OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 #include "mss.h"
57 #include "mudp.h"
58 
59 #include "memdbg.h"
60 
61 
62 static struct context *static_context; /* GLOBAL */
63 static const char *saved_pid_file_name; /* GLOBAL */
64 
65 /*
66  * Crypto initialization flags
67  */
68 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
69 #define CF_INIT_TLS_MULTI (1<<1)
70 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
71 
72 static void do_init_first_time(struct context *c);
73 static bool do_deferred_p2p_ncp(struct context *c);
74 
75 void
76 context_clear(struct context *c)
77 {
78  CLEAR(*c);
79 }
80 
81 void
82 context_clear_1(struct context *c)
83 {
84  CLEAR(c->c1);
85 }
86 
87 void
88 context_clear_2(struct context *c)
89 {
90  CLEAR(c->c2);
91 }
92 
93 void
94 context_clear_all_except_first_time(struct context *c)
95 {
96  const bool first_time_save = c->first_time;
97  const struct context_persist cpsave = c->persist;
98  context_clear(c);
99  c->first_time = first_time_save;
100  c->persist = cpsave;
101 }
102 
103 /*
104  * Pass tunnel endpoint and MTU parms to a user-supplied script.
105  * Used to execute the up/down script/plugins.
106  */
107 static void
108 run_up_down(const char *command,
109  const struct plugin_list *plugins,
110  int plugin_type,
111  const char *arg,
112 #ifdef _WIN32
113  DWORD adapter_index,
114 #endif
115  const char *dev_type,
116  int tun_mtu,
117  const char *ifconfig_local,
118  const char *ifconfig_remote,
119  const char *context,
120  const char *signal_text,
121  const char *script_type,
122  struct env_set *es)
123 {
124  struct gc_arena gc = gc_new();
125 
126  if (signal_text)
127  {
128  setenv_str(es, "signal", signal_text);
129  }
130  setenv_str(es, "script_context", context);
131  setenv_int(es, "tun_mtu", tun_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d 0 %s %s %s",
160  arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
161 
162  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163  {
164  msg(M_FATAL, "ERROR: up/down plugin call failed");
165  }
166 
167  argv_free(&argv);
168  }
169 
170  if (command)
171  {
172  struct argv argv = argv_new();
173  ASSERT(arg);
174  setenv_str(es, "script_type", script_type);
175  argv_parse_cmd(&argv, command);
176  argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
177  ifconfig_local, ifconfig_remote, context);
178  argv_msg(M_INFO, &argv);
179  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
180  argv_free(&argv);
181  }
182 
183  gc_free(&gc);
184 }
185 
186 /*
187  * Should be called after options->ce is modified at the top
188  * of a SIGUSR1 restart.
189  */
190 static void
191 update_options_ce_post(struct options *options)
192 {
193  /*
194  * In pull mode, we usually import --ping/--ping-restart parameters from
195  * the server. However we should also set an initial default --ping-restart
196  * for the period of time before we pull the --ping-restart parameter
197  * from the server.
198  */
199  if (options->pull
200  && options->ping_rec_timeout_action == PING_UNDEF
201  && proto_is_dgram(options->ce.proto))
202  {
203  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204  options->ping_rec_timeout_action = PING_RESTART;
205  }
206 }
207 
208 #ifdef ENABLE_MANAGEMENT
209 static bool
210 management_callback_proxy_cmd(void *arg, const char **p)
211 {
212  struct context *c = arg;
213  struct connection_entry *ce = &c->options.ce;
214  struct gc_arena *gc = &c->c2.gc;
215  bool ret = false;
216 
217  update_time();
218  if (streq(p[1], "NONE"))
219  {
220  ret = true;
221  }
222  else if (p[2] && p[3])
223  {
224  if (streq(p[1], "HTTP"))
225  {
226  struct http_proxy_options *ho;
227  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
228  {
229  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
230  return false;
231  }
232  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
233  ho->server = string_alloc(p[2], gc);
234  ho->port = string_alloc(p[3], gc);
235  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
236  ret = true;
237  }
238  else if (streq(p[1], "SOCKS"))
239  {
240  ce->socks_proxy_server = string_alloc(p[2], gc);
241  ce->socks_proxy_port = string_alloc(p[3], gc);
242  ret = true;
243  }
244  }
245  else
246  {
247  msg(M_WARN, "Bad proxy command");
248  }
249 
250  ce->flags &= ~CE_MAN_QUERY_PROXY;
251 
252  return ret;
253 }
254 
255 static bool
256 ce_management_query_proxy(struct context *c)
257 {
258  const struct connection_list *l = c->options.connection_list;
259  struct connection_entry *ce = &c->options.ce;
260  struct gc_arena gc;
261  bool ret = true;
262 
263  update_time();
264  if (management)
265  {
266  gc = gc_new();
267  {
268  struct buffer out = alloc_buf_gc(256, &gc);
269  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
270  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
271  management_notify_generic(management, BSTR(&out));
272  management->persist.special_state_msg = BSTR(&out);
273  }
274  ce->flags |= CE_MAN_QUERY_PROXY;
275  while (ce->flags & CE_MAN_QUERY_PROXY)
276  {
277  management_event_loop_n_seconds(management, 1);
278  if (IS_SIG(c))
279  {
280  ret = false;
281  break;
282  }
283  }
284  management->persist.special_state_msg = NULL;
285  gc_free(&gc);
286  }
287 
288  return ret;
289 }
290 
305 static bool
306 management_callback_send_cc_message(void *arg,
307  const char *command,
308  const char *parameters)
309 {
310  struct context *c = (struct context *) arg;
311  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
312  if (len > PUSH_BUNDLE_SIZE)
313  {
314  return false;
315  }
316 
317  struct gc_arena gc = gc_new();
318  struct buffer buf = alloc_buf_gc(len, &gc);
319  ASSERT(buf_printf(&buf, "%s", command));
320  if (parameters)
321  {
322  ASSERT(buf_printf(&buf, ",%s", parameters));
323  }
324  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
325 
326  gc_free(&gc);
327  return status;
328 }
329 
330 static bool
331 management_callback_remote_cmd(void *arg, const char **p)
332 {
333  struct context *c = (struct context *) arg;
334  struct connection_entry *ce = &c->options.ce;
335  int ret = false;
336  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
337  {
338  int flags = 0;
339  if (!strcmp(p[1], "ACCEPT"))
340  {
341  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
342  ret = true;
343  }
344  else if (!strcmp(p[1], "SKIP"))
345  {
346  flags = CE_MAN_QUERY_REMOTE_SKIP;
347  ret = true;
348  }
349  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
350  {
351  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
352  {
353  struct remote_host_store *rhs = c->options.rh_store;
354  if (!rhs)
355  {
356  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
357  c->options.rh_store = rhs;
358  }
359  strncpynt(rhs->host, p[2], RH_HOST_LEN);
360  strncpynt(rhs->port, p[3], RH_PORT_LEN);
361 
362  ce->remote = rhs->host;
363  ce->remote_port = rhs->port;
364  flags = CE_MAN_QUERY_REMOTE_MOD;
365  ret = true;
366  }
367  }
368  if (ret)
369  {
370  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
371  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
372  }
373  }
374  return ret;
375 }
376 
377 static bool
378 ce_management_query_remote(struct context *c)
379 {
380  struct gc_arena gc = gc_new();
381  volatile struct connection_entry *ce = &c->options.ce;
382  int ce_changed = true; /* presume the connection entry will be changed */
383 
384  update_time();
385  if (management)
386  {
387  struct buffer out = alloc_buf_gc(256, &gc);
388 
389  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
390  proto2ascii(ce->proto, ce->af, false));
391  management_notify_generic(management, BSTR(&out));
392  management->persist.special_state_msg = BSTR(&out);
393 
394  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
395  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
396  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
397  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
398  {
399  management_event_loop_n_seconds(management, 1);
400  if (IS_SIG(c))
401  {
402  ce_changed = false; /* connection entry have not been set */
403  break;
404  }
405  }
406  management->persist.special_state_msg = NULL;
407  }
408  gc_free(&gc);
409 
410  if (ce_changed)
411  {
412  /* If it is likely a connection entry was modified,
413  * check what changed in the flags and that it was not skipped
414  */
415  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
416  & CE_MAN_QUERY_REMOTE_MASK);
417  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
418  }
419  return ce_changed;
420 }
421 #endif /* ENABLE_MANAGEMENT */
422 
423 /*
424  * Initialize and possibly randomize connection list.
425  */
426 static void
427 init_connection_list(struct context *c)
428 {
429  struct connection_list *l = c->options.connection_list;
430 
431  l->current = -1;
432  if (c->options.remote_random)
433  {
434  int i;
435  for (i = 0; i < l->len; ++i)
436  {
437  const int j = get_random() % l->len;
438  if (i != j)
439  {
440  struct connection_entry *tmp;
441  tmp = l->array[i];
442  l->array[i] = l->array[j];
443  l->array[j] = tmp;
444  }
445  }
446  }
447 }
448 
449 /*
450  * Clear the remote address list
451  */
452 static void
453 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
454 {
455  if (lsa->remote_list && free)
456  {
457  freeaddrinfo(lsa->remote_list);
458  }
459  lsa->remote_list = NULL;
460  lsa->current_remote = NULL;
461 }
462 
463 /*
464  * Increment to next connection entry
465  */
466 static void
467 next_connection_entry(struct context *c)
468 {
469  struct connection_list *l = c->options.connection_list;
470  bool ce_defined;
471  struct connection_entry *ce;
472  int n_cycles = 0;
473 
474  do
475  {
476  ce_defined = true;
477  if (c->options.no_advance && l->current >= 0)
478  {
479  c->options.no_advance = false;
480  }
481  else
482  {
483  /* Check if there is another resolved address to try for
484  * the current connection */
485  if (c->c1.link_socket_addr.current_remote
486  && c->c1.link_socket_addr.current_remote->ai_next)
487  {
488  c->c1.link_socket_addr.current_remote =
489  c->c1.link_socket_addr.current_remote->ai_next;
490  }
491  else
492  {
493  /* FIXME (schwabe) fix the persist-remote-ip option for real,
494  * this is broken probably ever since connection lists and multiple
495  * remote existed
496  */
497  if (!c->options.persist_remote_ip)
498  {
499  /* Connection entry addrinfo objects might have been
500  * resolved earlier but the entry itself might have been
501  * skipped by management on the previous loop.
502  * If so, clear the addrinfo objects as close_instance does
503  */
504  if (c->c1.link_socket_addr.remote_list)
505  {
506  clear_remote_addrlist(&c->c1.link_socket_addr,
507  !c->options.resolve_in_advance);
508  }
509 
510  /* close_instance should have cleared the addrinfo objects */
511  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
512  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
513  }
514  else
515  {
516  c->c1.link_socket_addr.current_remote =
517  c->c1.link_socket_addr.remote_list;
518  }
519 
520  /*
521  * Increase the number of connection attempts
522  * If this is connect-retry-max * size(l)
523  * OpenVPN will quit
524  */
525 
526  c->options.unsuccessful_attempts++;
527 
528  if (++l->current >= l->len)
529  {
530 
531  l->current = 0;
532  if (++n_cycles >= 2)
533  {
534  msg(M_FATAL, "No usable connection profiles are present");
535  }
536  }
537  }
538  }
539 
540  ce = l->array[l->current];
541 
542  if (ce->flags & CE_DISABLED)
543  {
544  ce_defined = false;
545  }
546 
547  c->options.ce = *ce;
548 #ifdef ENABLE_MANAGEMENT
549  if (ce_defined && management && management_query_remote_enabled(management))
550  {
551  /* allow management interface to override connection entry details */
552  ce_defined = ce_management_query_remote(c);
553  if (IS_SIG(c))
554  {
555  break;
556  }
557  }
558  else if (ce_defined && management && management_query_proxy_enabled(management))
559  {
560  ce_defined = ce_management_query_proxy(c);
561  if (IS_SIG(c))
562  {
563  break;
564  }
565  }
566 #endif
567  } while (!ce_defined);
568 
569  /* Check if this connection attempt would bring us over the limit */
570  if (c->options.connect_retry_max > 0
571  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
572  {
573  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
574  c->options.connect_retry_max);
575  }
576  update_options_ce_post(&c->options);
577 }
578 
579 /*
580  * Query for private key and auth-user-pass username/passwords
581  */
582 void
583 init_query_passwords(const struct context *c)
584 {
585  /* Certificate password input */
586  if (c->options.key_pass_file)
587  {
588  pem_password_setup(c->options.key_pass_file);
589  }
590 
591  /* Auth user/pass input */
592  if (c->options.auth_user_pass_file)
593  {
594 #ifdef ENABLE_MANAGEMENT
595  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
596 #else
597  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
598 #endif
599  }
600 }
601 
602 /*
603  * Initialize/Uninitialize HTTP or SOCKS proxy
604  */
605 
606 static void
607 uninit_proxy_dowork(struct context *c)
608 {
609  if (c->c1.http_proxy_owned && c->c1.http_proxy)
610  {
611  http_proxy_close(c->c1.http_proxy);
612  c->c1.http_proxy = NULL;
613  c->c1.http_proxy_owned = false;
614  }
615  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
616  {
617  socks_proxy_close(c->c1.socks_proxy);
618  c->c1.socks_proxy = NULL;
619  c->c1.socks_proxy_owned = false;
620  }
621 }
622 
623 static void
624 init_proxy_dowork(struct context *c)
625 {
626  bool did_http = false;
627 
628  uninit_proxy_dowork(c);
629 
630  if (c->options.ce.http_proxy_options)
631  {
632  /* Possible HTTP proxy user/pass input */
633  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
634  if (c->c1.http_proxy)
635  {
636  did_http = true;
637  c->c1.http_proxy_owned = true;
638  }
639  }
640 
641  if (!did_http && c->options.ce.socks_proxy_server)
642  {
643  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
644  c->options.ce.socks_proxy_port,
645  c->options.ce.socks_proxy_authfile);
646  if (c->c1.socks_proxy)
647  {
648  c->c1.socks_proxy_owned = true;
649  }
650  }
651 }
652 
653 static void
654 init_proxy(struct context *c)
655 {
656  init_proxy_dowork(c);
657 }
658 
659 static void
660 uninit_proxy(struct context *c)
661 {
662  uninit_proxy_dowork(c);
663 }
664 
665 void
666 context_init_1(struct context *c)
667 {
668  context_clear_1(c);
669 
670  packet_id_persist_init(&c->c1.pid_persist);
671 
672  init_connection_list(c);
673 
674 #if defined(ENABLE_PKCS11)
675  if (c->first_time)
676  {
677  int i;
678  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
679  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
680  {
681  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
682  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
683  }
684  }
685 #endif
686 
687 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
688  {
689  /*
690  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
691  */
692  struct user_pass up;
693  CLEAR(up);
694  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
695  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
696  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
697  * 'needok' command, usually 'ok' or 'cancel'. */
698  }
699 #endif
700 
701 #ifdef ENABLE_SYSTEMD
702  /* We can report the PID via getpid() to systemd here as OpenVPN will not
703  * do any fork due to daemon() a future call.
704  * See possibly_become_daemon() [init.c] for more details.
705  */
706  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
707  (unsigned long) getpid());
708 #endif
709 
710 }
711 
712 void
713 context_gc_free(struct context *c)
714 {
715  gc_free(&c->c2.gc);
716  gc_free(&c->options.gc);
717  gc_free(&c->gc);
718 }
719 
720 #if PORT_SHARE
721 
722 static void
723 close_port_share(void)
724 {
725  if (port_share)
726  {
727  port_share_close(port_share);
728  port_share = NULL;
729  }
730 }
731 
732 static void
733 init_port_share(struct context *c)
734 {
735  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
736  {
737  port_share = port_share_open(c->options.port_share_host,
738  c->options.port_share_port,
739  c->c2.frame.buf.payload_size,
740  c->options.port_share_journal_dir);
741  if (port_share == NULL)
742  {
743  msg(M_FATAL, "Fatal error: Port sharing failed");
744  }
745  }
746 }
747 
748 #endif /* if PORT_SHARE */
749 
750 
751 bool
752 init_static(void)
753 {
754  /* configure_path (); */
755 
756 #if defined(DMALLOC)
757  crypto_init_dmalloc();
758 #endif
759 
760 
761  /*
762  * Initialize random number seed. random() is only used
763  * when "weak" random numbers are acceptable.
764  * SSL library routines are always used when cryptographically
765  * strong random numbers are required.
