OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "tls_crypt.h"
53 #include "forward.h"
54 #include "auth_token.h"
55 
56 #include "memdbg.h"
57 
58 
59 static struct context *static_context; /* GLOBAL */
60 
61 /*
62  * Crypto initialization flags
63  */
64 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
65 #define CF_INIT_TLS_MULTI (1<<1)
66 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
67 
68 static void do_init_first_time(struct context *c);
69 
70 void
71 context_clear(struct context *c)
72 {
73  CLEAR(*c);
74 }
75 
76 void
77 context_clear_1(struct context *c)
78 {
79  CLEAR(c->c1);
80 }
81 
82 void
83 context_clear_2(struct context *c)
84 {
85  CLEAR(c->c2);
86 }
87 
88 void
89 context_clear_all_except_first_time(struct context *c)
90 {
91  const bool first_time_save = c->first_time;
92  const struct context_persist cpsave = c->persist;
93  context_clear(c);
94  c->first_time = first_time_save;
95  c->persist = cpsave;
96 }
97 
98 /*
99  * Pass tunnel endpoint and MTU parms to a user-supplied script.
100  * Used to execute the up/down script/plugins.
101  */
102 static void
103 run_up_down(const char *command,
104  const struct plugin_list *plugins,
105  int plugin_type,
106  const char *arg,
107 #ifdef _WIN32
108  DWORD adapter_index,
109 #endif
110  const char *dev_type,
111  int tun_mtu,
112  int link_mtu,
113  const char *ifconfig_local,
114  const char *ifconfig_remote,
115  const char *context,
116  const char *signal_text,
117  const char *script_type,
118  struct env_set *es)
119 {
120  struct gc_arena gc = gc_new();
121 
122  if (signal_text)
123  {
124  setenv_str(es, "signal", signal_text);
125  }
126  setenv_str(es, "script_context", context);
127  setenv_int(es, "tun_mtu", tun_mtu);
128  setenv_int(es, "link_mtu", link_mtu);
129  setenv_str(es, "dev", arg);
130  if (dev_type)
131  {
132  setenv_str(es, "dev_type", dev_type);
133  }
134 #ifdef _WIN32
135  setenv_int(es, "dev_idx", adapter_index);
136 #endif
137 
138  if (!ifconfig_local)
139  {
140  ifconfig_local = "";
141  }
142  if (!ifconfig_remote)
143  {
144  ifconfig_remote = "";
145  }
146  if (!context)
147  {
148  context = "";
149  }
150 
151  if (plugin_defined(plugins, plugin_type))
152  {
153  struct argv argv = argv_new();
154  ASSERT(arg);
155  argv_printf(&argv,
156  "%s %d %d %s %s %s",
157  arg,
158  tun_mtu, link_mtu,
159  ifconfig_local, ifconfig_remote,
160  context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_free(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_free(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
191 update_options_ce_post(struct options *options)
192 {
193 #if P2MP
194  /*
195  * In pull mode, we usually import --ping/--ping-restart parameters from
196  * the server. However we should also set an initial default --ping-restart
197  * for the period of time before we pull the --ping-restart parameter
198  * from the server.
199  */
200  if (options->pull
201  && options->ping_rec_timeout_action == PING_UNDEF
202  && proto_is_dgram(options->ce.proto))
203  {
204  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
205  options->ping_rec_timeout_action = PING_RESTART;
206  }
207 #endif
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
234  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
258 ce_management_query_proxy(struct context *c)
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
273  management_notify_generic(management, BSTR(&out));
274  }
275  ce->flags |= CE_MAN_QUERY_PROXY;
276  while (ce->flags & CE_MAN_QUERY_PROXY)
277  {
278  management_event_loop_n_seconds(management, 1);
279  if (IS_SIG(c))
280  {
281  ret = false;
282  break;
283  }
284  }
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
291 
292 static bool
293 management_callback_remote_cmd(void *arg, const char **p)
294 {
295  struct context *c = (struct context *) arg;
296  struct connection_entry *ce = &c->options.ce;
297  int ret = false;
298  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
299  {
300  int flags = 0;
301  if (!strcmp(p[1], "ACCEPT"))
302  {
303  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
304  ret = true;
305  }
306  else if (!strcmp(p[1], "SKIP"))
307  {
308  flags = CE_MAN_QUERY_REMOTE_SKIP;
309  ret = true;
310  }
311  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
312  {
313  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
314  {
315  struct remote_host_store *rhs = c->options.rh_store;
316  if (!rhs)
317  {
318  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
319  c->options.rh_store = rhs;
320  }
321  strncpynt(rhs->host, p[2], RH_HOST_LEN);
322  strncpynt(rhs->port, p[3], RH_PORT_LEN);
323 
324  ce->remote = rhs->host;
325  ce->remote_port = rhs->port;
326  flags = CE_MAN_QUERY_REMOTE_MOD;
327  ret = true;
328  }
329  }
330  if (ret)
331  {
332  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
333  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
334  }
335  }
336  return ret;
337 }
338 
339 static bool
340 ce_management_query_remote(struct context *c)
341 {
342  struct gc_arena gc = gc_new();
343  volatile struct connection_entry *ce = &c->options.ce;
344  int ce_changed = true; /* presume the connection entry will be changed */
345 
346  update_time();
347  if (management)
348  {
349  struct buffer out = alloc_buf_gc(256, &gc);
350 
351  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
352  proto2ascii(ce->proto, ce->af, false));
353  management_notify_generic(management, BSTR(&out));
354 
355  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
356  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
357  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
358  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
359  {
360  management_event_loop_n_seconds(management, 1);
361  if (IS_SIG(c))
362  {
363  ce_changed = false; /* connection entry have not been set */
364  break;
365  }
366  }
367  }
368  gc_free(&gc);
369 
370  if (ce_changed)
371  {
372  /* If it is likely a connection entry was modified,
373  * check what changed in the flags and that it was not skipped
374  */
375  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
376  & CE_MAN_QUERY_REMOTE_MASK);
377  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
378  }
379  return ce_changed;
380 }
381 #endif /* ENABLE_MANAGEMENT */
382 
383 /*
384  * Initialize and possibly randomize connection list.
385  */
386 static void
387 init_connection_list(struct context *c)
388 {
389  struct connection_list *l = c->options.connection_list;
390 
391  l->current = -1;
392  if (c->options.remote_random)
393  {
394  int i;
395  for (i = 0; i < l->len; ++i)
396  {
397  const int j = get_random() % l->len;
398  if (i != j)
399  {
400  struct connection_entry *tmp;
401  tmp = l->array[i];
402  l->array[i] = l->array[j];
403  l->array[j] = tmp;
404  }
405  }
406  }
407 }
408 
409 /*
410  * Clear the remote address list
411  */
412 static void
413 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
414 {
415  if (lsa->remote_list && free)
416  {
417  freeaddrinfo(lsa->remote_list);
418  }
419  lsa->remote_list = NULL;
420  lsa->current_remote = NULL;
421 }
422 
423 /*
424  * Increment to next connection entry
425  */
426 static void
427 next_connection_entry(struct context *c)
428 {
429  struct connection_list *l = c->options.connection_list;
430  bool ce_defined;
431  struct connection_entry *ce;
432  int n_cycles = 0;
433 
434  do
435  {
436  ce_defined = true;
437  if (c->options.no_advance && l->current >= 0)
438  {
439  c->options.no_advance = false;
440  }
441  else
442  {
443  /* Check if there is another resolved address to try for
444  * the current connection */
445  if (c->c1.link_socket_addr.current_remote
446  && c->c1.link_socket_addr.current_remote->ai_next)
447  {
448  c->c1.link_socket_addr.current_remote =
449  c->c1.link_socket_addr.current_remote->ai_next;
450  }
451  else
452  {
453  /* FIXME (schwabe) fix the persist-remote-ip option for real,
454  * this is broken probably ever since connection lists and multiple
455  * remote existed
456  */
457  if (!c->options.persist_remote_ip)
458  {
459  /* close_instance should have cleared the addrinfo objects */
460  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
461  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
462  }
463  else
464  {
465  c->c1.link_socket_addr.current_remote =
466  c->c1.link_socket_addr.remote_list;
467  }
468 
469  /*
470  * Increase the number of connection attempts
471  * If this is connect-retry-max * size(l)
472  * OpenVPN will quit
473  */
474 
475  c->options.unsuccessful_attempts++;
476 
477  if (++l->current >= l->len)
478  {
479 
480  l->current = 0;
481  if (++n_cycles >= 2)
482  {
483  msg(M_FATAL, "No usable connection profiles are present");
484  }
485  }
486  }
487  }
488 
489  ce = l->array[l->current];
490 
491  if (ce->flags & CE_DISABLED)
492  {
493  ce_defined = false;
494  }
495 
496  c->options.ce = *ce;
497 #ifdef ENABLE_MANAGEMENT
498  if (ce_defined && management && management_query_remote_enabled(management))
499  {
500  /* allow management interface to override connection entry details */
501  ce_defined = ce_management_query_remote(c);
502  if (IS_SIG(c))
503  {
504  break;
505  }
506  }
507  else if (ce_defined && management && management_query_proxy_enabled(management))
508  {
509  ce_defined = ce_management_query_proxy(c);
510  if (IS_SIG(c))
511  {
512  break;
513  }
514  }
515 #endif
516  } while (!ce_defined);
517 
518  /* Check if this connection attempt would bring us over the limit */
519  if (c->options.connect_retry_max > 0
520  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
521  {
522  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
523  c->options.connect_retry_max);
524  }
525  update_options_ce_post(&c->options);
526 }
527 
528 /*
529  * Query for private key and auth-user-pass username/passwords
530  */
531 void
532 init_query_passwords(const struct context *c)
533 {
534  /* Certificate password input */
535  if (c->options.key_pass_file)
536  {
537  pem_password_setup(c->options.key_pass_file);
538  }
539 
540 #if P2MP
541  /* Auth user/pass input */
542  if (c->options.auth_user_pass_file)
543  {
544 #ifdef ENABLE_MANAGEMENT
545  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
546 #else
547  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
548 #endif
549  }
550 #endif
551 }
552 
553 /*
554  * Initialize/Uninitialize HTTP or SOCKS proxy
555  */
556 
557 static void
558 uninit_proxy_dowork(struct context *c)
559 {
560  if (c->c1.http_proxy_owned && c->c1.http_proxy)
561  {
562  http_proxy_close(c->c1.http_proxy);
563  c->c1.http_proxy = NULL;
564  c->c1.http_proxy_owned = false;
565  }
566  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
567  {
568  socks_proxy_close(c->c1.socks_proxy);
569  c->c1.socks_proxy = NULL;
570  c->c1.socks_proxy_owned = false;
571  }
572 }
573 
574 static void
575 init_proxy_dowork(struct context *c)
576 {
577  bool did_http = false;
578 
579  uninit_proxy_dowork(c);
580 
581  if (c->options.ce.http_proxy_options)
582  {
583  /* Possible HTTP proxy user/pass input */
584  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
585  if (c->c1.http_proxy)
586  {
587  did_http = true;
588  c->c1.http_proxy_owned = true;
589  }
590  }
591 
592  if (!did_http && c->options.ce.socks_proxy_server)
593  {
594  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
595  c->options.ce.socks_proxy_port,
596  c->options.ce.socks_proxy_authfile);
597  if (c->c1.socks_proxy)
598  {
599  c->c1.socks_proxy_owned = true;
600  }
601  }
602 }
603 
604 static void
605 init_proxy(struct context *c)
606 {
607  init_proxy_dowork(c);
608 }
609 
610 static void
611 uninit_proxy(struct context *c)
612 {
613  uninit_proxy_dowork(c);
614 }
615 
616 /*
617  * Saves the initial state of NCP-regotiable
618  * options into a storage which persists over SIGUSR1.
619  */
620 static void
621 save_ncp_options(struct context *c)
622 {
623  c->c1.ciphername = c->options.ciphername;
624  c->c1.authname = c->options.authname;
625  c->c1.keysize = c->options.keysize;
626 }
627 
628 /* Restores NCP-negotiable options to original values */
629 static void
630 restore_ncp_options(struct context *c)
631 {
632  c->options.ciphername = c->c1.ciphername;
633  c->options.authname = c->c1.authname;
634  c->options.keysize = c->c1.keysize;
635 }
636 
637 void
638 context_init_1(struct context *c)
639 {
640  context_clear_1(c);
641 
642  packet_id_persist_init(&c->c1.pid_persist);
643 
644  init_connection_list(c);
645 
646  save_ncp_options(c);
647 
648 #if defined(ENABLE_PKCS11)
649  if (c->first_time)
650  {
651  int i;
652  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
653  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
654  {
655  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
656  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
657  }
658  }
659 #endif
660 
661 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
662  {
663  /*
664  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
665  */
666  struct user_pass up;
667  CLEAR(up);
668  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
669  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
670  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
671  * 'needok' command, usually 'ok' or 'cancel'. */
672  }
673 #endif
674 
675 #ifdef ENABLE_SYSTEMD
676  /* We can report the PID via getpid() to systemd here as OpenVPN will not
677  * do any fork due to daemon() a future call.
678  * See possibly_become_daemon() [init.c] for more details.
679  */
680  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
681  (unsigned long) getpid());
682 #endif
683 
684 }
685 
686 void
687 context_gc_free(struct context *c)
688 {
689  gc_free(&c->c2.gc);
690  gc_free(&c->options.gc);
691  gc_free(&c->gc);
692 }
693 
694 #if PORT_SHARE
695 
696 static void
697 close_port_share(void)
698 {
699  if (port_share)
700  {
701  port_share_close(port_share);
702  port_share = NULL;
703  }
704 }
705 
706 static void
707 init_port_share(struct context *c)
708 {
709  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
710  {
711  port_share = port_share_open(c->options.port_share_host,
712  c->options.port_share_port,
713  MAX_RW_SIZE_LINK(&c->c2.frame),
714  c->options.port_share_journal_dir);
715  if (port_share == NULL)
716  {
717  msg(M_FATAL, "Fatal error: Port sharing failed");
718  }
719  }
720 }
721 
722 #endif /* if PORT_SHARE */
723 
724 
725 bool
726 init_static(void)
727 {
728  /* configure_path (); */
729 
730 #if defined(DMALLOC)
731  crypto_init_dmalloc();
732 #endif
733 
734 
735  /*
736  * Initialize random number seed. random() is only used
737  * when "weak" random numbers are acceptable.
738  * SSL library routines are always used when cryptographically
739  * strong random numbers are required.
