OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
73 context_clear(struct context *c)
74 {
75  CLEAR(*c);
76 }
77 
78 void
79 context_clear_1(struct context *c)
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
85 context_clear_2(struct context *c)
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
91 context_clear_all_except_first_time(struct context *c)
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
193 update_options_ce_post(struct options *options)
194 {
195 #if P2MP
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
206  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
207  options->ping_rec_timeout_action = PING_RESTART;
208  }
209 #endif
210 }
211 
212 #ifdef ENABLE_MANAGEMENT
213 static bool
214 management_callback_proxy_cmd(void *arg, const char **p)
215 {
216  struct context *c = arg;
217  struct connection_entry *ce = &c->options.ce;
218  struct gc_arena *gc = &c->c2.gc;
219  bool ret = false;
220 
221  update_time();
222  if (streq(p[1], "NONE"))
223  {
224  ret = true;
225  }
226  else if (p[2] && p[3])
227  {
228  if (streq(p[1], "HTTP"))
229  {
230  struct http_proxy_options *ho;
231  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
232  {
233  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
234  return false;
235  }
236  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
237  ho->server = string_alloc(p[2], gc);
238  ho->port = string_alloc(p[3], gc);
239  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
240  ret = true;
241  }
242  else if (streq(p[1], "SOCKS"))
243  {
244  ce->socks_proxy_server = string_alloc(p[2], gc);
245  ce->socks_proxy_port = string_alloc(p[3], gc);
246  ret = true;
247  }
248  }
249  else
250  {
251  msg(M_WARN, "Bad proxy command");
252  }
253 
254  ce->flags &= ~CE_MAN_QUERY_PROXY;
255 
256  return ret;
257 }
258 
259 static bool
260 ce_management_query_proxy(struct context *c)
261 {
262  const struct connection_list *l = c->options.connection_list;
263  struct connection_entry *ce = &c->options.ce;
264  struct gc_arena gc;
265  bool ret = true;
266 
267  update_time();
268  if (management)
269  {
270  gc = gc_new();
271  {
272  struct buffer out = alloc_buf_gc(256, &gc);
273  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
274  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
275  management_notify_generic(management, BSTR(&out));
276  management->persist.special_state_msg = BSTR(&out);
277  }
278  ce->flags |= CE_MAN_QUERY_PROXY;
279  while (ce->flags & CE_MAN_QUERY_PROXY)
280  {
281  management_event_loop_n_seconds(management, 1);
282  if (IS_SIG(c))
283  {
284  ret = false;
285  break;
286  }
287  }
288  management->persist.special_state_msg = NULL;
289  gc_free(&gc);
290  }
291 
292  return ret;
293 }
294 
309 static bool
310 management_callback_send_cc_message(void *arg,
311  const char *command,
312  const char *parameters)
313 {
314  struct context *c = (struct context *) arg;
315  size_t len = strlen(command) + 1 + sizeof(parameters) + 1;
316  if (len > PUSH_BUNDLE_SIZE)
317  {
318  return false;
319  }
320 
321  struct gc_arena gc = gc_new();
322  struct buffer buf = alloc_buf_gc(len, &gc);
323  ASSERT(buf_printf(&buf, "%s", command));
324  if (parameters)
325  {
326  ASSERT(buf_printf(&buf, ",%s", parameters));
327  }
328  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
329 
330  gc_free(&gc);
331  return status;
332 }
333 
334 static bool
335 management_callback_remote_cmd(void *arg, const char **p)
336 {
337  struct context *c = (struct context *) arg;
338  struct connection_entry *ce = &c->options.ce;
339  int ret = false;
340  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
341  {
342  int flags = 0;
343  if (!strcmp(p[1], "ACCEPT"))
344  {
345  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
346  ret = true;
347  }
348  else if (!strcmp(p[1], "SKIP"))
349  {
350  flags = CE_MAN_QUERY_REMOTE_SKIP;
351  ret = true;
352  }
353  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
354  {
355  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
356  {
357  struct remote_host_store *rhs = c->options.rh_store;
358  if (!rhs)
359  {
360  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
361  c->options.rh_store = rhs;
362  }
363  strncpynt(rhs->host, p[2], RH_HOST_LEN);
364  strncpynt(rhs->port, p[3], RH_PORT_LEN);
365 
366  ce->remote = rhs->host;
367  ce->remote_port = rhs->port;
368  flags = CE_MAN_QUERY_REMOTE_MOD;
369  ret = true;
370  }
371  }
372  if (ret)
373  {
374  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
375  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
376  }
377  }
378  return ret;
379 }
380 
381 static bool
382 ce_management_query_remote(struct context *c)
383 {
384  struct gc_arena gc = gc_new();
385  volatile struct connection_entry *ce = &c->options.ce;
386  int ce_changed = true; /* presume the connection entry will be changed */
387 
388  update_time();
389  if (management)
390  {
391  struct buffer out = alloc_buf_gc(256, &gc);
392 
393  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
394  proto2ascii(ce->proto, ce->af, false));
395  management_notify_generic(management, BSTR(&out));
396  management->persist.special_state_msg = BSTR(&out);
397 
398  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
399  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
400  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
401  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
402  {
403  management_event_loop_n_seconds(management, 1);
404  if (IS_SIG(c))
405  {
406  ce_changed = false; /* connection entry have not been set */
407  break;
408  }
409  }
410  management->persist.special_state_msg = NULL;
411  }
412  gc_free(&gc);
413 
414  if (ce_changed)
415  {
416  /* If it is likely a connection entry was modified,
417  * check what changed in the flags and that it was not skipped
418  */
419  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
420  & CE_MAN_QUERY_REMOTE_MASK);
421  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
422  }
423  return ce_changed;
424 }
425 #endif /* ENABLE_MANAGEMENT */
426 
427 /*
428  * Initialize and possibly randomize connection list.
429  */
430 static void
431 init_connection_list(struct context *c)
432 {
433  struct connection_list *l = c->options.connection_list;
434 
435  l->current = -1;
436  if (c->options.remote_random)
437  {
438  int i;
439  for (i = 0; i < l->len; ++i)
440  {
441  const int j = get_random() % l->len;
442  if (i != j)
443  {
444  struct connection_entry *tmp;
445  tmp = l->array[i];
446  l->array[i] = l->array[j];
447  l->array[j] = tmp;
448  }
449  }
450  }
451 }
452 
453 /*
454  * Clear the remote address list
455  */
456 static void
457 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
458 {
459  if (lsa->remote_list && free)
460  {
461  freeaddrinfo(lsa->remote_list);
462  }
463  lsa->remote_list = NULL;
464  lsa->current_remote = NULL;
465 }
466 
467 /*
468  * Increment to next connection entry
469  */
470 static void
471 next_connection_entry(struct context *c)
472 {
473  struct connection_list *l = c->options.connection_list;
474  bool ce_defined;
475  struct connection_entry *ce;
476  int n_cycles = 0;
477 
478  do
479  {
480  ce_defined = true;
481  if (c->options.no_advance && l->current >= 0)
482  {
483  c->options.no_advance = false;
484  }
485  else
486  {
487  /* Check if there is another resolved address to try for
488  * the current connection */
489  if (c->c1.link_socket_addr.current_remote
490  && c->c1.link_socket_addr.current_remote->ai_next)
491  {
492  c->c1.link_socket_addr.current_remote =
493  c->c1.link_socket_addr.current_remote->ai_next;
494  }
495  else
496  {
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* close_instance should have cleared the addrinfo objects */
504  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
505  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
506  }
507  else
508  {
509  c->c1.link_socket_addr.current_remote =
510  c->c1.link_socket_addr.remote_list;
511  }
512 
513  /*
514  * Increase the number of connection attempts
515  * If this is connect-retry-max * size(l)
516  * OpenVPN will quit
517  */
518 
519  c->options.unsuccessful_attempts++;
520 
521  if (++l->current >= l->len)
522  {
523 
524  l->current = 0;
525  if (++n_cycles >= 2)
526  {
527  msg(M_FATAL, "No usable connection profiles are present");
528  }
529  }
530  }
531  }
532 
533  ce = l->array[l->current];
534 
535  if (ce->flags & CE_DISABLED)
536  {
537  ce_defined = false;
538  }
539 
540  c->options.ce = *ce;
541 #ifdef ENABLE_MANAGEMENT
542  if (ce_defined && management && management_query_remote_enabled(management))
543  {
544  /* allow management interface to override connection entry details */
545  ce_defined = ce_management_query_remote(c);
546  if (IS_SIG(c))
547  {
548  break;
549  }
550  }
551  else if (ce_defined && management && management_query_proxy_enabled(management))
552  {
553  ce_defined = ce_management_query_proxy(c);
554  if (IS_SIG(c))
555  {
556  break;
557  }
558  }
559 #endif
560  } while (!ce_defined);
561 
562  /* Check if this connection attempt would bring us over the limit */
563  if (c->options.connect_retry_max > 0
564  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
565  {
566  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
567  c->options.connect_retry_max);
568  }
569  update_options_ce_post(&c->options);
570 }
571 
572 /*
573  * Query for private key and auth-user-pass username/passwords
574  */
575 void
576 init_query_passwords(const struct context *c)
577 {
578  /* Certificate password input */
579  if (c->options.key_pass_file)
580  {
581  pem_password_setup(c->options.key_pass_file);
582  }
583 
584 #if P2MP
585  /* Auth user/pass input */
586  if (c->options.auth_user_pass_file)
587  {
588 #ifdef ENABLE_MANAGEMENT
589  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
590 #else
591  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
592 #endif
593  }
594 #endif
595 }
596 
597 /*
598  * Initialize/Uninitialize HTTP or SOCKS proxy
599  */
600 
601 static void
602 uninit_proxy_dowork(struct context *c)
603 {
604  if (c->c1.http_proxy_owned && c->c1.http_proxy)
605  {
606  http_proxy_close(c->c1.http_proxy);
607  c->c1.http_proxy = NULL;
608  c->c1.http_proxy_owned = false;
609  }
610  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
611  {
612  socks_proxy_close(c->c1.socks_proxy);
613  c->c1.socks_proxy = NULL;
614  c->c1.socks_proxy_owned = false;
615  }
616 }
617 
618 static void
619 init_proxy_dowork(struct context *c)
620 {
621  bool did_http = false;
622 
623  uninit_proxy_dowork(c);
624 
625  if (c->options.ce.http_proxy_options)
626  {
627  /* Possible HTTP proxy user/pass input */
628  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
629  if (c->c1.http_proxy)
630  {
631  did_http = true;
632  c->c1.http_proxy_owned = true;
633  }
634  }
635 
636  if (!did_http && c->options.ce.socks_proxy_server)
637  {
638  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
639  c->options.ce.socks_proxy_port,
640  c->options.ce.socks_proxy_authfile);
641  if (c->c1.socks_proxy)
642  {
643  c->c1.socks_proxy_owned = true;
644  }
645  }
646 }
647 
648 static void
649 init_proxy(struct context *c)
650 {
651  init_proxy_dowork(c);
652 }
653 
654 static void
655 uninit_proxy(struct context *c)
656 {
657  uninit_proxy_dowork(c);
658 }
659 
660 /*
661  * Saves the initial state of NCP-regotiable
662  * options into a storage which persists over SIGUSR1.
663  */
664 static void
665 save_ncp_options(struct context *c)
666 {
667  c->c1.ciphername = c->options.ciphername;
668  c->c1.authname = c->options.authname;
669  c->c1.keysize = c->options.keysize;
670 }
671 
672 /* Restores NCP-negotiable options to original values */
673 static void
674 restore_ncp_options(struct context *c)
675 {
676  c->options.ciphername = c->c1.ciphername;
677  c->options.authname = c->c1.authname;
678  c->options.keysize = c->c1.keysize;
679 }
680 
681 void
682 context_init_1(struct context *c)
683 {
684  context_clear_1(c);
685 
686  packet_id_persist_init(&c->c1.pid_persist);
687 
688  init_connection_list(c);
689 
690  save_ncp_options(c);
691 
692 #if defined(ENABLE_PKCS11)
693  if (c->first_time)
694  {
695  int i;
696  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
697  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
698  {
699  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
700  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
701  }
702  }
703 #endif
704 
705 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
706  {
707  /*
708  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
709  */
710  struct user_pass up;
711  CLEAR(up);
712  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
713  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
714  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
715  * 'needok' command, usually 'ok' or 'cancel'. */
716  }
717 #endif
718 
719 #ifdef ENABLE_SYSTEMD
720  /* We can report the PID via getpid() to systemd here as OpenVPN will not
721  * do any fork due to daemon() a future call.
722  * See possibly_become_daemon() [init.c] for more details.
723  */
724  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
725  (unsigned long) getpid());
726 #endif
727 
728 }
729 
730 void
731 context_gc_free(struct context *c)
732 {
733  gc_free(&c->c2.gc);
734  gc_free(&c->options.gc);
735  gc_free(&c->gc);
736 }
737 
738 #if PORT_SHARE
739 
740 static void
741 close_port_share(void)
742 {
743  if (port_share)
744  {
745  port_share_close(port_share);
746  port_share = NULL;
747  }
748 }
749 
750 static void
751 init_port_share(struct context *c)
752 {
753  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
754  {
755  port_share = port_share_open(c->options.port_share_host,
756  c->options.port_share_port,
757  MAX_RW_SIZE_LINK(&c->c2.frame),
758  c->options.port_share_journal_dir);
759  if (port_share == NULL)
760  {
761  msg(M_FATAL, "Fatal error: Port sharing failed");
762  }
763  }
764 }
765 
766 #endif /* if PORT_SHARE */
767 
768 
769 bool
770 init_static(void)
771 {
772  /* configure_path (); */
773 
774 #if defined(DMALLOC)
775  crypto_init_dmalloc();
776 #endif
777 
778 
779  /*
780  * Initialize random number seed. random() is only used
781  * when "weak" random numbers are acceptable.
782  * SSL library routines are always used when cryptographically
783  * strong random numbers are required.
