OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
74 {
75  CLEAR(*c);
76 }
77 
78 void
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
194 {
195 #if P2MP
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
208  }
209 #endif
210 }
211 
212 #ifdef ENABLE_MANAGEMENT
213 static bool
214 management_callback_proxy_cmd(void *arg, const char **p)
215 {
216  struct context *c = arg;
217  struct connection_entry *ce = &c->options.ce;
218  struct gc_arena *gc = &c->c2.gc;
219  bool ret = false;
220 
221  update_time();
222  if (streq(p[1], "NONE"))
223  {
224  ret = true;
225  }
226  else if (p[2] && p[3])
227  {
228  if (streq(p[1], "HTTP"))
229  {
230  struct http_proxy_options *ho;
231  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
232  {
233  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
234  return false;
235  }
237  ho->server = string_alloc(p[2], gc);
238  ho->port = string_alloc(p[3], gc);
239  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
240  ret = true;
241  }
242  else if (streq(p[1], "SOCKS"))
243  {
244  ce->socks_proxy_server = string_alloc(p[2], gc);
245  ce->socks_proxy_port = string_alloc(p[3], gc);
246  ret = true;
247  }
248  }
249  else
250  {
251  msg(M_WARN, "Bad proxy command");
252  }
253 
254  ce->flags &= ~CE_MAN_QUERY_PROXY;
255 
256  return ret;
257 }
258 
259 static bool
261 {
262  const struct connection_list *l = c->options.connection_list;
263  struct connection_entry *ce = &c->options.ce;
264  struct gc_arena gc;
265  bool ret = true;
266 
267  update_time();
268  if (management)
269  {
270  gc = gc_new();
271  {
272  struct buffer out = alloc_buf_gc(256, &gc);
273  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
274  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
277  }
278  ce->flags |= CE_MAN_QUERY_PROXY;
279  while (ce->flags & CE_MAN_QUERY_PROXY)
280  {
282  if (IS_SIG(c))
283  {
284  ret = false;
285  break;
286  }
287  }
289  gc_free(&gc);
290  }
291 
292  return ret;
293 }
294 
309 static bool
311  const char *command,
312  const char *parameters)
313 {
314  struct context *c = (struct context *) arg;
315  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
316  if (len > PUSH_BUNDLE_SIZE)
317  {
318  return false;
319  }
320 
321  struct gc_arena gc = gc_new();
322  struct buffer buf = alloc_buf_gc(len, &gc);
323  ASSERT(buf_printf(&buf, "%s", command));
324  if (parameters)
325  {
326  ASSERT(buf_printf(&buf, ",%s", parameters));
327  }
328  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
329 
330  gc_free(&gc);
331  return status;
332 }
333 
334 static bool
335 management_callback_remote_cmd(void *arg, const char **p)
336 {
337  struct context *c = (struct context *) arg;
338  struct connection_entry *ce = &c->options.ce;
339  int ret = false;
341  {
342  int flags = 0;
343  if (!strcmp(p[1], "ACCEPT"))
344  {
346  ret = true;
347  }
348  else if (!strcmp(p[1], "SKIP"))
349  {
350  flags = CE_MAN_QUERY_REMOTE_SKIP;
351  ret = true;
352  }
353  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
354  {
355  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
356  {
357  struct remote_host_store *rhs = c->options.rh_store;
358  if (!rhs)
359  {
361  c->options.rh_store = rhs;
362  }
363  strncpynt(rhs->host, p[2], RH_HOST_LEN);
364  strncpynt(rhs->port, p[3], RH_PORT_LEN);
365 
366  ce->remote = rhs->host;
367  ce->remote_port = rhs->port;
368  flags = CE_MAN_QUERY_REMOTE_MOD;
369  ret = true;
370  }
371  }
372  if (ret)
373  {
374  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
376  }
377  }
378  return ret;
379 }
380 
381 static bool
383 {
384  struct gc_arena gc = gc_new();
385  volatile struct connection_entry *ce = &c->options.ce;
386  int ce_changed = true; /* presume the connection entry will be changed */
387 
388  update_time();
389  if (management)
390  {
391  struct buffer out = alloc_buf_gc(256, &gc);
392 
393  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
394  proto2ascii(ce->proto, ce->af, false));
397 
400  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
402  {
404  if (IS_SIG(c))
405  {
406  ce_changed = false; /* connection entry have not been set */
407  break;
408  }
409  }
411  }
412  gc_free(&gc);
413 
414  if (ce_changed)
415  {
416  /* If it is likely a connection entry was modified,
417  * check what changed in the flags and that it was not skipped
418  */
419  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
421  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
422  }
423  return ce_changed;
424 }
425 #endif /* ENABLE_MANAGEMENT */
426 
427 /*
428  * Initialize and possibly randomize connection list.
429  */
430 static void
432 {
433  struct connection_list *l = c->options.connection_list;
434 
435  l->current = -1;
436  if (c->options.remote_random)
437  {
438  int i;
439  for (i = 0; i < l->len; ++i)
440  {
441  const int j = get_random() % l->len;
442  if (i != j)
443  {
444  struct connection_entry *tmp;
445  tmp = l->array[i];
446  l->array[i] = l->array[j];
447  l->array[j] = tmp;
448  }
449  }
450  }
451 }
452 
453 /*
454  * Clear the remote address list
455  */
456 static void
458 {
459  if (lsa->remote_list && free)
460  {
461  freeaddrinfo(lsa->remote_list);
462  }
463  lsa->remote_list = NULL;
464  lsa->current_remote = NULL;
465 }
466 
467 /*
468  * Increment to next connection entry
469  */
470 static void
472 {
473  struct connection_list *l = c->options.connection_list;
474  bool ce_defined;
475  struct connection_entry *ce;
476  int n_cycles = 0;
477 
478  do
479  {
480  ce_defined = true;
481  if (c->options.no_advance && l->current >= 0)
482  {
483  c->options.no_advance = false;
484  }
485  else
486  {
487  /* Check if there is another resolved address to try for
488  * the current connection */
490  && c->c1.link_socket_addr.current_remote->ai_next)
491  {
493  c->c1.link_socket_addr.current_remote->ai_next;
494  }
495  else
496  {
497  /* FIXME (schwabe) fix the persist-remote-ip option for real,
498  * this is broken probably ever since connection lists and multiple
499  * remote existed
500  */
501  if (!c->options.persist_remote_ip)
502  {
503  /* Connection entry addrinfo objects might have been
504  * resolved earlier but the entry itself might have been
505  * skipped by management on the previous loop.
506  * If so, clear the addrinfo objects as close_instance does
507  */
509  {
512  }
513 
514  /* close_instance should have cleared the addrinfo objects */
517  }
518  else
519  {
522  }
523 
524  /*
525  * Increase the number of connection attempts
526  * If this is connect-retry-max * size(l)
527  * OpenVPN will quit
528  */
529 
531 
532  if (++l->current >= l->len)
533  {
534 
535  l->current = 0;
536  if (++n_cycles >= 2)
537  {
538  msg(M_FATAL, "No usable connection profiles are present");
539  }
540  }
541  }
542  }
543 
544  ce = l->array[l->current];
545 
546  if (ce->flags & CE_DISABLED)
547  {
548  ce_defined = false;
549  }
550 
551  c->options.ce = *ce;
552 #ifdef ENABLE_MANAGEMENT
554  {
555  /* allow management interface to override connection entry details */
556  ce_defined = ce_management_query_remote(c);
557  if (IS_SIG(c))
558  {
559  break;
560  }
561  }
562  else if (ce_defined && management && management_query_proxy_enabled(management))
563  {
564  ce_defined = ce_management_query_proxy(c);
565  if (IS_SIG(c))
566  {
567  break;
568  }
569  }
570 #endif
571  } while (!ce_defined);
572 
573  /* Check if this connection attempt would bring us over the limit */
574  if (c->options.connect_retry_max > 0
576  {
577  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
579  }
581 }
582 
583 /*
584  * Query for private key and auth-user-pass username/passwords
585  */
586 void
588 {
589  /* Certificate password input */
590  if (c->options.key_pass_file)
591  {
593  }
594 
595 #if P2MP
596  /* Auth user/pass input */
598  {
599 #ifdef ENABLE_MANAGEMENT
601 #else
603 #endif
604  }
605 #endif
606 }
607 
608 /*
609  * Initialize/Uninitialize HTTP or SOCKS proxy
610  */
611 
612 static void
614 {
615  if (c->c1.http_proxy_owned && c->c1.http_proxy)
616  {
618  c->c1.http_proxy = NULL;
619  c->c1.http_proxy_owned = false;
620  }
621  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
622  {
624  c->c1.socks_proxy = NULL;
625  c->c1.socks_proxy_owned = false;
626  }
627 }
628 
629 static void
631 {
632  bool did_http = false;
633 
635 
637  {
638  /* Possible HTTP proxy user/pass input */
640  if (c->c1.http_proxy)
641  {
642  did_http = true;
643  c->c1.http_proxy_owned = true;
644  }
645  }
646 
647  if (!did_http && c->options.ce.socks_proxy_server)
648  {
652  if (c->c1.socks_proxy)
653  {
654  c->c1.socks_proxy_owned = true;
655  }
656  }
657 }
658 
659 static void
660 init_proxy(struct context *c)
661 {
663 }
664 
665 static void
667 {
669 }
670 
671 /*
672  * Saves the initial state of NCP-regotiable
673  * options into a storage which persists over SIGUSR1.
674  */
675 static void
677 {
679  c->c1.authname = c->options.authname;
680  c->c1.keysize = c->options.keysize;
681 }
682 
683 /* Restores NCP-negotiable options to original values */
684 static void
686 {
688  c->options.authname = c->c1.authname;
689  c->options.keysize = c->c1.keysize;
690  c->options.data_channel_use_ekm = false;
691 }
692 
693 void
695 {
696  context_clear_1(c);
697 
699 
701 
702  save_ncp_options(c);
703 
704 #if defined(ENABLE_PKCS11)
705  if (c->first_time)
706  {
707  int i;
708  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
709  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
710  {
711  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
712  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
713  }
714  }
715 #endif
716 
717 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
718  {
719  /*
720  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
721  */
722  struct user_pass up;
723  CLEAR(up);
724  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
725  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
726  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
727  * 'needok' command, usually 'ok' or 'cancel'. */
728  }
729 #endif
730 
731 #ifdef ENABLE_SYSTEMD
732  /* We can report the PID via getpid() to systemd here as OpenVPN will not
733  * do any fork due to daemon() a future call.
734  * See possibly_become_daemon() [init.c] for more details.
735  */
736  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
737  (unsigned long) getpid());
738 #endif
739 
740 }
741 
742 void
744 {
745  gc_free(&c->c2.gc);
746  gc_free(&c->options.gc);
747  gc_free(&c->gc);
748 }
749 
750 #if PORT_SHARE
751 
752 static void
753 close_port_share(void)
754 {
755  if (port_share)
756  {
757  port_share_close(port_share);
758  port_share = NULL;
759  }
760 }
761 
762 static void
763 init_port_share(struct context *c)
764 {
765  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
766  {
767  port_share = port_share_open(c->options.port_share_host,
768  c->options.port_share_port,
770  c->options.port_share_journal_dir);
771  if (port_share == NULL)
772  {
773  msg(M_FATAL, "Fatal error: Port sharing failed");
774  }
775  }
776 }
777 
778 #endif /* if PORT_SHARE */
779 
780 
781 bool
783 {
784  /* configure_path (); */
785 
786 #if defined(DMALLOC)
787  crypto_init_dmalloc();
788 #endif
789 
790 
791  /*
792  * Initialize random number seed. random() is only used
793  * when "weak" random numbers are acceptable.
794  * SSL library routines are always used when cryptographically
795  * strong random numbers are required.
796  */
797  struct timeval tv;
798  if (!gettimeofday(&tv, NULL))
799  {
800  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
801  srandom(seed);
802  }
803 
804  error_reset(); /* initialize error.c */
805  reset_check_status(); /* initialize status check code in socket.c */
806 
807 #ifdef _WIN32
808  init_win32();
809 #endif
810 
811 #ifdef OPENVPN_DEBUG_COMMAND_LINE
812  {
813  int i;
814  for (i = 0; i < argc; ++i)
815  {
816  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
817  }
818  }
819 #endif
820 
821  update_time();
822 
823  init_ssl_lib();
824 
825  /* init PRNG used for IV generation */
826  /* When forking, copy this to more places in the code to avoid fork
827  * random-state predictability */
828  prng_init(NULL, 0);
829 
830 #ifdef PID_TEST
831  packet_id_interactive_test(); /* test the sequence number code */
832  return false;
833 #endif
834 
835 #ifdef SCHEDULE_TEST
836  schedule_test();
837  return false;
838 #endif
839 
840 #ifdef LIST_TEST
841  list_test();
842  return false;
843 #endif
844 
845 #ifdef IFCONFIG_POOL_TEST
846  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
847  return false;
848 #endif
849 
850 #ifdef CHARACTER_CLASS_DEBUG
851  character_class_debug();
852  return false;
853 #endif
854 
855 #ifdef EXTRACT_X509_FIELD_TEST
857  return false;
858 #endif
859 
860 #ifdef TIME_TEST
861  time_test();
862  return false;
863 #endif
864 
865 #ifdef TEST_GET_DEFAULT_GATEWAY
866  {
867  struct route_gateway_info rgi;
868  struct route_ipv6_gateway_info rgi6;
869  get_default_gateway(&rgi);
870  get_default_gateway_ipv6(&rgi6, NULL);
871  print_default_gateway(M_INFO, &rgi, &rgi6);
872  return false;
873  }
874 #endif
875 
876 #ifdef GEN_PATH_TEST
877  {
878  struct gc_arena gc = gc_new();
879  const char *fn = gen_path("foo",
880  "bar",
881  &gc);
882  printf("%s\n", fn);
883  gc_free(&gc);
884  }
885  return false;
886 #endif
887 
888 #ifdef STATUS_PRINTF_TEST
889  {
890  struct gc_arena gc = gc_new();
891  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
892  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
893  status_printf(so, "%s", "foo");
894  status_printf(so, "%s", "bar");
895  if (!status_close(so))
896  {
897  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
898  }
899  gc_free(&gc);
900  }
901  return false;
902 #endif
903 
904 #ifdef PRNG_TEST
905  {
906  struct gc_arena gc = gc_new();
907  uint8_t rndbuf[8];
908  int i;
909  prng_init("sha1", 16);
910  /*prng_init (NULL, 0);*/
911  const int factor = 1;
912  for (i = 0; i < factor * 8; ++i)
913  {
914 #if 1
915  prng_bytes(rndbuf, sizeof(rndbuf));
916 #else
917  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
918 #endif
919  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
920  }
921  gc_free(&gc);
922  prng_uninit();
923  return false;
924  }
925 #endif /* ifdef PRNG_TEST */
926 
927 #ifdef BUFFER_LIST_AGGREGATE_TEST
928  /* test buffer_list_aggregate function */
929  {
930  static const char *text[] = {
931  "It was a bright cold day in April, ",
932  "and the clocks were striking ",
933  "thirteen. ",
934  "Winston Smith, ",
935  "his chin nuzzled into his breast in an ",
936  "effort to escape the vile wind, ",
937  "slipped quickly through the glass doors ",
938  "of Victory Mansions, though not quickly ",
939  "enough to prevent a swirl of gritty dust from ",
940  "entering along with him."