740  */
741  struct timeval tv;
742  if (!gettimeofday(&tv, NULL))
743  {
744  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
745  srandom(seed);
746  }
747 
748  error_reset(); /* initialize error.c */
749  reset_check_status(); /* initialize status check code in socket.c */
750 
751 #ifdef _WIN32
752  init_win32();
753 #endif
754 
755 #ifdef OPENVPN_DEBUG_COMMAND_LINE
756  {
757  int i;
758  for (i = 0; i < argc; ++i)
759  {
760  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
761  }
762  }
763 #endif
764 
765  update_time();
766 
767  init_ssl_lib();
768 
769  /* init PRNG used for IV generation */
770  /* When forking, copy this to more places in the code to avoid fork
771  * random-state predictability */
772  prng_init(NULL, 0);
773 
774 #ifdef PID_TEST
775  packet_id_interactive_test(); /* test the sequence number code */
776  return false;
777 #endif
778 
779 #ifdef SCHEDULE_TEST
780  schedule_test();
781  return false;
782 #endif
783 
784 #ifdef LIST_TEST
785  list_test();
786  return false;
787 #endif
788 
789 #ifdef IFCONFIG_POOL_TEST
790  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
791  return false;
792 #endif
793 
794 #ifdef CHARACTER_CLASS_DEBUG
795  character_class_debug();
796  return false;
797 #endif
798 
799 #ifdef EXTRACT_X509_FIELD_TEST
800  extract_x509_field_test();
801  return false;
802 #endif
803 
804 #ifdef TIME_TEST
805  time_test();
806  return false;
807 #endif
808 
809 #ifdef TEST_GET_DEFAULT_GATEWAY
810  {
811  struct route_gateway_info rgi;
812  struct route_ipv6_gateway_info rgi6;
813  get_default_gateway(&rgi);
814  get_default_gateway_ipv6(&rgi6, NULL);
815  print_default_gateway(M_INFO, &rgi, &rgi6);
816  return false;
817  }
818 #endif
819 
820 #ifdef GEN_PATH_TEST
821  {
822  struct gc_arena gc = gc_new();
823  const char *fn = gen_path("foo",
824  "bar",
825  &gc);
826  printf("%s\n", fn);
827  gc_free(&gc);
828  }
829  return false;
830 #endif
831 
832 #ifdef STATUS_PRINTF_TEST
833  {
834  struct gc_arena gc = gc_new();
835  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
836  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
837  status_printf(so, "%s", "foo");
838  status_printf(so, "%s", "bar");
839  if (!status_close(so))
840  {
841  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
842  }
843  gc_free(&gc);
844  }
845  return false;
846 #endif
847 
848 #ifdef PRNG_TEST
849  {
850  struct gc_arena gc = gc_new();
851  uint8_t rndbuf[8];
852  int i;
853  prng_init("sha1", 16);
854  /*prng_init (NULL, 0);*/
855  const int factor = 1;
856  for (i = 0; i < factor * 8; ++i)
857  {
858 #if 1
859  prng_bytes(rndbuf, sizeof(rndbuf));
860 #else
861  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
862 #endif
863  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
864  }
865  gc_free(&gc);
866  prng_uninit();
867  return false;
868  }
869 #endif /* ifdef PRNG_TEST */
870 
871 #ifdef BUFFER_LIST_AGGREGATE_TEST
872  /* test buffer_list_aggregate function */
873  {
874  static const char *text[] = {
875  "It was a bright cold day in April, ",
876  "and the clocks were striking ",
877  "thirteen. ",
878  "Winston Smith, ",
879  "his chin nuzzled into his breast in an ",
880  "effort to escape the vile wind, ",
881  "slipped quickly through the glass doors ",
882  "of Victory Mansions, though not quickly ",
883  "enough to prevent a swirl of gritty dust from ",
884  "entering along with him."
885  };
886 
887  int iter, listcap;
888  for (listcap = 0; listcap < 12; ++listcap)
889  {
890  for (iter = 0; iter < 512; ++iter)
891  {
892  struct buffer_list *bl = buffer_list_new(listcap);
893  {
894  int i;
895  for (i = 0; i < SIZE(text); ++i)
896  {
897  buffer_list_push(bl, (unsigned char *)text[i]);
898  }
899  }
900  printf("[cap=%d i=%d] *************************\n", listcap, iter);
901  if (!(iter & 8))
902  {
903  buffer_list_aggregate(bl, iter/2);
904  }
905  if (!(iter & 16))
906  {
907  buffer_list_push(bl, (unsigned char *)"Even more text...");
908  }
909  buffer_list_aggregate(bl, iter);
910  if (!(iter & 1))
911  {
912  buffer_list_push(bl, (unsigned char *)"More text...");
913  }
914  {
915  struct buffer *buf;
916  while ((buf = buffer_list_peek(bl)))
917  {
918  int c;
919  printf("'");
920  while ((c = buf_read_u8(buf)) >= 0)
921  {
922  putchar(c);
923  }
924  printf("'\n");
925  buffer_list_advance(bl, 0);
926  }
927  }
928  buffer_list_free(bl);
929  }
930  }
931  return false;
932  }
933 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
934 
935 #ifdef MSTATS_TEST
936  {
937  int i;
938  mstats_open("/dev/shm/mstats.dat");
939  for (i = 0; i < 30; ++i)
940  {
941  mmap_stats->n_clients += 1;
942  mmap_stats->link_write_bytes += 8;
943  mmap_stats->link_read_bytes += 16;
944  sleep(1);
945  }
946  mstats_close();
947  return false;
948  }
949 #endif
950 
951  return true;
952 }
953 
954 void
955 uninit_static(void)
956 {
957  free_ssl_lib();
958 
959 #ifdef ENABLE_PKCS11
960  pkcs11_terminate();
961 #endif
962 
963 #if PORT_SHARE
964  close_port_share();
965 #endif
966 
967 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
968  show_tls_performance_stats();
969 #endif
970 }
971 
972 void
973 init_verb_mute(struct context *c, unsigned int flags)
974 {
975  if (flags & IVM_LEVEL_1)
976  {
977  /* set verbosity and mute levels */
978  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
979  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
980  set_mute_cutoff(c->options.mute);
981  }
982 
983  /* special D_LOG_RW mode */
984  if (flags & IVM_LEVEL_2)
985  {
986  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
987  }
988 }
989 
990 /*
991  * Possibly set --dev based on --dev-node.
992  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
993  * set --dev to tun.
994  */
995 void
996 init_options_dev(struct options *options)
997 {
998  if (!options->dev && options->dev_node)
999  {
1000  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1001  options->dev = basename(dev_node);
1002  }
1003 }
1004 
1005 bool
1006 print_openssl_info(const struct options *options)
1007 {
1008  /*
1009  * OpenSSL info print mode?
1010  */
1011  if (options->show_ciphers || options->show_digests || options->show_engines
1012  || options->show_tls_ciphers || options->show_curves)
1013  {
1014  if (options->show_ciphers)
1015  {
1016  show_available_ciphers();
1017  }
1018  if (options->show_digests)
1019  {
1020  show_available_digests();
1021  }
1022  if (options->show_engines)
1023  {
1024  show_available_engines();
1025  }
1026  if (options->show_tls_ciphers)
1027  {
1028  show_available_tls_ciphers(options->cipher_list,
1029  options->cipher_list_tls13,
1030  options->tls_cert_profile);
1031  }
1032  if (options->show_curves)
1033  {
1034  show_available_curves();
1035  }
1036  return true;
1037  }
1038  return false;
1039 }
1040 
1041 /*
1042  * Static pre-shared key generation mode?
1043  */
1044 bool
1045 do_genkey(const struct options *options)
1046 {
1047  /* should we disable paging? */
1048  if (options->mlock && (options->genkey))
1049  {
1050  platform_mlockall(true);
1051  }
1052 
1053  /*
1054  * We do not want user to use --genkey with --secret. In the transistion
1055  * phase we for secret.
1056  */
1057  if (options->genkey && options->genkey_type != GENKEY_SECRET
1058  && options->shared_secret_file)
1059  {
1060  msg(M_USAGE, "Using --genkey type with --secret filename is "
1061  "not supported. Use --genkey type filename instead.");
1062  }
1063  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1064  {
1065  int nbits_written;
1066  const char *genkey_filename = options->genkey_filename;
1067  if (options->shared_secret_file && options->genkey_filename)
1068  {
1069  msg(M_USAGE, "You must provide a filename to either --genkey "
1070  "or --secret, not both");
1071  }
1072 
1073  /*
1074  * Copy filename from shared_secret_file to genkey_filename to support
1075  * the old --genkey --secret foo.file syntax.
1076  */
1077  if (options->shared_secret_file)
1078  {
1079  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1080  "DEPRECATED. Use --genkey secret filename instead.");
1081  genkey_filename = options->shared_secret_file;
1082  }
1083 
1084  nbits_written = write_key_file(2, genkey_filename);
1085  if (nbits_written < 0)
1086  {
1087  msg(M_FATAL, "Failed to write key file");
1088  }
1089 
1090  msg(D_GENKEY | M_NOPREFIX,
1091  "Randomly generated %d bit key written to %s", nbits_written,
1092  options->shared_secret_file);
1093  return true;
1094  }
1095  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1096  {
1097  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1098  return true;
1099  }
1100  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1101  {
1102  if (!options->tls_crypt_v2_file)
1103  {
1104  msg(M_USAGE,
1105  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1106  }
1107 
1108  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1109  options->genkey_extra_data, options->tls_crypt_v2_file,
1110  options->tls_crypt_v2_inline);
1111  return true;
1112  }
1113  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1114  {
1115  auth_token_write_server_key_file(options->genkey_filename);
1116  return true;
1117  }
1118  else
1119  {
1120  return false;
1121  }
1122 }
1123 
1124 /*
1125  * Persistent TUN/TAP device management mode?
1126  */
1127 bool
1128 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1129 {
1130  if (options->persist_config)
1131  {
1132  /* sanity check on options for --mktun or --rmtun */
1133  notnull(options->dev, "TUN/TAP device (--dev)");
1134  if (options->ce.remote || options->ifconfig_local
1135  || options->ifconfig_remote_netmask
1136  || options->shared_secret_file
1137  || options->tls_server || options->tls_client
1138  )
1139  {
1140  msg(M_FATAL|M_OPTERR,
1141  "options --mktun or --rmtun should only be used together with --dev");
1142  }
1143 #ifdef ENABLE_FEATURE_TUN_PERSIST
1144  tuncfg(options->dev, options->dev_type, options->dev_node,
1145  options->persist_mode,
1146  options->username, options->groupname, &options->tuntap_options,
1147  ctx);
1148  if (options->persist_mode && options->lladdr)
1149  {
1150  set_lladdr(options->dev, options->lladdr, NULL);
1151  }
1152  return true;
1153 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1154  msg( M_FATAL|M_OPTERR,
1155  "options --mktun and --rmtun are not available on your operating "
1156  "system. Please check 'man tun' (or 'tap'), whether your system "
1157  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1158  "persistent tunnel interfaces.", options->dev );
1159 #endif
1160  }
1161  return false;
1162 }
1163 
1164 /*
1165  * Should we become a daemon?
1166  * Return true if we did it.
1167  */
1168 bool
1169 possibly_become_daemon(const struct options *options)
1170 {
1171  bool ret = false;
1172 
1173 #ifdef ENABLE_SYSTEMD
1174  /* return without forking if we are running from systemd */
1175  if (sd_notify(0, "READY=0") > 0)
1176  {
1177  return ret;
1178  }
1179 #endif
1180 
1181  if (options->daemon)
1182  {
1183  ASSERT(!options->inetd);
1184  /* Don't chdir immediately, but the end of the init sequence, if needed */
1185  if (daemon(1, options->log) < 0)
1186  {
1187  msg(M_ERR, "daemon() failed or unsupported");
1188  }
1189  restore_signal_state();
1190  if (options->log)
1191  {
1192  set_std_files_to_null(true);
1193  }
1194 
1195  ret = true;
1196  }
1197  return ret;
1198 }
1199 
1200 /*
1201  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1202  */
1203 static void
1204 do_uid_gid_chroot(struct context *c, bool no_delay)
1205 {
1206  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1207  struct context_0 *c0 = c->c0;
1208 
1209  if (c0 && !c0->uid_gid_chroot_set)
1210  {
1211  /* chroot if requested */
1212  if (c->options.chroot_dir)
1213  {
1214  if (no_delay)
1215  {
1216  platform_chroot(c->options.chroot_dir);
1217  }
1218  else if (c->first_time)
1219  {
1220  msg(M_INFO, "NOTE: chroot %s", why_not);
1221  }
1222  }
1223 
1224  /* set user and/or group if we want to setuid/setgid */
1225  if (c0->uid_gid_specified)
1226  {
1227  if (no_delay)
1228  {
1229  platform_group_set(&c0->platform_state_group);
1230  platform_user_set(&c0->platform_state_user);
1231  }
1232  else if (c->first_time)
1233  {
1234  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1235  }
1236  }
1237 
1238 #ifdef ENABLE_MEMSTATS
1239  if (c->first_time && c->options.memstats_fn)
1240  {
1241  mstats_open(c->options.memstats_fn);
1242  }
1243 #endif
1244 
1245 #ifdef ENABLE_SELINUX
1246  /* Apply a SELinux context in order to restrict what OpenVPN can do
1247  * to _only_ what it is supposed to do after initialization is complete
1248  * (basically just network I/O operations). Doing it after chroot
1249  * requires /proc to be mounted in the chroot (which is annoying indeed
1250  * but doing it before requires more complex SELinux policies.
1251  */
1252  if (c->options.selinux_context)
1253  {
1254  if (no_delay)
1255  {
1256  if (-1 == setcon(c->options.selinux_context))
1257  {
1258  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1259  }
1260  else
1261  {
1262  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1263  }
1264  }
1265  else if (c->first_time)
1266  {
1267  msg(M_INFO, "NOTE: setcon %s", why_not);
1268  }
1269  }
1270 #endif
1271 
1272  /* Privileges are going to be dropped by now (if requested), be sure
1273  * to prevent any future privilege dropping attempts from now on.
1274  */
1275  if (no_delay)
1276  {
1277  c0->uid_gid_chroot_set = true;
1278  }
1279  }
1280 }
1281 
1282 /*
1283  * Return common name in a way that is formatted for
1284  * prepending to msg() output.
1285  */
1286 const char *
1287 format_common_name(struct context *c, struct gc_arena *gc)
1288 {
1289  struct buffer out = alloc_buf_gc(256, gc);
1290  if (c->c2.tls_multi)
1291  {
1292  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1293  }
1294  return BSTR(&out);
1295 }
1296 
1297 void
1298 pre_setup(const struct options *options)
1299 {
1300 #ifdef _WIN32
1301  if (options->exit_event_name)
1302  {
1303  win32_signal_open(&win32_signal,
1304  WSO_FORCE_SERVICE,
1305  options->exit_event_name,
1306  options->exit_event_initial_state);
1307  }
1308  else
1309  {
1310  win32_signal_open(&win32_signal,
1311  WSO_FORCE_CONSOLE,
1312  NULL,
1313  false);
1314 
1315  /* put a title on the top window bar */
1316  if (win32_signal.mode == WSO_MODE_CONSOLE)
1317  {
1318  window_title_save(&window_title);
1319  window_title_generate(options->config);
1320  }
1321  }
1322 #endif /* ifdef _WIN32 */
1323 }
1324 
1325 void
1326 reset_coarse_timers(struct context *c)
1327 {
1328  c->c2.coarse_timer_wakeup = 0;
1329 }
1330 
1331 /*
1332  * Initialise the server poll timeout timer
1333  * This timer is used in the http/socks proxy setup so it needs to be setup
1334  * before
1335  */
1336 static void
1337 do_init_server_poll_timeout(struct context *c)
1338 {
1339  update_time();
1340  if (c->options.ce.connect_timeout)
1341  {
1342  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1343  }
1344 }
1345 
1346 /*
1347  * Initialize timers
1348  */
1349 static void
1350 do_init_timers(struct context *c, bool deferred)
1351 {
1352  update_time();
1353  reset_coarse_timers(c);
1354 
1355  /* initialize inactivity timeout */
1356  if (c->options.inactivity_timeout)
1357  {
1358  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1359  }
1360 
1361  /* initialize pings */
1362 
1363  if (c->options.ping_send_timeout)
1364  {
1365  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1366  }
1367 
1368  if (c->options.ping_rec_timeout)
1369  {
1370  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1371  }
1372 
1373  if (!deferred)
1374  {
1375  /* initialize connection establishment timer */
1376  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1377 
1378 #ifdef ENABLE_OCC
1379  /* initialize occ timers */
1380 
1381  if (c->options.occ
1382  && !TLS_MODE(c)
1383  && c->c2.options_string_local && c->c2.options_string_remote)
1384  {
1385  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1386  }
1387 
1388  if (c->options.mtu_test)
1389  {
1390  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1391  }
1392 #endif
1393 
1394  /* initialize packet_id persistence timer */
1395  if (c->options.packet_id_file)
1396  {
1397  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1398  }
1399 
1400  /* initialize tmp_int optimization that limits the number of times we call
1401  * tls_multi_process in the main event loop */
1402  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1403  }
1404 }
1405 
1406 /*
1407  * Initialize traffic shaper.
