OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 
62 /*
63  * Crypto initialization flags
64  */
65 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
66 #define CF_INIT_TLS_MULTI (1<<1)
67 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
68 
69 static void do_init_first_time(struct context *c);
70 
71 void
73 {
74  CLEAR(*c);
75 }
76 
77 void
79 {
80  CLEAR(c->c1);
81 }
82 
83 void
85 {
86  CLEAR(c->c2);
87 }
88 
89 void
91 {
92  const bool first_time_save = c->first_time;
93  const struct context_persist cpsave = c->persist;
94  context_clear(c);
95  c->first_time = first_time_save;
96  c->persist = cpsave;
97 }
98 
99 /*
100  * Pass tunnel endpoint and MTU parms to a user-supplied script.
101  * Used to execute the up/down script/plugins.
102  */
103 static void
104 run_up_down(const char *command,
105  const struct plugin_list *plugins,
106  int plugin_type,
107  const char *arg,
108 #ifdef _WIN32
109  DWORD adapter_index,
110 #endif
111  const char *dev_type,
112  int tun_mtu,
113  int link_mtu,
114  const char *ifconfig_local,
115  const char *ifconfig_remote,
116  const char *context,
117  const char *signal_text,
118  const char *script_type,
119  struct env_set *es)
120 {
121  struct gc_arena gc = gc_new();
122 
123  if (signal_text)
124  {
125  setenv_str(es, "signal", signal_text);
126  }
127  setenv_str(es, "script_context", context);
128  setenv_int(es, "tun_mtu", tun_mtu);
129  setenv_int(es, "link_mtu", link_mtu);
130  setenv_str(es, "dev", arg);
131  if (dev_type)
132  {
133  setenv_str(es, "dev_type", dev_type);
134  }
135 #ifdef _WIN32
136  setenv_int(es, "dev_idx", adapter_index);
137 #endif
138 
139  if (!ifconfig_local)
140  {
141  ifconfig_local = "";
142  }
143  if (!ifconfig_remote)
144  {
145  ifconfig_remote = "";
146  }
147  if (!context)
148  {
149  context = "";
150  }
151 
152  if (plugin_defined(plugins, plugin_type))
153  {
154  struct argv argv = argv_new();
155  ASSERT(arg);
156  argv_printf(&argv,
157  "%s %d %d %s %s %s",
158  arg,
159  tun_mtu, link_mtu,
160  ifconfig_local, ifconfig_remote,
161  context);
162 
163  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
164  {
165  msg(M_FATAL, "ERROR: up/down plugin call failed");
166  }
167 
168  argv_free(&argv);
169  }
170 
171  if (command)
172  {
173  struct argv argv = argv_new();
174  ASSERT(arg);
175  setenv_str(es, "script_type", script_type);
176  argv_parse_cmd(&argv, command);
177  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
178  ifconfig_local, ifconfig_remote, context);
179  argv_msg(M_INFO, &argv);
180  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
181  argv_free(&argv);
182  }
183 
184  gc_free(&gc);
185 }
186 
187 /*
188  * Should be called after options->ce is modified at the top
189  * of a SIGUSR1 restart.
190  */
191 static void
193 {
194 #if P2MP
195  /*
196  * In pull mode, we usually import --ping/--ping-restart parameters from
197  * the server. However we should also set an initial default --ping-restart
198  * for the period of time before we pull the --ping-restart parameter
199  * from the server.
200  */
201  if (options->pull
202  && options->ping_rec_timeout_action == PING_UNDEF
203  && proto_is_dgram(options->ce.proto))
204  {
207  }
208 #endif
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
294 
295 static bool
296 management_callback_remote_cmd(void *arg, const char **p)
297 {
298  struct context *c = (struct context *) arg;
299  struct connection_entry *ce = &c->options.ce;
300  int ret = false;
302  {
303  int flags = 0;
304  if (!strcmp(p[1], "ACCEPT"))
305  {
307  ret = true;
308  }
309  else if (!strcmp(p[1], "SKIP"))
310  {
311  flags = CE_MAN_QUERY_REMOTE_SKIP;
312  ret = true;
313  }
314  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
315  {
316  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
317  {
318  struct remote_host_store *rhs = c->options.rh_store;
319  if (!rhs)
320  {
322  c->options.rh_store = rhs;
323  }
324  strncpynt(rhs->host, p[2], RH_HOST_LEN);
325  strncpynt(rhs->port, p[3], RH_PORT_LEN);
326 
327  ce->remote = rhs->host;
328  ce->remote_port = rhs->port;
329  flags = CE_MAN_QUERY_REMOTE_MOD;
330  ret = true;
331  }
332  }
333  if (ret)
334  {
335  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
337  }
338  }
339  return ret;
340 }
341 
342 static bool
344 {
345  struct gc_arena gc = gc_new();
346  volatile struct connection_entry *ce = &c->options.ce;
347  int ce_changed = true; /* presume the connection entry will be changed */
348 
349  update_time();
350  if (management)
351  {
352  struct buffer out = alloc_buf_gc(256, &gc);
353 
354  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
355  proto2ascii(ce->proto, ce->af, false));
358 
361  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
363  {
365  if (IS_SIG(c))
366  {
367  ce_changed = false; /* connection entry have not been set */
368  break;
369  }
370  }
372  }
373  gc_free(&gc);
374 
375  if (ce_changed)
376  {
377  /* If it is likely a connection entry was modified,
378  * check what changed in the flags and that it was not skipped
379  */
380  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
382  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
383  }
384  return ce_changed;
385 }
386 #endif /* ENABLE_MANAGEMENT */
387 
388 /*
389  * Initialize and possibly randomize connection list.
390  */
391 static void
393 {
394  struct connection_list *l = c->options.connection_list;
395 
396  l->current = -1;
397  if (c->options.remote_random)
398  {
399  int i;
400  for (i = 0; i < l->len; ++i)
401  {
402  const int j = get_random() % l->len;
403  if (i != j)
404  {
405  struct connection_entry *tmp;
406  tmp = l->array[i];
407  l->array[i] = l->array[j];
408  l->array[j] = tmp;
409  }
410  }
411  }
412 }
413 
414 /*
415  * Clear the remote address list
416  */
417 static void
419 {
420  if (lsa->remote_list && free)
421  {
422  freeaddrinfo(lsa->remote_list);
423  }
424  lsa->remote_list = NULL;
425  lsa->current_remote = NULL;
426 }
427 
428 /*
429  * Increment to next connection entry
430  */
431 static void
433 {
434  struct connection_list *l = c->options.connection_list;
435  bool ce_defined;
436  struct connection_entry *ce;
437  int n_cycles = 0;
438 
439  do
440  {
441  ce_defined = true;
442  if (c->options.no_advance && l->current >= 0)
443  {
444  c->options.no_advance = false;
445  }
446  else
447  {
448  /* Check if there is another resolved address to try for
449  * the current connection */
451  && c->c1.link_socket_addr.current_remote->ai_next)
452  {
454  c->c1.link_socket_addr.current_remote->ai_next;
455  }
456  else
457  {
458  /* FIXME (schwabe) fix the persist-remote-ip option for real,
459  * this is broken probably ever since connection lists and multiple
460  * remote existed
461  */
462  if (!c->options.persist_remote_ip)
463  {
464  /* close_instance should have cleared the addrinfo objects */
467  }
468  else
469  {
472  }
473 
474  /*
475  * Increase the number of connection attempts
476  * If this is connect-retry-max * size(l)
477  * OpenVPN will quit
478  */
479 
481 
482  if (++l->current >= l->len)
483  {
484 
485  l->current = 0;
486  if (++n_cycles >= 2)
487  {
488  msg(M_FATAL, "No usable connection profiles are present");
489  }
490  }
491  }
492  }
493 
494  ce = l->array[l->current];
495 
496  if (ce->flags & CE_DISABLED)
497  {
498  ce_defined = false;
499  }
500 
501  c->options.ce = *ce;
502 #ifdef ENABLE_MANAGEMENT
504  {
505  /* allow management interface to override connection entry details */
506  ce_defined = ce_management_query_remote(c);
507  if (IS_SIG(c))
508  {
509  break;
510  }
511  }
512  else if (ce_defined && management && management_query_proxy_enabled(management))
513  {
514  ce_defined = ce_management_query_proxy(c);
515  if (IS_SIG(c))
516  {
517  break;
518  }
519  }
520 #endif
521  } while (!ce_defined);
522 
523  /* Check if this connection attempt would bring us over the limit */
524  if (c->options.connect_retry_max > 0
526  {
527  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
529  }
531 }
532 
533 /*
534  * Query for private key and auth-user-pass username/passwords
535  */
536 void
538 {
539  /* Certificate password input */
540  if (c->options.key_pass_file)
541  {
543  }
544 
545 #if P2MP
546  /* Auth user/pass input */
548  {
549 #ifdef ENABLE_MANAGEMENT
551 #else
553 #endif
554  }
555 #endif
556 }
557 
558 /*
559  * Initialize/Uninitialize HTTP or SOCKS proxy
560  */
561 
562 static void
564 {
565  if (c->c1.http_proxy_owned && c->c1.http_proxy)
566  {
568  c->c1.http_proxy = NULL;
569  c->c1.http_proxy_owned = false;
570  }
571  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
572  {
574  c->c1.socks_proxy = NULL;
575  c->c1.socks_proxy_owned = false;
576  }
577 }
578 
579 static void
581 {
582  bool did_http = false;
583 
585 
587  {
588  /* Possible HTTP proxy user/pass input */
590  if (c->c1.http_proxy)
591  {
592  did_http = true;
593  c->c1.http_proxy_owned = true;
594  }
595  }
596 
597  if (!did_http && c->options.ce.socks_proxy_server)
598  {
602  if (c->c1.socks_proxy)
603  {
604  c->c1.socks_proxy_owned = true;
605  }
606  }
607 }
608 
609 static void
610 init_proxy(struct context *c)
611 {
613 }
614 
615 static void
617 {
619 }
620 
621 /*
622  * Saves the initial state of NCP-regotiable
623  * options into a storage which persists over SIGUSR1.
624  */
625 static void
627 {
629  c->c1.authname = c->options.authname;
630  c->c1.keysize = c->options.keysize;
631 }
632 
633 /* Restores NCP-negotiable options to original values */
634 static void
636 {
638  c->options.authname = c->c1.authname;
639  c->options.keysize = c->c1.keysize;
640 }
641 
642 void
644 {
645  context_clear_1(c);
646 
648 
650 
651  save_ncp_options(c);
652 
653 #if defined(ENABLE_PKCS11)
654  if (c->first_time)
655  {
656  int i;
657  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
658  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
659  {
660  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
661  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
662  }
663  }
664 #endif
665 
666 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
667  {
668  /*
669  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
670  */
671  struct user_pass up;
672  CLEAR(up);
673  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
674  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
675  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
676  * 'needok' command, usually 'ok' or 'cancel'. */
677  }
678 #endif
679 
680 #ifdef ENABLE_SYSTEMD
681  /* We can report the PID via getpid() to systemd here as OpenVPN will not
682  * do any fork due to daemon() a future call.
683  * See possibly_become_daemon() [init.c] for more details.
684  */
685  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
686  (unsigned long) getpid());
687 #endif
688 
689 }
690 
691 void
693 {
694  gc_free(&c->c2.gc);
695  gc_free(&c->options.gc);
696  gc_free(&c->gc);
697 }
698 
699 #if PORT_SHARE
700 
701 static void
702 close_port_share(void)
703 {
704  if (port_share)
705  {
706  port_share_close(port_share);
707  port_share = NULL;
708  }
709 }
710 
711 static void
712 init_port_share(struct context *c)
713 {
714  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
715  {
716  port_share = port_share_open(c->options.port_share_host,
717  c->options.port_share_port,
719  c->options.port_share_journal_dir);
720  if (port_share == NULL)
721  {
722  msg(M_FATAL, "Fatal error: Port sharing failed");
723  }
724  }
725 }
726 
727 #endif /* if PORT_SHARE */
728 
729 
730 bool
732 {
733  /* configure_path (); */
734 
735 #if defined(DMALLOC)
736  crypto_init_dmalloc();
737 #endif
738 
739 
740  /*
741  * Initialize random number seed. random() is only used
742  * when "weak" random numbers are acceptable.
743  * SSL library routines are always used when cryptographically
744  * strong random numbers are required.
745  */
746  struct timeval tv;
747  if (!gettimeofday(&tv, NULL))
748  {
749  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
750  srandom(seed);
751  }
752 
753  error_reset(); /* initialize error.c */
754  reset_check_status(); /* initialize status check code in socket.c */
755 
756 #ifdef _WIN32
757  init_win32();
758 #endif
759 
760 #ifdef OPENVPN_DEBUG_COMMAND_LINE
761  {
762  int i;
763  for (i = 0; i < argc; ++i)
764  {
765  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
766  }
767  }
768 #endif
769 
770  update_time();
771 
772  init_ssl_lib();
773 
774  /* init PRNG used for IV generation */
775  /* When forking, copy this to more places in the code to avoid fork
776  * random-state predictability */
777  prng_init(NULL, 0);
778 
779 #ifdef PID_TEST
780  packet_id_interactive_test(); /* test the sequence number code */
781  return false;
782 #endif
783 
784 #ifdef SCHEDULE_TEST
785  schedule_test();
786  return false;
787 #endif
788 
789 #ifdef LIST_TEST
790  list_test();
791  return false;
792 #endif
793 
794 #ifdef IFCONFIG_POOL_TEST
795  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
796  return false;
797 #endif
798 
799 #ifdef CHARACTER_CLASS_DEBUG
800  character_class_debug();
801  return false;
802 #endif
803 
804 #ifdef EXTRACT_X509_FIELD_TEST
806  return false;
807 #endif
808 
809 #ifdef TIME_TEST
810  time_test();
811  return false;
812 #endif
813 
814 #ifdef TEST_GET_DEFAULT_GATEWAY
815  {
816  struct route_gateway_info rgi;
817  struct route_ipv6_gateway_info rgi6;
818  get_default_gateway(&rgi);
819  get_default_gateway_ipv6(&rgi6, NULL);
820  print_default_gateway(M_INFO, &rgi, &rgi6);
821  return false;
822  }
823 #endif
824 
825 #ifdef GEN_PATH_TEST
826  {
827  struct gc_arena gc = gc_new();
828  const char *fn = gen_path("foo",
829  "bar",
830  &gc);
831  printf("%s\n", fn);
832  gc_free(&gc);
833  }
834  return false;
835 #endif
836 
837 #ifdef STATUS_PRINTF_TEST
838  {
839  struct gc_arena gc = gc_new();
840  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
841  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
842  status_printf(so, "%s", "foo");
843  status_printf(so, "%s", "bar");
844  if (!status_close(so))
845  {
846  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
847  }
848  gc_free(&gc);
849  }
850  return false;
851 #endif
852 
853 #ifdef PRNG_TEST
854  {
855  struct gc_arena gc = gc_new();
856  uint8_t rndbuf[8];
857  int i;
858  prng_init("sha1", 16);
859  /*prng_init (NULL, 0);*/
860  const int factor = 1;
861  for (i = 0; i < factor * 8; ++i)
862  {
863 #if 1
864  prng_bytes(rndbuf, sizeof(rndbuf));
865 #else
866  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
867 #endif
868  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
869  }
870  gc_free(&gc);
871  prng_uninit();
872  return false;
873  }
874 #endif /* ifdef PRNG_TEST */
875 
876 #ifdef BUFFER_LIST_AGGREGATE_TEST
877  /* test buffer_list_aggregate function */
878  {
879  static const char *text[] = {
880  "It was a bright cold day in April, ",
881  "and the clocks were striking ",
882  "thirteen. ",
883  "Winston Smith, ",
884  "his chin nuzzled into his breast in an ",
885  "effort to escape the vile wind, ",
886  "slipped quickly through the glass doors ",
887  "of Victory Mansions, though not quickly ",
888  "enough to prevent a swirl of gritty dust from ",
889  "entering along with him."
890  };
891 
892  int iter, listcap;
893  for (listcap = 0; listcap < 12; ++listcap)
894  {
895  for (iter = 0; iter < 512; ++iter)
896  {
897  struct buffer_list *bl = buffer_list_new(listcap);
898  {
899  int i;
900  for (i = 0; i < SIZE(text); ++i)
901  {
902  buffer_list_push(bl, (unsigned char *)text[i]);
903  }
904  }
905  printf("[cap=%d i=%d] *************************\n", listcap, iter);
906  if (!(iter & 8))
907  {
908  buffer_list_aggregate(bl, iter/2);
909  }
910  if (!(iter & 16))
911  {
912  buffer_list_push(bl, (unsigned char *)"Even more text...");
913  }
914  buffer_list_aggregate(bl, iter);
915  if (!(iter & 1))
916  {
917  buffer_list_push(bl, (unsigned char *)"More text...");
918  }
919  {
920  struct buffer *buf;
921  while ((buf = buffer_list_peek(bl)))
922  {
923  int c;
924  printf("'");
925  while ((c = buf_read_u8(buf)) >= 0)
926  {
927  putchar(c);
928  }
929  printf("'\n");
930  buffer_list_advance(bl, 0);
931  }
932  }
933  buffer_list_free(bl);
934  }
935  }
936  return false;
937  }
938 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
939 
940 #ifdef MSTATS_TEST
941  {
942  int i;
943  mstats_open("/dev/shm/mstats.dat");
944  for (i = 0; i < 30; ++i)
945  {
946  mmap_stats->n_clients += 1;
947  mmap_stats->link_write_bytes += 8;
948  mmap_stats->link_read_bytes += 16;
949  sleep(1);
950  }
951  mstats_close();
952  return false;
953  }
954 #endif
955 
956  return true;
957 }
958 
959 void
961 {
962  free_ssl_lib();
963 
964 #ifdef ENABLE_PKCS11
965  pkcs11_terminate();
966 #endif
967 
968 #if PORT_SHARE
969  close_port_share();
970 #endif
971 
972 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
973  show_tls_performance_stats();
974 #endif
975 }
976 
977 void
978 init_verb_mute(struct context *c, unsigned int flags)
979 {
980  if (flags & IVM_LEVEL_1)
981  {
982  /* set verbosity and mute levels */
986  }
987 
988  /* special D_LOG_RW mode */
989  if (flags & IVM_LEVEL_2)
990  {
992  }
993 }
994 
995 /*
996  * Possibly set --dev based on --dev-node.
997  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
998  * set --dev to tun.
999  */
1000 void
1002 {
1003  if (!options->dev && options->dev_node)
1004  {
1005  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1006  options->dev = basename(dev_node);
1007  }
1008 }
1009 
1010 bool
1012 {
1013  /*
1014  * OpenSSL info print mode?
1015  */
1016  if (options->show_ciphers || options->show_digests || options->show_engines
1017  || options->show_tls_ciphers || options->show_curves)
1018  {
1019  if (options->show_ciphers)
1020  {
1022  }
1023  if (options->show_digests)
1024  {
1026  }
1027  if (options->show_engines)
1028  {
1030  }
1031  if (options->show_tls_ciphers)
1032  {
1034  options->cipher_list_tls13,
1035  options->tls_cert_profile);
1036  }
1037  if (options->show_curves)
1038  {
1040  }
1041  return true;
1042  }
1043  return false;
1044 }
1045 
1046 /*
1047  * Static pre-shared key generation mode?
1048  */
1049 bool
1050 do_genkey(const struct options *options)
1051 {
1052  /* should we disable paging? */
1053  if (options->mlock && (options->genkey))
1054  {
1055  platform_mlockall(true);
1056  }
1057 
1058  /*
1059  * We do not want user to use --genkey with --secret. In the transistion
1060  * phase we for secret.
1061  */
1062  if (options->genkey && options->genkey_type != GENKEY_SECRET
1063  && options->shared_secret_file)
1064  {
1065  msg(M_USAGE, "Using --genkey type with --secret filename is "
1066  "not supported. Use --genkey type filename instead.");
1067  }
1068  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1069  {
1070  int nbits_written;
1071  const char *genkey_filename = options->genkey_filename;
1072  if (options->shared_secret_file && options->genkey_filename)
1073  {
1074  msg(M_USAGE, "You must provide a filename to either --genkey "
1075  "or --secret, not both");
1076  }
1077 
1078  /*
1079  * Copy filename from shared_secret_file to genkey_filename to support
1080  * the old --genkey --secret foo.file syntax.
1081  */
1082  if (options->shared_secret_file)
1083  {
1084  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1085  "DEPRECATED. Use --genkey secret filename instead.");
1086  genkey_filename = options->shared_secret_file;
1087  }
1088 
1089  nbits_written = write_key_file(2, genkey_filename);
1090  if (nbits_written < 0)
1091  {
1092  msg(M_FATAL, "Failed to write key file");
1093  }
1094 
1096  "Randomly generated %d bit key written to %s", nbits_written,
1097  options->shared_secret_file);
1098  return true;
1099  }
1100  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1101  {
1103  return true;
1104  }
1105  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1106  {
1107  if (!options->tls_crypt_v2_file)
1108  {
1109  msg(M_USAGE,
1110  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1111  }
1112 
1114  options->genkey_extra_data, options->tls_crypt_v2_file,
1115  options->tls_crypt_v2_file_inline);
1116  return true;
1117  }
1118  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1119  {
1121  return true;
1122  }
1123  else
1124  {
1125  return false;
1126  }
1127 }
1128 
1129 /*
1130  * Persistent TUN/TAP device management mode?
1131  */
1132 bool
1134 {
1135  if (options->persist_config)
1136  {
1137  /* sanity check on options for --mktun or --rmtun */
1138  notnull(options->dev, "TUN/TAP device (--dev)");
1139  if (options->ce.remote || options->ifconfig_local
1140  || options->ifconfig_remote_netmask
1141  || options->shared_secret_file
1142  || options->tls_server || options->tls_client
1143  )
1144  {
1146  "options --mktun or --rmtun should only be used together with --dev");
1147  }
1148 #ifdef ENABLE_FEATURE_TUN_PERSIST
1149  tuncfg(options->dev, options->dev_type, options->dev_node,
1150  options->persist_mode,
1151  options->username, options->groupname, &options->tuntap_options,
1152  ctx);
1153  if (options->persist_mode && options->lladdr)
1154  {
1155  set_lladdr(options->dev, options->lladdr, NULL);
1156  }
1157  return true;
1158 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1159  msg( M_FATAL|M_OPTERR,
1160  "options --mktun and --rmtun are not available on your operating "
1161  "system. Please check 'man tun' (or 'tap'), whether your system "
1162  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1163  "persistent tunnel interfaces.", options->dev );
1164 #endif
1165  }
1166  return false;
1167 }
1168 
1169 /*
1170  * Should we become a daemon?
1171  * Return true if we did it.
1172  */
1173 bool
1175 {
1176  bool ret = false;
1177 
1178 #ifdef ENABLE_SYSTEMD
1179  /* return without forking if we are running from systemd */
1180  if (sd_notify(0, "READY=0") > 0)
1181  {
1182  return ret;
1183  }
1184 #endif
1185 
1186  if (options->daemon)
1187  {
1188  ASSERT(!options->inetd);
1189  /* Don't chdir immediately, but the end of the init sequence, if needed */
1190  if (daemon(1, options->log) < 0)
1191  {
1192  msg(M_ERR, "daemon() failed or unsupported");
1193  }
1195  if (options->log)
1196  {
1197  set_std_files_to_null(true);
1198  }
1199 
1200  ret = true;
1201  }
1202  return ret;
1203 }
1204 
1205 /*
1206  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1207  */
1208 static void
1209 do_uid_gid_chroot(struct context *c, bool no_delay)
1210 {
1211  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1212  struct context_0 *c0 = c->c0;
1213 
1214  if (c0 && !c0->uid_gid_chroot_set)
1215  {
1216  /* chroot if requested */
1217  if (c->options.chroot_dir)
1218  {
1219  if (no_delay)
1220  {
1222  }
1223  else if (c->first_time)
1224  {
1225  msg(M_INFO, "NOTE: chroot %s", why_not);
1226  }
1227  }
1228 
1229  /* set user and/or group if we want to setuid/setgid */
1230  if (c0->uid_gid_specified)
1231  {
1232  if (no_delay)
1233  {
1236  }
1237  else if (c->first_time)
1238  {
1239  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1240  }
1241  }
1242 
1243 #ifdef ENABLE_MEMSTATS
1244  if (c->first_time && c->options.memstats_fn)
1245  {
1246  mstats_open(c->options.memstats_fn);
1247  }
1248 #endif
1249 
1250 #ifdef ENABLE_SELINUX
1251  /* Apply a SELinux context in order to restrict what OpenVPN can do
1252  * to _only_ what it is supposed to do after initialization is complete
1253  * (basically just network I/O operations). Doing it after chroot
1254  * requires /proc to be mounted in the chroot (which is annoying indeed
1255  * but doing it before requires more complex SELinux policies.
1256  */
1257  if (c->options.selinux_context)
1258  {
1259  if (no_delay)
1260  {
1261  if (-1 == setcon(c->options.selinux_context))
1262  {
1263  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1264  }
1265  else
1266  {
1267  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1268  }
1269  }
1270  else if (c->first_time)
1271  {
1272  msg(M_INFO, "NOTE: setcon %s", why_not);
1273  }
1274  }
1275 #endif
1276 
1277  /* Privileges are going to be dropped by now (if requested), be sure
1278  * to prevent any future privilege dropping attempts from now on.
1279  */
1280  if (no_delay)
1281  {
1282  c0->uid_gid_chroot_set = true;
1283  }
1284  }
1285 }
1286 
1287 /*
1288  * Return common name in a way that is formatted for
1289  * prepending to msg() output.
1290  */
1291 const char *
1292 format_common_name(struct context *c, struct gc_arena *gc)
1293 {
1294  struct buffer out = alloc_buf_gc(256, gc);
1295  if (c->c2.tls_multi)
1296  {
1297  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1298  }
1299  return BSTR(&out);
1300 }
1301 
1302 void
1303 pre_setup(const struct options *options)
1304 {
1305 #ifdef _WIN32
1306  if (options->exit_event_name)
1307  {
1310  options->exit_event_name,
1311  options->exit_event_initial_state);
1312  }
1313  else
1314  {
1317  NULL,
1318  false);
1319 
1320  /* put a title on the top window bar */
1322  {
1324  window_title_generate(options->config);
1325  }
1326  }
1327 #endif /* ifdef _WIN32 */
1328 }
1329 
1330 void
1332 {
1333  c->c2.coarse_timer_wakeup = 0;
1334 }
1335 
1336 /*
1337  * Initialise the server poll timeout timer
1338  * This timer is used in the http/socks proxy setup so it needs to be setup
1339  * before
1340  */
1341 static void
1343 {
1344  update_time();
1345  if (c->options.ce.connect_timeout)
1346  {
1348  }
1349 }
1350 
1351 /*
1352  * Initialize timers
1353  */
1354 static void
1355 do_init_timers(struct context *c, bool deferred)
1356 {
1357  update_time();
1359 
1360  /* initialize inactivity timeout */
1361  if (c->options.inactivity_timeout)
1362  {
1364  }
1365 
1366  /* initialize pings */
1367 
1368  if (c->options.ping_send_timeout)
1369  {
1371  }
1372 
1373  if (c->options.ping_rec_timeout)
1374  {
1376  }
1377 
1378  if (!deferred)
1379  {
1380  /* initialize connection establishment timer */
1382 
1383 #ifdef ENABLE_OCC
1384  /* initialize occ timers */
1385 
1386  if (c->options.occ
1387  && !TLS_MODE(c)
1389  {
1391  }
1392 
1393  if (c->options.mtu_test)
1394  {
1396  }
1397 #endif
1398 
1399  /* initialize packet_id persistence timer */
1400  if (c->options.packet_id_file)
1401  {
1403  }
1404 
1405  /* initialize tmp_int optimization that limits the number of times we call
1406  * tls_multi_process in the main event loop */
1408  }
1409 }
1410 
1411 /*
1412  * Initialize traffic shaper.
