OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
73 context_clear(struct context *c)
74 {
75  CLEAR(*c);
76 }
77 
78 void
79 context_clear_1(struct context *c)
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
85 context_clear_2(struct context *c)
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
91 context_clear_all_except_first_time(struct context *c)
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
193 update_options_ce_post(struct options *options)
194 {
195 #if P2MP
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
206  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
207  options->ping_rec_timeout_action = PING_RESTART;
208  }
209 #endif
210 }
211 
212 #ifdef ENABLE_MANAGEMENT
213 static bool
214 management_callback_proxy_cmd(void *arg, const char **p)
215 {
216  struct context *c = arg;
217  struct connection_entry *ce = &c->options.ce;
218  struct gc_arena *gc = &c->c2.gc;
219  bool ret = false;
220 
221  update_time();
222  if (streq(p[1], "NONE"))
223  {
224  ret = true;
225  }
226  else if (p[2] && p[3])
227  {
228  if (streq(p[1], "HTTP"))
229  {
230  struct http_proxy_options *ho;
231  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
232  {
233  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
234  return false;
235  }
236  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
237  ho->server = string_alloc(p[2], gc);
238  ho->port = string_alloc(p[3], gc);
239  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
240  ret = true;
241  }
242  else if (streq(p[1], "SOCKS"))
243  {
244  ce->socks_proxy_server = string_alloc(p[2], gc);
245  ce->socks_proxy_port = string_alloc(p[3], gc);
246  ret = true;
247  }
248  }
249  else
250  {
251  msg(M_WARN, "Bad proxy command");
252  }
253 
254  ce->flags &= ~CE_MAN_QUERY_PROXY;
255 
256  return ret;
257 }
258 
259 static bool
260 ce_management_query_proxy(struct context *c)
261 {
262  const struct connection_list *l = c->options.connection_list;
263  struct connection_entry *ce = &c->options.ce;
264  struct gc_arena gc;
265  bool ret = true;
266 
267  update_time();
268  if (management)
269  {
270  gc = gc_new();
271  {
272  struct buffer out = alloc_buf_gc(256, &gc);
273  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
274  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
275  management_notify_generic(management, BSTR(&out));
276  management->persist.special_state_msg = BSTR(&out);
277  }
278  ce->flags |= CE_MAN_QUERY_PROXY;
279  while (ce->flags & CE_MAN_QUERY_PROXY)
280  {
281  management_event_loop_n_seconds(management, 1);
282  if (IS_SIG(c))
283  {
284  ret = false;
285  break;
286  }
287  }
288  management->persist.special_state_msg = NULL;
289  gc_free(&gc);
290  }
291 
292  return ret;
293 }
294 
309 static bool
310 management_callback_send_cc_message(void *arg,
311  const char *command,
312  const char *parameters)
313 {
314  struct context *c = (struct context *) arg;
315  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
316  if (len > PUSH_BUNDLE_SIZE)
317  {
318  return false;
319  }
320 
321  struct gc_arena gc = gc_new();
322  struct buffer buf = alloc_buf_gc(len, &gc);
323  ASSERT(buf_printf(&buf, "%s", command));
324  if (parameters)
325  {
326  ASSERT(buf_printf(&buf, ",%s", parameters));
327  }
328  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
329 
330  gc_free(&gc);
331  return status;
332 }
333 
334 static bool
335 management_callback_remote_cmd(void *arg, const char **p)
336 {
337  struct context *c = (struct context *) arg;
338  struct connection_entry *ce = &c->options.ce;
339  int ret = false;
340  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
341  {
342  int flags = 0;
343  if (!strcmp(p[1], "ACCEPT"))
344  {
345  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
346  ret = true;
347  }
348  else if (!strcmp(p[1], "SKIP"))
349  {
350  flags = CE_MAN_QUERY_REMOTE_SKIP;
351  ret = true;
352  }
353  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
354  {
355  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
356  {
357  struct remote_host_store *rhs = c->options.rh_store;
358  if (!rhs)
359  {
360  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
361  c->options.rh_store = rhs;
362  }
363  strncpynt(rhs->host, p[2], RH_HOST_LEN);
364  strncpynt(rhs->port, p[3], RH_PORT_LEN);
365 
366  ce->remote = rhs->host;
367  ce->remote_port = rhs->port;
368  flags = CE_MAN_QUERY_REMOTE_MOD;
369  ret = true;
370  }
371  }
372  if (ret)
373  {
374  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
375  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
376  }
377  }
378  return ret;
379 }
380 
381 static bool
382 ce_management_query_remote(struct context *c)
383 {
384  struct gc_arena gc = gc_new();
385  volatile struct connection_entry *ce = &c->options.ce;
386  int ce_changed = true; /* presume the connection entry will be changed */
387 
388  update_time();
389  if (management)
390  {
391  struct buffer out = alloc_buf_gc(256, &gc);
392 
393  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
394  proto2ascii(ce->proto, ce->af, false));
395  management_notify_generic(management, BSTR(&out));
396  management->persist.special_state_msg = BSTR(&out);
397 
398  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
399  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
400  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
401  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
402  {
403  management_event_loop_n_seconds(management, 1);
404  if (IS_SIG(c))
405  {
406  ce_changed = false; /* connection entry have not been set */
407  break;
408  }
409  }
410  management->persist.special_state_msg = NULL;
411  }
412  gc_free(&gc);
413 
414  if (ce_changed)
415  {
416  /* If it is likely a connection entry was modified,
417  * check what changed in the flags and that it was not skipped
418  */
419  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
420  & CE_MAN_QUERY_REMOTE_MASK);
421  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
422  }
423  return ce_changed;
424 }
425 #endif /* ENABLE_MANAGEMENT */
426 
427 /*
428  * Initialize and possibly randomize connection list.
429  */
430 static void
431 init_connection_list(struct context *c)
432 {
433  struct connection_list *l = c->options.connection_list;
434 
435  l->current = -1;
436  if (c->options.remote_random)
437  {
438  int i;
439  for (i = 0; i < l->len; ++i)
440  {
441  const int j = get_random() % l->len;
442  if (i != j)
443  {
444  struct connection_entry *tmp;
445  tmp = l->array[i];
446  l->array[i] = l->array[j];
447  l->array[j] = tmp;
448  }
449  }
450  }
451 }
452 
453 /*
454  * Clear the remote address list
455  */
456 static void
457 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
458 {
459  if (lsa->remote_list && free)
460  {
461  freeaddrinfo(lsa->remote_list);
462  }
463  lsa->remote_list = NULL;
464  lsa->current_remote = NULL;
465 }
466 
467 /*
468  * Increment to next connection entry
469  */
470 static void
471 next_connection_entry(struct context *c)
472 {
473  struct connection_list *l = c->options.connection_list;
474  bool ce_defined;
475  struct connection_entry *ce;
476  int n_cycles = 0;
477 
478  do
479  {
480  ce_defined = true;
481  if (c->options.no_advance && l->current >= 0)
482  {
483  c->options.no_advance = false;
484  }
485  else
486  {
487  /* Check if there is another resolved address to try for
488  * the current connection */
489  if (c->c1.link_socket_addr.current_remote
490  && c->c1.link_socket_addr.current_remote->ai_next)
491  {
492  c->c1.link_socket_addr.current_remote =
493  c->c1.link_socket_addr.current_remote->ai_next;
494  }
495  else
496  {
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* Connection entry addrinfo objects might have been
504  * resolved earlier but the entry itself might have been
505  * skipped by management on the previous loop.
506  * If so, clear the addrinfo objects as close_instance does
507  */
508  if (c->c1.link_socket_addr.remote_list)
509  {
510  clear_remote_addrlist(&c->c1.link_socket_addr,
511  !c->options.resolve_in_advance);
512  }
513 
514  /* close_instance should have cleared the addrinfo objects */
515  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
516  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
517  }
518  else
519  {
520  c->c1.link_socket_addr.current_remote =
521  c->c1.link_socket_addr.remote_list;
522  }
523 
524  /*
525  * Increase the number of connection attempts
526  * If this is connect-retry-max * size(l)
527  * OpenVPN will quit
528  */
529 
530  c->options.unsuccessful_attempts++;
531 
532  if (++l->current >= l->len)
533  {
534 
535  l->current = 0;
536  if (++n_cycles >= 2)
537  {
538  msg(M_FATAL, "No usable connection profiles are present");
539  }
540  }
541  }
542  }
543 
544  ce = l->array[l->current];
545 
546  if (ce->flags & CE_DISABLED)
547  {
548  ce_defined = false;
549  }
550 
551  c->options.ce = *ce;
552 #ifdef ENABLE_MANAGEMENT
553  if (ce_defined && management && management_query_remote_enabled(management))
554  {
555  /* allow management interface to override connection entry details */
556  ce_defined = ce_management_query_remote(c);
557  if (IS_SIG(c))
558  {
559  break;
560  }
561  }
562  else if (ce_defined && management && management_query_proxy_enabled(management))
563  {
564  ce_defined = ce_management_query_proxy(c);
565  if (IS_SIG(c))
566  {
567  break;
568  }
569  }
570 #endif
571  } while (!ce_defined);
572 
573  /* Check if this connection attempt would bring us over the limit */
574  if (c->options.connect_retry_max > 0
575  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
576  {
577  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
578  c->options.connect_retry_max);
579  }
580  update_options_ce_post(&c->options);
581 }
582 
583 /*
584  * Query for private key and auth-user-pass username/passwords
585  */
586 void
587 init_query_passwords(const struct context *c)
588 {
589  /* Certificate password input */
590  if (c->options.key_pass_file)
591  {
592  pem_password_setup(c->options.key_pass_file);
593  }
594 
595 #if P2MP
596  /* Auth user/pass input */
597  if (c->options.auth_user_pass_file)
598  {
599 #ifdef ENABLE_MANAGEMENT
600  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
601 #else
602  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
603 #endif
604  }
605 #endif
606 }
607 
608 /*
609  * Initialize/Uninitialize HTTP or SOCKS proxy
610  */
611 
612 static void
613 uninit_proxy_dowork(struct context *c)
614 {
615  if (c->c1.http_proxy_owned && c->c1.http_proxy)
616  {
617  http_proxy_close(c->c1.http_proxy);
618  c->c1.http_proxy = NULL;
619  c->c1.http_proxy_owned = false;
620  }
621  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
622  {
623  socks_proxy_close(c->c1.socks_proxy);
624  c->c1.socks_proxy = NULL;
625  c->c1.socks_proxy_owned = false;
626  }
627 }
628 
629 static void
630 init_proxy_dowork(struct context *c)
631 {
632  bool did_http = false;
633 
634  uninit_proxy_dowork(c);
635 
636  if (c->options.ce.http_proxy_options)
637  {
638  /* Possible HTTP proxy user/pass input */
639  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
640  if (c->c1.http_proxy)
641  {
642  did_http = true;
643  c->c1.http_proxy_owned = true;
644  }
645  }
646 
647  if (!did_http && c->options.ce.socks_proxy_server)
648  {
649  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
650  c->options.ce.socks_proxy_port,
651  c->options.ce.socks_proxy_authfile);
652  if (c->c1.socks_proxy)
653  {
654  c->c1.socks_proxy_owned = true;
655  }
656  }
657 }
658 
659 static void
660 init_proxy(struct context *c)
661 {
662  init_proxy_dowork(c);
663 }
664 
665 static void
666 uninit_proxy(struct context *c)
667 {
668  uninit_proxy_dowork(c);
669 }
670 
671 /*
672  * Saves the initial state of NCP-regotiable
673  * options into a storage which persists over SIGUSR1.
674  */
675 static void
676 save_ncp_options(struct context *c)
677 {
678  c->c1.ciphername = c->options.ciphername;
679  c->c1.authname = c->options.authname;
680  c->c1.keysize = c->options.keysize;
681 }
682 
683 /* Restores NCP-negotiable options to original values */
684 static void
685 restore_ncp_options(struct context *c)
686 {
687  c->options.ciphername = c->c1.ciphername;
688  c->options.authname = c->c1.authname;
689  c->options.keysize = c->c1.keysize;
690  c->options.data_channel_use_ekm = false;
691 }
692 
693 void
694 context_init_1(struct context *c)
695 {
696  context_clear_1(c);
697 
698  packet_id_persist_init(&c->c1.pid_persist);
699 
700  init_connection_list(c);
701 
702  save_ncp_options(c);
703 
704 #if defined(ENABLE_PKCS11)
705  if (c->first_time)
706  {
707  int i;
708  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
709  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
710  {
711  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
712  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
713  }
714  }
715 #endif
716 
717 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
718  {
719  /*
720  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
721  */
722  struct user_pass up;
723  CLEAR(up);
724  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
725  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
726  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
727  * 'needok' command, usually 'ok' or 'cancel'. */
728  }
729 #endif
730 
731 #ifdef ENABLE_SYSTEMD
732  /* We can report the PID via getpid() to systemd here as OpenVPN will not
733  * do any fork due to daemon() a future call.
734  * See possibly_become_daemon() [init.c] for more details.
735  */
736  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
737  (unsigned long) getpid());
738 #endif
739 
740 }
741 
742 void
743 context_gc_free(struct context *c)
744 {
745  gc_free(&c->c2.gc);
746  gc_free(&c->options.gc);
747  gc_free(&c->gc);
748 }
749 
750 #if PORT_SHARE
751 
752 static void
753 close_port_share(void)
754 {
755  if (port_share)
756  {
757  port_share_close(port_share);
758  port_share = NULL;
759  }
760 }
761 
762 static void
763 init_port_share(struct context *c)
764 {
765  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
766  {
767  port_share = port_share_open(c->options.port_share_host,
768  c->options.port_share_port,
769  MAX_RW_SIZE_LINK(&c->c2.frame),
770  c->options.port_share_journal_dir);
771  if (port_share == NULL)
772  {
773  msg(M_FATAL, "Fatal error: Port sharing failed");
774  }
775  }
776 }
777 
778 #endif /* if PORT_SHARE */
779 
780 
781 bool
782 init_static(void)
783 {
784  /* configure_path (); */
785 
786 #if defined(DMALLOC)
787  crypto_init_dmalloc();
788 #endif
789 
790 
791  /*
792  * Initialize random number seed. random() is only used
793  * when "weak" random numbers are acceptable.
794  * SSL library routines are always used when cryptographically
795  * strong random numbers are required.
