OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 #include "auth_token.h"
55 
56 #include "memdbg.h"
57 
58 
59 static struct context *static_context; /* GLOBAL */
60 
61 /*
62  * Crypto initialization flags
63  */
64 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
65 #define CF_INIT_TLS_MULTI (1<<1)
66 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
67 
68 static void do_init_first_time(struct context *c);
69 
70 void
71 context_clear(struct context *c)
72 {
73  CLEAR(*c);
74 }
75 
76 void
77 context_clear_1(struct context *c)
78 {
79  CLEAR(c->c1);
80 }
81 
82 void
83 context_clear_2(struct context *c)
84 {
85  CLEAR(c->c2);
86 }
87 
88 void
89 context_clear_all_except_first_time(struct context *c)
90 {
91  const bool first_time_save = c->first_time;
92  const struct context_persist cpsave = c->persist;
93  context_clear(c);
94  c->first_time = first_time_save;
95  c->persist = cpsave;
96 }
97 
98 /*
99  * Pass tunnel endpoint and MTU parms to a user-supplied script.
100  * Used to execute the up/down script/plugins.
101  */
102 static void
103 run_up_down(const char *command,
104  const struct plugin_list *plugins,
105  int plugin_type,
106  const char *arg,
107 #ifdef _WIN32
108  DWORD adapter_index,
109 #endif
110  const char *dev_type,
111  int tun_mtu,
112  int link_mtu,
113  const char *ifconfig_local,
114  const char *ifconfig_remote,
115  const char *context,
116  const char *signal_text,
117  const char *script_type,
118  struct env_set *es)
119 {
120  struct gc_arena gc = gc_new();
121 
122  if (signal_text)
123  {
124  setenv_str(es, "signal", signal_text);
125  }
126  setenv_str(es, "script_context", context);
127  setenv_int(es, "tun_mtu", tun_mtu);
128  setenv_int(es, "link_mtu", link_mtu);
129  setenv_str(es, "dev", arg);
130  if (dev_type)
131  {
132  setenv_str(es, "dev_type", dev_type);
133  }
134 #ifdef _WIN32
135  setenv_int(es, "dev_idx", adapter_index);
136 #endif
137 
138  if (!ifconfig_local)
139  {
140  ifconfig_local = "";
141  }
142  if (!ifconfig_remote)
143  {
144  ifconfig_remote = "";
145  }
146  if (!context)
147  {
148  context = "";
149  }
150 
151  if (plugin_defined(plugins, plugin_type))
152  {
153  struct argv argv = argv_new();
154  ASSERT(arg);
155  argv_printf(&argv,
156  "%s %d %d %s %s %s",
157  arg,
158  tun_mtu, link_mtu,
159  ifconfig_local, ifconfig_remote,
160  context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_reset(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_reset(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
191 update_options_ce_post(struct options *options)
192 {
193 #if P2MP
194  /*
195  * In pull mode, we usually import --ping/--ping-restart parameters from
196  * the server. However we should also set an initial default --ping-restart
197  * for the period of time before we pull the --ping-restart parameter
198  * from the server.
199  */
200  if (options->pull
201  && options->ping_rec_timeout_action == PING_UNDEF
202  && proto_is_dgram(options->ce.proto))
203  {
204  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
205  options->ping_rec_timeout_action = PING_RESTART;
206  }
207 #endif
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
234  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
258 ce_management_query_proxy(struct context *c)
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
273  management_notify_generic(management, BSTR(&out));
274  }
275  ce->flags |= CE_MAN_QUERY_PROXY;
276  while (ce->flags & CE_MAN_QUERY_PROXY)
277  {
278  management_event_loop_n_seconds(management, 1);
279  if (IS_SIG(c))
280  {
281  ret = false;
282  break;
283  }
284  }
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
291 
292 static bool
293 management_callback_remote_cmd(void *arg, const char **p)
294 {
295  struct context *c = (struct context *) arg;
296  struct connection_entry *ce = &c->options.ce;
297  int ret = false;
298  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
299  {
300  int flags = 0;
301  if (!strcmp(p[1], "ACCEPT"))
302  {
303  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
304  ret = true;
305  }
306  else if (!strcmp(p[1], "SKIP"))
307  {
308  flags = CE_MAN_QUERY_REMOTE_SKIP;
309  ret = true;
310  }
311  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
312  {
313  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
314  {
315  struct remote_host_store *rhs = c->options.rh_store;
316  if (!rhs)
317  {
318  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
319  c->options.rh_store = rhs;
320  }
321  strncpynt(rhs->host, p[2], RH_HOST_LEN);
322  strncpynt(rhs->port, p[3], RH_PORT_LEN);
323 
324  ce->remote = rhs->host;
325  ce->remote_port = rhs->port;
326  flags = CE_MAN_QUERY_REMOTE_MOD;
327  ret = true;
328  }
329  }
330  if (ret)
331  {
332  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
333  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
334  }
335  }
336  return ret;
337 }
338 
339 static bool
340 ce_management_query_remote(struct context *c)
341 {
342  struct gc_arena gc = gc_new();
343  volatile struct connection_entry *ce = &c->options.ce;
344  int ce_changed = true; /* presume the connection entry will be changed */
345 
346  update_time();
347  if (management)
348  {
349  struct buffer out = alloc_buf_gc(256, &gc);
350 
351  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
352  proto2ascii(ce->proto, ce->af, false));
353  management_notify_generic(management, BSTR(&out));
354 
355  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
356  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
357  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
358  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
359  {
360  management_event_loop_n_seconds(management, 1);
361  if (IS_SIG(c))
362  {
363  ce_changed = false; /* connection entry have not been set */
364  break;
365  }
366  }
367  }
368  gc_free(&gc);
369 
370  if (ce_changed)
371  {
372  /* If it is likely a connection entry was modified,
373  * check what changed in the flags and that it was not skipped
374  */
375  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
376  & CE_MAN_QUERY_REMOTE_MASK);
377  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
378  }
379  return ce_changed;
380 }
381 #endif /* ENABLE_MANAGEMENT */
382 
383 /*
384  * Initialize and possibly randomize connection list.
385  */
386 static void
387 init_connection_list(struct context *c)
388 {
389  struct connection_list *l = c->options.connection_list;
390 
391  l->current = -1;
392  if (c->options.remote_random)
393  {
394  int i;
395  for (i = 0; i < l->len; ++i)
396  {
397  const int j = get_random() % l->len;
398  if (i != j)
399  {
400  struct connection_entry *tmp;
401  tmp = l->array[i];
402  l->array[i] = l->array[j];
403  l->array[j] = tmp;
404  }
405  }
406  }
407 }
408 
409 /*
410  * Clear the remote address list
411  */
412 static void
413 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
414 {
415  if (lsa->remote_list && free)
416  {
417  freeaddrinfo(lsa->remote_list);
418  }
419  lsa->remote_list = NULL;
420  lsa->current_remote = NULL;
421 }
422 
423 /*
424  * Increment to next connection entry
425  */
426 static void
427 next_connection_entry(struct context *c)
428 {
429  struct connection_list *l = c->options.connection_list;
430  bool ce_defined;
431  struct connection_entry *ce;
432  int n_cycles = 0;
433 
434  do
435  {
436  ce_defined = true;
437  if (c->options.no_advance && l->current >= 0)
438  {
439  c->options.no_advance = false;
440  }
441  else
442  {
443  /* Check if there is another resolved address to try for
444  * the current connection */
445  if (c->c1.link_socket_addr.current_remote
446  && c->c1.link_socket_addr.current_remote->ai_next)
447  {
448  c->c1.link_socket_addr.current_remote =
449  c->c1.link_socket_addr.current_remote->ai_next;
450  }
451  else
452  {
453  /* FIXME (schwabe) fix the persist-remote-ip option for real,
454  * this is broken probably ever since connection lists and multiple
455  * remote existed
456  */
457  if (!c->options.persist_remote_ip)
458  {
459  /* close_instance should have cleared the addrinfo objects */
460  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
461  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
462  }
463  else
464  {
465  c->c1.link_socket_addr.current_remote =
466  c->c1.link_socket_addr.remote_list;
467  }
468 
469  /*
470  * Increase the number of connection attempts
471  * If this is connect-retry-max * size(l)
472  * OpenVPN will quit
473  */
474 
475  c->options.unsuccessful_attempts++;
476 
477  if (++l->current >= l->len)
478  {
479 
480  l->current = 0;
481  if (++n_cycles >= 2)
482  {
483  msg(M_FATAL, "No usable connection profiles are present");
484  }
485  }
486  }
487  }
488 
489  ce = l->array[l->current];
490 
491  if (ce->flags & CE_DISABLED)
492  {
493  ce_defined = false;
494  }
495 
496  c->options.ce = *ce;
497 #ifdef ENABLE_MANAGEMENT
498  if (ce_defined && management && management_query_remote_enabled(management))
499  {
500  /* allow management interface to override connection entry details */
501  ce_defined = ce_management_query_remote(c);
502  if (IS_SIG(c))
503  {
504  break;
505  }
506  }
507  else if (ce_defined && management && management_query_proxy_enabled(management))
508  {
509  ce_defined = ce_management_query_proxy(c);
510  if (IS_SIG(c))
511  {
512  break;
513  }
514  }
515 #endif
516  } while (!ce_defined);
517 
518  /* Check if this connection attempt would bring us over the limit */
519  if (c->options.connect_retry_max > 0
520  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
521  {
522  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
523  c->options.connect_retry_max);
524  }
525  update_options_ce_post(&c->options);
526 }
527 
528 /*
529  * Query for private key and auth-user-pass username/passwords
530  */
531 void
532 init_query_passwords(const struct context *c)
533 {
534  /* Certificate password input */
535  if (c->options.key_pass_file)
536  {
537  pem_password_setup(c->options.key_pass_file);
538  }
539 
540 #if P2MP
541  /* Auth user/pass input */
542  if (c->options.auth_user_pass_file)
543  {
544 #ifdef ENABLE_MANAGEMENT
545  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
546 #else
547  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
548 #endif
549  }
550 #endif
551 }
552 
553 /*
554  * Initialize/Uninitialize HTTP or SOCKS proxy
555  */
556 
557 static void
558 uninit_proxy_dowork(struct context *c)
559 {
560  if (c->c1.http_proxy_owned && c->c1.http_proxy)
561  {
562  http_proxy_close(c->c1.http_proxy);
563  c->c1.http_proxy = NULL;
564  c->c1.http_proxy_owned = false;
565  }
566  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
567  {
568  socks_proxy_close(c->c1.socks_proxy);
569  c->c1.socks_proxy = NULL;
570  c->c1.socks_proxy_owned = false;
571  }
572 }
573 
574 static void
575 init_proxy_dowork(struct context *c)
576 {
577  bool did_http = false;
578 
579  uninit_proxy_dowork(c);
580 
581  if (c->options.ce.http_proxy_options)
582  {
583  /* Possible HTTP proxy user/pass input */
584  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
585  if (c->c1.http_proxy)
586  {
587  did_http = true;
588  c->c1.http_proxy_owned = true;
589  }
590  }
591 
592  if (!did_http && c->options.ce.socks_proxy_server)
593  {
594  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
595  c->options.ce.socks_proxy_port,
596  c->options.ce.socks_proxy_authfile);
597  if (c->c1.socks_proxy)
598  {
599  c->c1.socks_proxy_owned = true;
600  }
601  }
602 }
603 
604 static void
605 init_proxy(struct context *c)
606 {
607  init_proxy_dowork(c);
608 }
609 
610 static void
611 uninit_proxy(struct context *c)
612 {
613  uninit_proxy_dowork(c);
614 }
615 
616 /*
617  * Saves the initial state of NCP-regotiable
618  * options into a storage which persists over SIGUSR1.
619  */
620 static void
621 save_ncp_options(struct context *c)
622 {
623  c->c1.ciphername = c->options.ciphername;
624  c->c1.authname = c->options.authname;
625  c->c1.keysize = c->options.keysize;
626 }
627 
628 /* Restores NCP-negotiable options to original values */
629 static void
630 restore_ncp_options(struct context *c)
631 {
632  c->options.ciphername = c->c1.ciphername;
633  c->options.authname = c->c1.authname;
634  c->options.keysize = c->c1.keysize;
635 }
636 
637 void
638 context_init_1(struct context *c)
639 {
640  context_clear_1(c);
641 
642  packet_id_persist_init(&c->c1.pid_persist);
643 
644  init_connection_list(c);
645 
646  save_ncp_options(c);
647 
648 #if defined(ENABLE_PKCS11)
649  if (c->first_time)
650  {
651  int i;
652  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
653  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
654  {
655  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
656  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
657  }
658  }
659 #endif
660 
661 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
662  {
663  /*
664  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
665  */
666  struct user_pass up;
667  CLEAR(up);
668  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
669  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
670  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
671  * 'needok' command, usually 'ok' or 'cancel'. */
672  }
673 #endif
674 
675 #ifdef ENABLE_SYSTEMD
676  /* We can report the PID via getpid() to systemd here as OpenVPN will not
677  * do any fork due to daemon() a future call.
678  * See possibly_become_daemon() [init.c] for more details.
679  */
680  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
681  (unsigned long) getpid());
682 #endif
683 
684 }
685 
686 void
687 context_gc_free(struct context *c)
688 {
689  gc_free(&c->c2.gc);
690  gc_free(&c->options.gc);
691  gc_free(&c->gc);
692 }
693 
694 #if PORT_SHARE
695 
696 static void
697 close_port_share(void)
698 {
699  if (port_share)
700  {
701  port_share_close(port_share);
702  port_share = NULL;
703  }
704 }
705 
706 static void
707 init_port_share(struct context *c)
708 {
709  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
710  {
711  port_share = port_share_open(c->options.port_share_host,
712  c->options.port_share_port,
713  MAX_RW_SIZE_LINK(&c->c2.frame),
714  c->options.port_share_journal_dir);
715  if (port_share == NULL)
716  {
717  msg(M_FATAL, "Fatal error: Port sharing failed");
718  }
719  }
720 }
721 
722 #endif /* if PORT_SHARE */
723 
724 
725 bool
726 init_static(void)
727 {
728  /* configure_path (); */
729 
730 #if defined(DMALLOC)
731  crypto_init_dmalloc();
732 #endif
733 
734 
735  /*
736  * Initialize random number seed. random() is only used
737  * when "weak" random numbers are acceptable.
738  * SSL library routines are always used when cryptographically
739  * strong random numbers are required.
