OpenVPN
init.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_SYSTEMD
33 #include <systemd/sd-daemon.h>
34 #endif
35 
36 #include "win32.h"
37 #include "init.h"
38 #include "run_command.h"
39 #include "sig.h"
40 #include "occ.h"
41 #include "list.h"
42 #include "otime.h"
43 #include "pool.h"
44 #include "gremlin.h"
45 #include "occ.h"
46 #include "pkcs11.h"
47 #include "ps.h"
48 #include "lladdr.h"
49 #include "ping.h"
50 #include "mstats.h"
51 #include "ssl_verify.h"
52 #include "ssl_ncp.h"
53 #include "tls_crypt.h"
54 #include "forward.h"
55 #include "auth_token.h"
56 
57 #include "memdbg.h"
58 
59 
60 static struct context *static_context; /* GLOBAL */
61 static const char *saved_pid_file_name; /* GLOBAL */
62 
63 /*
64  * Crypto initialization flags
65  */
66 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
67 #define CF_INIT_TLS_MULTI (1<<1)
68 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
69 
70 static void do_init_first_time(struct context *c);
71 
72 void
73 context_clear(struct context *c)
74 {
75  CLEAR(*c);
76 }
77 
78 void
79 context_clear_1(struct context *c)
80 {
81  CLEAR(c->c1);
82 }
83 
84 void
85 context_clear_2(struct context *c)
86 {
87  CLEAR(c->c2);
88 }
89 
90 void
91 context_clear_all_except_first_time(struct context *c)
92 {
93  const bool first_time_save = c->first_time;
94  const struct context_persist cpsave = c->persist;
95  context_clear(c);
96  c->first_time = first_time_save;
97  c->persist = cpsave;
98 }
99 
100 /*
101  * Pass tunnel endpoint and MTU parms to a user-supplied script.
102  * Used to execute the up/down script/plugins.
103  */
104 static void
105 run_up_down(const char *command,
106  const struct plugin_list *plugins,
107  int plugin_type,
108  const char *arg,
109 #ifdef _WIN32
110  DWORD adapter_index,
111 #endif
112  const char *dev_type,
113  int tun_mtu,
114  int link_mtu,
115  const char *ifconfig_local,
116  const char *ifconfig_remote,
117  const char *context,
118  const char *signal_text,
119  const char *script_type,
120  struct env_set *es)
121 {
122  struct gc_arena gc = gc_new();
123 
124  if (signal_text)
125  {
126  setenv_str(es, "signal", signal_text);
127  }
128  setenv_str(es, "script_context", context);
129  setenv_int(es, "tun_mtu", tun_mtu);
130  setenv_int(es, "link_mtu", link_mtu);
131  setenv_str(es, "dev", arg);
132  if (dev_type)
133  {
134  setenv_str(es, "dev_type", dev_type);
135  }
136 #ifdef _WIN32
137  setenv_int(es, "dev_idx", adapter_index);
138 #endif
139 
140  if (!ifconfig_local)
141  {
142  ifconfig_local = "";
143  }
144  if (!ifconfig_remote)
145  {
146  ifconfig_remote = "";
147  }
148  if (!context)
149  {
150  context = "";
151  }
152 
153  if (plugin_defined(plugins, plugin_type))
154  {
155  struct argv argv = argv_new();
156  ASSERT(arg);
157  argv_printf(&argv,
158  "%s %d %d %s %s %s",
159  arg,
160  tun_mtu, link_mtu,
161  ifconfig_local, ifconfig_remote,
162  context);
163 
164  if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
165  {
166  msg(M_FATAL, "ERROR: up/down plugin call failed");
167  }
168 
169  argv_free(&argv);
170  }
171 
172  if (command)
173  {
174  struct argv argv = argv_new();
175  ASSERT(arg);
176  setenv_str(es, "script_type", script_type);
177  argv_parse_cmd(&argv, command);
178  argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
179  ifconfig_local, ifconfig_remote, context);
180  argv_msg(M_INFO, &argv);
181  openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
182  argv_free(&argv);
183  }
184 
185  gc_free(&gc);
186 }
187 
188 /*
189  * Should be called after options->ce is modified at the top
190  * of a SIGUSR1 restart.
191  */
192 static void
193 update_options_ce_post(struct options *options)
194 {
195  /*
196  * In pull mode, we usually import --ping/--ping-restart parameters from
197  * the server. However we should also set an initial default --ping-restart
198  * for the period of time before we pull the --ping-restart parameter
199  * from the server.
200  */
201  if (options->pull
202  && options->ping_rec_timeout_action == PING_UNDEF
203  && proto_is_dgram(options->ce.proto))
204  {
205  options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
206  options->ping_rec_timeout_action = PING_RESTART;
207  }
208 }
209 
210 #ifdef ENABLE_MANAGEMENT
211 static bool
212 management_callback_proxy_cmd(void *arg, const char **p)
213 {
214  struct context *c = arg;
215  struct connection_entry *ce = &c->options.ce;
216  struct gc_arena *gc = &c->c2.gc;
217  bool ret = false;
218 
219  update_time();
220  if (streq(p[1], "NONE"))
221  {
222  ret = true;
223  }
224  else if (p[2] && p[3])
225  {
226  if (streq(p[1], "HTTP"))
227  {
228  struct http_proxy_options *ho;
229  if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
230  {
231  msg(M_WARN, "HTTP proxy support only works for TCP based connections");
232  return false;
233  }
234  ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
235  ho->server = string_alloc(p[2], gc);
236  ho->port = string_alloc(p[3], gc);
237  ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
238  ret = true;
239  }
240  else if (streq(p[1], "SOCKS"))
241  {
242  ce->socks_proxy_server = string_alloc(p[2], gc);
243  ce->socks_proxy_port = string_alloc(p[3], gc);
244  ret = true;
245  }
246  }
247  else
248  {
249  msg(M_WARN, "Bad proxy command");
250  }
251 
252  ce->flags &= ~CE_MAN_QUERY_PROXY;
253 
254  return ret;
255 }
256 
257 static bool
258 ce_management_query_proxy(struct context *c)
259 {
260  const struct connection_list *l = c->options.connection_list;
261  struct connection_entry *ce = &c->options.ce;
262  struct gc_arena gc;
263  bool ret = true;
264 
265  update_time();
266  if (management)
267  {
268  gc = gc_new();
269  {
270  struct buffer out = alloc_buf_gc(256, &gc);
271  buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
272  (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
273  management_notify_generic(management, BSTR(&out));
274  management->persist.special_state_msg = BSTR(&out);
275  }
276  ce->flags |= CE_MAN_QUERY_PROXY;
277  while (ce->flags & CE_MAN_QUERY_PROXY)
278  {
279  management_event_loop_n_seconds(management, 1);
280  if (IS_SIG(c))
281  {
282  ret = false;
283  break;
284  }
285  }
286  management->persist.special_state_msg = NULL;
287  gc_free(&gc);
288  }
289 
290  return ret;
291 }
292 
307 static bool
308 management_callback_send_cc_message(void *arg,
309  const char *command,
310  const char *parameters)
311 {
312  struct context *c = (struct context *) arg;
313  size_t len = strlen(command) + 1 + strlen(parameters) + 1;
314  if (len > PUSH_BUNDLE_SIZE)
315  {
316  return false;
317  }
318 
319  struct gc_arena gc = gc_new();
320  struct buffer buf = alloc_buf_gc(len, &gc);
321  ASSERT(buf_printf(&buf, "%s", command));
322  if (parameters)
323  {
324  ASSERT(buf_printf(&buf, ",%s", parameters));
325  }
326  bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
327 
328  gc_free(&gc);
329  return status;
330 }
331 
332 static bool
333 management_callback_remote_cmd(void *arg, const char **p)
334 {
335  struct context *c = (struct context *) arg;
336  struct connection_entry *ce = &c->options.ce;
337  int ret = false;
338  if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
339  {
340  int flags = 0;
341  if (!strcmp(p[1], "ACCEPT"))
342  {
343  flags = CE_MAN_QUERY_REMOTE_ACCEPT;
344  ret = true;
345  }
346  else if (!strcmp(p[1], "SKIP"))
347  {
348  flags = CE_MAN_QUERY_REMOTE_SKIP;
349  ret = true;
350  }
351  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
352  {
353  if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
354  {
355  struct remote_host_store *rhs = c->options.rh_store;
356  if (!rhs)
357  {
358  ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
359  c->options.rh_store = rhs;
360  }
361  strncpynt(rhs->host, p[2], RH_HOST_LEN);
362  strncpynt(rhs->port, p[3], RH_PORT_LEN);
363 
364  ce->remote = rhs->host;
365  ce->remote_port = rhs->port;
366  flags = CE_MAN_QUERY_REMOTE_MOD;
367  ret = true;
368  }
369  }
370  if (ret)
371  {
372  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
373  ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
374  }
375  }
376  return ret;
377 }
378 
379 static bool
380 ce_management_query_remote(struct context *c)
381 {
382  struct gc_arena gc = gc_new();
383  volatile struct connection_entry *ce = &c->options.ce;
384  int ce_changed = true; /* presume the connection entry will be changed */
385 
386  update_time();
387  if (management)
388  {
389  struct buffer out = alloc_buf_gc(256, &gc);
390 
391  buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
392  proto2ascii(ce->proto, ce->af, false));
393  management_notify_generic(management, BSTR(&out));
394  management->persist.special_state_msg = BSTR(&out);
395 
396  ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
397  ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
398  while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
399  & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
400  {
401  management_event_loop_n_seconds(management, 1);
402  if (IS_SIG(c))
403  {
404  ce_changed = false; /* connection entry have not been set */
405  break;
406  }
407  }
408  management->persist.special_state_msg = NULL;
409  }
410  gc_free(&gc);
411 
412  if (ce_changed)
413  {
414  /* If it is likely a connection entry was modified,
415  * check what changed in the flags and that it was not skipped
416  */
417  const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
418  & CE_MAN_QUERY_REMOTE_MASK);
419  ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
420  }
421  return ce_changed;
422 }
423 #endif /* ENABLE_MANAGEMENT */
424 
425 /*
426  * Initialize and possibly randomize connection list.
427  */
428 static void
429 init_connection_list(struct context *c)
430 {
431  struct connection_list *l = c->options.connection_list;
432 
433  l->current = -1;
434  if (c->options.remote_random)
435  {
436  int i;
437  for (i = 0; i < l->len; ++i)
438  {
439  const int j = get_random() % l->len;
440  if (i != j)
441  {
442  struct connection_entry *tmp;
443  tmp = l->array[i];
444  l->array[i] = l->array[j];
445  l->array[j] = tmp;
446  }
447  }
448  }
449 }
450 
451 /*
452  * Clear the remote address list
453  */
454 static void
455 clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
456 {
457  if (lsa->remote_list && free)
458  {
459  freeaddrinfo(lsa->remote_list);
460  }
461  lsa->remote_list = NULL;
462  lsa->current_remote = NULL;
463 }
464 
465 /*
466  * Increment to next connection entry
467  */
468 static void
469 next_connection_entry(struct context *c)
470 {
471  struct connection_list *l = c->options.connection_list;
472  bool ce_defined;
473  struct connection_entry *ce;
474  int n_cycles = 0;
475 
476  do
477  {
478  ce_defined = true;
479  if (c->options.no_advance && l->current >= 0)
480  {
481  c->options.no_advance = false;
482  }
483  else
484  {
485  /* Check if there is another resolved address to try for
486  * the current connection */
487  if (c->c1.link_socket_addr.current_remote
488  && c->c1.link_socket_addr.current_remote->ai_next)
489  {
490  c->c1.link_socket_addr.current_remote =
491  c->c1.link_socket_addr.current_remote->ai_next;
492  }
493  else
494  {
495  /* FIXME (schwabe) fix the persist-remote-ip option for real,
496  * this is broken probably ever since connection lists and multiple
497  * remote existed
498  */
499  if (!c->options.persist_remote_ip)
500  {
501  /* Connection entry addrinfo objects might have been
502  * resolved earlier but the entry itself might have been
503  * skipped by management on the previous loop.
504  * If so, clear the addrinfo objects as close_instance does
505  */
506  if (c->c1.link_socket_addr.remote_list)
507  {
508  clear_remote_addrlist(&c->c1.link_socket_addr,
509  !c->options.resolve_in_advance);
510  }
511 
512  /* close_instance should have cleared the addrinfo objects */
513  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
514  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
515  }
516  else
517  {
518  c->c1.link_socket_addr.current_remote =
519  c->c1.link_socket_addr.remote_list;
520  }
521 
522  /*
523  * Increase the number of connection attempts
524  * If this is connect-retry-max * size(l)
525  * OpenVPN will quit
526  */
527 
528  c->options.unsuccessful_attempts++;
529 
530  if (++l->current >= l->len)
531  {
532 
533  l->current = 0;
534  if (++n_cycles >= 2)
535  {
536  msg(M_FATAL, "No usable connection profiles are present");
537  }
538  }
539  }
540  }
541 
542  ce = l->array[l->current];
543 
544  if (ce->flags & CE_DISABLED)
545  {
546  ce_defined = false;
547  }
548 
549  c->options.ce = *ce;
550 #ifdef ENABLE_MANAGEMENT
551  if (ce_defined && management && management_query_remote_enabled(management))
552  {
553  /* allow management interface to override connection entry details */
554  ce_defined = ce_management_query_remote(c);
555  if (IS_SIG(c))
556  {
557  break;
558  }
559  }
560  else if (ce_defined && management && management_query_proxy_enabled(management))
561  {
562  ce_defined = ce_management_query_proxy(c);
563  if (IS_SIG(c))
564  {
565  break;
566  }
567  }
568 #endif
569  } while (!ce_defined);
570 
571  /* Check if this connection attempt would bring us over the limit */
572  if (c->options.connect_retry_max > 0
573  && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
574  {
575  msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
576  c->options.connect_retry_max);
577  }
578  update_options_ce_post(&c->options);
579 }
580 
581 /*
582  * Query for private key and auth-user-pass username/passwords
583  */
584 void
585 init_query_passwords(const struct context *c)
586 {
587  /* Certificate password input */
588  if (c->options.key_pass_file)
589  {
590  pem_password_setup(c->options.key_pass_file);
591  }
592 
593  /* Auth user/pass input */
594  if (c->options.auth_user_pass_file)
595  {
596 #ifdef ENABLE_MANAGEMENT
597  auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
598 #else
599  auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
600 #endif
601  }
602 }
603 
604 /*
605  * Initialize/Uninitialize HTTP or SOCKS proxy
606  */
607 
608 static void
609 uninit_proxy_dowork(struct context *c)
610 {
611  if (c->c1.http_proxy_owned && c->c1.http_proxy)
612  {
613  http_proxy_close(c->c1.http_proxy);
614  c->c1.http_proxy = NULL;
615  c->c1.http_proxy_owned = false;
616  }
617  if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
618  {
619  socks_proxy_close(c->c1.socks_proxy);
620  c->c1.socks_proxy = NULL;
621  c->c1.socks_proxy_owned = false;
622  }
623 }
624 
625 static void
626 init_proxy_dowork(struct context *c)
627 {
628  bool did_http = false;
629 
630  uninit_proxy_dowork(c);
631 
632  if (c->options.ce.http_proxy_options)
633  {
634  /* Possible HTTP proxy user/pass input */
635  c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
636  if (c->c1.http_proxy)
637  {
638  did_http = true;
639  c->c1.http_proxy_owned = true;
640  }
641  }
642 
643  if (!did_http && c->options.ce.socks_proxy_server)
644  {
645  c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
646  c->options.ce.socks_proxy_port,
647  c->options.ce.socks_proxy_authfile);
648  if (c->c1.socks_proxy)
649  {
650  c->c1.socks_proxy_owned = true;
651  }
652  }
653 }
654 
655 static void
656 init_proxy(struct context *c)
657 {
658  init_proxy_dowork(c);
659 }
660 
661 static void
662 uninit_proxy(struct context *c)
663 {
664  uninit_proxy_dowork(c);
665 }
666 
667 void
668 context_init_1(struct context *c)
669 {
670  context_clear_1(c);
671 
672  packet_id_persist_init(&c->c1.pid_persist);
673 
674  init_connection_list(c);
675 
676 #if defined(ENABLE_PKCS11)
677  if (c->first_time)
678  {
679  int i;
680  pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
681  for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
682  {
683  pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
684  c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
685  }
686  }
687 #endif
688 
689 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
690  {
691  /*
692  * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
693  */
694  struct user_pass up;
695  CLEAR(up);
696  strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
697  get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
698  msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
699  * 'needok' command, usually 'ok' or 'cancel'. */
700  }
701 #endif
702 
703 #ifdef ENABLE_SYSTEMD
704  /* We can report the PID via getpid() to systemd here as OpenVPN will not
705  * do any fork due to daemon() a future call.
706  * See possibly_become_daemon() [init.c] for more details.
707  */
708  sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
709  (unsigned long) getpid());
710 #endif
711 
712 }
713 
714 void
715 context_gc_free(struct context *c)
716 {
717  gc_free(&c->c2.gc);
718  gc_free(&c->options.gc);
719  gc_free(&c->gc);
720 }
721 
722 #if PORT_SHARE
723 
724 static void
725 close_port_share(void)
726 {
727  if (port_share)
728  {
729  port_share_close(port_share);
730  port_share = NULL;
731  }
732 }
733 
734 static void
735 init_port_share(struct context *c)
736 {
737  if (!port_share && (c->options.port_share_host && c->options.port_share_port))
738  {
739  port_share = port_share_open(c->options.port_share_host,
740  c->options.port_share_port,
741  MAX_RW_SIZE_LINK(&c->c2.frame),
742  c->options.port_share_journal_dir);
743  if (port_share == NULL)
744  {
745  msg(M_FATAL, "Fatal error: Port sharing failed");
746  }
747  }
748 }
749 
750 #endif /* if PORT_SHARE */
751 
752 
753 bool
754 init_static(void)
755 {
756  /* configure_path (); */
757 
758 #if defined(DMALLOC)
759  crypto_init_dmalloc();
760 #endif
761 
762 
763  /*
764  * Initialize random number seed. random() is only used
765  * when "weak" random numbers are acceptable.
766  * SSL library routines are always used when cryptographically
767  * strong random numbers are required.