796  */
797  struct timeval tv;
798  if (!gettimeofday(&tv, NULL))
799  {
800  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
801  srandom(seed);
802  }
803 
804  error_reset(); /* initialize error.c */
805  reset_check_status(); /* initialize status check code in socket.c */
806 
807 #ifdef _WIN32
808  init_win32();
809 #endif
810 
811 #ifdef OPENVPN_DEBUG_COMMAND_LINE
812  {
813  int i;
814  for (i = 0; i < argc; ++i)
815  {
816  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
817  }
818  }
819 #endif
820 
821  update_time();
822 
823  init_ssl_lib();
824 
825  /* init PRNG used for IV generation */
826  /* When forking, copy this to more places in the code to avoid fork
827  * random-state predictability */
828  prng_init(NULL, 0);
829 
830 #ifdef PID_TEST
831  packet_id_interactive_test(); /* test the sequence number code */
832  return false;
833 #endif
834 
835 #ifdef SCHEDULE_TEST
836  schedule_test();
837  return false;
838 #endif
839 
840 #ifdef LIST_TEST
841  list_test();
842  return false;
843 #endif
844 
845 #ifdef IFCONFIG_POOL_TEST
846  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
847  return false;
848 #endif
849 
850 #ifdef CHARACTER_CLASS_DEBUG
851  character_class_debug();
852  return false;
853 #endif
854 
855 #ifdef EXTRACT_X509_FIELD_TEST
856  extract_x509_field_test();
857  return false;
858 #endif
859 
860 #ifdef TIME_TEST
861  time_test();
862  return false;
863 #endif
864 
865 #ifdef TEST_GET_DEFAULT_GATEWAY
866  {
867  struct route_gateway_info rgi;
868  struct route_ipv6_gateway_info rgi6;
869  get_default_gateway(&rgi);
870  get_default_gateway_ipv6(&rgi6, NULL);
871  print_default_gateway(M_INFO, &rgi, &rgi6);
872  return false;
873  }
874 #endif
875 
876 #ifdef GEN_PATH_TEST
877  {
878  struct gc_arena gc = gc_new();
879  const char *fn = gen_path("foo",
880  "bar",
881  &gc);
882  printf("%s\n", fn);
883  gc_free(&gc);
884  }
885  return false;
886 #endif
887 
888 #ifdef STATUS_PRINTF_TEST
889  {
890  struct gc_arena gc = gc_new();
891  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
892  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
893  status_printf(so, "%s", "foo");
894  status_printf(so, "%s", "bar");
895  if (!status_close(so))
896  {
897  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
898  }
899  gc_free(&gc);
900  }
901  return false;
902 #endif
903 
904 #ifdef PRNG_TEST
905  {
906  struct gc_arena gc = gc_new();
907  uint8_t rndbuf[8];
908  int i;
909  prng_init("sha1", 16);
910  /*prng_init (NULL, 0);*/
911  const int factor = 1;
912  for (i = 0; i < factor * 8; ++i)
913  {
914 #if 1
915  prng_bytes(rndbuf, sizeof(rndbuf));
916 #else
917  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
918 #endif
919  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
920  }
921  gc_free(&gc);
922  prng_uninit();
923  return false;
924  }
925 #endif /* ifdef PRNG_TEST */
926 
927 #ifdef BUFFER_LIST_AGGREGATE_TEST
928  /* test buffer_list_aggregate function */
929  {
930  static const char *text[] = {
931  "It was a bright cold day in April, ",
932  "and the clocks were striking ",
933  "thirteen. ",
934  "Winston Smith, ",
935  "his chin nuzzled into his breast in an ",
936  "effort to escape the vile wind, ",
937  "slipped quickly through the glass doors ",
938  "of Victory Mansions, though not quickly ",
939  "enough to prevent a swirl of gritty dust from ",
940  "entering along with him."
941  };
942 
943  int iter, listcap;
944  for (listcap = 0; listcap < 12; ++listcap)
945  {
946  for (iter = 0; iter < 512; ++iter)
947  {
948  struct buffer_list *bl = buffer_list_new(listcap);
949  {
950  int i;
951  for (i = 0; i < SIZE(text); ++i)
952  {
953  buffer_list_push(bl, (unsigned char *)text[i]);
954  }
955  }
956  printf("[cap=%d i=%d] *************************\n", listcap, iter);
957  if (!(iter & 8))
958  {
959  buffer_list_aggregate(bl, iter/2);
960  }
961  if (!(iter & 16))
962  {
963  buffer_list_push(bl, (unsigned char *)"Even more text...");
964  }
965  buffer_list_aggregate(bl, iter);
966  if (!(iter & 1))
967  {
968  buffer_list_push(bl, (unsigned char *)"More text...");
969  }
970  {
971  struct buffer *buf;
972  while ((buf = buffer_list_peek(bl)))
973  {
974  int c;
975  printf("'");
976  while ((c = buf_read_u8(buf)) >= 0)
977  {
978  putchar(c);
979  }
980  printf("'\n");
981  buffer_list_advance(bl, 0);
982  }
983  }
984  buffer_list_free(bl);
985  }
986  }
987  return false;
988  }
989 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
990 
991 #ifdef MSTATS_TEST
992  {
993  int i;
994  mstats_open("/dev/shm/mstats.dat");
995  for (i = 0; i < 30; ++i)
996  {
997  mmap_stats->n_clients += 1;
998  mmap_stats->link_write_bytes += 8;
999  mmap_stats->link_read_bytes += 16;
1000  sleep(1);
1001  }
1002  mstats_close();
1003  return false;
1004  }
1005 #endif
1006 
1007  return true;
1008 }
1009 
1010 void
1011 uninit_static(void)
1012 {
1013  free_ssl_lib();
1014 
1015 #ifdef ENABLE_PKCS11
1016  pkcs11_terminate();
1017 #endif
1018 
1019 #if PORT_SHARE
1020  close_port_share();
1021 #endif
1022 
1023 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
1024  show_tls_performance_stats();
1025 #endif
1026 }
1027 
1028 void
1029 init_verb_mute(struct context *c, unsigned int flags)
1030 {
1031  if (flags & IVM_LEVEL_1)
1032  {
1033  /* set verbosity and mute levels */
1034  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1035  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1036  set_mute_cutoff(c->options.mute);
1037  }
1038 
1039  /* special D_LOG_RW mode */
1040  if (flags & IVM_LEVEL_2)
1041  {
1042  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1043  }
1044 }
1045 
1046 /*
1047  * Possibly set --dev based on --dev-node.
1048  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1049  * set --dev to tun.
1050  */
1051 void
1052 init_options_dev(struct options *options)
1053 {
1054  if (!options->dev && options->dev_node)
1055  {
1056  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1057  options->dev = basename(dev_node);
1058  }
1059 }
1060 
1061 bool
1062 print_openssl_info(const struct options *options)
1063 {
1064  /*
1065  * OpenSSL info print mode?
1066  */
1067  if (options->show_ciphers || options->show_digests || options->show_engines
1068  || options->show_tls_ciphers || options->show_curves)
1069  {
1070  if (options->show_ciphers)
1071  {
1072  show_available_ciphers();
1073  }
1074  if (options->show_digests)
1075  {
1076  show_available_digests();
1077  }
1078  if (options->show_engines)
1079  {
1080  show_available_engines();
1081  }
1082  if (options->show_tls_ciphers)
1083  {
1084  show_available_tls_ciphers(options->cipher_list,
1085  options->cipher_list_tls13,
1086  options->tls_cert_profile);
1087  }
1088  if (options->show_curves)
1089  {
1090  show_available_curves();
1091  }
1092  return true;
1093  }
1094  return false;
1095 }
1096 
1097 /*
1098  * Static pre-shared key generation mode?
1099  */
1100 bool
1101 do_genkey(const struct options *options)
1102 {
1103  /* should we disable paging? */
1104  if (options->mlock && (options->genkey))
1105  {
1106  platform_mlockall(true);
1107  }
1108 
1109  /*
1110  * We do not want user to use --genkey with --secret. In the transistion
1111  * phase we for secret.
1112  */
1113  if (options->genkey && options->genkey_type != GENKEY_SECRET
1114  && options->shared_secret_file)
1115  {
1116  msg(M_USAGE, "Using --genkey type with --secret filename is "
1117  "not supported. Use --genkey type filename instead.");
1118  }
1119  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1120  {
1121  int nbits_written;
1122  const char *genkey_filename = options->genkey_filename;
1123  if (options->shared_secret_file && options->genkey_filename)
1124  {
1125  msg(M_USAGE, "You must provide a filename to either --genkey "
1126  "or --secret, not both");
1127  }
1128 
1129  /*
1130  * Copy filename from shared_secret_file to genkey_filename to support
1131  * the old --genkey --secret foo.file syntax.
1132  */
1133  if (options->shared_secret_file)
1134  {
1135  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1136  "DEPRECATED. Use --genkey secret filename instead.");
1137  genkey_filename = options->shared_secret_file;
1138  }
1139 
1140  nbits_written = write_key_file(2, genkey_filename);
1141  if (nbits_written < 0)
1142  {
1143  msg(M_FATAL, "Failed to write key file");
1144  }
1145 
1146  msg(D_GENKEY | M_NOPREFIX,
1147  "Randomly generated %d bit key written to %s", nbits_written,
1148  options->shared_secret_file);
1149  return true;
1150  }
1151  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1152  {
1153  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1154  return true;
1155  }
1156  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1157  {
1158  if (!options->tls_crypt_v2_file)
1159  {
1160  msg(M_USAGE,
1161  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1162  }
1163 
1164  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1165  options->genkey_extra_data, options->tls_crypt_v2_file,
1166  options->tls_crypt_v2_file_inline);
1167  return true;
1168  }
1169  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1170  {
1171  auth_token_write_server_key_file(options->genkey_filename);
1172  return true;
1173  }
1174  else
1175  {
1176  return false;
1177  }
1178 }
1179 
1180 /*
1181  * Persistent TUN/TAP device management mode?
1182  */
1183 bool
1184 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1185 {
1186  if (options->persist_config)
1187  {
1188  /* sanity check on options for --mktun or --rmtun */
1189  notnull(options->dev, "TUN/TAP device (--dev)");
1190  if (options->ce.remote || options->ifconfig_local
1191  || options->ifconfig_remote_netmask
1192  || options->shared_secret_file
1193  || options->tls_server || options->tls_client
1194  )
1195  {
1196  msg(M_FATAL|M_OPTERR,
1197  "options --mktun or --rmtun should only be used together with --dev");
1198  }
1199 #ifdef ENABLE_FEATURE_TUN_PERSIST
1200  tuncfg(options->dev, options->dev_type, options->dev_node,
1201  options->persist_mode,
1202  options->username, options->groupname, &options->tuntap_options,
1203  ctx);
1204  if (options->persist_mode && options->lladdr)
1205  {
1206  set_lladdr(options->dev, options->lladdr, NULL);
1207  }
1208  return true;
1209 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1210  msg( M_FATAL|M_OPTERR,
1211  "options --mktun and --rmtun are not available on your operating "
1212  "system. Please check 'man tun' (or 'tap'), whether your system "
1213  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1214  "persistent tunnel interfaces.", options->dev );
1215 #endif
1216  }
1217  return false;
1218 }
1219 
1220 /*
1221  * Should we become a daemon?
1222  * Return true if we did it.
1223  */
1224 bool
1225 possibly_become_daemon(const struct options *options)
1226 {
1227  bool ret = false;
1228 
1229 #ifdef ENABLE_SYSTEMD
1230  /* return without forking if we are running from systemd */
1231  if (sd_notify(0, "READY=0") > 0)
1232  {
1233  return ret;
1234  }
1235 #endif
1236 
1237  if (options->daemon)
1238  {
1239  ASSERT(!options->inetd);
1240  /* Don't chdir immediately, but the end of the init sequence, if needed */
1241 
1242 #if defined(__APPLE__) && defined(__clang__)
1243 #pragma clang diagnostic push
1244 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1245 #endif
1246  if (daemon(1, options->log) < 0)
1247  {
1248  msg(M_ERR, "daemon() failed or unsupported");
1249  }
1250 #if defined(__APPLE__) && defined(__clang__)
1251 #pragma clang diagnostic pop
1252 #endif
1253  restore_signal_state();
1254  if (options->log)
1255  {
1256  set_std_files_to_null(true);
1257  }
1258 
1259  ret = true;
1260  }
1261  return ret;
1262 }
1263 
1264 /*
1265  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1266  */
1267 static void
1268 do_uid_gid_chroot(struct context *c, bool no_delay)
1269 {
1270  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1271  struct context_0 *c0 = c->c0;
1272 
1273  if (c0 && !c0->uid_gid_chroot_set)
1274  {
1275  /* chroot if requested */
1276  if (c->options.chroot_dir)
1277  {
1278  if (no_delay)
1279  {
1280  platform_chroot(c->options.chroot_dir);
1281  }
1282  else if (c->first_time)
1283  {
1284  msg(M_INFO, "NOTE: chroot %s", why_not);
1285  }
1286  }
1287 
1288  /* set user and/or group if we want to setuid/setgid */
1289  if (c0->uid_gid_specified)
1290  {
1291  if (no_delay)
1292  {
1293  platform_group_set(&c0->platform_state_group);
1294  platform_user_set(&c0->platform_state_user);
1295  }
1296  else if (c->first_time)
1297  {
1298  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1299  }
1300  }
1301 
1302 #ifdef ENABLE_MEMSTATS
1303  if (c->first_time && c->options.memstats_fn)
1304  {
1305  mstats_open(c->options.memstats_fn);
1306  }
1307 #endif
1308 
1309 #ifdef ENABLE_SELINUX
1310  /* Apply a SELinux context in order to restrict what OpenVPN can do
1311  * to _only_ what it is supposed to do after initialization is complete
1312  * (basically just network I/O operations). Doing it after chroot
1313  * requires /proc to be mounted in the chroot (which is annoying indeed
1314  * but doing it before requires more complex SELinux policies.
1315  */
1316  if (c->options.selinux_context)
1317  {
1318  if (no_delay)
1319  {
1320  if (-1 == setcon(c->options.selinux_context))
1321  {
1322  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1323  }
1324  else
1325  {
1326  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1327  }
1328  }
1329  else if (c->first_time)
1330  {
1331  msg(M_INFO, "NOTE: setcon %s", why_not);
1332  }
1333  }
1334 #endif
1335 
1336  /* Privileges are going to be dropped by now (if requested), be sure
1337  * to prevent any future privilege dropping attempts from now on.
1338  */
1339  if (no_delay)
1340  {
1341  c0->uid_gid_chroot_set = true;
1342  }
1343  }
1344 }
1345 
1346 /*
1347  * Return common name in a way that is formatted for
1348  * prepending to msg() output.
1349  */
1350 const char *
1351 format_common_name(struct context *c, struct gc_arena *gc)
1352 {
1353  struct buffer out = alloc_buf_gc(256, gc);
1354  if (c->c2.tls_multi)
1355  {
1356  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1357  }
1358  return BSTR(&out);
1359 }
1360 
1361 void
1362 pre_setup(const struct options *options)
1363 {
1364 #ifdef _WIN32
1365  if (options->exit_event_name)
1366  {
1367  win32_signal_open(&win32_signal,
1368  WSO_FORCE_SERVICE,
1369  options->exit_event_name,
1370  options->exit_event_initial_state);
1371  }
1372  else
1373  {
1374  win32_signal_open(&win32_signal,
1375  WSO_FORCE_CONSOLE,
1376  NULL,
1377  false);
1378 
1379  /* put a title on the top window bar */
1380  if (win32_signal.mode == WSO_MODE_CONSOLE)
1381  {
1382  window_title_save(&window_title);
1383  window_title_generate(options->config);
1384  }
1385  }
1386 #endif /* ifdef _WIN32 */
1387 }
1388 
1389 void
1390 reset_coarse_timers(struct context *c)
1391 {
1392  c->c2.coarse_timer_wakeup = 0;
1393 }
1394 
1395 /*
1396  * Initialise the server poll timeout timer
1397  * This timer is used in the http/socks proxy setup so it needs to be setup
1398  * before
1399  */
1400 static void
1401 do_init_server_poll_timeout(struct context *c)
1402 {
1403  update_time();
1404  if (c->options.ce.connect_timeout)
1405  {
1406  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1407  }
1408 }
1409 
1410 /*
1411  * Initialize timers
1412  */
1413 static void
1414 do_init_timers(struct context *c, bool deferred)
1415 {
1416  update_time();
1417  reset_coarse_timers(c);
1418 
1419  /* initialize inactivity timeout */
1420  if (c->options.inactivity_timeout)
1421  {
1422  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1423  }
1424 
1425  /* initialize pings */
1426 
1427  if (c->options.ping_send_timeout)
1428  {
1429  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1430  }
1431 
1432  if (c->options.ping_rec_timeout)
1433  {
1434  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1435  }
1436 
1437  if (!deferred)
1438  {
1439  /* initialize connection establishment timer */
1440  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1441 
1442  /* initialize occ timers */
1443 
1444  if (c->options.occ
1445  && !TLS_MODE(c)
1446  && c->c2.options_string_local && c->c2.options_string_remote)
1447  {
1448  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1449  }
1450 
1451  if (c->options.mtu_test)
1452  {
1453  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1454  }
1455 
1456  /* initialize packet_id persistence timer */
1457  if (c->options.packet_id_file)
1458  {
1459  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1460  }
1461 
1462  /* initialize tmp_int optimization that limits the number of times we call
1463  * tls_multi_process in the main event loop */
1464  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1465  }
1466 }
1467 
1468 /*
1469  * Initialize traffic shaper.