740  */
741  struct timeval tv;
742  if (!gettimeofday(&tv, NULL))
743  {
744  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
745  srandom(seed);
746  }
747 
748  error_reset(); /* initialize error.c */
749  reset_check_status(); /* initialize status check code in socket.c */
750 
751 #ifdef _WIN32
752  init_win32();
753 #endif
754 
755 #ifdef OPENVPN_DEBUG_COMMAND_LINE
756  {
757  int i;
758  for (i = 0; i < argc; ++i)
759  {
760  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
761  }
762  }
763 #endif
764 
765  update_time();
766 
767  init_ssl_lib();
768 
769  /* init PRNG used for IV generation */
770  /* When forking, copy this to more places in the code to avoid fork
771  * random-state predictability */
772  prng_init(NULL, 0);
773 
774 #ifdef PID_TEST
775  packet_id_interactive_test(); /* test the sequence number code */
776  return false;
777 #endif
778 
779 #ifdef SCHEDULE_TEST
780  schedule_test();
781  return false;
782 #endif
783 
784 #ifdef LIST_TEST
785  list_test();
786  return false;
787 #endif
788 
789 #ifdef IFCONFIG_POOL_TEST
790  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
791  return false;
792 #endif
793 
794 #ifdef CHARACTER_CLASS_DEBUG
795  character_class_debug();
796  return false;
797 #endif
798 
799 #ifdef EXTRACT_X509_FIELD_TEST
800  extract_x509_field_test();
801  return false;
802 #endif
803 
804 #ifdef TIME_TEST
805  time_test();
806  return false;
807 #endif
808 
809 #ifdef TEST_GET_DEFAULT_GATEWAY
810  {
811  struct route_gateway_info rgi;
812  struct route_ipv6_gateway_info rgi6;
813  get_default_gateway(&rgi);
814  get_default_gateway_ipv6(&rgi6, NULL);
815  print_default_gateway(M_INFO, &rgi, &rgi6);
816  return false;
817  }
818 #endif
819 
820 #ifdef GEN_PATH_TEST
821  {
822  struct gc_arena gc = gc_new();
823  const char *fn = gen_path("foo",
824  "bar",
825  &gc);
826  printf("%s\n", fn);
827  gc_free(&gc);
828  }
829  return false;
830 #endif
831 
832 #ifdef STATUS_PRINTF_TEST
833  {
834  struct gc_arena gc = gc_new();
835  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
836  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
837  status_printf(so, "%s", "foo");
838  status_printf(so, "%s", "bar");
839  if (!status_close(so))
840  {
841  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
842  }
843  gc_free(&gc);
844  }
845  return false;
846 #endif
847 
848 #ifdef ARGV_TEST
849  {
850  void argv_test(void);
851 
852  argv_test();
853  return false;
854  }
855 #endif
856 
857 #ifdef PRNG_TEST
858  {
859  struct gc_arena gc = gc_new();
860  uint8_t rndbuf[8];
861  int i;
862  prng_init("sha1", 16);
863  /*prng_init (NULL, 0);*/
864  const int factor = 1;
865  for (i = 0; i < factor * 8; ++i)
866  {
867 #if 1
868  prng_bytes(rndbuf, sizeof(rndbuf));
869 #else
870  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
871 #endif
872  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
873  }
874  gc_free(&gc);
875  prng_uninit();
876  return false;
877  }
878 #endif /* ifdef PRNG_TEST */
879 
880 #ifdef BUFFER_LIST_AGGREGATE_TEST
881  /* test buffer_list_aggregate function */
882  {
883  static const char *text[] = {
884  "It was a bright cold day in April, ",
885  "and the clocks were striking ",
886  "thirteen. ",
887  "Winston Smith, ",
888  "his chin nuzzled into his breast in an ",
889  "effort to escape the vile wind, ",
890  "slipped quickly through the glass doors ",
891  "of Victory Mansions, though not quickly ",
892  "enough to prevent a swirl of gritty dust from ",
893  "entering along with him."
894  };
895 
896  int iter, listcap;
897  for (listcap = 0; listcap < 12; ++listcap)
898  {
899  for (iter = 0; iter < 512; ++iter)
900  {
901  struct buffer_list *bl = buffer_list_new(listcap);
902  {
903  int i;
904  for (i = 0; i < SIZE(text); ++i)
905  {
906  buffer_list_push(bl, (unsigned char *)text[i]);
907  }
908  }
909  printf("[cap=%d i=%d] *************************\n", listcap, iter);
910  if (!(iter & 8))
911  {
912  buffer_list_aggregate(bl, iter/2);
913  }
914  if (!(iter & 16))
915  {
916  buffer_list_push(bl, (unsigned char *)"Even more text...");
917  }
918  buffer_list_aggregate(bl, iter);
919  if (!(iter & 1))
920  {
921  buffer_list_push(bl, (unsigned char *)"More text...");
922  }
923  {
924  struct buffer *buf;
925  while ((buf = buffer_list_peek(bl)))
926  {
927  int c;
928  printf("'");
929  while ((c = buf_read_u8(buf)) >= 0)
930  {
931  putchar(c);
932  }
933  printf("'\n");
934  buffer_list_advance(bl, 0);
935  }
936  }
937  buffer_list_free(bl);
938  }
939  }
940  return false;
941  }
942 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
943 
944 #ifdef MSTATS_TEST
945  {
946  int i;
947  mstats_open("/dev/shm/mstats.dat");
948  for (i = 0; i < 30; ++i)
949  {
950  mmap_stats->n_clients += 1;
951  mmap_stats->link_write_bytes += 8;
952  mmap_stats->link_read_bytes += 16;
953  sleep(1);
954  }
955  mstats_close();
956  return false;
957  }
958 #endif
959 
960  return true;
961 }
962 
963 void
964 uninit_static(void)
965 {
966  free_ssl_lib();
967 
968 #ifdef ENABLE_PKCS11
969  pkcs11_terminate();
970 #endif
971 
972 #if PORT_SHARE
973  close_port_share();
974 #endif
975 
976 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
977  show_tls_performance_stats();
978 #endif
979 }
980 
981 void
982 init_verb_mute(struct context *c, unsigned int flags)
983 {
984  if (flags & IVM_LEVEL_1)
985  {
986  /* set verbosity and mute levels */
987  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
988  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
989  set_mute_cutoff(c->options.mute);
990  }
991 
992  /* special D_LOG_RW mode */
993  if (flags & IVM_LEVEL_2)
994  {
995  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
996  }
997 }
998 
999 /*
1000  * Possibly set --dev based on --dev-node.
1001  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1002  * set --dev to tun.
1003  */
1004 void
1005 init_options_dev(struct options *options)
1006 {
1007  if (!options->dev && options->dev_node)
1008  {
1009  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1010  options->dev = basename(dev_node);
1011  }
1012 }
1013 
1014 bool
1015 print_openssl_info(const struct options *options)
1016 {
1017  /*
1018  * OpenSSL info print mode?
1019  */
1020  if (options->show_ciphers || options->show_digests || options->show_engines
1021  || options->show_tls_ciphers || options->show_curves)
1022  {
1023  if (options->show_ciphers)
1024  {
1025  show_available_ciphers();
1026  }
1027  if (options->show_digests)
1028  {
1029  show_available_digests();
1030  }
1031  if (options->show_engines)
1032  {
1033  show_available_engines();
1034  }
1035  if (options->show_tls_ciphers)
1036  {
1037  show_available_tls_ciphers(options->cipher_list,
1038  options->cipher_list_tls13,
1039  options->tls_cert_profile);
1040  }
1041  if (options->show_curves)
1042  {
1043  show_available_curves();
1044  }
1045  return true;
1046  }
1047  return false;
1048 }
1049 
1050 /*
1051  * Static pre-shared key generation mode?
1052  */
1053 bool
1054 do_genkey(const struct options *options)
1055 {
1056  /* should we disable paging? */
1057  if (options->mlock && (options->genkey))
1058  {
1059  platform_mlockall(true);
1060  }
1061 
1062  /*
1063  * We do not want user to use --genkey with --secret. In the transistion
1064  * phase we for secret.
1065  */
1066  if (options->genkey && options->genkey_type != GENKEY_SECRET
1067  && options->shared_secret_file)
1068  {
1069  msg(M_USAGE, "Using --genkey type with --secret filename is "
1070  "not supported. Use --genkey type filename instead.");
1071  }
1072  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1073  {
1074  int nbits_written;
1075  const char *genkey_filename = options->genkey_filename;
1076  if (options->shared_secret_file && options->genkey_filename)
1077  {
1078  msg(M_USAGE, "You must provide a filename to either --genkey "
1079  "or --secret, not both");
1080  }
1081 
1082  /*
1083  * Copy filename from shared_secret_file to genkey_filename to support
1084  * the old --genkey --secret foo.file syntax.
1085  */
1086  if (options->shared_secret_file)
1087  {
1088  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1089  "DEPRECATED. Use --genkey secret filename instead.");
1090  genkey_filename = options->shared_secret_file;
1091  }
1092 
1093  nbits_written = write_key_file(2, genkey_filename);
1094  if (nbits_written < 0)
1095  {
1096  msg(M_FATAL, "Failed to write key file");
1097  }
1098 
1099  msg(D_GENKEY | M_NOPREFIX,
1100  "Randomly generated %d bit key written to %s", nbits_written,
1101  options->shared_secret_file);
1102  return true;
1103  }
1104  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1105  {
1106  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1107  return true;
1108  }
1109  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1110  {
1111  if (!options->tls_crypt_v2_file)
1112  {
1113  msg(M_USAGE,
1114  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1115  }
1116 
1117  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1118  options->genkey_extra_data, options->tls_crypt_v2_file,
1119  options->tls_crypt_v2_inline);
1120  return true;
1121  }
1122  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1123  {
1124  auth_token_write_server_key_file(options->genkey_filename);
1125  return true;
1126  }
1127  else
1128  {
1129  return false;
1130  }
1131 }
1132 
1133 /*
1134  * Persistent TUN/TAP device management mode?
1135  */
1136 bool
1137 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1138 {
1139  if (options->persist_config)
1140  {
1141  /* sanity check on options for --mktun or --rmtun */
1142  notnull(options->dev, "TUN/TAP device (--dev)");
1143  if (options->ce.remote || options->ifconfig_local
1144  || options->ifconfig_remote_netmask
1145  || options->shared_secret_file
1146  || options->tls_server || options->tls_client
1147  )
1148  {
1149  msg(M_FATAL|M_OPTERR,
1150  "options --mktun or --rmtun should only be used together with --dev");
1151  }
1152 #ifdef ENABLE_FEATURE_TUN_PERSIST
1153  tuncfg(options->dev, options->dev_type, options->dev_node,
1154  options->persist_mode,
1155  options->username, options->groupname, &options->tuntap_options,
1156  ctx);
1157  if (options->persist_mode && options->lladdr)
1158  {
1159  set_lladdr(options->dev, options->lladdr, NULL);
1160  }
1161  return true;
1162 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1163  msg( M_FATAL|M_OPTERR,
1164  "options --mktun and --rmtun are not available on your operating "
1165  "system. Please check 'man tun' (or 'tap'), whether your system "
1166  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1167  "persistent tunnel interfaces.", options->dev );
1168 #endif
1169  }
1170  return false;
1171 }
1172 
1173 /*
1174  * Should we become a daemon?
1175  * Return true if we did it.
1176  */
1177 bool
1178 possibly_become_daemon(const struct options *options)
1179 {
1180  bool ret = false;
1181 
1182 #ifdef ENABLE_SYSTEMD
1183  /* return without forking if we are running from systemd */
1184  if (sd_notify(0, "READY=0") > 0)
1185  {
1186  return ret;
1187  }
1188 #endif
1189 
1190  if (options->daemon)
1191  {
1192  ASSERT(!options->inetd);
1193  /* Don't chdir immediately, but the end of the init sequence, if needed */
1194  if (daemon(1, options->log) < 0)
1195  {
1196  msg(M_ERR, "daemon() failed or unsupported");
1197  }
1198  restore_signal_state();
1199  if (options->log)
1200  {
1201  set_std_files_to_null(true);
1202  }
1203 
1204  ret = true;
1205  }
1206  return ret;
1207 }
1208 
1209 /*
1210  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1211  */
1212 static void
1213 do_uid_gid_chroot(struct context *c, bool no_delay)
1214 {
1215  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1216  struct context_0 *c0 = c->c0;
1217 
1218  if (c0 && !c0->uid_gid_chroot_set)
1219  {
1220  /* chroot if requested */
1221  if (c->options.chroot_dir)
1222  {
1223  if (no_delay)
1224  {
1225  platform_chroot(c->options.chroot_dir);
1226  }
1227  else if (c->first_time)
1228  {
1229  msg(M_INFO, "NOTE: chroot %s", why_not);
1230  }
1231  }
1232 
1233  /* set user and/or group if we want to setuid/setgid */
1234  if (c0->uid_gid_specified)
1235  {
1236  if (no_delay)
1237  {
1238  platform_group_set(&c0->platform_state_group);
1239  platform_user_set(&c0->platform_state_user);
1240  }
1241  else if (c->first_time)
1242  {
1243  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1244  }
1245  }
1246 
1247 #ifdef ENABLE_MEMSTATS
1248  if (c->first_time && c->options.memstats_fn)
1249  {
1250  mstats_open(c->options.memstats_fn);
1251  }
1252 #endif
1253 
1254 #ifdef ENABLE_SELINUX
1255  /* Apply a SELinux context in order to restrict what OpenVPN can do
1256  * to _only_ what it is supposed to do after initialization is complete
1257  * (basically just network I/O operations). Doing it after chroot
1258  * requires /proc to be mounted in the chroot (which is annoying indeed
1259  * but doing it before requires more complex SELinux policies.
1260  */
1261  if (c->options.selinux_context)
1262  {
1263  if (no_delay)
1264  {
1265  if (-1 == setcon(c->options.selinux_context))
1266  {
1267  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1268  }
1269  else
1270  {
1271  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1272  }
1273  }
1274  else if (c->first_time)
1275  {
1276  msg(M_INFO, "NOTE: setcon %s", why_not);
1277  }
1278  }
1279 #endif
1280 
1281  /* Privileges are going to be dropped by now (if requested), be sure
1282  * to prevent any future privilege dropping attempts from now on.
1283  */
1284  if (no_delay)
1285  {
1286  c0->uid_gid_chroot_set = true;
1287  }
1288  }
1289 }
1290 
1291 /*
1292  * Return common name in a way that is formatted for
1293  * prepending to msg() output.
1294  */
1295 const char *
1296 format_common_name(struct context *c, struct gc_arena *gc)
1297 {
1298  struct buffer out = alloc_buf_gc(256, gc);
1299  if (c->c2.tls_multi)
1300  {
1301  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1302  }
1303  return BSTR(&out);
1304 }
1305 
1306 void
1307 pre_setup(const struct options *options)
1308 {
1309 #ifdef _WIN32
1310  if (options->exit_event_name)
1311  {
1312  win32_signal_open(&win32_signal,
1313  WSO_FORCE_SERVICE,
1314  options->exit_event_name,
1315  options->exit_event_initial_state);
1316  }
1317  else
1318  {
1319  win32_signal_open(&win32_signal,
1320  WSO_FORCE_CONSOLE,
1321  NULL,
1322  false);
1323 
1324  /* put a title on the top window bar */
1325  if (win32_signal.mode == WSO_MODE_CONSOLE)
1326  {
1327  window_title_save(&window_title);
1328  window_title_generate(options->config);
1329  }
1330  }
1331 #endif /* ifdef _WIN32 */
1332 }
1333 
1334 void
1335 reset_coarse_timers(struct context *c)
1336 {
1337  c->c2.coarse_timer_wakeup = 0;
1338 }
1339 
1340 /*
1341  * Initialise the server poll timeout timer
1342  * This timer is used in the http/socks proxy setup so it needs to be setup
1343  * before
1344  */
1345 static void
1346 do_init_server_poll_timeout(struct context *c)
1347 {
1348  update_time();
1349  if (c->options.ce.connect_timeout)
1350  {
1351  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1352  }
1353 }
1354 
1355 /*
1356  * Initialize timers
1357  */
1358 static void
1359 do_init_timers(struct context *c, bool deferred)
1360 {
1361  update_time();
1362  reset_coarse_timers(c);
1363 
1364  /* initialize inactivity timeout */
1365  if (c->options.inactivity_timeout)
1366  {
1367  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1368  }
1369 
1370  /* initialize pings */
1371 
1372  if (c->options.ping_send_timeout)
1373  {
1374  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1375  }
1376 
1377  if (c->options.ping_rec_timeout)
1378  {
1379  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1380  }
1381 
1382  if (!deferred)
1383  {
1384  /* initialize connection establishment timer */
1385  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1386 
1387 #ifdef ENABLE_OCC
1388  /* initialize occ timers */
1389 
1390  if (c->options.occ
1391  && !TLS_MODE(c)
1392  && c->c2.options_string_local && c->c2.options_string_remote)
1393  {
1394  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1395  }
1396 
1397  if (c->options.mtu_test)
1398  {
1399  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1400  }
1401 #endif
1402 
1403  /* initialize packet_id persistence timer */
1404  if (c->options.packet_id_file)
1405  {
1406  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1407  }
1408 
1409  /* initialize tmp_int optimization that limits the number of times we call
1410  * tls_multi_process in the main event loop */
1411  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1412  }
1413 }
1414 
1415 /*
1416  * Initialize traffic shaper.
1417  */
1418 static void
1419 do_init_traffic_shaper(struct context *c)
1420 {
1421 #ifdef ENABLE_FEATURE_SHAPER
1422  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1423  if (c->options.shaper)
1424  {
1425  shaper_init(&c->c2.shaper, c->options.shaper);
1426  shaper_msg(&c->c2.shaper);
1427  }
1428 #endif
1429 }
1430 
1431 /*
1432  * Allocate route list structures for IPv4 and IPv6
1433  * (we do this for IPv4 even if no --route option has been seen, as other
1434  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1435  */
1436 static void
1437 do_alloc_route_list(struct context *c)
1438 {
1439  if (!c->c1.route_list)
1440  {
1441  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1442  }
1443  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1444  {
1445  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1446  }
1447 }
1448 
1449 
1450 /*
1451  * Initialize the route list, resolving any DNS names in route
1452  * options and saving routes in the environment.
1453  */
1454 static void
1455 do_init_route_list(const struct options *options,
1456  struct route_list *route_list,
1457  const struct link_socket_info *link_socket_info,
1458  struct env_set *es,
1459  openvpn_net_ctx_t *ctx)
1460 {
1461  const char *gw = NULL;
1462  int dev = dev_type_enum(options->dev, options->dev_type);
1463  int metric = 0;
1464 
1465  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1466  {
1467  gw = options->ifconfig_remote_netmask;
1468  }
1469  if (options->route_default_gateway)
1470  {
1471  gw = options->route_default_gateway;
1472  }
1473  if (options->route_default_metric)
1474  {
1475  metric = options->route_default_metric;
1476  }
1477 
1478  if (init_route_list(route_list,
1479  options->routes,
1480  gw,
1481  metric,
1482  link_socket_current_remote(link_socket_info),
1483  es,
1484  ctx))
1485  {
1486  /* copy routes to environment */
1487  setenv_routes(es, route_list);
1488  }
1489 }
1490 
1491 static void
1492 do_init_route_ipv6_list(const struct options *options,
1493  struct route_ipv6_list *route_ipv6_list,
1494  const struct link_socket_info *link_socket_info,
1495  struct env_set *es,
1496  openvpn_net_ctx_t *ctx)
1497 {
1498  const char *gw = NULL;
1499  int metric = -1; /* no metric set */
1500 
1501  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1502  if (options->route_ipv6_default_gateway)
1503  {
1504  gw = options->route_ipv6_default_gateway;
1505  }
1506 
1507  if (options->route_default_metric)
1508  {
1509  metric = options->route_default_metric;
1510  }
1511 
1512  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1513  */
1514  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1515  {
1516  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1517  int i;
1518 
1519  for (i = 0; opt_list[i]; i++)
1520  {
1521  add_route_ipv6_to_option_list( options->routes_ipv6,
1522  string_alloc(opt_list[i], options->routes_ipv6->gc),
1523  NULL, NULL );
1524  }
1525  }
1526 
1527  if (init_route_ipv6_list(route_ipv6_list,
1528  options->routes_ipv6,
1529  gw,
1530  metric,
1531  link_socket_current_remote_ipv6(link_socket_info),
1532  es,
1533  ctx))
1534  {
1535  /* copy routes to environment */
1536  setenv_routes_ipv6(es, route_ipv6_list);
1537  }
1538 }
1539 
1540 
1541 /*
1542  * Called after all initialization has been completed.
1543  */
1544 void
1545 initialization_sequence_completed(struct context *c, const unsigned int flags)
1546 {
1547  static const char message[] = "Initialization Sequence Completed";
1548 
1549  /* Reset the unsuccessful connection counter on complete initialisation */
1550  c->options.unsuccessful_attempts = 0;
1551 
1552  /* If we delayed UID/GID downgrade or chroot, do it now */
1553  do_uid_gid_chroot(c, true);
1554 
1555 
1556  /*
1557  * In some cases (i.e. when receiving auth-token via
1558  * push-reply) the auth-nocache option configured on the
1559  * client is overridden; for this reason we have to wait
1560  * for the push-reply message before attempting to wipe
1561  * the user/pass entered by the user
1562  */
1563  if (c->options.mode == MODE_POINT_TO_POINT)
1564  {
1565  delayed_auth_pass_purge();
1566  }
1567 
1568  /* Test if errors */
1569  if (flags & ISC_ERRORS)
1570  {
1571 #ifdef _WIN32
1572  show_routes(M_INFO|M_NOPREFIX);
1573  show_adapters(M_INFO|M_NOPREFIX);
1574  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1575 #else
1576 #ifdef ENABLE_SYSTEMD
1577  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1578 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1579  msg(M_INFO, "%s With Errors", message);
1580 #endif
1581  }
1582  else
1583  {
1584 #ifdef ENABLE_SYSTEMD
1585  sd_notifyf(0, "STATUS=%s", message);
1586 #endif
1587  msg(M_INFO, "%s", message);
1588  }
1589 
1590  /* Flag that we initialized */
1591  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1592  {
1593  c->options.no_advance = true;
1594  }
1595 
1596 #ifdef _WIN32
1597  fork_register_dns_action(c->c1.tuntap);
1598 #endif
1599 
1600 #ifdef ENABLE_MANAGEMENT
1601  /* Tell management interface that we initialized */
1602  if (management)
1603  {
1604  in_addr_t *tun_local = NULL;
1605  struct in6_addr *tun_local6 = NULL;
1606  struct openvpn_sockaddr local, remote;
1607  struct link_socket_actual *actual;
1608  socklen_t sa_len = sizeof(local);
1609  const char *detail = "SUCCESS";
1610  if (flags & ISC_ERRORS)
1611  {
1612  detail = "ERROR";
1613  }
1614 
1615  CLEAR(local);
1616  actual = &get_link_socket_info(c)->lsa->actual;
1617  remote = actual->dest;
1618  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1619 #if ENABLE_IP_PKTINFO
1620  if (!addr_defined(&local))
1621  {
1622  switch (local.addr.sa.sa_family)
1623  {
1624  case AF_INET:
1625 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1626  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1627 #else
1628  local.addr.in4.sin_addr = actual->pi.in4;
1629 #endif
1630  break;
1631 
1632  case AF_INET6:
1633  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1634  break;
1635  }
1636  }
1637 #endif
1638 
1639  if (c->c1.tuntap)
1640  {
1641  tun_local = &c->c1.tuntap->local;
1642  tun_local6 = &c->c1.tuntap->local_ipv6;
1643  }
1644  management_set_state(management,
1645  OPENVPN_STATE_CONNECTED,
1646  detail,
1647  tun_local,
1648  tun_local6,
1649  &local,
1650  &remote);
1651  if (tun_local)
1652  {
1653  management_post_tunnel_open(management, *tun_local);
1654  }
1655  }
1656 #endif /* ifdef ENABLE_MANAGEMENT */
1657 }
1658 
1659 /*
1660  * Possibly add routes and/or call route-up script
1661  * based on options.
1662  */
1663 void
1664 do_route(const struct options *options,
1665  struct route_list *route_list,
1666  struct route_ipv6_list *route_ipv6_list,
1667  const struct tuntap *tt,
1668  const struct plugin_list *plugins,
1669  struct env_set *es,
1670  openvpn_net_ctx_t *ctx)
1671 {
1672  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1673  {
1674  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1675  es, ctx);
1676  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1677  }
1678 #ifdef ENABLE_MANAGEMENT
1679  if (management)
1680  {
1681  management_up_down(management, "UP", es);
1682  }
1683 #endif
1684 
1685  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1686  {
1687  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1688  {
1689  msg(M_WARN, "WARNING: route-up plugin call failed");
1690  }
1691  }
1692 
1693  if (options->route_script)
1694  {
1695  struct argv argv = argv_new();
1696  setenv_str(es, "script_type", "route-up");
1697  argv_parse_cmd(&argv, options->route_script);
1698  openvpn_run_script(&argv, es, 0, "--route-up");
1699  argv_reset(&argv);
1700  }
1701 
1702 #ifdef _WIN32
1703  if (options->show_net_up)
1704  {
1705  show_routes(M_INFO|M_NOPREFIX);
1706  show_adapters(M_INFO|M_NOPREFIX);
1707  }
1708  else if (check_debug_level(D_SHOW_NET))
1709  {
1710  show_routes(D_SHOW_NET|M_NOPREFIX);
1711  show_adapters(D_SHOW_NET|M_NOPREFIX);
1712  }
1713 #endif
1714 }
1715 
1716 /*
1717  * initialize tun/tap device object
1718  */
1719 static void
1720 do_init_tun(struct context *c)
1721 {
1722  c->c1.tuntap = init_tun(c->options.dev,
1723  c->options.dev_type,
1724  c->options.topology,
1725  c->options.ifconfig_local,
1726  c->options.ifconfig_remote_netmask,
1727  c->options.ifconfig_ipv6_local,
1728  c->options.ifconfig_ipv6_netbits,
1729  c->options.ifconfig_ipv6_remote,
1730  c->c1.link_socket_addr.bind_local,
1731  c->c1.link_socket_addr.remote_list,
1732  !c->options.ifconfig_nowarn,
1733  c->c2.es,
1734  &c->net_ctx);
1735 
1736  init_tun_post(c->c1.tuntap,
1737  &c->c2.frame,
1738  &c->options.tuntap_options);
1739 
1740  c->c1.tuntap_owned = true;
1741 }
1742 
1743 /*
1744  * Open tun/tap device, ifconfig, call up script, etc.
1745  */
1746 
1747 static bool
1748 do_open_tun(struct context *c)
1749 {
1750  struct gc_arena gc = gc_new();
1751  bool ret = false;
1752 
1753 #ifndef TARGET_ANDROID
1754  if (!c->c1.tuntap)
1755  {
1756 #endif
1757 
1758 #ifdef TARGET_ANDROID
1759  /* If we emulate persist-tun on android we still have to open a new tun and
1760  * then close the old */
1761  int oldtunfd = -1;
1762  if (c->c1.tuntap)
1763  {
1764  oldtunfd = c->c1.tuntap->fd;
1765  free(c->c1.tuntap);
1766  c->c1.tuntap = NULL;
1767  c->c1.tuntap_owned = false;
1768  }
1769 #endif
1770 
1771  /* initialize (but do not open) tun/tap object */
1772  do_init_tun(c);
1773 
1774 #ifdef _WIN32
1775  /* store (hide) interactive service handle in tuntap_options */
1776  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1777  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1778 #endif
1779 
1780  /* allocate route list structure */
1781  do_alloc_route_list(c);
1782 
1783  /* parse and resolve the route option list */
1784  ASSERT(c->c2.link_socket);
1785  if (c->options.routes && c->c1.route_list)
1786  {
1787  do_init_route_list(&c->options, c->c1.route_list,
1788  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1789  }
1790  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1791  {
1792  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1793  &c->c2.link_socket->info, c->c2.es,
1794  &c->net_ctx);
1795  }
1796 
1797  /* do ifconfig */
1798  if (!c->options.ifconfig_noexec
1799  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1800  {
1801  /* guess actual tun/tap unit number that will be returned
1802  * by open_tun */
1803  const char *guess = guess_tuntap_dev(c->options.dev,
1804  c->options.dev_type,
1805  c->options.dev_node,
1806  &gc);
1807  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1808  &c->net_ctx);
1809  }
1810 
1811  /* possibly add routes */
1812  if (route_order() == ROUTE_BEFORE_TUN)
1813  {
1814  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1815  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1816  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1817  }
1818 #ifdef TARGET_ANDROID
1819  /* Store the old fd inside the fd so open_tun can use it */
1820  c->c1.tuntap->fd = oldtunfd;
1821 #endif
1822  /* open the tun device */
1823  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1824  c->c1.tuntap);
1825 
1826  /* set the hardware address */
1827  if (c->options.lladdr)
1828  {
1829  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1830  }
1831 
1832  /* do ifconfig */
1833  if (!c->options.ifconfig_noexec
1834  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1835  {
1836  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1837  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1838  }
1839 
1840  /* run the up script */
1841  run_up_down(c->options.up_script,
1842  c->plugins,
1843  OPENVPN_PLUGIN_UP,
1844  c->c1.tuntap->actual_name,
1845 #ifdef _WIN32
1846  c->c1.tuntap->adapter_index,
1847 #endif
1848  dev_type_string(c->options.dev, c->options.dev_type),
1849  TUN_MTU_SIZE(&c->c2.frame),
1850  EXPANDED_SIZE(&c->c2.frame),
1851  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1852  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1853  "init",
1854  NULL,
1855  "up",
1856  c->c2.es);
1857 
1858 #if defined(_WIN32)
1859  if (c->options.block_outside_dns)
1860  {
1861  dmsg(D_LOW, "Blocking outside DNS");
1862  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1863  {
1864  msg(M_FATAL, "Blocking DNS failed!");
1865  }
1866  }
1867 #endif
1868 
1869  /* possibly add routes */
1870  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1871  {
1872  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 
1876  /*
1877  * Did tun/tap driver give us an MTU?