1408  */
1409 static void
1410 do_init_traffic_shaper(struct context *c)
1411 {
1412 #ifdef ENABLE_FEATURE_SHAPER
1413  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1414  if (c->options.shaper)
1415  {
1416  shaper_init(&c->c2.shaper, c->options.shaper);
1417  shaper_msg(&c->c2.shaper);
1418  }
1419 #endif
1420 }
1421 
1422 /*
1423  * Allocate route list structures for IPv4 and IPv6
1424  * (we do this for IPv4 even if no --route option has been seen, as other
1425  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1426  */
1427 static void
1428 do_alloc_route_list(struct context *c)
1429 {
1430  if (!c->c1.route_list)
1431  {
1432  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1433  }
1434  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1435  {
1436  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1437  }
1438 }
1439 
1440 
1441 /*
1442  * Initialize the route list, resolving any DNS names in route
1443  * options and saving routes in the environment.
1444  */
1445 static void
1446 do_init_route_list(const struct options *options,
1447  struct route_list *route_list,
1448  const struct link_socket_info *link_socket_info,
1449  struct env_set *es,
1450  openvpn_net_ctx_t *ctx)
1451 {
1452  const char *gw = NULL;
1453  int dev = dev_type_enum(options->dev, options->dev_type);
1454  int metric = 0;
1455 
1456  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1457  {
1458  gw = options->ifconfig_remote_netmask;
1459  }
1460  if (options->route_default_gateway)
1461  {
1462  gw = options->route_default_gateway;
1463  }
1464  if (options->route_default_metric)
1465  {
1466  metric = options->route_default_metric;
1467  }
1468 
1469  if (init_route_list(route_list,
1470  options->routes,
1471  gw,
1472  metric,
1473  link_socket_current_remote(link_socket_info),
1474  es,
1475  ctx))
1476  {
1477  /* copy routes to environment */
1478  setenv_routes(es, route_list);
1479  }
1480 }
1481 
1482 static void
1483 do_init_route_ipv6_list(const struct options *options,
1484  struct route_ipv6_list *route_ipv6_list,
1485  const struct link_socket_info *link_socket_info,
1486  struct env_set *es,
1487  openvpn_net_ctx_t *ctx)
1488 {
1489  const char *gw = NULL;
1490  int metric = -1; /* no metric set */
1491 
1492  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1493  if (options->route_ipv6_default_gateway)
1494  {
1495  gw = options->route_ipv6_default_gateway;
1496  }
1497 
1498  if (options->route_default_metric)
1499  {
1500  metric = options->route_default_metric;
1501  }
1502 
1503  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1504  */
1505  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1506  {
1507  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1508  int i;
1509 
1510  for (i = 0; opt_list[i]; i++)
1511  {
1512  add_route_ipv6_to_option_list( options->routes_ipv6,
1513  string_alloc(opt_list[i], options->routes_ipv6->gc),
1514  NULL, NULL );
1515  }
1516  }
1517 
1518  if (init_route_ipv6_list(route_ipv6_list,
1519  options->routes_ipv6,
1520  gw,
1521  metric,
1522  link_socket_current_remote_ipv6(link_socket_info),
1523  es,
1524  ctx))
1525  {
1526  /* copy routes to environment */
1527  setenv_routes_ipv6(es, route_ipv6_list);
1528  }
1529 }
1530 
1531 
1532 /*
1533  * Called after all initialization has been completed.
1534  */
1535 void
1536 initialization_sequence_completed(struct context *c, const unsigned int flags)
1537 {
1538  static const char message[] = "Initialization Sequence Completed";
1539 
1540  /* Reset the unsuccessful connection counter on complete initialisation */
1541  c->options.unsuccessful_attempts = 0;
1542 
1543  /* If we delayed UID/GID downgrade or chroot, do it now */
1544  do_uid_gid_chroot(c, true);
1545 
1546 
1547  /*
1548  * In some cases (i.e. when receiving auth-token via
1549  * push-reply) the auth-nocache option configured on the
1550  * client is overridden; for this reason we have to wait
1551  * for the push-reply message before attempting to wipe
1552  * the user/pass entered by the user
1553  */
1554  if (c->options.mode == MODE_POINT_TO_POINT)
1555  {
1556  delayed_auth_pass_purge();
1557  }
1558 
1559  /* Test if errors */
1560  if (flags & ISC_ERRORS)
1561  {
1562 #ifdef _WIN32
1563  show_routes(M_INFO|M_NOPREFIX);
1564  show_adapters(M_INFO|M_NOPREFIX);
1565  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1566 #else
1567 #ifdef ENABLE_SYSTEMD
1568  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1569 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1570  msg(M_INFO, "%s With Errors", message);
1571 #endif
1572  }
1573  else
1574  {
1575 #ifdef ENABLE_SYSTEMD
1576  sd_notifyf(0, "STATUS=%s", message);
1577 #endif
1578  msg(M_INFO, "%s", message);
1579  }
1580 
1581  /* Flag that we initialized */
1582  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1583  {
1584  c->options.no_advance = true;
1585  }
1586 
1587 #ifdef _WIN32
1588  fork_register_dns_action(c->c1.tuntap);
1589 #endif
1590 
1591 #ifdef ENABLE_MANAGEMENT
1592  /* Tell management interface that we initialized */
1593  if (management)
1594  {
1595  in_addr_t *tun_local = NULL;
1596  struct in6_addr *tun_local6 = NULL;
1597  struct openvpn_sockaddr local, remote;
1598  struct link_socket_actual *actual;
1599  socklen_t sa_len = sizeof(local);
1600  const char *detail = "SUCCESS";
1601  if (flags & ISC_ERRORS)
1602  {
1603  detail = "ERROR";
1604  }
1605 
1606  CLEAR(local);
1607  actual = &get_link_socket_info(c)->lsa->actual;
1608  remote = actual->dest;
1609  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1610 #if ENABLE_IP_PKTINFO
1611  if (!addr_defined(&local))
1612  {
1613  switch (local.addr.sa.sa_family)
1614  {
1615  case AF_INET:
1616 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1617  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1618 #else
1619  local.addr.in4.sin_addr = actual->pi.in4;
1620 #endif
1621  break;
1622 
1623  case AF_INET6:
1624  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1625  break;
1626  }
1627  }
1628 #endif
1629 
1630  if (c->c1.tuntap)
1631  {
1632  tun_local = &c->c1.tuntap->local;
1633  tun_local6 = &c->c1.tuntap->local_ipv6;
1634  }
1635  management_set_state(management,
1636  OPENVPN_STATE_CONNECTED,
1637  detail,
1638  tun_local,
1639  tun_local6,
1640  &local,
1641  &remote);
1642  if (tun_local)
1643  {
1644  management_post_tunnel_open(management, *tun_local);
1645  }
1646  }
1647 #endif /* ifdef ENABLE_MANAGEMENT */
1648 }
1649 
1650 /*
1651  * Possibly add routes and/or call route-up script
1652  * based on options.
1653  */
1654 void
1655 do_route(const struct options *options,
1656  struct route_list *route_list,
1657  struct route_ipv6_list *route_ipv6_list,
1658  const struct tuntap *tt,
1659  const struct plugin_list *plugins,
1660  struct env_set *es,
1661  openvpn_net_ctx_t *ctx)
1662 {
1663  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1664  {
1665  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1666  es, ctx);
1667  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1668  }
1669 #ifdef ENABLE_MANAGEMENT
1670  if (management)
1671  {
1672  management_up_down(management, "UP", es);
1673  }
1674 #endif
1675 
1676  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1677  {
1678  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1679  {
1680  msg(M_WARN, "WARNING: route-up plugin call failed");
1681  }
1682  }
1683 
1684  if (options->route_script)
1685  {
1686  struct argv argv = argv_new();
1687  setenv_str(es, "script_type", "route-up");
1688  argv_parse_cmd(&argv, options->route_script);
1689  openvpn_run_script(&argv, es, 0, "--route-up");
1690  argv_free(&argv);
1691  }
1692 
1693 #ifdef _WIN32
1694  if (options->show_net_up)
1695  {
1696  show_routes(M_INFO|M_NOPREFIX);
1697  show_adapters(M_INFO|M_NOPREFIX);
1698  }
1699  else if (check_debug_level(D_SHOW_NET))
1700  {
1701  show_routes(D_SHOW_NET|M_NOPREFIX);
1702  show_adapters(D_SHOW_NET|M_NOPREFIX);
1703  }
1704 #endif
1705 }
1706 
1707 /*
1708  * initialize tun/tap device object
1709  */
1710 static void
1711 do_init_tun(struct context *c)
1712 {
1713  c->c1.tuntap = init_tun(c->options.dev,
1714  c->options.dev_type,
1715  c->options.topology,
1716  c->options.ifconfig_local,
1717  c->options.ifconfig_remote_netmask,
1718  c->options.ifconfig_ipv6_local,
1719  c->options.ifconfig_ipv6_netbits,
1720  c->options.ifconfig_ipv6_remote,
1721  c->c1.link_socket_addr.bind_local,
1722  c->c1.link_socket_addr.remote_list,
1723  !c->options.ifconfig_nowarn,
1724  c->c2.es,
1725  &c->net_ctx);
1726 
1727 #ifdef _WIN32
1728  c->c1.tuntap->windows_driver = c->options.windows_driver;
1729 #endif
1730 
1731  init_tun_post(c->c1.tuntap,
1732  &c->c2.frame,
1733  &c->options.tuntap_options);
1734 
1735  c->c1.tuntap_owned = true;
1736 }
1737 
1738 /*
1739  * Open tun/tap device, ifconfig, call up script, etc.
1740  */
1741 
1742 static bool
1743 do_open_tun(struct context *c)
1744 {
1745  struct gc_arena gc = gc_new();
1746  bool ret = false;
1747 
1748 #ifndef TARGET_ANDROID
1749  if (!c->c1.tuntap)
1750  {
1751 #endif
1752 
1753 #ifdef TARGET_ANDROID
1754  /* If we emulate persist-tun on android we still have to open a new tun and
1755  * then close the old */
1756  int oldtunfd = -1;
1757  if (c->c1.tuntap)
1758  {
1759  oldtunfd = c->c1.tuntap->fd;
1760  free(c->c1.tuntap);
1761  c->c1.tuntap = NULL;
1762  c->c1.tuntap_owned = false;
1763  }
1764 #endif
1765 
1766  /* initialize (but do not open) tun/tap object */
1767  do_init_tun(c);
1768 
1769 #ifdef _WIN32
1770  /* store (hide) interactive service handle in tuntap_options */
1771  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1772  msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1773 #endif
1774 
1775  /* allocate route list structure */
1776  do_alloc_route_list(c);
1777 
1778  /* parse and resolve the route option list */
1779  ASSERT(c->c2.link_socket);
1780  if (c->options.routes && c->c1.route_list)
1781  {
1782  do_init_route_list(&c->options, c->c1.route_list,
1783  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1784  }
1785  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1786  {
1787  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1788  &c->c2.link_socket->info, c->c2.es,
1789  &c->net_ctx);
1790  }
1791 
1792  /* do ifconfig */
1793  if (!c->options.ifconfig_noexec
1794  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1795  {
1796  /* guess actual tun/tap unit number that will be returned
1797  * by open_tun */
1798  const char *guess = guess_tuntap_dev(c->options.dev,
1799  c->options.dev_type,
1800  c->options.dev_node,
1801  &gc);
1802  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1803  &c->net_ctx);
1804  }
1805 
1806  /* possibly add routes */
1807  if (route_order() == ROUTE_BEFORE_TUN)
1808  {
1809  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1810  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1811  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1812  }
1813 #ifdef TARGET_ANDROID
1814  /* Store the old fd inside the fd so open_tun can use it */
1815  c->c1.tuntap->fd = oldtunfd;
1816 #endif
1817  /* open the tun device */
1818  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1819  c->c1.tuntap);
1820 
1821  /* set the hardware address */
1822  if (c->options.lladdr)
1823  {
1824  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1825  }
1826 
1827  /* do ifconfig */
1828  if (!c->options.ifconfig_noexec
1829  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1830  {
1831  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1832  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1833  }
1834 
1835  /* run the up script */
1836  run_up_down(c->options.up_script,
1837  c->plugins,
1838  OPENVPN_PLUGIN_UP,
1839  c->c1.tuntap->actual_name,
1840 #ifdef _WIN32
1841  c->c1.tuntap->adapter_index,
1842 #endif
1843  dev_type_string(c->options.dev, c->options.dev_type),
1844  TUN_MTU_SIZE(&c->c2.frame),
1845  EXPANDED_SIZE(&c->c2.frame),
1846  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1847  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1848  "init",
1849  NULL,
1850  "up",
1851  c->c2.es);
1852 
1853 #if defined(_WIN32)
1854  if (c->options.block_outside_dns)
1855  {
1856  dmsg(D_LOW, "Blocking outside DNS");
1857  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1858  {
1859  msg(M_FATAL, "Blocking DNS failed!");
1860  }
1861  }
1862 #endif
1863 
1864  /* possibly add routes */
1865  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1866  {
1867  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1868  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1869  }
1870 
1871  /*
1872  * Did tun/tap driver give us an MTU?
1873  */
1874  if (c->c1.tuntap->post_open_mtu)
1875  {
1876  frame_set_mtu_dynamic(&c->c2.frame,
1877  c->c1.tuntap->post_open_mtu,
1878  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1879  }
1880 
1881  ret = true;
1882  static_context = c;
1883 #ifndef TARGET_ANDROID
1884 }
1885 else
1886 {
1887  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1888  c->c1.tuntap->actual_name);
1889 
1890  /* explicitly set the ifconfig_* env vars */
1891  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1892 
1893  /* run the up script if user specified --up-restart */
1894  if (c->options.up_restart)
1895  {
1896  run_up_down(c->options.up_script,
1897  c->plugins,
1898  OPENVPN_PLUGIN_UP,
1899  c->c1.tuntap->actual_name,
1900 #ifdef _WIN32
1901  c->c1.tuntap->adapter_index,
1902 #endif
1903  dev_type_string(c->options.dev, c->options.dev_type),
1904  TUN_MTU_SIZE(&c->c2.frame),
1905  EXPANDED_SIZE(&c->c2.frame),
1906  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1907  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1908  "restart",
1909  NULL,
1910  "up",
1911  c->c2.es);
1912  }
1913 #if defined(_WIN32)
1914  if (c->options.block_outside_dns)
1915  {
1916  dmsg(D_LOW, "Blocking outside DNS");
1917  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1918  {
1919  msg(M_FATAL, "Blocking DNS failed!");
1920  }
1921  }
1922 #endif
1923 
1924 }
1925 #endif /* ifndef TARGET_ANDROID */
1926  gc_free(&gc);
1927  return ret;
1928 }
1929 
1930 /*
1931  * Close TUN/TAP device
1932  */
1933 
1934 static void
1935 do_close_tun_simple(struct context *c)
1936 {
1937  msg(D_CLOSE, "Closing TUN/TAP interface");
1938  if (c->c1.tuntap)
1939  {
1940  close_tun(c->c1.tuntap, &c->net_ctx);
1941  c->c1.tuntap = NULL;
1942  }
1943  c->c1.tuntap_owned = false;
1944 #if P2MP
1945  CLEAR(c->c1.pulled_options_digest_save);
1946 #endif
1947 }
1948 
1949 static void
1950 do_close_tun(struct context *c, bool force)
1951 {
1952  struct gc_arena gc = gc_new();
1953  if (c->c1.tuntap && c->c1.tuntap_owned)
1954  {
1955  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1956 #ifdef _WIN32
1957  DWORD adapter_index = c->c1.tuntap->adapter_index;
1958 #endif
1959  const in_addr_t local = c->c1.tuntap->local;
1960  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1961 
1962  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1963  {
1964  static_context = NULL;
1965 
1966 #ifdef ENABLE_MANAGEMENT
1967  /* tell management layer we are about to close the TUN/TAP device */
1968  if (management)
1969  {
1970  management_pre_tunnel_close(management);
1971  management_up_down(management, "DOWN", c->c2.es);
1972  }
1973 #endif
1974 
1975  /* delete any routes we added */
1976  if (c->c1.route_list || c->c1.route_ipv6_list)
1977  {
1978  run_up_down(c->options.route_predown_script,
1979  c->plugins,
1980  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1981  tuntap_actual,
1982 #ifdef _WIN32
1983  adapter_index,
1984 #endif
1985  NULL,
1986  TUN_MTU_SIZE(&c->c2.frame),
1987  EXPANDED_SIZE(&c->c2.frame),
1988  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1989  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1990  "init",
1991  signal_description(c->sig->signal_received,
1992  c->sig->signal_text),
1993  "route-pre-down",
1994  c->c2.es);
1995 
1996  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1997  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
1998  c->c2.es, &c->net_ctx);
1999  }
2000 
2001  /* actually close tun/tap device based on --down-pre flag */
2002  if (!c->options.down_pre)
2003  {
2004  do_close_tun_simple(c);
2005  }
2006 
2007  /* Run the down script -- note that it will run at reduced
2008  * privilege if, for example, "--user nobody" was used. */
2009  run_up_down(c->options.down_script,
2010  c->plugins,
2011  OPENVPN_PLUGIN_DOWN,
2012  tuntap_actual,
2013 #ifdef _WIN32
2014  adapter_index,
2015 #endif
2016  NULL,
2017  TUN_MTU_SIZE(&c->c2.frame),
2018  EXPANDED_SIZE(&c->c2.frame),
2019  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2020  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2021  "init",
2022  signal_description(c->sig->signal_received,
2023  c->sig->signal_text),
2024  "down",
2025  c->c2.es);
2026 
2027 #if defined(_WIN32)
2028  if (c->options.block_outside_dns)
2029  {
2030  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2031  {
2032  msg(M_FATAL, "Uninitialising WFP failed!");
2033  }
2034  }
2035 #endif
2036 
2037  /* actually close tun/tap device based on --down-pre flag */
2038  if (c->options.down_pre)
2039  {
2040  do_close_tun_simple(c);
2041  }
2042  }
2043  else
2044  {
2045  /* run the down script on this restart if --up-restart was specified */
2046  if (c->options.up_restart)
2047  {
2048  run_up_down(c->options.down_script,
2049  c->plugins,
2050  OPENVPN_PLUGIN_DOWN,
2051  tuntap_actual,
2052 #ifdef _WIN32
2053  adapter_index,
2054 #endif
2055  NULL,
2056  TUN_MTU_SIZE(&c->c2.frame),
2057  EXPANDED_SIZE(&c->c2.frame),
2058  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2059  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2060  "restart",
2061  signal_description(c->sig->signal_received,
2062  c->sig->signal_text),
2063  "down",
2064  c->c2.es);
2065  }
2066 
2067 #if defined(_WIN32)
2068  if (c->options.block_outside_dns)
2069  {
2070  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2071  {
2072  msg(M_FATAL, "Uninitialising WFP failed!");
2073  }
2074  }
2075 #endif
2076 
2077  }
2078  }
2079  gc_free(&gc);
2080 }
2081 
2082 void
2083 tun_abort(void)
2084 {
2085  struct context *c = static_context;
2086  if (c)
2087  {
2088  static_context = NULL;
2089  do_close_tun(c, true);
2090  }
2091 }
2092 
2093 /*
2094  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2095  */
2096 
2097 #if P2MP
2098 
2102 static bool
2103 options_hash_changed_or_zero(const struct sha256_digest *a,
2104  const struct sha256_digest *b)
2105 {
2106  const struct sha256_digest zero = {{0}};
2107  return memcmp(a, b, sizeof(struct sha256_digest))
2108  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2109 }
2110 #endif /* P2MP */
2111 
2112 bool
2113 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2114 {
2115  if (!c->c2.do_up_ran)
2116  {
2117  reset_coarse_timers(c);
2118 
2119  if (pulled_options)
2120  {
2121  if (!do_deferred_options(c, option_types_found))
2122  {
2123  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2124  return false;
2125  }
2126  }
2127 
2128  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2129  if (c->options.up_delay || PULL_DEFINED(&c->options))
2130  {
2131  c->c2.did_open_tun = do_open_tun(c);
2132  update_time();
2133 
2134 #if P2MP
2135  /*
2136  * Was tun interface object persisted from previous restart iteration,
2137  * and if so did pulled options string change from previous iteration?
2138  */
2139  if (!c->c2.did_open_tun
2140  && PULL_DEFINED(&c->options)
2141  && c->c1.tuntap
2142  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2143  &c->c2.pulled_options_digest))
2144  {
2145  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2146  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2147  do_close_tun(c, true);
2148  management_sleep(1);
2149  c->c2.did_open_tun = do_open_tun(c);
2150  update_time();
2151  }
2152 #endif
2153  }
2154 
2155  if (c->c2.did_open_tun)
2156  {
2157 #if P2MP
2158  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2159 #endif
2160 
2161  /* if --route-delay was specified, start timer */
2162  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2163  {
2164  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2165  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2166  if (c->c1.tuntap)
2167  {
2168  tun_standby_init(c->c1.tuntap);
2169  }
2170  }
2171  else
2172  {
2173  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2174  }
2175  }
2176  else if (c->options.mode == MODE_POINT_TO_POINT)
2177  {
2178  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2179  }
2180 
2181  c->c2.do_up_ran = true;
2182  }
2183  return true;
2184 }
2185 
2186 /*
2187  * These are the option categories which will be accepted by pull.
2188  */
2189 unsigned int
2190 pull_permission_mask(const struct context *c)
2191 {
2192  unsigned int flags =
2193  OPT_P_UP
2194  | OPT_P_ROUTE_EXTRAS
2195  | OPT_P_SOCKBUF
2196  | OPT_P_SOCKFLAGS
2197  | OPT_P_SETENV
2198  | OPT_P_SHAPER
2199  | OPT_P_TIMER
2200  | OPT_P_COMP
2201  | OPT_P_PERSIST
2202  | OPT_P_MESSAGES
2203  | OPT_P_EXPLICIT_NOTIFY
2204  | OPT_P_ECHO
2205  | OPT_P_PULL_MODE
2206  | OPT_P_PEER_ID;
2207 
2208  if (!c->options.route_nopull)
2209  {
2210  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2211  }
2212 
2213  if (c->options.ncp_enabled)
2214  {
2215  flags |= OPT_P_NCP;
2216  }
2217 
2218  return flags;
2219 }
2220 
2221 /*
2222  * Handle non-tun-related pulled options.
2223  */
2224 bool
2225 do_deferred_options(struct context *c, const unsigned int found)
2226 {
2227  if (found & OPT_P_MESSAGES)
2228  {
2229  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2230  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2231  }
2232  if (found & OPT_P_TIMER)
2233  {
2234  do_init_timers(c, true);
2235  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2236  }
2237 
2238 #ifdef ENABLE_OCC
2239  if (found & OPT_P_EXPLICIT_NOTIFY)
2240  {
2241  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2242  {
2243  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2244  c->options.ce.explicit_exit_notification = 0;
2245  }
2246  else
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2249  }
2250  }
2251 #endif
2252 
2253 #ifdef USE_COMP
2254  if (found & OPT_P_COMP)
2255  {
2256  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2257  comp_uninit(c->c2.comp_context);
2258  c->c2.comp_context = comp_init(&c->options.comp);
2259  }
2260 #endif
2261 
2262  if (found & OPT_P_SHAPER)
2263  {
2264  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2265  do_init_traffic_shaper(c);
2266  }
2267 
2268  if (found & OPT_P_SOCKBUF)
2269  {
2270  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2271  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2272  }
2273 
2274  if (found & OPT_P_SOCKFLAGS)
2275  {
2276  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2277  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2278  }
2279 
2280  if (found & OPT_P_PERSIST)
2281  {
2282  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2283  }
2284  if (found & OPT_P_UP)
2285  {
2286  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2287  }
2288  if (found & OPT_P_ROUTE)
2289  {
2290  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2291  }
2292  if (found & OPT_P_ROUTE_EXTRAS)
2293  {
2294  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2295  }
2296  if (found & OPT_P_IPWIN32)
2297  {
2298  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2299  }
2300  if (found & OPT_P_SETENV)
2301  {
2302  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2303  }
2304 
2305  if (found & OPT_P_PEER_ID)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2308  c->c2.tls_multi->use_peer_id = true;
2309  c->c2.tls_multi->peer_id = c->options.peer_id;
2310  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2311  if (!c->options.ce.link_mtu_defined)
2312  {
2313  frame_add_to_link_mtu(&c->c2.frame, +3);
2314  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2315  EXPANDED_SIZE(&c->c2.frame));
2316  }
2317  else
2318  {
2319  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2320  " fixed by config - reducing tun-mtu to %d, expect"
2321  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2322  }
2323  }
2324 
2325  /* process (potentially pushed) crypto options */
2326  if (c->options.pull)
2327  {
2328  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2329  if (found & OPT_P_NCP)
2330  {
2331  msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2332  }
2333  else if (c->options.ncp_enabled)
2334  {
2335  tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2336  }
2337  struct frame *frame_fragment = NULL;
2338 #ifdef ENABLE_FRAGMENT
2339  if (c->options.ce.fragment)
2340  {
2341  frame_fragment = &c->c2.frame_fragment;
2342  }
2343 #endif
2344 
2345  /* Do not regenerate keys if server sends an extra push reply */
2346  if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2347  && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2348  frame_fragment))
2349  {
2350  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2351  return false;
2352  }
2353  }
2354 
2355  return true;
2356 }
2357 
2358 /*
2359  * Possible hold on initialization, holdtime is the
2360  * time OpenVPN would wait without management
2361  */
2362 static bool
2363 do_hold(int holdtime)
2364 {
2365 #ifdef ENABLE_MANAGEMENT
2366  if (management)
2367  {
2368  /* block until management hold is released */
2369  if (management_hold(management, holdtime))
2370  {
2371  return true;
2372  }
2373  }
2374 #endif
2375  return false;
2376 }
2377 
2378 /*
2379  * Sleep before restart.
2380  */
2381 static void
2382 socket_restart_pause(struct context *c)
2383 {
2384  int sec = 2;
2385  int backoff = 0;
2386 
2387  switch (c->options.ce.proto)
2388  {
2389  case PROTO_TCP_SERVER:
2390  sec = 1;
2391  break;
2392 
2393  case PROTO_UDP:
2394  case PROTO_TCP_CLIENT:
2395  sec = c->options.ce.connect_retry_seconds;
2396  break;
2397  }
2398 
2399 #ifdef ENABLE_DEBUG
2400  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2401  {
2402  sec = 0;
2403  }
2404 #endif
2405 
2406 #if P2MP
2407  if (auth_retry_get() == AR_NOINTERACT)
2408  {
2409  sec = 10;
2410  }
2411 #endif
2412 
2413  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2414  if (c->options.ce.proto != PROTO_TCP_SERVER)
2415  {
2416  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2417  if (backoff > 0)
2418  {
2419  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2420  sec = max_int(sec, 1) << min_int(backoff, 15);
2421  }
2422 
2423  if (sec > c->options.ce.connect_retry_seconds_max)
2424  {
2425  sec = c->options.ce.connect_retry_seconds_max;
2426  }
2427  }
2428 
2429  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2430  {
2431  sec = c->persist.restart_sleep_seconds;
2432  }
2433  else if (c->persist.restart_sleep_seconds == -1)
2434  {
2435  sec = 0;
2436  }
2437  c->persist.restart_sleep_seconds = 0;
2438 
2439  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2440  if (do_hold(sec))
2441  {
2442  sec = 0;
2443  }
2444 
2445  if (sec)
2446  {
2447  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2448  management_sleep(sec);
2449  }
2450 }
2451 
2452 /*
2453  * Do a possible pause on context_2 initialization.
2454  */
2455 static void
2456 do_startup_pause(struct context *c)
2457 {
2458  if (!c->first_time)
2459  {
2460  socket_restart_pause(c);
2461  }
2462  else
2463  {
2464  do_hold(0); /* do management hold on first context initialization */
2465  }
2466 }
2467 
2468 /*
2469  * Finalize MTU parameters based on command line or config file options.
2470  */
2471 static void
2472 frame_finalize_options(struct context *c, const struct options *o)
2473 {
2474  if (!o)
2475  {
2476  o = &c->options;
2477  }
2478 
2479  /*
2480  * Set adjustment factor for buffer alignment when no
2481  * cipher is used.
2482  */
2483  if (!CIPHER_ENABLED(c))
2484  {
2485  frame_align_to_extra_frame(&c->c2.frame);
2486  frame_or_align_flags(&c->c2.frame,
2487  FRAME_HEADROOM_MARKER_FRAGMENT
2488  |FRAME_HEADROOM_MARKER_READ_LINK
2489  |FRAME_HEADROOM_MARKER_READ_STREAM);
2490  }
2491 
2492  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2493  frame_finalize(&c->c2.frame,
2494  o->ce.link_mtu_defined,
2495  o->ce.link_mtu,
2496  o->ce.tun_mtu_defined,
2497  o->ce.tun_mtu);
2498 }
2499 
2500 /*
2501  * Free a key schedule, including OpenSSL components.
2502  */
2503 static void
2504 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2505 {
2506  free_key_ctx_bi(&ks->static_key);
2507  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2508  {
2509  tls_ctx_free(&ks->ssl_ctx);
2510  free_key_ctx(&ks->tls_crypt_v2_server_key);
2511  }
2512  CLEAR(*ks);
2513 }
2514 
2515 static void
2516 init_crypto_pre(struct context *c, const unsigned int flags)
2517 {
2518  if (c->options.engine)
2519  {
2520  crypto_init_lib_engine(c->options.engine);
2521  }
2522 
2523  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2524  {
2525  /* load a persisted packet-id for cross-session replay-protection */
2526  if (c->options.packet_id_file)
2527  {
2528  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2529  }
2530  }
2531 
2532 #ifdef ENABLE_PREDICTION_RESISTANCE
2533  if (c->options.use_prediction_resistance)
2534  {
2535  rand_ctx_enable_prediction_resistance();
2536  }
2537 #endif
2538 }
2539 
2540 /*
2541  * Static Key Mode (using a pre-shared key)
2542  */
2543 static void
2544 do_init_crypto_static(struct context *c, const unsigned int flags)
2545 {
2546  const struct options *options = &c->options;
2547  ASSERT(options->shared_secret_file);
2548 
2549  init_crypto_pre(c, flags);
2550 
2551  /* Initialize flags */
2552  if (c->options.mute_replay_warnings)
2553  {
2554  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2555  }
2556 
2557  /* Initialize packet ID tracking */
2558  if (options->replay)
2559  {
2560  packet_id_init(&c->c2.crypto_options.packet_id,
2561  options->replay_window,
2562  options->replay_time,
2563  "STATIC", 0);
2564  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2565  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2566  packet_id_persist_load_obj(&c->c1.pid_persist,
2567  &c->c2.crypto_options.packet_id);
2568  }
2569 
2570  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2571  {
2572  /* Get cipher & hash algorithms */
2573  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2574  options->keysize, options->test_crypto, true);
2575 
2576  /* Read cipher and hmac keys from shared secret file */
2577  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2578  options->shared_secret_file,
2579  options->shared_secret_file_inline,
2580  options->key_direction, "Static Key Encryption",
2581  "secret");
2582  }
2583  else
2584  {
2585  msg(M_INFO, "Re-using pre-shared static key");
2586  }
2587 
2588  /* Get key schedule */
2589  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2590 
2591  /* Compute MTU parameters */
2592  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2593  options->replay, true);
2594 
2595  /* Sanity check on sequence number, and cipher mode options */
2596  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2597 }
2598 
2599 /*
2600  * Initialize the tls-auth/crypt key context
2601  */
2602 static void
2603 do_init_tls_wrap_key(struct context *c)
2604 {
2605  const struct options *options = &c->options;
2606 
2607  /* TLS handshake authentication (--tls-auth) */
2608  if (options->ce.tls_auth_file)
2609  {
2610  /* Initialize key_type for tls-auth with auth only */
2611  CLEAR(c->c1.ks.tls_auth_key_type);
2612  if (!streq(options->authname, "none"))
2613  {
2614  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2615  c->c1.ks.tls_auth_key_type.hmac_length =
2616  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2617  }
2618  else
2619  {
2620  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2621  "algorithm specified ('%s')", options->authname);
2622  }
2623 
2624  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2625  &c->c1.ks.tls_wrap_key,
2626  options->ce.tls_auth_file,
2627  options->ce.tls_auth_file_inline,
2628  options->ce.key_direction,
2629  "Control Channel Authentication", "tls-auth");
2630  }
2631 
2632  /* TLS handshake encryption+authentication (--tls-crypt) */
2633  if (options->ce.tls_crypt_file)
2634  {
2635  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2636  options->ce.tls_crypt_file,
2637  options->ce.tls_crypt_inline, options->tls_server);
2638  }
2639 
2640  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2641  if (options->ce.tls_crypt_v2_file)
2642  {
2643  if (options->tls_server)
2644  {
2645  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2646  true, options->ce.tls_crypt_v2_file,
2647  options->ce.tls_crypt_v2_inline);
2648  }
2649  else
2650  {
2651  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2652  &c->c1.ks.tls_crypt_v2_wkc,
2653  options->ce.tls_crypt_v2_file,
2654  options->ce.tls_crypt_v2_inline);
2655  }
2656  }
2657 
2658 
2659 }
2660 
2661 #if P2MP_SERVER
2662 /*
2663  * Initialise the auth-token key context
2664  */
2665 static void
2666 do_init_auth_token_key(struct context *c)
2667 {
2668  if (!c->options.auth_token_generate)
2669  {
2670  return;
2671  }
2672 
2673  auth_token_init_secret(&c->c1.ks.auth_token_key,
2674  c->options.auth_token_secret_file,
2675  c->options.auth_token_secret_file_inline);
2676 }
2677 #endif
2678 
2679 /*
2680  * Initialize the persistent component of OpenVPN's TLS mode,
2681  * which is preserved across SIGUSR1 resets.
2682  */
2683 static void
2684 do_init_crypto_tls_c1(struct context *c)
2685 {
2686  const struct options *options = &c->options;
2687 
2688  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2689  {
2690  /*
2691  * Initialize the OpenSSL library's global
2692  * SSL context.
2693  */
2694  init_ssl(options, &(c->c1.ks.ssl_ctx));
2695  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2696  {
2697 #if P2MP
2698  switch (auth_retry_get())
2699  {
2700  case AR_NONE:
2701  msg(M_FATAL, "Error: private key password verification failed");
2702  break;
2703 
2704  case AR_INTERACT:
2705  ssl_purge_auth(false);
2706 
2707  case AR_NOINTERACT:
2708  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2709  break;
2710 
2711  default:
2712  ASSERT(0);
2713  }
2714  c->sig->signal_text = "private-key-password-failure";
2715  return;
2716 #else /* if P2MP */
2717  msg(M_FATAL, "Error: private key password verification failed");
2718 #endif /* if P2MP */
2719  }
2720 
2721  /* Get cipher & hash algorithms */
2722  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2723  options->keysize, true, true);
2724 
2725  /* Initialize PRNG with config-specified digest */
2726  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2727 
2728  /* initialize tls-auth/crypt/crypt-v2 key */
2729  do_init_tls_wrap_key(c);
2730 
2731 #if P2MP_SERVER
2732  /* initialise auth-token crypto support */
2733  do_init_auth_token_key(c);
2734 #endif
2735 
2736 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2737  if (options->priv_key_file_inline)
2738  {
2739  string_clear(c->options.priv_key_file_inline);
2740  c->options.priv_key_file_inline = NULL;
2741  }
2742 #endif
2743  }
2744  else
2745  {
2746  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2747 
2748  /*
2749  * tls-auth/crypt key can be configured per connection block, therefore
2750  * we must reload it as it may have changed
2751  */
2752  do_init_tls_wrap_key(c);
2753  }
2754 }
2755 
2756 static void
2757 do_init_crypto_tls(struct context *c, const unsigned int flags)
2758 {
2759  const struct options *options = &c->options;
2760  struct tls_options to;
2761  bool packet_id_long_form;
2762 
2763  ASSERT(options->tls_server || options->tls_client);
2764  ASSERT(!options->test_crypto);
2765 
2766  init_crypto_pre(c, flags);
2767 
2768  /* Make sure we are either a TLS client or server but not both */
2769  ASSERT(options->tls_server == !options->tls_client);
2770 
2771  /* initialize persistent component */
2772  do_init_crypto_tls_c1(c);
2773  if (IS_SIG(c))
2774  {
2775  return;
2776  }
2777 
2778  /* Sanity check on sequence number, and cipher mode options */
2779  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2780 
2781  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2782  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2783 
2784  /* Compute MTU parameters (postpone if we push/pull options) */
2785  if (c->options.pull || c->options.mode == MODE_SERVER)
2786  {
2787  /* Account for worst-case crypto overhead before allocating buffers */
2788  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2789  }
2790  else
2791  {
2792  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2793  options->replay, packet_id_long_form);
2794  }
2795  tls_adjust_frame_parameters(&c->c2.frame);
2796 
2797  /* Set all command-line TLS-related options */
2798  CLEAR(to);
2799 
2800  if (options->mute_replay_warnings)
2801  {
2802  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2803  }
2804 
2805  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2806  if (packet_id_long_form)
2807  {
2808  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2809  }
2810 
2811  to.ssl_ctx = c->c1.ks.ssl_ctx;
2812  to.key_type = c->c1.ks.key_type;
2813  to.server = options->tls_server;
2814  to.key_method = options->key_method;
2815  to.replay = options->replay;
2816  to.replay_window = options->replay_window;
2817  to.replay_time = options->replay_time;
2818  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2819  to.config_ciphername = c->c1.ciphername;
2820  to.config_ncp_ciphers = options->ncp_ciphers;
2821  to.ncp_enabled = options->ncp_enabled;
2822  to.transition_window = options->transition_window;
2823  to.handshake_window = options->handshake_window;
2824  to.packet_timeout = options->tls_timeout;
2825  to.renegotiate_bytes = options->renegotiate_bytes;
2826  to.renegotiate_packets = options->renegotiate_packets;
2827  if (options->renegotiate_seconds_min < 0)
2828  {
2829  /* Add 10% jitter to reneg-sec by default (server side only) */
2830  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2831  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2832  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2833  }
2834  else
2835  {
2836  /* Add user-specified jitter to reneg-sec */
2837  to.renegotiate_seconds = options->renegotiate_seconds
2838  -(get_random() % max_int(options->renegotiate_seconds
2839  - options->renegotiate_seconds_min, 1));
2840  }
2841  to.single_session = options->single_session;
2842  to.mode = options->mode;
2843  to.pull = options->pull;
2844  if (options->push_peer_info) /* all there is */
2845  {
2846  to.push_peer_info_detail = 2;
2847  }
2848  else if (options->pull) /* pull clients send some details */
2849  {
2850  to.push_peer_info_detail = 1;
2851  }
2852  else /* default: no peer-info at all */
2853  {
2854  to.push_peer_info_detail = 0;
2855  }
2856 
2857  /* should we not xmit any packets until we get an initial
2858  * response from client? */
2859  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2860  {
2861  to.xmit_hold = true;
2862  }
2863 
2864 #ifdef ENABLE_OCC
2865  to.disable_occ = !options->occ;
2866 #endif
2867 
2868  to.verify_command = options->tls_verify;
2869  to.verify_export_cert = options->tls_export_cert;
2870  to.verify_x509_type = (options->verify_x509_type & 0xff);
2871  to.verify_x509_name = options->verify_x509_name;
2872  to.crl_file = options->crl_file;
2873  to.crl_file_inline = options->crl_file_inline;
2874  to.ssl_flags = options->ssl_flags;
2875  to.ns_cert_type = options->ns_cert_type;
2876  memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2877  to.remote_cert_eku = options->remote_cert_eku;
2878  to.verify_hash = options->verify_hash;
2879  to.verify_hash_algo = options->verify_hash_algo;
2880 #ifdef ENABLE_X509ALTUSERNAME
2881  to.x509_username_field = (char *) options->x509_username_field;
2882 #else
2883  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2884 #endif
2885  to.es = c->c2.es;
2886  to.net_ctx = &c->net_ctx;
2887 
2888 #ifdef ENABLE_DEBUG
2889  to.gremlin = c->options.gremlin;
2890 #endif
2891 
2892  to.plugins = c->plugins;
2893 
2894 #ifdef MANAGEMENT_DEF_AUTH
2895  to.mda_context = &c->c2.mda_context;
2896 #endif
2897 
2898 #if P2MP_SERVER
2899  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2900  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2901  to.tmp_dir = options->tmp_dir;
2902  if (options->ccd_exclusive)
2903  {
2904  to.client_config_dir_exclusive = options->client_config_dir;
2905  }
2906  to.auth_user_pass_file = options->auth_user_pass_file;
2907  to.auth_token_generate = options->auth_token_generate;
2908  to.auth_token_lifetime = options->auth_token_lifetime;
2909  to.auth_token_call_auth = options->auth_token_call_auth;
2910  to.auth_token_key = c->c1.ks.auth_token_key;
2911 #endif
2912 
2913  to.x509_track = options->x509_track;
2914 
2915 #if P2MP
2916 #ifdef ENABLE_MANAGEMENT
2917  to.sci = &options->sc_info;
2918 #endif
2919 #endif
2920 
2921 #ifdef USE_COMP
2922  to.comp_options = options->comp;
2923 #endif
2924 
2925 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2926  if (options->keying_material_exporter_label)
2927  {
2928  to.ekm_size = options->keying_material_exporter_length;
2929  if (to.ekm_size < 16 || to.ekm_size > 4095)
2930  {
2931  to.ekm_size = 0;
2932  }
2933 
2934  to.ekm_label = options->keying_material_exporter_label;
2935  to.ekm_label_size = strlen(to.ekm_label);
2936  }
2937  else
2938  {
2939  to.ekm_size = 0;
2940  }
2941 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2942 
2943  /* TLS handshake authentication (--tls-auth) */
2944  if (options->ce.tls_auth_file)
2945  {
2946  to.tls_wrap.mode = TLS_WRAP_AUTH;
2947  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2948  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2949  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2950  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2951  true, true);
2952  }
2953 
2954  /* TLS handshake encryption (--tls-crypt) */
2955  if (options->ce.tls_crypt_file
2956  || (options->ce.tls_crypt_v2_file && options->tls_client))
2957  {
2958  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2959  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2960  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2961  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2962  tls_crypt_adjust_frame_parameters(&to.frame);
2963 
2964  if (options->ce.tls_crypt_v2_file)
2965  {
2966  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2967  }
2968  }
2969 
2970  if (options->ce.tls_crypt_v2_file)
2971  {
2972  to.tls_crypt_v2 = true;
2973  if (options->tls_server)
2974  {
2975  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2976  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2977  }
2978  }
2979 
2980  /* If we are running over TCP, allow for
2981  * length prefix */
2982  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
2983 
2984  /*
2985  * Initialize OpenVPN's master TLS-mode object.
2986  */
2987  if (flags & CF_INIT_TLS_MULTI)
2988  {
2989  c->c2.tls_multi = tls_multi_init(&to);
2990  }
2991 
2992  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2993  {
2994  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2995  }
2996 }
2997 
2998 static void
2999 do_init_finalize_tls_frame(struct context *c)
3000 {
3001  if (c->c2.tls_multi)
3002  {
3003  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3004  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3005  EXPANDED_SIZE(&c->c2.frame));
3006  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3007  "Control Channel MTU parms");
3008  }
3009  if (c->c2.tls_auth_standalone)
3010  {
3011  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3012  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3013  "TLS-Auth MTU parms");
3014  }
3015 }
3016 
3017 /*
3018  * No encryption or authentication.
3019  */
3020 static void
3021 do_init_crypto_none(const struct context *c)
3022 {
3023  ASSERT(!c->options.test_crypto);
3024  msg(M_WARN,
3025  "******* WARNING *******: All encryption and authentication features "
3026  "disabled -- All data will be tunnelled as clear text and will not be "
3027  "protected against man-in-the-middle changes. "
3028  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3029 }
3030 
3031 static void
3032 do_init_crypto(struct context *c, const unsigned int flags)
3033 {
3034  if (c->options.shared_secret_file)
3035  {
3036  do_init_crypto_static(c, flags);
3037  }
3038  else if (c->options.tls_server || c->options.tls_client)
3039  {
3040  do_init_crypto_tls(c, flags);
3041  }
3042  else /* no encryption or authentication. */
3043  {
3044  do_init_crypto_none(c);
3045  }
3046 }
3047 
3048 static void
3049 do_init_frame(struct context *c)
3050 {
3051 #ifdef USE_COMP
3052  /*
3053  * modify frame parameters if compression is enabled
3054  */
3055  if (comp_enabled(&c->options.comp))
3056  {
3057  comp_add_to_extra_frame(&c->c2.frame);
3058 
3059 #if !defined(ENABLE_LZ4)
3060  /*
3061  * Compression usage affects buffer alignment when non-swapped algs
3062  * such as LZO is used.
3063  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3064  * any special alignment because of the control-byte swap approach.
3065  * LZO alignment (on the other hand) is problematic because
3066  * the presence of the control byte means that either the output of
3067  * decryption must be written to an unaligned buffer, or the input
3068  * to compression (or packet dispatch if packet is uncompressed)
3069  * must be read from an unaligned buffer.
3070  * This code tries to align the input to compression (or packet
3071  * dispatch if packet is uncompressed) at the cost of requiring
3072  * decryption output to be written to an unaligned buffer, so
3073  * it's more of a tradeoff than an optimal solution and we don't
3074  * include it when we are doing a modern build with LZ4.
3075  * Strictly speaking, on the server it would be better to execute
3076  * this code for every connection after we decide the compression
3077  * method, but currently the frame code doesn't appear to be
3078  * flexible enough for this, since the frame is already established
3079  * before it is known which compression options will be pushed.
3080  */
3081  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3082  {
3083  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3084  frame_or_align_flags(&c->c2.frame,
3085  FRAME_HEADROOM_MARKER_FRAGMENT
3086  |FRAME_HEADROOM_MARKER_DECRYPT);
3087  }
3088 #endif
3089 
3090 #ifdef ENABLE_FRAGMENT
3091  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3092 #endif
3093  }
3094 #endif /* USE_COMP */
3095 
3096  /*
3097  * Adjust frame size for UDP Socks support.
3098  */
3099  if (c->options.ce.socks_proxy_server)
3100  {
3101  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3102  }
3103 
3104  /*
3105  * Adjust frame size based on the --tun-mtu-extra parameter.
3106  */
3107  if (c->options.ce.tun_mtu_extra_defined)
3108  {
3109  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3110  }
3111 
3112  /*
3113  * Adjust frame size based on link socket parameters.
3114  * (Since TCP is a stream protocol, we need to insert
3115  * a packet length uint16_t in the buffer.)
3116  */
3117  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3118 
3119  /*
3120  * Fill in the blanks in the frame parameters structure,
3121  * make sure values are rational, etc.
3122  */
3123  frame_finalize_options(c, NULL);
3124 
3125 #ifdef USE_COMP
3126  /*
3127  * Modify frame parameters if compression is compiled in.
3128  * Should be called after frame_finalize_options.
3129  */
3130  comp_add_to_extra_buffer(&c->c2.frame);
3131 #ifdef ENABLE_FRAGMENT
3132  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3133 #endif
3134 #endif /* USE_COMP */
3135 
3136  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3137  * and need link_mtu+3 bytes on socket reception (on server).
3138  *
3139  * accommodate receive path in f->extra_link, which has the side effect of
3140  * also increasing send buffers (BUF_SIZE() macro), which need to be
3141  * allocated big enough before receiving peer-id option from server.
3142  *
3143  * f->extra_frame is adjusted when peer-id option is push-received
3144  */
3145  frame_add_to_extra_link(&c->c2.frame, 3);
3146 
3147 #ifdef ENABLE_FRAGMENT
3148  /*
3149  * Set frame parameter for fragment code. This is necessary because
3150  * the fragmentation code deals with payloads which have already been
3151  * passed through the compression code.
3152  */
3153  c->c2.frame_fragment = c->c2.frame;
3154  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3155  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3156 #endif
3157 
3158 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
3159  /*
3160  * MTU advisories
3161  */
3162  if (c->options.ce.fragment && c->options.mtu_test)
3163  {
3164  msg(M_WARN,
3165  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3166  }
3167 #endif
3168 
3169 #ifdef ENABLE_FRAGMENT
3170  if ((c->options.ce.mssfix || c->options.ce.fragment)
3171  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3172  {
3173  msg(M_WARN,
3174  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3175  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3176  }
3177 #endif
3178 }
3179 
3180 static void
3181 do_option_warnings(struct context *c)
3182 {
3183  const struct options *o = &c->options;
3184 
3185  if (o->ping_send_timeout && !o->ping_rec_timeout)
3186  {
3187  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3188  }
3189 
3190  if (o->username || o->groupname || o->chroot_dir
3191 #ifdef ENABLE_SELINUX
3192  || o->selinux_context
3193 #endif
3194  )
3195  {
3196  if (!o->persist_tun)
3197  {
3198  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3199  }
3200  if (!o->persist_key
3201 #ifdef ENABLE_PKCS11
3202  && !o->pkcs11_id
3203 #endif
3204  )
3205  {
3206  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3207  }
3208  }
3209 
3210  if (o->chroot_dir && !(o->username && o->groupname))
3211  {
3212  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3213  }
3214 
3215 #if P2MP
3216  if (o->pull && o->ifconfig_local && c->first_time)
3217  {
3218  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3219  }
3220 
3221 #if P2MP_SERVER
3222  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3223  {
3224  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3225  }
3226 
3227  if (o->mode == MODE_SERVER)
3228  {
3229  if (o->duplicate_cn && o->client_config_dir)
3230  {
3231  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3232  }
3233  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3234  {
3235  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3236  }
3237  if (!o->keepalive_ping || !o->keepalive_timeout)
3238  {
3239  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3240  }
3241  }
3242 #endif /* if P2MP_SERVER */
3243 #endif /* if P2MP */
3244 
3245  if (!o->replay)
3246  {
3247  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3248  }
3249 
3250  if (o->tls_server)
3251  {
3252  warn_on_use_of_common_subnets(&c->net_ctx);
3253  }
3254  if (o->tls_client
3255  && !o->tls_verify
3256  && o->verify_x509_type == VERIFY_X509_NONE
3257  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3258  && !o->remote_cert_eku)
3259  {
3260  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3261  }
3262  if (o->ns_cert_type)
3263  {
3264  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3265  }
3266 
3267  /* If a script is used, print appropriate warnings */
3268  if (o->user_script_used)
3269  {
3270  if (script_security() >= SSEC_SCRIPTS)
3271  {
3272  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3273  }
3274  else if (script_security() >= SSEC_PW_ENV)
3275  {
3276  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3277  }
3278  else
3279  {
3280  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3281  }
3282  }
3283 }
3284 
3285 static void
3286 do_init_frame_tls(struct context *c)
3287 {
3288  do_init_finalize_tls_frame(c);
3289 }
3290 
3291 struct context_buffers *
3292 init_context_buffers(const struct frame *frame)
3293 {
3294  struct context_buffers *b;
3295 
3296  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3297 
3298  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3299  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3300 
3301  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3302 
3303  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3304  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3305 
3306 #ifdef USE_COMP
3307  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3308  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3309 #endif
3310 
3311  return b;
3312 }
3313 
3314 void
3315 free_context_buffers(struct context_buffers *b)
3316 {
3317  if (b)
3318  {
3319  free_buf(&b->read_link_buf);
3320  free_buf(&b->read_tun_buf);
3321  free_buf(&b->aux_buf);
3322 
3323 #ifdef USE_COMP
3324  free_buf(&b->compress_buf);
3325  free_buf(&b->decompress_buf);
3326 #endif
3327 
3328  free_buf(&b->encrypt_buf);
3329  free_buf(&b->decrypt_buf);
3330 
3331  free(b);
3332  }
3333 }
3334 
3335 /*
3336  * Now that we know all frame parameters, initialize
3337  * our buffers.
3338  */
3339 static void
3340 do_init_buffers(struct context *c)
3341 {
3342  c->c2.buffers = init_context_buffers(&c->c2.frame);
3343  c->c2.buffers_owned = true;
3344 }
3345 
3346 #ifdef ENABLE_FRAGMENT
3347 /*
3348  * Fragmenting code has buffers to initialize
3349  * once frame parameters are known.
3350  */
3351 static void
3352 do_init_fragment(struct context *c)
3353 {
3354  ASSERT(c->options.ce.fragment);
3355  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3356  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3357  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3358 }
3359 #endif
3360 
3361 /*
3362  * Allocate our socket object.
3363  */
3364 static void
3365 do_link_socket_new(struct context *c)
3366 {
3367  ASSERT(!c->c2.link_socket);
3368  c->c2.link_socket = link_socket_new();
3369  c->c2.link_socket_owned = true;
3370 }
3371 
3372 /*
3373  * bind the TCP/UDP socket
3374  */
3375 static void
3376 do_init_socket_1(struct context *c, const int mode)
3377 {
3378  unsigned int sockflags = c->options.sockflags;
3379 
3380 #if PORT_SHARE
3381  if (c->options.port_share_host && c->options.port_share_port)
3382  {
3383  sockflags |= SF_PORT_SHARE;
3384  }
3385 #endif
3386 
3387  link_socket_init_phase1(c->c2.link_socket,
3388  c->options.ce.local,
3389  c->options.ce.local_port,
3390  c->options.ce.remote,
3391  c->options.ce.remote_port,
3392  c->c1.dns_cache,
3393  c->options.ce.proto,
3394  c->options.ce.af,
3395  c->options.ce.bind_ipv6_only,
3396  mode,
3397  c->c2.accept_from,
3398  c->c1.http_proxy,
3399  c->c1.socks_proxy,
3400 #ifdef ENABLE_DEBUG
3401  c->options.gremlin,
3402 #endif
3403  c->options.ce.bind_local,
3404  c->options.ce.remote_float,
3405  c->options.inetd,
3406  &c->c1.link_socket_addr,
3407  c->options.ipchange,
3408  c->plugins,
3409  c->options.resolve_retry_seconds,
3410  c->options.ce.mtu_discover_type,
3411  c->options.rcvbuf,
3412  c->options.sndbuf,
3413  c->options.mark,
3414  &c->c2.server_poll_interval,
3415  sockflags);
3416 }
3417 
3418 /*
3419  * finalize the TCP/UDP socket
3420  */
3421 static void
3422 do_init_socket_2(struct context *c)
3423 {
3424  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3425  c->sig);
3426 }
3427 
3428 /*
3429  * Print MTU INFO
3430  */
3431 static void
3432 do_print_data_channel_mtu_parms(struct context *c)
3433 {
3434  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3435 #ifdef ENABLE_FRAGMENT
3436  if (c->c2.fragment)
3437  {
3438  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3439  "Fragmentation MTU parms");
3440  }
3441 #endif
3442 }
3443 
3444 #ifdef ENABLE_OCC
3445 /*
3446  * Get local and remote options compatibility strings.
3447  */
3448 static void
3449 do_compute_occ_strings(struct context *c)
3450 {
3451  struct gc_arena gc = gc_new();
3452 
3453  c->c2.options_string_local =
3454  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3455  false, &gc);
3456  c->c2.options_string_remote =
3457  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3458  true, &gc);
3459 
3460  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3461  options_string_version(c->c2.options_string_local, &gc),
3462  c->c2.options_string_local);
3463  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3464  options_string_version(c->c2.options_string_remote, &gc),
3465  c->c2.options_string_remote);
3466 
3467  if (c->c2.tls_multi)
3468  {
3469  tls_multi_init_set_options(c->c2.tls_multi,
3470  c->c2.options_string_local,
3471  c->c2.options_string_remote);
3472  }
3473 
3474  gc_free(&gc);
3475 }
3476 #endif /* ifdef ENABLE_OCC */
3477 
3478 /*
3479  * These things can only be executed once per program instantiation.
3480  * Set up for possible UID/GID downgrade, but don't do it yet.
3481  * Daemonize if requested.
3482  */
3483 static void
3484 do_init_first_time(struct context *c)
3485 {
3486  if (c->first_time && !c->c0)
3487  {
3488  struct context_0 *c0;
3489 
3490  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3491  c0 = c->c0;
3492 
3493  /* get user and/or group that we want to setuid/setgid to */
3494  c0->uid_gid_specified =
3495  platform_group_get(c->options.groupname, &c0->platform_state_group)
3496  |platform_user_get(c->options.username, &c0->platform_state_user);
3497 
3498  /* perform postponed chdir if --daemon */
3499  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3500  {
3501  platform_chdir("/");
3502  }
3503 
3504  /* should we change scheduling priority? */
3505  platform_nice(c->options.nice);
3506  }
3507 }
3508 
3509 /*
3510  * If xinetd/inetd mode, don't allow restart.
3511  */
3512 static void
3513 do_close_check_if_restart_permitted(struct context *c)
3514 {
3515  if (c->options.inetd
3516  && (c->sig->signal_received == SIGHUP
3517  || c->sig->signal_received == SIGUSR1))
3518  {
3519  c->sig->signal_received = SIGTERM;
3520  msg(M_INFO,
3521  PACKAGE_NAME
3522  " started by inetd/xinetd cannot restart... Exiting.");
3523  }
3524 }
3525 
3526 /*
3527  * free buffers
3528  */
3529 static void
3530 do_close_free_buf(struct context *c)
3531 {
3532  if (c->c2.buffers_owned)
3533  {
3534  free_context_buffers(c->c2.buffers);
3535  c->c2.buffers = NULL;
3536  c->c2.buffers_owned = false;
3537  }
3538 }
3539 
3540 /*
3541  * close TLS
3542  */
3543 static void
3544 do_close_tls(struct context *c)
3545 {
3546  if (c->c2.tls_multi)
3547  {
3548  tls_multi_free(c->c2.tls_multi, true);
3549  c->c2.tls_multi = NULL;
3550  }
3551 
3552 #ifdef ENABLE_OCC
3553  /* free options compatibility strings */
3554  if (c->c2.options_string_local)
3555  {
3556  free(c->c2.options_string_local);
3557  }
3558  if (c->c2.options_string_remote)
3559  {
3560  free(c->c2.options_string_remote);
3561  }
3562  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3563 #endif
3564 
3565  if (c->c2.pulled_options_state)
3566  {
3567  md_ctx_cleanup(c->c2.pulled_options_state);
3568  md_ctx_free(c->c2.pulled_options_state);
3569  }
3570 }
3571 
3572 /*
3573  * Free key schedules
3574  */
3575 static void
3576 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3577 {
3578  /*
3579  * always free the tls_auth/crypt key. If persist_key is true, the key will
3580  * be reloaded from memory (pre-cached)
3581  */
3582  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3583  CLEAR(c->c1.ks.tls_wrap_key);
3584  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3585  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3586 
3587  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3588  {
3589  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3590  }
3591 }
3592 
3593 /*
3594  * Close TCP/UDP connection
3595  */
3596 static void
3597 do_close_link_socket(struct context *c)
3598 {
3599  if (c->c2.link_socket && c->c2.link_socket_owned)
3600  {
3601  link_socket_close(c->c2.link_socket);
3602  c->c2.link_socket = NULL;
3603  }
3604 
3605 
3606  /* Preserve the resolved list of remote if the user request to or if we want
3607  * reconnect to the same host again or there are still addresses that need
3608  * to be tried */
3609  if (!(c->sig->signal_received == SIGUSR1
3610  && ( (c->options.persist_remote_ip)
3611  ||
3612  ( c->sig->source != SIG_SOURCE_HARD
3613  && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3614  || c->options.no_advance))
3615  )))
3616  {
3617  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3618  }
3619 
3620  /* Clear the remote actual address when persist_remote_ip is not in use */
3621  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3622  {
3623  CLEAR(c->c1.link_socket_addr.actual);
3624  }
3625 
3626  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3627  {
3628  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3629  {
3630  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3631  }
3632 
3633  c->c1.link_socket_addr.bind_local = NULL;
3634  }
3635 }
3636 
3637 /*
3638  * Close packet-id persistence file
3639  */
3640 static void
3641 do_close_packet_id(struct context *c)
3642 {
3643  packet_id_free(&c->c2.crypto_options.packet_id);
3644  packet_id_persist_save(&c->c1.pid_persist);
3645  if (!(c->sig->signal_received == SIGUSR1))
3646  {
3647  packet_id_persist_close(&c->c1.pid_persist);
3648  }
3649 }
3650 
3651 #ifdef ENABLE_FRAGMENT
3652 /*
3653  * Close fragmentation handler.
3654  */
3655 static void
3656 do_close_fragment(struct context *c)
3657 {
3658  if (c->c2.fragment)
3659  {
3660  fragment_free(c->c2.fragment);
3661  c->c2.fragment = NULL;
3662  }
3663 }
3664 #endif
3665 
3666 /*
3667  * Open and close our event objects.
3668  */
3669 
3670 static void
3671 do_event_set_init(struct context *c,
3672  bool need_us_timeout)
3673 {
3674  unsigned int flags = 0;
3675 
3676  c->c2.event_set_max = BASE_N_EVENTS;
3677 
3678  flags |= EVENT_METHOD_FAST;
3679 
3680  if (need_us_timeout)
3681  {
3682  flags |= EVENT_METHOD_US_TIMEOUT;
3683  }
3684 
3685  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3686  c->c2.event_set_owned = true;
3687 }
3688 
3689 static void
3690 do_close_event_set(struct context *c)
3691 {
3692  if (c->c2.event_set && c->c2.event_set_owned)
3693  {
3694  event_free(c->c2.event_set);
3695  c->c2.event_set = NULL;
3696  c->c2.event_set_owned = false;
3697  }
3698 }
3699 
3700 /*
3701  * Open and close --status file
3702  */
3703 
3704 static void
3705 do_open_status_output(struct context *c)
3706 {
3707  if (!c->c1.status_output)
3708  {
3709  c->c1.status_output = status_open(c->options.status_file,
3710  c->options.status_file_update_freq,
3711  -1,
3712  NULL,
3713  STATUS_OUTPUT_WRITE);
3714  c->c1.status_output_owned = true;
3715  }
3716 }
3717 
3718 static void
3719 do_close_status_output(struct context *c)
3720 {
3721  if (!(c->sig->signal_received == SIGUSR1))
3722  {
3723  if (c->c1.status_output_owned && c->c1.status_output)
3724  {
3725  status_close(c->c1.status_output);
3726  c->c1.status_output = NULL;
3727  c->c1.status_output_owned = false;
3728  }
3729  }
3730 }
3731 
3732 /*
3733  * Handle ifconfig-pool persistence object.
3734  */
3735 static void
3736 do_open_ifconfig_pool_persist(struct context *c)
3737 {
3738 #if P2MP_SERVER
3739  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3740  {
3741  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3742  c->options.ifconfig_pool_persist_refresh_freq);
3743  c->c1.ifconfig_pool_persist_owned = true;
3744  }
3745 #endif
3746 }
3747 
3748 static void
3749 do_close_ifconfig_pool_persist(struct context *c)
3750 {
3751 #if P2MP_SERVER
3752  if (!(c->sig->signal_received == SIGUSR1))
3753  {
3754  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3755  {
3756  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3757  c->c1.ifconfig_pool_persist = NULL;
3758  c->c1.ifconfig_pool_persist_owned = false;
3759  }
3760  }
3761 #endif
3762 }
3763 
3764 /*
3765  * Inherit environmental variables
3766  */
3767 
3768 static void
3769 do_inherit_env(struct context *c, const struct env_set *src)
3770 {
3771  c->c2.es = env_set_create(NULL);
3772  c->c2.es_owned = true;
3773  env_set_inherit(c->c2.es, src);
3774 }
3775 
3776 static void
3777 do_env_set_destroy(struct context *c)
3778 {
3779  if (c->c2.es && c->c2.es_owned)
3780  {
3781  env_set_destroy(c->c2.es);
3782  c->c2.es = NULL;
3783  c->c2.es_owned = false;
3784  }
3785 }
3786 
3787 /*
3788  * Fast I/O setup. Fast I/O is an optimization which only works
3789  * if all of the following are true:
3790  *
3791  * (1) The platform is not Windows
3792  * (2) --proto udp is enabled
3793  * (3) --shaper is disabled
3794  */
3795 static void
3796 do_setup_fast_io(struct context *c)
3797 {
3798  if (c->options.fast_io)
3799  {
3800 #ifdef _WIN32
3801  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3802 #else
3803  if (!proto_is_udp(c->options.ce.proto))
3804  {
3805  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3806  }
3807  else
3808  {
3809 #ifdef ENABLE_FEATURE_SHAPER
3810  if (c->options.shaper)
3811  {
3812  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3813  }
3814  else
3815 #endif
3816  {
3817  c->c2.fast_io = true;
3818  }
3819  }
3820 #endif
3821  }
3822 }
3823 
3824 static void
3825 do_signal_on_tls_errors(struct context *c)
3826 {
3827  if (c->options.tls_exit)
3828  {
3829  c->c2.tls_exit_signal = SIGTERM;
3830  }
3831  else
3832  {
3833  c->c2.tls_exit_signal = SIGUSR1;
3834  }
3835 }
3836 
3837 #ifdef ENABLE_PLUGIN
3838 
3839 void
3840 init_plugins(struct context *c)
3841 {
3842  if (c->options.plugin_list && !c->plugins)
3843  {
3844  c->plugins = plugin_list_init(c->options.plugin_list);
3845  c->plugins_owned = true;
3846  }
3847 }
3848 
3849 void
3850 open_plugins(struct context *c, const bool import_options, int init_point)
3851 {
3852  if (c->plugins && c->plugins_owned)
3853  {
3854  if (import_options)
3855  {
3856  struct plugin_return pr, config;
3857  plugin_return_init(&pr);
3858  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3859  plugin_return_get_column(&pr, &config, "config");
3860  if (plugin_return_defined(&config))
3861  {
3862  int i;
3863  for (i = 0; i < config.n; ++i)
3864  {
3865  unsigned int option_types_found = 0;
3866  if (config.list[i] && config.list[i]->value)
3867  {
3868  options_string_import(&c->options,
3869  config.list[i]->value,
3870  D_IMPORT_ERRORS|M_OPTERR,
3871  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3872  &option_types_found,
3873  c->es);
3874  }
3875  }
3876  }
3877  plugin_return_free(&pr);
3878  }
3879  else
3880  {
3881  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3882  }
3883  }
3884 }
3885 
3886 static void
3887 do_close_plugins(struct context *c)
3888 {
3889  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3890  {
3891  plugin_list_close(c->plugins);
3892  c->plugins = NULL;
3893  c->plugins_owned = false;
3894  }
3895 }
3896 
3897 static void
3898 do_inherit_plugins(struct context *c, const struct context *src)
3899 {
3900  if (!c->plugins && src->plugins)
3901  {
3902  c->plugins = plugin_list_inherit(src->plugins);
3903  c->plugins_owned = true;
3904  }
3905 }
3906 
3907 #endif /* ifdef ENABLE_PLUGIN */
3908 
3909 #ifdef ENABLE_MANAGEMENT
3910 
3911 static void
3912 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3913 {
3914  struct context *c = (struct context *) arg;
3915  print_status(c, so);
3916 }
3917 
3918 void
3919 management_show_net_callback(void *arg, const int msglevel)
3920 {
3921 #ifdef _WIN32
3922  show_routes(msglevel);
3923  show_adapters(msglevel);
3924  msg(msglevel, "END");
3925 #else
3926  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3927 #endif
3928 }
3929 
3930 #ifdef TARGET_ANDROID
3931 int
3932 management_callback_network_change(void *arg, bool samenetwork)
3933 {
3934  /* Check if the client should translate the network change to a SIGUSR1 to
3935  * reestablish the connection or just reprotect the socket
3936  *
3937  * At the moment just assume that, for all settings that use pull (not
3938  * --static) and are not using peer-id reestablishing the connection is
3939  * required (unless the network is the same)
3940  *
3941  * The function returns -1 on invalid fd and -2 if the socket cannot be
3942  * reused. On the -2 return value the man_network_change function triggers
3943  * a SIGUSR1 to force a reconnect.
3944  */
3945 
3946  int socketfd = -1;
3947  struct context *c = (struct context *) arg;
3948  if (!c->c2.link_socket)
3949  {
3950  return -1;
3951  }
3952  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3953  {
3954  return -1;
3955  }
3956 
3957  socketfd = c->c2.link_socket->sd;
3958  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3959  {
3960  return socketfd;
3961  }
3962  else
3963  {
3964  return -2;
3965  }
3966 }
3967 #endif /* ifdef TARGET_ANDROID */
3968 
3969 #endif /* ifdef ENABLE_MANAGEMENT */
3970 
3971 void
3972 init_management_callback_p2p(struct context *c)
3973 {
3974 #ifdef ENABLE_MANAGEMENT
3975  if (management)
3976  {
3977  struct management_callback cb;
3978  CLEAR(cb);
3979  cb.arg = c;
3980  cb.status = management_callback_status_p2p;
3981  cb.show_net = management_show_net_callback;
3982  cb.proxy_cmd = management_callback_proxy_cmd;
3983  cb.remote_cmd = management_callback_remote_cmd;
3984 #ifdef TARGET_ANDROID
3985  cb.network_change = management_callback_network_change;
3986 #endif
3987  management_set_callback(management, &cb);
3988  }
3989 #endif
3990 }
3991 
3992 #ifdef ENABLE_MANAGEMENT
3993 
3994 void
3995 init_management(void)
3996 {
3997  if (!management)
3998  {
3999  management = management_init();
4000  }
4001 }
4002 
4003 bool
4004 open_management(struct context *c)
4005 {
4006  /* initialize management layer */
4007  if (management)
4008  {
4009  if (c->options.management_addr)
4010  {
4011  unsigned int flags = c->options.management_flags;
4012  if (c->options.mode == MODE_SERVER)
4013  {
4014  flags |= MF_SERVER;
4015  }
4016  if (management_open(management,
4017  c->options.management_addr,
4018  c->options.management_port,
4019  c->options.management_user_pass,
4020  c->options.management_client_user,
4021  c->options.management_client_group,
4022  c->options.management_log_history_cache,
4023  c->options.management_echo_buffer_size,
4024  c->options.management_state_buffer_size,
4025  c->options.management_write_peer_info_file,
4026  c->options.remap_sigusr1,
4027  flags))
4028  {
4029  management_set_state(management,
4030  OPENVPN_STATE_CONNECTING,
4031  NULL,
4032  NULL,
4033  NULL,
4034  NULL,
4035  NULL);
4036  }
4037 
4038  /* initial management hold, called early, before first context initialization */
4039  do_hold(0);
4040  if (IS_SIG(c))
4041  {
4042  msg(M_WARN, "Signal received from management interface, exiting");
4043  return false;
4044  }
4045  }
4046  else
4047  {
4048  close_management();
4049  }
4050  }
4051  return true;
4052 }
4053 
4054 void
4055 close_management(void)
4056 {
4057  if (management)
4058  {
4059  management_close(management);
4060  management = NULL;
4061  }
4062 }
4063 
4064 #endif /* ifdef ENABLE_MANAGEMENT */
4065 
4066 
4067 void
4068 uninit_management_callback(void)
4069 {
4070 #ifdef ENABLE_MANAGEMENT
4071  if (management)
4072  {
4073  management_clear_callback(management);
4074  }
4075 #endif
4076 }
4077 
4078 /*
4079  * Initialize a tunnel instance, handle pre and post-init
4080  * signal settings.
4081  */
4082 void
4083 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4084 {
4085  pre_init_signal_catch();
4086  init_instance(c, env, flags);
4087  post_init_signal_catch();
4088 
4089  /*
4090  * This is done so that signals thrown during
4091  * initialization can bring us back to
4092  * a management hold.
4093  */
4094  if (IS_SIG(c))
4095  {
4096  remap_signal(c);
4097  uninit_management_callback();
4098  }
4099 }
4100 
4101 /*
4102  * Initialize a tunnel instance.
4103  */
4104 void
4105 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4106 {
4107  const struct options *options = &c->options;
4108  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4109  int link_socket_mode = LS_MODE_DEFAULT;
4110 
4111  /* init garbage collection level */
4112  gc_init(&c->c2.gc);
4113 
4114  /* inherit environmental variables */
4115  if (env)
4116  {
4117  do_inherit_env(c, env);
4118  }
4119 
4120  /* signals caught here will abort */
4121  c->sig->signal_received = 0;
4122  c->sig->signal_text = NULL;
4123  c->sig->source = SIG_SOURCE_SOFT;
4124 
4125  if (c->mode == CM_P2P)
4126  {
4127  init_management_callback_p2p(c);
4128  }
4129 
4130  /* possible sleep or management hold if restart */
4131  if (c->mode == CM_P2P || c->mode == CM_TOP)
4132  {
4133  do_startup_pause(c);
4134  if (IS_SIG(c))
4135  {
4136  goto sig;
4137  }
4138  }
4139 
4140  if (c->options.resolve_in_advance)
4141  {
4142  do_preresolve(c);
4143  if (IS_SIG(c))
4144  {
4145  goto sig;
4146  }
4147  }
4148 
4149  /* map in current connection entry */
4150  next_connection_entry(c);
4151 
4152  /* link_socket_mode allows CM_CHILD_TCP
4153  * instances to inherit acceptable fds
4154  * from a top-level parent */
4155  if (c->options.ce.proto == PROTO_TCP_SERVER)
4156  {
4157  if (c->mode == CM_TOP)
4158  {
4159  link_socket_mode = LS_MODE_TCP_LISTEN;
4160  }
4161  else if (c->mode == CM_CHILD_TCP)
4162  {
4163  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4164  }
4165  }
4166 
4167  /* should we disable paging? */
4168  if (c->first_time && options->mlock)
4169  {
4170  platform_mlockall(true);
4171  }
4172 
4173 #if P2MP
4174  /* get passwords if undefined */
4175  if (auth_retry_get() == AR_INTERACT)
4176  {
4177  init_query_passwords(c);
4178  }
4179 #endif
4180 
4181  /* initialize context level 2 --verb/--mute parms */
4182  init_verb_mute(c, IVM_LEVEL_2);
4183 
4184  /* set error message delay for non-server modes */
4185  if (c->mode == CM_P2P)
4186  {
4187  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4188  }
4189 
4190  /* warn about inconsistent options */
4191  if (c->mode == CM_P2P || c->mode == CM_TOP)
4192  {
4193  do_option_warnings(c);
4194  }
4195 
4196 #ifdef ENABLE_PLUGIN
4197  /* initialize plugins */
4198  if (c->mode == CM_P2P || c->mode == CM_TOP)
4199  {
4200  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4201  }
4202 #endif
4203 
4204  /* should we enable fast I/O? */
4205  if (c->mode == CM_P2P || c->mode == CM_TOP)
4206  {
4207  do_setup_fast_io(c);
4208  }
4209 
4210  /* should we throw a signal on TLS errors? */
4211  do_signal_on_tls_errors(c);
4212 
4213  /* open --status file */
4214  if (c->mode == CM_P2P || c->mode == CM_TOP)
4215  {
4216  do_open_status_output(c);
4217  }
4218 
4219  /* open --ifconfig-pool-persist file */
4220  if (c->mode == CM_TOP)
4221  {
4222  do_open_ifconfig_pool_persist(c);
4223  }
4224 
4225 #ifdef ENABLE_OCC
4226  /* reset OCC state */
4227  if (c->mode == CM_P2P || child)
4228  {
4229  c->c2.occ_op = occ_reset_op();
4230  }
4231 #endif
4232 
4233  /* our wait-for-i/o objects, different for posix vs. win32 */
4234  if (c->mode == CM_P2P)
4235  {
4236  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4237  }
4238  else if (c->mode == CM_CHILD_TCP)
4239  {
4240  do_event_set_init(c, false);
4241  }
4242 
4243  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4244  init_proxy(c);
4245 
4246  /* allocate our socket object */
4247  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4248  {
4249  do_link_socket_new(c);
4250  }
4251 
4252 #ifdef ENABLE_FRAGMENT
4253  /* initialize internal fragmentation object */
4254  if (options->ce.fragment && (c->mode == CM_P2P || child))
4255  {
4256  c->c2.fragment = fragment_init(&c->c2.frame);
4257  }
4258 #endif
4259 
4260  /* init crypto layer */
4261  {
4262  unsigned int crypto_flags = 0;
4263  if (c->mode == CM_TOP)
4264  {
4265  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4266  }
4267  else if (c->mode == CM_P2P)
4268  {
4269  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4270  }
4271  else if (child)
4272  {
4273  crypto_flags = CF_INIT_TLS_MULTI;
4274  }
4275  do_init_crypto(c, crypto_flags);
4276  if (IS_SIG(c) && !child)
4277  {
4278  goto sig;
4279  }
4280  }
4281 
4282 #ifdef USE_COMP
4283  /* initialize compression library. */
4284  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4285  {
4286  c->c2.comp_context = comp_init(&options->comp);
4287  }
4288 #endif
4289 
4290  /* initialize MTU variables */
4291  do_init_frame(c);
4292 
4293  /* initialize TLS MTU variables */
4294  do_init_frame_tls(c);
4295 
4296  /* init workspace buffers whose size is derived from frame size */
4297  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4298  {
4299  do_init_buffers(c);
4300  }
4301 
4302 #ifdef ENABLE_FRAGMENT
4303  /* initialize internal fragmentation capability with known frame size */
4304  if (options->ce.fragment && (c->mode == CM_P2P || child))
4305  {
4306  do_init_fragment(c);
4307  }
4308 #endif
4309 
4310  /* initialize dynamic MTU variable */
4311  frame_init_mssfix(&c->c2.frame, &c->options);
4312 
4313  /* bind the TCP/UDP socket */
4314  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4315  {
4316  do_init_socket_1(c, link_socket_mode);
4317  }
4318 
4319  /* initialize tun/tap device object,
4320  * open tun/tap device, ifconfig, run up script, etc. */
4321  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4322  {
4323  c->c2.did_open_tun = do_open_tun(c);
4324  }
4325 
4326  c->c2.frame_initial = c->c2.frame;
4327 
4328  /* print MTU info */
4329  do_print_data_channel_mtu_parms(c);
4330 
4331 #ifdef ENABLE_OCC
4332  /* get local and remote options compatibility strings */
4333  if (c->mode == CM_P2P || child)
4334  {
4335  do_compute_occ_strings(c);
4336  }
4337 #endif
4338 
4339  /* initialize output speed limiter */
4340  if (c->mode == CM_P2P)
4341  {
4342  do_init_traffic_shaper(c);
4343  }
4344 
4345  /* do one-time inits, and possibly become a daemon here */
4346  do_init_first_time(c);
4347 
4348 #ifdef ENABLE_PLUGIN
4349  /* initialize plugins */
4350  if (c->mode == CM_P2P || c->mode == CM_TOP)
4351  {
4352  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4353  }
4354 #endif
4355 
4356  /* initialise connect timeout timer */
4357  do_init_server_poll_timeout(c);
4358 
4359  /* finalize the TCP/UDP socket */
4360  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4361  {
4362  do_init_socket_2(c);
4363  }
4364 
4365  /*
4366  * Actually do UID/GID downgrade, and chroot, if requested.
4367  * May be delayed by --client, --pull, or --up-delay.
4368  */
4369  do_uid_gid_chroot(c, c->c2.did_open_tun);
4370 
4371  /* initialize timers */
4372  if (c->mode == CM_P2P || child)
4373  {
4374  do_init_timers(c, false);
4375  }
4376 
4377 #ifdef ENABLE_PLUGIN
4378  /* initialize plugins */
4379  if (c->mode == CM_P2P || c->mode == CM_TOP)
4380  {
4381  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4382  }
4383 #endif
4384 
4385 #if PORT_SHARE
4386  /* share OpenVPN port with foreign (such as HTTPS) server */
4387  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4388  {
4389  init_port_share(c);
4390  }
4391 #endif
4392 
4393 #ifdef ENABLE_PF
4394  if (child)
4395  {
4396  pf_init_context(c);
4397  }
4398 #endif
4399 
4400  /* Check for signals */
4401  if (IS_SIG(c))
4402  {
4403  goto sig;
4404  }
4405 
4406  return;
4407 
4408 sig:
4409  if (!c->sig->signal_text)
4410  {
4411  c->sig->signal_text = "init_instance";
4412  }
4413  close_context(c, -1, flags);
4414  return;
4415 }
4416 
4417 /*
4418  * Close a tunnel instance.
4419  */
4420 void
4421 close_instance(struct context *c)
4422 {
4423  /* close event objects */
4424  do_close_event_set(c);
4425 
4426  if (c->mode == CM_P2P
4427  || c->mode == CM_CHILD_TCP
4428  || c->mode == CM_CHILD_UDP
4429  || c->mode == CM_TOP)
4430  {
4431  /* if xinetd/inetd mode, don't allow restart */
4432  do_close_check_if_restart_permitted(c);
4433 
4434 #ifdef USE_COMP
4435  if (c->c2.comp_context)
4436  {
4437  comp_uninit(c->c2.comp_context);
4438  c->c2.comp_context = NULL;
4439  }
4440 #endif
4441 
4442  /* free buffers */
4443  do_close_free_buf(c);
4444 
4445  /* close TLS */
4446  do_close_tls(c);
4447 
4448  /* free key schedules */
4449  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4450 
4451  restore_ncp_options(c);
4452 
4453  /* close TCP/UDP connection */
4454  do_close_link_socket(c);
4455 
4456  /* close TUN/TAP device */
4457  do_close_tun(c, false);
4458 
4459 #ifdef MANAGEMENT_DEF_AUTH
4460  if (management)
4461  {
4462  management_notify_client_close(management, &c->c2.mda_context, NULL);
4463  }
4464 #endif
4465 
4466 #ifdef ENABLE_PF
4467  pf_destroy_context(&c->c2.pf);
4468 #endif
4469 
4470 #ifdef ENABLE_PLUGIN
4471  /* call plugin close functions and unload */
4472  do_close_plugins(c);
4473 #endif
4474 
4475  /* close packet-id persistence file */
4476  do_close_packet_id(c);
4477 
4478  /* close --status file */
4479  do_close_status_output(c);
4480 
4481 #ifdef ENABLE_FRAGMENT
4482  /* close fragmentation handler */
4483  do_close_fragment(c);
4484 #endif
4485 
4486  /* close --ifconfig-pool-persist obj */
4487  do_close_ifconfig_pool_persist(c);
4488 
4489  /* free up environmental variable store */
4490  do_env_set_destroy(c);
4491 
4492  /* close HTTP or SOCKS proxy */
4493  uninit_proxy(c);
4494 
4495  /* garbage collect */
4496  gc_free(&c->c2.gc);
4497  }
4498 }
4499 
4500 void
4501 inherit_context_child(struct context *dest,
4502  const struct context *src)
4503 {
4504  CLEAR(*dest);
4505 
4506  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4507  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4508 
4509  dest->gc = gc_new();
4510 
4511  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4512 
4513  /* c1 init */
4514  packet_id_persist_init(&dest->c1.pid_persist);
4515 
4516  dest->c1.ks.key_type = src->c1.ks.key_type;
4517  /* inherit SSL context */
4518  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4519  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4520  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4521  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4522  /* inherit pre-NCP ciphers */
4523  dest->c1.ciphername = src->c1.ciphername;
4524  dest->c1.authname = src->c1.authname;
4525  dest->c1.keysize = src->c1.keysize;
4526 
4527  /* inherit auth-token */
4528  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4529 
4530  /* options */
4531  dest->options = src->options;
4532  options_detach(&dest->options);
4533 
4534  if (dest->mode == CM_CHILD_TCP)
4535  {
4536  /*
4537  * The CM_TOP context does the socket listen(),
4538  * and the CM_CHILD_TCP context does the accept().
4539  */
4540  dest->c2.accept_from = src->c2.link_socket;
4541  }
4542 
4543 #ifdef ENABLE_PLUGIN
4544  /* inherit plugins */
4545  do_inherit_plugins(dest, src);
4546 #endif
4547 
4548  /* context init */
4549  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4550  if (IS_SIG(dest))
4551  {
4552  return;
4553  }
4554 
4555  /* inherit tun/tap interface object */
4556  dest->c1.tuntap = src->c1.tuntap;
4557 
4558  /* UDP inherits some extra things which TCP does not */
4559  if (dest->mode == CM_CHILD_UDP)
4560  {
4561  /* inherit buffers */
4562  dest->c2.buffers = src->c2.buffers;
4563 
4564  /* inherit parent link_socket and tuntap */
4565  dest->c2.link_socket = src->c2.link_socket;
4566 
4567  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4568  *dest->c2.link_socket_info = src->c2.link_socket->info;
4569 
4570  /* locally override some link_socket_info fields */
4571  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4572  dest->c2.link_socket_info->connection_established = false;
4573  }
4574 }
4575 
4576 void
4577 inherit_context_top(struct context *dest,
4578  const struct context *src)
4579 {
4580  /* copy parent */
4581  *dest = *src;
4582 
4583  /*
4584  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4585  * resources owned by the parent.
4586  *
4587  * Also note that CM_TOP_CLONE context objects are
4588  * closed by multi_top_free in multi.c.
4589  */
4590  dest->mode = CM_TOP_CLONE;
4591 
4592  dest->first_time = false;
4593  dest->c0 = NULL;
4594 
4595  options_detach(&dest->options);
4596  gc_detach(&dest->gc);
4597  gc_detach(&dest->c2.gc);
4598 
4599  /* detach plugins */
4600  dest->plugins_owned = false;
4601 
4602  dest->c2.tls_multi = NULL;
4603 
4604  /* detach c1 ownership */
4605  dest->c1.tuntap_owned = false;
4606  dest->c1.status_output_owned = false;
4607 #if P2MP_SERVER
4608  dest->c1.ifconfig_pool_persist_owned = false;
4609 #endif
4610 
4611  /* detach c2 ownership */
4612  dest->c2.event_set_owned = false;
4613  dest->c2.link_socket_owned = false;
4614  dest->c2.buffers_owned = false;
4615  dest->c2.es_owned = false;
4616 
4617  dest->c2.event_set = NULL;
4618  if (proto_is_dgram(src->options.ce.proto))
4619  {
4620  do_event_set_init(dest, false);
4621  }
4622 
4623 #ifdef USE_COMP
4624  dest->c2.comp_context = NULL;
4625 #endif
4626 }
4627 
4628 void
4629 close_context(struct context *c, int sig, unsigned int flags)
4630 {
4631  ASSERT(c);
4632  ASSERT(c->sig);
4633 
4634  if (sig >= 0)
4635  {
4636  c->sig->signal_received = sig;
4637  }
4638 
4639  if (c->sig->signal_received == SIGUSR1)
4640  {
4641  if ((flags & CC_USR1_TO_HUP)
4642  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4643  {
4644  c->sig->signal_received = SIGHUP;
4645  c->sig->signal_text = "close_context usr1 to hup";
4646  }
4647  }
4648 
4649  if (!(flags & CC_NO_CLOSE))
4650  {
4651  close_instance(c);
4652  }
4653 
4654  if (flags & CC_GC_FREE)
4655  {
4656  context_gc_free(c);
4657  }
4658 }
4659 
4660 /*
4661  * Do a loopback test
4662  * on the crypto subsystem.
4663  */
4664 static void *
4665 test_crypto_thread(void *arg)
4666 {
4667  struct context *c = (struct context *) arg;
4668  const struct options *options = &c->options;
4669 
4670  ASSERT(options->test_crypto);
4671  init_verb_mute(c, IVM_LEVEL_1);
4672  context_init_1(c);
4673  next_connection_entry(c);
4674  do_init_crypto_static(c, 0);
4675 
4676  frame_finalize_options(c, options);
4677 
4678  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4679 
4680  key_schedule_free(&c->c1.ks, true);
4681  packet_id_free(&c->c2.crypto_options.packet_id);
4682 
4683  context_gc_free(c);
4684  return NULL;
4685 }
4686 
4687 bool
4688 do_test_crypto(const struct options *o)
4689 {
4690  if (o->test_crypto)
4691  {
4692  struct context c;
4693 
4694  /* print version number */
4695  msg(M_INFO, "%s", title_string);
4696 
4697  context_clear(&c);
4698  c.options = *o;
4699  options_detach(&c.options);
4700  c.first_time = true;
4701  test_crypto_thread((void *) &c);
4702  return true;
4703  }
4704  return false;
4705 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:303
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:302
context_2::es
struct env_set * es
Definition: openvpn.h:429
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:184
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:210
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:458
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2516
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:338
management_close
void management_close(struct management *man)
Definition: manage.c:2636
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:436
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:247
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:426
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:292
options::sndbuf
int sndbuf
Definition: options.h:351
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:370
context_2::log_rw
bool log_rw
Definition: openvpn.h:389
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:496
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:270
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:319
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:392
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:558
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:695
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1483
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:252
tuntap
Definition: tun.h:145
options::ncp_enabled
bool ncp_enabled
Definition: options.h:511
options::management_flags
unsigned int management_flags
Definition: options.h:395
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1950
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:904
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2544
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:284
P2MP_SERVER
#define P2MP_SERVER
Definition: syshead.h:525
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:636
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:105
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:301
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1319
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:308
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:504
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:393
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:519
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1099
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5472
options::show_curves
bool show_curves
Definition: options.h:222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:633
options::cipher_list
const char * cipher_list
Definition: options.h:538
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
options::tls_server
bool tls_server
Definition: options.h:529
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1845
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1428
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:293
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:973
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3636
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2103
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:575
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1721
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:396
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1186
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:327
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:540
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:386
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:353
streq
#define streq(x, y)
Definition: options.h:660
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:435
options::chroot_dir
const char * chroot_dir
Definition: options.h:308
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:731
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3898
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3690
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2684
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:422
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:247
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:288
tls_options::mode
int mode
Definition: ssl_common.h:269
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2113
options::auth_token_generate
bool auth_token_generate
Definition: options.h:478
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
options::inetd
int inetd
Definition: options.h:325
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1323
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4295
tun_abort
void tun_abort(void)
Definition: init.c:2083
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:502
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:573
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3777
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2603
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:355
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:525
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1187
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3174
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:377
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, int inetd, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1856
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:689
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4629
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3422
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:507
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6379
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:183
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:641
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3972
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:341
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:327
close_instance
void close_instance(struct context *c)
Definition: init.c:4421
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2808
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:586
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:333
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:557
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1346
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:668
options::persist_key
bool persist_key
Definition: options.h:293
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:153
options::replay_window
int replay_window
Definition: options.h:520
options::persist_mode
int persist_mode
Definition: options.h:215
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:212
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:413
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:320
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3825
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:376
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:282
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1470
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:299
options::rcvbuf
int rcvbuf
Definition: options.h:350
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:305
options::crl_file_inline
const char * crl_file_inline
Definition: options.h:551
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:110
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:255
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:427
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:273
options::connection_list
struct connection_list * connection_list
Definition: options.h:231
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:296
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1342
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:196
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:181
options::exit_event_name
const char * exit_event_name
Definition: options.h:632
AR_NONE
#define AR_NONE
Definition: options.h:847
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:256
options::route_noexec
bool route_noexec
Definition: options.h:365
options::sockflags
unsigned int sockflags
Definition: options.h:357
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2472
options::auth_token_secret_file_inline
const char * auth_token_secret_file_inline
Definition: options.h:483
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:167
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:419
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3544
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:226
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:340
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:503
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:18
options::route_script
const char * route_script
Definition: options.h:360
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:388
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:299
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:482
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:164
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:141
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3049
options::config
const char * config
Definition: options.h:201
options::route_delay
int route_delay
Definition: options.h:366
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:529
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:315
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:361
tls_options::gremlin
int gremlin
Definition: ssl_common.h:369
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3850
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:372
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:971
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:263
options::down_pre
bool down_pre
Definition: options.h:317
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:276
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:690
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:155
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:323
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1410
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:565
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:532
options::push_peer_info
bool push_peer_info
Definition: options.h:621
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:670
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:151
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:587
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3710
PING_RESTART
#define PING_RESTART
Definition: options.h:287
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:2999
options::handshake_window
int handshake_window
Definition: options.h:591
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3887
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:129
tls_options
Definition: ssl_common.h:241
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:333
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:227
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:298
connection_entry::tls_auth_file_inline
const char * tls_auth_file_inline
Definition: options.h:136
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:243
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:340
options::verify_x509_type
int verify_x509_type
Definition: options.h:543
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:237
close_management
void close_management(void)
Definition: init.c:4055
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:480
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:304
options::prng_hash
const char * prng_hash
Definition: options.h:515
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:2066
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:282
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:257
options::fast_io
bool fast_io
Definition: options.h:343
options::key_direction
int key_direction
Definition: options.h:509
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:275
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:191
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1428
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:158
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:59
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:74
connection_entry::tls_crypt_v2_inline
const char * tls_crypt_v2_inline
Definition: options.h:146
init_static
bool init_static(void)
Definition: init.c:726
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:64
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:269
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:205
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:586
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:300
options::route_delay_defined
bool route_delay_defined
Definition: options.h:368
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:514
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:225
options::tls_exit
bool tls_exit
Definition: options.h:623
MF_SERVER
#define MF_SERVER
Definition: manage.h:332
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1006
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:272
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1016
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:779
connection_entry::key_direction
int key_direction
Definition: options.h:137
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:698
tls_options::x509_username_field
char * x509_username_field
Definition: ssl_common.h:291
options::route_nopull
bool route_nopull
Definition: options.h:372
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3656
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1204
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6488
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:66
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1180
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:545
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:362
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:512
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:447
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4083
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:322
VERIFY_X509_