]> git.ipfire.org Git - thirdparty/openvpn.git/blame - src/openvpn/init.c
projects / thirdparty / openvpn.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Implement block-ipv6
[thirdparty/openvpn.git] / src / openvpn / init.c
CommitLineData
6fbf66fa
JY		 1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
49979459 8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
6fbf66fa
JY		 9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
caa54ac3
DS		 19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
6fbf66fa
JY		 22 */
23
c110b289
ABL		 24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#elif defined(_MSC_VER)
27#include "config-msvc.h"
28#endif
29
6fbf66fa
JY		 30#include "syshead.h"
31
c5931897
CH		 32#ifdef ENABLE_SYSTEMD
33#include <systemd/sd-daemon.h>
34#endif
35
6fbf66fa
JY		 36#include "win32.h"
37#include "init.h"
bf97c00f 38#include "run_command.h"
6fbf66fa
JY		 39#include "sig.h"
40#include "occ.h"
41#include "list.h"
42#include "otime.h"
43#include "pool.h"
44#include "gremlin.h"
a54f37d8 45#include "occ.h"
ce98fd24 46#include "pkcs11.h"
6add6b2f 47#include "ps.h"
e12fe286 48#include "lladdr.h"
e7a65dfb 49#include "ping.h"
ffea644c 50#include "mstats.h"
63dc03d0 51#include "ssl_verify.h"
c6e24fa3 52#include "tls_crypt.h"
a54f37d8 53#include "forward.h"
6fbf66fa
JY		 54
55#include "memdbg.h"
56
6fbf66fa 57
0c9eb1d3
JY		 58static struct context *static_context; /* GLOBAL */
59
6fbf66fa
JY		 60/*
61 * Crypto initialization flags
62 */
63#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
64#define CF_INIT_TLS_MULTI (1<<1)
65#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
66
81d882d5 67static void do_init_first_time(struct context *c);
6fbf66fa
JY		 68
69void
81d882d5 70context_clear(struct context *c)
6fbf66fa 71{
81d882d5 72 CLEAR(*c);
6fbf66fa
JY		 73}
74
75void
81d882d5 76context_clear_1(struct context *c)
6fbf66fa 77{
81d882d5 78 CLEAR(c->c1);
6fbf66fa
JY		 79}
80
81void
81d882d5 82context_clear_2(struct context *c)
6fbf66fa 83{
81d882d5 84 CLEAR(c->c2);
6fbf66fa
JY		 85}
86
87void
81d882d5 88context_clear_all_except_first_time(struct context *c)
6fbf66fa 89{
81d882d5
DS		 90 const bool first_time_save = c->first_time;
91 const struct context_persist cpsave = c->persist;
92 context_clear(c);
93 c->first_time = first_time_save;
94 c->persist = cpsave;
6fbf66fa
JY		 95}
96
4a9d1d70
SK		 97/*
98 * Pass tunnel endpoint and MTU parms to a user-supplied script.
99 * Used to execute the up/down script/plugins.
100 */
101static void
102run_up_down(const char *command,
103 const struct plugin_list *plugins,
104 int plugin_type,
105 const char *arg,
106#ifdef _WIN32
107 DWORD adapter_index,
108#endif
109 const char *dev_type,
110 int tun_mtu,
111 int link_mtu,
112 const char *ifconfig_local,
113 const char *ifconfig_remote,
114 const char *context,
115 const char *signal_text,
116 const char *script_type,
117 struct env_set *es)
118{
119 struct gc_arena gc = gc_new();
120
121 if (signal_text)
122 {
123 setenv_str(es, "signal", signal_text);
124 }
125 setenv_str(es, "script_context", context);
126 setenv_int(es, "tun_mtu", tun_mtu);
127 setenv_int(es, "link_mtu", link_mtu);
128 setenv_str(es, "dev", arg);
129 if (dev_type)
130 {
131 setenv_str(es, "dev_type", dev_type);
132 }
133#ifdef _WIN32
134 setenv_int(es, "dev_idx", adapter_index);
135#endif
136
137 if (!ifconfig_local)
138 {
139 ifconfig_local = "";
140 }
141 if (!ifconfig_remote)
142 {
143 ifconfig_remote = "";
144 }
145 if (!context)
146 {
147 context = "";
148 }
149
150 if (plugin_defined(plugins, plugin_type))
151 {
152 struct argv argv = argv_new();
153 ASSERT(arg);
154 argv_printf(&argv,
155 "%s %d %d %s %s %s",
156 arg,
157 tun_mtu, link_mtu,
158 ifconfig_local, ifconfig_remote,
159 context);
160
161 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
162 {
163 msg(M_FATAL, "ERROR: up/down plugin call failed");
164 }
165
166 argv_reset(&argv);
167 }
168
169 if (command)
170 {
171 struct argv argv = argv_new();
172 ASSERT(arg);
173 setenv_str(es, "script_type", script_type);
174 argv_parse_cmd(&argv, command);
175 argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
176 ifconfig_local, ifconfig_remote, context);
177 argv_msg(M_INFO, &argv);
178 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
179 argv_reset(&argv);
180 }
181
182 gc_free(&gc);
183}
184
6fbf66fa 185/*
4e9a51d7
JY		 186 * Should be called after options->ce is modified at the top
187 * of a SIGUSR1 restart.
6fbf66fa
JY		 188 */
189static void
81d882d5 190update_options_ce_post(struct options *options)
6fbf66fa 191{
4e9a51d7 192#if P2MP
81d882d5
DS		 193 /*
194 * In pull mode, we usually import --ping/--ping-restart parameters from
195 * the server. However we should also set an initial default --ping-restart
196 * for the period of time before we pull the --ping-restart parameter
197 * from the server.
198 */
199 if (options->pull
200 && options->ping_rec_timeout_action == PING_UNDEF
201 && proto_is_dgram(options->ce.proto))
4e9a51d7 202 {
81d882d5
DS		 203 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204 options->ping_rec_timeout_action = PING_RESTART;
4e9a51d7
JY		 205 }
206#endif
4e9a51d7 207}
6fbf66fa 208
af1bf85a 209#ifdef ENABLE_MANAGEMENT
3cf6c932 210static bool
81d882d5 211management_callback_proxy_cmd(void *arg, const char **p)
3cf6c932 212{
81d882d5
DS		 213 struct context *c = arg;
214 struct connection_entry *ce = &c->options.ce;
215 struct gc_arena *gc = &c->c2.gc;
216 bool ret = false;
3cf6c932 217
81d882d5
DS		 218 update_time();
219 if (streq(p[1], "NONE"))
220 {
221 ret = true;
222 }
223 else if (p[2] && p[3])
af1bf85a 224 {
81d882d5 225 if (streq(p[1], "HTTP"))
af1bf85a 226 {
81d882d5
DS		 227 struct http_proxy_options *ho;
228 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
e719a053 229 {
81d882d5
DS		 230 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
231 return false;
af1bf85a 232 }
81d882d5
DS		 233 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
234 ho->server = string_alloc(p[2], gc);
235 ho->port = string_alloc(p[3], gc);
236 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
237 ret = true;
af1bf85a 238 }
81d882d5 239 else if (streq(p[1], "SOCKS"))
af1bf85a 240 {
81d882d5 241 ce->socks_proxy_server = string_alloc(p[2], gc);
aa9d3a5b 242 ce->socks_proxy_port = string_alloc(p[3], gc);
81d882d5 243 ret = true;
af1bf85a 244 }
3cf6c932 245 }
81d882d5
DS		 246 else
247 {
248 msg(M_WARN, "Bad proxy command");
249 }
3cf6c932 250
81d882d5 251 ce->flags &= ~CE_MAN_QUERY_PROXY;
3cf6c932 252
81d882d5 253 return ret;
3cf6c932
JY		 254}
255
256static bool
81d882d5
DS		 257ce_management_query_proxy(struct context *c)
258{
259 const struct connection_list *l = c->options.connection_list;
260 struct connection_entry *ce = &c->options.ce;
261 struct gc_arena gc;
262 bool ret = true;
263
264 update_time();
265 if (management)
266 {
267 gc = gc_new();
268 {
269 struct buffer out = alloc_buf_gc(256, &gc);
270 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
271 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
272 management_notify_generic(management, BSTR(&out));
273 }
274 ce->flags |= CE_MAN_QUERY_PROXY;
275 while (ce->flags & CE_MAN_QUERY_PROXY)
276 {
277 management_event_loop_n_seconds(management, 1);
278 if (IS_SIG(c))
af1bf85a 279 {
81d882d5
DS		 280 ret = false;
281 break;
af1bf85a
HH		 282 }
283 }
81d882d5 284 gc_free(&gc);
3cf6c932 285 }
af1bf85a 286
81d882d5 287 return ret;
3cf6c932
JY		 288}
289
3cf6c932 290
54561af6 291static bool
81d882d5
DS		 292management_callback_remote_cmd(void *arg, const char **p)
293{
294 struct context *c = (struct context *) arg;
295 struct connection_entry *ce = &c->options.ce;
296 int ret = false;
297 if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
298 {
299 int flags = 0;
300 if (!strcmp(p[1], "ACCEPT"))
301 {
302 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
303 ret = true;
304 }
305 else if (!strcmp(p[1], "SKIP"))
306 {
307 flags = CE_MAN_QUERY_REMOTE_SKIP;
308 ret = true;
309 }
310 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
311 {
312 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
313 {
314 struct remote_host_store *rhs = c->options.rh_store;
315 if (!rhs)
316 {
317 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
318 c->options.rh_store = rhs;
319 }
320 strncpynt(rhs->host, p[2], RH_HOST_LEN);
321 strncpynt(rhs->port, p[3], RH_PORT_LEN);
322
323 ce->remote = rhs->host;
324 ce->remote_port = rhs->port;
325 flags = CE_MAN_QUERY_REMOTE_MOD;
326 ret = true;
327 }
328 }
329 if (ret)
330 {
331 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
332 ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
333 }
334 }
335 return ret;
54561af6
JY		 336}
337
338static bool
81d882d5
DS		 339ce_management_query_remote(struct context *c)
340{
341 struct gc_arena gc = gc_new();
342 volatile struct connection_entry *ce = &c->options.ce;
e81f313a
DS		 343 int ce_changed = true; /* presume the connection entry will be changed */
344
81d882d5
DS		 345 update_time();
346 if (management)
347 {
348 struct buffer out = alloc_buf_gc(256, &gc);
e81f313a
DS		 349
350 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
351 proto2ascii(ce->proto, ce->af, false));
81d882d5 352 management_notify_generic(management, BSTR(&out));
e81f313a
DS		 353
354 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
355 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
356 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
357 & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
81d882d5
DS		 358 {
359 management_event_loop_n_seconds(management, 1);
360 if (IS_SIG(c))
361 {
e81f313a 362 ce_changed = false; /* connection entry have not been set */
81d882d5
DS		 363 break;
364 }
365 }
366 }
e81f313a
DS		 367 gc_free(&gc);
368
369 if (ce_changed)
81d882d5 370 {
e81f313a
DS		 371 /* If it is likely a connection entry was modified,
372 * check what changed in the flags and that it was not skipped
373 */
374 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
375 & CE_MAN_QUERY_REMOTE_MASK);
376 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
81d882d5 377 }
e81f313a 378 return ce_changed;
54561af6 379}
cf93f0e0 380#endif /* ENABLE_MANAGEMENT */
54561af6 381
4e9a51d7
JY		 382/*
383 * Initialize and possibly randomize connection list.
384 */
385static void
81d882d5 386init_connection_list(struct context *c)
4e9a51d7 387{
81d882d5 388 struct connection_list *l = c->options.connection_list;
23d61c56 389
81d882d5
DS		 390 l->current = -1;
391 if (c->options.remote_random)
6fbf66fa 392 {
81d882d5
DS		 393 int i;
394 for (i = 0; i < l->len; ++i)
23d61c56 395 {
81d882d5
DS		 396 const int j = get_random() % l->len;
397 if (i != j)
23d61c56 398 {
81d882d5
DS		 399 struct connection_entry *tmp;
400 tmp = l->array[i];
401 l->array[i] = l->array[j];
402 l->array[j] = tmp;
23d61c56
AS		 403 }
404 }
6fbf66fa 405 }
4e9a51d7
JY		 406}
407
23d61c56
AS		 408/*
409 * Clear the remote address list
410 */
81d882d5
DS		 411static void
412clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
23d61c56 413{
e719a053 414 if (lsa->remote_list && free)
81d882d5
DS		 415 {
416 freeaddrinfo(lsa->remote_list);
417 }
23d61c56
AS		 418 lsa->remote_list = NULL;
419 lsa->current_remote = NULL;
420}
421
4e9a51d7
JY		 422/*
423 * Increment to next connection entry
424 */
425static void
81d882d5
DS		 426next_connection_entry(struct context *c)
427{
428 struct connection_list *l = c->options.connection_list;
429 bool ce_defined;
430 struct connection_entry *ce;
431 int n_cycles = 0;
432
4cd4899e
SK		 433 do
434 {
81d882d5
DS		 435 ce_defined = true;
436 if (c->options.no_advance && l->current >= 0)
437 {
438 c->options.no_advance = false;
439 }
23d61c56 440 else
81d882d5
DS		 441 {
442 /* Check if there is another resolved address to try for
443 * the current connection */
444 if (c->c1.link_socket_addr.current_remote
445 && c->c1.link_socket_addr.current_remote->ai_next)
446 {
23d61c56 447 c->c1.link_socket_addr.current_remote =
81d882d5
DS		 448 c->c1.link_socket_addr.current_remote->ai_next;
449 }
450 else
451 {
452 /* FIXME (schwabe) fix the persist-remote-ip option for real,
453 * this is broken probably ever since connection lists and multiple
454 * remote existed
455 */
456 if (!c->options.persist_remote_ip)
457 {
458 /* close_instance should have cleared the addrinfo objects */
459 ASSERT(c->c1.link_socket_addr.current_remote == NULL);
460 ASSERT(c->c1.link_socket_addr.remote_list == NULL);
461 }
462 else
463 {
464 c->c1.link_socket_addr.current_remote =
465 c->c1.link_socket_addr.remote_list;
466 }
467
468 /*
469 * Increase the number of connection attempts
470 * If this is connect-retry-max * size(l)
471 * OpenVPN will quit
472 */
473
474 c->options.unsuccessful_attempts++;
475
476 if (++l->current >= l->len)
477 {
478
479 l->current = 0;
480 if (++n_cycles >= 2)
481 {
482 msg(M_FATAL, "No usable connection profiles are present");
483 }
484 }
485 }
486 }
3cf6c932 487
81d882d5 488 ce = l->array[l->current];
3cf6c932 489
81d882d5
DS		 490 if (ce->flags & CE_DISABLED)
491 {
492 ce_defined = false;
493 }
3cf6c932 494
81d882d5 495 c->options.ce = *ce;
cf93f0e0 496#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 497 if (ce_defined && management && management_query_remote_enabled(management))
498 {
499 /* allow management interface to override connection entry details */
500 ce_defined = ce_management_query_remote(c);
501 if (IS_SIG(c))
502 {
503 break;
504 }
505 }
7b02cc2a 506 else if (ce_defined && management && management_query_proxy_enabled(management))
23d61c56 507 {
81d882d5
DS		 508 ce_defined = ce_management_query_proxy(c);
509 if (IS_SIG(c))
510 {
511 break;
512 }
23d61c56 513 }
3cf6c932 514#endif
81d882d5 515 } while (!ce_defined);
23d61c56 516
81d882d5
DS		 517 /* Check if this connection attempt would bring us over the limit */
518 if (c->options.connect_retry_max > 0
519 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
520 {
521 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
522 c->options.connect_retry_max);
523 }
524 update_options_ce_post(&c->options);
6fbf66fa
JY		 525}
526
92bbb061
JY		 527/*
528 * Query for private key and auth-user-pass username/passwords
529 */
315f6fbc 530void
81d882d5 531init_query_passwords(const struct context *c)
92bbb061 532{
81d882d5
DS		 533 /* Certificate password input */
534 if (c->options.key_pass_file)
535 {
536 pem_password_setup(c->options.key_pass_file);
537 }
81d882d5 538
92bbb061 539#if P2MP
81d882d5
DS		 540 /* Auth user/pass input */
541 if (c->options.auth_user_pass_file)
eab3e22f 542 {
66b9409b 543#ifdef ENABLE_MANAGEMENT
81d882d5 544 auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
eab3e22f 545#else
81d882d5 546 auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
eab3e22f
JY		 547#endif
548 }
92bbb061
JY		 549#endif
550}
551
4e9a51d7
JY		 552/*
553 * Initialize/Uninitialize HTTP or SOCKS proxy
554 */
555
4e9a51d7 556static void
81d882d5 557uninit_proxy_dowork(struct context *c)
4e9a51d7 558{
81d882d5 559 if (c->c1.http_proxy_owned && c->c1.http_proxy)
4e9a51d7 560 {
81d882d5
DS		 561 http_proxy_close(c->c1.http_proxy);
562 c->c1.http_proxy = NULL;
563 c->c1.http_proxy_owned = false;
4e9a51d7 564 }
81d882d5 565 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
4e9a51d7 566 {
81d882d5
DS		 567 socks_proxy_close(c->c1.socks_proxy);
568 c->c1.socks_proxy = NULL;
569 c->c1.socks_proxy_owned = false;
4e9a51d7 570 }
4e9a51d7
JY		 571}
572
573static void
81d882d5 574init_proxy_dowork(struct context *c)
6fbf66fa 575{
81d882d5 576 bool did_http = false;
f214bb21 577
81d882d5 578 uninit_proxy_dowork(c);
4e9a51d7 579
81d882d5 580 if (c->options.ce.http_proxy_options)
4e9a51d7 581 {
81d882d5
DS		 582 /* Possible HTTP proxy user/pass input */
583 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
584 if (c->c1.http_proxy)
585 {
586 did_http = true;
587 c->c1.http_proxy_owned = true;
588 }
4e9a51d7 589 }
4e9a51d7 590
a4b8f653 591 if (!did_http && c->options.ce.socks_proxy_server)
4e9a51d7 592 {
81d882d5
DS		 593 c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
594 c->options.ce.socks_proxy_port,
595 c->options.ce.socks_proxy_authfile);
596 if (c->c1.socks_proxy)
597 {
598 c->c1.socks_proxy_owned = true;
599 }
4e9a51d7 600 }
4e9a51d7
JY		 601}
602
603static void
81d882d5 604init_proxy(struct context *c)
4e9a51d7 605{
81d882d5 606 init_proxy_dowork(c);
4e9a51d7
JY		 607}
608
609static void
81d882d5 610uninit_proxy(struct context *c)
4e9a51d7 611{
81d882d5 612 uninit_proxy_dowork(c);
4e9a51d7
JY		 613}
614
5fa25eeb 615/*
39326238
LS		 616 * Saves the initial state of NCP-regotiable
617 * options into a storage which persists over SIGUSR1.