1878  */
1879  if (c->c1.tuntap->post_open_mtu)
1880  {
1881  frame_set_mtu_dynamic(&c->c2.frame,
1882  c->c1.tuntap->post_open_mtu,
1883  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1884  }
1885 
1886  ret = true;
1887  static_context = c;
1888 #ifndef TARGET_ANDROID
1889 }
1890 else
1891 {
1892  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1893  c->c1.tuntap->actual_name);
1894 
1895  /* explicitly set the ifconfig_* env vars */
1896  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1897 
1898  /* run the up script if user specified --up-restart */
1899  if (c->options.up_restart)
1900  {
1901  run_up_down(c->options.up_script,
1902  c->plugins,
1903  OPENVPN_PLUGIN_UP,
1904  c->c1.tuntap->actual_name,
1905 #ifdef _WIN32
1906  c->c1.tuntap->adapter_index,
1907 #endif
1908  dev_type_string(c->options.dev, c->options.dev_type),
1909  TUN_MTU_SIZE(&c->c2.frame),
1910  EXPANDED_SIZE(&c->c2.frame),
1911  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1912  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1913  "restart",
1914  NULL,
1915  "up",
1916  c->c2.es);
1917  }
1918 #if defined(_WIN32)
1919  if (c->options.block_outside_dns)
1920  {
1921  dmsg(D_LOW, "Blocking outside DNS");
1922  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1923  {
1924  msg(M_FATAL, "Blocking DNS failed!");
1925  }
1926  }
1927 #endif
1928 
1929 }
1930 #endif /* ifndef TARGET_ANDROID */
1931  gc_free(&gc);
1932  return ret;
1933 }
1934 
1935 /*
1936  * Close TUN/TAP device
1937  */
1938 
1939 static void
1940 do_close_tun_simple(struct context *c)
1941 {
1942  msg(D_CLOSE, "Closing TUN/TAP interface");
1943  if (c->c1.tuntap)
1944  {
1945  close_tun(c->c1.tuntap, &c->net_ctx);
1946  c->c1.tuntap = NULL;
1947  }
1948  c->c1.tuntap_owned = false;
1949 #if P2MP
1950  CLEAR(c->c1.pulled_options_digest_save);
1951 #endif
1952 }
1953 
1954 static void
1955 do_close_tun(struct context *c, bool force)
1956 {
1957  struct gc_arena gc = gc_new();
1958  if (c->c1.tuntap && c->c1.tuntap_owned)
1959  {
1960  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1961 #ifdef _WIN32
1962  DWORD adapter_index = c->c1.tuntap->adapter_index;
1963 #endif
1964  const in_addr_t local = c->c1.tuntap->local;
1965  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1966 
1967  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1968  {
1969  static_context = NULL;
1970 
1971 #ifdef ENABLE_MANAGEMENT
1972  /* tell management layer we are about to close the TUN/TAP device */
1973  if (management)
1974  {
1975  management_pre_tunnel_close(management);
1976  management_up_down(management, "DOWN", c->c2.es);
1977  }
1978 #endif
1979 
1980  /* delete any routes we added */
1981  if (c->c1.route_list || c->c1.route_ipv6_list)
1982  {
1983  run_up_down(c->options.route_predown_script,
1984  c->plugins,
1985  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1986  tuntap_actual,
1987 #ifdef _WIN32
1988  adapter_index,
1989 #endif
1990  NULL,
1991  TUN_MTU_SIZE(&c->c2.frame),
1992  EXPANDED_SIZE(&c->c2.frame),
1993  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1994  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1995  "init",
1996  signal_description(c->sig->signal_received,
1997  c->sig->signal_text),
1998  "route-pre-down",
1999  c->c2.es);
2000 
2001  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2002  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2003  c->c2.es, &c->net_ctx);
2004  }
2005 
2006  /* actually close tun/tap device based on --down-pre flag */
2007  if (!c->options.down_pre)
2008  {
2009  do_close_tun_simple(c);
2010  }
2011 
2012  /* Run the down script -- note that it will run at reduced
2013  * privilege if, for example, "--user nobody" was used. */
2014  run_up_down(c->options.down_script,
2015  c->plugins,
2016  OPENVPN_PLUGIN_DOWN,
2017  tuntap_actual,
2018 #ifdef _WIN32
2019  adapter_index,
2020 #endif
2021  NULL,
2022  TUN_MTU_SIZE(&c->c2.frame),
2023  EXPANDED_SIZE(&c->c2.frame),
2024  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2025  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2026  "init",
2027  signal_description(c->sig->signal_received,
2028  c->sig->signal_text),
2029  "down",
2030  c->c2.es);
2031 
2032 #if defined(_WIN32)
2033  if (c->options.block_outside_dns)
2034  {
2035  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2036  {
2037  msg(M_FATAL, "Uninitialising WFP failed!");
2038  }
2039  }
2040 #endif
2041 
2042  /* actually close tun/tap device based on --down-pre flag */
2043  if (c->options.down_pre)
2044  {
2045  do_close_tun_simple(c);
2046  }
2047  }
2048  else
2049  {
2050  /* run the down script on this restart if --up-restart was specified */
2051  if (c->options.up_restart)
2052  {
2053  run_up_down(c->options.down_script,
2054  c->plugins,
2055  OPENVPN_PLUGIN_DOWN,
2056  tuntap_actual,
2057 #ifdef _WIN32
2058  adapter_index,
2059 #endif
2060  NULL,
2061  TUN_MTU_SIZE(&c->c2.frame),
2062  EXPANDED_SIZE(&c->c2.frame),
2063  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2064  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2065  "restart",
2066  signal_description(c->sig->signal_received,
2067  c->sig->signal_text),
2068  "down",
2069  c->c2.es);
2070  }
2071 
2072 #if defined(_WIN32)
2073  if (c->options.block_outside_dns)
2074  {
2075  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2076  {
2077  msg(M_FATAL, "Uninitialising WFP failed!");
2078  }
2079  }
2080 #endif
2081 
2082  }
2083  }
2084  gc_free(&gc);
2085 }
2086 
2087 void
2088 tun_abort(void)
2089 {
2090  struct context *c = static_context;
2091  if (c)
2092  {
2093  static_context = NULL;
2094  do_close_tun(c, true);
2095  }
2096 }
2097 
2098 /*
2099  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2100  */
2101 
2102 #if P2MP
2103 
2107 static bool
2108 options_hash_changed_or_zero(const struct sha256_digest *a,
2109  const struct sha256_digest *b)
2110 {
2111  const struct sha256_digest zero = {{0}};
2112  return memcmp(a, b, sizeof(struct sha256_digest))
2113  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2114 }
2115 #endif /* P2MP */
2116 
2117 bool
2118 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2119 {
2120  if (!c->c2.do_up_ran)
2121  {
2122  reset_coarse_timers(c);
2123 
2124  if (pulled_options)
2125  {
2126  if (!do_deferred_options(c, option_types_found))
2127  {
2128  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2129  return false;
2130  }
2131  }
2132 
2133  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2134  if (c->options.up_delay || PULL_DEFINED(&c->options))
2135  {
2136  c->c2.did_open_tun = do_open_tun(c);
2137  update_time();
2138 
2139 #if P2MP
2140  /*
2141  * Was tun interface object persisted from previous restart iteration,
2142  * and if so did pulled options string change from previous iteration?
2143  */
2144  if (!c->c2.did_open_tun
2145  && PULL_DEFINED(&c->options)
2146  && c->c1.tuntap
2147  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2148  &c->c2.pulled_options_digest))
2149  {
2150  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2151  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2152  do_close_tun(c, true);
2153  management_sleep(1);
2154  c->c2.did_open_tun = do_open_tun(c);
2155  update_time();
2156  }
2157 #endif
2158  }
2159 
2160  if (c->c2.did_open_tun)
2161  {
2162 #if P2MP
2163  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2164 #endif
2165 
2166  /* if --route-delay was specified, start timer */
2167  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2168  {
2169  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2170  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2171  if (c->c1.tuntap)
2172  {
2173  tun_standby_init(c->c1.tuntap);
2174  }
2175  }
2176  else
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2179  }
2180  }
2181  else if (c->options.mode == MODE_POINT_TO_POINT)
2182  {
2183  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2184  }
2185 
2186  c->c2.do_up_ran = true;
2187  }
2188  return true;
2189 }
2190 
2191 /*
2192  * These are the option categories which will be accepted by pull.
2193  */
2194 unsigned int
2195 pull_permission_mask(const struct context *c)
2196 {
2197  unsigned int flags =
2198  OPT_P_UP
2199  | OPT_P_ROUTE_EXTRAS
2200  | OPT_P_SOCKBUF
2201  | OPT_P_SOCKFLAGS
2202  | OPT_P_SETENV
2203  | OPT_P_SHAPER
2204  | OPT_P_TIMER
2205  | OPT_P_COMP
2206  | OPT_P_PERSIST
2207  | OPT_P_MESSAGES
2208  | OPT_P_EXPLICIT_NOTIFY
2209  | OPT_P_ECHO
2210  | OPT_P_PULL_MODE
2211  | OPT_P_PEER_ID;
2212 
2213  if (!c->options.route_nopull)
2214  {
2215  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2216  }
2217 
2218  if (c->options.ncp_enabled)
2219  {
2220  flags |= OPT_P_NCP;
2221  }
2222 
2223  return flags;
2224 }
2225 
2226 /*
2227  * Handle non-tun-related pulled options.
2228  */
2229 bool
2230 do_deferred_options(struct context *c, const unsigned int found)
2231 {
2232  if (found & OPT_P_MESSAGES)
2233  {
2234  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2235  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2236  }
2237  if (found & OPT_P_TIMER)
2238  {
2239  do_init_timers(c, true);
2240  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2241  }
2242 
2243 #ifdef ENABLE_OCC
2244  if (found & OPT_P_EXPLICIT_NOTIFY)
2245  {
2246  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2249  c->options.ce.explicit_exit_notification = 0;
2250  }
2251  else
2252  {
2253  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2254  }
2255  }
2256 #endif
2257 
2258 #ifdef USE_COMP
2259  if (found & OPT_P_COMP)
2260  {
2261  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2262  comp_uninit(c->c2.comp_context);
2263  c->c2.comp_context = comp_init(&c->options.comp);
2264  }
2265 #endif
2266 
2267  if (found & OPT_P_SHAPER)
2268  {
2269  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2270  do_init_traffic_shaper(c);
2271  }
2272 
2273  if (found & OPT_P_SOCKBUF)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2276  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2277  }
2278 
2279  if (found & OPT_P_SOCKFLAGS)
2280  {
2281  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2282  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2283  }
2284 
2285  if (found & OPT_P_PERSIST)
2286  {
2287  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2288  }
2289  if (found & OPT_P_UP)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2292  }
2293  if (found & OPT_P_ROUTE)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2296  }
2297  if (found & OPT_P_ROUTE_EXTRAS)
2298  {
2299  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2300  }
2301  if (found & OPT_P_IPWIN32)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2304  }
2305  if (found & OPT_P_SETENV)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2308  }
2309 
2310  if (found & OPT_P_PEER_ID)
2311  {
2312  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2313  c->c2.tls_multi->use_peer_id = true;
2314  c->c2.tls_multi->peer_id = c->options.peer_id;
2315  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2316  if (!c->options.ce.link_mtu_defined)
2317  {
2318  frame_add_to_link_mtu(&c->c2.frame, +3);
2319  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2320  EXPANDED_SIZE(&c->c2.frame));
2321  }
2322  else
2323  {
2324  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2325  " fixed by config - reducing tun-mtu to %d, expect"
2326  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2327  }
2328  }
2329 
2330  /* process (potentially pushed) crypto options */
2331  if (c->options.pull)
2332  {
2333  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2334  if (found & OPT_P_NCP)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2337  }
2338  else if (c->options.ncp_enabled)
2339  {
2340  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2341  }
2342  struct frame *frame_fragment = NULL;
2343 #ifdef ENABLE_FRAGMENT
2344  if (c->options.ce.fragment)
2345  {
2346  frame_fragment = &c->c2.frame_fragment;
2347  }
2348 #endif
2349 
2350  /* Do not regenerate keys if server sends an extra push reply */
2351  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2352  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2353  frame_fragment))
2354  {
2355  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2356  return false;
2357  }
2358  }
2359 
2360  return true;
2361 }
2362 
2363 /*
2364  * Possible hold on initialization, holdtime is the
2365  * time OpenVPN would wait without management
2366  */
2367 static bool
2368 do_hold(int holdtime)
2369 {
2370 #ifdef ENABLE_MANAGEMENT
2371  if (management)
2372  {
2373  /* block until management hold is released */
2374  if (management_hold(management, holdtime))
2375  {
2376  return true;
2377  }
2378  }
2379 #endif
2380  return false;
2381 }
2382 
2383 /*
2384  * Sleep before restart.
2385  */
2386 static void
2387 socket_restart_pause(struct context *c)
2388 {
2389  int sec = 2;
2390  int backoff = 0;
2391 
2392  switch (c->options.ce.proto)
2393  {
2394  case PROTO_TCP_SERVER:
2395  sec = 1;
2396  break;
2397 
2398  case PROTO_UDP:
2399  case PROTO_TCP_CLIENT:
2400  sec = c->options.ce.connect_retry_seconds;
2401  break;
2402  }
2403 
2404 #ifdef ENABLE_DEBUG
2405  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2406  {
2407  sec = 0;
2408  }
2409 #endif
2410 
2411 #if P2MP
2412  if (auth_retry_get() == AR_NOINTERACT)
2413  {
2414  sec = 10;
2415  }
2416 #endif
2417 
2418  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2419  if (c->options.ce.proto != PROTO_TCP_SERVER)
2420  {
2421  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2422  if (backoff > 0)
2423  {
2424  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2425  sec = max_int(sec, 1) << min_int(backoff, 15);
2426  }
2427 
2428  if (sec > c->options.ce.connect_retry_seconds_max)
2429  {
2430  sec = c->options.ce.connect_retry_seconds_max;
2431  }
2432  }
2433 
2434  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2435  {
2436  sec = c->persist.restart_sleep_seconds;
2437  }
2438  else if (c->persist.restart_sleep_seconds == -1)
2439  {
2440  sec = 0;
2441  }
2442  c->persist.restart_sleep_seconds = 0;
2443 
2444  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2445  if (do_hold(sec))
2446  {
2447  sec = 0;
2448  }
2449 
2450  if (sec)
2451  {
2452  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2453  management_sleep(sec);
2454  }
2455 }
2456 
2457 /*
2458  * Do a possible pause on context_2 initialization.
2459  */
2460 static void
2461 do_startup_pause(struct context *c)
2462 {
2463  if (!c->first_time)
2464  {
2465  socket_restart_pause(c);
2466  }
2467  else
2468  {
2469  do_hold(0); /* do management hold on first context initialization */
2470  }
2471 }
2472 
2473 /*
2474  * Finalize MTU parameters based on command line or config file options.
2475  */
2476 static void
2477 frame_finalize_options(struct context *c, const struct options *o)
2478 {
2479  if (!o)
2480  {
2481  o = &c->options;
2482  }
2483 
2484  /*
2485  * Set adjustment factor for buffer alignment when no
2486  * cipher is used.
2487  */
2488  if (!CIPHER_ENABLED(c))
2489  {
2490  frame_align_to_extra_frame(&c->c2.frame);
2491  frame_or_align_flags(&c->c2.frame,
2492  FRAME_HEADROOM_MARKER_FRAGMENT
2493  |FRAME_HEADROOM_MARKER_READ_LINK
2494  |FRAME_HEADROOM_MARKER_READ_STREAM);
2495  }
2496 
2497  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2498  frame_finalize(&c->c2.frame,
2499  o->ce.link_mtu_defined,
2500  o->ce.link_mtu,
2501  o->ce.tun_mtu_defined,
2502  o->ce.tun_mtu);
2503 }
2504 
2505 /*
2506  * Free a key schedule, including OpenSSL components.
2507  */
2508 static void
2509 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2510 {
2511  free_key_ctx_bi(&ks->static_key);
2512  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2513  {
2514  tls_ctx_free(&ks->ssl_ctx);
2515  free_key_ctx(&ks->tls_crypt_v2_server_key);
2516  }
2517  CLEAR(*ks);
2518 }
2519 
2520 static void
2521 init_crypto_pre(struct context *c, const unsigned int flags)
2522 {
2523  if (c->options.engine)
2524  {
2525  crypto_init_lib_engine(c->options.engine);
2526  }
2527 
2528  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2529  {
2530  /* load a persisted packet-id for cross-session replay-protection */
2531  if (c->options.packet_id_file)
2532  {
2533  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2534  }
2535  }
2536 
2537 #ifdef ENABLE_PREDICTION_RESISTANCE
2538  if (c->options.use_prediction_resistance)
2539  {
2540  rand_ctx_enable_prediction_resistance();
2541  }
2542 #endif
2543 }
2544 
2545 /*
2546  * Static Key Mode (using a pre-shared key)
2547  */
2548 static void
2549 do_init_crypto_static(struct context *c, const unsigned int flags)
2550 {
2551  const struct options *options = &c->options;
2552  ASSERT(options->shared_secret_file);
2553 
2554  init_crypto_pre(c, flags);
2555 
2556  /* Initialize flags */
2557  if (c->options.mute_replay_warnings)
2558  {
2559  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2560  }
2561 
2562  /* Initialize packet ID tracking */
2563  if (options->replay)
2564  {
2565  packet_id_init(&c->c2.crypto_options.packet_id,
2566  options->replay_window,
2567  options->replay_time,
2568  "STATIC", 0);
2569  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2570  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2571  packet_id_persist_load_obj(&c->c1.pid_persist,
2572  &c->c2.crypto_options.packet_id);
2573  }
2574 
2575  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2576  {
2577  /* Get cipher & hash algorithms */
2578  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2579  options->keysize, options->test_crypto, true);
2580 
2581  /* Read cipher and hmac keys from shared secret file */
2582  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2583  options->shared_secret_file,
2584  options->shared_secret_file_inline,
2585  options->key_direction, "Static Key Encryption",
2586  "secret");
2587  }
2588  else
2589  {
2590  msg(M_INFO, "Re-using pre-shared static key");
2591  }
2592 
2593  /* Get key schedule */
2594  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2595 
2596  /* Compute MTU parameters */
2597  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2598  options->replay, true);
2599 
2600  /* Sanity check on sequence number, and cipher mode options */
2601  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2602 }
2603 
2604 /*
2605  * Initialize the tls-auth/crypt key context
2606  */
2607 static void
2608 do_init_tls_wrap_key(struct context *c)
2609 {
2610  const struct options *options = &c->options;
2611 
2612  /* TLS handshake authentication (--tls-auth) */
2613  if (options->ce.tls_auth_file)
2614  {
2615  /* Initialize key_type for tls-auth with auth only */
2616  CLEAR(c->c1.ks.tls_auth_key_type);
2617  if (!streq(options->authname, "none"))
2618  {
2619  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2620  c->c1.ks.tls_auth_key_type.hmac_length =
2621  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2622  }
2623  else
2624  {
2625  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2626  "algorithm specified ('%s')", options->authname);
2627  }
2628 
2629  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2630  &c->c1.ks.tls_wrap_key,
2631  options->ce.tls_auth_file,
2632  options->ce.tls_auth_file_inline,
2633  options->ce.key_direction,
2634  "Control Channel Authentication", "tls-auth");
2635  }
2636 
2637  /* TLS handshake encryption+authentication (--tls-crypt) */
2638  if (options->ce.tls_crypt_file)
2639  {
2640  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2641  options->ce.tls_crypt_file,
2642  options->ce.tls_crypt_inline, options->tls_server);
2643  }
2644 
2645  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2646  if (options->ce.tls_crypt_v2_file)
2647  {
2648  if (options->tls_server)
2649  {
2650  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2651  true, options->ce.tls_crypt_v2_file,
2652  options->ce.tls_crypt_v2_inline);
2653  }
2654  else
2655  {
2656  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2657  &c->c1.ks.tls_crypt_v2_wkc,
2658  options->ce.tls_crypt_v2_file,
2659  options->ce.tls_crypt_v2_inline);
2660  }
2661  }
2662 
2663 
2664 }
2665 
2666 #if P2MP_SERVER
2667 /*
2668  * Initialise the auth-token key context
2669  */
2670 static void
2671 do_init_auth_token_key(struct context *c)
2672 {
2673  if (!c->options.auth_token_generate)
2674  {
2675  return;
2676  }
2677 
2678  auth_token_init_secret(&c->c1.ks.auth_token_key,
2679  c->options.auth_token_secret_file,
2680  c->options.auth_token_secret_file_inline);
2681 }
2682 #endif
2683 
2684 /*
2685  * Initialize the persistent component of OpenVPN's TLS mode,
2686  * which is preserved across SIGUSR1 resets.
2687  */
2688 static void
2689 do_init_crypto_tls_c1(struct context *c)
2690 {
2691  const struct options *options = &c->options;
2692 
2693  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2694  {
2695  /*
2696  * Initialize the OpenSSL library's global
2697  * SSL context.
2698  */
2699  init_ssl(options, &(c->c1.ks.ssl_ctx));
2700  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2701  {
2702 #if P2MP
2703  switch (auth_retry_get())
2704  {
2705  case AR_NONE:
2706  msg(M_FATAL, "Error: private key password verification failed");
2707  break;
2708 
2709  case AR_INTERACT:
2710  ssl_purge_auth(false);
2711 
2712  case AR_NOINTERACT:
2713  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2714  break;
2715 
2716  default:
2717  ASSERT(0);
2718  }
2719  c->sig->signal_text = "private-key-password-failure";
2720  return;
2721 #else /* if P2MP */
2722  msg(M_FATAL, "Error: private key password verification failed");
2723 #endif /* if P2MP */
2724  }
2725 
2726  /* Get cipher & hash algorithms */
2727  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2728  options->keysize, true, true);
2729 
2730  /* Initialize PRNG with config-specified digest */
2731  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2732 
2733  /* initialize tls-auth/crypt/crypt-v2 key */
2734  do_init_tls_wrap_key(c);
2735 
2736 #if P2MP_SERVER
2737  /* initialise auth-token crypto support */
2738  do_init_auth_token_key(c);
2739 #endif
2740 
2741 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2742  if (options->priv_key_file_inline)
2743  {
2744  string_clear(c->options.priv_key_file_inline);
2745  c->options.priv_key_file_inline = NULL;
2746  }
2747 #endif
2748  }
2749  else
2750  {
2751  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2752 
2753  /*
2754  * tls-auth/crypt key can be configured per connection block, therefore
2755  * we must reload it as it may have changed
2756  */
2757  do_init_tls_wrap_key(c);
2758  }
2759 }
2760 
2761 static void
2762 do_init_crypto_tls(struct context *c, const unsigned int flags)
2763 {
2764  const struct options *options = &c->options;
2765  struct tls_options to;
2766  bool packet_id_long_form;
2767 
2768  ASSERT(options->tls_server || options->tls_client);
2769  ASSERT(!options->test_crypto);
2770 
2771  init_crypto_pre(c, flags);
2772 
2773  /* Make sure we are either a TLS client or server but not both */
2774  ASSERT(options->tls_server == !options->tls_client);
2775 
2776  /* initialize persistent component */
2777  do_init_crypto_tls_c1(c);
2778  if (IS_SIG(c))
2779  {
2780  return;
2781  }
2782 
2783  /* Sanity check on sequence number, and cipher mode options */
2784  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2785 
2786  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2787  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2788 
2789  /* Compute MTU parameters (postpone if we push/pull options) */
2790  if (c->options.pull || c->options.mode == MODE_SERVER)
2791  {
2792  /* Account for worst-case crypto overhead before allocating buffers */
2793  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2794  }
2795  else
2796  {
2797  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2798  options->replay, packet_id_long_form);
2799  }
2800  tls_adjust_frame_parameters(&c->c2.frame);
2801 
2802  /* Set all command-line TLS-related options */
2803  CLEAR(to);
2804 
2805  if (options->mute_replay_warnings)
2806  {
2807  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2808  }
2809 
2810  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2811  if (packet_id_long_form)
2812  {
2813  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2814  }
2815 
2816  to.ssl_ctx = c->c1.ks.ssl_ctx;
2817  to.key_type = c->c1.ks.key_type;
2818  to.server = options->tls_server;
2819  to.key_method = options->key_method;
2820  to.replay = options->replay;
2821  to.replay_window = options->replay_window;
2822  to.replay_time = options->replay_time;
2823  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2824  to.config_ciphername = c->c1.ciphername;
2825  to.config_authname = c->c1.authname;
2826  to.ncp_enabled = options->ncp_enabled;
2827  to.transition_window = options->transition_window;
2828  to.handshake_window = options->handshake_window;
2829  to.packet_timeout = options->tls_timeout;
2830  to.renegotiate_bytes = options->renegotiate_bytes;
2831  to.renegotiate_packets = options->renegotiate_packets;
2832  if (options->renegotiate_seconds_min < 0)
2833  {
2834  /* Add 10% jitter to reneg-sec by default (server side only) */
2835  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2836  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2837  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2838  }
2839  else
2840  {
2841  /* Add user-specified jitter to reneg-sec */
2842  to.renegotiate_seconds = options->renegotiate_seconds
2843  -(get_random() % max_int(options->renegotiate_seconds
2844  - options->renegotiate_seconds_min, 1));
2845  }
2846  to.single_session = options->single_session;
2847  to.mode = options->mode;
2848  to.pull = options->pull;
2849  if (options->push_peer_info) /* all there is */
2850  {
2851  to.push_peer_info_detail = 2;
2852  }
2853  else if (options->pull) /* pull clients send some details */
2854  {
2855  to.push_peer_info_detail = 1;
2856  }
2857  else /* default: no peer-info at all */
2858  {
2859  to.push_peer_info_detail = 0;
2860  }
2861 
2862  /* should we not xmit any packets until we get an initial
2863  * response from client? */
2864  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2865  {
2866  to.xmit_hold = true;
2867  }
2868 
2869 #ifdef ENABLE_OCC
2870  to.disable_occ = !options->occ;
2871 #endif
2872 
2873  to.verify_command = options->tls_verify;
2874  to.verify_export_cert = options->tls_export_cert;
2875  to.verify_x509_type = (options->verify_x509_type & 0xff);
2876  to.verify_x509_name = options->verify_x509_name;
2877  to.crl_file = options->crl_file;
2878  to.crl_file_inline = options->crl_file_inline;
2879  to.ssl_flags = options->ssl_flags;
2880  to.ns_cert_type = options->ns_cert_type;
2881  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2882  to.remote_cert_eku = options->remote_cert_eku;
2883  to.verify_hash = options->verify_hash;
2884  to.verify_hash_algo = options->verify_hash_algo;
2885 #ifdef ENABLE_X509ALTUSERNAME
2886  to.x509_username_field = (char *) options->x509_username_field;
2887 #else
2888  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2889 #endif
2890  to.es = c->c2.es;
2891  to.net_ctx = &c->net_ctx;
2892 
2893 #ifdef ENABLE_DEBUG
2894  to.gremlin = c->options.gremlin;
2895 #endif
2896 
2897  to.plugins = c->plugins;
2898 
2899 #ifdef MANAGEMENT_DEF_AUTH
2900  to.mda_context = &c->c2.mda_context;
2901 #endif
2902 
2903 #if P2MP_SERVER
2904  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2905  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2906  to.tmp_dir = options->tmp_dir;
2907  if (options->ccd_exclusive)
2908  {
2909  to.client_config_dir_exclusive = options->client_config_dir;
2910  }
2911  to.auth_user_pass_file = options->auth_user_pass_file;
2912  to.auth_token_generate = options->auth_token_generate;
2913  to.auth_token_lifetime = options->auth_token_lifetime;
2914  to.auth_token_call_auth = options->auth_token_call_auth;
2915  to.auth_token_key = c->c1.ks.auth_token_key;
2916 #endif
2917 
2918  to.x509_track = options->x509_track;
2919 
2920 #if P2MP
2921 #ifdef ENABLE_MANAGEMENT
2922  to.sci = &options->sc_info;
2923 #endif
2924 #endif
2925 
2926 #ifdef USE_COMP
2927  to.comp_options = options->comp;
2928 #endif
2929 
2930 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2931  if (options->keying_material_exporter_label)
2932  {
2933  to.ekm_size = options->keying_material_exporter_length;
2934  if (to.ekm_size < 16 || to.ekm_size > 4095)
2935  {
2936  to.ekm_size = 0;
2937  }
2938 
2939  to.ekm_label = options->keying_material_exporter_label;
2940  to.ekm_label_size = strlen(to.ekm_label);
2941  }
2942  else
2943  {
2944  to.ekm_size = 0;
2945  }
2946 #endif
2947 
2948  /* TLS handshake authentication (--tls-auth) */
2949  if (options->ce.tls_auth_file)
2950  {
2951  to.tls_wrap.mode = TLS_WRAP_AUTH;
2952  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2953  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2954  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2955  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2956  true, true);
2957  }
2958 
2959  /* TLS handshake encryption (--tls-crypt) */
2960  if (options->ce.tls_crypt_file
2961  || (options->ce.tls_crypt_v2_file && options->tls_client))
2962  {
2963  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2964  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2965  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2966  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2967  tls_crypt_adjust_frame_parameters(&to.frame);
2968 
2969  if (options->ce.tls_crypt_v2_file)
2970  {
2971  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2972  }
2973  }
2974 
2975  if (options->ce.tls_crypt_v2_file)
2976  {
2977  to.tls_crypt_v2 = true;
2978  if (options->tls_server)
2979  {
2980  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2981  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2982  }
2983  }
2984 
2985  /* If we are running over TCP, allow for
2986  * length prefix */
2987  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2988 
2989  /*
2990  * Initialize OpenVPN's master TLS-mode object.
2991  */
2992  if (flags & CF_INIT_TLS_MULTI)
2993  {
2994  c->c2.tls_multi = tls_multi_init(&to);
2995  }
2996 
2997  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2998  {
2999  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3000  }
3001 }
3002 
3003 static void
3004 do_init_finalize_tls_frame(struct context *c)
3005 {
3006  if (c->c2.tls_multi)
3007  {
3008  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3009  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3010  EXPANDED_SIZE(&c->c2.frame));
3011  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3012  "Control Channel MTU parms");
3013  }
3014  if (c->c2.tls_auth_standalone)
3015  {
3016  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3017  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3018  "TLS-Auth MTU parms");
3019  }
3020 }
3021 
3022 /*
3023  * No encryption or authentication.
3024  */
3025 static void
3026 do_init_crypto_none(const struct context *c)
3027 {
3028  ASSERT(!c->options.test_crypto);
3029  msg(M_WARN,
3030  "******* WARNING *******: All encryption and authentication features "
3031  "disabled -- All data will be tunnelled as clear text and will not be "
3032  "protected against man-in-the-middle changes. "
3033  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3034 }
3035 
3036 static void
3037 do_init_crypto(struct context *c, const unsigned int flags)
3038 {
3039  if (c->options.shared_secret_file)
3040  {
3041  do_init_crypto_static(c, flags);
3042  }
3043  else if (c->options.tls_server || c->options.tls_client)
3044  {
3045  do_init_crypto_tls(c, flags);
3046  }
3047  else /* no encryption or authentication. */
3048  {
3049  do_init_crypto_none(c);
3050  }
3051 }
3052 
3053 static void
3054 do_init_frame(struct context *c)
3055 {
3056 #ifdef USE_COMP
3057  /*
3058  * modify frame parameters if compression is enabled
3059  */
3060  if (comp_enabled(&c->options.comp))
3061  {
3062  comp_add_to_extra_frame(&c->c2.frame);
3063 
3064 #if !defined(ENABLE_LZ4)
3065  /*
3066  * Compression usage affects buffer alignment when non-swapped algs
3067  * such as LZO is used.
3068  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3069  * any special alignment because of the control-byte swap approach.
3070  * LZO alignment (on the other hand) is problematic because
3071  * the presence of the control byte means that either the output of
3072  * decryption must be written to an unaligned buffer, or the input
3073  * to compression (or packet dispatch if packet is uncompressed)
3074  * must be read from an unaligned buffer.
3075  * This code tries to align the input to compression (or packet
3076  * dispatch if packet is uncompressed) at the cost of requiring
3077  * decryption output to be written to an unaligned buffer, so
3078  * it's more of a tradeoff than an optimal solution and we don't
3079  * include it when we are doing a modern build with LZ4.
3080  * Strictly speaking, on the server it would be better to execute
3081  * this code for every connection after we decide the compression
3082  * method, but currently the frame code doesn't appear to be
3083  * flexible enough for this, since the frame is already established
3084  * before it is known which compression options will be pushed.