784  */
785  struct timeval tv;
786  if (!gettimeofday(&tv, NULL))
787  {
788  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
789  srandom(seed);
790  }
791 
792  error_reset(); /* initialize error.c */
793  reset_check_status(); /* initialize status check code in socket.c */
794 
795 #ifdef _WIN32
796  init_win32();
797 #endif
798 
799 #ifdef OPENVPN_DEBUG_COMMAND_LINE
800  {
801  int i;
802  for (i = 0; i < argc; ++i)
803  {
804  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
805  }
806  }
807 #endif
808 
809  update_time();
810 
811  init_ssl_lib();
812 
813  /* init PRNG used for IV generation */
814  /* When forking, copy this to more places in the code to avoid fork
815  * random-state predictability */
816  prng_init(NULL, 0);
817 
818 #ifdef PID_TEST
819  packet_id_interactive_test(); /* test the sequence number code */
820  return false;
821 #endif
822 
823 #ifdef SCHEDULE_TEST
824  schedule_test();
825  return false;
826 #endif
827 
828 #ifdef LIST_TEST
829  list_test();
830  return false;
831 #endif
832 
833 #ifdef IFCONFIG_POOL_TEST
834  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
835  return false;
836 #endif
837 
838 #ifdef CHARACTER_CLASS_DEBUG
839  character_class_debug();
840  return false;
841 #endif
842 
843 #ifdef EXTRACT_X509_FIELD_TEST
844  extract_x509_field_test();
845  return false;
846 #endif
847 
848 #ifdef TIME_TEST
849  time_test();
850  return false;
851 #endif
852 
853 #ifdef TEST_GET_DEFAULT_GATEWAY
854  {
855  struct route_gateway_info rgi;
856  struct route_ipv6_gateway_info rgi6;
857  get_default_gateway(&rgi);
858  get_default_gateway_ipv6(&rgi6, NULL);
859  print_default_gateway(M_INFO, &rgi, &rgi6);
860  return false;
861  }
862 #endif
863 
864 #ifdef GEN_PATH_TEST
865  {
866  struct gc_arena gc = gc_new();
867  const char *fn = gen_path("foo",
868  "bar",
869  &gc);
870  printf("%s\n", fn);
871  gc_free(&gc);
872  }
873  return false;
874 #endif
875 
876 #ifdef STATUS_PRINTF_TEST
877  {
878  struct gc_arena gc = gc_new();
879  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
880  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
881  status_printf(so, "%s", "foo");
882  status_printf(so, "%s", "bar");
883  if (!status_close(so))
884  {
885  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
886  }
887  gc_free(&gc);
888  }
889  return false;
890 #endif
891 
892 #ifdef PRNG_TEST
893  {
894  struct gc_arena gc = gc_new();
895  uint8_t rndbuf[8];
896  int i;
897  prng_init("sha1", 16);
898  /*prng_init (NULL, 0);*/
899  const int factor = 1;
900  for (i = 0; i < factor * 8; ++i)
901  {
902 #if 1
903  prng_bytes(rndbuf, sizeof(rndbuf));
904 #else
905  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
906 #endif
907  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
908  }
909  gc_free(&gc);
910  prng_uninit();
911  return false;
912  }
913 #endif /* ifdef PRNG_TEST */
914 
915 #ifdef BUFFER_LIST_AGGREGATE_TEST
916  /* test buffer_list_aggregate function */
917  {
918  static const char *text[] = {
919  "It was a bright cold day in April, ",
920  "and the clocks were striking ",
921  "thirteen. ",
922  "Winston Smith, ",
923  "his chin nuzzled into his breast in an ",
924  "effort to escape the vile wind, ",
925  "slipped quickly through the glass doors ",
926  "of Victory Mansions, though not quickly ",
927  "enough to prevent a swirl of gritty dust from ",
928  "entering along with him."
929  };
930 
931  int iter, listcap;
932  for (listcap = 0; listcap < 12; ++listcap)
933  {
934  for (iter = 0; iter < 512; ++iter)
935  {
936  struct buffer_list *bl = buffer_list_new(listcap);
937  {
938  int i;
939  for (i = 0; i < SIZE(text); ++i)
940  {
941  buffer_list_push(bl, (unsigned char *)text[i]);
942  }
943  }
944  printf("[cap=%d i=%d] *************************\n", listcap, iter);
945  if (!(iter & 8))
946  {
947  buffer_list_aggregate(bl, iter/2);
948  }
949  if (!(iter & 16))
950  {
951  buffer_list_push(bl, (unsigned char *)"Even more text...");
952  }
953  buffer_list_aggregate(bl, iter);
954  if (!(iter & 1))
955  {
956  buffer_list_push(bl, (unsigned char *)"More text...");
957  }
958  {
959  struct buffer *buf;
960  while ((buf = buffer_list_peek(bl)))
961  {
962  int c;
963  printf("'");
964  while ((c = buf_read_u8(buf)) >= 0)
965  {
966  putchar(c);
967  }
968  printf("'\n");
969  buffer_list_advance(bl, 0);
970  }
971  }
972  buffer_list_free(bl);
973  }
974  }
975  return false;
976  }
977 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
978 
979 #ifdef MSTATS_TEST
980  {
981  int i;
982  mstats_open("/dev/shm/mstats.dat");
983  for (i = 0; i < 30; ++i)
984  {
985  mmap_stats->n_clients += 1;
986  mmap_stats->link_write_bytes += 8;
987  mmap_stats->link_read_bytes += 16;
988  sleep(1);
989  }
990  mstats_close();
991  return false;
992  }
993 #endif
994 
995  return true;
996 }
997 
998 void
999 uninit_static(void)
1000 {
1001  free_ssl_lib();
1002 
1003 #ifdef ENABLE_PKCS11
1004  pkcs11_terminate();
1005 #endif
1006 
1007 #if PORT_SHARE
1008  close_port_share();
1009 #endif
1010 
1011 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
1012  show_tls_performance_stats();
1013 #endif
1014 }
1015 
1016 void
1017 init_verb_mute(struct context *c, unsigned int flags)
1018 {
1019  if (flags & IVM_LEVEL_1)
1020  {
1021  /* set verbosity and mute levels */
1022  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1023  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1024  set_mute_cutoff(c->options.mute);
1025  }
1026 
1027  /* special D_LOG_RW mode */
1028  if (flags & IVM_LEVEL_2)
1029  {
1030  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1031  }
1032 }
1033 
1034 /*
1035  * Possibly set --dev based on --dev-node.
1036  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1037  * set --dev to tun.
1038  */
1039 void
1040 init_options_dev(struct options *options)
1041 {
1042  if (!options->dev && options->dev_node)
1043  {
1044  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1045  options->dev = basename(dev_node);
1046  }
1047 }
1048 
1049 bool
1050 print_openssl_info(const struct options *options)
1051 {
1052  /*
1053  * OpenSSL info print mode?
1054  */
1055  if (options->show_ciphers || options->show_digests || options->show_engines
1056  || options->show_tls_ciphers || options->show_curves)
1057  {
1058  if (options->show_ciphers)
1059  {
1060  show_available_ciphers();
1061  }
1062  if (options->show_digests)
1063  {
1064  show_available_digests();
1065  }
1066  if (options->show_engines)
1067  {
1068  show_available_engines();
1069  }
1070  if (options->show_tls_ciphers)
1071  {
1072  show_available_tls_ciphers(options->cipher_list,
1073  options->cipher_list_tls13,
1074  options->tls_cert_profile);
1075  }
1076  if (options->show_curves)
1077  {
1078  show_available_curves();
1079  }
1080  return true;
1081  }
1082  return false;
1083 }
1084 
1085 /*
1086  * Static pre-shared key generation mode?
1087  */
1088 bool
1089 do_genkey(const struct options *options)
1090 {
1091  /* should we disable paging? */
1092  if (options->mlock && (options->genkey))
1093  {
1094  platform_mlockall(true);
1095  }
1096 
1097  /*
1098  * We do not want user to use --genkey with --secret. In the transistion
1099  * phase we for secret.
1100  */
1101  if (options->genkey && options->genkey_type != GENKEY_SECRET
1102  && options->shared_secret_file)
1103  {
1104  msg(M_USAGE, "Using --genkey type with --secret filename is "
1105  "not supported. Use --genkey type filename instead.");
1106  }
1107  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1108  {
1109  int nbits_written;
1110  const char *genkey_filename = options->genkey_filename;
1111  if (options->shared_secret_file && options->genkey_filename)
1112  {
1113  msg(M_USAGE, "You must provide a filename to either --genkey "
1114  "or --secret, not both");
1115  }
1116 
1117  /*
1118  * Copy filename from shared_secret_file to genkey_filename to support
1119  * the old --genkey --secret foo.file syntax.
1120  */
1121  if (options->shared_secret_file)
1122  {
1123  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1124  "DEPRECATED. Use --genkey secret filename instead.");
1125  genkey_filename = options->shared_secret_file;
1126  }
1127 
1128  nbits_written = write_key_file(2, genkey_filename);
1129  if (nbits_written < 0)
1130  {
1131  msg(M_FATAL, "Failed to write key file");
1132  }
1133 
1134  msg(D_GENKEY | M_NOPREFIX,
1135  "Randomly generated %d bit key written to %s", nbits_written,
1136  options->shared_secret_file);
1137  return true;
1138  }
1139  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1140  {
1141  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1142  return true;
1143  }
1144  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1145  {
1146  if (!options->tls_crypt_v2_file)
1147  {
1148  msg(M_USAGE,
1149  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1150  }
1151 
1152  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1153  options->genkey_extra_data, options->tls_crypt_v2_file,
1154  options->tls_crypt_v2_file_inline);
1155  return true;
1156  }
1157  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1158  {
1159  auth_token_write_server_key_file(options->genkey_filename);
1160  return true;
1161  }
1162  else
1163  {
1164  return false;
1165  }
1166 }
1167 
1168 /*
1169  * Persistent TUN/TAP device management mode?
1170  */
1171 bool
1172 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1173 {
1174  if (options->persist_config)
1175  {
1176  /* sanity check on options for --mktun or --rmtun */
1177  notnull(options->dev, "TUN/TAP device (--dev)");
1178  if (options->ce.remote || options->ifconfig_local
1179  || options->ifconfig_remote_netmask
1180  || options->shared_secret_file
1181  || options->tls_server || options->tls_client
1182  )
1183  {
1184  msg(M_FATAL|M_OPTERR,
1185  "options --mktun or --rmtun should only be used together with --dev");
1186  }
1187 #ifdef ENABLE_FEATURE_TUN_PERSIST
1188  tuncfg(options->dev, options->dev_type, options->dev_node,
1189  options->persist_mode,
1190  options->username, options->groupname, &options->tuntap_options,
1191  ctx);
1192  if (options->persist_mode && options->lladdr)
1193  {
1194  set_lladdr(options->dev, options->lladdr, NULL);
1195  }
1196  return true;
1197 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1198  msg( M_FATAL|M_OPTERR,
1199  "options --mktun and --rmtun are not available on your operating "
1200  "system. Please check 'man tun' (or 'tap'), whether your system "
1201  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1202  "persistent tunnel interfaces.", options->dev );
1203 #endif
1204  }
1205  return false;
1206 }
1207 
1208 /*
1209  * Should we become a daemon?
1210  * Return true if we did it.
1211  */
1212 bool
1213 possibly_become_daemon(const struct options *options)
1214 {
1215  bool ret = false;
1216 
1217 #ifdef ENABLE_SYSTEMD
1218  /* return without forking if we are running from systemd */
1219  if (sd_notify(0, "READY=0") > 0)
1220  {
1221  return ret;
1222  }
1223 #endif
1224 
1225  if (options->daemon)
1226  {
1227  ASSERT(!options->inetd);
1228  /* Don't chdir immediately, but the end of the init sequence, if needed */
1229  if (daemon(1, options->log) < 0)
1230  {
1231  msg(M_ERR, "daemon() failed or unsupported");
1232  }
1233  restore_signal_state();
1234  if (options->log)
1235  {
1236  set_std_files_to_null(true);
1237  }
1238 
1239  ret = true;
1240  }
1241  return ret;
1242 }
1243 
1244 /*
1245  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1246  */
1247 static void
1248 do_uid_gid_chroot(struct context *c, bool no_delay)
1249 {
1250  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1251  struct context_0 *c0 = c->c0;
1252 
1253  if (c0 && !c0->uid_gid_chroot_set)
1254  {
1255  /* chroot if requested */
1256  if (c->options.chroot_dir)
1257  {
1258  if (no_delay)
1259  {
1260  platform_chroot(c->options.chroot_dir);
1261  }
1262  else if (c->first_time)
1263  {
1264  msg(M_INFO, "NOTE: chroot %s", why_not);
1265  }
1266  }
1267 
1268  /* set user and/or group if we want to setuid/setgid */
1269  if (c0->uid_gid_specified)
1270  {
1271  if (no_delay)
1272  {
1273  platform_group_set(&c0->platform_state_group);
1274  platform_user_set(&c0->platform_state_user);
1275  }
1276  else if (c->first_time)
1277  {
1278  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1279  }
1280  }
1281 
1282 #ifdef ENABLE_MEMSTATS
1283  if (c->first_time && c->options.memstats_fn)
1284  {
1285  mstats_open(c->options.memstats_fn);
1286  }
1287 #endif
1288 
1289 #ifdef ENABLE_SELINUX
1290  /* Apply a SELinux context in order to restrict what OpenVPN can do
1291  * to _only_ what it is supposed to do after initialization is complete
1292  * (basically just network I/O operations). Doing it after chroot
1293  * requires /proc to be mounted in the chroot (which is annoying indeed
1294  * but doing it before requires more complex SELinux policies.
1295  */
1296  if (c->options.selinux_context)
1297  {
1298  if (no_delay)
1299  {
1300  if (-1 == setcon(c->options.selinux_context))
1301  {
1302  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1303  }
1304  else
1305  {
1306  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1307  }
1308  }
1309  else if (c->first_time)
1310  {
1311  msg(M_INFO, "NOTE: setcon %s", why_not);
1312  }
1313  }
1314 #endif
1315 
1316  /* Privileges are going to be dropped by now (if requested), be sure
1317  * to prevent any future privilege dropping attempts from now on.
1318  */
1319  if (no_delay)
1320  {
1321  c0->uid_gid_chroot_set = true;
1322  }
1323  }
1324 }
1325 
1326 /*
1327  * Return common name in a way that is formatted for
1328  * prepending to msg() output.
1329  */
1330 const char *
1331 format_common_name(struct context *c, struct gc_arena *gc)
1332 {
1333  struct buffer out = alloc_buf_gc(256, gc);
1334  if (c->c2.tls_multi)
1335  {
1336  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1337  }
1338  return BSTR(&out);
1339 }
1340 
1341 void
1342 pre_setup(const struct options *options)
1343 {
1344 #ifdef _WIN32
1345  if (options->exit_event_name)
1346  {
1347  win32_signal_open(&win32_signal,
1348  WSO_FORCE_SERVICE,
1349  options->exit_event_name,
1350  options->exit_event_initial_state);
1351  }
1352  else
1353  {
1354  win32_signal_open(&win32_signal,
1355  WSO_FORCE_CONSOLE,
1356  NULL,
1357  false);
1358 
1359  /* put a title on the top window bar */
1360  if (win32_signal.mode == WSO_MODE_CONSOLE)
1361  {
1362  window_title_save(&window_title);
1363  window_title_generate(options->config);
1364  }
1365  }
1366 #endif /* ifdef _WIN32 */
1367 }
1368 
1369 void
1370 reset_coarse_timers(struct context *c)
1371 {
1372  c->c2.coarse_timer_wakeup = 0;
1373 }
1374 
1375 /*
1376  * Initialise the server poll timeout timer
1377  * This timer is used in the http/socks proxy setup so it needs to be setup
1378  * before
1379  */
1380 static void
1381 do_init_server_poll_timeout(struct context *c)
1382 {
1383  update_time();
1384  if (c->options.ce.connect_timeout)
1385  {
1386  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1387  }
1388 }
1389 
1390 /*
1391  * Initialize timers
1392  */
1393 static void
1394 do_init_timers(struct context *c, bool deferred)
1395 {
1396  update_time();
1397  reset_coarse_timers(c);
1398 
1399  /* initialize inactivity timeout */
1400  if (c->options.inactivity_timeout)
1401  {
1402  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1403  }
1404 
1405  /* initialize pings */
1406 
1407  if (c->options.ping_send_timeout)
1408  {
1409  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1410  }
1411 
1412  if (c->options.ping_rec_timeout)
1413  {
1414  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1415  }
1416 
1417  if (!deferred)
1418  {
1419  /* initialize connection establishment timer */
1420  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1421 
1422  /* initialize occ timers */
1423 
1424  if (c->options.occ
1425  && !TLS_MODE(c)
1426  && c->c2.options_string_local && c->c2.options_string_remote)
1427  {
1428  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1429  }
1430 
1431  if (c->options.mtu_test)
1432  {
1433  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1434  }
1435 
1436  /* initialize packet_id persistence timer */
1437  if (c->options.packet_id_file)
1438  {
1439  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1440  }
1441 
1442  /* initialize tmp_int optimization that limits the number of times we call
1443  * tls_multi_process in the main event loop */
1444  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1445  }
1446 }
1447 
1448 /*
1449  * Initialize traffic shaper.
1450  */
1451 static void
1452 do_init_traffic_shaper(struct context *c)
1453 {
1454 #ifdef ENABLE_FEATURE_SHAPER
1455  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1456  if (c->options.shaper)
1457  {
1458  shaper_init(&c->c2.shaper, c->options.shaper);
1459  shaper_msg(&c->c2.shaper);
1460  }
1461 #endif
1462 }
1463 
1464 /*
1465  * Allocate route list structures for IPv4 and IPv6
1466  * (we do this for IPv4 even if no --route option has been seen, as other
1467  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1468  */
1469 static void
1470 do_alloc_route_list(struct context *c)
1471 {
1472  if (!c->c1.route_list)
1473  {
1474  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1475  }
1476  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1477  {
1478  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1479  }
1480 }
1481 
1482 
1483 /*
1484  * Initialize the route list, resolving any DNS names in route
1485  * options and saving routes in the environment.
1486  */
1487 static void
1488 do_init_route_list(const struct options *options,
1489  struct route_list *route_list,
1490  const struct link_socket_info *link_socket_info,
1491  struct env_set *es,
1492  openvpn_net_ctx_t *ctx)
1493 {
1494  const char *gw = NULL;
1495  int dev = dev_type_enum(options->dev, options->dev_type);
1496  int metric = 0;
1497 
1498  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1499  {
1500  gw = options->ifconfig_remote_netmask;
1501  }
1502  if (options->route_default_gateway)
1503  {
1504  gw = options->route_default_gateway;
1505  }
1506  if (options->route_default_metric)
1507  {
1508  metric = options->route_default_metric;
1509  }
1510 
1511  if (init_route_list(route_list,
1512  options->routes,
1513  gw,
1514  metric,
1515  link_socket_current_remote(link_socket_info),
1516  es,
1517  ctx))
1518  {
1519  /* copy routes to environment */
1520  setenv_routes(es, route_list);
1521  }
1522 }
1523 
1524 static void
1525 do_init_route_ipv6_list(const struct options *options,
1526  struct route_ipv6_list *route_ipv6_list,
1527  const struct link_socket_info *link_socket_info,
1528  struct env_set *es,
1529  openvpn_net_ctx_t *ctx)
1530 {
1531  const char *gw = NULL;
1532  int metric = -1; /* no metric set */
1533 
1534  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1535  if (options->route_ipv6_default_gateway)
1536  {
1537  gw = options->route_ipv6_default_gateway;
1538  }
1539 
1540  if (options->route_default_metric)
1541  {
1542  metric = options->route_default_metric;
1543  }
1544 
1545  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1546  */
1547  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1548  {
1549  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1550  int i;
1551 
1552  for (i = 0; opt_list[i]; i++)
1553  {
1554  add_route_ipv6_to_option_list( options->routes_ipv6,
1555  string_alloc(opt_list[i], options->routes_ipv6->gc),
1556  NULL, NULL );
1557  }
1558  }
1559 
1560  if (init_route_ipv6_list(route_ipv6_list,
1561  options->routes_ipv6,
1562  gw,
1563  metric,
1564  link_socket_current_remote_ipv6(link_socket_info),
1565  es,
1566  ctx))
1567  {
1568  /* copy routes to environment */
1569  setenv_routes_ipv6(es, route_ipv6_list);
1570  }
1571 }
1572 
1573 
1574 /*
1575  * Called after all initialization has been completed.
1576  */
1577 void
1578 initialization_sequence_completed(struct context *c, const unsigned int flags)
1579 {
1580  static const char message[] = "Initialization Sequence Completed";
1581 
1582  /* Reset the unsuccessful connection counter on complete initialisation */
1583  c->options.unsuccessful_attempts = 0;
1584 
1585  /* If we delayed UID/GID downgrade or chroot, do it now */
1586  do_uid_gid_chroot(c, true);
1587 
1588 
1589  /*
1590  * In some cases (i.e. when receiving auth-token via
1591  * push-reply) the auth-nocache option configured on the
1592  * client is overridden; for this reason we have to wait
1593  * for the push-reply message before attempting to wipe
1594  * the user/pass entered by the user
1595  */
1596  if (c->options.mode == MODE_POINT_TO_POINT)
1597  {
1598  delayed_auth_pass_purge();
1599  }
1600 
1601  /* Test if errors */
1602  if (flags & ISC_ERRORS)
1603  {
1604 #ifdef _WIN32
1605  show_routes(M_INFO|M_NOPREFIX);
1606  show_adapters(M_INFO|M_NOPREFIX);
1607  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1608 #else
1609 #ifdef ENABLE_SYSTEMD
1610  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1611 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1612  msg(M_INFO, "%s With Errors", message);
1613 #endif
1614  }
1615  else
1616  {
1617 #ifdef ENABLE_SYSTEMD
1618  sd_notifyf(0, "STATUS=%s", message);
1619 #endif
1620  msg(M_INFO, "%s", message);
1621  }
1622 
1623  /* Flag that we initialized */
1624  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1625  {
1626  c->options.no_advance = true;
1627  }
1628 
1629 #ifdef _WIN32
1630  fork_register_dns_action(c->c1.tuntap);
1631 #endif
1632 
1633 #ifdef ENABLE_MANAGEMENT
1634  /* Tell management interface that we initialized */
1635  if (management)
1636  {
1637  in_addr_t *tun_local = NULL;
1638  struct in6_addr *tun_local6 = NULL;
1639  struct openvpn_sockaddr local, remote;
1640  struct link_socket_actual *actual;
1641  socklen_t sa_len = sizeof(local);
1642  const char *detail = "SUCCESS";
1643  if (flags & ISC_ERRORS)
1644  {
1645  detail = "ERROR";
1646  }
1647 
1648  CLEAR(local);
1649  actual = &get_link_socket_info(c)->lsa->actual;
1650  remote = actual->dest;
1651  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1652 #if ENABLE_IP_PKTINFO
1653  if (!addr_defined(&local))
1654  {
1655  switch (local.addr.sa.sa_family)
1656  {
1657  case AF_INET:
1658 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1659  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1660 #else
1661  local.addr.in4.sin_addr = actual->pi.in4;
1662 #endif
1663  break;
1664 
1665  case AF_INET6:
1666  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1667  break;
1668  }
1669  }
1670 #endif
1671 
1672  if (c->c1.tuntap)
1673  {
1674  tun_local = &c->c1.tuntap->local;
1675  tun_local6 = &c->c1.tuntap->local_ipv6;
1676  }
1677  management_set_state(management,
1678  OPENVPN_STATE_CONNECTED,
1679  detail,
1680  tun_local,
1681  tun_local6,
1682  &local,
1683  &remote);
1684  if (tun_local)
1685  {
1686  management_post_tunnel_open(management, *tun_local);
1687  }
1688  }
1689 #endif /* ifdef ENABLE_MANAGEMENT */
1690 }
1691 
1692 /*
1693  * Possibly add routes and/or call route-up script
1694  * based on options.
1695  */
1696 void
1697 do_route(const struct options *options,
1698  struct route_list *route_list,
1699  struct route_ipv6_list *route_ipv6_list,
1700  const struct tuntap *tt,
1701  const struct plugin_list *plugins,
1702  struct env_set *es,
1703  openvpn_net_ctx_t *ctx)
1704 {
1705  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1706  {
1707  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1708  es, ctx);
1709  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1710  }
1711 #ifdef ENABLE_MANAGEMENT
1712  if (management)
1713  {
1714  management_up_down(management, "UP", es);
1715  }
1716 #endif
1717 
1718  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1719  {
1720  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1721  {
1722  msg(M_WARN, "WARNING: route-up plugin call failed");
1723  }
1724  }
1725 
1726  if (options->route_script)
1727  {
1728  struct argv argv = argv_new();
1729  setenv_str(es, "script_type", "route-up");
1730  argv_parse_cmd(&argv, options->route_script);
1731  openvpn_run_script(&argv, es, 0, "--route-up");
1732  argv_free(&argv);
1733  }
1734 
1735 #ifdef _WIN32
1736  if (options->show_net_up)
1737  {
1738  show_routes(M_INFO|M_NOPREFIX);
1739  show_adapters(M_INFO|M_NOPREFIX);
1740  }
1741  else if (check_debug_level(D_SHOW_NET))
1742  {
1743  show_routes(D_SHOW_NET|M_NOPREFIX);
1744  show_adapters(D_SHOW_NET|M_NOPREFIX);
1745  }
1746 #endif
1747 }
1748 
1749 /*
1750  * initialize tun/tap device object
1751  */
1752 static void
1753 do_init_tun(struct context *c)
1754 {
1755  c->c1.tuntap = init_tun(c->options.dev,
1756  c->options.dev_type,
1757  c->options.topology,
1758  c->options.ifconfig_local,
1759  c->options.ifconfig_remote_netmask,
1760  c->options.ifconfig_ipv6_local,
1761  c->options.ifconfig_ipv6_netbits,
1762  c->options.ifconfig_ipv6_remote,
1763  c->c1.link_socket_addr.bind_local,
1764  c->c1.link_socket_addr.remote_list,
1765  !c->options.ifconfig_nowarn,
1766  c->c2.es,
1767  &c->net_ctx);
1768 
1769 #ifdef _WIN32
1770  c->c1.tuntap->windows_driver = c->options.windows_driver;
1771 #endif
1772 
1773  init_tun_post(c->c1.tuntap,
1774  &c->c2.frame,
1775  &c->options.tuntap_options);
1776 
1777  c->c1.tuntap_owned = true;
1778 }
1779 
1780 /*
1781  * Open tun/tap device, ifconfig, call up script, etc.
1782  */
1783 
1784 static bool
1785 do_open_tun(struct context *c)
1786 {
1787  struct gc_arena gc = gc_new();
1788  bool ret = false;
1789 
1790 #ifndef TARGET_ANDROID
1791  if (!c->c1.tuntap)
1792  {
1793 #endif
1794 
1795 #ifdef TARGET_ANDROID
1796  /* If we emulate persist-tun on android we still have to open a new tun and
1797  * then close the old */
1798  int oldtunfd = -1;
1799  if (c->c1.tuntap)
1800  {
1801  oldtunfd = c->c1.tuntap->fd;
1802  free(c->c1.tuntap);
1803  c->c1.tuntap = NULL;
1804  c->c1.tuntap_owned = false;
1805  }
1806 #endif
1807 
1808  /* initialize (but do not open) tun/tap object */
1809  do_init_tun(c);
1810 
1811 #ifdef _WIN32
1812  /* store (hide) interactive service handle in tuntap_options */
1813  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1814  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1815 #endif
1816 
1817  /* allocate route list structure */
1818  do_alloc_route_list(c);
1819 
1820  /* parse and resolve the route option list */
1821  ASSERT(c->c2.link_socket);
1822  if (c->options.routes && c->c1.route_list)
1823  {
1824  do_init_route_list(&c->options, c->c1.route_list,
1825  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1826  }
1827  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1828  {
1829  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1830  &c->c2.link_socket->info, c->c2.es,
1831  &c->net_ctx);
1832  }
1833 
1834  /* do ifconfig */
1835  if (!c->options.ifconfig_noexec
1836  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1837  {
1838  /* guess actual tun/tap unit number that will be returned
1839  * by open_tun */
1840  const char *guess = guess_tuntap_dev(c->options.dev,
1841  c->options.dev_type,
1842  c->options.dev_node,
1843  &gc);
1844  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1845  &c->net_ctx);
1846  }
1847 
1848  /* possibly add routes */
1849  if (route_order() == ROUTE_BEFORE_TUN)
1850  {
1851  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1852  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1853  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1854  }
1855 #ifdef TARGET_ANDROID
1856  /* Store the old fd inside the fd so open_tun can use it */
1857  c->c1.tuntap->fd = oldtunfd;
1858 #endif
1859  /* open the tun device */
1860  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1861  c->c1.tuntap);
1862 
1863  /* set the hardware address */
1864  if (c->options.lladdr)
1865  {
1866  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1867  }
1868 
1869  /* do ifconfig */
1870  if (!c->options.ifconfig_noexec
1871  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1872  {
1873  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1874  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1875  }
1876 
1877  /* run the up script */
1878  run_up_down(c->options.up_script,
1879  c->plugins,
1880  OPENVPN_PLUGIN_UP,
1881  c->c1.tuntap->actual_name,
1882 #ifdef _WIN32
1883  c->c1.tuntap->adapter_index,
1884 #endif
1885  dev_type_string(c->options.dev, c->options.dev_type),
1886  TUN_MTU_SIZE(&c->c2.frame),
1887  EXPANDED_SIZE(&c->c2.frame),
1888  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1889  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1890  "init",
1891  NULL,
1892  "up",
1893  c->c2.es);
1894 
1895 #if defined(_WIN32)
1896  if (c->options.block_outside_dns)
1897  {
1898  dmsg(D_LOW, "Blocking outside DNS");
1899  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1900  {
1901  msg(M_FATAL, "Blocking DNS failed!");
1902  }
1903  }
1904 #endif
1905 
1906  /* possibly add routes */
1907  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1908  {
1909  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1910  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1911  }
1912 
1913  /*
1914  * Did tun/tap driver give us an MTU?
