OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 static bool do_deferred_p2p_ncp(struct context *c);
72 
73 void
74 context_clear(struct context *c)
75 {
76  CLEAR(*c);
77 }
78 
79 void
80 context_clear_1(struct context *c)
81 {
82  CLEAR(c->c1);
83 }
84 
85 void
86 context_clear_2(struct context *c)
87 {
88  CLEAR(c->c2);
89 }
90 
91 void
92 context_clear_all_except_first_time(struct context *c)
93 {
94  const bool first_time_save = c->first_time;
95  const struct context_persist cpsave = c->persist;
96  context_clear(c);
97  c->first_time = first_time_save;
98  c->persist = cpsave;
99 }
100 
101 /*
102  * Pass tunnel endpoint and MTU parms to a user-supplied script.
103  * Used to execute the up/down script/plugins.
104  */
105 static void
106 run_up_down(const char *command,
107  const struct plugin_list *plugins,
108  int plugin_type,
109  const char *arg,
110 #ifdef _WIN32
111  DWORD adapter_index,
112 #endif
113  const char *dev_type,
114  int tun_mtu,
115  int link_mtu,
116  const char *ifconfig_local,
117  const char *ifconfig_remote,
118  const char *context,
119  const char *signal_text,
120  const char *script_type,
121  struct env_set *es)
122 {
123  struct gc_arena gc = gc_new();
124 
125  if (signal_text)
126  {
127  setenv_str(es, "signal", signal_text);
128  }
129  setenv_str(es, "script_context", context);
130  setenv_int(es, "tun_mtu", tun_mtu);
131  setenv_int(es, "link_mtu", link_mtu);
132  setenv_str(es, "dev", arg);
133  if (dev_type)
134  {
135  setenv_str(es, "dev_type", dev_type);
136  }
137 #ifdef _WIN32
138  setenv_int(es, "dev_idx", adapter_index);
139 #endif
140 
141  if (!ifconfig_local)
142  {
143  ifconfig_local = "";
144  }
145  if (!ifconfig_remote)
146  {
147  ifconfig_remote = "";
148  }
149  if (!context)
150  {
151  context = "";
152  }
153 
154  if (plugin_defined(plugins, plugin_type))
155  {
156  struct argv argv = argv_new();
157  ASSERT(arg);
158  argv_printf(&argv,
159  "%s %d %d %s %s %s",
160  arg,
161  tun_mtu, link_mtu,
162  ifconfig_local, ifconfig_remote,
163  context);
164 
165  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
166  {
167  msg(M_FATAL, "ERROR: up/down plugin call failed");
168  }
169 
170  argv_free(&argv);
171  }
172 
173  if (command)
174  {
175  struct argv argv = argv_new();
176  ASSERT(arg);
177  setenv_str(es, "script_type", script_type);
178  argv_parse_cmd(&argv, command);
179  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
180  ifconfig_local, ifconfig_remote, context);
181  argv_msg(M_INFO, &argv);
182  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
183  argv_free(&argv);
184  }
185 
186  gc_free(&gc);
187 }
188 
189 /*
190  * Should be called after options->ce is modified at the top
191  * of a SIGUSR1 restart.
192  */
193 static void
194 update_options_ce_post(struct options *options)
195 {
196  /*
197  * In pull mode, we usually import --ping/--ping-restart parameters from
198  * the server. However we should also set an initial default --ping-restart
199  * for the period of time before we pull the --ping-restart parameter
200  * from the server.
201  */
202  if (options->pull
203  && options->ping_rec_timeout_action == PING_UNDEF
204  && proto_is_dgram(options->ce.proto))
205  {
206  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
207  options->ping_rec_timeout_action = PING_RESTART;
208  }
209 }
210 
211 #ifdef ENABLE_MANAGEMENT
212 static bool
213 management_callback_proxy_cmd(void *arg, const char **p)
214 {
215  struct context *c = arg;
216  struct connection_entry *ce = &c->options.ce;
217  struct gc_arena *gc = &c->c2.gc;
218  bool ret = false;
219 
220  update_time();
221  if (streq(p[1], "NONE"))
222  {
223  ret = true;
224  }
225  else if (p[2] && p[3])
226  {
227  if (streq(p[1], "HTTP"))
228  {
229  struct http_proxy_options *ho;
230  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
231  {
232  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
233  return false;
234  }
235  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
236  ho->server = string_alloc(p[2], gc);
237  ho->port = string_alloc(p[3], gc);
238  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
239  ret = true;
240  }
241  else if (streq(p[1], "SOCKS"))
242  {
243  ce->socks_proxy_server = string_alloc(p[2], gc);
244  ce->socks_proxy_port = string_alloc(p[3], gc);
245  ret = true;
246  }
247  }
248  else
249  {
250  msg(M_WARN, "Bad proxy command");
251  }
252 
253  ce->flags &= ~CE_MAN_QUERY_PROXY;
254 
255  return ret;
256 }
257 
258 static bool
259 ce_management_query_proxy(struct context *c)
260 {
261  const struct connection_list *l = c->options.connection_list;
262  struct connection_entry *ce = &c->options.ce;
263  struct gc_arena gc;
264  bool ret = true;
265 
266  update_time();
267  if (management)
268  {
269  gc = gc_new();
270  {
271  struct buffer out = alloc_buf_gc(256, &gc);
272  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
273  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
274  management_notify_generic(management, BSTR(&out));
275  management->persist.special_state_msg = BSTR(&out);
276  }
277  ce->flags |= CE_MAN_QUERY_PROXY;
278  while (ce->flags & CE_MAN_QUERY_PROXY)
279  {
280  management_event_loop_n_seconds(management, 1);
281  if (IS_SIG(c))
282  {
283  ret = false;
284  break;
285  }
286  }
287  management->persist.special_state_msg = NULL;
288  gc_free(&gc);
289  }
290 
291  return ret;
292 }
293 
308 static bool
309 management_callback_send_cc_message(void *arg,
310  const char *command,
311  const char *parameters)
312 {
313  struct context *c = (struct context *) arg;
314  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
315  if (len > PUSH_BUNDLE_SIZE)
316  {
317  return false;
318  }
319 
320  struct gc_arena gc = gc_new();
321  struct buffer buf = alloc_buf_gc(len, &gc);
322  ASSERT(buf_printf(&buf, "%s", command));
323  if (parameters)
324  {
325  ASSERT(buf_printf(&buf, ",%s", parameters));
326  }
327  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
328 
329  gc_free(&gc);
330  return status;
331 }
332 
333 static bool
334 management_callback_remote_cmd(void *arg, const char **p)
335 {
336  struct context *c = (struct context *) arg;
337  struct connection_entry *ce = &c->options.ce;
338  int ret = false;
339  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
340  {
341  int flags = 0;
342  if (!strcmp(p[1], "ACCEPT"))
343  {
344  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
345  ret = true;
346  }
347  else if (!strcmp(p[1], "SKIP"))
348  {
349  flags = CE_MAN_QUERY_REMOTE_SKIP;
350  ret = true;
351  }
352  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
353  {
354  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
355  {
356  struct remote_host_store *rhs = c->options.rh_store;
357  if (!rhs)
358  {
359  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
360  c->options.rh_store = rhs;
361  }
362  strncpynt(rhs->host, p[2], RH_HOST_LEN);
363  strncpynt(rhs->port, p[3], RH_PORT_LEN);
364 
365  ce->remote = rhs->host;
366  ce->remote_port = rhs->port;
367  flags = CE_MAN_QUERY_REMOTE_MOD;
368  ret = true;
369  }
370  }
371  if (ret)
372  {
373  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
374  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
375  }
376  }
377  return ret;
378 }
379 
380 static bool
381 ce_management_query_remote(struct context *c)
382 {
383  struct gc_arena gc = gc_new();
384  volatile struct connection_entry *ce = &c->options.ce;
385  int ce_changed = true; /* presume the connection entry will be changed */
386 
387  update_time();
388  if (management)
389  {
390  struct buffer out = alloc_buf_gc(256, &gc);
391 
392  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
393  proto2ascii(ce->proto, ce->af, false));
394  management_notify_generic(management, BSTR(&out));
395  management->persist.special_state_msg = BSTR(&out);
396 
397  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
398  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
399  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
400  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
401  {
402  management_event_loop_n_seconds(management, 1);
403  if (IS_SIG(c))
404  {
405  ce_changed = false; /* connection entry have not been set */
406  break;
407  }
408  }
409  management->persist.special_state_msg = NULL;
410  }
411  gc_free(&gc);
412 
413  if (ce_changed)
414  {
415  /* If it is likely a connection entry was modified,
416  * check what changed in the flags and that it was not skipped
417  */
418  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
419  & CE_MAN_QUERY_REMOTE_MASK);
420  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
421  }
422  return ce_changed;
423 }
424 #endif /* ENABLE_MANAGEMENT */
425 
426 /*
427  * Initialize and possibly randomize connection list.
428  */
429 static void
430 init_connection_list(struct context *c)
431 {
432  struct connection_list *l = c->options.connection_list;
433 
434  l->current = -1;
435  if (c->options.remote_random)
436  {
437  int i;
438  for (i = 0; i < l->len; ++i)
439  {
440  const int j = get_random() % l->len;
441  if (i != j)
442  {
443  struct connection_entry *tmp;
444  tmp = l->array[i];
445  l->array[i] = l->array[j];
446  l->array[j] = tmp;
447  }
448  }
449  }
450 }
451 
452 /*
453  * Clear the remote address list
454  */
455 static void
456 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
457 {
458  if (lsa->remote_list && free)
459  {
460  freeaddrinfo(lsa->remote_list);
461  }
462  lsa->remote_list = NULL;
463  lsa->current_remote = NULL;
464 }
465 
466 /*
467  * Increment to next connection entry
468  */
469 static void
470 next_connection_entry(struct context *c)
471 {
472  struct connection_list *l = c->options.connection_list;
473  bool ce_defined;
474  struct connection_entry *ce;
475  int n_cycles = 0;
476 
477  do
478  {
479  ce_defined = true;
480  if (c->options.no_advance && l->current >= 0)
481  {
482  c->options.no_advance = false;
483  }
484  else
485  {
486  /* Check if there is another resolved address to try for
487  * the current connection */
488  if (c->c1.link_socket_addr.current_remote
489  && c->c1.link_socket_addr.current_remote->ai_next)
490  {
491  c->c1.link_socket_addr.current_remote =
492  c->c1.link_socket_addr.current_remote->ai_next;
493  }
494  else
495  {
496  /* FIXME (schwabe) fix the persist-remote-ip option for real,
497  * this is broken probably ever since connection lists and multiple
498  * remote existed
499  */
500  if (!c->options.persist_remote_ip)
501  {
502  /* Connection entry addrinfo objects might have been
503  * resolved earlier but the entry itself might have been
504  * skipped by management on the previous loop.
505  * If so, clear the addrinfo objects as close_instance does
506  */
507  if (c->c1.link_socket_addr.remote_list)
508  {
509  clear_remote_addrlist(&c->c1.link_socket_addr,
510  !c->options.resolve_in_advance);
511  }
512 
513  /* close_instance should have cleared the addrinfo objects */
514  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
515  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
516  }
517  else
518  {
519  c->c1.link_socket_addr.current_remote =
520  c->c1.link_socket_addr.remote_list;
521  }
522 
523  /*
524  * Increase the number of connection attempts
525  * If this is connect-retry-max * size(l)
526  * OpenVPN will quit
527  */
528 
529  c->options.unsuccessful_attempts++;
530 
531  if (++l->current >= l->len)
532  {
533 
534  l->current = 0;
535  if (++n_cycles >= 2)
536  {
537  msg(M_FATAL, "No usable connection profiles are present");
538  }
539  }
540  }
541  }
542 
543  ce = l->array[l->current];
544 
545  if (ce->flags & CE_DISABLED)
546  {
547  ce_defined = false;
548  }
549 
550  c->options.ce = *ce;
551 #ifdef ENABLE_MANAGEMENT
552  if (ce_defined && management && management_query_remote_enabled(management))
553  {
554  /* allow management interface to override connection entry details */
555  ce_defined = ce_management_query_remote(c);
556  if (IS_SIG(c))
557  {
558  break;
559  }
560  }
561  else if (ce_defined && management && management_query_proxy_enabled(management))
562  {
563  ce_defined = ce_management_query_proxy(c);
564  if (IS_SIG(c))
565  {
566  break;
567  }
568  }
569 #endif
570  } while (!ce_defined);
571 
572  /* Check if this connection attempt would bring us over the limit */
573  if (c->options.connect_retry_max > 0
574  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
575  {
576  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
577  c->options.connect_retry_max);
578  }
579  update_options_ce_post(&c->options);
580 }
581 
582 /*
583  * Query for private key and auth-user-pass username/passwords
584  */
585 void
586 init_query_passwords(const struct context *c)
587 {
588  /* Certificate password input */
589  if (c->options.key_pass_file)
590  {
591  pem_password_setup(c->options.key_pass_file);
592  }
593 
594  /* Auth user/pass input */
595  if (c->options.auth_user_pass_file)
596  {
597 #ifdef ENABLE_MANAGEMENT
598  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
599 #else
600  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
601 #endif
602  }
603 }
604 
605 /*
606  * Initialize/Uninitialize HTTP or SOCKS proxy
607  */
608 
609 static void
610 uninit_proxy_dowork(struct context *c)
611 {
612  if (c->c1.http_proxy_owned && c->c1.http_proxy)
613  {
614  http_proxy_close(c->c1.http_proxy);
615  c->c1.http_proxy = NULL;
616  c->c1.http_proxy_owned = false;
617  }
618  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
619  {
620  socks_proxy_close(c->c1.socks_proxy);
621  c->c1.socks_proxy = NULL;
622  c->c1.socks_proxy_owned = false;
623  }
624 }
625 
626 static void
627 init_proxy_dowork(struct context *c)
628 {
629  bool did_http = false;
630 
631  uninit_proxy_dowork(c);
632 
633  if (c->options.ce.http_proxy_options)
634  {
635  /* Possible HTTP proxy user/pass input */
636  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
637  if (c->c1.http_proxy)
638  {
639  did_http = true;
640  c->c1.http_proxy_owned = true;
641  }
642  }
643 
644  if (!did_http && c->options.ce.socks_proxy_server)
645  {
646  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
647  c->options.ce.socks_proxy_port,
648  c->options.ce.socks_proxy_authfile);
649  if (c->c1.socks_proxy)
650  {
651  c->c1.socks_proxy_owned = true;
652  }
653  }
654 }
655 
656 static void
657 init_proxy(struct context *c)
658 {
659  init_proxy_dowork(c);
660 }
661 
662 static void
663 uninit_proxy(struct context *c)
664 {
665  uninit_proxy_dowork(c);
666 }
667 
668 void
669 context_init_1(struct context *c)
670 {
671  context_clear_1(c);
672 
673  packet_id_persist_init(&c->c1.pid_persist);
674 
675  init_connection_list(c);
676 
677 #if defined(ENABLE_PKCS11)
678  if (c->first_time)
679  {
680  int i;
681  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
682  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
683  {
684  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
685  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
686  }
687  }
688 #endif
689 
690 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
691  {
692  /*
693  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
694  */
695  struct user_pass up;
696  CLEAR(up);
697  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
698  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
699  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
700  * 'needok' command, usually 'ok' or 'cancel'. */
701  }
702 #endif
703 
704 #ifdef ENABLE_SYSTEMD
705  /* We can report the PID via getpid() to systemd here as OpenVPN will not
706  * do any fork due to daemon() a future call.
707  * See possibly_become_daemon() [init.c] for more details.