3085  */
3086  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3087  {
3088  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3089  frame_or_align_flags(&c->c2.frame,
3090  FRAME_HEADROOM_MARKER_FRAGMENT
3091  |FRAME_HEADROOM_MARKER_DECRYPT);
3092  }
3093 #endif
3094 
3095 #ifdef ENABLE_FRAGMENT
3096  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3097 #endif
3098  }
3099 #endif /* USE_COMP */
3100 
3101  /*
3102  * Adjust frame size for UDP Socks support.
3103  */
3104  if (c->options.ce.socks_proxy_server)
3105  {
3106  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3107  }
3108 
3109  /*
3110  * Adjust frame size based on the --tun-mtu-extra parameter.
3111  */
3112  if (c->options.ce.tun_mtu_extra_defined)
3113  {
3114  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3115  }
3116 
3117  /*
3118  * Adjust frame size based on link socket parameters.
3119  * (Since TCP is a stream protocol, we need to insert
3120  * a packet length uint16_t in the buffer.)
3121  */
3122  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3123 
3124  /*
3125  * Fill in the blanks in the frame parameters structure,
3126  * make sure values are rational, etc.
3127  */
3128  frame_finalize_options(c, NULL);
3129 
3130 #ifdef USE_COMP
3131  /*
3132  * Modify frame parameters if compression is compiled in.
3133  * Should be called after frame_finalize_options.
3134  */
3135  comp_add_to_extra_buffer(&c->c2.frame);
3136 #ifdef ENABLE_FRAGMENT
3137  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3138 #endif
3139 #endif /* USE_COMP */
3140 
3141  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3142  * and need link_mtu+3 bytes on socket reception (on server).
3143  *
3144  * accommodate receive path in f->extra_link, which has the side effect of
3145  * also increasing send buffers (BUF_SIZE() macro), which need to be
3146  * allocated big enough before receiving peer-id option from server.
3147  *
3148  * f->extra_frame is adjusted when peer-id option is push-received
3149  */
3150  frame_add_to_extra_link(&c->c2.frame, 3);
3151 
3152 #ifdef ENABLE_FRAGMENT
3153  /*
3154  * Set frame parameter for fragment code. This is necessary because
3155  * the fragmentation code deals with payloads which have already been
3156  * passed through the compression code.
3157  */
3158  c->c2.frame_fragment = c->c2.frame;
3159  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3160  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3161 #endif
3162 
3163 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3164  /*
3165  * MTU advisories
3166  */
3167  if (c->options.ce.fragment && c->options.mtu_test)
3168  {
3169  msg(M_WARN,
3170  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3171  }
3172 #endif
3173 
3174 #ifdef ENABLE_FRAGMENT
3175  if ((c->options.ce.mssfix || c->options.ce.fragment)
3176  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3177  {
3178  msg(M_WARN,
3179  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3180  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3181  }
3182 #endif
3183 }
3184 
3185 static void
3186 do_option_warnings(struct context *c)
3187 {
3188  const struct options *o = &c->options;
3189 
3190  if (o->ping_send_timeout && !o->ping_rec_timeout)
3191  {
3192  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3193  }
3194 
3195  if (o->username || o->groupname || o->chroot_dir
3196 #ifdef ENABLE_SELINUX
3197  || o->selinux_context
3198 #endif
3199  )
3200  {
3201  if (!o->persist_tun)
3202  {
3203  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3204  }
3205  if (!o->persist_key
3206 #ifdef ENABLE_PKCS11
3207  && !o->pkcs11_id
3208 #endif
3209  )
3210  {
3211  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3212  }
3213  }
3214 
3215  if (o->chroot_dir && !(o->username && o->groupname))
3216  {
3217  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3218  }
3219 
3220 #if P2MP
3221  if (o->pull && o->ifconfig_local && c->first_time)
3222  {
3223  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3224  }
3225 
3226 #if P2MP_SERVER
3227  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3228  {
3229  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3230  }
3231 
3232  if (o->mode == MODE_SERVER)
3233  {
3234  if (o->duplicate_cn && o->client_config_dir)
3235  {
3236  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3237  }
3238  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3239  {
3240  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3241  }
3242  if (!o->keepalive_ping || !o->keepalive_timeout)
3243  {
3244  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3245  }
3246  }
3247 #endif /* if P2MP_SERVER */
3248 #endif /* if P2MP */
3249 
3250  if (!o->replay)
3251  {
3252  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3253  }
3254 
3255  if (o->tls_server)
3256  {
3257  warn_on_use_of_common_subnets(&c->net_ctx);
3258  }
3259  if (o->tls_client
3260  && !o->tls_verify
3261  && o->verify_x509_type == VERIFY_X509_NONE
3262  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3263  && !o->remote_cert_eku)
3264  {
3265  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3266  }
3267  if (o->ns_cert_type)
3268  {
3269  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3270  }
3271 
3272  /* If a script is used, print appropriate warnings */
3273  if (o->user_script_used)
3274  {
3275  if (script_security() >= SSEC_SCRIPTS)
3276  {
3277  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3278  }
3279  else if (script_security() >= SSEC_PW_ENV)
3280  {
3281  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3282  }
3283  else
3284  {
3285  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3286  }
3287  }
3288 }
3289 
3290 static void
3291 do_init_frame_tls(struct context *c)
3292 {
3293  do_init_finalize_tls_frame(c);
3294 }
3295 
3296 struct context_buffers *
3297 init_context_buffers(const struct frame *frame)
3298 {
3299  struct context_buffers *b;
3300 
3301  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3302 
3303  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3304  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3305 
3306  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3307 
3308  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3309  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3310 
3311 #ifdef USE_COMP
3312  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3313  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3314 #endif
3315 
3316  return b;
3317 }
3318 
3319 void
3320 free_context_buffers(struct context_buffers *b)
3321 {
3322  if (b)
3323  {
3324  free_buf(&b->read_link_buf);
3325  free_buf(&b->read_tun_buf);
3326  free_buf(&b->aux_buf);
3327 
3328 #ifdef USE_COMP
3329  free_buf(&b->compress_buf);
3330  free_buf(&b->decompress_buf);
3331 #endif
3332 
3333  free_buf(&b->encrypt_buf);
3334  free_buf(&b->decrypt_buf);
3335 
3336  free(b);
3337  }
3338 }
3339 
3340 /*
3341  * Now that we know all frame parameters, initialize
3342  * our buffers.
3343  */
3344 static void
3345 do_init_buffers(struct context *c)
3346 {
3347  c->c2.buffers = init_context_buffers(&c->c2.frame);
3348  c->c2.buffers_owned = true;
3349 }
3350 
3351 #ifdef ENABLE_FRAGMENT
3352 /*
3353  * Fragmenting code has buffers to initialize
3354  * once frame parameters are known.
3355  */
3356 static void
3357 do_init_fragment(struct context *c)
3358 {
3359  ASSERT(c->options.ce.fragment);
3360  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3361  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3362  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3363 }
3364 #endif
3365 
3366 /*
3367  * Allocate our socket object.
3368  */
3369 static void
3370 do_link_socket_new(struct context *c)
3371 {
3372  ASSERT(!c->c2.link_socket);
3373  c->c2.link_socket = link_socket_new();
3374  c->c2.link_socket_owned = true;
3375 }
3376 
3377 /*
3378  * bind the TCP/UDP socket
3379  */
3380 static void
3381 do_init_socket_1(struct context *c, const int mode)
3382 {
3383  unsigned int sockflags = c->options.sockflags;
3384 
3385 #if PORT_SHARE
3386  if (c->options.port_share_host && c->options.port_share_port)
3387  {
3388  sockflags |= SF_PORT_SHARE;
3389  }
3390 #endif
3391 
3392  link_socket_init_phase1(c->c2.link_socket,
3393  c->options.ce.local,
3394  c->options.ce.local_port,
3395  c->options.ce.remote,
3396  c->options.ce.remote_port,
3397  c->c1.dns_cache,
3398  c->options.ce.proto,
3399  c->options.ce.af,
3400  c->options.ce.bind_ipv6_only,
3401  mode,
3402  c->c2.accept_from,
3403  c->c1.http_proxy,
3404  c->c1.socks_proxy,
3405 #ifdef ENABLE_DEBUG
3406  c->options.gremlin,
3407 #endif
3408  c->options.ce.bind_local,
3409  c->options.ce.remote_float,
3410  c->options.inetd,
3411  &c->c1.link_socket_addr,
3412  c->options.ipchange,
3413  c->plugins,
3414  c->options.resolve_retry_seconds,
3415  c->options.ce.mtu_discover_type,
3416  c->options.rcvbuf,
3417  c->options.sndbuf,
3418  c->options.mark,
3419  &c->c2.server_poll_interval,
3420  sockflags);
3421 }
3422 
3423 /*
3424  * finalize the TCP/UDP socket
3425  */
3426 static void
3427 do_init_socket_2(struct context *c)
3428 {
3429  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3430  c->sig);
3431 }
3432 
3433 /*
3434  * Print MTU INFO
3435  */
3436 static void
3437 do_print_data_channel_mtu_parms(struct context *c)
3438 {
3439  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3440 #ifdef ENABLE_FRAGMENT
3441  if (c->c2.fragment)
3442  {
3443  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3444  "Fragmentation MTU parms");
3445  }
3446 #endif
3447 }
3448 
3449 #ifdef ENABLE_OCC
3450 /*
3451  * Get local and remote options compatibility strings.
3452  */
3453 static void
3454 do_compute_occ_strings(struct context *c)
3455 {
3456  struct gc_arena gc = gc_new();
3457 
3458  c->c2.options_string_local =
3459  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3460  false, &gc);
3461  c->c2.options_string_remote =
3462  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3463  true, &gc);
3464 
3465  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3466  options_string_version(c->c2.options_string_local, &gc),
3467  c->c2.options_string_local);
3468  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3469  options_string_version(c->c2.options_string_remote, &gc),
3470  c->c2.options_string_remote);
3471 
3472  if (c->c2.tls_multi)
3473  {
3474  tls_multi_init_set_options(c->c2.tls_multi,
3475  c->c2.options_string_local,
3476  c->c2.options_string_remote);
3477  }
3478 
3479  gc_free(&gc);
3480 }
3481 #endif /* ifdef ENABLE_OCC */
3482 
3483 /*
3484  * These things can only be executed once per program instantiation.
3485  * Set up for possible UID/GID downgrade, but don't do it yet.
3486  * Daemonize if requested.
3487  */
3488 static void
3489 do_init_first_time(struct context *c)
3490 {
3491  if (c->first_time && !c->c0)
3492  {
3493  struct context_0 *c0;
3494 
3495  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3496  c0 = c->c0;
3497 
3498  /* get user and/or group that we want to setuid/setgid to */
3499  c0->uid_gid_specified =
3500  platform_group_get(c->options.groupname, &c0->platform_state_group)
3501  |platform_user_get(c->options.username, &c0->platform_state_user);
3502 
3503  /* perform postponed chdir if --daemon */
3504  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3505  {
3506  platform_chdir("/");
3507  }
3508 
3509  /* should we change scheduling priority? */
3510  platform_nice(c->options.nice);
3511  }
3512 }
3513 
3514 /*
3515  * If xinetd/inetd mode, don't allow restart.
3516  */
3517 static void
3518 do_close_check_if_restart_permitted(struct context *c)
3519 {
3520  if (c->options.inetd
3521  && (c->sig->signal_received == SIGHUP
3522  || c->sig->signal_received == SIGUSR1))
3523  {
3524  c->sig->signal_received = SIGTERM;
3525  msg(M_INFO,
3526  PACKAGE_NAME
3527  " started by inetd/xinetd cannot restart... Exiting.");
3528  }
3529 }
3530 
3531 /*
3532  * free buffers
3533  */
3534 static void
3535 do_close_free_buf(struct context *c)
3536 {
3537  if (c->c2.buffers_owned)
3538  {
3539  free_context_buffers(c->c2.buffers);
3540  c->c2.buffers = NULL;
3541  c->c2.buffers_owned = false;
3542  }
3543 }
3544 
3545 /*
3546  * close TLS
3547  */
3548 static void
3549 do_close_tls(struct context *c)
3550 {
3551  if (c->c2.tls_multi)
3552  {
3553  tls_multi_free(c->c2.tls_multi, true);
3554  c->c2.tls_multi = NULL;
3555  }
3556 
3557 #ifdef ENABLE_OCC
3558  /* free options compatibility strings */
3559  if (c->c2.options_string_local)
3560  {
3561  free(c->c2.options_string_local);
3562  }
3563  if (c->c2.options_string_remote)
3564  {
3565  free(c->c2.options_string_remote);
3566  }
3567  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3568 #endif
3569 
3570  if (c->c2.pulled_options_state)
3571  {
3572  md_ctx_cleanup(c->c2.pulled_options_state);
3573  md_ctx_free(c->c2.pulled_options_state);
3574  }
3575 }
3576 
3577 /*
3578  * Free key schedules
3579  */
3580 static void
3581 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3582 {
3583  /*
3584  * always free the tls_auth/crypt key. If persist_key is true, the key will
3585  * be reloaded from memory (pre-cached)
3586  */
3587  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3588  CLEAR(c->c1.ks.tls_wrap_key);
3589  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3590  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3591 
3592  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3593  {
3594  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3595  }
3596 }
3597 
3598 /*
3599  * Close TCP/UDP connection
3600  */
3601 static void
3602 do_close_link_socket(struct context *c)
3603 {
3604  if (c->c2.link_socket && c->c2.link_socket_owned)
3605  {
3606  link_socket_close(c->c2.link_socket);
3607  c->c2.link_socket = NULL;
3608  }
3609 
3610 
3611  /* Preserve the resolved list of remote if the user request to or if we want
3612  * reconnect to the same host again or there are still addresses that need
3613  * to be tried */
3614  if (!(c->sig->signal_received == SIGUSR1
3615  && ( (c->options.persist_remote_ip)
3616  ||
3617  ( c->sig->source != SIG_SOURCE_HARD
3618  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3619  || c->options.no_advance))
3620  )))
3621  {
3622  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3623  }
3624 
3625  /* Clear the remote actual address when persist_remote_ip is not in use */
3626  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3627  {
3628  CLEAR(c->c1.link_socket_addr.actual);
3629  }
3630 
3631  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3632  {
3633  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3634  {
3635  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3636  }
3637 
3638  c->c1.link_socket_addr.bind_local = NULL;
3639  }
3640 }
3641 
3642 /*
3643  * Close packet-id persistence file
3644  */
3645 static void
3646 do_close_packet_id(struct context *c)
3647 {
3648  packet_id_free(&c->c2.crypto_options.packet_id);
3649  packet_id_persist_save(&c->c1.pid_persist);
3650  if (!(c->sig->signal_received == SIGUSR1))
3651  {
3652  packet_id_persist_close(&c->c1.pid_persist);
3653  }
3654 }
3655 
3656 #ifdef ENABLE_FRAGMENT
3657 /*
3658  * Close fragmentation handler.
3659  */
3660 static void
3661 do_close_fragment(struct context *c)
3662 {
3663  if (c->c2.fragment)
3664  {
3665  fragment_free(c->c2.fragment);
3666  c->c2.fragment = NULL;
3667  }
3668 }
3669 #endif
3670 
3671 /*
3672  * Open and close our event objects.