766  */
767  struct timeval tv;
768  if (!gettimeofday(&tv, NULL))
769  {
770  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
771  srandom(seed);
772  }
773 
774  error_reset(); /* initialize error.c */
775  reset_check_status(); /* initialize status check code in socket.c */
776 
777 #ifdef _WIN32
778  init_win32();
779 #endif
780 
781 #ifdef OPENVPN_DEBUG_COMMAND_LINE
782  {
783  int i;
784  for (i = 0; i < argc; ++i)
785  {
786  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
787  }
788  }
789 #endif
790 
791  update_time();
792 
793  init_ssl_lib();
794 
795 #ifdef SCHEDULE_TEST
796  schedule_test();
797  return false;
798 #endif
799 
800 #ifdef LIST_TEST
801  list_test();
802  return false;
803 #endif
804 
805 #ifdef IFCONFIG_POOL_TEST
806  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
807  return false;
808 #endif
809 
810 #ifdef CHARACTER_CLASS_DEBUG
811  character_class_debug();
812  return false;
813 #endif
814 
815 #ifdef EXTRACT_X509_FIELD_TEST
816  extract_x509_field_test();
817  return false;
818 #endif
819 
820 #ifdef TIME_TEST
821  time_test();
822  return false;
823 #endif
824 
825 #ifdef TEST_GET_DEFAULT_GATEWAY
826  {
827  struct route_gateway_info rgi;
828  struct route_ipv6_gateway_info rgi6;
829  get_default_gateway(&rgi);
830  get_default_gateway_ipv6(&rgi6, NULL);
831  print_default_gateway(M_INFO, &rgi, &rgi6);
832  return false;
833  }
834 #endif
835 
836 #ifdef GEN_PATH_TEST
837  {
838  struct gc_arena gc = gc_new();
839  const char *fn = gen_path("foo",
840  "bar",
841  &gc);
842  printf("%s\n", fn);
843  gc_free(&gc);
844  }
845  return false;
846 #endif
847 
848 #ifdef STATUS_PRINTF_TEST
849  {
850  struct gc_arena gc = gc_new();
851  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
852  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
853  status_printf(so, "%s", "foo");
854  status_printf(so, "%s", "bar");
855  if (!status_close(so))
856  {
857  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
858  }
859  gc_free(&gc);
860  }
861  return false;
862 #endif
863 
864 #ifdef MSTATS_TEST
865  {
866  int i;
867  mstats_open("/dev/shm/mstats.dat");
868  for (i = 0; i < 30; ++i)
869  {
870  mmap_stats->n_clients += 1;
871  mmap_stats->link_write_bytes += 8;
872  mmap_stats->link_read_bytes += 16;
873  sleep(1);
874  }
875  mstats_close();
876  return false;
877  }
878 #endif
879 
880  return true;
881 }
882 
883 void
884 uninit_static(void)
885 {
886  free_ssl_lib();
887 
888 #ifdef ENABLE_PKCS11
889  pkcs11_terminate();
890 #endif
891 
892 #if PORT_SHARE
893  close_port_share();
894 #endif
895 
896 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
897  show_tls_performance_stats();
898 #endif
899 }
900 
901 void
902 init_verb_mute(struct context *c, unsigned int flags)
903 {
904  if (flags & IVM_LEVEL_1)
905  {
906  /* set verbosity and mute levels */
907  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
908  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
909  set_mute_cutoff(c->options.mute);
910  }
911 
912  /* special D_LOG_RW mode */
913  if (flags & IVM_LEVEL_2)
914  {
915  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
916  }
917 }
918 
919 /*
920  * Possibly set --dev based on --dev-node.
921  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
922  * set --dev to tun.
923  */
924 void
925 init_options_dev(struct options *options)
926 {
927  if (!options->dev && options->dev_node)
928  {
929  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
930  options->dev = basename(dev_node);
931  }
932 }
933 
934 bool
935 print_openssl_info(const struct options *options)
936 {
937  /*
938  * OpenSSL info print mode?
939  */
940  if (options->show_ciphers || options->show_digests || options->show_engines
941  || options->show_tls_ciphers || options->show_curves)
942  {
943  if (options->show_ciphers)
944  {
945  show_available_ciphers();
946  }
947  if (options->show_digests)
948  {
949  show_available_digests();
950  }
951  if (options->show_engines)
952  {
953  show_available_engines();
954  }
955  if (options->show_tls_ciphers)
956  {
957  show_available_tls_ciphers(options->cipher_list,
958  options->cipher_list_tls13,
959  options->tls_cert_profile);
960  }
961  if (options->show_curves)
962  {
963  show_available_curves();
964  }
965  return true;
966  }
967  return false;
968 }
969 
970 /*
971  * Static pre-shared key generation mode?
972  */
973 bool
974 do_genkey(const struct options *options)
975 {
976  /* should we disable paging? */
977  if (options->mlock && (options->genkey))
978  {
979  platform_mlockall(true);
980  }
981 
982  /*
983  * We do not want user to use --genkey with --secret. In the transistion
984  * phase we for secret.
985  */
986  if (options->genkey && options->genkey_type != GENKEY_SECRET
987  && options->shared_secret_file)
988  {
989  msg(M_USAGE, "Using --genkey type with --secret filename is "
990  "not supported. Use --genkey type filename instead.");
991  }
992  if (options->genkey && options->genkey_type == GENKEY_SECRET)
993  {
994  int nbits_written;
995  const char *genkey_filename = options->genkey_filename;
996  if (options->shared_secret_file && options->genkey_filename)
997  {
998  msg(M_USAGE, "You must provide a filename to either --genkey "
999  "or --secret, not both");
1000  }
1001 
1002  /*
1003  * Copy filename from shared_secret_file to genkey_filename to support
1004  * the old --genkey --secret foo.file syntax.
1005  */
1006  if (options->shared_secret_file)
1007  {
1008  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1009  "DEPRECATED. Use --genkey secret filename instead.");
1010  genkey_filename = options->shared_secret_file;
1011  }
1012 
1013  nbits_written = write_key_file(2, genkey_filename);
1014  if (nbits_written < 0)
1015  {
1016  msg(M_FATAL, "Failed to write key file");
1017  }
1018 
1019  msg(D_GENKEY | M_NOPREFIX,
1020  "Randomly generated %d bit key written to %s", nbits_written,
1021  options->shared_secret_file);
1022  return true;
1023  }
1024  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1025  {
1026  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1027  return true;
1028  }
1029  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1030  {
1031  if (!options->tls_crypt_v2_file)
1032  {
1033  msg(M_USAGE,
1034  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1035  }
1036 
1037  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1038  options->genkey_extra_data, options->tls_crypt_v2_file,
1039  options->tls_crypt_v2_file_inline);
1040  return true;
1041  }
1042  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1043  {
1044  auth_token_write_server_key_file(options->genkey_filename);
1045  return true;
1046  }
1047  else
1048  {
1049  return false;
1050  }
1051 }
1052 
1053 /*
1054  * Persistent TUN/TAP device management mode?
1055  */
1056 bool
1057 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1058 {
1059  if (options->persist_config)
1060  {
1061  /* sanity check on options for --mktun or --rmtun */
1062  notnull(options->dev, "TUN/TAP device (--dev)");
1063  if (options->ce.remote || options->ifconfig_local
1064  || options->ifconfig_remote_netmask
1065  || options->shared_secret_file
1066  || options->tls_server || options->tls_client
1067  )
1068  {
1069  msg(M_FATAL|M_OPTERR,
1070  "options --mktun or --rmtun should only be used together with --dev");
1071  }
1072 #ifdef ENABLE_FEATURE_TUN_PERSIST
1073  tuncfg(options->dev, options->dev_type, options->dev_node,
1074  options->persist_mode,
1075  options->username, options->groupname, &options->tuntap_options,
1076  ctx);
1077  if (options->persist_mode && options->lladdr)
1078  {
1079  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1080  }
1081  return true;
1082 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1083  msg( M_FATAL|M_OPTERR,
1084  "options --mktun and --rmtun are not available on your operating "
1085  "system. Please check 'man tun' (or 'tap'), whether your system "
1086  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1087  "persistent tunnel interfaces.", options->dev );
1088 #endif
1089  }
1090  return false;
1091 }
1092 
1093 /*
1094  * Should we become a daemon?
1095  * Return true if we did it.
1096  */
1097 bool
1098 possibly_become_daemon(const struct options *options)
1099 {
1100  bool ret = false;
1101 
1102 #ifdef ENABLE_SYSTEMD
1103  /* return without forking if we are running from systemd */
1104  if (sd_notify(0, "READY=0") > 0)
1105  {
1106  return ret;
1107  }
1108 #endif
1109 
1110  if (options->daemon)
1111  {
1112  /* Don't chdir immediately, but the end of the init sequence, if needed */
1113 
1114 #if defined(__APPLE__) && defined(__clang__)
1115 #pragma clang diagnostic push
1116 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1117 #endif
1118  if (daemon(1, options->log) < 0)
1119  {
1120  msg(M_ERR, "daemon() failed or unsupported");
1121  }
1122 #if defined(__APPLE__) && defined(__clang__)
1123 #pragma clang diagnostic pop
1124 #endif
1125  restore_signal_state();
1126  if (options->log)
1127  {
1128  set_std_files_to_null(true);
1129  }
1130 
1131  ret = true;
1132  }
1133  return ret;
1134 }
1135 
1136 /*
1137  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1138  */
1139 static void
1140 do_uid_gid_chroot(struct context *c, bool no_delay)
1141 {
1142  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1143  struct context_0 *c0 = c->c0;
1144 
1145  if (c0 && !c0->uid_gid_chroot_set)
1146  {
1147  /* chroot if requested */
1148  if (c->options.chroot_dir)
1149  {
1150  if (no_delay)
1151  {
1152  platform_chroot(c->options.chroot_dir);
1153  }
1154  else if (c->first_time)
1155  {
1156  msg(M_INFO, "NOTE: chroot %s", why_not);
1157  }
1158  }
1159 
1160  /* set user and/or group if we want to setuid/setgid */
1161  if (c0->uid_gid_specified)
1162  {
1163  if (no_delay)
1164  {
1165  platform_group_set(&c0->platform_state_group);
1166  platform_user_set(&c0->platform_state_user);
1167  }
1168  else if (c->first_time)
1169  {
1170  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1171  }
1172  }
1173 
1174 #ifdef ENABLE_MEMSTATS
1175  if (c->first_time && c->options.memstats_fn)
1176  {
1177  mstats_open(c->options.memstats_fn);
1178  }
1179 #endif
1180 
1181 #ifdef ENABLE_SELINUX
1182  /* Apply a SELinux context in order to restrict what OpenVPN can do
1183  * to _only_ what it is supposed to do after initialization is complete
1184  * (basically just network I/O operations). Doing it after chroot
1185  * requires /proc to be mounted in the chroot (which is annoying indeed
1186  * but doing it before requires more complex SELinux policies.
1187  */
1188  if (c->options.selinux_context)
1189  {
1190  if (no_delay)
1191  {
1192  if (-1 == setcon(c->options.selinux_context))
1193  {
1194  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1195  }
1196  else
1197  {
1198  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1199  }
1200  }
1201  else if (c->first_time)
1202  {
1203  msg(M_INFO, "NOTE: setcon %s", why_not);
1204  }
1205  }
1206 #endif
1207 
1208  /* Privileges are going to be dropped by now (if requested), be sure
1209  * to prevent any future privilege dropping attempts from now on.
1210  */
1211  if (no_delay)
1212  {
1213  c0->uid_gid_chroot_set = true;
1214  }
1215  }
1216 }
1217 
1218 /*
1219  * Return common name in a way that is formatted for
1220  * prepending to msg() output.
1221  */
1222 const char *
1223 format_common_name(struct context *c, struct gc_arena *gc)
1224 {
1225  struct buffer out = alloc_buf_gc(256, gc);
1226  if (c->c2.tls_multi)
1227  {
1228  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1229  }
1230  return BSTR(&out);
1231 }
1232 
1233 void
1234 pre_setup(const struct options *options)
1235 {
1236 #ifdef _WIN32
1237  if (options->exit_event_name)
1238  {
1239  win32_signal_open(&win32_signal,
1240  WSO_FORCE_SERVICE,
1241  options->exit_event_name,
1242  options->exit_event_initial_state);
1243  }
1244  else
1245  {
1246  win32_signal_open(&win32_signal,
1247  WSO_FORCE_CONSOLE,
1248  NULL,
1249  false);
1250 
1251  /* put a title on the top window bar */
1252  if (win32_signal.mode == WSO_MODE_CONSOLE)
1253  {
1254  window_title_save(&window_title);
1255  window_title_generate(options->config);
1256  }
1257  }
1258 #endif /* ifdef _WIN32 */
1259 }
1260 
1261 void
1262 reset_coarse_timers(struct context *c)
1263 {
1264  c->c2.coarse_timer_wakeup = 0;
1265 }
1266 
1267 /*
1268  * Initialise the server poll timeout timer
1269  * This timer is used in the http/socks proxy setup so it needs to be setup
1270  * before
1271  */
1272 static void
1273 do_init_server_poll_timeout(struct context *c)
1274 {
1275  update_time();
1276  if (c->options.ce.connect_timeout)
1277  {
1278  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1279  }
1280 }
1281 
1282 /*
1283  * Initialize timers
1284  */
1285 static void
1286 do_init_timers(struct context *c, bool deferred)
1287 {
1288  update_time();
1289  reset_coarse_timers(c);
1290 
1291  /* initialize inactivity timeout */
1292  if (c->options.inactivity_timeout)
1293  {
1294  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1295  }
1296 
1297  /* initialize pings */
1298 
1299  if (c->options.ping_send_timeout)
1300  {
1301  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1302  }
1303 
1304  if (c->options.ping_rec_timeout)
1305  {
1306  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1307  }
1308 
1309  if (!deferred)
1310  {
1311  /* initialize connection establishment timer */
1312  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1313 
1314  /* initialize occ timers */
1315 
1316  if (c->options.occ
1317  && !TLS_MODE(c)
1318  && c->c2.options_string_local && c->c2.options_string_remote)
1319  {
1320  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1321  }
1322 
1323  if (c->options.mtu_test)
1324  {
1325  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1326  }
1327 
1328  /* initialize packet_id persistence timer */
1329  if (c->options.packet_id_file)
1330  {
1331  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1332  }
1333 
1334  /* initialize tmp_int optimization that limits the number of times we call
1335  * tls_multi_process in the main event loop */
1336  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1337  }
1338 }
1339 
1340 /*
1341  * Initialize traffic shaper.
1342  */
1343 static void
1344 do_init_traffic_shaper(struct context *c)
1345 {
1346  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1347  if (c->options.shaper)
1348  {
1349  shaper_init(&c->c2.shaper, c->options.shaper);
1350  shaper_msg(&c->c2.shaper);
1351  }
1352 }
1353 
1354 /*
1355  * Allocate route list structures for IPv4 and IPv6
1356  * (we do this for IPv4 even if no --route option has been seen, as other
1357  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1358  */
1359 static void
1360 do_alloc_route_list(struct context *c)
1361 {
1362  if (!c->c1.route_list)
1363  {
1364  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1365  }
1366  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1367  {
1368  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1369  }
1370 }
1371 
1372 
1373 /*
1374  * Initialize the route list, resolving any DNS names in route
1375  * options and saving routes in the environment.
1376  */
1377 static void
1378 do_init_route_list(const struct options *options,
1379  struct route_list *route_list,
1380  const struct link_socket_info *link_socket_info,
1381  struct env_set *es,
1382  openvpn_net_ctx_t *ctx)
1383 {
1384  const char *gw = NULL;
1385  int dev = dev_type_enum(options->dev, options->dev_type);
1386  int metric = 0;
1387 
1388  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1389  {
1390  gw = options->ifconfig_remote_netmask;
1391  }
1392  if (options->route_default_gateway)
1393  {
1394  gw = options->route_default_gateway;
1395  }
1396  if (options->route_default_metric)
1397  {
1398  metric = options->route_default_metric;
1399  }
1400 
1401  if (init_route_list(route_list,
1402  options->routes,
1403  gw,
1404  metric,
1405  link_socket_current_remote(link_socket_info),
1406  es,
1407  ctx))
1408  {
1409  /* copy routes to environment */
1410  setenv_routes(es, route_list);
1411  }
1412 }
1413 
1414 static void
1415 do_init_route_ipv6_list(const struct options *options,
1416  struct route_ipv6_list *route_ipv6_list,
1417  const struct link_socket_info *link_socket_info,
1418  struct env_set *es,
1419  openvpn_net_ctx_t *ctx)
1420 {
1421  const char *gw = NULL;
1422  int metric = -1; /* no metric set */
1423 
1424  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1425  if (options->route_ipv6_default_gateway)
1426  {
1427  gw = options->route_ipv6_default_gateway;
1428  }
1429 
1430  if (options->route_default_metric)
1431  {
1432  metric = options->route_default_metric;
1433  }
1434 
1435  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1436  */
1437  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1438  {
1439  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1440  int i;
1441 
1442  for (i = 0; opt_list[i]; i++)
1443  {
1444  add_route_ipv6_to_option_list( options->routes_ipv6,
1445  string_alloc(opt_list[i], options->routes_ipv6->gc),
1446  NULL, NULL );
1447  }
1448  }
1449 
1450  if (init_route_ipv6_list(route_ipv6_list,
1451  options->routes_ipv6,
1452  gw,
1453  metric,
1454  link_socket_current_remote_ipv6(link_socket_info),
1455  es,
1456  ctx))
1457  {
1458  /* copy routes to environment */
1459  setenv_routes_ipv6(es, route_ipv6_list);
1460  }
1461 }
1462 
1463 
1464 /*
1465  * Called after all initialization has been completed.
1466  */
1467 void
1468 initialization_sequence_completed(struct context *c, const unsigned int flags)
1469 {
1470  static const char message[] = "Initialization Sequence Completed";
1471 
1472  /* Reset the unsuccessful connection counter on complete initialisation */
1473  c->options.unsuccessful_attempts = 0;
1474 
1475  /* If we delayed UID/GID downgrade or chroot, do it now */
1476  do_uid_gid_chroot(c, true);
1477 
1478 
1479  /*
1480  * In some cases (i.e. when receiving auth-token via
1481  * push-reply) the auth-nocache option configured on the
1482  * client is overridden; for this reason we have to wait
1483  * for the push-reply message before attempting to wipe
1484  * the user/pass entered by the user
1485  */
1486  if (c->options.mode == MODE_POINT_TO_POINT)
1487  {
1488  ssl_clean_user_pass();
1489  }
1490 
1491  /* Test if errors */
1492  if (flags & ISC_ERRORS)
1493  {
1494 #ifdef _WIN32
1495  show_routes(M_INFO|M_NOPREFIX);
1496  show_adapters(M_INFO|M_NOPREFIX);
1497  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1498 #else
1499 #ifdef ENABLE_SYSTEMD
1500  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1501 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1502  msg(M_INFO, "%s With Errors", message);
1503 #endif
1504  }
1505  else
1506  {
1507 #ifdef ENABLE_SYSTEMD
1508  sd_notifyf(0, "STATUS=%s", message);
1509 #endif
1510  msg(M_INFO, "%s", message);
1511  }
1512 
1513  /* Flag that we initialized */
1514  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1515  {
1516  c->options.no_advance = true;
1517  }
1518 
1519 #ifdef _WIN32
1520  fork_register_dns_action(c->c1.tuntap);
1521 #endif
1522 
1523 #ifdef ENABLE_MANAGEMENT
1524  /* Tell management interface that we initialized */
1525  if (management)
1526  {
1527  in_addr_t *tun_local = NULL;
1528  struct in6_addr *tun_local6 = NULL;
1529  struct openvpn_sockaddr local, remote;
1530  struct link_socket_actual *actual;
1531  socklen_t sa_len = sizeof(local);
1532  const char *detail = "SUCCESS";
1533  if (flags & ISC_ERRORS)
1534  {
1535  detail = "ERROR";
1536  }
1537 
1538  CLEAR(local);
1539  actual = &get_link_socket_info(c)->lsa->actual;
1540  remote = actual->dest;
1541  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1542 #if ENABLE_IP_PKTINFO
1543  if (!addr_defined(&local))
1544  {
1545  switch (local.addr.sa.sa_family)
1546  {
1547  case AF_INET:
1548 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1549  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1550 #else
1551  local.addr.in4.sin_addr = actual->pi.in4;
1552 #endif
1553  break;
1554 
1555  case AF_INET6:
1556  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1557  break;
1558  }
1559  }
1560 #endif
1561 
1562  if (c->c1.tuntap)
1563  {
1564  tun_local = &c->c1.tuntap->local;
1565  tun_local6 = &c->c1.tuntap->local_ipv6;
1566  }
1567  management_set_state(management,
1568  OPENVPN_STATE_CONNECTED,
1569  detail,
1570  tun_local,
1571  tun_local6,
1572  &local,
1573  &remote);
1574  if (tun_local)
1575  {
1576  management_post_tunnel_open(management, *tun_local);
1577  }
1578  }
1579 #endif /* ifdef ENABLE_MANAGEMENT */
1580 }
1581 
1582 /*
1583  * Possibly add routes and/or call route-up script
1584  * based on options.
1585  */
1586 void
1587 do_route(const struct options *options,
1588  struct route_list *route_list,
1589  struct route_ipv6_list *route_ipv6_list,
1590  const struct tuntap *tt,
1591  const struct plugin_list *plugins,
1592  struct env_set *es,
1593  openvpn_net_ctx_t *ctx)
1594 {
1595  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1596  {
1597  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1598  es, ctx);
1599  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1600  }
1601 #ifdef ENABLE_MANAGEMENT
1602  if (management)
1603  {
1604  management_up_down(management, "UP", es);
1605  }
1606 #endif
1607 
1608  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1609  {
1610  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1611  {
1612  msg(M_WARN, "WARNING: route-up plugin call failed");
1613  }
1614  }
1615 
1616  if (options->route_script)
1617  {
1618  struct argv argv = argv_new();
1619  setenv_str(es, "script_type", "route-up");
1620  argv_parse_cmd(&argv, options->route_script);
1621  openvpn_run_script(&argv, es, 0, "--route-up");
1622  argv_free(&argv);
1623  }
1624 
1625 #ifdef _WIN32
1626  if (options->show_net_up)
1627  {
1628  show_routes(M_INFO|M_NOPREFIX);
1629  show_adapters(M_INFO|M_NOPREFIX);
1630  }
1631  else if (check_debug_level(D_SHOW_NET))
1632  {
1633  show_routes(D_SHOW_NET|M_NOPREFIX);
1634  show_adapters(D_SHOW_NET|M_NOPREFIX);
1635  }
1636 #endif
1637 }
1638 
1639 /*
1640  * initialize tun/tap device object
1641  */
1642 static void
1643 do_init_tun(struct context *c)
1644 {
1645  c->c1.tuntap = init_tun(c->options.dev,
1646  c->options.dev_type,
1647  c->options.topology,
1648  c->options.ifconfig_local,
1649  c->options.ifconfig_remote_netmask,
1650  c->options.ifconfig_ipv6_local,
1651  c->options.ifconfig_ipv6_netbits,
1652  c->options.ifconfig_ipv6_remote,
1653  c->c1.link_socket_addr.bind_local,
1654  c->c1.link_socket_addr.remote_list,
1655  !c->options.ifconfig_nowarn,
1656  c->c2.es,
1657  &c->net_ctx);
1658 
1659 #ifdef _WIN32
1660  c->c1.tuntap->windows_driver = c->options.windows_driver;
1661 #endif
1662 
1663  init_tun_post(c->c1.tuntap,
1664  &c->c2.frame,
1665  &c->options.tuntap_options);
1666 
1667  c->c1.tuntap_owned = true;
1668 }
1669 
1670 /*
1671  * Open tun/tap device, ifconfig, call up script, etc.
1672  */
1673 
1674 static bool
1675 do_open_tun(struct context *c)
1676 {
1677  struct gc_arena gc = gc_new();
1678  bool ret = false;
1679 
1680 #ifndef TARGET_ANDROID
1681  if (!c->c1.tuntap)
1682  {
1683 #endif
1684 
1685 #ifdef TARGET_ANDROID
1686  /* If we emulate persist-tun on android we still have to open a new tun and
1687  * then close the old */
1688  int oldtunfd = -1;
1689  if (c->c1.tuntap)
1690  {
1691  oldtunfd = c->c1.tuntap->fd;
1692  free(c->c1.tuntap);
1693  c->c1.tuntap = NULL;
1694  c->c1.tuntap_owned = false;
1695  }
1696 #endif
1697 
1698  /* initialize (but do not open) tun/tap object */
1699  do_init_tun(c);
1700 
1701 #ifdef _WIN32
1702  /* store (hide) interactive service handle in tuntap_options */
1703  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1704  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1705 #endif
1706 
1707  /* allocate route list structure */
1708  do_alloc_route_list(c);
1709 
1710  /* parse and resolve the route option list */
1711  ASSERT(c->c2.link_socket);
1712  if (c->options.routes && c->c1.route_list)
1713  {
1714  do_init_route_list(&c->options, c->c1.route_list,
1715  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1716  }
1717  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1718  {
1719  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1720  &c->c2.link_socket->info, c->c2.es,
1721  &c->net_ctx);
1722  }
1723 
1724  /* do ifconfig */
1725  if (!c->options.ifconfig_noexec
1726  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1727  {
1728  /* guess actual tun/tap unit number that will be returned
1729  * by open_tun */
1730  const char *guess = guess_tuntap_dev(c->options.dev,
1731  c->options.dev_type,
1732  c->options.dev_node,
1733  &gc);
1734  do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es,
1735  &c->net_ctx);
1736  }
1737 
1738  /* possibly add routes */
1739  if (route_order() == ROUTE_BEFORE_TUN)
1740  {
1741  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1742  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1743  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1744  }
1745 #ifdef TARGET_ANDROID
1746  /* Store the old fd inside the fd so open_tun can use it */
1747  c->c1.tuntap->fd = oldtunfd;
1748 #endif
1749  /* open the tun device */
1750  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1751  c->c1.tuntap);
1752 
1753  /* set the hardware address */
1754  if (c->options.lladdr)
1755  {
1756  set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr,
1757  c->c2.es);
1758  }
1759 
1760  /* do ifconfig */
1761  if (!c->options.ifconfig_noexec
1762  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1763  {
1764  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1765  c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1766  }
1767 
1768  /* run the up script */
1769  run_up_down(c->options.up_script,
1770  c->plugins,
1771  OPENVPN_PLUGIN_UP,
1772  c->c1.tuntap->actual_name,
1773 #ifdef _WIN32
1774  c->c1.tuntap->adapter_index,
1775 #endif
1776  dev_type_string(c->options.dev, c->options.dev_type),
1777  c->c2.frame.tun_mtu,
1778  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1779  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1780  "init",
1781  NULL,
1782  "up",
1783  c->c2.es);
1784 
1785 #if defined(_WIN32)
1786  if (c->options.block_outside_dns)
1787  {
1788  dmsg(D_LOW, "Blocking outside DNS");
1789  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1790  {
1791  msg(M_FATAL, "Blocking DNS failed!");
1792  }
1793  }
1794 #endif
1795 
1796  /* possibly add routes */
1797  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1798  {
1799  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1800  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1801  }
1802 
1803  ret = true;
1804  static_context = c;
1805 #ifndef TARGET_ANDROID
1806 }
1807 else
1808 {
1809  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1810  c->c1.tuntap->actual_name);
1811 
1812  /* explicitly set the ifconfig_* env vars */
1813  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1814 
1815  /* run the up script if user specified --up-restart */
1816  if (c->options.up_restart)
1817  {
1818  run_up_down(c->options.up_script,
1819  c->plugins,
1820  OPENVPN_PLUGIN_UP,
1821  c->c1.tuntap->actual_name,
1822 #ifdef _WIN32
1823  c->c1.tuntap->adapter_index,
1824 #endif
1825  dev_type_string(c->options.dev, c->options.dev_type),
1826  c->c2.frame.tun_mtu,
1827  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1828  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1829  "restart",
1830  NULL,
1831  "up",
1832  c->c2.es);
1833  }
1834 #if defined(_WIN32)
1835  if (c->options.block_outside_dns)
1836  {
1837  dmsg(D_LOW, "Blocking outside DNS");
1838  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1839  {
1840  msg(M_FATAL, "Blocking DNS failed!");
1841  }
1842  }
1843 #endif
1844 
1845 }
1846 #endif /* ifndef TARGET_ANDROID */
1847  gc_free(&gc);
1848  return ret;
1849 }
1850 
1851 /*
1852  * Close TUN/TAP device
1853  */
1854 
1855 static void
1856 do_close_tun_simple(struct context *c)
1857 {
1858  msg(D_CLOSE, "Closing TUN/TAP interface");
1859  if (c->c1.tuntap)
1860  {
1861  close_tun(c->c1.tuntap, &c->net_ctx);
1862  c->c1.tuntap = NULL;
1863  }
1864  c->c1.tuntap_owned = false;
1865  CLEAR(c->c1.pulled_options_digest_save);
1866 }
1867 
1868 static void
1869 do_close_tun(struct context *c, bool force)
1870 {
1871  struct gc_arena gc = gc_new();
1872  if (c->c1.tuntap && c->c1.tuntap_owned)
1873  {
1874  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1875 #ifdef _WIN32
1876  DWORD adapter_index = c->c1.tuntap->adapter_index;
1877 #endif
1878  const in_addr_t local = c->c1.tuntap->local;
1879  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1880 
1881  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1882  {
1883  static_context = NULL;
1884 
1885 #ifdef ENABLE_MANAGEMENT
1886  /* tell management layer we are about to close the TUN/TAP device */
1887  if (management)
1888  {
1889  management_pre_tunnel_close(management);
1890  management_up_down(management, "DOWN", c->c2.es);
1891  }
1892 #endif
1893 
1894  /* delete any routes we added */
1895  if (c->c1.route_list || c->c1.route_ipv6_list)
1896  {
1897  run_up_down(c->options.route_predown_script,
1898  c->plugins,
1899  OPENVPN_PLUGIN_ROUTE_PREDOWN,
1900  tuntap_actual,
1901 #ifdef _WIN32
1902  adapter_index,
1903 #endif
1904  NULL,
1905  c->c2.frame.tun_mtu,
1906  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1907  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1908  "init",
1909  signal_description(c->sig->signal_received,
1910  c->sig->signal_text),
1911  "route-pre-down",
1912  c->c2.es);
1913 
1914  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1915  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
1916  c->c2.es, &c->net_ctx);
1917  }
1918 
1919  /* actually close tun/tap device based on --down-pre flag */
1920  if (!c->options.down_pre)
1921  {
1922  do_close_tun_simple(c);
1923  }
1924 
1925  /* Run the down script -- note that it will run at reduced
1926  * privilege if, for example, "--user nobody" was used. */
1927  run_up_down(c->options.down_script,
1928  c->plugins,
1929  OPENVPN_PLUGIN_DOWN,
1930  tuntap_actual,
1931 #ifdef _WIN32
1932  adapter_index,
1933 #endif
1934  NULL,
1935  c->c2.frame.tun_mtu,
1936  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1937  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1938  "init",
1939  signal_description(c->sig->signal_received,
1940  c->sig->signal_text),
1941  "down",
1942  c->c2.es);
1943 
1944 #if defined(_WIN32)
1945  if (c->options.block_outside_dns)
1946  {
1947  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1948  {
1949  msg(M_FATAL, "Uninitialising WFP failed!");
1950  }
1951  }
1952 #endif
1953 
1954  /* actually close tun/tap device based on --down-pre flag */
1955  if (c->options.down_pre)
1956  {
1957  do_close_tun_simple(c);
1958  }
1959  }
1960  else
1961  {
1962  /* run the down script on this restart if --up-restart was specified */
1963  if (c->options.up_restart)
1964  {
1965  run_up_down(c->options.down_script,
1966  c->plugins,
1967  OPENVPN_PLUGIN_DOWN,
1968  tuntap_actual,
1969 #ifdef _WIN32
1970  adapter_index,
1971 #endif
1972  NULL,
1973  c->c2.frame.tun_mtu,
1974  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1975  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1976  "restart",
1977  signal_description(c->sig->signal_received,
1978  c->sig->signal_text),
1979  "down",
1980  c->c2.es);
1981  }
1982 
1983 #if defined(_WIN32)
1984  if (c->options.block_outside_dns)
1985  {
1986  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
1987  {
1988  msg(M_FATAL, "Uninitialising WFP failed!");
1989  }
1990  }
1991 #endif
1992 
1993  }
1994  }
1995  gc_free(&gc);
1996 }
1997 
1998 void
1999 tun_abort(void)
2000 {
2001  struct context *c = static_context;
2002  if (c)
2003  {
2004  static_context = NULL;
2005  do_close_tun(c, true);
2006  }
2007 }
2008 
2009 /*
2010  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2011  */
2012 
2017 static bool
2018 options_hash_changed_or_zero(const struct sha256_digest *a,
2019  const struct sha256_digest *b)
2020 {
2021  const struct sha256_digest zero = {{0}};
2022  return memcmp(a, b, sizeof(struct sha256_digest))
2023  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2024 }
2025 
2026 bool
2027 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2028 {
2029  if (!c->c2.do_up_ran)
2030  {
2031  reset_coarse_timers(c);
2032 
2033  if (pulled_options)
2034  {
2035  if (!do_deferred_options(c, option_types_found))
2036  {
2037  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2038  return false;
2039  }
2040  }
2041  else if (c->mode == MODE_POINT_TO_POINT)
2042  {
2043  if (!do_deferred_p2p_ncp(c))
2044  {
2045  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2046  return false;
2047  }
2048  }
2049 
2050  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2051  if (c->options.up_delay || PULL_DEFINED(&c->options))
2052  {
2053  c->c2.did_open_tun = do_open_tun(c);
2054  update_time();
2055 
2056  /*
2057  * Was tun interface object persisted from previous restart iteration,
2058  * and if so did pulled options string change from previous iteration?
