OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 static bool do_deferred_p2p_ncp(struct context *c);
72 
73 void
74 context_clear(struct context *c)
75 {
76  CLEAR(*c);
77 }
78 
79 void
80 context_clear_1(struct context *c)
81 {
82  CLEAR(c->c1);
83 }
84 
85 void
86 context_clear_2(struct context *c)
87 {
88  CLEAR(c->c2);
89 }
90 
91 void
92 context_clear_all_except_first_time(struct context *c)
93 {
94  const bool first_time_save = c->first_time;
95  const struct context_persist cpsave = c->persist;
96  context_clear(c);
97  c->first_time = first_time_save;
98  c->persist = cpsave;
99 }
100 
101 /*
102  * Pass tunnel endpoint and MTU parms to a user-supplied script.
103  * Used to execute the up/down script/plugins.
104  */
105 static void
106 run_up_down(const char *command,
107  const struct plugin_list *plugins,
108  int plugin_type,
109  const char *arg,
110 #ifdef _WIN32
111  DWORD adapter_index,
112 #endif
113  const char *dev_type,
114  int tun_mtu,
115  int link_mtu,
116  const char *ifconfig_local,
117  const char *ifconfig_remote,
118  const char *context,
119  const char *signal_text,
120  const char *script_type,
121  struct env_set *es)
122 {
123  struct gc_arena gc = gc_new();
124 
125  if (signal_text)
126  {
127  setenv_str(es, "signal", signal_text);
128  }
129  setenv_str(es, "script_context", context);
130  setenv_int(es, "tun_mtu", tun_mtu);
131  setenv_int(es, "link_mtu", link_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d %d %s %s %s",
160  arg,
161  tun_mtu, link_mtu,
162  ifconfig_local, ifconfig_remote,
163  context);
164 
165  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
166  {
167  msg(M_FATAL, "ERROR: up/down plugin call failed");
168  }
169 
170  argv_free(&argv);
171  }
172 
173  if (command)
174  {
175  struct argv argv = argv_new();
176  ASSERT(arg);
177  setenv_str(es, "script_type", script_type);
178  argv_parse_cmd(&argv, command);
179  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
180  ifconfig_local, ifconfig_remote, context);
181  argv_msg(M_INFO, &argv);
182  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
183  argv_free(&argv);
184  }
185 
186  gc_free(&gc);
187 }
188 
189 /*
190  * Should be called after options->ce is modified at the top
191  * of a SIGUSR1 restart.
192  */
193 static void
194 update_options_ce_post(struct options *options)
195 {
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
206  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
207  options->ping_rec_timeout_action = PING_RESTART;
208  }
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
235  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
259 ce_management_query_proxy(struct context *c)
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
274  management_notify_generic(management, BSTR(&out));
275  management->persist.special_state_msg = BSTR(&out);
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
280  management_event_loop_n_seconds(management, 1);
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
287  management->persist.special_state_msg = NULL;
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
308 static bool
309 management_callback_send_cc_message(void *arg,
310  const char *command,
311  const char *parameters)
312 {
313  struct context *c = (struct context *) arg;
314  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
315  if (len > PUSH_BUNDLE_SIZE)
316  {
317  return false;
318  }
319 
320  struct gc_arena gc = gc_new();
321  struct buffer buf = alloc_buf_gc(len, &gc);
322  ASSERT(buf_printf(&buf, "%s", command));
323  if (parameters)
324  {
325  ASSERT(buf_printf(&buf, ",%s", parameters));
326  }
327  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
328 
329  gc_free(&gc);
330  return status;
331 }
332 
333 static bool
334 management_callback_remote_cmd(void *arg, const char **p)
335 {
336  struct context *c = (struct context *) arg;
337  struct connection_entry *ce = &c->options.ce;
338  int ret = false;
339  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
340  {
341  int flags = 0;
342  if (!strcmp(p[1], "ACCEPT"))
343  {
344  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
345  ret = true;
346  }
347  else if (!strcmp(p[1], "SKIP"))
348  {
349  flags = CE_MAN_QUERY_REMOTE_SKIP;
350  ret = true;
351  }
352  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
353  {
354  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
355  {
356  struct remote_host_store *rhs = c->options.rh_store;
357  if (!rhs)
358  {
359  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
360  c->options.rh_store = rhs;
361  }
362  strncpynt(rhs->host, p[2], RH_HOST_LEN);
363  strncpynt(rhs->port, p[3], RH_PORT_LEN);
364 
365  ce->remote = rhs->host;
366  ce->remote_port = rhs->port;
367  flags = CE_MAN_QUERY_REMOTE_MOD;
368  ret = true;
369  }
370  }
371  if (ret)
372  {
373  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
374  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
375  }
376  }
377  return ret;
378 }
379 
380 static bool
381 ce_management_query_remote(struct context *c)
382 {
383  struct gc_arena gc = gc_new();
384  volatile struct connection_entry *ce = &c->options.ce;
385  int ce_changed = true; /* presume the connection entry will be changed */
386 
387  update_time();
388  if (management)
389  {
390  struct buffer out = alloc_buf_gc(256, &gc);
391 
392  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
393  proto2ascii(ce->proto, ce->af, false));
394  management_notify_generic(management, BSTR(&out));
395  management->persist.special_state_msg = BSTR(&out);
396 
397  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
398  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
399  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
400  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
401  {
402  management_event_loop_n_seconds(management, 1);
403  if (IS_SIG(c))
404  {
405  ce_changed = false; /* connection entry have not been set */
406  break;
407  }
408  }
409  management->persist.special_state_msg = NULL;
410  }
411  gc_free(&gc);
412 
413  if (ce_changed)
414  {
415  /* If it is likely a connection entry was modified,
416  * check what changed in the flags and that it was not skipped
417  */
418  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
419  & CE_MAN_QUERY_REMOTE_MASK);
420  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
421  }
422  return ce_changed;
423 }
424 #endif /* ENABLE_MANAGEMENT */
425 
426 /*
427  * Initialize and possibly randomize connection list.
428  */
429 static void
430 init_connection_list(struct context *c)
431 {
432  struct connection_list *l = c->options.connection_list;
433 
434  l->current = -1;
435  if (c->options.remote_random)
436  {
437  int i;
438  for (i = 0; i < l->len; ++i)
439  {
440  const int j = get_random() % l->len;
441  if (i != j)
442  {
443  struct connection_entry *tmp;
444  tmp = l->array[i];
445  l->array[i] = l->array[j];
446  l->array[j] = tmp;
447  }
448  }
449  }
450 }
451 
452 /*
453  * Clear the remote address list
454  */
455 static void
456 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
457 {
458  if (lsa->remote_list && free)
459  {
460  freeaddrinfo(lsa->remote_list);
461  }
462  lsa->remote_list = NULL;
463  lsa->current_remote = NULL;
464 }
465 
466 /*
467  * Increment to next connection entry
468  */
469 static void
470 next_connection_entry(struct context *c)
471 {
472  struct connection_list *l = c->options.connection_list;
473  bool ce_defined;
474  struct connection_entry *ce;
475  int n_cycles = 0;
476 
477  do
478  {
479  ce_defined = true;
480  if (c->options.no_advance && l->current >= 0)
481  {
482  c->options.no_advance = false;
483  }
484  else
485  {
486  /* Check if there is another resolved address to try for
487  * the current connection */
488  if (c->c1.link_socket_addr.current_remote
489  && c->c1.link_socket_addr.current_remote->ai_next)
490  {
491  c->c1.link_socket_addr.current_remote =
492  c->c1.link_socket_addr.current_remote->ai_next;
493  }
494  else
495  {
496  /* FIXME (schwabe) fix the persist-remote-ip option for real,
497  * this is broken probably ever since connection lists and multiple
498  * remote existed
499  */
500  if (!c->options.persist_remote_ip)
501  {
502  /* Connection entry addrinfo objects might have been
503  * resolved earlier but the entry itself might have been
504  * skipped by management on the previous loop.
505  * If so, clear the addrinfo objects as close_instance does
506  */
507  if (c->c1.link_socket_addr.remote_list)
508  {
509  clear_remote_addrlist(&c->c1.link_socket_addr,
510  !c->options.resolve_in_advance);
511  }
512 
513  /* close_instance should have cleared the addrinfo objects */
514  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
515  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
516  }
517  else
518  {
519  c->c1.link_socket_addr.current_remote =
520  c->c1.link_socket_addr.remote_list;
521  }
522 
523  /*
524  * Increase the number of connection attempts
525  * If this is connect-retry-max * size(l)
526  * OpenVPN will quit
527  */
528 
529  c->options.unsuccessful_attempts++;
530 
531  if (++l->current >= l->len)
532  {
533 
534  l->current = 0;
535  if (++n_cycles >= 2)
536  {
537  msg(M_FATAL, "No usable connection profiles are present");
538  }
539  }
540  }
541  }
542 
543  ce = l->array[l->current];
544 
545  if (ce->flags & CE_DISABLED)
546  {
547  ce_defined = false;
548  }
549 
550  c->options.ce = *ce;
551 #ifdef ENABLE_MANAGEMENT
552  if (ce_defined && management && management_query_remote_enabled(management))
553  {
554  /* allow management interface to override connection entry details */
555  ce_defined = ce_management_query_remote(c);
556  if (IS_SIG(c))
557  {
558  break;
559  }
560  }
561  else if (ce_defined && management && management_query_proxy_enabled(management))
562  {
563  ce_defined = ce_management_query_proxy(c);
564  if (IS_SIG(c))
565  {
566  break;
567  }
568  }
569 #endif
570  } while (!ce_defined);
571 
572  /* Check if this connection attempt would bring us over the limit */
573  if (c->options.connect_retry_max > 0
574  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
575  {
576  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
577  c->options.connect_retry_max);
578  }
579  update_options_ce_post(&c->options);
580 }
581 
582 /*
583  * Query for private key and auth-user-pass username/passwords
584  */
585 void
586 init_query_passwords(const struct context *c)
587 {
588  /* Certificate password input */
589  if (c->options.key_pass_file)
590  {
591  pem_password_setup(c->options.key_pass_file);
592  }
593 
594  /* Auth user/pass input */
595  if (c->options.auth_user_pass_file)
596  {
597 #ifdef ENABLE_MANAGEMENT
598  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
599 #else
600  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
601 #endif
602  }
603 }
604 
605 /*
606  * Initialize/Uninitialize HTTP or SOCKS proxy
607  */
608 
609 static void
610 uninit_proxy_dowork(struct context *c)
611 {
612  if (c->c1.http_proxy_owned && c->c1.http_proxy)
613  {
614  http_proxy_close(c->c1.http_proxy);
615  c->c1.http_proxy = NULL;
616  c->c1.http_proxy_owned = false;
617  }
618  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
619  {
620  socks_proxy_close(c->c1.socks_proxy);
621  c->c1.socks_proxy = NULL;
622  c->c1.socks_proxy_owned = false;
623  }
624 }
625 
626 static void
627 init_proxy_dowork(struct context *c)
628 {
629  bool did_http = false;
630 
631  uninit_proxy_dowork(c);
632 
633  if (c->options.ce.http_proxy_options)
634  {
635  /* Possible HTTP proxy user/pass input */
636  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
637  if (c->c1.http_proxy)
638  {
639  did_http = true;
640  c->c1.http_proxy_owned = true;
641  }
642  }
643 
644  if (!did_http && c->options.ce.socks_proxy_server)
645  {
646  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
647  c->options.ce.socks_proxy_port,
648  c->options.ce.socks_proxy_authfile);
649  if (c->c1.socks_proxy)
650  {
651  c->c1.socks_proxy_owned = true;
652  }
653  }
654 }
655 
656 static void
657 init_proxy(struct context *c)
658 {
659  init_proxy_dowork(c);
660 }
661 
662 static void
663 uninit_proxy(struct context *c)
664 {
665  uninit_proxy_dowork(c);
666 }
667 
668 void
669 context_init_1(struct context *c)
670 {
671  context_clear_1(c);
672 
673  packet_id_persist_init(&c->c1.pid_persist);
674 
675  init_connection_list(c);
676 
677 #if defined(ENABLE_PKCS11)
678  if (c->first_time)
679  {
680  int i;
681  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
682  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
683  {
684  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
685  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
686  }
687  }
688 #endif
689 
690 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
691  {
692  /*
693  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
694  */
695  struct user_pass up;
696  CLEAR(up);
697  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
698  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
699  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
700  * 'needok' command, usually 'ok' or 'cancel'. */
701  }
702 #endif
703 
704 #ifdef ENABLE_SYSTEMD
705  /* We can report the PID via getpid() to systemd here as OpenVPN will not
706  * do any fork due to daemon() a future call.
707  * See possibly_become_daemon() [init.c] for more details.
708  */
709  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
710  (unsigned long) getpid());
711 #endif
712 
713 }
714 
715 void
716 context_gc_free(struct context *c)
717 {
718  gc_free(&c->c2.gc);
719  gc_free(&c->options.gc);
720  gc_free(&c->gc);
721 }
722 
723 #if PORT_SHARE
724 
725 static void
726 close_port_share(void)
727 {
728  if (port_share)
729  {
730  port_share_close(port_share);
731  port_share = NULL;
732  }
733 }
734 
735 static void
736 init_port_share(struct context *c)
737 {
738  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
739  {
740  port_share = port_share_open(c->options.port_share_host,
741  c->options.port_share_port,
742  MAX_RW_SIZE_LINK(&c->c2.frame),
743  c->options.port_share_journal_dir);
744  if (port_share == NULL)
745  {
746  msg(M_FATAL, "Fatal error: Port sharing failed");
747  }
748  }
749 }
750 
751 #endif /* if PORT_SHARE */
752 
753 
754 bool
755 init_static(void)
756 {
757  /* configure_path (); */
758 
759 #if defined(DMALLOC)
760  crypto_init_dmalloc();
761 #endif
762 
763 
764  /*
765  * Initialize random number seed. random() is only used
766  * when "weak" random numbers are acceptable.
767  * SSL library routines are always used when cryptographically
768  * strong random numbers are required.
