2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
42
#include "occ-inline.h"
45
* Crypto initialization flags
47
#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
48
#define CF_INIT_TLS_MULTI (1<<1)
49
#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
51
static void do_init_first_time (struct context *c);
54
context_clear (struct context *c)
60
context_clear_1 (struct context *c)
66
context_clear_2 (struct context *c)
72
context_clear_all_except_first_time (struct context *c)
74
const bool first_time_save = c->first_time;
75
const struct context_persist cpsave = c->persist;
77
c->first_time = first_time_save;
82
* Should be called after options->ce is modified at the top
83
* of a SIGUSR1 restart.
86
update_options_ce_post (struct options *options)
90
* In pull mode, we usually import --ping/--ping-restart parameters from
91
* the server. However we should also set an initial default --ping-restart
92
* for the period of time before we pull the --ping-restart parameter
96
&& options->ping_rec_timeout_action == PING_UNDEF
97
&& options->ce.proto == PROTO_UDPv4)
99
options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
100
options->ping_rec_timeout_action = PING_RESTART;
105
* Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
107
if (link_socket_proto_connection_oriented (options->ce.proto))
108
options->replay_window = options->replay_time = 0;
113
* Initialize and possibly randomize connection list.
116
init_connection_list (struct context *c)
118
#ifdef ENABLE_CONNECTION
119
struct connection_list *l = c->options.connection_list;
123
if (c->options.remote_random)
126
for (i = 0; i < l->len; ++i)
128
const int j = get_random () % l->len;
131
struct connection_entry *tmp;
133
l->array[i] = l->array[j];
143
* Increment to next connection entry
146
next_connection_entry (struct context *c)
148
#ifdef ENABLE_CONNECTION
149
struct connection_list *l = c->options.connection_list;
152
if (l->no_advance && l->current >= 0)
154
l->no_advance = false;
159
if (++l->current >= l->len)
162
dmsg (D_CONNECTION_LIST, "CONNECTION_LIST len=%d current=%d",
164
for (i = 0; i < l->len; ++i)
166
dmsg (D_CONNECTION_LIST, "[%d] %s:%d",
169
l->array[i]->remote_port);
172
c->options.ce = *l->array[l->current];
175
update_options_ce_post (&c->options);
179
* Query for private key and auth-user-pass username/passwords
182
init_query_passwords (struct context *c)
184
#if defined(USE_CRYPTO) && defined(USE_SSL)
185
/* Certificate password input */
186
if (c->options.key_pass_file)
187
pem_password_setup (c->options.key_pass_file);
191
/* Auth user/pass input */
192
if (c->options.auth_user_pass_file)
193
auth_user_pass_setup (c->options.auth_user_pass_file);
198
* Initialize/Uninitialize HTTP or SOCKS proxy
201
#ifdef GENERAL_PROXY_SUPPORT
204
proxy_scope (struct context *c)
206
return connection_list_defined (&c->options) ? 2 : 1;
210
uninit_proxy_dowork (struct context *c)
212
#ifdef ENABLE_HTTP_PROXY
213
if (c->c1.http_proxy_owned && c->c1.http_proxy)
215
http_proxy_close (c->c1.http_proxy);
216
c->c1.http_proxy = NULL;
217
c->c1.http_proxy_owned = false;
221
if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
223
socks_proxy_close (c->c1.socks_proxy);
224
c->c1.socks_proxy = NULL;
225
c->c1.socks_proxy_owned = false;
231
init_proxy_dowork (struct context *c)
233
#ifdef ENABLE_HTTP_PROXY
234
bool did_http = false;
236
const bool did_http = false;
239
uninit_proxy_dowork (c);
241
#ifdef ENABLE_HTTP_PROXY
242
if (c->options.ce.http_proxy_options || c->options.auto_proxy_info)
244
/* Possible HTTP proxy user/pass input */
245
c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options,
246
c->options.auto_proxy_info);
247
if (c->c1.http_proxy)
250
c->c1.http_proxy_owned = true;
256
if (!did_http && (c->options.ce.socks_proxy_server || c->options.auto_proxy_info))
258
c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,
259
c->options.ce.socks_proxy_port,
260
c->options.ce.socks_proxy_retry,
261
c->options.auto_proxy_info);
262
if (c->c1.socks_proxy)
264
c->c1.socks_proxy_owned = true;
271
init_proxy (struct context *c, const int scope)
273
if (scope == proxy_scope (c))
274
init_proxy_dowork (c);
278
uninit_proxy (struct context *c)
280
if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2)
281
uninit_proxy_dowork (c);
287
init_proxy (struct context *c, const int scope)
292
uninit_proxy (struct context *c)
299
context_init_1 (struct context *c)
303
packet_id_persist_init (&c->c1.pid_persist);
305
init_connection_list (c);
307
init_query_passwords (c);
309
#if defined(ENABLE_PKCS11)
312
pkcs11_initialize (true, c->options.pkcs11_pin_cache_period);
313
for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++)
314
pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
315
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
319
#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
322
* In the management interface, you can okay the request by entering "needok token-insertion-request ok"
326
strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
327
get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
328
msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
329
'needok' command, usually 'ok' or 'cancel'. */
333
/* initialize HTTP or SOCKS proxy object at scope level 1 */
338
context_gc_free (struct context *c)
341
gc_free (&c->options.gc);
348
close_port_share (void)
352
port_share_close (port_share);
358
init_port_share (struct context *c)
360
if (!port_share && (c->options.port_share_host && c->options.port_share_port))
362
port_share = port_share_open (c->options.port_share_host,
363
c->options.port_share_port);
364
if (port_share == NULL)
365
msg (M_FATAL, "Fatal error: Port sharing failed");
374
/* configure_path (); */
376
#if defined(USE_CRYPTO) && defined(DMALLOC)
377
openssl_dmalloc_init ();
380
init_random_seed (); /* init random() function, only used as
381
source for weak random numbers */
382
error_reset (); /* initialize error.c */
383
reset_check_status (); /* initialize status check code in socket.c */
389
#ifdef OPENVPN_DEBUG_COMMAND_LINE
392
for (i = 0; i < argc; ++i)
393
msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
402
/* init PRNG used for IV generation */
403
/* When forking, copy this to more places in the code to avoid fork
404
random-state predictability */
409
packet_id_interactive_test (); /* test the sequence number code */
423
#ifdef IFCONFIG_POOL_TEST
424
ifconfig_pool_test (0x0A010004, 0x0A0100FF);
428
#ifdef CHARACTER_CLASS_DEBUG
429
character_class_debug ();
433
#ifdef EXTRACT_X509_FIELD_TEST
434
extract_x509_field_test ();
445
struct gc_arena gc = gc_new ();
446
const char *fn = gen_path ("foo",
455
#ifdef STATUS_PRINTF_TEST
457
struct gc_arena gc = gc_new ();
458
const char *tmp_file = create_temp_filename ("/tmp", "foo", &gc);
459
struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
460
status_printf (so, "%s", "foo");
461
status_printf (so, "%s", "bar");
462
if (!status_close (so))
463
msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
471
void argv_test (void);
479
struct gc_arena gc = gc_new ();
482
prng_init ("sha1", 16);
483
//prng_init (NULL, 0);
484
const int factor = 1;
485
for (i = 0; i < factor * 8; ++i)
488
prng_bytes (rndbuf, sizeof (rndbuf));
490
ASSERT(RAND_bytes (rndbuf, sizeof (rndbuf)));
492
printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc));
506
openvpn_thread_cleanup ();
520
#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
521
show_tls_performance_stats ();
526
init_verb_mute (struct context *c, unsigned int flags)
528
if (flags & IVM_LEVEL_1)
530
/* set verbosity and mute levels */
531
set_check_status (D_LINK_ERRORS, D_READ_WRITE);
532
set_debug_level (c->options.verbosity, SDL_CONSTRAIN);
533
set_mute_cutoff (c->options.mute);
536
/* special D_LOG_RW mode */
537
if (flags & IVM_LEVEL_2)
538
c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
542
* Possibly set --dev based on --dev-node.
543
* For example, if --dev-node /tmp/foo/tun, and --dev undefined,
547
init_options_dev (struct options *options)
550
options->dev = openvpn_basename (options->dev_node);
554
print_openssl_info (const struct options *options)
557
* OpenSSL info print mode?
560
if (options->show_ciphers || options->show_digests || options->show_engines
562
|| options->show_tls_ciphers
566
if (options->show_ciphers)
567
show_available_ciphers ();
568
if (options->show_digests)
569
show_available_digests ();
570
if (options->show_engines)
571
show_available_engines ();
573
if (options->show_tls_ciphers)
574
show_available_tls_ciphers ();
583
* Static pre-shared key generation mode?
586
do_genkey (const struct options * options)
593
notnull (options->shared_secret_file,
594
"shared secret output file (--secret)");
596
if (options->mlock) /* should we disable paging? */
599
nbits_written = write_key_file (2, options->shared_secret_file);
601
msg (D_GENKEY | M_NOPREFIX,
602
"Randomly generated %d bit key written to %s", nbits_written,
603
options->shared_secret_file);
611
* Persistent TUN/TAP device management mode?
614
do_persist_tuntap (const struct options *options)
617
if (options->persist_config)
619
/* sanity check on options for --mktun or --rmtun */
620
notnull (options->dev, "TUN/TAP device (--dev)");
621
if (options->ce.remote || options->ifconfig_local
622
|| options->ifconfig_remote_netmask
624
|| options->shared_secret_file
626
|| options->tls_server || options->tls_client
630
msg (M_FATAL|M_OPTERR,
631
"options --mktun or --rmtun should only be used together with --dev");
632
tuncfg (options->dev, options->dev_type, options->dev_node,
633
options->tun_ipv6, options->persist_mode,
634
options->username, options->groupname, &options->tuntap_options);
635
if (options->persist_mode && options->lladdr)
636
set_lladdr(options->dev, options->lladdr, NULL);
644
* Should we become a daemon?
645
* Return true if we did it.
648
possibly_become_daemon (const struct options *options, const bool first_time)
651
if (first_time && options->daemon)
653
ASSERT (!options->inetd);
654
if (daemon (options->cd_dir != NULL, options->log) < 0)
655
msg (M_ERR, "daemon() failed");
656
restore_signal_state ();
658
set_std_files_to_null (true);
660
#if defined(ENABLE_PKCS11)
670
* Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
673
do_uid_gid_chroot (struct context *c, bool no_delay)
675
static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
676
struct context_0 *c0 = c->c0;
678
if (c->first_time && c0 && !c0->uid_gid_set)
680
/* chroot if requested */
681
if (c->options.chroot_dir)
684
do_chroot (c->options.chroot_dir);
686
msg (M_INFO, "NOTE: chroot %s", why_not);
689
/* set user and/or group that we want to setuid/setgid to */
692
set_group (&c0->group_state);
693
set_user (&c0->user_state);
694
c0->uid_gid_set = true;
696
else if (c0->uid_gid_specified)
698
msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
702
/* Apply a SELinux context in order to restrict what OpenVPN can do
703
* to _only_ what it is supposed to do after initialization is complete
704
* (basically just network I/O operations). Doing it after chroot
705
* requires /proc to be mounted in the chroot (which is annoying indeed
706
* but doing it before requires more complex SELinux policies.
708
if (c->options.selinux_context)
711
if (-1 == setcon (c->options.selinux_context))
712
msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
714
msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
717
msg (M_INFO, "NOTE: setcon %s", why_not);
724
* Return common name in a way that is formatted for
725
* prepending to msg() output.
728
format_common_name (struct context *c, struct gc_arena *gc)
730
struct buffer out = alloc_buf_gc (256, gc);
731
#if defined(USE_CRYPTO) && defined(USE_SSL)
734
buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
741
pre_setup (const struct options *options)
744
if (options->exit_event_name)
746
win32_signal_open (&win32_signal,
748
options->exit_event_name,
749
options->exit_event_initial_state);
753
win32_signal_open (&win32_signal,
758
/* put a title on the top window bar */
759
if (win32_signal.mode == WSO_MODE_CONSOLE)
761
window_title_save (&window_title);
762
window_title_generate (options->config);
769
reset_coarse_timers (struct context *c)
771
c->c2.coarse_timer_wakeup = 0;
778
do_init_timers (struct context *c, bool deferred)
781
reset_coarse_timers (c);
783
/* initialize inactivity timeout */
784
if (c->options.inactivity_timeout)
785
event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
787
/* initialize pings */
789
if (c->options.ping_send_timeout)
790
event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
792
if (c->options.ping_rec_timeout)
793
event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
796
if (c->options.server_poll_timeout)
797
event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now);
802
/* initialize connection establishment timer */
803
event_timeout_init (&c->c2.wait_for_connect, 1, now);
806
/* initialize occ timers */
810
&& c->c2.options_string_local && c->c2.options_string_remote)
811
event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
813
if (c->options.mtu_test)
814
event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
817
/* initialize packet_id persistence timer */
819
if (c->options.packet_id_file)
820
event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
823
#if defined(USE_CRYPTO) && defined(USE_SSL)
824
/* initialize tmp_int optimization that limits the number of times we call
825
tls_multi_process in the main event loop */
826
interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
832
* Initialize traffic shaper.
835
do_init_traffic_shaper (struct context *c)
837
#ifdef HAVE_GETTIMEOFDAY
838
/* initialize traffic shaper (i.e. transmit bandwidth limiter) */
839
if (c->options.shaper)
841
shaper_init (&c->c2.shaper, c->options.shaper);
842
shaper_msg (&c->c2.shaper);
848
* Allocate a route list structure if at least one
849
* --route option was specified.
852
do_alloc_route_list (struct context *c)
854
if (c->options.routes && !c->c1.route_list)
855
c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);
860
* Initialize the route list, resolving any DNS names in route
861
* options and saving routes in the environment.
864
do_init_route_list (const struct options *options,
865
struct route_list *route_list,
866
const struct link_socket_info *link_socket_info,
870
const char *gw = NULL;
871
int dev = dev_type_enum (options->dev, options->dev_type);
874
if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
875
gw = options->ifconfig_remote_netmask;
876
if (options->route_default_gateway)
877
gw = options->route_default_gateway;
878
if (options->route_default_metric)
879
metric = options->route_default_metric;
881
if (!init_route_list (route_list,
885
link_socket_current_remote (link_socket_info),
889
openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
893
/* copy routes to environment */
894
setenv_routes (es, route_list);
899
* Called after all initialization has been completed.
902
initialization_sequence_completed (struct context *c, const unsigned int flags)
904
static const char message[] = "Initialization Sequence Completed";
906
/* If we delayed UID/GID downgrade or chroot, do it now */
907
do_uid_gid_chroot (c, true);
910
if (flags & ISC_ERRORS)
913
show_routes (M_INFO|M_NOPREFIX);
914
show_adapters (M_INFO|M_NOPREFIX);
915
msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
917
msg (M_INFO, "%s With Errors", message);
921
msg (M_INFO, "%s", message);
923
/* Flag connection_list that we initialized */
924
if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options))
925
connection_list_set_no_advance (&c->options);
927
#ifdef ENABLE_MANAGEMENT
928
/* Tell management interface that we initialized */
931
in_addr_t tun_local = 0;
932
in_addr_t tun_remote = 0; /* FKS */
933
const char *detail = "SUCCESS";
935
tun_local = c->c1.tuntap->local;
936
tun_remote = htonl (c->c1.link_socket_addr.actual.dest.sa.sin_addr.s_addr);
937
if (flags & ISC_ERRORS)
939
management_set_state (management,
940
OPENVPN_STATE_CONNECTED,
945
management_post_tunnel_open (management, tun_local);
952
* Possibly add routes and/or call route-up script
956
do_route (const struct options *options,
957
struct route_list *route_list,
958
const struct tuntap *tt,
959
const struct plugin_list *plugins,
962
if (!options->route_noexec && route_list)
963
add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es);
965
if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))
967
if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
968
msg (M_WARN, "WARNING: route-up plugin call failed");
971
if (options->route_script)
973
struct argv argv = argv_new ();
974
setenv_str (es, "script_type", "route-up");
975
argv_printf (&argv, "%sc", options->route_script);
976
openvpn_execve_check (&argv, es, S_SCRIPT, "Route script failed");
981
if (options->show_net_up)
983
show_routes (M_INFO|M_NOPREFIX);
984
show_adapters (M_INFO|M_NOPREFIX);
986
else if (check_debug_level (D_SHOW_NET))
988
show_routes (D_SHOW_NET|M_NOPREFIX);
989
show_adapters (D_SHOW_NET|M_NOPREFIX);
995
* Save current pulled options string in the c1 context store, so we can
996
* compare against it after possible future restarts.
1000
save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest)
1003
c->c1.pulled_options_digest_save = *newdigest;
1005
md5_digest_clear (&c->c1.pulled_options_digest_save);
1010
* initialize tun/tap device object
1013
do_init_tun (struct context *c)
1015
c->c1.tuntap = init_tun (c->options.dev,
1016
c->options.dev_type,
1017
c->options.topology,
1018
c->options.ifconfig_local,
1019
c->options.ifconfig_remote_netmask,
1020
addr_host (&c->c1.link_socket_addr.local),
1021
addr_host (&c->c1.link_socket_addr.remote),
1022
!c->options.ifconfig_nowarn,
1025
init_tun_post (c->c1.tuntap,
1027
&c->options.tuntap_options);
1029
c->c1.tuntap_owned = true;
1033
* Open tun/tap device, ifconfig, call up script, etc.
1037
do_open_tun (struct context *c)
1039
struct gc_arena gc = gc_new ();
1042
c->c2.ipv4_tun = (!c->options.tun_ipv6
1043
&& is_dev_type (c->options.dev, c->options.dev_type, "tun"));
1047
/* initialize (but do not open) tun/tap object */
1050
/* allocate route list structure */
1051
do_alloc_route_list (c);
1053
/* parse and resolve the route option list */
1054
if (c->options.routes && c->c1.route_list && c->c2.link_socket)
1055
do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);
1058
if (!c->options.ifconfig_noexec
1059
&& ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN)
1061
/* guess actual tun/tap unit number that will be returned
1063
const char *guess = guess_tuntap_dev (c->options.dev,
1064
c->options.dev_type,
1065
c->options.dev_node,
1067
do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1070
/* open the tun device */
1071
open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
1072
c->options.tun_ipv6, c->c1.tuntap);
1074
/* set the hardware address */
1075
if (c->options.lladdr)
1076
set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1079
if (!c->options.ifconfig_noexec
1080
&& ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN)
1082
do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1085
/* run the up script */
1086
run_up_down (c->options.up_script,
1089
c->c1.tuntap->actual_name,
1090
TUN_MTU_SIZE (&c->c2.frame),
1091
EXPANDED_SIZE (&c->c2.frame),
1092
print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1093
print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1099
/* possibly add routes */
1100
if (!c->options.route_delay_defined)
1101
do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es);
1104
* Did tun/tap driver give us an MTU?
1106
if (c->c1.tuntap->post_open_mtu)
1107
frame_set_mtu_dynamic (&c->c2.frame,
1108
c->c1.tuntap->post_open_mtu,
1109
SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1115
msg (M_INFO, "Preserving previous TUN/TAP instance: %s",
1116
c->c1.tuntap->actual_name);
1118
/* run the up script if user specified --up-restart */
1119
if (c->options.up_restart)
1120
run_up_down (c->options.up_script,
1123
c->c1.tuntap->actual_name,
1124
TUN_MTU_SIZE (&c->c2.frame),
1125
EXPANDED_SIZE (&c->c2.frame),
1126
print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1127
print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1138
* Close TUN/TAP device
1142
do_close_tun_simple (struct context *c)
1144
msg (D_CLOSE, "Closing TUN/TAP interface");
1145
close_tun (c->c1.tuntap);
1146
c->c1.tuntap = NULL;
1147
c->c1.tuntap_owned = false;
1149
save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */
1154
do_close_tun (struct context *c, bool force)
1156
struct gc_arena gc = gc_new ();
1157
if (c->c1.tuntap && c->c1.tuntap_owned)
1159
const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
1160
const in_addr_t local = c->c1.tuntap->local;
1161
const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1163
if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1165
#ifdef ENABLE_MANAGEMENT
1166
/* tell management layer we are about to close the TUN/TAP device */
1168
management_pre_tunnel_close (management);
1171
/* delete any routes we added */
1172
if (c->c1.route_list)
1173
delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);
1175
/* actually close tun/tap device based on --down-pre flag */
1176
if (!c->options.down_pre)
1177
do_close_tun_simple (c);
1179
/* Run the down script -- note that it will run at reduced
1180
privilege if, for example, "--user nobody" was used. */
1181
run_up_down (c->options.down_script,
1183
OPENVPN_PLUGIN_DOWN,
1185
TUN_MTU_SIZE (&c->c2.frame),
1186
EXPANDED_SIZE (&c->c2.frame),
1187
print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1188
print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1190
signal_description (c->sig->signal_received,
1191
c->sig->signal_text),
1195
/* actually close tun/tap device based on --down-pre flag */
1196
if (c->options.down_pre)
1197
do_close_tun_simple (c);
1201
/* run the down script on this restart if --up-restart was specified */
1202
if (c->options.up_restart)
1203
run_up_down (c->options.down_script,
1205
OPENVPN_PLUGIN_DOWN,
1207
TUN_MTU_SIZE (&c->c2.frame),
1208
EXPANDED_SIZE (&c->c2.frame),
1209
print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1210
print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1212
signal_description (c->sig->signal_received,
1213
c->sig->signal_text),
1222
* Handle delayed tun/tap interface bringup due to --up-delay or --pull
1226
do_up (struct context *c, bool pulled_options, unsigned int option_types_found)
1228
if (!c->c2.do_up_ran)
1230
reset_coarse_timers (c);
1232
if (pulled_options && option_types_found)
1233
do_deferred_options (c, option_types_found);
1235
/* if --up-delay specified, open tun, do ifconfig, and run up script now */
1236
if (c->options.up_delay || PULL_DEFINED (&c->options))
1238
c->c2.did_open_tun = do_open_tun (c);
1243
* Was tun interface object persisted from previous restart iteration,
1244
* and if so did pulled options string change from previous iteration?
1246
if (!c->c2.did_open_tun
1247
&& PULL_DEFINED (&c->options)
1249
&& (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest)
1250
|| !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)))
1252
/* if so, close tun, delete routes, then reinitialize tun and add routes */
1253
msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
1254
do_close_tun (c, true);
1256
c->c2.did_open_tun = do_open_tun (c);
1262
if (c->c2.did_open_tun)
1265
save_pulled_options_digest (c, &c->c2.pulled_options_digest);
1268
/* if --route-delay was specified, start timer */
1269
if (c->options.route_delay_defined)
1271
event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now);
1272
event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
1274
tun_standby_init (c->c1.tuntap);
1278
initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */
1281
else if (c->options.mode == MODE_POINT_TO_POINT)
1283
initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */
1286
c->c2.do_up_ran = true;
1291
* These are the option categories which will be accepted by pull.
1294
pull_permission_mask (const struct context *c)
1296
unsigned int flags =
1298
| OPT_P_ROUTE_EXTRAS
1308
| OPT_P_EXPLICIT_NOTIFY
1312
if (!c->options.route_nopull)
1313
flags |= OPT_P_ROUTE;
1319
* Handle non-tun-related pulled options.
1322
do_deferred_options (struct context *c, const unsigned int found)
1324
if (found & OPT_P_MESSAGES)
1326
init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2);
1327
msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
1329
if (found & OPT_P_TIMER)
1331
do_init_timers (c, true);
1332
msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
1336
if (found & OPT_P_EXPLICIT_NOTIFY)
1338
if (c->options.ce.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)
1340
msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
1341
c->options.explicit_exit_notification = 0;
1344
msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
1349
if (found & OPT_P_COMP)
1351
if (lzo_defined (&c->c2.lzo_compwork))
1353
msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified");
1354
lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo);
1359
if (found & OPT_P_SHAPER)
1361
msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
1362
do_init_traffic_shaper (c);
1365
if (found & OPT_P_SOCKBUF)
1367
msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
1368
link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
1371
if (found & OPT_P_SOCKFLAGS)
1373
msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
1374
link_socket_update_flags (c->c2.link_socket, c->options.sockflags);
1377
if (found & OPT_P_PERSIST)
1378
msg (D_PUSH, "OPTIONS IMPORT: --persist options modified");
1379
if (found & OPT_P_UP)
1380
msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
1381
if (found & OPT_P_ROUTE)
1382
msg (D_PUSH, "OPTIONS IMPORT: route options modified");
1383
if (found & OPT_P_ROUTE_EXTRAS)
1384
msg (D_PUSH, "OPTIONS IMPORT: route-related options modified");
1385
if (found & OPT_P_IPWIN32)
1386
msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
1387
if (found & OPT_P_SETENV)
1388
msg (D_PUSH, "OPTIONS IMPORT: environment modified");
1392
* Possible hold on initialization
1395
do_hold (struct context *c)
1397
#ifdef ENABLE_MANAGEMENT
1400
/* if c is defined, daemonize before hold */
1401
if (c && c->options.daemon && management_should_daemonize (management))
1402
do_init_first_time (c);
1404
/* block until management hold is released */
1405
if (management_hold (management))
1413
* Sleep before restart.
1416
socket_restart_pause (struct context *c)
1421
#ifdef ENABLE_HTTP_PROXY
1422
if (c->options.ce.http_proxy_options)
1426
if (c->options.ce.socks_proxy_server)
1430
switch (c->options.ce.proto)
1434
sec = c->options.ce.connect_retry_seconds;
1436
case PROTO_TCPv4_SERVER:
1439
case PROTO_TCPv4_CLIENT:
1440
sec = c->options.ce.connect_retry_seconds;
1445
if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin))
1450
if (auth_retry_get () == AR_NOINTERACT)
1453
if (c->options.server_poll_timeout && sec > 1)
1457
if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
1458
sec = c->persist.restart_sleep_seconds;
1459
else if (c->persist.restart_sleep_seconds == -1)
1461
c->persist.restart_sleep_seconds = 0;
1463
/* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
1469
msg (D_RESTART, "Restart pause, %d second(s)", sec);
1470
openvpn_sleep (sec);
1475
* Do a possible pause on context_2 initialization.
1478
do_startup_pause (struct context *c)
1481
socket_restart_pause (c);
1483
do_hold (NULL); /* do management hold on first context initialization */
1487
* Finalize MTU parameters based on command line or config file options.
