OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
74 {
75  CLEAR(*c);
76 }
77 
78 void
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
194 {
195  /*
196  * In pull mode, we usually import --ping/--ping-restart parameters from
197  * the server. However we should also set an initial default --ping-restart
198  * for the period of time before we pull the --ping-restart parameter
199  * from the server.
200  */
201  if (options->pull
202  && options->ping_rec_timeout_action == PING_UNDEF
203  && proto_is_dgram(options->ce.proto))
204  {
207  }
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
275  }
276  ce->flags |= CE_MAN_QUERY_PROXY;
277  while (ce->flags & CE_MAN_QUERY_PROXY)
278  {
280  if (IS_SIG(c))
281  {
282  ret = false;
283  break;
284  }
285  }
287  gc_free(&gc);
288  }
289 
290  return ret;
291 }
292 
307 static bool
309  const char *command,
310  const char *parameters)
311 {
312  struct context *c = (struct context *) arg;
313  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
314  if (len > PUSH_BUNDLE_SIZE)
315  {
316  return false;
317  }
318 
319  struct gc_arena gc = gc_new();
320  struct buffer buf = alloc_buf_gc(len, &gc);
321  ASSERT(buf_printf(&buf, "%s", command));
322  if (parameters)
323  {
324  ASSERT(buf_printf(&buf, ",%s", parameters));
325  }
326  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
327 
328  gc_free(&gc);
329  return status;
330 }
331 
332 static bool
333 management_callback_remote_cmd(void *arg, const char **p)
334 {
335  struct context *c = (struct context *) arg;
336  struct connection_entry *ce = &c->options.ce;
337  int ret = false;
339  {
340  int flags = 0;
341  if (!strcmp(p[1], "ACCEPT"))
342  {
344  ret = true;
345  }
346  else if (!strcmp(p[1], "SKIP"))
347  {
348  flags = CE_MAN_QUERY_REMOTE_SKIP;
349  ret = true;
350  }
351  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
352  {
353  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
354  {
355  struct remote_host_store *rhs = c->options.rh_store;
356  if (!rhs)
357  {
359  c->options.rh_store = rhs;
360  }
361  strncpynt(rhs->host, p[2], RH_HOST_LEN);
362  strncpynt(rhs->port, p[3], RH_PORT_LEN);
363 
364  ce->remote = rhs->host;
365  ce->remote_port = rhs->port;
366  flags = CE_MAN_QUERY_REMOTE_MOD;
367  ret = true;
368  }
369  }
370  if (ret)
371  {
372  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
374  }
375  }
376  return ret;
377 }
378 
379 static bool
381 {
382  struct gc_arena gc = gc_new();
383  volatile struct connection_entry *ce = &c->options.ce;
384  int ce_changed = true; /* presume the connection entry will be changed */
385 
386  update_time();
387  if (management)
388  {
389  struct buffer out = alloc_buf_gc(256, &gc);
390 
391  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
392  proto2ascii(ce->proto, ce->af, false));
395 
398  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
400  {
402  if (IS_SIG(c))
403  {
404  ce_changed = false; /* connection entry have not been set */
405  break;
406  }
407  }
409  }
410  gc_free(&gc);
411 
412  if (ce_changed)
413  {
414  /* If it is likely a connection entry was modified,
415  * check what changed in the flags and that it was not skipped
416  */
417  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
419  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
420  }
421  return ce_changed;
422 }
423 #endif /* ENABLE_MANAGEMENT */
424 
425 /*
426  * Initialize and possibly randomize connection list.
427  */
428 static void
430 {
431  struct connection_list *l = c->options.connection_list;
432 
433  l->current = -1;
434  if (c->options.remote_random)
435  {
436  int i;
437  for (i = 0; i < l->len; ++i)
438  {
439  const int j = get_random() % l->len;
440  if (i != j)
441  {
442  struct connection_entry *tmp;
443  tmp = l->array[i];
444  l->array[i] = l->array[j];
445  l->array[j] = tmp;
446  }
447  }
448  }
449 }
450 
451 /*
452  * Clear the remote address list
453  */
454 static void
456 {
457  if (lsa->remote_list && free)
458  {
459  freeaddrinfo(lsa->remote_list);
460  }
461  lsa->remote_list = NULL;
462  lsa->current_remote = NULL;
463 }
464 
465 /*
466  * Increment to next connection entry
467  */
468 static void
470 {
471  struct connection_list *l = c->options.connection_list;
472  bool ce_defined;
473  struct connection_entry *ce;
474  int n_cycles = 0;
475 
476  do
477  {
478  ce_defined = true;
479  if (c->options.no_advance && l->current >= 0)
480  {
481  c->options.no_advance = false;
482  }
483  else
484  {
485  /* Check if there is another resolved address to try for
486  * the current connection */
488  && c->c1.link_socket_addr.current_remote->ai_next)
489  {
491  c->c1.link_socket_addr.current_remote->ai_next;
492  }
493  else
494  {
495  /* FIXME (schwabe) fix the persist-remote-ip option for real,
496  * this is broken probably ever since connection lists and multiple
497  * remote existed
498  */
499  if (!c->options.persist_remote_ip)
500  {
501  /* Connection entry addrinfo objects might have been
502  * resolved earlier but the entry itself might have been
503  * skipped by management on the previous loop.
504  * If so, clear the addrinfo objects as close_instance does
505  */
507  {
510  }
511 
512  /* close_instance should have cleared the addrinfo objects */
515  }
516  else
517  {
520  }
521 
522  /*
523  * Increase the number of connection attempts
524  * If this is connect-retry-max * size(l)
525  * OpenVPN will quit
526  */
527 
529 
530  if (++l->current >= l->len)
531  {
532 
533  l->current = 0;
534  if (++n_cycles >= 2)
535  {
536  msg(M_FATAL, "No usable connection profiles are present");
537  }
538  }
539  }
540  }
541 
542  ce = l->array[l->current];
543 
544  if (ce->flags & CE_DISABLED)
545  {
546  ce_defined = false;
547  }
548 
549  c->options.ce = *ce;
550 #ifdef ENABLE_MANAGEMENT
552  {
553  /* allow management interface to override connection entry details */
554  ce_defined = ce_management_query_remote(c);
555  if (IS_SIG(c))
556  {
557  break;
558  }
559  }
560  else if (ce_defined && management && management_query_proxy_enabled(management))
561  {
562  ce_defined = ce_management_query_proxy(c);
563  if (IS_SIG(c))
564  {
565  break;
566  }
567  }
568 #endif
569  } while (!ce_defined);
570 
571  /* Check if this connection attempt would bring us over the limit */
572  if (c->options.connect_retry_max > 0
574  {
575  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
577  }
579 }
580 
581 /*
582  * Query for private key and auth-user-pass username/passwords
583  */
584 void
586 {
587  /* Certificate password input */
588  if (c->options.key_pass_file)
589  {
591  }
592 
593  /* Auth user/pass input */
595  {
596 #ifdef ENABLE_MANAGEMENT
598 #else
600 #endif
601  }
602 }
603 
604 /*
605  * Initialize/Uninitialize HTTP or SOCKS proxy
606  */
607 
608 static void
610 {
611  if (c->c1.http_proxy_owned && c->c1.http_proxy)
612  {
614  c->c1.http_proxy = NULL;
615  c->c1.http_proxy_owned = false;
616  }
617  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
618  {
620  c->c1.socks_proxy = NULL;
621  c->c1.socks_proxy_owned = false;
622  }
623 }
624 
625 static void
627 {
628  bool did_http = false;
629 
631 
633  {
634  /* Possible HTTP proxy user/pass input */
636  if (c->c1.http_proxy)
637  {
638  did_http = true;
639  c->c1.http_proxy_owned = true;
640  }
641  }
642 
643  if (!did_http && c->options.ce.socks_proxy_server)
644  {
648  if (c->c1.socks_proxy)
649  {
650  c->c1.socks_proxy_owned = true;
651  }
652  }
653 }
654 
655 static void
656 init_proxy(struct context *c)
657 {
659 }
660 
661 static void
663 {
665 }
666 
667 void
669 {
670  context_clear_1(c);
671 
673 
675 
676 #if defined(ENABLE_PKCS11)
677  if (c->first_time)
678  {
679  int i;
680  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
681  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
682  {
683  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
684  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
685  }
686  }
687 #endif
688 
689 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
690  {
691  /*
692  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
693  */
694  struct user_pass up;
695  CLEAR(up);
696  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
697  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
698  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
699  * 'needok' command, usually 'ok' or 'cancel'. */
700  }
701 #endif
702 
703 #ifdef ENABLE_SYSTEMD
704  /* We can report the PID via getpid() to systemd here as OpenVPN will not
705  * do any fork due to daemon() a future call.
706  * See possibly_become_daemon() [init.c] for more details.
707  */
708  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
709  (unsigned long) getpid());
710 #endif
711 
712 }
713 
714 void
716 {
717  gc_free(&c->c2.gc);
718  gc_free(&c->options.gc);
719  gc_free(&c->gc);
720 }
721 
722 #if PORT_SHARE
723 
724 static void
725 close_port_share(void)
726 {
727  if (port_share)
728  {
729  port_share_close(port_share);
730  port_share = NULL;
731  }
732 }
733 
734 static void
735 init_port_share(struct context *c)
736 {
737  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
738  {
739  port_share = port_share_open(c->options.port_share_host,
740  c->options.port_share_port,
742  c->options.port_share_journal_dir);
743  if (port_share == NULL)
744  {
745  msg(M_FATAL, "Fatal error: Port sharing failed");
746  }
747  }
748 }
749 
750 #endif /* if PORT_SHARE */
751 
752 
753 bool
755 {
756  /* configure_path (); */
757 
758 #if defined(DMALLOC)
759  crypto_init_dmalloc();
760 #endif
761 
762 
763  /*
764  * Initialize random number seed. random() is only used
765  * when "weak" random numbers are acceptable.
766  * SSL library routines are always used when cryptographically
767  * strong random numbers are required.
768  */
769  struct timeval tv;
770  if (!gettimeofday(&tv, NULL))
771  {
772  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
773  srandom(seed);
774  }
775 
776  error_reset(); /* initialize error.c */
777  reset_check_status(); /* initialize status check code in socket.c */
778 
779 #ifdef _WIN32
780  init_win32();
781 #endif
782 
783 #ifdef OPENVPN_DEBUG_COMMAND_LINE
784  {
785  int i;
786  for (i = 0; i < argc; ++i)
787  {
788  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
789  }
790  }
791 #endif
792 
793  update_time();
794 
795  init_ssl_lib();
796 
797  /* init PRNG used for IV generation */
798  /* When forking, copy this to more places in the code to avoid fork
799  * random-state predictability */
800  prng_init(NULL, 0);
801 
802 #ifdef PID_TEST
803  packet_id_interactive_test(); /* test the sequence number code */
804  return false;
805 #endif
806 
807 #ifdef SCHEDULE_TEST
808  schedule_test();
809  return false;
810 #endif
811 
812 #ifdef LIST_TEST
813  list_test();
814  return false;
815 #endif
816 
817 #ifdef IFCONFIG_POOL_TEST
818  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
819  return false;
820 #endif
821 
822 #ifdef CHARACTER_CLASS_DEBUG
823  character_class_debug();
824  return false;
825 #endif
826 
827 #ifdef EXTRACT_X509_FIELD_TEST
829  return false;
830 #endif
831 
832 #ifdef TIME_TEST
833  time_test();
834  return false;
835 #endif
836 
837 #ifdef TEST_GET_DEFAULT_GATEWAY
838  {
839  struct route_gateway_info rgi;
840  struct route_ipv6_gateway_info rgi6;
841  get_default_gateway(&rgi);
842  get_default_gateway_ipv6(&rgi6, NULL);
843  print_default_gateway(M_INFO, &rgi, &rgi6);
844  return false;
845  }
846 #endif
847 
848 #ifdef GEN_PATH_TEST
849  {
850  struct gc_arena gc = gc_new();
851  const char *fn = gen_path("foo",
852  "bar",
853  &gc);
854  printf("%s\n", fn);
855  gc_free(&gc);
856  }
857  return false;
858 #endif
859 
860 #ifdef STATUS_PRINTF_TEST
861  {
862  struct gc_arena gc = gc_new();
863  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
864  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
865  status_printf(so, "%s", "foo");
866  status_printf(so, "%s", "bar");
867  if (!status_close(so))
868  {
869  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
870  }
871  gc_free(&gc);
872  }
873  return false;
874 #endif
875 
876 #ifdef PRNG_TEST
877  {
878  struct gc_arena gc = gc_new();
879  uint8_t rndbuf[8];
880  int i;
881  prng_init("sha1", 16);
882  /*prng_init (NULL, 0);*/
883  const int factor = 1;
884  for (i = 0; i < factor * 8; ++i)
885  {
886 #if 1
887  prng_bytes(rndbuf, sizeof(rndbuf));
888 #else
889  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
890 #endif
891  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
892  }
893  gc_free(&gc);
894  prng_uninit();
895  return false;
896  }
897 #endif /* ifdef PRNG_TEST */
898 
899 #ifdef BUFFER_LIST_AGGREGATE_TEST
900  /* test buffer_list_aggregate function */
901  {
902  static const char *text[] = {
903  "It was a bright cold day in April, ",
904  "and the clocks were striking ",
905  "thirteen. ",
906  "Winston Smith, ",
907  "his chin nuzzled into his breast in an ",
908  "effort to escape the vile wind, ",
909  "slipped quickly through the glass doors ",
910  "of Victory Mansions, though not quickly ",
911  "enough to prevent a swirl of gritty dust from ",
912  "entering along with him."