1470  */
1471 static void
1472 do_init_traffic_shaper(struct context *c)
1473 {
1474 #ifdef ENABLE_FEATURE_SHAPER
1475  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1476  if (c->options.shaper)
1477  {
1478  shaper_init(&c->c2.shaper, c->options.shaper);
1479  shaper_msg(&c->c2.shaper);
1480  }
1481 #endif
1482 }
1483 
1484 /*
1485  * Allocate route list structures for IPv4 and IPv6
1486  * (we do this for IPv4 even if no --route option has been seen, as other
1487  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1488  */
1489 static void
1490 do_alloc_route_list(struct context *c)
1491 {
1492  if (!c->c1.route_list)
1493  {
1494  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1495  }
1496  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1497  {
1498  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1499  }
1500 }
1501 
1502 
1503 /*
1504  * Initialize the route list, resolving any DNS names in route
1505  * options and saving routes in the environment.
1506  */
1507 static void
1508 do_init_route_list(const struct options *options,
1509  struct route_list *route_list,
1510  const struct link_socket_info *link_socket_info,
1511  struct env_set *es,
1512  openvpn_net_ctx_t *ctx)
1513 {
1514  const char *gw = NULL;
1515  int dev = dev_type_enum(options->dev, options->dev_type);
1516  int metric = 0;
1517 
1518  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1519  {
1520  gw = options->ifconfig_remote_netmask;
1521  }
1522  if (options->route_default_gateway)
1523  {
1524  gw = options->route_default_gateway;
1525  }
1526  if (options->route_default_metric)
1527  {
1528  metric = options->route_default_metric;
1529  }
1530 
1531  if (init_route_list(route_list,
1532  options->routes,
1533  gw,
1534  metric,
1535  link_socket_current_remote(link_socket_info),
1536  es,
1537  ctx))
1538  {
1539  /* copy routes to environment */
1540  setenv_routes(es, route_list);
1541  }
1542 }
1543 
1544 static void
1545 do_init_route_ipv6_list(const struct options *options,
1546  struct route_ipv6_list *route_ipv6_list,
1547  const struct link_socket_info *link_socket_info,
1548  struct env_set *es,
1549  openvpn_net_ctx_t *ctx)
1550 {
1551  const char *gw = NULL;
1552  int metric = -1; /* no metric set */
1553 
1554  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1555  if (options->route_ipv6_default_gateway)
1556  {
1557  gw = options->route_ipv6_default_gateway;
1558  }
1559 
1560  if (options->route_default_metric)
1561  {
1562  metric = options->route_default_metric;
1563  }
1564 
1565  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1566  */
1567  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1568  {
1569  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1570  int i;
1571 
1572  for (i = 0; opt_list[i]; i++)
1573  {
1574  add_route_ipv6_to_option_list( options->routes_ipv6,
1575  string_alloc(opt_list[i], options->routes_ipv6->gc),
1576  NULL, NULL );
1577  }
1578  }
1579 
1580  if (init_route_ipv6_list(route_ipv6_list,
1581  options->routes_ipv6,
1582  gw,
1583  metric,
1584  link_socket_current_remote_ipv6(link_socket_info),
1585  es,
1586  ctx))
1587  {
1588  /* copy routes to environment */
1589  setenv_routes_ipv6(es, route_ipv6_list);
1590  }
1591 }
1592 
1593 
1594 /*
1595  * Called after all initialization has been completed.
1596  */
1597 void
1598 initialization_sequence_completed(struct context *c, const unsigned int flags)
1599 {
1600  static const char message[] = "Initialization Sequence Completed";
1601 
1602  /* Reset the unsuccessful connection counter on complete initialisation */
1603  c->options.unsuccessful_attempts = 0;
1604 
1605  /* If we delayed UID/GID downgrade or chroot, do it now */
1606  do_uid_gid_chroot(c, true);
1607 
1608 
1609  /*
1610  * In some cases (i.e. when receiving auth-token via
1611  * push-reply) the auth-nocache option configured on the
1612  * client is overridden; for this reason we have to wait
1613  * for the push-reply message before attempting to wipe
1614  * the user/pass entered by the user
1615  */
1616  if (c->options.mode == MODE_POINT_TO_POINT)
1617  {
1618  delayed_auth_pass_purge();
1619  }
1620 
1621  /* Test if errors */
1622  if (flags & ISC_ERRORS)
1623  {
1624 #ifdef _WIN32
1625  show_routes(M_INFO|M_NOPREFIX);
1626  show_adapters(M_INFO|M_NOPREFIX);
1627  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1628 #else
1629 #ifdef ENABLE_SYSTEMD
1630  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1631 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1632  msg(M_INFO, "%s With Errors", message);
1633 #endif
1634  }
1635  else
1636  {
1637 #ifdef ENABLE_SYSTEMD
1638  sd_notifyf(0, "STATUS=%s", message);
1639 #endif
1640  msg(M_INFO, "%s", message);
1641  }
1642 
1643  /* Flag that we initialized */
1644  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1645  {
1646  c->options.no_advance = true;
1647  }
1648 
1649 #ifdef _WIN32
1650  fork_register_dns_action(c->c1.tuntap);
1651 #endif
1652 
1653 #ifdef ENABLE_MANAGEMENT
1654  /* Tell management interface that we initialized */
1655  if (management)
1656  {
1657  in_addr_t *tun_local = NULL;
1658  struct in6_addr *tun_local6 = NULL;
1659  struct openvpn_sockaddr local, remote;
1660  struct link_socket_actual *actual;
1661  socklen_t sa_len = sizeof(local);
1662  const char *detail = "SUCCESS";
1663  if (flags & ISC_ERRORS)
1664  {
1665  detail = "ERROR";
1666  }
1667 
1668  CLEAR(local);
1669  actual = &get_link_socket_info(c)->lsa->actual;
1670  remote = actual->dest;
1671  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1672 #if ENABLE_IP_PKTINFO
1673  if (!addr_defined(&local))
1674  {
1675  switch (local.addr.sa.sa_family)
1676  {
1677  case AF_INET:
1678 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1679  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1680 #else
1681  local.addr.in4.sin_addr = actual->pi.in4;
1682 #endif
1683  break;
1684 
1685  case AF_INET6:
1686  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1687  break;
1688  }
1689  }
1690 #endif
1691 
1692  if (c->c1.tuntap)
1693  {
1694  tun_local = &c->c1.tuntap->local;
1695  tun_local6 = &c->c1.tuntap->local_ipv6;
1696  }
1697  management_set_state(management,
1698  OPENVPN_STATE_CONNECTED,
1699  detail,
1700  tun_local,
1701  tun_local6,
1702  &local,
1703  &remote);
1704  if (tun_local)
1705  {
1706  management_post_tunnel_open(management, *tun_local);
1707  }
1708  }
1709 #endif /* ifdef ENABLE_MANAGEMENT */
1710 }
1711 
1712 /*
1713  * Possibly add routes and/or call route-up script
1714  * based on options.
1715  */
1716 void
1717 do_route(const struct options *options,
1718  struct route_list *route_list,
1719  struct route_ipv6_list *route_ipv6_list,
1720  const struct tuntap *tt,
1721  const struct plugin_list *plugins,
1722  struct env_set *es,
1723  openvpn_net_ctx_t *ctx)
1724 {
1725  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1726  {
1727  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1728  es, ctx);
1729  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1730  }
1731 #ifdef ENABLE_MANAGEMENT
1732  if (management)
1733  {
1734  management_up_down(management, "UP", es);
1735  }
1736 #endif
1737 
1738  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1739  {
1740  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1741  {
1742  msg(M_WARN, "WARNING: route-up plugin call failed");
1743  }
1744  }
1745 
1746  if (options->route_script)
1747  {
1748  struct argv argv = argv_new();
1749  setenv_str(es, "script_type", "route-up");
1750  argv_parse_cmd(&argv, options->route_script);
1751  openvpn_run_script(&argv, es, 0, "--route-up");
1752  argv_free(&argv);
1753  }
1754 
1755 #ifdef _WIN32
1756  if (options->show_net_up)
1757  {
1758  show_routes(M_INFO|M_NOPREFIX);
1759  show_adapters(M_INFO|M_NOPREFIX);
1760  }
1761  else if (check_debug_level(D_SHOW_NET))
1762  {
1763  show_routes(D_SHOW_NET|M_NOPREFIX);
1764  show_adapters(D_SHOW_NET|M_NOPREFIX);
1765  }
1766 #endif
1767 }
1768 
1769 /*
1770  * initialize tun/tap device object
1771  */
1772 static void
1773 do_init_tun(struct context *c)
1774 {
1775  c->c1.tuntap = init_tun(c->options.dev,
1776  c->options.dev_type,
1777  c->options.topology,
1778  c->options.ifconfig_local,
1779  c->options.ifconfig_remote_netmask,
1780  c->options.ifconfig_ipv6_local,
1781  c->options.ifconfig_ipv6_netbits,
1782  c->options.ifconfig_ipv6_remote,
1783  c->c1.link_socket_addr.bind_local,
1784  c->c1.link_socket_addr.remote_list,
1785  !c->options.ifconfig_nowarn,
1786  c->c2.es,
1787  &c->net_ctx);
1788 
1789 #ifdef _WIN32
1790  c->c1.tuntap->windows_driver = c->options.windows_driver;
1791 #endif
1792 
1793  init_tun_post(c->c1.tuntap,
1794  &c->c2.frame,
1795  &c->options.tuntap_options);
1796 
1797  c->c1.tuntap_owned = true;
1798 }
1799 
1800 /*
1801  * Open tun/tap device, ifconfig, call up script, etc.
1802  */
1803 
1804 static bool
1805 do_open_tun(struct context *c)
1806 {
1807  struct gc_arena gc = gc_new();
1808  bool ret = false;
1809 
1810 #ifndef TARGET_ANDROID
1811  if (!c->c1.tuntap)
1812  {
1813 #endif
1814 
1815 #ifdef TARGET_ANDROID
1816  /* If we emulate persist-tun on android we still have to open a new tun and
1817  * then close the old */
1818  int oldtunfd = -1;
1819  if (c->c1.tuntap)
1820  {
1821  oldtunfd = c->c1.tuntap->fd;
1822  free(c->c1.tuntap);
1823  c->c1.tuntap = NULL;
1824  c->c1.tuntap_owned = false;
1825  }
1826 #endif
1827 
1828  /* initialize (but do not open) tun/tap object */
1829  do_init_tun(c);
1830 
1831 #ifdef _WIN32
1832  /* store (hide) interactive service handle in tuntap_options */
1833  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1834  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1835 #endif
1836 
1837  /* allocate route list structure */
1838  do_alloc_route_list(c);
1839 
1840  /* parse and resolve the route option list */
1841  ASSERT(c->c2.link_socket);
1842  if (c->options.routes && c->c1.route_list)
1843  {
1844  do_init_route_list(&c->options, c->c1.route_list,
1845  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1846  }
1847  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1848  {
1849  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1850  &c->c2.link_socket->info, c->c2.es,
1851  &c->net_ctx);
1852  }
1853 
1854  /* do ifconfig */
1855  if (!c->options.ifconfig_noexec
1856  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1857  {
1858  /* guess actual tun/tap unit number that will be returned
1859  * by open_tun */
1860  const char *guess = guess_tuntap_dev(c->options.dev,
1861  c->options.dev_type,
1862  c->options.dev_node,
1863  &gc);
1864  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1865  &c->net_ctx);
1866  }
1867 
1868  /* possibly add routes */
1869  if (route_order() == ROUTE_BEFORE_TUN)
1870  {
1871  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1872  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1873  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1874  }
1875 #ifdef TARGET_ANDROID
1876  /* Store the old fd inside the fd so open_tun can use it */
1877  c->c1.tuntap->fd = oldtunfd;
1878 #endif
1879  /* open the tun device */
1880  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1881  c->c1.tuntap);
1882 
1883  /* set the hardware address */
1884  if (c->options.lladdr)
1885  {
1886  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1887  }
1888 
1889  /* do ifconfig */
1890  if (!c->options.ifconfig_noexec
1891  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1892  {
1893  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1894  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1895  }
1896 
1897  /* run the up script */
1898  run_up_down(c->options.up_script,
1899  c->plugins,
1900  OPENVPN_PLUGIN_UP,
1901  c->c1.tuntap->actual_name,
1902 #ifdef _WIN32
1903  c->c1.tuntap->adapter_index,
1904 #endif
1905  dev_type_string(c->options.dev, c->options.dev_type),
1906  TUN_MTU_SIZE(&c->c2.frame),
1907  EXPANDED_SIZE(&c->c2.frame),
1908  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1909  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1910  "init",
1911  NULL,
1912  "up",
1913  c->c2.es);
1914 
1915 #if defined(_WIN32)
1916  if (c->options.block_outside_dns)
1917  {
1918  dmsg(D_LOW, "Blocking outside DNS");
1919  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1920  {
1921  msg(M_FATAL, "Blocking DNS failed!");
1922  }
1923  }
1924 #endif
1925 
1926  /* possibly add routes */
1927  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1928  {
1929  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1930  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1931  }
1932 
1933  /*
1934  * Did tun/tap driver give us an MTU?
1935  */
1936  if (c->c1.tuntap->post_open_mtu)
1937  {
1938  frame_set_mtu_dynamic(&c->c2.frame,
1939  c->c1.tuntap->post_open_mtu,
1940  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1941  }
1942 
1943  ret = true;
1944  static_context = c;
1945 #ifndef TARGET_ANDROID
1946 }
1947 else
1948 {
1949  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1950  c->c1.tuntap->actual_name);
1951 
1952  /* explicitly set the ifconfig_* env vars */
1953  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1954 
1955  /* run the up script if user specified --up-restart */
1956  if (c->options.up_restart)
1957  {
1958  run_up_down(c->options.up_script,
1959  c->plugins,
1960  OPENVPN_PLUGIN_UP,
1961  c->c1.tuntap->actual_name,
1962 #ifdef _WIN32
1963  c->c1.tuntap->adapter_index,
1964 #endif
1965  dev_type_string(c->options.dev, c->options.dev_type),
1966  TUN_MTU_SIZE(&c->c2.frame),
1967  EXPANDED_SIZE(&c->c2.frame),
1968  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1969  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1970  "restart",
1971  NULL,
1972  "up",
1973  c->c2.es);
1974  }
1975 #if defined(_WIN32)
1976  if (c->options.block_outside_dns)
1977  {
1978  dmsg(D_LOW, "Blocking outside DNS");
1979  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1980  {
1981  msg(M_FATAL, "Blocking DNS failed!");
1982  }
1983  }
1984 #endif
1985 
1986 }
1987 #endif /* ifndef TARGET_ANDROID */
1988  gc_free(&gc);
1989  return ret;
1990 }
1991 
1992 /*
1993  * Close TUN/TAP device
1994  */
1995 
1996 static void
1997 do_close_tun_simple(struct context *c)
1998 {
1999  msg(D_CLOSE, "Closing TUN/TAP interface");
2000  if (c->c1.tuntap)
2001  {
2002  close_tun(c->c1.tuntap, &c->net_ctx);
2003  c->c1.tuntap = NULL;
2004  }
2005  c->c1.tuntap_owned = false;
2006 #if P2MP
2007  CLEAR(c->c1.pulled_options_digest_save);
2008 #endif
2009 }
2010 
2011 static void
2012 do_close_tun(struct context *c, bool force)
2013 {
2014  struct gc_arena gc = gc_new();
2015  if (c->c1.tuntap && c->c1.tuntap_owned)
2016  {
2017  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2018 #ifdef _WIN32
2019  DWORD adapter_index = c->c1.tuntap->adapter_index;
2020 #endif
2021  const in_addr_t local = c->c1.tuntap->local;
2022  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2023 
2024  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2025  {
2026  static_context = NULL;
2027 
2028 #ifdef ENABLE_MANAGEMENT
2029  /* tell management layer we are about to close the TUN/TAP device */
2030  if (management)
2031  {
2032  management_pre_tunnel_close(management);
2033  management_up_down(management, "DOWN", c->c2.es);
2034  }
2035 #endif
2036 
2037  /* delete any routes we added */
2038  if (c->c1.route_list || c->c1.route_ipv6_list)
2039  {
2040  run_up_down(c->options.route_predown_script,
2041  c->plugins,
2042  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2043  tuntap_actual,
2044 #ifdef _WIN32
2045  adapter_index,
2046 #endif
2047  NULL,
2048  TUN_MTU_SIZE(&c->c2.frame),
2049  EXPANDED_SIZE(&c->c2.frame),
2050  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2051  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2052  "init",
2053  signal_description(c->sig->signal_received,
2054  c->sig->signal_text),
2055  "route-pre-down",
2056  c->c2.es);
2057 
2058  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2059  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2060  c->c2.es, &c->net_ctx);
2061  }
2062 
2063  /* actually close tun/tap device based on --down-pre flag */
2064  if (!c->options.down_pre)
2065  {
2066  do_close_tun_simple(c);
2067  }
2068 
2069  /* Run the down script -- note that it will run at reduced
2070  * privilege if, for example, "--user nobody" was used. */
2071  run_up_down(c->options.down_script,
2072  c->plugins,
2073  OPENVPN_PLUGIN_DOWN,
2074  tuntap_actual,
2075 #ifdef _WIN32
2076  adapter_index,
2077 #endif
2078  NULL,
2079  TUN_MTU_SIZE(&c->c2.frame),
2080  EXPANDED_SIZE(&c->c2.frame),
2081  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2082  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2083  "init",
2084  signal_description(c->sig->signal_received,
2085  c->sig->signal_text),
2086  "down",
2087  c->c2.es);
2088 
2089 #if defined(_WIN32)
2090  if (c->options.block_outside_dns)
2091  {
2092  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2093  {
2094  msg(M_FATAL, "Uninitialising WFP failed!");
2095  }
2096  }
2097 #endif
2098 
2099  /* actually close tun/tap device based on --down-pre flag */
2100  if (c->options.down_pre)
2101  {
2102  do_close_tun_simple(c);
2103  }
2104  }
2105  else
2106  {
2107  /* run the down script on this restart if --up-restart was specified */
2108  if (c->options.up_restart)
2109  {
2110  run_up_down(c->options.down_script,
2111  c->plugins,
2112  OPENVPN_PLUGIN_DOWN,
2113  tuntap_actual,
2114 #ifdef _WIN32
2115  adapter_index,
2116 #endif
2117  NULL,
2118  TUN_MTU_SIZE(&c->c2.frame),
2119  EXPANDED_SIZE(&c->c2.frame),
2120  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2121  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2122  "restart",
2123  signal_description(c->sig->signal_received,
2124  c->sig->signal_text),
2125  "down",
2126  c->c2.es);
2127  }
2128 
2129 #if defined(_WIN32)
2130  if (c->options.block_outside_dns)
2131  {
2132  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2133  {
2134  msg(M_FATAL, "Uninitialising WFP failed!");
2135  }
2136  }
2137 #endif
2138 
2139  }
2140  }
2141  gc_free(&gc);
2142 }
2143 
2144 void
2145 tun_abort(void)
2146 {
2147  struct context *c = static_context;
2148  if (c)
2149  {
2150  static_context = NULL;
2151  do_close_tun(c, true);
2152  }
2153 }
2154 
2155 /*
2156  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2157  */
2158 
2159 #if P2MP
2160 
2164 static bool
2165 options_hash_changed_or_zero(const struct sha256_digest *a,
2166  const struct sha256_digest *b)
2167 {
2168  const struct sha256_digest zero = {{0}};
2169  return memcmp(a, b, sizeof(struct sha256_digest))
2170  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2171 }
2172 #endif /* P2MP */
2173 
2174 bool
2175 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2176 {
2177  if (!c->c2.do_up_ran)
2178  {
2179  reset_coarse_timers(c);
2180 
2181  if (pulled_options)
2182  {
2183  if (!do_deferred_options(c, option_types_found))
2184  {
2185  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2186  return false;
2187  }
2188  }
2189 
2190  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2191  if (c->options.up_delay || PULL_DEFINED(&c->options))
2192  {
2193  c->c2.did_open_tun = do_open_tun(c);
2194  update_time();
2195 
2196 #if P2MP
2197  /*
2198  * Was tun interface object persisted from previous restart iteration,
2199  * and if so did pulled options string change from previous iteration?
2200  */
2201  if (!c->c2.did_open_tun
2202  && PULL_DEFINED(&c->options)
2203  && c->c1.tuntap
2204  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2205  &c->c2.pulled_options_digest))
2206  {
2207  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2208  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2209  do_close_tun(c, true);
2210  management_sleep(1);
2211  c->c2.did_open_tun = do_open_tun(c);
2212  update_time();
2213  }
2214 #endif
2215  }
2216 
2217  if (c->c2.did_open_tun)
2218  {
2219 #if P2MP
2220  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2221 #endif
2222 
2223  /* if --route-delay was specified, start timer */
2224  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2225  {
2226  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2227  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2228  if (c->c1.tuntap)
2229  {
2230  tun_standby_init(c->c1.tuntap);
2231  }
2232  }
2233  else
2234  {
2235  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2236  }
2237  }
2238  else if (c->options.mode == MODE_POINT_TO_POINT)
2239  {
2240  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2241  }
2242 
2243  c->c2.do_up_ran = true;
2244  }
2245  return true;
2246 }
2247 
2248 /*
2249  * These are the option categories which will be accepted by pull.
2250  */
2251 unsigned int
2252 pull_permission_mask(const struct context *c)
2253 {
2254  unsigned int flags =
2255  OPT_P_UP
2256  | OPT_P_ROUTE_EXTRAS
2257  | OPT_P_SOCKBUF
2258  | OPT_P_SOCKFLAGS
2259  | OPT_P_SETENV
2260  | OPT_P_SHAPER
2261  | OPT_P_TIMER
2262  | OPT_P_COMP
2263  | OPT_P_PERSIST
2264  | OPT_P_MESSAGES
2265  | OPT_P_EXPLICIT_NOTIFY
2266  | OPT_P_ECHO
2267  | OPT_P_PULL_MODE
2268  | OPT_P_PEER_ID;
2269 
2270  if (!c->options.route_nopull)
2271  {
2272  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2273  }
2274 
2275  if (c->options.ncp_enabled)
2276  {
2277  flags |= OPT_P_NCP;
2278  }
2279 
2280  return flags;
2281 }
2282 
2283 /*
2284  * Handle non-tun-related pulled options.
2285  */
2286 bool
2287 do_deferred_options(struct context *c, const unsigned int found)
2288 {
2289  if (found & OPT_P_MESSAGES)
2290  {
2291  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2292  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2293  }
2294  if (found & OPT_P_TIMER)
2295  {
2296  do_init_timers(c, true);
2297  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2298  }
2299 
2300  if (found & OPT_P_EXPLICIT_NOTIFY)
2301  {
2302  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2303  {
2304  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2305  c->options.ce.explicit_exit_notification = 0;
2306  }
2307  else
2308  {
2309  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2310  }
2311  }
2312 
2313 #ifdef USE_COMP
2314  if (found & OPT_P_COMP)
2315  {
2316  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2317  comp_uninit(c->c2.comp_context);
2318  c->c2.comp_context = comp_init(&c->options.comp);
2319  }
2320 #endif
2321 
2322  if (found & OPT_P_SHAPER)
2323  {
2324  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2325  do_init_traffic_shaper(c);
2326  }
2327 
2328  if (found & OPT_P_SOCKBUF)
2329  {
2330  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2331  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2332  }
2333 
2334  if (found & OPT_P_SOCKFLAGS)
2335  {
2336  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2337  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2338  }
2339 
2340  if (found & OPT_P_PERSIST)
2341  {
2342  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2343  }
2344  if (found & OPT_P_UP)
2345  {
2346  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2347  }
2348  if (found & OPT_P_ROUTE)
2349  {
2350  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2351  }
2352  if (found & OPT_P_ROUTE_EXTRAS)
2353  {
2354  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2355  }
2356  if (found & OPT_P_IPWIN32)
2357  {
2358  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2359  }
2360  if (found & OPT_P_SETENV)
2361  {
2362  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2363  }
2364 
2365  if (found & OPT_P_PEER_ID)
2366  {
2367  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2368  c->c2.tls_multi->use_peer_id = true;
2369  c->c2.tls_multi->peer_id = c->options.peer_id;
2370  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2371  if (!c->options.ce.link_mtu_defined)
2372  {
2373  frame_add_to_link_mtu(&c->c2.frame, +3);
2374  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2375  EXPANDED_SIZE(&c->c2.frame));
2376  }
2377  else
2378  {
2379  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2380  " fixed by config - reducing tun-mtu to %d, expect"
2381  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2382  }
2383  }
2384 
2385  /* process (potentially pushed) crypto options */
2386  if (c->options.pull)
2387  {
2388  if (!check_pull_client_ncp(c, found))
2389  {
2390  return false;
2391  }
2392  struct frame *frame_fragment = NULL;
2393 #ifdef ENABLE_FRAGMENT
2394  if (c->options.ce.fragment)
2395  {
2396  frame_fragment = &c->c2.frame_fragment;
2397  }
2398 #endif
2399 
2400  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2401  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2402  frame_fragment))
2403  {
2404  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2405  return false;
2406  }
2407  }
2408 
2409  return true;
2410 }
2411 
2412 /*
2413  * Possible hold on initialization, holdtime is the
2414  * time OpenVPN would wait without management
2415  */
2416 static bool
2417 do_hold(int holdtime)
2418 {
2419 #ifdef ENABLE_MANAGEMENT
2420  if (management)
2421  {
2422  /* block until management hold is released */
2423  if (management_hold(management, holdtime))
2424  {
2425  return true;
2426  }
2427  }
2428 #endif
2429  return false;
2430 }
2431 
2432 /*
2433  * Sleep before restart.
2434  */
2435 static void
2436 socket_restart_pause(struct context *c)
2437 {
2438  int sec = 2;
2439  int backoff = 0;
2440 
2441  switch (c->options.ce.proto)
2442  {
2443  case PROTO_TCP_SERVER:
2444  sec = 1;
2445  break;
2446 
2447  case PROTO_UDP:
2448  case PROTO_TCP_CLIENT:
2449  sec = c->options.ce.connect_retry_seconds;
2450  break;
2451  }
2452 
2453 #ifdef ENABLE_DEBUG
2454  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2455  {
2456  sec = 0;
2457  }
2458 #endif
2459 
2460 #if P2MP
2461  if (auth_retry_get() == AR_NOINTERACT)
2462  {
2463  sec = 10;
2464  }
2465 #endif
2466 
2467  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2468  if (c->options.ce.proto != PROTO_TCP_SERVER)
2469  {
2470  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2471  if (backoff > 0)
2472  {
2473  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2474  sec = max_int(sec, 1) << min_int(backoff, 15);
2475  }
2476 
2477  if (sec > c->options.ce.connect_retry_seconds_max)
2478  {
2479  sec = c->options.ce.connect_retry_seconds_max;
2480  }
2481  }
2482 
2483  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2484  {
2485  sec = c->persist.restart_sleep_seconds;
2486  }
2487  else if (c->persist.restart_sleep_seconds == -1)
2488  {
2489  sec = 0;
2490  }
2491  c->persist.restart_sleep_seconds = 0;
2492 
2493  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2494  if (do_hold(sec))
2495  {
2496  sec = 0;
2497  }
2498 
2499  if (sec)
2500  {
2501  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2502  management_sleep(sec);
2503  }
2504 }
2505 
2506 /*
2507  * Do a possible pause on context_2 initialization.
2508  */
2509 static void
2510 do_startup_pause(struct context *c)
2511 {
2512  if (!c->first_time)
2513  {
2514  socket_restart_pause(c);
2515  }
2516  else
2517  {
2518  do_hold(0); /* do management hold on first context initialization */
2519  }
2520 }
2521 
2522 /*
2523  * Finalize MTU parameters based on command line or config file options.
2524  */
2525 static void
2526 frame_finalize_options(struct context *c, const struct options *o)
2527 {
2528  if (!o)
2529  {
2530  o = &c->options;
2531  }
2532 
2533  /*
2534  * Set adjustment factor for buffer alignment when no
2535  * cipher is used.
2536  */
2537  if (!CIPHER_ENABLED(c))
2538  {
2539  frame_align_to_extra_frame(&c->c2.frame);
2540  frame_or_align_flags(&c->c2.frame,
2541  FRAME_HEADROOM_MARKER_FRAGMENT
2542  |FRAME_HEADROOM_MARKER_READ_LINK
2543  |FRAME_HEADROOM_MARKER_READ_STREAM);
2544  }
2545 
2546  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2547  frame_finalize(&c->c2.frame,
2548  o->ce.link_mtu_defined,
2549  o->ce.link_mtu,
2550  o->ce.tun_mtu_defined,
2551  o->ce.tun_mtu);
2552 }
2553 
2554 /*
2555  * Free a key schedule, including OpenSSL components.
2556  */
2557 static void
2558 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2559 {
2560  free_key_ctx_bi(&ks->static_key);
2561  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2562  {
2563  tls_ctx_free(&ks->ssl_ctx);
2564  free_key_ctx(&ks->tls_crypt_v2_server_key);
2565  }
2566  CLEAR(*ks);
2567 }
2568 
2569 static void
2570 init_crypto_pre(struct context *c, const unsigned int flags)
2571 {
2572  if (c->options.engine)
2573  {
2574  crypto_init_lib_engine(c->options.engine);
2575  }
2576 
2577  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2578  {
2579  /* load a persisted packet-id for cross-session replay-protection */
2580  if (c->options.packet_id_file)
2581  {
2582  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2583  }
2584  }
2585 
2586 #ifdef ENABLE_PREDICTION_RESISTANCE
2587  if (c->options.use_prediction_resistance)
2588  {
2589  rand_ctx_enable_prediction_resistance();
2590  }
2591 #endif
2592 }
2593 
2594 /*
2595  * Static Key Mode (using a pre-shared key)
2596  */
2597 static void
2598 do_init_crypto_static(struct context *c, const unsigned int flags)
2599 {
2600  const struct options *options = &c->options;
2601  ASSERT(options->shared_secret_file);
2602 
2603  init_crypto_pre(c, flags);
2604 
2605  /* Initialize flags */
2606  if (c->options.mute_replay_warnings)
2607  {
2608  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2609  }
2610 
2611  /* Initialize packet ID tracking */
2612  if (options->replay)
2613  {
2614  packet_id_init(&c->c2.crypto_options.packet_id,
2615  options->replay_window,
2616  options->replay_time,
2617  "STATIC", 0);
2618  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2619  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2620  packet_id_persist_load_obj(&c->c1.pid_persist,
2621  &c->c2.crypto_options.packet_id);
2622  }
2623 
2624  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2625  {
2626  /* Get cipher & hash algorithms */
2627  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2628  options->keysize, options->test_crypto, true);
2629 
2630  /* Read cipher and hmac keys from shared secret file */
2631  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2632  options->shared_secret_file,
2633  options->shared_secret_file_inline,
2634  options->key_direction, "Static Key Encryption",
2635  "secret");
2636  }
2637  else
2638  {
2639  msg(M_INFO, "Re-using pre-shared static key");
2640  }
2641 
2642  /* Get key schedule */
2643  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2644 
2645  /* Compute MTU parameters */
2646  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2647  options->replay, true);
2648 
2649  /* Sanity check on sequence number, and cipher mode options */
2650  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2651 }
2652 
2653 /*
2654  * Initialize the tls-auth/crypt key context
2655  */
2656 static void
2657 do_init_tls_wrap_key(struct context *c)
2658 {
2659  const struct options *options = &c->options;
2660 
2661  /* TLS handshake authentication (--tls-auth) */
2662  if (options->ce.tls_auth_file)
2663  {
2664  /* Initialize key_type for tls-auth with auth only */
2665  CLEAR(c->c1.ks.tls_auth_key_type);
2666  if (!streq(options->authname, "none"))
2667  {
2668  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2669  c->c1.ks.tls_auth_key_type.hmac_length =
2670  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2671  }
2672  else
2673  {
2674  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2675  "algorithm specified ('%s')", options->authname);
2676  }
2677 
2678  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2679  &c->c1.ks.tls_wrap_key,
2680  options->ce.tls_auth_file,
2681  options->ce.tls_auth_file_inline,
2682  options->ce.key_direction,
2683  "Control Channel Authentication", "tls-auth");
2684  }
2685 
2686  /* TLS handshake encryption+authentication (--tls-crypt) */
2687  if (options->ce.tls_crypt_file)
2688  {
2689  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2690  options->ce.tls_crypt_file,
2691  options->ce.tls_crypt_file_inline,
2692  options->tls_server);
2693  }
2694 
2695  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2696  if (options->ce.tls_crypt_v2_file)
2697  {
2698  if (options->tls_server)
2699  {
2700  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2701  true, options->ce.tls_crypt_v2_file,
2702  options->ce.tls_crypt_v2_file_inline);
2703  }
2704  else
2705  {
2706  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2707  &c->c1.ks.tls_crypt_v2_wkc,
2708  options->ce.tls_crypt_v2_file,
2709  options->ce.tls_crypt_v2_file_inline);
2710  }
2711  }
2712 
2713 
2714 }
2715 
2716 /*
2717  * Initialise the auth-token key context
2718  */
2719 static void
2720 do_init_auth_token_key(struct context *c)
2721 {
2722  if (!c->options.auth_token_generate)
2723  {
2724  return;
2725  }
2726 
2727  auth_token_init_secret(&c->c1.ks.auth_token_key,
2728  c->options.auth_token_secret_file,
2729  c->options.auth_token_secret_file_inline);
2730 }
2731 
2732 /*
2733  * Initialize the persistent component of OpenVPN's TLS mode,
2734  * which is preserved across SIGUSR1 resets.
2735  */
2736 static void
2737 do_init_crypto_tls_c1(struct context *c)
2738 {
2739  const struct options *options = &c->options;
2740 
2741  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2742  {
2743  /*
2744  * Initialize the OpenSSL library's global
2745  * SSL context.
2746  */
2747  init_ssl(options, &(c->c1.ks.ssl_ctx));
2748  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2749  {
2750 #if P2MP
2751  switch (auth_retry_get())
2752  {
2753  case AR_NONE:
2754  msg(M_FATAL, "Error: private key password verification failed");
2755  break;
2756 
2757  case AR_INTERACT:
2758  ssl_purge_auth(false);
2759 
2760  case AR_NOINTERACT:
2761  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2762  break;
2763 
2764  default:
2765  ASSERT(0);
2766  }
2767  c->sig->signal_text = "private-key-password-failure";
2768  return;
2769 #else /* if P2MP */
2770  msg(M_FATAL, "Error: private key password verification failed");
2771 #endif /* if P2MP */
2772  }
2773 
2774  /* Do not warn if we only have BF-CBC in options->ciphername
2775  * because it is still the default cipher */
2776  bool warn = !streq(options->ciphername, "BF-CBC")
2777  || options->enable_ncp_fallback;
2778  /* Get cipher & hash algorithms */
2779  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2780  options->keysize, true, warn);
2781 
2782  /* Initialize PRNG with config-specified digest */
2783  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2784 
2785  /* initialize tls-auth/crypt/crypt-v2 key */
2786  do_init_tls_wrap_key(c);
2787 
2788  /* initialise auth-token crypto support */
2789  do_init_auth_token_key(c);
2790 
2791 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2792  if (options->priv_key_file_inline)
2793  {
2794  string_clear(c->options.priv_key_file_inline);
2795  c->options.priv_key_file_inline = NULL;
2796  }
2797 #endif
2798  }
2799  else
2800  {
2801  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2802 
2803  /*
2804  * tls-auth/crypt key can be configured per connection block, therefore
2805  * we must reload it as it may have changed
2806  */
2807  do_init_tls_wrap_key(c);
2808  }
2809 }
2810 
2811 static void
2812 do_init_crypto_tls(struct context *c, const unsigned int flags)
2813 {
2814  const struct options *options = &c->options;
2815  struct tls_options to;
2816  bool packet_id_long_form;
2817 
2818  ASSERT(options->tls_server || options->tls_client);
2819  ASSERT(!options->test_crypto);
2820 
2821  init_crypto_pre(c, flags);
2822 
2823  /* Make sure we are either a TLS client or server but not both */
2824  ASSERT(options->tls_server == !options->tls_client);
2825 
2826  /* initialize persistent component */
2827  do_init_crypto_tls_c1(c);
2828  if (IS_SIG(c))
2829  {
2830  return;
2831  }
2832 
2833  /* Sanity check on sequence number, and cipher mode options */
2834  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2835 
2836  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2837  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2838 
2839  /* Compute MTU parameters (postpone if we push/pull options) */
2840  if (c->options.pull || c->options.mode == MODE_SERVER)
2841  {
2842  /* Account for worst-case crypto overhead before allocating buffers */
2843  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2844  }
2845  else
2846  {
2847  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2848  options->replay, packet_id_long_form);
2849  }
2850  tls_adjust_frame_parameters(&c->c2.frame);
2851 
2852  /* Set all command-line TLS-related options */
2853  CLEAR(to);
2854 
2855  if (options->mute_replay_warnings)
2856  {
2857  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2858  }
2859 
2860  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2861  if (packet_id_long_form)
2862  {
2863  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2864  }
2865 
2866  to.ssl_ctx = c->c1.ks.ssl_ctx;
2867  to.key_type = c->c1.ks.key_type;
2868  to.server = options->tls_server;
2869  to.replay = options->replay;
2870  to.replay_window = options->replay_window;
2871  to.replay_time = options->replay_time;
2872  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2873  to.config_ciphername = c->c1.ciphername;
2874  to.config_ncp_ciphers = options->ncp_ciphers;
2875  to.ncp_enabled = options->ncp_enabled;
2876  to.transition_window = options->transition_window;
2877  to.handshake_window = options->handshake_window;
2878  to.packet_timeout = options->tls_timeout;
2879  to.renegotiate_bytes = options->renegotiate_bytes;
2880  to.renegotiate_packets = options->renegotiate_packets;
2881  if (options->renegotiate_seconds_min < 0)
2882  {
2883  /* Add 10% jitter to reneg-sec by default (server side only) */
2884  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2885  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2886  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2887  }
2888  else
2889  {
2890  /* Add user-specified jitter to reneg-sec */
2891  to.renegotiate_seconds = options->renegotiate_seconds
2892  -(get_random() % max_int(options->renegotiate_seconds
2893  - options->renegotiate_seconds_min, 1));
2894  }
2895  to.single_session = options->single_session;
2896  to.mode = options->mode;
2897  to.pull = options->pull;
2898  if (options->push_peer_info) /* all there is */
2899  {
2900  to.push_peer_info_detail = 2;
2901  }
2902  else if (options->pull) /* pull clients send some details */
2903  {
2904  to.push_peer_info_detail = 1;
2905  }
2906  else /* default: no peer-info at all */
2907  {
2908  to.push_peer_info_detail = 0;
2909  }
2910 
2911  /* should we not xmit any packets until we get an initial
2912  * response from client? */
2913  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2914  {
2915  to.xmit_hold = true;
2916  }
2917 
2918  to.disable_occ = !options->occ;
2919 
2920  to.verify_command = options->tls_verify;
2921  to.verify_export_cert = options->tls_export_cert;
2922  to.verify_x509_type = (options->verify_x509_type & 0xff);
2923  to.verify_x509_name = options->verify_x509_name;
2924  to.crl_file = options->crl_file;
2925  to.crl_file_inline = options->crl_file_inline;
2926  to.ssl_flags = options->ssl_flags;
2927  to.ns_cert_type = options->ns_cert_type;
2928  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2929  to.remote_cert_eku = options->remote_cert_eku;
2930  to.verify_hash = options->verify_hash;
2931  to.verify_hash_algo = options->verify_hash_algo;
2932 #ifdef ENABLE_X509ALTUSERNAME
2933  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2934 #else
2935  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2936 #endif
2937  to.es = c->c2.es;
2938  to.net_ctx = &c->net_ctx;
2939 
2940 #ifdef ENABLE_DEBUG
2941  to.gremlin = c->options.gremlin;
2942 #endif
2943 
2944  to.plugins = c->plugins;
2945 
2946 #ifdef ENABLE_MANAGEMENT
2947  to.mda_context = &c->c2.mda_context;
2948 #endif
2949 
2950  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2951  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2952  to.tmp_dir = options->tmp_dir;
2953  if (options->ccd_exclusive)
2954  {
2955  to.client_config_dir_exclusive = options->client_config_dir;
2956  }
2957  to.auth_user_pass_file = options->auth_user_pass_file;
2958  to.auth_token_generate = options->auth_token_generate;
2959  to.auth_token_lifetime = options->auth_token_lifetime;
2960  to.auth_token_call_auth = options->auth_token_call_auth;
2961  to.auth_token_key = c->c1.ks.auth_token_key;
2962 
2963  to.x509_track = options->x509_track;
2964 
2965 #if P2MP
2966 #ifdef ENABLE_MANAGEMENT
2967  to.sci = &options->sc_info;
2968 #endif
2969 #endif
2970 
2971 #ifdef USE_COMP
2972  to.comp_options = options->comp;
2973 #endif
2974 
2975 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2976  if (options->keying_material_exporter_label)
2977  {
2978  to.ekm_size = options->keying_material_exporter_length;
2979  if (to.ekm_size < 16 || to.ekm_size > 4095)
2980  {
2981  to.ekm_size = 0;
2982  }
2983 
2984  to.ekm_label = options->keying_material_exporter_label;
2985  to.ekm_label_size = strlen(to.ekm_label);
2986  }
2987  else
2988  {
2989  to.ekm_size = 0;
2990  }
2991 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2992 
2993  /* TLS handshake authentication (--tls-auth) */
2994  if (options->ce.tls_auth_file)
2995  {
2996  to.tls_wrap.mode = TLS_WRAP_AUTH;
2997  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2998  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2999  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3000  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
3001  true, true);
3002  }
3003 
3004  /* TLS handshake encryption (--tls-crypt) */
3005  if (options->ce.tls_crypt_file
3006  || (options->ce.tls_crypt_v2_file && options->tls_client))
3007  {
3008  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3009  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3010  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3011  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3012  tls_crypt_adjust_frame_parameters(&to.frame);
3013 
3014  if (options->ce.tls_crypt_v2_file)
3015  {
3016  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3017  }
3018  }
3019 
3020  if (options->ce.tls_crypt_v2_file)
3021  {
3022  to.tls_crypt_v2 = true;
3023  if (options->tls_server)
3024  {
3025  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3026  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3027  }
3028  }
3029 
3030  /* If we are running over TCP, allow for
3031  * length prefix */
3032  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3033 
3034  /*
3035  * Initialize OpenVPN's master TLS-mode object.
3036  */
3037  if (flags & CF_INIT_TLS_MULTI)
3038  {
3039  c->c2.tls_multi = tls_multi_init(&to);
3040  }
3041 
3042  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3043  {
3044  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3045  }
3046 }
3047 
3048 static void
3049 do_init_finalize_tls_frame(struct context *c)
3050 {
3051  if (c->c2.tls_multi)
3052  {
3053  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3054  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3055  EXPANDED_SIZE(&c->c2.frame));
3056  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3057  "Control Channel MTU parms");
3058  }
3059  if (c->c2.tls_auth_standalone)
3060  {
3061  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3062  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3063  "TLS-Auth MTU parms");
3064  }
3065 }
3066 
3067 /*
3068  * No encryption or authentication.
3069  */
3070 static void
3071 do_init_crypto_none(const struct context *c)
3072 {
3073  ASSERT(!c->options.test_crypto);
3074  msg(M_WARN,
3075  "******* WARNING *******: All encryption and authentication features "
3076  "disabled -- All data will be tunnelled as clear text and will not be "
3077  "protected against man-in-the-middle changes. "
3078  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3079 }
3080 
3081 static void
3082 do_init_crypto(struct context *c, const unsigned int flags)
3083 {
3084  if (c->options.shared_secret_file)
3085  {
3086  do_init_crypto_static(c, flags);
3087  }
3088  else if (c->options.tls_server || c->options.tls_client)
3089  {
3090  do_init_crypto_tls(c, flags);
3091  }
3092  else /* no encryption or authentication. */
3093  {
3094  do_init_crypto_none(c);
3095  }
3096 }
3097 
3098 static void
3099 do_init_frame(struct context *c)
3100 {
3101 #ifdef USE_COMP
3102  /*
3103  * modify frame parameters if compression is enabled
3104  */
3105  if (comp_enabled(&c->options.comp))
3106  {
3107  comp_add_to_extra_frame(&c->c2.frame);
3108 
3109 #if !defined(ENABLE_LZ4)
3110  /*
3111  * Compression usage affects buffer alignment when non-swapped algs
3112  * such as LZO is used.
3113  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3114  * any special alignment because of the control-byte swap approach.
3115  * LZO alignment (on the other hand) is problematic because
3116  * the presence of the control byte means that either the output of
3117  * decryption must be written to an unaligned buffer, or the input
3118  * to compression (or packet dispatch if packet is uncompressed)
3119  * must be read from an unaligned buffer.
3120  * This code tries to align the input to compression (or packet
3121  * dispatch if packet is uncompressed) at the cost of requiring
3122  * decryption output to be written to an unaligned buffer, so
3123  * it's more of a tradeoff than an optimal solution and we don't
3124  * include it when we are doing a modern build with LZ4.
3125  * Strictly speaking, on the server it would be better to execute
3126  * this code for every connection after we decide the compression
3127  * method, but currently the frame code doesn't appear to be
3128  * flexible enough for this, since the frame is already established
3129  * before it is known which compression options will be pushed.
3130  */
3131  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3132  {
3133  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3134  frame_or_align_flags(&c->c2.frame,
3135  FRAME_HEADROOM_MARKER_FRAGMENT
3136  |FRAME_HEADROOM_MARKER_DECRYPT);
3137  }
3138 #endif
3139 
3140 #ifdef ENABLE_FRAGMENT
3141  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3142 #endif
3143  }
3144 #endif /* USE_COMP */
3145 
3146  /*
3147  * Adjust frame size for UDP Socks support.
3148  */
3149  if (c->options.ce.socks_proxy_server)
3150  {
3151  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3152  }
3153 
3154  /*
3155  * Adjust frame size based on the --tun-mtu-extra parameter.
3156  */
3157  if (c->options.ce.tun_mtu_extra_defined)
3158  {
3159  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3160  }
3161 
3162  /*
3163  * Adjust frame size based on link socket parameters.
3164  * (Since TCP is a stream protocol, we need to insert
3165  * a packet length uint16_t in the buffer.)
3166  */
3167  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3168 
3169  /*
3170  * Fill in the blanks in the frame parameters structure,
3171  * make sure values are rational, etc.
3172  */
3173  frame_finalize_options(c, NULL);
3174 
3175 #ifdef USE_COMP
3176  /*
3177  * Modify frame parameters if compression is compiled in.
3178  * Should be called after frame_finalize_options.
3179  */
3180  comp_add_to_extra_buffer(&c->c2.frame);
3181 #ifdef ENABLE_FRAGMENT
3182  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3183 #endif
3184 #endif /* USE_COMP */
3185 
3186  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3187  * and need link_mtu+3 bytes on socket reception (on server).
3188  *
3189  * accommodate receive path in f->extra_link, which has the side effect of
3190  * also increasing send buffers (BUF_SIZE() macro), which need to be
3191  * allocated big enough before receiving peer-id option from server.
3192  *
3193  * f->extra_frame is adjusted when peer-id option is push-received
3194  */
3195  frame_add_to_extra_link(&c->c2.frame, 3);
3196 
3197 #ifdef ENABLE_FRAGMENT
3198  /*
3199  * Set frame parameter for fragment code. This is necessary because
3200  * the fragmentation code deals with payloads which have already been
3201  * passed through the compression code.
3202  */
3203  c->c2.frame_fragment = c->c2.frame;
3204  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3205  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3206 #endif
3207 
3208 #if defined(ENABLE_FRAGMENT)
3209  /*
3210  * MTU advisories
3211  */
3212  if (c->options.ce.fragment && c->options.mtu_test)
3213  {
3214  msg(M_WARN,
3215  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3216  }
3217 #endif
3218 
3219 #ifdef ENABLE_FRAGMENT
3220  if ((c->options.ce.mssfix || c->options.ce.fragment)
3221  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3222  {
3223  msg(M_WARN,
3224  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3225  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3226  }
3227 #endif
3228 }
3229 
3230 static void
3231 do_option_warnings(struct context *c)
3232 {
3233  const struct options *o = &c->options;
3234 
3235  if (o->ping_send_timeout && !o->ping_rec_timeout)
3236  {
3237  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3238  }
3239 
3240  if (o->username || o->groupname || o->chroot_dir
3241 #ifdef ENABLE_SELINUX
3242  || o->selinux_context
3243 #endif
3244  )
3245  {
3246  if (!o->persist_tun)
3247  {
3248  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3249  }
3250  if (!o->persist_key
3251 #ifdef ENABLE_PKCS11
3252  && !o->pkcs11_id
3253 #endif
3254  )
3255  {
3256  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3257  }
3258  }
3259 
3260  if (o->chroot_dir && !(o->username && o->groupname))
3261  {
3262  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3263  }
3264 
3265 #if P2MP
3266  if (o->pull && o->ifconfig_local && c->first_time)
3267  {
3268  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3269  }
3270 
3271  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3272  {
3273  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3274  }
3275 
3276  if (o->mode == MODE_SERVER)
3277  {
3278  if (o->duplicate_cn && o->client_config_dir)
3279  {
3280  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3281  }
3282  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3283  {
3284  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3285  }
3286  if (!o->keepalive_ping || !o->keepalive_timeout)
3287  {
3288  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3289  }
3290  }
3291 #endif /* if P2MP */
3292 
3293  if (!o->replay)
3294  {
3295  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3296  }
3297 
3298  if (o->tls_server)
3299  {
3300  warn_on_use_of_common_subnets(&c->net_ctx);
3301  }
3302  if (o->tls_client
3303  && !o->tls_verify
3304  && o->verify_x509_type == VERIFY_X509_NONE
3305  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3306  && !o->remote_cert_eku)
3307  {
3308  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3309  }
3310  if (o->ns_cert_type)
3311  {
3312  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3313  }
3314 
3315  /* If a script is used, print appropriate warnings */
3316  if (o->user_script_used)
3317  {
3318  if (script_security() >= SSEC_SCRIPTS)
3319  {
3320  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3321  }
3322  else if (script_security() >= SSEC_PW_ENV)
3323  {
3324  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3325  }
3326  else
3327  {
3328  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3329  }
3330  }
3331 }
3332 
3333 static void
3334 do_init_frame_tls(struct context *c)
3335 {
3336  do_init_finalize_tls_frame(c);
3337 }
3338 
3339 struct context_buffers *
3340 init_context_buffers(const struct frame *frame)
3341 {
3342  struct context_buffers *b;
3343 
3344  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3345 
3346  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3347  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3350 
3351  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3352  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3353 
3354 #ifdef USE_COMP
3355  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3356  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3357 #endif
3358 
3359  return b;
3360 }
3361 
3362 void
3363 free_context_buffers(struct context_buffers *b)
3364 {
3365  if (b)
3366  {
3367  free_buf(&b->read_link_buf);
3368  free_buf(&b->read_tun_buf);
3369  free_buf(&b->aux_buf);
3370 
3371 #ifdef USE_COMP
3372  free_buf(&b->compress_buf);
3373  free_buf(&b->decompress_buf);
3374 #endif
3375 
3376  free_buf(&b->encrypt_buf);
3377  free_buf(&b->decrypt_buf);
3378 
3379  free(b);
3380  }
3381 }
3382 
3383 /*
3384  * Now that we know all frame parameters, initialize
3385  * our buffers.
3386  */
3387 static void
3388 do_init_buffers(struct context *c)
3389 {
3390  c->c2.buffers = init_context_buffers(&c->c2.frame);
3391  c->c2.buffers_owned = true;
3392 }
3393 
3394 #ifdef ENABLE_FRAGMENT
3395 /*
3396  * Fragmenting code has buffers to initialize
3397  * once frame parameters are known.
3398  */
3399 static void
3400 do_init_fragment(struct context *c)
3401 {
3402  ASSERT(c->options.ce.fragment);
3403  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3404  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3405  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3406 }
3407 #endif
3408 
3409 /*
3410  * Allocate our socket object.
3411  */
3412 static void
3413 do_link_socket_new(struct context *c)
3414 {
3415  ASSERT(!c->c2.link_socket);
3416  c->c2.link_socket = link_socket_new();
3417  c->c2.link_socket_owned = true;
3418 }
3419 
3420 /*
3421  * bind the TCP/UDP socket
3422  */
3423 static void
3424 do_init_socket_1(struct context *c, const int mode)
3425 {
3426  unsigned int sockflags = c->options.sockflags;
3427 
3428 #if PORT_SHARE
3429  if (c->options.port_share_host && c->options.port_share_port)
3430  {
3431  sockflags |= SF_PORT_SHARE;
3432  }
3433 #endif
3434 
3435  link_socket_init_phase1(c->c2.link_socket,
3436  c->options.ce.local,
3437  c->options.ce.local_port,
3438  c->options.ce.remote,
3439  c->options.ce.remote_port,
3440  c->c1.dns_cache,
3441  c->options.ce.proto,
3442  c->options.ce.af,
3443  c->options.ce.bind_ipv6_only,
3444  mode,
3445  c->c2.accept_from,
3446  c->c1.http_proxy,
3447  c->c1.socks_proxy,
3448 #ifdef ENABLE_DEBUG
3449  c->options.gremlin,
3450 #endif
3451  c->options.ce.bind_local,
3452  c->options.ce.remote_float,
3453  c->options.inetd,
3454  &c->c1.link_socket_addr,
3455  c->options.ipchange,
3456  c->plugins,
3457  c->options.resolve_retry_seconds,
3458  c->options.ce.mtu_discover_type,
3459  c->options.rcvbuf,
3460  c->options.sndbuf,
3461  c->options.mark,
3462  c->options.bind_dev,
3463  &c->c2.server_poll_interval,
3464  sockflags);
3465 }
3466 
3467 /*
3468  * finalize the TCP/UDP socket
3469  */
3470 static void
3471 do_init_socket_2(struct context *c)
3472 {
3473  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3474  c->sig);
3475 }
3476 
3477 /*
3478  * Print MTU INFO
3479  */
3480 static void
3481 do_print_data_channel_mtu_parms(struct context *c)
3482 {
3483  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3484 #ifdef ENABLE_FRAGMENT
3485  if (c->c2.fragment)
3486  {
3487  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3488  "Fragmentation MTU parms");
3489  }
3490 #endif
3491 }
3492 
3493 /*
3494  * Get local and remote options compatibility strings.
3495  */
3496 static void
3497 do_compute_occ_strings(struct context *c)
3498 {
3499  struct gc_arena gc = gc_new();
3500 
3501  c->c2.options_string_local =
3502  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3503  false, &gc);
3504  c->c2.options_string_remote =
3505  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3506  true, &gc);
3507 
3508  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3509  options_string_version(c->c2.options_string_local, &gc),
3510  c->c2.options_string_local);
3511  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3512  options_string_version(c->c2.options_string_remote, &gc),
3513  c->c2.options_string_remote);
3514 
3515  if (c->c2.tls_multi)
3516  {
3517  tls_multi_init_set_options(c->c2.tls_multi,
3518  c->c2.options_string_local,
3519  c->c2.options_string_remote);
3520  }
3521 
3522  gc_free(&gc);
3523 }
3524 
3525 /*
3526  * These things can only be executed once per program instantiation.
3527  * Set up for possible UID/GID downgrade, but don't do it yet.
3528  * Daemonize if requested.
3529  */
3530 static void
3531 do_init_first_time(struct context *c)
3532 {
3533  if (c->first_time && !c->c0)
3534  {
3535  struct context_0 *c0;
3536 
3537  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3538  c0 = c->c0;
3539 
3540  /* get user and/or group that we want to setuid/setgid to */
3541  c0->uid_gid_specified =
3542  platform_group_get(c->options.groupname, &c0->platform_state_group)
3543  |platform_user_get(c->options.username, &c0->platform_state_user);
3544 
3545  /* perform postponed chdir if --daemon */
3546  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3547  {
3548  platform_chdir("/");
3549  }
3550 
3551  /* should we change scheduling priority? */
3552  platform_nice(c->options.nice);
3553  }
3554 }
3555 
3556 /*
3557  * If xinetd/inetd mode, don't allow restart.
3558  */
3559 static void
3560 do_close_check_if_restart_permitted(struct context *c)
3561 {
3562  if (c->options.inetd
3563  && (c->sig->signal_received == SIGHUP
3564  || c->sig->signal_received == SIGUSR1))
3565  {
3566  c->sig->signal_received = SIGTERM;
3567  msg(M_INFO,
3568  PACKAGE_NAME
3569  " started by inetd/xinetd cannot restart... Exiting.");
3570  }
3571 }
3572 
3573 /*
3574  * free buffers
3575  */
3576 static void
3577 do_close_free_buf(struct context *c)
3578 {
3579  if (c->c2.buffers_owned)
3580  {
3581  free_context_buffers(c->c2.buffers);
3582  c->c2.buffers = NULL;
3583  c->c2.buffers_owned = false;
3584  }
3585 }
3586 
3587 /*
3588  * close TLS
3589  */
3590 static void
3591 do_close_tls(struct context *c)
3592 {
3593  if (c->c2.tls_multi)
3594  {
3595  tls_multi_free(c->c2.tls_multi, true);
3596  c->c2.tls_multi = NULL;
3597  }
3598 
3599  /* free options compatibility strings */
3600  free(c->c2.options_string_local);
3601  free(c->c2.options_string_remote);
3602 
3603  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3604 
3605  if (c->c2.pulled_options_state)
3606  {
3607  md_ctx_cleanup(c->c2.pulled_options_state);
3608  md_ctx_free(c->c2.pulled_options_state);
3609  }
3610 }
3611 
3612 /*
3613  * Free key schedules
3614  */
3615 static void
3616 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3617 {
3618  /*
3619  * always free the tls_auth/crypt key. If persist_key is true, the key will
3620  * be reloaded from memory (pre-cached)
3621  */
3622  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3623  CLEAR(c->c1.ks.tls_wrap_key);
3624  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3625  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3626 
3627  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3628  {
3629  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3630  }
3631 }
3632 
3633 /*
3634  * Close TCP/UDP connection
3635  */
3636 static void
3637 do_close_link_socket(struct context *c)
3638 {
3639  if (c->c2.link_socket && c->c2.link_socket_owned)
3640  {
3641  link_socket_close(c->c2.link_socket);
3642  c->c2.link_socket = NULL;
3643  }
3644 
3645 
3646  /* Preserve the resolved list of remote if the user request to or if we want
3647  * reconnect to the same host again or there are still addresses that need
3648  * to be tried */
3649  if (!(c->sig->signal_received == SIGUSR1
3650  && ( (c->options.persist_remote_ip)
3651  ||
3652  ( c->sig->source != SIG_SOURCE_HARD
3653  && ((c->c1.link_socket_addr.current_remote
3654  && c->c1.link_socket_addr.current_remote->ai_next)
3655  || c->options.no_advance))
3656  )))
3657  {
3658  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3659  }
3660 
3661  /* Clear the remote actual address when persist_remote_ip is not in use */
3662  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3663  {
3664  CLEAR(c->c1.link_socket_addr.actual);
3665  }
3666 
3667  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3668  {
3669  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3670  {
3671  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3672  }
3673 
3674  c->c1.link_socket_addr.bind_local = NULL;
3675  }
3676 }
3677 
3678 /*
3679  * Close packet-id persistence file
3680  */
3681 static void
3682 do_close_packet_id(struct context *c)
3683 {
3684  packet_id_free(&c->c2.crypto_options.packet_id);
3685  packet_id_persist_save(&c->c1.pid_persist);
3686  if (!(c->sig->signal_received == SIGUSR1))
3687  {
3688  packet_id_persist_close(&c->c1.pid_persist);
3689  }
3690 }
3691 
3692 #ifdef ENABLE_FRAGMENT
3693 /*
3694  * Close fragmentation handler.
3695  */
3696 static void
3697 do_close_fragment(struct context *c)
3698 {
3699  if (c->c2.fragment)
3700  {
3701  fragment_free(c->c2.fragment);
3702  c->c2.fragment = NULL;
3703  }
3704 }
3705 #endif
3706 
3707 /*
3708  * Open and close our event objects.
3709  */
3710 
3711 static void
3712 do_event_set_init(struct context *c,
3713  bool need_us_timeout)
3714 {
3715  unsigned int flags = 0;
3716 
3717  c->c2.event_set_max = BASE_N_EVENTS;
3718 
3719  flags |= EVENT_METHOD_FAST;
3720 
3721  if (need_us_timeout)
3722  {
3723  flags |= EVENT_METHOD_US_TIMEOUT;
3724  }
3725 
3726  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3727  c->c2.event_set_owned = true;
3728 }
3729 
3730 static void
3731 do_close_event_set(struct context *c)
3732 {
3733  if (c->c2.event_set && c->c2.event_set_owned)
3734  {
3735  event_free(c->c2.event_set);
3736  c->c2.event_set = NULL;
3737  c->c2.event_set_owned = false;
3738  }
3739 }
3740 
3741 /*
3742  * Open and close --status file
3743  */
3744 
3745 static void
3746 do_open_status_output(struct context *c)
3747 {
3748  if (!c->c1.status_output)
3749  {
3750  c->c1.status_output = status_open(c->options.status_file,
3751  c->options.status_file_update_freq,
3752  -1,
3753  NULL,
3754  STATUS_OUTPUT_WRITE);
3755  c->c1.status_output_owned = true;
3756  }
3757 }
3758 
3759 static void
3760 do_close_status_output(struct context *c)
3761 {
3762  if (!(c->sig->signal_received == SIGUSR1))
3763  {
3764  if (c->c1.status_output_owned && c->c1.status_output)
3765  {
3766  status_close(c->c1.status_output);
3767  c->c1.status_output = NULL;
3768  c->c1.status_output_owned = false;
3769  }
3770  }
3771 }
3772 
3773 /*
3774  * Handle ifconfig-pool persistence object.
3775  */
3776 static void
3777 do_open_ifconfig_pool_persist(struct context *c)
3778 {
3779  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3780  {
3781  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3782  c->options.ifconfig_pool_persist_refresh_freq);
3783  c->c1.ifconfig_pool_persist_owned = true;
3784  }
3785 }
3786 
3787 static void
3788 do_close_ifconfig_pool_persist(struct context *c)
3789 {
3790  if (!(c->sig->signal_received == SIGUSR1))
3791  {
3792  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3793  {
3794  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3795  c->c1.ifconfig_pool_persist = NULL;
3796  c->c1.ifconfig_pool_persist_owned = false;
3797  }
3798  }
3799 }
3800 
3801 /*
3802  * Inherit environmental variables
3803  */
3804 
3805 static void
3806 do_inherit_env(struct context *c, const struct env_set *src)
3807 {
3808  c->c2.es = env_set_create(NULL);
3809  c->c2.es_owned = true;
3810  env_set_inherit(c->c2.es, src);
3811 }
3812 
3813 static void
3814 do_env_set_destroy(struct context *c)
3815 {
3816  if (c->c2.es && c->c2.es_owned)
3817  {
3818  env_set_destroy(c->c2.es);
3819  c->c2.es = NULL;
3820  c->c2.es_owned = false;
3821  }
3822 }
3823 
3824 /*
3825  * Fast I/O setup. Fast I/O is an optimization which only works
3826  * if all of the following are true:
3827  *
3828  * (1) The platform is not Windows
3829  * (2) --proto udp is enabled
3830  * (3) --shaper is disabled
3831  */
3832 static void
3833 do_setup_fast_io(struct context *c)
3834 {
3835  if (c->options.fast_io)
3836  {
3837 #ifdef _WIN32
3838  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3839 #else
3840  if (!proto_is_udp(c->options.ce.proto))
3841  {
3842  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3843  }
3844  else
3845  {
3846 #ifdef ENABLE_FEATURE_SHAPER
3847  if (c->options.shaper)
3848  {
3849  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3850  }
3851  else
3852 #endif
3853  {
3854  c->c2.fast_io = true;
3855  }
3856  }
3857 #endif
3858  }
3859 }
3860 
3861 static void
3862 do_signal_on_tls_errors(struct context *c)
3863 {
3864  if (c->options.tls_exit)
3865  {
3866  c->c2.tls_exit_signal = SIGTERM;
3867  }
3868  else
3869  {
3870  c->c2.tls_exit_signal = SIGUSR1;
3871  }
3872 }
3873 
3874 #ifdef ENABLE_PLUGIN
3875 
3876 void
3877 init_plugins(struct context *c)
3878 {
3879  if (c->options.plugin_list && !c->plugins)
3880  {
3881  c->plugins = plugin_list_init(c->options.plugin_list);
3882  c->plugins_owned = true;
3883  }
3884 }
3885 
3886 void
3887 open_plugins(struct context *c, const bool import_options, int init_point)
3888 {
3889  if (c->plugins && c->plugins_owned)
3890  {
3891  if (import_options)
3892  {
3893  struct plugin_return pr, config;
3894  plugin_return_init(&pr);
3895  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3896  plugin_return_get_column(&pr, &config, "config");
3897  if (plugin_return_defined(&config))
3898  {
3899  int i;
3900  for (i = 0; i < config.n; ++i)
3901  {
3902  unsigned int option_types_found = 0;
3903  if (config.list[i] && config.list[i]->value)
3904  {
3905  options_string_import(&c->options,
3906  config.list[i]->value,
3907  D_IMPORT_ERRORS|M_OPTERR,
3908  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3909  &option_types_found,
3910  c->es);
3911  }
3912  }
3913  }
3914  plugin_return_free(&pr);
3915  }
3916  else
3917  {
3918  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3919  }
3920  }
3921 }
3922 
3923 static void
3924 do_close_plugins(struct context *c)
3925 {
3926  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3927  {
3928  plugin_list_close(c->plugins);
3929  c->plugins = NULL;
3930  c->plugins_owned = false;
3931  }
3932 }
3933 
3934 static void
3935 do_inherit_plugins(struct context *c, const struct context *src)
3936 {
3937  if (!c->plugins && src->plugins)
3938  {
3939  c->plugins = plugin_list_inherit(src->plugins);
3940  c->plugins_owned = true;
3941  }
3942 }
3943 
3944 #endif /* ifdef ENABLE_PLUGIN */
3945 
3946 #ifdef ENABLE_MANAGEMENT
3947 
3948 static void
3949 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3950 {
3951  struct context *c = (struct context *) arg;
3952  print_status(c, so);
3953 }
3954 
3955 void
3956 management_show_net_callback(void *arg, const int msglevel)
3957 {
3958 #ifdef _WIN32
3959  show_routes(msglevel);
3960  show_adapters(msglevel);
3961  msg(msglevel, "END");
3962 #else
3963  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3964 #endif
3965 }
3966 
3967 #ifdef TARGET_ANDROID
3968 int
3969 management_callback_network_change(void *arg, bool samenetwork)
3970 {
3971  /* Check if the client should translate the network change to a SIGUSR1 to
3972  * reestablish the connection or just reprotect the socket
3973  *
3974  * At the moment just assume that, for all settings that use pull (not
3975  * --static) and are not using peer-id reestablishing the connection is
3976  * required (unless the network is the same)
3977  *
3978  * The function returns -1 on invalid fd and -2 if the socket cannot be
3979  * reused. On the -2 return value the man_network_change function triggers
3980  * a SIGUSR1 to force a reconnect.
3981  */
3982 
3983  int socketfd = -1;
3984  struct context *c = (struct context *) arg;
3985  if (!c->c2.link_socket)
3986  {
3987  return -1;
3988  }
3989  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3990  {
3991  return -1;
3992  }
3993 
3994  socketfd = c->c2.link_socket->sd;
3995  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3996  {
3997  return socketfd;
3998  }
3999  else
4000  {
4001  return -2;
4002  }
4003 }
4004 #endif /* ifdef TARGET_ANDROID */
4005 
4006 #endif /* ifdef ENABLE_MANAGEMENT */
4007 
4008 void
4009 init_management_callback_p2p(struct context *c)
4010 {
4011 #ifdef ENABLE_MANAGEMENT
4012  if (management)
4013  {
4014  struct management_callback cb;
4015  CLEAR(cb);
4016  cb.arg = c;
4017  cb.status = management_callback_status_p2p;
4018  cb.show_net = management_show_net_callback;
4019  cb.proxy_cmd = management_callback_proxy_cmd;
4020  cb.remote_cmd = management_callback_remote_cmd;
4021  cb.send_cc_message = management_callback_send_cc_message;
4022 #ifdef TARGET_ANDROID
4023  cb.network_change = management_callback_network_change;
4024 #endif
4025  management_set_callback(management, &cb);
4026  }
4027 #endif
4028 }
4029 
4030 #ifdef ENABLE_MANAGEMENT
4031 
4032 void
4033 init_management(void)
4034 {
4035  if (!management)
4036  {
4037  management = management_init();
4038  }
4039 }
4040 
4041 bool
4042 open_management(struct context *c)
4043 {
4044  /* initialize management layer */
4045  if (management)
4046  {
4047  if (c->options.management_addr)
4048  {
4049  unsigned int flags = c->options.management_flags;
4050  if (c->options.mode == MODE_SERVER)
4051  {
4052  flags |= MF_SERVER;
4053  }
4054  if (management_open(management,
4055  c->options.management_addr,
4056  c->options.management_port,
4057  c->options.management_user_pass,
4058  c->options.management_client_user,
4059  c->options.management_client_group,
4060  c->options.management_log_history_cache,
4061  c->options.management_echo_buffer_size,
4062  c->options.management_state_buffer_size,
4063  c->options.management_write_peer_info_file,
4064  c->options.remap_sigusr1,
4065  flags))
4066  {
4067  management_set_state(management,
4068  OPENVPN_STATE_CONNECTING,
4069  NULL,
4070  NULL,
4071  NULL,
4072  NULL,
4073  NULL);
4074  }
4075 
4076  /* initial management hold, called early, before first context initialization */
4077  do_hold(0);
4078  if (IS_SIG(c))
4079  {
4080  msg(M_WARN, "Signal received from management interface, exiting");
4081  return false;
4082  }
4083  }
4084  else
4085  {
4086  close_management();
4087  }
4088  }
4089  return true;
4090 }
4091 
4092 void
4093 close_management(void)
4094 {
4095  if (management)
4096  {
4097  management_close(management);
4098  management = NULL;
4099  }
4100 }
4101 
4102 #endif /* ifdef ENABLE_MANAGEMENT */
4103 
4104 
4105 void
4106 uninit_management_callback(void)
4107 {
4108 #ifdef ENABLE_MANAGEMENT
4109  if (management)
4110  {
4111  management_clear_callback(management);
4112  }
4113 #endif
4114 }
4115 
4116 /*
4117  * Initialize a tunnel instance, handle pre and post-init
4118  * signal settings.
4119  */
4120 void
4121 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4122 {
4123  pre_init_signal_catch();
4124  init_instance(c, env, flags);
4125  post_init_signal_catch();
4126 
4127  /*
4128  * This is done so that signals thrown during
4129  * initialization can bring us back to
4130  * a management hold.
4131  */
4132  if (IS_SIG(c))
4133  {
4134  remap_signal(c);
4135  uninit_management_callback();
4136  }
4137 }
4138 
4139 /*
4140  * Initialize a tunnel instance.
4141  */
4142 void
4143 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4144 {
4145  const struct options *options = &c->options;
4146  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4147  int link_socket_mode = LS_MODE_DEFAULT;
4148 
4149  /* init garbage collection level */
4150  gc_init(&c->c2.gc);
4151 
4152  /* inherit environmental variables */
4153  if (env)
4154  {
4155  do_inherit_env(c, env);
4156  }
4157 
4158  /* signals caught here will abort */
4159  c->sig->signal_received = 0;
4160  c->sig->signal_text = NULL;
4161  c->sig->source = SIG_SOURCE_SOFT;
4162 
4163  if (c->mode == CM_P2P)
4164  {
4165  init_management_callback_p2p(c);
4166  }
4167 
4168  /* possible sleep or management hold if restart */
4169  if (c->mode == CM_P2P || c->mode == CM_TOP)
4170  {
4171  do_startup_pause(c);
4172  if (IS_SIG(c))
4173  {
4174  goto sig;
4175  }
4176  }
4177 
4178  if (c->options.resolve_in_advance)
4179  {
4180  do_preresolve(c);
4181  if (IS_SIG(c))
4182  {
4183  goto sig;
4184  }
4185  }
4186 
4187  /* map in current connection entry */
4188  next_connection_entry(c);
4189 
4190  /* link_socket_mode allows CM_CHILD_TCP
4191  * instances to inherit acceptable fds
4192  * from a top-level parent */
4193  if (c->options.ce.proto == PROTO_TCP_SERVER)
4194  {
4195  if (c->mode == CM_TOP)
4196  {
4197  link_socket_mode = LS_MODE_TCP_LISTEN;
4198  }
4199  else if (c->mode == CM_CHILD_TCP)
4200  {
4201  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4202  }
4203  }
4204 
4205  /* should we disable paging? */
4206  if (c->first_time && options->mlock)
4207  {
4208  platform_mlockall(true);
4209  }
4210 
4211 #if P2MP
4212  /* get passwords if undefined */
4213  if (auth_retry_get() == AR_INTERACT)
4214  {
4215  init_query_passwords(c);
4216  }
4217 #endif
4218 
4219  /* initialize context level 2 --verb/--mute parms */
4220  init_verb_mute(c, IVM_LEVEL_2);
4221 
4222  /* set error message delay for non-server modes */
4223  if (c->mode == CM_P2P)
4224  {
4225  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4226  }
4227 
4228  /* warn about inconsistent options */
4229  if (c->mode == CM_P2P || c->mode == CM_TOP)
4230  {
4231  do_option_warnings(c);
4232  }
4233 
4234 #ifdef ENABLE_PLUGIN
4235  /* initialize plugins */
4236  if (c->mode == CM_P2P || c->mode == CM_TOP)
4237  {
4238  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4239  }
4240 #endif
4241 
4242  /* should we enable fast I/O? */
4243  if (c->mode == CM_P2P || c->mode == CM_TOP)
4244  {
4245  do_setup_fast_io(c);
4246  }
4247 
4248  /* should we throw a signal on TLS errors? */
4249  do_signal_on_tls_errors(c);
4250 
4251  /* open --status file */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP)
4253  {
4254  do_open_status_output(c);
4255  }
4256 
4257  /* open --ifconfig-pool-persist file */
4258  if (c->mode == CM_TOP)
4259  {
4260  do_open_ifconfig_pool_persist(c);
4261  }
4262 
4263  /* reset OCC state */
4264  if (c->mode == CM_P2P || child)
4265  {
4266  c->c2.occ_op = occ_reset_op();
4267  }
4268 
4269  /* our wait-for-i/o objects, different for posix vs. win32 */
4270  if (c->mode == CM_P2P)
4271  {
4272  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4273  }
4274  else if (c->mode == CM_CHILD_TCP)
4275  {
4276  do_event_set_init(c, false);
4277  }
4278 
4279  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4280  init_proxy(c);
4281 
4282  /* allocate our socket object */
4283  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4284  {
4285  do_link_socket_new(c);
4286  }
4287 
4288 #ifdef ENABLE_FRAGMENT
4289  /* initialize internal fragmentation object */
4290  if (options->ce.fragment && (c->mode == CM_P2P || child))
4291  {
4292  c->c2.fragment = fragment_init(&c->c2.frame);
4293  }
4294 #endif
4295 
4296  /* init crypto layer */
4297  {
4298  unsigned int crypto_flags = 0;
4299  if (c->mode == CM_TOP)
4300  {
4301  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4302  }
4303  else if (c->mode == CM_P2P)
4304  {
4305  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4306  }
4307  else if (child)
4308  {
4309  crypto_flags = CF_INIT_TLS_MULTI;
4310  }
4311  do_init_crypto(c, crypto_flags);
4312  if (IS_SIG(c) && !child)
4313  {
4314  goto sig;
4315  }
4316  }
4317 
4318 #ifdef USE_COMP
4319  /* initialize compression library. */
4320  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4321  {
4322  c->c2.comp_context = comp_init(&options->comp);
4323  }
4324 #endif
4325 
4326  /* initialize MTU variables */
4327  do_init_frame(c);
4328 
4329  /* initialize TLS MTU variables */
4330  do_init_frame_tls(c);
4331 
4332  /* init workspace buffers whose size is derived from frame size */
4333  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4334  {
4335  do_init_buffers(c);
4336  }
4337 
4338 #ifdef ENABLE_FRAGMENT
4339  /* initialize internal fragmentation capability with known frame size */
4340  if (options->ce.fragment && (c->mode == CM_P2P || child))
4341  {
4342  do_init_fragment(c);
4343  }
4344 #endif
4345 
4346  /* initialize dynamic MTU variable */
4347  frame_init_mssfix(&c->c2.frame, &c->options);
4348 
4349  /* bind the TCP/UDP socket */
4350  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4351  {
4352  do_init_socket_1(c, link_socket_mode);
4353  }
4354 
4355  /* initialize tun/tap device object,
4356  * open tun/tap device, ifconfig, run up script, etc. */
4357  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4358  {
4359  c->c2.did_open_tun = do_open_tun(c);
4360  }
4361 
4362  c->c2.frame_initial = c->c2.frame;
4363 
4364  /* print MTU info */
4365  do_print_data_channel_mtu_parms(c);
4366 
4367  /* get local and remote options compatibility strings */
4368  if (c->mode == CM_P2P || child)
4369  {
4370  do_compute_occ_strings(c);
4371  }
4372 
4373  /* initialize output speed limiter */
4374  if (c->mode == CM_P2P)
4375  {
4376  do_init_traffic_shaper(c);
4377  }
4378 
4379  /* do one-time inits, and possibly become a daemon here */
4380  do_init_first_time(c);
4381 
4382 #ifdef ENABLE_PLUGIN
4383  /* initialize plugins */
4384  if (c->mode == CM_P2P || c->mode == CM_TOP)
4385  {
4386  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4387  }
4388 #endif
4389 
4390  /* initialise connect timeout timer */
4391  do_init_server_poll_timeout(c);
4392 
4393  /* finalize the TCP/UDP socket */
4394  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4395  {
4396  do_init_socket_2(c);
4397  }
4398 
4399  /*
4400  * Actually do UID/GID downgrade, and chroot, if requested.
4401  * May be delayed by --client, --pull, or --up-delay.
4402  */
4403  do_uid_gid_chroot(c, c->c2.did_open_tun);
4404 
4405  /* initialize timers */
4406  if (c->mode == CM_P2P || child)
4407  {
4408  do_init_timers(c, false);
4409  }
4410 
4411 #ifdef ENABLE_PLUGIN
4412  /* initialize plugins */
4413  if (c->mode == CM_P2P || c->mode == CM_TOP)
4414  {
4415  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4416  }
4417 #endif
4418 
4419 #if PORT_SHARE
4420  /* share OpenVPN port with foreign (such as HTTPS) server */
4421  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4422  {
4423  init_port_share(c);
4424  }
4425 #endif
4426 
4427 #ifdef ENABLE_PF
4428  if (child)
4429  {
4430  pf_init_context(c);
4431  }
4432 #endif
4433 
4434  /* Check for signals */
4435  if (IS_SIG(c))
4436  {
4437  goto sig;
4438  }
4439 
4440  return;
4441 
4442 sig:
4443  if (!c->sig->signal_text)
4444  {
4445  c->sig->signal_text = "init_instance";
4446  }
4447  close_context(c, -1, flags);
4448  return;
4449 }
4450 
4451 /*
4452  * Close a tunnel instance.
4453  */
4454 void
4455 close_instance(struct context *c)
4456 {
4457  /* close event objects */
4458  do_close_event_set(c);
4459 
4460  if (c->mode == CM_P2P
4461  || c->mode == CM_CHILD_TCP
4462  || c->mode == CM_CHILD_UDP
4463  || c->mode == CM_TOP)
4464  {
4465  /* if xinetd/inetd mode, don't allow restart */
4466  do_close_check_if_restart_permitted(c);
4467 
4468 #ifdef USE_COMP
4469  if (c->c2.comp_context)
4470  {
4471  comp_uninit(c->c2.comp_context);
4472  c->c2.comp_context = NULL;
4473  }
4474 #endif
4475 
4476  /* free buffers */
4477  do_close_free_buf(c);
4478 
4479  /* close TLS */
4480  do_close_tls(c);
4481 
4482  /* free key schedules */
4483  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4484 
4485  restore_ncp_options(c);
4486 
4487  /* close TCP/UDP connection */
4488  do_close_link_socket(c);
4489 
4490  /* close TUN/TAP device */
4491  do_close_tun(c, false);
4492 
4493 #ifdef ENABLE_MANAGEMENT
4494  if (management)
4495  {
4496  management_notify_client_close(management, &c->c2.mda_context, NULL);
4497  }
4498 #endif
4499 
4500 #ifdef ENABLE_PF
4501  pf_destroy_context(&c->c2.pf);
4502 #endif
4503 
4504 #ifdef ENABLE_PLUGIN
4505  /* call plugin close functions and unload */
4506  do_close_plugins(c);
4507 #endif
4508 
4509  /* close packet-id persistence file */
4510  do_close_packet_id(c);
4511 
4512  /* close --status file */
4513  do_close_status_output(c);
4514 
4515 #ifdef ENABLE_FRAGMENT
4516  /* close fragmentation handler */
4517  do_close_fragment(c);
4518 #endif
4519 
4520  /* close --ifconfig-pool-persist obj */
4521  do_close_ifconfig_pool_persist(c);
4522 
4523  /* free up environmental variable store */
4524  do_env_set_destroy(c);
4525 
4526  /* close HTTP or SOCKS proxy */
4527  uninit_proxy(c);
4528 
4529  /* garbage collect */
4530  gc_free(&c->c2.gc);
4531  }
4532 }
4533 
4534 void
4535 inherit_context_child(struct context *dest,
4536  const struct context *src)
4537 {
4538  CLEAR(*dest);
4539 
4540  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4541  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4542 
4543  dest->gc = gc_new();
4544 
4545  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4546 
4547  /* c1 init */
4548  packet_id_persist_init(&dest->c1.pid_persist);
4549 
4550  dest->c1.ks.key_type = src->c1.ks.key_type;
4551  /* inherit SSL context */
4552  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4553  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4554  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4555  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4556  /* inherit pre-NCP ciphers */
4557  dest->c1.ciphername = src->c1.ciphername;
4558  dest->c1.authname = src->c1.authname;
4559  dest->c1.keysize = src->c1.keysize;
4560 
4561  /* inherit auth-token */
4562  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4563 
4564  /* options */
4565  dest->options = src->options;
4566  options_detach(&dest->options);
4567 
4568  if (dest->mode == CM_CHILD_TCP)
4569  {
4570  /*
4571  * The CM_TOP context does the socket listen(),
4572  * and the CM_CHILD_TCP context does the accept().
4573  */
4574  dest->c2.accept_from = src->c2.link_socket;
4575  }
4576 
4577 #ifdef ENABLE_PLUGIN
4578  /* inherit plugins */
4579  do_inherit_plugins(dest, src);
4580 #endif
4581 
4582  /* context init */
4583  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4584  if (IS_SIG(dest))
4585  {
4586  return;
4587  }
4588 
4589  /* inherit tun/tap interface object */
4590  dest->c1.tuntap = src->c1.tuntap;
4591 
4592  /* UDP inherits some extra things which TCP does not */
4593  if (dest->mode == CM_CHILD_UDP)
4594  {
4595  /* inherit buffers */
4596  dest->c2.buffers = src->c2.buffers;
4597 
4598  /* inherit parent link_socket and tuntap */
4599  dest->c2.link_socket = src->c2.link_socket;
4600 
4601  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4602  *dest->c2.link_socket_info = src->c2.link_socket->info;
4603 
4604  /* locally override some link_socket_info fields */
4605  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4606  dest->c2.link_socket_info->connection_established = false;
4607  }
4608 }
4609 
4610 void
4611 inherit_context_top(struct context *dest,
4612  const struct context *src)
4613 {
4614  /* copy parent */
4615  *dest = *src;
4616 
4617  /*
4618  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4619  * resources owned by the parent.
4620  *
4621  * Also note that CM_TOP_CLONE context objects are
4622  * closed by multi_top_free in multi.c.
4623  */
4624  dest->mode = CM_TOP_CLONE;
4625 
4626  dest->first_time = false;
4627  dest->c0 = NULL;
4628 
4629  options_detach(&dest->options);
4630  gc_detach(&dest->gc);
4631  gc_detach(&dest->c2.gc);
4632 
4633  /* detach plugins */
4634  dest->plugins_owned = false;
4635 
4636  dest->c2.tls_multi = NULL;
4637 
4638  /* detach c1 ownership */
4639  dest->c1.tuntap_owned = false;
4640  dest->c1.status_output_owned = false;
4641  dest->c1.ifconfig_pool_persist_owned = false;
4642 
4643  /* detach c2 ownership */
4644  dest->c2.event_set_owned = false;
4645  dest->c2.link_socket_owned = false;
4646  dest->c2.buffers_owned = false;
4647  dest->c2.es_owned = false;
4648 
4649  dest->c2.event_set = NULL;
4650  if (proto_is_dgram(src->options.ce.proto))
4651  {
4652  do_event_set_init(dest, false);
4653  }
4654 
4655 #ifdef USE_COMP
4656  dest->c2.comp_context = NULL;
4657 #endif
4658 }
4659 
4660 void
4661 close_context(struct context *c, int sig, unsigned int flags)
4662 {
4663  ASSERT(c);
4664  ASSERT(c->sig);
4665 
4666  if (sig >= 0)
4667  {
4668  c->sig->signal_received = sig;
4669  }
4670 
4671  if (c->sig->signal_received == SIGUSR1)
4672  {
4673  if ((flags & CC_USR1_TO_HUP)
4674  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4675  {
4676  c->sig->signal_received = SIGHUP;
4677  c->sig->signal_text = "close_context usr1 to hup";
4678  }
4679  }
4680 
4681  if (!(flags & CC_NO_CLOSE))
4682  {
4683  close_instance(c);
4684  }
4685 
4686  if (flags & CC_GC_FREE)
4687  {
4688  context_gc_free(c);
4689  }
4690 }
4691 
4692 /* Write our PID to a file */
4693 void
4694 write_pid_file(const char *filename, const char *chroot_dir)
4695 {
4696  if (filename)
4697  {
4698  unsigned int pid = 0;
4699  FILE *fp = platform_fopen(filename, "w");
4700  if (!fp)
4701  {
4702  msg(M_ERR, "Open error on pid file %s", filename);
4703  return;
4704  }
4705 
4706  pid = platform_getpid();
4707  fprintf(fp, "%u\n", pid);
4708  if (fclose(fp))
4709  {
4710  msg(M_ERR, "Close error on pid file %s", filename);
4711  }
4712 
4713  /* remember file name so it can be deleted "out of context" later */
4714  /* (the chroot case is more complex and not handled today) */
4715  if (!chroot_dir)
4716  {
4717  saved_pid_file_name = strdup(filename);
4718  }
4719  }
4720 }
4721 
4722 /* remove PID file on exit, called from openvpn_exit() */
4723 void
4724 remove_pid_file(void)
4725 {
4726  if (saved_pid_file_name)
4727  {
4728  platform_unlink(saved_pid_file_name);
4729  }
4730 }
4731 
4732 
4733 /*
4734  * Do a loopback test
4735  * on the crypto subsystem.
4736  */
4737 static void *
4738 test_crypto_thread(void *arg)
4739 {
4740  struct context *c = (struct context *) arg;
4741  const struct options *options = &c->options;
4742 
4743  ASSERT(options->test_crypto);
4744  init_verb_mute(c, IVM_LEVEL_1);
4745  context_init_1(c);
4746  next_connection_entry(c);
4747  do_init_crypto_static(c, 0);
4748 
4749  frame_finalize_options(c, options);
4750 
4751  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4752 
4753  key_schedule_free(&c->c1.ks, true);
4754  packet_id_free(&c->c2.crypto_options.packet_id);
4755 
4756  context_gc_free(c);
4757  return NULL;
4758 }
4759 
4760 bool
4761 do_test_crypto(const struct options *o)
4762 {
4763  if (o->test_crypto)
4764  {
4765  struct context c;
4766 
4767  /* print version number */
4768  msg(M_INFO, "%s", title_string);
4769 
4770  context_clear(&c);
4771  c.options = *o;
4772  options_detach(&c.options);
4773  c.first_time = true;
4774  test_crypto_thread((void *) &c);
4775  return true;
4776  }
4777  return false;
4778 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:301
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:312
context_2::es
struct env_set * es
Definition: openvpn.h:440
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:184
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:178
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:570
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2570
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:336
management_close
void management_close(struct management *man)
Definition: manage.c:2689
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:432
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:258
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:555
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:290
options::sndbuf
int sndbuf
Definition: options.h:349
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:369
context_2::log_rw
bool log_rw
Definition: openvpn.h:402
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:474
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:286
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:329
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:405
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:613
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:692
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1545
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:364
tuntap
Definition: tun.h:151
options::ncp_enabled
bool ncp_enabled
Definition: options.h:508
options::management_flags
unsigned int management_flags
Definition: options.h:392
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2012
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:891
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2598
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:290
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:629
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:106
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:317
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1265
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:318
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:406
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:516
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1086
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5691
options::show_curves
bool show_curves
Definition: options.h:222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:626
options::cipher_list
const char * cipher_list
Definition: options.h:541
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
options::tls_server
bool tls_server
Definition: options.h:526
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1868
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1490
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:335
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1029
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3726
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:605
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2165
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:630
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1719
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:409
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:336
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:544
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:383
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:319
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:366
streq
#define streq(x, y)
Definition: options.h:656
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:431
options::chroot_dir
const char * chroot_dir
Definition: options.h:306
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:728
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3935
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3731
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2737
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:418
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:247
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:286
tls_options::mode
int mode
Definition: ssl_common.h:275
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2175
options::auth_token_generate
bool auth_token_generate
Definition: options.h:474
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
options::inetd
int inetd
Definition: options.h:323
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4393
tun_abort
void tun_abort(void)
Definition: init.c:2145
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:503
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:574
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3814
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2657
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:361
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:526
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
management::persist
struct man_persist persist
Definition: manage.h:318
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3204
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:375
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:255
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:214
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:685
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4661
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3471
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:327
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:502
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:329
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6683
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:183
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:634
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:4009
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:354
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1198
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:333
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:146
close_instance
void close_instance(struct context *c)
Definition: init.c:4455
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2826
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:579
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:341
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1290
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:664
options::persist_key
bool persist_key
Definition: options.h:291
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:152
options::replay_window
int replay_window
Definition: options.h:517
options::persist_mode
int persist_mode
Definition: options.h:215
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:457
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:330
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3862
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:389
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:288
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:315
options::rcvbuf
int rcvbuf
Definition: options.h:348
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:315
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:111
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:471
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:279
options::connection_list
struct connection_list * connection_list
Definition: options.h:231
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:408
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1339
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:238
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:181
options::exit_event_name
const char * exit_event_name
Definition: options.h:625
AR_NONE
#define AR_NONE
Definition: options.h:838
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:272
options::route_noexec
bool route_noexec
Definition: options.h:364
options::sockflags
unsigned int sockflags
Definition: options.h:356
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2526
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:173
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3591
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:226
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:382
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:300
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:16
options::route_script
const char * route_script
Definition: options.h:359
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:385
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:367
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:297
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:478
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:107
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:165
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:140
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3099
options::config
const char * config
Definition: options.h:201
options::route_delay
int route_delay
Definition: options.h:365
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4724
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:313
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:360
tls_options::gremlin
int gremlin
Definition: ssl_common.h:377
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3887
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:380
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:279
options::down_pre
bool down_pre
Definition: options.h:315
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:274
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:686
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:154
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:332
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1472
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:566
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:587
options::push_peer_info
bool push_peer_info
Definition: options.h:614
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:666
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:150
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:580
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3794
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:141
PING_RESTART
#define PING_RESTART
Definition: options.h:285
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3049
options::handshake_window
int handshake_window
Definition: options.h:584
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3924
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:130
tls_options
Definition: ssl_common.h:252
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:339
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:243
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:308
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:243
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:338
options::verify_x509_type
int verify_x509_type
Definition: options.h:547
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:237
close_management
void close_management(void)
Definition: init.c:4093
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:287
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:476
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:314
options::prng_hash
const char * prng_hash
Definition: options.h:512
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1941
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:280
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
D_LOW
#define D_LOW
Definition: errlevel.h:98
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:257
options::fast_io
bool fast_io
Definition: options.h:341
options::key_direction
int key_direction
Definition: options.h:504
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:281
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:193
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1576
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:164
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:75
init_static
bool init_static(void)
Definition: init.c:782
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:285
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: