]>
Commit | Line | Data |
---|---|---|
6fbf66fa JY |
1 | /* |
2 | * OpenVPN -- An application to securely tunnel IP networks | |
3 | * over a single TCP/UDP port, with support for SSL/TLS-based | |
4 | * session authentication and key exchange, | |
5 | * packet encryption, packet authentication, and | |
6 | * packet compression. | |
7 | * | |
b25c6d7e | 8 | * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net> |
6fbf66fa JY |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License version 2 | |
12 | * as published by the Free Software Foundation. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | * GNU General Public License for more details. | |
18 | * | |
caa54ac3 DS |
19 | * You should have received a copy of the GNU General Public License along |
20 | * with this program; if not, write to the Free Software Foundation, Inc., | |
21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
6fbf66fa JY |
22 | */ |
23 | ||
c110b289 ABL |
24 | #ifdef HAVE_CONFIG_H |
25 | #include "config.h" | |
c110b289 ABL |
26 | #endif |
27 | ||
6fbf66fa JY |
28 | #include "syshead.h" |
29 | ||
c5931897 CH |
30 | #ifdef ENABLE_SYSTEMD |
31 | #include <systemd/sd-daemon.h> | |
32 | #endif | |
33 | ||
6fbf66fa JY |
34 | #include "win32.h" |
35 | #include "init.h" | |
bf97c00f | 36 | #include "run_command.h" |
6fbf66fa JY |
37 | #include "sig.h" |
38 | #include "occ.h" | |
39 | #include "list.h" | |
40 | #include "otime.h" | |
41 | #include "pool.h" | |
42 | #include "gremlin.h" | |
a54f37d8 | 43 | #include "occ.h" |
ce98fd24 | 44 | #include "pkcs11.h" |
6add6b2f | 45 | #include "ps.h" |
e12fe286 | 46 | #include "lladdr.h" |
e7a65dfb | 47 | #include "ping.h" |
ffea644c | 48 | #include "mstats.h" |
63dc03d0 | 49 | #include "ssl_verify.h" |
1828f9c1 | 50 | #include "ssl_ncp.h" |
c6e24fa3 | 51 | #include "tls_crypt.h" |
a54f37d8 | 52 | #include "forward.h" |
1b9a88a2 | 53 | #include "auth_token.h" |
d4458eed | 54 | #include "mss.h" |
b3647114 | 55 | #include "mudp.h" |
a2d851d4 | 56 | #include "dco.h" |
6fbf66fa JY |
57 | |
58 | #include "memdbg.h" | |
59 | ||
6fbf66fa | 60 | |
0c9eb1d3 | 61 | static struct context *static_context; /* GLOBAL */ |
008ec688 | 62 | static const char *saved_pid_file_name; /* GLOBAL */ |
0c9eb1d3 | 63 | |
6fbf66fa JY |
64 | /* |
65 | * Crypto initialization flags | |
66 | */ | |
67 | #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) | |
68 | #define CF_INIT_TLS_MULTI (1<<1) | |
69 | #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) | |
70 | ||
81d882d5 | 71 | static void do_init_first_time(struct context *c); |
7d48d31b | 72 | |
8c72d798 | 73 | static bool do_deferred_p2p_ncp(struct context *c); |
6fbf66fa JY |
74 | |
75 | void | |
81d882d5 | 76 | context_clear(struct context *c) |
6fbf66fa | 77 | { |
81d882d5 | 78 | CLEAR(*c); |
6fbf66fa JY |
79 | } |
80 | ||
81 | void | |
81d882d5 | 82 | context_clear_1(struct context *c) |
6fbf66fa | 83 | { |
81d882d5 | 84 | CLEAR(c->c1); |
6fbf66fa JY |
85 | } |
86 | ||
87 | void | |
81d882d5 | 88 | context_clear_2(struct context *c) |
6fbf66fa | 89 | { |
81d882d5 | 90 | CLEAR(c->c2); |
6fbf66fa JY |
91 | } |
92 | ||
93 | void | |
81d882d5 | 94 | context_clear_all_except_first_time(struct context *c) |
6fbf66fa | 95 | { |
81d882d5 DS |
96 | const bool first_time_save = c->first_time; |
97 | const struct context_persist cpsave = c->persist; | |
98 | context_clear(c); | |
99 | c->first_time = first_time_save; | |
100 | c->persist = cpsave; | |
6fbf66fa JY |
101 | } |
102 | ||
4a9d1d70 SK |
103 | /* |
104 | * Pass tunnel endpoint and MTU parms to a user-supplied script. | |
105 | * Used to execute the up/down script/plugins. | |
106 | */ | |
107 | static void | |
108 | run_up_down(const char *command, | |
109 | const struct plugin_list *plugins, | |
110 | int plugin_type, | |
111 | const char *arg, | |
112 | #ifdef _WIN32 | |
113 | DWORD adapter_index, | |
114 | #endif | |
115 | const char *dev_type, | |
116 | int tun_mtu, | |
4a9d1d70 SK |
117 | const char *ifconfig_local, |
118 | const char *ifconfig_remote, | |
119 | const char *context, | |
120 | const char *signal_text, | |
121 | const char *script_type, | |
122 | struct env_set *es) | |
123 | { | |
124 | struct gc_arena gc = gc_new(); | |
125 | ||
126 | if (signal_text) | |
127 | { | |
128 | setenv_str(es, "signal", signal_text); | |
129 | } | |
130 | setenv_str(es, "script_context", context); | |
131 | setenv_int(es, "tun_mtu", tun_mtu); | |
4a9d1d70 SK |
132 | setenv_str(es, "dev", arg); |
133 | if (dev_type) | |
134 | { | |
135 | setenv_str(es, "dev_type", dev_type); | |
136 | } | |
137 | #ifdef _WIN32 | |
138 | setenv_int(es, "dev_idx", adapter_index); | |
139 | #endif | |
140 | ||
141 | if (!ifconfig_local) | |
142 | { | |
143 | ifconfig_local = ""; | |
144 | } | |
145 | if (!ifconfig_remote) | |
146 | { | |
147 | ifconfig_remote = ""; | |
148 | } | |
149 | if (!context) | |
150 | { | |
151 | context = ""; | |
152 | } | |
153 | ||
154 | if (plugin_defined(plugins, plugin_type)) | |
155 | { | |
156 | struct argv argv = argv_new(); | |
157 | ASSERT(arg); | |
158 | argv_printf(&argv, | |
3780ce0e AS |
159 | "%s %d 0 %s %s %s", |
160 | arg, tun_mtu, ifconfig_local, ifconfig_remote, context); | |
4a9d1d70 SK |
161 | |
162 | if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) | |
163 | { | |
164 | msg(M_FATAL, "ERROR: up/down plugin call failed"); | |
165 | } | |
166 | ||
870e2405 | 167 | argv_free(&argv); |
4a9d1d70 SK |
168 | } |
169 | ||
170 | if (command) | |
171 | { | |
172 | struct argv argv = argv_new(); | |
173 | ASSERT(arg); | |
174 | setenv_str(es, "script_type", script_type); | |
175 | argv_parse_cmd(&argv, command); | |
3780ce0e | 176 | argv_printf_cat(&argv, "%s %d 0 %s %s %s", arg, tun_mtu, |
4a9d1d70 SK |
177 | ifconfig_local, ifconfig_remote, context); |
178 | argv_msg(M_INFO, &argv); | |
179 | openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); | |
870e2405 | 180 | argv_free(&argv); |
4a9d1d70 SK |
181 | } |
182 | ||
183 | gc_free(&gc); | |
184 | } | |
185 | ||
6fbf66fa | 186 | /* |
4e9a51d7 JY |
187 | * Should be called after options->ce is modified at the top |
188 | * of a SIGUSR1 restart. | |
6fbf66fa JY |
189 | */ |
190 | static void | |
81d882d5 | 191 | update_options_ce_post(struct options *options) |
6fbf66fa | 192 | { |
81d882d5 DS |
193 | /* |
194 | * In pull mode, we usually import --ping/--ping-restart parameters from | |
195 | * the server. However we should also set an initial default --ping-restart | |
196 | * for the period of time before we pull the --ping-restart parameter | |
197 | * from the server. | |
198 | */ | |
199 | if (options->pull | |
200 | && options->ping_rec_timeout_action == PING_UNDEF | |
201 | && proto_is_dgram(options->ce.proto)) | |
4e9a51d7 | 202 | { |
81d882d5 DS |
203 | options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; |
204 | options->ping_rec_timeout_action = PING_RESTART; | |
4e9a51d7 | 205 | } |
4e9a51d7 | 206 | } |
6fbf66fa | 207 | |
af1bf85a | 208 | #ifdef ENABLE_MANAGEMENT |
3cf6c932 | 209 | static bool |
81d882d5 | 210 | management_callback_proxy_cmd(void *arg, const char **p) |
3cf6c932 | 211 | { |
81d882d5 DS |
212 | struct context *c = arg; |
213 | struct connection_entry *ce = &c->options.ce; | |
214 | struct gc_arena *gc = &c->c2.gc; | |
215 | bool ret = false; | |
3cf6c932 | 216 | |
81d882d5 DS |
217 | update_time(); |
218 | if (streq(p[1], "NONE")) | |
219 | { | |
220 | ret = true; | |
221 | } | |
222 | else if (p[2] && p[3]) | |
af1bf85a | 223 | { |
45a1cb2a LS |
224 | if (dco_enabled(&c->options)) |
225 | { | |
226 | msg(M_INFO, "Proxy set via management, disabling Data Channel Offload."); | |
227 | c->options.tuntap_options.disable_dco = true; | |
228 | } | |
229 | ||
81d882d5 | 230 | if (streq(p[1], "HTTP")) |
af1bf85a | 231 | { |
81d882d5 DS |
232 | struct http_proxy_options *ho; |
233 | if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT) | |
e719a053 | 234 | { |
81d882d5 DS |
235 | msg(M_WARN, "HTTP proxy support only works for TCP based connections"); |
236 | return false; | |
af1bf85a | 237 | } |
81d882d5 DS |
238 | ho = init_http_proxy_options_once(&ce->http_proxy_options, gc); |
239 | ho->server = string_alloc(p[2], gc); | |
240 | ho->port = string_alloc(p[3], gc); | |
241 | ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL); | |
242 | ret = true; | |
af1bf85a | 243 | } |
81d882d5 | 244 | else if (streq(p[1], "SOCKS")) |
af1bf85a | 245 | { |
81d882d5 | 246 | ce->socks_proxy_server = string_alloc(p[2], gc); |
aa9d3a5b | 247 | ce->socks_proxy_port = string_alloc(p[3], gc); |
81d882d5 | 248 | ret = true; |
af1bf85a | 249 | } |
3cf6c932 | 250 | } |
81d882d5 DS |
251 | else |
252 | { | |
253 | msg(M_WARN, "Bad proxy command"); | |
254 | } | |
3cf6c932 | 255 | |
81d882d5 | 256 | ce->flags &= ~CE_MAN_QUERY_PROXY; |
3cf6c932 | 257 | |
81d882d5 | 258 | return ret; |
3cf6c932 JY |
259 | } |
260 | ||
261 | static bool | |
81d882d5 DS |
262 | ce_management_query_proxy(struct context *c) |
263 | { | |
264 | const struct connection_list *l = c->options.connection_list; | |
265 | struct connection_entry *ce = &c->options.ce; | |
266 | struct gc_arena gc; | |
267 | bool ret = true; | |
268 | ||
269 | update_time(); | |
270 | if (management) | |
271 | { | |
272 | gc = gc_new(); | |
273 | { | |
274 | struct buffer out = alloc_buf_gc(256, &gc); | |
275 | buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, | |
276 | (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote)); | |
277 | management_notify_generic(management, BSTR(&out)); | |
93ba6ccd | 278 | management->persist.special_state_msg = BSTR(&out); |
81d882d5 DS |
279 | } |
280 | ce->flags |= CE_MAN_QUERY_PROXY; | |
281 | while (ce->flags & CE_MAN_QUERY_PROXY) | |
282 | { | |
283 | management_event_loop_n_seconds(management, 1); | |
284 | if (IS_SIG(c)) | |
af1bf85a | 285 | { |
81d882d5 DS |
286 | ret = false; |
287 | break; | |
af1bf85a HH |
288 | } |
289 | } | |
93ba6ccd | 290 | management->persist.special_state_msg = NULL; |
81d882d5 | 291 | gc_free(&gc); |
3cf6c932 | 292 | } |
af1bf85a | 293 | |
81d882d5 | 294 | return ret; |
3cf6c932 JY |
295 | } |
296 | ||
adb9bb91 AS |
297 | /** |
298 | * This method sends a custom control channel message | |
299 | * | |
300 | * This will write the control message | |
301 | * | |
302 | * command parm1,parm2,.. | |
303 | * . | |
304 | * to the control channel. | |
305 | * | |
306 | * @param arg The context struct | |
307 | * @param command The command being sent | |
308 | * @param parameters the parameters to the command | |
309 | * @return if sending was successful | |
310 | */ | |
311 | static bool | |
312 | management_callback_send_cc_message(void *arg, | |
313 | const char *command, | |
314 | const char *parameters) | |
315 | { | |
316 | struct context *c = (struct context *) arg; | |
62560e2a | 317 | size_t len = strlen(command) + 1 + strlen(parameters) + 1; |
adb9bb91 AS |
318 | if (len > PUSH_BUNDLE_SIZE) |
319 | { | |
320 | return false; | |
321 | } | |
322 | ||
323 | struct gc_arena gc = gc_new(); | |
324 | struct buffer buf = alloc_buf_gc(len, &gc); | |
325 | ASSERT(buf_printf(&buf, "%s", command)); | |
326 | if (parameters) | |
327 | { | |
328 | ASSERT(buf_printf(&buf, ",%s", parameters)); | |
329 | } | |
330 | bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH); | |
331 | ||
332 | gc_free(&gc); | |
333 | return status; | |
334 | } | |
3cf6c932 | 335 | |
12526380 SN |
336 | static unsigned int |
337 | management_callback_remote_entry_count(void *arg) | |
338 | { | |
339 | assert(arg); | |
340 | struct context *c = (struct context *) arg; | |
341 | struct connection_list *l = c->options.connection_list; | |
342 | ||
343 | return l->len; | |
344 | } | |
345 | ||
346 | static bool | |
347 | management_callback_remote_entry_get(void *arg, unsigned int index, char **remote) | |
348 | { | |
349 | assert(arg); | |
350 | assert(remote); | |
351 | ||
352 | struct context *c = (struct context *) arg; | |
353 | struct connection_list *l = c->options.connection_list; | |
354 | bool ret = true; | |
355 | ||
356 | if (index < l->len) | |
357 | { | |
358 | struct connection_entry *ce = l->array[index]; | |
359 | const char *proto = proto2ascii(ce->proto, ce->af, false); | |
eafbedc5 | 360 | const char *status = (ce->flags & CE_DISABLED) ? "disabled" : "enabled"; |
12526380 | 361 | |
eafbedc5 SN |
362 | /* space for output including 3 commas and a nul */ |
363 | int len = strlen(ce->remote) + strlen(ce->remote_port) + strlen(proto) | |
364 | + strlen(status) + 3 + 1; | |
12526380 SN |
365 | char *out = malloc(len); |
366 | check_malloc_return(out); | |
367 | ||
eafbedc5 | 368 | openvpn_snprintf(out, len, "%s,%s,%s,%s", ce->remote, ce->remote_port, proto, status); |
12526380 SN |
369 | *remote = out; |
370 | } | |
371 | else | |
372 | { | |
373 | ret = false; | |
374 | msg(M_WARN, "Out of bounds index in management query for remote entry: index = %u", index); | |
375 | } | |
376 | ||
377 | return ret; | |
378 | } | |
379 | ||
54561af6 | 380 | static bool |
81d882d5 DS |
381 | management_callback_remote_cmd(void *arg, const char **p) |
382 | { | |
383 | struct context *c = (struct context *) arg; | |
384 | struct connection_entry *ce = &c->options.ce; | |
385 | int ret = false; | |
386 | if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
387 | { | |
388 | int flags = 0; | |
389 | if (!strcmp(p[1], "ACCEPT")) | |
390 | { | |
391 | flags = CE_MAN_QUERY_REMOTE_ACCEPT; | |
392 | ret = true; | |
393 | } | |
394 | else if (!strcmp(p[1], "SKIP")) | |
395 | { | |
396 | flags = CE_MAN_QUERY_REMOTE_SKIP; | |
397 | ret = true; | |
ec5ffe35 | 398 | c->options.ce_advance_count = (p[2]) ? atoi(p[2]) : 1; |
81d882d5 DS |
399 | } |
400 | else if (!strcmp(p[1], "MOD") && p[2] && p[3]) | |
401 | { | |
402 | if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) | |
403 | { | |
404 | struct remote_host_store *rhs = c->options.rh_store; | |
405 | if (!rhs) | |
406 | { | |
407 | ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc); | |
408 | c->options.rh_store = rhs; | |
409 | } | |
410 | strncpynt(rhs->host, p[2], RH_HOST_LEN); | |
411 | strncpynt(rhs->port, p[3], RH_PORT_LEN); | |
412 | ||
413 | ce->remote = rhs->host; | |
414 | ce->remote_port = rhs->port; | |
415 | flags = CE_MAN_QUERY_REMOTE_MOD; | |
416 | ret = true; | |
417 | } | |
418 | } | |
419 | if (ret) | |
420 | { | |
421 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); | |
422 | ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT); | |
423 | } | |
424 | } | |
425 | return ret; | |
54561af6 JY |
426 | } |
427 | ||
428 | static bool | |
81d882d5 DS |
429 | ce_management_query_remote(struct context *c) |
430 | { | |
431 | struct gc_arena gc = gc_new(); | |
432 | volatile struct connection_entry *ce = &c->options.ce; | |
e81f313a DS |
433 | int ce_changed = true; /* presume the connection entry will be changed */ |
434 | ||
81d882d5 DS |
435 | update_time(); |
436 | if (management) | |
437 | { | |
438 | struct buffer out = alloc_buf_gc(256, &gc); | |
e81f313a DS |
439 | |
440 | buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, | |
441 | proto2ascii(ce->proto, ce->af, false)); | |
81d882d5 | 442 | management_notify_generic(management, BSTR(&out)); |
93ba6ccd | 443 | management->persist.special_state_msg = BSTR(&out); |
e81f313a DS |
444 | |
445 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); | |
446 | ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); | |
447 | while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) | |
448 | & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
81d882d5 DS |
449 | { |
450 | management_event_loop_n_seconds(management, 1); | |
451 | if (IS_SIG(c)) | |
452 | { | |
e81f313a | 453 | ce_changed = false; /* connection entry have not been set */ |
81d882d5 DS |
454 | break; |
455 | } | |
456 | } | |
93ba6ccd | 457 | management->persist.special_state_msg = NULL; |
81d882d5 | 458 | } |
e81f313a DS |
459 | gc_free(&gc); |
460 | ||
461 | if (ce_changed) | |
81d882d5 | 462 | { |
e81f313a DS |
463 | /* If it is likely a connection entry was modified, |
464 | * check what changed in the flags and that it was not skipped | |
465 | */ | |
466 | const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) | |
467 | & CE_MAN_QUERY_REMOTE_MASK); | |
468 | ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP); | |
81d882d5 | 469 | } |
e81f313a | 470 | return ce_changed; |
54561af6 | 471 | } |
cf93f0e0 | 472 | #endif /* ENABLE_MANAGEMENT */ |
54561af6 | 473 | |
4e9a51d7 JY |
474 | /* |
475 | * Initialize and possibly randomize connection list. | |
476 | */ | |
477 | static void | |
81d882d5 | 478 | init_connection_list(struct context *c) |
4e9a51d7 | 479 | { |
81d882d5 | 480 | struct connection_list *l = c->options.connection_list; |
23d61c56 | 481 | |
81d882d5 DS |
482 | l->current = -1; |
483 | if (c->options.remote_random) | |
6fbf66fa | 484 | { |
81d882d5 DS |
485 | int i; |
486 | for (i = 0; i < l->len; ++i) | |
23d61c56 | 487 | { |
81d882d5 DS |
488 | const int j = get_random() % l->len; |
489 | if (i != j) | |
23d61c56 | 490 | { |
81d882d5 DS |
491 | struct connection_entry *tmp; |
492 | tmp = l->array[i]; | |
493 | l->array[i] = l->array[j]; | |
494 | l->array[j] = tmp; | |
23d61c56 AS |
495 | } |
496 | } | |
6fbf66fa | 497 | } |
4e9a51d7 JY |
498 | } |
499 | ||
23d61c56 AS |
500 | /* |
501 | * Clear the remote address list | |
502 | */ | |
81d882d5 DS |
503 | static void |
504 | clear_remote_addrlist(struct link_socket_addr *lsa, bool free) | |
23d61c56 | 505 | { |
e719a053 | 506 | if (lsa->remote_list && free) |
81d882d5 DS |
507 | { |
508 | freeaddrinfo(lsa->remote_list); | |
509 | } | |
23d61c56 AS |
510 | lsa->remote_list = NULL; |
511 | lsa->current_remote = NULL; | |
512 | } | |
513 | ||
4e9a51d7 JY |
514 | /* |
515 | * Increment to next connection entry | |
516 | */ | |
517 | static void | |
81d882d5 DS |
518 | next_connection_entry(struct context *c) |
519 | { | |
520 | struct connection_list *l = c->options.connection_list; | |
521 | bool ce_defined; | |
522 | struct connection_entry *ce; | |
523 | int n_cycles = 0; | |
524 | ||
4cd4899e SK |
525 | do |
526 | { | |
81d882d5 DS |
527 | ce_defined = true; |
528 | if (c->options.no_advance && l->current >= 0) | |
529 | { | |
530 | c->options.no_advance = false; | |
531 | } | |
23d61c56 | 532 | else |
81d882d5 DS |
533 | { |
534 | /* Check if there is another resolved address to try for | |
535 | * the current connection */ | |
536 | if (c->c1.link_socket_addr.current_remote | |
c9474fa3 AS |
537 | && c->c1.link_socket_addr.current_remote->ai_next |
538 | && !c->options.advance_next_remote) | |
81d882d5 | 539 | { |
23d61c56 | 540 | c->c1.link_socket_addr.current_remote = |
81d882d5 DS |
541 | c->c1.link_socket_addr.current_remote->ai_next; |
542 | } | |
543 | else | |
544 | { | |
c9474fa3 | 545 | c->options.advance_next_remote = false; |
81d882d5 DS |
546 | /* FIXME (schwabe) fix the persist-remote-ip option for real, |
547 | * this is broken probably ever since connection lists and multiple | |
548 | * remote existed | |
549 | */ | |
550 | if (!c->options.persist_remote_ip) | |
551 | { | |
3ad86c25 VG |
552 | /* Connection entry addrinfo objects might have been |
553 | * resolved earlier but the entry itself might have been | |
554 | * skipped by management on the previous loop. | |
555 | * If so, clear the addrinfo objects as close_instance does | |
556 | */ | |
557 | if (c->c1.link_socket_addr.remote_list) | |
558 | { | |
559 | clear_remote_addrlist(&c->c1.link_socket_addr, | |
560 | !c->options.resolve_in_advance); | |
561 | } | |
562 | ||
81d882d5 DS |
563 | /* close_instance should have cleared the addrinfo objects */ |
564 | ASSERT(c->c1.link_socket_addr.current_remote == NULL); | |
565 | ASSERT(c->c1.link_socket_addr.remote_list == NULL); | |
566 | } | |
567 | else | |
568 | { | |
569 | c->c1.link_socket_addr.current_remote = | |
570 | c->c1.link_socket_addr.remote_list; | |
571 | } | |
572 | ||
ec5ffe35 SN |
573 | int advance_count = 1; |
574 | ||
575 | /* If previous connection entry was skipped by management client | |
576 | * with a count to advance by, apply it. | |
577 | */ | |
578 | if (c->options.ce_advance_count > 0) | |
579 | { | |
580 | advance_count = c->options.ce_advance_count; | |
581 | } | |
582 | ||
81d882d5 DS |
583 | /* |
584 | * Increase the number of connection attempts | |
585 | * If this is connect-retry-max * size(l) | |
586 | * OpenVPN will quit | |
587 | */ | |
588 | ||
ec5ffe35 SN |
589 | c->options.unsuccessful_attempts += advance_count; |
590 | l->current += advance_count; | |
81d882d5 | 591 | |
ec5ffe35 | 592 | if (l->current >= l->len) |
81d882d5 | 593 | { |
ec5ffe35 | 594 | l->current %= l->len; |
81d882d5 DS |
595 | if (++n_cycles >= 2) |
596 | { | |
597 | msg(M_FATAL, "No usable connection profiles are present"); | |
598 | } | |
599 | } | |
600 | } | |
601 | } | |
3cf6c932 | 602 | |
ec5ffe35 | 603 | c->options.ce_advance_count = 1; |
81d882d5 | 604 | ce = l->array[l->current]; |
3cf6c932 | 605 | |
81d882d5 DS |
606 | if (ce->flags & CE_DISABLED) |
607 | { | |
608 | ce_defined = false; | |
609 | } | |
3cf6c932 | 610 | |
81d882d5 | 611 | c->options.ce = *ce; |
cf93f0e0 | 612 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
613 | if (ce_defined && management && management_query_remote_enabled(management)) |
614 | { | |
615 | /* allow management interface to override connection entry details */ | |
616 | ce_defined = ce_management_query_remote(c); | |
617 | if (IS_SIG(c)) | |
618 | { | |
619 | break; | |
620 | } | |
621 | } | |
7b02cc2a | 622 | else if (ce_defined && management && management_query_proxy_enabled(management)) |
23d61c56 | 623 | { |
81d882d5 DS |
624 | ce_defined = ce_management_query_proxy(c); |
625 | if (IS_SIG(c)) | |
626 | { | |
627 | break; | |
628 | } | |
23d61c56 | 629 | } |
3cf6c932 | 630 | #endif |
81d882d5 | 631 | } while (!ce_defined); |
23d61c56 | 632 | |
81d882d5 DS |
633 | /* Check if this connection attempt would bring us over the limit */ |
634 | if (c->options.connect_retry_max > 0 | |
635 | && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) | |
636 | { | |
637 | msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", | |
638 | c->options.connect_retry_max); | |
639 | } | |
640 | update_options_ce_post(&c->options); | |
6fbf66fa JY |
641 | } |
642 | ||
92bbb061 JY |
643 | /* |
644 | * Query for private key and auth-user-pass username/passwords | |
645 | */ | |
315f6fbc | 646 | void |
81d882d5 | 647 | init_query_passwords(const struct context *c) |
92bbb061 | 648 | { |
81d882d5 DS |
649 | /* Certificate password input */ |
650 | if (c->options.key_pass_file) | |
651 | { | |
652 | pem_password_setup(c->options.key_pass_file); | |
653 | } | |
81d882d5 | 654 | |
81d882d5 DS |
655 | /* Auth user/pass input */ |
656 | if (c->options.auth_user_pass_file) | |
eab3e22f | 657 | { |
7d291e10 | 658 | enable_auth_user_pass(); |
66b9409b | 659 | #ifdef ENABLE_MANAGEMENT |
7d48d31b AQ |
660 | auth_user_pass_setup(c->options.auth_user_pass_file, |
661 | c->options.auth_user_pass_file_inline, | |
662 | &c->options.sc_info); | |
eab3e22f | 663 | #else |
7d48d31b AQ |
664 | auth_user_pass_setup(c->options.auth_user_pass_file, |
665 | c->options.auth_user_pass_file_inline, NULL); | |
eab3e22f JY |
666 | #endif |
667 | } | |
92bbb061 JY |
668 | } |
669 | ||
4e9a51d7 JY |
670 | /* |
671 | * Initialize/Uninitialize HTTP or SOCKS proxy | |
672 | */ | |
673 | ||
4e9a51d7 | 674 | static void |
81d882d5 | 675 | uninit_proxy_dowork(struct context *c) |
4e9a51d7 | 676 | { |
81d882d5 | 677 | if (c->c1.http_proxy_owned && c->c1.http_proxy) |
4e9a51d7 | 678 | { |
81d882d5 DS |
679 | http_proxy_close(c->c1.http_proxy); |
680 | c->c1.http_proxy = NULL; | |
681 | c->c1.http_proxy_owned = false; | |
4e9a51d7 | 682 | } |
81d882d5 | 683 | if (c->c1.socks_proxy_owned && c->c1.socks_proxy) |
4e9a51d7 | 684 | { |
81d882d5 DS |
685 | socks_proxy_close(c->c1.socks_proxy); |
686 | c->c1.socks_proxy = NULL; | |
687 | c->c1.socks_proxy_owned = false; | |
4e9a51d7 | 688 | } |
4e9a51d7 JY |
689 | } |
690 | ||
691 | static void | |
81d882d5 | 692 | init_proxy_dowork(struct context *c) |
6fbf66fa | 693 | { |
81d882d5 | 694 | bool did_http = false; |
f214bb21 | 695 | |
81d882d5 | 696 | uninit_proxy_dowork(c); |
4e9a51d7 | 697 | |
81d882d5 | 698 | if (c->options.ce.http_proxy_options) |
4e9a51d7 | 699 | { |
81d882d5 DS |
700 | /* Possible HTTP proxy user/pass input */ |
701 | c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); | |
702 | if (c->c1.http_proxy) | |
703 | { | |
704 | did_http = true; | |
705 | c->c1.http_proxy_owned = true; | |
706 | } | |
4e9a51d7 | 707 | } |
4e9a51d7 | 708 | |
a4b8f653 | 709 | if (!did_http && c->options.ce.socks_proxy_server) |
4e9a51d7 | 710 | { |
81d882d5 DS |
711 | c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server, |
712 | c->options.ce.socks_proxy_port, | |
713 | c->options.ce.socks_proxy_authfile); | |
714 | if (c->c1.socks_proxy) | |
715 | { | |
716 | c->c1.socks_proxy_owned = true; | |
717 | } | |
4e9a51d7 | 718 | } |
4e9a51d7 JY |
719 | } |
720 | ||
721 | static void | |
81d882d5 | 722 | init_proxy(struct context *c) |
4e9a51d7 | 723 | { |
81d882d5 | 724 | init_proxy_dowork(c); |
4e9a51d7 JY |
725 | } |
726 | ||
727 | static void | |
81d882d5 | 728 | uninit_proxy(struct context *c) |
4e9a51d7 | 729 | { |
81d882d5 | 730 | uninit_proxy_dowork(c); |
4e9a51d7 JY |
731 | } |
732 | ||
4e9a51d7 | 733 | void |
81d882d5 | 734 | context_init_1(struct context *c) |
4e9a51d7 | 735 | { |
81d882d5 | 736 | context_clear_1(c); |
6fbf66fa | 737 | |
81d882d5 | 738 | packet_id_persist_init(&c->c1.pid_persist); |
4e9a51d7 | 739 | |
81d882d5 | 740 | init_connection_list(c); |
6fbf66fa | 741 | |
ce98fd24 | 742 | #if defined(ENABLE_PKCS11) |
81d882d5 DS |
743 | if (c->first_time) |
744 | { | |
745 | int i; | |
746 | pkcs11_initialize(true, c->options.pkcs11_pin_cache_period); | |
747 | for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++) | |
4cd4899e | 748 | { |
81d882d5 DS |
749 | pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], |
750 | c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); | |
4cd4899e | 751 | } |
81d882d5 | 752 | } |
ce98fd24 | 753 | #endif |
984cf003 | 754 | |
c67d59cd | 755 | #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ |
81d882d5 DS |
756 | { |
757 | /* | |
758 | * In the management interface, you can okay the request by entering "needok token-insertion-request ok" | |
759 | */ | |
760 | struct user_pass up; | |
761 | CLEAR(up); | |
762 | strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ | |
763 | get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); | |
764 | msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface | |
765 | * 'needok' command, usually 'ok' or 'cancel'. */ | |
766 | } | |
dd1047f5 JY |
767 | #endif |
768 | ||
e83a8684 DS |
769 | #ifdef ENABLE_SYSTEMD |
770 | /* We can report the PID via getpid() to systemd here as OpenVPN will not | |
771 | * do any fork due to daemon() a future call. | |
772 | * See possibly_become_daemon() [init.c] for more details. | |
773 | */ | |
b13bc6c9 | 774 | sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu", |
e83a8684 DS |
775 | (unsigned long) getpid()); |
776 | #endif | |
777 | ||
6fbf66fa JY |
778 | } |
779 | ||
780 | void | |
81d882d5 | 781 | context_gc_free(struct context *c) |
6fbf66fa | 782 | { |
81d882d5 DS |
783 | gc_free(&c->c2.gc); |
784 | gc_free(&c->options.gc); | |
785 | gc_free(&c->gc); | |
6fbf66fa JY |
786 | } |
787 | ||
6add6b2f JY |
788 | #if PORT_SHARE |
789 | ||
790 | static void | |
81d882d5 | 791 | close_port_share(void) |
6add6b2f | 792 | { |
81d882d5 | 793 | if (port_share) |
6add6b2f | 794 | { |
81d882d5 DS |
795 | port_share_close(port_share); |
796 | port_share = NULL; | |
6add6b2f JY |
797 | } |
798 | } | |
799 | ||
800 | static void | |
81d882d5 | 801 | init_port_share(struct context *c) |
6add6b2f | 802 | { |
81d882d5 | 803 | if (!port_share && (c->options.port_share_host && c->options.port_share_port)) |
6add6b2f | 804 | { |
81d882d5 DS |
805 | port_share = port_share_open(c->options.port_share_host, |
806 | c->options.port_share_port, | |
65a21eb1 | 807 | c->c2.frame.buf.payload_size, |
81d882d5 DS |
808 | c->options.port_share_journal_dir); |
809 | if (port_share == NULL) | |
810 | { | |
811 | msg(M_FATAL, "Fatal error: Port sharing failed"); | |
812 | } | |
6add6b2f JY |
813 | } |
814 | } | |
815 | ||
81d882d5 | 816 | #endif /* if PORT_SHARE */ |
6add6b2f | 817 | |
e74e3a4d | 818 | |
6fbf66fa | 819 | bool |
81d882d5 | 820 | init_static(void) |
6fbf66fa | 821 | { |
81d882d5 | 822 | /* configure_path (); */ |
c67d59cd | 823 | |
c7ca9133 | 824 | #if defined(DMALLOC) |
81d882d5 | 825 | crypto_init_dmalloc(); |
6fbf66fa JY |
826 | #endif |
827 | ||
e74e3a4d DS |
828 | |
829 | /* | |
830 | * Initialize random number seed. random() is only used | |
831 | * when "weak" random numbers are acceptable. | |
832 | * SSL library routines are always used when cryptographically | |
833 | * strong random numbers are required. | |
834 | */ | |
835 | struct timeval tv; | |
836 | if (!gettimeofday(&tv, NULL)) | |
837 | { | |
838 | const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; | |
839 | srandom(seed); | |
840 | } | |
841 | ||
81d882d5 DS |
842 | error_reset(); /* initialize error.c */ |
843 | reset_check_status(); /* initialize status check code in socket.c */ | |
6fbf66fa | 844 | |
445b192a | 845 | #ifdef _WIN32 |
81d882d5 | 846 | init_win32(); |
6fbf66fa JY |
847 | #endif |
848 | ||
849 | #ifdef OPENVPN_DEBUG_COMMAND_LINE | |
81d882d5 DS |
850 | { |
851 | int i; | |
852 | for (i = 0; i < argc; ++i) | |
4cd4899e | 853 | { |
81d882d5 | 854 | msg(M_INFO, "argv[%d] = '%s'", i, argv[i]); |
4cd4899e | 855 | } |
81d882d5 | 856 | } |
6fbf66fa JY |
857 | #endif |
858 | ||
81d882d5 | 859 | update_time(); |
6fbf66fa | 860 | |
81d882d5 | 861 | init_ssl_lib(); |
6fbf66fa | 862 | |
6fbf66fa | 863 | #ifdef SCHEDULE_TEST |
81d882d5 DS |
864 | schedule_test(); |
865 | return false; | |
6fbf66fa JY |
866 | #endif |
867 | ||
6fbf66fa | 868 | #ifdef IFCONFIG_POOL_TEST |
81d882d5 DS |
869 | ifconfig_pool_test(0x0A010004, 0x0A0100FF); |
870 | return false; | |
6fbf66fa JY |
871 | #endif |
872 | ||
428b8279 | 873 | #ifdef TIME_TEST |
81d882d5 DS |
874 | time_test(); |
875 | return false; | |
428b8279 JY |
876 | #endif |
877 | ||
6cd276ba | 878 | #ifdef GEN_PATH_TEST |
81d882d5 DS |
879 | { |
880 | struct gc_arena gc = gc_new(); | |
881 | const char *fn = gen_path("foo", | |
882 | "bar", | |
883 | &gc); | |
884 | printf("%s\n", fn); | |
885 | gc_free(&gc); | |
886 | } | |
887 | return false; | |
6cd276ba | 888 | #endif |
ddad0a8c | 889 | |
6cd276ba | 890 | #ifdef STATUS_PRINTF_TEST |
81d882d5 DS |
891 | { |
892 | struct gc_arena gc = gc_new(); | |
b7bea782 | 893 | const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc); |
81d882d5 DS |
894 | struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); |
895 | status_printf(so, "%s", "foo"); | |
896 | status_printf(so, "%s", "bar"); | |
897 | if (!status_close(so)) | |
898 | { | |
899 | msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); | |
900 | } | |
901 | gc_free(&gc); | |
902 | } | |
903 | return false; | |
ddad0a8c JY |
904 | #endif |
905 | ||
ffea644c | 906 | #ifdef MSTATS_TEST |
81d882d5 DS |
907 | { |
908 | int i; | |
909 | mstats_open("/dev/shm/mstats.dat"); | |
910 | for (i = 0; i < 30; ++i) | |
911 | { | |
912 | mmap_stats->n_clients += 1; | |
913 | mmap_stats->link_write_bytes += 8; | |
914 | mmap_stats->link_read_bytes += 16; | |
915 | sleep(1); | |
916 | } | |
917 | mstats_close(); | |
918 | return false; | |
919 | } | |
ffea644c JY |
920 | #endif |
921 | ||
81d882d5 | 922 | return true; |
6fbf66fa JY |
923 | } |
924 | ||
925 | void | |
81d882d5 | 926 | uninit_static(void) |
6fbf66fa | 927 | { |
81d882d5 | 928 | free_ssl_lib(); |
ce98fd24 | 929 | |
ce98fd24 | 930 | #ifdef ENABLE_PKCS11 |
81d882d5 | 931 | pkcs11_terminate(); |
ce98fd24 | 932 | #endif |
6fbf66fa | 933 | |
6add6b2f | 934 | #if PORT_SHARE |
81d882d5 | 935 | close_port_share(); |
6add6b2f JY |
936 | #endif |
937 | ||
c7ca9133 | 938 | #if defined(MEASURE_TLS_HANDSHAKE_STATS) |
81d882d5 | 939 | show_tls_performance_stats(); |
6fbf66fa JY |
940 | #endif |
941 | } | |
942 | ||
943 | void | |
81d882d5 | 944 | init_verb_mute(struct context *c, unsigned int flags) |
6fbf66fa | 945 | { |
81d882d5 | 946 | if (flags & IVM_LEVEL_1) |
6fbf66fa | 947 | { |
81d882d5 DS |
948 | /* set verbosity and mute levels */ |
949 | set_check_status(D_LINK_ERRORS, D_READ_WRITE); | |
950 | set_debug_level(c->options.verbosity, SDL_CONSTRAIN); | |
951 | set_mute_cutoff(c->options.mute); | |
6fbf66fa JY |
952 | } |
953 | ||
81d882d5 DS |
954 | /* special D_LOG_RW mode */ |
955 | if (flags & IVM_LEVEL_2) | |
956 | { | |
957 | c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1)); | |
958 | } | |
6fbf66fa JY |
959 | } |
960 | ||
961 | /* | |
962 | * Possibly set --dev based on --dev-node. | |
963 | * For example, if --dev-node /tmp/foo/tun, and --dev undefined, | |
964 | * set --dev to tun. | |
965 | */ | |
966 | void | |
81d882d5 | 967 | init_options_dev(struct options *options) |
6fbf66fa | 968 | { |
81d882d5 DS |
969 | if (!options->dev && options->dev_node) |
970 | { | |
ccb636c7 | 971 | char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */ |
81d882d5 DS |
972 | options->dev = basename(dev_node); |
973 | } | |
6fbf66fa JY |
974 | } |
975 | ||
976 | bool | |
81d882d5 | 977 | print_openssl_info(const struct options *options) |
6fbf66fa | 978 | { |
81d882d5 DS |
979 | /* |
980 | * OpenSSL info print mode? | |
981 | */ | |
81d882d5 DS |
982 | if (options->show_ciphers || options->show_digests || options->show_engines |
983 | || options->show_tls_ciphers || options->show_curves) | |
6fbf66fa | 984 | { |
81d882d5 DS |
985 | if (options->show_ciphers) |
986 | { | |
987 | show_available_ciphers(); | |
988 | } | |
989 | if (options->show_digests) | |
990 | { | |
991 | show_available_digests(); | |
992 | } | |
993 | if (options->show_engines) | |
994 | { | |
995 | show_available_engines(); | |
996 | } | |
997 | if (options->show_tls_ciphers) | |
998 | { | |
aba75874 | 999 | show_available_tls_ciphers(options->cipher_list, |
7aeabadd | 1000 | options->cipher_list_tls13, |
aba75874 | 1001 | options->tls_cert_profile); |
81d882d5 DS |
1002 | } |
1003 | if (options->show_curves) | |
1004 | { | |
1005 | show_available_curves(); | |
1006 | } | |
1007 | return true; | |
6fbf66fa | 1008 | } |
81d882d5 | 1009 | return false; |
6fbf66fa JY |
1010 | } |
1011 | ||
1012 | /* | |
1013 | * Static pre-shared key generation mode? | |
1014 | */ | |
1015 | bool | |
81d882d5 | 1016 | do_genkey(const struct options *options) |
6fbf66fa | 1017 | { |
9d59029a | 1018 | /* should we disable paging? */ |
0d80b562 | 1019 | if (options->mlock && (options->genkey)) |
9d59029a SK |
1020 | { |
1021 | platform_mlockall(true); | |
1022 | } | |
0d80b562 AS |
1023 | |
1024 | /* | |
1025 | * We do not want user to use --genkey with --secret. In the transistion | |
1026 | * phase we for secret. | |
1027 | */ | |
1028 | if (options->genkey && options->genkey_type != GENKEY_SECRET | |
1029 | && options->shared_secret_file) | |
1030 | { | |
1031 | msg(M_USAGE, "Using --genkey type with --secret filename is " | |
1032 | "not supported. Use --genkey type filename instead."); | |
1033 | } | |
1034 | if (options->genkey && options->genkey_type == GENKEY_SECRET) | |
6fbf66fa | 1035 | { |
81d882d5 | 1036 | int nbits_written; |
0d80b562 AS |
1037 | const char *genkey_filename = options->genkey_filename; |
1038 | if (options->shared_secret_file && options->genkey_filename) | |
1039 | { | |
1040 | msg(M_USAGE, "You must provide a filename to either --genkey " | |
1041 | "or --secret, not both"); | |
1042 | } | |
6fbf66fa | 1043 | |
0d80b562 AS |
1044 | /* |
1045 | * Copy filename from shared_secret_file to genkey_filename to support | |
1046 | * the old --genkey --secret foo.file syntax. | |
1047 | */ | |
1048 | if (options->shared_secret_file) | |
1049 | { | |
1050 | msg(M_WARN, "WARNING: Using --genkey --secret filename is " | |
1051 | "DEPRECATED. Use --genkey secret filename instead."); | |
1052 | genkey_filename = options->shared_secret_file; | |
1053 | } | |
6fbf66fa | 1054 | |
0d80b562 | 1055 | nbits_written = write_key_file(2, genkey_filename); |
a8fa1679 SK |
1056 | if (nbits_written < 0) |
1057 | { | |
1058 | msg(M_FATAL, "Failed to write key file"); | |
1059 | } | |
6fbf66fa | 1060 | |
81d882d5 DS |
1061 | msg(D_GENKEY | M_NOPREFIX, |
1062 | "Randomly generated %d bit key written to %s", nbits_written, | |
1063 | options->shared_secret_file); | |
1064 | return true; | |
6fbf66fa | 1065 | } |
0d80b562 | 1066 | else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_SERVER) |
9d59029a | 1067 | { |
0d80b562 AS |
1068 | tls_crypt_v2_write_server_key_file(options->genkey_filename); |
1069 | return true; | |
1070 | } | |
1071 | else if (options->genkey && options->genkey_type == GENKEY_TLS_CRYPTV2_CLIENT) | |
1072 | { | |
1073 | if (!options->tls_crypt_v2_file) | |
9d59029a | 1074 | { |
0d80b562 AS |
1075 | msg(M_USAGE, |
1076 | "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key"); | |
9d59029a SK |
1077 | } |
1078 | ||
0d80b562 AS |
1079 | tls_crypt_v2_write_client_key_file(options->genkey_filename, |
1080 | options->genkey_extra_data, options->tls_crypt_v2_file, | |
cb2e9218 | 1081 | options->tls_crypt_v2_file_inline); |
0d80b562 AS |
1082 | return true; |
1083 | } | |
1b9a88a2 AS |
1084 | else if (options->genkey && options->genkey_type == GENKEY_AUTH_TOKEN) |
1085 | { | |
1086 | auth_token_write_server_key_file(options->genkey_filename); | |
1087 | return true; | |
1088 | } | |
0d80b562 AS |
1089 | else |
1090 | { | |
1091 | return false; | |
9d59029a | 1092 | } |
6fbf66fa JY |
1093 | } |
1094 | ||
1095 | /* | |
1096 | * Persistent TUN/TAP device management mode? | |
1097 | */ | |
1098 | bool | |
6a2fe47a | 1099 | do_persist_tuntap(struct options *options, openvpn_net_ctx_t *ctx) |
6fbf66fa | 1100 | { |
84099782 | 1101 | if (!options->persist_config) |
6fbf66fa | 1102 | { |
84099782 LS |
1103 | return false; |
1104 | } | |
1105 | ||
1106 | /* sanity check on options for --mktun or --rmtun */ | |
1107 | notnull(options->dev, "TUN/TAP device (--dev)"); | |
1108 | if (options->ce.remote || options->ifconfig_local | |
1109 | || options->ifconfig_remote_netmask | |
1110 | || options->shared_secret_file | |
1111 | || options->tls_server || options->tls_client | |
1112 | ) | |
1113 | { | |
1114 | msg(M_FATAL|M_OPTERR, | |
1115 | "options --mktun or --rmtun should only be used together with --dev"); | |
1116 | } | |
6a2fe47a AQ |
1117 | |
1118 | #if defined(ENABLE_DCO) | |
84099782 LS |
1119 | if (dco_enabled(options)) |
1120 | { | |
1121 | /* creating a DCO interface via --mktun is not supported as it does not | |
1122 | * make much sense. Since DCO is enabled by default, people may run into | |
1123 | * this without knowing, therefore this case should be properly handled. | |
1124 | * | |
1125 | * Disable DCO if --mktun was provided and print a message to let | |
1126 | * user know. | |
1127 | */ | |
1128 | if (dev_type_enum(options->dev, options->dev_type) == DEV_TYPE_TUN) | |
6a2fe47a | 1129 | { |
84099782 | 1130 | msg(M_WARN, "Note: --mktun does not support DCO. Creating TUN interface."); |
6a2fe47a | 1131 | } |
84099782 LS |
1132 | |
1133 | options->tuntap_options.disable_dco = true; | |
1134 | } | |
6a2fe47a AQ |
1135 | #endif |
1136 | ||
4ad2b65d | 1137 | #ifdef ENABLE_FEATURE_TUN_PERSIST |
84099782 LS |
1138 | tuncfg(options->dev, options->dev_type, options->dev_node, |
1139 | options->persist_mode, | |
1140 | options->username, options->groupname, &options->tuntap_options, | |
1141 | ctx); | |
1142 | if (options->persist_mode && options->lladdr) | |
1143 | { | |
1144 | set_lladdr(ctx, options->dev, options->lladdr, NULL); | |
1145 | } | |
1146 | return true; | |
81d882d5 | 1147 | #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */ |
84099782 LS |
1148 | msg(M_FATAL|M_OPTERR, |
1149 | "options --mktun and --rmtun are not available on your operating " | |
1150 | "system. Please check 'man tun' (or 'tap'), whether your system " | |
1151 | "supports using 'ifconfig %s create' / 'destroy' to create/remove " | |
1152 | "persistent tunnel interfaces.", options->dev ); | |
6fbf66fa | 1153 | #endif |
81d882d5 | 1154 | return false; |
6fbf66fa JY |
1155 | } |
1156 | ||
1157 | /* | |
1158 | * Should we become a daemon? | |
1159 | * Return true if we did it. | |
1160 | */ | |
da9b2927 | 1161 | bool |
81d882d5 | 1162 | possibly_become_daemon(const struct options *options) |
6fbf66fa | 1163 | { |
81d882d5 | 1164 | bool ret = false; |
7660bba1 CH |
1165 | |
1166 | #ifdef ENABLE_SYSTEMD | |
81d882d5 DS |
1167 | /* return without forking if we are running from systemd */ |
1168 | if (sd_notify(0, "READY=0") > 0) | |
1169 | { | |
1170 | return ret; | |
1171 | } | |
7660bba1 CH |
1172 | #endif |
1173 | ||
81d882d5 | 1174 | if (options->daemon) |
6fbf66fa | 1175 | { |
81d882d5 | 1176 | /* Don't chdir immediately, but the end of the init sequence, if needed */ |
a480eaae AS |
1177 | |
1178 | #if defined(__APPLE__) && defined(__clang__) | |
1179 | #pragma clang diagnostic push | |
1180 | #pragma clang diagnostic ignored "-Wdeprecated-declarations" | |
1181 | #endif | |
81d882d5 DS |
1182 | if (daemon(1, options->log) < 0) |
1183 | { | |
1184 | msg(M_ERR, "daemon() failed or unsupported"); | |
1185 | } | |
a480eaae AS |
1186 | #if defined(__APPLE__) && defined(__clang__) |
1187 | #pragma clang diagnostic pop | |
1188 | #endif | |
81d882d5 DS |
1189 | restore_signal_state(); |
1190 | if (options->log) | |
1191 | { | |
1192 | set_std_files_to_null(true); | |
1193 | } | |
6835555e | 1194 | |
81d882d5 | 1195 | ret = true; |
6fbf66fa | 1196 | } |
81d882d5 | 1197 | return ret; |
6fbf66fa JY |
1198 | } |
1199 | ||
1200 | /* | |
99385447 | 1201 | * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. |
6fbf66fa JY |
1202 | */ |
1203 | static void | |
81d882d5 | 1204 | do_uid_gid_chroot(struct context *c, bool no_delay) |
6fbf66fa | 1205 | { |
81d882d5 DS |
1206 | static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; |
1207 | struct context_0 *c0 = c->c0; | |
6fbf66fa | 1208 | |
81d882d5 | 1209 | if (c0 && !c0->uid_gid_chroot_set) |
6fbf66fa | 1210 | { |
81d882d5 DS |
1211 | /* chroot if requested */ |
1212 | if (c->options.chroot_dir) | |
1213 | { | |
1214 | if (no_delay) | |
65140a3a | 1215 | { |
81d882d5 DS |
1216 | platform_chroot(c->options.chroot_dir); |
1217 | } | |
1218 | else if (c->first_time) | |
1219 | { | |
1220 | msg(M_INFO, "NOTE: chroot %s", why_not); | |
1221 | } | |
1222 | } | |
1223 | ||
1224 | /* set user and/or group if we want to setuid/setgid */ | |
1225 | if (c0->uid_gid_specified) | |
1226 | { | |
1227 | if (no_delay) | |
1228 | { | |
2e359a08 TR |
1229 | platform_user_group_set(&c0->platform_state_user, |
1230 | &c0->platform_state_group, | |
1231 | c); | |
81d882d5 DS |
1232 | } |
1233 | else if (c->first_time) | |
1234 | { | |
1235 | msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not); | |
65140a3a | 1236 | } |
81d882d5 | 1237 | } |
99385447 | 1238 | |
ffea644c | 1239 | #ifdef ENABLE_MEMSTATS |
81d882d5 DS |
1240 | if (c->first_time && c->options.memstats_fn) |
1241 | { | |
1242 | mstats_open(c->options.memstats_fn); | |
1243 | } | |
ffea644c JY |
1244 | #endif |
1245 | ||
cd5990e0 | 1246 | #ifdef ENABLE_SELINUX |
81d882d5 DS |
1247 | /* Apply a SELinux context in order to restrict what OpenVPN can do |
1248 | * to _only_ what it is supposed to do after initialization is complete | |
1249 | * (basically just network I/O operations). Doing it after chroot | |
1250 | * requires /proc to be mounted in the chroot (which is annoying indeed | |
1251 | * but doing it before requires more complex SELinux policies. | |
1252 | */ | |
1253 | if (c->options.selinux_context) | |
1254 | { | |
1255 | if (no_delay) | |
1256 | { | |
1257 | if (-1 == setcon(c->options.selinux_context)) | |
1258 | { | |
1259 | msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); | |
1260 | } | |
1261 | else | |
1262 | { | |
1263 | msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); | |
1264 | } | |
1265 | } | |
1266 | else if (c->first_time) | |
1267 | { | |
1268 | msg(M_INFO, "NOTE: setcon %s", why_not); | |
1269 | } | |
1270 | } | |
1271 | #endif | |
1272 | ||
1273 | /* Privileges are going to be dropped by now (if requested), be sure | |
1274 | * to prevent any future privilege dropping attempts from now on. | |
1275 | */ | |
1276 | if (no_delay) | |
1277 | { | |
1278 | c0->uid_gid_chroot_set = true; | |
1279 | } | |
6fbf66fa JY |
1280 | } |
1281 | } | |
1282 | ||
1283 | /* | |
1284 | * Return common name in a way that is formatted for | |
1285 | * prepending to msg() output. | |
1286 | */ | |
1287 | const char * | |
81d882d5 | 1288 | format_common_name(struct context *c, struct gc_arena *gc) |
6fbf66fa | 1289 | { |
81d882d5 | 1290 | struct buffer out = alloc_buf_gc(256, gc); |
81d882d5 | 1291 | if (c->c2.tls_multi) |
6fbf66fa | 1292 | { |
81d882d5 | 1293 | buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false)); |
6fbf66fa | 1294 | } |
81d882d5 | 1295 | return BSTR(&out); |
6fbf66fa JY |
1296 | } |
1297 | ||
1298 | void | |
81d882d5 | 1299 | pre_setup(const struct options *options) |
6fbf66fa | 1300 | { |
445b192a | 1301 | #ifdef _WIN32 |
81d882d5 | 1302 | if (options->exit_event_name) |
6fbf66fa | 1303 | { |
81d882d5 DS |
1304 | win32_signal_open(&win32_signal, |
1305 | WSO_FORCE_SERVICE, | |
1306 | options->exit_event_name, | |
1307 | options->exit_event_initial_state); | |
6fbf66fa | 1308 | } |
81d882d5 | 1309 | else |
6fbf66fa | 1310 | { |
81d882d5 DS |
1311 | win32_signal_open(&win32_signal, |
1312 | WSO_FORCE_CONSOLE, | |
1313 | NULL, | |
1314 | false); | |
6fbf66fa | 1315 | |
81d882d5 DS |
1316 | /* put a title on the top window bar */ |
1317 | if (win32_signal.mode == WSO_MODE_CONSOLE) | |
1318 | { | |
1319 | window_title_save(&window_title); | |
1320 | window_title_generate(options->config); | |
1321 | } | |
6fbf66fa | 1322 | } |
81d882d5 | 1323 | #endif /* ifdef _WIN32 */ |
6fbf66fa JY |
1324 | } |
1325 | ||
1326 | void | |
81d882d5 | 1327 | reset_coarse_timers(struct context *c) |
6fbf66fa | 1328 | { |
81d882d5 | 1329 | c->c2.coarse_timer_wakeup = 0; |
6fbf66fa JY |
1330 | } |
1331 | ||
f2134b7b AS |
1332 | /* |
1333 | * Initialise the server poll timeout timer | |
1334 | * This timer is used in the http/socks proxy setup so it needs to be setup | |
1335 | * before | |
1336 | */ | |
1337 | static void | |
81d882d5 | 1338 | do_init_server_poll_timeout(struct context *c) |
f2134b7b | 1339 | { |
81d882d5 | 1340 | update_time(); |
f2134b7b | 1341 | if (c->options.ce.connect_timeout) |
81d882d5 DS |
1342 | { |
1343 | event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now); | |
1344 | } | |
f2134b7b AS |
1345 | } |
1346 | ||
6fbf66fa JY |
1347 | /* |
1348 | * Initialize timers | |
1349 | */ | |
1350 | static void | |
81d882d5 | 1351 | do_init_timers(struct context *c, bool deferred) |
6fbf66fa | 1352 | { |
81d882d5 DS |
1353 | update_time(); |
1354 | reset_coarse_timers(c); | |
6fbf66fa | 1355 | |
81d882d5 DS |
1356 | /* initialize inactivity timeout */ |
1357 | if (c->options.inactivity_timeout) | |
1358 | { | |
1359 | event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); | |
1360 | } | |
6fbf66fa | 1361 | |
f96290ff DZ |
1362 | /* initialize inactivity timeout */ |
1363 | if (c->options.session_timeout) | |
1364 | { | |
1365 | event_timeout_init(&c->c2.session_interval, c->options.session_timeout, | |
1366 | now); | |
1367 | } | |
1368 | ||
81d882d5 | 1369 | /* initialize pings */ |
a2d851d4 | 1370 | if (dco_enabled(&c->options)) |
81d882d5 | 1371 | { |
a2d851d4 AQ |
1372 | /* The DCO kernel module will send the pings instead of user space */ |
1373 | event_timeout_clear(&c->c2.ping_rec_interval); | |
1374 | event_timeout_clear(&c->c2.ping_send_interval); | |
81d882d5 | 1375 | } |
a2d851d4 | 1376 | else |
81d882d5 | 1377 | { |
a2d851d4 AQ |
1378 | if (c->options.ping_send_timeout) |
1379 | { | |
1380 | event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); | |
1381 | } | |
1382 | ||
1383 | if (c->options.ping_rec_timeout) | |
1384 | { | |
1385 | event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); | |
1386 | } | |
81d882d5 | 1387 | } |
6fbf66fa | 1388 | |
9a516170 AS |
1389 | /* If the auth-token renewal interval is shorter than reneg-sec, arm |
1390 | * "auth-token renewal" timer to send additional auth-token to update the | |
1391 | * token on the client more often. If not, this happens automatically | |
1392 | * at renegotiation time, without needing an extra event. | |
1393 | */ | |
1394 | if (c->options.auth_token_generate | |
1395 | && c->options.auth_token_renewal < c->options.renegotiate_seconds) | |
1396 | { | |
1397 | event_timeout_init(&c->c2.auth_token_renewal_interval, | |
1398 | c->options.auth_token_renewal, now); | |
1399 | } | |
1400 | ||
81d882d5 | 1401 | if (!deferred) |
6fbf66fa | 1402 | { |
81d882d5 DS |
1403 | /* initialize connection establishment timer */ |
1404 | event_timeout_init(&c->c2.wait_for_connect, 1, now); | |
6fbf66fa | 1405 | |
81d882d5 | 1406 | /* initialize occ timers */ |
6fbf66fa | 1407 | |
81d882d5 DS |
1408 | if (c->options.occ |
1409 | && !TLS_MODE(c) | |
1410 | && c->c2.options_string_local && c->c2.options_string_remote) | |
1411 | { | |
1412 | event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); | |
1413 | } | |
6fbf66fa | 1414 | |
81d882d5 DS |
1415 | if (c->options.mtu_test) |
1416 | { | |
1417 | event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); | |
1418 | } | |
6fbf66fa | 1419 | |
81d882d5 | 1420 | /* initialize packet_id persistence timer */ |
81d882d5 DS |
1421 | if (c->options.packet_id_file) |
1422 | { | |
1423 | event_timeout_init(&c->c2.packet_id_persist_interval, 60, now); | |
1424 | } | |
6fbf66fa | 1425 | |
81d882d5 DS |
1426 | /* initialize tmp_int optimization that limits the number of times we call |
1427 | * tls_multi_process in the main event loop */ | |
1428 | interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); | |
6fbf66fa JY |
1429 | } |
1430 | } | |
1431 | ||
1432 | /* | |
1433 | * Initialize traffic shaper. | |
1434 | */ | |
1435 | static void | |
81d882d5 | 1436 | do_init_traffic_shaper(struct context *c) |
6fbf66fa | 1437 | { |
81d882d5 DS |
1438 | /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ |
1439 | if (c->options.shaper) | |
6fbf66fa | 1440 | { |
81d882d5 DS |
1441 | shaper_init(&c->c2.shaper, c->options.shaper); |
1442 | shaper_msg(&c->c2.shaper); | |
6fbf66fa | 1443 | } |
6fbf66fa JY |
1444 | } |
1445 | ||
1446 | /* | |
eb95f367 GD |
1447 | * Allocate route list structures for IPv4 and IPv6 |
1448 | * (we do this for IPv4 even if no --route option has been seen, as other | |
1449 | * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) | |
6fbf66fa JY |
1450 | */ |
1451 | static void | |
81d882d5 | 1452 | do_alloc_route_list(struct context *c) |
6fbf66fa | 1453 | { |
81d882d5 DS |
1454 | if (!c->c1.route_list) |
1455 | { | |
1456 | ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc); | |
1457 | } | |
1458 | if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) | |
1459 | { | |
1460 | ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc); | |
1461 | } | |
6fbf66fa JY |
1462 | } |
1463 | ||
1464 | ||
1465 | /* | |
1466 | * Initialize the route list, resolving any DNS names in route | |
1467 | * options and saving routes in the environment. | |
1468 | */ | |
1469 | static void | |
81d882d5 DS |
1470 | do_init_route_list(const struct options *options, |
1471 | struct route_list *route_list, | |
1472 | const struct link_socket_info *link_socket_info, | |
aec4a3d1 AQ |
1473 | struct env_set *es, |
1474 | openvpn_net_ctx_t *ctx) | |
6fbf66fa | 1475 | { |
81d882d5 DS |
1476 | const char *gw = NULL; |
1477 | int dev = dev_type_enum(options->dev, options->dev_type); | |
1478 | int metric = 0; | |
6fbf66fa | 1479 | |
90d9c38b AQ |
1480 | /* if DCO is enabled we have both regular routes and iroutes in the system |
1481 | * routing table, and normal routes must have a higher metric for that to | |
1482 | * work so that iroutes are always matched first | |
1483 | */ | |
1484 | if (dco_enabled(options)) | |
1485 | { | |
1486 | metric = DCO_DEFAULT_METRIC; | |
1487 | } | |
1488 | ||
81d882d5 DS |
1489 | if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) |
1490 | { | |
1491 | gw = options->ifconfig_remote_netmask; | |
1492 | } | |
1493 | if (options->route_default_gateway) | |
1494 | { | |
1495 | gw = options->route_default_gateway; | |
1496 | } | |
1497 | if (options->route_default_metric) | |
1498 | { | |
1499 | metric = options->route_default_metric; | |
1500 | } | |
6fbf66fa | 1501 | |
81d882d5 DS |
1502 | if (init_route_list(route_list, |
1503 | options->routes, | |
1504 | gw, | |
1505 | metric, | |
1506 | link_socket_current_remote(link_socket_info), | |
aec4a3d1 AQ |
1507 | es, |
1508 | ctx)) | |
6fbf66fa | 1509 | { |
81d882d5 DS |
1510 | /* copy routes to environment */ |
1511 | setenv_routes(es, route_list); | |
6fbf66fa JY |
1512 | } |
1513 | } | |
1514 | ||
512cda46 | 1515 | static void |
81d882d5 DS |
1516 | do_init_route_ipv6_list(const struct options *options, |
1517 | struct route_ipv6_list *route_ipv6_list, | |
1518 | const struct link_socket_info *link_socket_info, | |
c454b21e AQ |
1519 | struct env_set *es, |
1520 | openvpn_net_ctx_t *ctx) | |
512cda46 | 1521 | { |
81d882d5 DS |
1522 | const char *gw = NULL; |
1523 | int metric = -1; /* no metric set */ | |
512cda46 | 1524 | |
90d9c38b AQ |
1525 | /* see explanation in do_init_route_list() */ |
1526 | if (dco_enabled(options)) | |
1527 | { | |
1528 | metric = DCO_DEFAULT_METRIC; | |
1529 | } | |
1530 | ||
81d882d5 | 1531 | gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ |
d24e1b17 | 1532 | if (options->route_ipv6_default_gateway) |
81d882d5 DS |
1533 | { |
1534 | gw = options->route_ipv6_default_gateway; | |
1535 | } | |
512cda46 | 1536 | |
81d882d5 DS |
1537 | if (options->route_default_metric) |
1538 | { | |
1539 | metric = options->route_default_metric; | |
1540 | } | |
512cda46 | 1541 | |
81d882d5 DS |
1542 | /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics |
1543 | */ | |
1544 | if (options->routes_ipv6->flags & RG_REROUTE_GW) | |
d227929b | 1545 | { |
81d882d5 DS |
1546 | char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; |
1547 | int i; | |
d227929b | 1548 | |
81d882d5 DS |
1549 | for (i = 0; opt_list[i]; i++) |
1550 | { | |
1551 | add_route_ipv6_to_option_list( options->routes_ipv6, | |
1552 | string_alloc(opt_list[i], options->routes_ipv6->gc), | |
1553 | NULL, NULL ); | |
1554 | } | |
d227929b GD |
1555 | } |
1556 | ||
81d882d5 DS |
1557 | if (init_route_ipv6_list(route_ipv6_list, |
1558 | options->routes_ipv6, | |
1559 | gw, | |
1560 | metric, | |
1561 | link_socket_current_remote_ipv6(link_socket_info), | |
c454b21e AQ |
1562 | es, |
1563 | ctx)) | |
512cda46 | 1564 | { |
81d882d5 DS |
1565 | /* copy routes to environment */ |
1566 | setenv_routes_ipv6(es, route_ipv6_list); | |
512cda46 GD |
1567 | } |
1568 | } | |
1569 | ||
1570 | ||
6fbf66fa JY |
1571 | /* |
1572 | * Called after all initialization has been completed. | |
1573 | */ | |
1574 | void | |
81d882d5 | 1575 | initialization_sequence_completed(struct context *c, const unsigned int flags) |
6fbf66fa | 1576 | { |
81d882d5 | 1577 | static const char message[] = "Initialization Sequence Completed"; |
6fbf66fa | 1578 | |
81d882d5 DS |
1579 | /* Reset the unsuccessful connection counter on complete initialisation */ |
1580 | c->options.unsuccessful_attempts = 0; | |
23d61c56 | 1581 | |
81d882d5 DS |
1582 | /* If we delayed UID/GID downgrade or chroot, do it now */ |
1583 | do_uid_gid_chroot(c, true); | |
6fbf66fa | 1584 | |
81d882d5 DS |
1585 | /* Test if errors */ |
1586 | if (flags & ISC_ERRORS) | |
a9c802b2 | 1587 | { |
445b192a | 1588 | #ifdef _WIN32 |
81d882d5 DS |
1589 | show_routes(M_INFO|M_NOPREFIX); |
1590 | show_adapters(M_INFO|M_NOPREFIX); | |
1591 | msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); | |
6fbf66fa | 1592 | #else |
c5931897 | 1593 | #ifdef ENABLE_SYSTEMD |
81d882d5 | 1594 | sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message); |
c5931897 | 1595 | #endif /* HAVE_SYSTEMD_SD_DAEMON_H */ |
81d882d5 | 1596 | msg(M_INFO, "%s With Errors", message); |
6fbf66fa | 1597 | #endif |
a9c802b2 | 1598 | } |
81d882d5 | 1599 | else |
c5931897 CH |
1600 | { |
1601 | #ifdef ENABLE_SYSTEMD | |
e83a8684 | 1602 | sd_notifyf(0, "STATUS=%s", message); |
c5931897 | 1603 | #endif |
81d882d5 | 1604 | msg(M_INFO, "%s", message); |
c5931897 | 1605 | } |
6fbf66fa | 1606 | |
81d882d5 DS |
1607 | /* Flag that we initialized */ |
1608 | if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) | |
1609 | { | |
1610 | c->options.no_advance = true; | |
1611 | } | |
6fbf66fa | 1612 | |
445b192a | 1613 | #ifdef _WIN32 |
81d882d5 | 1614 | fork_register_dns_action(c->c1.tuntap); |
b90c6f17 JY |
1615 | #endif |
1616 | ||
6fbf66fa | 1617 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
1618 | /* Tell management interface that we initialized */ |
1619 | if (management) | |
1620 | { | |
1621 | in_addr_t *tun_local = NULL; | |
1622 | struct in6_addr *tun_local6 = NULL; | |
1623 | struct openvpn_sockaddr local, remote; | |
1624 | struct link_socket_actual *actual; | |
1625 | socklen_t sa_len = sizeof(local); | |
1626 | const char *detail = "SUCCESS"; | |
1627 | if (flags & ISC_ERRORS) | |
1628 | { | |
1629 | detail = "ERROR"; | |
1630 | } | |
e04c2536 SN |
1631 | /* Flag route error only on platforms where trivial "already exists" errors |
1632 | * are filtered out. Currently this is the case on Windows or if usng netlink. | |
1633 | */ | |
1634 | #if defined(_WIN32) || defined(ENABLE_SITNL) | |
1635 | else if (flags & ISC_ROUTE_ERRORS) | |
1636 | { | |
1637 | detail = "ROUTE_ERROR"; | |
1638 | } | |
1639 | #endif | |
81d882d5 DS |
1640 | |
1641 | CLEAR(local); | |
1642 | actual = &get_link_socket_info(c)->lsa->actual; | |
1643 | remote = actual->dest; | |
1644 | getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len); | |
2191c471 | 1645 | #if ENABLE_IP_PKTINFO |
81d882d5 | 1646 | if (!addr_defined(&local)) |
2191c471 | 1647 | { |
81d882d5 | 1648 | switch (local.addr.sa.sa_family) |
2191c471 | 1649 | { |
81d882d5 | 1650 | case AF_INET: |
7efa60d9 | 1651 | #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) |
81d882d5 | 1652 | local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst; |
4a82a9ac | 1653 | #else |
81d882d5 | 1654 | local.addr.in4.sin_addr = actual->pi.in4; |
4a82a9ac | 1655 | #endif |
81d882d5 DS |
1656 | break; |
1657 | ||
1658 | case AF_INET6: | |
1659 | local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr; | |
1660 | break; | |
2191c471 HH |
1661 | } |
1662 | } | |
1663 | #endif | |
1664 | ||
81d882d5 | 1665 | if (c->c1.tuntap) |
2191c471 | 1666 | { |
81d882d5 DS |
1667 | tun_local = &c->c1.tuntap->local; |
1668 | tun_local6 = &c->c1.tuntap->local_ipv6; | |
1669 | } | |
1670 | management_set_state(management, | |
1671 | OPENVPN_STATE_CONNECTED, | |
1672 | detail, | |
1673 | tun_local, | |
1674 | tun_local6, | |
1675 | &local, | |
1676 | &remote); | |
1677 | if (tun_local) | |
1678 | { | |
1679 | management_post_tunnel_open(management, *tun_local); | |
2191c471 | 1680 | } |
6fbf66fa | 1681 | } |
81d882d5 | 1682 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
1683 | } |
1684 | ||
1685 | /* | |
1686 | * Possibly add routes and/or call route-up script | |
1687 | * based on options. | |
1688 | */ | |
e04c2536 | 1689 | bool |
81d882d5 DS |
1690 | do_route(const struct options *options, |
1691 | struct route_list *route_list, | |
1692 | struct route_ipv6_list *route_ipv6_list, | |
1693 | const struct tuntap *tt, | |
1694 | const struct plugin_list *plugins, | |
aec4a3d1 AQ |
1695 | struct env_set *es, |
1696 | openvpn_net_ctx_t *ctx) | |
6fbf66fa | 1697 | { |
e04c2536 | 1698 | bool ret = true; |
81d882d5 | 1699 | if (!options->route_noexec && ( route_list || route_ipv6_list ) ) |
15be3202 | 1700 | { |
e04c2536 SN |
1701 | ret = add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), |
1702 | es, ctx); | |
81d882d5 | 1703 | setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); |
15be3202 JY |
1704 | } |
1705 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 DS |
1706 | if (management) |
1707 | { | |
1708 | management_up_down(management, "UP", es); | |
1709 | } | |
15be3202 | 1710 | #endif |
6fbf66fa | 1711 | |
81d882d5 | 1712 | if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP)) |
6fbf66fa | 1713 | { |
81d882d5 DS |
1714 | if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) |
1715 | { | |
1716 | msg(M_WARN, "WARNING: route-up plugin call failed"); | |
1717 | } | |
6fbf66fa JY |
1718 | } |
1719 | ||
81d882d5 | 1720 | if (options->route_script) |
6fbf66fa | 1721 | { |
81d882d5 DS |
1722 | struct argv argv = argv_new(); |
1723 | setenv_str(es, "script_type", "route-up"); | |
1724 | argv_parse_cmd(&argv, options->route_script); | |
1725 | openvpn_run_script(&argv, es, 0, "--route-up"); | |
870e2405 | 1726 | argv_free(&argv); |
6fbf66fa JY |
1727 | } |
1728 | ||
445b192a | 1729 | #ifdef _WIN32 |
81d882d5 | 1730 | if (options->show_net_up) |
6fbf66fa | 1731 | { |
81d882d5 DS |
1732 | show_routes(M_INFO|M_NOPREFIX); |
1733 | show_adapters(M_INFO|M_NOPREFIX); | |
6fbf66fa | 1734 | } |
81d882d5 | 1735 | else if (check_debug_level(D_SHOW_NET)) |
6fbf66fa | 1736 | { |
81d882d5 DS |
1737 | show_routes(D_SHOW_NET|M_NOPREFIX); |
1738 | show_adapters(D_SHOW_NET|M_NOPREFIX); | |
6fbf66fa JY |
1739 | } |
1740 | #endif | |
e04c2536 | 1741 | return ret; |
6fbf66fa JY |
1742 | } |
1743 | ||
6fbf66fa JY |
1744 | /* |
1745 | * initialize tun/tap device object | |
1746 | */ | |
1747 | static void | |
81d882d5 | 1748 | do_init_tun(struct context *c) |
6fbf66fa | 1749 | { |
81d882d5 DS |
1750 | c->c1.tuntap = init_tun(c->options.dev, |
1751 | c->options.dev_type, | |
1752 | c->options.topology, | |
1753 | c->options.ifconfig_local, | |
1754 | c->options.ifconfig_remote_netmask, | |
1755 | c->options.ifconfig_ipv6_local, | |
1756 | c->options.ifconfig_ipv6_netbits, | |
1757 | c->options.ifconfig_ipv6_remote, | |
1758 | c->c1.link_socket_addr.bind_local, | |
1759 | c->c1.link_socket_addr.remote_list, | |
1760 | !c->options.ifconfig_nowarn, | |
dc7fcd71 | 1761 | c->c2.es, |
3adbc5c6 AQ |
1762 | &c->net_ctx, |
1763 | c->c1.tuntap); | |
81d882d5 | 1764 | |
c0658271 | 1765 | #ifdef _WIN32 |
36215dc5 | 1766 | c->c1.tuntap->windows_driver = c->options.windows_driver; |
c0658271 LS |
1767 | #endif |
1768 | ||
81d882d5 DS |
1769 | init_tun_post(c->c1.tuntap, |
1770 | &c->c2.frame, | |
1771 | &c->options.tuntap_options); | |
1772 | ||
1773 | c->c1.tuntap_owned = true; | |
6fbf66fa JY |
1774 | } |
1775 | ||
1776 | /* | |
1777 | * Open tun/tap device, ifconfig, call up script, etc. | |
1778 | */ | |
1779 | ||
bd139689 AQ |
1780 | |
1781 | static bool | |
1782 | can_preserve_tun(struct tuntap *tt) | |
1783 | { | |
1784 | #ifdef TARGET_ANDROID | |
1785 | return false; | |
1786 | #else | |
3adbc5c6 | 1787 | return is_tun_type_set(tt); |
bd139689 AQ |
1788 | #endif |
1789 | } | |
1790 | ||
6fbf66fa | 1791 | static bool |
e04c2536 | 1792 | do_open_tun(struct context *c, int *error_flags) |
6fbf66fa | 1793 | { |
81d882d5 DS |
1794 | struct gc_arena gc = gc_new(); |
1795 | bool ret = false; | |
e04c2536 | 1796 | *error_flags = 0; |
6fbf66fa | 1797 | |
bd139689 | 1798 | if (!can_preserve_tun(c->c1.tuntap)) |
6fbf66fa | 1799 | { |
bd14d55d | 1800 | #ifdef TARGET_ANDROID |
bd139689 AQ |
1801 | /* If we emulate persist-tun on android we still have to open a new tun and |
1802 | * then close the old */ | |
1803 | int oldtunfd = -1; | |
1804 | if (c->c1.tuntap) | |
1805 | { | |
1806 | oldtunfd = c->c1.tuntap->fd; | |
1807 | free(c->c1.tuntap); | |
1808 | c->c1.tuntap = NULL; | |
1809 | c->c1.tuntap_owned = false; | |
1810 | } | |
bd14d55d AS |
1811 | #endif |
1812 | ||
bd139689 AQ |
1813 | /* initialize (but do not open) tun/tap object */ |
1814 | do_init_tun(c); | |
6fbf66fa | 1815 | |
bd139689 AQ |
1816 | /* inherit the dco context from the tuntap object */ |
1817 | if (c->c2.tls_multi) | |
1818 | { | |
1819 | c->c2.tls_multi->dco = &c->c1.tuntap->dco; | |
1820 | } | |
a2d851d4 | 1821 | |
445b192a | 1822 | #ifdef _WIN32 |
bd139689 AQ |
1823 | /* store (hide) interactive service handle in tuntap_options */ |
1824 | c->c1.tuntap->options.msg_channel = c->options.msg_channel; | |
9c52e0c6 AS |
1825 | msg(D_ROUTE, "interactive service msg_channel=%" PRIuPTR, |
1826 | (intptr_t) c->options.msg_channel); | |
81d882d5 DS |
1827 | #endif |
1828 | ||
bd139689 AQ |
1829 | /* allocate route list structure */ |
1830 | do_alloc_route_list(c); | |
81d882d5 | 1831 | |
bd139689 AQ |
1832 | /* parse and resolve the route option list */ |
1833 | ASSERT(c->c2.link_socket); | |
1834 | if (c->options.routes && c->c1.route_list) | |
1835 | { | |
1836 | do_init_route_list(&c->options, c->c1.route_list, | |
1837 | &c->c2.link_socket->info, c->c2.es, &c->net_ctx); | |
1838 | } | |
1839 | if (c->options.routes_ipv6 && c->c1.route_ipv6_list) | |
1840 | { | |
1841 | do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list, | |
1842 | &c->c2.link_socket->info, c->c2.es, | |
1843 | &c->net_ctx); | |
1844 | } | |
81d882d5 | 1845 | |
bd139689 AQ |
1846 | /* do ifconfig */ |
1847 | if (!c->options.ifconfig_noexec | |
1848 | && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN) | |
1849 | { | |
1850 | /* guess actual tun/tap unit number that will be returned | |
1851 | * by open_tun */ | |
1852 | const char *guess = guess_tuntap_dev(c->options.dev, | |
1853 | c->options.dev_type, | |
1854 | c->options.dev_node, | |
1855 | &gc); | |
1856 | do_ifconfig(c->c1.tuntap, guess, c->c2.frame.tun_mtu, c->c2.es, | |
1857 | &c->net_ctx); | |
1858 | } | |
81d882d5 | 1859 | |
bd139689 AQ |
1860 | /* possibly add routes */ |
1861 | if (route_order() == ROUTE_BEFORE_TUN) | |
1862 | { | |
1863 | /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */ | |
e04c2536 SN |
1864 | bool status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, |
1865 | c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx); | |
1866 | *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS); | |
bd139689 | 1867 | } |
c058cbff | 1868 | #ifdef TARGET_ANDROID |
bd139689 AQ |
1869 | /* Store the old fd inside the fd so open_tun can use it */ |
1870 | c->c1.tuntap->fd = oldtunfd; | |
81d882d5 | 1871 | #endif |
bd139689 | 1872 | if (dco_enabled(&c->options)) |
81d882d5 | 1873 | { |
bd139689 | 1874 | ovpn_dco_init(c->mode, &c->c1.tuntap->dco); |
81d882d5 | 1875 | } |
38c85658 | 1876 | |
bd139689 AQ |
1877 | /* open the tun device */ |
1878 | open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, | |
1879 | c->c1.tuntap, &c->net_ctx); | |
6fbf66fa | 1880 | |
bd139689 AQ |
1881 | /* set the hardware address */ |
1882 | if (c->options.lladdr) | |
1883 | { | |
1884 | set_lladdr(&c->net_ctx, c->c1.tuntap->actual_name, c->options.lladdr, | |
1885 | c->c2.es); | |
1886 | } | |
6fbf66fa | 1887 | |
bd139689 AQ |
1888 | /* do ifconfig */ |
1889 | if (!c->options.ifconfig_noexec | |
1890 | && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) | |
1891 | { | |
1892 | do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, | |
1893 | c->c2.frame.tun_mtu, c->c2.es, &c->net_ctx); | |
1894 | } | |
db950be8 | 1895 | |
bd139689 | 1896 | /* run the up script */ |
81d882d5 DS |
1897 | run_up_down(c->options.up_script, |
1898 | c->plugins, | |
1899 | OPENVPN_PLUGIN_UP, | |
1900 | c->c1.tuntap->actual_name, | |
445b192a | 1901 | #ifdef _WIN32 |
81d882d5 DS |
1902 | c->c1.tuntap->adapter_index, |
1903 | #endif | |
1904 | dev_type_string(c->options.dev, c->options.dev_type), | |
364b7b4f | 1905 | c->c2.frame.tun_mtu, |
81d882d5 DS |
1906 | print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), |
1907 | print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
bd139689 | 1908 | "init", |
81d882d5 DS |
1909 | NULL, |
1910 | "up", | |
1911 | c->c2.es); | |
bd139689 | 1912 | |
445b192a | 1913 | #if defined(_WIN32) |
bd139689 | 1914 | if (c->options.block_outside_dns) |
451d2177 | 1915 | { |
bd139689 AQ |
1916 | dmsg(D_LOW, "Blocking outside DNS"); |
1917 | if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) | |
1918 | { | |
1919 | msg(M_FATAL, "Blocking DNS failed!"); | |
1920 | } | |
1921 | } | |
1922 | #endif | |
1923 | ||
1924 | /* possibly add routes */ | |
1925 | if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined)) | |
1926 | { | |
e04c2536 SN |
1927 | int status = do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, |
1928 | c->c1.tuntap, c->plugins, c->c2.es, &c->net_ctx); | |
1929 | *error_flags |= (status ? 0 : ISC_ROUTE_ERRORS); | |
451d2177 | 1930 | } |
bd139689 AQ |
1931 | |
1932 | ret = true; | |
1933 | static_context = c; | |
6fbf66fa | 1934 | } |
bd139689 AQ |
1935 | else |
1936 | { | |
1937 | msg(M_INFO, "Preserving previous TUN/TAP instance: %s", | |
1938 | c->c1.tuntap->actual_name); | |
1939 | ||
1940 | /* explicitly set the ifconfig_* env vars */ | |
1941 | do_ifconfig_setenv(c->c1.tuntap, c->c2.es); | |
1942 | ||
1943 | /* run the up script if user specified --up-restart */ | |
1944 | if (c->options.up_restart) | |
1945 | { | |
1946 | run_up_down(c->options.up_script, | |
1947 | c->plugins, | |
1948 | OPENVPN_PLUGIN_UP, | |
1949 | c->c1.tuntap->actual_name, | |
1950 | #ifdef _WIN32 | |
1951 | c->c1.tuntap->adapter_index, | |
1952 | #endif | |
1953 | dev_type_string(c->options.dev, c->options.dev_type), | |
1954 | c->c2.frame.tun_mtu, | |
1955 | print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
1956 | print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1957 | "restart", | |
1958 | NULL, | |
1959 | "up", | |
1960 | c->c2.es); | |
1961 | } | |
1962 | #if defined(_WIN32) | |
1963 | if (c->options.block_outside_dns) | |
1964 | { | |
1965 | dmsg(D_LOW, "Blocking outside DNS"); | |
1966 | if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) | |
1967 | { | |
1968 | msg(M_FATAL, "Blocking DNS failed!"); | |
1969 | } | |
1970 | } | |
bd14d55d | 1971 | #endif |
81d882d5 | 1972 | |
bd139689 | 1973 | } |
81d882d5 DS |
1974 | gc_free(&gc); |
1975 | return ret; | |
6fbf66fa JY |
1976 | } |
1977 | ||
1978 | /* | |
1979 | * Close TUN/TAP device | |
1980 | */ | |
1981 | ||
1982 | static void | |
81d882d5 | 1983 | do_close_tun_simple(struct context *c) |
6fbf66fa | 1984 | { |
77829be2 AQ |
1985 | msg(D_CLOSE, "Closing %s interface", |
1986 | dco_enabled(&c->options) ? "DCO" : "TUN/TAP"); | |
1987 | ||
0bea472c AQ |
1988 | if (c->c1.tuntap) |
1989 | { | |
0c4d40cb MF |
1990 | if (!c->options.ifconfig_noexec) |
1991 | { | |
1992 | undo_ifconfig(c->c1.tuntap, &c->net_ctx); | |
1993 | } | |
dc7fcd71 | 1994 | close_tun(c->c1.tuntap, &c->net_ctx); |
0bea472c AQ |
1995 | c->c1.tuntap = NULL; |
1996 | } | |
81d882d5 | 1997 | c->c1.tuntap_owned = false; |
81d882d5 | 1998 | CLEAR(c->c1.pulled_options_digest_save); |
6fbf66fa JY |
1999 | } |
2000 | ||
2001 | static void | |
81d882d5 | 2002 | do_close_tun(struct context *c, bool force) |
6fbf66fa | 2003 | { |
3adbc5c6 AQ |
2004 | /* With dco-win we open tun handle in the very beginning. |
2005 | * In case when tun wasn't opened - like we haven't connected, | |
2006 | * we still need to close tun handle | |
2007 | */ | |
2008 | if (tuntap_is_dco_win(c->c1.tuntap) && !is_tun_type_set(c->c1.tuntap)) | |
2009 | { | |
2010 | do_close_tun_simple(c); | |
2011 | return; | |
2012 | } | |
2013 | ||
c05a0502 | 2014 | if (!c->c1.tuntap || !c->c1.tuntap_owned) |
6fbf66fa | 2015 | { |
c05a0502 AQ |
2016 | return; |
2017 | } | |
2018 | ||
2019 | struct gc_arena gc = gc_new(); | |
2020 | const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc); | |
445b192a | 2021 | #ifdef _WIN32 |
c05a0502 | 2022 | DWORD adapter_index = c->c1.tuntap->adapter_index; |
9dff2c1f | 2023 | #endif |
c05a0502 AQ |
2024 | const in_addr_t local = c->c1.tuntap->local; |
2025 | const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; | |
6fbf66fa | 2026 | |
c05a0502 AQ |
2027 | if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) |
2028 | { | |
2029 | static_context = NULL; | |
0c9eb1d3 | 2030 | |
6fbf66fa | 2031 | #ifdef ENABLE_MANAGEMENT |
c05a0502 AQ |
2032 | /* tell management layer we are about to close the TUN/TAP device */ |
2033 | if (management) | |
2034 | { | |
2035 | management_pre_tunnel_close(management); | |
2036 | management_up_down(management, "DOWN", c->c2.es); | |
2037 | } | |
81d882d5 | 2038 | #endif |
6fbf66fa | 2039 | |
c05a0502 AQ |
2040 | /* delete any routes we added */ |
2041 | if (c->c1.route_list || c->c1.route_ipv6_list) | |
2042 | { | |
2043 | run_up_down(c->options.route_predown_script, | |
81d882d5 | 2044 | c->plugins, |
c05a0502 | 2045 | OPENVPN_PLUGIN_ROUTE_PREDOWN, |
81d882d5 | 2046 | tuntap_actual, |
445b192a | 2047 | #ifdef _WIN32 |
81d882d5 DS |
2048 | adapter_index, |
2049 | #endif | |
2050 | NULL, | |
364b7b4f | 2051 | c->c2.frame.tun_mtu, |
81d882d5 DS |
2052 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), |
2053 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
2054 | "init", | |
2055 | signal_description(c->sig->signal_received, | |
2056 | c->sig->signal_text), | |
c05a0502 | 2057 | "route-pre-down", |
81d882d5 | 2058 | c->c2.es); |
6fbf66fa | 2059 | |
c05a0502 AQ |
2060 | delete_routes(c->c1.route_list, c->c1.route_ipv6_list, |
2061 | c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), | |
2062 | c->c2.es, &c->net_ctx); | |
2063 | } | |
2064 | ||
2065 | /* actually close tun/tap device based on --down-pre flag */ | |
2066 | if (!c->options.down_pre) | |
2067 | { | |
2068 | do_close_tun_simple(c); | |
2069 | } | |
2070 | ||
2071 | /* Run the down script -- note that it will run at reduced | |
a6664825 | 2072 | * privilege if, for example, "--user" was used. */ |
c05a0502 AQ |
2073 | run_up_down(c->options.down_script, |
2074 | c->plugins, | |
2075 | OPENVPN_PLUGIN_DOWN, | |
2076 | tuntap_actual, | |
2077 | #ifdef _WIN32 | |
2078 | adapter_index, | |
2079 | #endif | |
2080 | NULL, | |
2081 | c->c2.frame.tun_mtu, | |
2082 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), | |
2083 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
2084 | "init", | |
2085 | signal_description(c->sig->signal_received, | |
2086 | c->sig->signal_text), | |
2087 | "down", | |
2088 | c->c2.es); | |
2089 | ||
445b192a | 2090 | #if defined(_WIN32) |
c05a0502 AQ |
2091 | if (c->options.block_outside_dns) |
2092 | { | |
2093 | if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) | |
38c85658 | 2094 | { |
c05a0502 | 2095 | msg(M_FATAL, "Uninitialising WFP failed!"); |
38c85658 | 2096 | } |
c05a0502 | 2097 | } |
38c85658 V |
2098 | #endif |
2099 | ||
c05a0502 AQ |
2100 | /* actually close tun/tap device based on --down-pre flag */ |
2101 | if (c->options.down_pre) | |
2102 | { | |
2103 | do_close_tun_simple(c); | |
81d882d5 | 2104 | } |
c05a0502 AQ |
2105 | } |
2106 | else | |
2107 | { | |
2108 | /* run the down script on this restart if --up-restart was specified */ | |
2109 | if (c->options.up_restart) | |
81d882d5 | 2110 | { |
c05a0502 AQ |
2111 | run_up_down(c->options.down_script, |
2112 | c->plugins, | |
2113 | OPENVPN_PLUGIN_DOWN, | |
2114 | tuntap_actual, | |
445b192a | 2115 | #ifdef _WIN32 |
c05a0502 | 2116 | adapter_index, |
81d882d5 | 2117 | #endif |
c05a0502 AQ |
2118 | NULL, |
2119 | c->c2.frame.tun_mtu, | |
2120 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), | |
2121 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
2122 | "restart", | |
2123 | signal_description(c->sig->signal_received, | |
2124 | c->sig->signal_text), | |
2125 | "down", | |
2126 | c->c2.es); | |
2127 | } | |
451d2177 | 2128 | |
445b192a | 2129 | #if defined(_WIN32) |
c05a0502 AQ |
2130 | if (c->options.block_outside_dns) |
2131 | { | |
2132 | if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) | |
451d2177 | 2133 | { |
c05a0502 | 2134 | msg(M_FATAL, "Uninitialising WFP failed!"); |
451d2177 | 2135 | } |
c05a0502 | 2136 | } |
451d2177 SN |
2137 | #endif |
2138 | ||
6fbf66fa | 2139 | } |
81d882d5 | 2140 | gc_free(&gc); |
6fbf66fa JY |
2141 | } |
2142 | ||
0c9eb1d3 | 2143 | void |
e2a0cad4 | 2144 | tun_abort(void) |
0c9eb1d3 | 2145 | { |
81d882d5 DS |
2146 | struct context *c = static_context; |
2147 | if (c) | |
0c9eb1d3 | 2148 | { |
81d882d5 DS |
2149 | static_context = NULL; |
2150 | do_close_tun(c, true); | |
0c9eb1d3 JY |
2151 | } |
2152 | } | |
2153 | ||
6fbf66fa JY |
2154 | /* |
2155 | * Handle delayed tun/tap interface bringup due to --up-delay or --pull | |
2156 | */ | |
2157 | ||
827de237 SK |
2158 | /** |
2159 | * Helper for do_up(). Take two option hashes and return true if they are not | |
2160 | * equal, or either one is all-zeroes. | |
2161 | */ | |
2162 | static bool | |
5b48e8c9 SK |
2163 | options_hash_changed_or_zero(const struct sha256_digest *a, |
2164 | const struct sha256_digest *b) | |
827de237 | 2165 | { |
5b48e8c9 SK |
2166 | const struct sha256_digest zero = {{0}}; |
2167 | return memcmp(a, b, sizeof(struct sha256_digest)) | |
2168 | || !memcmp(a, &zero, sizeof(struct sha256_digest)); | |
827de237 | 2169 | } |
827de237 | 2170 | |
7c66a6da AS |
2171 | static bool |
2172 | p2p_set_dco_keepalive(struct context *c) | |
2173 | { | |
2174 | if (dco_enabled(&c->options) | |
2175 | && (c->options.ping_send_timeout || c->c2.frame.mss_fix)) | |
2176 | { | |
2177 | int ret = dco_set_peer(&c->c1.tuntap->dco, | |
2178 | c->c2.tls_multi->dco_peer_id, | |
2179 | c->options.ping_send_timeout, | |
2180 | c->options.ping_rec_timeout, | |
2181 | c->c2.frame.mss_fix); | |
2182 | if (ret < 0) | |
2183 | { | |
2184 | msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", | |
2185 | c->c2.tls_multi->dco_peer_id, strerror(-ret)); | |
2186 | return false; | |
2187 | } | |
2188 | } | |
2189 | return true; | |
2190 | } | |
c333a0c0 AS |
2191 | |
2192 | /** | |
2193 | * Helper function for tls_print_deferred_options_results | |
2194 | * Adds the ", " delimitor if there already some data in the | |
2195 | * buffer. | |
2196 | */ | |
2197 | static void | |
2198 | add_delim_if_non_empty(struct buffer *buf, const char *header) | |
2199 | { | |
2200 | if (buf_len(buf) > strlen(header)) | |
2201 | { | |
2202 | buf_printf(buf, ", "); | |
2203 | } | |
2204 | } | |
2205 | ||
2206 | ||
2207 | /** | |
2208 | * Prints the results of options imported for the data channel | |
2209 | * @param o | |
2210 | */ | |
2211 | static void | |
2212 | tls_print_deferred_options_results(struct context *c) | |
2213 | { | |
2214 | struct options *o = &c->options; | |
2215 | ||
2216 | struct buffer out; | |
2217 | uint8_t line[1024] = { 0 }; | |
2218 | buf_set_write(&out, line, sizeof(line)); | |
2219 | ||
2220 | ||
2221 | if (cipher_kt_mode_aead(o->ciphername)) | |
2222 | { | |
2223 | buf_printf(&out, "Data Channel: cipher '%s'", | |
2224 | cipher_kt_name(o->ciphername)); | |
2225 | } | |
2226 | else | |
2227 | { | |
2228 | buf_printf(&out, "Data Channel: cipher '%s', auth '%s'", | |
2229 | cipher_kt_name(o->ciphername), md_kt_name(o->authname)); | |
2230 | } | |
2231 | ||
2232 | if (o->use_peer_id) | |
2233 | { | |
2234 | buf_printf(&out, ", peer-id: %d", o->peer_id); | |
2235 | } | |
2236 | ||
2237 | #ifdef USE_COMP | |
2238 | if (c->c2.comp_context) | |
2239 | { | |
2240 | buf_printf(&out, ", compression: '%s'", c->c2.comp_context->alg.name); | |
2241 | } | |
2242 | #endif | |
2243 | ||
2244 | msg(D_HANDSHAKE, "%s", BSTR(&out)); | |
2245 | ||
2246 | buf_clear(&out); | |
2247 | ||
2248 | const char *header = "Timers: "; | |
2249 | ||
2250 | buf_printf(&out, "%s", header); | |
2251 | ||
2252 | if (o->ping_send_timeout) | |
2253 | { | |
2254 | buf_printf(&out, "ping %d", o->ping_send_timeout); | |
2255 | } | |
2256 | ||
2257 | if (o->ping_rec_timeout_action != PING_UNDEF) | |
2258 | { | |
2259 | /* yes unidirectional ping is possible .... */ | |
2260 | add_delim_if_non_empty(&out, header); | |
2261 | ||
2262 | if (o->ping_rec_timeout_action == PING_EXIT) | |
2263 | { | |
2264 | buf_printf(&out, "ping-exit %d", o->ping_rec_timeout); | |
2265 | } | |
2266 | else | |
2267 | { | |
2268 | buf_printf(&out, "ping-restart %d", o->ping_rec_timeout); | |
2269 | } | |
2270 | } | |
2271 | ||
2272 | if (o->inactivity_timeout) | |
2273 | { | |
2274 | add_delim_if_non_empty(&out, header); | |
2275 | ||
2276 | buf_printf(&out, "inactive %d", o->inactivity_timeout); | |
2277 | if (o->inactivity_minimum_bytes) | |
2278 | { | |
2279 | buf_printf(&out, " %" PRIu64, o->inactivity_minimum_bytes); | |
2280 | } | |
2281 | } | |
2282 | ||
2283 | if (o->session_timeout) | |
2284 | { | |
2285 | add_delim_if_non_empty(&out, header); | |
2286 | buf_printf(&out, "session-timeout %d", o->session_timeout); | |
2287 | } | |
2288 | ||
2289 | if (buf_len(&out) > strlen(header)) | |
2290 | { | |
2291 | msg(D_HANDSHAKE, "%s", BSTR(&out)); | |
2292 | } | |
2293 | ||
2294 | buf_clear(&out); | |
2295 | header = "Protocol options: "; | |
2296 | buf_printf(&out, "%s", header); | |
2297 | ||
2298 | if (c->options.ce.explicit_exit_notification) | |
2299 | { | |
2300 | buf_printf(&out, "explicit-exit-notify %d", | |
2301 | c->options.ce.explicit_exit_notification); | |
2302 | } | |
2303 | if (c->options.imported_protocol_flags) | |
2304 | { | |
2305 | add_delim_if_non_empty(&out, header); | |
2306 | ||
2307 | buf_printf(&out, "protocol-flags"); | |
2308 | ||
2309 | if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY) | |
2310 | { | |
2311 | buf_printf(&out, " cc-exit"); | |
2312 | } | |
2313 | if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT) | |
2314 | { | |
2315 | buf_printf(&out, " tls-ekm"); | |
2316 | } | |
6a05768a AS |
2317 | if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT) |
2318 | { | |
2319 | buf_printf(&out, " dyn-tls-crypt"); | |
2320 | } | |
c333a0c0 AS |
2321 | } |
2322 | ||
2323 | if (buf_len(&out) > strlen(header)) | |
2324 | { | |
2325 | msg(D_HANDSHAKE, "%s", BSTR(&out)); | |
2326 | } | |
2327 | } | |
2328 | ||
2329 | ||
6b9f4d71 AQ |
2330 | /** |
2331 | * This function is expected to be invoked after open_tun() was performed. | |
2332 | * | |
2333 | * This kind of behaviour is required by DCO, because the following operations | |
2334 | * can be done only after the DCO device was created and the new peer was | |
2335 | * properly added. | |
2336 | */ | |
2337 | static bool | |
2338 | do_deferred_options_part2(struct context *c) | |
2339 | { | |
2340 | struct frame *frame_fragment = NULL; | |
2341 | #ifdef ENABLE_FRAGMENT | |
2342 | if (c->options.ce.fragment) | |
2343 | { | |
2344 | frame_fragment = &c->c2.frame_fragment; | |
2345 | } | |
2346 | #endif | |
2347 | ||
2348 | struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; | |
2349 | if (!tls_session_update_crypto_params(c->c2.tls_multi, session, | |
2350 | &c->options, &c->c2.frame, | |
2351 | frame_fragment, | |
2352 | get_link_socket_info(c))) | |
2353 | { | |
2354 | msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); | |
2355 | return false; | |
2356 | } | |
2357 | ||
2358 | return true; | |
2359 | } | |
2360 | ||
d728ebed | 2361 | bool |
81d882d5 | 2362 | do_up(struct context *c, bool pulled_options, unsigned int option_types_found) |
6fbf66fa | 2363 | { |
e04c2536 | 2364 | int error_flags = 0; |
81d882d5 | 2365 | if (!c->c2.do_up_ran) |
6fbf66fa | 2366 | { |
81d882d5 | 2367 | reset_coarse_timers(c); |
6fbf66fa | 2368 | |
bd230079 | 2369 | if (pulled_options) |
81d882d5 DS |
2370 | { |
2371 | if (!do_deferred_options(c, option_types_found)) | |
2372 | { | |
2373 | msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options"); | |
2374 | return false; | |
2375 | } | |
2376 | } | |
6fbf66fa | 2377 | |
81d882d5 DS |
2378 | /* if --up-delay specified, open tun, do ifconfig, and run up script now */ |
2379 | if (c->options.up_delay || PULL_DEFINED(&c->options)) | |
2380 | { | |
e04c2536 | 2381 | c->c2.did_open_tun = do_open_tun(c, &error_flags); |
81d882d5 | 2382 | update_time(); |
6fbf66fa | 2383 | |
81d882d5 DS |
2384 | /* |
2385 | * Was tun interface object persisted from previous restart iteration, | |
2386 | * and if so did pulled options string change from previous iteration? | |
2387 | */ | |
2388 | if (!c->c2.did_open_tun | |
2389 | && PULL_DEFINED(&c->options) | |
2390 | && c->c1.tuntap | |
2391 | && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save, | |
2392 | &c->c2.pulled_options_digest)) | |
2393 | { | |
2394 | /* if so, close tun, delete routes, then reinitialize tun and add routes */ | |
2395 | msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); | |
cac18de7 LS |
2396 | |
2397 | bool tt_dco_win = tuntap_is_dco_win(c->c1.tuntap); | |
81d882d5 | 2398 | do_close_tun(c, true); |
cac18de7 LS |
2399 | |
2400 | if (tt_dco_win) | |
2401 | { | |
2402 | msg(M_NONFATAL, "dco-win doesn't yet support reopening TUN device"); | |
2403 | /* prevent link_socket_close() from closing handle with WinSock API */ | |
2404 | c->c2.link_socket->sd = SOCKET_UNDEFINED; | |
2405 | return false; | |
2406 | } | |
2407 | else | |
2408 | { | |
2409 | management_sleep(1); | |
e04c2536 | 2410 | c->c2.did_open_tun = do_open_tun(c, &error_flags); |
cac18de7 LS |
2411 | update_time(); |
2412 | } | |
81d882d5 | 2413 | } |
81d882d5 | 2414 | } |
cde3edb1 | 2415 | } |
81d882d5 | 2416 | |
cde3edb1 AS |
2417 | /* This part needs to be run in p2p mode (without pull) when the client |
2418 | * reconnects to setup various things (like DCO and NCP cipher) that | |
2419 | * might have changed from the previous connection. | |
2420 | */ | |
2421 | if (!c->c2.do_up_ran || (c->c2.tls_multi && c->c2.tls_multi->multi_state == CAS_RECONNECT_PENDING)) | |
2422 | { | |
b6f7b285 AQ |
2423 | if (c->mode == MODE_POINT_TO_POINT) |
2424 | { | |
2425 | /* ovpn-dco requires adding the peer now, before any option can be set, | |
2426 | * but *after* having parsed the pushed peer-id in do_deferred_options() | |
2427 | */ | |
2428 | int ret = dco_p2p_add_new_peer(c); | |
2429 | if (ret < 0) | |
2430 | { | |
2431 | msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret); | |
2432 | return false; | |
2433 | } | |
2434 | } | |
2435 | ||
6b9f4d71 AQ |
2436 | /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be |
2437 | * invoked after open_tun(). | |
2438 | * This is required by DCO because we must have created the interface | |
2439 | * and added the peer before we can fiddle with the keys or any other | |
2440 | * data channel per-peer setting. | |
2441 | */ | |
2442 | if (pulled_options) | |
2443 | { | |
2444 | if (!do_deferred_options_part2(c)) | |
2445 | { | |
2446 | return false; | |
2447 | } | |
2448 | } | |
2449 | else | |
2450 | { | |
2451 | if (c->mode == MODE_POINT_TO_POINT) | |
2452 | { | |
2453 | if (!do_deferred_p2p_ncp(c)) | |
2454 | { | |
2455 | msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); | |
2456 | return false; | |
2457 | } | |
2458 | } | |
2459 | } | |
2460 | ||
7c66a6da AS |
2461 | if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c)) |
2462 | { | |
2463 | msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters"); | |
2464 | return false; | |
2465 | } | |
2466 | ||
81d882d5 DS |
2467 | if (c->c2.did_open_tun) |
2468 | { | |
81d882d5 | 2469 | c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; |
81d882d5 DS |
2470 | |
2471 | /* if --route-delay was specified, start timer */ | |
2472 | if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined) | |
2473 | { | |
2474 | event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now); | |
2475 | event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); | |
2476 | if (c->c1.tuntap) | |
2477 | { | |
2478 | tun_standby_init(c->c1.tuntap); | |
2479 | } | |
2480 | } | |
2481 | else | |
2482 | { | |
e04c2536 | 2483 | initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */ |
81d882d5 DS |
2484 | } |
2485 | } | |
2486 | else if (c->options.mode == MODE_POINT_TO_POINT) | |
2487 | { | |
e04c2536 | 2488 | initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */ |
81d882d5 DS |
2489 | } |
2490 | ||
c333a0c0 AS |
2491 | tls_print_deferred_options_results(c); |
2492 | ||
81d882d5 | 2493 | c->c2.do_up_ran = true; |
34b42549 AS |
2494 | if (c->c2.tls_multi) |
2495 | { | |
2496 | c->c2.tls_multi->multi_state = CAS_CONNECT_DONE; | |
2497 | } | |
81d882d5 DS |
2498 | } |
2499 | return true; | |
6fbf66fa JY |
2500 | } |
2501 | ||
2502 | /* | |
2503 | * These are the option categories which will be accepted by pull. | |
2504 | */ | |
2505 | unsigned int | |
81d882d5 DS |
2506 | pull_permission_mask(const struct context *c) |
2507 | { | |
2508 | unsigned int flags = | |
2509 | OPT_P_UP | |
2510 | | OPT_P_ROUTE_EXTRAS | |
2511 | | OPT_P_SOCKBUF | |
2512 | | OPT_P_SOCKFLAGS | |
2513 | | OPT_P_SETENV | |
2514 | | OPT_P_SHAPER | |
2515 | | OPT_P_TIMER | |
2516 | | OPT_P_COMP | |
2517 | | OPT_P_PERSIST | |
2518 | | OPT_P_MESSAGES | |
2519 | | OPT_P_EXPLICIT_NOTIFY | |
2520 | | OPT_P_ECHO | |
2521 | | OPT_P_PULL_MODE | |
caacd629 | 2522 | | OPT_P_PEER_ID |
01aed6a5 AS |
2523 | | OPT_P_NCP |
2524 | | OPT_P_PUSH_MTU; | |
81d882d5 DS |
2525 | |
2526 | if (!c->options.route_nopull) | |
2527 | { | |
8a7d0005 | 2528 | flags |= (OPT_P_ROUTE | OPT_P_DHCPDNS); |
81d882d5 | 2529 | } |
3c7f2f55 | 2530 | |
81d882d5 | 2531 | return flags; |
6fbf66fa JY |
2532 | } |
2533 | ||
8c72d798 AS |
2534 | static bool |
2535 | do_deferred_p2p_ncp(struct context *c) | |
2536 | { | |
2537 | if (!c->c2.tls_multi) | |
2538 | { | |
2539 | return true; | |
2540 | } | |
2541 | ||
0d46c496 LS |
2542 | c->options.use_peer_id = c->c2.tls_multi->use_peer_id; |
2543 | ||
8c72d798 AS |
2544 | struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; |
2545 | ||
2546 | const char *ncp_cipher = get_p2p_ncp_cipher(session, c->c2.tls_multi->peer_info, | |
2547 | &c->options.gc); | |
2548 | ||
2549 | if (ncp_cipher) | |
2550 | { | |
2551 | c->options.ciphername = ncp_cipher; | |
2552 | } | |
2553 | else if (!c->options.enable_ncp_fallback) | |
2554 | { | |
2555 | msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and " | |
abe49856 DS |
2556 | "--data-ciphers-fallback not enabled. No usable " |
2557 | "data channel cipher"); | |
8c72d798 AS |
2558 | return false; |
2559 | } | |
2560 | ||
2561 | struct frame *frame_fragment = NULL; | |
2562 | #ifdef ENABLE_FRAGMENT | |
2563 | if (c->options.ce.fragment) | |
2564 | { | |
2565 | frame_fragment = &c->c2.frame_fragment; | |
2566 | } | |
2567 | #endif | |
2568 | ||
6a5612fe AQ |
2569 | if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, |
2570 | &c->c2.frame, frame_fragment, | |
2571 | get_link_socket_info(c))) | |
8c72d798 AS |
2572 | { |
2573 | msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); | |
2574 | return false; | |
2575 | } | |
2576 | return true; | |
2577 | } | |
2578 | ||
6fbf66fa JY |
2579 | /* |
2580 | * Handle non-tun-related pulled options. | |
2581 | */ | |
d728ebed | 2582 | bool |
81d882d5 | 2583 | do_deferred_options(struct context *c, const unsigned int found) |
6fbf66fa | 2584 | { |
81d882d5 | 2585 | if (found & OPT_P_MESSAGES) |
6fbf66fa | 2586 | { |
81d882d5 DS |
2587 | init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2); |
2588 | msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); | |
6fbf66fa | 2589 | } |
81d882d5 | 2590 | if (found & OPT_P_TIMER) |
6fbf66fa | 2591 | { |
81d882d5 | 2592 | do_init_timers(c, true); |
c333a0c0 | 2593 | msg(D_PUSH_DEBUG, "OPTIONS IMPORT: timers and/or timeouts modified"); |
6fbf66fa JY |
2594 | } |
2595 | ||
81d882d5 | 2596 | if (found & OPT_P_EXPLICIT_NOTIFY) |
6fbf66fa | 2597 | { |
81d882d5 DS |
2598 | if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) |
2599 | { | |
2600 | msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); | |
2601 | c->options.ce.explicit_exit_notification = 0; | |
2602 | } | |
2603 | else | |
2604 | { | |
c333a0c0 | 2605 | msg(D_PUSH_DEBUG, "OPTIONS IMPORT: explicit notify parm(s) modified"); |
81d882d5 | 2606 | } |
6fbf66fa | 2607 | } |
6fbf66fa | 2608 | |
81d882d5 | 2609 | if (found & OPT_P_COMP) |
537073fd | 2610 | { |
e86bc8b2 AS |
2611 | if (!check_compression_settings_valid(&c->options.comp, D_PUSH_ERRORS)) |
2612 | { | |
2613 | msg(D_PUSH_ERRORS, "OPTIONS ERROR: server pushed compression " | |
2614 | "settings that are not allowed and will result " | |
2615 | "in a non-working connection. " | |
2616 | "See also allow-compression in the manual."); | |
2617 | return false; | |
2618 | } | |
a8170dd0 | 2619 | #ifdef USE_COMP |
c333a0c0 | 2620 | msg(D_PUSH_DEBUG, "OPTIONS IMPORT: compression parms modified"); |
81d882d5 DS |
2621 | comp_uninit(c->c2.comp_context); |
2622 | c->c2.comp_context = comp_init(&c->options.comp); | |
537073fd | 2623 | #endif |
a8170dd0 | 2624 | } |
537073fd | 2625 | |
81d882d5 | 2626 | if (found & OPT_P_SHAPER) |
6fbf66fa | 2627 | { |
81d882d5 DS |
2628 | msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); |
2629 | do_init_traffic_shaper(c); | |
6fbf66fa JY |
2630 | } |
2631 | ||
81d882d5 | 2632 | if (found & OPT_P_SOCKBUF) |
00d39170 | 2633 | { |
81d882d5 DS |
2634 | msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); |
2635 | link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); | |
00d39170 JY |
2636 | } |
2637 | ||
81d882d5 | 2638 | if (found & OPT_P_SOCKFLAGS) |
00d39170 | 2639 | { |
81d882d5 DS |
2640 | msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); |
2641 | link_socket_update_flags(c->c2.link_socket, c->options.sockflags); | |
00d39170 JY |
2642 | } |
2643 | ||
81d882d5 DS |
2644 | if (found & OPT_P_PERSIST) |
2645 | { | |
2646 | msg(D_PUSH, "OPTIONS IMPORT: --persist options modified"); | |
2647 | } | |
2648 | if (found & OPT_P_UP) | |
2649 | { | |
2650 | msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); | |
2651 | } | |
2652 | if (found & OPT_P_ROUTE) | |
2653 | { | |
2654 | msg(D_PUSH, "OPTIONS IMPORT: route options modified"); | |
2655 | } | |
2656 | if (found & OPT_P_ROUTE_EXTRAS) | |
2657 | { | |
2658 | msg(D_PUSH, "OPTIONS IMPORT: route-related options modified"); | |
2659 | } | |
8a7d0005 | 2660 | if (found & OPT_P_DHCPDNS) |
81d882d5 DS |
2661 | { |
2662 | msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); | |
2663 | } | |
2664 | if (found & OPT_P_SETENV) | |
2665 | { | |
2666 | msg(D_PUSH, "OPTIONS IMPORT: environment modified"); | |
2667 | } | |
65eedc35 | 2668 | |
81d882d5 DS |
2669 | if (found & OPT_P_PEER_ID) |
2670 | { | |
c333a0c0 | 2671 | msg(D_PUSH_DEBUG, "OPTIONS IMPORT: peer-id set"); |
81d882d5 DS |
2672 | c->c2.tls_multi->use_peer_id = true; |
2673 | c->c2.tls_multi->peer_id = c->options.peer_id; | |
81d882d5 DS |
2674 | } |
2675 | ||
f9ef554a | 2676 | /* process (potentially) pushed options */ |
81d882d5 DS |
2677 | if (c->options.pull) |
2678 | { | |
2c1d8c33 | 2679 | if (!check_pull_client_ncp(c, found)) |
81d882d5 | 2680 | { |
2c1d8c33 | 2681 | return false; |
81d882d5 | 2682 | } |
c7ca9133 | 2683 | |
f9ef554a AQ |
2684 | /* Check if pushed options are compatible with DCO, if enabled */ |
2685 | if (dco_enabled(&c->options) | |
2686 | && !dco_check_pull_options(D_PUSH_ERRORS, &c->options)) | |
2687 | { | |
2688 | msg(D_PUSH_ERRORS, "OPTIONS ERROR: pushed options are incompatible " | |
2689 | "with data channel offload. Use --disable-dco to connect to " | |
2690 | "this server"); | |
2691 | return false; | |
2692 | } | |
46f6a7e8 AQ |
2693 | } |
2694 | ||
01aed6a5 AS |
2695 | if (found & OPT_P_PUSH_MTU) |
2696 | { | |
2697 | /* MTU has changed, check that the pushed MTU is small enough to | |
2698 | * be able to change it */ | |
2699 | msg(D_PUSH, "OPTIONS IMPORT: tun-mtu set to %d", c->options.ce.tun_mtu); | |
2700 | ||
2701 | struct frame *frame = &c->c2.frame; | |
2702 | ||
2703 | if (c->options.ce.tun_mtu > frame->tun_max_mtu) | |
2704 | { | |
2705 | msg(D_PUSH_ERRORS, "Server-pushed tun-mtu is too large, please add " | |
2706 | "tun-mtu-max %d in the client configuration", | |
2707 | c->options.ce.tun_mtu); | |
2708 | } | |
2709 | frame->tun_mtu = min_int(frame->tun_max_mtu, c->options.ce.tun_mtu); | |
2710 | } | |
2711 | ||
81d882d5 | 2712 | return true; |
6fbf66fa JY |
2713 | } |
2714 | ||
2715 | /* | |
396d30c2 AS |
2716 | * Possible hold on initialization, holdtime is the |
2717 | * time OpenVPN would wait without management | |
6fbf66fa JY |
2718 | */ |
2719 | static bool | |
81d882d5 | 2720 | do_hold(int holdtime) |
6fbf66fa JY |
2721 | { |
2722 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 | 2723 | if (management) |
6fbf66fa | 2724 | { |
81d882d5 DS |
2725 | /* block until management hold is released */ |
2726 | if (management_hold(management, holdtime)) | |
2727 | { | |
2728 | return true; | |
2729 | } | |
6fbf66fa JY |
2730 | } |
2731 | #endif | |
81d882d5 | 2732 | return false; |
6fbf66fa JY |
2733 | } |
2734 | ||
2735 | /* | |
2736 | * Sleep before restart. | |
2737 | */ | |
2738 | static void | |
81d882d5 | 2739 | socket_restart_pause(struct context *c) |
6fbf66fa | 2740 | { |
81d882d5 DS |
2741 | int sec = 2; |
2742 | int backoff = 0; | |
6fbf66fa | 2743 | |
81d882d5 | 2744 | switch (c->options.ce.proto) |
6fbf66fa | 2745 | { |
81d882d5 DS |
2746 | case PROTO_TCP_SERVER: |
2747 | sec = 1; | |
2748 | break; | |
2749 | ||
2750 | case PROTO_UDP: | |
2751 | case PROTO_TCP_CLIENT: | |
2752 | sec = c->options.ce.connect_retry_seconds; | |
2753 | break; | |
6fbf66fa JY |
2754 | } |
2755 | ||
2756 | #ifdef ENABLE_DEBUG | |
81d882d5 DS |
2757 | if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin)) |
2758 | { | |
2759 | sec = 0; | |
2760 | } | |
6fbf66fa JY |
2761 | #endif |
2762 | ||
81d882d5 DS |
2763 | if (auth_retry_get() == AR_NOINTERACT) |
2764 | { | |
2765 | sec = 10; | |
2766 | } | |
6fbf66fa | 2767 | |
063d55af SN |
2768 | /* Slow down reconnection after 5 retries per remote -- for TCP client or UDP tls-client only */ |
2769 | if (c->options.ce.proto == PROTO_TCP_CLIENT | |
2770 | || (c->options.ce.proto == PROTO_UDP && c->options.tls_client)) | |
5d429efd | 2771 | { |
81d882d5 DS |
2772 | backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4; |
2773 | if (backoff > 0) | |
5d429efd | 2774 | { |
81d882d5 DS |
2775 | /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */ |
2776 | sec = max_int(sec, 1) << min_int(backoff, 15); | |
5d429efd | 2777 | } |
c9474fa3 AS |
2778 | if (c->options.server_backoff_time) |
2779 | { | |
2780 | sec = max_int(sec, c->options.server_backoff_time); | |
2781 | c->options.server_backoff_time = 0; | |
2782 | } | |
5d429efd | 2783 | |
81d882d5 DS |
2784 | if (sec > c->options.ce.connect_retry_seconds_max) |
2785 | { | |
2786 | sec = c->options.ce.connect_retry_seconds_max; | |
2787 | } | |
5d429efd SN |
2788 | } |
2789 | ||
81d882d5 DS |
2790 | if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) |
2791 | { | |
2792 | sec = c->persist.restart_sleep_seconds; | |
2793 | } | |
2794 | else if (c->persist.restart_sleep_seconds == -1) | |
2795 | { | |
2796 | sec = 0; | |
2797 | } | |
2798 | c->persist.restart_sleep_seconds = 0; | |
a9c802b2 | 2799 | |
ccb636c7 | 2800 | /* do management hold on context restart, i.e. second, third, fourth, etc. initialization */ |
81d882d5 DS |
2801 | if (do_hold(sec)) |
2802 | { | |
2803 | sec = 0; | |
2804 | } | |
6fbf66fa | 2805 | |
81d882d5 | 2806 | if (sec) |
6fbf66fa | 2807 | { |
81d882d5 | 2808 | msg(D_RESTART, "Restart pause, %d second(s)", sec); |
45b2af9c | 2809 | management_sleep(sec); |
6fbf66fa JY |
2810 | } |
2811 | } | |
2812 | ||
2813 | /* | |
2814 | * Do a possible pause on context_2 initialization. | |
2815 | */ | |
2816 | static void | |
81d882d5 | 2817 | do_startup_pause(struct context *c) |
6fbf66fa | 2818 | { |
81d882d5 DS |
2819 | if (!c->first_time) |
2820 | { | |
2821 | socket_restart_pause(c); | |
2822 | } | |
2823 | else | |
2824 | { | |
2825 | do_hold(0); /* do management hold on first context initialization */ | |
2826 | } | |
6fbf66fa JY |
2827 | } |
2828 | ||
65a21eb1 AS |
2829 | static size_t |
2830 | get_frame_mtu(struct context *c, const struct options *o) | |
2831 | { | |
2832 | size_t mtu; | |
2833 | ||
2834 | if (o->ce.link_mtu_defined) | |
2835 | { | |
2836 | ASSERT(o->ce.link_mtu_defined); | |
2837 | /* if we have a link mtu defined we calculate what the old code | |
2838 | * would have come up with as tun-mtu */ | |
2839 | size_t overhead = frame_calculate_protocol_header_size(&c->c1.ks.key_type, | |
2840 | o, true); | |
2841 | mtu = o->ce.link_mtu - overhead; | |
2842 | ||
2843 | } | |
2844 | else | |
2845 | { | |
2846 | ASSERT(o->ce.tun_mtu_defined); | |
2847 | mtu = o->ce.tun_mtu; | |
2848 | } | |
2849 | ||
2850 | if (mtu < TUN_MTU_MIN) | |
2851 | { | |
6e375353 | 2852 | msg(M_WARN, "TUN MTU value (%zu) must be at least %d", mtu, TUN_MTU_MIN); |
65a21eb1 AS |
2853 | frame_print(&c->c2.frame, M_FATAL, "MTU is too small"); |
2854 | } | |
2855 | return mtu; | |
2856 | } | |
2857 | ||
6fbf66fa JY |
2858 | /* |
2859 | * Finalize MTU parameters based on command line or config file options. | |
2860 | */ | |
2861 | static void | |
81d882d5 | 2862 | frame_finalize_options(struct context *c, const struct options *o) |
6fbf66fa | 2863 | { |
81d882d5 DS |
2864 | if (!o) |
2865 | { | |
2866 | o = &c->options; | |
2867 | } | |
6fbf66fa | 2868 | |
65a21eb1 AS |
2869 | struct frame *frame = &c->c2.frame; |
2870 | ||
2871 | frame->tun_mtu = get_frame_mtu(c, o); | |
01aed6a5 AS |
2872 | frame->tun_max_mtu = o->ce.tun_mtu_max; |
2873 | ||
2874 | /* max mtu needs to be at least as large as the tun mtu */ | |
2875 | frame->tun_max_mtu = max_int(frame->tun_mtu, frame->tun_max_mtu); | |
65a21eb1 | 2876 | |
01aed6a5 AS |
2877 | /* We always allow at least 1600 MTU packets to be received in our buffer |
2878 | * space to allow server to push "baby giant" MTU sizes */ | |
2879 | frame->tun_max_mtu = max_int(1600, frame->tun_max_mtu); | |
2880 | ||
2881 | size_t payload_size = frame->tun_max_mtu; | |
65a21eb1 | 2882 | |
5f6ea597 AS |
2883 | /* we need to be also large enough to hold larger control channel packets |
2884 | * if configured */ | |
2885 | payload_size = max_int(payload_size, o->ce.tls_mtu); | |
2886 | ||
65a21eb1 AS |
2887 | /* The extra tun needs to be added to the payload size */ |
2888 | if (o->ce.tun_mtu_defined) | |
2889 | { | |
2890 | payload_size += o->ce.tun_mtu_extra; | |
2891 | } | |
2892 | ||
01aed6a5 AS |
2893 | /* Add 32 byte of extra space in the buffer to account for small errors |
2894 | * in the calculation */ | |
2895 | payload_size += 32; | |
65a21eb1 AS |
2896 | |
2897 | ||
2898 | /* the space that is reserved before the payload to add extra headers to it | |
abe49856 | 2899 | * we always reserve the space for the worst case */ |
65a21eb1 AS |
2900 | size_t headroom = 0; |
2901 | ||
2902 | /* includes IV and packet ID */ | |
2903 | headroom += crypto_max_overhead(); | |
2904 | ||
2905 | /* peer id + opcode */ | |
2906 | headroom += 4; | |
2907 | ||
2908 | /* socks proxy header */ | |
2909 | headroom += 10; | |
2910 | ||
2911 | /* compression header and fragment header (part of the encrypted payload) */ | |
2912 | headroom += 1 + 1; | |
2913 | ||
2914 | /* Round up headroom to the next multiple of 4 to ensure alignment */ | |
2915 | headroom = (headroom + 3) & ~3; | |
2916 | ||
2917 | /* Add the headroom to the payloadsize as a received (IP) packet can have | |
2918 | * all the extra headers in it */ | |
2919 | payload_size += headroom; | |
2920 | ||
2921 | /* the space after the payload, this needs some extra buffer space for | |
2922 | * encryption so headroom is probably too much but we do not really care | |
2923 | * the few extra bytes */ | |
2924 | size_t tailroom = headroom; | |
2925 | ||
2926 | #ifdef USE_COMP | |
8c815699 | 2927 | msg(D_MTU_DEBUG, "MTU: adding %zu buffer tailroom for compression for %zu " |
abe49856 DS |
2928 | "bytes of payload", |
2929 | COMP_EXTRA_BUFFER(payload_size), payload_size); | |
65a21eb1 AS |
2930 | tailroom += COMP_EXTRA_BUFFER(payload_size); |
2931 | #endif | |
2932 | ||
2933 | frame->buf.payload_size = payload_size; | |
2934 | frame->buf.headroom = headroom; | |
2935 | frame->buf.tailroom = tailroom; | |
6fbf66fa JY |
2936 | } |
2937 | ||
2938 | /* | |
2939 | * Free a key schedule, including OpenSSL components. | |
2940 | */ | |
2941 | static void | |
81d882d5 | 2942 | key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) |
6fbf66fa | 2943 | { |
81d882d5 DS |
2944 | free_key_ctx_bi(&ks->static_key); |
2945 | if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) | |
6fbf66fa | 2946 | { |
81d882d5 | 2947 | tls_ctx_free(&ks->ssl_ctx); |
fe39156a | 2948 | free_key_ctx(&ks->auth_token_key); |
6fbf66fa | 2949 | } |
81d882d5 | 2950 | CLEAR(*ks); |
6fbf66fa JY |
2951 | } |
2952 | ||
6fbf66fa | 2953 | static void |
81d882d5 | 2954 | init_crypto_pre(struct context *c, const unsigned int flags) |
6fbf66fa | 2955 | { |
81d882d5 DS |
2956 | if (c->options.engine) |
2957 | { | |
2958 | crypto_init_lib_engine(c->options.engine); | |
2959 | } | |
6fbf66fa | 2960 | |
81d882d5 | 2961 | if (flags & CF_LOAD_PERSISTED_PACKET_ID) |
6fbf66fa | 2962 | { |
81d882d5 DS |
2963 | /* load a persisted packet-id for cross-session replay-protection */ |
2964 | if (c->options.packet_id_file) | |
2965 | { | |
2966 | packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file); | |
2967 | } | |
6fbf66fa JY |
2968 | } |
2969 | ||
0f25d296 | 2970 | #ifdef ENABLE_PREDICTION_RESISTANCE |
81d882d5 DS |
2971 | if (c->options.use_prediction_resistance) |
2972 | { | |
2973 | rand_ctx_enable_prediction_resistance(); | |
2974 | } | |
0f25d296 | 2975 | #endif |
6fbf66fa JY |
2976 | } |
2977 | ||
2978 | /* | |
2979 | * Static Key Mode (using a pre-shared key) | |
2980 | */ | |
2981 | static void | |
81d882d5 | 2982 | do_init_crypto_static(struct context *c, const unsigned int flags) |
6fbf66fa | 2983 | { |
81d882d5 DS |
2984 | const struct options *options = &c->options; |
2985 | ASSERT(options->shared_secret_file); | |
6fbf66fa | 2986 | |
81d882d5 | 2987 | init_crypto_pre(c, flags); |
2d9c6d20 | 2988 | |
81d882d5 | 2989 | /* Initialize flags */ |
81d882d5 | 2990 | if (c->options.mute_replay_warnings) |
6fbf66fa | 2991 | { |
81d882d5 | 2992 | c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; |
6fbf66fa JY |
2993 | } |
2994 | ||
81d882d5 | 2995 | /* Initialize packet ID tracking */ |
6d76218d FL |
2996 | packet_id_init(&c->c2.crypto_options.packet_id, |
2997 | options->replay_window, | |
2998 | options->replay_time, | |
2999 | "STATIC", 0); | |
3000 | c->c2.crypto_options.pid_persist = &c->c1.pid_persist; | |
3001 | c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; | |
3002 | packet_id_persist_load_obj(&c->c1.pid_persist, | |
3003 | &c->c2.crypto_options.packet_id); | |
6fbf66fa | 3004 | |
81d882d5 DS |
3005 | if (!key_ctx_bi_defined(&c->c1.ks.static_key)) |
3006 | { | |
3007 | /* Get cipher & hash algorithms */ | |
3008 | init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, | |
6ea62d50 | 3009 | options->test_crypto, true); |
81d882d5 DS |
3010 | |
3011 | /* Read cipher and hmac keys from shared secret file */ | |
3012 | crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key, | |
3013 | options->shared_secret_file, | |
3014 | options->shared_secret_file_inline, | |
3015 | options->key_direction, "Static Key Encryption", | |
6a05768a | 3016 | "secret", NULL); |
6fbf66fa | 3017 | } |
81d882d5 | 3018 | else |
6fbf66fa | 3019 | { |
81d882d5 | 3020 | msg(M_INFO, "Re-using pre-shared static key"); |
6fbf66fa JY |
3021 | } |
3022 | ||
81d882d5 DS |
3023 | /* Get key schedule */ |
3024 | c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; | |
6fbf66fa JY |
3025 | } |
3026 | ||
5817b49b AQ |
3027 | /* |
3028 | * Initialize the tls-auth/crypt key context | |
3029 | */ | |
3030 | static void | |
3031 | do_init_tls_wrap_key(struct context *c) | |
3032 | { | |
3033 | const struct options *options = &c->options; | |
3034 | ||
3035 | /* TLS handshake authentication (--tls-auth) */ | |
57d6f103 | 3036 | if (options->ce.tls_auth_file) |
5817b49b AQ |
3037 | { |
3038 | /* Initialize key_type for tls-auth with auth only */ | |
3039 | CLEAR(c->c1.ks.tls_auth_key_type); | |
b39725cf AS |
3040 | c->c1.ks.tls_auth_key_type.cipher = "none"; |
3041 | c->c1.ks.tls_auth_key_type.digest = options->authname; | |
3042 | if (!md_valid(options->authname)) | |
5817b49b AQ |
3043 | { |
3044 | msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth " | |
3045 | "algorithm specified ('%s')", options->authname); | |
3046 | } | |
3047 | ||
3048 | crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, | |
3049 | &c->c1.ks.tls_wrap_key, | |
57d6f103 AQ |
3050 | options->ce.tls_auth_file, |
3051 | options->ce.tls_auth_file_inline, | |
3052 | options->ce.key_direction, | |
6a05768a AS |
3053 | "Control Channel Authentication", "tls-auth", |
3054 | &c->c1.ks.original_wrap_keydata); | |
5817b49b AQ |
3055 | } |
3056 | ||
3057 | /* TLS handshake encryption+authentication (--tls-crypt) */ | |
57d6f103 | 3058 | if (options->ce.tls_crypt_file) |
5817b49b AQ |
3059 | { |
3060 | tls_crypt_init_key(&c->c1.ks.tls_wrap_key, | |
6a05768a | 3061 | &c->c1.ks.original_wrap_keydata, |
57d6f103 | 3062 | options->ce.tls_crypt_file, |
cb2e9218 AQ |
3063 | options->ce.tls_crypt_file_inline, |
3064 | options->tls_server); | |
5817b49b | 3065 | } |
19d6d9c3 SK |
3066 | |
3067 | /* tls-crypt with client-specific keys (--tls-crypt-v2) */ | |
3068 | if (options->ce.tls_crypt_v2_file) | |
3069 | { | |
3070 | if (options->tls_server) | |
3071 | { | |
3072 | tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, | |
3073 | true, options->ce.tls_crypt_v2_file, | |
cb2e9218 | 3074 | options->ce.tls_crypt_v2_file_inline); |
19d6d9c3 SK |
3075 | } |
3076 | else | |
3077 | { | |
3078 | tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, | |
6a05768a | 3079 | &c->c1.ks.original_wrap_keydata, |
19d6d9c3 SK |
3080 | &c->c1.ks.tls_crypt_v2_wkc, |
3081 | options->ce.tls_crypt_v2_file, | |
cb2e9218 | 3082 | options->ce.tls_crypt_v2_file_inline); |
19d6d9c3 | 3083 | } |
5f6ea597 AS |
3084 | /* We have to ensure that the loaded tls-crypt key is small enough |
3085 | * to fit into the initial hard reset v3 packet */ | |
3086 | int wkc_len = buf_len(&c->c1.ks.tls_crypt_v2_wkc); | |
3087 | ||
3088 | /* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */ | |
3089 | int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 + 40; | |
3090 | ||
3091 | if (required_size > c->options.ce.tls_mtu) | |
3092 | { | |
3093 | msg(M_WARN, "ERROR: tls-crypt-v2 client key too large to work with " | |
3094 | "requested --max-packet-size %d, requires at least " | |
3095 | "--max-packet-size %d. Packets will ignore requested " | |
3096 | "maximum packet size", c->options.ce.tls_mtu, | |
3097 | required_size); | |
3098 | } | |
19d6d9c3 SK |
3099 | } |
3100 | ||
3101 | ||
5817b49b AQ |
3102 | } |
3103 | ||
6fbf66fa JY |
3104 | /* |
3105 | * Initialize the persistent component of OpenVPN's TLS mode, | |
3106 | * which is preserved across SIGUSR1 resets. | |
3107 | */ | |
3108 | static void | |
81d882d5 | 3109 | do_init_crypto_tls_c1(struct context *c) |
6fbf66fa | 3110 | { |
81d882d5 | 3111 | const struct options *options = &c->options; |
6fbf66fa | 3112 | |
81d882d5 | 3113 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) |
6fbf66fa | 3114 | { |
81d882d5 DS |
3115 | /* |
3116 | * Initialize the OpenSSL library's global | |
3117 | * SSL context. | |
3118 | */ | |
21a0b249 | 3119 | init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set); |
81d882d5 DS |
3120 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) |
3121 | { | |
81d882d5 DS |
3122 | switch (auth_retry_get()) |
3123 | { | |
3124 | case AR_NONE: | |
3125 | msg(M_FATAL, "Error: private key password verification failed"); | |
3126 | break; | |
3127 | ||
3128 | case AR_INTERACT: | |
3129 | ssl_purge_auth(false); | |
f2454ec6 | 3130 | /* Intentional [[fallthrough]]; */ |
81d882d5 DS |
3131 | |
3132 | case AR_NOINTERACT: | |
05715485 SN |
3133 | /* SOFT-SIGUSR1 -- Password failure error */ |
3134 | register_signal(c->sig, SIGUSR1, "private-key-password-failure"); | |
81d882d5 DS |
3135 | break; |
3136 | ||
3137 | default: | |
3138 | ASSERT(0); | |
3139 | } | |
81d882d5 | 3140 | return; |
81d882d5 DS |
3141 | } |
3142 | ||
abe49856 DS |
3143 | /* |
3144 | * BF-CBC is allowed to be used only when explicitly configured | |
3145 | * as NCP-fallback or when NCP has been disabled or explicitly | |
3146 | * allowed in the in ncp_ciphers list. | |
3147 | * In all other cases do not attempt to initialize BF-CBC as it | |
3148 | * may not even be supported by the underlying SSL library. | |
3149 | * | |
3150 | * Therefore, the key structure has to be initialized when: | |
3151 | * - any non-BF-CBC cipher was selected; or | |
3152 | * - BF-CBC is selected, NCP is enabled and fallback is enabled | |
3153 | * (BF-CBC will be the fallback). | |
3154 | * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC: | |
3155 | * If the negotiated cipher and options->ciphername are the | |
3156 | * same we do not reinit the cipher | |
3157 | * | |
3158 | * Note that BF-CBC will still be part of the OCC string to retain | |
3159 | * backwards compatibility with older clients. | |
3160 | */ | |
3161 | const char *ciphername = options->ciphername; | |
ce2954a0 AS |
3162 | if (streq(options->ciphername, "BF-CBC") |
3163 | && !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers) | |
3164 | && !options->enable_ncp_fallback) | |
79ff3f79 | 3165 | { |
ce2954a0 | 3166 | ciphername = "none"; |
79ff3f79 | 3167 | } |
81d882d5 | 3168 | |
ce2954a0 AS |
3169 | /* Do not warn if the cipher is used only in OCC */ |
3170 | bool warn = options->enable_ncp_fallback; | |
3171 | init_key_type(&c->c1.ks.key_type, ciphername, options->authname, | |
3172 | true, warn); | |
3173 | ||
19d6d9c3 | 3174 | /* initialize tls-auth/crypt/crypt-v2 key */ |
5817b49b | 3175 | do_init_tls_wrap_key(c); |
81d882d5 | 3176 | |
1b9a88a2 | 3177 | /* initialise auth-token crypto support */ |
6cf4fa5a AS |
3178 | if (c->options.auth_token_generate) |
3179 | { | |
3180 | auth_token_init_secret(&c->c1.ks.auth_token_key, | |
3181 | c->options.auth_token_secret_file, | |
3182 | c->options.auth_token_secret_file_inline); | |
3183 | } | |
1b9a88a2 | 3184 | |
1f4309ae | 3185 | #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ |
81d882d5 DS |
3186 | if (options->priv_key_file_inline) |
3187 | { | |
3188 | string_clear(c->options.priv_key_file_inline); | |
3189 | c->options.priv_key_file_inline = NULL; | |
3190 | } | |
d40f2b20 | 3191 | #endif |
6fbf66fa | 3192 | } |
81d882d5 | 3193 | else |
6fbf66fa | 3194 | { |
81d882d5 | 3195 | msg(D_INIT_MEDIUM, "Re-using SSL/TLS context"); |
129d2924 | 3196 | |
5817b49b AQ |
3197 | /* |
3198 | * tls-auth/crypt key can be configured per connection block, therefore | |
3199 | * we must reload it as it may have changed | |
3200 | */ | |
3201 | do_init_tls_wrap_key(c); | |
6fbf66fa JY |
3202 | } |
3203 | } | |
3204 | ||
3205 | static void | |
81d882d5 | 3206 | do_init_crypto_tls(struct context *c, const unsigned int flags) |
6fbf66fa | 3207 | { |
81d882d5 DS |
3208 | const struct options *options = &c->options; |
3209 | struct tls_options to; | |
3210 | bool packet_id_long_form; | |
6fbf66fa | 3211 | |
81d882d5 DS |
3212 | ASSERT(options->tls_server || options->tls_client); |
3213 | ASSERT(!options->test_crypto); | |
6fbf66fa | 3214 | |
81d882d5 | 3215 | init_crypto_pre(c, flags); |
6fbf66fa | 3216 | |
81d882d5 DS |
3217 | /* Make sure we are either a TLS client or server but not both */ |
3218 | ASSERT(options->tls_server == !options->tls_client); | |
6fbf66fa | 3219 | |
81d882d5 DS |
3220 | /* initialize persistent component */ |
3221 | do_init_crypto_tls_c1(c); | |
3222 | if (IS_SIG(c)) | |
3223 | { | |
3224 | return; | |
3225 | } | |
3226 | ||
81d882d5 DS |
3227 | /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ |
3228 | packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); | |
3229 | ||
81d882d5 DS |
3230 | /* Set all command-line TLS-related options */ |
3231 | CLEAR(to); | |
3232 | ||
81d882d5 DS |
3233 | if (options->mute_replay_warnings) |
3234 | { | |
3235 | to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS; | |
3236 | } | |
3237 | ||
3238 | to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM); | |
3239 | if (packet_id_long_form) | |
3240 | { | |
3241 | to.crypto_flags |= CO_PACKET_ID_LONG_FORM; | |
3242 | } | |
3243 | ||
3244 | to.ssl_ctx = c->c1.ks.ssl_ctx; | |
3245 | to.key_type = c->c1.ks.key_type; | |
3246 | to.server = options->tls_server; | |
81d882d5 DS |
3247 | to.replay_window = options->replay_window; |
3248 | to.replay_time = options->replay_time; | |
3249 | to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); | |
7064ccb9 AS |
3250 | to.config_ciphername = c->options.ciphername; |
3251 | to.config_ncp_ciphers = c->options.ncp_ciphers; | |
81d882d5 DS |
3252 | to.transition_window = options->transition_window; |
3253 | to.handshake_window = options->handshake_window; | |
3254 | to.packet_timeout = options->tls_timeout; | |
3255 | to.renegotiate_bytes = options->renegotiate_bytes; | |
3256 | to.renegotiate_packets = options->renegotiate_packets; | |
dd996463 SM |
3257 | if (options->renegotiate_seconds_min < 0) |
3258 | { | |
3259 | /* Add 10% jitter to reneg-sec by default (server side only) */ | |
3260 | int auto_jitter = options->mode != MODE_SERVER ? 0 : | |
f57431cd | 3261 | get_random() % max_int(options->renegotiate_seconds / 10, 1); |
dd996463 SM |
3262 | to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter; |
3263 | } | |
3264 | else | |
3265 | { | |
3266 | /* Add user-specified jitter to reneg-sec */ | |
f57431cd GD |
3267 | to.renegotiate_seconds = options->renegotiate_seconds |
3268 | -(get_random() % max_int(options->renegotiate_seconds | |
3269 | - options->renegotiate_seconds_min, 1)); | |
dd996463 | 3270 | } |
81d882d5 DS |
3271 | to.single_session = options->single_session; |
3272 | to.mode = options->mode; | |
3273 | to.pull = options->pull; | |
81d882d5 DS |
3274 | if (options->push_peer_info) /* all there is */ |
3275 | { | |
8c72d798 | 3276 | to.push_peer_info_detail = 3; |
81d882d5 DS |
3277 | } |
3278 | else if (options->pull) /* pull clients send some details */ | |
3279 | { | |
8c72d798 | 3280 | to.push_peer_info_detail = 2; |
81d882d5 | 3281 | } |
8c72d798 | 3282 | else if (options->mode == MODE_SERVER) /* server: no peer info at all */ |
81d882d5 DS |
3283 | { |
3284 | to.push_peer_info_detail = 0; | |
3285 | } | |
8c72d798 AS |
3286 | else /* default: minimal info to allow NCP in P2P mode */ |
3287 | { | |
3288 | to.push_peer_info_detail = 1; | |
3289 | } | |
3290 | ||
6fbf66fa | 3291 | |
81d882d5 DS |
3292 | /* should we not xmit any packets until we get an initial |
3293 | * response from client? */ | |
3294 | if (to.server && options->ce.proto == PROTO_TCP_SERVER) | |
3295 | { | |
3296 | to.xmit_hold = true; | |
3297 | } | |
6add6b2f | 3298 | |
81d882d5 | 3299 | to.verify_command = options->tls_verify; |
81d882d5 DS |
3300 | to.verify_x509_type = (options->verify_x509_type & 0xff); |
3301 | to.verify_x509_name = options->verify_x509_name; | |
3302 | to.crl_file = options->crl_file; | |
3303 | to.crl_file_inline = options->crl_file_inline; | |
3304 | to.ssl_flags = options->ssl_flags; | |
3305 | to.ns_cert_type = options->ns_cert_type; | |
3b04c34d | 3306 | memcpy(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku)); |
81d882d5 DS |
3307 | to.remote_cert_eku = options->remote_cert_eku; |
3308 | to.verify_hash = options->verify_hash; | |
2193d7c0 | 3309 | to.verify_hash_algo = options->verify_hash_algo; |
c3a7065d | 3310 | to.verify_hash_depth = options->verify_hash_depth; |
c3746da7 | 3311 | to.verify_hash_no_ca = options->verify_hash_no_ca; |
19dd3ef1 | 3312 | #ifdef ENABLE_X509ALTUSERNAME |
3b04c34d | 3313 | memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); |
19dd3ef1 | 3314 | #else |
3b04c34d | 3315 | to.x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT; |
19dd3ef1 | 3316 | #endif |
81d882d5 | 3317 | to.es = c->c2.es; |
aec4a3d1 | 3318 | to.net_ctx = &c->net_ctx; |
6fbf66fa JY |
3319 | |
3320 | #ifdef ENABLE_DEBUG | |
81d882d5 | 3321 | to.gremlin = c->options.gremlin; |
6fbf66fa JY |
3322 | #endif |
3323 | ||
81d882d5 | 3324 | to.plugins = c->plugins; |
6fbf66fa | 3325 | |
99d217b2 | 3326 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 3327 | to.mda_context = &c->c2.mda_context; |
90efcacb JY |
3328 | #endif |
3329 | ||
81d882d5 DS |
3330 | to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; |
3331 | to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; | |
23eec2d2 | 3332 | to.client_crresponse_script = options->client_crresponse_script; |
81d882d5 | 3333 | to.tmp_dir = options->tmp_dir; |
c58c7c3c | 3334 | to.export_peer_cert_dir = options->tls_export_peer_cert_dir; |
81d882d5 DS |
3335 | if (options->ccd_exclusive) |
3336 | { | |
3337 | to.client_config_dir_exclusive = options->client_config_dir; | |
3338 | } | |
3339 | to.auth_user_pass_file = options->auth_user_pass_file; | |
7d48d31b | 3340 | to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; |
81d882d5 DS |
3341 | to.auth_token_generate = options->auth_token_generate; |
3342 | to.auth_token_lifetime = options->auth_token_lifetime; | |
9a516170 | 3343 | to.auth_token_renewal = options->auth_token_renewal; |
c8723aa7 | 3344 | to.auth_token_call_auth = options->auth_token_call_auth; |
1b9a88a2 | 3345 | to.auth_token_key = c->c1.ks.auth_token_key; |
6fbf66fa | 3346 | |
81d882d5 | 3347 | to.x509_track = options->x509_track; |
9356bae8 | 3348 | |
66b9409b | 3349 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 3350 | to.sci = &options->sc_info; |
16d909e2 | 3351 | #endif |
eab3e22f | 3352 | |
38d96bd7 | 3353 | #ifdef USE_COMP |
81d882d5 | 3354 | to.comp_options = options->comp; |
38d96bd7 JY |
3355 | #endif |
3356 | ||
5defbba4 | 3357 | #ifdef HAVE_EXPORT_KEYING_MATERIAL |
81d882d5 | 3358 | if (options->keying_material_exporter_label) |
685e486e | 3359 | { |
81d882d5 DS |
3360 | to.ekm_size = options->keying_material_exporter_length; |
3361 | if (to.ekm_size < 16 || to.ekm_size > 4095) | |
3362 | { | |
3363 | to.ekm_size = 0; | |
3364 | } | |
685e486e | 3365 | |
81d882d5 DS |
3366 | to.ekm_label = options->keying_material_exporter_label; |
3367 | to.ekm_label_size = strlen(to.ekm_label); | |
685e486e | 3368 | } |
81d882d5 | 3369 | else |
685e486e | 3370 | { |
81d882d5 | 3371 | to.ekm_size = 0; |
685e486e | 3372 | } |
5defbba4 | 3373 | #endif /* HAVE_EXPORT_KEYING_MATERIAL */ |
685e486e | 3374 | |
81d882d5 | 3375 | /* TLS handshake authentication (--tls-auth) */ |
57d6f103 | 3376 | if (options->ce.tls_auth_file) |
6fbf66fa | 3377 | { |
81d882d5 | 3378 | to.tls_wrap.mode = TLS_WRAP_AUTH; |
6fbf66fa JY |
3379 | } |
3380 | ||
81d882d5 | 3381 | /* TLS handshake encryption (--tls-crypt) */ |
19dffdbd SK |
3382 | if (options->ce.tls_crypt_file |
3383 | || (options->ce.tls_crypt_v2_file && options->tls_client)) | |
c6e24fa3 | 3384 | { |
81d882d5 | 3385 | to.tls_wrap.mode = TLS_WRAP_CRYPT; |
6a05768a AS |
3386 | } |
3387 | ||
3388 | if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode == TLS_WRAP_CRYPT) | |
3389 | { | |
81d882d5 DS |
3390 | to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; |
3391 | to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; | |
3392 | to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; | |
6a05768a | 3393 | to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata; |
19dffdbd SK |
3394 | } |
3395 | ||
19d6d9c3 | 3396 | if (options->ce.tls_crypt_v2_file) |
19dffdbd SK |
3397 | { |
3398 | to.tls_crypt_v2 = true; | |
6a05768a AS |
3399 | to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc; |
3400 | ||
19dffdbd SK |
3401 | if (options->tls_server) |
3402 | { | |
3403 | to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key; | |
ff931c5e | 3404 | to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script; |
e7d8c4a7 AS |
3405 | if (options->ce.tls_crypt_v2_force_cookie) |
3406 | { | |
3407 | to.tls_wrap.opt.flags |= CO_FORCE_TLSCRYPTV2_COOKIE; | |
3408 | } | |
19dffdbd | 3409 | } |
c6e24fa3 SK |
3410 | } |
3411 | ||
a2d851d4 AQ |
3412 | /* let the TLS engine know if keys have to be installed in DCO or not */ |
3413 | to.dco_enabled = dco_enabled(options); | |
3414 | ||
81d882d5 DS |
3415 | /* |
3416 | * Initialize OpenVPN's master TLS-mode object. | |
3417 | */ | |
3418 | if (flags & CF_INIT_TLS_MULTI) | |
3419 | { | |
3420 | c->c2.tls_multi = tls_multi_init(&to); | |
a2d851d4 AQ |
3421 | /* inherit the dco context from the tuntap object */ |
3422 | if (c->c1.tuntap) | |
3423 | { | |
3424 | c->c2.tls_multi->dco = &c->c1.tuntap->dco; | |
3425 | } | |
81d882d5 | 3426 | } |
6fbf66fa | 3427 | |
81d882d5 DS |
3428 | if (flags & CF_INIT_TLS_AUTH_STANDALONE) |
3429 | { | |
3430 | c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc); | |
b3647114 | 3431 | c->c2.session_id_hmac = session_id_hmac_init(); |
81d882d5 | 3432 | } |
6fbf66fa JY |
3433 | } |
3434 | ||
3435 | static void | |
2b6fcdc0 | 3436 | do_init_frame_tls(struct context *c) |
6fbf66fa | 3437 | { |
81d882d5 | 3438 | if (c->c2.tls_multi) |
6fbf66fa | 3439 | { |
5f6ea597 | 3440 | tls_multi_init_finalize(c->c2.tls_multi, c->options.ce.tls_mtu); |
986559bf AS |
3441 | ASSERT(c->c2.tls_multi->opt.frame.buf.payload_size <= |
3442 | c->c2.frame.buf.payload_size); | |
81d882d5 DS |
3443 | frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, |
3444 | "Control Channel MTU parms"); | |
01aed6a5 AS |
3445 | |
3446 | /* Keep the max mtu also in the frame of tls multi so it can access | |
3447 | * it in push_peer_info */ | |
3448 | c->c2.tls_multi->opt.frame.tun_max_mtu = c->c2.frame.tun_max_mtu; | |
6fbf66fa | 3449 | } |
81d882d5 | 3450 | if (c->c2.tls_auth_standalone) |
6fbf66fa | 3451 | { |
5f6ea597 | 3452 | tls_init_control_channel_frame_parameters(&c->c2.tls_auth_standalone->frame, c->options.ce.tls_mtu); |
81d882d5 DS |
3453 | frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, |
3454 | "TLS-Auth MTU parms"); | |
b3647114 | 3455 | c->c2.tls_auth_standalone->tls_wrap.work = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc); |
e8ecaadd | 3456 | c->c2.tls_auth_standalone->workbuf = alloc_buf_gc(BUF_SIZE(&c->c2.frame), &c->c2.gc); |
6fbf66fa JY |
3457 | } |
3458 | } | |
3459 | ||
6fbf66fa JY |
3460 | /* |
3461 | * No encryption or authentication. | |
3462 | */ | |
3463 | static void | |
02d8f792 | 3464 | do_init_crypto_none(struct context *c) |
6fbf66fa | 3465 | { |
81d882d5 | 3466 | ASSERT(!c->options.test_crypto); |
02d8f792 AS |
3467 | |
3468 | /* Initialise key_type with auth/cipher "none", so the key_type struct is | |
3469 | * valid */ | |
3470 | init_key_type(&c->c1.ks.key_type, "none", "none", | |
3471 | c->options.test_crypto, true); | |
3472 | ||
81d882d5 | 3473 | msg(M_WARN, |
7a1b6a0d DS |
3474 | "******* WARNING *******: All encryption and authentication features " |
3475 | "disabled -- All data will be tunnelled as clear text and will not be " | |
3476 | "protected against man-in-the-middle changes. " | |
3477 | "PLEASE DO RECONSIDER THIS CONFIGURATION!"); | |
6fbf66fa | 3478 | } |
6fbf66fa JY |
3479 | |
3480 | static void | |
81d882d5 | 3481 | do_init_crypto(struct context *c, const unsigned int flags) |
6fbf66fa | 3482 | { |
81d882d5 DS |
3483 | if (c->options.shared_secret_file) |
3484 | { | |
3485 | do_init_crypto_static(c, flags); | |
3486 | } | |
3487 | else if (c->options.tls_server || c->options.tls_client) | |
3488 | { | |
3489 | do_init_crypto_tls(c, flags); | |
3490 | } | |
3491 | else /* no encryption or authentication. */ | |
3492 | { | |
3493 | do_init_crypto_none(c); | |
3494 | } | |
6fbf66fa JY |
3495 | } |
3496 | ||
3497 | static void | |
81d882d5 | 3498 | do_init_frame(struct context *c) |
6fbf66fa | 3499 | { |
81d882d5 DS |
3500 | /* |
3501 | * Adjust frame size based on the --tun-mtu-extra parameter. | |
3502 | */ | |
3503 | if (c->options.ce.tun_mtu_extra_defined) | |
3504 | { | |
65c63086 | 3505 | c->c2.frame.extra_tun += c->options.ce.tun_mtu_extra; |
81d882d5 DS |
3506 | } |
3507 | ||
81d882d5 DS |
3508 | /* |
3509 | * Fill in the blanks in the frame parameters structure, | |
3510 | * make sure values are rational, etc. | |
3511 | */ | |
3512 | frame_finalize_options(c, NULL); | |
6fbf66fa | 3513 | |
6fbf66fa | 3514 | |
ba66faad | 3515 | #if defined(ENABLE_FRAGMENT) |
81d882d5 DS |
3516 | /* |
3517 | * MTU advisories | |
3518 | */ | |
3519 | if (c->options.ce.fragment && c->options.mtu_test) | |
3520 | { | |
3521 | msg(M_WARN, | |
3522 | "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); | |
3523 | } | |
6fbf66fa JY |
3524 | #endif |
3525 | ||
3526 | #ifdef ENABLE_FRAGMENT | |
f1e06301 | 3527 | if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment) |
81d882d5 | 3528 | { |
f1e06301 | 3529 | msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " |
abe49856 DS |
3530 | "set --fragment (%d) larger or equal than --mssfix (%d)", |
3531 | c->options.ce.fragment, c->options.ce.mssfix); | |
f1e06301 AS |
3532 | } |
3533 | if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0 | |
3534 | && c->options.ce.fragment_encap != c->options.ce.mssfix_encap) | |
3535 | { | |
3536 | msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should " | |
abe49856 | 3537 | "use the \"mtu\" flag for both or none of of them."); |
81d882d5 | 3538 | } |
6fbf66fa JY |
3539 | #endif |
3540 | } | |
3541 | ||
3542 | static void | |
81d882d5 | 3543 | do_option_warnings(struct context *c) |
6fbf66fa | 3544 | { |
81d882d5 | 3545 | const struct options *o = &c->options; |
6fbf66fa | 3546 | |
81d882d5 DS |
3547 | if (o->ping_send_timeout && !o->ping_rec_timeout) |
3548 | { | |
3549 | msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); | |
3550 | } | |
6fbf66fa | 3551 | |
81d882d5 | 3552 | if (o->username || o->groupname || o->chroot_dir |
cd5990e0 | 3553 | #ifdef ENABLE_SELINUX |
81d882d5 | 3554 | || o->selinux_context |
99385447 | 3555 | #endif |
81d882d5 DS |
3556 | ) |
3557 | { | |
3558 | if (!o->persist_tun) | |
3559 | { | |
3560 | msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); | |
3561 | } | |
81d882d5 | 3562 | } |
6fbf66fa | 3563 | |
81d882d5 DS |
3564 | if (o->chroot_dir && !(o->username && o->groupname)) |
3565 | { | |
3566 | msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); | |
3567 | } | |
31f90e64 | 3568 | |
81d882d5 DS |
3569 | if (o->pull && o->ifconfig_local && c->first_time) |
3570 | { | |
3571 | msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); | |
3572 | } | |
6fbf66fa | 3573 | |
81d882d5 DS |
3574 | if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) |
3575 | { | |
3576 | msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); | |
3577 | } | |
f77c60d3 | 3578 | |
81d882d5 | 3579 | if (o->mode == MODE_SERVER) |
6fbf66fa | 3580 | { |
81d882d5 DS |
3581 | if (o->duplicate_cn && o->client_config_dir) |
3582 | { | |
3583 | msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); | |
3584 | } | |
3585 | if (o->duplicate_cn && o->ifconfig_pool_persist_filename) | |
3586 | { | |
3587 | msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); | |
3588 | } | |
3589 | if (!o->keepalive_ping || !o->keepalive_timeout) | |
3590 | { | |
3591 | msg(M_WARN, "WARNING: --keepalive option is missing from server config"); | |
3592 | } | |
6fbf66fa | 3593 | } |
6fbf66fa | 3594 | |
81d882d5 DS |
3595 | if (o->tls_server) |
3596 | { | |
aec4a3d1 | 3597 | warn_on_use_of_common_subnets(&c->net_ctx); |
81d882d5 DS |
3598 | } |
3599 | if (o->tls_client | |
3600 | && !o->tls_verify | |
3601 | && o->verify_x509_type == VERIFY_X509_NONE | |
3602 | && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) | |
3603 | && !o->remote_cert_eku) | |
3604 | { | |
3605 | msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); | |
3606 | } | |
2dc33226 SK |
3607 | if (o->ns_cert_type) |
3608 | { | |
3609 | msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."); | |
3610 | } | |
81d882d5 | 3611 | |
ccb636c7 | 3612 | /* If a script is used, print appropriate warnings */ |
81d882d5 DS |
3613 | if (o->user_script_used) |
3614 | { | |
bf97c00f | 3615 | if (script_security() >= SSEC_SCRIPTS) |
81d882d5 DS |
3616 | { |
3617 | msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); | |
3618 | } | |
bf97c00f | 3619 | else if (script_security() >= SSEC_PW_ENV) |
81d882d5 DS |
3620 | { |
3621 | msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); | |
3622 | } | |
3623 | else | |
3624 | { | |
3625 | msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); | |
3626 | } | |
3627 | } | |
6fbf66fa JY |
3628 | } |
3629 | ||
6fbf66fa | 3630 | struct context_buffers * |
81d882d5 | 3631 | init_context_buffers(const struct frame *frame) |
6fbf66fa | 3632 | { |
81d882d5 | 3633 | struct context_buffers *b; |
6fbf66fa | 3634 | |
81d882d5 | 3635 | ALLOC_OBJ_CLEAR(b, struct context_buffers); |
6fbf66fa | 3636 | |
65a21eb1 AS |
3637 | size_t buf_size = BUF_SIZE(frame); |
3638 | ||
3639 | b->read_link_buf = alloc_buf(buf_size); | |
3640 | b->read_tun_buf = alloc_buf(buf_size); | |
6fbf66fa | 3641 | |
65a21eb1 | 3642 | b->aux_buf = alloc_buf(buf_size); |
6fbf66fa | 3643 | |
65a21eb1 AS |
3644 | b->encrypt_buf = alloc_buf(buf_size); |
3645 | b->decrypt_buf = alloc_buf(buf_size); | |
6fbf66fa | 3646 | |
38d96bd7 | 3647 | #ifdef USE_COMP |
65a21eb1 AS |
3648 | b->compress_buf = alloc_buf(buf_size); |
3649 | b->decompress_buf = alloc_buf(buf_size); | |
6fbf66fa JY |
3650 | #endif |
3651 | ||
81d882d5 | 3652 | return b; |
6fbf66fa JY |
3653 | } |
3654 | ||
3655 | void | |
81d882d5 | 3656 | free_context_buffers(struct context_buffers *b) |
6fbf66fa | 3657 | { |
81d882d5 | 3658 | if (b) |
6fbf66fa | 3659 | { |
81d882d5 DS |
3660 | free_buf(&b->read_link_buf); |
3661 | free_buf(&b->read_tun_buf); | |
3662 | free_buf(&b->aux_buf); | |
6fbf66fa | 3663 | |
38d96bd7 | 3664 | #ifdef USE_COMP |
81d882d5 DS |
3665 | free_buf(&b->compress_buf); |
3666 | free_buf(&b->decompress_buf); | |
6fbf66fa JY |
3667 | #endif |
3668 | ||
81d882d5 DS |
3669 | free_buf(&b->encrypt_buf); |
3670 | free_buf(&b->decrypt_buf); | |
6fbf66fa | 3671 | |
81d882d5 | 3672 | free(b); |
6fbf66fa JY |
3673 | } |
3674 | } | |
3675 | ||
3676 | /* | |
3677 | * Now that we know all frame parameters, initialize | |
3678 | * our buffers. | |
3679 | */ | |
3680 | static void | |
81d882d5 | 3681 | do_init_buffers(struct context *c) |
6fbf66fa | 3682 | { |
81d882d5 DS |
3683 | c->c2.buffers = init_context_buffers(&c->c2.frame); |
3684 | c->c2.buffers_owned = true; | |
6fbf66fa JY |
3685 | } |
3686 | ||
3687 | #ifdef ENABLE_FRAGMENT | |
3688 | /* | |
3689 | * Fragmenting code has buffers to initialize | |
3690 | * once frame parameters are known. | |
3691 | */ | |
3692 | static void | |
81d882d5 | 3693 | do_init_fragment(struct context *c) |
6fbf66fa | 3694 | { |
81d882d5 | 3695 | ASSERT(c->options.ce.fragment); |
a3419142 AS |
3696 | |
3697 | /* | |
3698 | * Set frame parameter for fragment code. This is necessary because | |
3699 | * the fragmentation code deals with payloads which have already been | |
3700 | * passed through the compression code. | |
3701 | */ | |
3702 | c->c2.frame_fragment = c->c2.frame; | |
3703 | ||
0d969976 AS |
3704 | frame_calculate_dynamic(&c->c2.frame_fragment, &c->c1.ks.key_type, |
3705 | &c->options, get_link_socket_info(c)); | |
81d882d5 | 3706 | fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); |
6fbf66fa JY |
3707 | } |
3708 | #endif | |
3709 | ||
6fbf66fa JY |
3710 | /* |
3711 | * Allocate our socket object. | |
3712 | */ | |
3713 | static void | |
81d882d5 | 3714 | do_link_socket_new(struct context *c) |
6fbf66fa | 3715 | { |
81d882d5 DS |
3716 | ASSERT(!c->c2.link_socket); |
3717 | c->c2.link_socket = link_socket_new(); | |
3718 | c->c2.link_socket_owned = true; | |
6fbf66fa JY |
3719 | } |
3720 | ||
6fbf66fa JY |
3721 | /* |
3722 | * Print MTU INFO | |
3723 | */ | |
3724 | static void | |
81d882d5 | 3725 | do_print_data_channel_mtu_parms(struct context *c) |
6fbf66fa | 3726 | { |
81d882d5 | 3727 | frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); |
6fbf66fa | 3728 | #ifdef ENABLE_FRAGMENT |
81d882d5 DS |
3729 | if (c->c2.fragment) |
3730 | { | |
3731 | frame_print(&c->c2.frame_fragment, D_MTU_INFO, | |
3732 | "Fragmentation MTU parms"); | |
3733 | } | |
6fbf66fa JY |
3734 | #endif |
3735 | } | |
3736 | ||
6fbf66fa JY |
3737 | /* |
3738 | * Get local and remote options compatibility strings. | |
3739 | */ | |
3740 | static void | |
81d882d5 | 3741 | do_compute_occ_strings(struct context *c) |
6fbf66fa | 3742 | { |
81d882d5 | 3743 | struct gc_arena gc = gc_new(); |
6fbf66fa | 3744 | |
81d882d5 | 3745 | c->c2.options_string_local = |
dc7fcd71 AQ |
3746 | options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, |
3747 | false, &gc); | |
81d882d5 | 3748 | c->c2.options_string_remote = |
dc7fcd71 AQ |
3749 | options_string(&c->options, &c->c2.frame, c->c1.tuntap, &c->net_ctx, |
3750 | true, &gc); | |
6fbf66fa | 3751 | |
81d882d5 DS |
3752 | msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'", |
3753 | options_string_version(c->c2.options_string_local, &gc), | |
3754 | c->c2.options_string_local); | |
3755 | msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", | |
3756 | options_string_version(c->c2.options_string_remote, &gc), | |
3757 | c->c2.options_string_remote); | |
6fbf66fa | 3758 | |
81d882d5 DS |
3759 | if (c->c2.tls_multi) |
3760 | { | |
3761 | tls_multi_init_set_options(c->c2.tls_multi, | |
3762 | c->c2.options_string_local, | |
3763 | c->c2.options_string_remote); | |
3764 | } | |
6fbf66fa | 3765 | |
81d882d5 | 3766 | gc_free(&gc); |
6fbf66fa | 3767 | } |
6fbf66fa JY |
3768 | |
3769 | /* | |
3770 | * These things can only be executed once per program instantiation. | |
3771 | * Set up for possible UID/GID downgrade, but don't do it yet. | |
3772 | * Daemonize if requested. | |
3773 | */ | |
3774 | static void | |
81d882d5 | 3775 | do_init_first_time(struct context *c) |
6fbf66fa | 3776 | { |
81d882d5 | 3777 | if (c->first_time && !c->c0) |
6fbf66fa | 3778 | { |
81d882d5 | 3779 | struct context_0 *c0; |
92bbb061 | 3780 | |
81d882d5 DS |
3781 | ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc); |
3782 | c0 = c->c0; | |
6fbf66fa | 3783 | |
66f6a3b7 AS |
3784 | /* get user and/or group that we want to setuid/setgid to, |
3785 | * sets also platform_x_state */ | |
3786 | bool group_defined = platform_group_get(c->options.groupname, | |
3787 | &c0->platform_state_group); | |
3788 | bool user_defined = platform_user_get(c->options.username, | |
3789 | &c0->platform_state_user); | |
3790 | ||
3791 | c0->uid_gid_specified = user_defined || group_defined; | |
6fbf66fa | 3792 | |
81d882d5 DS |
3793 | /* perform postponed chdir if --daemon */ |
3794 | if (c->did_we_daemonize && c->options.cd_dir == NULL) | |
3795 | { | |
3796 | platform_chdir("/"); | |
3797 | } | |
3798 | ||
3799 | /* should we change scheduling priority? */ | |
3800 | platform_nice(c->options.nice); | |
6fbf66fa JY |
3801 | } |
3802 | } | |
3803 | ||
6fbf66fa JY |
3804 | /* |
3805 | * free buffers | |
3806 | */ | |
3807 | static void | |
81d882d5 | 3808 | do_close_free_buf(struct context *c) |
6fbf66fa | 3809 | { |
81d882d5 | 3810 | if (c->c2.buffers_owned) |
6fbf66fa | 3811 | { |
81d882d5 DS |
3812 | free_context_buffers(c->c2.buffers); |
3813 | c->c2.buffers = NULL; | |
3814 | c->c2.buffers_owned = false; | |
6fbf66fa JY |
3815 | } |
3816 | } | |
3817 | ||
3818 | /* | |
3819 | * close TLS | |
3820 | */ | |
3821 | static void | |
81d882d5 | 3822 | do_close_tls(struct context *c) |
6fbf66fa | 3823 | { |
81d882d5 | 3824 | if (c->c2.tls_multi) |
6fbf66fa | 3825 | { |
81d882d5 DS |
3826 | tls_multi_free(c->c2.tls_multi, true); |
3827 | c->c2.tls_multi = NULL; | |
6fbf66fa JY |
3828 | } |
3829 | ||
81d882d5 | 3830 | /* free options compatibility strings */ |
cb70cf51 AS |
3831 | free(c->c2.options_string_local); |
3832 | free(c->c2.options_string_remote); | |
3833 | ||
81d882d5 | 3834 | c->c2.options_string_local = c->c2.options_string_remote = NULL; |
07036fd3 SK |
3835 | |
3836 | if (c->c2.pulled_options_state) | |
3837 | { | |
3838 | md_ctx_cleanup(c->c2.pulled_options_state); | |
3839 | md_ctx_free(c->c2.pulled_options_state); | |
3840 | } | |
e8ecaadd AS |
3841 | |
3842 | tls_auth_standalone_free(c->c2.tls_auth_standalone); | |
6fbf66fa JY |
3843 | } |
3844 | ||
3845 | /* | |
3846 | * Free key schedules | |
3847 | */ | |
3848 | static void | |
81d882d5 | 3849 | do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) |
6fbf66fa | 3850 | { |
5817b49b | 3851 | /* |
802fcce5 | 3852 | * always free the tls_auth/crypt key. The key will |
5817b49b AQ |
3853 | * be reloaded from memory (pre-cached) |
3854 | */ | |
fb169c3b | 3855 | free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); |
5817b49b AQ |
3856 | free_key_ctx_bi(&c->c1.ks.tls_wrap_key); |
3857 | CLEAR(c->c1.ks.tls_wrap_key); | |
19dffdbd SK |
3858 | buf_clear(&c->c1.ks.tls_crypt_v2_wkc); |
3859 | free_buf(&c->c1.ks.tls_crypt_v2_wkc); | |
5817b49b | 3860 | |
802fcce5 | 3861 | if (!(c->sig->signal_received == SIGUSR1)) |
81d882d5 DS |
3862 | { |
3863 | key_schedule_free(&c->c1.ks, free_ssl_ctx); | |
3864 | } | |
6fbf66fa JY |
3865 | } |
3866 | ||
3867 | /* | |
3868 | * Close TCP/UDP connection | |
3869 | */ | |
3870 | static void | |
81d882d5 | 3871 | do_close_link_socket(struct context *c) |
6fbf66fa | 3872 | { |
3adbc5c6 AQ |
3873 | /* in dco-win case, link socket is a tun handle which is |
3874 | * closed in do_close_tun(). Set it to UNDEFINED so | |
3875 | * we won't use WinSock API to close it. */ | |
ac1d2428 | 3876 | if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket) |
3adbc5c6 AQ |
3877 | { |
3878 | c->c2.link_socket->sd = SOCKET_UNDEFINED; | |
3879 | } | |
3880 | ||
81d882d5 | 3881 | if (c->c2.link_socket && c->c2.link_socket_owned) |
6fbf66fa | 3882 | { |
81d882d5 DS |
3883 | link_socket_close(c->c2.link_socket); |
3884 | c->c2.link_socket = NULL; | |
6fbf66fa JY |
3885 | } |
3886 | ||
81d882d5 DS |
3887 | |
3888 | /* Preserve the resolved list of remote if the user request to or if we want | |
3889 | * reconnect to the same host again or there are still addresses that need | |
3890 | * to be tried */ | |
3891 | if (!(c->sig->signal_received == SIGUSR1 | |
3892 | && ( (c->options.persist_remote_ip) | |
3893 | || | |
3894 | ( c->sig->source != SIG_SOURCE_HARD | |
a5409c0d VG |
3895 | && ((c->c1.link_socket_addr.current_remote |
3896 | && c->c1.link_socket_addr.current_remote->ai_next) | |
81d882d5 DS |
3897 | || c->options.no_advance)) |
3898 | ))) | |
23d61c56 | 3899 | { |
81d882d5 | 3900 | clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); |
23d61c56 AS |
3901 | } |
3902 | ||
3903 | /* Clear the remote actual address when persist_remote_ip is not in use */ | |
3904 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) | |
81d882d5 DS |
3905 | { |
3906 | CLEAR(c->c1.link_socket_addr.actual); | |
3907 | } | |
6fbf66fa | 3908 | |
81d882d5 DS |
3909 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) |
3910 | { | |
3911 | if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) | |
3912 | { | |
3913 | freeaddrinfo(c->c1.link_socket_addr.bind_local); | |
3914 | } | |
e719a053 | 3915 | |
81d882d5 DS |
3916 | c->c1.link_socket_addr.bind_local = NULL; |
3917 | } | |
6fbf66fa JY |
3918 | } |
3919 | ||
3920 | /* | |
ccb636c7 | 3921 | * Close packet-id persistence file |
6fbf66fa JY |
3922 | */ |
3923 | static void | |
81d882d5 | 3924 | do_close_packet_id(struct context *c) |
6fbf66fa | 3925 | { |
81d882d5 DS |
3926 | packet_id_free(&c->c2.crypto_options.packet_id); |
3927 | packet_id_persist_save(&c->c1.pid_persist); | |
3928 | if (!(c->sig->signal_received == SIGUSR1)) | |
3929 | { | |
3930 | packet_id_persist_close(&c->c1.pid_persist); | |
3931 | } | |
6fbf66fa JY |
3932 | } |
3933 | ||
3934 | #ifdef ENABLE_FRAGMENT | |
3935 | /* | |
3936 | * Close fragmentation handler. | |
3937 | */ | |
3938 | static void | |
81d882d5 | 3939 | do_close_fragment(struct context *c) |
6fbf66fa | 3940 | { |
81d882d5 | 3941 | if (c->c2.fragment) |
6fbf66fa | 3942 | { |
81d882d5 DS |
3943 | fragment_free(c->c2.fragment); |
3944 | c->c2.fragment = NULL; | |
6fbf66fa JY |
3945 | } |
3946 | } | |
3947 | #endif | |
3948 | ||
3949 | /* | |
3950 | * Open and close our event objects. | |
3951 | */ | |
3952 | ||
3953 | static void | |
81d882d5 DS |
3954 | do_event_set_init(struct context *c, |
3955 | bool need_us_timeout) | |
6fbf66fa | 3956 | { |
81d882d5 | 3957 | unsigned int flags = 0; |
6fbf66fa | 3958 | |
81d882d5 | 3959 | c->c2.event_set_max = BASE_N_EVENTS; |
6fbf66fa | 3960 | |
81d882d5 | 3961 | flags |= EVENT_METHOD_FAST; |
6fbf66fa | 3962 | |
81d882d5 DS |
3963 | if (need_us_timeout) |
3964 | { | |
3965 | flags |= EVENT_METHOD_US_TIMEOUT; | |
3966 | } | |
6fbf66fa | 3967 | |
81d882d5 DS |
3968 | c->c2.event_set = event_set_init(&c->c2.event_set_max, flags); |
3969 | c->c2.event_set_owned = true; | |
6fbf66fa JY |
3970 | } |
3971 | ||
3972 | static void | |
81d882d5 | 3973 | do_close_event_set(struct context *c) |
6fbf66fa | 3974 | { |
81d882d5 | 3975 | if (c->c2.event_set && c->c2.event_set_owned) |
6fbf66fa | 3976 | { |
81d882d5 DS |
3977 | event_free(c->c2.event_set); |
3978 | c->c2.event_set = NULL; | |
3979 | c->c2.event_set_owned = false; | |
6fbf66fa JY |
3980 | } |
3981 | } | |
3982 | ||
3983 | /* | |
3984 | * Open and close --status file | |
3985 | */ | |
3986 | ||
3987 | static void | |
81d882d5 | 3988 | do_open_status_output(struct context *c) |
6fbf66fa | 3989 | { |
81d882d5 | 3990 | if (!c->c1.status_output) |
6fbf66fa | 3991 | { |
81d882d5 DS |
3992 | c->c1.status_output = status_open(c->options.status_file, |
3993 | c->options.status_file_update_freq, | |
3994 | -1, | |
3995 | NULL, | |
3996 | STATUS_OUTPUT_WRITE); | |
3997 | c->c1.status_output_owned = true; | |
6fbf66fa JY |
3998 | } |
3999 | } | |
4000 | ||
4001 | static void | |
81d882d5 | 4002 | do_close_status_output(struct context *c) |
6fbf66fa | 4003 | { |
81d882d5 | 4004 | if (!(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 4005 | { |
81d882d5 DS |
4006 | if (c->c1.status_output_owned && c->c1.status_output) |
4007 | { | |
4008 | status_close(c->c1.status_output); | |
4009 | c->c1.status_output = NULL; | |
4010 | c->c1.status_output_owned = false; | |
4011 | } | |
6fbf66fa JY |
4012 | } |
4013 | } | |
4014 | ||
4015 | /* | |
ccb636c7 | 4016 | * Handle ifconfig-pool persistence object. |
6fbf66fa JY |
4017 | */ |
4018 | static void | |
81d882d5 | 4019 | do_open_ifconfig_pool_persist(struct context *c) |
6fbf66fa | 4020 | { |
81d882d5 | 4021 | if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) |
6fbf66fa | 4022 | { |
81d882d5 DS |
4023 | c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename, |
4024 | c->options.ifconfig_pool_persist_refresh_freq); | |
4025 | c->c1.ifconfig_pool_persist_owned = true; | |
6fbf66fa | 4026 | } |
6fbf66fa JY |
4027 | } |
4028 | ||
4029 | static void | |
81d882d5 | 4030 | do_close_ifconfig_pool_persist(struct context *c) |
6fbf66fa | 4031 | { |
81d882d5 | 4032 | if (!(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 4033 | { |
81d882d5 DS |
4034 | if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) |
4035 | { | |
4036 | ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist); | |
4037 | c->c1.ifconfig_pool_persist = NULL; | |
4038 | c->c1.ifconfig_pool_persist_owned = false; | |
4039 | } | |
6fbf66fa | 4040 | } |
6fbf66fa JY |
4041 | } |
4042 | ||
4043 | /* | |
4044 | * Inherit environmental variables | |
4045 | */ | |
4046 | ||
4047 | static void | |
81d882d5 | 4048 | do_inherit_env(struct context *c, const struct env_set *src) |
6fbf66fa | 4049 | { |
81d882d5 DS |
4050 | c->c2.es = env_set_create(NULL); |
4051 | c->c2.es_owned = true; | |
4052 | env_set_inherit(c->c2.es, src); | |
6fbf66fa JY |
4053 | } |
4054 | ||
2a64816b | 4055 | static void |
81d882d5 | 4056 | do_env_set_destroy(struct context *c) |
2a64816b | 4057 | { |
81d882d5 | 4058 | if (c->c2.es && c->c2.es_owned) |
2a64816b | 4059 | { |
81d882d5 DS |
4060 | env_set_destroy(c->c2.es); |
4061 | c->c2.es = NULL; | |
4062 | c->c2.es_owned = false; | |
2a64816b JY |
4063 | } |
4064 | } | |
4065 | ||
6fbf66fa JY |
4066 | /* |
4067 | * Fast I/O setup. Fast I/O is an optimization which only works | |
4068 | * if all of the following are true: | |
4069 | * | |
4070 | * (1) The platform is not Windows | |
4071 | * (2) --proto udp is enabled | |
4072 | * (3) --shaper is disabled | |
4073 | */ | |
4074 | static void | |
81d882d5 | 4075 | do_setup_fast_io(struct context *c) |
6fbf66fa | 4076 | { |
81d882d5 | 4077 | if (c->options.fast_io) |
6fbf66fa | 4078 | { |
445b192a | 4079 | #ifdef _WIN32 |
81d882d5 | 4080 | msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); |
6fbf66fa | 4081 | #else |
81d882d5 DS |
4082 | if (!proto_is_udp(c->options.ce.proto)) |
4083 | { | |
4084 | msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); | |
4085 | } | |
4086 | else | |
4087 | { | |
81d882d5 DS |
4088 | if (c->options.shaper) |
4089 | { | |
4090 | msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); | |
4091 | } | |
4092 | else | |
81d882d5 DS |
4093 | { |
4094 | c->c2.fast_io = true; | |
4095 | } | |
4096 | } | |
6fbf66fa JY |
4097 | #endif |
4098 | } | |
4099 | } | |
4100 | ||
4101 | static void | |
81d882d5 | 4102 | do_signal_on_tls_errors(struct context *c) |
6fbf66fa | 4103 | { |
81d882d5 DS |
4104 | if (c->options.tls_exit) |
4105 | { | |
4106 | c->c2.tls_exit_signal = SIGTERM; | |
4107 | } | |
4108 | else | |
4109 | { | |
4110 | c->c2.tls_exit_signal = SIGUSR1; | |
4111 | } | |
6fbf66fa JY |
4112 | } |
4113 | ||
3c7f2f55 | 4114 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 4115 | |
3c7f2f55 | 4116 | void |
81d882d5 | 4117 | init_plugins(struct context *c) |
6fbf66fa | 4118 | { |
81d882d5 | 4119 | if (c->options.plugin_list && !c->plugins) |
e1791bb1 | 4120 | { |
81d882d5 DS |
4121 | c->plugins = plugin_list_init(c->options.plugin_list); |
4122 | c->plugins_owned = true; | |
e1791bb1 JY |
4123 | } |
4124 | } | |
4125 | ||
4126 | void | |
81d882d5 DS |
4127 | open_plugins(struct context *c, const bool import_options, int init_point) |
4128 | { | |
4129 | if (c->plugins && c->plugins_owned) | |
4130 | { | |
4131 | if (import_options) | |
4132 | { | |
4133 | struct plugin_return pr, config; | |
4134 | plugin_return_init(&pr); | |
4135 | plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); | |
4136 | plugin_return_get_column(&pr, &config, "config"); | |
4137 | if (plugin_return_defined(&config)) | |
4138 | { | |
4139 | int i; | |
4140 | for (i = 0; i < config.n; ++i) | |
4141 | { | |
4142 | unsigned int option_types_found = 0; | |
4143 | if (config.list[i] && config.list[i]->value) | |
4144 | { | |
4145 | options_string_import(&c->options, | |
4146 | config.list[i]->value, | |
4147 | D_IMPORT_ERRORS|M_OPTERR, | |
4148 | OPT_P_DEFAULT & ~OPT_P_PLUGIN, | |
4149 | &option_types_found, | |
4150 | c->es); | |
4151 | } | |
4152 | } | |
4153 | } | |
4154 | plugin_return_free(&pr); | |
4155 | } | |
4156 | else | |
4157 | { | |
4158 | plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); | |
4159 | } | |
6fbf66fa | 4160 | } |
6fbf66fa JY |
4161 | } |
4162 | ||
4163 | static void | |
81d882d5 | 4164 | do_close_plugins(struct context *c) |
6fbf66fa | 4165 | { |
81d882d5 | 4166 | if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 4167 | { |
81d882d5 DS |
4168 | plugin_list_close(c->plugins); |
4169 | c->plugins = NULL; | |
4170 | c->plugins_owned = false; | |
6fbf66fa | 4171 | } |
6fbf66fa JY |
4172 | } |
4173 | ||
3c7f2f55 | 4174 | static void |
81d882d5 | 4175 | do_inherit_plugins(struct context *c, const struct context *src) |
3c7f2f55 | 4176 | { |
81d882d5 | 4177 | if (!c->plugins && src->plugins) |
3c7f2f55 | 4178 | { |
81d882d5 DS |
4179 | c->plugins = plugin_list_inherit(src->plugins); |
4180 | c->plugins_owned = true; | |
3c7f2f55 JY |
4181 | } |
4182 | } | |
4183 | ||
81d882d5 | 4184 | #endif /* ifdef ENABLE_PLUGIN */ |
3c7f2f55 | 4185 | |
6fbf66fa JY |
4186 | #ifdef ENABLE_MANAGEMENT |
4187 | ||
4188 | static void | |
81d882d5 | 4189 | management_callback_status_p2p(void *arg, const int version, struct status_output *so) |
6fbf66fa | 4190 | { |
81d882d5 DS |
4191 | struct context *c = (struct context *) arg; |
4192 | print_status(c, so); | |
6fbf66fa JY |
4193 | } |
4194 | ||
4195 | void | |
81d882d5 | 4196 | management_show_net_callback(void *arg, const int msglevel) |
6fbf66fa | 4197 | { |
445b192a | 4198 | #ifdef _WIN32 |
81d882d5 DS |
4199 | show_routes(msglevel); |
4200 | show_adapters(msglevel); | |
4201 | msg(msglevel, "END"); | |
6fbf66fa | 4202 | #else |
81d882d5 | 4203 | msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); |
6fbf66fa JY |
4204 | #endif |
4205 | } | |
4206 | ||
30003978 AS |
4207 | #ifdef TARGET_ANDROID |
4208 | int | |
81d882d5 | 4209 | management_callback_network_change(void *arg, bool samenetwork) |
30003978 AS |
4210 | { |
4211 | /* Check if the client should translate the network change to a SIGUSR1 to | |
81d882d5 DS |
4212 | * reestablish the connection or just reprotect the socket |
4213 | * | |
4214 | * At the moment just assume that, for all settings that use pull (not | |
4215 | * --static) and are not using peer-id reestablishing the connection is | |
4216 | * required (unless the network is the same) | |
4217 | * | |
4218 | * The function returns -1 on invalid fd and -2 if the socket cannot be | |
4219 | * reused. On the -2 return value the man_network_change function triggers | |
4220 | * a SIGUSR1 to force a reconnect. | |
4221 | */ | |
4222 | ||
4223 | int socketfd = -1; | |
4224 | struct context *c = (struct context *) arg; | |
4225 | if (!c->c2.link_socket) | |
4226 | { | |
4227 | return -1; | |
4228 | } | |
4229 | if (c->c2.link_socket->sd == SOCKET_UNDEFINED) | |
4230 | { | |
4231 | return -1; | |
4232 | } | |
30003978 | 4233 | |
81d882d5 DS |
4234 | socketfd = c->c2.link_socket->sd; |
4235 | if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) | |
4236 | { | |
4237 | return socketfd; | |
4238 | } | |
4239 | else | |
4240 | { | |
4241 | return -2; | |
4242 | } | |
30003978 | 4243 | } |
81d882d5 | 4244 | #endif /* ifdef TARGET_ANDROID */ |
30003978 | 4245 | |
81d882d5 | 4246 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
4247 | |
4248 | void | |
81d882d5 | 4249 | init_management_callback_p2p(struct context *c) |
6fbf66fa JY |
4250 | { |
4251 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 DS |
4252 | if (management) |
4253 | { | |
4254 | struct management_callback cb; | |
4255 | CLEAR(cb); | |
4256 | cb.arg = c; | |
4257 | cb.status = management_callback_status_p2p; | |
4258 | cb.show_net = management_show_net_callback; | |
4259 | cb.proxy_cmd = management_callback_proxy_cmd; | |
4260 | cb.remote_cmd = management_callback_remote_cmd; | |
adb9bb91 | 4261 | cb.send_cc_message = management_callback_send_cc_message; |
30003978 | 4262 | #ifdef TARGET_ANDROID |
81d882d5 | 4263 | cb.network_change = management_callback_network_change; |
30003978 | 4264 | #endif |
12526380 SN |
4265 | cb.remote_entry_count = management_callback_remote_entry_count; |
4266 | cb.remote_entry_get = management_callback_remote_entry_get; | |
81d882d5 | 4267 | management_set_callback(management, &cb); |
6fbf66fa JY |
4268 | } |
4269 | #endif | |
4270 | } | |
4271 | ||
4272 | #ifdef ENABLE_MANAGEMENT | |
4273 | ||
4274 | void | |
91ba1add | 4275 | init_management(void) |
6fbf66fa | 4276 | { |
81d882d5 DS |
4277 | if (!management) |
4278 | { | |
4279 | management = management_init(); | |
4280 | } | |
6fbf66fa JY |
4281 | } |
4282 | ||
4283 | bool | |
81d882d5 DS |
4284 | open_management(struct context *c) |
4285 | { | |
4286 | /* initialize management layer */ | |
4287 | if (management) | |
4288 | { | |
4289 | if (c->options.management_addr) | |
4290 | { | |
4291 | unsigned int flags = c->options.management_flags; | |
4292 | if (c->options.mode == MODE_SERVER) | |
4293 | { | |
4294 | flags |= MF_SERVER; | |
4295 | } | |
4296 | if (management_open(management, | |
4297 | c->options.management_addr, | |
4298 | c->options.management_port, | |
4299 | c->options.management_user_pass, | |
4300 | c->options.management_client_user, | |
4301 | c->options.management_client_group, | |
4302 | c->options.management_log_history_cache, | |
4303 | c->options.management_echo_buffer_size, | |
4304 | c->options.management_state_buffer_size, | |
81d882d5 DS |
4305 | c->options.remap_sigusr1, |
4306 | flags)) | |
4307 | { | |
4308 | management_set_state(management, | |
4309 | OPENVPN_STATE_CONNECTING, | |
4310 | NULL, | |
4311 | NULL, | |
4312 | NULL, | |
4313 | NULL, | |
4314 | NULL); | |
4315 | } | |
4316 | ||
4317 | /* initial management hold, called early, before first context initialization */ | |
4318 | do_hold(0); | |
4319 | if (IS_SIG(c)) | |
4320 | { | |
4321 | msg(M_WARN, "Signal received from management interface, exiting"); | |
4322 | return false; | |
4323 | } | |
4324 | } | |
4325 | else | |
4326 | { | |
4327 | close_management(); | |
4328 | } | |
4329 | } | |
4330 | return true; | |
6fbf66fa JY |
4331 | } |
4332 | ||
4333 | void | |
81d882d5 | 4334 | close_management(void) |
6fbf66fa | 4335 | { |
81d882d5 | 4336 | if (management) |
6fbf66fa | 4337 | { |
81d882d5 DS |
4338 | management_close(management); |
4339 | management = NULL; | |
6fbf66fa JY |
4340 | } |
4341 | } | |
4342 | ||
81d882d5 | 4343 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
4344 | |
4345 | ||
4346 | void | |
81d882d5 | 4347 | uninit_management_callback(void) |
6fbf66fa JY |
4348 | { |
4349 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 | 4350 | if (management) |
6fbf66fa | 4351 | { |
81d882d5 | 4352 | management_clear_callback(management); |
6fbf66fa JY |
4353 | } |
4354 | #endif | |
4355 | } | |
4356 | ||
0fdbb288 SN |
4357 | void |
4358 | persist_client_stats(struct context *c) | |
4359 | { | |
4360 | #ifdef ENABLE_MANAGEMENT | |
4361 | if (management) | |
4362 | { | |
4363 | man_persist_client_stats(management, c); | |
4364 | } | |
4365 | #endif | |
4366 | } | |
4367 | ||
6fbf66fa JY |
4368 | /* |
4369 | * Initialize a tunnel instance, handle pre and post-init | |
4370 | * signal settings. | |
4371 | */ | |
4372 | void | |
81d882d5 | 4373 | init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags) |
6fbf66fa | 4374 | { |
81d882d5 DS |
4375 | pre_init_signal_catch(); |
4376 | init_instance(c, env, flags); | |
4377 | post_init_signal_catch(); | |
4378 | ||
4379 | /* | |
4380 | * This is done so that signals thrown during | |
4381 | * initialization can bring us back to | |
4382 | * a management hold. | |
4383 | */ | |
4384 | if (IS_SIG(c)) | |
d5badcf1 | 4385 | { |
81d882d5 DS |
4386 | remap_signal(c); |
4387 | uninit_management_callback(); | |
d5badcf1 | 4388 | } |
6fbf66fa JY |
4389 | } |
4390 | ||
4391 | /* | |
4392 | * Initialize a tunnel instance. | |
4393 | */ | |
4394 | void | |
81d882d5 | 4395 | init_instance(struct context *c, const struct env_set *env, const unsigned int flags) |
6fbf66fa | 4396 | { |
81d882d5 DS |
4397 | const struct options *options = &c->options; |
4398 | const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); | |
4399 | int link_socket_mode = LS_MODE_DEFAULT; | |
6fbf66fa | 4400 | |
81d882d5 DS |
4401 | /* init garbage collection level */ |
4402 | gc_init(&c->c2.gc); | |
6fbf66fa | 4403 | |
81d882d5 DS |
4404 | /* inherit environmental variables */ |
4405 | if (env) | |
4406 | { | |
4407 | do_inherit_env(c, env); | |
4408 | } | |
ac1c2f25 | 4409 | |
81d882d5 DS |
4410 | if (c->mode == CM_P2P) |
4411 | { | |
4412 | init_management_callback_p2p(c); | |
4413 | } | |
3cf6c932 | 4414 | |
81d882d5 DS |
4415 | /* possible sleep or management hold if restart */ |
4416 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3cf6c932 | 4417 | { |
81d882d5 DS |
4418 | do_startup_pause(c); |
4419 | if (IS_SIG(c)) | |
4420 | { | |
4421 | goto sig; | |
4422 | } | |
3cf6c932 JY |
4423 | } |
4424 | ||
81d882d5 | 4425 | if (c->options.resolve_in_advance) |
e719a053 | 4426 | { |
81d882d5 DS |
4427 | do_preresolve(c); |
4428 | if (IS_SIG(c)) | |
4429 | { | |
4430 | goto sig; | |
4431 | } | |
e719a053 AS |
4432 | } |
4433 | ||
c1150e5b AS |
4434 | /* Resets all values to the initial values from the config where needed */ |
4435 | pre_connect_restore(&c->options, &c->c2.gc); | |
528a78fb | 4436 | |
81d882d5 DS |
4437 | /* map in current connection entry */ |
4438 | next_connection_entry(c); | |
4e9a51d7 | 4439 | |
81d882d5 DS |
4440 | /* link_socket_mode allows CM_CHILD_TCP |
4441 | * instances to inherit acceptable fds | |
4442 | * from a top-level parent */ | |
4443 | if (c->options.ce.proto == PROTO_TCP_SERVER) | |
6fbf66fa | 4444 | { |
81d882d5 DS |
4445 | if (c->mode == CM_TOP) |
4446 | { | |
4447 | link_socket_mode = LS_MODE_TCP_LISTEN; | |
4448 | } | |
4449 | else if (c->mode == CM_CHILD_TCP) | |
4450 | { | |
4451 | link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; | |
4452 | } | |
6fbf66fa JY |
4453 | } |
4454 | ||
81d882d5 DS |
4455 | /* should we disable paging? */ |
4456 | if (c->first_time && options->mlock) | |
4457 | { | |
4458 | platform_mlockall(true); | |
4459 | } | |
6fbf66fa | 4460 | |
81d882d5 DS |
4461 | /* get passwords if undefined */ |
4462 | if (auth_retry_get() == AR_INTERACT) | |
4463 | { | |
4464 | init_query_passwords(c); | |
4465 | } | |
92bbb061 | 4466 | |
81d882d5 DS |
4467 | /* initialize context level 2 --verb/--mute parms */ |
4468 | init_verb_mute(c, IVM_LEVEL_2); | |
4469 | ||
4470 | /* set error message delay for non-server modes */ | |
4471 | if (c->mode == CM_P2P) | |
4472 | { | |
4473 | set_check_status_error_delay(P2P_ERROR_DELAY_MS); | |
4474 | } | |
6fbf66fa | 4475 | |
81d882d5 DS |
4476 | /* warn about inconsistent options */ |
4477 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4478 | { | |
4479 | do_option_warnings(c); | |
4480 | } | |
6fbf66fa | 4481 | |
3c7f2f55 | 4482 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4483 | /* initialize plugins */ |
4484 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4485 | { | |
4486 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); | |
4487 | } | |
3c7f2f55 | 4488 | #endif |
6fbf66fa | 4489 | |
81d882d5 DS |
4490 | /* should we enable fast I/O? */ |
4491 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4492 | { | |
4493 | do_setup_fast_io(c); | |
4494 | } | |
6fbf66fa | 4495 | |
81d882d5 DS |
4496 | /* should we throw a signal on TLS errors? */ |
4497 | do_signal_on_tls_errors(c); | |
6fbf66fa | 4498 | |
81d882d5 DS |
4499 | /* open --status file */ |
4500 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4501 | { | |
4502 | do_open_status_output(c); | |
4503 | } | |
6fbf66fa | 4504 | |
81d882d5 DS |
4505 | /* open --ifconfig-pool-persist file */ |
4506 | if (c->mode == CM_TOP) | |
4507 | { | |
4508 | do_open_ifconfig_pool_persist(c); | |
4509 | } | |
6fbf66fa | 4510 | |
81d882d5 DS |
4511 | /* reset OCC state */ |
4512 | if (c->mode == CM_P2P || child) | |
4513 | { | |
4514 | c->c2.occ_op = occ_reset_op(); | |
4515 | } | |
6fbf66fa | 4516 | |
81d882d5 DS |
4517 | /* our wait-for-i/o objects, different for posix vs. win32 */ |
4518 | if (c->mode == CM_P2P) | |
4519 | { | |
4520 | do_event_set_init(c, SHAPER_DEFINED(&c->options)); | |
4521 | } | |
4522 | else if (c->mode == CM_CHILD_TCP) | |
4523 | { | |
4524 | do_event_set_init(c, false); | |
4525 | } | |
6fbf66fa | 4526 | |
81d882d5 DS |
4527 | /* initialize HTTP or SOCKS proxy object at scope level 2 */ |
4528 | init_proxy(c); | |
4e9a51d7 | 4529 | |
81d882d5 DS |
4530 | /* allocate our socket object */ |
4531 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4532 | { | |
4533 | do_link_socket_new(c); | |
4534 | } | |
6fbf66fa JY |
4535 | |
4536 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4537 | /* initialize internal fragmentation object */ |
4538 | if (options->ce.fragment && (c->mode == CM_P2P || child)) | |
4539 | { | |
4540 | c->c2.fragment = fragment_init(&c->c2.frame); | |
4541 | } | |
6fbf66fa JY |
4542 | #endif |
4543 | ||
81d882d5 DS |
4544 | /* init crypto layer */ |
4545 | { | |
4546 | unsigned int crypto_flags = 0; | |
4547 | if (c->mode == CM_TOP) | |
4548 | { | |
4549 | crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; | |
4550 | } | |
4551 | else if (c->mode == CM_P2P) | |
4552 | { | |
4553 | crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; | |
4554 | } | |
4555 | else if (child) | |
4556 | { | |
4557 | crypto_flags = CF_INIT_TLS_MULTI; | |
4558 | } | |
4559 | do_init_crypto(c, crypto_flags); | |
4560 | if (IS_SIG(c) && !child) | |
4561 | { | |
4562 | goto sig; | |
4563 | } | |
4564 | } | |
6fbf66fa | 4565 | |
38d96bd7 | 4566 | #ifdef USE_COMP |
81d882d5 DS |
4567 | /* initialize compression library. */ |
4568 | if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child)) | |
4569 | { | |
4570 | c->c2.comp_context = comp_init(&options->comp); | |
4571 | } | |
6fbf66fa JY |
4572 | #endif |
4573 | ||
81d882d5 DS |
4574 | /* initialize MTU variables */ |
4575 | do_init_frame(c); | |
6fbf66fa | 4576 | |
81d882d5 DS |
4577 | /* initialize TLS MTU variables */ |
4578 | do_init_frame_tls(c); | |
6fbf66fa | 4579 | |
81d882d5 DS |
4580 | /* init workspace buffers whose size is derived from frame size */ |
4581 | if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) | |
4582 | { | |
4583 | do_init_buffers(c); | |
4584 | } | |
6fbf66fa JY |
4585 | |
4586 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4587 | /* initialize internal fragmentation capability with known frame size */ |
4588 | if (options->ce.fragment && (c->mode == CM_P2P || child)) | |
4589 | { | |
4590 | do_init_fragment(c); | |
4591 | } | |
6fbf66fa JY |
4592 | #endif |
4593 | ||
81d882d5 DS |
4594 | /* bind the TCP/UDP socket */ |
4595 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4596 | { | |
343b6119 | 4597 | link_socket_init_phase1(c, link_socket_mode); |
81d882d5 | 4598 | } |
6fbf66fa | 4599 | |
81d882d5 DS |
4600 | /* initialize tun/tap device object, |
4601 | * open tun/tap device, ifconfig, run up script, etc. */ | |
4602 | if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
4603 | { | |
e04c2536 SN |
4604 | int error_flags = 0; |
4605 | c->c2.did_open_tun = do_open_tun(c, &error_flags); | |
81d882d5 | 4606 | } |
6fbf66fa | 4607 | |
81d882d5 DS |
4608 | /* print MTU info */ |
4609 | do_print_data_channel_mtu_parms(c); | |
6fbf66fa | 4610 | |
81d882d5 DS |
4611 | /* get local and remote options compatibility strings */ |
4612 | if (c->mode == CM_P2P || child) | |
4613 | { | |
4614 | do_compute_occ_strings(c); | |
4615 | } | |
6fbf66fa | 4616 | |
81d882d5 DS |
4617 | /* initialize output speed limiter */ |
4618 | if (c->mode == CM_P2P) | |
4619 | { | |
4620 | do_init_traffic_shaper(c); | |
4621 | } | |
6fbf66fa | 4622 | |
ccb636c7 | 4623 | /* do one-time inits, and possibly become a daemon here */ |
81d882d5 | 4624 | do_init_first_time(c); |
6fbf66fa | 4625 | |
e1791bb1 | 4626 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4627 | /* initialize plugins */ |
4628 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4629 | { | |
4630 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); | |
4631 | } | |
e1791bb1 JY |
4632 | #endif |
4633 | ||
81d882d5 DS |
4634 | /* initialise connect timeout timer */ |
4635 | do_init_server_poll_timeout(c); | |
4db06290 | 4636 | |
81d882d5 DS |
4637 | /* finalize the TCP/UDP socket */ |
4638 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4639 | { | |
343b6119 | 4640 | link_socket_init_phase2(c); |
b3e97582 | 4641 | |
2d17869f AS |
4642 | |
4643 | /* Update dynamic frame calculation as exact transport socket information | |
4644 | * (IP vs IPv6) may be only available after socket phase2 has finished. | |
4645 | * This is only needed for --static or no crypto, NCP will recalculate this | |
4646 | * in tls_session_update_crypto_params (P2MP) */ | |
4647 | frame_calculate_dynamic(&c->c2.frame, &c->c1.ks.key_type, &c->options, | |
4648 | get_link_socket_info(c)); | |
4649 | } | |
0d969976 | 4650 | |
81d882d5 DS |
4651 | /* |
4652 | * Actually do UID/GID downgrade, and chroot, if requested. | |
4653 | * May be delayed by --client, --pull, or --up-delay. | |
4654 | */ | |
4655 | do_uid_gid_chroot(c, c->c2.did_open_tun); | |
6fbf66fa | 4656 | |
81d882d5 DS |
4657 | /* initialize timers */ |
4658 | if (c->mode == CM_P2P || child) | |
4659 | { | |
4660 | do_init_timers(c, false); | |
4661 | } | |
6fbf66fa | 4662 | |
e1791bb1 | 4663 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4664 | /* initialize plugins */ |
4665 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4666 | { | |
4667 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); | |
4668 | } | |
e1791bb1 JY |
4669 | #endif |
4670 | ||
6add6b2f | 4671 | #if PORT_SHARE |
81d882d5 DS |
4672 | /* share OpenVPN port with foreign (such as HTTPS) server */ |
4673 | if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
4674 | { | |
4675 | init_port_share(c); | |
4676 | } | |
6add6b2f | 4677 | #endif |
81d882d5 | 4678 | |
81d882d5 DS |
4679 | /* Check for signals */ |
4680 | if (IS_SIG(c)) | |
4681 | { | |
4682 | goto sig; | |
4683 | } | |
6fbf66fa | 4684 | |
81d882d5 | 4685 | return; |
6fbf66fa | 4686 | |
81d882d5 DS |
4687 | sig: |
4688 | if (!c->sig->signal_text) | |
4689 | { | |
4690 | c->sig->signal_text = "init_instance"; | |
4691 | } | |
4692 | close_context(c, -1, flags); | |
4693 | return; | |
6fbf66fa JY |
4694 | } |
4695 | ||
4696 | /* | |
4697 | * Close a tunnel instance. | |
4698 | */ | |
4699 | void | |
81d882d5 | 4700 | close_instance(struct context *c) |
6fbf66fa | 4701 | { |
81d882d5 DS |
4702 | /* close event objects */ |
4703 | do_close_event_set(c); | |
6fbf66fa JY |
4704 | |
4705 | if (c->mode == CM_P2P | |
81d882d5 DS |
4706 | || c->mode == CM_CHILD_TCP |
4707 | || c->mode == CM_CHILD_UDP | |
4708 | || c->mode == CM_TOP) | |
4709 | { | |
38d96bd7 | 4710 | #ifdef USE_COMP |
81d882d5 DS |
4711 | if (c->c2.comp_context) |
4712 | { | |
4713 | comp_uninit(c->c2.comp_context); | |
4714 | c->c2.comp_context = NULL; | |
4715 | } | |
6fbf66fa JY |
4716 | #endif |
4717 | ||
81d882d5 DS |
4718 | /* free buffers */ |
4719 | do_close_free_buf(c); | |
6fbf66fa | 4720 | |
b6f7b285 AQ |
4721 | /* close peer for DCO if enabled, needs peer-id so must be done before |
4722 | * closing TLS contexts */ | |
4723 | dco_remove_peer(c); | |
4724 | ||
81d882d5 DS |
4725 | /* close TLS */ |
4726 | do_close_tls(c); | |
6fbf66fa | 4727 | |
81d882d5 DS |
4728 | /* free key schedules */ |
4729 | do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP)); | |
6fbf66fa | 4730 | |
81d882d5 DS |
4731 | /* close TCP/UDP connection */ |
4732 | do_close_link_socket(c); | |
6fbf66fa | 4733 | |
81d882d5 DS |
4734 | /* close TUN/TAP device */ |
4735 | do_close_tun(c, false); | |
6fbf66fa | 4736 | |
99d217b2 | 4737 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
4738 | if (management) |
4739 | { | |
4740 | management_notify_client_close(management, &c->c2.mda_context, NULL); | |
4741 | } | |
90efcacb JY |
4742 | #endif |
4743 | ||
3c7f2f55 | 4744 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4745 | /* call plugin close functions and unload */ |
4746 | do_close_plugins(c); | |
3c7f2f55 | 4747 | #endif |
6fbf66fa | 4748 | |
ccb636c7 | 4749 | /* close packet-id persistence file */ |
81d882d5 | 4750 | do_close_packet_id(c); |
6fbf66fa | 4751 | |
81d882d5 DS |
4752 | /* close --status file */ |
4753 | do_close_status_output(c); | |
6fbf66fa JY |
4754 | |
4755 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4756 | /* close fragmentation handler */ |
4757 | do_close_fragment(c); | |
6fbf66fa JY |
4758 | #endif |
4759 | ||
81d882d5 DS |
4760 | /* close --ifconfig-pool-persist obj */ |
4761 | do_close_ifconfig_pool_persist(c); | |
6fbf66fa | 4762 | |
81d882d5 DS |
4763 | /* free up environmental variable store */ |
4764 | do_env_set_destroy(c); | |
2a64816b | 4765 | |
81d882d5 DS |
4766 | /* close HTTP or SOCKS proxy */ |
4767 | uninit_proxy(c); | |
4e9a51d7 | 4768 | |
81d882d5 DS |
4769 | /* garbage collect */ |
4770 | gc_free(&c->c2.gc); | |
4771 | } | |
6fbf66fa JY |
4772 | } |
4773 | ||
4774 | void | |
81d882d5 DS |
4775 | inherit_context_child(struct context *dest, |
4776 | const struct context *src) | |
6fbf66fa | 4777 | { |
81d882d5 | 4778 | CLEAR(*dest); |
6fbf66fa | 4779 | |
81d882d5 DS |
4780 | /* proto_is_dgram will ASSERT(0) if proto is invalid */ |
4781 | dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP; | |
6fbf66fa | 4782 | |
81d882d5 | 4783 | dest->gc = gc_new(); |
6fbf66fa | 4784 | |
81d882d5 | 4785 | ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc); |
6fbf66fa | 4786 | |
81d882d5 DS |
4787 | /* c1 init */ |
4788 | packet_id_persist_init(&dest->c1.pid_persist); | |
6fbf66fa | 4789 | |
81d882d5 DS |
4790 | dest->c1.ks.key_type = src->c1.ks.key_type; |
4791 | /* inherit SSL context */ | |
4792 | dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; | |
4793 | dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key; | |
4794 | dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type; | |
19dffdbd | 4795 | dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key; |
81d882d5 | 4796 | /* inherit pre-NCP ciphers */ |
7064ccb9 AS |
4797 | dest->options.ciphername = src->options.ciphername; |
4798 | dest->options.authname = src->options.authname; | |
81d882d5 | 4799 | |
1b9a88a2 AS |
4800 | /* inherit auth-token */ |
4801 | dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key; | |
4802 | ||
81d882d5 DS |
4803 | /* options */ |
4804 | dest->options = src->options; | |
4805 | options_detach(&dest->options); | |
4806 | ||
4807 | if (dest->mode == CM_CHILD_TCP) | |
6fbf66fa | 4808 | { |
81d882d5 DS |
4809 | /* |
4810 | * The CM_TOP context does the socket listen(), | |
4811 | * and the CM_CHILD_TCP context does the accept(). | |
4812 | */ | |
4813 | dest->c2.accept_from = src->c2.link_socket; | |
6fbf66fa JY |
4814 | } |
4815 | ||
3c7f2f55 | 4816 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4817 | /* inherit plugins */ |
4818 | do_inherit_plugins(dest, src); | |
3c7f2f55 | 4819 | #endif |
6fbf66fa | 4820 | |
81d882d5 | 4821 | /* context init */ |
a2d851d4 AQ |
4822 | |
4823 | /* inherit tun/tap interface object now as it may be required | |
4824 | * to initialize the DCO context in init_instance() | |
4825 | */ | |
4826 | dest->c1.tuntap = src->c1.tuntap; | |
4827 | ||
81d882d5 DS |
4828 | init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); |
4829 | if (IS_SIG(dest)) | |
4830 | { | |
4831 | return; | |
4832 | } | |
6fbf66fa | 4833 | |
81d882d5 DS |
4834 | /* UDP inherits some extra things which TCP does not */ |
4835 | if (dest->mode == CM_CHILD_UDP) | |
6fbf66fa | 4836 | { |
81d882d5 DS |
4837 | /* inherit buffers */ |
4838 | dest->c2.buffers = src->c2.buffers; | |
6fbf66fa | 4839 | |
81d882d5 DS |
4840 | /* inherit parent link_socket and tuntap */ |
4841 | dest->c2.link_socket = src->c2.link_socket; | |
6fbf66fa | 4842 | |
81d882d5 DS |
4843 | ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc); |
4844 | *dest->c2.link_socket_info = src->c2.link_socket->info; | |
6fbf66fa | 4845 | |
81d882d5 DS |
4846 | /* locally override some link_socket_info fields */ |
4847 | dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; | |
4848 | dest->c2.link_socket_info->connection_established = false; | |
6fbf66fa JY |
4849 | } |
4850 | } | |
4851 | ||
4852 | void | |
81d882d5 DS |
4853 | inherit_context_top(struct context *dest, |
4854 | const struct context *src) | |
6fbf66fa | 4855 | { |
81d882d5 DS |
4856 | /* copy parent */ |
4857 | *dest = *src; | |
6fbf66fa | 4858 | |
81d882d5 DS |
4859 | /* |
4860 | * CM_TOP_CLONE will prevent close_instance from freeing or closing | |
4861 | * resources owned by the parent. | |
4862 | * | |
4863 | * Also note that CM_TOP_CLONE context objects are | |
4864 | * closed by multi_top_free in multi.c. | |
4865 | */ | |
4866 | dest->mode = CM_TOP_CLONE; | |
6fbf66fa | 4867 | |
81d882d5 DS |
4868 | dest->first_time = false; |
4869 | dest->c0 = NULL; | |
6fbf66fa | 4870 | |
81d882d5 DS |
4871 | options_detach(&dest->options); |
4872 | gc_detach(&dest->gc); | |
4873 | gc_detach(&dest->c2.gc); | |
6fbf66fa | 4874 | |
81d882d5 DS |
4875 | /* detach plugins */ |
4876 | dest->plugins_owned = false; | |
3c7f2f55 | 4877 | |
81d882d5 | 4878 | dest->c2.tls_multi = NULL; |
6fbf66fa | 4879 | |
81d882d5 DS |
4880 | /* detach c1 ownership */ |
4881 | dest->c1.tuntap_owned = false; | |
4882 | dest->c1.status_output_owned = false; | |
81d882d5 | 4883 | dest->c1.ifconfig_pool_persist_owned = false; |
3c7f2f55 | 4884 | |
81d882d5 DS |
4885 | /* detach c2 ownership */ |
4886 | dest->c2.event_set_owned = false; | |
4887 | dest->c2.link_socket_owned = false; | |
4888 | dest->c2.buffers_owned = false; | |
4889 | dest->c2.es_owned = false; | |
6fbf66fa | 4890 | |
81d882d5 DS |
4891 | dest->c2.event_set = NULL; |
4892 | if (proto_is_dgram(src->options.ce.proto)) | |
4893 | { | |
4894 | do_event_set_init(dest, false); | |
4895 | } | |
38d96bd7 JY |
4896 | |
4897 | #ifdef USE_COMP | |
81d882d5 | 4898 | dest->c2.comp_context = NULL; |
38d96bd7 | 4899 | #endif |
6fbf66fa JY |
4900 | } |
4901 | ||
4902 | void | |
81d882d5 | 4903 | close_context(struct context *c, int sig, unsigned int flags) |
6fbf66fa | 4904 | { |
81d882d5 DS |
4905 | ASSERT(c); |
4906 | ASSERT(c->sig); | |
79df31c8 | 4907 | |
81d882d5 DS |
4908 | if (sig >= 0) |
4909 | { | |
05715485 | 4910 | register_signal(c->sig, sig, "close_context"); |
81d882d5 | 4911 | } |
6fbf66fa | 4912 | |
81d882d5 | 4913 | if (c->sig->signal_received == SIGUSR1) |
6fbf66fa | 4914 | { |
81d882d5 DS |
4915 | if ((flags & CC_USR1_TO_HUP) |
4916 | || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) | |
c058cbff | 4917 | { |
05715485 | 4918 | register_signal(c->sig, SIGHUP, "close_context usr1 to hup"); |
c058cbff | 4919 | } |
6fbf66fa JY |
4920 | } |
4921 | ||
81d882d5 DS |
4922 | if (!(flags & CC_NO_CLOSE)) |
4923 | { | |
4924 | close_instance(c); | |
4925 | } | |
6fbf66fa | 4926 | |
81d882d5 DS |
4927 | if (flags & CC_GC_FREE) |
4928 | { | |
4929 | context_gc_free(c); | |
4930 | } | |
6fbf66fa JY |
4931 | } |
4932 | ||
008ec688 GD |
4933 | /* Write our PID to a file */ |
4934 | void | |
4935 | write_pid_file(const char *filename, const char *chroot_dir) | |
4936 | { | |
4937 | if (filename) | |
4938 | { | |
4939 | unsigned int pid = 0; | |
4940 | FILE *fp = platform_fopen(filename, "w"); | |
4941 | if (!fp) | |
4942 | { | |
4943 | msg(M_ERR, "Open error on pid file %s", filename); | |
4944 | return; | |
4945 | } | |
4946 | ||
4947 | pid = platform_getpid(); | |
4948 | fprintf(fp, "%u\n", pid); | |
4949 | if (fclose(fp)) | |
4950 | { | |
4951 | msg(M_ERR, "Close error on pid file %s", filename); | |
4952 | } | |
4953 | ||
4954 | /* remember file name so it can be deleted "out of context" later */ | |
4955 | /* (the chroot case is more complex and not handled today) */ | |
4956 | if (!chroot_dir) | |
4957 | { | |
4958 | saved_pid_file_name = strdup(filename); | |
4959 | } | |
4960 | } | |
4961 | } | |
4962 | ||
4963 | /* remove PID file on exit, called from openvpn_exit() */ | |
4964 | void | |
4965 | remove_pid_file(void) | |
4966 | { | |
4967 | if (saved_pid_file_name) | |
4968 | { | |
4969 | platform_unlink(saved_pid_file_name); | |
4970 | } | |
4971 | } | |
4972 | ||
4973 | ||
6fbf66fa JY |
4974 | /* |
4975 | * Do a loopback test | |
4976 | * on the crypto subsystem. | |
4977 | */ | |
4978 | static void * | |
81d882d5 | 4979 | test_crypto_thread(void *arg) |
6fbf66fa | 4980 | { |
81d882d5 DS |
4981 | struct context *c = (struct context *) arg; |
4982 | const struct options *options = &c->options; | |
6fbf66fa | 4983 | |
81d882d5 DS |
4984 | ASSERT(options->test_crypto); |
4985 | init_verb_mute(c, IVM_LEVEL_1); | |
4986 | context_init_1(c); | |
4987 | next_connection_entry(c); | |
4988 | do_init_crypto_static(c, 0); | |
6fbf66fa | 4989 | |
81d882d5 | 4990 | frame_finalize_options(c, options); |
6fbf66fa | 4991 | |
81d882d5 | 4992 | test_crypto(&c->c2.crypto_options, &c->c2.frame); |
6fbf66fa | 4993 | |
81d882d5 DS |
4994 | key_schedule_free(&c->c1.ks, true); |
4995 | packet_id_free(&c->c2.crypto_options.packet_id); | |
6fbf66fa | 4996 | |
81d882d5 DS |
4997 | context_gc_free(c); |
4998 | return NULL; | |
6fbf66fa JY |
4999 | } |
5000 | ||
6fbf66fa | 5001 | bool |
81d882d5 | 5002 | do_test_crypto(const struct options *o) |
6fbf66fa | 5003 | { |
81d882d5 | 5004 | if (o->test_crypto) |
6fbf66fa | 5005 | { |
81d882d5 | 5006 | struct context c; |
6fbf66fa | 5007 | |
81d882d5 DS |
5008 | /* print version number */ |
5009 | msg(M_INFO, "%s", title_string); | |
6fbf66fa | 5010 | |
81d882d5 DS |
5011 | context_clear(&c); |
5012 | c.options = *o; | |
5013 | options_detach(&c.options); | |
5014 | c.first_time = true; | |
5015 | test_crypto_thread((void *) &c); | |
5016 | return true; | |
6fbf66fa | 5017 | } |
81d882d5 | 5018 | return false; |
6fbf66fa | 5019 | } |