1490
frame_finalize_options (struct context *c, const struct options *o)
1496
* Set adjustment factor for buffer alignment when no
1499
if (!CIPHER_ENABLED (c))
1501
frame_align_to_extra_frame (&c->c2.frame);
1502
frame_or_align_flags (&c->c2.frame,
1503
FRAME_HEADROOM_MARKER_FRAGMENT
1504
|FRAME_HEADROOM_MARKER_READ_LINK
1505
|FRAME_HEADROOM_MARKER_READ_STREAM);
1508
frame_finalize (&c->c2.frame,
1509
o->link_mtu_defined,
1516
* Free a key schedule, including OpenSSL components.
1519
key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
1522
free_key_ctx_bi (&ks->static_key);
1524
if (ks->ssl_ctx && free_ssl_ctx)
1526
SSL_CTX_free (ks->ssl_ctx);
1527
free_key_ctx_bi (&ks->tls_auth_key);
1529
#endif /* USE_SSL */
1530
#endif /* USE_CRYPTO */
1537
init_crypto_pre (struct context *c, const unsigned int flags)
1539
if (c->options.engine)
1540
init_crypto_lib_engine (c->options.engine);
1542
if (flags & CF_LOAD_PERSISTED_PACKET_ID)
1544
/* load a persisted packet-id for cross-session replay-protection */
1545
if (c->options.packet_id_file)
1546
packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
1549
/* Initialize crypto options */
1551
if (c->options.use_iv)
1552
c->c2.crypto_options.flags |= CO_USE_IV;
1554
if (c->options.mute_replay_warnings)
1555
c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
1559
* Static Key Mode (using a pre-shared key)
1562
do_init_crypto_static (struct context *c, const unsigned int flags)
1564
const struct options *options = &c->options;
1565
ASSERT (options->shared_secret_file);
1567
/* CVE-2008-0166 (Debian weak key checks) */
1568
/* Only check if we can actually read the key file. Unless the file does not
1569
* exist in the first place, this should never happen (since static keys do
1570
* not work with multi-client mode), but we test it anyway to be on the safe
1571
* side and avoid wrong -vulnkey alerts. */
1572
if (access (options->shared_secret_file, R_OK) == 0)
1574
struct argv argv = argv_new ();
1576
argv_printf (&argv, "/usr/sbin/openvpn-vulnkey -q %s", options->shared_secret_file);
1577
argv_msg (M_INFO, &argv);
1578
ret = openvpn_execve (&argv, c->c2.es, 0);
1579
if (WEXITSTATUS (ret) == 1)
1581
msg (M_WARN, "******* WARNING *******: '%s' is a known vulnerable key. See 'man openvpn-vulnkey' for details.", options->shared_secret_file);
1583
else if (WEXITSTATUS (ret) != 0)
1585
msg (M_WARN, "******* WARNING *******: '%s' cannot be verified as a non-vulnerable key. See 'man openvpn-vulnkey' for details.", options->shared_secret_file);
1590
init_crypto_pre (c, flags);
1592
/* Initialize packet ID tracking */
1593
if (options->replay)
1595
packet_id_init (&c->c2.packet_id, options->replay_window,
1596
options->replay_time);
1597
c->c2.crypto_options.packet_id = &c->c2.packet_id;
1598
c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
1599
c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
1600
packet_id_persist_load_obj (&c->c1.pid_persist,
1601
c->c2.crypto_options.packet_id);
1604
if (!key_ctx_bi_defined (&c->c1.ks.static_key))
1607
struct key_direction_state kds;
1609
/* Get cipher & hash algorithms */
1610
init_key_type (&c->c1.ks.key_type, options->ciphername,
1611
options->ciphername_defined, options->authname,
1612
options->authname_defined, options->keysize,
1613
options->test_crypto, true);
1615
/* Read cipher and hmac keys from shared secret file */
1617
unsigned int rkf_flags = RKF_MUST_SUCCEED;
1618
const char *rkf_file = options->shared_secret_file;
1620
#if ENABLE_INLINE_FILES
1621
if (options->shared_secret_file_inline)
1623
rkf_file = options->shared_secret_file_inline;
1624
rkf_flags |= RKF_INLINE;
1627
read_key_file (&key2, rkf_file, rkf_flags);
1630
/* Check for and fix highly unlikely key problems */
1631
verify_fix_key2 (&key2, &c->c1.ks.key_type,
1632
options->shared_secret_file);
1634
/* Initialize OpenSSL key objects */
1635
key_direction_state_init (&kds, options->key_direction);
1636
must_have_n_keys (options->shared_secret_file, "secret", &key2,
1638
init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
1639
&c->c1.ks.key_type, DO_ENCRYPT, "Static Encrypt");
1640
init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
1641
&c->c1.ks.key_type, DO_DECRYPT, "Static Decrypt");
1643
/* Erase the temporary copy of key */
1648
msg (M_INFO, "Re-using pre-shared static key");
1651
/* Get key schedule */
1652
c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
1654
/* Compute MTU parameters */
1655
crypto_adjust_frame_parameters (&c->c2.frame,
1657
options->ciphername_defined,
1658
options->use_iv, options->replay, true);
1660
/* Sanity check on IV, sequence number, and cipher mode options */
1661
check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1668
* Initialize the persistent component of OpenVPN's TLS mode,
1669
* which is preserved across SIGUSR1 resets.
1672
do_init_crypto_tls_c1 (struct context *c)
1674
const struct options *options = &c->options;
1677
if (!c->c1.ks.ssl_ctx)
1680
* Initialize the OpenSSL library's global
1683
c->c1.ks.ssl_ctx = init_ssl (options);
1684
if (!c->c1.ks.ssl_ctx)
1687
switch (auth_retry_get ())
1690
msg (M_FATAL, "Error: private key password verification failed");
1695
c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
1700
c->sig->signal_text = "private-key-password-failure";
1703
msg (M_FATAL, "Error: private key password verification failed");
1707
/* Get cipher & hash algorithms */
1708
init_key_type (&c->c1.ks.key_type, options->ciphername,
1709
options->ciphername_defined, options->authname,
1710
options->authname_defined, options->keysize, true, true);
1712
/* Initialize PRNG with config-specified digest */
1713
prng_init (options->prng_hash, options->prng_nonce_secret_len);
1715
/* CVE-2008-0166 (Debian weak key checks)
1716
* Obtain the modulus and bits from the certificate that was initialized,
1717
* and send that to openssl-vulnkey.
