OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "pkcs11.h"
46 #include "ps.h"
47 #include "lladdr.h"
48 #include "ping.h"
49 #include "mstats.h"
50 #include "ssl_verify.h"
51 #include "tls_crypt.h"
52 #include "forward-inline.h"
53 
54 #include "memdbg.h"
55 
56 #include "occ-inline.h"
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
70 context_clear(struct context *c)
71 {
72  CLEAR(*c);
73 }
74 
75 void
76 context_clear_1(struct context *c)
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
82 context_clear_2(struct context *c)
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
88 context_clear_all_except_first_time(struct context *c)
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
190 update_options_ce_post(struct options *options)
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
297  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
302  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
317  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
339 ce_management_query_remote(struct context *c)
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
352  management_notify_generic(management, BSTR(&out));
353 
354  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
358  {
359  management_event_loop_n_seconds(management, 1);
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  & CE_MAN_QUERY_REMOTE_MASK);
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
386 init_connection_list(struct context *c)
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
412 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
426 next_connection_entry(struct context *c)
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
444  if (c->c1.link_socket_addr.current_remote
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
447  c->c1.link_socket_addr.current_remote =
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
459  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461  }
462  else
463  {
464  c->c1.link_socket_addr.current_remote =
465  c->c1.link_socket_addr.remote_list;
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
474  c->options.unsuccessful_attempts++;
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
497  if (ce_defined && management && management_query_remote_enabled(management))
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
519  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  c->options.connect_retry_max);
523  }
524  update_options_ce_post(&c->options);
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
531 init_query_passwords(const struct context *c)
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
536  pem_password_setup(c->options.key_pass_file);
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
541  if (c->options.auth_user_pass_file)
542  {
543 #ifdef ENABLE_CLIENT_CR
544  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
545 #else
546  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
557 uninit_proxy_dowork(struct context *c)
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
561  http_proxy_close(c->c1.http_proxy);
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
567  socks_proxy_close(c->c1.socks_proxy);
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
574 init_proxy_dowork(struct context *c)
575 {
576  bool did_http = false;
577 
578  uninit_proxy_dowork(c);
579 
580  if (c->options.ce.http_proxy_options)
581  {
582  /* Possible HTTP proxy user/pass input */
583  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
593  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594  c->options.ce.socks_proxy_port,
595  c->options.ce.socks_proxy_authfile);
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
606  init_proxy_dowork(c);
607 }
608 
609 static void
610 uninit_proxy(struct context *c)
611 {
612  uninit_proxy_dowork(c);
613 }
614 
615 void
616 context_init_1(struct context *c)
617 {
618  context_clear_1(c);
619 
620  packet_id_persist_init(&c->c1.pid_persist);
621 
622  init_connection_list(c);
623 
624 #if defined(ENABLE_PKCS11)
625  if (c->first_time)
626  {
627  int i;
628  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
629  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
630  {
631  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
632  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
633  }
634  }
635 #endif
636 
637 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
638  {
639  /*
640  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
641  */
642  struct user_pass up;
643  CLEAR(up);
644  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
645  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
646  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
647  * 'needok' command, usually 'ok' or 'cancel'. */
648  }
649 #endif
650 
651 #ifdef ENABLE_SYSTEMD
652  /* We can report the PID via getpid() to systemd here as OpenVPN will not
653  * do any fork due to daemon() a future call.
654  * See possibly_become_daemon() [init.c] for more details.
655  */
656  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
657  (unsigned long) getpid());
658 #endif
659 
660 }
661 
662 void
663 context_gc_free(struct context *c)
664 {
665  gc_free(&c->c2.gc);
666  gc_free(&c->options.gc);
667  gc_free(&c->gc);
668 }
669 
670 #if PORT_SHARE
671 
672 static void
673 close_port_share(void)
674 {
675  if (port_share)
676  {
677  port_share_close(port_share);
678  port_share = NULL;
679  }
680 }
681 
682 static void
683 init_port_share(struct context *c)
684 {
685  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
686  {
687  port_share = port_share_open(c->options.port_share_host,
688  c->options.port_share_port,
689  MAX_RW_SIZE_LINK(&c->c2.frame),
690  c->options.port_share_journal_dir);
691  if (port_share == NULL)
692  {
693  msg(M_FATAL, "Fatal error: Port sharing failed");
694  }
695  }
696 }
697 
698 #endif /* if PORT_SHARE */
699 
700 
701 bool
702 init_static(void)
703 {
704  /* configure_path (); */
705 
706 #if defined(DMALLOC)
707  crypto_init_dmalloc();
708 #endif
709 
710 
711  /*
712  * Initialize random number seed. random() is only used
713  * when "weak" random numbers are acceptable.
714  * SSL library routines are always used when cryptographically
715  * strong random numbers are required.
716  */
717  struct timeval tv;
718  if (!gettimeofday(&tv, NULL))
719  {
720  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
721  srandom(seed);
722  }
723 
724  error_reset(); /* initialize error.c */
725  reset_check_status(); /* initialize status check code in socket.c */
726 
727 #ifdef _WIN32
728  init_win32();
729 #endif
730 
731 #ifdef OPENVPN_DEBUG_COMMAND_LINE
732  {
733  int i;
734  for (i = 0; i < argc; ++i)
735  {
736  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
737  }
738  }
739 #endif
740 
741  update_time();
742 
743  init_ssl_lib();
744 
745  /* init PRNG used for IV generation */
746  /* When forking, copy this to more places in the code to avoid fork
747  * random-state predictability */
748  prng_init(NULL, 0);
749 
750 #ifdef PID_TEST
751  packet_id_interactive_test(); /* test the sequence number code */
752  return false;
753 #endif
754 
755 #ifdef SCHEDULE_TEST
756  schedule_test();
757  return false;
758 #endif
759 
760 #ifdef LIST_TEST
761  list_test();
762  return false;
763 #endif
764 
765 #ifdef IFCONFIG_POOL_TEST
766  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
767  return false;
768 #endif
769 
770 #ifdef CHARACTER_CLASS_DEBUG
771  character_class_debug();
772  return false;
773 #endif
774 
775 #ifdef EXTRACT_X509_FIELD_TEST
776  extract_x509_field_test();
777  return false;
778 #endif
779 
780 #ifdef TIME_TEST
781  time_test();
782  return false;
783 #endif
784 
785 #ifdef TEST_GET_DEFAULT_GATEWAY
786  {
787  struct route_gateway_info rgi;
788  struct route_ipv6_gateway_info rgi6;
789  get_default_gateway(&rgi);
790  get_default_gateway_ipv6(&rgi6, NULL);
791  print_default_gateway(M_INFO, &rgi, &rgi6);
792  return false;
793  }
794 #endif
795 
796 #ifdef GEN_PATH_TEST
797  {
798  struct gc_arena gc = gc_new();
799  const char *fn = gen_path("foo",
800  "bar",
801  &gc);
802  printf("%s\n", fn);
803  gc_free(&gc);
804  }
805  return false;
806 #endif
807 
808 #ifdef STATUS_PRINTF_TEST
809  {
810  struct gc_arena gc = gc_new();
811  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
812  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
813  status_printf(so, "%s", "foo");
814  status_printf(so, "%s", "bar");
815  if (!status_close(so))
816  {
817  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
818  }
819  gc_free(&gc);
820  }
821  return false;
822 #endif
823 
824 #ifdef ARGV_TEST
825  {
826  void argv_test(void);
827 
828  argv_test();
829  return false;
830  }
831 #endif
832 
833 #ifdef PRNG_TEST
834  {
835  struct gc_arena gc = gc_new();
836  uint8_t rndbuf[8];
837  int i;
838  prng_init("sha1", 16);
839  /*prng_init (NULL, 0);*/
840  const int factor = 1;
841  for (i = 0; i < factor * 8; ++i)
842  {
843 #if 1
844  prng_bytes(rndbuf, sizeof(rndbuf));
845 #else
846  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
847 #endif
848  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
849  }
850  gc_free(&gc);
851  prng_uninit();
852  return false;
853  }
854 #endif /* ifdef PRNG_TEST */
855 
856 #ifdef BUFFER_LIST_AGGREGATE_TEST
857  /* test buffer_list_aggregate function */
858  {
859  static const char *text[] = {
860  "It was a bright cold day in April, ",
861  "and the clocks were striking ",
862  "thirteen. ",
863  "Winston Smith, ",
864  "his chin nuzzled into his breast in an ",
865  "effort to escape the vile wind, ",
866  "slipped quickly through the glass doors ",
867  "of Victory Mansions, though not quickly ",
868  "enough to prevent a swirl of gritty dust from ",
869  "entering along with him."
870  };
871 
872  int iter, listcap;
873  for (listcap = 0; listcap < 12; ++listcap)
874  {
875  for (iter = 0; iter < 512; ++iter)
876  {
877  struct buffer_list *bl = buffer_list_new(listcap);
878  {
879  int i;
880  for (i = 0; i < SIZE(text); ++i)
881  {
882  buffer_list_push(bl, (unsigned char *)text[i]);
883  }
884  }
885  printf("[cap=%d i=%d] *************************\n", listcap, iter);
886  if (!(iter & 8))
887  {
888  buffer_list_aggregate(bl, iter/2);
889  }
890  if (!(iter & 16))
891  {
892  buffer_list_push(bl, (unsigned char *)"Even more text...");
893  }
894  buffer_list_aggregate(bl, iter);
895  if (!(iter & 1))
896  {
897  buffer_list_push(bl, (unsigned char *)"More text...");
898  }
899  {
900  struct buffer *buf;
901  while ((buf = buffer_list_peek(bl)))
902  {
903  int c;
904  printf("'");
905  while ((c = buf_read_u8(buf)) >= 0)
906  {
907  putchar(c);
908  }
909  printf("'\n");
910  buffer_list_advance(bl, 0);
911  }
912  }
913  buffer_list_free(bl);
914  }
915  }
916  return false;
917  }
918 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
919 
920 #ifdef MSTATS_TEST
921  {
922  int i;
923  mstats_open("/dev/shm/mstats.dat");
924  for (i = 0; i < 30; ++i)
925  {
926  mmap_stats->n_clients += 1;
927  mmap_stats->link_write_bytes += 8;
928  mmap_stats->link_read_bytes += 16;
929  sleep(1);
930  }
931  mstats_close();
932  return false;
933  }
934 #endif
935 
936  return true;
937 }
938 
939 void
940 uninit_static(void)
941 {
942  free_ssl_lib();
943 
944 #ifdef ENABLE_PKCS11
945  pkcs11_terminate();
946 #endif
947 
948 #if PORT_SHARE
949  close_port_share();
950 #endif
951 
952 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
953  show_tls_performance_stats();
954 #endif
955 }
956 
957 void
958 init_verb_mute(struct context *c, unsigned int flags)
959 {
960  if (flags & IVM_LEVEL_1)
961  {
962  /* set verbosity and mute levels */
963  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
964  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
965  set_mute_cutoff(c->options.mute);
966  }
967 
968  /* special D_LOG_RW mode */
969  if (flags & IVM_LEVEL_2)
970  {
971  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
972  }
973 }
974 
975 /*
976  * Possibly set --dev based on --dev-node.
977  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
978  * set --dev to tun.
979  */
980 void
981 init_options_dev(struct options *options)
982 {
983  if (!options->dev && options->dev_node)
984  {
985  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
986  options->dev = basename(dev_node);
987  }
988 }
989 
990 bool
991 print_openssl_info(const struct options *options)
992 {
993  /*
994  * OpenSSL info print mode?
995  */
996  if (options->show_ciphers || options->show_digests || options->show_engines
997  || options->show_tls_ciphers || options->show_curves)
998  {
999  if (options->show_ciphers)
1000  {
1001  show_available_ciphers();
1002  }
1003  if (options->show_digests)
1004  {
1005  show_available_digests();
1006  }
1007  if (options->show_engines)
1008  {
1009  show_available_engines();
1010  }
1011  if (options->show_tls_ciphers)
1012  {
1013  show_available_tls_ciphers(options->cipher_list,
1014  options->tls_cert_profile);
1015  }
1016  if (options->show_curves)
1017  {
1018  show_available_curves();
1019  }
1020  return true;
1021  }
1022  return false;
1023 }
1024 
1025 /*
1026  * Static pre-shared key generation mode?
1027  */
1028 bool
1029 do_genkey(const struct options *options)
1030 {
1031  if (options->genkey)
1032  {
1033  int nbits_written;
1034 
1035  notnull(options->shared_secret_file,
1036  "shared secret output file (--secret)");
1037 
1038  if (options->mlock) /* should we disable paging? */
1039  {
1040  platform_mlockall(true);
1041  }
1042 
1043  nbits_written = write_key_file(2, options->shared_secret_file);
1044  if (nbits_written < 0)
1045  {
1046  msg(M_FATAL, "Failed to write key file");
1047  }
1048 
1049  msg(D_GENKEY | M_NOPREFIX,
1050  "Randomly generated %d bit key written to %s", nbits_written,
1051  options->shared_secret_file);
1052  return true;
1053  }
1054  return false;
1055 }
1056 
1057 /*
1058  * Persistent TUN/TAP device management mode?
1059  */
1060 bool
1061 do_persist_tuntap(const struct options *options)
1062 {
1063  if (options->persist_config)
1064  {
1065  /* sanity check on options for --mktun or --rmtun */
1066  notnull(options->dev, "TUN/TAP device (--dev)");
1067  if (options->ce.remote || options->ifconfig_local
1068  || options->ifconfig_remote_netmask
1069  || options->shared_secret_file
1070  || options->tls_server || options->tls_client
1071  )
1072  {
1073  msg(M_FATAL|M_OPTERR,
1074  "options --mktun or --rmtun should only be used together with --dev");
1075  }
1076 #ifdef ENABLE_FEATURE_TUN_PERSIST
1077  tuncfg(options->dev, options->dev_type, options->dev_node,
1078  options->persist_mode,
1079  options->username, options->groupname, &options->tuntap_options);
1080  if (options->persist_mode && options->lladdr)
1081  {
1082  set_lladdr(options->dev, options->lladdr, NULL);
1083  }
1084  return true;
1085 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1086  msg( M_FATAL|M_OPTERR,
1087  "options --mktun and --rmtun are not available on your operating "
1088  "system. Please check 'man tun' (or 'tap'), whether your system "
1089  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1090  "persistant tunnel interfaces.", options->dev );
1091 #endif
1092  }
1093  return false;
1094 }
1095 
1096 /*
1097  * Should we become a daemon?
1098  * Return true if we did it.