708  */
709  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
710  (unsigned long) getpid());
711 #endif
712 
713 }
714 
715 void
716 context_gc_free(struct context *c)
717 {
718  gc_free(&c->c2.gc);
719  gc_free(&c->options.gc);
720  gc_free(&c->gc);
721 }
722 
723 #if PORT_SHARE
724 
725 static void
726 close_port_share(void)
727 {
728  if (port_share)
729  {
730  port_share_close(port_share);
731  port_share = NULL;
732  }
733 }
734 
735 static void
736 init_port_share(struct context *c)
737 {
738  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
739  {
740  port_share = port_share_open(c->options.port_share_host,
741  c->options.port_share_port,
742  MAX_RW_SIZE_LINK(&c->c2.frame),
743  c->options.port_share_journal_dir);
744  if (port_share == NULL)
745  {
746  msg(M_FATAL, "Fatal error: Port sharing failed");
747  }
748  }
749 }
750 
751 #endif /* if PORT_SHARE */
752 
753 
754 bool
755 init_static(void)
756 {
757  /* configure_path (); */
758 
759 #if defined(DMALLOC)
760  crypto_init_dmalloc();
761 #endif
762 
763 
764  /*
765  * Initialize random number seed. random() is only used
766  * when "weak" random numbers are acceptable.
767  * SSL library routines are always used when cryptographically
768  * strong random numbers are required.
769  */
770  struct timeval tv;
771  if (!gettimeofday(&tv, NULL))
772  {
773  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
774  srandom(seed);
775  }
776 
777  error_reset(); /* initialize error.c */
778  reset_check_status(); /* initialize status check code in socket.c */
779 
780 #ifdef _WIN32
781  init_win32();
782 #endif
783 
784 #ifdef OPENVPN_DEBUG_COMMAND_LINE
785  {
786  int i;
787  for (i = 0; i < argc; ++i)
788  {
789  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
790  }
791  }
792 #endif
793 
794  update_time();
795 
796  init_ssl_lib();
797 
798  /* init PRNG used for IV generation */
799  /* When forking, copy this to more places in the code to avoid fork
800  * random-state predictability */
801  prng_init(NULL, 0);
802 
803 #ifdef PID_TEST
804  packet_id_interactive_test(); /* test the sequence number code */
805  return false;
806 #endif
807 
808 #ifdef SCHEDULE_TEST
809  schedule_test();
810  return false;
811 #endif
812 
813 #ifdef LIST_TEST
814  list_test();
815  return false;
816 #endif
817 
818 #ifdef IFCONFIG_POOL_TEST
819  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
820  return false;
821 #endif
822 
823 #ifdef CHARACTER_CLASS_DEBUG
824  character_class_debug();
825  return false;
826 #endif
827 
828 #ifdef EXTRACT_X509_FIELD_TEST
829  extract_x509_field_test();
830  return false;
831 #endif
832 
833 #ifdef TIME_TEST
834  time_test();
835  return false;
836 #endif
837 
838 #ifdef TEST_GET_DEFAULT_GATEWAY
839  {
840  struct route_gateway_info rgi;
841  struct route_ipv6_gateway_info rgi6;
842  get_default_gateway(&rgi);
843  get_default_gateway_ipv6(&rgi6, NULL);
844  print_default_gateway(M_INFO, &rgi, &rgi6);
845  return false;
846  }
847 #endif
848 
849 #ifdef GEN_PATH_TEST
850  {
851  struct gc_arena gc = gc_new();
852  const char *fn = gen_path("foo",
853  "bar",
854  &gc);
855  printf("%s\n", fn);
856  gc_free(&gc);
857  }
858  return false;
859 #endif
860 
861 #ifdef STATUS_PRINTF_TEST
862  {
863  struct gc_arena gc = gc_new();
864  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
865  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
866  status_printf(so, "%s", "foo");
867  status_printf(so, "%s", "bar");
868  if (!status_close(so))
869  {
870  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
871  }
872  gc_free(&gc);
873  }
874  return false;
875 #endif
876 
877 #ifdef PRNG_TEST
878  {
879  struct gc_arena gc = gc_new();
880  uint8_t rndbuf[8];
881  int i;
882  prng_init("sha1", 16);
883  /*prng_init (NULL, 0);*/
884  const int factor = 1;
885  for (i = 0; i < factor * 8; ++i)
886  {
887 #if 1
888  prng_bytes(rndbuf, sizeof(rndbuf));
889 #else
890  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
891 #endif
892  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
893  }
894  gc_free(&gc);
895  prng_uninit();
896  return false;
897  }
898 #endif /* ifdef PRNG_TEST */
899 
900 #ifdef BUFFER_LIST_AGGREGATE_TEST
901  /* test buffer_list_aggregate function */
902  {
903  static const char *text[] = {
904  "It was a bright cold day in April, ",
905  "and the clocks were striking ",
906  "thirteen. ",
907  "Winston Smith, ",
908  "his chin nuzzled into his breast in an ",
909  "effort to escape the vile wind, ",
910  "slipped quickly through the glass doors ",
911  "of Victory Mansions, though not quickly ",
912  "enough to prevent a swirl of gritty dust from ",
913  "entering along with him."
914  };
915 
916  int iter, listcap;
917  for (listcap = 0; listcap < 12; ++listcap)
918  {
919  for (iter = 0; iter < 512; ++iter)
920  {
921  struct buffer_list *bl = buffer_list_new(listcap);
922  {
923  int i;
924  for (i = 0; i < SIZE(text); ++i)
925  {
926  buffer_list_push(bl, (unsigned char *)text[i]);
927  }
928  }
929  printf("[cap=%d i=%d] *************************\n", listcap, iter);
930  if (!(iter & 8))
931  {
932  buffer_list_aggregate(bl, iter/2);
933  }
934  if (!(iter & 16))
935  {
936  buffer_list_push(bl, (unsigned char *)"Even more text...");
937  }
938  buffer_list_aggregate(bl, iter);
939  if (!(iter & 1))
940  {
941  buffer_list_push(bl, (unsigned char *)"More text...");
942  }
943  {
944  struct buffer *buf;
945  while ((buf = buffer_list_peek(bl)))
946  {
947  int c;
948  printf("'");
949  while ((c = buf_read_u8(buf)) >= 0)
950  {
951  putchar(c);
952  }
953  printf("'\n");
954  buffer_list_advance(bl, 0);
955  }
956  }
957  buffer_list_free(bl);
958  }
959  }
960  return false;
961  }
962 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
963 
964 #ifdef MSTATS_TEST
965  {
966  int i;
967  mstats_open("/dev/shm/mstats.dat");
968  for (i = 0; i < 30; ++i)
969  {
970  mmap_stats->n_clients += 1;
971  mmap_stats->link_write_bytes += 8;
972  mmap_stats->link_read_bytes += 16;
973  sleep(1);
974  }
975  mstats_close();
976  return false;
977  }
978 #endif
979 
980  return true;
981 }
982 
983 void
984 uninit_static(void)
985 {
986  free_ssl_lib();
987 
988 #ifdef ENABLE_PKCS11
989  pkcs11_terminate();
990 #endif
991 
992 #if PORT_SHARE
993  close_port_share();
994 #endif
995 
996 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
997  show_tls_performance_stats();
998 #endif
999 }
1000 
1001 void
1002 init_verb_mute(struct context *c, unsigned int flags)
1003 {
1004  if (flags & IVM_LEVEL_1)
1005  {
1006  /* set verbosity and mute levels */
1007  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1008  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1009  set_mute_cutoff(c->options.mute);
1010  }
1011 
1012  /* special D_LOG_RW mode */
1013  if (flags & IVM_LEVEL_2)
1014  {
1015  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1016  }
1017 }
1018 
1019 /*
1020  * Possibly set --dev based on --dev-node.
1021  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1022  * set --dev to tun.
1023  */
1024 void
1025 init_options_dev(struct options *options)
1026 {
1027  if (!options->dev && options->dev_node)
1028  {
1029  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1030  options->dev = basename(dev_node);
1031  }
1032 }
1033 
1034 bool
1035 print_openssl_info(const struct options *options)
1036 {
1037  /*
1038  * OpenSSL info print mode?
1039  */
1040  if (options->show_ciphers || options->show_digests || options->show_engines
1041  || options->show_tls_ciphers || options->show_curves)
1042  {
1043  if (options->show_ciphers)
1044  {
1045  show_available_ciphers();
1046  }
1047  if (options->show_digests)
1048  {
1049  show_available_digests();
1050  }
1051  if (options->show_engines)
1052  {
1053  show_available_engines();
1054  }
1055  if (options->show_tls_ciphers)
1056  {
1057  show_available_tls_ciphers(options->cipher_list,
1058  options->cipher_list_tls13,
1059  options->tls_cert_profile);
1060  }
1061  if (options->show_curves)
1062  {
1063  show_available_curves();
1064  }
1065  return true;
1066  }
1067  return false;
1068 }
1069 
1070 /*
1071  * Static pre-shared key generation mode?
1072  */
1073 bool
1074 do_genkey(const struct options *options)
1075 {
1076  /* should we disable paging? */
1077  if (options->mlock && (options->genkey))
1078  {
1079  platform_mlockall(true);
1080  }
1081 
1082  /*
1083  * We do not want user to use --genkey with --secret. In the transistion
1084  * phase we for secret.
1085  */
1086  if (options->genkey && options->genkey_type != GENKEY_SECRET
1087  && options->shared_secret_file)
1088  {
1089  msg(M_USAGE, "Using --genkey type with --secret filename is "
1090  "not supported. Use --genkey type filename instead.");
1091  }
1092  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1093  {
1094  int nbits_written;
1095  const char *genkey_filename = options->genkey_filename;
1096  if (options->shared_secret_file && options->genkey_filename)
1097  {
1098  msg(M_USAGE, "You must provide a filename to either --genkey "
1099  "or --secret, not both");
1100  }
1101 
1102  /*
1103  * Copy filename from shared_secret_file to genkey_filename to support
1104  * the old --genkey --secret foo.file syntax.
1105  */
1106  if (options->shared_secret_file)
1107  {
1108  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1109  "DEPRECATED. Use --genkey secret filename instead.");
1110  genkey_filename = options->shared_secret_file;
1111  }
1112 
1113  nbits_written = write_key_file(2, genkey_filename);
1114  if (nbits_written < 0)
1115  {
1116  msg(M_FATAL, "Failed to write key file");
1117  }
1118 
1119  msg(D_GENKEY | M_NOPREFIX,
1120  "Randomly generated %d bit key written to %s", nbits_written,
1121  options->shared_secret_file);
1122  return true;
1123  }
1124  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1125  {
1126  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1127  return true;
1128  }
1129  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1130  {
1131  if (!options->tls_crypt_v2_file)
1132  {
1133  msg(M_USAGE,
1134  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1135  }
1136 
1137  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1138  options->genkey_extra_data, options->tls_crypt_v2_file,
1139  options->tls_crypt_v2_file_inline);
1140  return true;
1141  }
1142  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1143  {
1144  auth_token_write_server_key_file(options->genkey_filename);
1145  return true;
1146  }
1147  else
1148  {
1149  return false;
1150  }
1151 }
1152 
1153 /*
1154  * Persistent TUN/TAP device management mode?
1155  */
1156 bool
1157 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1158 {
1159  if (options->persist_config)
1160  {
1161  /* sanity check on options for --mktun or --rmtun */
1162  notnull(options->dev, "TUN/TAP device (--dev)");
1163  if (options->ce.remote || options->ifconfig_local
1164  || options->ifconfig_remote_netmask
1165  || options->shared_secret_file
1166  || options->tls_server || options->tls_client
1167  )
1168  {
1169  msg(M_FATAL|M_OPTERR,
1170  "options --mktun or --rmtun should only be used together with --dev");
1171  }
1172 #ifdef ENABLE_FEATURE_TUN_PERSIST
1173  tuncfg(options->dev, options->dev_type, options->dev_node,
1174  options->persist_mode,
1175  options->username, options->groupname, &options->tuntap_options,
1176  ctx);
1177  if (options->persist_mode && options->lladdr)
1178  {
1179  set_lladdr(options->dev, options->lladdr, NULL);
1180  }
1181  return true;
1182 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1183  msg( M_FATAL|M_OPTERR,
1184  "options --mktun and --rmtun are not available on your operating "
1185  "system. Please check 'man tun' (or 'tap'), whether your system "
1186  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1187  "persistent tunnel interfaces.", options->dev );
1188 #endif
1189  }
1190  return false;
1191 }
1192 
1193 /*
1194  * Should we become a daemon?
1195  * Return true if we did it.
1196  */
1197 bool
1198 possibly_become_daemon(const struct options *options)
1199 {
1200  bool ret = false;
1201 
1202 #ifdef ENABLE_SYSTEMD
1203  /* return without forking if we are running from systemd */
1204  if (sd_notify(0, "READY=0") > 0)
1205  {
1206  return ret;
1207  }
1208 #endif
1209 
1210  if (options->daemon)
1211  {
1212  /* Don't chdir immediately, but the end of the init sequence, if needed */
1213 
1214 #if defined(__APPLE__) && defined(__clang__)
1215 #pragma clang diagnostic push
1216 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1217 #endif
1218  if (daemon(1, options->log) < 0)
1219  {
1220  msg(M_ERR, "daemon() failed or unsupported");
1221  }
1222 #if defined(__APPLE__) && defined(__clang__)
1223 #pragma clang diagnostic pop
1224 #endif
1225  restore_signal_state();
1226  if (options->log)
1227  {
1228  set_std_files_to_null(true);
1229  }
1230 
1231  ret = true;
1232  }
1233  return ret;
1234 }
1235 
1236 /*
1237  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1238  */
1239 static void
1240 do_uid_gid_chroot(struct context *c, bool no_delay)
1241 {
1242  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1243  struct context_0 *c0 = c->c0;
1244 
1245  if (c0 && !c0->uid_gid_chroot_set)
1246  {
1247  /* chroot if requested */
1248  if (c->options.chroot_dir)
1249  {
1250  if (no_delay)
1251  {
1252  platform_chroot(c->options.chroot_dir);
1253  }
1254  else if (c->first_time)
1255  {
1256  msg(M_INFO, "NOTE: chroot %s", why_not);
1257  }
1258  }
1259 
1260  /* set user and/or group if we want to setuid/setgid */
1261  if (c0->uid_gid_specified)
1262  {
1263  if (no_delay)
1264  {
1265  platform_group_set(&c0->platform_state_group);
1266  platform_user_set(&c0->platform_state_user);
1267  }
1268  else if (c->first_time)
1269  {
1270  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1271  }
1272  }
1273 
1274 #ifdef ENABLE_MEMSTATS
1275  if (c->first_time && c->options.memstats_fn)
1276  {
1277  mstats_open(c->options.memstats_fn);
1278  }
1279 #endif
1280 
1281 #ifdef ENABLE_SELINUX
1282  /* Apply a SELinux context in order to restrict what OpenVPN can do
1283  * to _only_ what it is supposed to do after initialization is complete
1284  * (basically just network I/O operations). Doing it after chroot
1285  * requires /proc to be mounted in the chroot (which is annoying indeed
1286  * but doing it before requires more complex SELinux policies.
1287  */
1288  if (c->options.selinux_context)
1289  {
1290  if (no_delay)
1291  {
1292  if (-1 == setcon(c->options.selinux_context))
1293  {
1294  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1295  }
1296  else
1297  {
1298  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1299  }
1300  }
1301  else if (c->first_time)
1302  {
1303  msg(M_INFO, "NOTE: setcon %s", why_not);
1304  }
1305  }
1306 #endif
1307 
1308  /* Privileges are going to be dropped by now (if requested), be sure
1309  * to prevent any future privilege dropping attempts from now on.
1310  */
1311  if (no_delay)
1312  {
1313  c0->uid_gid_chroot_set = true;
1314  }
1315  }
1316 }
1317 
1318 /*
1319  * Return common name in a way that is formatted for
1320  * prepending to msg() output.
1321  */
1322 const char *
1323 format_common_name(struct context *c, struct gc_arena *gc)
1324 {
1325  struct buffer out = alloc_buf_gc(256, gc);
1326  if (c->c2.tls_multi)
1327  {
1328  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1329  }
1330  return BSTR(&out);
1331 }
1332 
1333 void
1334 pre_setup(const struct options *options)
1335 {
1336 #ifdef _WIN32
1337  if (options->exit_event_name)
1338  {
1339  win32_signal_open(&win32_signal,
1340  WSO_FORCE_SERVICE,
1341  options->exit_event_name,
1342  options->exit_event_initial_state);
1343  }
1344  else
1345  {
1346  win32_signal_open(&win32_signal,
1347  WSO_FORCE_CONSOLE,
1348  NULL,
1349  false);
1350 
1351  /* put a title on the top window bar */
1352  if (win32_signal.mode == WSO_MODE_CONSOLE)
1353  {
1354  window_title_save(&window_title);
1355  window_title_generate(options->config);
1356  }
1357  }
1358 #endif /* ifdef _WIN32 */
1359 }
1360 
1361 void
1362 reset_coarse_timers(struct context *c)
1363 {
1364  c->c2.coarse_timer_wakeup = 0;
1365 }
1366 
1367 /*
1368  * Initialise the server poll timeout timer
1369  * This timer is used in the http/socks proxy setup so it needs to be setup
1370  * before
1371  */
1372 static void
1373 do_init_server_poll_timeout(struct context *c)
1374 {
1375  update_time();
1376  if (c->options.ce.connect_timeout)
1377  {
1378  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1379  }
1380 }
1381 
1382 /*
1383  * Initialize timers
1384  */
1385 static void
1386 do_init_timers(struct context *c, bool deferred)
1387 {
1388  update_time();
1389  reset_coarse_timers(c);
1390 
1391  /* initialize inactivity timeout */
1392  if (c->options.inactivity_timeout)
1393  {
1394  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1395  }
1396 
1397  /* initialize pings */
1398 
1399  if (c->options.ping_send_timeout)
1400  {
1401  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1402  }
1403 
1404  if (c->options.ping_rec_timeout)
1405  {
1406  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1407  }
1408 
1409  if (!deferred)
1410  {
1411  /* initialize connection establishment timer */
1412  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1413 
1414  /* initialize occ timers */
1415 
1416  if (c->options.occ
1417  && !TLS_MODE(c)
1418  && c->c2.options_string_local && c->c2.options_string_remote)
1419  {
1420  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1421  }
1422 
1423  if (c->options.mtu_test)
1424  {
1425  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1426  }
1427 
1428  /* initialize packet_id persistence timer */
1429  if (c->options.packet_id_file)
1430  {
1431  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1432  }
1433 
1434  /* initialize tmp_int optimization that limits the number of times we call
1435  * tls_multi_process in the main event loop */
1436  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1437  }
1438 }
1439 
1440 /*
1441  * Initialize traffic shaper.
1442  */
1443 static void
1444 do_init_traffic_shaper(struct context *c)
1445 {
1446  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1447  if (c->options.shaper)
1448  {
1449  shaper_init(&c->c2.shaper, c->options.shaper);
1450  shaper_msg(&c->c2.shaper);
1451  }
1452 }
1453 
1454 /*
1455  * Allocate route list structures for IPv4 and IPv6
1456  * (we do this for IPv4 even if no --route option has been seen, as other
1457  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1458  */
1459 static void
1460 do_alloc_route_list(struct context *c)
1461 {
1462  if (!c->c1.route_list)
1463  {
1464  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1465  }
1466  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1467  {
1468  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1469  }
1470 }
1471 
1472 
1473 /*
1474  * Initialize the route list, resolving any DNS names in route
1475  * options and saving routes in the environment.
1476  */
1477 static void
1478 do_init_route_list(const struct options *options,
1479  struct route_list *route_list,
1480  const struct link_socket_info *link_socket_info,
1481  struct env_set *es,
1482  openvpn_net_ctx_t *ctx)
1483 {
1484  const char *gw = NULL;
1485  int dev = dev_type_enum(options->dev, options->dev_type);
1486  int metric = 0;
1487 
1488  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1489  {
1490  gw = options->ifconfig_remote_netmask;
1491  }
1492  if (options->route_default_gateway)
1493  {
1494  gw = options->route_default_gateway;
1495  }
1496  if (options->route_default_metric)
1497  {
1498  metric = options->route_default_metric;
1499  }
1500 
1501  if (init_route_list(route_list,
1502  options->routes,
1503  gw,
1504  metric,
1505  link_socket_current_remote(link_socket_info),
1506  es,
1507  ctx))
1508  {
1509  /* copy routes to environment */
1510  setenv_routes(es, route_list);
1511  }
1512 }
1513 
1514 static void
1515 do_init_route_ipv6_list(const struct options *options,
1516  struct route_ipv6_list *route_ipv6_list,
1517  const struct link_socket_info *link_socket_info,
1518  struct env_set *es,
1519  openvpn_net_ctx_t *ctx)
1520 {
1521  const char *gw = NULL;
1522  int metric = -1; /* no metric set */
1523 
1524  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1525  if (options->route_ipv6_default_gateway)
1526  {
1527  gw = options->route_ipv6_default_gateway;
1528  }
1529 
1530  if (options->route_default_metric)
1531  {
1532  metric = options->route_default_metric;
1533  }
1534 
1535  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1536  */
1537  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1538  {
1539  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1540  int i;
1541 
1542  for (i = 0; opt_list[i]; i++)
1543  {
1544  add_route_ipv6_to_option_list( options->routes_ipv6,
1545  string_alloc(opt_list[i], options->routes_ipv6->gc),
1546  NULL, NULL );
1547  }
1548  }
1549 
1550  if (init_route_ipv6_list(route_ipv6_list,
1551  options->routes_ipv6,
1552  gw,
1553  metric,
1554  link_socket_current_remote_ipv6(link_socket_info),
1555  es,
1556  ctx))
1557  {
1558  /* copy routes to environment */
1559  setenv_routes_ipv6(es, route_ipv6_list);
1560  }
1561 }
1562 
1563 
1564 /*
1565  * Called after all initialization has been completed.
1566  */
1567 void
1568 initialization_sequence_completed(struct context *c, const unsigned int flags)
1569 {
1570  static const char message[] = "Initialization Sequence Completed";
1571 
1572  /* Reset the unsuccessful connection counter on complete initialisation */
1573  c->options.unsuccessful_attempts = 0;
1574 
1575  /* If we delayed UID/GID downgrade or chroot, do it now */
1576  do_uid_gid_chroot(c, true);
1577 
1578 
1579  /*
1580  * In some cases (i.e. when receiving auth-token via
1581  * push-reply) the auth-nocache option configured on the
1582  * client is overridden; for this reason we have to wait
1583  * for the push-reply message before attempting to wipe
1584  * the user/pass entered by the user
1585  */
1586  if (c->options.mode == MODE_POINT_TO_POINT)
1587  {
1588  ssl_clean_user_pass();
1589  }
1590 
1591  /* Test if errors */
1592  if (flags & ISC_ERRORS)
1593  {
1594 #ifdef _WIN32
1595  show_routes(M_INFO|M_NOPREFIX);
1596  show_adapters(M_INFO|M_NOPREFIX);
1597  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1598 #else
1599 #ifdef ENABLE_SYSTEMD
1600  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1601 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1602  msg(M_INFO, "%s With Errors", message);
1603 #endif
1604  }
1605  else
1606  {
1607 #ifdef ENABLE_SYSTEMD
1608  sd_notifyf(0, "STATUS=%s", message);
1609 #endif
1610  msg(M_INFO, "%s", message);
1611  }
1612 
1613  /* Flag that we initialized */
1614  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1615  {
1616  c->options.no_advance = true;
1617  }
1618 
1619 #ifdef _WIN32
1620  fork_register_dns_action(c->c1.tuntap);
1621 #endif
1622 
1623 #ifdef ENABLE_MANAGEMENT
1624  /* Tell management interface that we initialized */
1625  if (management)
1626  {
1627  in_addr_t *tun_local = NULL;
1628  struct in6_addr *tun_local6 = NULL;
1629  struct openvpn_sockaddr local, remote;
1630  struct link_socket_actual *actual;
1631  socklen_t sa_len = sizeof(local);
1632  const char *detail = "SUCCESS";
1633  if (flags & ISC_ERRORS)
1634  {
1635  detail = "ERROR";
1636  }
1637 
1638  CLEAR(local);
1639  actual = &get_link_socket_info(c)->lsa->actual;
1640  remote = actual->dest;
1641  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1642 #if ENABLE_IP_PKTINFO
1643  if (!addr_defined(&local))
1644  {
1645  switch (local.addr.sa.sa_family)
1646  {
1647  case AF_INET:
1648 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1649  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1650 #else
1651  local.addr.in4.sin_addr = actual->pi.in4;
1652 #endif
1653  break;
1654 
1655  case AF_INET6:
1656  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1657  break;
1658  }
1659  }
1660 #endif
1661 
1662  if (c->c1.tuntap)
1663  {
1664  tun_local = &c->c1.tuntap->local;
1665  tun_local6 = &c->c1.tuntap->local_ipv6;
1666  }
1667  management_set_state(management,
1668  OPENVPN_STATE_CONNECTED,
1669  detail,
1670  tun_local,
1671  tun_local6,
1672  &local,
1673  &remote);
1674  if (tun_local)
1675  {
1676  management_post_tunnel_open(management, *tun_local);
1677  }
1678  }
1679 #endif /* ifdef ENABLE_MANAGEMENT */
1680 }
1681 
1682 /*
1683  * Possibly add routes and/or call route-up script
1684  * based on options.
1685  */
1686 void
1687 do_route(const struct options *options,
1688  struct route_list *route_list,
1689  struct route_ipv6_list *route_ipv6_list,
1690  const struct tuntap *tt,
1691  const struct plugin_list *plugins,
1692  struct env_set *es,
1693  openvpn_net_ctx_t *ctx)
1694 {
1695  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1696  {
1697  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1698  es, ctx);
1699  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1700  }
1701 #ifdef ENABLE_MANAGEMENT
1702  if (management)
1703  {
1704  management_up_down(management, "UP", es);
1705  }
1706 #endif
1707 
1708  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1709  {
1710  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1711  {
1712  msg(M_WARN, "WARNING: route-up plugin call failed");
1713  }
1714  }
1715 
1716  if (options->route_script)
1717  {
1718  struct argv argv = argv_new();
1719  setenv_str(es, "script_type", "route-up");
1720  argv_parse_cmd(&argv, options->route_script);
1721  openvpn_run_script(&argv, es, 0, "--route-up");
1722  argv_free(&argv);
1723  }
1724 
1725 #ifdef _WIN32
1726  if (options->show_net_up)
1727  {
1728  show_routes(M_INFO|M_NOPREFIX);
1729  show_adapters(M_INFO|M_NOPREFIX);
1730  }
1731  else if (check_debug_level(D_SHOW_NET))
1732  {
1733  show_routes(D_SHOW_NET|M_NOPREFIX);
1734  show_adapters(D_SHOW_NET|M_NOPREFIX);
1735  }
1736 #endif
1737 }
1738 
1739 /*
1740  * initialize tun/tap device object
1741  */
1742 static void
1743 do_init_tun(struct context *c)
1744 {
1745  c->c1.tuntap = init_tun(c->options.dev,
1746  c->options.dev_type,
1747  c->options.topology,
1748  c->options.ifconfig_local,
1749  c->options.ifconfig_remote_netmask,
1750  c->options.ifconfig_ipv6_local,
1751  c->options.ifconfig_ipv6_netbits,
1752  c->options.ifconfig_ipv6_remote,
1753  c->c1.link_socket_addr.bind_local,
1754  c->c1.link_socket_addr.remote_list,
1755  !c->options.ifconfig_nowarn,
1756  c->c2.es,
1757  &c->net_ctx);
1758 
1759 #ifdef _WIN32
1760  c->c1.tuntap->windows_driver = c->options.windows_driver;
1761 #endif
1762 
1763  init_tun_post(c->c1.tuntap,
1764  &c->c2.frame,
1765  &c->options.tuntap_options);
1766 
1767  c->c1.tuntap_owned = true;
1768 }
1769 
1770 /*
1771  * Open tun/tap device, ifconfig, call up script, etc.
1772  */
1773 
1774 static bool
1775 do_open_tun(struct context *c)
1776 {
1777  struct gc_arena gc = gc_new();
1778  bool ret = false;
1779 
1780 #ifndef TARGET_ANDROID
1781  if (!c->c1.tuntap)
1782  {
1783 #endif
1784 
1785 #ifdef TARGET_ANDROID
1786  /* If we emulate persist-tun on android we still have to open a new tun and
1787  * then close the old */
1788  int oldtunfd = -1;
1789  if (c->c1.tuntap)
1790  {
1791  oldtunfd = c->c1.tuntap->fd;
1792  free(c->c1.tuntap);
1793  c->c1.tuntap = NULL;
1794  c->c1.tuntap_owned = false;
1795  }
1796 #endif
1797 
1798  /* initialize (but do not open) tun/tap object */
1799  do_init_tun(c);
1800 
1801 #ifdef _WIN32
1802  /* store (hide) interactive service handle in tuntap_options */
1803  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1804  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1805 #endif
1806 
1807  /* allocate route list structure */
1808  do_alloc_route_list(c);
1809 
1810  /* parse and resolve the route option list */
1811  ASSERT(c->c2.link_socket);
1812  if (c->options.routes && c->c1.route_list)
1813  {
1814  do_init_route_list(&c->options, c->c1.route_list,
1815  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1816  }
1817  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1818  {
1819  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1820  &c->c2.link_socket->info, c->c2.es,
1821  &c->net_ctx);
1822  }
1823 
1824  /* do ifconfig */
1825  if (!c->options.ifconfig_noexec
1826  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1827  {
1828  /* guess actual tun/tap unit number that will be returned
1829  * by open_tun */
1830  const char *guess = guess_tuntap_dev(c->options.dev,
1831  c->options.dev_type,
1832  c->options.dev_node,
1833  &gc);
1834  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1835  &c->net_ctx);
1836  }
1837 
1838  /* possibly add routes */
1839  if (route_order() == ROUTE_BEFORE_TUN)
1840  {
1841  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1842  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1843  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1844  }
1845 #ifdef TARGET_ANDROID
1846  /* Store the old fd inside the fd so open_tun can use it */
1847  c->c1.tuntap->fd = oldtunfd;
1848 #endif
1849  /* open the tun device */
1850  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1851  c->c1.tuntap);
1852 
1853  /* set the hardware address */
1854  if (c->options.lladdr)
1855  {
1856  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1857  }
1858 
1859  /* do ifconfig */
1860  if (!c->options.ifconfig_noexec
1861  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1862  {
1863  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1864  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1865  }
1866 
1867  /* run the up script */
1868  run_up_down(c->options.up_script,
1869  c->plugins,
1870  OPENVPN_PLUGIN_UP,
1871  c->c1.tuntap->actual_name,
1872 #ifdef _WIN32
1873  c->c1.tuntap->adapter_index,
1874 #endif
1875  dev_type_string(c->options.dev, c->options.dev_type),
1876  TUN_MTU_SIZE(&c->c2.frame),
1877  EXPANDED_SIZE(&c->c2.frame),
1878  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1879  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1880  "init",
1881  NULL,
1882  "up",
1883  c->c2.es);
1884 
1885 #if defined(_WIN32)
1886  if (c->options.block_outside_dns)
1887  {
1888  dmsg(D_LOW, "Blocking outside DNS");
1889  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1890  {
1891  msg(M_FATAL, "Blocking DNS failed!");
1892  }
1893  }
1894 #endif
1895 
1896  /* possibly add routes */
1897  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1898  {
1899  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1900  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1901  }
1902 
1903  /*
1904  * Did tun/tap driver give us an MTU?
1905  */
1906  if (c->c1.tuntap->post_open_mtu)
1907  {
1908  frame_set_mtu_dynamic(&c->c2.frame,
1909  c->c1.tuntap->post_open_mtu,
1910  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1911  }
1912 
1913  ret = true;
1914  static_context = c;
1915 #ifndef TARGET_ANDROID
1916 }
1917 else
1918 {
1919  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1920  c->c1.tuntap->actual_name);
1921 
1922  /* explicitly set the ifconfig_* env vars */
1923  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1924 
1925  /* run the up script if user specified --up-restart */
1926  if (c->options.up_restart)
1927  {
1928  run_up_down(c->options.up_script,
1929  c->plugins,
1930  OPENVPN_PLUGIN_UP,
1931  c->c1.tuntap->actual_name,
1932 #ifdef _WIN32
1933  c->c1.tuntap->adapter_index,
1934 #endif
1935  dev_type_string(c->options.dev, c->options.dev_type),
1936  TUN_MTU_SIZE(&c->c2.frame),
1937  EXPANDED_SIZE(&c->c2.frame),
1938  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1939  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1940  "restart",
1941  NULL,
1942  "up",
1943  c->c2.es);
1944  }
1945 #if defined(_WIN32)
1946  if (c->options.block_outside_dns)
1947  {
1948  dmsg(D_LOW, "Blocking outside DNS");
1949  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1950  {
1951  msg(M_FATAL, "Blocking DNS failed!");
1952  }
1953  }
1954 #endif
1955 
1956 }
1957 #endif /* ifndef TARGET_ANDROID */
1958  gc_free(&gc);
1959  return ret;
1960 }
1961 
1962 /*
1963  * Close TUN/TAP device
1964  */
1965 
1966 static void
1967 do_close_tun_simple(struct context *c)
1968 {
1969  msg(D_CLOSE, "Closing TUN/TAP interface");
1970  if (c->c1.tuntap)
1971  {
1972  close_tun(c->c1.tuntap, &c->net_ctx);
1973  c->c1.tuntap = NULL;
1974  }
1975  c->c1.tuntap_owned = false;
1976  CLEAR(c->c1.pulled_options_digest_save);
1977 }
1978 
1979 static void
1980 do_close_tun(struct context *c, bool force)
1981 {
1982  struct gc_arena gc = gc_new();
1983  if (c->c1.tuntap && c->c1.tuntap_owned)
1984  {
1985  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1986 #ifdef _WIN32
1987  DWORD adapter_index = c->c1.tuntap->adapter_index;
1988 #endif
1989  const in_addr_t local = c->c1.tuntap->local;
1990  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1991 
1992  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1993  {
1994  static_context = NULL;
1995 
1996 #ifdef ENABLE_MANAGEMENT
1997  /* tell management layer we are about to close the TUN/TAP device */
1998  if (management)
1999  {
2000  management_pre_tunnel_close(management);
2001  management_up_down(management, "DOWN", c->c2.es);
2002  }
2003 #endif
2004 
2005  /* delete any routes we added */
2006  if (c->c1.route_list || c->c1.route_ipv6_list)
2007  {
2008  run_up_down(c->options.route_predown_script,
2009  c->plugins,
2010  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2011  tuntap_actual,
2012 #ifdef _WIN32
2013  adapter_index,
2014 #endif
2015  NULL,
2016  TUN_MTU_SIZE(&c->c2.frame),
2017  EXPANDED_SIZE(&c->c2.frame),
2018  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2019  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2020  "init",
2021  signal_description(c->sig->signal_received,
2022  c->sig->signal_text),
2023  "route-pre-down",
2024  c->c2.es);
2025 
2026  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2027  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2028  c->c2.es, &c->net_ctx);
2029  }
2030 
2031  /* actually close tun/tap device based on --down-pre flag */
2032  if (!c->options.down_pre)
2033  {
2034  do_close_tun_simple(c);
2035  }
2036 
2037  /* Run the down script -- note that it will run at reduced
2038  * privilege if, for example, "--user nobody" was used. */
2039  run_up_down(c->options.down_script,
2040  c->plugins,
2041  OPENVPN_PLUGIN_DOWN,
2042  tuntap_actual,
2043 #ifdef _WIN32
2044  adapter_index,
2045 #endif
2046  NULL,
2047  TUN_MTU_SIZE(&c->c2.frame),
2048  EXPANDED_SIZE(&c->c2.frame),
2049  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2050  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2051  "init",
2052  signal_description(c->sig->signal_received,
2053  c->sig->signal_text),
2054  "down",
2055  c->c2.es);
2056 
2057 #if defined(_WIN32)
2058  if (c->options.block_outside_dns)
2059  {
2060  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2061  {
2062  msg(M_FATAL, "Uninitialising WFP failed!");
2063  }
2064  }
2065 #endif
2066 
2067  /* actually close tun/tap device based on --down-pre flag */
2068  if (c->options.down_pre)
2069  {
2070  do_close_tun_simple(c);
2071  }
2072  }
2073  else
2074  {
2075  /* run the down script on this restart if --up-restart was specified */
2076  if (c->options.up_restart)
2077  {
2078  run_up_down(c->options.down_script,
2079  c->plugins,
2080  OPENVPN_PLUGIN_DOWN,
2081  tuntap_actual,
2082 #ifdef _WIN32
2083  adapter_index,
2084 #endif
2085  NULL,
2086  TUN_MTU_SIZE(&c->c2.frame),
2087  EXPANDED_SIZE(&c->c2.frame),
2088  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2089  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2090  "restart",
2091  signal_description(c->sig->signal_received,
2092  c->sig->signal_text),
2093  "down",
2094  c->c2.es);
2095  }
2096 
2097 #if defined(_WIN32)
2098  if (c->options.block_outside_dns)
2099  {
2100  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2101  {
2102  msg(M_FATAL, "Uninitialising WFP failed!");
2103  }
2104  }
2105 #endif
2106 
2107  }
2108  }
2109  gc_free(&gc);
2110 }
2111 
2112 void
2113 tun_abort(void)
2114 {
2115  struct context *c = static_context;
2116  if (c)
2117  {
2118  static_context = NULL;
2119  do_close_tun(c, true);
2120  }
2121 }
2122 
2123 /*
2124  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2125  */
2126 
2131 static bool
2132 options_hash_changed_or_zero(const struct sha256_digest *a,
2133  const struct sha256_digest *b)
2134 {
2135  const struct sha256_digest zero = {{0}};
2136  return memcmp(a, b, sizeof(struct sha256_digest))
2137  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2138 }
2139 
2140 bool
2141 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2142 {
2143  if (!c->c2.do_up_ran)
2144  {
2145  reset_coarse_timers(c);
2146 
2147  if (pulled_options)
2148  {
2149  if (!do_deferred_options(c, option_types_found))
2150  {
2151  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2152  return false;
2153  }
2154  }
2155  else if (c->mode == MODE_POINT_TO_POINT)
2156  {
2157  if (!do_deferred_p2p_ncp(c))
2158  {
2159  msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2160  return false;
2161  }
2162  }
2163 
2164  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2165  if (c->options.up_delay || PULL_DEFINED(&c->options))
2166  {
2167  c->c2.did_open_tun = do_open_tun(c);
2168  update_time();
2169 
2170  /*
2171  * Was tun interface object persisted from previous restart iteration,
2172  * and if so did pulled options string change from previous iteration?
2173  */
2174  if (!c->c2.did_open_tun
2175  && PULL_DEFINED(&c->options)
2176  && c->c1.tuntap
2177  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2178  &c->c2.pulled_options_digest))
2179  {
2180  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2181  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2182  do_close_tun(c, true);
2183  management_sleep(1);
2184  c->c2.did_open_tun = do_open_tun(c);
2185  update_time();
2186  }
2187  }
2188 
2189  if (c->c2.did_open_tun)
2190  {
2191  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2192 
2193  /* if --route-delay was specified, start timer */
2194  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2195  {
2196  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2197  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2198  if (c->c1.tuntap)
2199  {
2200  tun_standby_init(c->c1.tuntap);
2201  }
2202  }
2203  else
2204  {
2205  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2206  }
2207  }
2208  else if (c->options.mode == MODE_POINT_TO_POINT)
2209  {
2210  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2211  }
2212 
2213  c->c2.do_up_ran = true;
2214  if (c->c2.tls_multi)
2215  {
2216  c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2217  }
2218  }
2219  return true;
2220 }
2221 
2222 /*
2223  * These are the option categories which will be accepted by pull.
2224  */
2225 unsigned int
2226 pull_permission_mask(const struct context *c)
2227 {
2228  unsigned int flags =
2229  OPT_P_UP
2230  | OPT_P_ROUTE_EXTRAS
2231  | OPT_P_SOCKBUF
2232  | OPT_P_SOCKFLAGS
2233  | OPT_P_SETENV
2234  | OPT_P_SHAPER
2235  | OPT_P_TIMER
2236  | OPT_P_COMP
2237  | OPT_P_PERSIST
2238  | OPT_P_MESSAGES
2239  | OPT_P_EXPLICIT_NOTIFY
2240  | OPT_P_ECHO
2241  | OPT_P_PULL_MODE
2242  | OPT_P_PEER_ID
2243  | OPT_P_NCP;
2244 
2245  if (!c->options.route_nopull)
2246  {
2247  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2248  }
2249 
2250  return flags;
2251 }
2252 
2253 static
2254 void adjust_mtu_peerid(struct context *c)
2255 {
2256  frame_add_to_extra_frame(&c->c2.frame, 3); /* peer-id overhead */
2257  if (!c->options.ce.link_mtu_defined)
2258  {
2259  frame_add_to_link_mtu(&c->c2.frame, 3);
2260  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2261  EXPANDED_SIZE(&c->c2.frame));
2262  }
2263  else
2264  {
2265  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2266  " fixed by config - reducing tun-mtu to %d, expect"
2267  " MTU problems", TUN_MTU_SIZE(&c->c2.frame));
2268  }
2269 }
2270 
2271 static bool
2272 do_deferred_p2p_ncp(struct context *c)
2273 {
2274  if (!c->c2.tls_multi)
2275  {
2276  return true;
2277  }
2278 
2279  if (c->c2.tls_multi->use_peer_id)
2280  {
2281  adjust_mtu_peerid(c);
2282  }
2283 
2284  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2285 
2286  const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2287  &c->options.gc);
2288 
2289  if (ncp_cipher)
2290  {
2291  c->options.ciphername = ncp_cipher;
2292  }
2293  else if (!c->options.enable_ncp_fallback)
2294  {
2295  msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
2296  "--data-ciphers-fallback not enabled. No usable "
2297  "data channel cipher");
2298  return false;
2299  }
2300 
2301  struct frame *frame_fragment = NULL;
2302 #ifdef ENABLE_FRAGMENT
2303  if (c->options.ce.fragment)
2304  {
2305  frame_fragment = &c->c2.frame_fragment;
2306  }
2307 #endif
2308 
2309  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2310  frame_fragment))
2311  {
2312  msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2313  return false;
2314  }
2315  return true;
2316 }
2317 
2318 /*
2319  * Handle non-tun-related pulled options.
2320  */
2321 bool
2322 do_deferred_options(struct context *c, const unsigned int found)
2323 {
2324  if (found & OPT_P_MESSAGES)
2325  {
2326  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2327  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2328  }
2329  if (found & OPT_P_TIMER)
2330  {
2331  do_init_timers(c, true);
2332  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2333  }
2334 
2335  if (found & OPT_P_EXPLICIT_NOTIFY)
2336  {
2337  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2338  {
2339  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2340  c->options.ce.explicit_exit_notification = 0;
2341  }
2342  else
2343  {
2344  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2345  }
2346  }
2347 
2348 #ifdef USE_COMP
2349  if (found & OPT_P_COMP)
2350  {
2351  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2352  comp_uninit(c->c2.comp_context);
2353  c->c2.comp_context = comp_init(&c->options.comp);
2354  }
2355 #endif
2356 
2357  if (found & OPT_P_SHAPER)
2358  {
2359  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2360  do_init_traffic_shaper(c);
2361  }
2362 
2363  if (found & OPT_P_SOCKBUF)
2364  {
2365  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2366  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2367  }
2368 
2369  if (found & OPT_P_SOCKFLAGS)
2370  {
2371  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2372  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2373  }
2374 
2375  if (found & OPT_P_PERSIST)
2376  {
2377  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2378  }
2379  if (found & OPT_P_UP)
2380  {
2381  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2382  }
2383  if (found & OPT_P_ROUTE)
2384  {
2385  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2386  }
2387  if (found & OPT_P_ROUTE_EXTRAS)
2388  {
2389  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2390  }
2391  if (found & OPT_P_IPWIN32)
2392  {
2393  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2394  }
2395  if (found & OPT_P_SETENV)
2396  {
2397  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2398  }
2399 
2400  if (found & OPT_P_PEER_ID)
2401  {
2402  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2403  c->c2.tls_multi->use_peer_id = true;
2404  c->c2.tls_multi->peer_id = c->options.peer_id;
2405  adjust_mtu_peerid(c);
2406  }
2407 
2408  /* process (potentially pushed) crypto options */
2409  if (c->options.pull)
2410  {
2411  if (!check_pull_client_ncp(c, found))
2412  {
2413  return false;
2414  }
2415  struct frame *frame_fragment = NULL;
2416 #ifdef ENABLE_FRAGMENT
2417  if (c->options.ce.fragment)
2418  {
2419  frame_fragment = &c->c2.frame_fragment;
2420  }
2421 #endif
2422 
2423  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2424  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2425  frame_fragment))
2426  {
2427  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2428  return false;
2429  }
2430  }
2431 
2432  return true;
2433 }
2434 
2435 /*
2436  * Possible hold on initialization, holdtime is the
2437  * time OpenVPN would wait without management
2438  */
2439 static bool
2440 do_hold(int holdtime)
2441 {
2442 #ifdef ENABLE_MANAGEMENT
2443  if (management)
2444  {
2445  /* block until management hold is released */
2446  if (management_hold(management, holdtime))
2447  {
2448  return true;
2449  }
2450  }
2451 #endif
2452  return false;
2453 }
2454 
2455 /*
2456  * Sleep before restart.
2457  */
2458 static void
2459 socket_restart_pause(struct context *c)
2460 {
2461  int sec = 2;
2462  int backoff = 0;
2463 
2464  switch (c->options.ce.proto)
2465  {
2466  case PROTO_TCP_SERVER:
2467  sec = 1;
2468  break;
2469 
2470  case PROTO_UDP:
2471  case PROTO_TCP_CLIENT:
2472  sec = c->options.ce.connect_retry_seconds;
2473  break;
2474  }
2475 
2476 #ifdef ENABLE_DEBUG
2477  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2478  {
2479  sec = 0;
2480  }
2481 #endif
2482 
2483  if (auth_retry_get() == AR_NOINTERACT)
2484  {
2485  sec = 10;
2486  }
2487 
2488  /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2489  if (c->options.ce.proto == PROTO_TCP_CLIENT
2490  || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
2491  {
2492  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2493  if (backoff > 0)
2494  {
2495  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2496  sec = max_int(sec, 1) << min_int(backoff, 15);
2497  }
2498 
2499  if (sec > c->options.ce.connect_retry_seconds_max)
2500  {
2501  sec = c->options.ce.connect_retry_seconds_max;
2502  }
2503  }
2504 
2505  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2506  {
2507  sec = c->persist.restart_sleep_seconds;
2508  }
2509  else if (c->persist.restart_sleep_seconds == -1)
2510  {
2511  sec = 0;
2512  }
2513  c->persist.restart_sleep_seconds = 0;
2514 
2515  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2516  if (do_hold(sec))
2517  {
2518  sec = 0;
2519  }
2520 
2521  if (sec)
2522  {
2523  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2524  management_sleep(sec);
2525  }
2526 }
2527 
2528 /*
2529  * Do a possible pause on context_2 initialization.
2530  */
2531 static void
2532 do_startup_pause(struct context *c)
2533 {
2534  if (!c->first_time)
2535  {
2536  socket_restart_pause(c);
2537  }
2538  else
2539  {
2540  do_hold(0); /* do management hold on first context initialization */
2541  }
2542 }
2543 
2544 /*
2545  * Finalize MTU parameters based on command line or config file options.
2546  */
2547 static void
2548 frame_finalize_options(struct context *c, const struct options *o)
2549 {
2550  if (!o)
2551  {
2552  o = &c->options;
2553  }
2554 
2555  /*
2556  * Set adjustment factor for buffer alignment when no
2557  * cipher is used.
2558  */
2559  if (!CIPHER_ENABLED(c))
2560  {
2561  frame_align_to_extra_frame(&c->c2.frame);
2562  frame_or_align_flags(&c->c2.frame,
2563  FRAME_HEADROOM_MARKER_FRAGMENT
2564  |FRAME_HEADROOM_MARKER_READ_LINK
2565  |FRAME_HEADROOM_MARKER_READ_STREAM);
2566  }
2567 
2568  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2569  frame_finalize(&c->c2.frame,
2570  o->ce.link_mtu_defined,
2571  o->ce.link_mtu,
2572  o->ce.tun_mtu_defined,
2573  o->ce.tun_mtu);
2574 }
2575 
2576 /*
2577  * Free a key schedule, including OpenSSL components.
2578  */
2579 static void
2580 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2581 {
2582  free_key_ctx_bi(&ks->static_key);
2583  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2584  {
2585  tls_ctx_free(&ks->ssl_ctx);
2586  free_key_ctx(&ks->auth_token_key);
2587  }
2588  CLEAR(*ks);
2589 }
2590 
2591 static void
2592 init_crypto_pre(struct context *c, const unsigned int flags)
2593 {
2594  if (c->options.engine)
2595  {
2596  crypto_init_lib_engine(c->options.engine);
2597  }
2598 
2599  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2600  {
2601  /* load a persisted packet-id for cross-session replay-protection */
2602  if (c->options.packet_id_file)
2603  {
2604  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2605  }
2606  }
2607 
2608 #ifdef ENABLE_PREDICTION_RESISTANCE
2609  if (c->options.use_prediction_resistance)
2610  {
2611  rand_ctx_enable_prediction_resistance();
2612  }
2613 #endif
2614 }
2615 
2616 /*
2617  * Static Key Mode (using a pre-shared key)
2618  */
2619 static void
2620 do_init_crypto_static(struct context *c, const unsigned int flags)
2621 {
2622  const struct options *options = &c->options;
2623  ASSERT(options->shared_secret_file);
2624 
2625  init_crypto_pre(c, flags);
2626 
2627  /* Initialize flags */
2628  if (c->options.mute_replay_warnings)
2629  {
2630  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2631  }
2632 
2633  /* Initialize packet ID tracking */
2634  if (options->replay)
2635  {
2636  packet_id_init(&c->c2.crypto_options.packet_id,
2637  options->replay_window,
2638  options->replay_time,
2639  "STATIC", 0);
2640  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2641  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2642  packet_id_persist_load_obj(&c->c1.pid_persist,
2643  &c->c2.crypto_options.packet_id);
2644  }
2645 
2646  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2647  {
2648  /* Get cipher & hash algorithms */
2649  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2650  options->test_crypto, true);
2651 
2652  /* Read cipher and hmac keys from shared secret file */
2653  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2654  options->shared_secret_file,
2655  options->shared_secret_file_inline,
2656  options->key_direction, "Static Key Encryption",
2657  "secret");
2658  }
2659  else
2660  {
2661  msg(M_INFO, "Re-using pre-shared static key");
2662  }
2663 
2664  /* Get key schedule */
2665  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2666 
2667  /* Compute MTU parameters */
2668  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2669  options->replay, true);
2670 
2671  /* Sanity check on sequence number, and cipher mode options */
2672  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2673 }
2674 
2675 /*
2676  * Initialize the tls-auth/crypt key context
2677  */
2678 static void
2679 do_init_tls_wrap_key(struct context *c)
2680 {
2681  const struct options *options = &c->options;
2682 
2683  /* TLS handshake authentication (--tls-auth) */
2684  if (options->ce.tls_auth_file)
2685  {
2686  /* Initialize key_type for tls-auth with auth only */
2687  CLEAR(c->c1.ks.tls_auth_key_type);
2688  if (!streq(options->authname, "none"))
2689  {
2690  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2691  c->c1.ks.tls_auth_key_type.hmac_length =
2692  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2693  }
2694  else
2695  {
2696  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2697  "algorithm specified ('%s')", options->authname);
2698  }
2699 
2700  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2701  &c->c1.ks.tls_wrap_key,
2702  options->ce.tls_auth_file,
2703  options->ce.tls_auth_file_inline,
2704  options->ce.key_direction,
2705  "Control Channel Authentication", "tls-auth");
2706  }
2707 
2708  /* TLS handshake encryption+authentication (--tls-crypt) */
2709  if (options->ce.tls_crypt_file)
2710  {
2711  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2712  options->ce.tls_crypt_file,
2713  options->ce.tls_crypt_file_inline,
2714  options->tls_server);
2715  }
2716 
2717  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2718  if (options->ce.tls_crypt_v2_file)
2719  {
2720  if (options->tls_server)
2721  {
2722  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2723  true, options->ce.tls_crypt_v2_file,
2724  options->ce.tls_crypt_v2_file_inline);
2725  }
2726  else
2727  {
2728  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2729  &c->c1.ks.tls_crypt_v2_wkc,
2730  options->ce.tls_crypt_v2_file,
2731  options->ce.tls_crypt_v2_file_inline);
2732  }
2733  }
2734 
2735 
2736 }
2737 
2738 /*
2739  * Initialize the persistent component of OpenVPN's TLS mode,
2740  * which is preserved across SIGUSR1 resets.
2741  */
2742 static void
2743 do_init_crypto_tls_c1(struct context *c)
2744 {
2745  const struct options *options = &c->options;
2746 
2747  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2748  {
2749  /*
2750  * Initialize the OpenSSL library's global
2751  * SSL context.
2752  */
2753  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2754  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2755  {
2756  switch (auth_retry_get())
2757  {
2758  case AR_NONE:
2759  msg(M_FATAL, "Error: private key password verification failed");
2760  break;
2761 
2762  case AR_INTERACT:
2763  ssl_purge_auth(false);
2764 
2765  case AR_NOINTERACT:
2766  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2767  break;
2768 
2769  default:
2770  ASSERT(0);
2771  }
2772  c->sig->signal_text = "private-key-password-failure";
2773  return;
2774  }
2775 
2776  /*
2777  * BF-CBC is allowed to be used only when explicitly configured
2778  * as NCP-fallback or when NCP has been disabled or explicitly
2779  * allowed in the in ncp_ciphers list.
2780  * In all other cases do not attempt to initialize BF-CBC as it
2781  * may not even be supported by the underlying SSL library.
2782  *
2783  * Therefore, the key structure has to be initialized when:
2784  * - any non-BF-CBC cipher was selected; or
2785  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2786  * (BF-CBC will be the fallback).
2787  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2788  * If the negotiated cipher and options->ciphername are the
2789  * same we do not reinit the cipher
2790  *
2791  * Note that BF-CBC will still be part of the OCC string to retain
2792  * backwards compatibility with older clients.
2793  */
2794  if (!streq(options->ciphername, "BF-CBC")
2795  || tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
2796  || options->enable_ncp_fallback)
2797  {
2798  /* Do not warn if the if the cipher is used only in OCC */
2799  bool warn = options->enable_ncp_fallback;
2800  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2801  true, warn);
2802  }
2803  /* Initialize PRNG with config-specified digest */
2804  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2805 
2806  /* initialize tls-auth/crypt/crypt-v2 key */
2807  do_init_tls_wrap_key(c);
2808 
2809  /* initialise auth-token crypto support */
2810  if (c->options.auth_token_generate)
2811  {
2812  auth_token_init_secret(&c->c1.ks.auth_token_key,
2813  c->options.auth_token_secret_file,
2814  c->options.auth_token_secret_file_inline);
2815  }
2816 
2817 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2818  if (options->priv_key_file_inline)
2819  {
2820  string_clear(c->options.priv_key_file_inline);
2821  c->options.priv_key_file_inline = NULL;
2822  }
2823 #endif
2824  }
2825  else
2826  {
2827  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2828 
2829  /*
2830  * tls-auth/crypt key can be configured per connection block, therefore
2831  * we must reload it as it may have changed
2832  */
2833  do_init_tls_wrap_key(c);
2834  }
2835 }
2836 
2837 static void
2838 do_init_crypto_tls(struct context *c, const unsigned int flags)
2839 {
2840  const struct options *options = &c->options;
2841  struct tls_options to;
2842  bool packet_id_long_form;
2843 
2844  ASSERT(options->tls_server || options->tls_client);
2845  ASSERT(!options->test_crypto);
2846 
2847  init_crypto_pre(c, flags);
2848 
2849  /* Make sure we are either a TLS client or server but not both */
2850  ASSERT(options->tls_server == !options->tls_client);
2851 
2852  /* initialize persistent component */
2853  do_init_crypto_tls_c1(c);
2854  if (IS_SIG(c))
2855  {
2856  return;
2857  }
2858 
2859  /* Sanity check on sequence number, and cipher mode options */
2860  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2861 
2862  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2863  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2864 
2865  /* Compute MTU parameters (postpone if we push/pull options) */
2866  if (c->options.pull || c->options.mode == MODE_SERVER)
2867  {
2868  /* Account for worst-case crypto overhead before allocating buffers */
2869  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2870  }
2871  else
2872  {
2873  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2874  options->replay, packet_id_long_form);
2875  }
2876  tls_adjust_frame_parameters(&c->c2.frame);
2877 
2878  /* Set all command-line TLS-related options */
2879  CLEAR(to);
2880 
2881  if (options->mute_replay_warnings)
2882  {
2883  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2884  }
2885 
2886  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2887  if (packet_id_long_form)
2888  {
2889  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2890  }
2891 
2892  to.ssl_ctx = c->c1.ks.ssl_ctx;
2893  to.key_type = c->c1.ks.key_type;
2894  to.server = options->tls_server;
2895  to.replay = options->replay;
2896  to.replay_window = options->replay_window;
2897  to.replay_time = options->replay_time;
2898  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2899  to.config_ciphername = c->options.ciphername;
2900  to.config_ncp_ciphers = c->options.ncp_ciphers;
2901  to.transition_window = options->transition_window;
2902  to.handshake_window = options->handshake_window;
2903  to.packet_timeout = options->tls_timeout;
2904  to.renegotiate_bytes = options->renegotiate_bytes;
2905  to.renegotiate_packets = options->renegotiate_packets;
2906  if (options->renegotiate_seconds_min < 0)
2907  {
2908  /* Add 10% jitter to reneg-sec by default (server side only) */
2909  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2910  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2911  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2912  }
2913  else
2914  {
2915  /* Add user-specified jitter to reneg-sec */
2916  to.renegotiate_seconds = options->renegotiate_seconds
2917  -(get_random() % max_int(options->renegotiate_seconds
2918  - options->renegotiate_seconds_min, 1));
2919  }
2920  to.single_session = options->single_session;
2921  to.mode = options->mode;
2922  to.pull = options->pull;
2923  if (options->push_peer_info) /* all there is */
2924  {
2925  to.push_peer_info_detail = 3;
2926  }
2927  else if (options->pull) /* pull clients send some details */
2928  {
2929  to.push_peer_info_detail = 2;
2930  }
2931  else if (options->mode == MODE_SERVER) /* server: no peer info at all */
2932  {
2933  to.push_peer_info_detail = 0;
2934  }
2935  else /* default: minimal info to allow NCP in P2P mode */
2936  {
2937  to.push_peer_info_detail = 1;
2938  }
2939 
2940 
2941  /* should we not xmit any packets until we get an initial
2942  * response from client? */
2943  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2944  {
2945  to.xmit_hold = true;
2946  }
2947 
2948  to.disable_occ = !options->occ;
2949 
2950  to.verify_command = options->tls_verify;
2951  to.verify_export_cert = options->tls_export_cert;
2952  to.verify_x509_type = (options->verify_x509_type & 0xff);
2953  to.verify_x509_name = options->verify_x509_name;
2954  to.crl_file = options->crl_file;
2955  to.crl_file_inline = options->crl_file_inline;
2956  to.ssl_flags = options->ssl_flags;
2957  to.ns_cert_type = options->ns_cert_type;
2958  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2959  to.remote_cert_eku = options->remote_cert_eku;
2960  to.verify_hash = options->verify_hash;
2961  to.verify_hash_algo = options->verify_hash_algo;
2962  to.verify_hash_depth = options->verify_hash_depth;
2963  to.verify_hash_no_ca = options->verify_hash_no_ca;
2964 #ifdef ENABLE_X509ALTUSERNAME
2965  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2966 #else
2967  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2968 #endif
2969  to.es = c->c2.es;
2970  to.net_ctx = &c->net_ctx;
2971 
2972 #ifdef ENABLE_DEBUG
2973  to.gremlin = c->options.gremlin;
2974 #endif
2975 
2976  to.plugins = c->plugins;
2977 
2978 #ifdef ENABLE_MANAGEMENT
2979  to.mda_context = &c->c2.mda_context;
2980 #endif
2981 
2982  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2983  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2984  to.tmp_dir = options->tmp_dir;
2985  if (options->ccd_exclusive)
2986  {
2987  to.client_config_dir_exclusive = options->client_config_dir;
2988  }
2989  to.auth_user_pass_file = options->auth_user_pass_file;
2990  to.auth_token_generate = options->auth_token_generate;
2991  to.auth_token_lifetime = options->auth_token_lifetime;
2992  to.auth_token_call_auth = options->auth_token_call_auth;
2993  to.auth_token_key = c->c1.ks.auth_token_key;
2994 
2995  to.x509_track = options->x509_track;
2996 
2997 #ifdef ENABLE_MANAGEMENT
2998  to.sci = &options->sc_info;
2999 #endif
3000 
3001 #ifdef USE_COMP
3002  to.comp_options = options->comp;
3003 #endif
3004 
3005 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3006  if (options->keying_material_exporter_label)
3007  {
3008  to.ekm_size = options->keying_material_exporter_length;
3009  if (to.ekm_size < 16 || to.ekm_size > 4095)
3010  {
3011  to.ekm_size = 0;
3012  }
3013 
3014  to.ekm_label = options->keying_material_exporter_label;
3015  to.ekm_label_size = strlen(to.ekm_label);
3016  }
3017  else
3018  {
3019  to.ekm_size = 0;
3020  }
3021 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
3022 
3023  /* TLS handshake authentication (--tls-auth) */
3024  if (options->ce.tls_auth_file)
3025  {
3026  to.tls_wrap.mode = TLS_WRAP_AUTH;
3027  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3028  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3029  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3030  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
3031  true, true);
3032  }
3033 
3034  /* TLS handshake encryption (--tls-crypt) */
3035  if (options->ce.tls_crypt_file
3036  || (options->ce.tls_crypt_v2_file && options->tls_client))
3037  {
3038  to.tls_wrap.mode = TLS_WRAP_CRYPT;
3039  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3040  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3041  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
3042  tls_crypt_adjust_frame_parameters(&to.frame);
3043 
3044  if (options->ce.tls_crypt_v2_file)
3045  {
3046  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3047  }
3048  }
3049 
3050  if (options->ce.tls_crypt_v2_file)
3051  {
3052  to.tls_crypt_v2 = true;
3053  if (options->tls_server)
3054  {
3055  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3056  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3057  }
3058  }
3059 
3060  /* If we are running over TCP, allow for
3061  * length prefix */
3062  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3063 
3064  /*
3065  * Initialize OpenVPN's master TLS-mode object.
3066  */
3067  if (flags & CF_INIT_TLS_MULTI)
3068  {
3069  c->c2.tls_multi = tls_multi_init(&to);
3070  }
3071 
3072  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3073  {
3074  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3075  }
3076 }
3077 
3078 static void
3079 do_init_finalize_tls_frame(struct context *c)
3080 {
3081  if (c->c2.tls_multi)
3082  {
3083  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3084  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3085  EXPANDED_SIZE(&c->c2.frame));
3086  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3087  "Control Channel MTU parms");
3088  }
3089  if (c->c2.tls_auth_standalone)
3090  {
3091  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3092  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3093  "TLS-Auth MTU parms");
3094  }
3095 }
3096 
3097 /*
3098  * No encryption or authentication.
3099  */
3100 static void
3101 do_init_crypto_none(const struct context *c)
3102 {
3103  ASSERT(!c->options.test_crypto);
3104  msg(M_WARN,
3105  "******* WARNING *******: All encryption and authentication features "
3106  "disabled -- All data will be tunnelled as clear text and will not be "
3107  "protected against man-in-the-middle changes. "
3108  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3109 }
3110 
3111 static void
3112 do_init_crypto(struct context *c, const unsigned int flags)
3113 {
3114  if (c->options.shared_secret_file)
3115  {
3116  do_init_crypto_static(c, flags);
3117  }
3118  else if (c->options.tls_server || c->options.tls_client)
3119  {
3120  do_init_crypto_tls(c, flags);
3121  }
3122  else /* no encryption or authentication. */
3123  {
3124  do_init_crypto_none(c);
3125  }
3126 }
3127 
3128 static void
3129 do_init_frame(struct context *c)
3130 {
3131 #ifdef USE_COMP
3132  /*
3133  * modify frame parameters if compression is enabled
3134  */
3135  if (comp_enabled(&c->options.comp))
3136  {
3137  comp_add_to_extra_frame(&c->c2.frame);
3138 
3139 #ifdef ENABLE_FRAGMENT
3140  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3141 #endif
3142  }
3143 #endif /* USE_COMP */
3144 
3145  /*
3146  * Adjust frame size for UDP Socks support.
3147  */
3148  if (c->options.ce.socks_proxy_server)
3149  {
3150  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3151  }
3152 
3153  /*
3154  * Adjust frame size based on the --tun-mtu-extra parameter.
3155  */
3156  if (c->options.ce.tun_mtu_extra_defined)
3157  {
3158  frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra);
3159  }
3160 
3161  /*
3162  * Adjust frame size based on link socket parameters.
3163  * (Since TCP is a stream protocol, we need to insert
3164  * a packet length uint16_t in the buffer.)
3165  */
3166  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3167 
3168  /*
3169  * Fill in the blanks in the frame parameters structure,
3170  * make sure values are rational, etc.
3171  */
3172  frame_finalize_options(c, NULL);
3173 
3174 #ifdef USE_COMP
3175  /*
3176  * Modify frame parameters if compression is compiled in.
3177  * Should be called after frame_finalize_options.
3178  */
3179  comp_add_to_extra_buffer(&c->c2.frame);
3180 #ifdef ENABLE_FRAGMENT
3181  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3182 #endif
3183 #endif /* USE_COMP */
3184 
3185  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3186  * and need link_mtu+3 bytes on socket reception (on server).
3187  *
3188  * accommodate receive path in f->extra_link, which has the side effect of
3189  * also increasing send buffers (BUF_SIZE() macro), which need to be
3190  * allocated big enough before receiving peer-id option from server.
3191  *
3192  * f->extra_frame is adjusted when peer-id option is push-received
3193  */
3194  frame_add_to_extra_link(&c->c2.frame, 3);
3195 
3196 #ifdef ENABLE_FRAGMENT
3197  /*
3198  * Set frame parameter for fragment code. This is necessary because
3199  * the fragmentation code deals with payloads which have already been
3200  * passed through the compression code.
3201  */
3202  c->c2.frame_fragment = c->c2.frame;
3203  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3204  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3205 #endif
3206 
3207 #if defined(ENABLE_FRAGMENT)
3208  /*
3209  * MTU advisories
3210  */
3211  if (c->options.ce.fragment && c->options.mtu_test)
3212  {
3213  msg(M_WARN,
3214  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3215  }
3216 #endif
3217 
3218 #ifdef ENABLE_FRAGMENT
3219  if ((c->options.ce.mssfix || c->options.ce.fragment)
3220  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3221  {
3222  msg(M_WARN,
3223  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3224  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3225  }
3226 #endif
3227 }
3228 
3229 static void
3230 do_option_warnings(struct context *c)
3231 {
3232  const struct options *o = &c->options;
3233 
3234  if (o->ping_send_timeout && !o->ping_rec_timeout)
3235  {
3236  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3237  }
3238 
3239  if (o->username || o->groupname || o->chroot_dir
3240 #ifdef ENABLE_SELINUX
3241  || o->selinux_context
3242 #endif
3243  )
3244  {
3245  if (!o->persist_tun)
3246  {
3247  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3248  }
3249  if (!o->persist_key
3250 #ifdef ENABLE_PKCS11
3251  && !o->pkcs11_id
3252 #endif
3253  )
3254  {
3255  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3256  }
3257  }
3258 
3259  if (o->chroot_dir && !(o->username && o->groupname))
3260  {
3261  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3262  }
3263 
3264  if (o->pull && o->ifconfig_local && c->first_time)
3265  {
3266  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3267  }
3268 
3269  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3270  {
3271  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3272  }
3273 
3274  if (o->mode == MODE_SERVER)
3275  {
3276  if (o->duplicate_cn && o->client_config_dir)
3277  {
3278  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3279  }
3280  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3281  {
3282  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3283  }
3284  if (!o->keepalive_ping || !o->keepalive_timeout)
3285  {
3286  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3287  }
3288  }
3289 
3290  if (!o->replay)
3291  {
3292  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3293  }
3294 
3295  if (o->tls_server)
3296  {
3297  warn_on_use_of_common_subnets(&c->net_ctx);
3298  }
3299  if (o->tls_client
3300  && !o->tls_verify
3301  && o->verify_x509_type == VERIFY_X509_NONE
3302  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3303  && !o->remote_cert_eku)
3304  {
3305  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3306  }
3307  if (o->ns_cert_type)
3308  {
3309  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3310  }
3311 
3312  /* If a script is used, print appropriate warnings */
3313  if (o->user_script_used)
3314  {
3315  if (script_security() >= SSEC_SCRIPTS)
3316  {
3317  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3318  }
3319  else if (script_security() >= SSEC_PW_ENV)
3320  {
3321  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3322  }
3323  else
3324  {
3325  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3326  }
3327  }
3328 }
3329 
3330 static void
3331 do_init_frame_tls(struct context *c)
3332 {
3333  do_init_finalize_tls_frame(c);
3334 }
3335 
3336 struct context_buffers *
3337 init_context_buffers(const struct frame *frame)
3338 {
3339  struct context_buffers *b;
3340 
3341  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3342 
3343  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3344  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3345 
3346  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3347 
3348  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3349  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3350 
3351 #ifdef USE_COMP
3352  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3353  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3354 #endif
3355 
3356  return b;
3357 }
3358 
3359 void
3360 free_context_buffers(struct context_buffers *b)
3361 {
3362  if (b)
3363  {
3364  free_buf(&b->read_link_buf);
3365  free_buf(&b->read_tun_buf);
3366  free_buf(&b->aux_buf);
3367 
3368 #ifdef USE_COMP
3369  free_buf(&b->compress_buf);
3370  free_buf(&b->decompress_buf);
3371 #endif
3372 
3373  free_buf(&b->encrypt_buf);
3374  free_buf(&b->decrypt_buf);
3375 
3376  free(b);
3377  }
3378 }
3379 
3380 /*
3381  * Now that we know all frame parameters, initialize
3382  * our buffers.
3383  */
3384 static void
3385 do_init_buffers(struct context *c)
3386 {
3387  c->c2.buffers = init_context_buffers(&c->c2.frame);
3388  c->c2.buffers_owned = true;
3389 }
3390 
3391 #ifdef ENABLE_FRAGMENT
3392 /*
3393  * Fragmenting code has buffers to initialize
3394  * once frame parameters are known.
3395  */
3396 static void
3397 do_init_fragment(struct context *c)
3398 {
3399  ASSERT(c->options.ce.fragment);
3400  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3401  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3402  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3403 }
3404 #endif
3405 
3406 /*
3407  * Allocate our socket object.
3408  */
3409 static void
3410 do_link_socket_new(struct context *c)
3411 {
3412  ASSERT(!c->c2.link_socket);
3413  c->c2.link_socket = link_socket_new();
3414  c->c2.link_socket_owned = true;
3415 }
3416 
3417 /*
3418  * Print MTU INFO
3419  */
3420 static void
3421 do_print_data_channel_mtu_parms(struct context *c)
3422 {
3423  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3424 #ifdef ENABLE_FRAGMENT
3425  if (c->c2.fragment)
3426  {
3427  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3428  "Fragmentation MTU parms");
3429  }
3430 #endif
3431 }
3432 
3433 /*
3434  * Get local and remote options compatibility strings.
3435  */
3436 static void
3437 do_compute_occ_strings(struct context *c)
3438 {
3439  struct gc_arena gc = gc_new();
3440 
3441  c->c2.options_string_local =
3442  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3443  false, &gc);
3444  c->c2.options_string_remote =
3445  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3446  true, &gc);
3447 
3448  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3449  options_string_version(c->c2.options_string_local, &gc),
3450  c->c2.options_string_local);
3451  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3452  options_string_version(c->c2.options_string_remote, &gc),
3453  c->c2.options_string_remote);
3454 
3455  if (c->c2.tls_multi)
3456  {
3457  tls_multi_init_set_options(c->c2.tls_multi,
3458  c->c2.options_string_local,
3459  c->c2.options_string_remote);
3460  }
3461 
3462  gc_free(&gc);
3463 }
3464 
3465 /*
3466  * These things can only be executed once per program instantiation.
3467  * Set up for possible UID/GID downgrade, but don't do it yet.
3468  * Daemonize if requested.
3469  */
3470 static void
3471 do_init_first_time(struct context *c)
3472 {
3473  if (c->first_time && !c->c0)
3474  {
3475  struct context_0 *c0;
3476 
3477  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3478  c0 = c->c0;
3479 
3480  /* get user and/or group that we want to setuid/setgid to */
3481  c0->uid_gid_specified =
3482  platform_group_get(c->options.groupname, &c0->platform_state_group)
3483  |platform_user_get(c->options.username, &c0->platform_state_user);
3484 
3485  /* perform postponed chdir if --daemon */
3486  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3487  {
3488  platform_chdir("/");
3489  }
3490 
3491  /* should we change scheduling priority? */
3492  platform_nice(c->options.nice);
3493  }
3494 }
3495 
3496 /*
3497  * free buffers
3498  */
3499 static void
3500 do_close_free_buf(struct context *c)
3501 {
3502  if (c->c2.buffers_owned)
3503  {
3504  free_context_buffers(c->c2.buffers);
3505  c->c2.buffers = NULL;
3506  c->c2.buffers_owned = false;
3507  }
3508 }
3509 
3510 /*
3511  * close TLS
3512  */
3513 static void
3514 do_close_tls(struct context *c)
3515 {
3516  if (c->c2.tls_multi)
3517  {
3518  tls_multi_free(c->c2.tls_multi, true);
3519  c->c2.tls_multi = NULL;
3520  }
3521 
3522  /* free options compatibility strings */
3523  free(c->c2.options_string_local);
3524  free(c->c2.options_string_remote);
3525 
3526  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3527 
3528  if (c->c2.pulled_options_state)
3529  {
3530  md_ctx_cleanup(c->c2.pulled_options_state);
3531  md_ctx_free(c->c2.pulled_options_state);
3532  }
3533 }
3534 
3535 /*
3536  * Free key schedules
3537  */
3538 static void
3539 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3540 {
3541  /*
3542  * always free the tls_auth/crypt key. If persist_key is true, the key will
3543  * be reloaded from memory (pre-cached)
3544  */
3545  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3546  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3547  CLEAR(c->c1.ks.tls_wrap_key);
3548  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3549  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3550 
3551  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3552  {
3553  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3554  }
3555 }
3556 
3557 /*
3558  * Close TCP/UDP connection
3559  */
3560 static void
3561 do_close_link_socket(struct context *c)
3562 {
3563  if (c->c2.link_socket && c->c2.link_socket_owned)
3564  {
3565  link_socket_close(c->c2.link_socket);
3566  c->c2.link_socket = NULL;
3567  }
3568 
3569 
3570  /* Preserve the resolved list of remote if the user request to or if we want
3571  * reconnect to the same host again or there are still addresses that need
3572  * to be tried */
3573  if (!(c->sig->signal_received == SIGUSR1
3574  && ( (c->options.persist_remote_ip)
3575  ||
3576  ( c->sig->source != SIG_SOURCE_HARD
3577  && ((c->c1.link_socket_addr.current_remote
3578  && c->c1.link_socket_addr.current_remote->ai_next)
3579  || c->options.no_advance))
3580  )))
3581  {
3582  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3583  }
3584 
3585  /* Clear the remote actual address when persist_remote_ip is not in use */
3586  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3587  {
3588  CLEAR(c->c1.link_socket_addr.actual);
3589  }
3590 
3591  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3592  {
3593  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3594  {
3595  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3596  }
3597 
3598  c->c1.link_socket_addr.bind_local = NULL;
3599  }
3600 }
3601 
3602 /*
3603  * Close packet-id persistence file
3604  */
3605 static void
3606 do_close_packet_id(struct context *c)
3607 {
3608  packet_id_free(&c->c2.crypto_options.packet_id);
3609  packet_id_persist_save(&c->c1.pid_persist);
3610  if (!(c->sig->signal_received == SIGUSR1))
3611  {
3612  packet_id_persist_close(&c->c1.pid_persist);
3613  }
3614 }
3615 
3616 #ifdef ENABLE_FRAGMENT
3617 /*
3618  * Close fragmentation handler.
3619  */
3620 static void
3621 do_close_fragment(struct context *c)
3622 {
3623  if (c->c2.fragment)
3624  {
3625  fragment_free(c->c2.fragment);
3626  c->c2.fragment = NULL;
3627  }
3628 }
3629 #endif
3630 
3631 /*
3632  * Open and close our event objects.
3633  */
3634 
3635 static void
3636 do_event_set_init(struct context *c,
3637  bool need_us_timeout)
3638 {
3639  unsigned int flags = 0;
3640 
3641  c->c2.event_set_max = BASE_N_EVENTS;
3642 
3643  flags |= EVENT_METHOD_FAST;
3644 
3645  if (need_us_timeout)
3646  {
3647  flags |= EVENT_METHOD_US_TIMEOUT;
3648  }
3649 
3650  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3651  c->c2.event_set_owned = true;
3652 }
3653 
3654 static void
3655 do_close_event_set(struct context *c)
3656 {
3657  if (c->c2.event_set && c->c2.event_set_owned)
3658  {
3659  event_free(c->c2.event_set);
3660  c->c2.event_set = NULL;
3661  c->c2.event_set_owned = false;
3662  }
3663 }
3664 
3665 /*
3666  * Open and close --status file
3667  */
3668 
3669 static void
3670 do_open_status_output(struct context *c)
3671 {
3672  if (!c->c1.status_output)
3673  {
3674  c->c1.status_output = status_open(c->options.status_file,
3675  c->options.status_file_update_freq,
3676  -1,
3677  NULL,
3678  STATUS_OUTPUT_WRITE);
3679  c->c1.status_output_owned = true;
3680  }
3681 }
3682 
3683 static void
3684 do_close_status_output(struct context *c)
3685 {
3686  if (!(c->sig->signal_received == SIGUSR1))
3687  {
3688  if (c->c1.status_output_owned && c->c1.status_output)
3689  {
3690  status_close(c->c1.status_output);
3691  c->c1.status_output = NULL;
3692  c->c1.status_output_owned = false;
3693  }
3694  }
3695 }
3696 
3697 /*
3698  * Handle ifconfig-pool persistence object.
3699  */
3700 static void
3701 do_open_ifconfig_pool_persist(struct context *c)
3702 {
3703  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3704  {
3705  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3706  c->options.ifconfig_pool_persist_refresh_freq);
3707  c->c1.ifconfig_pool_persist_owned = true;
3708  }
3709 }
3710 
3711 static void
3712 do_close_ifconfig_pool_persist(struct context *c)
3713 {
3714  if (!(c->sig->signal_received == SIGUSR1))
3715  {
3716  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3717  {
3718  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3719  c->c1.ifconfig_pool_persist = NULL;
3720  c->c1.ifconfig_pool_persist_owned = false;
3721  }
3722  }
3723 }
3724 
3725 /*
3726  * Inherit environmental variables
3727  */
3728 
3729 static void
3730 do_inherit_env(struct context *c, const struct env_set *src)
3731 {
3732  c->c2.es = env_set_create(NULL);
3733  c->c2.es_owned = true;
3734  env_set_inherit(c->c2.es, src);
3735 }
3736 
3737 static void
3738 do_env_set_destroy(struct context *c)
3739 {
3740  if (c->c2.es && c->c2.es_owned)
3741  {
3742  env_set_destroy(c->c2.es);
3743  c->c2.es = NULL;
3744  c->c2.es_owned = false;
3745  }
3746 }
3747 
3748 /*
3749  * Fast I/O setup. Fast I/O is an optimization which only works
3750  * if all of the following are true:
3751  *
3752  * (1) The platform is not Windows
3753  * (2) --proto udp is enabled
3754  * (3) --shaper is disabled
3755  */
3756 static void
3757 do_setup_fast_io(struct context *c)
3758 {
3759  if (c->options.fast_io)
3760  {
3761 #ifdef _WIN32
3762  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3763 #else
3764  if (!proto_is_udp(c->options.ce.proto))
3765  {
3766  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3767  }
3768  else
3769  {
3770  if (c->options.shaper)
3771  {
3772  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3773  }
3774  else
3775  {
3776  c->c2.fast_io = true;
3777  }
3778  }
3779 #endif
3780  }
3781 }
3782 
3783 static void
3784 do_signal_on_tls_errors(struct context *c)
3785 {
3786  if (c->options.tls_exit)
3787  {
3788  c->c2.tls_exit_signal = SIGTERM;
3789  }
3790  else
3791  {
3792  c->c2.tls_exit_signal = SIGUSR1;
3793  }
3794 }
3795 
3796 #ifdef ENABLE_PLUGIN
3797 
3798 void
3799 init_plugins(struct context *c)
3800 {
3801  if (c->options.plugin_list && !c->plugins)
3802  {
3803  c->plugins = plugin_list_init(c->options.plugin_list);
3804  c->plugins_owned = true;
3805  }
3806 }
3807 
3808 void
3809 open_plugins(struct context *c, const bool import_options, int init_point)
3810 {
3811  if (c->plugins && c->plugins_owned)
3812  {
3813  if (import_options)
3814  {
3815  struct plugin_return pr, config;
3816  plugin_return_init(&pr);
3817  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3818  plugin_return_get_column(&pr, &config, "config");
3819  if (plugin_return_defined(&config))
3820  {
3821  int i;
3822  for (i = 0; i < config.n; ++i)
3823  {
3824  unsigned int option_types_found = 0;
3825  if (config.list[i] && config.list[i]->value)
3826  {
3827  options_string_import(&c->options,
3828  config.list[i]->value,
3829  D_IMPORT_ERRORS|M_OPTERR,
3830  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3831  &option_types_found,
3832  c->es);
3833  }
3834  }
3835  }
3836  plugin_return_free(&pr);
3837  }
3838  else
3839  {
3840  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3841  }
3842  }
3843 }
3844 
3845 static void
3846 do_close_plugins(struct context *c)
3847 {
3848  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3849  {
3850  plugin_list_close(c->plugins);
3851  c->plugins = NULL;
3852  c->plugins_owned = false;
3853  }
3854 }
3855 
3856 static void
3857 do_inherit_plugins(struct context *c, const struct context *src)
3858 {
3859  if (!c->plugins && src->plugins)
3860  {
3861  c->plugins = plugin_list_inherit(src->plugins);
3862  c->plugins_owned = true;
3863  }
3864 }
3865 
3866 #endif /* ifdef ENABLE_PLUGIN */
3867 
3868 #ifdef ENABLE_MANAGEMENT
3869 
3870 static void
3871 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3872 {
3873  struct context *c = (struct context *) arg;
3874  print_status(c, so);
3875 }
3876 
3877 void
3878 management_show_net_callback(void *arg, const int msglevel)
3879 {
3880 #ifdef _WIN32
3881  show_routes(msglevel);
3882  show_adapters(msglevel);
3883  msg(msglevel, "END");
3884 #else
3885  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3886 #endif
3887 }
3888 
3889 #ifdef TARGET_ANDROID
3890 int
3891 management_callback_network_change(void *arg, bool samenetwork)
3892 {
3893  /* Check if the client should translate the network change to a SIGUSR1 to
3894  * reestablish the connection or just reprotect the socket
3895  *
3896  * At the moment just assume that, for all settings that use pull (not
3897  * --static) and are not using peer-id reestablishing the connection is
3898  * required (unless the network is the same)
3899  *
3900  * The function returns -1 on invalid fd and -2 if the socket cannot be
3901  * reused. On the -2 return value the man_network_change function triggers
3902  * a SIGUSR1 to force a reconnect.
3903  */
3904 
3905  int socketfd = -1;
3906  struct context *c = (struct context *) arg;
3907  if (!c->c2.link_socket)
3908  {
3909  return -1;
3910  }
3911  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3912  {
3913  return -1;
3914  }
3915 
3916  socketfd = c->c2.link_socket->sd;
3917  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3918  {
3919  return socketfd;
3920  }
3921  else
3922  {
3923  return -2;
3924  }
3925 }
3926 #endif /* ifdef TARGET_ANDROID */
3927 
3928 #endif /* ifdef ENABLE_MANAGEMENT */
3929 
3930 void
3931 init_management_callback_p2p(struct context *c)
3932 {
3933 #ifdef ENABLE_MANAGEMENT
3934  if (management)
3935  {
3936  struct management_callback cb;
3937  CLEAR(cb);
3938  cb.arg = c;
3939  cb.status = management_callback_status_p2p;
3940  cb.show_net = management_show_net_callback;
3941  cb.proxy_cmd = management_callback_proxy_cmd;
3942  cb.remote_cmd = management_callback_remote_cmd;
3943  cb.send_cc_message = management_callback_send_cc_message;
3944 #ifdef TARGET_ANDROID
3945  cb.network_change = management_callback_network_change;
3946 #endif
3947  management_set_callback(management, &cb);
3948  }
3949 #endif
3950 }
3951 
3952 #ifdef ENABLE_MANAGEMENT
3953 
3954 void
3955 init_management(void)
3956 {
3957  if (!management)
3958  {
3959  management = management_init();
3960  }
3961 }
3962 
3963 bool
3964 open_management(struct context *c)
3965 {
3966  /* initialize management layer */
3967  if (management)
3968  {
3969  if (c->options.management_addr)
3970  {
3971  unsigned int flags = c->options.management_flags;
3972  if (c->options.mode == MODE_SERVER)
3973  {
3974  flags |= MF_SERVER;
3975  }
3976  if (management_open(management,
3977  c->options.management_addr,
3978  c->options.management_port,
3979  c->options.management_user_pass,
3980  c->options.management_client_user,
3981  c->options.management_client_group,
3982  c->options.management_log_history_cache,
3983  c->options.management_echo_buffer_size,
3984  c->options.management_state_buffer_size,
3985  c->options.management_write_peer_info_file,
3986  c->options.remap_sigusr1,
3987  flags))
3988  {
3989  management_set_state(management,
3990  OPENVPN_STATE_CONNECTING,
3991  NULL,
3992  NULL,
3993  NULL,
3994  NULL,
3995  NULL);
3996  }
3997 
3998  /* initial management hold, called early, before first context initialization */
3999  do_hold(0);
4000  if (IS_SIG(c))
4001  {
4002  msg(M_WARN, "Signal received from management interface, exiting");
4003  return false;
4004  }
4005  }
4006  else
4007  {
4008  close_management();
4009  }
4010  }
4011  return true;
4012 }
4013 
4014 void
4015 close_management(void)
4016 {
4017  if (management)
4018  {
4019  management_close(management);
4020  management = NULL;
4021  }
4022 }
4023 
4024 #endif /* ifdef ENABLE_MANAGEMENT */
4025 
4026 
4027 void
4028 uninit_management_callback(void)
4029 {
4030 #ifdef ENABLE_MANAGEMENT
4031  if (management)
4032  {
4033  management_clear_callback(management);
4034  }
4035 #endif
4036 }
4037 
4038 /*
4039  * Initialize a tunnel instance, handle pre and post-init
4040  * signal settings.
4041  */
4042 void
4043 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
4044 {
4045  pre_init_signal_catch();
4046  init_instance(c, env, flags);
4047  post_init_signal_catch();
4048 
4049  /*
4050  * This is done so that signals thrown during
4051  * initialization can bring us back to
4052  * a management hold.
4053  */
4054  if (IS_SIG(c))
4055  {
4056  remap_signal(c);
4057  uninit_management_callback();
4058  }
4059 }
4060 
4061 /*
4062  * Initialize a tunnel instance.
4063  */
4064 void
4065 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4066 {
4067  const struct options *options = &c->options;
4068  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4069  int link_socket_mode = LS_MODE_DEFAULT;
4070 
4071  /* init garbage collection level */
4072  gc_init(&c->c2.gc);
4073 
4074  /* inherit environmental variables */
4075  if (env)
4076  {
4077  do_inherit_env(c, env);
4078  }
4079 
4080  /* signals caught here will abort */
4081  c->sig->signal_received = 0;
4082  c->sig->signal_text = NULL;
4083  c->sig->source = SIG_SOURCE_SOFT;
4084 
4085  if (c->mode == CM_P2P)
4086  {
4087  init_management_callback_p2p(c);
4088  }
4089 
4090  /* possible sleep or management hold if restart */
4091  if (c->mode == CM_P2P || c->mode == CM_TOP)
4092  {
4093  do_startup_pause(c);
4094  if (IS_SIG(c))
4095  {
4096  goto sig;
4097  }
4098  }
4099 
4100  if (c->options.resolve_in_advance)
4101  {
4102  do_preresolve(c);
4103  if (IS_SIG(c))
4104  {
4105  goto sig;
4106  }
4107  }
4108 
4109  /* Resets all values to the initial values from the config where needed */
4110  pre_connect_restore(&c->options, &c->c2.gc);
4111 
4112  /* map in current connection entry */
4113  next_connection_entry(c);
4114 
4115  /* link_socket_mode allows CM_CHILD_TCP
4116  * instances to inherit acceptable fds
4117  * from a top-level parent */
4118  if (c->options.ce.proto == PROTO_TCP_SERVER)
4119  {
4120  if (c->mode == CM_TOP)
4121  {
4122  link_socket_mode = LS_MODE_TCP_LISTEN;
4123  }
4124  else if (c->mode == CM_CHILD_TCP)
4125  {
4126  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4127  }
4128  }
4129 
4130  /* should we disable paging? */
4131  if (c->first_time && options->mlock)
4132  {
4133  platform_mlockall(true);
4134  }
4135 
4136  /* get passwords if undefined */
4137  if (auth_retry_get() == AR_INTERACT)
4138  {
4139  init_query_passwords(c);
4140  }
4141 
4142  /* initialize context level 2 --verb/--mute parms */
4143  init_verb_mute(c, IVM_LEVEL_2);
4144 
4145  /* set error message delay for non-server modes */
4146  if (c->mode == CM_P2P)
4147  {
4148  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4149  }
4150 
4151  /* warn about inconsistent options */
4152  if (c->mode == CM_P2P || c->mode == CM_TOP)
4153  {
4154  do_option_warnings(c);
4155  }
4156 
4157 #ifdef ENABLE_PLUGIN
4158  /* initialize plugins */
4159  if (c->mode == CM_P2P || c->mode == CM_TOP)
4160  {
4161  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4162  }
4163 #endif
4164 
4165  /* should we enable fast I/O? */
4166  if (c->mode == CM_P2P || c->mode == CM_TOP)
4167  {
4168  do_setup_fast_io(c);
4169  }
4170 
4171  /* should we throw a signal on TLS errors? */
4172  do_signal_on_tls_errors(c);
4173 
4174  /* open --status file */
4175  if (c->mode == CM_P2P || c->mode == CM_TOP)
4176  {
4177  do_open_status_output(c);
4178  }
4179 
4180  /* open --ifconfig-pool-persist file */
4181  if (c->mode == CM_TOP)
4182  {
4183  do_open_ifconfig_pool_persist(c);
4184  }
4185 
4186  /* reset OCC state */
4187  if (c->mode == CM_P2P || child)
4188  {
4189  c->c2.occ_op = occ_reset_op();
4190  }
4191 
4192  /* our wait-for-i/o objects, different for posix vs. win32 */
4193  if (c->mode == CM_P2P)
4194  {
4195  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4196  }
4197  else if (c->mode == CM_CHILD_TCP)
4198  {
4199  do_event_set_init(c, false);
4200  }
4201 
4202  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4203  init_proxy(c);
4204 
4205  /* allocate our socket object */
4206  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4207  {
4208  do_link_socket_new(c);
4209  }
4210 
4211 #ifdef ENABLE_FRAGMENT
4212  /* initialize internal fragmentation object */
4213  if (options->ce.fragment && (c->mode == CM_P2P || child))
4214  {
4215  c->c2.fragment = fragment_init(&c->c2.frame);
4216  }
4217 #endif
4218 
4219  /* init crypto layer */
4220  {
4221  unsigned int crypto_flags = 0;
4222  if (c->mode == CM_TOP)
4223  {
4224  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4225  }
4226  else if (c->mode == CM_P2P)
4227  {
4228  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4229  }
4230  else if (child)
4231  {
4232  crypto_flags = CF_INIT_TLS_MULTI;
4233  }
4234  do_init_crypto(c, crypto_flags);
4235  if (IS_SIG(c) && !child)
4236  {
4237  goto sig;
4238  }
4239  }
4240 
4241 #ifdef USE_COMP
4242  /* initialize compression library. */
4243  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4244  {
4245  c->c2.comp_context = comp_init(&options->comp);
4246  }
4247 #endif
4248 
4249  /* initialize MTU variables */
4250  do_init_frame(c);
4251 
4252  /* initialize TLS MTU variables */
4253  do_init_frame_tls(c);
4254 
4255  /* init workspace buffers whose size is derived from frame size */
4256  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4257  {
4258  do_init_buffers(c);
4259  }
4260 
4261 #ifdef ENABLE_FRAGMENT
4262  /* initialize internal fragmentation capability with known frame size */
4263  if (options->ce.fragment && (c->mode == CM_P2P || child))
4264  {
4265  do_init_fragment(c);
4266  }
4267 #endif
4268 
4269  /* initialize dynamic MTU variable */
4270  frame_init_mssfix(&c->c2.frame, &c->options);
4271 
4272  /* bind the TCP/UDP socket */
4273  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4274  {
4275  link_socket_init_phase1(c, link_socket_mode);
4276  }
4277 
4278  /* initialize tun/tap device object,
4279  * open tun/tap device, ifconfig, run up script, etc. */
4280  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4281  {
4282  c->c2.did_open_tun = do_open_tun(c);
4283  }
4284 
4285  c->c2.frame_initial = c->c2.frame;
4286 
4287  /* print MTU info */
4288  do_print_data_channel_mtu_parms(c);
4289 
4290  /* get local and remote options compatibility strings */
4291  if (c->mode == CM_P2P || child)
4292  {
4293  do_compute_occ_strings(c);
4294  }
4295 
4296  /* initialize output speed limiter */
4297  if (c->mode == CM_P2P)
4298  {
4299  do_init_traffic_shaper(c);
4300  }
4301 
4302  /* do one-time inits, and possibly become a daemon here */
4303  do_init_first_time(c);
4304 
4305 #ifdef ENABLE_PLUGIN
4306  /* initialize plugins */
4307  if (c->mode == CM_P2P || c->mode == CM_TOP)
4308  {
4309  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4310  }
4311 #endif
4312 
4313  /* initialise connect timeout timer */
4314  do_init_server_poll_timeout(c);
4315 
4316  /* finalize the TCP/UDP socket */
4317  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4318  {
4319  link_socket_init_phase2(c);
4320  }
4321 
4322  /*
4323  * Actually do UID/GID downgrade, and chroot, if requested.
4324  * May be delayed by --client, --pull, or --up-delay.
4325  */
4326  do_uid_gid_chroot(c, c->c2.did_open_tun);
4327 
4328  /* initialize timers */
4329  if (c->mode == CM_P2P || child)
4330  {
4331  do_init_timers(c, false);
4332  }
4333 
4334 #ifdef ENABLE_PLUGIN
4335  /* initialize plugins */
4336  if (c->mode == CM_P2P || c->mode == CM_TOP)
4337  {
4338  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4339  }
4340 #endif
4341 
4342 #if PORT_SHARE
4343  /* share OpenVPN port with foreign (such as HTTPS) server */
4344  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4345  {
4346  init_port_share(c);
4347  }
4348 #endif
4349 
4350  /* Check for signals */
4351  if (IS_SIG(c))
4352  {
4353  goto sig;
4354  }
4355 
4356  return;
4357 
4358 sig:
4359  if (!c->sig->signal_text)
4360  {
4361  c->sig->signal_text = "init_instance";
4362  }
4363  close_context(c, -1, flags);
4364  return;
4365 }
4366 
4367 /*
4368  * Close a tunnel instance.
4369  */
4370 void
4371 close_instance(struct context *c)
4372 {
4373  /* close event objects */
4374  do_close_event_set(c);
4375 
4376  if (c->mode == CM_P2P
4377  || c->mode == CM_CHILD_TCP
4378  || c->mode == CM_CHILD_UDP
4379  || c->mode == CM_TOP)
4380  {
4381 #ifdef USE_COMP
4382  if (c->c2.comp_context)
4383  {
4384  comp_uninit(c->c2.comp_context);
4385  c->c2.comp_context = NULL;
4386  }
4387 #endif
4388 
4389  /* free buffers */
4390  do_close_free_buf(c);
4391 
4392  /* close TLS */
4393  do_close_tls(c);
4394 
4395  /* free key schedules */
4396  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4397 
4398  /* close TCP/UDP connection */
4399  do_close_link_socket(c);
4400 
4401  /* close TUN/TAP device */
4402  do_close_tun(c, false);
4403 
4404 #ifdef ENABLE_MANAGEMENT
4405  if (management)
4406  {
4407  management_notify_client_close(management, &c->c2.mda_context, NULL);
4408  }
4409 #endif
4410 
4411 #ifdef ENABLE_PLUGIN
4412  /* call plugin close functions and unload */
4413  do_close_plugins(c);
4414 #endif
4415 
4416  /* close packet-id persistence file */
4417  do_close_packet_id(c);
4418 
4419  /* close --status file */
4420  do_close_status_output(c);
4421 
4422 #ifdef ENABLE_FRAGMENT
4423  /* close fragmentation handler */
4424  do_close_fragment(c);
4425 #endif
4426 
4427  /* close --ifconfig-pool-persist obj */
4428  do_close_ifconfig_pool_persist(c);
4429 
4430  /* free up environmental variable store */
4431  do_env_set_destroy(c);
4432 
4433  /* close HTTP or SOCKS proxy */
4434  uninit_proxy(c);
4435 
4436  /* garbage collect */
4437  gc_free(&c->c2.gc);
4438  }
4439 }
4440 
4441 void
4442 inherit_context_child(struct context *dest,
4443  const struct context *src)
4444 {
4445  CLEAR(*dest);
4446 
4447  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4448  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4449 
4450  dest->gc = gc_new();
4451 
4452  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4453 
4454  /* c1 init */
4455  packet_id_persist_init(&dest->c1.pid_persist);
4456 
4457  dest->c1.ks.key_type = src->c1.ks.key_type;
4458  /* inherit SSL context */
4459  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4460  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4461  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4462  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4463  /* inherit pre-NCP ciphers */
4464  dest->options.ciphername = src->options.ciphername;
4465  dest->options.authname = src->options.authname;
4466 
4467  /* inherit auth-token */
4468  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4469 
4470  /* options */
4471  dest->options = src->options;
4472  options_detach(&dest->options);
4473 
4474  if (dest->mode == CM_CHILD_TCP)
4475  {
4476  /*
4477  * The CM_TOP context does the socket listen(),
4478  * and the CM_CHILD_TCP context does the accept().
4479  */
4480  dest->c2.accept_from = src->c2.link_socket;
4481  }
4482 
4483 #ifdef ENABLE_PLUGIN
4484  /* inherit plugins */
4485  do_inherit_plugins(dest, src);
4486 #endif
4487 
4488  /* context init */
4489  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4490  if (IS_SIG(dest))
4491  {
4492  return;
4493  }
4494 
4495  /* inherit tun/tap interface object */
4496  dest->c1.tuntap = src->c1.tuntap;
4497 
4498  /* UDP inherits some extra things which TCP does not */
4499  if (dest->mode == CM_CHILD_UDP)
4500  {
4501  /* inherit buffers */
4502  dest->c2.buffers = src->c2.buffers;
4503 
4504  /* inherit parent link_socket and tuntap */
4505  dest->c2.link_socket = src->c2.link_socket;
4506 
4507  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4508  *dest->c2.link_socket_info = src->c2.link_socket->info;
4509 
4510  /* locally override some link_socket_info fields */
4511  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4512  dest->c2.link_socket_info->connection_established = false;
4513  }
4514 }
4515 
4516 void
4517 inherit_context_top(struct context *dest,
4518  const struct context *src)
4519 {
4520  /* copy parent */
4521  *dest = *src;
4522 
4523  /*
4524  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4525  * resources owned by the parent.
4526  *
4527  * Also note that CM_TOP_CLONE context objects are
4528  * closed by multi_top_free in multi.c.
4529  */
4530  dest->mode = CM_TOP_CLONE;
4531 
4532  dest->first_time = false;
4533  dest->c0 = NULL;
4534 
4535  options_detach(&dest->options);
4536  gc_detach(&dest->gc);
4537  gc_detach(&dest->c2.gc);
4538 
4539  /* detach plugins */
4540  dest->plugins_owned = false;
4541 
4542  dest->c2.tls_multi = NULL;
4543 
4544  /* detach c1 ownership */
4545  dest->c1.tuntap_owned = false;
4546  dest->c1.status_output_owned = false;
4547  dest->c1.ifconfig_pool_persist_owned = false;
4548 
4549  /* detach c2 ownership */
4550  dest->c2.event_set_owned = false;
4551  dest->c2.link_socket_owned = false;
4552  dest->c2.buffers_owned = false;
4553  dest->c2.es_owned = false;
4554 
4555  dest->c2.event_set = NULL;
4556  if (proto_is_dgram(src->options.ce.proto))
4557  {
4558  do_event_set_init(dest, false);
4559  }
4560 
4561 #ifdef USE_COMP
4562  dest->c2.comp_context = NULL;
4563 #endif
4564 }
4565 
4566 void
4567 close_context(struct context *c, int sig, unsigned int flags)
4568 {
4569  ASSERT(c);
4570  ASSERT(c->sig);
4571 
4572  if (sig >= 0)
4573  {
4574  c->sig->signal_received = sig;
4575  }
4576 
4577  if (c->sig->signal_received == SIGUSR1)
4578  {
4579  if ((flags & CC_USR1_TO_HUP)
4580  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4581  {
4582  c->sig->signal_received = SIGHUP;
4583  c->sig->signal_text = "close_context usr1 to hup";
4584  }
4585  }
4586 
4587  if (!(flags & CC_NO_CLOSE))
4588  {
4589  close_instance(c);
4590  }
4591 
4592  if (flags & CC_GC_FREE)
4593  {
4594  context_gc_free(c);
4595  }
4596 }
4597 
4598 /* Write our PID to a file */
4599 void
4600 write_pid_file(const char *filename, const char *chroot_dir)
4601 {
4602  if (filename)
4603  {
4604  unsigned int pid = 0;
4605  FILE *fp = platform_fopen(filename, "w");
4606  if (!fp)
4607  {
4608  msg(M_ERR, "Open error on pid file %s", filename);
4609  return;
4610  }
4611 
4612  pid = platform_getpid();
4613  fprintf(fp, "%u\n", pid);
4614  if (fclose(fp))
4615  {
4616  msg(M_ERR, "Close error on pid file %s", filename);
4617  }
4618 
4619  /* remember file name so it can be deleted "out of context" later */
4620  /* (the chroot case is more complex and not handled today) */
4621  if (!chroot_dir)
4622  {
4623  saved_pid_file_name = strdup(filename);
4624  }
4625  }
4626 }
4627 
4628 /* remove PID file on exit, called from openvpn_exit() */
4629 void
4630 remove_pid_file(void)
4631 {
4632  if (saved_pid_file_name)
4633  {
4634  platform_unlink(saved_pid_file_name);
4635  }
4636 }
4637 
4638 
4639 /*
4640  * Do a loopback test
4641  * on the crypto subsystem.
4642  */
4643 static void *
4644 test_crypto_thread(void *arg)
4645 {
4646  struct context *c = (struct context *) arg;
4647  const struct options *options = &c->options;
4648 
4649  ASSERT(options->test_crypto);
4650  init_verb_mute(c, IVM_LEVEL_1);
4651  context_init_1(c);
4652  next_connection_entry(c);
4653  do_init_crypto_static(c, 0);
4654 
4655  frame_finalize_options(c, options);
4656 
4657  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4658 
4659  key_schedule_free(&c->c1.ks, true);
4660  packet_id_free(&c->c2.crypto_options.packet_id);
4661 
4662  context_gc_free(c);
4663  return NULL;
4664 }
4665 
4666 bool
4667 do_test_crypto(const struct options *o)
4668 {
4669  if (o->test_crypto)
4670  {
4671  struct context c;
4672 
4673  /* print version number */
4674  msg(M_INFO, "%s", title_string);
4675 
4676  context_clear(&c);
4677  c.options = *o;
4678  options_detach(&c.options);
4679  c.first_time = true;
4680  test_crypto_thread((void *) &c);
4681  return true;
4682  }
4683  return false;
4684 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:321
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:350
context_2::es
struct env_set * es
Definition: openvpn.h:408
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:194
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:182
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:189
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2592
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:353
management_close
void management_close(struct management *man)
Definition: manage.c:2638
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:445
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:288
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:310
options::sndbuf
int sndbuf
Definition: options.h:366
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:386
context_2::log_rw
bool log_rw
Definition: openvpn.h:370
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:114
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:256
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:366
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:373
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:118
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:610
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:703
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1515
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
tuntap
Definition: tun.h:155
options::management_flags
unsigned int management_flags
Definition: options.h:409
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1980
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2620
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:568
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:111
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:330
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:106
options::block_outside_dns
bool block_outside_dns
Definition: options.h:640
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:104
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:285
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1314
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:355
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
platform_nice
void platform_nice(int niceval)
Definition: platform.c:160
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:960
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:374
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:525
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
options::show_curves
bool show_curves
Definition: options.h:244
ssl_clean_user_pass
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4222
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:637
options::cipher_list
const char * cipher_list
Definition: options.h:550
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
options::tls_server
bool tls_server
Definition: options.h:535
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1840
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1460
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:334
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1002
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3851
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:616
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2132
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:627
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:377
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:373
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:553
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:400
M_OPTERR
#define M_OPTERR
Definition: error.h:109
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:356
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:334
streq
#define streq(x, y)
Definition: options.h:667
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:444
options::chroot_dir
const char * chroot_dir
Definition: options.h:326
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:727
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3857
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3655
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2743
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:431
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:269
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:167
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:306
tls_options::mode
int mode
Definition: ssl_common.h:305
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2141
options::auth_token_generate
bool auth_token_generate
Definition: options.h:487
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4526
tun_abort
void tun_abort(void)
Definition: init.c:2113
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:461
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:532
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3738
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2679
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:730
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:352
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:484
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:115
management::persist
struct man_persist persist
Definition: manage.h:314
srandom
#define srandom
Definition: syshead.h:45
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:619
auth_token.h
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:365
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:285
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:213
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:696
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4567
script_security
int script_security(void)
Definition: run_command.c:45
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:186
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:364
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:513
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:83
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:588
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:193
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:80
options::peer_id
uint32_t peer_id
Definition: options.h:645
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3931
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:322
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:156
close_instance
void close_instance(struct context *c)
Definition: init.c:4371
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:96
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:590
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:378
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1339
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:675
options::persist_key
bool persist_key
Definition: options.h:311
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
options::replay_window
int replay_window
Definition: options.h:526
options::persist_mode
int persist_mode
Definition: options.h:237
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:456
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:367
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3784
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:357
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:328
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:109
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:283
CAS_CONNECT_DONE
Definition: ssl_common.h:549
options::rcvbuf
int rcvbuf
Definition: options.h:365
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:353
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:109
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:470
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:319
options::connection_list
struct connection_list * connection_list
Definition: options.h:253
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:191
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:268
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:191
options::exit_event_name
const char * exit_event_name
Definition: options.h:636
AR_NONE
#define AR_NONE
Definition: options.h:841
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:242
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
options::route_noexec
bool route_noexec
Definition: options.h:381
options::sockflags
unsigned int sockflags
Definition: options.h:373
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2548
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:174
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:150
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3514
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:248
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:381
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:342
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:13
options::route_script
const char * route_script
Definition: options.h:376
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:402
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:491
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:154
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:105
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:161
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:188
in_addr_t
#define in_addr_t
Definition: config-msvc.h:103
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3129
options::config
const char * config
Definition: options.h:219
dmsg
#define dmsg(flags,...)
Definition: error.h:157
options::route_delay
int route_delay
Definition: options.h:382
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4630
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:333
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:377
tls_options::gremlin
int gremlin
Definition: ssl_common.h:415
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3809
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:418
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:249
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:249
options::down_pre
bool down_pre
Definition: options.h:335
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:294
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:697
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:189
SIGTERM
#define SIGTERM
Definition: config-msvc.h:117
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:369
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1444
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:524
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:586
options::push_peer_info
bool push_peer_info
Definition: options.h:625
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:677
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
SIGHUP
#define SIGHUP
Definition: config-msvc.h:113
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:591
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3742
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:151
PING_RESTART
#define PING_RESTART
Definition: options.h:305
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3079
options::handshake_window
int handshake_window
Definition: options.h:595
ASSERT
#define ASSERT(x)
Definition: error.h:204
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3846
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:128
tls_options
Definition: ssl_common.h:282
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:330
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:225
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:234
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:346
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:67
connection_list::current
int current
Definition: options.h:172
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:265
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:131
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:355
options::verify_x509_type
int verify_x509_type
Definition: options.h:556
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:259
close_management
void close_management(void)
Definition: init.c:4015
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:350
adjust_mtu_peerid
static void adjust_mtu_peerid(struct context *c)
Definition: init.c:2254
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:168
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:489
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:352
options::prng_hash
const char * prng_hash
Definition: options.h:521
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:300
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
D_LOW
#define D_LOW
Definition: errlevel.h:97
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:279
options::fast_io
bool fast_io
Definition: options.h:358
options::key_direction
int key_direction
Definition: options.h:515
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:321
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:194
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:168
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:122
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:70
init_static
bool init_static(void)
Definition: init.c:755
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:193
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:255
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:223
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:643
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:284
options::route_delay_defined
bool route_delay_defined
Definition: options.h:384
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:473
options::tls_exit
bool tls_exit
Definition: options.h:627
MF_SERVER
#define MF_SERVER
Definition: manage.h:326
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1035
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:264
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
connection_entry::key_direction
int key_direction
Definition: options.h:147
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:705
options::route_nopull
bool route_nopull
Definition: options.h:388
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3621
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1240
frame_add_to_extra_tun
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:558
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:378
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:519
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4043
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:340
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:137
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
options::remote_random
bool remote_random
Definition: options.h:267
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:235
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:168
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1025