941  };
942 
943  int iter, listcap;
944  for (listcap = 0; listcap < 12; ++listcap)
945  {
946  for (iter = 0; iter < 512; ++iter)
947  {
948  struct buffer_list *bl = buffer_list_new(listcap);
949  {
950  int i;
951  for (i = 0; i < SIZE(text); ++i)
952  {
953  buffer_list_push(bl, (unsigned char *)text[i]);
954  }
955  }
956  printf("[cap=%d i=%d] *************************\n", listcap, iter);
957  if (!(iter & 8))
958  {
959  buffer_list_aggregate(bl, iter/2);
960  }
961  if (!(iter & 16))
962  {
963  buffer_list_push(bl, (unsigned char *)"Even more text...");
964  }
965  buffer_list_aggregate(bl, iter);
966  if (!(iter & 1))
967  {
968  buffer_list_push(bl, (unsigned char *)"More text...");
969  }
970  {
971  struct buffer *buf;
972  while ((buf = buffer_list_peek(bl)))
973  {
974  int c;
975  printf("'");
976  while ((c = buf_read_u8(buf)) >= 0)
977  {
978  putchar(c);
979  }
980  printf("'\n");
981  buffer_list_advance(bl, 0);
982  }
983  }
984  buffer_list_free(bl);
985  }
986  }
987  return false;
988  }
989 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
990 
991 #ifdef MSTATS_TEST
992  {
993  int i;
994  mstats_open("/dev/shm/mstats.dat");
995  for (i = 0; i < 30; ++i)
996  {
997  mmap_stats->n_clients += 1;
998  mmap_stats->link_write_bytes += 8;
999  mmap_stats->link_read_bytes += 16;
1000  sleep(1);
1001  }
1002  mstats_close();
1003  return false;
1004  }
1005 #endif
1006 
1007  return true;
1008 }
1009 
1010 void
1012 {
1013  free_ssl_lib();
1014 
1015 #ifdef ENABLE_PKCS11
1016  pkcs11_terminate();
1017 #endif
1018 
1019 #if PORT_SHARE
1020  close_port_share();
1021 #endif
1022 
1023 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
1024  show_tls_performance_stats();
1025 #endif
1026 }
1027 
1028 void
1029 init_verb_mute(struct context *c, unsigned int flags)
1030 {
1031  if (flags & IVM_LEVEL_1)
1032  {
1033  /* set verbosity and mute levels */
1037  }
1038 
1039  /* special D_LOG_RW mode */
1040  if (flags & IVM_LEVEL_2)
1041  {
1043  }
1044 }
1045 
1046 /*
1047  * Possibly set --dev based on --dev-node.
1048  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1049  * set --dev to tun.
1050  */
1051 void
1053 {
1054  if (!options->dev && options->dev_node)
1055  {
1056  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1057  options->dev = basename(dev_node);
1058  }
1059 }
1060 
1061 bool
1063 {
1064  /*
1065  * OpenSSL info print mode?
1066  */
1067  if (options->show_ciphers || options->show_digests || options->show_engines
1068  || options->show_tls_ciphers || options->show_curves)
1069  {
1070  if (options->show_ciphers)
1071  {
1073  }
1074  if (options->show_digests)
1075  {
1077  }
1078  if (options->show_engines)
1079  {
1081  }
1082  if (options->show_tls_ciphers)
1083  {
1085  options->cipher_list_tls13,
1086  options->tls_cert_profile);
1087  }
1088  if (options->show_curves)
1089  {
1091  }
1092  return true;
1093  }
1094  return false;
1095 }
1096 
1097 /*
1098  * Static pre-shared key generation mode?
1099  */
1100 bool
1101 do_genkey(const struct options *options)
1102 {
1103  /* should we disable paging? */
1104  if (options->mlock && (options->genkey))
1105  {
1106  platform_mlockall(true);
1107  }
1108 
1109  /*
1110  * We do not want user to use --genkey with --secret. In the transistion
1111  * phase we for secret.
1112  */
1113  if (options->genkey && options->genkey_type != GENKEY_SECRET
1114  && options->shared_secret_file)
1115  {
1116  msg(M_USAGE, "Using --genkey type with --secret filename is "
1117  "not supported. Use --genkey type filename instead.");
1118  }
1119  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1120  {
1121  int nbits_written;
1122  const char *genkey_filename = options->genkey_filename;
1123  if (options->shared_secret_file && options->genkey_filename)
1124  {
1125  msg(M_USAGE, "You must provide a filename to either --genkey "
1126  "or --secret, not both");
1127  }
1128 
1129  /*
1130  * Copy filename from shared_secret_file to genkey_filename to support
1131  * the old --genkey --secret foo.file syntax.
1132  */
1133  if (options->shared_secret_file)
1134  {
1135  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1136  "DEPRECATED. Use --genkey secret filename instead.");
1137  genkey_filename = options->shared_secret_file;
1138  }
1139 
1140  nbits_written = write_key_file(2, genkey_filename);
1141  if (nbits_written < 0)
1142  {
1143  msg(M_FATAL, "Failed to write key file");
1144  }
1145 
1147  "Randomly generated %d bit key written to %s", nbits_written,
1148  options->shared_secret_file);
1149  return true;
1150  }
1151  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1152  {
1154  return true;
1155  }
1156  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1157  {
1158  if (!options->tls_crypt_v2_file)
1159  {
1160  msg(M_USAGE,
1161  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1162  }
1163 
1165  options->genkey_extra_data, options->tls_crypt_v2_file,
1166  options->tls_crypt_v2_file_inline);
1167  return true;
1168  }
1169  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1170  {
1172  return true;
1173  }
1174  else
1175  {
1176  return false;
1177  }
1178 }
1179 
1180 /*
1181  * Persistent TUN/TAP device management mode?
1182  */
1183 bool
1185 {
1186  if (options->persist_config)
1187  {
1188  /* sanity check on options for --mktun or --rmtun */
1189  notnull(options->dev, "TUN/TAP device (--dev)");
1190  if (options->ce.remote || options->ifconfig_local
1191  || options->ifconfig_remote_netmask
1192  || options->shared_secret_file
1193  || options->tls_server || options->tls_client
1194  )
1195  {
1197  "options --mktun or --rmtun should only be used together with --dev");
1198  }
1199 #ifdef ENABLE_FEATURE_TUN_PERSIST
1200  tuncfg(options->dev, options->dev_type, options->dev_node,
1201  options->persist_mode,
1202  options->username, options->groupname, &options->tuntap_options,
1203  ctx);
1204  if (options->persist_mode && options->lladdr)
1205  {
1206  set_lladdr(options->dev, options->lladdr, NULL);
1207  }
1208  return true;
1209 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1210  msg( M_FATAL|M_OPTERR,
1211  "options --mktun and --rmtun are not available on your operating "
1212  "system. Please check 'man tun' (or 'tap'), whether your system "
1213  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1214  "persistent tunnel interfaces.", options->dev );
1215 #endif
1216  }
1217  return false;
1218 }
1219 
1220 /*
1221  * Should we become a daemon?
1222  * Return true if we did it.
1223  */
1224 bool
1226 {
1227  bool ret = false;
1228 
1229 #ifdef ENABLE_SYSTEMD
1230  /* return without forking if we are running from systemd */
1231  if (sd_notify(0, "READY=0") > 0)
1232  {
1233  return ret;
1234  }
1235 #endif
1236 
1237  if (options->daemon)
1238  {
1239  /* Don't chdir immediately, but the end of the init sequence, if needed */
1240 
1241 #if defined(__APPLE__) && defined(__clang__)
1242 #pragma clang diagnostic push
1243 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1244 #endif
1245  if (daemon(1, options->log) < 0)
1246  {
1247  msg(M_ERR, "daemon() failed or unsupported");
1248  }
1249 #if defined(__APPLE__) && defined(__clang__)
1250 #pragma clang diagnostic pop
1251 #endif
1253  if (options->log)
1254  {
1255  set_std_files_to_null(true);
1256  }
1257 
1258  ret = true;
1259  }
1260  return ret;
1261 }
1262 
1263 /*
1264  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1265  */
1266 static void
1267 do_uid_gid_chroot(struct context *c, bool no_delay)
1268 {
1269  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1270  struct context_0 *c0 = c->c0;
1271 
1272  if (c0 && !c0->uid_gid_chroot_set)
1273  {
1274  /* chroot if requested */
1275  if (c->options.chroot_dir)
1276  {
1277  if (no_delay)
1278  {
1280  }
1281  else if (c->first_time)
1282  {
1283  msg(M_INFO, "NOTE: chroot %s", why_not);
1284  }
1285  }
1286 
1287  /* set user and/or group if we want to setuid/setgid */
1288  if (c0->uid_gid_specified)
1289  {
1290  if (no_delay)
1291  {
1294  }
1295  else if (c->first_time)
1296  {
1297  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1298  }
1299  }
1300 
1301 #ifdef ENABLE_MEMSTATS
1302  if (c->first_time && c->options.memstats_fn)
1303  {
1304  mstats_open(c->options.memstats_fn);
1305  }
1306 #endif
1307 
1308 #ifdef ENABLE_SELINUX
1309  /* Apply a SELinux context in order to restrict what OpenVPN can do
1310  * to _only_ what it is supposed to do after initialization is complete
1311  * (basically just network I/O operations). Doing it after chroot
1312  * requires /proc to be mounted in the chroot (which is annoying indeed
1313  * but doing it before requires more complex SELinux policies.
1314  */
1315  if (c->options.selinux_context)
1316  {
1317  if (no_delay)
1318  {
1319  if (-1 == setcon(c->options.selinux_context))
1320  {
1321  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1322  }
1323  else
1324  {
1325  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1326  }
1327  }
1328  else if (c->first_time)
1329  {
1330  msg(M_INFO, "NOTE: setcon %s", why_not);
1331  }
1332  }
1333 #endif
1334 
1335  /* Privileges are going to be dropped by now (if requested), be sure
1336  * to prevent any future privilege dropping attempts from now on.
1337  */
1338  if (no_delay)
1339  {
1340  c0->uid_gid_chroot_set = true;
1341  }
1342  }
1343 }
1344 
1345 /*
1346  * Return common name in a way that is formatted for
1347  * prepending to msg() output.
1348  */
1349 const char *
1350 format_common_name(struct context *c, struct gc_arena *gc)
1351 {
1352  struct buffer out = alloc_buf_gc(256, gc);
1353  if (c->c2.tls_multi)
1354  {
1355  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1356  }
1357  return BSTR(&out);
1358 }
1359 
1360 void
1361 pre_setup(const struct options *options)
1362 {
1363 #ifdef _WIN32
1364  if (options->exit_event_name)
1365  {
1368  options->exit_event_name,
1369  options->exit_event_initial_state);
1370  }
1371  else
1372  {
1375  NULL,
1376  false);
1377 
1378  /* put a title on the top window bar */
1380  {
1382  window_title_generate(options->config);
1383  }
1384  }
1385 #endif /* ifdef _WIN32 */
1386 }
1387 
1388 void
1390 {
1391  c->c2.coarse_timer_wakeup = 0;
1392 }
1393 
1394 /*
1395  * Initialise the server poll timeout timer
1396  * This timer is used in the http/socks proxy setup so it needs to be setup
1397  * before
1398  */
1399 static void
1401 {
1402  update_time();
1403  if (c->options.ce.connect_timeout)
1404  {
1406  }
1407 }
1408 
1409 /*
1410  * Initialize timers
1411  */
1412 static void
1413 do_init_timers(struct context *c, bool deferred)
1414 {
1415  update_time();
1417 
1418  /* initialize inactivity timeout */
1419  if (c->options.inactivity_timeout)
1420  {
1422  }
1423 
1424  /* initialize pings */
1425 
1426  if (c->options.ping_send_timeout)
1427  {
1429  }
1430 
1431  if (c->options.ping_rec_timeout)
1432  {
1434  }
1435 
1436  if (!deferred)
1437  {
1438  /* initialize connection establishment timer */
1440 
1441  /* initialize occ timers */
1442 
1443  if (c->options.occ
1444  && !TLS_MODE(c)
1446  {
1448  }
1449 
1450  if (c->options.mtu_test)
1451  {
1453  }
1454 
1455  /* initialize packet_id persistence timer */
1456  if (c->options.packet_id_file)
1457  {
1459  }
1460 
1461  /* initialize tmp_int optimization that limits the number of times we call
1462  * tls_multi_process in the main event loop */
1464  }
1465 }
1466 
1467 /*
1468  * Initialize traffic shaper.
1469  */
1470 static void
1472 {
1473 #ifdef ENABLE_FEATURE_SHAPER
1474  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1475  if (c->options.shaper)
1476  {
1477  shaper_init(&c->c2.shaper, c->options.shaper);
1478  shaper_msg(&c->c2.shaper);
1479  }
1480 #endif
1481 }
1482 
1483 /*
1484  * Allocate route list structures for IPv4 and IPv6
1485  * (we do this for IPv4 even if no --route option has been seen, as other
1486  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1487  */
1488 static void
1490 {
1491  if (!c->c1.route_list)
1492  {
1493  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1494  }
1495  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1496  {
1498  }
1499 }
1500 
1501 
1502 /*
1503  * Initialize the route list, resolving any DNS names in route
1504  * options and saving routes in the environment.
1505  */
1506 static void
1508  struct route_list *route_list,
1509  const struct link_socket_info *link_socket_info,
1510  struct env_set *es,
1511  openvpn_net_ctx_t *ctx)
1512 {
1513  const char *gw = NULL;
1514  int dev = dev_type_enum(options->dev, options->dev_type);
1515  int metric = 0;
1516 
1517  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1518  {
1519  gw = options->ifconfig_remote_netmask;
1520  }
1521  if (options->route_default_gateway)
1522  {
1523  gw = options->route_default_gateway;
1524  }
1525  if (options->route_default_metric)
1526  {
1527  metric = options->route_default_metric;
1528  }
1529 
1530  if (init_route_list(route_list,
1531  options->routes,
1532  gw,
1533  metric,
1534  link_socket_current_remote(link_socket_info),
1535  es,
1536  ctx))
1537  {
1538  /* copy routes to environment */
1539  setenv_routes(es, route_list);
1540  }
1541 }
1542 
1543 static void
1546  const struct link_socket_info *link_socket_info,
1547  struct env_set *es,
1548  openvpn_net_ctx_t *ctx)
1549 {
1550  const char *gw = NULL;
1551  int metric = -1; /* no metric set */
1552 
1553  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1554  if (options->route_ipv6_default_gateway)
1555  {
1556  gw = options->route_ipv6_default_gateway;
1557  }
1558 
1559  if (options->route_default_metric)
1560  {
1561  metric = options->route_default_metric;
1562  }
1563 
1564  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1565  */
1566  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1567  {
1568  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1569  int i;
1570 
1571  for (i = 0; opt_list[i]; i++)
1572  {
1574  string_alloc(opt_list[i], options->routes_ipv6->gc),
1575  NULL, NULL );
1576  }
1577  }
1578 
1579  if (init_route_ipv6_list(route_ipv6_list,
1580  options->routes_ipv6,
1581  gw,
1582  metric,
1583  link_socket_current_remote_ipv6(link_socket_info),
1584  es,
1585  ctx))
1586  {
1587  /* copy routes to environment */
1588  setenv_routes_ipv6(es, route_ipv6_list);
1589  }
1590 }
1591 
1592 
1593 /*
1594  * Called after all initialization has been completed.
1595  */
1596 void
1597 initialization_sequence_completed(struct context *c, const unsigned int flags)
1598 {
1599  static const char message[] = "Initialization Sequence Completed";
1600 
1601  /* Reset the unsuccessful connection counter on complete initialisation */
1603 
1604  /* If we delayed UID/GID downgrade or chroot, do it now */
1605  do_uid_gid_chroot(c, true);
1606 
1607 
1608  /*
1609  * In some cases (i.e. when receiving auth-token via
1610  * push-reply) the auth-nocache option configured on the
1611  * client is overridden; for this reason we have to wait
1612  * for the push-reply message before attempting to wipe
1613  * the user/pass entered by the user
1614  */
1615  if (c->options.mode == MODE_POINT_TO_POINT)
1616  {
1618  }
1619 
1620  /* Test if errors */
1621  if (flags & ISC_ERRORS)
1622  {
1623 #ifdef _WIN32
1626  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1627 #else
1628 #ifdef ENABLE_SYSTEMD
1629  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1630 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1631  msg(M_INFO, "%s With Errors", message);
1632 #endif
1633  }
1634  else
1635  {
1636 #ifdef ENABLE_SYSTEMD
1637  sd_notifyf(0, "STATUS=%s", message);
1638 #endif
1639  msg(M_INFO, "%s", message);
1640  }
1641 
1642  /* Flag that we initialized */
1643  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1644  {
1645  c->options.no_advance = true;
1646  }
1647 
1648 #ifdef _WIN32
1650 #endif
1651 
1652 #ifdef ENABLE_MANAGEMENT
1653  /* Tell management interface that we initialized */
1654  if (management)
1655  {
1656  in_addr_t *tun_local = NULL;
1657  struct in6_addr *tun_local6 = NULL;
1658  struct openvpn_sockaddr local, remote;
1659  struct link_socket_actual *actual;
1660  socklen_t sa_len = sizeof(local);
1661  const char *detail = "SUCCESS";
1662  if (flags & ISC_ERRORS)
1663  {
1664  detail = "ERROR";
1665  }
1666 
1667  CLEAR(local);
1668  actual = &get_link_socket_info(c)->lsa->actual;
1669  remote = actual->dest;
1670  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1671 #if ENABLE_IP_PKTINFO
1672  if (!addr_defined(&local))
1673  {
1674  switch (local.addr.sa.sa_family)
1675  {
1676  case AF_INET:
1677 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1678  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1679 #else
1680  local.addr.in4.sin_addr = actual->pi.in4;
1681 #endif
1682  break;
1683 
1684  case AF_INET6:
1685  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1686  break;
1687  }
1688  }
1689 #endif
1690 
1691  if (c->c1.tuntap)
1692  {
1693  tun_local = &c->c1.tuntap->local;
1694  tun_local6 = &c->c1.tuntap->local_ipv6;
1695  }
1698  detail,
1699  tun_local,
1700  tun_local6,
1701  &local,
1702  &remote);
1703  if (tun_local)
1704  {
1706  }
1707  }
1708 #endif /* ifdef ENABLE_MANAGEMENT */
1709 }
1710 
1711 /*
1712  * Possibly add routes and/or call route-up script
1713  * based on options.
1714  */
1715 void
1716 do_route(const struct options *options,
1717  struct route_list *route_list,
1719  const struct tuntap *tt,
1720  const struct plugin_list *plugins,
1721  struct env_set *es,
1722  openvpn_net_ctx_t *ctx)
1723 {
1724  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1725  {
1726  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1727  es, ctx);
1728  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1729  }
1730 #ifdef ENABLE_MANAGEMENT
1731  if (management)
1732  {
1733  management_up_down(management, "UP", es);
1734  }
1735 #endif
1736 
1738  {
1739  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1740  {
1741  msg(M_WARN, "WARNING: route-up plugin call failed");
1742  }
1743  }
1744 
1745  if (options->route_script)
1746  {
1747  struct argv argv = argv_new();
1748  setenv_str(es, "script_type", "route-up");
1749  argv_parse_cmd(&argv, options->route_script);
1750  openvpn_run_script(&argv, es, 0, "--route-up");
1751  argv_free(&argv);
1752  }
1753 
1754 #ifdef _WIN32
1755  if (options->show_net_up)
1756  {
1759  }
1760  else if (check_debug_level(D_SHOW_NET))
1761  {
1764  }
1765 #endif
1766 }
1767 
1768 /*
1769  * initialize tun/tap device object
1770  */
1771 static void
1773 {
1774  c->c1.tuntap = init_tun(c->options.dev,
1775  c->options.dev_type,
1776  c->options.topology,
1785  c->c2.es,
1786  &c->net_ctx);
1787 
1788 #ifdef _WIN32
1790 #endif
1791 
1792  init_tun_post(c->c1.tuntap,
1793  &c->c2.frame,
1794  &c->options.tuntap_options);
1795 
1796  c->c1.tuntap_owned = true;
1797 }
1798 
1799 /*
1800  * Open tun/tap device, ifconfig, call up script, etc.
1801  */
1802 
1803 static bool
1805 {
1806  struct gc_arena gc = gc_new();
1807  bool ret = false;
1808 
1809 #ifndef TARGET_ANDROID
1810  if (!c->c1.tuntap)
1811  {
1812 #endif
1813 
1814 #ifdef TARGET_ANDROID
1815  /* If we emulate persist-tun on android we still have to open a new tun and
1816  * then close the old */
1817  int oldtunfd = -1;
1818  if (c->c1.tuntap)
1819  {
1820  oldtunfd = c->c1.tuntap->fd;
1821  free(c->c1.tuntap);
1822  c->c1.tuntap = NULL;
1823  c->c1.tuntap_owned = false;
1824  }
1825 #endif
1826 
1827  /* initialize (but do not open) tun/tap object */
1828  do_init_tun(c);
1829 
1830 #ifdef _WIN32
1831  /* store (hide) interactive service handle in tuntap_options */
1833  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1834 #endif
1835 
1836  /* allocate route list structure */
1838 
1839  /* parse and resolve the route option list */
1840  ASSERT(c->c2.link_socket);
1841  if (c->options.routes && c->c1.route_list)
1842  {
1844  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1845  }
1846  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1847  {
1849  &c->c2.link_socket->info, c->c2.es,
1850  &c->net_ctx);
1851  }
1852 
1853  /* do ifconfig */
1854  if (!c->options.ifconfig_noexec
1856  {
1857  /* guess actual tun/tap unit number that will be returned
1858  * by open_tun */
1859  const char *guess = guess_tuntap_dev(c->options.dev,
1860  c->options.dev_type,
1861  c->options.dev_node,
1862  &gc);
1863  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1864  &c->net_ctx);
1865  }
1866 
1867  /* possibly add routes */
1868  if (route_order() == ROUTE_BEFORE_TUN)
1869  {
1870  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1872  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1873  }
1874 #ifdef TARGET_ANDROID
1875  /* Store the old fd inside the fd so open_tun can use it */
1876  c->c1.tuntap->fd = oldtunfd;
1877 #endif
1878  /* open the tun device */
1880  c->c1.tuntap);
1881 
1882  /* set the hardware address */
1883  if (c->options.lladdr)
1884  {
1886  }
1887 
1888  /* do ifconfig */
1889  if (!c->options.ifconfig_noexec
1891  {
1893  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1894  }
1895 
1896  /* run the up script */
1898  c->plugins,
1900  c->c1.tuntap->actual_name,
1901 #ifdef _WIN32
1902  c->c1.tuntap->adapter_index,
1903 #endif
1905  TUN_MTU_SIZE(&c->c2.frame),
1906  EXPANDED_SIZE(&c->c2.frame),
1909  "init",
1910  NULL,
1911  "up",
1912  c->c2.es);
1913 
1914 #if defined(_WIN32)
1915  if (c->options.block_outside_dns)
1916  {
1917  dmsg(D_LOW, "Blocking outside DNS");
1919  {
1920  msg(M_FATAL, "Blocking DNS failed!");
1921  }
1922  }
1923 #endif
1924 
1925  /* possibly add routes */
1927  {
1929  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1930  }
1931 
1932  /*
1933  * Did tun/tap driver give us an MTU?
1934  */
1935  if (c->c1.tuntap->post_open_mtu)
1936  {
1938  c->c1.tuntap->post_open_mtu,
1940  }
1941 
1942  ret = true;
1943  static_context = c;
1944 #ifndef TARGET_ANDROID
1945 }
1946 else
1947 {
1948  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1949  c->c1.tuntap->actual_name);
1950 
1951  /* explicitly set the ifconfig_* env vars */
1952  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1953 
1954  /* run the up script if user specified --up-restart */
1955  if (c->options.up_restart)
1956  {
1958  c->plugins,
1960  c->c1.tuntap->actual_name,
1961 #ifdef _WIN32
1962  c->c1.tuntap->adapter_index,
1963 #endif
1965  TUN_MTU_SIZE(&c->c2.frame),
1966  EXPANDED_SIZE(&c->c2.frame),
1969  "restart",
1970  NULL,
1971  "up",
1972  c->c2.es);
1973  }
1974 #if defined(_WIN32)
1975  if (c->options.block_outside_dns)
1976  {
1977  dmsg(D_LOW, "Blocking outside DNS");
1979  {
1980  msg(M_FATAL, "Blocking DNS failed!");
1981  }
1982  }
1983 #endif
1984 
1985 }
1986 #endif /* ifndef TARGET_ANDROID */
1987  gc_free(&gc);
1988  return ret;
1989 }
1990 
1991 /*
1992  * Close TUN/TAP device
1993  */
1994 
1995 static void
1997 {
1998  msg(D_CLOSE, "Closing TUN/TAP interface");
1999  if (c->c1.tuntap)
2000  {
2001  close_tun(c->c1.tuntap, &c->net_ctx);
2002  c->c1.tuntap = NULL;
2003  }
2004  c->c1.tuntap_owned = false;
2005 #if P2MP
2007 #endif
2008 }
2009 
2010 static void
2011 do_close_tun(struct context *c, bool force)
2012 {
2013  struct gc_arena gc = gc_new();
2014  if (c->c1.tuntap && c->c1.tuntap_owned)
2015  {
2016  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
2017 #ifdef _WIN32
2018  DWORD adapter_index = c->c1.tuntap->adapter_index;
2019 #endif
2020  const in_addr_t local = c->c1.tuntap->local;
2021  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
2022 
2023  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2024  {
2025  static_context = NULL;
2026 
2027 #ifdef ENABLE_MANAGEMENT
2028  /* tell management layer we are about to close the TUN/TAP device */
2029  if (management)
2030  {
2032  management_up_down(management, "DOWN", c->c2.es);
2033  }
2034 #endif
2035 
2036  /* delete any routes we added */
2037  if (c->c1.route_list || c->c1.route_ipv6_list)
2038  {
2040  c->plugins,
2042  tuntap_actual,
2043 #ifdef _WIN32
2044  adapter_index,
2045 #endif
2046  NULL,
2047  TUN_MTU_SIZE(&c->c2.frame),
2048  EXPANDED_SIZE(&c->c2.frame),
2049  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2050  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2051  "init",
2053  c->sig->signal_text),
2054  "route-pre-down",
2055  c->c2.es);
2056 
2059  c->c2.es, &c->net_ctx);
2060  }
2061 
2062  /* actually close tun/tap device based on --down-pre flag */
2063  if (!c->options.down_pre)
2064  {
2066  }
2067 
2068  /* Run the down script -- note that it will run at reduced
2069  * privilege if, for example, "--user nobody" was used. */
2071  c->plugins,
2073  tuntap_actual,
2074 #ifdef _WIN32
2075  adapter_index,
2076 #endif
2077  NULL,
2078  TUN_MTU_SIZE(&c->c2.frame),
2079  EXPANDED_SIZE(&c->c2.frame),
2080  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2081  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2082  "init",
2084  c->sig->signal_text),
2085  "down",
2086  c->c2.es);
2087 
2088 #if defined(_WIN32)
2089  if (c->options.block_outside_dns)
2090  {
2091  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2092  {
2093  msg(M_FATAL, "Uninitialising WFP failed!");
2094  }
2095  }
2096 #endif
2097 
2098  /* actually close tun/tap device based on --down-pre flag */
2099  if (c->options.down_pre)
2100  {
2102  }
2103  }
2104  else
2105  {
2106  /* run the down script on this restart if --up-restart was specified */
2107  if (c->options.up_restart)
2108  {
2110  c->plugins,
2112  tuntap_actual,
2113 #ifdef _WIN32
2114  adapter_index,
2115 #endif
2116  NULL,
2117  TUN_MTU_SIZE(&c->c2.frame),
2118  EXPANDED_SIZE(&c->c2.frame),
2119  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2120  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2121  "restart",
2123  c->sig->signal_text),
2124  "down",
2125  c->c2.es);
2126  }
2127 
2128 #if defined(_WIN32)
2129  if (c->options.block_outside_dns)
2130  {
2131  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2132  {
2133  msg(M_FATAL, "Uninitialising WFP failed!");
2134  }
2135  }
2136 #endif
2137 
2138  }
2139  }
2140  gc_free(&gc);
2141 }
2142 
2143 void
2145 {
2146  struct context *c = static_context;
2147  if (c)
2148  {
2149  static_context = NULL;
2150  do_close_tun(c, true);
2151  }
2152 }
2153 
2154 /*
2155  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2156  */
2157 
2158 #if P2MP
2159 
2163 static bool
2165  const struct sha256_digest *b)
2166 {
2167  const struct sha256_digest zero = {{0}};
2168  return memcmp(a, b, sizeof(struct sha256_digest))
2169  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2170 }
2171 #endif /* P2MP */
2172 
2173 bool
2174 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2175 {
2176  if (!c->c2.do_up_ran)
2177  {
2179 
2180  if (pulled_options)
2181  {
2182  if (!do_deferred_options(c, option_types_found))
2183  {
2184  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2185  return false;
2186  }
2187  }
2188 
2189  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2190  if (c->options.up_delay || PULL_DEFINED(&c->options))
2191  {
2192  c->c2.did_open_tun = do_open_tun(c);
2193  update_time();
2194 
2195 #if P2MP
2196  /*
2197  * Was tun interface object persisted from previous restart iteration,
2198  * and if so did pulled options string change from previous iteration?