1719
ssl = SSL_new(c->c1.ks.ssl_ctx);
1726
cert = SSL_get_certificate(ssl);
1729
EVP_PKEY *pkey = X509_get_pubkey (cert);
1732
if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
1733
&& pkey->pkey.rsa->n != NULL)
1735
bits = BN_num_bits(pkey->pkey.rsa->n);
1736
bn = BN_bn2hex(pkey->pkey.rsa->n);
1738
else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
1739
&& pkey->pkey.dsa->p != NULL)
1741
bits = BN_num_bits(pkey->pkey.dsa->p);
1742
bn = BN_bn2hex(pkey->pkey.dsa->p);
1747
struct argv argv = argv_new ();
1748
argv_printf (&argv, "/usr/bin/openssl-vulnkey -q -b %d -m %s", bits, bn);
1750
msg (M_INFO, "/usr/bin/openssl-vulnkey -q -b %d -m <modulus omitted>", bits);
1751
ret = openvpn_execve (&argv, NULL, 0);
1752
if (WEXITSTATUS (ret) == 1)
1754
msg (M_WARN, "******* WARNING *******: '%s' is a known vulnerable key. See 'man openssl-vulnkey' for details.", options->priv_key_file);
1756
else if (WEXITSTATUS (ret) != 0)
1758
msg (M_WARN, "******* WARNING *******: '%s' cannot be verified as a non-vulnerable key. See 'man openssl-vulnkey' for details.", options->priv_key_file);
1762
EVP_PKEY_free (pkey);
1768
/* TLS handshake authentication (--tls-auth) */
1769
if (options->tls_auth_file)
1771
unsigned int flags = 0;
1772
const char *file = options->tls_auth_file;
1774
#if ENABLE_INLINE_FILES
1775
if (options->tls_auth_file_inline)
1777
flags |= GHK_INLINE;
1778
file = options->tls_auth_file_inline;
1781
get_tls_handshake_key (&c->c1.ks.key_type,
1782
&c->c1.ks.tls_auth_key,
1784
options->key_direction,
1788
#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
1789
if (options->priv_key_file_inline)
1791
string_clear (c->options.priv_key_file_inline);
1792
c->options.priv_key_file_inline = NULL;
1798
msg (M_INFO, "Re-using SSL/TLS context");
1803
do_init_crypto_tls (struct context *c, const unsigned int flags)
1805
const struct options *options = &c->options;
1806
struct tls_options to;
1807
bool packet_id_long_form;
1809
ASSERT (options->tls_server || options->tls_client);
1810
ASSERT (!options->test_crypto);
1812
init_crypto_pre (c, flags);
1814
/* Make sure we are either a TLS client or server but not both */
1815
ASSERT (options->tls_server == !options->tls_client);
1817
/* initialize persistent component */
1818
do_init_crypto_tls_c1 (c);
1822
/* Sanity check on IV, sequence number, and cipher mode options */
1823
check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1826
/* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
1827
packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type);
1829
/* Compute MTU parameters */
1830
crypto_adjust_frame_parameters (&c->c2.frame,
1832
options->ciphername_defined,
1834
options->replay, packet_id_long_form);
1835
tls_adjust_frame_parameters (&c->c2.frame);
1837
/* Set all command-line TLS-related options */
1840
to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
1841
if (packet_id_long_form)
1842
to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
1844
to.ssl_ctx = c->c1.ks.ssl_ctx;
1845
to.key_type = c->c1.ks.key_type;
1846
to.server = options->tls_server;
1847
to.key_method = options->key_method;
1848
to.replay = options->replay;
1849
to.replay_window = options->replay_window;
1850
to.replay_time = options->replay_time;
1851
to.transition_window = options->transition_window;
1852
to.handshake_window = options->handshake_window;
1853
to.packet_timeout = options->tls_timeout;
1854
to.renegotiate_bytes = options->renegotiate_bytes;
1855
to.renegotiate_packets = options->renegotiate_packets;
1856
to.renegotiate_seconds = options->renegotiate_seconds;
1857
to.single_session = options->single_session;
1859
/* should we not xmit any packets until we get an initial
1860
response from client? */
1861
if (to.server && options->ce.proto == PROTO_TCPv4_SERVER)
1862
to.xmit_hold = true;
1865
to.disable_occ = !options->occ;
1868
to.verify_command = options->tls_verify;
1869
to.verify_x509name = options->tls_remote;
1870
to.crl_file = options->crl_file;
1871
to.ns_cert_type = options->ns_cert_type;
1872
memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
1873
to.remote_cert_eku = options->remote_cert_eku;
1877
to.gremlin = c->options.gremlin;
1880
to.plugins = c->plugins;
1882
#ifdef MANAGEMENT_DEF_AUTH
1883
to.mda_context = &c->c2.mda_context;
1887
to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
1888
to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
1889
to.tmp_dir = options->tmp_dir;
1890
to.ssl_flags = options->ssl_flags;
1891
if (options->ccd_exclusive)
1892
to.client_config_dir_exclusive = options->client_config_dir;
1895
/* TLS handshake authentication (--tls-auth) */
1896
if (options->tls_auth_file)
1898
to.tls_auth_key = c->c1.ks.tls_auth_key;
1899
to.tls_auth.pid_persist = &c->c1.pid_persist;
1900
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
1901
crypto_adjust_frame_parameters (&to.frame,
1903
false, false, true, true);
1906
/* If we are running over TCP, allow for
1908
socket_adjust_frame_parameters (&to.frame, options->ce.proto);
1911
* Initialize OpenVPN's master TLS-mode object.
1913
if (flags & CF_INIT_TLS_MULTI)
1914
c->c2.tls_multi = tls_multi_init (&to);
1916
if (flags & CF_INIT_TLS_AUTH_STANDALONE)
1917
c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc);
1921
do_init_finalize_tls_frame (struct context *c)
1923
if (c->c2.tls_multi)
1925
tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame);
1926
ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <=
1927
EXPANDED_SIZE (&c->c2.frame));
1928
frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO,
1929
"Control Channel MTU parms");
1931
if (c->c2.tls_auth_standalone)
1933
tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame);
1934
frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
1935
"TLS-Auth MTU parms");
1939
#endif /* USE_SSL */
1940
#endif /* USE_CRYPTO */
1944
* No encryption or authentication.
1947
do_init_crypto_none (const struct context *c)
1949
ASSERT (!c->options.test_crypto);
1951
"******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1956
do_init_crypto (struct context *c, const unsigned int flags)
1959
if (c->options.shared_secret_file)
1960
do_init_crypto_static (c, flags);
1962
else if (c->options.tls_server || c->options.tls_client)
1963
do_init_crypto_tls (c, flags);
1965
else /* no encryption or authentication. */
1966
do_init_crypto_none (c);
1967
#else /* USE_CRYPTO */
1969
"******* WARNING *******: " PACKAGE_NAME
1970
" built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1971
#endif /* USE_CRYPTO */
1975
do_init_frame (struct context *c)
1979
* Initialize LZO compression library.
1981
if (c->options.lzo & LZO_SELECTED)
1983
lzo_adjust_frame_parameters (&c->c2.frame);
1986
* LZO usage affects buffer alignment.
1988
if (CIPHER_ENABLED (c))
1990
frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN);
1991
frame_or_align_flags (&c->c2.frame,
1992
FRAME_HEADROOM_MARKER_FRAGMENT
1993
|FRAME_HEADROOM_MARKER_DECRYPT);
1996
#ifdef ENABLE_FRAGMENT
1997
lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
2000
#endif /* USE_LZO */
2004
* Adjust frame size for UDP Socks support.
2006
if (c->options.ce.socks_proxy_server)
2007
socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
2011
* Adjust frame size based on the --tun-mtu-extra parameter.
2013
if (c->options.tun_mtu_extra_defined)
2014
tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra);
2017
* Adjust frame size based on link socket parameters.
2018
* (Since TCP is a stream protocol, we need to insert
2019
* a packet length uint16_t in the buffer.)
2021
socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
2024
* Fill in the blanks in the frame parameters structure,
2025
* make sure values are rational, etc.
2027
frame_finalize_options (c, NULL);
2029
#ifdef ENABLE_FRAGMENT
2031
* Set frame parameter for fragment code. This is necessary because
2032
* the fragmentation code deals with payloads which have already been
2033
* passed through the compression code.
2035
c->c2.frame_fragment = c->c2.frame;
2036
frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
2039
#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
2043
if (c->options.fragment && c->options.mtu_test)
2045
"WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
2048
#ifdef ENABLE_FRAGMENT
2049
if ((c->options.mssfix || c->options.fragment)
2050
&& TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)
2052
"WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
2053
ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment));
2058
do_option_warnings (struct context *c)
2060
const struct options *o = &c->options;
2062
#if 1 /* JYFIXME -- port warning */
2063
if (!o->ce.port_option_used && (o->ce.local_port == OPENVPN_PORT && o->ce.remote_port == OPENVPN_PORT))
2064
msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",
2068
if (o->ping_send_timeout && !o->ping_rec_timeout)
2069
msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
2071
if (o->username || o->groupname || o->chroot_dir
2073
|| o->selinux_context
2077
if (!o->persist_tun)
2078
msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
2080
#ifdef ENABLE_PKCS11
2084
msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
2087
if (o->chroot_dir && !(o->username && o->groupname))
2088
msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
2091
if (o->pull && o->ifconfig_local && c->first_time)
2092
msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
2095
if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
2096
msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
2098
if (o->mode == MODE_SERVER)
2100
if (o->duplicate_cn && o->client_config_dir)
2101
msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
2102
if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
2103
msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
2104
if (!o->keepalive_ping || !o->keepalive_timeout)
2105
msg (M_WARN, "WARNING: --keepalive option is missing from server config");
2112
msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
2114
msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
2118
warn_on_use_of_common_subnets ();
2122
&& !(o->ns_cert_type & NS_SSL_SERVER)
2123
&& !o->remote_cert_eku)
2124
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
2126
msg (M_WARN, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).");
2130
#ifndef CONNECT_NONBLOCK
2131
if (o->ce.connect_timeout_defined)
2132
msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
2135
if (script_security >= SSEC_SCRIPTS)
2136
msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
2137
else if (script_security >= SSEC_PW_ENV)
2138
msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
2140
msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
2142
if (script_method == SM_SYSTEM)
2143
msg (M_WARN, "NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion");
2147
do_init_frame_tls (struct context *c)
2149
#if defined(USE_CRYPTO) && defined(USE_SSL)
2150
do_init_finalize_tls_frame (c);
2154
struct context_buffers *
2155
init_context_buffers (const struct frame *frame)
2157
struct context_buffers *b;
2159
ALLOC_OBJ_CLEAR (b, struct context_buffers);
2161
b->read_link_buf = alloc_buf (BUF_SIZE (frame));
2162
b->read_tun_buf = alloc_buf (BUF_SIZE (frame));
2164
b->aux_buf = alloc_buf (BUF_SIZE (frame));
2167
b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
2168
b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
2172
b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame));
2173
b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame));
2180
free_context_buffers (struct context_buffers *b)
2184
free_buf (&b->read_link_buf);
2185
free_buf (&b->read_tun_buf);
2186
free_buf (&b->aux_buf);
2189
free_buf (&b->lzo_compress_buf);
2190
free_buf (&b->lzo_decompress_buf);
2194
free_buf (&b->encrypt_buf);
2195
free_buf (&b->decrypt_buf);
2203
* Now that we know all frame parameters, initialize
2207
do_init_buffers (struct context *c)
2209
c->c2.buffers = init_context_buffers (&c->c2.frame);
2210
c->c2.buffers_owned = true;
2213
#ifdef ENABLE_FRAGMENT
2215
* Fragmenting code has buffers to initialize
2216
* once frame parameters are known.
2219
do_init_fragment (struct context *c)
2221
ASSERT (c->options.fragment);
2222
frame_set_mtu_dynamic (&c->c2.frame_fragment,
2223
c->options.fragment, SET_MTU_UPPER_BOUND);
2224
fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);
2229
* Set the --mssfix option.
2232
do_init_mssfix (struct context *c)
2234
if (c->options.mssfix)
2236
frame_set_mtu_dynamic (&c->c2.frame,
2237
c->options.mssfix, SET_MTU_UPPER_BOUND);
2242
* Allocate our socket object.
2245
do_link_socket_new (struct context *c)
2247
ASSERT (!c->c2.link_socket);
2248
c->c2.link_socket = link_socket_new ();
2249
c->c2.link_socket_owned = true;
2253
* bind the TCP/UDP socket
2256
do_init_socket_1 (struct context *c, const int mode)
2258
unsigned int sockflags = c->options.sockflags;
2261
if (c->options.port_share_host && c->options.port_share_port)
2262
sockflags |= SF_PORT_SHARE;
2265
link_socket_init_phase1 (c->c2.link_socket,
2266
connection_list_defined (&c->options),
2267
c->options.ce.local,
2268
c->options.ce.local_port,
2269
c->options.ce.remote,
2270
c->options.ce.remote_port,
2271
c->options.ce.proto,
2274
#ifdef ENABLE_HTTP_PROXY
2283
c->options.ce.bind_local,
2284
c->options.ce.remote_float,
2286
&c->c1.link_socket_addr,
2287
c->options.ipchange,
2289
c->options.resolve_retry_seconds,
2290
c->options.ce.connect_retry_seconds,
2291
c->options.ce.connect_timeout,
2292
c->options.ce.connect_retry_max,
2293
c->options.mtu_discover_type,
2300
* finalize the TCP/UDP socket
2303
do_init_socket_2 (struct context *c)
2305
link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame,
2306
&c->sig->signal_received);
2313
do_print_data_channel_mtu_parms (struct context *c)
2315
frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
2316
#ifdef ENABLE_FRAGMENT
2318
frame_print (&c->c2.frame_fragment, D_MTU_INFO,
2319
"Fragmentation MTU parms");
2325
* Get local and remote options compatibility strings.
2328
do_compute_occ_strings (struct context *c)
2330
struct gc_arena gc = gc_new ();
2332
c->c2.options_string_local =
2333
options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
2334
c->c2.options_string_remote =
2335
options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
2337
msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local);
2338
msg (D_SHOW_OCC, "Expected Remote Options String: '%s'",
2339
c->c2.options_string_remote);
2342
msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
2343
options_string_version (c->c2.options_string_local, &gc),
2344
md5sum ((uint8_t*)c->c2.options_string_local,
2345
strlen (c->c2.options_string_local), 9, &gc));
2346
msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
2347
options_string_version (c->c2.options_string_remote, &gc),
2348
md5sum ((uint8_t*)c->c2.options_string_remote,
2349
strlen (c->c2.options_string_remote), 9, &gc));
2352
#if defined(USE_CRYPTO) && defined(USE_SSL)
2353
if (c->c2.tls_multi)
2354
tls_multi_init_set_options (c->c2.tls_multi,
2355
c->c2.options_string_local,
2356
c->c2.options_string_remote);
2364
* These things can only be executed once per program instantiation.
2365
* Set up for possible UID/GID downgrade, but don't do it yet.
2366
* Daemonize if requested.
2369
do_init_first_time (struct context *c)
2371
if (c->first_time && !c->did_we_daemonize && !c->c0)
2373
struct context_0 *c0;
2375
ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc);
2378
/* get user and/or group that we want to setuid/setgid to */
2379
c0->uid_gid_specified =
2380
get_group (c->options.groupname, &c0->group_state) |
2381
get_user (c->options.username, &c0->user_state);
2383
/* get --writepid file descriptor */
2384
get_pid_file (c->options.writepid, &c0->pid_state);
2386
/* become a daemon if --daemon */
2387
c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
2389
/* should we disable paging? */
2390
if (c->options.mlock && c->did_we_daemonize)
2391
do_mlockall (true); /* call again in case we daemonized */
2393
/* save process ID in a file */
2394
write_pid (&c0->pid_state);
2396
/* should we change scheduling priority? */
2397
set_nice (c->options.nice);
2402
* If xinetd/inetd mode, don't allow restart.
2405
do_close_check_if_restart_permitted (struct context *c)
2407
if (c->options.inetd
2408
&& (c->sig->signal_received == SIGHUP
2409
|| c->sig->signal_received == SIGUSR1))
2411
c->sig->signal_received = SIGTERM;
2414
" started by inetd/xinetd cannot restart... Exiting.");
2422
do_close_free_buf (struct context *c)
2424
if (c->c2.buffers_owned)
2426
free_context_buffers (c->c2.buffers);
2427
c->c2.buffers = NULL;
2428
c->c2.buffers_owned = false;
2436
do_close_tls (struct context *c)
2438
#if defined(USE_CRYPTO) && defined(USE_SSL)
2439
if (c->c2.tls_multi)
2441
tls_multi_free (c->c2.tls_multi, true);
2442
c->c2.tls_multi = NULL;
2446
/* free options compatibility strings */
2447
if (c->c2.options_string_local)
2448
free (c->c2.options_string_local);
2449
if (c->c2.options_string_remote)
2450
free (c->c2.options_string_remote);
2451
c->c2.options_string_local = c->c2.options_string_remote = NULL;
2457
* Free key schedules
2460
do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
2462
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
2463
key_schedule_free (&c->c1.ks, free_ssl_ctx);
2467
* Close TCP/UDP connection
2470
do_close_link_socket (struct context *c)
2472
if (c->c2.link_socket && c->c2.link_socket_owned)
2474
link_socket_close (c->c2.link_socket);
2475
c->c2.link_socket = NULL;
2478
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
2480
CLEAR (c->c1.link_socket_addr.remote);
2481
CLEAR (c->c1.link_socket_addr.actual);
2484
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
2485
CLEAR (c->c1.link_socket_addr.local);
2489
* Close packet-id persistance file
2492
do_close_packet_id (struct context *c)
2495
packet_id_free (&c->c2.packet_id);
2496
packet_id_persist_save (&c->c1.pid_persist);
2497
if (!(c->sig->signal_received == SIGUSR1))
2498
packet_id_persist_close (&c->c1.pid_persist);
2502
#ifdef ENABLE_FRAGMENT
2504
* Close fragmentation handler.
2507
do_close_fragment (struct context *c)
2511
fragment_free (c->c2.fragment);
2512
c->c2.fragment = NULL;
2518
* Open and close our event objects.
2522
do_event_set_init (struct context *c,
2523
bool need_us_timeout)
2525
unsigned int flags = 0;
2527
c->c2.event_set_max = BASE_N_EVENTS;
2529
flags |= EVENT_METHOD_FAST;
2531
if (need_us_timeout)
2532
flags |= EVENT_METHOD_US_TIMEOUT;
2534
c->c2.event_set = event_set_init (&c->c2.event_set_max, flags);
2535
c->c2.event_set_owned = true;
2539
do_close_event_set (struct context *c)
2541
if (c->c2.event_set && c->c2.event_set_owned)
2543
event_free (c->c2.event_set);
2544
c->c2.event_set = NULL;
2545
c->c2.event_set_owned = false;
2550
* Open and close --status file
2554
do_open_status_output (struct context *c)
2556
if (!c->c1.status_output)
2558
c->c1.status_output = status_open (c->options.status_file,
2559
c->options.status_file_update_freq,
2562
STATUS_OUTPUT_WRITE);
2563
c->c1.status_output_owned = true;
2568
do_close_status_output (struct context *c)
2570
if (!(c->sig->signal_received == SIGUSR1))
2572
if (c->c1.status_output_owned && c->c1.status_output)
2574
status_close (c->c1.status_output);
2575
c->c1.status_output = NULL;
2576
c->c1.status_output_owned = false;
2582
* Handle ifconfig-pool persistance object.
2585
do_open_ifconfig_pool_persist (struct context *c)
2588
if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
2590
c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename,
2591
c->options.ifconfig_pool_persist_refresh_freq);
2592
c->c1.ifconfig_pool_persist_owned = true;
2598
do_close_ifconfig_pool_persist (struct context *c)
2601
if (!(c->sig->signal_received == SIGUSR1))
2603
if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
2605
ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist);
2606
c->c1.ifconfig_pool_persist = NULL;
2607
c->c1.ifconfig_pool_persist_owned = false;
2614
* Inherit environmental variables
2618
do_inherit_env (struct context *c, const struct env_set *src)
2620
c->c2.es = env_set_create (NULL);
2621
c->c2.es_owned = true;
2622
env_set_inherit (c->c2.es, src);
2626
do_env_set_destroy (struct context *c)
2628
if (c->c2.es && c->c2.es_owned)
2630
env_set_destroy (c->c2.es);
2632
c->c2.es_owned = false;
2637
* Fast I/O setup. Fast I/O is an optimization which only works
2638
* if all of the following are true:
2640
* (1) The platform is not Windows
2641
* (2) --proto udp is enabled
2642
* (3) --shaper is disabled
2645
do_setup_fast_io (struct context *c)
2647
if (c->options.fast_io)
2650
msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
2652
if (c->options.ce.proto != PROTO_UDPv4)
2653
msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
2656
#ifdef HAVE_GETTIMEOFDAY
2657
if (c->options.shaper)
2658
msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
2662
c->c2.fast_io = true;
2670
do_signal_on_tls_errors (struct context *c)
2672
#if defined(USE_CRYPTO) && defined(USE_SSL)
2673
if (c->options.tls_exit)
2674
c->c2.tls_exit_signal = SIGTERM;
2676
c->c2.tls_exit_signal = SIGUSR1;
2680
#ifdef ENABLE_PLUGIN
2683
init_plugins (struct context *c)
2685
if (c->options.plugin_list && !c->plugins)
2687
c->plugins = plugin_list_init (c->options.plugin_list);
2688
c->plugins_owned = true;
2693
open_plugins (struct context *c, const bool import_options, int init_point)
2695
if (c->plugins && c->plugins_owned)
2699
struct plugin_return pr, config;
2700
plugin_return_init (&pr);
2701
plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
2702
plugin_return_get_column (&pr, &config, "config");
2703
if (plugin_return_defined (&config))
2706
for (i = 0; i < config.n; ++i)
2708
unsigned int option_types_found = 0;
2709
if (config.list[i] && config.list[i]->value)
2710
options_string_import (&c->options,
2711
config.list[i]->value,
2712
D_IMPORT_ERRORS|M_OPTERR,
2713
OPT_P_DEFAULT & ~OPT_P_PLUGIN,
2714
&option_types_found,
2718
plugin_return_free (&pr);
2722
plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
2728
do_close_plugins (struct context *c)
2730
if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
2732
plugin_list_close (c->plugins);
2734
c->plugins_owned = false;
2739
do_inherit_plugins (struct context *c, const struct context *src)
2741
if (!c->plugins && src->plugins)
2743
c->plugins = plugin_list_inherit (src->plugins);
2744
c->plugins_owned = true;
2750
#ifdef ENABLE_MANAGEMENT
2753
management_callback_status_p2p (void *arg, const int version, struct status_output *so)
2755
struct context *c = (struct context *) arg;
2756
print_status (c, so);
2760
management_show_net_callback (void *arg, const int msglevel)
2763
show_routes (msglevel);
2764
show_adapters (msglevel);
2765
msg (msglevel, "END");
2767
msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
2774
init_management_callback_p2p (struct context *c)
2776
#ifdef ENABLE_MANAGEMENT
2779
struct management_callback cb;
2782
cb.status = management_callback_status_p2p;
2783
cb.show_net = management_show_net_callback;
2784
management_set_callback (management, &cb);
2789
#ifdef ENABLE_MANAGEMENT
2792
init_management (struct context *c)
2795
management = management_init ();
2799
open_management (struct context *c)
2801
/* initialize management layer */
2804
if (c->options.management_addr)
2806
unsigned int flags = c->options.management_flags;
2807
if (c->options.mode == MODE_SERVER)
2809
if (management_open (management,
2810
c->options.management_addr,
2811
c->options.management_port,
2812
c->options.management_user_pass,
2813
c->options.management_client_user,
2814
c->options.management_client_group,
2815
c->options.management_log_history_cache,
2816
c->options.management_echo_buffer_size,
2817
c->options.management_state_buffer_size,
2818
c->options.management_write_peer_info_file,
2819
c->options.remap_sigusr1,
2822
management_set_state (management,
2823
OPENVPN_STATE_CONNECTING,
2829
/* initial management hold, called early, before first context initialization */
2833
msg (M_WARN, "Signal received from management interface, exiting");
2838
close_management ();
2844
close_management (void)
2848
management_close (management);
2857
uninit_management_callback (void)
2859
#ifdef ENABLE_MANAGEMENT
2862
management_clear_callback (management);
2868
* Initialize a tunnel instance, handle pre and post-init
2872
init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags)
2874
pre_init_signal_catch ();
2875
init_instance (c, env, flags);
2876
post_init_signal_catch ();
2879
* This is done so that signals thrown during
2880
* initialization can bring us back to
2881
* a management hold.
2886
uninit_management_callback ();
2891
* Initialize a tunnel instance.
2894
init_instance (struct context *c, const struct env_set *env, const unsigned int flags)
2896
const struct options *options = &c->options;
2897
const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
2898
int link_socket_mode = LS_MODE_DEFAULT;
2900
/* init garbage collection level */
2901
gc_init (&c->c2.gc);
2903
/* signals caught here will abort */
2904
c->sig->signal_received = 0;
2905
c->sig->signal_text = NULL;
2906
c->sig->hard = false;
2908
/* map in current connection entry */
2909
next_connection_entry (c);
2911
/* link_socket_mode allows CM_CHILD_TCP
2912
instances to inherit acceptable fds
2913
from a top-level parent */
2914
if (c->options.ce.proto == PROTO_TCPv4_SERVER)
2916
if (c->mode == CM_TOP)
2917
link_socket_mode = LS_MODE_TCP_LISTEN;
2918
else if (c->mode == CM_CHILD_TCP)
2919
link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
2922
/* should we disable paging? */
2923
if (c->first_time && options->mlock)
2926
/* possible sleep or management hold if restart */
2927
if (c->mode == CM_P2P || c->mode == CM_TOP)
2929
do_startup_pause (c);
2935
/* get passwords if undefined */
2936
if (auth_retry_get () == AR_INTERACT)
2937
init_query_passwords (c);
2940
/* initialize context level 2 --verb/--mute parms */
2941
init_verb_mute (c, IVM_LEVEL_2);
2943
/* set error message delay for non-server modes */
2944
if (c->mode == CM_P2P)
2945
set_check_status_error_delay (P2P_ERROR_DELAY_MS);
2947
/* warn about inconsistent options */
2948
if (c->mode == CM_P2P || c->mode == CM_TOP)
2949
do_option_warnings (c);
2951
/* inherit environmental variables */
2953
do_inherit_env (c, env);
2955
#ifdef ENABLE_PLUGIN
2956
/* initialize plugins */
2957
if (c->mode == CM_P2P || c->mode == CM_TOP)
2958
open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
2961
/* should we enable fast I/O? */
2962
if (c->mode == CM_P2P || c->mode == CM_TOP)
2963
do_setup_fast_io (c);
2965
/* should we throw a signal on TLS errors? */
2966
do_signal_on_tls_errors (c);
2968
/* open --status file */
2969
if (c->mode == CM_P2P || c->mode == CM_TOP)
2970
do_open_status_output (c);
2972
/* open --ifconfig-pool-persist file */
2973
if (c->mode == CM_TOP)
2974
do_open_ifconfig_pool_persist (c);
2977
/* reset OCC state */
2978
if (c->mode == CM_P2P || child)
2979
c->c2.occ_op = occ_reset_op ();
2982
/* our wait-for-i/o objects, different for posix vs. win32 */
2983
if (c->mode == CM_P2P)
2984
do_event_set_init (c, SHAPER_DEFINED (&c->options));
2985
else if (c->mode == CM_CHILD_TCP)
2986
do_event_set_init (c, false);
2988
/* initialize HTTP or SOCKS proxy object at scope level 2 */
2991
/* allocate our socket object */
2992
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2993
do_link_socket_new (c);
2995
#ifdef ENABLE_FRAGMENT
2996
/* initialize internal fragmentation object */
2997
if (options->fragment && (c->mode == CM_P2P || child))
2998
c->c2.fragment = fragment_init (&c->c2.frame);
3001
/* init crypto layer */
3003
unsigned int crypto_flags = 0;
3004
if (c->mode == CM_TOP)
3005
crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
3006
else if (c->mode == CM_P2P)
3007
crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
3009
crypto_flags = CF_INIT_TLS_MULTI;
3010
do_init_crypto (c, crypto_flags);
3011
if (IS_SIG (c) && !child)
3016
/* initialize LZO compression library. */
3017
if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child))
3018
lzo_compress_init (&c->c2.lzo_compwork, options->lzo);
3021
/* initialize MTU variables */
3024
/* initialize TLS MTU variables */
3025
do_init_frame_tls (c);
3027
/* init workspace buffers whose size is derived from frame size */
3028
if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
3029
do_init_buffers (c);
3031
#ifdef ENABLE_FRAGMENT
3032
/* initialize internal fragmentation capability with known frame size */
3033
if (options->fragment && (c->mode == CM_P2P || child))
3034
do_init_fragment (c);
3037
/* initialize dynamic MTU variable */
3040
/* bind the TCP/UDP socket */
3041
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
3042
do_init_socket_1 (c, link_socket_mode);
3044
/* initialize tun/tap device object,
3045
open tun/tap device, ifconfig, run up script, etc. */
3046
if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
3047
c->c2.did_open_tun = do_open_tun (c);
3049
/* print MTU info */
3050
do_print_data_channel_mtu_parms (c);
3053
/* get local and remote options compatibility strings */
3054
if (c->mode == CM_P2P || child)
3055
do_compute_occ_strings (c);
3058
/* initialize output speed limiter */
3059
if (c->mode == CM_P2P)
3060
do_init_traffic_shaper (c);
3062
/* do one-time inits, and possibily become a daemon here */
3063
do_init_first_time (c);
3065
#ifdef ENABLE_PLUGIN
3066
/* initialize plugins */
3067
if (c->mode == CM_P2P || c->mode == CM_TOP)
3068
open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
3072
* Actually do UID/GID downgrade, and chroot, if requested.
3073
* May be delayed by --client, --pull, or --up-delay.
3075
do_uid_gid_chroot (c, c->c2.did_open_tun);
3077
/* finalize the TCP/UDP socket */
3078
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
3079
do_init_socket_2 (c);
3081
/* initialize timers */
3082
if (c->mode == CM_P2P || child)
3083
do_init_timers (c, false);
3085
#ifdef ENABLE_PLUGIN
3086
/* initialize plugins */
3087
if (c->mode == CM_P2P || c->mode == CM_TOP)
3088
open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
3092
/* share OpenVPN port with foreign (such as HTTPS) server */
3093
if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
3094
init_port_share (c);
3099
pf_init_context (c);
3102
/* Check for signals */
3109
if (!c->sig->signal_text)
3110
c->sig->signal_text = "init_instance";
3111
close_context (c, -1, flags);
3116
* Close a tunnel instance.
3119
close_instance (struct context *c)
3121
/* close event objects */
3122
do_close_event_set (c);
3124
if (c->mode == CM_P2P
3125
|| c->mode == CM_CHILD_TCP
3126
|| c->mode == CM_CHILD_UDP
3127
|| c->mode == CM_TOP)
3129
/* if xinetd/inetd mode, don't allow restart */
3130
do_close_check_if_restart_permitted (c);
3133
if (lzo_defined (&c->c2.lzo_compwork))
3134
lzo_compress_uninit (&c->c2.lzo_compwork);
3138
do_close_free_buf (c);
3143
/* free key schedules */
3144
do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP));
3146
/* close TCP/UDP connection */
3147
do_close_link_socket (c);
3149
/* close TUN/TAP device */
3150
do_close_tun (c, false);
3152
#ifdef MANAGEMENT_DEF_AUTH
3154
management_notify_client_close (management, &c->c2.mda_context, NULL);
3158
pf_destroy_context (&c->c2.pf);
3161
#ifdef ENABLE_PLUGIN
3162
/* call plugin close functions and unload */
3163
do_close_plugins (c);
3166
/* close packet-id persistance file */
3167
do_close_packet_id (c);
3169
/* close --status file */
3170
do_close_status_output (c);
3172
#ifdef ENABLE_FRAGMENT
3173
/* close fragmentation handler */
3174
do_close_fragment (c);
3177
/* close --ifconfig-pool-persist obj */
3178
do_close_ifconfig_pool_persist (c);
3180
/* free up environmental variable store */
3181
do_env_set_destroy (c);
3183
/* close HTTP or SOCKS proxy */
3186
/* garbage collect */
3187
gc_free (&c->c2.gc);
3192
inherit_context_child (struct context *dest,
3193
const struct context *src)
3197
switch (src->options.ce.proto)
3200
dest->mode = CM_CHILD_UDP;
3202
case PROTO_TCPv4_SERVER:
3203
dest->mode = CM_CHILD_TCP;
3209
dest->gc = gc_new ();
3211
ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
3214
packet_id_persist_init (&dest->c1.pid_persist);
3217
dest->c1.ks.key_type = src->c1.ks.key_type;
3219
/* inherit SSL context */
3220
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
3221
dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
3226
dest->options = src->options;
3227
options_detach (&dest->options);
3229
if (dest->mode == CM_CHILD_TCP)
3232
* The CM_TOP context does the socket listen(),
3233
* and the CM_CHILD_TCP context does the accept().
3235
dest->c2.accept_from = src->c2.link_socket;
3238
#ifdef ENABLE_PLUGIN
3239
/* inherit plugins */
3240
do_inherit_plugins (dest, src);
3244
init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
3248
/* inherit tun/tap interface object */
3249
dest->c1.tuntap = src->c1.tuntap;
3251
/* UDP inherits some extra things which TCP does not */
3252
if (dest->mode == CM_CHILD_UDP)
3254
/* inherit buffers */
3255
dest->c2.buffers = src->c2.buffers;
3257
/* inherit parent link_socket and tuntap */
3258
dest->c2.link_socket = src->c2.link_socket;
3260
ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
3261
*dest->c2.link_socket_info = src->c2.link_socket->info;
3263
/* locally override some link_socket_info fields */
3264
dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
3265
dest->c2.link_socket_info->connection_established = false;
3270
inherit_context_top (struct context *dest,
3271
const struct context *src)
3277
* CM_TOP_CLONE will prevent close_instance from freeing or closing
3278
* resources owned by the parent.
3280
* Also note that CM_TOP_CLONE context objects are
3281
* closed by multi_top_free in multi.c.
3283
dest->mode = CM_TOP_CLONE;
3285
dest->first_time = false;
3288
options_detach (&dest->options);
3289
gc_detach (&dest->gc);
3290
gc_detach (&dest->c2.gc);
3292
/* detach plugins */
3293
dest->plugins_owned = false;
3295
#if defined(USE_CRYPTO) && defined(USE_SSL)
3296
dest->c2.tls_multi = NULL;
3299
/* detach c1 ownership */
3300
dest->c1.tuntap_owned = false;
3301
dest->c1.status_output_owned = false;
3303
dest->c1.ifconfig_pool_persist_owned = false;
3306
/* detach c2 ownership */
3307
dest->c2.event_set_owned = false;
3308
dest->c2.link_socket_owned = false;
3309
dest->c2.buffers_owned = false;
3310
dest->c2.es_owned = false;
3312
dest->c2.event_set = NULL;
3313
if (src->options.ce.proto == PROTO_UDPv4)
3314
do_event_set_init (dest, false);
3318
close_context (struct context *c, int sig, unsigned int flags)
3324
c->sig->signal_received = sig;
3326
if (c->sig->signal_received == SIGUSR1)
3328
if ((flags & CC_USR1_TO_HUP)
3329
|| (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP)))
3330
c->sig->signal_received = SIGHUP;
3333
if (!(flags & CC_NO_CLOSE))
3336
if (flags & CC_GC_FREE)
3337
context_gc_free (c);
3346
msg (M_INFO, "Multithreaded malloc test...");
3347
for (i = 0; i < 25; ++i)
3349
struct gc_arena gc = gc_new ();
3350
const int limit = get_random () & 0x03FF;
3351
for (j = 0; j < limit; ++j)
3353
gc_malloc (get_random () & 0x03FF, false, &gc);
3360
* Do a loopback test
3361
* on the crypto subsystem.
3364
test_crypto_thread (void *arg)
3366
struct context *c = (struct context *) arg;
3367
const struct options *options = &c->options;
3368
#if defined(USE_PTHREAD)
3369
struct context *child = NULL;
3370
openvpn_thread_t child_id = 0;
3373
ASSERT (options->test_crypto);
3374
init_verb_mute (c, IVM_LEVEL_1);
3376
do_init_crypto_static (c, 0);
3378
#if defined(USE_PTHREAD)
3380
if (c->first_time && options->n_threads > 1)
3382
if (options->n_threads > 2)
3383
msg (M_FATAL, "ERROR: --test-crypto option only works with --threads set to 1 or 2");
3384
openvpn_thread_init ();
3385
ALLOC_OBJ (child, struct context);
3386
context_clear (child);
3387
child->options = *options;
3388
options_detach (&child->options);
3389
child->first_time = false;
3390
child_id = openvpn_thread_create (test_crypto_thread, (void *) child);
3394
frame_finalize_options (c, options);
3396
#if defined(USE_PTHREAD)
3397
if (options->n_threads == 2)
3401
test_crypto (&c->c2.crypto_options, &c->c2.frame);
3403
key_schedule_free (&c->c1.ks, true);
3404
packet_id_free (&c->c2.packet_id);
3406
#if defined(USE_PTHREAD)
3407
if (c->first_time && options->n_threads > 1)
3408
openvpn_thread_join (child_id);
3412
context_gc_free (c);
3419
do_test_crypto (const struct options *o)
3426
/* print version number */
3427
msg (M_INFO, "%s", title_string);
3431
options_detach (&c.options);
3432
c.first_time = true;
3433
test_crypto_thread ((void *) &c);