1413  */
1414 static void
1416 {
1417 #ifdef ENABLE_FEATURE_SHAPER
1418  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1419  if (c->options.shaper)
1420  {
1421  shaper_init(&c->c2.shaper, c->options.shaper);
1422  shaper_msg(&c->c2.shaper);
1423  }
1424 #endif
1425 }
1426 
1427 /*
1428  * Allocate route list structures for IPv4 and IPv6
1429  * (we do this for IPv4 even if no --route option has been seen, as other
1430  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1431  */
1432 static void
1434 {
1435  if (!c->c1.route_list)
1436  {
1437  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1438  }
1439  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1440  {
1442  }
1443 }
1444 
1445 
1446 /*
1447  * Initialize the route list, resolving any DNS names in route
1448  * options and saving routes in the environment.
1449  */
1450 static void
1452  struct route_list *route_list,
1453  const struct link_socket_info *link_socket_info,
1454  struct env_set *es,
1455  openvpn_net_ctx_t *ctx)
1456 {
1457  const char *gw = NULL;
1458  int dev = dev_type_enum(options->dev, options->dev_type);
1459  int metric = 0;
1460 
1461  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1462  {
1463  gw = options->ifconfig_remote_netmask;
1464  }
1465  if (options->route_default_gateway)
1466  {
1467  gw = options->route_default_gateway;
1468  }
1469  if (options->route_default_metric)
1470  {
1471  metric = options->route_default_metric;
1472  }
1473 
1474  if (init_route_list(route_list,
1475  options->routes,
1476  gw,
1477  metric,
1478  link_socket_current_remote(link_socket_info),
1479  es,
1480  ctx))
1481  {
1482  /* copy routes to environment */
1483  setenv_routes(es, route_list);
1484  }
1485 }
1486 
1487 static void
1490  const struct link_socket_info *link_socket_info,
1491  struct env_set *es,
1492  openvpn_net_ctx_t *ctx)
1493 {
1494  const char *gw = NULL;
1495  int metric = -1; /* no metric set */
1496 
1497  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1498  if (options->route_ipv6_default_gateway)
1499  {
1500  gw = options->route_ipv6_default_gateway;
1501  }
1502 
1503  if (options->route_default_metric)
1504  {
1505  metric = options->route_default_metric;
1506  }
1507 
1508  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1509  */
1510  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1511  {
1512  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1513  int i;
1514 
1515  for (i = 0; opt_list[i]; i++)
1516  {
1518  string_alloc(opt_list[i], options->routes_ipv6->gc),
1519  NULL, NULL );
1520  }
1521  }
1522 
1523  if (init_route_ipv6_list(route_ipv6_list,
1524  options->routes_ipv6,
1525  gw,
1526  metric,
1527  link_socket_current_remote_ipv6(link_socket_info),
1528  es,
1529  ctx))
1530  {
1531  /* copy routes to environment */
1532  setenv_routes_ipv6(es, route_ipv6_list);
1533  }
1534 }
1535 
1536 
1537 /*
1538  * Called after all initialization has been completed.
1539  */
1540 void
1541 initialization_sequence_completed(struct context *c, const unsigned int flags)
1542 {
1543  static const char message[] = "Initialization Sequence Completed";
1544 
1545  /* Reset the unsuccessful connection counter on complete initialisation */
1547 
1548  /* If we delayed UID/GID downgrade or chroot, do it now */
1549  do_uid_gid_chroot(c, true);
1550 
1551 
1552  /*
1553  * In some cases (i.e. when receiving auth-token via
1554  * push-reply) the auth-nocache option configured on the
1555  * client is overridden; for this reason we have to wait
1556  * for the push-reply message before attempting to wipe
1557  * the user/pass entered by the user
1558  */
1559  if (c->options.mode == MODE_POINT_TO_POINT)
1560  {
1562  }
1563 
1564  /* Test if errors */
1565  if (flags & ISC_ERRORS)
1566  {
1567 #ifdef _WIN32
1570  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1571 #else
1572 #ifdef ENABLE_SYSTEMD
1573  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1574 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1575  msg(M_INFO, "%s With Errors", message);
1576 #endif
1577  }
1578  else
1579  {
1580 #ifdef ENABLE_SYSTEMD
1581  sd_notifyf(0, "STATUS=%s", message);
1582 #endif
1583  msg(M_INFO, "%s", message);
1584  }
1585 
1586  /* Flag that we initialized */
1587  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1588  {
1589  c->options.no_advance = true;
1590  }
1591 
1592 #ifdef _WIN32
1594 #endif
1595 
1596 #ifdef ENABLE_MANAGEMENT
1597  /* Tell management interface that we initialized */
1598  if (management)
1599  {
1600  in_addr_t *tun_local = NULL;
1601  struct in6_addr *tun_local6 = NULL;
1602  struct openvpn_sockaddr local, remote;
1603  struct link_socket_actual *actual;
1604  socklen_t sa_len = sizeof(local);
1605  const char *detail = "SUCCESS";
1606  if (flags & ISC_ERRORS)
1607  {
1608  detail = "ERROR";
1609  }
1610 
1611  CLEAR(local);
1612  actual = &get_link_socket_info(c)->lsa->actual;
1613  remote = actual->dest;
1614  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1615 #if ENABLE_IP_PKTINFO
1616  if (!addr_defined(&local))
1617  {
1618  switch (local.addr.sa.sa_family)
1619  {
1620  case AF_INET:
1621 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1622  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1623 #else
1624  local.addr.in4.sin_addr = actual->pi.in4;
1625 #endif
1626  break;
1627 
1628  case AF_INET6:
1629  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1630  break;
1631  }
1632  }
1633 #endif
1634 
1635  if (c->c1.tuntap)
1636  {
1637  tun_local = &c->c1.tuntap->local;
1638  tun_local6 = &c->c1.tuntap->local_ipv6;
1639  }
1642  detail,
1643  tun_local,
1644  tun_local6,
1645  &local,
1646  &remote);
1647  if (tun_local)
1648  {
1650  }
1651  }
1652 #endif /* ifdef ENABLE_MANAGEMENT */
1653 }
1654 
1655 /*
1656  * Possibly add routes and/or call route-up script
1657  * based on options.
1658  */
1659 void
1660 do_route(const struct options *options,
1661  struct route_list *route_list,
1663  const struct tuntap *tt,
1664  const struct plugin_list *plugins,
1665  struct env_set *es,
1666  openvpn_net_ctx_t *ctx)
1667 {
1668  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1669  {
1670  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1671  es, ctx);
1672  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1673  }
1674 #ifdef ENABLE_MANAGEMENT
1675  if (management)
1676  {
1677  management_up_down(management, "UP", es);
1678  }
1679 #endif
1680 
1682  {
1683  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1684  {
1685  msg(M_WARN, "WARNING: route-up plugin call failed");
1686  }
1687  }
1688 
1689  if (options->route_script)
1690  {
1691  struct argv argv = argv_new();
1692  setenv_str(es, "script_type", "route-up");
1693  argv_parse_cmd(&argv, options->route_script);
1694  openvpn_run_script(&argv, es, 0, "--route-up");
1695  argv_free(&argv);
1696  }
1697 
1698 #ifdef _WIN32
1699  if (options->show_net_up)
1700  {
1703  }
1704  else if (check_debug_level(D_SHOW_NET))
1705  {
1708  }
1709 #endif
1710 }
1711 
1712 /*
1713  * initialize tun/tap device object
1714  */
1715 static void
1717 {
1718  c->c1.tuntap = init_tun(c->options.dev,
1719  c->options.dev_type,
1720  c->options.topology,
1729  c->c2.es,
1730  &c->net_ctx);
1731 
1732 #ifdef _WIN32
1734 #endif
1735 
1736  init_tun_post(c->c1.tuntap,
1737  &c->c2.frame,
1738  &c->options.tuntap_options);
1739 
1740  c->c1.tuntap_owned = true;
1741 }
1742 
1743 /*
1744  * Open tun/tap device, ifconfig, call up script, etc.
1745  */
1746 
1747 static bool
1749 {
1750  struct gc_arena gc = gc_new();
1751  bool ret = false;
1752 
1753 #ifndef TARGET_ANDROID
1754  if (!c->c1.tuntap)
1755  {
1756 #endif
1757 
1758 #ifdef TARGET_ANDROID
1759  /* If we emulate persist-tun on android we still have to open a new tun and
1760  * then close the old */
1761  int oldtunfd = -1;
1762  if (c->c1.tuntap)
1763  {
1764  oldtunfd = c->c1.tuntap->fd;
1765  free(c->c1.tuntap);
1766  c->c1.tuntap = NULL;
1767  c->c1.tuntap_owned = false;
1768  }
1769 #endif
1770 
1771  /* initialize (but do not open) tun/tap object */
1772  do_init_tun(c);
1773 
1774 #ifdef _WIN32
1775  /* store (hide) interactive service handle in tuntap_options */
1777  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1778 #endif
1779 
1780  /* allocate route list structure */
1782 
1783  /* parse and resolve the route option list */
1784  ASSERT(c->c2.link_socket);
1785  if (c->options.routes && c->c1.route_list)
1786  {
1788  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1789  }
1790  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1791  {
1793  &c->c2.link_socket->info, c->c2.es,
1794  &c->net_ctx);
1795  }
1796 
1797  /* do ifconfig */
1798  if (!c->options.ifconfig_noexec
1800  {
1801  /* guess actual tun/tap unit number that will be returned
1802  * by open_tun */
1803  const char *guess = guess_tuntap_dev(c->options.dev,
1804  c->options.dev_type,
1805  c->options.dev_node,
1806  &gc);
1807  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1808  &c->net_ctx);
1809  }
1810 
1811  /* possibly add routes */
1812  if (route_order() == ROUTE_BEFORE_TUN)
1813  {
1814  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1816  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1817  }
1818 #ifdef TARGET_ANDROID
1819  /* Store the old fd inside the fd so open_tun can use it */
1820  c->c1.tuntap->fd = oldtunfd;
1821 #endif
1822  /* open the tun device */
1824  c->c1.tuntap);
1825 
1826  /* set the hardware address */
1827  if (c->options.lladdr)
1828  {
1830  }
1831 
1832  /* do ifconfig */
1833  if (!c->options.ifconfig_noexec
1835  {
1837  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1838  }
1839 
1840  /* run the up script */
1842  c->plugins,
1844  c->c1.tuntap->actual_name,
1845 #ifdef _WIN32
1846  c->c1.tuntap->adapter_index,
1847 #endif
1849  TUN_MTU_SIZE(&c->c2.frame),
1850  EXPANDED_SIZE(&c->c2.frame),
1853  "init",
1854  NULL,
1855  "up",
1856  c->c2.es);
1857 
1858 #if defined(_WIN32)
1859  if (c->options.block_outside_dns)
1860  {
1861  dmsg(D_LOW, "Blocking outside DNS");
1863  {
1864  msg(M_FATAL, "Blocking DNS failed!");
1865  }
1866  }
1867 #endif
1868 
1869  /* possibly add routes */
1871  {
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 
1876  /*
1877  * Did tun/tap driver give us an MTU?
1878  */
1879  if (c->c1.tuntap->post_open_mtu)
1880  {
1882  c->c1.tuntap->post_open_mtu,
1884  }
1885 
1886  ret = true;
1887  static_context = c;
1888 #ifndef TARGET_ANDROID
1889 }
1890 else
1891 {
1892  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1893  c->c1.tuntap->actual_name);
1894 
1895  /* explicitly set the ifconfig_* env vars */
1896  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1897 
1898  /* run the up script if user specified --up-restart */
1899  if (c->options.up_restart)
1900  {
1902  c->plugins,
1904  c->c1.tuntap->actual_name,
1905 #ifdef _WIN32
1906  c->c1.tuntap->adapter_index,
1907 #endif
1909  TUN_MTU_SIZE(&c->c2.frame),
1910  EXPANDED_SIZE(&c->c2.frame),
1913  "restart",
1914  NULL,
1915  "up",
1916  c->c2.es);
1917  }
1918 #if defined(_WIN32)
1919  if (c->options.block_outside_dns)
1920  {
1921  dmsg(D_LOW, "Blocking outside DNS");
1923  {
1924  msg(M_FATAL, "Blocking DNS failed!");
1925  }
1926  }
1927 #endif
1928 
1929 }
1930 #endif /* ifndef TARGET_ANDROID */
1931  gc_free(&gc);
1932  return ret;
1933 }
1934 
1935 /*
1936  * Close TUN/TAP device
1937  */
1938 
1939 static void
1941 {
1942  msg(D_CLOSE, "Closing TUN/TAP interface");
1943  if (c->c1.tuntap)
1944  {
1945  close_tun(c->c1.tuntap, &c->net_ctx);
1946  c->c1.tuntap = NULL;
1947  }
1948  c->c1.tuntap_owned = false;
1949 #if P2MP
1951 #endif
1952 }
1953 
1954 static void
1955 do_close_tun(struct context *c, bool force)
1956 {
1957  struct gc_arena gc = gc_new();
1958  if (c->c1.tuntap && c->c1.tuntap_owned)
1959  {
1960  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1961 #ifdef _WIN32
1962  DWORD adapter_index = c->c1.tuntap->adapter_index;
1963 #endif
1964  const in_addr_t local = c->c1.tuntap->local;
1965  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1966 
1967  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1968  {
1969  static_context = NULL;
1970 
1971 #ifdef ENABLE_MANAGEMENT
1972  /* tell management layer we are about to close the TUN/TAP device */
1973  if (management)
1974  {
1976  management_up_down(management, "DOWN", c->c2.es);
1977  }
1978 #endif
1979 
1980  /* delete any routes we added */
1981  if (c->c1.route_list || c->c1.route_ipv6_list)
1982  {
1984  c->plugins,
1986  tuntap_actual,
1987 #ifdef _WIN32
1988  adapter_index,
1989 #endif
1990  NULL,
1991  TUN_MTU_SIZE(&c->c2.frame),
1992  EXPANDED_SIZE(&c->c2.frame),
1993  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1994  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1995  "init",
1997  c->sig->signal_text),
1998  "route-pre-down",
1999  c->c2.es);
2000 
2003  c->c2.es, &c->net_ctx);
2004  }
2005 
2006  /* actually close tun/tap device based on --down-pre flag */
2007  if (!c->options.down_pre)
2008  {
2010  }
2011 
2012  /* Run the down script -- note that it will run at reduced
2013  * privilege if, for example, "--user nobody" was used. */
2015  c->plugins,
2017  tuntap_actual,
2018 #ifdef _WIN32
2019  adapter_index,
2020 #endif
2021  NULL,
2022  TUN_MTU_SIZE(&c->c2.frame),
2023  EXPANDED_SIZE(&c->c2.frame),
2024  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2025  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2026  "init",
2028  c->sig->signal_text),
2029  "down",
2030  c->c2.es);
2031 
2032 #if defined(_WIN32)
2033  if (c->options.block_outside_dns)
2034  {
2035  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2036  {
2037  msg(M_FATAL, "Uninitialising WFP failed!");
2038  }
2039  }
2040 #endif
2041 
2042  /* actually close tun/tap device based on --down-pre flag */
2043  if (c->options.down_pre)
2044  {
2046  }
2047  }
2048  else
2049  {
2050  /* run the down script on this restart if --up-restart was specified */
2051  if (c->options.up_restart)
2052  {
2054  c->plugins,
2056  tuntap_actual,
2057 #ifdef _WIN32
2058  adapter_index,
2059 #endif
2060  NULL,
2061  TUN_MTU_SIZE(&c->c2.frame),
2062  EXPANDED_SIZE(&c->c2.frame),
2063  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2064  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2065  "restart",
2067  c->sig->signal_text),
2068  "down",
2069  c->c2.es);
2070  }
2071 
2072 #if defined(_WIN32)
2073  if (c->options.block_outside_dns)
2074  {
2075  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2076  {
2077  msg(M_FATAL, "Uninitialising WFP failed!");
2078  }
2079  }
2080 #endif
2081 
2082  }
2083  }
2084  gc_free(&gc);
2085 }
2086 
2087 void
2089 {
2090  struct context *c = static_context;
2091  if (c)
2092  {
2093  static_context = NULL;
2094  do_close_tun(c, true);
2095  }
2096 }
2097 
2098 /*
2099  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2100  */
2101 
2102 #if P2MP
2103 
2107 static bool
2109  const struct sha256_digest *b)
2110 {
2111  const struct sha256_digest zero = {{0}};
2112  return memcmp(a, b, sizeof(struct sha256_digest))
2113  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2114 }
2115 #endif /* P2MP */
2116 
2117 bool
2118 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2119 {
2120  if (!c->c2.do_up_ran)
2121  {
2123 
2124  if (pulled_options)
2125  {
2126  if (!do_deferred_options(c, option_types_found))
2127  {
2128  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2129  return false;
2130  }
2131  }
2132 
2133  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2134  if (c->options.up_delay || PULL_DEFINED(&c->options))
2135  {
2136  c->c2.did_open_tun = do_open_tun(c);
2137  update_time();
2138 
2139 #if P2MP
2140  /*
2141  * Was tun interface object persisted from previous restart iteration,
2142  * and if so did pulled options string change from previous iteration?
2143  */
2144  if (!c->c2.did_open_tun
2145  && PULL_DEFINED(&c->options)
2146  && c->c1.tuntap
2149  {
2150  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2151  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2152  do_close_tun(c, true);
2153  management_sleep(1);
2154  c->c2.did_open_tun = do_open_tun(c);
2155  update_time();
2156  }
2157 #endif
2158  }
2159 
2160  if (c->c2.did_open_tun)
2161  {
2162 #if P2MP
2164 #endif
2165 
2166  /* if --route-delay was specified, start timer */
2168  {
2171  if (c->c1.tuntap)
2172  {
2174  }
2175  }
2176  else
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2179  }
2180  }
2181  else if (c->options.mode == MODE_POINT_TO_POINT)
2182  {
2183  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2184  }
2185 
2186  c->c2.do_up_ran = true;
2187  }
2188  return true;
2189 }
2190 
2191 /*
2192  * These are the option categories which will be accepted by pull.
2193  */
2194 unsigned int
2196 {
2197  unsigned int flags =
2198  OPT_P_UP
2200  | OPT_P_SOCKBUF
2201  | OPT_P_SOCKFLAGS
2202  | OPT_P_SETENV
2203  | OPT_P_SHAPER
2204  | OPT_P_TIMER
2205  | OPT_P_COMP
2206  | OPT_P_PERSIST
2207  | OPT_P_MESSAGES
2209  | OPT_P_ECHO
2210  | OPT_P_PULL_MODE
2211  | OPT_P_PEER_ID;
2212 
2213  if (!c->options.route_nopull)
2214  {
2215  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2216  }
2217 
2218  if (c->options.ncp_enabled)
2219  {
2220  flags |= OPT_P_NCP;
2221  }
2222 
2223  return flags;
2224 }
2225 
2226 /*
2227  * Handle non-tun-related pulled options.
2228  */
2229 bool
2230 do_deferred_options(struct context *c, const unsigned int found)
2231 {
2232  if (found & OPT_P_MESSAGES)
2233  {
2235  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2236  }
2237  if (found & OPT_P_TIMER)
2238  {
2239  do_init_timers(c, true);
2240  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2241  }
2242 
2243 #ifdef ENABLE_OCC
2244  if (found & OPT_P_EXPLICIT_NOTIFY)
2245  {
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2250  }
2251  else
2252  {
2253  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2254  }
2255  }
2256 #endif
2257 
2258 #ifdef USE_COMP
2259  if (found & OPT_P_COMP)
2260  {
2261  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2262  comp_uninit(c->c2.comp_context);
2263  c->c2.comp_context = comp_init(&c->options.comp);
2264  }
2265 #endif
2266 
2267  if (found & OPT_P_SHAPER)
2268  {
2269  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2271  }
2272 
2273  if (found & OPT_P_SOCKBUF)
2274  {
2275  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2277  }
2278 
2279  if (found & OPT_P_SOCKFLAGS)
2280  {
2281  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2283  }
2284 
2285  if (found & OPT_P_PERSIST)
2286  {
2287  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2288  }
2289  if (found & OPT_P_UP)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2292  }
2293  if (found & OPT_P_ROUTE)
2294  {
2295  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2296  }
2297  if (found & OPT_P_ROUTE_EXTRAS)
2298  {
2299  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2300  }
2301  if (found & OPT_P_IPWIN32)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2304  }
2305  if (found & OPT_P_SETENV)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2308  }
2309 
2310  if (found & OPT_P_PEER_ID)
2311  {
2312  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2313  c->c2.tls_multi->use_peer_id = true;
2314  c->c2.tls_multi->peer_id = c->options.peer_id;
2315  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2316  if (!c->options.ce.link_mtu_defined)
2317  {
2318  frame_add_to_link_mtu(&c->c2.frame, +3);
2319  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2320  EXPANDED_SIZE(&c->c2.frame));
2321  }
2322  else
2323  {
2324  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2325  " fixed by config - reducing tun-mtu to %d, expect"
2326  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2327  }
2328  }
2329 
2330  /* process (potentially pushed) crypto options */
2331  if (c->options.pull)
2332  {
2333  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2334  if (found & OPT_P_NCP)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2337  }
2338  else if (c->options.ncp_enabled)
2339  {
2341  }
2342  struct frame *frame_fragment = NULL;
2343 #ifdef ENABLE_FRAGMENT
2344  if (c->options.ce.fragment)
2345  {
2346  frame_fragment = &c->c2.frame_fragment;
2347  }
2348 #endif
2349 
2350  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2351  frame_fragment))
2352  {
2353  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2354  return false;
2355  }
2356  }
2357 
2358  return true;
2359 }
2360 
2361 /*
2362  * Possible hold on initialization, holdtime is the
2363  * time OpenVPN would wait without management
2364  */
2365 static bool
2366 do_hold(int holdtime)
2367 {
2368 #ifdef ENABLE_MANAGEMENT
2369  if (management)
2370  {
2371  /* block until management hold is released */
2372  if (management_hold(management, holdtime))
2373  {
2374  return true;
2375  }
2376  }
2377 #endif
2378  return false;
2379 }
2380 
2381 /*
2382  * Sleep before restart.
2383  */
2384 static void
2386 {
2387  int sec = 2;
2388  int backoff = 0;
2389 
2390  switch (c->options.ce.proto)
2391  {
2392  case PROTO_TCP_SERVER:
2393  sec = 1;
2394  break;
2395 
2396  case PROTO_UDP:
2397  case PROTO_TCP_CLIENT:
2398  sec = c->options.ce.connect_retry_seconds;
2399  break;
2400  }
2401 
2402 #ifdef ENABLE_DEBUG
2403  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2404  {
2405  sec = 0;
2406  }
2407 #endif
2408 
2409 #if P2MP
2410  if (auth_retry_get() == AR_NOINTERACT)
2411  {
2412  sec = 10;
2413  }
2414 #endif
2415 
2416  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2417  if (c->options.ce.proto != PROTO_TCP_SERVER)
2418  {
2419  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2420  if (backoff > 0)
2421  {
2422  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2423  sec = max_int(sec, 1) << min_int(backoff, 15);
2424  }
2425 
2426  if (sec > c->options.ce.connect_retry_seconds_max)
2427  {
2429  }
2430  }
2431 
2433  {
2434  sec = c->persist.restart_sleep_seconds;
2435  }
2436  else if (c->persist.restart_sleep_seconds == -1)
2437  {
2438  sec = 0;
2439  }
2441 
2442  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2443  if (do_hold(sec))
2444  {
2445  sec = 0;
2446  }
2447 
2448  if (sec)
2449  {
2450  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2451  management_sleep(sec);
2452  }
2453 }
2454 
2455 /*
2456  * Do a possible pause on context_2 initialization.
2457  */
2458 static void
2460 {
2461  if (!c->first_time)
2462  {
2464  }
2465  else
2466  {
2467  do_hold(0); /* do management hold on first context initialization */
2468  }
2469 }
2470 
2471 /*
2472  * Finalize MTU parameters based on command line or config file options.
2473  */
2474 static void
2475 frame_finalize_options(struct context *c, const struct options *o)
2476 {
2477  if (!o)
2478  {
2479  o = &c->options;
2480  }
2481 
2482  /*
2483  * Set adjustment factor for buffer alignment when no
2484  * cipher is used.
2485  */
2486  if (!CIPHER_ENABLED(c))
2487  {
2493  }
2494 
2496  frame_finalize(&c->c2.frame,
2497  o->ce.link_mtu_defined,
2498  o->ce.link_mtu,
2499  o->ce.tun_mtu_defined,
2500  o->ce.tun_mtu);
2501 }
2502 
2503 /*
2504  * Free a key schedule, including OpenSSL components.
2505  */
2506 static void
2507 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2508 {
2510  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2511  {
2512  tls_ctx_free(&ks->ssl_ctx);
2514  }
2515  CLEAR(*ks);
2516 }
2517 
2518 static void
2519 init_crypto_pre(struct context *c, const unsigned int flags)
2520 {
2521  if (c->options.engine)
2522  {
2524  }
2525 
2526  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2527  {
2528  /* load a persisted packet-id for cross-session replay-protection */
2529  if (c->options.packet_id_file)
2530  {
2532  }
2533  }
2534 
2535 #ifdef ENABLE_PREDICTION_RESISTANCE
2536  if (c->options.use_prediction_resistance)
2537  {
2538  rand_ctx_enable_prediction_resistance();
2539  }
2540 #endif
2541 }
2542 
2543 /*
2544  * Static Key Mode (using a pre-shared key)
2545  */
2546 static void
2547 do_init_crypto_static(struct context *c, const unsigned int flags)
2548 {
2549  const struct options *options = &c->options;
2550  ASSERT(options->shared_secret_file);
2551 
2552  init_crypto_pre(c, flags);
2553 
2554  /* Initialize flags */
2556  {
2558  }
2559 
2560  /* Initialize packet ID tracking */
2561  if (options->replay)
2562  {
2564  options->replay_window,
2565  options->replay_time,
2566  "STATIC", 0);
2571  }
2572 
2573  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2574  {
2575  /* Get cipher & hash algorithms */
2576  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2577  options->keysize, options->test_crypto, true);
2578 
2579  /* Read cipher and hmac keys from shared secret file */
2581  options->shared_secret_file,
2582  options->shared_secret_file_inline,
2583  options->key_direction, "Static Key Encryption",
2584  "secret");
2585  }
2586  else
2587  {
2588  msg(M_INFO, "Re-using pre-shared static key");
2589  }
2590 
2591  /* Get key schedule */
2593 
2594  /* Compute MTU parameters */
2596  options->replay, true);
2597 
2598  /* Sanity check on sequence number, and cipher mode options */
2599  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2600 }
2601 
2602 /*
2603  * Initialize the tls-auth/crypt key context
2604  */
2605 static void
2607 {
2608  const struct options *options = &c->options;
2609 
2610  /* TLS handshake authentication (--tls-auth) */
2611  if (options->ce.tls_auth_file)
2612  {
2613  /* Initialize key_type for tls-auth with auth only */
2615  if (!streq(options->authname, "none"))
2616  {
2620  }
2621  else
2622  {
2623  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2624  "algorithm specified ('%s')", options->authname);
2625  }
2626 
2628  &c->c1.ks.tls_wrap_key,
2629  options->ce.tls_auth_file,
2630  options->ce.tls_auth_file_inline,
2631  options->ce.key_direction,
2632  "Control Channel Authentication", "tls-auth");
2633  }
2634 
2635  /* TLS handshake encryption+authentication (--tls-crypt) */
2636  if (options->ce.tls_crypt_file)
2637  {
2639  options->ce.tls_crypt_file,
2640  options->ce.tls_crypt_file_inline,
2641  options->tls_server);
2642  }
2643 
2644  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2645  if (options->ce.tls_crypt_v2_file)
2646  {
2647  if (options->tls_server)
2648  {
2650  true, options->ce.tls_crypt_v2_file,
2651  options->ce.tls_crypt_v2_file_inline);
2652  }
2653  else
2654  {
2656  &c->c1.ks.tls_crypt_v2_wkc,
2657  options->ce.tls_crypt_v2_file,
2658  options->ce.tls_crypt_v2_file_inline);
2659  }
2660  }
2661 
2662 
2663 }
2664 
2665 /*
2666  * Initialise the auth-token key context
2667  */
2668 static void
2670 {
2671  if (!c->options.auth_token_generate)
2672  {
2673  return;
2674  }
2675 
2679 }
2680 
2681 /*
2682  * Initialize the persistent component of OpenVPN's TLS mode,
2683  * which is preserved across SIGUSR1 resets.
2684  */
2685 static void
2687 {
2688  const struct options *options = &c->options;
2689 
2690  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2691  {
2692  /*
2693  * Initialize the OpenSSL library's global
2694  * SSL context.
2695  */
2696  init_ssl(options, &(c->c1.ks.ssl_ctx));
2697  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2698  {
2699 #if P2MP
2700  switch (auth_retry_get())
2701  {
2702  case AR_NONE:
2703  msg(M_FATAL, "Error: private key password verification failed");
2704  break;
2705 
2706  case AR_INTERACT:
2707  ssl_purge_auth(false);
2708 
2709  case AR_NOINTERACT:
2710  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2711  break;
2712 
2713  default:
2714  ASSERT(0);
2715  }
2716  c->sig->signal_text = "private-key-password-failure";
2717  return;
2718 #else /* if P2MP */
2719  msg(M_FATAL, "Error: private key password verification failed");
2720 #endif /* if P2MP */
2721  }
2722 
2723  /* Get cipher & hash algorithms */
2724  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2725  options->keysize, true, true);
2726 
2727  /* Initialize PRNG with config-specified digest */
2728  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2729 
2730  /* initialize tls-auth/crypt/crypt-v2 key */
2732 
2733  /* initialise auth-token crypto support */
2735 
2736 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2737  if (options->priv_key_file_inline)
2738  {
2740  c->options.priv_key_file_inline = NULL;
2741  }
2742 #endif
2743  }
2744  else
2745  {
2746  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2747 
2748  /*
2749  * tls-auth/crypt key can be configured per connection block, therefore
2750  * we must reload it as it may have changed
2751  */
2753  }
2754 }
2755 
2756 static void
2757 do_init_crypto_tls(struct context *c, const unsigned int flags)
2758 {
2759  const struct options *options = &c->options;
2760  struct tls_options to;
2761  bool packet_id_long_form;
2762 
2763  ASSERT(options->tls_server || options->tls_client);
2764  ASSERT(!options->test_crypto);
2765 
2766  init_crypto_pre(c, flags);
2767 
2768  /* Make sure we are either a TLS client or server but not both */
2769  ASSERT(options->tls_server == !options->tls_client);
2770 
2771  /* initialize persistent component */
2773  if (IS_SIG(c))
2774  {
2775  return;
2776  }
2777 
2778  /* Sanity check on sequence number, and cipher mode options */
2779  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2780 
2781  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2782  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2783 
2784  /* Compute MTU parameters (postpone if we push/pull options) */
2785  if (c->options.pull || c->options.mode == MODE_SERVER)
2786  {
2787  /* Account for worst-case crypto overhead before allocating buffers */
2789  }
2790  else
2791  {
2793  options->replay, packet_id_long_form);
2794  }
2796 
2797  /* Set all command-line TLS-related options */
2798  CLEAR(to);
2799 
2800  if (options->mute_replay_warnings)
2801  {
2803  }
2804 
2806  if (packet_id_long_form)
2807  {
2809  }
2810 
2811  to.ssl_ctx = c->c1.ks.ssl_ctx;
2812  to.key_type = c->c1.ks.key_type;
2813  to.server = options->tls_server;
2814  to.key_method = options->key_method;
2815  to.replay = options->replay;
2816  to.replay_window = options->replay_window;
2817  to.replay_time = options->replay_time;
2820  to.config_ncp_ciphers = options->ncp_ciphers;
2821  to.ncp_enabled = options->ncp_enabled;
2822  to.transition_window = options->transition_window;
2823  to.handshake_window = options->handshake_window;
2824  to.packet_timeout = options->tls_timeout;
2825  to.renegotiate_bytes = options->renegotiate_bytes;
2827  if (options->renegotiate_seconds_min < 0)
2828  {
2829  /* Add 10% jitter to reneg-sec by default (server side only) */
2830  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2831  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2832  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2833  }
2834  else
2835  {
2836  /* Add user-specified jitter to reneg-sec */
2838  -(get_random() % max_int(options->renegotiate_seconds
2839  - options->renegotiate_seconds_min, 1));
2840  }
2841  to.single_session = options->single_session;
2842  to.mode = options->mode;
2843  to.pull = options->pull;
2844  if (options->push_peer_info) /* all there is */
2845  {
2846  to.push_peer_info_detail = 2;
2847  }
2848  else if (options->pull) /* pull clients send some details */
2849  {
2850  to.push_peer_info_detail = 1;
2851  }
2852  else /* default: no peer-info at all */
2853  {
2854  to.push_peer_info_detail = 0;
2855  }
2856 
2857  /* should we not xmit any packets until we get an initial
2858  * response from client? */
2859  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2860  {
2861  to.xmit_hold = true;
2862  }
2863 
2864 #ifdef ENABLE_OCC
2865  to.disable_occ = !options->occ;
2866 #endif
2867 
2868  to.verify_command = options->tls_verify;
2869  to.verify_export_cert = options->tls_export_cert;
2870  to.verify_x509_type = (options->verify_x509_type & 0xff);
2871  to.verify_x509_name = options->verify_x509_name;
2872  to.crl_file = options->crl_file;
2873  to.crl_file_inline = options->crl_file_inline;
2874  to.ssl_flags = options->ssl_flags;
2875  to.ns_cert_type = options->ns_cert_type;
2876  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2877  to.remote_cert_eku = options->remote_cert_eku;
2878  to.verify_hash = options->verify_hash;
2879  to.verify_hash_algo = options->verify_hash_algo;
2880 #ifdef ENABLE_X509ALTUSERNAME
2881  to.x509_username_field = (char *) options->x509_username_field;
2882 #else
2884 #endif
2885  to.es = c->c2.es;
2886  to.net_ctx = &c->net_ctx;
2887 
2888 #ifdef ENABLE_DEBUG
2889  to.gremlin = c->options.gremlin;
2890 #endif
2891 
2892  to.plugins = c->plugins;
2893 
2894 #ifdef MANAGEMENT_DEF_AUTH
2895  to.mda_context = &c->c2.mda_context;
2896 #endif
2897 
2900  to.tmp_dir = options->tmp_dir;
2901  if (options->ccd_exclusive)
2902  {
2904  }
2910 
2911  to.x509_track = options->x509_track;
2912 
2913 #if P2MP
2914 #ifdef ENABLE_MANAGEMENT
2915  to.sci = &options->sc_info;
2916 #endif
2917 #endif
2918 
2919 #ifdef USE_COMP
2920  to.comp_options = options->comp;
2921 #endif
2922 
2923 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2924  if (options->keying_material_exporter_label)
2925  {
2926  to.ekm_size = options->keying_material_exporter_length;
2927  if (to.ekm_size < 16 || to.ekm_size > 4095)
2928  {
2929  to.ekm_size = 0;
2930  }
2931 
2932  to.ekm_label = options->keying_material_exporter_label;
2933  to.ekm_label_size = strlen(to.ekm_label);
2934  }
2935  else
2936  {
2937  to.ekm_size = 0;
2938  }
2939 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2940 
2941  /* TLS handshake authentication (--tls-auth) */
2942  if (options->ce.tls_auth_file)
2943  {
2944  to.tls_wrap.mode = TLS_WRAP_AUTH;
2949  true, true);
2950  }
2951 
2952  /* TLS handshake encryption (--tls-crypt) */
2953  if (options->ce.tls_crypt_file
2954  || (options->ce.tls_crypt_v2_file && options->tls_client))
2955  {
2956  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2961 
2962  if (options->ce.tls_crypt_v2_file)
2963  {
2965  }
2966  }
2967 
2968  if (options->ce.tls_crypt_v2_file)
2969  {
2970  to.tls_crypt_v2 = true;
2971  if (options->tls_server)
2972  {
2975  }
2976  }
2977 
2978  /* If we are running over TCP, allow for
2979  * length prefix */
2981 
2982  /*
2983  * Initialize OpenVPN's master TLS-mode object.
2984  */
2985  if (flags & CF_INIT_TLS_MULTI)
2986  {
2987  c->c2.tls_multi = tls_multi_init(&to);
2988  }
2989 
2990  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2991  {
2993  }
2994 }
2995 
2996 static void
2998 {
2999  if (c->c2.tls_multi)
3000  {
3003  EXPANDED_SIZE(&c->c2.frame));
3005  "Control Channel MTU parms");
3006  }
3007  if (c->c2.tls_auth_standalone)
3008  {
3011  "TLS-Auth MTU parms");
3012  }
3013 }
3014 
3015 /*
3016  * No encryption or authentication.
3017  */
3018 static void
3020 {
3021  ASSERT(!c->options.test_crypto);
3022  msg(M_WARN,
3023  "******* WARNING *******: All encryption and authentication features "
3024  "disabled -- All data will be tunnelled as clear text and will not be "
3025  "protected against man-in-the-middle changes. "
3026  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3027 }
3028 
3029 static void
3030 do_init_crypto(struct context *c, const unsigned int flags)
3031 {
3032  if (c->options.shared_secret_file)
3033  {
3034  do_init_crypto_static(c, flags);
3035  }
3036  else if (c->options.tls_server || c->options.tls_client)
3037  {
3038  do_init_crypto_tls(c, flags);
3039  }
3040  else /* no encryption or authentication. */
3041  {
3043  }
3044 }
3045 
3046 static void
3048 {
3049 #ifdef USE_COMP
3050  /*
3051  * modify frame parameters if compression is enabled
3052  */
3053  if (comp_enabled(&c->options.comp))
3054  {
3055  comp_add_to_extra_frame(&c->c2.frame);
3056 
3057 #if !defined(ENABLE_LZ4)
3058  /*
3059  * Compression usage affects buffer alignment when non-swapped algs
3060  * such as LZO is used.
3061  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3062  * any special alignment because of the control-byte swap approach.
3063  * LZO alignment (on the other hand) is problematic because
3064  * the presence of the control byte means that either the output of
3065  * decryption must be written to an unaligned buffer, or the input
3066  * to compression (or packet dispatch if packet is uncompressed)
3067  * must be read from an unaligned buffer.
3068  * This code tries to align the input to compression (or packet
3069  * dispatch if packet is uncompressed) at the cost of requiring
3070  * decryption output to be written to an unaligned buffer, so
3071  * it's more of a tradeoff than an optimal solution and we don't
3072  * include it when we are doing a modern build with LZ4.
3073  * Strictly speaking, on the server it would be better to execute
3074  * this code for every connection after we decide the compression
3075  * method, but currently the frame code doesn't appear to be
3076  * flexible enough for this, since the frame is already established
3077  * before it is known which compression options will be pushed.
3078  */
3079  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3080  {
3081  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3085  }
3086 #endif
3087 
3088 #ifdef ENABLE_FRAGMENT
3089  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3090 #endif
3091  }
3092 #endif /* USE_COMP */
3093 
3094  /*
3095  * Adjust frame size for UDP Socks support.
3096  */
3097  if (c->options.ce.socks_proxy_server)
3098  {
3100  }
3101 
3102  /*
3103  * Adjust frame size based on the --tun-mtu-extra parameter.
3104  */
3106  {
3108  }
3109 
3110  /*
3111  * Adjust frame size based on link socket parameters.
3112  * (Since TCP is a stream protocol, we need to insert
3113  * a packet length uint16_t in the buffer.)
3114  */
3116 
3117  /*
3118  * Fill in the blanks in the frame parameters structure,
3119  * make sure values are rational, etc.
3120  */
3121  frame_finalize_options(c, NULL);
3122 
3123 #ifdef USE_COMP
3124  /*
3125  * Modify frame parameters if compression is compiled in.
3126  * Should be called after frame_finalize_options.
3127  */
3128  comp_add_to_extra_buffer(&c->c2.frame);
3129 #ifdef ENABLE_FRAGMENT
3130  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3131 #endif
3132 #endif /* USE_COMP */
3133 
3134  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3135  * and need link_mtu+3 bytes on socket reception (on server).
3136  *
3137  * accommodate receive path in f->extra_link, which has the side effect of
3138  * also increasing send buffers (BUF_SIZE() macro), which need to be
3139  * allocated big enough before receiving peer-id option from server.
3140  *
3141  * f->extra_frame is adjusted when peer-id option is push-received
3142  */
3144 
3145 #ifdef ENABLE_FRAGMENT
3146  /*
3147  * Set frame parameter for fragment code. This is necessary because
3148  * the fragmentation code deals with payloads which have already been
3149  * passed through the compression code.
3150  */
3151  c->c2.frame_fragment = c->c2.frame;
3154 #endif
3155 
3156 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3157  /*
3158  * MTU advisories
3159  */
3160  if (c->options.ce.fragment && c->options.mtu_test)
3161  {
3162  msg(M_WARN,
3163  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3164  }
3165 #endif
3166 
3167 #ifdef ENABLE_FRAGMENT
3168  if ((c->options.ce.mssfix || c->options.ce.fragment)
3170  {
3171  msg(M_WARN,
3172  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3174  }
3175 #endif
3176 }
3177 
3178 static void
3180 {
3181  const struct options *o = &c->options;
3182 
3183  if (o->ping_send_timeout && !o->ping_rec_timeout)
3184  {
3185  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3186  }
3187 
3188  if (o->username || o->groupname || o->chroot_dir
3189 #ifdef ENABLE_SELINUX
3190  || o->selinux_context
3191 #endif
3192  )
3193  {
3194  if (!o->persist_tun)
3195  {
3196  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3197  }
3198  if (!o->persist_key
3199 #ifdef ENABLE_PKCS11
3200  && !o->pkcs11_id
3201 #endif
3202  )
3203  {
3204  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3205  }
3206  }
3207 
3208  if (o->chroot_dir && !(o->username && o->groupname))
3209  {
3210  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3211  }
3212 
3213 #if P2MP
3214  if (o->pull && o->ifconfig_local && c->first_time)
3215  {
3216  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3217  }
3218 
3220  {
3221  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3222  }
3223 
3224  if (o->mode == MODE_SERVER)
3225  {
3226  if (o->duplicate_cn && o->client_config_dir)
3227  {
3228  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3229  }
3231  {
3232  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3233  }
3234  if (!o->keepalive_ping || !o->keepalive_timeout)
3235  {
3236  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3237  }
3238  }
3239 #endif /* if P2MP */
3240 
3241  if (!o->replay)
3242  {
3243  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3244  }
3245 
3246  if (o->tls_server)
3247  {
3249  }
3250  if (o->tls_client
3251  && !o->tls_verify
3254  && !o->remote_cert_eku)
3255  {
3256  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3257  }
3258  if (o->ns_cert_type)
3259  {
3260  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3261  }
3262 
3263  /* If a script is used, print appropriate warnings */
3264  if (o->user_script_used)
3265  {
3266  if (script_security() >= SSEC_SCRIPTS)
3267  {
3268  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3269  }
3270  else if (script_security() >= SSEC_PW_ENV)
3271  {
3272  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3273  }
3274  else
3275  {
3276  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3277  }
3278  }
3279 }
3280 
3281 static void
3283 {
3285 }
3286 
3287 struct context_buffers *
3289 {
3290  struct context_buffers *b;
3291 
3292  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3293 
3294  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3295  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3296 
3297  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3298 
3299  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3300  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3301 
3302 #ifdef USE_COMP
3303  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3304  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3305 #endif
3306 
3307  return b;
3308 }
3309 
3310 void
3312 {
3313  if (b)
3314  {
3315  free_buf(&b->read_link_buf);
3316  free_buf(&b->read_tun_buf);
3317  free_buf(&b->aux_buf);
3318 
3319 #ifdef USE_COMP
3320  free_buf(&b->compress_buf);
3321  free_buf(&b->decompress_buf);
3322 #endif
3323 
3324  free_buf(&b->encrypt_buf);
3325  free_buf(&b->decrypt_buf);
3326 
3327  free(b);
3328  }
3329 }
3330 
3331 /*
3332  * Now that we know all frame parameters, initialize
3333  * our buffers.
3334  */
3335 static void
3337 {
3339  c->c2.buffers_owned = true;
3340 }
3341 
3342 #ifdef ENABLE_FRAGMENT
3343 /*
3344  * Fragmenting code has buffers to initialize
3345  * once frame parameters are known.
3346  */
3347 static void
3349 {
3350  ASSERT(c->options.ce.fragment);
3354 }
3355 #endif
3356 
3357 /*
3358  * Allocate our socket object.
3359  */
3360 static void
3362 {
3363  ASSERT(!c->c2.link_socket);
3365  c->c2.link_socket_owned = true;
3366 }
3367 
3368 /*
3369  * bind the TCP/UDP socket
3370  */
3371 static void
3372 do_init_socket_1(struct context *c, const int mode)
3373 {
3374  unsigned int sockflags = c->options.sockflags;
3375 
3376 #if PORT_SHARE
3377  if (c->options.port_share_host && c->options.port_share_port)
3378  {
3379  sockflags |= SF_PORT_SHARE;
3380  }
3381 #endif
3382 
3384  c->options.ce.local,
3385  c->options.ce.local_port,
3386  c->options.ce.remote,
3387  c->options.ce.remote_port,
3388  c->c1.dns_cache,
3389  c->options.ce.proto,
3390  c->options.ce.af,
3392  mode,
3393  c->c2.accept_from,
3394  c->c1.http_proxy,
3395  c->c1.socks_proxy,
3396 #ifdef ENABLE_DEBUG
3397  c->options.gremlin,
3398 #endif
3399  c->options.ce.bind_local,
3400  c->options.ce.remote_float,
3401  c->options.inetd,
3402  &c->c1.link_socket_addr,
3403  c->options.ipchange,
3404  c->plugins,
3407  c->options.rcvbuf,
3408  c->options.sndbuf,
3409  c->options.mark,
3411  sockflags);
3412 }
3413 
3414 /*
3415  * finalize the TCP/UDP socket
3416  */
3417 static void
3419 {
3421  c->sig);
3422 }
3423 
3424 /*
3425  * Print MTU INFO
3426  */
3427 static void
3429 {
3430  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3431 #ifdef ENABLE_FRAGMENT
3432  if (c->c2.fragment)
3433  {
3435  "Fragmentation MTU parms");
3436  }
3437 #endif
3438 }
3439 
3440 #ifdef ENABLE_OCC
3441 /*
3442  * Get local and remote options compatibility strings.
3443  */
3444 static void
3446 {
3447  struct gc_arena gc = gc_new();
3448 
3450  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3451  false, &gc);
3453  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3454  true, &gc);
3455 
3456  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3459  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3462 
3463  if (c->c2.tls_multi)
3464  {
3468  }
3469 
3470  gc_free(&gc);
3471 }
3472 #endif /* ifdef ENABLE_OCC */
3473 
3474 /*
3475  * These things can only be executed once per program instantiation.
3476  * Set up for possible UID/GID downgrade, but don't do it yet.
3477  * Daemonize if requested.
3478  */
3479 static void
3481 {
3482  if (c->first_time && !c->c0)
3483  {
3484  struct context_0 *c0;
3485 
3486  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3487  c0 = c->c0;
3488 
3489  /* get user and/or group that we want to setuid/setgid to */
3490  c0->uid_gid_specified =
3493 
3494  /* perform postponed chdir if --daemon */
3495  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3496  {
3497  platform_chdir("/");
3498  }
3499 
3500  /* should we change scheduling priority? */
3502  }
3503 }
3504 
3505 /*
3506  * If xinetd/inetd mode, don't allow restart.
3507  */
3508 static void
3510 {
3511  if (c->options.inetd
3512  && (c->sig->signal_received == SIGHUP
3513  || c->sig->signal_received == SIGUSR1))
3514  {
3515  c->sig->signal_received = SIGTERM;
3516  msg(M_INFO,
3517  PACKAGE_NAME
3518  " started by inetd/xinetd cannot restart... Exiting.");
3519  }
3520 }
3521 
3522 /*
3523  * free buffers
3524  */
3525 static void
3527 {
3528  if (c->c2.buffers_owned)
3529  {
3531  c->c2.buffers = NULL;
3532  c->c2.buffers_owned = false;
3533  }
3534 }
3535 
3536 /*
3537  * close TLS
3538  */
3539 static void
3541 {
3542  if (c->c2.tls_multi)
3543  {
3544  tls_multi_free(c->c2.tls_multi, true);
3545  c->c2.tls_multi = NULL;
3546  }
3547 
3548 #ifdef ENABLE_OCC
3549  /* free options compatibility strings */
3550  if (c->c2.options_string_local)
3551  {
3553  }
3554  if (c->c2.options_string_remote)
3555  {
3557  }
3559 #endif
3560 
3561  if (c->c2.pulled_options_state)
3562  {
3565  }
3566 }
3567 
3568 /*
3569  * Free key schedules
3570  */
3571 static void
3572 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3573 {
3574  /*
3575  * always free the tls_auth/crypt key. If persist_key is true, the key will
3576  * be reloaded from memory (pre-cached)
3577  */
3579  CLEAR(c->c1.ks.tls_wrap_key);
3582 
3583  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3584  {
3585  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3586  }
3587 }
3588 
3589 /*
3590  * Close TCP/UDP connection
3591  */
3592 static void
3594 {
3595  if (c->c2.link_socket && c->c2.link_socket_owned)
3596  {
3598  c->c2.link_socket = NULL;
3599  }
3600 
3601 
3602  /* Preserve the resolved list of remote if the user request to or if we want
3603  * reconnect to the same host again or there are still addresses that need
3604  * to be tried */
3605  if (!(c->sig->signal_received == SIGUSR1
3606  && ( (c->options.persist_remote_ip)
3607  ||
3608  ( c->sig->source != SIG_SOURCE_HARD
3610  || c->options.no_advance))
3611  )))
3612  {
3614  }
3615 
3616  /* Clear the remote actual address when persist_remote_ip is not in use */
3617  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3618  {
3620  }
3621 
3622  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3623  {
3625  {
3626  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3627  }
3628 
3629  c->c1.link_socket_addr.bind_local = NULL;
3630  }
3631 }
3632 
3633 /*
3634  * Close packet-id persistence file
3635  */
3636 static void
3638 {
3641  if (!(c->sig->signal_received == SIGUSR1))
3642  {
3644  }
3645 }
3646 
3647 #ifdef ENABLE_FRAGMENT
3648 /*
3649  * Close fragmentation handler.
3650  */
3651 static void
3653 {
3654  if (c->c2.fragment)
3655  {
3657  c->c2.fragment = NULL;
3658  }
3659 }
3660 #endif
3661 
3662 /*
3663  * Open and close our event objects.
3664  */
3665 
3666 static void
3668  bool need_us_timeout)
3669 {
3670  unsigned int flags = 0;
3671 
3673 
3674  flags |= EVENT_METHOD_FAST;
3675 
3676  if (need_us_timeout)
3677  {
3678  flags |= EVENT_METHOD_US_TIMEOUT;
3679  }
3680 
3681  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3682  c->c2.event_set_owned = true;
3683 }
3684 
3685 static void
3687 {
3688  if (c->c2.event_set && c->c2.event_set_owned)
3689  {
3690  event_free(c->c2.event_set);
3691  c->c2.event_set = NULL;
3692  c->c2.event_set_owned = false;
3693  }
3694 }
3695 
3696 /*
3697  * Open and close --status file
3698  */
3699 
3700 static void
3702 {
3703  if (!c->c1.status_output)
3704  {
3707  -1,
3708  NULL,
3710  c->c1.status_output_owned = true;
3711  }
3712 }
3713 
3714 static void
3716 {
3717  if (!(c->sig->signal_received == SIGUSR1))
3718  {
3719  if (c->c1.status_output_owned && c->c1.status_output)
3720  {
3722  c->c1.status_output = NULL;
3723  c->c1.status_output_owned = false;
3724  }
3725  }
3726 }
3727 
3728 /*
3729  * Handle ifconfig-pool persistence object.
3730  */
3731 static void
3733 {
3735  {
3738  c->c1.ifconfig_pool_persist_owned = true;
3739  }
3740 }
3741 
3742 static void
3744 {
3745  if (!(c->sig->signal_received == SIGUSR1))
3746  {
3748  {
3750  c->c1.ifconfig_pool_persist = NULL;
3751  c->c1.ifconfig_pool_persist_owned = false;
3752  }
3753  }
3754 }
3755 
3756 /*
3757  * Inherit environmental variables
3758  */
3759 
3760 static void
3761 do_inherit_env(struct context *c, const struct env_set *src)
3762 {
3763  c->c2.es = env_set_create(NULL);
3764  c->c2.es_owned = true;
3765  env_set_inherit(c->c2.es, src);
3766 }
3767 
3768 static void
3770 {
3771  if (c->c2.es && c->c2.es_owned)
3772  {
3773  env_set_destroy(c->c2.es);
3774  c->c2.es = NULL;
3775  c->c2.es_owned = false;
3776  }
3777 }
3778 
3779 /*
3780  * Fast I/O setup. Fast I/O is an optimization which only works
3781  * if all of the following are true:
3782  *
3783  * (1) The platform is not Windows
3784  * (2) --proto udp is enabled
3785  * (3) --shaper is disabled
3786  */
3787 static void
3789 {
3790  if (c->options.fast_io)
3791  {
3792 #ifdef _WIN32
3793  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3794 #else
3795  if (!proto_is_udp(c->options.ce.proto))
3796  {
3797  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3798  }
3799  else
3800  {
3801 #ifdef ENABLE_FEATURE_SHAPER
3802  if (c->options.shaper)
3803  {
3804  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3805  }
3806  else
3807 #endif
3808  {
3809  c->c2.fast_io = true;
3810  }
3811  }
3812 #endif
3813  }
3814 }
3815 
3816 static void
3818 {
3819  if (c->options.tls_exit)
3820  {
3821  c->c2.tls_exit_signal = SIGTERM;
3822  }
3823  else
3824  {
3825  c->c2.tls_exit_signal = SIGUSR1;
3826  }
3827 }
3828 
3829 #ifdef ENABLE_PLUGIN
3830 
3831 void
3833 {
3834  if (c->options.plugin_list && !c->plugins)
3835  {
3837  c->plugins_owned = true;
3838  }
3839 }
3840 
3841 void
3842 open_plugins(struct context *c, const bool import_options, int init_point)
3843 {
3844  if (c->plugins && c->plugins_owned)
3845  {
3846  if (import_options)
3847  {
3848  struct plugin_return pr, config;
3849  plugin_return_init(&pr);
3850  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3851  plugin_return_get_column(&pr, &config, "config");
3852  if (plugin_return_defined(&config))
3853  {
3854  int i;
3855  for (i = 0; i < config.n; ++i)
3856  {
3857  unsigned int option_types_found = 0;
3858  if (config.list[i] && config.list[i]->value)
3859  {
3861  config.list[i]->value,
3864  &option_types_found,
3865  c->es);
3866  }
3867  }
3868  }
3869  plugin_return_free(&pr);
3870  }
3871  else
3872  {
3873  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3874  }
3875  }
3876 }
3877 
3878 static void
3880 {
3881  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3882  {
3884  c->plugins = NULL;
3885  c->plugins_owned = false;
3886  }
3887 }
3888 
3889 static void
3890 do_inherit_plugins(struct context *c, const struct context *src)
3891 {
3892  if (!c->plugins && src->plugins)
3893  {
3894  c->plugins = plugin_list_inherit(src->plugins);
3895  c->plugins_owned = true;
3896  }
3897 }
3898 
3899 #endif /* ifdef ENABLE_PLUGIN */
3900 
3901 #ifdef ENABLE_MANAGEMENT
3902 
3903 static void
3904 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3905 {
3906  struct context *c = (struct context *) arg;
3907  print_status(c, so);
3908 }
3909 
3910 void
3911 management_show_net_callback(void *arg, const int msglevel)
3912 {
3913 #ifdef _WIN32
3914  show_routes(msglevel);
3915  show_adapters(msglevel);
3916  msg(msglevel, "END");
3917 #else
3918  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3919 #endif
3920 }
3921 
3922 #ifdef TARGET_ANDROID
3923 int
3924 management_callback_network_change(void *arg, bool samenetwork)
3925 {
3926  /* Check if the client should translate the network change to a SIGUSR1 to
3927  * reestablish the connection or just reprotect the socket
3928  *
3929  * At the moment just assume that, for all settings that use pull (not
3930  * --static) and are not using peer-id reestablishing the connection is
3931  * required (unless the network is the same)
3932  *
3933  * The function returns -1 on invalid fd and -2 if the socket cannot be
3934  * reused. On the -2 return value the man_network_change function triggers
3935  * a SIGUSR1 to force a reconnect.
3936  */
3937 
3938  int socketfd = -1;
3939  struct context *c = (struct context *) arg;
3940  if (!c->c2.link_socket)
3941  {
3942  return -1;
3943  }
3944  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3945  {
3946  return -1;
3947  }
3948 
3949  socketfd = c->c2.link_socket->sd;
3950  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3951  {
3952  return socketfd;
3953  }
3954  else
3955  {
3956  return -2;
3957  }
3958 }
3959 #endif /* ifdef TARGET_ANDROID */
3960 
3961 #endif /* ifdef ENABLE_MANAGEMENT */
3962 
3963 void
3965 {
3966 #ifdef ENABLE_MANAGEMENT
3967  if (management)
3968  {
3969  struct management_callback cb;
3970  CLEAR(cb);
3971  cb.arg = c;
3976 #ifdef TARGET_ANDROID
3977  cb.network_change = management_callback_network_change;
3978 #endif
3980  }
3981 #endif
3982 }
3983 
3984 #ifdef ENABLE_MANAGEMENT
3985 
3986 void
3988 {
3989  if (!management)
3990  {
3992  }
3993 }
3994 
3995 bool
3997 {
3998  /* initialize management layer */
3999  if (management)
4000  {
4001  if (c->options.management_addr)
4002  {
4003  unsigned int flags = c->options.management_flags;
4004  if (c->options.mode == MODE_SERVER)
4005  {
4006  flags |= MF_SERVER;
4007  }
4019  flags))
4020  {
4023  NULL,
4024  NULL,
4025  NULL,
4026  NULL,
4027  NULL);
4028  }
4029 
4030  /* initial management hold, called early, before first context initialization */
4031  do_hold(0);
4032  if (IS_SIG(c))
4033  {
4034  msg(M_WARN, "Signal received from management interface, exiting");
4035  return false;
4036  }
4037  }
4038  else
4039  {
4040  close_management();
4041  }
4042  }
4043  return true;
4044 }
4045 
4046 void
4048 {
4049  if (management)
4050  {
4052  management = NULL;
4053  }
4054 }
4055 
4056 #endif /* ifdef ENABLE_MANAGEMENT */
4057 
4058 
4059 void
4061 {
4062 #ifdef ENABLE_MANAGEMENT
4063  if (management)
4064  {
4066  }
4067 #endif
4068 }
4069 
4070 /*
4071  * Initialize a tunnel instance, handle pre and post-init
4072  * signal settings.
4073  */
4074 void
4075 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4076 {
4078  init_instance(c, env, flags);
4080 
4081  /*
4082  * This is done so that signals thrown during
4083  * initialization can bring us back to
4084  * a management hold.
4085  */
4086  if (IS_SIG(c))
4087  {
4088  remap_signal(c);
4090  }
4091 }
4092 
4093 /*
4094  * Initialize a tunnel instance.
4095  */
4096 void
4097 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4098 {
4099  const struct options *options = &c->options;
4100  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4101  int link_socket_mode = LS_MODE_DEFAULT;
4102 
4103  /* init garbage collection level */
4104  gc_init(&c->c2.gc);
4105 
4106  /* inherit environmental variables */
4107  if (env)
4108  {
4109  do_inherit_env(c, env);
4110  }
4111 
4112  /* signals caught here will abort */
4113  c->sig->signal_received = 0;
4114  c->sig->signal_text = NULL;
4115  c->sig->source = SIG_SOURCE_SOFT;
4116 
4117  if (c->mode == CM_P2P)
4118  {
4120  }
4121 
4122  /* possible sleep or management hold if restart */
4123  if (c->mode == CM_P2P || c->mode == CM_TOP)
4124  {
4125  do_startup_pause(c);
4126  if (IS_SIG(c))
4127  {
4128  goto sig;
4129  }
4130  }
4131 
4132  if (c->options.resolve_in_advance)
4133  {
4134  do_preresolve(c);
4135  if (IS_SIG(c))
4136  {
4137  goto sig;
4138  }
4139  }
4140 
4141  /* map in current connection entry */
4143 
4144  /* link_socket_mode allows CM_CHILD_TCP
4145  * instances to inherit acceptable fds
4146  * from a top-level parent */
4147  if (c->options.ce.proto == PROTO_TCP_SERVER)
4148  {
4149  if (c->mode == CM_TOP)
4150  {
4151  link_socket_mode = LS_MODE_TCP_LISTEN;
4152  }
4153  else if (c->mode == CM_CHILD_TCP)
4154  {
4155  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4156  }
4157  }
4158 
4159  /* should we disable paging? */
4160  if (c->first_time && options->mlock)
4161  {
4162  platform_mlockall(true);
4163  }
4164 
4165 #if P2MP
4166  /* get passwords if undefined */
4167  if (auth_retry_get() == AR_INTERACT)
4168  {
4170  }
4171 #endif
4172 
4173  /* initialize context level 2 --verb/--mute parms */
4175 
4176  /* set error message delay for non-server modes */
4177  if (c->mode == CM_P2P)
4178  {
4180  }
4181 
4182  /* warn about inconsistent options */
4183  if (c->mode == CM_P2P || c->mode == CM_TOP)
4184  {
4185  do_option_warnings(c);
4186  }
4187 
4188 #ifdef ENABLE_PLUGIN
4189  /* initialize plugins */
4190  if (c->mode == CM_P2P || c->mode == CM_TOP)
4191  {
4193  }
4194 #endif
4195 
4196  /* should we enable fast I/O? */
4197  if (c->mode == CM_P2P || c->mode == CM_TOP)
4198  {
4199  do_setup_fast_io(c);
4200  }
4201 
4202  /* should we throw a signal on TLS errors? */
4204 
4205  /* open --status file */
4206  if (c->mode == CM_P2P || c->mode == CM_TOP)
4207  {
4209  }
4210 
4211  /* open --ifconfig-pool-persist file */
4212  if (c->mode == CM_TOP)
4213  {
4215  }
4216 
4217 #ifdef ENABLE_OCC
4218  /* reset OCC state */
4219  if (c->mode == CM_P2P || child)
4220  {
4221  c->c2.occ_op = occ_reset_op();
4222  }
4223 #endif
4224 
4225  /* our wait-for-i/o objects, different for posix vs. win32 */
4226  if (c->mode == CM_P2P)
4227  {
4229  }
4230  else if (c->mode == CM_CHILD_TCP)
4231  {
4232  do_event_set_init(c, false);
4233  }
4234 
4235  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4236  init_proxy(c);
4237 
4238  /* allocate our socket object */
4239  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4240  {
4241  do_link_socket_new(c);
4242  }
4243 
4244 #ifdef ENABLE_FRAGMENT
4245  /* initialize internal fragmentation object */
4246  if (options->ce.fragment && (c->mode == CM_P2P || child))
4247  {
4248  c->c2.fragment = fragment_init(&c->c2.frame);
4249  }
4250 #endif
4251 
4252  /* init crypto layer */
4253  {
4254  unsigned int crypto_flags = 0;
4255  if (c->mode == CM_TOP)
4256  {
4257  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4258  }
4259  else if (c->mode == CM_P2P)
4260  {
4262  }
4263  else if (child)
4264  {
4265  crypto_flags = CF_INIT_TLS_MULTI;
4266  }
4267  do_init_crypto(c, crypto_flags);
4268  if (IS_SIG(c) && !child)
4269  {
4270  goto sig;
4271  }
4272  }
4273 
4274 #ifdef USE_COMP
4275  /* initialize compression library. */
4276  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4277  {
4278  c->c2.comp_context = comp_init(&options->comp);
4279  }
4280 #endif
4281 
4282  /* initialize MTU variables */
4283  do_init_frame(c);
4284 
4285  /* initialize TLS MTU variables */
4286  do_init_frame_tls(c);
4287 
4288  /* init workspace buffers whose size is derived from frame size */
4289  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4290  {
4291  do_init_buffers(c);
4292  }
4293 
4294 #ifdef ENABLE_FRAGMENT
4295  /* initialize internal fragmentation capability with known frame size */
4296  if (options->ce.fragment && (c->mode == CM_P2P || child))
4297  {
4298  do_init_fragment(c);
4299  }
4300 #endif
4301 
4302  /* initialize dynamic MTU variable */
4303  frame_init_mssfix(&c->c2.frame, &c->options);
4304 
4305  /* bind the TCP/UDP socket */
4306  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4307  {
4308  do_init_socket_1(c, link_socket_mode);
4309  }
4310 
4311  /* initialize tun/tap device object,
4312  * open tun/tap device, ifconfig, run up script, etc. */
4313  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4314  {
4315  c->c2.did_open_tun = do_open_tun(c);
4316  }
4317 
4318  c->c2.frame_initial = c->c2.frame;
4319 
4320  /* print MTU info */
4322 
4323 #ifdef ENABLE_OCC
4324  /* get local and remote options compatibility strings */
4325  if (c->mode == CM_P2P || child)
4326  {
4328  }
4329 #endif
4330 
4331  /* initialize output speed limiter */
4332  if (c->mode == CM_P2P)
4333  {
4335  }
4336 
4337  /* do one-time inits, and possibly become a daemon here */
4338  do_init_first_time(c);
4339 
4340 #ifdef ENABLE_PLUGIN
4341  /* initialize plugins */
4342  if (c->mode == CM_P2P || c->mode == CM_TOP)
4343  {
4345  }
4346 #endif
4347 
4348  /* initialise connect timeout timer */
4350 
4351  /* finalize the TCP/UDP socket */
4352  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4353  {
4354  do_init_socket_2(c);
4355  }
4356 
4357  /*
4358  * Actually do UID/GID downgrade, and chroot, if requested.
4359  * May be delayed by --client, --pull, or --up-delay.
4360  */
4362 
4363  /* initialize timers */
4364  if (c->mode == CM_P2P || child)
4365  {
4366  do_init_timers(c, false);
4367  }
4368 
4369 #ifdef ENABLE_PLUGIN
4370  /* initialize plugins */
4371  if (c->mode == CM_P2P || c->mode == CM_TOP)
4372  {
4374  }
4375 #endif
4376 
4377 #if PORT_SHARE
4378  /* share OpenVPN port with foreign (such as HTTPS) server */
4379  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4380  {
4381  init_port_share(c);
4382  }
4383 #endif
4384 
4385 #ifdef ENABLE_PF
4386  if (child)
4387  {
4388  pf_init_context(c);
4389  }
4390 #endif
4391 
4392  /* Check for signals */
4393  if (IS_SIG(c))
4394  {
4395  goto sig;
4396  }
4397 
4398  return;
4399 
4400 sig:
4401  if (!c->sig->signal_text)
4402  {
4403  c->sig->signal_text = "init_instance";
4404  }
4405  close_context(c, -1, flags);
4406  return;
4407 }
4408 
4409 /*
4410  * Close a tunnel instance.
4411  */
4412 void
4414 {
4415  /* close event objects */
4416  do_close_event_set(c);
4417 
4418  if (c->mode == CM_P2P
4419  || c->mode == CM_CHILD_TCP
4420  || c->mode == CM_CHILD_UDP
4421  || c->mode == CM_TOP)
4422  {
4423  /* if xinetd/inetd mode, don't allow restart */
4425 
4426 #ifdef USE_COMP
4427  if (c->c2.comp_context)
4428  {
4429  comp_uninit(c->c2.comp_context);
4430  c->c2.comp_context = NULL;
4431  }
4432 #endif
4433 
4434  /* free buffers */
4435  do_close_free_buf(c);
4436 
4437  /* close TLS */
4438  do_close_tls(c);
4439 
4440  /* free key schedules */
4441  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4442 
4444 
4445  /* close TCP/UDP connection */
4447 
4448  /* close TUN/TAP device */
4449  do_close_tun(c, false);
4450 
4451 #ifdef MANAGEMENT_DEF_AUTH
4452  if (management)
4453  {
4454  management_notify_client_close(management, &c->c2.mda_context, NULL);
4455  }
4456 #endif
4457 
4458 #ifdef ENABLE_PF
4459  pf_destroy_context(&c->c2.pf);
4460 #endif
4461 
4462 #ifdef ENABLE_PLUGIN
4463  /* call plugin close functions and unload */
4464  do_close_plugins(c);
4465 #endif
4466 
4467  /* close packet-id persistence file */
4468  do_close_packet_id(c);
4469 
4470  /* close --status file */
4472 
4473 #ifdef ENABLE_FRAGMENT
4474  /* close fragmentation handler */
4475  do_close_fragment(c);
4476 #endif
4477 
4478  /* close --ifconfig-pool-persist obj */
4480 
4481  /* free up environmental variable store */
4482  do_env_set_destroy(c);
4483 
4484  /* close HTTP or SOCKS proxy */
4485  uninit_proxy(c);
4486 
4487  /* garbage collect */
4488  gc_free(&c->c2.gc);
4489  }
4490 }
4491 
4492 void
4494  const struct context *src)
4495 {
4496  CLEAR(*dest);
4497 
4498  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4500 
4501  dest->gc = gc_new();
4502 
4503  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4504 
4505  /* c1 init */
4507 
4508  dest->c1.ks.key_type = src->c1.ks.key_type;
4509  /* inherit SSL context */
4510  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4511  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4514  /* inherit pre-NCP ciphers */
4515  dest->c1.ciphername = src->c1.ciphername;
4516  dest->c1.authname = src->c1.authname;
4517  dest->c1.keysize = src->c1.keysize;
4518 
4519  /* inherit auth-token */
4520  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4521 
4522  /* options */
4523  dest->options = src->options;
4524  options_detach(&dest->options);
4525 
4526  if (dest->mode == CM_CHILD_TCP)
4527  {
4528  /*
4529  * The CM_TOP context does the socket listen(),
4530  * and the CM_CHILD_TCP context does the accept().
4531  */
4532  dest->c2.accept_from = src->c2.link_socket;
4533  }
4534 
4535 #ifdef ENABLE_PLUGIN
4536  /* inherit plugins */
4537  do_inherit_plugins(dest, src);
4538 #endif
4539 
4540  /* context init */
4541  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4542  if (IS_SIG(dest))
4543  {
4544  return;
4545  }
4546 
4547  /* inherit tun/tap interface object */
4548  dest->c1.tuntap = src->c1.tuntap;
4549 
4550  /* UDP inherits some extra things which TCP does not */
4551  if (dest->mode == CM_CHILD_UDP)
4552  {
4553  /* inherit buffers */
4554  dest->c2.buffers = src->c2.buffers;
4555 
4556  /* inherit parent link_socket and tuntap */
4557  dest->c2.link_socket = src->c2.link_socket;
4558 
4559  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4560  *dest->c2.link_socket_info = src->c2.link_socket->info;
4561 
4562  /* locally override some link_socket_info fields */
4563  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4565  }
4566 }
4567 
4568 void
4570  const struct context *src)
4571 {
4572  /* copy parent */
4573  *dest = *src;
4574 
4575  /*
4576  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4577  * resources owned by the parent.
4578  *
4579  * Also note that CM_TOP_CLONE context objects are
4580  * closed by multi_top_free in multi.c.
4581  */
4582  dest->mode = CM_TOP_CLONE;
4583 
4584  dest->first_time = false;
4585  dest->c0 = NULL;
4586 
4587  options_detach(&dest->options);
4588  gc_detach(&dest->gc);
4589  gc_detach(&dest->c2.gc);
4590 
4591  /* detach plugins */
4592  dest->plugins_owned = false;
4593 
4594  dest->c2.tls_multi = NULL;
4595 
4596  /* detach c1 ownership */
4597  dest->c1.tuntap_owned = false;
4598  dest->c1.status_output_owned = false;
4599  dest->c1.ifconfig_pool_persist_owned = false;
4600 
4601  /* detach c2 ownership */
4602  dest->c2.event_set_owned = false;
4603  dest->c2.link_socket_owned = false;
4604  dest->c2.buffers_owned = false;
4605  dest->c2.es_owned = false;
4606 
4607  dest->c2.event_set = NULL;
4608  if (proto_is_dgram(src->options.ce.proto))
4609  {
4610  do_event_set_init(dest, false);
4611  }
4612 
4613 #ifdef USE_COMP
4614  dest->c2.comp_context = NULL;
4615 #endif
4616 }
4617 
4618 void
4619 close_context(struct context *c, int sig, unsigned int flags)
4620 {
4621  ASSERT(c);
4622  ASSERT(c->sig);
4623 
4624  if (sig >= 0)
4625  {
4626  c->sig->signal_received = sig;
4627  }
4628 
4629  if (c->sig->signal_received == SIGUSR1)
4630  {
4631  if ((flags & CC_USR1_TO_HUP)
4632  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4633  {
4634  c->sig->signal_received = SIGHUP;
4635  c->sig->signal_text = "close_context usr1 to hup";
4636  }
4637  }
4638 
4639  if (!(flags & CC_NO_CLOSE))
4640  {
4641  close_instance(c);
4642  }
4643 
4644  if (flags & CC_GC_FREE)
4645  {
4646  context_gc_free(c);
4647  }
4648 }
4649 
4650 /*
4651  * Do a loopback test
4652  * on the crypto subsystem.
4653  */
4654 static void *
4656 {
4657  struct context *c = (struct context *) arg;
4658  const struct options *options = &c->options;
4659 
4660  ASSERT(options->test_crypto);
4662  context_init_1(c);
4664  do_init_crypto_static(c, 0);
4665 
4666  frame_finalize_options(c, options);
4667 
4668  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4669 
4670  key_schedule_free(&c->c1.ks, true);
4672 
4673  context_gc_free(c);
4674  return NULL;
4675 }
4676 
4677 bool
4678 do_test_crypto(const struct options *o)
4679 {
4680  if (o->test_crypto)
4681  {
4682  struct context c;
4683 
4684  /* print version number */
4685  msg(M_INFO, "%s", title_string);
4686 
4687  context_clear(&c);
4688  c.options = *o;
4689  options_detach(&c.options);
4690  c.first_time = true;
4691  test_crypto_thread((void *) &c);
4692  return true;
4693  }
4694  return false;
4695 }
struct tuntap_options tuntap_options
Definition: options.h:303
bool tcp_mode
Definition: ssl_common.h:302
struct env_set * es
Definition: openvpn.h:426
char port[RH_PORT_LEN]
Definition: options.h:184
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:458
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2519
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:338
void management_close(struct management *man)
Definition: manage.c:2636
int ifconfig_pool_persist_refresh_freq
Definition: options.h:435
struct key_type key_type
Definition: ssl_common.h:247
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
bool persist_remote_ip
Definition: options.h:292
int sndbuf
Definition: options.h:351
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:370
bool log_rw
Definition: openvpn.h:386
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:464
struct frame frame_fragment_omit
Definition: openvpn.h:267
const char * tmp_dir
Definition: ssl_common.h:319
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:389
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:563
#define OPT_P_DEFAULT
Definition: options.h:693
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1488
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:252
Definition: tun.h:145
bool ncp_enabled
Definition: options.h:509
unsigned int management_flags
Definition: options.h:395
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1955
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:905
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2547
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:284
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:633
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:105
struct event_timeout ping_rec_interval
Definition: openvpn.h:298
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1321
bool tls_crypt_v2
Definition: ssl_common.h:308
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:499
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:963
struct event_timeout route_wakeup_expire
Definition: openvpn.h:390
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:517
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1100
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5480
bool show_curves
Definition: options.h:222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:630
const char * cipher_list
Definition: options.h:542
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:527
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
static void do_alloc_route_list(struct context *c)
Definition: init.c:1433
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:296
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:978
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3671
bool tls_crypt_v2_file_inline
Definition: options.h:609
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2108
static void init_proxy_dowork(struct context *c)
Definition: init.c:580
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1735
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
bool did_open_tun
Definition: openvpn.h:393
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
unsigned int auth_token_lifetime
Definition: ssl_common.h:326
const char * tls_cert_profile
Definition: options.h:544
int management_log_history_cache
Definition: options.h:386
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
struct interval tmp_int
Definition: openvpn.h:350
#define streq(x, y)
Definition: options.h:657
const char * ifconfig_pool_persist_filename
Definition: options.h:434
const char * chroot_dir
Definition: options.h:308
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:731
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3890
static void do_close_event_set(struct context *c)
Definition: init.c:3686
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2686
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:421
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:247
#define WSO_FORCE_SERVICE
Definition: win32.h:166
int ping_rec_timeout_action
Definition: options.h:288
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2118
bool auth_token_generate
Definition: options.h:477
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
int inetd
Definition: options.h:325
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4330
void tun_abort(void)
Definition: init.c:2088
Contains all state information for one tunnel.
Definition: openvpn.h:497
#define CIPHER_ENABLED(c)
Definition: openvpn.h:568
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3769
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2606
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:355
struct env_set * es
Set of environment variables.
Definition: openvpn.h:520
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:111
struct man_persist persist
Definition: manage.h:320
#define srandom
Definition: syshead.h:45
bool proto_is_udp(int proto)
Definition: socket.c:3174
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:377
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
#define OPT_P_PLUGIN
Definition: options.h:686
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
#define dmsg
Definition: error.h:174
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4619
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3418
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
#define SDL_CONSTRAIN
Definition: error.h:203
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
const char * shared_secret_file
Definition: options.h:505
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6401
#define RH_PORT_LEN
Definition: options.h:183
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:638
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3964
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:338
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:327
bool tls_crypt_v2_file_inline
Definition: options.h:146
void close_instance(struct context *c)
Definition: init.c:4413
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:583
const char * client_config_dir_exclusive
Definition: ssl_common.h:331
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1348
#define OPT_P_IPWIN32
Definition: options.h:665
bool persist_key
Definition: options.h:293
#define SIGUSR1
Definition: config-msvc.h:153
int replay_window
Definition: options.h:518
int persist_mode
Definition: options.h:215
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:418
const char * auth_user_pass_file
Definition: ssl_common.h:320
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3817
struct context_buffers * buffers
Definition: openvpn.h:373
int verify_x509_type
Definition: ssl_common.h:282
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
struct event_timeout wait_for_connect
Definition: openvpn.h:296
int rcvbuf
Definition: options.h:350
const char * config_ncp_ciphers
Definition: ssl_common.h:305
#define D_LOG_RW
Definition: errlevel.h:110
struct link_socket_info * link_socket_info
Definition: openvpn.h:252
static void next_connection_entry(struct context *c)
Definition: init.c:432
int handshake_window
Definition: ssl_common.h:273
struct connection_list * connection_list
Definition: options.h:231
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:296
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define RH_HOST_LEN
Definition: options.h:181
const char * exit_event_name
Definition: options.h:629
#define AR_NONE
Definition: options.h:843
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:253
bool route_noexec
Definition: options.h:365
unsigned int sockflags
Definition: options.h:357
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2475
in_addr_t remote_netmask
Definition: tun.h:167
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
static void do_close_tls(struct context *c)
Definition: init.c:3540
const char * genkey_extra_data
Definition: options.h:226
static bool ce_management_query_remote(struct context *c)
Definition: init.c:343
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define ENABLE_PKCS11
Definition: config-msvc.h:18
const char * route_script
Definition: options.h:360
void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
"Poor man&#39;s NCP": Use peer cipher if it is an allowed (NCP) cipher.
Definition: ssl_ncp.c:262
int management_state_buffer_size
Definition: options.h:388
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:299
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:481
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:106
#define D_READ_WRITE
Definition: errlevel.h:164
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:141
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3047
const char * config
Definition: options.h:201
int route_delay
Definition: options.h:366
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:524
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:315
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:361
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3842
const char * ekm_label
Definition: ssl_common.h:370
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
struct frame frame_initial
Definition: openvpn.h:260
bool down_pre
Definition: options.h:317
int keepalive_timeout
Definition: options.h:276
#define OPT_P_SOCKBUF
Definition: options.h:687
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
#define SIGTERM
Definition: config-msvc.h:155
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:322
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1415
#define TLS_MODE(c)
Definition: openvpn.h:560
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:537
bool push_peer_info
Definition: options.h:618
#define OPT_P_SETENV
Definition: options.h:667
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:151
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:584
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3710
bool tls_crypt_file_inline
Definition: options.h:141
#define PING_RESTART
Definition: options.h:287
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2997
int handshake_window
Definition: options.h:588
#define ASSERT(x)
Definition: error.h:221
static void do_close_plugins(struct context *c)
Definition: init.c:3879
#define D_SHOW_NET
Definition: errlevel.h:129
static int ifconfig_order(void)
Definition: tun.h:333
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:224
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:298
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:243
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:589
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:340
int verify_x509_type
Definition: options.h:547
unsigned int unsuccessful_attempts
Definition: options.h:237
void close_management(void)
Definition: init.c:4047
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:479
const char * config_ciphername
Definition: ssl_common.h:304
const char * prng_hash
Definition: options.h:513
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1956
int ping_rec_timeout
Definition: options.h:282
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:257
bool fast_io
Definition: options.h:343
int key_direction
Definition: options.h:507
int renegotiate_bytes
Definition: ssl_common.h:275
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
static void update_options_ce_post(struct options *options)
Definition: init.c:192
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1419
struct tuntap_options options
Definition: tun.h:158
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:75
bool init_static(void)
Definition: init.c:731
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
struct frame frame_fragment_initial
Definition: openvpn.h:266
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:205
bool use_peer_id
Definition: ssl_common.h:582
struct event_timeout ping_send_interval
Definition: openvpn.h:297
bool route_delay_defined
Definition: options.h:368
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:509
bool tls_exit
Definition: options.h:620
#define MF_SERVER
Definition: manage.h:332
bool print_openssl_info(const struct options *options)
Definition: init.c:1011
void restore_signal_state(void)
Definition: sig.c:272
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1017
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:779
int key_direction
Definition: options.h:137
#define PULL_DEFINED(opt)
Definition: options.h:696
char * x509_username_field
Definition: ssl_common.h:291
bool route_nopull
Definition: options.h:372
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3652
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1209
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6515
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:67
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
const char * tls_export_cert
Definition: options.h:549
const char * route_default_gateway
Definition: options.h:362
const char * ncp_ciphers
Definition: options.h:510
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4075
int remap_sigusr1
Definition: options.h:322
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:138
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:537