1915  */
1916  if (c->c1.tuntap->post_open_mtu)
1917  {
1918  frame_set_mtu_dynamic(&c->c2.frame,
1919  c->c1.tuntap->post_open_mtu,
1920  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1921  }
1922 
1923  ret = true;
1924  static_context = c;
1925 #ifndef TARGET_ANDROID
1926 }
1927 else
1928 {
1929  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1930  c->c1.tuntap->actual_name);
1931 
1932  /* explicitly set the ifconfig_* env vars */
1933  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1934 
1935  /* run the up script if user specified --up-restart */
1936  if (c->options.up_restart)
1937  {
1938  run_up_down(c->options.up_script,
1939  c->plugins,
1940  OPENVPN_PLUGIN_UP,
1941  c->c1.tuntap->actual_name,
1942 #ifdef _WIN32
1943  c->c1.tuntap->adapter_index,
1944 #endif
1945  dev_type_string(c->options.dev, c->options.dev_type),
1946  TUN_MTU_SIZE(&c->c2.frame),
1947  EXPANDED_SIZE(&c->c2.frame),
1948  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1949  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1950  "restart",
1951  NULL,
1952  "up",
1953  c->c2.es);
1954  }
1955 #if defined(_WIN32)
1956  if (c->options.block_outside_dns)
1957  {
1958  dmsg(D_LOW, "Blocking outside DNS");
1959  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1960  {
1961  msg(M_FATAL, "Blocking DNS failed!");
1962  }
1963  }
1964 #endif
1965 
1966 }
1967 #endif /* ifndef TARGET_ANDROID */
1968  gc_free(&gc);
1969  return ret;
1970 }
1971 
1972 /*
1973  * Close TUN/TAP device
1974  */
1975 
1976 static void
1977 do_close_tun_simple(struct context *c)
1978 {
1979  msg(D_CLOSE, "Closing TUN/TAP interface");
1980  if (c->c1.tuntap)
1981  {
1982  close_tun(c->c1.tuntap, &c->net_ctx);
1983  c->c1.tuntap = NULL;
1984  }
1985  c->c1.tuntap_owned = false;
1986 #if P2MP
1987  CLEAR(c->c1.pulled_options_digest_save);
1988 #endif
1989 }
1990 
1991 static void
1992 do_close_tun(struct context *c, bool force)
1993 {
1994  struct gc_arena gc = gc_new();
1995  if (c->c1.tuntap && c->c1.tuntap_owned)
1996  {
1997  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1998 #ifdef _WIN32
1999  DWORD adapter_index = c->c1.tuntap->adapter_index;
2000 #endif
2001  const in_addr_t local = c->c1.tuntap->local;
2002  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2003 
2004  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2005  {
2006  static_context = NULL;
2007 
2008 #ifdef ENABLE_MANAGEMENT
2009  /* tell management layer we are about to close the TUN/TAP device */
2010  if (management)
2011  {
2012  management_pre_tunnel_close(management);
2013  management_up_down(management, "DOWN", c->c2.es);
2014  }
2015 #endif
2016 
2017  /* delete any routes we added */
2018  if (c->c1.route_list || c->c1.route_ipv6_list)
2019  {
2020  run_up_down(c->options.route_predown_script,
2021  c->plugins,
2022  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2023  tuntap_actual,
2024 #ifdef _WIN32
2025  adapter_index,
2026 #endif
2027  NULL,
2028  TUN_MTU_SIZE(&c->c2.frame),
2029  EXPANDED_SIZE(&c->c2.frame),
2030  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2031  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2032  "init",
2033  signal_description(c->sig->signal_received,
2034  c->sig->signal_text),
2035  "route-pre-down",
2036  c->c2.es);
2037 
2038  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2039  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2040  c->c2.es, &c->net_ctx);
2041  }
2042 
2043  /* actually close tun/tap device based on --down-pre flag */
2044  if (!c->options.down_pre)
2045  {
2046  do_close_tun_simple(c);
2047  }
2048 
2049  /* Run the down script -- note that it will run at reduced
2050  * privilege if, for example, "--user nobody" was used. */
2051  run_up_down(c->options.down_script,
2052  c->plugins,
2053  OPENVPN_PLUGIN_DOWN,
2054  tuntap_actual,
2055 #ifdef _WIN32
2056  adapter_index,
2057 #endif
2058  NULL,
2059  TUN_MTU_SIZE(&c->c2.frame),
2060  EXPANDED_SIZE(&c->c2.frame),
2061  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2062  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2063  "init",
2064  signal_description(c->sig->signal_received,
2065  c->sig->signal_text),
2066  "down",
2067  c->c2.es);
2068 
2069 #if defined(_WIN32)
2070  if (c->options.block_outside_dns)
2071  {
2072  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2073  {
2074  msg(M_FATAL, "Uninitialising WFP failed!");
2075  }
2076  }
2077 #endif
2078 
2079  /* actually close tun/tap device based on --down-pre flag */
2080  if (c->options.down_pre)
2081  {
2082  do_close_tun_simple(c);
2083  }
2084  }
2085  else
2086  {
2087  /* run the down script on this restart if --up-restart was specified */
2088  if (c->options.up_restart)
2089  {
2090  run_up_down(c->options.down_script,
2091  c->plugins,
2092  OPENVPN_PLUGIN_DOWN,
2093  tuntap_actual,
2094 #ifdef _WIN32
2095  adapter_index,
2096 #endif
2097  NULL,
2098  TUN_MTU_SIZE(&c->c2.frame),
2099  EXPANDED_SIZE(&c->c2.frame),
2100  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2101  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2102  "restart",
2103  signal_description(c->sig->signal_received,
2104  c->sig->signal_text),
2105  "down",
2106  c->c2.es);
2107  }
2108 
2109 #if defined(_WIN32)
2110  if (c->options.block_outside_dns)
2111  {
2112  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2113  {
2114  msg(M_FATAL, "Uninitialising WFP failed!");
2115  }
2116  }
2117 #endif
2118 
2119  }
2120  }
2121  gc_free(&gc);
2122 }
2123 
2124 void
2125 tun_abort(void)
2126 {
2127  struct context *c = static_context;
2128  if (c)
2129  {
2130  static_context = NULL;
2131  do_close_tun(c, true);
2132  }
2133 }
2134 
2135 /*
2136  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2137  */
2138 
2139 #if P2MP
2140 
2144 static bool
2145 options_hash_changed_or_zero(const struct sha256_digest *a,
2146  const struct sha256_digest *b)
2147 {
2148  const struct sha256_digest zero = {{0}};
2149  return memcmp(a, b, sizeof(struct sha256_digest))
2150  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2151 }
2152 #endif /* P2MP */
2153 
2154 bool
2155 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2156 {
2157  if (!c->c2.do_up_ran)
2158  {
2159  reset_coarse_timers(c);
2160 
2161  if (pulled_options)
2162  {
2163  if (!do_deferred_options(c, option_types_found))
2164  {
2165  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2166  return false;
2167  }
2168  }
2169 
2170  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2171  if (c->options.up_delay || PULL_DEFINED(&c->options))
2172  {
2173  c->c2.did_open_tun = do_open_tun(c);
2174  update_time();
2175 
2176 #if P2MP
2177  /*
2178  * Was tun interface object persisted from previous restart iteration,
2179  * and if so did pulled options string change from previous iteration?
2180  */
2181  if (!c->c2.did_open_tun
2182  && PULL_DEFINED(&c->options)
2183  && c->c1.tuntap
2184  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2185  &c->c2.pulled_options_digest))
2186  {
2187  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2188  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2189  do_close_tun(c, true);
2190  management_sleep(1);
2191  c->c2.did_open_tun = do_open_tun(c);
2192  update_time();
2193  }
2194 #endif
2195  }
2196 
2197  if (c->c2.did_open_tun)
2198  {
2199 #if P2MP
2200  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2201 #endif
2202 
2203  /* if --route-delay was specified, start timer */
2204  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2205  {
2206  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2207  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2208  if (c->c1.tuntap)
2209  {
2210  tun_standby_init(c->c1.tuntap);
2211  }
2212  }
2213  else
2214  {
2215  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2216  }
2217  }
2218  else if (c->options.mode == MODE_POINT_TO_POINT)
2219  {
2220  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2221  }
2222 
2223  c->c2.do_up_ran = true;
2224  }
2225  return true;
2226 }
2227 
2228 /*
2229  * These are the option categories which will be accepted by pull.
2230  */
2231 unsigned int
2232 pull_permission_mask(const struct context *c)
2233 {
2234  unsigned int flags =
2235  OPT_P_UP
2236  | OPT_P_ROUTE_EXTRAS
2237  | OPT_P_SOCKBUF
2238  | OPT_P_SOCKFLAGS
2239  | OPT_P_SETENV
2240  | OPT_P_SHAPER
2241  | OPT_P_TIMER
2242  | OPT_P_COMP
2243  | OPT_P_PERSIST
2244  | OPT_P_MESSAGES
2245  | OPT_P_EXPLICIT_NOTIFY
2246  | OPT_P_ECHO
2247  | OPT_P_PULL_MODE
2248  | OPT_P_PEER_ID;
2249 
2250  if (!c->options.route_nopull)
2251  {
2252  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2253  }
2254 
2255  if (c->options.ncp_enabled)
2256  {
2257  flags |= OPT_P_NCP;
2258  }
2259 
2260  return flags;
2261 }
2262 
2263 /*
2264  * Handle non-tun-related pulled options.
2265  */
2266 bool
2267 do_deferred_options(struct context *c, const unsigned int found)
2268 {
2269  if (found & OPT_P_MESSAGES)
2270  {
2271  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2272  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2273  }
2274  if (found & OPT_P_TIMER)
2275  {
2276  do_init_timers(c, true);
2277  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2278  }
2279 
2280  if (found & OPT_P_EXPLICIT_NOTIFY)
2281  {
2282  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2283  {
2284  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2285  c->options.ce.explicit_exit_notification = 0;
2286  }
2287  else
2288  {
2289  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2290  }
2291  }
2292 
2293 #ifdef USE_COMP
2294  if (found & OPT_P_COMP)
2295  {
2296  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2297  comp_uninit(c->c2.comp_context);
2298  c->c2.comp_context = comp_init(&c->options.comp);
2299  }
2300 #endif
2301 
2302  if (found & OPT_P_SHAPER)
2303  {
2304  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2305  do_init_traffic_shaper(c);
2306  }
2307 
2308  if (found & OPT_P_SOCKBUF)
2309  {
2310  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2311  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2312  }
2313 
2314  if (found & OPT_P_SOCKFLAGS)
2315  {
2316  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2317  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2318  }
2319 
2320  if (found & OPT_P_PERSIST)
2321  {
2322  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2323  }
2324  if (found & OPT_P_UP)
2325  {
2326  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2327  }
2328  if (found & OPT_P_ROUTE)
2329  {
2330  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2331  }
2332  if (found & OPT_P_ROUTE_EXTRAS)
2333  {
2334  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2335  }
2336  if (found & OPT_P_IPWIN32)
2337  {
2338  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2339  }
2340  if (found & OPT_P_SETENV)
2341  {
2342  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2343  }
2344 
2345  if (found & OPT_P_PEER_ID)
2346  {
2347  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2348  c->c2.tls_multi->use_peer_id = true;
2349  c->c2.tls_multi->peer_id = c->options.peer_id;
2350  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2351  if (!c->options.ce.link_mtu_defined)
2352  {
2353  frame_add_to_link_mtu(&c->c2.frame, +3);
2354  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2355  EXPANDED_SIZE(&c->c2.frame));
2356  }
2357  else
2358  {
2359  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2360  " fixed by config - reducing tun-mtu to %d, expect"
2361  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2362  }
2363  }
2364 
2365  /* process (potentially pushed) crypto options */
2366  if (c->options.pull)
2367  {
2368  if (!check_pull_client_ncp(c, found))
2369  {
2370  return false;
2371  }
2372  struct frame *frame_fragment = NULL;
2373 #ifdef ENABLE_FRAGMENT
2374  if (c->options.ce.fragment)
2375  {
2376  frame_fragment = &c->c2.frame_fragment;
2377  }
2378 #endif
2379 
2380  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2381  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2382  frame_fragment))
2383  {
2384  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2385  return false;
2386  }
2387  }
2388 
2389  return true;
2390 }
2391 
2392 /*
2393  * Possible hold on initialization, holdtime is the
2394  * time OpenVPN would wait without management
2395  */
2396 static bool
2397 do_hold(int holdtime)
2398 {
2399 #ifdef ENABLE_MANAGEMENT
2400  if (management)
2401  {
2402  /* block until management hold is released */
2403  if (management_hold(management, holdtime))
2404  {
2405  return true;
2406  }
2407  }
2408 #endif
2409  return false;
2410 }
2411 
2412 /*
2413  * Sleep before restart.
2414  */
2415 static void
2416 socket_restart_pause(struct context *c)
2417 {
2418  int sec = 2;
2419  int backoff = 0;
2420 
2421  switch (c->options.ce.proto)
2422  {
2423  case PROTO_TCP_SERVER:
2424  sec = 1;
2425  break;
2426 
2427  case PROTO_UDP:
2428  case PROTO_TCP_CLIENT:
2429  sec = c->options.ce.connect_retry_seconds;
2430  break;
2431  }
2432 
2433 #ifdef ENABLE_DEBUG
2434  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2435  {
2436  sec = 0;
2437  }
2438 #endif
2439 
2440 #if P2MP
2441  if (auth_retry_get() == AR_NOINTERACT)
2442  {
2443  sec = 10;
2444  }
2445 #endif
2446 
2447  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2448  if (c->options.ce.proto != PROTO_TCP_SERVER)
2449  {
2450  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2451  if (backoff > 0)
2452  {
2453  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2454  sec = max_int(sec, 1) << min_int(backoff, 15);
2455  }
2456 
2457  if (sec > c->options.ce.connect_retry_seconds_max)
2458  {
2459  sec = c->options.ce.connect_retry_seconds_max;
2460  }
2461  }
2462 
2463  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2464  {
2465  sec = c->persist.restart_sleep_seconds;
2466  }
2467  else if (c->persist.restart_sleep_seconds == -1)
2468  {
2469  sec = 0;
2470  }
2471  c->persist.restart_sleep_seconds = 0;
2472 
2473  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2474  if (do_hold(sec))
2475  {
2476  sec = 0;
2477  }
2478 
2479  if (sec)
2480  {
2481  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2482  management_sleep(sec);
2483  }
2484 }
2485 
2486 /*
2487  * Do a possible pause on context_2 initialization.
2488  */
2489 static void
2490 do_startup_pause(struct context *c)
2491 {
2492  if (!c->first_time)
2493  {
2494  socket_restart_pause(c);
2495  }
2496  else
2497  {
2498  do_hold(0); /* do management hold on first context initialization */
2499  }
2500 }
2501 
2502 /*
2503  * Finalize MTU parameters based on command line or config file options.
2504  */
2505 static void
2506 frame_finalize_options(struct context *c, const struct options *o)
2507 {
2508  if (!o)
2509  {
2510  o = &c->options;
2511  }
2512 
2513  /*
2514  * Set adjustment factor for buffer alignment when no
2515  * cipher is used.
2516  */
2517  if (!CIPHER_ENABLED(c))
2518  {
2519  frame_align_to_extra_frame(&c->c2.frame);
2520  frame_or_align_flags(&c->c2.frame,
2521  FRAME_HEADROOM_MARKER_FRAGMENT
2522  |FRAME_HEADROOM_MARKER_READ_LINK
2523  |FRAME_HEADROOM_MARKER_READ_STREAM);
2524  }
2525 
2526  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2527  frame_finalize(&c->c2.frame,
2528  o->ce.link_mtu_defined,
2529  o->ce.link_mtu,
2530  o->ce.tun_mtu_defined,
2531  o->ce.tun_mtu);
2532 }
2533 
2534 /*
2535  * Free a key schedule, including OpenSSL components.
