OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 #include "mss.h"
57 #include "mudp.h"
58 #include "dco.h"
59 
60 #include "memdbg.h"
61 
62 
63 static struct context *static_context; /* GLOBAL */
64 static const char *saved_pid_file_name; /* GLOBAL */
65 
66 /*
67  * Crypto initialization flags
68  */
69 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
70 #define CF_INIT_TLS_MULTI (1<<1)
71 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
72 
73 static void do_init_first_time(struct context *c);
74 
75 static bool do_deferred_p2p_ncp(struct context *c);
76 
77 void
78 context_clear(struct context *c)
79 {
80  CLEAR(*c);
81 }
82 
83 void
84 context_clear_1(struct context *c)
85 {
86  CLEAR(c->c1);
87 }
88 
89 void
90 context_clear_2(struct context *c)
91 {
92  CLEAR(c->c2);
93 }
94 
95 void
96 context_clear_all_except_first_time(struct context *c)
97 {
98  const bool first_time_save = c->first_time;
99  const struct context_persist cpsave = c->persist;
100  context_clear(c);
101  c->first_time = first_time_save;
102  c->persist = cpsave;
103 }
104 
105 /*
106  * Pass tunnel endpoint and MTU parms to a user-supplied script.
107  * Used to execute the up/down script/plugins.
108  */
109 static void
110 run_up_down(const char *command,
111  const struct plugin_list *plugins,
112  int plugin_type,
113  const char *arg,
114 #ifdef _WIN32
115  DWORD adapter_index,
116 #endif
117  const char *dev_type,
118  int tun_mtu,
119  const char *ifconfig_local,
120  const char *ifconfig_remote,
121  const char *context,
122  const char *signal_text,
123  const char *script_type,
124  struct env_set *es)
125 {
126  struct gc_arena gc = gc_new();
127 
128  if (signal_text)
129  {
130  setenv_str(es, "signal", signal_text);
131  }
132  setenv_str(es, "script_context", context);
133  setenv_int(es, "tun_mtu", tun_mtu);
134  setenv_str(es, "dev", arg);
135  if (dev_type)
136  {
137  setenv_str(es, "dev_type", dev_type);
138  }
139 #ifdef _WIN32
140  setenv_int(es, "dev_idx", adapter_index);
141 #endif
142 
143  if (!ifconfig_local)
144  {
145  ifconfig_local = "";
146  }
147  if (!ifconfig_remote)
148  {
149  ifconfig_remote = "";
150  }
151  if (!context)
152  {
153  context = "";
154  }
155 
156  if (plugin_defined(plugins, plugin_type))
157  {
158  struct argv argv = argv_new();
159  ASSERT(arg);
160  argv_printf(&argv,
161  "%s %d 0 %s %s %s",
162  arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
193 update_options_ce_post(struct options *options)
194 {
195  /*
196  * In pull mode, we usually import --ping/--ping-restart parameters from
197  * the server. However we should also set an initial default --ping-restart
198  * for the period of time before we pull the --ping-restart parameter
199  * from the server.
200  */
201  if (options->pull
202  && options->ping_rec_timeout_action == PING_UNDEF
203  && proto_is_dgram(options->ce.proto))
204  {
205  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
206  options->ping_rec_timeout_action = PING_RESTART;
207  }
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
234  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
258 ce_management_query_proxy(struct context *c)
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
273  management_notify_generic(management, BSTR(&out));
274  management->persist.special_state_msg = BSTR(&out);
275  }
276  ce->flags |= CE_MAN_QUERY_PROXY;
277  while (ce->flags & CE_MAN_QUERY_PROXY)
278  {
279  management_event_loop_n_seconds(management, 1);
280  if (IS_SIG(c))
281  {
282  ret = false;
283  break;
284  }
285  }
286  management->persist.special_state_msg = NULL;
287  gc_free(&gc);
288  }
289 
290  return ret;
291 }
292 
307 static bool
308 management_callback_send_cc_message(void *arg,
309  const char *command,
310  const char *parameters)
311 {
312  struct context *c = (struct context *) arg;
313  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
314  if (len > PUSH_BUNDLE_SIZE)
315  {
316  return false;
317  }
318 
319  struct gc_arena gc = gc_new();
320  struct buffer buf = alloc_buf_gc(len, &gc);
321  ASSERT(buf_printf(&buf, "%s", command));
322  if (parameters)
323  {
324  ASSERT(buf_printf(&buf, ",%s", parameters));
325  }
326  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
327 
328  gc_free(&gc);
329  return status;
330 }
331 
332 static bool
333 management_callback_remote_cmd(void *arg, const char **p)
334 {
335  struct context *c = (struct context *) arg;
336  struct connection_entry *ce = &c->options.ce;
337  int ret = false;
338  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
339  {
340  int flags = 0;
341  if (!strcmp(p[1], "ACCEPT"))
342  {
343  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
344  ret = true;
345  }
346  else if (!strcmp(p[1], "SKIP"))
347  {
348  flags = CE_MAN_QUERY_REMOTE_SKIP;
349  ret = true;
350  }
351  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
352  {
353  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
354  {
355  struct remote_host_store *rhs = c->options.rh_store;
356  if (!rhs)
357  {
358  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
359  c->options.rh_store = rhs;
360  }
361  strncpynt(rhs->host, p[2], RH_HOST_LEN);
362  strncpynt(rhs->port, p[3], RH_PORT_LEN);
363 
364  ce->remote = rhs->host;
365  ce->remote_port = rhs->port;
366  flags = CE_MAN_QUERY_REMOTE_MOD;
367  ret = true;
368  }
369  }
370  if (ret)
371  {
372  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
373  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
374  }
375  }
376  return ret;
377 }
378 
379 static bool
380 ce_management_query_remote(struct context *c)
381 {
382  struct gc_arena gc = gc_new();
383  volatile struct connection_entry *ce = &c->options.ce;
384  int ce_changed = true; /* presume the connection entry will be changed */
385 
386  update_time();
387  if (management)
388  {
389  struct buffer out = alloc_buf_gc(256, &gc);
390 
391  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
392  proto2ascii(ce->proto, ce->af, false));
393  management_notify_generic(management, BSTR(&out));
394  management->persist.special_state_msg = BSTR(&out);
395 
396  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
397  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
398  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
399  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
400  {
401  management_event_loop_n_seconds(management, 1);
402  if (IS_SIG(c))
403  {
404  ce_changed = false; /* connection entry have not been set */
405  break;
406  }
407  }
408  management->persist.special_state_msg = NULL;
409  }
410  gc_free(&gc);
411 
412  if (ce_changed)
413  {
414  /* If it is likely a connection entry was modified,
415  * check what changed in the flags and that it was not skipped
416  */
417  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
418  & CE_MAN_QUERY_REMOTE_MASK);
419  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
420  }
421  return ce_changed;
422 }
423 #endif /* ENABLE_MANAGEMENT */
424 
425 /*
426  * Initialize and possibly randomize connection list.
427  */
428 static void
429 init_connection_list(struct context *c)
430 {
431  struct connection_list *l = c->options.connection_list;
432 
433  l->current = -1;
434  if (c->options.remote_random)
435  {
436  int i;
437  for (i = 0; i < l->len; ++i)
438  {
439  const int j = get_random() % l->len;
440  if (i != j)
441  {
442  struct connection_entry *tmp;
443  tmp = l->array[i];
444  l->array[i] = l->array[j];
445  l->array[j] = tmp;
446  }
447  }
448  }
449 }
450 
451 /*
452  * Clear the remote address list
453  */
454 static void
455 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
456 {
457  if (lsa->remote_list && free)
458  {
459  freeaddrinfo(lsa->remote_list);
460  }
461  lsa->remote_list = NULL;
462  lsa->current_remote = NULL;
463 }
464 
465 /*
466  * Increment to next connection entry
467  */
468 static void
469 next_connection_entry(struct context *c)
470 {
471  struct connection_list *l = c->options.connection_list;
472  bool ce_defined;
473  struct connection_entry *ce;
474  int n_cycles = 0;
475 
476  do
477  {
478  ce_defined = true;
479  if (c->options.no_advance && l->current >= 0)
480  {
481  c->options.no_advance = false;
482  }
483  else
484  {
485  /* Check if there is another resolved address to try for
486  * the current connection */
487  if (c->c1.link_socket_addr.current_remote
488  && c->c1.link_socket_addr.current_remote->ai_next
489  && !c->options.advance_next_remote)
490  {
491  c->c1.link_socket_addr.current_remote =
492  c->c1.link_socket_addr.current_remote->ai_next;
493  }
494  else
495  {
496  c->options.advance_next_remote = false;
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* Connection entry addrinfo objects might have been
504  * resolved earlier but the entry itself might have been
505  * skipped by management on the previous loop.
506  * If so, clear the addrinfo objects as close_instance does
507  */
508  if (c->c1.link_socket_addr.remote_list)
509  {
510  clear_remote_addrlist(&c->c1.link_socket_addr,
511  !c->options.resolve_in_advance);
512  }
513 
514  /* close_instance should have cleared the addrinfo objects */
515  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
516  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
517  }
518  else
519  {
520  c->c1.link_socket_addr.current_remote =
521  c->c1.link_socket_addr.remote_list;
522  }
523 
524  /*
525  * Increase the number of connection attempts
526  * If this is connect-retry-max * size(l)
527  * OpenVPN will quit
528  */
529 
530  c->options.unsuccessful_attempts++;
531 
532  if (++l->current >= l->len)
533  {
534 
535  l->current = 0;
536  if (++n_cycles >= 2)
537  {
538  msg(M_FATAL, "No usable connection profiles are present");
539  }
540  }
541  }
542  }
543 
544  ce = l->array[l->current];
545 
546  if (ce->flags & CE_DISABLED)
547  {
548  ce_defined = false;
549  }
550 
551  c->options.ce = *ce;
552 #ifdef ENABLE_MANAGEMENT
553  if (ce_defined && management && management_query_remote_enabled(management))
554  {
555  /* allow management interface to override connection entry details */
556  ce_defined = ce_management_query_remote(c);
557  if (IS_SIG(c))
558  {
559  break;
560  }
561  }
562  else if (ce_defined && management && management_query_proxy_enabled(management))
563  {
564  ce_defined = ce_management_query_proxy(c);
565  if (IS_SIG(c))
566  {
567  break;
568  }
569  }
570 #endif
571  } while (!ce_defined);
572 
573  /* Check if this connection attempt would bring us over the limit */
574  if (c->options.connect_retry_max > 0
575  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
576  {
577  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
578  c->options.connect_retry_max);
579  }
580  update_options_ce_post(&c->options);
581 }
582 
583 /*
584  * Query for private key and auth-user-pass username/passwords
585  */
586 void
587 init_query_passwords(const struct context *c)
588 {
589  /* Certificate password input */
590  if (c->options.key_pass_file)
591  {
592  pem_password_setup(c->options.key_pass_file);
593  }
594 
595  /* Auth user/pass input */
596  if (c->options.auth_user_pass_file)
597  {
598  enable_auth_user_pass();
599 #ifdef ENABLE_MANAGEMENT
600  auth_user_pass_setup(c->options.auth_user_pass_file,
601  c->options.auth_user_pass_file_inline,
602  &c->options.sc_info);
603 #else
604  auth_user_pass_setup(c->options.auth_user_pass_file,
605  c->options.auth_user_pass_file_inline, NULL);
606 #endif
607  }
608 }
609 
610 /*
611  * Initialize/Uninitialize HTTP or SOCKS proxy
612  */
613 
614 static void
615 uninit_proxy_dowork(struct context *c)
616 {
617  if (c->c1.http_proxy_owned && c->c1.http_proxy)
618  {
619  http_proxy_close(c->c1.http_proxy);
620  c->c1.http_proxy = NULL;
621  c->c1.http_proxy_owned = false;
622  }
623  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
624  {
625  socks_proxy_close(c->c1.socks_proxy);
626  c->c1.socks_proxy = NULL;
627  c->c1.socks_proxy_owned = false;
628  }
629 }
630 
631 static void
632 init_proxy_dowork(struct context *c)
633 {
634  bool did_http = false;
635 
636  uninit_proxy_dowork(c);
637 
638  if (c->options.ce.http_proxy_options)
639  {
640  /* Possible HTTP proxy user/pass input */
641  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
642  if (c->c1.http_proxy)
643  {
644  did_http = true;
645  c->c1.http_proxy_owned = true;
646  }
647  }
648 
649  if (!did_http && c->options.ce.socks_proxy_server)
650  {
651  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
652  c->options.ce.socks_proxy_port,
653  c->options.ce.socks_proxy_authfile);
654  if (c->c1.socks_proxy)
655  {
656  c->c1.socks_proxy_owned = true;
657  }
658  }
659 }
660 
661 static void
662 init_proxy(struct context *c)
663 {
664  init_proxy_dowork(c);
665 }
666 
667 static void
668 uninit_proxy(struct context *c)
669 {
670  uninit_proxy_dowork(c);
671 }
672 
673 void
674 context_init_1(struct context *c)
675 {
676  context_clear_1(c);
677 
678  packet_id_persist_init(&c->c1.pid_persist);
679 
680  init_connection_list(c);
681 
682 #if defined(ENABLE_PKCS11)
683  if (c->first_time)
684  {
685  int i;
686  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
687  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
688  {
689  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
690  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
691  }
692  }
693 #endif
694 
695 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
696  {
697  /*
698  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
699  */
700  struct user_pass up;
701  CLEAR(up);
702  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
703  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
704  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
705  * 'needok' command, usually 'ok' or 'cancel'. */
706  }
707 #endif
708 
709 #ifdef ENABLE_SYSTEMD
710  /* We can report the PID via getpid() to systemd here as OpenVPN will not
711  * do any fork due to daemon() a future call.
712  * See possibly_become_daemon() [init.c] for more details.
713  */
714  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
715  (unsigned long) getpid());
716 #endif
717 
718 }
719 
720 void
721 context_gc_free(struct context *c)
722 {
723  gc_free(&c->c2.gc);
724  gc_free(&c->options.gc);
725  gc_free(&c->gc);
726 }
727 
728 #if PORT_SHARE
729 
730 static void
731 close_port_share(void)
732 {
733  if (port_share)
734  {
735  port_share_close(port_share);
736  port_share = NULL;
737  }
738 }
739 
740 static void
741 init_port_share(struct context *c)
742 {
743  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
744  {
745  port_share = port_share_open(c->options.port_share_host,
746  c->options.port_share_port,
747  c->c2.frame.buf.payload_size,
748  c->options.port_share_journal_dir);
749  if (port_share == NULL)
750  {
751  msg(M_FATAL, "Fatal error: Port sharing failed");
752  }
753  }
754 }
755 
756 #endif /* if PORT_SHARE */
757 
758 
759 bool
760 init_static(void)
761 {
762  /* configure_path (); */
763 
764 #if defined(DMALLOC)
765  crypto_init_dmalloc();
766 #endif
767 
768 
769  /*
770  * Initialize random number seed. random() is only used
771  * when "weak" random numbers are acceptable.
772  * SSL library routines are always used when cryptographically
773  * strong random numbers are required.
774  */
775  struct timeval tv;
776  if (!gettimeofday(&tv, NULL))
777  {
778  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
779  srandom(seed);
780  }
781 
782  error_reset(); /* initialize error.c */
783  reset_check_status(); /* initialize status check code in socket.c */
784 
785 #ifdef _WIN32
786  init_win32();
787 #endif
788 
789 #ifdef OPENVPN_DEBUG_COMMAND_LINE
790  {
791  int i;
792  for (i = 0; i < argc; ++i)
793  {
794  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
795  }
796  }
797 #endif
798 
799  update_time();
800 
801  init_ssl_lib();
802 
803 #ifdef SCHEDULE_TEST
804  schedule_test();
805  return false;
806 #endif
807 
808 #ifdef LIST_TEST
809  list_test();
810  return false;
811 #endif
812 
813 #ifdef IFCONFIG_POOL_TEST
814  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
815  return false;
816 #endif
817 
818 #ifdef CHARACTER_CLASS_DEBUG
819  character_class_debug();
820  return false;
821 #endif
822 
823 #ifdef EXTRACT_X509_FIELD_TEST
824  extract_x509_field_test();
825  return false;
826 #endif
827 
828 #ifdef TIME_TEST
829  time_test();
830  return false;
831 #endif
832 
833 #ifdef TEST_GET_DEFAULT_GATEWAY
834  {
835  struct route_gateway_info rgi;
836  struct route_ipv6_gateway_info rgi6;
837  get_default_gateway(&rgi);
838  get_default_gateway_ipv6(&rgi6, NULL);
839  print_default_gateway(M_INFO, &rgi, &rgi6);
840  return false;
841  }
842 #endif
843 
844 #ifdef GEN_PATH_TEST
845  {
846  struct gc_arena gc = gc_new();
847  const char *fn = gen_path("foo",
848  "bar",
849  &gc);
850  printf("%s\n", fn);
851  gc_free(&gc);
852  }
853  return false;
854 #endif
855 
856 #ifdef STATUS_PRINTF_TEST
857  {
858  struct gc_arena gc = gc_new();
859  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
860  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
861  status_printf(so, "%s", "foo");
862  status_printf(so, "%s", "bar");
863  if (!status_close(so))
864  {
865  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
866  }
867  gc_free(&gc);
868  }
869  return false;
870 #endif
871 
872 #ifdef MSTATS_TEST
873  {
874  int i;
875  mstats_open("/dev/shm/mstats.dat");
876  for (i = 0; i < 30; ++i)
877  {
878  mmap_stats->n_clients += 1;
879  mmap_stats->link_write_bytes += 8;
880  mmap_stats->link_read_bytes += 16;
881  sleep(1);
882  }
883  mstats_close();
884  return false;
885  }
886 #endif
887 
888  return true;
889 }
890 
891 void
892 uninit_static(void)
893 {
894  free_ssl_lib();
895 
896 #ifdef ENABLE_PKCS11
897  pkcs11_terminate();
898 #endif
899 
900 #if PORT_SHARE
901  close_port_share();
902 #endif
903 
904 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
905  show_tls_performance_stats();
906 #endif
907 }
908 
909 void
910 init_verb_mute(struct context *c, unsigned int flags)
911 {
912  if (flags & IVM_LEVEL_1)
913  {
914  /* set verbosity and mute levels */
915  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
916  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
917  set_mute_cutoff(c->options.mute);
918  }
919 
920  /* special D_LOG_RW mode */
921  if (flags & IVM_LEVEL_2)
922  {
923  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
924  }
925 }
926 
927 /*
928  * Possibly set --dev based on --dev-node.
929  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
930  * set --dev to tun.
931  */
932 void
933 init_options_dev(struct options *options)
934 {
935  if (!options->dev && options->dev_node)
936  {
937  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
938  options->dev = basename(dev_node);
939  }
940 }
941 
942 bool
943 print_openssl_info(const struct options *options)
944 {
945  /*
946  * OpenSSL info print mode?
947  */
948  if (options->show_ciphers || options->show_digests || options->show_engines
949  || options->show_tls_ciphers || options->show_curves)
950  {
951  if (options->show_ciphers)
952  {
953  show_available_ciphers();
954  }
955  if (options->show_digests)
956  {
957  show_available_digests();
958  }
959  if (options->show_engines)
960  {
961  show_available_engines();
962  }
963  if (options->show_tls_ciphers)
964  {
965  show_available_tls_ciphers(options->cipher_list,
966  options->cipher_list_tls13,
967  options->tls_cert_profile);
968  }
969  if (options->show_curves)
970  {
971  show_available_curves();
972  }
973  return true;
974  }
975  return false;
976 }
977 
978 /*
979  * Static pre-shared key generation mode?
980  */
981 bool
982 do_genkey(const struct options *options)
983 {
984  /* should we disable paging? */
985  if (options->mlock && (options->genkey))
986  {
987  platform_mlockall(true);
988  }
989 
990  /*
991  * We do not want user to use --genkey with --secret. In the transistion
992  * phase we for secret.
993  */
994  if (options->genkey && options->genkey_type != GENKEY_SECRET
995  && options->shared_secret_file)
996  {
997  msg(M_USAGE, "Using --genkey type with --secret filename is "
998  "not supported. Use --genkey type filename instead.");
999  }
1000  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1001  {
1002  int nbits_written;
1003  const char *genkey_filename = options->genkey_filename;
1004  if (options->shared_secret_file && options->genkey_filename)
1005  {
1006  msg(M_USAGE, "You must provide a filename to either --genkey "
1007  "or --secret, not both");
1008  }
1009 
1010  /*
1011  * Copy filename from shared_secret_file to genkey_filename to support
1012  * the old --genkey --secret foo.file syntax.
1013  */
1014  if (options->shared_secret_file)
1015  {
1016  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1017  "DEPRECATED. Use --genkey secret filename instead.");
1018  genkey_filename = options->shared_secret_file;
1019  }
1020 
1021  nbits_written = write_key_file(2, genkey_filename);
1022  if (nbits_written < 0)
1023  {
1024  msg(M_FATAL, "Failed to write key file");
1025  }
1026 
1027  msg(D_GENKEY | M_NOPREFIX,
1028  "Randomly generated %d bit key written to %s", nbits_written,
1029  options->shared_secret_file);
1030  return true;
1031  }
1032  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1033  {
1034  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1035  return true;
1036  }
1037  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1038  {
1039  if (!options->tls_crypt_v2_file)
1040  {
1041  msg(M_USAGE,
1042  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1043  }
1044 
1045  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1046  options->genkey_extra_data, options->tls_crypt_v2_file,
1047  options->tls_crypt_v2_file_inline);
1048  return true;
1049  }
1050  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1051  {
1052  auth_token_write_server_key_file(options->genkey_filename);
1053  return true;
1054  }
1055  else
1056  {
1057  return false;
1058  }
1059 }
1060 
1061 /*
1062  * Persistent TUN/TAP device management mode?
1063  */
1064 bool
1065 do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
1066 {
1067  if (!options->persist_config)
1068  {
1069  return false;
1070  }
1071 
1072  /* sanity check on options for --mktun or --rmtun */
1073  notnull(options->dev, "TUN/TAP device (--dev)");
1074  if (options->ce.remote || options->ifconfig_local
1075  || options->ifconfig_remote_netmask
1076  || options->shared_secret_file
1077  || options->tls_server || options->tls_client
1078  )
1079  {
1080  msg(M_FATAL|M_OPTERR,
1081  "options --mktun or --rmtun should only be used together with --dev");
1082  }
1083 
1084 #if defined(ENABLE_DCO)
1085  if (dco_enabled(options))
1086  {
1087  /* creating a DCO interface via --mktun is not supported as it does not
1088  * make much sense. Since DCO is enabled by default, people may run into
1089  * this without knowing, therefore this case should be properly handled.
1090  *
1091  * Disable DCO if --mktun was provided and print a message to let
1092  * user know.
1093  */
1094  if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
1095  {
1096  msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
1097  }
1098 
1099  options->tuntap_options.disable_dco = true;
1100  }
1101 #endif
1102 
1103 #ifdef ENABLE_FEATURE_TUN_PERSIST
1104  tuncfg(options->dev, options->dev_type, options->dev_node,
1105  options->persist_mode,
1106  options->username, options->groupname, &options->tuntap_options,
1107  ctx);
1108  if (options->persist_mode && options->lladdr)
1109  {
1110  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1111  }
1112  return true;
1113 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1114  msg(M_FATAL|M_OPTERR,
1115  "options --mktun and --rmtun are not available on your operating "
1116  "system. Please check 'man tun' (or 'tap'), whether your system "
1117  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1118  "persistent tunnel interfaces.", options->dev );
1119 #endif
1120  return false;
1121 }
1122 
1123 /*
1124  * Should we become a daemon?
1125  * Return true if we did it.
1126  */
1127 bool
1128 possibly_become_daemon(const struct options *options)
1129 {
1130  bool ret = false;
1131 
1132 #ifdef ENABLE_SYSTEMD
1133  /* return without forking if we are running from systemd */
1134  if (sd_notify(0, "READY=0") > 0)
1135  {
1136  return ret;
1137  }
1138 #endif
1139 
1140  if (options->daemon)
1141  {
1142  /* Don't chdir immediately, but the end of the init sequence, if needed */
1143 
1144 #if defined(__APPLE__) && defined(__clang__)
1145 #pragma clang diagnostic push
1146 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1147 #endif
1148  if (daemon(1, options->log) < 0)
1149  {
1150  msg(M_ERR, "daemon() failed or unsupported");
1151  }
1152 #if defined(__APPLE__) && defined(__clang__)
1153 #pragma clang diagnostic pop
1154 #endif
1155  restore_signal_state();
1156  if (options->log)
1157  {
1158  set_std_files_to_null(true);
1159  }
1160 
1161  ret = true;
1162  }
1163  return ret;
1164 }
1165 
1166 /*
1167  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1168  */
1169 static void
1170 do_uid_gid_chroot(struct context *c, bool no_delay)
1171 {
1172  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1173  struct context_0 *c0 = c->c0;
1174 
1175  if (c0 && !c0->uid_gid_chroot_set)
1176  {
1177  /* chroot if requested */
1178  if (c->options.chroot_dir)
1179  {
1180  if (no_delay)
1181  {
1182  platform_chroot(c->options.chroot_dir);
1183  }
1184  else if (c->first_time)
1185  {
1186  msg(M_INFO, "NOTE: chroot %s", why_not);
1187  }
1188  }
1189 
1190  /* set user and/or group if we want to setuid/setgid */
1191  if (c0->uid_gid_specified)
1192  {
1193  if (no_delay)
1194  {
1195  platform_user_group_set(&c0->platform_state_user,
1196  &c0->platform_state_group,
1197  c);
1198  }
1199  else if (c->first_time)
1200  {
1201  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1202  }
1203  }
1204 
1205 #ifdef ENABLE_MEMSTATS
1206  if (c->first_time && c->options.memstats_fn)
1207  {
1208  mstats_open(c->options.memstats_fn);
1209  }
1210 #endif
1211 
1212 #ifdef ENABLE_SELINUX
1213  /* Apply a SELinux context in order to restrict what OpenVPN can do
1214  * to _only_ what it is supposed to do after initialization is complete
1215  * (basically just network I/O operations). Doing it after chroot
1216  * requires /proc to be mounted in the chroot (which is annoying indeed
1217  * but doing it before requires more complex SELinux policies.
1218  */
1219  if (c->options.selinux_context)
1220  {
1221  if (no_delay)
1222  {
1223  if (-1 == setcon(c->options.selinux_context))
1224  {
1225  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1226  }
1227  else
1228  {
1229  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1230  }
1231  }
1232  else if (c->first_time)
1233  {
1234  msg(M_INFO, "NOTE: setcon %s", why_not);
1235  }
1236  }
1237 #endif
1238 
1239  /* Privileges are going to be dropped by now (if requested), be sure
1240  * to prevent any future privilege dropping attempts from now on.
1241  */
1242  if (no_delay)
1243  {
1244  c0->uid_gid_chroot_set = true;
1245  }
1246  }
1247 }
1248 
1249 /*
1250  * Return common name in a way that is formatted for
1251  * prepending to msg() output.
1252  */
1253 const char *
1254 format_common_name(struct context *c, struct gc_arena *gc)
1255 {
1256  struct buffer out = alloc_buf_gc(256, gc);
1257  if (c->c2.tls_multi)
1258  {
1259  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1260  }
1261  return BSTR(&out);
1262 }
1263 
1264 void
1265 pre_setup(const struct options *options)
1266 {
1267 #ifdef _WIN32
1268  if (options->exit_event_name)
1269  {
1270  win32_signal_open(&win32_signal,
1271  WSO_FORCE_SERVICE,
1272  options->exit_event_name,
1273  options->exit_event_initial_state);
1274  }
1275  else
1276  {
1277  win32_signal_open(&win32_signal,
1278  WSO_FORCE_CONSOLE,
1279  NULL,
1280  false);
1281 
1282  /* put a title on the top window bar */
1283  if (win32_signal.mode == WSO_MODE_CONSOLE)
1284  {
1285  window_title_save(&window_title);
1286  window_title_generate(options->config);
1287  }
1288  }
1289 #endif /* ifdef _WIN32 */
1290 }
1291 
1292 void
1293 reset_coarse_timers(struct context *c)
1294 {
1295  c->c2.coarse_timer_wakeup = 0;
1296 }
1297 
1298 /*
1299  * Initialise the server poll timeout timer
1300  * This timer is used in the http/socks proxy setup so it needs to be setup
1301  * before
1302  */
1303 static void
1304 do_init_server_poll_timeout(struct context *c)
1305 {
1306  update_time();
1307  if (c->options.ce.connect_timeout)
1308  {
1309  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1310  }
1311 }
1312 
1313 /*
1314  * Initialize timers
1315  */
1316 static void
1317 do_init_timers(struct context *c, bool deferred)
1318 {
1319  update_time();
1320  reset_coarse_timers(c);
1321 
1322  /* initialize inactivity timeout */
1323  if (c->options.inactivity_timeout)
1324  {
1325  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1326  }
1327 
1328  /* initialize inactivity timeout */
1329  if (c->options.session_timeout)
1330  {
1331  event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
1332  now);
1333  }
1334 
1335  /* initialize pings */
1336  if (dco_enabled(&c->options))
1337  {
1338  /* The DCO kernel module will send the pings instead of user space */
1339  event_timeout_clear(&c->c2.ping_rec_interval);
1340  event_timeout_clear(&c->c2.ping_send_interval);
1341  }
1342  else
1343  {
1344  if (c->options.ping_send_timeout)
1345  {
1346  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1347  }
1348 
1349  if (c->options.ping_rec_timeout)
1350  {
1351  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1352  }
1353  }
1354 
1355  /* If the auth-token renewal interval is shorter than reneg-sec, arm
1356  * "auth-token renewal" timer to send additional auth-token to update the
1357  * token on the client more often. If not, this happens automatically
1358  * at renegotiation time, without needing an extra event.
1359  */
1360  if (c->options.auth_token_generate
1361  && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1362  {
1363  event_timeout_init(&c->c2.auth_token_renewal_interval,
1364  c->options.auth_token_renewal, now);
1365  }
1366 
1367  if (!deferred)
1368  {
1369  /* initialize connection establishment timer */
1370  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1371 
1372  /* initialize occ timers */
1373 
1374  if (c->options.occ
1375  && !TLS_MODE(c)
1376  && c->c2.options_string_local && c->c2.options_string_remote)
1377  {
1378  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1379  }
1380 
1381  if (c->options.mtu_test)
1382  {
1383  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1384  }
1385 
1386  /* initialize packet_id persistence timer */
1387  if (c->options.packet_id_file)
1388  {
1389  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1390  }
1391 
1392  /* initialize tmp_int optimization that limits the number of times we call
1393  * tls_multi_process in the main event loop */
1394  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1395  }
1396 }
1397 
1398 /*
1399  * Initialize traffic shaper.
1400  */
1401 static void
1402 do_init_traffic_shaper(struct context *c)
1403 {
1404  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1405  if (c->options.shaper)
1406  {
1407  shaper_init(&c->c2.shaper, c->options.shaper);
1408  shaper_msg(&c->c2.shaper);
1409  }
1410 }
1411 
1412 /*
1413  * Allocate route list structures for IPv4 and IPv6
1414  * (we do this for IPv4 even if no --route option has been seen, as other
1415  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1416  */
1417 static void
1418 do_alloc_route_list(struct context *c)
1419 {
1420  if (!c->c1.route_list)
1421  {
1422  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1423  }
1424  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1425  {
1426  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1427  }
1428 }
1429 
1430 
1431 /*
1432  * Initialize the route list, resolving any DNS names in route
1433  * options and saving routes in the environment.
1434  */
1435 static void
1436 do_init_route_list(const struct options *options,
1437  struct route_list *route_list,
1438  const struct link_socket_info *link_socket_info,
1439  struct env_set *es,
1440  openvpn_net_ctx_t *ctx)
1441 {
1442  const char *gw = NULL;
1443  int dev = dev_type_enum(options->dev, options->dev_type);
1444  int metric = 0;
1445 
1446  /* if DCO is enabled we have both regular routes and iroutes in the system
1447  * routing table, and normal routes must have a higher metric for that to
1448  * work so that iroutes are always matched first
1449  */
1450  if (dco_enabled(options))
1451  {
1452  metric = DCO_DEFAULT_METRIC;
1453  }
1454 
1455  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1456  {
1457  gw = options->ifconfig_remote_netmask;
1458  }
1459  if (options->route_default_gateway)
1460  {
1461  gw = options->route_default_gateway;
1462  }
1463  if (options->route_default_metric)
1464  {
1465  metric = options->route_default_metric;
1466  }
1467 
1468  if (init_route_list(route_list,
1469  options->routes,
1470  gw,
1471  metric,
1472  link_socket_current_remote(link_socket_info),
1473  es,
1474  ctx))
1475  {
1476  /* copy routes to environment */
1477  setenv_routes(es, route_list);
1478  }
1479 }
1480 
1481 static void
1482 do_init_route_ipv6_list(const struct options *options,
1483  struct route_ipv6_list *route_ipv6_list,
1484  const struct link_socket_info *link_socket_info,
1485  struct env_set *es,
1486  openvpn_net_ctx_t *ctx)
1487 {
1488  const char *gw = NULL;
1489  int metric = -1; /* no metric set */
1490 
1491  /* see explanation in do_init_route_list() */
1492  if (dco_enabled(options))
1493  {
1494  metric = DCO_DEFAULT_METRIC;
1495  }
1496 
1497  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1498  if (options->route_ipv6_default_gateway)
1499  {
1500  gw = options->route_ipv6_default_gateway;
1501  }
1502 
1503  if (options->route_default_metric)
1504  {
1505  metric = options->route_default_metric;
1506  }
1507 
1508  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1509  */
1510  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1511  {
1512  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1513  int i;
1514 
1515  for (i = 0; opt_list[i]; i++)
1516  {
1517  add_route_ipv6_to_option_list( options->routes_ipv6,
1518  string_alloc(opt_list[i], options->routes_ipv6->gc),
1519  NULL, NULL );
1520  }
1521  }
1522 
1523  if (init_route_ipv6_list(route_ipv6_list,
1524  options->routes_ipv6,
1525  gw,
1526  metric,
1527  link_socket_current_remote_ipv6(link_socket_info),
1528  es,
1529  ctx))
1530  {
1531  /* copy routes to environment */
1532  setenv_routes_ipv6(es, route_ipv6_list);
1533  }
1534 }
1535 
1536 
1537 /*
1538  * Called after all initialization has been completed.
1539  */
1540 void
1541 initialization_sequence_completed(struct context *c, const unsigned int flags)
1542 {
1543  static const char message[] = "Initialization Sequence Completed";
1544 
1545  /* Reset the unsuccessful connection counter on complete initialisation */
1546  c->options.unsuccessful_attempts = 0;
1547 
1548  /* If we delayed UID/GID downgrade or chroot, do it now */
1549  do_uid_gid_chroot(c, true);
1550 
1551  /* Test if errors */
1552  if (flags & ISC_ERRORS)
1553  {
1554 #ifdef _WIN32
1555  show_routes(M_INFO|M_NOPREFIX);
1556  show_adapters(M_INFO|M_NOPREFIX);
1557  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1558 #else
1559 #ifdef ENABLE_SYSTEMD
1560  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1561 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1562  msg(M_INFO, "%s With Errors", message);
1563 #endif
1564  }
1565  else
1566  {
1567 #ifdef ENABLE_SYSTEMD
1568  sd_notifyf(0, "STATUS=%s", message);
1569 #endif
1570  msg(M_INFO, "%s", message);
1571  }
1572 
1573  /* Flag that we initialized */
1574  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1575  {
1576  c->options.no_advance = true;
1577  }
1578 
1579 #ifdef _WIN32
1580  fork_register_dns_action(c->c1.tuntap);
1581 #endif
1582 
1583 #ifdef ENABLE_MANAGEMENT
1584  /* Tell management interface that we initialized */
1585  if (management)
1586  {
1587  in_addr_t *tun_local = NULL;
1588  struct in6_addr *tun_local6 = NULL;
1589  struct openvpn_sockaddr local, remote;
1590  struct link_socket_actual *actual;
1591  socklen_t sa_len = sizeof(local);
1592  const char *detail = "SUCCESS";
1593  if (flags & ISC_ERRORS)
1594  {
1595  detail = "ERROR";
1596  }
1597 
1598  CLEAR(local);
1599  actual = &get_link_socket_info(c)->lsa->actual;
1600  remote = actual->dest;
1601  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1602 #if ENABLE_IP_PKTINFO
1603  if (!addr_defined(&local))
1604  {
1605  switch (local.addr.sa.sa_family)
1606  {
1607  case AF_INET:
1608 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1609  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1610 #else
1611  local.addr.in4.sin_addr = actual->pi.in4;
1612 #endif
1613  break;
1614 
1615  case AF_INET6:
1616  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1617  break;
1618  }
1619  }
1620 #endif
1621 
1622  if (c->c1.tuntap)
1623  {
1624  tun_local = &c->c1.tuntap->local;
1625  tun_local6 = &c->c1.tuntap->local_ipv6;
1626  }
1627  management_set_state(management,
1628  OPENVPN_STATE_CONNECTED,
1629  detail,
1630  tun_local,
1631  tun_local6,
1632  &local,
1633  &remote);
1634  if (tun_local)
1635  {
1636  management_post_tunnel_open(management, *tun_local);
1637  }
1638  }
1639 #endif /* ifdef ENABLE_MANAGEMENT */
1640 }
1641 
1642 /*
1643  * Possibly add routes and/or call route-up script
1644  * based on options.
1645  */
1646 void
1647 do_route(const struct options *options,
1648  struct route_list *route_list,
1649  struct route_ipv6_list *route_ipv6_list,
1650  const struct tuntap *tt,
1651  const struct plugin_list *plugins,
1652  struct env_set *es,
1653  openvpn_net_ctx_t *ctx)
1654 {
1655  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1656  {
1657  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1658  es, ctx);
1659  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1660  }
1661 #ifdef ENABLE_MANAGEMENT
1662  if (management)
1663  {
1664  management_up_down(management, "UP", es);
1665  }
1666 #endif
1667 
1668  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1669  {
1670  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1671  {
1672  msg(M_WARN, "WARNING: route-up plugin call failed");
1673  }
1674  }
1675 
1676  if (options->route_script)
1677  {
1678  struct argv argv = argv_new();
1679  setenv_str(es, "script_type", "route-up");
1680  argv_parse_cmd(&argv, options->route_script);
1681  openvpn_run_script(&argv, es, 0, "--route-up");
1682  argv_free(&argv);
1683  }
1684 
1685 #ifdef _WIN32
1686  if (options->show_net_up)
1687  {
1688  show_routes(M_INFO|M_NOPREFIX);
1689  show_adapters(M_INFO|M_NOPREFIX);
1690  }
1691  else if (check_debug_level(D_SHOW_NET))
1692  {
1693  show_routes(D_SHOW_NET|M_NOPREFIX);
1694  show_adapters(D_SHOW_NET|M_NOPREFIX);
1695  }
1696 #endif
1697 }
1698 
1699 /*
1700  * initialize tun/tap device object
1701  */
1702 static void
1703 do_init_tun(struct context *c)
1704 {
1705  c->c1.tuntap = init_tun(c->options.dev,
1706  c->options.dev_type,
1707  c->options.topology,
1708  c->options.ifconfig_local,
1709  c->options.ifconfig_remote_netmask,
1710  c->options.ifconfig_ipv6_local,
1711  c->options.ifconfig_ipv6_netbits,
1712  c->options.ifconfig_ipv6_remote,
1713  c->c1.link_socket_addr.bind_local,
1714  c->c1.link_socket_addr.remote_list,
1715  !c->options.ifconfig_nowarn,
1716  c->c2.es,
1717  &c->net_ctx,
1718  c->c1.tuntap);
1719 
1720 #ifdef _WIN32
1721  c->c1.tuntap->windows_driver = c->options.windows_driver;
1722 #endif
1723 
1724  init_tun_post(c->c1.tuntap,
1725  &c->c2.frame,
1726  &c->options.tuntap_options);
1727 
1728  c->c1.tuntap_owned = true;
1729 }
1730 
1731 /*
1732  * Open tun/tap device, ifconfig, call up script, etc.
1733  */
1734 
1735 
1736 static bool
1737 can_preserve_tun(struct tuntap *tt)
1738 {
1739 #ifdef TARGET_ANDROID
1740  return false;
1741 #else
1742  return is_tun_type_set(tt);
1743 #endif
1744 }
1745 
1746 static bool
1747 do_open_tun(struct context *c)
1748 {
1749  struct gc_arena gc = gc_new();
1750  bool ret = false;
1751 
1752  if (!can_preserve_tun(c->c1.tuntap))
1753  {
1754 #ifdef TARGET_ANDROID
1755  /* If we emulate persist-tun on android we still have to open a new tun and
1756  * then close the old */
1757  int oldtunfd = -1;
1758  if (c->c1.tuntap)
1759  {
1760  oldtunfd = c->c1.tuntap->fd;
1761  free(c->c1.tuntap);
1762  c->c1.tuntap = NULL;
1763  c->c1.tuntap_owned = false;
1764  }
1765 #endif
1766 
1767  /* initialize (but do not open) tun/tap object */
1768  do_init_tun(c);
1769 
1770  /* inherit the dco context from the tuntap object */
1771  if (c->c2.tls_multi)
1772  {
1773  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1774  }
1775 
1776 #ifdef _WIN32
1777  /* store (hide) interactive service handle in tuntap_options */
1778  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1779  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1780 #endif
1781 
1782  /* allocate route list structure */
1783  do_alloc_route_list(c);
1784 
1785  /* parse and resolve the route option list */
1786  ASSERT(c->c2.link_socket);
1787  if (c->options.routes && c->c1.route_list)
1788  {
1789  do_init_route_list(&c->options, c->c1.route_list,
1790  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1791  }
1792  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1793  {
1794  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1795  &c->c2.link_socket->info, c->c2.es,
1796  &c->net_ctx);
1797  }
1798 
1799  /* do ifconfig */
1800  if (!c->options.ifconfig_noexec
1801  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1802  {
1803  /* guess actual tun/tap unit number that will be returned
1804  * by open_tun */
1805  const char *guess = guess_tuntap_dev(c->options.dev,
1806  c->options.dev_type,
1807  c->options.dev_node,
1808  &gc);
1809  do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es,
1810  &c->net_ctx);
1811  }
1812 
1813  /* possibly add routes */
1814  if (route_order() == ROUTE_BEFORE_TUN)
1815  {
1816  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1817  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1818  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1819  }
1820 #ifdef TARGET_ANDROID
1821  /* Store the old fd inside the fd so open_tun can use it */
1822  c->c1.tuntap->fd = oldtunfd;
1823 #endif
1824  if (dco_enabled(&c->options))
1825  {
1826  ovpn_dco_init(c->mode, &c->c1.tuntap->dco);
1827  }
1828 
1829  /* open the tun device */
1830  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1831  c->c1.tuntap, &c->net_ctx);
1832 
1833  /* set the hardware address */
1834  if (c->options.lladdr)
1835  {
1836  set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr,
1837  c->c2.es);
1838  }
1839 
1840  /* do ifconfig */
1841  if (!c->options.ifconfig_noexec
1842  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1843  {
1844  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1845  c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1846  }
1847 
1848  /* run the up script */
1849  run_up_down(c->options.up_script,
1850  c->plugins,
1851  OPENVPN_PLUGIN_UP,
1852  c->c1.tuntap->actual_name,
1853 #ifdef _WIN32
1854  c->c1.tuntap->adapter_index,
1855 #endif
1856  dev_type_string(c->options.dev, c->options.dev_type),
1857  c->c2.frame.tun_mtu,
1858  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1859  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1860  "init",
1861  NULL,
1862  "up",
1863  c->c2.es);
1864 
1865 #if defined(_WIN32)
1866  if (c->options.block_outside_dns)
1867  {
1868  dmsg(D_LOW, "Blocking outside DNS");
1869  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1870  {
1871  msg(M_FATAL, "Blocking DNS failed!");
1872  }
1873  }
1874 #endif
1875 
1876  /* possibly add routes */
1877  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1878  {
1879  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1880  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1881  }
1882 
1883  ret = true;
1884  static_context = c;
1885  }
1886  else
1887  {
1888  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1889  c->c1.tuntap->actual_name);
1890 
1891  /* explicitly set the ifconfig_* env vars */
1892  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1893 
1894  /* run the up script if user specified --up-restart */
1895  if (c->options.up_restart)
1896  {
1897  run_up_down(c->options.up_script,
1898  c->plugins,
1899  OPENVPN_PLUGIN_UP,
1900  c->c1.tuntap->actual_name,
1901 #ifdef _WIN32
1902  c->c1.tuntap->adapter_index,
1903 #endif
1904  dev_type_string(c->options.dev, c->options.dev_type),
1905  c->c2.frame.tun_mtu,
1906  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1907  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1908  "restart",
1909  NULL,
1910  "up",
1911  c->c2.es);
1912  }
1913 #if defined(_WIN32)
1914  if (c->options.block_outside_dns)
1915  {
1916  dmsg(D_LOW, "Blocking outside DNS");
1917  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1918  {
1919  msg(M_FATAL, "Blocking DNS failed!");
1920  }
1921  }
1922 #endif
1923 
1924  }
1925  gc_free(&gc);
1926  return ret;
1927 }
1928 
1929 /*
1930  * Close TUN/TAP device
1931  */
1932 
1933 static void
1934 do_close_tun_simple(struct context *c)
1935 {
1936  msg(D_CLOSE, "Closing %s interface",
1937  dco_enabled(&c->options) ? "DCO" : "TUN/TAP");
1938 
1939  if (c->c1.tuntap)
1940  {
1941  if (!c->options.ifconfig_noexec)
1942  {
1943  undo_ifconfig(c->c1.tuntap, &c->net_ctx);
1944  }
1945  close_tun(c->c1.tuntap, &c->net_ctx);
1946  c->c1.tuntap = NULL;
1947  }
1948  c->c1.tuntap_owned = false;
1949  CLEAR(c->c1.pulled_options_digest_save);
1950 }
1951 
1952 static void
1953 do_close_tun(struct context *c, bool force)
1954 {
1955  /* With dco-win we open tun handle in the very beginning.