768  */
769  struct timeval tv;
770  if (!gettimeofday(&tv, NULL))
771  {
772  const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
773  srandom(seed);
774  }
775 
776  error_reset(); /* initialize error.c */
777  reset_check_status(); /* initialize status check code in socket.c */
778 
779 #ifdef _WIN32
780  init_win32();
781 #endif
782 
783 #ifdef OPENVPN_DEBUG_COMMAND_LINE
784  {
785  int i;
786  for (i = 0; i < argc; ++i)
787  {
788  msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
789  }
790  }
791 #endif
792 
793  update_time();
794 
795  init_ssl_lib();
796 
797  /* init PRNG used for IV generation */
798  /* When forking, copy this to more places in the code to avoid fork
799  * random-state predictability */
800  prng_init(NULL, 0);
801 
802 #ifdef PID_TEST
803  packet_id_interactive_test(); /* test the sequence number code */
804  return false;
805 #endif
806 
807 #ifdef SCHEDULE_TEST
808  schedule_test();
809  return false;
810 #endif
811 
812 #ifdef LIST_TEST
813  list_test();
814  return false;
815 #endif
816 
817 #ifdef IFCONFIG_POOL_TEST
818  ifconfig_pool_test(0x0A010004, 0x0A0100FF);
819  return false;
820 #endif
821 
822 #ifdef CHARACTER_CLASS_DEBUG
823  character_class_debug();
824  return false;
825 #endif
826 
827 #ifdef EXTRACT_X509_FIELD_TEST
828  extract_x509_field_test();
829  return false;
830 #endif
831 
832 #ifdef TIME_TEST
833  time_test();
834  return false;
835 #endif
836 
837 #ifdef TEST_GET_DEFAULT_GATEWAY
838  {
839  struct route_gateway_info rgi;
840  struct route_ipv6_gateway_info rgi6;
841  get_default_gateway(&rgi);
842  get_default_gateway_ipv6(&rgi6, NULL);
843  print_default_gateway(M_INFO, &rgi, &rgi6);
844  return false;
845  }
846 #endif
847 
848 #ifdef GEN_PATH_TEST
849  {
850  struct gc_arena gc = gc_new();
851  const char *fn = gen_path("foo",
852  "bar",
853  &gc);
854  printf("%s\n", fn);
855  gc_free(&gc);
856  }
857  return false;
858 #endif
859 
860 #ifdef STATUS_PRINTF_TEST
861  {
862  struct gc_arena gc = gc_new();
863  const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
864  struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
865  status_printf(so, "%s", "foo");
866  status_printf(so, "%s", "bar");
867  if (!status_close(so))
868  {
869  msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
870  }
871  gc_free(&gc);
872  }
873  return false;
874 #endif
875 
876 #ifdef PRNG_TEST
877  {
878  struct gc_arena gc = gc_new();
879  uint8_t rndbuf[8];
880  int i;
881  prng_init("sha1", 16);
882  /*prng_init (NULL, 0);*/
883  const int factor = 1;
884  for (i = 0; i < factor * 8; ++i)
885  {
886 #if 1
887  prng_bytes(rndbuf, sizeof(rndbuf));
888 #else
889  ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
890 #endif
891  printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
892  }
893  gc_free(&gc);
894  prng_uninit();
895  return false;
896  }
897 #endif /* ifdef PRNG_TEST */
898 
899 #ifdef BUFFER_LIST_AGGREGATE_TEST
900  /* test buffer_list_aggregate function */
901  {
902  static const char *text[] = {
903  "It was a bright cold day in April, ",
904  "and the clocks were striking ",
905  "thirteen. ",
906  "Winston Smith, ",
907  "his chin nuzzled into his breast in an ",
908  "effort to escape the vile wind, ",
909  "slipped quickly through the glass doors ",
910  "of Victory Mansions, though not quickly ",
911  "enough to prevent a swirl of gritty dust from ",
912  "entering along with him."
913  };
914 
915  int iter, listcap;
916  for (listcap = 0; listcap < 12; ++listcap)
917  {
918  for (iter = 0; iter < 512; ++iter)
919  {
920  struct buffer_list *bl = buffer_list_new(listcap);
921  {
922  int i;
923  for (i = 0; i < SIZE(text); ++i)
924  {
925  buffer_list_push(bl, (unsigned char *)text[i]);
926  }
927  }
928  printf("[cap=%d i=%d] *************************\n", listcap, iter);
929  if (!(iter & 8))
930  {
931  buffer_list_aggregate(bl, iter/2);
932  }
933  if (!(iter & 16))
934  {
935  buffer_list_push(bl, (unsigned char *)"Even more text...");
936  }
937  buffer_list_aggregate(bl, iter);
938  if (!(iter & 1))
939  {
940  buffer_list_push(bl, (unsigned char *)"More text...");
941  }
942  {
943  struct buffer *buf;
944  while ((buf = buffer_list_peek(bl)))
945  {
946  int c;
947  printf("'");
948  while ((c = buf_read_u8(buf)) >= 0)
949  {
950  putchar(c);
951  }
952  printf("'\n");
953  buffer_list_advance(bl, 0);
954  }
955  }
956  buffer_list_free(bl);
957  }
958  }
959  return false;
960  }
961 #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
962 
963 #ifdef MSTATS_TEST
964  {
965  int i;
966  mstats_open("/dev/shm/mstats.dat");
967  for (i = 0; i < 30; ++i)
968  {
969  mmap_stats->n_clients += 1;
970  mmap_stats->link_write_bytes += 8;
971  mmap_stats->link_read_bytes += 16;
972  sleep(1);
973  }
974  mstats_close();
975  return false;
976  }
977 #endif
978 
979  return true;
980 }
981 
982 void
983 uninit_static(void)
984 {
985  free_ssl_lib();
986 
987 #ifdef ENABLE_PKCS11
988  pkcs11_terminate();
989 #endif
990 
991 #if PORT_SHARE
992  close_port_share();
993 #endif
994 
995 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
996  show_tls_performance_stats();
997 #endif
998 }
999 
1000 void
1001 init_verb_mute(struct context *c, unsigned int flags)
1002 {
1003  if (flags & IVM_LEVEL_1)
1004  {
1005  /* set verbosity and mute levels */
1006  set_check_status(D_LINK_ERRORS, D_READ_WRITE);
1007  set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
1008  set_mute_cutoff(c->options.mute);
1009  }
1010 
1011  /* special D_LOG_RW mode */
1012  if (flags & IVM_LEVEL_2)
1013  {
1014  c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
1015  }
1016 }
1017 
1018 /*
1019  * Possibly set --dev based on --dev-node.
1020  * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1021  * set --dev to tun.
1022  */
1023 void
1024 init_options_dev(struct options *options)
1025 {
1026  if (!options->dev && options->dev_node)
1027  {
1028  char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
1029  options->dev = basename(dev_node);
1030  }
1031 }
1032 
1033 bool
1034 print_openssl_info(const struct options *options)
1035 {
1036  /*
1037  * OpenSSL info print mode?
1038  */
1039  if (options->show_ciphers || options->show_digests || options->show_engines
1040  || options->show_tls_ciphers || options->show_curves)
1041  {
1042  if (options->show_ciphers)
1043  {
1044  show_available_ciphers();
1045  }
1046  if (options->show_digests)
1047  {
1048  show_available_digests();
1049  }
1050  if (options->show_engines)
1051  {
1052  show_available_engines();
1053  }
1054  if (options->show_tls_ciphers)
1055  {
1056  show_available_tls_ciphers(options->cipher_list,
1057  options->cipher_list_tls13,
1058  options->tls_cert_profile);
1059  }
1060  if (options->show_curves)
1061  {
1062  show_available_curves();
1063  }
1064  return true;
1065  }
1066  return false;
1067 }
1068 
1069 /*
1070  * Static pre-shared key generation mode?
1071  */
1072 bool
1073 do_genkey(const struct options *options)
1074 {
1075  /* should we disable paging? */
1076  if (options->mlock && (options->genkey))
1077  {
1078  platform_mlockall(true);
1079  }
1080 
1081  /*
1082  * We do not want user to use --genkey with --secret. In the transistion
1083  * phase we for secret.
1084  */
1085  if (options->genkey && options->genkey_type != GENKEY_SECRET
1086  && options->shared_secret_file)
1087  {
1088  msg(M_USAGE, "Using --genkey type with --secret filename is "
1089  "not supported. Use --genkey type filename instead.");
1090  }
1091  if (options->genkey && options->genkey_type == GENKEY_SECRET)
1092  {
1093  int nbits_written;
1094  const char *genkey_filename = options->genkey_filename;
1095  if (options->shared_secret_file && options->genkey_filename)
1096  {
1097  msg(M_USAGE, "You must provide a filename to either --genkey "
1098  "or --secret, not both");
1099  }
1100 
1101  /*
1102  * Copy filename from shared_secret_file to genkey_filename to support
1103  * the old --genkey --secret foo.file syntax.
1104  */
1105  if (options->shared_secret_file)
1106  {
1107  msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1108  "DEPRECATED. Use --genkey secret filename instead.");
1109  genkey_filename = options->shared_secret_file;
1110  }
1111 
1112  nbits_written = write_key_file(2, genkey_filename);
1113  if (nbits_written < 0)
1114  {
1115  msg(M_FATAL, "Failed to write key file");
1116  }
1117 
1118  msg(D_GENKEY | M_NOPREFIX,
1119  "Randomly generated %d bit key written to %s", nbits_written,
1120  options->shared_secret_file);
1121  return true;
1122  }
1123  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
1124  {
1125  tls_crypt_v2_write_server_key_file(options->genkey_filename);
1126  return true;
1127  }
1128  else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1129  {
1130  if (!options->tls_crypt_v2_file)
1131  {
1132  msg(M_USAGE,
1133  "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1134  }
1135 
1136  tls_crypt_v2_write_client_key_file(options->genkey_filename,
1137  options->genkey_extra_data, options->tls_crypt_v2_file,
1138  options->tls_crypt_v2_file_inline);
1139  return true;
1140  }
1141  else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1142  {
1143  auth_token_write_server_key_file(options->genkey_filename);
1144  return true;
1145  }
1146  else
1147  {
1148  return false;
1149  }
1150 }
1151 
1152 /*
1153  * Persistent TUN/TAP device management mode?
1154  */
1155 bool
1156 do_persist_tuntap(const struct options *options, openvpn_net_ctx_t *ctx)
1157 {
1158  if (options->persist_config)
1159  {
1160  /* sanity check on options for --mktun or --rmtun */
1161  notnull(options->dev, "TUN/TAP device (--dev)");
1162  if (options->ce.remote || options->ifconfig_local
1163  || options->ifconfig_remote_netmask
1164  || options->shared_secret_file
1165  || options->tls_server || options->tls_client
1166  )
1167  {
1168  msg(M_FATAL|M_OPTERR,
1169  "options --mktun or --rmtun should only be used together with --dev");
1170  }
1171 #ifdef ENABLE_FEATURE_TUN_PERSIST
1172  tuncfg(options->dev, options->dev_type, options->dev_node,
1173  options->persist_mode,
1174  options->username, options->groupname, &options->tuntap_options,
1175  ctx);
1176  if (options->persist_mode && options->lladdr)
1177  {
1178  set_lladdr(options->dev, options->lladdr, NULL);
1179  }
1180  return true;
1181 #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1182  msg( M_FATAL|M_OPTERR,
1183  "options --mktun and --rmtun are not available on your operating "
1184  "system. Please check 'man tun' (or 'tap'), whether your system "
1185  "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1186  "persistent tunnel interfaces.", options->dev );
1187 #endif
1188  }
1189  return false;
1190 }
1191 
1192 /*
1193  * Should we become a daemon?
1194  * Return true if we did it.
1195  */
1196 bool
1197 possibly_become_daemon(const struct options *options)
1198 {
1199  bool ret = false;
1200 
1201 #ifdef ENABLE_SYSTEMD
1202  /* return without forking if we are running from systemd */
1203  if (sd_notify(0, "READY=0") > 0)
1204  {
1205  return ret;
1206  }
1207 #endif
1208 
1209  if (options->daemon)
1210  {
1211  /* Don't chdir immediately, but the end of the init sequence, if needed */
1212 
1213 #if defined(__APPLE__) && defined(__clang__)
1214 #pragma clang diagnostic push
1215 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1216 #endif
1217  if (daemon(1, options->log) < 0)
1218  {
1219  msg(M_ERR, "daemon() failed or unsupported");
1220  }
1221 #if defined(__APPLE__) && defined(__clang__)
1222 #pragma clang diagnostic pop
1223 #endif
1224  restore_signal_state();
1225  if (options->log)
1226  {
1227  set_std_files_to_null(true);
1228  }
1229 
1230  ret = true;
1231  }
1232  return ret;
1233 }
1234 
1235 /*
1236  * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
1237  */
1238 static void
1239 do_uid_gid_chroot(struct context *c, bool no_delay)
1240 {
1241  static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1242  struct context_0 *c0 = c->c0;
1243 
1244  if (c0 && !c0->uid_gid_chroot_set)
1245  {
1246  /* chroot if requested */
1247  if (c->options.chroot_dir)
1248  {
1249  if (no_delay)
1250  {
1251  platform_chroot(c->options.chroot_dir);
1252  }
1253  else if (c->first_time)
1254  {
1255  msg(M_INFO, "NOTE: chroot %s", why_not);
1256  }
1257  }
1258 
1259  /* set user and/or group if we want to setuid/setgid */
1260  if (c0->uid_gid_specified)
1261  {
1262  if (no_delay)
1263  {
1264  platform_group_set(&c0->platform_state_group);
1265  platform_user_set(&c0->platform_state_user);
1266  }
1267  else if (c->first_time)
1268  {
1269  msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
1270  }
1271  }
1272 
1273 #ifdef ENABLE_MEMSTATS
1274  if (c->first_time && c->options.memstats_fn)
1275  {
1276  mstats_open(c->options.memstats_fn);
1277  }
1278 #endif
1279 
1280 #ifdef ENABLE_SELINUX
1281  /* Apply a SELinux context in order to restrict what OpenVPN can do
1282  * to _only_ what it is supposed to do after initialization is complete
1283  * (basically just network I/O operations). Doing it after chroot
1284  * requires /proc to be mounted in the chroot (which is annoying indeed
1285  * but doing it before requires more complex SELinux policies.
1286  */
1287  if (c->options.selinux_context)
1288  {
1289  if (no_delay)
1290  {
1291  if (-1 == setcon(c->options.selinux_context))
1292  {
1293  msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1294  }
1295  else
1296  {
1297  msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1298  }
1299  }
1300  else if (c->first_time)
1301  {
1302  msg(M_INFO, "NOTE: setcon %s", why_not);
1303  }
1304  }
1305 #endif
1306 
1307  /* Privileges are going to be dropped by now (if requested), be sure
1308  * to prevent any future privilege dropping attempts from now on.
1309  */
1310  if (no_delay)
1311  {
1312  c0->uid_gid_chroot_set = true;
1313  }
1314  }
1315 }
1316 
1317 /*
1318  * Return common name in a way that is formatted for
1319  * prepending to msg() output.
1320  */
1321 const char *
1322 format_common_name(struct context *c, struct gc_arena *gc)
1323 {
1324  struct buffer out = alloc_buf_gc(256, gc);
1325  if (c->c2.tls_multi)
1326  {
1327  buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
1328  }
1329  return BSTR(&out);
1330 }
1331 
1332 void
1333 pre_setup(const struct options *options)
1334 {
1335 #ifdef _WIN32
1336  if (options->exit_event_name)
1337  {
1338  win32_signal_open(&win32_signal,
1339  WSO_FORCE_SERVICE,
1340  options->exit_event_name,
1341  options->exit_event_initial_state);
1342  }
1343  else
1344  {
1345  win32_signal_open(&win32_signal,
1346  WSO_FORCE_CONSOLE,
1347  NULL,
1348  false);
1349 
1350  /* put a title on the top window bar */
1351  if (win32_signal.mode == WSO_MODE_CONSOLE)
1352  {
1353  window_title_save(&window_title);
1354  window_title_generate(options->config);
1355  }
1356  }
1357 #endif /* ifdef _WIN32 */
1358 }
1359 
1360 void
1361 reset_coarse_timers(struct context *c)
1362 {
1363  c->c2.coarse_timer_wakeup = 0;
1364 }
1365 
1366 /*
1367  * Initialise the server poll timeout timer
1368  * This timer is used in the http/socks proxy setup so it needs to be setup
1369  * before
1370  */
1371 static void
1372 do_init_server_poll_timeout(struct context *c)
1373 {
1374  update_time();
1375  if (c->options.ce.connect_timeout)
1376  {
1377  event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1378  }
1379 }
1380 
1381 /*
1382  * Initialize timers
1383  */
1384 static void
1385 do_init_timers(struct context *c, bool deferred)
1386 {
1387  update_time();
1388  reset_coarse_timers(c);
1389 
1390  /* initialize inactivity timeout */
1391  if (c->options.inactivity_timeout)
1392  {
1393  event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1394  }
1395 
1396  /* initialize pings */
1397 
1398  if (c->options.ping_send_timeout)
1399  {
1400  event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1401  }
1402 
1403  if (c->options.ping_rec_timeout)
1404  {
1405  event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1406  }
1407 
1408  if (!deferred)
1409  {
1410  /* initialize connection establishment timer */
1411  event_timeout_init(&c->c2.wait_for_connect, 1, now);
1412 
1413  /* initialize occ timers */
1414 
1415  if (c->options.occ
1416  && !TLS_MODE(c)
1417  && c->c2.options_string_local && c->c2.options_string_remote)
1418  {
1419  event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1420  }
1421 
1422  if (c->options.mtu_test)
1423  {
1424  event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1425  }
1426 
1427  /* initialize packet_id persistence timer */
1428  if (c->options.packet_id_file)
1429  {
1430  event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1431  }
1432 
1433  /* initialize tmp_int optimization that limits the number of times we call
1434  * tls_multi_process in the main event loop */
1435  interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1436  }
1437 }
1438 
1439 /*
1440  * Initialize traffic shaper.
1441  */
1442 static void
1443 do_init_traffic_shaper(struct context *c)
1444 {
1445  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1446  if (c->options.shaper)
1447  {
1448  shaper_init(&c->c2.shaper, c->options.shaper);
1449  shaper_msg(&c->c2.shaper);
1450  }
1451 }
1452 
1453 /*
1454  * Allocate route list structures for IPv4 and IPv6
1455  * (we do this for IPv4 even if no --route option has been seen, as other
1456  * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1457  */
1458 static void
1459 do_alloc_route_list(struct context *c)
1460 {
1461  if (!c->c1.route_list)
1462  {
1463  ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1464  }
1465  if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1466  {
1467  ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1468  }
1469 }
1470 
1471 
1472 /*
1473  * Initialize the route list, resolving any DNS names in route
1474  * options and saving routes in the environment.
1475  */
1476 static void
1477 do_init_route_list(const struct options *options,
1478  struct route_list *route_list,
1479  const struct link_socket_info *link_socket_info,
1480  struct env_set *es,
1481  openvpn_net_ctx_t *ctx)
1482 {
1483  const char *gw = NULL;
1484  int dev = dev_type_enum(options->dev, options->dev_type);
1485  int metric = 0;
1486 
1487  if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1488  {
1489  gw = options->ifconfig_remote_netmask;
1490  }
1491  if (options->route_default_gateway)
1492  {
1493  gw = options->route_default_gateway;
1494  }
1495  if (options->route_default_metric)
1496  {
1497  metric = options->route_default_metric;
1498  }
1499 
1500  if (init_route_list(route_list,
1501  options->routes,
1502  gw,
1503  metric,
1504  link_socket_current_remote(link_socket_info),
1505  es,
1506  ctx))
1507  {
1508  /* copy routes to environment */
1509  setenv_routes(es, route_list);
1510  }
1511 }
1512 
1513 static void
1514 do_init_route_ipv6_list(const struct options *options,
1515  struct route_ipv6_list *route_ipv6_list,
1516  const struct link_socket_info *link_socket_info,
1517  struct env_set *es,
1518  openvpn_net_ctx_t *ctx)
1519 {
1520  const char *gw = NULL;
1521  int metric = -1; /* no metric set */
1522 
1523  gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1524  if (options->route_ipv6_default_gateway)
1525  {
1526  gw = options->route_ipv6_default_gateway;
1527  }
1528 
1529  if (options->route_default_metric)
1530  {
1531  metric = options->route_default_metric;
1532  }
1533 
1534  /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1535  */
1536  if (options->routes_ipv6->flags & RG_REROUTE_GW)
1537  {
1538  char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1539  int i;
1540 
1541  for (i = 0; opt_list[i]; i++)
1542  {
1543  add_route_ipv6_to_option_list( options->routes_ipv6,
1544  string_alloc(opt_list[i], options->routes_ipv6->gc),
1545  NULL, NULL );
1546  }
1547  }
1548 
1549  if (init_route_ipv6_list(route_ipv6_list,
1550  options->routes_ipv6,
1551  gw,
1552  metric,
1553  link_socket_current_remote_ipv6(link_socket_info),
1554  es,
1555  ctx))
1556  {
1557  /* copy routes to environment */
1558  setenv_routes_ipv6(es, route_ipv6_list);
1559  }
1560 }
1561 
1562 
1563 /*
1564  * Called after all initialization has been completed.
1565  */
1566 void
1567 initialization_sequence_completed(struct context *c, const unsigned int flags)
1568 {
1569  static const char message[] = "Initialization Sequence Completed";
1570 
1571  /* Reset the unsuccessful connection counter on complete initialisation */
1572  c->options.unsuccessful_attempts = 0;
1573 
1574  /* If we delayed UID/GID downgrade or chroot, do it now */
1575  do_uid_gid_chroot(c, true);
1576 
1577 
1578  /*
1579  * In some cases (i.e. when receiving auth-token via
1580  * push-reply) the auth-nocache option configured on the
1581  * client is overridden; for this reason we have to wait
1582  * for the push-reply message before attempting to wipe
1583  * the user/pass entered by the user
1584  */
1585  if (c->options.mode == MODE_POINT_TO_POINT)
1586  {
1587  ssl_clean_user_pass();
1588  }
1589 
1590  /* Test if errors */
1591  if (flags & ISC_ERRORS)
1592  {
1593 #ifdef _WIN32
1594  show_routes(M_INFO|M_NOPREFIX);
1595  show_adapters(M_INFO|M_NOPREFIX);
1596  msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1597 #else
1598 #ifdef ENABLE_SYSTEMD
1599  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1600 #endif /* HAVE_SYSTEMD_SD_DAEMON_H */
1601  msg(M_INFO, "%s With Errors", message);
1602 #endif
1603  }
1604  else
1605  {
1606 #ifdef ENABLE_SYSTEMD
1607  sd_notifyf(0, "STATUS=%s", message);
1608 #endif
1609  msg(M_INFO, "%s", message);
1610  }
1611 
1612  /* Flag that we initialized */
1613  if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1614  {
1615  c->options.no_advance = true;
1616  }
1617 
1618 #ifdef _WIN32
1619  fork_register_dns_action(c->c1.tuntap);
1620 #endif
1621 
1622 #ifdef ENABLE_MANAGEMENT
1623  /* Tell management interface that we initialized */
1624  if (management)
1625  {
1626  in_addr_t *tun_local = NULL;
1627  struct in6_addr *tun_local6 = NULL;
1628  struct openvpn_sockaddr local, remote;
1629  struct link_socket_actual *actual;
1630  socklen_t sa_len = sizeof(local);
1631  const char *detail = "SUCCESS";
1632  if (flags & ISC_ERRORS)
1633  {
1634  detail = "ERROR";
1635  }
1636 
1637  CLEAR(local);
1638  actual = &get_link_socket_info(c)->lsa->actual;
1639  remote = actual->dest;
1640  getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
1641 #if ENABLE_IP_PKTINFO
1642  if (!addr_defined(&local))
1643  {
1644  switch (local.addr.sa.sa_family)
1645  {
1646  case AF_INET:
1647 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1648  local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1649 #else
1650  local.addr.in4.sin_addr = actual->pi.in4;
1651 #endif
1652  break;
1653 
1654  case AF_INET6:
1655  local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1656  break;
1657  }
1658  }
1659 #endif
1660 
1661  if (c->c1.tuntap)
1662  {
1663  tun_local = &c->c1.tuntap->local;
1664  tun_local6 = &c->c1.tuntap->local_ipv6;
1665  }
1666  management_set_state(management,
1667  OPENVPN_STATE_CONNECTED,
1668  detail,
1669  tun_local,
1670  tun_local6,
1671  &local,
1672  &remote);
1673  if (tun_local)
1674  {
1675  management_post_tunnel_open(management, *tun_local);
1676  }
1677  }
1678 #endif /* ifdef ENABLE_MANAGEMENT */
1679 }
1680 
1681 /*
1682  * Possibly add routes and/or call route-up script
1683  * based on options.
1684  */
1685 void
1686 do_route(const struct options *options,
1687  struct route_list *route_list,
1688  struct route_ipv6_list *route_ipv6_list,
1689  const struct tuntap *tt,
1690  const struct plugin_list *plugins,
1691  struct env_set *es,
1692  openvpn_net_ctx_t *ctx)
1693 {
1694  if (!options->route_noexec && ( route_list || route_ipv6_list ) )
1695  {
1696  add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1697  es, ctx);
1698  setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1699  }
1700 #ifdef ENABLE_MANAGEMENT
1701  if (management)
1702  {
1703  management_up_down(management, "UP", es);
1704  }
1705 #endif
1706 
1707  if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
1708  {
1709  if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1710  {
1711  msg(M_WARN, "WARNING: route-up plugin call failed");
1712  }
1713  }
1714 
1715  if (options->route_script)
1716  {
1717  struct argv argv = argv_new();
1718  setenv_str(es, "script_type", "route-up");
1719  argv_parse_cmd(&argv, options->route_script);
1720  openvpn_run_script(&argv, es, 0, "--route-up");
1721  argv_free(&argv);
1722  }
1723 
1724 #ifdef _WIN32
1725  if (options->show_net_up)
1726  {
1727  show_routes(M_INFO|M_NOPREFIX);
1728  show_adapters(M_INFO|M_NOPREFIX);
1729  }
1730  else if (check_debug_level(D_SHOW_NET))
1731  {
1732  show_routes(D_SHOW_NET|M_NOPREFIX);
1733  show_adapters(D_SHOW_NET|M_NOPREFIX);
1734  }
1735 #endif
1736 }
1737 
1738 /*
1739  * initialize tun/tap device object
1740  */
1741 static void
1742 do_init_tun(struct context *c)
1743 {
1744  c->c1.tuntap = init_tun(c->options.dev,
1745  c->options.dev_type,
1746  c->options.topology,
1747  c->options.ifconfig_local,
1748  c->options.ifconfig_remote_netmask,
1749  c->options.ifconfig_ipv6_local,
1750  c->options.ifconfig_ipv6_netbits,
1751  c->options.ifconfig_ipv6_remote,
1752  c->c1.link_socket_addr.bind_local,
1753  c->c1.link_socket_addr.remote_list,
1754  !c->options.ifconfig_nowarn,
1755  c->c2.es,
1756  &c->net_ctx);
1757 
1758 #ifdef _WIN32
1759  c->c1.tuntap->windows_driver = c->options.windows_driver;
1760 #endif
1761 
1762  init_tun_post(c->c1.tuntap,
1763  &c->c2.frame,
1764  &c->options.tuntap_options);
1765 
1766  c->c1.tuntap_owned = true;
1767 }
1768 
1769 /*
1770  * Open tun/tap device, ifconfig, call up script, etc.
1771  */
1772 
1773 static bool
1774 do_open_tun(struct context *c)
1775 {
1776  struct gc_arena gc = gc_new();
1777  bool ret = false;
1778 
1779 #ifndef TARGET_ANDROID
1780  if (!c->c1.tuntap)
1781  {
1782 #endif
1783 
1784 #ifdef TARGET_ANDROID
1785  /* If we emulate persist-tun on android we still have to open a new tun and
1786  * then close the old */
1787  int oldtunfd = -1;
1788  if (c->c1.tuntap)
1789  {
1790  oldtunfd = c->c1.tuntap->fd;
1791  free(c->c1.tuntap);
1792  c->c1.tuntap = NULL;
1793  c->c1.tuntap_owned = false;
1794  }
1795 #endif
1796 
1797  /* initialize (but do not open) tun/tap object */
1798  do_init_tun(c);
1799 
1800 #ifdef _WIN32
1801  /* store (hide) interactive service handle in tuntap_options */
1802  c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1803  msg(D_ROUTE, "interactive service msg_channel=%" PRIu64, (unsigned long long) c->options.msg_channel);
1804 #endif
1805 
1806  /* allocate route list structure */
1807  do_alloc_route_list(c);
1808 
1809  /* parse and resolve the route option list */
1810  ASSERT(c->c2.link_socket);
1811  if (c->options.routes && c->c1.route_list)
1812  {
1813  do_init_route_list(&c->options, c->c1.route_list,
1814  &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1815  }
1816  if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1817  {
1818  do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1819  &c->c2.link_socket->info, c->c2.es,
1820  &c->net_ctx);
1821  }
1822 
1823  /* do ifconfig */
1824  if (!c->options.ifconfig_noexec
1825  && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1826  {
1827  /* guess actual tun/tap unit number that will be returned
1828  * by open_tun */
1829  const char *guess = guess_tuntap_dev(c->options.dev,
1830  c->options.dev_type,
1831  c->options.dev_node,
1832  &gc);
1833  do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es,
1834  &c->net_ctx);
1835  }
1836 
1837  /* possibly add routes */
1838  if (route_order() == ROUTE_BEFORE_TUN)
1839  {
1840  /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
1841  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1842  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1843  }
1844 #ifdef TARGET_ANDROID
1845  /* Store the old fd inside the fd so open_tun can use it */
1846  c->c1.tuntap->fd = oldtunfd;
1847 #endif
1848  /* open the tun device */
1849  open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1850  c->c1.tuntap);
1851 
1852  /* set the hardware address */
1853  if (c->options.lladdr)
1854  {
1855  set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1856  }
1857 
1858  /* do ifconfig */
1859  if (!c->options.ifconfig_noexec
1860  && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1861  {
1862  do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1863  TUN_MTU_SIZE(&c->c2.frame), c->c2.es, &c->net_ctx);
1864  }
1865 
1866  /* run the up script */
1867  run_up_down(c->options.up_script,
1868  c->plugins,
1869  OPENVPN_PLUGIN_UP,
1870  c->c1.tuntap->actual_name,
1871 #ifdef _WIN32
1872  c->c1.tuntap->adapter_index,
1873 #endif
1874  dev_type_string(c->options.dev, c->options.dev_type),
1875  TUN_MTU_SIZE(&c->c2.frame),
1876  EXPANDED_SIZE(&c->c2.frame),
1877  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1878  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1879  "init",
1880  NULL,
1881  "up",
1882  c->c2.es);
1883 
1884 #if defined(_WIN32)
1885  if (c->options.block_outside_dns)
1886  {
1887  dmsg(D_LOW, "Blocking outside DNS");
1888  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1889  {
1890  msg(M_FATAL, "Blocking DNS failed!");
1891  }
1892  }
1893 #endif
1894 
1895  /* possibly add routes */
1896  if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1897  {
1898  do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1899  c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1900  }
1901 
1902  /*
1903  * Did tun/tap driver give us an MTU?
1904  */
1905  if (c->c1.tuntap->post_open_mtu)
1906  {
1907  frame_set_mtu_dynamic(&c->c2.frame,
1908  c->c1.tuntap->post_open_mtu,
1909  SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1910  }
1911 
1912  ret = true;
1913  static_context = c;
1914 #ifndef TARGET_ANDROID
1915 }
1916 else
1917 {
1918  msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1919  c->c1.tuntap->actual_name);
1920 
1921  /* explicitly set the ifconfig_* env vars */
1922  do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1923 
1924  /* run the up script if user specified --up-restart */
1925  if (c->options.up_restart)
1926  {
1927  run_up_down(c->options.up_script,
1928  c->plugins,
1929  OPENVPN_PLUGIN_UP,
1930  c->c1.tuntap->actual_name,
1931 #ifdef _WIN32
1932  c->c1.tuntap->adapter_index,
1933 #endif
1934  dev_type_string(c->options.dev, c->options.dev_type),
1935  TUN_MTU_SIZE(&c->c2.frame),
1936  EXPANDED_SIZE(&c->c2.frame),
1937  print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1938  print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1939  "restart",
1940  NULL,
1941  "up",
1942  c->c2.es);
1943  }
1944 #if defined(_WIN32)
1945  if (c->options.block_outside_dns)
1946  {
1947  dmsg(D_LOW, "Blocking outside DNS");
1948  if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1949  {
1950  msg(M_FATAL, "Blocking DNS failed!");
1951  }
1952  }
1953 #endif
1954 
1955 }
1956 #endif /* ifndef TARGET_ANDROID */
1957  gc_free(&gc);
1958  return ret;
1959 }
1960 
1961 /*
1962  * Close TUN/TAP device
1963  */
1964 
1965 static void
1966 do_close_tun_simple(struct context *c)
1967 {
1968  msg(D_CLOSE, "Closing TUN/TAP interface");
1969  if (c->c1.tuntap)
1970  {
1971  close_tun(c->c1.tuntap, &c->net_ctx);
1972  c->c1.tuntap = NULL;
1973  }
1974  c->c1.tuntap_owned = false;
1975  CLEAR(c->c1.pulled_options_digest_save);
1976 }
1977 
1978 static void
1979 do_close_tun(struct context *c, bool force)
1980 {
1981  struct gc_arena gc = gc_new();
1982  if (c->c1.tuntap && c->c1.tuntap_owned)
1983  {
1984  const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
1985 #ifdef _WIN32
1986  DWORD adapter_index = c->c1.tuntap->adapter_index;
1987 #endif
1988  const in_addr_t local = c->c1.tuntap->local;
1989  const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1990 
1991  if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1992  {
1993  static_context = NULL;
1994 
1995 #ifdef ENABLE_MANAGEMENT
1996  /* tell management layer we are about to close the TUN/TAP device */
1997  if (management)
1998  {
1999  management_pre_tunnel_close(management);
2000  management_up_down(management, "DOWN", c->c2.es);
2001  }
2002 #endif
2003 
2004  /* delete any routes we added */
2005  if (c->c1.route_list || c->c1.route_ipv6_list)
2006  {
2007  run_up_down(c->options.route_predown_script,
2008  c->plugins,
2009  OPENVPN_PLUGIN_ROUTE_PREDOWN,
2010  tuntap_actual,
2011 #ifdef _WIN32
2012  adapter_index,
2013 #endif
2014  NULL,
2015  TUN_MTU_SIZE(&c->c2.frame),
2016  EXPANDED_SIZE(&c->c2.frame),
2017  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2018  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2019  "init",
2020  signal_description(c->sig->signal_received,
2021  c->sig->signal_text),
2022  "route-pre-down",
2023  c->c2.es);
2024 
2025  delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2026  c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2027  c->c2.es, &c->net_ctx);
2028  }
2029 
2030  /* actually close tun/tap device based on --down-pre flag */
2031  if (!c->options.down_pre)
2032  {
2033  do_close_tun_simple(c);
2034  }
2035 
2036  /* Run the down script -- note that it will run at reduced
2037  * privilege if, for example, "--user nobody" was used. */
2038  run_up_down(c->options.down_script,
2039  c->plugins,
2040  OPENVPN_PLUGIN_DOWN,
2041  tuntap_actual,
2042 #ifdef _WIN32
2043  adapter_index,
2044 #endif
2045  NULL,
2046  TUN_MTU_SIZE(&c->c2.frame),
2047  EXPANDED_SIZE(&c->c2.frame),
2048  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2049  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2050  "init",
2051  signal_description(c->sig->signal_received,
2052  c->sig->signal_text),
2053  "down",
2054  c->c2.es);
2055 
2056 #if defined(_WIN32)
2057  if (c->options.block_outside_dns)
2058  {
2059  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2060  {
2061  msg(M_FATAL, "Uninitialising WFP failed!");
2062  }
2063  }
2064 #endif
2065 
2066  /* actually close tun/tap device based on --down-pre flag */
2067  if (c->options.down_pre)
2068  {
2069  do_close_tun_simple(c);
2070  }
2071  }
2072  else
2073  {
2074  /* run the down script on this restart if --up-restart was specified */
2075  if (c->options.up_restart)
2076  {
2077  run_up_down(c->options.down_script,
2078  c->plugins,
2079  OPENVPN_PLUGIN_DOWN,
2080  tuntap_actual,
2081 #ifdef _WIN32
2082  adapter_index,
2083 #endif
2084  NULL,
2085  TUN_MTU_SIZE(&c->c2.frame),
2086  EXPANDED_SIZE(&c->c2.frame),
2087  print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2088  print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2089  "restart",
2090  signal_description(c->sig->signal_received,
2091  c->sig->signal_text),
2092  "down",
2093  c->c2.es);
2094  }
2095 
2096 #if defined(_WIN32)
2097  if (c->options.block_outside_dns)
2098  {
2099  if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
2100  {
2101  msg(M_FATAL, "Uninitialising WFP failed!");
2102  }
2103  }
2104 #endif
2105 
2106  }
2107  }
2108  gc_free(&gc);
2109 }
2110 
2111 void
2112 tun_abort(void)
2113 {
2114  struct context *c = static_context;
2115  if (c)
2116  {
2117  static_context = NULL;
2118  do_close_tun(c, true);
2119  }
2120 }
2121 
2122 /*
2123  * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2124  */
2125 
2130 static bool
2131 options_hash_changed_or_zero(const struct sha256_digest *a,
2132  const struct sha256_digest *b)
2133 {
2134  const struct sha256_digest zero = {{0}};
2135  return memcmp(a, b, sizeof(struct sha256_digest))
2136  || !memcmp(a, &zero, sizeof(struct sha256_digest));
2137 }
2138 
2139 bool
2140 do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
2141 {
2142  if (!c->c2.do_up_ran)
2143  {
2144  reset_coarse_timers(c);
2145 
2146  if (pulled_options)
2147  {
2148  if (!do_deferred_options(c, option_types_found))
2149  {
2150  msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2151  return false;
2152  }
2153  }
2154 
2155  /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2156  if (c->options.up_delay || PULL_DEFINED(&c->options))
2157  {
2158  c->c2.did_open_tun = do_open_tun(c);
2159  update_time();
2160 
2161  /*
2162  * Was tun interface object persisted from previous restart iteration,
2163  * and if so did pulled options string change from previous iteration?
2164  */
2165  if (!c->c2.did_open_tun
2166  && PULL_DEFINED(&c->options)
2167  && c->c1.tuntap
2168  && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2169  &c->c2.pulled_options_digest))
2170  {
2171  /* if so, close tun, delete routes, then reinitialize tun and add routes */
2172  msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2173  do_close_tun(c, true);
2174  management_sleep(1);
2175  c->c2.did_open_tun = do_open_tun(c);
2176  update_time();
2177  }
2178  }
2179 
2180  if (c->c2.did_open_tun)
2181  {
2182  c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2183 
2184  /* if --route-delay was specified, start timer */
2185  if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2186  {
2187  event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2188  event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2189  if (c->c1.tuntap)
2190  {
2191  tun_standby_init(c->c1.tuntap);
2192  }
2193  }
2194  else
2195  {
2196  initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2197  }
2198  }
2199  else if (c->options.mode == MODE_POINT_TO_POINT)
2200  {
2201  initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2202  }
2203 
2204  c->c2.do_up_ran = true;
2205  }
2206  return true;
2207 }
2208 
2209 /*
2210  * These are the option categories which will be accepted by pull.
2211  */
2212 unsigned int
2213 pull_permission_mask(const struct context *c)
2214 {
2215  unsigned int flags =
2216  OPT_P_UP
2217  | OPT_P_ROUTE_EXTRAS
2218  | OPT_P_SOCKBUF
2219  | OPT_P_SOCKFLAGS
2220  | OPT_P_SETENV
2221  | OPT_P_SHAPER
2222  | OPT_P_TIMER
2223  | OPT_P_COMP
2224  | OPT_P_PERSIST
2225  | OPT_P_MESSAGES
2226  | OPT_P_EXPLICIT_NOTIFY
2227  | OPT_P_ECHO
2228  | OPT_P_PULL_MODE
2229  | OPT_P_PEER_ID;
2230 
2231  if (!c->options.route_nopull)
2232  {
2233  flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2234  }
2235 
2236  if (c->options.ncp_enabled)
2237  {
2238  flags |= OPT_P_NCP;
2239  }
2240 
2241  return flags;
2242 }
2243 
2244 /*
2245  * Handle non-tun-related pulled options.
2246  */
2247 bool
2248 do_deferred_options(struct context *c, const unsigned int found)
2249 {
2250  if (found & OPT_P_MESSAGES)
2251  {
2252  init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2253  msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
2254  }
2255  if (found & OPT_P_TIMER)
2256  {
2257  do_init_timers(c, true);
2258  msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
2259  }
2260 
2261  if (found & OPT_P_EXPLICIT_NOTIFY)
2262  {
2263  if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2264  {
2265  msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2266  c->options.ce.explicit_exit_notification = 0;
2267  }
2268  else
2269  {
2270  msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2271  }
2272  }
2273 
2274 #ifdef USE_COMP
2275  if (found & OPT_P_COMP)
2276  {
2277  msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2278  comp_uninit(c->c2.comp_context);
2279  c->c2.comp_context = comp_init(&c->options.comp);
2280  }
2281 #endif
2282 
2283  if (found & OPT_P_SHAPER)
2284  {
2285  msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2286  do_init_traffic_shaper(c);
2287  }
2288 
2289  if (found & OPT_P_SOCKBUF)
2290  {
2291  msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2292  link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
2293  }
2294 
2295  if (found & OPT_P_SOCKFLAGS)
2296  {
2297  msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2298  link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
2299  }
2300 
2301  if (found & OPT_P_PERSIST)
2302  {
2303  msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2304  }
2305  if (found & OPT_P_UP)
2306  {
2307  msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2308  }
2309  if (found & OPT_P_ROUTE)
2310  {
2311  msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2312  }
2313  if (found & OPT_P_ROUTE_EXTRAS)
2314  {
2315  msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2316  }
2317  if (found & OPT_P_IPWIN32)
2318  {
2319  msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2320  }
2321  if (found & OPT_P_SETENV)
2322  {
2323  msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2324  }
2325 
2326  if (found & OPT_P_PEER_ID)
2327  {
2328  msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2329  c->c2.tls_multi->use_peer_id = true;
2330  c->c2.tls_multi->peer_id = c->options.peer_id;
2331  frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2332  if (!c->options.ce.link_mtu_defined)
2333  {
2334  frame_add_to_link_mtu(&c->c2.frame, +3);
2335  msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2336  EXPANDED_SIZE(&c->c2.frame));
2337  }
2338  else
2339  {
2340  msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2341  " fixed by config - reducing tun-mtu to %d, expect"
2342  " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2343  }
2344  }
2345 
2346  /* process (potentially pushed) crypto options */
2347  if (c->options.pull)
2348  {
2349  if (!check_pull_client_ncp(c, found))
2350  {
2351  return false;
2352  }
2353  struct frame *frame_fragment = NULL;
2354 #ifdef ENABLE_FRAGMENT
2355  if (c->options.ce.fragment)
2356  {
2357  frame_fragment = &c->c2.frame_fragment;
2358  }
2359 #endif
2360 
2361  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2362  if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
2363  frame_fragment))
2364  {
2365  msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2366  return false;
2367  }
2368  }
2369 
2370  return true;
2371 }
2372 
2373 /*
2374  * Possible hold on initialization, holdtime is the
2375  * time OpenVPN would wait without management
2376  */
2377 static bool
2378 do_hold(int holdtime)
2379 {
2380 #ifdef ENABLE_MANAGEMENT
2381  if (management)
2382  {
2383  /* block until management hold is released */
2384  if (management_hold(management, holdtime))
2385  {
2386  return true;
2387  }
2388  }
2389 #endif
2390  return false;
2391 }
2392 
2393 /*
2394  * Sleep before restart.
2395  */
2396 static void
2397 socket_restart_pause(struct context *c)
2398 {
2399  int sec = 2;
2400  int backoff = 0;
2401 
2402  switch (c->options.ce.proto)
2403  {
2404  case PROTO_TCP_SERVER:
2405  sec = 1;
2406  break;
2407 
2408  case PROTO_UDP:
2409  case PROTO_TCP_CLIENT:
2410  sec = c->options.ce.connect_retry_seconds;
2411  break;
2412  }
2413 
2414 #ifdef ENABLE_DEBUG
2415  if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2416  {
2417  sec = 0;
2418  }
2419 #endif
2420 
2421  if (auth_retry_get() == AR_NOINTERACT)
2422  {
2423  sec = 10;
2424  }
2425 
2426  /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2427  if (c->options.ce.proto != PROTO_TCP_SERVER)
2428  {
2429  backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2430  if (backoff > 0)
2431  {
2432  /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2433  sec = max_int(sec, 1) << min_int(backoff, 15);
2434  }
2435 
2436  if (sec > c->options.ce.connect_retry_seconds_max)
2437  {
2438  sec = c->options.ce.connect_retry_seconds_max;
2439  }
2440  }
2441 
2442  if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2443  {
2444  sec = c->persist.restart_sleep_seconds;
2445  }
2446  else if (c->persist.restart_sleep_seconds == -1)
2447  {
2448  sec = 0;
2449  }
2450  c->persist.restart_sleep_seconds = 0;
2451 
2452  /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
2453  if (do_hold(sec))
2454  {
2455  sec = 0;
2456  }
2457 
2458  if (sec)
2459  {
2460  msg(D_RESTART, "Restart pause, %d second(s)", sec);
2461  management_sleep(sec);
2462  }
2463 }
2464 
2465 /*
2466  * Do a possible pause on context_2 initialization.
2467  */
2468 static void
2469 do_startup_pause(struct context *c)
2470 {
2471  if (!c->first_time)
2472  {
2473  socket_restart_pause(c);
2474  }
2475  else
2476  {
2477  do_hold(0); /* do management hold on first context initialization */
2478  }
2479 }
2480 
2481 /*
2482  * Finalize MTU parameters based on command line or config file options.
2483  */
2484 static void
2485 frame_finalize_options(struct context *c, const struct options *o)
2486 {
2487  if (!o)
2488  {
2489  o = &c->options;
2490  }
2491 
2492  /*
2493  * Set adjustment factor for buffer alignment when no
2494  * cipher is used.
2495  */
2496  if (!CIPHER_ENABLED(c))
2497  {
2498  frame_align_to_extra_frame(&c->c2.frame);
2499  frame_or_align_flags(&c->c2.frame,
2500  FRAME_HEADROOM_MARKER_FRAGMENT
2501  |FRAME_HEADROOM_MARKER_READ_LINK
2502  |FRAME_HEADROOM_MARKER_READ_STREAM);
2503  }
2504 
2505  frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2506  frame_finalize(&c->c2.frame,
2507  o->ce.link_mtu_defined,
2508  o->ce.link_mtu,
2509  o->ce.tun_mtu_defined,
2510  o->ce.tun_mtu);
2511 }
2512 
2513 /*
2514  * Free a key schedule, including OpenSSL components.
2515  */
2516 static void
2517 key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
2518 {
2519  free_key_ctx_bi(&ks->static_key);
2520  if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
2521  {
2522  tls_ctx_free(&ks->ssl_ctx);
2523  }
2524  CLEAR(*ks);
2525 }
2526 
2527 static void
2528 init_crypto_pre(struct context *c, const unsigned int flags)
2529 {
2530  if (c->options.engine)
2531  {
2532  crypto_init_lib_engine(c->options.engine);
2533  }
2534 
2535  if (flags & CF_LOAD_PERSISTED_PACKET_ID)
2536  {
2537  /* load a persisted packet-id for cross-session replay-protection */
2538  if (c->options.packet_id_file)
2539  {
2540  packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2541  }
2542  }
2543 
2544 #ifdef ENABLE_PREDICTION_RESISTANCE
2545  if (c->options.use_prediction_resistance)
2546  {
2547  rand_ctx_enable_prediction_resistance();
2548  }
2549 #endif
2550 }
2551 
2552 /*
2553  * Static Key Mode (using a pre-shared key)
2554  */
2555 static void
2556 do_init_crypto_static(struct context *c, const unsigned int flags)
2557 {
2558  const struct options *options = &c->options;
2559  ASSERT(options->shared_secret_file);
2560 
2561  init_crypto_pre(c, flags);
2562 
2563  /* Initialize flags */
2564  if (c->options.mute_replay_warnings)
2565  {
2566  c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
2567  }
2568 
2569  /* Initialize packet ID tracking */
2570  if (options->replay)
2571  {
2572  packet_id_init(&c->c2.crypto_options.packet_id,
2573  options->replay_window,
2574  options->replay_time,
2575  "STATIC", 0);
2576  c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2577  c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2578  packet_id_persist_load_obj(&c->c1.pid_persist,
2579  &c->c2.crypto_options.packet_id);
2580  }
2581 
2582  if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2583  {
2584  /* Get cipher & hash algorithms */
2585  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2586  options->test_crypto, true);
2587 
2588  /* Read cipher and hmac keys from shared secret file */
2589  crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2590  options->shared_secret_file,
2591  options->shared_secret_file_inline,
2592  options->key_direction, "Static Key Encryption",
2593  "secret");
2594  }
2595  else
2596  {
2597  msg(M_INFO, "Re-using pre-shared static key");
2598  }
2599 
2600  /* Get key schedule */
2601  c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
2602 
2603  /* Compute MTU parameters */
2604  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2605  options->replay, true);
2606 
2607  /* Sanity check on sequence number, and cipher mode options */
2608  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2609 }
2610 
2611 /*
2612  * Initialize the tls-auth/crypt key context
2613  */
2614 static void
2615 do_init_tls_wrap_key(struct context *c)
2616 {
2617  const struct options *options = &c->options;
2618 
2619  /* TLS handshake authentication (--tls-auth) */
2620  if (options->ce.tls_auth_file)
2621  {
2622  /* Initialize key_type for tls-auth with auth only */
2623  CLEAR(c->c1.ks.tls_auth_key_type);
2624  if (!streq(options->authname, "none"))
2625  {
2626  c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2627  c->c1.ks.tls_auth_key_type.hmac_length =
2628  md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2629  }
2630  else
2631  {
2632  msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2633  "algorithm specified ('%s')", options->authname);
2634  }
2635 
2636  crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2637  &c->c1.ks.tls_wrap_key,
2638  options->ce.tls_auth_file,
2639  options->ce.tls_auth_file_inline,
2640  options->ce.key_direction,
2641  "Control Channel Authentication", "tls-auth");
2642  }
2643 
2644  /* TLS handshake encryption+authentication (--tls-crypt) */
2645  if (options->ce.tls_crypt_file)
2646  {
2647  tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
2648  options->ce.tls_crypt_file,
2649  options->ce.tls_crypt_file_inline,
2650  options->tls_server);
2651  }
2652 
2653  /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2654  if (options->ce.tls_crypt_v2_file)
2655  {
2656  if (options->tls_server)
2657  {
2658  tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2659  true, options->ce.tls_crypt_v2_file,
2660  options->ce.tls_crypt_v2_file_inline);
2661  }
2662  else
2663  {
2664  tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2665  &c->c1.ks.tls_crypt_v2_wkc,
2666  options->ce.tls_crypt_v2_file,
2667  options->ce.tls_crypt_v2_file_inline);
2668  }
2669  }
2670 
2671 
2672 }
2673 
2674 /*
2675  * Initialise the auth-token key context
2676  */
2677 static void
2678 do_init_auth_token_key(struct context *c)
2679 {
2680  if (!c->options.auth_token_generate)
2681  {
2682  return;
2683  }
2684 
2685  auth_token_init_secret(&c->c1.ks.auth_token_key,
2686  c->options.auth_token_secret_file,
2687  c->options.auth_token_secret_file_inline);
2688 }
2689 
2690 /*
2691  * Initialize the persistent component of OpenVPN's TLS mode,
2692  * which is preserved across SIGUSR1 resets.
2693  */
2694 static void
2695 do_init_crypto_tls_c1(struct context *c)
2696 {
2697  const struct options *options = &c->options;
2698 
2699  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2700  {
2701  /*
2702  * Initialize the OpenSSL library's global
2703  * SSL context.
2704  */
2705  init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
2706  if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2707  {
2708  switch (auth_retry_get())
2709  {
2710  case AR_NONE:
2711  msg(M_FATAL, "Error: private key password verification failed");
2712  break;
2713 
2714  case AR_INTERACT:
2715  ssl_purge_auth(false);
2716 
2717  case AR_NOINTERACT:
2718  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2719  break;
2720 
2721  default:
2722  ASSERT(0);
2723  }
2724  c->sig->signal_text = "private-key-password-failure";
2725  return;
2726  }
2727 
2728  /*
2729  * BF-CBC is allowed to be used only when explicitly configured
2730  * as NCP-fallback or when NCP has been disabled or explicitly
2731  * allowed in the in ncp_ciphers list.
2732  * In all other cases do not attempt to initialize BF-CBC as it
2733  * may not even be supported by the underlying SSL library.
2734  *
2735  * Therefore, the key structure has to be initialized when:
2736  * - any non-BF-CBC cipher was selected; or
2737  * - BF-CBC is selected and NCP is disabled (explicit request to
2738  * use the BF-CBC cipher); or
2739  * - BF-CBC is selected, NCP is enabled and fallback is enabled
2740  * (BF-CBC will be the fallback).
2741  * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
2742  * If the negotiated cipher and options->ciphername are the
2743  * same we do not reinit the cipher
2744  *
2745  * Note that BF-CBC will still be part of the OCC string to retain
2746  * backwards compatibility with older clients.
2747  */
2748  if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
2749  || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
2750  || options->enable_ncp_fallback)
2751  {
2752  /* Do not warn if the if the cipher is used only in OCC */
2753  bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
2754  init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2755  true, warn);
2756  }
2757  /* Initialize PRNG with config-specified digest */
2758  prng_init(options->prng_hash, options->prng_nonce_secret_len);
2759 
2760  /* initialize tls-auth/crypt/crypt-v2 key */
2761  do_init_tls_wrap_key(c);
2762 
2763  /* initialise auth-token crypto support */
2764  do_init_auth_token_key(c);
2765 
2766 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2767  if (options->priv_key_file_inline)
2768  {
2769  string_clear(c->options.priv_key_file_inline);
2770  c->options.priv_key_file_inline = NULL;
2771  }
2772 #endif
2773  }
2774  else
2775  {
2776  msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
2777 
2778  /*
2779  * tls-auth/crypt key can be configured per connection block, therefore
2780  * we must reload it as it may have changed
2781  */
2782  do_init_tls_wrap_key(c);
2783  }
2784 }
2785 
2786 static void
2787 do_init_crypto_tls(struct context *c, const unsigned int flags)
2788 {
2789  const struct options *options = &c->options;
2790  struct tls_options to;
2791  bool packet_id_long_form;
2792 
2793  ASSERT(options->tls_server || options->tls_client);
2794  ASSERT(!options->test_crypto);
2795 
2796  init_crypto_pre(c, flags);
2797 
2798  /* Make sure we are either a TLS client or server but not both */
2799  ASSERT(options->tls_server == !options->tls_client);
2800 
2801  /* initialize persistent component */
2802  do_init_crypto_tls_c1(c);
2803  if (IS_SIG(c))
2804  {
2805  return;
2806  }
2807 
2808  /* Sanity check on sequence number, and cipher mode options */
2809  check_replay_consistency(&c->c1.ks.key_type, options->replay);
2810 
2811  /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2812  packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2813 
2814  /* Compute MTU parameters (postpone if we push/pull options) */
2815  if (c->options.pull || c->options.mode == MODE_SERVER)
2816  {
2817  /* Account for worst-case crypto overhead before allocating buffers */
2818  frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2819  }
2820  else
2821  {
2822  crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2823  options->replay, packet_id_long_form);
2824  }
2825  tls_adjust_frame_parameters(&c->c2.frame);
2826 
2827  /* Set all command-line TLS-related options */
2828  CLEAR(to);
2829 
2830  if (options->mute_replay_warnings)
2831  {
2832  to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2833  }
2834 
2835  to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2836  if (packet_id_long_form)
2837  {
2838  to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2839  }
2840 
2841  to.ssl_ctx = c->c1.ks.ssl_ctx;
2842  to.key_type = c->c1.ks.key_type;
2843  to.server = options->tls_server;
2844  to.replay = options->replay;
2845  to.replay_window = options->replay_window;
2846  to.replay_time = options->replay_time;
2847  to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2848  to.config_ciphername = c->options.ciphername;
2849  to.config_ncp_ciphers = c->options.ncp_ciphers;
2850  to.ncp_enabled = options->ncp_enabled;
2851  to.transition_window = options->transition_window;
2852  to.handshake_window = options->handshake_window;
2853  to.packet_timeout = options->tls_timeout;
2854  to.renegotiate_bytes = options->renegotiate_bytes;
2855  to.renegotiate_packets = options->renegotiate_packets;
2856  if (options->renegotiate_seconds_min < 0)
2857  {
2858  /* Add 10% jitter to reneg-sec by default (server side only) */
2859  int auto_jitter = options->mode != MODE_SERVER ? 0 :
2860  get_random() % max_int(options->renegotiate_seconds / 10, 1);
2861  to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2862  }
2863  else
2864  {
2865  /* Add user-specified jitter to reneg-sec */
2866  to.renegotiate_seconds = options->renegotiate_seconds
2867  -(get_random() % max_int(options->renegotiate_seconds
2868  - options->renegotiate_seconds_min, 1));
2869  }
2870  to.single_session = options->single_session;
2871  to.mode = options->mode;
2872  to.pull = options->pull;
2873  if (options->push_peer_info) /* all there is */
2874  {
2875  to.push_peer_info_detail = 2;
2876  }
2877  else if (options->pull) /* pull clients send some details */
2878  {
2879  to.push_peer_info_detail = 1;
2880  }
2881  else /* default: no peer-info at all */
2882  {
2883  to.push_peer_info_detail = 0;
2884  }
2885 
2886  /* should we not xmit any packets until we get an initial
2887  * response from client? */
2888  if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2889  {
2890  to.xmit_hold = true;
2891  }
2892 
2893  to.disable_occ = !options->occ;
2894 
2895  to.verify_command = options->tls_verify;
2896  to.verify_export_cert = options->tls_export_cert;
2897  to.verify_x509_type = (options->verify_x509_type & 0xff);
2898  to.verify_x509_name = options->verify_x509_name;
2899  to.crl_file = options->crl_file;
2900  to.crl_file_inline = options->crl_file_inline;
2901  to.ssl_flags = options->ssl_flags;
2902  to.ns_cert_type = options->ns_cert_type;
2903  memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2904  to.remote_cert_eku = options->remote_cert_eku;
2905  to.verify_hash = options->verify_hash;
2906  to.verify_hash_algo = options->verify_hash_algo;
2907  to.verify_hash_depth = options->verify_hash_depth;
2908  to.verify_hash_no_ca = options->verify_hash_no_ca;
2909 #ifdef ENABLE_X509ALTUSERNAME
2910  memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
2911 #else
2912  to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
2913 #endif
2914  to.es = c->c2.es;
2915  to.net_ctx = &c->net_ctx;
2916 
2917 #ifdef ENABLE_DEBUG
2918  to.gremlin = c->options.gremlin;
2919 #endif
2920 
2921  to.plugins = c->plugins;
2922 
2923 #ifdef ENABLE_MANAGEMENT
2924  to.mda_context = &c->c2.mda_context;
2925 #endif
2926 
2927  to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2928  to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2929  to.tmp_dir = options->tmp_dir;
2930  if (options->ccd_exclusive)
2931  {
2932  to.client_config_dir_exclusive = options->client_config_dir;
2933  }
2934  to.auth_user_pass_file = options->auth_user_pass_file;
2935  to.auth_token_generate = options->auth_token_generate;
2936  to.auth_token_lifetime = options->auth_token_lifetime;
2937  to.auth_token_call_auth = options->auth_token_call_auth;
2938  to.auth_token_key = c->c1.ks.auth_token_key;
2939 
2940  to.x509_track = options->x509_track;
2941 
2942 #ifdef ENABLE_MANAGEMENT
2943  to.sci = &options->sc_info;
2944 #endif
2945 
2946 #ifdef USE_COMP
2947  to.comp_options = options->comp;
2948 #endif
2949 
2950 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2951  if (options->keying_material_exporter_label)
2952  {
2953  to.ekm_size = options->keying_material_exporter_length;
2954  if (to.ekm_size < 16 || to.ekm_size > 4095)
2955  {
2956  to.ekm_size = 0;
2957  }
2958 
2959  to.ekm_label = options->keying_material_exporter_label;
2960  to.ekm_label_size = strlen(to.ekm_label);
2961  }
2962  else
2963  {
2964  to.ekm_size = 0;
2965  }
2966 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
2967 
2968  /* TLS handshake authentication (--tls-auth) */
2969  if (options->ce.tls_auth_file)
2970  {
2971  to.tls_wrap.mode = TLS_WRAP_AUTH;
2972  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2973  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2974  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2975  crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2976  true, true);
2977  }
2978 
2979  /* TLS handshake encryption (--tls-crypt) */
2980  if (options->ce.tls_crypt_file
2981  || (options->ce.tls_crypt_v2_file && options->tls_client))
2982  {
2983  to.tls_wrap.mode = TLS_WRAP_CRYPT;
2984  to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2985  to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2986  to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2987  tls_crypt_adjust_frame_parameters(&to.frame);
2988 
2989  if (options->ce.tls_crypt_v2_file)
2990  {
2991  to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2992  }
2993  }
2994 
2995  if (options->ce.tls_crypt_v2_file)
2996  {
2997  to.tls_crypt_v2 = true;
2998  if (options->tls_server)
2999  {
3000  to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
3001  to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
3002  }
3003  }
3004 
3005  /* If we are running over TCP, allow for
3006  * length prefix */
3007  socket_adjust_frame_parameters(&to.frame, options->ce.proto);
3008 
3009  /*
3010  * Initialize OpenVPN's master TLS-mode object.
3011  */
3012  if (flags & CF_INIT_TLS_MULTI)
3013  {
3014  c->c2.tls_multi = tls_multi_init(&to);
3015  }
3016 
3017  if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3018  {
3019  c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
3020  }
3021 }
3022 
3023 static void
3024 do_init_finalize_tls_frame(struct context *c)
3025 {
3026  if (c->c2.tls_multi)
3027  {
3028  tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
3029  ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
3030  EXPANDED_SIZE(&c->c2.frame));
3031  frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3032  "Control Channel MTU parms");
3033  }
3034  if (c->c2.tls_auth_standalone)
3035  {
3036  tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
3037  frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3038  "TLS-Auth MTU parms");
3039  }
3040 }
3041 
3042 /*
3043  * No encryption or authentication.
3044  */
3045 static void
3046 do_init_crypto_none(const struct context *c)
3047 {
3048  ASSERT(!c->options.test_crypto);
3049  msg(M_WARN,
3050  "******* WARNING *******: All encryption and authentication features "
3051  "disabled -- All data will be tunnelled as clear text and will not be "
3052  "protected against man-in-the-middle changes. "
3053  "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3054 }
3055 
3056 static void
3057 do_init_crypto(struct context *c, const unsigned int flags)
3058 {
3059  if (c->options.shared_secret_file)
3060  {
3061  do_init_crypto_static(c, flags);
3062  }
3063  else if (c->options.tls_server || c->options.tls_client)
3064  {
3065  do_init_crypto_tls(c, flags);
3066  }
3067  else /* no encryption or authentication. */
3068  {
3069  do_init_crypto_none(c);
3070  }
3071 }
3072 
3073 static void
3074 do_init_frame(struct context *c)
3075 {
3076 #ifdef USE_COMP
3077  /*
3078  * modify frame parameters if compression is enabled
3079  */
3080  if (comp_enabled(&c->options.comp))
3081  {
3082  comp_add_to_extra_frame(&c->c2.frame);
3083 
3084 #ifdef ENABLE_FRAGMENT
3085  comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3086 #endif
3087  }
3088 #endif /* USE_COMP */
3089 
3090  /*
3091  * Adjust frame size for UDP Socks support.
3092  */
3093  if (c->options.ce.socks_proxy_server)
3094  {
3095  socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3096  }
3097 
3098  /*
3099  * Adjust frame size based on the --tun-mtu-extra parameter.
3100  */
3101  if (c->options.ce.tun_mtu_extra_defined)
3102  {
3103  frame_add_to_extra_tun(&c->c2.frame, c->options.ce.tun_mtu_extra);
3104  }
3105 
3106  /*
3107  * Adjust frame size based on link socket parameters.
3108  * (Since TCP is a stream protocol, we need to insert
3109  * a packet length uint16_t in the buffer.)
3110  */
3111  socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3112 
3113  /*
3114  * Fill in the blanks in the frame parameters structure,
3115  * make sure values are rational, etc.
3116  */
3117  frame_finalize_options(c, NULL);
3118 
3119 #ifdef USE_COMP
3120  /*
3121  * Modify frame parameters if compression is compiled in.
3122  * Should be called after frame_finalize_options.
3123  */
3124  comp_add_to_extra_buffer(&c->c2.frame);
3125 #ifdef ENABLE_FRAGMENT
3126  comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
3127 #endif
3128 #endif /* USE_COMP */
3129 
3130  /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3131  * and need link_mtu+3 bytes on socket reception (on server).
3132  *
3133  * accommodate receive path in f->extra_link, which has the side effect of
3134  * also increasing send buffers (BUF_SIZE() macro), which need to be
3135  * allocated big enough before receiving peer-id option from server.
3136  *
3137  * f->extra_frame is adjusted when peer-id option is push-received
3138  */
3139  frame_add_to_extra_link(&c->c2.frame, 3);
3140 
3141 #ifdef ENABLE_FRAGMENT
3142  /*
3143  * Set frame parameter for fragment code. This is necessary because
3144  * the fragmentation code deals with payloads which have already been
3145  * passed through the compression code.
3146  */
3147  c->c2.frame_fragment = c->c2.frame;
3148  frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
3149  c->c2.frame_fragment_initial = c->c2.frame_fragment;
3150 #endif
3151 
3152 #if defined(ENABLE_FRAGMENT)
3153  /*
3154  * MTU advisories
3155  */
3156  if (c->options.ce.fragment && c->options.mtu_test)
3157  {
3158  msg(M_WARN,
3159  "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3160  }
3161 #endif
3162 
3163 #ifdef ENABLE_FRAGMENT
3164  if ((c->options.ce.mssfix || c->options.ce.fragment)
3165  && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3166  {
3167  msg(M_WARN,
3168  "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3169  ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3170  }
3171 #endif
3172 }
3173 
3174 static void
3175 do_option_warnings(struct context *c)
3176 {
3177  const struct options *o = &c->options;
3178 
3179  if (o->ping_send_timeout && !o->ping_rec_timeout)
3180  {
3181  msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3182  }
3183 
3184  if (o->username || o->groupname || o->chroot_dir
3185 #ifdef ENABLE_SELINUX
3186  || o->selinux_context
3187 #endif
3188  )
3189  {
3190  if (!o->persist_tun)
3191  {
3192  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3193  }
3194  if (!o->persist_key
3195 #ifdef ENABLE_PKCS11
3196  && !o->pkcs11_id
3197 #endif
3198  )
3199  {
3200  msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3201  }
3202  }
3203 
3204  if (o->chroot_dir && !(o->username && o->groupname))
3205  {
3206  msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3207  }
3208 
3209  if (o->pull && o->ifconfig_local && c->first_time)
3210  {
3211  msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3212  }
3213 
3214  if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3215  {
3216  msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3217  }
3218 
3219  if (o->mode == MODE_SERVER)
3220  {
3221  if (o->duplicate_cn && o->client_config_dir)
3222  {
3223  msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3224  }
3225  if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3226  {
3227  msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3228  }
3229  if (!o->keepalive_ping || !o->keepalive_timeout)
3230  {
3231  msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3232  }
3233  }
3234 
3235  if (!o->replay)
3236  {
3237  msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3238  }
3239 
3240  if (o->tls_server)
3241  {
3242  warn_on_use_of_common_subnets(&c->net_ctx);
3243  }
3244  if (o->tls_client
3245  && !o->tls_verify
3246  && o->verify_x509_type == VERIFY_X509_NONE
3247  && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3248  && !o->remote_cert_eku)
3249  {
3250  msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3251  }
3252  if (o->ns_cert_type)
3253  {
3254  msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3255  }
3256 
3257  /* If a script is used, print appropriate warnings */
3258  if (o->user_script_used)
3259  {
3260  if (script_security() >= SSEC_SCRIPTS)
3261  {
3262  msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3263  }
3264  else if (script_security() >= SSEC_PW_ENV)
3265  {
3266  msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3267  }
3268  else
3269  {
3270  msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3271  }
3272  }
3273 }
3274 
3275 static void
3276 do_init_frame_tls(struct context *c)
3277 {
3278  do_init_finalize_tls_frame(c);
3279 }
3280 
3281 struct context_buffers *
3282 init_context_buffers(const struct frame *frame)
3283 {
3284  struct context_buffers *b;
3285 
3286  ALLOC_OBJ_CLEAR(b, struct context_buffers);
3287 
3288  b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3289  b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
3290 
3291  b->aux_buf = alloc_buf(BUF_SIZE(frame));
3292 
3293  b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3294  b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
3295 
3296 #ifdef USE_COMP
3297  b->compress_buf = alloc_buf(BUF_SIZE(frame));
3298  b->decompress_buf = alloc_buf(BUF_SIZE(frame));
3299 #endif
3300 
3301  return b;
3302 }
3303 
3304 void
3305 free_context_buffers(struct context_buffers *b)
3306 {
3307  if (b)
3308  {
3309  free_buf(&b->read_link_buf);
3310  free_buf(&b->read_tun_buf);
3311  free_buf(&b->aux_buf);
3312 
3313 #ifdef USE_COMP
3314  free_buf(&b->compress_buf);
3315  free_buf(&b->decompress_buf);
3316 #endif
3317 
3318  free_buf(&b->encrypt_buf);
3319  free_buf(&b->decrypt_buf);
3320 
3321  free(b);
3322  }
3323 }
3324 
3325 /*
3326  * Now that we know all frame parameters, initialize
3327  * our buffers.
3328  */
3329 static void
3330 do_init_buffers(struct context *c)
3331 {
3332  c->c2.buffers = init_context_buffers(&c->c2.frame);
3333  c->c2.buffers_owned = true;
3334 }
3335 
3336 #ifdef ENABLE_FRAGMENT
3337 /*
3338  * Fragmenting code has buffers to initialize
3339  * once frame parameters are known.
3340  */
3341 static void
3342 do_init_fragment(struct context *c)
3343 {
3344  ASSERT(c->options.ce.fragment);
3345  frame_set_mtu_dynamic(&c->c2.frame_fragment,
3346  c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3347  fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
3348 }
3349 #endif
3350 
3351 /*
3352  * Allocate our socket object.
3353  */
3354 static void
3355 do_link_socket_new(struct context *c)
3356 {
3357  ASSERT(!c->c2.link_socket);
3358  c->c2.link_socket = link_socket_new();
3359  c->c2.link_socket_owned = true;
3360 }
3361 
3362 /*
3363  * Print MTU INFO
3364  */
3365 static void
3366 do_print_data_channel_mtu_parms(struct context *c)
3367 {
3368  frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
3369 #ifdef ENABLE_FRAGMENT
3370  if (c->c2.fragment)
3371  {
3372  frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3373  "Fragmentation MTU parms");
3374  }
3375 #endif
3376 }
3377 
3378 /*
3379  * Get local and remote options compatibility strings.
3380  */
3381 static void
3382 do_compute_occ_strings(struct context *c)
3383 {
3384  struct gc_arena gc = gc_new();
3385 
3386  c->c2.options_string_local =
3387  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3388  false, &gc);
3389  c->c2.options_string_remote =
3390  options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3391  true, &gc);
3392 
3393  msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3394  options_string_version(c->c2.options_string_local, &gc),
3395  c->c2.options_string_local);
3396  msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3397  options_string_version(c->c2.options_string_remote, &gc),
3398  c->c2.options_string_remote);
3399 
3400  if (c->c2.tls_multi)
3401  {
3402  tls_multi_init_set_options(c->c2.tls_multi,
3403  c->c2.options_string_local,
3404  c->c2.options_string_remote);
3405  }
3406 
3407  gc_free(&gc);
3408 }
3409 
3410 /*
3411  * These things can only be executed once per program instantiation.
3412  * Set up for possible UID/GID downgrade, but don't do it yet.
3413  * Daemonize if requested.
3414  */
3415 static void
3416 do_init_first_time(struct context *c)
3417 {
3418  if (c->first_time && !c->c0)
3419  {
3420  struct context_0 *c0;
3421 
3422  ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3423  c0 = c->c0;
3424 
3425  /* get user and/or group that we want to setuid/setgid to */
3426  c0->uid_gid_specified =
3427  platform_group_get(c->options.groupname, &c0->platform_state_group)
3428  |platform_user_get(c->options.username, &c0->platform_state_user);
3429 
3430  /* perform postponed chdir if --daemon */
3431  if (c->did_we_daemonize && c->options.cd_dir == NULL)
3432  {
3433  platform_chdir("/");
3434  }
3435 
3436  /* should we change scheduling priority? */
3437  platform_nice(c->options.nice);
3438  }
3439 }
3440 
3441 /*
3442  * free buffers
3443  */
3444 static void
3445 do_close_free_buf(struct context *c)
3446 {
3447  if (c->c2.buffers_owned)
3448  {
3449  free_context_buffers(c->c2.buffers);
3450  c->c2.buffers = NULL;
3451  c->c2.buffers_owned = false;
3452  }
3453 }
3454 
3455 /*
3456  * close TLS
3457  */
3458 static void
3459 do_close_tls(struct context *c)
3460 {
3461  if (c->c2.tls_multi)
3462  {
3463  tls_multi_free(c->c2.tls_multi, true);
3464  c->c2.tls_multi = NULL;
3465  }
3466 
3467  /* free options compatibility strings */
3468  free(c->c2.options_string_local);
3469  free(c->c2.options_string_remote);
3470 
3471  c->c2.options_string_local = c->c2.options_string_remote = NULL;
3472 
3473  if (c->c2.pulled_options_state)
3474  {
3475  md_ctx_cleanup(c->c2.pulled_options_state);
3476  md_ctx_free(c->c2.pulled_options_state);
3477  }
3478 }
3479 
3480 /*
3481  * Free key schedules
3482  */
3483 static void
3484 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
3485 {
3486  /*
3487  * always free the tls_auth/crypt key. If persist_key is true, the key will
3488  * be reloaded from memory (pre-cached)
3489  */
3490  free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
3491  free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3492  CLEAR(c->c1.ks.tls_wrap_key);
3493  buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3494  free_buf(&c->c1.ks.tls_crypt_v2_wkc);
3495 
3496  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3497  {
3498  key_schedule_free(&c->c1.ks, free_ssl_ctx);
3499  }
3500 }
3501 
3502 /*
3503  * Close TCP/UDP connection
3504  */
3505 static void
3506 do_close_link_socket(struct context *c)
3507 {
3508  if (c->c2.link_socket && c->c2.link_socket_owned)
3509  {
3510  link_socket_close(c->c2.link_socket);
3511  c->c2.link_socket = NULL;
3512  }
3513 
3514 
3515  /* Preserve the resolved list of remote if the user request to or if we want
3516  * reconnect to the same host again or there are still addresses that need
3517  * to be tried */
3518  if (!(c->sig->signal_received == SIGUSR1
3519  && ( (c->options.persist_remote_ip)
3520  ||
3521  ( c->sig->source != SIG_SOURCE_HARD
3522  && ((c->c1.link_socket_addr.current_remote
3523  && c->c1.link_socket_addr.current_remote->ai_next)
3524  || c->options.no_advance))
3525  )))
3526  {
3527  clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
3528  }
3529 
3530  /* Clear the remote actual address when persist_remote_ip is not in use */
3531  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
3532  {
3533  CLEAR(c->c1.link_socket_addr.actual);
3534  }
3535 
3536  if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3537  {
3538  if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3539  {
3540  freeaddrinfo(c->c1.link_socket_addr.bind_local);
3541  }
3542 
3543  c->c1.link_socket_addr.bind_local = NULL;
3544  }
3545 }
3546 
3547 /*
3548  * Close packet-id persistence file
3549  */
3550 static void
3551 do_close_packet_id(struct context *c)
3552 {
3553  packet_id_free(&c->c2.crypto_options.packet_id);
3554  packet_id_persist_save(&c->c1.pid_persist);
3555  if (!(c->sig->signal_received == SIGUSR1))
3556  {
3557  packet_id_persist_close(&c->c1.pid_persist);
3558  }
3559 }
3560 
3561 #ifdef ENABLE_FRAGMENT
3562 /*
3563  * Close fragmentation handler.
3564  */
3565 static void
3566 do_close_fragment(struct context *c)
3567 {
3568  if (c->c2.fragment)
3569  {
3570  fragment_free(c->c2.fragment);
3571  c->c2.fragment = NULL;
3572  }
3573 }
3574 #endif
3575 
3576 /*
3577  * Open and close our event objects.
3578  */
3579 
3580 static void
3581 do_event_set_init(struct context *c,
3582  bool need_us_timeout)
3583 {
3584  unsigned int flags = 0;
3585 
3586  c->c2.event_set_max = BASE_N_EVENTS;
3587 
3588  flags |= EVENT_METHOD_FAST;
3589 
3590  if (need_us_timeout)
3591  {
3592  flags |= EVENT_METHOD_US_TIMEOUT;
3593  }
3594 
3595  c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3596  c->c2.event_set_owned = true;
3597 }
3598 
3599 static void
3600 do_close_event_set(struct context *c)
3601 {
3602  if (c->c2.event_set && c->c2.event_set_owned)
3603  {
3604  event_free(c->c2.event_set);
3605  c->c2.event_set = NULL;
3606  c->c2.event_set_owned = false;
3607  }
3608 }
3609 
3610 /*
3611  * Open and close --status file
3612  */
3613 
3614 static void
3615 do_open_status_output(struct context *c)
3616 {
3617  if (!c->c1.status_output)
3618  {
3619  c->c1.status_output = status_open(c->options.status_file,
3620  c->options.status_file_update_freq,
3621  -1,
3622  NULL,
3623  STATUS_OUTPUT_WRITE);
3624  c->c1.status_output_owned = true;
3625  }
3626 }
3627 
3628 static void
3629 do_close_status_output(struct context *c)
3630 {
3631  if (!(c->sig->signal_received == SIGUSR1))
3632  {
3633  if (c->c1.status_output_owned && c->c1.status_output)
3634  {
3635  status_close(c->c1.status_output);
3636  c->c1.status_output = NULL;
3637  c->c1.status_output_owned = false;
3638  }
3639  }
3640 }
3641 
3642 /*
3643  * Handle ifconfig-pool persistence object.
3644  */
3645 static void
3646 do_open_ifconfig_pool_persist(struct context *c)
3647 {
3648  if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
3649  {
3650  c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3651  c->options.ifconfig_pool_persist_refresh_freq);
3652  c->c1.ifconfig_pool_persist_owned = true;
3653  }
3654 }
3655 
3656 static void
3657 do_close_ifconfig_pool_persist(struct context *c)
3658 {
3659  if (!(c->sig->signal_received == SIGUSR1))
3660  {
3661  if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3662  {
3663  ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3664  c->c1.ifconfig_pool_persist = NULL;
3665  c->c1.ifconfig_pool_persist_owned = false;
3666  }
3667  }
3668 }
3669 
3670 /*
3671  * Inherit environmental variables
3672  */
3673 
3674 static void
3675 do_inherit_env(struct context *c, const struct env_set *src)
3676 {
3677  c->c2.es = env_set_create(NULL);
3678  c->c2.es_owned = true;
3679  env_set_inherit(c->c2.es, src);
3680 }
3681 
3682 static void
3683 do_env_set_destroy(struct context *c)
3684 {
3685  if (c->c2.es && c->c2.es_owned)
3686  {
3687  env_set_destroy(c->c2.es);
3688  c->c2.es = NULL;
3689  c->c2.es_owned = false;
3690  }
3691 }
3692 
3693 /*
3694  * Fast I/O setup. Fast I/O is an optimization which only works
3695  * if all of the following are true:
3696  *
3697  * (1) The platform is not Windows
3698  * (2) --proto udp is enabled
3699  * (3) --shaper is disabled
3700  */
3701 static void
3702 do_setup_fast_io(struct context *c)
3703 {
3704  if (c->options.fast_io)
3705  {
3706 #ifdef _WIN32
3707  msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3708 #else
3709  if (!proto_is_udp(c->options.ce.proto))
3710  {
3711  msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3712  }
3713  else
3714  {
3715  if (c->options.shaper)
3716  {
3717  msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3718  }
3719  else
3720  {
3721  c->c2.fast_io = true;
3722  }
3723  }
3724 #endif
3725  }
3726 }
3727 
3728 static void
3729 do_signal_on_tls_errors(struct context *c)
3730 {
3731  if (c->options.tls_exit)
3732  {
3733  c->c2.tls_exit_signal = SIGTERM;
3734  }
3735  else
3736  {
3737  c->c2.tls_exit_signal = SIGUSR1;
3738  }
3739 }
3740 
3741 #ifdef ENABLE_PLUGIN
3742 
3743 void
3744 init_plugins(struct context *c)
3745 {
3746  if (c->options.plugin_list && !c->plugins)
3747  {
3748  c->plugins = plugin_list_init(c->options.plugin_list);
3749  c->plugins_owned = true;
3750  }
3751 }
3752 
3753 void
3754 open_plugins(struct context *c, const bool import_options, int init_point)
3755 {
3756  if (c->plugins && c->plugins_owned)
3757  {
3758  if (import_options)
3759  {
3760  struct plugin_return pr, config;
3761  plugin_return_init(&pr);
3762  plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3763  plugin_return_get_column(&pr, &config, "config");
3764  if (plugin_return_defined(&config))
3765  {
3766  int i;
3767  for (i = 0; i < config.n; ++i)
3768  {
3769  unsigned int option_types_found = 0;
3770  if (config.list[i] && config.list[i]->value)
3771  {
3772  options_string_import(&c->options,
3773  config.list[i]->value,
3774  D_IMPORT_ERRORS|M_OPTERR,
3775  OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3776  &option_types_found,
3777  c->es);
3778  }
3779  }
3780  }
3781  plugin_return_free(&pr);
3782  }
3783  else
3784  {
3785  plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3786  }
3787  }
3788 }
3789 
3790 static void
3791 do_close_plugins(struct context *c)
3792 {
3793  if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3794  {
3795  plugin_list_close(c->plugins);
3796  c->plugins = NULL;
3797  c->plugins_owned = false;
3798  }
3799 }
3800 
3801 static void
3802 do_inherit_plugins(struct context *c, const struct context *src)
3803 {
3804  if (!c->plugins && src->plugins)
3805  {
3806  c->plugins = plugin_list_inherit(src->plugins);
3807  c->plugins_owned = true;
3808  }
3809 }
3810 
3811 #endif /* ifdef ENABLE_PLUGIN */
3812 
3813 #ifdef ENABLE_MANAGEMENT
3814 
3815 static void
3816 management_callback_status_p2p(void *arg, const int version, struct status_output *so)
3817 {
3818  struct context *c = (struct context *) arg;
3819  print_status(c, so);
3820 }
3821 
3822 void
3823 management_show_net_callback(void *arg, const int msglevel)
3824 {
3825 #ifdef _WIN32
3826  show_routes(msglevel);
3827  show_adapters(msglevel);
3828  msg(msglevel, "END");
3829 #else
3830  msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3831 #endif
3832 }
3833 
3834 #ifdef TARGET_ANDROID
3835 int
3836 management_callback_network_change(void *arg, bool samenetwork)
3837 {
3838  /* Check if the client should translate the network change to a SIGUSR1 to
3839  * reestablish the connection or just reprotect the socket
3840  *
3841  * At the moment just assume that, for all settings that use pull (not
3842  * --static) and are not using peer-id reestablishing the connection is
3843  * required (unless the network is the same)
3844  *
3845  * The function returns -1 on invalid fd and -2 if the socket cannot be
3846  * reused. On the -2 return value the man_network_change function triggers
3847  * a SIGUSR1 to force a reconnect.
3848  */
3849 
3850  int socketfd = -1;
3851  struct context *c = (struct context *) arg;
3852  if (!c->c2.link_socket)
3853  {
3854  return -1;
3855  }
3856  if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3857  {
3858  return -1;
3859  }
3860 
3861  socketfd = c->c2.link_socket->sd;
3862  if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3863  {
3864  return socketfd;
3865  }
3866  else
3867  {
3868  return -2;
3869  }
3870 }
3871 #endif /* ifdef TARGET_ANDROID */
3872 
3873 #endif /* ifdef ENABLE_MANAGEMENT */
3874 
3875 void
3876 init_management_callback_p2p(struct context *c)
3877 {
3878 #ifdef ENABLE_MANAGEMENT
3879  if (management)
3880  {
3881  struct management_callback cb;
3882  CLEAR(cb);
3883  cb.arg = c;
3884  cb.status = management_callback_status_p2p;
3885  cb.show_net = management_show_net_callback;
3886  cb.proxy_cmd = management_callback_proxy_cmd;
3887  cb.remote_cmd = management_callback_remote_cmd;
3888  cb.send_cc_message = management_callback_send_cc_message;
3889 #ifdef TARGET_ANDROID
3890  cb.network_change = management_callback_network_change;
3891 #endif
3892  management_set_callback(management, &cb);
3893  }
3894 #endif
3895 }
3896 
3897 #ifdef ENABLE_MANAGEMENT
3898 
3899 void
3900 init_management(void)
3901 {
3902  if (!management)
3903  {
3904  management = management_init();
3905  }
3906 }
3907 
3908 bool
3909 open_management(struct context *c)
3910 {
3911  /* initialize management layer */
3912  if (management)
3913  {
3914  if (c->options.management_addr)
3915  {
3916  unsigned int flags = c->options.management_flags;
3917  if (c->options.mode == MODE_SERVER)
3918  {
3919  flags |= MF_SERVER;
3920  }
3921  if (management_open(management,
3922  c->options.management_addr,
3923  c->options.management_port,
3924  c->options.management_user_pass,
3925  c->options.management_client_user,
3926  c->options.management_client_group,
3927  c->options.management_log_history_cache,
3928  c->options.management_echo_buffer_size,
3929  c->options.management_state_buffer_size,
3930  c->options.management_write_peer_info_file,
3931  c->options.remap_sigusr1,
3932  flags))
3933  {
3934  management_set_state(management,
3935  OPENVPN_STATE_CONNECTING,
3936  NULL,
3937  NULL,
3938  NULL,
3939  NULL,
3940  NULL);
3941  }
3942 
3943  /* initial management hold, called early, before first context initialization */
3944  do_hold(0);
3945  if (IS_SIG(c))
3946  {
3947  msg(M_WARN, "Signal received from management interface, exiting");
3948  return false;
3949  }
3950  }
3951  else
3952  {
3953  close_management();
3954  }
3955  }
3956  return true;
3957 }
3958 
3959 void
3960 close_management(void)
3961 {
3962  if (management)
3963  {
3964  management_close(management);
3965  management = NULL;
3966  }
3967 }
3968 
3969 #endif /* ifdef ENABLE_MANAGEMENT */
3970 
3971 
3972 void
3973 uninit_management_callback(void)
3974 {
3975 #ifdef ENABLE_MANAGEMENT
3976  if (management)
3977  {
3978  management_clear_callback(management);
3979  }
3980 #endif
3981 }
3982 
3983 /*
3984  * Initialize a tunnel instance, handle pre and post-init
3985  * signal settings.
3986  */
3987 void
3988 init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
3989 {
3990  pre_init_signal_catch();
3991  init_instance(c, env, flags);
3992  post_init_signal_catch();
3993 
3994  /*
3995  * This is done so that signals thrown during
3996  * initialization can bring us back to
3997  * a management hold.
3998  */
3999  if (IS_SIG(c))
4000  {
4001  remap_signal(c);
4002  uninit_management_callback();
4003  }
4004 }
4005 
4006 /*
4007  * Initialize a tunnel instance.
4008  */
4009 void
4010 init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
4011 {
4012  const struct options *options = &c->options;
4013  const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4014  int link_socket_mode = LS_MODE_DEFAULT;
4015 
4016  /* init garbage collection level */
4017  gc_init(&c->c2.gc);
4018 
4019  /* inherit environmental variables */
4020  if (env)
4021  {
4022  do_inherit_env(c, env);
4023  }
4024 
4025  /* signals caught here will abort */
4026  c->sig->signal_received = 0;
4027  c->sig->signal_text = NULL;
4028  c->sig->source = SIG_SOURCE_SOFT;
4029 
4030  if (c->mode == CM_P2P)
4031  {
4032  init_management_callback_p2p(c);
4033  }
4034 
4035  /* possible sleep or management hold if restart */
4036  if (c->mode == CM_P2P || c->mode == CM_TOP)
4037  {
4038  do_startup_pause(c);
4039  if (IS_SIG(c))
4040  {
4041  goto sig;
4042  }
4043  }
4044 
4045  if (c->options.resolve_in_advance)
4046  {
4047  do_preresolve(c);
4048  if (IS_SIG(c))
4049  {
4050  goto sig;
4051  }
4052  }
4053 
4054  /* Resets all values to the initial values from the config where needed */
4055  pre_connect_restore(&c->options, &c->c2.gc);
4056 
4057  /* map in current connection entry */
4058  next_connection_entry(c);
4059 
4060  /* link_socket_mode allows CM_CHILD_TCP
4061  * instances to inherit acceptable fds
4062  * from a top-level parent */
4063  if (c->options.ce.proto == PROTO_TCP_SERVER)
4064  {
4065  if (c->mode == CM_TOP)
4066  {
4067  link_socket_mode = LS_MODE_TCP_LISTEN;
4068  }
4069  else if (c->mode == CM_CHILD_TCP)
4070  {
4071  link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4072  }
4073  }
4074 
4075  /* should we disable paging? */
4076  if (c->first_time && options->mlock)
4077  {
4078  platform_mlockall(true);
4079  }
4080 
4081  /* get passwords if undefined */
4082  if (auth_retry_get() == AR_INTERACT)
4083  {
4084  init_query_passwords(c);
4085  }
4086 
4087  /* initialize context level 2 --verb/--mute parms */
4088  init_verb_mute(c, IVM_LEVEL_2);
4089 
4090  /* set error message delay for non-server modes */
4091  if (c->mode == CM_P2P)
4092  {
4093  set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4094  }
4095 
4096  /* warn about inconsistent options */
4097  if (c->mode == CM_P2P || c->mode == CM_TOP)
4098  {
4099  do_option_warnings(c);
4100  }
4101 
4102 #ifdef ENABLE_PLUGIN
4103  /* initialize plugins */
4104  if (c->mode == CM_P2P || c->mode == CM_TOP)
4105  {
4106  open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4107  }
4108 #endif
4109 
4110  /* should we enable fast I/O? */
4111  if (c->mode == CM_P2P || c->mode == CM_TOP)
4112  {
4113  do_setup_fast_io(c);
4114  }
4115 
4116  /* should we throw a signal on TLS errors? */
4117  do_signal_on_tls_errors(c);
4118 
4119  /* open --status file */
4120  if (c->mode == CM_P2P || c->mode == CM_TOP)
4121  {
4122  do_open_status_output(c);
4123  }
4124 
4125  /* open --ifconfig-pool-persist file */
4126  if (c->mode == CM_TOP)
4127  {
4128  do_open_ifconfig_pool_persist(c);
4129  }
4130 
4131  /* reset OCC state */
4132  if (c->mode == CM_P2P || child)
4133  {
4134  c->c2.occ_op = occ_reset_op();
4135  }
4136 
4137  /* our wait-for-i/o objects, different for posix vs. win32 */
4138  if (c->mode == CM_P2P)
4139  {
4140  do_event_set_init(c, SHAPER_DEFINED(&c->options));
4141  }
4142  else if (c->mode == CM_CHILD_TCP)
4143  {
4144  do_event_set_init(c, false);
4145  }
4146 
4147  /* initialize HTTP or SOCKS proxy object at scope level 2 */
4148  init_proxy(c);
4149 
4150  /* allocate our socket object */
4151  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4152  {
4153  do_link_socket_new(c);
4154  }
4155 
4156 #ifdef ENABLE_FRAGMENT
4157  /* initialize internal fragmentation object */
4158  if (options->ce.fragment && (c->mode == CM_P2P || child))
4159  {
4160  c->c2.fragment = fragment_init(&c->c2.frame);
4161  }
4162 #endif
4163 
4164  /* init crypto layer */
4165  {
4166  unsigned int crypto_flags = 0;
4167  if (c->mode == CM_TOP)
4168  {
4169  crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4170  }
4171  else if (c->mode == CM_P2P)
4172  {
4173  crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4174  }
4175  else if (child)
4176  {
4177  crypto_flags = CF_INIT_TLS_MULTI;
4178  }
4179  do_init_crypto(c, crypto_flags);
4180  if (IS_SIG(c) && !child)
4181  {
4182  goto sig;
4183  }
4184  }
4185 
4186 #ifdef USE_COMP
4187  /* initialize compression library. */
4188  if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4189  {
4190  c->c2.comp_context = comp_init(&options->comp);
4191  }
4192 #endif
4193 
4194  /* initialize MTU variables */
4195  do_init_frame(c);
4196 
4197  /* initialize TLS MTU variables */
4198  do_init_frame_tls(c);
4199 
4200  /* init workspace buffers whose size is derived from frame size */
4201  if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4202  {
4203  do_init_buffers(c);
4204  }
4205 
4206 #ifdef ENABLE_FRAGMENT
4207  /* initialize internal fragmentation capability with known frame size */
4208  if (options->ce.fragment && (c->mode == CM_P2P || child))
4209  {
4210  do_init_fragment(c);
4211  }
4212 #endif
4213 
4214  /* initialize dynamic MTU variable */
4215  frame_init_mssfix(&c->c2.frame, &c->options);
4216 
4217  /* bind the TCP/UDP socket */
4218  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4219  {
4220  link_socket_init_phase1(c, link_socket_mode);
4221  }
4222 
4223  /* initialize tun/tap device object,
4224  * open tun/tap device, ifconfig, run up script, etc. */
4225  if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4226  {
4227  c->c2.did_open_tun = do_open_tun(c);
4228  }
4229 
4230  c->c2.frame_initial = c->c2.frame;
4231 
4232  /* print MTU info */
4233  do_print_data_channel_mtu_parms(c);
4234 
4235  /* get local and remote options compatibility strings */
4236  if (c->mode == CM_P2P || child)
4237  {
4238  do_compute_occ_strings(c);
4239  }
4240 
4241  /* initialize output speed limiter */
4242  if (c->mode == CM_P2P)
4243  {
4244  do_init_traffic_shaper(c);
4245  }
4246 
4247  /* do one-time inits, and possibly become a daemon here */
4248  do_init_first_time(c);
4249 
4250 #ifdef ENABLE_PLUGIN
4251  /* initialize plugins */
4252  if (c->mode == CM_P2P || c->mode == CM_TOP)
4253  {
4254  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4255  }
4256 #endif
4257 
4258  /* initialise connect timeout timer */
4259  do_init_server_poll_timeout(c);
4260 
4261  /* finalize the TCP/UDP socket */
4262  if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4263  {
4264  link_socket_init_phase2(c);
4265  }
4266 
4267  /*
4268  * Actually do UID/GID downgrade, and chroot, if requested.
4269  * May be delayed by --client, --pull, or --up-delay.
4270  */
4271  do_uid_gid_chroot(c, c->c2.did_open_tun);
4272 
4273  /* initialize timers */
4274  if (c->mode == CM_P2P || child)
4275  {
4276  do_init_timers(c, false);
4277  }
4278 
4279 #ifdef ENABLE_PLUGIN
4280  /* initialize plugins */
4281  if (c->mode == CM_P2P || c->mode == CM_TOP)
4282  {
4283  open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4284  }
4285 #endif
4286 
4287 #if PORT_SHARE
4288  /* share OpenVPN port with foreign (such as HTTPS) server */
4289  if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4290  {
4291  init_port_share(c);
4292  }
4293 #endif
4294 
4295 #ifdef ENABLE_PF
4296  if (child)
4297  {
4298  pf_init_context(c);
4299  }
4300 #endif
4301 
4302  /* Check for signals */
4303  if (IS_SIG(c))
4304  {
4305  goto sig;
4306  }
4307 
4308  return;
4309 
4310 sig:
4311  if (!c->sig->signal_text)
4312  {
4313  c->sig->signal_text = "init_instance";
4314  }
4315  close_context(c, -1, flags);
4316  return;
4317 }
4318 
4319 /*
4320  * Close a tunnel instance.
4321  */
4322 void
4323 close_instance(struct context *c)
4324 {
4325  /* close event objects */
4326  do_close_event_set(c);
4327 
4328  if (c->mode == CM_P2P
4329  || c->mode == CM_CHILD_TCP
4330  || c->mode == CM_CHILD_UDP
4331  || c->mode == CM_TOP)
4332  {
4333 #ifdef USE_COMP
4334  if (c->c2.comp_context)
4335  {
4336  comp_uninit(c->c2.comp_context);
4337  c->c2.comp_context = NULL;
4338  }
4339 #endif
4340 
4341  /* free buffers */
4342  do_close_free_buf(c);
4343 
4344  /* close TLS */
4345  do_close_tls(c);
4346 
4347  /* free key schedules */
4348  do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
4349 
4350  /* close TCP/UDP connection */
4351  do_close_link_socket(c);
4352 
4353  /* close TUN/TAP device */
4354  do_close_tun(c, false);
4355 
4356 #ifdef ENABLE_MANAGEMENT
4357  if (management)
4358  {
4359  management_notify_client_close(management, &c->c2.mda_context, NULL);
4360  }
4361 #endif
4362 
4363 #ifdef ENABLE_PF
4364  pf_destroy_context(&c->c2.pf);
4365 #endif
4366 
4367 #ifdef ENABLE_PLUGIN
4368  /* call plugin close functions and unload */
4369  do_close_plugins(c);
4370 #endif
4371 
4372  /* close packet-id persistence file */
4373  do_close_packet_id(c);
4374 
4375  /* close --status file */
4376  do_close_status_output(c);
4377 
4378 #ifdef ENABLE_FRAGMENT
4379  /* close fragmentation handler */
4380  do_close_fragment(c);
4381 #endif
4382 
4383  /* close --ifconfig-pool-persist obj */
4384  do_close_ifconfig_pool_persist(c);
4385 
4386  /* free up environmental variable store */
4387  do_env_set_destroy(c);
4388 
4389  /* close HTTP or SOCKS proxy */
4390  uninit_proxy(c);
4391 
4392  /* garbage collect */
4393  gc_free(&c->c2.gc);
4394  }
4395 }
4396 
4397 void
4398 inherit_context_child(struct context *dest,
4399  const struct context *src)
4400 {
4401  CLEAR(*dest);
4402 
4403  /* proto_is_dgram will ASSERT(0) if proto is invalid */
4404  dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
4405 
4406  dest->gc = gc_new();
4407 
4408  ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
4409 
4410  /* c1 init */
4411  packet_id_persist_init(&dest->c1.pid_persist);
4412 
4413  dest->c1.ks.key_type = src->c1.ks.key_type;
4414  /* inherit SSL context */
4415  dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4416  dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4417  dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
4418  dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
4419  /* inherit pre-NCP ciphers */
4420  dest->options.ciphername = src->options.ciphername;
4421  dest->options.authname = src->options.authname;
4422 
4423  /* inherit auth-token */
4424  dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4425 
4426  /* options */
4427  dest->options = src->options;
4428  options_detach(&dest->options);
4429 
4430  if (dest->mode == CM_CHILD_TCP)
4431  {
4432  /*
4433  * The CM_TOP context does the socket listen(),
4434  * and the CM_CHILD_TCP context does the accept().
4435  */
4436  dest->c2.accept_from = src->c2.link_socket;
4437  }
4438 
4439 #ifdef ENABLE_PLUGIN
4440  /* inherit plugins */
4441  do_inherit_plugins(dest, src);
4442 #endif
4443 
4444  /* context init */
4445  init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4446  if (IS_SIG(dest))
4447  {
4448  return;
4449  }
4450 
4451  /* inherit tun/tap interface object */
4452  dest->c1.tuntap = src->c1.tuntap;
4453 
4454  /* UDP inherits some extra things which TCP does not */
4455  if (dest->mode == CM_CHILD_UDP)
4456  {
4457  /* inherit buffers */
4458  dest->c2.buffers = src->c2.buffers;
4459 
4460  /* inherit parent link_socket and tuntap */
4461  dest->c2.link_socket = src->c2.link_socket;
4462 
4463  ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4464  *dest->c2.link_socket_info = src->c2.link_socket->info;
4465 
4466  /* locally override some link_socket_info fields */
4467  dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4468  dest->c2.link_socket_info->connection_established = false;
4469  }
4470 }
4471 
4472 void
4473 inherit_context_top(struct context *dest,
4474  const struct context *src)
4475 {
4476  /* copy parent */
4477  *dest = *src;
4478 
4479  /*
4480  * CM_TOP_CLONE will prevent close_instance from freeing or closing
4481  * resources owned by the parent.
4482  *
4483  * Also note that CM_TOP_CLONE context objects are
4484  * closed by multi_top_free in multi.c.
4485  */
4486  dest->mode = CM_TOP_CLONE;
4487 
4488  dest->first_time = false;
4489  dest->c0 = NULL;
4490 
4491  options_detach(&dest->options);
4492  gc_detach(&dest->gc);
4493  gc_detach(&dest->c2.gc);
4494 
4495  /* detach plugins */
4496  dest->plugins_owned = false;
4497 
4498  dest->c2.tls_multi = NULL;
4499 
4500  /* detach c1 ownership */
4501  dest->c1.tuntap_owned = false;
4502  dest->c1.status_output_owned = false;
4503  dest->c1.ifconfig_pool_persist_owned = false;
4504 
4505  /* detach c2 ownership */
4506  dest->c2.event_set_owned = false;
4507  dest->c2.link_socket_owned = false;
4508  dest->c2.buffers_owned = false;
4509  dest->c2.es_owned = false;
4510 
4511  dest->c2.event_set = NULL;
4512  if (proto_is_dgram(src->options.ce.proto))
4513  {
4514  do_event_set_init(dest, false);
4515  }
4516 
4517 #ifdef USE_COMP
4518  dest->c2.comp_context = NULL;
4519 #endif
4520 }
4521 
4522 void
4523 close_context(struct context *c, int sig, unsigned int flags)
4524 {
4525  ASSERT(c);
4526  ASSERT(c->sig);
4527 
4528  if (sig >= 0)
4529  {
4530  c->sig->signal_received = sig;
4531  }
4532 
4533  if (c->sig->signal_received == SIGUSR1)
4534  {
4535  if ((flags & CC_USR1_TO_HUP)
4536  || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
4537  {
4538  c->sig->signal_received = SIGHUP;
4539  c->sig->signal_text = "close_context usr1 to hup";
4540  }
4541  }
4542 
4543  if (!(flags & CC_NO_CLOSE))
4544  {
4545  close_instance(c);
4546  }
4547 
4548  if (flags & CC_GC_FREE)
4549  {
4550  context_gc_free(c);
4551  }
4552 }
4553 
4554 /* Write our PID to a file */
4555 void
4556 write_pid_file(const char *filename, const char *chroot_dir)
4557 {
4558  if (filename)
4559  {
4560  unsigned int pid = 0;
4561  FILE *fp = platform_fopen(filename, "w");
4562  if (!fp)
4563  {
4564  msg(M_ERR, "Open error on pid file %s", filename);
4565  return;
4566  }
4567 
4568  pid = platform_getpid();
4569  fprintf(fp, "%u\n", pid);
4570  if (fclose(fp))
4571  {
4572  msg(M_ERR, "Close error on pid file %s", filename);
4573  }
4574 
4575  /* remember file name so it can be deleted "out of context" later */
4576  /* (the chroot case is more complex and not handled today) */
4577  if (!chroot_dir)
4578  {
4579  saved_pid_file_name = strdup(filename);
4580  }
4581  }
4582 }
4583 
4584 /* remove PID file on exit, called from openvpn_exit() */
4585 void
4586 remove_pid_file(void)
4587 {
4588  if (saved_pid_file_name)
4589  {
4590  platform_unlink(saved_pid_file_name);
4591  }
4592 }
4593 
4594 
4595 /*
4596  * Do a loopback test
4597  * on the crypto subsystem.
4598  */
4599 static void *
4600 test_crypto_thread(void *arg)
4601 {
4602  struct context *c = (struct context *) arg;
4603  const struct options *options = &c->options;
4604 
4605  ASSERT(options->test_crypto);
4606  init_verb_mute(c, IVM_LEVEL_1);
4607  context_init_1(c);
4608  next_connection_entry(c);
4609  do_init_crypto_static(c, 0);
4610 
4611  frame_finalize_options(c, options);
4612 
4613  test_crypto(&c->c2.crypto_options, &c->c2.frame);
4614 
4615  key_schedule_free(&c->c1.ks, true);
4616  packet_id_free(&c->c2.crypto_options.packet_id);
4617 
4618  context_gc_free(c);
4619  return NULL;
4620 }
4621 
4622 bool
4623 do_test_crypto(const struct options *o)
4624 {
4625  if (o->test_crypto)
4626  {
4627  struct context c;
4628 
4629  /* print version number */
4630  msg(M_INFO, "%s", title_string);
4631 
4632  context_clear(&c);
4633  c.options = *o;
4634  options_detach(&c.options);
4635  c.first_time = true;
4636  test_crypto_thread((void *) &c);
4637  return true;
4638  }
4639  return false;
4640 }
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:317
tls_options::tcp_mode
bool tcp_mode
Definition: ssl_common.h:320
context_2::es
struct env_set * es
Definition: openvpn.h:407
remote_host_store::port
char port[RH_PORT_LEN]
Definition: options.h:194
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:182
context_1::socks_proxy_owned
bool socks_proxy_owned
Definition: openvpn.h:190
warn_on_use_of_common_subnets
void warn_on_use_of_common_subnets(openvpn_net_ctx_t *ctx)
Definition: tun.c:567
init_crypto_pre
static void init_crypto_pre(struct context *c, const unsigned int flags)
Definition: init.c:2528
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
interval_init
void interval_init(struct interval *top, int horizon, int refresh)
Definition: interval.c:37
options::status_file
const char * status_file
Definition: options.h:349
management_close
void management_close(struct management *man)
Definition: manage.c:2691
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:441
tls_options::key_type
struct key_type key_type
Definition: ssl_common.h:268
ifconfig_pool_persist_init
struct ifconfig_pool_persist * ifconfig_pool_persist_init(const char *filename, int refresh_freq)
Definition: pool.c:553
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:306
options::sndbuf
int sndbuf
Definition: options.h:362
frame_add_to_extra_buffer
static void frame_add_to_extra_buffer(struct frame *frame, const int increment)
Definition: mtu.h:298
platform_group_set
void platform_group_set(const struct platform_state_group *state)
Definition: platform.c:134
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:382
context_2::log_rw
bool log_rw
Definition: openvpn.h:369
frame_subtract_extra
void frame_subtract_extra(struct frame *frame, const struct frame *src)
Definition: mtu.c:123
route_did_redirect_default_gateway
static int route_did_redirect_default_gateway(const struct route_list *rl)
Definition: route.h:402
set_std_files_to_null
void set_std_files_to_null(bool stdin_only)
Definition: misc.c:58
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
http_proxy_new
struct http_proxy_info * http_proxy_new(const struct http_proxy_options *o)
Definition: proxy.c:493
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:114
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:483
context_2::frame_fragment_omit
struct frame frame_fragment_omit
Definition: openvpn.h:255
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:337
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
context_2::route_wakeup
struct event_timeout route_wakeup
Definition: openvpn.h:372
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:118
uninit_proxy_dowork
static void uninit_proxy_dowork(struct context *c)
Definition: init.c:609
OPT_P_DEFAULT
#define OPT_P_DEFAULT
Definition: options.h:700
do_init_route_ipv6_list
static void do_init_route_ipv6_list(const struct options *options, struct route_ipv6_list *route_ipv6_list, const struct link_socket_info *link_socket_info, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: init.c:1514
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
tuntap
Definition: tun.h:155
options::ncp_enabled
bool ncp_enabled
Definition: options.h:515
options::management_flags
unsigned int management_flags
Definition: options.h:405
do_close_tun
static void do_close_tun(struct context *c, bool force)
Definition: init.c:1979
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
do_init_crypto_static
static void do_init_crypto_static(struct context *c, const unsigned int flags)
Definition: init.c:2556
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:565
signal_description
const char * signal_description(const int signum, const char *sigtext)
Definition: sig.c:91
context_buffers::read_tun_buf
struct buffer read_tun_buf
Definition: openvpn.h:112
tls_options::crl_file
const char * crl_file
Definition: ssl_common.h:300
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:102
options::block_outside_dns
bool block_outside_dns
Definition: options.h:637
key_type::hmac_length
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
D_INIT_MEDIUM
#define D_INIT_MEDIUM
Definition: errlevel.h:106
context_2::ping_rec_interval
struct event_timeout ping_rec_interval
Definition: openvpn.h:284
crypto_max_overhead
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
tls_auth_standalone_finalize
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1305
tls_options::tls_crypt_v2
bool tls_crypt_v2
Definition: ssl_common.h:326
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:465
platform_nice
void platform_nice(int niceval)
Definition: platform.c:160
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
context_2::route_wakeup_expire
struct event_timeout route_wakeup_expire
Definition: openvpn.h:373
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:522
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1082
BASE_N_EVENTS
#define BASE_N_EVENTS
Definition: init.h:33
tun_standby_init
void tun_standby_init(struct tuntap *tt)
Definition: tun.c:5664
options::show_curves
bool show_curves
Definition: options.h:240
ssl_clean_user_pass
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4145
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:185
D_ROUTE
#define D_ROUTE
Definition: errlevel.h:80
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:634
options::cipher_list
const char * cipher_list
Definition: options.h:547
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
options::tls_server
bool tls_server
Definition: options.h:532
link_socket_new
struct link_socket * link_socket_new(void)
Definition: socket.c:1847
do_alloc_route_list
static void do_alloc_route_list(struct context *c)
Definition: init.c:1459
management_callback_remote_cmd
static bool management_callback_remote_cmd(void *arg, const char **p)
Definition: init.c:333
socks_proxy_close
void socks_proxy_close(struct socks_proxy_info *sp)
Definition: socks.c:91
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
CE_MAN_QUERY_REMOTE_MOD
#define CE_MAN_QUERY_REMOTE_MOD
Definition: options.h:138
init_verb_mute
void init_verb_mute(struct context *c, unsigned int flags)
Definition: init.c:1001
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:3773
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:513
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:114
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:613
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
options_hash_changed_or_zero
static bool options_hash_changed_or_zero(const struct sha256_digest *a, const struct sha256_digest *b)
Helper for do_up().
Definition: init.c:2131
init_proxy_dowork
static void init_proxy_dowork(struct context *c)
Definition: init.c:626
frame_or_align_flags
static void frame_or_align_flags(struct frame *frame, const unsigned int flag_mask)
Definition: mtu.h:310
prng_init
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1715
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
SET_MTU_TUN
#define SET_MTU_TUN
Definition: mtu.h:220
context_2::did_open_tun
bool did_open_tun
Definition: openvpn.h:376
add_routes
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
tls_options::auth_token_lifetime
unsigned int auth_token_lifetime
Definition: ssl_common.h:344
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:550
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:396
M_OPTERR
#define M_OPTERR
Definition: error.h:105
STATUS_OUTPUT_WRITE
#define STATUS_OUTPUT_WRITE
Definition: status.h:51
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:327
context_2::tmp_int
struct interval tmp_int
Definition: openvpn.h:333
streq
#define streq(x, y)
Definition: options.h:664
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:440
options::chroot_dir
const char * chroot_dir
Definition: options.h:322
P2P_ERROR_DELAY_MS
#define P2P_ERROR_DELAY_MS
Definition: errlevel.h:41
string_clear
void string_clear(char *str)
Definition: buffer.c:727
do_inherit_plugins
static void do_inherit_plugins(struct context *c, const struct context *src)
Definition: init.c:3802
do_close_event_set
static void do_close_event_set(struct context *c)
Definition: init.c:3600
do_init_crypto_tls_c1
static void do_init_crypto_tls_c1(struct context *c)
Definition: init.c:2695
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:427
S_FATAL
#define S_FATAL
Definition: run_command.h:46
options::dev
const char * dev
Definition: options.h:265
WSO_FORCE_SERVICE
#define WSO_FORCE_SERVICE
Definition: win32.h:166
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:302
tls_options::mode
int mode
Definition: ssl_common.h:285
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2140
options::auth_token_generate
bool auth_token_generate
Definition: options.h:483
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
M_INFO
#define M_INFO
Definition: errlevel.h:55
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4449
tun_abort
void tun_abort(void)
Definition: init.c:2112
plugin_return
Definition: plugin.h:101
context
Contains all state information for one tunnel.
Definition: openvpn.h:463
CIPHER_ENABLED
#define CIPHER_ENABLED(c)
Definition: openvpn.h:534
frame
Packet geometry parameters.
Definition: mtu.h:93
do_env_set_destroy
static void do_env_set_destroy(struct context *c)
Definition: init.c:3683
do_init_tls_wrap_key
static void do_init_tls_wrap_key(struct context *c)
Definition: init.c:2615
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition: crypto_openssl.c:718
ROUTE_AFTER_TUN
#define ROUTE_AFTER_TUN
Definition: tun.h:352
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:486
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
route_ipv6_gateway_info
Definition: route.h:179
M_USAGE
#define M_USAGE
Definition: error.h:111
management::persist
struct man_persist persist
Definition: manage.h:319
srandom
#define srandom
Definition: syshead.h:45
auth_token.h
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:365
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
tls_options::ssl_ctx
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:265
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
error_reset
void error_reset(void)
Definition: error.c:163
PAYLOAD_ALIGN
#define PAYLOAD_ALIGN
Definition: mtu.h:86
management_callback_proxy_cmd
static bool management_callback_proxy_cmd(void *arg, const char **p)
Definition: init.c:212
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:693
frame_add_to_extra_frame
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4523
script_security
int script_security(void)
Definition: run_command.c:45
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:182
tls_options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: ssl_common.h:335
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:509
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
packet_id_persist_init
static void packet_id_persist_init(struct packet_id_persist *p)
Definition: openvpn.h:84
open_tun
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
Definition: tun.c:6656
RH_PORT_LEN
#define RH_PORT_LEN
Definition: options.h:193
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:80
options::peer_id
uint32_t peer_id
Definition: options.h:642
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
OPENVPN_PLUGIN_DOWN
#define OPENVPN_PLUGIN_DOWN
Definition: openvpn-plugin.h:121
init_management_callback_p2p
void init_management_callback_p2p(struct context *c)
Definition: init.c:3876
context_2::tls_auth_standalone
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client&#39;s connection attempt...
Definition: openvpn.h:321
OPENVPN_PLUGIN_ROUTE_UP
#define OPENVPN_PLUGIN_ROUTE_UP
Definition: openvpn-plugin.h:122
buffer_list_new
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
IFCONFIG_BEFORE_TUN_OPEN
#define IFCONFIG_BEFORE_TUN_OPEN
Definition: tun.h:324
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:156
close_instance
void close_instance(struct context *c)
Definition: init.c:4323
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2825
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
connection_entry
Definition: options.h:96
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:587
tls_options::client_config_dir_exclusive
const char * client_config_dir_exclusive
Definition: ssl_common.h:349
http_proxy_close
void http_proxy_close(struct http_proxy_info *hp)
Definition: proxy.c:554
frame_add_to_extra_link
static void frame_add_to_extra_link(struct frame *frame, const int increment)
Definition: mtu.h:292
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1330
OPT_P_IPWIN32
#define OPT_P_IPWIN32
Definition: options.h:672
options::persist_key
bool persist_key
Definition: options.h:307
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
options::replay_window
int replay_window
Definition: options.h:523
options::persist_mode
int persist_mode
Definition: options.h:233
SET_MTU_UPPER_BOUND
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
clear_remote_addrlist
static void clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
Definition: init.c:455
tls_options::auth_user_pass_file
const char * auth_user_pass_file
Definition: ssl_common.h:338
do_signal_on_tls_errors
static void do_signal_on_tls_errors(struct context *c)
Definition: init.c:3729
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:356
tls_options::verify_x509_type
int verify_x509_type
Definition: ssl_common.h:298
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:109
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:282
options::rcvbuf
int rcvbuf
Definition: options.h:361
tls_options::config_ncp_ciphers
const char * config_ncp_ciphers
Definition: ssl_common.h:323
D_LOG_RW
#define D_LOG_RW
Definition: errlevel.h:111
context_2::link_socket_info
struct link_socket_info * link_socket_info
Definition: openvpn.h:240
next_connection_entry
static void next_connection_entry(struct context *c)
Definition: init.c:469
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:289
options::connection_list
struct connection_list * connection_list
Definition: options.h:249
guess_tuntap_dev
const char * guess_tuntap_dev(const char *dev, const char *dev_type, const char *dev_node, struct gc_arena *gc)
Definition: tun.c:405
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:109
LS_MODE_DEFAULT
#define LS_MODE_DEFAULT
Definition: socket.h:191
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:248
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:540
RH_HOST_LEN
#define RH_HOST_LEN
Definition: options.h:191
options::exit_event_name
const char * exit_event_name
Definition: options.h:633
AR_NONE
#define AR_NONE
Definition: options.h:838
context_2::accept_from
const struct link_socket * accept_from
Definition: openvpn.h:241
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
options::route_noexec
bool route_noexec
Definition: options.h:377
options::sockflags
unsigned int sockflags
Definition: options.h:369
frame_finalize_options
static void frame_finalize_options(struct context *c, const struct options *o)
Definition: init.c:2485
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:174
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:150
signal_info
Definition: sig.h:43
packet_id_persist_close
void packet_id_persist_close(struct packet_id_persist *p)
Definition: packet_id.c:416
do_close_tls
static void do_close_tls(struct context *c)
Definition: init.c:3459
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:244
ce_management_query_remote
static bool ce_management_query_remote(struct context *c)
Definition: init.c:380
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
tls_options::x509_username_field
char * x509_username_field[2]
Definition: ssl_common.h:312
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
ENABLE_PKCS11
#define ENABLE_PKCS11
Definition: config-msvc.h:13
options::route_script
const char * route_script
Definition: options.h:372
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:398
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:376
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:487
context_1::link_socket_addr
struct link_socket_addr link_socket_addr
Local and remote addresses on the external network.
Definition: openvpn.h:155
SIZE
#define SIZE(x)
Definition: basic.h:30
D_MTU_INFO
#define D_MTU_INFO
Definition: errlevel.h:107
D_READ_WRITE
#define D_READ_WRITE
Definition: errlevel.h:165
context_1::socks_proxy
struct socks_proxy_info * socks_proxy
Definition: openvpn.h:189
in_addr_t
#define in_addr_t
Definition: config-msvc.h:103
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
do_init_frame
static void do_init_frame(struct context *c)
Definition: init.c:3074
options::config
const char * config
Definition: options.h:219
dmsg
#define dmsg(flags,...)
Definition: error.h:153
options::route_delay
int route_delay
Definition: options.h:378
remove_pid_file
void remove_pid_file(void)
Definition: init.c:4586
shaper_init
static void shaper_init(struct shaper *s, int bytes_per_second)
Definition: shaper.h:86
D_RESTART
#define D_RESTART
Definition: errlevel.h:82
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:490
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::down_script
const char * down_script
Definition: options.h:329
socks_adjust_frame_parameters
void socks_adjust_frame_parameters(struct frame *frame, int proto)
Definition: socks.c:53
options::route_predown_script
const char * route_predown_script
Definition: options.h:373
tls_options::gremlin
int gremlin
Definition: ssl_common.h:386
open_plugins
void open_plugins(struct context *c, const bool import_options, int init_point)
Definition: init.c:3754
tls_options::ekm_label
const char * ekm_label
Definition: ssl_common.h:389
post_init_signal_catch
void post_init_signal_catch(void)
Definition: sig.c:249
link_socket_update_flags
bool link_socket_update_flags(struct link_socket *ls, unsigned int sockflags)
Definition: socket.c:981
context_2::frame_initial
struct frame frame_initial
Definition: openvpn.h:248
options::down_pre
bool down_pre
Definition: options.h:331
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:290
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:694
OPENVPN_PLUGIN_INIT_POST_DAEMON
#define OPENVPN_PLUGIN_INIT_POST_DAEMON
Definition: openvpn-plugin.h:802
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:26
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:176
SIGTERM
#define SIGTERM
Definition: config-msvc.h:117
tls_options::auth_token_generate
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition: ssl_common.h:340
do_init_traffic_shaper
static void do_init_traffic_shaper(struct context *c)
Definition: init.c:1443
TLS_MODE
#define TLS_MODE(c)
Definition: openvpn.h:526
init_query_passwords
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
Definition: init.c:585
options::push_peer_info
bool push_peer_info
Definition: options.h:622
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:674
link_socket::info
struct link_socket_info info
Definition: socket.h:166
CE_MAN_QUERY_PROXY
#define CE_MAN_QUERY_PROXY
Definition: options.h:134
SIGHUP
#define SIGHUP
Definition: config-msvc.h:113
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:588
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3795
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:151
PING_RESTART
#define PING_RESTART
Definition: options.h:301
do_init_finalize_tls_frame
static void do_init_finalize_tls_frame(struct context *c)
Definition: init.c:3024
options::handshake_window
int handshake_window
Definition: options.h:592
ASSERT
#define ASSERT(x)
Definition: error.h:200
route_ipv6_list
Definition: route.h:219
do_close_plugins
static void do_close_plugins(struct context *c)
Definition: init.c:3791
D_SHOW_NET
#define D_SHOW_NET
Definition: errlevel.h:130
tls_options
Definition: ssl_common.h:262
ifconfig_order
static int ifconfig_order(void)
Definition: tun.h:330
context_2::gc
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
basename
char * basename(char *filename)
Definition: compat-basename.c:39
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:224
tls_options::crypto_flags
unsigned int crypto_flags
Definition: ssl_common.h:316
key_schedule::tls_wrap_key
struct key_ctx_bi tls_wrap_key
Definition: openvpn.h:68
connection_list::current
int current
Definition: options.h:172
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:149
options::rh_store
struct remote_host_store * rh_store
Definition: options.h:261
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:616
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:131
platform_user_set
void platform_user_set(const struct platform_state_user *state)
Definition: platform.c:95
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:351
options::verify_x509_type
int verify_x509_type
Definition: options.h:553
options::unsuccessful_attempts
unsigned int unsuccessful_attempts
Definition: options.h:255
close_management
void close_management(void)
Definition: init.c:3960
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:354
context_1::tuntap_owned
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
Definition: openvpn.h:169
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:485
tls_options::config_ciphername
const char * config_ciphername
Definition: ssl_common.h:322
options::prng_hash
const char * prng_hash
Definition: options.h:518
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1866
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:296
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
D_LOW
#define D_LOW
Definition: errlevel.h:98
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:275
options::fast_io
bool fast_io
Definition: options.h:354
options::key_direction
int key_direction
Definition: options.h:511
tls_options::renegotiate_bytes
int renegotiate_bytes
Definition: ssl_common.h:291
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
update_options_ce_post
static void update_options_ce_post(struct options *options)
Definition: init.c:193
do_ifconfig
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
Definition: tun.c:1575
ssl_verify.h
tuntap::options
struct tuntap_options options
Definition: tun.h:168
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:122
static_context
static struct context * static_context
Definition: init.c:60
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:67
init_static
bool init_static(void)
Definition: init.c:754
platform_mlockall
void platform_mlockall(bool print_msg)
Definition: platform.c:197
OCC_MTU_LOAD_INTERVAL_SECONDS
#define OCC_MTU_LOAD_INTERVAL_SECONDS
Definition: occ.h:62
context_2::frame_fragment_initial
struct frame frame_fragment_initial
Definition: openvpn.h:254
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
CE_MAN_QUERY_REMOTE_SKIP
#define CE_MAN_QUERY_REMOTE_SKIP
Definition: options.h:139
socks_proxy_new
struct socks_proxy_info * socks_proxy_new(const char *server, const char *port, const char *authfile)
Definition: socks.c:62
MODE_SERVER
#define MODE_SERVER
Definition: options.h:223
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:608
context_2::ping_send_interval
struct event_timeout ping_send_interval
Definition: openvpn.h:283
options::route_delay_defined
bool route_delay_defined
Definition: options.h:380
argv_msg
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
tls_crypt.h
CM_CHILD_UDP
#define CM_CHILD_UDP
Definition: openvpn.h:475
options::tls_exit
bool tls_exit
Definition: options.h:624
MF_SERVER
#define MF_SERVER
Definition: manage.h:331
link_socket_actual
Definition: socket.h:85
print_openssl_info
bool print_openssl_info(const struct options *options)
Definition: init.c:1034
restore_signal_state
void restore_signal_state(void)
Definition: sig.c:264
check_replay_consistency
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:999
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
init_tun_post
void init_tun_post(struct tuntap *tt, const struct frame *frame, const struct tuntap_options *options)
Definition: tun.c:888
connection_entry::key_direction
int key_direction
Definition: options.h:147
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:702
options::route_nopull
bool route_nopull
Definition: options.h:384
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:48
openvpn_sockaddr::in6
struct sockaddr_in6 in6
Definition: socket.h:70
flags
list flags
Definition: .ycm_extra_conf.py:4
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
do_close_fragment
static void do_close_fragment(struct context *c)
Definition: init.c:3566
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
do_uid_gid_chroot
static void do_uid_gid_chroot(struct context *c, bool no_delay)
Definition: init.c:1239
frame_add_to_extra_tun
static void frame_add_to_extra_tun(struct frame *frame, const int increment)
Definition: mtu.h:286
close_tun
void close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition: tun.c:6780
CF_INIT_TLS_AUTH_STANDALONE
#define CF_INIT_TLS_AUTH_STANDALONE
Definition: init.c:68
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
options::tls_export_cert
const char * tls_export_cert
Definition: options.h:555
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:374
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:516
ifconfig_pool_persist_close
void ifconfig_pool_persist_close(struct ifconfig_pool_persist *persist)
Definition: pool.c:574
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:3988
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:336
VERIFY_X509_NONE
#define VERIFY_X509_NONE
Definition: ssl_verify.h:63
extract_x509_field_test
void extract_x509_field_test(void)
context_0::uid_gid_chroot_set
bool uid_gid_chroot_set
Definition: openvpn.h:138
key_ctx_bi_defined
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:539
options::remote_random
bool remote_random
Definition: options.h:263
frame_add_to_link_mtu
static void frame_add_to_link_mtu(struct frame *frame, const int increment)
Definition: mtu.h:268
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
LS_MODE_TCP_ACCEPT_FROM
#define LS_MODE_TCP_ACCEPT_FROM
Definition: socket.h:193
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:503
pre_init_signal_catch
void pre_init_signal_catch(void)
Definition: sig.c:235
WSO_FORCE_CONSOLE
#define WSO_FORCE_CONSOLE
Definition: win32.h:167
init_options_dev
void init_options_dev(struct options *options)
Definition: init.c:1024
write_pid_file
void write_pid_file(const char *filename, const char *chroot_dir)
Definition: init.c:4556
context::persist
struct context_persist persist
Persistent context.
Definition: openvpn.h:500
prng_uninit
void prng_uninit(void)
Definition: crypto.c:1734
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:367
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1282
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:482
WSO_MODE_CONSOLE
#define WSO_MODE_CONSOLE
Definition: win32.h:152
options::tls_verify
const char * tls_verify
Definition: options.h:552
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1452
context_buffers::decrypt_buf
struct buffer decrypt_buf
Definition: openvpn.h:99
context_2::inactivity_interval
struct event_timeout inactivity_interval
Definition: openvpn.h:287
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition: openvpn.h:488
tls_options::ekm_size
size_t ekm_size
Definition: ssl_common.h:391
open_management
bool open_management(struct context *c)
Definition: init.c:3909
CLEAR
#define CLEAR(x)
Definition: basic.h:33
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:194
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:126
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4398
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:692
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:253
management_callback_status_p2p
static void management_callback_status_p2p(void *arg, const int version, struct status_output *so)
Definition: init.c:3816
context_gc_free
void context_gc_free(struct context *c)
Definition: init.c:715
do_open_status_output
static void do_open_status_output(struct context *c)
Definition: init.c:3615
options::crl_file_inline
bool crl_file_inline
Definition: options.h:557
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2634
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2739
management_callback_send_cc_message
static bool management_callback_send_cc_message(void *arg, const char *command, const char *parameters)
This method sends a custom control channel message.
Definition: init.c:308
FRAME_HEADROOM_MARKER_FRAGMENT
#define FRAME_HEADROOM_MARKER_FRAGMENT
Definition: mtu.h:130
CE_MAN_QUERY_REMOTE_MASK
#define CE_MAN_QUERY_REMOTE_MASK
Definition: