OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 
55 #include "memdbg.h"
56 
57 
58 static struct context *static_context; /* GLOBAL */
59 
60 /*
61  * Crypto initialization flags
62  */
63 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64 #define CF_INIT_TLS_MULTI (1<<1)
65 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66 
67 static void do_init_first_time(struct context *c);
68 
69 void
70 context_clear(struct context *c)
71 {
72  CLEAR(*c);
73 }
74 
75 void
76 context_clear_1(struct context *c)
77 {
78  CLEAR(c->c1);
79 }
80 
81 void
82 context_clear_2(struct context *c)
83 {
84  CLEAR(c->c2);
85 }
86 
87 void
88 context_clear_all_except_first_time(struct context *c)
89 {
90  const bool first_time_save = c->first_time;
91  const struct context_persist cpsave = c->persist;
92  context_clear(c);
93  c->first_time = first_time_save;
94  c->persist = cpsave;
95 }
96 
97 /*
98  * Pass tunnel endpoint and MTU parms to a user-supplied script.
99  * Used to execute the up/down script/plugins.
100  */
101 static void
102 run_up_down(const char *command,
103  const struct plugin_list *plugins,
104  int plugin_type,
105  const char *arg,
106 #ifdef _WIN32
107  DWORD adapter_index,
108 #endif
109  const char *dev_type,
110  int tun_mtu,
111  int link_mtu,
112  const char *ifconfig_local,
113  const char *ifconfig_remote,
114  const char *context,
115  const char *signal_text,
116  const char *script_type,
117  struct env_set *es)
118 {
119  struct gc_arena gc = gc_new();
120 
121  if (signal_text)
122  {
123  setenv_str(es, "signal", signal_text);
124  }
125  setenv_str(es, "script_context", context);
126  setenv_int(es, "tun_mtu", tun_mtu);
127  setenv_int(es, "link_mtu", link_mtu);
128  setenv_str(es, "dev", arg);
129  if (dev_type)
130  {
131  setenv_str(es, "dev_type", dev_type);
132  }
133 #ifdef _WIN32
134  setenv_int(es, "dev_idx", adapter_index);
135 #endif
136 
137  if (!ifconfig_local)
138  {
139  ifconfig_local = "";
140  }
141  if (!ifconfig_remote)
142  {
143  ifconfig_remote = "";
144  }
145  if (!context)
146  {
147  context = "";
148  }
149 
150  if (plugin_defined(plugins, plugin_type))
151  {
152  struct argv argv = argv_new();
153  ASSERT(arg);
154  argv_printf(&argv,
155  "%s %d %d %s %s %s",
156  arg,
157  tun_mtu, link_mtu,
158  ifconfig_local, ifconfig_remote,
159  context);
160 
161  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162  {
163  msg(M_FATAL, "ERROR: up/down plugin call failed");
164  }
165 
166  argv_reset(&argv);
167  }
168 
169  if (command)
170  {
171  struct argv argv = argv_new();
172  ASSERT(arg);
173  setenv_str(es, "script_type", script_type);
174  argv_parse_cmd(&argv, command);
175  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176  ifconfig_local, ifconfig_remote, context);
177  argv_msg(M_INFO, &argv);
178  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179  argv_reset(&argv);
180  }
181 
182  gc_free(&gc);
183 }
184 
185 /*
186  * Should be called after options->ce is modified at the top
187  * of a SIGUSR1 restart.
188  */
189 static void
190 update_options_ce_post(struct options *options)
191 {
192 #if P2MP
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 #endif
207 }
208 
209 #ifdef ENABLE_MANAGEMENT
210 static bool
211 management_callback_proxy_cmd(void *arg, const char **p)
212 {
213  struct context *c = arg;
214  struct connection_entry *ce = &c->options.ce;
215  struct gc_arena *gc = &c->c2.gc;
216  bool ret = false;
217 
218  update_time();
219  if (streq(p[1], "NONE"))
220  {
221  ret = true;
222  }
223  else if (p[2] && p[3])
224  {
225  if (streq(p[1], "HTTP"))
226  {
227  struct http_proxy_options *ho;
228  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
229  {
230  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231  return false;
232  }
233  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234  ho->server = string_alloc(p[2], gc);
235  ho->port = string_alloc(p[3], gc);
236  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237  ret = true;
238  }
239  else if (streq(p[1], "SOCKS"))
240  {
241  ce->socks_proxy_server = string_alloc(p[2], gc);
242  ce->socks_proxy_port = string_alloc(p[3], gc);
243  ret = true;
244  }
245  }
246  else
247  {
248  msg(M_WARN, "Bad proxy command");
249  }
250 
251  ce->flags &= ~CE_MAN_QUERY_PROXY;
252 
253  return ret;
254 }
255 
256 static bool
257 ce_management_query_proxy(struct context *c)
258 {
259  const struct connection_list *l = c->options.connection_list;
260  struct connection_entry *ce = &c->options.ce;
261  struct gc_arena gc;
262  bool ret = true;
263 
264  update_time();
265  if (management)
266  {
267  gc = gc_new();
268  {
269  struct buffer out = alloc_buf_gc(256, &gc);
270  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272  management_notify_generic(management, BSTR(&out));
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  gc_free(&gc);
285  }
286 
287  return ret;
288 }
289 
290 
291 static bool
292 management_callback_remote_cmd(void *arg, const char **p)
293 {
294  struct context *c = (struct context *) arg;
295  struct connection_entry *ce = &c->options.ce;
296  int ret = false;
297  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298  {
299  int flags = 0;
300  if (!strcmp(p[1], "ACCEPT"))
301  {
302  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303  ret = true;
304  }
305  else if (!strcmp(p[1], "SKIP"))
306  {
307  flags = CE_MAN_QUERY_REMOTE_SKIP;
308  ret = true;
309  }
310  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311  {
312  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313  {
314  struct remote_host_store *rhs = c->options.rh_store;
315  if (!rhs)
316  {
317  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318  c->options.rh_store = rhs;
319  }
320  strncpynt(rhs->host, p[2], RH_HOST_LEN);
321  strncpynt(rhs->port, p[3], RH_PORT_LEN);
322 
323  ce->remote = rhs->host;
324  ce->remote_port = rhs->port;
325  flags = CE_MAN_QUERY_REMOTE_MOD;
326  ret = true;
327  }
328  }
329  if (ret)
330  {
331  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333  }
334  }
335  return ret;
336 }
337 
338 static bool
339 ce_management_query_remote(struct context *c)
340 {
341  struct gc_arena gc = gc_new();
342  volatile struct connection_entry *ce = &c->options.ce;
343  int ce_changed = true; /* presume the connection entry will be changed */
344 
345  update_time();
346  if (management)
347  {
348  struct buffer out = alloc_buf_gc(256, &gc);
349 
350  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351  proto2ascii(ce->proto, ce->af, false));
352  management_notify_generic(management, BSTR(&out));
353 
354  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
358  {
359  management_event_loop_n_seconds(management, 1);
360  if (IS_SIG(c))
361  {
362  ce_changed = false; /* connection entry have not been set */
363  break;
364  }
365  }
366  }
367  gc_free(&gc);
368 
369  if (ce_changed)
370  {
371  /* If it is likely a connection entry was modified,
372  * check what changed in the flags and that it was not skipped
373  */
374  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375  & CE_MAN_QUERY_REMOTE_MASK);
376  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
377  }
378  return ce_changed;
379 }
380 #endif /* ENABLE_MANAGEMENT */
381 
382 /*
383  * Initialize and possibly randomize connection list.
384  */
385 static void
386 init_connection_list(struct context *c)
387 {
388  struct connection_list *l = c->options.connection_list;
389 
390  l->current = -1;
391  if (c->options.remote_random)
392  {
393  int i;
394  for (i = 0; i < l->len; ++i)
395  {
396  const int j = get_random() % l->len;
397  if (i != j)
398  {
399  struct connection_entry *tmp;
400  tmp = l->array[i];
401  l->array[i] = l->array[j];
402  l->array[j] = tmp;
403  }
404  }
405  }
406 }
407 
408 /*
409  * Clear the remote address list
410  */
411 static void
412 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
413 {
414  if (lsa->remote_list && free)
415  {
416  freeaddrinfo(lsa->remote_list);
417  }
418  lsa->remote_list = NULL;
419  lsa->current_remote = NULL;
420 }
421 
422 /*
423  * Increment to next connection entry
424  */
425 static void
426 next_connection_entry(struct context *c)
427 {
428  struct connection_list *l = c->options.connection_list;
429  bool ce_defined;
430  struct connection_entry *ce;
431  int n_cycles = 0;
432 
433  do
434  {
435  ce_defined = true;
436  if (c->options.no_advance && l->current >= 0)
437  {
438  c->options.no_advance = false;
439  }
440  else
441  {
442  /* Check if there is another resolved address to try for
443  * the current connection */
444  if (c->c1.link_socket_addr.current_remote
445  && c->c1.link_socket_addr.current_remote->ai_next)
446  {
447  c->c1.link_socket_addr.current_remote =
448  c->c1.link_socket_addr.current_remote->ai_next;
449  }
450  else
451  {
452  /* FIXME (schwabe) fix the persist-remote-ip option for real,
453  * this is broken probably ever since connection lists and multiple
454  * remote existed
455  */
456  if (!c->options.persist_remote_ip)
457  {
458  /* close_instance should have cleared the addrinfo objects */
459  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461  }
462  else
463  {
464  c->c1.link_socket_addr.current_remote =
465  c->c1.link_socket_addr.remote_list;
466  }
467 
468  /*
469  * Increase the number of connection attempts
470  * If this is connect-retry-max * size(l)
471  * OpenVPN will quit
472  */
473 
474  c->options.unsuccessful_attempts++;
475 
476  if (++l->current >= l->len)
477  {
478 
479  l->current = 0;
480  if (++n_cycles >= 2)
481  {
482  msg(M_FATAL, "No usable connection profiles are present");
483  }
484  }
485  }
486  }
487 
488  ce = l->array[l->current];
489 
490  if (ce->flags & CE_DISABLED)
491  {
492  ce_defined = false;
493  }
494 
495  c->options.ce = *ce;
496 #ifdef ENABLE_MANAGEMENT
497  if (ce_defined && management && management_query_remote_enabled(management))
498  {
499  /* allow management interface to override connection entry details */
500  ce_defined = ce_management_query_remote(c);
501  if (IS_SIG(c))
502  {
503  break;
504  }
505  }
506  else if (ce_defined && management && management_query_proxy_enabled(management))
507  {
508  ce_defined = ce_management_query_proxy(c);
509  if (IS_SIG(c))
510  {
511  break;
512  }
513  }
514 #endif
515  } while (!ce_defined);
516 
517  /* Check if this connection attempt would bring us over the limit */
518  if (c->options.connect_retry_max > 0
519  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520  {
521  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522  c->options.connect_retry_max);
523  }
524  update_options_ce_post(&c->options);
525 }
526 
527 /*
528  * Query for private key and auth-user-pass username/passwords
529  */
530 void
531 init_query_passwords(const struct context *c)
532 {
533  /* Certificate password input */
534  if (c->options.key_pass_file)
535  {
536  pem_password_setup(c->options.key_pass_file);
537  }
538 
539 #if P2MP
540  /* Auth user/pass input */
541  if (c->options.auth_user_pass_file)
542  {
543 #ifdef ENABLE_MANAGEMENT
544  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
545 #else
546  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
547 #endif
548  }
549 #endif
550 }
551 
552 /*
553  * Initialize/Uninitialize HTTP or SOCKS proxy
554  */
555 
556 static void
557 uninit_proxy_dowork(struct context *c)
558 {
559  if (c->c1.http_proxy_owned && c->c1.http_proxy)
560  {
561  http_proxy_close(c->c1.http_proxy);
562  c->c1.http_proxy = NULL;
563  c->c1.http_proxy_owned = false;
564  }
565  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
566  {
567  socks_proxy_close(c->c1.socks_proxy);
568  c->c1.socks_proxy = NULL;
569  c->c1.socks_proxy_owned = false;
570  }
571 }
572 
573 static void
574 init_proxy_dowork(struct context *c)
575 {
576  bool did_http = false;
577 
578  uninit_proxy_dowork(c);
579 
580  if (c->options.ce.http_proxy_options)
581  {
582  /* Possible HTTP proxy user/pass input */
583  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584  if (c->c1.http_proxy)
585  {
586  did_http = true;
587  c->c1.http_proxy_owned = true;
588  }
589  }
590 
591  if (!did_http && c->options.ce.socks_proxy_server)
592  {
593  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594  c->options.ce.socks_proxy_port,
595  c->options.ce.socks_proxy_authfile);
596  if (c->c1.socks_proxy)
597  {
598  c->c1.socks_proxy_owned = true;
599  }
600  }
601 }
602 
603 static void
604 init_proxy(struct context *c)
605 {
606  init_proxy_dowork(c);
607 }
608 
609 static void
610 uninit_proxy(struct context *c)
611 {
612  uninit_proxy_dowork(c);
613 }
614 
615 /*
616  * Saves the initial state of NCP-regotiable
617  * options into a storage which persists over SIGUSR1.
618  */
619 static void
620 save_ncp_options(struct context *c)
621 {
622  c->c1.ciphername = c->options.ciphername;
623  c->c1.authname = c->options.authname;
624  c->c1.keysize = c->options.keysize;
625 }
626 
627 /* Restores NCP-negotiable options to original values */
628 static void
629 restore_ncp_options(struct context *c)
630 {
631  c->options.ciphername = c->c1.ciphername;
632  c->options.authname = c->c1.authname;
633  c->options.keysize = c->c1.keysize;
634 }
635 
636 void
637 context_init_1(struct context *c)
638 {
639  context_clear_1(c);
640 
641  packet_id_persist_init(&c->c1.pid_persist);
642 
643  init_connection_list(c);
644 
645  save_ncp_options(c);
646 
647 #if defined(ENABLE_PKCS11)
648  if (c->first_time)
649  {
650  int i;
651  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
653  {
654  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
656  }
657  }
658 #endif
659 
660 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
661  {
662  /*
663  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664  */
665  struct user_pass up;
666  CLEAR(up);
667  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670  * 'needok' command, usually 'ok' or 'cancel'. */
671  }
672 #endif
673 
674 #ifdef ENABLE_SYSTEMD
675  /* We can report the PID via getpid() to systemd here as OpenVPN will not
676  * do any fork due to daemon() a future call.
677  * See possibly_become_daemon() [init.c] for more details.
678  */
679  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
680  (unsigned long) getpid());
681 #endif
682 
683 }
684 
685 void
686 context_gc_free(struct context *c)
687 {
688  gc_free(&c->c2.gc);
689  gc_free(&c->options.gc);
690  gc_free(&c->gc);
691 }
692 
693 #if PORT_SHARE
694 
695 static void
696 close_port_share(void)
697 {
698  if (port_share)
699  {
700  port_share_close(port_share);
701  port_share = NULL;
702  }
703 }
704 
705 static void
706 init_port_share(struct context *c)
707 {
708  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
709  {
710  port_share = port_share_open(c->options.port_share_host,
711  c->options.port_share_port,
712  MAX_RW_SIZE_LINK(&c->c2.frame),
713  c->options.port_share_journal_dir);
714  if (port_share == NULL)
715  {
716  msg(M_FATAL, "Fatal error: Port sharing failed");
717  }
718  }
719 }
720 
721 #endif /* if PORT_SHARE */
722 
723 
724 bool
725 init_static(void)
726 {
727  /* configure_path (); */
728 
729 #if defined(DMALLOC)
730  crypto_init_dmalloc();
731 #endif
732 
733 
734  /*
735  * Initialize random number seed. random() is only used
736  * when "weak" random numbers are acceptable.
737  * SSL library routines are always used when cryptographically
738  * strong random numbers are required.