1956  * In case when tun wasn't opened - like we haven't connected,
1957  * we still need to close tun handle
1958  */
1959  if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
1960  {
1961  do_close_tun_simple(c);
1962  return;
1963  }
1964 
1965  if (!c->c1.tuntap || !c->c1.tuntap_owned)
1966  {
1967  return;
1968  }
1969 
1970  struct gc_arena gc = gc_new();
1971  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1972 #ifdef _WIN32
1973  DWORD adapter_index = c->c1.tuntap->adapter_index;
1974 #endif
1975  const in_addr_t local = c->c1.tuntap->local;
1976  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1977 
1978  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1979  {
1980  static_context = NULL;
1981 
1982 #ifdef ENABLE_MANAGEMENT
1983  /* tell management layer we are about to close the TUN/TAP device */
1984  if (management)
1985  {
1986  management_pre_tunnel_close(management);
1987  management_up_down(management, "DOWN", c->c2.es);
1988  }
1989 #endif
1990 
1991  /* delete any routes we added */
1992  if (c->c1.route_list || c->c1.route_ipv6_list)
1993  {
1994  run_up_down(c->options.route_predown_script,
1995  c->plugins,
1996  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1997  tuntap_actual,
1998 #ifdef _WIN32
1999  adapter_index,
2000 #endif
2001  NULL,
2002  c->c2.frame.tun_mtu,
2003  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2004  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2005  "init",
2006  signal_description(c->sig->signal_received,
2007  c->sig->signal_text),
2008  "route-pre-down",
2009  c->c2.es);
2010 
2011  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2012  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2013  c->c2.es, &c->net_ctx);
2014  }
2015 
2016  /* actually close tun/tap device based on --down-pre flag */
2017  if (!c->options.down_pre)
2018  {
2019  do_close_tun_simple(c);
2020  }
2021 
2022  /* Run the down script -- note that it will run at reduced
2023  * privilege if, for example, "--user nobody" was used. */
2024  run_up_down(c->options.down_script,
2025  c->plugins,
2026  OPENVPN_PLUGIN_DOWN,
2027  tuntap_actual,
2028 #ifdef _WIN32
2029  adapter_index,
2030 #endif
2031  NULL,
2032  c->c2.frame.tun_mtu,
2033  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2034  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2035  "init",
2036  signal_description(c->sig->signal_received,
2037  c->sig->signal_text),
2038  "down",
2039  c->c2.es);
2040 
2041 #if defined(_WIN32)
2042  if (c->options.block_outside_dns)
2043  {
2044  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2045  {
2046  msg(M_FATAL, "Uninitialising WFP failed!");
2047  }
2048  }
2049 #endif
2050 
2051  /* actually close tun/tap device based on --down-pre flag */
2052  if (c->options.down_pre)
2053  {
2054  do_close_tun_simple(c);
2055  }
2056  }
2057  else
2058  {
2059  /* run the down script on this restart if --up-restart was specified */
2060  if (c->options.up_restart)
2061  {
2062  run_up_down(c->options.down_script,
2063  c->plugins,
2064  OPENVPN_PLUGIN_DOWN,
2065  tuntap_actual,
2066 #ifdef _WIN32
2067  adapter_index,
2068 #endif
2069  NULL,
2070  c->c2.frame.tun_mtu,
2071  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2072  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2073  "restart",
2074  signal_description(c->sig->signal_received,
2075  c->sig->signal_text),
2076  "down",
2077  c->c2.es);
2078  }
2079 
2080 #if defined(_WIN32)
2081  if (c->options.block_outside_dns)
2082  {
2083  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2084  {
2085  msg(M_FATAL, "Uninitialising WFP failed!");
2086  }
2087  }
2088 #endif
2089 
2090  }
2091  gc_free(&gc);
2092 }
2093 
2094 void
2095 tun_abort(void)
2096 {
2097  struct context *c = static_context;
2098  if (c)
2099  {
2100  static_context = NULL;
2101  do_close_tun(c, true);
2102  }
2103 }
2104 
2105 /*
2106  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2107  */
2108 
2113 static bool
2114 options_hash_changed_or_zero(const struct sha256_digest *a,
2115  const struct sha256_digest *b)
2116 {
2117  const struct sha256_digest zero = {{0}};
2118  return memcmp(a, b, sizeof(struct sha256_digest))
2119  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2120 }
2121 
2129 static bool
2130 do_deferred_options_part2(struct context *c)
2131 {
2132  struct frame *frame_fragment = NULL;
2133 #ifdef ENABLE_FRAGMENT
2134  if (c->options.ce.fragment)
2135  {
2136  frame_fragment = &c->c2.frame_fragment;
2137  }
2138 #endif
2139 
2140  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2141  if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
2142  &c->options, &c->c2.frame,
2143  frame_fragment,
2144  get_link_socket_info(c)))
2145  {
2146  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2147  return false;
2148  }
2149 
2150  if (dco_enabled(&c->options)
2151  && (c->options.ping_send_timeout || c->c2.frame.mss_fix))
2152  {
2153  int ret = dco_set_peer(&c->c1.tuntap->dco,
2154  c->c2.tls_multi->peer_id,
2155  c->options.ping_send_timeout,
2156  c->options.ping_rec_timeout,
2157  c->c2.frame.mss_fix);
2158  if (ret < 0)
2159  {
2160  msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s",
2161  c->c2.tls_multi->peer_id, strerror(-ret));
2162  return false;
2163  }
2164  }
2165 
2166  return true;
2167 }
2168 
2169 bool
2170 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2171 {
2172  if (!c->c2.do_up_ran)
2173  {
2174  reset_coarse_timers(c);
2175 
2176  if (pulled_options)
2177  {
2178  if (!do_deferred_options(c, option_types_found))
2179  {
2180  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2181  return false;
2182  }
2183  }
2184 
2185  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2186  if (c->options.up_delay || PULL_DEFINED(&c->options))
2187  {
2188  c->c2.did_open_tun = do_open_tun(c);
2189  update_time();
2190 
2191  /*
2192  * Was tun interface object persisted from previous restart iteration,
2193  * and if so did pulled options string change from previous iteration?
2194  */
2195  if (!c->c2.did_open_tun
2196  && PULL_DEFINED(&c->options)
2197  && c->c1.tuntap
2198  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2199  &c->c2.pulled_options_digest))
2200  {
2201  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2202  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2203 
2204  bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
2205  do_close_tun(c, true);
2206 
2207  if (tt_dco_win)
2208  {
2209  msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2210  /* prevent link_socket_close() from closing handle with WinSock API */
2211  c->c2.link_socket->sd = SOCKET_UNDEFINED;
2212  return false;
2213  }
2214  else
2215  {
2216  management_sleep(1);
2217  c->c2.did_open_tun = do_open_tun(c);
2218  update_time();
2219  }
2220  }
2221  }
2222 
2223  if (c->mode == MODE_POINT_TO_POINT)
2224  {
2225  /* ovpn-dco requires adding the peer now, before any option can be set,
2226  * but *after* having parsed the pushed peer-id in do_deferred_options()
2227  */
2228  int ret = dco_p2p_add_new_peer(c);
2229  if (ret < 0)
2230  {
2231  msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2232  return false;
2233  }
2234  }
2235 
2236  /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2237  * invoked after open_tun().
2238  * This is required by DCO because we must have created the interface
2239  * and added the peer before we can fiddle with the keys or any other
2240  * data channel per-peer setting.
2241  */
2242  if (pulled_options)
2243  {
2244  if (!do_deferred_options_part2(c))
2245  {
2246  return false;
2247  }
2248  }
2249  else
2250  {
2251  if (c->mode == MODE_POINT_TO_POINT)
2252  {
2253  if (!do_deferred_p2p_ncp(c))
2254  {
2255  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2256  return false;
2257  }
2258  }
2259  }
2260 
2261  if (c->c2.did_open_tun)
2262  {
2263  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2264 
2265  /* if --route-delay was specified, start timer */
2266  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2267  {
2268  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2269  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2270  if (c->c1.tuntap)
2271  {
2272  tun_standby_init(c->c1.tuntap);
2273  }
2274  }
2275  else
2276  {
2277  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2278  }
2279  }
2280  else if (c->options.mode == MODE_POINT_TO_POINT)
2281  {
2282  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2283  }
2284 
2285  c->c2.do_up_ran = true;
2286  if (c->c2.tls_multi)
2287  {
2288  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2289  }
2290  }
2291  return true;
2292 }
2293 
2294 /*
2295  * These are the option categories which will be accepted by pull.
2296  */
2297 unsigned int
2298 pull_permission_mask(const struct context *c)
2299 {
2300  unsigned int flags =
2301  OPT_P_UP
2302  | OPT_P_ROUTE_EXTRAS
2303  | OPT_P_SOCKBUF
2304  | OPT_P_SOCKFLAGS
2305  | OPT_P_SETENV
2306  | OPT_P_SHAPER
2307  | OPT_P_TIMER
2308  | OPT_P_COMP
2309  | OPT_P_PERSIST
2310  | OPT_P_MESSAGES
2311  | OPT_P_EXPLICIT_NOTIFY
2312  | OPT_P_ECHO
2313  | OPT_P_PULL_MODE
2314  | OPT_P_PEER_ID
2315  | OPT_P_NCP
2316  | OPT_P_PUSH_MTU;
2317 
2318  if (!c->options.route_nopull)
2319  {
2320  flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
2321  }
2322 
2323  return flags;
2324 }
2325 
2326 static bool
2327 do_deferred_p2p_ncp(struct context *c)
2328 {
2329  if (!c->c2.tls_multi)
2330  {
2331  return true;
2332  }
2333 
2334  c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2335 
2336  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2337 
2338  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2339  &c->options.gc);
2340 
2341  if (ncp_cipher)
2342  {
2343  c->options.ciphername = ncp_cipher;
2344  }
2345  else if (!c->options.enable_ncp_fallback)
2346  {
2347  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2348  "--data-ciphers-fallback not enabled. No usable "
2349  "data channel cipher");
2350  return false;
2351  }
2352 
2353  struct frame *frame_fragment = NULL;
2354 #ifdef ENABLE_FRAGMENT
2355  if (c->options.ce.fragment)
2356  {
2357  frame_fragment = &c->c2.frame_fragment;
2358  }
2359 #endif
2360 
2361  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2362  &c->c2.frame, frame_fragment,
2363  get_link_socket_info(c)))
2364  {
2365  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2366  return false;
2367  }
2368  return true;
2369 }
2370 
2371 /*
2372  * Handle non-tun-related pulled options.
2373  */
2374 bool
2375 do_deferred_options(struct context *c, const unsigned int found)
2376 {
2377  if (found & OPT_P_MESSAGES)
2378  {
2379  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2380  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2381  }
2382  if (found & OPT_P_TIMER)
2383  {
2384  do_init_timers(c, true);
2385  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2386  }
2387 
2388  if (found & OPT_P_EXPLICIT_NOTIFY)
2389  {
2390  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2391  {
2392  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2393  c->options.ce.explicit_exit_notification = 0;
2394  }
2395  else
2396  {
2397  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2398  }
2399  }
2400 
2401 #ifdef USE_COMP
2402  if (found & OPT_P_COMP)
2403  {
2404  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2405  comp_uninit(c->c2.comp_context);
2406  c->c2.comp_context = comp_init(&c->options.comp);
2407  }
2408 #endif
2409 
2410  if (found & OPT_P_SHAPER)
2411  {
2412  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2413  do_init_traffic_shaper(c);
2414  }
2415 
2416  if (found & OPT_P_SOCKBUF)
2417  {
2418  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2419  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2420  }
2421 
2422  if (found & OPT_P_SOCKFLAGS)
2423  {
2424  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2425  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2426  }
2427 
2428  if (found & OPT_P_PERSIST)
2429  {
2430  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2431  }
2432  if (found & OPT_P_UP)
2433  {
2434  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2435  }
2436  if (found & OPT_P_ROUTE)
2437  {
2438  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2439  }
2440  if (found & OPT_P_ROUTE_EXTRAS)
2441  {
2442  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2443  }
2444  if (found & OPT_P_DHCPDNS)
2445  {
2446  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2447  }
2448  if (found & OPT_P_SETENV)
2449  {
2450  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2451  }
2452 
2453  if (found & OPT_P_PEER_ID)
2454  {
2455  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2456  c->c2.tls_multi->use_peer_id = true;
2457  c->c2.tls_multi->peer_id = c->options.peer_id;
2458  }
2459 
2460  /* process (potentially) pushed options */
2461  if (c->options.pull)
2462  {
2463  if (!check_pull_client_ncp(c, found))
2464  {
2465  return false;
2466  }
2467 
2468  /* Check if pushed options are compatible with DCO, if enabled */
2469  if (dco_enabled(&c->options)
2470  && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2471  {
2472  msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2473  "with data channel offload. Use --disable-dco to connect to "
2474  "this server");
2475  return false;
2476  }
2477  }
2478 
2479  if (found & OPT_P_PUSH_MTU)
2480  {
2481  /* MTU has changed, check that the pushed MTU is small enough to
2482  * be able to change it */
2483  msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2484 
2485  struct frame *frame = &c->c2.frame;
2486 
2487  if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2488  {
2489  msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
2490  "tun-mtu-max %d in the client configuration",
2491  c->options.ce.tun_mtu);
2492  }
2493  frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2494  }
2495 
2496  return true;
2497 }
2498 
2499 /*
2500  * Possible hold on initialization, holdtime is the
2501  * time OpenVPN would wait without management
2502  */
2503 static bool
2504 do_hold(int holdtime)
2505 {
2506 #ifdef ENABLE_MANAGEMENT
2507  if (management)
2508  {
2509  /* block until management hold is released */
2510  if (management_hold(management, holdtime))
2511  {
2512  return true;
2513  }
2514  }
2515 #endif
2516  return false;
2517 }
2518 
2519 /*
2520  * Sleep before restart.
2521  */
2522 static void
2523 socket_restart_pause(struct context *c)
2524 {
2525  int sec = 2;
2526  int backoff = 0;
2527 
2528  switch (c->options.ce.proto)
2529  {
2530  case PROTO_TCP_SERVER:
2531  sec = 1;
2532  break;
2533 
2534  case PROTO_UDP:
2535  case PROTO_TCP_CLIENT:
2536  sec = c->options.ce.connect_retry_seconds;
2537  break;
2538  }
2539 
2540 #ifdef ENABLE_DEBUG
2541  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2542  {
2543  sec = 0;
2544  }
2545 #endif
2546 
2547  if (auth_retry_get() == AR_NOINTERACT)
2548  {
2549  sec = 10;
2550  }
2551 
2552  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2553  if (c->options.ce.proto == PROTO_TCP_CLIENT
2554  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2555  {
2556  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2557  if (backoff > 0)
2558  {
2559  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2560  sec = max_int(sec, 1) << min_int(backoff, 15);
2561  }
2562  if (c->options.server_backoff_time)
2563  {
2564  sec = max_int(sec, c->options.server_backoff_time);
2565  c->options.server_backoff_time = 0;
2566  }
2567 
2568  if (sec > c->options.ce.connect_retry_seconds_max)
2569  {
2570  sec = c->options.ce.connect_retry_seconds_max;
2571  }
2572  }
2573 
2574  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2575  {
2576  sec = c->persist.restart_sleep_seconds;
2577  }
2578  else if (c->persist.restart_sleep_seconds == -1)
2579  {
2580  sec = 0;
2581  }
2582  c->persist.restart_sleep_seconds = 0;
2583 
2584  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2585  if (do_hold(sec))
2586  {
2587  sec = 0;
2588  }
2589 
2590  if (sec)
2591  {
2592  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2593  management_sleep(sec);
2594  }
2595 }
2596 
2597 /*
2598  * Do a possible pause on context_2 initialization.
2599  */
2600 static void
2601 do_startup_pause(struct context *c)
2602 {
2603  if (!c->first_time)
2604  {
2605  socket_restart_pause(c);
2606  }
2607  else
2608  {
2609  do_hold(0); /* do management hold on first context initialization */
2610  }
2611 }
2612 
2613 static size_t
2614 get_frame_mtu(struct context *c, const struct options *o)
2615 {
2616  size_t mtu;
2617 
2618  if (o->ce.link_mtu_defined)
2619  {
2620  ASSERT(o->ce.link_mtu_defined);
2621  /* if we have a link mtu defined we calculate what the old code
2622  * would have come up with as tun-mtu */
2623  size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2624  o, true);
2625  mtu = o->ce.link_mtu - overhead;
2626 
2627  }
2628  else
2629  {
2630  ASSERT(o->ce.tun_mtu_defined);
2631  mtu = o->ce.tun_mtu;
2632  }
2633 
2634  if (mtu < TUN_MTU_MIN)
2635  {
2636  msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2637  frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2638  }
2639  return mtu;
2640 }
2641 
2642 /*
2643  * Finalize MTU parameters based on command line or config file options.
2644  */
2645 static void
2646 frame_finalize_options(struct context *c, const struct options *o)
2647 {
2648  if (!o)
2649  {
2650  o = &c->options;
2651  }
2652 
2653  struct frame *frame = &c->c2.frame;
2654 
2655  frame->tun_mtu = get_frame_mtu(c, o);
2656  frame->tun_max_mtu = o->ce.tun_mtu_max;
2657 
2658  /* max mtu needs to be at least as large as the tun mtu */
2659  frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
2660 
2661  /* We always allow at least 1600 MTU packets to be received in our buffer
2662  * space to allow server to push "baby giant" MTU sizes */
2663  frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
2664 
2665  size_t payload_size = frame->tun_max_mtu;
2666 
2667  /* we need to be also large enough to hold larger control channel packets
2668  * if configured */
2669  payload_size = max_int(payload_size, o->ce.tls_mtu);
2670 
2671  /* The extra tun needs to be added to the payload size */
2672  if (o->ce.tun_mtu_defined)
2673  {
2674  payload_size += o->ce.tun_mtu_extra;
2675  }
2676 
2677  /* Add 32 byte of extra space in the buffer to account for small errors
2678  * in the calculation */
2679  payload_size += 32;
2680 
2681 
2682  /* the space that is reserved before the payload to add extra headers to it
2683  * we always reserve the space for the worst case */
2684  size_t headroom = 0;
2685 
2686  /* includes IV and packet ID */
2687  headroom += crypto_max_overhead();
2688 
2689  /* peer id + opcode */
2690  headroom += 4;
2691 
2692  /* socks proxy header */
2693  headroom += 10;
2694 
2695  /* compression header and fragment header (part of the encrypted payload) */
2696  headroom += 1 + 1;
2697 
2698  /* Round up headroom to the next multiple of 4 to ensure alignment */
2699  headroom = (headroom + 3) & ~3;
2700 
2701  /* Add the headroom to the payloadsize as a received (IP) packet can have
2702  * all the extra headers in it */
2703  payload_size += headroom;
2704 
2705  /* the space after the payload, this needs some extra buffer space for
2706  * encryption so headroom is probably too much but we do not really care
2707  * the few extra bytes */
2708  size_t tailroom = headroom;
2709 
2710 #ifdef USE_COMP
2711  msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
2712  "bytes of payload",
2713  COMP_EXTRA_BUFFER(payload_size), payload_size);
2714  tailroom += COMP_EXTRA_BUFFER(payload_size);
2715 #endif
2716 
2717  frame->buf.payload_size = payload_size;
2718  frame->buf.headroom = headroom;
2719  frame->buf.tailroom = tailroom;
2720 }
2721 
2722 /*
2723  * Free a key schedule, including OpenSSL components.
