OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 static bool do_deferred_p2p_ncp(struct context *c);
72 
73 void
75 {
76  CLEAR(*c);
77 }
78 
79 void
81 {
82  CLEAR(c->c1);
83 }
84 
85 void
87 {
88  CLEAR(c->c2);
89 }
90 
91 void
93 {
94  const bool first_time_save = c->first_time;
95  const struct context_persist cpsave = c->persist;
96  context_clear(c);
97  c->first_time = first_time_save;
98  c->persist = cpsave;
99 }
100 
101 /*
102  * Pass tunnel endpoint and MTU parms to a user-supplied script.
103  * Used to execute the up/down script/plugins.
104  */
105 static void
106 run_up_down(const char *command,
107  const struct plugin_list *plugins,
108  int plugin_type,
109  const char *arg,
110 #ifdef _WIN32
111  DWORD adapter_index,
112 #endif
113  const char *dev_type,
114  int tun_mtu,
115  int link_mtu,
116  const char *ifconfig_local,
117  const char *ifconfig_remote,
118  const char *context,
119  const char *signal_text,
120  const char *script_type,
121  struct env_set *es)
122 {
123  struct gc_arena gc = gc_new();
124 
125  if (signal_text)
126  {
127  setenv_str(es, "signal", signal_text);
128  }
129  setenv_str(es, "script_context", context);
130  setenv_int(es, "tun_mtu", tun_mtu);
131  setenv_int(es, "link_mtu", link_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d %d %s %s %s",
160  arg,
161  tun_mtu, link_mtu,
162  ifconfig_local, ifconfig_remote,
163  context);
164 
165  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
166  {
167  msg(M_FATAL, "ERROR: up/down plugin call failed");
168  }
169 
170  argv_free(&argv);
171  }
172 
173  if (command)
174  {
175  struct argv argv = argv_new();
176  ASSERT(arg);
177  setenv_str(es, "script_type", script_type);
178  argv_parse_cmd(&argv, command);
179  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
180  ifconfig_local, ifconfig_remote, context);
181  argv_msg(M_INFO, &argv);
182  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
183  argv_free(&argv);
184  }
185 
186  gc_free(&gc);
187 }
188 
189 /*
190  * Should be called after options->ce is modified at the top
191  * of a SIGUSR1 restart.
192  */
193 static void
195 {
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
208  }
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
308 static bool
310  const char *command,
311  const char *parameters)
312 {
313  struct context *c = (struct context *) arg;
314  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
315  if (len > PUSH_BUNDLE_SIZE)
316  {
317  return false;
318  }
319 
320  struct gc_arena gc = gc_new();
321  struct buffer buf = alloc_buf_gc(len, &gc);
322  ASSERT(buf_printf(&buf, "%s", command));
323  if (parameters)
324  {
325  ASSERT(buf_printf(&buf, ",%s", parameters));
326  }
327  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
328 
329  gc_free(&gc);
330  return status;
331 }
332 
333 static bool
334 management_callback_remote_cmd(void *arg, const char **p)
335 {
336  struct context *c = (struct context *) arg;
337  struct connection_entry *ce = &c->options.ce;
338  int ret = false;
340  {
341  int flags = 0;
342  if (!strcmp(p[1], "ACCEPT"))
343  {
345  ret = true;
346  }
347  else if (!strcmp(p[1], "SKIP"))
348  {
349  flags = CE_MAN_QUERY_REMOTE_SKIP;
350  ret = true;
351  }
352  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
353  {
354  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
355  {
356  struct remote_host_store *rhs = c->options.rh_store;
357  if (!rhs)
358  {
360  c->options.rh_store = rhs;
361  }
362  strncpynt(rhs->host, p[2], RH_HOST_LEN);
363  strncpynt(rhs->port, p[3], RH_PORT_LEN);
364 
365  ce->remote = rhs->host;
366  ce->remote_port = rhs->port;
367  flags = CE_MAN_QUERY_REMOTE_MOD;
368  ret = true;
369  }
370  }
371  if (ret)
372  {
373  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
375  }
376  }
377  return ret;
378 }
379 
380 static bool
382 {
383  struct gc_arena gc = gc_new();
384  volatile struct connection_entry *ce = &c->options.ce;
385  int ce_changed = true; /* presume the connection entry will be changed */
386 
387  update_time();
388  if (management)
389  {
390  struct buffer out = alloc_buf_gc(256, &gc);
391 
392  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
393  proto2ascii(ce->proto, ce->af, false));
396 
399  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
401  {
403  if (IS_SIG(c))
404  {
405  ce_changed = false; /* connection entry have not been set */
406  break;
407  }
408  }
410  }
411  gc_free(&gc);
412 
413  if (ce_changed)
414  {
415  /* If it is likely a connection entry was modified,
416  * check what changed in the flags and that it was not skipped
417  */
418  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
420  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
421  }
422  return ce_changed;
423 }
424 #endif /* ENABLE_MANAGEMENT */
425 
426 /*
427  * Initialize and possibly randomize connection list.
428  */
429 static void
431 {
432  struct connection_list *l = c->options.connection_list;
433 
434  l->current = -1;
435  if (c->options.remote_random)
436  {
437  int i;
438  for (i = 0; i < l->len; ++i)
439  {
440  const int j = get_random() % l->len;
441  if (i != j)
442  {
443  struct connection_entry *tmp;
444  tmp = l->array[i];
445  l->array[i] = l->array[j];
446  l->array[j] = tmp;
447  }
448  }
449  }
450 }
451 
452 /*
453  * Clear the remote address list
454  */
455 static void
457 {
458  if (lsa->remote_list && free)
459  {
460  freeaddrinfo(lsa->remote_list);
461  }
462  lsa->remote_list = NULL;
463  lsa->current_remote = NULL;
464 }
465 
466 /*
467  * Increment to next connection entry
468  */
469 static void
471 {
472  struct connection_list *l = c->options.connection_list;
473  bool ce_defined;
474  struct connection_entry *ce;
475  int n_cycles = 0;
476 
477  do
478  {
479  ce_defined = true;
480  if (c->options.no_advance && l->current >= 0)
481  {
482  c->options.no_advance = false;
483  }
484  else
485  {
486  /* Check if there is another resolved address to try for
487  * the current connection */
489  && c->c1.link_socket_addr.current_remote->ai_next)
490  {
492  c->c1.link_socket_addr.current_remote->ai_next;
493  }
494  else
495  {
496  /* FIXME (schwabe) fix the persist-remote-ip option for real,
497  * this is broken probably ever since connection lists and multiple
498  * remote existed
499  */
500  if (!c->options.persist_remote_ip)
501  {
502  /* Connection entry addrinfo objects might have been
503  * resolved earlier but the entry itself might have been
504  * skipped by management on the previous loop.
505  * If so, clear the addrinfo objects as close_instance does
506  */
508  {
511  }
512 
513  /* close_instance should have cleared the addrinfo objects */
516  }
517  else
518  {
521  }
522 
523  /*
524  * Increase the number of connection attempts
525  * If this is connect-retry-max * size(l)
526  * OpenVPN will quit
527  */
528 
530 
531  if (++l->current >= l->len)
532  {
533 
534  l->current = 0;
535  if (++n_cycles >= 2)
536  {
537  msg(M_FATAL, "No usable connection profiles are present");
538  }
539  }
540  }
541  }
542 
543  ce = l->array[l->current];
544 
545  if (ce->flags & CE_DISABLED)
546  {
547  ce_defined = false;
548  }
549 
550  c->options.ce = *ce;
551 #ifdef ENABLE_MANAGEMENT
553  {
554  /* allow management interface to override connection entry details */
555  ce_defined = ce_management_query_remote(c);
556  if (IS_SIG(c))
557  {
558  break;
559  }
560  }
561  else if (ce_defined && management && management_query_proxy_enabled(management))
562  {
563  ce_defined = ce_management_query_proxy(c);
564  if (IS_SIG(c))
565  {
566  break;
567  }
568  }
569 #endif
570  } while (!ce_defined);
571 
572  /* Check if this connection attempt would bring us over the limit */
573  if (c->options.connect_retry_max > 0
575  {
576  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
578  }
580 }
581 
582 /*
583  * Query for private key and auth-user-pass username/passwords
584  */
585 void
587 {
588  /* Certificate password input */
589  if (c->options.key_pass_file)
590  {
592  }
593 
594  /* Auth user/pass input */
596  {
597 #ifdef ENABLE_MANAGEMENT
599 #else
601 #endif
602  }
603 }
604 
605 /*
606  * Initialize/Uninitialize HTTP or SOCKS proxy
607  */
608 
609 static void
611 {
612  if (c->c1.http_proxy_owned && c->c1.http_proxy)
613  {
615  c->c1.http_proxy = NULL;
616  c->c1.http_proxy_owned = false;
617  }
618  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
619  {
621  c->c1.socks_proxy = NULL;
622  c->c1.socks_proxy_owned = false;
623  }
624 }
625 
626 static void
628 {
629  bool did_http = false;
630 
632 
634  {
635  /* Possible HTTP proxy user/pass input */
637  if (c->c1.http_proxy)
638  {
639  did_http = true;
640  c->c1.http_proxy_owned = true;
641  }
642  }
643 
644  if (!did_http && c->options.ce.socks_proxy_server)
645  {
649  if (c->c1.socks_proxy)
650  {
651  c->c1.socks_proxy_owned = true;
652  }
653  }
654 }
655 
656 static void
657 init_proxy(struct context *c)
658 {
660 }
661 
662 static void
664 {
666 }
667 
668 void
670 {
671  context_clear_1(c);
672 
674 
676 
677 #if defined(ENABLE_PKCS11)
678  if (c->first_time)
679  {
680  int i;
681  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
682  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
683  {
684  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
685  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
686  }
687  }
688 #endif
689 
690 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
691  {
692  /*
693  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
694  */
695  struct user_pass up;
696  CLEAR(up);
697  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
698  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
699  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
700  * 'needok' command, usually 'ok' or 'cancel'. */
701  }
702 #endif
703 
704 #ifdef ENABLE_SYSTEMD
705  /* We can report the PID via getpid() to systemd here as OpenVPN will not
706  * do any fork due to daemon() a future call.
707  * See possibly_become_daemon() [init.c] for more details.
708  */
709  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
710  (unsigned long) getpid());
711 #endif
712 
713 }
714 
715 void
717 {
718  gc_free(&c->c2.gc);
719  gc_free(&c->options.gc);
720  gc_free(&c->gc);
721 }
722 
723 #if PORT_SHARE
724 
725 static void
726 close_port_share(void)
727 {
728  if (port_share)
729  {
730  port_share_close(port_share);
731  port_share = NULL;
732  }
733 }
734 
735 static void
736 init_port_share(struct context *c)
737 {
738  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
739  {
740  port_share = port_share_open(c->options.port_share_host,
741  c->options.port_share_port,
743  c->options.port_share_journal_dir);
744  if (port_share == NULL)
745  {
746  msg(M_FATAL, "Fatal error: Port sharing failed");
747  }
748  }
749 }
750 
751 #endif /* if PORT_SHARE */
752 
753 
754 bool
756 {
757  /* configure_path (); */
758 
759 #if defined(DMALLOC)
760  crypto_init_dmalloc();
761 #endif
762 
763 
764  /*
765  * Initialize random number seed. random() is only used
766  * when "weak" random numbers are acceptable.
767  * SSL library routines are always used when cryptographically
768  * strong random numbers are required.
769  */
770  struct timeval tv;
771  if (!gettimeofday(&tv, NULL))
772  {
773  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
774  srandom(seed);
775  }
776 
777  error_reset(); /* initialize error.c */
778  reset_check_status(); /* initialize status check code in socket.c */
779 
780 #ifdef _WIN32
781  init_win32();
782 #endif
783 
784 #ifdef OPENVPN_DEBUG_COMMAND_LINE
785  {
786  int i;
787  for (i = 0; i < argc; ++i)
788  {
789  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
790  }
791  }
792 #endif
793 
794  update_time();
795 
796  init_ssl_lib();
797 
798  /* init PRNG used for IV generation */
799  /* When forking, copy this to more places in the code to avoid fork
800  * random-state predictability */
801  prng_init(NULL, 0);
802 
803 #ifdef PID_TEST
804  packet_id_interactive_test(); /* test the sequence number code */
805  return false;
806 #endif
807 
808 #ifdef SCHEDULE_TEST
809  schedule_test();
810  return false;
811 #endif
812 
813 #ifdef LIST_TEST
814  list_test();
815  return false;
816 #endif
817 
818 #ifdef IFCONFIG_POOL_TEST
819  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
820  return false;
821 #endif
822 
823 #ifdef CHARACTER_CLASS_DEBUG
824  character_class_debug();
825  return false;
826 #endif
827 
828 #ifdef EXTRACT_X509_FIELD_TEST
830  return false;
831 #endif
832 
833 #ifdef TIME_TEST
834  time_test();
835  return false;
836 #endif
837 
838 #ifdef TEST_GET_DEFAULT_GATEWAY
839  {
840  struct route_gateway_info rgi;
841  struct route_ipv6_gateway_info rgi6;
842  get_default_gateway(&rgi);
843  get_default_gateway_ipv6(&rgi6, NULL);
844  print_default_gateway(M_INFO, &rgi, &rgi6);
845  return false;
846  }
847 #endif
848 
849 #ifdef GEN_PATH_TEST
850  {
851  struct gc_arena gc = gc_new();
852  const char *fn = gen_path("foo",
853  "bar",
854  &gc);
855  printf("%s\n", fn);
856  gc_free(&gc);
857  }
858  return false;
859 #endif
860 
861 #ifdef STATUS_PRINTF_TEST
862  {
863  struct gc_arena gc = gc_new();
864  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
865  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
866  status_printf(so, "%s", "foo");
867  status_printf(so, "%s", "bar");
868  if (!status_close(so))
869  {
870  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
871  }
872  gc_free(&gc);
873  }
874  return false;
875 #endif
876 
877 #ifdef PRNG_TEST
878  {
879  struct gc_arena gc = gc_new();
880  uint8_t rndbuf[8];
881  int i;
882  prng_init("sha1", 16);
883  /*prng_init (NULL, 0);*/
884  const int factor = 1;
885  for (i = 0; i < factor * 8; ++i)
886  {
887 #if 1
888  prng_bytes(rndbuf, sizeof(rndbuf));
889 #else
890  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
891 #endif
892  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
893  }
894  gc_free(&gc);
895  prng_uninit();
896  return false;
897  }
898 #endif /* ifdef PRNG_TEST */
899 
900 #ifdef BUFFER_LIST_AGGREGATE_TEST
901  /* test buffer_list_aggregate function */
902  {
903  static const char *text[] = {
904  "It was a bright cold day in April, ",
905  "and the clocks were striking ",
906  "thirteen. ",
907  "Winston Smith, ",
908  "his chin nuzzled into his breast in an ",
909  "effort to escape the vile wind, ",
910  "slipped quickly through the glass doors ",
911  "of Victory Mansions, though not quickly ",
912  "enough to prevent a swirl of gritty dust from ",
913  "entering along with him."