739  */
740  struct timeval tv;
741  if (!gettimeofday(&tv, NULL))
742  {
743  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744  srandom(seed);
745  }
746 
747  error_reset(); /* initialize error.c */
748  reset_check_status(); /* initialize status check code in socket.c */
749 
750 #ifdef _WIN32
751  init_win32();
752 #endif
753 
754 #ifdef OPENVPN_DEBUG_COMMAND_LINE
755  {
756  int i;
757  for (i = 0; i < argc; ++i)
758  {
759  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
760  }
761  }
762 #endif
763 
764  update_time();
765 
766  init_ssl_lib();
767 
768  /* init PRNG used for IV generation */
769  /* When forking, copy this to more places in the code to avoid fork
770  * random-state predictability */
771  prng_init(NULL, 0);
772 
773 #ifdef PID_TEST
774  packet_id_interactive_test(); /* test the sequence number code */
775  return false;
776 #endif
777 
778 #ifdef SCHEDULE_TEST
779  schedule_test();
780  return false;
781 #endif
782 
783 #ifdef LIST_TEST
784  list_test();
785  return false;
786 #endif
787 
788 #ifdef IFCONFIG_POOL_TEST
789  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790  return false;
791 #endif
792 
793 #ifdef CHARACTER_CLASS_DEBUG
794  character_class_debug();
795  return false;
796 #endif
797 
798 #ifdef EXTRACT_X509_FIELD_TEST
799  extract_x509_field_test();
800  return false;
801 #endif
802 
803 #ifdef TIME_TEST
804  time_test();
805  return false;
806 #endif
807 
808 #ifdef TEST_GET_DEFAULT_GATEWAY
809  {
810  struct route_gateway_info rgi;
811  struct route_ipv6_gateway_info rgi6;
812  get_default_gateway(&rgi);
813  get_default_gateway_ipv6(&rgi6, NULL);
814  print_default_gateway(M_INFO, &rgi, &rgi6);
815  return false;
816  }
817 #endif
818 
819 #ifdef GEN_PATH_TEST
820  {
821  struct gc_arena gc = gc_new();
822  const char *fn = gen_path("foo",
823  "bar",
824  &gc);
825  printf("%s\n", fn);
826  gc_free(&gc);
827  }
828  return false;
829 #endif
830 
831 #ifdef STATUS_PRINTF_TEST
832  {
833  struct gc_arena gc = gc_new();
834  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
835  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836  status_printf(so, "%s", "foo");
837  status_printf(so, "%s", "bar");
838  if (!status_close(so))
839  {
840  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841  }
842  gc_free(&gc);
843  }
844  return false;
845 #endif
846 
847 #ifdef ARGV_TEST
848  {
849  void argv_test(void);
850 
851  argv_test();
852  return false;
853  }
854 #endif
855 
856 #ifdef PRNG_TEST
857  {
858  struct gc_arena gc = gc_new();
859  uint8_t rndbuf[8];
860  int i;
861  prng_init("sha1", 16);
862  /*prng_init (NULL, 0);*/
863  const int factor = 1;
864  for (i = 0; i < factor * 8; ++i)
865  {
866 #if 1
867  prng_bytes(rndbuf, sizeof(rndbuf));
868 #else
869  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
870 #endif
871  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872  }
873  gc_free(&gc);
874  prng_uninit();
875  return false;
876  }
877 #endif /* ifdef PRNG_TEST */
878 
879 #ifdef BUFFER_LIST_AGGREGATE_TEST
880  /* test buffer_list_aggregate function */
881  {
882  static const char *text[] = {
883  "It was a bright cold day in April, ",
884  "and the clocks were striking ",
885  "thirteen. ",
886  "Winston Smith, ",
887  "his chin nuzzled into his breast in an ",
888  "effort to escape the vile wind, ",
889  "slipped quickly through the glass doors ",
890  "of Victory Mansions, though not quickly ",
891  "enough to prevent a swirl of gritty dust from ",
892  "entering along with him."
893  };
894 
895  int iter, listcap;
896  for (listcap = 0; listcap < 12; ++listcap)
897  {
898  for (iter = 0; iter < 512; ++iter)
899  {
900  struct buffer_list *bl = buffer_list_new(listcap);
901  {
902  int i;
903  for (i = 0; i < SIZE(text); ++i)
904  {
905  buffer_list_push(bl, (unsigned char *)text[i]);
906  }
907  }
908  printf("[cap=%d i=%d] *************************\n", listcap, iter);
909  if (!(iter & 8))
910  {
911  buffer_list_aggregate(bl, iter/2);
912  }
913  if (!(iter & 16))
914  {
915  buffer_list_push(bl, (unsigned char *)"Even more text...");
916  }
917  buffer_list_aggregate(bl, iter);
918  if (!(iter & 1))
919  {
920  buffer_list_push(bl, (unsigned char *)"More text...");
921  }
922  {
923  struct buffer *buf;
924  while ((buf = buffer_list_peek(bl)))
925  {
926  int c;
927  printf("'");
928  while ((c = buf_read_u8(buf)) >= 0)
929  {
930  putchar(c);
931  }
932  printf("'\n");
933  buffer_list_advance(bl, 0);
934  }
935  }
936  buffer_list_free(bl);
937  }
938  }
939  return false;
940  }
941 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
942 
943 #ifdef MSTATS_TEST
944  {
945  int i;
946  mstats_open("/dev/shm/mstats.dat");
947  for (i = 0; i < 30; ++i)
948  {
949  mmap_stats->n_clients += 1;
950  mmap_stats->link_write_bytes += 8;
951  mmap_stats->link_read_bytes += 16;
952  sleep(1);
953  }
954  mstats_close();
955  return false;
956  }
957 #endif
958 
959  return true;
960 }
961 
962 void
963 uninit_static(void)
964 {
965  free_ssl_lib();
966 
967 #ifdef ENABLE_PKCS11
968  pkcs11_terminate();
969 #endif
970 
971 #if PORT_SHARE
972  close_port_share();
973 #endif
974 
975 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
976  show_tls_performance_stats();
977 #endif
978 }
979 
980 void
981 init_verb_mute(struct context *c, unsigned int flags)
982 {
983  if (flags & IVM_LEVEL_1)
984  {
985  /* set verbosity and mute levels */
986  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
987  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
988  set_mute_cutoff(c->options.mute);
989  }
990 
991  /* special D_LOG_RW mode */
992  if (flags & IVM_LEVEL_2)
993  {
994  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
995  }
996 }
997 
998 /*
999  * Possibly set --dev based on --dev-node.
1000  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001  * set --dev to tun.
1002  */
1003 void
1004 init_options_dev(struct options *options)
1005 {
1006  if (!options->dev && options->dev_node)
1007  {
1008  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
1009  options->dev = basename(dev_node);
1010  }
1011 }
1012 
1013 bool
1014 print_openssl_info(const struct options *options)
1015 {
1016  /*
1017  * OpenSSL info print mode?
1018  */
1019  if (options->show_ciphers || options->show_digests || options->show_engines
1020  || options->show_tls_ciphers || options->show_curves)
1021  {
1022  if (options->show_ciphers)
1023  {
1024  show_available_ciphers();
1025  }
1026  if (options->show_digests)
1027  {
1028  show_available_digests();
1029  }
1030  if (options->show_engines)
1031  {
1032  show_available_engines();
1033  }
1034  if (options->show_tls_ciphers)
1035  {
1036  show_available_tls_ciphers(options->cipher_list,
1037  options->cipher_list_tls13,
1038  options->tls_cert_profile);
1039  }
1040  if (options->show_curves)
1041  {
1042  show_available_curves();
1043  }
1044  return true;
1045  }
1046  return false;
1047 }
1048 
1049 /*
1050  * Static pre-shared key generation mode?
1051  */
1052 bool
1053 do_genkey(const struct options *options)
1054 {
1055  if (options->genkey)
1056  {
1057  int nbits_written;
1058 
1059  notnull(options->shared_secret_file,
1060  "shared secret output file (--secret)");
1061 
1062  if (options->mlock) /* should we disable paging? */
1063  {
1064  platform_mlockall(true);
1065  }
1066 
1067  nbits_written = write_key_file(2, options->shared_secret_file);
1068  if (nbits_written < 0)
1069  {
1070  msg(M_FATAL, "Failed to write key file");
1071  }
1072 
1073  msg(D_GENKEY | M_NOPREFIX,
1074  "Randomly generated %d bit key written to %s", nbits_written,
1075  options->shared_secret_file);
1076  return true;
1077  }
1078  return false;
1079 }
1080 
1081 /*
1082  * Persistent TUN/TAP device management mode?
1083  */
1084 bool
1085 do_persist_tuntap(const struct options *options)
1086 {
1087  if (options->persist_config)
1088  {
1089  /* sanity check on options for --mktun or --rmtun */
1090  notnull(options->dev, "TUN/TAP device (--dev)");
1091  if (options->ce.remote || options->ifconfig_local
1092  || options->ifconfig_remote_netmask
1093  || options->shared_secret_file
1094  || options->tls_server || options->tls_client
1095  )
1096  {
1097  msg(M_FATAL|M_OPTERR,
1098  "options --mktun or --rmtun should only be used together with --dev");
1099  }
1100 #ifdef ENABLE_FEATURE_TUN_PERSIST
1101  tuncfg(options->dev, options->dev_type, options->dev_node,
1102  options->persist_mode,
1103  options->username, options->groupname, &options->tuntap_options);
1104  if (options->persist_mode && options->lladdr)
1105  {
1106  set_lladdr(options->dev, options->lladdr, NULL);
1107  }
1108  return true;
1109 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1110  msg( M_FATAL|M_OPTERR,
1111  "options --mktun and --rmtun are not available on your operating "
1112  "system. Please check 'man tun' (or 'tap'), whether your system "
1113  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1114  "persistant tunnel interfaces.", options->dev );
1115 #endif
1116  }
1117  return false;
1118 }
1119 
1120 /*
1121  * Should we become a daemon?
1122  * Return true if we did it.
1123  */
1124 bool
1125 possibly_become_daemon(const struct options *options)
1126 {
1127  bool ret = false;
1128 
1129 #ifdef ENABLE_SYSTEMD
1130  /* return without forking if we are running from systemd */
1131  if (sd_notify(0, "READY=0") > 0)
1132  {
1133  return ret;
1134  }
1135 #endif
1136 
1137  if (options->daemon)
1138  {
1139  ASSERT(!options->inetd);
1140  /* Don't chdir immediately, but the end of the init sequence, if needed */
1141  if (daemon(1, options->log) < 0)
1142  {
1143  msg(M_ERR, "daemon() failed or unsupported");
1144  }
1145  restore_signal_state();
1146  if (options->log)
1147  {
1148  set_std_files_to_null(true);
1149  }
1150 
1151  ret = true;
1152  }
1153  return ret;
1154 }
1155 
1156 /*
1157  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1158  */
1159 static void
1160 do_uid_gid_chroot(struct context *c, bool no_delay)
1161 {
1162  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1163  struct context_0 *c0 = c->c0;
1164 
1165  if (c0 && !c0->uid_gid_chroot_set)
1166  {
1167  /* chroot if requested */
1168  if (c->options.chroot_dir)
1169  {
1170  if (no_delay)
1171  {
1172  platform_chroot(c->options.chroot_dir);
1173  }
1174  else if (c->first_time)
1175  {
1176  msg(M_INFO, "NOTE: chroot %s", why_not);
1177  }
1178  }
1179 
1180  /* set user and/or group if we want to setuid/setgid */
1181  if (c0->uid_gid_specified)
1182  {
1183  if (no_delay)
1184  {
1185  platform_group_set(&c0->platform_state_group);
1186  platform_user_set(&c0->platform_state_user);
1187  }
1188  else if (c->first_time)
1189  {
1190  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1191  }
1192  }
1193 
1194 #ifdef ENABLE_MEMSTATS
1195  if (c->first_time && c->options.memstats_fn)
1196  {
1197  mstats_open(c->options.memstats_fn);
1198  }
1199 #endif
1200 
1201 #ifdef ENABLE_SELINUX
1202  /* Apply a SELinux context in order to restrict what OpenVPN can do
1203  * to _only_ what it is supposed to do after initialization is complete
1204  * (basically just network I/O operations). Doing it after chroot
1205  * requires /proc to be mounted in the chroot (which is annoying indeed
1206  * but doing it before requires more complex SELinux policies.
1207  */
1208  if (c->options.selinux_context)
1209  {
1210  if (no_delay)
1211  {
1212  if (-1 == setcon(c->options.selinux_context))
1213  {
1214  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1215  }
1216  else
1217  {
1218  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1219  }
1220  }
1221  else if (c->first_time)
1222  {
1223  msg(M_INFO, "NOTE: setcon %s", why_not);
1224  }
1225  }
1226 #endif
1227 
1228  /* Privileges are going to be dropped by now (if requested), be sure
1229  * to prevent any future privilege dropping attempts from now on.
1230  */
1231  if (no_delay)
1232  {
1233  c0->uid_gid_chroot_set = true;
1234  }
1235  }
1236 }
1237 
1238 /*
1239  * Return common name in a way that is formatted for
1240  * prepending to msg() output.
1241  */
1242 const char *
1243 format_common_name(struct context *c, struct gc_arena *gc)
1244 {
1245  struct buffer out = alloc_buf_gc(256, gc);
1246  if (c->c2.tls_multi)
1247  {
1248  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1249  }
1250  return BSTR(&out);
1251 }
1252 
1253 void
1254 pre_setup(const struct options *options)
1255 {
1256 #ifdef _WIN32
1257  if (options->exit_event_name)
1258  {
1259  win32_signal_open(&win32_signal,
1260  WSO_FORCE_SERVICE,
1261  options->exit_event_name,
1262  options->exit_event_initial_state);
1263  }
1264  else
1265  {
1266  win32_signal_open(&win32_signal,
1267  WSO_FORCE_CONSOLE,
1268  NULL,
1269  false);
1270 
1271  /* put a title on the top window bar */
1272  if (win32_signal.mode == WSO_MODE_CONSOLE)
1273  {
1274  window_title_save(&window_title);
1275  window_title_generate(options->config);
1276  }
1277  }
1278 #endif /* ifdef _WIN32 */
1279 }
1280 
1281 void
1282 reset_coarse_timers(struct context *c)
1283 {
1284  c->c2.coarse_timer_wakeup = 0;
1285 }
1286 
1287 /*
1288  * Initialise the server poll timeout timer
1289  * This timer is used in the http/socks proxy setup so it needs to be setup
1290  * before
1291  */
1292 static void
1293 do_init_server_poll_timeout(struct context *c)
1294 {
1295  update_time();
1296  if (c->options.ce.connect_timeout)
1297  {
1298  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1299  }
1300 }
1301 
1302 /*
1303  * Initialize timers
1304  */
1305 static void
1306 do_init_timers(struct context *c, bool deferred)
1307 {
1308  update_time();
1309  reset_coarse_timers(c);
1310 
1311  /* initialize inactivity timeout */
1312  if (c->options.inactivity_timeout)
1313  {
1314  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1315  }
1316 
1317  /* initialize pings */
1318 
1319  if (c->options.ping_send_timeout)
1320  {
1321  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1322  }
1323 
1324  if (c->options.ping_rec_timeout)
1325  {
1326  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1327  }
1328 
1329  if (!deferred)
1330  {
1331  /* initialize connection establishment timer */
1332  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1333 
1334 #ifdef ENABLE_OCC
1335  /* initialize occ timers */
1336 
1337  if (c->options.occ
1338  && !TLS_MODE(c)
1339  && c->c2.options_string_local && c->c2.options_string_remote)
1340  {
1341  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1342  }
1343 
1344  if (c->options.mtu_test)
1345  {
1346  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1347  }
1348 #endif
1349 
1350  /* initialize packet_id persistence timer */
1351  if (c->options.packet_id_file)
1352  {
1353  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1354  }
1355 
1356  /* initialize tmp_int optimization that limits the number of times we call
1357  * tls_multi_process in the main event loop */
1358  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1359  }
1360 }
1361 
1362 /*
1363  * Initialize traffic shaper.