913  };
914 
915  int iter, listcap;
916  for (listcap = 0; listcap < 12; ++listcap)
917  {
918  for (iter = 0; iter < 512; ++iter)
919  {
920  struct buffer_list *bl = buffer_list_new(listcap);
921  {
922  int i;
923  for (i = 0; i < SIZE(text); ++i)
924  {
925  buffer_list_push(bl, (unsigned char *)text[i]);
926  }
927  }
928  printf("[cap=%d i=%d] *************************\n", listcap, iter);
929  if (!(iter & 8))
930  {
931  buffer_list_aggregate(bl, iter/2);
932  }
933  if (!(iter & 16))
934  {
935  buffer_list_push(bl, (unsigned char *)"Even more text...");
936  }
937  buffer_list_aggregate(bl, iter);
938  if (!(iter & 1))
939  {
940  buffer_list_push(bl, (unsigned char *)"More text...");
941  }
942  {
943  struct buffer *buf;
944  while ((buf = buffer_list_peek(bl)))
945  {
946  int c;
947  printf("'");
948  while ((c = buf_read_u8(buf)) >= 0)
949  {
950  putchar(c);
951  }
952  printf("'\n");
953  buffer_list_advance(bl, 0);
954  }
955  }
956  buffer_list_free(bl);
957  }
958  }
959  return false;
960  }
961 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
962 
963 #ifdef MSTATS_TEST
964  {
965  int i;
966  mstats_open("/dev/shm/mstats.dat");
967  for (i = 0; i < 30; ++i)
968  {
969  mmap_stats->n_clients += 1;
970  mmap_stats->link_write_bytes += 8;
971  mmap_stats->link_read_bytes += 16;
972  sleep(1);
973  }
974  mstats_close();
975  return false;
976  }
977 #endif
978 
979  return true;
980 }
981 
982 void
984 {
985  free_ssl_lib();
986 
987 #ifdef ENABLE_PKCS11
988  pkcs11_terminate();
989 #endif
990 
991 #if PORT_SHARE
992  close_port_share();
993 #endif
994 
995 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
996  show_tls_performance_stats();
997 #endif
998 }
999 
1000 void
1001 init_verb_mute(struct context *c, unsigned int flags)
1002 {
1003  if (flags & IVM_LEVEL_1)
1004  {
1005  /* set verbosity and mute levels */
1009  }
1010 
1011  /* special D_LOG_RW mode */
1012  if (flags & IVM_LEVEL_2)
1013  {
1015  }
1016 }
1017 
1018 /*
1019  * Possibly set --dev based on --dev-node.
1020  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1021  * set --dev to tun.
1022  */
1023 void
1025 {
1026  if (!options->dev && options->dev_node)
1027  {
1028  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1029  options->dev = basename(dev_node);
1030  }
1031 }
1032 
1033 bool
1035 {
1036  /*
1037  * OpenSSL info print mode?
1038  */
1039  if (options->show_ciphers || options->show_digests || options->show_engines
1040  || options->show_tls_ciphers || options->show_curves)
1041  {
1042  if (options->show_ciphers)
1043  {
1045  }
1046  if (options->show_digests)
1047  {
1049  }
1050  if (options->show_engines)
1051  {
1053  }
1054  if (options->show_tls_ciphers)
1055  {
1057  options->cipher_list_tls13,
1058  options->tls_cert_profile);
1059  }
1060  if (options->show_curves)
1061  {
1063  }
1064  return true;
1065  }
1066  return false;
1067 }
1068 
1069 /*
1070  * Static pre-shared key generation mode?
1071  */
1072 bool
1073 do_genkey(const struct options *options)
1074 {
1075  /* should we disable paging? */
1076  if (options->mlock && (options->genkey))
1077  {
1078  platform_mlockall(true);
1079  }
1080 
1081  /*
1082  * We do not want user to use --genkey with --secret. In the transistion
1083  * phase we for secret.
1084  */
1085  if (options->genkey && options->genkey_type != GENKEY_SECRET
1086  && options->shared_secret_file)
1087  {
1088  msg(M_USAGE, "Using --genkey type with --secret filename is "
1089  "not supported. Use --genkey type filename instead.");
1090  }
1091  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1092  {
1093  int nbits_written;
1094  const char *genkey_filename = options->genkey_filename;
1095  if (options->shared_secret_file && options->genkey_filename)
1096  {
1097  msg(M_USAGE, "You must provide a filename to either --genkey "
1098  "or --secret, not both");
1099  }
1100 
1101  /*
1102  * Copy filename from shared_secret_file to genkey_filename to support
1103  * the old --genkey --secret foo.file syntax.
1104  */
1105  if (options->shared_secret_file)
1106  {
1107  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1108  "DEPRECATED. Use --genkey secret filename instead.");
1109  genkey_filename = options->shared_secret_file;
1110  }
1111 
1112  nbits_written = write_key_file(2, genkey_filename);
1113  if (nbits_written < 0)
1114  {
1115  msg(M_FATAL, "Failed to write key file");
1116  }
1117 
1119  "Randomly generated %d bit key written to %s", nbits_written,
1120  options->shared_secret_file);
1121  return true;
1122  }
1123  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1124  {
1126  return true;
1127  }
1128  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1129  {
1130  if (!options->tls_crypt_v2_file)
1131  {
1132  msg(M_USAGE,
1133  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1134  }
1135 
1137  options->genkey_extra_data, options->tls_crypt_v2_file,
1138  options->tls_crypt_v2_file_inline);
1139  return true;
1140  }
1141  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1142  {
1144  return true;
1145  }
1146  else
1147  {
1148  return false;
1149  }
1150 }
1151 
1152 /*
1153  * Persistent TUN/TAP device management mode?
1154  */
1155 bool
1157 {
1158  if (options->persist_config)
1159  {
1160  /* sanity check on options for --mktun or --rmtun */
1161  notnull(options->dev, "TUN/TAP device (--dev)");
1162  if (options->ce.remote || options->ifconfig_local
1163  || options->ifconfig_remote_netmask
1164  || options->shared_secret_file
1165  || options->tls_server || options->tls_client
1166  )
1167  {
1169  "options --mktun or --rmtun should only be used together with --dev");
1170  }
1171 #ifdef ENABLE_FEATURE_TUN_PERSIST
1172  tuncfg(options->dev, options->dev_type, options->dev_node,
1173  options->persist_mode,
1174  options->username, options->groupname, &options->tuntap_options,
1175  ctx);
1176  if (options->persist_mode && options->lladdr)
1177  {
1178  set_lladdr(options->dev, options->lladdr, NULL);
1179  }
1180  return true;
1181 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1182  msg( M_FATAL|M_OPTERR,
1183  "options --mktun and --rmtun are not available on your operating "
1184  "system. Please check 'man tun' (or 'tap'), whether your system "
1185  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1186  "persistent tunnel interfaces.", options->dev );
1187 #endif
1188  }
1189  return false;
1190 }
1191 
1192 /*
1193  * Should we become a daemon?
1194  * Return true if we did it.
1195  */
1196 bool
1198 {
1199  bool ret = false;
1200 
1201 #ifdef ENABLE_SYSTEMD
1202  /* return without forking if we are running from systemd */
1203  if (sd_notify(0, "READY=0") > 0)
1204  {
1205  return ret;
1206  }
1207 #endif
1208 
1209  if (options->daemon)
1210  {
1211  /* Don't chdir immediately, but the end of the init sequence, if needed */
1212 
1213 #if defined(__APPLE__) && defined(__clang__)
1214 #pragma clang diagnostic push
1215 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1216 #endif
1217  if (daemon(1, options->log) < 0)
1218  {
1219  msg(M_ERR, "daemon() failed or unsupported");
1220  }
1221 #if defined(__APPLE__) && defined(__clang__)
1222 #pragma clang diagnostic pop
1223 #endif
1225  if (options->log)
1226  {
1227  set_std_files_to_null(true);
1228  }
1229 
1230  ret = true;
1231  }
1232  return ret;
1233 }
1234 
1235 /*
1236  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1237  */
1238 static void
1239 do_uid_gid_chroot(struct context *c, bool no_delay)
1240 {
1241  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1242  struct context_0 *c0 = c->c0;
1243 
1244  if (c0 && !c0->uid_gid_chroot_set)
1245  {
1246  /* chroot if requested */
1247  if (c->options.chroot_dir)
1248  {
1249  if (no_delay)
1250  {
1252  }
1253  else if (c->first_time)
1254  {
1255  msg(M_INFO, "NOTE: chroot %s", why_not);
1256  }
1257  }
1258 
1259  /* set user and/or group if we want to setuid/setgid */
1260  if (c0->uid_gid_specified)
1261  {
1262  if (no_delay)
1263  {
1266  }
1267  else if (c->first_time)
1268  {
1269  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1270  }
1271  }
1272 
1273 #ifdef ENABLE_MEMSTATS
1274  if (c->first_time && c->options.memstats_fn)
1275  {
1276  mstats_open(c->options.memstats_fn);
1277  }
1278 #endif
1279 
1280 #ifdef ENABLE_SELINUX
1281  /* Apply a SELinux context in order to restrict what OpenVPN can do
1282  * to _only_ what it is supposed to do after initialization is complete
1283  * (basically just network I/O operations). Doing it after chroot
1284  * requires /proc to be mounted in the chroot (which is annoying indeed
1285  * but doing it before requires more complex SELinux policies.
1286  */
1287  if (c->options.selinux_context)
1288  {
1289  if (no_delay)
1290  {
1291  if (-1 == setcon(c->options.selinux_context))
1292  {
1293  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1294  }
1295  else
1296  {
1297  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1298  }
1299  }
1300  else if (c->first_time)
1301  {
1302  msg(M_INFO, "NOTE: setcon %s", why_not);
1303  }
1304  }
1305 #endif
1306 
1307  /* Privileges are going to be dropped by now (if requested), be sure
1308  * to prevent any future privilege dropping attempts from now on.
1309  */
1310  if (no_delay)
1311  {
1312  c0->uid_gid_chroot_set = true;
1313  }
1314  }
1315 }
1316 
1317 /*
1318  * Return common name in a way that is formatted for
1319  * prepending to msg() output.
1320  */
1321 const char *
1322 format_common_name(struct context *c, struct gc_arena *gc)
1323 {
1324  struct buffer out = alloc_buf_gc(256, gc);
1325  if (c->c2.tls_multi)
1326  {
1327  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1328  }
1329  return BSTR(&out);
1330 }
1331 
1332 void
1333 pre_setup(const struct options *options)
1334 {
1335 #ifdef _WIN32
1336  if (options->exit_event_name)
1337  {
1340  options->exit_event_name,
1341  options->exit_event_initial_state);
1342  }
1343  else
1344  {
1347  NULL,
1348  false);
1349 
1350  /* put a title on the top window bar */
1352  {
1354  window_title_generate(options->config);
1355  }
1356  }
1357 #endif /* ifdef _WIN32 */
1358 }
1359 
1360 void
1362 {
1363  c->c2.coarse_timer_wakeup = 0;
1364 }
1365 
1366 /*
1367  * Initialise the server poll timeout timer
1368  * This timer is used in the http/socks proxy setup so it needs to be setup
1369  * before
1370  */
1371 static void
1373 {
1374  update_time();
1375  if (c->options.ce.connect_timeout)
1376  {
1378  }
1379 }
1380 
1381 /*
1382  * Initialize timers
1383  */
1384 static void
1385 do_init_timers(struct context *c, bool deferred)
1386 {
1387  update_time();
1389 
1390  /* initialize inactivity timeout */
1391  if (c->options.inactivity_timeout)
1392  {
1394  }
1395 
1396  /* initialize pings */
1397 
1398  if (c->options.ping_send_timeout)
1399  {
1401  }
1402 
1403  if (c->options.ping_rec_timeout)
1404  {
1406  }
1407 
1408  if (!deferred)
1409  {
1410  /* initialize connection establishment timer */
1412 
1413  /* initialize occ timers */
1414 
1415  if (c->options.occ
1416  && !TLS_MODE(c)
1418  {
1420  }
1421 
1422  if (c->options.mtu_test)
1423  {
1425  }
1426 
1427  /* initialize packet_id persistence timer */
1428  if (c->options.packet_id_file)
1429  {
1431  }
1432 
1433  /* initialize tmp_int optimization that limits the number of times we call
1434  * tls_multi_process in the main event loop */
1436  }
1437 }
1438 
1439 /*
1440  * Initialize traffic shaper.
1441  */
1442 static void
1444 {
1445  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1446  if (c->options.shaper)
1447  {
1448  shaper_init(&c->c2.shaper, c->options.shaper);
1449  shaper_msg(&c->c2.shaper);
1450  }
1451 }
1452 
1453 /*
1454  * Allocate route list structures for IPv4 and IPv6
1455  * (we do this for IPv4 even if no --route option has been seen, as other
1456  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1457  */
1458 static void
1460 {
1461  if (!c->c1.route_list)
1462  {
1463  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1464  }
1465  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1466  {
1468  }
1469 }
1470 
1471 
1472 /*
1473  * Initialize the route list, resolving any DNS names in route
1474  * options and saving routes in the environment.
