OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 static bool do_deferred_p2p_ncp(struct context *c);
72 
73 void
75 {
76  CLEAR(*c);
77 }
78 
79 void
81 {
82  CLEAR(c->c1);
83 }
84 
85 void
87 {
88  CLEAR(c->c2);
89 }
90 
91 void
93 {
94  const bool first_time_save = c->first_time;
95  const struct context_persist cpsave = c->persist;
96  context_clear(c);
97  c->first_time = first_time_save;
98  c->persist = cpsave;
99 }
100 
101 /*
102  * Pass tunnel endpoint and MTU parms to a user-supplied script.
103  * Used to execute the up/down script/plugins.
104  */
105 static void
106 run_up_down(const char *command,
107  const struct plugin_list *plugins,
108  int plugin_type,
109  const char *arg,
110 #ifdef _WIN32
111  DWORD adapter_index,
112 #endif
113  const char *dev_type,
114  int tun_mtu,
115  int link_mtu,
116  const char *ifconfig_local,
117  const char *ifconfig_remote,
118  const char *context,
119  const char *signal_text,
120  const char *script_type,
121  struct env_set *es)
122 {
123  struct gc_arena gc = gc_new();
124 
125  if (signal_text)
126  {
127  setenv_str(es, "signal", signal_text);
128  }
129  setenv_str(es, "script_context", context);
130  setenv_int(es, "tun_mtu", tun_mtu);
131  setenv_int(es, "link_mtu", link_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d %d %s %s %s",
160  arg,
161  tun_mtu, link_mtu,
162  ifconfig_local, ifconfig_remote,
163  context);
164 
165  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
166  {
167  msg(M_FATAL, "ERROR: up/down plugin call failed");
168  }
169 
170  argv_free(&argv);
171  }
172 
173  if (command)
174  {
175  struct argv argv = argv_new();
176  ASSERT(arg);
177  setenv_str(es, "script_type", script_type);
178  argv_parse_cmd(&argv, command);
179  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
180  ifconfig_local, ifconfig_remote, context);
181  argv_msg(M_INFO, &argv);
182  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
183  argv_free(&argv);
184  }
185 
186  gc_free(&gc);
187 }
188 
189 /*
190  * Should be called after options->ce is modified at the top
191  * of a SIGUSR1 restart.
192  */
193 static void
195 {
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
208  }
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
308 static bool
310  const char *command,
311  const char *parameters)
312 {
313  struct context *c = (struct context *) arg;
314  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
315  if (len > PUSH_BUNDLE_SIZE)
316  {
317  return false;
318  }
319 
320  struct gc_arena gc = gc_new();
321  struct buffer buf = alloc_buf_gc(len, &gc);
322  ASSERT(buf_printf(&buf, "%s", command));
323  if (parameters)
324  {
325  ASSERT(buf_printf(&buf, ",%s", parameters));
326  }
327  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
328 
329  gc_free(&gc);
330  return status;
331 }
332 
333 static bool
334 management_callback_remote_cmd(void *arg, const char **p)
335 {
336  struct context *c = (struct context *) arg;
337  struct connection_entry *ce = &c->options.ce;
338  int ret = false;
340  {
341  int flags = 0;
342  if (!strcmp(p[1], "ACCEPT"))
343  {
345  ret = true;
346  }
347  else if (!strcmp(p[1], "SKIP"))
348  {
349  flags = CE_MAN_QUERY_REMOTE_SKIP;
350  ret = true;
351  }
352  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
353  {
354  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
355  {
356  struct remote_host_store *rhs = c->options.rh_store;
357  if (!rhs)
358  {
360  c->options.rh_store = rhs;
361  }
362  strncpynt(rhs->host, p[2], RH_HOST_LEN);
363  strncpynt(rhs->port, p[3], RH_PORT_LEN);
364 
365  ce->remote = rhs->host;
366  ce->remote_port = rhs->port;
367  flags = CE_MAN_QUERY_REMOTE_MOD;
368  ret = true;
369  }
370  }
371  if (ret)
372  {
373  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
375  }
376  }
377  return ret;
378 }
379 
380 static bool
382 {
383  struct gc_arena gc = gc_new();
384  volatile struct connection_entry *ce = &c->options.ce;
385  int ce_changed = true; /* presume the connection entry will be changed */
386 
387  update_time();
388  if (management)
389  {
390  struct buffer out = alloc_buf_gc(256, &gc);
391 
392  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
393  proto2ascii(ce->proto, ce->af, false));
396 
399  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
401  {
403  if (IS_SIG(c))
404  {
405  ce_changed = false; /* connection entry have not been set */
406  break;
407  }
408  }
410  }
411  gc_free(&gc);
412 
413  if (ce_changed)
414  {
415  /* If it is likely a connection entry was modified,
416  * check what changed in the flags and that it was not skipped
417  */
418  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
420  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
421  }
422  return ce_changed;
423 }
424 #endif /* ENABLE_MANAGEMENT */
425 
426 /*
427  * Initialize and possibly randomize connection list.
428  */
429 static void
431 {
432  struct connection_list *l = c->options.connection_list;
433 
434  l->current = -1;
435  if (c->options.remote_random)
436  {
437  int i;
438  for (i = 0; i < l->len; ++i)
439  {
440  const int j = get_random() % l->len;
441  if (i != j)
442  {
443  struct connection_entry *tmp;
444  tmp = l->array[i];
445  l->array[i] = l->array[j];
446  l->array[j] = tmp;
447  }
448  }
449  }
450 }
451 
452 /*
453  * Clear the remote address list
454  */
455 static void
457 {
458  if (lsa->remote_list && free)
459  {
460  freeaddrinfo(lsa->remote_list);
461  }
462  lsa->remote_list = NULL;
463  lsa->current_remote = NULL;
464 }
465 
466 /*
467  * Increment to next connection entry
468  */
469 static void
471 {
472  struct connection_list *l = c->options.connection_list;
473  bool ce_defined;
474  struct connection_entry *ce;
475  int n_cycles = 0;
476 
477  do
478  {
479  ce_defined = true;
480  if (c->options.no_advance && l->current >= 0)
481  {
482  c->options.no_advance = false;
483  }
484  else
485  {
486  /* Check if there is another resolved address to try for
487  * the current connection */
489  && c->c1.link_socket_addr.current_remote->ai_next)
490  {
492  c->c1.link_socket_addr.current_remote->ai_next;
493  }
494  else
495  {
496  /* FIXME (schwabe) fix the persist-remote-ip option for real,
497  * this is broken probably ever since connection lists and multiple
498  * remote existed
499  */
500  if (!c->options.persist_remote_ip)
501  {
502  /* Connection entry addrinfo objects might have been
503  * resolved earlier but the entry itself might have been
504  * skipped by management on the previous loop.
505  * If so, clear the addrinfo objects as close_instance does
506  */
508  {
511  }
512 
513  /* close_instance should have cleared the addrinfo objects */
516  }
517  else
518  {
521  }
522 
523  /*
524  * Increase the number of connection attempts
525  * If this is connect-retry-max * size(l)
526  * OpenVPN will quit
527  */
528 
530 
531  if (++l->current >= l->len)
532  {
533 
534  l->current = 0;
535  if (++n_cycles >= 2)
536  {
537  msg(M_FATAL, "No usable connection profiles are present");
538  }
539  }
540  }
541  }
542 
543  ce = l->array[l->current];
544 
545  if (ce->flags & CE_DISABLED)
546  {
547  ce_defined = false;
548  }
549 
550  c->options.ce = *ce;
551 #ifdef ENABLE_MANAGEMENT
553  {
554  /* allow management interface to override connection entry details */
555  ce_defined = ce_management_query_remote(c);
556  if (IS_SIG(c))
557  {
558  break;
559  }
560  }
561  else if (ce_defined && management && management_query_proxy_enabled(management))
562  {
563  ce_defined = ce_management_query_proxy(c);
564  if (IS_SIG(c))
565  {
566  break;
567  }
568  }
569 #endif
570  } while (!ce_defined);
571 
572  /* Check if this connection attempt would bring us over the limit */
573  if (c->options.connect_retry_max > 0
575  {
576  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
578  }
580 }
581 
582 /*
583  * Query for private key and auth-user-pass username/passwords
584  */
585 void
587 {
588  /* Certificate password input */
589  if (c->options.key_pass_file)
590  {
592  }
593 
594  /* Auth user/pass input */
596  {
597 #ifdef ENABLE_MANAGEMENT
599 #else
601 #endif
602  }
603 }
604 
605 /*
606  * Initialize/Uninitialize HTTP or SOCKS proxy
607  */
608 
609 static void
611 {
612  if (c->c1.http_proxy_owned && c->c1.http_proxy)
613  {
615  c->c1.http_proxy = NULL;
616  c->c1.http_proxy_owned = false;
617  }
618  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
619  {
621  c->c1.socks_proxy = NULL;
622  c->c1.socks_proxy_owned = false;
623  }
624 }
625 
626 static void
628 {
629  bool did_http = false;
630 
632 
634  {
635  /* Possible HTTP proxy user/pass input */
637  if (c->c1.http_proxy)
638  {
639  did_http = true;
640  c->c1.http_proxy_owned = true;
641  }
642  }
643 
644  if (!did_http && c->options.ce.socks_proxy_server)
645  {
649  if (c->c1.socks_proxy)
650  {
651  c->c1.socks_proxy_owned = true;
652  }
653  }
654 }
655 
656 static void
657 init_proxy(struct context *c)
658 {
660 }
661 
662 static void
664 {
666 }
667 
668 void
670 {
671  context_clear_1(c);
672 
674 
676 
677 #if defined(ENABLE_PKCS11)
678  if (c->first_time)
679  {
680  int i;
681  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
682  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
683  {
684  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
685  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
686  }
687  }
688 #endif
689 
690 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
691  {
692  /*
693  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
694  */
695  struct user_pass up;
696  CLEAR(up);
697  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
698  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
699  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
700  * 'needok' command, usually 'ok' or 'cancel'. */
701  }
702 #endif
703 
704 #ifdef ENABLE_SYSTEMD
705  /* We can report the PID via getpid() to systemd here as OpenVPN will not
706  * do any fork due to daemon() a future call.
707  * See possibly_become_daemon() [init.c] for more details.
708  */
709  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
710  (unsigned long) getpid());
711 #endif
712 
713 }
714 
715 void
717 {
718  gc_free(&c->c2.gc);
719  gc_free(&c->options.gc);
720  gc_free(&c->gc);
721 }
722 
723 #if PORT_SHARE
724 
725 static void
726 close_port_share(void)
727 {
728  if (port_share)
729  {
730  port_share_close(port_share);
731  port_share = NULL;
732  }
733 }
734 
735 static void
736 init_port_share(struct context *c)
737 {
738  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
739  {
740  port_share = port_share_open(c->options.port_share_host,
741  c->options.port_share_port,
743  c->options.port_share_journal_dir);
744  if (port_share == NULL)
745  {
746  msg(M_FATAL, "Fatal error: Port sharing failed");
747  }
748  }
749 }
750 
751 #endif /* if PORT_SHARE */
752 
753 
754 bool
756 {
757  /* configure_path (); */
758 
759 #if defined(DMALLOC)
760  crypto_init_dmalloc();
761 #endif
762 
763 
764  /*
765  * Initialize random number seed. random() is only used
766  * when "weak" random numbers are acceptable.
767  * SSL library routines are always used when cryptographically
768  * strong random numbers are required.
769  */
770  struct timeval tv;
771  if (!gettimeofday(&tv, NULL))
772  {
773  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
774  srandom(seed);
775  }
776 
777  error_reset(); /* initialize error.c */
778  reset_check_status(); /* initialize status check code in socket.c */
779 
780 #ifdef _WIN32
781  init_win32();
782 #endif
783 
784 #ifdef OPENVPN_DEBUG_COMMAND_LINE
785  {
786  int i;
787  for (i = 0; i < argc; ++i)
788  {
789  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
790  }
791  }
792 #endif
793 
794  update_time();
795 
796  init_ssl_lib();
797 
798  /* init PRNG used for IV generation */
799  /* When forking, copy this to more places in the code to avoid fork
800  * random-state predictability */
801  prng_init(NULL, 0);
802 
803 #ifdef PID_TEST
804  packet_id_interactive_test(); /* test the sequence number code */
805  return false;
806 #endif
807 
808 #ifdef SCHEDULE_TEST
809  schedule_test();
810  return false;
811 #endif
812 
813 #ifdef LIST_TEST
814  list_test();
815  return false;
816 #endif
817 
818 #ifdef IFCONFIG_POOL_TEST
819  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
820  return false;
821 #endif
822 
823 #ifdef CHARACTER_CLASS_DEBUG
824  character_class_debug();
825  return false;
826 #endif
827 
828 #ifdef EXTRACT_X509_FIELD_TEST
830  return false;
831 #endif
832 
833 #ifdef TIME_TEST
834  time_test();
835  return false;
836 #endif
837 
838 #ifdef TEST_GET_DEFAULT_GATEWAY
839  {
840  struct route_gateway_info rgi;
841  struct route_ipv6_gateway_info rgi6;
842  get_default_gateway(&rgi);
843  get_default_gateway_ipv6(&rgi6, NULL);
844  print_default_gateway(M_INFO, &rgi, &rgi6);
845  return false;
846  }
847 #endif
848 
849 #ifdef GEN_PATH_TEST
850  {
851  struct gc_arena gc = gc_new();
852  const char *fn = gen_path("foo",
853  "bar",
854  &gc);
855  printf("%s\n", fn);
856  gc_free(&gc);
857  }
858  return false;
859 #endif
860 
861 #ifdef STATUS_PRINTF_TEST
862  {
863  struct gc_arena gc = gc_new();
864  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
865  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
866  status_printf(so, "%s", "foo");
867  status_printf(so, "%s", "bar");
868  if (!status_close(so))
869  {
870  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
871  }
872  gc_free(&gc);
873  }
874  return false;
875 #endif
876 
877 #ifdef PRNG_TEST
878  {
879  struct gc_arena gc = gc_new();
880  uint8_t rndbuf[8];
881  int i;
882  prng_init("sha1", 16);
883  /*prng_init (NULL, 0);*/
884  const int factor = 1;
885  for (i = 0; i < factor * 8; ++i)
886  {
887 #if 1
888  prng_bytes(rndbuf, sizeof(rndbuf));
889 #else
890  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
891 #endif
892  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
893  }
894  gc_free(&gc);
895  prng_uninit();
896  return false;
897  }
898 #endif /* ifdef PRNG_TEST */
899 
900 #ifdef BUFFER_LIST_AGGREGATE_TEST
901  /* test buffer_list_aggregate function */
902  {
903  static const char *text[] = {
904  "It was a bright cold day in April, ",
905  "and the clocks were striking ",
906  "thirteen. ",
907  "Winston Smith, ",
908  "his chin nuzzled into his breast in an ",
909  "effort to escape the vile wind, ",
910  "slipped quickly through the glass doors ",
911  "of Victory Mansions, though not quickly ",
912  "enough to prevent a swirl of gritty dust from ",
913  "entering along with him."