1364  */
1365 static void
1366 do_init_traffic_shaper(struct context *c)
1367 {
1368 #ifdef ENABLE_FEATURE_SHAPER
1369  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1370  if (c->options.shaper)
1371  {
1372  shaper_init(&c->c2.shaper, c->options.shaper);
1373  shaper_msg(&c->c2.shaper);
1374  }
1375 #endif
1376 }
1377 
1378 /*
1379  * Allocate route list structures for IPv4 and IPv6
1380  * (we do this for IPv4 even if no --route option has been seen, as other
1381  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1382  */
1383 static void
1384 do_alloc_route_list(struct context *c)
1385 {
1386  if (!c->c1.route_list)
1387  {
1388  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1389  }
1390  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1391  {
1392  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1393  }
1394 }
1395 
1396 
1397 /*
1398  * Initialize the route list, resolving any DNS names in route
1399  * options and saving routes in the environment.
1400  */
1401 static void
1402 do_init_route_list(const struct options *options,
1403  struct route_list *route_list,
1404  const struct link_socket_info *link_socket_info,
1405  struct env_set *es)
1406 {
1407  const char *gw = NULL;
1408  int dev = dev_type_enum(options->dev, options->dev_type);
1409  int metric = 0;
1410 
1411  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1412  {
1413  gw = options->ifconfig_remote_netmask;
1414  }
1415  if (options->route_default_gateway)
1416  {
1417  gw = options->route_default_gateway;
1418  }
1419  if (options->route_default_metric)
1420  {
1421  metric = options->route_default_metric;
1422  }
1423 
1424  if (init_route_list(route_list,
1425  options->routes,
1426  gw,
1427  metric,
1428  link_socket_current_remote(link_socket_info),
1429  es))
1430  {
1431  /* copy routes to environment */
1432  setenv_routes(es, route_list);
1433  }
1434 }
1435 
1436 static void
1437 do_init_route_ipv6_list(const struct options *options,
1438  struct route_ipv6_list *route_ipv6_list,
1439  const struct link_socket_info *link_socket_info,
1440  struct env_set *es)
1441 {
1442  const char *gw = NULL;
1443  int metric = -1; /* no metric set */
1444 
1445  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1446 #if 0 /* not yet done for IPv6 - TODO!*/
1447  if (options->route_ipv6_default_gateway) /* override? */
1448  {
1449  gw = options->route_ipv6_default_gateway;
1450  }
1451 #endif
1452 
1453  if (options->route_default_metric)
1454  {
1455  metric = options->route_default_metric;
1456  }
1457 
1458  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1459  */
1460  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1461  {
1462  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1463  int i;
1464 
1465  for (i = 0; opt_list[i]; i++)
1466  {
1467  add_route_ipv6_to_option_list( options->routes_ipv6,
1468  string_alloc(opt_list[i], options->routes_ipv6->gc),
1469  NULL, NULL );
1470  }
1471  }
1472 
1473  if (init_route_ipv6_list(route_ipv6_list,
1474  options->routes_ipv6,
1475  gw,
1476  metric,
1477  link_socket_current_remote_ipv6(link_socket_info),
1478  es))
1479  {
1480  /* copy routes to environment */
1481  setenv_routes_ipv6(es, route_ipv6_list);
1482  }
1483 }
1484 
1485 
1486 /*
1487  * Called after all initialization has been completed.
1488  */
1489 void
1490 initialization_sequence_completed(struct context *c, const unsigned int flags)
1491 {
1492  static const char message[] = "Initialization Sequence Completed";
1493 
1494  /* Reset the unsuccessful connection counter on complete initialisation */
1495  c->options.unsuccessful_attempts = 0;
1496 
1497  /* If we delayed UID/GID downgrade or chroot, do it now */
1498  do_uid_gid_chroot(c, true);
1499 
1500 
1501  /*
1502  * In some cases (i.e. when receiving auth-token via
1503  * push-reply) the auth-nocache option configured on the
1504  * client is overridden; for this reason we have to wait
1505  * for the push-reply message before attempting to wipe
1506  * the user/pass entered by the user
1507  */
1508  if (c->options.mode == MODE_POINT_TO_POINT)
1509  {
1510  delayed_auth_pass_purge();
1511  }
1512 
1513  /* Test if errors */
1514  if (flags & ISC_ERRORS)
1515  {
1516 #ifdef _WIN32
1517  show_routes(M_INFO|M_NOPREFIX);
1518  show_adapters(M_INFO|M_NOPREFIX);
1519  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1520 #else
1521 #ifdef ENABLE_SYSTEMD
1522  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1523 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1524  msg(M_INFO, "%s With Errors", message);
1525 #endif
1526  }
1527  else
1528  {
1529 #ifdef ENABLE_SYSTEMD
1530  sd_notifyf(0, "STATUS=%s", message);
1531 #endif
1532  msg(M_INFO, "%s", message);
1533  }
1534 
1535  /* Flag that we initialized */
1536  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1537  {
1538  c->options.no_advance = true;
1539  }
1540 
1541 #ifdef _WIN32
1542  fork_register_dns_action(c->c1.tuntap);
1543 #endif
1544 
1545 #ifdef ENABLE_MANAGEMENT
1546  /* Tell management interface that we initialized */
1547  if (management)
1548  {
1549  in_addr_t *tun_local = NULL;
1550  struct in6_addr *tun_local6 = NULL;
1551  struct openvpn_sockaddr local, remote;
1552  struct link_socket_actual *actual;
1553  socklen_t sa_len = sizeof(local);
1554  const char *detail = "SUCCESS";
1555  if (flags & ISC_ERRORS)
1556  {
1557  detail = "ERROR";
1558  }
1559 
1560  CLEAR(local);
1561  actual = &get_link_socket_info(c)->lsa->actual;
1562  remote = actual->dest;
1563  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1564 #if ENABLE_IP_PKTINFO
1565  if (!addr_defined(&local))
1566  {
1567  switch (local.addr.sa.sa_family)
1568  {
1569  case AF_INET:
1570 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1571  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1572 #else
1573  local.addr.in4.sin_addr = actual->pi.in4;
1574 #endif
1575  break;
1576 
1577  case AF_INET6:
1578  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1579  break;
1580  }
1581  }
1582 #endif
1583 
1584  if (c->c1.tuntap)
1585  {
1586  tun_local = &c->c1.tuntap->local;
1587  tun_local6 = &c->c1.tuntap->local_ipv6;
1588  }
1589  management_set_state(management,
1590  OPENVPN_STATE_CONNECTED,
1591  detail,
1592  tun_local,
1593  tun_local6,
1594  &local,
1595  &remote);
1596  if (tun_local)
1597  {
1598  management_post_tunnel_open(management, *tun_local);
1599  }
1600  }
1601 #endif /* ifdef ENABLE_MANAGEMENT */
1602 }
1603 
1604 /*
1605  * Possibly add routes and/or call route-up script
1606  * based on options.
1607  */
1608 void
1609 do_route(const struct options *options,
1610  struct route_list *route_list,
1611  struct route_ipv6_list *route_ipv6_list,
1612  const struct tuntap *tt,
1613  const struct plugin_list *plugins,
1614  struct env_set *es)
1615 {
1616  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1617  {
1618  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1619  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1620  }
1621 #ifdef ENABLE_MANAGEMENT
1622  if (management)
1623  {
1624  management_up_down(management, "UP", es);
1625  }
1626 #endif
1627 
1628  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1629  {
1630  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1631  {
1632  msg(M_WARN, "WARNING: route-up plugin call failed");
1633  }
1634  }
1635 
1636  if (options->route_script)
1637  {
1638  struct argv argv = argv_new();
1639  setenv_str(es, "script_type", "route-up");
1640  argv_parse_cmd(&argv, options->route_script);
1641  openvpn_run_script(&argv, es, 0, "--route-up");
1642  argv_reset(&argv);
1643  }
1644 
1645 #ifdef _WIN32
1646  if (options->show_net_up)
1647  {
1648  show_routes(M_INFO|M_NOPREFIX);
1649  show_adapters(M_INFO|M_NOPREFIX);
1650  }
1651  else if (check_debug_level(D_SHOW_NET))
1652  {
1653  show_routes(D_SHOW_NET|M_NOPREFIX);
1654  show_adapters(D_SHOW_NET|M_NOPREFIX);
1655  }
1656 #endif
1657 }
1658 
1659 /*
1660  * initialize tun/tap device object
1661  */
1662 static void
1663 do_init_tun(struct context *c)
1664 {
1665  c->c1.tuntap = init_tun(c->options.dev,
1666  c->options.dev_type,
1667  c->options.topology,
1668  c->options.ifconfig_local,
1669  c->options.ifconfig_remote_netmask,
1670  c->options.ifconfig_ipv6_local,
1671  c->options.ifconfig_ipv6_netbits,
1672  c->options.ifconfig_ipv6_remote,
1673  c->c1.link_socket_addr.bind_local,
1674  c->c1.link_socket_addr.remote_list,
1675  !c->options.ifconfig_nowarn,
1676  c->c2.es);
1677 
1678  init_tun_post(c->c1.tuntap,
1679  &c->c2.frame,
1680  &c->options.tuntap_options);
1681 
1682  c->c1.tuntap_owned = true;
1683 }
1684 
1685 /*
1686  * Open tun/tap device, ifconfig, call up script, etc.
1687  */
1688 
1689 static bool
1690 do_open_tun(struct context *c)
1691 {
1692  struct gc_arena gc = gc_new();
1693  bool ret = false;
1694 
1695 #ifndef TARGET_ANDROID
1696  if (!c->c1.tuntap)
1697  {
1698 #endif
1699 
1700 #ifdef TARGET_ANDROID
1701  /* If we emulate persist-tun on android we still have to open a new tun and
1702  * then close the old */
1703  int oldtunfd = -1;
1704  if (c->c1.tuntap)
1705  {
1706  oldtunfd = c->c1.tuntap->fd;
1707  free(c->c1.tuntap);
1708  c->c1.tuntap = NULL;
1709  c->c1.tuntap_owned = false;
1710  }
1711 #endif
1712 
1713  /* initialize (but do not open) tun/tap object */
1714  do_init_tun(c);
1715 
1716 #ifdef _WIN32
1717  /* store (hide) interactive service handle in tuntap_options */
1718  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1719  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1720 #endif
1721 
1722  /* allocate route list structure */
1723  do_alloc_route_list(c);
1724 
1725  /* parse and resolve the route option list */
1726  ASSERT(c->c2.link_socket);
1727  if (c->options.routes && c->c1.route_list)
1728  {
1729  do_init_route_list(&c->options, c->c1.route_list,
1730  &c->c2.link_socket->info, c->c2.es);
1731  }
1732  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1733  {
1734  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1735  &c->c2.link_socket->info, c->c2.es);
1736  }
1737 
1738  /* do ifconfig */
1739  if (!c->options.ifconfig_noexec
1740  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1741  {
1742  /* guess actual tun/tap unit number that will be returned
1743  * by open_tun */
1744  const char *guess = guess_tuntap_dev(c->options.dev,
1745  c->options.dev_type,
1746  c->options.dev_node,
1747  &gc);
1748  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1749  }
1750 
1751  /* possibly add routes */
1752  if (route_order() == ROUTE_BEFORE_TUN)
1753  {
1754  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1755  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1756  c->c1.tuntap, c->plugins, c->c2.es);
1757  }
1758 #ifdef TARGET_ANDROID
1759  /* Store the old fd inside the fd so open_tun can use it */
1760  c->c1.tuntap->fd = oldtunfd;
1761 #endif
1762  /* open the tun device */
1763  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1764  c->c1.tuntap);
1765 
1766  /* set the hardware address */
1767  if (c->options.lladdr)
1768  {
1769  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1770  }
1771 
1772  /* do ifconfig */
1773  if (!c->options.ifconfig_noexec
1774  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1775  {
1776  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1777  }
1778 
1779  /* run the up script */
1780  run_up_down(c->options.up_script,
1781  c->plugins,
1782  OPENVPN_PLUGIN_UP,
1783  c->c1.tuntap->actual_name,
1784 #ifdef _WIN32
1785  c->c1.tuntap->adapter_index,
1786 #endif
1787  dev_type_string(c->options.dev, c->options.dev_type),
1788  TUN_MTU_SIZE(&c->c2.frame),
1789  EXPANDED_SIZE(&c->c2.frame),
1790  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1791  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1792  "init",
1793  NULL,
1794  "up",
1795  c->c2.es);
1796 
1797 #if defined(_WIN32)
1798  if (c->options.block_outside_dns)
1799  {
1800  dmsg(D_LOW, "Blocking outside DNS");
1801  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1802  {
1803  msg(M_FATAL, "Blocking DNS failed!");
1804  }
1805  }
1806 #endif
1807 
1808  /* possibly add routes */
1809  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1810  {
1811  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1812  c->c1.tuntap, c->plugins, c->c2.es);
1813  }
1814 
1815  /*
1816  * Did tun/tap driver give us an MTU?
1817  */
1818  if (c->c1.tuntap->post_open_mtu)
1819  {
1820  frame_set_mtu_dynamic(&c->c2.frame,
1821  c->c1.tuntap->post_open_mtu,
1822  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1823  }
1824 
1825  ret = true;
1826  static_context = c;
1827 #ifndef TARGET_ANDROID
1828 }
1829 else
1830 {
1831  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1832  c->c1.tuntap->actual_name);
1833 
1834  /* explicitly set the ifconfig_* env vars */
1835  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1836 
1837  /* run the up script if user specified --up-restart */
1838  if (c->options.up_restart)
1839  {
1840  run_up_down(c->options.up_script,
1841  c->plugins,
1842  OPENVPN_PLUGIN_UP,
1843  c->c1.tuntap->actual_name,
1844 #ifdef _WIN32
1845  c->c1.tuntap->adapter_index,
1846 #endif
1847  dev_type_string(c->options.dev, c->options.dev_type),
1848  TUN_MTU_SIZE(&c->c2.frame),
1849  EXPANDED_SIZE(&c->c2.frame),
1850  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1851  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1852  "restart",
1853  NULL,
1854  "up",
1855  c->c2.es);
1856  }
1857 #if defined(_WIN32)
1858  if (c->options.block_outside_dns)
1859  {
1860  dmsg(D_LOW, "Blocking outside DNS");
1861  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1862  {
1863  msg(M_FATAL, "Blocking DNS failed!");
1864  }
1865  }
1866 #endif
1867 
1868 }
1869 #endif /* ifndef TARGET_ANDROID */
1870  gc_free(&gc);
1871  return ret;
1872 }
1873 
1874 /*
1875  * Close TUN/TAP device
1876  */
1877 
1878 static void
1879 do_close_tun_simple(struct context *c)
1880 {
1881  msg(D_CLOSE, "Closing TUN/TAP interface");
1882  if (c->c1.tuntap)
1883  {
1884  close_tun(c->c1.tuntap);
1885  c->c1.tuntap = NULL;
1886  }
1887  c->c1.tuntap_owned = false;
1888 #if P2MP
1889  CLEAR(c->c1.pulled_options_digest_save);
1890 #endif
1891 }
1892 
1893 static void
1894 do_close_tun(struct context *c, bool force)
1895 {
1896  struct gc_arena gc = gc_new();
1897  if (c->c1.tuntap && c->c1.tuntap_owned)
1898  {
1899  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1900 #ifdef _WIN32
1901  DWORD adapter_index = c->c1.tuntap->adapter_index;
1902 #endif
1903  const in_addr_t local = c->c1.tuntap->local;
1904  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1905 
1906  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1907  {
1908  static_context = NULL;
1909 
1910 #ifdef ENABLE_MANAGEMENT
1911  /* tell management layer we are about to close the TUN/TAP device */
1912  if (management)
1913  {
1914  management_pre_tunnel_close(management);
1915  management_up_down(management, "DOWN", c->c2.es);
1916  }
1917 #endif
1918 
1919  /* delete any routes we added */
1920  if (c->c1.route_list || c->c1.route_ipv6_list)
1921  {
1922  run_up_down(c->options.route_predown_script,
1923  c->plugins,
1924  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1925  tuntap_actual,
1926 #ifdef _WIN32
1927  adapter_index,
1928 #endif
1929  NULL,
1930  TUN_MTU_SIZE(&c->c2.frame),
1931  EXPANDED_SIZE(&c->c2.frame),
1932  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1933  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1934  "init",
1935  signal_description(c->sig->signal_received,
1936  c->sig->signal_text),
1937  "route-pre-down",
1938  c->c2.es);
1939 
1940  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1941  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
1942  }
1943 
1944  /* actually close tun/tap device based on --down-pre flag */
1945  if (!c->options.down_pre)
1946  {
1947  do_close_tun_simple(c);
1948  }
1949 
1950  /* Run the down script -- note that it will run at reduced
1951  * privilege if, for example, "--user nobody" was used. */
1952  run_up_down(c->options.down_script,
1953  c->plugins,
1954  OPENVPN_PLUGIN_DOWN,
1955  tuntap_actual,
1956 #ifdef _WIN32
1957  adapter_index,
1958 #endif
1959  NULL,
1960  TUN_MTU_SIZE(&c->c2.frame),
1961  EXPANDED_SIZE(&c->c2.frame),
1962  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1963  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1964  "init",
1965  signal_description(c->sig->signal_received,
1966  c->sig->signal_text),
1967  "down",
1968  c->c2.es);
1969 
1970 #if defined(_WIN32)
1971  if (c->options.block_outside_dns)
1972  {
1973  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1974  {
1975  msg(M_FATAL, "Uninitialising WFP failed!");
1976  }
1977  }
1978 #endif
1979 
1980  /* actually close tun/tap device based on --down-pre flag */
1981  if (c->options.down_pre)
1982  {
1983  do_close_tun_simple(c);
1984  }
1985  }
1986  else
1987  {
1988  /* run the down script on this restart if --up-restart was specified */
1989  if (c->options.up_restart)
1990  {
1991  run_up_down(c->options.down_script,
1992  c->plugins,
1993  OPENVPN_PLUGIN_DOWN,
1994  tuntap_actual,
1995 #ifdef _WIN32
1996  adapter_index,
1997 #endif
1998  NULL,
1999  TUN_MTU_SIZE(&c->c2.frame),
2000  EXPANDED_SIZE(&c->c2.frame),
2001  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2002  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2003  "restart",
2004  signal_description(c->sig->signal_received,
2005  c->sig->signal_text),
2006  "down",
2007  c->c2.es);
2008  }
2009 
2010 #if defined(_WIN32)
2011  if (c->options.block_outside_dns)
2012  {
2013  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2014  {
2015  msg(M_FATAL, "Uninitialising WFP failed!");
2016  }
2017  }
2018 #endif
2019 
2020  }
2021  }
2022  gc_free(&gc);
2023 }
2024 
2025 void
2026 tun_abort(void)
2027 {
2028  struct context *c = static_context;
2029  if (c)
2030  {
2031  static_context = NULL;
2032  do_close_tun(c, true);
2033  }
2034 }
2035 
2036 /*
2037  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2038  */
2039 
2040 #if P2MP
2041 
2045 static bool
2046 options_hash_changed_or_zero(const struct sha256_digest *a,
2047  const struct sha256_digest *b)
2048 {
2049  const struct sha256_digest zero = {{0}};
2050  return memcmp(a, b, sizeof(struct sha256_digest))
2051  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2052 }
2053 #endif /* P2MP */
2054 
2055 bool
2056 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2057 {
2058  if (!c->c2.do_up_ran)
2059  {
2060  reset_coarse_timers(c);
2061 
2062  if (pulled_options)
2063  {
2064  if (!do_deferred_options(c, option_types_found))
2065  {
2066  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2067  return false;
2068  }
2069  }
2070 
2071  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2072  if (c->options.up_delay || PULL_DEFINED(&c->options))
2073  {
2074  c->c2.did_open_tun = do_open_tun(c);
2075  update_time();
2076 
2077 #if P2MP
2078  /*
2079  * Was tun interface object persisted from previous restart iteration,
2080  * and if so did pulled options string change from previous iteration?
2081  */
2082  if (!c->c2.did_open_tun
2083  && PULL_DEFINED(&c->options)
2084  && c->c1.tuntap
2085  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2086  &c->c2.pulled_options_digest))
2087  {
2088  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2089  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2090  do_close_tun(c, true);
2091  management_sleep(1);
2092  c->c2.did_open_tun = do_open_tun(c);
2093  update_time();
2094  }
2095 #endif
2096  }
2097 
2098  if (c->c2.did_open_tun)
2099  {
2100 #if P2MP
2101  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2102 #endif
2103 
2104  /* if --route-delay was specified, start timer */
2105  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2106  {
2107  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2108  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2109  if (c->c1.tuntap)
2110  {
2111  tun_standby_init(c->c1.tuntap);
2112  }
2113  }
2114  else
2115  {
2116  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2117  }
2118  }
2119  else if (c->options.mode == MODE_POINT_TO_POINT)
2120  {
2121  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2122  }
2123 
2124  c->c2.do_up_ran = true;
2125  }
2126  return true;
2127 }
2128 
2129 /*
2130  * These are the option categories which will be accepted by pull.
2131  */
2132 unsigned int
2133 pull_permission_mask(const struct context *c)
2134 {
2135  unsigned int flags =
2136  OPT_P_UP
2137  | OPT_P_ROUTE_EXTRAS
2138  | OPT_P_SOCKBUF
2139  | OPT_P_SOCKFLAGS
2140  | OPT_P_SETENV
2141  | OPT_P_SHAPER
2142  | OPT_P_TIMER
2143  | OPT_P_COMP
2144  | OPT_P_PERSIST
2145  | OPT_P_MESSAGES
2146  | OPT_P_EXPLICIT_NOTIFY
2147  | OPT_P_ECHO
2148  | OPT_P_PULL_MODE
2149  | OPT_P_PEER_ID;
2150 
2151  if (!c->options.route_nopull)
2152  {
2153  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2154  }
2155 
2156  if (c->options.ncp_enabled)
2157  {
2158  flags |= OPT_P_NCP;
2159  }
2160 
2161  return flags;
2162 }
2163 
2164 /*
2165  * Handle non-tun-related pulled options.
2166  */
2167 bool
2168 do_deferred_options(struct context *c, const unsigned int found)
2169 {
2170  if (found & OPT_P_MESSAGES)
2171  {
2172  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2173  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2174  }
2175  if (found & OPT_P_TIMER)
2176  {
2177  do_init_timers(c, true);
2178  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2179  }
2180 
2181 #ifdef ENABLE_OCC
2182  if (found & OPT_P_EXPLICIT_NOTIFY)
2183  {
2184  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2185  {
2186  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2187  c->options.ce.explicit_exit_notification = 0;
2188  }
2189  else
2190  {
2191  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2192  }
2193  }
2194 #endif
2195 
2196 #ifdef USE_COMP
2197  if (found & OPT_P_COMP)
2198  {
2199  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2200  comp_uninit(c->c2.comp_context);
2201  c->c2.comp_context = comp_init(&c->options.comp);
2202  }
2203 #endif
2204 
2205  if (found & OPT_P_SHAPER)
2206  {
2207  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2208  do_init_traffic_shaper(c);
2209  }
2210 
2211  if (found & OPT_P_SOCKBUF)
2212  {
2213  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2214  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2215  }
2216 
2217  if (found & OPT_P_SOCKFLAGS)
2218  {
2219  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2220  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2221  }
2222 
2223  if (found & OPT_P_PERSIST)
2224  {
2225  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2226  }
2227  if (found & OPT_P_UP)
2228  {
2229  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2230  }
2231  if (found & OPT_P_ROUTE)
2232  {
2233  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2234  }
2235  if (found & OPT_P_ROUTE_EXTRAS)
2236  {
2237  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2238  }
2239  if (found & OPT_P_IPWIN32)
2240  {
2241  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2242  }
2243  if (found & OPT_P_SETENV)
2244  {
2245  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2246  }
2247 
2248  if (found & OPT_P_PEER_ID)
2249  {
2250  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2251  c->c2.tls_multi->use_peer_id = true;
2252  c->c2.tls_multi->peer_id = c->options.peer_id;
2253  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2254  if (!c->options.ce.link_mtu_defined)
2255  {
2256  frame_add_to_link_mtu(&c->c2.frame, +3);
2257  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2258  EXPANDED_SIZE(&c->c2.frame));
2259  }
2260  else
2261  {
2262  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2263  " fixed by config - reducing tun-mtu to %d, expect"
2264  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2265  }
2266  }
2267 
2268  /* process (potentially pushed) crypto options */
2269  if (c->options.pull)
2270  {
2271  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2272  if (found & OPT_P_NCP)
2273  {
2274  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2275  }
2276  else if (c->options.ncp_enabled)
2277  {
2278  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2279  }
2280  /* Do not regenerate keys if server sends an extra push reply */
2281  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2282  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2283  {
2284  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2285  return false;
2286  }
2287  }
2288 
2289  return true;
2290 }
2291 
2292 /*
2293  * Possible hold on initialization, holdtime is the
2294  * time OpenVPN would wait without management
2295  */
2296 static bool
2297 do_hold(int holdtime)
2298 {
2299 #ifdef ENABLE_MANAGEMENT
2300  if (management)
2301  {
2302  /* block until management hold is released */
2303  if (management_hold(management, holdtime))
2304  {
2305  return true;
2306  }
2307  }
2308 #endif
2309  return false;
2310 }
2311 
2312 /*
2313  * Sleep before restart.
2314  */
2315 static void
2316 socket_restart_pause(struct context *c)
2317 {
2318  int sec = 2;
2319  int backoff = 0;
2320 
2321  switch (c->options.ce.proto)
2322  {
2323  case PROTO_TCP_SERVER:
2324  sec = 1;
2325  break;
2326 
2327  case PROTO_UDP:
2328  case PROTO_TCP_CLIENT:
2329  sec = c->options.ce.connect_retry_seconds;
2330  break;
2331  }
2332 
2333 #ifdef ENABLE_DEBUG
2334  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2335  {
2336  sec = 0;
2337  }
2338 #endif
2339 
2340 #if P2MP
2341  if (auth_retry_get() == AR_NOINTERACT)
2342  {
2343  sec = 10;
2344  }
2345 #endif
2346 
2347  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2348  if (c->options.ce.proto != PROTO_TCP_SERVER)
2349  {
2350  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2351  if (backoff > 0)
2352  {
2353  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2354  sec = max_int(sec, 1) << min_int(backoff, 15);
2355  }
2356 
2357  if (sec > c->options.ce.connect_retry_seconds_max)
2358  {
2359  sec = c->options.ce.connect_retry_seconds_max;
2360  }
2361  }
2362 
2363  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2364  {
2365  sec = c->persist.restart_sleep_seconds;
2366  }
2367  else if (c->persist.restart_sleep_seconds == -1)
2368  {
2369  sec = 0;
2370  }
2371  c->persist.restart_sleep_seconds = 0;
2372 
2373  /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2374  if (do_hold(sec))
2375  {
2376  sec = 0;
2377  }
2378 
2379  if (sec)
2380  {
2381  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2382  management_sleep(sec);
2383  }
2384 }
2385 
2386 /*
2387  * Do a possible pause on context_2 initialization.
2388  */
2389 static void
2390 do_startup_pause(struct context *c)
2391 {
2392  if (!c->first_time)
2393  {
2394  socket_restart_pause(c);
2395  }
2396  else
2397  {
2398  do_hold(0); /* do management hold on first context initialization */
2399  }
2400 }
2401 
2402 /*
2403  * Finalize MTU parameters based on command line or config file options.
2404  */
2405 static void
2406 frame_finalize_options(struct context *c, const struct options *o)
2407 {
2408  if (!o)
2409  {
2410  o = &c->options;
2411  }
2412 
2413  /*
2414  * Set adjustment factor for buffer alignment when no
2415  * cipher is used.
2416  */
2417  if (!CIPHER_ENABLED(c))
2418  {
2419  frame_align_to_extra_frame(&c->c2.frame);
2420  frame_or_align_flags(&c->c2.frame,
2421  FRAME_HEADROOM_MARKER_FRAGMENT
2422  |FRAME_HEADROOM_MARKER_READ_LINK
2423  |FRAME_HEADROOM_MARKER_READ_STREAM);
2424  }
2425 
2426  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2427  frame_finalize(&c->c2.frame,
2428  o->ce.link_mtu_defined,
2429  o->ce.link_mtu,
2430  o->ce.tun_mtu_defined,
2431  o->ce.tun_mtu);
2432 }
2433 
2434 /*
2435  * Free a key schedule, including OpenSSL components.
2436  */
2437 static void
2438 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2439 {
2440  free_key_ctx_bi(&ks->static_key);
2441  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2442  {
2443  tls_ctx_free(&ks->ssl_ctx);
2444  }
2445  CLEAR(*ks);
2446 }
2447 
2448 static void
2449 init_crypto_pre(struct context *c, const unsigned int flags)
2450 {
2451  if (c->options.engine)
2452  {
2453  crypto_init_lib_engine(c->options.engine);
2454  }
2455 
2456  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2457  {
2458  /* load a persisted packet-id for cross-session replay-protection */
2459  if (c->options.packet_id_file)
2460  {
2461  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2462  }
2463  }
2464 
2465 #ifdef ENABLE_PREDICTION_RESISTANCE
2466  if (c->options.use_prediction_resistance)
2467  {
2468  rand_ctx_enable_prediction_resistance();
2469  }
2470 #endif
2471 
2472 }
2473 
2474 /*
2475  * Static Key Mode (using a pre-shared key)
2476  */
2477 static void
2478 do_init_crypto_static(struct context *c, const unsigned int flags)
2479 {
2480  const struct options *options = &c->options;
2481  ASSERT(options->shared_secret_file);
2482 
2483  init_crypto_pre(c, flags);
2484 
2485  /* Initialize flags */
2486  if (c->options.mute_replay_warnings)
2487  {
2488  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2489  }
2490 
2491  /* Initialize packet ID tracking */
2492  if (options->replay)
2493  {
2494  packet_id_init(&c->c2.crypto_options.packet_id,
2495  options->replay_window,
2496  options->replay_time,
2497  "STATIC", 0);
2498  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2499  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2500  packet_id_persist_load_obj(&c->c1.pid_persist,
2501  &c->c2.crypto_options.packet_id);
2502  }
2503 
2504  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2505  {
2506  /* Get cipher & hash algorithms */
2507  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2508  options->keysize, options->test_crypto, true);
2509 
2510  /* Read cipher and hmac keys from shared secret file */
2511  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2512  options->shared_secret_file,
2513  options->shared_secret_file_inline,
2514  options->key_direction, "Static Key Encryption",
2515  "secret");
2516  }
2517  else
2518  {
2519  msg(M_INFO, "Re-using pre-shared static key");
2520  }
2521 
2522  /* Get key schedule */
2523  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2524 
2525  /* Compute MTU parameters */
2526  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2527  options->replay, true);
2528 
2529  /* Sanity check on sequence number, and cipher mode options */
2530  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2531 }
2532 
2533 /*
2534  * Initialize the tls-auth/crypt key context
2535  */
2536 static void
2537 do_init_tls_wrap_key(struct context *c)
2538 {
2539  const struct options *options = &c->options;
2540 
2541  /* TLS handshake authentication (--tls-auth) */
2542  if (options->ce.tls_auth_file)
2543  {
2544  /* Initialize key_type for tls-auth with auth only */
2545  CLEAR(c->c1.ks.tls_auth_key_type);
2546  if (!streq(options->authname, "none"))
2547  {
2548  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2549  c->c1.ks.tls_auth_key_type.hmac_length =
2550  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2551  }
2552  else
2553  {
2554  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2555  "algorithm specified ('%s')", options->authname);
2556  }
2557 
2558  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2559  &c->c1.ks.tls_wrap_key,
2560  options->ce.tls_auth_file,
2561  options->ce.tls_auth_file_inline,
2562  options->ce.key_direction,
2563  "Control Channel Authentication", "tls-auth");
2564  }
2565 
2566  /* TLS handshake encryption+authentication (--tls-crypt) */
2567  if (options->ce.tls_crypt_file)
2568  {
2569  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2570  options->ce.tls_crypt_file,
2571  options->ce.tls_crypt_inline, options->tls_server);
2572  }
2573 }
2574 
2575 /*
2576  * Initialize the persistent component of OpenVPN's TLS mode,
2577  * which is preserved across SIGUSR1 resets.