914  };
915 
916  int iter, listcap;
917  for (listcap = 0; listcap < 12; ++listcap)
918  {
919  for (iter = 0; iter < 512; ++iter)
920  {
921  struct buffer_list *bl = buffer_list_new(listcap);
922  {
923  int i;
924  for (i = 0; i < SIZE(text); ++i)
925  {
926  buffer_list_push(bl, (unsigned char *)text[i]);
927  }
928  }
929  printf("[cap=%d i=%d] *************************\n", listcap, iter);
930  if (!(iter & 8))
931  {
932  buffer_list_aggregate(bl, iter/2);
933  }
934  if (!(iter & 16))
935  {
936  buffer_list_push(bl, (unsigned char *)"Even more text...");
937  }
938  buffer_list_aggregate(bl, iter);
939  if (!(iter & 1))
940  {
941  buffer_list_push(bl, (unsigned char *)"More text...");
942  }
943  {
944  struct buffer *buf;
945  while ((buf = buffer_list_peek(bl)))
946  {
947  int c;
948  printf("'");
949  while ((c = buf_read_u8(buf)) >= 0)
950  {
951  putchar(c);
952  }
953  printf("'\n");
954  buffer_list_advance(bl, 0);
955  }
956  }
957  buffer_list_free(bl);
958  }
959  }
960  return false;
961  }
962 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
963 
964 #ifdef MSTATS_TEST
965  {
966  int i;
967  mstats_open("/dev/shm/mstats.dat");
968  for (i = 0; i < 30; ++i)
969  {
970  mmap_stats->n_clients += 1;
971  mmap_stats->link_write_bytes += 8;
972  mmap_stats->link_read_bytes += 16;
973  sleep(1);
974  }
975  mstats_close();
976  return false;
977  }
978 #endif
979 
980  return true;
981 }
982 
983 void
985 {
986  free_ssl_lib();
987 
988 #ifdef ENABLE_PKCS11
989  pkcs11_terminate();
990 #endif
991 
992 #if PORT_SHARE
993  close_port_share();
994 #endif
995 
996 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
997  show_tls_performance_stats();
998 #endif
999 }
1000 
1001 void
1002 init_verb_mute(struct context *c, unsigned int flags)
1003 {
1004  if (flags & IVM_LEVEL_1)
1005  {
1006  /* set verbosity and mute levels */
1010  }
1011 
1012  /* special D_LOG_RW mode */
1013  if (flags & IVM_LEVEL_2)
1014  {
1016  }
1017 }
1018 
1019 /*
1020  * Possibly set --dev based on --dev-node.
1021  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1022  * set --dev to tun.
1023  */
1024 void
1026 {
1027  if (!options->dev && options->dev_node)
1028  {
1029  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1030  options->dev = basename(dev_node);
1031  }
1032 }
1033 
1034 bool
1036 {
1037  /*
1038  * OpenSSL info print mode?
1039  */
1040  if (options->show_ciphers || options->show_digests || options->show_engines
1041  || options->show_tls_ciphers || options->show_curves)
1042  {
1043  if (options->show_ciphers)
1044  {
1046  }
1047  if (options->show_digests)
1048  {
1050  }
1051  if (options->show_engines)
1052  {
1054  }
1055  if (options->show_tls_ciphers)
1056  {
1058  options->cipher_list_tls13,
1059  options->tls_cert_profile);
1060  }
1061  if (options->show_curves)
1062  {
1064  }
1065  return true;
1066  }
1067  return false;
1068 }
1069 
1070 /*
1071  * Static pre-shared key generation mode?
1072  */
1073 bool
1074 do_genkey(const struct options *options)
1075 {
1076  /* should we disable paging? */
1077  if (options->mlock && (options->genkey))
1078  {
1079  platform_mlockall(true);
1080  }
1081 
1082  /*
1083  * We do not want user to use --genkey with --secret. In the transistion
1084  * phase we for secret.
1085  */
1086  if (options->genkey && options->genkey_type != GENKEY_SECRET
1087  && options->shared_secret_file)
1088  {
1089  msg(M_USAGE, "Using --genkey type with --secret filename is "
1090  "not supported. Use --genkey type filename instead.");
1091  }
1092  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1093  {
1094  int nbits_written;
1095  const char *genkey_filename = options->genkey_filename;
1096  if (options->shared_secret_file && options->genkey_filename)
1097  {
1098  msg(M_USAGE, "You must provide a filename to either --genkey "
1099  "or --secret, not both");
1100  }
1101 
1102  /*
1103  * Copy filename from shared_secret_file to genkey_filename to support
1104  * the old --genkey --secret foo.file syntax.
1105  */
1106  if (options->shared_secret_file)
1107  {
1108  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1109  "DEPRECATED. Use --genkey secret filename instead.");
1110  genkey_filename = options->shared_secret_file;
1111  }
1112 
1113  nbits_written = write_key_file(2, genkey_filename);
1114  if (nbits_written < 0)
1115  {
1116  msg(M_FATAL, "Failed to write key file");
1117  }
1118 
1120  "Randomly generated %d bit key written to %s", nbits_written,
1121  options->shared_secret_file);
1122  return true;
1123  }
1124  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1125  {
1127  return true;
1128  }
1129  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1130  {
1131  if (!options->tls_crypt_v2_file)
1132  {
1133  msg(M_USAGE,
1134  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1135  }
1136 
1138  options->genkey_extra_data, options->tls_crypt_v2_file,
1139  options->tls_crypt_v2_file_inline);
1140  return true;
1141  }
1142  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1143  {
1145  return true;
1146  }
1147  else
1148  {
1149  return false;
1150  }
1151 }
1152 
1153 /*
1154  * Persistent TUN/TAP device management mode?
1155  */
1156 bool
1158 {
1159  if (options->persist_config)
1160  {
1161  /* sanity check on options for --mktun or --rmtun */
1162  notnull(options->dev, "TUN/TAP device (--dev)");
1163  if (options->ce.remote || options->ifconfig_local
1164  || options->ifconfig_remote_netmask
1165  || options->shared_secret_file
1166  || options->tls_server || options->tls_client
1167  )
1168  {
1170  "options --mktun or --rmtun should only be used together with --dev");
1171  }
1172 #ifdef ENABLE_FEATURE_TUN_PERSIST
1173  tuncfg(options->dev, options->dev_type, options->dev_node,
1174  options->persist_mode,
1175  options->username, options->groupname, &options->tuntap_options,
1176  ctx);
1177  if (options->persist_mode && options->lladdr)
1178  {
1179  set_lladdr(options->dev, options->lladdr, NULL);
1180  }
1181  return true;
1182 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1183  msg( M_FATAL|M_OPTERR,
1184  "options --mktun and --rmtun are not available on your operating "
1185  "system. Please check 'man tun' (or 'tap'), whether your system "
1186  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1187  "persistent tunnel interfaces.", options->dev );
1188 #endif
1189  }
1190  return false;
1191 }
1192 
1193 /*
1194  * Should we become a daemon?
1195  * Return true if we did it.
1196  */
1197 bool
1199 {
1200  bool ret = false;
1201 
1202 #ifdef ENABLE_SYSTEMD
1203  /* return without forking if we are running from systemd */
1204  if (sd_notify(0, "READY=0") > 0)
1205  {
1206  return ret;
1207  }
1208 #endif
1209 
1210  if (options->daemon)
1211  {
1212  /* Don't chdir immediately, but the end of the init sequence, if needed */
1213 
1214 #if defined(__APPLE__) && defined(__clang__)
1215 #pragma clang diagnostic push
1216 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1217 #endif
1218  if (daemon(1, options->log) < 0)
1219  {
1220  msg(M_ERR, "daemon() failed or unsupported");
1221  }
1222 #if defined(__APPLE__) && defined(__clang__)
1223 #pragma clang diagnostic pop
1224 #endif
1226  if (options->log)
1227  {
1228  set_std_files_to_null(true);
1229  }
1230 
1231  ret = true;
1232  }
1233  return ret;
1234 }
1235 
1236 /*
1237  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1238  */
1239 static void
1240 do_uid_gid_chroot(struct context *c, bool no_delay)
1241 {
1242  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1243  struct context_0 *c0 = c->c0;
1244 
1245  if (c0 && !c0->uid_gid_chroot_set)
1246  {
1247  /* chroot if requested */
1248  if (c->options.chroot_dir)
1249  {
1250  if (no_delay)
1251  {
1253  }
1254  else if (c->first_time)
1255  {
1256  msg(M_INFO, "NOTE: chroot %s", why_not);
1257  }
1258  }
1259 
1260  /* set user and/or group if we want to setuid/setgid */
1261  if (c0->uid_gid_specified)
1262  {
1263  if (no_delay)
1264  {
1267  }
1268  else if (c->first_time)
1269  {
1270  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1271  }
1272  }
1273 
1274 #ifdef ENABLE_MEMSTATS
1275  if (c->first_time && c->options.memstats_fn)
1276  {
1277  mstats_open(c->options.memstats_fn);
1278  }
1279 #endif
1280 
1281 #ifdef ENABLE_SELINUX
1282  /* Apply a SELinux context in order to restrict what OpenVPN can do
1283  * to _only_ what it is supposed to do after initialization is complete
1284  * (basically just network I/O operations). Doing it after chroot
1285  * requires /proc to be mounted in the chroot (which is annoying indeed
1286  * but doing it before requires more complex SELinux policies.
1287  */
1288  if (c->options.selinux_context)
1289  {
1290  if (no_delay)
1291  {
1292  if (-1 == setcon(c->options.selinux_context))
1293  {
1294  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1295  }
1296  else
1297  {
1298  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1299  }
1300  }
1301  else if (c->first_time)
1302  {
1303  msg(M_INFO, "NOTE: setcon %s", why_not);
1304  }
1305  }
1306 #endif
1307 
1308  /* Privileges are going to be dropped by now (if requested), be sure
1309  * to prevent any future privilege dropping attempts from now on.
1310  */
1311  if (no_delay)
1312  {
1313  c0->uid_gid_chroot_set = true;
1314  }
1315  }
1316 }
1317 
1318 /*
1319  * Return common name in a way that is formatted for
1320  * prepending to msg() output.
1321  */
1322 const char *
1323 format_common_name(struct context *c, struct gc_arena *gc)
1324 {
1325  struct buffer out = alloc_buf_gc(256, gc);
1326  if (c->c2.tls_multi)
1327  {
1328  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1329  }
1330  return BSTR(&out);
1331 }
1332 
1333 void
1334 pre_setup(const struct options *options)
1335 {
1336 #ifdef _WIN32
1337  if (options->exit_event_name)
1338  {
1341  options->exit_event_name,
1342  options->exit_event_initial_state);
1343  }
1344  else
1345  {
1348  NULL,
1349  false);
1350 
1351  /* put a title on the top window bar */
1353  {
1355  window_title_generate(options->config);
1356  }
1357  }
1358 #endif /* ifdef _WIN32 */
1359 }
1360 
1361 void
1363 {
1364  c->c2.coarse_timer_wakeup = 0;
1365 }
1366 
1367 /*
1368  * Initialise the server poll timeout timer
1369  * This timer is used in the http/socks proxy setup so it needs to be setup
1370  * before
1371  */
1372 static void
1374 {
1375  update_time();
1376  if (c->options.ce.connect_timeout)
1377  {
1379  }
1380 }
1381 
1382 /*
1383  * Initialize timers
1384  */
1385 static void
1386 do_init_timers(struct context *c, bool deferred)
1387 {
1388  update_time();
1390 
1391  /* initialize inactivity timeout */
1392  if (c->options.inactivity_timeout)
1393  {
1395  }
1396 
1397  /* initialize pings */
1398 
1399  if (c->options.ping_send_timeout)
1400  {
1402  }
1403 
1404  if (c->options.ping_rec_timeout)
1405  {
1407  }
1408 
1409  if (!deferred)
1410  {
1411  /* initialize connection establishment timer */
1413 
1414  /* initialize occ timers */
1415 
1416  if (c->options.occ
1417  && !TLS_MODE(c)
1419  {
1421  }
1422 
1423  if (c->options.mtu_test)
1424  {
1426  }
1427 
1428  /* initialize packet_id persistence timer */
1429  if (c->options.packet_id_file)
1430  {
1432  }
1433 
1434  /* initialize tmp_int optimization that limits the number of times we call
1435  * tls_multi_process in the main event loop */
1437  }
1438 }
1439 
1440 /*
1441  * Initialize traffic shaper.
1442  */
1443 static void
1445 {
1446  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1447  if (c->options.shaper)
1448  {
1449  shaper_init(&c->c2.shaper, c->options.shaper);
1450  shaper_msg(&c->c2.shaper);
1451  }
1452 }
1453 
1454 /*
1455  * Allocate route list structures for IPv4 and IPv6
1456  * (we do this for IPv4 even if no --route option has been seen, as other
1457  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1458  */
1459 static void
1461 {
1462  if (!c->c1.route_list)
1463  {
1464  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1465  }
1466  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1467  {
1469  }
1470 }
1471 
1472 
1473 /*
1474  * Initialize the route list, resolving any DNS names in route
1475  * options and saving routes in the environment.