2724  */
2725 static void
2726 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2727 {
2728  free_key_ctx_bi(&ks->static_key);
2729  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2730  {
2731  tls_ctx_free(&ks->ssl_ctx);
2732  free_key_ctx(&ks->auth_token_key);
2733  }
2734  CLEAR(*ks);
2735 }
2736 
2737 static void
2738 init_crypto_pre(struct context *c, const unsigned int flags)
2739 {
2740  if (c->options.engine)
2741  {
2742  crypto_init_lib_engine(c->options.engine);
2743  }
2744 
2745  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2746  {
2747  /* load a persisted packet-id for cross-session replay-protection */
2748  if (c->options.packet_id_file)
2749  {
2750  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2751  }
2752  }
2753 
2754 #ifdef ENABLE_PREDICTION_RESISTANCE
2755  if (c->options.use_prediction_resistance)
2756  {
2757  rand_ctx_enable_prediction_resistance();
2758  }
2759 #endif
2760 }
2761 
2762 /*
2763  * Static Key Mode (using a pre-shared key)
2764  */
2765 static void
2766 do_init_crypto_static(struct context *c, const unsigned int flags)
2767 {
2768  const struct options *options = &c->options;
2769  ASSERT(options->shared_secret_file);
2770 
2771  init_crypto_pre(c, flags);
2772 
2773  /* Initialize flags */
2774  if (c->options.mute_replay_warnings)
2775  {
2776  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2777  }
2778 
2779  /* Initialize packet ID tracking */
2780  if (options->replay)
2781  {
2782  packet_id_init(&c->c2.crypto_options.packet_id,
2783  options->replay_window,
2784  options->replay_time,
2785  "STATIC", 0);
2786  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2787  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2788  packet_id_persist_load_obj(&c->c1.pid_persist,
2789  &c->c2.crypto_options.packet_id);
2790  }
2791 
2792  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2793  {
2794  /* Get cipher & hash algorithms */
2795  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2796  options->test_crypto, true);
2797 
2798  /* Read cipher and hmac keys from shared secret file */
2799  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2800  options->shared_secret_file,
2801  options->shared_secret_file_inline,
2802  options->key_direction, "Static Key Encryption",
2803  "secret");
2804  }
2805  else
2806  {
2807  msg(M_INFO, "Re-using pre-shared static key");
2808  }
2809 
2810  /* Get key schedule */
2811  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2812 
2813  /* Sanity check on sequence number, and cipher mode options */
2814  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2815 }
2816 
2817 /*
2818  * Initialize the tls-auth/crypt key context
2819  */
2820 static void
2821 do_init_tls_wrap_key(struct context *c)
2822 {
2823  const struct options *options = &c->options;
2824 
2825  /* TLS handshake authentication (--tls-auth) */
2826  if (options->ce.tls_auth_file)
2827  {
2828  /* Initialize key_type for tls-auth with auth only */
2829  CLEAR(c->c1.ks.tls_auth_key_type);
2830  c->c1.ks.tls_auth_key_type.cipher = "none";
2831  c->c1.ks.tls_auth_key_type.digest = options->authname;
2832  if (!md_valid(options->authname))
2833  {
2834  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2835  "algorithm specified ('%s')", options->authname);
2836  }
2837 
2838  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2839  &c->c1.ks.tls_wrap_key,
2840  options->ce.tls_auth_file,
2841  options->ce.tls_auth_file_inline,
2842  options->ce.key_direction,
2843  "Control Channel Authentication", "tls-auth");
2844  }
2845 
2846  /* TLS handshake encryption+authentication (--tls-crypt) */
2847  if (options->ce.tls_crypt_file)
2848  {
2849  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2850  options->ce.tls_crypt_file,
2851  options->ce.tls_crypt_file_inline,
2852  options->tls_server);
2853  }
2854 
2855  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2856  if (options->ce.tls_crypt_v2_file)
2857  {
2858  if (options->tls_server)
2859  {
2860  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2861  true, options->ce.tls_crypt_v2_file,
2862  options->ce.tls_crypt_v2_file_inline);
2863  }
2864  else
2865  {
2866  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2867  &c->c1.ks.tls_crypt_v2_wkc,
2868  options->ce.tls_crypt_v2_file,
2869  options->ce.tls_crypt_v2_file_inline);
2870  }
2871  /* We have to ensure that the loaded tls-crypt key is small enough
2872  * to fit into the initial hard reset v3 packet */
2873  int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
2874 
2875  /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
2876  int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
2877 
2878  if (required_size > c->options.ce.tls_mtu)
2879  {
2880  msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
2881  "requested --max-packet-size %d, requires at least "
2882  "--max-packet-size %d. Packets will ignore requested "
2883  "maximum packet size", c->options.ce.tls_mtu,
2884  required_size);
2885  }
2886  }
2887 
2888 
2889 }
2890 
2891 /*
2892  * Initialize the persistent component of OpenVPN's TLS mode,
2893  * which is preserved across SIGUSR1 resets.
2894  */
2895 static void
2896 do_init_crypto_tls_c1(struct context *c)
2897 {
2898  const struct options *options = &c->options;
2899 
2900  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2901  {
2902  /*
2903  * Initialize the OpenSSL library's global
2904  * SSL context.
2905  */
2906  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2907  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2908  {
2909  switch (auth_retry_get())
2910  {
2911  case AR_NONE:
2912  msg(M_FATAL, "Error: private key password verification failed");
2913  break;
2914 
2915  case AR_INTERACT:
2916  ssl_purge_auth(false);
2917 
2918  case AR_NOINTERACT:
2919  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2920  break;
2921 
2922  default:
2923  ASSERT(0);
2924  }
2925  c->sig->signal_text = "private-key-password-failure";
2926  return;
2927  }
2928 
2929  /*
2930  * BF-CBC is allowed to be used only when explicitly configured
2931  * as NCP-fallback or when NCP has been disabled or explicitly
2932  * allowed in the in ncp_ciphers list.
2933  * In all other cases do not attempt to initialize BF-CBC as it
2934  * may not even be supported by the underlying SSL library.
2935  *
2936  * Therefore, the key structure has to be initialized when:
2937  * - any non-BF-CBC cipher was selected; or
2938  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2939  * (BF-CBC will be the fallback).
2940  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2941  * If the negotiated cipher and options->ciphername are the
2942  * same we do not reinit the cipher
2943  *
2944  * Note that BF-CBC will still be part of the OCC string to retain
2945  * backwards compatibility with older clients.
2946  */
2947  const char *ciphername = options->ciphername;
2948  if (streq(options->ciphername, "BF-CBC")
2949  && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2950  && !options->enable_ncp_fallback)
2951  {
2952  ciphername = "none";
2953  }
2954 
2955  /* Do not warn if the cipher is used only in OCC */
2956  bool warn = options->enable_ncp_fallback;
2957  init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
2958  true, warn);
2959 
2960  /* initialize tls-auth/crypt/crypt-v2 key */
2961  do_init_tls_wrap_key(c);
2962 
2963  /* initialise auth-token crypto support */
2964  if (c->options.auth_token_generate)
2965  {
2966  auth_token_init_secret(&c->c1.ks.auth_token_key,
2967  c->options.auth_token_secret_file,
2968  c->options.auth_token_secret_file_inline);
2969  }
2970 
2971 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2972  if (options->priv_key_file_inline)
2973  {
2974  string_clear(c->options.priv_key_file_inline);
2975  c->options.priv_key_file_inline = NULL;
2976  }
2977 #endif
2978  }
2979  else
2980  {
2981  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2982 
2983  /*
2984  * tls-auth/crypt key can be configured per connection block, therefore
2985  * we must reload it as it may have changed
2986  */
2987  do_init_tls_wrap_key(c);
2988  }
2989 }
2990 
2991 static void
2992 do_init_crypto_tls(struct context *c, const unsigned int flags)
2993 {
2994  const struct options *options = &c->options;
2995  struct tls_options to;
2996  bool packet_id_long_form;
2997 
2998  ASSERT(options->tls_server || options->tls_client);
2999  ASSERT(!options->test_crypto);
3000 
3001  init_crypto_pre(c, flags);
3002 
3003  /* Make sure we are either a TLS client or server but not both */
3004  ASSERT(options->tls_server == !options->tls_client);
3005 
3006  /* initialize persistent component */
3007  do_init_crypto_tls_c1(c);
3008  if (IS_SIG(c))
3009  {
3010  return;
3011  }
3012 
3013  /* Sanity check on sequence number, and cipher mode options */
3014  check_replay_consistency(&c->c1.ks.key_type, options->replay);
3015 
3016  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3017  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3018 
3019  /* Set all command-line TLS-related options */
3020  CLEAR(to);
3021 
3022  if (options->mute_replay_warnings)
3023  {
3024  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3025  }
3026 
3027  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3028  if (packet_id_long_form)
3029  {
3030  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3031  }
3032 
3033  to.ssl_ctx = c->c1.ks.ssl_ctx;
3034  to.key_type = c->c1.ks.key_type;
3035  to.server = options->tls_server;
3036  to.replay = options->replay;
3037  to.replay_window = options->replay_window;
3038  to.replay_time = options->replay_time;
3039  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
3040  to.config_ciphername = c->options.ciphername;
3041  to.config_ncp_ciphers = c->options.ncp_ciphers;
3042  to.transition_window = options->transition_window;
3043  to.handshake_window = options->handshake_window;
3044  to.packet_timeout = options->tls_timeout;
3045  to.renegotiate_bytes = options->renegotiate_bytes;
3046  to.renegotiate_packets = options->renegotiate_packets;
3047  if (options->renegotiate_seconds_min < 0)
3048  {
3049  /* Add 10% jitter to reneg-sec by default (server side only) */
3050  int auto_jitter = options->mode != MODE_SERVER ? 0 :
3051  get_random() % max_int(options->renegotiate_seconds / 10, 1);
3052  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3053  }
3054  else
3055  {
3056  /* Add user-specified jitter to reneg-sec */
3057  to.renegotiate_seconds = options->renegotiate_seconds
3058  -(get_random() % max_int(options->renegotiate_seconds
3059  - options->renegotiate_seconds_min, 1));
3060  }
3061  to.single_session = options->single_session;
3062  to.mode = options->mode;
3063  to.pull = options->pull;
3064  if (options->push_peer_info) /* all there is */
3065  {
3066  to.push_peer_info_detail = 3;
3067  }
3068  else if (options->pull) /* pull clients send some details */
3069  {
3070  to.push_peer_info_detail = 2;
3071  }
3072  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
3073  {
3074  to.push_peer_info_detail = 0;
3075  }
3076  else /* default: minimal info to allow NCP in P2P mode */
3077  {
3078  to.push_peer_info_detail = 1;
3079  }
3080 
3081 
3082  /* should we not xmit any packets until we get an initial
3083  * response from client? */
3084  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
3085  {
3086  to.xmit_hold = true;
3087  }
3088 
3089  to.disable_occ = !options->occ;
3090 
3091  to.verify_command = options->tls_verify;
3092  to.verify_export_cert = options->tls_export_cert;
3093  to.verify_x509_type = (options->verify_x509_type & 0xff);
3094  to.verify_x509_name = options->verify_x509_name;
3095  to.crl_file = options->crl_file;
3096  to.crl_file_inline = options->crl_file_inline;
3097  to.ssl_flags = options->ssl_flags;
3098  to.ns_cert_type = options->ns_cert_type;
3099  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
3100  to.remote_cert_eku = options->remote_cert_eku;
3101  to.verify_hash = options->verify_hash;
3102  to.verify_hash_algo = options->verify_hash_algo;
3103  to.verify_hash_depth = options->verify_hash_depth;
3104  to.verify_hash_no_ca = options->verify_hash_no_ca;
3105 #ifdef ENABLE_X509ALTUSERNAME
3106  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
3107 #else
3108  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
3109 #endif
3110  to.es = c->c2.es;
3111  to.net_ctx = &c->net_ctx;
3112 
3113 #ifdef ENABLE_DEBUG
3114  to.gremlin = c->options.gremlin;
3115 #endif
3116 
3117  to.plugins = c->plugins;
3118 
3119 #ifdef ENABLE_MANAGEMENT
3120  to.mda_context = &c->c2.mda_context;
3121 #endif
3122 
3123  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3124  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
3125  to.client_crresponse_script = options->client_crresponse_script;
3126  to.tmp_dir = options->tmp_dir;
3127  if (options->ccd_exclusive)
3128  {
3129  to.client_config_dir_exclusive = options->client_config_dir;
3130  }
3131  to.auth_user_pass_file = options->auth_user_pass_file;
3132  to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
3133  to.auth_token_generate = options->auth_token_generate;
3134  to.auth_token_lifetime = options->auth_token_lifetime;
3135  to.auth_token_renewal = options->auth_token_renewal;
3136  to.auth_token_call_auth = options->auth_token_call_auth;
3137  to.auth_token_key = c->c1.ks.auth_token_key;
3138 
3139  to.x509_track = options->x509_track;
3140 
3141 #ifdef ENABLE_MANAGEMENT
3142  to.sci = &options->sc_info;
3143 #endif
3144 
3145 #ifdef USE_COMP
3146  to.comp_options = options->comp;
3147 #endif
3148 
3149 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3150  if (options->keying_material_exporter_label)
3151  {
3152  to.ekm_size = options->keying_material_exporter_length;
3153  if (to.ekm_size < 16 || to.ekm_size > 4095)
3154  {
3155  to.ekm_size = 0;
3156  }
3157 
3158  to.ekm_label = options->keying_material_exporter_label;
3159  to.ekm_label_size = strlen(to.ekm_label);
3160  }
3161  else
3162  {
3163  to.ekm_size = 0;
3164  }
3165 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3166 
3167  /* TLS handshake authentication (--tls-auth) */
3168  if (options->ce.tls_auth_file)
3169  {
3170  to.tls_wrap.mode = TLS_WRAP_AUTH;
3171  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3172  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3173  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3174  }
3175 
3176  /* TLS handshake encryption (--tls-crypt) */
3177  if (options->ce.tls_crypt_file
3178  || (options->ce.tls_crypt_v2_file && options->tls_client))
3179  {
3180  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3181  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3182  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3183  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3184 
3185  if (options->ce.tls_crypt_v2_file)
3186  {
3187  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3188  }
3189  }
3190 
3191  if (options->ce.tls_crypt_v2_file)
3192  {
3193  to.tls_crypt_v2 = true;
3194  if (options->tls_server)
3195  {
3196  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3197  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3198  if (options->ce.tls_crypt_v2_force_cookie)
3199  {
3200  to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3201  }
3202  }
3203  }
3204 
3205  /* let the TLS engine know if keys have to be installed in DCO or not */
3206  to.dco_enabled = dco_enabled(options);
3207 
3208  /*
3209  * Initialize OpenVPN's master TLS-mode object.
3210  */
3211  if (flags & CF_INIT_TLS_MULTI)
3212  {
3213  c->c2.tls_multi = tls_multi_init(&to);
3214  /* inherit the dco context from the tuntap object */
3215  if (c->c1.tuntap)
3216  {
3217  c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3218  }
3219  }
3220 
3221  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3222  {
3223  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3224  c->c2.session_id_hmac = session_id_hmac_init();
3225  }
3226 }
3227 
3228 static void
3229 do_init_frame_tls(struct context *c)
3230 {
3231  if (c->c2.tls_multi)
3232  {
3233  tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
3234  ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
3235  c->c2.frame.buf.payload_size);
3236  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3237  "Control Channel MTU parms");
3238 
3239  /* Keep the max mtu also in the frame of tls multi so it can access
3240  * it in push_peer_info */
3241  c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
3242  }
3243  if (c->c2.tls_auth_standalone)
3244  {
3245  tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
3246  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3247  "TLS-Auth MTU parms");
3248  c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3249  }
3250 }
3251 
3252 /*
3253  * No encryption or authentication.
3254  */
3255 static void
3256 do_init_crypto_none(struct context *c)
3257 {
3258  ASSERT(!c->options.test_crypto);
3259 
3260  /* Initialise key_type with auth/cipher "none", so the key_type struct is
3261  * valid */
3262  init_key_type(&c->c1.ks.key_type, "none", "none",
3263  c->options.test_crypto, true);
3264 
3265  msg(M_WARN,
3266  "******* WARNING *******: All encryption and authentication features "
3267  "disabled -- All data will be tunnelled as clear text and will not be "
3268  "protected against man-in-the-middle changes. "
3269  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3270 }
3271 
3272 static void
3273 do_init_crypto(struct context *c, const unsigned int flags)
3274 {
3275  if (c->options.shared_secret_file)
3276  {
3277  do_init_crypto_static(c, flags);
3278  }
3279  else if (c->options.tls_server || c->options.tls_client)
3280  {
3281  do_init_crypto_tls(c, flags);
3282  }
3283  else /* no encryption or authentication. */
3284  {
3285  do_init_crypto_none(c);
3286  }
3287 }
3288 
3289 static void
3290 do_init_frame(struct context *c)
3291 {
3292  /*
3293  * Adjust frame size based on the --tun-mtu-extra parameter.
3294  */
3295  if (c->options.ce.tun_mtu_extra_defined)
3296  {
3297  c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
3298  }
3299 
3300  /*
3301  * Fill in the blanks in the frame parameters structure,
3302  * make sure values are rational, etc.
3303  */
3304  frame_finalize_options(c, NULL);
3305 
3306 #ifdef ENABLE_FRAGMENT
3307  /*
3308  * Set frame parameter for fragment code. This is necessary because
3309  * the fragmentation code deals with payloads which have already been
3310  * passed through the compression code.
3311  */
3312  c->c2.frame_fragment = c->c2.frame;
3313  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3314 #endif
3315 
3316 #if defined(ENABLE_FRAGMENT)
3317  /*
3318  * MTU advisories
3319  */
3320  if (c->options.ce.fragment && c->options.mtu_test)
3321  {
3322  msg(M_WARN,
3323  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3324  }
3325 #endif
3326 
3327 #ifdef ENABLE_FRAGMENT
3328  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3329  {
3330  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3331  "set --fragment (%d) larger or equal than --mssfix (%d)",
3332  c->options.ce.fragment, c->options.ce.mssfix);
3333  }
3334  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3335  && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3336  {
3337  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3338  "use the \"mtu\" flag for both or none of of them.");
3339  }
3340 #endif
3341 }
3342 
3343 static void
3344 do_option_warnings(struct context *c)
3345 {
3346  const struct options *o = &c->options;
3347 
3348  if (o->ping_send_timeout && !o->ping_rec_timeout)
3349  {
3350  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3351  }
3352 
3353  if (o->username || o->groupname || o->chroot_dir
3354 #ifdef ENABLE_SELINUX
3355  || o->selinux_context
3356 #endif
3357  )
3358  {
3359  if (!o->persist_tun)
3360  {
3361  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3362  }
3363  if (!o->persist_key
3364 #ifdef ENABLE_PKCS11
3365  && !o->pkcs11_id
3366 #endif
3367  )
3368  {
3369  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3370  }
3371  }
3372 
3373  if (o->chroot_dir && !(o->username && o->groupname))
3374  {
3375  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3376  }
3377 
3378  if (o->pull && o->ifconfig_local && c->first_time)
3379  {
3380  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3381  }
3382 
3383  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3384  {
3385  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3386  }
3387 
3388  if (o->mode == MODE_SERVER)
3389  {
3390  if (o->duplicate_cn && o->client_config_dir)
3391  {
3392  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3393  }
3394  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3395  {
3396  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3397  }
3398  if (!o->keepalive_ping || !o->keepalive_timeout)
3399  {
3400  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3401  }
3402  }
3403 
3404  if (!o->replay)
3405  {
3406  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3407  }
3408 
3409  if (o->tls_server)
3410  {
3411  warn_on_use_of_common_subnets(&c->net_ctx);
3412  }
3413  if (o->tls_client
3414  && !o->tls_verify
3415  && o->verify_x509_type == VERIFY_X509_NONE
3416  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3417  && !o->remote_cert_eku)
3418  {
3419  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3420  }
3421  if (o->ns_cert_type)
3422  {
3423  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3424  }
3425 
3426  /* If a script is used, print appropriate warnings */
3427  if (o->user_script_used)
3428  {
3429  if (script_security() >= SSEC_SCRIPTS)
3430  {
3431  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3432  }
3433  else if (script_security() >= SSEC_PW_ENV)
3434  {
3435  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3436  }
3437  else
3438  {
3439  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3440  }
3441  }
3442 }
3443 
3444 struct context_buffers *
3445 init_context_buffers(const struct frame *frame)
3446 {
3447  struct context_buffers *b;
3448 
3449  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3450 
3451  size_t buf_size = BUF_SIZE(frame);
3452 
3453  b->read_link_buf = alloc_buf(buf_size);
3454  b->read_tun_buf = alloc_buf(buf_size);
3455 
3456  b->aux_buf = alloc_buf(buf_size);
3457 
3458  b->encrypt_buf = alloc_buf(buf_size);
3459  b->decrypt_buf = alloc_buf(buf_size);
3460 
3461 #ifdef USE_COMP
3462  b->compress_buf = alloc_buf(buf_size);
3463  b->decompress_buf = alloc_buf(buf_size);
3464 #endif
3465 
3466  return b;
3467 }
3468 
3469 void
3470 free_context_buffers(struct context_buffers *b)
3471 {
3472  if (b)
3473  {
3474  free_buf(&b->read_link_buf);
3475  free_buf(&b->read_tun_buf);
3476  free_buf(&b->aux_buf);
3477 
3478 #ifdef USE_COMP
3479  free_buf(&b->compress_buf);
3480  free_buf(&b->decompress_buf);
3481 #endif
3482 
3483  free_buf(&b->encrypt_buf);
3484  free_buf(&b->decrypt_buf);
3485 
3486  free(b);
3487  }
3488 }
3489 
3490 /*
3491  * Now that we know all frame parameters, initialize
3492  * our buffers.
3493  */
3494 static void
3495 do_init_buffers(struct context *c)
3496 {
3497  c->c2.buffers = init_context_buffers(&c->c2.frame);
3498  c->c2.buffers_owned = true;
3499 }
3500 
3501 #ifdef ENABLE_FRAGMENT
3502 /*
3503  * Fragmenting code has buffers to initialize
3504  * once frame parameters are known.
3505  */
3506 static void
3507 do_init_fragment(struct context *c)
3508 {
3509  ASSERT(c->options.ce.fragment);
3510  frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3511  &c->options, get_link_socket_info(c));
3512  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3513 }
3514 #endif
3515 
3516 /*
3517  * Allocate our socket object.
3518  */
3519 static void
3520 do_link_socket_new(struct context *c)
3521 {
3522  ASSERT(!c->c2.link_socket);
3523  c->c2.link_socket = link_socket_new();
3524  c->c2.link_socket_owned = true;
3525 }
3526 
3527 /*
3528  * Print MTU INFO
3529  */
3530 static void
3531 do_print_data_channel_mtu_parms(struct context *c)
3532 {
3533  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3534 #ifdef ENABLE_FRAGMENT
3535  if (c->c2.fragment)
3536  {
3537  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3538  "Fragmentation MTU parms");
3539  }
3540 #endif
3541 }
3542 
3543 /*
3544  * Get local and remote options compatibility strings.
3545  */
3546 static void
3547 do_compute_occ_strings(struct context *c)
3548 {
3549  struct gc_arena gc = gc_new();
3550 
3551  c->c2.options_string_local =
3552  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3553  false, &gc);
3554  c->c2.options_string_remote =
3555  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3556  true, &gc);
3557 
3558  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3559  options_string_version(c->c2.options_string_local, &gc),
3560  c->c2.options_string_local);
3561  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3562  options_string_version(c->c2.options_string_remote, &gc),
3563  c->c2.options_string_remote);
3564 
3565  if (c->c2.tls_multi)
3566  {
3567  tls_multi_init_set_options(c->c2.tls_multi,
3568  c->c2.options_string_local,
3569  c->c2.options_string_remote);
3570  }
3571 
3572  gc_free(&gc);
3573 }
3574 
3575 /*
3576  * These things can only be executed once per program instantiation.
3577  * Set up for possible UID/GID downgrade, but don't do it yet.
3578  * Daemonize if requested.
3579  */
3580 static void
3581 do_init_first_time(struct context *c)
3582 {
3583  if (c->first_time && !c->c0)
3584  {
3585  struct context_0 *c0;
3586 
3587  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3588  c0 = c->c0;
3589 
3590  /* get user and/or group that we want to setuid/setgid to,
3591  * sets also platform_x_state */
3592  bool group_defined = platform_group_get(c->options.groupname,
3593  &c0->platform_state_group);
3594  bool user_defined = platform_user_get(c->options.username,
3595  &c0->platform_state_user);
3596 
3597  c0->uid_gid_specified = user_defined || group_defined;
3598 
3599  /* perform postponed chdir if --daemon */
3600  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3601  {
3602  platform_chdir("/");
3603  }
3604 
3605  /* should we change scheduling priority? */
3606  platform_nice(c->options.nice);
3607  }
3608 }
3609 
3610 /*
3611  * free buffers
3612  */
3613 static void
3614 do_close_free_buf(struct context *c)
3615 {
3616  if (c->c2.buffers_owned)
3617  {
3618  free_context_buffers(c->c2.buffers);
3619  c->c2.buffers = NULL;
3620  c->c2.buffers_owned = false;
3621  }
3622 }
3623 
3624 /*
3625  * close TLS
3626  */
3627 static void
3628 do_close_tls(struct context *c)
3629 {
3630  if (c->c2.tls_multi)
3631  {
3632  tls_multi_free(c->c2.tls_multi, true);
3633  c->c2.tls_multi = NULL;
3634  }
3635 
3636  /* free options compatibility strings */
3637  free(c->c2.options_string_local);
3638  free(c->c2.options_string_remote);
3639 
3640  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3641 
3642  if (c->c2.pulled_options_state)
3643  {
3644  md_ctx_cleanup(c->c2.pulled_options_state);
3645  md_ctx_free(c->c2.pulled_options_state);
3646  }
3647 }
3648 
3649 /*
3650  * Free key schedules
3651  */
3652 static void
3653 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3654 {
3655  /*
3656  * always free the tls_auth/crypt key. If persist_key is true, the key will
3657  * be reloaded from memory (pre-cached)
3658  */
3659  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3660  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3661  CLEAR(c->c1.ks.tls_wrap_key);
3662  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3663  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3664 
3665  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3666  {
3667  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3668  }
3669 }
3670 
3671 /*
3672  * Close TCP/UDP connection
3673  */
3674 static void
3675 do_close_link_socket(struct context *c)
3676 {
3677  /* in dco-win case, link socket is a tun handle which is
3678  * closed in do_close_tun(). Set it to UNDEFINED so
3679  * we won't use WinSock API to close it. */
3680  if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket
3681  && c->c2.link_socket->info.dco_installed)
3682  {
3683  c->c2.link_socket->sd = SOCKET_UNDEFINED;
3684  }
3685 
3686  if (c->c2.link_socket && c->c2.link_socket_owned)
3687  {
3688  link_socket_close(c->c2.link_socket);
3689  c->c2.link_socket = NULL;
3690  }
3691 
3692 
3693  /* Preserve the resolved list of remote if the user request to or if we want
3694  * reconnect to the same host again or there are still addresses that need
3695  * to be tried */
3696  if (!(c->sig->signal_received == SIGUSR1
3697  && ( (c->options.persist_remote_ip)
3698  ||
3699  ( c->sig->source != SIG_SOURCE_HARD
3700  && ((c->c1.link_socket_addr.current_remote
3701  && c->c1.link_socket_addr.current_remote->ai_next)
3702  || c->options.no_advance))
3703  )))
3704  {
3705  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3706  }
3707 
3708  /* Clear the remote actual address when persist_remote_ip is not in use */
3709  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3710  {
3711  CLEAR(c->c1.link_socket_addr.actual);
3712  }
3713 
3714  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3715  {
3716  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3717  {
3718  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3719  }
3720 
3721  c->c1.link_socket_addr.bind_local = NULL;
3722  }
3723 }
3724 
3725 /*
3726  * Close packet-id persistence file
3727  */
3728 static void
3729 do_close_packet_id(struct context *c)
3730 {
3731  packet_id_free(&c->c2.crypto_options.packet_id);
3732  packet_id_persist_save(&c->c1.pid_persist);
3733  if (!(c->sig->signal_received == SIGUSR1))
3734  {
3735  packet_id_persist_close(&c->c1.pid_persist);
3736  }
3737 }
3738 
3739 #ifdef ENABLE_FRAGMENT
3740 /*
3741  * Close fragmentation handler.
3742  */
3743 static void
3744 do_close_fragment(struct context *c)
3745 {
3746  if (c->c2.fragment)
3747  {
3748  fragment_free(c->c2.fragment);
3749  c->c2.fragment = NULL;
3750  }
3751 }
3752 #endif
3753 
3754 /*
3755  * Open and close our event objects.
3756  */
3757 
3758 static void
3759 do_event_set_init(struct context *c,
3760  bool need_us_timeout)
3761 {
3762  unsigned int flags = 0;
3763 
3764  c->c2.event_set_max = BASE_N_EVENTS;
3765 
3766  flags |= EVENT_METHOD_FAST;
3767 
3768  if (need_us_timeout)
3769  {
3770  flags |= EVENT_METHOD_US_TIMEOUT;
3771  }
3772 
3773  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3774  c->c2.event_set_owned = true;
3775 }
3776 
3777 static void
3778 do_close_event_set(struct context *c)
3779 {
3780  if (c->c2.event_set && c->c2.event_set_owned)
3781  {
3782  event_free(c->c2.event_set);
3783  c->c2.event_set = NULL;
3784  c->c2.event_set_owned = false;
3785  }
3786 }
3787 
3788 /*
3789  * Open and close --status file
3790  */
3791 
3792 static void
3793 do_open_status_output(struct context *c)
3794 {
3795  if (!c->c1.status_output)
3796  {
3797  c->c1.status_output = status_open(c->options.status_file,
3798  c->options.status_file_update_freq,
3799  -1,
3800  NULL,
3801  STATUS_OUTPUT_WRITE);
3802  c->c1.status_output_owned = true;
3803  }
3804 }
3805 
3806 static void
3807 do_close_status_output(struct context *c)
3808 {
3809  if (!(c->sig->signal_received == SIGUSR1))
3810  {
3811  if (c->c1.status_output_owned && c->c1.status_output)
3812  {
3813  status_close(c->c1.status_output);
3814  c->c1.status_output = NULL;
3815  c->c1.status_output_owned = false;
3816  }
3817  }
3818 }
3819 
3820 /*
3821  * Handle ifconfig-pool persistence object.