1099  */
1100 bool
1101 possibly_become_daemon(const struct options *options)
1102 {
1103  bool ret = false;
1104 
1105 #ifdef ENABLE_SYSTEMD
1106  /* return without forking if we are running from systemd */
1107  if (sd_notify(0, "READY=0") > 0)
1108  {
1109  return ret;
1110  }
1111 #endif
1112 
1113  if (options->daemon)
1114  {
1115  ASSERT(!options->inetd);
1116  /* Don't chdir immediately, but the end of the init sequence, if needed */
1117  if (daemon(1, options->log) < 0)
1118  {
1119  msg(M_ERR, "daemon() failed or unsupported");
1120  }
1121  restore_signal_state();
1122  if (options->log)
1123  {
1124  set_std_files_to_null(true);
1125  }
1126 
1127  ret = true;
1128  }
1129  return ret;
1130 }
1131 
1132 /*
1133  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1134  */
1135 static void
1136 do_uid_gid_chroot(struct context *c, bool no_delay)
1137 {
1138  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1139  struct context_0 *c0 = c->c0;
1140 
1141  if (c0 && !c0->uid_gid_chroot_set)
1142  {
1143  /* chroot if requested */
1144  if (c->options.chroot_dir)
1145  {
1146  if (no_delay)
1147  {
1148  platform_chroot(c->options.chroot_dir);
1149  }
1150  else if (c->first_time)
1151  {
1152  msg(M_INFO, "NOTE: chroot %s", why_not);
1153  }
1154  }
1155 
1156  /* set user and/or group if we want to setuid/setgid */
1157  if (c0->uid_gid_specified)
1158  {
1159  if (no_delay)
1160  {
1161  platform_group_set(&c0->platform_state_group);
1162  platform_user_set(&c0->platform_state_user);
1163  }
1164  else if (c->first_time)
1165  {
1166  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1167  }
1168  }
1169 
1170 #ifdef ENABLE_MEMSTATS
1171  if (c->first_time && c->options.memstats_fn)
1172  {
1173  mstats_open(c->options.memstats_fn);
1174  }
1175 #endif
1176 
1177 #ifdef ENABLE_SELINUX
1178  /* Apply a SELinux context in order to restrict what OpenVPN can do
1179  * to _only_ what it is supposed to do after initialization is complete
1180  * (basically just network I/O operations). Doing it after chroot
1181  * requires /proc to be mounted in the chroot (which is annoying indeed
1182  * but doing it before requires more complex SELinux policies.
1183  */
1184  if (c->options.selinux_context)
1185  {
1186  if (no_delay)
1187  {
1188  if (-1 == setcon(c->options.selinux_context))
1189  {
1190  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1191  }
1192  else
1193  {
1194  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1195  }
1196  }
1197  else if (c->first_time)
1198  {
1199  msg(M_INFO, "NOTE: setcon %s", why_not);
1200  }
1201  }
1202 #endif
1203 
1204  /* Privileges are going to be dropped by now (if requested), be sure
1205  * to prevent any future privilege dropping attempts from now on.
1206  */
1207  if (no_delay)
1208  {
1209  c0->uid_gid_chroot_set = true;
1210  }
1211  }
1212 }
1213 
1214 /*
1215  * Return common name in a way that is formatted for
1216  * prepending to msg() output.
1217  */
1218 const char *
1219 format_common_name(struct context *c, struct gc_arena *gc)
1220 {
1221  struct buffer out = alloc_buf_gc(256, gc);
1222  if (c->c2.tls_multi)
1223  {
1224  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1225  }
1226  return BSTR(&out);
1227 }
1228 
1229 void
1230 pre_setup(const struct options *options)
1231 {
1232 #ifdef _WIN32
1233  if (options->exit_event_name)
1234  {
1235  win32_signal_open(&win32_signal,
1236  WSO_FORCE_SERVICE,
1237  options->exit_event_name,
1238  options->exit_event_initial_state);
1239  }
1240  else
1241  {
1242  win32_signal_open(&win32_signal,
1243  WSO_FORCE_CONSOLE,
1244  NULL,
1245  false);
1246 
1247  /* put a title on the top window bar */
1248  if (win32_signal.mode == WSO_MODE_CONSOLE)
1249  {
1250  window_title_save(&window_title);
1251  window_title_generate(options->config);
1252  }
1253  }
1254 #endif /* ifdef _WIN32 */
1255 }
1256 
1257 void
1258 reset_coarse_timers(struct context *c)
1259 {
1260  c->c2.coarse_timer_wakeup = 0;
1261 }
1262 
1263 /*
1264  * Initialise the server poll timeout timer
1265  * This timer is used in the http/socks proxy setup so it needs to be setup
1266  * before
1267  */
1268 static void
1269 do_init_server_poll_timeout(struct context *c)
1270 {
1271  update_time();
1272  if (c->options.ce.connect_timeout)
1273  {
1274  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1275  }
1276 }
1277 
1278 /*
1279  * Initialize timers
1280  */
1281 static void
1282 do_init_timers(struct context *c, bool deferred)
1283 {
1284  update_time();
1285  reset_coarse_timers(c);
1286 
1287  /* initialize inactivity timeout */
1288  if (c->options.inactivity_timeout)
1289  {
1290  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1291  }
1292 
1293  /* initialize pings */
1294 
1295  if (c->options.ping_send_timeout)
1296  {
1297  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1298  }
1299 
1300  if (c->options.ping_rec_timeout)
1301  {
1302  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1303  }
1304 
1305  if (!deferred)
1306  {
1307  /* initialize connection establishment timer */
1308  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1309 
1310 #ifdef ENABLE_OCC
1311  /* initialize occ timers */
1312 
1313  if (c->options.occ
1314  && !TLS_MODE(c)
1315  && c->c2.options_string_local && c->c2.options_string_remote)
1316  {
1317  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1318  }
1319 
1320  if (c->options.mtu_test)
1321  {
1322  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1323  }
1324 #endif
1325 
1326  /* initialize packet_id persistence timer */
1327  if (c->options.packet_id_file)
1328  {
1329  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1330  }
1331 
1332  /* initialize tmp_int optimization that limits the number of times we call
1333  * tls_multi_process in the main event loop */
1334  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1335  }
1336 }
1337 
1338 /*
1339  * Initialize traffic shaper.
1340  */
1341 static void
1342 do_init_traffic_shaper(struct context *c)
1343 {
1344 #ifdef ENABLE_FEATURE_SHAPER
1345  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1346  if (c->options.shaper)
1347  {
1348  shaper_init(&c->c2.shaper, c->options.shaper);
1349  shaper_msg(&c->c2.shaper);
1350  }
1351 #endif
1352 }
1353 
1354 /*
1355  * Allocate route list structures for IPv4 and IPv6
1356  * (we do this for IPv4 even if no --route option has been seen, as other
1357  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1358  */
1359 static void
1360 do_alloc_route_list(struct context *c)
1361 {
1362  if (!c->c1.route_list)
1363  {
1364  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1365  }
1366  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1367  {
1368  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1369  }
1370 }
1371 
1372 
1373 /*
1374  * Initialize the route list, resolving any DNS names in route
1375  * options and saving routes in the environment.
1376  */
1377 static void
1378 do_init_route_list(const struct options *options,
1379  struct route_list *route_list,
1380  const struct link_socket_info *link_socket_info,
1381  struct env_set *es)
1382 {
1383  const char *gw = NULL;
1384  int dev = dev_type_enum(options->dev, options->dev_type);
1385  int metric = 0;
1386 
1387  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1388  {
1389  gw = options->ifconfig_remote_netmask;
1390  }
1391  if (options->route_default_gateway)
1392  {
1393  gw = options->route_default_gateway;
1394  }
1395  if (options->route_default_metric)
1396  {
1397  metric = options->route_default_metric;
1398  }
1399 
1400  if (init_route_list(route_list,
1401  options->routes,
1402  gw,
1403  metric,
1404  link_socket_current_remote(link_socket_info),
1405  es))
1406  {
1407  /* copy routes to environment */
1408  setenv_routes(es, route_list);
1409  }
1410 }
1411 
1412 static void
1413 do_init_route_ipv6_list(const struct options *options,
1414  struct route_ipv6_list *route_ipv6_list,
1415  const struct link_socket_info *link_socket_info,
1416  struct env_set *es)
1417 {
1418  const char *gw = NULL;
1419  int metric = -1; /* no metric set */
1420 
1421  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1422 #if 0 /* not yet done for IPv6 - TODO!*/
1423  if (options->route_ipv6_default_gateway) /* override? */
1424  {
1425  gw = options->route_ipv6_default_gateway;
1426  }
1427 #endif
1428 
1429  if (options->route_default_metric)
1430  {
1431  metric = options->route_default_metric;
1432  }
1433 
1434  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1435  */
1436  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1437  {
1438  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1439  int i;
1440 
1441  for (i = 0; opt_list[i]; i++)
1442  {
1443  add_route_ipv6_to_option_list( options->routes_ipv6,
1444  string_alloc(opt_list[i], options->routes_ipv6->gc),
1445  NULL, NULL );
1446  }
1447  }
1448 
1449  if (init_route_ipv6_list(route_ipv6_list,
1450  options->routes_ipv6,
1451  gw,
1452  metric,
1453  link_socket_current_remote_ipv6(link_socket_info),
1454  es))
1455  {
1456  /* copy routes to environment */
1457  setenv_routes_ipv6(es, route_ipv6_list);
1458  }
1459 }
1460 
1461 
1462 /*
1463  * Called after all initialization has been completed.
1464  */
1465 void
1466 initialization_sequence_completed(struct context *c, const unsigned int flags)
1467 {
1468  static const char message[] = "Initialization Sequence Completed";
1469 
1470  /* Reset the unsuccessful connection counter on complete initialisation */
1471  c->options.unsuccessful_attempts = 0;
1472 
1473  /* If we delayed UID/GID downgrade or chroot, do it now */
1474  do_uid_gid_chroot(c, true);
1475 
1476 
1477  /*
1478  * In some cases (i.e. when receiving auth-token via
1479  * push-reply) the auth-nocache option configured on the
1480  * client is overridden; for this reason we have to wait
1481  * for the push-reply message before attempting to wipe
1482  * the user/pass entered by the user
1483  */
1484  if (c->options.mode == MODE_POINT_TO_POINT)
1485  {
1486  delayed_auth_pass_purge();
1487  }
1488 
1489  /* Test if errors */
1490  if (flags & ISC_ERRORS)
1491  {
1492 #ifdef _WIN32
1493  show_routes(M_INFO|M_NOPREFIX);
1494  show_adapters(M_INFO|M_NOPREFIX);
1495  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1496 #else
1497 #ifdef ENABLE_SYSTEMD
1498  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1499 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1500  msg(M_INFO, "%s With Errors", message);
1501 #endif
1502  }
1503  else
1504  {
1505 #ifdef ENABLE_SYSTEMD
1506  sd_notifyf(0, "STATUS=%s", message);
1507 #endif
1508  msg(M_INFO, "%s", message);
1509  }
1510 
1511  /* Flag that we initialized */
1512  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1513  {
1514  c->options.no_advance = true;
1515  }
1516 
1517 #ifdef _WIN32
1518  fork_register_dns_action(c->c1.tuntap);
1519 #endif
1520 
1521 #ifdef ENABLE_MANAGEMENT
1522  /* Tell management interface that we initialized */
1523  if (management)
1524  {
1525  in_addr_t *tun_local = NULL;
1526  struct in6_addr *tun_local6 = NULL;
1527  struct openvpn_sockaddr local, remote;
1528  struct link_socket_actual *actual;
1529  socklen_t sa_len = sizeof(local);
1530  const char *detail = "SUCCESS";
1531  if (flags & ISC_ERRORS)
1532  {
1533  detail = "ERROR";
1534  }
1535 
1536  CLEAR(local);
1537  actual = &get_link_socket_info(c)->lsa->actual;
1538  remote = actual->dest;
1539  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1540 #if ENABLE_IP_PKTINFO
1541  if (!addr_defined(&local))
1542  {
1543  switch (local.addr.sa.sa_family)
1544  {
1545  case AF_INET:
1546 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1547  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1548 #else
1549  local.addr.in4.sin_addr = actual->pi.in4;
1550 #endif
1551  break;
1552 
1553  case AF_INET6:
1554  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1555  break;
1556  }
1557  }
1558 #endif
1559 
1560  if (c->c1.tuntap)
1561  {
1562  tun_local = &c->c1.tuntap->local;
1563  tun_local6 = &c->c1.tuntap->local_ipv6;
1564  }
1565  management_set_state(management,
1566  OPENVPN_STATE_CONNECTED,
1567  detail,
1568  tun_local,
1569  tun_local6,
1570  &local,
1571  &remote);
1572  if (tun_local)
1573  {
1574  management_post_tunnel_open(management, *tun_local);
1575  }
1576  }
1577 #endif /* ifdef ENABLE_MANAGEMENT */
1578 }
1579 
1580 /*
1581  * Possibly add routes and/or call route-up script
1582  * based on options.
1583  */
1584 void
1585 do_route(const struct options *options,
1586  struct route_list *route_list,
1587  struct route_ipv6_list *route_ipv6_list,
1588  const struct tuntap *tt,
1589  const struct plugin_list *plugins,
1590  struct env_set *es)
1591 {
1592  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1593  {
1594  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1595  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1596  }
1597 #ifdef ENABLE_MANAGEMENT
1598  if (management)
1599  {
1600  management_up_down(management, "UP", es);
1601  }
1602 #endif
1603 
1604  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1605  {
1606  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1607  {
1608  msg(M_WARN, "WARNING: route-up plugin call failed");
1609  }
1610  }
1611 
1612  if (options->route_script)
1613  {
1614  struct argv argv = argv_new();
1615  setenv_str(es, "script_type", "route-up");
1616  argv_parse_cmd(&argv, options->route_script);
1617  openvpn_run_script(&argv, es, 0, "--route-up");
1618  argv_reset(&argv);
1619  }
1620 
1621 #ifdef _WIN32
1622  if (options->show_net_up)
1623  {
1624  show_routes(M_INFO|M_NOPREFIX);
1625  show_adapters(M_INFO|M_NOPREFIX);
1626  }
1627  else if (check_debug_level(D_SHOW_NET))
1628  {
1629  show_routes(D_SHOW_NET|M_NOPREFIX);
1630  show_adapters(D_SHOW_NET|M_NOPREFIX);
1631  }
1632 #endif
1633 }
1634 
1635 /*
1636  * initialize tun/tap device object
1637  */
1638 static void
1639 do_init_tun(struct context *c)
1640 {
1641  c->c1.tuntap = init_tun(c->options.dev,
1642  c->options.dev_type,
1643  c->options.topology,
1644  c->options.ifconfig_local,
1645  c->options.ifconfig_remote_netmask,
1646  c->options.ifconfig_ipv6_local,
1647  c->options.ifconfig_ipv6_netbits,
1648  c->options.ifconfig_ipv6_remote,
1649  c->c1.link_socket_addr.bind_local,
1650  c->c1.link_socket_addr.remote_list,
1651  !c->options.ifconfig_nowarn,
1652  c->c2.es);
1653 
1654  init_tun_post(c->c1.tuntap,
1655  &c->c2.frame,
1656  &c->options.tuntap_options);
1657 
1658  c->c1.tuntap_owned = true;
1659 }
1660 
1661 /*
1662  * Open tun/tap device, ifconfig, call up script, etc.
