]> git.ipfire.org Git - thirdparty/openvpn.git/blame - src/openvpn/init.c
projects / thirdparty / openvpn.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update Copyright statements to 2024
[thirdparty/openvpn.git] / src / openvpn / init.c
CommitLineData
6fbf66fa
JY		 1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
b25c6d7e 8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
6fbf66fa
JY		 9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
caa54ac3
DS		 19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
6fbf66fa
JY		 22 */
23
c110b289
ABL		 24#ifdef HAVE_CONFIG_H
25#include "config.h"
c110b289
ABL		 26#endif
27
6fbf66fa
JY		 28#include "syshead.h"
29
c5931897
CH		 30#ifdef ENABLE_SYSTEMD
31#include <systemd/sd-daemon.h>
32#endif
33
6fbf66fa
JY		 34#include "win32.h"
35#include "init.h"
bf97c00f 36#include "run_command.h"
6fbf66fa
JY		 37#include "sig.h"
38#include "occ.h"
39#include "list.h"
40#include "otime.h"
41#include "pool.h"
42#include "gremlin.h"
a54f37d8 43#include "occ.h"
ce98fd24 44#include "pkcs11.h"
6add6b2f 45#include "ps.h"
e12fe286 46#include "lladdr.h"
e7a65dfb 47#include "ping.h"
ffea644c 48#include "mstats.h"
63dc03d0 49#include "ssl_verify.h"
1828f9c1 50#include "ssl_ncp.h"
c6e24fa3 51#include "tls_crypt.h"
a54f37d8 52#include "forward.h"
1b9a88a2 53#include "auth_token.h"
d4458eed 54#include "mss.h"
b3647114 55#include "mudp.h"
a2d851d4 56#include "dco.h"
6fbf66fa
JY		 57
58#include "memdbg.h"
59
6fbf66fa 60
0c9eb1d3 61static struct context *static_context; /* GLOBAL */
008ec688 62static const char *saved_pid_file_name; /* GLOBAL */
0c9eb1d3 63
6fbf66fa
JY		 64/*
65 * Crypto initialization flags
66 */
67#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
68#define CF_INIT_TLS_MULTI (1<<1)
69#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
70
81d882d5 71static void do_init_first_time(struct context *c);
7d48d31b 72
8c72d798 73static bool do_deferred_p2p_ncp(struct context *c);
6fbf66fa
JY		 74
75void
81d882d5 76context_clear(struct context *c)
6fbf66fa 77{
81d882d5 78 CLEAR(*c);
6fbf66fa
JY		 79}
80
81void
81d882d5 82context_clear_1(struct context *c)
6fbf66fa 83{
81d882d5 84 CLEAR(c->c1);
6fbf66fa
JY		 85}
86
87void
81d882d5 88context_clear_2(struct context *c)
6fbf66fa 89{
81d882d5 90 CLEAR(c->c2);
6fbf66fa
JY		 91}
92
93void
81d882d5 94context_clear_all_except_first_time(struct context *c)
6fbf66fa 95{
81d882d5
DS		 96 const bool first_time_save = c->first_time;
97 const struct context_persist cpsave = c->persist;
98 context_clear(c);
99 c->first_time = first_time_save;
100 c->persist = cpsave;
6fbf66fa
JY		 101}
102
4a9d1d70
SK		 103/*
104 * Pass tunnel endpoint and MTU parms to a user-supplied script.
105 * Used to execute the up/down script/plugins.
106 */
107static void
108run_up_down(const char *command,
109 const struct plugin_list *plugins,
110 int plugin_type,
111 const char *arg,
112#ifdef _WIN32
113 DWORD adapter_index,
114#endif
115 const char *dev_type,
116 int tun_mtu,
4a9d1d70
SK		 117 const char *ifconfig_local,
118 const char *ifconfig_remote,
119 const char *context,
120 const char *signal_text,
121 const char *script_type,
122 struct env_set *es)
123{
124 struct gc_arena gc = gc_new();
125
126 if (signal_text)
127 {
128 setenv_str(es, "signal", signal_text);
129 }
130 setenv_str(es, "script_context", context);
131 setenv_int(es, "tun_mtu", tun_mtu);
4a9d1d70
SK		 132 setenv_str(es, "dev", arg);
133 if (dev_type)
134 {
135 setenv_str(es, "dev_type", dev_type);
136 }
137#ifdef _WIN32
138 setenv_int(es, "dev_idx", adapter_index);
139#endif
140
141 if (!ifconfig_local)
142 {
143 ifconfig_local = "";
144 }
145 if (!ifconfig_remote)
146 {
147 ifconfig_remote = "";
148 }
149 if (!context)
150 {
151 context = "";
152 }
153
154 if (plugin_defined(plugins, plugin_type))
155 {
156 struct argv argv = argv_new();
157 ASSERT(arg);
158 argv_printf(&argv,
3780ce0e
AS		 159 "%s %d 0 %s %s %s",
160 arg, tun_mtu, ifconfig_local, ifconfig_remote, context);
4a9d1d70
SK		 161
162 if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
163 {
164 msg(M_FATAL, "ERROR: up/down plugin call failed");
165 }
166
870e2405 167 argv_free(&argv);
4a9d1d70
SK		 168 }
169
170 if (command)
171 {
172 struct argv argv = argv_new();
173 ASSERT(arg);
174 setenv_str(es, "script_type", script_type);
175 argv_parse_cmd(&argv, command);
3780ce0e 176 argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu,
4a9d1d70
SK		 177 ifconfig_local, ifconfig_remote, context);
178 argv_msg(M_INFO, &argv);
179 openvpn_run_script(&argv, es, S_FATAL, "--up/--down");
870e2405 180 argv_free(&argv);
4a9d1d70
SK		 181 }
182
183 gc_free(&gc);
184}
185
6fbf66fa 186/*
4e9a51d7
JY		 187 * Should be called after options->ce is modified at the top
188 * of a SIGUSR1 restart.
6fbf66fa
JY		 189 */
190static void
81d882d5 191update_options_ce_post(struct options *options)
6fbf66fa 192{
81d882d5
DS		 193 /*
194 * In pull mode, we usually import --ping/--ping-restart parameters from
195 * the server. However we should also set an initial default --ping-restart
196 * for the period of time before we pull the --ping-restart parameter
197 * from the server.
198 */
199 if (options->pull
200 && options->ping_rec_timeout_action == PING_UNDEF
201 && proto_is_dgram(options->ce.proto))
4e9a51d7 202 {
81d882d5
DS		 203 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
204 options->ping_rec_timeout_action = PING_RESTART;
4e9a51d7 205 }
4e9a51d7 206}
6fbf66fa 207
af1bf85a 208#ifdef ENABLE_MANAGEMENT
3cf6c932 209static bool
81d882d5 210management_callback_proxy_cmd(void *arg, const char **p)
3cf6c932 211{
81d882d5
DS		 212 struct context *c = arg;
213 struct connection_entry *ce = &c->options.ce;
214 struct gc_arena *gc = &c->c2.gc;
215 bool ret = false;
3cf6c932 216
81d882d5
DS		 217 update_time();
218 if (streq(p[1], "NONE"))
219 {
220 ret = true;
221 }
222 else if (p[2] && p[3])
af1bf85a 223 {
45a1cb2a
LS		 224 if (dco_enabled(&c->options))
225 {
226 msg(M_INFO, "Proxy set via management, disabling Data Channel Offload.");
227 c->options.tuntap_options.disable_dco = true;
228 }
229
81d882d5 230 if (streq(p[1], "HTTP"))
af1bf85a 231 {
81d882d5
DS		 232 struct http_proxy_options *ho;
233 if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT)
e719a053 234 {
81d882d5
DS		 235 msg(M_WARN, "HTTP proxy support only works for TCP based connections");
236 return false;
af1bf85a 237 }
81d882d5
DS		 238 ho = init_http_proxy_options_once(&ce->http_proxy_options, gc);
239 ho->server = string_alloc(p[2], gc);
240 ho->port = string_alloc(p[3], gc);
241 ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL);
242 ret = true;
af1bf85a 243 }
81d882d5 244 else if (streq(p[1], "SOCKS"))
af1bf85a 245 {
81d882d5 246 ce->socks_proxy_server = string_alloc(p[2], gc);
aa9d3a5b 247 ce->socks_proxy_port = string_alloc(p[3], gc);
81d882d5 248 ret = true;
af1bf85a 249 }
3cf6c932 250 }
81d882d5
DS		 251 else
252 {
253 msg(M_WARN, "Bad proxy command");
254 }
3cf6c932 255
81d882d5 256 ce->flags &= ~CE_MAN_QUERY_PROXY;
3cf6c932 257
81d882d5 258 return ret;
3cf6c932
JY		 259}
260
261static bool
81d882d5
DS		 262ce_management_query_proxy(struct context *c)
263{
264 const struct connection_list *l = c->options.connection_list;
265 struct connection_entry *ce = &c->options.ce;
266 struct gc_arena gc;
267 bool ret = true;
268
269 update_time();
270 if (management)
271 {
272 gc = gc_new();
273 {
274 struct buffer out = alloc_buf_gc(256, &gc);
275 buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
276 (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
277 management_notify_generic(management, BSTR(&out));
93ba6ccd 278 management->persist.special_state_msg = BSTR(&out);
81d882d5
DS		 279 }
280 ce->flags |= CE_MAN_QUERY_PROXY;
281 while (ce->flags & CE_MAN_QUERY_PROXY)
282 {
283 management_event_loop_n_seconds(management, 1);
284 if (IS_SIG(c))
af1bf85a 285 {
81d882d5
DS		 286 ret = false;
287 break;
af1bf85a
HH		 288 }
289 }
93ba6ccd 290 management->persist.special_state_msg = NULL;
81d882d5 291 gc_free(&gc);
3cf6c932 292 }
af1bf85a 293
81d882d5 294 return ret;
3cf6c932
JY		 295}
296
adb9bb91
AS		 297/**
298 * This method sends a custom control channel message
299 *
300 * This will write the control message
301 *
302 * command parm1,parm2,..
303 * .
304 * to the control channel.
305 *
306 * @param arg The context struct
307 * @param command The command being sent
308 * @param parameters the parameters to the command
309 * @return if sending was successful
310 */
311static bool
312management_callback_send_cc_message(void *arg,
313 const char *command,
314 const char *parameters)
315{
316 struct context *c = (struct context *) arg;
62560e2a 317 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
adb9bb91
AS		 318 if (len > PUSH_BUNDLE_SIZE)
319 {
320 return false;
321 }
322
323 struct gc_arena gc = gc_new();
324 struct buffer buf = alloc_buf_gc(len, &gc);
325 ASSERT(buf_printf(&buf, "%s", command));
326 if (parameters)
327 {
328 ASSERT(buf_printf(&buf, ",%s", parameters));
329 }
330 bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
331
332 gc_free(&gc);
333 return status;
334}
3cf6c932 335
12526380
SN		 336static unsigned int
337management_callback_remote_entry_count(void *arg)
338{
339 assert(arg);
340 struct context *c = (struct context *) arg;
341 struct connection_list *l = c->options.connection_list;
342
343 return l->len;
344}
345
346static bool
347management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
348{
349 assert(arg);
350 assert(remote);
351
352 struct context *c = (struct context *) arg;
353 struct connection_list *l = c->options.connection_list;
354 bool ret = true;
355
356 if (index < l->len)
357 {
358 struct connection_entry *ce = l->array[index];
359 const char *proto = proto2ascii(ce->proto, ce->af, false);
eafbedc5 360 const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled";
12526380 361
eafbedc5
SN		 362 /* space for output including 3 commas and a nul */
363 int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto)
364 + strlen(status) + 3 + 1;
12526380
SN		 365 char *out = malloc(len);
366 check_malloc_return(out);
367
eafbedc5 368 openvpn_snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status);
12526380
SN		 369 *remote = out;
370 }
371 else
372 {
373 ret = false;
374 msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index);
375 }
376
377 return ret;
378}
379
54561af6 380static bool
81d882d5
DS		 381management_callback_remote_cmd(void *arg, const char **p)
382{
383 struct context *c = (struct context *) arg;
384 struct connection_entry *ce = &c->options.ce;
385 int ret = false;
386 if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
387 {
388 int flags = 0;
389 if (!strcmp(p[1], "ACCEPT"))
390 {
391 flags = CE_MAN_QUERY_REMOTE_ACCEPT;
392 ret = true;
393 }
394 else if (!strcmp(p[1], "SKIP"))
395 {
396 flags = CE_MAN_QUERY_REMOTE_SKIP;
397 ret = true;
ec5ffe35 398 c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1;
81d882d5
DS		 399 }
400 else if (!strcmp(p[1], "MOD") && p[2] && p[3])
401 {
402 if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
403 {
404 struct remote_host_store *rhs = c->options.rh_store;
405 if (!rhs)
406 {
407 ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc);
408 c->options.rh_store = rhs;
409 }
410 strncpynt(rhs->host, p[2], RH_HOST_LEN);
411 strncpynt(rhs->port, p[3], RH_PORT_LEN);
412
413 ce->remote = rhs->host;
414 ce->remote_port = rhs->port;
415 flags = CE_MAN_QUERY_REMOTE_MOD;
416 ret = true;
417 }
418 }
419 if (ret)
420 {
421 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
422 ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
423 }
424 }
425 return ret;
54561af6
JY		 426}
427
428static bool
81d882d5
DS		 429ce_management_query_remote(struct context *c)
430{
431 struct gc_arena gc = gc_new();
432 volatile struct connection_entry *ce = &c->options.ce;
e81f313a
DS		 433 int ce_changed = true; /* presume the connection entry will be changed */
434
81d882d5
DS		 435 update_time();
436 if (management)
437 {
438 struct buffer out = alloc_buf_gc(256, &gc);
e81f313a
DS		 439
440 buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
441 proto2ascii(ce->proto, ce->af, false));
81d882d5 442 management_notify_generic(management, BSTR(&out));
93ba6ccd 443 management->persist.special_state_msg = BSTR(&out);
e81f313a
DS		 444
445 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
446 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
447 while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
448 & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
81d882d5
DS		 449 {
450 management_event_loop_n_seconds(management, 1);
451 if (IS_SIG(c))
452 {
e81f313a 453 ce_changed = false; /* connection entry have not been set */
81d882d5
DS		 454 break;
455 }
456 }
93ba6ccd 457 management->persist.special_state_msg = NULL;
81d882d5 458 }
e81f313a
DS		 459 gc_free(&gc);
460
461 if (ce_changed)
81d882d5 462 {
e81f313a
DS		 463 /* If it is likely a connection entry was modified,
464 * check what changed in the flags and that it was not skipped
465 */
466 const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
467 & CE_MAN_QUERY_REMOTE_MASK);
468 ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
81d882d5 469 }
e81f313a 470 return ce_changed;
54561af6 471}
cf93f0e0 472#endif /* ENABLE_MANAGEMENT */
54561af6 473
4e9a51d7
JY		 474/*
475 * Initialize and possibly randomize connection list.
476 */
477static void
81d882d5 478init_connection_list(struct context *c)
4e9a51d7 479{
81d882d5 480 struct connection_list *l = c->options.connection_list;
23d61c56 481
81d882d5
DS		 482 l->current = -1;
483 if (c->options.remote_random)
6fbf66fa 484 {
81d882d5
DS		 485 int i;
486 for (i = 0; i < l->len; ++i)
23d61c56 487 {
81d882d5
DS		 488 const int j = get_random() % l->len;
489 if (i != j)
23d61c56 490 {
81d882d5
DS		 491 struct connection_entry *tmp;
492 tmp = l->array[i];
493 l->array[i] = l->array[j];
494 l->array[j] = tmp;
23d61c56
AS		 495 }
496 }
6fbf66fa 497 }
4e9a51d7
JY		 498}
499
23d61c56
AS		 500/*
501 * Clear the remote address list
502 */
81d882d5
DS		 503static void
504clear_remote_addrlist(struct link_socket_addr *lsa, bool free)
23d61c56 505{
e719a053 506 if (lsa->remote_list && free)
81d882d5
DS		 507 {
508 freeaddrinfo(lsa->remote_list);
509 }
23d61c56
AS		 510 lsa->remote_list = NULL;
511 lsa->current_remote = NULL;
512}
513
4e9a51d7
JY		 514/*
515 * Increment to next connection entry
516 */
517static void
81d882d5
DS		 518next_connection_entry(struct context *c)
519{
520 struct connection_list *l = c->options.connection_list;
521 bool ce_defined;
522 struct connection_entry *ce;
523 int n_cycles = 0;
524
4cd4899e
SK		 525 do
526 {
81d882d5
DS		 527 ce_defined = true;
528 if (c->options.no_advance && l->current >= 0)
529 {
530 c->options.no_advance = false;
531 }
23d61c56 532 else
81d882d5
DS		 533 {
534 /* Check if there is another resolved address to try for
535 * the current connection */
536 if (c->c1.link_socket_addr.current_remote
c9474fa3
AS		 537 && c->c1.link_socket_addr.current_remote->ai_next
538 && !c->options.advance_next_remote)
81d882d5 539 {
23d61c56 540 c->c1.link_socket_addr.current_remote =
81d882d5
DS		 541 c->c1.link_socket_addr.current_remote->ai_next;
542 }
543 else
544 {
c9474fa3 545 c->options.advance_next_remote = false;
81d882d5
DS		 546 /* FIXME (schwabe) fix the persist-remote-ip option for real,
547 * this is broken probably ever since connection lists and multiple
548 * remote existed
549 */
550 if (!c->options.persist_remote_ip)
551 {
3ad86c25
VG		 552 /* Connection entry addrinfo objects might have been
553 * resolved earlier but the entry itself might have been
554 * skipped by management on the previous loop.
555 * If so, clear the addrinfo objects as close_instance does
556 */
557 if (c->c1.link_socket_addr.remote_list)
558 {
559 clear_remote_addrlist(&c->c1.link_socket_addr,
560 !c->options.resolve_in_advance);
561 }
562
81d882d5
DS		 563 /* close_instance should have cleared the addrinfo objects */
564 ASSERT(c->c1.link_socket_addr.current_remote == NULL);
565 ASSERT(c->c1.link_socket_addr.remote_list == NULL);
566 }
567 else
568 {
569 c->c1.link_socket_addr.current_remote =
570 c->c1.link_socket_addr.remote_list;
571 }
572
ec5ffe35
SN		 573 int advance_count = 1;
574
575 /* If previous connection entry was skipped by management client
576 * with a count to advance by, apply it.
577 */
578 if (c->options.ce_advance_count > 0)
579 {
580 advance_count = c->options.ce_advance_count;
581 }
582
81d882d5
DS		 583 /*
584 * Increase the number of connection attempts
585 * If this is connect-retry-max * size(l)
586 * OpenVPN will quit
587 */
588
ec5ffe35
SN		 589 c->options.unsuccessful_attempts += advance_count;
590 l->current += advance_count;
81d882d5 591
ec5ffe35 592 if (l->current >= l->len)
81d882d5 593 {
ec5ffe35 594 l->current %= l->len;
81d882d5
DS		 595 if (++n_cycles >= 2)
596 {
597 msg(M_FATAL, "No usable connection profiles are present");
598 }
599 }
600 }
601 }
3cf6c932 602
ec5ffe35 603 c->options.ce_advance_count = 1;
81d882d5 604 ce = l->array[l->current];
3cf6c932 605
81d882d5
DS		 606 if (ce->flags & CE_DISABLED)
607 {
608 ce_defined = false;
609 }
3cf6c932 610
81d882d5 611 c->options.ce = *ce;
cf93f0e0 612#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 613 if (ce_defined && management && management_query_remote_enabled(management))
614 {
615 /* allow management interface to override connection entry details */
616 ce_defined = ce_management_query_remote(c);
617 if (IS_SIG(c))
618 {
619 break;
620 }
621 }
7b02cc2a 622 else if (ce_defined && management && management_query_proxy_enabled(management))
23d61c56 623 {
81d882d5
DS		 624 ce_defined = ce_management_query_proxy(c);
625 if (IS_SIG(c))
626 {
627 break;
628 }
23d61c56 629 }
3cf6c932 630#endif
81d882d5 631 } while (!ce_defined);
23d61c56 632
81d882d5
DS		 633 /* Check if this connection attempt would bring us over the limit */
634 if (c->options.connect_retry_max > 0
635 && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max))
636 {
637 msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting",
638 c->options.connect_retry_max);
639 }
640 update_options_ce_post(&c->options);
6fbf66fa
JY		 641}
642
92bbb061
JY		 643/*
644 * Query for private key and auth-user-pass username/passwords
645 */
315f6fbc 646void
81d882d5 647init_query_passwords(const struct context *c)
92bbb061 648{
81d882d5
DS		 649 /* Certificate password input */
650 if (c->options.key_pass_file)
651 {
652 pem_password_setup(c->options.key_pass_file);
653 }
81d882d5 654
81d882d5
DS		 655 /* Auth user/pass input */
656 if (c->options.auth_user_pass_file)
eab3e22f 657 {
7d291e10 658 enable_auth_user_pass();
66b9409b 659#ifdef ENABLE_MANAGEMENT
7d48d31b
AQ		 660 auth_user_pass_setup(c->options.auth_user_pass_file,
661 c->options.auth_user_pass_file_inline,
662 &c->options.sc_info);
eab3e22f 663#else
7d48d31b
AQ		 664 auth_user_pass_setup(c->options.auth_user_pass_file,
665 c->options.auth_user_pass_file_inline, NULL);
eab3e22f
JY		 666#endif
667 }
92bbb061
JY		 668}
669
4e9a51d7
JY		 670/*
671 * Initialize/Uninitialize HTTP or SOCKS proxy
672 */
673
4e9a51d7 674static void
81d882d5 675uninit_proxy_dowork(struct context *c)
4e9a51d7 676{
81d882d5 677 if (c->c1.http_proxy_owned && c->c1.http_proxy)
4e9a51d7 678 {
81d882d5
DS		 679 http_proxy_close(c->c1.http_proxy);
680 c->c1.http_proxy = NULL;
681 c->c1.http_proxy_owned = false;
4e9a51d7 682 }
81d882d5 683 if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
4e9a51d7 684 {
81d882d5
DS		 685 socks_proxy_close(c->c1.socks_proxy);
686 c->c1.socks_proxy = NULL;
687 c->c1.socks_proxy_owned = false;
4e9a51d7 688 }
4e9a51d7
JY		 689}
690
691static void
81d882d5 692init_proxy_dowork(struct context *c)
6fbf66fa 693{
81d882d5 694 bool did_http = false;
f214bb21 695
81d882d5 696 uninit_proxy_dowork(c);
4e9a51d7 697
81d882d5 698 if (c->options.ce.http_proxy_options)
4e9a51d7 699 {
81d882d5
DS		 700 /* Possible HTTP proxy user/pass input */
701 c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
702 if (c->c1.http_proxy)
703 {
704 did_http = true;
705 c->c1.http_proxy_owned = true;
706 }
4e9a51d7 707 }
4e9a51d7 708
a4b8f653 709 if (!did_http && c->options.ce.socks_proxy_server)
4e9a51d7 710 {
81d882d5
DS		 711 c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server,
712 c->options.ce.socks_proxy_port,
713 c->options.ce.socks_proxy_authfile);
714 if (c->c1.socks_proxy)
715 {
716 c->c1.socks_proxy_owned = true;
717 }
4e9a51d7 718 }
4e9a51d7
JY		 719}
720
721static void
81d882d5 722init_proxy(struct context *c)
4e9a51d7 723{
81d882d5 724 init_proxy_dowork(c);
4e9a51d7
JY		 725}
726
727static void
81d882d5 728uninit_proxy(struct context *c)
4e9a51d7 729{
81d882d5 730 uninit_proxy_dowork(c);
4e9a51d7
JY		 731}
732
4e9a51d7 733void
81d882d5 734context_init_1(struct context *c)
4e9a51d7 735{
81d882d5 736 context_clear_1(c);
6fbf66fa 737
81d882d5 738 packet_id_persist_init(&c->c1.pid_persist);
4e9a51d7 739
81d882d5 740 init_connection_list(c);
6fbf66fa 741
ce98fd24 742#if defined(ENABLE_PKCS11)
81d882d5
DS		 743 if (c->first_time)
744 {
745 int i;
746 pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
747 for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
4cd4899e 748 {
81d882d5
DS		 749 pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
750 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
4cd4899e 751 }
81d882d5 752 }
ce98fd24 753#endif
984cf003 754
c67d59cd 755#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
81d882d5
DS		 756 {
757 /*
758 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
759 */
760 struct user_pass up;
761 CLEAR(up);
762 strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
763 get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
764 msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
765 * 'needok' command, usually 'ok' or 'cancel'. */
766 }
dd1047f5
JY		 767#endif
768
e83a8684
DS		 769#ifdef ENABLE_SYSTEMD
770 /* We can report the PID via getpid() to systemd here as OpenVPN will not
771 * do any fork due to daemon() a future call.
772 * See possibly_become_daemon() [init.c] for more details.
773 */
b13bc6c9 774 sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
e83a8684
DS		 775 (unsigned long) getpid());
776#endif
777
6fbf66fa
JY		 778}
779
780void
81d882d5 781context_gc_free(struct context *c)
6fbf66fa 782{
81d882d5
DS		 783 gc_free(&c->c2.gc);
784 gc_free(&c->options.gc);
785 gc_free(&c->gc);
6fbf66fa
JY		 786}
787
6add6b2f
JY		 788#if PORT_SHARE
789
790static void
81d882d5 791close_port_share(void)
6add6b2f 792{
81d882d5 793 if (port_share)
6add6b2f 794 {
81d882d5
DS		 795 port_share_close(port_share);
796 port_share = NULL;
6add6b2f
JY		 797 }
798}
799
800static void
81d882d5 801init_port_share(struct context *c)
6add6b2f 802{
81d882d5 803 if (!port_share && (c->options.port_share_host && c->options.port_share_port))
6add6b2f 804 {
81d882d5
DS		 805 port_share = port_share_open(c->options.port_share_host,
806 c->options.port_share_port,
65a21eb1 807 c->c2.frame.buf.payload_size,
81d882d5
DS		 808 c->options.port_share_journal_dir);
809 if (port_share == NULL)
810 {
811 msg(M_FATAL, "Fatal error: Port sharing failed");
812 }
6add6b2f
JY		 813 }
814}
815
81d882d5 816#endif /* if PORT_SHARE */
6add6b2f 817
e74e3a4d 818
6fbf66fa 819bool
81d882d5 820init_static(void)
6fbf66fa 821{
81d882d5 822 /* configure_path (); */
c67d59cd 823
c7ca9133 824#if defined(DMALLOC)
81d882d5 825 crypto_init_dmalloc();
6fbf66fa
JY		 826#endif
827
e74e3a4d
DS		 828
829 /*
830 * Initialize random number seed. random() is only used
831 * when "weak" random numbers are acceptable.
832 * SSL library routines are always used when cryptographically
833 * strong random numbers are required.
834 */
835 struct timeval tv;
836 if (!gettimeofday(&tv, NULL))
837 {
838 const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec;
839 srandom(seed);
840 }
841
81d882d5
DS		 842 error_reset(); /* initialize error.c */
843 reset_check_status(); /* initialize status check code in socket.c */
6fbf66fa 844
445b192a 845#ifdef _WIN32
81d882d5 846 init_win32();
6fbf66fa
JY		 847#endif
848
849#ifdef OPENVPN_DEBUG_COMMAND_LINE
81d882d5
DS		 850 {
851 int i;
852 for (i = 0; i < argc; ++i)
4cd4899e 853 {
81d882d5 854 msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
4cd4899e 855 }
81d882d5 856 }
6fbf66fa
JY		 857#endif
858
81d882d5 859 update_time();
6fbf66fa 860
81d882d5 861 init_ssl_lib();
6fbf66fa 862
6fbf66fa 863#ifdef SCHEDULE_TEST
81d882d5
DS		 864 schedule_test();
865 return false;
6fbf66fa
JY		 866#endif
867
6fbf66fa 868#ifdef IFCONFIG_POOL_TEST
81d882d5
DS		 869 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
870 return false;
6fbf66fa
JY		 871#endif
872
428b8279 873#ifdef TIME_TEST
81d882d5
DS		 874 time_test();
875 return false;
428b8279
JY		 876#endif
877
6cd276ba 878#ifdef GEN_PATH_TEST
81d882d5
DS		 879 {
880 struct gc_arena gc = gc_new();
881 const char *fn = gen_path("foo",
882 "bar",
883 &gc);
884 printf("%s\n", fn);
885 gc_free(&gc);
886 }
887 return false;
6cd276ba 888#endif
ddad0a8c 889
6cd276ba 890#ifdef STATUS_PRINTF_TEST
81d882d5
DS		 891 {
892 struct gc_arena gc = gc_new();
b7bea782 893 const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc);
81d882d5
DS		 894 struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
895 status_printf(so, "%s", "foo");
896 status_printf(so, "%s", "bar");
897 if (!status_close(so))
898 {
899 msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
900 }
901 gc_free(&gc);
902 }
903 return false;
ddad0a8c
JY		 904#endif
905
ffea644c 906#ifdef MSTATS_TEST
81d882d5
DS		 907 {
908 int i;
909 mstats_open("/dev/shm/mstats.dat");
910 for (i = 0; i < 30; ++i)
911 {
912 mmap_stats->n_clients += 1;
913 mmap_stats->link_write_bytes += 8;
914 mmap_stats->link_read_bytes += 16;
915 sleep(1);
916 }
917 mstats_close();
918 return false;
919 }
ffea644c
JY		 920#endif
921
81d882d5 922 return true;
6fbf66fa
JY		 923}
924
925void
81d882d5 926uninit_static(void)
6fbf66fa 927{
81d882d5 928 free_ssl_lib();
ce98fd24 929
ce98fd24 930#ifdef ENABLE_PKCS11
81d882d5 931 pkcs11_terminate();
ce98fd24 932#endif
6fbf66fa 933
6add6b2f 934#if PORT_SHARE
81d882d5 935 close_port_share();
6add6b2f
JY		 936#endif
937
c7ca9133 938#if defined(MEASURE_TLS_HANDSHAKE_STATS)
81d882d5 939 show_tls_performance_stats();
6fbf66fa
JY		 940#endif
941}
942
943void
81d882d5 944init_verb_mute(struct context *c, unsigned int flags)
6fbf66fa 945{
81d882d5 946 if (flags & IVM_LEVEL_1)
6fbf66fa 947 {
81d882d5
DS		 948 /* set verbosity and mute levels */
949 set_check_status(D_LINK_ERRORS, D_READ_WRITE);
950 set_debug_level(c->options.verbosity, SDL_CONSTRAIN);
951 set_mute_cutoff(c->options.mute);
6fbf66fa
JY		 952 }
953
81d882d5
DS		 954 /* special D_LOG_RW mode */
955 if (flags & IVM_LEVEL_2)
956 {
957 c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1));
958 }
6fbf66fa
JY		 959}
960
961/*
962 * Possibly set --dev based on --dev-node.
963 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
964 * set --dev to tun.
965 */
966void
81d882d5 967init_options_dev(struct options *options)
6fbf66fa 968{
81d882d5
DS		 969 if (!options->dev && options->dev_node)
970 {
ccb636c7 971 char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
81d882d5
DS		 972 options->dev = basename(dev_node);
973 }
6fbf66fa
JY		 974}
975
976bool
81d882d5 977print_openssl_info(const struct options *options)
6fbf66fa 978{
81d882d5
DS		 979 /*
980 * OpenSSL info print mode?
981 */
81d882d5
DS		 982 if (options->show_ciphers || options->show_digests || options->show_engines
983 || options->show_tls_ciphers || options->show_curves)
6fbf66fa 984 {
81d882d5
DS		 985 if (options->show_ciphers)
986 {
987 show_available_ciphers();
988 }
989 if (options->show_digests)
990 {
991 show_available_digests();
992 }
993 if (options->show_engines)
994 {
995 show_available_engines();
996 }
997 if (options->show_tls_ciphers)
998 {
aba75874 999 show_available_tls_ciphers(options->cipher_list,
7aeabadd 1000 options->cipher_list_tls13,
aba75874 1001 options->tls_cert_profile);
81d882d5
DS		 1002 }
1003 if (options->show_curves)
1004 {
1005 show_available_curves();
1006 }
1007 return true;
6fbf66fa 1008 }
81d882d5 1009 return false;
6fbf66fa
JY		 1010}
1011
1012/*
1013 * Static pre-shared key generation mode?
1014 */
1015bool
81d882d5 1016do_genkey(const struct options *options)
6fbf66fa 1017{
9d59029a 1018 /* should we disable paging? */
0d80b562 1019 if (options->mlock && (options->genkey))
9d59029a
SK		 1020 {
1021 platform_mlockall(true);
1022 }
0d80b562
AS		 1023
1024 /*
1025 * We do not want user to use --genkey with --secret. In the transistion
1026 * phase we for secret.
1027 */
1028 if (options->genkey && options->genkey_type != GENKEY_SECRET
1029 && options->shared_secret_file)
1030 {
1031 msg(M_USAGE, "Using --genkey type with --secret filename is "
1032 "not supported. Use --genkey type filename instead.");
1033 }
1034 if (options->genkey && options->genkey_type == GENKEY_SECRET)
6fbf66fa 1035 {
81d882d5 1036 int nbits_written;
0d80b562
AS		 1037 const char *genkey_filename = options->genkey_filename;
1038 if (options->shared_secret_file && options->genkey_filename)
1039 {
1040 msg(M_USAGE, "You must provide a filename to either --genkey "
1041 "or --secret, not both");
1042 }
6fbf66fa 1043
0d80b562
AS		 1044 /*
1045 * Copy filename from shared_secret_file to genkey_filename to support
1046 * the old --genkey --secret foo.file syntax.
1047 */
1048 if (options->shared_secret_file)
1049 {
1050 msg(M_WARN, "WARNING: Using --genkey --secret filename is "
1051 "DEPRECATED. Use --genkey secret filename instead.");
1052 genkey_filename = options->shared_secret_file;
1053 }
6fbf66fa 1054
0d80b562 1055 nbits_written = write_key_file(2, genkey_filename);
a8fa1679
SK		 1056 if (nbits_written < 0)
1057 {
1058 msg(M_FATAL, "Failed to write key file");
1059 }
6fbf66fa 1060
81d882d5
DS		 1061 msg(D_GENKEY | M_NOPREFIX,
1062 "Randomly generated %d bit key written to %s", nbits_written,
1063 options->shared_secret_file);
1064 return true;
6fbf66fa 1065 }
0d80b562 1066 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER)
9d59029a 1067 {
0d80b562
AS		 1068 tls_crypt_v2_write_server_key_file(options->genkey_filename);
1069 return true;
1070 }
1071 else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT)
1072 {
1073 if (!options->tls_crypt_v2_file)
9d59029a 1074 {
0d80b562
AS		 1075 msg(M_USAGE,
1076 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
9d59029a
SK		 1077 }
1078
0d80b562
AS		 1079 tls_crypt_v2_write_client_key_file(options->genkey_filename,
1080 options->genkey_extra_data, options->tls_crypt_v2_file,
cb2e9218 1081 options->tls_crypt_v2_file_inline);
0d80b562
AS		 1082 return true;
1083 }
1b9a88a2
AS		 1084 else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN)
1085 {
1086 auth_token_write_server_key_file(options->genkey_filename);
1087 return true;
1088 }
0d80b562
AS		 1089 else
1090 {
1091 return false;
9d59029a 1092 }
6fbf66fa
JY		 1093}
1094
1095/*
1096 * Persistent TUN/TAP device management mode?
1097 */
1098bool
6a2fe47a 1099do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx)
6fbf66fa 1100{
84099782 1101 if (!options->persist_config)
6fbf66fa 1102 {
84099782
LS		 1103 return false;
1104 }
1105
1106 /* sanity check on options for --mktun or --rmtun */
1107 notnull(options->dev, "TUN/TAP device (--dev)");
1108 if (options->ce.remote || options->ifconfig_local
1109 || options->ifconfig_remote_netmask
1110 || options->shared_secret_file
1111 || options->tls_server || options->tls_client
1112 )
1113 {
1114 msg(M_FATAL|M_OPTERR,
1115 "options --mktun or --rmtun should only be used together with --dev");
1116 }
6a2fe47a
AQ		 1117
1118#if defined(ENABLE_DCO)
84099782
LS		 1119 if (dco_enabled(options))
1120 {
1121 /* creating a DCO interface via --mktun is not supported as it does not
1122 * make much sense. Since DCO is enabled by default, people may run into
1123 * this without knowing, therefore this case should be properly handled.
1124 *
1125 * Disable DCO if --mktun was provided and print a message to let
1126 * user know.
1127 */
1128 if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN)
6a2fe47a 1129 {
84099782 1130 msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface.");
6a2fe47a 1131 }
84099782
LS		 1132
1133 options->tuntap_options.disable_dco = true;
1134 }
6a2fe47a
AQ		 1135#endif
1136
4ad2b65d 1137#ifdef ENABLE_FEATURE_TUN_PERSIST
84099782
LS		 1138 tuncfg(options->dev, options->dev_type, options->dev_node,
1139 options->persist_mode,
1140 options->username, options->groupname, &options->tuntap_options,
1141 ctx);
1142 if (options->persist_mode && options->lladdr)
1143 {
1144 set_lladdr(ctx, options->dev, options->lladdr, NULL);
1145 }
1146 return true;
81d882d5 1147#else /* ifdef ENABLE_FEATURE_TUN_PERSIST */
84099782
LS		 1148 msg(M_FATAL|M_OPTERR,
1149 "options --mktun and --rmtun are not available on your operating "
1150 "system. Please check 'man tun' (or 'tap'), whether your system "
1151 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1152 "persistent tunnel interfaces.", options->dev );
6fbf66fa 1153#endif
81d882d5 1154 return false;
6fbf66fa
JY		 1155}
1156
1157/*
1158 * Should we become a daemon?
1159 * Return true if we did it.
1160 */
da9b2927 1161bool
81d882d5 1162possibly_become_daemon(const struct options *options)
6fbf66fa 1163{
81d882d5 1164 bool ret = false;
7660bba1
CH		 1165
1166#ifdef ENABLE_SYSTEMD
81d882d5
DS		 1167 /* return without forking if we are running from systemd */
1168 if (sd_notify(0, "READY=0") > 0)
1169 {
1170 return ret;
1171 }
7660bba1
CH		 1172#endif
1173
81d882d5 1174 if (options->daemon)
6fbf66fa 1175 {
81d882d5 1176 /* Don't chdir immediately, but the end of the init sequence, if needed */
a480eaae
AS		 1177
1178#if defined(__APPLE__) && defined(__clang__)
1179#pragma clang diagnostic push
1180#pragma clang diagnostic ignored "-Wdeprecated-declarations"
1181#endif
81d882d5
DS		 1182 if (daemon(1, options->log) < 0)
1183 {
1184 msg(M_ERR, "daemon() failed or unsupported");
1185 }
a480eaae
AS		 1186#if defined(__APPLE__) && defined(__clang__)
1187#pragma clang diagnostic pop
1188#endif
81d882d5
DS		 1189 restore_signal_state();
1190 if (options->log)
1191 {
1192 set_std_files_to_null(true);
1193 }
6835555e 1194
81d882d5 1195 ret = true;
6fbf66fa 1196 }
81d882d5 1197 return ret;
6fbf66fa
JY		 1198}
1199
1200/*
99385447 1201 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
6fbf66fa
JY		 1202 */
1203static void
81d882d5 1204do_uid_gid_chroot(struct context *c, bool no_delay)
6fbf66fa 1205{
81d882d5
DS		 1206 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
1207 struct context_0 *c0 = c->c0;
6fbf66fa 1208
81d882d5 1209 if (c0 && !c0->uid_gid_chroot_set)
6fbf66fa 1210 {
81d882d5
DS		 1211 /* chroot if requested */
1212 if (c->options.chroot_dir)
1213 {
1214 if (no_delay)
65140a3a 1215 {
81d882d5
DS		 1216 platform_chroot(c->options.chroot_dir);
1217 }
1218 else if (c->first_time)
1219 {
1220 msg(M_INFO, "NOTE: chroot %s", why_not);
1221 }
1222 }
1223
1224 /* set user and/or group if we want to setuid/setgid */
1225 if (c0->uid_gid_specified)
1226 {
1227 if (no_delay)
1228 {
2e359a08
TR		 1229 platform_user_group_set(&c0->platform_state_user,
1230 &c0->platform_state_group,
1231 c);
81d882d5
DS		 1232 }
1233 else if (c->first_time)
1234 {
1235 msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not);
65140a3a 1236 }
81d882d5 1237 }
99385447 1238
ffea644c 1239#ifdef ENABLE_MEMSTATS
81d882d5
DS		 1240 if (c->first_time && c->options.memstats_fn)
1241 {
1242 mstats_open(c->options.memstats_fn);
1243 }
ffea644c
JY		 1244#endif
1245
cd5990e0 1246#ifdef ENABLE_SELINUX
81d882d5
DS		 1247 /* Apply a SELinux context in order to restrict what OpenVPN can do
1248 * to _only_ what it is supposed to do after initialization is complete
1249 * (basically just network I/O operations). Doing it after chroot
1250 * requires /proc to be mounted in the chroot (which is annoying indeed
1251 * but doing it before requires more complex SELinux policies.
1252 */
1253 if (c->options.selinux_context)
1254 {
1255 if (no_delay)
1256 {
1257 if (-1 == setcon(c->options.selinux_context))
1258 {
1259 msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1260 }
1261 else
1262 {
1263 msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1264 }
1265 }
1266 else if (c->first_time)
1267 {
1268 msg(M_INFO, "NOTE: setcon %s", why_not);
1269 }
1270 }
1271#endif
1272
1273 /* Privileges are going to be dropped by now (if requested), be sure
1274 * to prevent any future privilege dropping attempts from now on.
1275 */
1276 if (no_delay)
1277 {
1278 c0->uid_gid_chroot_set = true;
1279 }
6fbf66fa
JY		 1280 }
1281}
1282
1283/*
1284 * Return common name in a way that is formatted for
1285 * prepending to msg() output.
1286 */
1287const char *
81d882d5 1288format_common_name(struct context *c, struct gc_arena *gc)
6fbf66fa 1289{
81d882d5 1290 struct buffer out = alloc_buf_gc(256, gc);
81d882d5 1291 if (c->c2.tls_multi)
6fbf66fa 1292 {
81d882d5 1293 buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false));
6fbf66fa 1294 }
81d882d5 1295 return BSTR(&out);
6fbf66fa
JY		 1296}
1297
1298void
81d882d5 1299pre_setup(const struct options *options)
6fbf66fa 1300{
445b192a 1301#ifdef _WIN32
81d882d5 1302 if (options->exit_event_name)
6fbf66fa 1303 {
81d882d5
DS		 1304 win32_signal_open(&win32_signal,
1305 WSO_FORCE_SERVICE,
1306 options->exit_event_name,
1307 options->exit_event_initial_state);
6fbf66fa 1308 }
81d882d5 1309 else
6fbf66fa 1310 {
81d882d5
DS		 1311 win32_signal_open(&win32_signal,
1312 WSO_FORCE_CONSOLE,
1313 NULL,
1314 false);
6fbf66fa 1315
81d882d5
DS		 1316 /* put a title on the top window bar */
1317 if (win32_signal.mode == WSO_MODE_CONSOLE)
1318 {
1319 window_title_save(&window_title);
1320 window_title_generate(options->config);
1321 }
6fbf66fa 1322 }
81d882d5 1323#endif /* ifdef _WIN32 */
6fbf66fa
JY		 1324}
1325
1326void
81d882d5 1327reset_coarse_timers(struct context *c)
6fbf66fa 1328{
81d882d5 1329 c->c2.coarse_timer_wakeup = 0;
6fbf66fa
JY		 1330}
1331
f2134b7b
AS		 1332/*
1333 * Initialise the server poll timeout timer
1334 * This timer is used in the http/socks proxy setup so it needs to be setup
1335 * before
1336 */
1337static void
81d882d5 1338do_init_server_poll_timeout(struct context *c)
f2134b7b 1339{
81d882d5 1340 update_time();
f2134b7b 1341 if (c->options.ce.connect_timeout)
81d882d5
DS		 1342 {
1343 event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now);
1344 }
f2134b7b
AS		 1345}
1346
6fbf66fa
JY		 1347/*
1348 * Initialize timers
1349 */
1350static void
81d882d5 1351do_init_timers(struct context *c, bool deferred)
6fbf66fa 1352{
81d882d5
DS		 1353 update_time();
1354 reset_coarse_timers(c);
6fbf66fa 1355
81d882d5
DS		 1356 /* initialize inactivity timeout */
1357 if (c->options.inactivity_timeout)
1358 {
1359 event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1360 }
6fbf66fa 1361
f96290ff
DZ		 1362 /* initialize inactivity timeout */
1363 if (c->options.session_timeout)
1364 {
1365 event_timeout_init(&c->c2.session_interval, c->options.session_timeout,
1366 now);
1367 }
1368
81d882d5 1369 /* initialize pings */
a2d851d4 1370 if (dco_enabled(&c->options))
81d882d5 1371 {
a2d851d4
AQ		 1372 /* The DCO kernel module will send the pings instead of user space */
1373 event_timeout_clear(&c->c2.ping_rec_interval);
1374 event_timeout_clear(&c->c2.ping_send_interval);
81d882d5 1375 }
a2d851d4 1376 else
81d882d5 1377 {
a2d851d4
AQ		 1378 if (c->options.ping_send_timeout)
1379 {
1380 event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1381 }
1382
1383 if (c->options.ping_rec_timeout)
1384 {
1385 event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1386 }
81d882d5 1387 }
6fbf66fa 1388
9a516170
AS		 1389 /* If the auth-token renewal interval is shorter than reneg-sec, arm
1390 * "auth-token renewal" timer to send additional auth-token to update the
1391 * token on the client more often. If not, this happens automatically
1392 * at renegotiation time, without needing an extra event.
1393 */
1394 if (c->options.auth_token_generate
1395 && c->options.auth_token_renewal < c->options.renegotiate_seconds)
1396 {
1397 event_timeout_init(&c->c2.auth_token_renewal_interval,
1398 c->options.auth_token_renewal, now);
1399 }
1400
81d882d5 1401 if (!deferred)
6fbf66fa 1402 {
81d882d5
DS		 1403 /* initialize connection establishment timer */
1404 event_timeout_init(&c->c2.wait_for_connect, 1, now);
6fbf66fa 1405
81d882d5 1406 /* initialize occ timers */
6fbf66fa 1407
81d882d5
DS		 1408 if (c->options.occ
1409 && !TLS_MODE(c)
1410 && c->c2.options_string_local && c->c2.options_string_remote)
1411 {
1412 event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1413 }
6fbf66fa 1414
81d882d5
DS		 1415 if (c->options.mtu_test)
1416 {
1417 event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1418 }
6fbf66fa 1419
81d882d5 1420 /* initialize packet_id persistence timer */
81d882d5
DS		 1421 if (c->options.packet_id_file)
1422 {
1423 event_timeout_init(&c->c2.packet_id_persist_interval, 60, now);
1424 }
6fbf66fa 1425
81d882d5
DS		 1426 /* initialize tmp_int optimization that limits the number of times we call
1427 * tls_multi_process in the main event loop */
1428 interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
6fbf66fa
JY		 1429 }
1430}
1431
1432/*
1433 * Initialize traffic shaper.
1434 */
1435static void
81d882d5 1436do_init_traffic_shaper(struct context *c)
6fbf66fa 1437{
81d882d5
DS		 1438 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1439 if (c->options.shaper)
6fbf66fa 1440 {
81d882d5
DS		 1441 shaper_init(&c->c2.shaper, c->options.shaper);
1442 shaper_msg(&c->c2.shaper);
6fbf66fa 1443 }
6fbf66fa
JY		 1444}
1445
1446/*
eb95f367
GD		 1447 * Allocate route list structures for IPv4 and IPv6
1448 * (we do this for IPv4 even if no --route option has been seen, as other
1449 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
6fbf66fa
JY		 1450 */
1451static void
81d882d5 1452do_alloc_route_list(struct context *c)
6fbf66fa 1453{
81d882d5
DS		 1454 if (!c->c1.route_list)
1455 {
1456 ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc);
1457 }
1458 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1459 {
1460 ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc);
1461 }
6fbf66fa
JY		 1462}
1463
1464
1465/*
1466 * Initialize the route list, resolving any DNS names in route
1467 * options and saving routes in the environment.
1468 */
1469static void
81d882d5
DS		 1470do_init_route_list(const struct options *options,
1471 struct route_list *route_list,
1472 const struct link_socket_info *link_socket_info,
aec4a3d1
AQ		 1473 struct env_set *es,
1474 openvpn_net_ctx_t *ctx)
6fbf66fa 1475{
81d882d5
DS		 1476 const char *gw = NULL;
1477 int dev = dev_type_enum(options->dev, options->dev_type);
1478 int metric = 0;
6fbf66fa 1479
90d9c38b
AQ		 1480 /* if DCO is enabled we have both regular routes and iroutes in the system
1481 * routing table, and normal routes must have a higher metric for that to
1482 * work so that iroutes are always matched first
1483 */
1484 if (dco_enabled(options))
1485 {
1486 metric = DCO_DEFAULT_METRIC;
1487 }
1488
81d882d5
DS		 1489 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
1490 {
1491 gw = options->ifconfig_remote_netmask;
1492 }
1493 if (options->route_default_gateway)
1494 {
1495 gw = options->route_default_gateway;
1496 }
1497 if (options->route_default_metric)
1498 {
1499 metric = options->route_default_metric;
1500 }
6fbf66fa 1501
81d882d5
DS		 1502 if (init_route_list(route_list,
1503 options->routes,
1504 gw,
1505 metric,
1506 link_socket_current_remote(link_socket_info),
aec4a3d1
AQ		 1507 es,
1508 ctx))
6fbf66fa 1509 {
81d882d5
DS		 1510 /* copy routes to environment */
1511 setenv_routes(es, route_list);
6fbf66fa
JY		 1512 }
1513}
1514
512cda46 1515static void
81d882d5
DS		 1516do_init_route_ipv6_list(const struct options *options,
1517 struct route_ipv6_list *route_ipv6_list,
1518 const struct link_socket_info *link_socket_info,
c454b21e
AQ		 1519 struct env_set *es,
1520 openvpn_net_ctx_t *ctx)
512cda46 1521{
81d882d5
DS		 1522 const char *gw = NULL;
1523 int metric = -1; /* no metric set */
512cda46 1524
90d9c38b
AQ		 1525 /* see explanation in do_init_route_list() */
1526 if (dco_enabled(options))
1527 {
1528 metric = DCO_DEFAULT_METRIC;
1529 }
1530
81d882d5 1531 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
d24e1b17 1532 if (options->route_ipv6_default_gateway)
81d882d5
DS		 1533 {
1534 gw = options->route_ipv6_default_gateway;
1535 }
512cda46 1536
81d882d5
DS		 1537 if (options->route_default_metric)
1538 {
1539 metric = options->route_default_metric;
1540 }
512cda46 1541
81d882d5
DS		 1542 /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics
1543 */
1544 if (options->routes_ipv6->flags & RG_REROUTE_GW)
d227929b 1545 {
81d882d5
DS		 1546 char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL };
1547 int i;
d227929b 1548
81d882d5
DS		 1549 for (i = 0; opt_list[i]; i++)
1550 {
1551 add_route_ipv6_to_option_list( options->routes_ipv6,
1552 string_alloc(opt_list[i], options->routes_ipv6->gc),
1553 NULL, NULL );
1554 }
d227929b
GD		 1555 }
1556
81d882d5
DS		 1557 if (init_route_ipv6_list(route_ipv6_list,
1558 options->routes_ipv6,
1559 gw,
1560 metric,
1561 link_socket_current_remote_ipv6(link_socket_info),
c454b21e
AQ		 1562 es,
1563 ctx))
512cda46 1564 {
81d882d5
DS		 1565 /* copy routes to environment */
1566 setenv_routes_ipv6(es, route_ipv6_list);
512cda46
GD		 1567 }
1568}
1569
1570
6fbf66fa
JY		 1571/*
1572 * Called after all initialization has been completed.
1573 */
1574void
81d882d5 1575initialization_sequence_completed(struct context *c, const unsigned int flags)
6fbf66fa 1576{
81d882d5 1577 static const char message[] = "Initialization Sequence Completed";
6fbf66fa 1578
81d882d5
DS		 1579 /* Reset the unsuccessful connection counter on complete initialisation */
1580 c->options.unsuccessful_attempts = 0;
23d61c56 1581
81d882d5
DS		 1582 /* If we delayed UID/GID downgrade or chroot, do it now */
1583 do_uid_gid_chroot(c, true);
6fbf66fa 1584
81d882d5
DS		 1585 /* Test if errors */
1586 if (flags & ISC_ERRORS)
a9c802b2 1587 {
445b192a 1588#ifdef _WIN32
81d882d5
DS		 1589 show_routes(M_INFO|M_NOPREFIX);
1590 show_adapters(M_INFO|M_NOPREFIX);
1591 msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
6fbf66fa 1592#else
c5931897 1593#ifdef ENABLE_SYSTEMD
81d882d5 1594 sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
c5931897 1595#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
81d882d5 1596 msg(M_INFO, "%s With Errors", message);
6fbf66fa 1597#endif
a9c802b2 1598 }
81d882d5 1599 else
c5931897
CH		 1600 {
1601#ifdef ENABLE_SYSTEMD
e83a8684 1602 sd_notifyf(0, "STATUS=%s", message);
c5931897 1603#endif
81d882d5 1604 msg(M_INFO, "%s", message);
c5931897 1605 }
6fbf66fa 1606
81d882d5
DS		 1607 /* Flag that we initialized */
1608 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
1609 {
1610 c->options.no_advance = true;
1611 }
6fbf66fa 1612
445b192a 1613#ifdef _WIN32
81d882d5 1614 fork_register_dns_action(c->c1.tuntap);
b90c6f17
JY		 1615#endif
1616
6fbf66fa 1617#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 1618 /* Tell management interface that we initialized */
1619 if (management)
1620 {
1621 in_addr_t *tun_local = NULL;
1622 struct in6_addr *tun_local6 = NULL;
1623 struct openvpn_sockaddr local, remote;
1624 struct link_socket_actual *actual;
1625 socklen_t sa_len = sizeof(local);
1626 const char *detail = "SUCCESS";
1627 if (flags & ISC_ERRORS)
1628 {
1629 detail = "ERROR";
1630 }
e04c2536
SN		 1631 /* Flag route error only on platforms where trivial "already exists" errors
1632 * are filtered out. Currently this is the case on Windows or if usng netlink.
1633 */
1634#if defined(_WIN32) || defined(ENABLE_SITNL)
1635 else if (flags & ISC_ROUTE_ERRORS)
1636 {
1637 detail = "ROUTE_ERROR";
1638 }
1639#endif
81d882d5
DS		 1640
1641 CLEAR(local);
1642 actual = &get_link_socket_info(c)->lsa->actual;
1643 remote = actual->dest;
1644 getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len);
2191c471 1645#if ENABLE_IP_PKTINFO
81d882d5 1646 if (!addr_defined(&local))
2191c471 1647 {
81d882d5 1648 switch (local.addr.sa.sa_family)
2191c471 1649 {
81d882d5 1650 case AF_INET:
7efa60d9 1651#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
81d882d5 1652 local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst;
4a82a9ac 1653#else
81d882d5 1654 local.addr.in4.sin_addr = actual->pi.in4;
4a82a9ac 1655#endif
81d882d5
DS		 1656 break;
1657
1658 case AF_INET6:
1659 local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr;
1660 break;
2191c471
HH		 1661 }
1662 }
1663#endif
1664
81d882d5 1665 if (c->c1.tuntap)
2191c471 1666 {
81d882d5
DS		 1667 tun_local = &c->c1.tuntap->local;
1668 tun_local6 = &c->c1.tuntap->local_ipv6;
1669 }
1670 management_set_state(management,
1671 OPENVPN_STATE_CONNECTED,
1672 detail,
1673 tun_local,
1674 tun_local6,
1675 &local,
1676 &remote);
1677 if (tun_local)
1678 {
1679 management_post_tunnel_open(management, *tun_local);
2191c471 1680 }
6fbf66fa 1681 }
81d882d5 1682#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 1683}
1684
1685/*
1686 * Possibly add routes and/or call route-up script
1687 * based on options.
1688 */
e04c2536 1689bool
81d882d5
DS		 1690do_route(const struct options *options,
1691 struct route_list *route_list,
1692 struct route_ipv6_list *route_ipv6_list,
1693 const struct tuntap *tt,
1694 const struct plugin_list *plugins,
aec4a3d1
AQ		 1695 struct env_set *es,
1696 openvpn_net_ctx_t *ctx)
6fbf66fa 1697{
e04c2536 1698 bool ret = true;
81d882d5 1699 if (!options->route_noexec && ( route_list || route_ipv6_list ) )
15be3202 1700 {
e04c2536
SN		 1701 ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options),
1702 es, ctx);
81d882d5 1703 setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
15be3202
JY		 1704 }
1705#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 1706 if (management)
1707 {
1708 management_up_down(management, "UP", es);
1709 }
15be3202 1710#endif
6fbf66fa 1711
81d882d5 1712 if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP))
6fbf66fa 1713 {
81d882d5
DS		 1714 if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1715 {
1716 msg(M_WARN, "WARNING: route-up plugin call failed");
1717 }
6fbf66fa
JY		 1718 }
1719
81d882d5 1720 if (options->route_script)
6fbf66fa 1721 {
81d882d5
DS		 1722 struct argv argv = argv_new();
1723 setenv_str(es, "script_type", "route-up");
1724 argv_parse_cmd(&argv, options->route_script);
1725 openvpn_run_script(&argv, es, 0, "--route-up");
870e2405 1726 argv_free(&argv);
6fbf66fa
JY		 1727 }
1728
445b192a 1729#ifdef _WIN32
81d882d5 1730 if (options->show_net_up)
6fbf66fa 1731 {
81d882d5
DS		 1732 show_routes(M_INFO|M_NOPREFIX);
1733 show_adapters(M_INFO|M_NOPREFIX);
6fbf66fa 1734 }
81d882d5 1735 else if (check_debug_level(D_SHOW_NET))
6fbf66fa 1736 {
81d882d5
DS		 1737 show_routes(D_SHOW_NET|M_NOPREFIX);
1738 show_adapters(D_SHOW_NET|M_NOPREFIX);
6fbf66fa
JY		 1739 }
1740#endif
e04c2536 1741 return ret;
6fbf66fa
JY		 1742}
1743
6fbf66fa
JY		 1744/*
1745 * initialize tun/tap device object
1746 */
1747static void
81d882d5 1748do_init_tun(struct context *c)
6fbf66fa 1749{
81d882d5
DS		 1750 c->c1.tuntap = init_tun(c->options.dev,
1751 c->options.dev_type,
1752 c->options.topology,
1753 c->options.ifconfig_local,
1754 c->options.ifconfig_remote_netmask,
1755 c->options.ifconfig_ipv6_local,
1756 c->options.ifconfig_ipv6_netbits,
1757 c->options.ifconfig_ipv6_remote,
1758 c->c1.link_socket_addr.bind_local,
1759 c->c1.link_socket_addr.remote_list,
1760 !c->options.ifconfig_nowarn,
dc7fcd71 1761 c->c2.es,
3adbc5c6
AQ		 1762 &c->net_ctx,
1763 c->c1.tuntap);
81d882d5 1764
c0658271 1765#ifdef _WIN32
36215dc5 1766 c->c1.tuntap->windows_driver = c->options.windows_driver;
c0658271
LS		 1767#endif
1768
81d882d5
DS		 1769 init_tun_post(c->c1.tuntap,
1770 &c->c2.frame,
1771 &c->options.tuntap_options);
1772
1773 c->c1.tuntap_owned = true;
6fbf66fa
JY		 1774}
1775
1776/*
1777 * Open tun/tap device, ifconfig, call up script, etc.
1778 */
1779
bd139689
AQ		 1780
1781static bool
1782can_preserve_tun(struct tuntap *tt)
1783{
1784#ifdef TARGET_ANDROID
1785 return false;
1786#else
3adbc5c6 1787 return is_tun_type_set(tt);
bd139689
AQ		 1788#endif
1789}
1790
6fbf66fa 1791static bool
e04c2536 1792do_open_tun(struct context *c, int *error_flags)
6fbf66fa 1793{
81d882d5
DS		 1794 struct gc_arena gc = gc_new();
1795 bool ret = false;
e04c2536 1796 *error_flags = 0;
6fbf66fa 1797
bd139689 1798 if (!can_preserve_tun(c->c1.tuntap))
6fbf66fa 1799 {
bd14d55d 1800#ifdef TARGET_ANDROID
bd139689
AQ		 1801 /* If we emulate persist-tun on android we still have to open a new tun and
1802 * then close the old */
1803 int oldtunfd = -1;
1804 if (c->c1.tuntap)
1805 {
1806 oldtunfd = c->c1.tuntap->fd;
1807 free(c->c1.tuntap);
1808 c->c1.tuntap = NULL;
1809 c->c1.tuntap_owned = false;
1810 }
bd14d55d
AS		 1811#endif
1812
bd139689
AQ		 1813 /* initialize (but do not open) tun/tap object */
1814 do_init_tun(c);
6fbf66fa 1815
bd139689
AQ		 1816 /* inherit the dco context from the tuntap object */
1817 if (c->c2.tls_multi)
1818 {
1819 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
1820 }
a2d851d4 1821
445b192a 1822#ifdef _WIN32
bd139689
AQ		 1823 /* store (hide) interactive service handle in tuntap_options */
1824 c->c1.tuntap->options.msg_channel = c->options.msg_channel;
9c52e0c6
AS		 1825 msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR,
1826 (intptr_t) c->options.msg_channel);
81d882d5
DS		 1827#endif
1828
bd139689
AQ		 1829 /* allocate route list structure */
1830 do_alloc_route_list(c);
81d882d5 1831
bd139689
AQ		 1832 /* parse and resolve the route option list */
1833 ASSERT(c->c2.link_socket);
1834 if (c->options.routes && c->c1.route_list)
1835 {
1836 do_init_route_list(&c->options, c->c1.route_list,
1837 &c->c2.link_socket->info, c->c2.es, &c->net_ctx);
1838 }
1839 if (c->options.routes_ipv6 && c->c1.route_ipv6_list)
1840 {
1841 do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list,
1842 &c->c2.link_socket->info, c->c2.es,
1843 &c->net_ctx);
1844 }
81d882d5 1845
bd139689
AQ		 1846 /* do ifconfig */
1847 if (!c->options.ifconfig_noexec
1848 && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)
1849 {
1850 /* guess actual tun/tap unit number that will be returned
1851 * by open_tun */
1852 const char *guess = guess_tuntap_dev(c->options.dev,
1853 c->options.dev_type,
1854 c->options.dev_node,
1855 &gc);
1856 do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es,
1857 &c->net_ctx);
1858 }
81d882d5 1859
bd139689
AQ		 1860 /* possibly add routes */
1861 if (route_order() == ROUTE_BEFORE_TUN)
1862 {
1863 /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
e04c2536
SN		 1864 bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1865 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1866 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
bd139689 1867 }
c058cbff 1868#ifdef TARGET_ANDROID
bd139689
AQ		 1869 /* Store the old fd inside the fd so open_tun can use it */
1870 c->c1.tuntap->fd = oldtunfd;
81d882d5 1871#endif
bd139689 1872 if (dco_enabled(&c->options))
81d882d5 1873 {
bd139689 1874 ovpn_dco_init(c->mode, &c->c1.tuntap->dco);
81d882d5 1875 }
38c85658 1876
bd139689
AQ		 1877 /* open the tun device */
1878 open_tun(c->options.dev, c->options.dev_type, c->options.dev_node,
1879 c->c1.tuntap, &c->net_ctx);
6fbf66fa 1880
bd139689
AQ		 1881 /* set the hardware address */
1882 if (c->options.lladdr)
1883 {
1884 set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr,
1885 c->c2.es);
1886 }
6fbf66fa 1887
bd139689
AQ		 1888 /* do ifconfig */
1889 if (!c->options.ifconfig_noexec
1890 && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)
1891 {
1892 do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name,
1893 c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx);
1894 }
db950be8 1895
bd139689 1896 /* run the up script */
81d882d5
DS		 1897 run_up_down(c->options.up_script,
1898 c->plugins,
1899 OPENVPN_PLUGIN_UP,
1900 c->c1.tuntap->actual_name,
445b192a 1901#ifdef _WIN32
81d882d5
DS		 1902 c->c1.tuntap->adapter_index,
1903#endif
1904 dev_type_string(c->options.dev, c->options.dev_type),
364b7b4f 1905 c->c2.frame.tun_mtu,
81d882d5
DS		 1906 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1907 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
bd139689 1908 "init",
81d882d5
DS		 1909 NULL,
1910 "up",
1911 c->c2.es);
bd139689 1912
445b192a 1913#if defined(_WIN32)
bd139689 1914 if (c->options.block_outside_dns)
451d2177 1915 {
bd139689
AQ		 1916 dmsg(D_LOW, "Blocking outside DNS");
1917 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1918 {
1919 msg(M_FATAL, "Blocking DNS failed!");
1920 }
1921 }
1922#endif
1923
1924 /* possibly add routes */
1925 if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
1926 {
e04c2536
SN		 1927 int status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1928 c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx);
1929 *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS);
451d2177 1930 }
bd139689
AQ		 1931
1932 ret = true;
1933 static_context = c;
6fbf66fa 1934 }
bd139689
AQ		 1935 else
1936 {
1937 msg(M_INFO, "Preserving previous TUN/TAP instance: %s",
1938 c->c1.tuntap->actual_name);
1939
1940 /* explicitly set the ifconfig_* env vars */
1941 do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1942
1943 /* run the up script if user specified --up-restart */
1944 if (c->options.up_restart)
1945 {
1946 run_up_down(c->options.up_script,
1947 c->plugins,
1948 OPENVPN_PLUGIN_UP,
1949 c->c1.tuntap->actual_name,
1950#ifdef _WIN32
1951 c->c1.tuntap->adapter_index,
1952#endif
1953 dev_type_string(c->options.dev, c->options.dev_type),
1954 c->c2.frame.tun_mtu,
1955 print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1956 print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1957 "restart",
1958 NULL,
1959 "up",
1960 c->c2.es);
1961 }
1962#if defined(_WIN32)
1963 if (c->options.block_outside_dns)
1964 {
1965 dmsg(D_LOW, "Blocking outside DNS");
1966 if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel))
1967 {
1968 msg(M_FATAL, "Blocking DNS failed!");
1969 }
1970 }
bd14d55d 1971#endif
81d882d5 1972
bd139689 1973 }
81d882d5
DS		 1974 gc_free(&gc);
1975 return ret;
6fbf66fa
JY		 1976}
1977
1978/*
1979 * Close TUN/TAP device
1980 */
1981
1982static void
81d882d5 1983do_close_tun_simple(struct context *c)
6fbf66fa 1984{
77829be2
AQ		 1985 msg(D_CLOSE, "Closing %s interface",
1986 dco_enabled(&c->options) ? "DCO" : "TUN/TAP");
1987
0bea472c
AQ		 1988 if (c->c1.tuntap)
1989 {
0c4d40cb
MF		 1990 if (!c->options.ifconfig_noexec)
1991 {
1992 undo_ifconfig(c->c1.tuntap, &c->net_ctx);
1993 }
dc7fcd71 1994 close_tun(c->c1.tuntap, &c->net_ctx);
0bea472c
AQ		 1995 c->c1.tuntap = NULL;
1996 }
81d882d5 1997 c->c1.tuntap_owned = false;
81d882d5 1998 CLEAR(c->c1.pulled_options_digest_save);
6fbf66fa
JY		 1999}
2000
2001static void
81d882d5 2002do_close_tun(struct context *c, bool force)
6fbf66fa 2003{
3adbc5c6
AQ		 2004 /* With dco-win we open tun handle in the very beginning.
2005 * In case when tun wasn't opened - like we haven't connected,
2006 * we still need to close tun handle
2007 */
2008 if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap))
2009 {
2010 do_close_tun_simple(c);
2011 return;
2012 }
2013
c05a0502 2014 if (!c->c1.tuntap || !c->c1.tuntap_owned)
6fbf66fa 2015 {
c05a0502
AQ		 2016 return;
2017 }
2018
2019 struct gc_arena gc = gc_new();
2020 const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc);
445b192a 2021#ifdef _WIN32
c05a0502 2022 DWORD adapter_index = c->c1.tuntap->adapter_index;
9dff2c1f 2023#endif
c05a0502
AQ		 2024 const in_addr_t local = c->c1.tuntap->local;
2025 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
6fbf66fa 2026
c05a0502
AQ		 2027 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
2028 {
2029 static_context = NULL;
0c9eb1d3 2030
6fbf66fa 2031#ifdef ENABLE_MANAGEMENT
c05a0502
AQ		 2032 /* tell management layer we are about to close the TUN/TAP device */
2033 if (management)
2034 {
2035 management_pre_tunnel_close(management);
2036 management_up_down(management, "DOWN", c->c2.es);
2037 }
81d882d5 2038#endif
6fbf66fa 2039
c05a0502
AQ		 2040 /* delete any routes we added */
2041 if (c->c1.route_list || c->c1.route_ipv6_list)
2042 {
2043 run_up_down(c->options.route_predown_script,
81d882d5 2044 c->plugins,
c05a0502 2045 OPENVPN_PLUGIN_ROUTE_PREDOWN,
81d882d5 2046 tuntap_actual,
445b192a 2047#ifdef _WIN32
81d882d5
DS		 2048 adapter_index,
2049#endif
2050 NULL,
364b7b4f 2051 c->c2.frame.tun_mtu,
81d882d5
DS		 2052 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2053 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2054 "init",
2055 signal_description(c->sig->signal_received,
2056 c->sig->signal_text),
c05a0502 2057 "route-pre-down",
81d882d5 2058 c->c2.es);
6fbf66fa 2059
c05a0502
AQ		 2060 delete_routes(c->c1.route_list, c->c1.route_ipv6_list,
2061 c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
2062 c->c2.es, &c->net_ctx);
2063 }
2064
2065 /* actually close tun/tap device based on --down-pre flag */
2066 if (!c->options.down_pre)
2067 {
2068 do_close_tun_simple(c);
2069 }
2070
2071 /* Run the down script -- note that it will run at reduced
a6664825 2072 * privilege if, for example, "--user" was used. */
c05a0502
AQ		 2073 run_up_down(c->options.down_script,
2074 c->plugins,
2075 OPENVPN_PLUGIN_DOWN,
2076 tuntap_actual,
2077#ifdef _WIN32
2078 adapter_index,
2079#endif
2080 NULL,
2081 c->c2.frame.tun_mtu,
2082 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2083 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2084 "init",
2085 signal_description(c->sig->signal_received,
2086 c->sig->signal_text),
2087 "down",
2088 c->c2.es);
2089
445b192a 2090#if defined(_WIN32)
c05a0502
AQ		 2091 if (c->options.block_outside_dns)
2092 {
2093 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
38c85658 2094 {
c05a0502 2095 msg(M_FATAL, "Uninitialising WFP failed!");
38c85658 2096 }
c05a0502 2097 }
38c85658
V		 2098#endif
2099
c05a0502
AQ		 2100 /* actually close tun/tap device based on --down-pre flag */
2101 if (c->options.down_pre)
2102 {
2103 do_close_tun_simple(c);
81d882d5 2104 }
c05a0502
AQ		 2105 }
2106 else
2107 {
2108 /* run the down script on this restart if --up-restart was specified */
2109 if (c->options.up_restart)
81d882d5 2110 {
c05a0502
AQ		 2111 run_up_down(c->options.down_script,
2112 c->plugins,
2113 OPENVPN_PLUGIN_DOWN,
2114 tuntap_actual,
445b192a 2115#ifdef _WIN32
c05a0502 2116 adapter_index,
81d882d5 2117#endif
c05a0502
AQ		 2118 NULL,
2119 c->c2.frame.tun_mtu,
2120 print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc),
2121 print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
2122 "restart",
2123 signal_description(c->sig->signal_received,
2124 c->sig->signal_text),
2125 "down",
2126 c->c2.es);
2127 }
451d2177 2128
445b192a 2129#if defined(_WIN32)
c05a0502
AQ		 2130 if (c->options.block_outside_dns)
2131 {
2132 if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
451d2177 2133 {
c05a0502 2134 msg(M_FATAL, "Uninitialising WFP failed!");
451d2177 2135 }
c05a0502 2136 }
451d2177
SN		 2137#endif
2138
6fbf66fa 2139 }
81d882d5 2140 gc_free(&gc);
6fbf66fa
JY		 2141}
2142
0c9eb1d3 2143void
e2a0cad4 2144tun_abort(void)
0c9eb1d3 2145{
81d882d5
DS		 2146 struct context *c = static_context;
2147 if (c)
0c9eb1d3 2148 {
81d882d5
DS		 2149 static_context = NULL;
2150 do_close_tun(c, true);
0c9eb1d3
JY		 2151 }
2152}
2153
6fbf66fa
JY		 2154/*
2155 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
2156 */
2157
827de237
SK		 2158/**
2159 * Helper for do_up(). Take two option hashes and return true if they are not
2160 * equal, or either one is all-zeroes.
2161 */
2162static bool
5b48e8c9
SK		 2163options_hash_changed_or_zero(const struct sha256_digest *a,
2164 const struct sha256_digest *b)
827de237 2165{
5b48e8c9
SK		 2166 const struct sha256_digest zero = {{0}};
2167 return memcmp(a, b, sizeof(struct sha256_digest))
2168 || !memcmp(a, &zero, sizeof(struct sha256_digest));
827de237 2169}
827de237 2170
7c66a6da
AS		 2171static bool
2172p2p_set_dco_keepalive(struct context *c)
2173{
2174 if (dco_enabled(&c->options)
2175 && (c->options.ping_send_timeout || c->c2.frame.mss_fix))
2176 {
2177 int ret = dco_set_peer(&c->c1.tuntap->dco,
2178 c->c2.tls_multi->dco_peer_id,
2179 c->options.ping_send_timeout,
2180 c->options.ping_rec_timeout,
2181 c->c2.frame.mss_fix);
2182 if (ret < 0)
2183 {
2184 msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s",
2185 c->c2.tls_multi->dco_peer_id, strerror(-ret));
2186 return false;
2187 }
2188 }
2189 return true;
2190}
c333a0c0
AS		 2191
2192/**
2193 * Helper function for tls_print_deferred_options_results
2194 * Adds the ", " delimitor if there already some data in the
2195 * buffer.
2196 */
2197static void
2198add_delim_if_non_empty(struct buffer *buf, const char *header)
2199{
2200 if (buf_len(buf) > strlen(header))
2201 {
2202 buf_printf(buf, ", ");
2203 }
2204}
2205
2206
2207/**
2208 * Prints the results of options imported for the data channel
2209 * @param o
2210 */
2211static void
2212tls_print_deferred_options_results(struct context *c)
2213{
2214 struct options *o = &c->options;
2215
2216 struct buffer out;
2217 uint8_t line[1024] = { 0 };
2218 buf_set_write(&out, line, sizeof(line));
2219
2220
2221 if (cipher_kt_mode_aead(o->ciphername))
2222 {
2223 buf_printf(&out, "Data Channel: cipher '%s'",
2224 cipher_kt_name(o->ciphername));
2225 }
2226 else
2227 {
2228 buf_printf(&out, "Data Channel: cipher '%s', auth '%s'",
2229 cipher_kt_name(o->ciphername), md_kt_name(o->authname));
2230 }
2231
2232 if (o->use_peer_id)
2233 {
2234 buf_printf(&out, ", peer-id: %d", o->peer_id);
2235 }
2236
2237#ifdef USE_COMP
2238 if (c->c2.comp_context)
2239 {
2240 buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name);
2241 }
2242#endif
2243
2244 msg(D_HANDSHAKE, "%s", BSTR(&out));
2245
2246 buf_clear(&out);
2247
2248 const char *header = "Timers: ";
2249
2250 buf_printf(&out, "%s", header);
2251
2252 if (o->ping_send_timeout)
2253 {
2254 buf_printf(&out, "ping %d", o->ping_send_timeout);
2255 }
2256
2257 if (o->ping_rec_timeout_action != PING_UNDEF)
2258 {
2259 /* yes unidirectional ping is possible .... */
2260 add_delim_if_non_empty(&out, header);
2261
2262 if (o->ping_rec_timeout_action == PING_EXIT)
2263 {
2264 buf_printf(&out, "ping-exit %d", o->ping_rec_timeout);
2265 }
2266 else
2267 {
2268 buf_printf(&out, "ping-restart %d", o->ping_rec_timeout);
2269 }
2270 }
2271
2272 if (o->inactivity_timeout)
2273 {
2274 add_delim_if_non_empty(&out, header);
2275
2276 buf_printf(&out, "inactive %d", o->inactivity_timeout);
2277 if (o->inactivity_minimum_bytes)
2278 {
2279 buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes);
2280 }
2281 }
2282
2283 if (o->session_timeout)
2284 {
2285 add_delim_if_non_empty(&out, header);
2286 buf_printf(&out, "session-timeout %d", o->session_timeout);
2287 }
2288
2289 if (buf_len(&out) > strlen(header))
2290 {
2291 msg(D_HANDSHAKE, "%s", BSTR(&out));
2292 }
2293
2294 buf_clear(&out);
2295 header = "Protocol options: ";
2296 buf_printf(&out, "%s", header);
2297
2298 if (c->options.ce.explicit_exit_notification)
2299 {
2300 buf_printf(&out, "explicit-exit-notify %d",
2301 c->options.ce.explicit_exit_notification);
2302 }
2303 if (c->options.imported_protocol_flags)
2304 {
2305 add_delim_if_non_empty(&out, header);
2306
2307 buf_printf(&out, "protocol-flags");
2308
2309 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
2310 {
2311 buf_printf(&out, " cc-exit");
2312 }
2313 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
2314 {
2315 buf_printf(&out, " tls-ekm");
2316 }
6a05768a
AS		 2317 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
2318 {
2319 buf_printf(&out, " dyn-tls-crypt");
2320 }
c333a0c0
AS		 2321 }
2322
2323 if (buf_len(&out) > strlen(header))
2324 {
2325 msg(D_HANDSHAKE, "%s", BSTR(&out));
2326 }
2327}
2328
2329
6b9f4d71
AQ		 2330/**
2331 * This function is expected to be invoked after open_tun() was performed.
2332 *
2333 * This kind of behaviour is required by DCO, because the following operations
2334 * can be done only after the DCO device was created and the new peer was
2335 * properly added.
2336 */
2337static bool
2338do_deferred_options_part2(struct context *c)
2339{
2340 struct frame *frame_fragment = NULL;
2341#ifdef ENABLE_FRAGMENT
2342 if (c->options.ce.fragment)
2343 {
2344 frame_fragment = &c->c2.frame_fragment;
2345 }
2346#endif
2347
2348 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2349 if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
2350 &c->options, &c->c2.frame,
2351 frame_fragment,
2352 get_link_socket_info(c)))
2353 {
2354 msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
2355 return false;
2356 }
2357
2358 return true;
2359}
2360
d728ebed 2361bool
81d882d5 2362do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
6fbf66fa 2363{
e04c2536 2364 int error_flags = 0;
81d882d5 2365 if (!c->c2.do_up_ran)
6fbf66fa 2366 {
81d882d5 2367 reset_coarse_timers(c);
6fbf66fa 2368
bd230079 2369 if (pulled_options)
81d882d5
DS		 2370 {
2371 if (!do_deferred_options(c, option_types_found))
2372 {
2373 msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options");
2374 return false;
2375 }
2376 }
6fbf66fa 2377
81d882d5
DS		 2378 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
2379 if (c->options.up_delay || PULL_DEFINED(&c->options))
2380 {
e04c2536 2381 c->c2.did_open_tun = do_open_tun(c, &error_flags);
81d882d5 2382 update_time();
6fbf66fa 2383
81d882d5
DS		 2384 /*
2385 * Was tun interface object persisted from previous restart iteration,
2386 * and if so did pulled options string change from previous iteration?
2387 */
2388 if (!c->c2.did_open_tun
2389 && PULL_DEFINED(&c->options)
2390 && c->c1.tuntap
2391 && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save,
2392 &c->c2.pulled_options_digest))
2393 {
2394 /* if so, close tun, delete routes, then reinitialize tun and add routes */
2395 msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
cac18de7
LS		 2396
2397 bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap);
81d882d5 2398 do_close_tun(c, true);
cac18de7
LS		 2399
2400 if (tt_dco_win)
2401 {
2402 msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device");
2403 /* prevent link_socket_close() from closing handle with WinSock API */
2404 c->c2.link_socket->sd = SOCKET_UNDEFINED;
2405 return false;
2406 }
2407 else
2408 {
2409 management_sleep(1);
e04c2536 2410 c->c2.did_open_tun = do_open_tun(c, &error_flags);
cac18de7
LS		 2411 update_time();
2412 }
81d882d5 2413 }
81d882d5 2414 }
cde3edb1 2415 }
81d882d5 2416
cde3edb1
AS		 2417 /* This part needs to be run in p2p mode (without pull) when the client
2418 * reconnects to setup various things (like DCO and NCP cipher) that
2419 * might have changed from the previous connection.
2420 */
2421 if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING))
2422 {
b6f7b285
AQ		 2423 if (c->mode == MODE_POINT_TO_POINT)
2424 {
2425 /* ovpn-dco requires adding the peer now, before any option can be set,
2426 * but *after* having parsed the pushed peer-id in do_deferred_options()
2427 */
2428 int ret = dco_p2p_add_new_peer(c);
2429 if (ret < 0)
2430 {
2431 msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2432 return false;
2433 }
2434 }
2435
6b9f4d71
AQ		 2436 /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be
2437 * invoked after open_tun().
2438 * This is required by DCO because we must have created the interface
2439 * and added the peer before we can fiddle with the keys or any other
2440 * data channel per-peer setting.
2441 */
2442 if (pulled_options)
2443 {
2444 if (!do_deferred_options_part2(c))
2445 {
2446 return false;
2447 }
2448 }
2449 else
2450 {
2451 if (c->mode == MODE_POINT_TO_POINT)
2452 {
2453 if (!do_deferred_p2p_ncp(c))
2454 {
2455 msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
2456 return false;
2457 }
2458 }
2459 }
2460
7c66a6da
AS		 2461 if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c))
2462 {
2463 msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters");
2464 return false;
2465 }
2466
81d882d5
DS		 2467 if (c->c2.did_open_tun)
2468 {
81d882d5 2469 c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
81d882d5
DS		 2470
2471 /* if --route-delay was specified, start timer */
2472 if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined)
2473 {
2474 event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now);
2475 event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
2476 if (c->c1.tuntap)
2477 {
2478 tun_standby_init(c->c1.tuntap);
2479 }
2480 }
2481 else
2482 {
e04c2536 2483 initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */
81d882d5
DS		 2484 }
2485 }
2486 else if (c->options.mode == MODE_POINT_TO_POINT)
2487 {
e04c2536 2488 initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */
81d882d5
DS		 2489 }
2490
c333a0c0
AS		 2491 tls_print_deferred_options_results(c);
2492
81d882d5 2493 c->c2.do_up_ran = true;
34b42549
AS		 2494 if (c->c2.tls_multi)
2495 {
2496 c->c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2497 }
81d882d5
DS		 2498 }
2499 return true;
6fbf66fa
JY		 2500}
2501
2502/*
2503 * These are the option categories which will be accepted by pull.
2504 */
2505unsigned int
81d882d5
DS		 2506pull_permission_mask(const struct context *c)
2507{
2508 unsigned int flags =
2509 OPT_P_UP
2510 | OPT_P_ROUTE_EXTRAS
2511 | OPT_P_SOCKBUF
2512 | OPT_P_SOCKFLAGS
2513 | OPT_P_SETENV
2514 | OPT_P_SHAPER
2515 | OPT_P_TIMER
2516 | OPT_P_COMP
2517 | OPT_P_PERSIST
2518 | OPT_P_MESSAGES
2519 | OPT_P_EXPLICIT_NOTIFY
2520 | OPT_P_ECHO
2521 | OPT_P_PULL_MODE
caacd629 2522 | OPT_P_PEER_ID
01aed6a5
AS		 2523 | OPT_P_NCP
2524 | OPT_P_PUSH_MTU;
81d882d5
DS		 2525
2526 if (!c->options.route_nopull)
2527 {
8a7d0005 2528 flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS);
81d882d5 2529 }
3c7f2f55 2530
81d882d5 2531 return flags;
6fbf66fa
JY		 2532}
2533
8c72d798
AS		 2534static bool
2535do_deferred_p2p_ncp(struct context *c)
2536{
2537 if (!c->c2.tls_multi)
2538 {
2539 return true;
2540 }
2541
0d46c496
LS		 2542 c->options.use_peer_id = c->c2.tls_multi->use_peer_id;
2543
8c72d798
AS		 2544 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2545
2546 const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info,
2547 &c->options.gc);
2548
2549 if (ncp_cipher)
2550 {
2551 c->options.ciphername = ncp_cipher;
2552 }
2553 else if (!c->options.enable_ncp_fallback)
2554 {
2555 msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
abe49856
DS		 2556 "--data-ciphers-fallback not enabled. No usable "
2557 "data channel cipher");
8c72d798
AS		 2558 return false;
2559 }
2560
2561 struct frame *frame_fragment = NULL;
2562#ifdef ENABLE_FRAGMENT
2563 if (c->options.ce.fragment)
2564 {
2565 frame_fragment = &c->c2.frame_fragment;
2566 }
2567#endif
2568
6a5612fe
AQ		 2569 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2570 &c->c2.frame, frame_fragment,
2571 get_link_socket_info(c)))
8c72d798
AS		 2572 {
2573 msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
2574 return false;
2575 }
2576 return true;
2577}
2578
6fbf66fa
JY		 2579/*
2580 * Handle non-tun-related pulled options.
2581 */
d728ebed 2582bool
81d882d5 2583do_deferred_options(struct context *c, const unsigned int found)
6fbf66fa 2584{
81d882d5 2585 if (found & OPT_P_MESSAGES)
6fbf66fa 2586 {
81d882d5
DS		 2587 init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2);
2588 msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
6fbf66fa 2589 }
81d882d5 2590 if (found & OPT_P_TIMER)
6fbf66fa 2591 {
81d882d5 2592 do_init_timers(c, true);
c333a0c0 2593 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified");
6fbf66fa
JY		 2594 }
2595
81d882d5 2596 if (found & OPT_P_EXPLICIT_NOTIFY)
6fbf66fa 2597 {
81d882d5
DS		 2598 if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
2599 {
2600 msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2601 c->options.ce.explicit_exit_notification = 0;
2602 }
2603 else
2604 {
c333a0c0 2605 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified");
81d882d5 2606 }
6fbf66fa 2607 }
6fbf66fa 2608
81d882d5 2609 if (found & OPT_P_COMP)
537073fd 2610 {
e86bc8b2
AS		 2611 if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS))
2612 {
2613 msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression "
2614 "settings that are not allowed and will result "
2615 "in a non-working connection. "
2616 "See also allow-compression in the manual.");
2617 return false;
2618 }
a8170dd0 2619#ifdef USE_COMP
c333a0c0 2620 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified");
81d882d5
DS		 2621 comp_uninit(c->c2.comp_context);
2622 c->c2.comp_context = comp_init(&c->options.comp);
537073fd 2623#endif
a8170dd0 2624 }
537073fd 2625
81d882d5 2626 if (found & OPT_P_SHAPER)
6fbf66fa 2627 {
81d882d5
DS		 2628 msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
2629 do_init_traffic_shaper(c);
6fbf66fa
JY		 2630 }
2631
81d882d5 2632 if (found & OPT_P_SOCKBUF)
00d39170 2633 {
81d882d5
DS		 2634 msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2635 link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
00d39170
JY		 2636 }
2637
81d882d5 2638 if (found & OPT_P_SOCKFLAGS)
00d39170 2639 {
81d882d5
DS		 2640 msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
2641 link_socket_update_flags(c->c2.link_socket, c->options.sockflags);
00d39170
JY		 2642 }
2643
81d882d5
DS		 2644 if (found & OPT_P_PERSIST)
2645 {
2646 msg(D_PUSH, "OPTIONS IMPORT: --persist options modified");
2647 }
2648 if (found & OPT_P_UP)
2649 {
2650 msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
2651 }
2652 if (found & OPT_P_ROUTE)
2653 {
2654 msg(D_PUSH, "OPTIONS IMPORT: route options modified");
2655 }
2656 if (found & OPT_P_ROUTE_EXTRAS)
2657 {
2658 msg(D_PUSH, "OPTIONS IMPORT: route-related options modified");
2659 }
8a7d0005 2660 if (found & OPT_P_DHCPDNS)
81d882d5
DS		 2661 {
2662 msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2663 }
2664 if (found & OPT_P_SETENV)
2665 {
2666 msg(D_PUSH, "OPTIONS IMPORT: environment modified");
2667 }
65eedc35 2668
81d882d5
DS		 2669 if (found & OPT_P_PEER_ID)
2670 {
c333a0c0 2671 msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set");
81d882d5
DS		 2672 c->c2.tls_multi->use_peer_id = true;
2673 c->c2.tls_multi->peer_id = c->options.peer_id;
81d882d5
DS		 2674 }
2675
f9ef554a 2676 /* process (potentially) pushed options */
81d882d5
DS		 2677 if (c->options.pull)
2678 {
2c1d8c33 2679 if (!check_pull_client_ncp(c, found))
81d882d5 2680 {
2c1d8c33 2681 return false;
81d882d5 2682 }
c7ca9133 2683
f9ef554a
AQ		 2684 /* Check if pushed options are compatible with DCO, if enabled */
2685 if (dco_enabled(&c->options)
2686 && !dco_check_pull_options(D_PUSH_ERRORS, &c->options))
2687 {
2688 msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible "
2689 "with data channel offload. Use --disable-dco to connect to "
2690 "this server");
2691 return false;
2692 }
46f6a7e8
AQ		 2693 }
2694
01aed6a5
AS		 2695 if (found & OPT_P_PUSH_MTU)
2696 {
2697 /* MTU has changed, check that the pushed MTU is small enough to
2698 * be able to change it */
2699 msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu);
2700
2701 struct frame *frame = &c->c2.frame;
2702
2703 if (c->options.ce.tun_mtu > frame->tun_max_mtu)
2704 {
2705 msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add "
2706 "tun-mtu-max %d in the client configuration",
2707 c->options.ce.tun_mtu);
2708 }
2709 frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu);
2710 }
2711
81d882d5 2712 return true;
6fbf66fa
JY		 2713}
2714
2715/*
396d30c2
AS		 2716 * Possible hold on initialization, holdtime is the
2717 * time OpenVPN would wait without management
6fbf66fa
JY		 2718 */
2719static bool
81d882d5 2720do_hold(int holdtime)
6fbf66fa
JY		 2721{
2722#ifdef ENABLE_MANAGEMENT
81d882d5 2723 if (management)
6fbf66fa 2724 {
81d882d5
DS		 2725 /* block until management hold is released */
2726 if (management_hold(management, holdtime))
2727 {
2728 return true;
2729 }
6fbf66fa
JY		 2730 }
2731#endif
81d882d5 2732 return false;
6fbf66fa
JY		 2733}
2734
2735/*
2736 * Sleep before restart.
2737 */
2738static void
81d882d5 2739socket_restart_pause(struct context *c)
6fbf66fa 2740{
81d882d5
DS		 2741 int sec = 2;
2742 int backoff = 0;
6fbf66fa 2743
81d882d5 2744 switch (c->options.ce.proto)
6fbf66fa 2745 {
81d882d5
DS		 2746 case PROTO_TCP_SERVER:
2747 sec = 1;
2748 break;
2749
2750 case PROTO_UDP:
2751 case PROTO_TCP_CLIENT:
2752 sec = c->options.ce.connect_retry_seconds;
2753 break;
6fbf66fa
JY		 2754 }
2755
2756#ifdef ENABLE_DEBUG
81d882d5
DS		 2757 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin))
2758 {
2759 sec = 0;
2760 }
6fbf66fa
JY		 2761#endif
2762
81d882d5
DS		 2763 if (auth_retry_get() == AR_NOINTERACT)
2764 {
2765 sec = 10;
2766 }
6fbf66fa 2767
063d55af
SN		 2768 /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */
2769 if (c->options.ce.proto == PROTO_TCP_CLIENT
2770 || (c->options.ce.proto == PROTO_UDP && c->options.tls_client))
5d429efd 2771 {
81d882d5
DS		 2772 backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4;
2773 if (backoff > 0)
5d429efd 2774 {
81d882d5
DS		 2775 /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */
2776 sec = max_int(sec, 1) << min_int(backoff, 15);
5d429efd 2777 }
c9474fa3
AS		 2778 if (c->options.server_backoff_time)
2779 {
2780 sec = max_int(sec, c->options.server_backoff_time);
2781 c->options.server_backoff_time = 0;
2782 }
5d429efd 2783
81d882d5
DS		 2784 if (sec > c->options.ce.connect_retry_seconds_max)
2785 {
2786 sec = c->options.ce.connect_retry_seconds_max;
2787 }
5d429efd
SN		 2788 }
2789
81d882d5
DS		 2790 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
2791 {
2792 sec = c->persist.restart_sleep_seconds;
2793 }
2794 else if (c->persist.restart_sleep_seconds == -1)
2795 {
2796 sec = 0;
2797 }
2798 c->persist.restart_sleep_seconds = 0;
a9c802b2 2799
ccb636c7 2800 /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */
81d882d5
DS		 2801 if (do_hold(sec))
2802 {
2803 sec = 0;
2804 }
6fbf66fa 2805
81d882d5 2806 if (sec)
6fbf66fa 2807 {
81d882d5 2808 msg(D_RESTART, "Restart pause, %d second(s)", sec);
45b2af9c 2809 management_sleep(sec);
6fbf66fa
JY		 2810 }
2811}
2812
2813/*
2814 * Do a possible pause on context_2 initialization.
2815 */
2816static void
81d882d5 2817do_startup_pause(struct context *c)
6fbf66fa 2818{
81d882d5
DS		 2819 if (!c->first_time)
2820 {
2821 socket_restart_pause(c);
2822 }
2823 else
2824 {
2825 do_hold(0); /* do management hold on first context initialization */
2826 }
6fbf66fa
JY		 2827}
2828
65a21eb1
AS		 2829static size_t
2830get_frame_mtu(struct context *c, const struct options *o)
2831{
2832 size_t mtu;
2833
2834 if (o->ce.link_mtu_defined)
2835 {
2836 ASSERT(o->ce.link_mtu_defined);
2837 /* if we have a link mtu defined we calculate what the old code
2838 * would have come up with as tun-mtu */
2839 size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type,
2840 o, true);
2841 mtu = o->ce.link_mtu - overhead;
2842
2843 }
2844 else
2845 {
2846 ASSERT(o->ce.tun_mtu_defined);
2847 mtu = o->ce.tun_mtu;
2848 }
2849
2850 if (mtu < TUN_MTU_MIN)
2851 {
6e375353 2852 msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN);
65a21eb1
AS		 2853 frame_print(&c->c2.frame, M_FATAL, "MTU is too small");
2854 }
2855 return mtu;
2856}
2857
6fbf66fa
JY		 2858/*
2859 * Finalize MTU parameters based on command line or config file options.
2860 */
2861static void
81d882d5 2862frame_finalize_options(struct context *c, const struct options *o)
6fbf66fa 2863{
81d882d5
DS		 2864 if (!o)
2865 {
2866 o = &c->options;
2867 }
6fbf66fa 2868
65a21eb1
AS		 2869 struct frame *frame = &c->c2.frame;
2870
2871 frame->tun_mtu = get_frame_mtu(c, o);
01aed6a5
AS		 2872 frame->tun_max_mtu = o->ce.tun_mtu_max;
2873
2874 /* max mtu needs to be at least as large as the tun mtu */
2875 frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu);
65a21eb1 2876
01aed6a5
AS		 2877 /* We always allow at least 1600 MTU packets to be received in our buffer
2878 * space to allow server to push "baby giant" MTU sizes */
2879 frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu);
2880
2881 size_t payload_size = frame->tun_max_mtu;
65a21eb1 2882
5f6ea597
AS		 2883 /* we need to be also large enough to hold larger control channel packets
2884 * if configured */
2885 payload_size = max_int(payload_size, o->ce.tls_mtu);
2886
65a21eb1
AS		 2887 /* The extra tun needs to be added to the payload size */
2888 if (o->ce.tun_mtu_defined)
2889 {
2890 payload_size += o->ce.tun_mtu_extra;
2891 }
2892
01aed6a5
AS		 2893 /* Add 32 byte of extra space in the buffer to account for small errors
2894 * in the calculation */
2895 payload_size += 32;
65a21eb1
AS		 2896
2897
2898 /* the space that is reserved before the payload to add extra headers to it
abe49856 2899 * we always reserve the space for the worst case */
65a21eb1
AS		 2900 size_t headroom = 0;
2901
2902 /* includes IV and packet ID */
2903 headroom += crypto_max_overhead();
2904
2905 /* peer id + opcode */
2906 headroom += 4;
2907
2908 /* socks proxy header */
2909 headroom += 10;
2910
2911 /* compression header and fragment header (part of the encrypted payload) */
2912 headroom += 1 + 1;
2913
2914 /* Round up headroom to the next multiple of 4 to ensure alignment */
2915 headroom = (headroom + 3) & ~3;
2916
2917 /* Add the headroom to the payloadsize as a received (IP) packet can have
2918 * all the extra headers in it */
2919 payload_size += headroom;
2920
2921 /* the space after the payload, this needs some extra buffer space for
2922 * encryption so headroom is probably too much but we do not really care
2923 * the few extra bytes */
2924 size_t tailroom = headroom;
2925
2926#ifdef USE_COMP
8c815699 2927 msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu "
abe49856
DS		 2928 "bytes of payload",
2929 COMP_EXTRA_BUFFER(payload_size), payload_size);
65a21eb1
AS		 2930 tailroom += COMP_EXTRA_BUFFER(payload_size);
2931#endif
2932
2933 frame->buf.payload_size = payload_size;
2934 frame->buf.headroom = headroom;
2935 frame->buf.tailroom = tailroom;
6fbf66fa
JY		 2936}
2937
2938/*
2939 * Free a key schedule, including OpenSSL components.
2940 */
2941static void
81d882d5 2942key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
6fbf66fa 2943{
81d882d5
DS		 2944 free_key_ctx_bi(&ks->static_key);
2945 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
6fbf66fa 2946 {
81d882d5 2947 tls_ctx_free(&ks->ssl_ctx);
fe39156a 2948 free_key_ctx(&ks->auth_token_key);
6fbf66fa 2949 }
81d882d5 2950 CLEAR(*ks);
6fbf66fa
JY		 2951}
2952
6fbf66fa 2953static void
81d882d5 2954init_crypto_pre(struct context *c, const unsigned int flags)
6fbf66fa 2955{
81d882d5
DS		 2956 if (c->options.engine)
2957 {
2958 crypto_init_lib_engine(c->options.engine);
2959 }
6fbf66fa 2960
81d882d5 2961 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
6fbf66fa 2962 {
81d882d5
DS		 2963 /* load a persisted packet-id for cross-session replay-protection */
2964 if (c->options.packet_id_file)
2965 {
2966 packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file);
2967 }
6fbf66fa
JY		 2968 }
2969
0f25d296 2970#ifdef ENABLE_PREDICTION_RESISTANCE
81d882d5
DS		 2971 if (c->options.use_prediction_resistance)
2972 {
2973 rand_ctx_enable_prediction_resistance();
2974 }
0f25d296 2975#endif
6fbf66fa
JY		 2976}
2977
2978/*
2979 * Static Key Mode (using a pre-shared key)
2980 */
2981static void
81d882d5 2982do_init_crypto_static(struct context *c, const unsigned int flags)
6fbf66fa 2983{
81d882d5
DS		 2984 const struct options *options = &c->options;
2985 ASSERT(options->shared_secret_file);
6fbf66fa 2986
81d882d5 2987 init_crypto_pre(c, flags);
2d9c6d20 2988
81d882d5 2989 /* Initialize flags */
81d882d5 2990 if (c->options.mute_replay_warnings)
6fbf66fa 2991 {
81d882d5 2992 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
6fbf66fa
JY		 2993 }
2994
81d882d5 2995 /* Initialize packet ID tracking */
6d76218d
FL		 2996 packet_id_init(&c->c2.crypto_options.packet_id,
2997 options->replay_window,
2998 options->replay_time,
2999 "STATIC", 0);
3000 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
3001 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
3002 packet_id_persist_load_obj(&c->c1.pid_persist,
3003 &c->c2.crypto_options.packet_id);
6fbf66fa 3004
81d882d5
DS		 3005 if (!key_ctx_bi_defined(&c->c1.ks.static_key))
3006 {
3007 /* Get cipher & hash algorithms */
3008 init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
6ea62d50 3009 options->test_crypto, true);
81d882d5
DS		 3010
3011 /* Read cipher and hmac keys from shared secret file */
3012 crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key,
3013 options->shared_secret_file,
3014 options->shared_secret_file_inline,
3015 options->key_direction, "Static Key Encryption",
6a05768a 3016 "secret", NULL);
6fbf66fa 3017 }
81d882d5 3018 else
6fbf66fa 3019 {
81d882d5 3020 msg(M_INFO, "Re-using pre-shared static key");
6fbf66fa
JY		 3021 }
3022
81d882d5
DS		 3023 /* Get key schedule */
3024 c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;
6fbf66fa
JY		 3025}
3026
5817b49b
AQ		 3027/*
3028 * Initialize the tls-auth/crypt key context
3029 */
3030static void
3031do_init_tls_wrap_key(struct context *c)
3032{
3033 const struct options *options = &c->options;
3034
3035 /* TLS handshake authentication (--tls-auth) */
57d6f103 3036 if (options->ce.tls_auth_file)
5817b49b
AQ		 3037 {
3038 /* Initialize key_type for tls-auth with auth only */
3039 CLEAR(c->c1.ks.tls_auth_key_type);
b39725cf
AS		 3040 c->c1.ks.tls_auth_key_type.cipher = "none";
3041 c->c1.ks.tls_auth_key_type.digest = options->authname;
3042 if (!md_valid(options->authname))
5817b49b
AQ		 3043 {
3044 msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth "
3045 "algorithm specified ('%s')", options->authname);
3046 }
3047
3048 crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
3049 &c->c1.ks.tls_wrap_key,
57d6f103
AQ		 3050 options->ce.tls_auth_file,
3051 options->ce.tls_auth_file_inline,
3052 options->ce.key_direction,
6a05768a
AS		 3053 "Control Channel Authentication", "tls-auth",
3054 &c->c1.ks.original_wrap_keydata);
5817b49b
AQ		 3055 }
3056
3057 /* TLS handshake encryption+authentication (--tls-crypt) */
57d6f103 3058 if (options->ce.tls_crypt_file)
5817b49b
AQ		 3059 {
3060 tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
6a05768a 3061 &c->c1.ks.original_wrap_keydata,
57d6f103 3062 options->ce.tls_crypt_file,
cb2e9218
AQ		 3063 options->ce.tls_crypt_file_inline,
3064 options->tls_server);
5817b49b 3065 }
19d6d9c3
SK		 3066
3067 /* tls-crypt with client-specific keys (--tls-crypt-v2) */
3068 if (options->ce.tls_crypt_v2_file)
3069 {
3070 if (options->tls_server)
3071 {
3072 tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
3073 true, options->ce.tls_crypt_v2_file,
cb2e9218 3074 options->ce.tls_crypt_v2_file_inline);
19d6d9c3
SK		 3075 }
3076 else
3077 {
3078 tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
6a05768a 3079 &c->c1.ks.original_wrap_keydata,
19d6d9c3
SK		 3080 &c->c1.ks.tls_crypt_v2_wkc,
3081 options->ce.tls_crypt_v2_file,
cb2e9218 3082 options->ce.tls_crypt_v2_file_inline);
19d6d9c3 3083 }
5f6ea597
AS		 3084 /* We have to ensure that the loaded tls-crypt key is small enough
3085 * to fit into the initial hard reset v3 packet */
3086 int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc);
3087
3088 /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
3089 int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40;
3090
3091 if (required_size > c->options.ce.tls_mtu)
3092 {
3093 msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with "
3094 "requested --max-packet-size %d, requires at least "
3095 "--max-packet-size %d. Packets will ignore requested "
3096 "maximum packet size", c->options.ce.tls_mtu,
3097 required_size);
3098 }
19d6d9c3
SK		 3099 }
3100
3101
5817b49b
AQ		 3102}
3103
6fbf66fa
JY		 3104/*
3105 * Initialize the persistent component of OpenVPN's TLS mode,
3106 * which is preserved across SIGUSR1 resets.
3107 */
3108static void
81d882d5 3109do_init_crypto_tls_c1(struct context *c)
6fbf66fa 3110{
81d882d5 3111 const struct options *options = &c->options;
6fbf66fa 3112
81d882d5 3113 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
6fbf66fa 3114 {
81d882d5
DS		 3115 /*
3116 * Initialize the OpenSSL library's global
3117 * SSL context.
3118 */
21a0b249 3119 init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
81d882d5
DS		 3120 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
3121 {
81d882d5
DS		 3122 switch (auth_retry_get())
3123 {
3124 case AR_NONE:
3125 msg(M_FATAL, "Error: private key password verification failed");
3126 break;
3127
3128 case AR_INTERACT:
3129 ssl_purge_auth(false);
f2454ec6 3130 /* Intentional [[fallthrough]]; */
81d882d5
DS		 3131
3132 case AR_NOINTERACT:
05715485
SN		 3133 /* SOFT-SIGUSR1 -- Password failure error */
3134 register_signal(c->sig, SIGUSR1, "private-key-password-failure");
81d882d5
DS		 3135 break;
3136
3137 default:
3138 ASSERT(0);
3139 }
81d882d5 3140 return;
81d882d5
DS		 3141 }
3142
abe49856
DS		 3143 /*
3144 * BF-CBC is allowed to be used only when explicitly configured
3145 * as NCP-fallback or when NCP has been disabled or explicitly
3146 * allowed in the in ncp_ciphers list.
3147 * In all other cases do not attempt to initialize BF-CBC as it
3148 * may not even be supported by the underlying SSL library.
3149 *
3150 * Therefore, the key structure has to be initialized when:
3151 * - any non-BF-CBC cipher was selected; or
3152 * - BF-CBC is selected, NCP is enabled and fallback is enabled
3153 * (BF-CBC will be the fallback).
3154 * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
3155 * If the negotiated cipher and options->ciphername are the
3156 * same we do not reinit the cipher
3157 *
3158 * Note that BF-CBC will still be part of the OCC string to retain
3159 * backwards compatibility with older clients.
3160 */
3161 const char *ciphername = options->ciphername;
ce2954a0
AS		 3162 if (streq(options->ciphername, "BF-CBC")
3163 && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
3164 && !options->enable_ncp_fallback)
79ff3f79 3165 {
ce2954a0 3166 ciphername = "none";
79ff3f79 3167 }
81d882d5 3168
ce2954a0
AS		 3169 /* Do not warn if the cipher is used only in OCC */
3170 bool warn = options->enable_ncp_fallback;
3171 init_key_type(&c->c1.ks.key_type, ciphername, options->authname,
3172 true, warn);
3173
19d6d9c3 3174 /* initialize tls-auth/crypt/crypt-v2 key */
5817b49b 3175 do_init_tls_wrap_key(c);
81d882d5 3176
1b9a88a2 3177 /* initialise auth-token crypto support */
6cf4fa5a
AS		 3178 if (c->options.auth_token_generate)
3179 {
3180 auth_token_init_secret(&c->c1.ks.auth_token_key,
3181 c->options.auth_token_secret_file,
3182 c->options.auth_token_secret_file_inline);
3183 }
1b9a88a2 3184
1f4309ae 3185#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
81d882d5
DS		 3186 if (options->priv_key_file_inline)
3187 {
3188 string_clear(c->options.priv_key_file_inline);
3189 c->options.priv_key_file_inline = NULL;
3190 }
d40f2b20 3191#endif
6fbf66fa 3192 }
81d882d5 3193 else
6fbf66fa 3194 {
81d882d5 3195 msg(D_INIT_MEDIUM, "Re-using SSL/TLS context");
129d2924 3196
5817b49b
AQ		 3197 /*
3198 * tls-auth/crypt key can be configured per connection block, therefore
3199 * we must reload it as it may have changed
3200 */
3201 do_init_tls_wrap_key(c);
6fbf66fa
JY		 3202 }
3203}
3204
3205static void
81d882d5 3206do_init_crypto_tls(struct context *c, const unsigned int flags)
6fbf66fa 3207{
81d882d5
DS		 3208 const struct options *options = &c->options;
3209 struct tls_options to;
3210 bool packet_id_long_form;
6fbf66fa 3211
81d882d5
DS		 3212 ASSERT(options->tls_server || options->tls_client);
3213 ASSERT(!options->test_crypto);
6fbf66fa 3214
81d882d5 3215 init_crypto_pre(c, flags);
6fbf66fa 3216
81d882d5
DS		 3217 /* Make sure we are either a TLS client or server but not both */
3218 ASSERT(options->tls_server == !options->tls_client);
6fbf66fa 3219
81d882d5
DS		 3220 /* initialize persistent component */
3221 do_init_crypto_tls_c1(c);
3222 if (IS_SIG(c))
3223 {
3224 return;
3225 }
3226
81d882d5
DS		 3227 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
3228 packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher);
3229
81d882d5
DS		 3230 /* Set all command-line TLS-related options */
3231 CLEAR(to);
3232
81d882d5
DS		 3233 if (options->mute_replay_warnings)
3234 {
3235 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
3236 }
3237
3238 to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
3239 if (packet_id_long_form)
3240 {
3241 to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
3242 }
3243
3244 to.ssl_ctx = c->c1.ks.ssl_ctx;
3245 to.key_type = c->c1.ks.key_type;
3246 to.server = options->tls_server;
81d882d5
DS		 3247 to.replay_window = options->replay_window;
3248 to.replay_time = options->replay_time;
3249 to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
7064ccb9
AS		 3250 to.config_ciphername = c->options.ciphername;
3251 to.config_ncp_ciphers = c->options.ncp_ciphers;
81d882d5
DS		 3252 to.transition_window = options->transition_window;
3253 to.handshake_window = options->handshake_window;
3254 to.packet_timeout = options->tls_timeout;
3255 to.renegotiate_bytes = options->renegotiate_bytes;
3256 to.renegotiate_packets = options->renegotiate_packets;
dd996463
SM		 3257 if (options->renegotiate_seconds_min < 0)
3258 {
3259 /* Add 10% jitter to reneg-sec by default (server side only) */
3260 int auto_jitter = options->mode != MODE_SERVER ? 0 :
f57431cd 3261 get_random() % max_int(options->renegotiate_seconds / 10, 1);
dd996463
SM		 3262 to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
3263 }
3264 else
3265 {
3266 /* Add user-specified jitter to reneg-sec */
f57431cd
GD		 3267 to.renegotiate_seconds = options->renegotiate_seconds
3268 -(get_random() % max_int(options->renegotiate_seconds
3269 - options->renegotiate_seconds_min, 1));
dd996463 3270 }
81d882d5
DS		 3271 to.single_session = options->single_session;
3272 to.mode = options->mode;
3273 to.pull = options->pull;
81d882d5
DS		 3274 if (options->push_peer_info) /* all there is */
3275 {
8c72d798 3276 to.push_peer_info_detail = 3;
81d882d5
DS		 3277 }
3278 else if (options->pull) /* pull clients send some details */
3279 {
8c72d798 3280 to.push_peer_info_detail = 2;
81d882d5 3281 }
8c72d798 3282 else if (options->mode == MODE_SERVER) /* server: no peer info at all */
81d882d5
DS		 3283 {
3284 to.push_peer_info_detail = 0;
3285 }
8c72d798
AS		 3286 else /* default: minimal info to allow NCP in P2P mode */
3287 {
3288 to.push_peer_info_detail = 1;
3289 }
3290
6fbf66fa 3291
81d882d5
DS		 3292 /* should we not xmit any packets until we get an initial
3293 * response from client? */
3294 if (to.server && options->ce.proto == PROTO_TCP_SERVER)
3295 {
3296 to.xmit_hold = true;
3297 }
6add6b2f 3298
81d882d5 3299 to.verify_command = options->tls_verify;
81d882d5
DS		 3300 to.verify_x509_type = (options->verify_x509_type & 0xff);
3301 to.verify_x509_name = options->verify_x509_name;
3302 to.crl_file = options->crl_file;
3303 to.crl_file_inline = options->crl_file_inline;
3304 to.ssl_flags = options->ssl_flags;
3305 to.ns_cert_type = options->ns_cert_type;
3b04c34d 3306 memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
81d882d5
DS		 3307 to.remote_cert_eku = options->remote_cert_eku;
3308 to.verify_hash = options->verify_hash;
2193d7c0 3309 to.verify_hash_algo = options->verify_hash_algo;
c3a7065d 3310 to.verify_hash_depth = options->verify_hash_depth;
c3746da7 3311 to.verify_hash_no_ca = options->verify_hash_no_ca;
19dd3ef1 3312#ifdef ENABLE_X509ALTUSERNAME
3b04c34d 3313 memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
19dd3ef1 3314#else
3b04c34d 3315 to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
19dd3ef1 3316#endif
81d882d5 3317 to.es = c->c2.es;
aec4a3d1 3318 to.net_ctx = &c->net_ctx;
6fbf66fa
JY		 3319
3320#ifdef ENABLE_DEBUG
81d882d5 3321 to.gremlin = c->options.gremlin;
6fbf66fa
JY		 3322#endif
3323
81d882d5 3324 to.plugins = c->plugins;
6fbf66fa 3325
99d217b2 3326#ifdef ENABLE_MANAGEMENT
81d882d5 3327 to.mda_context = &c->c2.mda_context;
90efcacb
JY		 3328#endif
3329
81d882d5
DS		 3330 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
3331 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
23eec2d2 3332 to.client_crresponse_script = options->client_crresponse_script;
81d882d5 3333 to.tmp_dir = options->tmp_dir;
c58c7c3c 3334 to.export_peer_cert_dir = options->tls_export_peer_cert_dir;
81d882d5
DS		 3335 if (options->ccd_exclusive)
3336 {
3337 to.client_config_dir_exclusive = options->client_config_dir;
3338 }
3339 to.auth_user_pass_file = options->auth_user_pass_file;
7d48d31b 3340 to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
81d882d5
DS		 3341 to.auth_token_generate = options->auth_token_generate;
3342 to.auth_token_lifetime = options->auth_token_lifetime;
9a516170 3343 to.auth_token_renewal = options->auth_token_renewal;
c8723aa7 3344 to.auth_token_call_auth = options->auth_token_call_auth;
1b9a88a2 3345 to.auth_token_key = c->c1.ks.auth_token_key;
6fbf66fa 3346
81d882d5 3347 to.x509_track = options->x509_track;
9356bae8 3348
66b9409b 3349#ifdef ENABLE_MANAGEMENT
81d882d5 3350 to.sci = &options->sc_info;
16d909e2 3351#endif
eab3e22f 3352
38d96bd7 3353#ifdef USE_COMP
81d882d5 3354 to.comp_options = options->comp;
38d96bd7
JY		 3355#endif
3356
5defbba4 3357#ifdef HAVE_EXPORT_KEYING_MATERIAL
81d882d5 3358 if (options->keying_material_exporter_label)
685e486e 3359 {
81d882d5
DS		 3360 to.ekm_size = options->keying_material_exporter_length;
3361 if (to.ekm_size < 16 || to.ekm_size > 4095)
3362 {
3363 to.ekm_size = 0;
3364 }
685e486e 3365
81d882d5
DS		 3366 to.ekm_label = options->keying_material_exporter_label;
3367 to.ekm_label_size = strlen(to.ekm_label);
685e486e 3368 }
81d882d5 3369 else
685e486e 3370 {
81d882d5 3371 to.ekm_size = 0;
685e486e 3372 }
5defbba4 3373#endif /* HAVE_EXPORT_KEYING_MATERIAL */
685e486e 3374
81d882d5 3375 /* TLS handshake authentication (--tls-auth) */
57d6f103 3376 if (options->ce.tls_auth_file)
6fbf66fa 3377 {
81d882d5 3378 to.tls_wrap.mode = TLS_WRAP_AUTH;
6fbf66fa
JY		 3379 }
3380
81d882d5 3381 /* TLS handshake encryption (--tls-crypt) */
19dffdbd
SK		 3382 if (options->ce.tls_crypt_file
3383 || (options->ce.tls_crypt_v2_file && options->tls_client))
c6e24fa3 3384 {
81d882d5 3385 to.tls_wrap.mode = TLS_WRAP_CRYPT;
6a05768a
AS		 3386 }
3387
3388 if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT)
3389 {
81d882d5
DS		 3390 to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
3391 to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
3392 to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
6a05768a 3393 to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
19dffdbd
SK		 3394 }
3395
19d6d9c3 3396 if (options->ce.tls_crypt_v2_file)
19dffdbd
SK		 3397 {
3398 to.tls_crypt_v2 = true;
6a05768a
AS		 3399 to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc;
3400
19dffdbd
SK		 3401 if (options->tls_server)
3402 {
3403 to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key;
ff931c5e 3404 to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script;
e7d8c4a7
AS		 3405 if (options->ce.tls_crypt_v2_force_cookie)
3406 {
3407 to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE;
3408 }
19dffdbd 3409 }
c6e24fa3
SK		 3410 }
3411
a2d851d4
AQ		 3412 /* let the TLS engine know if keys have to be installed in DCO or not */
3413 to.dco_enabled = dco_enabled(options);
3414
81d882d5
DS		 3415 /*
3416 * Initialize OpenVPN's master TLS-mode object.
3417 */
3418 if (flags & CF_INIT_TLS_MULTI)
3419 {
3420 c->c2.tls_multi = tls_multi_init(&to);
a2d851d4
AQ		 3421 /* inherit the dco context from the tuntap object */
3422 if (c->c1.tuntap)
3423 {
3424 c->c2.tls_multi->dco = &c->c1.tuntap->dco;
3425 }
81d882d5 3426 }
6fbf66fa 3427
81d882d5
DS		 3428 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
3429 {
3430 c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc);
b3647114 3431 c->c2.session_id_hmac = session_id_hmac_init();
81d882d5 3432 }
6fbf66fa
JY		 3433}
3434
3435static void
2b6fcdc0 3436do_init_frame_tls(struct context *c)
6fbf66fa 3437{
81d882d5 3438 if (c->c2.tls_multi)
6fbf66fa 3439 {
5f6ea597 3440 tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu);
986559bf
AS		 3441 ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <=
3442 c->c2.frame.buf.payload_size);
81d882d5
DS		 3443 frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO,
3444 "Control Channel MTU parms");
01aed6a5
AS		 3445
3446 /* Keep the max mtu also in the frame of tls multi so it can access
3447 * it in push_peer_info */
3448 c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu;
6fbf66fa 3449 }
81d882d5 3450 if (c->c2.tls_auth_standalone)
6fbf66fa 3451 {
5f6ea597 3452 tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu);
81d882d5
DS		 3453 frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
3454 "TLS-Auth MTU parms");
b3647114 3455 c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
e8ecaadd 3456 c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc);
6fbf66fa
JY		 3457 }
3458}
3459
6fbf66fa
JY		 3460/*
3461 * No encryption or authentication.
3462 */
3463static void
02d8f792 3464do_init_crypto_none(struct context *c)
6fbf66fa 3465{
81d882d5 3466 ASSERT(!c->options.test_crypto);
02d8f792
AS		 3467
3468 /* Initialise key_type with auth/cipher "none", so the key_type struct is
3469 * valid */
3470 init_key_type(&c->c1.ks.key_type, "none", "none",
3471 c->options.test_crypto, true);
3472
81d882d5 3473 msg(M_WARN,
7a1b6a0d
DS		 3474 "******* WARNING *******: All encryption and authentication features "
3475 "disabled -- All data will be tunnelled as clear text and will not be "
3476 "protected against man-in-the-middle changes. "
3477 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
6fbf66fa 3478}
6fbf66fa
JY		 3479
3480static void
81d882d5 3481do_init_crypto(struct context *c, const unsigned int flags)
6fbf66fa 3482{
81d882d5
DS		 3483 if (c->options.shared_secret_file)
3484 {
3485 do_init_crypto_static(c, flags);
3486 }
3487 else if (c->options.tls_server || c->options.tls_client)
3488 {
3489 do_init_crypto_tls(c, flags);
3490 }
3491 else /* no encryption or authentication. */
3492 {
3493 do_init_crypto_none(c);
3494 }
6fbf66fa
JY		 3495}
3496
3497static void
81d882d5 3498do_init_frame(struct context *c)
6fbf66fa 3499{
81d882d5
DS		 3500 /*
3501 * Adjust frame size based on the --tun-mtu-extra parameter.
3502 */
3503 if (c->options.ce.tun_mtu_extra_defined)
3504 {
65c63086 3505 c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra;
81d882d5
DS		 3506 }
3507
81d882d5
DS		 3508 /*
3509 * Fill in the blanks in the frame parameters structure,
3510 * make sure values are rational, etc.
3511 */
3512 frame_finalize_options(c, NULL);
6fbf66fa 3513
6fbf66fa 3514
ba66faad 3515#if defined(ENABLE_FRAGMENT)
81d882d5
DS		 3516 /*
3517 * MTU advisories
3518 */
3519 if (c->options.ce.fragment && c->options.mtu_test)
3520 {
3521 msg(M_WARN,
3522 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3523 }
6fbf66fa
JY		 3524#endif
3525
3526#ifdef ENABLE_FRAGMENT
f1e06301 3527 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
81d882d5 3528 {
f1e06301 3529 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
abe49856
DS		 3530 "set --fragment (%d) larger or equal than --mssfix (%d)",
3531 c->options.ce.fragment, c->options.ce.mssfix);
f1e06301
AS		 3532 }
3533 if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
3534 && c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
3535 {
3536 msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
abe49856 3537 "use the \"mtu\" flag for both or none of of them.");
81d882d5 3538 }
6fbf66fa
JY		 3539#endif
3540}
3541
3542static void
81d882d5 3543do_option_warnings(struct context *c)
6fbf66fa 3544{
81d882d5 3545 const struct options *o = &c->options;
6fbf66fa 3546
81d882d5
DS		 3547 if (o->ping_send_timeout && !o->ping_rec_timeout)
3548 {
3549 msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3550 }
6fbf66fa 3551
81d882d5 3552 if (o->username || o->groupname || o->chroot_dir
cd5990e0 3553#ifdef ENABLE_SELINUX
81d882d5 3554 || o->selinux_context
99385447 3555#endif
81d882d5
DS		 3556 )
3557 {
3558 if (!o->persist_tun)
3559 {
3560 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3561 }
81d882d5 3562 }
6fbf66fa 3563
81d882d5
DS		 3564 if (o->chroot_dir && !(o->username && o->groupname))
3565 {
3566 msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3567 }
31f90e64 3568
81d882d5
DS		 3569 if (o->pull && o->ifconfig_local && c->first_time)
3570 {
3571 msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3572 }
6fbf66fa 3573
81d882d5
DS		 3574 if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
3575 {
3576 msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3577 }
f77c60d3 3578
81d882d5 3579 if (o->mode == MODE_SERVER)
6fbf66fa 3580 {
81d882d5
DS		 3581 if (o->duplicate_cn && o->client_config_dir)
3582 {
3583 msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3584 }
3585 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
3586 {
3587 msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3588 }
3589 if (!o->keepalive_ping || !o->keepalive_timeout)
3590 {
3591 msg(M_WARN, "WARNING: --keepalive option is missing from server config");
3592 }
6fbf66fa 3593 }
6fbf66fa 3594
81d882d5
DS		 3595 if (o->tls_server)
3596 {
aec4a3d1 3597 warn_on_use_of_common_subnets(&c->net_ctx);
81d882d5
DS		 3598 }
3599 if (o->tls_client
3600 && !o->tls_verify
3601 && o->verify_x509_type == VERIFY_X509_NONE
3602 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
3603 && !o->remote_cert_eku)
3604 {
3605 msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3606 }
2dc33226
SK		 3607 if (o->ns_cert_type)
3608 {
3609 msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3610 }
81d882d5 3611
ccb636c7 3612 /* If a script is used, print appropriate warnings */
81d882d5
DS		 3613 if (o->user_script_used)
3614 {
bf97c00f 3615 if (script_security() >= SSEC_SCRIPTS)
81d882d5
DS		 3616 {
3617 msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3618 }
bf97c00f 3619 else if (script_security() >= SSEC_PW_ENV)
81d882d5
DS		 3620 {
3621 msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3622 }
3623 else
3624 {
3625 msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3626 }
3627 }
6fbf66fa
JY		 3628}
3629
6fbf66fa 3630struct context_buffers *
81d882d5 3631init_context_buffers(const struct frame *frame)
6fbf66fa 3632{
81d882d5 3633 struct context_buffers *b;
6fbf66fa 3634
81d882d5 3635 ALLOC_OBJ_CLEAR(b, struct context_buffers);
6fbf66fa 3636
65a21eb1
AS		 3637 size_t buf_size = BUF_SIZE(frame);
3638
3639 b->read_link_buf = alloc_buf(buf_size);
3640 b->read_tun_buf = alloc_buf(buf_size);
6fbf66fa 3641
65a21eb1 3642 b->aux_buf = alloc_buf(buf_size);
6fbf66fa 3643
65a21eb1
AS		 3644 b->encrypt_buf = alloc_buf(buf_size);
3645 b->decrypt_buf = alloc_buf(buf_size);
6fbf66fa 3646
38d96bd7 3647#ifdef USE_COMP
65a21eb1
AS		 3648 b->compress_buf = alloc_buf(buf_size);
3649 b->decompress_buf = alloc_buf(buf_size);
6fbf66fa
JY		 3650#endif
3651
81d882d5 3652 return b;
6fbf66fa
JY		 3653}
3654
3655void
81d882d5 3656free_context_buffers(struct context_buffers *b)
6fbf66fa 3657{
81d882d5 3658 if (b)
6fbf66fa 3659 {
81d882d5
DS		 3660 free_buf(&b->read_link_buf);
3661 free_buf(&b->read_tun_buf);
3662 free_buf(&b->aux_buf);
6fbf66fa 3663
38d96bd7 3664#ifdef USE_COMP
81d882d5
DS		 3665 free_buf(&b->compress_buf);
3666 free_buf(&b->decompress_buf);
6fbf66fa
JY		 3667#endif
3668
81d882d5
DS		 3669 free_buf(&b->encrypt_buf);
3670 free_buf(&b->decrypt_buf);
6fbf66fa 3671
81d882d5 3672 free(b);
6fbf66fa
JY		 3673 }
3674}
3675
3676/*
3677 * Now that we know all frame parameters, initialize
3678 * our buffers.
3679 */
3680static void
81d882d5 3681do_init_buffers(struct context *c)
6fbf66fa 3682{
81d882d5
DS		 3683 c->c2.buffers = init_context_buffers(&c->c2.frame);
3684 c->c2.buffers_owned = true;
6fbf66fa
JY		 3685}
3686
3687#ifdef ENABLE_FRAGMENT
3688/*
3689 * Fragmenting code has buffers to initialize
3690 * once frame parameters are known.
3691 */
3692static void
81d882d5 3693do_init_fragment(struct context *c)
6fbf66fa 3694{
81d882d5 3695 ASSERT(c->options.ce.fragment);
a3419142
AS		 3696
3697 /*
3698 * Set frame parameter for fragment code. This is necessary because
3699 * the fragmentation code deals with payloads which have already been
3700 * passed through the compression code.
3701 */
3702 c->c2.frame_fragment = c->c2.frame;
3703
0d969976
AS		 3704 frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type,
3705 &c->options, get_link_socket_info(c));
81d882d5 3706 fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment);
6fbf66fa
JY		 3707}
3708#endif
3709
6fbf66fa
JY		 3710/*
3711 * Allocate our socket object.
3712 */
3713static void
81d882d5 3714do_link_socket_new(struct context *c)
6fbf66fa 3715{
81d882d5
DS		 3716 ASSERT(!c->c2.link_socket);
3717 c->c2.link_socket = link_socket_new();
3718 c->c2.link_socket_owned = true;
6fbf66fa
JY		 3719}
3720
6fbf66fa
JY		 3721/*
3722 * Print MTU INFO
3723 */
3724static void
81d882d5 3725do_print_data_channel_mtu_parms(struct context *c)
6fbf66fa 3726{
81d882d5 3727 frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
6fbf66fa 3728#ifdef ENABLE_FRAGMENT
81d882d5
DS		 3729 if (c->c2.fragment)
3730 {
3731 frame_print(&c->c2.frame_fragment, D_MTU_INFO,
3732 "Fragmentation MTU parms");
3733 }
6fbf66fa
JY		 3734#endif
3735}
3736
6fbf66fa
JY		 3737/*
3738 * Get local and remote options compatibility strings.
3739 */
3740static void
81d882d5 3741do_compute_occ_strings(struct context *c)
6fbf66fa 3742{
81d882d5 3743 struct gc_arena gc = gc_new();
6fbf66fa 3744
81d882d5 3745 c->c2.options_string_local =
dc7fcd71
AQ		 3746 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3747 false, &gc);
81d882d5 3748 c->c2.options_string_remote =
dc7fcd71
AQ		 3749 options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx,
3750 true, &gc);
6fbf66fa 3751
81d882d5
DS		 3752 msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'",
3753 options_string_version(c->c2.options_string_local, &gc),
3754 c->c2.options_string_local);
3755 msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'",
3756 options_string_version(c->c2.options_string_remote, &gc),
3757 c->c2.options_string_remote);
6fbf66fa 3758
81d882d5
DS		 3759 if (c->c2.tls_multi)
3760 {
3761 tls_multi_init_set_options(c->c2.tls_multi,
3762 c->c2.options_string_local,
3763 c->c2.options_string_remote);
3764 }
6fbf66fa 3765
81d882d5 3766 gc_free(&gc);
6fbf66fa 3767}
6fbf66fa
JY		 3768
3769/*
3770 * These things can only be executed once per program instantiation.
3771 * Set up for possible UID/GID downgrade, but don't do it yet.
3772 * Daemonize if requested.
3773 */
3774static void
81d882d5 3775do_init_first_time(struct context *c)
6fbf66fa 3776{
81d882d5 3777 if (c->first_time && !c->c0)
6fbf66fa 3778 {
81d882d5 3779 struct context_0 *c0;
92bbb061 3780
81d882d5
DS		 3781 ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc);
3782 c0 = c->c0;
6fbf66fa 3783
66f6a3b7
AS		 3784 /* get user and/or group that we want to setuid/setgid to,
3785 * sets also platform_x_state */
3786 bool group_defined = platform_group_get(c->options.groupname,
3787 &c0->platform_state_group);
3788 bool user_defined = platform_user_get(c->options.username,
3789 &c0->platform_state_user);
3790
3791 c0->uid_gid_specified = user_defined || group_defined;
6fbf66fa 3792
81d882d5
DS		 3793 /* perform postponed chdir if --daemon */
3794 if (c->did_we_daemonize && c->options.cd_dir == NULL)
3795 {
3796 platform_chdir("/");
3797 }
3798
3799 /* should we change scheduling priority? */
3800 platform_nice(c->options.nice);
6fbf66fa
JY		 3801 }
3802}
3803
6fbf66fa
JY		 3804/*
3805 * free buffers
3806 */
3807static void
81d882d5 3808do_close_free_buf(struct context *c)
6fbf66fa 3809{
81d882d5 3810 if (c->c2.buffers_owned)
6fbf66fa 3811 {
81d882d5
DS		 3812 free_context_buffers(c->c2.buffers);
3813 c->c2.buffers = NULL;
3814 c->c2.buffers_owned = false;
6fbf66fa
JY		 3815 }
3816}
3817
3818/*
3819 * close TLS
3820 */
3821static void
81d882d5 3822do_close_tls(struct context *c)
6fbf66fa 3823{
81d882d5 3824 if (c->c2.tls_multi)
6fbf66fa 3825 {
81d882d5
DS		 3826 tls_multi_free(c->c2.tls_multi, true);
3827 c->c2.tls_multi = NULL;
6fbf66fa
JY		 3828 }
3829
81d882d5 3830 /* free options compatibility strings */
cb70cf51
AS		 3831 free(c->c2.options_string_local);
3832 free(c->c2.options_string_remote);
3833
81d882d5 3834 c->c2.options_string_local = c->c2.options_string_remote = NULL;
07036fd3
SK		 3835
3836 if (c->c2.pulled_options_state)
3837 {
3838 md_ctx_cleanup(c->c2.pulled_options_state);
3839 md_ctx_free(c->c2.pulled_options_state);
3840 }
e8ecaadd
AS		 3841
3842 tls_auth_standalone_free(c->c2.tls_auth_standalone);
6fbf66fa
JY		 3843}
3844
3845/*
3846 * Free key schedules
3847 */
3848static void
81d882d5 3849do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
6fbf66fa 3850{
5817b49b 3851 /*
802fcce5 3852 * always free the tls_auth/crypt key. The key will
5817b49b
AQ		 3853 * be reloaded from memory (pre-cached)
3854 */
fb169c3b 3855 free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key);
5817b49b
AQ		 3856 free_key_ctx_bi(&c->c1.ks.tls_wrap_key);
3857 CLEAR(c->c1.ks.tls_wrap_key);
19dffdbd
SK		 3858 buf_clear(&c->c1.ks.tls_crypt_v2_wkc);
3859 free_buf(&c->c1.ks.tls_crypt_v2_wkc);
5817b49b 3860
802fcce5 3861 if (!(c->sig->signal_received == SIGUSR1))
81d882d5
DS		 3862 {
3863 key_schedule_free(&c->c1.ks, free_ssl_ctx);
3864 }
6fbf66fa
JY		 3865}
3866
3867/*
3868 * Close TCP/UDP connection
3869 */
3870static void
81d882d5 3871do_close_link_socket(struct context *c)
6fbf66fa 3872{
3adbc5c6
AQ		 3873 /* in dco-win case, link socket is a tun handle which is
3874 * closed in do_close_tun(). Set it to UNDEFINED so
3875 * we won't use WinSock API to close it. */
ac1d2428 3876 if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket)
3adbc5c6
AQ		 3877 {
3878 c->c2.link_socket->sd = SOCKET_UNDEFINED;
3879 }
3880
81d882d5 3881 if (c->c2.link_socket && c->c2.link_socket_owned)
6fbf66fa 3882 {
81d882d5
DS		 3883 link_socket_close(c->c2.link_socket);
3884 c->c2.link_socket = NULL;
6fbf66fa
JY		 3885 }
3886
81d882d5
DS		 3887
3888 /* Preserve the resolved list of remote if the user request to or if we want
3889 * reconnect to the same host again or there are still addresses that need
3890 * to be tried */
3891 if (!(c->sig->signal_received == SIGUSR1
3892 && ( (c->options.persist_remote_ip)
3893 ||
3894 ( c->sig->source != SIG_SOURCE_HARD
a5409c0d
VG		 3895 && ((c->c1.link_socket_addr.current_remote
3896 && c->c1.link_socket_addr.current_remote->ai_next)
81d882d5
DS		 3897 || c->options.no_advance))
3898 )))
23d61c56 3899 {
81d882d5 3900 clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance);
23d61c56
AS		 3901 }
3902
3903 /* Clear the remote actual address when persist_remote_ip is not in use */
3904 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
81d882d5
DS		 3905 {
3906 CLEAR(c->c1.link_socket_addr.actual);
3907 }
6fbf66fa 3908
81d882d5
DS		 3909 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
3910 {
3911 if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance)
3912 {
3913 freeaddrinfo(c->c1.link_socket_addr.bind_local);
3914 }
e719a053 3915
81d882d5
DS		 3916 c->c1.link_socket_addr.bind_local = NULL;
3917 }
6fbf66fa
JY		 3918}
3919
3920/*
ccb636c7 3921 * Close packet-id persistence file
6fbf66fa
JY		 3922 */
3923static void
81d882d5 3924do_close_packet_id(struct context *c)
6fbf66fa 3925{
81d882d5
DS		 3926 packet_id_free(&c->c2.crypto_options.packet_id);
3927 packet_id_persist_save(&c->c1.pid_persist);
3928 if (!(c->sig->signal_received == SIGUSR1))
3929 {
3930 packet_id_persist_close(&c->c1.pid_persist);
3931 }
6fbf66fa
JY		 3932}
3933
3934#ifdef ENABLE_FRAGMENT
3935/*
3936 * Close fragmentation handler.
3937 */
3938static void
81d882d5 3939do_close_fragment(struct context *c)
6fbf66fa 3940{
81d882d5 3941 if (c->c2.fragment)
6fbf66fa 3942 {
81d882d5
DS		 3943 fragment_free(c->c2.fragment);
3944 c->c2.fragment = NULL;
6fbf66fa
JY		 3945 }
3946}
3947#endif
3948
3949/*
3950 * Open and close our event objects.
3951 */
3952
3953static void
81d882d5
DS		 3954do_event_set_init(struct context *c,
3955 bool need_us_timeout)
6fbf66fa 3956{
81d882d5 3957 unsigned int flags = 0;
6fbf66fa 3958
81d882d5 3959 c->c2.event_set_max = BASE_N_EVENTS;
6fbf66fa 3960
81d882d5 3961 flags |= EVENT_METHOD_FAST;
6fbf66fa 3962
81d882d5
DS		 3963 if (need_us_timeout)
3964 {
3965 flags |= EVENT_METHOD_US_TIMEOUT;
3966 }
6fbf66fa 3967
81d882d5
DS		 3968 c->c2.event_set = event_set_init(&c->c2.event_set_max, flags);
3969 c->c2.event_set_owned = true;
6fbf66fa
JY		 3970}
3971
3972static void
81d882d5 3973do_close_event_set(struct context *c)
6fbf66fa 3974{
81d882d5 3975 if (c->c2.event_set && c->c2.event_set_owned)
6fbf66fa 3976 {
81d882d5
DS		 3977 event_free(c->c2.event_set);
3978 c->c2.event_set = NULL;
3979 c->c2.event_set_owned = false;
6fbf66fa
JY		 3980 }
3981}
3982
3983/*
3984 * Open and close --status file
3985 */
3986
3987static void
81d882d5 3988do_open_status_output(struct context *c)
6fbf66fa 3989{
81d882d5 3990 if (!c->c1.status_output)
6fbf66fa 3991 {
81d882d5
DS		 3992 c->c1.status_output = status_open(c->options.status_file,
3993 c->options.status_file_update_freq,
3994 -1,
3995 NULL,
3996 STATUS_OUTPUT_WRITE);
3997 c->c1.status_output_owned = true;
6fbf66fa
JY		 3998 }
3999}
4000
4001static void
81d882d5 4002do_close_status_output(struct context *c)
6fbf66fa 4003{
81d882d5 4004 if (!(c->sig->signal_received == SIGUSR1))
6fbf66fa 4005 {
81d882d5
DS		 4006 if (c->c1.status_output_owned && c->c1.status_output)
4007 {
4008 status_close(c->c1.status_output);
4009 c->c1.status_output = NULL;
4010 c->c1.status_output_owned = false;
4011 }
6fbf66fa
JY		 4012 }
4013}
4014
4015/*
ccb636c7 4016 * Handle ifconfig-pool persistence object.
6fbf66fa
JY		 4017 */
4018static void
81d882d5 4019do_open_ifconfig_pool_persist(struct context *c)
6fbf66fa 4020{
81d882d5 4021 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
6fbf66fa 4022 {
81d882d5
DS		 4023 c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename,
4024 c->options.ifconfig_pool_persist_refresh_freq);
4025 c->c1.ifconfig_pool_persist_owned = true;
6fbf66fa 4026 }
6fbf66fa
JY		 4027}
4028
4029static void
81d882d5 4030do_close_ifconfig_pool_persist(struct context *c)
6fbf66fa 4031{
81d882d5 4032 if (!(c->sig->signal_received == SIGUSR1))
6fbf66fa 4033 {
81d882d5
DS		 4034 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
4035 {
4036 ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist);
4037 c->c1.ifconfig_pool_persist = NULL;
4038 c->c1.ifconfig_pool_persist_owned = false;
4039 }
6fbf66fa 4040 }
6fbf66fa
JY		 4041}
4042
4043/*
4044 * Inherit environmental variables
4045 */
4046
4047static void
81d882d5 4048do_inherit_env(struct context *c, const struct env_set *src)
6fbf66fa 4049{
81d882d5
DS		 4050 c->c2.es = env_set_create(NULL);
4051 c->c2.es_owned = true;
4052 env_set_inherit(c->c2.es, src);
6fbf66fa
JY		 4053}
4054
2a64816b 4055static void
81d882d5 4056do_env_set_destroy(struct context *c)
2a64816b 4057{
81d882d5 4058 if (c->c2.es && c->c2.es_owned)
2a64816b 4059 {
81d882d5
DS		 4060 env_set_destroy(c->c2.es);
4061 c->c2.es = NULL;
4062 c->c2.es_owned = false;
2a64816b
JY		 4063 }
4064}
4065
6fbf66fa
JY		 4066/*
4067 * Fast I/O setup. Fast I/O is an optimization which only works
4068 * if all of the following are true:
4069 *
4070 * (1) The platform is not Windows
4071 * (2) --proto udp is enabled
4072 * (3) --shaper is disabled
4073 */
4074static void
81d882d5 4075do_setup_fast_io(struct context *c)
6fbf66fa 4076{
81d882d5 4077 if (c->options.fast_io)
6fbf66fa 4078 {
445b192a 4079#ifdef _WIN32
81d882d5 4080 msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
6fbf66fa 4081#else
81d882d5
DS		 4082 if (!proto_is_udp(c->options.ce.proto))
4083 {
4084 msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
4085 }
4086 else
4087 {
81d882d5
DS		 4088 if (c->options.shaper)
4089 {
4090 msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
4091 }
4092 else
81d882d5
DS		 4093 {
4094 c->c2.fast_io = true;
4095 }
4096 }
6fbf66fa
JY		 4097#endif
4098 }
4099}
4100
4101static void
81d882d5 4102do_signal_on_tls_errors(struct context *c)
6fbf66fa 4103{
81d882d5
DS		 4104 if (c->options.tls_exit)
4105 {
4106 c->c2.tls_exit_signal = SIGTERM;
4107 }
4108 else
4109 {
4110 c->c2.tls_exit_signal = SIGUSR1;
4111 }
6fbf66fa
JY		 4112}
4113
3c7f2f55 4114#ifdef ENABLE_PLUGIN
6fbf66fa 4115
3c7f2f55 4116void
81d882d5 4117init_plugins(struct context *c)
6fbf66fa 4118{
81d882d5 4119 if (c->options.plugin_list && !c->plugins)
e1791bb1 4120 {
81d882d5
DS		 4121 c->plugins = plugin_list_init(c->options.plugin_list);
4122 c->plugins_owned = true;
e1791bb1
JY		 4123 }
4124}
4125
4126void
81d882d5
DS		 4127open_plugins(struct context *c, const bool import_options, int init_point)
4128{
4129 if (c->plugins && c->plugins_owned)
4130 {
4131 if (import_options)
4132 {
4133 struct plugin_return pr, config;
4134 plugin_return_init(&pr);
4135 plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
4136 plugin_return_get_column(&pr, &config, "config");
4137 if (plugin_return_defined(&config))
4138 {
4139 int i;
4140 for (i = 0; i < config.n; ++i)
4141 {
4142 unsigned int option_types_found = 0;
4143 if (config.list[i] && config.list[i]->value)
4144 {
4145 options_string_import(&c->options,
4146 config.list[i]->value,
4147 D_IMPORT_ERRORS|M_OPTERR,
4148 OPT_P_DEFAULT & ~OPT_P_PLUGIN,
4149 &option_types_found,
4150 c->es);
4151 }
4152 }
4153 }
4154 plugin_return_free(&pr);
4155 }
4156 else
4157 {
4158 plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
4159 }
6fbf66fa 4160 }
6fbf66fa
JY		 4161}
4162
4163static void
81d882d5 4164do_close_plugins(struct context *c)
6fbf66fa 4165{
81d882d5 4166 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
6fbf66fa 4167 {
81d882d5
DS		 4168 plugin_list_close(c->plugins);
4169 c->plugins = NULL;
4170 c->plugins_owned = false;
6fbf66fa 4171 }
6fbf66fa
JY		 4172}
4173
3c7f2f55 4174static void
81d882d5 4175do_inherit_plugins(struct context *c, const struct context *src)
3c7f2f55 4176{
81d882d5 4177 if (!c->plugins && src->plugins)
3c7f2f55 4178 {
81d882d5
DS		 4179 c->plugins = plugin_list_inherit(src->plugins);
4180 c->plugins_owned = true;
3c7f2f55
JY		 4181 }
4182}
4183
81d882d5 4184#endif /* ifdef ENABLE_PLUGIN */
3c7f2f55 4185
6fbf66fa
JY		 4186#ifdef ENABLE_MANAGEMENT
4187
4188static void
81d882d5 4189management_callback_status_p2p(void *arg, const int version, struct status_output *so)
6fbf66fa 4190{
81d882d5
DS		 4191 struct context *c = (struct context *) arg;
4192 print_status(c, so);
6fbf66fa
JY		 4193}
4194
4195void
81d882d5 4196management_show_net_callback(void *arg, const int msglevel)
6fbf66fa 4197{
445b192a 4198#ifdef _WIN32
81d882d5
DS		 4199 show_routes(msglevel);
4200 show_adapters(msglevel);
4201 msg(msglevel, "END");
6fbf66fa 4202#else
81d882d5 4203 msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
6fbf66fa
JY		 4204#endif
4205}
4206
30003978
AS		 4207#ifdef TARGET_ANDROID
4208int
81d882d5 4209management_callback_network_change(void *arg, bool samenetwork)
30003978
AS		 4210{
4211 /* Check if the client should translate the network change to a SIGUSR1 to
81d882d5
DS		 4212 * reestablish the connection or just reprotect the socket
4213 *
4214 * At the moment just assume that, for all settings that use pull (not
4215 * --static) and are not using peer-id reestablishing the connection is
4216 * required (unless the network is the same)
4217 *
4218 * The function returns -1 on invalid fd and -2 if the socket cannot be
4219 * reused. On the -2 return value the man_network_change function triggers
4220 * a SIGUSR1 to force a reconnect.
4221 */
4222
4223 int socketfd = -1;
4224 struct context *c = (struct context *) arg;
4225 if (!c->c2.link_socket)
4226 {
4227 return -1;
4228 }
4229 if (c->c2.link_socket->sd == SOCKET_UNDEFINED)
4230 {
4231 return -1;
4232 }
30003978 4233
81d882d5
DS		 4234 socketfd = c->c2.link_socket->sd;
4235 if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork)
4236 {
4237 return socketfd;
4238 }
4239 else
4240 {
4241 return -2;
4242 }
30003978 4243}
81d882d5 4244#endif /* ifdef TARGET_ANDROID */
30003978 4245
81d882d5 4246#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 4247
4248void
81d882d5 4249init_management_callback_p2p(struct context *c)
6fbf66fa
JY		 4250{
4251#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 4252 if (management)
4253 {
4254 struct management_callback cb;
4255 CLEAR(cb);
4256 cb.arg = c;
4257 cb.status = management_callback_status_p2p;
4258 cb.show_net = management_show_net_callback;
4259 cb.proxy_cmd = management_callback_proxy_cmd;
4260 cb.remote_cmd = management_callback_remote_cmd;
adb9bb91 4261 cb.send_cc_message = management_callback_send_cc_message;
30003978 4262#ifdef TARGET_ANDROID
81d882d5 4263 cb.network_change = management_callback_network_change;
30003978 4264#endif
12526380
SN		 4265 cb.remote_entry_count = management_callback_remote_entry_count;
4266 cb.remote_entry_get = management_callback_remote_entry_get;
81d882d5 4267 management_set_callback(management, &cb);
6fbf66fa
JY		 4268 }
4269#endif
4270}
4271
4272#ifdef ENABLE_MANAGEMENT
4273
4274void
91ba1add 4275init_management(void)
6fbf66fa 4276{
81d882d5
DS		 4277 if (!management)
4278 {
4279 management = management_init();
4280 }
6fbf66fa
JY		 4281}
4282
4283bool
81d882d5
DS		 4284open_management(struct context *c)
4285{
4286 /* initialize management layer */
4287 if (management)
4288 {
4289 if (c->options.management_addr)
4290 {
4291 unsigned int flags = c->options.management_flags;
4292 if (c->options.mode == MODE_SERVER)
4293 {
4294 flags |= MF_SERVER;
4295 }
4296 if (management_open(management,
4297 c->options.management_addr,
4298 c->options.management_port,
4299 c->options.management_user_pass,
4300 c->options.management_client_user,
4301 c->options.management_client_group,
4302 c->options.management_log_history_cache,
4303 c->options.management_echo_buffer_size,
4304 c->options.management_state_buffer_size,
81d882d5
DS		 4305 c->options.remap_sigusr1,
4306 flags))
4307 {
4308 management_set_state(management,
4309 OPENVPN_STATE_CONNECTING,
4310 NULL,
4311 NULL,
4312 NULL,
4313 NULL,
4314 NULL);
4315 }
4316
4317 /* initial management hold, called early, before first context initialization */
4318 do_hold(0);
4319 if (IS_SIG(c))
4320 {
4321 msg(M_WARN, "Signal received from management interface, exiting");
4322 return false;
4323 }
4324 }
4325 else
4326 {
4327 close_management();
4328 }
4329 }
4330 return true;
6fbf66fa
JY		 4331}
4332
4333void
81d882d5 4334close_management(void)
6fbf66fa 4335{
81d882d5 4336 if (management)
6fbf66fa 4337 {
81d882d5
DS		 4338 management_close(management);
4339 management = NULL;
6fbf66fa
JY		 4340 }
4341}
4342
81d882d5 4343#endif /* ifdef ENABLE_MANAGEMENT */
6fbf66fa
JY		 4344
4345
4346void
81d882d5 4347uninit_management_callback(void)
6fbf66fa
JY		 4348{
4349#ifdef ENABLE_MANAGEMENT
81d882d5 4350 if (management)
6fbf66fa 4351 {
81d882d5 4352 management_clear_callback(management);
6fbf66fa
JY		 4353 }
4354#endif
4355}
4356
0fdbb288
SN		 4357void
4358persist_client_stats(struct context *c)
4359{
4360#ifdef ENABLE_MANAGEMENT
4361 if (management)
4362 {
4363 man_persist_client_stats(management, c);
4364 }
4365#endif
4366}
4367
6fbf66fa
JY		 4368/*
4369 * Initialize a tunnel instance, handle pre and post-init
4370 * signal settings.
4371 */
4372void
81d882d5 4373init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
6fbf66fa 4374{
81d882d5
DS		 4375 pre_init_signal_catch();
4376 init_instance(c, env, flags);
4377 post_init_signal_catch();
4378
4379 /*
4380 * This is done so that signals thrown during
4381 * initialization can bring us back to
4382 * a management hold.
4383 */
4384 if (IS_SIG(c))
d5badcf1 4385 {
81d882d5
DS		 4386 remap_signal(c);
4387 uninit_management_callback();
d5badcf1 4388 }
6fbf66fa
JY		 4389}
4390
4391/*
4392 * Initialize a tunnel instance.
4393 */
4394void
81d882d5 4395init_instance(struct context *c, const struct env_set *env, const unsigned int flags)
6fbf66fa 4396{
81d882d5
DS		 4397 const struct options *options = &c->options;
4398 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
4399 int link_socket_mode = LS_MODE_DEFAULT;
6fbf66fa 4400
81d882d5
DS		 4401 /* init garbage collection level */
4402 gc_init(&c->c2.gc);
6fbf66fa 4403
81d882d5
DS		 4404 /* inherit environmental variables */
4405 if (env)
4406 {
4407 do_inherit_env(c, env);
4408 }
ac1c2f25 4409
81d882d5
DS		 4410 if (c->mode == CM_P2P)
4411 {
4412 init_management_callback_p2p(c);
4413 }
3cf6c932 4414
81d882d5
DS		 4415 /* possible sleep or management hold if restart */
4416 if (c->mode == CM_P2P || c->mode == CM_TOP)
3cf6c932 4417 {
81d882d5
DS		 4418 do_startup_pause(c);
4419 if (IS_SIG(c))
4420 {
4421 goto sig;
4422 }
3cf6c932
JY		 4423 }
4424
81d882d5 4425 if (c->options.resolve_in_advance)
e719a053 4426 {
81d882d5
DS		 4427 do_preresolve(c);
4428 if (IS_SIG(c))
4429 {
4430 goto sig;
4431 }
e719a053
AS		 4432 }
4433
c1150e5b
AS		 4434 /* Resets all values to the initial values from the config where needed */
4435 pre_connect_restore(&c->options, &c->c2.gc);
528a78fb 4436
81d882d5
DS		 4437 /* map in current connection entry */
4438 next_connection_entry(c);
4e9a51d7 4439
81d882d5
DS		 4440 /* link_socket_mode allows CM_CHILD_TCP
4441 * instances to inherit acceptable fds
4442 * from a top-level parent */
4443 if (c->options.ce.proto == PROTO_TCP_SERVER)
6fbf66fa 4444 {
81d882d5
DS		 4445 if (c->mode == CM_TOP)
4446 {
4447 link_socket_mode = LS_MODE_TCP_LISTEN;
4448 }
4449 else if (c->mode == CM_CHILD_TCP)
4450 {
4451 link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
4452 }
6fbf66fa
JY		 4453 }
4454
81d882d5
DS		 4455 /* should we disable paging? */
4456 if (c->first_time && options->mlock)
4457 {
4458 platform_mlockall(true);
4459 }
6fbf66fa 4460
81d882d5
DS		 4461 /* get passwords if undefined */
4462 if (auth_retry_get() == AR_INTERACT)
4463 {
4464 init_query_passwords(c);
4465 }
92bbb061 4466
81d882d5
DS		 4467 /* initialize context level 2 --verb/--mute parms */
4468 init_verb_mute(c, IVM_LEVEL_2);
4469
4470 /* set error message delay for non-server modes */
4471 if (c->mode == CM_P2P)
4472 {
4473 set_check_status_error_delay(P2P_ERROR_DELAY_MS);
4474 }
6fbf66fa 4475
81d882d5
DS		 4476 /* warn about inconsistent options */
4477 if (c->mode == CM_P2P || c->mode == CM_TOP)
4478 {
4479 do_option_warnings(c);
4480 }
6fbf66fa 4481
3c7f2f55 4482#ifdef ENABLE_PLUGIN
81d882d5
DS		 4483 /* initialize plugins */
4484 if (c->mode == CM_P2P || c->mode == CM_TOP)
4485 {
4486 open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
4487 }
3c7f2f55 4488#endif
6fbf66fa 4489
81d882d5
DS		 4490 /* should we enable fast I/O? */
4491 if (c->mode == CM_P2P || c->mode == CM_TOP)
4492 {
4493 do_setup_fast_io(c);
4494 }
6fbf66fa 4495
81d882d5
DS		 4496 /* should we throw a signal on TLS errors? */
4497 do_signal_on_tls_errors(c);
6fbf66fa 4498
81d882d5
DS		 4499 /* open --status file */
4500 if (c->mode == CM_P2P || c->mode == CM_TOP)
4501 {
4502 do_open_status_output(c);
4503 }
6fbf66fa 4504
81d882d5
DS		 4505 /* open --ifconfig-pool-persist file */
4506 if (c->mode == CM_TOP)
4507 {
4508 do_open_ifconfig_pool_persist(c);
4509 }
6fbf66fa 4510
81d882d5
DS		 4511 /* reset OCC state */
4512 if (c->mode == CM_P2P || child)
4513 {
4514 c->c2.occ_op = occ_reset_op();
4515 }
6fbf66fa 4516
81d882d5
DS		 4517 /* our wait-for-i/o objects, different for posix vs. win32 */
4518 if (c->mode == CM_P2P)
4519 {
4520 do_event_set_init(c, SHAPER_DEFINED(&c->options));
4521 }
4522 else if (c->mode == CM_CHILD_TCP)
4523 {
4524 do_event_set_init(c, false);
4525 }
6fbf66fa 4526
81d882d5
DS		 4527 /* initialize HTTP or SOCKS proxy object at scope level 2 */
4528 init_proxy(c);
4e9a51d7 4529
81d882d5
DS		 4530 /* allocate our socket object */
4531 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4532 {
4533 do_link_socket_new(c);
4534 }
6fbf66fa
JY		 4535
4536#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4537 /* initialize internal fragmentation object */
4538 if (options->ce.fragment && (c->mode == CM_P2P || child))
4539 {
4540 c->c2.fragment = fragment_init(&c->c2.frame);
4541 }
6fbf66fa
JY		 4542#endif
4543
81d882d5
DS		 4544 /* init crypto layer */
4545 {
4546 unsigned int crypto_flags = 0;
4547 if (c->mode == CM_TOP)
4548 {
4549 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
4550 }
4551 else if (c->mode == CM_P2P)
4552 {
4553 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
4554 }
4555 else if (child)
4556 {
4557 crypto_flags = CF_INIT_TLS_MULTI;
4558 }
4559 do_init_crypto(c, crypto_flags);
4560 if (IS_SIG(c) && !child)
4561 {
4562 goto sig;
4563 }
4564 }
6fbf66fa 4565
38d96bd7 4566#ifdef USE_COMP
81d882d5
DS		 4567 /* initialize compression library. */
4568 if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child))
4569 {
4570 c->c2.comp_context = comp_init(&options->comp);
4571 }
6fbf66fa
JY		 4572#endif
4573
81d882d5
DS		 4574 /* initialize MTU variables */
4575 do_init_frame(c);
6fbf66fa 4576
81d882d5
DS		 4577 /* initialize TLS MTU variables */
4578 do_init_frame_tls(c);
6fbf66fa 4579
81d882d5
DS		 4580 /* init workspace buffers whose size is derived from frame size */
4581 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
4582 {
4583 do_init_buffers(c);
4584 }
6fbf66fa
JY		 4585
4586#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4587 /* initialize internal fragmentation capability with known frame size */
4588 if (options->ce.fragment && (c->mode == CM_P2P || child))
4589 {
4590 do_init_fragment(c);
4591 }
6fbf66fa
JY		 4592#endif
4593
81d882d5
DS		 4594 /* bind the TCP/UDP socket */
4595 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4596 {
343b6119 4597 link_socket_init_phase1(c, link_socket_mode);
81d882d5 4598 }
6fbf66fa 4599
81d882d5
DS		 4600 /* initialize tun/tap device object,
4601 * open tun/tap device, ifconfig, run up script, etc. */
4602 if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
4603 {
e04c2536
SN		 4604 int error_flags = 0;
4605 c->c2.did_open_tun = do_open_tun(c, &error_flags);
81d882d5 4606 }
6fbf66fa 4607
81d882d5
DS		 4608 /* print MTU info */
4609 do_print_data_channel_mtu_parms(c);
6fbf66fa 4610
81d882d5
DS		 4611 /* get local and remote options compatibility strings */
4612 if (c->mode == CM_P2P || child)
4613 {
4614 do_compute_occ_strings(c);
4615 }
6fbf66fa 4616
81d882d5
DS		 4617 /* initialize output speed limiter */
4618 if (c->mode == CM_P2P)
4619 {
4620 do_init_traffic_shaper(c);
4621 }
6fbf66fa 4622
ccb636c7 4623 /* do one-time inits, and possibly become a daemon here */
81d882d5 4624 do_init_first_time(c);
6fbf66fa 4625
e1791bb1 4626#ifdef ENABLE_PLUGIN
81d882d5
DS		 4627 /* initialize plugins */
4628 if (c->mode == CM_P2P || c->mode == CM_TOP)
4629 {
4630 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
4631 }
e1791bb1
JY		 4632#endif
4633
81d882d5
DS		 4634 /* initialise connect timeout timer */
4635 do_init_server_poll_timeout(c);
4db06290 4636
81d882d5
DS		 4637 /* finalize the TCP/UDP socket */
4638 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
4639 {
343b6119 4640 link_socket_init_phase2(c);
b3e97582 4641
2d17869f
AS		 4642
4643 /* Update dynamic frame calculation as exact transport socket information
4644 * (IP vs IPv6) may be only available after socket phase2 has finished.
4645 * This is only needed for --static or no crypto, NCP will recalculate this
4646 * in tls_session_update_crypto_params (P2MP) */
4647 frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options,
4648 get_link_socket_info(c));
4649 }
0d969976 4650
81d882d5
DS		 4651 /*
4652 * Actually do UID/GID downgrade, and chroot, if requested.
4653 * May be delayed by --client, --pull, or --up-delay.
4654 */
4655 do_uid_gid_chroot(c, c->c2.did_open_tun);
6fbf66fa 4656
81d882d5
DS		 4657 /* initialize timers */
4658 if (c->mode == CM_P2P || child)
4659 {
4660 do_init_timers(c, false);
4661 }
6fbf66fa 4662
e1791bb1 4663#ifdef ENABLE_PLUGIN
81d882d5
DS		 4664 /* initialize plugins */
4665 if (c->mode == CM_P2P || c->mode == CM_TOP)
4666 {
4667 open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
4668 }
e1791bb1
JY		 4669#endif
4670
6add6b2f 4671#if PORT_SHARE
81d882d5
DS		 4672 /* share OpenVPN port with foreign (such as HTTPS) server */
4673 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
4674 {
4675 init_port_share(c);
4676 }
6add6b2f 4677#endif
81d882d5 4678
81d882d5
DS		 4679 /* Check for signals */
4680 if (IS_SIG(c))
4681 {
4682 goto sig;
4683 }
6fbf66fa 4684
81d882d5 4685 return;
6fbf66fa 4686
81d882d5
DS		 4687sig:
4688 if (!c->sig->signal_text)
4689 {
4690 c->sig->signal_text = "init_instance";
4691 }
4692 close_context(c, -1, flags);
4693 return;
6fbf66fa
JY		 4694}
4695
4696/*
4697 * Close a tunnel instance.
4698 */
4699void
81d882d5 4700close_instance(struct context *c)
6fbf66fa 4701{
81d882d5
DS		 4702 /* close event objects */
4703 do_close_event_set(c);
6fbf66fa
JY		 4704
4705 if (c->mode == CM_P2P
81d882d5
DS		 4706 || c->mode == CM_CHILD_TCP
4707 || c->mode == CM_CHILD_UDP
4708 || c->mode == CM_TOP)
4709 {
38d96bd7 4710#ifdef USE_COMP
81d882d5
DS		 4711 if (c->c2.comp_context)
4712 {
4713 comp_uninit(c->c2.comp_context);
4714 c->c2.comp_context = NULL;
4715 }
6fbf66fa
JY		 4716#endif
4717
81d882d5
DS		 4718 /* free buffers */
4719 do_close_free_buf(c);
6fbf66fa 4720
b6f7b285
AQ		 4721 /* close peer for DCO if enabled, needs peer-id so must be done before
4722 * closing TLS contexts */
4723 dco_remove_peer(c);
4724
81d882d5
DS		 4725 /* close TLS */
4726 do_close_tls(c);
6fbf66fa 4727
81d882d5
DS		 4728 /* free key schedules */
4729 do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP));
6fbf66fa 4730
81d882d5
DS		 4731 /* close TCP/UDP connection */
4732 do_close_link_socket(c);
6fbf66fa 4733
81d882d5
DS		 4734 /* close TUN/TAP device */
4735 do_close_tun(c, false);
6fbf66fa 4736
99d217b2 4737#ifdef ENABLE_MANAGEMENT
81d882d5
DS		 4738 if (management)
4739 {
4740 management_notify_client_close(management, &c->c2.mda_context, NULL);
4741 }
90efcacb
JY		 4742#endif
4743
3c7f2f55 4744#ifdef ENABLE_PLUGIN
81d882d5
DS		 4745 /* call plugin close functions and unload */
4746 do_close_plugins(c);
3c7f2f55 4747#endif
6fbf66fa 4748
ccb636c7 4749 /* close packet-id persistence file */
81d882d5 4750 do_close_packet_id(c);
6fbf66fa 4751
81d882d5
DS		 4752 /* close --status file */
4753 do_close_status_output(c);
6fbf66fa
JY		 4754
4755#ifdef ENABLE_FRAGMENT
81d882d5
DS		 4756 /* close fragmentation handler */
4757 do_close_fragment(c);
6fbf66fa
JY		 4758#endif
4759
81d882d5
DS		 4760 /* close --ifconfig-pool-persist obj */
4761 do_close_ifconfig_pool_persist(c);
6fbf66fa 4762
81d882d5
DS		 4763 /* free up environmental variable store */
4764 do_env_set_destroy(c);
2a64816b 4765
81d882d5
DS		 4766 /* close HTTP or SOCKS proxy */
4767 uninit_proxy(c);
4e9a51d7 4768
81d882d5
DS		 4769 /* garbage collect */
4770 gc_free(&c->c2.gc);
4771 }
6fbf66fa
JY		 4772}
4773
4774void
81d882d5
DS		 4775inherit_context_child(struct context *dest,
4776 const struct context *src)
6fbf66fa 4777{
81d882d5 4778 CLEAR(*dest);
6fbf66fa 4779
81d882d5
DS		 4780 /* proto_is_dgram will ASSERT(0) if proto is invalid */
4781 dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP;
6fbf66fa 4782
81d882d5 4783 dest->gc = gc_new();
6fbf66fa 4784
81d882d5 4785 ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc);
6fbf66fa 4786
81d882d5
DS		 4787 /* c1 init */
4788 packet_id_persist_init(&dest->c1.pid_persist);
6fbf66fa 4789
81d882d5
DS		 4790 dest->c1.ks.key_type = src->c1.ks.key_type;
4791 /* inherit SSL context */
4792 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
4793 dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key;
4794 dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
19dffdbd 4795 dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key;
81d882d5 4796 /* inherit pre-NCP ciphers */
7064ccb9
AS		 4797 dest->options.ciphername = src->options.ciphername;
4798 dest->options.authname = src->options.authname;
81d882d5 4799
1b9a88a2
AS		 4800 /* inherit auth-token */
4801 dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key;
4802
81d882d5
DS		 4803 /* options */
4804 dest->options = src->options;
4805 options_detach(&dest->options);
4806
4807 if (dest->mode == CM_CHILD_TCP)
6fbf66fa 4808 {
81d882d5
DS		 4809 /*
4810 * The CM_TOP context does the socket listen(),
4811 * and the CM_CHILD_TCP context does the accept().
4812 */
4813 dest->c2.accept_from = src->c2.link_socket;
6fbf66fa
JY		 4814 }
4815
3c7f2f55 4816#ifdef ENABLE_PLUGIN
81d882d5
DS		 4817 /* inherit plugins */
4818 do_inherit_plugins(dest, src);
3c7f2f55 4819#endif
6fbf66fa 4820
81d882d5 4821 /* context init */
a2d851d4
AQ		 4822
4823 /* inherit tun/tap interface object now as it may be required
4824 * to initialize the DCO context in init_instance()
4825 */
4826 dest->c1.tuntap = src->c1.tuntap;
4827
81d882d5
DS		 4828 init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
4829 if (IS_SIG(dest))
4830 {
4831 return;
4832 }
6fbf66fa 4833
81d882d5
DS		 4834 /* UDP inherits some extra things which TCP does not */
4835 if (dest->mode == CM_CHILD_UDP)
6fbf66fa 4836 {
81d882d5
DS		 4837 /* inherit buffers */
4838 dest->c2.buffers = src->c2.buffers;
6fbf66fa 4839
81d882d5
DS		 4840 /* inherit parent link_socket and tuntap */
4841 dest->c2.link_socket = src->c2.link_socket;
6fbf66fa 4842
81d882d5
DS		 4843 ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
4844 *dest->c2.link_socket_info = src->c2.link_socket->info;
6fbf66fa 4845
81d882d5
DS		 4846 /* locally override some link_socket_info fields */
4847 dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
4848 dest->c2.link_socket_info->connection_established = false;
6fbf66fa
JY		 4849 }
4850}
4851
4852void
81d882d5
DS		 4853inherit_context_top(struct context *dest,
4854 const struct context *src)
6fbf66fa 4855{
81d882d5
DS		 4856 /* copy parent */
4857 *dest = *src;
6fbf66fa 4858
81d882d5
DS		 4859 /*
4860 * CM_TOP_CLONE will prevent close_instance from freeing or closing
4861 * resources owned by the parent.
4862 *
4863 * Also note that CM_TOP_CLONE context objects are
4864 * closed by multi_top_free in multi.c.
4865 */
4866 dest->mode = CM_TOP_CLONE;
6fbf66fa 4867
81d882d5
DS		 4868 dest->first_time = false;
4869 dest->c0 = NULL;
6fbf66fa 4870
81d882d5
DS		 4871 options_detach(&dest->options);
4872 gc_detach(&dest->gc);
4873 gc_detach(&dest->c2.gc);
6fbf66fa 4874
81d882d5
DS		 4875 /* detach plugins */
4876 dest->plugins_owned = false;
3c7f2f55 4877
81d882d5 4878 dest->c2.tls_multi = NULL;
6fbf66fa 4879
81d882d5
DS		 4880 /* detach c1 ownership */
4881 dest->c1.tuntap_owned = false;
4882 dest->c1.status_output_owned = false;
81d882d5 4883 dest->c1.ifconfig_pool_persist_owned = false;
3c7f2f55 4884
81d882d5
DS		 4885 /* detach c2 ownership */
4886 dest->c2.event_set_owned = false;
4887 dest->c2.link_socket_owned = false;
4888 dest->c2.buffers_owned = false;
4889 dest->c2.es_owned = false;
6fbf66fa 4890
81d882d5
DS		 4891 dest->c2.event_set = NULL;
4892 if (proto_is_dgram(src->options.ce.proto))
4893 {
4894 do_event_set_init(dest, false);
4895 }
38d96bd7
JY		 4896
4897#ifdef USE_COMP
81d882d5 4898 dest->c2.comp_context = NULL;
38d96bd7 4899#endif
6fbf66fa
JY		 4900}
4901
4902void
81d882d5 4903close_context(struct context *c, int sig, unsigned int flags)
6fbf66fa 4904{
81d882d5
DS		 4905 ASSERT(c);
4906 ASSERT(c->sig);
79df31c8 4907
81d882d5
DS		 4908 if (sig >= 0)
4909 {
05715485 4910 register_signal(c->sig, sig, "close_context");
81d882d5 4911 }
6fbf66fa 4912
81d882d5 4913 if (c->sig->signal_received == SIGUSR1)
6fbf66fa 4914 {
81d882d5
DS		 4915 if ((flags & CC_USR1_TO_HUP)
4916 || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP)))
c058cbff 4917 {
05715485 4918 register_signal(c->sig, SIGHUP, "close_context usr1 to hup");
c058cbff 4919 }
6fbf66fa
JY		 4920 }
4921
81d882d5
DS		 4922 if (!(flags & CC_NO_CLOSE))
4923 {
4924 close_instance(c);
4925 }
6fbf66fa 4926
81d882d5
DS		 4927 if (flags & CC_GC_FREE)
4928 {
4929 context_gc_free(c);
4930 }
6fbf66fa
JY		 4931}
4932
008ec688
GD		 4933/* Write our PID to a file */
4934void
4935write_pid_file(const char *filename, const char *chroot_dir)
4936{
4937 if (filename)
4938 {
4939 unsigned int pid = 0;
4940 FILE *fp = platform_fopen(filename, "w");
4941 if (!fp)
4942 {
4943 msg(M_ERR, "Open error on pid file %s", filename);
4944 return;
4945 }
4946
4947 pid = platform_getpid();
4948 fprintf(fp, "%u\n", pid);
4949 if (fclose(fp))
4950 {
4951 msg(M_ERR, "Close error on pid file %s", filename);
4952 }
4953
4954 /* remember file name so it can be deleted "out of context" later */
4955 /* (the chroot case is more complex and not handled today) */
4956 if (!chroot_dir)
4957 {
4958 saved_pid_file_name = strdup(filename);
4959 }
4960 }
4961}
4962
4963/* remove PID file on exit, called from openvpn_exit() */
4964void
4965remove_pid_file(void)
4966{
4967 if (saved_pid_file_name)
4968 {
4969 platform_unlink(saved_pid_file_name);
4970 }
4971}
4972
4973
6fbf66fa
JY		 4974/*
4975 * Do a loopback test
4976 * on the crypto subsystem.
4977 */
4978static void *
81d882d5 4979test_crypto_thread(void *arg)
6fbf66fa 4980{
81d882d5
DS		 4981 struct context *c = (struct context *) arg;
4982 const struct options *options = &c->options;
6fbf66fa 4983
81d882d5
DS		 4984 ASSERT(options->test_crypto);
4985 init_verb_mute(c, IVM_LEVEL_1);
4986 context_init_1(c);
4987 next_connection_entry(c);
4988 do_init_crypto_static(c, 0);
6fbf66fa 4989
81d882d5 4990 frame_finalize_options(c, options);
6fbf66fa 4991
81d882d5 4992 test_crypto(&c->c2.crypto_options, &c->c2.frame);
6fbf66fa 4993
81d882d5
DS		 4994 key_schedule_free(&c->c1.ks, true);
4995 packet_id_free(&c->c2.crypto_options.packet_id);
6fbf66fa 4996
81d882d5
DS		 4997 context_gc_free(c);
4998 return NULL;
6fbf66fa
JY		 4999}
5000
6fbf66fa 5001bool
81d882d5 5002do_test_crypto(const struct options *o)
6fbf66fa 5003{
81d882d5 5004 if (o->test_crypto)
6fbf66fa 5005 {
81d882d5 5006 struct context c;
6fbf66fa 5007
81d882d5
DS		 5008 /* print version number */
5009 msg(M_INFO, "%s", title_string);
6fbf66fa 5010
81d882d5
DS		 5011 context_clear(&c);
5012 c.options = *o;
5013 options_detach(&c.options);
5014 c.first_time = true;
5015 test_crypto_thread((void *) &c);
5016 return true;
6fbf66fa 5017 }
81d882d5 5018 return false;
6fbf66fa 5019}
Mirror of https://github.com/OpenVPN/openvpn.git