769  */
770  struct timeval tv;
771  if (!gettimeofday(&tv, NULL))
772  {
773  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
774  srandom(seed);
775  }
776 
777  error_reset(); /* initialize error.c */
778  reset_check_status(); /* initialize status check code in socket.c */
779 
780 #ifdef _WIN32
781  init_win32();
782 #endif
783 
784 #ifdef OPENVPN_DEBUG_COMMAND_LINE
785  {
786  int i;
787  for (i = 0; i < argc; ++i)
788  {
789  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
790  }
791  }
792 #endif
793 
794  update_time();
795 
796  init_ssl_lib();
797 
798  /* init PRNG used for IV generation */
799  /* When forking, copy this to more places in the code to avoid fork
800  * random-state predictability */
801  prng_init(NULL, 0);
802 
803 #ifdef PID_TEST
804  packet_id_interactive_test(); /* test the sequence number code */
805  return false;
806 #endif
807 
808 #ifdef SCHEDULE_TEST
809  schedule_test();
810  return false;
811 #endif
812 
813 #ifdef LIST_TEST
814  list_test();
815  return false;
816 #endif
817 
818 #ifdef IFCONFIG_POOL_TEST
819  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
820  return false;
821 #endif
822 
823 #ifdef CHARACTER_CLASS_DEBUG
824  character_class_debug();
825  return false;
826 #endif
827 
828 #ifdef EXTRACT_X509_FIELD_TEST
829  extract_x509_field_test();
830  return false;
831 #endif
832 
833 #ifdef TIME_TEST
834  time_test();
835  return false;
836 #endif
837 
838 #ifdef TEST_GET_DEFAULT_GATEWAY
839  {
840  struct route_gateway_info rgi;
841  struct route_ipv6_gateway_info rgi6;
842  get_default_gateway(&rgi);
843  get_default_gateway_ipv6(&rgi6, NULL);
844  print_default_gateway(M_INFO, &rgi, &rgi6);
845  return false;
846  }
847 #endif
848 
849 #ifdef GEN_PATH_TEST
850  {
851  struct gc_arena gc = gc_new();
852  const char *fn = gen_path("foo",
853  "bar",
854  &gc);
855  printf("%s\n", fn);
856  gc_free(&gc);
857  }
858  return false;
859 #endif
860 
861 #ifdef STATUS_PRINTF_TEST
862  {
863  struct gc_arena gc = gc_new();
864  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
865  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
866  status_printf(so, "%s", "foo");
867  status_printf(so, "%s", "bar");
868  if (!status_close(so))
869  {
870  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
871  }
872  gc_free(&gc);
873  }
874  return false;
875 #endif
876 
877 #ifdef PRNG_TEST
878  {
879  struct gc_arena gc = gc_new();
880  uint8_t rndbuf[8];
881  int i;
882  prng_init("sha1", 16);
883  /*prng_init (NULL, 0);*/
884  const int factor = 1;
885  for (i = 0; i < factor * 8; ++i)
886  {
887 #if 1
888  prng_bytes(rndbuf, sizeof(rndbuf));
889 #else
890  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
891 #endif
892  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
893  }
894  gc_free(&gc);
895  prng_uninit();
896  return false;
897  }
898 #endif /* ifdef PRNG_TEST */
899 
900 #ifdef BUFFER_LIST_AGGREGATE_TEST
901  /* test buffer_list_aggregate function */
902  {
903  static const char *text[] = {
904  "It was a bright cold day in April, ",
905  "and the clocks were striking ",
906  "thirteen. ",
907  "Winston Smith, ",
908  "his chin nuzzled into his breast in an ",
909  "effort to escape the vile wind, ",
910  "slipped quickly through the glass doors ",
911  "of Victory Mansions, though not quickly ",
912  "enough to prevent a swirl of gritty dust from ",
913  "entering along with him."
914  };
915 
916  int iter, listcap;
917  for (listcap = 0; listcap < 12; ++listcap)
918  {
919  for (iter = 0; iter < 512; ++iter)
920  {
921  struct buffer_list *bl = buffer_list_new(listcap);
922  {
923  int i;
924  for (i = 0; i < SIZE(text); ++i)
925  {
926  buffer_list_push(bl, (unsigned char *)text[i]);
927  }
928  }
929  printf("[cap=%d i=%d] *************************\n", listcap, iter);
930  if (!(iter & 8))
931  {
932  buffer_list_aggregate(bl, iter/2);
933  }
934  if (!(iter & 16))
935  {
936  buffer_list_push(bl, (unsigned char *)"Even more text...");
937  }
938  buffer_list_aggregate(bl, iter);
939  if (!(iter & 1))
940  {
941  buffer_list_push(bl, (unsigned char *)"More text...");
942  }
943  {
944  struct buffer *buf;
945  while ((buf = buffer_list_peek(bl)))
946  {
947  int c;
948  printf("'");
949  while ((c = buf_read_u8(buf)) >= 0)
950  {
951  putchar(c);
952  }
953  printf("'\n");
954  buffer_list_advance(bl, 0);
955  }
956  }
957  buffer_list_free(bl);
958  }
959  }
960  return false;
961  }
962 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
963 
964 #ifdef MSTATS_TEST
965  {
966  int i;
967  mstats_open("/dev/shm/mstats.dat");
968  for (i = 0; i < 30; ++i)
969  {
970  mmap_stats->n_clients += 1;
971  mmap_stats->link_write_bytes += 8;
972  mmap_stats->link_read_bytes += 16;
973  sleep(1);
974  }
975  mstats_close();
976  return false;
977  }
978 #endif
979 
980  return true;
981 }
982 
983 void
984 uninit_static(void)
985 {
986  free_ssl_lib();
987 
988 #ifdef ENABLE_PKCS11
989  pkcs11_terminate();
990 #endif
991 
992 #if PORT_SHARE
993  close_port_share();
994 #endif
995 
996 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
997  show_tls_performance_stats();
998 #endif
999 }
1000 
1001 void
1002 init_verb_mute(struct context *c, unsigned int flags)
1003 {
1004  if (flags & IVM_LEVEL_1)
1005  {
1006  /* set verbosity and mute levels */
1007  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1008  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1009  set_mute_cutoff(c->options.mute);
1010  }
1011 
1012  /* special D_LOG_RW mode */
1013  if (flags & IVM_LEVEL_2)
1014  {
1015  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1016  }
1017 }
1018 
1019 /*
1020  * Possibly set --dev based on --dev-node.
1021  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1022  * set --dev to tun.
1023  */
1024 void
1025 init_options_dev(struct options *options)
1026 {
1027  if (!options->dev && options->dev_node)
1028  {
1029  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1030  options->dev = basename(dev_node);
1031  }
1032 }
1033 
1034 bool
1035 print_openssl_info(const struct options *options)
1036 {
1037  /*
1038  * OpenSSL info print mode?
1039  */
1040  if (options->show_ciphers || options->show_digests || options->show_engines
1041  || options->show_tls_ciphers || options->show_curves)
1042  {
1043  if (options->show_ciphers)
1044  {
1045  show_available_ciphers();
1046  }
1047  if (options->show_digests)
1048  {
1049  show_available_digests();
1050  }
1051  if (options->show_engines)
1052  {
1053  show_available_engines();
1054  }
1055  if (options->show_tls_ciphers)
1056  {
1057  show_available_tls_ciphers(options->cipher_list,
1058  options->cipher_list_tls13,
1059  options->tls_cert_profile);
1060  }
1061  if (options->show_curves)
1062  {
1063  show_available_curves();
1064  }
1065  return true;
1066  }
1067  return false;
1068 }
1069 
1070 /*
1071  * Static pre-shared key generation mode?
1072  */
1073 bool
1074 do_genkey(const struct options *options)
1075 {
1076  /* should we disable paging? */
1077  if (options->mlock && (options->genkey))
1078  {
1079  platform_mlockall(true);
1080  }
1081 
1082  /*
1083  * We do not want user to use --genkey with --secret. In the transistion
1084  * phase we for secret.
1085  */
1086  if (options->genkey && options->genkey_type != GENKEY_SECRET
1087  && options->shared_secret_file)
1088  {
1089  msg(M_USAGE, "Using --genkey type with --secret filename is "
1090  "not supported. Use --genkey type filename instead.");
1091  }
1092  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1093  {
1094  int nbits_written;
1095  const char *genkey_filename = options->genkey_filename;
1096  if (options->shared_secret_file && options->genkey_filename)
1097  {
1098  msg(M_USAGE, "You must provide a filename to either --genkey "
1099  "or --secret, not both");
1100  }
1101 
1102  /*
1103  * Copy filename from shared_secret_file to genkey_filename to support
1104  * the old --genkey --secret foo.file syntax.
1105  */
1106  if (options->shared_secret_file)
1107  {
1108  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1109  "DEPRECATED. Use --genkey secret filename instead.");
1110  genkey_filename = options->shared_secret_file;
1111  }
1112 
1113  nbits_written = write_key_file(2, genkey_filename);
1114  if (nbits_written < 0)
1115  {
1116  msg(M_FATAL, "Failed to write key file");
1117  }
1118 
1119  msg(D_GENKEY | M_NOPREFIX,
1120  "Randomly generated %d bit key written to %s", nbits_written,
1121  options->shared_secret_file);
1122  return true;
1123  }
1124  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1125  {
1126  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1127  return true;
1128  }
1129  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1130  {
1131  if (!options->tls_crypt_v2_file)
1132  {
1133  msg(M_USAGE,
1134  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1135  }
1136 
1137  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1138  options->genkey_extra_data, options->tls_crypt_v2_file,
1139  options->tls_crypt_v2_file_inline);
1140  return true;
1141  }
1142  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1143  {
1144  auth_token_write_server_key_file(options->genkey_filename);
1145  return true;
1146  }
1147  else
1148  {
1149  return false;
1150  }
1151 }
1152 
1153 /*
1154  * Persistent TUN/TAP device management mode?
1155  */
1156 bool
1157 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1158 {
1159  if (options->persist_config)
1160  {
1161  /* sanity check on options for --mktun or --rmtun */
1162  notnull(options->dev, "TUN/TAP device (--dev)");
1163  if (options->ce.remote || options->ifconfig_local
1164  || options->ifconfig_remote_netmask
1165  || options->shared_secret_file
1166  || options->tls_server || options->tls_client
1167  )
1168  {
1169  msg(M_FATAL|M_OPTERR,
1170  "options --mktun or --rmtun should only be used together with --dev");
1171  }
1172 #ifdef ENABLE_FEATURE_TUN_PERSIST
1173  tuncfg(options->dev, options->dev_type, options->dev_node,
1174  options->persist_mode,
1175  options->username, options->groupname, &options->tuntap_options,
1176  ctx);
1177  if (options->persist_mode && options->lladdr)
1178  {
1179  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1180  }
1181  return true;
1182 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1183  msg( M_FATAL|M_OPTERR,
1184  "options --mktun and --rmtun are not available on your operating "
1185  "system. Please check 'man tun' (or 'tap'), whether your system "
1186  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1187  "persistent tunnel interfaces.", options->dev );
1188 #endif
1189  }
1190  return false;
1191 }
1192 
1193 /*
1194  * Should we become a daemon?
1195  * Return true if we did it.
1196  */
1197 bool
1198 possibly_become_daemon(const struct options *options)
1199 {
1200  bool ret = false;
1201 
1202 #ifdef ENABLE_SYSTEMD
1203  /* return without forking if we are running from systemd */
1204  if (sd_notify(0, "READY=0") > 0)
1205  {
1206  return ret;
1207  }
1208 #endif
1209 
1210  if (options->daemon)
1211  {
1212  /* Don't chdir immediately, but the end of the init sequence, if needed */
1213 
1214 #if defined(__APPLE__) && defined(__clang__)
1215 #pragma clang diagnostic push
1216 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1217 #endif
1218  if (daemon(1, options->log) < 0)
1219  {
1220  msg(M_ERR, "daemon() failed or unsupported");
1221  }
1222 #if defined(__APPLE__) && defined(__clang__)
1223 #pragma clang diagnostic pop
1224 #endif
1225  restore_signal_state();
1226  if (options->log)
1227  {
1228  set_std_files_to_null(true);
1229  }
1230 
1231  ret = true;
1232  }
1233  return ret;
1234 }
1235 
1236 /*
1237  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1238  */
1239 static void
1240 do_uid_gid_chroot(struct context *c, bool no_delay)
1241 {
1242  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1243  struct context_0 *c0 = c->c0;
1244 
1245  if (c0 && !c0->uid_gid_chroot_set)
1246  {
1247  /* chroot if requested */
1248  if (c->options.chroot_dir)
1249  {
1250  if (no_delay)
1251  {
1252  platform_chroot(c->options.chroot_dir);
1253  }
1254  else if (c->first_time)
1255  {
1256  msg(M_INFO, "NOTE: chroot %s", why_not);
1257  }
1258  }
1259 
1260  /* set user and/or group if we want to setuid/setgid */
1261  if (c0->uid_gid_specified)
1262  {
1263  if (no_delay)
1264  {
1265  platform_group_set(&c0->platform_state_group);
1266  platform_user_set(&c0->platform_state_user);
1267  }
1268  else if (c->first_time)
1269  {
1270  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1271  }
1272  }
1273 
1274 #ifdef ENABLE_MEMSTATS
1275  if (c->first_time && c->options.memstats_fn)
1276  {
1277  mstats_open(c->options.memstats_fn);
1278  }
1279 #endif
1280 
1281 #ifdef ENABLE_SELINUX
1282  /* Apply a SELinux context in order to restrict what OpenVPN can do
1283  * to _only_ what it is supposed to do after initialization is complete
1284  * (basically just network I/O operations). Doing it after chroot
1285  * requires /proc to be mounted in the chroot (which is annoying indeed
1286  * but doing it before requires more complex SELinux policies.
1287  */
1288  if (c->options.selinux_context)
1289  {
1290  if (no_delay)
1291  {
1292  if (-1 == setcon(c->options.selinux_context))
1293  {
1294  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1295  }
1296  else
1297  {
1298  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1299  }
1300  }
1301  else if (c->first_time)
1302  {
1303  msg(M_INFO, "NOTE: setcon %s", why_not);
1304  }
1305  }
1306 #endif
1307 
1308  /* Privileges are going to be dropped by now (if requested), be sure
1309  * to prevent any future privilege dropping attempts from now on.
1310  */
1311  if (no_delay)
1312  {
1313  c0->uid_gid_chroot_set = true;
1314  }
1315  }
1316 }
1317 
1318 /*
1319  * Return common name in a way that is formatted for
1320  * prepending to msg() output.
1321  */
1322 const char *
1323 format_common_name(struct context *c, struct gc_arena *gc)
1324 {
1325  struct buffer out = alloc_buf_gc(256, gc);
1326  if (c->c2.tls_multi)
1327  {
1328  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1329  }
1330  return BSTR(&out);
1331 }
1332 
1333 void
1334 pre_setup(const struct options *options)
1335 {
1336 #ifdef _WIN32
1337  if (options->exit_event_name)
1338  {
1339  win32_signal_open(&win32_signal,
1340  WSO_FORCE_SERVICE,
1341  options->exit_event_name,
1342  options->exit_event_initial_state);
1343  }
1344  else
1345  {
1346  win32_signal_open(&win32_signal,
1347  WSO_FORCE_CONSOLE,
1348  NULL,
1349  false);
1350 
1351  /* put a title on the top window bar */
1352  if (win32_signal.mode == WSO_MODE_CONSOLE)
1353  {
1354  window_title_save(&window_title);
1355  window_title_generate(options->config);
1356  }
1357  }
1358 #endif /* ifdef _WIN32 */
1359 }
1360 
1361 void
1362 reset_coarse_timers(struct context *c)
1363 {
1364  c->c2.coarse_timer_wakeup = 0;
1365 }
1366 
1367 /*
1368  * Initialise the server poll timeout timer
1369  * This timer is used in the http/socks proxy setup so it needs to be setup
1370  * before
1371  */
1372 static void
1373 do_init_server_poll_timeout(struct context *c)
1374 {
1375  update_time();
1376  if (c->options.ce.connect_timeout)
1377  {
1378  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1379  }
1380 }
1381 
1382 /*
1383  * Initialize timers
1384  */
1385 static void
1386 do_init_timers(struct context *c, bool deferred)
1387 {
1388  update_time();
1389  reset_coarse_timers(c);
1390 
1391  /* initialize inactivity timeout */
1392  if (c->options.inactivity_timeout)
1393  {
1394  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1395  }
1396 
1397  /* initialize pings */
1398 
1399  if (c->options.ping_send_timeout)
1400  {
1401  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1402  }
1403 
1404  if (c->options.ping_rec_timeout)
1405  {
1406  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1407  }
1408 
1409  if (!deferred)
1410  {
1411  /* initialize connection establishment timer */
1412  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1413 
1414  /* initialize occ timers */
1415 
1416  if (c->options.occ
1417  && !TLS_MODE(c)
1418  && c->c2.options_string_local && c->c2.options_string_remote)
1419  {
1420  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1421  }
1422 
1423  if (c->options.mtu_test)
1424  {
1425  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1426  }
1427 
1428  /* initialize packet_id persistence timer */
1429  if (c->options.packet_id_file)
1430  {
1431  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1432  }
1433 
1434  /* initialize tmp_int optimization that limits the number of times we call
1435  * tls_multi_process in the main event loop */
1436  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1437  }
1438 }
1439 
1440 /*
1441  * Initialize traffic shaper.
1442  */
1443 static void
1444 do_init_traffic_shaper(struct context *c)
1445 {
1446  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1447  if (c->options.shaper)
1448  {
1449  shaper_init(&c->c2.shaper, c->options.shaper);
1450  shaper_msg(&c->c2.shaper);
1451  }
1452 }
1453 
1454 /*
1455  * Allocate route list structures for IPv4 and IPv6
1456  * (we do this for IPv4 even if no --route option has been seen, as other
1457  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1458  */
1459 static void
1460 do_alloc_route_list(struct context *c)
1461 {
1462  if (!c->c1.route_list)
1463  {
1464  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1465  }
1466  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1467  {
1468  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1469  }
1470 }
1471 
1472 
1473 /*
1474  * Initialize the route list, resolving any DNS names in route
1475  * options and saving routes in the environment.
1476  */
1477 static void
1478 do_init_route_list(const struct options *options,
1479  struct route_list *route_list,
1480  const struct link_socket_info *link_socket_info,
1481  struct env_set *es,
1482  openvpn_net_ctx_t *ctx)
1483 {
1484  const char *gw = NULL;
1485  int dev = dev_type_enum(options->dev, options->dev_type);
1486  int metric = 0;
1487 
1488  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1489  {
1490  gw = options->ifconfig_remote_netmask;
1491  }
1492  if (options->route_default_gateway)
1493  {
1494  gw = options->route_default_gateway;
1495  }
1496  if (options->route_default_metric)
1497  {
1498  metric = options->route_default_metric;
1499  }
1500 
1501  if (init_route_list(route_list,
1502  options->routes,
1503  gw,
1504  metric,
1505  link_socket_current_remote(link_socket_info),
1506  es,
1507  ctx))
1508  {
1509  /* copy routes to environment */
1510  setenv_routes(es, route_list);
1511  }
1512 }
1513 
1514 static void
1515 do_init_route_ipv6_list(const struct options *options,
1516  struct route_ipv6_list *route_ipv6_list,
1517  const struct link_socket_info *link_socket_info,
1518  struct env_set *es,
1519  openvpn_net_ctx_t *ctx)
1520 {
1521  const char *gw = NULL;
1522  int metric = -1; /* no metric set */
1523 
1524  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1525  if (options->route_ipv6_default_gateway)
1526  {
1527  gw = options->route_ipv6_default_gateway;
1528  }
1529 
1530  if (options->route_default_metric)
1531  {
1532  metric = options->route_default_metric;
1533  }
1534 
1535  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1536  */
1537  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1538  {
1539  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1540  int i;
1541 
1542  for (i = 0; opt_list[i]; i++)
1543  {
1544  add_route_ipv6_to_option_list( options->routes_ipv6,
1545  string_alloc(opt_list[i], options->routes_ipv6->gc),
1546  NULL, NULL );
1547  }
1548  }
1549 
1550  if (init_route_ipv6_list(route_ipv6_list,
1551  options->routes_ipv6,
1552  gw,
1553  metric,
1554  link_socket_current_remote_ipv6(link_socket_info),
1555  es,
1556  ctx))
1557  {
1558  /* copy routes to environment */
1559  setenv_routes_ipv6(es, route_ipv6_list);
1560  }
1561 }
1562 
1563 
1564 /*
1565  * Called after all initialization has been completed.
1566  */
1567 void
1568 initialization_sequence_completed(struct context *c, const unsigned int flags)
1569 {
1570  static const char message[] = "Initialization Sequence Completed";
1571 
1572  /* Reset the unsuccessful connection counter on complete initialisation */
1573  c->options.unsuccessful_attempts = 0;
1574 
1575  /* If we delayed UID/GID downgrade or chroot, do it now */
1576  do_uid_gid_chroot(c, true);
1577 
1578 
1579  /*
1580  * In some cases (i.e. when receiving auth-token via
1581  * push-reply) the auth-nocache option configured on the
1582  * client is overridden; for this reason we have to wait
1583  * for the push-reply message before attempting to wipe
1584  * the user/pass entered by the user
1585  */
1586  if (c->options.mode == MODE_POINT_TO_POINT)
1587  {
1588  ssl_clean_user_pass();
1589  }
1590 
1591  /* Test if errors */
1592  if (flags & ISC_ERRORS)
1593  {
1594 #ifdef _WIN32
1595  show_routes(M_INFO|M_NOPREFIX);
1596  show_adapters(M_INFO|M_NOPREFIX);
1597  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1598 #else
1599 #ifdef ENABLE_SYSTEMD
1600  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1601 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1602  msg(M_INFO, "%s With Errors", message);
1603 #endif
1604  }
1605  else
1606  {
1607 #ifdef ENABLE_SYSTEMD
1608  sd_notifyf(0, "STATUS=%s", message);
1609 #endif
1610  msg(M_INFO, "%s", message);
1611  }
1612 
1613  /* Flag that we initialized */
1614  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1615  {
1616  c->options.no_advance = true;
1617  }
1618 
1619 #ifdef _WIN32
1620  fork_register_dns_action(c->c1.tuntap);
1621 #endif
1622 
1623 #ifdef ENABLE_MANAGEMENT
1624  /* Tell management interface that we initialized */
1625  if (management)
1626  {
1627  in_addr_t *tun_local = NULL;
1628  struct in6_addr *tun_local6 = NULL;
1629  struct openvpn_sockaddr local, remote;
1630  struct link_socket_actual *actual;
1631  socklen_t sa_len = sizeof(local);
1632  const char *detail = "SUCCESS";
1633  if (flags & ISC_ERRORS)
1634  {
1635  detail = "ERROR";
1636  }
1637 
1638  CLEAR(local);
1639  actual = &get_link_socket_info(c)->lsa->actual;
1640  remote = actual->dest;
1641  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1642 #if ENABLE_IP_PKTINFO
1643  if (!addr_defined(&local))
1644  {
1645  switch (local.addr.sa.sa_family)
1646  {
1647  case AF_INET:
1648 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1649  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1650 #else
1651  local.addr.in4.sin_addr = actual->pi.in4;
1652 #endif
1653  break;
1654 
1655  case AF_INET6:
1656  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1657  break;
1658  }
1659  }
1660 #endif
1661 
1662  if (c->c1.tuntap)
1663  {
1664  tun_local = &c->c1.tuntap->local;
1665  tun_local6 = &c->c1.tuntap->local_ipv6;
1666  }
1667  management_set_state(management,
1668  OPENVPN_STATE_CONNECTED,
1669  detail,
1670  tun_local,
1671  tun_local6,
1672  &local,
1673  &remote);
1674  if (tun_local)
1675  {
1676  management_post_tunnel_open(management, *tun_local);
1677  }
1678  }
1679 #endif /* ifdef ENABLE_MANAGEMENT */
1680 }
1681 
1682 /*
1683  * Possibly add routes and/or call route-up script
1684  * based on options.
1685  */
1686 void
1687 do_route(const struct options *options,
1688  struct route_list *route_list,
1689  struct route_ipv6_list *route_ipv6_list,
1690  const struct tuntap *tt,
1691  const struct plugin_list *plugins,
1692  struct env_set *es,
1693  openvpn_net_ctx_t *ctx)
1694 {
1695  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1696  {
1697  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1698  es, ctx);
1699  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1700  }
1701 #ifdef ENABLE_MANAGEMENT
1702  if (management)
1703  {
1704  management_up_down(management, "UP", es);
1705  }
1706 #endif
1707 
1708  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1709  {
1710  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1711  {
1712  msg(M_WARN, "WARNING: route-up plugin call failed");
1713  }
1714  }
1715 
1716  if (options->route_script)
1717  {
1718  struct argv argv = argv_new();
1719  setenv_str(es, "script_type", "route-up");
1720  argv_parse_cmd(&argv, options->route_script);
1721  openvpn_run_script(&argv, es, 0, "--route-up");
1722  argv_free(&argv);
1723  }
1724 
1725 #ifdef _WIN32
1726  if (options->show_net_up)
1727  {
1728  show_routes(M_INFO|M_NOPREFIX);
1729  show_adapters(M_INFO|M_NOPREFIX);
1730  }
1731  else if (check_debug_level(D_SHOW_NET))
1732  {
1733  show_routes(D_SHOW_NET|M_NOPREFIX);
1734  show_adapters(D_SHOW_NET|M_NOPREFIX);
1735  }
1736 #endif
1737 }
1738 
1739 /*
1740  * initialize tun/tap device object
1741  */
1742 static void
1743 do_init_tun(struct context *c)
1744 {
1745  c->c1.tuntap = init_tun(c->options.dev,
1746  c->options.dev_type,
1747  c->options.topology,
1748  c->options.ifconfig_local,
1749  c->options.ifconfig_remote_netmask,
1750  c->options.ifconfig_ipv6_local,
1751  c->options.ifconfig_ipv6_netbits,
1752  c->options.ifconfig_ipv6_remote,
1753  c->c1.link_socket_addr.bind_local,
1754  c->c1.link_socket_addr.remote_list,
1755  !c->options.ifconfig_nowarn,
1756  c->c2.es,
1757  &c->net_ctx);
1758 
1759 #ifdef _WIN32
1760  c->c1.tuntap->windows_driver = c->options.windows_driver;
1761 #endif
1762 
1763  init_tun_post(c->c1.tuntap,
1764  &c->c2.frame,
1765  &c->options.tuntap_options);
1766 
1767  c->c1.tuntap_owned = true;
1768 }
1769 
1770 /*
1771  * Open tun/tap device, ifconfig, call up script, etc.
1772  */
1773 
1774 static bool
1775 do_open_tun(struct context *c)
1776 {
1777  struct gc_arena gc = gc_new();
1778  bool ret = false;
1779 
1780 #ifndef TARGET_ANDROID
1781  if (!c->c1.tuntap)
1782  {
1783 #endif
1784 
1785 #ifdef TARGET_ANDROID
1786  /* If we emulate persist-tun on android we still have to open a new tun and
1787  * then close the old */
1788  int oldtunfd = -1;
1789  if (c->c1.tuntap)
1790  {
1791  oldtunfd = c->c1.tuntap->fd;
1792  free(c->c1.tuntap);
1793  c->c1.tuntap = NULL;
1794  c->c1.tuntap_owned = false;
1795  }
1796 #endif
1797 
1798  /* initialize (but do not open) tun/tap object */
1799  do_init_tun(c);
1800 
1801 #ifdef _WIN32
1802  /* store (hide) interactive service handle in tuntap_options */
1803  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1804  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1805 #endif
1806 
1807  /* allocate route list structure */
1808  do_alloc_route_list(c);
1809 
1810  /* parse and resolve the route option list */
1811  ASSERT(c->c2.link_socket);
1812  if (c->options.routes && c->c1.route_list)
1813  {
1814  do_init_route_list(&c->options, c->c1.route_list,
1815  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1816  }
1817  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1818  {
1819  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1820  &c->c2.link_socket->info, c->c2.es,
1821  &c->net_ctx);
1822  }
1823 
1824  /* do ifconfig */
1825  if (!c->options.ifconfig_noexec
1826  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1827  {
1828  /* guess actual tun/tap unit number that will be returned
1829  * by open_tun */
1830  const char *guess = guess_tuntap_dev(c->options.dev,
1831  c->options.dev_type,
1832  c->options.dev_node,
1833  &gc);
1834  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1835  &c->net_ctx);
1836  }
1837 
1838  /* possibly add routes */
1839  if (route_order() == ROUTE_BEFORE_TUN)
1840  {
1841  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1842  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1843  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1844  }
1845 #ifdef TARGET_ANDROID
1846  /* Store the old fd inside the fd so open_tun can use it */
1847  c->c1.tuntap->fd = oldtunfd;
1848 #endif
1849  /* open the tun device */
1850  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1851  c->c1.tuntap);
1852 
1853  /* set the hardware address */
1854  if (c->options.lladdr)
1855  {
1856  set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr,
1857  c->c2.es);
1858  }
1859 
1860  /* do ifconfig */
1861  if (!c->options.ifconfig_noexec
1862  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1863  {
1864  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1865  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1866  }
1867 
1868  /* run the up script */
1869  run_up_down(c->options.up_script,
1870  c->plugins,
1871  OPENVPN_PLUGIN_UP,
1872  c->c1.tuntap->actual_name,
1873 #ifdef _WIN32
1874  c->c1.tuntap->adapter_index,
1875 #endif
1876  dev_type_string(c->options.dev, c->options.dev_type),
1877  TUN_MTU_SIZE(&c->c2.frame),
1878  EXPANDED_SIZE(&c->c2.frame),
1879  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1880  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1881  "init",
1882  NULL,
1883  "up",
1884  c->c2.es);
1885 
1886 #if defined(_WIN32)
1887  if (c->options.block_outside_dns)
1888  {
1889  dmsg(D_LOW, "Blocking outside DNS");
1890  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1891  {
1892  msg(M_FATAL, "Blocking DNS failed!");
1893  }
1894  }
1895 #endif
1896 
1897  /* possibly add routes */
1898  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1899  {
1900  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1901  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1902  }
1903 
1904  /*
1905  * Did tun/tap driver give us an MTU?