1475  */
1476 static void
1478  struct route_list *route_list,
1479  const struct link_socket_info *link_socket_info,
1480  struct env_set *es,
1481  openvpn_net_ctx_t *ctx)
1482 {
1483  const char *gw = NULL;
1484  int dev = dev_type_enum(options->dev, options->dev_type);
1485  int metric = 0;
1486 
1487  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1488  {
1489  gw = options->ifconfig_remote_netmask;
1490  }
1491  if (options->route_default_gateway)
1492  {
1493  gw = options->route_default_gateway;
1494  }
1495  if (options->route_default_metric)
1496  {
1497  metric = options->route_default_metric;
1498  }
1499 
1500  if (init_route_list(route_list,
1501  options->routes,
1502  gw,
1503  metric,
1504  link_socket_current_remote(link_socket_info),
1505  es,
1506  ctx))
1507  {
1508  /* copy routes to environment */
1509  setenv_routes(es, route_list);
1510  }
1511 }
1512 
1513 static void
1516  const struct link_socket_info *link_socket_info,
1517  struct env_set *es,
1518  openvpn_net_ctx_t *ctx)
1519 {
1520  const char *gw = NULL;
1521  int metric = -1; /* no metric set */
1522 
1523  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1524  if (options->route_ipv6_default_gateway)
1525  {
1526  gw = options->route_ipv6_default_gateway;
1527  }
1528 
1529  if (options->route_default_metric)
1530  {
1531  metric = options->route_default_metric;
1532  }
1533 
1534  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1535  */
1536  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1537  {
1538  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1539  int i;
1540 
1541  for (i = 0; opt_list[i]; i++)
1542  {
1544  string_alloc(opt_list[i], options->routes_ipv6->gc),
1545  NULL, NULL );
1546  }
1547  }
1548 
1549  if (init_route_ipv6_list(route_ipv6_list,
1550  options->routes_ipv6,
1551  gw,
1552  metric,
1553  link_socket_current_remote_ipv6(link_socket_info),
1554  es,
1555  ctx))
1556  {
1557  /* copy routes to environment */
1558  setenv_routes_ipv6(es, route_ipv6_list);
1559  }
1560 }
1561 
1562 
1563 /*
1564  * Called after all initialization has been completed.
1565  */
1566 void
1567 initialization_sequence_completed(struct context *c, const unsigned int flags)
1568 {
1569  static const char message[] = "Initialization Sequence Completed";
1570 
1571  /* Reset the unsuccessful connection counter on complete initialisation */
1573 
1574  /* If we delayed UID/GID downgrade or chroot, do it now */
1575  do_uid_gid_chroot(c, true);
1576 
1577 
1578  /*
1579  * In some cases (i.e. when receiving auth-token via
1580  * push-reply) the auth-nocache option configured on the
1581  * client is overridden; for this reason we have to wait
1582  * for the push-reply message before attempting to wipe
1583  * the user/pass entered by the user
1584  */
1585  if (c->options.mode == MODE_POINT_TO_POINT)
1586  {
1588  }
1589 
1590  /* Test if errors */
1591  if (flags & ISC_ERRORS)
1592  {
1593 #ifdef _WIN32
1596  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1597 #else
1598 #ifdef ENABLE_SYSTEMD
1599  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1600 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1601  msg(M_INFO, "%s With Errors", message);
1602 #endif
1603  }
1604  else
1605  {
1606 #ifdef ENABLE_SYSTEMD
1607  sd_notifyf(0, "STATUS=%s", message);
1608 #endif
1609  msg(M_INFO, "%s", message);
1610  }
1611 
1612  /* Flag that we initialized */
1613  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1614  {
1615  c->options.no_advance = true;
1616  }
1617 
1618 #ifdef _WIN32
1620 #endif
1621 
1622 #ifdef ENABLE_MANAGEMENT
1623  /* Tell management interface that we initialized */
1624  if (management)
1625  {
1626  in_addr_t *tun_local = NULL;
1627  struct in6_addr *tun_local6 = NULL;
1628  struct openvpn_sockaddr local, remote;
1629  struct link_socket_actual *actual;
1630  socklen_t sa_len = sizeof(local);
1631  const char *detail = "SUCCESS";
1632  if (flags & ISC_ERRORS)
1633  {
1634  detail = "ERROR";
1635  }
1636 
1637  CLEAR(local);
1638  actual = &get_link_socket_info(c)->lsa->actual;
1639  remote = actual->dest;
1640  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1641 #if ENABLE_IP_PKTINFO
1642  if (!addr_defined(&local))
1643  {
1644  switch (local.addr.sa.sa_family)
1645  {
1646  case AF_INET:
1647 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1648  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1649 #else
1650  local.addr.in4.sin_addr = actual->pi.in4;
1651 #endif
1652  break;
1653 
1654  case AF_INET6:
1655  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1656  break;
1657  }
1658  }
1659 #endif
1660 
1661  if (c->c1.tuntap)
1662  {
1663  tun_local = &c->c1.tuntap->local;
1664  tun_local6 = &c->c1.tuntap->local_ipv6;
1665  }
1668  detail,
1669  tun_local,
1670  tun_local6,
1671  &local,
1672  &remote);
1673  if (tun_local)
1674  {
1676  }
1677  }
1678 #endif /* ifdef ENABLE_MANAGEMENT */
1679 }
1680 
1681 /*
1682  * Possibly add routes and/or call route-up script
1683  * based on options.
1684  */
1685 void
1686 do_route(const struct options *options,
1687  struct route_list *route_list,
1689  const struct tuntap *tt,
1690  const struct plugin_list *plugins,
1691  struct env_set *es,
1692  openvpn_net_ctx_t *ctx)
1693 {
1694  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1695  {
1696  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1697  es, ctx);
1698  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1699  }
1700 #ifdef ENABLE_MANAGEMENT
1701  if (management)
1702  {
1703  management_up_down(management, "UP", es);
1704  }
1705 #endif
1706 
1708  {
1709  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1710  {
1711  msg(M_WARN, "WARNING: route-up plugin call failed");
1712  }
1713  }
1714 
1715  if (options->route_script)
1716  {
1717  struct argv argv = argv_new();
1718  setenv_str(es, "script_type", "route-up");
1719  argv_parse_cmd(&argv, options->route_script);
1720  openvpn_run_script(&argv, es, 0, "--route-up");
1721  argv_free(&argv);
1722  }
1723 
1724 #ifdef _WIN32
1725  if (options->show_net_up)
1726  {
1729  }
1730  else if (check_debug_level(D_SHOW_NET))
1731  {
1734  }
1735 #endif
1736 }
1737 
1738 /*
1739  * initialize tun/tap device object
1740  */
1741 static void
1743 {
1744  c->c1.tuntap = init_tun(c->options.dev,
1745  c->options.dev_type,
1746  c->options.topology,
1755  c->c2.es,
1756  &c->net_ctx);
1757 
1758 #ifdef _WIN32
1760 #endif
1761 
1762  init_tun_post(c->c1.tuntap,
1763  &c->c2.frame,
1764  &c->options.tuntap_options);
1765 
1766  c->c1.tuntap_owned = true;
1767 }
1768 
1769 /*
1770  * Open tun/tap device, ifconfig, call up script, etc.
1771  */
1772 
1773 static bool
1775 {
1776  struct gc_arena gc = gc_new();
1777  bool ret = false;
1778 
1779 #ifndef TARGET_ANDROID
1780  if (!c->c1.tuntap)
1781  {
1782 #endif
1783 
1784 #ifdef TARGET_ANDROID
1785  /* If we emulate persist-tun on android we still have to open a new tun and
1786  * then close the old */
1787  int oldtunfd = -1;
1788  if (c->c1.tuntap)
1789  {
1790  oldtunfd = c->c1.tuntap->fd;
1791  free(c->c1.tuntap);
1792  c->c1.tuntap = NULL;
1793  c->c1.tuntap_owned = false;
1794  }
1795 #endif
1796 
1797  /* initialize (but do not open) tun/tap object */
1798  do_init_tun(c);
1799 
1800 #ifdef _WIN32
1801  /* store (hide) interactive service handle in tuntap_options */
1803  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1804 #endif
1805 
1806  /* allocate route list structure */
1808 
1809  /* parse and resolve the route option list */
1810  ASSERT(c->c2.link_socket);
1811  if (c->options.routes && c->c1.route_list)
1812  {
1814  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1815  }
1816  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1817  {
1819  &c->c2.link_socket->info, c->c2.es,
1820  &c->net_ctx);
1821  }
1822 
1823  /* do ifconfig */
1824  if (!c->options.ifconfig_noexec
1826  {
1827  /* guess actual tun/tap unit number that will be returned
1828  * by open_tun */
1829  const char *guess = guess_tuntap_dev(c->options.dev,
1830  c->options.dev_type,
1831  c->options.dev_node,
1832  &gc);
1833  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1834  &c->net_ctx);
1835  }
1836 
1837  /* possibly add routes */
1838  if (route_order() == ROUTE_BEFORE_TUN)
1839  {
1840  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1842  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1843  }
1844 #ifdef TARGET_ANDROID
1845  /* Store the old fd inside the fd so open_tun can use it */
1846  c->c1.tuntap->fd = oldtunfd;
1847 #endif
1848  /* open the tun device */
1850  c->c1.tuntap);
1851 
1852  /* set the hardware address */
1853  if (c->options.lladdr)
1854  {
1856  }
1857 
1858  /* do ifconfig */
1859  if (!c->options.ifconfig_noexec
1861  {
1863  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1864  }
1865 
1866  /* run the up script */
1868  c->plugins,
1870  c->c1.tuntap->actual_name,
1871 #ifdef _WIN32
1872  c->c1.tuntap->adapter_index,
1873 #endif
1875  TUN_MTU_SIZE(&c->c2.frame),
1876  EXPANDED_SIZE(&c->c2.frame),
1879  "init",
1880  NULL,
1881  "up",
1882  c->c2.es);
1883 
1884 #if defined(_WIN32)
1885  if (c->options.block_outside_dns)
1886  {
1887  dmsg(D_LOW, "Blocking outside DNS");
1889  {
1890  msg(M_FATAL, "Blocking DNS failed!");
1891  }
1892  }
1893 #endif
1894 
1895  /* possibly add routes */
1897  {
1899  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1900  }
1901 
1902  /*
1903  * Did tun/tap driver give us an MTU?
1904  */
1905  if (c->c1.tuntap->post_open_mtu)
1906  {
1908  c->c1.tuntap->post_open_mtu,
1910  }
1911 
1912  ret = true;
1913  static_context = c;
1914 #ifndef TARGET_ANDROID
1915 }
1916 else
1917 {
1918  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1919  c->c1.tuntap->actual_name);
1920 
1921  /* explicitly set the ifconfig_* env vars */
1922  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1923 
1924  /* run the up script if user specified --up-restart */
1925  if (c->options.up_restart)
1926  {
1928  c->plugins,
1930  c->c1.tuntap->actual_name,
1931 #ifdef _WIN32
1932  c->c1.tuntap->adapter_index,
1933 #endif
1935  TUN_MTU_SIZE(&c->c2.frame),
1936  EXPANDED_SIZE(&c->c2.frame),
1939  "restart",
1940  NULL,
1941  "up",
1942  c->c2.es);
1943  }
1944 #if defined(_WIN32)
1945  if (c->options.block_outside_dns)
1946  {
1947  dmsg(D_LOW, "Blocking outside DNS");
1949  {
1950  msg(M_FATAL, "Blocking DNS failed!");
1951  }
1952  }
1953 #endif
1954 
1955 }
1956 #endif /* ifndef TARGET_ANDROID */
1957  gc_free(&gc);
1958  return ret;
1959 }
1960 
1961 /*
1962  * Close TUN/TAP device
1963  */
1964 
1965 static void
1967 {
1968  msg(D_CLOSE, "Closing TUN/TAP interface");
1969  if (c->c1.tuntap)
1970  {
1971  close_tun(c->c1.tuntap, &c->net_ctx);
1972  c->c1.tuntap = NULL;
1973  }
1974  c->c1.tuntap_owned = false;
1976 }
1977 
1978 static void
1979 do_close_tun(struct context *c, bool force)
1980 {
1981  struct gc_arena gc = gc_new();
1982  if (c->c1.tuntap && c->c1.tuntap_owned)
1983  {
1984  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1985 #ifdef _WIN32
1986  DWORD adapter_index = c->c1.tuntap->adapter_index;
1987 #endif
1988  const in_addr_t local = c->c1.tuntap->local;
1989  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1990 
1991  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1992  {
1993  static_context = NULL;
1994 
1995 #ifdef ENABLE_MANAGEMENT
1996  /* tell management layer we are about to close the TUN/TAP device */
1997  if (management)
1998  {
2000  management_up_down(management, "DOWN", c->c2.es);
2001  }
2002 #endif
2003 
2004  /* delete any routes we added */
2005  if (c->c1.route_list || c->c1.route_ipv6_list)
2006  {
2008  c->plugins,
2010  tuntap_actual,
2011 #ifdef _WIN32
2012  adapter_index,
2013 #endif
2014  NULL,
2015  TUN_MTU_SIZE(&c->c2.frame),
2016  EXPANDED_SIZE(&c->c2.frame),
2017  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2018  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2019  "init",
2021  c->sig->signal_text),
2022  "route-pre-down",
2023  c->c2.es);
2024 
2027  c->c2.es, &c->net_ctx);
2028  }
2029 
2030  /* actually close tun/tap device based on --down-pre flag */
2031  if (!c->options.down_pre)
2032  {
2034  }
2035 
2036  /* Run the down script -- note that it will run at reduced
2037  * privilege if, for example, "--user nobody" was used. */
2039  c->plugins,
2041  tuntap_actual,
2042 #ifdef _WIN32
2043  adapter_index,
2044 #endif
2045  NULL,
2046  TUN_MTU_SIZE(&c->c2.frame),
2047  EXPANDED_SIZE(&c->c2.frame),
2048  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2049  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2050  "init",
2052  c->sig->signal_text),
2053  "down",
2054  c->c2.es);
2055 
2056 #if defined(_WIN32)
2057  if (c->options.block_outside_dns)
2058  {
2059  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2060  {
2061  msg(M_FATAL, "Uninitialising WFP failed!");
2062  }
2063  }
2064 #endif
2065 
2066  /* actually close tun/tap device based on --down-pre flag */
2067  if (c->options.down_pre)
2068  {
2070  }
2071  }
2072  else
2073  {
2074  /* run the down script on this restart if --up-restart was specified */
2075  if (c->options.up_restart)
2076  {
2078  c->plugins,
2080  tuntap_actual,
2081 #ifdef _WIN32
2082  adapter_index,
2083 #endif
2084  NULL,
2085  TUN_MTU_SIZE(&c->c2.frame),
2086  EXPANDED_SIZE(&c->c2.frame),
2087  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2088  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2089  "restart",
2091  c->sig->signal_text),
2092  "down",
2093  c->c2.es);
2094  }
2095 
2096 #if defined(_WIN32)
2097  if (c->options.block_outside_dns)
2098  {
2099  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2100  {
2101  msg(M_FATAL, "Uninitialising WFP failed!");
2102  }
2103  }
2104 #endif
2105 
2106  }
2107  }
2108  gc_free(&gc);
2109 }
2110 
2111 void
2113 {
2114  struct context *c = static_context;
2115  if (c)
2116  {
2117  static_context = NULL;
2118  do_close_tun(c, true);
2119  }
2120 }
2121 
2122 /*
2123  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2124  */
2125 
2130 static bool
2132  const struct sha256_digest *b)
2133 {
2134  const struct sha256_digest zero = {{0}};
2135  return memcmp(a, b, sizeof(struct sha256_digest))
2136  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2137 }
2138 
2139 bool
2140 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2141 {
2142  if (!c->c2.do_up_ran)
2143  {
2145 
2146  if (pulled_options)
2147  {
2148  if (!do_deferred_options(c, option_types_found))
2149  {
2150  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2151  return false;
2152  }
2153  }
2154 
2155  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2156  if (c->options.up_delay || PULL_DEFINED(&c->options))
2157  {
2158  c->c2.did_open_tun = do_open_tun(c);
2159  update_time();
2160 
2161  /*
2162  * Was tun interface object persisted from previous restart iteration,
2163  * and if so did pulled options string change from previous iteration?