3822  */
3823 static void
3824 do_open_ifconfig_pool_persist(struct context *c)
3825 {
3826  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3827  {
3828  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3829  c->options.ifconfig_pool_persist_refresh_freq);
3830  c->c1.ifconfig_pool_persist_owned = true;
3831  }
3832 }
3833 
3834 static void
3835 do_close_ifconfig_pool_persist(struct context *c)
3836 {
3837  if (!(c->sig->signal_received == SIGUSR1))
3838  {
3839  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3840  {
3841  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3842  c->c1.ifconfig_pool_persist = NULL;
3843  c->c1.ifconfig_pool_persist_owned = false;
3844  }
3845  }
3846 }
3847 
3848 /*
3849  * Inherit environmental variables
3850  */
3851 
3852 static void
3853 do_inherit_env(struct context *c, const struct env_set *src)
3854 {
3855  c->c2.es = env_set_create(NULL);
3856  c->c2.es_owned = true;
3857  env_set_inherit(c->c2.es, src);
3858 }
3859 
3860 static void
3861 do_env_set_destroy(struct context *c)
3862 {
3863  if (c->c2.es && c->c2.es_owned)
3864  {
3865  env_set_destroy(c->c2.es);
3866  c->c2.es = NULL;
3867  c->c2.es_owned = false;
3868  }
3869 }
3870 
3871 /*
3872  * Fast I/O setup. Fast I/O is an optimization which only works
3873  * if all of the following are true:
3874  *
3875  * (1) The platform is not Windows
3876  * (2) --proto udp is enabled
3877  * (3) --shaper is disabled
3878  */
3879 static void
3880 do_setup_fast_io(struct context *c)
3881 {
3882  if (c->options.fast_io)
3883  {
3884 #ifdef _WIN32
3885  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3886 #else
3887  if (!proto_is_udp(c->options.ce.proto))
3888  {
3889  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3890  }
3891  else
3892  {
3893  if (c->options.shaper)
3894  {
3895  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3896  }
3897  else
3898  {
3899  c->c2.fast_io = true;
3900  }
3901  }
3902 #endif
3903  }
3904 }
3905 
3906 static void
3907 do_signal_on_tls_errors(struct context *c)
3908 {
3909  if (c->options.tls_exit)
3910  {
3911  c->c2.tls_exit_signal = SIGTERM;
3912  }
3913  else
3914  {
3915  c->c2.tls_exit_signal = SIGUSR1;
3916  }
3917 }
3918 
3919 #ifdef ENABLE_PLUGIN
3920 
3921 void
3922 init_plugins(struct context *c)
3923 {
3924  if (c->options.plugin_list && !c->plugins)
3925  {
3926  c->plugins = plugin_list_init(c->options.plugin_list);
3927  c->plugins_owned = true;
3928  }
3929 }
3930 
3931 void
3932 open_plugins(struct context *c, const bool import_options, int init_point)
3933 {
3934  if (c->plugins && c->plugins_owned)
3935  {
3936  if (import_options)
3937  {
3938  struct plugin_return pr, config;
3939  plugin_return_init(&pr);
3940  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3941  plugin_return_get_column(&pr, &config, "config");
3942  if (plugin_return_defined(&config))
3943  {
3944  int i;
3945  for (i = 0; i < config.n; ++i)
3946  {
3947  unsigned int option_types_found = 0;
3948  if (config.list[i] && config.list[i]->value)
3949  {
3950  options_string_import(&c->options,
3951  config.list[i]->value,
3952  D_IMPORT_ERRORS|M_OPTERR,
3953  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3954  &option_types_found,
3955  c->es);
3956  }
3957  }
3958  }
3959  plugin_return_free(&pr);
3960  }
3961  else
3962  {
3963  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3964  }
3965  }
3966 }
3967 
3968 static void
3969 do_close_plugins(struct context *c)
3970 {
3971  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3972  {
3973  plugin_list_close(c->plugins);
3974  c->plugins = NULL;
3975  c->plugins_owned = false;
3976  }
3977 }
3978 
3979 static void
3980 do_inherit_plugins(struct context *c, const struct context *src)
3981 {
3982  if (!c->plugins && src->plugins)
3983  {
3984  c->plugins = plugin_list_inherit(src->plugins);
3985  c->plugins_owned = true;
3986  }
3987 }
3988 
3989 #endif /* ifdef ENABLE_PLUGIN */
3990 
3991 #ifdef ENABLE_MANAGEMENT
3992 
3993 static void
3994 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3995 {
3996  struct context *c = (struct context *) arg;
3997  print_status(c, so);
3998 }
3999 
4000 void
4001 management_show_net_callback(void *arg, const int msglevel)
4002 {
4003 #ifdef _WIN32
4004  show_routes(msglevel);
4005  show_adapters(msglevel);
4006  msg(msglevel, "END");
4007 #else
4008  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
4009 #endif
4010 }
4011 
4012 #ifdef TARGET_ANDROID
4013 int
4014 management_callback_network_change(void *arg, bool samenetwork)
4015 {
4016  /* Check if the client should translate the network change to a SIGUSR1 to
4017  * reestablish the connection or just reprotect the socket
4018  *
4019  * At the moment just assume that, for all settings that use pull (not
4020  * --static) and are not using peer-id reestablishing the connection is
4021  * required (unless the network is the same)
4022  *
4023  * The function returns -1 on invalid fd and -2 if the socket cannot be
4024  * reused. On the -2 return value the man_network_change function triggers
4025  * a SIGUSR1 to force a reconnect.
4026  */
4027 
4028  int socketfd = -1;
4029  struct context *c = (struct context *) arg;
4030  if (!c->c2.link_socket)
4031  {
4032  return -1;
4033  }
4034  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
4035  {
4036  return -1;
4037  }
4038 
4039  socketfd = c->c2.link_socket->sd;
4040  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4041  {
4042  return socketfd;
4043  }
4044  else
4045  {
4046  return -2;
4047  }
4048 }
4049 #endif /* ifdef TARGET_ANDROID */
4050 
4051 #endif /* ifdef ENABLE_MANAGEMENT */
4052 
4053 void
4054 init_management_callback_p2p(struct context *c)
4055 {
4056 #ifdef ENABLE_MANAGEMENT
4057  if (management)
4058  {
4059  struct management_callback cb;
4060  CLEAR(cb);
4061  cb.arg = c;
4062  cb.status = management_callback_status_p2p;
4063  cb.show_net = management_show_net_callback;
4064  cb.proxy_cmd = management_callback_proxy_cmd;
4065  cb.remote_cmd = management_callback_remote_cmd;
4066  cb.send_cc_message = management_callback_send_cc_message;
4067 #ifdef TARGET_ANDROID
4068  cb.network_change = management_callback_network_change;
4069 #endif
4070  management_set_callback(management, &cb);
4071  }
4072 #endif
4073 }
4074 
4075 #ifdef ENABLE_MANAGEMENT
4076 
4077 void
4078 init_management(void)
4079 {
4080  if (!management)
4081  {
4082  management = management_init();
4083  }
4084 }
4085 
4086 bool
4087 open_management(struct context *c)
4088 {
4089  /* initialize management layer */
4090  if (management)
4091  {
4092  if (c->options.management_addr)
4093  {
4094  unsigned int flags = c->options.management_flags;
4095  if (c->options.mode == MODE_SERVER)
4096  {
4097  flags |= MF_SERVER;
4098  }
4099  if (management_open(management,
4100  c->options.management_addr,
4101  c->options.management_port,
4102  c->options.management_user_pass,
4103  c->options.management_client_user,
4104  c->options.management_client_group,
4105  c->options.management_log_history_cache,
4106  c->options.management_echo_buffer_size,
4107  c->options.management_state_buffer_size,
4108  c->options.remap_sigusr1,
4109  flags))
4110  {
4111  management_set_state(management,
4112  OPENVPN_STATE_CONNECTING,
4113  NULL,
4114  NULL,
4115  NULL,
4116  NULL,
4117  NULL);
4118  }
4119 
4120  /* initial management hold, called early, before first context initialization */
4121  do_hold(0);
4122  if (IS_SIG(c))
4123  {
4124  msg(M_WARN, "Signal received from management interface, exiting");
4125  return false;
4126  }
4127  }
4128  else
4129  {
4130  close_management();
4131  }
4132  }
4133  return true;
4134 }
4135 
4136 void
4137 close_management(void)
4138 {
4139  if (management)
4140  {
4141  management_close(management);
4142  management = NULL;
4143  }
4144 }
4145 
4146 #endif /* ifdef ENABLE_MANAGEMENT */
4147 
4148 
4149 void
4150 uninit_management_callback(void)
4151 {
4152 #ifdef ENABLE_MANAGEMENT
4153  if (management)
4154  {
4155  management_clear_callback(management);
4156  }
4157 #endif
4158 }
4159 
4160 /*
4161  * Initialize a tunnel instance, handle pre and post-init
4162  * signal settings.
4163  */
4164 void
4165 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4166 {
4167  pre_init_signal_catch();
4168  init_instance(c, env, flags);
4169  post_init_signal_catch();
4170 
4171  /*
4172  * This is done so that signals thrown during
4173  * initialization can bring us back to
4174  * a management hold.
4175  */
4176  if (IS_SIG(c))
4177  {
4178  remap_signal(c);
4179  uninit_management_callback();
4180  }
4181 }
4182 
4183 /*
4184  * Initialize a tunnel instance.
4185  */
4186 void
4187 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4188 {
4189  const struct options *options = &c->options;
4190  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4191  int link_socket_mode = LS_MODE_DEFAULT;
4192 
4193  /* init garbage collection level */
4194  gc_init(&c->c2.gc);
4195 
4196  /* inherit environmental variables */
4197  if (env)
4198  {
4199  do_inherit_env(c, env);
4200  }
4201 
4202  /* signals caught here will abort */
4203  c->sig->signal_received = 0;
4204  c->sig->signal_text = NULL;
4205  c->sig->source = SIG_SOURCE_SOFT;
4206 
4207  if (c->mode == CM_P2P)
4208  {
4209  init_management_callback_p2p(c);
4210  }
4211 
4212  /* possible sleep or management hold if restart */
4213  if (c->mode == CM_P2P || c->mode == CM_TOP)
4214  {
4215  do_startup_pause(c);
4216  if (IS_SIG(c))
4217  {
4218  goto sig;
4219  }
4220  }
4221 
4222  if (c->options.resolve_in_advance)
4223  {
4224  do_preresolve(c);
4225  if (IS_SIG(c))
4226  {
4227  goto sig;
4228  }
4229  }
4230 
4231  /* Resets all values to the initial values from the config where needed */
4232  pre_connect_restore(&c->options, &c->c2.gc);
4233 
4234  /* map in current connection entry */
4235  next_connection_entry(c);
4236 
4237  /* link_socket_mode allows CM_CHILD_TCP
4238  * instances to inherit acceptable fds
4239  * from a top-level parent */
4240  if (c->options.ce.proto == PROTO_TCP_SERVER)
4241  {
4242  if (c->mode == CM_TOP)
4243  {
4244  link_socket_mode = LS_MODE_TCP_LISTEN;
4245  }
4246  else if (c->mode == CM_CHILD_TCP)
4247  {
4248  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4249  }
4250  }
4251 
4252  /* should we disable paging? */
4253  if (c->first_time && options->mlock)
4254  {
4255  platform_mlockall(true);
4256  }
4257 
4258  /* get passwords if undefined */
4259  if (auth_retry_get() == AR_INTERACT)
4260  {
4261  init_query_passwords(c);
4262  }
4263 
4264  /* initialize context level 2 --verb/--mute parms */
4265  init_verb_mute(c, IVM_LEVEL_2);
4266 
4267  /* set error message delay for non-server modes */
4268  if (c->mode == CM_P2P)
4269  {
4270  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4271  }
4272 
4273  /* warn about inconsistent options */
4274  if (c->mode == CM_P2P || c->mode == CM_TOP)
4275  {
4276  do_option_warnings(c);
4277  }
4278 
4279 #ifdef ENABLE_PLUGIN
4280  /* initialize plugins */
4281  if (c->mode == CM_P2P || c->mode == CM_TOP)
4282  {
4283  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4284  }
4285 #endif
4286 
4287  /* should we enable fast I/O? */
4288  if (c->mode == CM_P2P || c->mode == CM_TOP)
4289  {
4290  do_setup_fast_io(c);
4291  }
4292 
4293  /* should we throw a signal on TLS errors? */
4294  do_signal_on_tls_errors(c);
4295 
4296  /* open --status file */
4297  if (c->mode == CM_P2P || c->mode == CM_TOP)
4298  {
4299  do_open_status_output(c);
4300  }
4301 
4302  /* open --ifconfig-pool-persist file */
4303  if (c->mode == CM_TOP)
4304  {
4305  do_open_ifconfig_pool_persist(c);
4306  }
4307 
4308  /* reset OCC state */
4309  if (c->mode == CM_P2P || child)
4310  {
4311  c->c2.occ_op = occ_reset_op();
4312  }
4313 
4314  /* our wait-for-i/o objects, different for posix vs. win32 */
4315  if (c->mode == CM_P2P)
4316  {
4317  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4318  }
4319  else if (c->mode == CM_CHILD_TCP)
4320  {
4321  do_event_set_init(c, false);
4322  }
4323 
4324  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4325  init_proxy(c);
4326 
4327  /* allocate our socket object */
4328  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4329  {
4330  do_link_socket_new(c);
4331  }
4332 
4333 #ifdef ENABLE_FRAGMENT
4334  /* initialize internal fragmentation object */
4335  if (options->ce.fragment && (c->mode == CM_P2P || child))
4336  {
4337  c->c2.fragment = fragment_init(&c->c2.frame);
4338  }
4339 #endif
4340 
4341  /* init crypto layer */
4342  {
4343  unsigned int crypto_flags = 0;
4344  if (c->mode == CM_TOP)
4345  {
4346  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4347  }
4348  else if (c->mode == CM_P2P)
4349  {
4350  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4351  }
4352  else if (child)
4353  {
4354  crypto_flags = CF_INIT_TLS_MULTI;
4355  }
4356  do_init_crypto(c, crypto_flags);
4357  if (IS_SIG(c) && !child)
4358  {
4359  goto sig;
4360  }
4361  }
4362 
4363 #ifdef USE_COMP
4364  /* initialize compression library. */
4365  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4366  {
4367  c->c2.comp_context = comp_init(&options->comp);
4368  }
4369 #endif
4370 
4371  /* initialize MTU variables */
4372  do_init_frame(c);
4373 
4374  /* initialize TLS MTU variables */
4375  do_init_frame_tls(c);
4376 
4377  /* init workspace buffers whose size is derived from frame size */
4378  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4379  {
4380  do_init_buffers(c);
4381  }
4382 
4383 #ifdef ENABLE_FRAGMENT
4384  /* initialize internal fragmentation capability with known frame size */
4385  if (options->ce.fragment && (c->mode == CM_P2P || child))
4386  {
4387  do_init_fragment(c);
4388  }
4389 #endif
4390 
4391  /* bind the TCP/UDP socket */
4392  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4393  {
4394  link_socket_init_phase1(c, link_socket_mode);
4395  }
4396 
4397  /* initialize tun/tap device object,
4398  * open tun/tap device, ifconfig, run up script, etc. */
4399  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4400  {
4401  c->c2.did_open_tun = do_open_tun(c);
4402  }
4403 
4404  c->c2.frame_initial = c->c2.frame;
4405 
4406  /* print MTU info */
4407  do_print_data_channel_mtu_parms(c);
4408 
4409  /* get local and remote options compatibility strings */
4410  if (c->mode == CM_P2P || child)
4411  {
4412  do_compute_occ_strings(c);
4413  }
4414 
4415  /* initialize output speed limiter */
4416  if (c->mode == CM_P2P)
4417  {
4418  do_init_traffic_shaper(c);
4419  }
4420 
4421  /* do one-time inits, and possibly become a daemon here */
4422  do_init_first_time(c);
4423 
4424 #ifdef ENABLE_PLUGIN
4425  /* initialize plugins */
4426  if (c->mode == CM_P2P || c->mode == CM_TOP)
4427  {
4428  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4429  }
4430 #endif
4431 
4432  /* initialise connect timeout timer */
4433  do_init_server_poll_timeout(c);
4434 
4435  /* finalize the TCP/UDP socket */
4436  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4437  {
4438  link_socket_init_phase2(c);
4439  }
4440 
4441  /* Update dynamic frame calculation as exact transport socket information
4442  * (IP vs IPv6) may be only available after socket phase2 has finished.
4443  * This is only needed for --static or no crypto, NCP will recalculate this
4444  * in tls_session_update_crypto_params (P2MP) */
4445  frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4446  get_link_socket_info(c));
4447 
4448  /*
4449  * Actually do UID/GID downgrade, and chroot, if requested.
4450  * May be delayed by --client, --pull, or --up-delay.
4451  */
4452  do_uid_gid_chroot(c, c->c2.did_open_tun);
4453 
4454  /* initialize timers */
4455  if (c->mode == CM_P2P || child)
4456  {
4457  do_init_timers(c, false);
4458  }
4459 
4460 #ifdef ENABLE_PLUGIN
4461  /* initialize plugins */
4462  if (c->mode == CM_P2P || c->mode == CM_TOP)
4463  {
4464  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4465  }
4466 #endif
4467 
4468 #if PORT_SHARE
4469  /* share OpenVPN port with foreign (such as HTTPS) server */
4470  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4471  {
4472  init_port_share(c);
4473  }
4474 #endif
4475 
4476  /* Check for signals */
4477  if (IS_SIG(c))
4478  {
4479  goto sig;
4480  }
4481 
4482  return;
4483 
4484 sig:
4485  if (!c->sig->signal_text)
4486  {
4487  c->sig->signal_text = "init_instance";
4488  }
4489  close_context(c, -1, flags);
4490  return;
4491 }
4492 
4493 /*
4494  * Close a tunnel instance.