5fa25eeb
LS		 618 */
619static void
39326238 620save_ncp_options(struct context *c)
5fa25eeb
LS		 621{
622 c->c1.ciphername = c->options.ciphername;
623 c->c1.authname = c->options.authname;
624 c->c1.keysize = c->options.keysize;
625}
626
39326238 627/* Restores NCP-negotiable options to original values */
5fa25eeb 628static void
39326238 629restore_ncp_options(struct context *c)
5fa25eeb
LS		 630{
631 c->options.ciphername = c->c1.ciphername;
632 c->options.authname = c->c1.authname;
633 c->options.keysize = c->c1.keysize;
634}
635
4e9a51d7 636void
81d882d5 637context_init_1(struct context *c)
4e9a51d7 638{
81d882d5 639 context_clear_1(c);
6fbf66fa 640
81d882d5 641 packet_id_persist_init(&c->c1.pid_persist);
4e9a51d7 642
81d882d5 643 init_connection_list(c);
6fbf66fa 644
39326238 645 save_ncp_options(c);
5fa25eeb 646
ce98fd24 647#if defined(ENABLE_PKCS11)
81d882d5
DS		 648 if (c->first_time)
649 {
650 int i;
651 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
652 for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
4cd4899e 653 {
81d882d5
DS		 654 pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
655 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
4cd4899e 656 }
81d882d5 657 }
ce98fd24 658#endif
984cf003 659
c67d59cd 660#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
81d882d5
DS		 661 {
662 /*
663 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
664 */
665 struct user_pass up;
666 CLEAR(up);
667 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
668 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
669 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
670 * 'needok' command, usually 'ok' or 'cancel'. */
671 }
dd1047f5
JY		 672#endif
673
e83a8684
DS		 674#ifdef ENABLE_SYSTEMD
675 /* We can report the PID via getpid() to systemd here as OpenVPN will not
676 * do any fork due to daemon() a future call.
677 * See possibly_become_daemon() [init.c] for more details.
678 */
b13bc6c9 679 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
e83a8684
DS		 680 (unsigned long) getpid());
681#endif
682
6fbf66fa
JY		 683}
684
685void
81d882d5 686context_gc_free(struct context *c)
6fbf66fa 687{
81d882d5
DS		 688 gc_free(&c->c2.gc);
689 gc_free(&c->options.gc);
690 gc_free(&c->gc);
6fbf66fa
JY		 691}
692
6add6b2f
JY		 693#if PORT_SHARE
694
695static void
81d882d5 696close_port_share(void)
6add6b2f 697{
81d882d5 698 if (port_share)
6add6b2f 699 {
81d882d5
DS		 700 port_share_close(port_share);
701 port_share = NULL;
6add6b2f
JY		 702 }
703}
704
705static void
81d882d5 706init_port_share(struct context *c)
6add6b2f 707{
81d882d5 708 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
6add6b2f 709 {
81d882d5
DS		 710 port_share = port_share_open(c->options.port_share_host,
711 c->options.port_share_port,
712 MAX_RW_SIZE_LINK(&c->c2.frame),
713 c->options.port_share_journal_dir);
714 if (port_share == NULL)
715 {
716 msg(M_FATAL, "Fatal error: Port sharing failed");
717 }
6add6b2f
JY		 718 }
719}
720
81d882d5 721#endif /* if PORT_SHARE */
6add6b2f 722
e74e3a4d 723
6fbf66fa 724bool
81d882d5 725init_static(void)
6fbf66fa 726{
81d882d5 727 /* configure_path (); */
c67d59cd 728
c7ca9133 729#if defined(DMALLOC)
81d882d5 730 crypto_init_dmalloc();
6fbf66fa
JY		 731#endif
732
e74e3a4d
DS		 733
734 /*
735 * Initialize random number seed. random() is only used
736 * when "weak" random numbers are acceptable.
737 * SSL library routines are always used when cryptographically
738 * strong random numbers are required.
739 */
740 struct timeval tv;
741 if (!gettimeofday(&tv, NULL))
742 {
743 const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
744 srandom(seed);
745 }
746
81d882d5
DS		 747 error_reset(); /* initialize error.c */
748 reset_check_status(); /* initialize status check code in socket.c */
6fbf66fa 749
445b192a 750#ifdef _WIN32
81d882d5 751 init_win32();
6fbf66fa
JY		 752#endif
753
754#ifdef OPENVPN_DEBUG_COMMAND_LINE
81d882d5
DS		 755 {
756 int i;
757 for (i = 0; i < argc; ++i)
4cd4899e 758 {
81d882d5 759 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
4cd4899e 760 }
81d882d5 761 }
6fbf66fa
JY		 762#endif
763
81d882d5 764 update_time();
6fbf66fa 765
81d882d5 766 init_ssl_lib();
6fbf66fa 767
81d882d5
DS		 768 /* init PRNG used for IV generation */
769 /* When forking, copy this to more places in the code to avoid fork
770 * random-state predictability */
771 prng_init(NULL, 0);
6fbf66fa
JY		 772
773#ifdef PID_TEST
81d882d5
DS		 774 packet_id_interactive_test(); /* test the sequence number code */
775 return false;
6fbf66fa
JY		 776#endif
777
778#ifdef SCHEDULE_TEST
81d882d5
DS		 779 schedule_test();
780 return false;
6fbf66fa
JY		 781#endif
782
783#ifdef LIST_TEST
81d882d5
DS		 784 list_test();
785 return false;
6fbf66fa
JY		 786#endif
787
788#ifdef IFCONFIG_POOL_TEST
81d882d5
DS		 789 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
790 return false;
6fbf66fa
JY		 791#endif
792
793#ifdef CHARACTER_CLASS_DEBUG
81d882d5
DS		 794 character_class_debug();
795 return false;
6fbf66fa
JY		 796#endif
797
798#ifdef EXTRACT_X509_FIELD_TEST
81d882d5
DS		 799 extract_x509_field_test();
800 return false;
6fbf66fa
JY		 801#endif
802
428b8279 803#ifdef TIME_TEST
81d882d5
DS		 804 time_test();
805 return false;
428b8279
JY		 806#endif
807
6a8ea970 808#ifdef TEST_GET_DEFAULT_GATEWAY
81d882d5
DS		 809 {
810 struct route_gateway_info rgi;
811 struct route_ipv6_gateway_info rgi6;
812 get_default_gateway(&rgi);
813 get_default_gateway_ipv6(&rgi6, NULL);
814 print_default_gateway(M_INFO, &rgi, &rgi6);
815 return false;
816 }
6a8ea970
JY		 817#endif
818
6cd276ba 819#ifdef GEN_PATH_TEST
81d882d5
DS		 820 {
821 struct gc_arena gc = gc_new();
822 const char *fn = gen_path("foo",
823 "bar",
824 &gc);
825 printf("%s\n", fn);
826 gc_free(&gc);
827 }
828 return false;
6cd276ba 829#endif
ddad0a8c 830
6cd276ba 831#ifdef STATUS_PRINTF_TEST
81d882d5
DS		 832 {
833 struct gc_arena gc = gc_new();
b7bea782 834 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
81d882d5
DS		 835 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
836 status_printf(so, "%s", "foo");
837 status_printf(so, "%s", "bar");
838 if (!status_close(so))
839 {
840 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
841 }
842 gc_free(&gc);
843 }
844 return false;
ddad0a8c
JY		 845#endif
846
26bb4c74 847#ifdef ARGV_TEST
81d882d5
DS		 848 {
849 void argv_test(void);
850
851 argv_test();
852 return false;
853 }
26bb4c74
JY		 854#endif
855
03bfb228 856#ifdef PRNG_TEST
81d882d5
DS		 857 {
858 struct gc_arena gc = gc_new();
859 uint8_t rndbuf[8];
860 int i;
861 prng_init("sha1", 16);
862 /*prng_init (NULL, 0);*/
863 const int factor = 1;
864 for (i = 0; i < factor * 8; ++i)
865 {
03bfb228 866#if 1
81d882d5 867 prng_bytes(rndbuf, sizeof(rndbuf));
03bfb228 868#else
81d882d5 869 ASSERT(rand_bytes(rndbuf, sizeof(rndbuf)));
03bfb228 870#endif
81d882d5
DS		 871 printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc));
872 }
873 gc_free(&gc);
874 prng_uninit();
875 return false;
876 }
877#endif /* ifdef PRNG_TEST */
03bfb228 878
7e1c085d 879#ifdef BUFFER_LIST_AGGREGATE_TEST
81d882d5
DS		 880 /* test buffer_list_aggregate function */
881 {
882 static const char *text[] = {
883 "It was a bright cold day in April, ",
884 "and the clocks were striking ",
885 "thirteen. ",
886 "Winston Smith, ",
887 "his chin nuzzled into his breast in an ",
888 "effort to escape the vile wind, ",
889 "slipped quickly through the glass doors ",
890 "of Victory Mansions, though not quickly ",
891 "enough to prevent a swirl of gritty dust from ",
892 "entering along with him."
893 };
894
895 int iter, listcap;
896 for (listcap = 0; listcap < 12; ++listcap)
897 {
898 for (iter = 0; iter < 512; ++iter)
899 {
900 struct buffer_list *bl = buffer_list_new(listcap);
901 {
902 int i;
903 for (i = 0; i < SIZE(text); ++i)
4cd4899e 904 {
81d882d5 905 buffer_list_push(bl, (unsigned char *)text[i]);
4cd4899e 906 }
81d882d5
DS		 907 }
908 printf("[cap=%d i=%d] *************************\n", listcap, iter);
909 if (!(iter & 8))
910 {
911 buffer_list_aggregate(bl, iter/2);
912 }
913 if (!(iter & 16))
914 {
915 buffer_list_push(bl, (unsigned char *)"Even more text...");
916 }
917 buffer_list_aggregate(bl, iter);
918 if (!(iter & 1))
919 {
920 buffer_list_push(bl, (unsigned char *)"More text...");
921 }
922 {
923 struct buffer *buf;
924 while ((buf = buffer_list_peek(bl)))
925 {
926 int c;
927 printf("'");
928 while ((c = buf_read_u8(buf)) >= 0)
4cd4899e 929 {
81d882d5 930 putchar(c);
4cd4899e 931 }
81d882d5
DS		 932 printf("'\n");
933 buffer_list_advance(bl, 0);
934 }
935 }
936 buffer_list_free(bl);
937 }
938 }
939 return false;
940 }
941#endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */
7e1c085d 942
ffea644c 943#ifdef MSTATS_TEST
81d882d5
DS		 944 {
945 int i;
946 mstats_open("/dev/shm/mstats.dat");
947 for (i = 0; i < 30; ++i)
948 {
949 mmap_stats->n_clients += 1;
950 mmap_stats->link_write_bytes += 8;
951 mmap_stats->link_read_bytes += 16;
952 sleep(1);
953 }
954 mstats_close();
955 return false;
956 }
ffea644c
JY		 957#endif
958
81d882d5 959 return true;
6fbf66fa
JY		 960}
961
962void
81d882d5 963uninit_static(void)
6fbf66fa 964{
81d882d5 965 free_ssl_lib();
ce98fd24 966
ce98fd24 967#ifdef ENABLE_PKCS11
81d882d5 968 pkcs11_terminate();
ce98fd24 969#endif
6fbf66fa 970
6add6b2f 971#if PORT_SHARE
81d882d5 972 close_port_share();
6add6b2f
JY		 973#endif
974
c7ca9133 975#if defined(MEASURE_TLS_HANDSHAKE_STATS)
81d882d5 976 show_tls_performance_stats();
6fbf66fa
JY		 977#endif
978}
979
980void
81d882d5 981init_verb_mute(struct context *c, unsigned int flags)
6fbf66fa 982{
81d882d5 983 if (flags & IVM_LEVEL_1)
6fbf66fa 984 {
81d882d5
DS		 985 /* set verbosity and mute levels */
986 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
987 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
988 set_mute_cutoff(c->options.mute);
6fbf66fa
JY		 989 }
990
81d882d5
DS		 991 /* special D_LOG_RW mode */
992 if (flags & IVM_LEVEL_2)
993 {
994 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
995 }
6fbf66fa
JY		 996}
997
998/*
999 * Possibly set --dev based on --dev-node.
1000 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
1001 * set --dev to tun.
1002 */
1003void
81d882d5 1004init_options_dev(struct options *options)
6fbf66fa 1005{
81d882d5
DS		 1006 if (!options->dev && options->dev_node)
1007 {
1008 char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */
1009 options->dev = basename(dev_node);
1010 }
6fbf66fa
JY		 1011}
1012
1013bool
81d882d5 1014print_openssl_info(const struct options *options)
6fbf66fa 1015{
81d882d5
DS		 1016 /*
1017 * OpenSSL info print mode?
1018 */
81d882d5
DS		 1019 if (options->show_ciphers || options->show_digests || options->show_engines
1020 || options->show_tls_ciphers || options->show_curves)
6fbf66fa 1021 {
81d882d5
DS		 1022 if (options->show_ciphers)
1023 {
1024 show_available_ciphers();
1025 }
1026 if (options->show_digests)
1027 {
1028 show_available_digests();
1029 }
1030 if (options->show_engines)
1031 {
1032 show_available_engines();
1033 }
1034 if (options->show_tls_ciphers)
1035 {
aba75874 1036 show_available_tls_ciphers(options->cipher_list,
7aeabadd 1037 options->cipher_list_tls13,
aba75874 1038 options->tls_cert_profile);
81d882d5
DS		 1039 }
1040 if (options->show_curves)
1041 {
1042 show_available_curves();
1043 }
1044 return true;
6fbf66fa 1045 }
81d882d5 1046 return false;
6fbf66fa
JY		 1047}
1048
1049/*
1050 * Static pre-shared key generation mode?
1051 */
1052bool
81d882d5 1053do_genkey(const struct options *options)
6fbf66fa 1054{
9d59029a
SK		 1055 /* should we disable paging? */
1056 if (options->mlock && (options->genkey || options->tls_crypt_v2_genkey_file))
1057 {
1058 platform_mlockall(true);
1059 }
81d882d5 1060 if (options->genkey)
6fbf66fa 1061 {
81d882d5 1062 int nbits_written;
6fbf66fa 1063
81d882d5
DS		 1064 notnull(options->shared_secret_file,
1065 "shared secret output file (--secret)");
6fbf66fa 1066
81d882d5 1067 nbits_written = write_key_file(2, options->shared_secret_file);
a8fa1679
SK		 1068 if (nbits_written < 0)
1069 {
1070 msg(M_FATAL, "Failed to write key file");
1071 }
6fbf66fa 1072
81d882d5
DS		 1073 msg(D_GENKEY | M_NOPREFIX,
1074 "Randomly generated %d bit key written to %s", nbits_written,
1075 options->shared_secret_file);
1076 return true;
6fbf66fa 1077 }
9d59029a
SK		 1078 if (options->tls_crypt_v2_genkey_type)
1079 {
1080 if(!strcmp(options->tls_crypt_v2_genkey_type, "server"))
1081 {
1082 tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file);
1083 return true;
1084 }
1085 if (options->tls_crypt_v2_genkey_type
1086 && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
1087 {
1088 if (!options->tls_crypt_v2_file)
1089 {
658a8ee4 1090 msg(M_USAGE, "--tls-crypt-v2-genkey requires a server key to be set via --tls-crypt-v2 to create a client key");
9d59029a
SK		 1091 }
1092
1093 tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file,
1094 options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
1095 options->tls_crypt_v2_inline);
1096 return true;
1097 }
1098
1099 msg(M_USAGE, "--tls-crypt-v2-genkey type should be \"client\" or \"server\"");
1100 }
81d882d5 1101 return false;
6fbf66fa
JY		 1102}
1103
1104/*
1105 * Persistent TUN/TAP device management mode?
1106 */
1107bool
81d882d5 1108do_persist_tuntap(const struct options *options)
6fbf66fa 1109{
81d882d5 1110 if (options->persist_config)
6fbf66fa 1111 {
81d882d5
DS		 1112 /* sanity check on options for --mktun or --rmtun */
1113 notnull(options->dev, "TUN/TAP device (--dev)");
1114 if (options->ce.remote || options->ifconfig_local
1115 || options->ifconfig_remote_netmask
81d882d5
DS		 1116 || options->shared_secret_file
1117 || options->tls_server || options->tls_client
81d882d5
DS		 1118 )
1119 {
1120 msg(M_FATAL|M_OPTERR,
1121 "options --mktun or --rmtun should only be used together with --dev");
1122 }
4ad2b65d 1123#ifdef ENABLE_FEATURE_TUN_PERSIST
81d882d5
DS		 1124 tuncfg(options->dev, options->dev_type, options->dev_node,
1125 options->persist_mode,
1126 options->username, options->groupname, &options->tuntap_options);
1127 if (options->persist_mode && options->lladdr)
1128 {
1129 set_lladdr(options->dev, options->lladdr, NULL);
1130 }
1131 return true;
1132#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
1133 msg( M_FATAL|M_OPTERR,
1134 "options --mktun and --rmtun are not available on your operating "
1135 "system. Please check 'man tun' (or 'tap'), whether your system "
1136 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1137 "persistant tunnel interfaces.", options->dev );
6fbf66fa 1138#endif
4ad2b65d 1139 }
81d882d5 1140 return false;
6fbf66fa
JY		 1141}
1142
1143/*
1144 * Should we become a daemon?
1145 * Return true if we did it.
1146 */
da9b2927 1147bool
81d882d5 1148possibly_become_daemon(const struct options *options)
6fbf66fa 1149{
81d882d5 1150 bool ret = false;
7660bba1
CH		 1151
1152#ifdef ENABLE_SYSTEMD
81d882d5
DS		 1153 /* return without forking if we are running from systemd */
1154 if (sd_notify(0, "READY=0") > 0)
1155 {
1156 return ret;
1157 }
7660bba1
CH		 1158#endif
1159
81d882d5 1160 if (options->daemon)
6fbf66fa 1161 {
81d882d5
DS		 1162 ASSERT(!options->inetd);
1163 /* Don't chdir immediately, but the end of the init sequence, if needed */
1164 if (daemon(1, options->log) < 0)
1165 {
1166 msg(M_ERR, "daemon() failed or unsupported");
1167 }
1168 restore_signal_state();
1169 if (options->log)
1170 {
1171 set_std_files_to_null(true);
1172 }
6835555e 1173
81d882d5 1174 ret = true;
6fbf66fa 1175 }
81d882d5 1176 return ret;
6fbf66fa
JY		 1177}
1178
1179/*
99385447 1180 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
6fbf66fa
JY		 1181 */
1182static void
81d882d5 1183do_uid_gid_chroot(struct context *c, bool no_delay)
6fbf66fa 1184{
81d882d5
DS		 1185 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1186 struct context_0 *c0 = c->c0;
6fbf66fa 1187
81d882d5 1188 if (c0 && !c0->uid_gid_chroot_set)
6fbf66fa 1189 {
81d882d5
DS		 1190 /* chroot if requested */
1191 if (c->options.chroot_dir)
1192 {
1193 if (no_delay)
65140a3a 1194 {
81d882d5
DS		 1195 platform_chroot(c->options.chroot_dir);
1196 }
1197 else if (c->first_time)
1198 {
1199 msg(M_INFO, "NOTE: chroot %s", why_not);
1200 }
1201 }
1202
1203 /* set user and/or group if we want to setuid/setgid */
1204 if (c0->uid_gid_specified)
1205 {
1206 if (no_delay)
1207 {
1208 platform_group_set(&c0->platform_state_group);
1209 platform_user_set(&c0->platform_state_user);
1210 }
1211 else if (c->first_time)
1212 {
1213 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
65140a3a 1214 }
81d882d5 1215 }
99385447 1216
ffea644c 1217#ifdef ENABLE_MEMSTATS
81d882d5
DS		 1218 if (c->first_time && c->options.memstats_fn)
1219 {
1220 mstats_open(c->options.memstats_fn);
1221 }
ffea644c
JY		 1222#endif
1223
cd5990e0 1224#ifdef ENABLE_SELINUX
81d882d5
DS		 1225 /* Apply a SELinux context in order to restrict what OpenVPN can do
1226 * to _only_ what it is supposed to do after initialization is complete
1227 * (basically just network I/O operations). Doing it after chroot
1228 * requires /proc to be mounted in the chroot (which is annoying indeed
1229 * but doing it before requires more complex SELinux policies.
1230 */
1231 if (c->options.selinux_context)
1232 {
1233 if (no_delay)
1234 {
1235 if (-1 == setcon(c->options.selinux_context))
1236 {
1237 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1238 }
1239 else
1240 {
1241 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1242 }
1243 }
1244 else if (c->first_time)
1245 {
1246 msg(M_INFO, "NOTE: setcon %s", why_not);
1247 }
1248 }
1249#endif
1250
1251 /* Privileges are going to be dropped by now (if requested), be sure
1252 * to prevent any future privilege dropping attempts from now on.
1253 */
1254 if (no_delay)
1255 {
1256 c0->uid_gid_chroot_set = true;
1257 }
6fbf66fa
JY		 1258 }
1259}
1260
1261/*
1262 * Return common name in a way that is formatted for
1263 * prepending to msg() output.
1264 */
1265const char *
81d882d5 1266format_common_name(struct context *c, struct gc_arena *gc)
6fbf66fa 1267{
81d882d5 1268 struct buffer out = alloc_buf_gc(256, gc);
81d882d5 1269 if (c->c2.tls_multi)
6fbf66fa 1270 {
81d882d5 1271 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
6fbf66fa 1272 }
81d882d5 1273 return BSTR(&out);
6fbf66fa
JY		 1274}
1275
1276void
81d882d5 1277pre_setup(const struct options *options)
6fbf66fa 1278{
445b192a 1279#ifdef _WIN32
81d882d5 1280 if (options->exit_event_name)
6fbf66fa 1281 {
81d882d5
DS		 1282 win32_signal_open(&win32_signal,
1283 WSO_FORCE_SERVICE,
1284 options->exit_event_name,
1285 options->exit_event_initial_state);
6fbf66fa 1286 }
81d882d5 1287 else
6fbf66fa 1288 {
81d882d5
DS		 1289 win32_signal_open(&win32_signal,
1290 WSO_FORCE_CONSOLE,
1291 NULL,
1292 false);
6fbf66fa 1293
81d882d5
DS		 1294 /* put a title on the top window bar */
1295 if (win32_signal.mode == WSO_MODE_CONSOLE)
1296 {
1297 window_title_save(&window_title);
1298 window_title_generate(options->config);
1299 }
6fbf66fa 1300 }
81d882d5 1301#endif /* ifdef _WIN32 */
6fbf66fa
JY		 1302}
1303
1304void
81d882d5 1305reset_coarse_timers(struct context *c)
6fbf66fa 1306{
81d882d5 1307 c->c2.coarse_timer_wakeup = 0;
6fbf66fa
JY		 1308}
1309
f2134b7b
AS		 1310/*
1311 * Initialise the server poll timeout timer
1312 * This timer is used in the http/socks proxy setup so it needs to be setup
1313 * before
1314 */
1315static void
81d882d5 1316do_init_server_poll_timeout(struct context *c)
f2134b7b 1317{
81d882d5 1318 update_time();
f2134b7b 1319 if (c->options.ce.connect_timeout)
81d882d5
DS		 1320 {
1321 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1322 }
f2134b7b
AS		 1323}
1324
6fbf66fa
JY		 1325/*
1326 * Initialize timers
1327 */
1328static void
81d882d5 1329do_init_timers(struct context *c, bool deferred)
6fbf66fa 1330{
81d882d5
DS		 1331 update_time();
1332 reset_coarse_timers(c);
6fbf66fa 1333
81d882d5
DS		 1334 /* initialize inactivity timeout */
1335 if (c->options.inactivity_timeout)
1336 {
1337 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1338 }
6fbf66fa 1339
81d882d5 1340 /* initialize pings */
6fbf66fa 1341
81d882d5
DS		 1342 if (c->options.ping_send_timeout)
1343 {
1344 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1345 }
6fbf66fa 1346
81d882d5
DS		 1347 if (c->options.ping_rec_timeout)
1348 {
1349 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1350 }
6fbf66fa 1351
81d882d5 1352 if (!deferred)
6fbf66fa 1353 {
81d882d5
DS		 1354 /* initialize connection establishment timer */
1355 event_timeout_init(&c->c2.wait_for_connect, 1, now);
6fbf66fa
JY		 1356
1357#ifdef ENABLE_OCC
81d882d5 1358 /* initialize occ timers */
6fbf66fa 1359
81d882d5
DS		 1360 if (c->options.occ
1361 && !TLS_MODE(c)
1362 && c->c2.options_string_local && c->c2.options_string_remote)
1363 {
1364 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1365 }
6fbf66fa 1366
81d882d5
DS		 1367 if (c->options.mtu_test)
1368 {
1369 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1370 }
6fbf66fa
JY		 1371#endif
1372
81d882d5 1373 /* initialize packet_id persistence timer */
81d882d5
DS		 1374 if (c->options.packet_id_file)
1375 {
1376 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1377 }
6fbf66fa 1378
81d882d5
DS		 1379 /* initialize tmp_int optimization that limits the number of times we call
1380 * tls_multi_process in the main event loop */
1381 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
6fbf66fa
JY		 1382 }
1383}
1384
1385/*
1386 * Initialize traffic shaper.
1387 */
1388static void
81d882d5 1389do_init_traffic_shaper(struct context *c)
6fbf66fa 1390{
3d163bc5 1391#ifdef ENABLE_FEATURE_SHAPER
81d882d5
DS		 1392 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1393 if (c->options.shaper)
6fbf66fa 1394 {
81d882d5
DS		 1395 shaper_init(&c->c2.shaper, c->options.shaper);
1396 shaper_msg(&c->c2.shaper);
6fbf66fa
JY		 1397 }
1398#endif
1399}
1400
1401/*
eb95f367
GD		 1402 * Allocate route list structures for IPv4 and IPv6
1403 * (we do this for IPv4 even if no --route option has been seen, as other
1404 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
6fbf66fa
JY		 1405 */
1406static void
81d882d5 1407do_alloc_route_list(struct context *c)
6fbf66fa 1408{
81d882d5
DS		 1409 if (!c->c1.route_list)
1410 {
1411 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1412 }
1413 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1414 {
1415 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1416 }
6fbf66fa
JY		 1417}
1418
1419
1420/*
1421 * Initialize the route list, resolving any DNS names in route
1422 * options and saving routes in the environment.
1423 */
1424static void
81d882d5
DS		 1425do_init_route_list(const struct options *options,
1426 struct route_list *route_list,
1427 const struct link_socket_info *link_socket_info,
1428 struct env_set *es)
6fbf66fa 1429{
81d882d5
DS		 1430 const char *gw = NULL;
1431 int dev = dev_type_enum(options->dev, options->dev_type);
1432 int metric = 0;
6fbf66fa 1433
81d882d5
DS		 1434 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1435 {
1436 gw = options->ifconfig_remote_netmask;
1437 }
1438 if (options->route_default_gateway)
1439 {
1440 gw = options->route_default_gateway;
1441 }
1442 if (options->route_default_metric)
1443 {
1444 metric = options->route_default_metric;
1445 }
6fbf66fa 1446
81d882d5
DS		 1447 if (init_route_list(route_list,
1448 options->routes,
1449 gw,
1450 metric,
1451 link_socket_current_remote(link_socket_info),
1452 es))
6fbf66fa 1453 {
81d882d5
DS		 1454 /* copy routes to environment */
1455 setenv_routes(es, route_list);
6fbf66fa
JY		 1456 }
1457}
1458
512cda46 1459static void
81d882d5
DS		 1460do_init_route_ipv6_list(const struct options *options,
1461 struct route_ipv6_list *route_ipv6_list,
1462 const struct link_socket_info *link_socket_info,
1463 struct env_set *es)
512cda46 1464{
81d882d5
DS		 1465 const char *gw = NULL;
1466 int metric = -1; /* no metric set */
512cda46 1467
81d882d5
DS		 1468 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1469#if 0 /* not yet done for IPv6 - TODO!*/
1470 if (options->route_ipv6_default_gateway) /* override? */
1471 {
1472 gw = options->route_ipv6_default_gateway;
1473 }
512cda46
GD		 1474#endif
1475
81d882d5
DS		 1476 if (options->route_default_metric)
1477 {
1478 metric = options->route_default_metric;
1479 }
512cda46 1480
81d882d5
DS		 1481 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1482 */
1483 if (options->routes_ipv6->flags & RG_REROUTE_GW)
d227929b 1484 {
81d882d5
DS		 1485 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1486 int i;
d227929b 1487
81d882d5
DS		 1488 for (i = 0; opt_list[i]; i++)
1489 {
1490 add_route_ipv6_to_option_list( options->routes_ipv6,
1491 string_alloc(opt_list[i], options->routes_ipv6->gc),
1492 NULL, NULL );
1493 }
d227929b
GD		 1494 }
1495
81d882d5
DS		 1496 if (init_route_ipv6_list(route_ipv6_list,
1497 options->routes_ipv6,
1498 gw,
1499 metric,
1500 link_socket_current_remote_ipv6(link_socket_info),
1501 es))
512cda46 1502 {
81d882d5
DS		 1503 /* copy routes to environment */
1504 setenv_routes_ipv6(es, route_ipv6_list);
512cda46
GD		 1505 }
1506}
1507
1508
6fbf66fa
JY		 1509/*
1510 * Called after all initialization has been completed.
1511 */
1512void
81d882d5 1513initialization_sequence_completed(struct context *c, const unsigned int flags)
6fbf66fa 1514{
81d882d5 1515 static const char message[] = "Initialization Sequence Completed";
6fbf66fa 1516
81d882d5
DS		 1517 /* Reset the unsuccessful connection counter on complete initialisation */
1518 c->options.unsuccessful_attempts = 0;
23d61c56 1519
81d882d5
DS		 1520 /* If we delayed UID/GID downgrade or chroot, do it now */
1521 do_uid_gid_chroot(c, true);
6fbf66fa 1522
5bde5b6d 1523
57116536
AQ		 1524 /*
1525 * In some cases (i.e. when receiving auth-token via
1526 * push-reply) the auth-nocache option configured on the
1527 * client is overridden; for this reason we have to wait
1528 * for the push-reply message before attempting to wipe
1529 * the user/pass entered by the user
1530 */
1531 if (c->options.mode == MODE_POINT_TO_POINT)
1532 {
1533 delayed_auth_pass_purge();
1534 }
1535
81d882d5
DS		 1536 /* Test if errors */
1537 if (flags & ISC_ERRORS)
a9c802b2 1538 {
445b192a 1539#ifdef _WIN32
81d882d5
DS		 1540 show_routes(M_INFO|M_NOPREFIX);
1541 show_adapters(M_INFO|M_NOPREFIX);
1542 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
6fbf66fa 1543#else
c5931897 1544#ifdef ENABLE_SYSTEMD
81d882d5 1545 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
c5931897 1546#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
81d882d5 1547 msg(M_INFO, "%s With Errors", message);
6fbf66fa 1548#endif
a9c802b2 1549 }
81d882d5 1550 else
c5931897
CH		 1551 {
1552#ifdef ENABLE_SYSTEMD
e83a8684 1553 sd_notifyf(0, "STATUS=%s", message);
c5931897 1554#endif
81d882d5 1555 msg(M_INFO, "%s", message);
c5931897 1556 }
6fbf66fa 1557
81d882d5
DS		 1558 /* Flag that we initialized */
1559 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1560 {
1561 c->options.no_advance = true;
1562 }
6fbf66fa 1563
445b192a 1564#ifdef _WIN32
81d882d5 1565 fork_register_dns_action(c->c1.tuntap);
b90c6f17
JY		 1566#endif
1567
6fbf66fa 1568#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 1569 /* Tell management interface that we initialized */
1570 if (management)
1571 {
1572 in_addr_t *tun_local = NULL;
1573 struct in6_addr *tun_local6 = NULL;
1574 struct openvpn_sockaddr local, remote;
1575 struct link_socket_actual *actual;
1576 socklen_t sa_len = sizeof(local);
1577 const char *detail = "SUCCESS";
1578 if (flags & ISC_ERRORS)
1579 {
1580 detail = "ERROR";
1581 }
1582
1583 CLEAR(local);
1584 actual = &get_link_socket_info(c)->lsa->actual;
1585 remote = actual->dest;
1586 getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
2191c471 1587#if ENABLE_IP_PKTINFO
81d882d5 1588 if (!addr_defined(&local))
2191c471 1589 {
81d882d5 1590 switch (local.addr.sa.sa_family)
2191c471 1591 {
81d882d5 1592 case AF_INET:
7efa60d9 1593#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
81d882d5 1594 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
4a82a9ac 1595#else
81d882d5 1596 local.addr.in4.sin_addr = actual->pi.in4;
4a82a9ac 1597#endif
81d882d5
DS		 1598 break;
1599
1600 case AF_INET6:
1601 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1602 break;
2191c471
HH		 1603 }
1604 }
1605#endif
1606
81d882d5 1607 if (c->c1.tuntap)
2191c471 1608 {
81d882d5
DS		 1609 tun_local = &c->c1.tuntap->local;
1610 tun_local6 = &c->c1.tuntap->local_ipv6;
1611 }
1612 management_set_state(management,
1613 OPENVPN_STATE_CONNECTED,
1614 detail,
1615 tun_local,
1616 tun_local6,
1617 &local,
1618 &remote);
1619 if (tun_local)
1620 {
1621 management_post_tunnel_open(management, *tun_local);
2191c471 1622 }
6fbf66fa 1623 }
81d882d5 1624#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 1625}
1626
1627/*
1628 * Possibly add routes and/or call route-up script
1629 * based on options.
1630 */
1631void
81d882d5
DS		 1632do_route(const struct options *options,
1633 struct route_list *route_list,
1634 struct route_ipv6_list *route_ipv6_list,
1635 const struct tuntap *tt,
1636 const struct plugin_list *plugins,
1637 struct env_set *es)
6fbf66fa 1638{
81d882d5 1639 if (!options->route_noexec && ( route_list || route_ipv6_list ) )
15be3202 1640 {
81d882d5
DS		 1641 add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es);
1642 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
15be3202
JY		 1643 }
1644#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 1645 if (management)
1646 {
1647 management_up_down(management, "UP", es);
1648 }
15be3202 1649#endif
6fbf66fa 1650
81d882d5 1651 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
6fbf66fa 1652 {
81d882d5
DS		 1653 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1654 {
1655 msg(M_WARN, "WARNING: route-up plugin call failed");
1656 }
6fbf66fa
JY		 1657 }
1658
81d882d5 1659 if (options->route_script)
6fbf66fa 1660 {
81d882d5
DS		 1661 struct argv argv = argv_new();
1662 setenv_str(es, "script_type", "route-up");
1663 argv_parse_cmd(&argv, options->route_script);
1664 openvpn_run_script(&argv, es, 0, "--route-up");
1665 argv_reset(&argv);
6fbf66fa
JY		 1666 }
1667
445b192a 1668#ifdef _WIN32
81d882d5 1669 if (options->show_net_up)
6fbf66fa 1670 {
81d882d5
DS		 1671 show_routes(M_INFO|M_NOPREFIX);
1672 show_adapters(M_INFO|M_NOPREFIX);
6fbf66fa 1673 }
81d882d5 1674 else if (check_debug_level(D_SHOW_NET))
6fbf66fa 1675 {
81d882d5
DS		 1676 show_routes(D_SHOW_NET|M_NOPREFIX);
1677 show_adapters(D_SHOW_NET|M_NOPREFIX);
6fbf66fa
JY		 1678 }
1679#endif
1680}
1681
6fbf66fa
JY		 1682/*
1683 * initialize tun/tap device object
1684 */
1685static void
81d882d5 1686do_init_tun(struct context *c)
6fbf66fa 1687{
81d882d5
DS		 1688 c->c1.tuntap = init_tun(c->options.dev,
1689 c->options.dev_type,
1690 c->options.topology,
1691 c->options.ifconfig_local,
1692 c->options.ifconfig_remote_netmask,
1693 c->options.ifconfig_ipv6_local,
1694 c->options.ifconfig_ipv6_netbits,
1695 c->options.ifconfig_ipv6_remote,
1696 c->c1.link_socket_addr.bind_local,
1697 c->c1.link_socket_addr.remote_list,
1698 !c->options.ifconfig_nowarn,
1699 c->c2.es);
1700
1701 init_tun_post(c->c1.tuntap,
1702 &c->c2.frame,
1703 &c->options.tuntap_options);
1704
1705 c->c1.tuntap_owned = true;
6fbf66fa
JY		 1706}
1707
1708/*
1709 * Open tun/tap device, ifconfig, call up script, etc.
1710 */
1711
1712static bool
81d882d5 1713do_open_tun(struct context *c)
6fbf66fa 1714{
81d882d5
DS		 1715 struct gc_arena gc = gc_new();
1716 bool ret = false;
6fbf66fa 1717
bd14d55d 1718#ifndef TARGET_ANDROID
81d882d5 1719 if (!c->c1.tuntap)
6fbf66fa 1720 {
bd14d55d
AS		 1721#endif
1722
1723#ifdef TARGET_ANDROID
81d882d5
DS		 1724 /* If we emulate persist-tun on android we still have to open a new tun and
1725 * then close the old */
1726 int oldtunfd = -1;
1727 if (c->c1.tuntap)
1728 {
1729 oldtunfd = c->c1.tuntap->fd;
da3f583f
AS		 1730 free(c->c1.tuntap);
1731 c->c1.tuntap = NULL;
1732 c->c1.tuntap_owned = false;
81d882d5 1733 }
bd14d55d
AS		 1734#endif
1735
81d882d5
DS		 1736 /* initialize (but do not open) tun/tap object */
1737 do_init_tun(c);
6fbf66fa 1738
445b192a 1739#ifdef _WIN32
81d882d5
DS		 1740 /* store (hide) interactive service handle in tuntap_options */
1741 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
1742 msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel);
1743#endif
1744
1745 /* allocate route list structure */
1746 do_alloc_route_list(c);
1747
1748 /* parse and resolve the route option list */
1749 ASSERT(c->c2.link_socket);
1750 if (c->options.routes && c->c1.route_list)
1751 {
1752 do_init_route_list(&c->options, c->c1.route_list,
1753 &c->c2.link_socket->info, c->c2.es);
1754 }
1755 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1756 {
1757 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1758 &c->c2.link_socket->info, c->c2.es);
1759 }
1760
1761 /* do ifconfig */
1762 if (!c->options.ifconfig_noexec
1763 && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1764 {
1765 /* guess actual tun/tap unit number that will be returned
1766 * by open_tun */
1767 const char *guess = guess_tuntap_dev(c->options.dev,
1768 c->options.dev_type,
1769 c->options.dev_node,
1770 &gc);
1771 do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1772 }
1773
1774 /* possibly add routes */
1775 if (route_order() == ROUTE_BEFORE_TUN)
1776 {
94e6a2da 1777 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
81d882d5
DS		 1778 do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1779 c->c1.tuntap, c->plugins, c->c2.es);
1780 }
c058cbff 1781#ifdef TARGET_ANDROID
81d882d5
DS		 1782 /* Store the old fd inside the fd so open_tun can use it */
1783 c->c1.tuntap->fd = oldtunfd;
1784#endif
1785 /* open the tun device */
1786 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1787 c->c1.tuntap);
1788
1789 /* set the hardware address */
1790 if (c->options.lladdr)
1791 {
1792 set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1793 }
1794
1795 /* do ifconfig */
1796 if (!c->options.ifconfig_noexec
1797 && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1798 {
1799 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es);
1800 }
1801
1802 /* run the up script */
1803 run_up_down(c->options.up_script,
1804 c->plugins,
1805 OPENVPN_PLUGIN_UP,
1806 c->c1.tuntap->actual_name,
445b192a 1807#ifdef _WIN32
81d882d5
DS		 1808 c->c1.tuntap->adapter_index,
1809#endif
1810 dev_type_string(c->options.dev, c->options.dev_type),
1811 TUN_MTU_SIZE(&c->c2.frame),
1812 EXPANDED_SIZE(&c->c2.frame),
1813 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1814 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1815 "init",
1816 NULL,
1817 "up",
1818 c->c2.es);
6fbf66fa 1819
445b192a 1820#if defined(_WIN32)
81d882d5
DS		 1821 if (c->options.block_outside_dns)
1822 {
1823 dmsg(D_LOW, "Blocking outside DNS");
2282b1be 1824 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
81d882d5
DS		 1825 {
1826 msg(M_FATAL, "Blocking DNS failed!");
1827 }
1828 }
38c85658
V		 1829#endif
1830
81d882d5
DS		 1831 /* possibly add routes */
1832 if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1833 {
1834 do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1835 c->c1.tuntap, c->plugins, c->c2.es);
1836 }
6fbf66fa 1837
81d882d5
DS		 1838 /*
1839 * Did tun/tap driver give us an MTU?