2578  */
2579 static void
2580 do_init_crypto_tls_c1(struct context *c)
2581 {
2582  const struct options *options = &c->options;
2583 
2584  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2585  {
2586  /*
2587  * Initialize the OpenSSL library's global
2588  * SSL context.
2589  */
2590  init_ssl(options, &(c->c1.ks.ssl_ctx));
2591  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2592  {
2593 #if P2MP
2594  switch (auth_retry_get())
2595  {
2596  case AR_NONE:
2597  msg(M_FATAL, "Error: private key password verification failed");
2598  break;
2599 
2600  case AR_INTERACT:
2601  ssl_purge_auth(false);
2602 
2603  case AR_NOINTERACT:
2604  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2605  break;
2606 
2607  default:
2608  ASSERT(0);
2609  }
2610  c->sig->signal_text = "private-key-password-failure";
2611  return;
2612 #else /* if P2MP */
2613  msg(M_FATAL, "Error: private key password verification failed");
2614 #endif
2615  }
2616 
2617  /* Get cipher & hash algorithms */
2618  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2619  options->keysize, true, true);
2620 
2621  /* Initialize PRNG with config-specified digest */
2622  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2623 
2624  /* initialize tls-auth/crypt key */
2625  do_init_tls_wrap_key(c);
2626 
2627 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2628  if (options->priv_key_file_inline)
2629  {
2630  string_clear(c->options.priv_key_file_inline);
2631  c->options.priv_key_file_inline = NULL;
2632  }
2633 #endif
2634  }
2635  else
2636  {
2637  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2638 
2639  /*
2640  * tls-auth/crypt key can be configured per connection block, therefore
2641  * we must reload it as it may have changed
2642  */
2643  do_init_tls_wrap_key(c);
2644  }
2645 }
2646 
2647 static void
2648 do_init_crypto_tls(struct context *c, const unsigned int flags)
2649 {
2650  const struct options *options = &c->options;
2651  struct tls_options to;
2652  bool packet_id_long_form;
2653 
2654  ASSERT(options->tls_server || options->tls_client);
2655  ASSERT(!options->test_crypto);
2656 
2657  init_crypto_pre(c, flags);
2658 
2659  /* Make sure we are either a TLS client or server but not both */
2660  ASSERT(options->tls_server == !options->tls_client);
2661 
2662  /* initialize persistent component */
2663  do_init_crypto_tls_c1(c);
2664  if (IS_SIG(c))
2665  {
2666  return;
2667  }
2668 
2669  /* Sanity check on sequence number, and cipher mode options */
2670  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2671 
2672  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2673  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2674 
2675  /* Compute MTU parameters (postpone if we push/pull options) */
2676  if (c->options.pull || c->options.mode == MODE_SERVER)
2677  {
2678  /* Account for worst-case crypto overhead before allocating buffers */
2679  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2680  }
2681  else
2682  {
2683  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2684  options->replay, packet_id_long_form);
2685  }
2686  tls_adjust_frame_parameters(&c->c2.frame);
2687 
2688  /* Set all command-line TLS-related options */
2689  CLEAR(to);
2690 
2691  if (options->mute_replay_warnings)
2692  {
2693  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2694  }
2695 
2696  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2697  if (packet_id_long_form)
2698  {
2699  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2700  }
2701 
2702  to.ssl_ctx = c->c1.ks.ssl_ctx;
2703  to.key_type = c->c1.ks.key_type;
2704  to.server = options->tls_server;
2705  to.key_method = options->key_method;
2706  to.replay = options->replay;
2707  to.replay_window = options->replay_window;
2708  to.replay_time = options->replay_time;
2709  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2710  to.config_ciphername = c->c1.ciphername;
2711  to.config_authname = c->c1.authname;
2712  to.ncp_enabled = options->ncp_enabled;
2713  to.transition_window = options->transition_window;
2714  to.handshake_window = options->handshake_window;
2715  to.packet_timeout = options->tls_timeout;
2716  to.renegotiate_bytes = options->renegotiate_bytes;
2717  to.renegotiate_packets = options->renegotiate_packets;
2718  if (options->renegotiate_seconds_min < 0)
2719  {
2720  /* Add 10% jitter to reneg-sec by default (server side only) */
2721  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2722  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2723  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2724  }
2725  else
2726  {
2727  /* Add user-specified jitter to reneg-sec */
2728  to.renegotiate_seconds = options->renegotiate_seconds -
2729  (get_random() % max_int(options->renegotiate_seconds
2730  - options->renegotiate_seconds_min, 1));
2731  }
2732  to.single_session = options->single_session;
2733  to.mode = options->mode;
2734  to.pull = options->pull;
2735  if (options->push_peer_info) /* all there is */
2736  {
2737  to.push_peer_info_detail = 2;
2738  }
2739  else if (options->pull) /* pull clients send some details */
2740  {
2741  to.push_peer_info_detail = 1;
2742  }
2743  else /* default: no peer-info at all */
2744  {
2745  to.push_peer_info_detail = 0;
2746  }
2747 
2748  /* should we not xmit any packets until we get an initial
2749  * response from client? */
2750  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2751  {
2752  to.xmit_hold = true;
2753  }
2754 
2755 #ifdef ENABLE_OCC
2756  to.disable_occ = !options->occ;
2757 #endif
2758 
2759  to.verify_command = options->tls_verify;
2760  to.verify_export_cert = options->tls_export_cert;
2761  to.verify_x509_type = (options->verify_x509_type & 0xff);
2762  to.verify_x509_name = options->verify_x509_name;
2763  to.crl_file = options->crl_file;
2764  to.crl_file_inline = options->crl_file_inline;
2765  to.ssl_flags = options->ssl_flags;
2766  to.ns_cert_type = options->ns_cert_type;
2767  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2768  to.remote_cert_eku = options->remote_cert_eku;
2769  to.verify_hash = options->verify_hash;
2770  to.verify_hash_algo = options->verify_hash_algo;
2771 #ifdef ENABLE_X509ALTUSERNAME
2772  to.x509_username_field = (char *) options->x509_username_field;
2773 #else
2774  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2775 #endif
2776  to.es = c->c2.es;
2777 
2778 #ifdef ENABLE_DEBUG
2779  to.gremlin = c->options.gremlin;
2780 #endif
2781 
2782  to.plugins = c->plugins;
2783 
2784 #ifdef MANAGEMENT_DEF_AUTH
2785  to.mda_context = &c->c2.mda_context;
2786 #endif
2787 
2788 #if P2MP_SERVER
2789  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2790  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2791  to.tmp_dir = options->tmp_dir;
2792  if (options->ccd_exclusive)
2793  {
2794  to.client_config_dir_exclusive = options->client_config_dir;
2795  }
2796  to.auth_user_pass_file = options->auth_user_pass_file;
2797  to.auth_token_generate = options->auth_token_generate;
2798  to.auth_token_lifetime = options->auth_token_lifetime;
2799 #endif
2800 
2801  to.x509_track = options->x509_track;
2802 
2803 #if P2MP
2804 #ifdef ENABLE_MANAGEMENT
2805  to.sci = &options->sc_info;
2806 #endif
2807 #endif
2808 
2809 #ifdef USE_COMP
2810  to.comp_options = options->comp;
2811 #endif
2812 
2813 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
2814  if (options->keying_material_exporter_label)
2815  {
2816  to.ekm_size = options->keying_material_exporter_length;
2817  if (to.ekm_size < 16 || to.ekm_size > 4095)
2818  {
2819  to.ekm_size = 0;
2820  }
2821 
2822  to.ekm_label = options->keying_material_exporter_label;
2823  to.ekm_label_size = strlen(to.ekm_label);
2824  }
2825  else
2826  {
2827  to.ekm_size = 0;
2828  }
2829 #endif
2830 
2831  /* TLS handshake authentication (--tls-auth) */
2832  if (options->ce.tls_auth_file)
2833  {
2834  to.tls_wrap.mode = TLS_WRAP_AUTH;
2835  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2836  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2837  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2838  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2839  true, true);
2840  }
2841 
2842  /* TLS handshake encryption (--tls-crypt) */
2843  if (options->ce.tls_crypt_file)
2844  {
2845  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2846  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2847  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2848  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2849  tls_crypt_adjust_frame_parameters(&to.frame);
2850  }
2851 
2852  /* If we are running over TCP, allow for
2853  * length prefix */
2854  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2855 
2856  /*
2857  * Initialize OpenVPN's master TLS-mode object.
2858  */
2859  if (flags & CF_INIT_TLS_MULTI)
2860  {
2861  c->c2.tls_multi = tls_multi_init(&to);
2862  }
2863 
2864  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2865  {
2866  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2867  }
2868 }
2869 
2870 static void
2871 do_init_finalize_tls_frame(struct context *c)
2872 {
2873  if (c->c2.tls_multi)
2874  {
2875  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2876  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2877  EXPANDED_SIZE(&c->c2.frame));
2878  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2879  "Control Channel MTU parms");
2880  }
2881  if (c->c2.tls_auth_standalone)
2882  {
2883  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2884  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2885  "TLS-Auth MTU parms");
2886  }
2887 }
2888 
2889 /*
2890  * No encryption or authentication.
2891  */
2892 static void
2893 do_init_crypto_none(const struct context *c)
2894 {
2895  ASSERT(!c->options.test_crypto);
2896  msg(M_WARN,
2897  "******* WARNING *******: All encryption and authentication features "
2898  "disabled -- All data will be tunnelled as clear text and will not be "
2899  "protected against man-in-the-middle changes. "
2900  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
2901 }
2902 
2903 static void
2904 do_init_crypto(struct context *c, const unsigned int flags)
2905 {
2906  if (c->options.shared_secret_file)
2907  {
2908  do_init_crypto_static(c, flags);
2909  }
2910  else if (c->options.tls_server || c->options.tls_client)
2911  {
2912  do_init_crypto_tls(c, flags);
2913  }
2914  else /* no encryption or authentication. */
2915  {
2916  do_init_crypto_none(c);
2917  }
2918 }
2919 
2920 static void
2921 do_init_frame(struct context *c)
2922 {
2923 #ifdef USE_COMP
2924  /*
2925  * modify frame parameters if compression is enabled
2926  */
2927  if (comp_enabled(&c->options.comp))
2928  {
2929  comp_add_to_extra_frame(&c->c2.frame);
2930 
2931 #if !defined(ENABLE_LZ4)
2932  /*
2933  * Compression usage affects buffer alignment when non-swapped algs
2934  * such as LZO is used.
2935  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2936  * any special alignment because of the control-byte swap approach.
2937  * LZO alignment (on the other hand) is problematic because
2938  * the presence of the control byte means that either the output of
2939  * decryption must be written to an unaligned buffer, or the input
2940  * to compression (or packet dispatch if packet is uncompressed)
2941  * must be read from an unaligned buffer.
2942  * This code tries to align the input to compression (or packet
2943  * dispatch if packet is uncompressed) at the cost of requiring
2944  * decryption output to be written to an unaligned buffer, so
2945  * it's more of a tradeoff than an optimal solution and we don't
2946  * include it when we are doing a modern build with LZ4.
2947  * Strictly speaking, on the server it would be better to execute
2948  * this code for every connection after we decide the compression
2949  * method, but currently the frame code doesn't appear to be
2950  * flexible enough for this, since the frame is already established
2951  * before it is known which compression options will be pushed.
2952  */
2953  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
2954  {
2955  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
2956  frame_or_align_flags(&c->c2.frame,
2957  FRAME_HEADROOM_MARKER_FRAGMENT
2958  |FRAME_HEADROOM_MARKER_DECRYPT);
2959  }
2960 #endif
2961 
2962 #ifdef ENABLE_FRAGMENT
2963  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
2964 #endif
2965  }
2966 #endif /* USE_COMP */
2967 
2968  /*
2969  * Adjust frame size for UDP Socks support.
2970  */
2971  if (c->options.ce.socks_proxy_server)
2972  {
2973  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
2974  }
2975 
2976  /*
2977  * Adjust frame size based on the --tun-mtu-extra parameter.
2978  */
2979  if (c->options.ce.tun_mtu_extra_defined)
2980  {
2981  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
2982  }
2983 
2984  /*
2985  * Adjust frame size based on link socket parameters.
2986  * (Since TCP is a stream protocol, we need to insert
2987  * a packet length uint16_t in the buffer.)
2988  */
2989  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
2990 
2991  /*
2992  * Fill in the blanks in the frame parameters structure,
2993  * make sure values are rational, etc.
2994  */
2995  frame_finalize_options(c, NULL);
2996 
2997 #ifdef USE_COMP
2998  /*
2999  * Modify frame parameters if compression is compiled in.
3000  * Should be called after frame_finalize_options.
3001  */
3002  comp_add_to_extra_buffer(&c->c2.frame);
3003 #ifdef ENABLE_FRAGMENT
3004  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3005 #endif
3006 #endif /* USE_COMP */
3007 
3008  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3009  * and need link_mtu+3 bytes on socket reception (on server).
3010  *
3011  * accomodate receive path in f->extra_link, which has the side effect of
3012  * also increasing send buffers (BUF_SIZE() macro), which need to be
3013  * allocated big enough before receiving peer-id option from server.
3014  *
3015  * f->extra_frame is adjusted when peer-id option is push-received
3016  */
3017  frame_add_to_extra_link(&c->c2.frame, 3);
3018 
3019 #ifdef ENABLE_FRAGMENT
3020  /*
3021  * Set frame parameter for fragment code. This is necessary because
3022  * the fragmentation code deals with payloads which have already been
3023  * passed through the compression code.
3024  */
3025  c->c2.frame_fragment = c->c2.frame;
3026  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3027 #endif
3028 
3029 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3030  /*
3031  * MTU advisories
3032  */
3033  if (c->options.ce.fragment && c->options.mtu_test)
3034  {
3035  msg(M_WARN,
3036  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3037  }
3038 #endif
3039 
3040 #ifdef ENABLE_FRAGMENT
3041  if ((c->options.ce.mssfix || c->options.ce.fragment)
3042  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3043  {
3044  msg(M_WARN,
3045  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3046  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3047  }
3048 #endif
3049 }
3050 
3051 static void
3052 do_option_warnings(struct context *c)
3053 {
3054  const struct options *o = &c->options;
3055 
3056  if (o->ping_send_timeout && !o->ping_rec_timeout)
3057  {
3058  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3059  }
3060 
3061  if (o->username || o->groupname || o->chroot_dir
3062 #ifdef ENABLE_SELINUX
3063  || o->selinux_context
3064 #endif
3065  )
3066  {
3067  if (!o->persist_tun)
3068  {
3069  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3070  }
3071  if (!o->persist_key
3072 #ifdef ENABLE_PKCS11
3073  && !o->pkcs11_id
3074 #endif
3075  )
3076  {
3077  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3078  }
3079  }
3080 
3081  if (o->chroot_dir && !(o->username && o->groupname))
3082  {
3083  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3084  }
3085 
3086 #if P2MP
3087  if (o->pull && o->ifconfig_local && c->first_time)
3088  {
3089  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3090  }
3091 
3092 #if P2MP_SERVER
3093  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3094  {
3095  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3096  }
3097 
3098  if (o->mode == MODE_SERVER)
3099  {
3100  if (o->duplicate_cn && o->client_config_dir)
3101  {
3102  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3103  }
3104  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3105  {
3106  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3107  }
3108  if (!o->keepalive_ping || !o->keepalive_timeout)
3109  {
3110  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3111  }
3112  }
3113 #endif /* if P2MP_SERVER */
3114 #endif /* if P2MP */
3115 
3116  if (!o->replay)
3117  {
3118  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3119  }
3120 
3121  if (o->tls_server)
3122  {
3123  warn_on_use_of_common_subnets();
3124  }
3125  if (o->tls_client
3126  && !o->tls_verify
3127  && o->verify_x509_type == VERIFY_X509_NONE
3128  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3129  && !o->remote_cert_eku)
3130  {
3131  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3132  }
3133  if (o->ns_cert_type)
3134  {
3135  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3136  }
3137 
3138  /* If a script is used, print appropiate warnings */
3139  if (o->user_script_used)
3140  {
3141  if (script_security() >= SSEC_SCRIPTS)
3142  {
3143  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3144  }
3145  else if (script_security() >= SSEC_PW_ENV)
3146  {
3147  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3148  }
3149  else
3150  {
3151  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3152  }
3153  }
3154 }
3155 
3156 static void
3157 do_init_frame_tls(struct context *c)
3158 {
3159  do_init_finalize_tls_frame(c);
3160 }
3161 
3162 struct context_buffers *
3163 init_context_buffers(const struct frame *frame)
3164 {
3165  struct context_buffers *b;
3166 
3167  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3168 
3169  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3170  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3171 
3172  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3173 
3174  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3175  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3176 
3177 #ifdef USE_COMP
3178  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3179  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3180 #endif
3181 
3182  return b;
3183 }
3184 
3185 void
3186 free_context_buffers(struct context_buffers *b)
3187 {
3188  if (b)
3189  {
3190  free_buf(&b->read_link_buf);
3191  free_buf(&b->read_tun_buf);
3192  free_buf(&b->aux_buf);
3193 
3194 #ifdef USE_COMP
3195  free_buf(&b->compress_buf);
3196  free_buf(&b->decompress_buf);
3197 #endif
3198 
3199  free_buf(&b->encrypt_buf);
3200  free_buf(&b->decrypt_buf);
3201 
3202  free(b);
3203  }
3204 }
3205 
3206 /*
3207  * Now that we know all frame parameters, initialize
3208  * our buffers.