2059  */
2060  if (!c->c2.did_open_tun
2061  && PULL_DEFINED(&c->options)
2062  && c->c1.tuntap
2063  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2064  &c->c2.pulled_options_digest))
2065  {
2066  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2067  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2068  do_close_tun(c, true);
2069  management_sleep(1);
2070  c->c2.did_open_tun = do_open_tun(c);
2071  update_time();
2072  }
2073  }
2074 
2075  if (c->c2.did_open_tun)
2076  {
2077  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2078 
2079  /* if --route-delay was specified, start timer */
2080  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2081  {
2082  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2083  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2084  if (c->c1.tuntap)
2085  {
2086  tun_standby_init(c->c1.tuntap);
2087  }
2088  }
2089  else
2090  {
2091  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2092  }
2093  }
2094  else if (c->options.mode == MODE_POINT_TO_POINT)
2095  {
2096  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2097  }
2098 
2099  c->c2.do_up_ran = true;
2100  if (c->c2.tls_multi)
2101  {
2102  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2103  }
2104  }
2105  return true;
2106 }
2107 
2108 /*
2109  * These are the option categories which will be accepted by pull.
2110  */
2111 unsigned int
2112 pull_permission_mask(const struct context *c)
2113 {
2114  unsigned int flags =
2115  OPT_P_UP
2116  | OPT_P_ROUTE_EXTRAS
2117  | OPT_P_SOCKBUF
2118  | OPT_P_SOCKFLAGS
2119  | OPT_P_SETENV
2120  | OPT_P_SHAPER
2121  | OPT_P_TIMER
2122  | OPT_P_COMP
2123  | OPT_P_PERSIST
2124  | OPT_P_MESSAGES
2125  | OPT_P_EXPLICIT_NOTIFY
2126  | OPT_P_ECHO
2127  | OPT_P_PULL_MODE
2128  | OPT_P_PEER_ID
2129  | OPT_P_NCP;
2130 
2131  if (!c->options.route_nopull)
2132  {
2133  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2134  }
2135 
2136  return flags;
2137 }
2138 
2139 static bool
2140 do_deferred_p2p_ncp(struct context *c)
2141 {
2142  if (!c->c2.tls_multi)
2143  {
2144  return true;
2145  }
2146 
2147  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2148 
2149  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2150  &c->options.gc);
2151 
2152  if (ncp_cipher)
2153  {
2154  c->options.ciphername = ncp_cipher;
2155  }
2156  else if (!c->options.enable_ncp_fallback)
2157  {
2158  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2159  "--data-ciphers-fallback not enabled. No usable "
2160  "data channel cipher");
2161  return false;
2162  }
2163 
2164  struct frame *frame_fragment = NULL;
2165 #ifdef ENABLE_FRAGMENT
2166  if (c->options.ce.fragment)
2167  {
2168  frame_fragment = &c->c2.frame_fragment;
2169  }
2170 #endif
2171 
2172  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2173  frame_fragment, get_link_socket_info(c)))
2174  {
2175  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2176  return false;
2177  }
2178  return true;
2179 }
2180 
2181 /*
2182  * Handle non-tun-related pulled options.
2183  */
2184 bool
2185 do_deferred_options(struct context *c, const unsigned int found)
2186 {
2187  if (found & OPT_P_MESSAGES)
2188  {
2189  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2190  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2191  }
2192  if (found & OPT_P_TIMER)
2193  {
2194  do_init_timers(c, true);
2195  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2196  }
2197 
2198  if (found & OPT_P_EXPLICIT_NOTIFY)
2199  {
2200  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2201  {
2202  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2203  c->options.ce.explicit_exit_notification = 0;
2204  }
2205  else
2206  {
2207  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2208  }
2209  }
2210 
2211 #ifdef USE_COMP
2212  if (found & OPT_P_COMP)
2213  {
2214  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2215  comp_uninit(c->c2.comp_context);
2216  c->c2.comp_context = comp_init(&c->options.comp);
2217  }
2218 #endif
2219 
2220  if (found & OPT_P_SHAPER)
2221  {
2222  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2223  do_init_traffic_shaper(c);
2224  }
2225 
2226  if (found & OPT_P_SOCKBUF)
2227  {
2228  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2229  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2230  }
2231 
2232  if (found & OPT_P_SOCKFLAGS)
2233  {
2234  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2235  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2236  }
2237 
2238  if (found & OPT_P_PERSIST)
2239  {
2240  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2241  }
2242  if (found & OPT_P_UP)
2243  {
2244  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2245  }
2246  if (found & OPT_P_ROUTE)
2247  {
2248  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2249  }
2250  if (found & OPT_P_ROUTE_EXTRAS)
2251  {
2252  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2253  }
2254  if (found & OPT_P_IPWIN32)
2255  {
2256  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2257  }
2258  if (found & OPT_P_SETENV)
2259  {
2260  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2261  }
2262 
2263  if (found & OPT_P_PEER_ID)
2264  {
2265  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2266  c->c2.tls_multi->use_peer_id = true;
2267  c->c2.tls_multi->peer_id = c->options.peer_id;
2268  }
2269 
2270  /* process (potentially pushed) crypto options */
2271  if (c->options.pull)
2272  {
2273  if (!check_pull_client_ncp(c, found))
2274  {
2275  return false;
2276  }
2277  struct frame *frame_fragment = NULL;
2278 #ifdef ENABLE_FRAGMENT
2279  if (c->options.ce.fragment)
2280  {
2281  frame_fragment = &c->c2.frame_fragment;
2282  }
2283 #endif
2284 
2285  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2286  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2287  frame_fragment, get_link_socket_info(c)))
2288  {
2289  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2290  return false;
2291  }
2292  }
2293 
2294  return true;
2295 }
2296 
2297 /*
2298  * Possible hold on initialization, holdtime is the
2299  * time OpenVPN would wait without management
2300  */
2301 static bool
2302 do_hold(int holdtime)
2303 {
2304 #ifdef ENABLE_MANAGEMENT
2305  if (management)
2306  {
2307  /* block until management hold is released */
2308  if (management_hold(management, holdtime))
2309  {
2310  return true;
2311  }
2312  }
2313 #endif
2314  return false;
2315 }
2316 
2317 /*
2318  * Sleep before restart.
2319  */
2320 static void
2321 socket_restart_pause(struct context *c)
2322 {
2323  int sec = 2;
2324  int backoff = 0;
2325 
2326  switch (c->options.ce.proto)
2327  {
2328  case PROTO_TCP_SERVER:
2329  sec = 1;
2330  break;
2331 
2332  case PROTO_UDP:
2333  case PROTO_TCP_CLIENT:
2334  sec = c->options.ce.connect_retry_seconds;
2335  break;
2336  }
2337 
2338 #ifdef ENABLE_DEBUG
2339  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2340  {
2341  sec = 0;
2342  }
2343 #endif
2344 
2345  if (auth_retry_get() == AR_NOINTERACT)
2346  {
2347  sec = 10;
2348  }
2349 
2350  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2351  if (c->options.ce.proto == PROTO_TCP_CLIENT
2352  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2353  {
2354  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2355  if (backoff > 0)
2356  {
2357  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2358  sec = max_int(sec, 1) << min_int(backoff, 15);
2359  }
2360 
2361  if (sec > c->options.ce.connect_retry_seconds_max)
2362  {
2363  sec = c->options.ce.connect_retry_seconds_max;
2364  }
2365  }
2366 
2367  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2368  {
2369  sec = c->persist.restart_sleep_seconds;
2370  }
2371  else if (c->persist.restart_sleep_seconds == -1)
2372  {
2373  sec = 0;
2374  }
2375  c->persist.restart_sleep_seconds = 0;
2376 
2377  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2378  if (do_hold(sec))
2379  {
2380  sec = 0;
2381  }
2382 
2383  if (sec)
2384  {
2385  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2386  management_sleep(sec);
2387  }
2388 }
2389 
2390 /*
2391  * Do a possible pause on context_2 initialization.
2392  */
2393 static void
2394 do_startup_pause(struct context *c)
2395 {
2396  if (!c->first_time)
2397  {
2398  socket_restart_pause(c);
2399  }
2400  else
2401  {
2402  do_hold(0); /* do management hold on first context initialization */
2403  }
2404 }
2405 
2406 static size_t
2407 get_frame_mtu(struct context *c, const struct options *o)
2408 {
2409  size_t mtu;
2410 
2411  if (o->ce.link_mtu_defined)
2412  {
2413  ASSERT(o->ce.link_mtu_defined);
2414  /* if we have a link mtu defined we calculate what the old code
2415  * would have come up with as tun-mtu */
2416  size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2417  o, true);
2418  mtu = o->ce.link_mtu - overhead;
2419 
2420  }
2421  else
2422  {
2423  ASSERT(o->ce.tun_mtu_defined);
2424  mtu = o->ce.tun_mtu;
2425  }
2426 
2427  if (mtu < TUN_MTU_MIN)
2428  {
2429  msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
2430  frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2431  }
2432  return mtu;
2433 }
2434 
2435 /*
2436  * Finalize MTU parameters based on command line or config file options.
2437  */
2438 static void
2439 frame_finalize_options(struct context *c, const struct options *o)
2440 {
2441  if (!o)
2442  {
2443  o = &c->options;
2444  }
2445 
2446  struct frame *frame = &c->c2.frame;
2447 
2448  frame->tun_mtu = get_frame_mtu(c, o);
2449 
2450  /* We always allow at least 1500 MTU packets to be received in our buffer
2451  * space */
2452  size_t payload_size = max_int(1500, frame->tun_mtu);
2453 
2454  /* The extra tun needs to be added to the payload size */
2455  if (o->ce.tun_mtu_defined)
2456  {
2457  payload_size += o->ce.tun_mtu_extra;
2458  }
2459 
2460  /* Add 100 byte of extra space in the buffer to account for slightly
2461  * mismatched MUTs between peers */
2462  payload_size += 100;
2463 
2464 
2465  /* the space that is reserved before the payload to add extra headers to it
2466  * we always reserve the space for the worst case */
2467  size_t headroom = 0;
2468 
2469  /* includes IV and packet ID */
2470  headroom += crypto_max_overhead();
2471 
2472  /* peer id + opcode */
2473  headroom += 4;
2474 
2475  /* socks proxy header */
2476  headroom += 10;
2477 
2478  /* compression header and fragment header (part of the encrypted payload) */
2479  headroom += 1 + 1;
2480 
2481  /* Round up headroom to the next multiple of 4 to ensure alignment */
2482  headroom = (headroom + 3) & ~3;
2483 
2484  /* Add the headroom to the payloadsize as a received (IP) packet can have
2485  * all the extra headers in it */
2486  payload_size += headroom;
2487 
2488  /* the space after the payload, this needs some extra buffer space for
2489  * encryption so headroom is probably too much but we do not really care
2490  * the few extra bytes */
2491  size_t tailroom = headroom;
2492 
2493 #ifdef USE_COMP
2494  msg(D_MTU_DEBUG, "MTU: adding %lu buffer tailroom for compression for %lu "
2495  "bytes of payload",
2496  COMP_EXTRA_BUFFER(payload_size), payload_size);
2497  tailroom += COMP_EXTRA_BUFFER(payload_size);
2498 #endif
2499 
2500  frame->buf.payload_size = payload_size;
2501  frame->buf.headroom = headroom;
2502  frame->buf.tailroom = tailroom;
2503 }
2504 
2505 /*
2506  * Free a key schedule, including OpenSSL components.
2507  */
2508 static void
2509 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2510 {
2511  free_key_ctx_bi(&ks->static_key);
2512  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2513  {
2514  tls_ctx_free(&ks->ssl_ctx);
2515  free_key_ctx(&ks->auth_token_key);
2516  }
2517  CLEAR(*ks);
2518 }
2519 
2520 static void
2521 init_crypto_pre(struct context *c, const unsigned int flags)
2522 {
2523  if (c->options.engine)
2524  {
2525  crypto_init_lib_engine(c->options.engine);
2526  }
2527 
2528  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2529  {
2530  /* load a persisted packet-id for cross-session replay-protection */
2531  if (c->options.packet_id_file)
2532  {
2533  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2534  }
2535  }
2536 
2537 #ifdef ENABLE_PREDICTION_RESISTANCE
2538  if (c->options.use_prediction_resistance)
2539  {
2540  rand_ctx_enable_prediction_resistance();
2541  }
2542 #endif
2543 }
2544 
2545 /*
2546  * Static Key Mode (using a pre-shared key)
2547  */
2548 static void
2549 do_init_crypto_static(struct context *c, const unsigned int flags)
2550 {
2551  const struct options *options = &c->options;
2552  ASSERT(options->shared_secret_file);
2553 
2554  init_crypto_pre(c, flags);
2555 
2556  /* Initialize flags */
2557  if (c->options.mute_replay_warnings)
2558  {
2559  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2560  }
2561 
2562  /* Initialize packet ID tracking */
2563  if (options->replay)
2564  {
2565  packet_id_init(&c->c2.crypto_options.packet_id,
2566  options->replay_window,
2567  options->replay_time,
2568  "STATIC", 0);
2569  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2570  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2571  packet_id_persist_load_obj(&c->c1.pid_persist,
2572  &c->c2.crypto_options.packet_id);
2573  }
2574 
2575  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2576  {
2577  /* Get cipher & hash algorithms */
2578  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2579  options->test_crypto, true);
2580 
2581  /* Read cipher and hmac keys from shared secret file */
2582  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2583  options->shared_secret_file,
2584  options->shared_secret_file_inline,
2585  options->key_direction, "Static Key Encryption",
2586  "secret");
2587  }
2588  else
2589  {
2590  msg(M_INFO, "Re-using pre-shared static key");
2591  }
2592 
2593  /* Get key schedule */
2594  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2595 
2596  /* Sanity check on sequence number, and cipher mode options */
2597  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2598 }
2599 
2600 /*
2601  * Initialize the tls-auth/crypt key context
2602  */
2603 static void
2604 do_init_tls_wrap_key(struct context *c)
2605 {
2606  const struct options *options = &c->options;
2607 
2608  /* TLS handshake authentication (--tls-auth) */
2609  if (options->ce.tls_auth_file)
2610  {
2611  /* Initialize key_type for tls-auth with auth only */
2612  CLEAR(c->c1.ks.tls_auth_key_type);
2613  c->c1.ks.tls_auth_key_type.cipher = "none";
2614  c->c1.ks.tls_auth_key_type.digest = options->authname;
2615  if (!md_valid(options->authname))
2616  {
2617  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2618  "algorithm specified ('%s')", options->authname);
2619  }
2620 
2621  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2622  &c->c1.ks.tls_wrap_key,
2623  options->ce.tls_auth_file,
2624  options->ce.tls_auth_file_inline,
2625  options->ce.key_direction,
2626  "Control Channel Authentication", "tls-auth");
2627  }
2628 
2629  /* TLS handshake encryption+authentication (--tls-crypt) */
2630  if (options->ce.tls_crypt_file)
2631  {
2632  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2633  options->ce.tls_crypt_file,
2634  options->ce.tls_crypt_file_inline,
2635  options->tls_server);
2636  }
2637 
2638  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2639  if (options->ce.tls_crypt_v2_file)
2640  {
2641  if (options->tls_server)
2642  {
2643  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2644  true, options->ce.tls_crypt_v2_file,
2645  options->ce.tls_crypt_v2_file_inline);
2646  }
2647  else
2648  {
2649  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2650  &c->c1.ks.tls_crypt_v2_wkc,
2651  options->ce.tls_crypt_v2_file,
2652  options->ce.tls_crypt_v2_file_inline);
2653  }
2654  }
2655 
2656 
2657 }
2658 
2659 /*
2660  * Initialize the persistent component of OpenVPN's TLS mode,
2661  * which is preserved across SIGUSR1 resets.
2662  */
2663 static void
2664 do_init_crypto_tls_c1(struct context *c)
2665 {
2666  const struct options *options = &c->options;
2667 
2668  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2669  {
2670  /*
2671  * Initialize the OpenSSL library's global
2672  * SSL context.
2673  */
2674  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2675  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2676  {
2677  switch (auth_retry_get())
2678  {
2679  case AR_NONE:
2680  msg(M_FATAL, "Error: private key password verification failed");
2681  break;
2682 
2683  case AR_INTERACT:
2684  ssl_purge_auth(false);
2685 
2686  case AR_NOINTERACT:
2687  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2688  break;
2689 
2690  default:
2691  ASSERT(0);
2692  }
2693  c->sig->signal_text = "private-key-password-failure";
2694  return;
2695  }
2696 
2697  /*
2698  * BF-CBC is allowed to be used only when explicitly configured
2699  * as NCP-fallback or when NCP has been disabled or explicitly
2700  * allowed in the in ncp_ciphers list.
2701  * In all other cases do not attempt to initialize BF-CBC as it
2702  * may not even be supported by the underlying SSL library.
2703  *
2704  * Therefore, the key structure has to be initialized when:
2705  * - any non-BF-CBC cipher was selected; or
2706  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2707  * (BF-CBC will be the fallback).
2708  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2709  * If the negotiated cipher and options->ciphername are the
2710  * same we do not reinit the cipher
2711  *
2712  * Note that BF-CBC will still be part of the OCC string to retain
2713  * backwards compatibility with older clients.
2714  */
2715  const char *ciphername = options->ciphername;
2716  if (streq(options->ciphername, "BF-CBC")
2717  && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2718  && !options->enable_ncp_fallback)
2719  {
2720  ciphername = "none";
2721  }
2722 
2723  /* Do not warn if the cipher is used only in OCC */
2724  bool warn = options->enable_ncp_fallback;
2725  init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
2726  true, warn);
2727 
2728  /* initialize tls-auth/crypt/crypt-v2 key */
2729  do_init_tls_wrap_key(c);
2730 
2731  /* initialise auth-token crypto support */
2732  if (c->options.auth_token_generate)
2733  {
2734  auth_token_init_secret(&c->c1.ks.auth_token_key,
2735  c->options.auth_token_secret_file,
2736  c->options.auth_token_secret_file_inline);
2737  }
2738 
2739 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2740  if (options->priv_key_file_inline)
2741  {
2742  string_clear(c->options.priv_key_file_inline);
2743  c->options.priv_key_file_inline = NULL;
2744  }
2745 #endif
2746  }
2747  else
2748  {
2749  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2750 
2751  /*
2752  * tls-auth/crypt key can be configured per connection block, therefore
2753  * we must reload it as it may have changed
2754  */
2755  do_init_tls_wrap_key(c);
2756  }
2757 }
2758 
2759 static void
2760 do_init_crypto_tls(struct context *c, const unsigned int flags)
2761 {
2762  const struct options *options = &c->options;
2763  struct tls_options to;
2764  bool packet_id_long_form;
2765 
2766  ASSERT(options->tls_server || options->tls_client);
2767  ASSERT(!options->test_crypto);
2768 
2769  init_crypto_pre(c, flags);
2770 
2771  /* Make sure we are either a TLS client or server but not both */
2772  ASSERT(options->tls_server == !options->tls_client);
2773 
2774  /* initialize persistent component */
2775  do_init_crypto_tls_c1(c);
2776  if (IS_SIG(c))
2777  {
2778  return;
2779  }
2780 
2781  /* Sanity check on sequence number, and cipher mode options */
2782  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2783 
2784  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2785  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2786 
2787  /* Set all command-line TLS-related options */
2788  CLEAR(to);
2789 
2790  if (options->mute_replay_warnings)
2791  {
2792  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2793  }
2794 
2795  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2796  if (packet_id_long_form)
2797  {
2798  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2799  }
2800 
2801  to.ssl_ctx = c->c1.ks.ssl_ctx;
2802  to.key_type = c->c1.ks.key_type;
2803  to.server = options->tls_server;
2804  to.replay = options->replay;
2805  to.replay_window = options->replay_window;
2806  to.replay_time = options->replay_time;
2807  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2808  to.config_ciphername = c->options.ciphername;
2809  to.config_ncp_ciphers = c->options.ncp_ciphers;
2810  to.transition_window = options->transition_window;
2811  to.handshake_window = options->handshake_window;
2812  to.packet_timeout = options->tls_timeout;
2813  to.renegotiate_bytes = options->renegotiate_bytes;
2814  to.renegotiate_packets = options->renegotiate_packets;
2815  if (options->renegotiate_seconds_min < 0)
2816  {
2817  /* Add 10% jitter to reneg-sec by default (server side only) */
2818  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2819  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2820  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2821  }
2822  else
2823  {
2824  /* Add user-specified jitter to reneg-sec */
2825  to.renegotiate_seconds = options->renegotiate_seconds
2826  -(get_random() % max_int(options->renegotiate_seconds
2827  - options->renegotiate_seconds_min, 1));
2828  }
2829  to.single_session = options->single_session;
2830  to.mode = options->mode;
2831  to.pull = options->pull;
2832  if (options->push_peer_info) /* all there is */
2833  {
2834  to.push_peer_info_detail = 3;
2835  }
2836  else if (options->pull) /* pull clients send some details */
2837  {
2838  to.push_peer_info_detail = 2;
2839  }
2840  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
2841  {
2842  to.push_peer_info_detail = 0;
2843  }
2844  else /* default: minimal info to allow NCP in P2P mode */
2845  {
2846  to.push_peer_info_detail = 1;
2847  }
2848 
2849 
2850  /* should we not xmit any packets until we get an initial
2851  * response from client? */
2852  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2853  {
2854  to.xmit_hold = true;
2855  }
2856 
2857  to.disable_occ = !options->occ;
2858 
2859  to.verify_command = options->tls_verify;
2860  to.verify_export_cert = options->tls_export_cert;
2861  to.verify_x509_type = (options->verify_x509_type & 0xff);
2862  to.verify_x509_name = options->verify_x509_name;
2863  to.crl_file = options->crl_file;
2864  to.crl_file_inline = options->crl_file_inline;
2865  to.ssl_flags = options->ssl_flags;
2866  to.ns_cert_type = options->ns_cert_type;
2867  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2868  to.remote_cert_eku = options->remote_cert_eku;
2869  to.verify_hash = options->verify_hash;
2870  to.verify_hash_algo = options->verify_hash_algo;
2871  to.verify_hash_depth = options->verify_hash_depth;
2872  to.verify_hash_no_ca = options->verify_hash_no_ca;
2873 #ifdef ENABLE_X509ALTUSERNAME
2874  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2875 #else
2876  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2877 #endif
2878  to.es = c->c2.es;
2879  to.net_ctx = &c->net_ctx;
2880 
2881 #ifdef ENABLE_DEBUG
2882  to.gremlin = c->options.gremlin;
2883 #endif
2884 
2885  to.plugins = c->plugins;
2886 
2887 #ifdef ENABLE_MANAGEMENT
2888  to.mda_context = &c->c2.mda_context;
2889 #endif
2890 
2891  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2892  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2893  to.tmp_dir = options->tmp_dir;
2894  if (options->ccd_exclusive)
2895  {
2896  to.client_config_dir_exclusive = options->client_config_dir;
2897  }
2898  to.auth_user_pass_file = options->auth_user_pass_file;
2899  to.auth_token_generate = options->auth_token_generate;
2900  to.auth_token_lifetime = options->auth_token_lifetime;
2901  to.auth_token_call_auth = options->auth_token_call_auth;
2902  to.auth_token_key = c->c1.ks.auth_token_key;
2903 
2904  to.x509_track = options->x509_track;
2905 
2906 #ifdef ENABLE_MANAGEMENT
2907  to.sci = &options->sc_info;
2908 #endif
2909 
2910 #ifdef USE_COMP
2911  to.comp_options = options->comp;
2912 #endif
2913 
2914 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2915  if (options->keying_material_exporter_label)
2916  {
2917  to.ekm_size = options->keying_material_exporter_length;
2918  if (to.ekm_size < 16 || to.ekm_size > 4095)
2919  {
2920  to.ekm_size = 0;
2921  }
2922 
2923  to.ekm_label = options->keying_material_exporter_label;
2924  to.ekm_label_size = strlen(to.ekm_label);
2925  }
2926  else
2927  {
2928  to.ekm_size = 0;
2929  }
2930 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2931 
2932  /* TLS handshake authentication (--tls-auth) */
2933  if (options->ce.tls_auth_file)
2934  {
2935  to.tls_wrap.mode = TLS_WRAP_AUTH;
2936  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2937  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2938  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2939  }
2940 
2941  /* TLS handshake encryption (--tls-crypt) */
2942  if (options->ce.tls_crypt_file
2943  || (options->ce.tls_crypt_v2_file && options->tls_client))
2944  {
2945  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2946  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2947  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2948  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2949 
2950  if (options->ce.tls_crypt_v2_file)
2951  {
2952  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2953  }
2954  }
2955 
2956  if (options->ce.tls_crypt_v2_file)
2957  {
2958  to.tls_crypt_v2 = true;
2959  if (options->tls_server)
2960  {
2961  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
2962  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
2963  if (options->ce.tls_crypt_v2_force_cookie)
2964  {
2965  to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
2966  }
2967  }
2968  }
2969 
2970  /*
2971  * Initialize OpenVPN's master TLS-mode object.
2972  */
2973  if (flags & CF_INIT_TLS_MULTI)
2974  {
2975  c->c2.tls_multi = tls_multi_init(&to);
2976  }
2977 
2978  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2979  {
2980  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2981  c->c2.session_id_hmac = session_id_hmac_init();
2982  }
2983 }
2984 
2985 static void
2986 do_init_frame_tls(struct context *c)
2987 {
2988  if (c->c2.tls_multi)
2989  {
2990  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2991  ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
2992  c->c2.frame.buf.payload_size);
2993  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2994  "Control Channel MTU parms");
2995  }
2996  if (c->c2.tls_auth_standalone)
2997  {
2998  tls_init_control_channel_frame_parameters(&c->c2.frame, &c->c2.tls_auth_standalone->frame);
2999  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3000  "TLS-Auth MTU parms");
3001  c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
3002  }
3003 }
3004 
3005 /*
3006  * No encryption or authentication.
3007  */
3008 static void
3009 do_init_crypto_none(struct context *c)
3010 {
3011  ASSERT(!c->options.test_crypto);
3012 
3013  /* Initialise key_type with auth/cipher "none", so the key_type struct is
3014  * valid */
3015  init_key_type(&c->c1.ks.key_type, "none", "none",
3016  c->options.test_crypto, true);
3017 
3018  msg(M_WARN,
3019  "******* WARNING *******: All encryption and authentication features "
3020  "disabled -- All data will be tunnelled as clear text and will not be "
3021  "protected against man-in-the-middle changes. "
3022  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3023 }
3024 
3025 static void
3026 do_init_crypto(struct context *c, const unsigned int flags)
3027 {
3028  if (c->options.shared_secret_file)
3029  {
3030  do_init_crypto_static(c, flags);
3031  }
3032  else if (c->options.tls_server || c->options.tls_client)
3033  {
3034  do_init_crypto_tls(c, flags);
3035  }
3036  else /* no encryption or authentication. */
3037  {
3038  do_init_crypto_none(c);
3039  }
3040 }
3041 
3042 static void
3043 do_init_frame(struct context *c)
3044 {
3045  /*
3046  * Adjust frame size based on the --tun-mtu-extra parameter.
3047  */
3048  if (c->options.ce.tun_mtu_extra_defined)
3049  {
3050  frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra);
3051  }
3052 
3053  /*
3054  * Fill in the blanks in the frame parameters structure,
3055  * make sure values are rational, etc.
3056  */
3057  frame_finalize_options(c, NULL);
3058 
3059 #ifdef ENABLE_FRAGMENT
3060  /*
3061  * Set frame parameter for fragment code. This is necessary because
3062  * the fragmentation code deals with payloads which have already been
3063  * passed through the compression code.
3064  */
3065  c->c2.frame_fragment = c->c2.frame;
3066  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3067 #endif
3068 
3069 #if defined(ENABLE_FRAGMENT)
3070  /*
3071  * MTU advisories
3072  */
3073  if (c->options.ce.fragment && c->options.mtu_test)
3074  {
3075  msg(M_WARN,
3076  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3077  }
3078 #endif
3079 
3080 #ifdef ENABLE_FRAGMENT
3081  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
3082  {
3083  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3084  "set --fragment (%d) larger or equal than --mssfix (%d)",
3085  c->options.ce.fragment, c->options.ce.mssfix);
3086  }
3087  if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3088  && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3089  {
3090  msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
3091  "use the \"mtu\" flag for both or none of of them.");
3092  }
3093 #endif
3094 }
3095 
3096 static void
3097 do_option_warnings(struct context *c)
3098 {
3099  const struct options *o = &c->options;
3100 
3101  if (o->ping_send_timeout && !o->ping_rec_timeout)
3102  {
3103  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3104  }
3105 
3106  if (o->username || o->groupname || o->chroot_dir
3107 #ifdef ENABLE_SELINUX
3108  || o->selinux_context
3109 #endif
3110  )
3111  {
3112  if (!o->persist_tun)
3113  {
3114  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3115  }
3116  if (!o->persist_key
3117 #ifdef ENABLE_PKCS11
3118  && !o->pkcs11_id
3119 #endif
3120  )
3121  {
3122  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3123  }
3124  }
3125 
3126  if (o->chroot_dir && !(o->username && o->groupname))
3127  {
3128  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3129  }
3130 
3131  if (o->pull && o->ifconfig_local && c->first_time)
3132  {
3133  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3134  }
3135 
3136  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3137  {
3138  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3139  }
3140 
3141  if (o->mode == MODE_SERVER)
3142  {
3143  if (o->duplicate_cn && o->client_config_dir)
3144  {
3145  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3146  }
3147  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3148  {
3149  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3150  }
3151  if (!o->keepalive_ping || !o->keepalive_timeout)
3152  {
3153  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3154  }
3155  }
3156 
3157  if (!o->replay)
3158  {
3159  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3160  }
3161 
3162  if (o->tls_server)
3163  {
3164  warn_on_use_of_common_subnets(&c->net_ctx);
3165  }
3166  if (o->tls_client
3167  && !o->tls_verify
3168  && o->verify_x509_type == VERIFY_X509_NONE
3169  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3170  && !o->remote_cert_eku)
3171  {
3172  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3173  }
3174  if (o->ns_cert_type)
3175  {
3176  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3177  }
3178 
3179  /* If a script is used, print appropriate warnings */
3180  if (o->user_script_used)
3181  {
3182  if (script_security() >= SSEC_SCRIPTS)
3183  {
3184  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3185  }
3186  else if (script_security() >= SSEC_PW_ENV)
3187  {
3188  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3189  }
3190  else
3191  {
3192  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3193  }
3194  }
3195 }
3196 
3197 struct context_buffers *
3198 init_context_buffers(const struct frame *frame)
3199 {
3200  struct context_buffers *b;
3201 
3202  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3203 
3204  size_t buf_size = BUF_SIZE(frame);
3205 
3206  b->read_link_buf = alloc_buf(buf_size);
3207  b->read_tun_buf = alloc_buf(buf_size);
3208 
3209  b->aux_buf = alloc_buf(buf_size);
3210 
3211  b->encrypt_buf = alloc_buf(buf_size);
3212  b->decrypt_buf = alloc_buf(buf_size);
3213 
3214 #ifdef USE_COMP
3215  b->compress_buf = alloc_buf(buf_size);
3216  b->decompress_buf = alloc_buf(buf_size);
3217 #endif
3218 
3219  return b;
3220 }
3221 
3222 void
3223 free_context_buffers(struct context_buffers *b)
3224 {
3225  if (b)
3226  {
3227  free_buf(&b->read_link_buf);
3228  free_buf(&b->read_tun_buf);
3229  free_buf(&b->aux_buf);
3230 
3231 #ifdef USE_COMP
3232  free_buf(&b->compress_buf);
3233  free_buf(&b->decompress_buf);
3234 #endif
3235 
3236  free_buf(&b->encrypt_buf);
3237  free_buf(&b->decrypt_buf);
3238 
3239  free(b);
3240  }
3241 }
3242 
3243 /*
3244  * Now that we know all frame parameters, initialize
3245  * our buffers.
3246  */
3247 static void
3248 do_init_buffers(struct context *c)
3249 {
3250  c->c2.buffers = init_context_buffers(&c->c2.frame);
3251  c->c2.buffers_owned = true;
3252 }
3253 
3254 #ifdef ENABLE_FRAGMENT
3255 /*
3256  * Fragmenting code has buffers to initialize
3257  * once frame parameters are known.
3258  */
3259 static void
3260 do_init_fragment(struct context *c)
3261 {
3262  ASSERT(c->options.ce.fragment);
3263  frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3264  &c->options, get_link_socket_info(c));
3265  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3266 }
3267 #endif
3268 
3269 /*
3270  * Allocate our socket object.
3271  */
3272 static void
3273 do_link_socket_new(struct context *c)
3274 {
3275  ASSERT(!c->c2.link_socket);
3276  c->c2.link_socket = link_socket_new();
3277  c->c2.link_socket_owned = true;
3278 }
3279 
3280 /*
3281  * Print MTU INFO
3282  */
3283 static void
3284 do_print_data_channel_mtu_parms(struct context *c)
3285 {
3286  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3287 #ifdef ENABLE_FRAGMENT
3288  if (c->c2.fragment)
3289  {
3290  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3291  "Fragmentation MTU parms");
3292  }
3293 #endif
3294 }
3295 
3296 /*
3297  * Get local and remote options compatibility strings.
3298  */
3299 static void
3300 do_compute_occ_strings(struct context *c)
3301 {
3302  struct gc_arena gc = gc_new();
3303 
3304  c->c2.options_string_local =
3305  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3306  false, &gc);
3307  c->c2.options_string_remote =
3308  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3309  true, &gc);
3310 
3311  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3312  options_string_version(c->c2.options_string_local, &gc),
3313  c->c2.options_string_local);
3314  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3315  options_string_version(c->c2.options_string_remote, &gc),
3316  c->c2.options_string_remote);
3317 
3318  if (c->c2.tls_multi)
3319  {
3320  tls_multi_init_set_options(c->c2.tls_multi,
3321  c->c2.options_string_local,
3322  c->c2.options_string_remote);
3323  }
3324 
3325  gc_free(&gc);
3326 }
3327 
3328 /*
3329  * These things can only be executed once per program instantiation.
3330  * Set up for possible UID/GID downgrade, but don't do it yet.
3331  * Daemonize if requested.
3332  */
3333 static void
3334 do_init_first_time(struct context *c)
3335 {
3336  if (c->first_time && !c->c0)
3337  {
3338  struct context_0 *c0;
3339 
3340  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3341  c0 = c->c0;
3342 
3343  /* get user and/or group that we want to setuid/setgid to */
3344  c0->uid_gid_specified =
3345  platform_group_get(c->options.groupname, &c0->platform_state_group)
3346  |platform_user_get(c->options.username, &c0->platform_state_user);
3347 
3348  /* perform postponed chdir if --daemon */
3349  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3350  {
3351  platform_chdir("/");
3352  }
3353 
3354  /* should we change scheduling priority? */
3355  platform_nice(c->options.nice);
3356  }
3357 }
3358 
3359 /*
3360  * free buffers
3361  */
3362 static void
3363 do_close_free_buf(struct context *c)
3364 {
3365  if (c->c2.buffers_owned)
3366  {
3367  free_context_buffers(c->c2.buffers);
3368  c->c2.buffers = NULL;
3369  c->c2.buffers_owned = false;
3370  }
3371 }
3372 
3373 /*
3374  * close TLS
3375  */
3376 static void
3377 do_close_tls(struct context *c)
3378 {
3379  if (c->c2.tls_multi)
3380  {
3381  tls_multi_free(c->c2.tls_multi, true);
3382  c->c2.tls_multi = NULL;
3383  }
3384 
3385  /* free options compatibility strings */
3386  free(c->c2.options_string_local);
3387  free(c->c2.options_string_remote);
3388 
3389  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3390 
3391  if (c->c2.pulled_options_state)
3392  {
3393  md_ctx_cleanup(c->c2.pulled_options_state);
3394  md_ctx_free(c->c2.pulled_options_state);
3395  }
3396 }
3397 
3398 /*
3399  * Free key schedules
3400  */
3401 static void
3402 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3403 {
3404  /*
3405  * always free the tls_auth/crypt key. If persist_key is true, the key will
3406  * be reloaded from memory (pre-cached)
3407  */
3408  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3409  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3410  CLEAR(c->c1.ks.tls_wrap_key);
3411  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3412  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3413 
3414  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3415  {
3416  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3417  }
3418 }
3419 
3420 /*
3421  * Close TCP/UDP connection
3422  */
3423 static void
3424 do_close_link_socket(struct context *c)
3425 {
3426  if (c->c2.link_socket && c->c2.link_socket_owned)
3427  {
3428  link_socket_close(c->c2.link_socket);
3429  c->c2.link_socket = NULL;
3430  }
3431 
3432 
3433  /* Preserve the resolved list of remote if the user request to or if we want
3434  * reconnect to the same host again or there are still addresses that need
3435  * to be tried */
3436  if (!(c->sig->signal_received == SIGUSR1
3437  && ( (c->options.persist_remote_ip)
3438  ||
3439  ( c->sig->source != SIG_SOURCE_HARD
3440  && ((c->c1.link_socket_addr.current_remote
3441  && c->c1.link_socket_addr.current_remote->ai_next)
3442  || c->options.no_advance))
3443  )))
3444  {
3445  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3446  }
3447 
3448  /* Clear the remote actual address when persist_remote_ip is not in use */
3449  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3450  {
3451  CLEAR(c->c1.link_socket_addr.actual);
3452  }
3453 
3454  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3455  {
3456  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3457  {
3458  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3459  }
3460 
3461  c->c1.link_socket_addr.bind_local = NULL;
3462  }
3463 }
3464 
3465 /*
3466  * Close packet-id persistence file
3467  */
3468 static void
3469 do_close_packet_id(struct context *c)
3470 {
3471  packet_id_free(&c->c2.crypto_options.packet_id);
3472  packet_id_persist_save(&c->c1.pid_persist);
3473  if (!(c->sig->signal_received == SIGUSR1))
3474  {
3475  packet_id_persist_close(&c->c1.pid_persist);
3476  }
3477 }
3478 
3479 #ifdef ENABLE_FRAGMENT
3480 /*
3481  * Close fragmentation handler.
3482  */
3483 static void
3484 do_close_fragment(struct context *c)
3485 {
3486  if (c->c2.fragment)
3487  {
3488  fragment_free(c->c2.fragment);
3489  c->c2.fragment = NULL;
3490  }
3491 }
3492 #endif
3493 
3494 /*
3495  * Open and close our event objects.
3496  */
3497 
3498 static void
3499 do_event_set_init(struct context *c,
3500  bool need_us_timeout)
3501 {
3502  unsigned int flags = 0;
3503 
3504  c->c2.event_set_max = BASE_N_EVENTS;
3505 
3506  flags |= EVENT_METHOD_FAST;
3507 
3508  if (need_us_timeout)
3509  {
3510  flags |= EVENT_METHOD_US_TIMEOUT;
3511  }
3512 
3513  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3514  c->c2.event_set_owned = true;
3515 }
3516 
3517 static void
3518 do_close_event_set(struct context *c)
3519 {
3520  if (c->c2.event_set && c->c2.event_set_owned)
3521  {
3522  event_free(c->c2.event_set);
3523  c->c2.event_set = NULL;
3524  c->c2.event_set_owned = false;
3525  }
3526 }
3527 
3528 /*
3529  * Open and close --status file
3530  */
3531 
3532 static void
3533 do_open_status_output(struct context *c)
3534 {
3535  if (!c->c1.status_output)
3536  {
3537  c->c1.status_output = status_open(c->options.status_file,
3538  c->options.status_file_update_freq,
3539  -1,
3540  NULL,
3541  STATUS_OUTPUT_WRITE);
3542  c->c1.status_output_owned = true;
3543  }
3544 }
3545 
3546 static void
3547 do_close_status_output(struct context *c)
3548 {
3549  if (!(c->sig->signal_received == SIGUSR1))
3550  {
3551  if (c->c1.status_output_owned && c->c1.status_output)
3552  {
3553  status_close(c->c1.status_output);
3554  c->c1.status_output = NULL;
3555  c->c1.status_output_owned = false;
3556  }
3557  }
3558 }
3559 
3560 /*
3561  * Handle ifconfig-pool persistence object.
3562  */
3563 static void
3564 do_open_ifconfig_pool_persist(struct context *c)
3565 {
3566  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3567  {
3568  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3569  c->options.ifconfig_pool_persist_refresh_freq);
3570  c->c1.ifconfig_pool_persist_owned = true;
3571  }
3572 }
3573 
3574 static void
3575 do_close_ifconfig_pool_persist(struct context *c)
3576 {
3577  if (!(c->sig->signal_received == SIGUSR1))
3578  {
3579  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3580  {
3581  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3582  c->c1.ifconfig_pool_persist = NULL;
3583  c->c1.ifconfig_pool_persist_owned = false;
3584  }
3585  }
3586 }
3587 
3588 /*
3589  * Inherit environmental variables
3590  */
3591 
3592 static void
3593 do_inherit_env(struct context *c, const struct env_set *src)
3594 {
3595  c->c2.es = env_set_create(NULL);
3596  c->c2.es_owned = true;
3597  env_set_inherit(c->c2.es, src);
3598 }
3599 
3600 static void
3601 do_env_set_destroy(struct context *c)
3602 {
3603  if (c->c2.es && c->c2.es_owned)
3604  {
3605  env_set_destroy(c->c2.es);
3606  c->c2.es = NULL;
3607  c->c2.es_owned = false;
3608  }
3609 }
3610 
3611 /*
3612  * Fast I/O setup. Fast I/O is an optimization which only works
3613  * if all of the following are true:
3614  *
3615  * (1) The platform is not Windows
3616  * (2) --proto udp is enabled
3617  * (3) --shaper is disabled
3618  */
3619 static void
3620 do_setup_fast_io(struct context *c)
3621 {
3622  if (c->options.fast_io)
3623  {
3624 #ifdef _WIN32
3625  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3626 #else
3627  if (!proto_is_udp(c->options.ce.proto))
3628  {
3629  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3630  }
3631  else
3632  {
3633  if (c->options.shaper)
3634  {
3635  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3636  }
3637  else
3638  {
3639  c->c2.fast_io = true;
3640  }
3641  }
3642 #endif
3643  }
3644 }
3645 
3646 static void
3647 do_signal_on_tls_errors(struct context *c)
3648 {
3649  if (c->options.tls_exit)
3650  {
3651  c->c2.tls_exit_signal = SIGTERM;
3652  }
3653  else
3654  {
3655  c->c2.tls_exit_signal = SIGUSR1;
3656  }
3657 }
3658 
3659 #ifdef ENABLE_PLUGIN
3660 
3661 void
3662 init_plugins(struct context *c)
3663 {
3664  if (c->options.plugin_list && !c->plugins)
3665  {
3666  c->plugins = plugin_list_init(c->options.plugin_list);
3667  c->plugins_owned = true;
3668  }
3669 }
3670 
3671 void
3672 open_plugins(struct context *c, const bool import_options, int init_point)
3673 {
3674  if (c->plugins && c->plugins_owned)
3675  {
3676  if (import_options)
3677  {
3678  struct plugin_return pr, config;
3679  plugin_return_init(&pr);
3680  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3681  plugin_return_get_column(&pr, &config, "config");
3682  if (plugin_return_defined(&config))
3683  {
3684  int i;
3685  for (i = 0; i < config.n; ++i)
3686  {
3687  unsigned int option_types_found = 0;
3688  if (config.list[i] && config.list[i]->value)
3689  {
3690  options_string_import(&c->options,
3691  config.list[i]->value,
3692  D_IMPORT_ERRORS|M_OPTERR,
3693  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3694  &option_types_found,
3695  c->es);
3696  }
3697  }
3698  }
3699  plugin_return_free(&pr);
3700  }
3701  else
3702  {
3703  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3704  }
3705  }
3706 }
3707 
3708 static void
3709 do_close_plugins(struct context *c)
3710 {
3711  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3712  {
3713  plugin_list_close(c->plugins);
3714  c->plugins = NULL;
3715  c->plugins_owned = false;
3716  }
3717 }
3718 
3719 static void
3720 do_inherit_plugins(struct context *c, const struct context *src)
3721 {
3722  if (!c->plugins && src->plugins)
3723  {
3724  c->plugins = plugin_list_inherit(src->plugins);
3725  c->plugins_owned = true;
3726  }
3727 }
3728 
3729 #endif /* ifdef ENABLE_PLUGIN */
3730 
3731 #ifdef ENABLE_MANAGEMENT
3732 
3733 static void
3734 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3735 {
3736  struct context *c = (struct context *) arg;
3737  print_status(c, so);
3738 }
3739 
3740 void
3741 management_show_net_callback(void *arg, const int msglevel)
3742 {
3743 #ifdef _WIN32
3744  show_routes(msglevel);
3745  show_adapters(msglevel);
3746  msg(msglevel, "END");
3747 #else
3748  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3749 #endif
3750 }
3751 
3752 #ifdef TARGET_ANDROID
3753 int
3754 management_callback_network_change(void *arg, bool samenetwork)
3755 {
3756  /* Check if the client should translate the network change to a SIGUSR1 to
3757  * reestablish the connection or just reprotect the socket
3758  *
3759  * At the moment just assume that, for all settings that use pull (not
3760  * --static) and are not using peer-id reestablishing the connection is
3761  * required (unless the network is the same)
3762  *
3763  * The function returns -1 on invalid fd and -2 if the socket cannot be
3764  * reused. On the -2 return value the man_network_change function triggers
3765  * a SIGUSR1 to force a reconnect.
3766  */
3767 
3768  int socketfd = -1;
3769  struct context *c = (struct context *) arg;
3770  if (!c->c2.link_socket)
3771  {
3772  return -1;
3773  }
3774  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3775  {
3776  return -1;
3777  }
3778 
3779  socketfd = c->c2.link_socket->sd;
3780  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3781  {
3782  return socketfd;
3783  }
3784  else
3785  {
3786  return -2;
3787  }
3788 }
3789 #endif /* ifdef TARGET_ANDROID */
3790 
3791 #endif /* ifdef ENABLE_MANAGEMENT */
3792 
3793 void
3794 init_management_callback_p2p(struct context *c)
3795 {
3796 #ifdef ENABLE_MANAGEMENT
3797  if (management)
3798  {
3799  struct management_callback cb;
3800  CLEAR(cb);
3801  cb.arg = c;
3802  cb.status = management_callback_status_p2p;
3803  cb.show_net = management_show_net_callback;
3804  cb.proxy_cmd = management_callback_proxy_cmd;
3805  cb.remote_cmd = management_callback_remote_cmd;
3806  cb.send_cc_message = management_callback_send_cc_message;
3807 #ifdef TARGET_ANDROID
3808  cb.network_change = management_callback_network_change;
3809 #endif
3810  management_set_callback(management, &cb);
3811  }
3812 #endif
3813 }
3814 
3815 #ifdef ENABLE_MANAGEMENT
3816 
3817 void
3818 init_management(void)
3819 {
3820  if (!management)
3821  {
3822  management = management_init();
3823  }
3824 }
3825 
3826 bool
3827 open_management(struct context *c)
3828 {
3829  /* initialize management layer */
3830  if (management)
3831  {
3832  if (c->options.management_addr)
3833  {
3834  unsigned int flags = c->options.management_flags;
3835  if (c->options.mode == MODE_SERVER)
3836  {
3837  flags |= MF_SERVER;
3838  }
3839  if (management_open(management,
3840  c->options.management_addr,
3841  c->options.management_port,
3842  c->options.management_user_pass,
3843  c->options.management_client_user,
3844  c->options.management_client_group,
3845  c->options.management_log_history_cache,
3846  c->options.management_echo_buffer_size,
3847  c->options.management_state_buffer_size,
3848  c->options.management_write_peer_info_file,
3849  c->options.remap_sigusr1,
3850  flags))
3851  {
3852  management_set_state(management,
3853  OPENVPN_STATE_CONNECTING,
3854  NULL,
3855  NULL,
3856  NULL,
3857  NULL,
3858  NULL);
3859  }
3860 
3861  /* initial management hold, called early, before first context initialization */
3862  do_hold(0);
3863  if (IS_SIG(c))
3864  {
3865  msg(M_WARN, "Signal received from management interface, exiting");
3866  return false;
3867  }
3868  }
3869  else
3870  {
3871  close_management();
3872  }
3873  }
3874  return true;
3875 }
3876 
3877 void
3878 close_management(void)
3879 {
3880  if (management)
3881  {
3882  management_close(management);
3883  management = NULL;
3884  }
3885 }
3886 
3887 #endif /* ifdef ENABLE_MANAGEMENT */
3888 
3889 
3890 void
3891 uninit_management_callback(void)
3892 {
3893 #ifdef ENABLE_MANAGEMENT
3894  if (management)
3895  {
3896  management_clear_callback(management);
3897  }
3898 #endif
3899 }
3900 
3901 /*
3902  * Initialize a tunnel instance, handle pre and post-init
3903  * signal settings.
3904  */
3905 void
3906 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3907 {
3908  pre_init_signal_catch();
3909  init_instance(c, env, flags);
3910  post_init_signal_catch();
3911 
3912  /*
3913  * This is done so that signals thrown during
3914  * initialization can bring us back to
3915  * a management hold.
3916  */
3917  if (IS_SIG(c))
3918  {
3919  remap_signal(c);
3920  uninit_management_callback();
3921  }
3922 }
3923 
3924 /*
3925  * Initialize a tunnel instance.
3926  */
3927 void
3928 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
3929 {
3930  const struct options *options = &c->options;
3931  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
3932  int link_socket_mode = LS_MODE_DEFAULT;
3933 
3934  /* init garbage collection level */
3935  gc_init(&c->c2.gc);
3936 
3937  /* inherit environmental variables */
3938  if (env)
3939  {
3940  do_inherit_env(c, env);
3941  }
3942 
3943  /* signals caught here will abort */
3944  c->sig->signal_received = 0;
3945  c->sig->signal_text = NULL;
3946  c->sig->source = SIG_SOURCE_SOFT;
3947 
3948  if (c->mode == CM_P2P)
3949  {
3950  init_management_callback_p2p(c);
3951  }
3952 
3953  /* possible sleep or management hold if restart */
3954  if (c->mode == CM_P2P || c->mode == CM_TOP)
3955  {
3956  do_startup_pause(c);
3957  if (IS_SIG(c))
3958  {
3959  goto sig;
3960  }
3961  }
3962 
3963  if (c->options.resolve_in_advance)
3964  {
3965  do_preresolve(c);
3966  if (IS_SIG(c))
3967  {
3968  goto sig;
3969  }
3970  }
3971 
3972  /* Resets all values to the initial values from the config where needed */
3973  pre_connect_restore(&c->options, &c->c2.gc);
3974 
3975  /* map in current connection entry */
3976  next_connection_entry(c);
3977 
3978  /* link_socket_mode allows CM_CHILD_TCP
3979  * instances to inherit acceptable fds
3980  * from a top-level parent */
3981  if (c->options.ce.proto == PROTO_TCP_SERVER)
3982  {
3983  if (c->mode == CM_TOP)
3984  {
3985  link_socket_mode = LS_MODE_TCP_LISTEN;
3986  }
3987  else if (c->mode == CM_CHILD_TCP)
3988  {
3989  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
3990  }
3991  }
3992 
3993  /* should we disable paging? */
3994  if (c->first_time && options->mlock)
3995  {
3996  platform_mlockall(true);
3997  }
3998 
3999  /* get passwords if undefined */
4000  if (auth_retry_get() == AR_INTERACT)
4001  {
4002  init_query_passwords(c);
4003  }
4004 
4005  /* initialize context level 2 --verb/--mute parms */
4006  init_verb_mute(c, IVM_LEVEL_2);
4007 
4008  /* set error message delay for non-server modes */
4009  if (c->mode == CM_P2P)
4010  {
4011  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4012  }
4013 
4014  /* warn about inconsistent options */
4015  if (c->mode == CM_P2P || c->mode == CM_TOP)
4016  {
4017  do_option_warnings(c);
4018  }
4019 
4020 #ifdef ENABLE_PLUGIN
4021  /* initialize plugins */
4022  if (c->mode == CM_P2P || c->mode == CM_TOP)
4023  {
4024  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4025  }
4026 #endif
4027 
4028  /* should we enable fast I/O? */
4029  if (c->mode == CM_P2P || c->mode == CM_TOP)
4030  {
4031  do_setup_fast_io(c);
4032  }
4033 
4034  /* should we throw a signal on TLS errors? */
4035  do_signal_on_tls_errors(c);
4036 
4037  /* open --status file */
4038  if (c->mode == CM_P2P || c->mode == CM_TOP)
4039  {
4040  do_open_status_output(c);
4041  }
4042 
4043  /* open --ifconfig-pool-persist file */
4044  if (c->mode == CM_TOP)
4045  {
4046  do_open_ifconfig_pool_persist(c);
4047  }
4048 
4049  /* reset OCC state */
4050  if (c->mode == CM_P2P || child)
4051  {
4052  c->c2.occ_op = occ_reset_op();
4053  }
4054 
4055  /* our wait-for-i/o objects, different for posix vs. win32 */
4056  if (c->mode == CM_P2P)
4057  {
4058  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4059  }
4060  else if (c->mode == CM_CHILD_TCP)
4061  {
4062  do_event_set_init(c, false);
4063  }
4064 
4065  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4066  init_proxy(c);
4067 
4068  /* allocate our socket object */
4069  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4070  {
4071  do_link_socket_new(c);
4072  }
4073 
4074 #ifdef ENABLE_FRAGMENT
4075  /* initialize internal fragmentation object */
4076  if (options->ce.fragment && (c->mode == CM_P2P || child))
4077  {
4078  c->c2.fragment = fragment_init(&c->c2.frame);
4079  }
4080 #endif
4081 
4082  /* init crypto layer */
4083  {
4084  unsigned int crypto_flags = 0;
4085  if (c->mode == CM_TOP)
4086  {
4087  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4088  }
4089  else if (c->mode == CM_P2P)
4090  {
4091  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4092  }
4093  else if (child)
4094  {
4095  crypto_flags = CF_INIT_TLS_MULTI;
4096  }
4097  do_init_crypto(c, crypto_flags);
4098  if (IS_SIG(c) && !child)
4099  {
4100  goto sig;
4101  }
4102  }
4103 
4104 #ifdef USE_COMP
4105  /* initialize compression library. */
4106  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4107  {
4108  c->c2.comp_context = comp_init(&options->comp);
4109  }
4110 #endif
4111 
4112  /* initialize MTU variables */
4113  do_init_frame(c);
4114 
4115  /* initialize TLS MTU variables */
4116  do_init_frame_tls(c);
4117 
4118  /* init workspace buffers whose size is derived from frame size */
4119  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4120  {
4121  do_init_buffers(c);
4122  }
4123 
4124 #ifdef ENABLE_FRAGMENT
4125  /* initialize internal fragmentation capability with known frame size */
4126  if (options->ce.fragment && (c->mode == CM_P2P || child))
4127  {
4128  do_init_fragment(c);
4129  }
4130 #endif
4131 
4132  /* bind the TCP/UDP socket */
4133  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4134  {
4135  link_socket_init_phase1(c, link_socket_mode);
4136  }
4137 
4138  /* initialize tun/tap device object,
4139  * open tun/tap device, ifconfig, run up script, etc. */
4140  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4141  {
4142  c->c2.did_open_tun = do_open_tun(c);
4143  }
4144 
4145  c->c2.frame_initial = c->c2.frame;
4146 
4147  /* print MTU info */
4148  do_print_data_channel_mtu_parms(c);
4149 
4150  /* get local and remote options compatibility strings */
4151  if (c->mode == CM_P2P || child)
4152  {
4153  do_compute_occ_strings(c);
4154  }
4155 
4156  /* initialize output speed limiter */
4157  if (c->mode == CM_P2P)
4158  {
4159  do_init_traffic_shaper(c);
4160  }
4161 
4162  /* do one-time inits, and possibly become a daemon here */
4163  do_init_first_time(c);
4164 
4165 #ifdef ENABLE_PLUGIN
4166  /* initialize plugins */
4167  if (c->mode == CM_P2P || c->mode == CM_TOP)
4168  {
4169  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4170  }
4171 #endif
4172 
4173  /* initialise connect timeout timer */
4174  do_init_server_poll_timeout(c);
4175 
4176  /* finalize the TCP/UDP socket */
4177  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4178  {
4179  link_socket_init_phase2(c);
4180  }
4181 
4182  /* Update dynamic frame calculation as exact transport socket information
4183  * (IP vs IPv6) may be only available after socket phase2 has finished.
4184  * This is only needed for --static or no crypto, NCP will recalculate this
4185  * in tls_session_update_crypto_params (P2MP) */
4186  frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4187  get_link_socket_info(c));
4188 
4189  /*
4190  * Actually do UID/GID downgrade, and chroot, if requested.
4191  * May be delayed by --client, --pull, or --up-delay.
4192  */
4193  do_uid_gid_chroot(c, c->c2.did_open_tun);
4194 
4195  /* initialize timers */
4196  if (c->mode == CM_P2P || child)
4197  {
4198  do_init_timers(c, false);
4199  }
4200 
4201 #ifdef ENABLE_PLUGIN
4202  /* initialize plugins */
4203  if (c->mode == CM_P2P || c->mode == CM_TOP)
4204  {
4205  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4206  }
4207 #endif
4208 
4209 #if PORT_SHARE
4210  /* share OpenVPN port with foreign (such as HTTPS) server */
4211  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4212  {
4213  init_port_share(c);
4214  }
4215 #endif
4216 
4217  /* Check for signals */
4218  if (IS_SIG(c))
4219  {
4220  goto sig;
4221  }
4222 
4223  return;
4224 
4225 sig:
4226  if (!c->sig->signal_text)
4227  {
4228  c->sig->signal_text = "init_instance";
4229  }
4230  close_context(c, -1, flags);
4231  return;
4232 }
4233 
4234 /*
4235  * Close a tunnel instance.
4236  */
4237 void
4238 close_instance(struct context *c)
4239 {
4240  /* close event objects */
4241  do_close_event_set(c);
4242 
4243  if (c->mode == CM_P2P
4244  || c->mode == CM_CHILD_TCP
4245  || c->mode == CM_CHILD_UDP
4246  || c->mode == CM_TOP)
4247  {
4248 #ifdef USE_COMP
4249  if (c->c2.comp_context)
4250  {
4251  comp_uninit(c->c2.comp_context);
4252  c->c2.comp_context = NULL;
4253  }
4254 #endif
4255 
4256  /* free buffers */
4257  do_close_free_buf(c);
4258 
4259  /* close TLS */
4260  do_close_tls(c);
4261 
4262  /* free key schedules */
4263  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4264 
4265  /* close TCP/UDP connection */
4266  do_close_link_socket(c);
4267 
4268  /* close TUN/TAP device */
4269  do_close_tun(c, false);
4270 
4271 #ifdef ENABLE_MANAGEMENT
4272  if (management)
4273  {
4274  management_notify_client_close(management, &c->c2.mda_context, NULL);
4275  }
4276 #endif
4277 
4278 #ifdef ENABLE_PLUGIN
4279  /* call plugin close functions and unload */
4280  do_close_plugins(c);
4281 #endif
4282 
4283  /* close packet-id persistence file */
4284  do_close_packet_id(c);
4285 
4286  /* close --status file */
4287  do_close_status_output(c);
4288 
4289 #ifdef ENABLE_FRAGMENT
4290  /* close fragmentation handler */
4291  do_close_fragment(c);
4292 #endif
4293 
4294  /* close --ifconfig-pool-persist obj */
4295  do_close_ifconfig_pool_persist(c);
4296 
4297  /* free up environmental variable store */
4298  do_env_set_destroy(c);
4299 
4300  /* close HTTP or SOCKS proxy */
4301  uninit_proxy(c);
4302 
4303  /* garbage collect */
4304  gc_free(&c->c2.gc);
4305  }
4306 }
4307 
4308 void
4309 inherit_context_child(struct context *dest,
4310  const struct context *src)
4311 {
4312  CLEAR(*dest);
4313 
4314  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4315  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4316 
4317  dest->gc = gc_new();
4318 
4319  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4320 
4321  /* c1 init */
4322  packet_id_persist_init(&dest->c1.pid_persist);
4323 
4324  dest->c1.ks.key_type = src->c1.ks.key_type;
4325  /* inherit SSL context */
4326  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4327  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4328  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4329  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4330  /* inherit pre-NCP ciphers */
4331  dest->options.ciphername = src->options.ciphername;
4332  dest->options.authname = src->options.authname;
4333 
4334  /* inherit auth-token */
4335  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4336 
4337  /* options */
4338  dest->options = src->options;
4339  options_detach(&dest->options);
4340 
4341  if (dest->mode == CM_CHILD_TCP)
4342  {
4343  /*
4344  * The CM_TOP context does the socket listen(),
4345  * and the CM_CHILD_TCP context does the accept().
4346  */
4347  dest->c2.accept_from = src->c2.link_socket;
4348  }
4349 
4350 #ifdef ENABLE_PLUGIN
4351  /* inherit plugins */
4352  do_inherit_plugins(dest, src);
4353 #endif
4354 
4355  /* context init */
4356  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4357  if (IS_SIG(dest))
4358  {
4359  return;
4360  }
4361 
4362  /* inherit tun/tap interface object */
4363  dest->c1.tuntap = src->c1.tuntap;
4364 
4365  /* UDP inherits some extra things which TCP does not */
4366  if (dest->mode == CM_CHILD_UDP)
4367  {
4368  /* inherit buffers */
4369  dest->c2.buffers = src->c2.buffers;
4370 
4371  /* inherit parent link_socket and tuntap */
4372  dest->c2.link_socket = src->c2.link_socket;
4373 
4374  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4375  *dest->c2.link_socket_info = src->c2.link_socket->info;
4376 
4377  /* locally override some link_socket_info fields */
4378  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4379  dest->c2.link_socket_info->connection_established = false;
4380  }
4381 }
4382 
4383 void
4384 inherit_context_top(struct context *dest,
4385  const struct context *src)
4386 {
4387  /* copy parent */
4388  *dest = *src;
4389 
4390  /*
4391  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4392  * resources owned by the parent.
4393  *
4394  * Also note that CM_TOP_CLONE context objects are
4395  * closed by multi_top_free in multi.c.
4396  */
4397  dest->mode = CM_TOP_CLONE;
4398 
4399  dest->first_time = false;
4400  dest->c0 = NULL;
4401 
4402  options_detach(&dest->options);
4403  gc_detach(&dest->gc);
4404  gc_detach(&dest->c2.gc);
4405 
4406  /* detach plugins */
4407  dest->plugins_owned = false;
4408 
4409  dest->c2.tls_multi = NULL;
4410 
4411  /* detach c1 ownership */
4412  dest->c1.tuntap_owned = false;
4413  dest->c1.status_output_owned = false;
4414  dest->c1.ifconfig_pool_persist_owned = false;
4415 
4416  /* detach c2 ownership */
4417  dest->c2.event_set_owned = false;
4418  dest->c2.link_socket_owned = false;
4419  dest->c2.buffers_owned = false;
4420  dest->c2.es_owned = false;
4421 
4422  dest->c2.event_set = NULL;
4423  if (proto_is_dgram(src->options.ce.proto))
4424  {
4425  do_event_set_init(dest, false);
4426  }
4427 
4428 #ifdef USE_COMP
4429  dest->c2.comp_context = NULL;
4430 #endif
4431 }
4432 
4433 void
4434 close_context(struct context *c, int sig, unsigned int flags)
4435 {
4436  ASSERT(c);
4437  ASSERT(c->sig);
4438 
4439  if (sig >= 0)
4440  {
4441  c->sig->signal_received = sig;
4442  }
4443 
4444  if (c->sig->signal_received == SIGUSR1)
4445  {
4446  if ((flags & CC_USR1_TO_HUP)
4447  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4448  {
4449  c->sig->signal_received = SIGHUP;
4450  c->sig->signal_text = "close_context usr1 to hup";
4451  }
4452  }
4453 
4454  if (!(flags & CC_NO_CLOSE))
4455  {
4456  close_instance(c);
4457  }
4458 
4459  if (flags & CC_GC_FREE)
4460  {
4461  context_gc_free(c);
4462  }
4463 }
4464 
4465 /* Write our PID to a file */
4466 void
4467 write_pid_file(const char *filename, const char *chroot_dir)
4468 {
4469  if (filename)
4470  {
4471  unsigned int pid = 0;
4472  FILE *fp = platform_fopen(filename, "w");
4473  if (!fp)
4474  {
4475  msg(M_ERR, "Open error on pid file %s", filename);
4476  return;
4477  }
4478 
4479  pid = platform_getpid();
4480  fprintf(fp, "%u\n", pid);
4481  if (fclose(fp))
4482  {
4483  msg(M_ERR, "Close error on pid file %s", filename);
4484  }
4485 
4486  /* remember file name so it can be deleted "out of context" later */
4487  /* (the chroot case is more complex and not handled today) */
4488  if (!chroot_dir)
4489  {
4490  saved_pid_file_name = strdup(filename);
4491  }
4492  }
4493 }
4494 
4495 /* remove PID file on exit, called from openvpn_exit() */
4496 void
4497 remove_pid_file(void)
4498 {
4499  if (saved_pid_file_name)
4500  {
4501  platform_unlink(saved_pid_file_name);
4502  }
4503 }
4504 
4505 
4506 /*
4507  * Do a loopback test
4508  * on the crypto subsystem.
4509  */
4510 static void *
4511 test_crypto_thread(void *arg)
4512 {
4513  struct context *c = (struct context *) arg;
4514  const struct options *options = &c->options;
4515 
4516  ASSERT(options->test_crypto);
4517  init_verb_mute(c, IVM_LEVEL_1);
4518  context_init_1(c);
4519  next_connection_entry(c);
4520  do_init_crypto_static(c, 0);
4521 
4522  frame_finalize_options(c, options);
4523 
4524  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4525 
4526  key_schedule_free(&c->c1.ks, true);
4527  packet_id_free(&c->c2.crypto_options.packet_id);
4528 
4529  context_gc_free(c);
4530  return NULL;
4531 }
4532 
4533 bool
4534 do_test_crypto(const struct options *o)
4535 {
4536  if (o->test_crypto)
4537  {
4538  struct context c;
4539 
4540  /* print version number */
4541  msg(M_INFO, "%s", title_string);
4542 
4543  context_clear(&c);
4544  c.options = *o;
4545  options_detach(&c.options);
4546  c.first_time = true;
4547  test_crypto_thread((void *) &c);
4548  return true;
4549  }
4550  return false;
4551 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:158
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:315
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
do_close_ifconfig_pool_persist
static void do_close_ifconfig_pool_persist(struct context *c)
Definition: init.c:3575
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2112
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:379
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5599
options::replay_time
int replay_time
Definition: options.h:547
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:220
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:403
do_test_crypto
bool do_test_crypto(const struct options *o)
Definition: init.c:4534
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
Definition: openvpn.h:322
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:265
plugin_list_init
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
Definition: plugin.c:763
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2662
options::show_engines
bool show_engines
Definition: options.h:261
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3709
write_key_file
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition: crypto.c:1371
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2578
signal_info::signal_received
volatile int signal_received
Definition: sig.h:45
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:589
options::verbosity
int verbosity
Definition: options.h:367
do_ifconfig_setenv
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
Definition: tun.c:689
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:153
do_init_server_poll_timeout
static void do_init_server_poll_timeout(struct context *c)
Definition: init.c:1273
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:467
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:146
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1259
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:585
OPENVPN_PLUGIN_UP
#define OPENVPN_PLUGIN_UP
Definition: openvpn-plugin.h:117
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:294
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:135
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:339
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:133
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:2971
options::show_digests
bool show_digests
Definition: options.h:260
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3377
connection_entry::link_mtu
int link_mtu
Definition: options.h:124
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
fragment_frame_init
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
Definition: fragment.c:124
options::management_write_peer_info_file
const char * management_write_peer_info_file
Definition: options.h:424
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4637
M_OPTERR
#define M_OPTERR
Definition: error.h:106
tls_options::verify_x509_name
const char * verify_x509_name
Definition: ssl_common.h:315
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:531
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:118
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:242
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:538
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:998
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:217
fragment_init
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
Definition: fragment.c:91
options::nice
int nice
Definition: options.h:366
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
run_command.h
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
auth_token.h
tls_options::frame
struct frame frame
Definition: ssl_common.h:347
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:112
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:139
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:319
forward.h
open_management
bool open_management(struct context *c)
Definition: init.c:3827
plugin_return
Definition: plugin.h:101
ROUTE_BEFORE_TUN
#define ROUTE_BEFORE_TUN
Definition: tun.h:346
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:249
fragment_free
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
Definition: fragment.c:115
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:541
signal_info::signal_text
const char * signal_text
Definition: sig.h:47
route_list
Definition: route.h:206
gremlin.h
context_1::status_output_owned
bool status_output_owned
Definition: openvpn.h:181
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
options::up_script
const char * up_script
Definition: options.h:353
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:504
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:265
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:209
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:723
options::keepalive_ping
int keepalive_ping
Definition: options.h:314
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6583
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:116
set_lladdr
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:19
init_connection_list
static void init_connection_list(struct context *c)
Definition: init.c:427
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3736
M_FATAL
#define M_FATAL
Definition: error.h:95
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:201
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1676
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:583
win32.h
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition: env_set.c:168
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:512
EVENT_METHOD_US_TIMEOUT
#define EVENT_METHOD_US_TIMEOUT
Definition: event.h:79
tuntap::windows_driver
enum windows_driver_type windows_driver
Definition: tun.h:196
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3997
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
route_gateway_info
Definition: route.h:146
options::show_ciphers
bool show_ciphers
Definition: options.h:259
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:212
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:695
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
context_2::es_owned
bool es_owned
Definition: openvpn.h:415
options::duplicate_cn
bool duplicate_cn
Definition: options.h:498
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:159
streq
#define streq(x, y)
Definition: options.h:687
set_check_status_error_delay
static void set_check_status_error_delay(unsigned int milliseconds)
Definition: error.h:297
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:12
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3070
packet_id_persist_load
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
Definition: packet_id.c:430
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:530
do_close_free_buf
static void do_close_free_buf(struct context *c)
Definition: init.c:3363
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:257
occ_reset_op
static int occ_reset_op(void)
Definition: occ.h:101
connection_entry::remote_port
const char * remote_port
Definition: options.h:105
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4037
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:347
lladdr.h
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3533
context
Contains all state information for one tunnel.
Definition: openvpn.h:467
do_setup_fast_io
static void do_setup_fast_io(struct context *c)
Definition: init.c:3620
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
tls_options::transition_window
int transition_window
Definition: ssl_common.h:304
options::route_nopull
bool route_nopull
Definition: options.h:409
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:771
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:635
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:106
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:121
key_schedule::auth_token_key
struct key_ctx auth_token_key
Definition: openvpn.h:70
extract_x509_field_test
void extract_x509_field_test(void)
options::key_direction
int key_direction
Definition: options.h:536
options::topology
int topology
Definition: options.h:294
tls_wrap_ctx::mode
enum tls_wrap_ctx::@14 mode
Control channel wrapping mode.
SSEC_SCRIPTS
#define SSEC_SCRIPTS
Definition: run_command.h:33
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:157
options::authname
const char * authname
Definition: options.h:541
options::dev_type
const char * dev_type
Definition: options.h:291
tls_options::auth_token_key
struct key_ctx auth_token_key
Definition: ssl_common.h:361
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:70
get_random
long int get_random(void)
Definition: crypto.c:1632
do_init_crypto_none
static void do_init_crypto_none(struct context *c)
Definition: init.c:3009
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:340
AR_NONE
#define AR_NONE
Definition: options.h:863
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:182
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:105
do_print_data_channel_mtu_parms
static void do_print_data_channel_mtu_parms(struct context *c)
Definition: init.c:3284
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:376
link_socket_addr::bind_local
struct addrinfo * bind_local
Definition: socket.h:105
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:479
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:496
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
options::tls_client
bool tls_client
Definition: options.h:556
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:534
context_2::log_rw
bool log_rw
Definition: openvpn.h:376
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:406
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:167
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:935
context_2::es
struct env_set * es
Definition: openvpn.h:414
config-msvc.h
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:610
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:114
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:96
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
link_socket_proto_connection_oriented
static bool link_socket_proto_connection_oriented(int proto)
Definition: socket.h:627
route_ipv6_gateway_info
Definition: route.h:179
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:107
man_persist::special_state_msg
const char * special_state_msg
Definition: manage.h:214
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3484
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:218
tls_options::replay_time
int replay_time
Definition: ssl_common.h:335
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:716
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:461
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:382
options::cipher_list
const char * cipher_list
Definition: options.h:570
plugin_list_open
void plugin_list_open(struct plugin_list *pl, const struct plugin_option_list *list, struct plugin_return *pr, const struct env_set *es, const int init_point)
Definition: plugin.c:773
init_instance
void init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3928
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:180
tls_options::remote_cert_eku
const char * remote_cert_eku
Definition: ssl_common.h:320
options::mode
int mode
Definition: options.h:243
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition: mtu.h:107
tls_options::single_session
bool single_session
Definition: ssl_common.h:289
reset_coarse_timers
void reset_coarse_timers(struct context *c)
Definition: init.c:1262
route_ipv6_list
Definition: route.h:219
options::mute
int mute
Definition: options.h:368
tls_options::verify_hash_depth
int verify_hash_depth
Definition: ssl_common.h:322
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:288
SSEC_PW_ENV
#define SSEC_PW_ENV
Definition: run_command.h:34
MF_SERVER
#define MF_SERVER
Definition: manage.h:326
show_available_ciphers
void show_available_ciphers(void)
Definition: crypto_openssl.c:357
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:213
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
context::c0
struct context_0 * c0
Level 0 context.
Definition: openvpn.h:506
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
frame::buf
struct frame::@5 buf
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:142
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:125
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1869
time_test
void time_test(void)
dmsg
#define dmsg(flags,...)
Definition: error.h:154
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1121
CO_FORCE_TLSCRYPTV2_COOKIE
#define CO_FORCE_TLSCRYPTV2_COOKIE
Bit-flag indicating that we do not allow clients that do not support resending the wrapped client key...
Definition: crypto.h:263
options::ce
struct connection_entry ce
Definition: options.h:271
options::msg_channel
HANDLE msg_channel
Definition: options.h:655
tls_options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: ssl_common.h:323
tls_options::crl_file_inline
bool crl_file_inline
Definition: ssl_common.h:317
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
link_socket_addr::current_remote
struct addrinfo * current_remote
Definition: socket.h:107
openvpn_sockaddr
Definition: socket.h:64
env_set_inherit
void env_set_inherit(struct env_set *es, const struct env_set *src)
Definition: env_set.c:240
do_close_free_key_schedule
static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
Definition: init.c:3402
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:336
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:363
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:586
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:713
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
D_LOW
#define D_LOW
Definition: errlevel.h:97
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:383
set_check_status
void set_check_status(unsigned int info_level, unsigned int verbose_level)
Definition: error.c:639
frame_calculate_protocol_header_size
size_t frame_calculate_protocol_header_size(const struct key_type *kt, const struct options *options, bool occ)
Calculates the size of the OpenVPN protocol header.
Definition: mtu.c:73
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:267
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:103
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:306
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3198
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:380
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:98
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2018
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:582
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:438
SIG_SOURCE_HARD
#define SIG_SOURCE_HARD
Definition: sig.h:33
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:82
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:345
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:341
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:338
options::shaper
int shaper
Definition: options.h:302
window_title_save
void window_title_save(struct window_title *wt)
Definition: win32.c:714
window_title
Definition: win32.h:70
tls_crypt.h
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3720
do_close_packet_id
static void do_close_packet_id(struct context *c)
Definition: init.c:3469
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:309
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:109
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:481
reset_check_status
void reset_check_status(void)
Definition: error.c:632
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2027
options::cd_dir
const char * cd_dir
Definition: options.h:348
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
MODE_SERVER
#define MODE_SERVER
Definition: options.h:242
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:210
tun_abort
void tun_abort(void)
Definition: init.c:1999
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
options::remote_random
bool remote_random
Definition: options.h:288
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:300
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:255
frame
Packet geometry parameters.
Definition: mtu.h:93
IFCONFIG_AFTER_TUN_OPEN
#define IFCONFIG_AFTER_TUN_OPEN
Definition: tun.h:320
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:352
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:269
key_schedule_free
static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
Definition: init.c:2509
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition: socket.h:555
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:131
status_output::flags
unsigned int flags
Definition: status.h:52
options::tls_server
bool tls_server
Definition: options.h:555
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3741
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:108
srandom
#define srandom
Definition: syshead.h:45
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
connection_entry
Definition: options.h:99
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
do_inherit_env
static void do_inherit_env(struct context *c, const struct env_set *src)
Definition: init.c:3593
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2819
sleep
#define sleep(x)
Definition: syshead.h:43
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:407
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:697
route_order
static int route_order(void)
Definition: tun.h:351
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1415
options::tls_exit
bool tls_exit
Definition: options.h:647
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:3891
context_2::occ_interval
struct event_timeout occ_interval
Definition: openvpn.h:297
np
static const char * np(const char *str)
Definition: multi-auth.c:146
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
options::route_noexec
bool route_noexec
Definition: options.h:402
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:573
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2549
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:355
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
link_socket::sd
socket_descriptor_t sd
Definition: socket.h:168
context_persist
Definition: openvpn.h:117
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:610
context_0
Level 0 context containing information related to the OpenVPN process.
Definition: openvpn.h:132
context_1::route_list
struct route_list * route_list
List of routing information.
Definition: openvpn.h:172
PING_RESTART
#define PING_RESTART
Definition: options.h:326
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:283
options::persist_local_ip
bool persist_local_ip
Definition: options.h:330
tuntap::actual_name
char * actual_name
Definition: tun.h:169
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1026
CLEAR
#define CLEAR(x)
Definition: basic.h:33
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:587
win32_signal
Definition: win32.h:150
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:717
do_init_first_time
static void do_init_first_time(struct context *c)
Definition: init.c:3334
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:572
D_MTU_DEBUG
#define D_MTU_DEBUG
Definition: errlevel.h:123
options::show_curves
bool show_curves
Definition: options.h:263
tls_auth_standalone::frame
struct frame frame
Definition: ssl_pkt.h:80
connection_list::len
int len
Definition: options.h:182
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:508
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:571
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:907
do_close_tun_simple
static void do_close_tun_simple(struct context *c)
Definition: init.c:1856
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
options::up_delay
bool up_delay
Definition: options.h:357
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:493
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:271
do_init_route_list
static void do_init_route_list(const struct options *options, struct route_list *route_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1378
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:662
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure.
Definition: openvpn.h:225
do_compute_occ_strings
static void do_compute_occ_strings(struct context *c)
Definition: init.c:3300
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:117
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:339
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:191
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:254
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:301
tls_options::ekm_label_size
size_t ekm_label_size
Definition: ssl_common.h:405
options::dev
const char * dev
Definition: options.h:290
connection_list::current
int current
Definition: options.h:183
ASSERT
#define ASSERT(x)
Definition: error.h:201
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:768
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:175
options::management_port
const char * management_port
Definition: options.h:419
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:256
string_clear
void string_clear(char *str)
Definition: buffer.c:704
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:284
options::groupname
const char * groupname
Definition: options.h:346
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:96
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:113
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:378
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:556
options::single_session
bool single_session
Definition: options.h:643
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:525
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:725
key_schedule::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: openvpn.h:63
link_socket_actual
Definition: socket.h:85
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:404
tls_options::verify_export_cert
const char * verify_export_cert
Definition: ssl_common.h:313
frame_add_to_extra_tun
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:292
CM_CHILD_TCP
#define CM_CHILD_TCP
Definition: openvpn.h:480
tls_options::verify_hash
struct verify_hash_list * verify_hash
Definition: ssl_common.h:321
key_schedule::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Definition: openvpn.h:68
connection_list
Definition: options.h:180
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition: openvpn.h:486
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
OPENVPN_PLUGIN_INIT_PRE_DAEMON
#define OPENVPN_PLUGIN_INIT_PRE_DAEMON
Definition: openvpn-plugin.h:767
ping.h
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:320
tls_options::net_ctx
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:368
tls_options
Definition: ssl_common.h:268
packet_id_persist_save
void packet_id_persist_save(struct packet_id_persist *p)
Definition: packet_id.c:479
context_2::event_set_max
int event_set_max
Definition: openvpn.h:231
tls_options::x509_track
const struct x509_track * x509_track
Definition: ssl_common.h:394
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:147
options::x509_track
const struct x509_track * x509_track
Definition: options.h:649
options::windows_driver
enum windows_driver_type windows_driver
Definition: options.h:661
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:535
init_proxy
static void init_proxy(struct context *c)
Definition: init.c:654
options::management_client_group
const char * management_client_group
Definition: options.h:427
do_link_socket_new
static void do_link_socket_new(struct context *c)
Definition: init.c:3273
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:68
key_schedule::tls_auth_key_type
struct key_type tls_auth_key_type
Definition: openvpn.h:66
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1257
context::plugins_owned
bool plugins_owned
Whether the plug-ins should be cleaned up when this context is cleaned up.
Definition: openvpn.h:497
options::test_crypto
bool test_crypto
Definition: options.h:549
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:588
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3672
ssl_clean_user_pass
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4036
options::block_outside_dns
bool block_outside_dns
Definition: options.h:660
key_schedule
Definition: openvpn.h:54
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:703
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:298
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:540
key_schedule::key_type
struct key_type key_type
Definition: openvpn.h:57
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:715
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2910
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:142
options::persist_config
bool persist_config
Definition: options.h:255
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:97
init_ssl_lib
void init_ssl_lib(void)
Definition: ssl.c:338