3673  */
3674 
3675 static void
3676 do_event_set_init(struct context *c,
3677  bool need_us_timeout)
3678 {
3679  unsigned int flags = 0;
3680 
3681  c->c2.event_set_max = BASE_N_EVENTS;
3682 
3683  flags |= EVENT_METHOD_FAST;
3684 
3685  if (need_us_timeout)
3686  {
3687  flags |= EVENT_METHOD_US_TIMEOUT;
3688  }
3689 
3690  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3691  c->c2.event_set_owned = true;
3692 }
3693 
3694 static void
3695 do_close_event_set(struct context *c)
3696 {
3697  if (c->c2.event_set && c->c2.event_set_owned)
3698  {
3699  event_free(c->c2.event_set);
3700  c->c2.event_set = NULL;
3701  c->c2.event_set_owned = false;
3702  }
3703 }
3704 
3705 /*
3706  * Open and close --status file
3707  */
3708 
3709 static void
3710 do_open_status_output(struct context *c)
3711 {
3712  if (!c->c1.status_output)
3713  {
3714  c->c1.status_output = status_open(c->options.status_file,
3715  c->options.status_file_update_freq,
3716  -1,
3717  NULL,
3718  STATUS_OUTPUT_WRITE);
3719  c->c1.status_output_owned = true;
3720  }
3721 }
3722 
3723 static void
3724 do_close_status_output(struct context *c)
3725 {
3726  if (!(c->sig->signal_received == SIGUSR1))
3727  {
3728  if (c->c1.status_output_owned && c->c1.status_output)
3729  {
3730  status_close(c->c1.status_output);
3731  c->c1.status_output = NULL;
3732  c->c1.status_output_owned = false;
3733  }
3734  }
3735 }
3736 
3737 /*
3738  * Handle ifconfig-pool persistence object.
3739  */
3740 static void
3741 do_open_ifconfig_pool_persist(struct context *c)
3742 {
3743 #if P2MP_SERVER
3744  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3745  {
3746  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3747  c->options.ifconfig_pool_persist_refresh_freq);
3748  c->c1.ifconfig_pool_persist_owned = true;
3749  }
3750 #endif
3751 }
3752 
3753 static void
3754 do_close_ifconfig_pool_persist(struct context *c)
3755 {
3756 #if P2MP_SERVER
3757  if (!(c->sig->signal_received == SIGUSR1))
3758  {
3759  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3760  {
3761  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3762  c->c1.ifconfig_pool_persist = NULL;
3763  c->c1.ifconfig_pool_persist_owned = false;
3764  }
3765  }
3766 #endif
3767 }
3768 
3769 /*
3770  * Inherit environmental variables
3771  */
3772 
3773 static void
3774 do_inherit_env(struct context *c, const struct env_set *src)
3775 {
3776  c->c2.es = env_set_create(NULL);
3777  c->c2.es_owned = true;
3778  env_set_inherit(c->c2.es, src);
3779 }
3780 
3781 static void
3782 do_env_set_destroy(struct context *c)
3783 {
3784  if (c->c2.es && c->c2.es_owned)
3785  {
3786  env_set_destroy(c->c2.es);
3787  c->c2.es = NULL;
3788  c->c2.es_owned = false;
3789  }
3790 }
3791 
3792 /*
3793  * Fast I/O setup. Fast I/O is an optimization which only works
3794  * if all of the following are true:
3795  *
3796  * (1) The platform is not Windows
3797  * (2) --proto udp is enabled
3798  * (3) --shaper is disabled
3799  */
3800 static void
3801 do_setup_fast_io(struct context *c)
3802 {
3803  if (c->options.fast_io)
3804  {
3805 #ifdef _WIN32
3806  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3807 #else
3808  if (!proto_is_udp(c->options.ce.proto))
3809  {
3810  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3811  }
3812  else
3813  {
3814 #ifdef ENABLE_FEATURE_SHAPER
3815  if (c->options.shaper)
3816  {
3817  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3818  }
3819  else
3820 #endif
3821  {
3822  c->c2.fast_io = true;
3823  }
3824  }
3825 #endif
3826  }
3827 }
3828 
3829 static void
3830 do_signal_on_tls_errors(struct context *c)
3831 {
3832  if (c->options.tls_exit)
3833  {
3834  c->c2.tls_exit_signal = SIGTERM;
3835  }
3836  else
3837  {
3838  c->c2.tls_exit_signal = SIGUSR1;
3839  }
3840 }
3841 
3842 #ifdef ENABLE_PLUGIN
3843 
3844 void
3845 init_plugins(struct context *c)
3846 {
3847  if (c->options.plugin_list && !c->plugins)
3848  {
3849  c->plugins = plugin_list_init(c->options.plugin_list);
3850  c->plugins_owned = true;
3851  }
3852 }
3853 
3854 void
3855 open_plugins(struct context *c, const bool import_options, int init_point)
3856 {
3857  if (c->plugins && c->plugins_owned)
3858  {
3859  if (import_options)
3860  {
3861  struct plugin_return pr, config;
3862  plugin_return_init(&pr);
3863  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3864  plugin_return_get_column(&pr, &config, "config");
3865  if (plugin_return_defined(&config))
3866  {
3867  int i;
3868  for (i = 0; i < config.n; ++i)
3869  {
3870  unsigned int option_types_found = 0;
3871  if (config.list[i] && config.list[i]->value)
3872  {
3873  options_string_import(&c->options,
3874  config.list[i]->value,
3875  D_IMPORT_ERRORS|M_OPTERR,
3876  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3877  &option_types_found,
3878  c->es);
3879  }
3880  }
3881  }
3882  plugin_return_free(&pr);
3883  }
3884  else
3885  {
3886  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3887  }
3888  }
3889 }
3890 
3891 static void
3892 do_close_plugins(struct context *c)
3893 {
3894  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3895  {
3896  plugin_list_close(c->plugins);
3897  c->plugins = NULL;
3898  c->plugins_owned = false;
3899  }
3900 }
3901 
3902 static void
3903 do_inherit_plugins(struct context *c, const struct context *src)
3904 {
3905  if (!c->plugins && src->plugins)
3906  {
3907  c->plugins = plugin_list_inherit(src->plugins);
3908  c->plugins_owned = true;
3909  }
3910 }
3911 
3912 #endif /* ifdef ENABLE_PLUGIN */
3913 
3914 #ifdef ENABLE_MANAGEMENT
3915 
3916 static void
3917 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3918 {
3919  struct context *c = (struct context *) arg;
3920  print_status(c, so);
3921 }
3922 
3923 void
3924 management_show_net_callback(void *arg, const int msglevel)
3925 {
3926 #ifdef _WIN32
3927  show_routes(msglevel);
3928  show_adapters(msglevel);
3929  msg(msglevel, "END");
3930 #else
3931  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3932 #endif
3933 }
3934 
3935 #ifdef TARGET_ANDROID
3936 int
3937 management_callback_network_change(void *arg, bool samenetwork)
3938 {
3939  /* Check if the client should translate the network change to a SIGUSR1 to
3940  * reestablish the connection or just reprotect the socket
3941  *
3942  * At the moment just assume that, for all settings that use pull (not
3943  * --static) and are not using peer-id reestablishing the connection is
3944  * required (unless the network is the same)
3945  *
3946  * The function returns -1 on invalid fd and -2 if the socket cannot be
3947  * reused. On the -2 return value the man_network_change function triggers
3948  * a SIGUSR1 to force a reconnect.
3949  */
3950 
3951  int socketfd = -1;
3952  struct context *c = (struct context *) arg;
3953  if (!c->c2.link_socket)
3954  {
3955  return -1;
3956  }
3957  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3958  {
3959  return -1;
3960  }
3961 
3962  socketfd = c->c2.link_socket->sd;
3963  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3964  {
3965  return socketfd;
3966  }
3967  else
3968  {
3969  return -2;
3970  }
3971 }
3972 #endif /* ifdef TARGET_ANDROID */
3973 
3974 #endif /* ifdef ENABLE_MANAGEMENT */
3975 
3976 void
3977 init_management_callback_p2p(struct context *c)
3978 {
3979 #ifdef ENABLE_MANAGEMENT
3980  if (management)
3981  {
3982  struct management_callback cb;
3983  CLEAR(cb);
3984  cb.arg = c;
3985  cb.status = management_callback_status_p2p;
3986  cb.show_net = management_show_net_callback;
3987  cb.proxy_cmd = management_callback_proxy_cmd;
3988  cb.remote_cmd = management_callback_remote_cmd;
3989 #ifdef TARGET_ANDROID
3990  cb.network_change = management_callback_network_change;
3991 #endif
3992  management_set_callback(management, &cb);
3993  }
3994 #endif
3995 }
3996 
3997 #ifdef ENABLE_MANAGEMENT
3998 
3999 void
4000 init_management(void)
4001 {
4002  if (!management)
4003  {
4004  management = management_init();
4005  }
4006 }
4007 
4008 bool
4009 open_management(struct context *c)
4010 {
4011  /* initialize management layer */
4012  if (management)
4013  {
4014  if (c->options.management_addr)
4015  {
4016  unsigned int flags = c->options.management_flags;
4017  if (c->options.mode == MODE_SERVER)
4018  {
4019  flags |= MF_SERVER;
4020  }
4021  if (management_open(management,
4022  c->options.management_addr,
4023  c->options.management_port,
4024  c->options.management_user_pass,
4025  c->options.management_client_user,
4026  c->options.management_client_group,
4027  c->options.management_log_history_cache,
4028  c->options.management_echo_buffer_size,
4029  c->options.management_state_buffer_size,
4030  c->options.management_write_peer_info_file,
4031  c->options.remap_sigusr1,
4032  flags))
4033  {
4034  management_set_state(management,
4035  OPENVPN_STATE_CONNECTING,
4036  NULL,
4037  NULL,
4038  NULL,
4039  NULL,
4040  NULL);
4041  }
4042 
4043  /* initial management hold, called early, before first context initialization */
4044  do_hold(0);
4045  if (IS_SIG(c))
4046  {
4047  msg(M_WARN, "Signal received from management interface, exiting");
4048  return false;
4049  }
4050  }
4051  else
4052  {
4053  close_management();
4054  }
4055  }
4056  return true;
4057 }
4058 
4059 void
4060 close_management(void)
4061 {
4062  if (management)
4063  {
4064  management_close(management);
4065  management = NULL;
4066  }
4067 }
4068 
4069 #endif /* ifdef ENABLE_MANAGEMENT */
4070 
4071 
4072 void
4073 uninit_management_callback(void)
4074 {
4075 #ifdef ENABLE_MANAGEMENT
4076  if (management)
4077  {
4078  management_clear_callback(management);
4079  }
4080 #endif
4081 }
4082 
4083 /*
4084  * Initialize a tunnel instance, handle pre and post-init
4085  * signal settings.
4086  */
4087 void
4088 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4089 {
4090  pre_init_signal_catch();
4091  init_instance(c, env, flags);
4092  post_init_signal_catch();
4093 
4094  /*
4095  * This is done so that signals thrown during
4096  * initialization can bring us back to
4097  * a management hold.
4098  */
4099  if (IS_SIG(c))
4100  {
4101  remap_signal(c);
4102  uninit_management_callback();
4103  }
4104 }
4105 
4106 /*
4107  * Initialize a tunnel instance.
4108  */
4109 void
4110 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4111 {
4112  const struct options *options = &c->options;
4113  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4114  int link_socket_mode = LS_MODE_DEFAULT;
4115 
4116  /* init garbage collection level */
4117  gc_init(&c->c2.gc);
4118 
4119  /* inherit environmental variables */
4120  if (env)
4121  {
4122  do_inherit_env(c, env);
4123  }
4124 
4125  /* signals caught here will abort */
4126  c->sig->signal_received = 0;
4127  c->sig->signal_text = NULL;
4128  c->sig->source = SIG_SOURCE_SOFT;
4129 
4130  if (c->mode == CM_P2P)
4131  {
4132  init_management_callback_p2p(c);
4133  }
4134 
4135  /* possible sleep or management hold if restart */
4136  if (c->mode == CM_P2P || c->mode == CM_TOP)
4137  {
4138  do_startup_pause(c);
4139  if (IS_SIG(c))
4140  {
4141  goto sig;
4142  }
4143  }
4144 
4145  if (c->options.resolve_in_advance)
4146  {
4147  do_preresolve(c);
4148  if (IS_SIG(c))
4149  {
4150  goto sig;
4151  }
4152  }
4153 
4154  /* map in current connection entry */
4155  next_connection_entry(c);
4156 
4157  /* link_socket_mode allows CM_CHILD_TCP
4158  * instances to inherit acceptable fds
4159  * from a top-level parent */
4160  if (c->options.ce.proto == PROTO_TCP_SERVER)
4161  {
4162  if (c->mode == CM_TOP)
4163  {
4164  link_socket_mode = LS_MODE_TCP_LISTEN;
4165  }
4166  else if (c->mode == CM_CHILD_TCP)
4167  {
4168  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4169  }
4170  }
4171 
4172  /* should we disable paging? */
4173  if (c->first_time && options->mlock)
4174  {
4175  platform_mlockall(true);
4176  }
4177 
4178 #if P2MP
4179  /* get passwords if undefined */
4180  if (auth_retry_get() == AR_INTERACT)
4181  {
4182  init_query_passwords(c);
4183  }
4184 #endif
4185 
4186  /* initialize context level 2 --verb/--mute parms */
4187  init_verb_mute(c, IVM_LEVEL_2);
4188 
4189  /* set error message delay for non-server modes */
4190  if (c->mode == CM_P2P)
4191  {
4192  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4193  }
4194 
4195  /* warn about inconsistent options */
4196  if (c->mode == CM_P2P || c->mode == CM_TOP)
4197  {
4198  do_option_warnings(c);
4199  }
4200 
4201 #ifdef ENABLE_PLUGIN
4202  /* initialize plugins */
4203  if (c->mode == CM_P2P || c->mode == CM_TOP)
4204  {
4205  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4206  }
4207 #endif
4208 
4209  /* should we enable fast I/O? */
4210  if (c->mode == CM_P2P || c->mode == CM_TOP)
4211  {
4212  do_setup_fast_io(c);
4213  }
4214 
4215  /* should we throw a signal on TLS errors? */
4216  do_signal_on_tls_errors(c);
4217 
4218  /* open --status file */
4219  if (c->mode == CM_P2P || c->mode == CM_TOP)
4220  {
4221  do_open_status_output(c);
4222  }
4223 
4224  /* open --ifconfig-pool-persist file */
4225  if (c->mode == CM_TOP)
4226  {
4227  do_open_ifconfig_pool_persist(c);
4228  }
4229 
4230 #ifdef ENABLE_OCC
4231  /* reset OCC state */
4232  if (c->mode == CM_P2P || child)
4233  {
4234  c->c2.occ_op = occ_reset_op();
4235  }
4236 #endif
4237 
4238  /* our wait-for-i/o objects, different for posix vs. win32 */
4239  if (c->mode == CM_P2P)
4240  {
4241  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4242  }
4243  else if (c->mode == CM_CHILD_TCP)
4244  {
4245  do_event_set_init(c, false);
4246  }
4247 
4248  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4249  init_proxy(c);
4250 
4251  /* allocate our socket object */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4253  {
4254  do_link_socket_new(c);
4255  }
4256 
4257 #ifdef ENABLE_FRAGMENT
4258  /* initialize internal fragmentation object */
4259  if (options->ce.fragment && (c->mode == CM_P2P || child))
4260  {
4261  c->c2.fragment = fragment_init(&c->c2.frame);
4262  }
4263 #endif
4264 
4265  /* init crypto layer */
4266  {
4267  unsigned int crypto_flags = 0;
4268  if (c->mode == CM_TOP)
4269  {
4270  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4271  }
4272  else if (c->mode == CM_P2P)
4273  {
4274  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4275  }
4276  else if (child)
4277  {
4278  crypto_flags = CF_INIT_TLS_MULTI;
4279  }
4280  do_init_crypto(c, crypto_flags);
4281  if (IS_SIG(c) && !child)
4282  {
4283  goto sig;
4284  }
4285  }
4286 
4287 #ifdef USE_COMP
4288  /* initialize compression library. */
4289  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4290  {
4291  c->c2.comp_context = comp_init(&options->comp);
4292  }
4293 #endif
4294 
4295  /* initialize MTU variables */
4296  do_init_frame(c);
4297 
4298  /* initialize TLS MTU variables */
4299  do_init_frame_tls(c);
4300 
4301  /* init workspace buffers whose size is derived from frame size */
4302  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4303  {
4304  do_init_buffers(c);
4305  }
4306 
4307 #ifdef ENABLE_FRAGMENT
4308  /* initialize internal fragmentation capability with known frame size */
4309  if (options->ce.fragment && (c->mode == CM_P2P || child))
4310  {
4311  do_init_fragment(c);
4312  }
4313 #endif
4314 
4315  /* initialize dynamic MTU variable */
4316  frame_init_mssfix(&c->c2.frame, &c->options);
4317 
4318  /* bind the TCP/UDP socket */
4319  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4320  {
4321  do_init_socket_1(c, link_socket_mode);
4322  }
4323 
4324  /* initialize tun/tap device object,
4325  * open tun/tap device, ifconfig, run up script, etc. */
4326  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4327  {
4328  c->c2.did_open_tun = do_open_tun(c);
4329  }
4330 
4331  c->c2.frame_initial = c->c2.frame;
4332 
4333  /* print MTU info */
4334  do_print_data_channel_mtu_parms(c);
4335 
4336 #ifdef ENABLE_OCC
4337  /* get local and remote options compatibility strings */
4338  if (c->mode == CM_P2P || child)
4339  {
4340  do_compute_occ_strings(c);
4341  }
4342 #endif
4343 
4344  /* initialize output speed limiter */
4345  if (c->mode == CM_P2P)
4346  {
4347  do_init_traffic_shaper(c);
4348  }
4349 
4350  /* do one-time inits, and possibly become a daemon here */
4351  do_init_first_time(c);
4352 
4353 #ifdef ENABLE_PLUGIN
4354  /* initialize plugins */
4355  if (c->mode == CM_P2P || c->mode == CM_TOP)
4356  {
4357  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4358  }
4359 #endif
4360 
4361  /* initialise connect timeout timer */
4362  do_init_server_poll_timeout(c);
4363 
4364  /* finalize the TCP/UDP socket */
4365  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4366  {
4367  do_init_socket_2(c);
4368  }
4369 
4370  /*
4371  * Actually do UID/GID downgrade, and chroot, if requested.
4372  * May be delayed by --client, --pull, or --up-delay.
4373  */
4374  do_uid_gid_chroot(c, c->c2.did_open_tun);
4375 
4376  /* initialize timers */
4377  if (c->mode == CM_P2P || child)
4378  {
4379  do_init_timers(c, false);
4380  }
4381 
4382 #ifdef ENABLE_PLUGIN
4383  /* initialize plugins */
4384  if (c->mode == CM_P2P || c->mode == CM_TOP)
4385  {
4386  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4387  }
4388 #endif
4389 
4390 #if PORT_SHARE
4391  /* share OpenVPN port with foreign (such as HTTPS) server */
4392  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4393  {
4394  init_port_share(c);
4395  }
4396 #endif
4397 
4398 #ifdef ENABLE_PF
4399  if (child)
4400  {
4401  pf_init_context(c);
4402  }
4403 #endif
4404 
4405  /* Check for signals */
4406  if (IS_SIG(c))
4407  {
4408  goto sig;
4409  }
4410 
4411  return;
4412 
4413 sig:
4414  if (!c->sig->signal_text)
4415  {
4416  c->sig->signal_text = "init_instance";
4417  }
4418  close_context(c, -1, flags);
4419  return;
4420 }
4421 
4422 /*
4423  * Close a tunnel instance.
4424  */
4425 void
4426 close_instance(struct context *c)
4427 {
4428  /* close event objects */
4429  do_close_event_set(c);
4430 
4431  if (c->mode == CM_P2P
4432  || c->mode == CM_CHILD_TCP
4433  || c->mode == CM_CHILD_UDP
4434  || c->mode == CM_TOP)
4435  {
4436  /* if xinetd/inetd mode, don't allow restart */
4437  do_close_check_if_restart_permitted(c);
4438 
4439 #ifdef USE_COMP
4440  if (c->c2.comp_context)
4441  {
4442  comp_uninit(c->c2.comp_context);
4443  c->c2.comp_context = NULL;
4444  }
4445 #endif
4446 
4447  /* free buffers */
4448  do_close_free_buf(c);
4449 
4450  /* close TLS */
4451  do_close_tls(c);
4452 
4453  /* free key schedules */
4454  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4455 
4456  restore_ncp_options(c);
4457 
4458  /* close TCP/UDP connection */
4459  do_close_link_socket(c);
4460 
4461  /* close TUN/TAP device */
4462  do_close_tun(c, false);
4463 
4464 #ifdef MANAGEMENT_DEF_AUTH
4465  if (management)
4466  {
4467  management_notify_client_close(management, &c->c2.mda_context, NULL);
4468  }
4469 #endif
4470 
4471 #ifdef ENABLE_PF
4472  pf_destroy_context(&c->c2.pf);
4473 #endif
4474 
4475 #ifdef ENABLE_PLUGIN
4476  /* call plugin close functions and unload */
4477  do_close_plugins(c);
4478 #endif
4479 
4480  /* close packet-id persistence file */
4481  do_close_packet_id(c);
4482 
4483  /* close --status file */
4484  do_close_status_output(c);
4485 
4486 #ifdef ENABLE_FRAGMENT
4487  /* close fragmentation handler */
4488  do_close_fragment(c);
4489 #endif
4490 
4491  /* close --ifconfig-pool-persist obj */
4492  do_close_ifconfig_pool_persist(c);
4493 
4494  /* free up environmental variable store */
4495  do_env_set_destroy(c);
4496 
4497  /* close HTTP or SOCKS proxy */
4498  uninit_proxy(c);
4499 
4500  /* garbage collect */
4501  gc_free(&c->c2.gc);
4502  }
4503 }
4504 
4505 void
4506 inherit_context_child(struct context *dest,
4507  const struct context *src)
4508 {
4509  CLEAR(*dest);
4510 
4511  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4512  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4513 
4514  dest->gc = gc_new();
4515 
4516  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4517 
4518  /* c1 init */
4519  packet_id_persist_init(&dest->c1.pid_persist);
4520 
4521  dest->c1.ks.key_type = src->c1.ks.key_type;
4522  /* inherit SSL context */
4523  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4524  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4525  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4526  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4527  /* inherit pre-NCP ciphers */
4528  dest->c1.ciphername = src->c1.ciphername;
4529  dest->c1.authname = src->c1.authname;
4530  dest->c1.keysize = src->c1.keysize;
4531 
4532  /* inherit auth-token */
4533  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4534 
4535  /* options */
4536  dest->options = src->options;
4537  options_detach(&dest->options);
4538 
4539  if (dest->mode == CM_CHILD_TCP)
4540  {
4541  /*
4542  * The CM_TOP context does the socket listen(),
4543  * and the CM_CHILD_TCP context does the accept().
4544  */
4545  dest->c2.accept_from = src->c2.link_socket;
4546  }
4547 
4548 #ifdef ENABLE_PLUGIN
4549  /* inherit plugins */
4550  do_inherit_plugins(dest, src);
4551 #endif
4552 
4553  /* context init */
4554  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4555  if (IS_SIG(dest))
4556  {
4557  return;
4558  }
4559 
4560  /* inherit tun/tap interface object */
4561  dest->c1.tuntap = src->c1.tuntap;
4562 
4563  /* UDP inherits some extra things which TCP does not */
4564  if (dest->mode == CM_CHILD_UDP)
4565  {
4566  /* inherit buffers */
4567  dest->c2.buffers = src->c2.buffers;
4568 
4569  /* inherit parent link_socket and tuntap */
4570  dest->c2.link_socket = src->c2.link_socket;
4571 
4572  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4573  *dest->c2.link_socket_info = src->c2.link_socket->info;
4574 
4575  /* locally override some link_socket_info fields */
4576  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4577  dest->c2.link_socket_info->connection_established = false;
4578  }
4579 }
4580 
4581 void
4582 inherit_context_top(struct context *dest,
4583  const struct context *src)
4584 {
4585  /* copy parent */
4586  *dest = *src;
4587 
4588  /*
4589  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4590  * resources owned by the parent.
4591  *
4592  * Also note that CM_TOP_CLONE context objects are
4593  * closed by multi_top_free in multi.c.
4594  */
4595  dest->mode = CM_TOP_CLONE;
4596 
4597  dest->first_time = false;
4598  dest->c0 = NULL;
4599 
4600  options_detach(&dest->options);
4601  gc_detach(&dest->gc);
4602  gc_detach(&dest->c2.gc);
4603 
4604  /* detach plugins */
4605  dest->plugins_owned = false;
4606 
4607  dest->c2.tls_multi = NULL;
4608 
4609  /* detach c1 ownership */
4610  dest->c1.tuntap_owned = false;
4611  dest->c1.status_output_owned = false;
4612 #if P2MP_SERVER
4613  dest->c1.ifconfig_pool_persist_owned = false;
4614 #endif
4615 
4616  /* detach c2 ownership */
4617  dest->c2.event_set_owned = false;
4618  dest->c2.link_socket_owned = false;
4619  dest->c2.buffers_owned = false;
4620  dest->c2.es_owned = false;
4621 
4622  dest->c2.event_set = NULL;
4623  if (proto_is_dgram(src->options.ce.proto))
4624  {
4625  do_event_set_init(dest, false);
4626  }
4627 
4628 #ifdef USE_COMP
4629  dest->c2.comp_context = NULL;
4630 #endif
4631 }
4632 
4633 void
4634 close_context(struct context *c, int sig, unsigned int flags)
4635 {
4636  ASSERT(c);
4637  ASSERT(c->sig);
4638 
4639  if (sig >= 0)
4640  {
4641  c->sig->signal_received = sig;
4642  }
4643 
4644  if (c->sig->signal_received == SIGUSR1)
4645  {
4646  if ((flags & CC_USR1_TO_HUP)
4647  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4648  {
4649  c->sig->signal_received = SIGHUP;
4650  c->sig->signal_text = "close_context usr1 to hup";
4651  }
4652  }
4653 
4654  if (!(flags & CC_NO_CLOSE))
4655  {
4656  close_instance(c);
4657  }
4658 
4659  if (flags & CC_GC_FREE)
4660  {
4661  context_gc_free(c);
4662  }
4663 }
4664 
4665 /*
4666  * Do a loopback test
4667  * on the crypto subsystem.
4668  */
4669 static void *
4670 test_crypto_thread(void *arg)
4671 {
4672  struct context *c = (struct context *) arg;
4673  const struct options *options = &c->options;
4674 
4675  ASSERT(options->test_crypto);
4676  init_verb_mute(c, IVM_LEVEL_1);
4677  context_init_1(c);
4678  next_connection_entry(c);
4679  do_init_crypto_static(c, 0);
4680 
4681  frame_finalize_options(c, options);
4682 
4683  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4684 
4685  key_schedule_free(&c->c1.ks, true);
4686  packet_id_free(&c->c2.crypto_options.packet_id);
4687 
4688  context_gc_free(c);
4689  return NULL;
4690 }
4691 
4692 bool
4693 do_test_crypto(const struct options *o)
4694 {
4695  if (o->test_crypto)
4696  {
4697  struct context c;
4698 
4699  /* print version number */
4700  msg(M_INFO, "%s", title_string);
4701 
4702  context_clear(&c);
4703  c.options = *o;
4704  options_detach(&c.options);
4705  c.first_time = true;
4706  test_crypto_thread((void *) &c);
4707  return true;
4708  }
4709  return false;
4710 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:296
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:429
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:177
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:210
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:456
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2521
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:331
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:429
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:285
options::sndbuf
int sndbuf
Definition: options.h:344
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:363
context_2::log_rw
bool log_rw
Definition: openvpn.h:389
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:406
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:270
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:319
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:392
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:558
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:683
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1492
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:240
tuntap
Definition: tun.h:132
options::ncp_enabled
bool ncp_enabled
Definition: options.h:504
options::management_flags
unsigned int management_flags
Definition: options.h:388
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1955
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2549
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:524
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:629
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:301
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1319
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:504
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:393
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:512
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1089
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5296
options::show_curves
bool show_curves
Definition: options.h:215
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:626
options::cipher_list
const char * cipher_list
Definition: options.h:531
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:522
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1437
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:293
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:982
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3551
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2108
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:575
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1711
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:396
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:327
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:533
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:379
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:353
streq
#define streq(x, y)
Definition: options.h:648
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:428
options::chroot_dir
const char * chroot_dir
Definition: options.h:301
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3903
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3695
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2689
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:415
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:240
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:164
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:281
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2118
options::auth_token_generate
bool auth_token_generate
Definition: options.h:471
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:318
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4183
tun_abort
void tun_abort(void)
Definition: init.c:2088
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:502
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:573
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3782
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2608
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:323
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:525
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1177
srandom
#define srandom
Definition: syshead.h:44
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:677
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4634
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3427
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:500
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5541
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:176
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:633
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3977
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:341
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:295
close_instance
void close_instance(struct context *c)
Definition: init.c:4426
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:579
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:333
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1346
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:656
options::persist_key
bool persist_key
Definition: options.h:286
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:116
options::replay_window
int replay_window
Definition: options.h:513
options::persist_mode
int persist_mode
Definition: options.h:208
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:212
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:413
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:320
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3830
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:376
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:299
options::rcvbuf
int rcvbuf
Definition: options.h:343
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:544
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:255
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:427
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:224
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:284
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:174
options::exit_event_name
const char * exit_event_name
Definition: options.h:625
AR_NONE
#define AR_NONE
Definition: options.h:835
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:256
options::route_noexec
bool route_noexec
Definition: options.h:358
options::sockflags
unsigned int sockflags
Definition: options.h:350
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2477
options::auth_token_secret_file_inline
const char * auth_token_secret_file_inline
Definition: options.h:476
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:154
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3549
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:219
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:340
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:353
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:381
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:292
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:475
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:162
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:104
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3054
options::config
const char * config
Definition: options.h:194
options::route_delay
int route_delay
Definition: options.h:359
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:529
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:308
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:354
tls_options::gremlin
int gremlin
Definition: ssl_common.h:369
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3855
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:372
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:263
options::down_pre
bool down_pre
Definition: options.h:310
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:269
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:678
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:118
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:323
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1419
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:565
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:532
options::push_peer_info
bool push_peer_info
Definition: options.h:614
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:658
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:114
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:580
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3698
PING_RESTART
#define PING_RESTART
Definition: options.h:280
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3004
options::handshake_window
int handshake_window
Definition: options.h:584
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3892
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:301
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:227
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:236
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:333
options::verify_x509_type
int verify_x509_type
Definition: options.h:536
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:230
close_management
void close_management(void)
Definition: init.c:4060
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:473
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:508
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1987
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:275
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:250
options::fast_io
bool fast_io
Definition: options.h:336
options::key_direction
int key_direction
Definition: options.h:502
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:191
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1408
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:145
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:59
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:74
connection_entry::tls_crypt_v2_inline
const char * tls_crypt_v2_inline
Definition: options.h:146
init_static
bool init_static(void)
Definition: init.c:726
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:269
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:198
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:586
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:300
options::route_delay_defined
bool route_delay_defined
Definition: options.h:361
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:514
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:616
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1015
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1006
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:787
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:686
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:365
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3661
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1213
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6085
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:66
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:538
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:355
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4088
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:315
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:138