2536  */
2537 static void
2538 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2539 {
2540  free_key_ctx_bi(&ks->static_key);
2541  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2542  {
2543  tls_ctx_free(&ks->ssl_ctx);
2544  free_key_ctx(&ks->tls_crypt_v2_server_key);
2545  }
2546  CLEAR(*ks);
2547 }
2548 
2549 static void
2550 init_crypto_pre(struct context *c, const unsigned int flags)
2551 {
2552  if (c->options.engine)
2553  {
2554  crypto_init_lib_engine(c->options.engine);
2555  }
2556 
2557  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2558  {
2559  /* load a persisted packet-id for cross-session replay-protection */
2560  if (c->options.packet_id_file)
2561  {
2562  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2563  }
2564  }
2565 
2566 #ifdef ENABLE_PREDICTION_RESISTANCE
2567  if (c->options.use_prediction_resistance)
2568  {
2569  rand_ctx_enable_prediction_resistance();
2570  }
2571 #endif
2572 }
2573 
2574 /*
2575  * Static Key Mode (using a pre-shared key)
2576  */
2577 static void
2578 do_init_crypto_static(struct context *c, const unsigned int flags)
2579 {
2580  const struct options *options = &c->options;
2581  ASSERT(options->shared_secret_file);
2582 
2583  init_crypto_pre(c, flags);
2584 
2585  /* Initialize flags */
2586  if (c->options.mute_replay_warnings)
2587  {
2588  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2589  }
2590 
2591  /* Initialize packet ID tracking */
2592  if (options->replay)
2593  {
2594  packet_id_init(&c->c2.crypto_options.packet_id,
2595  options->replay_window,
2596  options->replay_time,
2597  "STATIC", 0);
2598  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2599  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2600  packet_id_persist_load_obj(&c->c1.pid_persist,
2601  &c->c2.crypto_options.packet_id);
2602  }
2603 
2604  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2605  {
2606  /* Get cipher & hash algorithms */
2607  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2608  options->keysize, options->test_crypto, true);
2609 
2610  /* Read cipher and hmac keys from shared secret file */
2611  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2612  options->shared_secret_file,
2613  options->shared_secret_file_inline,
2614  options->key_direction, "Static Key Encryption",
2615  "secret");
2616  }
2617  else
2618  {
2619  msg(M_INFO, "Re-using pre-shared static key");
2620  }
2621 
2622  /* Get key schedule */
2623  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2624 
2625  /* Compute MTU parameters */
2626  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2627  options->replay, true);
2628 
2629  /* Sanity check on sequence number, and cipher mode options */
2630  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2631 }
2632 
2633 /*
2634  * Initialize the tls-auth/crypt key context
2635  */
2636 static void
2637 do_init_tls_wrap_key(struct context *c)
2638 {
2639  const struct options *options = &c->options;
2640 
2641  /* TLS handshake authentication (--tls-auth) */
2642  if (options->ce.tls_auth_file)
2643  {
2644  /* Initialize key_type for tls-auth with auth only */
2645  CLEAR(c->c1.ks.tls_auth_key_type);
2646  if (!streq(options->authname, "none"))
2647  {
2648  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2649  c->c1.ks.tls_auth_key_type.hmac_length =
2650  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2651  }
2652  else
2653  {
2654  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2655  "algorithm specified ('%s')", options->authname);
2656  }
2657 
2658  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2659  &c->c1.ks.tls_wrap_key,
2660  options->ce.tls_auth_file,
2661  options->ce.tls_auth_file_inline,
2662  options->ce.key_direction,
2663  "Control Channel Authentication", "tls-auth");
2664  }
2665 
2666  /* TLS handshake encryption+authentication (--tls-crypt) */
2667  if (options->ce.tls_crypt_file)
2668  {
2669  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2670  options->ce.tls_crypt_file,
2671  options->ce.tls_crypt_file_inline,
2672  options->tls_server);
2673  }
2674 
2675  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2676  if (options->ce.tls_crypt_v2_file)
2677  {
2678  if (options->tls_server)
2679  {
2680  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2681  true, options->ce.tls_crypt_v2_file,
2682  options->ce.tls_crypt_v2_file_inline);
2683  }
2684  else
2685  {
2686  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2687  &c->c1.ks.tls_crypt_v2_wkc,
2688  options->ce.tls_crypt_v2_file,
2689  options->ce.tls_crypt_v2_file_inline);
2690  }
2691  }
2692 
2693 
2694 }
2695 
2696 /*
2697  * Initialise the auth-token key context
2698  */
2699 static void
2700 do_init_auth_token_key(struct context *c)
2701 {
2702  if (!c->options.auth_token_generate)
2703  {
2704  return;
2705  }
2706 
2707  auth_token_init_secret(&c->c1.ks.auth_token_key,
2708  c->options.auth_token_secret_file,
2709  c->options.auth_token_secret_file_inline);
2710 }
2711 
2712 /*
2713  * Initialize the persistent component of OpenVPN's TLS mode,
2714  * which is preserved across SIGUSR1 resets.
2715  */
2716 static void
2717 do_init_crypto_tls_c1(struct context *c)
2718 {
2719  const struct options *options = &c->options;
2720 
2721  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2722  {
2723  /*
2724  * Initialize the OpenSSL library's global
2725  * SSL context.
2726  */
2727  init_ssl(options, &(c->c1.ks.ssl_ctx));
2728  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2729  {
2730 #if P2MP
2731  switch (auth_retry_get())
2732  {
2733  case AR_NONE:
2734  msg(M_FATAL, "Error: private key password verification failed");
2735  break;
2736 
2737  case AR_INTERACT:
2738  ssl_purge_auth(false);
2739 
2740  case AR_NOINTERACT:
2741  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2742  break;
2743 
2744  default:
2745  ASSERT(0);
2746  }
2747  c->sig->signal_text = "private-key-password-failure";
2748  return;
2749 #else /* if P2MP */
2750  msg(M_FATAL, "Error: private key password verification failed");
2751 #endif /* if P2MP */
2752  }
2753 
2754  /* Do not warn if we only have BF-CBC in options->ciphername
2755  * because it is still the default cipher */
2756  bool warn = !streq(options->ciphername, "BF-CBC")
2757  || options->enable_ncp_fallback;
2758  /* Get cipher & hash algorithms */
2759  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2760  options->keysize, true, warn);
2761 
2762  /* Initialize PRNG with config-specified digest */
2763  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2764 
2765  /* initialize tls-auth/crypt/crypt-v2 key */
2766  do_init_tls_wrap_key(c);
2767 
2768  /* initialise auth-token crypto support */
2769  do_init_auth_token_key(c);
2770 
2771 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2772  if (options->priv_key_file_inline)
2773  {
2774  string_clear(c->options.priv_key_file_inline);
2775  c->options.priv_key_file_inline = NULL;
2776  }
2777 #endif
2778  }
2779  else
2780  {
2781  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2782 
2783  /*
2784  * tls-auth/crypt key can be configured per connection block, therefore
2785  * we must reload it as it may have changed
2786  */
2787  do_init_tls_wrap_key(c);
2788  }
2789 }
2790 
2791 static void
2792 do_init_crypto_tls(struct context *c, const unsigned int flags)
2793 {
2794  const struct options *options = &c->options;
2795  struct tls_options to;
2796  bool packet_id_long_form;
2797 
2798  ASSERT(options->tls_server || options->tls_client);
2799  ASSERT(!options->test_crypto);
2800 
2801  init_crypto_pre(c, flags);
2802 
2803  /* Make sure we are either a TLS client or server but not both */
2804  ASSERT(options->tls_server == !options->tls_client);
2805 
2806  /* initialize persistent component */
2807  do_init_crypto_tls_c1(c);
2808  if (IS_SIG(c))
2809  {
2810  return;
2811  }
2812 
2813  /* Sanity check on sequence number, and cipher mode options */
2814  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2815 
2816  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2817  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2818 
2819  /* Compute MTU parameters (postpone if we push/pull options) */
2820  if (c->options.pull || c->options.mode == MODE_SERVER)
2821  {
2822  /* Account for worst-case crypto overhead before allocating buffers */
2823  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2824  }
2825  else
2826  {
2827  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2828  options->replay, packet_id_long_form);
2829  }
2830  tls_adjust_frame_parameters(&c->c2.frame);
2831 
2832  /* Set all command-line TLS-related options */
2833  CLEAR(to);
2834 
2835  if (options->mute_replay_warnings)
2836  {
2837  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2838  }
2839 
2840  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2841  if (packet_id_long_form)
2842  {
2843  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2844  }
2845 
2846  to.ssl_ctx = c->c1.ks.ssl_ctx;
2847  to.key_type = c->c1.ks.key_type;
2848  to.server = options->tls_server;
2849  to.replay = options->replay;
2850  to.replay_window = options->replay_window;
2851  to.replay_time = options->replay_time;
2852  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2853  to.config_ciphername = c->c1.ciphername;
2854  to.config_ncp_ciphers = options->ncp_ciphers;
2855  to.ncp_enabled = options->ncp_enabled;
2856  to.transition_window = options->transition_window;
2857  to.handshake_window = options->handshake_window;
2858  to.packet_timeout = options->tls_timeout;
2859  to.renegotiate_bytes = options->renegotiate_bytes;
2860  to.renegotiate_packets = options->renegotiate_packets;
2861  if (options->renegotiate_seconds_min < 0)
2862  {
2863  /* Add 10% jitter to reneg-sec by default (server side only) */
2864  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2865  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2866  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2867  }
2868  else
2869  {
2870  /* Add user-specified jitter to reneg-sec */
2871  to.renegotiate_seconds = options->renegotiate_seconds
2872  -(get_random() % max_int(options->renegotiate_seconds
2873  - options->renegotiate_seconds_min, 1));
2874  }
2875  to.single_session = options->single_session;
2876  to.mode = options->mode;
2877  to.pull = options->pull;
2878  if (options->push_peer_info) /* all there is */
2879  {
2880  to.push_peer_info_detail = 2;
2881  }
2882  else if (options->pull) /* pull clients send some details */
2883  {
2884  to.push_peer_info_detail = 1;
2885  }
2886  else /* default: no peer-info at all */
2887  {
2888  to.push_peer_info_detail = 0;
2889  }
2890 
2891  /* should we not xmit any packets until we get an initial
2892  * response from client? */
2893  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2894  {
2895  to.xmit_hold = true;
2896  }
2897 
2898  to.disable_occ = !options->occ;
2899 
2900  to.verify_command = options->tls_verify;
2901  to.verify_export_cert = options->tls_export_cert;
2902  to.verify_x509_type = (options->verify_x509_type & 0xff);
2903  to.verify_x509_name = options->verify_x509_name;
2904  to.crl_file = options->crl_file;
2905  to.crl_file_inline = options->crl_file_inline;
2906  to.ssl_flags = options->ssl_flags;
2907  to.ns_cert_type = options->ns_cert_type;
2908  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2909  to.remote_cert_eku = options->remote_cert_eku;
2910  to.verify_hash = options->verify_hash;
2911  to.verify_hash_algo = options->verify_hash_algo;
2912 #ifdef ENABLE_X509ALTUSERNAME
2913  to.x509_username_field = (char *) options->x509_username_field;
2914 #else
2915  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2916 #endif
2917  to.es = c->c2.es;
2918  to.net_ctx = &c->net_ctx;
2919 
2920 #ifdef ENABLE_DEBUG
2921  to.gremlin = c->options.gremlin;
2922 #endif
2923 
2924  to.plugins = c->plugins;
2925 
2926 #ifdef MANAGEMENT_DEF_AUTH
2927  to.mda_context = &c->c2.mda_context;
2928 #endif
2929 
2930  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2931  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2932  to.tmp_dir = options->tmp_dir;
2933  if (options->ccd_exclusive)
2934  {
2935  to.client_config_dir_exclusive = options->client_config_dir;
2936  }
2937  to.auth_user_pass_file = options->auth_user_pass_file;
2938  to.auth_token_generate = options->auth_token_generate;
2939  to.auth_token_lifetime = options->auth_token_lifetime;
2940  to.auth_token_call_auth = options->auth_token_call_auth;
2941  to.auth_token_key = c->c1.ks.auth_token_key;
2942 
2943  to.x509_track = options->x509_track;
2944 
2945 #if P2MP
2946 #ifdef ENABLE_MANAGEMENT
2947  to.sci = &options->sc_info;
2948 #endif
2949 #endif
2950 
2951 #ifdef USE_COMP
2952  to.comp_options = options->comp;
2953 #endif
2954 
2955 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2956  if (options->keying_material_exporter_label)
2957  {
2958  to.ekm_size = options->keying_material_exporter_length;
2959  if (to.ekm_size < 16 || to.ekm_size > 4095)
2960  {
2961  to.ekm_size = 0;
2962  }
2963 
2964  to.ekm_label = options->keying_material_exporter_label;
2965  to.ekm_label_size = strlen(to.ekm_label);
2966  }
2967  else
2968  {
2969  to.ekm_size = 0;
2970  }
2971 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2972 
2973  /* TLS handshake authentication (--tls-auth) */
2974  if (options->ce.tls_auth_file)
2975  {
2976  to.tls_wrap.mode = TLS_WRAP_AUTH;
2977  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2978  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2979  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2980  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2981  true, true);
2982  }
2983 
2984  /* TLS handshake encryption (--tls-crypt) */
2985  if (options->ce.tls_crypt_file
2986  || (options->ce.tls_crypt_v2_file && options->tls_client))
2987  {
2988  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2989  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2990  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2991  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2992  tls_crypt_adjust_frame_parameters(&to.frame);
2993 
2994  if (options->ce.tls_crypt_v2_file)
2995  {
2996  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2997  }
2998  }
2999 
3000  if (options->ce.tls_crypt_v2_file)
3001  {
3002  to.tls_crypt_v2 = true;
3003  if (options->tls_server)
3004  {
3005  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3006  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3007  }
3008  }
3009 
3010  /* If we are running over TCP, allow for
3011  * length prefix */
3012  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3013 
3014  /*
3015  * Initialize OpenVPN's master TLS-mode object.
3016  */
3017  if (flags & CF_INIT_TLS_MULTI)
3018  {
3019  c->c2.tls_multi = tls_multi_init(&to);
3020  }
3021 
3022  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3023  {
3024  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3025  }
3026 }
3027 
3028 static void
3029 do_init_finalize_tls_frame(struct context *c)
3030 {
3031  if (c->c2.tls_multi)
3032  {
3033  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3034  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3035  EXPANDED_SIZE(&c->c2.frame));
3036  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3037  "Control Channel MTU parms");
3038  }
3039  if (c->c2.tls_auth_standalone)
3040  {
3041  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3042  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3043  "TLS-Auth MTU parms");
3044  }
3045 }
3046 
3047 /*
3048  * No encryption or authentication.
3049  */
3050 static void
3051 do_init_crypto_none(const struct context *c)
3052 {
3053  ASSERT(!c->options.test_crypto);
3054  msg(M_WARN,
3055  "******* WARNING *******: All encryption and authentication features "
3056  "disabled -- All data will be tunnelled as clear text and will not be "
3057  "protected against man-in-the-middle changes. "
3058  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3059 }
3060 
3061 static void
3062 do_init_crypto(struct context *c, const unsigned int flags)
3063 {
3064  if (c->options.shared_secret_file)
3065  {
3066  do_init_crypto_static(c, flags);
3067  }
3068  else if (c->options.tls_server || c->options.tls_client)
3069  {
3070  do_init_crypto_tls(c, flags);
3071  }
3072  else /* no encryption or authentication. */
3073  {
3074  do_init_crypto_none(c);
3075  }
3076 }
3077 
3078 static void
3079 do_init_frame(struct context *c)
3080 {
3081 #ifdef USE_COMP
3082  /*
3083  * modify frame parameters if compression is enabled
3084  */
3085  if (comp_enabled(&c->options.comp))
3086  {
3087  comp_add_to_extra_frame(&c->c2.frame);
3088 
3089 #if !defined(ENABLE_LZ4)
3090  /*
3091  * Compression usage affects buffer alignment when non-swapped algs
3092  * such as LZO is used.
3093  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3094  * any special alignment because of the control-byte swap approach.
3095  * LZO alignment (on the other hand) is problematic because
3096  * the presence of the control byte means that either the output of
3097  * decryption must be written to an unaligned buffer, or the input
3098  * to compression (or packet dispatch if packet is uncompressed)
3099  * must be read from an unaligned buffer.
3100  * This code tries to align the input to compression (or packet
3101  * dispatch if packet is uncompressed) at the cost of requiring
3102  * decryption output to be written to an unaligned buffer, so
3103  * it's more of a tradeoff than an optimal solution and we don't
3104  * include it when we are doing a modern build with LZ4.
3105  * Strictly speaking, on the server it would be better to execute
3106  * this code for every connection after we decide the compression
3107  * method, but currently the frame code doesn't appear to be
3108  * flexible enough for this, since the frame is already established
3109  * before it is known which compression options will be pushed.
3110  */
3111  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3112  {
3113  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3114  frame_or_align_flags(&c->c2.frame,
3115  FRAME_HEADROOM_MARKER_FRAGMENT
3116  |FRAME_HEADROOM_MARKER_DECRYPT);
3117  }
3118 #endif
3119 
3120 #ifdef ENABLE_FRAGMENT
3121  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3122 #endif
3123  }
3124 #endif /* USE_COMP */
3125 
3126  /*
3127  * Adjust frame size for UDP Socks support.
3128  */
3129  if (c->options.ce.socks_proxy_server)
3130  {
3131  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3132  }
3133 
3134  /*
3135  * Adjust frame size based on the --tun-mtu-extra parameter.
3136  */
3137  if (c->options.ce.tun_mtu_extra_defined)
3138  {
3139  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3140  }
3141 
3142  /*
3143  * Adjust frame size based on link socket parameters.
3144  * (Since TCP is a stream protocol, we need to insert
3145  * a packet length uint16_t in the buffer.)
3146  */
3147  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3148 
3149  /*
3150  * Fill in the blanks in the frame parameters structure,
3151  * make sure values are rational, etc.
