OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 #include "auth_token.h"
55 
56 #include "memdbg.h"
57 
58 
59 static struct context *static_context; /* GLOBAL */
60 
61 /*
62  * Crypto initialization flags
63  */
64 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
65 #define CF_INIT_TLS_MULTI (1<<1)
66 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
67 
68 static void do_init_first_time(struct context *c);
69 
70 void
72 {
73  CLEAR(*c);
74 }
75 
76 void
78 {
79  CLEAR(c->c1);
80 }
81 
82 void
84 {
85  CLEAR(c->c2);
86 }
87 
88 void
90 {
91  const bool first_time_save = c->first_time;
92  const struct context_persist cpsave = c->persist;
93  context_clear(c);
94  c->first_time = first_time_save;
95  c->persist = cpsave;
96 }
97 
98 /*
99  * Pass tunnel endpoint and MTU parms to a user-supplied script.
100  * Used to execute the up/down script/plugins.
101  */
102 static void
103 run_up_down(const char *command,
104  const struct plugin_list *plugins,
105  int plugin_type,
106  const char *arg,
107 #ifdef _WIN32
108  DWORD adapter_index,
109 #endif
110  const char *dev_type,
111  int tun_mtu,
112  int link_mtu,
113  const char *ifconfig_local,
114  const char *ifconfig_remote,
115  const char *context,
116  const char *signal_text,
117  const char *script_type,
118  struct env_set *es)
119 {
120  struct gc_arena gc = gc_new();
121 
122  if (signal_text)
123  {
124  setenv_str(es, "signal", signal_text);
125  }
126  setenv_str(es, "script_context", context);
127  setenv_int(es, "tun_mtu", tun_mtu);
128  setenv_int(es, "link_mtu", link_mtu);
129  setenv_str(es, "dev", arg);
130  if (dev_type)
131  {
132  setenv_str(es, "dev_type", dev_type);
133  }
134 #ifdef _WIN32
135  setenv_int(es, "dev_idx", adapter_index);
136 #endif
137 
138  if (!ifconfig_local)
139  {
140  ifconfig_local = "";
141  }
142  if (!ifconfig_remote)
143  {
144  ifconfig_remote = "";
145  }
146  if (!context)
147  {
148  context = "";
149  }
150 
151  if (plugin_defined(plugins, plugin_type))
152  {
153  struct argv argv = argv_new();
154  ASSERT(arg);
155  argv_printf(&argv,
156  "%s %d %d %s %s %s",
157  arg,
158  tun_mtu, link_mtu,
159  ifconfig_local, ifconfig_remote,
160  context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_free(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_free(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
192 {
193 #if P2MP
194  /*
195  * In pull mode, we usually import --ping/--ping-restart parameters from
196  * the server. However we should also set an initial default --ping-restart
197  * for the period of time before we pull the --ping-restart parameter
198  * from the server.
199  */
200  if (options->pull
201  && options->ping_rec_timeout_action == PING_UNDEF
202  && proto_is_dgram(options->ce.proto))
203  {
206  }
207 #endif
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
274  }
275  ce->flags |= CE_MAN_QUERY_PROXY;
276  while (ce->flags & CE_MAN_QUERY_PROXY)
277  {
279  if (IS_SIG(c))
280  {
281  ret = false;
282  break;
283  }
284  }
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
291 
292 static bool
293 management_callback_remote_cmd(void *arg, const char **p)
294 {
295  struct context *c = (struct context *) arg;
296  struct connection_entry *ce = &c->options.ce;
297  int ret = false;
299  {
300  int flags = 0;
301  if (!strcmp(p[1], "ACCEPT"))
302  {
304  ret = true;
305  }
306  else if (!strcmp(p[1], "SKIP"))
307  {
308  flags = CE_MAN_QUERY_REMOTE_SKIP;
309  ret = true;
310  }
311  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
312  {
313  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
314  {
315  struct remote_host_store *rhs = c->options.rh_store;
316  if (!rhs)
317  {
319  c->options.rh_store = rhs;
320  }
321  strncpynt(rhs->host, p[2], RH_HOST_LEN);
322  strncpynt(rhs->port, p[3], RH_PORT_LEN);
323 
324  ce->remote = rhs->host;
325  ce->remote_port = rhs->port;
326  flags = CE_MAN_QUERY_REMOTE_MOD;
327  ret = true;
328  }
329  }
330  if (ret)
331  {
332  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
334  }
335  }
336  return ret;
337 }
338 
339 static bool
341 {
342  struct gc_arena gc = gc_new();
343  volatile struct connection_entry *ce = &c->options.ce;
344  int ce_changed = true; /* presume the connection entry will be changed */
345 
346  update_time();
347  if (management)
348  {
349  struct buffer out = alloc_buf_gc(256, &gc);
350 
351  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
352  proto2ascii(ce->proto, ce->af, false));
354 
357  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
359  {
361  if (IS_SIG(c))
362  {
363  ce_changed = false; /* connection entry have not been set */
364  break;
365  }
366  }
367  }
368  gc_free(&gc);
369 
370  if (ce_changed)
371  {
372  /* If it is likely a connection entry was modified,
373  * check what changed in the flags and that it was not skipped
374  */
375  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
377  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
378  }
379  return ce_changed;
380 }
381 #endif /* ENABLE_MANAGEMENT */
382 
383 /*
384  * Initialize and possibly randomize connection list.
385  */
386 static void
388 {
389  struct connection_list *l = c->options.connection_list;
390 
391  l->current = -1;
392  if (c->options.remote_random)
393  {
394  int i;
395  for (i = 0; i < l->len; ++i)
396  {
397  const int j = get_random() % l->len;
398  if (i != j)
399  {
400  struct connection_entry *tmp;
401  tmp = l->array[i];
402  l->array[i] = l->array[j];
403  l->array[j] = tmp;
404  }
405  }
406  }
407 }
408 
409 /*
410  * Clear the remote address list
411  */
412 static void
414 {
415  if (lsa->remote_list && free)
416  {
417  freeaddrinfo(lsa->remote_list);
418  }
419  lsa->remote_list = NULL;
420  lsa->current_remote = NULL;
421 }
422 
423 /*
424  * Increment to next connection entry
425  */
426 static void
428 {
429  struct connection_list *l = c->options.connection_list;
430  bool ce_defined;
431  struct connection_entry *ce;
432  int n_cycles = 0;
433 
434  do
435  {
436  ce_defined = true;
437  if (c->options.no_advance && l->current >= 0)
438  {
439  c->options.no_advance = false;
440  }
441  else
442  {
443  /* Check if there is another resolved address to try for
444  * the current connection */
446  && c->c1.link_socket_addr.current_remote->ai_next)
447  {
449  c->c1.link_socket_addr.current_remote->ai_next;
450  }
451  else
452  {
453  /* FIXME (schwabe) fix the persist-remote-ip option for real,
454  * this is broken probably ever since connection lists and multiple
455  * remote existed
456  */
457  if (!c->options.persist_remote_ip)
458  {
459  /* close_instance should have cleared the addrinfo objects */
462  }
463  else
464  {
467  }
468 
469  /*
470  * Increase the number of connection attempts
471  * If this is connect-retry-max * size(l)
472  * OpenVPN will quit
473  */
474 
476 
477  if (++l->current >= l->len)
478  {
479 
480  l->current = 0;
481  if (++n_cycles >= 2)
482  {
483  msg(M_FATAL, "No usable connection profiles are present");
484  }
485  }
486  }
487  }
488 
489  ce = l->array[l->current];
490 
491  if (ce->flags & CE_DISABLED)
492  {
493  ce_defined = false;
494  }
495 
496  c->options.ce = *ce;
497 #ifdef ENABLE_MANAGEMENT
499  {
500  /* allow management interface to override connection entry details */
501  ce_defined = ce_management_query_remote(c);
502  if (IS_SIG(c))
503  {
504  break;
505  }
506  }
507  else if (ce_defined && management && management_query_proxy_enabled(management))
508  {
509  ce_defined = ce_management_query_proxy(c);
510  if (IS_SIG(c))
511  {
512  break;
513  }
514  }
515 #endif
516  } while (!ce_defined);
517 
518  /* Check if this connection attempt would bring us over the limit */
519  if (c->options.connect_retry_max > 0
521  {
522  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
524  }
526 }
527 
528 /*
529  * Query for private key and auth-user-pass username/passwords
530  */
531 void
533 {
534  /* Certificate password input */
535  if (c->options.key_pass_file)
536  {
538  }
539 
540 #if P2MP
541  /* Auth user/pass input */
543  {
544 #ifdef ENABLE_MANAGEMENT
546 #else
548 #endif
549  }
550 #endif
551 }
552 
553 /*
554  * Initialize/Uninitialize HTTP or SOCKS proxy
555  */
556 
557 static void
559 {
560  if (c->c1.http_proxy_owned && c->c1.http_proxy)
561  {
563  c->c1.http_proxy = NULL;
564  c->c1.http_proxy_owned = false;
565  }
566  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
567  {
569  c->c1.socks_proxy = NULL;
570  c->c1.socks_proxy_owned = false;
571  }
572 }
573 
574 static void
576 {
577  bool did_http = false;
578 
580 
582  {
583  /* Possible HTTP proxy user/pass input */
585  if (c->c1.http_proxy)
586  {
587  did_http = true;
588  c->c1.http_proxy_owned = true;
589  }
590  }
591 
592  if (!did_http && c->options.ce.socks_proxy_server)
593  {
597  if (c->c1.socks_proxy)
598  {
599  c->c1.socks_proxy_owned = true;
600  }
601  }
602 }
603 
604 static void
605 init_proxy(struct context *c)
606 {
608 }
609 
610 static void
612 {
614 }
615 
616 /*
617  * Saves the initial state of NCP-regotiable
618  * options into a storage which persists over SIGUSR1.
619  */
620 static void
622 {
624  c->c1.authname = c->options.authname;
625  c->c1.keysize = c->options.keysize;
626 }
627 
628 /* Restores NCP-negotiable options to original values */
629 static void
631 {
633  c->options.authname = c->c1.authname;
634  c->options.keysize = c->c1.keysize;
635 }
636 
637 void
639 {
640  context_clear_1(c);
641 
643 
645 
646  save_ncp_options(c);
647 
648 #if defined(ENABLE_PKCS11)
649  if (c->first_time)
650  {
651  int i;
652  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
653  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
654  {
655  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
656  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
657  }
658  }
659 #endif
660 
661 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
662  {
663  /*
664  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
665  */
666  struct user_pass up;
667  CLEAR(up);
668  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
669  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
670  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
671  * 'needok' command, usually 'ok' or 'cancel'. */
672  }
673 #endif
674 
675 #ifdef ENABLE_SYSTEMD
676  /* We can report the PID via getpid() to systemd here as OpenVPN will not
677  * do any fork due to daemon() a future call.
678  * See possibly_become_daemon() [init.c] for more details.
679  */
680  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
681  (unsigned long) getpid());
682 #endif
683 
684 }
685 
686 void
688 {
689  gc_free(&c->c2.gc);
690  gc_free(&c->options.gc);
691  gc_free(&c->gc);
692 }
693 
694 #if PORT_SHARE
695 
696 static void
697 close_port_share(void)
698 {
699  if (port_share)
700  {
701  port_share_close(port_share);
702  port_share = NULL;
703  }
704 }
705 
706 static void
707 init_port_share(struct context *c)
708 {
709  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
710  {
711  port_share = port_share_open(c->options.port_share_host,
712  c->options.port_share_port,
714  c->options.port_share_journal_dir);
715  if (port_share == NULL)
716  {
717  msg(M_FATAL, "Fatal error: Port sharing failed");
718  }
719  }
720 }
721 
722 #endif /* if PORT_SHARE */
723 
724 
725 bool
727 {
728  /* configure_path (); */
729 
730 #if defined(DMALLOC)
731  crypto_init_dmalloc();
732 #endif
733 
734 
735  /*
736  * Initialize random number seed. random() is only used
737  * when "weak" random numbers are acceptable.
738  * SSL library routines are always used when cryptographically
739  * strong random numbers are required.
740  */
741  struct timeval tv;
742  if (!gettimeofday(&tv, NULL))
743  {
744  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
745  srandom(seed);
746  }
747 
748  error_reset(); /* initialize error.c */
749  reset_check_status(); /* initialize status check code in socket.c */
750 
751 #ifdef _WIN32
752  init_win32();
753 #endif
754 
755 #ifdef OPENVPN_DEBUG_COMMAND_LINE
756  {
757  int i;
758  for (i = 0; i < argc; ++i)
759  {
760  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
761  }
762  }
763 #endif
764 
765  update_time();
766 
767  init_ssl_lib();
768 
769  /* init PRNG used for IV generation */
770  /* When forking, copy this to more places in the code to avoid fork
771  * random-state predictability */
772  prng_init(NULL, 0);
773 
774 #ifdef PID_TEST
775  packet_id_interactive_test(); /* test the sequence number code */
776  return false;
777 #endif
778 
779 #ifdef SCHEDULE_TEST
780  schedule_test();
781  return false;
782 #endif
783 
784 #ifdef LIST_TEST
785  list_test();
786  return false;
787 #endif
788 
789 #ifdef IFCONFIG_POOL_TEST
790  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
791  return false;
792 #endif
793 
794 #ifdef CHARACTER_CLASS_DEBUG
795  character_class_debug();
796  return false;
797 #endif
798 
799 #ifdef EXTRACT_X509_FIELD_TEST
801  return false;
802 #endif
803 
804 #ifdef TIME_TEST
805  time_test();
806  return false;
807 #endif
808 
809 #ifdef TEST_GET_DEFAULT_GATEWAY
810  {
811  struct route_gateway_info rgi;
812  struct route_ipv6_gateway_info rgi6;
813  get_default_gateway(&rgi);
814  get_default_gateway_ipv6(&rgi6, NULL);
815  print_default_gateway(M_INFO, &rgi, &rgi6);
816  return false;
817  }
818 #endif
819 
820 #ifdef GEN_PATH_TEST
821  {
822  struct gc_arena gc = gc_new();
823  const char *fn = gen_path("foo",
824  "bar",
825  &gc);
826  printf("%s\n", fn);
827  gc_free(&gc);
828  }
829  return false;
830 #endif
831 
832 #ifdef STATUS_PRINTF_TEST
833  {
834  struct gc_arena gc = gc_new();
835  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
836  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
837  status_printf(so, "%s", "foo");
838  status_printf(so, "%s", "bar");
839  if (!status_close(so))
840  {
841  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
842  }
843  gc_free(&gc);
844  }
845  return false;
846 #endif
847 
848 #ifdef PRNG_TEST
849  {
850  struct gc_arena gc = gc_new();
851  uint8_t rndbuf[8];
852  int i;
853  prng_init("sha1", 16);
854  /*prng_init (NULL, 0);*/
855  const int factor = 1;
856  for (i = 0; i < factor * 8; ++i)
857  {
858 #if 1
859  prng_bytes(rndbuf, sizeof(rndbuf));
860 #else
861  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
862 #endif
863  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
864  }
865  gc_free(&gc);
866  prng_uninit();
867  return false;
868  }
869 #endif /* ifdef PRNG_TEST */
870 
871 #ifdef BUFFER_LIST_AGGREGATE_TEST
872  /* test buffer_list_aggregate function */
873  {
874  static const char *text[] = {
875  "It was a bright cold day in April, ",
876  "and the clocks were striking ",
877  "thirteen. ",
878  "Winston Smith, ",
879  "his chin nuzzled into his breast in an ",
880  "effort to escape the vile wind, ",
881  "slipped quickly through the glass doors ",
882  "of Victory Mansions, though not quickly ",
883  "enough to prevent a swirl of gritty dust from ",
884  "entering along with him."
885  };
886 
887  int iter, listcap;
888  for (listcap = 0; listcap < 12; ++listcap)
889  {
890  for (iter = 0; iter < 512; ++iter)
891  {
892  struct buffer_list *bl = buffer_list_new(listcap);
893  {
894  int i;
895  for (i = 0; i < SIZE(text); ++i)
896  {
897  buffer_list_push(bl, (unsigned char *)text[i]);
898  }
899  }
900  printf("[cap=%d i=%d] *************************\n", listcap, iter);
901  if (!(iter & 8))
902  {
903  buffer_list_aggregate(bl, iter/2);
904  }
905  if (!(iter & 16))
906  {
907  buffer_list_push(bl, (unsigned char *)"Even more text...");
908  }
909  buffer_list_aggregate(bl, iter);
910  if (!(iter & 1))
911  {
912  buffer_list_push(bl, (unsigned char *)"More text...");
913  }
914  {
915  struct buffer *buf;
916  while ((buf = buffer_list_peek(bl)))
917  {
918  int c;
919  printf("'");
920  while ((c = buf_read_u8(buf)) >= 0)
921  {
922  putchar(c);
923  }
924  printf("'\n");
925  buffer_list_advance(bl, 0);
926  }
927  }
928  buffer_list_free(bl);
929  }
930  }
931  return false;
932  }
933 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
934 
935 #ifdef MSTATS_TEST
936  {
937  int i;
938  mstats_open("/dev/shm/mstats.dat");
939  for (i = 0; i < 30; ++i)
940  {
941  mmap_stats->n_clients += 1;
942  mmap_stats->link_write_bytes += 8;
943  mmap_stats->link_read_bytes += 16;
944  sleep(1);
945  }
946  mstats_close();
947  return false;
948  }
949 #endif
950 
951  return true;
952 }
953 
954 void
956 {
957  free_ssl_lib();
958 
959 #ifdef ENABLE_PKCS11
960  pkcs11_terminate();
961 #endif
962 
963 #if PORT_SHARE
964  close_port_share();
965 #endif
966 
967 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
968  show_tls_performance_stats();
969 #endif
970 }
971 
972 void
973 init_verb_mute(struct context *c, unsigned int flags)
974 {
975  if (flags & IVM_LEVEL_1)
976  {
977  /* set verbosity and mute levels */
981  }
982 
983  /* special D_LOG_RW mode */
984  if (flags & IVM_LEVEL_2)
985  {
987  }
988 }
989 
990 /*
991  * Possibly set --dev based on --dev-node.
992  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
993  * set --dev to tun.
994  */
995 void
997 {
998  if (!options->dev && options->dev_node)
999  {
1000  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1001  options->dev = basename(dev_node);
1002  }
1003 }
1004 
1005 bool
1007 {
1008  /*
1009  * OpenSSL info print mode?
1010  */
1011  if (options->show_ciphers || options->show_digests || options->show_engines
1012  || options->show_tls_ciphers || options->show_curves)
1013  {
1014  if (options->show_ciphers)
1015  {
1017  }
1018  if (options->show_digests)
1019  {
1021  }
1022  if (options->show_engines)
1023  {
1025  }
1026  if (options->show_tls_ciphers)
1027  {
1029  options->cipher_list_tls13,
1030  options->tls_cert_profile);
1031  }
1032  if (options->show_curves)
1033  {
1035  }
1036  return true;
1037  }
1038  return false;
1039 }
1040 
1041 /*
1042  * Static pre-shared key generation mode?
1043  */
1044 bool
1045 do_genkey(const struct options *options)
1046 {
1047  /* should we disable paging? */
1048  if (options->mlock && (options->genkey))
1049  {
1050  platform_mlockall(true);
1051  }
1052 
1053  /*
1054  * We do not want user to use --genkey with --secret. In the transistion
1055  * phase we for secret.
1056  */
1057  if (options->genkey && options->genkey_type != GENKEY_SECRET
1058  && options->shared_secret_file)
1059  {
1060  msg(M_USAGE, "Using --genkey type with --secret filename is "
1061  "not supported. Use --genkey type filename instead.");
1062  }
1063  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1064  {
1065  int nbits_written;
1066  const char *genkey_filename = options->genkey_filename;
1067  if (options->shared_secret_file && options->genkey_filename)
1068  {
1069  msg(M_USAGE, "You must provide a filename to either --genkey "
1070  "or --secret, not both");
1071  }
1072 
1073  /*
1074  * Copy filename from shared_secret_file to genkey_filename to support
1075  * the old --genkey --secret foo.file syntax.
1076  */
1077  if (options->shared_secret_file)
1078  {
1079  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1080  "DEPRECATED. Use --genkey secret filename instead.");
1081  genkey_filename = options->shared_secret_file;
1082  }
1083 
1084  nbits_written = write_key_file(2, genkey_filename);
1085  if (nbits_written < 0)
1086  {
1087  msg(M_FATAL, "Failed to write key file");
1088  }
1089 
1091  "Randomly generated %d bit key written to %s", nbits_written,
1092  options->shared_secret_file);
1093  return true;
1094  }
1095  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1096  {
1098  return true;
1099  }
1100  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1101  {
1102  if (!options->tls_crypt_v2_file)
1103  {
1104  msg(M_USAGE,
1105  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1106  }
1107 
1109  options->genkey_extra_data, options->tls_crypt_v2_file,
1110  options->tls_crypt_v2_inline);
1111  return true;
1112  }
1113  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1114  {
1116  return true;
1117  }
1118  else
1119  {
1120  return false;
1121  }
1122 }
1123 
1124 /*
1125  * Persistent TUN/TAP device management mode?
1126  */
1127 bool
1129 {
1130  if (options->persist_config)
1131  {
1132  /* sanity check on options for --mktun or --rmtun */
1133  notnull(options->dev, "TUN/TAP device (--dev)");
1134  if (options->ce.remote || options->ifconfig_local
1135  || options->ifconfig_remote_netmask
1136  || options->shared_secret_file
1137  || options->tls_server || options->tls_client
1138  )
1139  {
1141  "options --mktun or --rmtun should only be used together with --dev");
1142  }
1143 #ifdef ENABLE_FEATURE_TUN_PERSIST
1144  tuncfg(options->dev, options->dev_type, options->dev_node,
1145  options->persist_mode,
1146  options->username, options->groupname, &options->tuntap_options,
1147  ctx);
1148  if (options->persist_mode && options->lladdr)
1149  {
1150  set_lladdr(options->dev, options->lladdr, NULL);
1151  }
1152  return true;
1153 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1154  msg( M_FATAL|M_OPTERR,
1155  "options --mktun and --rmtun are not available on your operating "
1156  "system. Please check 'man tun' (or 'tap'), whether your system "
1157  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1158  "persistent tunnel interfaces.", options->dev );
1159 #endif
1160  }
1161  return false;
1162 }
1163 
1164 /*
1165  * Should we become a daemon?
1166  * Return true if we did it.
1167  */
1168 bool
1170 {
1171  bool ret = false;
1172 
1173 #ifdef ENABLE_SYSTEMD
1174  /* return without forking if we are running from systemd */
1175  if (sd_notify(0, "READY=0") > 0)
1176  {
1177  return ret;
1178  }
1179 #endif
1180 
1181  if (options->daemon)
1182  {
1183  ASSERT(!options->inetd);
1184  /* Don't chdir immediately, but the end of the init sequence, if needed */
1185  if (daemon(1, options->log) < 0)
1186  {
1187  msg(M_ERR, "daemon() failed or unsupported");
1188  }
1190  if (options->log)
1191  {
1192  set_std_files_to_null(true);
1193  }
1194 
1195  ret = true;
1196  }
1197  return ret;
1198 }
1199 
1200 /*
1201  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1202  */
1203 static void
1204 do_uid_gid_chroot(struct context *c, bool no_delay)
1205 {
1206  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1207  struct context_0 *c0 = c->c0;
1208 
1209  if (c0 && !c0->uid_gid_chroot_set)
1210  {
1211  /* chroot if requested */
1212  if (c->options.chroot_dir)
1213  {
1214  if (no_delay)
1215  {
1217  }
1218  else if (c->first_time)
1219  {
1220  msg(M_INFO, "NOTE: chroot %s", why_not);
1221  }
1222  }
1223 
1224  /* set user and/or group if we want to setuid/setgid */
1225  if (c0->uid_gid_specified)
1226  {
1227  if (no_delay)
1228  {
1231  }
1232  else if (c->first_time)
1233  {
1234  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1235  }
1236  }
1237 
1238 #ifdef ENABLE_MEMSTATS
1239  if (c->first_time && c->options.memstats_fn)
1240  {
1241  mstats_open(c->options.memstats_fn);
1242  }
1243 #endif
1244 
1245 #ifdef ENABLE_SELINUX
1246  /* Apply a SELinux context in order to restrict what OpenVPN can do
1247  * to _only_ what it is supposed to do after initialization is complete
1248  * (basically just network I/O operations). Doing it after chroot
1249  * requires /proc to be mounted in the chroot (which is annoying indeed
1250  * but doing it before requires more complex SELinux policies.
1251  */
1252  if (c->options.selinux_context)
1253  {
1254  if (no_delay)
1255  {
1256  if (-1 == setcon(c->options.selinux_context))
1257  {
1258  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1259  }
1260  else
1261  {
1262  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1263  }
1264  }
1265  else if (c->first_time)
1266  {
1267  msg(M_INFO, "NOTE: setcon %s", why_not);
1268  }
1269  }
1270 #endif
1271 
1272  /* Privileges are going to be dropped by now (if requested), be sure
1273  * to prevent any future privilege dropping attempts from now on.
1274  */
1275  if (no_delay)
1276  {
1277  c0->uid_gid_chroot_set = true;
1278  }
1279  }
1280 }
1281 
1282 /*
1283  * Return common name in a way that is formatted for
1284  * prepending to msg() output.
1285  */
1286 const char *
1287 format_common_name(struct context *c, struct gc_arena *gc)
1288 {
1289  struct buffer out = alloc_buf_gc(256, gc);
1290  if (c->c2.tls_multi)
1291  {
1292  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1293  }
1294  return BSTR(&out);
1295 }
1296 
1297 void
1298 pre_setup(const struct options *options)
1299 {
1300 #ifdef _WIN32
1301  if (options->exit_event_name)
1302  {
1305  options->exit_event_name,
1306  options->exit_event_initial_state);
1307  }
1308  else
1309  {
1312  NULL,
1313  false);
1314 
1315  /* put a title on the top window bar */
1317  {
1319  window_title_generate(options->config);
1320  }
1321  }
1322 #endif /* ifdef _WIN32 */
1323 }
1324 
1325 void
1327 {
1328  c->c2.coarse_timer_wakeup = 0;
1329 }
1330 
1331 /*
1332  * Initialise the server poll timeout timer
1333  * This timer is used in the http/socks proxy setup so it needs to be setup
1334  * before
1335  */
1336 static void
1338 {
1339  update_time();
1340  if (c->options.ce.connect_timeout)
1341  {
1343  }
1344 }
1345 
1346 /*
1347  * Initialize timers
1348  */
1349 static void
1350 do_init_timers(struct context *c, bool deferred)
1351 {
1352  update_time();
1354 
1355  /* initialize inactivity timeout */
1356  if (c->options.inactivity_timeout)
1357  {
1359  }
1360 
1361  /* initialize pings */
1362 
1363  if (c->options.ping_send_timeout)
1364  {
1366  }
1367 
1368  if (c->options.ping_rec_timeout)
1369  {
1371  }
1372 
1373  if (!deferred)
1374  {
1375  /* initialize connection establishment timer */
1377 
1378 #ifdef ENABLE_OCC
1379  /* initialize occ timers */
1380 
1381  if (c->options.occ
1382  && !TLS_MODE(c)
1384  {
1386  }
1387 
1388  if (c->options.mtu_test)
1389  {
1391  }
1392 #endif
1393 
1394  /* initialize packet_id persistence timer */
1395  if (c->options.packet_id_file)
1396  {
1398  }
1399 
1400  /* initialize tmp_int optimization that limits the number of times we call
1401  * tls_multi_process in the main event loop */
1403  }
1404 }
1405 
1406 /*
1407  * Initialize traffic shaper.
1408  */
1409 static void
1411 {
1412 #ifdef ENABLE_FEATURE_SHAPER
1413  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1414  if (c->options.shaper)
1415  {
1416  shaper_init(&c->c2.shaper, c->options.shaper);
1417  shaper_msg(&c->c2.shaper);
1418  }
1419 #endif
1420 }
1421 
1422 /*
1423  * Allocate route list structures for IPv4 and IPv6
1424  * (we do this for IPv4 even if no --route option has been seen, as other
1425  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1426  */
1427 static void
1429 {
1430  if (!c->c1.route_list)
1431  {
1432  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1433  }
1434  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1435  {
1437  }
1438 }
1439 
1440 
1441 /*
1442  * Initialize the route list, resolving any DNS names in route
1443  * options and saving routes in the environment.
1444  */
1445 static void
1447  struct route_list *route_list,
1448  const struct link_socket_info *link_socket_info,
1449  struct env_set *es,
1450  openvpn_net_ctx_t *ctx)
1451 {
1452  const char *gw = NULL;
1453  int dev = dev_type_enum(options->dev, options->dev_type);
1454  int metric = 0;
1455 
1456  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1457  {
1458  gw = options->ifconfig_remote_netmask;
1459  }
1460  if (options->route_default_gateway)
1461  {
1462  gw = options->route_default_gateway;
1463  }
1464  if (options->route_default_metric)
1465  {
1466  metric = options->route_default_metric;
1467  }
1468 
1469  if (init_route_list(route_list,
1470  options->routes,
1471  gw,
1472  metric,
1473  link_socket_current_remote(link_socket_info),
1474  es,
1475  ctx))
1476  {
1477  /* copy routes to environment */
1478  setenv_routes(es, route_list);
1479  }
1480 }
1481 
1482 static void
1485  const struct link_socket_info *link_socket_info,
1486  struct env_set *es,
1487  openvpn_net_ctx_t *ctx)
1488 {
1489  const char *gw = NULL;
1490  int metric = -1; /* no metric set */
1491 
1492  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1493  if (options->route_ipv6_default_gateway)
1494  {
1495  gw = options->route_ipv6_default_gateway;
1496  }
1497 
1498  if (options->route_default_metric)
1499  {
1500  metric = options->route_default_metric;
1501  }
1502 
1503  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1504  */
1505  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1506  {
1507  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1508  int i;
1509 
1510  for (i = 0; opt_list[i]; i++)
1511  {
1513  string_alloc(opt_list[i], options->routes_ipv6->gc),
1514  NULL, NULL );
1515  }
1516  }
1517 
1518  if (init_route_ipv6_list(route_ipv6_list,
1519  options->routes_ipv6,
1520  gw,
1521  metric,
1522  link_socket_current_remote_ipv6(link_socket_info),
1523  es,
1524  ctx))
1525  {
1526  /* copy routes to environment */
1527  setenv_routes_ipv6(es, route_ipv6_list);
1528  }
1529 }
1530 
1531 
1532 /*
1533  * Called after all initialization has been completed.
1534  */
1535 void
1536 initialization_sequence_completed(struct context *c, const unsigned int flags)
1537 {
1538  static const char message[] = "Initialization Sequence Completed";
1539 
1540  /* Reset the unsuccessful connection counter on complete initialisation */
1542 
1543  /* If we delayed UID/GID downgrade or chroot, do it now */
1544  do_uid_gid_chroot(c, true);
1545 
1546 
1547  /*
1548  * In some cases (i.e. when receiving auth-token via
1549  * push-reply) the auth-nocache option configured on the
1550  * client is overridden; for this reason we have to wait
1551  * for the push-reply message before attempting to wipe
1552  * the user/pass entered by the user
1553  */
1554  if (c->options.mode == MODE_POINT_TO_POINT)
1555  {
1557  }
1558 
1559  /* Test if errors */
1560  if (flags & ISC_ERRORS)
1561  {
1562 #ifdef _WIN32
1565  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1566 #else
1567 #ifdef ENABLE_SYSTEMD
1568  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1569 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1570  msg(M_INFO, "%s With Errors", message);
1571 #endif
1572  }
1573  else
1574  {
1575 #ifdef ENABLE_SYSTEMD
1576  sd_notifyf(0, "STATUS=%s", message);
1577 #endif
1578  msg(M_INFO, "%s", message);
1579  }
1580 
1581  /* Flag that we initialized */
1582  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1583  {
1584  c->options.no_advance = true;
1585  }
1586 
1587 #ifdef _WIN32
1589 #endif
1590 
1591 #ifdef ENABLE_MANAGEMENT
1592  /* Tell management interface that we initialized */
1593  if (management)
1594  {
1595  in_addr_t *tun_local = NULL;
1596  struct in6_addr *tun_local6 = NULL;
1597  struct openvpn_sockaddr local, remote;
1598  struct link_socket_actual *actual;
1599  socklen_t sa_len = sizeof(local);
1600  const char *detail = "SUCCESS";
1601  if (flags & ISC_ERRORS)
1602  {
1603  detail = "ERROR";
1604  }
1605 
1606  CLEAR(local);
1607  actual = &get_link_socket_info(c)->lsa->actual;
1608  remote = actual->dest;
1609  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1610 #if ENABLE_IP_PKTINFO
1611  if (!addr_defined(&local))
1612  {
1613  switch (local.addr.sa.sa_family)
1614  {
1615  case AF_INET:
1616 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1617  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1618 #else
1619  local.addr.in4.sin_addr = actual->pi.in4;
1620 #endif
1621  break;
1622 
1623  case AF_INET6:
1624  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1625  break;
1626  }
1627  }
1628 #endif
1629 
1630  if (c->c1.tuntap)
1631  {
1632  tun_local = &c->c1.tuntap->local;
1633  tun_local6 = &c->c1.tuntap->local_ipv6;
1634  }
1637  detail,
1638  tun_local,
1639  tun_local6,
1640  &local,
1641  &remote);
1642  if (tun_local)
1643  {
1645  }
1646  }
1647 #endif /* ifdef ENABLE_MANAGEMENT */
1648 }
1649 
1650 /*
1651  * Possibly add routes and/or call route-up script
1652  * based on options.
1653  */
1654 void
1655 do_route(const struct options *options,
1656  struct route_list *route_list,
1658  const struct tuntap *tt,
1659  const struct plugin_list *plugins,
1660  struct env_set *es,
1661  openvpn_net_ctx_t *ctx)
1662 {
1663  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1664  {
1665  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1666  es, ctx);
1667  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1668  }
1669 #ifdef ENABLE_MANAGEMENT
1670  if (management)
1671  {
1672  management_up_down(management, "UP", es);
1673  }
1674 #endif
1675 
1677  {
1678  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1679  {
1680  msg(M_WARN, "WARNING: route-up plugin call failed");
1681  }
1682  }
1683 
1684  if (options->route_script)
1685  {
1686  struct argv argv = argv_new();
1687  setenv_str(es, "script_type", "route-up");
1688  argv_parse_cmd(&argv, options->route_script);
1689  openvpn_run_script(&argv, es, 0, "--route-up");
1690  argv_free(&argv);
1691  }
1692 
1693 #ifdef _WIN32
1694  if (options->show_net_up)
1695  {
1698  }
1699  else if (check_debug_level(D_SHOW_NET))
1700  {
1703  }
1704 #endif
1705 }
1706 
1707 /*
1708  * initialize tun/tap device object
1709  */
1710 static void
1712 {
1713  c->c1.tuntap = init_tun(c->options.dev,
1714  c->options.dev_type,
1715  c->options.topology,
1724  c->c2.es,
1725  &c->net_ctx);
1726 
1727 #ifdef _WIN32
1729 #endif
1730 
1731  init_tun_post(c->c1.tuntap,
1732  &c->c2.frame,
1733  &c->options.tuntap_options);
1734 
1735  c->c1.tuntap_owned = true;
1736 }
1737 
1738 /*
1739  * Open tun/tap device, ifconfig, call up script, etc.
1740  */
1741 
1742 static bool
1744 {
1745  struct gc_arena gc = gc_new();
1746  bool ret = false;
1747 
1748 #ifndef TARGET_ANDROID
1749  if (!c->c1.tuntap)
1750  {
1751 #endif
1752 
1753 #ifdef TARGET_ANDROID
1754  /* If we emulate persist-tun on android we still have to open a new tun and
1755  * then close the old */
1756  int oldtunfd = -1;
1757  if (c->c1.tuntap)
1758  {
1759  oldtunfd = c->c1.tuntap->fd;
1760  free(c->c1.tuntap);
1761  c->c1.tuntap = NULL;
1762  c->c1.tuntap_owned = false;
1763  }
1764 #endif
1765 
1766  /* initialize (but do not open) tun/tap object */
1767  do_init_tun(c);
1768 
1769 #ifdef _WIN32
1770  /* store (hide) interactive service handle in tuntap_options */
1772  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1773 #endif
1774 
1775  /* allocate route list structure */
1777 
1778  /* parse and resolve the route option list */
1779  ASSERT(c->c2.link_socket);
1780  if (c->options.routes && c->c1.route_list)
1781  {
1783  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1784  }
1785  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1786  {
1788  &c->c2.link_socket->info, c->c2.es,
1789  &c->net_ctx);
1790  }
1791 
1792  /* do ifconfig */
1793  if (!c->options.ifconfig_noexec
1795  {
1796  /* guess actual tun/tap unit number that will be returned
1797  * by open_tun */
1798  const char *guess = guess_tuntap_dev(c->options.dev,
1799  c->options.dev_type,
1800  c->options.dev_node,
1801  &gc);
1802  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1803  &c->net_ctx);
1804  }
1805 
1806  /* possibly add routes */
1807  if (route_order() == ROUTE_BEFORE_TUN)
1808  {
1809  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1811  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1812  }
1813 #ifdef TARGET_ANDROID
1814  /* Store the old fd inside the fd so open_tun can use it */
1815  c->c1.tuntap->fd = oldtunfd;
1816 #endif
1817  /* open the tun device */
1819  c->c1.tuntap);
1820 
1821  /* set the hardware address */
1822  if (c->options.lladdr)
1823  {
1825  }
1826 
1827  /* do ifconfig */
1828  if (!c->options.ifconfig_noexec
1830  {
1832  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1833  }
1834 
1835  /* run the up script */
1837  c->plugins,
1839  c->c1.tuntap->actual_name,
1840 #ifdef _WIN32
1841  c->c1.tuntap->adapter_index,
1842 #endif
1844  TUN_MTU_SIZE(&c->c2.frame),
1845  EXPANDED_SIZE(&c->c2.frame),
1848  "init",
1849  NULL,
1850  "up",
1851  c->c2.es);
1852 
1853 #if defined(_WIN32)
1854  if (c->options.block_outside_dns)
1855  {
1856  dmsg(D_LOW, "Blocking outside DNS");
1858  {
1859  msg(M_FATAL, "Blocking DNS failed!");
1860  }
1861  }
1862 #endif
1863 
1864  /* possibly add routes */
1866  {
1868  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1869  }
1870 
1871  /*
1872  * Did tun/tap driver give us an MTU?
1873  */
1874  if (c->c1.tuntap->post_open_mtu)
1875  {
1877  c->c1.tuntap->post_open_mtu,
1879  }
1880 
1881  ret = true;
1882  static_context = c;
1883 #ifndef TARGET_ANDROID
1884 }
1885 else
1886 {
1887  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1888  c->c1.tuntap->actual_name);
1889 
1890  /* explicitly set the ifconfig_* env vars */
1891  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1892 
1893  /* run the up script if user specified --up-restart */
1894  if (c->options.up_restart)
1895  {
1897  c->plugins,
1899  c->c1.tuntap->actual_name,
1900 #ifdef _WIN32
1901  c->c1.tuntap->adapter_index,
1902 #endif
1904  TUN_MTU_SIZE(&c->c2.frame),
1905  EXPANDED_SIZE(&c->c2.frame),
1908  "restart",
1909  NULL,
1910  "up",
1911  c->c2.es);
1912  }
1913 #if defined(_WIN32)
1914  if (c->options.block_outside_dns)
1915  {
1916  dmsg(D_LOW, "Blocking outside DNS");
1918  {
1919  msg(M_FATAL, "Blocking DNS failed!");
1920  }
1921  }
1922 #endif
1923 
1924 }
1925 #endif /* ifndef TARGET_ANDROID */
1926  gc_free(&gc);
1927  return ret;
1928 }
1929 
1930 /*
1931  * Close TUN/TAP device
1932  */
1933 
1934 static void
1936 {
1937  msg(D_CLOSE, "Closing TUN/TAP interface");
1938  if (c->c1.tuntap)
1939  {
1940  close_tun(c->c1.tuntap, &c->net_ctx);
1941  c->c1.tuntap = NULL;
1942  }
1943  c->c1.tuntap_owned = false;
1944 #if P2MP
1946 #endif
1947 }
1948 
1949 static void
1950 do_close_tun(struct context *c, bool force)
1951 {
1952  struct gc_arena gc = gc_new();
1953  if (c->c1.tuntap && c->c1.tuntap_owned)
1954  {
1955  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1956 #ifdef _WIN32
1957  DWORD adapter_index = c->c1.tuntap->adapter_index;
1958 #endif
1959  const in_addr_t local = c->c1.tuntap->local;
1960  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1961 
1962  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1963  {
1964  static_context = NULL;
1965 
1966 #ifdef ENABLE_MANAGEMENT
1967  /* tell management layer we are about to close the TUN/TAP device */
1968  if (management)
1969  {
1971  management_up_down(management, "DOWN", c->c2.es);
1972  }
1973 #endif
1974 
1975  /* delete any routes we added */
1976  if (c->c1.route_list || c->c1.route_ipv6_list)
1977  {
1979  c->plugins,
1981  tuntap_actual,
1982 #ifdef _WIN32
1983  adapter_index,
1984 #endif
1985  NULL,
1986  TUN_MTU_SIZE(&c->c2.frame),
1987  EXPANDED_SIZE(&c->c2.frame),
1988  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1989  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1990  "init",
1992  c->sig->signal_text),
1993  "route-pre-down",
1994  c->c2.es);
1995 
1998  c->c2.es, &c->net_ctx);
1999  }
2000 
2001  /* actually close tun/tap device based on --down-pre flag */
2002  if (!c->options.down_pre)
2003  {
2005  }
2006 
2007  /* Run the down script -- note that it will run at reduced
2008  * privilege if, for example, "--user nobody" was used. */
2010  c->plugins,
2012  tuntap_actual,
2013 #ifdef _WIN32
2014  adapter_index,
2015 #endif
2016  NULL,
2017  TUN_MTU_SIZE(&c->c2.frame),
2018  EXPANDED_SIZE(&c->c2.frame),
2019  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2020  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2021  "init",
2023  c->sig->signal_text),
2024  "down",
2025  c->c2.es);
2026 
2027 #if defined(_WIN32)
2028  if (c->options.block_outside_dns)
2029  {
2030  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2031  {
2032  msg(M_FATAL, "Uninitialising WFP failed!");
2033  }
2034  }
2035 #endif
2036 
2037  /* actually close tun/tap device based on --down-pre flag */
2038  if (c->options.down_pre)
2039  {
2041  }
2042  }
2043  else
2044  {
2045  /* run the down script on this restart if --up-restart was specified */
2046  if (c->options.up_restart)
2047  {
2049  c->plugins,
2051  tuntap_actual,
2052 #ifdef _WIN32
2053  adapter_index,
2054 #endif
2055  NULL,
2056  TUN_MTU_SIZE(&c->c2.frame),
2057  EXPANDED_SIZE(&c->c2.frame),
2058  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2059  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2060  "restart",
2062  c->sig->signal_text),
2063  "down",
2064  c->c2.es);
2065  }
2066 
2067 #if defined(_WIN32)
2068  if (c->options.block_outside_dns)
2069  {
2070  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2071  {
2072  msg(M_FATAL, "Uninitialising WFP failed!");
2073  }
2074  }
2075 #endif
2076 
2077  }
2078  }
2079  gc_free(&gc);
2080 }
2081 
2082 void
2084 {
2085  struct context *c = static_context;
2086  if (c)
2087  {
2088  static_context = NULL;
2089  do_close_tun(c, true);
2090  }
2091 }
2092 
2093 /*
2094  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2095  */
2096 
2097 #if P2MP
2098 
2102 static bool
2104  const struct sha256_digest *b)
2105 {
2106  const struct sha256_digest zero = {{0}};
2107  return memcmp(a, b, sizeof(struct sha256_digest))
2108  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2109 }
2110 #endif /* P2MP */
2111 
2112 bool
2113 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2114 {
2115  if (!c->c2.do_up_ran)
2116  {
2118 
2119  if (pulled_options)
2120  {
2121  if (!do_deferred_options(c, option_types_found))
2122  {
2123  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2124  return false;
2125  }
2126  }
2127 
2128  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2129  if (c->options.up_delay || PULL_DEFINED(&c->options))
2130  {
2131  c->c2.did_open_tun = do_open_tun(c);
2132  update_time();
2133 
2134 #if P2MP
2135  /*
2136  * Was tun interface object persisted from previous restart iteration,
2137  * and if so did pulled options string change from previous iteration?
2138  */
2139  if (!c->c2.did_open_tun
2140  && PULL_DEFINED(&c->options)
2141  && c->c1.tuntap
2144  {
2145  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2146  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2147  do_close_tun(c, true);
2148  management_sleep(1);
2149  c->c2.did_open_tun = do_open_tun(c);
2150  update_time();
2151  }
2152 #endif
2153  }
2154 
2155  if (c->c2.did_open_tun)
2156  {
2157 #if P2MP
2159 #endif
2160 
2161  /* if --route-delay was specified, start timer */
2163  {
2166  if (c->c1.tuntap)
2167  {
2169  }
2170  }
2171  else
2172  {
2173  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2174  }
2175  }
2176  else if (c->options.mode == MODE_POINT_TO_POINT)
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2179  }
2180 
2181  c->c2.do_up_ran = true;
2182  }
2183  return true;
2184 }
2185 
2186 /*
2187  * These are the option categories which will be accepted by pull.
2188  */
2189 unsigned int
2191 {
2192  unsigned int flags =
2193  OPT_P_UP
2195  | OPT_P_SOCKBUF
2196  | OPT_P_SOCKFLAGS
2197  | OPT_P_SETENV
2198  | OPT_P_SHAPER
2199  | OPT_P_TIMER
2200  | OPT_P_COMP
2201  | OPT_P_PERSIST
2202  | OPT_P_MESSAGES
2204  | OPT_P_ECHO
2205  | OPT_P_PULL_MODE
2206  | OPT_P_PEER_ID;
2207 
2208  if (!c->options.route_nopull)
2209  {
2210  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2211  }
2212 
2213  if (c->options.ncp_enabled)
2214  {
2215  flags |= OPT_P_NCP;
2216  }
2217 
2218  return flags;
2219 }
2220 
2221 /*
2222  * Handle non-tun-related pulled options.
2223  */
2224 bool
2225 do_deferred_options(struct context *c, const unsigned int found)
2226 {
2227  if (found & OPT_P_MESSAGES)
2228  {
2230  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2231  }
2232  if (found & OPT_P_TIMER)
2233  {
2234  do_init_timers(c, true);
2235  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2236  }
2237 
2238 #ifdef ENABLE_OCC
2239  if (found & OPT_P_EXPLICIT_NOTIFY)
2240  {
2242  {
2243  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2245  }
2246  else
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2249  }
2250  }
2251 #endif
2252 
2253 #ifdef USE_COMP
2254  if (found & OPT_P_COMP)
2255  {
2256  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2257  comp_uninit(c->c2.comp_context);
2258  c->c2.comp_context = comp_init(&c->options.comp);
2259  }
2260 #endif
2261 
2262  if (found & OPT_P_SHAPER)
2263  {
2264  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2266  }
2267 
2268  if (found & OPT_P_SOCKBUF)
2269  {
2270  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2272  }
2273 
2274  if (found & OPT_P_SOCKFLAGS)
2275  {
2276  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2278  }
2279 
2280  if (found & OPT_P_PERSIST)
2281  {
2282  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2283  }
2284  if (found & OPT_P_UP)
2285  {
2286  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2287  }
2288  if (found & OPT_P_ROUTE)
2289  {
2290  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2291  }
2292  if (found & OPT_P_ROUTE_EXTRAS)
2293  {
2294  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2295  }
2296  if (found & OPT_P_IPWIN32)
2297  {
2298  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2299  }
2300  if (found & OPT_P_SETENV)
2301  {
2302  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2303  }
2304 
2305  if (found & OPT_P_PEER_ID)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2308  c->c2.tls_multi->use_peer_id = true;
2309  c->c2.tls_multi->peer_id = c->options.peer_id;
2310  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2311  if (!c->options.ce.link_mtu_defined)
2312  {
2313  frame_add_to_link_mtu(&c->c2.frame, +3);
2314  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2315  EXPANDED_SIZE(&c->c2.frame));
2316  }
2317  else
2318  {
2319  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2320  " fixed by config - reducing tun-mtu to %d, expect"
2321  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2322  }
2323  }
2324 
2325  /* process (potentially pushed) crypto options */
2326  if (c->options.pull)
2327  {
2328  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2329  if (found & OPT_P_NCP)
2330  {
2331  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2332  }
2333  else if (c->options.ncp_enabled)
2334  {
2336  }
2337  struct frame *frame_fragment = NULL;
2338 #ifdef ENABLE_FRAGMENT
2339  if (c->options.ce.fragment)
2340  {
2341  frame_fragment = &c->c2.frame_fragment;
2342  }
2343 #endif
2344 
2345  /* Do not regenerate keys if server sends an extra push reply */
2347  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2348  frame_fragment))
2349  {
2350  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2351  return false;
2352  }
2353  }
2354 
2355  return true;
2356 }
2357 
2358 /*
2359  * Possible hold on initialization, holdtime is the
2360  * time OpenVPN would wait without management
2361  */
2362 static bool
2363 do_hold(int holdtime)
2364 {
2365 #ifdef ENABLE_MANAGEMENT
2366  if (management)
2367  {
2368  /* block until management hold is released */
2369  if (management_hold(management, holdtime))
2370  {
2371  return true;
2372  }
2373  }
2374 #endif
2375  return false;
2376 }
2377 
2378 /*
2379  * Sleep before restart.
2380  */
2381 static void
2383 {
2384  int sec = 2;
2385  int backoff = 0;
2386 
2387  switch (c->options.ce.proto)
2388  {
2389  case PROTO_TCP_SERVER:
2390  sec = 1;
2391  break;
2392 
2393  case PROTO_UDP:
2394  case PROTO_TCP_CLIENT:
2395  sec = c->options.ce.connect_retry_seconds;
2396  break;
2397  }
2398 
2399 #ifdef ENABLE_DEBUG
2400  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2401  {
2402  sec = 0;
2403  }
2404 #endif
2405 
2406 #if P2MP
2407  if (auth_retry_get() == AR_NOINTERACT)
2408  {
2409  sec = 10;
2410  }
2411 #endif
2412 
2413  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2414  if (c->options.ce.proto != PROTO_TCP_SERVER)
2415  {
2416  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2417  if (backoff > 0)
2418  {
2419  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2420  sec = max_int(sec, 1) << min_int(backoff, 15);
2421  }
2422 
2423  if (sec > c->options.ce.connect_retry_seconds_max)
2424  {
2426  }
2427  }
2428 
2430  {
2431  sec = c->persist.restart_sleep_seconds;
2432  }
2433  else if (c->persist.restart_sleep_seconds == -1)
2434  {
2435  sec = 0;
2436  }
2438 
2439  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2440  if (do_hold(sec))
2441  {
2442  sec = 0;
2443  }
2444 
2445  if (sec)
2446  {
2447  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2448  management_sleep(sec);
2449  }
2450 }
2451 
2452 /*
2453  * Do a possible pause on context_2 initialization.
2454  */
2455 static void
2457 {
2458  if (!c->first_time)
2459  {
2461  }
2462  else
2463  {
2464  do_hold(0); /* do management hold on first context initialization */
2465  }
2466 }
2467 
2468 /*
2469  * Finalize MTU parameters based on command line or config file options.
2470  */
2471 static void
2472 frame_finalize_options(struct context *c, const struct options *o)
2473 {
2474  if (!o)
2475  {
2476  o = &c->options;
2477  }
2478 
2479  /*
2480  * Set adjustment factor for buffer alignment when no
2481  * cipher is used.
2482  */
2483  if (!CIPHER_ENABLED(c))
2484  {
2490  }
2491 
2493  frame_finalize(&c->c2.frame,
2494  o->ce.link_mtu_defined,
2495  o->ce.link_mtu,
2496  o->ce.tun_mtu_defined,
2497  o->ce.tun_mtu);
2498 }
2499 
2500 /*
2501  * Free a key schedule, including OpenSSL components.
2502  */
2503 static void
2504 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2505 {
2507  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2508  {
2509  tls_ctx_free(&ks->ssl_ctx);
2511  }
2512  CLEAR(*ks);
2513 }
2514 
2515 static void
2516 init_crypto_pre(struct context *c, const unsigned int flags)
2517 {
2518  if (c->options.engine)
2519  {
2521  }
2522 
2523  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2524  {
2525  /* load a persisted packet-id for cross-session replay-protection */
2526  if (c->options.packet_id_file)
2527  {
2529  }
2530  }
2531 
2532 #ifdef ENABLE_PREDICTION_RESISTANCE
2533  if (c->options.use_prediction_resistance)
2534  {
2535  rand_ctx_enable_prediction_resistance();
2536  }
2537 #endif
2538 }
2539 
2540 /*
2541  * Static Key Mode (using a pre-shared key)
2542  */
2543 static void
2544 do_init_crypto_static(struct context *c, const unsigned int flags)
2545 {
2546  const struct options *options = &c->options;
2547  ASSERT(options->shared_secret_file);
2548 
2549  init_crypto_pre(c, flags);
2550 
2551  /* Initialize flags */
2553  {
2555  }
2556 
2557  /* Initialize packet ID tracking */
2558  if (options->replay)
2559  {
2561  options->replay_window,
2562  options->replay_time,
2563  "STATIC", 0);
2568  }
2569 
2570  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2571  {
2572  /* Get cipher & hash algorithms */
2573  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2574  options->keysize, options->test_crypto, true);
2575 
2576  /* Read cipher and hmac keys from shared secret file */
2578  options->shared_secret_file,
2579  options->shared_secret_file_inline,
2580  options->key_direction, "Static Key Encryption",
2581  "secret");
2582  }
2583  else
2584  {
2585  msg(M_INFO, "Re-using pre-shared static key");
2586  }
2587 
2588  /* Get key schedule */
2590 
2591  /* Compute MTU parameters */
2593  options->replay, true);
2594 
2595  /* Sanity check on sequence number, and cipher mode options */
2596  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2597 }
2598 
2599 /*
2600  * Initialize the tls-auth/crypt key context
2601  */
2602 static void
2604 {
2605  const struct options *options = &c->options;
2606 
2607  /* TLS handshake authentication (--tls-auth) */
2608  if (options->ce.tls_auth_file)
2609  {
2610  /* Initialize key_type for tls-auth with auth only */
2612  if (!streq(options->authname, "none"))
2613  {
2617  }
2618  else
2619  {
2620  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2621  "algorithm specified ('%s')", options->authname);
2622  }
2623 
2625  &c->c1.ks.tls_wrap_key,
2626  options->ce.tls_auth_file,
2627  options->ce.tls_auth_file_inline,
2628  options->ce.key_direction,
2629  "Control Channel Authentication", "tls-auth");
2630  }
2631 
2632  /* TLS handshake encryption+authentication (--tls-crypt) */
2633  if (options->ce.tls_crypt_file)
2634  {
2636  options->ce.tls_crypt_file,
2637  options->ce.tls_crypt_inline, options->tls_server);
2638  }
2639 
2640  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2641  if (options->ce.tls_crypt_v2_file)
2642  {
2643  if (options->tls_server)
2644  {
2646  true, options->ce.tls_crypt_v2_file,
2647  options->ce.tls_crypt_v2_inline);
2648  }
2649  else
2650  {
2652  &c->c1.ks.tls_crypt_v2_wkc,
2653  options->ce.tls_crypt_v2_file,
2654  options->ce.tls_crypt_v2_inline);
2655  }
2656  }
2657 
2658 
2659 }
2660 
2661 #if P2MP_SERVER
2662 /*
2663  * Initialise the auth-token key context
2664  */
2665 static void
2667 {
2668  if (!c->options.auth_token_generate)
2669  {
2670  return;
2671  }
2672 
2676 }
2677 #endif
2678 
2679 /*
2680  * Initialize the persistent component of OpenVPN's TLS mode,
2681  * which is preserved across SIGUSR1 resets.
2682  */
2683 static void
2685 {
2686  const struct options *options = &c->options;
2687 
2688  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2689  {
2690  /*
2691  * Initialize the OpenSSL library's global
2692  * SSL context.
2693  */
2694  init_ssl(options, &(c->c1.ks.ssl_ctx));
2695  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2696  {
2697 #if P2MP
2698  switch (auth_retry_get())
2699  {
2700  case AR_NONE:
2701  msg(M_FATAL, "Error: private key password verification failed");
2702  break;
2703 
2704  case AR_INTERACT:
2705  ssl_purge_auth(false);
2706 
2707  case AR_NOINTERACT:
2708  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2709  break;
2710 
2711  default:
2712  ASSERT(0);
2713  }
2714  c->sig->signal_text = "private-key-password-failure";
2715  return;
2716 #else /* if P2MP */
2717  msg(M_FATAL, "Error: private key password verification failed");
2718 #endif /* if P2MP */
2719  }
2720 
2721  /* Get cipher & hash algorithms */
2722  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2723  options->keysize, true, true);
2724 
2725  /* Initialize PRNG with config-specified digest */
2726  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2727 
2728  /* initialize tls-auth/crypt/crypt-v2 key */
2730 
2731 #if P2MP_SERVER
2732  /* initialise auth-token crypto support */
2734 #endif
2735 
2736 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2737  if (options->priv_key_file_inline)
2738  {
2740  c->options.priv_key_file_inline = NULL;
2741  }
2742 #endif
2743  }
2744  else
2745  {
2746  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2747 
2748  /*
2749  * tls-auth/crypt key can be configured per connection block, therefore
2750  * we must reload it as it may have changed
2751  */
2753  }
2754 }
2755 
2756 static void
2757 do_init_crypto_tls(struct context *c, const unsigned int flags)
2758 {
2759  const struct options *options = &c->options;
2760  struct tls_options to;
2761  bool packet_id_long_form;
2762 
2763  ASSERT(options->tls_server || options->tls_client);
2764  ASSERT(!options->test_crypto);
2765 
2766  init_crypto_pre(c, flags);
2767 
2768  /* Make sure we are either a TLS client or server but not both */
2769  ASSERT(options->tls_server == !options->tls_client);
2770 
2771  /* initialize persistent component */
2773  if (IS_SIG(c))
2774  {
2775  return;
2776  }
2777 
2778  /* Sanity check on sequence number, and cipher mode options */
2779  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2780 
2781  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2782  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2783 
2784  /* Compute MTU parameters (postpone if we push/pull options) */
2785  if (c->options.pull || c->options.mode == MODE_SERVER)
2786  {
2787  /* Account for worst-case crypto overhead before allocating buffers */
2789  }
2790  else
2791  {
2793  options->replay, packet_id_long_form);
2794  }
2796 
2797  /* Set all command-line TLS-related options */
2798  CLEAR(to);
2799 
2800  if (options->mute_replay_warnings)
2801  {
2803  }
2804 
2806  if (packet_id_long_form)
2807  {
2809  }
2810 
2811  to.ssl_ctx = c->c1.ks.ssl_ctx;
2812  to.key_type = c->c1.ks.key_type;
2813  to.server = options->tls_server;
2814  to.key_method = options->key_method;
2815  to.replay = options->replay;
2816  to.replay_window = options->replay_window;
2817  to.replay_time = options->replay_time;
2820  to.config_ncp_ciphers = options->ncp_ciphers;
2821  to.ncp_enabled = options->ncp_enabled;
2822  to.transition_window = options->transition_window;
2823  to.handshake_window = options->handshake_window;
2824  to.packet_timeout = options->tls_timeout;
2825  to.renegotiate_bytes = options->renegotiate_bytes;
2827  if (options->renegotiate_seconds_min < 0)
2828  {
2829  /* Add 10% jitter to reneg-sec by default (server side only) */
2830  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2831  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2832  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2833  }
2834  else
2835  {
2836  /* Add user-specified jitter to reneg-sec */
2838  -(get_random() % max_int(options->renegotiate_seconds
2839  - options->renegotiate_seconds_min, 1));
2840  }
2841  to.single_session = options->single_session;
2842  to.mode = options->mode;
2843  to.pull = options->pull;
2844  if (options->push_peer_info) /* all there is */
2845  {
2846  to.push_peer_info_detail = 2;
2847  }
2848  else if (options->pull) /* pull clients send some details */
2849  {
2850  to.push_peer_info_detail = 1;
2851  }
2852  else /* default: no peer-info at all */
2853  {
2854  to.push_peer_info_detail = 0;
2855  }
2856 
2857  /* should we not xmit any packets until we get an initial
2858  * response from client? */
2859  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2860  {
2861  to.xmit_hold = true;
2862  }
2863 
2864 #ifdef ENABLE_OCC
2865  to.disable_occ = !options->occ;
2866 #endif
2867 
2868  to.verify_command = options->tls_verify;
2869  to.verify_export_cert = options->tls_export_cert;
2870  to.verify_x509_type = (options->verify_x509_type & 0xff);
2871  to.verify_x509_name = options->verify_x509_name;
2872  to.crl_file = options->crl_file;
2873  to.crl_file_inline = options->crl_file_inline;
2874  to.ssl_flags = options->ssl_flags;
2875  to.ns_cert_type = options->ns_cert_type;
2876  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2877  to.remote_cert_eku = options->remote_cert_eku;
2878  to.verify_hash = options->verify_hash;
2879  to.verify_hash_algo = options->verify_hash_algo;
2880 #ifdef ENABLE_X509ALTUSERNAME
2881  to.x509_username_field = (char *) options->x509_username_field;
2882 #else
2884 #endif
2885  to.es = c->c2.es;
2886  to.net_ctx = &c->net_ctx;
2887 
2888 #ifdef ENABLE_DEBUG
2889  to.gremlin = c->options.gremlin;
2890 #endif
2891 
2892  to.plugins = c->plugins;
2893 
2894 #ifdef MANAGEMENT_DEF_AUTH
2895  to.mda_context = &c->c2.mda_context;
2896 #endif
2897 
2898 #if P2MP_SERVER
2901  to.tmp_dir = options->tmp_dir;
2902  if (options->ccd_exclusive)
2903  {
2905  }
2911 #endif
2912 
2913  to.x509_track = options->x509_track;
2914 
2915 #if P2MP
2916 #ifdef ENABLE_MANAGEMENT
2917  to.sci = &options->sc_info;
2918 #endif
2919 #endif
2920 
2921 #ifdef USE_COMP
2922  to.comp_options = options->comp;
2923 #endif
2924 
2925 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2926  if (options->keying_material_exporter_label)
2927  {
2928  to.ekm_size = options->keying_material_exporter_length;
2929  if (to.ekm_size < 16 || to.ekm_size > 4095)
2930  {
2931  to.ekm_size = 0;
2932  }
2933 
2934  to.ekm_label = options->keying_material_exporter_label;
2935  to.ekm_label_size = strlen(to.ekm_label);
2936  }
2937  else
2938  {
2939  to.ekm_size = 0;
2940  }
2941 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2942 
2943  /* TLS handshake authentication (--tls-auth) */
2944  if (options->ce.tls_auth_file)
2945  {
2946  to.tls_wrap.mode = TLS_WRAP_AUTH;
2951  true, true);
2952  }
2953 
2954  /* TLS handshake encryption (--tls-crypt) */
2955  if (options->ce.tls_crypt_file
2956  || (options->ce.tls_crypt_v2_file && options->tls_client))
2957  {
2958  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2963 
2964  if (options->ce.tls_crypt_v2_file)
2965  {
2967  }
2968  }
2969 
2970  if (options->ce.tls_crypt_v2_file)
2971  {
2972  to.tls_crypt_v2 = true;
2973  if (options->tls_server)
2974  {
2977  }
2978  }
2979 
2980  /* If we are running over TCP, allow for
2981  * length prefix */
2983 
2984  /*
2985  * Initialize OpenVPN's master TLS-mode object.
2986  */
2987  if (flags & CF_INIT_TLS_MULTI)
2988  {
2989  c->c2.tls_multi = tls_multi_init(&to);
2990  }
2991 
2992  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2993  {
2995  }
2996 }
2997 
2998 static void
3000 {
3001  if (c->c2.tls_multi)
3002  {
3005  EXPANDED_SIZE(&c->c2.frame));
3007  "Control Channel MTU parms");
3008  }
3009  if (c->c2.tls_auth_standalone)
3010  {
3013  "TLS-Auth MTU parms");
3014  }
3015 }
3016 
3017 /*
3018  * No encryption or authentication.
3019  */
3020 static void
3022 {
3023  ASSERT(!c->options.test_crypto);
3024  msg(M_WARN,
3025  "******* WARNING *******: All encryption and authentication features "
3026  "disabled -- All data will be tunnelled as clear text and will not be "
3027  "protected against man-in-the-middle changes. "
3028  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3029 }
3030 
3031 static void
3032 do_init_crypto(struct context *c, const unsigned int flags)
3033 {
3034  if (c->options.shared_secret_file)
3035  {
3036  do_init_crypto_static(c, flags);
3037  }
3038  else if (c->options.tls_server || c->options.tls_client)
3039  {
3040  do_init_crypto_tls(c, flags);
3041  }
3042  else /* no encryption or authentication. */
3043  {
3045  }
3046 }
3047 
3048 static void
3050 {
3051 #ifdef USE_COMP
3052  /*
3053  * modify frame parameters if compression is enabled
3054  */
3055  if (comp_enabled(&c->options.comp))
3056  {
3057  comp_add_to_extra_frame(&c->c2.frame);
3058 
3059 #if !defined(ENABLE_LZ4)
3060  /*
3061  * Compression usage affects buffer alignment when non-swapped algs
3062  * such as LZO is used.
3063  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3064  * any special alignment because of the control-byte swap approach.
3065  * LZO alignment (on the other hand) is problematic because
3066  * the presence of the control byte means that either the output of
3067  * decryption must be written to an unaligned buffer, or the input
3068  * to compression (or packet dispatch if packet is uncompressed)
3069  * must be read from an unaligned buffer.
3070  * This code tries to align the input to compression (or packet
3071  * dispatch if packet is uncompressed) at the cost of requiring
3072  * decryption output to be written to an unaligned buffer, so
3073  * it's more of a tradeoff than an optimal solution and we don't
3074  * include it when we are doing a modern build with LZ4.
3075  * Strictly speaking, on the server it would be better to execute
3076  * this code for every connection after we decide the compression
3077  * method, but currently the frame code doesn't appear to be
3078  * flexible enough for this, since the frame is already established
3079  * before it is known which compression options will be pushed.
3080  */
3081  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3082  {
3083  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3087  }
3088 #endif
3089 
3090 #ifdef ENABLE_FRAGMENT
3091  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3092 #endif
3093  }
3094 #endif /* USE_COMP */
3095 
3096  /*
3097  * Adjust frame size for UDP Socks support.
3098  */
3099  if (c->options.ce.socks_proxy_server)
3100  {
3102  }
3103 
3104  /*
3105  * Adjust frame size based on the --tun-mtu-extra parameter.
3106  */
3108  {
3110  }
3111 
3112  /*
3113  * Adjust frame size based on link socket parameters.
3114  * (Since TCP is a stream protocol, we need to insert
3115  * a packet length uint16_t in the buffer.)
3116  */
3118 
3119  /*
3120  * Fill in the blanks in the frame parameters structure,
3121  * make sure values are rational, etc.
3122  */
3123  frame_finalize_options(c, NULL);
3124 
3125 #ifdef USE_COMP
3126  /*
3127  * Modify frame parameters if compression is compiled in.
3128  * Should be called after frame_finalize_options.
3129  */
3130  comp_add_to_extra_buffer(&c->c2.frame);
3131 #ifdef ENABLE_FRAGMENT
3132  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3133 #endif
3134 #endif /* USE_COMP */
3135 
3136  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3137  * and need link_mtu+3 bytes on socket reception (on server).
3138  *
3139  * accommodate receive path in f->extra_link, which has the side effect of
3140  * also increasing send buffers (BUF_SIZE() macro), which need to be
3141  * allocated big enough before receiving peer-id option from server.
3142  *
3143  * f->extra_frame is adjusted when peer-id option is push-received
3144  */
3146 
3147 #ifdef ENABLE_FRAGMENT
3148  /*
3149  * Set frame parameter for fragment code. This is necessary because
3150  * the fragmentation code deals with payloads which have already been
3151  * passed through the compression code.
3152  */
3153  c->c2.frame_fragment = c->c2.frame;
3156 #endif
3157 
3158 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3159  /*
3160  * MTU advisories
3161  */
3162  if (c->options.ce.fragment && c->options.mtu_test)
3163  {
3164  msg(M_WARN,
3165  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3166  }
3167 #endif
3168 
3169 #ifdef ENABLE_FRAGMENT
3170  if ((c->options.ce.mssfix || c->options.ce.fragment)
3172  {
3173  msg(M_WARN,
3174  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3176  }
3177 #endif
3178 }
3179 
3180 static void
3182 {
3183  const struct options *o = &c->options;
3184 
3185  if (o->ping_send_timeout && !o->ping_rec_timeout)
3186  {
3187  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3188  }
3189 
3190  if (o->username || o->groupname || o->chroot_dir
3191 #ifdef ENABLE_SELINUX
3192  || o->selinux_context
3193 #endif
3194  )
3195  {
3196  if (!o->persist_tun)
3197  {
3198  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3199  }
3200  if (!o->persist_key
3201 #ifdef ENABLE_PKCS11
3202  && !o->pkcs11_id
3203 #endif
3204  )
3205  {
3206  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3207  }
3208  }
3209 
3210  if (o->chroot_dir && !(o->username && o->groupname))
3211  {
3212  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3213  }
3214 
3215 #if P2MP
3216  if (o->pull && o->ifconfig_local && c->first_time)
3217  {
3218  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3219  }
3220 
3221 #if P2MP_SERVER
3223  {
3224  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3225  }
3226 
3227  if (o->mode == MODE_SERVER)
3228  {
3229  if (o->duplicate_cn && o->client_config_dir)
3230  {
3231  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3232  }
3234  {
3235  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3236  }
3237  if (!o->keepalive_ping || !o->keepalive_timeout)
3238  {
3239  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3240  }
3241  }
3242 #endif /* if P2MP_SERVER */
3243 #endif /* if P2MP */
3244 
3245  if (!o->replay)
3246  {
3247  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3248  }
3249 
3250  if (o->tls_server)
3251  {
3253  }
3254  if (o->tls_client
3255  && !o->tls_verify
3258  && !o->remote_cert_eku)
3259  {
3260  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3261  }
3262  if (o->ns_cert_type)
3263  {
3264  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3265  }
3266 
3267  /* If a script is used, print appropriate warnings */
3268  if (o->user_script_used)
3269  {
3270  if (script_security() >= SSEC_SCRIPTS)
3271  {
3272  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3273  }
3274  else if (script_security() >= SSEC_PW_ENV)
3275  {
3276  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3277  }
3278  else
3279  {
3280  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3281  }
3282  }
3283 }
3284 
3285 static void
3287 {
3289 }
3290 
3291 struct context_buffers *
3293 {
3294  struct context_buffers *b;
3295 
3296  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3297 
3298  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3299  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3300 
3301  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3302 
3303  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3304  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3305 
3306 #ifdef USE_COMP
3307  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3308  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3309 #endif
3310 
3311  return b;
3312 }
3313 
3314 void
3316 {
3317  if (b)
3318  {
3319  free_buf(&b->read_link_buf);
3320  free_buf(&b->read_tun_buf);
3321  free_buf(&b->aux_buf);
3322 
3323 #ifdef USE_COMP
3324  free_buf(&b->compress_buf);
3325  free_buf(&b->decompress_buf);
3326 #endif
3327 
3328  free_buf(&b->encrypt_buf);
3329  free_buf(&b->decrypt_buf);
3330 
3331  free(b);
3332  }
3333 }
3334 
3335 /*
3336  * Now that we know all frame parameters, initialize
3337  * our buffers.
3338  */
3339 static void
3341 {
3343  c->c2.buffers_owned = true;
3344 }
3345 
3346 #ifdef ENABLE_FRAGMENT
3347 /*
3348  * Fragmenting code has buffers to initialize
3349  * once frame parameters are known.
3350  */
3351 static void
3353 {
3354  ASSERT(c->options.ce.fragment);
3358 }
3359 #endif
3360 
3361 /*
3362  * Allocate our socket object.
3363  */
3364 static void
3366 {
3367  ASSERT(!c->c2.link_socket);
3369  c->c2.link_socket_owned = true;
3370 }
3371 
3372 /*
3373  * bind the TCP/UDP socket
3374  */
3375 static void
3376 do_init_socket_1(struct context *c, const int mode)
3377 {
3378  unsigned int sockflags = c->options.sockflags;
3379 
3380 #if PORT_SHARE
3381  if (c->options.port_share_host && c->options.port_share_port)
3382  {
3383  sockflags |= SF_PORT_SHARE;
3384  }
3385 #endif
3386 
3388  c->options.ce.local,
3389  c->options.ce.local_port,
3390  c->options.ce.remote,
3391  c->options.ce.remote_port,
3392  c->c1.dns_cache,
3393  c->options.ce.proto,
3394  c->options.ce.af,
3396  mode,
3397  c->c2.accept_from,
3398  c->c1.http_proxy,
3399  c->c1.socks_proxy,
3400 #ifdef ENABLE_DEBUG
3401  c->options.gremlin,
3402 #endif
3403  c->options.ce.bind_local,
3404  c->options.ce.remote_float,
3405  c->options.inetd,
3406  &c->c1.link_socket_addr,
3407  c->options.ipchange,
3408  c->plugins,
3411  c->options.rcvbuf,
3412  c->options.sndbuf,
3413  c->options.mark,
3415  sockflags);
3416 }
3417 
3418 /*
3419  * finalize the TCP/UDP socket
3420  */
3421 static void
3423 {
3425  c->sig);
3426 }
3427 
3428 /*
3429  * Print MTU INFO
3430  */
3431 static void
3433 {
3434  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3435 #ifdef ENABLE_FRAGMENT
3436  if (c->c2.fragment)
3437  {
3439  "Fragmentation MTU parms");
3440  }
3441 #endif
3442 }
3443 
3444 #ifdef ENABLE_OCC
3445 /*
3446  * Get local and remote options compatibility strings.
3447  */
3448 static void
3450 {
3451  struct gc_arena gc = gc_new();
3452 
3454  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3455  false, &gc);
3457  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3458  true, &gc);
3459 
3460  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3463  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3466 
3467  if (c->c2.tls_multi)
3468  {
3472  }
3473 
3474  gc_free(&gc);
3475 }
3476 #endif /* ifdef ENABLE_OCC */
3477 
3478 /*
3479  * These things can only be executed once per program instantiation.
3480  * Set up for possible UID/GID downgrade, but don't do it yet.
3481  * Daemonize if requested.
3482  */
3483 static void
3485 {
3486  if (c->first_time && !c->c0)
3487  {
3488  struct context_0 *c0;
3489 
3490  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3491  c0 = c->c0;
3492 
3493  /* get user and/or group that we want to setuid/setgid to */
3494  c0->uid_gid_specified =
3497 
3498  /* perform postponed chdir if --daemon */
3499  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3500  {
3501  platform_chdir("/");
3502  }
3503 
3504  /* should we change scheduling priority? */
3506  }
3507 }
3508 
3509 /*
3510  * If xinetd/inetd mode, don't allow restart.
3511  */
3512 static void
3514 {
3515  if (c->options.inetd
3516  && (c->sig->signal_received == SIGHUP
3517  || c->sig->signal_received == SIGUSR1))
3518  {
3519  c->sig->signal_received = SIGTERM;
3520  msg(M_INFO,
3521  PACKAGE_NAME
3522  " started by inetd/xinetd cannot restart... Exiting.");
3523  }
3524 }
3525 
3526 /*
3527  * free buffers
3528  */
3529 static void
3531 {
3532  if (c->c2.buffers_owned)
3533  {
3535  c->c2.buffers = NULL;
3536  c->c2.buffers_owned = false;
3537  }
3538 }
3539 
3540 /*
3541  * close TLS
3542  */
3543 static void
3545 {
3546  if (c->c2.tls_multi)
3547  {
3548  tls_multi_free(c->c2.tls_multi, true);
3549  c->c2.tls_multi = NULL;
3550  }
3551 
3552 #ifdef ENABLE_OCC
3553  /* free options compatibility strings */
3554  if (c->c2.options_string_local)
3555  {
3557  }
3558  if (c->c2.options_string_remote)
3559  {
3561  }
3563 #endif
3564 
3565  if (c->c2.pulled_options_state)
3566  {
3569  }
3570 }
3571 
3572 /*
3573  * Free key schedules
3574  */
3575 static void
3576 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3577 {
3578  /*
3579  * always free the tls_auth/crypt key. If persist_key is true, the key will
3580  * be reloaded from memory (pre-cached)
3581  */
3583  CLEAR(c->c1.ks.tls_wrap_key);
3586 
3587  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3588  {
3589  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3590  }
3591 }
3592 
3593 /*
3594  * Close TCP/UDP connection
3595  */
3596 static void
3598 {
3599  if (c->c2.link_socket && c->c2.link_socket_owned)
3600  {
3602  c->c2.link_socket = NULL;
3603  }
3604 
3605 
3606  /* Preserve the resolved list of remote if the user request to or if we want
3607  * reconnect to the same host again or there are still addresses that need
3608  * to be tried */
3609  if (!(c->sig->signal_received == SIGUSR1
3610  && ( (c->options.persist_remote_ip)
3611  ||
3612  ( c->sig->source != SIG_SOURCE_HARD
3614  || c->options.no_advance))
3615  )))
3616  {
3618  }
3619 
3620  /* Clear the remote actual address when persist_remote_ip is not in use */
3621  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3622  {
3624  }
3625 
3626  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3627  {
3629  {
3630  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3631  }
3632 
3633  c->c1.link_socket_addr.bind_local = NULL;
3634  }
3635 }
3636 
3637 /*
3638  * Close packet-id persistence file
3639  */
3640 static void
3642 {
3645  if (!(c->sig->signal_received == SIGUSR1))
3646  {
3648  }
3649 }
3650 
3651 #ifdef ENABLE_FRAGMENT
3652 /*
3653  * Close fragmentation handler.
3654  */
3655 static void
3657 {
3658  if (c->c2.fragment)
3659  {
3661  c->c2.fragment = NULL;
3662  }
3663 }
3664 #endif
3665 
3666 /*
3667  * Open and close our event objects.
3668  */
3669 
3670 static void
3672  bool need_us_timeout)
3673 {
3674  unsigned int flags = 0;
3675 
3677 
3678  flags |= EVENT_METHOD_FAST;
3679 
3680  if (need_us_timeout)
3681  {
3682  flags |= EVENT_METHOD_US_TIMEOUT;
3683  }
3684 
3685  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3686  c->c2.event_set_owned = true;
3687 }
3688 
3689 static void
3691 {
3692  if (c->c2.event_set && c->c2.event_set_owned)
3693  {
3694  event_free(c->c2.event_set);
3695  c->c2.event_set = NULL;
3696  c->c2.event_set_owned = false;
3697  }
3698 }
3699 
3700 /*
3701  * Open and close --status file
3702  */
3703 
3704 static void
3706 {
3707  if (!c->c1.status_output)
3708  {
3711  -1,
3712  NULL,
3714  c->c1.status_output_owned = true;
3715  }
3716 }
3717 
3718 static void
3720 {
3721  if (!(c->sig->signal_received == SIGUSR1))
3722  {
3723  if (c->c1.status_output_owned && c->c1.status_output)
3724  {
3726  c->c1.status_output = NULL;
3727  c->c1.status_output_owned = false;
3728  }
3729  }
3730 }
3731 
3732 /*
3733  * Handle ifconfig-pool persistence object.
3734  */
3735 static void
3737 {
3738 #if P2MP_SERVER
3740  {
3743  c->c1.ifconfig_pool_persist_owned = true;
3744  }
3745 #endif
3746 }
3747 
3748 static void
3750 {
3751 #if P2MP_SERVER
3752  if (!(c->sig->signal_received == SIGUSR1))
3753  {
3755  {
3757  c->c1.ifconfig_pool_persist = NULL;
3758  c->c1.ifconfig_pool_persist_owned = false;
3759  }
3760  }
3761 #endif
3762 }
3763 
3764 /*
3765  * Inherit environmental variables
3766  */
3767 
3768 static void
3769 do_inherit_env(struct context *c, const struct env_set *src)
3770 {
3771  c->c2.es = env_set_create(NULL);
3772  c->c2.es_owned = true;
3773  env_set_inherit(c->c2.es, src);
3774 }
3775 
3776 static void
3778 {
3779  if (c->c2.es && c->c2.es_owned)
3780  {
3781  env_set_destroy(c->c2.es);
3782  c->c2.es = NULL;
3783  c->c2.es_owned = false;
3784  }
3785 }
3786 
3787 /*
3788  * Fast I/O setup. Fast I/O is an optimization which only works
3789  * if all of the following are true:
3790  *
3791  * (1) The platform is not Windows
3792  * (2) --proto udp is enabled
3793  * (3) --shaper is disabled
3794  */
3795 static void
3797 {
3798  if (c->options.fast_io)
3799  {
3800 #ifdef _WIN32
3801  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3802 #else
3803  if (!proto_is_udp(c->options.ce.proto))
3804  {
3805  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3806  }
3807  else
3808  {
3809 #ifdef ENABLE_FEATURE_SHAPER
3810  if (c->options.shaper)
3811  {
3812  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3813  }
3814  else
3815 #endif
3816  {
3817  c->c2.fast_io = true;
3818  }
3819  }
3820 #endif
3821  }
3822 }
3823 
3824 static void
3826 {
3827  if (c->options.tls_exit)
3828  {
3829  c->c2.tls_exit_signal = SIGTERM;
3830  }
3831  else
3832  {
3833  c->c2.tls_exit_signal = SIGUSR1;
3834  }
3835 }
3836 
3837 #ifdef ENABLE_PLUGIN
3838 
3839 void
3841 {
3842  if (c->options.plugin_list && !c->plugins)
3843  {
3845  c->plugins_owned = true;
3846  }
3847 }
3848 
3849 void
3850 open_plugins(struct context *c, const bool import_options, int init_point)
3851 {
3852  if (c->plugins && c->plugins_owned)
3853  {
3854  if (import_options)
3855  {
3856  struct plugin_return pr, config;
3857  plugin_return_init(&pr);
3858  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3859  plugin_return_get_column(&pr, &config, "config");
3860  if (plugin_return_defined(&config))
3861  {
3862  int i;
3863  for (i = 0; i < config.n; ++i)
3864  {
3865  unsigned int option_types_found = 0;
3866  if (config.list[i] && config.list[i]->value)
3867  {
3869  config.list[i]->value,
3872  &option_types_found,
3873  c->es);
3874  }
3875  }
3876  }
3877  plugin_return_free(&pr);
3878  }
3879  else
3880  {
3881  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3882  }
3883  }
3884 }
3885 
3886 static void
3888 {
3889  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3890  {
3892  c->plugins = NULL;
3893  c->plugins_owned = false;
3894  }
3895 }
3896 
3897 static void
3898 do_inherit_plugins(struct context *c, const struct context *src)
3899 {
3900  if (!c->plugins && src->plugins)
3901  {
3902  c->plugins = plugin_list_inherit(src->plugins);
3903  c->plugins_owned = true;
3904  }
3905 }
3906 
3907 #endif /* ifdef ENABLE_PLUGIN */
3908 
3909 #ifdef ENABLE_MANAGEMENT
3910 
3911 static void
3912 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3913 {
3914  struct context *c = (struct context *) arg;
3915  print_status(c, so);
3916 }
3917 
3918 void
3919 management_show_net_callback(void *arg, const int msglevel)
3920 {
3921 #ifdef _WIN32
3922  show_routes(msglevel);
3923  show_adapters(msglevel);
3924  msg(msglevel, "END");
3925 #else
3926  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3927 #endif
3928 }
3929 
3930 #ifdef TARGET_ANDROID
3931 int
3932 management_callback_network_change(void *arg, bool samenetwork)
3933 {
3934  /* Check if the client should translate the network change to a SIGUSR1 to
3935  * reestablish the connection or just reprotect the socket
3936  *
3937  * At the moment just assume that, for all settings that use pull (not
3938  * --static) and are not using peer-id reestablishing the connection is
3939  * required (unless the network is the same)
3940  *
3941  * The function returns -1 on invalid fd and -2 if the socket cannot be
3942  * reused. On the -2 return value the man_network_change function triggers
3943  * a SIGUSR1 to force a reconnect.
3944  */
3945 
3946  int socketfd = -1;
3947  struct context *c = (struct context *) arg;
3948  if (!c->c2.link_socket)
3949  {
3950  return -1;
3951  }
3952  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3953  {
3954  return -1;
3955  }
3956 
3957  socketfd = c->c2.link_socket->sd;
3958  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3959  {
3960  return socketfd;
3961  }
3962  else
3963  {
3964  return -2;
3965  }
3966 }
3967 #endif /* ifdef TARGET_ANDROID */
3968 
3969 #endif /* ifdef ENABLE_MANAGEMENT */
3970 
3971 void
3973 {
3974 #ifdef ENABLE_MANAGEMENT
3975  if (management)
3976  {
3977  struct management_callback cb;
3978  CLEAR(cb);
3979  cb.arg = c;
3984 #ifdef TARGET_ANDROID
3985  cb.network_change = management_callback_network_change;
3986 #endif
3988  }
3989 #endif
3990 }
3991 
3992 #ifdef ENABLE_MANAGEMENT
3993 
3994 void
3996 {
3997  if (!management)
3998  {
4000  }
4001 }
4002 
4003 bool
4005 {
4006  /* initialize management layer */
4007  if (management)
4008  {
4009  if (c->options.management_addr)
4010  {
4011  unsigned int flags = c->options.management_flags;
4012  if (c->options.mode == MODE_SERVER)
4013  {
4014  flags |= MF_SERVER;
4015  }
4027  flags))
4028  {
4031  NULL,
4032  NULL,
4033  NULL,
4034  NULL,
4035  NULL);
4036  }
4037 
4038  /* initial management hold, called early, before first context initialization */
4039  do_hold(0);
4040  if (IS_SIG(c))
4041  {
4042  msg(M_WARN, "Signal received from management interface, exiting");
4043  return false;
4044  }
4045  }
4046  else
4047  {
4048  close_management();
4049  }
4050  }
4051  return true;
4052 }
4053 
4054 void
4056 {
4057  if (management)
4058  {
4060  management = NULL;
4061  }
4062 }
4063 
4064 #endif /* ifdef ENABLE_MANAGEMENT */
4065 
4066 
4067 void
4069 {
4070 #ifdef ENABLE_MANAGEMENT
4071  if (management)
4072  {
4074  }
4075 #endif
4076 }
4077 
4078 /*
4079  * Initialize a tunnel instance, handle pre and post-init
4080  * signal settings.
4081  */
4082 void
4083 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4084 {
4086  init_instance(c, env, flags);
4088 
4089  /*
4090  * This is done so that signals thrown during
4091  * initialization can bring us back to
4092  * a management hold.
4093  */
4094  if (IS_SIG(c))
4095  {
4096  remap_signal(c);
4098  }
4099 }
4100 
4101 /*
4102  * Initialize a tunnel instance.
4103  */
4104 void
4105 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4106 {
4107  const struct options *options = &c->options;
4108  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4109  int link_socket_mode = LS_MODE_DEFAULT;
4110 
4111  /* init garbage collection level */
4112  gc_init(&c->c2.gc);
4113 
4114  /* inherit environmental variables */
4115  if (env)
4116  {
4117  do_inherit_env(c, env);
4118  }
4119 
4120  /* signals caught here will abort */
4121  c->sig->signal_received = 0;
4122  c->sig->signal_text = NULL;
4123  c->sig->source = SIG_SOURCE_SOFT;
4124 
4125  if (c->mode == CM_P2P)
4126  {
4128  }
4129 
4130  /* possible sleep or management hold if restart */
4131  if (c->mode == CM_P2P || c->mode == CM_TOP)
4132  {
4133  do_startup_pause(c);
4134  if (IS_SIG(c))
4135  {
4136  goto sig;
4137  }
4138  }
4139 
4140  if (c->options.resolve_in_advance)
4141  {
4142  do_preresolve(c);
4143  if (IS_SIG(c))
4144  {
4145  goto sig;
4146  }
4147  }
4148 
4149  /* map in current connection entry */
4151 
4152  /* link_socket_mode allows CM_CHILD_TCP
4153  * instances to inherit acceptable fds
4154  * from a top-level parent */
4155  if (c->options.ce.proto == PROTO_TCP_SERVER)
4156  {
4157  if (c->mode == CM_TOP)
4158  {
4159  link_socket_mode = LS_MODE_TCP_LISTEN;
4160  }
4161  else if (c->mode == CM_CHILD_TCP)
4162  {
4163  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4164  }
4165  }
4166 
4167  /* should we disable paging? */
4168  if (c->first_time && options->mlock)
4169  {
4170  platform_mlockall(true);
4171  }
4172 
4173 #if P2MP
4174  /* get passwords if undefined */
4175  if (auth_retry_get() == AR_INTERACT)
4176  {
4178  }
4179 #endif
4180 
4181  /* initialize context level 2 --verb/--mute parms */
4183 
4184  /* set error message delay for non-server modes */
4185  if (c->mode == CM_P2P)
4186  {
4188  }
4189 
4190  /* warn about inconsistent options */
4191  if (c->mode == CM_P2P || c->mode == CM_TOP)
4192  {
4193  do_option_warnings(c);
4194  }
4195 
4196 #ifdef ENABLE_PLUGIN
4197  /* initialize plugins */
4198  if (c->mode == CM_P2P || c->mode == CM_TOP)
4199  {
4201  }
4202 #endif
4203 
4204  /* should we enable fast I/O? */
4205  if (c->mode == CM_P2P || c->mode == CM_TOP)
4206  {
4207  do_setup_fast_io(c);
4208  }
4209 
4210  /* should we throw a signal on TLS errors? */
4212 
4213  /* open --status file */
4214  if (c->mode == CM_P2P || c->mode == CM_TOP)
4215  {
4217  }
4218 
4219  /* open --ifconfig-pool-persist file */
4220  if (c->mode == CM_TOP)
4221  {
4223  }
4224 
4225 #ifdef ENABLE_OCC
4226  /* reset OCC state */
4227  if (c->mode == CM_P2P || child)
4228  {
4229  c->c2.occ_op = occ_reset_op();
4230  }
4231 #endif
4232 
4233  /* our wait-for-i/o objects, different for posix vs. win32 */
4234  if (c->mode == CM_P2P)
4235  {
4237  }
4238  else if (c->mode == CM_CHILD_TCP)
4239  {
4240  do_event_set_init(c, false);
4241  }
4242 
4243  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4244  init_proxy(c);
4245 
4246  /* allocate our socket object */
4247  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4248  {
4249  do_link_socket_new(c);
4250  }
4251 
4252 #ifdef ENABLE_FRAGMENT
4253  /* initialize internal fragmentation object */
4254  if (options->ce.fragment && (c->mode == CM_P2P || child))
4255  {
4256  c->c2.fragment = fragment_init(&c->c2.frame);
4257  }
4258 #endif
4259 
4260  /* init crypto layer */
4261  {
4262  unsigned int crypto_flags = 0;
4263  if (c->mode == CM_TOP)
4264  {
4265  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4266  }
4267  else if (c->mode == CM_P2P)
4268  {
4270  }
4271  else if (child)
4272  {
4273  crypto_flags = CF_INIT_TLS_MULTI;
4274  }
4275  do_init_crypto(c, crypto_flags);
4276  if (IS_SIG(c) && !child)
4277  {
4278  goto sig;
4279  }
4280  }
4281 
4282 #ifdef USE_COMP
4283  /* initialize compression library. */
4284  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4285  {
4286  c->c2.comp_context = comp_init(&options->comp);
4287  }
4288 #endif
4289 
4290  /* initialize MTU variables */
4291  do_init_frame(c);
4292 
4293  /* initialize TLS MTU variables */
4294  do_init_frame_tls(c);
4295 
4296  /* init workspace buffers whose size is derived from frame size */
4297  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4298  {
4299  do_init_buffers(c);
4300  }
4301 
4302 #ifdef ENABLE_FRAGMENT
4303  /* initialize internal fragmentation capability with known frame size */
4304  if (options->ce.fragment && (c->mode == CM_P2P || child))
4305  {
4306  do_init_fragment(c);
4307  }
4308 #endif
4309 
4310  /* initialize dynamic MTU variable */
4311  frame_init_mssfix(&c->c2.frame, &c->options);
4312 
4313  /* bind the TCP/UDP socket */
4314  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4315  {
4316  do_init_socket_1(c, link_socket_mode);
4317  }
4318 
4319  /* initialize tun/tap device object,
4320  * open tun/tap device, ifconfig, run up script, etc. */
4321  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4322  {
4323  c->c2.did_open_tun = do_open_tun(c);
4324  }
4325 
4326  c->c2.frame_initial = c->c2.frame;
4327 
4328  /* print MTU info */
4330 
4331 #ifdef ENABLE_OCC
4332  /* get local and remote options compatibility strings */
4333  if (c->mode == CM_P2P || child)
4334  {
4336  }
4337 #endif
4338 
4339  /* initialize output speed limiter */
4340  if (c->mode == CM_P2P)
4341  {
4343  }
4344 
4345  /* do one-time inits, and possibly become a daemon here */
4346  do_init_first_time(c);
4347 
4348 #ifdef ENABLE_PLUGIN
4349  /* initialize plugins */
4350  if (c->mode == CM_P2P || c->mode == CM_TOP)
4351  {
4353  }
4354 #endif
4355 
4356  /* initialise connect timeout timer */
4358 
4359  /* finalize the TCP/UDP socket */
4360  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4361  {
4362  do_init_socket_2(c);
4363  }
4364 
4365  /*
4366  * Actually do UID/GID downgrade, and chroot, if requested.
4367  * May be delayed by --client, --pull, or --up-delay.
4368  */
4370 
4371  /* initialize timers */
4372  if (c->mode == CM_P2P || child)
4373  {
4374  do_init_timers(c, false);
4375  }
4376 
4377 #ifdef ENABLE_PLUGIN
4378  /* initialize plugins */
4379  if (c->mode == CM_P2P || c->mode == CM_TOP)
4380  {
4382  }
4383 #endif
4384 
4385 #if PORT_SHARE
4386  /* share OpenVPN port with foreign (such as HTTPS) server */
4387  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4388  {
4389  init_port_share(c);
4390  }
4391 #endif
4392 
4393 #ifdef ENABLE_PF
4394  if (child)
4395  {
4396  pf_init_context(c);
4397  }
4398 #endif
4399 
4400  /* Check for signals */
4401  if (IS_SIG(c))
4402  {
4403  goto sig;
4404  }
4405 
4406  return;
4407 
4408 sig:
4409  if (!c->sig->signal_text)
4410  {
4411  c->sig->signal_text = "init_instance";
4412  }
4413  close_context(c, -1, flags);
4414  return;
4415 }
4416 
4417 /*
4418  * Close a tunnel instance.
4419  */
4420 void
4422 {
4423  /* close event objects */
4424  do_close_event_set(c);
4425 
4426  if (c->mode == CM_P2P
4427  || c->mode == CM_CHILD_TCP
4428  || c->mode == CM_CHILD_UDP
4429  || c->mode == CM_TOP)
4430  {
4431  /* if xinetd/inetd mode, don't allow restart */
4433 
4434 #ifdef USE_COMP
4435  if (c->c2.comp_context)
4436  {
4437  comp_uninit(c->c2.comp_context);
4438  c->c2.comp_context = NULL;
4439  }
4440 #endif
4441 
4442  /* free buffers */
4443  do_close_free_buf(c);
4444 
4445  /* close TLS */
4446  do_close_tls(c);
4447 
4448  /* free key schedules */
4449  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4450 
4452 
4453  /* close TCP/UDP connection */
4455 
4456  /* close TUN/TAP device */
4457  do_close_tun(c, false);
4458 
4459 #ifdef MANAGEMENT_DEF_AUTH
4460  if (management)
4461  {
4462  management_notify_client_close(management, &c->c2.mda_context, NULL);
4463  }
4464 #endif
4465 
4466 #ifdef ENABLE_PF
4467  pf_destroy_context(&c->c2.pf);
4468 #endif
4469 
4470 #ifdef ENABLE_PLUGIN
4471  /* call plugin close functions and unload */
4472  do_close_plugins(c);
4473 #endif
4474 
4475  /* close packet-id persistence file */
4476  do_close_packet_id(c);
4477 
4478  /* close --status file */
4480 
4481 #ifdef ENABLE_FRAGMENT
4482  /* close fragmentation handler */
4483  do_close_fragment(c);
4484 #endif
4485 
4486  /* close --ifconfig-pool-persist obj */
4488 
4489  /* free up environmental variable store */
4490  do_env_set_destroy(c);
4491 
4492  /* close HTTP or SOCKS proxy */
4493  uninit_proxy(c);
4494 
4495  /* garbage collect */
4496  gc_free(&c->c2.gc);
4497  }
4498 }
4499 
4500 void
4502  const struct context *src)
4503 {
4504  CLEAR(*dest);
4505 
4506  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4508 
4509  dest->gc = gc_new();
4510 
4511  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4512 
4513  /* c1 init */
4515 
4516  dest->c1.ks.key_type = src->c1.ks.key_type;
4517  /* inherit SSL context */
4518  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4519  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4522  /* inherit pre-NCP ciphers */
4523  dest->c1.ciphername = src->c1.ciphername;
4524  dest->c1.authname = src->c1.authname;
4525  dest->c1.keysize = src->c1.keysize;
4526 
4527  /* inherit auth-token */
4528  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4529 
4530  /* options */
4531  dest->options = src->options;
4532  options_detach(&dest->options);
4533 
4534  if (dest->mode == CM_CHILD_TCP)
4535  {
4536  /*
4537  * The CM_TOP context does the socket listen(),
4538  * and the CM_CHILD_TCP context does the accept().
4539  */
4540  dest->c2.accept_from = src->c2.link_socket;
4541  }
4542 
4543 #ifdef ENABLE_PLUGIN
4544  /* inherit plugins */
4545  do_inherit_plugins(dest, src);
4546 #endif
4547 
4548  /* context init */
4549  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4550  if (IS_SIG(dest))
4551  {
4552  return;
4553  }
4554 
4555  /* inherit tun/tap interface object */
4556  dest->c1.tuntap = src->c1.tuntap;
4557 
4558  /* UDP inherits some extra things which TCP does not */
4559  if (dest->mode == CM_CHILD_UDP)
4560  {
4561  /* inherit buffers */
4562  dest->c2.buffers = src->c2.buffers;
4563 
4564  /* inherit parent link_socket and tuntap */
4565  dest->c2.link_socket = src->c2.link_socket;
4566 
4567  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4568  *dest->c2.link_socket_info = src->c2.link_socket->info;
4569 
4570  /* locally override some link_socket_info fields */
4571  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4573  }
4574 }
4575 
4576 void
4578  const struct context *src)
4579 {
4580  /* copy parent */
4581  *dest = *src;
4582 
4583  /*
4584  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4585  * resources owned by the parent.
4586  *
4587  * Also note that CM_TOP_CLONE context objects are
4588  * closed by multi_top_free in multi.c.
4589  */
4590  dest->mode = CM_TOP_CLONE;
4591 
4592  dest->first_time = false;
4593  dest->c0 = NULL;
4594 
4595  options_detach(&dest->options);
4596  gc_detach(&dest->gc);
4597  gc_detach(&dest->c2.gc);
4598 
4599  /* detach plugins */
4600  dest->plugins_owned = false;
4601 
4602  dest->c2.tls_multi = NULL;
4603 
4604  /* detach c1 ownership */
4605  dest->c1.tuntap_owned = false;
4606  dest->c1.status_output_owned = false;
4607 #if P2MP_SERVER
4608  dest->c1.ifconfig_pool_persist_owned = false;
4609 #endif
4610 
4611  /* detach c2 ownership */
4612  dest->c2.event_set_owned = false;
4613  dest->c2.link_socket_owned = false;
4614  dest->c2.buffers_owned = false;
4615  dest->c2.es_owned = false;
4616 
4617  dest->c2.event_set = NULL;
4618  if (proto_is_dgram(src->options.ce.proto))
4619  {
4620  do_event_set_init(dest, false);
4621  }
4622 
4623 #ifdef USE_COMP
4624  dest->c2.comp_context = NULL;
4625 #endif
4626 }
4627 
4628 void
4629 close_context(struct context *c, int sig, unsigned int flags)
4630 {
4631  ASSERT(c);
4632  ASSERT(c->sig);
4633 
4634  if (sig >= 0)
4635  {
4636  c->sig->signal_received = sig;
4637  }
4638 
4639  if (c->sig->signal_received == SIGUSR1)
4640  {
4641  if ((flags & CC_USR1_TO_HUP)
4642  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4643  {
4644  c->sig->signal_received = SIGHUP;
4645  c->sig->signal_text = "close_context usr1 to hup";
4646  }
4647  }
4648 
4649  if (!(flags & CC_NO_CLOSE))
4650  {
4651  close_instance(c);
4652  }
4653 
4654  if (flags & CC_GC_FREE)
4655  {
4656  context_gc_free(c);
4657  }
4658 }
4659 
4660 /*
4661  * Do a loopback test
4662  * on the crypto subsystem.
4663  */
4664 static void *
4666 {
4667  struct context *c = (struct context *) arg;
4668  const struct options *options = &c->options;
4669 
4670  ASSERT(options->test_crypto);
4672  context_init_1(c);
4674  do_init_crypto_static(c, 0);
4675 
4676  frame_finalize_options(c, options);
4677 
4678  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4679 
4680  key_schedule_free(&c->c1.ks, true);
4682 
4683  context_gc_free(c);
4684  return NULL;
4685 }
4686 
4687 bool
4688 do_test_crypto(const struct options *o)
4689 {
4690  if (o->test_crypto)
4691  {
4692  struct context c;
4693 
4694  /* print version number */
4695  msg(M_INFO, "%s", title_string);
4696 
4697  context_clear(&c);
4698  c.options = *o;
4699  options_detach(&c.options);
4700  c.first_time = true;
4701  test_crypto_thread((void *) &c);
4702  return true;
4703  }
4704  return false;
4705 }
struct tuntap_options tuntap_options
Definition: options.h:303
bool tcp_mode
Definition: ssl_common.h:302
struct env_set * es
Definition: openvpn.h:429
char port[RH_PORT_LEN]
Definition: options.h:184
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:210
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:458
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2516
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:338
void management_close(struct management *man)
Definition: manage.c:2636
int ifconfig_pool_persist_refresh_freq
Definition: options.h:436
struct key_type key_type
Definition: ssl_common.h:247
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
bool persist_remote_ip
Definition: options.h:292
int sndbuf
Definition: options.h:351
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:370
bool log_rw
Definition: openvpn.h:389
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
struct frame frame_fragment_omit
Definition: openvpn.h:270
const char * tmp_dir
Definition: ssl_common.h:319
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:392
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:558
#define OPT_P_DEFAULT
Definition: options.h:695
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1483
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:252
Definition: tun.h:145
bool ncp_enabled
Definition: options.h:511
unsigned int management_flags
Definition: options.h:395
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1950
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:904
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2544
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:284
#define P2MP_SERVER
Definition: syshead.h:525
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:636
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:105
struct event_timeout ping_rec_interval
Definition: openvpn.h:301
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1319
bool tls_crypt_v2
Definition: ssl_common.h:308
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:504
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
struct event_timeout route_wakeup_expire
Definition: openvpn.h:393
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:519
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1099
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5472
bool show_curves
Definition: options.h:222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:633
const char * cipher_list
Definition: options.h:538
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:529
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
static void do_alloc_route_list(struct context *c)
Definition: init.c:1428
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:293
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:973
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3636
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2103
static void init_proxy_dowork(struct context *c)
Definition: init.c:575
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1721
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
bool did_open_tun
Definition: openvpn.h:396
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
unsigned int auth_token_lifetime
Definition: ssl_common.h:327
const char * tls_cert_profile
Definition: options.h:540
int management_log_history_cache
Definition: options.h:386
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
struct interval tmp_int
Definition: openvpn.h:353
#define streq(x, y)
Definition: options.h:660
const char * ifconfig_pool_persist_filename
Definition: options.h:435
const char * chroot_dir
Definition: options.h:308
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:731
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3898
static void do_close_event_set(struct context *c)
Definition: init.c:3690
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2684
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
bool server_bridge_proxy_dhcp
Definition: options.h:422
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:247
#define WSO_FORCE_SERVICE
Definition: win32.h:166
int ping_rec_timeout_action
Definition: options.h:288
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2113
bool auth_token_generate
Definition: options.h:478
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
int inetd
Definition: options.h:325
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4295
void tun_abort(void)
Definition: init.c:2083
Contains all state information for one tunnel.
Definition: openvpn.h:502
#define CIPHER_ENABLED(c)
Definition: openvpn.h:573
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3777
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2603
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:355
struct env_set * es
Set of environment variables.
Definition: openvpn.h:525
#define D_PUSH
Definition: errlevel.h:83
#define M_USAGE
Definition: error.h:111
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1187
#define srandom
Definition: syshead.h:45
bool proto_is_udp(int proto)
Definition: socket.c:3174
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:377
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
#define OPT_P_PLUGIN
Definition: options.h:689
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
#define dmsg
Definition: error.h:174
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4629
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3422
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
#define SDL_CONSTRAIN
Definition: error.h:203
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
const char * shared_secret_file
Definition: options.h:507
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6379
#define RH_PORT_LEN
Definition: options.h:183
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:641
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3972
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:341
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:327
void close_instance(struct context *c)
Definition: init.c:4421
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:586
const char * client_config_dir_exclusive
Definition: ssl_common.h:333
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1346
#define OPT_P_IPWIN32
Definition: options.h:668
bool persist_key
Definition: options.h:293
#define SIGUSR1
Definition: config-msvc.h:153
int replay_window
Definition: options.h:520
int persist_mode
Definition: options.h:215
int keysize
Data channel keysize from config file.
Definition: openvpn.h:212
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:413
const char * auth_user_pass_file
Definition: ssl_common.h:320
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3825
struct context_buffers * buffers
Definition: openvpn.h:376
int verify_x509_type
Definition: ssl_common.h:282
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
struct event_timeout wait_for_connect
Definition: openvpn.h:299
int rcvbuf
Definition: options.h:350
const char * config_ncp_ciphers
Definition: ssl_common.h:305
const char * crl_file_inline
Definition: options.h:551
#define D_LOG_RW
Definition: errlevel.h:110
struct link_socket_info * link_socket_info
Definition: openvpn.h:255
static void next_connection_entry(struct context *c)
Definition: init.c:427
int handshake_window
Definition: ssl_common.h:273
struct connection_list * connection_list
Definition: options.h:231
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:296
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
#define LS_MODE_DEFAULT
Definition: socket.h:196
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define RH_HOST_LEN
Definition: options.h:181
const char * exit_event_name
Definition: options.h:632
#define AR_NONE
Definition: options.h:847
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:256
bool route_noexec
Definition: options.h:365
unsigned int sockflags
Definition: options.h:357
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2472
const char * auth_token_secret_file_inline
Definition: options.h:483
in_addr_t remote_netmask
Definition: tun.h:167
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
static void do_close_tls(struct context *c)
Definition: init.c:3544
const char * genkey_extra_data
Definition: options.h:226
static bool ce_management_query_remote(struct context *c)
Definition: init.c:340
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define ENABLE_PKCS11
Definition: config-msvc.h:18
const char * route_script
Definition: options.h:360
int management_state_buffer_size
Definition: options.h:388
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:299
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:482
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:106
#define D_READ_WRITE
Definition: errlevel.h:164
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:141
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3049
const char * config
Definition: options.h:201
int route_delay
Definition: options.h:366
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:529
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:315
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:361
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3850
const char * ekm_label
Definition: ssl_common.h:372
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
struct frame frame_initial
Definition: openvpn.h:263
bool down_pre
Definition: options.h:317
int keepalive_timeout
Definition: options.h:276
#define OPT_P_SOCKBUF
Definition: options.h:690
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
#define SIGTERM
Definition: config-msvc.h:155
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:323
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1410
#define TLS_MODE(c)
Definition: openvpn.h:565
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:532
bool push_peer_info
Definition: options.h:621
#define OPT_P_SETENV
Definition: options.h:670
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:151
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:587
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3710
#define PING_RESTART
Definition: options.h:287
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2999
int handshake_window
Definition: options.h:591
#define ASSERT(x)
Definition: error.h:221
static void do_close_plugins(struct context *c)
Definition: init.c:3887
#define D_SHOW_NET
Definition: errlevel.h:129
static int ifconfig_order(void)
Definition: tun.h:333
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:227
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:298
const char * tls_auth_file_inline
Definition: options.h:136
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:243
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:340
int verify_x509_type
Definition: options.h:543
unsigned int unsuccessful_attempts
Definition: options.h:237
void close_management(void)
Definition: init.c:4055
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:480
const char * config_ciphername
Definition: ssl_common.h:304
const char * prng_hash
Definition: options.h:515
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:2066
int ping_rec_timeout
Definition: options.h:282
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:257
bool fast_io
Definition: options.h:343
int key_direction
Definition: options.h:509
int renegotiate_bytes
Definition: ssl_common.h:275
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
static void update_options_ce_post(struct options *options)
Definition: init.c:191
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1428
struct tuntap_options options
Definition: tun.h:158
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:59
char username[USER_PASS_LEN]
Definition: misc.h:74
const char * tls_crypt_v2_inline
Definition: options.h:146
bool init_static(void)
Definition: init.c:726
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
struct frame frame_fragment_initial
Definition: openvpn.h:269
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:205
bool use_peer_id
Definition: ssl_common.h:586
struct event_timeout ping_send_interval
Definition: openvpn.h:300
bool route_delay_defined
Definition: options.h:368
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:514
bool initialized
Definition: crypto.h:225
bool tls_exit
Definition: options.h:623
#define MF_SERVER
Definition: manage.h:332
bool print_openssl_info(const struct options *options)
Definition: init.c:1006
void restore_signal_state(void)
Definition: sig.c:272
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1016
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:779
int key_direction
Definition: options.h:137
#define PULL_DEFINED(opt)
Definition: options.h:698
char * x509_username_field
Definition: ssl_common.h:291
bool route_nopull
Definition: options.h:372
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3656
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1204
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6488
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:66
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
const char * tls_export_cert
Definition: options.h:545
const char * route_default_gateway
Definition: options.h:362
const char * ncp_ciphers
Definition: options.h:512
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4083
int remap_sigusr1
Definition: options.h:322