1476  */
1477 static void
1479  struct route_list *route_list,
1480  const struct link_socket_info *link_socket_info,
1481  struct env_set *es,
1482  openvpn_net_ctx_t *ctx)
1483 {
1484  const char *gw = NULL;
1485  int dev = dev_type_enum(options->dev, options->dev_type);
1486  int metric = 0;
1487 
1488  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1489  {
1490  gw = options->ifconfig_remote_netmask;
1491  }
1492  if (options->route_default_gateway)
1493  {
1494  gw = options->route_default_gateway;
1495  }
1496  if (options->route_default_metric)
1497  {
1498  metric = options->route_default_metric;
1499  }
1500 
1501  if (init_route_list(route_list,
1502  options->routes,
1503  gw,
1504  metric,
1505  link_socket_current_remote(link_socket_info),
1506  es,
1507  ctx))
1508  {
1509  /* copy routes to environment */
1510  setenv_routes(es, route_list);
1511  }
1512 }
1513 
1514 static void
1517  const struct link_socket_info *link_socket_info,
1518  struct env_set *es,
1519  openvpn_net_ctx_t *ctx)
1520 {
1521  const char *gw = NULL;
1522  int metric = -1; /* no metric set */
1523 
1524  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1525  if (options->route_ipv6_default_gateway)
1526  {
1527  gw = options->route_ipv6_default_gateway;
1528  }
1529 
1530  if (options->route_default_metric)
1531  {
1532  metric = options->route_default_metric;
1533  }
1534 
1535  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1536  */
1537  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1538  {
1539  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1540  int i;
1541 
1542  for (i = 0; opt_list[i]; i++)
1543  {
1545  string_alloc(opt_list[i], options->routes_ipv6->gc),
1546  NULL, NULL );
1547  }
1548  }
1549 
1550  if (init_route_ipv6_list(route_ipv6_list,
1551  options->routes_ipv6,
1552  gw,
1553  metric,
1554  link_socket_current_remote_ipv6(link_socket_info),
1555  es,
1556  ctx))
1557  {
1558  /* copy routes to environment */
1559  setenv_routes_ipv6(es, route_ipv6_list);
1560  }
1561 }
1562 
1563 
1564 /*
1565  * Called after all initialization has been completed.
1566  */
1567 void
1568 initialization_sequence_completed(struct context *c, const unsigned int flags)
1569 {
1570  static const char message[] = "Initialization Sequence Completed";
1571 
1572  /* Reset the unsuccessful connection counter on complete initialisation */
1574 
1575  /* If we delayed UID/GID downgrade or chroot, do it now */
1576  do_uid_gid_chroot(c, true);
1577 
1578 
1579  /*
1580  * In some cases (i.e. when receiving auth-token via
1581  * push-reply) the auth-nocache option configured on the
1582  * client is overridden; for this reason we have to wait
1583  * for the push-reply message before attempting to wipe
1584  * the user/pass entered by the user
1585  */
1586  if (c->options.mode == MODE_POINT_TO_POINT)
1587  {
1589  }
1590 
1591  /* Test if errors */
1592  if (flags & ISC_ERRORS)
1593  {
1594 #ifdef _WIN32
1597  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1598 #else
1599 #ifdef ENABLE_SYSTEMD
1600  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1601 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1602  msg(M_INFO, "%s With Errors", message);
1603 #endif
1604  }
1605  else
1606  {
1607 #ifdef ENABLE_SYSTEMD
1608  sd_notifyf(0, "STATUS=%s", message);
1609 #endif
1610  msg(M_INFO, "%s", message);
1611  }
1612 
1613  /* Flag that we initialized */
1614  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1615  {
1616  c->options.no_advance = true;
1617  }
1618 
1619 #ifdef _WIN32
1621 #endif
1622 
1623 #ifdef ENABLE_MANAGEMENT
1624  /* Tell management interface that we initialized */
1625  if (management)
1626  {
1627  in_addr_t *tun_local = NULL;
1628  struct in6_addr *tun_local6 = NULL;
1629  struct openvpn_sockaddr local, remote;
1630  struct link_socket_actual *actual;
1631  socklen_t sa_len = sizeof(local);
1632  const char *detail = "SUCCESS";
1633  if (flags & ISC_ERRORS)
1634  {
1635  detail = "ERROR";
1636  }
1637 
1638  CLEAR(local);
1639  actual = &get_link_socket_info(c)->lsa->actual;
1640  remote = actual->dest;
1641  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1642 #if ENABLE_IP_PKTINFO
1643  if (!addr_defined(&local))
1644  {
1645  switch (local.addr.sa.sa_family)
1646  {
1647  case AF_INET:
1648 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1649  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1650 #else
1651  local.addr.in4.sin_addr = actual->pi.in4;
1652 #endif
1653  break;
1654 
1655  case AF_INET6:
1656  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1657  break;
1658  }
1659  }
1660 #endif
1661 
1662  if (c->c1.tuntap)
1663  {
1664  tun_local = &c->c1.tuntap->local;
1665  tun_local6 = &c->c1.tuntap->local_ipv6;
1666  }
1669  detail,
1670  tun_local,
1671  tun_local6,
1672  &local,
1673  &remote);
1674  if (tun_local)
1675  {
1677  }
1678  }
1679 #endif /* ifdef ENABLE_MANAGEMENT */
1680 }
1681 
1682 /*
1683  * Possibly add routes and/or call route-up script
1684  * based on options.
1685  */
1686 void
1687 do_route(const struct options *options,
1688  struct route_list *route_list,
1690  const struct tuntap *tt,
1691  const struct plugin_list *plugins,
1692  struct env_set *es,
1693  openvpn_net_ctx_t *ctx)
1694 {
1695  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1696  {
1697  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1698  es, ctx);
1699  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1700  }
1701 #ifdef ENABLE_MANAGEMENT
1702  if (management)
1703  {
1704  management_up_down(management, "UP", es);
1705  }
1706 #endif
1707 
1709  {
1710  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1711  {
1712  msg(M_WARN, "WARNING: route-up plugin call failed");
1713  }
1714  }
1715 
1716  if (options->route_script)
1717  {
1718  struct argv argv = argv_new();
1719  setenv_str(es, "script_type", "route-up");
1720  argv_parse_cmd(&argv, options->route_script);
1721  openvpn_run_script(&argv, es, 0, "--route-up");
1722  argv_free(&argv);
1723  }
1724 
1725 #ifdef _WIN32
1726  if (options->show_net_up)
1727  {
1730  }
1731  else if (check_debug_level(D_SHOW_NET))
1732  {
1735  }
1736 #endif
1737 }
1738 
1739 /*
1740  * initialize tun/tap device object
1741  */
1742 static void
1744 {
1745  c->c1.tuntap = init_tun(c->options.dev,
1746  c->options.dev_type,
1747  c->options.topology,
1756  c->c2.es,
1757  &c->net_ctx);
1758 
1759 #ifdef _WIN32
1761 #endif
1762 
1763  init_tun_post(c->c1.tuntap,
1764  &c->c2.frame,
1765  &c->options.tuntap_options);
1766 
1767  c->c1.tuntap_owned = true;
1768 }
1769 
1770 /*
1771  * Open tun/tap device, ifconfig, call up script, etc.
1772  */
1773 
1774 static bool
1776 {
1777  struct gc_arena gc = gc_new();
1778  bool ret = false;
1779 
1780 #ifndef TARGET_ANDROID
1781  if (!c->c1.tuntap)
1782  {
1783 #endif
1784 
1785 #ifdef TARGET_ANDROID
1786  /* If we emulate persist-tun on android we still have to open a new tun and
1787  * then close the old */
1788  int oldtunfd = -1;
1789  if (c->c1.tuntap)
1790  {
1791  oldtunfd = c->c1.tuntap->fd;
1792  free(c->c1.tuntap);
1793  c->c1.tuntap = NULL;
1794  c->c1.tuntap_owned = false;
1795  }
1796 #endif
1797 
1798  /* initialize (but do not open) tun/tap object */
1799  do_init_tun(c);
1800 
1801 #ifdef _WIN32
1802  /* store (hide) interactive service handle in tuntap_options */
1804  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1805 #endif
1806 
1807  /* allocate route list structure */
1809 
1810  /* parse and resolve the route option list */
1811  ASSERT(c->c2.link_socket);
1812  if (c->options.routes && c->c1.route_list)
1813  {
1815  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1816  }
1817  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1818  {
1820  &c->c2.link_socket->info, c->c2.es,
1821  &c->net_ctx);
1822  }
1823 
1824  /* do ifconfig */
1825  if (!c->options.ifconfig_noexec
1827  {
1828  /* guess actual tun/tap unit number that will be returned
1829  * by open_tun */
1830  const char *guess = guess_tuntap_dev(c->options.dev,
1831  c->options.dev_type,
1832  c->options.dev_node,
1833  &gc);
1834  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1835  &c->net_ctx);
1836  }
1837 
1838  /* possibly add routes */
1839  if (route_order() == ROUTE_BEFORE_TUN)
1840  {
1841  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1843  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1844  }
1845 #ifdef TARGET_ANDROID
1846  /* Store the old fd inside the fd so open_tun can use it */
1847  c->c1.tuntap->fd = oldtunfd;
1848 #endif
1849  /* open the tun device */
1851  c->c1.tuntap);
1852 
1853  /* set the hardware address */
1854  if (c->options.lladdr)
1855  {
1857  }
1858 
1859  /* do ifconfig */
1860  if (!c->options.ifconfig_noexec
1862  {
1864  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1865  }
1866 
1867  /* run the up script */
1869  c->plugins,
1871  c->c1.tuntap->actual_name,
1872 #ifdef _WIN32
1873  c->c1.tuntap->adapter_index,
1874 #endif
1876  TUN_MTU_SIZE(&c->c2.frame),
1877  EXPANDED_SIZE(&c->c2.frame),
1880  "init",
1881  NULL,
1882  "up",
1883  c->c2.es);
1884 
1885 #if defined(_WIN32)
1886  if (c->options.block_outside_dns)
1887  {
1888  dmsg(D_LOW, "Blocking outside DNS");
1890  {
1891  msg(M_FATAL, "Blocking DNS failed!");
1892  }
1893  }
1894 #endif
1895 
1896  /* possibly add routes */
1898  {
1900  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1901  }
1902 
1903  /*
1904  * Did tun/tap driver give us an MTU?
1905  */
1906  if (c->c1.tuntap->post_open_mtu)
1907  {
1909  c->c1.tuntap->post_open_mtu,
1911  }
1912 
1913  ret = true;
1914  static_context = c;
1915 #ifndef TARGET_ANDROID
1916 }
1917 else
1918 {
1919  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1920  c->c1.tuntap->actual_name);
1921 
1922  /* explicitly set the ifconfig_* env vars */
1923  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1924 
1925  /* run the up script if user specified --up-restart */
1926  if (c->options.up_restart)
1927  {
1929  c->plugins,
1931  c->c1.tuntap->actual_name,
1932 #ifdef _WIN32
1933  c->c1.tuntap->adapter_index,
1934 #endif
1936  TUN_MTU_SIZE(&c->c2.frame),
1937  EXPANDED_SIZE(&c->c2.frame),
1940  "restart",
1941  NULL,
1942  "up",
1943  c->c2.es);
1944  }
1945 #if defined(_WIN32)
1946  if (c->options.block_outside_dns)
1947  {
1948  dmsg(D_LOW, "Blocking outside DNS");
1950  {
1951  msg(M_FATAL, "Blocking DNS failed!");
1952  }
1953  }
1954 #endif
1955 
1956 }
1957 #endif /* ifndef TARGET_ANDROID */
1958  gc_free(&gc);
1959  return ret;
1960 }
1961 
1962 /*
1963  * Close TUN/TAP device
1964  */
1965 
1966 static void
1968 {
1969  msg(D_CLOSE, "Closing TUN/TAP interface");
1970  if (c->c1.tuntap)
1971  {
1972  close_tun(c->c1.tuntap, &c->net_ctx);
1973  c->c1.tuntap = NULL;
1974  }
1975  c->c1.tuntap_owned = false;
1977 }
1978 
1979 static void
1980 do_close_tun(struct context *c, bool force)
1981 {
1982  struct gc_arena gc = gc_new();
1983  if (c->c1.tuntap && c->c1.tuntap_owned)
1984  {
1985  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1986 #ifdef _WIN32
1987  DWORD adapter_index = c->c1.tuntap->adapter_index;
1988 #endif
1989  const in_addr_t local = c->c1.tuntap->local;
1990  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1991 
1992  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1993  {
1994  static_context = NULL;
1995 
1996 #ifdef ENABLE_MANAGEMENT
1997  /* tell management layer we are about to close the TUN/TAP device */
1998  if (management)
1999  {
2001  management_up_down(management, "DOWN", c->c2.es);
2002  }
2003 #endif
2004 
2005  /* delete any routes we added */
2006  if (c->c1.route_list || c->c1.route_ipv6_list)
2007  {
2009  c->plugins,
2011  tuntap_actual,
2012 #ifdef _WIN32
2013  adapter_index,
2014 #endif
2015  NULL,
2016  TUN_MTU_SIZE(&c->c2.frame),
2017  EXPANDED_SIZE(&c->c2.frame),
2018  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2019  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2020  "init",
2022  c->sig->signal_text),
2023  "route-pre-down",
2024  c->c2.es);
2025 
2028  c->c2.es, &c->net_ctx);
2029  }
2030 
2031  /* actually close tun/tap device based on --down-pre flag */
2032  if (!c->options.down_pre)
2033  {
2035  }
2036 
2037  /* Run the down script -- note that it will run at reduced
2038  * privilege if, for example, "--user nobody" was used. */
2040  c->plugins,
2042  tuntap_actual,
2043 #ifdef _WIN32
2044  adapter_index,
2045 #endif
2046  NULL,
2047  TUN_MTU_SIZE(&c->c2.frame),
2048  EXPANDED_SIZE(&c->c2.frame),
2049  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2050  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2051  "init",
2053  c->sig->signal_text),
2054  "down",
2055  c->c2.es);
2056 
2057 #if defined(_WIN32)
2058  if (c->options.block_outside_dns)
2059  {
2060  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2061  {
2062  msg(M_FATAL, "Uninitialising WFP failed!");
2063  }
2064  }
2065 #endif
2066 
2067  /* actually close tun/tap device based on --down-pre flag */
2068  if (c->options.down_pre)
2069  {
2071  }
2072  }
2073  else
2074  {
2075  /* run the down script on this restart if --up-restart was specified */
2076  if (c->options.up_restart)
2077  {
2079  c->plugins,
2081  tuntap_actual,
2082 #ifdef _WIN32
2083  adapter_index,
2084 #endif
2085  NULL,
2086  TUN_MTU_SIZE(&c->c2.frame),
2087  EXPANDED_SIZE(&c->c2.frame),
2088  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2089  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2090  "restart",
2092  c->sig->signal_text),
2093  "down",
2094  c->c2.es);
2095  }
2096 
2097 #if defined(_WIN32)
2098  if (c->options.block_outside_dns)
2099  {
2100  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2101  {
2102  msg(M_FATAL, "Uninitialising WFP failed!");
2103  }
2104  }
2105 #endif
2106 
2107  }
2108  }
2109  gc_free(&gc);
2110 }
2111 
2112 void
2114 {
2115  struct context *c = static_context;
2116  if (c)
2117  {
2118  static_context = NULL;
2119  do_close_tun(c, true);
2120  }
2121 }
2122 
2123 /*
2124  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2125  */
2126 
2131 static bool
2133  const struct sha256_digest *b)
2134 {
2135  const struct sha256_digest zero = {{0}};
2136  return memcmp(a, b, sizeof(struct sha256_digest))
2137  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2138 }
2139 
2140 bool
2141 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2142 {
2143  if (!c->c2.do_up_ran)
2144  {
2146 
2147  if (pulled_options)
2148  {
2149  if (!do_deferred_options(c, option_types_found))
2150  {
2151  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2152  return false;
2153  }
2154  }
2155  else if (c->mode == MODE_POINT_TO_POINT)
2156  {
2157  if (!do_deferred_p2p_ncp(c))
2158  {
2159  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2160  return false;
2161  }
2162  }
2163 
2164  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2165  if (c->options.up_delay || PULL_DEFINED(&c->options))
2166  {
2167  c->c2.did_open_tun = do_open_tun(c);
2168  update_time();
2169 
2170  /*
2171  * Was tun interface object persisted from previous restart iteration,
2172  * and if so did pulled options string change from previous iteration?
2173  */
2174  if (!c->c2.did_open_tun
2175  && PULL_DEFINED(&c->options)
2176  && c->c1.tuntap
2179  {
2180  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2181  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2182  do_close_tun(c, true);
2183  management_sleep(1);
2184  c->c2.did_open_tun = do_open_tun(c);
2185  update_time();
2186  }
2187  }
2188 
2189  if (c->c2.did_open_tun)
2190  {
2192 
2193  /* if --route-delay was specified, start timer */
2195  {
2198  if (c->c1.tuntap)
2199  {
2201  }
2202  }
2203  else
2204  {
2205  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2206  }
2207  }
2208  else if (c->options.mode == MODE_POINT_TO_POINT)
2209  {
2210  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2211  }
2212 
2213  c->c2.do_up_ran = true;
2214  if (c->c2.tls_multi)
2215  {
2217  }
2218  }
2219  return true;
2220 }
2221 
2222 /*
2223  * These are the option categories which will be accepted by pull.
2224  */
2225 unsigned int
2227 {
2228  unsigned int flags =
2229  OPT_P_UP
2231  | OPT_P_SOCKBUF
2232  | OPT_P_SOCKFLAGS
2233  | OPT_P_SETENV
2234  | OPT_P_SHAPER
2235  | OPT_P_TIMER
2236  | OPT_P_COMP
2237  | OPT_P_PERSIST
2238  | OPT_P_MESSAGES
2240  | OPT_P_ECHO
2241  | OPT_P_PULL_MODE
2242  | OPT_P_PEER_ID
2243  | OPT_P_NCP;
2244 
2245  if (!c->options.route_nopull)
2246  {
2247  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2248  }
2249 
2250  return flags;
2251 }
2252 
2253 static
2255 {
2256  frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */
2257  if (!c->options.ce.link_mtu_defined)
2258  {
2259  frame_add_to_link_mtu(&c->c2.frame, 3);
2260  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2261  EXPANDED_SIZE(&c->c2.frame));
2262  }
2263  else
2264  {
2265  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2266  " fixed by config - reducing tun-mtu to %d, expect"
2267  " MTU problems", TUN_MTU_SIZE(&c->c2.frame));
2268  }
2269 }
2270 
2271 static bool
2273 {
2274  if (!c->c2.tls_multi)
2275  {
2276  return true;
2277  }
2278 
2279  if (c->c2.tls_multi->use_peer_id)
2280  {
2281  adjust_mtu_peerid(c);
2282  }
2283 
2284  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2285 
2286  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2287  &c->options.gc);
2288 
2289  if (ncp_cipher)
2290  {
2291  c->options.ciphername = ncp_cipher;
2292  }
2293  else if (!c->options.enable_ncp_fallback)
2294  {
2295  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2296  "--data-ciphers-fallback not enabled. No usable "
2297  "data channel cipher");
2298  return false;
2299  }
2300 
2301  struct frame *frame_fragment = NULL;
2302 #ifdef ENABLE_FRAGMENT
2303  if (c->options.ce.fragment)
2304  {
2305  frame_fragment = &c->c2.frame_fragment;
2306  }
2307 #endif
2308 
2309  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2310  frame_fragment))
2311  {
2312  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2313  return false;
2314  }
2315  return true;
2316 }
2317 
2318 /*
2319  * Handle non-tun-related pulled options.
2320  */
2321 bool
2322 do_deferred_options(struct context *c, const unsigned int found)
2323 {
2324  if (found & OPT_P_MESSAGES)
2325  {
2327  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2328  }
2329  if (found & OPT_P_TIMER)
2330  {
2331  do_init_timers(c, true);
2332  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2333  }
2334 
2335  if (found & OPT_P_EXPLICIT_NOTIFY)
2336  {
2338  {
2339  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2341  }
2342  else
2343  {
2344  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2345  }
2346  }
2347 
2348 #ifdef USE_COMP
2349  if (found & OPT_P_COMP)
2350  {
2351  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2352  comp_uninit(c->c2.comp_context);
2353  c->c2.comp_context = comp_init(&c->options.comp);
2354  }
2355 #endif
2356 
2357  if (found & OPT_P_SHAPER)
2358  {
2359  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2361  }
2362 
2363  if (found & OPT_P_SOCKBUF)
2364  {
2365  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2367  }
2368 
2369  if (found & OPT_P_SOCKFLAGS)
2370  {
2371  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2373  }
2374 
2375  if (found & OPT_P_PERSIST)
2376  {
2377  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2378  }
2379  if (found & OPT_P_UP)
2380  {
2381  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2382  }
2383  if (found & OPT_P_ROUTE)
2384  {
2385  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2386  }
2387  if (found & OPT_P_ROUTE_EXTRAS)
2388  {
2389  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2390  }
2391  if (found & OPT_P_IPWIN32)
2392  {
2393  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2394  }
2395  if (found & OPT_P_SETENV)
2396  {
2397  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2398  }
2399 
2400  if (found & OPT_P_PEER_ID)
2401  {
2402  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2403  c->c2.tls_multi->use_peer_id = true;
2404  c->c2.tls_multi->peer_id = c->options.peer_id;
2405  adjust_mtu_peerid(c);
2406  }
2407 
2408  /* process (potentially pushed) crypto options */
2409  if (c->options.pull)
2410  {
2411  if (!check_pull_client_ncp(c, found))
2412  {
2413  return false;
2414  }
2415  struct frame *frame_fragment = NULL;
2416 #ifdef ENABLE_FRAGMENT
2417  if (c->options.ce.fragment)
2418  {
2419  frame_fragment = &c->c2.frame_fragment;
2420  }
2421 #endif
2422 
2423  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2424  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2425  frame_fragment))
2426  {
2427  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2428  return false;
2429  }
2430  }
2431 
2432  return true;
2433 }
2434 
2435 /*
2436  * Possible hold on initialization, holdtime is the
2437  * time OpenVPN would wait without management
2438  */
2439 static bool
2440 do_hold(int holdtime)
2441 {
2442 #ifdef ENABLE_MANAGEMENT
2443  if (management)
2444  {
2445  /* block until management hold is released */
2446  if (management_hold(management, holdtime))
2447  {
2448  return true;
2449  }
2450  }
2451 #endif
2452  return false;
2453 }
2454 
2455 /*
2456  * Sleep before restart.
2457  */
2458 static void
2460 {
2461  int sec = 2;
2462  int backoff = 0;
2463 
2464  switch (c->options.ce.proto)
2465  {
2466  case PROTO_TCP_SERVER:
2467  sec = 1;
2468  break;
2469 
2470  case PROTO_UDP:
2471  case PROTO_TCP_CLIENT:
2472  sec = c->options.ce.connect_retry_seconds;
2473  break;
2474  }
2475 
2476 #ifdef ENABLE_DEBUG
2477  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2478  {
2479  sec = 0;
2480  }
2481 #endif
2482 
2483  if (auth_retry_get() == AR_NOINTERACT)
2484  {
2485  sec = 10;
2486  }
2487 
2488  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2489  if (c->options.ce.proto == PROTO_TCP_CLIENT
2490  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2491  {
2492  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2493  if (backoff > 0)
2494  {
2495  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2496  sec = max_int(sec, 1) << min_int(backoff, 15);
2497  }
2498 
2499  if (sec > c->options.ce.connect_retry_seconds_max)
2500  {
2502  }
2503  }
2504 
2506  {
2507  sec = c->persist.restart_sleep_seconds;
2508  }
2509  else if (c->persist.restart_sleep_seconds == -1)
2510  {
2511  sec = 0;
2512  }
2514 
2515  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2516  if (do_hold(sec))
2517  {
2518  sec = 0;
2519  }
2520 
2521  if (sec)
2522  {
2523  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2524  management_sleep(sec);
2525  }
2526 }
2527 
2528 /*
2529  * Do a possible pause on context_2 initialization.
2530  */
2531 static void
2533 {
2534  if (!c->first_time)
2535  {
2537  }
2538  else
2539  {
2540  do_hold(0); /* do management hold on first context initialization */
2541  }
2542 }
2543 
2544 /*
2545  * Finalize MTU parameters based on command line or config file options.
2546  */
2547 static void
2548 frame_finalize_options(struct context *c, const struct options *o)
2549 {
2550  if (!o)
2551  {
2552  o = &c->options;
2553  }
2554 
2555  /*
2556  * Set adjustment factor for buffer alignment when no
2557  * cipher is used.
2558  */
2559  if (!CIPHER_ENABLED(c))
2560  {
2566  }
2567 
2569  frame_finalize(&c->c2.frame,
2570  o->ce.link_mtu_defined,
2571  o->ce.link_mtu,
2572  o->ce.tun_mtu_defined,
2573  o->ce.tun_mtu);
2574 }
2575 
2576 /*
2577  * Free a key schedule, including OpenSSL components.
2578  */
2579 static void
2580 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2581 {
2583  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2584  {
2585  tls_ctx_free(&ks->ssl_ctx);
2587  }
2588  CLEAR(*ks);
2589 }
2590 
2591 static void
2592 init_crypto_pre(struct context *c, const unsigned int flags)
2593 {
2594  if (c->options.engine)
2595  {
2597  }
2598 
2599  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2600  {
2601  /* load a persisted packet-id for cross-session replay-protection */
2602  if (c->options.packet_id_file)
2603  {
2605  }
2606  }
2607 
2608 #ifdef ENABLE_PREDICTION_RESISTANCE
2609  if (c->options.use_prediction_resistance)
2610  {
2611  rand_ctx_enable_prediction_resistance();
2612  }
2613 #endif
2614 }
2615 
2616 /*
2617  * Static Key Mode (using a pre-shared key)
2618  */
2619 static void
2620 do_init_crypto_static(struct context *c, const unsigned int flags)
2621 {
2622  const struct options *options = &c->options;
2623  ASSERT(options->shared_secret_file);
2624 
2625  init_crypto_pre(c, flags);
2626 
2627  /* Initialize flags */
2629  {
2631  }
2632 
2633  /* Initialize packet ID tracking */
2634  if (options->replay)
2635  {
2637  options->replay_window,
2638  options->replay_time,
2639  "STATIC", 0);
2644  }
2645 
2646  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2647  {
2648  /* Get cipher & hash algorithms */
2649  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2650  options->test_crypto, true);
2651 
2652  /* Read cipher and hmac keys from shared secret file */
2654  options->shared_secret_file,
2655  options->shared_secret_file_inline,
2656  options->key_direction, "Static Key Encryption",
2657  "secret");
2658  }
2659  else
2660  {
2661  msg(M_INFO, "Re-using pre-shared static key");
2662  }
2663 
2664  /* Get key schedule */
2666 
2667  /* Compute MTU parameters */
2669  options->replay, true);
2670 
2671  /* Sanity check on sequence number, and cipher mode options */
2672  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2673 }
2674 
2675 /*
2676  * Initialize the tls-auth/crypt key context
2677  */
2678 static void
2680 {
2681  const struct options *options = &c->options;
2682 
2683  /* TLS handshake authentication (--tls-auth) */
2684  if (options->ce.tls_auth_file)
2685  {
2686  /* Initialize key_type for tls-auth with auth only */
2688  if (!streq(options->authname, "none"))
2689  {
2693  }
2694  else
2695  {
2696  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2697  "algorithm specified ('%s')", options->authname);
2698  }
2699 
2701  &c->c1.ks.tls_wrap_key,
2702  options->ce.tls_auth_file,
2703  options->ce.tls_auth_file_inline,
2704  options->ce.key_direction,
2705  "Control Channel Authentication", "tls-auth");
2706  }
2707 
2708  /* TLS handshake encryption+authentication (--tls-crypt) */
2709  if (options->ce.tls_crypt_file)
2710  {
2712  options->ce.tls_crypt_file,
2713  options->ce.tls_crypt_file_inline,
2714  options->tls_server);
2715  }
2716 
2717  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2718  if (options->ce.tls_crypt_v2_file)
2719  {
2720  if (options->tls_server)
2721  {
2723  true, options->ce.tls_crypt_v2_file,
2724  options->ce.tls_crypt_v2_file_inline);
2725  }
2726  else
2727  {
2729  &c->c1.ks.tls_crypt_v2_wkc,
2730  options->ce.tls_crypt_v2_file,
2731  options->ce.tls_crypt_v2_file_inline);
2732  }
2733  }
2734 
2735 
2736 }
2737 
2738 /*
2739  * Initialize the persistent component of OpenVPN's TLS mode,
2740  * which is preserved across SIGUSR1 resets.
2741  */
2742 static void
2744 {
2745  const struct options *options = &c->options;
2746 
2747  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2748  {
2749  /*
2750  * Initialize the OpenSSL library's global
2751  * SSL context.
2752  */
2753  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2754  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2755  {
2756  switch (auth_retry_get())
2757  {
2758  case AR_NONE:
2759  msg(M_FATAL, "Error: private key password verification failed");
2760  break;
2761 
2762  case AR_INTERACT:
2763  ssl_purge_auth(false);
2764 
2765  case AR_NOINTERACT:
2766  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2767  break;
2768 
2769  default:
2770  ASSERT(0);
2771  }
2772  c->sig->signal_text = "private-key-password-failure";
2773  return;
2774  }
2775 
2776  /*
2777  * BF-CBC is allowed to be used only when explicitly configured
2778  * as NCP-fallback or when NCP has been disabled or explicitly
2779  * allowed in the in ncp_ciphers list.
2780  * In all other cases do not attempt to initialize BF-CBC as it
2781  * may not even be supported by the underlying SSL library.
2782  *
2783  * Therefore, the key structure has to be initialized when:
2784  * - any non-BF-CBC cipher was selected; or
2785  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2786  * (BF-CBC will be the fallback).
2787  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2788  * If the negotiated cipher and options->ciphername are the
2789  * same we do not reinit the cipher
2790  *
2791  * Note that BF-CBC will still be part of the OCC string to retain
2792  * backwards compatibility with older clients.
2793  */
2794  if (!streq(options->ciphername, "BF-CBC")
2795  || tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2796  || options->enable_ncp_fallback)
2797  {
2798  /* Do not warn if the if the cipher is used only in OCC */
2799  bool warn = options->enable_ncp_fallback;
2800  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2801  true, warn);
2802  }
2803  /* Initialize PRNG with config-specified digest */
2804  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2805 
2806  /* initialize tls-auth/crypt/crypt-v2 key */
2808 
2809  /* initialise auth-token crypto support */
2811  {
2815  }
2816 
2817 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2818  if (options->priv_key_file_inline)
2819  {
2821  c->options.priv_key_file_inline = NULL;
2822  }
2823 #endif
2824  }
2825  else
2826  {
2827  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2828 
2829  /*
2830  * tls-auth/crypt key can be configured per connection block, therefore
2831  * we must reload it as it may have changed
2832  */
2834  }
2835 }
2836 
2837 static void
2838 do_init_crypto_tls(struct context *c, const unsigned int flags)
2839 {
2840  const struct options *options = &c->options;
2841  struct tls_options to;
2842  bool packet_id_long_form;
2843 
2844  ASSERT(options->tls_server || options->tls_client);
2845  ASSERT(!options->test_crypto);
2846 
2847  init_crypto_pre(c, flags);
2848 
2849  /* Make sure we are either a TLS client or server but not both */
2850  ASSERT(options->tls_server == !options->tls_client);
2851 
2852  /* initialize persistent component */
2854  if (IS_SIG(c))
2855  {
2856  return;
2857  }
2858 
2859  /* Sanity check on sequence number, and cipher mode options */
2860  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2861 
2862  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2863  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2864 
2865  /* Compute MTU parameters (postpone if we push/pull options) */
2866  if (c->options.pull || c->options.mode == MODE_SERVER)
2867  {
2868  /* Account for worst-case crypto overhead before allocating buffers */
2870  }
2871  else
2872  {
2874  options->replay, packet_id_long_form);
2875  }
2877 
2878  /* Set all command-line TLS-related options */
2879  CLEAR(to);
2880 
2881  if (options->mute_replay_warnings)
2882  {
2884  }
2885 
2887  if (packet_id_long_form)
2888  {
2890  }
2891 
2892  to.ssl_ctx = c->c1.ks.ssl_ctx;
2893  to.key_type = c->c1.ks.key_type;
2894  to.server = options->tls_server;
2895  to.replay = options->replay;
2896  to.replay_window = options->replay_window;
2897  to.replay_time = options->replay_time;
2901  to.transition_window = options->transition_window;
2902  to.handshake_window = options->handshake_window;
2903  to.packet_timeout = options->tls_timeout;
2904  to.renegotiate_bytes = options->renegotiate_bytes;
2906  if (options->renegotiate_seconds_min < 0)
2907  {
2908  /* Add 10% jitter to reneg-sec by default (server side only) */
2909  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2910  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2911  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2912  }
2913  else
2914  {
2915  /* Add user-specified jitter to reneg-sec */
2917  -(get_random() % max_int(options->renegotiate_seconds
2918  - options->renegotiate_seconds_min, 1));
2919  }
2920  to.single_session = options->single_session;
2921  to.mode = options->mode;
2922  to.pull = options->pull;
2923  if (options->push_peer_info) /* all there is */
2924  {
2925  to.push_peer_info_detail = 3;
2926  }
2927  else if (options->pull) /* pull clients send some details */
2928  {
2929  to.push_peer_info_detail = 2;
2930  }
2931  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
2932  {
2933  to.push_peer_info_detail = 0;
2934  }
2935  else /* default: minimal info to allow NCP in P2P mode */
2936  {
2937  to.push_peer_info_detail = 1;
2938  }
2939 
2940 
2941  /* should we not xmit any packets until we get an initial
2942  * response from client? */
2943  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2944  {
2945  to.xmit_hold = true;
2946  }
2947 
2948  to.disable_occ = !options->occ;
2949 
2950  to.verify_command = options->tls_verify;
2951  to.verify_export_cert = options->tls_export_cert;
2952  to.verify_x509_type = (options->verify_x509_type & 0xff);
2953  to.verify_x509_name = options->verify_x509_name;
2954  to.crl_file = options->crl_file;
2955  to.crl_file_inline = options->crl_file_inline;
2956  to.ssl_flags = options->ssl_flags;
2957  to.ns_cert_type = options->ns_cert_type;
2958  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2959  to.remote_cert_eku = options->remote_cert_eku;
2960  to.verify_hash = options->verify_hash;
2961  to.verify_hash_algo = options->verify_hash_algo;
2962  to.verify_hash_depth = options->verify_hash_depth;
2963  to.verify_hash_no_ca = options->verify_hash_no_ca;
2964 #ifdef ENABLE_X509ALTUSERNAME
2965  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2966 #else
2968 #endif
2969  to.es = c->c2.es;
2970  to.net_ctx = &c->net_ctx;
2971 
2972 #ifdef ENABLE_DEBUG
2973  to.gremlin = c->options.gremlin;
2974 #endif
2975 
2976  to.plugins = c->plugins;
2977 
2978 #ifdef ENABLE_MANAGEMENT
2979  to.mda_context = &c->c2.mda_context;
2980 #endif
2981 
2984  to.tmp_dir = options->tmp_dir;
2985  if (options->ccd_exclusive)
2986  {
2988  }
2994 
2995  to.x509_track = options->x509_track;
2996 
2997 #ifdef ENABLE_MANAGEMENT
2998  to.sci = &options->sc_info;
2999 #endif
3000 
3001 #ifdef USE_COMP
3002  to.comp_options = options->comp;
3003 #endif
3004 
3005 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3006  if (options->keying_material_exporter_label)
3007  {
3008  to.ekm_size = options->keying_material_exporter_length;
3009  if (to.ekm_size < 16 || to.ekm_size > 4095)
3010  {
3011  to.ekm_size = 0;
3012  }
3013 
3014  to.ekm_label = options->keying_material_exporter_label;
3015  to.ekm_label_size = strlen(to.ekm_label);
3016  }
3017  else
3018  {
3019  to.ekm_size = 0;
3020  }
3021 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3022 
3023  /* TLS handshake authentication (--tls-auth) */
3024  if (options->ce.tls_auth_file)
3025  {
3026  to.tls_wrap.mode = TLS_WRAP_AUTH;
3031  true, true);
3032  }
3033 
3034  /* TLS handshake encryption (--tls-crypt) */
3035  if (options->ce.tls_crypt_file
3036  || (options->ce.tls_crypt_v2_file && options->tls_client))
3037  {
3038  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3043 
3044  if (options->ce.tls_crypt_v2_file)
3045  {
3047  }
3048  }
3049 
3050  if (options->ce.tls_crypt_v2_file)
3051  {
3052  to.tls_crypt_v2 = true;
3053  if (options->tls_server)
3054  {
3057  }
3058  }
3059 
3060  /* If we are running over TCP, allow for
3061  * length prefix */
3063 
3064  /*
3065  * Initialize OpenVPN's master TLS-mode object.
3066  */
3067  if (flags & CF_INIT_TLS_MULTI)
3068  {
3069  c->c2.tls_multi = tls_multi_init(&to);
3070  }
3071 
3072  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3073  {
3075  }
3076 }
3077 
3078 static void
3080 {
3081  if (c->c2.tls_multi)
3082  {
3085  EXPANDED_SIZE(&c->c2.frame));
3087  "Control Channel MTU parms");
3088  }
3089  if (c->c2.tls_auth_standalone)
3090  {
3093  "TLS-Auth MTU parms");
3094  }
3095 }
3096 
3097 /*
3098  * No encryption or authentication.
3099  */
3100 static void
3102 {
3103  ASSERT(!c->options.test_crypto);
3104  msg(M_WARN,
3105  "******* WARNING *******: All encryption and authentication features "
3106  "disabled -- All data will be tunnelled as clear text and will not be "
3107  "protected against man-in-the-middle changes. "
3108  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3109 }
3110 
3111 static void
3112 do_init_crypto(struct context *c, const unsigned int flags)
3113 {
3114  if (c->options.shared_secret_file)
3115  {
3116  do_init_crypto_static(c, flags);
3117  }
3118  else if (c->options.tls_server || c->options.tls_client)
3119  {
3120  do_init_crypto_tls(c, flags);
3121  }
3122  else /* no encryption or authentication. */
3123  {
3125  }
3126 }
3127 
3128 static void
3130 {
3131 #ifdef USE_COMP
3132  /*
3133  * modify frame parameters if compression is enabled
3134  */
3135  if (comp_enabled(&c->options.comp))
3136  {
3137  comp_add_to_extra_frame(&c->c2.frame);
3138 
3139 #ifdef ENABLE_FRAGMENT
3140  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3141 #endif
3142  }
3143 #endif /* USE_COMP */
3144 
3145  /*
3146  * Adjust frame size for UDP Socks support.
3147  */
3148  if (c->options.ce.socks_proxy_server)
3149  {
3151  }
3152 
3153  /*
3154  * Adjust frame size based on the --tun-mtu-extra parameter.
3155  */
3157  {
3159  }
3160 
3161  /*
3162  * Adjust frame size based on link socket parameters.
3163  * (Since TCP is a stream protocol, we need to insert
3164  * a packet length uint16_t in the buffer.)
3165  */
3167 
3168  /*
3169  * Fill in the blanks in the frame parameters structure,
3170  * make sure values are rational, etc.
3171  */
3172  frame_finalize_options(c, NULL);
3173 
3174 #ifdef USE_COMP
3175  /*
3176  * Modify frame parameters if compression is compiled in.
3177  * Should be called after frame_finalize_options.
3178  */
3179  comp_add_to_extra_buffer(&c->c2.frame);
3180 #ifdef ENABLE_FRAGMENT
3181  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3182 #endif
3183 #endif /* USE_COMP */
3184 
3185  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3186  * and need link_mtu+3 bytes on socket reception (on server).
3187  *
3188  * accommodate receive path in f->extra_link, which has the side effect of
3189  * also increasing send buffers (BUF_SIZE() macro), which need to be
3190  * allocated big enough before receiving peer-id option from server.
3191  *
3192  * f->extra_frame is adjusted when peer-id option is push-received
3193  */
3195 
3196 #ifdef ENABLE_FRAGMENT
3197  /*
3198  * Set frame parameter for fragment code. This is necessary because
3199  * the fragmentation code deals with payloads which have already been
3200  * passed through the compression code.
3201  */
3202  c->c2.frame_fragment = c->c2.frame;
3205 #endif
3206 
3207 #if defined(ENABLE_FRAGMENT)
3208  /*
3209  * MTU advisories
3210  */
3211  if (c->options.ce.fragment && c->options.mtu_test)
3212  {
3213  msg(M_WARN,
3214  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3215  }
3216 #endif
3217 
3218 #ifdef ENABLE_FRAGMENT
3219  if ((c->options.ce.mssfix || c->options.ce.fragment)
3221  {
3222  msg(M_WARN,
3223  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3225  }
3226 #endif
3227 }
3228 
3229 static void
3231 {
3232  const struct options *o = &c->options;
3233 
3234  if (o->ping_send_timeout && !o->ping_rec_timeout)
3235  {
3236  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3237  }
3238 
3239  if (o->username || o->groupname || o->chroot_dir
3240 #ifdef ENABLE_SELINUX
3241  || o->selinux_context
3242 #endif
3243  )
3244  {
3245  if (!o->persist_tun)
3246  {
3247  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3248  }
3249  if (!o->persist_key
3250 #ifdef ENABLE_PKCS11
3251  && !o->pkcs11_id
3252 #endif
3253  )
3254  {
3255  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3256  }
3257  }
3258 
3259  if (o->chroot_dir && !(o->username && o->groupname))
3260  {
3261  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3262  }
3263 
3264  if (o->pull && o->ifconfig_local && c->first_time)
3265  {
3266  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3267  }
3268 
3270  {
3271  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3272  }
3273 
3274  if (o->mode == MODE_SERVER)
3275  {
3276  if (o->duplicate_cn && o->client_config_dir)
3277  {
3278  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3279  }
3281  {
3282  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3283  }
3284  if (!o->keepalive_ping || !o->keepalive_timeout)
3285  {
3286  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3287  }
3288  }
3289 
3290  if (!o->replay)
3291  {
3292  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3293  }
3294 
3295  if (o->tls_server)
3296  {
3298  }
3299  if (o->tls_client
3300  && !o->tls_verify
3303  && !o->remote_cert_eku)
3304  {
3305  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3306  }
3307  if (o->ns_cert_type)
3308  {
3309  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3310  }
3311 
3312  /* If a script is used, print appropriate warnings */
3313  if (o->user_script_used)
3314  {
3315  if (script_security() >= SSEC_SCRIPTS)
3316  {
3317  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3318  }
3319  else if (script_security() >= SSEC_PW_ENV)
3320  {
3321  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3322  }
3323  else
3324  {
3325  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3326  }
3327  }
3328 }
3329 
3330 static void
3332 {
3334 }
3335 
3336 struct context_buffers *
3338 {
3339  struct context_buffers *b;
3340 
3341  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3342 
3343  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3344  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3345 
3346  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3347 
3348  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3349  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3350 
3351 #ifdef USE_COMP
3352  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3353  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3354 #endif
3355 
3356  return b;
3357 }
3358 
3359 void
3361 {
3362  if (b)
3363  {
3364  free_buf(&b->read_link_buf);
3365  free_buf(&b->read_tun_buf);
3366  free_buf(&b->aux_buf);
3367 
3368 #ifdef USE_COMP
3369  free_buf(&b->compress_buf);
3370  free_buf(&b->decompress_buf);
3371 #endif
3372 
3373  free_buf(&b->encrypt_buf);
3374  free_buf(&b->decrypt_buf);
3375 
3376  free(b);
3377  }
3378 }
3379 
3380 /*
3381  * Now that we know all frame parameters, initialize
3382  * our buffers.
3383  */
3384 static void
3386 {
3388  c->c2.buffers_owned = true;
3389 }
3390 
3391 #ifdef ENABLE_FRAGMENT
3392 /*
3393  * Fragmenting code has buffers to initialize
3394  * once frame parameters are known.
3395  */
3396 static void
3398 {
3399  ASSERT(c->options.ce.fragment);
3403 }
3404 #endif
3405 
3406 /*
3407  * Allocate our socket object.
3408  */
3409 static void
3411 {
3412  ASSERT(!c->c2.link_socket);
3414  c->c2.link_socket_owned = true;
3415 }
3416 
3417 /*
3418  * Print MTU INFO
3419  */
3420 static void
3422 {
3423  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3424 #ifdef ENABLE_FRAGMENT
3425  if (c->c2.fragment)
3426  {
3428  "Fragmentation MTU parms");
3429  }
3430 #endif
3431 }
3432 
3433 /*
3434  * Get local and remote options compatibility strings.
3435  */
3436 static void
3438 {
3439  struct gc_arena gc = gc_new();
3440 
3442  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3443  false, &gc);
3445  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3446  true, &gc);
3447 
3448  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3451  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3454 
3455  if (c->c2.tls_multi)
3456  {
3460  }
3461 
3462  gc_free(&gc);
3463 }
3464 
3465 /*
3466  * These things can only be executed once per program instantiation.
3467  * Set up for possible UID/GID downgrade, but don't do it yet.
3468  * Daemonize if requested.
3469  */
3470 static void
3472 {
3473  if (c->first_time && !c->c0)
3474  {
3475  struct context_0 *c0;
3476 
3477  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3478  c0 = c->c0;
3479 
3480  /* get user and/or group that we want to setuid/setgid to */
3481  c0->uid_gid_specified =
3484 
3485  /* perform postponed chdir if --daemon */
3486  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3487  {
3488  platform_chdir("/");
3489  }
3490 
3491  /* should we change scheduling priority? */
3493  }
3494 }
3495 
3496 /*
3497  * free buffers
3498  */
3499 static void
3501 {
3502  if (c->c2.buffers_owned)
3503  {
3505  c->c2.buffers = NULL;
3506  c->c2.buffers_owned = false;
3507  }
3508 }
3509 
3510 /*
3511  * close TLS
3512  */
3513 static void
3515 {
3516  if (c->c2.tls_multi)
3517  {
3518  tls_multi_free(c->c2.tls_multi, true);
3519  c->c2.tls_multi = NULL;
3520  }
3521 
3522  /* free options compatibility strings */
3525 
3527 
3528  if (c->c2.pulled_options_state)
3529  {
3532  }
3533 }
3534 
3535 /*
3536  * Free key schedules
3537  */
3538 static void
3539 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3540 {
3541  /*
3542  * always free the tls_auth/crypt key. If persist_key is true, the key will
3543  * be reloaded from memory (pre-cached)
3544  */
3547  CLEAR(c->c1.ks.tls_wrap_key);
3550 
3551  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3552  {
3553  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3554  }
3555 }
3556 
3557 /*
3558  * Close TCP/UDP connection
3559  */
3560 static void
3562 {
3563  if (c->c2.link_socket && c->c2.link_socket_owned)
3564  {
3566  c->c2.link_socket = NULL;
3567  }
3568 
3569 
3570  /* Preserve the resolved list of remote if the user request to or if we want
3571  * reconnect to the same host again or there are still addresses that need
3572  * to be tried */
3573  if (!(c->sig->signal_received == SIGUSR1
3574  && ( (c->options.persist_remote_ip)
3575  ||
3576  ( c->sig->source != SIG_SOURCE_HARD
3578  && c->c1.link_socket_addr.current_remote->ai_next)
3579  || c->options.no_advance))
3580  )))
3581  {
3583  }
3584 
3585  /* Clear the remote actual address when persist_remote_ip is not in use */
3586  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3587  {
3589  }
3590 
3591  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3592  {
3594  {
3595  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3596  }
3597 
3598  c->c1.link_socket_addr.bind_local = NULL;
3599  }
3600 }
3601 
3602 /*
3603  * Close packet-id persistence file
3604  */
3605 static void
3607 {
3610  if (!(c->sig->signal_received == SIGUSR1))
3611  {
3613  }
3614 }
3615 
3616 #ifdef ENABLE_FRAGMENT
3617 /*
3618  * Close fragmentation handler.
3619  */
3620 static void
3622 {
3623  if (c->c2.fragment)
3624  {
3626  c->c2.fragment = NULL;
3627  }
3628 }
3629 #endif
3630 
3631 /*
3632  * Open and close our event objects.
3633  */
3634 
3635 static void
3637  bool need_us_timeout)
3638 {
3639  unsigned int flags = 0;
3640 
3642 
3643  flags |= EVENT_METHOD_FAST;
3644 
3645  if (need_us_timeout)
3646  {
3647  flags |= EVENT_METHOD_US_TIMEOUT;
3648  }
3649 
3650  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3651  c->c2.event_set_owned = true;
3652 }
3653 
3654 static void
3656 {
3657  if (c->c2.event_set && c->c2.event_set_owned)
3658  {
3659  event_free(c->c2.event_set);
3660  c->c2.event_set = NULL;
3661  c->c2.event_set_owned = false;
3662  }
3663 }
3664 
3665 /*
3666  * Open and close --status file
3667  */
3668 
3669 static void
3671 {
3672  if (!c->c1.status_output)
3673  {
3676  -1,
3677  NULL,
3679  c->c1.status_output_owned = true;
3680  }
3681 }
3682 
3683 static void
3685 {
3686  if (!(c->sig->signal_received == SIGUSR1))
3687  {
3688  if (c->c1.status_output_owned && c->c1.status_output)
3689  {
3691  c->c1.status_output = NULL;
3692  c->c1.status_output_owned = false;
3693  }
3694  }
3695 }
3696 
3697 /*
3698  * Handle ifconfig-pool persistence object.
3699  */
3700 static void
3702 {
3704  {
3707  c->c1.ifconfig_pool_persist_owned = true;
3708  }
3709 }
3710 
3711 static void
3713 {
3714  if (!(c->sig->signal_received == SIGUSR1))
3715  {
3717  {
3719  c->c1.ifconfig_pool_persist = NULL;
3720  c->c1.ifconfig_pool_persist_owned = false;
3721  }
3722  }
3723 }
3724 
3725 /*
3726  * Inherit environmental variables
3727  */
3728 
3729 static void
3730 do_inherit_env(struct context *c, const struct env_set *src)
3731 {
3732  c->c2.es = env_set_create(NULL);
3733  c->c2.es_owned = true;
3734  env_set_inherit(c->c2.es, src);
3735 }
3736 
3737 static void
3739 {
3740  if (c->c2.es && c->c2.es_owned)
3741  {
3742  env_set_destroy(c->c2.es);
3743  c->c2.es = NULL;
3744  c->c2.es_owned = false;
3745  }
3746 }
3747 
3748 /*
3749  * Fast I/O setup. Fast I/O is an optimization which only works
3750  * if all of the following are true:
3751  *
3752  * (1) The platform is not Windows
3753  * (2) --proto udp is enabled
3754  * (3) --shaper is disabled
3755  */
3756 static void
3758 {
3759  if (c->options.fast_io)
3760  {
3761 #ifdef _WIN32
3762  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3763 #else
3764  if (!proto_is_udp(c->options.ce.proto))
3765  {
3766  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3767  }
3768  else
3769  {
3770  if (c->options.shaper)
3771  {
3772  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3773  }
3774  else
3775  {
3776  c->c2.fast_io = true;
3777  }
3778  }
3779 #endif
3780  }
3781 }
3782 
3783 static void
3785 {
3786  if (c->options.tls_exit)
3787  {
3788  c->c2.tls_exit_signal = SIGTERM;
3789  }
3790  else
3791  {
3792  c->c2.tls_exit_signal = SIGUSR1;
3793  }
3794 }
3795 
3796 #ifdef ENABLE_PLUGIN
3797 
3798 void
3800 {
3801  if (c->options.plugin_list && !c->plugins)
3802  {
3804  c->plugins_owned = true;
3805  }
3806 }
3807 
3808 void
3809 open_plugins(struct context *c, const bool import_options, int init_point)
3810 {
3811  if (c->plugins && c->plugins_owned)
3812  {
3813  if (import_options)
3814  {
3815  struct plugin_return pr, config;
3816  plugin_return_init(&pr);
3817  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3818  plugin_return_get_column(&pr, &config, "config");
3819  if (plugin_return_defined(&config))
3820  {
3821  int i;
3822  for (i = 0; i < config.n; ++i)
3823  {
3824  unsigned int option_types_found = 0;
3825  if (config.list[i] && config.list[i]->value)
3826  {
3828  config.list[i]->value,
3831  &option_types_found,
3832  c->es);
3833  }
3834  }
3835  }
3836  plugin_return_free(&pr);
3837  }
3838  else
3839  {
3840  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3841  }
3842  }
3843 }
3844 
3845 static void
3847 {
3848  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3849  {
3851  c->plugins = NULL;
3852  c->plugins_owned = false;
3853  }
3854 }
3855 
3856 static void
3857 do_inherit_plugins(struct context *c, const struct context *src)
3858 {
3859  if (!c->plugins && src->plugins)
3860  {
3861  c->plugins = plugin_list_inherit(src->plugins);
3862  c->plugins_owned = true;
3863  }
3864 }
3865 
3866 #endif /* ifdef ENABLE_PLUGIN */
3867 
3868 #ifdef ENABLE_MANAGEMENT
3869 
3870 static void
3871 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3872 {
3873  struct context *c = (struct context *) arg;
3874  print_status(c, so);
3875 }
3876 
3877 void
3878 management_show_net_callback(void *arg, const int msglevel)
3879 {
3880 #ifdef _WIN32
3881  show_routes(msglevel);
3882  show_adapters(msglevel);
3883  msg(msglevel, "END");
3884 #else
3885  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3886 #endif
3887 }
3888 
3889 #ifdef TARGET_ANDROID
3890 int
3891 management_callback_network_change(void *arg, bool samenetwork)
3892 {
3893  /* Check if the client should translate the network change to a SIGUSR1 to
3894  * reestablish the connection or just reprotect the socket
3895  *
3896  * At the moment just assume that, for all settings that use pull (not
3897  * --static) and are not using peer-id reestablishing the connection is
3898  * required (unless the network is the same)
3899  *
3900  * The function returns -1 on invalid fd and -2 if the socket cannot be
3901  * reused. On the -2 return value the man_network_change function triggers
3902  * a SIGUSR1 to force a reconnect.
3903  */
3904 
3905  int socketfd = -1;
3906  struct context *c = (struct context *) arg;
3907  if (!c->c2.link_socket)
3908  {
3909  return -1;
3910  }
3911  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3912  {
3913  return -1;
3914  }
3915 
3916  socketfd = c->c2.link_socket->sd;
3917  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3918  {
3919  return socketfd;
3920  }
3921  else
3922  {
3923  return -2;
3924  }
3925 }
3926 #endif /* ifdef TARGET_ANDROID */
3927 
3928 #endif /* ifdef ENABLE_MANAGEMENT */
3929 
3930 void
3932 {
3933 #ifdef ENABLE_MANAGEMENT
3934  if (management)
3935  {
3936  struct management_callback cb;
3937  CLEAR(cb);
3938  cb.arg = c;
3944 #ifdef TARGET_ANDROID
3945  cb.network_change = management_callback_network_change;
3946 #endif
3948  }
3949 #endif
3950 }
3951 
3952 #ifdef ENABLE_MANAGEMENT
3953 
3954 void
3956 {
3957  if (!management)
3958  {
3960  }
3961 }
3962 
3963 bool
3965 {
3966  /* initialize management layer */
3967  if (management)
3968  {
3969  if (c->options.management_addr)
3970  {
3971  unsigned int flags = c->options.management_flags;
3972  if (c->options.mode == MODE_SERVER)
3973  {
3974  flags |= MF_SERVER;
3975  }
3987  flags))
3988  {
3991  NULL,
3992  NULL,
3993  NULL,
3994  NULL,
3995  NULL);
3996  }
3997 
3998  /* initial management hold, called early, before first context initialization */
3999  do_hold(0);
4000  if (IS_SIG(c))
4001  {
4002  msg(M_WARN, "Signal received from management interface, exiting");
4003  return false;
4004  }
4005  }
4006  else
4007  {
4008  close_management();
4009  }
4010  }
4011  return true;
4012 }
4013 
4014 void
4016 {
4017  if (management)
4018  {
4020  management = NULL;
4021  }
4022 }
4023 
4024 #endif /* ifdef ENABLE_MANAGEMENT */
4025 
4026 
4027 void
4029 {
4030 #ifdef ENABLE_MANAGEMENT
4031  if (management)
4032  {
4034  }
4035 #endif
4036 }
4037 
4038 /*
4039  * Initialize a tunnel instance, handle pre and post-init
4040  * signal settings.
4041  */
4042 void
4043 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4044 {
4046  init_instance(c, env, flags);
4048 
4049  /*
4050  * This is done so that signals thrown during
4051  * initialization can bring us back to
4052  * a management hold.
4053  */
4054  if (IS_SIG(c))
4055  {
4056  remap_signal(c);
4058  }
4059 }
4060 
4061 /*
4062  * Initialize a tunnel instance.
4063  */
4064 void
4065 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4066 {
4067  const struct options *options = &c->options;
4068  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4069  int link_socket_mode = LS_MODE_DEFAULT;
4070 
4071  /* init garbage collection level */
4072  gc_init(&c->c2.gc);
4073 
4074  /* inherit environmental variables */
4075  if (env)
4076  {
4077  do_inherit_env(c, env);
4078  }
4079 
4080  /* signals caught here will abort */
4081  c->sig->signal_received = 0;
4082  c->sig->signal_text = NULL;
4083  c->sig->source = SIG_SOURCE_SOFT;
4084 
4085  if (c->mode == CM_P2P)
4086  {
4088  }
4089 
4090  /* possible sleep or management hold if restart */
4091  if (c->mode == CM_P2P || c->mode == CM_TOP)
4092  {
4093  do_startup_pause(c);
4094  if (IS_SIG(c))
4095  {
4096  goto sig;
4097  }
4098  }
4099 
4100  if (c->options.resolve_in_advance)
4101  {
4102  do_preresolve(c);
4103  if (IS_SIG(c))
4104  {
4105  goto sig;
4106  }
4107  }
4108 
4109  /* Resets all values to the initial values from the config where needed */
4110  pre_connect_restore(&c->options, &c->c2.gc);
4111 
4112  /* map in current connection entry */
4114 
4115  /* link_socket_mode allows CM_CHILD_TCP
4116  * instances to inherit acceptable fds
4117  * from a top-level parent */
4118  if (c->options.ce.proto == PROTO_TCP_SERVER)
4119  {
4120  if (c->mode == CM_TOP)
4121  {
4122  link_socket_mode = LS_MODE_TCP_LISTEN;
4123  }
4124  else if (c->mode == CM_CHILD_TCP)
4125  {
4126  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4127  }
4128  }
4129 
4130  /* should we disable paging? */
4131  if (c->first_time && options->mlock)
4132  {
4133  platform_mlockall(true);
4134  }
4135 
4136  /* get passwords if undefined */
4137  if (auth_retry_get() == AR_INTERACT)
4138  {
4140  }
4141 
4142  /* initialize context level 2 --verb/--mute parms */
4144 
4145  /* set error message delay for non-server modes */
4146  if (c->mode == CM_P2P)
4147  {
4149  }
4150 
4151  /* warn about inconsistent options */
4152  if (c->mode == CM_P2P || c->mode == CM_TOP)
4153  {
4154  do_option_warnings(c);
4155  }
4156 
4157 #ifdef ENABLE_PLUGIN
4158  /* initialize plugins */
4159  if (c->mode == CM_P2P || c->mode == CM_TOP)
4160  {
4162  }
4163 #endif
4164 
4165  /* should we enable fast I/O? */
4166  if (c->mode == CM_P2P || c->mode == CM_TOP)
4167  {
4168  do_setup_fast_io(c);
4169  }
4170 
4171  /* should we throw a signal on TLS errors? */
4173 
4174  /* open --status file */
4175  if (c->mode == CM_P2P || c->mode == CM_TOP)
4176  {
4178  }
4179 
4180  /* open --ifconfig-pool-persist file */
4181  if (c->mode == CM_TOP)
4182  {
4184  }
4185 
4186  /* reset OCC state */
4187  if (c->mode == CM_P2P || child)
4188  {
4189  c->c2.occ_op = occ_reset_op();
4190  }
4191 
4192  /* our wait-for-i/o objects, different for posix vs. win32 */
4193  if (c->mode == CM_P2P)
4194  {
4196  }
4197  else if (c->mode == CM_CHILD_TCP)
4198  {
4199  do_event_set_init(c, false);
4200  }
4201 
4202  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4203  init_proxy(c);
4204 
4205  /* allocate our socket object */
4206  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4207  {
4208  do_link_socket_new(c);
4209  }
4210 
4211 #ifdef ENABLE_FRAGMENT
4212  /* initialize internal fragmentation object */
4213  if (options->ce.fragment && (c->mode == CM_P2P || child))
4214  {
4215  c->c2.fragment = fragment_init(&c->c2.frame);
4216  }
4217 #endif
4218 
4219  /* init crypto layer */
4220  {
4221  unsigned int crypto_flags = 0;
4222  if (c->mode == CM_TOP)
4223  {
4224  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4225  }
4226  else if (c->mode == CM_P2P)
4227  {
4229  }
4230  else if (child)
4231  {
4232  crypto_flags = CF_INIT_TLS_MULTI;
4233  }
4234  do_init_crypto(c, crypto_flags);
4235  if (IS_SIG(c) && !child)
4236  {
4237  goto sig;
4238  }
4239  }
4240 
4241 #ifdef USE_COMP
4242  /* initialize compression library. */
4243  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4244  {
4245  c->c2.comp_context = comp_init(&options->comp);
4246  }
4247 #endif
4248 
4249  /* initialize MTU variables */
4250  do_init_frame(c);
4251 
4252  /* initialize TLS MTU variables */
4253  do_init_frame_tls(c);
4254 
4255  /* init workspace buffers whose size is derived from frame size */
4256  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4257  {
4258  do_init_buffers(c);
4259  }
4260 
4261 #ifdef ENABLE_FRAGMENT
4262  /* initialize internal fragmentation capability with known frame size */
4263  if (options->ce.fragment && (c->mode == CM_P2P || child))
4264  {
4265  do_init_fragment(c);
4266  }
4267 #endif
4268 
4269  /* initialize dynamic MTU variable */
4270  frame_init_mssfix(&c->c2.frame, &c->options);
4271 
4272  /* bind the TCP/UDP socket */
4273  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4274  {
4275  link_socket_init_phase1(c, link_socket_mode);
4276  }
4277 
4278  /* initialize tun/tap device object,
4279  * open tun/tap device, ifconfig, run up script, etc. */
4280  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4281  {
4282  c->c2.did_open_tun = do_open_tun(c);
4283  }
4284 
4285  c->c2.frame_initial = c->c2.frame;
4286 
4287  /* print MTU info */
4289 
4290  /* get local and remote options compatibility strings */
4291  if (c->mode == CM_P2P || child)
4292  {
4294  }
4295 
4296  /* initialize output speed limiter */
4297  if (c->mode == CM_P2P)
4298  {
4300  }
4301 
4302  /* do one-time inits, and possibly become a daemon here */
4303  do_init_first_time(c);
4304 
4305 #ifdef ENABLE_PLUGIN
4306  /* initialize plugins */
4307  if (c->mode == CM_P2P || c->mode == CM_TOP)
4308  {
4310  }
4311 #endif
4312 
4313  /* initialise connect timeout timer */
4315 
4316  /* finalize the TCP/UDP socket */
4317  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4318  {
4320  }
4321 
4322  /*
4323  * Actually do UID/GID downgrade, and chroot, if requested.
4324  * May be delayed by --client, --pull, or --up-delay.
4325  */
4327 
4328  /* initialize timers */
4329  if (c->mode == CM_P2P || child)
4330  {
4331  do_init_timers(c, false);
4332  }
4333 
4334 #ifdef ENABLE_PLUGIN
4335  /* initialize plugins */
4336  if (c->mode == CM_P2P || c->mode == CM_TOP)
4337  {
4339  }
4340 #endif
4341 
4342 #if PORT_SHARE
4343  /* share OpenVPN port with foreign (such as HTTPS) server */
4344  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4345  {
4346  init_port_share(c);
4347  }
4348 #endif
4349 
4350  /* Check for signals */
4351  if (IS_SIG(c))
4352  {
4353  goto sig;
4354  }
4355 
4356  return;
4357 
4358 sig:
4359  if (!c->sig->signal_text)
4360  {
4361  c->sig->signal_text = "init_instance";
4362  }
4363  close_context(c, -1, flags);
4364  return;
4365 }
4366 
4367 /*
4368  * Close a tunnel instance.
4369  */
4370 void
4372 {
4373  /* close event objects */
4374  do_close_event_set(c);
4375 
4376  if (c->mode == CM_P2P
4377  || c->mode == CM_CHILD_TCP
4378  || c->mode == CM_CHILD_UDP
4379  || c->mode == CM_TOP)
4380  {
4381 #ifdef USE_COMP
4382  if (c->c2.comp_context)
4383  {
4384  comp_uninit(c->c2.comp_context);
4385  c->c2.comp_context = NULL;
4386  }
4387 #endif
4388 
4389  /* free buffers */
4390  do_close_free_buf(c);
4391 
4392  /* close TLS */
4393  do_close_tls(c);
4394 
4395  /* free key schedules */
4396  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4397 
4398  /* close TCP/UDP connection */
4400 
4401  /* close TUN/TAP device */
4402  do_close_tun(c, false);
4403 
4404 #ifdef ENABLE_MANAGEMENT
4405  if (management)
4406  {
4408  }
4409 #endif
4410 
4411 #ifdef ENABLE_PLUGIN
4412  /* call plugin close functions and unload */
4413  do_close_plugins(c);
4414 #endif
4415 
4416  /* close packet-id persistence file */
4417  do_close_packet_id(c);
4418 
4419  /* close --status file */
4421 
4422 #ifdef ENABLE_FRAGMENT
4423  /* close fragmentation handler */
4424  do_close_fragment(c);
4425 #endif
4426 
4427  /* close --ifconfig-pool-persist obj */
4429 
4430  /* free up environmental variable store */
4431  do_env_set_destroy(c);
4432 
4433  /* close HTTP or SOCKS proxy */
4434  uninit_proxy(c);
4435 
4436  /* garbage collect */
4437  gc_free(&c->c2.gc);
4438  }
4439 }
4440 
4441 void
4443  const struct context *src)
4444 {
4445  CLEAR(*dest);
4446 
4447  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4449 
4450  dest->gc = gc_new();
4451 
4452  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4453 
4454  /* c1 init */
4456 
4457  dest->c1.ks.key_type = src->c1.ks.key_type;
4458  /* inherit SSL context */
4459  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4460  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4463  /* inherit pre-NCP ciphers */
4464  dest->options.ciphername = src->options.ciphername;
4465  dest->options.authname = src->options.authname;
4466 
4467  /* inherit auth-token */
4468  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4469 
4470  /* options */
4471  dest->options = src->options;
4472  options_detach(&dest->options);
4473 
4474  if (dest->mode == CM_CHILD_TCP)
4475  {
4476  /*
4477  * The CM_TOP context does the socket listen(),
4478  * and the CM_CHILD_TCP context does the accept().
4479  */
4480  dest->c2.accept_from = src->c2.link_socket;
4481  }
4482 
4483 #ifdef ENABLE_PLUGIN
4484  /* inherit plugins */
4485  do_inherit_plugins(dest, src);
4486 #endif
4487 
4488  /* context init */
4489  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4490  if (IS_SIG(dest))
4491  {
4492  return;
4493  }
4494 
4495  /* inherit tun/tap interface object */
4496  dest->c1.tuntap = src->c1.tuntap;
4497 
4498  /* UDP inherits some extra things which TCP does not */
4499  if (dest->mode == CM_CHILD_UDP)
4500  {
4501  /* inherit buffers */
4502  dest->c2.buffers = src->c2.buffers;
4503 
4504  /* inherit parent link_socket and tuntap */
4505  dest->c2.link_socket = src->c2.link_socket;
4506 
4507  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4508  *dest->c2.link_socket_info = src->c2.link_socket->info;
4509 
4510  /* locally override some link_socket_info fields */
4511  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4513  }
4514 }
4515 
4516 void
4518  const struct context *src)
4519 {
4520  /* copy parent */
4521  *dest = *src;
4522 
4523  /*
4524  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4525  * resources owned by the parent.
4526  *
4527  * Also note that CM_TOP_CLONE context objects are
4528  * closed by multi_top_free in multi.c.
4529  */
4530  dest->mode = CM_TOP_CLONE;
4531 
4532  dest->first_time = false;
4533  dest->c0 = NULL;
4534 
4535  options_detach(&dest->options);
4536  gc_detach(&dest->gc);
4537  gc_detach(&dest->c2.gc);
4538 
4539  /* detach plugins */
4540  dest->plugins_owned = false;
4541 
4542  dest->c2.tls_multi = NULL;
4543 
4544  /* detach c1 ownership */
4545  dest->c1.tuntap_owned = false;
4546  dest->c1.status_output_owned = false;
4547  dest->c1.ifconfig_pool_persist_owned = false;
4548 
4549  /* detach c2 ownership */
4550  dest->c2.event_set_owned = false;
4551  dest->c2.link_socket_owned = false;
4552  dest->c2.buffers_owned = false;
4553  dest->c2.es_owned = false;
4554 
4555  dest->c2.event_set = NULL;
4556  if (proto_is_dgram(src->options.ce.proto))
4557  {
4558  do_event_set_init(dest, false);
4559  }
4560 
4561 #ifdef USE_COMP
4562  dest->c2.comp_context = NULL;
4563 #endif
4564 }
4565 
4566 void
4567 close_context(struct context *c, int sig, unsigned int flags)
4568 {
4569  ASSERT(c);
4570  ASSERT(c->sig);
4571 
4572  if (sig >= 0)
4573  {
4574  c->sig->signal_received = sig;
4575  }
4576 
4577  if (c->sig->signal_received == SIGUSR1)
4578  {
4579  if ((flags & CC_USR1_TO_HUP)
4580  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4581  {
4582  c->sig->signal_received = SIGHUP;
4583  c->sig->signal_text = "close_context usr1 to hup";
4584  }
4585  }
4586 
4587  if (!(flags & CC_NO_CLOSE))
4588  {
4589  close_instance(c);
4590  }
4591 
4592  if (flags & CC_GC_FREE)
4593  {
4594  context_gc_free(c);
4595  }
4596 }
4597 
4598 /* Write our PID to a file */
4599 void
4600 write_pid_file(const char *filename, const char *chroot_dir)
4601 {
4602  if (filename)
4603  {
4604  unsigned int pid = 0;
4605  FILE *fp = platform_fopen(filename, "w");
4606  if (!fp)
4607  {
4608  msg(M_ERR, "Open error on pid file %s", filename);
4609  return;
4610  }
4611 
4612  pid = platform_getpid();
4613  fprintf(fp, "%u\n", pid);
4614  if (fclose(fp))
4615  {
4616  msg(M_ERR, "Close error on pid file %s", filename);
4617  }
4618 
4619  /* remember file name so it can be deleted "out of context" later */
4620  /* (the chroot case is more complex and not handled today) */
4621  if (!chroot_dir)
4622  {
4623  saved_pid_file_name = strdup(filename);
4624  }
4625  }
4626 }
4627 
4628 /* remove PID file on exit, called from openvpn_exit() */
4629 void
4631 {
4632  if (saved_pid_file_name)
4633  {
4635  }
4636 }
4637 
4638 
4639 /*
4640  * Do a loopback test
4641  * on the crypto subsystem.
4642  */
4643 static void *
4645 {
4646  struct context *c = (struct context *) arg;
4647  const struct options *options = &c->options;
4648 
4649  ASSERT(options->test_crypto);
4651  context_init_1(c);
4653  do_init_crypto_static(c, 0);
4654 
4655  frame_finalize_options(c, options);
4656 
4657  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4658 
4659  key_schedule_free(&c->c1.ks, true);
4661 
4662  context_gc_free(c);
4663  return NULL;
4664 }
4665 
4666 bool
4667 do_test_crypto(const struct options *o)
4668 {
4669  if (o->test_crypto)
4670  {
4671  struct context c;
4672 
4673  /* print version number */
4674  msg(M_INFO, "%s", title_string);
4675 
4676  context_clear(&c);
4677  c.options = *o;
4678  options_detach(&c.options);
4679  c.first_time = true;
4680  test_crypto_thread((void *) &c);
4681  return true;
4682  }
4683  return false;
4684 }
struct tuntap_options tuntap_options
Definition: options.h:321
bool tcp_mode
Definition: ssl_common.h:350
struct env_set * es
Definition: openvpn.h:408
char port[RH_PORT_LEN]
Definition: options.h:194
unsigned int platform_getpid(void)
Definition: platform.c:182
bool socks_proxy_owned
Definition: openvpn.h:189
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2592
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:353
void management_close(struct management *man)
Definition: manage.c:2638
int ifconfig_pool_persist_refresh_freq
Definition: options.h:445
struct key_type key_type
Definition: ssl_common.h:288
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
bool persist_remote_ip
Definition: options.h:310
int sndbuf
Definition: options.h:366
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:386
bool log_rw
Definition: openvpn.h:370
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:114
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
struct frame frame_fragment_omit
Definition: openvpn.h:256
const char * tmp_dir
Definition: ssl_common.h:366
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:373
bool tun_mtu_defined
Definition: options.h:118
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:610
#define OPT_P_DEFAULT
Definition: options.h:703
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1515
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
Definition: tun.h:155
unsigned int management_flags
Definition: options.h:409
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1980
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2620
bool verify_hash_no_ca
Definition: options.h:568
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:111
const char * crl_file
Definition: ssl_common.h:330
#define M_NOPREFIX
Definition: error.h:106
bool block_outside_dns
Definition: options.h:640
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:104
struct event_timeout ping_rec_interval
Definition: openvpn.h:285
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1314
bool tls_crypt_v2
Definition: ssl_common.h:355
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
void platform_nice(int niceval)
Definition: platform.c:160
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:960
struct event_timeout route_wakeup_expire
Definition: openvpn.h:374
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:525
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
bool show_curves
Definition: options.h:244
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:637
const char * cipher_list
Definition: options.h:550
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:535
struct link_socket * link_socket_new(void)
Definition: socket.c:1840
static void do_alloc_route_list(struct context *c)
Definition: init.c:1460
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:334
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1002
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3851
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
bool tls_crypt_v2_file_inline
Definition: options.h:616
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2132
static void init_proxy_dowork(struct context *c)
Definition: init.c:627
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
bool did_open_tun
Definition: openvpn.h:377
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
unsigned int auth_token_lifetime
Definition: ssl_common.h:373
const char * tls_cert_profile
Definition: options.h:553
int management_log_history_cache
Definition: options.h:400
#define M_OPTERR
Definition: error.h:109
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:356
struct interval tmp_int
Definition: openvpn.h:334
#define streq(x, y)
Definition: options.h:667
const char * ifconfig_pool_persist_filename
Definition: options.h:444
const char * chroot_dir
Definition: options.h:326
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:727
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3857
static void do_close_event_set(struct context *c)
Definition: init.c:3655
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2743
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:431
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:269
#define WSO_FORCE_SERVICE
Definition: win32.h:167
int ping_rec_timeout_action
Definition: options.h:306
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2141
bool auth_token_generate
Definition: options.h:487
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4526
void tun_abort(void)
Definition: init.c:2113
Contains all state information for one tunnel.
Definition: openvpn.h:461
#define CIPHER_ENABLED(c)
Definition: openvpn.h:532
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3738
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2679
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:352
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
struct env_set * es
Set of environment variables.
Definition: openvpn.h:484
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:115
struct man_persist persist
Definition: manage.h:314
#define srandom
Definition: syshead.h:45
char * peer_info
Definition: ssl_common.h:619
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:365
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:285
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
#define OPT_P_PLUGIN
Definition: options.h:696
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4567
int script_security(void)
Definition: run_command.c:45
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
#define SDL_CONSTRAIN
Definition: error.h:186
const char * auth_user_pass_verify_script
Definition: ssl_common.h:364
const char * shared_secret_file
Definition: options.h:513
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
enum multi_status multi_state
Definition: ssl_common.h:588
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
#define RH_PORT_LEN
Definition: options.h:193
#define EVENT_METHOD_FAST
Definition: event.h:80
uint32_t peer_id
Definition: options.h:645
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3931
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:322
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
bool tls_crypt_v2_file_inline
Definition: options.h:156
void close_instance(struct context *c)
Definition: init.c:4371
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:96
int renegotiate_seconds
Definition: options.h:590
const char * client_config_dir_exclusive
Definition: ssl_common.h:378
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1339
#define OPT_P_IPWIN32
Definition: options.h:675
bool persist_key
Definition: options.h:311
#define SIGUSR1
Definition: config-msvc.h:115
int replay_window
Definition: options.h:526
int persist_mode
Definition: options.h:237
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:456
const char * auth_user_pass_file
Definition: ssl_common.h:367
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3784
struct context_buffers * buffers
Definition: openvpn.h:357
int verify_x509_type
Definition: ssl_common.h:328
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:109
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
struct event_timeout wait_for_connect
Definition: openvpn.h:283
int rcvbuf
Definition: options.h:365
const char * config_ncp_ciphers
Definition: ssl_common.h:353
#define D_LOG_RW
Definition: errlevel.h:109
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
static void next_connection_entry(struct context *c)
Definition: init.c:470
int handshake_window
Definition: ssl_common.h:319
struct connection_list * connection_list
Definition: options.h:253
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
#define LS_MODE_DEFAULT
Definition: socket.h:191
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:268
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
#define RH_HOST_LEN
Definition: options.h:191
const char * exit_event_name
Definition: options.h:636
#define AR_NONE
Definition: options.h:841
const struct link_socket * accept_from
Definition: openvpn.h:242
void md_ctx_free(md_ctx_t *ctx)
bool route_noexec
Definition: options.h:381
unsigned int sockflags
Definition: options.h:373
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2548
in_addr_t remote_netmask
Definition: tun.h:174
const char * tls_crypt_file
Definition: options.h:150
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
static void do_close_tls(struct context *c)
Definition: init.c:3514
const char * genkey_extra_data
Definition: options.h:248
static bool ce_management_query_remote(struct context *c)
Definition: init.c:381
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
char * x509_username_field[2]
Definition: ssl_common.h:342
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define ENABLE_PKCS11
Definition: config-msvc.h:13
const char * route_script
Definition: options.h:376
int management_state_buffer_size
Definition: options.h:402
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:491
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:105
#define D_READ_WRITE
Definition: errlevel.h:161
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
#define in_addr_t
Definition: config-msvc.h:103
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3129
const char * config
Definition: options.h:219
#define dmsg(flags,...)
Definition: error.h:157
int route_delay
Definition: options.h:382
void remove_pid_file(void)
Definition: init.c:4630
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:333
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:377
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3809
const char * ekm_label
Definition: ssl_common.h:418
void post_init_signal_catch(void)
Definition: sig.c:249
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
struct frame frame_initial
Definition: openvpn.h:249
bool down_pre
Definition: options.h:335
int keepalive_timeout
Definition: options.h:294
#define OPT_P_SOCKBUF
Definition: options.h:697
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:189
#define SIGTERM
Definition: config-msvc.h:117
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:369
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1444
#define TLS_MODE(c)
Definition: openvpn.h:524
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:586
bool push_peer_info
Definition: options.h:625
#define OPT_P_SETENV
Definition: options.h:677
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
int renegotiate_seconds_min
Definition: options.h:591
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3742
bool tls_crypt_file_inline
Definition: options.h:151
#define PING_RESTART
Definition: options.h:305
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3079
int handshake_window
Definition: options.h:595
#define ASSERT(x)
Definition: error.h:204
static void do_close_plugins(struct context *c)
Definition: init.c:3846
#define D_SHOW_NET
Definition: errlevel.h:128
static int ifconfig_order(void)
Definition: tun.h:330
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:225
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:234
unsigned int crypto_flags
Definition: ssl_common.h:346
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:265
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
int explicit_exit_notification
Definition: options.h:131
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
int status_file_update_freq
Definition: options.h:355
int verify_x509_type
Definition: options.h:556
unsigned int unsuccessful_attempts
Definition: options.h:259
void close_management(void)
Definition: init.c:4015
bool platform_unlink(const char *filename)
Definition: platform.c:350
static void adjust_mtu_peerid(struct context *c)
Definition: init.c:2254
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
bool auth_token_call_auth
Definition: options.h:489
const char * config_ciphername
Definition: ssl_common.h:352
const char * prng_hash
Definition: options.h:521
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
int ping_rec_timeout
Definition: options.h:300
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:279
bool fast_io
Definition: options.h:358
int key_direction
Definition: options.h:515
int renegotiate_bytes
Definition: ssl_common.h:321
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
static void update_options_ce_post(struct options *options)
Definition: init.c:194
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
struct tuntap_options options
Definition: tun.h:168
bool link_mtu_defined
Definition: options.h:122
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:70
bool init_static(void)
Definition: init.c:755
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
struct frame frame_fragment_initial
Definition: openvpn.h:255
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:223
bool use_peer_id
Definition: ssl_common.h:643
struct event_timeout ping_send_interval
Definition: openvpn.h:284
bool route_delay_defined
Definition: options.h:384
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:473
bool tls_exit
Definition: options.h:627
#define MF_SERVER
Definition: manage.h:326
bool print_openssl_info(const struct options *options)
Definition: init.c:1035
void restore_signal_state(void)
Definition: sig.c:264
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
int key_direction
Definition: options.h:147
#define PULL_DEFINED(opt)
Definition: options.h:705
bool route_nopull
Definition: options.h:388
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3621
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1240
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
const char * tls_export_cert
Definition: options.h:558
const char * route_default_gateway
Definition: options.h:378
const char * ncp_ciphers
Definition: options.h:519
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4043
int remap_sigusr1
Definition: options.h:340
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:137
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
bool remote_random
Definition: options.h:267
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
bool status_close(struct status_output *so)
Definition: status.c:190
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
void pre_init_signal_catch(void)
Definition: sig.c:235
#define WSO_FORCE_CONSOLE
Definition: win32.h:168
void init_options_dev(struct options *options)
Definition: init.c:1025