3152  */
3153  frame_finalize_options(c, NULL);
3154 
3155 #ifdef USE_COMP
3156  /*
3157  * Modify frame parameters if compression is compiled in.
3158  * Should be called after frame_finalize_options.
3159  */
3160  comp_add_to_extra_buffer(&c->c2.frame);
3161 #ifdef ENABLE_FRAGMENT
3162  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3163 #endif
3164 #endif /* USE_COMP */
3165 
3166  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3167  * and need link_mtu+3 bytes on socket reception (on server).
3168  *
3169  * accommodate receive path in f->extra_link, which has the side effect of
3170  * also increasing send buffers (BUF_SIZE() macro), which need to be
3171  * allocated big enough before receiving peer-id option from server.
3172  *
3173  * f->extra_frame is adjusted when peer-id option is push-received
3174  */
3175  frame_add_to_extra_link(&c->c2.frame, 3);
3176 
3177 #ifdef ENABLE_FRAGMENT
3178  /*
3179  * Set frame parameter for fragment code. This is necessary because
3180  * the fragmentation code deals with payloads which have already been
3181  * passed through the compression code.
3182  */
3183  c->c2.frame_fragment = c->c2.frame;
3184  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3185  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3186 #endif
3187 
3188 #if defined(ENABLE_FRAGMENT)
3189  /*
3190  * MTU advisories
3191  */
3192  if (c->options.ce.fragment && c->options.mtu_test)
3193  {
3194  msg(M_WARN,
3195  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3196  }
3197 #endif
3198 
3199 #ifdef ENABLE_FRAGMENT
3200  if ((c->options.ce.mssfix || c->options.ce.fragment)
3201  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3202  {
3203  msg(M_WARN,
3204  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3205  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3206  }
3207 #endif
3208 }
3209 
3210 static void
3211 do_option_warnings(struct context *c)
3212 {
3213  const struct options *o = &c->options;
3214 
3215  if (o->ping_send_timeout && !o->ping_rec_timeout)
3216  {
3217  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3218  }
3219 
3220  if (o->username || o->groupname || o->chroot_dir
3221 #ifdef ENABLE_SELINUX
3222  || o->selinux_context
3223 #endif
3224  )
3225  {
3226  if (!o->persist_tun)
3227  {
3228  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3229  }
3230  if (!o->persist_key
3231 #ifdef ENABLE_PKCS11
3232  && !o->pkcs11_id
3233 #endif
3234  )
3235  {
3236  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3237  }
3238  }
3239 
3240  if (o->chroot_dir && !(o->username && o->groupname))
3241  {
3242  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3243  }
3244 
3245 #if P2MP
3246  if (o->pull && o->ifconfig_local && c->first_time)
3247  {
3248  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3249  }
3250 
3251  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3252  {
3253  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3254  }
3255 
3256  if (o->mode == MODE_SERVER)
3257  {
3258  if (o->duplicate_cn && o->client_config_dir)
3259  {
3260  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3261  }
3262  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3263  {
3264  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3265  }
3266  if (!o->keepalive_ping || !o->keepalive_timeout)
3267  {
3268  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3269  }
3270  }
3271 #endif /* if P2MP */
3272 
3273  if (!o->replay)
3274  {
3275  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3276  }
3277 
3278  if (o->tls_server)
3279  {
3280  warn_on_use_of_common_subnets(&c->net_ctx);
3281  }
3282  if (o->tls_client
3283  && !o->tls_verify
3284  && o->verify_x509_type == VERIFY_X509_NONE
3285  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3286  && !o->remote_cert_eku)
3287  {
3288  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3289  }
3290  if (o->ns_cert_type)
3291  {
3292  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3293  }
3294 
3295  /* If a script is used, print appropriate warnings */
3296  if (o->user_script_used)
3297  {
3298  if (script_security() >= SSEC_SCRIPTS)
3299  {
3300  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3301  }
3302  else if (script_security() >= SSEC_PW_ENV)
3303  {
3304  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3305  }
3306  else
3307  {
3308  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3309  }
3310  }
3311 }
3312 
3313 static void
3314 do_init_frame_tls(struct context *c)
3315 {
3316  do_init_finalize_tls_frame(c);
3317 }
3318 
3319 struct context_buffers *
3320 init_context_buffers(const struct frame *frame)
3321 {
3322  struct context_buffers *b;
3323 
3324  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3325 
3326  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3327  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3328 
3329  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3330 
3331  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3332  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3333 
3334 #ifdef USE_COMP
3335  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3336  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3337 #endif
3338 
3339  return b;
3340 }
3341 
3342 void
3343 free_context_buffers(struct context_buffers *b)
3344 {
3345  if (b)
3346  {
3347  free_buf(&b->read_link_buf);
3348  free_buf(&b->read_tun_buf);
3349  free_buf(&b->aux_buf);
3350 
3351 #ifdef USE_COMP
3352  free_buf(&b->compress_buf);
3353  free_buf(&b->decompress_buf);
3354 #endif
3355 
3356  free_buf(&b->encrypt_buf);
3357  free_buf(&b->decrypt_buf);
3358 
3359  free(b);
3360  }
3361 }
3362 
3363 /*
3364  * Now that we know all frame parameters, initialize
3365  * our buffers.
3366  */
3367 static void
3368 do_init_buffers(struct context *c)
3369 {
3370  c->c2.buffers = init_context_buffers(&c->c2.frame);
3371  c->c2.buffers_owned = true;
3372 }
3373 
3374 #ifdef ENABLE_FRAGMENT
3375 /*
3376  * Fragmenting code has buffers to initialize
3377  * once frame parameters are known.
3378  */
3379 static void
3380 do_init_fragment(struct context *c)
3381 {
3382  ASSERT(c->options.ce.fragment);
3383  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3384  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3385  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3386 }
3387 #endif
3388 
3389 /*
3390  * Allocate our socket object.
3391  */
3392 static void
3393 do_link_socket_new(struct context *c)
3394 {
3395  ASSERT(!c->c2.link_socket);
3396  c->c2.link_socket = link_socket_new();
3397  c->c2.link_socket_owned = true;
3398 }
3399 
3400 /*
3401  * bind the TCP/UDP socket
3402  */
3403 static void
3404 do_init_socket_1(struct context *c, const int mode)
3405 {
3406  unsigned int sockflags = c->options.sockflags;
3407 
3408 #if PORT_SHARE
3409  if (c->options.port_share_host && c->options.port_share_port)
3410  {
3411  sockflags |= SF_PORT_SHARE;
3412  }
3413 #endif
3414 
3415  link_socket_init_phase1(c->c2.link_socket,
3416  c->options.ce.local,
3417  c->options.ce.local_port,
3418  c->options.ce.remote,
3419  c->options.ce.remote_port,
3420  c->c1.dns_cache,
3421  c->options.ce.proto,
3422  c->options.ce.af,
3423  c->options.ce.bind_ipv6_only,
3424  mode,
3425  c->c2.accept_from,
3426  c->c1.http_proxy,
3427  c->c1.socks_proxy,
3428 #ifdef ENABLE_DEBUG
3429  c->options.gremlin,
3430 #endif
3431  c->options.ce.bind_local,
3432  c->options.ce.remote_float,
3433  c->options.inetd,
3434  &c->c1.link_socket_addr,
3435  c->options.ipchange,
3436  c->plugins,
3437  c->options.resolve_retry_seconds,
3438  c->options.ce.mtu_discover_type,
3439  c->options.rcvbuf,
3440  c->options.sndbuf,
3441  c->options.mark,
3442  c->options.bind_dev,
3443  &c->c2.server_poll_interval,
3444  sockflags);
3445 }
3446 
3447 /*
3448  * finalize the TCP/UDP socket
3449  */
3450 static void
3451 do_init_socket_2(struct context *c)
3452 {
3453  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3454  c->sig);
3455 }
3456 
3457 /*
3458  * Print MTU INFO
3459  */
3460 static void
3461 do_print_data_channel_mtu_parms(struct context *c)
3462 {
3463  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3464 #ifdef ENABLE_FRAGMENT
3465  if (c->c2.fragment)
3466  {
3467  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3468  "Fragmentation MTU parms");
3469  }
3470 #endif
3471 }
3472 
3473 /*
3474  * Get local and remote options compatibility strings.
3475  */
3476 static void
3477 do_compute_occ_strings(struct context *c)
3478 {
3479  struct gc_arena gc = gc_new();
3480 
3481  c->c2.options_string_local =
3482  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3483  false, &gc);
3484  c->c2.options_string_remote =
3485  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3486  true, &gc);
3487 
3488  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3489  options_string_version(c->c2.options_string_local, &gc),
3490  c->c2.options_string_local);
3491  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3492  options_string_version(c->c2.options_string_remote, &gc),
3493  c->c2.options_string_remote);
3494 
3495  if (c->c2.tls_multi)
3496  {
3497  tls_multi_init_set_options(c->c2.tls_multi,
3498  c->c2.options_string_local,
3499  c->c2.options_string_remote);
3500  }
3501 
3502  gc_free(&gc);
3503 }
3504 
3505 /*
3506  * These things can only be executed once per program instantiation.
3507  * Set up for possible UID/GID downgrade, but don't do it yet.
3508  * Daemonize if requested.
3509  */
3510 static void
3511 do_init_first_time(struct context *c)
3512 {
3513  if (c->first_time && !c->c0)
3514  {
3515  struct context_0 *c0;
3516 
3517  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3518  c0 = c->c0;
3519 
3520  /* get user and/or group that we want to setuid/setgid to */
3521  c0->uid_gid_specified =
3522  platform_group_get(c->options.groupname, &c0->platform_state_group)
3523  |platform_user_get(c->options.username, &c0->platform_state_user);
3524 
3525  /* perform postponed chdir if --daemon */
3526  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3527  {
3528  platform_chdir("/");
3529  }
3530 
3531  /* should we change scheduling priority? */
3532  platform_nice(c->options.nice);
3533  }
3534 }
3535 
3536 /*
3537  * If xinetd/inetd mode, don't allow restart.
3538  */
3539 static void
3540 do_close_check_if_restart_permitted(struct context *c)
3541 {
3542  if (c->options.inetd
3543  && (c->sig->signal_received == SIGHUP
3544  || c->sig->signal_received == SIGUSR1))
3545  {
3546  c->sig->signal_received = SIGTERM;
3547  msg(M_INFO,
3548  PACKAGE_NAME
3549  " started by inetd/xinetd cannot restart... Exiting.");
3550  }
3551 }
3552 
3553 /*
3554  * free buffers
3555  */
3556 static void
3557 do_close_free_buf(struct context *c)
3558 {
3559  if (c->c2.buffers_owned)
3560  {
3561  free_context_buffers(c->c2.buffers);
3562  c->c2.buffers = NULL;
3563  c->c2.buffers_owned = false;
3564  }
3565 }
3566 
3567 /*
3568  * close TLS
3569  */
3570 static void
3571 do_close_tls(struct context *c)
3572 {
3573  if (c->c2.tls_multi)
3574  {
3575  tls_multi_free(c->c2.tls_multi, true);
3576  c->c2.tls_multi = NULL;
3577  }
3578 
3579  /* free options compatibility strings */
3580  if (c->c2.options_string_local)
3581  {
3582  free(c->c2.options_string_local);
3583  }
3584  if (c->c2.options_string_remote)
3585  {
3586  free(c->c2.options_string_remote);
3587  }
3588  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3589 
3590  if (c->c2.pulled_options_state)
3591  {
3592  md_ctx_cleanup(c->c2.pulled_options_state);
3593  md_ctx_free(c->c2.pulled_options_state);
3594  }
3595 }
3596 
3597 /*
3598  * Free key schedules
3599  */
3600 static void
3601 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3602 {
3603  /*
3604  * always free the tls_auth/crypt key. If persist_key is true, the key will
3605  * be reloaded from memory (pre-cached)
3606  */
3607  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3608  CLEAR(c->c1.ks.tls_wrap_key);
3609  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3610  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3611 
3612  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3613  {
3614  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3615  }
3616 }
3617 
3618 /*
3619  * Close TCP/UDP connection
3620  */
3621 static void
3622 do_close_link_socket(struct context *c)
3623 {
3624  if (c->c2.link_socket && c->c2.link_socket_owned)
3625  {
3626  link_socket_close(c->c2.link_socket);
3627  c->c2.link_socket = NULL;
3628  }
3629 
3630 
3631  /* Preserve the resolved list of remote if the user request to or if we want
3632  * reconnect to the same host again or there are still addresses that need
3633  * to be tried */
3634  if (!(c->sig->signal_received == SIGUSR1
3635  && ( (c->options.persist_remote_ip)
3636  ||
3637  ( c->sig->source != SIG_SOURCE_HARD
3638  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3639  || c->options.no_advance))
3640  )))
3641  {
3642  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3643  }
3644 
3645  /* Clear the remote actual address when persist_remote_ip is not in use */
3646  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3647  {
3648  CLEAR(c->c1.link_socket_addr.actual);
3649  }
3650 
3651  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3652  {
3653  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3654  {
3655  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3656  }
3657 
3658  c->c1.link_socket_addr.bind_local = NULL;
3659  }
3660 }
3661 
3662 /*
3663  * Close packet-id persistence file
3664  */
3665 static void
3666 do_close_packet_id(struct context *c)
3667 {
3668  packet_id_free(&c->c2.crypto_options.packet_id);
3669  packet_id_persist_save(&c->c1.pid_persist);
3670  if (!(c->sig->signal_received == SIGUSR1))
3671  {
3672  packet_id_persist_close(&c->c1.pid_persist);
3673  }
3674 }
3675 
3676 #ifdef ENABLE_FRAGMENT
3677 /*
3678  * Close fragmentation handler.
3679  */
3680 static void
3681 do_close_fragment(struct context *c)
3682 {
3683  if (c->c2.fragment)
3684  {
3685  fragment_free(c->c2.fragment);
3686  c->c2.fragment = NULL;
3687  }
3688 }
3689 #endif
3690 
3691 /*
3692  * Open and close our event objects.
3693  */
3694 
3695 static void
3696 do_event_set_init(struct context *c,
3697  bool need_us_timeout)
3698 {
3699  unsigned int flags = 0;
3700 
3701  c->c2.event_set_max = BASE_N_EVENTS;
3702 
3703  flags |= EVENT_METHOD_FAST;
3704 
3705  if (need_us_timeout)
3706  {
3707  flags |= EVENT_METHOD_US_TIMEOUT;
3708  }
3709 
3710  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3711  c->c2.event_set_owned = true;
3712 }
3713 
3714 static void
3715 do_close_event_set(struct context *c)
3716 {
3717  if (c->c2.event_set && c->c2.event_set_owned)
3718  {
3719  event_free(c->c2.event_set);
3720  c->c2.event_set = NULL;
3721  c->c2.event_set_owned = false;
3722  }
3723 }
3724 
3725 /*
3726  * Open and close --status file
3727  */
3728 
3729 static void
3730 do_open_status_output(struct context *c)
3731 {
3732  if (!c->c1.status_output)
3733  {
3734  c->c1.status_output = status_open(c->options.status_file,
3735  c->options.status_file_update_freq,
3736  -1,
3737  NULL,
3738  STATUS_OUTPUT_WRITE);
3739  c->c1.status_output_owned = true;
3740  }
3741 }
3742 
3743 static void
3744 do_close_status_output(struct context *c)
3745 {
3746  if (!(c->sig->signal_received == SIGUSR1))
3747  {
3748  if (c->c1.status_output_owned && c->c1.status_output)
3749  {
3750  status_close(c->c1.status_output);
3751  c->c1.status_output = NULL;
3752  c->c1.status_output_owned = false;
3753  }
3754  }
3755 }
3756 
3757 /*
3758  * Handle ifconfig-pool persistence object.