1663  */
1664 
1665 static bool
1666 do_open_tun(struct context *c)
1667 {
1668  struct gc_arena gc = gc_new();
1669  bool ret = false;
1670 
1671 #ifndef TARGET_ANDROID
1672  if (!c->c1.tuntap)
1673  {
1674 #endif
1675 
1676 #ifdef TARGET_ANDROID
1677  /* If we emulate persist-tun on android we still have to open a new tun and
1678  * then close the old */
1679  int oldtunfd = -1;
1680  if (c->c1.tuntap)
1681  {
1682  oldtunfd = c->c1.tuntap->fd;
1683  }
1684 #endif
1685 
1686  /* initialize (but do not open) tun/tap object */
1687  do_init_tun(c);
1688 
1689 #ifdef _WIN32
1690  /* store (hide) interactive service handle in tuntap_options */
1691  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1692  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1693 #endif
1694 
1695  /* allocate route list structure */
1696  do_alloc_route_list(c);
1697 
1698  /* parse and resolve the route option list */
1699  ASSERT(c->c2.link_socket);
1700  if (c->options.routes && c->c1.route_list)
1701  {
1702  do_init_route_list(&c->options, c->c1.route_list,
1703  &c->c2.link_socket->info, c->c2.es);
1704  }
1705  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1706  {
1707  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1708  &c->c2.link_socket->info, c->c2.es);
1709  }
1710 
1711  /* do ifconfig */
1712  if (!c->options.ifconfig_noexec
1713  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1714  {
1715  /* guess actual tun/tap unit number that will be returned
1716  * by open_tun */
1717  const char *guess = guess_tuntap_dev(c->options.dev,
1718  c->options.dev_type,
1719  c->options.dev_node,
1720  &gc);
1721  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1722  }
1723 
1724  /* possibly add routes */
1725  if (route_order() == ROUTE_BEFORE_TUN)
1726  {
1727  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1728  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1729  c->c1.tuntap, c->plugins, c->c2.es);
1730  }
1731 #ifdef TARGET_ANDROID
1732  /* Store the old fd inside the fd so open_tun can use it */
1733  c->c1.tuntap->fd = oldtunfd;
1734 #endif
1735  /* open the tun device */
1736  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1737  c->c1.tuntap);
1738 
1739  /* set the hardware address */
1740  if (c->options.lladdr)
1741  {
1742  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1743  }
1744 
1745  /* do ifconfig */
1746  if (!c->options.ifconfig_noexec
1747  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1748  {
1749  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1750  }
1751 
1752  /* run the up script */
1753  run_up_down(c->options.up_script,
1754  c->plugins,
1755  OPENVPN_PLUGIN_UP,
1756  c->c1.tuntap->actual_name,
1757 #ifdef _WIN32
1758  c->c1.tuntap->adapter_index,
1759 #endif
1760  dev_type_string(c->options.dev, c->options.dev_type),
1761  TUN_MTU_SIZE(&c->c2.frame),
1762  EXPANDED_SIZE(&c->c2.frame),
1763  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1764  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1765  "init",
1766  NULL,
1767  "up",
1768  c->c2.es);
1769 
1770 #if defined(_WIN32)
1771  if (c->options.block_outside_dns)
1772  {
1773  dmsg(D_LOW, "Blocking outside DNS");
1774  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1775  {
1776  msg(M_FATAL, "Blocking DNS failed!");
1777  }
1778  }
1779 #endif
1780 
1781  /* possibly add routes */
1782  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1783  {
1784  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1785  c->c1.tuntap, c->plugins, c->c2.es);
1786  }
1787 
1788  /*
1789  * Did tun/tap driver give us an MTU?
1790  */
1791  if (c->c1.tuntap->post_open_mtu)
1792  {
1793  frame_set_mtu_dynamic(&c->c2.frame,
1794  c->c1.tuntap->post_open_mtu,
1795  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1796  }
1797 
1798  ret = true;
1799  static_context = c;
1800 #ifndef TARGET_ANDROID
1801 }
1802 else
1803 {
1804  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1805  c->c1.tuntap->actual_name);
1806 
1807  /* explicitly set the ifconfig_* env vars */
1808  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1809 
1810  /* run the up script if user specified --up-restart */
1811  if (c->options.up_restart)
1812  {
1813  run_up_down(c->options.up_script,
1814  c->plugins,
1815  OPENVPN_PLUGIN_UP,
1816  c->c1.tuntap->actual_name,
1817 #ifdef _WIN32
1818  c->c1.tuntap->adapter_index,
1819 #endif
1820  dev_type_string(c->options.dev, c->options.dev_type),
1821  TUN_MTU_SIZE(&c->c2.frame),
1822  EXPANDED_SIZE(&c->c2.frame),
1823  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1824  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1825  "restart",
1826  NULL,
1827  "up",
1828  c->c2.es);
1829  }
1830 #if defined(_WIN32)
1831  if (c->options.block_outside_dns)
1832  {
1833  dmsg(D_LOW, "Blocking outside DNS");
1834  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1835  {
1836  msg(M_FATAL, "Blocking DNS failed!");
1837  }
1838  }
1839 #endif
1840 
1841 }
1842 #endif /* ifndef TARGET_ANDROID */
1843  gc_free(&gc);
1844  return ret;
1845 }
1846 
1847 /*
1848  * Close TUN/TAP device
1849  */
1850 
1851 static void
1852 do_close_tun_simple(struct context *c)
1853 {
1854  msg(D_CLOSE, "Closing TUN/TAP interface");
1855  if (c->c1.tuntap)
1856  {
1857  close_tun(c->c1.tuntap);
1858  c->c1.tuntap = NULL;
1859  }
1860  c->c1.tuntap_owned = false;
1861 #if P2MP
1862  CLEAR(c->c1.pulled_options_digest_save);
1863 #endif
1864 }
1865 
1866 static void
1867 do_close_tun(struct context *c, bool force)
1868 {
1869  struct gc_arena gc = gc_new();
1870  if (c->c1.tuntap && c->c1.tuntap_owned)
1871  {
1872  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1873 #ifdef _WIN32
1874  DWORD adapter_index = c->c1.tuntap->adapter_index;
1875 #endif
1876  const in_addr_t local = c->c1.tuntap->local;
1877  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1878 
1879  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1880  {
1881  static_context = NULL;
1882 
1883 #ifdef ENABLE_MANAGEMENT
1884  /* tell management layer we are about to close the TUN/TAP device */
1885  if (management)
1886  {
1887  management_pre_tunnel_close(management);
1888  management_up_down(management, "DOWN", c->c2.es);
1889  }
1890 #endif
1891 
1892  /* delete any routes we added */
1893  if (c->c1.route_list || c->c1.route_ipv6_list)
1894  {
1895  run_up_down(c->options.route_predown_script,
1896  c->plugins,
1897  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1898  tuntap_actual,
1899 #ifdef _WIN32
1900  adapter_index,
1901 #endif
1902  NULL,
1903  TUN_MTU_SIZE(&c->c2.frame),
1904  EXPANDED_SIZE(&c->c2.frame),
1905  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1906  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1907  "init",
1908  signal_description(c->sig->signal_received,
1909  c->sig->signal_text),
1910  "route-pre-down",
1911  c->c2.es);
1912 
1913  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1914  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
1915  }
1916 
1917  /* actually close tun/tap device based on --down-pre flag */
1918  if (!c->options.down_pre)
1919  {
1920  do_close_tun_simple(c);
1921  }
1922 
1923  /* Run the down script -- note that it will run at reduced
1924  * privilege if, for example, "--user nobody" was used. */
1925  run_up_down(c->options.down_script,
1926  c->plugins,
1927  OPENVPN_PLUGIN_DOWN,
1928  tuntap_actual,
1929 #ifdef _WIN32
1930  adapter_index,
1931 #endif
1932  NULL,
1933  TUN_MTU_SIZE(&c->c2.frame),
1934  EXPANDED_SIZE(&c->c2.frame),
1935  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1936  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1937  "init",
1938  signal_description(c->sig->signal_received,
1939  c->sig->signal_text),
1940  "down",
1941  c->c2.es);
1942 
1943 #if defined(_WIN32)
1944  if (c->options.block_outside_dns)
1945  {
1946  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1947  {
1948  msg(M_FATAL, "Uninitialising WFP failed!");
1949  }
1950  }
1951 #endif
1952 
1953  /* actually close tun/tap device based on --down-pre flag */
1954  if (c->options.down_pre)
1955  {
1956  do_close_tun_simple(c);
1957  }
1958  }
1959  else
1960  {
1961  /* run the down script on this restart if --up-restart was specified */
1962  if (c->options.up_restart)
1963  {
1964  run_up_down(c->options.down_script,
1965  c->plugins,
1966  OPENVPN_PLUGIN_DOWN,
1967  tuntap_actual,
1968 #ifdef _WIN32
1969  adapter_index,
1970 #endif
1971  NULL,
1972  TUN_MTU_SIZE(&c->c2.frame),
1973  EXPANDED_SIZE(&c->c2.frame),
1974  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1975  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1976  "restart",
1977  signal_description(c->sig->signal_received,
1978  c->sig->signal_text),
1979  "down",
1980  c->c2.es);
1981  }
1982 
1983 #if defined(_WIN32)
1984  if (c->options.block_outside_dns)
1985  {
1986  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1987  {
1988  msg(M_FATAL, "Uninitialising WFP failed!");
1989  }
1990  }
1991 #endif
1992 
1993  }
1994  }
1995  gc_free(&gc);
1996 }
1997 
1998 void
1999 tun_abort(void)
2000 {
2001  struct context *c = static_context;
2002  if (c)
2003  {
2004  static_context = NULL;
2005  do_close_tun(c, true);
2006  }
2007 }
2008 
2009 /*
2010  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2011  */
2012 
2013 #if P2MP
2014 
2018 static bool
2019 options_hash_changed_or_zero(const struct sha256_digest *a,
2020  const struct sha256_digest *b)
2021 {
2022  const struct sha256_digest zero = {{0}};
2023  return memcmp(a, b, sizeof(struct sha256_digest))
2024  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2025 }
2026 #endif /* P2MP */
2027 
2028 bool
2029 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2030 {
2031  if (!c->c2.do_up_ran)
2032  {
2033  reset_coarse_timers(c);
2034 
2035  if (pulled_options)
2036  {
2037  if (!do_deferred_options(c, option_types_found))
2038  {
2039  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2040  return false;
2041  }
2042  }
2043 
2044  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2045  if (c->options.up_delay || PULL_DEFINED(&c->options))
2046  {
2047  c->c2.did_open_tun = do_open_tun(c);
2048  update_time();
2049 
2050 #if P2MP
2051  /*
2052  * Was tun interface object persisted from previous restart iteration,
2053  * and if so did pulled options string change from previous iteration?
2054  */
2055  if (!c->c2.did_open_tun
2056  && PULL_DEFINED(&c->options)
2057  && c->c1.tuntap
2058  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2059  &c->c2.pulled_options_digest))
2060  {
2061  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2062  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2063  do_close_tun(c, true);
2064  management_sleep(1);
2065  c->c2.did_open_tun = do_open_tun(c);
2066  update_time();
2067  }
2068 #endif
2069  }
2070 
2071  if (c->c2.did_open_tun)
2072  {
2073 #if P2MP
2074  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2075 #endif
2076 
2077  /* if --route-delay was specified, start timer */
2078  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2079  {
2080  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2081  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2082  if (c->c1.tuntap)
2083  {
2084  tun_standby_init(c->c1.tuntap);
2085  }
2086  }
2087  else
2088  {
2089  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2090  }
2091  }
2092  else if (c->options.mode == MODE_POINT_TO_POINT)
2093  {
2094  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2095  }
2096 
2097  c->c2.do_up_ran = true;
2098  }
2099  return true;
2100 }
2101 
2102 /*
2103  * These are the option categories which will be accepted by pull.
2104  */
2105 unsigned int
2106 pull_permission_mask(const struct context *c)
2107 {
2108  unsigned int flags =
2109  OPT_P_UP
2110  | OPT_P_ROUTE_EXTRAS
2111  | OPT_P_SOCKBUF
2112  | OPT_P_SOCKFLAGS
2113  | OPT_P_SETENV
2114  | OPT_P_SHAPER
2115  | OPT_P_TIMER
2116  | OPT_P_COMP
2117  | OPT_P_PERSIST
2118  | OPT_P_MESSAGES
2119  | OPT_P_EXPLICIT_NOTIFY
2120  | OPT_P_ECHO
2121  | OPT_P_PULL_MODE
2122  | OPT_P_PEER_ID;
2123 
2124  if (!c->options.route_nopull)
2125  {
2126  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2127  }
2128 
2129  if (c->options.ncp_enabled)
2130  {
2131  flags |= OPT_P_NCP;
2132  }
2133 
2134  return flags;
2135 }
2136 
2137 /*
2138  * Handle non-tun-related pulled options.
