */
4548  dest->c1.tuntap = src->c1.tuntap;
4549 
4550  /* UDP inherits some extra things which TCP does not */
4551  if (dest->mode == CM_CHILD_UDP)
4552  {
4553  /* inherit buffers */
4554  dest->c2.buffers = src->c2.buffers;
4555 
4556  /* inherit parent link_socket and tuntap */
4557  dest->c2.link_socket = src->c2.link_socket;
4558 
4559  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4560  *dest->c2.link_socket_info = src->c2.link_socket->info;
4561 
4562  /* locally override some link_socket_info fields */
4563  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4564  dest->c2.link_socket_info->connection_established = false;
4565  }
4566 }
4567 
4568 void
4569 inherit_context_top(struct context *dest,
4570  const struct context *src)
4571 {
4572  /* copy parent */
4573  *dest = *src;
4574 
4575  /*
4576  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4577  * resources owned by the parent.
4578  *
4579  * Also note that CM_TOP_CLONE context objects are
4580  * closed by multi_top_free in multi.c.
4581  */
4582  dest->mode = CM_TOP_CLONE;
4583 
4584  dest->first_time = false;
4585  dest->c0 = NULL;
4586 
4587  options_detach(&dest->options);
4588  gc_detach(&dest->gc);
4589  gc_detach(&dest->c2.gc);
4590 
4591  /* detach plugins */
4592  dest->plugins_owned = false;
4593 
4594  dest->c2.tls_multi = NULL;
4595 
4596  /* detach c1 ownership */
4597  dest->c1.tuntap_owned = false;
4598  dest->c1.status_output_owned = false;
4599  dest->c1.ifconfig_pool_persist_owned = false;
4600 
4601  /* detach c2 ownership */
4602  dest->c2.event_set_owned = false;
4603  dest->c2.link_socket_owned = false;
4604  dest->c2.buffers_owned = false;
4605  dest->c2.es_owned = false;
4606 
4607  dest->c2.event_set = NULL;
4608  if (proto_is_dgram(src->options.ce.proto))
4609  {
4610  do_event_set_init(dest, false);
4611  }
4612 
4613 #ifdef USE_COMP
4614  dest->c2.comp_context = NULL;
4615 #endif
4616 }
4617 
4618 void
4619 close_context(struct context *c, int sig, unsigned int flags)
4620 {
4621  ASSERT(c);
4622  ASSERT(c->sig);
4623 
4624  if (sig >= 0)
4625  {
4626  c->sig->signal_received = sig;
4627  }
4628 
4629  if (c->sig->signal_received == SIGUSR1)
4630  {
4631  if ((flags & CC_USR1_TO_HUP)
4632  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4633  {
4634  c->sig->signal_received = SIGHUP;
4635  c->sig->signal_text = "close_context usr1 to hup";
4636  }
4637  }
4638 
4639  if (!(flags & CC_NO_CLOSE))
4640  {
4641  close_instance(c);
4642  }
4643 
4644  if (flags & CC_GC_FREE)
4645  {
4646  context_gc_free(c);
4647  }
4648 }
4649 
4650 /*
4651  * Do a loopback test
4652  * on the crypto subsystem.
4653  */
4654 static void *
4655 test_crypto_thread(void *arg)
4656 {
4657  struct context *c = (struct context *) arg;
4658  const struct options *options = &c->options;
4659 
4660  ASSERT(options->test_crypto);
4661  init_verb_mute(c, IVM_LEVEL_1);
4662  context_init_1(c);
4663  next_connection_entry(c);
4664  do_init_crypto_static(c, 0);
4665 
4666  frame_finalize_options(c, options);
4667 
4668  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4669 
4670  key_schedule_free(&c->c1.ks, true);
4671  packet_id_free(&c->c2.crypto_options.packet_id);
4672 
4673  context_gc_free(c);
4674  return NULL;
4675 }
4676 
4677 bool
4678 do_test_crypto(const struct options *o)
4679 {
4680  if (o->test_crypto)
4681  {
4682  struct context c;
4683 
4684  /* print version number */
4685  msg(M_INFO, "%s", title_string);
4686 
4687  context_clear(&c);
4688  c.options = *o;
4689  options_detach(&c.options);
4690  c.first_time = true;
4691  test_crypto_thread((void *) &c);
4692  return true;
4693  }
4694  return false;
4695 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:303
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:426
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:184
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:458
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2519
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:338
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:435
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:292
options::sndbuf
int sndbuf
Definition: options.h:351
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:370
context_2::log_rw
bool log_rw
Definition: openvpn.h:386
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:464
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:267
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:319
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:389
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:563
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:693
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1488
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:252
tuntap
Definition: tun.h:145
options::ncp_enabled
bool ncp_enabled
Definition: options.h:509
options::management_flags
unsigned int management_flags
Definition: options.h:395
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1955
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:905
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2547
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:633
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:298
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1321
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:499
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:963
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:390
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:517
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1100
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5480
options::show_curves
bool show_curves
Definition: options.h:222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:630
options::cipher_list
const char * cipher_list
Definition: options.h:542
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:527
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1433
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:296
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:978
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3671
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:609
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2108
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:580
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1735
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:393
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:326
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:544
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:386
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:350
streq
#define streq(x, y)
Definition: options.h:657
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:434
options::chroot_dir
const char * chroot_dir
Definition: options.h:308
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3890
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3686
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2686
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:421
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:247
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:288
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2118
options::auth_token_generate
bool auth_token_generate
Definition: options.h:477
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:325
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4330
tun_abort
void tun_abort(void)
Definition: init.c:2088
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:497
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:568
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3769
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2606
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:715
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:355
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:520
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
management::persist
struct man_persist persist
Definition: manage.h:320
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:377
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:686
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4619
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3418
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:505
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6401
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:183
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:638
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3964
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:338
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:327
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:146
close_instance
void close_instance(struct context *c)
Definition: init.c:4413
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:583
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:331
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1348
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:665
options::persist_key
bool persist_key
Definition: options.h:293
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:153
options::replay_window
int replay_window
Definition: options.h:518
options::persist_mode
int persist_mode
Definition: options.h:215
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:418
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:320
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3817
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:373
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:296
options::rcvbuf
int rcvbuf
Definition: options.h:350
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:305
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:252
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:432
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:231
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:296
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:181
options::exit_event_name
const char * exit_event_name
Definition: options.h:629
AR_NONE
#define AR_NONE
Definition: options.h:843
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:253
options::route_noexec
bool route_noexec
Definition: options.h:365
options::sockflags
unsigned int sockflags
Definition: options.h:357
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2475
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:167
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3540
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:226
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:343
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:360
tls_poor_mans_ncp
void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
"Poor man&#39;s NCP": Use peer cipher if it is an allowed (NCP) cipher.
Definition: ssl_ncp.c:262
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:388
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:299
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:481
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:164
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:141
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3047
options::config
const char * config
Definition: options.h:201
options::route_delay
int route_delay
Definition: options.h:366
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:524
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:315
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:361
tls_options::gremlin
int gremlin
Definition: ssl_common.h:367
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3842
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:370
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:260
options::down_pre
bool down_pre
Definition: options.h:317
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:276
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:687
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:155
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:322
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1415
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:560
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:537
options::push_peer_info
bool push_peer_info
Definition: options.h:618
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:667
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:151
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:584
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3710
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:141
PING_RESTART
#define PING_RESTART
Definition: options.h:287
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2997
options::handshake_window
int handshake_window
Definition: options.h:588
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3879
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:333
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:224
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:243
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:589
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:340
options::verify_x509_type
int verify_x509_type
Definition: options.h:547
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:237
close_management
void close_management(void)
Definition: init.c:4047
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:479
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:513
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1956
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:282
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:257
options::fast_io
bool fast_io
Definition: options.h:343
options::key_direction
int key_direction
Definition: options.h:507
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:192
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1419
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:158
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:75
init_static
bool init_static(void)
Definition: init.c:731
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:266
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:205
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:582
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:297
options::route_delay_defined
bool route_delay_defined
Definition: options.h:368
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:509
options::tls_exit
bool tls_exit
Definition: options.h:620
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1011
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1017
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:779
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:696
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:372
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3652
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1209
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6515
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:67
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:549
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:362
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:510
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4075
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:322
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:138
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:537