OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
73 context_clear(struct context *c)
74 {
75  CLEAR(*c);
76 }
77 
78 void
79 context_clear_1(struct context *c)
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
85 context_clear_2(struct context *c)
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
91 context_clear_all_except_first_time(struct context *c)
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
193 update_options_ce_post(struct options *options)
194 {
195 #if P2MP
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
206  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
207  options->ping_rec_timeout_action = PING_RESTART;
208  }
209 #endif
210 }
211 
212 #ifdef ENABLE_MANAGEMENT
213 static bool
214 management_callback_proxy_cmd(void *arg, const char **p)
215 {
216  struct context *c = arg;
217  struct connection_entry *ce = &c->options.ce;
218  struct gc_arena *gc = &c->c2.gc;
219  bool ret = false;
220 
221  update_time();
222  if (streq(p[1], "NONE"))
223  {
224  ret = true;
225  }
226  else if (p[2] && p[3])
227  {
228  if (streq(p[1], "HTTP"))
229  {
230  struct http_proxy_options *ho;
231  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
232  {
233  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
234  return false;
235  }
236  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
237  ho->server = string_alloc(p[2], gc);
238  ho->port = string_alloc(p[3], gc);
239  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
240  ret = true;
241  }
242  else if (streq(p[1], "SOCKS"))
243  {
244  ce->socks_proxy_server = string_alloc(p[2], gc);
245  ce->socks_proxy_port = string_alloc(p[3], gc);
246  ret = true;
247  }
248  }
249  else
250  {
251  msg(M_WARN, "Bad proxy command");
252  }
253 
254  ce->flags &= ~CE_MAN_QUERY_PROXY;
255 
256  return ret;
257 }
258 
259 static bool
260 ce_management_query_proxy(struct context *c)
261 {
262  const struct connection_list *l = c->options.connection_list;
263  struct connection_entry *ce = &c->options.ce;
264  struct gc_arena gc;
265  bool ret = true;
266 
267  update_time();
268  if (management)
269  {
270  gc = gc_new();
271  {
272  struct buffer out = alloc_buf_gc(256, &gc);
273  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
274  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
275  management_notify_generic(management, BSTR(&out));
276  management->persist.special_state_msg = BSTR(&out);
277  }
278  ce->flags |= CE_MAN_QUERY_PROXY;
279  while (ce->flags & CE_MAN_QUERY_PROXY)
280  {
281  management_event_loop_n_seconds(management, 1);
282  if (IS_SIG(c))
283  {
284  ret = false;
285  break;
286  }
287  }
288  management->persist.special_state_msg = NULL;
289  gc_free(&gc);
290  }
291 
292  return ret;
293 }
294 
309 static bool
310 management_callback_send_cc_message(void *arg,
311  const char *command,
312  const char *parameters)
313 {
314  struct context *c = (struct context *) arg;
315  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
316  if (len > PUSH_BUNDLE_SIZE)
317  {
318  return false;
319  }
320 
321  struct gc_arena gc = gc_new();
322  struct buffer buf = alloc_buf_gc(len, &gc);
323  ASSERT(buf_printf(&buf, "%s", command));
324  if (parameters)
325  {
326  ASSERT(buf_printf(&buf, ",%s", parameters));
327  }
328  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
329 
330  gc_free(&gc);
331  return status;
332 }
333 
334 static bool
335 management_callback_remote_cmd(void *arg, const char **p)
336 {
337  struct context *c = (struct context *) arg;
338  struct connection_entry *ce = &c->options.ce;
339  int ret = false;
340  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
341  {
342  int flags = 0;
343  if (!strcmp(p[1], "ACCEPT"))
344  {
345  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
346  ret = true;
347  }
348  else if (!strcmp(p[1], "SKIP"))
349  {
350  flags = CE_MAN_QUERY_REMOTE_SKIP;
351  ret = true;
352  }
353  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
354  {
355  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
356  {
357  struct remote_host_store *rhs = c->options.rh_store;
358  if (!rhs)
359  {
360  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
361  c->options.rh_store = rhs;
362  }
363  strncpynt(rhs->host, p[2], RH_HOST_LEN);
364  strncpynt(rhs->port, p[3], RH_PORT_LEN);
365 
366  ce->remote = rhs->host;
367  ce->remote_port = rhs->port;
368  flags = CE_MAN_QUERY_REMOTE_MOD;
369  ret = true;
370  }
371  }
372  if (ret)
373  {
374  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
375  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
376  }
377  }
378  return ret;
379 }
380 
381 static bool
382 ce_management_query_remote(struct context *c)
383 {
384  struct gc_arena gc = gc_new();
385  volatile struct connection_entry *ce = &c->options.ce;
386  int ce_changed = true; /* presume the connection entry will be changed */
387 
388  update_time();
389  if (management)
390  {
391  struct buffer out = alloc_buf_gc(256, &gc);
392 
393  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
394  proto2ascii(ce->proto, ce->af, false));
395  management_notify_generic(management, BSTR(&out));
396  management->persist.special_state_msg = BSTR(&out);
397 
398  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
399  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
400  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
401  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
402  {
403  management_event_loop_n_seconds(management, 1);
404  if (IS_SIG(c))
405  {
406  ce_changed = false; /* connection entry have not been set */
407  break;
408  }
409  }
410  management->persist.special_state_msg = NULL;
411  }
412  gc_free(&gc);
413 
414  if (ce_changed)
415  {
416  /* If it is likely a connection entry was modified,
417  * check what changed in the flags and that it was not skipped
418  */
419  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
420  & CE_MAN_QUERY_REMOTE_MASK);
421  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
422  }
423  return ce_changed;
424 }
425 #endif /* ENABLE_MANAGEMENT */
426 
427 /*
428  * Initialize and possibly randomize connection list.
429  */
430 static void
431 init_connection_list(struct context *c)
432 {
433  struct connection_list *l = c->options.connection_list;
434 
435  l->current = -1;
436  if (c->options.remote_random)
437  {
438  int i;
439  for (i = 0; i < l->len; ++i)
440  {
441  const int j = get_random() % l->len;
442  if (i != j)
443  {
444  struct connection_entry *tmp;
445  tmp = l->array[i];
446  l->array[i] = l->array[j];
447  l->array[j] = tmp;
448  }
449  }
450  }
451 }
452 
453 /*
454  * Clear the remote address list
455  */
456 static void
457 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
458 {
459  if (lsa->remote_list && free)
460  {
461  freeaddrinfo(lsa->remote_list);
462  }
463  lsa->remote_list = NULL;
464  lsa->current_remote = NULL;
465 }
466 
467 /*
468  * Increment to next connection entry
469  */
470 static void
471 next_connection_entry(struct context *c)
472 {
473  struct connection_list *l = c->options.connection_list;
474  bool ce_defined;
475  struct connection_entry *ce;
476  int n_cycles = 0;
477 
478  do
479  {
480  ce_defined = true;
481  if (c->options.no_advance && l->current >= 0)
482  {
483  c->options.no_advance = false;
484  }
485  else
486  {
487  /* Check if there is another resolved address to try for
488  * the current connection */
489  if (c->c1.link_socket_addr.current_remote
490  && c->c1.link_socket_addr.current_remote->ai_next)
491  {
492  c->c1.link_socket_addr.current_remote =
493  c->c1.link_socket_addr.current_remote->ai_next;
494  }
495  else
496  {
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* Connection entry addrinfo objects might have been
504  * resolved earlier but the entry itself might have been
505  * skipped by management on the previous loop.
506  * If so, clear the addrinfo objects as close_instance does
507  */
508  if (c->c1.link_socket_addr.remote_list)
509  {
510  clear_remote_addrlist(&c->c1.link_socket_addr,
511  !c->options.resolve_in_advance);
512  }
513 
514  /* close_instance should have cleared the addrinfo objects */
515  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
516  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
517  }
518  else
519  {
520  c->c1.link_socket_addr.current_remote =
521  c->c1.link_socket_addr.remote_list;
522  }
523 
524  /*
525  * Increase the number of connection attempts
526  * If this is connect-retry-max * size(l)
527  * OpenVPN will quit
528  */
529 
530  c->options.unsuccessful_attempts++;
531 
532  if (++l->current >= l->len)
533  {
534 
535  l->current = 0;
536  if (++n_cycles >= 2)
537  {
538  msg(M_FATAL, "No usable connection profiles are present");
539  }
540  }
541  }
542  }
543 
544  ce = l->array[l->current];
545 
546  if (ce->flags & CE_DISABLED)
547  {
548  ce_defined = false;
549  }
550 
551  c->options.ce = *ce;
552 #ifdef ENABLE_MANAGEMENT
553  if (ce_defined && management && management_query_remote_enabled(management))
554  {
555  /* allow management interface to override connection entry details */
556  ce_defined = ce_management_query_remote(c);
557  if (IS_SIG(c))
558  {
559  break;
560  }
561  }
562  else if (ce_defined && management && management_query_proxy_enabled(management))
563  {
564  ce_defined = ce_management_query_proxy(c);
565  if (IS_SIG(c))
566  {
567  break;
568  }
569  }
570 #endif
571  } while (!ce_defined);
572 
573  /* Check if this connection attempt would bring us over the limit */
574  if (c->options.connect_retry_max > 0
575  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
576  {
577  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
578  c->options.connect_retry_max);
579  }
580  update_options_ce_post(&c->options);
581 }
582 
583 /*
584  * Query for private key and auth-user-pass username/passwords
585  */
586 void
587 init_query_passwords(const struct context *c)
588 {
589  /* Certificate password input */
590  if (c->options.key_pass_file)
591  {
592  pem_password_setup(c->options.key_pass_file);
593  }
594 
595 #if P2MP
596  /* Auth user/pass input */
597  if (c->options.auth_user_pass_file)
598  {
599 #ifdef ENABLE_MANAGEMENT
600  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
601 #else
602  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
603 #endif
604  }
605 #endif
606 }
607 
608 /*
609  * Initialize/Uninitialize HTTP or SOCKS proxy
610  */
611 
612 static void
613 uninit_proxy_dowork(struct context *c)
614 {
615  if (c->c1.http_proxy_owned && c->c1.http_proxy)
616  {
617  http_proxy_close(c->c1.http_proxy);
618  c->c1.http_proxy = NULL;
619  c->c1.http_proxy_owned = false;
620  }
621  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
622  {
623  socks_proxy_close(c->c1.socks_proxy);
624  c->c1.socks_proxy = NULL;
625  c->c1.socks_proxy_owned = false;
626  }
627 }
628 
629 static void
630 init_proxy_dowork(struct context *c)
631 {
632  bool did_http = false;
633 
634  uninit_proxy_dowork(c);
635 
636  if (c->options.ce.http_proxy_options)
637  {
638  /* Possible HTTP proxy user/pass input */
639  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
640  if (c->c1.http_proxy)
641  {
642  did_http = true;
643  c->c1.http_proxy_owned = true;
644  }
645  }
646 
647  if (!did_http && c->options.ce.socks_proxy_server)
648  {
649  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
650  c->options.ce.socks_proxy_port,
651  c->options.ce.socks_proxy_authfile);
652  if (c->c1.socks_proxy)
653  {
654  c->c1.socks_proxy_owned = true;
655  }
656  }
657 }
658 
659 static void
660 init_proxy(struct context *c)
661 {
662  init_proxy_dowork(c);
663 }
664 
665 static void
666 uninit_proxy(struct context *c)
667 {
668  uninit_proxy_dowork(c);
669 }
670 
671 /*
672  * Saves the initial state of NCP-regotiable
673  * options into a storage which persists over SIGUSR1.
674  */
675 static void
676 save_ncp_options(struct context *c)
677 {
678  c->c1.ciphername = c->options.ciphername;
679  c->c1.authname = c->options.authname;
680  c->c1.keysize = c->options.keysize;
681 }
682 
683 /* Restores NCP-negotiable options to original values */
684 static void
685 restore_ncp_options(struct context *c)
686 {
687  c->options.ciphername = c->c1.ciphername;
688  c->options.authname = c->c1.authname;
689  c->options.keysize = c->c1.keysize;
690  c->options.data_channel_use_ekm = false;
691 }
692 
693 void
694 context_init_1(struct context *c)
695 {
696  context_clear_1(c);
697 
698  packet_id_persist_init(&c->c1.pid_persist);
699 
700  init_connection_list(c);
701 
702  save_ncp_options(c);
703 
704 #if defined(ENABLE_PKCS11)
705  if (c->first_time)
706  {
707  int i;
708  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
709  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
710  {
711  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
712  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
713  }
714  }
715 #endif
716 
717 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
718  {
719  /*
720  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
721  */
722  struct user_pass up;
723  CLEAR(up);
724  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
725  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
726  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
727  * 'needok' command, usually 'ok' or 'cancel'. */
728  }
729 #endif
730 
731 #ifdef ENABLE_SYSTEMD
732  /* We can report the PID via getpid() to systemd here as OpenVPN will not
733  * do any fork due to daemon() a future call.
734  * See possibly_become_daemon() [init.c] for more details.
735  */
736  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
737  (unsigned long) getpid());
738 #endif
739 
740 }
741 
742 void
743 context_gc_free(struct context *c)
744 {
745  gc_free(&c->c2.gc);
746  gc_free(&c->options.gc);
747  gc_free(&c->gc);
748 }
749 
750 #if PORT_SHARE
751 
752 static void
753 close_port_share(void)
754 {
755  if (port_share)
756  {
757  port_share_close(port_share);
758  port_share = NULL;
759  }
760 }
761 
762 static void
763 init_port_share(struct context *c)
764 {
765  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
766  {
767  port_share = port_share_open(c->options.port_share_host,
768  c->options.port_share_port,
769  MAX_RW_SIZE_LINK(&c->c2.frame),
770  c->options.port_share_journal_dir);
771  if (port_share == NULL)
772  {
773  msg(M_FATAL, "Fatal error: Port sharing failed");
774  }
775  }
776 }
777 
778 #endif /* if PORT_SHARE */
779 
780 
781 bool
782 init_static(void)
783 {
784  /* configure_path (); */
785 
786 #if defined(DMALLOC)
787  crypto_init_dmalloc();
788 #endif
789 
790 
791  /*
792  * Initialize random number seed. random() is only used
793  * when "weak" random numbers are acceptable.
794  * SSL library routines are always used when cryptographically
795  * strong random numbers are required.
796  */
797  struct timeval tv;
798  if (!gettimeofday(&tv, NULL))
799  {
800  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
801  srandom(seed);
802  }
803 
804  error_reset(); /* initialize error.c */
805  reset_check_status(); /* initialize status check code in socket.c */
806 
807 #ifdef _WIN32
808  init_win32();
809 #endif
810 
811 #ifdef OPENVPN_DEBUG_COMMAND_LINE
812  {
813  int i;
814  for (i = 0; i < argc; ++i)
815  {
816  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
817  }
818  }
819 #endif
820 
821  update_time();
822 
823  init_ssl_lib();
824 
825  /* init PRNG used for IV generation */
826  /* When forking, copy this to more places in the code to avoid fork
827  * random-state predictability */
828  prng_init(NULL, 0);
829 
830 #ifdef PID_TEST
831  packet_id_interactive_test(); /* test the sequence number code */
832  return false;
833 #endif
834 
835 #ifdef SCHEDULE_TEST
836  schedule_test();
837  return false;
838 #endif
839 
840 #ifdef LIST_TEST
841  list_test();
842  return false;
843 #endif
844 
845 #ifdef IFCONFIG_POOL_TEST
846  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
847  return false;
848 #endif
849 
850 #ifdef CHARACTER_CLASS_DEBUG
851  character_class_debug();
852  return false;
853 #endif
854 
855 #ifdef EXTRACT_X509_FIELD_TEST
856  extract_x509_field_test();
857  return false;
858 #endif
859 
860 #ifdef TIME_TEST
861  time_test();
862  return false;
863 #endif
864 
865 #ifdef TEST_GET_DEFAULT_GATEWAY
866  {
867  struct route_gateway_info rgi;
868  struct route_ipv6_gateway_info rgi6;
869  get_default_gateway(&rgi);
870  get_default_gateway_ipv6(&rgi6, NULL);
871  print_default_gateway(M_INFO, &rgi, &rgi6);
872  return false;
873  }
874 #endif
875 
876 #ifdef GEN_PATH_TEST
877  {
878  struct gc_arena gc = gc_new();
879  const char *fn = gen_path("foo",
880  "bar",
881  &gc);
882  printf("%s\n", fn);
883  gc_free(&gc);
884  }
885  return false;
886 #endif
887 
888 #ifdef STATUS_PRINTF_TEST
889  {
890  struct gc_arena gc = gc_new();
891  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
892  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
893  status_printf(so, "%s", "foo");
894  status_printf(so, "%s", "bar");
895  if (!status_close(so))
896  {
897  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
898  }
899  gc_free(&gc);
900  }
901  return false;
902 #endif
903 
904 #ifdef PRNG_TEST
905  {
906  struct gc_arena gc = gc_new();
907  uint8_t rndbuf[8];
908  int i;
909  prng_init("sha1", 16);
910  /*prng_init (NULL, 0);*/
911  const int factor = 1;
912  for (i = 0; i < factor * 8; ++i)
913  {
914 #if 1
915  prng_bytes(rndbuf, sizeof(rndbuf));
916 #else
917  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
918 #endif
919  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
920  }
921  gc_free(&gc);
922  prng_uninit();
923  return false;
924  }
925 #endif /* ifdef PRNG_TEST */
926 
927 #ifdef BUFFER_LIST_AGGREGATE_TEST
928  /* test buffer_list_aggregate function */
929  {
930  static const char *text[] = {
931  "It was a bright cold day in April, ",
932  "and the clocks were striking ",
933  "thirteen. ",
934  "Winston Smith, ",
935  "his chin nuzzled into his breast in an ",
936  "effort to escape the vile wind, ",
937  "slipped quickly through the glass doors ",
938  "of Victory Mansions, though not quickly ",
939  "enough to prevent a swirl of gritty dust from ",
940  "entering along with him."
941  };
942 
943  int iter, listcap;
944  for (listcap = 0; listcap < 12; ++listcap)
945  {
946  for (iter = 0; iter < 512; ++iter)
947  {
948  struct buffer_list *bl = buffer_list_new(listcap);
949  {
950  int i;
951  for (i = 0; i < SIZE(text); ++i)
952  {
953  buffer_list_push(bl, (unsigned char *)text[i]);
954  }
955  }
956  printf("[cap=%d i=%d] *************************\n", listcap, iter);
957  if (!(iter & 8))
958  {
959  buffer_list_aggregate(bl, iter/2);
960  }
961  if (!(iter & 16))
962  {
963  buffer_list_push(bl, (unsigned char *)"Even more text...");
964  }
965  buffer_list_aggregate(bl, iter);
966  if (!(iter & 1))
967  {
968  buffer_list_push(bl, (unsigned char *)"More text...");
969  }
970  {
971  struct buffer *buf;
972  while ((buf = buffer_list_peek(bl)))
973  {
974  int c;
975  printf("'");
976  while ((c = buf_read_u8(buf)) >= 0)
977  {
978  putchar(c);
979  }
980  printf("'\n");
981  buffer_list_advance(bl, 0);
982  }
983  }
984  buffer_list_free(bl);
985  }
986  }
987  return false;
988  }
989 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
990 
991 #ifdef MSTATS_TEST
992  {
993  int i;
994  mstats_open("/dev/shm/mstats.dat");
995  for (i = 0; i < 30; ++i)
996  {
997  mmap_stats->n_clients += 1;
998  mmap_stats->link_write_bytes += 8;
999  mmap_stats->link_read_bytes += 16;
1000  sleep(1);
1001  }
1002  mstats_close();
1003  return false;
1004  }
1005 #endif
1006 
1007  return true;
1008 }
1009 
1010 void
1011 uninit_static(void)
1012 {
1013  free_ssl_lib();
1014 
1015 #ifdef ENABLE_PKCS11
1016  pkcs11_terminate();
1017 #endif
1018 
1019 #if PORT_SHARE
1020  close_port_share();
1021 #endif
1022 
1023 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
1024  show_tls_performance_stats();
1025 #endif
1026 }
1027 
1028 void
1029 init_verb_mute(struct context *c, unsigned int flags)
1030 {
1031  if (flags & IVM_LEVEL_1)
1032  {
1033  /* set verbosity and mute levels */
1034  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1035  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1036  set_mute_cutoff(c->options.mute);
1037  }
1038 
1039  /* special D_LOG_RW mode */
1040  if (flags & IVM_LEVEL_2)
1041  {
1042  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1043  }
1044 }
1045 
1046 /*
1047  * Possibly set --dev based on --dev-node.
1048  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1049  * set --dev to tun.
1050  */
1051 void
1052 init_options_dev(struct options *options)
1053 {
1054  if (!options->dev && options->dev_node)
1055  {
1056  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1057  options->dev = basename(dev_node);
1058  }
1059 }
1060 
1061 bool
1062 print_openssl_info(const struct options *options)
1063 {
1064  /*
1065  * OpenSSL info print mode?
1066  */
1067  if (options->show_ciphers || options->show_digests || options->show_engines
1068  || options->show_tls_ciphers || options->show_curves)
1069  {
1070  if (options->show_ciphers)
1071  {
1072  show_available_ciphers();
1073  }
1074  if (options->show_digests)
1075  {
1076  show_available_digests();
1077  }
1078  if (options->show_engines)
1079  {
1080  show_available_engines();
1081  }
1082  if (options->show_tls_ciphers)
1083  {
1084  show_available_tls_ciphers(options->cipher_list,
1085  options->cipher_list_tls13,
1086  options->tls_cert_profile);
1087  }
1088  if (options->show_curves)
1089  {
1090  show_available_curves();
1091  }
1092  return true;
1093  }
1094  return false;
1095 }
1096 
1097 /*
1098  * Static pre-shared key generation mode?
1099  */
1100 bool
1101 do_genkey(const struct options *options)
1102 {
1103  /* should we disable paging? */
1104  if (options->mlock && (options->genkey))
1105  {
1106  platform_mlockall(true);
1107  }
1108 
1109  /*
1110  * We do not want user to use --genkey with --secret. In the transistion
1111  * phase we for secret.
1112  */
1113  if (options->genkey && options->genkey_type != GENKEY_SECRET
1114  && options->shared_secret_file)
1115  {
1116  msg(M_USAGE, "Using --genkey type with --secret filename is "
1117  "not supported. Use --genkey type filename instead.");
1118  }
1119  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1120  {
1121  int nbits_written;
1122  const char *genkey_filename = options->genkey_filename;
1123  if (options->shared_secret_file && options->genkey_filename)
1124  {
1125  msg(M_USAGE, "You must provide a filename to either --genkey "
1126  "or --secret, not both");
1127  }
1128 
1129  /*
1130  * Copy filename from shared_secret_file to genkey_filename to support
1131  * the old --genkey --secret foo.file syntax.
1132  */
1133  if (options->shared_secret_file)
1134  {
1135  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1136  "DEPRECATED. Use --genkey secret filename instead.");
1137  genkey_filename = options->shared_secret_file;
1138  }
1139 
1140  nbits_written = write_key_file(2, genkey_filename);
1141  if (nbits_written < 0)
1142  {
1143  msg(M_FATAL, "Failed to write key file");
1144  }
1145 
1146  msg(D_GENKEY | M_NOPREFIX,
1147  "Randomly generated %d bit key written to %s", nbits_written,
1148  options->shared_secret_file);
1149  return true;
1150  }
1151  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1152  {
1153  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1154  return true;
1155  }
1156  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1157  {
1158  if (!options->tls_crypt_v2_file)
1159  {
1160  msg(M_USAGE,
1161  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1162  }
1163 
1164  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1165  options->genkey_extra_data, options->tls_crypt_v2_file,
1166  options->tls_crypt_v2_file_inline);
1167  return true;
1168  }
1169  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1170  {
1171  auth_token_write_server_key_file(options->genkey_filename);
1172  return true;
1173  }
1174  else
1175  {
1176  return false;
1177  }
1178 }
1179 
1180 /*
1181  * Persistent TUN/TAP device management mode?
1182  */
1183 bool
1184 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1185 {
1186  if (options->persist_config)
1187  {
1188  /* sanity check on options for --mktun or --rmtun */
1189  notnull(options->dev, "TUN/TAP device (--dev)");
1190  if (options->ce.remote || options->ifconfig_local
1191  || options->ifconfig_remote_netmask
1192  || options->shared_secret_file
1193  || options->tls_server || options->tls_client
1194  )
1195  {
1196  msg(M_FATAL|M_OPTERR,
1197  "options --mktun or --rmtun should only be used together with --dev");
1198  }
1199 #ifdef ENABLE_FEATURE_TUN_PERSIST
1200  tuncfg(options->dev, options->dev_type, options->dev_node,
1201  options->persist_mode,
1202  options->username, options->groupname, &options->tuntap_options,
1203  ctx);
1204  if (options->persist_mode && options->lladdr)
1205  {
1206  set_lladdr(options->dev, options->lladdr, NULL);
1207  }
1208  return true;
1209 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1210  msg( M_FATAL|M_OPTERR,
1211  "options --mktun and --rmtun are not available on your operating "
1212  "system. Please check 'man tun' (or 'tap'), whether your system "
1213  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1214  "persistent tunnel interfaces.", options->dev );
1215 #endif
1216  }
1217  return false;
1218 }
1219 
1220 /*
1221  * Should we become a daemon?
1222  * Return true if we did it.
1223  */
1224 bool
1225 possibly_become_daemon(const struct options *options)
1226 {
1227  bool ret = false;
1228 
1229 #ifdef ENABLE_SYSTEMD
1230  /* return without forking if we are running from systemd */
1231  if (sd_notify(0, "READY=0") > 0)
1232  {
1233  return ret;
1234  }
1235 #endif
1236 
1237  if (options->daemon)
1238  {
1239  /* Don't chdir immediately, but the end of the init sequence, if needed */
1240 
1241 #if defined(__APPLE__) && defined(__clang__)
1242 #pragma clang diagnostic push
1243 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1244 #endif
1245  if (daemon(1, options->log) < 0)
1246  {
1247  msg(M_ERR, "daemon() failed or unsupported");
1248  }
1249 #if defined(__APPLE__) && defined(__clang__)
1250 #pragma clang diagnostic pop
1251 #endif
1252  restore_signal_state();
1253  if (options->log)
1254  {
1255  set_std_files_to_null(true);
1256  }
1257 
1258  ret = true;
1259  }
1260  return ret;
1261 }
1262 
1263 /*
1264  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1265  */
1266 static void
1267 do_uid_gid_chroot(struct context *c, bool no_delay)
1268 {
1269  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1270  struct context_0 *c0 = c->c0;
1271 
1272  if (c0 && !c0->uid_gid_chroot_set)
1273  {
1274  /* chroot if requested */
1275  if (c->options.chroot_dir)
1276  {
1277  if (no_delay)
1278  {
1279  platform_chroot(c->options.chroot_dir);
1280  }
1281  else if (c->first_time)
1282  {
1283  msg(M_INFO, "NOTE: chroot %s", why_not);
1284  }
1285  }
1286 
1287  /* set user and/or group if we want to setuid/setgid */
1288  if (c0->uid_gid_specified)
1289  {
1290  if (no_delay)
1291  {
1292  platform_group_set(&c0->platform_state_group);
1293  platform_user_set(&c0->platform_state_user);
1294  }
1295  else if (c->first_time)
1296  {
1297  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1298  }
1299  }
1300 
1301 #ifdef ENABLE_MEMSTATS
1302  if (c->first_time && c->options.memstats_fn)
1303  {
1304  mstats_open(c->options.memstats_fn);
1305  }
1306 #endif
1307 
1308 #ifdef ENABLE_SELINUX
1309  /* Apply a SELinux context in order to restrict what OpenVPN can do
1310  * to _only_ what it is supposed to do after initialization is complete
1311  * (basically just network I/O operations). Doing it after chroot
1312  * requires /proc to be mounted in the chroot (which is annoying indeed
1313  * but doing it before requires more complex SELinux policies.
1314  */
1315  if (c->options.selinux_context)
1316  {
1317  if (no_delay)
1318  {
1319  if (-1 == setcon(c->options.selinux_context))
1320  {
1321  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1322  }
1323  else
1324  {
1325  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1326  }
1327  }
1328  else if (c->first_time)
1329  {
1330  msg(M_INFO, "NOTE: setcon %s", why_not);
1331  }
1332  }
1333 #endif
1334 
1335  /* Privileges are going to be dropped by now (if requested), be sure
1336  * to prevent any future privilege dropping attempts from now on.
1337  */
1338  if (no_delay)
1339  {
1340  c0->uid_gid_chroot_set = true;
1341  }
1342  }
1343 }
1344 
1345 /*
1346  * Return common name in a way that is formatted for
1347  * prepending to msg() output.
1348  */
1349 const char *
1350 format_common_name(struct context *c, struct gc_arena *gc)
1351 {
1352  struct buffer out = alloc_buf_gc(256, gc);
1353  if (c->c2.tls_multi)
1354  {
1355  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1356  }
1357  return BSTR(&out);
1358 }
1359 
1360 void
1361 pre_setup(const struct options *options)
1362 {
1363 #ifdef _WIN32
1364  if (options->exit_event_name)
1365  {
1366  win32_signal_open(&win32_signal,
1367  WSO_FORCE_SERVICE,
1368  options->exit_event_name,
1369  options->exit_event_initial_state);
1370  }
1371  else
1372  {
1373  win32_signal_open(&win32_signal,
1374  WSO_FORCE_CONSOLE,
1375  NULL,
1376  false);
1377 
1378  /* put a title on the top window bar */
1379  if (win32_signal.mode == WSO_MODE_CONSOLE)
1380  {
1381  window_title_save(&window_title);
1382  window_title_generate(options->config);
1383  }
1384  }
1385 #endif /* ifdef _WIN32 */
1386 }
1387 
1388 void
1389 reset_coarse_timers(struct context *c)
1390 {
1391  c->c2.coarse_timer_wakeup = 0;
1392 }
1393 
1394 /*
1395  * Initialise the server poll timeout timer
1396  * This timer is used in the http/socks proxy setup so it needs to be setup
1397  * before
1398  */
1399 static void
1400 do_init_server_poll_timeout(struct context *c)
1401 {
1402  update_time();
1403  if (c->options.ce.connect_timeout)
1404  {
1405  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1406  }
1407 }
1408 
1409 /*
1410  * Initialize timers
1411  */
1412 static void
1413 do_init_timers(struct context *c, bool deferred)
1414 {
1415  update_time();
1416  reset_coarse_timers(c);
1417 
1418  /* initialize inactivity timeout */
1419  if (c->options.inactivity_timeout)
1420  {
1421  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1422  }
1423 
1424  /* initialize pings */
1425 
1426  if (c->options.ping_send_timeout)
1427  {
1428  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1429  }
1430 
1431  if (c->options.ping_rec_timeout)
1432  {
1433  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1434  }
1435 
1436  if (!deferred)
1437  {
1438  /* initialize connection establishment timer */
1439  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1440 
1441  /* initialize occ timers */
1442 
1443  if (c->options.occ
1444  && !TLS_MODE(c)
1445  && c->c2.options_string_local && c->c2.options_string_remote)
1446  {
1447  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1448  }
1449 
1450  if (c->options.mtu_test)
1451  {
1452  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1453  }
1454 
1455  /* initialize packet_id persistence timer */
1456  if (c->options.packet_id_file)
1457  {
1458  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1459  }
1460 
1461  /* initialize tmp_int optimization that limits the number of times we call
1462  * tls_multi_process in the main event loop */
1463  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1464  }
1465 }
1466 
1467 /*
1468  * Initialize traffic shaper.
1469  */
1470 static void
1471 do_init_traffic_shaper(struct context *c)
1472 {
1473 #ifdef ENABLE_FEATURE_SHAPER
1474  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1475  if (c->options.shaper)
1476  {
1477  shaper_init(&c->c2.shaper, c->options.shaper);
1478  shaper_msg(&c->c2.shaper);
1479  }
1480 #endif
1481 }
1482 
1483 /*
1484  * Allocate route list structures for IPv4 and IPv6
1485  * (we do this for IPv4 even if no --route option has been seen, as other
1486  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1487  */
1488 static void
1489 do_alloc_route_list(struct context *c)
1490 {
1491  if (!c->c1.route_list)
1492  {
1493  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1494  }
1495  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1496  {
1497  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1498  }
1499 }
1500 
1501 
1502 /*
1503  * Initialize the route list, resolving any DNS names in route
1504  * options and saving routes in the environment.
1505  */
1506 static void
1507 do_init_route_list(const struct options *options,
1508  struct route_list *route_list,
1509  const struct link_socket_info *link_socket_info,
1510  struct env_set *es,
1511  openvpn_net_ctx_t *ctx)
1512 {
1513  const char *gw = NULL;
1514  int dev = dev_type_enum(options->dev, options->dev_type);
1515  int metric = 0;
1516 
1517  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1518  {
1519  gw = options->ifconfig_remote_netmask;
1520  }
1521  if (options->route_default_gateway)
1522  {
1523  gw = options->route_default_gateway;
1524  }
1525  if (options->route_default_metric)
1526  {
1527  metric = options->route_default_metric;
1528  }
1529 
1530  if (init_route_list(route_list,
1531  options->routes,
1532  gw,
1533  metric,
1534  link_socket_current_remote(link_socket_info),
1535  es,
1536  ctx))
1537  {
1538  /* copy routes to environment */
1539  setenv_routes(es, route_list);
1540  }
1541 }
1542 
1543 static void
1544 do_init_route_ipv6_list(const struct options *options,
1545  struct route_ipv6_list *route_ipv6_list,
1546  const struct link_socket_info *link_socket_info,
1547  struct env_set *es,
1548  openvpn_net_ctx_t *ctx)
1549 {
1550  const char *gw = NULL;
1551  int metric = -1; /* no metric set */
1552 
1553  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1554  if (options->route_ipv6_default_gateway)
1555  {
1556  gw = options->route_ipv6_default_gateway;
1557  }
1558 
1559  if (options->route_default_metric)
1560  {
1561  metric = options->route_default_metric;
1562  }
1563 
1564  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1565  */
1566  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1567  {
1568  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1569  int i;
1570 
1571  for (i = 0; opt_list[i]; i++)
1572  {
1573  add_route_ipv6_to_option_list( options->routes_ipv6,
1574  string_alloc(opt_list[i], options->routes_ipv6->gc),
1575  NULL, NULL );
1576  }
1577  }
1578 
1579  if (init_route_ipv6_list(route_ipv6_list,
1580  options->routes_ipv6,
1581  gw,
1582  metric,
1583  link_socket_current_remote_ipv6(link_socket_info),
1584  es,
1585  ctx))
1586  {
1587  /* copy routes to environment */
1588  setenv_routes_ipv6(es, route_ipv6_list);
1589  }
1590 }
1591 
1592 
1593 /*
1594  * Called after all initialization has been completed.
1595  */
1596 void
1597 initialization_sequence_completed(struct context *c, const unsigned int flags)
1598 {
1599  static const char message[] = "Initialization Sequence Completed";
1600 
1601  /* Reset the unsuccessful connection counter on complete initialisation */
1602  c->options.unsuccessful_attempts = 0;
1603 
1604  /* If we delayed UID/GID downgrade or chroot, do it now */
1605  do_uid_gid_chroot(c, true);
1606 
1607 
1608  /*
1609  * In some cases (i.e. when receiving auth-token via
1610  * push-reply) the auth-nocache option configured on the
1611  * client is overridden; for this reason we have to wait
1612  * for the push-reply message before attempting to wipe
1613  * the user/pass entered by the user
1614  */
1615  if (c->options.mode == MODE_POINT_TO_POINT)
1616  {
1617  ssl_clean_user_pass();
1618  }
1619 
1620  /* Test if errors */
1621  if (flags & ISC_ERRORS)
1622  {
1623 #ifdef _WIN32
1624  show_routes(M_INFO|M_NOPREFIX);
1625  show_adapters(M_INFO|M_NOPREFIX);
1626  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1627 #else
1628 #ifdef ENABLE_SYSTEMD
1629  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1630 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1631  msg(M_INFO, "%s With Errors", message);
1632 #endif
1633  }
1634  else
1635  {
1636 #ifdef ENABLE_SYSTEMD
1637  sd_notifyf(0, "STATUS=%s", message);
1638 #endif
1639  msg(M_INFO, "%s", message);
1640  }
1641 
1642  /* Flag that we initialized */
1643  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1644  {
1645  c->options.no_advance = true;
1646  }
1647 
1648 #ifdef _WIN32
1649  fork_register_dns_action(c->c1.tuntap);
1650 #endif
1651 
1652 #ifdef ENABLE_MANAGEMENT
1653  /* Tell management interface that we initialized */
1654  if (management)
1655  {
1656  in_addr_t *tun_local = NULL;
1657  struct in6_addr *tun_local6 = NULL;
1658  struct openvpn_sockaddr local, remote;
1659  struct link_socket_actual *actual;
1660  socklen_t sa_len = sizeof(local);
1661  const char *detail = "SUCCESS";
1662  if (flags & ISC_ERRORS)
1663  {
1664  detail = "ERROR";
1665  }
1666 
1667  CLEAR(local);
1668  actual = &get_link_socket_info(c)->lsa->actual;
1669  remote = actual->dest;
1670  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1671 #if ENABLE_IP_PKTINFO
1672  if (!addr_defined(&local))
1673  {
1674  switch (local.addr.sa.sa_family)
1675  {
1676  case AF_INET:
1677 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1678  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1679 #else
1680  local.addr.in4.sin_addr = actual->pi.in4;
1681 #endif
1682  break;
1683 
1684  case AF_INET6:
1685  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1686  break;
1687  }
1688  }
1689 #endif
1690 
1691  if (c->c1.tuntap)
1692  {
1693  tun_local = &c->c1.tuntap->local;
1694  tun_local6 = &c->c1.tuntap->local_ipv6;
1695  }
1696  management_set_state(management,
1697  OPENVPN_STATE_CONNECTED,
1698  detail,
1699  tun_local,
1700  tun_local6,
1701  &local,
1702  &remote);
1703  if (tun_local)
1704  {
1705  management_post_tunnel_open(management, *tun_local);
1706  }
1707  }
1708 #endif /* ifdef ENABLE_MANAGEMENT */
1709 }
1710 
1711 /*
1712  * Possibly add routes and/or call route-up script
1713  * based on options.
1714  */
1715 void
1716 do_route(const struct options *options,
1717  struct route_list *route_list,
1718  struct route_ipv6_list *route_ipv6_list,
1719  const struct tuntap *tt,
1720  const struct plugin_list *plugins,
1721  struct env_set *es,
1722  openvpn_net_ctx_t *ctx)
1723 {
1724  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1725  {
1726  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1727  es, ctx);
1728  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1729  }
1730 #ifdef ENABLE_MANAGEMENT
1731  if (management)
1732  {
1733  management_up_down(management, "UP", es);
1734  }
1735 #endif
1736 
1737  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1738  {
1739  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1740  {
1741  msg(M_WARN, "WARNING: route-up plugin call failed");
1742  }
1743  }
1744 
1745  if (options->route_script)
1746  {
1747  struct argv argv = argv_new();
1748  setenv_str(es, "script_type", "route-up");
1749  argv_parse_cmd(&argv, options->route_script);
1750  openvpn_run_script(&argv, es, 0, "--route-up");
1751  argv_free(&argv);
1752  }
1753 
1754 #ifdef _WIN32
1755  if (options->show_net_up)
1756  {
1757  show_routes(M_INFO|M_NOPREFIX);
1758  show_adapters(M_INFO|M_NOPREFIX);
1759  }
1760  else if (check_debug_level(D_SHOW_NET))
1761  {
1762  show_routes(D_SHOW_NET|M_NOPREFIX);
1763  show_adapters(D_SHOW_NET|M_NOPREFIX);
1764  }
1765 #endif
1766 }
1767 
1768 /*
1769  * initialize tun/tap device object
1770  */
1771 static void
1772 do_init_tun(struct context *c)
1773 {
1774  c->c1.tuntap = init_tun(c->options.dev,
1775  c->options.dev_type,
1776  c->options.topology,
1777  c->options.ifconfig_local,
1778  c->options.ifconfig_remote_netmask,
1779  c->options.ifconfig_ipv6_local,
1780  c->options.ifconfig_ipv6_netbits,
1781  c->options.ifconfig_ipv6_remote,
1782  c->c1.link_socket_addr.bind_local,
1783  c->c1.link_socket_addr.remote_list,
1784  !c->options.ifconfig_nowarn,
1785  c->c2.es,
1786  &c->net_ctx);
1787 
1788 #ifdef _WIN32
1789  c->c1.tuntap->windows_driver = c->options.windows_driver;
1790 #endif
1791 
1792  init_tun_post(c->c1.tuntap,
1793  &c->c2.frame,
1794  &c->options.tuntap_options);
1795 
1796  c->c1.tuntap_owned = true;
1797 }
1798 
1799 /*
1800  * Open tun/tap device, ifconfig, call up script, etc.
1801  */
1802 
1803 static bool
1804 do_open_tun(struct context *c)
1805 {
1806  struct gc_arena gc = gc_new();
1807  bool ret = false;
1808 
1809 #ifndef TARGET_ANDROID
1810  if (!c->c1.tuntap)
1811  {
1812 #endif
1813 
1814 #ifdef TARGET_ANDROID
1815  /* If we emulate persist-tun on android we still have to open a new tun and
1816  * then close the old */
1817  int oldtunfd = -1;
1818  if (c->c1.tuntap)
1819  {
1820  oldtunfd = c->c1.tuntap->fd;
1821  free(c->c1.tuntap);
1822  c->c1.tuntap = NULL;
1823  c->c1.tuntap_owned = false;
1824  }
1825 #endif
1826 
1827  /* initialize (but do not open) tun/tap object */
1828  do_init_tun(c);
1829 
1830 #ifdef _WIN32
1831  /* store (hide) interactive service handle in tuntap_options */
1832  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1833  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1834 #endif
1835 
1836  /* allocate route list structure */
1837  do_alloc_route_list(c);
1838 
1839  /* parse and resolve the route option list */
1840  ASSERT(c->c2.link_socket);
1841  if (c->options.routes && c->c1.route_list)
1842  {
1843  do_init_route_list(&c->options, c->c1.route_list,
1844  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1845  }
1846  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1847  {
1848  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1849  &c->c2.link_socket->info, c->c2.es,
1850  &c->net_ctx);
1851  }
1852 
1853  /* do ifconfig */
1854  if (!c->options.ifconfig_noexec
1855  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1856  {
1857  /* guess actual tun/tap unit number that will be returned
1858  * by open_tun */
1859  const char *guess = guess_tuntap_dev(c->options.dev,
1860  c->options.dev_type,
1861  c->options.dev_node,
1862  &gc);
1863  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1864  &c->net_ctx);
1865  }
1866 
1867  /* possibly add routes */
1868  if (route_order() == ROUTE_BEFORE_TUN)
1869  {
1870  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1871  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1872  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1873  }
1874 #ifdef TARGET_ANDROID
1875  /* Store the old fd inside the fd so open_tun can use it */
1876  c->c1.tuntap->fd = oldtunfd;
1877 #endif
1878  /* open the tun device */
1879  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1880  c->c1.tuntap);
1881 
1882  /* set the hardware address */
1883  if (c->options.lladdr)
1884  {
1885  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1886  }
1887 
1888  /* do ifconfig */
1889  if (!c->options.ifconfig_noexec
1890  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1891  {
1892  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1893  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1894  }
1895 
1896  /* run the up script */
1897  run_up_down(c->options.up_script,
1898  c->plugins,
1899  OPENVPN_PLUGIN_UP,
1900  c->c1.tuntap->actual_name,
1901 #ifdef _WIN32
1902  c->c1.tuntap->adapter_index,
1903 #endif
1904  dev_type_string(c->options.dev, c->options.dev_type),
1905  TUN_MTU_SIZE(&c->c2.frame),
1906  EXPANDED_SIZE(&c->c2.frame),
1907  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1908  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1909  "init",
1910  NULL,
1911  "up",
1912  c->c2.es);
1913 
1914 #if defined(_WIN32)
1915  if (c->options.block_outside_dns)
1916  {
1917  dmsg(D_LOW, "Blocking outside DNS");
1918  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1919  {
1920  msg(M_FATAL, "Blocking DNS failed!");
1921  }
1922  }
1923 #endif
1924 
1925  /* possibly add routes */
1926  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1927  {
1928  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1929  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1930  }
1931 
1932  /*
1933  * Did tun/tap driver give us an MTU?
1934  */
1935  if (c->c1.tuntap->post_open_mtu)
1936  {
1937  frame_set_mtu_dynamic(&c->c2.frame,
1938  c->c1.tuntap->post_open_mtu,
1939  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1940  }
1941 
1942  ret = true;
1943  static_context = c;
1944 #ifndef TARGET_ANDROID
1945 }
1946 else
1947 {
1948  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1949  c->c1.tuntap->actual_name);
1950 
1951  /* explicitly set the ifconfig_* env vars */
1952  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1953 
1954  /* run the up script if user specified --up-restart */
1955  if (c->options.up_restart)
1956  {
1957  run_up_down(c->options.up_script,
1958  c->plugins,
1959  OPENVPN_PLUGIN_UP,
1960  c->c1.tuntap->actual_name,
1961 #ifdef _WIN32
1962  c->c1.tuntap->adapter_index,
1963 #endif
1964  dev_type_string(c->options.dev, c->options.dev_type),
1965  TUN_MTU_SIZE(&c->c2.frame),
1966  EXPANDED_SIZE(&c->c2.frame),
1967  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1968  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1969  "restart",
1970  NULL,
1971  "up",
1972  c->c2.es);
1973  }
1974 #if defined(_WIN32)
1975  if (c->options.block_outside_dns)
1976  {
1977  dmsg(D_LOW, "Blocking outside DNS");
1978  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1979  {
1980  msg(M_FATAL, "Blocking DNS failed!");
1981  }
1982  }
1983 #endif
1984 
1985 }
1986 #endif /* ifndef TARGET_ANDROID */
1987  gc_free(&gc);
1988  return ret;
1989 }
1990 
1991 /*
1992  * Close TUN/TAP device
1993  */
1994 
1995 static void
1996 do_close_tun_simple(struct context *c)
1997 {
1998  msg(D_CLOSE, "Closing TUN/TAP interface");
1999  if (c->c1.tuntap)
2000  {
2001  close_tun(c->c1.tuntap, &c->net_ctx);
2002  c->c1.tuntap = NULL;
2003  }
2004  c->c1.tuntap_owned = false;
2005 #if P2MP
2006  CLEAR(c->c1.pulled_options_digest_save);
2007 #endif
2008 }
2009 
2010 static void
2011 do_close_tun(struct context *c, bool force)
2012 {
2013  struct gc_arena gc = gc_new();
2014  if (c->c1.tuntap && c->c1.tuntap_owned)
2015  {
2016  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2017 #ifdef _WIN32
2018  DWORD adapter_index = c->c1.tuntap->adapter_index;
2019 #endif
2020  const in_addr_t local = c->c1.tuntap->local;
2021  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2022 
2023  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2024  {
2025  static_context = NULL;
2026 
2027 #ifdef ENABLE_MANAGEMENT
2028  /* tell management layer we are about to close the TUN/TAP device */
2029  if (management)
2030  {
2031  management_pre_tunnel_close(management);
2032  management_up_down(management, "DOWN", c->c2.es);
2033  }
2034 #endif
2035 
2036  /* delete any routes we added */
2037  if (c->c1.route_list || c->c1.route_ipv6_list)
2038  {
2039  run_up_down(c->options.route_predown_script,
2040  c->plugins,
2041  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2042  tuntap_actual,
2043 #ifdef _WIN32
2044  adapter_index,
2045 #endif
2046  NULL,
2047  TUN_MTU_SIZE(&c->c2.frame),
2048  EXPANDED_SIZE(&c->c2.frame),
2049  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2050  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2051  "init",
2052  signal_description(c->sig->signal_received,
2053  c->sig->signal_text),
2054  "route-pre-down",
2055  c->c2.es);
2056 
2057  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2058  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2059  c->c2.es, &c->net_ctx);
2060  }
2061 
2062  /* actually close tun/tap device based on --down-pre flag */
2063  if (!c->options.down_pre)
2064  {
2065  do_close_tun_simple(c);
2066  }
2067 
2068  /* Run the down script -- note that it will run at reduced
2069  * privilege if, for example, "--user nobody" was used. */
2070  run_up_down(c->options.down_script,
2071  c->plugins,
2072  OPENVPN_PLUGIN_DOWN,
2073  tuntap_actual,
2074 #ifdef _WIN32
2075  adapter_index,
2076 #endif
2077  NULL,
2078  TUN_MTU_SIZE(&c->c2.frame),
2079  EXPANDED_SIZE(&c->c2.frame),
2080  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2081  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2082  "init",
2083  signal_description(c->sig->signal_received,
2084  c->sig->signal_text),
2085  "down",
2086  c->c2.es);
2087 
2088 #if defined(_WIN32)
2089  if (c->options.block_outside_dns)
2090  {
2091  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2092  {
2093  msg(M_FATAL, "Uninitialising WFP failed!");
2094  }
2095  }
2096 #endif
2097 
2098  /* actually close tun/tap device based on --down-pre flag */
2099  if (c->options.down_pre)
2100  {
2101  do_close_tun_simple(c);
2102  }
2103  }
2104  else
2105  {
2106  /* run the down script on this restart if --up-restart was specified */
2107  if (c->options.up_restart)
2108  {
2109  run_up_down(c->options.down_script,
2110  c->plugins,
2111  OPENVPN_PLUGIN_DOWN,
2112  tuntap_actual,
2113 #ifdef _WIN32
2114  adapter_index,
2115 #endif
2116  NULL,
2117  TUN_MTU_SIZE(&c->c2.frame),
2118  EXPANDED_SIZE(&c->c2.frame),
2119  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2120  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2121  "restart",
2122  signal_description(c->sig->signal_received,
2123  c->sig->signal_text),
2124  "down",
2125  c->c2.es);
2126  }
2127 
2128 #if defined(_WIN32)
2129  if (c->options.block_outside_dns)
2130  {
2131  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2132  {
2133  msg(M_FATAL, "Uninitialising WFP failed!");
2134  }
2135  }
2136 #endif
2137 
2138  }
2139  }
2140  gc_free(&gc);
2141 }
2142 
2143 void
2144 tun_abort(void)
2145 {
2146  struct context *c = static_context;
2147  if (c)
2148  {
2149  static_context = NULL;
2150  do_close_tun(c, true);
2151  }
2152 }
2153 
2154 /*
2155  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2156  */
2157 
2158 #if P2MP
2159 
2163 static bool
2164 options_hash_changed_or_zero(const struct sha256_digest *a,
2165  const struct sha256_digest *b)
2166 {
2167  const struct sha256_digest zero = {{0}};
2168  return memcmp(a, b, sizeof(struct sha256_digest))
2169  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2170 }
2171 #endif /* P2MP */
2172 
2173 bool
2174 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2175 {
2176  if (!c->c2.do_up_ran)
2177  {
2178  reset_coarse_timers(c);
2179 
2180  if (pulled_options)
2181  {
2182  if (!do_deferred_options(c, option_types_found))
2183  {
2184  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2185  return false;
2186  }
2187  }
2188 
2189  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2190  if (c->options.up_delay || PULL_DEFINED(&c->options))
2191  {
2192  c->c2.did_open_tun = do_open_tun(c);
2193  update_time();
2194 
2195 #if P2MP
2196  /*
2197  * Was tun interface object persisted from previous restart iteration,
2198  * and if so did pulled options string change from previous iteration?
2199  */
2200  if (!c->c2.did_open_tun
2201  && PULL_DEFINED(&c->options)
2202  && c->c1.tuntap
2203  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2204  &c->c2.pulled_options_digest))
2205  {
2206  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2207  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2208  do_close_tun(c, true);
2209  management_sleep(1);
2210  c->c2.did_open_tun = do_open_tun(c);
2211  update_time();
2212  }
2213 #endif
2214  }
2215 
2216  if (c->c2.did_open_tun)
2217  {
2218 #if P2MP
2219  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2220 #endif
2221 
2222  /* if --route-delay was specified, start timer */
2223  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2224  {
2225  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2226  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2227  if (c->c1.tuntap)
2228  {
2229  tun_standby_init(c->c1.tuntap);
2230  }
2231  }
2232  else
2233  {
2234  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2235  }
2236  }
2237  else if (c->options.mode == MODE_POINT_TO_POINT)
2238  {
2239  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2240  }
2241 
2242  c->c2.do_up_ran = true;
2243  }
2244  return true;
2245 }
2246 
2247 /*
2248  * These are the option categories which will be accepted by pull.
2249  */
2250 unsigned int
2251 pull_permission_mask(const struct context *c)
2252 {
2253  unsigned int flags =
2254  OPT_P_UP
2255  | OPT_P_ROUTE_EXTRAS
2256  | OPT_P_SOCKBUF
2257  | OPT_P_SOCKFLAGS
2258  | OPT_P_SETENV
2259  | OPT_P_SHAPER
2260  | OPT_P_TIMER
2261  | OPT_P_COMP
2262  | OPT_P_PERSIST
2263  | OPT_P_MESSAGES
2264  | OPT_P_EXPLICIT_NOTIFY
2265  | OPT_P_ECHO
2266  | OPT_P_PULL_MODE
2267  | OPT_P_PEER_ID;
2268 
2269  if (!c->options.route_nopull)
2270  {
2271  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2272  }
2273 
2274  if (c->options.ncp_enabled)
2275  {
2276  flags |= OPT_P_NCP;
2277  }
2278 
2279  return flags;
2280 }
2281 
2282 /*
2283  * Handle non-tun-related pulled options.
2284  */
2285 bool
2286 do_deferred_options(struct context *c, const unsigned int found)
2287 {
2288  if (found & OPT_P_MESSAGES)
2289  {
2290  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2291  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2292  }
2293  if (found & OPT_P_TIMER)
2294  {
2295  do_init_timers(c, true);
2296  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2297  }
2298 
2299  if (found & OPT_P_EXPLICIT_NOTIFY)
2300  {
2301  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2304  c->options.ce.explicit_exit_notification = 0;
2305  }
2306  else
2307  {
2308  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2309  }
2310  }
2311 
2312 #ifdef USE_COMP
2313  if (found & OPT_P_COMP)
2314  {
2315  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2316  comp_uninit(c->c2.comp_context);
2317  c->c2.comp_context = comp_init(&c->options.comp);
2318  }
2319 #endif
2320 
2321  if (found & OPT_P_SHAPER)
2322  {
2323  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2324  do_init_traffic_shaper(c);
2325  }
2326 
2327  if (found & OPT_P_SOCKBUF)
2328  {
2329  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2330  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2331  }
2332 
2333  if (found & OPT_P_SOCKFLAGS)
2334  {
2335  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2336  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2337  }
2338 
2339  if (found & OPT_P_PERSIST)
2340  {
2341  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2342  }
2343  if (found & OPT_P_UP)
2344  {
2345  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2346  }
2347  if (found & OPT_P_ROUTE)
2348  {
2349  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2350  }
2351  if (found & OPT_P_ROUTE_EXTRAS)
2352  {
2353  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2354  }
2355  if (found & OPT_P_IPWIN32)
2356  {
2357  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2358  }
2359  if (found & OPT_P_SETENV)
2360  {
2361  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2362  }
2363 
2364  if (found & OPT_P_PEER_ID)
2365  {
2366  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2367  c->c2.tls_multi->use_peer_id = true;
2368  c->c2.tls_multi->peer_id = c->options.peer_id;
2369  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2370  if (!c->options.ce.link_mtu_defined)
2371  {
2372  frame_add_to_link_mtu(&c->c2.frame, +3);
2373  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2374  EXPANDED_SIZE(&c->c2.frame));
2375  }
2376  else
2377  {
2378  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2379  " fixed by config - reducing tun-mtu to %d, expect"
2380  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2381  }
2382  }
2383 
2384  /* process (potentially pushed) crypto options */
2385  if (c->options.pull)
2386  {
2387  if (!check_pull_client_ncp(c, found))
2388  {
2389  return false;
2390  }
2391  struct frame *frame_fragment = NULL;
2392 #ifdef ENABLE_FRAGMENT
2393  if (c->options.ce.fragment)
2394  {
2395  frame_fragment = &c->c2.frame_fragment;
2396  }
2397 #endif
2398 
2399  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2400  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2401  frame_fragment))
2402  {
2403  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2404  return false;
2405  }
2406  }
2407 
2408  return true;
2409 }
2410 
2411 /*
2412  * Possible hold on initialization, holdtime is the
2413  * time OpenVPN would wait without management
2414  */
2415 static bool
2416 do_hold(int holdtime)
2417 {
2418 #ifdef ENABLE_MANAGEMENT
2419  if (management)
2420  {
2421  /* block until management hold is released */
2422  if (management_hold(management, holdtime))
2423  {
2424  return true;
2425  }
2426  }
2427 #endif
2428  return false;
2429 }
2430 
2431 /*
2432  * Sleep before restart.
2433  */
2434 static void
2435 socket_restart_pause(struct context *c)
2436 {
2437  int sec = 2;
2438  int backoff = 0;
2439 
2440  switch (c->options.ce.proto)
2441  {
2442  case PROTO_TCP_SERVER:
2443  sec = 1;
2444  break;
2445 
2446  case PROTO_UDP:
2447  case PROTO_TCP_CLIENT:
2448  sec = c->options.ce.connect_retry_seconds;
2449  break;
2450  }
2451 
2452 #ifdef ENABLE_DEBUG
2453  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2454  {
2455  sec = 0;
2456  }
2457 #endif
2458 
2459 #if P2MP
2460  if (auth_retry_get() == AR_NOINTERACT)
2461  {
2462  sec = 10;
2463  }
2464 #endif
2465 
2466  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2467  if (c->options.ce.proto != PROTO_TCP_SERVER)
2468  {
2469  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2470  if (backoff > 0)
2471  {
2472  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2473  sec = max_int(sec, 1) << min_int(backoff, 15);
2474  }
2475 
2476  if (sec > c->options.ce.connect_retry_seconds_max)
2477  {
2478  sec = c->options.ce.connect_retry_seconds_max;
2479  }
2480  }
2481 
2482  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2483  {
2484  sec = c->persist.restart_sleep_seconds;
2485  }
2486  else if (c->persist.restart_sleep_seconds == -1)
2487  {
2488  sec = 0;
2489  }
2490  c->persist.restart_sleep_seconds = 0;
2491 
2492  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2493  if (do_hold(sec))
2494  {
2495  sec = 0;
2496  }
2497 
2498  if (sec)
2499  {
2500  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2501  management_sleep(sec);
2502  }
2503 }
2504 
2505 /*
2506  * Do a possible pause on context_2 initialization.
2507  */
2508 static void
2509 do_startup_pause(struct context *c)
2510 {
2511  if (!c->first_time)
2512  {
2513  socket_restart_pause(c);
2514  }
2515  else
2516  {
2517  do_hold(0); /* do management hold on first context initialization */
2518  }
2519 }
2520 
2521 /*
2522  * Finalize MTU parameters based on command line or config file options.
2523  */
2524 static void
2525 frame_finalize_options(struct context *c, const struct options *o)
2526 {
2527  if (!o)
2528  {
2529  o = &c->options;
2530  }
2531 
2532  /*
2533  * Set adjustment factor for buffer alignment when no
2534  * cipher is used.
2535  */
2536  if (!CIPHER_ENABLED(c))
2537  {
2538  frame_align_to_extra_frame(&c->c2.frame);
2539  frame_or_align_flags(&c->c2.frame,
2540  FRAME_HEADROOM_MARKER_FRAGMENT
2541  |FRAME_HEADROOM_MARKER_READ_LINK
2542  |FRAME_HEADROOM_MARKER_READ_STREAM);
2543  }
2544 
2545  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2546  frame_finalize(&c->c2.frame,
2547  o->ce.link_mtu_defined,
2548  o->ce.link_mtu,
2549  o->ce.tun_mtu_defined,
2550  o->ce.tun_mtu);
2551 }
2552 
2553 /*
2554  * Free a key schedule, including OpenSSL components.
2555  */
2556 static void
2557 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2558 {
2559  free_key_ctx_bi(&ks->static_key);
2560  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2561  {
2562  tls_ctx_free(&ks->ssl_ctx);
2563  }
2564  CLEAR(*ks);
2565 }
2566 
2567 static void
2568 init_crypto_pre(struct context *c, const unsigned int flags)
2569 {
2570  if (c->options.engine)
2571  {
2572  crypto_init_lib_engine(c->options.engine);
2573  }
2574 
2575  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2576  {
2577  /* load a persisted packet-id for cross-session replay-protection */
2578  if (c->options.packet_id_file)
2579  {
2580  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2581  }
2582  }
2583 
2584 #ifdef ENABLE_PREDICTION_RESISTANCE
2585  if (c->options.use_prediction_resistance)
2586  {
2587  rand_ctx_enable_prediction_resistance();
2588  }
2589 #endif
2590 }
2591 
2592 /*
2593  * Static Key Mode (using a pre-shared key)
2594  */
2595 static void
2596 do_init_crypto_static(struct context *c, const unsigned int flags)
2597 {
2598  const struct options *options = &c->options;
2599  ASSERT(options->shared_secret_file);
2600 
2601  init_crypto_pre(c, flags);
2602 
2603  /* Initialize flags */
2604  if (c->options.mute_replay_warnings)
2605  {
2606  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2607  }
2608 
2609  /* Initialize packet ID tracking */
2610  if (options->replay)
2611  {
2612  packet_id_init(&c->c2.crypto_options.packet_id,
2613  options->replay_window,
2614  options->replay_time,
2615  "STATIC", 0);
2616  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2617  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2618  packet_id_persist_load_obj(&c->c1.pid_persist,
2619  &c->c2.crypto_options.packet_id);
2620  }
2621 
2622  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2623  {
2624  /* Get cipher & hash algorithms */
2625  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2626  options->keysize, options->test_crypto, true);
2627 
2628  /* Read cipher and hmac keys from shared secret file */
2629  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2630  options->shared_secret_file,
2631  options->shared_secret_file_inline,
2632  options->key_direction, "Static Key Encryption",
2633  "secret");
2634  }
2635  else
2636  {
2637  msg(M_INFO, "Re-using pre-shared static key");
2638  }
2639 
2640  /* Get key schedule */
2641  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2642 
2643  /* Compute MTU parameters */
2644  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2645  options->replay, true);
2646 
2647  /* Sanity check on sequence number, and cipher mode options */
2648  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2649 }
2650 
2651 /*
2652  * Initialize the tls-auth/crypt key context
2653  */
2654 static void
2655 do_init_tls_wrap_key(struct context *c)
2656 {
2657  const struct options *options = &c->options;
2658 
2659  /* TLS handshake authentication (--tls-auth) */
2660  if (options->ce.tls_auth_file)
2661  {
2662  /* Initialize key_type for tls-auth with auth only */
2663  CLEAR(c->c1.ks.tls_auth_key_type);
2664  if (!streq(options->authname, "none"))
2665  {
2666  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2667  c->c1.ks.tls_auth_key_type.hmac_length =
2668  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2669  }
2670  else
2671  {
2672  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2673  "algorithm specified ('%s')", options->authname);
2674  }
2675 
2676  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2677  &c->c1.ks.tls_wrap_key,
2678  options->ce.tls_auth_file,
2679  options->ce.tls_auth_file_inline,
2680  options->ce.key_direction,
2681  "Control Channel Authentication", "tls-auth");
2682  }
2683 
2684  /* TLS handshake encryption+authentication (--tls-crypt) */
2685  if (options->ce.tls_crypt_file)
2686  {
2687  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2688  options->ce.tls_crypt_file,
2689  options->ce.tls_crypt_file_inline,
2690  options->tls_server);
2691  }
2692 
2693  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2694  if (options->ce.tls_crypt_v2_file)
2695  {
2696  if (options->tls_server)
2697  {
2698  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2699  true, options->ce.tls_crypt_v2_file,
2700  options->ce.tls_crypt_v2_file_inline);
2701  }
2702  else
2703  {
2704  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2705  &c->c1.ks.tls_crypt_v2_wkc,
2706  options->ce.tls_crypt_v2_file,
2707  options->ce.tls_crypt_v2_file_inline);
2708  }
2709  }
2710 
2711 
2712 }
2713 
2714 /*
2715  * Initialise the auth-token key context
2716  */
2717 static void
2718 do_init_auth_token_key(struct context *c)
2719 {
2720  if (!c->options.auth_token_generate)
2721  {
2722  return;
2723  }
2724 
2725  auth_token_init_secret(&c->c1.ks.auth_token_key,
2726  c->options.auth_token_secret_file,
2727  c->options.auth_token_secret_file_inline);
2728 }
2729 
2730 /*
2731  * Initialize the persistent component of OpenVPN's TLS mode,
2732  * which is preserved across SIGUSR1 resets.
2733  */
2734 static void
2735 do_init_crypto_tls_c1(struct context *c)
2736 {
2737  const struct options *options = &c->options;
2738 
2739  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2740  {
2741  /*
2742  * Initialize the OpenSSL library's global
2743  * SSL context.
2744  */
2745  init_ssl(options, &(c->c1.ks.ssl_ctx));
2746  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2747  {
2748 #if P2MP
2749  switch (auth_retry_get())
2750  {
2751  case AR_NONE:
2752  msg(M_FATAL, "Error: private key password verification failed");
2753  break;
2754 
2755  case AR_INTERACT:
2756  ssl_purge_auth(false);
2757 
2758  case AR_NOINTERACT:
2759  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2760  break;
2761 
2762  default:
2763  ASSERT(0);
2764  }
2765  c->sig->signal_text = "private-key-password-failure";
2766  return;
2767 #else /* if P2MP */
2768  msg(M_FATAL, "Error: private key password verification failed");
2769 #endif /* if P2MP */
2770  }
2771 
2772  /* Do not warn if we only have BF-CBC in options->ciphername
2773  * because it is still the default cipher */
2774  bool warn = !streq(options->ciphername, "BF-CBC")
2775  || options->enable_ncp_fallback;
2776  /* Get cipher & hash algorithms */
2777  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2778  options->keysize, true, warn);
2779 
2780  /* Initialize PRNG with config-specified digest */
2781  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2782 
2783  /* initialize tls-auth/crypt/crypt-v2 key */
2784  do_init_tls_wrap_key(c);
2785 
2786  /* initialise auth-token crypto support */
2787  do_init_auth_token_key(c);
2788 
2789 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2790  if (options->priv_key_file_inline)
2791  {
2792  string_clear(c->options.priv_key_file_inline);
2793  c->options.priv_key_file_inline = NULL;
2794  }
2795 #endif
2796  }
2797  else
2798  {
2799  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2800 
2801  /*
2802  * tls-auth/crypt key can be configured per connection block, therefore
2803  * we must reload it as it may have changed
2804  */
2805  do_init_tls_wrap_key(c);
2806  }
2807 }
2808 
2809 static void
2810 do_init_crypto_tls(struct context *c, const unsigned int flags)
2811 {
2812  const struct options *options = &c->options;
2813  struct tls_options to;
2814  bool packet_id_long_form;
2815 
2816  ASSERT(options->tls_server || options->tls_client);
2817  ASSERT(!options->test_crypto);
2818 
2819  init_crypto_pre(c, flags);
2820 
2821  /* Make sure we are either a TLS client or server but not both */
2822  ASSERT(options->tls_server == !options->tls_client);
2823 
2824  /* initialize persistent component */
2825  do_init_crypto_tls_c1(c);
2826  if (IS_SIG(c))
2827  {
2828  return;
2829  }
2830 
2831  /* Sanity check on sequence number, and cipher mode options */
2832  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2833 
2834  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2835  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2836 
2837  /* Compute MTU parameters (postpone if we push/pull options) */
2838  if (c->options.pull || c->options.mode == MODE_SERVER)
2839  {
2840  /* Account for worst-case crypto overhead before allocating buffers */
2841  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2842  }
2843  else
2844  {
2845  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2846  options->replay, packet_id_long_form);
2847  }
2848  tls_adjust_frame_parameters(&c->c2.frame);
2849 
2850  /* Set all command-line TLS-related options */
2851  CLEAR(to);
2852 
2853  if (options->mute_replay_warnings)
2854  {
2855  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2856  }
2857 
2858  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2859  if (packet_id_long_form)
2860  {
2861  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2862  }
2863 
2864  to.ssl_ctx = c->c1.ks.ssl_ctx;
2865  to.key_type = c->c1.ks.key_type;
2866  to.server = options->tls_server;
2867  to.replay = options->replay;
2868  to.replay_window = options->replay_window;
2869  to.replay_time = options->replay_time;
2870  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2871  to.config_ciphername = c->c1.ciphername;
2872  to.config_ncp_ciphers = options->ncp_ciphers;
2873  to.ncp_enabled = options->ncp_enabled;
2874  to.transition_window = options->transition_window;
2875  to.handshake_window = options->handshake_window;
2876  to.packet_timeout = options->tls_timeout;
2877  to.renegotiate_bytes = options->renegotiate_bytes;
2878  to.renegotiate_packets = options->renegotiate_packets;
2879  if (options->renegotiate_seconds_min < 0)
2880  {
2881  /* Add 10% jitter to reneg-sec by default (server side only) */
2882  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2883  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2884  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2885  }
2886  else
2887  {
2888  /* Add user-specified jitter to reneg-sec */
2889  to.renegotiate_seconds = options->renegotiate_seconds
2890  -(get_random() % max_int(options->renegotiate_seconds
2891  - options->renegotiate_seconds_min, 1));
2892  }
2893  to.single_session = options->single_session;
2894  to.mode = options->mode;
2895  to.pull = options->pull;
2896  if (options->push_peer_info) /* all there is */
2897  {
2898  to.push_peer_info_detail = 2;
2899  }
2900  else if (options->pull) /* pull clients send some details */
2901  {
2902  to.push_peer_info_detail = 1;
2903  }
2904  else /* default: no peer-info at all */
2905  {
2906  to.push_peer_info_detail = 0;
2907  }
2908 
2909  /* should we not xmit any packets until we get an initial
2910  * response from client? */
2911  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2912  {
2913  to.xmit_hold = true;
2914  }
2915 
2916  to.disable_occ = !options->occ;
2917 
2918  to.verify_command = options->tls_verify;
2919  to.verify_export_cert = options->tls_export_cert;
2920  to.verify_x509_type = (options->verify_x509_type & 0xff);
2921  to.verify_x509_name = options->verify_x509_name;
2922  to.crl_file = options->crl_file;
2923  to.crl_file_inline = options->crl_file_inline;
2924  to.ssl_flags = options->ssl_flags;
2925  to.ns_cert_type = options->ns_cert_type;
2926  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2927  to.remote_cert_eku = options->remote_cert_eku;
2928  to.verify_hash = options->verify_hash;
2929  to.verify_hash_algo = options->verify_hash_algo;
2930 #ifdef ENABLE_X509ALTUSERNAME
2931  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2932 #else
2933  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2934 #endif
2935  to.es = c->c2.es;
2936  to.net_ctx = &c->net_ctx;
2937 
2938 #ifdef ENABLE_DEBUG
2939  to.gremlin = c->options.gremlin;
2940 #endif
2941 
2942  to.plugins = c->plugins;
2943 
2944 #ifdef ENABLE_MANAGEMENT
2945  to.mda_context = &c->c2.mda_context;
2946 #endif
2947 
2948  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2949  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2950  to.tmp_dir = options->tmp_dir;
2951  if (options->ccd_exclusive)
2952  {
2953  to.client_config_dir_exclusive = options->client_config_dir;
2954  }
2955  to.auth_user_pass_file = options->auth_user_pass_file;
2956  to.auth_token_generate = options->auth_token_generate;
2957  to.auth_token_lifetime = options->auth_token_lifetime;
2958  to.auth_token_call_auth = options->auth_token_call_auth;
2959  to.auth_token_key = c->c1.ks.auth_token_key;
2960 
2961  to.x509_track = options->x509_track;
2962 
2963 #if P2MP
2964 #ifdef ENABLE_MANAGEMENT
2965  to.sci = &options->sc_info;
2966 #endif
2967 #endif
2968 
2969 #ifdef USE_COMP
2970  to.comp_options = options->comp;
2971 #endif
2972 
2973 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2974  if (options->keying_material_exporter_label)
2975  {
2976  to.ekm_size = options->keying_material_exporter_length;
2977  if (to.ekm_size < 16 || to.ekm_size > 4095)
2978  {
2979  to.ekm_size = 0;
2980  }
2981 
2982  to.ekm_label = options->keying_material_exporter_label;
2983  to.ekm_label_size = strlen(to.ekm_label);
2984  }
2985  else
2986  {
2987  to.ekm_size = 0;
2988  }
2989 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2990 
2991  /* TLS handshake authentication (--tls-auth) */
2992  if (options->ce.tls_auth_file)
2993  {
2994  to.tls_wrap.mode = TLS_WRAP_AUTH;
2995  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2996  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2997  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2998  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2999  true, true);
3000  }
3001 
3002  /* TLS handshake encryption (--tls-crypt) */
3003  if (options->ce.tls_crypt_file
3004  || (options->ce.tls_crypt_v2_file && options->tls_client))
3005  {
3006  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3007  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3008  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3009  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3010  tls_crypt_adjust_frame_parameters(&to.frame);
3011 
3012  if (options->ce.tls_crypt_v2_file)
3013  {
3014  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3015  }
3016  }
3017 
3018  if (options->ce.tls_crypt_v2_file)
3019  {
3020  to.tls_crypt_v2 = true;
3021  if (options->tls_server)
3022  {
3023  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3024  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3025  }
3026  }
3027 
3028  /* If we are running over TCP, allow for
3029  * length prefix */
3030  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3031 
3032  /*
3033  * Initialize OpenVPN's master TLS-mode object.
3034  */
3035  if (flags & CF_INIT_TLS_MULTI)
3036  {
3037  c->c2.tls_multi = tls_multi_init(&to);
3038  }
3039 
3040  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3041  {
3042  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3043  }
3044 }
3045 
3046 static void
3047 do_init_finalize_tls_frame(struct context *c)
3048 {
3049  if (c->c2.tls_multi)
3050  {
3051  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3052  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3053  EXPANDED_SIZE(&c->c2.frame));
3054  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3055  "Control Channel MTU parms");
3056  }
3057  if (c->c2.tls_auth_standalone)
3058  {
3059  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3060  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3061  "TLS-Auth MTU parms");
3062  }
3063 }
3064 
3065 /*
3066  * No encryption or authentication.
3067  */
3068 static void
3069 do_init_crypto_none(const struct context *c)
3070 {
3071  ASSERT(!c->options.test_crypto);
3072  msg(M_WARN,
3073  "******* WARNING *******: All encryption and authentication features "
3074  "disabled -- All data will be tunnelled as clear text and will not be "
3075  "protected against man-in-the-middle changes. "
3076  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3077 }
3078 
3079 static void
3080 do_init_crypto(struct context *c, const unsigned int flags)
3081 {
3082  if (c->options.shared_secret_file)
3083  {
3084  do_init_crypto_static(c, flags);
3085  }
3086  else if (c->options.tls_server || c->options.tls_client)
3087  {
3088  do_init_crypto_tls(c, flags);
3089  }
3090  else /* no encryption or authentication. */
3091  {
3092  do_init_crypto_none(c);
3093  }
3094 }
3095 
3096 static void
3097 do_init_frame(struct context *c)
3098 {
3099 #ifdef USE_COMP
3100  /*
3101  * modify frame parameters if compression is enabled
3102  */
3103  if (comp_enabled(&c->options.comp))
3104  {
3105  comp_add_to_extra_frame(&c->c2.frame);
3106 
3107 #if !defined(ENABLE_LZ4)
3108  /*
3109  * Compression usage affects buffer alignment when non-swapped algs
3110  * such as LZO is used.
3111  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3112  * any special alignment because of the control-byte swap approach.
3113  * LZO alignment (on the other hand) is problematic because
3114  * the presence of the control byte means that either the output of
3115  * decryption must be written to an unaligned buffer, or the input
3116  * to compression (or packet dispatch if packet is uncompressed)
3117  * must be read from an unaligned buffer.
3118  * This code tries to align the input to compression (or packet
3119  * dispatch if packet is uncompressed) at the cost of requiring
3120  * decryption output to be written to an unaligned buffer, so
3121  * it's more of a tradeoff than an optimal solution and we don't
3122  * include it when we are doing a modern build with LZ4.
3123  * Strictly speaking, on the server it would be better to execute
3124  * this code for every connection after we decide the compression
3125  * method, but currently the frame code doesn't appear to be
3126  * flexible enough for this, since the frame is already established
3127  * before it is known which compression options will be pushed.
3128  */
3129  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3130  {
3131  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3132  frame_or_align_flags(&c->c2.frame,
3133  FRAME_HEADROOM_MARKER_FRAGMENT
3134  |FRAME_HEADROOM_MARKER_DECRYPT);
3135  }
3136 #endif
3137 
3138 #ifdef ENABLE_FRAGMENT
3139  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3140 #endif
3141  }
3142 #endif /* USE_COMP */
3143 
3144  /*
3145  * Adjust frame size for UDP Socks support.
3146  */
3147  if (c->options.ce.socks_proxy_server)
3148  {
3149  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3150  }
3151 
3152  /*
3153  * Adjust frame size based on the --tun-mtu-extra parameter.
3154  */
3155  if (c->options.ce.tun_mtu_extra_defined)
3156  {
3157  tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3158  }
3159 
3160  /*
3161  * Adjust frame size based on link socket parameters.
3162  * (Since TCP is a stream protocol, we need to insert
3163  * a packet length uint16_t in the buffer.)
3164  */
3165  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3166 
3167  /*
3168  * Fill in the blanks in the frame parameters structure,
3169  * make sure values are rational, etc.
3170  */
3171  frame_finalize_options(c, NULL);
3172 
3173 #ifdef USE_COMP
3174  /*
3175  * Modify frame parameters if compression is compiled in.
3176  * Should be called after frame_finalize_options.
3177  */
3178  comp_add_to_extra_buffer(&c->c2.frame);
3179 #ifdef ENABLE_FRAGMENT
3180  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3181 #endif
3182 #endif /* USE_COMP */
3183 
3184  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3185  * and need link_mtu+3 bytes on socket reception (on server).
3186  *
3187  * accommodate receive path in f->extra_link, which has the side effect of
3188  * also increasing send buffers (BUF_SIZE() macro), which need to be
3189  * allocated big enough before receiving peer-id option from server.
3190  *
3191  * f->extra_frame is adjusted when peer-id option is push-received
3192  */
3193  frame_add_to_extra_link(&c->c2.frame, 3);
3194 
3195 #ifdef ENABLE_FRAGMENT
3196  /*
3197  * Set frame parameter for fragment code. This is necessary because
3198  * the fragmentation code deals with payloads which have already been
3199  * passed through the compression code.
3200  */
3201  c->c2.frame_fragment = c->c2.frame;
3202  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3203  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3204 #endif
3205 
3206 #if defined(ENABLE_FRAGMENT)
3207  /*
3208  * MTU advisories
3209  */
3210  if (c->options.ce.fragment && c->options.mtu_test)
3211  {
3212  msg(M_WARN,
3213  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3214  }
3215 #endif
3216 
3217 #ifdef ENABLE_FRAGMENT
3218  if ((c->options.ce.mssfix || c->options.ce.fragment)
3219  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3220  {
3221  msg(M_WARN,
3222  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3223  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3224  }
3225 #endif
3226 }
3227 
3228 static void
3229 do_option_warnings(struct context *c)
3230 {
3231  const struct options *o = &c->options;
3232 
3233  if (o->ping_send_timeout && !o->ping_rec_timeout)
3234  {
3235  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3236  }
3237 
3238  if (o->username || o->groupname || o->chroot_dir
3239 #ifdef ENABLE_SELINUX
3240  || o->selinux_context
3241 #endif
3242  )
3243  {
3244  if (!o->persist_tun)
3245  {
3246  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3247  }
3248  if (!o->persist_key
3249 #ifdef ENABLE_PKCS11
3250  && !o->pkcs11_id
3251 #endif
3252  )
3253  {
3254  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3255  }
3256  }
3257 
3258  if (o->chroot_dir && !(o->username && o->groupname))
3259  {
3260  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3261  }
3262 
3263 #if P2MP
3264  if (o->pull && o->ifconfig_local && c->first_time)
3265  {
3266  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3267  }
3268 
3269  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3270  {
3271  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3272  }
3273 
3274  if (o->mode == MODE_SERVER)
3275  {
3276  if (o->duplicate_cn && o->client_config_dir)
3277  {
3278  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3279  }
3280  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3281  {
3282  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3283  }
3284  if (!o->keepalive_ping || !o->keepalive_timeout)
3285  {
3286  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3287  }
3288  }
3289 #endif /* if P2MP */
3290 
3291  if (!o->replay)
3292  {
3293  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3294  }
3295 
3296  if (o->tls_server)
3297  {
3298  warn_on_use_of_common_subnets(&c->net_ctx);
3299  }
3300  if (o->tls_client
3301  && !o->tls_verify
3302  && o->verify_x509_type == VERIFY_X509_NONE
3303  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3304  && !o->remote_cert_eku)
3305  {
3306  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3307  }
3308  if (o->ns_cert_type)
3309  {
3310  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3311  }
3312 
3313  /* If a script is used, print appropriate warnings */
3314  if (o->user_script_used)
3315  {
3316  if (script_security() >= SSEC_SCRIPTS)
3317  {
3318  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3319  }
3320  else if (script_security() >= SSEC_PW_ENV)
3321  {
3322  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3323  }
3324  else
3325  {
3326  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3327  }
3328  }
3329 }
3330 
3331 static void
3332 do_init_frame_tls(struct context *c)
3333 {
3334  do_init_finalize_tls_frame(c);
3335 }
3336 
3337 struct context_buffers *
3338 init_context_buffers(const struct frame *frame)
3339 {
3340  struct context_buffers *b;
3341 
3342  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3343 
3344  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3345  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3346 
3347  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3350  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3351 
3352 #ifdef USE_COMP
3353  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3354  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3355 #endif
3356 
3357  return b;
3358 }
3359 
3360 void
3361 free_context_buffers(struct context_buffers *b)
3362 {
3363  if (b)
3364  {
3365  free_buf(&b->read_link_buf);
3366  free_buf(&b->read_tun_buf);
3367  free_buf(&b->aux_buf);
3368 
3369 #ifdef USE_COMP
3370  free_buf(&b->compress_buf);
3371  free_buf(&b->decompress_buf);
3372 #endif
3373 
3374  free_buf(&b->encrypt_buf);
3375  free_buf(&b->decrypt_buf);
3376 
3377  free(b);
3378  }
3379 }
3380 
3381 /*
3382  * Now that we know all frame parameters, initialize
3383  * our buffers.
3384  */
3385 static void
3386 do_init_buffers(struct context *c)
3387 {
3388  c->c2.buffers = init_context_buffers(&c->c2.frame);
3389  c->c2.buffers_owned = true;
3390 }
3391 
3392 #ifdef ENABLE_FRAGMENT
3393 /*
3394  * Fragmenting code has buffers to initialize
3395  * once frame parameters are known.
3396  */
3397 static void
3398 do_init_fragment(struct context *c)
3399 {
3400  ASSERT(c->options.ce.fragment);
3401  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3402  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3403  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3404 }
3405 #endif
3406 
3407 /*
3408  * Allocate our socket object.
3409  */
3410 static void
3411 do_link_socket_new(struct context *c)
3412 {
3413  ASSERT(!c->c2.link_socket);
3414  c->c2.link_socket = link_socket_new();
3415  c->c2.link_socket_owned = true;
3416 }
3417 
3418 /*
3419  * bind the TCP/UDP socket
3420  */
3421 static void
3422 do_init_socket_1(struct context *c, const int mode)
3423 {
3424  unsigned int sockflags = c->options.sockflags;
3425 
3426 #if PORT_SHARE
3427  if (c->options.port_share_host && c->options.port_share_port)
3428  {
3429  sockflags |= SF_PORT_SHARE;
3430  }
3431 #endif
3432 
3433  link_socket_init_phase1(c->c2.link_socket,
3434  c->options.ce.local,
3435  c->options.ce.local_port,
3436  c->options.ce.remote,
3437  c->options.ce.remote_port,
3438  c->c1.dns_cache,
3439  c->options.ce.proto,
3440  c->options.ce.af,
3441  c->options.ce.bind_ipv6_only,
3442  mode,
3443  c->c2.accept_from,
3444  c->c1.http_proxy,
3445  c->c1.socks_proxy,
3446 #ifdef ENABLE_DEBUG
3447  c->options.gremlin,
3448 #endif
3449  c->options.ce.bind_local,
3450  c->options.ce.remote_float,
3451  &c->c1.link_socket_addr,
3452  c->options.ipchange,
3453  c->plugins,
3454  c->options.resolve_retry_seconds,
3455  c->options.ce.mtu_discover_type,
3456  c->options.rcvbuf,
3457  c->options.sndbuf,
3458  c->options.mark,
3459  c->options.bind_dev,
3460  &c->c2.server_poll_interval,
3461  sockflags);
3462 }
3463 
3464 /*
3465  * finalize the TCP/UDP socket
3466  */
3467 static void
3468 do_init_socket_2(struct context *c)
3469 {
3470  link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3471  c->sig);
3472 }
3473 
3474 /*
3475  * Print MTU INFO
3476  */
3477 static void
3478 do_print_data_channel_mtu_parms(struct context *c)
3479 {
3480  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3481 #ifdef ENABLE_FRAGMENT
3482  if (c->c2.fragment)
3483  {
3484  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3485  "Fragmentation MTU parms");
3486  }
3487 #endif
3488 }
3489 
3490 /*
3491  * Get local and remote options compatibility strings.
3492  */
3493 static void
3494 do_compute_occ_strings(struct context *c)
3495 {
3496  struct gc_arena gc = gc_new();
3497 
3498  c->c2.options_string_local =
3499  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3500  false, &gc);
3501  c->c2.options_string_remote =
3502  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3503  true, &gc);
3504 
3505  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3506  options_string_version(c->c2.options_string_local, &gc),
3507  c->c2.options_string_local);
3508  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3509  options_string_version(c->c2.options_string_remote, &gc),
3510  c->c2.options_string_remote);
3511 
3512  if (c->c2.tls_multi)
3513  {
3514  tls_multi_init_set_options(c->c2.tls_multi,
3515  c->c2.options_string_local,
3516  c->c2.options_string_remote);
3517  }
3518 
3519  gc_free(&gc);
3520 }
3521 
3522 /*
3523  * These things can only be executed once per program instantiation.
3524  * Set up for possible UID/GID downgrade, but don't do it yet.
3525  * Daemonize if requested.
3526  */
3527 static void
3528 do_init_first_time(struct context *c)
3529 {
3530  if (c->first_time && !c->c0)
3531  {
3532  struct context_0 *c0;
3533 
3534  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3535  c0 = c->c0;
3536 
3537  /* get user and/or group that we want to setuid/setgid to */
3538  c0->uid_gid_specified =
3539  platform_group_get(c->options.groupname, &c0->platform_state_group)
3540  |platform_user_get(c->options.username, &c0->platform_state_user);
3541 
3542  /* perform postponed chdir if --daemon */
3543  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3544  {
3545  platform_chdir("/");
3546  }
3547 
3548  /* should we change scheduling priority? */
3549  platform_nice(c->options.nice);
3550  }
3551 }
3552 
3553 /*
3554  * free buffers
3555  */
3556 static void
3557 do_close_free_buf(struct context *c)
3558 {
3559  if (c->c2.buffers_owned)
3560  {
3561  free_context_buffers(c->c2.buffers);
3562  c->c2.buffers = NULL;
3563  c->c2.buffers_owned = false;
3564  }
3565 }
3566 
3567 /*
3568  * close TLS
3569  */
3570 static void
3571 do_close_tls(struct context *c)
3572 {
3573  if (c->c2.tls_multi)
3574  {
3575  tls_multi_free(c->c2.tls_multi, true);
3576  c->c2.tls_multi = NULL;
3577  }
3578 
3579  /* free options compatibility strings */
3580  free(c->c2.options_string_local);
3581  free(c->c2.options_string_remote);
3582 
3583  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3584 
3585  if (c->c2.pulled_options_state)
3586  {
3587  md_ctx_cleanup(c->c2.pulled_options_state);
3588  md_ctx_free(c->c2.pulled_options_state);
3589  }
3590 }
3591 
3592 /*
3593  * Free key schedules
3594  */
3595 static void
3596 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3597 {
3598  /*
3599  * always free the tls_auth/crypt key. If persist_key is true, the key will
3600  * be reloaded from memory (pre-cached)
3601  */
3602  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3603  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3604  CLEAR(c->c1.ks.tls_wrap_key);
3605  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3606  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3607 
3608  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3609  {
3610  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3611  }
3612 }
3613 
3614 /*
3615  * Close TCP/UDP connection
3616  */
3617 static void
3618 do_close_link_socket(struct context *c)
3619 {
3620  if (c->c2.link_socket && c->c2.link_socket_owned)
3621  {
3622  link_socket_close(c->c2.link_socket);
3623  c->c2.link_socket = NULL;
3624  }
3625 
3626 
3627  /* Preserve the resolved list of remote if the user request to or if we want
3628  * reconnect to the same host again or there are still addresses that need
3629  * to be tried */
3630  if (!(c->sig->signal_received == SIGUSR1
3631  && ( (c->options.persist_remote_ip)
3632  ||
3633  ( c->sig->source != SIG_SOURCE_HARD
3634  && ((c->c1.link_socket_addr.current_remote
3635  && c->c1.link_socket_addr.current_remote->ai_next)
3636  || c->options.no_advance))
3637  )))
3638  {
3639  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3640  }
3641 
3642  /* Clear the remote actual address when persist_remote_ip is not in use */
3643  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3644  {
3645  CLEAR(c->c1.link_socket_addr.actual);
3646  }
3647 
3648  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3649  {
3650  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3651  {
3652  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3653  }
3654 
3655  c->c1.link_socket_addr.bind_local = NULL;
3656  }
3657 }
3658 
3659 /*
3660  * Close packet-id persistence file
3661  */
3662 static void
3663 do_close_packet_id(struct context *c)
3664 {
3665  packet_id_free(&c->c2.crypto_options.packet_id);
3666  packet_id_persist_save(&c->c1.pid_persist);
3667  if (!(c->sig->signal_received == SIGUSR1))
3668  {
3669  packet_id_persist_close(&c->c1.pid_persist);
3670  }
3671 }
3672 
3673 #ifdef ENABLE_FRAGMENT
3674 /*
3675  * Close fragmentation handler.
3676  */
3677 static void
3678 do_close_fragment(struct context *c)
3679 {
3680  if (c->c2.fragment)
3681  {
3682  fragment_free(c->c2.fragment);
3683  c->c2.fragment = NULL;
3684  }
3685 }
3686 #endif
3687 
3688 /*
3689  * Open and close our event objects.
3690  */
3691 
3692 static void
3693 do_event_set_init(struct context *c,
3694  bool need_us_timeout)
3695 {
3696  unsigned int flags = 0;
3697 
3698  c->c2.event_set_max = BASE_N_EVENTS;
3699 
3700  flags |= EVENT_METHOD_FAST;
3701 
3702  if (need_us_timeout)
3703  {
3704  flags |= EVENT_METHOD_US_TIMEOUT;
3705  }
3706 
3707  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3708  c->c2.event_set_owned = true;
3709 }
3710 
3711 static void
3712 do_close_event_set(struct context *c)
3713 {
3714  if (c->c2.event_set && c->c2.event_set_owned)
3715  {
3716  event_free(c->c2.event_set);
3717  c->c2.event_set = NULL;
3718  c->c2.event_set_owned = false;
3719  }
3720 }
3721 
3722 /*
3723  * Open and close --status file
3724  */
3725 
3726 static void
3727 do_open_status_output(struct context *c)
3728 {
3729  if (!c->c1.status_output)
3730  {
3731  c->c1.status_output = status_open(c->options.status_file,
3732  c->options.status_file_update_freq,
3733  -1,
3734  NULL,
3735  STATUS_OUTPUT_WRITE);
3736  c->c1.status_output_owned = true;
3737  }
3738 }
3739 
3740 static void
3741 do_close_status_output(struct context *c)
3742 {
3743  if (!(c->sig->signal_received == SIGUSR1))
3744  {
3745  if (c->c1.status_output_owned && c->c1.status_output)
3746  {
3747  status_close(c->c1.status_output);
3748  c->c1.status_output = NULL;
3749  c->c1.status_output_owned = false;
3750  }
3751  }
3752 }
3753 
3754 /*
3755  * Handle ifconfig-pool persistence object.
3756  */
3757 static void
3758 do_open_ifconfig_pool_persist(struct context *c)
3759 {
3760  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3761  {
3762  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3763  c->options.ifconfig_pool_persist_refresh_freq);
3764  c->c1.ifconfig_pool_persist_owned = true;
3765  }
3766 }
3767 
3768 static void
3769 do_close_ifconfig_pool_persist(struct context *c)
3770 {
3771  if (!(c->sig->signal_received == SIGUSR1))
3772  {
3773  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3774  {
3775  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3776  c->c1.ifconfig_pool_persist = NULL;
3777  c->c1.ifconfig_pool_persist_owned = false;
3778  }
3779  }
3780 }
3781 
3782 /*
3783  * Inherit environmental variables
3784  */
3785 
3786 static void
3787 do_inherit_env(struct context *c, const struct env_set *src)
3788 {
3789  c->c2.es = env_set_create(NULL);
3790  c->c2.es_owned = true;
3791  env_set_inherit(c->c2.es, src);
3792 }
3793 
3794 static void
3795 do_env_set_destroy(struct context *c)
3796 {
3797  if (c->c2.es && c->c2.es_owned)
3798  {
3799  env_set_destroy(c->c2.es);
3800  c->c2.es = NULL;
3801  c->c2.es_owned = false;
3802  }
3803 }
3804 
3805 /*
3806  * Fast I/O setup. Fast I/O is an optimization which only works
3807  * if all of the following are true:
3808  *
3809  * (1) The platform is not Windows
3810  * (2) --proto udp is enabled
3811  * (3) --shaper is disabled
3812  */
3813 static void
3814 do_setup_fast_io(struct context *c)
3815 {
3816  if (c->options.fast_io)
3817  {
3818 #ifdef _WIN32
3819  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3820 #else
3821  if (!proto_is_udp(c->options.ce.proto))
3822  {
3823  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3824  }
3825  else
3826  {
3827 #ifdef ENABLE_FEATURE_SHAPER
3828  if (c->options.shaper)
3829  {
3830  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3831  }
3832  else
3833 #endif
3834  {
3835  c->c2.fast_io = true;
3836  }
3837  }
3838 #endif
3839  }
3840 }
3841 
3842 static void
3843 do_signal_on_tls_errors(struct context *c)
3844 {
3845  if (c->options.tls_exit)
3846  {
3847  c->c2.tls_exit_signal = SIGTERM;
3848  }
3849  else
3850  {
3851  c->c2.tls_exit_signal = SIGUSR1;
3852  }
3853 }
3854 
3855 #ifdef ENABLE_PLUGIN
3856 
3857 void
3858 init_plugins(struct context *c)
3859 {
3860  if (c->options.plugin_list && !c->plugins)
3861  {
3862  c->plugins = plugin_list_init(c->options.plugin_list);
3863  c->plugins_owned = true;
3864  }
3865 }
3866 
3867 void
3868 open_plugins(struct context *c, const bool import_options, int init_point)
3869 {
3870  if (c->plugins && c->plugins_owned)
3871  {
3872  if (import_options)
3873  {
3874  struct plugin_return pr, config;
3875  plugin_return_init(&pr);
3876  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3877  plugin_return_get_column(&pr, &config, "config");
3878  if (plugin_return_defined(&config))
3879  {
3880  int i;
3881  for (i = 0; i < config.n; ++i)
3882  {
3883  unsigned int option_types_found = 0;
3884  if (config.list[i] && config.list[i]->value)
3885  {
3886  options_string_import(&c->options,
3887  config.list[i]->value,
3888  D_IMPORT_ERRORS|M_OPTERR,
3889  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3890  &option_types_found,
3891  c->es);
3892  }
3893  }
3894  }
3895  plugin_return_free(&pr);
3896  }
3897  else
3898  {
3899  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3900  }
3901  }
3902 }
3903 
3904 static void
3905 do_close_plugins(struct context *c)
3906 {
3907  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3908  {
3909  plugin_list_close(c->plugins);
3910  c->plugins = NULL;
3911  c->plugins_owned = false;
3912  }
3913 }
3914 
3915 static void
3916 do_inherit_plugins(struct context *c, const struct context *src)
3917 {
3918  if (!c->plugins && src->plugins)
3919  {
3920  c->plugins = plugin_list_inherit(src->plugins);
3921  c->plugins_owned = true;
3922  }
3923 }
3924 
3925 #endif /* ifdef ENABLE_PLUGIN */
3926 
3927 #ifdef ENABLE_MANAGEMENT
3928 
3929 static void
3930 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3931 {
3932  struct context *c = (struct context *) arg;
3933  print_status(c, so);
3934 }
3935 
3936 void
3937 management_show_net_callback(void *arg, const int msglevel)
3938 {
3939 #ifdef _WIN32
3940  show_routes(msglevel);
3941  show_adapters(msglevel);
3942  msg(msglevel, "END");
3943 #else
3944  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3945 #endif
3946 }
3947 
3948 #ifdef TARGET_ANDROID
3949 int
3950 management_callback_network_change(void *arg, bool samenetwork)
3951 {
3952  /* Check if the client should translate the network change to a SIGUSR1 to
3953  * reestablish the connection or just reprotect the socket
3954  *
3955  * At the moment just assume that, for all settings that use pull (not
3956  * --static) and are not using peer-id reestablishing the connection is
3957  * required (unless the network is the same)
3958  *
3959  * The function returns -1 on invalid fd and -2 if the socket cannot be
3960  * reused. On the -2 return value the man_network_change function triggers
3961  * a SIGUSR1 to force a reconnect.
3962  */
3963 
3964  int socketfd = -1;
3965  struct context *c = (struct context *) arg;
3966  if (!c->c2.link_socket)
3967  {
3968  return -1;
3969  }
3970  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3971  {
3972  return -1;
3973  }
3974 
3975  socketfd = c->c2.link_socket->sd;
3976  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3977  {
3978  return socketfd;
3979  }
3980  else
3981  {
3982  return -2;
3983  }
3984 }
3985 #endif /* ifdef TARGET_ANDROID */
3986 
3987 #endif /* ifdef ENABLE_MANAGEMENT */
3988 
3989 void
3990 init_management_callback_p2p(struct context *c)
3991 {
3992 #ifdef ENABLE_MANAGEMENT
3993  if (management)
3994  {
3995  struct management_callback cb;
3996  CLEAR(cb);
3997  cb.arg = c;
3998  cb.status = management_callback_status_p2p;
3999  cb.show_net = management_show_net_callback;
4000  cb.proxy_cmd = management_callback_proxy_cmd;
4001  cb.remote_cmd = management_callback_remote_cmd;
4002  cb.send_cc_message = management_callback_send_cc_message;
4003 #ifdef TARGET_ANDROID
4004  cb.network_change = management_callback_network_change;
4005 #endif
4006  management_set_callback(management, &cb);
4007  }
4008 #endif
4009 }
4010 
4011 #ifdef ENABLE_MANAGEMENT
4012 
4013 void
4014 init_management(void)
4015 {
4016  if (!management)
4017  {
4018  management = management_init();
4019  }
4020 }
4021 
4022 bool
4023 open_management(struct context *c)
4024 {
4025  /* initialize management layer */
4026  if (management)
4027  {
4028  if (c->options.management_addr)
4029  {
4030  unsigned int flags = c->options.management_flags;
4031  if (c->options.mode == MODE_SERVER)
4032  {
4033  flags |= MF_SERVER;
4034  }
4035  if (management_open(management,
4036  c->options.management_addr,
4037  c->options.management_port,
4038  c->options.management_user_pass,
4039  c->options.management_client_user,
4040  c->options.management_client_group,
4041  c->options.management_log_history_cache,
4042  c->options.management_echo_buffer_size,
4043  c->options.management_state_buffer_size,
4044  c->options.management_write_peer_info_file,
4045  c->options.remap_sigusr1,
4046  flags))
4047  {
4048  management_set_state(management,
4049  OPENVPN_STATE_CONNECTING,
4050  NULL,
4051  NULL,
4052  NULL,
4053  NULL,
4054  NULL);
4055  }
4056 
4057  /* initial management hold, called early, before first context initialization */
4058  do_hold(0);
4059  if (IS_SIG(c))
4060  {
4061  msg(M_WARN, "Signal received from management interface, exiting");
4062  return false;
4063  }
4064  }
4065  else
4066  {
4067  close_management();
4068  }
4069  }
4070  return true;
4071 }
4072 
4073 void
4074 close_management(void)
4075 {
4076  if (management)
4077  {
4078  management_close(management);
4079  management = NULL;
4080  }
4081 }
4082 
4083 #endif /* ifdef ENABLE_MANAGEMENT */
4084 
4085 
4086 void
4087 uninit_management_callback(void)
4088 {
4089 #ifdef ENABLE_MANAGEMENT
4090  if (management)
4091  {
4092  management_clear_callback(management);
4093  }
4094 #endif
4095 }
4096 
4097 /*
4098  * Initialize a tunnel instance, handle pre and post-init
4099  * signal settings.
4100  */
4101 void
4102 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4103 {
4104  pre_init_signal_catch();
4105  init_instance(c, env, flags);
4106  post_init_signal_catch();
4107 
4108  /*
4109  * This is done so that signals thrown during
4110  * initialization can bring us back to
4111  * a management hold.
4112  */
4113  if (IS_SIG(c))
4114  {
4115  remap_signal(c);
4116  uninit_management_callback();
4117  }
4118 }
4119 
4120 /*
4121  * Initialize a tunnel instance.
4122  */
4123 void
4124 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4125 {
4126  const struct options *options = &c->options;
4127  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4128  int link_socket_mode = LS_MODE_DEFAULT;
4129 
4130  /* init garbage collection level */
4131  gc_init(&c->c2.gc);
4132 
4133  /* inherit environmental variables */
4134  if (env)
4135  {
4136  do_inherit_env(c, env);
4137  }
4138 
4139  /* signals caught here will abort */
4140  c->sig->signal_received = 0;
4141  c->sig->signal_text = NULL;
4142  c->sig->source = SIG_SOURCE_SOFT;
4143 
4144  if (c->mode == CM_P2P)
4145  {
4146  init_management_callback_p2p(c);
4147  }
4148 
4149  /* possible sleep or management hold if restart */
4150  if (c->mode == CM_P2P || c->mode == CM_TOP)
4151  {
4152  do_startup_pause(c);
4153  if (IS_SIG(c))
4154  {
4155  goto sig;
4156  }
4157  }
4158 
4159  if (c->options.resolve_in_advance)
4160  {
4161  do_preresolve(c);
4162  if (IS_SIG(c))
4163  {
4164  goto sig;
4165  }
4166  }
4167 
4168  /* map in current connection entry */
4169  next_connection_entry(c);
4170 
4171  /* link_socket_mode allows CM_CHILD_TCP
4172  * instances to inherit acceptable fds
4173  * from a top-level parent */
4174  if (c->options.ce.proto == PROTO_TCP_SERVER)
4175  {
4176  if (c->mode == CM_TOP)
4177  {
4178  link_socket_mode = LS_MODE_TCP_LISTEN;
4179  }
4180  else if (c->mode == CM_CHILD_TCP)
4181  {
4182  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4183  }
4184  }
4185 
4186  /* should we disable paging? */
4187  if (c->first_time && options->mlock)
4188  {
4189  platform_mlockall(true);
4190  }
4191 
4192 #if P2MP
4193  /* get passwords if undefined */
4194  if (auth_retry_get() == AR_INTERACT)
4195  {
4196  init_query_passwords(c);
4197  }
4198 #endif
4199 
4200  /* initialize context level 2 --verb/--mute parms */
4201  init_verb_mute(c, IVM_LEVEL_2);
4202 
4203  /* set error message delay for non-server modes */
4204  if (c->mode == CM_P2P)
4205  {
4206  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4207  }
4208 
4209  /* warn about inconsistent options */
4210  if (c->mode == CM_P2P || c->mode == CM_TOP)
4211  {
4212  do_option_warnings(c);
4213  }
4214 
4215 #ifdef ENABLE_PLUGIN
4216  /* initialize plugins */
4217  if (c->mode == CM_P2P || c->mode == CM_TOP)
4218  {
4219  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4220  }
4221 #endif
4222 
4223  /* should we enable fast I/O? */
4224  if (c->mode == CM_P2P || c->mode == CM_TOP)
4225  {
4226  do_setup_fast_io(c);
4227  }
4228 
4229  /* should we throw a signal on TLS errors? */
4230  do_signal_on_tls_errors(c);
4231 
4232  /* open --status file */
4233  if (c->mode == CM_P2P || c->mode == CM_TOP)
4234  {
4235  do_open_status_output(c);
4236  }
4237 
4238  /* open --ifconfig-pool-persist file */
4239  if (c->mode == CM_TOP)
4240  {
4241  do_open_ifconfig_pool_persist(c);
4242  }
4243 
4244  /* reset OCC state */
4245  if (c->mode == CM_P2P || child)
4246  {
4247  c->c2.occ_op = occ_reset_op();
4248  }
4249 
4250  /* our wait-for-i/o objects, different for posix vs. win32 */
4251  if (c->mode == CM_P2P)
4252  {
4253  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4254  }
4255  else if (c->mode == CM_CHILD_TCP)
4256  {
4257  do_event_set_init(c, false);
4258  }
4259 
4260  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4261  init_proxy(c);
4262 
4263  /* allocate our socket object */
4264  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4265  {
4266  do_link_socket_new(c);
4267  }
4268 
4269 #ifdef ENABLE_FRAGMENT
4270  /* initialize internal fragmentation object */
4271  if (options->ce.fragment && (c->mode == CM_P2P || child))
4272  {
4273  c->c2.fragment = fragment_init(&c->c2.frame);
4274  }
4275 #endif
4276 
4277  /* init crypto layer */
4278  {
4279  unsigned int crypto_flags = 0;
4280  if (c->mode == CM_TOP)
4281  {
4282  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4283  }
4284  else if (c->mode == CM_P2P)
4285  {
4286  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4287  }
4288  else if (child)
4289  {
4290  crypto_flags = CF_INIT_TLS_MULTI;
4291  }
4292  do_init_crypto(c, crypto_flags);
4293  if (IS_SIG(c) && !child)
4294  {
4295  goto sig;
4296  }
4297  }
4298 
4299 #ifdef USE_COMP
4300  /* initialize compression library. */
4301  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4302  {
4303  c->c2.comp_context = comp_init(&options->comp);
4304  }
4305 #endif
4306 
4307  /* initialize MTU variables */
4308  do_init_frame(c);
4309 
4310  /* initialize TLS MTU variables */
4311  do_init_frame_tls(c);
4312 
4313  /* init workspace buffers whose size is derived from frame size */
4314  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4315  {
4316  do_init_buffers(c);
4317  }
4318 
4319 #ifdef ENABLE_FRAGMENT
4320  /* initialize internal fragmentation capability with known frame size */
4321  if (options->ce.fragment && (c->mode == CM_P2P || child))
4322  {
4323  do_init_fragment(c);
4324  }
4325 #endif
4326 
4327  /* initialize dynamic MTU variable */
4328  frame_init_mssfix(&c->c2.frame, &c->options);
4329 
4330  /* bind the TCP/UDP socket */
4331  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4332  {
4333  do_init_socket_1(c, link_socket_mode);
4334  }
4335 
4336  /* initialize tun/tap device object,
4337  * open tun/tap device, ifconfig, run up script, etc. */
4338  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4339  {
4340  c->c2.did_open_tun = do_open_tun(c);
4341  }
4342 
4343  c->c2.frame_initial = c->c2.frame;
4344 
4345  /* print MTU info */
4346  do_print_data_channel_mtu_parms(c);
4347 
4348  /* get local and remote options compatibility strings */
4349  if (c->mode == CM_P2P || child)
4350  {
4351  do_compute_occ_strings(c);
4352  }
4353 
4354  /* initialize output speed limiter */
4355  if (c->mode == CM_P2P)
4356  {
4357  do_init_traffic_shaper(c);
4358  }
4359 
4360  /* do one-time inits, and possibly become a daemon here */
4361  do_init_first_time(c);
4362 
4363 #ifdef ENABLE_PLUGIN
4364  /* initialize plugins */
4365  if (c->mode == CM_P2P || c->mode == CM_TOP)
4366  {
4367  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4368  }
4369 #endif
4370 
4371  /* initialise connect timeout timer */
4372  do_init_server_poll_timeout(c);
4373 
4374  /* finalize the TCP/UDP socket */
4375  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4376  {
4377  do_init_socket_2(c);
4378  }
4379 
4380  /*
4381  * Actually do UID/GID downgrade, and chroot, if requested.
4382  * May be delayed by --client, --pull, or --up-delay.
4383  */
4384  do_uid_gid_chroot(c, c->c2.did_open_tun);
4385 
4386  /* initialize timers */
4387  if (c->mode == CM_P2P || child)
4388  {
4389  do_init_timers(c, false);
4390  }
4391 
4392 #ifdef ENABLE_PLUGIN
4393  /* initialize plugins */
4394  if (c->mode == CM_P2P || c->mode == CM_TOP)
4395  {
4396  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4397  }
4398 #endif
4399 
4400 #if PORT_SHARE
4401  /* share OpenVPN port with foreign (such as HTTPS) server */
4402  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4403  {
4404  init_port_share(c);
4405  }
4406 #endif
4407 
4408 #ifdef ENABLE_PF
4409  if (child)
4410  {
4411  pf_init_context(c);
4412  }
4413 #endif
4414 
4415  /* Check for signals */
4416  if (IS_SIG(c))
4417  {
4418  goto sig;
4419  }
4420 
4421  return;
4422 
4423 sig:
4424  if (!c->sig->signal_text)
4425  {
4426  c->sig->signal_text = "init_instance";
4427  }
4428  close_context(c, -1, flags);
4429  return;
4430 }
4431 
4432 /*
4433  * Close a tunnel instance.
4434  */
4435 void
4436 close_instance(struct context *c)
4437 {
4438  /* close event objects */
4439  do_close_event_set(c);
4440 
4441  if (c->mode == CM_P2P
4442  || c->mode == CM_CHILD_TCP
4443  || c->mode == CM_CHILD_UDP
4444  || c->mode == CM_TOP)
4445  {
4446 #ifdef USE_COMP
4447  if (c->c2.comp_context)
4448  {
4449  comp_uninit(c->c2.comp_context);
4450  c->c2.comp_context = NULL;
4451  }
4452 #endif
4453 
4454  /* free buffers */
4455  do_close_free_buf(c);
4456 
4457  /* close TLS */
4458  do_close_tls(c);
4459 
4460  /* free key schedules */
4461  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4462 
4463  restore_ncp_options(c);
4464 
4465  /* close TCP/UDP connection */
4466  do_close_link_socket(c);
4467 
4468  /* close TUN/TAP device */
4469  do_close_tun(c, false);
4470 
4471 #ifdef ENABLE_MANAGEMENT
4472  if (management)
4473  {
4474  management_notify_client_close(management, &c->c2.mda_context, NULL);
4475  }
4476 #endif
4477 
4478 #ifdef ENABLE_PF
4479  pf_destroy_context(&c->c2.pf);
4480 #endif
4481 
4482 #ifdef ENABLE_PLUGIN
4483  /* call plugin close functions and unload */
4484  do_close_plugins(c);
4485 #endif
4486 
4487  /* close packet-id persistence file */
4488  do_close_packet_id(c);
4489 
4490  /* close --status file */
4491  do_close_status_output(c);
4492 
4493 #ifdef ENABLE_FRAGMENT
4494  /* close fragmentation handler */
4495  do_close_fragment(c);
4496 #endif
4497 
4498  /* close --ifconfig-pool-persist obj */
4499  do_close_ifconfig_pool_persist(c);
4500 
4501  /* free up environmental variable store */
4502  do_env_set_destroy(c);
4503 
4504  /* close HTTP or SOCKS proxy */
4505  uninit_proxy(c);
4506 
4507  /* garbage collect */
4508  gc_free(&c->c2.gc);
4509  }
4510 }
4511 
4512 void
4513 inherit_context_child(struct context *dest,
4514  const struct context *src)
4515 {
4516  CLEAR(*dest);
4517 
4518  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4519  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4520 
4521  dest->gc = gc_new();
4522 
4523  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4524 
4525  /* c1 init */
4526  packet_id_persist_init(&dest->c1.pid_persist);
4527 
4528  dest->c1.ks.key_type = src->c1.ks.key_type;
4529  /* inherit SSL context */
4530  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4531  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4532  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4533  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4534  /* inherit pre-NCP ciphers */
4535  dest->c1.ciphername = src->c1.ciphername;
4536  dest->c1.authname = src->c1.authname;
4537  dest->c1.keysize = src->c1.keysize;
4538 
4539  /* inherit auth-token */
4540  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4541 
4542  /* options */
4543  dest->options = src->options;
4544  options_detach(&dest->options);
4545 
4546  if (dest->mode == CM_CHILD_TCP)
4547  {
4548  /*
4549  * The CM_TOP context does the socket listen(),
4550  * and the CM_CHILD_TCP context does the accept().
4551  */
4552  dest->c2.accept_from = src->c2.link_socket;
4553  }
4554 
4555 #ifdef ENABLE_PLUGIN
4556  /* inherit plugins */
4557  do_inherit_plugins(dest, src);
4558 #endif
4559 
4560  /* context init */
4561  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4562  if (IS_SIG(dest))
4563  {
4564  return;
4565  }
4566 
4567  /* inherit tun/tap interface object */
4568  dest->c1.tuntap = src->c1.tuntap;
4569 
4570  /* UDP inherits some extra things which TCP does not */
4571  if (dest->mode == CM_CHILD_UDP)
4572  {
4573  /* inherit buffers */
4574  dest->c2.buffers = src->c2.buffers;
4575 
4576  /* inherit parent link_socket and tuntap */
4577  dest->c2.link_socket = src->c2.link_socket;
4578 
4579  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4580  *dest->c2.link_socket_info = src->c2.link_socket->info;
4581 
4582  /* locally override some link_socket_info fields */
4583  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4584  dest->c2.link_socket_info->connection_established = false;
4585  }
4586 }
4587 
4588 void
4589 inherit_context_top(struct context *dest,
4590  const struct context *src)
4591 {
4592  /* copy parent */
4593  *dest = *src;
4594 
4595  /*
4596  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4597  * resources owned by the parent.
4598  *
4599  * Also note that CM_TOP_CLONE context objects are
4600  * closed by multi_top_free in multi.c.
4601  */
4602  dest->mode = CM_TOP_CLONE;
4603 
4604  dest->first_time = false;
4605  dest->c0 = NULL;
4606 
4607  options_detach(&dest->options);
4608  gc_detach(&dest->gc);
4609  gc_detach(&dest->c2.gc);
4610 
4611  /* detach plugins */
4612  dest->plugins_owned = false;
4613 
4614  dest->c2.tls_multi = NULL;
4615 
4616  /* detach c1 ownership */
4617  dest->c1.tuntap_owned = false;
4618  dest->c1.status_output_owned = false;
4619  dest->c1.ifconfig_pool_persist_owned = false;
4620 
4621  /* detach c2 ownership */
4622  dest->c2.event_set_owned = false;
4623  dest->c2.link_socket_owned = false;
4624  dest->c2.buffers_owned = false;
4625  dest->c2.es_owned = false;
4626 
4627  dest->c2.event_set = NULL;
4628  if (proto_is_dgram(src->options.ce.proto))
4629  {
4630  do_event_set_init(dest, false);
4631  }
4632 
4633 #ifdef USE_COMP
4634  dest->c2.comp_context = NULL;
4635 #endif
4636 }
4637 
4638 void
4639 close_context(struct context *c, int sig, unsigned int flags)
4640 {
4641  ASSERT(c);
4642  ASSERT(c->sig);
4643 
4644  if (sig >= 0)
4645  {
4646  c->sig->signal_received = sig;
4647  }
4648 
4649  if (c->sig->signal_received == SIGUSR1)
4650  {
4651  if ((flags & CC_USR1_TO_HUP)
4652  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4653  {
4654  c->sig->signal_received = SIGHUP;
4655  c->sig->signal_text = "close_context usr1 to hup";
4656  }
4657  }
4658 
4659  if (!(flags & CC_NO_CLOSE))
4660  {
4661  close_instance(c);
4662  }
4663 
4664  if (flags & CC_GC_FREE)
4665  {
4666  context_gc_free(c);
4667  }
4668 }
4669 
4670 /* Write our PID to a file */
4671 void
4672 write_pid_file(const char *filename, const char *chroot_dir)
4673 {
4674  if (filename)
4675  {
4676  unsigned int pid = 0;
4677  FILE *fp = platform_fopen(filename, "w");
4678  if (!fp)
4679  {
4680  msg(M_ERR, "Open error on pid file %s", filename);
4681  return;
4682  }
4683 
4684  pid = platform_getpid();
4685  fprintf(fp, "%u\n", pid);
4686  if (fclose(fp))
4687  {
4688  msg(M_ERR, "Close error on pid file %s", filename);
4689  }
4690 
4691  /* remember file name so it can be deleted "out of context" later */
4692  /* (the chroot case is more complex and not handled today) */
4693  if (!chroot_dir)
4694  {
4695  saved_pid_file_name = strdup(filename);
4696  }
4697  }
4698 }
4699 
4700 /* remove PID file on exit, called from openvpn_exit() */
4701 void
4702 remove_pid_file(void)
4703 {
4704  if (saved_pid_file_name)
4705  {
4706  platform_unlink(saved_pid_file_name);
4707  }
4708 }
4709 
4710 
4711 /*
4712  * Do a loopback test
4713  * on the crypto subsystem.
4714  */
4715 static void *
4716 test_crypto_thread(void *arg)
4717 {
4718  struct context *c = (struct context *) arg;
4719  const struct options *options = &c->options;
4720 
4721  ASSERT(options->test_crypto);
4722  init_verb_mute(c, IVM_LEVEL_1);
4723  context_init_1(c);
4724  next_connection_entry(c);
4725  do_init_crypto_static(c, 0);
4726 
4727  frame_finalize_options(c, options);
4728 
4729  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4730 
4731  key_schedule_free(&c->c1.ks, true);
4732  packet_id_free(&c->c2.crypto_options.packet_id);
4733 
4734  context_gc_free(c);
4735  return NULL;
4736 }
4737 
4738 bool
4739 do_test_crypto(const struct options *o)
4740 {
4741  if (o->test_crypto)
4742  {
4743  struct context c;
4744 
4745  /* print version number */
4746  msg(M_INFO, "%s", title_string);
4747 
4748  context_clear(&c);
4749  c.options = *o;
4750  options_detach(&c.options);
4751  c.first_time = true;
4752  test_crypto_thread((void *) &c);
4753  return true;
4754  }
4755  return false;
4756 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:301
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:313
context_2::es
struct env_set * es
Definition: openvpn.h:440
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:184
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:178
context_1::ciphername
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
connection_entry::remote_float
bool remote_float
Definition: options.h:95
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:570
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2568
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:333
management_close
void management_close(struct management *man)
Definition: manage.c:2692
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:429
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:259
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:555
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:290
options::sndbuf
int sndbuf
Definition: options.h:346
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:366
context_2::log_rw
bool log_rw
Definition: openvpn.h:402
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:104
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:475
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:286
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:330
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:405
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:108
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:613
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:689
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1544
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:364
tuntap
Definition: tun.h:151
options::ncp_enabled
bool ncp_enabled
Definition: options.h:505
options::management_flags
unsigned int management_flags
Definition: options.h:389
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2011
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:891
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2596
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:291
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:626
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:106
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:317
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1280
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:319
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
platform_nice
void platform_nice(int niceval)
Definition: platform.c:156
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:406
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:513
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1086
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5690
options::show_curves
bool show_curves
Definition: options.h:222
ssl_clean_user_pass
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4200
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:623
options::cipher_list
const char * cipher_list
Definition: options.h:538
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
options::tls_server
bool tls_server
Definition: options.h:523
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1868
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1489
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:335
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1029
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3664
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:503
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:602
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2164
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:630
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1719
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_1::dns_cache
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:409
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:337
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:541
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:380
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:320
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:366
streq
#define streq(x, y)
Definition: options.h:653
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:428
options::chroot_dir
const char * chroot_dir
Definition: options.h:306
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:728
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3916
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3712
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2735
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:415
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:247
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:286
tls_options::mode
int mode
Definition: ssl_common.h:276
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2174
options::auth_token_generate
bool auth_token_generate
Definition: options.h:471
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4331
tun_abort
void tun_abort(void)
Definition: init.c:2144
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:503
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:574
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3795
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2655
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:716
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:361
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:526
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
management::persist
struct man_persist persist
Definition: manage.h:318
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
proto_is_udp
bool proto_is_udp(int proto)
Definition: socket.c:3121
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:375
link_socket_init_phase1
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, const char *bind_dev, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1879
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:256
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:214
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:682
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
dmsg
#define dmsg
Definition: error.h:174
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4639
script_security
int script_security(void)
Definition: run_command.c:45
do_init_socket_2
static void do_init_socket_2(struct context *c)
Definition: init.c:3468
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:203
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:328
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:499
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6682
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:183
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:42
options::peer_id
uint32_t peer_id
Definition: options.h:631
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3990
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:354
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1198
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:333
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:146
close_instance
void close_instance(struct context *c)
Definition: init.c:4436
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2826
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:86
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:576
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:342
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1305
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:661
options::persist_key
bool persist_key
Definition: options.h:291
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:152
options::replay_window
int replay_window
Definition: options.h:514
options::persist_mode
int persist_mode
Definition: options.h:215
context_1::keysize
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:457
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:331
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3843
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:389
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:289
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:99
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:315
options::rcvbuf
int rcvbuf
Definition: options.h:345
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:316
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:111
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:471
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:280
options::connection_list
struct connection_list * connection_list
Definition: options.h:231
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:408
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1339
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:191
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:239
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:181
options::exit_event_name
const char * exit_event_name
Definition: options.h:622
AR_NONE
#define AR_NONE
Definition: options.h:835
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:272
options::route_noexec
bool route_noexec
Definition: options.h:361
options::sockflags
unsigned int sockflags
Definition: options.h:353
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2525
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:173
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:140
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3571
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:226
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:382
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:301
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:16
options::route_script
const char * route_script
Definition: options.h:356
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:382
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:368
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:297
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:475
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:107
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:165
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:140
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3097
options::config
const char * config
Definition: options.h:201
options::route_delay
int route_delay
Definition: options.h:362
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4702
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:313
connection_entry::local_port
const char * local_port
Definition: options.h:90
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:357
tls_options::gremlin
int gremlin
Definition: ssl_common.h:378
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3868
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:381
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:255
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:279
options::down_pre
bool down_pre
Definition: options.h:315
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:274
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:683
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
SIGTERM
#define SIGTERM
Definition: config-msvc.h:154
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:333
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1471
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:566
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:587
options::push_peer_info
bool push_peer_info
Definition: options.h:611
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:663
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
SIGHUP
#define SIGHUP
Definition: config-msvc.h:150
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:577
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3796
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:141
PING_RESTART
#define PING_RESTART
Definition: options.h:285
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3047
options::handshake_window
int handshake_window
Definition: options.h:581
ASSERT
#define ASSERT(x)
Definition: error.h:221
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3905
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:130
tls_options
Definition: ssl_common.h:253
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:339
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:243
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:245
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:309
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:162
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:243
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:121
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:335
options::verify_x509_type
int verify_x509_type
Definition: options.h:544
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:237
close_management
void close_management(void)
Definition: init.c:4074
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:321
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:473
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:315
options::prng_hash
const char * prng_hash
Definition: options.h:509
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1956
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:280
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
D_LOW
#define D_LOW
Definition: errlevel.h:98
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:257
options::fast_io
bool fast_io
Definition: options.h:338
options::key_direction
int key_direction
Definition: options.h:501
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:282
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:193
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1576
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:164
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:112
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:67
init_static
bool init_static(void)
Definition: init.c:782
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:285
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:205
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:586
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:316
options::route_delay_defined
bool route_delay_defined
Definition: options.h:364
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:515
options::tls_exit
bool tls_exit
Definition: options.h:613
MF_SERVER
#define MF_SERVER
Defi