2139  */
2140 bool
2141 do_deferred_options(struct context *c, const unsigned int found)
2142 {
2143  if (found & OPT_P_MESSAGES)
2144  {
2145  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2146  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2147  }
2148  if (found & OPT_P_TIMER)
2149  {
2150  do_init_timers(c, true);
2151  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2152  }
2153 
2154 #ifdef ENABLE_OCC
2155  if (found & OPT_P_EXPLICIT_NOTIFY)
2156  {
2157  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2158  {
2159  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2160  c->options.ce.explicit_exit_notification = 0;
2161  }
2162  else
2163  {
2164  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2165  }
2166  }
2167 #endif
2168 
2169 #ifdef USE_COMP
2170  if (found & OPT_P_COMP)
2171  {
2172  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2173  comp_uninit(c->c2.comp_context);
2174  c->c2.comp_context = comp_init(&c->options.comp);
2175  }
2176 #endif
2177 
2178  if (found & OPT_P_SHAPER)
2179  {
2180  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2181  do_init_traffic_shaper(c);
2182  }
2183 
2184  if (found & OPT_P_SOCKBUF)
2185  {
2186  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2187  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2188  }
2189 
2190  if (found & OPT_P_SOCKFLAGS)
2191  {
2192  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2193  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2194  }
2195 
2196  if (found & OPT_P_PERSIST)
2197  {
2198  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2199  }
2200  if (found & OPT_P_UP)
2201  {
2202  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2203  }
2204  if (found & OPT_P_ROUTE)
2205  {
2206  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2207  }
2208  if (found & OPT_P_ROUTE_EXTRAS)
2209  {
2210  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2211  }
2212  if (found & OPT_P_IPWIN32)
2213  {
2214  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2215  }
2216  if (found & OPT_P_SETENV)
2217  {
2218  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2219  }
2220 
2221  if (found & OPT_P_PEER_ID)
2222  {
2223  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2224  c->c2.tls_multi->use_peer_id = true;
2225  c->c2.tls_multi->peer_id = c->options.peer_id;
2226  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2227  if (!c->options.ce.link_mtu_defined)
2228  {
2229  frame_add_to_link_mtu(&c->c2.frame, +3);
2230  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2231  EXPANDED_SIZE(&c->c2.frame));
2232  }
2233  else
2234  {
2235  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2236  " fixed by config - reducing tun-mtu to %d, expect"
2237  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2238  }
2239  }
2240 
2241  /* process (potentially pushed) crypto options */
2242  if (c->options.pull)
2243  {
2244  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2245  if (found & OPT_P_NCP)
2246  {
2247  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2248  }
2249  else if (c->options.ncp_enabled)
2250  {
2251  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2252  }
2253  /* Do not regenerate keys if server sends an extra push reply */
2254  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2255  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2256  {
2257  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2258  return false;
2259  }
2260  }
2261 
2262  return true;
2263 }
2264 
2265 /*
2266  * Possible hold on initialization, holdtime is the
2267  * time OpenVPN would wait without management
2268  */
2269 static bool
2270 do_hold(int holdtime)
2271 {
2272 #ifdef ENABLE_MANAGEMENT
2273  if (management)
2274  {
2275  /* block until management hold is released */
2276  if (management_hold(management, holdtime))
2277  {
2278  return true;
2279  }
2280  }
2281 #endif
2282  return false;
2283 }
2284 
2285 /*
2286  * Sleep before restart.
2287  */
2288 static void
2289 socket_restart_pause(struct context *c)
2290 {
2291  int sec = 2;
2292  int backoff = 0;
2293 
2294  switch (c->options.ce.proto)
2295  {
2296  case PROTO_TCP_SERVER:
2297  sec = 1;
2298  break;
2299 
2300  case PROTO_UDP:
2301  case PROTO_TCP_CLIENT:
2302  sec = c->options.ce.connect_retry_seconds;
2303  break;
2304  }
2305 
2306 #ifdef ENABLE_DEBUG
2307  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2308  {
2309  sec = 0;
2310  }
2311 #endif
2312 
2313 #if P2MP
2314  if (auth_retry_get() == AR_NOINTERACT)
2315  {
2316  sec = 10;
2317  }
2318 #endif
2319 
2320  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2321  if (c->options.ce.proto != PROTO_TCP_SERVER)
2322  {
2323  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2324  if (backoff > 0)
2325  {
2326  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2327  sec = max_int(sec, 1) << min_int(backoff, 15);
2328  }
2329 
2330  if (sec > c->options.ce.connect_retry_seconds_max)
2331  {
2332  sec = c->options.ce.connect_retry_seconds_max;
2333  }
2334  }
2335 
2336  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2337  {
2338  sec = c->persist.restart_sleep_seconds;
2339  }
2340  else if (c->persist.restart_sleep_seconds == -1)
2341  {
2342  sec = 0;
2343  }
2344  c->persist.restart_sleep_seconds = 0;
2345 
2346  /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2347  if (do_hold(sec))
2348  {
2349  sec = 0;
2350  }
2351 
2352  if (sec)
2353  {
2354  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2355  management_sleep(sec);
2356  }
2357 }
2358 
2359 /*
2360  * Do a possible pause on context_2 initialization.
2361  */
2362 static void
2363 do_startup_pause(struct context *c)
2364 {
2365  if (!c->first_time)
2366  {
2367  socket_restart_pause(c);
2368  }
2369  else
2370  {
2371  do_hold(0); /* do management hold on first context initialization */
2372  }
2373 }
2374 
2375 /*
2376  * Finalize MTU parameters based on command line or config file options.
2377  */
2378 static void
2379 frame_finalize_options(struct context *c, const struct options *o)
2380 {
2381  if (!o)
2382  {
2383  o = &c->options;
2384  }
2385 
2386  /*
2387  * Set adjustment factor for buffer alignment when no
2388  * cipher is used.
2389  */
2390  if (!CIPHER_ENABLED(c))
2391  {
2392  frame_align_to_extra_frame(&c->c2.frame);
2393  frame_or_align_flags(&c->c2.frame,
2394  FRAME_HEADROOM_MARKER_FRAGMENT
2395  |FRAME_HEADROOM_MARKER_READ_LINK
2396  |FRAME_HEADROOM_MARKER_READ_STREAM);
2397  }
2398 
2399  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2400  frame_finalize(&c->c2.frame,
2401  o->ce.link_mtu_defined,
2402  o->ce.link_mtu,
2403  o->ce.tun_mtu_defined,
2404  o->ce.tun_mtu);
2405 }
2406 
2407 /*
2408  * Free a key schedule, including OpenSSL components.
2409  */
2410 static void
2411 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2412 {
2413  free_key_ctx_bi(&ks->static_key);
2414  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2415  {
2416  tls_ctx_free(&ks->ssl_ctx);
2417  }
2418  CLEAR(*ks);
2419 }
2420 
2421 static void
2422 init_crypto_pre(struct context *c, const unsigned int flags)
2423 {
2424  if (c->options.engine)
2425  {
2426  crypto_init_lib_engine(c->options.engine);
2427  }
2428 
2429  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2430  {
2431  /* load a persisted packet-id for cross-session replay-protection */
2432  if (c->options.packet_id_file)
2433  {
2434  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2435  }
2436  }
2437 
2438 #ifdef ENABLE_PREDICTION_RESISTANCE
2439  if (c->options.use_prediction_resistance)
2440  {
2441  rand_ctx_enable_prediction_resistance();
2442  }
2443 #endif
2444 
2445 }
2446 
2447 /*
2448  * Static Key Mode (using a pre-shared key)
2449  */
2450 static void
2451 do_init_crypto_static(struct context *c, const unsigned int flags)
2452 {
2453  const struct options *options = &c->options;
2454  ASSERT(options->shared_secret_file);
2455 
2456  init_crypto_pre(c, flags);
2457 
2458  /* Initialize flags */
2459  if (c->options.mute_replay_warnings)
2460  {
2461  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2462  }
2463 
2464  /* Initialize packet ID tracking */
2465  if (options->replay)
2466  {
2467  packet_id_init(&c->c2.crypto_options.packet_id,
2468  options->replay_window,
2469  options->replay_time,
2470  "STATIC", 0);
2471  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2472  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2473  packet_id_persist_load_obj(&c->c1.pid_persist,
2474  &c->c2.crypto_options.packet_id);
2475  }
2476 
2477  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2478  {
2479  /* Get cipher & hash algorithms */
2480  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2481  options->keysize, options->test_crypto, true);
2482 
2483  /* Read cipher and hmac keys from shared secret file */
2484  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2485  options->shared_secret_file,
2486  options->shared_secret_file_inline,
2487  options->key_direction, "Static Key Encryption",
2488  "secret");
2489  }
2490  else
2491  {
2492  msg(M_INFO, "Re-using pre-shared static key");
2493  }
2494 
2495  /* Get key schedule */
2496  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2497 
2498  /* Compute MTU parameters */
2499  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2500  options->replay, true);
2501 
2502  /* Sanity check on sequence number, and cipher mode options */
2503  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2504 }
2505 
2506 /*
2507  * Initialize the tls-auth/crypt key context
2508  */
2509 static void
2510 do_init_tls_wrap_key(struct context *c)
2511 {
2512  const struct options *options = &c->options;
2513 
2514  /* TLS handshake authentication (--tls-auth) */
2515  if (options->ce.tls_auth_file)
2516  {
2517  /* Initialize key_type for tls-auth with auth only */
2518  CLEAR(c->c1.ks.tls_auth_key_type);
2519  if (!streq(options->authname, "none"))
2520  {
2521  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2522  c->c1.ks.tls_auth_key_type.hmac_length =
2523  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2524  }
2525  else
2526  {
2527  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2528  "algorithm specified ('%s')", options->authname);
2529  }
2530 
2531  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2532  &c->c1.ks.tls_wrap_key,
2533  options->ce.tls_auth_file,
2534  options->ce.tls_auth_file_inline,
2535  options->ce.key_direction,
2536  "Control Channel Authentication", "tls-auth");
2537  }
2538 
2539  /* TLS handshake encryption+authentication (--tls-crypt) */
2540  if (options->ce.tls_crypt_file)
2541  {
2542  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2543  options->ce.tls_crypt_file,
2544  options->ce.tls_crypt_inline, options->tls_server);
2545  }
2546 }
2547 
2548 /*
2549  * Initialize the persistent component of OpenVPN's TLS mode,
2550  * which is preserved across SIGUSR1 resets.
2551  */
2552 static void
2553 do_init_crypto_tls_c1(struct context *c)
2554 {
2555  const struct options *options = &c->options;
2556 
2557  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2558  {
2559  /*
2560  * Initialize the OpenSSL library's global
2561  * SSL context.
2562  */
2563  init_ssl(options, &(c->c1.ks.ssl_ctx));
2564  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2565  {
2566 #if P2MP
2567  switch (auth_retry_get())
2568  {
2569  case AR_NONE:
2570  msg(M_FATAL, "Error: private key password verification failed");
2571  break;
2572 
2573  case AR_INTERACT:
2574  ssl_purge_auth(false);
2575 
2576  case AR_NOINTERACT:
2577  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2578  break;
2579 
2580  default:
2581  ASSERT(0);
2582  }
2583  c->sig->signal_text = "private-key-password-failure";
2584  return;
2585 #else /* if P2MP */
2586  msg(M_FATAL, "Error: private key password verification failed");
2587 #endif
2588  }
2589 
2590  /* Get cipher & hash algorithms */
2591  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2592  options->keysize, true, true);
2593 
2594  /* Initialize PRNG with config-specified digest */
2595  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2596 
2597  /* initialize tls-auth/crypt key */
2598  do_init_tls_wrap_key(c);
2599 
2600  c->c1.ciphername = options->ciphername;
2601  c->c1.authname = options->authname;
2602  c->c1.keysize = options->keysize;
2603 
2604 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2605  if (options->priv_key_file_inline)
2606  {
2607  string_clear(c->options.priv_key_file_inline);
2608  c->options.priv_key_file_inline = NULL;
2609  }
2610 #endif
2611  }
2612  else
2613  {
2614  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2615 
2616  /* Restore pre-NCP cipher options */
2617  c->options.ciphername = c->c1.ciphername;
2618  c->options.authname = c->c1.authname;
2619  c->options.keysize = c->c1.keysize;
2620 
2621  /*
2622  * tls-auth/crypt key can be configured per connection block, therefore
2623  * we must reload it as it may have changed
2624  */
2625  do_init_tls_wrap_key(c);
2626  }
2627 }
2628 
2629 static void
2630 do_init_crypto_tls(struct context *c, const unsigned int flags)
2631 {
2632  const struct options *options = &c->options;
2633  struct tls_options to;
2634  bool packet_id_long_form;
2635 
2636  ASSERT(options->tls_server || options->tls_client);
2637  ASSERT(!options->test_crypto);
2638 
2639  init_crypto_pre(c, flags);
2640 
2641  /* Make sure we are either a TLS client or server but not both */
2642  ASSERT(options->tls_server == !options->tls_client);
2643 
2644  /* initialize persistent component */
2645  do_init_crypto_tls_c1(c);
2646  if (IS_SIG(c))
2647  {
2648  return;
2649  }
2650 
2651  /* Sanity check on sequence number, and cipher mode options */
2652  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2653 
2654  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2655  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2656 
2657  /* Compute MTU parameters (postpone if we push/pull options) */
2658  if (c->options.pull || c->options.mode == MODE_SERVER)
2659  {
2660  /* Account for worst-case crypto overhead before allocating buffers */
2661  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2662  }
2663  else
2664  {
2665  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2666  options->replay, packet_id_long_form);
2667  }
2668  tls_adjust_frame_parameters(&c->c2.frame);
2669 
2670  /* Set all command-line TLS-related options */
2671  CLEAR(to);
2672 
2673  if (options->mute_replay_warnings)
2674  {
2675  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2676  }
2677 
2678  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2679  if (packet_id_long_form)
2680  {
2681  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2682  }
2683 
2684  to.ssl_ctx = c->c1.ks.ssl_ctx;
2685  to.key_type = c->c1.ks.key_type;
2686  to.server = options->tls_server;
2687  to.key_method = options->key_method;
2688  to.replay = options->replay;
2689  to.replay_window = options->replay_window;
2690  to.replay_time = options->replay_time;
2691  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2692  to.config_ciphername = c->c1.ciphername;
2693  to.config_authname = c->c1.authname;
2694  to.ncp_enabled = options->ncp_enabled;
2695  to.transition_window = options->transition_window;
2696  to.handshake_window = options->handshake_window;
2697  to.packet_timeout = options->tls_timeout;
2698  to.renegotiate_bytes = options->renegotiate_bytes;
2699  to.renegotiate_packets = options->renegotiate_packets;
2700  if (options->renegotiate_seconds_min < 0)
2701  {
2702  /* Add 10% jitter to reneg-sec by default (server side only) */
2703  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2704  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2705  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2706  }
2707  else
2708  {
2709  /* Add user-specified jitter to reneg-sec */
2710  to.renegotiate_seconds = options->renegotiate_seconds -
2711  (get_random() % max_int(options->renegotiate_seconds
2712  - options->renegotiate_seconds_min, 1));
2713  }
2714  to.single_session = options->single_session;
2715  to.mode = options->mode;
2716  to.pull = options->pull;
2717  if (options->push_peer_info) /* all there is */
2718  {
2719  to.push_peer_info_detail = 2;
2720  }
2721  else if (options->pull) /* pull clients send some details */
2722  {
2723  to.push_peer_info_detail = 1;
2724  }
2725  else /* default: no peer-info at all */
2726  {
2727  to.push_peer_info_detail = 0;
2728  }
2729 
2730  /* should we not xmit any packets until we get an initial
2731  * response from client? */
2732  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2733  {
2734  to.xmit_hold = true;
2735  }
2736 
2737 #ifdef ENABLE_OCC
2738  to.disable_occ = !options->occ;
2739 #endif
2740 
2741  to.verify_command = options->tls_verify;
2742  to.verify_export_cert = options->tls_export_cert;
2743  to.verify_x509_type = (options->verify_x509_type & 0xff);
2744  to.verify_x509_name = options->verify_x509_name;
2745  to.crl_file = options->crl_file;
2746  to.crl_file_inline = options->crl_file_inline;
2747  to.ssl_flags = options->ssl_flags;
2748  to.ns_cert_type = options->ns_cert_type;
2749  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2750  to.remote_cert_eku = options->remote_cert_eku;
2751  to.verify_hash = options->verify_hash;
2752  to.verify_hash_algo = options->verify_hash_algo;
2753 #ifdef ENABLE_X509ALTUSERNAME
2754  to.x509_username_field = (char *) options->x509_username_field;
2755 #else
2756  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2757 #endif
2758  to.es = c->c2.es;
2759 
2760 #ifdef ENABLE_DEBUG
2761  to.gremlin = c->options.gremlin;
2762 #endif
2763 
2764  to.plugins = c->plugins;
2765 
2766 #ifdef MANAGEMENT_DEF_AUTH
2767  to.mda_context = &c->c2.mda_context;
2768 #endif
2769 
2770 #if P2MP_SERVER
2771  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2772  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2773  to.tmp_dir = options->tmp_dir;
2774  if (options->ccd_exclusive)
2775  {
2776  to.client_config_dir_exclusive = options->client_config_dir;
2777  }
2778  to.auth_user_pass_file = options->auth_user_pass_file;
2779  to.auth_token_generate = options->auth_token_generate;
2780  to.auth_token_lifetime = options->auth_token_lifetime;
2781 #endif
2782 
2783  to.x509_track = options->x509_track;
2784 
2785 #if P2MP
2786 #ifdef ENABLE_CLIENT_CR
2787  to.sci = &options->sc_info;
2788 #endif
2789 #endif
2790 
2791 #ifdef USE_COMP
2792  to.comp_options = options->comp;
2793 #endif
2794 
2795 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2796  if (options->keying_material_exporter_label)
2797  {
2798  to.ekm_size = options->keying_material_exporter_length;
2799  if (to.ekm_size < 16 || to.ekm_size > 4095)
2800  {
2801  to.ekm_size = 0;
2802  }
2803 
2804  to.ekm_label = options->keying_material_exporter_label;
2805  to.ekm_label_size = strlen(to.ekm_label);
2806  }
2807  else
2808  {
2809  to.ekm_size = 0;
2810  }
2811 #endif
2812 
2813  /* TLS handshake authentication (--tls-auth) */
2814  if (options->ce.tls_auth_file)
2815  {
2816  to.tls_wrap.mode = TLS_WRAP_AUTH;
2817  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2818  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2819  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2820  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2821  true, true);
2822  }
2823 
2824  /* TLS handshake encryption (--tls-crypt) */
2825  if (options->ce.tls_crypt_file)
2826  {
2827  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2828  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2829  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2830  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2831  tls_crypt_adjust_frame_parameters(&to.frame);
2832  }
2833 
2834  /* If we are running over TCP, allow for
2835  * length prefix */
2836  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2837 
2838  /*
2839  * Initialize OpenVPN's master TLS-mode object.
2840  */
2841  if (flags & CF_INIT_TLS_MULTI)
2842  {
2843  c->c2.tls_multi = tls_multi_init(&to);
2844  }
2845 
2846  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2847  {
2848  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2849  }
2850 }
2851 
2852 static void
2853 do_init_finalize_tls_frame(struct context *c)
2854 {
2855  if (c->c2.tls_multi)
2856  {
2857  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2858  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2859  EXPANDED_SIZE(&c->c2.frame));
2860  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2861  "Control Channel MTU parms");
2862  }
2863  if (c->c2.tls_auth_standalone)
2864  {
2865  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2866  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2867  "TLS-Auth MTU parms");
2868  }
2869 }
2870 
2871 /*
2872  * No encryption or authentication.
2873  */
2874 static void
2875 do_init_crypto_none(const struct context *c)
2876 {
2877  ASSERT(!c->options.test_crypto);
2878  msg(M_WARN,
2879  "******* WARNING *******: All encryption and authentication features "
2880  "disabled -- All data will be tunnelled as clear text and will not be "
2881  "protected against man-in-the-middle changes. "
2882  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2883 }
2884 
2885 static void
2886 do_init_crypto(struct context *c, const unsigned int flags)
2887 {
2888  if (c->options.shared_secret_file)
2889  {
2890  do_init_crypto_static(c, flags);
2891  }
2892  else if (c->options.tls_server || c->options.tls_client)
2893  {
2894  do_init_crypto_tls(c, flags);
2895  }
2896  else /* no encryption or authentication. */
2897  {
2898  do_init_crypto_none(c);
2899  }
2900 }
2901 
2902 static void
2903 do_init_frame(struct context *c)
2904 {
2905 #ifdef USE_COMP
2906  /*
2907  * modify frame parameters if compression is enabled
2908  */
2909  if (comp_enabled(&c->options.comp))
2910  {
2911  comp_add_to_extra_frame(&c->c2.frame);
2912 
2913 #if !defined(ENABLE_LZ4)
2914  /*
2915  * Compression usage affects buffer alignment when non-swapped algs
2916  * such as LZO is used.
2917  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2918  * any special alignment because of the control-byte swap approach.
2919  * LZO alignment (on the other hand) is problematic because
2920  * the presence of the control byte means that either the output of
2921  * decryption must be written to an unaligned buffer, or the input
2922  * to compression (or packet dispatch if packet is uncompressed)
2923  * must be read from an unaligned buffer.
2924  * This code tries to align the input to compression (or packet
2925  * dispatch if packet is uncompressed) at the cost of requiring
2926  * decryption output to be written to an unaligned buffer, so
2927  * it's more of a tradeoff than an optimal solution and we don't
2928  * include it when we are doing a modern build with LZ4.
2929  * Strictly speaking, on the server it would be better to execute
2930  * this code for every connection after we decide the compression
2931  * method, but currently the frame code doesn't appear to be
2932  * flexible enough for this, since the frame is already established
2933  * before it is known which compression options will be pushed.
2934  */
2935  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
2936  {
2937  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
2938  frame_or_align_flags(&c->c2.frame,
2939  FRAME_HEADROOM_MARKER_FRAGMENT
2940  |FRAME_HEADROOM_MARKER_DECRYPT);
2941  }
2942 #endif
2943 
2944 #ifdef ENABLE_FRAGMENT
2945  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
2946 #endif
2947  }
2948 #endif /* USE_COMP */
2949 
2950  /*
2951  * Adjust frame size for UDP Socks support.
2952  */
2953  if (c->options.ce.socks_proxy_server)
2954  {
2955  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
2956  }
2957 
2958  /*
2959  * Adjust frame size based on the --tun-mtu-extra parameter.
2960  */
2961  if (c->options.ce.tun_mtu_extra_defined)
2962  {
2963  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
2964  }
2965 
2966  /*
2967  * Adjust frame size based on link socket parameters.
2968  * (Since TCP is a stream protocol, we need to insert
2969  * a packet length uint16_t in the buffer.)
2970  */
2971  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
2972 
2973  /*
2974  * Fill in the blanks in the frame parameters structure,
2975  * make sure values are rational, etc.
2976  */
2977  frame_finalize_options(c, NULL);
2978 
2979 #ifdef USE_COMP
2980  /*
2981  * Modify frame parameters if compression is compiled in.
2982  * Should be called after frame_finalize_options.
2983  */
2984  comp_add_to_extra_buffer(&c->c2.frame);
2985 #ifdef ENABLE_FRAGMENT
2986  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
2987 #endif
2988 #endif /* USE_COMP */
2989 
2990  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
2991  * and need link_mtu+3 bytes on socket reception (on server).
2992  *
2993  * accomodate receive path in f->extra_link, which has the side effect of
2994  * also increasing send buffers (BUF_SIZE() macro), which need to be
2995  * allocated big enough before receiving peer-id option from server.
2996  *
2997  * f->extra_frame is adjusted when peer-id option is push-received
2998  */
2999  frame_add_to_extra_link(&c->c2.frame, 3);
3000 
3001 #ifdef ENABLE_FRAGMENT
3002  /*
3003  * Set frame parameter for fragment code. This is necessary because
3004  * the fragmentation code deals with payloads which have already been
3005  * passed through the compression code.
3006  */
3007  c->c2.frame_fragment = c->c2.frame;
3008  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3009 #endif
3010 
3011 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3012  /*
3013  * MTU advisories
3014  */
3015  if (c->options.ce.fragment && c->options.mtu_test)
3016  {
3017  msg(M_WARN,
3018  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3019  }
3020 #endif
3021 
3022 #ifdef ENABLE_FRAGMENT
3023  if ((c->options.ce.mssfix || c->options.ce.fragment)
3024  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3025  {
3026  msg(M_WARN,
3027  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3028  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3029  }
3030 #endif
3031 }
3032 
3033 static void
3034 do_option_warnings(struct context *c)
3035 {
3036  const struct options *o = &c->options;
3037 
3038  if (o->ping_send_timeout && !o->ping_rec_timeout)
3039  {
3040  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3041  }
3042 
3043  if (o->username || o->groupname || o->chroot_dir
3044 #ifdef ENABLE_SELINUX
3045  || o->selinux_context
3046 #endif
3047  )
3048  {
3049  if (!o->persist_tun)
3050  {
3051  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3052  }
3053  if (!o->persist_key
3054 #ifdef ENABLE_PKCS11
3055  && !o->pkcs11_id
3056 #endif
3057  )
3058  {
3059  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3060  }
3061  }
3062 
3063  if (o->chroot_dir && !(o->username && o->groupname))
3064  {
3065  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3066  }
3067 
3068 #if P2MP
3069  if (o->pull && o->ifconfig_local && c->first_time)
3070  {
3071  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3072  }
3073 
3074 #if P2MP_SERVER
3075  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3076  {
3077  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3078  }
3079 
3080  if (o->mode == MODE_SERVER)
3081  {
3082  if (o->duplicate_cn && o->client_config_dir)
3083  {
3084  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3085  }
3086  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3087  {
3088  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3089  }
3090  if (!o->keepalive_ping || !o->keepalive_timeout)
3091  {
3092  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3093  }
3094  }
3095 #endif /* if P2MP_SERVER */
3096 #endif /* if P2MP */
3097 
3098  if (!o->replay)
3099  {
3100  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3101  }
3102 
3103  if (o->tls_server)
3104  {
3105  warn_on_use_of_common_subnets();
3106  }
3107  if (o->tls_client
3108  && !o->tls_verify
3109  && o->verify_x509_type == VERIFY_X509_NONE
3110  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3111  && !o->remote_cert_eku)
3112  {
3113  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3114  }
3115  if (o->ns_cert_type)
3116  {
3117  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3118  }
3119 
3120  /* If a script is used, print appropiate warnings */
3121  if (o->user_script_used)
3122  {
3123  if (script_security() >= SSEC_SCRIPTS)
3124  {
3125  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3126  }
3127  else if (script_security() >= SSEC_PW_ENV)
3128  {
3129  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3130  }
3131  else
3132  {
3133  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3134  }
3135  }
3136 }
3137 
3138 static void
3139 do_init_frame_tls(struct context *c)
3140 {
3141  do_init_finalize_tls_frame(c);
3142 }
3143 
3144 struct context_buffers *
3145 init_context_buffers(const struct frame *frame)
3146 {
3147  struct context_buffers *b;
3148 
3149  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3150 
3151  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3152  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3153 
3154  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3155 
3156  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3157  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3158 
3159 #ifdef USE_COMP
3160  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3161  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3162 #endif
3163 
3164  return b;
3165 }
3166 
3167 void
3168 free_context_buffers(struct context_buffers *b)
3169 {
3170  if (b)
3171  {
3172  free_buf(&b->read_link_buf);
3173  free_buf(&b->read_tun_buf);
3174  free_buf(&b->aux_buf);
3175 
3176 #ifdef USE_COMP
3177  free_buf(&b->compress_buf);
3178  free_buf(&b->decompress_buf);
3179 #endif
3180 
3181  free_buf(&b->encrypt_buf);
3182  free_buf(&b->decrypt_buf);
3183 
3184  free(b);
3185  }
3186 }
3187 
3188 /*
3189  * Now that we know all frame parameters, initialize
3190  * our buffers.
3191  */
3192 static void
3193 do_init_buffers(struct context *c)
3194 {
3195  c->c2.buffers = init_context_buffers(&c->c2.frame);
3196  c->c2.buffers_owned = true;
3197 }
3198 
3199 #ifdef ENABLE_FRAGMENT
3200 /*
3201  * Fragmenting code has buffers to initialize
3202  * once frame parameters are known.
3203  */
3204 static void
3205 do_init_fragment(struct context *c)
3206 {
3207  ASSERT(c->options.ce.fragment);
3208  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3209  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3210  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3211 }
3212 #endif
3213 
3214 /*
3215  * Allocate our socket object.
3216  */
3217 static void
3218 do_link_socket_new(struct context *c)
3219 {
3220  ASSERT(!c->c2.link_socket);
3221  c->c2.link_socket = link_socket_new();
3222  c->c2.link_socket_owned = true;
3223 }
3224 
3225 /*
3226  * bind the TCP/UDP socket
3227  */
3228 static void
3229 do_init_socket_1(struct context *c, const int mode)
3230 {
3231  unsigned int sockflags = c->options.sockflags;
3232 
3233 #if PORT_SHARE
3234  if (c->options.port_share_host && c->options.port_share_port)
3235  {
3236  sockflags |= SF_PORT_SHARE;
3237  }
3238 #endif
3239 
3240  link_socket_init_phase1(c->c2.link_socket,
3241  c->options.ce.local,
3242  c->options.ce.local_port,
3243  c->options.ce.remote,
3244  c->options.ce.remote_port,
3245  c->c1.dns_cache,
3246  c->options.ce.proto,
3247  c->options.ce.af,
3248  c->options.ce.bind_ipv6_only,
3249  mode,
3250  c->c2.accept_from,
3251  c->c1.http_proxy,
3252  c->c1.socks_proxy,
3253 #ifdef ENABLE_DEBUG
3254  c->options.gremlin,
3255 #endif
3256  c->options.ce.bind_local,
3257  c->options.ce.remote_float,
3258  c->options.inetd,
3259  &c->c1.link_socket_addr,
3260  c->options.ipchange,
3261  c->plugins,
3262  c->options.resolve_retry_seconds,
3263  c->options.ce.mtu_discover_type,
3264  c->options.rcvbuf,
3265  c->options.sndbuf,
3266  c->options.mark,
3267  &c->c2.server_poll_interval,
3268  sockflags);
3269 }
3270 
3271 /*
3272  * finalize the TCP/UDP socket
3273  */
3274 static void
3275 do_init_socket_2(struct context *c)
3276 {
3277  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3278  c->sig);
3279 }
3280 
3281 /*
3282  * Print MTU INFO
3283  */
3284 static void
3285 do_print_data_channel_mtu_parms(struct context *c)
3286 {
3287  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3288 #ifdef ENABLE_FRAGMENT
3289  if (c->c2.fragment)
3290  {
3291  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3292  "Fragmentation MTU parms");
3293  }
3294 #endif
3295 }
3296 
3297 #ifdef ENABLE_OCC
3298 /*
3299  * Get local and remote options compatibility strings.