2164  */
2165  if (!c->c2.did_open_tun
2166  && PULL_DEFINED(&c->options)
2167  && c->c1.tuntap
2170  {
2171  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2172  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2173  do_close_tun(c, true);
2174  management_sleep(1);
2175  c->c2.did_open_tun = do_open_tun(c);
2176  update_time();
2177  }
2178  }
2179 
2180  if (c->c2.did_open_tun)
2181  {
2183 
2184  /* if --route-delay was specified, start timer */
2186  {
2189  if (c->c1.tuntap)
2190  {
2192  }
2193  }
2194  else
2195  {
2196  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2197  }
2198  }
2199  else if (c->options.mode == MODE_POINT_TO_POINT)
2200  {
2201  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2202  }
2203 
2204  c->c2.do_up_ran = true;
2205  }
2206  return true;
2207 }
2208 
2209 /*
2210  * These are the option categories which will be accepted by pull.
2211  */
2212 unsigned int
2214 {
2215  unsigned int flags =
2216  OPT_P_UP
2218  | OPT_P_SOCKBUF
2219  | OPT_P_SOCKFLAGS
2220  | OPT_P_SETENV
2221  | OPT_P_SHAPER
2222  | OPT_P_TIMER
2223  | OPT_P_COMP
2224  | OPT_P_PERSIST
2225  | OPT_P_MESSAGES
2227  | OPT_P_ECHO
2228  | OPT_P_PULL_MODE
2229  | OPT_P_PEER_ID;
2230 
2231  if (!c->options.route_nopull)
2232  {
2233  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2234  }
2235 
2236  if (c->options.ncp_enabled)
2237  {
2238  flags |= OPT_P_NCP;
2239  }
2240 
2241  return flags;
2242 }
2243 
2244 /*
2245  * Handle non-tun-related pulled options.
2246  */
2247 bool
2248 do_deferred_options(struct context *c, const unsigned int found)
2249 {
2250  if (found & OPT_P_MESSAGES)
2251  {
2253  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2254  }
2255  if (found & OPT_P_TIMER)
2256  {
2257  do_init_timers(c, true);
2258  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2259  }
2260 
2261  if (found & OPT_P_EXPLICIT_NOTIFY)
2262  {
2264  {
2265  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2267  }
2268  else
2269  {
2270  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2271  }
2272  }
2273 
2274 #ifdef USE_COMP
2275  if (found & OPT_P_COMP)
2276  {
2277  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2278  comp_uninit(c->c2.comp_context);
2279  c->c2.comp_context = comp_init(&c->options.comp);
2280  }
2281 #endif
2282 
2283  if (found & OPT_P_SHAPER)
2284  {
2285  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2287  }
2288 
2289  if (found & OPT_P_SOCKBUF)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2293  }
2294 
2295  if (found & OPT_P_SOCKFLAGS)
2296  {
2297  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2299  }
2300 
2301  if (found & OPT_P_PERSIST)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2304  }
2305  if (found & OPT_P_UP)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2308  }
2309  if (found & OPT_P_ROUTE)
2310  {
2311  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2312  }
2313  if (found & OPT_P_ROUTE_EXTRAS)
2314  {
2315  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2316  }
2317  if (found & OPT_P_IPWIN32)
2318  {
2319  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2320  }
2321  if (found & OPT_P_SETENV)
2322  {
2323  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2324  }
2325 
2326  if (found & OPT_P_PEER_ID)
2327  {
2328  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2329  c->c2.tls_multi->use_peer_id = true;
2330  c->c2.tls_multi->peer_id = c->options.peer_id;
2331  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2332  if (!c->options.ce.link_mtu_defined)
2333  {
2334  frame_add_to_link_mtu(&c->c2.frame, +3);
2335  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2336  EXPANDED_SIZE(&c->c2.frame));
2337  }
2338  else
2339  {
2340  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2341  " fixed by config - reducing tun-mtu to %d, expect"
2342  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2343  }
2344  }
2345 
2346  /* process (potentially pushed) crypto options */
2347  if (c->options.pull)
2348  {
2349  if (!check_pull_client_ncp(c, found))
2350  {
2351  return false;
2352  }
2353  struct frame *frame_fragment = NULL;
2354 #ifdef ENABLE_FRAGMENT
2355  if (c->options.ce.fragment)
2356  {
2357  frame_fragment = &c->c2.frame_fragment;
2358  }
2359 #endif
2360 
2361  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2362  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2363  frame_fragment))
2364  {
2365  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2366  return false;
2367  }
2368  }
2369 
2370  return true;
2371 }
2372 
2373 /*
2374  * Possible hold on initialization, holdtime is the
2375  * time OpenVPN would wait without management
2376  */
2377 static bool
2378 do_hold(int holdtime)
2379 {
2380 #ifdef ENABLE_MANAGEMENT
2381  if (management)
2382  {
2383  /* block until management hold is released */
2384  if (management_hold(management, holdtime))
2385  {
2386  return true;
2387  }
2388  }
2389 #endif
2390  return false;
2391 }
2392 
2393 /*
2394  * Sleep before restart.
2395  */
2396 static void
2398 {
2399  int sec = 2;
2400  int backoff = 0;
2401 
2402  switch (c->options.ce.proto)
2403  {
2404  case PROTO_TCP_SERVER:
2405  sec = 1;
2406  break;
2407 
2408  case PROTO_UDP:
2409  case PROTO_TCP_CLIENT:
2410  sec = c->options.ce.connect_retry_seconds;
2411  break;
2412  }
2413 
2414 #ifdef ENABLE_DEBUG
2415  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2416  {
2417  sec = 0;
2418  }
2419 #endif
2420 
2421  if (auth_retry_get() == AR_NOINTERACT)
2422  {
2423  sec = 10;
2424  }
2425 
2426  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2427  if (c->options.ce.proto != PROTO_TCP_SERVER)
2428  {
2429  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2430  if (backoff > 0)
2431  {
2432  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2433  sec = max_int(sec, 1) << min_int(backoff, 15);
2434  }
2435 
2436  if (sec > c->options.ce.connect_retry_seconds_max)
2437  {
2439  }
2440  }
2441 
2443  {
2444  sec = c->persist.restart_sleep_seconds;
2445  }
2446  else if (c->persist.restart_sleep_seconds == -1)
2447  {
2448  sec = 0;
2449  }
2451 
2452  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2453  if (do_hold(sec))
2454  {
2455  sec = 0;
2456  }
2457 
2458  if (sec)
2459  {
2460  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2461  management_sleep(sec);
2462  }
2463 }
2464 
2465 /*
2466  * Do a possible pause on context_2 initialization.
2467  */
2468 static void
2470 {
2471  if (!c->first_time)
2472  {
2474  }
2475  else
2476  {
2477  do_hold(0); /* do management hold on first context initialization */
2478  }
2479 }
2480 
2481 /*
2482  * Finalize MTU parameters based on command line or config file options.
2483  */
2484 static void
2485 frame_finalize_options(struct context *c, const struct options *o)
2486 {
2487  if (!o)
2488  {
2489  o = &c->options;
2490  }
2491 
2492  /*
2493  * Set adjustment factor for buffer alignment when no
2494  * cipher is used.
2495  */
2496  if (!CIPHER_ENABLED(c))
2497  {
2503  }
2504 
2506  frame_finalize(&c->c2.frame,
2507  o->ce.link_mtu_defined,
2508  o->ce.link_mtu,
2509  o->ce.tun_mtu_defined,
2510  o->ce.tun_mtu);
2511 }
2512 
2513 /*
2514  * Free a key schedule, including OpenSSL components.
2515  */
2516 static void
2517 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2518 {
2520  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2521  {
2522  tls_ctx_free(&ks->ssl_ctx);
2523  }
2524  CLEAR(*ks);
2525 }
2526 
2527 static void
2528 init_crypto_pre(struct context *c, const unsigned int flags)
2529 {
2530  if (c->options.engine)
2531  {
2533  }
2534 
2535  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2536  {
2537  /* load a persisted packet-id for cross-session replay-protection */
2538  if (c->options.packet_id_file)
2539  {
2541  }
2542  }
2543 
2544 #ifdef ENABLE_PREDICTION_RESISTANCE
2545  if (c->options.use_prediction_resistance)
2546  {
2547  rand_ctx_enable_prediction_resistance();
2548  }
2549 #endif
2550 }
2551 
2552 /*
2553  * Static Key Mode (using a pre-shared key)
2554  */
2555 static void
2556 do_init_crypto_static(struct context *c, const unsigned int flags)
2557 {
2558  const struct options *options = &c->options;
2559  ASSERT(options->shared_secret_file);
2560 
2561  init_crypto_pre(c, flags);
2562 
2563  /* Initialize flags */
2565  {
2567  }
2568 
2569  /* Initialize packet ID tracking */
2570  if (options->replay)
2571  {
2573  options->replay_window,
2574  options->replay_time,
2575  "STATIC", 0);
2580  }
2581 
2582  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2583  {
2584  /* Get cipher & hash algorithms */
2585  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2586  options->test_crypto, true);
2587 
2588  /* Read cipher and hmac keys from shared secret file */
2590  options->shared_secret_file,
2591  options->shared_secret_file_inline,
2592  options->key_direction, "Static Key Encryption",
2593  "secret");
2594  }
2595  else
2596  {
2597  msg(M_INFO, "Re-using pre-shared static key");
2598  }
2599 
2600  /* Get key schedule */
2602 
2603  /* Compute MTU parameters */
2605  options->replay, true);
2606 
2607  /* Sanity check on sequence number, and cipher mode options */
2608  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2609 }
2610 
2611 /*
2612  * Initialize the tls-auth/crypt key context
2613  */
2614 static void
2616 {
2617  const struct options *options = &c->options;
2618 
2619  /* TLS handshake authentication (--tls-auth) */
2620  if (options->ce.tls_auth_file)
2621  {
2622  /* Initialize key_type for tls-auth with auth only */
2624  if (!streq(options->authname, "none"))
2625  {
2629  }
2630  else
2631  {
2632  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2633  "algorithm specified ('%s')", options->authname);
2634  }
2635 
2637  &c->c1.ks.tls_wrap_key,
2638  options->ce.tls_auth_file,
2639  options->ce.tls_auth_file_inline,
2640  options->ce.key_direction,
2641  "Control Channel Authentication", "tls-auth");
2642  }
2643 
2644  /* TLS handshake encryption+authentication (--tls-crypt) */
2645  if (options->ce.tls_crypt_file)
2646  {
2648  options->ce.tls_crypt_file,
2649  options->ce.tls_crypt_file_inline,
2650  options->tls_server);
2651  }
2652 
2653  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2654  if (options->ce.tls_crypt_v2_file)
2655  {
2656  if (options->tls_server)
2657  {
2659  true, options->ce.tls_crypt_v2_file,
2660  options->ce.tls_crypt_v2_file_inline);
2661  }
2662  else
2663  {
2665  &c->c1.ks.tls_crypt_v2_wkc,
2666  options->ce.tls_crypt_v2_file,
2667  options->ce.tls_crypt_v2_file_inline);
2668  }
2669  }
2670 
2671 
2672 }
2673 
2674 /*
2675  * Initialise the auth-token key context
2676  */
2677 static void
2679 {
2680  if (!c->options.auth_token_generate)
2681  {
2682  return;
2683  }
2684 
2688 }
2689 
2690 /*
2691  * Initialize the persistent component of OpenVPN's TLS mode,
2692  * which is preserved across SIGUSR1 resets.
2693  */
2694 static void
2696 {
2697  const struct options *options = &c->options;
2698 
2699  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2700  {
2701  /*
2702  * Initialize the OpenSSL library's global
2703  * SSL context.
2704  */
2705  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2706  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2707  {
2708  switch (auth_retry_get())
2709  {
2710  case AR_NONE:
2711  msg(M_FATAL, "Error: private key password verification failed");
2712  break;
2713 
2714  case AR_INTERACT:
2715  ssl_purge_auth(false);
2716 
2717  case AR_NOINTERACT:
2718  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2719  break;
2720 
2721  default:
2722  ASSERT(0);
2723  }
2724  c->sig->signal_text = "private-key-password-failure";
2725  return;
2726  }
2727 
2728  /*
2729  * BF-CBC is allowed to be used only when explicitly configured
2730  * as NCP-fallback or when NCP has been disabled or explicitly
2731  * allowed in the in ncp_ciphers list.