1906  */
1907  if (c->c1.tuntap->post_open_mtu)
1908  {
1909  frame_set_mtu_dynamic(&c->c2.frame,
1910  c->c1.tuntap->post_open_mtu,
1911  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1912  }
1913 
1914  ret = true;
1915  static_context = c;
1916 #ifndef TARGET_ANDROID
1917 }
1918 else
1919 {
1920  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1921  c->c1.tuntap->actual_name);
1922 
1923  /* explicitly set the ifconfig_* env vars */
1924  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1925 
1926  /* run the up script if user specified --up-restart */
1927  if (c->options.up_restart)
1928  {
1929  run_up_down(c->options.up_script,
1930  c->plugins,
1931  OPENVPN_PLUGIN_UP,
1932  c->c1.tuntap->actual_name,
1933 #ifdef _WIN32
1934  c->c1.tuntap->adapter_index,
1935 #endif
1936  dev_type_string(c->options.dev, c->options.dev_type),
1937  TUN_MTU_SIZE(&c->c2.frame),
1938  EXPANDED_SIZE(&c->c2.frame),
1939  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1940  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1941  "restart",
1942  NULL,
1943  "up",
1944  c->c2.es);
1945  }
1946 #if defined(_WIN32)
1947  if (c->options.block_outside_dns)
1948  {
1949  dmsg(D_LOW, "Blocking outside DNS");
1950  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1951  {
1952  msg(M_FATAL, "Blocking DNS failed!");
1953  }
1954  }
1955 #endif
1956 
1957 }
1958 #endif /* ifndef TARGET_ANDROID */
1959  gc_free(&gc);
1960  return ret;
1961 }
1962 
1963 /*
1964  * Close TUN/TAP device
1965  */
1966 
1967 static void
1968 do_close_tun_simple(struct context *c)
1969 {
1970  msg(D_CLOSE, "Closing TUN/TAP interface");
1971  if (c->c1.tuntap)
1972  {
1973  close_tun(c->c1.tuntap, &c->net_ctx);
1974  c->c1.tuntap = NULL;
1975  }
1976  c->c1.tuntap_owned = false;
1977  CLEAR(c->c1.pulled_options_digest_save);
1978 }
1979 
1980 static void
1981 do_close_tun(struct context *c, bool force)
1982 {
1983  struct gc_arena gc = gc_new();
1984  if (c->c1.tuntap && c->c1.tuntap_owned)
1985  {
1986  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1987 #ifdef _WIN32
1988  DWORD adapter_index = c->c1.tuntap->adapter_index;
1989 #endif
1990  const in_addr_t local = c->c1.tuntap->local;
1991  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1992 
1993  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1994  {
1995  static_context = NULL;
1996 
1997 #ifdef ENABLE_MANAGEMENT
1998  /* tell management layer we are about to close the TUN/TAP device */
1999  if (management)
2000  {
2001  management_pre_tunnel_close(management);
2002  management_up_down(management, "DOWN", c->c2.es);
2003  }
2004 #endif
2005 
2006  /* delete any routes we added */
2007  if (c->c1.route_list || c->c1.route_ipv6_list)
2008  {
2009  run_up_down(c->options.route_predown_script,
2010  c->plugins,
2011  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2012  tuntap_actual,
2013 #ifdef _WIN32
2014  adapter_index,
2015 #endif
2016  NULL,
2017  TUN_MTU_SIZE(&c->c2.frame),
2018  EXPANDED_SIZE(&c->c2.frame),
2019  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2020  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2021  "init",
2022  signal_description(c->sig->signal_received,
2023  c->sig->signal_text),
2024  "route-pre-down",
2025  c->c2.es);
2026 
2027  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2028  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2029  c->c2.es, &c->net_ctx);
2030  }
2031 
2032  /* actually close tun/tap device based on --down-pre flag */
2033  if (!c->options.down_pre)
2034  {
2035  do_close_tun_simple(c);
2036  }
2037 
2038  /* Run the down script -- note that it will run at reduced
2039  * privilege if, for example, "--user nobody" was used. */
2040  run_up_down(c->options.down_script,
2041  c->plugins,
2042  OPENVPN_PLUGIN_DOWN,
2043  tuntap_actual,
2044 #ifdef _WIN32
2045  adapter_index,
2046 #endif
2047  NULL,
2048  TUN_MTU_SIZE(&c->c2.frame),
2049  EXPANDED_SIZE(&c->c2.frame),
2050  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2051  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2052  "init",
2053  signal_description(c->sig->signal_received,
2054  c->sig->signal_text),
2055  "down",
2056  c->c2.es);
2057 
2058 #if defined(_WIN32)
2059  if (c->options.block_outside_dns)
2060  {
2061  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2062  {
2063  msg(M_FATAL, "Uninitialising WFP failed!");
2064  }
2065  }
2066 #endif
2067 
2068  /* actually close tun/tap device based on --down-pre flag */
2069  if (c->options.down_pre)
2070  {
2071  do_close_tun_simple(c);
2072  }
2073  }
2074  else
2075  {
2076  /* run the down script on this restart if --up-restart was specified */
2077  if (c->options.up_restart)
2078  {
2079  run_up_down(c->options.down_script,
2080  c->plugins,
2081  OPENVPN_PLUGIN_DOWN,
2082  tuntap_actual,
2083 #ifdef _WIN32
2084  adapter_index,
2085 #endif
2086  NULL,
2087  TUN_MTU_SIZE(&c->c2.frame),
2088  EXPANDED_SIZE(&c->c2.frame),
2089  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2090  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2091  "restart",
2092  signal_description(c->sig->signal_received,
2093  c->sig->signal_text),
2094  "down",
2095  c->c2.es);
2096  }
2097 
2098 #if defined(_WIN32)
2099  if (c->options.block_outside_dns)
2100  {
2101  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2102  {
2103  msg(M_FATAL, "Uninitialising WFP failed!");
2104  }
2105  }
2106 #endif
2107 
2108  }
2109  }
2110  gc_free(&gc);
2111 }
2112 
2113 void
2114 tun_abort(void)
2115 {
2116  struct context *c = static_context;
2117  if (c)
2118  {
2119  static_context = NULL;
2120  do_close_tun(c, true);
2121  }
2122 }
2123 
2124 /*
2125  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2126  */
2127 
2132 static bool
2133 options_hash_changed_or_zero(const struct sha256_digest *a,
2134  const struct sha256_digest *b)
2135 {
2136  const struct sha256_digest zero = {{0}};
2137  return memcmp(a, b, sizeof(struct sha256_digest))
2138  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2139 }
2140 
2141 bool
2142 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2143 {
2144  if (!c->c2.do_up_ran)
2145  {
2146  reset_coarse_timers(c);
2147 
2148  if (pulled_options)
2149  {
2150  if (!do_deferred_options(c, option_types_found))
2151  {
2152  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2153  return false;
2154  }
2155  }
2156  else if (c->mode == MODE_POINT_TO_POINT)
2157  {
2158  if (!do_deferred_p2p_ncp(c))
2159  {
2160  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2161  return false;
2162  }
2163  }
2164 
2165  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2166  if (c->options.up_delay || PULL_DEFINED(&c->options))
2167  {
2168  c->c2.did_open_tun = do_open_tun(c);
2169  update_time();
2170 
2171  /*
2172  * Was tun interface object persisted from previous restart iteration,
2173  * and if so did pulled options string change from previous iteration?
2174  */
2175  if (!c->c2.did_open_tun
2176  && PULL_DEFINED(&c->options)
2177  && c->c1.tuntap
2178  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2179  &c->c2.pulled_options_digest))
2180  {
2181  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2182  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2183  do_close_tun(c, true);
2184  management_sleep(1);
2185  c->c2.did_open_tun = do_open_tun(c);
2186  update_time();
2187  }
2188  }
2189 
2190  if (c->c2.did_open_tun)
2191  {
2192  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2193 
2194  /* if --route-delay was specified, start timer */
2195  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2196  {
2197  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2198  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2199  if (c->c1.tuntap)
2200  {
2201  tun_standby_init(c->c1.tuntap);
2202  }
2203  }
2204  else
2205  {
2206  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2207  }
2208  }
2209  else if (c->options.mode == MODE_POINT_TO_POINT)
2210  {
2211  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2212  }
2213 
2214  c->c2.do_up_ran = true;
2215  if (c->c2.tls_multi)
2216  {
2217  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2218  }
2219  }
2220  return true;
2221 }
2222 
2223 /*
2224  * These are the option categories which will be accepted by pull.
2225  */
2226 unsigned int
2227 pull_permission_mask(const struct context *c)
2228 {
2229  unsigned int flags =
2230  OPT_P_UP
2231  | OPT_P_ROUTE_EXTRAS
2232  | OPT_P_SOCKBUF
2233  | OPT_P_SOCKFLAGS
2234  | OPT_P_SETENV
2235  | OPT_P_SHAPER
2236  | OPT_P_TIMER
2237  | OPT_P_COMP
2238  | OPT_P_PERSIST
2239  | OPT_P_MESSAGES
2240  | OPT_P_EXPLICIT_NOTIFY
2241  | OPT_P_ECHO
2242  | OPT_P_PULL_MODE
2243  | OPT_P_PEER_ID
2244  | OPT_P_NCP;
2245 
2246  if (!c->options.route_nopull)
2247  {
2248  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2249  }
2250 
2251  return flags;
2252 }
2253 
2254 static
2255 void adjust_mtu_peerid(struct context *c)
2256 {
2257  frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */
2258  if (!c->options.ce.link_mtu_defined)
2259  {
2260  frame_add_to_link_mtu(&c->c2.frame, 3);
2261  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2262  EXPANDED_SIZE(&c->c2.frame));
2263  }
2264  else
2265  {
2266  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2267  " fixed by config - reducing tun-mtu to %d, expect"
2268  " MTU problems", TUN_MTU_SIZE(&c->c2.frame));
2269  }
2270 }
2271 
2272 static bool
2273 do_deferred_p2p_ncp(struct context *c)
2274 {
2275  if (!c->c2.tls_multi)
2276  {
2277  return true;
2278  }
2279 
2280  if (c->c2.tls_multi->use_peer_id)
2281  {
2282  adjust_mtu_peerid(c);
2283  }
2284 
2285  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2286 
2287  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2288  &c->options.gc);
2289 
2290  if (ncp_cipher)
2291  {
2292  c->options.ciphername = ncp_cipher;
2293  }
2294  else if (!c->options.enable_ncp_fallback)
2295  {
2296  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2297  "--data-ciphers-fallback not enabled. No usable "
2298  "data channel cipher");
2299  return false;
2300  }
2301 
2302  struct frame *frame_fragment = NULL;
2303 #ifdef ENABLE_FRAGMENT
2304  if (c->options.ce.fragment)
2305  {
2306  frame_fragment = &c->c2.frame_fragment;
2307  }
2308 #endif
2309 
2310  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2311  frame_fragment))
2312  {
2313  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2314  return false;
2315  }
2316  return true;
2317 }
2318 
2319 /*
2320  * Handle non-tun-related pulled options.
2321  */
2322 bool
2323 do_deferred_options(struct context *c, const unsigned int found)
2324 {
2325  if (found & OPT_P_MESSAGES)
2326  {
2327  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2328  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2329  }
2330  if (found & OPT_P_TIMER)
2331  {
2332  do_init_timers(c, true);
2333  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2334  }
2335 
2336  if (found & OPT_P_EXPLICIT_NOTIFY)
2337  {
2338  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2339  {
2340  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2341  c->options.ce.explicit_exit_notification = 0;
2342  }
2343  else
2344  {
2345  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2346  }
2347  }
2348 
2349 #ifdef USE_COMP
2350  if (found & OPT_P_COMP)
2351  {
2352  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2353  comp_uninit(c->c2.comp_context);
2354  c->c2.comp_context = comp_init(&c->options.comp);
2355  }
2356 #endif
2357 
2358  if (found & OPT_P_SHAPER)
2359  {
2360  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2361  do_init_traffic_shaper(c);
2362  }
2363 
2364  if (found & OPT_P_SOCKBUF)
2365  {
2366  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2367  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2368  }
2369 
2370  if (found & OPT_P_SOCKFLAGS)
2371  {
2372  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2373  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2374  }
2375 
2376  if (found & OPT_P_PERSIST)
2377  {
2378  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2379  }
2380  if (found & OPT_P_UP)
2381  {
2382  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2383  }
2384  if (found & OPT_P_ROUTE)
2385  {
2386  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2387  }
2388  if (found & OPT_P_ROUTE_EXTRAS)
2389  {
2390  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2391  }
2392  if (found & OPT_P_IPWIN32)
2393  {
2394  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2395  }
2396  if (found & OPT_P_SETENV)
2397  {
2398  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2399  }
2400 
2401  if (found & OPT_P_PEER_ID)
2402  {
2403  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2404  c->c2.tls_multi->use_peer_id = true;
2405  c->c2.tls_multi->peer_id = c->options.peer_id;
2406  adjust_mtu_peerid(c);
2407  }
2408 
2409  /* process (potentially pushed) crypto options */
2410  if (c->options.pull)
2411  {
2412  if (!check_pull_client_ncp(c, found))
2413  {
2414  return false;
2415  }
2416  struct frame *frame_fragment = NULL;
2417 #ifdef ENABLE_FRAGMENT
2418  if (c->options.ce.fragment)
2419  {
2420  frame_fragment = &c->c2.frame_fragment;
2421  }
2422 #endif
2423 
2424  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2425  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2426  frame_fragment))
2427  {
2428  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2429  return false;
2430  }
2431  }
2432 
2433  return true;
2434 }
2435 
2436 /*
2437  * Possible hold on initialization, holdtime is the
2438  * time OpenVPN would wait without management
2439  */
2440 static bool
2441 do_hold(int holdtime)
2442 {
2443 #ifdef ENABLE_MANAGEMENT
2444  if (management)
2445  {
2446  /* block until management hold is released */
2447  if (management_hold(management, holdtime))
2448  {
2449  return true;
2450  }
2451  }
2452 #endif
2453  return false;
2454 }
2455 
2456 /*
2457  * Sleep before restart.
2458  */
2459 static void
2460 socket_restart_pause(struct context *c)
2461 {
2462  int sec = 2;
2463  int backoff = 0;
2464 
2465  switch (c->options.ce.proto)
2466  {
2467  case PROTO_TCP_SERVER:
2468  sec = 1;
2469  break;
2470 
2471  case PROTO_UDP:
2472  case PROTO_TCP_CLIENT:
2473  sec = c->options.ce.connect_retry_seconds;
2474  break;
2475  }
2476 
2477 #ifdef ENABLE_DEBUG
2478  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2479  {
2480  sec = 0;
2481  }
2482 #endif
2483 
2484  if (auth_retry_get() == AR_NOINTERACT)
2485  {
2486  sec = 10;
2487  }
2488 
2489  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2490  if (c->options.ce.proto == PROTO_TCP_CLIENT
2491  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2492  {
2493  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2494  if (backoff > 0)
2495  {
2496  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2497  sec = max_int(sec, 1) << min_int(backoff, 15);
2498  }
2499 
2500  if (sec > c->options.ce.connect_retry_seconds_max)
2501  {
2502  sec = c->options.ce.connect_retry_seconds_max;
2503  }
2504  }
2505 
2506  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2507  {
2508  sec = c->persist.restart_sleep_seconds;
2509  }
2510  else if (c->persist.restart_sleep_seconds == -1)
2511  {
2512  sec = 0;
2513  }
2514  c->persist.restart_sleep_seconds = 0;
2515 
2516  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2517  if (do_hold(sec))
2518  {
2519  sec = 0;
2520  }
2521 
2522  if (sec)
2523  {
2524  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2525  management_sleep(sec);
2526  }
2527 }
2528 
2529 /*
2530  * Do a possible pause on context_2 initialization.
2531  */
2532 static void
2533 do_startup_pause(struct context *c)
2534 {
2535  if (!c->first_time)
2536  {
2537  socket_restart_pause(c);
2538  }
2539  else
2540  {
2541  do_hold(0); /* do management hold on first context initialization */
2542  }
2543 }
2544 
2545 /*
2546  * Finalize MTU parameters based on command line or config file options.
2547  */
2548 static void
2549 frame_finalize_options(struct context *c, const struct options *o)
2550 {
2551  if (!o)
2552  {
2553  o = &c->options;
2554  }
2555 
2556  /*
2557  * Set adjustment factor for buffer alignment when no
2558  * cipher is used.
2559  */
2560  if (!CIPHER_ENABLED(c))
2561  {
2562  frame_align_to_extra_frame(&c->c2.frame);
2563  frame_or_align_flags(&c->c2.frame,
2564  FRAME_HEADROOM_MARKER_FRAGMENT
2565  |FRAME_HEADROOM_MARKER_READ_LINK
2566  |FRAME_HEADROOM_MARKER_READ_STREAM);
2567  }
2568 
2569  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2570  frame_finalize(&c->c2.frame,
2571  o->ce.link_mtu_defined,
2572  o->ce.link_mtu,
2573  o->ce.tun_mtu_defined,
2574  o->ce.tun_mtu);
2575 }
2576 
2577 /*
2578  * Free a key schedule, including OpenSSL components.
2579  */
2580 static void
2581 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2582 {
2583  free_key_ctx_bi(&ks->static_key);
2584  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2585  {
2586  tls_ctx_free(&ks->ssl_ctx);
2587  free_key_ctx(&ks->auth_token_key);
2588  }
2589  CLEAR(*ks);
2590 }
2591 
2592 static void
2593 init_crypto_pre(struct context *c, const unsigned int flags)
2594 {
2595  if (c->options.engine)
2596  {
2597  crypto_init_lib_engine(c->options.engine);
2598  }
2599 
2600  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2601  {
2602  /* load a persisted packet-id for cross-session replay-protection */
2603  if (c->options.packet_id_file)
2604  {
2605  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2606  }
2607  }
2608 
2609 #ifdef ENABLE_PREDICTION_RESISTANCE
2610  if (c->options.use_prediction_resistance)
2611  {
2612  rand_ctx_enable_prediction_resistance();
2613  }
2614 #endif
2615 }
2616 
2617 /*
2618  * Static Key Mode (using a pre-shared key)
2619  */
2620 static void
2621 do_init_crypto_static(struct context *c, const unsigned int flags)
2622 {
2623  const struct options *options = &c->options;
2624  ASSERT(options->shared_secret_file);
2625 
2626  init_crypto_pre(c, flags);
2627 
2628  /* Initialize flags */
2629  if (c->options.mute_replay_warnings)
2630  {
2631  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2632  }
2633 
2634  /* Initialize packet ID tracking */
2635  if (options->replay)
2636  {
2637  packet_id_init(&c->c2.crypto_options.packet_id,
2638  options->replay_window,
2639  options->replay_time,
2640  "STATIC", 0);
2641  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2642  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2643  packet_id_persist_load_obj(&c->c1.pid_persist,
2644  &c->c2.crypto_options.packet_id);
2645  }
2646 
2647  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2648  {
2649  /* Get cipher & hash algorithms */
2650  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2651  options->test_crypto, true);
2652 
2653  /* Read cipher and hmac keys from shared secret file */
2654  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2655  options->shared_secret_file,
2656  options->shared_secret_file_inline,
2657  options->key_direction, "Static Key Encryption",
2658  "secret");
2659  }
2660  else
2661  {
2662  msg(M_INFO, "Re-using pre-shared static key");
2663  }
2664 
2665  /* Get key schedule */
2666  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2667 
2668  /* Compute MTU parameters */
2669  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2670  options->replay, true);
2671 
2672  /* Sanity check on sequence number, and cipher mode options */
2673  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2674 }
2675 
2676 /*
2677  * Initialize the tls-auth/crypt key context
2678  */
2679 static void
2680 do_init_tls_wrap_key(struct context *c)
2681 {
2682  const struct options *options = &c->options;
2683 
2684  /* TLS handshake authentication (--tls-auth) */
2685  if (options->ce.tls_auth_file)
2686  {
2687  /* Initialize key_type for tls-auth with auth only */
2688  CLEAR(c->c1.ks.tls_auth_key_type);
2689  if (!streq(options->authname, "none"))
2690  {
2691  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2692  c->c1.ks.tls_auth_key_type.hmac_length =
2693  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2694  }
2695  else
2696  {
2697  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2698  "algorithm specified ('%s')", options->authname);
2699  }
2700 
2701  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2702  &c->c1.ks.tls_wrap_key,
2703  options->ce.tls_auth_file,
2704  options->ce.tls_auth_file_inline,
2705  options->ce.key_direction,
2706  "Control Channel Authentication", "tls-auth");
2707  }
2708 
2709  /* TLS handshake encryption+authentication (--tls-crypt) */
2710  if (options->ce.tls_crypt_file)
2711  {
2712  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2713  options->ce.tls_crypt_file,
2714  options->ce.tls_crypt_file_inline,
2715  options->tls_server);
2716  }
2717 
2718  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2719  if (options->ce.tls_crypt_v2_file)
2720  {
2721  if (options->tls_server)
2722  {
2723  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2724  true, options->ce.tls_crypt_v2_file,
2725  options->ce.tls_crypt_v2_file_inline);
2726  }
2727  else
2728  {
2729  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2730  &c->c1.ks.tls_crypt_v2_wkc,
2731  options->ce.tls_crypt_v2_file,
2732  options->ce.tls_crypt_v2_file_inline);
2733  }
2734  }
2735 
2736 
2737 }
2738 
2739 /*
2740  * Initialize the persistent component of OpenVPN's TLS mode,
2741  * which is preserved across SIGUSR1 resets.
2742  */
2743 static void
2744 do_init_crypto_tls_c1(struct context *c)
2745 {
2746  const struct options *options = &c->options;
2747 
2748  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2749  {
2750  /*
2751  * Initialize the OpenSSL library's global
2752  * SSL context.
2753  */
2754  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2755  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2756  {
2757  switch (auth_retry_get())
2758  {
2759  case AR_NONE:
2760  msg(M_FATAL, "Error: private key password verification failed");
2761  break;
2762 
2763  case AR_INTERACT:
2764  ssl_purge_auth(false);
2765 
2766  case AR_NOINTERACT:
2767  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2768  break;
2769 
2770  default:
2771  ASSERT(0);
2772  }
2773  c->sig->signal_text = "private-key-password-failure";
2774  return;
2775  }
2776 
2777  /*
2778  * BF-CBC is allowed to be used only when explicitly configured
2779  * as NCP-fallback or when NCP has been disabled or explicitly
2780  * allowed in the in ncp_ciphers list.
2781  * In all other cases do not attempt to initialize BF-CBC as it
2782  * may not even be supported by the underlying SSL library.
2783  *
2784  * Therefore, the key structure has to be initialized when:
2785  * - any non-BF-CBC cipher was selected; or
2786  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2787  * (BF-CBC will be the fallback).
2788  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2789  * If the negotiated cipher and options->ciphername are the
2790  * same we do not reinit the cipher
2791  *
2792  * Note that BF-CBC will still be part of the OCC string to retain
2793  * backwards compatibility with older clients.
2794  */
2795  if (!streq(options->ciphername, "BF-CBC")
2796  || tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2797  || options->enable_ncp_fallback)
2798  {
2799  /* Do not warn if the if the cipher is used only in OCC */
2800  bool warn = options->enable_ncp_fallback;
2801  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2802  true, warn);
2803  }
2804  /* Initialize PRNG with config-specified digest */
2805  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2806 
2807  /* initialize tls-auth/crypt/crypt-v2 key */
2808  do_init_tls_wrap_key(c);
2809 
2810  /* initialise auth-token crypto support */
2811  if (c->options.auth_token_generate)
2812  {
2813  auth_token_init_secret(&c->c1.ks.auth_token_key,
2814  c->options.auth_token_secret_file,
2815  c->options.auth_token_secret_file_inline);
2816  }
2817 
2818 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2819  if (options->priv_key_file_inline)
2820  {
2821  string_clear(c->options.priv_key_file_inline);
2822  c->options.priv_key_file_inline = NULL;
2823  }
2824 #endif
2825  }
2826  else
2827  {
2828  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2829 
2830  /*
2831  * tls-auth/crypt key can be configured per connection block, therefore
2832  * we must reload it as it may have changed
2833  */
2834  do_init_tls_wrap_key(c);
2835  }
2836 }
2837 
2838 static void
2839 do_init_crypto_tls(struct context *c, const unsigned int flags)
2840 {
2841  const struct options *options = &c->options;
2842  struct tls_options to;
2843  bool packet_id_long_form;
2844 
2845  ASSERT(options->tls_server || options->tls_client);
2846  ASSERT(!options->test_crypto);
2847 
2848  init_crypto_pre(c, flags);
2849 
2850  /* Make sure we are either a TLS client or server but not both */
2851  ASSERT(options->tls_server == !options->tls_client);
2852 
2853  /* initialize persistent component */
2854  do_init_crypto_tls_c1(c);
2855  if (IS_SIG(c))
2856  {
2857  return;
2858  }
2859 
2860  /* Sanity check on sequence number, and cipher mode options */
2861  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2862 
2863  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2864  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2865 
2866  /* Compute MTU parameters (postpone if we push/pull options) */
2867  if (c->options.pull || c->options.mode == MODE_SERVER)
2868  {
2869  /* Account for worst-case crypto overhead before allocating buffers */
2870  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2871  }
2872  else
2873  {
2874  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2875  options->replay, packet_id_long_form);
2876  }
2877  tls_adjust_frame_parameters(&c->c2.frame);
2878 
2879  /* Set all command-line TLS-related options */
2880  CLEAR(to);
2881 
2882  if (options->mute_replay_warnings)
2883  {
2884  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2885  }
2886 
2887  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2888  if (packet_id_long_form)
2889  {
2890  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2891  }
2892 
2893  to.ssl_ctx = c->c1.ks.ssl_ctx;
2894  to.key_type = c->c1.ks.key_type;
2895  to.server = options->tls_server;
2896  to.replay = options->replay;
2897  to.replay_window = options->replay_window;
2898  to.replay_time = options->replay_time;
2899  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2900  to.config_ciphername = c->options.ciphername;
2901  to.config_ncp_ciphers = c->options.ncp_ciphers;
2902  to.transition_window = options->transition_window;
2903  to.handshake_window = options->handshake_window;
2904  to.packet_timeout = options->tls_timeout;
2905  to.renegotiate_bytes = options->renegotiate_bytes;
2906  to.renegotiate_packets = options->renegotiate_packets;
2907  if (options->renegotiate_seconds_min < 0)
2908  {
2909  /* Add 10% jitter to reneg-sec by default (server side only) */
2910  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2911  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2912  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2913  }
2914  else
2915  {
2916  /* Add user-specified jitter to reneg-sec */
2917  to.renegotiate_seconds = options->renegotiate_seconds
2918  -(get_random() % max_int(options->renegotiate_seconds
2919  - options->renegotiate_seconds_min, 1));
2920  }
2921  to.single_session = options->single_session;
2922  to.mode = options->mode;
2923  to.pull = options->pull;
2924  if (options->push_peer_info) /* all there is */
2925  {
2926  to.push_peer_info_detail = 3;
2927  }
2928  else if (options->pull) /* pull clients send some details */
2929  {
2930  to.push_peer_info_detail = 2;
2931  }
2932  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
2933  {
2934  to.push_peer_info_detail = 0;
2935  }
2936  else /* default: minimal info to allow NCP in P2P mode */
2937  {
2938  to.push_peer_info_detail = 1;
2939  }
2940 
2941 
2942  /* should we not xmit any packets until we get an initial
2943  * response from client? */
2944  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2945  {
2946  to.xmit_hold = true;
2947  }
2948 
2949  to.disable_occ = !options->occ;
2950 
2951  to.verify_command = options->tls_verify;
2952  to.verify_export_cert = options->tls_export_cert;
2953  to.verify_x509_type = (options->verify_x509_type & 0xff);
2954  to.verify_x509_name = options->verify_x509_name;
2955  to.crl_file = options->crl_file;
2956  to.crl_file_inline = options->crl_file_inline;
2957  to.ssl_flags = options->ssl_flags;
2958  to.ns_cert_type = options->ns_cert_type;
2959  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2960  to.remote_cert_eku = options->remote_cert_eku;
2961  to.verify_hash = options->verify_hash;
2962  to.verify_hash_algo = options->verify_hash_algo;
2963  to.verify_hash_depth = options->verify_hash_depth;
2964  to.verify_hash_no_ca = options->verify_hash_no_ca;
2965 #ifdef ENABLE_X509ALTUSERNAME
2966  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2967 #else
2968  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2969 #endif
2970  to.es = c->c2.es;
2971  to.net_ctx = &c->net_ctx;
2972 
2973 #ifdef ENABLE_DEBUG
2974  to.gremlin = c->options.gremlin;
2975 #endif
2976 
2977  to.plugins = c->plugins;
2978 
2979 #ifdef ENABLE_MANAGEMENT
2980  to.mda_context = &c->c2.mda_context;
2981 #endif
2982 
2983  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2984  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2985  to.tmp_dir = options->tmp_dir;
2986  if (options->ccd_exclusive)
2987  {
2988  to.client_config_dir_exclusive = options->client_config_dir;
2989  }
2990  to.auth_user_pass_file = options->auth_user_pass_file;
2991  to.auth_token_generate = options->auth_token_generate;
2992  to.auth_token_lifetime = options->auth_token_lifetime;
2993  to.auth_token_call_auth = options->auth_token_call_auth;
2994  to.auth_token_key = c->c1.ks.auth_token_key;
2995 
2996  to.x509_track = options->x509_track;
2997 
2998 #ifdef ENABLE_MANAGEMENT
2999  to.sci = &options->sc_info;
3000 #endif
3001 
3002 #ifdef USE_COMP
3003  to.comp_options = options->comp;
3004 #endif
3005 
3006 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3007  if (options->keying_material_exporter_label)
3008  {
3009  to.ekm_size = options->keying_material_exporter_length;
3010  if (to.ekm_size < 16 || to.ekm_size > 4095)
3011  {
3012  to.ekm_size = 0;
3013  }
3014 
3015  to.ekm_label = options->keying_material_exporter_label;
3016  to.ekm_label_size = strlen(to.ekm_label);
3017  }
3018  else
3019  {
3020  to.ekm_size = 0;
3021  }
3022 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3023 
3024  /* TLS handshake authentication (--tls-auth) */
3025  if (options->ce.tls_auth_file)
3026  {
3027  to.tls_wrap.mode = TLS_WRAP_AUTH;
3028  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3029  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3030  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3031  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
3032  true, true);
3033  }
3034 
3035  /* TLS handshake encryption (--tls-crypt) */
3036  if (options->ce.tls_crypt_file
3037  || (options->ce.tls_crypt_v2_file && options->tls_client))
3038  {
3039  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3040  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3041  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3042  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3043  tls_crypt_adjust_frame_parameters(&to.frame);
3044 
3045  if (options->ce.tls_crypt_v2_file)
3046  {
3047  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3048  }
3049  }
3050 
3051  if (options->ce.tls_crypt_v2_file)
3052  {
3053  to.tls_crypt_v2 = true;
3054  if (options->tls_server)
3055  {
3056  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3057  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3058  }
3059  }
3060 
3061  /* If we are running over TCP, allow for
3062  * length prefix */
3063  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3064 
3065  /*
3066  * Initialize OpenVPN's master TLS-mode object.
3067  */
3068  if (flags & CF_INIT_TLS_MULTI)
3069  {
3070  c->c2.tls_multi = tls_multi_init(&to);
3071  }
3072 
3073  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3074  {
3075  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3076  }
3077 }
3078 
3079 static void
3080 do_init_finalize_tls_frame(struct context *c)
3081 {
3082  if (c->c2.tls_multi)
3083  {
3084  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3085  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3086  EXPANDED_SIZE(&c->c2.frame));
3087  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3088  "Control Channel MTU parms");
3089  }
3090  if (c->c2.tls_auth_standalone)
3091  {
3092  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3093  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3094  "TLS-Auth MTU parms");
3095  }
3096 }
3097 
3098 /*
3099  * No encryption or authentication.
3100  */
3101 static void
3102 do_init_crypto_none(const struct context *c)
3103 {
3104  ASSERT(!c->options.test_crypto);
3105  msg(M_WARN,
3106  "******* WARNING *******: All encryption and authentication features "
3107  "disabled -- All data will be tunnelled as clear text and will not be "
3108  "protected against man-in-the-middle changes. "
3109  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3110 }
3111 
3112 static void
3113 do_init_crypto(struct context *c, const unsigned int flags)
3114 {
3115  if (c->options.shared_secret_file)
3116  {
3117  do_init_crypto_static(c, flags);
3118  }
3119  else if (c->options.tls_server || c->options.tls_client)
3120  {
3121  do_init_crypto_tls(c, flags);
3122  }
3123  else /* no encryption or authentication. */
3124  {
3125  do_init_crypto_none(c);
3126  }
3127 }
3128 
3129 static void
3130 do_init_frame(struct context *c)
3131 {
3132 #ifdef USE_COMP
3133  /*
3134  * modify frame parameters if compression is enabled
3135  */
3136  if (comp_enabled(&c->options.comp))
3137  {
3138  comp_add_to_extra_frame(&c->c2.frame);
3139 
3140 #ifdef ENABLE_FRAGMENT
3141  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3142 #endif
3143  }
3144 #endif /* USE_COMP */
3145 
3146  /*
3147  * Adjust frame size for UDP Socks support.
3148  */
3149  if (c->options.ce.socks_proxy_server)
3150  {
3151  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3152  }
3153 
3154  /*
3155  * Adjust frame size based on the --tun-mtu-extra parameter.
3156  */
3157  if (c->options.ce.tun_mtu_extra_defined)
3158  {
3159  frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra);
3160  }
3161 
3162  /*
3163  * Adjust frame size based on link socket parameters.
3164  * (Since TCP is a stream protocol, we need to insert
3165  * a packet length uint16_t in the buffer.)
3166  */
3167  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3168 
3169  /*
3170  * Fill in the blanks in the frame parameters structure,
3171  * make sure values are rational, etc.
3172  */
3173  frame_finalize_options(c, NULL);
3174 
3175 #ifdef USE_COMP
3176  /*
3177  * Modify frame parameters if compression is compiled in.
3178  * Should be called after frame_finalize_options.
3179  */
3180  comp_add_to_extra_buffer(&c->c2.frame);
3181 #ifdef ENABLE_FRAGMENT
3182  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3183 #endif
3184 #endif /* USE_COMP */
3185 
3186  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3187  * and need link_mtu+3 bytes on socket reception (on server).
3188  *
3189  * accommodate receive path in f->extra_link, which has the side effect of
3190  * also increasing send buffers (BUF_SIZE() macro), which need to be
3191  * allocated big enough before receiving peer-id option from server.
3192  *
3193  * f->extra_frame is adjusted when peer-id option is push-received
3194  */
3195  frame_add_to_extra_link(&c->c2.frame, 3);
3196 
3197 #ifdef ENABLE_FRAGMENT
3198  /*
3199  * Set frame parameter for fragment code. This is necessary because
3200  * the fragmentation code deals with payloads which have already been
3201  * passed through the compression code.
3202  */
3203  c->c2.frame_fragment = c->c2.frame;
3204  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3205  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3206 #endif
3207 
3208 #if defined(ENABLE_FRAGMENT)
3209  /*
3210  * MTU advisories
3211  */
3212  if (c->options.ce.fragment && c->options.mtu_test)
3213  {
3214  msg(M_WARN,
3215  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3216  }
3217 #endif
3218 
3219 #ifdef ENABLE_FRAGMENT
3220  if ((c->options.ce.mssfix || c->options.ce.fragment)
3221  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3222  {
3223  msg(M_WARN,
3224  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3225  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3226  }
3227 #endif
3228 }
3229 
3230 static void
3231 do_option_warnings(struct context *c)
3232 {
3233  const struct options *o = &c->options;
3234 
3235  if (o->ping_send_timeout && !o->ping_rec_timeout)
3236  {
3237  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3238  }
3239 
3240  if (o->username || o->groupname || o->chroot_dir
3241 #ifdef ENABLE_SELINUX
3242  || o->selinux_context
3243 #endif
3244  )
3245  {
3246  if (!o->persist_tun)
3247  {
3248  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3249  }
3250  if (!o->persist_key
3251 #ifdef ENABLE_PKCS11
3252  && !o->pkcs11_id
3253 #endif
3254  )
3255  {
3256  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3257  }
3258  }
3259 
3260  if (o->chroot_dir && !(o->username && o->groupname))
3261  {
3262  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3263  }
3264 
3265  if (o->pull && o->ifconfig_local && c->first_time)
3266  {
3267  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3268  }
3269 
3270  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3271  {
3272  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3273  }
3274 
3275  if (o->mode == MODE_SERVER)
3276  {
3277  if (o->duplicate_cn && o->client_config_dir)
3278  {
3279  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3280  }
3281  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3282  {
3283  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3284  }
3285  if (!o->keepalive_ping || !o->keepalive_timeout)
3286  {
3287  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3288  }
3289  }
3290 
3291  if (!o->replay)
3292  {
3293  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3294  }
3295 
3296  if (o->tls_server)
3297  {
3298  warn_on_use_of_common_subnets(&c->net_ctx);
3299  }
3300  if (o->tls_client
3301  && !o->tls_verify
3302  && o->verify_x509_type == VERIFY_X509_NONE
3303  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3304  && !o->remote_cert_eku)
3305  {
3306  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3307  }
3308  if (o->ns_cert_type)
3309  {
3310  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3311  }
3312 
3313  /* If a script is used, print appropriate warnings */
3314  if (o->user_script_used)
3315  {
3316  if (script_security() >= SSEC_SCRIPTS)
3317  {
3318  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3319  }
3320  else if (script_security() >= SSEC_PW_ENV)
3321  {
3322  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3323  }
3324  else
3325  {
3326  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3327  }
3328  }
3329 }
3330 
3331 static void
3332 do_init_frame_tls(struct context *c)
3333 {
3334  do_init_finalize_tls_frame(c);
3335 }
3336 
3337 struct context_buffers *
3338 init_context_buffers(const struct frame *frame)
3339 {
3340  struct context_buffers *b;
3341 
3342  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3343 
3344  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3345  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3346 
3347  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3350  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3351 
3352 #ifdef USE_COMP
3353  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3354  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3355 #endif
3356 
3357  return b;
3358 }
3359 
3360 void
3361 free_context_buffers(struct context_buffers *b)
3362 {
3363  if (b)
3364  {
3365  free_buf(&b->read_link_buf);
3366  free_buf(&b->read_tun_buf);
3367  free_buf(&b->aux_buf);
3368 
3369 #ifdef USE_COMP
3370  free_buf(&b->compress_buf);
3371  free_buf(&b->decompress_buf);
3372 #endif
3373 
3374  free_buf(&b->encrypt_buf);
3375  free_buf(&b->decrypt_buf);
3376 
3377  free(b);
3378  }
3379 }
3380 
3381 /*
3382  * Now that we know all frame parameters, initialize
3383  * our buffers.
3384  */
3385 static void
3386 do_init_buffers(struct context *c)
3387 {
3388  c->c2.buffers = init_context_buffers(&c->c2.frame);
3389  c->c2.buffers_owned = true;
3390 }
3391 
3392 #ifdef ENABLE_FRAGMENT
3393 /*
3394  * Fragmenting code has buffers to initialize
3395  * once frame parameters are known.
3396  */
3397 static void
3398 do_init_fragment(struct context *c)
3399 {
3400  ASSERT(c->options.ce.fragment);
3401  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3402  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3403  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3404 }
3405 #endif
3406 
3407 /*
3408  * Allocate our socket object.
3409  */
3410 static void
3411 do_link_socket_new(struct context *c)
3412 {
3413  ASSERT(!c->c2.link_socket);
3414  c->c2.link_socket = link_socket_new();
3415  c->c2.link_socket_owned = true;
3416 }
3417 
3418 /*
3419  * Print MTU INFO
3420  */
3421 static void
3422 do_print_data_channel_mtu_parms(struct context *c)
3423 {
3424  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3425 #ifdef ENABLE_FRAGMENT
3426  if (c->c2.fragment)
3427  {
3428  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3429  "Fragmentation MTU parms");
3430  }
3431 #endif
3432 }
3433 
3434 /*
3435  * Get local and remote options compatibility strings.
3436  */
3437 static void
3438 do_compute_occ_strings(struct context *c)
3439 {
3440  struct gc_arena gc = gc_new();
3441 
3442  c->c2.options_string_local =
3443  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3444  false, &gc);
3445  c->c2.options_string_remote =
3446  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3447  true, &gc);
3448 
3449  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3450  options_string_version(c->c2.options_string_local, &gc),
3451  c->c2.options_string_local);
3452  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3453  options_string_version(c->c2.options_string_remote, &gc),
3454  c->c2.options_string_remote);
3455 
3456  if (c->c2.tls_multi)
3457  {
3458  tls_multi_init_set_options(c->c2.tls_multi,
3459  c->c2.options_string_local,
3460  c->c2.options_string_remote);
3461  }
3462 
3463  gc_free(&gc);
3464 }
3465 
3466 /*
3467  * These things can only be executed once per program instantiation.
3468  * Set up for possible UID/GID downgrade, but don't do it yet.
3469  * Daemonize if requested.
3470  */
3471 static void
3472 do_init_first_time(struct context *c)
3473 {
3474  if (c->first_time && !c->c0)
3475  {
3476  struct context_0 *c0;
3477 
3478  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3479  c0 = c->c0;
3480 
3481  /* get user and/or group that we want to setuid/setgid to */
3482  c0->uid_gid_specified =
3483  platform_group_get(c->options.groupname, &c0->platform_state_group)
3484  |platform_user_get(c->options.username, &c0->platform_state_user);
3485 
3486  /* perform postponed chdir if --daemon */
3487  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3488  {
3489  platform_chdir("/");
3490  }
3491 
3492  /* should we change scheduling priority? */
3493  platform_nice(c->options.nice);
3494  }
3495 }
3496 
3497 /*
3498  * free buffers
3499  */
3500 static void
3501 do_close_free_buf(struct context *c)
3502 {
3503  if (c->c2.buffers_owned)
3504  {
3505  free_context_buffers(c->c2.buffers);
3506  c->c2.buffers = NULL;
3507  c->c2.buffers_owned = false;
3508  }
3509 }
3510 
3511 /*
3512  * close TLS
3513  */
3514 static void
3515 do_close_tls(struct context *c)
3516 {
3517  if (c->c2.tls_multi)
3518  {
3519  tls_multi_free(c->c2.tls_multi, true);
3520  c->c2.tls_multi = NULL;
3521  }
3522 
3523  /* free options compatibility strings */
3524  free(c->c2.options_string_local);
3525  free(c->c2.options_string_remote);
3526 
3527  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3528 
3529  if (c->c2.pulled_options_state)
3530  {
3531  md_ctx_cleanup(c->c2.pulled_options_state);
3532  md_ctx_free(c->c2.pulled_options_state);
3533  }
3534 }
3535 
3536 /*
3537  * Free key schedules
3538  */
3539 static void
3540 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3541 {
3542  /*
3543  * always free the tls_auth/crypt key. If persist_key is true, the key will
3544  * be reloaded from memory (pre-cached)
3545  */
3546  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3547  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3548  CLEAR(c->c1.ks.tls_wrap_key);
3549  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3550  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3551 
3552  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3553  {
3554  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3555  }
3556 }
3557 
3558 /*
3559  * Close TCP/UDP connection
3560  */
3561 static void
3562 do_close_link_socket(struct context *c)
3563 {
3564  if (c->c2.link_socket && c->c2.link_socket_owned)
3565  {
3566  link_socket_close(c->c2.link_socket);
3567  c->c2.link_socket = NULL;
3568  }
3569 
3570 
3571  /* Preserve the resolved list of remote if the user request to or if we want
3572  * reconnect to the same host again or there are still addresses that need
3573  * to be tried */
3574  if (!(c->sig->signal_received == SIGUSR1
3575  && ( (c->options.persist_remote_ip)
3576  ||
3577  ( c->sig->source != SIG_SOURCE_HARD
3578  && ((c->c1.link_socket_addr.current_remote
3579  && c->c1.link_socket_addr.current_remote->ai_next)
3580  || c->options.no_advance))
3581  )))
3582  {
3583  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3584  }
3585 
3586  /* Clear the remote actual address when persist_remote_ip is not in use */
3587  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3588  {
3589  CLEAR(c->c1.link_socket_addr.actual);
3590  }
3591 
3592  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3593  {
3594  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3595  {
3596  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3597  }
3598 
3599  c->c1.link_socket_addr.bind_local = NULL;
3600  }
3601 }
3602 
3603 /*
3604  * Close packet-id persistence file
3605  */
3606 static void
3607 do_close_packet_id(struct context *c)
3608 {
3609  packet_id_free(&c->c2.crypto_options.packet_id);
3610  packet_id_persist_save(&c->c1.pid_persist);
3611  if (!(c->sig->signal_received == SIGUSR1))
3612  {
3613  packet_id_persist_close(&c->c1.pid_persist);
3614  }
3615 }
3616 
3617 #ifdef ENABLE_FRAGMENT
3618 /*
3619  * Close fragmentation handler.
3620  */
3621 static void
3622 do_close_fragment(struct context *c)
3623 {
3624  if (c->c2.fragment)
3625  {
3626  fragment_free(c->c2.fragment);
3627  c->c2.fragment = NULL;
3628  }
3629 }
3630 #endif
3631 
3632 /*
3633  * Open and close our event objects.
3634  */
3635 
3636 static void
3637 do_event_set_init(struct context *c,
3638  bool need_us_timeout)
3639 {
3640  unsigned int flags = 0;
3641 
3642  c->c2.event_set_max = BASE_N_EVENTS;
3643 
3644  flags |= EVENT_METHOD_FAST;
3645 
3646  if (need_us_timeout)
3647  {
3648  flags |= EVENT_METHOD_US_TIMEOUT;
3649  }
3650 
3651  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3652  c->c2.event_set_owned = true;
3653 }
3654 
3655 static void
3656 do_close_event_set(struct context *c)
3657 {
3658  if (c->c2.event_set && c->c2.event_set_owned)
3659  {
3660  event_free(c->c2.event_set);
3661  c->c2.event_set = NULL;
3662  c->c2.event_set_owned = false;
3663  }
3664 }
3665 
3666 /*
3667  * Open and close --status file
3668  */
3669 
3670 static void
3671 do_open_status_output(struct context *c)
3672 {
3673  if (!c->c1.status_output)
3674  {
3675  c->c1.status_output = status_open(c->options.status_file,
3676  c->options.status_file_update_freq,
3677  -1,
3678  NULL,
3679  STATUS_OUTPUT_WRITE);
3680  c->c1.status_output_owned = true;
3681  }
3682 }
3683 
3684 static void
3685 do_close_status_output(struct context *c)
3686 {
3687  if (!(c->sig->signal_received == SIGUSR1))
3688  {
3689  if (c->c1.status_output_owned && c->c1.status_output)
3690  {
3691  status_close(c->c1.status_output);
3692  c->c1.status_output = NULL;
3693  c->c1.status_output_owned = false;
3694  }
3695  }
3696 }
3697 
3698 /*
3699  * Handle ifconfig-pool persistence object.
3700  */
3701 static void
3702 do_open_ifconfig_pool_persist(struct context *c)
3703 {
3704  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3705  {
3706  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3707  c->options.ifconfig_pool_persist_refresh_freq);
3708  c->c1.ifconfig_pool_persist_owned = true;
3709  }
3710 }
3711 
3712 static void
3713 do_close_ifconfig_pool_persist(struct context *c)
3714 {
3715  if (!(c->sig->signal_received == SIGUSR1))
3716  {
3717  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3718  {
3719  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3720  c->c1.ifconfig_pool_persist = NULL;
3721  c->c1.ifconfig_pool_persist_owned = false;
3722  }
3723  }
3724 }
3725 
3726 /*
3727  * Inherit environmental variables
3728  */
3729 
3730 static void
3731 do_inherit_env(struct context *c, const struct env_set *src)
3732 {
3733  c->c2.es = env_set_create(NULL);
3734  c->c2.es_owned = true;
3735  env_set_inherit(c->c2.es, src);
3736 }
3737 
3738 static void
3739 do_env_set_destroy(struct context *c)
3740 {
3741  if (c->c2.es && c->c2.es_owned)
3742  {
3743  env_set_destroy(c->c2.es);
3744  c->c2.es = NULL;
3745  c->c2.es_owned = false;
3746  }
3747 }
3748 
3749 /*
3750  * Fast I/O setup. Fast I/O is an optimization which only works
3751  * if all of the following are true:
3752  *
3753  * (1) The platform is not Windows
3754  * (2) --proto udp is enabled
3755  * (3) --shaper is disabled
3756  */
3757 static void
3758 do_setup_fast_io(struct context *c)
3759 {
3760  if (c->options.fast_io)
3761  {
3762 #ifdef _WIN32
3763  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3764 #else
3765  if (!proto_is_udp(c->options.ce.proto))
3766  {
3767  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3768  }
3769  else
3770  {
3771  if (c->options.shaper)
3772  {
3773  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3774  }
3775  else
3776  {
3777  c->c2.fast_io = true;
3778  }
3779  }
3780 #endif
3781  }
3782 }
3783 
3784 static void
3785 do_signal_on_tls_errors(struct context *c)
3786 {
3787  if (c->options.tls_exit)
3788  {
3789  c->c2.tls_exit_signal = SIGTERM;
3790  }
3791  else
3792  {
3793  c->c2.tls_exit_signal = SIGUSR1;
3794  }
3795 }
3796 
3797 #ifdef ENABLE_PLUGIN
3798 
3799 void
3800 init_plugins(struct context *c)
3801 {
3802  if (c->options.plugin_list && !c->plugins)
3803  {
3804  c->plugins = plugin_list_init(c->options.plugin_list);
3805  c->plugins_owned = true;
3806  }
3807 }
3808 
3809 void
3810 open_plugins(struct context *c, const bool import_options, int init_point)
3811 {
3812  if (c->plugins && c->plugins_owned)
3813  {
3814  if (import_options)
3815  {
3816  struct plugin_return pr, config;
3817  plugin_return_init(&pr);
3818  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3819  plugin_return_get_column(&pr, &config, "config");
3820  if (plugin_return_defined(&config))
3821  {
3822  int i;
3823  for (i = 0; i < config.n; ++i)
3824  {
3825  unsigned int option_types_found = 0;
3826  if (config.list[i] && config.list[i]->value)
3827  {
3828  options_string_import(&c->options,
3829  config.list[i]->value,
3830  D_IMPORT_ERRORS|M_OPTERR,
3831  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3832  &option_types_found,
3833  c->es);
3834  }
3835  }
3836  }
3837  plugin_return_free(&pr);
3838  }
3839  else
3840  {
3841  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3842  }
3843  }
3844 }
3845 
3846 static void
3847 do_close_plugins(struct context *c)
3848 {
3849  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3850  {
3851  plugin_list_close(c->plugins);
3852  c->plugins = NULL;
3853  c->plugins_owned = false;
3854  }
3855 }
3856 
3857 static void
3858 do_inherit_plugins(struct context *c, const struct context *src)
3859 {
3860  if (!c->plugins && src->plugins)
3861  {
3862  c->plugins = plugin_list_inherit(src->plugins);
3863  c->plugins_owned = true;
3864  }
3865 }
3866 
3867 #endif /* ifdef ENABLE_PLUGIN */
3868 
3869 #ifdef ENABLE_MANAGEMENT
3870 
3871 static void
3872 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3873 {
3874  struct context *c = (struct context *) arg;
3875  print_status(c, so);
3876 }
3877 
3878 void
3879 management_show_net_callback(void *arg, const int msglevel)
3880 {
3881 #ifdef _WIN32
3882  show_routes(msglevel);
3883  show_adapters(msglevel);
3884  msg(msglevel, "END");
3885 #else
3886  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3887 #endif
3888 }
3889 
3890 #ifdef TARGET_ANDROID
3891 int
3892 management_callback_network_change(void *arg, bool samenetwork)
3893 {
3894  /* Check if the client should translate the network change to a SIGUSR1 to
3895  * reestablish the connection or just reprotect the socket
3896  *
3897  * At the moment just assume that, for all settings that use pull (not
3898  * --static) and are not using peer-id reestablishing the connection is
3899  * required (unless the network is the same)
3900  *
3901  * The function returns -1 on invalid fd and -2 if the socket cannot be
3902  * reused. On the -2 return value the man_network_change function triggers
3903  * a SIGUSR1 to force a reconnect.
3904  */
3905 
3906  int socketfd = -1;
3907  struct context *c = (struct context *) arg;
3908  if (!c->c2.link_socket)
3909  {
3910  return -1;
3911  }
3912  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3913  {
3914  return -1;
3915  }
3916 
3917  socketfd = c->c2.link_socket->sd;
3918  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3919  {
3920  return socketfd;
3921  }
3922  else
3923  {
3924  return -2;
3925  }
3926 }
3927 #endif /* ifdef TARGET_ANDROID */
3928 
3929 #endif /* ifdef ENABLE_MANAGEMENT */
3930 
3931 void
3932 init_management_callback_p2p(struct context *c)
3933 {
3934 #ifdef ENABLE_MANAGEMENT
3935  if (management)
3936  {
3937  struct management_callback cb;
3938  CLEAR(cb);
3939  cb.arg = c;
3940  cb.status = management_callback_status_p2p;
3941  cb.show_net = management_show_net_callback;
3942  cb.proxy_cmd = management_callback_proxy_cmd;
3943  cb.remote_cmd = management_callback_remote_cmd;
3944  cb.send_cc_message = management_callback_send_cc_message;
3945 #ifdef TARGET_ANDROID
3946  cb.network_change = management_callback_network_change;
3947 #endif
3948  management_set_callback(management, &cb);
3949  }
3950 #endif
3951 }
3952 
3953 #ifdef ENABLE_MANAGEMENT
3954 
3955 void
3956 init_management(void)
3957 {
3958  if (!management)
3959  {
3960  management = management_init();
3961  }
3962 }
3963 
3964 bool
3965 open_management(struct context *c)
3966 {
3967  /* initialize management layer */
3968  if (management)
3969  {
3970  if (c->options.management_addr)
3971  {
3972  unsigned int flags = c->options.management_flags;
3973  if (c->options.mode == MODE_SERVER)
3974  {
3975  flags |= MF_SERVER;
3976  }
3977  if (management_open(management,
3978  c->options.management_addr,
3979  c->options.management_port,
3980  c->options.management_user_pass,
3981  c->options.management_client_user,
3982  c->options.management_client_group,
3983  c->options.management_log_history_cache,
3984  c->options.management_echo_buffer_size,
3985  c->options.management_state_buffer_size,
3986  c->options.management_write_peer_info_file,
3987  c->options.remap_sigusr1,
3988  flags))
3989  {
3990  management_set_state(management,
3991  OPENVPN_STATE_CONNECTING,
3992  NULL,
3993  NULL,
3994  NULL,
3995  NULL,
3996  NULL);
3997  }
3998 
3999  /* initial management hold, called early, before first context initialization */
4000  do_hold(0);
4001  if (IS_SIG(c))
4002  {
4003  msg(M_WARN, "Signal received from management interface, exiting");
4004  return false;
4005  }
4006  }
4007  else
4008  {
4009  close_management();
4010  }
4011  }
4012  return true;
4013 }
4014 
4015 void
4016 close_management(void)
4017 {
4018  if (management)
4019  {
4020  management_close(management);
4021  management = NULL;
4022  }
4023 }
4024 
4025 #endif /* ifdef ENABLE_MANAGEMENT */
4026 
4027 
4028 void
4029 uninit_management_callback(void)
4030 {
4031 #ifdef ENABLE_MANAGEMENT
4032  if (management)
4033  {
4034  management_clear_callback(management);
4035  }
4036 #endif
4037 }
4038 
4039 /*
4040  * Initialize a tunnel instance, handle pre and post-init
4041  * signal settings.
4042  */
4043 void
4044 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4045 {
4046  pre_init_signal_catch();
4047  init_instance(c, env, flags);
4048  post_init_signal_catch();
4049 
4050  /*
4051  * This is done so that signals thrown during
4052  * initialization can bring us back to
4053  * a management hold.
4054  */
4055  if (IS_SIG(c))
4056  {
4057  remap_signal(c);
4058  uninit_management_callback();
4059  }
4060 }
4061 
4062 /*
4063  * Initialize a tunnel instance.
4064  */
4065 void
4066 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4067 {
4068  const struct options *options = &c->options;
4069  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4070  int link_socket_mode = LS_MODE_DEFAULT;
4071 
4072  /* init garbage collection level */
4073  gc_init(&c->c2.gc);
4074 
4075  /* inherit environmental variables */
4076  if (env)
4077  {
4078  do_inherit_env(c, env);
4079  }
4080 
4081  /* signals caught here will abort */
4082  c->sig->signal_received = 0;
4083  c->sig->signal_text = NULL;
4084  c->sig->source = SIG_SOURCE_SOFT;
4085 
4086  if (c->mode == CM_P2P)
4087  {
4088  init_management_callback_p2p(c);
4089  }
4090 
4091  /* possible sleep or management hold if restart */
4092  if (c->mode == CM_P2P || c->mode == CM_TOP)
4093  {
4094  do_startup_pause(c);
4095  if (IS_SIG(c))
4096  {
4097  goto sig;
4098  }
4099  }
4100 
4101  if (c->options.resolve_in_advance)
4102  {
4103  do_preresolve(c);
4104  if (IS_SIG(c))
4105  {
4106  goto sig;
4107  }
4108  }
4109 
4110  /* Resets all values to the initial values from the config where needed */
4111  pre_connect_restore(&c->options, &c->c2.gc);
4112 
4113  /* map in current connection entry */
4114  next_connection_entry(c);
4115 
4116  /* link_socket_mode allows CM_CHILD_TCP
4117  * instances to inherit acceptable fds
4118  * from a top-level parent */
4119  if (c->options.ce.proto == PROTO_TCP_SERVER)
4120  {
4121  if (c->mode == CM_TOP)
4122  {
4123  link_socket_mode = LS_MODE_TCP_LISTEN;
4124  }
4125  else if (c->mode == CM_CHILD_TCP)
4126  {
4127  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4128  }
4129  }
4130 
4131  /* should we disable paging? */
4132  if (c->first_time && options->mlock)
4133  {
4134  platform_mlockall(true);
4135  }
4136 
4137  /* get passwords if undefined */
4138  if (auth_retry_get() == AR_INTERACT)
4139  {
4140  init_query_passwords(c);
4141  }
4142 
4143  /* initialize context level 2 --verb/--mute parms */
4144  init_verb_mute(c, IVM_LEVEL_2);
4145 
4146  /* set error message delay for non-server modes */
4147  if (c->mode == CM_P2P)
4148  {
4149  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4150  }
4151 
4152  /* warn about inconsistent options */
4153  if (c->mode == CM_P2P || c->mode == CM_TOP)
4154  {
4155  do_option_warnings(c);
4156  }
4157 
4158 #ifdef ENABLE_PLUGIN
4159  /* initialize plugins */
4160  if (c->mode == CM_P2P || c->mode == CM_TOP)
4161  {
4162  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4163  }
4164 #endif
4165 
4166  /* should we enable fast I/O? */
4167  if (c->mode == CM_P2P || c->mode == CM_TOP)
4168  {
4169  do_setup_fast_io(c);
4170  }
4171 
4172  /* should we throw a signal on TLS errors? */
4173  do_signal_on_tls_errors(c);
4174 
4175  /* open --status file */
4176  if (c->mode == CM_P2P || c->mode == CM_TOP)
4177  {
4178  do_open_status_output(c);
4179  }
4180 
4181  /* open --ifconfig-pool-persist file */
4182  if (c->mode == CM_TOP)
4183  {
4184  do_open_ifconfig_pool_persist(c);
4185  }
4186 
4187  /* reset OCC state */
4188  if (c->mode == CM_P2P || child)
4189  {
4190  c->c2.occ_op = occ_reset_op();
4191  }
4192 
4193  /* our wait-for-i/o objects, different for posix vs. win32 */
4194  if (c->mode == CM_P2P)
4195  {
4196  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4197  }
4198  else if (c->mode == CM_CHILD_TCP)
4199  {
4200  do_event_set_init(c, false);
4201  }
4202 
4203  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4204  init_proxy(c);
4205 
4206  /* allocate our socket object */
4207  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4208  {
4209  do_link_socket_new(c);
4210  }
4211 
4212 #ifdef ENABLE_FRAGMENT
4213  /* initialize internal fragmentation object */
4214  if (options->ce.fragment && (c->mode == CM_P2P || child))
4215  {
4216  c->c2.fragment = fragment_init(&c->c2.frame);
4217  }
4218 #endif
4219 
4220  /* init crypto layer */
4221  {
4222  unsigned int crypto_flags = 0;
4223  if (c->mode == CM_TOP)
4224  {
4225  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4226  }
4227  else if (c->mode == CM_P2P)
4228  {
4229  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4230  }
4231  else if (child)
4232  {
4233  crypto_flags = CF_INIT_TLS_MULTI;
4234  }
4235  do_init_crypto(c, crypto_flags);
4236  if (IS_SIG(c) && !child)
4237  {
4238  goto sig;
4239  }
4240  }
4241 
4242 #ifdef USE_COMP
4243  /* initialize compression library. */
4244  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4245  {
4246  c->c2.comp_context = comp_init(&options->comp);
4247  }
4248 #endif
4249 
4250  /* initialize MTU variables */
4251  do_init_frame(c);
4252 
4253  /* initialize TLS MTU variables */
4254  do_init_frame_tls(c);
4255 
4256  /* init workspace buffers whose size is derived from frame size */
4257  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4258  {
4259  do_init_buffers(c);
4260  }
4261 
4262 #ifdef ENABLE_FRAGMENT
4263  /* initialize internal fragmentation capability with known frame size */
4264  if (options->ce.fragment && (c->mode == CM_P2P || child))
4265  {
4266  do_init_fragment(c);
4267  }
4268 #endif
4269 
4270  /* initialize dynamic MTU variable */
4271  frame_init_mssfix(&c->c2.frame, &c->options);
4272 
4273  /* bind the TCP/UDP socket */
4274  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4275  {
4276  link_socket_init_phase1(c, link_socket_mode);
4277  }
4278 
4279  /* initialize tun/tap device object,
4280  * open tun/tap device, ifconfig, run up script, etc. */
4281  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4282  {
4283  c->c2.did_open_tun = do_open_tun(c);
4284  }
4285 
4286  c->c2.frame_initial = c->c2.frame;
4287 
4288  /* print MTU info */
4289  do_print_data_channel_mtu_parms(c);
4290 
4291  /* get local and remote options compatibility strings */
4292  if (c->mode == CM_P2P || child)
4293  {
4294  do_compute_occ_strings(c);
4295  }
4296 
4297  /* initialize output speed limiter */
4298  if (c->mode == CM_P2P)
4299  {
4300  do_init_traffic_shaper(c);
4301  }
4302 
4303  /* do one-time inits, and possibly become a daemon here */
4304  do_init_first_time(c);
4305 
4306 #ifdef ENABLE_PLUGIN
4307  /* initialize plugins */
4308  if (c->mode == CM_P2P || c->mode == CM_TOP)
4309  {
4310  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4311  }
4312 #endif
4313 
4314  /* initialise connect timeout timer */
4315  do_init_server_poll_timeout(c);
4316 
4317  /* finalize the TCP/UDP socket */
4318  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4319  {
4320  link_socket_init_phase2(c);
4321  }
4322 
4323  /*
4324  * Actually do UID/GID downgrade, and chroot, if requested.
4325  * May be delayed by --client, --pull, or --up-delay.
4326  */
4327  do_uid_gid_chroot(c, c->c2.did_open_tun);
4328 
4329  /* initialize timers */
4330  if (c->mode == CM_P2P || child)
4331  {
4332  do_init_timers(c, false);
4333  }
4334 
4335 #ifdef ENABLE_PLUGIN
4336  /* initialize plugins */
4337  if (c->mode == CM_P2P || c->mode == CM_TOP)
4338  {
4339  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4340  }
4341 #endif
4342 
4343 #if PORT_SHARE
4344  /* share OpenVPN port with foreign (such as HTTPS) server */
4345  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4346  {
4347  init_port_share(c);
4348  }
4349 #endif
4350 
4351  /* Check for signals */
4352  if (IS_SIG(c))
4353  {
4354  goto sig;
4355  }
4356 
4357  return;
4358 
4359 sig:
4360  if (!c->sig->signal_text)
4361  {
4362  c->sig->signal_text = "init_instance";
4363  }
4364  close_context(c, -1, flags);
4365  return;
4366 }
4367 
4368 /*
4369  * Close a tunnel instance.
4370  */
4371 void
4372 close_instance(struct context *c)
4373 {
4374  /* close event objects */
4375  do_close_event_set(c);
4376 
4377  if (c->mode == CM_P2P
4378  || c->mode == CM_CHILD_TCP
4379  || c->mode == CM_CHILD_UDP
4380  || c->mode == CM_TOP)
4381  {
4382 #ifdef USE_COMP
4383  if (c->c2.comp_context)
4384  {
4385  comp_uninit(c->c2.comp_context);
4386  c->c2.comp_context = NULL;
4387  }
4388 #endif
4389 
4390  /* free buffers */
4391  do_close_free_buf(c);
4392 
4393  /* close TLS */
4394  do_close_tls(c);
4395 
4396  /* free key schedules */
4397  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4398 
4399  /* close TCP/UDP connection */
4400  do_close_link_socket(c);
4401 
4402  /* close TUN/TAP device */
4403  do_close_tun(c, false);
4404 
4405 #ifdef ENABLE_MANAGEMENT
4406  if (management)
4407  {
4408  management_notify_client_close(management, &c->c2.mda_context, NULL);
4409  }
4410 #endif
4411 
4412 #ifdef ENABLE_PLUGIN
4413  /* call plugin close functions and unload */
4414  do_close_plugins(c);
4415 #endif
4416 
4417  /* close packet-id persistence file */
4418  do_close_packet_id(c);
4419 
4420  /* close --status file */
4421  do_close_status_output(c);
4422 
4423 #ifdef ENABLE_FRAGMENT
4424  /* close fragmentation handler */
4425  do_close_fragment(c);
4426 #endif
4427 
4428  /* close --ifconfig-pool-persist obj */
4429  do_close_ifconfig_pool_persist(c);
4430 
4431  /* free up environmental variable store */
4432  do_env_set_destroy(c);
4433 
4434  /* close HTTP or SOCKS proxy */
4435  uninit_proxy(c);
4436 
4437  /* garbage collect */
4438  gc_free(&c->c2.gc);
4439  }
4440 }
4441 
4442 void
4443 inherit_context_child(struct context *dest,
4444  const struct context *src)
4445 {
4446  CLEAR(*dest);
4447 
4448  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4449  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4450 
4451  dest->gc = gc_new();
4452 
4453  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4454 
4455  /* c1 init */
4456  packet_id_persist_init(&dest->c1.pid_persist);
4457 
4458  dest->c1.ks.key_type = src->c1.ks.key_type;
4459  /* inherit SSL context */
4460  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4461  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4462  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4463  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4464  /* inherit pre-NCP ciphers */
4465  dest->options.ciphername = src->options.ciphername;
4466  dest->options.authname = src->options.authname;
4467 
4468  /* inherit auth-token */
4469  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4470 
4471  /* options */
4472  dest->options = src->options;
4473  options_detach(&dest->options);
4474 
4475  if (dest->mode == CM_CHILD_TCP)
4476  {
4477  /*
4478  * The CM_TOP context does the socket listen(),
4479  * and the CM_CHILD_TCP context does the accept().
4480  */
4481  dest->c2.accept_from = src->c2.link_socket;
4482  }
4483 
4484 #ifdef ENABLE_PLUGIN
4485  /* inherit plugins */
4486  do_inherit_plugins(dest, src);
4487 #endif
4488 
4489  /* context init */
4490  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4491  if (IS_SIG(dest))
4492  {
4493  return;
4494  }
4495 
4496  /* inherit tun/tap interface object */
4497  dest->c1.tuntap = src->c1.tuntap;
4498 
4499  /* UDP inherits some extra things which TCP does not */
4500  if (dest->mode == CM_CHILD_UDP)
4501  {
4502  /* inherit buffers */
4503  dest->c2.buffers = src->c2.buffers;
4504 
4505  /* inherit parent link_socket and tuntap */
4506  dest->c2.link_socket = src->c2.link_socket;
4507 
4508  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4509  *dest->c2.link_socket_info = src->c2.link_socket->info;
4510 
4511  /* locally override some link_socket_info fields */
4512  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4513  dest->c2.link_socket_info->connection_established = false;
4514  }
4515 }
4516 
4517 void
4518 inherit_context_top(struct context *dest,
4519  const struct context *src)
4520 {
4521  /* copy parent */
4522  *dest = *src;
4523 
4524  /*
4525  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4526  * resources owned by the parent.
4527  *
4528  * Also note that CM_TOP_CLONE context objects are
4529  * closed by multi_top_free in multi.c.
4530  */
4531  dest->mode = CM_TOP_CLONE;
4532 
4533  dest->first_time = false;
4534  dest->c0 = NULL;
4535 
4536  options_detach(&dest->options);
4537  gc_detach(&dest->gc);
4538  gc_detach(&dest->c2.gc);
4539 
4540  /* detach plugins */
4541  dest->plugins_owned = false;
4542 
4543  dest->c2.tls_multi = NULL;
4544 
4545  /* detach c1 ownership */
4546  dest->c1.tuntap_owned = false;
4547  dest->c1.status_output_owned = false;
4548  dest->c1.ifconfig_pool_persist_owned = false;
4549 
4550  /* detach c2 ownership */
4551  dest->c2.event_set_owned = false;
4552  dest->c2.link_socket_owned = false;
4553  dest->c2.buffers_owned = false;
4554  dest->c2.es_owned = false;
4555 
4556  dest->c2.event_set = NULL;
4557  if (proto_is_dgram(src->options.ce.proto))
4558  {
4559  do_event_set_init(dest, false);
4560  }
4561 
4562 #ifdef USE_COMP
4563  dest->c2.comp_context = NULL;
4564 #endif
4565 }
4566 
4567 void
4568 close_context(struct context *c, int sig, unsigned int flags)
4569 {
4570  ASSERT(c);
4571  ASSERT(c->sig);
4572 
4573  if (sig >= 0)
4574  {
4575  c->sig->signal_received = sig;
4576  }
4577 
4578  if (c->sig->signal_received == SIGUSR1)
4579  {
4580  if ((flags & CC_USR1_TO_HUP)
4581  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4582  {
4583  c->sig->signal_received = SIGHUP;
4584  c->sig->signal_text = "close_context usr1 to hup";
4585  }
4586  }
4587 
4588  if (!(flags & CC_NO_CLOSE))
4589  {
4590  close_instance(c);
4591  }
4592 
4593  if (flags & CC_GC_FREE)
4594  {
4595  context_gc_free(c);
4596  }
4597 }
4598 
4599 /* Write our PID to a file */
4600 void
4601 write_pid_file(const char *filename, const char *chroot_dir)
4602 {
4603  if (filename)
4604  {
4605  unsigned int pid = 0;
4606  FILE *fp = platform_fopen(filename, "w");
4607  if (!fp)
4608  {
4609  msg(M_ERR, "Open error on pid file %s", filename);
4610  return;
4611  }
4612 
4613  pid = platform_getpid();
4614  fprintf(fp, "%u\n", pid);
4615  if (fclose(fp))
4616  {
4617  msg(M_ERR, "Close error on pid file %s", filename);
4618  }
4619 
4620  /* remember file name so it can be deleted "out of context" later */
4621  /* (the chroot case is more complex and not handled today) */
4622  if (!chroot_dir)
4623  {
4624  saved_pid_file_name = strdup(filename);
4625  }
4626  }
4627 }
4628 
4629 /* remove PID file on exit, called from openvpn_exit() */
4630 void
4631 remove_pid_file(void)
4632 {
4633  if (saved_pid_file_name)
4634  {
4635  platform_unlink(saved_pid_file_name);
4636  }
4637 }
4638 
4639 
4640 /*
4641  * Do a loopback test
4642  * on the crypto subsystem.
4643  */
4644 static void *
4645 test_crypto_thread(void *arg)
4646 {
4647  struct context *c = (struct context *) arg;
4648  const struct options *options = &c->options;
4649 
4650  ASSERT(options->test_crypto);
4651  init_verb_mute(c, IVM_LEVEL_1);
4652  context_init_1(c);
4653  next_connection_entry(c);
4654  do_init_crypto_static(c, 0);
4655 
4656  frame_finalize_options(c, options);
4657 
4658  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4659 
4660  key_schedule_free(&c->c1.ks, true);
4661  packet_id_free(&c->c2.crypto_options.packet_id);
4662 
4663  context_gc_free(c);
4664  return NULL;
4665 }
4666 
4667 bool
4668 do_test_crypto(const struct options *o)
4669 {
4670  if (o->test_crypto)
4671  {
4672  struct context c;
4673 
4674  /* print version number */
4675  msg(M_INFO, "%s", title_string);
4676 
4677  context_clear(&c);
4678  c.options = *o;
4679  options_detach(&c.options);
4680  c.first_time = true;
4681  test_crypto_thread((void *) &c);
4682  return true;
4683  }
4684  return false;
4685 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:321
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:350
context_2::es
struct env_set * es
Definition: openvpn.h:408
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:194
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:182
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2593
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:353
management_close
void management_close(struct management *man)
Definition: manage.c:2638
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:445
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:288
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:310
options::sndbuf
int sndbuf
Definition: options.h:366
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:386
context_2::log_rw
bool log_rw
Definition: openvpn.h:370
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:114
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:256
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:366
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:373
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:118
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:610
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:703
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1515
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
tuntap
Definition: tun.h:155
options::management_flags
unsigned int management_flags
Definition: options.h:409
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1981
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2621
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:568
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:111
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:330
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:106
options::block_outside_dns
bool block_outside_dns
Definition: options.h:640
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:104
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:285
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1314
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:355
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
platform_nice
void platform_nice(int niceval)
Definition: platform.c:160
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:960
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:374
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:525
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
options::show_curves
bool show_curves
Definition: options.h:244
ssl_clean_user_pass
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:637
options::cipher_list
const char * cipher_list
Definition: options.h:550
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
options::tls_server
bool tls_server
Definition: options.h:535
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1840
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1460
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:334
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1002
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3851
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:616
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2133
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:627
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:377
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:373
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:553
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:400
M_OPTERR
#define M_OPTERR
Definition: error.h:109
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:356
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:334
streq
#define streq(x, y)
Definition: options.h:667
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:444
options::chroot_dir
const char * chroot_dir
Definition: options.h:326
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:727
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3858
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3656
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2744
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:431
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:269
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:167
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:306
tls_options::mode
int mode
Definition: ssl_common.h:305
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2142
options::auth_token_generate
bool auth_token_generate
Definition: options.h:487
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4526
tun_abort
void tun_abort(void)
Definition: init.c:2114
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:461
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:532
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3739
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2680
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:730
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:352
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:484
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:115
management::persist
struct man_persist persist
Definition: manage.h:314
srandom
#define srandom
Definition: syshead.h:45
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:619
auth_token.h
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:365
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:285
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:696
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4568
script_security
int script_security(void)
Definition: run_command.c:45
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:186
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:364
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:513
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:588
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:193
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:80
options::peer_id
uint32_t peer_id
Definition: options.h:645
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3932
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:322
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:156
close_instance
void close_instance(struct context *c)
Definition: init.c:4372
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:96
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:590
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:378
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1339
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:675
options::persist_key
bool persist_key
Definition: options.h:311
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
options::replay_window
int replay_window
Definition: options.h:526
options::persist_mode
int persist_mode
Definition: options.h:237
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:456
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:367
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3785
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:357
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:328
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:109
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:283
CAS_CONNECT_DONE
Definition: ssl_common.h:549
options::rcvbuf
int rcvbuf
Definition: options.h:365
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:353
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:109
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:470
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:319
options::connection_list
struct connection_list * connection_list
Definition: options.h:253
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:191
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:268
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:191
options::exit_event_name
const char * exit_event_name
Definition: options.h:636
AR_NONE
#define AR_NONE
Definition: options.h:841
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:242
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
options::route_noexec
bool route_noexec
Definition: options.h:381
options::sockflags
unsigned int sockflags
Definition: options.h:373
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2549
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:174
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:150
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3515
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:248
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:381
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:342
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:13
options::route_script
const char * route_script
Definition: options.h:376
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:402
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:491
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:105
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:161
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
in_addr_t
#define in_addr_t
Definition: config-msvc.h:103
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3130
options::config
const char * config
Definition: options.h:219
dmsg
#define dmsg(flags,...)
Definition: error.h:157
options::route_delay
int route_delay
Definition: options.h:382
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4631
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:333
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:377
tls_options::gremlin
int gremlin
Definition: ssl_common.h:415
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3810
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:418
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:249
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:249
options::down_pre
bool down_pre
Definition: options.h:335
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:294
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:697
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:18
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:189
SIGTERM
#define SIGTERM
Definition: config-msvc.h:117
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:369
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1444
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:524
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:586
options::push_peer_info
bool push_peer_info
Definition: options.h:625
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:677
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
SIGHUP
#define SIGHUP
Definition: config-msvc.h:113
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:591
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3742
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:151
PING_RESTART
#define PING_RESTART
Definition: options.h:305
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3080
options::handshake_window
int handshake_window
Definition: options.h:595
ASSERT
#define ASSERT(x)
Definition: error.h:204
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3847
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:128
tls_options
Definition: ssl_common.h:282
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:330
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:225
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:234
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:346
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
connection_list::current
int current
Definition: options.h:172
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:265
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:131
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:355
options::verify_x509_type
int verify_x509_type
Definition: options.h:556
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:259
close_management
void close_management(void)
Definition: init.c:4016
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:350
adjust_mtu_peerid
static void adjust_mtu_peerid(struct context *c)
Definition: init.c:2255
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:489
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:352
options::prng_hash
const char * prng_hash
Definition: options.h:521
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:300
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:279
options::fast_io
bool fast_io
Definition: options.h:358
options::key_direction
int key_direction
Definition: options.h:515
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:321
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:194
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:168
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:122
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:70
init_static
bool init_static(void)
Definition: init.c:755
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:255
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:223
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:643
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:284
options::route_delay_defined
bool route_delay_defined
Definition: options.h:384
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:473
options::tls_exit
bool tls_exit
Definition: options.h:627
MF_SERVER
#define MF_SERVER
Definition: manage.h:326
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1035
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:264
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
connection_entry::key_direction
int key_direction
Definition: options.h:147
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:705
options::route_nopull
bool route_nopull
Definition: options.h:388
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3622
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1240
frame_add_to_extra_tun
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:558
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:378
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:519
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4044
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:340
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
options::remote_random
bool remote_random
Definition: options.h:267
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:235