3300  */
3301 static void
3302 do_compute_occ_strings(struct context *c)
3303 {
3304  struct gc_arena gc = gc_new();
3305 
3306  c->c2.options_string_local =
3307  options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3308  c->c2.options_string_remote =
3309  options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
3310 
3311  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3312  options_string_version(c->c2.options_string_local, &gc),
3313  c->c2.options_string_local);
3314  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3315  options_string_version(c->c2.options_string_remote, &gc),
3316  c->c2.options_string_remote);
3317 
3318  if (c->c2.tls_multi)
3319  {
3320  tls_multi_init_set_options(c->c2.tls_multi,
3321  c->c2.options_string_local,
3322  c->c2.options_string_remote);
3323  }
3324 
3325  gc_free(&gc);
3326 }
3327 #endif /* ifdef ENABLE_OCC */
3328 
3329 /*
3330  * These things can only be executed once per program instantiation.
3331  * Set up for possible UID/GID downgrade, but don't do it yet.
3332  * Daemonize if requested.
3333  */
3334 static void
3335 do_init_first_time(struct context *c)
3336 {
3337  if (c->first_time && !c->c0)
3338  {
3339  struct context_0 *c0;
3340 
3341  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3342  c0 = c->c0;
3343 
3344  /* get user and/or group that we want to setuid/setgid to */
3345  c0->uid_gid_specified =
3346  platform_group_get(c->options.groupname, &c0->platform_state_group)
3347  |platform_user_get(c->options.username, &c0->platform_state_user);
3348 
3349  /* perform postponed chdir if --daemon */
3350  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3351  {
3352  platform_chdir("/");
3353  }
3354 
3355  /* should we change scheduling priority? */
3356  platform_nice(c->options.nice);
3357  }
3358 }
3359 
3360 /*
3361  * If xinetd/inetd mode, don't allow restart.
3362  */
3363 static void
3364 do_close_check_if_restart_permitted(struct context *c)
3365 {
3366  if (c->options.inetd
3367  && (c->sig->signal_received == SIGHUP
3368  || c->sig->signal_received == SIGUSR1))
3369  {
3370  c->sig->signal_received = SIGTERM;
3371  msg(M_INFO,
3372  PACKAGE_NAME
3373  " started by inetd/xinetd cannot restart... Exiting.");
3374  }
3375 }
3376 
3377 /*
3378  * free buffers
3379  */
3380 static void
3381 do_close_free_buf(struct context *c)
3382 {
3383  if (c->c2.buffers_owned)
3384  {
3385  free_context_buffers(c->c2.buffers);
3386  c->c2.buffers = NULL;
3387  c->c2.buffers_owned = false;
3388  }
3389 }
3390 
3391 /*
3392  * close TLS
3393  */
3394 static void
3395 do_close_tls(struct context *c)
3396 {
3397  if (c->c2.tls_multi)
3398  {
3399  tls_multi_free(c->c2.tls_multi, true);
3400  c->c2.tls_multi = NULL;
3401  }
3402 
3403 #ifdef ENABLE_OCC
3404  /* free options compatibility strings */
3405  if (c->c2.options_string_local)
3406  {
3407  free(c->c2.options_string_local);
3408  }
3409  if (c->c2.options_string_remote)
3410  {
3411  free(c->c2.options_string_remote);
3412  }
3413  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3414 #endif
3415 
3416  if (c->c2.pulled_options_state)
3417  {
3418  md_ctx_cleanup(c->c2.pulled_options_state);
3419  md_ctx_free(c->c2.pulled_options_state);
3420  }
3421 }
3422 
3423 /*
3424  * Free key schedules
3425  */
3426 static void
3427 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3428 {
3429  /*
3430  * always free the tls_auth/crypt key. If persist_key is true, the key will
3431  * be reloaded from memory (pre-cached)
3432  */
3433  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3434  CLEAR(c->c1.ks.tls_wrap_key);
3435 
3436  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3437  {
3438  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3439  }
3440 }
3441 
3442 /*
3443  * Close TCP/UDP connection
3444  */
3445 static void
3446 do_close_link_socket(struct context *c)
3447 {
3448  if (c->c2.link_socket && c->c2.link_socket_owned)
3449  {
3450  link_socket_close(c->c2.link_socket);
3451  c->c2.link_socket = NULL;
3452  }
3453 
3454 
3455  /* Preserve the resolved list of remote if the user request to or if we want
3456  * reconnect to the same host again or there are still addresses that need
3457  * to be tried */
3458  if (!(c->sig->signal_received == SIGUSR1
3459  && ( (c->options.persist_remote_ip)
3460  ||
3461  ( c->sig->source != SIG_SOURCE_HARD
3462  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3463  || c->options.no_advance))
3464  )))
3465  {
3466  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3467  }
3468 
3469  /* Clear the remote actual address when persist_remote_ip is not in use */
3470  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3471  {
3472  CLEAR(c->c1.link_socket_addr.actual);
3473  }
3474 
3475  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3476  {
3477  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3478  {
3479  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3480  }
3481 
3482  c->c1.link_socket_addr.bind_local = NULL;
3483  }
3484 }
3485 
3486 /*
3487  * Close packet-id persistance file
3488  */
3489 static void
3490 do_close_packet_id(struct context *c)
3491 {
3492  packet_id_free(&c->c2.crypto_options.packet_id);
3493  packet_id_persist_save(&c->c1.pid_persist);
3494  if (!(c->sig->signal_received == SIGUSR1))
3495  {
3496  packet_id_persist_close(&c->c1.pid_persist);
3497  }
3498 }
3499 
3500 #ifdef ENABLE_FRAGMENT
3501 /*
3502  * Close fragmentation handler.
3503  */
3504 static void
3505 do_close_fragment(struct context *c)
3506 {
3507  if (c->c2.fragment)
3508  {
3509  fragment_free(c->c2.fragment);
3510  c->c2.fragment = NULL;
3511  }
3512 }
3513 #endif
3514 
3515 /*
3516  * Open and close our event objects.
3517  */
3518 
3519 static void
3520 do_event_set_init(struct context *c,
3521  bool need_us_timeout)
3522 {
3523  unsigned int flags = 0;
3524 
3525  c->c2.event_set_max = BASE_N_EVENTS;
3526 
3527  flags |= EVENT_METHOD_FAST;
3528 
3529  if (need_us_timeout)
3530  {
3531  flags |= EVENT_METHOD_US_TIMEOUT;
3532  }
3533 
3534  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3535  c->c2.event_set_owned = true;
3536 }
3537 
3538 static void
3539 do_close_event_set(struct context *c)
3540 {
3541  if (c->c2.event_set && c->c2.event_set_owned)
3542  {
3543  event_free(c->c2.event_set);
3544  c->c2.event_set = NULL;
3545  c->c2.event_set_owned = false;
3546  }
3547 }
3548 
3549 /*
3550  * Open and close --status file
3551  */
3552 
3553 static void
3554 do_open_status_output(struct context *c)
3555 {
3556  if (!c->c1.status_output)
3557  {
3558  c->c1.status_output = status_open(c->options.status_file,
3559  c->options.status_file_update_freq,
3560  -1,
3561  NULL,
3562  STATUS_OUTPUT_WRITE);
3563  c->c1.status_output_owned = true;
3564  }
3565 }
3566 
3567 static void
3568 do_close_status_output(struct context *c)
3569 {
3570  if (!(c->sig->signal_received == SIGUSR1))
3571  {
3572  if (c->c1.status_output_owned && c->c1.status_output)
3573  {
3574  status_close(c->c1.status_output);
3575  c->c1.status_output = NULL;
3576  c->c1.status_output_owned = false;
3577  }
3578  }
3579 }
3580 
3581 /*
3582  * Handle ifconfig-pool persistance object.
3583  */
3584 static void
3585 do_open_ifconfig_pool_persist(struct context *c)
3586 {
3587 #if P2MP_SERVER
3588  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3589  {
3590  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3591  c->options.ifconfig_pool_persist_refresh_freq);
3592  c->c1.ifconfig_pool_persist_owned = true;
3593  }
3594 #endif
3595 }
3596 
3597 static void
3598 do_close_ifconfig_pool_persist(struct context *c)
3599 {
3600 #if P2MP_SERVER
3601  if (!(c->sig->signal_received == SIGUSR1))
3602  {
3603  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3604  {
3605  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3606  c->c1.ifconfig_pool_persist = NULL;
3607  c->c1.ifconfig_pool_persist_owned = false;
3608  }
3609  }
3610 #endif
3611 }
3612 
3613 /*
3614  * Inherit environmental variables
3615  */
3616 
3617 static void
3618 do_inherit_env(struct context *c, const struct env_set *src)
3619 {
3620  c->c2.es = env_set_create(NULL);
3621  c->c2.es_owned = true;
3622  env_set_inherit(c->c2.es, src);
3623 }
3624 
3625 static void
3626 do_env_set_destroy(struct context *c)
3627 {
3628  if (c->c2.es && c->c2.es_owned)
3629  {
3630  env_set_destroy(c->c2.es);
3631  c->c2.es = NULL;
3632  c->c2.es_owned = false;
3633  }
3634 }
3635 
3636 /*
3637  * Fast I/O setup. Fast I/O is an optimization which only works
3638  * if all of the following are true:
3639  *
3640  * (1) The platform is not Windows
3641  * (2) --proto udp is enabled
3642  * (3) --shaper is disabled
3643  */
3644 static void
3645 do_setup_fast_io(struct context *c)
3646 {
3647  if (c->options.fast_io)
3648  {
3649 #ifdef _WIN32
3650  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3651 #else
3652  if (!proto_is_udp(c->options.ce.proto))
3653  {
3654  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3655  }
3656  else
3657  {
3658 #ifdef ENABLE_FEATURE_SHAPER
3659  if (c->options.shaper)
3660  {
3661  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3662  }
3663  else
3664 #endif
3665  {
3666  c->c2.fast_io = true;
3667  }
3668  }
3669 #endif
3670  }
3671 }
3672 
3673 static void
3674 do_signal_on_tls_errors(struct context *c)
3675 {
3676  if (c->options.tls_exit)
3677  {
3678  c->c2.tls_exit_signal = SIGTERM;
3679  }
3680  else
3681  {
3682  c->c2.tls_exit_signal = SIGUSR1;
3683  }
3684 }
3685 
3686 #ifdef ENABLE_PLUGIN
3687 
3688 void
3689 init_plugins(struct context *c)
3690 {
3691  if (c->options.plugin_list && !c->plugins)
3692  {
3693  c->plugins = plugin_list_init(c->options.plugin_list);
3694  c->plugins_owned = true;
3695  }
3696 }
3697 
3698 void
3699 open_plugins(struct context *c, const bool import_options, int init_point)
3700 {
3701  if (c->plugins && c->plugins_owned)
3702  {
3703  if (import_options)
3704  {
3705  struct plugin_return pr, config;
3706  plugin_return_init(&pr);
3707  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3708  plugin_return_get_column(&pr, &config, "config");
3709  if (plugin_return_defined(&config))
3710  {
3711  int i;
3712  for (i = 0; i < config.n; ++i)
3713  {
3714  unsigned int option_types_found = 0;
3715  if (config.list[i] && config.list[i]->value)
3716  {
3717  options_string_import(&c->options,
3718  config.list[i]->value,
3719  D_IMPORT_ERRORS|M_OPTERR,
3720  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3721  &option_types_found,
3722  c->es);
3723  }
3724  }
3725  }
3726  plugin_return_free(&pr);
3727  }
3728  else
3729  {
3730  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3731  }
3732  }
3733 }
3734 
3735 static void
3736 do_close_plugins(struct context *c)
3737 {
3738  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3739  {
3740  plugin_list_close(c->plugins);
3741  c->plugins = NULL;
3742  c->plugins_owned = false;
3743  }
3744 }
3745 
3746 static void
3747 do_inherit_plugins(struct context *c, const struct context *src)
3748 {
3749  if (!c->plugins && src->plugins)
3750  {
3751  c->plugins = plugin_list_inherit(src->plugins);
3752  c->plugins_owned = true;
3753  }
3754 }
3755 
3756 #endif /* ifdef ENABLE_PLUGIN */
3757 
3758 #ifdef ENABLE_MANAGEMENT
3759 
3760 static void
3761 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3762 {
3763  struct context *c = (struct context *) arg;
3764  print_status(c, so);
3765 }
3766 
3767 void
3768 management_show_net_callback(void *arg, const int msglevel)
3769 {
3770 #ifdef _WIN32
3771  show_routes(msglevel);
3772  show_adapters(msglevel);
3773  msg(msglevel, "END");
3774 #else
3775  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3776 #endif
3777 }
3778 
3779 #ifdef TARGET_ANDROID
3780 int
3781 management_callback_network_change(void *arg, bool samenetwork)
3782 {
3783  /* Check if the client should translate the network change to a SIGUSR1 to
3784  * reestablish the connection or just reprotect the socket
3785  *
3786  * At the moment just assume that, for all settings that use pull (not
3787  * --static) and are not using peer-id reestablishing the connection is
3788  * required (unless the network is the same)
3789  *
3790  * The function returns -1 on invalid fd and -2 if the socket cannot be
3791  * reused. On the -2 return value the man_network_change function triggers
3792  * a SIGUSR1 to force a reconnect.