4495  */
4496 void
4497 close_instance(struct context *c)
4498 {
4499  /* close event objects */
4500  do_close_event_set(c);
4501 
4502  if (c->mode == CM_P2P
4503  || c->mode == CM_CHILD_TCP
4504  || c->mode == CM_CHILD_UDP
4505  || c->mode == CM_TOP)
4506  {
4507 #ifdef USE_COMP
4508  if (c->c2.comp_context)
4509  {
4510  comp_uninit(c->c2.comp_context);
4511  c->c2.comp_context = NULL;
4512  }
4513 #endif
4514 
4515  /* free buffers */
4516  do_close_free_buf(c);
4517 
4518  /* close peer for DCO if enabled, needs peer-id so must be done before
4519  * closing TLS contexts */
4520  dco_remove_peer(c);
4521 
4522  /* close TLS */
4523  do_close_tls(c);
4524 
4525  /* free key schedules */
4526  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4527 
4528  /* close TCP/UDP connection */
4529  do_close_link_socket(c);
4530 
4531  /* close TUN/TAP device */
4532  do_close_tun(c, false);
4533 
4534 #ifdef ENABLE_MANAGEMENT
4535  if (management)
4536  {
4537  management_notify_client_close(management, &c->c2.mda_context, NULL);
4538  }
4539 #endif
4540 
4541 #ifdef ENABLE_PLUGIN
4542  /* call plugin close functions and unload */
4543  do_close_plugins(c);
4544 #endif
4545 
4546  /* close packet-id persistence file */
4547  do_close_packet_id(c);
4548 
4549  /* close --status file */
4550  do_close_status_output(c);
4551 
4552 #ifdef ENABLE_FRAGMENT
4553  /* close fragmentation handler */
4554  do_close_fragment(c);
4555 #endif
4556 
4557  /* close --ifconfig-pool-persist obj */
4558  do_close_ifconfig_pool_persist(c);
4559 
4560  /* free up environmental variable store */
4561  do_env_set_destroy(c);
4562 
4563  /* close HTTP or SOCKS proxy */
4564  uninit_proxy(c);
4565 
4566  /* garbage collect */
4567  gc_free(&c->c2.gc);
4568  }
4569 }
4570 
4571 void
4572 inherit_context_child(struct context *dest,
4573  const struct context *src)
4574 {
4575  CLEAR(*dest);
4576 
4577  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4578  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4579 
4580  dest->gc = gc_new();
4581 
4582  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4583 
4584  /* c1 init */
4585  packet_id_persist_init(&dest->c1.pid_persist);
4586 
4587  dest->c1.ks.key_type = src->c1.ks.key_type;
4588  /* inherit SSL context */
4589  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4590  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4591  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4592  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4593  /* inherit pre-NCP ciphers */
4594  dest->options.ciphername = src->options.ciphername;
4595  dest->options.authname = src->options.authname;
4596 
4597  /* inherit auth-token */
4598  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4599 
4600  /* options */
4601  dest->options = src->options;
4602  options_detach(&dest->options);
4603 
4604  if (dest->mode == CM_CHILD_TCP)
4605  {
4606  /*
4607  * The CM_TOP context does the socket listen(),
4608  * and the CM_CHILD_TCP context does the accept().
4609  */
4610  dest->c2.accept_from = src->c2.link_socket;
4611  }
4612 
4613 #ifdef ENABLE_PLUGIN
4614  /* inherit plugins */
4615  do_inherit_plugins(dest, src);
4616 #endif
4617 
4618  /* context init */
4619 
4620  /* inherit tun/tap interface object now as it may be required
4621  * to initialize the DCO context in init_instance()
4622  */
4623  dest->c1.tuntap = src->c1.tuntap;
4624 
4625  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4626  if (IS_SIG(dest))
4627  {
4628  return;
4629  }
4630 
4631  /* UDP inherits some extra things which TCP does not */
4632  if (dest->mode == CM_CHILD_UDP)
4633  {
4634  /* inherit buffers */
4635  dest->c2.buffers = src->c2.buffers;
4636 
4637  /* inherit parent link_socket and tuntap */
4638  dest->c2.link_socket = src->c2.link_socket;
4639 
4640  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4641  *dest->c2.link_socket_info = src->c2.link_socket->info;
4642 
4643  /* locally override some link_socket_info fields */
4644  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4645  dest->c2.link_socket_info->connection_established = false;
4646  }
4647 }
4648 
4649 void
4650 inherit_context_top(struct context *dest,
4651  const struct context *src)
4652 {
4653  /* copy parent */
4654  *dest = *src;
4655 
4656  /*
4657  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4658  * resources owned by the parent.
4659  *
4660  * Also note that CM_TOP_CLONE context objects are
4661  * closed by multi_top_free in multi.c.
4662  */
4663  dest->mode = CM_TOP_CLONE;
4664 
4665  dest->first_time = false;
4666  dest->c0 = NULL;
4667 
4668  options_detach(&dest->options);
4669  gc_detach(&dest->gc);
4670  gc_detach(&dest->c2.gc);
4671 
4672  /* detach plugins */
4673  dest->plugins_owned = false;
4674 
4675  dest->c2.tls_multi = NULL;
4676 
4677  /* detach c1 ownership */
4678  dest->c1.tuntap_owned = false;
4679  dest->c1.status_output_owned = false;
4680  dest->c1.ifconfig_pool_persist_owned = false;
4681 
4682  /* detach c2 ownership */
4683  dest->c2.event_set_owned = false;
4684  dest->c2.link_socket_owned = false;
4685  dest->c2.buffers_owned = false;
4686  dest->c2.es_owned = false;
4687 
4688  dest->c2.event_set = NULL;
4689  if (proto_is_dgram(src->options.ce.proto))
4690  {
4691  do_event_set_init(dest, false);
4692  }
4693 
4694 #ifdef USE_COMP
4695  dest->c2.comp_context = NULL;
4696 #endif
4697 }
4698 
4699 void
4700 close_context(struct context *c, int sig, unsigned int flags)
4701 {
4702  ASSERT(c);
4703  ASSERT(c->sig);
4704 
4705  if (sig >= 0)
4706  {
4707  c->sig->signal_received = sig;
4708  }
4709 
4710  if (c->sig->signal_received == SIGUSR1)
4711  {
4712  if ((flags & CC_USR1_TO_HUP)
4713  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4714  {
4715  c->sig->signal_received = SIGHUP;
4716  c->sig->signal_text = "close_context usr1 to hup";
4717  }
4718  }
4719 
4720  if (!(flags & CC_NO_CLOSE))
4721  {
4722  close_instance(c);
4723  }
4724 
4725  if (flags & CC_GC_FREE)
4726  {
4727  context_gc_free(c);
4728  }
4729 }
4730 
4731 /* Write our PID to a file */
4732 void
4733 write_pid_file(const char *filename, const char *chroot_dir)
4734 {
4735  if (filename)
4736  {
4737  unsigned int pid = 0;
4738  FILE *fp = platform_fopen(filename, "w");
4739  if (!fp)
4740  {
4741  msg(M_ERR, "Open error on pid file %s", filename);
4742  return;
4743  }
4744 
4745  pid = platform_getpid();
4746  fprintf(fp, "%u\n", pid);
4747  if (fclose(fp))
4748  {
4749  msg(M_ERR, "Close error on pid file %s", filename);
4750  }
4751 
4752  /* remember file name so it can be deleted "out of context" later */
4753  /* (the chroot case is more complex and not handled today) */
4754  if (!chroot_dir)
4755  {
4756  saved_pid_file_name = strdup(filename);
4757  }
4758  }
4759 }
4760 
4761 /* remove PID file on exit, called from openvpn_exit() */
4762 void
4763 remove_pid_file(void)
4764 {
4765  if (saved_pid_file_name)
4766  {
4767  platform_unlink(saved_pid_file_name);
4768  }
4769 }
4770 
4771 
4772 /*
4773  * Do a loopback test
4774  * on the crypto subsystem.
4775  */
4776 static void *
4777 test_crypto_thread(void *arg)
4778 {
4779  struct context *c = (struct context *) arg;
4780  const struct options *options = &c->options;
4781 
4782  ASSERT(options->test_crypto);
4783  init_verb_mute(c, IVM_LEVEL_1);
4784  context_init_1(c);
4785  next_connection_entry(c);
4786  do_init_crypto_static(c, 0);
4787 
4788  frame_finalize_options(c, options);
4789 
4790  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4791 
4792  key_schedule_free(&c->c1.ks, true);
4793  packet_id_free(&c->c2.crypto_options.packet_id);
4794 
4795  context_gc_free(c);
4796  return NULL;
4797 }
4798 
4799 bool
4800 do_test_crypto(const struct options *o)
4801 {
4802  if (o->test_crypto)
4803  {
4804  struct context c;
4805 
4806  /* print version number */
4807  msg(M_INFO, "%s", title_string);
4808 
4809  context_clear(&c);
4810  c.options = *o;
4811  options_detach(&c.options);
4812  c.first_time = true;
4813  test_crypto_thread((void *) &c);
4814  return true;
4815  }
4816  return false;
4817 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:162
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:326
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:734
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3835
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2298
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:384
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5722
options::replay_time
int replay_time
Definition: options.h:561
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:224
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:546
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition: init.c:4800
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition: openvpn.h:327
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:269
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition: plugin.c:766
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2649
options::show_engines
bool show_engines
Definition: options.h:265
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3969
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition: crypto.c:1373
signal_info::signal_received
volatile int signal_received
Definition: sig.h:45
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:603
options::verbosity
int verbosity
Definition: options.h:380
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition: tun.c:690
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:153
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition: init.c:1304
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition: ssl.c:300
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:469
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:150
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:599
OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_UP
Definition: openvpn-plugin.h:117
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:294
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:139
frame::mss_fix
unsigned int mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2807
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:355
platform_user_group_set
void platform_user_group_set(const struct platform_state_user *user_state, const struct platform_state_group *group_state, struct context *c)
Definition: platform.c:209
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:137
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:2958
options::show_digests
bool show_digests
Definition: options.h:264
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3628
connection_entry::link_mtu
int link_mtu
Definition: options.h:127
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition: fragment.c:124
options::use_peer_id
bool use_peer_id
Definition: options.h:678
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4828
M_OPTERR
#define M_OPTERR
Definition: error.h:106
tls_options::verify_x509_name
const char * verify_x509_name
Definition: ssl_common.h:331
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:545
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:118
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:242
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:552
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:998
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:221
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition: fragment.c:91
options::nice
int nice
Definition: options.h:379
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1562
run_command.h
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
auth_token.h
tls_options::frame
struct frame frame
Definition: ssl_common.h:363
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:112
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:143
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:324
forward.h
open_management
bool open_management(struct context *c)
Definition: init.c:4087
plugin_return
Definition: plugin.h:101
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition: tun.h:375
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:249
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition: fragment.c:115
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:546
signal_info::signal_text
const char * signal_text
Definition: sig.h:47
route_list
Definition: route.h:206
gremlin.h
context_1::status_output_owned
bool status_output_owned
Definition: openvpn.h:181
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
options::up_script
const char * up_script
Definition: options.h:366
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:511
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:265
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:209
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:738
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:736
options::keepalive_ping
int keepalive_ping
Definition: options.h:325
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:116
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:19
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6718
init_connection_list
static void init_connection_list(struct context *c)
Definition: init.c:429
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:81
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3723
M_FATAL
#define M_FATAL
Definition: error.h:95
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:209
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:587
win32.h
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition: env_set.c:168
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:525
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition: event.h:82
tuntap::windows_driver
enum windows_driver_type windows_driver
Definition: tun.h:209
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4173
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
route_gateway_info
Definition: route.h:146
options::show_ciphers
bool show_ciphers
Definition: options.h:263
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:216
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
context_2::es_owned
bool es_owned
Definition: openvpn.h:422
options::duplicate_cn
bool duplicate_cn
Definition: options.h:511
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:163
streq
#define streq(x, y)
Definition: options.h:701
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition: error.h:292
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:12
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3121
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition: packet_id.c:433
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:537
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition: init.c:3614
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:273
occ_reset_op
static int occ_reset_op(void)
Definition: occ.h:101
connection_entry::remote_port
const char * remote_port
Definition: options.h:105
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4024
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:376
lladdr.h
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3793
context
Contains all state information for one tunnel.
Definition: openvpn.h:474
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition: init.c:3880
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2567
tls_options::transition_window
int transition_window
Definition: ssl_common.h:320
options::route_nopull
bool route_nopull
Definition: options.h:422
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:771
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:656
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:106
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:124
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition: openvpn.h:70
extract_x509_field_test
void extract_x509_field_test(void)
options::key_direction
int key_direction
Definition: options.h:550
options::topology
int topology
Definition: options.h:305
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
context_2::auth_token_renewal_interval
struct event_timeout auth_token_renewal_interval
Definition: openvpn.h:294
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:157
options::authname
const char * authname
Definition: options.h:555
options::dev_type
const char * dev_type
Definition: options.h:302
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition: ssl_common.h:380
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:70
get_random
long int get_random(void)
Definition: crypto.c:1634
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition: init.c:3256
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:345
AR_NONE
#define AR_NONE
Definition: options.h:876
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:325
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:106
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition: init.c:3531
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:389
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:106
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:486
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:503
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:568
options::tls_client
bool tls_client
Definition: options.h:570
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:548
context_2::log_rw
bool log_rw
Definition: openvpn.h:381
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:425
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:171
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:943
context_2::es
struct env_set * es
Definition: openvpn.h:421
config-msvc.h
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:611
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:114
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:106
tls_options::client_crresponse_script
const char * client_crresponse_script
Definition: ssl_common.h:367
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
link_socket_proto_connection_oriented
static bool link_socket_proto_connection_oriented(int proto)
Definition: socket.h:629
route_ipv6_gateway_info
Definition: route.h:179
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:107
man_persist::special_state_msg
const char * special_state_msg
Definition: manage.h:214
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3744
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:222
tls_options::replay_time
int replay_time
Definition: ssl_common.h:351
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:730
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:471
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:383
options::cipher_list
const char * cipher_list
Definition: options.h:584
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:776
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4187
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:180
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition: ssl_common.h:336
options::mode
int mode
Definition: options.h:247
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition: mtu.h:112
options::session_timeout
int session_timeout
Definition: options.h:331
tls_options::single_session
bool single_session
Definition: ssl_common.h:305
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1293
route_ipv6_list
Definition: route.h:219
options::mute
int mute
Definition: options.h:381
tls_options::verify_hash_depth
int verify_hash_depth
Definition: ssl_common.h:338
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:120
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:288
SSEC_PW_ENV
#define SSEC_PW_ENV
Definition: run_command.h:34
MF_SERVER
#define MF_SERVER
Definition: manage.h:325
show_available_ciphers
void show_available_ciphers(void)
Definition: crypto_openssl.c:357
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:217
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
context::c0
struct context_0 * c0
Level 0 context.
Definition: openvpn.h:513
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
frame::buf
struct frame::@5 buf
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:146
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:128
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1953
time_test
void time_test(void)
dmsg
#define dmsg(flags,...)
Definition: error.h:154
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1123
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition: crypto.h:263
options::ce
struct connection_entry ce
Definition: options.h:275
options::msg_channel
HANDLE msg_channel
Definition: options.h:669
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: ssl_common.h:339
tls_options::crl_file_inline
bool crl_file_inline
Definition: ssl_common.h:333
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:108
openvpn_sockaddr
Definition: socket.h:65
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition: env_set.c:240
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition: init.c:3653
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:352
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:368
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:600
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:721
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
D_LOW
#define D_LOW
Definition: errlevel.h:98
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:388
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:639
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition: mtu.c:73
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:271
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:103
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:308
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3445
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:385
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:98
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2114
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:445
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition: sig.h:33
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:82
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:361
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:357
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:354