914  };
915 
916  int iter, listcap;
917  for (listcap = 0; listcap < 12; ++listcap)
918  {
919  for (iter = 0; iter < 512; ++iter)
920  {
921  struct buffer_list *bl = buffer_list_new(listcap);
922  {
923  int i;
924  for (i = 0; i < SIZE(text); ++i)
925  {
926  buffer_list_push(bl, (unsigned char *)text[i]);
927  }
928  }
929  printf("[cap=%d i=%d] *************************\n", listcap, iter);
930  if (!(iter & 8))
931  {
932  buffer_list_aggregate(bl, iter/2);
933  }
934  if (!(iter & 16))
935  {
936  buffer_list_push(bl, (unsigned char *)"Even more text...");
937  }
938  buffer_list_aggregate(bl, iter);
939  if (!(iter & 1))
940  {
941  buffer_list_push(bl, (unsigned char *)"More text...");
942  }
943  {
944  struct buffer *buf;
945  while ((buf = buffer_list_peek(bl)))
946  {
947  int c;
948  printf("'");
949  while ((c = buf_read_u8(buf)) >= 0)
950  {
951  putchar(c);
952  }
953  printf("'\n");
954  buffer_list_advance(bl, 0);
955  }
956  }
957  buffer_list_free(bl);
958  }
959  }
960  return false;
961  }
962 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
963 
964 #ifdef MSTATS_TEST
965  {
966  int i;
967  mstats_open("/dev/shm/mstats.dat");
968  for (i = 0; i < 30; ++i)
969  {
970  mmap_stats->n_clients += 1;
971  mmap_stats->link_write_bytes += 8;
972  mmap_stats->link_read_bytes += 16;
973  sleep(1);
974  }
975  mstats_close();
976  return false;
977  }
978 #endif
979 
980  return true;
981 }
982 
983 void
985 {
986  free_ssl_lib();
987 
988 #ifdef ENABLE_PKCS11
989  pkcs11_terminate();
990 #endif
991 
992 #if PORT_SHARE
993  close_port_share();
994 #endif
995 
996 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
997  show_tls_performance_stats();
998 #endif
999 }
1000 
1001 void
1002 init_verb_mute(struct context *c, unsigned int flags)
1003 {
1004  if (flags & IVM_LEVEL_1)
1005  {
1006  /* set verbosity and mute levels */
1010  }
1011 
1012  /* special D_LOG_RW mode */
1013  if (flags & IVM_LEVEL_2)
1014  {
1016  }
1017 }
1018 
1019 /*
1020  * Possibly set --dev based on --dev-node.
1021  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1022  * set --dev to tun.
1023  */
1024 void
1026 {
1027  if (!options->dev && options->dev_node)
1028  {
1029  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1030  options->dev = basename(dev_node);
1031  }
1032 }
1033 
1034 bool
1036 {
1037  /*
1038  * OpenSSL info print mode?
1039  */
1040  if (options->show_ciphers || options->show_digests || options->show_engines
1041  || options->show_tls_ciphers || options->show_curves)
1042  {
1043  if (options->show_ciphers)
1044  {
1046  }
1047  if (options->show_digests)
1048  {
1050  }
1051  if (options->show_engines)
1052  {
1054  }
1055  if (options->show_tls_ciphers)
1056  {
1058  options->cipher_list_tls13,
1059  options->tls_cert_profile);
1060  }
1061  if (options->show_curves)
1062  {
1064  }
1065  return true;
1066  }
1067  return false;
1068 }
1069 
1070 /*
1071  * Static pre-shared key generation mode?
1072  */
1073 bool
1074 do_genkey(const struct options *options)
1075 {
1076  /* should we disable paging? */
1077  if (options->mlock && (options->genkey))
1078  {
1079  platform_mlockall(true);
1080  }
1081 
1082  /*
1083  * We do not want user to use --genkey with --secret. In the transistion
1084  * phase we for secret.
1085  */
1086  if (options->genkey && options->genkey_type != GENKEY_SECRET
1087  && options->shared_secret_file)
1088  {
1089  msg(M_USAGE, "Using --genkey type with --secret filename is "
1090  "not supported. Use --genkey type filename instead.");
1091  }
1092  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1093  {
1094  int nbits_written;
1095  const char *genkey_filename = options->genkey_filename;
1096  if (options->shared_secret_file && options->genkey_filename)
1097  {
1098  msg(M_USAGE, "You must provide a filename to either --genkey "
1099  "or --secret, not both");
1100  }
1101 
1102  /*
1103  * Copy filename from shared_secret_file to genkey_filename to support
1104  * the old --genkey --secret foo.file syntax.
1105  */
1106  if (options->shared_secret_file)
1107  {
1108  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1109  "DEPRECATED. Use --genkey secret filename instead.");
1110  genkey_filename = options->shared_secret_file;
1111  }
1112 
1113  nbits_written = write_key_file(2, genkey_filename);
1114  if (nbits_written < 0)
1115  {
1116  msg(M_FATAL, "Failed to write key file");
1117  }
1118 
1120  "Randomly generated %d bit key written to %s", nbits_written,
1121  options->shared_secret_file);
1122  return true;
1123  }
1124  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1125  {
1127  return true;
1128  }
1129  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1130  {
1131  if (!options->tls_crypt_v2_file)
1132  {
1133  msg(M_USAGE,
1134  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1135  }
1136 
1138  options->genkey_extra_data, options->tls_crypt_v2_file,
1139  options->tls_crypt_v2_file_inline);
1140  return true;
1141  }
1142  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1143  {
1145  return true;
1146  }
1147  else
1148  {
1149  return false;
1150  }
1151 }
1152 
1153 /*
1154  * Persistent TUN/TAP device management mode?
1155  */
1156 bool
1158 {
1159  if (options->persist_config)
1160  {
1161  /* sanity check on options for --mktun or --rmtun */
1162  notnull(options->dev, "TUN/TAP device (--dev)");
1163  if (options->ce.remote || options->ifconfig_local
1164  || options->ifconfig_remote_netmask
1165  || options->shared_secret_file
1166  || options->tls_server || options->tls_client
1167  )
1168  {
1170  "options --mktun or --rmtun should only be used together with --dev");
1171  }
1172 #ifdef ENABLE_FEATURE_TUN_PERSIST
1173  tuncfg(options->dev, options->dev_type, options->dev_node,
1174  options->persist_mode,
1175  options->username, options->groupname, &options->tuntap_options,
1176  ctx);
1177  if (options->persist_mode && options->lladdr)
1178  {
1179  set_lladdr(ctx, options->dev, options->lladdr, NULL);
1180  }
1181  return true;
1182 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1183  msg( M_FATAL|M_OPTERR,
1184  "options --mktun and --rmtun are not available on your operating "
1185  "system. Please check 'man tun' (or 'tap'), whether your system "
1186  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1187  "persistent tunnel interfaces.", options->dev );
1188 #endif
1189  }
1190  return false;
1191 }
1192 
1193 /*
1194  * Should we become a daemon?
1195  * Return true if we did it.
1196  */
1197 bool
1199 {
1200  bool ret = false;
1201 
1202 #ifdef ENABLE_SYSTEMD
1203  /* return without forking if we are running from systemd */
1204  if (sd_notify(0, "READY=0") > 0)
1205  {
1206  return ret;
1207  }
1208 #endif
1209 
1210  if (options->daemon)
1211  {
1212  /* Don't chdir immediately, but the end of the init sequence, if needed */
1213 
1214 #if defined(__APPLE__) && defined(__clang__)
1215 #pragma clang diagnostic push
1216 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1217 #endif
1218  if (daemon(1, options->log) < 0)
1219  {
1220  msg(M_ERR, "daemon() failed or unsupported");
1221  }
1222 #if defined(__APPLE__) && defined(__clang__)
1223 #pragma clang diagnostic pop
1224 #endif
1226  if (options->log)
1227  {
1228  set_std_files_to_null(true);
1229  }
1230 
1231  ret = true;
1232  }
1233  return ret;
1234 }
1235 
1236 /*
1237  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1238  */
1239 static void
1240 do_uid_gid_chroot(struct context *c, bool no_delay)
1241 {
1242  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1243  struct context_0 *c0 = c->c0;
1244 
1245  if (c0 && !c0->uid_gid_chroot_set)
1246  {
1247  /* chroot if requested */
1248  if (c->options.chroot_dir)
1249  {
1250  if (no_delay)
1251  {
1253  }
1254  else if (c->first_time)
1255  {
1256  msg(M_INFO, "NOTE: chroot %s", why_not);
1257  }
1258  }
1259 
1260  /* set user and/or group if we want to setuid/setgid */
1261  if (c0->uid_gid_specified)
1262  {
1263  if (no_delay)
1264  {
1267  }
1268  else if (c->first_time)
1269  {
1270  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1271  }
1272  }
1273 
1274 #ifdef ENABLE_MEMSTATS
1275  if (c->first_time && c->options.memstats_fn)
1276  {
1277  mstats_open(c->options.memstats_fn);
1278  }
1279 #endif
1280 
1281 #ifdef ENABLE_SELINUX
1282  /* Apply a SELinux context in order to restrict what OpenVPN can do
1283  * to _only_ what it is supposed to do after initialization is complete
1284  * (basically just network I/O operations). Doing it after chroot
1285  * requires /proc to be mounted in the chroot (which is annoying indeed
1286  * but doing it before requires more complex SELinux policies.
1287  */
1288  if (c->options.selinux_context)
1289  {
1290  if (no_delay)
1291  {
1292  if (-1 == setcon(c->options.selinux_context))
1293  {
1294  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1295  }
1296  else
1297  {
1298  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1299  }
1300  }
1301  else if (c->first_time)
1302  {
1303  msg(M_INFO, "NOTE: setcon %s", why_not);
1304  }
1305  }
1306 #endif
1307 
1308  /* Privileges are going to be dropped by now (if requested), be sure
1309  * to prevent any future privilege dropping attempts from now on.
1310  */
1311  if (no_delay)
1312  {
1313  c0->uid_gid_chroot_set = true;
1314  }
1315  }
1316 }
1317 
1318 /*
1319  * Return common name in a way that is formatted for
1320  * prepending to msg() output.
1321  */
1322 const char *
1323 format_common_name(struct context *c, struct gc_arena *gc)
1324 {
1325  struct buffer out = alloc_buf_gc(256, gc);
1326  if (c->c2.tls_multi)
1327  {
1328  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1329  }
1330  return BSTR(&out);
1331 }
1332 
1333 void
1334 pre_setup(const struct options *options)
1335 {
1336 #ifdef _WIN32
1337  if (options->exit_event_name)
1338  {
1341  options->exit_event_name,
1342  options->exit_event_initial_state);
1343  }
1344  else
1345  {
1348  NULL,
1349  false);
1350 
1351  /* put a title on the top window bar */
1353  {
1355  window_title_generate(options->config);
1356  }
1357  }
1358 #endif /* ifdef _WIN32 */
1359 }
1360 
1361 void
1363 {
1364  c->c2.coarse_timer_wakeup = 0;
1365 }
1366 
1367 /*
1368  * Initialise the server poll timeout timer
1369  * This timer is used in the http/socks proxy setup so it needs to be setup
1370  * before
1371  */
1372 static void
1374 {
1375  update_time();
1376  if (c->options.ce.connect_timeout)
1377  {
1379  }
1380 }
1381 
1382 /*
1383  * Initialize timers
1384  */
1385 static void
1386 do_init_timers(struct context *c, bool deferred)
1387 {
1388  update_time();
1390 
1391  /* initialize inactivity timeout */
1392  if (c->options.inactivity_timeout)
1393  {
1395  }
1396 
1397  /* initialize pings */
1398 
1399  if (c->options.ping_send_timeout)
1400  {
1402  }
1403 
1404  if (c->options.ping_rec_timeout)
1405  {
1407  }
1408 
1409  if (!deferred)
1410  {
1411  /* initialize connection establishment timer */
1413 
1414  /* initialize occ timers */
1415 
1416  if (c->options.occ
1417  && !TLS_MODE(c)
1419  {
1421  }
1422 
1423  if (c->options.mtu_test)
1424  {
1426  }
1427 
1428  /* initialize packet_id persistence timer */
1429  if (c->options.packet_id_file)
1430  {
1432  }
1433 
1434  /* initialize tmp_int optimization that limits the number of times we call
1435  * tls_multi_process in the main event loop */
1437  }
1438 }
1439 
1440 /*
1441  * Initialize traffic shaper.
1442  */
1443 static void
1445 {
1446  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1447  if (c->options.shaper)
1448  {
1449  shaper_init(&c->c2.shaper, c->options.shaper);
1450  shaper_msg(&c->c2.shaper);
1451  }
1452 }
1453 
1454 /*
1455  * Allocate route list structures for IPv4 and IPv6
1456  * (we do this for IPv4 even if no --route option has been seen, as other
1457  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1458  */
1459 static void
1461 {
1462  if (!c->c1.route_list)
1463  {
1464  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1465  }
1466  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1467  {
1469  }
1470 }
1471 
1472 
1473 /*
1474  * Initialize the route list, resolving any DNS names in route
1475  * options and saving routes in the environment.
1476  */
1477 static void
1479  struct route_list *route_list,
1480  const struct link_socket_info *link_socket_info,
1481  struct env_set *es,
1482  openvpn_net_ctx_t *ctx)
1483 {
1484  const char *gw = NULL;
1485  int dev = dev_type_enum(options->dev, options->dev_type);
1486  int metric = 0;
1487 
1488  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1489  {
1490  gw = options->ifconfig_remote_netmask;
1491  }
1492  if (options->route_default_gateway)
1493  {
1494  gw = options->route_default_gateway;
1495  }
1496  if (options->route_default_metric)
1497  {
1498  metric = options->route_default_metric;
1499  }
1500 
1501  if (init_route_list(route_list,
1502  options->routes,
1503  gw,
1504  metric,
1505  link_socket_current_remote(link_socket_info),
1506  es,
1507  ctx))
1508  {
1509  /* copy routes to environment */
1510  setenv_routes(es, route_list);
1511  }
1512 }
1513 
1514 static void
1517  const struct link_socket_info *link_socket_info,
1518  struct env_set *es,
1519  openvpn_net_ctx_t *ctx)
1520 {
1521  const char *gw = NULL;
1522  int metric = -1; /* no metric set */
1523 
1524  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1525  if (options->route_ipv6_default_gateway)
1526  {
1527  gw = options->route_ipv6_default_gateway;
1528  }
1529 
1530  if (options->route_default_metric)
1531  {
1532  metric = options->route_default_metric;
1533  }
1534 
1535  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1536  */
1537  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1538  {
1539  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1540  int i;
1541 
1542  for (i = 0; opt_list[i]; i++)
1543  {
1545  string_alloc(opt_list[i], options->routes_ipv6->gc),
1546  NULL, NULL );
1547  }
1548  }
1549 
1550  if (init_route_ipv6_list(route_ipv6_list,
1551  options->routes_ipv6,
1552  gw,
1553  metric,
1554  link_socket_current_remote_ipv6(link_socket_info),
1555  es,
1556  ctx))
1557  {
1558  /* copy routes to environment */
1559  setenv_routes_ipv6(es, route_ipv6_list);
1560  }
1561 }
1562 
1563 
1564 /*
1565  * Called after all initialization has been completed.
1566  */
1567 void
1568 initialization_sequence_completed(struct context *c, const unsigned int flags)
1569 {
1570  static const char message[] = "Initialization Sequence Completed";
1571 
1572  /* Reset the unsuccessful connection counter on complete initialisation */
1574 
1575  /* If we delayed UID/GID downgrade or chroot, do it now */
1576  do_uid_gid_chroot(c, true);
1577 
1578 
1579  /*
1580  * In some cases (i.e. when receiving auth-token via
1581  * push-reply) the auth-nocache option configured on the
1582  * client is overridden; for this reason we have to wait
1583  * for the push-reply message before attempting to wipe
1584  * the user/pass entered by the user
1585  */
1586  if (c->options.mode == MODE_POINT_TO_POINT)
1587  {
1589  }
1590 
1591  /* Test if errors */
1592  if (flags & ISC_ERRORS)
1593  {
1594 #ifdef _WIN32
1597  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1598 #else
1599 #ifdef ENABLE_SYSTEMD
1600  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1601 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1602  msg(M_INFO, "%s With Errors", message);
1603 #endif
1604  }
1605  else
1606  {
1607 #ifdef ENABLE_SYSTEMD
1608  sd_notifyf(0, "STATUS=%s", message);
1609 #endif
1610  msg(M_INFO, "%s", message);
1611  }
1612 
1613  /* Flag that we initialized */
1614  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1615  {
1616  c->options.no_advance = true;
1617  }
1618 
1619 #ifdef _WIN32
1621 #endif
1622 
1623 #ifdef ENABLE_MANAGEMENT
1624  /* Tell management interface that we initialized */
1625  if (management)
1626  {
1627  in_addr_t *tun_local = NULL;
1628  struct in6_addr *tun_local6 = NULL;
1629  struct openvpn_sockaddr local, remote;
1630  struct link_socket_actual *actual;
1631  socklen_t sa_len = sizeof(local);
1632  const char *detail = "SUCCESS";
1633  if (flags & ISC_ERRORS)
1634  {
1635  detail = "ERROR";
1636  }
1637 
1638  CLEAR(local);
1639  actual = &get_link_socket_info(c)->lsa->actual;
1640  remote = actual->dest;
1641  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1642 #if ENABLE_IP_PKTINFO
1643  if (!addr_defined(&local))
1644  {
1645  switch (local.addr.sa.sa_family)
1646  {
1647  case AF_INET:
1648 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1649  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1650 #else
1651  local.addr.in4.sin_addr = actual->pi.in4;
1652 #endif
1653  break;
1654 
1655  case AF_INET6:
1656  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1657  break;
1658  }
1659  }
1660 #endif
1661 
1662  if (c->c1.tuntap)
1663  {
1664  tun_local = &c->c1.tuntap->local;
1665  tun_local6 = &c->c1.tuntap->local_ipv6;
1666  }
1669  detail,
1670  tun_local,
1671  tun_local6,
1672  &local,
1673  &remote);
1674  if (tun_local)
1675  {
1677  }
1678  }
1679 #endif /* ifdef ENABLE_MANAGEMENT */
1680 }
1681 
1682 /*
1683  * Possibly add routes and/or call route-up script
1684  * based on options.
1685  */
1686 void
1687 do_route(const struct options *options,
1688  struct route_list *route_list,
1690  const struct tuntap *tt,
1691  const struct plugin_list *plugins,
1692  struct env_set *es,
1693  openvpn_net_ctx_t *ctx)
1694 {
1695  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1696  {
1697  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1698  es, ctx);
1699  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1700  }
1701 #ifdef ENABLE_MANAGEMENT
1702  if (management)
1703  {
1704  management_up_down(management, "UP", es);
1705  }
1706 #endif
1707 
1709  {
1710  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1711  {
1712  msg(M_WARN, "WARNING: route-up plugin call failed");
1713  }
1714  }
1715 
1716  if (options->route_script)
1717  {
1718  struct argv argv = argv_new();
1719  setenv_str(es, "script_type", "route-up");
1720  argv_parse_cmd(&argv, options->route_script);
1721  openvpn_run_script(&argv, es, 0, "--route-up");
1722  argv_free(&argv);
1723  }
1724 
1725 #ifdef _WIN32
1726  if (options->show_net_up)
1727  {
1730  }
1731  else if (check_debug_level(D_SHOW_NET))
1732  {
1735  }
1736 #endif
1737 }
1738 
1739 /*
1740  * initialize tun/tap device object
1741  */
1742 static void
1744 {
1745  c->c1.tuntap = init_tun(c->options.dev,
1746  c->options.dev_type,
1747  c->options.topology,
1756  c->c2.es,
1757  &c->net_ctx);
1758 
1759 #ifdef _WIN32
1761 #endif
1762 
1763  init_tun_post(c->c1.tuntap,
1764  &c->c2.frame,
1765  &c->options.tuntap_options);
1766 
1767  c->c1.tuntap_owned = true;
1768 }
1769 
1770 /*
1771  * Open tun/tap device, ifconfig, call up script, etc.
1772  */
1773 
1774 static bool
1776 {
1777  struct gc_arena gc = gc_new();
1778  bool ret = false;
1779 
1780 #ifndef TARGET_ANDROID
1781  if (!c->c1.tuntap)
1782  {
1783 #endif
1784 
1785 #ifdef TARGET_ANDROID
1786  /* If we emulate persist-tun on android we still have to open a new tun and
1787  * then close the old */
1788  int oldtunfd = -1;
1789  if (c->c1.tuntap)
1790  {
1791  oldtunfd = c->c1.tuntap->fd;
1792  free(c->c1.tuntap);
1793  c->c1.tuntap = NULL;
1794  c->c1.tuntap_owned = false;
1795  }
1796 #endif
1797 
1798  /* initialize (but do not open) tun/tap object */
1799  do_init_tun(c);
1800 
1801 #ifdef _WIN32
1802  /* store (hide) interactive service handle in tuntap_options */
1804  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1805 #endif
1806 
1807  /* allocate route list structure */
1809 
1810  /* parse and resolve the route option list */
1811  ASSERT(c->c2.link_socket);
1812  if (c->options.routes && c->c1.route_list)
1813  {
1815  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1816  }
1817  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1818  {
1820  &c->c2.link_socket->info, c->c2.es,
1821  &c->net_ctx);
1822  }
1823 
1824  /* do ifconfig */
1825  if (!c->options.ifconfig_noexec
1827  {
1828  /* guess actual tun/tap unit number that will be returned
1829  * by open_tun */
1830  const char *guess = guess_tuntap_dev(c->options.dev,
1831  c->options.dev_type,
1832  c->options.dev_node,
1833  &gc);
1834  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1835  &c->net_ctx);
1836  }
1837 
1838  /* possibly add routes */
1839  if (route_order() == ROUTE_BEFORE_TUN)
1840  {
1841  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1843  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1844  }
1845 #ifdef TARGET_ANDROID
1846  /* Store the old fd inside the fd so open_tun can use it */
1847  c->c1.tuntap->fd = oldtunfd;
1848 #endif
1849  /* open the tun device */
1851  c->c1.tuntap);
1852 
1853  /* set the hardware address */
1854  if (c->options.lladdr)
1855  {
1857  c->c2.es);
1858  }
1859 
1860  /* do ifconfig */
1861  if (!c->options.ifconfig_noexec
1863  {
1865  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1866  }
1867 
1868  /* run the up script */
1870  c->plugins,
1872  c->c1.tuntap->actual_name,
1873 #ifdef _WIN32
1874  c->c1.tuntap->adapter_index,
1875 #endif
1877  TUN_MTU_SIZE(&c->c2.frame),
1878  EXPANDED_SIZE(&c->c2.frame),
1881  "init",
1882  NULL,
1883  "up",
1884  c->c2.es);
1885 
1886 #if defined(_WIN32)
1887  if (c->options.block_outside_dns)
1888  {
1889  dmsg(D_LOW, "Blocking outside DNS");
1891  {
1892  msg(M_FATAL, "Blocking DNS failed!");
1893  }
1894  }
1895 #endif
1896 
1897  /* possibly add routes */
1899  {
1901  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1902  }
1903 
1904  /*
1905  * Did tun/tap driver give us an MTU?
1906  */
1907  if (c->c1.tuntap->post_open_mtu)
1908  {
1910  c->c1.tuntap->post_open_mtu,
1912  }
1913 
1914  ret = true;
1915  static_context = c;
1916 #ifndef TARGET_ANDROID
1917 }
1918 else
1919 {
1920  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1921  c->c1.tuntap->actual_name);
1922 
1923  /* explicitly set the ifconfig_* env vars */
1924  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1925 
1926  /* run the up script if user specified --up-restart */
1927  if (c->options.up_restart)
1928  {
1930  c->plugins,
1932  c->c1.tuntap->actual_name,
1933 #ifdef _WIN32
1934  c->c1.tuntap->adapter_index,
1935 #endif
1937  TUN_MTU_SIZE(&c->c2.frame),
1938  EXPANDED_SIZE(&c->c2.frame),
1941  "restart",
1942  NULL,
1943  "up",
1944  c->c2.es);
1945  }
1946 #if defined(_WIN32)
1947  if (c->options.block_outside_dns)
1948  {
1949  dmsg(D_LOW, "Blocking outside DNS");
1951  {
1952  msg(M_FATAL, "Blocking DNS failed!");
1953  }
1954  }
1955 #endif
1956 
1957 }
1958 #endif /* ifndef TARGET_ANDROID */
1959  gc_free(&gc);
1960  return ret;
1961 }
1962 
1963 /*
1964  * Close TUN/TAP device
1965  */
1966 
1967 static void
1969 {
1970  msg(D_CLOSE, "Closing TUN/TAP interface");
1971  if (c->c1.tuntap)
1972  {
1973  close_tun(c->c1.tuntap, &c->net_ctx);
1974  c->c1.tuntap = NULL;
1975  }
1976  c->c1.tuntap_owned = false;
1978 }
1979 
1980 static void
1981 do_close_tun(struct context *c, bool force)
1982 {
1983  struct gc_arena gc = gc_new();
1984  if (c->c1.tuntap && c->c1.tuntap_owned)
1985  {
1986  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1987 #ifdef _WIN32
1988  DWORD adapter_index = c->c1.tuntap->adapter_index;
1989 #endif
1990  const in_addr_t local = c->c1.tuntap->local;
1991  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1992 
1993  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1994  {
1995  static_context = NULL;
1996 
1997 #ifdef ENABLE_MANAGEMENT
1998  /* tell management layer we are about to close the TUN/TAP device */
1999  if (management)
2000  {
2002  management_up_down(management, "DOWN", c->c2.es);
2003  }
2004 #endif
2005 
2006  /* delete any routes we added */
2007  if (c->c1.route_list || c->c1.route_ipv6_list)
2008  {
2010  c->plugins,
2012  tuntap_actual,
2013 #ifdef _WIN32
2014  adapter_index,
2015 #endif
2016  NULL,
2017  TUN_MTU_SIZE(&c->c2.frame),
2018  EXPANDED_SIZE(&c->c2.frame),
2019  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2020  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2021  "init",
2023  c->sig->signal_text),
2024  "route-pre-down",
2025  c->c2.es);
2026 
2029  c->c2.es, &c->net_ctx);
2030  }
2031 
2032  /* actually close tun/tap device based on --down-pre flag */
2033  if (!c->options.down_pre)
2034  {
2036  }
2037 
2038  /* Run the down script -- note that it will run at reduced
2039  * privilege if, for example, "--user nobody" was used. */
2041  c->plugins,
2043  tuntap_actual,
2044 #ifdef _WIN32
2045  adapter_index,
2046 #endif
2047  NULL,
2048  TUN_MTU_SIZE(&c->c2.frame),
2049  EXPANDED_SIZE(&c->c2.frame),
2050  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2051  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2052  "init",
2054  c->sig->signal_text),
2055  "down",
2056  c->c2.es);
2057 
2058 #if defined(_WIN32)
2059  if (c->options.block_outside_dns)
2060  {
2061  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2062  {
2063  msg(M_FATAL, "Uninitialising WFP failed!");
2064  }
2065  }
2066 #endif
2067 
2068  /* actually close tun/tap device based on --down-pre flag */
2069  if (c->options.down_pre)
2070  {
2072  }
2073  }
2074  else
2075  {
2076  /* run the down script on this restart if --up-restart was specified */
2077  if (c->options.up_restart)
2078  {
2080  c->plugins,
2082  tuntap_actual,
2083 #ifdef _WIN32
2084  adapter_index,
2085 #endif
2086  NULL,
2087  TUN_MTU_SIZE(&c->c2.frame),
2088  EXPANDED_SIZE(&c->c2.frame),
2089  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2090  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2091  "restart",
2093  c->sig->signal_text),
2094  "down",
2095  c->c2.es);
2096  }
2097 
2098 #if defined(_WIN32)
2099  if (c->options.block_outside_dns)
2100  {
2101  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2102  {
2103  msg(M_FATAL, "Uninitialising WFP failed!");
2104  }
2105  }
2106 #endif
2107 
2108  }
2109  }
2110  gc_free(&gc);
2111 }
2112 
2113 void
2115 {
2116  struct context *c = static_context;
2117  if (c)
2118  {
2119  static_context = NULL;
2120  do_close_tun(c, true);
2121  }
2122 }
2123 
2124 /*
2125  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2126  */
2127 
2132 static bool
2134  const struct sha256_digest *b)
2135 {
2136  const struct sha256_digest zero = {{0}};
2137  return memcmp(a, b, sizeof(struct sha256_digest))
2138  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2139 }
2140 
2141 bool
2142 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2143 {
2144  if (!c->c2.do_up_ran)
2145  {
2147 
2148  if (pulled_options)
2149  {
2150  if (!do_deferred_options(c, option_types_found))
2151  {
2152  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2153  return false;
2154  }
2155  }
2156  else if (c->mode == MODE_POINT_TO_POINT)
2157  {
2158  if (!do_deferred_p2p_ncp(c))
2159  {
2160  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2161  return false;
2162  }
2163  }
2164 
2165  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2166  if (c->options.up_delay || PULL_DEFINED(&c->options))
2167  {
2168  c->c2.did_open_tun = do_open_tun(c);
2169  update_time();
2170 
2171  /*
2172  * Was tun interface object persisted from previous restart iteration,
2173  * and if so did pulled options string change from previous iteration?
2174  */
2175  if (!c->c2.did_open_tun
2176  && PULL_DEFINED(&c->options)
2177  && c->c1.tuntap
2180  {
2181  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2182  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2183  do_close_tun(c, true);
2184  management_sleep(1);
2185  c->c2.did_open_tun = do_open_tun(c);
2186  update_time();
2187  }
2188  }
2189 
2190  if (c->c2.did_open_tun)
2191  {
2193 
2194  /* if --route-delay was specified, start timer */
2196  {
2199  if (c->c1.tuntap)
2200  {
2202  }
2203  }
2204  else
2205  {
2206  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2207  }
2208  }
2209  else if (c->options.mode == MODE_POINT_TO_POINT)
2210  {
2211  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2212  }
2213 
2214  c->c2.do_up_ran = true;
2215  if (c->c2.tls_multi)
2216  {
2218  }
2219  }
2220  return true;
2221 }
2222 
2223 /*
2224  * These are the option categories which will be accepted by pull.
2225  */
2226 unsigned int
2228 {
2229  unsigned int flags =
2230  OPT_P_UP
2232  | OPT_P_SOCKBUF
2233  | OPT_P_SOCKFLAGS
2234  | OPT_P_SETENV
2235  | OPT_P_SHAPER
2236  | OPT_P_TIMER
2237  | OPT_P_COMP
2238  | OPT_P_PERSIST
2239  | OPT_P_MESSAGES
2241  | OPT_P_ECHO
2242  | OPT_P_PULL_MODE
2243  | OPT_P_PEER_ID
2244  | OPT_P_NCP;
2245 
2246  if (!c->options.route_nopull)
2247  {
2248  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2249  }
2250 
2251  return flags;
2252 }
2253 
2254 static
2256 {
2257  frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */
2258  if (!c->options.ce.link_mtu_defined)
2259  {
2260  frame_add_to_link_mtu(&c->c2.frame, 3);
2261  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2262  EXPANDED_SIZE(&c->c2.frame));
2263  }
2264  else
2265  {
2266  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2267  " fixed by config - reducing tun-mtu to %d, expect"
2268  " MTU problems", TUN_MTU_SIZE(&c->c2.frame));
2269  }
2270 }
2271 
2272 static bool
2274 {
2275  if (!c->c2.tls_multi)
2276  {
2277  return true;
2278  }
2279 
2280  if (c->c2.tls_multi->use_peer_id)
2281  {
2282  adjust_mtu_peerid(c);
2283  }
2284 
2285  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2286 
2287  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2288  &c->options.gc);
2289 
2290  if (ncp_cipher)
2291  {
2292  c->options.ciphername = ncp_cipher;
2293  }
2294  else if (!c->options.enable_ncp_fallback)
2295  {
2296  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2297  "--data-ciphers-fallback not enabled. No usable "
2298  "data channel cipher");
2299  return false;
2300  }
2301 
2302  struct frame *frame_fragment = NULL;
2303 #ifdef ENABLE_FRAGMENT
2304  if (c->options.ce.fragment)
2305  {
2306  frame_fragment = &c->c2.frame_fragment;
2307  }
2308 #endif
2309 
2310  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2311  frame_fragment))
2312  {
2313  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2314  return false;
2315  }
2316  return true;
2317 }
2318 
2319 /*
2320  * Handle non-tun-related pulled options.
2321  */
2322 bool
2323 do_deferred_options(struct context *c, const unsigned int found)
2324 {
2325  if (found & OPT_P_MESSAGES)
2326  {
2328  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2329  }
2330  if (found & OPT_P_TIMER)
2331  {
2332  do_init_timers(c, true);
2333  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2334  }
2335 
2336  if (found & OPT_P_EXPLICIT_NOTIFY)
2337  {
2339  {
2340  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2342  }
2343  else
2344  {
2345  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2346  }
2347  }
2348 
2349 #ifdef USE_COMP
2350  if (found & OPT_P_COMP)
2351  {
2352  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2353  comp_uninit(c->c2.comp_context);
2354  c->c2.comp_context = comp_init(&c->options.comp);
2355  }
2356 #endif
2357 
2358  if (found & OPT_P_SHAPER)
2359  {
2360  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2362  }
2363 
2364  if (found & OPT_P_SOCKBUF)
2365  {
2366  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2368  }
2369 
2370  if (found & OPT_P_SOCKFLAGS)
2371  {
2372  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2374  }
2375 
2376  if (found & OPT_P_PERSIST)
2377  {
2378  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2379  }
2380  if (found & OPT_P_UP)
2381  {
2382  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2383  }
2384  if (found & OPT_P_ROUTE)
2385  {
2386  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2387  }
2388  if (found & OPT_P_ROUTE_EXTRAS)
2389  {
2390  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2391  }
2392  if (found & OPT_P_IPWIN32)
2393  {
2394  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2395  }
2396  if (found & OPT_P_SETENV)
2397  {
2398  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2399  }
2400 
2401  if (found & OPT_P_PEER_ID)
2402  {
2403  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2404  c->c2.tls_multi->use_peer_id = true;
2405  c->c2.tls_multi->peer_id = c->options.peer_id;
2406  adjust_mtu_peerid(c);
2407  }
2408 
2409  /* process (potentially pushed) crypto options */
2410  if (c->options.pull)
2411  {
2412  if (!check_pull_client_ncp(c, found))
2413  {
2414  return false;
2415  }
2416  struct frame *frame_fragment = NULL;
2417 #ifdef ENABLE_FRAGMENT
2418  if (c->options.ce.fragment)
2419  {
2420  frame_fragment = &c->c2.frame_fragment;
2421  }
2422 #endif
2423 
2424  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2425  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2426  frame_fragment))
2427  {
2428  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2429  return false;
2430  }
2431  }
2432 
2433  return true;
2434 }
2435 
2436 /*
2437  * Possible hold on initialization, holdtime is the
2438  * time OpenVPN would wait without management
2439  */
2440 static bool
2441 do_hold(int holdtime)
2442 {
2443 #ifdef ENABLE_MANAGEMENT
2444  if (management)
2445  {
2446  /* block until management hold is released */
2447  if (management_hold(management, holdtime))
2448  {
2449  return true;
2450  }
2451  }
2452 #endif
2453  return false;
2454 }
2455 
2456 /*
2457  * Sleep before restart.
2458  */
2459 static void
2461 {
2462  int sec = 2;
2463  int backoff = 0;
2464 
2465  switch (c->options.ce.proto)
2466  {
2467  case PROTO_TCP_SERVER:
2468  sec = 1;
2469  break;
2470 
2471  case PROTO_UDP:
2472  case PROTO_TCP_CLIENT:
2473  sec = c->options.ce.connect_retry_seconds;
2474  break;
2475  }
2476 
2477 #ifdef ENABLE_DEBUG
2478  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2479  {
2480  sec = 0;
2481  }
2482 #endif
2483 
2484  if (auth_retry_get() == AR_NOINTERACT)
2485  {
2486  sec = 10;
2487  }
2488 
2489  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2490  if (c->options.ce.proto == PROTO_TCP_CLIENT
2491  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2492  {
2493  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2494  if (backoff > 0)
2495  {
2496  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2497  sec = max_int(sec, 1) << min_int(backoff, 15);
2498  }
2499 
2500  if (sec > c->options.ce.connect_retry_seconds_max)
2501  {
2503  }
2504  }
2505 
2507  {
2508  sec = c->persist.restart_sleep_seconds;
2509  }
2510  else if (c->persist.restart_sleep_seconds == -1)
2511  {
2512  sec = 0;
2513  }
2515 
2516  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2517  if (do_hold(sec))
2518  {
2519  sec = 0;
2520  }
2521 
2522  if (sec)
2523  {
2524  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2525  management_sleep(sec);
2526  }
2527 }
2528 
2529 /*
2530  * Do a possible pause on context_2 initialization.
2531  */
2532 static void
2534 {
2535  if (!c->first_time)
2536  {
2538  }
2539  else
2540  {
2541  do_hold(0); /* do management hold on first context initialization */
2542  }
2543 }
2544 
2545 /*
2546  * Finalize MTU parameters based on command line or config file options.
2547  */
2548 static void
2549 frame_finalize_options(struct context *c, const struct options *o)
2550 {
2551  if (!o)
2552  {
2553  o = &c->options;
2554  }
2555 
2556  /*
2557  * Set adjustment factor for buffer alignment when no
2558  * cipher is used.
2559  */
2560  if (!CIPHER_ENABLED(c))
2561  {
2567  }
2568 
2570  frame_finalize(&c->c2.frame,
2571  o->ce.link_mtu_defined,
2572  o->ce.link_mtu,
2573  o->ce.tun_mtu_defined,
2574  o->ce.tun_mtu);
2575 }
2576 
2577 /*
2578  * Free a key schedule, including OpenSSL components.
2579  */
2580 static void
2581 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2582 {
2584  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2585  {
2586  tls_ctx_free(&ks->ssl_ctx);
2588  }
2589  CLEAR(*ks);
2590 }
2591 
2592 static void
2593 init_crypto_pre(struct context *c, const unsigned int flags)
2594 {
2595  if (c->options.engine)
2596  {
2598  }
2599 
2600  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2601  {
2602  /* load a persisted packet-id for cross-session replay-protection */
2603  if (c->options.packet_id_file)
2604  {
2606  }
2607  }
2608 
2609 #ifdef ENABLE_PREDICTION_RESISTANCE
2610  if (c->options.use_prediction_resistance)
2611  {
2612  rand_ctx_enable_prediction_resistance();
2613  }
2614 #endif
2615 }
2616 
2617 /*
2618  * Static Key Mode (using a pre-shared key)
2619  */
2620 static void
2621 do_init_crypto_static(struct context *c, const unsigned int flags)
2622 {
2623  const struct options *options = &c->options;
2624  ASSERT(options->shared_secret_file);
2625 
2626  init_crypto_pre(c, flags);
2627 
2628  /* Initialize flags */
2630  {
2632  }
2633 
2634  /* Initialize packet ID tracking */
2635  if (options->replay)
2636  {
2638  options->replay_window,
2639  options->replay_time,
2640  "STATIC", 0);
2645  }
2646 
2647  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2648  {
2649  /* Get cipher & hash algorithms */
2650  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2651  options->test_crypto, true);
2652 
2653  /* Read cipher and hmac keys from shared secret file */
2655  options->shared_secret_file,
2656  options->shared_secret_file_inline,
2657  options->key_direction, "Static Key Encryption",
2658  "secret");
2659  }
2660  else
2661  {
2662  msg(M_INFO, "Re-using pre-shared static key");
2663  }
2664 
2665  /* Get key schedule */
2667 
2668  /* Compute MTU parameters */
2670  options->replay, true);
2671 
2672  /* Sanity check on sequence number, and cipher mode options */
2673  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2674 }
2675 
2676 /*
2677  * Initialize the tls-auth/crypt key context
2678  */
2679 static void
2681 {
2682  const struct options *options = &c->options;
2683 
2684  /* TLS handshake authentication (--tls-auth) */
2685  if (options->ce.tls_auth_file)
2686  {
2687  /* Initialize key_type for tls-auth with auth only */
2689  if (!streq(options->authname, "none"))
2690  {
2694  }
2695  else
2696  {
2697  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2698  "algorithm specified ('%s')", options->authname);
2699  }
2700 
2702  &c->c1.ks.tls_wrap_key,
2703  options->ce.tls_auth_file,
2704  options->ce.tls_auth_file_inline,
2705  options->ce.key_direction,
2706  "Control Channel Authentication", "tls-auth");
2707  }
2708 
2709  /* TLS handshake encryption+authentication (--tls-crypt) */
2710  if (options->ce.tls_crypt_file)
2711  {
2713  options->ce.tls_crypt_file,
2714  options->ce.tls_crypt_file_inline,
2715  options->tls_server);
2716  }
2717 
2718  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2719  if (options->ce.tls_crypt_v2_file)
2720  {
2721  if (options->tls_server)
2722  {
2724  true, options->ce.tls_crypt_v2_file,
2725  options->ce.tls_crypt_v2_file_inline);
2726  }
2727  else
2728  {
2730  &c->c1.ks.tls_crypt_v2_wkc,
2731  options->ce.tls_crypt_v2_file,
2732  options->ce.tls_crypt_v2_file_inline);
2733  }
2734  }
2735 
2736 
2737 }
2738 
2739 /*
2740  * Initialize the persistent component of OpenVPN's TLS mode,
2741  * which is preserved across SIGUSR1 resets.
2742  */
2743 static void
2745 {
2746  const struct options *options = &c->options;
2747 
2748  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2749  {
2750  /*
2751  * Initialize the OpenSSL library's global
2752  * SSL context.
2753  */
2754  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2755  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2756  {
2757  switch (auth_retry_get())
2758  {
2759  case AR_NONE:
2760  msg(M_FATAL, "Error: private key password verification failed");
2761  break;
2762 
2763  case AR_INTERACT:
2764  ssl_purge_auth(false);
2765 
2766  case AR_NOINTERACT:
2767  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2768  break;
2769 
2770  default:
2771  ASSERT(0);
2772  }
2773  c->sig->signal_text = "private-key-password-failure";
2774  return;
2775  }
2776 
2777  /*
2778  * BF-CBC is allowed to be used only when explicitly configured
2779  * as NCP-fallback or when NCP has been disabled or explicitly
2780  * allowed in the in ncp_ciphers list.
2781  * In all other cases do not attempt to initialize BF-CBC as it
2782  * may not even be supported by the underlying SSL library.
2783  *
2784  * Therefore, the key structure has to be initialized when:
2785  * - any non-BF-CBC cipher was selected; or
2786  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2787  * (BF-CBC will be the fallback).
2788  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2789  * If the negotiated cipher and options->ciphername are the
2790  * same we do not reinit the cipher
2791  *
2792  * Note that BF-CBC will still be part of the OCC string to retain
2793  * backwards compatibility with older clients.
2794  */
2795  if (!streq(options->ciphername, "BF-CBC")
2796  || tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2797  || options->enable_ncp_fallback)
2798  {
2799  /* Do not warn if the if the cipher is used only in OCC */
2800  bool warn = options->enable_ncp_fallback;
2801  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2802  true, warn);
2803  }
2804  /* Initialize PRNG with config-specified digest */
2805  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2806 
2807  /* initialize tls-auth/crypt/crypt-v2 key */
2809 
2810  /* initialise auth-token crypto support */
2812  {
2816  }
2817 
2818 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2819  if (options->priv_key_file_inline)
2820  {
2822  c->options.priv_key_file_inline = NULL;
2823  }
2824 #endif
2825  }
2826  else
2827  {
2828  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2829 
2830  /*
2831  * tls-auth/crypt key can be configured per connection block, therefore
2832  * we must reload it as it may have changed
2833  */
2835  }
2836 }
2837 
2838 static void
2839 do_init_crypto_tls(struct context *c, const unsigned int flags)
2840 {
2841  const struct options *options = &c->options;
2842  struct tls_options to;
2843  bool packet_id_long_form;
2844 
2845  ASSERT(options->tls_server || options->tls_client);
2846  ASSERT(!options->test_crypto);
2847 
2848  init_crypto_pre(c, flags);
2849 
2850  /* Make sure we are either a TLS client or server but not both */
2851  ASSERT(options->tls_server == !options->tls_client);
2852 
2853  /* initialize persistent component */
2855  if (IS_SIG(c))
2856  {
2857  return;
2858  }
2859 
2860  /* Sanity check on sequence number, and cipher mode options */
2861  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2862 
2863  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2864  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2865 
2866  /* Compute MTU parameters (postpone if we push/pull options) */
2867  if (c->options.pull || c->options.mode == MODE_SERVER)
2868  {
2869  /* Account for worst-case crypto overhead before allocating buffers */
2871  }
2872  else
2873  {
2875  options->replay, packet_id_long_form);
2876  }
2878 
2879  /* Set all command-line TLS-related options */
2880  CLEAR(to);
2881 
2882  if (options->mute_replay_warnings)
2883  {
2885  }
2886 
2888  if (packet_id_long_form)
2889  {
2891  }
2892 
2893  to.ssl_ctx = c->c1.ks.ssl_ctx;
2894  to.key_type = c->c1.ks.key_type;
2895  to.server = options->tls_server;
2896  to.replay = options->replay;
2897  to.replay_window = options->replay_window;
2898  to.replay_time = options->replay_time;
2902  to.transition_window = options->transition_window;
2903  to.handshake_window = options->handshake_window;
2904  to.packet_timeout = options->tls_timeout;
2905  to.renegotiate_bytes = options->renegotiate_bytes;
2907  if (options->renegotiate_seconds_min < 0)
2908  {
2909  /* Add 10% jitter to reneg-sec by default (server side only) */
2910  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2911  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2912  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2913  }
2914  else
2915  {
2916  /* Add user-specified jitter to reneg-sec */
2918  -(get_random() % max_int(options->renegotiate_seconds
2919  - options->renegotiate_seconds_min, 1));
2920  }
2921  to.single_session = options->single_session;
2922  to.mode = options->mode;
2923  to.pull = options->pull;
2924  if (options->push_peer_info) /* all there is */
2925  {
2926  to.push_peer_info_detail = 3;
2927  }
2928  else if (options->pull) /* pull clients send some details */
2929  {
2930  to.push_peer_info_detail = 2;
2931  }
2932  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
2933  {
2934  to.push_peer_info_detail = 0;
2935  }
2936  else /* default: minimal info to allow NCP in P2P mode */
2937  {
2938  to.push_peer_info_detail = 1;
2939  }
2940 
2941 
2942  /* should we not xmit any packets until we get an initial
2943  * response from client? */
2944  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2945  {
2946  to.xmit_hold = true;
2947  }
2948 
2949  to.disable_occ = !options->occ;
2950 
2951  to.verify_command = options->tls_verify;
2952  to.verify_export_cert = options->tls_export_cert;
2953  to.verify_x509_type = (options->verify_x509_type & 0xff);
2954  to.verify_x509_name = options->verify_x509_name;
2955  to.crl_file = options->crl_file;
2956  to.crl_file_inline = options->crl_file_inline;
2957  to.ssl_flags = options->ssl_flags;
2958  to.ns_cert_type = options->ns_cert_type;
2959  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2960  to.remote_cert_eku = options->remote_cert_eku;
2961  to.verify_hash = options->verify_hash;
2962  to.verify_hash_algo = options->verify_hash_algo;
2963  to.verify_hash_depth = options->verify_hash_depth;
2964  to.verify_hash_no_ca = options->verify_hash_no_ca;
2965 #ifdef ENABLE_X509ALTUSERNAME
2966  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2967 #else
2969 #endif
2970  to.es = c->c2.es;
2971  to.net_ctx = &c->net_ctx;
2972 
2973 #ifdef ENABLE_DEBUG
2974  to.gremlin = c->options.gremlin;
2975 #endif
2976 
2977  to.plugins = c->plugins;
2978 
2979 #ifdef ENABLE_MANAGEMENT
2980  to.mda_context = &c->c2.mda_context;
2981 #endif
2982 
2985  to.tmp_dir = options->tmp_dir;
2986  if (options->ccd_exclusive)
2987  {
2989  }
2995 
2996  to.x509_track = options->x509_track;
2997 
2998 #ifdef ENABLE_MANAGEMENT
2999  to.sci = &options->sc_info;
3000 #endif
3001 
3002 #ifdef USE_COMP
3003  to.comp_options = options->comp;
3004 #endif
3005 
3006 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3007  if (options->keying_material_exporter_label)
3008  {
3009  to.ekm_size = options->keying_material_exporter_length;
3010  if (to.ekm_size < 16 || to.ekm_size > 4095)
3011  {
3012  to.ekm_size = 0;
3013  }
3014 
3015  to.ekm_label = options->keying_material_exporter_label;
3016  to.ekm_label_size = strlen(to.ekm_label);
3017  }
3018  else
3019  {
3020  to.ekm_size = 0;
3021  }
3022 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3023 
3024  /* TLS handshake authentication (--tls-auth) */
3025  if (options->ce.tls_auth_file)
3026  {
3027  to.tls_wrap.mode = TLS_WRAP_AUTH;
3032  true, true);
3033  }
3034 
3035  /* TLS handshake encryption (--tls-crypt) */
3036  if (options->ce.tls_crypt_file
3037  || (options->ce.tls_crypt_v2_file && options->tls_client))
3038  {
3039  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3044 
3045  if (options->ce.tls_crypt_v2_file)
3046  {
3048  }
3049  }
3050 
3051  if (options->ce.tls_crypt_v2_file)
3052  {
3053  to.tls_crypt_v2 = true;
3054  if (options->tls_server)
3055  {
3058  }
3059  }
3060 
3061  /* If we are running over TCP, allow for
3062  * length prefix */
3064 
3065  /*
3066  * Initialize OpenVPN's master TLS-mode object.
3067  */
3068  if (flags & CF_INIT_TLS_MULTI)
3069  {
3070  c->c2.tls_multi = tls_multi_init(&to);
3071  }
3072 
3073  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3074  {
3076  }
3077 }
3078 
3079 static void
3081 {
3082  if (c->c2.tls_multi)
3083  {
3086  EXPANDED_SIZE(&c->c2.frame));
3088  "Control Channel MTU parms");
3089  }
3090  if (c->c2.tls_auth_standalone)
3091  {
3094  "TLS-Auth MTU parms");
3095  }
3096 }
3097 
3098 /*
3099  * No encryption or authentication.
3100  */
3101 static void
3103 {
3104  ASSERT(!c->options.test_crypto);
3105  msg(M_WARN,
3106  "******* WARNING *******: All encryption and authentication features "
3107  "disabled -- All data will be tunnelled as clear text and will not be "
3108  "protected against man-in-the-middle changes. "
3109  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3110 }
3111 
3112 static void
3113 do_init_crypto(struct context *c, const unsigned int flags)
3114 {
3115  if (c->options.shared_secret_file)
3116  {
3117  do_init_crypto_static(c, flags);
3118  }
3119  else if (c->options.tls_server || c->options.tls_client)
3120  {
3121  do_init_crypto_tls(c, flags);
3122  }
3123  else /* no encryption or authentication. */
3124  {
3126  }
3127 }
3128 
3129 static void
3131 {
3132 #ifdef USE_COMP
3133  /*
3134  * modify frame parameters if compression is enabled
3135  */
3136  if (comp_enabled(&c->options.comp))
3137  {
3138  comp_add_to_extra_frame(&c->c2.frame);
3139 
3140 #ifdef ENABLE_FRAGMENT
3141  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3142 #endif
3143  }
3144 #endif /* USE_COMP */
3145 
3146  /*
3147  * Adjust frame size for UDP Socks support.
3148  */
3149  if (c->options.ce.socks_proxy_server)
3150  {
3152  }
3153 
3154  /*
3155  * Adjust frame size based on the --tun-mtu-extra parameter.
3156  */
3158  {
3160  }
3161 
3162  /*
3163  * Adjust frame size based on link socket parameters.
3164  * (Since TCP is a stream protocol, we need to insert
3165  * a packet length uint16_t in the buffer.)
3166  */
3168 
3169  /*
3170  * Fill in the blanks in the frame parameters structure,
3171  * make sure values are rational, etc.
3172  */
3173  frame_finalize_options(c, NULL);
3174 
3175 #ifdef USE_COMP
3176  /*
3177  * Modify frame parameters if compression is compiled in.
3178  * Should be called after frame_finalize_options.
3179  */
3180  comp_add_to_extra_buffer(&c->c2.frame);
3181 #ifdef ENABLE_FRAGMENT
3182  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3183 #endif
3184 #endif /* USE_COMP */
3185 
3186  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3187  * and need link_mtu+3 bytes on socket reception (on server).
3188  *
3189  * accommodate receive path in f->extra_link, which has the side effect of
3190  * also increasing send buffers (BUF_SIZE() macro), which need to be
3191  * allocated big enough before receiving peer-id option from server.
3192  *
3193  * f->extra_frame is adjusted when peer-id option is push-received
3194  */
3196 
3197 #ifdef ENABLE_FRAGMENT
3198  /*
3199  * Set frame parameter for fragment code. This is necessary because
3200  * the fragmentation code deals with payloads which have already been
3201  * passed through the compression code.
3202  */
3203  c->c2.frame_fragment = c->c2.frame;
3206 #endif
3207 
3208 #if defined(ENABLE_FRAGMENT)
3209  /*
3210  * MTU advisories
3211  */
3212  if (c->options.ce.fragment && c->options.mtu_test)
3213  {
3214  msg(M_WARN,
3215  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3216  }
3217 #endif
3218 
3219 #ifdef ENABLE_FRAGMENT
3220  if ((c->options.ce.mssfix || c->options.ce.fragment)
3222  {
3223  msg(M_WARN,
3224  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3226  }
3227 #endif
3228 }
3229 
3230 static void
3232 {
3233  const struct options *o = &c->options;
3234 
3235  if (o->ping_send_timeout && !o->ping_rec_timeout)
3236  {
3237  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3238  }
3239 
3240  if (o->username || o->groupname || o->chroot_dir
3241 #ifdef ENABLE_SELINUX
3242  || o->selinux_context
3243 #endif
3244  )
3245  {
3246  if (!o->persist_tun)
3247  {
3248  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3249  }
3250  if (!o->persist_key
3251 #ifdef ENABLE_PKCS11
3252  && !o->pkcs11_id
3253 #endif
3254  )
3255  {
3256  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3257  }
3258  }
3259 
3260  if (o->chroot_dir && !(o->username && o->groupname))
3261  {
3262  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3263  }
3264 
3265  if (o->pull && o->ifconfig_local && c->first_time)
3266  {
3267  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3268  }
3269 
3271  {
3272  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3273  }
3274 
3275  if (o->mode == MODE_SERVER)
3276  {
3277  if (o->duplicate_cn && o->client_config_dir)
3278  {
3279  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3280  }
3282  {
3283  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3284  }
3285  if (!o->keepalive_ping || !o->keepalive_timeout)
3286  {
3287  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3288  }
3289  }
3290 
3291  if (!o->replay)
3292  {
3293  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3294  }
3295 
3296  if (o->tls_server)
3297  {
3299  }
3300  if (o->tls_client
3301  && !o->tls_verify
3304  && !o->remote_cert_eku)
3305  {
3306  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3307  }
3308  if (o->ns_cert_type)
3309  {
3310  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3311  }
3312 
3313  /* If a script is used, print appropriate warnings */
3314  if (o->user_script_used)
3315  {
3316  if (script_security() >= SSEC_SCRIPTS)
3317  {
3318  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3319  }
3320  else if (script_security() >= SSEC_PW_ENV)
3321  {
3322  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3323  }
3324  else
3325  {
3326  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3327  }
3328  }
3329 }
3330 
3331 static void
3333 {
3335 }
3336 
3337 struct context_buffers *
3339 {
3340  struct context_buffers *b;
3341 
3342  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3343 
3344  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3345  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3346 
3347  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3350  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3351 
3352 #ifdef USE_COMP
3353  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3354  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3355 #endif
3356 
3357  return b;
3358 }
3359 
3360 void
3362 {
3363  if (b)
3364  {
3365  free_buf(&b->read_link_buf);
3366  free_buf(&b->read_tun_buf);
3367  free_buf(&b->aux_buf);
3368 
3369 #ifdef USE_COMP
3370  free_buf(&b->compress_buf);
3371  free_buf(&b->decompress_buf);
3372 #endif
3373 
3374  free_buf(&b->encrypt_buf);
3375  free_buf(&b->decrypt_buf);
3376 
3377  free(b);
3378  }
3379 }
3380 
3381 /*
3382  * Now that we know all frame parameters, initialize
3383  * our buffers.
3384  */
3385 static void
3387 {
3389  c->c2.buffers_owned = true;
3390 }
3391 
3392 #ifdef ENABLE_FRAGMENT
3393 /*
3394  * Fragmenting code has buffers to initialize
3395  * once frame parameters are known.
3396  */
3397 static void
3399 {
3400  ASSERT(c->options.ce.fragment);
3404 }
3405 #endif
3406 
3407 /*
3408  * Allocate our socket object.
3409  */
3410 static void
3412 {
3413  ASSERT(!c->c2.link_socket);
3415  c->c2.link_socket_owned = true;
3416 }
3417 
3418 /*
3419  * Print MTU INFO
3420  */
3421 static void
3423 {
3424  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3425 #ifdef ENABLE_FRAGMENT
3426  if (c->c2.fragment)
3427  {
3429  "Fragmentation MTU parms");
3430  }
3431 #endif
3432 }
3433 
3434 /*
3435  * Get local and remote options compatibility strings.
3436  */
3437 static void
3439 {
3440  struct gc_arena gc = gc_new();
3441 
3443  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3444  false, &gc);
3446  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3447  true, &gc);
3448 
3449  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3452  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3455 
3456  if (c->c2.tls_multi)
3457  {
3461  }
3462 
3463  gc_free(&gc);
3464 }
3465 
3466 /*
3467  * These things can only be executed once per program instantiation.
3468  * Set up for possible UID/GID downgrade, but don't do it yet.
3469  * Daemonize if requested.
3470  */
3471 static void
3473 {
3474  if (c->first_time && !c->c0)
3475  {
3476  struct context_0 *c0;
3477 
3478  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3479  c0 = c->c0;
3480 
3481  /* get user and/or group that we want to setuid/setgid to */
3482  c0->uid_gid_specified =
3485 
3486  /* perform postponed chdir if --daemon */
3487  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3488  {
3489  platform_chdir("/");
3490  }
3491 
3492  /* should we change scheduling priority? */
3494  }
3495 }
3496 
3497 /*
3498  * free buffers
3499  */
3500 static void
3502 {
3503  if (c->c2.buffers_owned)
3504  {
3506  c->c2.buffers = NULL;
3507  c->c2.buffers_owned = false;
3508  }
3509 }
3510 
3511 /*
3512  * close TLS
3513  */
3514 static void
3516 {
3517  if (c->c2.tls_multi)
3518  {
3519  tls_multi_free(c->c2.tls_multi, true);
3520  c->c2.tls_multi = NULL;
3521  }
3522 
3523  /* free options compatibility strings */
3526 
3528 
3529  if (c->c2.pulled_options_state)
3530  {
3533  }
3534 }
3535 
3536 /*
3537  * Free key schedules
3538  */
3539 static void
3540 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3541 {
3542  /*
3543  * always free the tls_auth/crypt key. If persist_key is true, the key will
3544  * be reloaded from memory (pre-cached)
3545  */
3548  CLEAR(c->c1.ks.tls_wrap_key);
3551 
3552  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3553  {
3554  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3555  }
3556 }
3557 
3558 /*
3559  * Close TCP/UDP connection
3560  */
3561 static void
3563 {
3564  if (c->c2.link_socket && c->c2.link_socket_owned)
3565  {
3567  c->c2.link_socket = NULL;
3568  }
3569 
3570 
3571  /* Preserve the resolved list of remote if the user request to or if we want
3572  * reconnect to the same host again or there are still addresses that need
3573  * to be tried */
3574  if (!(c->sig->signal_received == SIGUSR1
3575  && ( (c->options.persist_remote_ip)
3576  ||
3577  ( c->sig->source != SIG_SOURCE_HARD
3579  && c->c1.link_socket_addr.current_remote->ai_next)
3580  || c->options.no_advance))
3581  )))
3582  {
3584  }
3585 
3586  /* Clear the remote actual address when persist_remote_ip is not in use */
3587  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3588  {
3590  }
3591 
3592  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3593  {
3595  {
3596  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3597  }
3598 
3599  c->c1.link_socket_addr.bind_local = NULL;
3600  }
3601 }
3602 
3603 /*
3604  * Close packet-id persistence file
3605  */
3606 static void
3608 {
3611  if (!(c->sig->signal_received == SIGUSR1))
3612  {
3614  }
3615 }
3616 
3617 #ifdef ENABLE_FRAGMENT
3618 /*
3619  * Close fragmentation handler.
3620  */
3621 static void
3623 {
3624  if (c->c2.fragment)
3625  {
3627  c->c2.fragment = NULL;
3628  }
3629 }
3630 #endif
3631 
3632 /*
3633  * Open and close our event objects.
3634  */
3635 
3636 static void
3638  bool need_us_timeout)
3639 {
3640  unsigned int flags = 0;
3641 
3643 
3644  flags |= EVENT_METHOD_FAST;
3645 
3646  if (need_us_timeout)
3647  {
3648  flags |= EVENT_METHOD_US_TIMEOUT;
3649  }
3650 
3651  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3652  c->c2.event_set_owned = true;
3653 }
3654 
3655 static void
3657 {
3658  if (c->c2.event_set && c->c2.event_set_owned)
3659  {
3660  event_free(c->c2.event_set);
3661  c->c2.event_set = NULL;
3662  c->c2.event_set_owned = false;
3663  }
3664 }
3665 
3666 /*
3667  * Open and close --status file
3668  */
3669 
3670 static void
3672 {
3673  if (!c->c1.status_output)
3674  {
3677  -1,
3678  NULL,
3680  c->c1.status_output_owned = true;
3681  }
3682 }
3683 
3684 static void
3686 {
3687  if (!(c->sig->signal_received == SIGUSR1))
3688  {
3689  if (c->c1.status_output_owned && c->c1.status_output)
3690  {
3692  c->c1.status_output = NULL;
3693  c->c1.status_output_owned = false;
3694  }
3695  }
3696 }
3697 
3698 /*
3699  * Handle ifconfig-pool persistence object.
3700  */
3701 static void
3703 {
3705  {
3708  c->c1.ifconfig_pool_persist_owned = true;
3709  }
3710 }
3711 
3712 static void
3714 {
3715  if (!(c->sig->signal_received == SIGUSR1))
3716  {
3718  {
3720  c->c1.ifconfig_pool_persist = NULL;
3721  c->c1.ifconfig_pool_persist_owned = false;
3722  }
3723  }
3724 }
3725 
3726 /*
3727  * Inherit environmental variables
3728  */
3729 
3730 static void
3731 do_inherit_env(struct context *c, const struct env_set *src)
3732 {
3733  c->c2.es = env_set_create(NULL);
3734  c->c2.es_owned = true;
3735  env_set_inherit(c->c2.es, src);
3736 }
3737 
3738 static void
3740 {
3741  if (c->c2.es && c->c2.es_owned)
3742  {
3743  env_set_destroy(c->c2.es);
3744  c->c2.es = NULL;
3745  c->c2.es_owned = false;
3746  }
3747 }
3748 
3749 /*
3750  * Fast I/O setup. Fast I/O is an optimization which only works
3751  * if all of the following are true:
3752  *
3753  * (1) The platform is not Windows
3754  * (2) --proto udp is enabled
3755  * (3) --shaper is disabled
3756  */
3757 static void
3759 {
3760  if (c->options.fast_io)
3761  {
3762 #ifdef _WIN32
3763  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3764 #else
3765  if (!proto_is_udp(c->options.ce.proto))
3766  {
3767  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3768  }
3769  else
3770  {
3771  if (c->options.shaper)
3772  {
3773  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3774  }
3775  else
3776  {
3777  c->c2.fast_io = true;
3778  }
3779  }
3780 #endif
3781  }
3782 }
3783 
3784 static void
3786 {
3787  if (c->options.tls_exit)
3788  {
3789  c->c2.tls_exit_signal = SIGTERM;
3790  }
3791  else
3792  {
3793  c->c2.tls_exit_signal = SIGUSR1;
3794  }
3795 }
3796 
3797 #ifdef ENABLE_PLUGIN
3798 
3799 void
3801 {
3802  if (c->options.plugin_list && !c->plugins)
3803  {
3805  c->plugins_owned = true;
3806  }
3807 }
3808 
3809 void
3810 open_plugins(struct context *c, const bool import_options, int init_point)
3811 {
3812  if (c->plugins && c->plugins_owned)
3813  {
3814  if (import_options)
3815  {
3816  struct plugin_return pr, config;
3817  plugin_return_init(&pr);
3818  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3819  plugin_return_get_column(&pr, &config, "config");
3820  if (plugin_return_defined(&config))
3821  {
3822  int i;
3823  for (i = 0; i < config.n; ++i)
3824  {
3825  unsigned int option_types_found = 0;
3826  if (config.list[i] && config.list[i]->value)
3827  {
3829  config.list[i]->value,
3832  &option_types_found,
3833  c->es);
3834  }
3835  }
3836  }
3837  plugin_return_free(&pr);
3838  }
3839  else
3840  {
3841  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3842  }
3843  }
3844 }
3845 
3846 static void
3848 {
3849  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3850  {
3852  c->plugins = NULL;
3853  c->plugins_owned = false;
3854  }
3855 }
3856 
3857 static void
3858 do_inherit_plugins(struct context *c, const struct context *src)
3859 {
3860  if (!c->plugins && src->plugins)
3861  {
3862  c->plugins = plugin_list_inherit(src->plugins);
3863  c->plugins_owned = true;
3864  }
3865 }
3866 
3867 #endif /* ifdef ENABLE_PLUGIN */
3868 
3869 #ifdef ENABLE_MANAGEMENT
3870 
3871 static void
3872 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3873 {
3874  struct context *c = (struct context *) arg;
3875  print_status(c, so);
3876 }
3877 
3878 void
3879 management_show_net_callback(void *arg, const int msglevel)
3880 {
3881 #ifdef _WIN32
3882  show_routes(msglevel);
3883  show_adapters(msglevel);
3884  msg(msglevel, "END");
3885 #else
3886  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3887 #endif
3888 }
3889 
3890 #ifdef TARGET_ANDROID
3891 int
3892 management_callback_network_change(void *arg, bool samenetwork)
3893 {
3894  /* Check if the client should translate the network change to a SIGUSR1 to
3895  * reestablish the connection or just reprotect the socket
3896  *
3897  * At the moment just assume that, for all settings that use pull (not
3898  * --static) and are not using peer-id reestablishing the connection is
3899  * required (unless the network is the same)
3900  *
3901  * The function returns -1 on invalid fd and -2 if the socket cannot be
3902  * reused. On the -2 return value the man_network_change function triggers
3903  * a SIGUSR1 to force a reconnect.
3904  */
3905 
3906  int socketfd = -1;
3907  struct context *c = (struct context *) arg;
3908  if (!c->c2.link_socket)
3909  {
3910  return -1;
3911  }
3912  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3913  {
3914  return -1;
3915  }
3916 
3917  socketfd = c->c2.link_socket->sd;
3918  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3919  {
3920  return socketfd;
3921  }
3922  else
3923  {
3924  return -2;
3925  }
3926 }
3927 #endif /* ifdef TARGET_ANDROID */
3928 
3929 #endif /* ifdef ENABLE_MANAGEMENT */
3930 
3931 void
3933 {
3934 #ifdef ENABLE_MANAGEMENT
3935  if (management)
3936  {
3937  struct management_callback cb;
3938  CLEAR(cb);
3939  cb.arg = c;
3945 #ifdef TARGET_ANDROID
3946  cb.network_change = management_callback_network_change;
3947 #endif
3949  }
3950 #endif
3951 }
3952 
3953 #ifdef ENABLE_MANAGEMENT
3954 
3955 void
3957 {
3958  if (!management)
3959  {
3961  }
3962 }
3963 
3964 bool
3966 {
3967  /* initialize management layer */
3968  if (management)
3969  {
3970  if (c->options.management_addr)
3971  {
3972  unsigned int flags = c->options.management_flags;
3973  if (c->options.mode == MODE_SERVER)
3974  {
3975  flags |= MF_SERVER;
3976  }
3988  flags))
3989  {
3992  NULL,
3993  NULL,
3994  NULL,
3995  NULL,
3996  NULL);
3997  }
3998 
3999  /* initial management hold, called early, before first context initialization */
4000  do_hold(0);
4001  if (IS_SIG(c))
4002  {
4003  msg(M_WARN, "Signal received from management interface, exiting");
4004  return false;
4005  }
4006  }
4007  else
4008  {
4009  close_management();
4010  }
4011  }
4012  return true;
4013 }
4014 
4015 void
4017 {
4018  if (management)
4019  {
4021  management = NULL;
4022  }
4023 }
4024 
4025 #endif /* ifdef ENABLE_MANAGEMENT */
4026 
4027 
4028 void
4030 {
4031 #ifdef ENABLE_MANAGEMENT
4032  if (management)
4033  {
4035  }
4036 #endif
4037 }
4038 
4039 /*
4040  * Initialize a tunnel instance, handle pre and post-init
4041  * signal settings.
4042  */
4043 void
4044 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4045 {
4047  init_instance(c, env, flags);
4049 
4050  /*
4051  * This is done so that signals thrown during
4052  * initialization can bring us back to
4053  * a management hold.
4054  */
4055  if (IS_SIG(c))
4056  {
4057  remap_signal(c);
4059  }
4060 }
4061 
4062 /*
4063  * Initialize a tunnel instance.
4064  */
4065 void
4066 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4067 {
4068  const struct options *options = &c->options;
4069  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4070  int link_socket_mode = LS_MODE_DEFAULT;
4071 
4072  /* init garbage collection level */
4073  gc_init(&c->c2.gc);
4074 
4075  /* inherit environmental variables */
4076  if (env)
4077  {
4078  do_inherit_env(c, env);
4079  }
4080 
4081  /* signals caught here will abort */
4082  c->sig->signal_received = 0;
4083  c->sig->signal_text = NULL;
4084  c->sig->source = SIG_SOURCE_SOFT;
4085 
4086  if (c->mode == CM_P2P)
4087  {
4089  }
4090 
4091  /* possible sleep or management hold if restart */
4092  if (c->mode == CM_P2P || c->mode == CM_TOP)
4093  {
4094  do_startup_pause(c);
4095  if (IS_SIG(c))
4096  {
4097  goto sig;
4098  }
4099  }
4100 
4101  if (c->options.resolve_in_advance)
4102  {
4103  do_preresolve(c);
4104  if (IS_SIG(c))
4105  {
4106  goto sig;
4107  }
4108  }
4109 
4110  /* Resets all values to the initial values from the config where needed */
4111  pre_connect_restore(&c->options, &c->c2.gc);
4112 
4113  /* map in current connection entry */
4115 
4116  /* link_socket_mode allows CM_CHILD_TCP
4117  * instances to inherit acceptable fds
4118  * from a top-level parent */
4119  if (c->options.ce.proto == PROTO_TCP_SERVER)
4120  {
4121  if (c->mode == CM_TOP)
4122  {
4123  link_socket_mode = LS_MODE_TCP_LISTEN;
4124  }
4125  else if (c->mode == CM_CHILD_TCP)
4126  {
4127  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4128  }
4129  }
4130 
4131  /* should we disable paging? */
4132  if (c->first_time && options->mlock)
4133  {
4134  platform_mlockall(true);
4135  }
4136 
4137  /* get passwords if undefined */
4138  if (auth_retry_get() == AR_INTERACT)
4139  {
4141  }
4142 
4143  /* initialize context level 2 --verb/--mute parms */
4145 
4146  /* set error message delay for non-server modes */
4147  if (c->mode == CM_P2P)
4148  {
4150  }
4151 
4152  /* warn about inconsistent options */
4153  if (c->mode == CM_P2P || c->mode == CM_TOP)
4154  {
4155  do_option_warnings(c);
4156  }
4157 
4158 #ifdef ENABLE_PLUGIN
4159  /* initialize plugins */
4160  if (c->mode == CM_P2P || c->mode == CM_TOP)
4161  {
4163  }
4164 #endif
4165 
4166  /* should we enable fast I/O? */
4167  if (c->mode == CM_P2P || c->mode == CM_TOP)
4168  {
4169  do_setup_fast_io(c);
4170  }
4171 
4172  /* should we throw a signal on TLS errors? */
4174 
4175  /* open --status file */
4176  if (c->mode == CM_P2P || c->mode == CM_TOP)
4177  {
4179  }
4180 
4181  /* open --ifconfig-pool-persist file */
4182  if (c->mode == CM_TOP)
4183  {
4185  }
4186 
4187  /* reset OCC state */
4188  if (c->mode == CM_P2P || child)
4189  {
4190  c->c2.occ_op = occ_reset_op();
4191  }
4192 
4193  /* our wait-for-i/o objects, different for posix vs. win32 */
4194  if (c->mode == CM_P2P)
4195  {
4197  }
4198  else if (c->mode == CM_CHILD_TCP)
4199  {
4200  do_event_set_init(c, false);
4201  }
4202 
4203  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4204  init_proxy(c);
4205 
4206  /* allocate our socket object */
4207  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4208  {
4209  do_link_socket_new(c);
4210  }
4211 
4212 #ifdef ENABLE_FRAGMENT
4213  /* initialize internal fragmentation object */
4214  if (options->ce.fragment && (c->mode == CM_P2P || child))
4215  {
4216  c->c2.fragment = fragment_init(&c->c2.frame);
4217  }
4218 #endif
4219 
4220  /* init crypto layer */
4221  {
4222  unsigned int crypto_flags = 0;
4223  if (c->mode == CM_TOP)
4224  {
4225  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4226  }
4227  else if (c->mode == CM_P2P)
4228  {
4230  }
4231  else if (child)
4232  {
4233  crypto_flags = CF_INIT_TLS_MULTI;
4234  }
4235  do_init_crypto(c, crypto_flags);
4236  if (IS_SIG(c) && !child)
4237  {
4238  goto sig;
4239  }
4240  }
4241 
4242 #ifdef USE_COMP
4243  /* initialize compression library. */
4244  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4245  {
4246  c->c2.comp_context = comp_init(&options->comp);
4247  }
4248 #endif
4249 
4250  /* initialize MTU variables */
4251  do_init_frame(c);
4252 
4253  /* initialize TLS MTU variables */
4254  do_init_frame_tls(c);
4255 
4256  /* init workspace buffers whose size is derived from frame size */
4257  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4258  {
4259  do_init_buffers(c);
4260  }
4261 
4262 #ifdef ENABLE_FRAGMENT
4263  /* initialize internal fragmentation capability with known frame size */
4264  if (options->ce.fragment && (c->mode == CM_P2P || child))
4265  {
4266  do_init_fragment(c);
4267  }
4268 #endif
4269 
4270  /* initialize dynamic MTU variable */
4271  frame_init_mssfix(&c->c2.frame, &c->options);
4272 
4273  /* bind the TCP/UDP socket */
4274  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4275  {
4276  link_socket_init_phase1(c, link_socket_mode);
4277  }
4278 
4279  /* initialize tun/tap device object,
4280  * open tun/tap device, ifconfig, run up script, etc. */
4281  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4282  {
4283  c->c2.did_open_tun = do_open_tun(c);
4284  }
4285 
4286  c->c2.frame_initial = c->c2.frame;
4287 
4288  /* print MTU info */
4290 
4291  /* get local and remote options compatibility strings */
4292  if (c->mode == CM_P2P || child)
4293  {
4295  }
4296 
4297  /* initialize output speed limiter */
4298  if (c->mode == CM_P2P)
4299  {
4301  }
4302 
4303  /* do one-time inits, and possibly become a daemon here */
4304  do_init_first_time(c);
4305 
4306 #ifdef ENABLE_PLUGIN
4307  /* initialize plugins */
4308  if (c->mode == CM_P2P || c->mode == CM_TOP)
4309  {
4311  }
4312 #endif
4313 
4314  /* initialise connect timeout timer */
4316 
4317  /* finalize the TCP/UDP socket */
4318  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4319  {
4321  }
4322 
4323  /*
4324  * Actually do UID/GID downgrade, and chroot, if requested.
4325  * May be delayed by --client, --pull, or --up-delay.
4326  */
4328 
4329  /* initialize timers */
4330  if (c->mode == CM_P2P || child)
4331  {
4332  do_init_timers(c, false);
4333  }
4334 
4335 #ifdef ENABLE_PLUGIN
4336  /* initialize plugins */
4337  if (c->mode == CM_P2P || c->mode == CM_TOP)
4338  {
4340  }
4341 #endif
4342 
4343 #if PORT_SHARE
4344  /* share OpenVPN port with foreign (such as HTTPS) server */
4345  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4346  {
4347  init_port_share(c);
4348  }
4349 #endif
4350 
4351  /* Check for signals */
4352  if (IS_SIG(c))
4353  {
4354  goto sig;
4355  }
4356 
4357  return;
4358 
4359 sig:
4360  if (!c->sig->signal_text)
4361  {
4362  c->sig->signal_text = "init_instance";
4363  }
4364  close_context(c, -1, flags);
4365  return;
4366 }
4367 
4368 /*
4369  * Close a tunnel instance.
4370  */
4371 void
4373 {
4374  /* close event objects */
4375  do_close_event_set(c);
4376 
4377  if (c->mode == CM_P2P
4378  || c->mode == CM_CHILD_TCP
4379  || c->mode == CM_CHILD_UDP
4380  || c->mode == CM_TOP)
4381  {
4382 #ifdef USE_COMP
4383  if (c->c2.comp_context)
4384  {
4385  comp_uninit(c->c2.comp_context);
4386  c->c2.comp_context = NULL;
4387  }
4388 #endif
4389 
4390  /* free buffers */
4391  do_close_free_buf(c);
4392 
4393  /* close TLS */
4394  do_close_tls(c);
4395 
4396  /* free key schedules */
4397  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4398 
4399  /* close TCP/UDP connection */
4401 
4402  /* close TUN/TAP device */
4403  do_close_tun(c, false);
4404 
4405 #ifdef ENABLE_MANAGEMENT
4406  if (management)
4407  {
4409  }
4410 #endif
4411 
4412 #ifdef ENABLE_PLUGIN
4413  /* call plugin close functions and unload */
4414  do_close_plugins(c);
4415 #endif
4416 
4417  /* close packet-id persistence file */
4418  do_close_packet_id(c);
4419 
4420  /* close --status file */
4422 
4423 #ifdef ENABLE_FRAGMENT
4424  /* close fragmentation handler */
4425  do_close_fragment(c);
4426 #endif
4427 
4428  /* close --ifconfig-pool-persist obj */
4430 
4431  /* free up environmental variable store */
4432  do_env_set_destroy(c);
4433 
4434  /* close HTTP or SOCKS proxy */
4435  uninit_proxy(c);
4436 
4437  /* garbage collect */
4438  gc_free(&c->c2.gc);
4439  }
4440 }
4441 
4442 void
4444  const struct context *src)
4445 {
4446  CLEAR(*dest);
4447 
4448  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4450 
4451  dest->gc = gc_new();
4452 
4453  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4454 
4455  /* c1 init */
4457 
4458  dest->c1.ks.key_type = src->c1.ks.key_type;
4459  /* inherit SSL context */
4460  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4461  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4464  /* inherit pre-NCP ciphers */
4465  dest->options.ciphername = src->options.ciphername;
4466  dest->options.authname = src->options.authname;
4467 
4468  /* inherit auth-token */
4469  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4470 
4471  /* options */
4472  dest->options = src->options;
4473  options_detach(&dest->options);
4474 
4475  if (dest->mode == CM_CHILD_TCP)
4476  {
4477  /*
4478  * The CM_TOP context does the socket listen(),
4479  * and the CM_CHILD_TCP context does the accept().
4480  */
4481  dest->c2.accept_from = src->c2.link_socket;
4482  }
4483 
4484 #ifdef ENABLE_PLUGIN
4485  /* inherit plugins */
4486  do_inherit_plugins(dest, src);
4487 #endif
4488 
4489  /* context init */
4490  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4491  if (IS_SIG(dest))
4492  {
4493  return;
4494  }
4495 
4496  /* inherit tun/tap interface object */
4497  dest->c1.tuntap = src->c1.tuntap;
4498 
4499  /* UDP inherits some extra things which TCP does not */
4500  if (dest->mode == CM_CHILD_UDP)
4501  {
4502  /* inherit buffers */
4503  dest->c2.buffers = src->c2.buffers;
4504 
4505  /* inherit parent link_socket and tuntap */
4506  dest->c2.link_socket = src->c2.link_socket;
4507 
4508  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4509  *dest->c2.link_socket_info = src->c2.link_socket->info;
4510 
4511  /* locally override some link_socket_info fields */
4512  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4514  }
4515 }
4516 
4517 void
4519  const struct context *src)
4520 {
4521  /* copy parent */
4522  *dest = *src;
4523 
4524  /*
4525  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4526  * resources owned by the parent.
4527  *
4528  * Also note that CM_TOP_CLONE context objects are
4529  * closed by multi_top_free in multi.c.
4530  */
4531  dest->mode = CM_TOP_CLONE;
4532 
4533  dest->first_time = false;
4534  dest->c0 = NULL;
4535 
4536  options_detach(&dest->options);
4537  gc_detach(&dest->gc);
4538  gc_detach(&dest->c2.gc);
4539 
4540  /* detach plugins */
4541  dest->plugins_owned = false;
4542 
4543  dest->c2.tls_multi = NULL;
4544 
4545  /* detach c1 ownership */
4546  dest->c1.tuntap_owned = false;
4547  dest->c1.status_output_owned = false;
4548  dest->c1.ifconfig_pool_persist_owned = false;
4549 
4550  /* detach c2 ownership */
4551  dest->c2.event_set_owned = false;
4552  dest->c2.link_socket_owned = false;
4553  dest->c2.buffers_owned = false;
4554  dest->c2.es_owned = false;
4555 
4556  dest->c2.event_set = NULL;
4557  if (proto_is_dgram(src->options.ce.proto))
4558  {
4559  do_event_set_init(dest, false);
4560  }
4561 
4562 #ifdef USE_COMP
4563  dest->c2.comp_context = NULL;
4564 #endif
4565 }
4566 
4567 void
4568 close_context(struct context *c, int sig, unsigned int flags)
4569 {
4570  ASSERT(c);
4571  ASSERT(c->sig);
4572 
4573  if (sig >= 0)
4574  {
4575  c->sig->signal_received = sig;
4576  }
4577 
4578  if (c->sig->signal_received == SIGUSR1)
4579  {
4580  if ((flags & CC_USR1_TO_HUP)
4581  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4582  {
4583  c->sig->signal_received = SIGHUP;
4584  c->sig->signal_text = "close_context usr1 to hup";
4585  }
4586  }
4587 
4588  if (!(flags & CC_NO_CLOSE))
4589  {
4590  close_instance(c);
4591  }
4592 
4593  if (flags & CC_GC_FREE)
4594  {
4595  context_gc_free(c);
4596  }
4597 }
4598 
4599 /* Write our PID to a file */
4600 void
4601 write_pid_file(const char *filename, const char *chroot_dir)
4602 {
4603  if (filename)
4604  {
4605  unsigned int pid = 0;
4606  FILE *fp = platform_fopen(filename, "w");
4607  if (!fp)
4608  {
4609  msg(M_ERR, "Open error on pid file %s", filename);
4610  return;
4611  }
4612 
4613  pid = platform_getpid();
4614  fprintf(fp, "%u\n", pid);
4615  if (fclose(fp))
4616  {
4617  msg(M_ERR, "Close error on pid file %s", filename);
4618  }
4619 
4620  /* remember file name so it can be deleted "out of context" later */
4621  /* (the chroot case is more complex and not handled today) */
4622  if (!chroot_dir)
4623  {
4624  saved_pid_file_name = strdup(filename);
4625  }
4626  }
4627 }
4628 
4629 /* remove PID file on exit, called from openvpn_exit() */
4630 void
4632 {
4633  if (saved_pid_file_name)
4634  {
4636  }
4637 }
4638 
4639 
4640 /*
4641  * Do a loopback test
4642  * on the crypto subsystem.
4643  */
4644 static void *
4646 {
4647  struct context *c = (struct context *) arg;
4648  const struct options *options = &c->options;
4649 
4650  ASSERT(options->test_crypto);
4652  context_init_1(c);
4654  do_init_crypto_static(c, 0);
4655 
4656  frame_finalize_options(c, options);
4657 
4658  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4659 
4660  key_schedule_free(&c->c1.ks, true);
4662 
4663  context_gc_free(c);
4664  return NULL;
4665 }
4666 
4667 bool
4668 do_test_crypto(const struct options *o)
4669 {
4670  if (o->test_crypto)
4671  {
4672  struct context c;
4673 
4674  /* print version number */
4675  msg(M_INFO, "%s", title_string);
4676 
4677  context_clear(&c);
4678  c.options = *o;
4679  options_detach(&c.options);
4680  c.first_time = true;
4681  test_crypto_thread((void *) &c);
4682  return true;
4683  }
4684  return false;
4685 }
struct tuntap_options tuntap_options
Definition: options.h:321
bool tcp_mode
Definition: ssl_common.h:350
struct env_set * es
Definition: openvpn.h:408
char port[RH_PORT_LEN]
Definition: options.h:194
unsigned int platform_getpid(void)
Definition: platform.c:182
bool socks_proxy_owned
Definition: openvpn.h:189
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2593
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:353
void management_close(struct management *man)
Definition: manage.c:2638
int ifconfig_pool_persist_refresh_freq
Definition: options.h:445
struct key_type key_type
Definition: ssl_common.h:288
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
bool persist_remote_ip
Definition: options.h:310
int sndbuf
Definition: options.h:366
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:386
bool log_rw
Definition: openvpn.h:370
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:114
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
struct frame frame_fragment_omit
Definition: openvpn.h:256
const char * tmp_dir
Definition: ssl_common.h:366
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:373
bool tun_mtu_defined
Definition: options.h:118
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:610
#define OPT_P_DEFAULT
Definition: options.h:703
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1515
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
Definition: tun.h:155
unsigned int management_flags
Definition: options.h:409
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1981
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2621
bool verify_hash_no_ca
Definition: options.h:568
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:111
const char * crl_file
Definition: ssl_common.h:330
#define M_NOPREFIX
Definition: error.h:106
bool block_outside_dns
Definition: options.h:640
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:104
struct event_timeout ping_rec_interval
Definition: openvpn.h:285
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1314
bool tls_crypt_v2
Definition: ssl_common.h:355
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
void platform_nice(int niceval)
Definition: platform.c:160
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:960
struct event_timeout route_wakeup_expire
Definition: openvpn.h:374
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:525
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
bool show_curves
Definition: options.h:244
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:637
const char * cipher_list
Definition: options.h:550
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:535
struct link_socket * link_socket_new(void)
Definition: socket.c:1840
static void do_alloc_route_list(struct context *c)
Definition: init.c:1460
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:334
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1002
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3851
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
bool tls_crypt_v2_file_inline
Definition: options.h:616
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2133
static void init_proxy_dowork(struct context *c)
Definition: init.c:627
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
bool did_open_tun
Definition: openvpn.h:377
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
unsigned int auth_token_lifetime
Definition: ssl_common.h:373
const char * tls_cert_profile
Definition: options.h:553
int management_log_history_cache
Definition: options.h:400
#define M_OPTERR
Definition: error.h:109
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:356
struct interval tmp_int
Definition: openvpn.h:334
#define streq(x, y)
Definition: options.h:667
const char * ifconfig_pool_persist_filename
Definition: options.h:444
const char * chroot_dir
Definition: options.h:326
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:727
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3858
static void do_close_event_set(struct context *c)
Definition: init.c:3656
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2744
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:431
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:269
#define WSO_FORCE_SERVICE
Definition: win32.h:167
int ping_rec_timeout_action
Definition: options.h:306
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2142
bool auth_token_generate
Definition: options.h:487
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4526
void tun_abort(void)
Definition: init.c:2114
Contains all state information for one tunnel.
Definition: openvpn.h:461
#define CIPHER_ENABLED(c)
Definition: openvpn.h:532
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3739
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2680
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:352
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
struct env_set * es
Set of environment variables.
Definition: openvpn.h:484
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:115
struct man_persist persist
Definition: manage.h:314
#define srandom
Definition: syshead.h:45
char * peer_info
Definition: ssl_common.h:619
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:365
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:285
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
#define OPT_P_PLUGIN
Definition: options.h:696
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4568
int script_security(void)
Definition: run_command.c:45
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
#define SDL_CONSTRAIN
Definition: error.h:186
const char * auth_user_pass_verify_script
Definition: ssl_common.h:364
const char * shared_secret_file
Definition: options.h:513
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
enum multi_status multi_state
Definition: ssl_common.h:588
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
#define RH_PORT_LEN
Definition: options.h:193
#define EVENT_METHOD_FAST
Definition: event.h:80
uint32_t peer_id
Definition: options.h:645
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3932
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:322
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
bool tls_crypt_v2_file_inline
Definition: options.h:156
void close_instance(struct context *c)
Definition: init.c:4372
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:96
int renegotiate_seconds
Definition: options.h:590
const char * client_config_dir_exclusive
Definition: ssl_common.h:378
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1339
#define OPT_P_IPWIN32
Definition: options.h:675
bool persist_key
Definition: options.h:311
#define SIGUSR1
Definition: config-msvc.h:115
int replay_window
Definition: options.h:526
int persist_mode
Definition: options.h:237
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:456
const char * auth_user_pass_file
Definition: ssl_common.h:367
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3785
struct context_buffers * buffers
Definition: openvpn.h:357
int verify_x509_type
Definition: ssl_common.h:328
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:109
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
struct event_timeout wait_for_connect
Definition: openvpn.h:283
int rcvbuf
Definition: options.h:365
const char * config_ncp_ciphers
Definition: ssl_common.h:353
#define D_LOG_RW
Definition: errlevel.h:109
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
static void next_connection_entry(struct context *c)
Definition: init.c:470
int handshake_window
Definition: ssl_common.h:319
struct connection_list * connection_list
Definition: options.h:253
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
#define LS_MODE_DEFAULT
Definition: socket.h:191
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:268
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
#define RH_HOST_LEN
Definition: options.h:191
const char * exit_event_name
Definition: options.h:636
#define AR_NONE
Definition: options.h:841
const struct link_socket * accept_from
Definition: openvpn.h:242
void md_ctx_free(md_ctx_t *ctx)
bool route_noexec
Definition: options.h:381
unsigned int sockflags
Definition: options.h:373
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2549
in_addr_t remote_netmask
Definition: tun.h:174
const char * tls_crypt_file
Definition: options.h:150
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
static void do_close_tls(struct context *c)
Definition: init.c:3515
const char * genkey_extra_data
Definition: options.h:248
static bool ce_management_query_remote(struct context *c)
Definition: init.c:381
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
char * x509_username_field[2]
Definition: ssl_common.h:342
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define ENABLE_PKCS11
Definition: config-msvc.h:13
const char * route_script
Definition: options.h:376
int management_state_buffer_size
Definition: options.h:402
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:491
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:105
#define D_READ_WRITE
Definition: errlevel.h:161
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
#define in_addr_t
Definition: config-msvc.h:103
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3130
const char * config
Definition: options.h:219
#define dmsg(flags,...)
Definition: error.h:157
int route_delay
Definition: options.h:382
void remove_pid_file(void)
Definition: init.c:4631
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:333
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:377
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3810
const char * ekm_label
Definition: ssl_common.h:418
void post_init_signal_catch(void)
Definition: sig.c:249
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
struct frame frame_initial
Definition: openvpn.h:249
bool down_pre
Definition: options.h:335
int keepalive_timeout
Definition: options.h:294
#define OPT_P_SOCKBUF
Definition: options.h:697
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
Definition: lladdr.c:18
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:189
#define SIGTERM
Definition: config-msvc.h:117
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:369
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1444
#define TLS_MODE(c)
Definition: openvpn.h:524
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:586
bool push_peer_info
Definition: options.h:625
#define OPT_P_SETENV
Definition: options.h:677
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
int renegotiate_seconds_min
Definition: options.h:591
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3742
bool tls_crypt_file_inline
Definition: options.h:151
#define PING_RESTART
Definition: options.h:305
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3080
int handshake_window
Definition: options.h:595
#define ASSERT(x)
Definition: error.h:204
static void do_close_plugins(struct context *c)
Definition: init.c:3847
#define D_SHOW_NET
Definition: errlevel.h:128
static int ifconfig_order(void)
Definition: tun.h:330
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:225
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:234
unsigned int crypto_flags
Definition: ssl_common.h:346
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:265
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
int explicit_exit_notification
Definition: options.h:131
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
int status_file_update_freq
Definition: options.h:355
int verify_x509_type
Definition: options.h:556
unsigned int unsuccessful_attempts
Definition: options.h:259
void close_management(void)
Definition: init.c:4016
bool platform_unlink(const char *filename)
Definition: platform.c:350
static void adjust_mtu_peerid(struct context *c)
Definition: init.c:2255
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
bool auth_token_call_auth
Definition: options.h:489
const char * config_ciphername
Definition: ssl_common.h:352
const char * prng_hash
Definition: options.h:521
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
int ping_rec_timeout
Definition: options.h:300
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
#define D_LOW
Definition: errlevel.h:97
bool ifconfig_noexec
Definition: options.h:279
bool fast_io
Definition: options.h:358
int key_direction
Definition: options.h:515
int renegotiate_bytes
Definition: ssl_common.h:321
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
static void update_options_ce_post(struct options *options)
Definition: init.c:194
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
struct tuntap_options options
Definition: tun.h:168
bool link_mtu_defined
Definition: options.h:122
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:70
bool init_static(void)
Definition: init.c:755
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
struct frame frame_fragment_initial
Definition: openvpn.h:255
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:223
bool use_peer_id
Definition: ssl_common.h:643
struct event_timeout ping_send_interval
Definition: openvpn.h:284
bool route_delay_defined
Definition: options.h:384
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:473
bool tls_exit
Definition: options.h:627
#define MF_SERVER
Definition: manage.h:326
bool print_openssl_info(const struct options *options)
Definition: init.c:1035
void restore_signal_state(void)
Definition: sig.c:264
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
int key_direction
Definition: options.h:147
#define PULL_DEFINED(opt)
Definition: options.h:705
bool route_nopull
Definition: options.h:388
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
struct sockaddr_in6 in6
Definition: socket.h:70
list flags
#define TOP_P2P
Definition: proto.h:44
static void do_close_fragment(struct context *c)
Definition: init.c:3622
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1240
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
const char * tls_export_cert
Definition: options.h:558
const char * route_default_gateway
Definition: options.h:378
const char * ncp_ciphers
Definition: options.h:519
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4044
int remap_sigusr1
Definition: options.h:340
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
void extract_x509_field_test(void)
bool uid_gid_chroot_set
Definition: openvpn.h:137
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
bool remote_random
Definition: options.h:267
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
bool status_close(struct status_output *so)
Definition: status.c:190
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
void pre_init_signal_catch(void)
Definition: sig.c:235