3209  */
3210 static void
3211 do_init_buffers(struct context *c)
3212 {
3213  c->c2.buffers = init_context_buffers(&c->c2.frame);
3214  c->c2.buffers_owned = true;
3215 }
3216 
3217 #ifdef ENABLE_FRAGMENT
3218 /*
3219  * Fragmenting code has buffers to initialize
3220  * once frame parameters are known.
3221  */
3222 static void
3223 do_init_fragment(struct context *c)
3224 {
3225  ASSERT(c->options.ce.fragment);
3226  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3227  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3228  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3229 }
3230 #endif
3231 
3232 /*
3233  * Allocate our socket object.
3234  */
3235 static void
3236 do_link_socket_new(struct context *c)
3237 {
3238  ASSERT(!c->c2.link_socket);
3239  c->c2.link_socket = link_socket_new();
3240  c->c2.link_socket_owned = true;
3241 }
3242 
3243 /*
3244  * bind the TCP/UDP socket
3245  */
3246 static void
3247 do_init_socket_1(struct context *c, const int mode)
3248 {
3249  unsigned int sockflags = c->options.sockflags;
3250 
3251 #if PORT_SHARE
3252  if (c->options.port_share_host && c->options.port_share_port)
3253  {
3254  sockflags |= SF_PORT_SHARE;
3255  }
3256 #endif
3257 
3258  link_socket_init_phase1(c->c2.link_socket,
3259  c->options.ce.local,
3260  c->options.ce.local_port,
3261  c->options.ce.remote,
3262  c->options.ce.remote_port,
3263  c->c1.dns_cache,
3264  c->options.ce.proto,
3265  c->options.ce.af,
3266  c->options.ce.bind_ipv6_only,
3267  mode,
3268  c->c2.accept_from,
3269  c->c1.http_proxy,
3270  c->c1.socks_proxy,
3271 #ifdef ENABLE_DEBUG
3272  c->options.gremlin,
3273 #endif
3274  c->options.ce.bind_local,
3275  c->options.ce.remote_float,
3276  c->options.inetd,
3277  &c->c1.link_socket_addr,
3278  c->options.ipchange,
3279  c->plugins,
3280  c->options.resolve_retry_seconds,
3281  c->options.ce.mtu_discover_type,
3282  c->options.rcvbuf,
3283  c->options.sndbuf,
3284  c->options.mark,
3285  &c->c2.server_poll_interval,
3286  sockflags);
3287 }
3288 
3289 /*
3290  * finalize the TCP/UDP socket
3291  */
3292 static void
3293 do_init_socket_2(struct context *c)
3294 {
3295  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3296  c->sig);
3297 }
3298 
3299 /*
3300  * Print MTU INFO
3301  */
3302 static void
3303 do_print_data_channel_mtu_parms(struct context *c)
3304 {
3305  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3306 #ifdef ENABLE_FRAGMENT
3307  if (c->c2.fragment)
3308  {
3309  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3310  "Fragmentation MTU parms");
3311  }
3312 #endif
3313 }
3314 
3315 #ifdef ENABLE_OCC
3316 /*
3317  * Get local and remote options compatibility strings.
3318  */
3319 static void
3320 do_compute_occ_strings(struct context *c)
3321 {
3322  struct gc_arena gc = gc_new();
3323 
3324  c->c2.options_string_local =
3325  options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3326  c->c2.options_string_remote =
3327  options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
3328 
3329  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3330  options_string_version(c->c2.options_string_local, &gc),
3331  c->c2.options_string_local);
3332  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3333  options_string_version(c->c2.options_string_remote, &gc),
3334  c->c2.options_string_remote);
3335 
3336  if (c->c2.tls_multi)
3337  {
3338  tls_multi_init_set_options(c->c2.tls_multi,
3339  c->c2.options_string_local,
3340  c->c2.options_string_remote);
3341  }
3342 
3343  gc_free(&gc);
3344 }
3345 #endif /* ifdef ENABLE_OCC */
3346 
3347 /*
3348  * These things can only be executed once per program instantiation.
3349  * Set up for possible UID/GID downgrade, but don't do it yet.
3350  * Daemonize if requested.
3351  */
3352 static void
3353 do_init_first_time(struct context *c)
3354 {
3355  if (c->first_time && !c->c0)
3356  {
3357  struct context_0 *c0;
3358 
3359  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3360  c0 = c->c0;
3361 
3362  /* get user and/or group that we want to setuid/setgid to */
3363  c0->uid_gid_specified =
3364  platform_group_get(c->options.groupname, &c0->platform_state_group)
3365  |platform_user_get(c->options.username, &c0->platform_state_user);
3366 
3367  /* perform postponed chdir if --daemon */
3368  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3369  {
3370  platform_chdir("/");
3371  }
3372 
3373  /* should we change scheduling priority? */
3374  platform_nice(c->options.nice);
3375  }
3376 }
3377 
3378 /*
3379  * If xinetd/inetd mode, don't allow restart.
3380  */
3381 static void
3382 do_close_check_if_restart_permitted(struct context *c)
3383 {
3384  if (c->options.inetd
3385  && (c->sig->signal_received == SIGHUP
3386  || c->sig->signal_received == SIGUSR1))
3387  {
3388  c->sig->signal_received = SIGTERM;
3389  msg(M_INFO,
3390  PACKAGE_NAME
3391  " started by inetd/xinetd cannot restart... Exiting.");
3392  }
3393 }
3394 
3395 /*
3396  * free buffers
3397  */
3398 static void
3399 do_close_free_buf(struct context *c)
3400 {
3401  if (c->c2.buffers_owned)
3402  {
3403  free_context_buffers(c->c2.buffers);
3404  c->c2.buffers = NULL;
3405  c->c2.buffers_owned = false;
3406  }
3407 }
3408 
3409 /*
3410  * close TLS
3411  */
3412 static void
3413 do_close_tls(struct context *c)
3414 {
3415  if (c->c2.tls_multi)
3416  {
3417  tls_multi_free(c->c2.tls_multi, true);
3418  c->c2.tls_multi = NULL;
3419  }
3420 
3421 #ifdef ENABLE_OCC
3422  /* free options compatibility strings */
3423  if (c->c2.options_string_local)
3424  {
3425  free(c->c2.options_string_local);
3426  }
3427  if (c->c2.options_string_remote)
3428  {
3429  free(c->c2.options_string_remote);
3430  }
3431  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3432 #endif
3433 
3434  if (c->c2.pulled_options_state)
3435  {
3436  md_ctx_cleanup(c->c2.pulled_options_state);
3437  md_ctx_free(c->c2.pulled_options_state);
3438  }
3439 }
3440 
3441 /*
3442  * Free key schedules
3443  */
3444 static void
3445 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3446 {
3447  /*
3448  * always free the tls_auth/crypt key. If persist_key is true, the key will
3449  * be reloaded from memory (pre-cached)
3450  */
3451  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3452  CLEAR(c->c1.ks.tls_wrap_key);
3453 
3454  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3455  {
3456  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3457  }
3458 }
3459 
3460 /*
3461  * Close TCP/UDP connection
3462  */
3463 static void
3464 do_close_link_socket(struct context *c)
3465 {
3466  if (c->c2.link_socket && c->c2.link_socket_owned)
3467  {
3468  link_socket_close(c->c2.link_socket);
3469  c->c2.link_socket = NULL;
3470  }
3471 
3472 
3473  /* Preserve the resolved list of remote if the user request to or if we want
3474  * reconnect to the same host again or there are still addresses that need
3475  * to be tried */
3476  if (!(c->sig->signal_received == SIGUSR1
3477  && ( (c->options.persist_remote_ip)
3478  ||
3479  ( c->sig->source != SIG_SOURCE_HARD
3480  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3481  || c->options.no_advance))
3482  )))
3483  {
3484  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3485  }
3486 
3487  /* Clear the remote actual address when persist_remote_ip is not in use */
3488  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3489  {
3490  CLEAR(c->c1.link_socket_addr.actual);
3491  }
3492 
3493  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3494  {
3495  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3496  {
3497  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3498  }
3499 
3500  c->c1.link_socket_addr.bind_local = NULL;
3501  }
3502 }
3503 
3504 /*
3505  * Close packet-id persistance file
3506  */
3507 static void
3508 do_close_packet_id(struct context *c)
3509 {
3510  packet_id_free(&c->c2.crypto_options.packet_id);
3511  packet_id_persist_save(&c->c1.pid_persist);
3512  if (!(c->sig->signal_received == SIGUSR1))
3513  {
3514  packet_id_persist_close(&c->c1.pid_persist);
3515  }
3516 }
3517 
3518 #ifdef ENABLE_FRAGMENT
3519 /*
3520  * Close fragmentation handler.
3521  */
3522 static void
3523 do_close_fragment(struct context *c)
3524 {
3525  if (c->c2.fragment)
3526  {
3527  fragment_free(c->c2.fragment);
3528  c->c2.fragment = NULL;
3529  }
3530 }
3531 #endif
3532 
3533 /*
3534  * Open and close our event objects.
3535  */
3536 
3537 static void
3538 do_event_set_init(struct context *c,
3539  bool need_us_timeout)
3540 {
3541  unsigned int flags = 0;
3542 
3543  c->c2.event_set_max = BASE_N_EVENTS;
3544 
3545  flags |= EVENT_METHOD_FAST;
3546 
3547  if (need_us_timeout)
3548  {
3549  flags |= EVENT_METHOD_US_TIMEOUT;
3550  }
3551 
3552  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3553  c->c2.event_set_owned = true;
3554 }
3555 
3556 static void
3557 do_close_event_set(struct context *c)
3558 {
3559  if (c->c2.event_set && c->c2.event_set_owned)
3560  {
3561  event_free(c->c2.event_set);
3562  c->c2.event_set = NULL;
3563  c->c2.event_set_owned = false;
3564  }
3565 }
3566 
3567 /*
3568  * Open and close --status file
3569  */
3570 
3571 static void
3572 do_open_status_output(struct context *c)
3573 {
3574  if (!c->c1.status_output)
3575  {
3576  c->c1.status_output = status_open(c->options.status_file,
3577  c->options.status_file_update_freq,
3578  -1,
3579  NULL,
3580  STATUS_OUTPUT_WRITE);
3581  c->c1.status_output_owned = true;
3582  }
3583 }
3584 
3585 static void
3586 do_close_status_output(struct context *c)
3587 {
3588  if (!(c->sig->signal_received == SIGUSR1))
3589  {
3590  if (c->c1.status_output_owned && c->c1.status_output)
3591  {
3592  status_close(c->c1.status_output);
3593  c->c1.status_output = NULL;
3594  c->c1.status_output_owned = false;
3595  }
3596  }
3597 }
3598 
3599 /*
3600  * Handle ifconfig-pool persistance object.
3601  */
3602 static void
3603 do_open_ifconfig_pool_persist(struct context *c)
3604 {
3605 #if P2MP_SERVER
3606  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3607  {
3608  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3609  c->options.ifconfig_pool_persist_refresh_freq);
3610  c->c1.ifconfig_pool_persist_owned = true;
3611  }
3612 #endif
3613 }
3614 
3615 static void
3616 do_close_ifconfig_pool_persist(struct context *c)
3617 {
3618 #if P2MP_SERVER
3619  if (!(c->sig->signal_received == SIGUSR1))
3620  {
3621  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3622  {
3623  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3624  c->c1.ifconfig_pool_persist = NULL;
3625  c->c1.ifconfig_pool_persist_owned = false;
3626  }
3627  }
3628 #endif
3629 }
3630 
3631 /*
3632  * Inherit environmental variables
3633  */
3634 
3635 static void
3636 do_inherit_env(struct context *c, const struct env_set *src)
3637 {
3638  c->c2.es = env_set_create(NULL);
3639  c->c2.es_owned = true;
3640  env_set_inherit(c->c2.es, src);
3641 }
3642 
3643 static void
3644 do_env_set_destroy(struct context *c)
3645 {
3646  if (c->c2.es && c->c2.es_owned)
3647  {
3648  env_set_destroy(c->c2.es);
3649  c->c2.es = NULL;
3650  c->c2.es_owned = false;
3651  }
3652 }
3653 
3654 /*
3655  * Fast I/O setup. Fast I/O is an optimization which only works
3656  * if all of the following are true:
3657  *
3658  * (1) The platform is not Windows
3659  * (2) --proto udp is enabled
3660  * (3) --shaper is disabled
3661  */
3662 static void
3663 do_setup_fast_io(struct context *c)
3664 {
3665  if (c->options.fast_io)
3666  {
3667 #ifdef _WIN32
3668  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3669 #else
3670  if (!proto_is_udp(c->options.ce.proto))
3671  {
3672  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3673  }
3674  else
3675  {
3676 #ifdef ENABLE_FEATURE_SHAPER
3677  if (c->options.shaper)
3678  {
3679  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3680  }
3681  else
3682 #endif
3683  {
3684  c->c2.fast_io = true;
3685  }
3686  }
3687 #endif
3688  }
3689 }
3690 
3691 static void
3692 do_signal_on_tls_errors(struct context *c)
3693 {
3694  if (c->options.tls_exit)
3695  {
3696  c->c2.tls_exit_signal = SIGTERM;
3697  }
3698  else
3699  {
3700  c->c2.tls_exit_signal = SIGUSR1;
3701  }
3702 }
3703 
3704 #ifdef ENABLE_PLUGIN
3705 
3706 void
3707 init_plugins(struct context *c)
3708 {
3709  if (c->options.plugin_list && !c->plugins)
3710  {
3711  c->plugins = plugin_list_init(c->options.plugin_list);
3712  c->plugins_owned = true;
3713  }
3714 }
3715 
3716 void
3717 open_plugins(struct context *c, const bool import_options, int init_point)
3718 {
3719  if (c->plugins && c->plugins_owned)
3720  {
3721  if (import_options)
3722  {
3723  struct plugin_return pr, config;
3724  plugin_return_init(&pr);
3725  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3726  plugin_return_get_column(&pr, &config, "config");
3727  if (plugin_return_defined(&config))
3728  {
3729  int i;
3730  for (i = 0; i < config.n; ++i)
3731  {
3732  unsigned int option_types_found = 0;
3733  if (config.list[i] && config.list[i]->value)
3734  {
3735  options_string_import(&c->options,
3736  config.list[i]->value,
3737  D_IMPORT_ERRORS|M_OPTERR,
3738  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3739  &option_types_found,
3740  c->es);
3741  }
3742  }
3743  }
3744  plugin_return_free(&pr);
3745  }
3746  else
3747  {
3748  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3749  }
3750  }
3751 }
3752 
3753 static void
3754 do_close_plugins(struct context *c)
3755 {
3756  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3757  {
3758  plugin_list_close(c->plugins);
3759  c->plugins = NULL;
3760  c->plugins_owned = false;
3761  }
3762 }
3763 
3764 static void
3765 do_inherit_plugins(struct context *c, const struct context *src)
3766 {
3767  if (!c->plugins && src->plugins)
3768  {
3769  c->plugins = plugin_list_inherit(src->plugins);
3770  c->plugins_owned = true;
3771  }
3772 }
3773 
3774 #endif /* ifdef ENABLE_PLUGIN */
3775 
3776 #ifdef ENABLE_MANAGEMENT
3777 
3778 static void
3779 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3780 {
3781  struct context *c = (struct context *) arg;
3782  print_status(c, so);
3783 }
3784 
3785 void
3786 management_show_net_callback(void *arg, const int msglevel)
3787 {
3788 #ifdef _WIN32
3789  show_routes(msglevel);
3790  show_adapters(msglevel);
3791  msg(msglevel, "END");
3792 #else
3793  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3794 #endif
3795 }
3796 
3797 #ifdef TARGET_ANDROID
3798 int
3799 management_callback_network_change(void *arg, bool samenetwork)
3800 {
3801  /* Check if the client should translate the network change to a SIGUSR1 to
3802  * reestablish the connection or just reprotect the socket
3803  *
3804  * At the moment just assume that, for all settings that use pull (not
3805  * --static) and are not using peer-id reestablishing the connection is
3806  * required (unless the network is the same)
3807  *
3808  * The function returns -1 on invalid fd and -2 if the socket cannot be
3809  * reused. On the -2 return value the man_network_change function triggers
3810  * a SIGUSR1 to force a reconnect.