3793  */
3794 
3795  int socketfd = -1;
3796  struct context *c = (struct context *) arg;
3797  if (!c->c2.link_socket)
3798  {
3799  return -1;
3800  }
3801  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3802  {
3803  return -1;
3804  }
3805 
3806  socketfd = c->c2.link_socket->sd;
3807  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3808  {
3809  return socketfd;
3810  }
3811  else
3812  {
3813  return -2;
3814  }
3815 }
3816 #endif /* ifdef TARGET_ANDROID */
3817 
3818 #endif /* ifdef ENABLE_MANAGEMENT */
3819 
3820 void
3821 init_management_callback_p2p(struct context *c)
3822 {
3823 #ifdef ENABLE_MANAGEMENT
3824  if (management)
3825  {
3826  struct management_callback cb;
3827  CLEAR(cb);
3828  cb.arg = c;
3829  cb.status = management_callback_status_p2p;
3830  cb.show_net = management_show_net_callback;
3831  cb.proxy_cmd = management_callback_proxy_cmd;
3832  cb.remote_cmd = management_callback_remote_cmd;
3833 #ifdef TARGET_ANDROID
3834  cb.network_change = management_callback_network_change;
3835 #endif
3836  management_set_callback(management, &cb);
3837  }
3838 #endif
3839 }
3840 
3841 #ifdef ENABLE_MANAGEMENT
3842 
3843 void
3844 init_management(struct context *c)
3845 {
3846  if (!management)
3847  {
3848  management = management_init();
3849  }
3850 }
3851 
3852 bool
3853 open_management(struct context *c)
3854 {
3855  /* initialize management layer */
3856  if (management)
3857  {
3858  if (c->options.management_addr)
3859  {
3860  unsigned int flags = c->options.management_flags;
3861  if (c->options.mode == MODE_SERVER)
3862  {
3863  flags |= MF_SERVER;
3864  }
3865  if (management_open(management,
3866  c->options.management_addr,
3867  c->options.management_port,
3868  c->options.management_user_pass,
3869  c->options.management_client_user,
3870  c->options.management_client_group,
3871  c->options.management_log_history_cache,
3872  c->options.management_echo_buffer_size,
3873  c->options.management_state_buffer_size,
3874  c->options.management_write_peer_info_file,
3875  c->options.remap_sigusr1,
3876  flags))
3877  {
3878  management_set_state(management,
3879  OPENVPN_STATE_CONNECTING,
3880  NULL,
3881  NULL,
3882  NULL,
3883  NULL,
3884  NULL);
3885  }
3886 
3887  /* initial management hold, called early, before first context initialization */
3888  do_hold(0);
3889  if (IS_SIG(c))
3890  {
3891  msg(M_WARN, "Signal received from management interface, exiting");
3892  return false;
3893  }
3894  }
3895  else
3896  {
3897  close_management();
3898  }
3899  }
3900  return true;
3901 }
3902 
3903 void
3904 close_management(void)
3905 {
3906  if (management)
3907  {
3908  management_close(management);
3909  management = NULL;
3910  }
3911 }
3912 
3913 #endif /* ifdef ENABLE_MANAGEMENT */
3914 
3915 
3916 void
3917 uninit_management_callback(void)
3918 {
3919 #ifdef ENABLE_MANAGEMENT
3920  if (management)
3921  {
3922  management_clear_callback(management);
3923  }
3924 #endif
3925 }
3926 
3927 /*
3928  * Initialize a tunnel instance, handle pre and post-init
3929  * signal settings.
3930  */
3931 void
3932 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3933 {
3934  pre_init_signal_catch();
3935  init_instance(c, env, flags);
3936  post_init_signal_catch();
3937 
3938  /*
3939  * This is done so that signals thrown during
3940  * initialization can bring us back to
3941  * a management hold.
3942  */
3943  if (IS_SIG(c))
3944  {
3945  remap_signal(c);
3946  uninit_management_callback();
3947  }
3948 }
3949 
3950 /*
3951  * Initialize a tunnel instance.
3952  */
3953 void
3954 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
3955 {
3956  const struct options *options = &c->options;
3957  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
3958  int link_socket_mode = LS_MODE_DEFAULT;
3959 
3960  /* init garbage collection level */
3961  gc_init(&c->c2.gc);
3962 
3963  /* inherit environmental variables */
3964  if (env)
3965  {
3966  do_inherit_env(c, env);
3967  }
3968 
3969  /* signals caught here will abort */
3970  c->sig->signal_received = 0;
3971  c->sig->signal_text = NULL;
3972  c->sig->source = SIG_SOURCE_SOFT;
3973 
3974  if (c->mode == CM_P2P)
3975  {
3976  init_management_callback_p2p(c);
3977  }
3978 
3979  /* possible sleep or management hold if restart */
3980  if (c->mode == CM_P2P || c->mode == CM_TOP)
3981  {
3982  do_startup_pause(c);
3983  if (IS_SIG(c))
3984  {
3985  goto sig;
3986  }
3987  }
3988 
3989  if (c->options.resolve_in_advance)
3990  {
3991  do_preresolve(c);
3992  if (IS_SIG(c))
3993  {
3994  goto sig;
3995  }
3996  }
3997 
3998  /* map in current connection entry */
3999  next_connection_entry(c);
4000 
4001  /* link_socket_mode allows CM_CHILD_TCP
4002  * instances to inherit acceptable fds
4003  * from a top-level parent */
4004  if (c->options.ce.proto == PROTO_TCP_SERVER)
4005  {
4006  if (c->mode == CM_TOP)
4007  {
4008  link_socket_mode = LS_MODE_TCP_LISTEN;
4009  }
4010  else if (c->mode == CM_CHILD_TCP)
4011  {
4012  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4013  }
4014  }
4015 
4016  /* should we disable paging? */
4017  if (c->first_time && options->mlock)
4018  {
4019  platform_mlockall(true);
4020  }
4021 
4022 #if P2MP
4023  /* get passwords if undefined */
4024  if (auth_retry_get() == AR_INTERACT)
4025  {
4026  init_query_passwords(c);
4027  }
4028 #endif
4029 
4030  /* initialize context level 2 --verb/--mute parms */
4031  init_verb_mute(c, IVM_LEVEL_2);
4032 
4033  /* set error message delay for non-server modes */
4034  if (c->mode == CM_P2P)
4035  {
4036  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4037  }
4038 
4039  /* warn about inconsistent options */
4040  if (c->mode == CM_P2P || c->mode == CM_TOP)
4041  {
4042  do_option_warnings(c);
4043  }
4044 
4045 #ifdef ENABLE_PLUGIN
4046  /* initialize plugins */
4047  if (c->mode == CM_P2P || c->mode == CM_TOP)
4048  {
4049  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4050  }
4051 #endif
4052 
4053  /* should we enable fast I/O? */
4054  if (c->mode == CM_P2P || c->mode == CM_TOP)
4055  {
4056  do_setup_fast_io(c);
4057  }
4058 
4059  /* should we throw a signal on TLS errors? */
4060  do_signal_on_tls_errors(c);
4061 
4062  /* open --status file */
4063  if (c->mode == CM_P2P || c->mode == CM_TOP)
4064  {
4065  do_open_status_output(c);
4066  }
4067 
4068  /* open --ifconfig-pool-persist file */
4069  if (c->mode == CM_TOP)
4070  {
4071  do_open_ifconfig_pool_persist(c);
4072  }
4073 
4074 #ifdef ENABLE_OCC
4075  /* reset OCC state */
4076  if (c->mode == CM_P2P || child)
4077  {
4078  c->c2.occ_op = occ_reset_op();
4079  }
4080 #endif
4081 
4082  /* our wait-for-i/o objects, different for posix vs. win32 */
4083  if (c->mode == CM_P2P)
4084  {
4085  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4086  }
4087  else if (c->mode == CM_CHILD_TCP)
4088  {
4089  do_event_set_init(c, false);
4090  }
4091 
4092  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4093  init_proxy(c);
4094 
4095  /* allocate our socket object */
4096  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4097  {
4098  do_link_socket_new(c);
4099  }
4100 
4101 #ifdef ENABLE_FRAGMENT
4102  /* initialize internal fragmentation object */
4103  if (options->ce.fragment && (c->mode == CM_P2P || child))
4104  {
4105  c->c2.fragment = fragment_init(&c->c2.frame);
4106  }
4107 #endif
4108 
4109  /* init crypto layer */
4110  {
4111  unsigned int crypto_flags = 0;
4112  if (c->mode == CM_TOP)
4113  {
4114  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4115  }
4116  else if (c->mode == CM_P2P)
4117  {
4118  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4119  }
4120  else if (child)
4121  {
4122  crypto_flags = CF_INIT_TLS_MULTI;
4123  }
4124  do_init_crypto(c, crypto_flags);
4125  if (IS_SIG(c) && !child)
4126  {
4127  goto sig;
4128  }
4129  }
4130 
4131 #ifdef USE_COMP
4132  /* initialize compression library. */
4133  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4134  {
4135  c->c2.comp_context = comp_init(&options->comp);
4136  }
4137 #endif
4138 
4139  /* initialize MTU variables */
4140  do_init_frame(c);
4141 
4142  /* initialize TLS MTU variables */
4143  do_init_frame_tls(c);
4144 
4145  /* init workspace buffers whose size is derived from frame size */
4146  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4147  {
4148  do_init_buffers(c);
4149  }
4150 
4151 #ifdef ENABLE_FRAGMENT
4152  /* initialize internal fragmentation capability with known frame size */
4153  if (options->ce.fragment && (c->mode == CM_P2P || child))
4154  {
4155  do_init_fragment(c);
4156  }
4157 #endif
4158 
4159  /* initialize dynamic MTU variable */
4160  frame_init_mssfix(&c->c2.frame, &c->options);
4161 
4162  /* bind the TCP/UDP socket */
4163  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4164  {
4165  do_init_socket_1(c, link_socket_mode);
4166  }
4167 
4168  /* initialize tun/tap device object,
4169  * open tun/tap device, ifconfig, run up script, etc. */
4170  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4171  {
4172  c->c2.did_open_tun = do_open_tun(c);
4173  }
4174 
4175  c->c2.frame_initial = c->c2.frame;
4176 
4177  /* print MTU info */
4178  do_print_data_channel_mtu_parms(c);
4179 
4180 #ifdef ENABLE_OCC
4181  /* get local and remote options compatibility strings */
4182  if (c->mode == CM_P2P || child)
4183  {
4184  do_compute_occ_strings(c);
4185  }
4186 #endif
4187 
4188  /* initialize output speed limiter */
4189  if (c->mode == CM_P2P)
4190  {
4191  do_init_traffic_shaper(c);
4192  }
4193 
4194  /* do one-time inits, and possibily become a daemon here */
4195  do_init_first_time(c);
4196 
4197 #ifdef ENABLE_PLUGIN
4198  /* initialize plugins */
4199  if (c->mode == CM_P2P || c->mode == CM_TOP)
4200  {
4201  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4202  }
4203 #endif
4204 
4205  /* initialise connect timeout timer */
4206  do_init_server_poll_timeout(c);
4207 
4208  /* finalize the TCP/UDP socket */
4209  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4210  {
4211  do_init_socket_2(c);
4212  }
4213 
4214  /*
4215  * Actually do UID/GID downgrade, and chroot, if requested.
4216  * May be delayed by --client, --pull, or --up-delay.
4217  */
4218  do_uid_gid_chroot(c, c->c2.did_open_tun);
4219 
4220  /* initialize timers */
4221  if (c->mode == CM_P2P || child)
4222  {
4223  do_init_timers(c, false);
4224  }
4225 
4226 #ifdef ENABLE_PLUGIN
4227  /* initialize plugins */
4228  if (c->mode == CM_P2P || c->mode == CM_TOP)
4229  {
4230  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4231  }
4232 #endif
4233 
4234 #if PORT_SHARE
4235  /* share OpenVPN port with foreign (such as HTTPS) server */
4236  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4237  {
4238  init_port_share(c);
4239  }
4240 #endif
4241 
4242 #ifdef ENABLE_PF
4243  if (child)
4244  {
4245  pf_init_context(c);
4246  }
4247 #endif
4248 
4249  /* Check for signals */
4250  if (IS_SIG(c))
4251  {
4252  goto sig;
4253  }
4254 
4255  return;
4256 
4257 sig:
4258  if (!c->sig->signal_text)
4259  {
4260  c->sig->signal_text = "init_instance";
4261  }
4262  close_context(c, -1, flags);
4263  return;
4264 }
4265 
4266 /*
4267  * Close a tunnel instance.
4268  */
4269 void
4270 close_instance(struct context *c)
4271 {
4272  /* close event objects */
4273  do_close_event_set(c);
4274 
4275  if (c->mode == CM_P2P
4276  || c->mode == CM_CHILD_TCP
4277  || c->mode == CM_CHILD_UDP
4278  || c->mode == CM_TOP)
4279  {
4280  /* if xinetd/inetd mode, don't allow restart */
4281  do_close_check_if_restart_permitted(c);
4282 
4283 #ifdef USE_COMP
4284  if (c->c2.comp_context)
4285  {
4286  comp_uninit(c->c2.comp_context);
4287  c->c2.comp_context = NULL;
4288  }
4289 #endif
4290 
4291  /* free buffers */
4292  do_close_free_buf(c);
4293 
4294  /* close TLS */
4295  do_close_tls(c);
4296 
4297  /* free key schedules */
4298  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4299 
4300  /* close TCP/UDP connection */
4301  do_close_link_socket(c);
4302 
4303  /* close TUN/TAP device */
4304  do_close_tun(c, false);
4305 
4306 #ifdef MANAGEMENT_DEF_AUTH
4307  if (management)
4308  {
4309  management_notify_client_close(management, &c->c2.mda_context, NULL);
4310  }
4311 #endif
4312 
4313 #ifdef ENABLE_PF
4314  pf_destroy_context(&c->c2.pf);
4315 #endif
4316 
4317 #ifdef ENABLE_PLUGIN
4318  /* call plugin close functions and unload */
4319  do_close_plugins(c);
4320 #endif
4321 
4322  /* close packet-id persistance file */
4323  do_close_packet_id(c);
4324 
4325  /* close --status file */
4326  do_close_status_output(c);
4327 
4328 #ifdef ENABLE_FRAGMENT
4329  /* close fragmentation handler */
4330  do_close_fragment(c);
4331 #endif
4332 
4333  /* close --ifconfig-pool-persist obj */
4334  do_close_ifconfig_pool_persist(c);
4335 
4336  /* free up environmental variable store */
4337  do_env_set_destroy(c);
4338 
4339  /* close HTTP or SOCKS proxy */
4340  uninit_proxy(c);
4341 
4342  /* garbage collect */
4343  gc_free(&c->c2.gc);
4344  }
4345 }
4346 
4347 void
4348 inherit_context_child(struct context *dest,
4349  const struct context *src)
4350 {
4351  CLEAR(*dest);
4352 
4353  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4354  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4355 
4356  dest->gc = gc_new();
4357 
4358  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4359 
4360  /* c1 init */
4361  packet_id_persist_init(&dest->c1.pid_persist);
4362 
4363  dest->c1.ks.key_type = src->c1.ks.key_type;
4364  /* inherit SSL context */
4365  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4366  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4367  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4368  /* inherit pre-NCP ciphers */
4369  dest->c1.ciphername = src->c1.ciphername;
4370  dest->c1.authname = src->c1.authname;
4371  dest->c1.keysize = src->c1.keysize;
4372 
4373  /* options */
4374  dest->options = src->options;
4375  options_detach(&dest->options);
4376 
4377  if (dest->mode == CM_CHILD_TCP)
4378  {
4379  /*
4380  * The CM_TOP context does the socket listen(),
4381  * and the CM_CHILD_TCP context does the accept().
4382  */
4383  dest->c2.accept_from = src->c2.link_socket;
4384  }
4385 
4386 #ifdef ENABLE_PLUGIN
4387  /* inherit plugins */
4388  do_inherit_plugins(dest, src);
4389 #endif
4390 
4391  /* context init */
4392  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4393  if (IS_SIG(dest))
4394  {
4395  return;
4396  }
4397 
4398  /* inherit tun/tap interface object */
4399  dest->c1.tuntap = src->c1.tuntap;
4400 
4401  /* UDP inherits some extra things which TCP does not */
4402  if (dest->mode == CM_CHILD_UDP)
4403  {
4404  /* inherit buffers */
4405  dest->c2.buffers = src->c2.buffers;
4406 
4407  /* inherit parent link_socket and tuntap */
4408  dest->c2.link_socket = src->c2.link_socket;
4409 
4410  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4411  *dest->c2.link_socket_info = src->c2.link_socket->info;
4412 
4413  /* locally override some link_socket_info fields */
4414  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4415  dest->c2.link_socket_info->connection_established = false;
4416  }
4417 }
4418 
4419 void
4420 inherit_context_top(struct context *dest,
4421  const struct context *src)
4422 {
4423  /* copy parent */
4424  *dest = *src;
4425 
4426  /*
4427  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4428  * resources owned by the parent.
4429  *
4430  * Also note that CM_TOP_CLONE context objects are
4431  * closed by multi_top_free in multi.c.
4432  */
4433  dest->mode = CM_TOP_CLONE;
4434 
4435  dest->first_time = false;
4436  dest->c0 = NULL;
4437 
4438  options_detach(&dest->options);
4439  gc_detach(&dest->gc);
4440  gc_detach(&dest->c2.gc);
4441 
4442  /* detach plugins */
4443  dest->plugins_owned = false;
4444 
4445  dest->c2.tls_multi = NULL;
4446 
4447  /* detach c1 ownership */
4448  dest->c1.tuntap_owned = false;
4449  dest->c1.status_output_owned = false;
4450 #if P2MP_SERVER
4451  dest->c1.ifconfig_pool_persist_owned = false;
4452 #endif
4453 
4454  /* detach c2 ownership */
4455  dest->c2.event_set_owned = false;
4456  dest->c2.link_socket_owned = false;
4457  dest->c2.buffers_owned = false;
4458  dest->c2.es_owned = false;
4459 
4460  dest->c2.event_set = NULL;
4461  if (proto_is_dgram(src->options.ce.proto))
4462  {
4463  do_event_set_init(dest, false);
4464  }
4465 
4466 #ifdef USE_COMP
4467  dest->c2.comp_context = NULL;
4468 #endif
4469 }
4470 
4471 void
4472 close_context(struct context *c, int sig, unsigned int flags)
4473 {
4474  ASSERT(c);
4475  ASSERT(c->sig);
4476 
4477  if (sig >= 0)
4478  {
4479  c->sig->signal_received = sig;
4480  }
4481 
4482  if (c->sig->signal_received == SIGUSR1)
4483  {
4484  if ((flags & CC_USR1_TO_HUP)
4485  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4486  {
4487  c->sig->signal_received = SIGHUP;
4488  c->sig->signal_text = "close_context usr1 to hup";
4489  }
4490  }
4491 
4492  if (!(flags & CC_NO_CLOSE))
4493  {
4494  close_instance(c);
4495  }
4496 
4497  if (flags & CC_GC_FREE)
4498  {
4499  context_gc_free(c);
4500  }
4501 }
4502 
4503 /*
4504  * Do a loopback test
4505  * on the crypto subsystem.
4506  */
4507 static void *
4508 test_crypto_thread(void *arg)
4509 {
4510  struct context *c = (struct context *) arg;
4511  const struct options *options = &c->options;
4512 
4513  ASSERT(options->test_crypto);
4514  init_verb_mute(c, IVM_LEVEL_1);
4515  context_init_1(c);
4516  next_connection_entry(c);
4517  do_init_crypto_static(c, 0);
4518 
4519  frame_finalize_options(c, options);
4520 
4521  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4522 
4523  key_schedule_free(&c->c1.ks, true);
4524  packet_id_free(&c->c2.crypto_options.packet_id);
4525 
4526  context_gc_free(c);
4527  return NULL;
4528 }
4529 
4530 bool
4531 do_test_crypto(const struct options *o)
4532 {
4533  if (o->test_crypto)
4534  {
4535  struct context c;
4536 
4537  /* print version number */
4538  msg(M_INFO, "%s", title_string);
4539 
4540  context_clear(&c);
4541  c.options = *o;
4542  options_detach(&c.options);
4543  c.first_time = true;
4544  test_crypto_thread((void *) &c);
4545  return true;
4546  }
4547  return false;
4548 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:281
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:296
context_2::es
struct env_set * es
Definition: openvpn.h:425
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:172
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:187
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2422
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:316
management_close
void management_close(struct management *man)
Definition: manage.c:2658
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:412
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:241
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:270
options::sndbuf
int sndbuf
Definition: options.h:329
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:292
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:129
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:347
context_2::log_rw
bool log_rw
Definition: openvpn.h:385
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:394
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:456
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:266
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:311
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:388
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:651
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:107
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:247
tuntap
Definition: tun.h:131
options::ncp_enabled
bool ncp_enabled
Definition: options.h:482
options::management_flags
unsigned int management_flags
Definition: options.h:371
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1867
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2451
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:436
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:109
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:278
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:523
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1416
options::block_outside_dns
bool block_outside_dns
Definition: options.h:597
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:297
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1317
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:500
platform_nice
void platform_nice(int niceval)
Definition: platform.c:155
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:963
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:389
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:490
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1088
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5251
options::show_curves
bool show_curves
Definition: options.h:203
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:594
options::cipher_list
const char * cipher_list
Definition: options.h:509
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:500
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1725
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1360
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:663
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:958
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2019
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1701
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:160
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:392
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:315
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:510
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:362
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:349
streq
#define streq(x, y)
Definition: options.h:616
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:411
options::chroot_dir
const char * chroot_dir
Definition: options.h:286
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:706
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3747
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3539
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2553
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:398
S_FATAL
#define S_FATAL
Definition: run_command.h:42
options::dev
const char * dev
Definition: options.h:225
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:162
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:266
tls_options::mode
int mode
Definition: ssl_common.h:263
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2029
options::auth_token_generate
bool auth_token_generate
Definition: options.h:454
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:303
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1301
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4196
tun_abort
void tun_abort(void)
Definition: init.c:1999
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:498
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:567
frame
Packet geometry parameters.
Definition: mtu.h:93
SIZE
#define SIZE(x)
Definition: basic.h:30
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3626
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2510
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:708
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:319
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:521
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:178
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1176
srandom
#define srandom
Definition: syshead.h:44
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3054
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:68
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:999
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1736
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:238
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:645
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4472
script_security
int script_security(void)
Definition: run_command.c:44
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3275
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:68
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:309
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:478
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:81
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5498
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:171
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:601
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3821
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:337
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Definition: buffer.c:1176
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:291
close_instance
void close_instance(struct context *c)
Definition: init.c:4270
ASSERT
#define ASSERT(x)
Definition: error.h:221
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:556
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:318
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:286
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1344
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:624
options::persist_key
bool persist_key
Definition: options.h:271
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
options::replay_window
int replay_window
Definition: options.h:491
options::persist_mode
int persist_mode
Definition: options.h:196
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:312
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3674
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:372
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:276
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1448
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Definition: buffer.c:1186
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:295
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1167
options::rcvbuf
int rcvbuf
Definition: options.h:328
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:521
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:252
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:426
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:267
options::connection_list
struct connection_list * connection_list
Definition: options.h:209
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:291
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Definition: buffer.c:1322
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:169
options::exit_event_name
const char * exit_event_name
Definition: options.h:593
AR_NONE
#define AR_NONE
Definition: options.h:802
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:253
options::route_noexec
bool route_noexec
Definition: options.h:342
options::sockflags
unsigned int sockflags
Definition: options.h:335
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2379
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:153
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3395
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
M_FATAL
#define M_FATAL
Definition: error.h:94
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:507
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:243
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:17
occ_reset_op
static int occ_reset_op(void)
Definition: occ-inline.h:34
options::route_script
const char * route_script
Definition: options.h:338
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:364
do_route
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1585
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:509
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:277
CLEAR
#define CLEAR(x)
Definition: basic.h:33
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:152
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:162
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:186
in_addr_t
#define in_addr_t
Definition: config-msvc.h:103
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:795
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:2903
options::config
const char * config
Definition: options.h:182
options::route_delay
int route_delay
Definition: options.h:343
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc)
Definition: options.c:3570
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:523
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:293
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:339
tls_options::gremlin
int gremlin
Definition: ssl_common.h:353
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3699
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:356
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:851
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:260
options::down_pre
bool down_pre
Definition: options.h:295
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:254
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:646
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
SIGTERM
#define SIGTERM
Definition: config-msvc.h:117
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:313
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1342
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:559
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
options::push_peer_info
bool push_peer_info
Definition: options.h:582
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:626
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:113
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:165
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:557
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3728
PING_RESTART
#define PING_RESTART
Definition: options.h:265
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2853
options::handshake_window
int handshake_window
Definition: options.h:561
init_management
void init_management(struct context *c)
Definition: init.c:3844
route_ipv6_list
Definition: route.h:214
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3736
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:128
tls_options
Definition: ssl_common.h:235
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:297
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:224
basename
char * basename(char *filename)
Definition: compat-basename.c:39
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:292
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:157
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:221
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:569
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:90
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:318
options::verify_x509_type
int verify_x509_type
Definition: options.h:513
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:215
close_management
void close_management(void)
Definition: init.c:3904
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:166
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:298
options::prng_hash
const char * prng_hash
Definition: options.h:486
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:260
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:235
options::fast_io
bool fast_io
Definition: options.h:321
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const int increment)
Definition: mtu.h:274
options::key_direction
int key_direction
Definition: options.h:480
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:269
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:190
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:144
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:58
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:78
init_static
bool init_static(void)
Definition: init.c:702
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:192
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:186
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:555
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:296
options::route_delay_defined
bool route_delay_defined
Definition: options.h:345
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:510
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:584
MF_SERVER
#define MF_SERVER
Definition: manage.h:336
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:991
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1005
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1058
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:793
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:654
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:285
options::route_nopull
bool route_nopull
Definition: options.h:348
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3505
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1136
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:515
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:340
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3932
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:300
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:135
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:514
options::remote_random
bool remote_random
Definition: options.h:223
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:203
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:536
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:239
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:163
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:981
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:533
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1720
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1294
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:453
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:148
options::tls_verify
const char * tls_verify
Definition: options.h:512
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1417
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:96
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:300
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:358
open_management
bool open_management(struct context *c)
Definition: init.c:3853
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:194
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:107
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:600
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4348
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:644
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:265
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3761
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:663
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3554
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2804
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2601
FRAME_HEADROOM_MARKER_FRAGMENT
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:130
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:619
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:268
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3598
do_close_check_if_restart_permitted
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3364
tls_options::config_authname
const char * config_authname
Definition: ssl_common.h:299
connection_list::len
int len
Definition: options.h:156
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:107
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:514
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:465
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3168
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
do_genkey
bool do_genkey(const struct options *options)
Definition: init.c:1029
tuntap::local
in_addr_t local
Definition: tun.h:152
management_callback::arg
void * arg
Definition: manage.h:156
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:271
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:103
options::ns_cert_type
int ns_cert_type
Definition: options.h:526
options::management_write_peer_info_file
const char * management_write_peer_info_file
Definition: options.h:365
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition: socket.h:197
md_kt_size
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:376
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:130
connection_entry::proto
int proto
Definition: options.h:88
options::verbosity
int verbosity
Definition: options.h:309
options::show_net_up
bool show_net_up
Definition: options.h:595
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: ssl_common.h:310
options::show_engines
bool show_engines
Definition: options.h:201
show_available_engines
void show_available_engines(void)
Definition: crypto_openssl.c:367
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition: crypto_openssl.c:482
np
static const char * np(const char *str)
Definition: simple.c:108
tls_options::crl_file_inline
const char * crl_file_inline
Definition: ssl_common.h:279
options::mode
int mode
Definition: options.h:187
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:183
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:202
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:424
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:991
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:368
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:770
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4819
tls_options::single_session
bool single_session
Definition: ssl_common.h:259
options::occ
bool occ
Definition: options.h:355
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:281
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:292
now
time_t now
Definition: otime.c:36
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:233
link_socket_addr
Definition: socket.h:103
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:511
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3954
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:105
uninit_proxy
static void uninit_proxy(struct context *c)
Definition: init.c:610
options::tls_client
bool tls_client
Definition: options.h:501
options::authname
const char * authname
Definition: options.h:484
do_init_crypto_none
static void do_init_crypto_none(const struct context *c)
Definition: init.c:2875
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:107
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:310
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:170
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2840
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:730
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1026
key_state::crypto_options
struct crypto_options crypto_options
Definition: ssl_common.h:181
options::connect_retry_max
int connect_retry_max
Definition: options.h:207
options::show_digests
bool show_digests
Definition: options.h:200
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition: openvpn.h:137
options::genkey
bool genkey
Definition: options.h:204
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition: init.c:2886
init_win32
void init_win32(void)
Definition: win32.c:105
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1253
prng_bytes
void prng_bytes(uint8_t *output, int len)
Definition: crypto.c:1729
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4058
options::topology
int topology
Definition: options.h:229
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:632
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2852
do_init_fragment
static void do_init_fragment(struct context *c)
Definition: init.c:3205
do_init_buffers
static void do_init_buffers(struct context *c)
Definition: init.c:3193
free_ssl_lib
void free_ssl_lib(void)
Definition: ssl.c:356
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:645
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:631
buffer_list_advance
void buffer_list_advance(struct buffer_list *ol, int n)
Definition: buffer.c:1345
test_crypto_thread
static void * test_crypto_thread(void *arg)
Definition: init.c:4508
connection_entry::mssfix
int mssfix
Definition: options.h:118
sleep
#define sleep(x)
Definition: syshead.h:42
connection_entry::tls_crypt_inline
const char * tls_crypt_inline
Definition: options.h:141
context_2::frame
struct frame frame
Definition: openvpn.h:259
do_persist_tuntap
bool do_persist_tuntap(const struct options *options)
Definition: init.c:1061
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
tls_options::transition_window
int transition_window
Definition: