2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
42 #include "occ-inline.h"
45 * Crypto initialization flags
47 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
48 #define CF_INIT_TLS_MULTI (1<<1)
49 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
51 static void do_init_first_time (struct context
*c
);
54 context_clear (struct context
*c
)
60 context_clear_1 (struct context
*c
)
66 context_clear_2 (struct context
*c
)
72 context_clear_all_except_first_time (struct context
*c
)
74 const bool first_time_save
= c
->first_time
;
75 const struct context_persist cpsave
= c
->persist
;
77 c
->first_time
= first_time_save
;
82 * Should be called after options->ce is modified at the top
83 * of a SIGUSR1 restart.
86 update_options_ce_post (struct options
*options
)
90 * In pull mode, we usually import --ping/--ping-restart parameters from
91 * the server. However we should also set an initial default --ping-restart
92 * for the period of time before we pull the --ping-restart parameter
96 && options
->ping_rec_timeout_action
== PING_UNDEF
97 && options
->ce
.proto
== PROTO_UDPv4
)
99 options
->ping_rec_timeout
= PRE_PULL_INITIAL_PING_RESTART
;
100 options
->ping_rec_timeout_action
= PING_RESTART
;
105 * Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
107 if (link_socket_proto_connection_oriented (options
->ce
.proto
))
108 options
->replay_window
= options
->replay_time
= 0;
113 * Initialize and possibly randomize connection list.
116 init_connection_list (struct context
*c
)
118 #ifdef ENABLE_CONNECTION
119 struct connection_list
*l
= c
->options
.connection_list
;
123 if (c
->options
.remote_random
)
126 for (i
= 0; i
< l
->len
; ++i
)
128 const int j
= get_random () % l
->len
;
131 struct connection_entry
*tmp
;
133 l
->array
[i
] = l
->array
[j
];
143 * Increment to next connection entry
146 next_connection_entry (struct context
*c
)
148 #ifdef ENABLE_CONNECTION
149 struct connection_list
*l
= c
->options
.connection_list
;
152 if (l
->no_advance
&& l
->current
>= 0)
154 l
->no_advance
= false;
159 if (++l
->current
>= l
->len
)
162 dmsg (D_CONNECTION_LIST
, "CONNECTION_LIST len=%d current=%d",
164 for (i
= 0; i
< l
->len
; ++i
)
166 dmsg (D_CONNECTION_LIST
, "[%d] %s:%d",
169 l
->array
[i
]->remote_port
);
172 c
->options
.ce
= *l
->array
[l
->current
];
175 update_options_ce_post (&c
->options
);
179 * Query for private key and auth-user-pass username/passwords
182 init_query_passwords (struct context
*c
)
184 #if defined(USE_CRYPTO) && defined(USE_SSL)
185 /* Certificate password input */
186 if (c
->options
.key_pass_file
)
187 pem_password_setup (c
->options
.key_pass_file
);
191 /* Auth user/pass input */
192 if (c
->options
.auth_user_pass_file
)
193 auth_user_pass_setup (c
->options
.auth_user_pass_file
);
198 * Initialize/Uninitialize HTTP or SOCKS proxy
201 #ifdef GENERAL_PROXY_SUPPORT
204 proxy_scope (struct context
*c
)
206 return connection_list_defined (&c
->options
) ? 2 : 1;
210 uninit_proxy_dowork (struct context
*c
)
212 #ifdef ENABLE_HTTP_PROXY
213 if (c
->c1
.http_proxy_owned
&& c
->c1
.http_proxy
)
215 http_proxy_close (c
->c1
.http_proxy
);
216 c
->c1
.http_proxy
= NULL
;
217 c
->c1
.http_proxy_owned
= false;
221 if (c
->c1
.socks_proxy_owned
&& c
->c1
.socks_proxy
)
223 socks_proxy_close (c
->c1
.socks_proxy
);
224 c
->c1
.socks_proxy
= NULL
;
225 c
->c1
.socks_proxy_owned
= false;
231 init_proxy_dowork (struct context
*c
)
233 #ifdef ENABLE_HTTP_PROXY
234 bool did_http
= false;
236 const bool did_http
= false;
239 uninit_proxy_dowork (c
);
241 #ifdef ENABLE_HTTP_PROXY
242 if (c
->options
.ce
.http_proxy_options
|| c
->options
.auto_proxy_info
)
244 /* Possible HTTP proxy user/pass input */
245 c
->c1
.http_proxy
= http_proxy_new (c
->options
.ce
.http_proxy_options
,
246 c
->options
.auto_proxy_info
);
247 if (c
->c1
.http_proxy
)
250 c
->c1
.http_proxy_owned
= true;
256 if (!did_http
&& (c
->options
.ce
.socks_proxy_server
|| c
->options
.auto_proxy_info
))
258 c
->c1
.socks_proxy
= socks_proxy_new (c
->options
.ce
.socks_proxy_server
,
259 c
->options
.ce
.socks_proxy_port
,
260 c
->options
.ce
.socks_proxy_retry
,
261 c
->options
.auto_proxy_info
);
262 if (c
->c1
.socks_proxy
)
264 c
->c1
.socks_proxy_owned
= true;
271 init_proxy (struct context
*c
, const int scope
)
273 if (scope
== proxy_scope (c
))
274 init_proxy_dowork (c
);
278 uninit_proxy (struct context
*c
)
280 if (c
->sig
->signal_received
!= SIGUSR1
|| proxy_scope (c
) == 2)
281 uninit_proxy_dowork (c
);
287 init_proxy (struct context
*c
, const int scope
)
292 uninit_proxy (struct context
*c
)
299 context_init_1 (struct context
*c
)
303 packet_id_persist_init (&c
->c1
.pid_persist
);
305 init_connection_list (c
);
307 init_query_passwords (c
);
309 #if defined(ENABLE_PKCS11)
312 pkcs11_initialize (true, c
->options
.pkcs11_pin_cache_period
);
313 for (i
=0;i
<MAX_PARMS
&& c
->options
.pkcs11_providers
[i
] != NULL
;i
++)
314 pkcs11_addProvider (c
->options
.pkcs11_providers
[i
], c
->options
.pkcs11_protected_authentication
[i
],
315 c
->options
.pkcs11_private_mode
[i
], c
->options
.pkcs11_cert_private
[i
]);
319 #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
322 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
326 strcpy (up
.username
, "Please insert your cryptographic token"); /* put the high-level message in up.username */
327 get_user_pass (&up
, NULL
, "token-insertion-request", GET_USER_PASS_MANAGEMENT
|GET_USER_PASS_NEED_OK
);
328 msg (M_INFO
, "RET:%s", up
.password
); /* will return the third argument to management interface
329 'needok' command, usually 'ok' or 'cancel'. */
333 /* initialize HTTP or SOCKS proxy object at scope level 1 */
338 context_gc_free (struct context
*c
)
341 gc_free (&c
->options
.gc
);
348 close_port_share (void)
352 port_share_close (port_share
);
358 init_port_share (struct context
*c
)
360 if (!port_share
&& (c
->options
.port_share_host
&& c
->options
.port_share_port
))
362 port_share
= port_share_open (c
->options
.port_share_host
,
363 c
->options
.port_share_port
);
364 if (port_share
== NULL
)
365 msg (M_FATAL
, "Fatal error: Port sharing failed");
374 /* configure_path (); */
376 #if defined(USE_CRYPTO) && defined(DMALLOC)
377 openssl_dmalloc_init ();
380 init_random_seed (); /* init random() function, only used as
381 source for weak random numbers */
382 error_reset (); /* initialize error.c */
383 reset_check_status (); /* initialize status check code in socket.c */
389 #ifdef OPENVPN_DEBUG_COMMAND_LINE
392 for (i
= 0; i
< argc
; ++i
)
393 msg (M_INFO
, "argv[%d] = '%s'", i
, argv
[i
]);
402 /* init PRNG used for IV generation */
403 /* When forking, copy this to more places in the code to avoid fork
404 random-state predictability */
409 packet_id_interactive_test (); /* test the sequence number code */
423 #ifdef IFCONFIG_POOL_TEST
424 ifconfig_pool_test (0x0A010004, 0x0A0100FF);
428 #ifdef CHARACTER_CLASS_DEBUG
429 character_class_debug ();
433 #ifdef EXTRACT_X509_FIELD_TEST
434 extract_x509_field_test ();
445 struct gc_arena gc
= gc_new ();
446 const char *fn
= gen_path ("foo",
455 #ifdef STATUS_PRINTF_TEST
457 struct gc_arena gc
= gc_new ();
458 const char *tmp_file
= create_temp_filename ("/tmp", "foo", &gc
);
459 struct status_output
*so
= status_open (tmp_file
, 0, -1, NULL
, STATUS_OUTPUT_WRITE
);
460 status_printf (so
, "%s", "foo");
461 status_printf (so
, "%s", "bar");
462 if (!status_close (so
))
463 msg (M_WARN
, "STATUS_PRINTF_TEST: %s: write error", tmp_file
);
471 void argv_test (void);
479 struct gc_arena gc
= gc_new ();
482 prng_init ("sha1", 16);
483 //prng_init (NULL, 0);
484 const int factor
= 1;
485 for (i
= 0; i
< factor
* 8; ++i
)
488 prng_bytes (rndbuf
, sizeof (rndbuf
));
490 ASSERT(RAND_bytes (rndbuf
, sizeof (rndbuf
)));
492 printf ("[%d] %s\n", i
, format_hex (rndbuf
, sizeof (rndbuf
), 0, &gc
));
506 openvpn_thread_cleanup ();
520 #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
521 show_tls_performance_stats ();
526 init_verb_mute (struct context
*c
, unsigned int flags
)
528 if (flags
& IVM_LEVEL_1
)
530 /* set verbosity and mute levels */
531 set_check_status (D_LINK_ERRORS
, D_READ_WRITE
);
532 set_debug_level (c
->options
.verbosity
, SDL_CONSTRAIN
);
533 set_mute_cutoff (c
->options
.mute
);
536 /* special D_LOG_RW mode */
537 if (flags
& IVM_LEVEL_2
)
538 c
->c2
.log_rw
= (check_debug_level (D_LOG_RW
) && !check_debug_level (D_LOG_RW
+ 1));
542 * Possibly set --dev based on --dev-node.
543 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
547 init_options_dev (struct options
*options
)
550 options
->dev
= openvpn_basename (options
->dev_node
);
554 print_openssl_info (const struct options
*options
)
557 * OpenSSL info print mode?
560 if (options
->show_ciphers
|| options
->show_digests
|| options
->show_engines
562 || options
->show_tls_ciphers
566 if (options
->show_ciphers
)
567 show_available_ciphers ();
568 if (options
->show_digests
)
569 show_available_digests ();
570 if (options
->show_engines
)
571 show_available_engines ();
573 if (options
->show_tls_ciphers
)
574 show_available_tls_ciphers ();
583 * Static pre-shared key generation mode?
586 do_genkey (const struct options
* options
)
593 notnull (options
->shared_secret_file
,
594 "shared secret output file (--secret)");
596 if (options
->mlock
) /* should we disable paging? */
599 nbits_written
= write_key_file (2, options
->shared_secret_file
);
601 msg (D_GENKEY
| M_NOPREFIX
,
602 "Randomly generated %d bit key written to %s", nbits_written
,
603 options
->shared_secret_file
);
611 * Persistent TUN/TAP device management mode?
614 do_persist_tuntap (const struct options
*options
)
617 if (options
->persist_config
)
619 /* sanity check on options for --mktun or --rmtun */
620 notnull (options
->dev
, "TUN/TAP device (--dev)");
621 if (options
->ce
.remote
|| options
->ifconfig_local
622 || options
->ifconfig_remote_netmask
624 || options
->shared_secret_file
626 || options
->tls_server
|| options
->tls_client
630 msg (M_FATAL
|M_OPTERR
,
631 "options --mktun or --rmtun should only be used together with --dev");
632 tuncfg (options
->dev
, options
->dev_type
, options
->dev_node
,
633 options
->tun_ipv6
, options
->persist_mode
,
634 options
->username
, options
->groupname
, &options
->tuntap_options
);
635 if (options
->persist_mode
&& options
->lladdr
)
636 set_lladdr(options
->dev
, options
->lladdr
, NULL
);
644 * Should we become a daemon?
645 * Return true if we did it.
648 possibly_become_daemon (const struct options
*options
, const bool first_time
)
651 if (first_time
&& options
->daemon
)
653 ASSERT (!options
->inetd
);
654 if (daemon (options
->cd_dir
!= NULL
, options
->log
) < 0)
655 msg (M_ERR
, "daemon() failed");
656 restore_signal_state ();
658 set_std_files_to_null (true);
660 #if defined(ENABLE_PKCS11)
670 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
673 do_uid_gid_chroot (struct context
*c
, bool no_delay
)
675 static const char why_not
[] = "will be delayed because of --client, --pull, or --up-delay";
676 struct context_0
*c0
= c
->c0
;
678 if (c
->first_time
&& c0
&& !c0
->uid_gid_set
)
680 /* chroot if requested */
681 if (c
->options
.chroot_dir
)
684 do_chroot (c
->options
.chroot_dir
);
686 msg (M_INFO
, "NOTE: chroot %s", why_not
);
689 /* set user and/or group that we want to setuid/setgid to */
692 set_group (&c0
->group_state
);
693 set_user (&c0
->user_state
);
694 c0
->uid_gid_set
= true;
696 else if (c0
->uid_gid_specified
)
698 msg (M_INFO
, "NOTE: UID/GID downgrade %s", why_not
);
702 /* Apply a SELinux context in order to restrict what OpenVPN can do
703 * to _only_ what it is supposed to do after initialization is complete
704 * (basically just network I/O operations). Doing it after chroot
705 * requires /proc to be mounted in the chroot (which is annoying indeed
706 * but doing it before requires more complex SELinux policies.
708 if (c
->options
.selinux_context
)
711 if (-1 == setcon (c
->options
.selinux_context
))
712 msg (M_ERR
, "setcon to '%s' failed; is /proc accessible?", c
->options
.selinux_context
);
714 msg (M_INFO
, "setcon to '%s' succeeded", c
->options
.selinux_context
);
717 msg (M_INFO
, "NOTE: setcon %s", why_not
);
724 * Return common name in a way that is formatted for
725 * prepending to msg() output.
728 format_common_name (struct context
*c
, struct gc_arena
*gc
)
730 struct buffer out
= alloc_buf_gc (256, gc
);
731 #if defined(USE_CRYPTO) && defined(USE_SSL)
734 buf_printf (&out
, "[%s] ", tls_common_name (c
->c2
.tls_multi
, false));
741 pre_setup (const struct options
*options
)
744 if (options
->exit_event_name
)
746 win32_signal_open (&win32_signal
,
748 options
->exit_event_name
,
749 options
->exit_event_initial_state
);
753 win32_signal_open (&win32_signal
,
758 /* put a title on the top window bar */
759 if (win32_signal
.mode
== WSO_MODE_CONSOLE
)
761 window_title_save (&window_title
);
762 window_title_generate (options
->config
);
769 reset_coarse_timers (struct context
*c
)
771 c
->c2
.coarse_timer_wakeup
= 0;
778 do_init_timers (struct context
*c
, bool deferred
)
781 reset_coarse_timers (c
);
783 /* initialize inactivity timeout */
784 if (c
->options
.inactivity_timeout
)
785 event_timeout_init (&c
->c2
.inactivity_interval
, c
->options
.inactivity_timeout
, now
);
787 /* initialize pings */
789 if (c
->options
.ping_send_timeout
)
790 event_timeout_init (&c
->c2
.ping_send_interval
, c
->options
.ping_send_timeout
, 0);
792 if (c
->options
.ping_rec_timeout
)
793 event_timeout_init (&c
->c2
.ping_rec_interval
, c
->options
.ping_rec_timeout
, now
);
796 if (c
->options
.server_poll_timeout
)
797 event_timeout_init (&c
->c2
.server_poll_interval
, c
->options
.server_poll_timeout
, now
);
802 /* initialize connection establishment timer */
803 event_timeout_init (&c
->c2
.wait_for_connect
, 1, now
);
806 /* initialize occ timers */
810 && c
->c2
.options_string_local
&& c
->c2
.options_string_remote
)
811 event_timeout_init (&c
->c2
.occ_interval
, OCC_INTERVAL_SECONDS
, now
);
813 if (c
->options
.mtu_test
)
814 event_timeout_init (&c
->c2
.occ_mtu_load_test_interval
, OCC_MTU_LOAD_INTERVAL_SECONDS
, now
);
817 /* initialize packet_id persistence timer */
819 if (c
->options
.packet_id_file
)
820 event_timeout_init (&c
->c2
.packet_id_persist_interval
, 60, now
);
823 #if defined(USE_CRYPTO) && defined(USE_SSL)
824 /* initialize tmp_int optimization that limits the number of times we call
825 tls_multi_process in the main event loop */
826 interval_init (&c
->c2
.tmp_int
, TLS_MULTI_HORIZON
, TLS_MULTI_REFRESH
);
832 * Initialize traffic shaper.
835 do_init_traffic_shaper (struct context
*c
)
837 #ifdef HAVE_GETTIMEOFDAY
838 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
839 if (c
->options
.shaper
)
841 shaper_init (&c
->c2
.shaper
, c
->options
.shaper
);
842 shaper_msg (&c
->c2
.shaper
);
848 * Allocate a route list structure if at least one
849 * --route option was specified.
852 do_alloc_route_list (struct context
*c
)
854 if (c
->options
.routes
&& !c
->c1
.route_list
)
855 c
->c1
.route_list
= new_route_list (c
->options
.max_routes
, &c
->gc
);
860 * Initialize the route list, resolving any DNS names in route
861 * options and saving routes in the environment.
864 do_init_route_list (const struct options
*options
,
865 struct route_list
*route_list
,
866 const struct link_socket_info
*link_socket_info
,
870 const char *gw
= NULL
;
871 int dev
= dev_type_enum (options
->dev
, options
->dev_type
);
874 if (dev
== DEV_TYPE_TUN
&& (options
->topology
== TOP_NET30
|| options
->topology
== TOP_P2P
))
875 gw
= options
->ifconfig_remote_netmask
;
876 if (options
->route_default_gateway
)
877 gw
= options
->route_default_gateway
;
878 if (options
->route_default_metric
)
879 metric
= options
->route_default_metric
;
881 if (!init_route_list (route_list
,
885 link_socket_current_remote (link_socket_info
),
889 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR
); /* exit point */
893 /* copy routes to environment */
894 setenv_routes (es
, route_list
);
899 * Called after all initialization has been completed.
902 initialization_sequence_completed (struct context
*c
, const unsigned int flags
)
904 static const char message
[] = "Initialization Sequence Completed";
906 /* If we delayed UID/GID downgrade or chroot, do it now */
907 do_uid_gid_chroot (c
, true);
910 if (flags
& ISC_ERRORS
)
913 show_routes (M_INFO
|M_NOPREFIX
);
914 show_adapters (M_INFO
|M_NOPREFIX
);
915 msg (M_INFO
, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message
);
917 msg (M_INFO
, "%s With Errors", message
);
921 msg (M_INFO
, "%s", message
);
923 /* Flag connection_list that we initialized */
924 if ((flags
& (ISC_ERRORS
|ISC_SERVER
)) == 0 && connection_list_defined (&c
->options
))
925 connection_list_set_no_advance (&c
->options
);
927 #ifdef ENABLE_MANAGEMENT
928 /* Tell management interface that we initialized */
931 in_addr_t tun_local
= 0;
932 in_addr_t tun_remote
= 0; /* FKS */
933 const char *detail
= "SUCCESS";
935 tun_local
= c
->c1
.tuntap
->local
;
936 tun_remote
= htonl (c
->c1
.link_socket_addr
.actual
.dest
.sa
.sin_addr
.s_addr
);
937 if (flags
& ISC_ERRORS
)
939 management_set_state (management
,
940 OPENVPN_STATE_CONNECTED
,
945 management_post_tunnel_open (management
, tun_local
);
952 * Possibly add routes and/or call route-up script
956 do_route (const struct options
*options
,
957 struct route_list
*route_list
,
958 const struct tuntap
*tt
,
959 const struct plugin_list
*plugins
,
962 if (!options
->route_noexec
&& route_list
)
963 add_routes (route_list
, tt
, ROUTE_OPTION_FLAGS (options
), es
);
965 if (plugin_defined (plugins
, OPENVPN_PLUGIN_ROUTE_UP
))
967 if (plugin_call (plugins
, OPENVPN_PLUGIN_ROUTE_UP
, NULL
, NULL
, es
) != OPENVPN_PLUGIN_FUNC_SUCCESS
)
968 msg (M_WARN
, "WARNING: route-up plugin call failed");
971 if (options
->route_script
)
973 struct argv argv
= argv_new ();
974 setenv_str (es
, "script_type", "route-up");
975 argv_printf (&argv
, "%sc", options
->route_script
);
976 openvpn_execve_check (&argv
, es
, S_SCRIPT
, "Route script failed");
981 if (options
->show_net_up
)
983 show_routes (M_INFO
|M_NOPREFIX
);
984 show_adapters (M_INFO
|M_NOPREFIX
);
986 else if (check_debug_level (D_SHOW_NET
))
988 show_routes (D_SHOW_NET
|M_NOPREFIX
);
989 show_adapters (D_SHOW_NET
|M_NOPREFIX
);
995 * Save current pulled options string in the c1 context store, so we can
996 * compare against it after possible future restarts.
1000 save_pulled_options_digest (struct context
*c
, const struct md5_digest
*newdigest
)
1003 c
->c1
.pulled_options_digest_save
= *newdigest
;
1005 md5_digest_clear (&c
->c1
.pulled_options_digest_save
);
1010 * initialize tun/tap device object
1013 do_init_tun (struct context
*c
)
1015 c
->c1
.tuntap
= init_tun (c
->options
.dev
,
1016 c
->options
.dev_type
,
1017 c
->options
.topology
,
1018 c
->options
.ifconfig_local
,
1019 c
->options
.ifconfig_remote_netmask
,
1020 addr_host (&c
->c1
.link_socket_addr
.local
),
1021 addr_host (&c
->c1
.link_socket_addr
.remote
),
1022 !c
->options
.ifconfig_nowarn
,
1025 init_tun_post (c
->c1
.tuntap
,
1027 &c
->options
.tuntap_options
);
1029 c
->c1
.tuntap_owned
= true;
1033 * Open tun/tap device, ifconfig, call up script, etc.
1037 do_open_tun (struct context
*c
)
1039 struct gc_arena gc
= gc_new ();
1042 c
->c2
.ipv4_tun
= (!c
->options
.tun_ipv6
1043 && is_dev_type (c
->options
.dev
, c
->options
.dev_type
, "tun"));
1047 /* initialize (but do not open) tun/tap object */
1050 /* allocate route list structure */
1051 do_alloc_route_list (c
);
1053 /* parse and resolve the route option list */
1054 if (c
->options
.routes
&& c
->c1
.route_list
&& c
->c2
.link_socket
)
1055 do_init_route_list (&c
->options
, c
->c1
.route_list
, &c
->c2
.link_socket
->info
, false, c
->c2
.es
);
1058 if (!c
->options
.ifconfig_noexec
1059 && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN
)
1061 /* guess actual tun/tap unit number that will be returned
1063 const char *guess
= guess_tuntap_dev (c
->options
.dev
,
1064 c
->options
.dev_type
,
1065 c
->options
.dev_node
,
1067 do_ifconfig (c
->c1
.tuntap
, guess
, TUN_MTU_SIZE (&c
->c2
.frame
), c
->c2
.es
);
1070 /* open the tun device */
1071 open_tun (c
->options
.dev
, c
->options
.dev_type
, c
->options
.dev_node
,
1072 c
->options
.tun_ipv6
, c
->c1
.tuntap
);
1074 /* set the hardware address */
1075 if (c
->options
.lladdr
)
1076 set_lladdr(c
->c1
.tuntap
->actual_name
, c
->options
.lladdr
, c
->c2
.es
);
1079 if (!c
->options
.ifconfig_noexec
1080 && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN
)
1082 do_ifconfig (c
->c1
.tuntap
, c
->c1
.tuntap
->actual_name
, TUN_MTU_SIZE (&c
->c2
.frame
), c
->c2
.es
);
1085 /* run the up script */
1086 run_up_down (c
->options
.up_script
,
1089 c
->c1
.tuntap
->actual_name
,
1090 TUN_MTU_SIZE (&c
->c2
.frame
),
1091 EXPANDED_SIZE (&c
->c2
.frame
),
1092 print_in_addr_t (c
->c1
.tuntap
->local
, IA_EMPTY_IF_UNDEF
, &gc
),
1093 print_in_addr_t (c
->c1
.tuntap
->remote_netmask
, IA_EMPTY_IF_UNDEF
, &gc
),
1099 /* possibly add routes */
1100 if (!c
->options
.route_delay_defined
)
1101 do_route (&c
->options
, c
->c1
.route_list
, c
->c1
.tuntap
, c
->plugins
, c
->c2
.es
);
1104 * Did tun/tap driver give us an MTU?
1106 if (c
->c1
.tuntap
->post_open_mtu
)
1107 frame_set_mtu_dynamic (&c
->c2
.frame
,
1108 c
->c1
.tuntap
->post_open_mtu
,
1109 SET_MTU_TUN
| SET_MTU_UPPER_BOUND
);
1115 msg (M_INFO
, "Preserving previous TUN/TAP instance: %s",
1116 c
->c1
.tuntap
->actual_name
);
1118 /* run the up script if user specified --up-restart */
1119 if (c
->options
.up_restart
)
1120 run_up_down (c
->options
.up_script
,
1123 c
->c1
.tuntap
->actual_name
,
1124 TUN_MTU_SIZE (&c
->c2
.frame
),
1125 EXPANDED_SIZE (&c
->c2
.frame
),
1126 print_in_addr_t (c
->c1
.tuntap
->local
, IA_EMPTY_IF_UNDEF
, &gc
),
1127 print_in_addr_t (c
->c1
.tuntap
->remote_netmask
, IA_EMPTY_IF_UNDEF
, &gc
),
1138 * Close TUN/TAP device
1142 do_close_tun_simple (struct context
*c
)
1144 msg (D_CLOSE
, "Closing TUN/TAP interface");
1145 close_tun (c
->c1
.tuntap
);
1146 c
->c1
.tuntap
= NULL
;
1147 c
->c1
.tuntap_owned
= false;
1149 save_pulled_options_digest (c
, NULL
); /* delete C1-saved pulled_options_digest */
1154 do_close_tun (struct context
*c
, bool force
)
1156 struct gc_arena gc
= gc_new ();
1157 if (c
->c1
.tuntap
&& c
->c1
.tuntap_owned
)
1159 const char *tuntap_actual
= string_alloc (c
->c1
.tuntap
->actual_name
, &gc
);
1160 const in_addr_t local
= c
->c1
.tuntap
->local
;
1161 const in_addr_t remote_netmask
= c
->c1
.tuntap
->remote_netmask
;
1163 if (force
|| !(c
->sig
->signal_received
== SIGUSR1
&& c
->options
.persist_tun
))
1165 #ifdef ENABLE_MANAGEMENT
1166 /* tell management layer we are about to close the TUN/TAP device */
1168 management_pre_tunnel_close (management
);
1171 /* delete any routes we added */
1172 if (c
->c1
.route_list
)
1173 delete_routes (c
->c1
.route_list
, c
->c1
.tuntap
, ROUTE_OPTION_FLAGS (&c
->options
), c
->c2
.es
);
1175 /* actually close tun/tap device based on --down-pre flag */
1176 if (!c
->options
.down_pre
)
1177 do_close_tun_simple (c
);
1179 /* Run the down script -- note that it will run at reduced
1180 privilege if, for example, "--user nobody" was used. */
1181 run_up_down (c
->options
.down_script
,
1183 OPENVPN_PLUGIN_DOWN
,
1185 TUN_MTU_SIZE (&c
->c2
.frame
),
1186 EXPANDED_SIZE (&c
->c2
.frame
),
1187 print_in_addr_t (local
, IA_EMPTY_IF_UNDEF
, &gc
),
1188 print_in_addr_t (remote_netmask
, IA_EMPTY_IF_UNDEF
, &gc
),
1190 signal_description (c
->sig
->signal_received
,
1191 c
->sig
->signal_text
),
1195 /* actually close tun/tap device based on --down-pre flag */
1196 if (c
->options
.down_pre
)
1197 do_close_tun_simple (c
);
1201 /* run the down script on this restart if --up-restart was specified */
1202 if (c
->options
.up_restart
)
1203 run_up_down (c
->options
.down_script
,
1205 OPENVPN_PLUGIN_DOWN
,
1207 TUN_MTU_SIZE (&c
->c2
.frame
),
1208 EXPANDED_SIZE (&c
->c2
.frame
),
1209 print_in_addr_t (local
, IA_EMPTY_IF_UNDEF
, &gc
),
1210 print_in_addr_t (remote_netmask
, IA_EMPTY_IF_UNDEF
, &gc
),
1212 signal_description (c
->sig
->signal_received
,
1213 c
->sig
->signal_text
),
1222 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
1226 do_up (struct context
*c
, bool pulled_options
, unsigned int option_types_found
)
1228 if (!c
->c2
.do_up_ran
)
1230 reset_coarse_timers (c
);
1232 if (pulled_options
&& option_types_found
)
1233 do_deferred_options (c
, option_types_found
);
1235 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
1236 if (c
->options
.up_delay
|| PULL_DEFINED (&c
->options
))
1238 c
->c2
.did_open_tun
= do_open_tun (c
);
1243 * Was tun interface object persisted from previous restart iteration,
1244 * and if so did pulled options string change from previous iteration?
1246 if (!c
->c2
.did_open_tun
1247 && PULL_DEFINED (&c
->options
)
1249 && (!md5_digest_defined (&c
->c1
.pulled_options_digest_save
) || !md5_digest_defined (&c
->c2
.pulled_options_digest
)
1250 || !md5_digest_equal (&c
->c1
.pulled_options_digest_save
, &c
->c2
.pulled_options_digest
)))
1252 /* if so, close tun, delete routes, then reinitialize tun and add routes */
1253 msg (M_INFO
, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
1254 do_close_tun (c
, true);
1256 c
->c2
.did_open_tun
= do_open_tun (c
);
1262 if (c
->c2
.did_open_tun
)
1265 save_pulled_options_digest (c
, &c
->c2
.pulled_options_digest
);
1268 /* if --route-delay was specified, start timer */
1269 if (c
->options
.route_delay_defined
)
1271 event_timeout_init (&c
->c2
.route_wakeup
, c
->options
.route_delay
, now
);
1272 event_timeout_init (&c
->c2
.route_wakeup_expire
, c
->options
.route_delay
+ c
->options
.route_delay_window
, now
);
1274 tun_standby_init (c
->c1
.tuntap
);
1278 initialization_sequence_completed (c
, 0); /* client/p2p --route-delay undefined */
1281 else if (c
->options
.mode
== MODE_POINT_TO_POINT
)
1283 initialization_sequence_completed (c
, 0); /* client/p2p restart with --persist-tun */
1286 c
->c2
.do_up_ran
= true;
1291 * These are the option categories which will be accepted by pull.
1294 pull_permission_mask (const struct context
*c
)
1296 unsigned int flags
=
1298 | OPT_P_ROUTE_EXTRAS
1308 | OPT_P_EXPLICIT_NOTIFY
1312 if (!c
->options
.route_nopull
)
1313 flags
|= OPT_P_ROUTE
;
1319 * Handle non-tun-related pulled options.
1322 do_deferred_options (struct context
*c
, const unsigned int found
)
1324 if (found
& OPT_P_MESSAGES
)
1326 init_verb_mute (c
, IVM_LEVEL_1
|IVM_LEVEL_2
);
1327 msg (D_PUSH
, "OPTIONS IMPORT: --verb and/or --mute level changed");
1329 if (found
& OPT_P_TIMER
)
1331 do_init_timers (c
, true);
1332 msg (D_PUSH
, "OPTIONS IMPORT: timers and/or timeouts modified");
1336 if (found
& OPT_P_EXPLICIT_NOTIFY
)
1338 if (c
->options
.ce
.proto
!= PROTO_UDPv4
&& c
->options
.explicit_exit_notification
)
1340 msg (D_PUSH
, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
1341 c
->options
.explicit_exit_notification
= 0;
1344 msg (D_PUSH
, "OPTIONS IMPORT: explicit notify parm(s) modified");
1349 if (found
& OPT_P_COMP
)
1351 if (lzo_defined (&c
->c2
.lzo_compwork
))
1353 msg (D_PUSH
, "OPTIONS IMPORT: LZO parms modified");
1354 lzo_modify_flags (&c
->c2
.lzo_compwork
, c
->options
.lzo
);
1359 if (found
& OPT_P_SHAPER
)
1361 msg (D_PUSH
, "OPTIONS IMPORT: traffic shaper enabled");
1362 do_init_traffic_shaper (c
);
1365 if (found
& OPT_P_SOCKBUF
)
1367 msg (D_PUSH
, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
1368 link_socket_update_buffer_sizes (c
->c2
.link_socket
, c
->options
.rcvbuf
, c
->options
.sndbuf
);
1371 if (found
& OPT_P_SOCKFLAGS
)
1373 msg (D_PUSH
, "OPTIONS IMPORT: --socket-flags option modified");
1374 link_socket_update_flags (c
->c2
.link_socket
, c
->options
.sockflags
);
1377 if (found
& OPT_P_PERSIST
)
1378 msg (D_PUSH
, "OPTIONS IMPORT: --persist options modified");
1379 if (found
& OPT_P_UP
)
1380 msg (D_PUSH
, "OPTIONS IMPORT: --ifconfig/up options modified");
1381 if (found
& OPT_P_ROUTE
)
1382 msg (D_PUSH
, "OPTIONS IMPORT: route options modified");
1383 if (found
& OPT_P_ROUTE_EXTRAS
)
1384 msg (D_PUSH
, "OPTIONS IMPORT: route-related options modified");
1385 if (found
& OPT_P_IPWIN32
)
1386 msg (D_PUSH
, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
1387 if (found
& OPT_P_SETENV
)
1388 msg (D_PUSH
, "OPTIONS IMPORT: environment modified");
1392 * Possible hold on initialization
1395 do_hold (struct context
*c
)
1397 #ifdef ENABLE_MANAGEMENT
1400 /* if c is defined, daemonize before hold */
1401 if (c
&& c
->options
.daemon
&& management_should_daemonize (management
))
1402 do_init_first_time (c
);
1404 /* block until management hold is released */
1405 if (management_hold (management
))
1413 * Sleep before restart.
1416 socket_restart_pause (struct context
*c
)
1421 #ifdef ENABLE_HTTP_PROXY
1422 if (c
->options
.ce
.http_proxy_options
)
1426 if (c
->options
.ce
.socks_proxy_server
)
1430 switch (c
->options
.ce
.proto
)
1434 sec
= c
->options
.ce
.connect_retry_seconds
;
1436 case PROTO_TCPv4_SERVER
:
1439 case PROTO_TCPv4_CLIENT
:
1440 sec
= c
->options
.ce
.connect_retry_seconds
;
1445 if (GREMLIN_CONNECTION_FLOOD_LEVEL (c
->options
.gremlin
))
1450 if (auth_retry_get () == AR_NOINTERACT
)
1453 if (c
->options
.server_poll_timeout
&& sec
> 1)
1457 if (c
->persist
.restart_sleep_seconds
> 0 && c
->persist
.restart_sleep_seconds
> sec
)
1458 sec
= c
->persist
.restart_sleep_seconds
;
1459 else if (c
->persist
.restart_sleep_seconds
== -1)
1461 c
->persist
.restart_sleep_seconds
= 0;
1463 /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
1469 msg (D_RESTART
, "Restart pause, %d second(s)", sec
);
1470 openvpn_sleep (sec
);
1475 * Do a possible pause on context_2 initialization.
1478 do_startup_pause (struct context
*c
)
1481 socket_restart_pause (c
);
1483 do_hold (NULL
); /* do management hold on first context initialization */
1487 * Finalize MTU parameters based on command line or config file options.
1490 frame_finalize_options (struct context
*c
, const struct options
*o
)
1496 * Set adjustment factor for buffer alignment when no
1499 if (!CIPHER_ENABLED (c
))
1501 frame_align_to_extra_frame (&c
->c2
.frame
);
1502 frame_or_align_flags (&c
->c2
.frame
,
1503 FRAME_HEADROOM_MARKER_FRAGMENT
1504 |FRAME_HEADROOM_MARKER_READ_LINK
1505 |FRAME_HEADROOM_MARKER_READ_STREAM
);
1508 frame_finalize (&c
->c2
.frame
,
1509 o
->link_mtu_defined
,
1516 * Free a key schedule, including OpenSSL components.
1519 key_schedule_free (struct key_schedule
*ks
, bool free_ssl_ctx
)
1522 free_key_ctx_bi (&ks
->static_key
);
1524 if (ks
->ssl_ctx
&& free_ssl_ctx
)
1526 SSL_CTX_free (ks
->ssl_ctx
);
1527 free_key_ctx_bi (&ks
->tls_auth_key
);
1529 #endif /* USE_SSL */
1530 #endif /* USE_CRYPTO */
1537 init_crypto_pre (struct context
*c
, const unsigned int flags
)
1539 if (c
->options
.engine
)
1540 init_crypto_lib_engine (c
->options
.engine
);
1542 if (flags
& CF_LOAD_PERSISTED_PACKET_ID
)
1544 /* load a persisted packet-id for cross-session replay-protection */
1545 if (c
->options
.packet_id_file
)
1546 packet_id_persist_load (&c
->c1
.pid_persist
, c
->options
.packet_id_file
);
1549 /* Initialize crypto options */
1551 if (c
->options
.use_iv
)
1552 c
->c2
.crypto_options
.flags
|= CO_USE_IV
;
1554 if (c
->options
.mute_replay_warnings
)
1555 c
->c2
.crypto_options
.flags
|= CO_MUTE_REPLAY_WARNINGS
;
1559 * Static Key Mode (using a pre-shared key)
1562 do_init_crypto_static (struct context
*c
, const unsigned int flags
)
1564 const struct options
*options
= &c
->options
;
1565 ASSERT (options
->shared_secret_file
);
1567 init_crypto_pre (c
, flags
);
1569 /* Initialize packet ID tracking */
1570 if (options
->replay
)
1572 packet_id_init (&c
->c2
.packet_id
, options
->replay_window
,
1573 options
->replay_time
);
1574 c
->c2
.crypto_options
.packet_id
= &c
->c2
.packet_id
;
1575 c
->c2
.crypto_options
.pid_persist
= &c
->c1
.pid_persist
;
1576 c
->c2
.crypto_options
.flags
|= CO_PACKET_ID_LONG_FORM
;
1577 packet_id_persist_load_obj (&c
->c1
.pid_persist
,
1578 c
->c2
.crypto_options
.packet_id
);
1581 if (!key_ctx_bi_defined (&c
->c1
.ks
.static_key
))
1584 struct key_direction_state kds
;
1586 /* Get cipher & hash algorithms */
1587 init_key_type (&c
->c1
.ks
.key_type
, options
->ciphername
,
1588 options
->ciphername_defined
, options
->authname
,
1589 options
->authname_defined
, options
->keysize
,
1590 options
->test_crypto
, true);
1592 /* Read cipher and hmac keys from shared secret file */
1594 unsigned int rkf_flags
= RKF_MUST_SUCCEED
;
1595 const char *rkf_file
= options
->shared_secret_file
;
1597 #if ENABLE_INLINE_FILES
1598 if (options
->shared_secret_file_inline
)
1600 rkf_file
= options
->shared_secret_file_inline
;
1601 rkf_flags
|= RKF_INLINE
;
1604 read_key_file (&key2
, rkf_file
, rkf_flags
);
1607 /* Check for and fix highly unlikely key problems */
1608 verify_fix_key2 (&key2
, &c
->c1
.ks
.key_type
,
1609 options
->shared_secret_file
);
1611 /* Initialize OpenSSL key objects */
1612 key_direction_state_init (&kds
, options
->key_direction
);
1613 must_have_n_keys (options
->shared_secret_file
, "secret", &key2
,
1615 init_key_ctx (&c
->c1
.ks
.static_key
.encrypt
, &key2
.keys
[kds
.out_key
],
1616 &c
->c1
.ks
.key_type
, DO_ENCRYPT
, "Static Encrypt");
1617 init_key_ctx (&c
->c1
.ks
.static_key
.decrypt
, &key2
.keys
[kds
.in_key
],
1618 &c
->c1
.ks
.key_type
, DO_DECRYPT
, "Static Decrypt");
1620 /* Erase the temporary copy of key */
1625 msg (M_INFO
, "Re-using pre-shared static key");
1628 /* Get key schedule */
1629 c
->c2
.crypto_options
.key_ctx_bi
= &c
->c1
.ks
.static_key
;
1631 /* Compute MTU parameters */
1632 crypto_adjust_frame_parameters (&c
->c2
.frame
,
1634 options
->ciphername_defined
,
1635 options
->use_iv
, options
->replay
, true);
1637 /* Sanity check on IV, sequence number, and cipher mode options */
1638 check_replay_iv_consistency (&c
->c1
.ks
.key_type
, options
->replay
,
1645 * Initialize the persistent component of OpenVPN's TLS mode,
1646 * which is preserved across SIGUSR1 resets.
1649 do_init_crypto_tls_c1 (struct context
*c
)
1651 const struct options
*options
= &c
->options
;
1653 if (!c
->c1
.ks
.ssl_ctx
)
1656 * Initialize the OpenSSL library's global
1659 c
->c1
.ks
.ssl_ctx
= init_ssl (options
);
1660 if (!c
->c1
.ks
.ssl_ctx
)
1663 switch (auth_retry_get ())
1666 msg (M_FATAL
, "Error: private key password verification failed");
1671 c
->sig
->signal_received
= SIGUSR1
; /* SOFT-SIGUSR1 -- Password failure error */
1676 c
->sig
->signal_text
= "private-key-password-failure";
1679 msg (M_FATAL
, "Error: private key password verification failed");
1683 /* Get cipher & hash algorithms */
1684 init_key_type (&c
->c1
.ks
.key_type
, options
->ciphername
,
1685 options
->ciphername_defined
, options
->authname
,
1686 options
->authname_defined
, options
->keysize
, true, true);
1688 /* Initialize PRNG with config-specified digest */
1689 prng_init (options
->prng_hash
, options
->prng_nonce_secret_len
);
1691 /* TLS handshake authentication (--tls-auth) */
1692 if (options
->tls_auth_file
)
1694 unsigned int flags
= 0;
1695 const char *file
= options
->tls_auth_file
;
1697 #if ENABLE_INLINE_FILES
1698 if (options
->tls_auth_file_inline
)
1700 flags
|= GHK_INLINE
;
1701 file
= options
->tls_auth_file_inline
;
1704 get_tls_handshake_key (&c
->c1
.ks
.key_type
,
1705 &c
->c1
.ks
.tls_auth_key
,
1707 options
->key_direction
,
1711 #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
1712 if (options
->priv_key_file_inline
)
1714 string_clear (c
->options
.priv_key_file_inline
);
1715 c
->options
.priv_key_file_inline
= NULL
;
1721 msg (M_INFO
, "Re-using SSL/TLS context");
1726 do_init_crypto_tls (struct context
*c
, const unsigned int flags
)
1728 const struct options
*options
= &c
->options
;
1729 struct tls_options to
;
1730 bool packet_id_long_form
;
1732 ASSERT (options
->tls_server
|| options
->tls_client
);
1733 ASSERT (!options
->test_crypto
);
1735 init_crypto_pre (c
, flags
);
1737 /* Make sure we are either a TLS client or server but not both */
1738 ASSERT (options
->tls_server
== !options
->tls_client
);
1740 /* initialize persistent component */
1741 do_init_crypto_tls_c1 (c
);
1745 /* Sanity check on IV, sequence number, and cipher mode options */
1746 check_replay_iv_consistency (&c
->c1
.ks
.key_type
, options
->replay
,
1749 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
1750 packet_id_long_form
= cfb_ofb_mode (&c
->c1
.ks
.key_type
);
1752 /* Compute MTU parameters */
1753 crypto_adjust_frame_parameters (&c
->c2
.frame
,
1755 options
->ciphername_defined
,
1757 options
->replay
, packet_id_long_form
);
1758 tls_adjust_frame_parameters (&c
->c2
.frame
);
1760 /* Set all command-line TLS-related options */
1763 to
.crypto_flags_and
= ~(CO_PACKET_ID_LONG_FORM
);
1764 if (packet_id_long_form
)
1765 to
.crypto_flags_or
= CO_PACKET_ID_LONG_FORM
;
1767 to
.ssl_ctx
= c
->c1
.ks
.ssl_ctx
;
1768 to
.key_type
= c
->c1
.ks
.key_type
;
1769 to
.server
= options
->tls_server
;
1770 to
.key_method
= options
->key_method
;
1771 to
.replay
= options
->replay
;
1772 to
.replay_window
= options
->replay_window
;
1773 to
.replay_time
= options
->replay_time
;
1774 to
.transition_window
= options
->transition_window
;
1775 to
.handshake_window
= options
->handshake_window
;
1776 to
.packet_timeout
= options
->tls_timeout
;
1777 to
.renegotiate_bytes
= options
->renegotiate_bytes
;
1778 to
.renegotiate_packets
= options
->renegotiate_packets
;
1779 to
.renegotiate_seconds
= options
->renegotiate_seconds
;
1780 to
.single_session
= options
->single_session
;
1782 /* should we not xmit any packets until we get an initial
1783 response from client? */
1784 if (to
.server
&& options
->ce
.proto
== PROTO_TCPv4_SERVER
)
1785 to
.xmit_hold
= true;
1788 to
.disable_occ
= !options
->occ
;
1791 to
.verify_command
= options
->tls_verify
;
1792 to
.verify_x509name
= options
->tls_remote
;
1793 to
.crl_file
= options
->crl_file
;
1794 to
.ns_cert_type
= options
->ns_cert_type
;
1795 memmove (to
.remote_cert_ku
, options
->remote_cert_ku
, sizeof (to
.remote_cert_ku
));
1796 to
.remote_cert_eku
= options
->remote_cert_eku
;
1800 to
.gremlin
= c
->options
.gremlin
;
1803 to
.plugins
= c
->plugins
;
1805 #ifdef MANAGEMENT_DEF_AUTH
1806 to
.mda_context
= &c
->c2
.mda_context
;
1810 to
.auth_user_pass_verify_script
= options
->auth_user_pass_verify_script
;
1811 to
.auth_user_pass_verify_script_via_file
= options
->auth_user_pass_verify_script_via_file
;
1812 to
.tmp_dir
= options
->tmp_dir
;
1813 to
.ssl_flags
= options
->ssl_flags
;
1814 if (options
->ccd_exclusive
)
1815 to
.client_config_dir_exclusive
= options
->client_config_dir
;
1818 /* TLS handshake authentication (--tls-auth) */
1819 if (options
->tls_auth_file
)
1821 to
.tls_auth_key
= c
->c1
.ks
.tls_auth_key
;
1822 to
.tls_auth
.pid_persist
= &c
->c1
.pid_persist
;
1823 to
.tls_auth
.flags
|= CO_PACKET_ID_LONG_FORM
;
1824 crypto_adjust_frame_parameters (&to
.frame
,
1826 false, false, true, true);
1829 /* If we are running over TCP, allow for
1831 socket_adjust_frame_parameters (&to
.frame
, options
->ce
.proto
);
1834 * Initialize OpenVPN's master TLS-mode object.
1836 if (flags
& CF_INIT_TLS_MULTI
)
1837 c
->c2
.tls_multi
= tls_multi_init (&to
);
1839 if (flags
& CF_INIT_TLS_AUTH_STANDALONE
)
1840 c
->c2
.tls_auth_standalone
= tls_auth_standalone_init (&to
, &c
->c2
.gc
);
1844 do_init_finalize_tls_frame (struct context
*c
)
1846 if (c
->c2
.tls_multi
)
1848 tls_multi_init_finalize (c
->c2
.tls_multi
, &c
->c2
.frame
);
1849 ASSERT (EXPANDED_SIZE (&c
->c2
.tls_multi
->opt
.frame
) <=
1850 EXPANDED_SIZE (&c
->c2
.frame
));
1851 frame_print (&c
->c2
.tls_multi
->opt
.frame
, D_MTU_INFO
,
1852 "Control Channel MTU parms");
1854 if (c
->c2
.tls_auth_standalone
)
1856 tls_auth_standalone_finalize (c
->c2
.tls_auth_standalone
, &c
->c2
.frame
);
1857 frame_print (&c
->c2
.tls_auth_standalone
->frame
, D_MTU_INFO
,
1858 "TLS-Auth MTU parms");
1862 #endif /* USE_SSL */
1863 #endif /* USE_CRYPTO */
1867 * No encryption or authentication.
1870 do_init_crypto_none (const struct context
*c
)
1872 ASSERT (!c
->options
.test_crypto
);
1874 "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1879 do_init_crypto (struct context
*c
, const unsigned int flags
)
1882 if (c
->options
.shared_secret_file
)
1883 do_init_crypto_static (c
, flags
);
1885 else if (c
->options
.tls_server
|| c
->options
.tls_client
)
1886 do_init_crypto_tls (c
, flags
);
1888 else /* no encryption or authentication. */
1889 do_init_crypto_none (c
);
1890 #else /* USE_CRYPTO */
1892 "******* WARNING *******: " PACKAGE_NAME
1893 " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1894 #endif /* USE_CRYPTO */
1898 do_init_frame (struct context
*c
)
1902 * Initialize LZO compression library.
1904 if (c
->options
.lzo
& LZO_SELECTED
)
1906 lzo_adjust_frame_parameters (&c
->c2
.frame
);
1909 * LZO usage affects buffer alignment.
1911 if (CIPHER_ENABLED (c
))
1913 frame_add_to_align_adjust (&c
->c2
.frame
, LZO_PREFIX_LEN
);
1914 frame_or_align_flags (&c
->c2
.frame
,
1915 FRAME_HEADROOM_MARKER_FRAGMENT
1916 |FRAME_HEADROOM_MARKER_DECRYPT
);
1919 #ifdef ENABLE_FRAGMENT
1920 lzo_adjust_frame_parameters (&c
->c2
.frame_fragment_omit
); /* omit LZO frame delta from final frame_fragment */
1923 #endif /* USE_LZO */
1927 * Adjust frame size for UDP Socks support.
1929 if (c
->options
.ce
.socks_proxy_server
)
1930 socks_adjust_frame_parameters (&c
->c2
.frame
, c
->options
.ce
.proto
);
1934 * Adjust frame size based on the --tun-mtu-extra parameter.
1936 if (c
->options
.tun_mtu_extra_defined
)
1937 tun_adjust_frame_parameters (&c
->c2
.frame
, c
->options
.tun_mtu_extra
);
1940 * Adjust frame size based on link socket parameters.
1941 * (Since TCP is a stream protocol, we need to insert
1942 * a packet length uint16_t in the buffer.)
1944 socket_adjust_frame_parameters (&c
->c2
.frame
, c
->options
.ce
.proto
);
1947 * Fill in the blanks in the frame parameters structure,
1948 * make sure values are rational, etc.
1950 frame_finalize_options (c
, NULL
);
1952 #ifdef ENABLE_FRAGMENT
1954 * Set frame parameter for fragment code. This is necessary because
1955 * the fragmentation code deals with payloads which have already been
1956 * passed through the compression code.
1958 c
->c2
.frame_fragment
= c
->c2
.frame
;
1959 frame_subtract_extra (&c
->c2
.frame_fragment
, &c
->c2
.frame_fragment_omit
);
1962 #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
1966 if (c
->options
.fragment
&& c
->options
.mtu_test
)
1968 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
1971 #ifdef ENABLE_FRAGMENT
1972 if ((c
->options
.mssfix
|| c
->options
.fragment
)
1973 && TUN_MTU_SIZE (&c
->c2
.frame_fragment
) != ETHERNET_MTU
)
1975 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
1976 ETHERNET_MTU
, TUN_MTU_SIZE (&c
->c2
.frame_fragment
));
1981 do_option_warnings (struct context
*c
)
1983 const struct options
*o
= &c
->options
;
1985 #if 1 /* JYFIXME -- port warning */
1986 if (!o
->ce
.port_option_used
&& (o
->ce
.local_port
== OPENVPN_PORT
&& o
->ce
.remote_port
== OPENVPN_PORT
))
1987 msg (M_WARN
, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",
1991 if (o
->ping_send_timeout
&& !o
->ping_rec_timeout
)
1992 msg (M_WARN
, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
1994 if (o
->username
|| o
->groupname
|| o
->chroot_dir
1996 || o
->selinux_context
2000 if (!o
->persist_tun
)
2001 msg (M_WARN
, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
2003 #ifdef ENABLE_PKCS11
2007 msg (M_WARN
, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
2010 if (o
->chroot_dir
&& !(o
->username
&& o
->groupname
))
2011 msg (M_WARN
, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
2014 if (o
->pull
&& o
->ifconfig_local
&& c
->first_time
)
2015 msg (M_WARN
, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
2018 if (o
->server_bridge_defined
| o
->server_bridge_proxy_dhcp
)
2019 msg (M_WARN
, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
2021 if (o
->mode
== MODE_SERVER
)
2023 if (o
->duplicate_cn
&& o
->client_config_dir
)
2024 msg (M_WARN
, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
2025 if (o
->duplicate_cn
&& o
->ifconfig_pool_persist_filename
)
2026 msg (M_WARN
, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
2027 if (!o
->keepalive_ping
|| !o
->keepalive_timeout
)
2028 msg (M_WARN
, "WARNING: --keepalive option is missing from server config");
2035 msg (M_WARN
, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME
" less secure");
2037 msg (M_WARN
, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME
" less secure");
2041 warn_on_use_of_common_subnets ();
2045 && !(o
->ns_cert_type
& NS_SSL_SERVER
)
2046 && !o
->remote_cert_eku
)
2047 msg (M_WARN
, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
2049 msg (M_WARN
, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).");
2053 #ifndef CONNECT_NONBLOCK
2054 if (o
->ce
.connect_timeout_defined
)
2055 msg (M_WARN
, "NOTE: --connect-timeout option is not supported on this OS");
2058 if (script_security
>= SSEC_SCRIPTS
)
2059 msg (M_WARN
, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
2060 else if (script_security
>= SSEC_PW_ENV
)
2061 msg (M_WARN
, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
2063 msg (M_WARN
, "NOTE: " PACKAGE_NAME
" 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
2065 if (script_method
== SM_SYSTEM
)
2066 msg (M_WARN
, "NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion");
2070 do_init_frame_tls (struct context
*c
)
2072 #if defined(USE_CRYPTO) && defined(USE_SSL)
2073 do_init_finalize_tls_frame (c
);
2077 struct context_buffers
*
2078 init_context_buffers (const struct frame
*frame
)
2080 struct context_buffers
*b
;
2082 ALLOC_OBJ_CLEAR (b
, struct context_buffers
);
2084 b
->read_link_buf
= alloc_buf (BUF_SIZE (frame
));
2085 b
->read_tun_buf
= alloc_buf (BUF_SIZE (frame
));
2087 b
->aux_buf
= alloc_buf (BUF_SIZE (frame
));
2090 b
->encrypt_buf
= alloc_buf (BUF_SIZE (frame
));
2091 b
->decrypt_buf
= alloc_buf (BUF_SIZE (frame
));
2095 b
->lzo_compress_buf
= alloc_buf (BUF_SIZE (frame
));
2096 b
->lzo_decompress_buf
= alloc_buf (BUF_SIZE (frame
));
2103 free_context_buffers (struct context_buffers
*b
)
2107 free_buf (&b
->read_link_buf
);
2108 free_buf (&b
->read_tun_buf
);
2109 free_buf (&b
->aux_buf
);
2112 free_buf (&b
->lzo_compress_buf
);
2113 free_buf (&b
->lzo_decompress_buf
);
2117 free_buf (&b
->encrypt_buf
);
2118 free_buf (&b
->decrypt_buf
);
2126 * Now that we know all frame parameters, initialize
2130 do_init_buffers (struct context
*c
)
2132 c
->c2
.buffers
= init_context_buffers (&c
->c2
.frame
);
2133 c
->c2
.buffers_owned
= true;
2136 #ifdef ENABLE_FRAGMENT
2138 * Fragmenting code has buffers to initialize
2139 * once frame parameters are known.
2142 do_init_fragment (struct context
*c
)
2144 ASSERT (c
->options
.fragment
);
2145 frame_set_mtu_dynamic (&c
->c2
.frame_fragment
,
2146 c
->options
.fragment
, SET_MTU_UPPER_BOUND
);
2147 fragment_frame_init (c
->c2
.fragment
, &c
->c2
.frame_fragment
);
2152 * Set the --mssfix option.
2155 do_init_mssfix (struct context
*c
)
2157 if (c
->options
.mssfix
)
2159 frame_set_mtu_dynamic (&c
->c2
.frame
,
2160 c
->options
.mssfix
, SET_MTU_UPPER_BOUND
);
2165 * Allocate our socket object.
2168 do_link_socket_new (struct context
*c
)
2170 ASSERT (!c
->c2
.link_socket
);
2171 c
->c2
.link_socket
= link_socket_new ();
2172 c
->c2
.link_socket_owned
= true;
2176 * bind the TCP/UDP socket
2179 do_init_socket_1 (struct context
*c
, const int mode
)
2181 unsigned int sockflags
= c
->options
.sockflags
;
2184 if (c
->options
.port_share_host
&& c
->options
.port_share_port
)
2185 sockflags
|= SF_PORT_SHARE
;
2188 link_socket_init_phase1 (c
->c2
.link_socket
,
2189 connection_list_defined (&c
->options
),
2190 c
->options
.ce
.local
,
2191 c
->options
.ce
.local_port
,
2192 c
->options
.ce
.remote
,
2193 c
->options
.ce
.remote_port
,
2194 c
->options
.ce
.proto
,
2197 #ifdef ENABLE_HTTP_PROXY
2206 c
->options
.ce
.bind_local
,
2207 c
->options
.ce
.remote_float
,
2209 &c
->c1
.link_socket_addr
,
2210 c
->options
.ipchange
,
2212 c
->options
.resolve_retry_seconds
,
2213 c
->options
.ce
.connect_retry_seconds
,
2214 c
->options
.ce
.connect_timeout
,
2215 c
->options
.ce
.connect_retry_max
,
2216 c
->options
.mtu_discover_type
,
2223 * finalize the TCP/UDP socket
2226 do_init_socket_2 (struct context
*c
)
2228 link_socket_init_phase2 (c
->c2
.link_socket
, &c
->c2
.frame
,
2229 &c
->sig
->signal_received
);
2236 do_print_data_channel_mtu_parms (struct context
*c
)
2238 frame_print (&c
->c2
.frame
, D_MTU_INFO
, "Data Channel MTU parms");
2239 #ifdef ENABLE_FRAGMENT
2241 frame_print (&c
->c2
.frame_fragment
, D_MTU_INFO
,
2242 "Fragmentation MTU parms");
2248 * Get local and remote options compatibility strings.
2251 do_compute_occ_strings (struct context
*c
)
2253 struct gc_arena gc
= gc_new ();
2255 c
->c2
.options_string_local
=
2256 options_string (&c
->options
, &c
->c2
.frame
, c
->c1
.tuntap
, false, &gc
);
2257 c
->c2
.options_string_remote
=
2258 options_string (&c
->options
, &c
->c2
.frame
, c
->c1
.tuntap
, true, &gc
);
2260 msg (D_SHOW_OCC
, "Local Options String: '%s'", c
->c2
.options_string_local
);
2261 msg (D_SHOW_OCC
, "Expected Remote Options String: '%s'",
2262 c
->c2
.options_string_remote
);
2265 msg (D_SHOW_OCC_HASH
, "Local Options hash (VER=%s): '%s'",
2266 options_string_version (c
->c2
.options_string_local
, &gc
),
2267 md5sum ((uint8_t*)c
->c2
.options_string_local
,
2268 strlen (c
->c2
.options_string_local
), 9, &gc
));
2269 msg (D_SHOW_OCC_HASH
, "Expected Remote Options hash (VER=%s): '%s'",
2270 options_string_version (c
->c2
.options_string_remote
, &gc
),
2271 md5sum ((uint8_t*)c
->c2
.options_string_remote
,
2272 strlen (c
->c2
.options_string_remote
), 9, &gc
));
2275 #if defined(USE_CRYPTO) && defined(USE_SSL)
2276 if (c
->c2
.tls_multi
)
2277 tls_multi_init_set_options (c
->c2
.tls_multi
,
2278 c
->c2
.options_string_local
,
2279 c
->c2
.options_string_remote
);
2287 * These things can only be executed once per program instantiation.
2288 * Set up for possible UID/GID downgrade, but don't do it yet.
2289 * Daemonize if requested.
2292 do_init_first_time (struct context
*c
)
2294 if (c
->first_time
&& !c
->did_we_daemonize
&& !c
->c0
)
2296 struct context_0
*c0
;
2298 ALLOC_OBJ_CLEAR_GC (c
->c0
, struct context_0
, &c
->gc
);
2301 /* get user and/or group that we want to setuid/setgid to */
2302 c0
->uid_gid_specified
=
2303 get_group (c
->options
.groupname
, &c0
->group_state
) |
2304 get_user (c
->options
.username
, &c0
->user_state
);
2306 /* get --writepid file descriptor */
2307 get_pid_file (c
->options
.writepid
, &c0
->pid_state
);
2309 /* become a daemon if --daemon */
2310 c
->did_we_daemonize
= possibly_become_daemon (&c
->options
, c
->first_time
);
2312 /* should we disable paging? */
2313 if (c
->options
.mlock
&& c
->did_we_daemonize
)
2314 do_mlockall (true); /* call again in case we daemonized */
2316 /* save process ID in a file */
2317 write_pid (&c0
->pid_state
);
2319 /* should we change scheduling priority? */
2320 set_nice (c
->options
.nice
);
2325 * If xinetd/inetd mode, don't allow restart.
2328 do_close_check_if_restart_permitted (struct context
*c
)
2330 if (c
->options
.inetd
2331 && (c
->sig
->signal_received
== SIGHUP
2332 || c
->sig
->signal_received
== SIGUSR1
))
2334 c
->sig
->signal_received
= SIGTERM
;
2337 " started by inetd/xinetd cannot restart... Exiting.");
2345 do_close_free_buf (struct context
*c
)
2347 if (c
->c2
.buffers_owned
)
2349 free_context_buffers (c
->c2
.buffers
);
2350 c
->c2
.buffers
= NULL
;
2351 c
->c2
.buffers_owned
= false;
2359 do_close_tls (struct context
*c
)
2361 #if defined(USE_CRYPTO) && defined(USE_SSL)
2362 if (c
->c2
.tls_multi
)
2364 tls_multi_free (c
->c2
.tls_multi
, true);
2365 c
->c2
.tls_multi
= NULL
;
2369 /* free options compatibility strings */
2370 if (c
->c2
.options_string_local
)
2371 free (c
->c2
.options_string_local
);
2372 if (c
->c2
.options_string_remote
)
2373 free (c
->c2
.options_string_remote
);
2374 c
->c2
.options_string_local
= c
->c2
.options_string_remote
= NULL
;
2380 * Free key schedules
2383 do_close_free_key_schedule (struct context
*c
, bool free_ssl_ctx
)
2385 if (!(c
->sig
->signal_received
== SIGUSR1
&& c
->options
.persist_key
))
2386 key_schedule_free (&c
->c1
.ks
, free_ssl_ctx
);
2390 * Close TCP/UDP connection
2393 do_close_link_socket (struct context
*c
)
2395 if (c
->c2
.link_socket
&& c
->c2
.link_socket_owned
)
2397 link_socket_close (c
->c2
.link_socket
);
2398 c
->c2
.link_socket
= NULL
;
2401 if (!(c
->sig
->signal_received
== SIGUSR1
&& c
->options
.persist_remote_ip
))
2403 CLEAR (c
->c1
.link_socket_addr
.remote
);
2404 CLEAR (c
->c1
.link_socket_addr
.actual
);
2407 if (!(c
->sig
->signal_received
== SIGUSR1
&& c
->options
.persist_local_ip
))
2408 CLEAR (c
->c1
.link_socket_addr
.local
);
2412 * Close packet-id persistance file
2415 do_close_packet_id (struct context
*c
)
2418 packet_id_free (&c
->c2
.packet_id
);
2419 packet_id_persist_save (&c
->c1
.pid_persist
);
2420 if (!(c
->sig
->signal_received
== SIGUSR1
))
2421 packet_id_persist_close (&c
->c1
.pid_persist
);
2425 #ifdef ENABLE_FRAGMENT
2427 * Close fragmentation handler.
2430 do_close_fragment (struct context
*c
)
2434 fragment_free (c
->c2
.fragment
);
2435 c
->c2
.fragment
= NULL
;
2441 * Open and close our event objects.
2445 do_event_set_init (struct context
*c
,
2446 bool need_us_timeout
)
2448 unsigned int flags
= 0;
2450 c
->c2
.event_set_max
= BASE_N_EVENTS
;
2452 flags
|= EVENT_METHOD_FAST
;
2454 if (need_us_timeout
)
2455 flags
|= EVENT_METHOD_US_TIMEOUT
;
2457 c
->c2
.event_set
= event_set_init (&c
->c2
.event_set_max
, flags
);
2458 c
->c2
.event_set_owned
= true;
2462 do_close_event_set (struct context
*c
)
2464 if (c
->c2
.event_set
&& c
->c2
.event_set_owned
)
2466 event_free (c
->c2
.event_set
);
2467 c
->c2
.event_set
= NULL
;
2468 c
->c2
.event_set_owned
= false;
2473 * Open and close --status file
2477 do_open_status_output (struct context
*c
)
2479 if (!c
->c1
.status_output
)
2481 c
->c1
.status_output
= status_open (c
->options
.status_file
,
2482 c
->options
.status_file_update_freq
,
2485 STATUS_OUTPUT_WRITE
);
2486 c
->c1
.status_output_owned
= true;
2491 do_close_status_output (struct context
*c
)
2493 if (!(c
->sig
->signal_received
== SIGUSR1
))
2495 if (c
->c1
.status_output_owned
&& c
->c1
.status_output
)
2497 status_close (c
->c1
.status_output
);
2498 c
->c1
.status_output
= NULL
;
2499 c
->c1
.status_output_owned
= false;
2505 * Handle ifconfig-pool persistance object.
2508 do_open_ifconfig_pool_persist (struct context
*c
)
2511 if (!c
->c1
.ifconfig_pool_persist
&& c
->options
.ifconfig_pool_persist_filename
)
2513 c
->c1
.ifconfig_pool_persist
= ifconfig_pool_persist_init (c
->options
.ifconfig_pool_persist_filename
,
2514 c
->options
.ifconfig_pool_persist_refresh_freq
);
2515 c
->c1
.ifconfig_pool_persist_owned
= true;
2521 do_close_ifconfig_pool_persist (struct context
*c
)
2524 if (!(c
->sig
->signal_received
== SIGUSR1
))
2526 if (c
->c1
.ifconfig_pool_persist
&& c
->c1
.ifconfig_pool_persist_owned
)
2528 ifconfig_pool_persist_close (c
->c1
.ifconfig_pool_persist
);
2529 c
->c1
.ifconfig_pool_persist
= NULL
;
2530 c
->c1
.ifconfig_pool_persist_owned
= false;
2537 * Inherit environmental variables
2541 do_inherit_env (struct context
*c
, const struct env_set
*src
)
2543 c
->c2
.es
= env_set_create (NULL
);
2544 c
->c2
.es_owned
= true;
2545 env_set_inherit (c
->c2
.es
, src
);
2549 do_env_set_destroy (struct context
*c
)
2551 if (c
->c2
.es
&& c
->c2
.es_owned
)
2553 env_set_destroy (c
->c2
.es
);
2555 c
->c2
.es_owned
= false;
2560 * Fast I/O setup. Fast I/O is an optimization which only works
2561 * if all of the following are true:
2563 * (1) The platform is not Windows
2564 * (2) --proto udp is enabled
2565 * (3) --shaper is disabled
2568 do_setup_fast_io (struct context
*c
)
2570 if (c
->options
.fast_io
)
2573 msg (M_INFO
, "NOTE: --fast-io is disabled since we are running on Windows");
2575 if (c
->options
.ce
.proto
!= PROTO_UDPv4
)
2576 msg (M_INFO
, "NOTE: --fast-io is disabled since we are not using UDP");
2579 #ifdef HAVE_GETTIMEOFDAY
2580 if (c
->options
.shaper
)
2581 msg (M_INFO
, "NOTE: --fast-io is disabled since we are using --shaper");
2585 c
->c2
.fast_io
= true;
2593 do_signal_on_tls_errors (struct context
*c
)
2595 #if defined(USE_CRYPTO) && defined(USE_SSL)
2596 if (c
->options
.tls_exit
)
2597 c
->c2
.tls_exit_signal
= SIGTERM
;
2599 c
->c2
.tls_exit_signal
= SIGUSR1
;
2603 #ifdef ENABLE_PLUGIN
2606 init_plugins (struct context
*c
)
2608 if (c
->options
.plugin_list
&& !c
->plugins
)
2610 c
->plugins
= plugin_list_init (c
->options
.plugin_list
);
2611 c
->plugins_owned
= true;
2616 open_plugins (struct context
*c
, const bool import_options
, int init_point
)
2618 if (c
->plugins
&& c
->plugins_owned
)
2622 struct plugin_return pr
, config
;
2623 plugin_return_init (&pr
);
2624 plugin_list_open (c
->plugins
, c
->options
.plugin_list
, &pr
, c
->c2
.es
, init_point
);
2625 plugin_return_get_column (&pr
, &config
, "config");
2626 if (plugin_return_defined (&config
))
2629 for (i
= 0; i
< config
.n
; ++i
)
2631 unsigned int option_types_found
= 0;
2632 if (config
.list
[i
] && config
.list
[i
]->value
)
2633 options_string_import (&c
->options
,
2634 config
.list
[i
]->value
,
2635 D_IMPORT_ERRORS
|M_OPTERR
,
2636 OPT_P_DEFAULT
& ~OPT_P_PLUGIN
,
2637 &option_types_found
,
2641 plugin_return_free (&pr
);
2645 plugin_list_open (c
->plugins
, c
->options
.plugin_list
, NULL
, c
->c2
.es
, init_point
);
2651 do_close_plugins (struct context
*c
)
2653 if (c
->plugins
&& c
->plugins_owned
&& !(c
->sig
->signal_received
== SIGUSR1
))
2655 plugin_list_close (c
->plugins
);
2657 c
->plugins_owned
= false;
2662 do_inherit_plugins (struct context
*c
, const struct context
*src
)
2664 if (!c
->plugins
&& src
->plugins
)
2666 c
->plugins
= plugin_list_inherit (src
->plugins
);
2667 c
->plugins_owned
= true;
2673 #ifdef ENABLE_MANAGEMENT
2676 management_callback_status_p2p (void *arg
, const int version
, struct status_output
*so
)
2678 struct context
*c
= (struct context
*) arg
;
2679 print_status (c
, so
);
2683 management_show_net_callback (void *arg
, const int msglevel
)
2686 show_routes (msglevel
);
2687 show_adapters (msglevel
);
2688 msg (msglevel
, "END");
2690 msg (msglevel
, "ERROR: Sorry, this command is currently only implemented on Windows");
2697 init_management_callback_p2p (struct context
*c
)
2699 #ifdef ENABLE_MANAGEMENT
2702 struct management_callback cb
;
2705 cb
.status
= management_callback_status_p2p
;
2706 cb
.show_net
= management_show_net_callback
;
2707 management_set_callback (management
, &cb
);
2712 #ifdef ENABLE_MANAGEMENT
2715 init_management (struct context
*c
)
2718 management
= management_init ();
2722 open_management (struct context
*c
)
2724 /* initialize management layer */
2727 if (c
->options
.management_addr
)
2729 unsigned int flags
= c
->options
.management_flags
;
2730 if (c
->options
.mode
== MODE_SERVER
)
2732 if (management_open (management
,
2733 c
->options
.management_addr
,
2734 c
->options
.management_port
,
2735 c
->options
.management_user_pass
,
2736 c
->options
.management_client_user
,
2737 c
->options
.management_client_group
,
2738 c
->options
.management_log_history_cache
,
2739 c
->options
.management_echo_buffer_size
,
2740 c
->options
.management_state_buffer_size
,
2741 c
->options
.management_write_peer_info_file
,
2742 c
->options
.remap_sigusr1
,
2745 management_set_state (management
,
2746 OPENVPN_STATE_CONNECTING
,
2752 /* initial management hold, called early, before first context initialization */
2756 msg (M_WARN
, "Signal received from management interface, exiting");
2761 close_management ();
2767 close_management (void)
2771 management_close (management
);
2780 uninit_management_callback (void)
2782 #ifdef ENABLE_MANAGEMENT
2785 management_clear_callback (management
);
2791 * Initialize a tunnel instance, handle pre and post-init
2795 init_instance_handle_signals (struct context
*c
, const struct env_set
*env
, const unsigned int flags
)
2797 pre_init_signal_catch ();
2798 init_instance (c
, env
, flags
);
2799 post_init_signal_catch ();
2802 * This is done so that signals thrown during
2803 * initialization can bring us back to
2804 * a management hold.
2809 uninit_management_callback ();
2814 * Initialize a tunnel instance.
2817 init_instance (struct context
*c
, const struct env_set
*env
, const unsigned int flags
)
2819 const struct options
*options
= &c
->options
;
2820 const bool child
= (c
->mode
== CM_CHILD_TCP
|| c
->mode
== CM_CHILD_UDP
);
2821 int link_socket_mode
= LS_MODE_DEFAULT
;
2823 /* init garbage collection level */
2824 gc_init (&c
->c2
.gc
);
2826 /* signals caught here will abort */
2827 c
->sig
->signal_received
= 0;
2828 c
->sig
->signal_text
= NULL
;
2829 c
->sig
->hard
= false;
2831 /* map in current connection entry */
2832 next_connection_entry (c
);
2834 /* link_socket_mode allows CM_CHILD_TCP
2835 instances to inherit acceptable fds
2836 from a top-level parent */
2837 if (c
->options
.ce
.proto
== PROTO_TCPv4_SERVER
)
2839 if (c
->mode
== CM_TOP
)
2840 link_socket_mode
= LS_MODE_TCP_LISTEN
;
2841 else if (c
->mode
== CM_CHILD_TCP
)
2842 link_socket_mode
= LS_MODE_TCP_ACCEPT_FROM
;
2845 /* should we disable paging? */
2846 if (c
->first_time
&& options
->mlock
)
2849 /* possible sleep or management hold if restart */
2850 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2852 do_startup_pause (c
);
2858 /* get passwords if undefined */
2859 if (auth_retry_get () == AR_INTERACT
)
2860 init_query_passwords (c
);
2863 /* initialize context level 2 --verb/--mute parms */
2864 init_verb_mute (c
, IVM_LEVEL_2
);
2866 /* set error message delay for non-server modes */
2867 if (c
->mode
== CM_P2P
)
2868 set_check_status_error_delay (P2P_ERROR_DELAY_MS
);
2870 /* warn about inconsistent options */
2871 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2872 do_option_warnings (c
);
2874 /* inherit environmental variables */
2876 do_inherit_env (c
, env
);
2878 #ifdef ENABLE_PLUGIN
2879 /* initialize plugins */
2880 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2881 open_plugins (c
, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON
);
2884 /* should we enable fast I/O? */
2885 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2886 do_setup_fast_io (c
);
2888 /* should we throw a signal on TLS errors? */
2889 do_signal_on_tls_errors (c
);
2891 /* open --status file */
2892 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2893 do_open_status_output (c
);
2895 /* open --ifconfig-pool-persist file */
2896 if (c
->mode
== CM_TOP
)
2897 do_open_ifconfig_pool_persist (c
);
2900 /* reset OCC state */
2901 if (c
->mode
== CM_P2P
|| child
)
2902 c
->c2
.occ_op
= occ_reset_op ();
2905 /* our wait-for-i/o objects, different for posix vs. win32 */
2906 if (c
->mode
== CM_P2P
)
2907 do_event_set_init (c
, SHAPER_DEFINED (&c
->options
));
2908 else if (c
->mode
== CM_CHILD_TCP
)
2909 do_event_set_init (c
, false);
2911 /* initialize HTTP or SOCKS proxy object at scope level 2 */
2914 /* allocate our socket object */
2915 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
|| c
->mode
== CM_CHILD_TCP
)
2916 do_link_socket_new (c
);
2918 #ifdef ENABLE_FRAGMENT
2919 /* initialize internal fragmentation object */
2920 if (options
->fragment
&& (c
->mode
== CM_P2P
|| child
))
2921 c
->c2
.fragment
= fragment_init (&c
->c2
.frame
);
2924 /* init crypto layer */
2926 unsigned int crypto_flags
= 0;
2927 if (c
->mode
== CM_TOP
)
2928 crypto_flags
= CF_INIT_TLS_AUTH_STANDALONE
;
2929 else if (c
->mode
== CM_P2P
)
2930 crypto_flags
= CF_LOAD_PERSISTED_PACKET_ID
| CF_INIT_TLS_MULTI
;
2932 crypto_flags
= CF_INIT_TLS_MULTI
;
2933 do_init_crypto (c
, crypto_flags
);
2934 if (IS_SIG (c
) && !child
)
2939 /* initialize LZO compression library. */
2940 if ((options
->lzo
& LZO_SELECTED
) && (c
->mode
== CM_P2P
|| child
))
2941 lzo_compress_init (&c
->c2
.lzo_compwork
, options
->lzo
);
2944 /* initialize MTU variables */
2947 /* initialize TLS MTU variables */
2948 do_init_frame_tls (c
);
2950 /* init workspace buffers whose size is derived from frame size */
2951 if (c
->mode
== CM_P2P
|| c
->mode
== CM_CHILD_TCP
)
2952 do_init_buffers (c
);
2954 #ifdef ENABLE_FRAGMENT
2955 /* initialize internal fragmentation capability with known frame size */
2956 if (options
->fragment
&& (c
->mode
== CM_P2P
|| child
))
2957 do_init_fragment (c
);
2960 /* initialize dynamic MTU variable */
2963 /* bind the TCP/UDP socket */
2964 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
|| c
->mode
== CM_CHILD_TCP
)
2965 do_init_socket_1 (c
, link_socket_mode
);
2967 /* initialize tun/tap device object,
2968 open tun/tap device, ifconfig, run up script, etc. */
2969 if (!(options
->up_delay
|| PULL_DEFINED (options
)) && (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
))
2970 c
->c2
.did_open_tun
= do_open_tun (c
);
2972 /* print MTU info */
2973 do_print_data_channel_mtu_parms (c
);
2976 /* get local and remote options compatibility strings */
2977 if (c
->mode
== CM_P2P
|| child
)
2978 do_compute_occ_strings (c
);
2981 /* initialize output speed limiter */
2982 if (c
->mode
== CM_P2P
)
2983 do_init_traffic_shaper (c
);
2985 /* do one-time inits, and possibily become a daemon here */
2986 do_init_first_time (c
);
2988 #ifdef ENABLE_PLUGIN
2989 /* initialize plugins */
2990 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
2991 open_plugins (c
, false, OPENVPN_PLUGIN_INIT_POST_DAEMON
);
2995 * Actually do UID/GID downgrade, and chroot, if requested.
2996 * May be delayed by --client, --pull, or --up-delay.
2998 do_uid_gid_chroot (c
, c
->c2
.did_open_tun
);
3000 /* finalize the TCP/UDP socket */
3001 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
|| c
->mode
== CM_CHILD_TCP
)
3002 do_init_socket_2 (c
);
3004 /* initialize timers */
3005 if (c
->mode
== CM_P2P
|| child
)
3006 do_init_timers (c
, false);
3008 #ifdef ENABLE_PLUGIN
3009 /* initialize plugins */
3010 if (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
)
3011 open_plugins (c
, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE
);
3015 /* share OpenVPN port with foreign (such as HTTPS) server */
3016 if (c
->first_time
&& (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
))
3017 init_port_share (c
);
3022 pf_init_context (c
);
3025 /* Check for signals */
3032 if (!c
->sig
->signal_text
)
3033 c
->sig
->signal_text
= "init_instance";
3034 close_context (c
, -1, flags
);
3039 * Close a tunnel instance.
3042 close_instance (struct context
*c
)
3044 /* close event objects */
3045 do_close_event_set (c
);
3047 if (c
->mode
== CM_P2P
3048 || c
->mode
== CM_CHILD_TCP
3049 || c
->mode
== CM_CHILD_UDP
3050 || c
->mode
== CM_TOP
)
3052 /* if xinetd/inetd mode, don't allow restart */
3053 do_close_check_if_restart_permitted (c
);
3056 if (lzo_defined (&c
->c2
.lzo_compwork
))
3057 lzo_compress_uninit (&c
->c2
.lzo_compwork
);
3061 do_close_free_buf (c
);
3066 /* free key schedules */
3067 do_close_free_key_schedule (c
, (c
->mode
== CM_P2P
|| c
->mode
== CM_TOP
));
3069 /* close TCP/UDP connection */
3070 do_close_link_socket (c
);
3072 /* close TUN/TAP device */
3073 do_close_tun (c
, false);
3075 #ifdef MANAGEMENT_DEF_AUTH
3077 management_notify_client_close (management
, &c
->c2
.mda_context
, NULL
);
3081 pf_destroy_context (&c
->c2
.pf
);
3084 #ifdef ENABLE_PLUGIN
3085 /* call plugin close functions and unload */
3086 do_close_plugins (c
);
3089 /* close packet-id persistance file */
3090 do_close_packet_id (c
);
3092 /* close --status file */
3093 do_close_status_output (c
);
3095 #ifdef ENABLE_FRAGMENT
3096 /* close fragmentation handler */
3097 do_close_fragment (c
);
3100 /* close --ifconfig-pool-persist obj */
3101 do_close_ifconfig_pool_persist (c
);
3103 /* free up environmental variable store */
3104 do_env_set_destroy (c
);
3106 /* close HTTP or SOCKS proxy */
3109 /* garbage collect */
3110 gc_free (&c
->c2
.gc
);
3115 inherit_context_child (struct context
*dest
,
3116 const struct context
*src
)
3120 switch (src
->options
.ce
.proto
)
3123 dest
->mode
= CM_CHILD_UDP
;
3125 case PROTO_TCPv4_SERVER
:
3126 dest
->mode
= CM_CHILD_TCP
;
3132 dest
->gc
= gc_new ();
3134 ALLOC_OBJ_CLEAR_GC (dest
->sig
, struct signal_info
, &dest
->gc
);
3137 packet_id_persist_init (&dest
->c1
.pid_persist
);
3140 dest
->c1
.ks
.key_type
= src
->c1
.ks
.key_type
;
3142 /* inherit SSL context */
3143 dest
->c1
.ks
.ssl_ctx
= src
->c1
.ks
.ssl_ctx
;
3144 dest
->c1
.ks
.tls_auth_key
= src
->c1
.ks
.tls_auth_key
;
3149 dest
->options
= src
->options
;
3150 options_detach (&dest
->options
);
3152 if (dest
->mode
== CM_CHILD_TCP
)
3155 * The CM_TOP context does the socket listen(),
3156 * and the CM_CHILD_TCP context does the accept().
3158 dest
->c2
.accept_from
= src
->c2
.link_socket
;
3161 #ifdef ENABLE_PLUGIN
3162 /* inherit plugins */
3163 do_inherit_plugins (dest
, src
);
3167 init_instance (dest
, src
->c2
.es
, CC_NO_CLOSE
| CC_USR1_TO_HUP
);
3171 /* inherit tun/tap interface object */
3172 dest
->c1
.tuntap
= src
->c1
.tuntap
;
3174 /* UDP inherits some extra things which TCP does not */
3175 if (dest
->mode
== CM_CHILD_UDP
)
3177 /* inherit buffers */
3178 dest
->c2
.buffers
= src
->c2
.buffers
;
3180 /* inherit parent link_socket and tuntap */
3181 dest
->c2
.link_socket
= src
->c2
.link_socket
;
3183 ALLOC_OBJ_GC (dest
->c2
.link_socket_info
, struct link_socket_info
, &dest
->gc
);
3184 *dest
->c2
.link_socket_info
= src
->c2
.link_socket
->info
;
3186 /* locally override some link_socket_info fields */
3187 dest
->c2
.link_socket_info
->lsa
= &dest
->c1
.link_socket_addr
;
3188 dest
->c2
.link_socket_info
->connection_established
= false;
3193 inherit_context_top (struct context
*dest
,
3194 const struct context
*src
)
3200 * CM_TOP_CLONE will prevent close_instance from freeing or closing
3201 * resources owned by the parent.
3203 * Also note that CM_TOP_CLONE context objects are
3204 * closed by multi_top_free in multi.c.
3206 dest
->mode
= CM_TOP_CLONE
;
3208 dest
->first_time
= false;
3211 options_detach (&dest
->options
);
3212 gc_detach (&dest
->gc
);
3213 gc_detach (&dest
->c2
.gc
);
3215 /* detach plugins */
3216 dest
->plugins_owned
= false;
3218 #if defined(USE_CRYPTO) && defined(USE_SSL)
3219 dest
->c2
.tls_multi
= NULL
;
3222 /* detach c1 ownership */
3223 dest
->c1
.tuntap_owned
= false;
3224 dest
->c1
.status_output_owned
= false;
3226 dest
->c1
.ifconfig_pool_persist_owned
= false;
3229 /* detach c2 ownership */
3230 dest
->c2
.event_set_owned
= false;
3231 dest
->c2
.link_socket_owned
= false;
3232 dest
->c2
.buffers_owned
= false;
3233 dest
->c2
.es_owned
= false;
3235 dest
->c2
.event_set
= NULL
;
3236 if (src
->options
.ce
.proto
== PROTO_UDPv4
)
3237 do_event_set_init (dest
, false);
3241 close_context (struct context
*c
, int sig
, unsigned int flags
)
3247 c
->sig
->signal_received
= sig
;
3249 if (c
->sig
->signal_received
== SIGUSR1
)
3251 if ((flags
& CC_USR1_TO_HUP
)
3252 || (c
->sig
->hard
&& (flags
& CC_HARD_USR1_TO_HUP
)))
3253 c
->sig
->signal_received
= SIGHUP
;
3256 if (!(flags
& CC_NO_CLOSE
))
3259 if (flags
& CC_GC_FREE
)
3260 context_gc_free (c
);
3269 msg (M_INFO
, "Multithreaded malloc test...");
3270 for (i
= 0; i
< 25; ++i
)
3272 struct gc_arena gc
= gc_new ();
3273 const int limit
= get_random () & 0x03FF;
3274 for (j
= 0; j
< limit
; ++j
)
3276 gc_malloc (get_random () & 0x03FF, false, &gc
);
3283 * Do a loopback test
3284 * on the crypto subsystem.
3287 test_crypto_thread (void *arg
)
3289 struct context
*c
= (struct context
*) arg
;
3290 const struct options
*options
= &c
->options
;
3291 #if defined(USE_PTHREAD)
3292 struct context
*child
= NULL
;
3293 openvpn_thread_t child_id
= 0;
3296 ASSERT (options
->test_crypto
);
3297 init_verb_mute (c
, IVM_LEVEL_1
);
3299 do_init_crypto_static (c
, 0);
3301 #if defined(USE_PTHREAD)
3303 if (c
->first_time
&& options
->n_threads
> 1)
3305 if (options
->n_threads
> 2)
3306 msg (M_FATAL
, "ERROR: --test-crypto option only works with --threads set to 1 or 2");
3307 openvpn_thread_init ();
3308 ALLOC_OBJ (child
, struct context
);
3309 context_clear (child
);
3310 child
->options
= *options
;
3311 options_detach (&child
->options
);
3312 child
->first_time
= false;
3313 child_id
= openvpn_thread_create (test_crypto_thread
, (void *) child
);
3317 frame_finalize_options (c
, options
);
3319 #if defined(USE_PTHREAD)
3320 if (options
->n_threads
== 2)
3324 test_crypto (&c
->c2
.crypto_options
, &c
->c2
.frame
);
3326 key_schedule_free (&c
->c1
.ks
, true);
3327 packet_id_free (&c
->c2
.packet_id
);
3329 #if defined(USE_PTHREAD)
3330 if (c
->first_time
&& options
->n_threads
> 1)
3331 openvpn_thread_join (child_id
);
3335 context_gc_free (c
);
3342 do_test_crypto (const struct options
*o
)
3349 /* print version number */
3350 msg (M_INFO
, "%s", title_string
);
3354 options_detach (&c
.options
);
3355 c
.first_time
= true;
3356 test_crypto_thread ((void *) &c
);