3759  */
3760 static void
3761 do_open_ifconfig_pool_persist(struct context *c)
3762 {
3763  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3764  {
3765  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3766  c->options.ifconfig_pool_persist_refresh_freq);
3767  c->c1.ifconfig_pool_persist_owned = true;
3768  }
3769 }
3770 
3771 static void
3772 do_close_ifconfig_pool_persist(struct context *c)
3773 {
3774  if (!(c->sig->signal_received == SIGUSR1))
3775  {
3776  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3777  {
3778  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3779  c->c1.ifconfig_pool_persist = NULL;
3780  c->c1.ifconfig_pool_persist_owned = false;
3781  }
3782  }
3783 }
3784 
3785 /*
3786  * Inherit environmental variables
3787  */
3788 
3789 static void
3790 do_inherit_env(struct context *c, const struct env_set *src)
3791 {
3792  c->c2.es = env_set_create(NULL);
3793  c->c2.es_owned = true;
3794  env_set_inherit(c->c2.es, src);
3795 }
3796 
3797 static void
3798 do_env_set_destroy(struct context *c)
3799 {
3800  if (c->c2.es && c->c2.es_owned)
3801  {
3802  env_set_destroy(c->c2.es);
3803  c->c2.es = NULL;
3804  c->c2.es_owned = false;
3805  }
3806 }
3807 
3808 /*
3809  * Fast I/O setup. Fast I/O is an optimization which only works
3810  * if all of the following are true:
3811  *
3812  * (1) The platform is not Windows
3813  * (2) --proto udp is enabled
3814  * (3) --shaper is disabled
3815  */
3816 static void
3817 do_setup_fast_io(struct context *c)
3818 {
3819  if (c->options.fast_io)
3820  {
3821 #ifdef _WIN32
3822  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3823 #else
3824  if (!proto_is_udp(c->options.ce.proto))
3825  {
3826  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3827  }
3828  else
3829  {
3830 #ifdef ENABLE_FEATURE_SHAPER
3831  if (c->options.shaper)
3832  {
3833  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3834  }
3835  else
3836 #endif
3837  {
3838  c->c2.fast_io = true;
3839  }
3840  }
3841 #endif
3842  }
3843 }
3844 
3845 static void
3846 do_signal_on_tls_errors(struct context *c)
3847 {
3848  if (c->options.tls_exit)
3849  {
3850  c->c2.tls_exit_signal = SIGTERM;
3851  }
3852  else
3853  {
3854  c->c2.tls_exit_signal = SIGUSR1;
3855  }
3856 }
3857 
3858 #ifdef ENABLE_PLUGIN
3859 
3860 void
3861 init_plugins(struct context *c)
3862 {
3863  if (c->options.plugin_list && !c->plugins)
3864  {
3865  c->plugins = plugin_list_init(c->options.plugin_list);
3866  c->plugins_owned = true;
3867  }
3868 }
3869 
3870 void
3871 open_plugins(struct context *c, const bool import_options, int init_point)
3872 {
3873  if (c->plugins && c->plugins_owned)
3874  {
3875  if (import_options)
3876  {
3877  struct plugin_return pr, config;
3878  plugin_return_init(&pr);
3879  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3880  plugin_return_get_column(&pr, &config, "config");
3881  if (plugin_return_defined(&config))
3882  {
3883  int i;
3884  for (i = 0; i < config.n; ++i)
3885  {
3886  unsigned int option_types_found = 0;
3887  if (config.list[i] && config.list[i]->value)
3888  {
3889  options_string_import(&c->options,
3890  config.list[i]->value,
3891  D_IMPORT_ERRORS|M_OPTERR,
3892  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3893  &option_types_found,
3894  c->es);
3895  }
3896  }
3897  }
3898  plugin_return_free(&pr);
3899  }
3900  else
3901  {
3902  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3903  }
3904  }
3905 }
3906 
3907 static void
3908 do_close_plugins(struct context *c)
3909 {
3910  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3911  {
3912  plugin_list_close(c->plugins);
3913  c->plugins = NULL;
3914  c->plugins_owned = false;
3915  }
3916 }
3917 
3918 static void
3919 do_inherit_plugins(struct context *c, const struct context *src)
3920 {
3921  if (!c->plugins && src->plugins)
3922  {
3923  c->plugins = plugin_list_inherit(src->plugins);
3924  c->plugins_owned = true;
3925  }
3926 }
3927 
3928 #endif /* ifdef ENABLE_PLUGIN */
3929 
3930 #ifdef ENABLE_MANAGEMENT
3931 
3932 static void
3933 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3934 {
3935  struct context *c = (struct context *) arg;
3936  print_status(c, so);
3937 }
3938 
3939 void
3940 management_show_net_callback(void *arg, const int msglevel)
3941 {
3942 #ifdef _WIN32
3943  show_routes(msglevel);
3944  show_adapters(msglevel);
3945  msg(msglevel, "END");
3946 #else
3947  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3948 #endif
3949 }
3950 
3951 #ifdef TARGET_ANDROID
3952 int
3953 management_callback_network_change(void *arg, bool samenetwork)
3954 {
3955  /* Check if the client should translate the network change to a SIGUSR1 to
3956  * reestablish the connection or just reprotect the socket
3957  *
3958  * At the moment just assume that, for all settings that use pull (not
3959  * --static) and are not using peer-id reestablishing the connection is
3960  * required (unless the network is the same)
3961  *
3962  * The function returns -1 on invalid fd and -2 if the socket cannot be
3963  * reused. On the -2 return value the man_network_change function triggers
3964  * a SIGUSR1 to force a reconnect.
3965  */
3966 
3967  int socketfd = -1;
3968  struct context *c = (struct context *) arg;
3969  if (!c->c2.link_socket)
3970  {
3971  return -1;
3972  }
3973  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3974  {
3975  return -1;
3976  }
3977 
3978  socketfd = c->c2.link_socket->sd;
3979  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3980  {
3981  return socketfd;
3982  }
3983  else
3984  {
3985  return -2;
3986  }
3987 }
3988 #endif /* ifdef TARGET_ANDROID */
3989 
3990 #endif /* ifdef ENABLE_MANAGEMENT */
3991 
3992 void
3993 init_management_callback_p2p(struct context *c)
3994 {
3995 #ifdef ENABLE_MANAGEMENT
3996  if (management)
3997  {
3998  struct management_callback cb;
3999  CLEAR(cb);
4000  cb.arg = c;
4001  cb.status = management_callback_status_p2p;
4002  cb.show_net = management_show_net_callback;
4003  cb.proxy_cmd = management_callback_proxy_cmd;
4004  cb.remote_cmd = management_callback_remote_cmd;
4005  cb.send_cc_message = management_callback_send_cc_message;
4006 #ifdef TARGET_ANDROID
4007  cb.network_change = management_callback_network_change;
4008 #endif
4009  management_set_callback(management, &cb);
4010  }
4011 #endif
4012 }
4013 
4014 #ifdef ENABLE_MANAGEMENT
4015 
4016 void
4017 init_management(void)
4018 {
4019  if (!management)
4020  {
4021  management = management_init();
4022  }
4023 }
4024 
4025 bool
4026 open_management(struct context *c)
4027 {
4028  /* initialize management layer */
4029  if (management)
4030  {
4031  if (c->options.management_addr)
4032  {
4033  unsigned int flags = c->options.management_flags;
4034  if (c->options.mode == MODE_SERVER)
4035  {
4036  flags |= MF_SERVER;
4037  }
4038  if (management_open(management,
4039  c->options.management_addr,
4040  c->options.management_port,
4041  c->options.management_user_pass,
4042  c->options.management_client_user,
4043  c->options.management_client_group,
4044  c->options.management_log_history_cache,
4045  c->options.management_echo_buffer_size,
4046  c->options.management_state_buffer_size,
4047  c->options.management_write_peer_info_file,
4048  c->options.remap_sigusr1,
4049  flags))
4050  {
4051  management_set_state(management,
4052  OPENVPN_STATE_CONNECTING,
4053  NULL,
4054  NULL,
4055  NULL,
4056  NULL,
4057  NULL);
4058  }
4059 
4060  /* initial management hold, called early, before first context initialization */
4061  do_hold(0);
4062  if (IS_SIG(c))
4063  {
4064  msg(M_WARN, "Signal received from management interface, exiting");
4065  return false;
4066  }
4067  }
4068  else
4069  {
4070  close_management();
4071  }
4072  }
4073  return true;
4074 }
4075 
4076 void
4077 close_management(void)
4078 {
4079  if (management)
4080  {
4081  management_close(management);
4082  management = NULL;
4083  }
4084 }
4085 
4086 #endif /* ifdef ENABLE_MANAGEMENT */
4087 
4088 
4089 void
4090 uninit_management_callback(void)
4091 {
4092 #ifdef ENABLE_MANAGEMENT
4093  if (management)
4094  {
4095  management_clear_callback(management);
4096  }
4097 #endif
4098 }
4099 
4100 /*
4101  * Initialize a tunnel instance, handle pre and post-init
4102  * signal settings.
4103  */
4104 void
4105 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4106 {
4107  pre_init_signal_catch();
4108  init_instance(c, env, flags);
4109  post_init_signal_catch();
4110 
4111  /*
4112  * This is done so that signals thrown during
4113  * initialization can bring us back to
4114  * a management hold.
4115  */
4116  if (IS_SIG(c))
4117  {
4118  remap_signal(c);
4119  uninit_management_callback();
4120  }
4121 }
4122 
4123 /*
4124  * Initialize a tunnel instance.
4125  */
4126 void
4127 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4128 {
4129  const struct options *options = &c->options;
4130  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4131  int link_socket_mode = LS_MODE_DEFAULT;
4132 
4133  /* init garbage collection level */
4134  gc_init(&c->c2.gc);
4135 
4136  /* inherit environmental variables */
4137  if (env)
4138  {
4139  do_inherit_env(c, env);
4140  }
4141 
4142  /* signals caught here will abort */
4143  c->sig->signal_received = 0;
4144  c->sig->signal_text = NULL;
4145  c->sig->source = SIG_SOURCE_SOFT;
4146 
4147  if (c->mode == CM_P2P)
4148  {
4149  init_management_callback_p2p(c);
4150  }
4151 
4152  /* possible sleep or management hold if restart */
4153  if (c->mode == CM_P2P || c->mode == CM_TOP)
4154  {
4155  do_startup_pause(c);
4156  if (IS_SIG(c))
4157  {
4158  goto sig;
4159  }
4160  }
4161 
4162  if (c->options.resolve_in_advance)
4163  {
4164  do_preresolve(c);
4165  if (IS_SIG(c))
4166  {
4167  goto sig;
4168  }
4169  }
4170 
4171  /* map in current connection entry */
4172  next_connection_entry(c);
4173 
4174  /* link_socket_mode allows CM_CHILD_TCP
4175  * instances to inherit acceptable fds
4176  * from a top-level parent */
4177  if (c->options.ce.proto == PROTO_TCP_SERVER)
4178  {
4179  if (c->mode == CM_TOP)
4180  {
4181  link_socket_mode = LS_MODE_TCP_LISTEN;
4182  }
4183  else if (c->mode == CM_CHILD_TCP)
4184  {
4185  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4186  }
4187  }
4188 
4189  /* should we disable paging? */
4190  if (c->first_time && options->mlock)
4191  {
4192  platform_mlockall(true);
4193  }
4194 
4195 #if P2MP
4196  /* get passwords if undefined */
4197  if (auth_retry_get() == AR_INTERACT)
4198  {
4199  init_query_passwords(c);
4200  }
4201 #endif
4202 
4203  /* initialize context level 2 --verb/--mute parms */
4204  init_verb_mute(c, IVM_LEVEL_2);
4205 
4206  /* set error message delay for non-server modes */
4207  if (c->mode == CM_P2P)
4208  {
4209  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4210  }
4211 
4212  /* warn about inconsistent options */
4213  if (c->mode == CM_P2P || c->mode == CM_TOP)
4214  {
4215  do_option_warnings(c);
4216  }
4217 
4218 #ifdef ENABLE_PLUGIN
4219  /* initialize plugins */
4220  if (c->mode == CM_P2P || c->mode == CM_TOP)
4221  {
4222  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4223  }
4224 #endif
4225 
4226  /* should we enable fast I/O? */
4227  if (c->mode == CM_P2P || c->mode == CM_TOP)
4228  {
4229  do_setup_fast_io(c);
4230  }
4231 
4232  /* should we throw a signal on TLS errors? */
4233  do_signal_on_tls_errors(c);
4234 
4235  /* open --status file */
4236  if (c->mode == CM_P2P || c->mode == CM_TOP)
4237  {
4238  do_open_status_output(c);
4239  }
4240 
4241  /* open --ifconfig-pool-persist file */
4242  if (c->mode == CM_TOP)
4243  {
4244  do_open_ifconfig_pool_persist(c);
4245  }
4246 
4247  /* reset OCC state */
4248  if (c->mode == CM_P2P || child)
4249  {
4250  c->c2.occ_op = occ_reset_op();
4251  }
4252 
4253  /* our wait-for-i/o objects, different for posix vs. win32 */
4254  if (c->mode == CM_P2P)
4255  {
4256  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4257  }
4258  else if (c->mode == CM_CHILD_TCP)
4259  {
4260  do_event_set_init(c, false);
4261  }
4262 
4263  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4264  init_proxy(c);
4265 
4266  /* allocate our socket object */
4267  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4268  {
4269  do_link_socket_new(c);
4270  }
4271 
4272 #ifdef ENABLE_FRAGMENT
4273  /* initialize internal fragmentation object */
4274  if (options->ce.fragment && (c->mode == CM_P2P || child))
4275  {
4276  c->c2.fragment = fragment_init(&c->c2.frame);
4277  }
4278 #endif
4279 
4280  /* init crypto layer */
4281  {
4282  unsigned int crypto_flags = 0;
4283  if (c->mode == CM_TOP)
4284  {
4285  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4286  }
4287  else if (c->mode == CM_P2P)
4288  {
4289  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4290  }
4291  else if (child)
4292  {
4293  crypto_flags = CF_INIT_TLS_MULTI;
4294  }
4295  do_init_crypto(c, crypto_flags);
4296  if (IS_SIG(c) && !child)
4297  {
4298  goto sig;
4299  }
4300  }
4301 
4302 #ifdef USE_COMP
4303  /* initialize compression library. */
4304  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4305  {
4306  c->c2.comp_context = comp_init(&options->comp);
4307  }
4308 #endif
4309 
4310  /* initialize MTU variables */
4311  do_init_frame(c);
4312 
4313  /* initialize TLS MTU variables */
4314  do_init_frame_tls(c);
4315 
4316  /* init workspace buffers whose size is derived from frame size */
4317  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4318  {
4319  do_init_buffers(c);
4320  }
4321 
4322 #ifdef ENABLE_FRAGMENT
4323  /* initialize internal fragmentation capability with known frame size */
4324  if (options->ce.fragment && (c->mode == CM_P2P || child))
4325  {
4326  do_init_fragment(c);
4327  }
4328 #endif
4329 
4330  /* initialize dynamic MTU variable */
4331  frame_init_mssfix(&c->c2.frame, &c->options);
4332 
4333  /* bind the TCP/UDP socket */
4334  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4335  {
4336  do_init_socket_1(c, link_socket_mode);
4337  }
4338 
4339  /* initialize tun/tap device object,
4340  * open tun/tap device, ifconfig, run up script, etc. */
4341  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4342  {
4343  c->c2.did_open_tun = do_open_tun(c);
4344  }
4345 
4346  c->c2.frame_initial = c->c2.frame;
4347 
4348  /* print MTU info */
4349  do_print_data_channel_mtu_parms(c);
4350 
4351  /* get local and remote options compatibility strings */
4352  if (c->mode == CM_P2P || child)
4353  {
4354  do_compute_occ_strings(c);
4355  }
4356 
4357  /* initialize output speed limiter */
4358  if (c->mode == CM_P2P)
4359  {
4360  do_init_traffic_shaper(c);
4361  }
4362 
4363  /* do one-time inits, and possibly become a daemon here */
4364  do_init_first_time(c);
4365 
4366 #ifdef ENABLE_PLUGIN
4367  /* initialize plugins */
4368  if (c->mode == CM_P2P || c->mode == CM_TOP)
4369  {
4370  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4371  }
4372 #endif
4373 
4374  /* initialise connect timeout timer */
4375  do_init_server_poll_timeout(c);
4376 
4377  /* finalize the TCP/UDP socket */
4378  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4379  {
4380  do_init_socket_2(c);
4381  }
4382 
4383  /*
4384  * Actually do UID/GID downgrade, and chroot, if requested.
4385  * May be delayed by --client, --pull, or --up-delay.
4386  */
4387  do_uid_gid_chroot(c, c->c2.did_open_tun);
4388 
4389  /* initialize timers */
4390  if (c->mode == CM_P2P || child)
4391  {
4392  do_init_timers(c, false);
4393  }
4394 
4395 #ifdef ENABLE_PLUGIN
4396  /* initialize plugins */
4397  if (c->mode == CM_P2P || c->mode == CM_TOP)
4398  {
4399  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4400  }
4401 #endif
4402 
4403 #if PORT_SHARE
4404  /* share OpenVPN port with foreign (such as HTTPS) server */
4405  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4406  {
4407  init_port_share(c);
4408  }
4409 #endif
4410 
4411 #ifdef ENABLE_PF
4412  if (child)
4413  {
4414  pf_init_context(c);
4415  }
4416 #endif
4417 
4418  /* Check for signals */
4419  if (IS_SIG(c))
4420  {
4421  goto sig;
4422  }
4423 
4424  return;
4425 
4426 sig:
4427  if (!c->sig->signal_text)
4428  {
4429  c->sig->signal_text = "init_instance";
4430  }
4431  close_context(c, -1, flags);
4432  return;
4433 }
4434 
4435 /*
4436  * Close a tunnel instance.
4437  */
4438 void
4439 close_instance(struct context *c)
4440 {
4441  /* close event objects */
4442  do_close_event_set(c);
4443 
4444  if (c->mode == CM_P2P
4445  || c->mode == CM_CHILD_TCP
4446  || c->mode == CM_CHILD_UDP
4447  || c->mode == CM_TOP)
4448  {
4449  /* if xinetd/inetd mode, don't allow restart */
4450  do_close_check_if_restart_permitted(c);
4451 
4452 #ifdef USE_COMP
4453  if (c->c2.comp_context)
4454  {
4455  comp_uninit(c->c2.comp_context);
4456  c->c2.comp_context = NULL;
4457  }
4458 #endif
4459 
4460  /* free buffers */
4461  do_close_free_buf(c);
4462 
4463  /* close TLS */
4464  do_close_tls(c);
4465 
4466  /* free key schedules */
4467  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4468 
4469  restore_ncp_options(c);
4470 
4471  /* close TCP/UDP connection */
4472  do_close_link_socket(c);
4473 
4474  /* close TUN/TAP device */
4475  do_close_tun(c, false);
4476 
4477 #ifdef MANAGEMENT_DEF_AUTH
4478  if (management)
4479  {
4480  management_notify_client_close(management, &c->c2.mda_context, NULL);
4481  }
4482 #endif
4483 
4484 #ifdef ENABLE_PF
4485  pf_destroy_context(&c->c2.pf);
4486 #endif
4487 
4488 #ifdef ENABLE_PLUGIN
4489  /* call plugin close functions and unload */
4490  do_close_plugins(c);
4491 #endif
4492 
4493  /* close packet-id persistence file */
4494  do_close_packet_id(c);
4495 
4496  /* close --status file */
4497  do_close_status_output(c);
4498 
4499 #ifdef ENABLE_FRAGMENT
4500  /* close fragmentation handler */
4501  do_close_fragment(c);
4502 #endif
4503 
4504  /* close --ifconfig-pool-persist obj */
4505  do_close_ifconfig_pool_persist(c);
4506 
4507  /* free up environmental variable store */
4508  do_env_set_destroy(c);
4509 
4510  /* close HTTP or SOCKS proxy */
4511  uninit_proxy(c);
4512 
4513  /* garbage collect */
4514  gc_free(&c->c2.gc);
4515  }
4516 }
4517 
4518 void
4519 inherit_context_child(struct context *dest,
4520  const struct context *src)
4521 {
4522  CLEAR(*dest);
4523 
4524  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4525  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4526 
4527  dest->gc = gc_new();
4528 
4529  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4530 
4531  /* c1 init */
4532  packet_id_persist_init(&dest->c1.pid_persist);
4533 
4534  dest->c1.ks.key_type = src->c1.ks.key_type;
4535  /* inherit SSL context */
4536  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4537  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4538  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4539  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4540  /* inherit pre-NCP ciphers */
4541  dest->c1.ciphername = src->c1.ciphername;
4542  dest->c1.authname = src->c1.authname;
4543  dest->c1.keysize = src->c1.keysize;
4544 
4545  /* inherit auth-token */
4546  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4547 
4548  /* options */
4549  dest->options = src->options;
4550  options_detach(&dest->options);
4551 
4552  if (dest->mode == CM_CHILD_TCP)
4553  {
4554  /*
4555  * The CM_TOP context does the socket listen(),
4556  * and the CM_CHILD_TCP context does the accept().
4557  */
4558  dest->c2.accept_from = src->c2.link_socket;
4559  }
4560 
4561 #ifdef ENABLE_PLUGIN
4562  /* inherit plugins */
4563  do_inherit_plugins(dest, src);
4564 #endif
4565 
4566  /* context init */
4567  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4568  if (IS_SIG(dest))
4569  {
4570  return;
4571  }
4572 
4573  /* inherit tun/tap interface object */
4574  dest->c1.tuntap = src->c1.tuntap;
4575 
4576  /* UDP inherits some extra things which TCP does not */
4577  if (dest->mode == CM_CHILD_UDP)
4578  {
4579  /* inherit buffers */
4580  dest->c2.buffers = src->c2.buffers;
4581 
4582  /* inherit parent link_socket and tuntap */
4583  dest->c2.link_socket = src->c2.link_socket;
4584 
4585  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4586  *dest->c2.link_socket_info = src->c2.link_socket->info;
4587 
4588  /* locally override some link_socket_info fields */
4589  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4590  dest->c2.link_socket_info->connection_established = false;
4591  }
4592 }
4593 
4594 void
4595 inherit_context_top(struct context *dest,
4596  const struct context *src)
4597 {
4598  /* copy parent */
4599  *dest = *src;
4600 
4601  /*
4602  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4603  * resources owned by the parent.
4604  *
4605  * Also note that CM_TOP_CLONE context objects are
4606  * closed by multi_top_free in multi.c.
4607  */
4608  dest->mode = CM_TOP_CLONE;
4609 
4610  dest->first_time = false;
4611  dest->c0 = NULL;
4612 
4613  options_detach(&dest->options);
4614  gc_detach(&dest->gc);
4615  gc_detach(&dest->c2.gc);
4616 
4617  /* detach plugins */
4618  dest->plugins_owned = false;
4619 
4620  dest->c2.tls_multi = NULL;
4621 
4622  /* detach c1 ownership */
4623  dest->c1.tuntap_owned = false;
4624  dest->c1.status_output_owned = false;
4625  dest->c1.ifconfig_pool_persist_owned = false;
4626 
4627  /* detach c2 ownership */
4628  dest->c2.event_set_owned = false;
4629  dest->c2.link_socket_owned = false;
4630  dest->c2.buffers_owned = false;
4631  dest->c2.es_owned = false;
4632 
4633  dest->c2.event_set = NULL;
4634  if (proto_is_dgram(src->options.ce.proto))
4635  {
4636  do_event_set_init(dest, false);
4637  }
4638 
4639 #ifdef USE_COMP
4640  dest->c2.comp_context = NULL;
4641 #endif
4642 }
4643 
4644 void
4645 close_context(struct context *c, int sig, unsigned int flags)
4646 {
4647  ASSERT(c);
4648  ASSERT(c->sig);
4649 
4650  if (sig >= 0)
4651  {
4652  c->sig->signal_received = sig;
4653  }
4654 
4655  if (c->sig->signal_received == SIGUSR1)
4656  {
4657  if ((flags & CC_USR1_TO_HUP)
4658  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4659  {
4660  c->sig->signal_received = SIGHUP;
4661  c->sig->signal_text = "close_context usr1 to hup";
4662  }
4663  }
4664 
4665  if (!(flags & CC_NO_CLOSE))
4666  {
4667  close_instance(c);
4668  }
4669 
4670  if (flags & CC_GC_FREE)
4671  {
4672  context_gc_free(c);
4673  }
4674 }
4675 
4676 /* Write our PID to a file */
4677 void
4678 write_pid_file(const char *filename, const char *chroot_dir)
4679 {
4680  if (filename)
4681  {
4682  unsigned int pid = 0;
4683  FILE *fp = platform_fopen(filename, "w");
4684  if (!fp)
4685  {
4686  msg(M_ERR, "Open error on pid file %s", filename);
4687  return;
4688  }
4689 
4690  pid = platform_getpid();
4691  fprintf(fp, "%u\n", pid);
4692  if (fclose(fp))
4693  {
4694  msg(M_ERR, "Close error on pid file %s", filename);
4695  }
4696 
4697  /* remember file name so it can be deleted "out of context" later */
4698  /* (the chroot case is more complex and not handled today) */
4699  if (!chroot_dir)
4700  {
4701  saved_pid_file_name = strdup(filename);
4702  }
4703  }
4704 }
4705 
4706 /* remove PID file on exit, called from openvpn_exit() */
4707 void
4708 remove_pid_file(void)
4709 {
4710  if (saved_pid_file_name)
4711  {
4712  platform_unlink(saved_pid_file_name);
4713  }
4714 }
4715 
4716 
4717 /*
4718  * Do a loopback test
4719  * on the crypto subsystem.
4720  */
4721 static void *
4722 test_crypto_thread(void *arg)
4723 {
4724  struct context *c = (struct context *) arg;
4725  const struct options *options = &c->options;
4726 
4727  ASSERT(options->test_crypto);
4728  init_verb_mute(c, IVM_LEVEL_1);
4729  context_init_1(c);
4730  next_connection_entry(c);
4731  do_init_crypto_static(c, 0);
4732 
4733  frame_finalize_options(c, options);
4734 
4735  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4736 
4737  key_schedule_free(&c->c1.ks, true);
4738  packet_id_free(&c->c2.crypto_options.packet_id);
4739 
4740  context_gc_free(c);
4741  return NULL;
4742 }
4743 
4744 bool
4745 do_test_crypto(const struct options *o)
4746 {
4747  if (o->test_crypto)
4748  {
4749  struct context c;
4750 
4751  /* print version number */
4752  msg(M_INFO, "%s", title_string);
4753 
4754  context_clear(&c);
4755  c.options = *o;
4756  options_detach(&c.options);
4757  c.first_time = true;
4758  test_crypto_thread((void *) &c);
4759  return true;
4760  }
4761  return false;
4762 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:301
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:310
context_2::es
struct env_set * es
Definition: openvpn.h:440
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:184
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:178
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:508
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2550
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:336
management_close
void management_close(struct management *man)
Definition: manage.c:2719
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:432
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:260
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:537
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:290
options::sndbuf
int sndbuf
Definition: options.h:349
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:369
context_2::log_rw
bool log_rw
Definition: openvpn.h:402
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:472
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:286
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:327
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:405
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:602
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:689
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1525
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:302
tuntap
Definition: tun.h:151
options::ncp_enabled
bool ncp_enabled
Definition: options.h:508
options::management_flags
unsigned int management_flags
Definition: options.h:392
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1992
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:891
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2578
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:292
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:629
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:317
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1287
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:316
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:406
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:516
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1086
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5588
options::show_curves
bool show_curves
Definition: options.h:222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:626
options::cipher_list
const char * cipher_list
Definition: options.h:541
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:526
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1857
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1470
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:335
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1017
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3700
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:605
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2145
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:619
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1719
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:409
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:334
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:544
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:383
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:317
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:366
streq
#define streq(x, y)
Definition: options.h:653
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:431
options::chroot_dir
const char * chroot_dir
Definition: options.h:306
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3919
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3715
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2717
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:418
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:247
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:286
tls_options::mode
int mode
Definition: ssl_common.h:277
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2155
options::auth_token_generate
bool auth_token_generate
Definition: options.h:474
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:323
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1331
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4367
tun_abort
void tun_abort(void)
Definition: init.c:2125
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:503
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:574
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3798
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2637
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:361
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:526
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
management::persist
struct man_persist persist
Definition: manage.h:324
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3187
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:375
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:257
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:214
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:682
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4645
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3451
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:325
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:502
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:329
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6560
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:183
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:634
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3993
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:354
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:333
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:146
close_instance
void close_instance(struct context *c)
Definition: init.c:4439
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2816
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:579
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:339
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1312
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:661
options::persist_key
bool persist_key
Definition: options.h:291
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:152
options::replay_window
int replay_window
Definition: options.h:517
options::persist_mode
int persist_mode
Definition: options.h:215
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:457
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:328
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3846
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:389
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:290
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1478
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:315
options::rcvbuf
int rcvbuf
Definition: options.h:348
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:313
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:471
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:281
options::connection_list
struct connection_list * connection_list
Definition: options.h:231
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:346
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:240
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:181
options::exit_event_name
const char * exit_event_name
Definition: options.h:625
AR_NONE
#define AR_NONE
Definition: options.h:835
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:272
options::route_noexec
bool route_noexec
Definition: options.h:364
options::sockflags
unsigned int sockflags
Definition: options.h:356
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2506
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:173
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3571
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:226
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:382
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:17
options::route_script
const char * route_script
Definition: options.h:359
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:385
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:297
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:478
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:164
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:140
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3079
options::config
const char * config
Definition: options.h:201
options::route_delay
int route_delay
Definition: options.h:365
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4708
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:313
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:360
tls_options::gremlin
int gremlin
Definition: ssl_common.h:375
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3871
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:378
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:279
options::down_pre
bool down_pre
Definition: options.h:315
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:274
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:683
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:154
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:330
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1452
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:566
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:576
options::push_peer_info
bool push_peer_info
Definition: options.h:614
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:663
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:150
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:580
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3819
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:141
PING_RESTART
#define PING_RESTART
Definition: options.h:285
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3029
options::handshake_window
int handshake_window
Definition: options.h:584
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3908
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:254
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:339
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:243
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:306
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:243
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:338
options::verify_x509_type
int verify_x509_type
Definition: options.h:547
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:237
close_management
void close_management(void)
Definition: init.c:4077
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:287
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:476
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:312
options::prng_hash
const char * prng_hash
Definition: options.h:512
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1911
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:280
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:257
options::fast_io
bool fast_io
Definition: options.h:341
options::key_direction
int key_direction
Definition: options.h:504
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:283
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:226
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:193
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1478
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:164
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:75
init_static
bool init_static(void)
Definition: init.c:770
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:285
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:205
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:590
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:316
options::route_delay_defined
bool route_delay_defined
Definition: options.h:367
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:515
options::tls_exit
bool tls_exit
Definition: options.h:616
MF_SERVER
#define MF_SERVER
Definition: manage.h:336
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1050
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272