2199  */
2200  if (!c->c2.did_open_tun
2201  && PULL_DEFINED(&c->options)
2202  && c->c1.tuntap
2205  {
2206  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2207  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2208  do_close_tun(c, true);
2209  management_sleep(1);
2210  c->c2.did_open_tun = do_open_tun(c);
2211  update_time();
2212  }
2213 #endif
2214  }
2215 
2216  if (c->c2.did_open_tun)
2217  {
2218 #if P2MP
2220 #endif
2221 
2222  /* if --route-delay was specified, start timer */
2224  {
2227  if (c->c1.tuntap)
2228  {
2230  }
2231  }
2232  else
2233  {
2234  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2235  }
2236  }
2237  else if (c->options.mode == MODE_POINT_TO_POINT)
2238  {
2239  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2240  }
2241 
2242  c->c2.do_up_ran = true;
2243  }
2244  return true;
2245 }
2246 
2247 /*
2248  * These are the option categories which will be accepted by pull.
2249  */
2250 unsigned int
2252 {
2253  unsigned int flags =
2254  OPT_P_UP
2256  | OPT_P_SOCKBUF
2257  | OPT_P_SOCKFLAGS
2258  | OPT_P_SETENV
2259  | OPT_P_SHAPER
2260  | OPT_P_TIMER
2261  | OPT_P_COMP
2262  | OPT_P_PERSIST
2263  | OPT_P_MESSAGES
2265  | OPT_P_ECHO
2266  | OPT_P_PULL_MODE
2267  | OPT_P_PEER_ID;
2268 
2269  if (!c->options.route_nopull)
2270  {
2271  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2272  }
2273 
2274  if (c->options.ncp_enabled)
2275  {
2276  flags |= OPT_P_NCP;
2277  }
2278 
2279  return flags;
2280 }
2281 
2282 /*
2283  * Handle non-tun-related pulled options.
2284  */
2285 bool
2286 do_deferred_options(struct context *c, const unsigned int found)
2287 {
2288  if (found & OPT_P_MESSAGES)
2289  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2292  }
2293  if (found & OPT_P_TIMER)
2294  {
2295  do_init_timers(c, true);
2296  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2297  }
2298 
2299  if (found & OPT_P_EXPLICIT_NOTIFY)
2300  {
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2305  }
2306  else
2307  {
2308  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2309  }
2310  }
2311 
2312 #ifdef USE_COMP
2313  if (found & OPT_P_COMP)
2314  {
2315  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2316  comp_uninit(c->c2.comp_context);
2317  c->c2.comp_context = comp_init(&c->options.comp);
2318  }
2319 #endif
2320 
2321  if (found & OPT_P_SHAPER)
2322  {
2323  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2325  }
2326 
2327  if (found & OPT_P_SOCKBUF)
2328  {
2329  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2331  }
2332 
2333  if (found & OPT_P_SOCKFLAGS)
2334  {
2335  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2337  }
2338 
2339  if (found & OPT_P_PERSIST)
2340  {
2341  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2342  }
2343  if (found & OPT_P_UP)
2344  {
2345  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2346  }
2347  if (found & OPT_P_ROUTE)
2348  {
2349  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2350  }
2351  if (found & OPT_P_ROUTE_EXTRAS)
2352  {
2353  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2354  }
2355  if (found & OPT_P_IPWIN32)
2356  {
2357  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2358  }
2359  if (found & OPT_P_SETENV)
2360  {
2361  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2362  }
2363 
2364  if (found & OPT_P_PEER_ID)
2365  {
2366  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2367  c->c2.tls_multi->use_peer_id = true;
2368  c->c2.tls_multi->peer_id = c->options.peer_id;
2369  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2370  if (!c->options.ce.link_mtu_defined)
2371  {
2372  frame_add_to_link_mtu(&c->c2.frame, +3);
2373  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2374  EXPANDED_SIZE(&c->c2.frame));
2375  }
2376  else
2377  {
2378  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2379  " fixed by config - reducing tun-mtu to %d, expect"
2380  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2381  }
2382  }
2383 
2384  /* process (potentially pushed) crypto options */
2385  if (c->options.pull)
2386  {
2387  if (!check_pull_client_ncp(c, found))
2388  {
2389  return false;
2390  }
2391  struct frame *frame_fragment = NULL;
2392 #ifdef ENABLE_FRAGMENT
2393  if (c->options.ce.fragment)
2394  {
2395  frame_fragment = &c->c2.frame_fragment;
2396  }
2397 #endif
2398 
2399  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2400  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2401  frame_fragment))
2402  {
2403  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2404  return false;
2405  }
2406  }
2407 
2408  return true;
2409 }
2410 
2411 /*
2412  * Possible hold on initialization, holdtime is the
2413  * time OpenVPN would wait without management
2414  */
2415 static bool
2416 do_hold(int holdtime)
2417 {
2418 #ifdef ENABLE_MANAGEMENT
2419  if (management)
2420  {
2421  /* block until management hold is released */
2422  if (management_hold(management, holdtime))
2423  {
2424  return true;
2425  }
2426  }
2427 #endif
2428  return false;
2429 }
2430 
2431 /*
2432  * Sleep before restart.
2433  */
2434 static void
2436 {
2437  int sec = 2;
2438  int backoff = 0;
2439 
2440  switch (c->options.ce.proto)
2441  {
2442  case PROTO_TCP_SERVER:
2443  sec = 1;
2444  break;
2445 
2446  case PROTO_UDP:
2447  case PROTO_TCP_CLIENT:
2448  sec = c->options.ce.connect_retry_seconds;
2449  break;
2450  }
2451 
2452 #ifdef ENABLE_DEBUG
2453  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2454  {
2455  sec = 0;
2456  }
2457 #endif
2458 
2459 #if P2MP
2460  if (auth_retry_get() == AR_NOINTERACT)
2461  {
2462  sec = 10;
2463  }
2464 #endif
2465 
2466  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2467  if (c->options.ce.proto != PROTO_TCP_SERVER)
2468  {
2469  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2470  if (backoff > 0)
2471  {
2472  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2473  sec = max_int(sec, 1) << min_int(backoff, 15);
2474  }
2475 
2476  if (sec > c->options.ce.connect_retry_seconds_max)
2477  {
2479  }
2480  }
2481 
2483  {
2484  sec = c->persist.restart_sleep_seconds;
2485  }
2486  else if (c->persist.restart_sleep_seconds == -1)
2487  {
2488  sec = 0;
2489  }
2491 
2492  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2493  if (do_hold(sec))
2494  {
2495  sec = 0;
2496  }
2497 
2498  if (sec)
2499  {
2500  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2501  management_sleep(sec);
2502  }
2503 }
2504 
2505 /*
2506  * Do a possible pause on context_2 initialization.
2507  */
2508 static void
2510 {
2511  if (!c->first_time)
2512  {
2514  }
2515  else
2516  {
2517  do_hold(0); /* do management hold on first context initialization */
2518  }
2519 }
2520 
2521 /*
2522  * Finalize MTU parameters based on command line or config file options.
2523  */
2524 static void
2525 frame_finalize_options(struct context *c, const struct options *o)
2526 {
2527  if (!o)
2528  {
2529  o = &c->options;
2530  }
2531 
2532  /*
2533  * Set adjustment factor for buffer alignment when no
2534  * cipher is used.
2535  */
2536  if (!CIPHER_ENABLED(c))
2537  {
2543  }
2544 
2546  frame_finalize(&c->c2.frame,
2547  o->ce.link_mtu_defined,
2548  o->ce.link_mtu,
2549  o->ce.tun_mtu_defined,
2550  o->ce.tun_mtu);
2551 }
2552 
2553 /*
2554  * Free a key schedule, including OpenSSL components.
2555  */
2556 static void
2557 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2558 {
2560  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2561  {
2562  tls_ctx_free(&ks->ssl_ctx);
2563  }
2564  CLEAR(*ks);
2565 }
2566 
2567 static void
2568 init_crypto_pre(struct context *c, const unsigned int flags)
2569 {
2570  if (c->options.engine)
2571  {
2573  }
2574 
2575  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2576  {
2577  /* load a persisted packet-id for cross-session replay-protection */
2578  if (c->options.packet_id_file)
2579  {
2581  }
2582  }
2583 
2584 #ifdef ENABLE_PREDICTION_RESISTANCE
2585  if (c->options.use_prediction_resistance)
2586  {
2587  rand_ctx_enable_prediction_resistance();
2588  }
2589 #endif
2590 }
2591 
2592 /*
2593  * Static Key Mode (using a pre-shared key)
2594  */
2595 static void
2596 do_init_crypto_static(struct context *c, const unsigned int flags)
2597 {
2598  const struct options *options = &c->options;
2599  ASSERT(options->shared_secret_file);
2600 
2601  init_crypto_pre(c, flags);
2602 
2603  /* Initialize flags */
2605  {
2607  }
2608 
2609  /* Initialize packet ID tracking */
2610  if (options->replay)
2611  {
2613  options->replay_window,
2614  options->replay_time,
2615  "STATIC", 0);
2620  }
2621 
2622  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2623  {
2624  /* Get cipher & hash algorithms */
2625  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2626  options->keysize, options->test_crypto, true);
2627 
2628  /* Read cipher and hmac keys from shared secret file */
2630  options->shared_secret_file,
2631  options->shared_secret_file_inline,
2632  options->key_direction, "Static Key Encryption",
2633  "secret");
2634  }
2635  else
2636  {
2637  msg(M_INFO, "Re-using pre-shared static key");
2638  }
2639 
2640  /* Get key schedule */
2642 
2643  /* Compute MTU parameters */
2645  options->replay, true);
2646 
2647  /* Sanity check on sequence number, and cipher mode options */
2648  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2649 }
2650 
2651 /*
2652  * Initialize the tls-auth/crypt key context
2653  */
2654 static void
2656 {
2657  const struct options *options = &c->options;
2658 
2659  /* TLS handshake authentication (--tls-auth) */
2660  if (options->ce.tls_auth_file)
2661  {
2662  /* Initialize key_type for tls-auth with auth only */
2664  if (!streq(options->authname, "none"))
2665  {
2669  }
2670  else
2671  {
2672  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2673  "algorithm specified ('%s')", options->authname);
2674  }
2675 
2677  &c->c1.ks.tls_wrap_key,
2678  options->ce.tls_auth_file,
2679  options->ce.tls_auth_file_inline,
2680  options->ce.key_direction,
2681  "Control Channel Authentication", "tls-auth");
2682  }
2683 
2684  /* TLS handshake encryption+authentication (--tls-crypt) */
2685  if (options->ce.tls_crypt_file)
2686  {
2688  options->ce.tls_crypt_file,
2689  options->ce.tls_crypt_file_inline,
2690  options->tls_server);
2691  }
2692 
2693  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2694  if (options->ce.tls_crypt_v2_file)
2695  {
2696  if (options->tls_server)
2697  {
2699  true, options->ce.tls_crypt_v2_file,
2700  options->ce.tls_crypt_v2_file_inline);
2701  }
2702  else
2703  {
2705  &c->c1.ks.tls_crypt_v2_wkc,
2706  options->ce.tls_crypt_v2_file,
2707  options->ce.tls_crypt_v2_file_inline);
2708  }
2709  }
2710 
2711 
2712 }
2713 
2714 /*
2715  * Initialise the auth-token key context
2716  */
2717 static void
2719 {
2720  if (!c->options.auth_token_generate)
2721  {
2722  return;
2723  }
2724 
2728 }
2729 
2730 /*
2731  * Initialize the persistent component of OpenVPN's TLS mode,
2732  * which is preserved across SIGUSR1 resets.
2733  */
2734 static void
2736 {
2737  const struct options *options = &c->options;
2738 
2739  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2740  {
2741  /*
2742  * Initialize the OpenSSL library's global
2743  * SSL context.
2744  */
2745  init_ssl(options, &(c->c1.ks.ssl_ctx));
2746  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2747  {
2748 #if P2MP
2749  switch (auth_retry_get())
2750  {
2751  case AR_NONE:
2752  msg(M_FATAL, "Error: private key password verification failed");
2753  break;
2754 
2755  case AR_INTERACT:
2756  ssl_purge_auth(false);
2757 
2758  case AR_NOINTERACT:
2759  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2760  break;
2761 
2762  default:
2763  ASSERT(0);
2764  }
2765  c->sig->signal_text = "private-key-password-failure";
2766  return;
2767 #else /* if P2MP */
2768  msg(M_FATAL, "Error: private key password verification failed");
2769 #endif /* if P2MP */
2770  }
2771 
2772  /* Do not warn if we only have BF-CBC in options->ciphername
2773  * because it is still the default cipher */
2774  bool warn = !streq(options->ciphername, "BF-CBC")
2775  || options->enable_ncp_fallback;
2776  /* Get cipher & hash algorithms */
2777  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2778  options->keysize, true, warn);
2779 
2780  /* Initialize PRNG with config-specified digest */
2781  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2782 
2783  /* initialize tls-auth/crypt/crypt-v2 key */
2785 
2786  /* initialise auth-token crypto support */
2788 
2789 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2790  if (options->priv_key_file_inline)
2791  {
2793  c->options.priv_key_file_inline = NULL;
2794  }
2795 #endif
2796  }
2797  else
2798  {
2799  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2800 
2801  /*
2802  * tls-auth/crypt key can be configured per connection block, therefore
2803  * we must reload it as it may have changed
2804  */
2806  }
2807 }
2808 
2809 static void
2810 do_init_crypto_tls(struct context *c, const unsigned int flags)
2811 {
2812  const struct options *options = &c->options;
2813  struct tls_options to;
2814  bool packet_id_long_form;
2815 
2816  ASSERT(options->tls_server || options->tls_client);
2817  ASSERT(!options->test_crypto);
2818 
2819  init_crypto_pre(c, flags);
2820 
2821  /* Make sure we are either a TLS client or server but not both */
2822  ASSERT(options->tls_server == !options->tls_client);
2823 
2824  /* initialize persistent component */
2826  if (IS_SIG(c))
2827  {
2828  return;
2829  }
2830 
2831  /* Sanity check on sequence number, and cipher mode options */
2832  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2833 
2834  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2835  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2836 
2837  /* Compute MTU parameters (postpone if we push/pull options) */
2838  if (c->options.pull || c->options.mode == MODE_SERVER)
2839  {
2840  /* Account for worst-case crypto overhead before allocating buffers */
2842  }
2843  else
2844  {
2846  options->replay, packet_id_long_form);
2847  }
2849 
2850  /* Set all command-line TLS-related options */
2851  CLEAR(to);
2852 
2853  if (options->mute_replay_warnings)
2854  {
2856  }
2857 
2859  if (packet_id_long_form)
2860  {
2862  }
2863 
2864  to.ssl_ctx = c->c1.ks.ssl_ctx;
2865  to.key_type = c->c1.ks.key_type;
2866  to.server = options->tls_server;
2867  to.replay = options->replay;
2868  to.replay_window = options->replay_window;
2869  to.replay_time = options->replay_time;
2872  to.config_ncp_ciphers = options->ncp_ciphers;
2873  to.ncp_enabled = options->ncp_enabled;
2874  to.transition_window = options->transition_window;
2875  to.handshake_window = options->handshake_window;
2876  to.packet_timeout = options->tls_timeout;
2877  to.renegotiate_bytes = options->renegotiate_bytes;
2879  if (options->renegotiate_seconds_min < 0)
2880  {
2881  /* Add 10% jitter to reneg-sec by default (server side only) */
2882  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2883  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2884  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2885  }
2886  else
2887  {
2888  /* Add user-specified jitter to reneg-sec */
2890  -(get_random() % max_int(options->renegotiate_seconds
2891  - options->renegotiate_seconds_min, 1));
2892  }
2893  to.single_session = options->single_session;
2894  to.mode = options->mode;
2895  to.pull = options->pull;
2896  if (options->push_peer_info) /* all there is */
2897  {
2898  to.push_peer_info_detail = 2;
2899  }
2900  else if (options->pull) /* pull clients send some details */
2901  {
2902  to.push_peer_info_detail = 1;
2903  }
2904  else /* default: no peer-info at all */
2905  {
2906  to.push_peer_info_detail = 0;
2907  }
2908 
2909  /* should we not xmit any packets until we get an initial
2910  * response from client? */
2911  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2912  {
2913  to.xmit_hold = true;
2914  }
2915 
2916  to.disable_occ = !options->occ;
2917 
2918  to.verify_command = options->tls_verify;
2919  to.verify_export_cert = options->tls_export_cert;
2920  to.verify_x509_type = (options->verify_x509_type & 0xff);
2921  to.verify_x509_name = options->verify_x509_name;
2922  to.crl_file = options->crl_file;
2923  to.crl_file_inline = options->crl_file_inline;
2924  to.ssl_flags = options->ssl_flags;
2925  to.ns_cert_type = options->ns_cert_type;
2926  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2927  to.remote_cert_eku = options->remote_cert_eku;
2928  to.verify_hash = options->verify_hash;
2929  to.verify_hash_algo = options->verify_hash_algo;
2930 #ifdef ENABLE_X509ALTUSERNAME
2931  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2932 #else
2934 #endif
2935  to.es = c->c2.es;
2936  to.net_ctx = &c->net_ctx;
2937 
2938 #ifdef ENABLE_DEBUG
2939  to.gremlin = c->options.gremlin;
2940 #endif
2941 
2942  to.plugins = c->plugins;
2943 
2944 #ifdef ENABLE_MANAGEMENT
2945  to.mda_context = &c->c2.mda_context;
2946 #endif
2947 
2950  to.tmp_dir = options->tmp_dir;
2951  if (options->ccd_exclusive)
2952  {
2954  }
2960 
2961  to.x509_track = options->x509_track;
2962 
2963 #if P2MP
2964 #ifdef ENABLE_MANAGEMENT
2965  to.sci = &options->sc_info;
2966 #endif
2967 #endif
2968 
2969 #ifdef USE_COMP
2970  to.comp_options = options->comp;
2971 #endif
2972 
2973 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2974  if (options->keying_material_exporter_label)
2975  {
2976  to.ekm_size = options->keying_material_exporter_length;
2977  if (to.ekm_size < 16 || to.ekm_size > 4095)
2978  {
2979  to.ekm_size = 0;
2980  }
2981 
2982  to.ekm_label = options->keying_material_exporter_label;
2983  to.ekm_label_size = strlen(to.ekm_label);
2984  }
2985  else
2986  {
2987  to.ekm_size = 0;
2988  }
2989 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2990 
2991  /* TLS handshake authentication (--tls-auth) */
2992  if (options->ce.tls_auth_file)
2993  {
2994  to.tls_wrap.mode = TLS_WRAP_AUTH;
2999  true, true);
3000  }
3001 
3002  /* TLS handshake encryption (--tls-crypt) */
3003  if (options->ce.tls_crypt_file
3004  || (options->ce.tls_crypt_v2_file && options->tls_client))
3005  {
3006  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3011 
3012  if (options->ce.tls_crypt_v2_file)
3013  {
3015  }
3016  }
3017 
3018  if (options->ce.tls_crypt_v2_file)
3019  {
3020  to.tls_crypt_v2 = true;
3021  if (options->tls_server)
3022  {
3025  }
3026  }
3027 
3028  /* If we are running over TCP, allow for
3029  * length prefix */
3031 
3032  /*
3033  * Initialize OpenVPN's master TLS-mode object.
3034  */
3035  if (flags & CF_INIT_TLS_MULTI)
3036  {
3037  c->c2.tls_multi = tls_multi_init(&to);
3038  }
3039 
3040  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3041  {
3043  }
3044 }
3045 
3046 static void
3048 {
3049  if (c->c2.tls_multi)
3050  {
3053  EXPANDED_SIZE(&c->c2.frame));
3055  "Control Channel MTU parms");
3056  }
3057  if (c->c2.tls_auth_standalone)
3058  {
3061  "TLS-Auth MTU parms");
3062  }
3063 }
3064 
3065 /*
3066  * No encryption or authentication.
3067  */
3068 static void
3070 {
3071  ASSERT(!c->options.test_crypto);
3072  msg(M_WARN,
3073  "******* WARNING *******: All encryption and authentication features "
3074  "disabled -- All data will be tunnelled as clear text and will not be "
3075  "protected against man-in-the-middle changes. "
3076  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3077 }
3078 
3079 static void
3080 do_init_crypto(struct context *c, const unsigned int flags)
3081 {
3082  if (c->options.shared_secret_file)
3083  {
3084  do_init_crypto_static(c, flags);
3085  }
3086  else if (c->options.tls_server || c->options.tls_client)
3087  {
3088  do_init_crypto_tls(c, flags);
3089  }
3090  else /* no encryption or authentication. */
3091  {
3093  }
3094 }
3095 
3096 static void
3098 {
3099 #ifdef USE_COMP
3100  /*
3101  * modify frame parameters if compression is enabled
3102  */
3103  if (comp_enabled(&c->options.comp))
3104  {
3105  comp_add_to_extra_frame(&c->c2.frame);
3106 
3107 #if !defined(ENABLE_LZ4)
3108  /*
3109  * Compression usage affects buffer alignment when non-swapped algs
3110  * such as LZO is used.
3111  * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
3112  * any special alignment because of the control-byte swap approach.
3113  * LZO alignment (on the other hand) is problematic because
3114  * the presence of the control byte means that either the output of
3115  * decryption must be written to an unaligned buffer, or the input
3116  * to compression (or packet dispatch if packet is uncompressed)
3117  * must be read from an unaligned buffer.
3118  * This code tries to align the input to compression (or packet
3119  * dispatch if packet is uncompressed) at the cost of requiring
3120  * decryption output to be written to an unaligned buffer, so
3121  * it's more of a tradeoff than an optimal solution and we don't
3122  * include it when we are doing a modern build with LZ4.
3123  * Strictly speaking, on the server it would be better to execute
3124  * this code for every connection after we decide the compression
3125  * method, but currently the frame code doesn't appear to be
3126  * flexible enough for this, since the frame is already established
3127  * before it is known which compression options will be pushed.
3128  */
3129  if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3130  {
3131  frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3135  }
3136 #endif
3137 
3138 #ifdef ENABLE_FRAGMENT
3139  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3140 #endif
3141  }
3142 #endif /* USE_COMP */
3143 
3144  /*
3145  * Adjust frame size for UDP Socks support.
3146  */
3147  if (c->options.ce.socks_proxy_server)
3148  {
3150  }
3151 
3152  /*
3153  * Adjust frame size based on the --tun-mtu-extra parameter.
3154  */
3156  {
3158  }
3159 
3160  /*
3161  * Adjust frame size based on link socket parameters.
3162  * (Since TCP is a stream protocol, we need to insert
3163  * a packet length uint16_t in the buffer.)
3164  */
3166 
3167  /*
3168  * Fill in the blanks in the frame parameters structure,
3169  * make sure values are rational, etc.
3170  */
3171  frame_finalize_options(c, NULL);
3172 
3173 #ifdef USE_COMP
3174  /*
3175  * Modify frame parameters if compression is compiled in.
3176  * Should be called after frame_finalize_options.
3177  */
3178  comp_add_to_extra_buffer(&c->c2.frame);
3179 #ifdef ENABLE_FRAGMENT
3180  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3181 #endif
3182 #endif /* USE_COMP */
3183 
3184  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3185  * and need link_mtu+3 bytes on socket reception (on server).
3186  *
3187  * accommodate receive path in f->extra_link, which has the side effect of
3188  * also increasing send buffers (BUF_SIZE() macro), which need to be
3189  * allocated big enough before receiving peer-id option from server.
3190  *
3191  * f->extra_frame is adjusted when peer-id option is push-received
3192  */
3194 
3195 #ifdef ENABLE_FRAGMENT
3196  /*
3197  * Set frame parameter for fragment code. This is necessary because
3198  * the fragmentation code deals with payloads which have already been
3199  * passed through the compression code.
3200  */
3201  c->c2.frame_fragment = c->c2.frame;
3204 #endif
3205 
3206 #if defined(ENABLE_FRAGMENT)
3207  /*
3208  * MTU advisories
3209  */
3210  if (c->options.ce.fragment && c->options.mtu_test)
3211  {
3212  msg(M_WARN,
3213  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3214  }
3215 #endif
3216 
3217 #ifdef ENABLE_FRAGMENT
3218  if ((c->options.ce.mssfix || c->options.ce.fragment)
3220  {
3221  msg(M_WARN,
3222  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3224  }
3225 #endif
3226 }
3227 
3228 static void
3230 {
3231  const struct options *o = &c->options;
3232 
3233  if (o->ping_send_timeout && !o->ping_rec_timeout)
3234  {
3235  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3236  }
3237 
3238  if (o->username || o->groupname || o->chroot_dir
3239 #ifdef ENABLE_SELINUX
3240  || o->selinux_context
3241 #endif
3242  )
3243  {
3244  if (!o->persist_tun)
3245  {
3246  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3247  }
3248  if (!o->persist_key
3249 #ifdef ENABLE_PKCS11
3250  && !o->pkcs11_id
3251 #endif
3252  )
3253  {
3254  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3255  }
3256  }
3257 
3258  if (o->chroot_dir && !(o->username && o->groupname))
3259  {
3260  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3261  }
3262 
3263 #if P2MP
3264  if (o->pull && o->ifconfig_local && c->first_time)
3265  {
3266  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3267  }
3268 
3270  {
3271  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3272  }
3273 
3274  if (o->mode == MODE_SERVER)
3275  {
3276  if (o->duplicate_cn && o->client_config_dir)
3277  {
3278  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3279  }
3281  {
3282  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3283  }
3284  if (!o->keepalive_ping || !o->keepalive_timeout)
3285  {
3286  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3287  }
3288  }
3289 #endif /* if P2MP */
3290 
3291  if (!o->replay)
3292  {
3293  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3294  }
3295 
3296  if (o->tls_server)
3297  {
3299  }
3300  if (o->tls_client
3301  && !o->tls_verify
3304  && !o->remote_cert_eku)
3305  {
3306  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3307  }
3308  if (o->ns_cert_type)
3309  {
3310  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3311  }
3312 
3313  /* If a script is used, print appropriate warnings */
3314  if (o->user_script_used)
3315  {
3316  if (script_security() >= SSEC_SCRIPTS)
3317  {
3318  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3319  }
3320  else if (script_security() >= SSEC_PW_ENV)
3321  {
3322  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3323  }
3324  else
3325  {
3326  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3327  }
3328  }
3329 }
3330 
3331 static void
3333 {
3335 }
3336 
3337 struct context_buffers *
3339 {
3340  struct context_buffers *b;
3341 
3342  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3343 
3344  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3345  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3346 
3347  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3348 
3349  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3350  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3351 
3352 #ifdef USE_COMP
3353  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3354  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3355 #endif
3356 
3357  return b;
3358 }
3359 
3360 void
3362 {
3363  if (b)
3364  {
3365  free_buf(&b->read_link_buf);
3366  free_buf(&b->read_tun_buf);
3367  free_buf(&b->aux_buf);
3368 
3369 #ifdef USE_COMP
3370  free_buf(&b->compress_buf);
3371  free_buf(&b->decompress_buf);
3372 #endif
3373 
3374  free_buf(&b->encrypt_buf);
3375  free_buf(&b->decrypt_buf);
3376 
3377  free(b);
3378  }
3379 }
3380 
3381 /*
3382  * Now that we know all frame parameters, initialize
3383  * our buffers.
3384  */
3385 static void
3387 {
3389  c->c2.buffers_owned = true;
3390 }
3391 
3392 #ifdef ENABLE_FRAGMENT
3393 /*
3394  * Fragmenting code has buffers to initialize
3395  * once frame parameters are known.
3396  */
3397 static void
3399 {
3400  ASSERT(c->options.ce.fragment);
3404 }
3405 #endif
3406 
3407 /*
3408  * Allocate our socket object.
3409  */
3410 static void
3412 {
3413  ASSERT(!c->c2.link_socket);
3415  c->c2.link_socket_owned = true;
3416 }
3417 
3418 /*
3419  * bind the TCP/UDP socket
3420  */
3421 static void
3422 do_init_socket_1(struct context *c, const int mode)
3423 {
3424  unsigned int sockflags = c->options.sockflags;
3425 
3426 #if PORT_SHARE
3427  if (c->options.port_share_host && c->options.port_share_port)
3428  {
3429  sockflags |= SF_PORT_SHARE;
3430  }
3431 #endif
3432 
3434  c->options.ce.local,
3435  c->options.ce.local_port,
3436  c->options.ce.remote,
3437  c->options.ce.remote_port,
3438  c->c1.dns_cache,
3439  c->options.ce.proto,
3440  c->options.ce.af,
3442  mode,
3443  c->c2.accept_from,
3444  c->c1.http_proxy,
3445  c->c1.socks_proxy,
3446 #ifdef ENABLE_DEBUG
3447  c->options.gremlin,
3448 #endif
3449  c->options.ce.bind_local,
3450  c->options.ce.remote_float,
3451  &c->c1.link_socket_addr,
3452  c->options.ipchange,
3453  c->plugins,
3456  c->options.rcvbuf,
3457  c->options.sndbuf,
3458  c->options.mark,
3459  c->options.bind_dev,
3461  sockflags);
3462 }
3463 
3464 /*
3465  * finalize the TCP/UDP socket
3466  */
3467 static void
3469 {
3471  c->sig);
3472 }
3473 
3474 /*
3475  * Print MTU INFO
3476  */
3477 static void
3479 {
3480  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3481 #ifdef ENABLE_FRAGMENT
3482  if (c->c2.fragment)
3483  {
3485  "Fragmentation MTU parms");
3486  }
3487 #endif
3488 }
3489 
3490 /*
3491  * Get local and remote options compatibility strings.
3492  */
3493 static void
3495 {
3496  struct gc_arena gc = gc_new();
3497 
3499  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3500  false, &gc);
3502  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3503  true, &gc);
3504 
3505  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3508  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3511 
3512  if (c->c2.tls_multi)
3513  {
3517  }
3518 
3519  gc_free(&gc);
3520 }
3521 
3522 /*
3523  * These things can only be executed once per program instantiation.
3524  * Set up for possible UID/GID downgrade, but don't do it yet.
3525  * Daemonize if requested.
3526  */
3527 static void
3529 {
3530  if (c->first_time && !c->c0)
3531  {
3532  struct context_0 *c0;
3533 
3534  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3535  c0 = c->c0;
3536 
3537  /* get user and/or group that we want to setuid/setgid to */
3538  c0->uid_gid_specified =
3541 
3542  /* perform postponed chdir if --daemon */
3543  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3544  {
3545  platform_chdir("/");
3546  }
3547 
3548  /* should we change scheduling priority? */
3550  }
3551 }
3552 
3553 /*
3554  * free buffers
3555  */
3556 static void
3558 {
3559  if (c->c2.buffers_owned)
3560  {
3562  c->c2.buffers = NULL;
3563  c->c2.buffers_owned = false;
3564  }
3565 }
3566 
3567 /*
3568  * close TLS
3569  */
3570 static void
3572 {
3573  if (c->c2.tls_multi)
3574  {
3575  tls_multi_free(c->c2.tls_multi, true);
3576  c->c2.tls_multi = NULL;
3577  }
3578 
3579  /* free options compatibility strings */
3582 
3584 
3585  if (c->c2.pulled_options_state)
3586  {
3589  }
3590 }
3591 
3592 /*
3593  * Free key schedules
3594  */
3595 static void
3596 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3597 {
3598  /*
3599  * always free the tls_auth/crypt key. If persist_key is true, the key will
3600  * be reloaded from memory (pre-cached)
3601  */
3604  CLEAR(c->c1.ks.tls_wrap_key);
3607 
3608  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3609  {
3610  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3611  }
3612 }
3613 
3614 /*
3615  * Close TCP/UDP connection
3616  */
3617 static void
3619 {
3620  if (c->c2.link_socket && c->c2.link_socket_owned)
3621  {
3623  c->c2.link_socket = NULL;
3624  }
3625 
3626 
3627  /* Preserve the resolved list of remote if the user request to or if we want
3628  * reconnect to the same host again or there are still addresses that need
3629  * to be tried */
3630  if (!(c->sig->signal_received == SIGUSR1
3631  && ( (c->options.persist_remote_ip)
3632  ||
3633  ( c->sig->source != SIG_SOURCE_HARD
3635  && c->c1.link_socket_addr.current_remote->ai_next)
3636  || c->options.no_advance))
3637  )))
3638  {
3640  }
3641 
3642  /* Clear the remote actual address when persist_remote_ip is not in use */
3643  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3644  {
3646  }
3647 
3648  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3649  {
3651  {
3652  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3653  }
3654 
3655  c->c1.link_socket_addr.bind_local = NULL;
3656  }
3657 }
3658 
3659 /*
3660  * Close packet-id persistence file
3661  */
3662 static void
3664 {
3667  if (!(c->sig->signal_received == SIGUSR1))
3668  {
3670  }
3671 }
3672 
3673 #ifdef ENABLE_FRAGMENT
3674 /*
3675  * Close fragmentation handler.
3676  */
3677 static void
3679 {
3680  if (c->c2.fragment)
3681  {
3683  c->c2.fragment = NULL;
3684  }
3685 }
3686 #endif
3687 
3688 /*
3689  * Open and close our event objects.
3690  */
3691 
3692 static void
3694  bool need_us_timeout)
3695 {
3696  unsigned int flags = 0;
3697 
3699 
3700  flags |= EVENT_METHOD_FAST;
3701 
3702  if (need_us_timeout)
3703  {
3704  flags |= EVENT_METHOD_US_TIMEOUT;
3705  }
3706 
3707  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3708  c->c2.event_set_owned = true;
3709 }
3710 
3711 static void
3713 {
3714  if (c->c2.event_set && c->c2.event_set_owned)
3715  {
3716  event_free(c->c2.event_set);
3717  c->c2.event_set = NULL;
3718  c->c2.event_set_owned = false;
3719  }
3720 }
3721 
3722 /*
3723  * Open and close --status file
3724  */
3725 
3726 static void
3728 {
3729  if (!c->c1.status_output)
3730  {
3733  -1,
3734  NULL,
3736  c->c1.status_output_owned = true;
3737  }
3738 }
3739 
3740 static void
3742 {
3743  if (!(c->sig->signal_received == SIGUSR1))
3744  {
3745  if (c->c1.status_output_owned && c->c1.status_output)
3746  {
3748  c->c1.status_output = NULL;
3749  c->c1.status_output_owned = false;
3750  }
3751  }
3752 }
3753 
3754 /*
3755  * Handle ifconfig-pool persistence object.
3756  */
3757 static void
3759 {
3761  {
3764  c->c1.ifconfig_pool_persist_owned = true;
3765  }
3766 }
3767 
3768 static void
3770 {
3771  if (!(c->sig->signal_received == SIGUSR1))
3772  {
3774  {
3776  c->c1.ifconfig_pool_persist = NULL;
3777  c->c1.ifconfig_pool_persist_owned = false;
3778  }
3779  }
3780 }
3781 
3782 /*
3783  * Inherit environmental variables
3784  */
3785 
3786 static void
3787 do_inherit_env(struct context *c, const struct env_set *src)
3788 {
3789  c->c2.es = env_set_create(NULL);
3790  c->c2.es_owned = true;
3791  env_set_inherit(c->c2.es, src);
3792 }
3793 
3794 static void
3796 {
3797  if (c->c2.es && c->c2.es_owned)
3798  {
3799  env_set_destroy(c->c2.es);
3800  c->c2.es = NULL;
3801  c->c2.es_owned = false;
3802  }
3803 }
3804 
3805 /*
3806  * Fast I/O setup. Fast I/O is an optimization which only works
3807  * if all of the following are true:
3808  *
3809  * (1) The platform is not Windows
3810  * (2) --proto udp is enabled
3811  * (3) --shaper is disabled
3812  */
3813 static void
3815 {
3816  if (c->options.fast_io)
3817  {
3818 #ifdef _WIN32
3819  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3820 #else
3821  if (!proto_is_udp(c->options.ce.proto))
3822  {
3823  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3824  }
3825  else
3826  {
3827 #ifdef ENABLE_FEATURE_SHAPER
3828  if (c->options.shaper)
3829  {
3830  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3831  }
3832  else
3833 #endif
3834  {
3835  c->c2.fast_io = true;
3836  }
3837  }
3838 #endif
3839  }
3840 }
3841 
3842 static void
3844 {
3845  if (c->options.tls_exit)
3846  {
3847  c->c2.tls_exit_signal = SIGTERM;
3848  }
3849  else
3850  {
3851  c->c2.tls_exit_signal = SIGUSR1;
3852  }
3853 }
3854 
3855 #ifdef ENABLE_PLUGIN
3856 
3857 void
3859 {
3860  if (c->options.plugin_list && !c->plugins)
3861  {
3863  c->plugins_owned = true;
3864  }
3865 }
3866 
3867 void
3868 open_plugins(struct context *c, const bool import_options, int init_point)
3869 {
3870  if (c->plugins && c->plugins_owned)
3871  {
3872  if (import_options)
3873  {
3874  struct plugin_return pr, config;
3875  plugin_return_init(&pr);
3876  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3877  plugin_return_get_column(&pr, &config, "config");
3878  if (plugin_return_defined(&config))
3879  {
3880  int i;
3881  for (i = 0; i < config.n; ++i)
3882  {
3883  unsigned int option_types_found = 0;
3884  if (config.list[i] && config.list[i]->value)
3885  {
3887  config.list[i]->value,
3890  &option_types_found,
3891  c->es);
3892  }
3893  }
3894  }
3895  plugin_return_free(&pr);
3896  }
3897  else
3898  {
3899  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3900  }
3901  }
3902 }
3903 
3904 static void
3906 {
3907  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3908  {
3910  c->plugins = NULL;
3911  c->plugins_owned = false;
3912  }
3913 }
3914 
3915 static void
3916 do_inherit_plugins(struct context *c, const struct context *src)
3917 {
3918  if (!c->plugins && src->plugins)
3919  {
3920  c->plugins = plugin_list_inherit(src->plugins);
3921  c->plugins_owned = true;
3922  }
3923 }
3924 
3925 #endif /* ifdef ENABLE_PLUGIN */
3926 
3927 #ifdef ENABLE_MANAGEMENT
3928 
3929 static void
3930 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3931 {
3932  struct context *c = (struct context *) arg;
3933  print_status(c, so);
3934 }
3935 
3936 void
3937 management_show_net_callback(void *arg, const int msglevel)
3938 {
3939 #ifdef _WIN32
3940  show_routes(msglevel);
3941  show_adapters(msglevel);
3942  msg(msglevel, "END");
3943 #else
3944  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3945 #endif
3946 }
3947 
3948 #ifdef TARGET_ANDROID
3949 int
3950 management_callback_network_change(void *arg, bool samenetwork)
3951 {
3952  /* Check if the client should translate the network change to a SIGUSR1 to
3953  * reestablish the connection or just reprotect the socket
3954  *
3955  * At the moment just assume that, for all settings that use pull (not
3956  * --static) and are not using peer-id reestablishing the connection is
3957  * required (unless the network is the same)
3958  *
3959  * The function returns -1 on invalid fd and -2 if the socket cannot be
3960  * reused. On the -2 return value the man_network_change function triggers
3961  * a SIGUSR1 to force a reconnect.
3962  */
3963 
3964  int socketfd = -1;
3965  struct context *c = (struct context *) arg;
3966  if (!c->c2.link_socket)
3967  {
3968  return -1;
3969  }
3970  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3971  {
3972  return -1;
3973  }
3974 
3975  socketfd = c->c2.link_socket->sd;
3976  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3977  {
3978  return socketfd;
3979  }
3980  else
3981  {
3982  return -2;
3983  }
3984 }
3985 #endif /* ifdef TARGET_ANDROID */
3986 
3987 #endif /* ifdef ENABLE_MANAGEMENT */
3988 
3989 void
3991 {
3992 #ifdef ENABLE_MANAGEMENT
3993  if (management)
3994  {
3995  struct management_callback cb;
3996  CLEAR(cb);
3997  cb.arg = c;
4003 #ifdef TARGET_ANDROID
4004  cb.network_change = management_callback_network_change;
4005 #endif
4007  }
4008 #endif
4009 }
4010 
4011 #ifdef ENABLE_MANAGEMENT
4012 
4013 void
4015 {
4016  if (!management)
4017  {
4019  }
4020 }
4021 
4022 bool
4024 {
4025  /* initialize management layer */
4026  if (management)
4027  {
4028  if (c->options.management_addr)
4029  {
4030  unsigned int flags = c->options.management_flags;
4031  if (c->options.mode == MODE_SERVER)
4032  {
4033  flags |= MF_SERVER;
4034  }
4046  flags))
4047  {
4050  NULL,
4051  NULL,
4052  NULL,
4053  NULL,
4054  NULL);
4055  }
4056 
4057  /* initial management hold, called early, before first context initialization */
4058  do_hold(0);
4059  if (IS_SIG(c))
4060  {
4061  msg(M_WARN, "Signal received from management interface, exiting");
4062  return false;
4063  }
4064  }
4065  else
4066  {
4067  close_management();
4068  }
4069  }
4070  return true;
4071 }
4072 
4073 void
4075 {
4076  if (management)
4077  {
4079  management = NULL;
4080  }
4081 }
4082 
4083 #endif /* ifdef ENABLE_MANAGEMENT */
4084 
4085 
4086 void
4088 {
4089 #ifdef ENABLE_MANAGEMENT
4090  if (management)
4091  {
4093  }
4094 #endif
4095 }
4096 
4097 /*
4098  * Initialize a tunnel instance, handle pre and post-init
4099  * signal settings.
4100  */
4101 void
4102 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4103 {
4105  init_instance(c, env, flags);
4107 
4108  /*
4109  * This is done so that signals thrown during
4110  * initialization can bring us back to
4111  * a management hold.
4112  */
4113  if (IS_SIG(c))
4114  {
4115  remap_signal(c);
4117  }
4118 }
4119 
4120 /*
4121  * Initialize a tunnel instance.
4122  */
4123 void
4124 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4125 {
4126  const struct options *options = &c->options;
4127  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4128  int link_socket_mode = LS_MODE_DEFAULT;
4129 
4130  /* init garbage collection level */
4131  gc_init(&c->c2.gc);
4132 
4133  /* inherit environmental variables */
4134  if (env)
4135  {
4136  do_inherit_env(c, env);
4137  }
4138 
4139  /* signals caught here will abort */
4140  c->sig->signal_received = 0;
4141  c->sig->signal_text = NULL;
4142  c->sig->source = SIG_SOURCE_SOFT;
4143 
4144  if (c->mode == CM_P2P)
4145  {
4147  }
4148 
4149  /* possible sleep or management hold if restart */
4150  if (c->mode == CM_P2P || c->mode == CM_TOP)
4151  {
4152  do_startup_pause(c);
4153  if (IS_SIG(c))
4154  {
4155  goto sig;
4156  }
4157  }
4158 
4159  if (c->options.resolve_in_advance)
4160  {
4161  do_preresolve(c);
4162  if (IS_SIG(c))
4163  {
4164  goto sig;
4165  }
4166  }
4167 
4168  /* map in current connection entry */
4170 
4171  /* link_socket_mode allows CM_CHILD_TCP
4172  * instances to inherit acceptable fds
4173  * from a top-level parent */
4174  if (c->options.ce.proto == PROTO_TCP_SERVER)
4175  {
4176  if (c->mode == CM_TOP)
4177  {
4178  link_socket_mode = LS_MODE_TCP_LISTEN;
4179  }
4180  else if (c->mode == CM_CHILD_TCP)
4181  {
4182  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4183  }
4184  }
4185 
4186  /* should we disable paging? */
4187  if (c->first_time && options->mlock)
4188  {
4189  platform_mlockall(true);
4190  }
4191 
4192 #if P2MP
4193  /* get passwords if undefined */
4194  if (auth_retry_get() == AR_INTERACT)
4195  {
4197  }
4198 #endif
4199 
4200  /* initialize context level 2 --verb/--mute parms */
4202 
4203  /* set error message delay for non-server modes */
4204  if (c->mode == CM_P2P)
4205  {
4207  }
4208 
4209  /* warn about inconsistent options */
4210  if (c->mode == CM_P2P || c->mode == CM_TOP)
4211  {
4212  do_option_warnings(c);
4213  }
4214 
4215 #ifdef ENABLE_PLUGIN
4216  /* initialize plugins */
4217  if (c->mode == CM_P2P || c->mode == CM_TOP)
4218  {
4220  }
4221 #endif
4222 
4223  /* should we enable fast I/O? */
4224  if (c->mode == CM_P2P || c->mode == CM_TOP)
4225  {
4226  do_setup_fast_io(c);
4227  }
4228 
4229  /* should we throw a signal on TLS errors? */
4231 
4232  /* open --status file */
4233  if (c->mode == CM_P2P || c->mode == CM_TOP)
4234  {
4236  }
4237 
4238  /* open --ifconfig-pool-persist file */
4239  if (c->mode == CM_TOP)
4240  {
4242  }
4243 
4244  /* reset OCC state */
4245  if (c->mode == CM_P2P || child)
4246  {
4247  c->c2.occ_op = occ_reset_op();
4248  }
4249 
4250  /* our wait-for-i/o objects, different for posix vs. win32 */
4251  if (c->mode == CM_P2P)
4252  {
4254  }
4255  else if (c->mode == CM_CHILD_TCP)
4256  {
4257  do_event_set_init(c, false);
4258  }
4259 
4260  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4261  init_proxy(c);
4262 
4263  /* allocate our socket object */
4264  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4265  {
4266  do_link_socket_new(c);
4267  }
4268 
4269 #ifdef ENABLE_FRAGMENT
4270  /* initialize internal fragmentation object */
4271  if (options->ce.fragment && (c->mode == CM_P2P || child))
4272  {
4273  c->c2.fragment = fragment_init(&c->c2.frame);
4274  }
4275 #endif
4276 
4277  /* init crypto layer */
4278  {
4279  unsigned int crypto_flags = 0;
4280  if (c->mode == CM_TOP)
4281  {
4282  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4283  }
4284  else if (c->mode == CM_P2P)
4285  {
4287  }
4288  else if (child)
4289  {
4290  crypto_flags = CF_INIT_TLS_MULTI;
4291  }
4292  do_init_crypto(c, crypto_flags);
4293  if (IS_SIG(c) && !child)
4294  {
4295  goto sig;
4296  }
4297  }
4298 
4299 #ifdef USE_COMP
4300  /* initialize compression library. */
4301  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4302  {
4303  c->c2.comp_context = comp_init(&options->comp);
4304  }
4305 #endif
4306 
4307  /* initialize MTU variables */
4308  do_init_frame(c);
4309 
4310  /* initialize TLS MTU variables */
4311  do_init_frame_tls(c);
4312 
4313  /* init workspace buffers whose size is derived from frame size */
4314  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4315  {
4316  do_init_buffers(c);
4317  }
4318 
4319 #ifdef ENABLE_FRAGMENT
4320  /* initialize internal fragmentation capability with known frame size */
4321  if (options->ce.fragment && (c->mode == CM_P2P || child))
4322  {
4323  do_init_fragment(c);
4324  }
4325 #endif
4326 
4327  /* initialize dynamic MTU variable */
4328  frame_init_mssfix(&c->c2.frame, &c->options);
4329 
4330  /* bind the TCP/UDP socket */
4331  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4332  {
4333  do_init_socket_1(c, link_socket_mode);
4334  }
4335 
4336  /* initialize tun/tap device object,
4337  * open tun/tap device, ifconfig, run up script, etc. */
4338  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4339  {
4340  c->c2.did_open_tun = do_open_tun(c);
4341  }
4342 
4343  c->c2.frame_initial = c->c2.frame;
4344 
4345  /* print MTU info */
4347 
4348  /* get local and remote options compatibility strings */
4349  if (c->mode == CM_P2P || child)
4350  {
4352  }
4353 
4354  /* initialize output speed limiter */
4355  if (c->mode == CM_P2P)
4356  {
4358  }
4359 
4360  /* do one-time inits, and possibly become a daemon here */
4361  do_init_first_time(c);
4362 
4363 #ifdef ENABLE_PLUGIN
4364  /* initialize plugins */
4365  if (c->mode == CM_P2P || c->mode == CM_TOP)
4366  {
4368  }
4369 #endif
4370 
4371  /* initialise connect timeout timer */
4373 
4374  /* finalize the TCP/UDP socket */
4375  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4376  {
4377  do_init_socket_2(c);
4378  }
4379 
4380  /*
4381  * Actually do UID/GID downgrade, and chroot, if requested.
4382  * May be delayed by --client, --pull, or --up-delay.
4383  */
4385 
4386  /* initialize timers */
4387  if (c->mode == CM_P2P || child)
4388  {
4389  do_init_timers(c, false);
4390  }
4391 
4392 #ifdef ENABLE_PLUGIN
4393  /* initialize plugins */
4394  if (c->mode == CM_P2P || c->mode == CM_TOP)
4395  {
4397  }
4398 #endif
4399 
4400 #if PORT_SHARE
4401  /* share OpenVPN port with foreign (such as HTTPS) server */
4402  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4403  {
4404  init_port_share(c);
4405  }
4406 #endif
4407 
4408 #ifdef ENABLE_PF
4409  if (child)
4410  {
4411  pf_init_context(c);
4412  }
4413 #endif
4414 
4415  /* Check for signals */
4416  if (IS_SIG(c))
4417  {
4418  goto sig;
4419  }
4420 
4421  return;
4422 
4423 sig:
4424  if (!c->sig->signal_text)
4425  {
4426  c->sig->signal_text = "init_instance";
4427  }
4428  close_context(c, -1, flags);
4429  return;
4430 }
4431 
4432 /*
4433  * Close a tunnel instance.
4434  */
4435 void
4437 {
4438  /* close event objects */
4439  do_close_event_set(c);
4440 
4441  if (c->mode == CM_P2P
4442  || c->mode == CM_CHILD_TCP
4443  || c->mode == CM_CHILD_UDP
4444  || c->mode == CM_TOP)
4445  {
4446 #ifdef USE_COMP
4447  if (c->c2.comp_context)
4448  {
4449  comp_uninit(c->c2.comp_context);
4450  c->c2.comp_context = NULL;
4451  }
4452 #endif
4453 
4454  /* free buffers */
4455  do_close_free_buf(c);
4456 
4457  /* close TLS */
4458  do_close_tls(c);
4459 
4460  /* free key schedules */
4461  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4462 
4464 
4465  /* close TCP/UDP connection */
4467 
4468  /* close TUN/TAP device */
4469  do_close_tun(c, false);
4470 
4471 #ifdef ENABLE_MANAGEMENT
4472  if (management)
4473  {
4475  }
4476 #endif
4477 
4478 #ifdef ENABLE_PF
4479  pf_destroy_context(&c->c2.pf);
4480 #endif
4481 
4482 #ifdef ENABLE_PLUGIN
4483  /* call plugin close functions and unload */
4484  do_close_plugins(c);
4485 #endif
4486 
4487  /* close packet-id persistence file */
4488  do_close_packet_id(c);
4489 
4490  /* close --status file */
4492 
4493 #ifdef ENABLE_FRAGMENT
4494  /* close fragmentation handler */
4495  do_close_fragment(c);
4496 #endif
4497 
4498  /* close --ifconfig-pool-persist obj */
4500 
4501  /* free up environmental variable store */
4502  do_env_set_destroy(c);
4503 
4504  /* close HTTP or SOCKS proxy */
4505  uninit_proxy(c);
4506 
4507  /* garbage collect */
4508  gc_free(&c->c2.gc);
4509  }
4510 }
4511 
4512 void
4514  const struct context *src)
4515 {
4516  CLEAR(*dest);
4517 
4518  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4520 
4521  dest->gc = gc_new();
4522 
4523  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4524 
4525  /* c1 init */
4527 
4528  dest->c1.ks.key_type = src->c1.ks.key_type;
4529  /* inherit SSL context */
4530  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4531  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4534  /* inherit pre-NCP ciphers */
4535  dest->c1.ciphername = src->c1.ciphername;
4536  dest->c1.authname = src->c1.authname;
4537  dest->c1.keysize = src->c1.keysize;
4538 
4539  /* inherit auth-token */
4540  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4541 
4542  /* options */
4543  dest->options = src->options;
4544  options_detach(&dest->options);
4545 
4546  if (dest->mode == CM_CHILD_TCP)
4547  {
4548  /*
4549  * The CM_TOP context does the socket listen(),
4550  * and the CM_CHILD_TCP context does the accept().
4551  */
4552  dest->c2.accept_from = src->c2.link_socket;
4553  }
4554 
4555 #ifdef ENABLE_PLUGIN
4556  /* inherit plugins */
4557  do_inherit_plugins(dest, src);
4558 #endif
4559 
4560  /* context init */
4561  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4562  if (IS_SIG(dest))
4563  {
4564  return;
4565  }
4566 
4567  /* inherit tun/tap interface object */
4568  dest->c1.tuntap = src->c1.tuntap;
4569 
4570  /* UDP inherits some extra things which TCP does not */
4571  if (dest->mode == CM_CHILD_UDP)
4572  {
4573  /* inherit buffers */
4574  dest->c2.buffers = src->c2.buffers;
4575 
4576  /* inherit parent link_socket and tuntap */
4577  dest->c2.link_socket = src->c2.link_socket;
4578 
4579  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4580  *dest->c2.link_socket_info = src->c2.link_socket->info;
4581 
4582  /* locally override some link_socket_info fields */
4583  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4585  }
4586 }
4587 
4588 void
4590  const struct context *src)
4591 {
4592  /* copy parent */
4593  *dest = *src;
4594 
4595  /*
4596  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4597  * resources owned by the parent.
4598  *
4599  * Also note that CM_TOP_CLONE context objects are
4600  * closed by multi_top_free in multi.c.
4601  */
4602  dest->mode = CM_TOP_CLONE;
4603 
4604  dest->first_time = false;
4605  dest->c0 = NULL;
4606 
4607  options_detach(&dest->options);
4608  gc_detach(&dest->gc);
4609  gc_detach(&dest->c2.gc);
4610 
4611  /* detach plugins */
4612  dest->plugins_owned = false;
4613 
4614  dest->c2.tls_multi = NULL;
4615 
4616  /* detach c1 ownership */
4617  dest->c1.tuntap_owned = false;
4618  dest->c1.status_output_owned = false;
4619  dest->c1.ifconfig_pool_persist_owned = false;
4620 
4621  /* detach c2 ownership */
4622  dest->c2.event_set_owned = false;
4623  dest->c2.link_socket_owned = false;
4624  dest->c2.buffers_owned = false;
4625  dest->c2.es_owned = false;
4626 
4627  dest->c2.event_set = NULL;
4628  if (proto_is_dgram(src->options.ce.proto))
4629  {
4630  do_event_set_init(dest, false);
4631  }
4632 
4633 #ifdef USE_COMP
4634  dest->c2.comp_context = NULL;
4635 #endif
4636 }
4637 
4638 void
4639 close_context(struct context *c, int sig, unsigned int flags)
4640 {
4641  ASSERT(c);
4642  ASSERT(c->sig);
4643 
4644  if (sig >= 0)
4645  {
4646  c->sig->signal_received = sig;
4647  }
4648 
4649  if (c->sig->signal_received == SIGUSR1)
4650  {
4651  if ((flags & CC_USR1_TO_HUP)
4652  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4653  {
4654  c->sig->signal_received = SIGHUP;
4655  c->sig->signal_text = "close_context usr1 to hup";
4656  }
4657  }
4658 
4659  if (!(flags & CC_NO_CLOSE))
4660  {
4661  close_instance(c);
4662  }
4663 
4664  if (flags & CC_GC_FREE)
4665  {
4666  context_gc_free(c);
4667  }
4668 }
4669 
4670 /* Write our PID to a file */
4671 void
4672 write_pid_file(const char *filename, const char *chroot_dir)
4673 {
4674  if (filename)
4675  {
4676  unsigned int pid = 0;
4677  FILE *fp = platform_fopen(filename, "w");
4678  if (!fp)
4679  {
4680  msg(M_ERR, "Open error on pid file %s", filename);
4681  return;
4682  }
4683 
4684  pid = platform_getpid();
4685  fprintf(fp, "%u\n", pid);
4686  if (fclose(fp))
4687  {
4688  msg(M_ERR, "Close error on pid file %s", filename);
4689  }
4690 
4691  /* remember file name so it can be deleted "out of context" later */
4692  /* (the chroot case is more complex and not handled today) */
4693  if (!chroot_dir)
4694  {
4695  saved_pid_file_name = strdup(filename);
4696  }
4697  }
4698 }
4699 
4700 /* remove PID file on exit, called from openvpn_exit() */
4701 void
4703 {
4704  if (saved_pid_file_name)
4705  {
4707  }
4708 }
4709 
4710 
4711 /*
4712  * Do a loopback test
4713  * on the crypto subsystem.
4714  */
4715 static void *
4717 {
4718  struct context *c = (struct context *) arg;
4719  const struct options *options = &c->options;
4720 
4721  ASSERT(options->test_crypto);
4723  context_init_1(c);
4725  do_init_crypto_static(c, 0);
4726 
4727  frame_finalize_options(c, options);
4728 
4729  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4730 
4731  key_schedule_free(&c->c1.ks, true);
4733 
4734  context_gc_free(c);
4735  return NULL;
4736 }
4737 
4738 bool
4739 do_test_crypto(const struct options *o)
4740 {
4741  if (o->test_crypto)
4742  {
4743  struct context c;
4744 
4745  /* print version number */
4746  msg(M_INFO, "%s", title_string);
4747 
4748  context_clear(&c);
4749  c.options = *o;
4750  options_detach(&c.options);
4751  c.first_time = true;
4752  test_crypto_thread((void *) &c);
4753  return true;
4754  }
4755  return false;
4756 }
struct tuntap_options tuntap_options
Definition: options.h:301
bool tcp_mode
Definition: ssl_common.h:313
struct env_set * es
Definition: openvpn.h:440
char port[RH_PORT_LEN]
Definition: options.h:184
unsigned int platform_getpid(void)
Definition: platform.c:178
const char * ciphername
Data channel cipher from config file.
Definition: openvpn.h:207
bool remote_float
Definition: options.h:95
bool socks_proxy_owned
Definition: openvpn.h:190
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:570
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2568
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
const char * status_file
Definition: options.h:333
void management_close(struct management *man)
Definition: manage.c:2692
int ifconfig_pool_persist_refresh_freq
Definition: options.h:429
struct key_type key_type
Definition: ssl_common.h:259
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:555
bool persist_remote_ip
Definition: options.h:290
int sndbuf
Definition: options.h:346
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:130
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:366
bool log_rw
Definition: openvpn.h:402
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:404
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
const char * socks_proxy_port
Definition: options.h:104
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:475
struct frame frame_fragment_omit
Definition: openvpn.h:286
const char * tmp_dir
Definition: ssl_common.h:330
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct event_timeout route_wakeup
Definition: openvpn.h:405
bool tun_mtu_defined
Definition: options.h:108
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:613
#define OPT_P_DEFAULT
Definition: options.h:689
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1544
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:108
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:364
Definition: tun.h:151
bool ncp_enabled
Definition: options.h:505
unsigned int management_flags
Definition: options.h:389
static void do_close_tun(struct context *c, bool force)
Definition: init.c:2011
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:891
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2596
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
struct buffer read_tun_buf
Definition: openvpn.h:112
const char * crl_file
Definition: ssl_common.h:291
#define M_NOPREFIX
Definition: error.h:102
bool block_outside_dns
Definition: options.h:626
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define D_INIT_MEDIUM
Definition: errlevel.h:106
struct event_timeout ping_rec_interval
Definition: openvpn.h:317
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1280
bool tls_crypt_v2
Definition: ssl_common.h:319
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
void platform_nice(int niceval)
Definition: platform.c:156
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
struct event_timeout route_wakeup_expire
Definition: openvpn.h:406
#define PAR_NCT
Definition: proxy.h:50
bool mute_replay_warnings
Definition: options.h:513
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1086
#define BASE_N_EVENTS
Definition: init.h:33
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5690
bool show_curves
Definition: options.h:222
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4200
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_ROUTE
Definition: errlevel.h:80
bool exit_event_initial_state
Definition: options.h:623
const char * cipher_list
Definition: options.h:538
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:523
struct link_socket * link_socket_new(void)
Definition: socket.c:1868
static void do_alloc_route_list(struct context *c)
Definition: init.c:1489
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:335
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:128
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1029
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3664
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:503
bool tls_crypt_v2_file_inline
Definition: options.h:602
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2164
static void init_proxy_dowork(struct context *c)
Definition: init.c:630
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:316
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1719
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
#define SET_MTU_TUN
Definition: mtu.h:220
struct cached_dns_entry * dns_cache
Definition: openvpn.h:163
bool did_open_tun
Definition: openvpn.h:409
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
unsigned int auth_token_lifetime
Definition: ssl_common.h:337
const char * tls_cert_profile
Definition: options.h:541
int management_log_history_cache
Definition: options.h:380
#define M_OPTERR
Definition: error.h:105
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:320
struct interval tmp_int
Definition: openvpn.h:366
#define streq(x, y)
Definition: options.h:653
const char * ifconfig_pool_persist_filename
Definition: options.h:428
const char * chroot_dir
Definition: options.h:306
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
void string_clear(char *str)
Definition: buffer.c:728
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3916
static void do_close_event_set(struct context *c)
Definition: init.c:3712
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2735
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
bool server_bridge_proxy_dhcp
Definition: options.h:415
#define S_FATAL
Definition: run_command.h:46
const char * dev
Definition: options.h:247
#define WSO_FORCE_SERVICE
Definition: win32.h:166
int ping_rec_timeout_action
Definition: options.h:286
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2174
bool auth_token_generate
Definition: options.h:471
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
void notnull(const char *arg, const char *description)
Definition: options.c:4331
void tun_abort(void)
Definition: init.c:2144
Contains all state information for one tunnel.
Definition: openvpn.h:503
#define CIPHER_ENABLED(c)
Definition: openvpn.h:574
Packet geometry parameters.
Definition: mtu.h:93
static void do_env_set_destroy(struct context *c)
Definition: init.c:3795
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2655
#define PAR_ALL
Definition: proxy.h:49
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define ROUTE_AFTER_TUN
Definition: tun.h:361
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
struct env_set * es
Set of environment variables.
Definition: openvpn.h:526
#define D_PUSH
Definition: errlevel.h:83
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
#define M_USAGE
Definition: error.h:111
struct man_persist persist
Definition: manage.h:318
#define srandom
Definition: syshead.h:45
bool proto_is_udp(int proto)
Definition: socket.c:3121
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:375
void link_socket_init_phase1(struct link_socket *sock, const char *local_host, const char *local_port, const char *remote_host, const char *remote_port, struct cached_dns_entry *dns_cache, int proto, sa_family_t af, bool bind_ipv6_only, int mode, const struct link_socket *accept_from, struct http_proxy_info *http_proxy, struct socks_proxy_info *socks_proxy, bool bind_local, bool remote_float, struct link_socket_addr *lsa, const char *ipchange_command, const struct plugin_list *plugins, int resolve_retry_seconds, int mtu_discover_type, int rcvbuf, int sndbuf, int mark, const char *bind_dev, struct event_timeout *server_poll_timeout, unsigned int sockflags)
Definition: socket.c:1879
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:256
void error_reset(void)
Definition: error.c:163
#define PAYLOAD_ALIGN
Definition: mtu.h:86
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:214
#define OPT_P_PLUGIN
Definition: options.h:682
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
#define dmsg
Definition: error.h:174
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4639
int script_security(void)
Definition: run_command.c:45
static void do_init_socket_2(struct context *c)
Definition: init.c:3468
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:69
#define SDL_CONSTRAIN
Definition: error.h:203
const char * auth_user_pass_verify_script
Definition: ssl_common.h:328
const char * shared_secret_file
Definition: options.h:499
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6682
#define RH_PORT_LEN
Definition: options.h:183
#define EVENT_METHOD_FAST
Definition: event.h:42
uint32_t peer_id
Definition: options.h:631
#define D_TLS_ERRORS
Definition: errlevel.h:59
#define OPENVPN_PLUGIN_DOWN
void init_management_callback_p2p(struct context *c)
Definition: init.c:3990
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:354
#define OPENVPN_PLUGIN_ROUTE_UP
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1198
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:333
bool tls_crypt_v2_file_inline
Definition: options.h:146
void close_instance(struct context *c)
Definition: init.c:4436
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2826
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
Definition: options.h:86
int renegotiate_seconds
Definition: options.h:576
const char * client_config_dir_exclusive
Definition: ssl_common.h:342
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1305
#define OPT_P_IPWIN32
Definition: options.h:661
bool persist_key
Definition: options.h:291
#define SIGUSR1
Definition: config-msvc.h:152
int replay_window
Definition: options.h:514
int persist_mode
Definition: options.h:215
int keysize
Data channel keysize from config file.
Definition: openvpn.h:209
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:457
const char * auth_user_pass_file
Definition: ssl_common.h:331
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3843
struct context_buffers * buffers
Definition: openvpn.h:389
int verify_x509_type
Definition: ssl_common.h:289
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
int connect_retry_seconds
Definition: options.h:99
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
struct event_timeout wait_for_connect
Definition: openvpn.h:315
int rcvbuf
Definition: options.h:345
const char * config_ncp_ciphers
Definition: ssl_common.h:316
#define D_LOG_RW
Definition: errlevel.h:111
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
static void next_connection_entry(struct context *c)
Definition: init.c:471
int handshake_window
Definition: ssl_common.h:280
struct connection_list * connection_list
Definition: options.h:231
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:408
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1339
#define LS_MODE_DEFAULT
Definition: socket.h:191
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:239
#define RH_HOST_LEN
Definition: options.h:181
const char * exit_event_name
Definition: options.h:622
#define AR_NONE
Definition: options.h:835
void md_ctx_free(md_ctx_t *ctx)
const struct link_socket * accept_from
Definition: openvpn.h:272
bool route_noexec
Definition: options.h:361
unsigned int sockflags
Definition: options.h:353
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2525
in_addr_t remote_netmask
Definition: tun.h:173
const char * tls_crypt_file
Definition: options.h:140
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
static void do_close_tls(struct context *c)
Definition: init.c:3571
const char * genkey_extra_data
Definition: options.h:226
static bool ce_management_query_remote(struct context *c)
Definition: init.c:382
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
char * x509_username_field[2]
Definition: ssl_common.h:301
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define ENABLE_PKCS11
Definition: config-msvc.h:16
const char * route_script
Definition: options.h:356
int management_state_buffer_size
Definition: options.h:382
struct man_def_auth_context * mda_context
Definition: ssl_common.h:368
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
int resolve_retry_seconds
Definition: options.h:297
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
const char * auth_token_secret_file
Definition: options.h:475
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:107
#define D_READ_WRITE
Definition: errlevel.h:165
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
#define in_addr_t
Definition: config-msvc.h:140
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void do_init_frame(struct context *c)
Definition: init.c:3097
const char * config
Definition: options.h:201
int route_delay
Definition: options.h:362
void remove_pid_file(void)
Definition: init.c:4702
#define D_RESTART
Definition: errlevel.h:82
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
#define MAX_PARMS
Definition: options.h:51
const char * port
Definition: proxy.h:46
const char * down_script
Definition: options.h:313
const char * local_port
Definition: options.h:90
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
const char * route_predown_script
Definition: options.h:357
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3868
const char * ekm_label
Definition: ssl_common.h:381
void post_init_signal_catch(void)
Definition: sig.c:255
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
struct frame frame_initial
Definition: openvpn.h:279
bool down_pre
Definition: options.h:315
int keepalive_timeout
Definition: options.h:274
#define OPT_P_SOCKBUF
Definition: options.h:683
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
void * openvpn_net_ctx_t
Definition: networking.h:26
#define SIGTERM
Definition: config-msvc.h:154
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:333
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1471
#define TLS_MODE(c)
Definition: openvpn.h:566
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:587
bool push_peer_info
Definition: options.h:611
#define OPT_P_SETENV
Definition: options.h:663
#define CE_MAN_QUERY_PROXY
Definition: options.h:124
#define SIGHUP
Definition: config-msvc.h:150
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
int renegotiate_seconds_min
Definition: options.h:577
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3796
bool tls_crypt_file_inline
Definition: options.h:141
#define PING_RESTART
Definition: options.h:285
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3047
int handshake_window
Definition: options.h:581
#define ASSERT(x)
Definition: error.h:221
static void do_close_plugins(struct context *c)
Definition: init.c:3905
#define D_SHOW_NET
Definition: errlevel.h:130
static int ifconfig_order(void)
Definition: tun.h:339
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:243
char * basename(char *filename)
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:309
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct remote_host_store * rh_store
Definition: options.h:243
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
int explicit_exit_notification
Definition: options.h:121
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:91
int status_file_update_freq
Definition: options.h:335
int verify_x509_type
Definition: options.h:544
unsigned int unsuccessful_attempts
Definition: options.h:237
void close_management(void)
Definition: init.c:4074
bool platform_unlink(const char *filename)
Definition: platform.c:321
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
bool auth_token_call_auth
Definition: options.h:473
const char * config_ciphername
Definition: ssl_common.h:315
const char * prng_hash
Definition: options.h:509
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1956
int ping_rec_timeout
Definition: options.h:280
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
#define D_LOW
Definition: errlevel.h:98
bool ifconfig_noexec
Definition: options.h:257
bool fast_io
Definition: options.h:338
int key_direction
Definition: options.h:501
int renegotiate_bytes
Definition: ssl_common.h:282
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
static void update_options_ce_post(struct options *options)
Definition: init.c:193
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1576
struct tuntap_options options
Definition: tun.h:164
bool link_mtu_defined
Definition: options.h:112
static struct context * static_context
Definition: init.c:60
char username[USER_PASS_LEN]
Definition: misc.h:67
bool init_static(void)
Definition: init.c:782
void platform_mlockall(bool print_msg)
Definition: platform.c:193
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
struct frame frame_fragment_initial
Definition: openvpn.h:285
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:129
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
#define MODE_SERVER
Definition: options.h:205
bool use_peer_id
Definition: ssl_common.h:586
struct event_timeout ping_send_interval
Definition: openvpn.h:316
bool route_delay_defined
Definition: options.h:364
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
#define CM_CHILD_UDP
Definition: openvpn.h:515
bool tls_exit
Definition: options.h:613
#define MF_SERVER
Defi