3811  */
3812 
3813  int socketfd = -1;
3814  struct context *c = (struct context *) arg;
3815  if (!c->c2.link_socket)
3816  {
3817  return -1;
3818  }
3819  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3820  {
3821  return -1;
3822  }
3823 
3824  socketfd = c->c2.link_socket->sd;
3825  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3826  {
3827  return socketfd;
3828  }
3829  else
3830  {
3831  return -2;
3832  }
3833 }
3834 #endif /* ifdef TARGET_ANDROID */
3835 
3836 #endif /* ifdef ENABLE_MANAGEMENT */
3837 
3838 void
3839 init_management_callback_p2p(struct context *c)
3840 {
3841 #ifdef ENABLE_MANAGEMENT
3842  if (management)
3843  {
3844  struct management_callback cb;
3845  CLEAR(cb);
3846  cb.arg = c;
3847  cb.status = management_callback_status_p2p;
3848  cb.show_net = management_show_net_callback;
3849  cb.proxy_cmd = management_callback_proxy_cmd;
3850  cb.remote_cmd = management_callback_remote_cmd;
3851 #ifdef TARGET_ANDROID
3852  cb.network_change = management_callback_network_change;
3853 #endif
3854  management_set_callback(management, &cb);
3855  }
3856 #endif
3857 }
3858 
3859 #ifdef ENABLE_MANAGEMENT
3860 
3861 void
3862 init_management(struct context *c)
3863 {
3864  if (!management)
3865  {
3866  management = management_init();
3867  }
3868 }
3869 
3870 bool
3871 open_management(struct context *c)
3872 {
3873  /* initialize management layer */
3874  if (management)
3875  {
3876  if (c->options.management_addr)
3877  {
3878  unsigned int flags = c->options.management_flags;
3879  if (c->options.mode == MODE_SERVER)
3880  {
3881  flags |= MF_SERVER;
3882  }
3883  if (management_open(management,
3884  c->options.management_addr,
3885  c->options.management_port,
3886  c->options.management_user_pass,
3887  c->options.management_client_user,
3888  c->options.management_client_group,
3889  c->options.management_log_history_cache,
3890  c->options.management_echo_buffer_size,
3891  c->options.management_state_buffer_size,
3892  c->options.management_write_peer_info_file,
3893  c->options.remap_sigusr1,
3894  flags))
3895  {
3896  management_set_state(management,
3897  OPENVPN_STATE_CONNECTING,
3898  NULL,
3899  NULL,
3900  NULL,
3901  NULL,
3902  NULL);
3903  }
3904 
3905  /* initial management hold, called early, before first context initialization */
3906  do_hold(0);
3907  if (IS_SIG(c))
3908  {
3909  msg(M_WARN, "Signal received from management interface, exiting");
3910  return false;
3911  }
3912  }
3913  else
3914  {
3915  close_management();
3916  }
3917  }
3918  return true;
3919 }
3920 
3921 void
3922 close_management(void)
3923 {
3924  if (management)
3925  {
3926  management_close(management);
3927  management = NULL;
3928  }
3929 }
3930 
3931 #endif /* ifdef ENABLE_MANAGEMENT */
3932 
3933 
3934 void
3935 uninit_management_callback(void)
3936 {
3937 #ifdef ENABLE_MANAGEMENT
3938  if (management)
3939  {
3940  management_clear_callback(management);
3941  }
3942 #endif
3943 }
3944 
3945 /*
3946  * Initialize a tunnel instance, handle pre and post-init
3947  * signal settings.
3948  */
3949 void
3950 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3951 {
3952  pre_init_signal_catch();
3953  init_instance(c, env, flags);
3954  post_init_signal_catch();
3955 
3956  /*
3957  * This is done so that signals thrown during
3958  * initialization can bring us back to
3959  * a management hold.
3960  */
3961  if (IS_SIG(c))
3962  {
3963  remap_signal(c);
3964  uninit_management_callback();
3965  }
3966 }
3967 
3968 /*
3969  * Initialize a tunnel instance.
3970  */
3971 void
3972 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
3973 {
3974  const struct options *options = &c->options;
3975  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
3976  int link_socket_mode = LS_MODE_DEFAULT;
3977 
3978  /* init garbage collection level */
3979  gc_init(&c->c2.gc);
3980 
3981  /* inherit environmental variables */
3982  if (env)
3983  {
3984  do_inherit_env(c, env);
3985  }
3986 
3987  /* signals caught here will abort */
3988  c->sig->signal_received = 0;
3989  c->sig->signal_text = NULL;
3990  c->sig->source = SIG_SOURCE_SOFT;
3991 
3992  if (c->mode == CM_P2P)
3993  {
3994  init_management_callback_p2p(c);
3995  }
3996 
3997  /* possible sleep or management hold if restart */
3998  if (c->mode == CM_P2P || c->mode == CM_TOP)
3999  {
4000  do_startup_pause(c);
4001  if (IS_SIG(c))
4002  {
4003  goto sig;
4004  }
4005  }
4006 
4007  if (c->options.resolve_in_advance)
4008  {
4009  do_preresolve(c);
4010  if (IS_SIG(c))
4011  {
4012  goto sig;
4013  }
4014  }
4015 
4016  /* map in current connection entry */
4017  next_connection_entry(c);
4018 
4019  /* link_socket_mode allows CM_CHILD_TCP
4020  * instances to inherit acceptable fds
4021  * from a top-level parent */
4022  if (c->options.ce.proto == PROTO_TCP_SERVER)
4023  {
4024  if (c->mode == CM_TOP)
4025  {
4026  link_socket_mode = LS_MODE_TCP_LISTEN;
4027  }
4028  else if (c->mode == CM_CHILD_TCP)
4029  {
4030  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4031  }
4032  }
4033 
4034  /* should we disable paging? */
4035  if (c->first_time && options->mlock)
4036  {
4037  platform_mlockall(true);
4038  }
4039 
4040 #if P2MP
4041  /* get passwords if undefined */
4042  if (auth_retry_get() == AR_INTERACT)
4043  {
4044  init_query_passwords(c);
4045  }
4046 #endif
4047 
4048  /* initialize context level 2 --verb/--mute parms */
4049  init_verb_mute(c, IVM_LEVEL_2);
4050 
4051  /* set error message delay for non-server modes */
4052  if (c->mode == CM_P2P)
4053  {
4054  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4055  }
4056 
4057  /* warn about inconsistent options */
4058  if (c->mode == CM_P2P || c->mode == CM_TOP)
4059  {
4060  do_option_warnings(c);
4061  }
4062 
4063 #ifdef ENABLE_PLUGIN
4064  /* initialize plugins */
4065  if (c->mode == CM_P2P || c->mode == CM_TOP)
4066  {
4067  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4068  }
4069 #endif
4070 
4071  /* should we enable fast I/O? */
4072  if (c->mode == CM_P2P || c->mode == CM_TOP)
4073  {
4074  do_setup_fast_io(c);
4075  }
4076 
4077  /* should we throw a signal on TLS errors? */
4078  do_signal_on_tls_errors(c);
4079 
4080  /* open --status file */
4081  if (c->mode == CM_P2P || c->mode == CM_TOP)
4082  {
4083  do_open_status_output(c);
4084  }
4085 
4086  /* open --ifconfig-pool-persist file */
4087  if (c->mode == CM_TOP)
4088  {
4089  do_open_ifconfig_pool_persist(c);
4090  }
4091 
4092 #ifdef ENABLE_OCC
4093  /* reset OCC state */
4094  if (c->mode == CM_P2P || child)
4095  {
4096  c->c2.occ_op = occ_reset_op();
4097  }
4098 #endif
4099 
4100  /* our wait-for-i/o objects, different for posix vs. win32 */
4101  if (c->mode == CM_P2P)
4102  {
4103  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4104  }
4105  else if (c->mode == CM_CHILD_TCP)
4106  {
4107  do_event_set_init(c, false);
4108  }
4109 
4110  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4111  init_proxy(c);
4112 
4113  /* allocate our socket object */
4114  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4115  {
4116  do_link_socket_new(c);
4117  }
4118 
4119 #ifdef ENABLE_FRAGMENT
4120  /* initialize internal fragmentation object */
4121  if (options->ce.fragment && (c->mode == CM_P2P || child))
4122  {
4123  c->c2.fragment = fragment_init(&c->c2.frame);
4124  }
4125 #endif
4126 
4127  /* init crypto layer */
4128  {
4129  unsigned int crypto_flags = 0;
4130  if (c->mode == CM_TOP)
4131  {
4132  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4133  }
4134  else if (c->mode == CM_P2P)
4135  {
4136  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4137  }
4138  else if (child)
4139  {
4140  crypto_flags = CF_INIT_TLS_MULTI;
4141  }
4142  do_init_crypto(c, crypto_flags);
4143  if (IS_SIG(c) && !child)
4144  {
4145  goto sig;
4146  }
4147  }
4148 
4149 #ifdef USE_COMP
4150  /* initialize compression library. */
4151  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4152  {
4153  c->c2.comp_context = comp_init(&options->comp);
4154  }
4155 #endif
4156 
4157  /* initialize MTU variables */
4158  do_init_frame(c);
4159 
4160  /* initialize TLS MTU variables */
4161  do_init_frame_tls(c);
4162 
4163  /* init workspace buffers whose size is derived from frame size */
4164  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4165  {
4166  do_init_buffers(c);
4167  }
4168 
4169 #ifdef ENABLE_FRAGMENT
4170  /* initialize internal fragmentation capability with known frame size */
4171  if (options->ce.fragment && (c->mode == CM_P2P || child))
4172  {
4173  do_init_fragment(c);
4174  }
4175 #endif
4176 
4177  /* initialize dynamic MTU variable */
4178  frame_init_mssfix(&c->c2.frame, &c->options);
4179 
4180  /* bind the TCP/UDP socket */
4181  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4182  {
4183  do_init_socket_1(c, link_socket_mode);
4184  }
4185 
4186  /* initialize tun/tap device object,
4187  * open tun/tap device, ifconfig, run up script, etc. */
4188  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4189  {
4190  c->c2.did_open_tun = do_open_tun(c);
4191  }
4192 
4193  c->c2.frame_initial = c->c2.frame;
4194 
4195  /* print MTU info */
4196  do_print_data_channel_mtu_parms(c);
4197 
4198 #ifdef ENABLE_OCC
4199  /* get local and remote options compatibility strings */
4200  if (c->mode == CM_P2P || child)
4201  {
4202  do_compute_occ_strings(c);
4203  }
4204 #endif
4205 
4206  /* initialize output speed limiter */
4207  if (c->mode == CM_P2P)
4208  {
4209  do_init_traffic_shaper(c);
4210  }
4211 
4212  /* do one-time inits, and possibily become a daemon here */
4213  do_init_first_time(c);
4214 
4215 #ifdef ENABLE_PLUGIN
4216  /* initialize plugins */
4217  if (c->mode == CM_P2P || c->mode == CM_TOP)
4218  {
4219  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4220  }
4221 #endif
4222 
4223  /* initialise connect timeout timer */
4224  do_init_server_poll_timeout(c);
4225 
4226  /* finalize the TCP/UDP socket */
4227  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4228  {
4229  do_init_socket_2(c);
4230  }
4231 
4232  /*
4233  * Actually do UID/GID downgrade, and chroot, if requested.
4234  * May be delayed by --client, --pull, or --up-delay.
4235  */
4236  do_uid_gid_chroot(c, c->c2.did_open_tun);
4237 
4238  /* initialize timers */
4239  if (c->mode == CM_P2P || child)
4240  {
4241  do_init_timers(c, false);
4242  }
4243 
4244 #ifdef ENABLE_PLUGIN
4245  /* initialize plugins */
4246  if (c->mode == CM_P2P || c->mode == CM_TOP)
4247  {
4248  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4249  }
4250 #endif
4251 
4252 #if PORT_SHARE
4253  /* share OpenVPN port with foreign (such as HTTPS) server */
4254  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4255  {
4256  init_port_share(c);
4257  }
4258 #endif
4259 
4260 #ifdef ENABLE_PF
4261  if (child)
4262  {
4263  pf_init_context(c);
4264  }
4265 #endif
4266 
4267  /* Check for signals */
4268  if (IS_SIG(c))
4269  {
4270  goto sig;
4271  }
4272 
4273  return;
4274 
4275 sig:
4276  if (!c->sig->signal_text)
4277  {
4278  c->sig->signal_text = "init_instance";
4279  }
4280  close_context(c, -1, flags);
4281  return;
4282 }
4283 
4284 /*
4285  * Close a tunnel instance.
4286  */
4287 void
4288 close_instance(struct context *c)
4289 {
4290  /* close event objects */
4291  do_close_event_set(c);
4292 
4293  if (c->mode == CM_P2P
4294  || c->mode == CM_CHILD_TCP
4295  || c->mode == CM_CHILD_UDP
4296  || c->mode == CM_TOP)
4297  {
4298  /* if xinetd/inetd mode, don't allow restart */
4299  do_close_check_if_restart_permitted(c);
4300 
4301 #ifdef USE_COMP
4302  if (c->c2.comp_context)
4303  {
4304  comp_uninit(c->c2.comp_context);
4305  c->c2.comp_context = NULL;
4306  }
4307 #endif
4308 
4309  /* free buffers */
4310  do_close_free_buf(c);
4311 
4312  /* close TLS */
4313  do_close_tls(c);
4314 
4315  /* free key schedules */
4316  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4317 
4318  restore_ncp_options(c);
4319 
4320  /* close TCP/UDP connection */
4321  do_close_link_socket(c);
4322 
4323  /* close TUN/TAP device */
4324  do_close_tun(c, false);
4325 
4326 #ifdef MANAGEMENT_DEF_AUTH
4327  if (management)
4328  {
4329  management_notify_client_close(management, &c->c2.mda_context, NULL);
4330  }
4331 #endif
4332 
4333 #ifdef ENABLE_PF
4334  pf_destroy_context(&c->c2.pf);
4335 #endif
4336 
4337 #ifdef ENABLE_PLUGIN
4338  /* call plugin close functions and unload */
4339  do_close_plugins(c);
4340 #endif
4341 
4342  /* close packet-id persistance file */
4343  do_close_packet_id(c);
4344 
4345  /* close --status file */
4346  do_close_status_output(c);
4347 
4348 #ifdef ENABLE_FRAGMENT
4349  /* close fragmentation handler */
4350  do_close_fragment(c);
4351 #endif
4352 
4353  /* close --ifconfig-pool-persist obj */
4354  do_close_ifconfig_pool_persist(c);
4355 
4356  /* free up environmental variable store */
4357  do_env_set_destroy(c);
4358 
4359  /* close HTTP or SOCKS proxy */
4360  uninit_proxy(c);
4361 
4362  /* garbage collect */
4363  gc_free(&c->c2.gc);
4364  }
4365 }
4366 
4367 void
4368 inherit_context_child(struct context *dest,
4369  const struct context *src)
4370 {
4371  CLEAR(*dest);
4372 
4373  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4374  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4375 
4376  dest->gc = gc_new();
4377 
4378  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4379 
4380  /* c1 init */
4381  packet_id_persist_init(&dest->c1.pid_persist);
4382 
4383  dest->c1.ks.key_type = src->c1.ks.key_type;
4384  /* inherit SSL context */
4385  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4386  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4387  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4388  /* inherit pre-NCP ciphers */
4389  dest->c1.ciphername = src->c1.ciphername;
4390  dest->c1.authname = src->c1.authname;
4391  dest->c1.keysize = src->c1.keysize;
4392 
4393  /* options */
4394  dest->options = src->options;
4395  options_detach(&dest->options);
4396 
4397  if (dest->mode == CM_CHILD_TCP)
4398  {
4399  /*
4400  * The CM_TOP context does the socket listen(),
4401  * and the CM_CHILD_TCP context does the accept().
4402  */
4403  dest->c2.accept_from = src->c2.link_socket;
4404  }
4405 
4406 #ifdef ENABLE_PLUGIN
4407  /* inherit plugins */
4408  do_inherit_plugins(dest, src);
4409 #endif
4410 
4411  /* context init */
4412  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4413  if (IS_SIG(dest))
4414  {
4415  return;
4416  }
4417 
4418  /* inherit tun/tap interface object */
4419  dest->c1.tuntap = src->c1.tuntap;
4420 
4421  /* UDP inherits some extra things which TCP does not */
4422  if (dest->mode == CM_CHILD_UDP)
4423  {
4424  /* inherit buffers */
4425  dest->c2.buffers = src->c2.buffers;
4426 
4427  /* inherit parent link_socket and tuntap */
4428  dest->c2.link_socket = src->c2.link_socket;
4429 
4430  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4431  *dest->c2.link_socket_info = src->c2.link_socket->info;
4432 
4433  /* locally override some link_socket_info fields */
4434  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4435  dest->c2.link_socket_info->connection_established = false;
4436  }
4437 }
4438 
4439 void
4440 inherit_context_top(struct context *dest,
4441  const struct context *src)
4442 {
4443  /* copy parent */
4444  *dest = *src;
4445 
4446  /*
4447  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4448  * resources owned by the parent.
4449  *
4450  * Also note that CM_TOP_CLONE context objects are
4451  * closed by multi_top_free in multi.c.
4452  */
4453  dest->mode = CM_TOP_CLONE;
4454 
4455  dest->first_time = false;
4456  dest->c0 = NULL;
4457 
4458  options_detach(&dest->options);
4459  gc_detach(&dest->gc);
4460  gc_detach(&dest->c2.gc);
4461 
4462  /* detach plugins */
4463  dest->plugins_owned = false;
4464 
4465  dest->c2.tls_multi = NULL;
4466 
4467  /* detach c1 ownership */
4468  dest->c1.tuntap_owned = false;
4469  dest->c1.status_output_owned = false;
4470 #if P2MP_SERVER
4471  dest->c1.ifconfig_pool_persist_owned = false;
4472 #endif
4473 
4474  /* detach c2 ownership */
4475  dest->c2.event_set_owned = false;
4476  dest->c2.link_socket_owned = false;
4477  dest->c2.buffers_owned = false;
4478  dest->c2.es_owned = false;
4479 
4480  dest->c2.event_set = NULL;
4481  if (proto_is_dgram(src->options.ce.proto))
4482  {
4483  do_event_set_init(dest, false);
4484  }
4485 
4486 #ifdef USE_COMP
4487  dest->c2.comp_context = NULL;
4488 #endif
4489 }
4490 
4491 void
4492 close_context(struct context *c, int sig, unsigned int flags)
4493 {
4494  ASSERT(c);
4495  ASSERT(c->sig);
4496 
4497  if (sig >= 0)
4498  {
4499  c->sig->signal_received = sig;
4500  }
4501 
4502  if (c->sig->signal_received == SIGUSR1)
4503  {
4504  if ((flags & CC_USR1_TO_HUP)
4505  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4506  {
4507  c->sig->signal_received = SIGHUP;
4508  c->sig->signal_text = "close_context usr1 to hup";
4509  }
4510  }
4511 
4512  if (!(flags & CC_NO_CLOSE))
4513  {
4514  close_instance(c);
4515  }
4516 
4517  if (flags & CC_GC_FREE)
4518  {
4519  context_gc_free(c);
4520  }
4521 }
4522 
4523 /*
4524  * Do a loopback test
4525  * on the crypto subsystem.
4526  */
4527 static void *
4528 test_crypto_thread(void *arg)
4529 {
4530  struct context *c = (struct context *) arg;
4531  const struct options *options = &c->options;
4532 
4533  ASSERT(options->test_crypto);
4534  init_verb_mute(c, IVM_LEVEL_1);
4535  context_init_1(c);
4536  next_connection_entry(c);
4537  do_init_crypto_static(c, 0);
4538 
4539  frame_finalize_options(c, options);
4540 
4541  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4542 
4543  key_schedule_free(&c->c1.ks, true);
4544  packet_id_free(&c->c2.crypto_options.packet_id);
4545 
4546  context_gc_free(c);
4547  return NULL;
4548 }
4549 
4550 bool
4551 do_test_crypto(const struct options *o)
4552 {
4553  if (o->test_crypto)
4554  {
4555  struct context c;
4556 
4557  /* print version number */
4558  msg(M_INFO, "%s", title_string);
4559 
4560  context_clear(&c);
4561  c.options = *o;
4562  options_detach(&c.options);
4563  c.first_time = true;
4564  test_crypto_thread((void *) &c);
4565  return true;
4566  }
4567  return false;
4568 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:281
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:296
context_2::es
struct env_set * es
Definition: openvpn.h:425
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:172
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:187
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2449
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:316
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:412
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:241
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:270
options::sndbuf
int sndbuf
Definition: options.h:329
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:347
context_2::log_rw
bool log_rw
Definition: openvpn.h:385
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:394
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:456
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:266
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:311
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:388
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:557
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:652
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:239
tuntap
Definition: tun.h:131
options::ncp_enabled
bool ncp_enabled
Definition: options.h:482
options::management_flags
unsigned int management_flags
Definition: options.h:371
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1894
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2478
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:436
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:109
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:278
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:524
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1408
options::block_outside_dns
bool block_outside_dns
Definition: options.h:598
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:297
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1310
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:500
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:963
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:389
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:490
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1088
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5283
options::show_curves
bool show_curves
Definition: options.h:203
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:595
options::cipher_list
const char * cipher_list
Definition: options.h:509
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:500
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1841
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1384
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:292
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:663
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:981
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Definition: argv.c:52
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2046
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:574
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1701
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:160
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:392
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:315
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:511
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:362
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:349
streq
#define streq(x, y)
Definition: options.h:617
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:411
options::chroot_dir
const char * chroot_dir
Definition: options.h:286
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:706
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3765
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3557
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2580
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:398
S_FATAL
#define S_FATAL
Definition: run_command.h:42
options::dev
const char * dev
Definition: options.h:225
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:163
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:266
tls_options::mode
int mode
Definition: ssl_common.h:263
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2056
options::auth_token_generate
bool auth_token_generate
Definition: options.h:454
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:303
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1301
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4139
tun_abort
void tun_abort(void)
Definition: init.c:2026
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:498
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:567
frame
Packet geometry parameters.
Definition: mtu.h:93
SIZE
#define SIZE(x)
Definition: basic.h:30
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3644
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2537
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:704
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:319
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:521
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:178
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1176
srandom
#define srandom
Definition: syshead.h:44
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3170
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:374
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:68
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:999
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1852
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:238
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:211
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:646
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4492
script_security
int script_security(void)
Definition: run_command.c:44
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3293
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:309
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:478
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:81
openvpn_sockaddr::addr
union openvpn_sockaddr::@8 addr
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:5528
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:171
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:602
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3839
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:337
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1176
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:291
close_instance
void close_instance(struct context *c)
Definition: init.c:4288
ASSERT
#define ASSERT(x)
Definition: error.h:221
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:557
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:318
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1337
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:625
options::persist_key
bool persist_key
Definition: options.h:271
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:116
options::replay_window
int replay_window
Definition: options.h:491
options::persist_mode
int persist_mode
Definition: options.h:196
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:412
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:312
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3692
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:372
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:276
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1448
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1186
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:295
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1167
options::rcvbuf
int rcvbuf
Definition: options.h:328
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:522
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:252
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:426
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:267
options::connection_list
struct connection_list * connection_list
Definition: options.h:209
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:283
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1317
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:169
options::exit_event_name
const char * exit_event_name
Definition: options.h:594
AR_NONE
#define AR_NONE
Definition: options.h:803
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:253
options::route_noexec
bool route_noexec
Definition: options.h:342
options::sockflags
unsigned int sockflags
Definition: options.h:335
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2406
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:153
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3413
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:339
M_FATAL
#define M_FATAL
Definition: error.h:94
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:507
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:243
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:338
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:364
do_route
void do_route(const struct options *options, struct route_list *route_list, struct route_ipv6_list *route_ipv6_list, const struct tuntap *tt, const struct plugin_list *plugins, struct env_set *es)
Definition: init.c:1609
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:509
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:277
CLEAR
#define CLEAR(x)
Definition: basic.h:33
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:152
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:161
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:186
in_addr_t
#define in_addr_t
Definition: config-msvc.h:104
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:795
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:2921
options::config
const char * config
Definition: options.h:182
options::route_delay
int route_delay
Definition: options.h:343
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, bool remote, struct gc_arena *gc)
Definition: options.c:3509
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:523
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:293
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:339
tls_options::gremlin
int gremlin
Definition: ssl_common.h:353
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3717
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:356
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:967
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:260
options::down_pre
bool down_pre
Definition: options.h:295
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:254
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:647
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
SIGTERM
#define SIGTERM
Definition: config-msvc.h:118
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth, set via options->auth_token_generate.
Definition: ssl_common.h:313
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1366
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:559
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:531
options::push_peer_info
bool push_peer_info
Definition: options.h:583
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:627
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:114
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:165
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:558
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3696
PING_RESTART
#define PING_RESTART
Definition: options.h:265
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2871
options::handshake_window
int handshake_window
Definition: options.h:562
init_management
void init_management(struct context *c)
Definition: init.c:3862
route_ipv6_list
Definition: route.h:214
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3754
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:128
tls_options
Definition: ssl_common.h:235
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:297
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:224
basename
char * basename(char *filename)
Definition: compat-basename.c:39
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:292
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:157
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:221
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:569
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:318
options::verify_x509_type
int verify_x509_type
Definition: options.h:514
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:215
close_management
void close_management(void)
Definition: init.c:3922
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:166
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:298
options::prng_hash
const char * prng_hash
Definition: options.h:486
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:260
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:235
options::fast_io
bool fast_io
Definition: options.h:321
options::key_direction
int key_direction
Definition: options.h:480
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:269
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:190
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:144
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:58
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:75
init_static
bool init_static(void)
Definition: init.c:725
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:186
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:555
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:296
options::route_delay_defined
bool route_delay_defined
Definition: options.h:345
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:510
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:585
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1014
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1005
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1058
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:785
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:655
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:285
options::route_nopull
bool route_nopull
Definition: options.h:348
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3523
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1160
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:65
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:516
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:340
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3950
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:300
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:135
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:515
options::remote_random
bool remote_random
Definition: options.h:223
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:203
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:198
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:536
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:239
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:164
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1004
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:533
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1720
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1287
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:453
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:149
options::tls_verify
const char * tls_verify
Definition: options.h:513
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1417
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:96
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:300
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:358
open_management
bool open_management(struct context *c)
Definition: init.c:3871
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:194
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:107
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:596
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4368
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:645
save_ncp_options
static void save_ncp_options(struct context *c)
Definition: init.c:620
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:265
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3779
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:686
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3572
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2804
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2579
FRAME_HEADROOM_MARKER_FRAGMENT
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: options.h:130
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:631
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:303
tls_options::packet_timeout
interval_t packet_timeout
Definition: ssl_common.h:268
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3616
do_close_check_if_restart_permitted
static void do_close_check_if_restart_permitted(struct context *c)
Definition: init.c:3382
tls_options::config_authname
const char * config_authname
Definition: ssl_common.h:299
connection_list::len
int len
Definition: options.h:156
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:107
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:515
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:465
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3186
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
do_genkey
bool do_genkey(const struct options *options)
Definition: init.c:1053
tuntap::local
in_addr_t local
Definition: tun.h:152
management_callback::arg
void * arg
Definition: manage.h:156
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:271
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:103
options::ns_cert_type
int ns_cert_type
Definition: options.h:527
options::management_write_peer_info_file
const char * management_write_peer_info_file
Definition: options.h:365
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
LS_MODE_TCP_LISTEN
#define LS_MODE_TCP_LISTEN
Definition: socket.h:197
md_kt_size
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:376
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:131
connection_entry::proto
int proto
Definition: options.h:88
options::verbosity
int verbosity
Definition: options.h:309
options::show_net_up
bool show_net_up
Definition: options.h:596
tls_options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: ssl_common.h:310
options::show_engines
bool show_engines
Definition: options.h:201
show_available_engines
void show_available_engines(void)
Definition: crypto_openssl.c:353
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition: crypto_openssl.c:468
np
static const char * np(const char *str)
Definition: simple.c:108
tls_options::crl_file_inline
const char * crl_file_inline
Definition: ssl_common.h:279
options::mode
int mode
Definition: options.h:187
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:183
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:202
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:424
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:991
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:368
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:770
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4762
tls_options::single_session
bool single_session
Definition: ssl_common.h:259
options::occ
bool occ
Definition: options.h:355
tls_options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: ssl_common.h:281
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:292
now
time_t now
Definition: otime.c:36
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:233
link_socket_addr
Definition: socket.h:103
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:511
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3972
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:105
uninit_proxy
static void uninit_proxy(struct context *c)
Definition: init.c:610
options::tls_client
bool tls_client
Definition: options.h:501
options::authname
const char * authname
Definition: options.h:484
do_init_crypto_none
static void do_init_crypto_none(const struct context *c)
Definition: init.c:2893
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:107
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:310
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:170
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2818
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:730
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4120
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1026
key_state::crypto_options
struct crypto_options crypto_options
Definition: ssl_common.h:181
options::connect_retry_max
int connect_retry_max
Definition: options.h:207
options::show_digests
bool show_digests
Definition: options.h:200
context_0::platform_state_group
struct platform_state_group platform_state_group
Definition: openvpn.h:137
options::genkey
bool genkey
Definition: options.h:204
do_init_crypto
static void do_init_crypto(struct context *c, const unsigned int flags)
Definition: init.c:2904
init_win32
void init_win32(void)
Definition: win32.c:105
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1246
prng_bytes
void prng_bytes(uint8_t *output, int len)
Definition: crypto.c:1729
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4001
options::topology
int topology
Definition: options.h:229