1840 */
1841 if (c->c1.tuntap->post_open_mtu)
1842 {
1843 frame_set_mtu_dynamic(&c->c2.frame,
1844 c->c1.tuntap->post_open_mtu,
1845 SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1846 }
6fbf66fa 1847
81d882d5
DS		 1848 ret = true;
1849 static_context = c;
bd14d55d 1850#ifndef TARGET_ANDROID
81d882d5
DS		 1851}
1852else
1853{
1854 msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1855 c->c1.tuntap->actual_name);
6fbf66fa 1856
81d882d5
DS		 1857 /* explicitly set the ifconfig_* env vars */
1858 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
db950be8 1859
81d882d5
DS		 1860 /* run the up script if user specified --up-restart */
1861 if (c->options.up_restart)
1862 {
1863 run_up_down(c->options.up_script,
1864 c->plugins,
1865 OPENVPN_PLUGIN_UP,
1866 c->c1.tuntap->actual_name,
445b192a 1867#ifdef _WIN32
81d882d5
DS		 1868 c->c1.tuntap->adapter_index,
1869#endif
1870 dev_type_string(c->options.dev, c->options.dev_type),
1871 TUN_MTU_SIZE(&c->c2.frame),
1872 EXPANDED_SIZE(&c->c2.frame),
1873 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1874 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1875 "restart",
1876 NULL,
1877 "up",
1878 c->c2.es);
1879 }
445b192a 1880#if defined(_WIN32)
81d882d5
DS		 1881 if (c->options.block_outside_dns)
1882 {
1883 dmsg(D_LOW, "Blocking outside DNS");
1884 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
451d2177 1885 {
81d882d5 1886 msg(M_FATAL, "Blocking DNS failed!");
451d2177 1887 }
6fbf66fa 1888 }
bd14d55d 1889#endif
81d882d5
DS		 1890
1891}
1892#endif /* ifndef TARGET_ANDROID */
1893 gc_free(&gc);
1894 return ret;
6fbf66fa
JY		 1895}
1896
1897/*
1898 * Close TUN/TAP device
1899 */
1900
1901static void
81d882d5 1902do_close_tun_simple(struct context *c)
6fbf66fa 1903{
81d882d5 1904 msg(D_CLOSE, "Closing TUN/TAP interface");
0bea472c
AQ		 1905 if (c->c1.tuntap)
1906 {
1907 close_tun(c->c1.tuntap);
1908 c->c1.tuntap = NULL;
1909 }
81d882d5 1910 c->c1.tuntap_owned = false;
6fbf66fa 1911#if P2MP
81d882d5 1912 CLEAR(c->c1.pulled_options_digest_save);
6fbf66fa
JY		 1913#endif
1914}
1915
1916static void
81d882d5 1917do_close_tun(struct context *c, bool force)
6fbf66fa 1918{
81d882d5
DS		 1919 struct gc_arena gc = gc_new();
1920 if (c->c1.tuntap && c->c1.tuntap_owned)
6fbf66fa 1921 {
81d882d5 1922 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
445b192a 1923#ifdef _WIN32
81d882d5 1924 DWORD adapter_index = c->c1.tuntap->adapter_index;
9dff2c1f 1925#endif
81d882d5
DS		 1926 const in_addr_t local = c->c1.tuntap->local;
1927 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
6fbf66fa 1928
81d882d5
DS		 1929 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1930 {
1931 static_context = NULL;
0c9eb1d3 1932
6fbf66fa 1933#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 1934 /* tell management layer we are about to close the TUN/TAP device */
1935 if (management)
1936 {
1937 management_pre_tunnel_close(management);
1938 management_up_down(management, "DOWN", c->c2.es);
1939 }
1940#endif
1941
1942 /* delete any routes we added */
1943 if (c->c1.route_list || c->c1.route_ipv6_list)
1944 {
1945 run_up_down(c->options.route_predown_script,
1946 c->plugins,
1947 OPENVPN_PLUGIN_ROUTE_PREDOWN,
1948 tuntap_actual,
445b192a 1949#ifdef _WIN32
81d882d5
DS		 1950 adapter_index,
1951#endif
1952 NULL,
1953 TUN_MTU_SIZE(&c->c2.frame),
1954 EXPANDED_SIZE(&c->c2.frame),
1955 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1956 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1957 "init",
1958 signal_description(c->sig->signal_received,
415421c2 1959 c->sig->signal_text),
81d882d5
DS		 1960 "route-pre-down",
1961 c->c2.es);
415421c2 1962
81d882d5
DS		 1963 delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
1964 c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es);
415421c2 1965 }
6fbf66fa 1966
81d882d5
DS		 1967 /* actually close tun/tap device based on --down-pre flag */
1968 if (!c->options.down_pre)
1969 {
1970 do_close_tun_simple(c);
1971 }
6fbf66fa 1972
81d882d5
DS		 1973 /* Run the down script -- note that it will run at reduced
1974 * privilege if, for example, "--user nobody" was used. */
1975 run_up_down(c->options.down_script,
1976 c->plugins,
1977 OPENVPN_PLUGIN_DOWN,
1978 tuntap_actual,
445b192a 1979#ifdef _WIN32
81d882d5
DS		 1980 adapter_index,
1981#endif
1982 NULL,
1983 TUN_MTU_SIZE(&c->c2.frame),
1984 EXPANDED_SIZE(&c->c2.frame),
1985 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
1986 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1987 "init",
1988 signal_description(c->sig->signal_received,
1989 c->sig->signal_text),
1990 "down",
1991 c->c2.es);
6fbf66fa 1992
445b192a 1993#if defined(_WIN32)
38c85658
V		 1994 if (c->options.block_outside_dns)
1995 {
27aa8728 1996 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
81d882d5
DS		 1997 {
1998 msg(M_FATAL, "Uninitialising WFP failed!");
1999 }
38c85658
V		 2000 }
2001#endif
2002
81d882d5
DS		 2003 /* actually close tun/tap device based on --down-pre flag */
2004 if (c->options.down_pre)
2005 {
2006 do_close_tun_simple(c);
2007 }
2008 }
2009 else
2010 {
2011 /* run the down script on this restart if --up-restart was specified */
2012 if (c->options.up_restart)
2013 {
2014 run_up_down(c->options.down_script,
2015 c->plugins,
2016 OPENVPN_PLUGIN_DOWN,
2017 tuntap_actual,
445b192a 2018#ifdef _WIN32
81d882d5
DS		 2019 adapter_index,
2020#endif
2021 NULL,
2022 TUN_MTU_SIZE(&c->c2.frame),
2023 EXPANDED_SIZE(&c->c2.frame),
2024 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2025 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2026 "restart",
2027 signal_description(c->sig->signal_received,
2028 c->sig->signal_text),
2029 "down",
2030 c->c2.es);
2031 }
451d2177 2032
445b192a 2033#if defined(_WIN32)
81d882d5 2034 if (c->options.block_outside_dns)
451d2177 2035 {
27aa8728 2036 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
81d882d5
DS		 2037 {
2038 msg(M_FATAL, "Uninitialising WFP failed!");
2039 }
451d2177
SN		 2040 }
2041#endif
2042
81d882d5 2043 }
6fbf66fa 2044 }
81d882d5 2045 gc_free(&gc);
6fbf66fa
JY		 2046}
2047
0c9eb1d3 2048void
e2a0cad4 2049tun_abort(void)
0c9eb1d3 2050{
81d882d5
DS		 2051 struct context *c = static_context;
2052 if (c)
0c9eb1d3 2053 {
81d882d5
DS		 2054 static_context = NULL;
2055 do_close_tun(c, true);
0c9eb1d3
JY		 2056 }
2057}
2058
6fbf66fa
JY		 2059/*
2060 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2061 */
2062
827de237
SK		 2063#if P2MP
2064/**
2065 * Helper for do_up(). Take two option hashes and return true if they are not
2066 * equal, or either one is all-zeroes.
2067 */
2068static bool
5b48e8c9
SK		 2069options_hash_changed_or_zero(const struct sha256_digest *a,
2070 const struct sha256_digest *b)
827de237 2071{
5b48e8c9
SK		 2072 const struct sha256_digest zero = {{0}};
2073 return memcmp(a, b, sizeof(struct sha256_digest))
2074 || !memcmp(a, &zero, sizeof(struct sha256_digest));
827de237
SK		 2075}
2076#endif /* P2MP */
2077
d728ebed 2078bool
81d882d5 2079do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
6fbf66fa 2080{
81d882d5 2081 if (!c->c2.do_up_ran)
6fbf66fa 2082 {
81d882d5 2083 reset_coarse_timers(c);
6fbf66fa 2084
bd230079 2085 if (pulled_options)
81d882d5
DS		 2086 {
2087 if (!do_deferred_options(c, option_types_found))
2088 {
2089 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2090 return false;
2091 }
2092 }
6fbf66fa 2093
81d882d5
DS		 2094 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2095 if (c->options.up_delay || PULL_DEFINED(&c->options))
2096 {
2097 c->c2.did_open_tun = do_open_tun(c);
2098 update_time();
6fbf66fa
JY		 2099
2100#if P2MP
81d882d5
DS		 2101 /*
2102 * Was tun interface object persisted from previous restart iteration,
2103 * and if so did pulled options string change from previous iteration?
2104 */
2105 if (!c->c2.did_open_tun
2106 && PULL_DEFINED(&c->options)
2107 && c->c1.tuntap
2108 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2109 &c->c2.pulled_options_digest))
2110 {
2111 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2112 msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2113 do_close_tun(c, true);
45b2af9c 2114 management_sleep(1);
81d882d5
DS		 2115 c->c2.did_open_tun = do_open_tun(c);
2116 update_time();
2117 }
2118#endif
2119 }
2120
2121 if (c->c2.did_open_tun)
2122 {
6fbf66fa 2123#if P2MP
81d882d5
DS		 2124 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
2125#endif
2126
2127 /* if --route-delay was specified, start timer */
2128 if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2129 {
2130 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2131 event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2132 if (c->c1.tuntap)
2133 {
2134 tun_standby_init(c->c1.tuntap);
2135 }
2136 }
2137 else
2138 {
2139 initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */
2140 }
2141 }
2142 else if (c->options.mode == MODE_POINT_TO_POINT)
2143 {
2144 initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */
2145 }
2146
2147 c->c2.do_up_ran = true;
2148 }
2149 return true;
6fbf66fa
JY		 2150}
2151
2152/*
2153 * These are the option categories which will be accepted by pull.
2154 */
2155unsigned int
81d882d5
DS		 2156pull_permission_mask(const struct context *c)
2157{
2158 unsigned int flags =
2159 OPT_P_UP
2160 | OPT_P_ROUTE_EXTRAS
2161 | OPT_P_SOCKBUF
2162 | OPT_P_SOCKFLAGS
2163 | OPT_P_SETENV
2164 | OPT_P_SHAPER
2165 | OPT_P_TIMER
2166 | OPT_P_COMP
2167 | OPT_P_PERSIST
2168 | OPT_P_MESSAGES
2169 | OPT_P_EXPLICIT_NOTIFY
2170 | OPT_P_ECHO
2171 | OPT_P_PULL_MODE
2172 | OPT_P_PEER_ID;
2173
2174 if (!c->options.route_nopull)
2175 {
2176 flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
2177 }
3c7f2f55 2178
81d882d5
DS		 2179 if (c->options.ncp_enabled)
2180 {
2181 flags |= OPT_P_NCP;
2182 }
d728ebed 2183
81d882d5 2184 return flags;
6fbf66fa
JY		 2185}
2186
2187/*
2188 * Handle non-tun-related pulled options.
2189 */
d728ebed 2190bool
81d882d5 2191do_deferred_options(struct context *c, const unsigned int found)
6fbf66fa 2192{
81d882d5 2193 if (found & OPT_P_MESSAGES)
6fbf66fa 2194 {
81d882d5
DS		 2195 init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2196 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
6fbf66fa 2197 }
81d882d5 2198 if (found & OPT_P_TIMER)
6fbf66fa 2199 {
81d882d5
DS		 2200 do_init_timers(c, true);
2201 msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
6fbf66fa
JY		 2202 }
2203
2204#ifdef ENABLE_OCC
81d882d5 2205 if (found & OPT_P_EXPLICIT_NOTIFY)
6fbf66fa 2206 {
81d882d5
DS		 2207 if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2208 {
2209 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2210 c->options.ce.explicit_exit_notification = 0;
2211 }
2212 else
2213 {
2214 msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
2215 }
6fbf66fa
JY		 2216 }
2217#endif
2218
38d96bd7 2219#ifdef USE_COMP
81d882d5 2220 if (found & OPT_P_COMP)
537073fd 2221 {
81d882d5
DS		 2222 msg(D_PUSH, "OPTIONS IMPORT: compression parms modified");
2223 comp_uninit(c->c2.comp_context);
2224 c->c2.comp_context = comp_init(&c->options.comp);
537073fd
JY		 2225 }
2226#endif
2227
81d882d5 2228 if (found & OPT_P_SHAPER)
6fbf66fa 2229 {
81d882d5
DS		 2230 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2231 do_init_traffic_shaper(c);
6fbf66fa
JY		 2232 }
2233
81d882d5 2234 if (found & OPT_P_SOCKBUF)
00d39170 2235 {
81d882d5
DS		 2236 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2237 link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
00d39170
JY		 2238 }
2239
81d882d5 2240 if (found & OPT_P_SOCKFLAGS)
00d39170 2241 {
81d882d5
DS		 2242 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2243 link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
00d39170
JY		 2244 }
2245
81d882d5
DS		 2246 if (found & OPT_P_PERSIST)
2247 {
2248 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2249 }
2250 if (found & OPT_P_UP)
2251 {
2252 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2253 }
2254 if (found & OPT_P_ROUTE)
2255 {
2256 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2257 }
2258 if (found & OPT_P_ROUTE_EXTRAS)
2259 {
2260 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2261 }
2262 if (found & OPT_P_IPWIN32)
2263 {
2264 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2265 }
2266 if (found & OPT_P_SETENV)
2267 {
2268 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2269 }
65eedc35 2270
81d882d5
DS		 2271 if (found & OPT_P_PEER_ID)
2272 {
2273 msg(D_PUSH, "OPTIONS IMPORT: peer-id set");
2274 c->c2.tls_multi->use_peer_id = true;
2275 c->c2.tls_multi->peer_id = c->options.peer_id;
2276 frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
2277 if (!c->options.ce.link_mtu_defined)
2278 {
2279 frame_add_to_link_mtu(&c->c2.frame, +3);
2280 msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
2281 EXPANDED_SIZE(&c->c2.frame));
2282 }
2283 else
2284 {
2285 msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
2286 " fixed by config - reducing tun-mtu to %d, expect"
2287 " MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
2288 }
2289 }
2290
2291 /* process (potentially pushed) crypto options */
2292 if (c->options.pull)
2293 {
2294 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2295 if (found & OPT_P_NCP)
2296 {
2297 msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified");
2298 }
2299 else if (c->options.ncp_enabled)
2300 {
2301 tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername);
2302 }
2303 /* Do not regenerate keys if server sends an extra push reply */
2304 if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized
2305 && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame))
2306 {
2307 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2308 return false;
2309 }
2310 }
c7ca9133 2311
81d882d5 2312 return true;
6fbf66fa
JY		 2313}
2314
2315/*
396d30c2
AS		 2316 * Possible hold on initialization, holdtime is the
2317 * time OpenVPN would wait without management
6fbf66fa
JY		 2318 */
2319static bool
81d882d5 2320do_hold(int holdtime)
6fbf66fa
JY		 2321{
2322#ifdef ENABLE_MANAGEMENT
81d882d5 2323 if (management)
6fbf66fa 2324 {
81d882d5
DS		 2325 /* block until management hold is released */
2326 if (management_hold(management, holdtime))
2327 {
2328 return true;
2329 }
6fbf66fa
JY		 2330 }
2331#endif
81d882d5 2332 return false;
6fbf66fa
JY		 2333}
2334
2335/*
2336 * Sleep before restart.
2337 */
2338static void
81d882d5 2339socket_restart_pause(struct context *c)
6fbf66fa 2340{
81d882d5
DS		 2341 int sec = 2;
2342 int backoff = 0;
6fbf66fa 2343
81d882d5 2344 switch (c->options.ce.proto)
6fbf66fa 2345 {
81d882d5
DS		 2346 case PROTO_TCP_SERVER:
2347 sec = 1;
2348 break;
2349
2350 case PROTO_UDP:
2351 case PROTO_TCP_CLIENT:
2352 sec = c->options.ce.connect_retry_seconds;
2353 break;
6fbf66fa
JY		 2354 }
2355
2356#ifdef ENABLE_DEBUG
81d882d5
DS		 2357 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2358 {
2359 sec = 0;
2360 }
6fbf66fa
JY		 2361#endif
2362
2363#if P2MP
81d882d5
DS		 2364 if (auth_retry_get() == AR_NOINTERACT)
2365 {
2366 sec = 10;
2367 }
6fbf66fa
JY		 2368#endif
2369
81d882d5
DS		 2370 /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */
2371 if (c->options.ce.proto != PROTO_TCP_SERVER)
5d429efd 2372 {
81d882d5
DS		 2373 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2374 if (backoff > 0)
5d429efd 2375 {
81d882d5
DS		 2376 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2377 sec = max_int(sec, 1) << min_int(backoff, 15);
5d429efd
SN		 2378 }
2379
81d882d5
DS		 2380 if (sec > c->options.ce.connect_retry_seconds_max)
2381 {
2382 sec = c->options.ce.connect_retry_seconds_max;
2383 }
5d429efd
SN		 2384 }
2385
81d882d5
DS		 2386 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2387 {
2388 sec = c->persist.restart_sleep_seconds;
2389 }
2390 else if (c->persist.restart_sleep_seconds == -1)
2391 {
2392 sec = 0;
2393 }
2394 c->persist.restart_sleep_seconds = 0;
a9c802b2 2395
81d882d5
DS		 2396 /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
2397 if (do_hold(sec))
2398 {
2399 sec = 0;
2400 }
6fbf66fa 2401
81d882d5 2402 if (sec)
6fbf66fa 2403 {
81d882d5 2404 msg(D_RESTART, "Restart pause, %d second(s)", sec);
45b2af9c 2405 management_sleep(sec);
6fbf66fa
JY		 2406 }
2407}
2408
2409/*
2410 * Do a possible pause on context_2 initialization.
2411 */
2412static void
81d882d5 2413do_startup_pause(struct context *c)
6fbf66fa 2414{
81d882d5
DS		 2415 if (!c->first_time)
2416 {
2417 socket_restart_pause(c);
2418 }
2419 else
2420 {
2421 do_hold(0); /* do management hold on first context initialization */
2422 }
6fbf66fa
JY		 2423}
2424
2425/*
2426 * Finalize MTU parameters based on command line or config file options.
2427 */
2428static void
81d882d5 2429frame_finalize_options(struct context *c, const struct options *o)
6fbf66fa 2430{
81d882d5
DS		 2431 if (!o)
2432 {
2433 o = &c->options;
2434 }
6fbf66fa 2435
81d882d5
DS		 2436 /*
2437 * Set adjustment factor for buffer alignment when no
2438 * cipher is used.
2439 */
2440 if (!CIPHER_ENABLED(c))
6fbf66fa 2441 {
81d882d5
DS		 2442 frame_align_to_extra_frame(&c->c2.frame);
2443 frame_or_align_flags(&c->c2.frame,
2444 FRAME_HEADROOM_MARKER_FRAGMENT
2445 |FRAME_HEADROOM_MARKER_READ_LINK
2446 |FRAME_HEADROOM_MARKER_READ_STREAM);
6fbf66fa 2447 }
81d882d5
DS		 2448
2449 frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN);
2450 frame_finalize(&c->c2.frame,
2451 o->ce.link_mtu_defined,
2452 o->ce.link_mtu,
2453 o->ce.tun_mtu_defined,
2454 o->ce.tun_mtu);
6fbf66fa
JY		 2455}
2456
2457/*
2458 * Free a key schedule, including OpenSSL components.
2459 */
2460static void
81d882d5 2461key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
6fbf66fa 2462{
81d882d5
DS		 2463 free_key_ctx_bi(&ks->static_key);
2464 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
6fbf66fa 2465 {
81d882d5 2466 tls_ctx_free(&ks->ssl_ctx);
19dffdbd 2467 free_key_ctx(&ks->tls_crypt_v2_server_key);
6fbf66fa 2468 }
81d882d5 2469 CLEAR(*ks);
6fbf66fa
JY		 2470}
2471
6fbf66fa 2472static void
81d882d5 2473init_crypto_pre(struct context *c, const unsigned int flags)
6fbf66fa 2474{
81d882d5
DS		 2475 if (c->options.engine)
2476 {
2477 crypto_init_lib_engine(c->options.engine);
2478 }
6fbf66fa 2479
81d882d5 2480 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
6fbf66fa 2481 {
81d882d5
DS		 2482 /* load a persisted packet-id for cross-session replay-protection */
2483 if (c->options.packet_id_file)
2484 {
2485 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2486 }
6fbf66fa
JY		 2487 }
2488
0f25d296 2489#ifdef ENABLE_PREDICTION_RESISTANCE
81d882d5
DS		 2490 if (c->options.use_prediction_resistance)
2491 {
2492 rand_ctx_enable_prediction_resistance();
2493 }
0f25d296
AJ		 2494#endif
2495
6fbf66fa
JY		 2496}
2497
2498/*
2499 * Static Key Mode (using a pre-shared key)
2500 */
2501static void
81d882d5 2502do_init_crypto_static(struct context *c, const unsigned int flags)
6fbf66fa 2503{
81d882d5
DS		 2504 const struct options *options = &c->options;
2505 ASSERT(options->shared_secret_file);
6fbf66fa 2506
81d882d5 2507 init_crypto_pre(c, flags);
2d9c6d20 2508
81d882d5 2509 /* Initialize flags */
81d882d5 2510 if (c->options.mute_replay_warnings)
6fbf66fa 2511 {
81d882d5 2512 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
6fbf66fa
JY		 2513 }
2514
81d882d5
DS		 2515 /* Initialize packet ID tracking */
2516 if (options->replay)
6fbf66fa 2517 {
81d882d5
DS		 2518 packet_id_init(&c->c2.crypto_options.packet_id,
2519 options->replay_window,
2520 options->replay_time,
2521 "STATIC", 0);
2522 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2523 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
2524 packet_id_persist_load_obj(&c->c1.pid_persist,
2525 &c->c2.crypto_options.packet_id);
2526 }
6fbf66fa 2527
81d882d5
DS		 2528 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
2529 {
2530 /* Get cipher & hash algorithms */
2531 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2532 options->keysize, options->test_crypto, true);
2533
2534 /* Read cipher and hmac keys from shared secret file */
2535 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
2536 options->shared_secret_file,
2537 options->shared_secret_file_inline,
2538 options->key_direction, "Static Key Encryption",
2539 "secret");
6fbf66fa 2540 }
81d882d5 2541 else
6fbf66fa 2542 {
81d882d5 2543 msg(M_INFO, "Re-using pre-shared static key");
6fbf66fa
JY		 2544 }
2545
81d882d5
DS		 2546 /* Get key schedule */
2547 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
6fbf66fa 2548
81d882d5 2549 /* Compute MTU parameters */
ef910e3e
SK		 2550 crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
2551 options->replay, true);
6fbf66fa 2552
ef910e3e
SK		 2553 /* Sanity check on sequence number, and cipher mode options */
2554 check_replay_consistency(&c->c1.ks.key_type, options->replay);
6fbf66fa
JY		 2555}
2556
5817b49b
AQ		 2557/*
2558 * Initialize the tls-auth/crypt key context
2559 */
2560static void
2561do_init_tls_wrap_key(struct context *c)
2562{
2563 const struct options *options = &c->options;
2564
2565 /* TLS handshake authentication (--tls-auth) */
57d6f103 2566 if (options->ce.tls_auth_file)
5817b49b
AQ		 2567 {
2568 /* Initialize key_type for tls-auth with auth only */
2569 CLEAR(c->c1.ks.tls_auth_key_type);
2570 if (!streq(options->authname, "none"))
2571 {
2572 c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
2573 c->c1.ks.tls_auth_key_type.hmac_length =
2574 md_kt_size(c->c1.ks.tls_auth_key_type.digest);
2575 }
2576 else
2577 {
2578 msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
2579 "algorithm specified ('%s')", options->authname);
2580 }
2581
2582 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
2583 &c->c1.ks.tls_wrap_key,
57d6f103
AQ		 2584 options->ce.tls_auth_file,
2585 options->ce.tls_auth_file_inline,
2586 options->ce.key_direction,
5817b49b
AQ		 2587 "Control Channel Authentication", "tls-auth");
2588 }
2589
2590 /* TLS handshake encryption+authentication (--tls-crypt) */
57d6f103 2591 if (options->ce.tls_crypt_file)
5817b49b
AQ		 2592 {
2593 tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
57d6f103
AQ		 2594 options->ce.tls_crypt_file,
2595 options->ce.tls_crypt_inline, options->tls_server);
5817b49b 2596 }
19d6d9c3
SK		 2597
2598 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
2599 if (options->ce.tls_crypt_v2_file)
2600 {
2601 if (options->tls_server)
2602 {
2603 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
2604 true, options->ce.tls_crypt_v2_file,
2605 options->ce.tls_crypt_v2_inline);
2606 }
2607 else
2608 {
2609 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
2610 &c->c1.ks.tls_crypt_v2_wkc,
2611 options->ce.tls_crypt_v2_file,
2612 options->ce.tls_crypt_v2_inline);
2613 }
2614 }
2615
2616
5817b49b
AQ		 2617}
2618
6fbf66fa
JY		 2619/*
2620 * Initialize the persistent component of OpenVPN's TLS mode,
2621 * which is preserved across SIGUSR1 resets.
2622 */
2623static void
81d882d5 2624do_init_crypto_tls_c1(struct context *c)
6fbf66fa 2625{
81d882d5 2626 const struct options *options = &c->options;
6fbf66fa 2627
81d882d5 2628 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
6fbf66fa 2629 {
81d882d5
DS		 2630 /*
2631 * Initialize the OpenSSL library's global
2632 * SSL context.
2633 */
2634 init_ssl(options, &(c->c1.ks.ssl_ctx));
2635 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2636 {
6fbf66fa 2637#if P2MP
81d882d5
DS		 2638 switch (auth_retry_get())
2639 {
2640 case AR_NONE:
2641 msg(M_FATAL, "Error: private key password verification failed");
2642 break;
2643
2644 case AR_INTERACT:
2645 ssl_purge_auth(false);
2646
2647 case AR_NOINTERACT:
2648 c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2649 break;
2650
2651 default:
2652 ASSERT(0);
2653 }
2654 c->sig->signal_text = "private-key-password-failure";
2655 return;
2656#else /* if P2MP */
2657 msg(M_FATAL, "Error: private key password verification failed");
2658#endif
2659 }
2660
2661 /* Get cipher & hash algorithms */
2662 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
2663 options->keysize, true, true);
2664
2665 /* Initialize PRNG with config-specified digest */
2666 prng_init(options->prng_hash, options->prng_nonce_secret_len);
2667
19d6d9c3 2668 /* initialize tls-auth/crypt/crypt-v2 key */
5817b49b 2669 do_init_tls_wrap_key(c);
81d882d5 2670
1f4309ae 2671#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
81d882d5
DS		 2672 if (options->priv_key_file_inline)
2673 {
2674 string_clear(c->options.priv_key_file_inline);
2675 c->options.priv_key_file_inline = NULL;
2676 }
d40f2b20 2677#endif
6fbf66fa 2678 }
81d882d5 2679 else
6fbf66fa 2680 {
81d882d5 2681 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
129d2924 2682
5817b49b
AQ		 2683 /*
2684 * tls-auth/crypt key can be configured per connection block, therefore
2685 * we must reload it as it may have changed
2686 */
2687 do_init_tls_wrap_key(c);
6fbf66fa
JY		 2688 }
2689}
2690
2691static void
81d882d5 2692do_init_crypto_tls(struct context *c, const unsigned int flags)
6fbf66fa 2693{
81d882d5
DS		 2694 const struct options *options = &c->options;
2695 struct tls_options to;
2696 bool packet_id_long_form;
6fbf66fa 2697
81d882d5
DS		 2698 ASSERT(options->tls_server || options->tls_client);
2699 ASSERT(!options->test_crypto);
6fbf66fa 2700
81d882d5 2701 init_crypto_pre(c, flags);
6fbf66fa 2702
81d882d5
DS		 2703 /* Make sure we are either a TLS client or server but not both */
2704 ASSERT(options->tls_server == !options->tls_client);
6fbf66fa 2705
81d882d5
DS		 2706 /* initialize persistent component */
2707 do_init_crypto_tls_c1(c);
2708 if (IS_SIG(c))
2709 {
2710 return;
2711 }
2712
ef910e3e
SK		 2713 /* Sanity check on sequence number, and cipher mode options */
2714 check_replay_consistency(&c->c1.ks.key_type, options->replay);
81d882d5
DS		 2715
2716 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2717 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
2718
2719 /* Compute MTU parameters (postpone if we push/pull options) */
2720 if (c->options.pull || c->options.mode == MODE_SERVER)
2721 {
2722 /* Account for worst-case crypto overhead before allocating buffers */
2723 frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead());
2724 }
2725 else
2726 {
2727 crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
ef910e3e 2728 options->replay, packet_id_long_form);
81d882d5
DS		 2729 }
2730 tls_adjust_frame_parameters(&c->c2.frame);
6fbf66fa 2731
81d882d5
DS		 2732 /* Set all command-line TLS-related options */
2733 CLEAR(to);
2734
81d882d5
DS		 2735 if (options->mute_replay_warnings)
2736 {
2737 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
2738 }
2739
2740 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2741 if (packet_id_long_form)
2742 {
2743 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
2744 }
2745
2746 to.ssl_ctx = c->c1.ks.ssl_ctx;
2747 to.key_type = c->c1.ks.key_type;
2748 to.server = options->tls_server;
2749 to.key_method = options->key_method;
2750 to.replay = options->replay;
2751 to.replay_window = options->replay_window;
2752 to.replay_time = options->replay_time;
2753 to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
2754 to.config_ciphername = c->c1.ciphername;
2755 to.config_authname = c->c1.authname;
2756 to.ncp_enabled = options->ncp_enabled;
2757 to.transition_window = options->transition_window;
2758 to.handshake_window = options->handshake_window;
2759 to.packet_timeout = options->tls_timeout;
2760 to.renegotiate_bytes = options->renegotiate_bytes;
2761 to.renegotiate_packets = options->renegotiate_packets;
dd996463
SM		 2762 if (options->renegotiate_seconds_min < 0)
2763 {
2764 /* Add 10% jitter to reneg-sec by default (server side only) */
2765 int auto_jitter = options->mode != MODE_SERVER ? 0 :
2766 get_random() % max_int(options->renegotiate_seconds / 10, 1);
2767 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
2768 }
2769 else
2770 {
2771 /* Add user-specified jitter to reneg-sec */
2772 to.renegotiate_seconds = options->renegotiate_seconds -
2773 (get_random() % max_int(options->renegotiate_seconds
2774 - options->renegotiate_seconds_min, 1));
2775 }
81d882d5
DS		 2776 to.single_session = options->single_session;
2777 to.mode = options->mode;
2778 to.pull = options->pull;
81d882d5
DS		 2779 if (options->push_peer_info) /* all there is */
2780 {
2781 to.push_peer_info_detail = 2;
2782 }
2783 else if (options->pull) /* pull clients send some details */
2784 {
2785 to.push_peer_info_detail = 1;
2786 }
2787 else /* default: no peer-info at all */
2788 {
2789 to.push_peer_info_detail = 0;
2790 }
6fbf66fa 2791
81d882d5
DS		 2792 /* should we not xmit any packets until we get an initial
2793 * response from client? */
2794 if (to.server && options->ce.proto == PROTO_TCP_SERVER)
2795 {
2796 to.xmit_hold = true;
2797 }
6add6b2f 2798
6fbf66fa 2799#ifdef ENABLE_OCC
81d882d5
DS		 2800 to.disable_occ = !options->occ;
2801#endif
2802
2803 to.verify_command = options->tls_verify;
2804 to.verify_export_cert = options->tls_export_cert;
2805 to.verify_x509_type = (options->verify_x509_type & 0xff);
2806 to.verify_x509_name = options->verify_x509_name;
2807 to.crl_file = options->crl_file;
2808 to.crl_file_inline = options->crl_file_inline;
2809 to.ssl_flags = options->ssl_flags;
2810 to.ns_cert_type = options->ns_cert_type;
2811 memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
2812 to.remote_cert_eku = options->remote_cert_eku;
2813 to.verify_hash = options->verify_hash;
2193d7c0 2814 to.verify_hash_algo = options->verify_hash_algo;
19dd3ef1 2815#ifdef ENABLE_X509ALTUSERNAME
81d882d5 2816 to.x509_username_field = (char *) options->x509_username_field;
19dd3ef1 2817#else
81d882d5 2818 to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
19dd3ef1 2819#endif
81d882d5 2820 to.es = c->c2.es;
6fbf66fa
JY		 2821
2822#ifdef ENABLE_DEBUG
81d882d5 2823 to.gremlin = c->options.gremlin;
6fbf66fa
JY		 2824#endif
2825
81d882d5 2826 to.plugins = c->plugins;
6fbf66fa 2827
90efcacb 2828#ifdef MANAGEMENT_DEF_AUTH
81d882d5 2829 to.mda_context = &c->c2.mda_context;
90efcacb
JY		 2830#endif
2831
6fbf66fa 2832#if P2MP_SERVER
81d882d5
DS		 2833 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2834 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2835 to.tmp_dir = options->tmp_dir;
2836 if (options->ccd_exclusive)
2837 {
2838 to.client_config_dir_exclusive = options->client_config_dir;
2839 }
2840 to.auth_user_pass_file = options->auth_user_pass_file;
2841 to.auth_token_generate = options->auth_token_generate;
2842 to.auth_token_lifetime = options->auth_token_lifetime;
6fbf66fa
JY		 2843#endif
2844
81d882d5 2845 to.x509_track = options->x509_track;
9356bae8 2846
16d909e2 2847#if P2MP
66b9409b 2848#ifdef ENABLE_MANAGEMENT
81d882d5 2849 to.sci = &options->sc_info;
16d909e2 2850#endif
eab3e22f
JY		 2851#endif
2852
38d96bd7 2853#ifdef USE_COMP
81d882d5 2854 to.comp_options = options->comp;
38d96bd7
JY		 2855#endif
2856
685e486e 2857#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
81d882d5 2858 if (options->keying_material_exporter_label)
685e486e 2859 {
81d882d5
DS		 2860 to.ekm_size = options->keying_material_exporter_length;
2861 if (to.ekm_size < 16 || to.ekm_size > 4095)
2862 {
2863 to.ekm_size = 0;
2864 }
685e486e 2865
81d882d5
DS		 2866 to.ekm_label = options->keying_material_exporter_label;
2867 to.ekm_label_size = strlen(to.ekm_label);
685e486e 2868 }
81d882d5 2869 else
685e486e 2870 {
81d882d5 2871 to.ekm_size = 0;
685e486e
DK		 2872 }
2873#endif
2874
81d882d5 2875 /* TLS handshake authentication (--tls-auth) */
57d6f103 2876 if (options->ce.tls_auth_file)
6fbf66fa 2877 {
81d882d5
DS		 2878 to.tls_wrap.mode = TLS_WRAP_AUTH;
2879 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2880 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2881 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
ef910e3e
SK		 2882 crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type,
2883 true, true);
6fbf66fa
JY		 2884 }
2885
81d882d5 2886 /* TLS handshake encryption (--tls-crypt) */
19dffdbd
SK		 2887 if (options->ce.tls_crypt_file
2888 || (options->ce.tls_crypt_v2_file && options->tls_client))
c6e24fa3 2889 {
81d882d5
DS		 2890 to.tls_wrap.mode = TLS_WRAP_CRYPT;
2891 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
2892 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
2893 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
2894 tls_crypt_adjust_frame_parameters(&to.frame);
19dffdbd 2895
19d6d9c3 2896 if (options->ce.tls_crypt_v2_file)
19dffdbd
SK		 2897 {
2898 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
2899 }
2900 }
2901
19d6d9c3 2902 if (options->ce.tls_crypt_v2_file)
19dffdbd
SK		 2903 {
2904 to.tls_crypt_v2 = true;
2905 if (options->tls_server)
2906 {
2907 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
ff931c5e 2908 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
19dffdbd 2909 }
c6e24fa3
SK		 2910 }
2911
81d882d5
DS		 2912 /* If we are running over TCP, allow for
2913 * length prefix */
2914 socket_adjust_frame_parameters(&to.frame, options->ce.proto);
6fbf66fa 2915
81d882d5
DS		 2916 /*
2917 * Initialize OpenVPN's master TLS-mode object.
2918 */
2919 if (flags & CF_INIT_TLS_MULTI)
2920 {
2921 c->c2.tls_multi = tls_multi_init(&to);
2922 }
6fbf66fa 2923
81d882d5
DS		 2924 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2925 {
2926 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
2927 }
6fbf66fa
JY		 2928}
2929
2930static void
81d882d5 2931do_init_finalize_tls_frame(struct context *c)
6fbf66fa 2932{
81d882d5 2933 if (c->c2.tls_multi)
6fbf66fa 2934 {
81d882d5
DS		 2935 tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame);
2936 ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <=
2937 EXPANDED_SIZE(&c->c2.frame));
2938 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2939 "Control Channel MTU parms");
6fbf66fa 2940 }
81d882d5 2941 if (c->c2.tls_auth_standalone)
6fbf66fa 2942 {
81d882d5
DS		 2943 tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame);
2944 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2945 "TLS-Auth MTU parms");
6fbf66fa
JY		 2946 }
2947}
2948
6fbf66fa
JY		 2949/*
2950 * No encryption or authentication.
2951 */
2952static void
81d882d5 2953do_init_crypto_none(const struct context *c)
6fbf66fa 2954{
81d882d5
DS		 2955 ASSERT(!c->options.test_crypto);
2956 msg(M_WARN,
7a1b6a0d
DS		 2957 "******* WARNING *******: All encryption and authentication features "
2958 "disabled -- All data will be tunnelled as clear text and will not be "
2959 "protected against man-in-the-middle changes. "
2960 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
6fbf66fa 2961}
6fbf66fa
JY		 2962
2963static void
81d882d5 2964do_init_crypto(struct context *c, const unsigned int flags)
6fbf66fa 2965{
81d882d5
DS		 2966 if (c->options.shared_secret_file)
2967 {
2968 do_init_crypto_static(c, flags);
2969 }
2970 else if (c->options.tls_server || c->options.tls_client)
2971 {
2972 do_init_crypto_tls(c, flags);
2973 }
2974 else /* no encryption or authentication. */
2975 {
2976 do_init_crypto_none(c);
2977 }
6fbf66fa
JY		 2978}
2979
2980static void
81d882d5 2981do_init_frame(struct context *c)
6fbf66fa 2982{
38d96bd7 2983#ifdef USE_COMP
81d882d5
DS		 2984 /*
2985 * modify frame parameters if compression is enabled
2986 */
2987 if (comp_enabled(&c->options.comp))
6fbf66fa 2988 {
81d882d5 2989 comp_add_to_extra_frame(&c->c2.frame);
6fbf66fa 2990
9403e3f4 2991#if !defined(ENABLE_LZ4)
81d882d5
DS		 2992 /*
2993 * Compression usage affects buffer alignment when non-swapped algs
2994 * such as LZO is used.
2995 * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need
2996 * any special alignment because of the control-byte swap approach.
2997 * LZO alignment (on the other hand) is problematic because
2998 * the presence of the control byte means that either the output of
2999 * decryption must be written to an unaligned buffer, or the input
3000 * to compression (or packet dispatch if packet is uncompressed)
3001 * must be read from an unaligned buffer.
3002 * This code tries to align the input to compression (or packet
3003 * dispatch if packet is uncompressed) at the cost of requiring
3004 * decryption output to be written to an unaligned buffer, so
3005 * it's more of a tradeoff than an optimal solution and we don't
3006 * include it when we are doing a modern build with LZ4.
3007 * Strictly speaking, on the server it would be better to execute
3008 * this code for every connection after we decide the compression
3009 * method, but currently the frame code doesn't appear to be
3010 * flexible enough for this, since the frame is already established
3011 * before it is known which compression options will be pushed.
3012 */
3013 if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c))
3014 {
3015 frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN);
3016 frame_or_align_flags(&c->c2.frame,
3017 FRAME_HEADROOM_MARKER_FRAGMENT
3018 |FRAME_HEADROOM_MARKER_DECRYPT);
3019 }
38d96bd7 3020#endif
6fbf66fa
JY		 3021
3022#ifdef ENABLE_FRAGMENT
81d882d5 3023 comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
6fbf66fa
JY		 3024#endif
3025 }
38d96bd7 3026#endif /* USE_COMP */
6fbf66fa 3027
81d882d5
DS		 3028 /*
3029 * Adjust frame size for UDP Socks support.
3030 */
3031 if (c->options.ce.socks_proxy_server)
3032 {
3033 socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3034 }
3035
3036 /*
3037 * Adjust frame size based on the --tun-mtu-extra parameter.
3038 */
3039 if (c->options.ce.tun_mtu_extra_defined)
3040 {
3041 tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra);
3042 }
3043
3044 /*
3045 * Adjust frame size based on link socket parameters.
3046 * (Since TCP is a stream protocol, we need to insert
3047 * a packet length uint16_t in the buffer.)
3048 */
3049 socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto);
3050
3051 /*
3052 * Fill in the blanks in the frame parameters structure,
3053 * make sure values are rational, etc.
3054 */
3055 frame_finalize_options(c, NULL);
6fbf66fa 3056
38d96bd7 3057#ifdef USE_COMP
81d882d5
DS		 3058 /*
3059 * Modify frame parameters if compression is compiled in.
3060 * Should be called after frame_finalize_options.
3061 */
3062 comp_add_to_extra_buffer(&c->c2.frame);
38d96bd7 3063#ifdef ENABLE_FRAGMENT
81d882d5 3064 comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */
38d96bd7
JY		 3065#endif
3066#endif /* USE_COMP */
3067
81d882d5
DS		 3068 /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
3069 * and need link_mtu+3 bytes on socket reception (on server).
3070 *
3071 * accomodate receive path in f->extra_link, which has the side effect of
3072 * also increasing send buffers (BUF_SIZE() macro), which need to be
3073 * allocated big enough before receiving peer-id option from server.
3074 *
3075 * f->extra_frame is adjusted when peer-id option is push-received
3076 */
3077 frame_add_to_extra_link(&c->c2.frame, 3);
9e0963c1 3078
6fbf66fa 3079#ifdef ENABLE_FRAGMENT
81d882d5
DS		 3080 /*
3081 * Set frame parameter for fragment code. This is necessary because
3082 * the fragmentation code deals with payloads which have already been
3083 * passed through the compression code.
3084 */
3085 c->c2.frame_fragment = c->c2.frame;
3086 frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
6fbf66fa
JY		 3087#endif
3088
3089#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
81d882d5
DS		 3090 /*
3091 * MTU advisories
3092 */
3093 if (c->options.ce.fragment && c->options.mtu_test)
3094 {
3095 msg(M_WARN,
3096 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3097 }
6fbf66fa
JY		 3098#endif
3099
3100#ifdef ENABLE_FRAGMENT
81d882d5
DS		 3101 if ((c->options.ce.mssfix || c->options.ce.fragment)
3102 && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU)
3103 {
3104 msg(M_WARN,
3105 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
3106 ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment));
3107 }
6fbf66fa
JY		 3108#endif
3109}
3110
3111static void
81d882d5 3112do_option_warnings(struct context *c)
6fbf66fa 3113{
81d882d5 3114 const struct options *o = &c->options;
6fbf66fa 3115
81d882d5
DS		 3116 if (o->ping_send_timeout && !o->ping_rec_timeout)
3117 {
3118 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3119 }
6fbf66fa 3120
81d882d5 3121 if (o->username || o->groupname || o->chroot_dir
cd5990e0 3122#ifdef ENABLE_SELINUX
81d882d5 3123 || o->selinux_context
99385447 3124#endif
81d882d5
DS		 3125 )
3126 {
3127 if (!o->persist_tun)
3128 {
3129 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3130 }
3131 if (!o->persist_key
51b1d4c2 3132#ifdef ENABLE_PKCS11
81d882d5 3133 && !o->pkcs11_id
51b1d4c2 3134#endif
81d882d5
DS		 3135 )
3136 {
3137 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3138 }
3139 }
6fbf66fa 3140
81d882d5
DS		 3141 if (o->chroot_dir && !(o->username && o->groupname))
3142 {
3143 msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3144 }
31f90e64 3145
6fbf66fa 3146#if P2MP
81d882d5
DS		 3147 if (o->pull && o->ifconfig_local && c->first_time)
3148 {
3149 msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3150 }
6fbf66fa
JY		 3151
3152#if P2MP_SERVER
81d882d5
DS		 3153 if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3154 {
3155 msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3156 }
f77c60d3 3157
81d882d5 3158 if (o->mode == MODE_SERVER)
6fbf66fa 3159 {
81d882d5
DS		 3160 if (o->duplicate_cn && o->client_config_dir)
3161 {
3162 msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3163 }
3164 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3165 {
3166 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3167 }
3168 if (!o->keepalive_ping || !o->keepalive_timeout)
3169 {
3170 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3171 }
6fbf66fa 3172 }
81d882d5
DS		 3173#endif /* if P2MP_SERVER */
3174#endif /* if P2MP */
6fbf66fa 3175
81d882d5
DS		 3176 if (!o->replay)
3177 {
3178 msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3179 }
81d882d5
DS		 3180
3181 if (o->tls_server)
3182 {
3183 warn_on_use_of_common_subnets();
3184 }
3185 if (o->tls_client
3186 && !o->tls_verify
3187 && o->verify_x509_type == VERIFY_X509_NONE
3188 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3189 && !o->remote_cert_eku)
3190 {
3191 msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3192 }
2dc33226
SK		 3193 if (o->ns_cert_type)
3194 {
3195 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3196 }
81d882d5
DS		 3197
3198 /* If a script is used, print appropiate warnings */
3199 if (o->user_script_used)
3200 {
bf97c00f 3201 if (script_security() >= SSEC_SCRIPTS)
81d882d5
DS		 3202 {
3203 msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3204 }
bf97c00f 3205 else if (script_security() >= SSEC_PW_ENV)
81d882d5
DS		 3206 {
3207 msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3208 }
3209 else
3210 {
3211 msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3212 }
3213 }
6fbf66fa
JY		 3214}
3215
3216static void
81d882d5 3217do_init_frame_tls(struct context *c)
6fbf66fa 3218{
81d882d5 3219 do_init_finalize_tls_frame(c);
6fbf66fa
JY		 3220}
3221
3222struct context_buffers *
81d882d5 3223init_context_buffers(const struct frame *frame)
6fbf66fa 3224{
81d882d5 3225 struct context_buffers *b;
6fbf66fa 3226
81d882d5 3227 ALLOC_OBJ_CLEAR(b, struct context_buffers);
6fbf66fa 3228
81d882d5
DS		 3229 b->read_link_buf = alloc_buf(BUF_SIZE(frame));
3230 b->read_tun_buf = alloc_buf(BUF_SIZE(frame));
6fbf66fa 3231
81d882d5 3232 b->aux_buf = alloc_buf(BUF_SIZE(frame));
6fbf66fa 3233
81d882d5
DS		 3234 b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
3235 b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
6fbf66fa 3236
38d96bd7 3237#ifdef USE_COMP
81d882d5
DS		 3238 b->compress_buf = alloc_buf(BUF_SIZE(frame));
3239 b->decompress_buf = alloc_buf(BUF_SIZE(frame));
6fbf66fa
JY		 3240#endif
3241
81d882d5 3242 return b;
6fbf66fa
JY		 3243}
3244
3245void
81d882d5 3246free_context_buffers(struct context_buffers *b)
6fbf66fa 3247{
81d882d5 3248 if (b)
6fbf66fa 3249 {
81d882d5
DS		 3250 free_buf(&b->read_link_buf);
3251 free_buf(&b->read_tun_buf);
3252 free_buf(&b->aux_buf);
6fbf66fa 3253
38d96bd7 3254#ifdef USE_COMP
81d882d5
DS		 3255 free_buf(&b->compress_buf);
3256 free_buf(&b->decompress_buf);
6fbf66fa
JY		 3257#endif
3258
81d882d5
DS		 3259 free_buf(&b->encrypt_buf);
3260 free_buf(&b->decrypt_buf);
6fbf66fa 3261
81d882d5 3262 free(b);
6fbf66fa
JY		 3263 }
3264}
3265
3266/*
3267 * Now that we know all frame parameters, initialize
3268 * our buffers.
3269 */
3270static void
81d882d5 3271do_init_buffers(struct context *c)
6fbf66fa 3272{
81d882d5
DS		 3273 c->c2.buffers = init_context_buffers(&c->c2.frame);
3274 c->c2.buffers_owned = true;
6fbf66fa
JY		 3275}
3276
3277#ifdef ENABLE_FRAGMENT
3278/*
3279 * Fragmenting code has buffers to initialize
3280 * once frame parameters are known.
3281 */
3282static void
81d882d5 3283do_init_fragment(struct context *c)
6fbf66fa 3284{
81d882d5
DS		 3285 ASSERT(c->options.ce.fragment);
3286 frame_set_mtu_dynamic(&c->c2.frame_fragment,
3287 c->options.ce.fragment, SET_MTU_UPPER_BOUND);
3288 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
6fbf66fa
JY		 3289}
3290#endif
3291
6fbf66fa
JY		 3292/*
3293 * Allocate our socket object.
3294 */
3295static void
81d882d5 3296do_link_socket_new(struct context *c)
6fbf66fa 3297{
81d882d5
DS		 3298 ASSERT(!c->c2.link_socket);
3299 c->c2.link_socket = link_socket_new();
3300 c->c2.link_socket_owned = true;
6fbf66fa
JY		 3301}
3302
3303/*
3304 * bind the TCP/UDP socket
3305 */
3306static void
81d882d5 3307do_init_socket_1(struct context *c, const int mode)
6fbf66fa 3308{
81d882d5 3309 unsigned int sockflags = c->options.sockflags;
dc46c067
JY		 3310
3311#if PORT_SHARE
81d882d5
DS		 3312 if (c->options.port_share_host && c->options.port_share_port)
3313 {
3314 sockflags |= SF_PORT_SHARE;
3315 }
3316#endif
3317
3318 link_socket_init_phase1(c->c2.link_socket,
3319 c->options.ce.local,
3320 c->options.ce.local_port,
3321 c->options.ce.remote,
3322 c->options.ce.remote_port,
3323 c->c1.dns_cache,
3324 c->options.ce.proto,
3325 c->options.ce.af,
3326 c->options.ce.bind_ipv6_only,
3327 mode,
3328 c->c2.accept_from,
3329 c->c1.http_proxy,
3330 c->c1.socks_proxy,
6fbf66fa 3331#ifdef ENABLE_DEBUG
81d882d5
DS		 3332 c->options.gremlin,
3333#endif
3334 c->options.ce.bind_local,
3335 c->options.ce.remote_float,
3336 c->options.inetd,
3337 &c->c1.link_socket_addr,
3338 c->options.ipchange,
3339 c->plugins,
3340 c->options.resolve_retry_seconds,
3341 c->options.ce.mtu_discover_type,
3342 c->options.rcvbuf,
3343 c->options.sndbuf,
3344 c->options.mark,
3345 &c->c2.server_poll_interval,
3346 sockflags);
6fbf66fa
JY		 3347}
3348
3349/*
3350 * finalize the TCP/UDP socket
3351 */
3352static void
81d882d5 3353do_init_socket_2(struct context *c)
6fbf66fa 3354{
81d882d5
DS		 3355 link_socket_init_phase2(c->c2.link_socket, &c->c2.frame,
3356 c->sig);
6fbf66fa
JY		 3357}
3358
3359/*
3360 * Print MTU INFO
3361 */
3362static void
81d882d5 3363do_print_data_channel_mtu_parms(struct context *c)
6fbf66fa 3364{
81d882d5 3365 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
6fbf66fa 3366#ifdef ENABLE_FRAGMENT
81d882d5
DS		 3367 if (c->c2.fragment)
3368 {
3369 frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3370 "Fragmentation MTU parms");
3371 }
6fbf66fa
JY		 3372#endif
3373}
3374
3375#ifdef ENABLE_OCC
3376/*
3377 * Get local and remote options compatibility strings.
3378 */
3379static void
81d882d5 3380do_compute_occ_strings(struct context *c)
6fbf66fa 3381{
81d882d5 3382 struct gc_arena gc = gc_new();
6fbf66fa 3383
81d882d5
DS		 3384 c->c2.options_string_local =
3385 options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
3386 c->c2.options_string_remote =
3387 options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
6fbf66fa 3388
81d882d5
DS		 3389 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3390 options_string_version(c->c2.options_string_local, &gc),
3391 c->c2.options_string_local);
3392 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3393 options_string_version(c->c2.options_string_remote, &gc),
3394 c->c2.options_string_remote);
6fbf66fa 3395
81d882d5
DS		 3396 if (c->c2.tls_multi)
3397 {
3398 tls_multi_init_set_options(c->c2.tls_multi,
3399 c->c2.options_string_local,
3400 c->c2.options_string_remote);
3401 }
6fbf66fa 3402
81d882d5 3403 gc_free(&gc);
6fbf66fa 3404}
81d882d5 3405#endif /* ifdef ENABLE_OCC */
6fbf66fa
JY		 3406
3407/*
3408 * These things can only be executed once per program instantiation.
3409 * Set up for possible UID/GID downgrade, but don't do it yet.
3410 * Daemonize if requested.
3411 */
3412static void
81d882d5 3413do_init_first_time(struct context *c)
6fbf66fa 3414{
81d882d5 3415 if (c->first_time && !c->c0)
6fbf66fa 3416 {
81d882d5 3417 struct context_0 *c0;
92bbb061 3418
81d882d5
DS		 3419 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3420 c0 = c->c0;
6fbf66fa 3421
81d882d5
DS		 3422 /* get user and/or group that we want to setuid/setgid to */
3423 c0->uid_gid_specified =
3424 platform_group_get(c->options.groupname, &c0->platform_state_group)
3425 |platform_user_get(c->options.username, &c0->platform_state_user);
6fbf66fa 3426
81d882d5
DS		 3427 /* perform postponed chdir if --daemon */
3428 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3429 {
3430 platform_chdir("/");
3431 }
3432
3433 /* should we change scheduling priority? */
3434 platform_nice(c->options.nice);
6fbf66fa
JY		 3435 }
3436}
3437
3438/*
3439 * If xinetd/inetd mode, don't allow restart.
3440 */
3441static void
81d882d5 3442do_close_check_if_restart_permitted(struct context *c)
6fbf66fa 3443{
81d882d5
DS		 3444 if (c->options.inetd
3445 && (c->sig->signal_received == SIGHUP
3446 || c->sig->signal_received == SIGUSR1))
6fbf66fa 3447 {
81d882d5
DS		 3448 c->sig->signal_received = SIGTERM;
3449 msg(M_INFO,
3450 PACKAGE_NAME
3451 " started by inetd/xinetd cannot restart... Exiting.");
6fbf66fa
JY		 3452 }
3453}
3454
3455/*
3456 * free buffers
3457 */
3458static void
81d882d5 3459do_close_free_buf(struct context *c)
6fbf66fa 3460{
81d882d5 3461 if (c->c2.buffers_owned)
6fbf66fa 3462 {
81d882d5
DS		 3463 free_context_buffers(c->c2.buffers);
3464 c->c2.buffers = NULL;
3465 c->c2.buffers_owned = false;
6fbf66fa
JY		 3466 }
3467}
3468
3469/*
3470 * close TLS
3471 */
3472static void
81d882d5 3473do_close_tls(struct context *c)
6fbf66fa 3474{
81d882d5 3475 if (c->c2.tls_multi)
6fbf66fa 3476 {
81d882d5
DS		 3477 tls_multi_free(c->c2.tls_multi, true);
3478 c->c2.tls_multi = NULL;
6fbf66fa
JY		 3479 }
3480
3481#ifdef ENABLE_OCC
81d882d5
DS		 3482 /* free options compatibility strings */
3483 if (c->c2.options_string_local)
3484 {
3485 free(c->c2.options_string_local);
3486 }
3487 if (c->c2.options_string_remote)
3488 {
3489 free(c->c2.options_string_remote);
3490 }
3491 c->c2.options_string_local = c->c2.options_string_remote = NULL;
6fbf66fa 3492#endif
07036fd3
SK		 3493
3494 if (c->c2.pulled_options_state)
3495 {
3496 md_ctx_cleanup(c->c2.pulled_options_state);
3497 md_ctx_free(c->c2.pulled_options_state);
3498 }
6fbf66fa
JY		 3499}
3500
3501/*
3502 * Free key schedules
3503 */
3504static void
81d882d5 3505do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
6fbf66fa 3506{
5817b49b
AQ		 3507 /*
3508 * always free the tls_auth/crypt key. If persist_key is true, the key will
3509 * be reloaded from memory (pre-cached)
3510 */
3511 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3512 CLEAR(c->c1.ks.tls_wrap_key);
19dffdbd
SK		 3513 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3514 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
5817b49b 3515
81d882d5
DS		 3516 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
3517 {
3518 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3519 }
6fbf66fa
JY		 3520}
3521
3522/*
3523 * Close TCP/UDP connection
3524 */
3525static void
81d882d5 3526do_close_link_socket(struct context *c)
6fbf66fa 3527{
81d882d5 3528 if (c->c2.link_socket && c->c2.link_socket_owned)
6fbf66fa 3529 {
81d882d5
DS		 3530 link_socket_close(c->c2.link_socket);
3531 c->c2.link_socket = NULL;
6fbf66fa
JY		 3532 }
3533
81d882d5
DS		 3534
3535 /* Preserve the resolved list of remote if the user request to or if we want
3536 * reconnect to the same host again or there are still addresses that need
3537 * to be tried */
3538 if (!(c->sig->signal_received == SIGUSR1
3539 && ( (c->options.persist_remote_ip)
3540 ||
3541 ( c->sig->source != SIG_SOURCE_HARD
3542 && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next)
3543 || c->options.no_advance))
3544 )))
23d61c56 3545 {
81d882d5 3546 clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
23d61c56
AS		 3547 }
3548
3549 /* Clear the remote actual address when persist_remote_ip is not in use */
3550 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
81d882d5
DS		 3551 {
3552 CLEAR(c->c1.link_socket_addr.actual);
3553 }
6fbf66fa 3554
81d882d5
DS		 3555 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3556 {
3557 if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3558 {
3559 freeaddrinfo(c->c1.link_socket_addr.bind_local);
3560 }
e719a053 3561
81d882d5
DS		 3562 c->c1.link_socket_addr.bind_local = NULL;
3563 }
6fbf66fa
JY		 3564}
3565
3566/*
3567 * Close packet-id persistance file
3568 */
3569static void
81d882d5 3570do_close_packet_id(struct context *c)
6fbf66fa 3571{
81d882d5
DS		 3572 packet_id_free(&c->c2.crypto_options.packet_id);
3573 packet_id_persist_save(&c->c1.pid_persist);
3574 if (!(c->sig->signal_received == SIGUSR1))
3575 {
3576 packet_id_persist_close(&c->c1.pid_persist);
3577 }
6fbf66fa
JY		 3578}
3579
3580#ifdef ENABLE_FRAGMENT
3581/*
3582 * Close fragmentation handler.
3583 */
3584static void
81d882d5 3585do_close_fragment(struct context *c)
6fbf66fa 3586{
81d882d5 3587 if (c->c2.fragment)
6fbf66fa 3588 {
81d882d5
DS		 3589 fragment_free(c->c2.fragment);
3590 c->c2.fragment = NULL;
6fbf66fa
JY		 3591 }
3592}
3593#endif
3594
3595/*
3596 * Open and close our event objects.
3597 */
3598
3599static void
81d882d5
DS		 3600do_event_set_init(struct context *c,
3601 bool need_us_timeout)
6fbf66fa 3602{
81d882d5 3603 unsigned int flags = 0;
6fbf66fa 3604
81d882d5 3605 c->c2.event_set_max = BASE_N_EVENTS;
6fbf66fa 3606
81d882d5 3607 flags |= EVENT_METHOD_FAST;
6fbf66fa 3608
81d882d5
DS		 3609 if (need_us_timeout)
3610 {
3611 flags |= EVENT_METHOD_US_TIMEOUT;
3612 }
6fbf66fa 3613
81d882d5
DS		 3614 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3615 c->c2.event_set_owned = true;
6fbf66fa
JY		 3616}
3617
3618static void
81d882d5 3619do_close_event_set(struct context *c)
6fbf66fa 3620{
81d882d5 3621 if (c->c2.event_set && c->c2.event_set_owned)
6fbf66fa 3622 {
81d882d5
DS		 3623 event_free(c->c2.event_set);
3624 c->c2.event_set = NULL;
3625 c->c2.event_set_owned = false;
6fbf66fa
JY		 3626 }
3627}
3628
3629/*
3630 * Open and close --status file
3631 */
3632
3633static void
81d882d5 3634do_open_status_output(struct context *c)
6fbf66fa 3635{
81d882d5 3636 if (!c->c1.status_output)
6fbf66fa 3637 {
81d882d5
DS		 3638 c->c1.status_output = status_open(c->options.status_file,
3639 c->options.status_file_update_freq,
3640 -1,
3641 NULL,
3642 STATUS_OUTPUT_WRITE);
3643 c->c1.status_output_owned = true;
6fbf66fa
JY		 3644 }
3645}
3646
3647static void
81d882d5 3648do_close_status_output(struct context *c)
6fbf66fa 3649{
81d882d5 3650 if (!(c->sig->signal_received == SIGUSR1))
6fbf66fa 3651 {
81d882d5
DS		 3652 if (c->c1.status_output_owned && c->c1.status_output)
3653 {
3654 status_close(c->c1.status_output);
3655 c->c1.status_output = NULL;
3656 c->c1.status_output_owned = false;
3657 }
6fbf66fa
JY		 3658 }
3659}
3660
3661/*
3662 * Handle ifconfig-pool persistance object.
3663 */
3664static void
81d882d5 3665do_open_ifconfig_pool_persist(struct context *c)
6fbf66fa
JY		 3666{
3667#if P2MP_SERVER
81d882d5 3668 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
6fbf66fa 3669 {
81d882d5
DS		 3670 c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
3671 c->options.ifconfig_pool_persist_refresh_freq);
3672 c->c1.ifconfig_pool_persist_owned = true;
6fbf66fa
JY		 3673 }
3674#endif
3675}
3676
3677static void
81d882d5 3678do_close_ifconfig_pool_persist(struct context *c)
6fbf66fa
JY		 3679{
3680#if P2MP_SERVER
81d882d5 3681 if (!(c->sig->signal_received == SIGUSR1))
6fbf66fa 3682 {
81d882d5
DS		 3683 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
3684 {
3685 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
3686 c->c1.ifconfig_pool_persist = NULL;
3687 c->c1.ifconfig_pool_persist_owned = false;
3688 }
6fbf66fa
JY		 3689 }
3690#endif
3691}
3692
3693/*
3694 * Inherit environmental variables
3695 */
3696
3697static void
81d882d5 3698do_inherit_env(struct context *c, const struct env_set *src)
6fbf66fa 3699{
81d882d5
DS		 3700 c->c2.es = env_set_create(NULL);
3701 c->c2.es_owned = true;
3702 env_set_inherit(c->c2.es, src);
6fbf66fa
JY		 3703}
3704
2a64816b 3705static void
81d882d5 3706do_env_set_destroy(struct context *c)
2a64816b 3707{
81d882d5 3708 if (c->c2.es && c->c2.es_owned)
2a64816b 3709 {
81d882d5
DS		 3710 env_set_destroy(c->c2.es);
3711 c->c2.es = NULL;
3712 c->c2.es_owned = false;
2a64816b
JY		 3713 }
3714}
3715
6fbf66fa
JY		 3716/*
3717 * Fast I/O setup. Fast I/O is an optimization which only works
3718 * if all of the following are true:
3719 *
3720 * (1) The platform is not Windows
3721 * (2) --proto udp is enabled
3722 * (3) --shaper is disabled
3723 */
3724static void
81d882d5 3725do_setup_fast_io(struct context *c)
6fbf66fa 3726{
81d882d5 3727 if (c->options.fast_io)
6fbf66fa 3728 {
445b192a 3729#ifdef _WIN32
81d882d5 3730 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
6fbf66fa 3731#else
81d882d5
DS		 3732 if (!proto_is_udp(c->options.ce.proto))
3733 {
3734 msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3735 }
3736 else
3737 {
3d163bc5 3738#ifdef ENABLE_FEATURE_SHAPER
81d882d5
DS		 3739 if (c->options.shaper)
3740 {
3741 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3742 }
3743 else
0475d17e 3744#endif
81d882d5
DS		 3745 {
3746 c->c2.fast_io = true;
3747 }
3748 }
6fbf66fa
JY		 3749#endif
3750 }
3751}
3752
3753static void
81d882d5 3754do_signal_on_tls_errors(struct context *c)
6fbf66fa 3755{
81d882d5
DS		 3756 if (c->options.tls_exit)
3757 {
3758 c->c2.tls_exit_signal = SIGTERM;
3759 }
3760 else
3761 {
3762 c->c2.tls_exit_signal = SIGUSR1;
3763 }
6fbf66fa
JY		 3764}
3765
3c7f2f55 3766#ifdef ENABLE_PLUGIN
6fbf66fa 3767
3c7f2f55 3768void
81d882d5 3769init_plugins(struct context *c)
6fbf66fa 3770{
81d882d5 3771 if (c->options.plugin_list && !c->plugins)
e1791bb1 3772 {
81d882d5
DS		 3773 c->plugins = plugin_list_init(c->options.plugin_list);
3774 c->plugins_owned = true;
e1791bb1
JY		 3775 }
3776}
3777
3778void
81d882d5
DS		 3779open_plugins(struct context *c, const bool import_options, int init_point)
3780{
3781 if (c->plugins && c->plugins_owned)
3782 {
3783 if (import_options)
3784 {
3785 struct plugin_return pr, config;
3786 plugin_return_init(&pr);
3787 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3788 plugin_return_get_column(&pr, &config, "config");
3789 if (plugin_return_defined(&config))
3790 {
3791 int i;
3792 for (i = 0; i < config.n; ++i)
3793 {
3794 unsigned int option_types_found = 0;
3795 if (config.list[i] && config.list[i]->value)
3796 {
3797 options_string_import(&c->options,
3798 config.list[i]->value,
3799 D_IMPORT_ERRORS|M_OPTERR,
3800 OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3801 &option_types_found,
3802 c->es);
3803 }
3804 }
3805 }
3806 plugin_return_free(&pr);
3807 }
3808 else
3809 {
3810 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3811 }
6fbf66fa 3812 }
6fbf66fa
JY		 3813}
3814
3815static void
81d882d5 3816do_close_plugins(struct context *c)
6fbf66fa 3817{
81d882d5 3818 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
6fbf66fa 3819 {
81d882d5
DS		 3820 plugin_list_close(c->plugins);
3821 c->plugins = NULL;
3822 c->plugins_owned = false;
6fbf66fa 3823 }
6fbf66fa
JY		 3824}
3825
3c7f2f55 3826static void
81d882d5 3827do_inherit_plugins(struct context *c, const struct context *src)
3c7f2f55 3828{
81d882d5 3829 if (!c->plugins && src->plugins)
3c7f2f55 3830 {
81d882d5
DS		 3831 c->plugins = plugin_list_inherit(src->plugins);
3832 c->plugins_owned = true;
3c7f2f55
JY		 3833 }
3834}
3835
81d882d5 3836#endif /* ifdef ENABLE_PLUGIN */
3c7f2f55 3837
6fbf66fa
JY		 3838#ifdef ENABLE_MANAGEMENT
3839
3840static void
81d882d5 3841management_callback_status_p2p(void *arg, const int version, struct status_output *so)
6fbf66fa 3842{
81d882d5
DS		 3843 struct context *c = (struct context *) arg;
3844 print_status(c, so);
6fbf66fa
JY		 3845}
3846
3847void
81d882d5 3848management_show_net_callback(void *arg, const int msglevel)
6fbf66fa 3849{
445b192a 3850#ifdef _WIN32
81d882d5
DS		 3851 show_routes(msglevel);
3852 show_adapters(msglevel);
3853 msg(msglevel, "END");
6fbf66fa 3854#else
81d882d5 3855 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
6fbf66fa
JY		 3856#endif
3857}
3858
30003978
AS		 3859#ifdef TARGET_ANDROID
3860int
81d882d5 3861management_callback_network_change(void *arg, bool samenetwork)
30003978
AS		 3862{
3863 /* Check if the client should translate the network change to a SIGUSR1 to
81d882d5
DS		 3864 * reestablish the connection or just reprotect the socket
3865 *
3866 * At the moment just assume that, for all settings that use pull (not
3867 * --static) and are not using peer-id reestablishing the connection is
3868 * required (unless the network is the same)
3869 *
3870 * The function returns -1 on invalid fd and -2 if the socket cannot be
3871 * reused. On the -2 return value the man_network_change function triggers
3872 * a SIGUSR1 to force a reconnect.
3873 */
3874
3875 int socketfd = -1;
3876 struct context *c = (struct context *) arg;
3877 if (!c->c2.link_socket)
3878 {
3879 return -1;
3880 }
3881 if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
3882 {
3883 return -1;
3884 }
30003978 3885
81d882d5
DS		 3886 socketfd = c->c2.link_socket->sd;
3887 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
3888 {
3889 return socketfd;
3890 }
3891 else
3892 {
3893 return -2;
3894 }
30003978 3895}
81d882d5 3896#endif /* ifdef TARGET_ANDROID */
30003978 3897
81d882d5 3898#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 3899
3900void
81d882d5 3901init_management_callback_p2p(struct context *c)
6fbf66fa
JY		 3902{
3903#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 3904 if (management)
3905 {
3906 struct management_callback cb;
3907 CLEAR(cb);
3908 cb.arg = c;
3909 cb.status = management_callback_status_p2p;
3910 cb.show_net = management_show_net_callback;
3911 cb.proxy_cmd = management_callback_proxy_cmd;
3912 cb.remote_cmd = management_callback_remote_cmd;
30003978 3913#ifdef TARGET_ANDROID
81d882d5 3914 cb.network_change = management_callback_network_change;
30003978 3915#endif
81d882d5 3916 management_set_callback(management, &cb);
6fbf66fa
JY		 3917 }
3918#endif
3919}
3920
3921#ifdef ENABLE_MANAGEMENT
3922
3923void
81d882d5 3924init_management(struct context *c)
6fbf66fa 3925{
81d882d5
DS		 3926 if (!management)
3927 {
3928 management = management_init();
3929 }
6fbf66fa
JY		 3930}
3931
3932bool
81d882d5
DS		 3933open_management(struct context *c)
3934{
3935 /* initialize management layer */
3936 if (management)
3937 {
3938 if (c->options.management_addr)
3939 {
3940 unsigned int flags = c->options.management_flags;
3941 if (c->options.mode == MODE_SERVER)
3942 {
3943 flags |= MF_SERVER;
3944 }
3945 if (management_open(management,
3946 c->options.management_addr,
3947 c->options.management_port,
3948 c->options.management_user_pass,
3949 c->options.management_client_user,
3950 c->options.management_client_group,
3951 c->options.management_log_history_cache,
3952 c->options.management_echo_buffer_size,
3953 c->options.management_state_buffer_size,
3954 c->options.management_write_peer_info_file,
3955 c->options.remap_sigusr1,
3956 flags))
3957 {
3958 management_set_state(management,
3959 OPENVPN_STATE_CONNECTING,
3960 NULL,
3961 NULL,
3962 NULL,
3963 NULL,
3964 NULL);
3965 }
3966
3967 /* initial management hold, called early, before first context initialization */
3968 do_hold(0);
3969 if (IS_SIG(c))
3970 {
3971 msg(M_WARN, "Signal received from management interface, exiting");
3972 return false;
3973 }
3974 }
3975 else
3976 {
3977 close_management();
3978 }
3979 }
3980 return true;
6fbf66fa
JY		 3981}
3982
3983void
81d882d5 3984close_management(void)
6fbf66fa 3985{
81d882d5 3986 if (management)
6fbf66fa 3987 {
81d882d5
DS		 3988 management_close(management);
3989 management = NULL;
6fbf66fa
JY		 3990 }
3991}
3992
81d882d5 3993#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 3994
3995
3996void
81d882d5 3997uninit_management_callback(void)
6fbf66fa
JY		 3998{
3999#ifdef ENABLE_MANAGEMENT
81d882d5 4000 if (management)
6fbf66fa 4001 {
81d882d5 4002 management_clear_callback(management);
6fbf66fa
JY		 4003 }
4004#endif
4005}
4006
4007/*
4008 * Initialize a tunnel instance, handle pre and post-init
4009 * signal settings.
4010 */
4011void
81d882d5 4012init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
6fbf66fa 4013{
81d882d5
DS		 4014 pre_init_signal_catch();
4015 init_instance(c, env, flags);
4016 post_init_signal_catch();
4017
4018 /*
4019 * This is done so that signals thrown during
4020 * initialization can bring us back to
4021 * a management hold.
4022 */
4023 if (IS_SIG(c))
d5badcf1 4024 {
81d882d5
DS		 4025 remap_signal(c);
4026 uninit_management_callback();
d5badcf1 4027 }
6fbf66fa
JY		 4028}
4029
4030/*
4031 * Initialize a tunnel instance.
4032 */
4033void
81d882d5 4034init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
6fbf66fa 4035{
81d882d5
DS		 4036 const struct options *options = &c->options;
4037 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4038 int link_socket_mode = LS_MODE_DEFAULT;
6fbf66fa 4039
81d882d5
DS		 4040 /* init garbage collection level */
4041 gc_init(&c->c2.gc);
6fbf66fa 4042
81d882d5
DS		 4043 /* inherit environmental variables */
4044 if (env)
4045 {
4046 do_inherit_env(c, env);
4047 }
ac1c2f25 4048
81d882d5
DS		 4049 /* signals caught here will abort */
4050 c->sig->signal_received = 0;
4051 c->sig->signal_text = NULL;
4052 c->sig->source = SIG_SOURCE_SOFT;
6fbf66fa 4053
81d882d5
DS		 4054 if (c->mode == CM_P2P)
4055 {
4056 init_management_callback_p2p(c);
4057 }
3cf6c932 4058
81d882d5
DS		 4059 /* possible sleep or management hold if restart */
4060 if (c->mode == CM_P2P || c->mode == CM_TOP)
3cf6c932 4061 {
81d882d5
DS		 4062 do_startup_pause(c);
4063 if (IS_SIG(c))
4064 {
4065 goto sig;
4066 }
3cf6c932
JY		 4067 }
4068
81d882d5 4069 if (c->options.resolve_in_advance)
e719a053 4070 {
81d882d5
DS		 4071 do_preresolve(c);
4072 if (IS_SIG(c))
4073 {
4074 goto sig;
4075 }
e719a053
AS		 4076 }
4077
81d882d5
DS		 4078 /* map in current connection entry */
4079 next_connection_entry(c);
4e9a51d7 4080
81d882d5
DS		 4081 /* link_socket_mode allows CM_CHILD_TCP
4082 * instances to inherit acceptable fds
4083 * from a top-level parent */
4084 if (c->options.ce.proto == PROTO_TCP_SERVER)
6fbf66fa 4085 {
81d882d5
DS		 4086 if (c->mode == CM_TOP)
4087 {
4088 link_socket_mode = LS_MODE_TCP_LISTEN;
4089 }
4090 else if (c->mode == CM_CHILD_TCP)
4091 {
4092 link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4093 }
6fbf66fa
JY		 4094 }
4095
81d882d5
DS		 4096 /* should we disable paging? */
4097 if (c->first_time && options->mlock)
4098 {
4099 platform_mlockall(true);
4100 }
6fbf66fa 4101
92bbb061 4102#if P2MP
81d882d5
DS		 4103 /* get passwords if undefined */
4104 if (auth_retry_get() == AR_INTERACT)
4105 {
4106 init_query_passwords(c);
4107 }
92bbb061
JY		 4108#endif
4109
81d882d5
DS		 4110 /* initialize context level 2 --verb/--mute parms */
4111 init_verb_mute(c, IVM_LEVEL_2);
4112
4113 /* set error message delay for non-server modes */
4114 if (c->mode == CM_P2P)
4115 {
4116 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4117 }
6fbf66fa 4118
81d882d5
DS		 4119 /* warn about inconsistent options */
4120 if (c->mode == CM_P2P || c->mode == CM_TOP)
4121 {
4122 do_option_warnings(c);
4123 }
6fbf66fa 4124
3c7f2f55 4125#ifdef ENABLE_PLUGIN
81d882d5
DS		 4126 /* initialize plugins */
4127 if (c->mode == CM_P2P || c->mode == CM_TOP)
4128 {
4129 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4130 }
3c7f2f55 4131#endif
6fbf66fa 4132
81d882d5
DS		 4133 /* should we enable fast I/O? */
4134 if (c->mode == CM_P2P || c->mode == CM_TOP)
4135 {
4136 do_setup_fast_io(c);
4137 }
6fbf66fa 4138
81d882d5
DS		 4139 /* should we throw a signal on TLS errors? */
4140 do_signal_on_tls_errors(c);
6fbf66fa 4141
81d882d5
DS		 4142 /* open --status file */
4143 if (c->mode == CM_P2P || c->mode == CM_TOP)
4144 {
4145 do_open_status_output(c);
4146 }
6fbf66fa 4147
81d882d5
DS		 4148 /* open --ifconfig-pool-persist file */
4149 if (c->mode == CM_TOP)
4150 {
4151 do_open_ifconfig_pool_persist(c);
4152 }
6fbf66fa
JY		 4153
4154#ifdef ENABLE_OCC
81d882d5
DS		 4155 /* reset OCC state */
4156 if (c->mode == CM_P2P || child)
4157 {
4158 c->c2.occ_op = occ_reset_op();
4159 }
6fbf66fa
JY		 4160#endif
4161
81d882d5
DS		 4162 /* our wait-for-i/o objects, different for posix vs. win32 */
4163 if (c->mode == CM_P2P)
4164 {
4165 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4166 }
4167 else if (c->mode == CM_CHILD_TCP)
4168 {
4169 do_event_set_init(c, false);
4170 }
6fbf66fa 4171
81d882d5
DS		 4172 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4173 init_proxy(c);
4e9a51d7 4174
81d882d5
DS		 4175 /* allocate our socket object */
4176 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4177 {
4178 do_link_socket_new(c);
4179 }
6fbf66fa
JY		 4180
4181#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4182 /* initialize internal fragmentation object */
4183 if (options->ce.fragment && (c->mode == CM_P2P || child))
4184 {
4185 c->c2.fragment = fragment_init(&c->c2.frame);
4186 }
6fbf66fa
JY		 4187#endif
4188
81d882d5
DS		 4189 /* init crypto layer */
4190 {
4191 unsigned int crypto_flags = 0;
4192 if (c->mode == CM_TOP)
4193 {
4194 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4195 }
4196 else if (c->mode == CM_P2P)
4197 {
4198 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4199 }
4200 else if (child)
4201 {
4202 crypto_flags = CF_INIT_TLS_MULTI;
4203 }
4204 do_init_crypto(c, crypto_flags);
4205 if (IS_SIG(c) && !child)
4206 {
4207 goto sig;
4208 }
4209 }
6fbf66fa 4210
38d96bd7 4211#ifdef USE_COMP
81d882d5
DS		 4212 /* initialize compression library. */
4213 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4214 {
4215 c->c2.comp_context = comp_init(&options->comp);
4216 }
6fbf66fa
JY		 4217#endif
4218
81d882d5
DS		 4219 /* initialize MTU variables */
4220 do_init_frame(c);
6fbf66fa 4221
81d882d5
DS		 4222 /* initialize TLS MTU variables */
4223 do_init_frame_tls(c);
6fbf66fa 4224
81d882d5
DS		 4225 /* init workspace buffers whose size is derived from frame size */
4226 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4227 {
4228 do_init_buffers(c);
4229 }
6fbf66fa
JY		 4230
4231#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4232 /* initialize internal fragmentation capability with known frame size */
4233 if (options->ce.fragment && (c->mode == CM_P2P || child))
4234 {
4235 do_init_fragment(c);
4236 }
6fbf66fa
JY		 4237#endif
4238
81d882d5
DS		 4239 /* initialize dynamic MTU variable */
4240 frame_init_mssfix(&c->c2.frame, &c->options);
6fbf66fa 4241
81d882d5
DS		 4242 /* bind the TCP/UDP socket */
4243 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4244 {
4245 do_init_socket_1(c, link_socket_mode);
4246 }
6fbf66fa 4247
81d882d5
DS		 4248 /* initialize tun/tap device object,
4249 * open tun/tap device, ifconfig, run up script, etc. */
4250 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4251 {
4252 c->c2.did_open_tun = do_open_tun(c);
4253 }
6fbf66fa 4254
9900e023
SK		 4255 c->c2.frame_initial = c->c2.frame;
4256
81d882d5
DS		 4257 /* print MTU info */
4258 do_print_data_channel_mtu_parms(c);
6fbf66fa
JY		 4259
4260#ifdef ENABLE_OCC
81d882d5
DS		 4261 /* get local and remote options compatibility strings */
4262 if (c->mode == CM_P2P || child)
4263 {
4264 do_compute_occ_strings(c);
4265 }
6fbf66fa
JY		 4266#endif
4267
81d882d5
DS		 4268 /* initialize output speed limiter */
4269 if (c->mode == CM_P2P)
4270 {
4271 do_init_traffic_shaper(c);
4272 }
6fbf66fa 4273
81d882d5
DS		 4274 /* do one-time inits, and possibily become a daemon here */
4275 do_init_first_time(c);
6fbf66fa 4276
e1791bb1 4277#ifdef ENABLE_PLUGIN
81d882d5
DS		 4278 /* initialize plugins */
4279 if (c->mode == CM_P2P || c->mode == CM_TOP)
4280 {
4281 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4282 }
e1791bb1
JY		 4283#endif
4284
81d882d5
DS		 4285 /* initialise connect timeout timer */
4286 do_init_server_poll_timeout(c);
4db06290 4287
81d882d5
DS		 4288 /* finalize the TCP/UDP socket */
4289 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4290 {
4291 do_init_socket_2(c);
4292 }
b3e97582 4293
81d882d5
DS		 4294 /*
4295 * Actually do UID/GID downgrade, and chroot, if requested.
4296 * May be delayed by --client, --pull, or --up-delay.
4297 */
4298 do_uid_gid_chroot(c, c->c2.did_open_tun);
6fbf66fa 4299
81d882d5
DS		 4300 /* initialize timers */
4301 if (c->mode == CM_P2P || child)
4302 {
4303 do_init_timers(c, false);
4304 }
6fbf66fa 4305
e1791bb1 4306#ifdef ENABLE_PLUGIN
81d882d5
DS		 4307 /* initialize plugins */
4308 if (c->mode == CM_P2P || c->mode == CM_TOP)
4309 {
4310 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4311 }
e1791bb1
JY		 4312#endif
4313
6add6b2f 4314#if PORT_SHARE
81d882d5
DS		 4315 /* share OpenVPN port with foreign (such as HTTPS) server */
4316 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4317 {
4318 init_port_share(c);
4319 }
6add6b2f 4320#endif
81d882d5 4321
47ae8457 4322#ifdef ENABLE_PF
81d882d5
DS		 4323 if (child)
4324 {
4325 pf_init_context(c);
4326 }
47ae8457
JY		 4327#endif
4328
81d882d5
DS		 4329 /* Check for signals */
4330 if (IS_SIG(c))
4331 {
4332 goto sig;
4333 }
6fbf66fa 4334
81d882d5 4335 return;
6fbf66fa 4336
81d882d5
DS		 4337sig:
4338 if (!c->sig->signal_text)
4339 {
4340 c->sig->signal_text = "init_instance";
4341 }
4342 close_context(c, -1, flags);
4343 return;
6fbf66fa
JY		 4344}
4345
4346/*
4347 * Close a tunnel instance.
4348 */
4349void
81d882d5 4350close_instance(struct context *c)
6fbf66fa 4351{
81d882d5
DS		 4352 /* close event objects */
4353 do_close_event_set(c);
6fbf66fa
JY		 4354
4355 if (c->mode == CM_P2P
81d882d5
DS		 4356 || c->mode == CM_CHILD_TCP
4357 || c->mode == CM_CHILD_UDP
4358 || c->mode == CM_TOP)
4359 {
4360 /* if xinetd/inetd mode, don't allow restart */
4361 do_close_check_if_restart_permitted(c);
6fbf66fa 4362
38d96bd7 4363#ifdef USE_COMP
81d882d5
DS		 4364 if (c->c2.comp_context)
4365 {
4366 comp_uninit(c->c2.comp_context);
4367 c->c2.comp_context = NULL;
4368 }
6fbf66fa
JY		 4369#endif
4370
81d882d5
DS		 4371 /* free buffers */
4372 do_close_free_buf(c);
6fbf66fa 4373
81d882d5
DS		 4374 /* close TLS */
4375 do_close_tls(c);
6fbf66fa 4376
81d882d5
DS		 4377 /* free key schedules */
4378 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
6fbf66fa 4379
39326238 4380 restore_ncp_options(c);
5fa25eeb 4381
81d882d5
DS		 4382 /* close TCP/UDP connection */
4383 do_close_link_socket(c);
6fbf66fa 4384
81d882d5
DS		 4385 /* close TUN/TAP device */
4386 do_close_tun(c, false);
6fbf66fa 4387
90efcacb 4388#ifdef MANAGEMENT_DEF_AUTH
81d882d5
DS		 4389 if (management)
4390 {
4391 management_notify_client_close(management, &c->c2.mda_context, NULL);
4392 }
90efcacb
JY		 4393#endif
4394
47ae8457 4395#ifdef ENABLE_PF
81d882d5 4396 pf_destroy_context(&c->c2.pf);
47ae8457
JY		 4397#endif
4398
3c7f2f55 4399#ifdef ENABLE_PLUGIN
81d882d5
DS		 4400 /* call plugin close functions and unload */
4401 do_close_plugins(c);
3c7f2f55 4402#endif
6fbf66fa 4403
81d882d5
DS		 4404 /* close packet-id persistance file */
4405 do_close_packet_id(c);
6fbf66fa 4406
81d882d5
DS		 4407 /* close --status file */
4408 do_close_status_output(c);
6fbf66fa
JY		 4409
4410#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4411 /* close fragmentation handler */
4412 do_close_fragment(c);
6fbf66fa
JY		 4413#endif
4414
81d882d5
DS		 4415 /* close --ifconfig-pool-persist obj */
4416 do_close_ifconfig_pool_persist(c);
6fbf66fa 4417
81d882d5
DS		 4418 /* free up environmental variable store */
4419 do_env_set_destroy(c);
2a64816b 4420
81d882d5
DS		 4421 /* close HTTP or SOCKS proxy */
4422 uninit_proxy(c);
4e9a51d7 4423
81d882d5
DS		 4424 /* garbage collect */
4425 gc_free(&c->c2.gc);
4426 }
6fbf66fa
JY		 4427}
4428
4429void
81d882d5
DS		 4430inherit_context_child(struct context *dest,
4431 const struct context *src)
6fbf66fa 4432{
81d882d5 4433 CLEAR(*dest);
6fbf66fa 4434
81d882d5
DS		 4435 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4436 dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
6fbf66fa 4437
81d882d5 4438 dest->gc = gc_new();
6fbf66fa 4439
81d882d5 4440 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
6fbf66fa 4441
81d882d5
DS		 4442 /* c1 init */
4443 packet_id_persist_init(&dest->c1.pid_persist);
6fbf66fa 4444
81d882d5
DS		 4445 dest->c1.ks.key_type = src->c1.ks.key_type;
4446 /* inherit SSL context */
4447 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4448 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4449 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
19dffdbd 4450 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
81d882d5
DS		 4451 /* inherit pre-NCP ciphers */
4452 dest->c1.ciphername = src->c1.ciphername;
4453 dest->c1.authname = src->c1.authname;
4454 dest->c1.keysize = src->c1.keysize;
81d882d5
DS		 4455
4456 /* options */
4457 dest->options = src->options;
4458 options_detach(&dest->options);
4459
4460 if (dest->mode == CM_CHILD_TCP)
6fbf66fa 4461 {
81d882d5
DS		 4462 /*
4463 * The CM_TOP context does the socket listen(),
4464 * and the CM_CHILD_TCP context does the accept().
4465 */
4466 dest->c2.accept_from = src->c2.link_socket;
6fbf66fa
JY		 4467 }
4468
3c7f2f55 4469#ifdef ENABLE_PLUGIN
81d882d5
DS		 4470 /* inherit plugins */
4471 do_inherit_plugins(dest, src);
3c7f2f55 4472#endif
6fbf66fa 4473
81d882d5
DS		 4474 /* context init */
4475 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4476 if (IS_SIG(dest))
4477 {
4478 return;
4479 }
6fbf66fa 4480
81d882d5
DS		 4481 /* inherit tun/tap interface object */
4482 dest->c1.tuntap = src->c1.tuntap;
6fbf66fa 4483
81d882d5
DS		 4484 /* UDP inherits some extra things which TCP does not */
4485 if (dest->mode == CM_CHILD_UDP)
6fbf66fa 4486 {
81d882d5
DS		 4487 /* inherit buffers */
4488 dest->c2.buffers = src->c2.buffers;
6fbf66fa 4489
81d882d5
DS		 4490 /* inherit parent link_socket and tuntap */
4491 dest->c2.link_socket = src->c2.link_socket;
6fbf66fa 4492
81d882d5
DS		 4493 ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4494 *dest->c2.link_socket_info = src->c2.link_socket->info;
6fbf66fa 4495
81d882d5
DS		 4496 /* locally override some link_socket_info fields */
4497 dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4498 dest->c2.link_socket_info->connection_established = false;
6fbf66fa
JY		 4499 }
4500}
4501
4502void
81d882d5
DS		 4503inherit_context_top(struct context *dest,
4504 const struct context *src)
6fbf66fa 4505{
81d882d5
DS		 4506 /* copy parent */
4507 *dest = *src;
6fbf66fa 4508
81d882d5
DS		 4509 /*
4510 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4511 * resources owned by the parent.
4512 *
4513 * Also note that CM_TOP_CLONE context objects are
4514 * closed by multi_top_free in multi.c.
4515 */
4516 dest->mode = CM_TOP_CLONE;
6fbf66fa 4517
81d882d5
DS		 4518 dest->first_time = false;
4519 dest->c0 = NULL;
6fbf66fa 4520
81d882d5
DS		 4521 options_detach(&dest->options);
4522 gc_detach(&dest->gc);
4523 gc_detach(&dest->c2.gc);
6fbf66fa 4524
81d882d5
DS		 4525 /* detach plugins */
4526 dest->plugins_owned = false;
3c7f2f55 4527
81d882d5 4528 dest->c2.tls_multi = NULL;
6fbf66fa 4529
81d882d5
DS		 4530 /* detach c1 ownership */
4531 dest->c1.tuntap_owned = false;
4532 dest->c1.status_output_owned = false;
6fbf66fa 4533#if P2MP_SERVER
81d882d5 4534 dest->c1.ifconfig_pool_persist_owned = false;
6fbf66fa 4535#endif
3c7f2f55 4536
81d882d5
DS		 4537 /* detach c2 ownership */
4538 dest->c2.event_set_owned = false;
4539 dest->c2.link_socket_owned = false;
4540 dest->c2.buffers_owned = false;
4541 dest->c2.es_owned = false;
6fbf66fa 4542
81d882d5
DS		 4543 dest->c2.event_set = NULL;
4544 if (proto_is_dgram(src->options.ce.proto))
4545 {
4546 do_event_set_init(dest, false);
4547 }
38d96bd7
JY		 4548
4549#ifdef USE_COMP
81d882d5 4550 dest->c2.comp_context = NULL;
38d96bd7 4551#endif
6fbf66fa
JY		 4552}
4553
4554void
81d882d5 4555close_context(struct context *c, int sig, unsigned int flags)
6fbf66fa 4556{
81d882d5
DS		 4557 ASSERT(c);
4558 ASSERT(c->sig);
79df31c8 4559
81d882d5
DS		 4560 if (sig >= 0)
4561 {
4562 c->sig->signal_received = sig;
4563 }
6fbf66fa 4564
81d882d5 4565 if (c->sig->signal_received == SIGUSR1)
6fbf66fa 4566 {
81d882d5
DS		 4567 if ((flags & CC_USR1_TO_HUP)
4568 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
c058cbff 4569 {
81d882d5
DS		 4570 c->sig->signal_received = SIGHUP;
4571 c->sig->signal_text = "close_context usr1 to hup";
c058cbff 4572 }
6fbf66fa
JY		 4573 }
4574
81d882d5
DS		 4575 if (!(flags & CC_NO_CLOSE))
4576 {
4577 close_instance(c);
4578 }
6fbf66fa 4579
81d882d5
DS		 4580 if (flags & CC_GC_FREE)
4581 {
4582 context_gc_free(c);
4583 }
6fbf66fa
JY		 4584}
4585
6fbf66fa
JY		 4586/*
4587 * Do a loopback test
4588 * on the crypto subsystem.
4589 */
4590static void *
81d882d5 4591test_crypto_thread(void *arg)
6fbf66fa 4592{
81d882d5
DS		 4593 struct context *c = (struct context *) arg;
4594 const struct options *options = &c->options;
6fbf66fa 4595
81d882d5
DS		 4596 ASSERT(options->test_crypto);
4597 init_verb_mute(c, IVM_LEVEL_1);
4598 context_init_1(c);
4599 next_connection_entry(c);
4600 do_init_crypto_static(c, 0);
6fbf66fa 4601
81d882d5 4602 frame_finalize_options(c, options);
6fbf66fa 4603
81d882d5 4604 test_crypto(&c->c2.crypto_options, &c->c2.frame);
6fbf66fa 4605
81d882d5
DS		 4606 key_schedule_free(&c->c1.ks, true);
4607 packet_id_free(&c->c2.crypto_options.packet_id);
6fbf66fa 4608
81d882d5
DS		 4609 context_gc_free(c);
4610 return NULL;
6fbf66fa
JY		 4611}
4612
6fbf66fa 4613bool
81d882d5 4614do_test_crypto(const struct options *o)
6fbf66fa 4615{
81d882d5 4616 if (o->test_crypto)
6fbf66fa 4617 {
81d882d5 4618 struct context c;
6fbf66fa 4619
81d882d5
DS		 4620 /* print version number */
4621 msg(M_INFO, "%s", title_string);
6fbf66fa 4622
81d882d5
DS		 4623 context_clear(&c);
4624 c.options = *o;
4625 options_detach(&c.options);
4626 c.first_time = true;
4627 test_crypto_thread((void *) &c);
4628 return true;
6fbf66fa 4629 }
81d882d5 4630 return false;
6fbf66fa 4631}
Mirror of https://github.com/OpenVPN/openvpn.git