2732  * In all other cases do not attempt to initialize BF-CBC as it
2733  * may not even be supported by the underlying SSL library.
2734  *
2735  * Therefore, the key structure has to be initialized when:
2736  * - any non-BF-CBC cipher was selected; or
2737  * - BF-CBC is selected and NCP is disabled (explicit request to
2738  * use the BF-CBC cipher); or
2739  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2740  * (BF-CBC will be the fallback).
2741  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2742  * If the negotiated cipher and options->ciphername are the
2743  * same we do not reinit the cipher
2744  *
2745  * Note that BF-CBC will still be part of the OCC string to retain
2746  * backwards compatibility with older clients.
2747  */
2748  if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
2749  || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
2750  || options->enable_ncp_fallback)
2751  {
2752  /* Do not warn if the if the cipher is used only in OCC */
2753  bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
2754  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2755  true, warn);
2756  }
2757  /* Initialize PRNG with config-specified digest */
2758  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2759 
2760  /* initialize tls-auth/crypt/crypt-v2 key */
2762 
2763  /* initialise auth-token crypto support */
2765 
2766 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2767  if (options->priv_key_file_inline)
2768  {
2770  c->options.priv_key_file_inline = NULL;
2771  }
2772 #endif
2773  }
2774  else
2775  {
2776  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2777 
2778  /*
2779  * tls-auth/crypt key can be configured per connection block, therefore
2780  * we must reload it as it may have changed
2781  */
2783  }
2784 }
2785 
2786 static void
2787 do_init_crypto_tls(struct context *c, const unsigned int flags)
2788 {
2789  const struct options *options = &c->options;
2790  struct tls_options to;
2791  bool packet_id_long_form;
2792 
2793  ASSERT(options->tls_server || options->tls_client);
2794  ASSERT(!options->test_crypto);
2795 
2796  init_crypto_pre(c, flags);
2797 
2798  /* Make sure we are either a TLS client or server but not both */
2799  ASSERT(options->tls_server == !options->tls_client);
2800 
2801  /* initialize persistent component */
2803  if (IS_SIG(c))
2804  {
2805  return;
2806  }
2807 
2808  /* Sanity check on sequence number, and cipher mode options */
2809  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2810 
2811  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2812  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2813 
2814  /* Compute MTU parameters (postpone if we push/pull options) */
2815  if (c->options.pull || c->options.mode == MODE_SERVER)
2816  {
2817  /* Account for worst-case crypto overhead before allocating buffers */
2819  }
2820  else
2821  {
2823  options->replay, packet_id_long_form);
2824  }
2826 
2827  /* Set all command-line TLS-related options */
2828  CLEAR(to);
2829 
2830  if (options->mute_replay_warnings)
2831  {
2833  }
2834 
2836  if (packet_id_long_form)
2837  {
2839  }
2840 
2841  to.ssl_ctx = c->c1.ks.ssl_ctx;
2842  to.key_type = c->c1.ks.key_type;
2843  to.server = options->tls_server;
2844  to.replay = options->replay;
2845  to.replay_window = options->replay_window;
2846  to.replay_time = options->replay_time;
2850  to.ncp_enabled = options->ncp_enabled;
2851  to.transition_window = options->transition_window;
2852  to.handshake_window = options->handshake_window;
2853  to.packet_timeout = options->tls_timeout;
2854  to.renegotiate_bytes = options->renegotiate_bytes;
2856  if (options->renegotiate_seconds_min < 0)
2857  {
2858  /* Add 10% jitter to reneg-sec by default (server side only) */
2859  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2860  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2861  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2862  }
2863  else
2864  {
2865  /* Add user-specified jitter to reneg-sec */
2867  -(get_random() % max_int(options->renegotiate_seconds
2868  - options->renegotiate_seconds_min, 1));
2869  }
2870  to.single_session = options->single_session;
2871  to.mode = options->mode;
2872  to.pull = options->pull;
2873  if (options->push_peer_info) /* all there is */
2874  {
2875  to.push_peer_info_detail = 2;
2876  }
2877  else if (options->pull) /* pull clients send some details */
2878  {
2879  to.push_peer_info_detail = 1;
2880  }
2881  else /* default: no peer-info at all */
2882  {
2883  to.push_peer_info_detail = 0;
2884  }
2885 
2886  /* should we not xmit any packets until we get an initial
2887  * response from client? */
2888  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2889  {
2890  to.xmit_hold = true;
2891  }
2892 
2893  to.disable_occ = !options->occ;
2894 
2895  to.verify_command = options->tls_verify;
2896  to.verify_export_cert = options->tls_export_cert;
2897  to.verify_x509_type = (options->verify_x509_type & 0xff);
2898  to.verify_x509_name = options->verify_x509_name;
2899  to.crl_file = options->crl_file;
2900  to.crl_file_inline = options->crl_file_inline;
2901  to.ssl_flags = options->ssl_flags;
2902  to.ns_cert_type = options->ns_cert_type;
2903  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2904  to.remote_cert_eku = options->remote_cert_eku;
2905  to.verify_hash = options->verify_hash;
2906  to.verify_hash_algo = options->verify_hash_algo;
2907  to.verify_hash_depth = options->verify_hash_depth;
2908  to.verify_hash_no_ca = options->verify_hash_no_ca;
2909 #ifdef ENABLE_X509ALTUSERNAME
2910  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2911 #else
2913 #endif
2914  to.es = c->c2.es;
2915  to.net_ctx = &c->net_ctx;
2916 
2917 #ifdef ENABLE_DEBUG
2918  to.gremlin = c->options.gremlin;
2919 #endif
2920 
2921  to.plugins = c->plugins;
2922 
2923 #ifdef ENABLE_MANAGEMENT
2924  to.mda_context = &c->c2.mda_context;
2925 #endif
2926 
2929  to.tmp_dir = options->tmp_dir;
2930  if (options->ccd_exclusive)
2931  {
2933  }
2939 
2940  to.x509_track = options->x509_track;
2941 
2942 #ifdef ENABLE_MANAGEMENT
2943  to.sci = &options->sc_info;
2944 #endif
2945 
2946 #ifdef USE_COMP
2947  to.comp_options = options->comp;
2948 #endif
2949 
2950 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2951  if (options->keying_material_exporter_label)
2952  {
2953  to.ekm_size = options->keying_material_exporter_length;
2954  if (to.ekm_size < 16 || to.ekm_size > 4095)
2955  {
2956  to.ekm_size = 0;
2957  }
2958 
2959  to.ekm_label = options->keying_material_exporter_label;
2960  to.ekm_label_size = strlen(to.ekm_label);
2961  }
2962  else
2963  {
2964  to.ekm_size = 0;
2965  }
2966 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2967 
2968  /* TLS handshake authentication (--tls-auth) */
2969  if (options->ce.tls_auth_file)
2970  {
2971  to.tls_wrap.mode = TLS_WRAP_AUTH;
2976  true, true);
2977  }
2978 
2979  /* TLS handshake encryption (--tls-crypt) */
2980  if (options->ce.tls_crypt_file
2981  || (options->ce.tls_crypt_v2_file && options->tls_client))
2982  {
2983  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2988 
2989  if (options->ce.tls_crypt_v2_file)
2990  {
2992  }
2993  }
2994 
2995  if (options->ce.tls_crypt_v2_file)
2996  {
2997  to.tls_crypt_v2 = true;
2998  if (options->tls_server)
2999  {
3002  }
3003  }
3004 
3005  /* If we are running over TCP, allow for
3006  * length prefix */
3008 
3009  /*
3010  * Initialize OpenVPN's master TLS-mode object.
3011  */
3012  if (flags & CF_INIT_TLS_MULTI)
3013  {
3014  c->c2.tls_multi = tls_multi_init(&to);
3015  }
3016 
3017  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3018  {
3020  }
3021 }
3022 
3023 static void
3025 {
3026  if (c->c2.tls_multi)
3027  {
3030  EXPANDED_SIZE(&c->c2.frame));
3032  "Control Channel MTU parms");
3033  }
3034  if (c->c2.tls_auth_standalone)
3035  {
3038  "TLS-Auth MTU parms");
3039  }
3040 }
3041 
3042 /*
3043  * No encryption or authentication.
3044  */
3045 static void
3047 {
3048  ASSERT(!c->options.test_crypto);
3049  msg(M_WARN,
3050  "******* WARNING *******: All encryption and authentication features "
3051  "disabled -- All data will be tunnelled as clear text and will not be "
3052  "protected against man-in-the-middle changes. "
3053  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3054 }
3055 
3056 static void
3057 do_init_crypto(struct context *c, const unsigned int flags)
3058 {
3059  if (c->options.shared_secret_file)
3060  {
3061  do_init_crypto_static(c, flags);
3062  }
3063  else if (c->options.tls_server || c->options.tls_client)
3064  {
3065  do_init_crypto_tls(c, flags);
3066  }
3067  else /* no encryption or authentication. */
3068  {
3070  }
3071 }
3072 
3073 static void
3075 {
3076 #ifdef USE_COMP
3077  /*
3078  * modify frame parameters if compression is enabled
3079  */
3080  if (comp_enabled(&c->options.comp))
3081  {
3082  comp_add_to_extra_frame(&c->c2.frame);
3083 
3084 #ifdef ENABLE_FRAGMENT
3085  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3086 #endif
3087  }
3088 #endif /* USE_COMP */
3089 
3090  /*
3091  * Adjust frame size for UDP Socks support.
3092  */
3093  if (c->options.ce.socks_proxy_server)
3094  {
3096  }
3097 
3098  /*
3099  * Adjust frame size based on the --tun-mtu-extra parameter.
3100  */
3102  {
3104  }
3105 
3106  /*
3107  * Adjust frame size based on link socket parameters.
3108  * (Since TCP is a stream protocol, we need to insert
3109  * a packet length uint16_t in the buffer.)
3110  */
3112 
3113  /*
3114  * Fill in the blanks in the frame parameters structure,
3115  * make sure values are rational, etc.
3116  */
3117  frame_finalize_options(c, NULL);
3118 
3119 #ifdef USE_COMP
3120  /*
3121  * Modify frame parameters if compression is compiled in.
3122  * Should be called after frame_finalize_options.
3123  */
3124  comp_add_to_extra_buffer(&c->c2.frame);
3125 #ifdef ENABLE_FRAGMENT
3126  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3127 #endif
3128 #endif /* USE_COMP */
3129 
3130  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3131  * and need link_mtu+3 bytes on socket reception (on server).
3132  *
3133  * accommodate receive path in f->extra_link, which has the side effect of
3134  * also increasing send buffers (BUF_SIZE() macro), which need to be
3135  * allocated big enough before receiving peer-id option from server.
3136  *
3137  * f->extra_frame is adjusted when peer-id option is push-received
3138  */
3140 
3141 #ifdef ENABLE_FRAGMENT
3142  /*
3143  * Set frame parameter for fragment code. This is necessary because
3144  * the fragmentation code deals with payloads which have already been
3145  * passed through the compression code.
3146  */
3147  c->c2.frame_fragment = c->c2.frame;
3150 #endif
3151 
3152 #if defined(ENABLE_FRAGMENT)
3153  /*
3154  * MTU advisories
3155  */
3156  if (c->options.ce.fragment && c->options.mtu_test)
3157  {
3158  msg(M_WARN,
3159  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3160  }
3161 #endif
3162 
3163 #ifdef ENABLE_FRAGMENT
3164  if ((c->options.ce.mssfix || c->options.ce.fragment)
3166  {
3167  msg(M_WARN,
3168  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3170  }
3171 #endif
3172 }
3173 
3174 static void
3176 {
3177  const struct options *o = &c->options;
3178 
3179  if (o->ping_send_timeout && !o->ping_rec_timeout)
3180  {
3181  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3182  }
3183 
3184  if (o->username || o->groupname || o->chroot_dir
3185 #ifdef ENABLE_SELINUX
3186  || o->selinux_context
3187 #endif
3188  )
3189  {
3190  if (!o->persist_tun)
3191  {
3192  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3193  }
3194  if (!o->persist_key
3195 #ifdef ENABLE_PKCS11
3196  && !o->pkcs11_id
3197 #endif
3198  )
3199  {
3200  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3201  }
3202  }
3203 
3204  if (o->chroot_dir && !(o->username && o->groupname))
3205  {
3206  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3207  }
3208 
3209  if (o->pull && o->ifconfig_local && c->first_time)
3210  {
3211  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3212  }
3213 
3215  {
3216  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3217  }
3218 
3219  if (o->mode == MODE_SERVER)
3220  {
3221  if (o->duplicate_cn && o->client_config_dir)
3222  {
3223  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3224  }
3226  {
3227  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3228  }
3229  if (!o->keepalive_ping || !o->keepalive_timeout)
3230  {
3231  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3232  }
3233  }
3234 
3235  if (!o->replay)
3236  {
3237  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3238  }
3239 
3240  if (o->tls_server)
3241  {
3243  }
3244  if (o->tls_client
3245  && !o->tls_verify
3248  && !o->remote_cert_eku)
3249  {
3250  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3251  }
3252  if (o->ns_cert_type)
3253  {
3254  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3255  }
3256 
3257  /* If a script is used, print appropriate warnings */
3258  if (o->user_script_used)
3259  {
3260  if (script_security() >= SSEC_SCRIPTS)
3261  {
3262  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3263  }
3264  else if (script_security() >= SSEC_PW_ENV)
3265  {
3266  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3267  }
3268  else
3269  {
3270  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3271  }
3272  }
3273 }
3274 
3275 static void
3277 {
3279 }
3280 
3281 struct context_buffers *
3283 {
3284  struct context_buffers *b;
3285 
3286  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3287 
3288  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3289  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3290 
3291  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3292 
3293  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3294  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3295 
3296 #ifdef USE_COMP
3297  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3298  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3299 #endif
3300 
3301  return b;
3302 }
3303 
3304 void
3306 {
3307  if (b)
3308  {
3309  free_buf(&b->read_link_buf);
3310  free_buf(&b->read_tun_buf);
3311  free_buf(&b->aux_buf);
3312 
3313 #ifdef USE_COMP
3314  free_buf(&b->compress_buf);
3315  free_buf(&b->decompress_buf);
3316 #endif
3317 
3318  free_buf(&b->encrypt_buf);
3319  free_buf(&b->decrypt_buf);
3320 
3321  free(b);
3322  }
3323 }
3324 
3325 /*
3326  * Now that we know all frame parameters, initialize
3327  * our buffers.
3328  */
3329 static void
3331 {
3333  c->c2.buffers_owned = true;
3334 }
3335 
3336 #ifdef ENABLE_FRAGMENT
3337 /*
3338  * Fragmenting code has buffers to initialize
3339  * once frame parameters are known.
3340  */
3341 static void
3343 {
3344  ASSERT(c->options.ce.fragment);
3348 }
3349 #endif
3350 
3351 /*
3352  * Allocate our socket object.
3353  */
3354 static void
3356 {
3357  ASSERT(!c->c2.link_socket);
3359  c->c2.link_socket_owned = true;
3360 }
3361 
3362 /*
3363  * Print MTU INFO
3364  */
3365 static void
3367 {
3368  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3369 #ifdef ENABLE_FRAGMENT
3370  if (c->c2.fragment)
3371  {
3373  "Fragmentation MTU parms");
3374  }
3375 #endif
3376 }
3377 
3378 /*
3379  * Get local and remote options compatibility strings.
3380  */
3381 static void
3383 {
3384  struct gc_arena gc = gc_new();
3385 
3387  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3388  false, &gc);
3390  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3391  true, &gc);
3392 
3393  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3396  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3399 
3400  if (c->c2.tls_multi)
3401  {
3405  }
3406 
3407  gc_free(&gc);
3408 }
3409 
3410 /*
3411  * These things can only be executed once per program instantiation.
3412  * Set up for possible UID/GID downgrade, but don't do it yet.
3413  * Daemonize if requested.
3414  */
3415 static void
3417 {
3418  if (c->first_time && !c->c0)
3419  {
3420  struct context_0 *c0;
3421 
3422  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3423  c0 = c->c0;
3424 
3425  /* get user and/or group that we want to setuid/setgid to */
3426  c0->uid_gid_specified =
3429 
3430  /* perform postponed chdir if --daemon */
3431  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3432  {
3433  platform_chdir("/");
3434  }
3435 
3436  /* should we change scheduling priority? */
3438  }
3439 }
3440 
3441 /*
3442  * free buffers
3443  */
3444 static void
3446 {
3447  if (c->c2.buffers_owned)
3448  {
3450  c->c2.buffers = NULL;
3451  c->c2.buffers_owned = false;
3452  }
3453 }
3454 
3455 /*
3456  * close TLS
3457  */
3458 static void
3460 {
3461  if (c->c2.tls_multi)
3462  {
3463  tls_multi_free(c->c2.tls_multi, true);
3464  c->c2.tls_multi = NULL;
3465  }
3466 
3467  /* free options compatibility strings */
3470 
3472 
3473  if (c->c2.pulled_options_state)
3474  {
3477  }
3478 }
3479 
3480 /*
3481  * Free key schedules
3482  */
3483 static void
3484 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3485 {
3486  /*
3487  * always free the tls_auth/crypt key. If persist_key is true, the key will
3488  * be reloaded from memory (pre-cached)
3489  */
3492  CLEAR(c->c1.ks.tls_wrap_key);
3495 
3496  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3497  {
3498  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3499  }
3500 }
3501 
3502 /*
3503  * Close TCP/UDP connection
3504  */
3505 static void
3507 {
3508  if (c->c2.link_socket && c->c2.link_socket_owned)
3509  {
3511  c->c2.link_socket = NULL;
3512  }
3513 
3514 
3515  /* Preserve the resolved list of remote if the user request to or if we want
3516  * reconnect to the same host again or there are still addresses that need
3517  * to be tried */
3518  if (!(c->sig->signal_received == SIGUSR1
3519  && ( (c->options.persist_remote_ip)
3520  ||
3521  ( c->sig->source != SIG_SOURCE_HARD
3523  && c->c1.link_socket_addr.current_remote->ai_next)
3524  || c->options.no_advance))
3525  )))
3526  {
3528  }
3529 
3530  /* Clear the remote actual address when persist_remote_ip is not in use */
3531  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3532  {
3534  }
3535 
3536  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3537  {
3539  {
3540  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3541  }
3542 
3543  c->c1.link_socket_addr.bind_local = NULL;
3544  }
3545 }
3546 
3547 /*
3548  * Close packet-id persistence file
3549  */
3550 static void
3552 {
3555  if (!(c->sig->signal_received == SIGUSR1))
3556  {
3558  }
3559 }
3560 
3561 #ifdef ENABLE_FRAGMENT
3562 /*
3563  * Close fragmentation handler.
3564  */
3565 static void
3567 {
3568  if (c->c2.fragment)
3569  {
3571  c->c2.fragment = NULL;
3572  }
3573 }
3574 #endif
3575 
3576 /*
3577  * Open and close our event objects.
3578  */
3579 
3580 static void
3582  bool need_us_timeout)
3583 {
3584  unsigned int flags = 0;
3585 
3587 
3588  flags |= EVENT_METHOD_FAST;
3589 
3590  if (need_us_timeout)
3591  {
3592  flags |= EVENT_METHOD_US_TIMEOUT;
3593  }
3594 
3595  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3596  c->c2.event_set_owned = true;
3597 }
3598 
3599 static void
3601 {
3602  if (c->c2.event_set && c->c2.event_set_owned)
3603  {
3604  event_free(c->c2.event_set);
3605  c->c2.event_set = NULL;
3606  c->c2.event_set_owned = false;
3607  }
3608 }
3609 
3610 /*
3611  * Open and close --status file
3612  */
3613 
3614 static void
3616 {
3617  if (!c->c1.status_output)
3618  {
3621  -1,
3622  NULL,
3624  c->c1.status_output_owned = true;
3625  }
3626 }
3627 
3628 static void
3630 {
3631  if (!(c->sig->signal_received == SIGUSR1))
3632  {
3633  if (c->c1.status_output_owned && c->c1.status_output)
3634  {
3636  c->c1.status_output = NULL;
3637  c->c1.status_output_owned = false;
3638  }
3639  }
3640 }
3641 
3642 /*
3643  * Handle ifconfig-pool persistence object.
3644  */
3645 static void
3647 {
3649  {
3652  c->c1.ifconfig_pool_persist_owned = true;
3653  }
3654 }
3655 
3656 static void
3658 {
3659  if (!(c->sig->signal_received == SIGUSR1))
3660  {
3662  {
3664  c->c1.ifconfig_pool_persist = NULL;
3665  c->c1.ifconfig_pool_persist_owned = false;
3666  }
3667  }
3668 }
3669 
3670 /*
3671  * Inherit environmental variables
3672  */
3673 
3674 static void
3675 do_inherit_env(struct context *c, const struct env_set *src)
3676 {
3677  c->c2.es = env_set_create(NULL);
3678  c->c2.es_owned = true;
3679  env_set_inherit(c->c2.es, src);
3680 }
3681 
3682 static void
3684 {
3685  if (c->c2.es && c->c2.es_owned)
3686  {
3687  env_set_destroy(c->c2.es);
3688  c->c2.es = NULL;
3689  c->c2.es_owned = false;
3690  }
3691 }
3692 
3693 /*
3694  * Fast I/O setup. Fast I/O is an optimization which only works
3695  * if all of the following are true:
3696  *
3697  * (1) The platform is not Windows
3698  * (2) --proto udp is enabled
3699  * (3) --shaper is disabled
3700  */
3701 static void
3703 {
3704  if (c->options.fast_io)
3705  {
3706 #ifdef _WIN32
3707  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3708 #else
3709  if (!proto_is_udp(c->options.ce.proto))
3710  {
3711  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3712  }
3713  else
3714  {
3715  if (c->options.shaper)
3716  {
3717  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3718  }
3719  else
3720  {
3721  c->c2.fast_io = true;
3722  }
3723  }
3724 #endif
3725  }
3726 }
3727 
3728 static void
3730 {
3731  if (c->options.tls_exit)
3732  {
3733  c->c2.tls_exit_signal = SIGTERM;
3734  }
3735  else
3736  {
3737  c->c2.tls_exit_signal = SIGUSR1;
3738  }
3739 }
3740 
3741 #ifdef ENABLE_PLUGIN
3742 
3743 void
3745 {
3746  if (c->options.plugin_list && !c->plugins)
3747  {
3749  c->plugins_owned = true;
3750  }
3751 }
3752 
3753 void
3754 open_plugins(struct context *c, const bool import_options, int init_point)
3755 {
3756  if (c->plugins && c->plugins_owned)
3757  {
3758  if (import_options)
3759  {
3760  struct plugin_return pr, config;
3761  plugin_return_init(&pr);
3762  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3763  plugin_return_get_column(&pr, &config, "config");
3764  if (plugin_return_defined(&config))
3765  {
3766  int i;
3767  for (i = 0; i < config.n; ++i)
3768  {
3769  unsigned int option_types_found = 0;
3770  if (config.list[i] && config.list[i]->value)
3771  {
3773  config.list[i]->value,
3776  &option_types_found,
3777  c->es);
3778  }
3779  }
3780  }
3781  plugin_return_free(&pr);
3782  }
3783  else
3784  {
3785  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3786  }
3787  }
3788 }
3789 
3790 static void
3792 {
3793  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3794  {
3796  c->plugins = NULL;
3797  c->plugins_owned = false;
3798  }
3799 }
3800 
3801 static void
3802 do_inherit_plugins(struct context *c, const struct context *src)
3803 {
3804  if (!c->plugins && src->plugins)
3805  {
3806  c->plugins = plugin_list_inherit(src->plugins);
3807  c->plugins_owned = true;
3808  }
3809 }
3810 
3811 #endif /* ifdef ENABLE_PLUGIN */
3812 
3813 #ifdef ENABLE_MANAGEMENT
3814 
3815 static void
3816 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3817 {
3818  struct context *c = (struct context *) arg;
3819  print_status(c, so);
3820 }
3821 
3822 void
3823 management_show_net_callback(void *arg, const int msglevel)
3824 {
3825 #ifdef _WIN32
3826  show_routes(msglevel);
3827  show_adapters(msglevel);
3828  msg(msglevel, "END");
3829 #else
3830  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3831 #endif
3832 }
3833 
3834 #ifdef TARGET_ANDROID
3835 int
3836 management_callback_network_change(void *arg, bool samenetwork)
3837 {
3838  /* Check if the client should translate the network change to a SIGUSR1 to
3839  * reestablish the connection or just reprotect the socket
3840  *
3841  * At the moment just assume that, for all settings that use pull (not
3842  * --static) and are not using peer-id reestablishing the connection is
3843  * required (unless the network is the same)
3844  *
3845  * The function returns -1 on invalid fd and -2 if the socket cannot be
3846  * reused. On the -2 return value the man_network_change function triggers
3847  * a SIGUSR1 to force a reconnect.
3848  */
3849 
3850  int socketfd = -1;
3851  struct context *c = (struct context *) arg;
3852  if (!c->c2.link_socket)
3853  {
3854  return -1;
3855  }
3856  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3857  {
3858  return -1;
3859  }
3860 
3861  socketfd = c->c2.link_socket->sd;
3862  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3863  {
3864  return socketfd;
3865  }
3866  else
3867  {
3868  return -2;
3869  }
3870 }
3871 #endif /* ifdef TARGET_ANDROID */
3872 
3873 #endif /* ifdef ENABLE_MANAGEMENT */
3874 
3875 void
3877 {
3878 #ifdef ENABLE_MANAGEMENT
3879  if (management)
3880  {
3881  struct management_callback cb;
3882  CLEAR(cb);
3883  cb.arg = c;
3889 #ifdef TARGET_ANDROID
3890  cb.network_change = management_callback_network_change;
3891 #endif
3893  }
3894 #endif
3895 }
3896 
3897 #ifdef ENABLE_MANAGEMENT
3898 
3899 void
3901 {
3902  if (!management)
3903  {
3905  }
3906 }
3907 
3908 bool
3910 {
3911  /* initialize management layer */
3912  if (management)
3913  {
3914  if (c->options.management_addr)
3915  {
3916  unsigned int flags = c->options.management_flags;
3917  if (c->options.mode == MODE_SERVER)
3918  {
3919  flags |= MF_SERVER;
3920  }
3932  flags))
3933  {
3936  NULL,
3937  NULL,
3938  NULL,
3939  NULL,
3940  NULL);
3941  }
3942 
3943  /* initial management hold, called early, before first context initialization */
3944  do_hold(0);
3945  if (IS_SIG(c))
3946  {
3947  msg(M_WARN, "Signal received from management interface, exiting");
3948  return false;
3949  }
3950  }
3951  else
3952  {
3953  close_management();
3954  }
3955  }
3956  return true;
3957 }
3958 
3959 void
3961 {
3962  if (management)
3963  {
3965  management = NULL;
3966  }
3967 }
3968 
3969 #endif /* ifdef ENABLE_MANAGEMENT */
3970 
3971 
3972 void
3974 {
3975 #ifdef ENABLE_MANAGEMENT
3976  if (management)
3977  {
3979  }
3980 #endif
3981 }
3982 
3983 /*
3984  * Initialize a tunnel instance, handle pre and post-init
3985  * signal settings.
3986  */
3987 void
3988 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3989 {
3991  init_instance(c, env, flags);
3993 
3994  /*
3995  * This is done so that signals thrown during
3996  * initialization can bring us back to
3997  * a management hold.
3998  */
3999  if (IS_SIG(c))
4000  {
4001  remap_signal(c);
4003  }
4004 }
4005 
4006 /*
4007  * Initialize a tunnel instance.
4008  */
4009 void
4010 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4011 {
4012  const struct options *options = &c->options;
4013  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4014  int link_socket_mode = LS_MODE_DEFAULT;
4015 
4016  /* init garbage collection level */
4017  gc_init(&c->c2.gc);
4018 
4019  /* inherit environmental variables */
4020  if (env)
4021  {
4022  do_inherit_env(c, env);
4023  }
4024 
4025  /* signals caught here will abort */
4026  c->sig->signal_received = 0;
4027  c->sig->signal_text = NULL;
4028  c->sig->source = SIG_SOURCE_SOFT;
4029 
4030  if (c->mode == CM_P2P)
4031  {
4033  }
4034 
4035  /* possible sleep or management hold if restart */
4036  if (c->mode == CM_P2P || c->mode == CM_TOP)
4037  {
4038  do_startup_pause(c);
4039  if (IS_SIG(c))
4040  {
4041  goto sig;
4042  }
4043  }
4044 
4045  if (c->options.resolve_in_advance)
4046  {
4047  do_preresolve(c);
4048  if (IS_SIG(c))
4049  {
4050  goto sig;
4051  }
4052  }
4053 
4054  /* Resets all values to the initial values from the config where needed */
4055  pre_connect_restore(&c->options, &c->c2.gc);
4056 
4057  /* map in current connection entry */
4059 
4060  /* link_socket_mode allows CM_CHILD_TCP
4061  * instances to inherit acceptable fds
4062  * from a top-level parent */
4063  if (c->options.ce.proto == PROTO_TCP_SERVER)
4064  {
4065  if (c->mode == CM_TOP)
4066  {
4067  link_socket_mode = LS_MODE_TCP_LISTEN;
4068  }
4069  else if (c->mode == CM_CHILD_TCP)
4070  {
4071  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4072  }
4073  }
4074 
4075  /* should we disable paging? */
4076  if (c->first_time && options->mlock)
4077  {
4078  platform_mlockall(true);
4079  }
4080 
4081  /* get passwords if undefined */
4082  if (auth_retry_get() == AR_INTERACT)
4083  {
4085  }
4086 
4087  /* initialize context level 2 --verb/--mute parms */
4089 
4090  /* set error message delay for non-server modes */
4091  if (c->mode == CM_P2P)
4092  {
4094  }
4095 
4096  /* warn about inconsistent options */
4097  if (c->mode == CM_P2P || c->mode == CM_TOP)
4098  {
4099  do_option_warnings(c);
4100  }
4101 
4102 #ifdef ENABLE_PLUGIN
4103  /* initialize plugins */
4104  if (c->mode == CM_P2P || c->mode == CM_TOP)
4105  {
4107  }
4108 #endif
4109 
4110  /* should we enable fast I/O? */
4111  if (c->mode == CM_P2P || c->mode == CM_TOP)
4112  {
4113  do_setup_fast_io(c);
4114  }
4115 
4116  /* should we throw a signal on TLS errors? */
4118 
4119  /* open --status file */
4120  if (c->mode == CM_P2P || c->mode == CM_TOP)
4121  {
4123  }
4124 
4125  /* open --ifconfig-pool-persist file */
4126  if (c->mode == CM_TOP)
4127  {
4129  }
4130 
4131  /* reset OCC state */
4132  if (c->mode == CM_P2P || child)
4133  {
4134  c->c2.occ_op = occ_reset_op();
4135  }
4136 
4137  /* our wait-for-i/o objects, different for posix vs. win32 */
4138  if (c->mode == CM_P2P)
4139  {
4141  }
4142  else if (c->mode == CM_CHILD_TCP)
4143  {
4144  do_event_set_init(c, false);
4145  }
4146 
4147  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4148  init_proxy(c);
4149 
4150  /* allocate our socket object */
4151  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4152  {
4153  do_link_socket_new(c);
4154  }
4155 
4156 #ifdef ENABLE_FRAGMENT
4157  /* initialize internal fragmentation object */
4158  if (options->ce.fragment && (c->mode == CM_P2P || child))
4159  {
4160  c->c2.fragment = fragment_init(&c->c2.frame);
4161  }
4162 #endif
4163 
4164  /* init crypto layer */
4165  {
4166  unsigned int crypto_flags = 0;
4167  if (c->mode == CM_TOP)
4168  {
4169  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4170  }
4171  else if (c->mode == CM_P2P)
4172  {
4174  }
4175  else if (child)
4176  {
4177  crypto_flags = CF_INIT_TLS_MULTI;
4178  }
4179  do_init_crypto(c, crypto_flags);
4180  if (IS_SIG(c) && !child)
4181  {
4182  goto sig;
4183  }
4184  }
4185 
4186 #ifdef USE_COMP
4187  /* initialize compression library. */
4188  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4189  {
4190  c->c2.comp_context = comp_init(&options->comp);
4191  }
4192 #endif
4193 
4194  /* initialize MTU variables */
4195  do_init_frame(c);
4196 
4197  /* initialize TLS MTU variables */
4198  do_init_frame_tls(c);
4199 
4200  /* init workspace buffers whose size is derived from frame size */
4201  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4202  {
4203  do_init_buffers(c);
4204  }
4205 
4206 #ifdef ENABLE_FRAGMENT
4207  /* initialize internal fragmentation capability with known frame size */
4208  if (options->ce.fragment && (c->mode == CM_P2P || child))
4209  {
4210  do_init_fragment(c);
4211  }
4212 #endif
4213 
4214  /* initialize dynamic MTU variable */
4215  frame_init_mssfix(&c->c2.frame, &c->options);
4216 
4217  /* bind the TCP/UDP socket */
4218  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4219  {
4220  link_socket_init_phase1(c, link_socket_mode);
4221  }
4222 
4223  /* initialize tun/tap device object,
4224  * open tun/tap device, ifconfig, run up script, etc. */
4225  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4226  {
4227  c->c2.did_open_tun = do_open_tun(c);
4228  }
4229 
4230  c->c2.frame_initial = c->c2.frame;
4231 
4232  /* print MTU info */
4234 
4235  /* get local and remote options compatibility strings */
4236  if (c->mode == CM_P2P || child)
4237  {
4239  }
4240 
4241  /* initialize output speed limiter */
4242  if (c->mode == CM_P2P)
4243  {
4245  }
4246 
4247  /* do one-time inits, and possibly become a daemon here */
4248  do_init_first_time(c);
4249 
4250 #ifdef ENABLE_PLUGIN
4251  /* initialize plugins */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP)
4253  {
4255  }
4256 #endif
4257 
4258  /* initialise connect timeout timer */
4260 
4261  /* finalize the TCP/UDP socket */
4262  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4263  {
4265  }
4266 
4267  /*
4268  * Actually do UID/GID downgrade, and chroot, if requested.
4269  * May be delayed by --client, --pull, or --up-delay.
4270  */
4272 
4273  /* initialize timers */
4274  if (c->mode == CM_P2P || child)
4275  {
4276  do_init_timers(c, false);
4277  }
4278 
4279 #ifdef ENABLE_PLUGIN
4280  /* initialize plugins */
4281  if (c->mode == CM_P2P || c->mode == CM_TOP)
4282  {
4284  }
4285 #endif
4286 
4287 #if PORT_SHARE
4288  /* share OpenVPN port with foreign (such as HTTPS) server */
4289  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4290  {
4291  init_port_share(c);
4292  }
4293 #endif
4294 
4295 #ifdef ENABLE_PF
4296  if (child)
4297  {
4298  pf_init_context(c);
4299  }
4300 #endif
4301 
4302  /* Check for signals */
4303  if (IS_SIG(c))
4304  {
4305  goto sig;
4306  }
4307 
4308  return;
4309 
4310 sig:
4311  if (!c->sig->signal_text)
4312  {
4313  c->sig->signal_text = "init_instance";
4314  }
4315  close_context(c, -1, flags);
4316  return;
4317 }
4318 
4319 /*
4320  * Close a tunnel instance.
4321  */
4322 void
4324 {
4325  /* close event objects */
4326  do_close_event_set(c);
4327 
4328  if (c->mode == CM_P2P
4329  || c->mode == CM_CHILD_TCP
4330  || c->mode == CM_CHILD_UDP
4331  || c->mode == CM_TOP)
4332  {
4333 #ifdef USE_COMP
4334  if (c->c2.comp_context)
4335  {
4336  comp_uninit(c->c2.comp_context);
4337  c->c2.comp_context = NULL;
4338  }
4339 #endif
4340 
4341  /* free buffers */
4342  do_close_free_buf(c);
4343 
4344  /* close TLS */
4345  do_close_tls(c);
4346 
4347  /* free key schedules */
4348  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4349 
4350  /* close TCP/UDP connection */
4352 
4353  /* close TUN/TAP device */
4354  do_close_tun(c, false);
4355 
4356 #ifdef ENABLE_MANAGEMENT
4357  if (management)
4358  {
4360  }
4361 #endif
4362 
4363 #ifdef ENABLE_PF
4364  pf_destroy_context(&c->c2.pf);
4365 #endif
4366 
4367 #ifdef ENABLE_PLUGIN
4368  /* call plugin close functions and unload */
4369  do_close_plugins(c);
4370 #endif
4371 
4372  /* close packet-id persistence file */
4373  do_close_packet_id(c);
4374 
4375  /* close --status file */
4377 
4378 #ifdef ENABLE_FRAGMENT
4379  /* close fragmentation handler */
4380  do_close_fragment(c);
4381 #endif
4382 
4383  /* close --ifconfig-pool-persist obj */
4385 
4386  /* free up environmental variable store */
4387  do_env_set_destroy(c);
4388 
4389  /* close HTTP or SOCKS proxy */
4390  uninit_proxy(c);
4391 
4392  /* garbage collect */
4393  gc_free(&c->c2.gc);
4394  }
4395 }
4396 
4397 void
4399  const struct context *src)
4400 {
4401  CLEAR(*dest);
4402 
4403  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4405 
4406  dest->gc = gc_new();
4407 
4408  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4409 
4410  /* c1 init */
4412 
4413  dest->c1.ks.key_type = src->c1.ks.key_type;
4414  /* inherit SSL context */
4415  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4416  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4419  /* inherit pre-NCP ciphers */
4420  dest->options.ciphername = src->options.ciphername;
4421  dest->options.authname = src->options.authname;
4422 
4423  /* inherit auth-token */
4424  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4425 
4426  /* options */
4427  dest->options = src->options;
4428  options_detach(&dest->options);
4429 
4430  if (dest->mode == CM_CHILD_TCP)
4431  {
4432  /*
4433  * The CM_TOP context does the socket listen(),
4434  * and the CM_CHILD_TCP context does the accept().
4435  */
4436  dest->c2.accept_from = src->c2.link_socket;
4437  }
4438 
4439 #ifdef ENABLE_PLUGIN
4440  /* inherit plugins */
4441  do_inherit_plugins(dest, src);
4442 #endif
4443 
4444  /* context init */
4445  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4446  if (IS_SIG(dest))
4447  {
4448  return;
4449  }
4450 
4451  /* inherit tun/tap interface object */
4452  dest->c1.tuntap = src->c1.tuntap;
4453 
4454  /* UDP inherits some extra things which TCP does not */
4455  if (dest->mode == CM_CHILD_UDP)
4456  {
4457  /* inherit buffers */
4458  dest->c2.buffers = src->c2.buffers;
4459 
4460  /* inherit parent link_socket and tuntap */
4461  dest->c2.link_socket = src->c2.link_socket;
4462 
4463  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4464  *dest->c2.link_socket_info = src->c2.link_socket->info;
4465 
4466  /* locally override some link_socket_info fields */
4467  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4469  }
4470 }
4471 
4472 void
4474  const struct context *src)
4475 {
4476  /* copy parent */
4477  *dest = *src;
4478 
4479  /*
4480  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4481  * resources owned by the parent.
4482  *
4483  * Also note that CM_TOP_CLONE context objects are
4484  * closed by multi_top_free in multi.c.
4485  */
4486  dest->mode = CM_TOP_CLONE;
4487 
4488  dest->first_time = false;
4489  dest->c0 = NULL;
4490 
4491  options_detach(&dest->options);
4492  gc_detach(&dest->gc);
4493  gc_detach(&dest->c2.gc);
4494 
4495  /* detach plugins */
4496  dest->plugins_owned = false;
4497 
4498  dest->c2.tls_multi = NULL;
4499 
4500  /* detach c1 ownership */
4501  dest->c1.tuntap_owned = false;
4502  dest->c1.status_output_owned = false;
4503  dest->c1.ifconfig_pool_persist_owned = false;
4504 
4505  /* detach c2 ownership */
4506  dest->c2.event_set_owned = false;
4507  dest->c2.link_socket_owned = false;
4508  dest->c2.buffers_owned = false;
4509  dest->c2.es_owned = false;
4510 
4511  dest->c2.event_set = NULL;
4512  if (proto_is_dgram(src->options.ce.proto))
4513  {
4514  do_event_set_init(dest, false);
4515  }
4516 
4517 #ifdef USE_COMP
4518  dest->c2.comp_context = NULL;
4519 #endif
4520 }
4521 
4522 void
4523 close_context(struct context *c, int sig, unsigned int flags)
4524 {
4525  ASSERT(c);
4526  ASSERT(c->sig);
4527 
4528  if (sig >= 0)
4529  {
4530  c->sig->signal_received = sig;
4531  }
4532 
4533  if (c->sig->signal_received == SIGUSR1)
4534  {
4535  if ((flags & CC_USR1_TO_HUP)
4536  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4537  {
4538  c->sig->signal_received = SIGHUP;
4539  c->sig->signal_text = "close_context usr1 to hup";
4540  }
4541  }
4542 
4543  if (!(flags & CC_NO_CLOSE))
4544  {
4545  close_instance(c);
4546  }
4547 
4548  if (flags & CC_GC_FREE)
4549  {
4550  context_gc_free(c);
4551  }
4552 }
4553 
4554 /* Write our PID to a file */
4555 void
4556 write_pid_file(const char *filename, const char *chroot_dir)
4557 {
4558  if (filename)
4559  {
4560  unsigned int pid = 0;
4561  FILE *fp = platform_fopen(filename, "w");
4562  if (!fp)
4563  {
4564  msg(M_ERR, "Open error on pid file %s", filename);
4565  return;
4566  }
4567 
4568  pid = platform_getpid();
4569  fprintf(fp, "%u\n", pid);
4570  if (fclose(fp))
4571  {
4572  msg(M_ERR, "Close error on pid file %s", filename);
4573  }
4574 
4575  /* remember file name so it can be deleted "out of context" later */
4576  /* (the chroot case is more complex and not handled today) */
4577  if (!chroot_dir)
4578  {
4579  saved_pid_file_name = strdup(filename);
4580  }
4581  }
4582 }
4583 
4584 /* remove PID file on exit, called from openvpn_exit() */
4585 void
4587 {
4588  if (saved_pid_file_name)
4589  {
4591  }
4592 }
4593 
4594 
4595 /*
4596  * Do a loopback test
4597  * on the crypto subsystem.
4598  */
4599 static void *
4601 {
4602  struct context *c = (struct context *) arg;
4603  const struct options *options = &c->options;
4604 
4605  ASSERT(options->test_crypto);
4607  context_init_1(c);
4609  do_init_crypto_static(c, 0);
4610 
4611  frame_finalize_options(c, options);
4612 
4613  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4614 
4615  key_schedule_free(&c->c1.ks, true);
4617 
4618  context_gc_free(c);
4619  return NULL;
4620 }
4621 
4622 bool
4623 do_test_crypto(const struct options *o)
4624 {
4625  if (o->test_crypto)
4626  {
4627  struct context c;
4628 
4629  /* print version number */
4630  msg(M_INFO, "%s", title_string);
4631 
4632  context_clear(&c);
4633  c.options = *o;
4634  options_detach(&c.options);
4635  c.first_time = true;
4636  test_crypto_thread((void *) &c);
4637  return true;
4638  }
4639  return false;
4640 }
struct tuntap_options tuntap_options
Definition: options.h:317
bool tcp_mode
Definition: ssl_common.h:320
struct env_set * es
Definition: openvpn.h:407
char port[RH_PORT_LEN]
Definition: options.h:194
unsigned int platform_getpid(void)
Definition: platform.c:182
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2528
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:349
void management_close(struct management *man)
Definition: manage.c:2691
int ifconfig_pool_persist_refresh_freq
Definition: options.h:441
struct key_type key_type
Definition: ssl_common.h:268
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
bool persist_remote_ip
Definition: options.h:306
int sndbuf
Definition: options.h:362
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:382
bool log_rw
Definition: openvpn.h:369
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:114
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:483
struct frame frame_fragment_omit
Definition: openvpn.h:255
const char * tmp_dir
Definition: ssl_common.h:337
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:372
bool tun_mtu_defined
Definition: options.h:118
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:609
#define OPT_P_DEFAULT
Definition: options.h:700
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1514
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
Definition: tun.h:155
bool ncp_enabled
Definition: options.h:515
unsigned int management_flags
Definition: options.h:405
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1979
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2556
bool verify_hash_no_ca
Definition: options.h:565
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:300
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:637
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:106
struct event_timeout ping_rec_interval
Definition: openvpn.h:284
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1305
bool tls_crypt_v2
Definition: ssl_common.h:326
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:465
void platform_nice(int niceval)
Definition: platform.c:160
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
struct event_timeout route_wakeup_expire
Definition: openvpn.h:373
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:522
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
bool show_curves
Definition: options.h:240
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4145
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:634
const char * cipher_list
Definition: options.h:547
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:532
struct link_socket * link_socket_new(void)
Definition: socket.c:1847
static void do_alloc_route_list(struct context *c)
Definition: init.c:1459
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:333
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1001
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3773
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:513
bool tls_crypt_v2_file_inline
Definition: options.h:613
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2131
static void init_proxy_dowork(struct context *c)
Definition: init.c:626
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
bool did_open_tun
Definition: openvpn.h:376
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
unsigned int auth_token_lifetime
Definition: ssl_common.h:344
const char * tls_cert_profile
Definition: options.h:550
int management_log_history_cache
Definition: options.h:396
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:327
struct interval tmp_int
Definition: openvpn.h:333
#define streq(x, y)
Definition: options.h:664
const char * ifconfig_pool_persist_filename
Definition: options.h:440
const char * chroot_dir
Definition: options.h:322
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:727
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3802
static void do_close_event_set(struct context *c)
Definition: init.c:3600
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2695
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:427
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:265
#define WSO_FORCE_SERVICE
Definition: win32.h:166
int ping_rec_timeout_action
Definition: options.h:302
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2140
bool auth_token_generate
Definition: options.h:483
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4449
void tun_abort(void)
Definition: init.c:2112
Contains all state information for one tunnel.
Definition: openvpn.h:463
#define CIPHER_ENABLED(c)
Definition: openvpn.h:534
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3683
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2615
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:352
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
struct env_set * es
Set of environment variables.
Definition: openvpn.h:486
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:111
struct man_persist persist
Definition: manage.h:319
#define srandom
Definition: syshead.h:45
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:365
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:265
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
#define OPT_P_PLUGIN
Definition: options.h:693
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4523
int script_security(void)
Definition: run_command.c:45
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
#define SDL_CONSTRAIN
Definition: error.h:182
const char * auth_user_pass_verify_script
Definition: ssl_common.h:335
const char * shared_secret_file
Definition: options.h:509
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
#define RH_PORT_LEN
Definition: options.h:193
#define EVENT_METHOD_FAST
Definition: event.h:80
uint32_t peer_id
Definition: options.h:642
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3876
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:321
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
bool tls_crypt_v2_file_inline
Definition: options.h:156
void close_instance(struct context *c)
Definition: init.c:4323
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2825
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:96
int renegotiate_seconds
Definition: options.h:587
const char * client_config_dir_exclusive
Definition: ssl_common.h:349
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1330
#define OPT_P_IPWIN32
Definition: options.h:672
bool persist_key
Definition: options.h:307
#define SIGUSR1
Definition: config-msvc.h:115
int replay_window
Definition: options.h:523
int persist_mode
Definition: options.h:233
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:455
const char * auth_user_pass_file
Definition: ssl_common.h:338
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3729
struct context_buffers * buffers
Definition: openvpn.h:356
int verify_x509_type
Definition: ssl_common.h:298
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:109
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
struct event_timeout wait_for_connect
Definition: openvpn.h:282
int rcvbuf
Definition: options.h:361
const char * config_ncp_ciphers
Definition: ssl_common.h:323
#define D_LOG_RW
Definition: errlevel.h:111
struct link_socket_info * link_socket_info
Definition: openvpn.h:240
static void next_connection_entry(struct context *c)
Definition: init.c:469
int handshake_window
Definition: ssl_common.h:289
struct connection_list * connection_list
Definition: options.h:249
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
#define LS_MODE_DEFAULT
Definition: socket.h:191
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:248
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
#define RH_HOST_LEN
Definition: options.h:191
const char * exit_event_name
Definition: options.h:633
#define AR_NONE
Definition: options.h:838
const struct link_socket * accept_from
Definition: openvpn.h:241
void md_ctx_free(md_ctx_t *ctx)
bool route_noexec
Definition: options.h:377
unsigned int sockflags
Definition: options.h:369
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2485
in_addr_t remote_netmask
Definition: tun.h:174
const char * tls_crypt_file
Definition: options.h:150
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
static void do_close_tls(struct context *c)
Definition: init.c:3459
const char * genkey_extra_data
Definition: options.h:244
static bool ce_management_query_remote(struct context *c)
Definition: init.c:380
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
char * x509_username_field[2]
Definition: ssl_common.h:312
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define ENABLE_PKCS11
Definition: config-msvc.h:13
const char * route_script
Definition: options.h:372
int management_state_buffer_size
Definition: options.h:398
struct man_def_auth_context * mda_context
Definition: ssl_common.h:376
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:487
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:107
#define D_READ_WRITE
Definition: errlevel.h:165
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:103
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3074
const char * config
Definition: options.h:219
#define dmsg(flags,...)
Definition: error.h:153
int route_delay
Definition: options.h:378
void remove_pid_file(void)
Definition: init.c:4586
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:490
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:329
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:373
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3754
const char * ekm_label
Definition: ssl_common.h:389
void post_init_signal_catch(void)
Definition: sig.c:249
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
struct frame frame_initial
Definition: openvpn.h:248
bool down_pre
Definition: options.h:331
int keepalive_timeout
Definition: options.h:290
#define OPT_P_SOCKBUF
Definition: options.h:694
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:176
#define SIGTERM
Definition: config-msvc.h:117
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:340
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1443
#define TLS_MODE(c)
Definition: openvpn.h:526
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:585
bool push_peer_info
Definition: options.h:622
#define OPT_P_SETENV
Definition: options.h:674
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:588
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3795
bool tls_crypt_file_inline
Definition: options.h:151
#define PING_RESTART
Definition: options.h:301
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3024
int handshake_window
Definition: options.h:592
#define ASSERT(x)
Definition: error.h:200
static void do_close_plugins(struct context *c)
Definition: init.c:3791
#define D_SHOW_NET
Definition: errlevel.h:130
static int ifconfig_order(void)
Definition: tun.h:330
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:224
unsigned int crypto_flags
Definition: ssl_common.h:316
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:261
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:616
int explicit_exit_notification
Definition: options.h:131
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
int status_file_update_freq
Definition: options.h:351
int verify_x509_type
Definition: options.h:553
unsigned int unsuccessful_attempts
Definition: options.h:255
void close_management(void)
Definition: init.c:3960
bool platform_unlink(const char *filename)
Definition: platform.c:354
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:485
const char * config_ciphername
Definition: ssl_common.h:322
const char * prng_hash
Definition: options.h:518
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1866
int ping_rec_timeout
Definition: options.h:296
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
#define D_LOW
Definition: errlevel.h:98
bool ifconfig_noexec
Definition: options.h:275
bool fast_io
Definition: options.h:354
int key_direction
Definition: options.h:511
int renegotiate_bytes
Definition: ssl_common.h:291
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
static void update_options_ce_post(struct options *options)
Definition: init.c:193
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
struct tuntap_options options
Definition: tun.h:168
bool link_mtu_defined
Definition: options.h:122
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:67
bool init_static(void)
Definition: init.c:754
void platform_mlockall(bool print_msg)
Definition: platform.c:197
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
struct frame frame_fragment_initial
Definition: openvpn.h:254
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:223
bool use_peer_id
Definition: ssl_common.h:608
struct event_timeout ping_send_interval
Definition: openvpn.h:283
bool route_delay_defined
Definition: options.h:380
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:475
bool tls_exit
Definition: options.h:624
#define MF_SERVER
Definition: manage.h:331
bool print_openssl_info(const struct options *options)
Definition: init.c:1034
void restore_signal_state(void)
Definition: sig.c:264
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
int key_direction
Definition: options.h:147
#define PULL_DEFINED(opt)
Definition: options.h:702
bool route_nopull
Definition: options.h:384
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3566
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1239
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
const char * tls_export_cert
Definition: options.h:555
const char * route_default_gateway
Definition: options.h:374
const char * ncp_ciphers
Definition: options.h:516
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3988
int remap_sigusr1
Definition: options.h:336
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:138
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
bool remote_random
Definition: options.h:263
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
bool status_close(struct status_output *so)
Definition: status.c:190
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
struct context_1 c1
Level 1 context.
Definition: openvpn.h:503
void pre_init_signal_catch(void)
Definition: sig.c:235
#define WSO_FORCE_CONSOLE
Definition: win32.h:167
void init_options_dev(struct options *options)
Definition: init.c:1024
void write_pid_file(const char *filename, const char *chroot_dir)
Definition: init.c:4556
struct context_persist persist
Persistent context.
Definition: openvpn.h:500
void prng_uninit(void)
Definition: crypto.c:1734
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:367
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1282
bool auth_user_pass_verify_script_via_file
Definition: options.h:482
#define WSO_MODE_CONSOLE
Definition: win32.h:152
const char * tls_verify
Definition: options.h:552
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1452
struct buffer decrypt_buf
Definition: openvpn.h:99
struct event_timeout inactivity_interval
Definition: openvpn.h:287
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:488
size_t ekm_size
Definition: ssl_common.h:391
bool open_management(struct context *c)
Definition: init.c:3909
#define CLEAR(x)
Definition: basic.h:33
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
#define BUF_SIZE(f)
Definition: mtu.h:194
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:126
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4398
#define OPT_P_PULL_MODE
Definition: options.h:692
struct frame frame_fragment
Definition: openvpn.h:253
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3816
void context_gc_free(struct context *c)
Definition: init.c:715
static void do_open_status_output(struct context *c)
Definition: init.c:3615
bool crl_file_inline
Definition: options.h:557
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2634
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2739
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:308
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
#define CE_MAN_QUERY_REMOTE_MASK
Definition: