Context Navigation

Back to Ticket #574

Ticket #574: init.c

File init.c, 94.4 KB (added by breakfastfish, 9 years ago)

Line
1	/*
2	* OpenVPN -- An application to securely tunnel IP networks
3	* over a single TCP/UDP port, with support for SSL/TLS-based
4	* session authentication and key exchange,
5	* packet encryption, packet authentication, and
6	* packet compression.
7	*
8	* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9	*
10	* This program is free software; you can redistribute it and/or modify
11	* it under the terms of the GNU General Public License version 2
12	* as published by the Free Software Foundation.
13	*
14	* This program is distributed in the hope that it will be useful,
15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	* GNU General Public License for more details.
18	*
19	* You should have received a copy of the GNU General Public License
20	* along with this program (see the file COPYING included with this
21	* distribution); if not, write to the Free Software Foundation, Inc.,
22	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23	*/
24
25	#ifdef HAVE_CONFIG_H
26	#include "config.h"
27	#elif defined(_MSC_VER)
28	#include "config-msvc.h"
29	#endif
30
31	#include "syshead.h"
32
33	#include "win32.h"
34	#include "init.h"
35	#include "sig.h"
36	#include "occ.h"
37	#include "list.h"
38	#include "otime.h"
39	#include "pool.h"
40	#include "gremlin.h"
41	#include "pkcs11.h"
42	#include "ps.h"
43	#include "lladdr.h"
44	#include "ping.h"
45	#include "mstats.h"
46
47	#include "memdbg.h"
48
49	#include "occ-inline.h"
50
51	static struct context static_context; / GLOBAL */
52
53	/*
54	* Crypto initialization flags
55	*/
56	#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
57	#define CF_INIT_TLS_MULTI (1<<1)
58	#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
59
60	static void do_init_first_time (struct context *c);
61
62	void
63	context_clear (struct context *c)
64	{
65	CLEAR (*c);
66	}
67
68	void
69	context_clear_1 (struct context *c)
70	{
71	CLEAR (c->c1);
72	}
73
74	void
75	context_clear_2 (struct context *c)
76	{
77	CLEAR (c->c2);
78	}
79
80	void
81	context_clear_all_except_first_time (struct context *c)
82	{
83	const bool first_time_save = c->first_time;
84	const struct context_persist cpsave = c->persist;
85	context_clear (c);
86	c->first_time = first_time_save;
87	c->persist = cpsave;
88	}
89
90	/*
91	* Should be called after options->ce is modified at the top
92	* of a SIGUSR1 restart.
93	*/
94	static void
95	update_options_ce_post (struct options *options)
96	{
97	#if P2MP
98	/*
99	* In pull mode, we usually import --ping/--ping-restart parameters from
100	* the server. However we should also set an initial default --ping-restart
101	* for the period of time before we pull the --ping-restart parameter
102	* from the server.
103	*/
104	if (options->pull
105	&& options->ping_rec_timeout_action == PING_UNDEF
106	&& proto_is_dgram(options->ce.proto))
107	{
108	options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
109	options->ping_rec_timeout_action = PING_RESTART;
110	}
111	#endif
112	}
113
114	#ifdef ENABLE_MANAGEMENT
115	static bool
116	management_callback_proxy_cmd (void arg, const char *p)
117	{
118	struct context *c = arg;
119	struct connection_entry *ce = &c->options.ce;
120	struct gc_arena *gc = &c->c2.gc;
121	bool ret = false;
122
123	update_time();
124	if (streq (p[1], "NONE"))
125	ret = true;
126	else if (p[2] && p[3])
127	{
128	const int port = atoi(p[3]);
129	if (!legal_ipv4_port (port))
130	{
131	msg (M_WARN, "Bad proxy port number: %s", p[3]);
132	return false;
133	}
134
135	if (streq (p[1], "HTTP"))
136	{
137	#ifndef ENABLE_HTTP_PROXY
138	msg (M_WARN, "HTTP proxy support is not available");
139	#else
140	struct http_proxy_options *ho;
141	if (ce->proto != PROTO_TCPv4 && ce->proto != PROTO_TCPv4_CLIENT &&
142	ce->proto != PROTO_TCPv6 && ce->proto != PROTO_TCPv6_CLIENT)
143	{
144	msg (M_WARN, "HTTP proxy support only works for TCP based connections");
145	return false;
146	}
147	ho = init_http_proxy_options_once (&ce->http_proxy_options, gc);
148	ho->server = string_alloc (p[2], gc);
149	ho->port = port;
150	ho->retry = true;
151	ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL);
152	ret = true;
153	#endif
154	}
155	else if (streq (p[1], "SOCKS"))
156	{
157	#ifndef ENABLE_SOCKS
158	msg (M_WARN, "SOCKS proxy support is not available");
159	#else
160	ce->socks_proxy_server = string_alloc (p[2], gc);
161	ce->socks_proxy_port = port;
162	ret = true;
163	#endif
164	}
165	}
166	else
167	msg (M_WARN, "Bad proxy command");
168
169	ce->flags &= ~CE_MAN_QUERY_PROXY;
170
171	return ret;
172	}
173
174	static bool
175	ce_management_query_proxy (struct context *c)
176	{
177	const struct connection_list *l = c->options.connection_list;
178	struct connection_entry *ce = &c->options.ce;
179	struct gc_arena gc;
180	bool ret = true;
181
182	update_time();
183	if (management)
184	{
185	gc = gc_new ();
186	{
187	struct buffer out = alloc_buf_gc (256, &gc);
188	buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
189	(proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote));
190	management_notify_generic (management, BSTR (&out));
191	}
192	ce->flags \|= CE_MAN_QUERY_PROXY;
193	while (ce->flags & CE_MAN_QUERY_PROXY)
194	{
195	management_event_loop_n_seconds (management, 1);
196	if (IS_SIG (c))
197	{
198	ret = false;
199	break;
200	}
201	}
202	gc_free (&gc);
203	}
204
205	return ret;
206	}
207
208
209	static bool
210	management_callback_remote_cmd (void arg, const char *p)
211	{
212	struct context c = (struct context ) arg;
213	struct connection_entry *ce = &c->options.ce;
214	int ret = false;
215	if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
216	{
217	int flags = 0;
218	if (!strcmp(p[1], "ACCEPT"))
219	{
220	flags = CE_MAN_QUERY_REMOTE_ACCEPT;
221	ret = true;
222	}
223	else if (!strcmp(p[1], "SKIP"))
224	{
225	flags = CE_MAN_QUERY_REMOTE_SKIP;
226	ret = true;
227	}
228	else if (!strcmp(p[1], "MOD") && p[2] && p[3])
229	{
230	const int port = atoi(p[3]);
231	if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port))
232	{
233	struct remote_host_store *rhs = c->options.rh_store;
234	if (!rhs)
235	{
236	ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc);
237	c->options.rh_store = rhs;
238	}
239	strncpynt(rhs->host, p[2], RH_HOST_LEN);
240	ce->remote = rhs->host;
241	ce->remote_port = port;
242	flags = CE_MAN_QUERY_REMOTE_MOD;
243	ret = true;
244	}
245	}
246	if (ret)
247	{
248	ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
249	ce->flags \|= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
250	}
251	}
252	return ret;
253	}
254
255	static bool
256	ce_management_query_remote (struct context c, const char remote_ip_hint)
257	{
258	struct gc_arena gc = gc_new ();
259	volatile struct connection_entry *ce = &c->options.ce;
260	int ret = true;
261	update_time();
262	if (management)
263	{
264	struct buffer out = alloc_buf_gc (256, &gc);
265	buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false));
266	management_notify_generic(management, BSTR (&out));
267	ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
268	ce->flags \|= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);
269	while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
270	{
271	management_event_loop_n_seconds (management, 1);
272	if (IS_SIG (c))
273	{
274	ret = false;
275	break;
276	}
277	}
278	}
279	{
280	const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
281	if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint)
282	ce->remote = remote_ip_hint;
283	ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);
284	}
285	gc_free (&gc);
286	return ret;
287	}
288	#endif /* ENABLE_MANAGEMENT */
289
290	/*
291	* Initialize and possibly randomize connection list.
292	*/
293	static void
294	init_connection_list (struct context *c)
295	{
296	struct connection_list *l = c->options.connection_list;
297	if (l)
298	{
299	l->current = -1;
300	if (c->options.remote_random)
301	{
302	int i;
303	for (i = 0; i < l->len; ++i)
304	{
305	const int j = get_random () % l->len;
306	if (i != j)
307	{
308	struct connection_entry *tmp;
309	tmp = l->array[i];
310	l->array[i] = l->array[j];
311	l->array[j] = tmp;
312	}
313	}
314	}
315	}
316	}
317
318	/*
319	* Increment to next connection entry
320	*/
321	static void
322	next_connection_entry (struct context *c)
323	{
324	struct connection_list *l = c->options.connection_list;
325	if (l)
326	{
327	bool ce_defined;
328	struct connection_entry *ce;
329	int n_cycles = 0;
330
331	do {
332	const char *remote_ip_hint = NULL;
333	bool newcycle = false;
334
335	ce_defined = true;
336	if (l->no_advance && l->current >= 0)
337	{
338	l->no_advance = false;
339	}
340	else
341	{
342	if (++l->current >= l->len)
343	{
344	l->current = 0;
345	++l->n_cycles;
346	if (++n_cycles >= 2)
347	msg (M_FATAL, "No usable connection profiles are present");
348	}
349
350	if (l->current == 0)
351	newcycle = true;
352	}
353
354	ce = l->array[l->current];
355
356	if (c->options.remote_ip_hint && !l->n_cycles)
357	remote_ip_hint = c->options.remote_ip_hint;
358
359	if (ce->flags & CE_DISABLED)
360	ce_defined = false;
361
362	c->options.ce = *ce;
363	#ifdef ENABLE_MANAGEMENT
364	if (ce_defined && management && management_query_remote_enabled(management))
365	{
366	/* allow management interface to override connection entry details */
367	ce_defined = ce_management_query_remote(c, remote_ip_hint);
368	if (IS_SIG (c))
369	break;
370	}
371	else
372	#endif
373	if (remote_ip_hint)
374	c->options.ce.remote = remote_ip_hint;
375
376	#ifdef ENABLE_MANAGEMENT
377	if (ce_defined && management && management_query_proxy_enabled (management))
378	{
379	ce_defined = ce_management_query_proxy (c);
380	if (IS_SIG (c))
381	break;
382	}
383	#endif
384	} while (!ce_defined);
385	}
386	update_options_ce_post (&c->options);
387	}
388
389	/*
390	* Query for private key and auth-user-pass username/passwords
391	*/
392	void
393	init_query_passwords (const struct context *c)
394	{
395	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
396	/* Certificate password input */
397	if (c->options.key_pass_file)
398	pem_password_setup (c->options.key_pass_file);
399	#endif
400
401	#if P2MP
402	/* Auth user/pass input */
403	if (c->options.auth_user_pass_file)
404	{
405	#ifdef ENABLE_CLIENT_CR
406	auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info);
407	#else
408	auth_user_pass_setup (c->options.auth_user_pass_file, NULL);
409	#endif
410	}
411	#endif
412	}
413
414	/*
415	* Initialize/Uninitialize HTTP or SOCKS proxy
416	*/
417
418	#ifdef GENERAL_PROXY_SUPPORT
419
420	static int
421	proxy_scope (struct context *c)
422	{
423	return connection_list_defined (&c->options) ? 2 : 1;
424	}
425
426	static void
427	uninit_proxy_dowork (struct context *c)
428	{
429	#ifdef ENABLE_HTTP_PROXY
430	if (c->c1.http_proxy_owned && c->c1.http_proxy)
431	{
432	http_proxy_close (c->c1.http_proxy);
433	c->c1.http_proxy = NULL;
434	c->c1.http_proxy_owned = false;
435	}
436	#endif
437	#ifdef ENABLE_SOCKS
438	if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
439	{
440	socks_proxy_close (c->c1.socks_proxy);
441	c->c1.socks_proxy = NULL;
442	c->c1.socks_proxy_owned = false;
443	}
444	#endif
445	}
446
447	static void
448	init_proxy_dowork (struct context *c)
449	{
450	#ifdef ENABLE_HTTP_PROXY
451	bool did_http = false;
452	#else
453	const bool did_http = false;
454	#endif
455
456	uninit_proxy_dowork (c);
457
458	#ifdef ENABLE_HTTP_PROXY
459	if (c->options.ce.http_proxy_options)
460	{
461	/* Possible HTTP proxy user/pass input */
462	c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options);
463	if (c->c1.http_proxy)
464	{
465	did_http = true;
466	c->c1.http_proxy_owned = true;
467	}
468	}
469	#endif
470
471	#ifdef ENABLE_SOCKS
472	if (!did_http && c->options.ce.socks_proxy_server)
473	{
474	c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,
475	c->options.ce.socks_proxy_port,
476	c->options.ce.socks_proxy_authfile,
477	c->options.ce.socks_proxy_retry);
478	if (c->c1.socks_proxy)
479	{
480	c->c1.socks_proxy_owned = true;
481	}
482	}
483	#endif
484	}
485
486	static void
487	init_proxy (struct context *c, const int scope)
488	{
489	if (scope == proxy_scope (c))
490	init_proxy_dowork (c);
491	}
492
493	static void
494	uninit_proxy (struct context *c)
495	{
496	if (c->sig->signal_received != SIGUSR1 \|\| proxy_scope (c) == 2)
497	uninit_proxy_dowork (c);
498	}
499
500	#else
501
502	static inline void
503	init_proxy (struct context *c, const int scope)
504	{
505	}
506
507	static inline void
508	uninit_proxy (struct context *c)
509	{
510	}
511
512	#endif
513
514	void
515	context_init_1 (struct context *c)
516	{
517	context_clear_1 (c);
518
519	packet_id_persist_init (&c->c1.pid_persist);
520
521	init_connection_list (c);
522
523	#if defined(ENABLE_PKCS11)
524	if (c->first_time) {
525	int i;
526	pkcs11_initialize (true, c->options.pkcs11_pin_cache_period);
527	for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++)
528	pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
529	c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
530	}
531	#endif
532
533	#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
534	{
535	/*
536	* In the management interface, you can okay the request by entering "needok token-insertion-request ok"
537	*/
538	struct user_pass up;
539	CLEAR (up);
540	strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
541	get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT\|GET_USER_PASS_NEED_OK);
542	msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
543	'needok' command, usually 'ok' or 'cancel'. */
544	}
545	#endif
546
547	/* initialize HTTP or SOCKS proxy object at scope level 1 */
548	init_proxy (c, 1);
549	}
550
551	void
552	context_gc_free (struct context *c)
553	{
554	gc_free (&c->c2.gc);
555	gc_free (&c->options.gc);
556	gc_free (&c->gc);
557	}
558
559	#if PORT_SHARE
560
561	static void
562	close_port_share (void)
563	{
564	if (port_share)
565	{
566	port_share_close (port_share);
567	port_share = NULL;
568	}
569	}
570
571	static void
572	init_port_share (struct context *c)
573	{
574	if (!port_share && (c->options.port_share_host && c->options.port_share_port))
575	{
576	port_share = port_share_open (c->options.port_share_host,
577	c->options.port_share_port,
578	MAX_RW_SIZE_LINK (&c->c2.frame),
579	c->options.port_share_journal_dir);
580	if (port_share == NULL)
581	msg (M_FATAL, "Fatal error: Port sharing failed");
582	}
583	}
584
585	#endif
586
587	bool
588	init_static (void)
589	{
590	/* configure_path (); */
591
592	#if defined(ENABLE_CRYPTO) && defined(DMALLOC)
593	crypto_init_dmalloc();
594	#endif
595
596	init_random_seed (); /* init random() function, only used as
597	source for weak random numbers */
598	error_reset (); /* initialize error.c */
599	reset_check_status (); /* initialize status check code in socket.c */
600
601	#ifdef WIN32
602	init_win32 ();
603	#endif
604
605	#ifdef OPENVPN_DEBUG_COMMAND_LINE
606	{
607	int i;
608	for (i = 0; i < argc; ++i)
609	msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
610	}
611	#endif
612
613	update_time ();
614
615	#ifdef ENABLE_CRYPTO
616	init_ssl_lib ();
617
618	/* init PRNG used for IV generation */
619	/* When forking, copy this to more places in the code to avoid fork
620	random-state predictability */
621	prng_init (NULL, 0);
622	#endif
623
624	#ifdef PID_TEST
625	packet_id_interactive_test (); /* test the sequence number code */
626	return false;
627	#endif
628
629	#ifdef SCHEDULE_TEST
630	schedule_test ();
631	return false;
632	#endif
633
634	#ifdef LIST_TEST
635	list_test ();
636	return false;
637	#endif
638
639	#ifdef IFCONFIG_POOL_TEST
640	ifconfig_pool_test (0x0A010004, 0x0A0100FF);
641	return false;
642	#endif
643
644	#ifdef CHARACTER_CLASS_DEBUG
645	character_class_debug ();
646	return false;
647	#endif
648
649	#ifdef EXTRACT_X509_FIELD_TEST
650	extract_x509_field_test ();
651	return false;
652	#endif
653
654	#ifdef TIME_TEST
655	time_test ();
656	return false;
657	#endif
658
659	#ifdef TEST_GET_DEFAULT_GATEWAY
660	{
661	struct route_gateway_info rgi;
662	get_default_gateway(&rgi);
663	print_default_gateway(M_INFO, &rgi);
664	return false;
665	}
666	#endif
667
668	#ifdef GEN_PATH_TEST
669	{
670	struct gc_arena gc = gc_new ();
671	const char *fn = gen_path ("foo",
672	"bar",
673	&gc);
674	printf ("%s\n", fn);
675	gc_free (&gc);
676	}
677	return false;
678	#endif
679
680	#ifdef STATUS_PRINTF_TEST
681	{
682	struct gc_arena gc = gc_new ();
683	const char *tmp_file = create_temp_file ("/tmp", "foo", &gc);
684	struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
685	status_printf (so, "%s", "foo");
686	status_printf (so, "%s", "bar");
687	if (!status_close (so))
688	msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
689	gc_free (&gc);
690	}
691	return false;
692	#endif
693
694	#ifdef ARGV_TEST
695	{
696	void argv_test (void);
697	argv_test ();
698	return false;
699	}
700	#endif
701
702	#ifdef PRNG_TEST
703	{
704	struct gc_arena gc = gc_new ();
705	uint8_t rndbuf[8];
706	int i;
707	prng_init ("sha1", 16);
708	/prng_init (NULL, 0);/
709	const int factor = 1;
710	for (i = 0; i < factor * 8; ++i)
711	{
712	#if 1
713	prng_bytes (rndbuf, sizeof (rndbuf));
714	#else
715	ASSERT(rand_bytes (rndbuf, sizeof (rndbuf)));
716	#endif
717	printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc));
718	}
719	gc_free (&gc);
720	prng_uninit ();
721	return false;
722	}
723	#endif
724
725	#ifdef BUFFER_LIST_AGGREGATE_TEST
726	/* test buffer_list_aggregate function */
727	{
728	static const char *text[] = {
729	"It was a bright cold day in April, ",
730	"and the clocks were striking ",
731	"thirteen. ",
732	"Winston Smith, ",
733	"his chin nuzzled into his breast in an ",
734	"effort to escape the vile wind, ",
735	"slipped quickly through the glass doors ",
736	"of Victory Mansions, though not quickly ",
737	"enough to prevent a swirl of gritty dust from ",
738	"entering along with him."
739	};
740
741	int iter, listcap;
742	for (listcap = 0; listcap < 12; ++listcap)
743	{
744	for (iter = 0; iter < 512; ++iter)
745	{
746	struct buffer_list *bl = buffer_list_new(listcap);
747	{
748	int i;
749	for (i = 0; i < SIZE(text); ++i)
750	buffer_list_push(bl, (unsigned char *)text[i]);
751	}
752	printf("[cap=%d i=%d] *************************\n", listcap, iter);
753	if (!(iter & 8))
754	buffer_list_aggregate(bl, iter/2);
755	if (!(iter & 16))
756	buffer_list_push(bl, (unsigned char *)"Even more text...");
757	buffer_list_aggregate(bl, iter);
758	if (!(iter & 1))
759	buffer_list_push(bl, (unsigned char *)"More text...");
760	{
761	struct buffer *buf;
762	while ((buf = buffer_list_peek(bl)))
763	{
764	int c;
765	printf ("'");
766	while ((c = buf_read_u8(buf)) >= 0)
767	putchar(c);
768	printf ("'\n");
769	buffer_list_advance(bl, 0);
770	}
771	}
772	buffer_list_free(bl);
773	}
774	}
775	return false;
776	}
777	#endif
778
779	#ifdef MSTATS_TEST
780	{
781	int i;
782	mstats_open("/dev/shm/mstats.dat");
783	for (i = 0; i < 30; ++i)
784	{
785	mmap_stats->n_clients += 1;
786	mmap_stats->link_write_bytes += 8;
787	mmap_stats->link_read_bytes += 16;
788	sleep(1);
789	}
790	mstats_close();
791	return false;
792	}
793	#endif
794
795	return true;
796	}
797
798	void
799	uninit_static (void)
800	{
801	#ifdef ENABLE_CRYPTO
802	free_ssl_lib ();
803	#endif
804
805	#ifdef ENABLE_PKCS11
806	pkcs11_terminate ();
807	#endif
808
809	#if PORT_SHARE
810	close_port_share ();
811	#endif
812
813	#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
814	show_tls_performance_stats ();
815	#endif
816	}
817
818	void
819	init_verb_mute (struct context *c, unsigned int flags)
820	{
821	if (flags & IVM_LEVEL_1)
822	{
823	/* set verbosity and mute levels */
824	set_check_status (D_LINK_ERRORS, D_READ_WRITE);
825	set_debug_level (c->options.verbosity, SDL_CONSTRAIN);
826	set_mute_cutoff (c->options.mute);
827	}
828
829	/* special D_LOG_RW mode */
830	if (flags & IVM_LEVEL_2)
831	c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
832	}
833
834	/*
835	* Possibly set --dev based on --dev-node.
836	* For example, if --dev-node /tmp/foo/tun, and --dev undefined,
837	* set --dev to tun.
838	*/
839	void
840	init_options_dev (struct options *options)
841	{
842	if (!options->dev && options->dev_node) {
843	char dev_node = strdup(options->dev_node); / POSIX basename() implementaions may modify its arguments */
844	options->dev = basename (dev_node);
845	}
846	}
847
848	bool
849	print_openssl_info (const struct options *options)
850	{
851	/*
852	* OpenSSL info print mode?
853	*/
854	#ifdef ENABLE_CRYPTO
855	if (options->show_ciphers \|\| options->show_digests \|\| options->show_engines
856	#ifdef ENABLE_SSL
857	\|\| options->show_tls_ciphers
858	#endif
859	)
860	{
861	if (options->show_ciphers)
862	show_available_ciphers ();
863	if (options->show_digests)
864	show_available_digests ();
865	if (options->show_engines)
866	show_available_engines ();
867	#ifdef ENABLE_SSL
868	if (options->show_tls_ciphers)
869	show_available_tls_ciphers (options->cipher_list);
870	#endif
871	return true;
872	}
873	#endif
874	return false;
875	}
876
877	/*
878	* Static pre-shared key generation mode?
879	*/
880	bool
881	do_genkey (const struct options * options)
882	{
883	#ifdef ENABLE_CRYPTO
884	if (options->genkey)
885	{
886	int nbits_written;
887
888	notnull (options->shared_secret_file,
889	"shared secret output file (--secret)");
890
891	if (options->mlock) /* should we disable paging? */
892	platform_mlockall (true);
893
894	nbits_written = write_key_file (2, options->shared_secret_file);
895
896	msg (D_GENKEY \| M_NOPREFIX,
897	"Randomly generated %d bit key written to %s", nbits_written,
898	options->shared_secret_file);
899	return true;
900	}
901	#endif
902	return false;
903	}
904
905	/*
906	* Persistent TUN/TAP device management mode?
907	*/
908	bool
909	do_persist_tuntap (const struct options *options)
910	{
911	if (options->persist_config)
912	{
913	/* sanity check on options for --mktun or --rmtun */
914	notnull (options->dev, "TUN/TAP device (--dev)");
915	if (options->ce.remote \|\| options->ifconfig_local
916	\|\| options->ifconfig_remote_netmask
917	#ifdef ENABLE_CRYPTO
918	\|\| options->shared_secret_file
919	#ifdef ENABLE_SSL
920	\|\| options->tls_server \|\| options->tls_client
921	#endif
922	#endif
923	)
924	msg (M_FATAL\|M_OPTERR,
925	"options --mktun or --rmtun should only be used together with --dev");
926	#ifdef ENABLE_FEATURE_TUN_PERSIST
927	tuncfg (options->dev, options->dev_type, options->dev_node,
928	options->persist_mode,
929	options->username, options->groupname, &options->tuntap_options);
930	if (options->persist_mode && options->lladdr)
931	set_lladdr(options->dev, options->lladdr, NULL);
932	return true;
933	#else
934	msg( M_FATAL\|M_OPTERR,
935	"options --mktun and --rmtun are not available on your operating "
936	"system. Please check 'man tun' (or 'tap'), whether your system "
937	"supports using 'ifconfig %s create' / 'destroy' to create/remove "
938	"persistant tunnel interfaces.", options->dev );
939	#endif
940	}
941	return false;
942	}
943
944	/*
945	* Should we become a daemon?
946	* Return true if we did it.
947	*/
948	bool
949	possibly_become_daemon (const struct options *options)
950	{
951	bool ret = false;
952	if (options->daemon)
953	{
954	ASSERT (!options->inetd);
955	/* Don't chdir immediately, but the end of the init sequence, if needed */
956	if (daemon (1, options->log) < 0)
957	msg (M_ERR, "daemon() failed or unsupported");
958	restore_signal_state ();
959	if (options->log)
960	set_std_files_to_null (true);
961
962	ret = true;
963	}
964	return ret;
965	}
966
967	/*
968	* Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
969	*/
970	static void
971	do_uid_gid_chroot (struct context *c, bool no_delay)
972	{
973	static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
974	struct context_0 *c0 = c->c0;
975
976	if (c->first_time && c0 && !c0->uid_gid_set)
977	{
978	/* chroot if requested */
979	if (c->options.chroot_dir)
980	{
981	if (no_delay)
982	platform_chroot (c->options.chroot_dir);
983	else
984	msg (M_INFO, "NOTE: chroot %s", why_not);
985	}
986
987	/* set user and/or group that we want to setuid/setgid to */
988	if (no_delay)
989	{
990	platform_group_set (&c0->platform_state_group);
991	platform_user_set (&c0->platform_state_user);
992	c0->uid_gid_set = true;
993	}
994	else if (c0->uid_gid_specified)
995	{
996	msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
997	}
998
999	#ifdef ENABLE_MEMSTATS
1000	if (c->options.memstats_fn)
1001	mstats_open(c->options.memstats_fn);
1002	#endif
1003
1004	#ifdef ENABLE_SELINUX
1005	/* Apply a SELinux context in order to restrict what OpenVPN can do
1006	* to _only_ what it is supposed to do after initialization is complete
1007	* (basically just network I/O operations). Doing it after chroot
1008	* requires /proc to be mounted in the chroot (which is annoying indeed
1009	* but doing it before requires more complex SELinux policies.
1010	*/
1011	if (c->options.selinux_context)
1012	{
1013	if (no_delay) {
1014	if (-1 == setcon (c->options.selinux_context))
1015	msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
1016	else
1017	msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
1018	}
1019	else
1020	msg (M_INFO, "NOTE: setcon %s", why_not);
1021	}
1022	#endif
1023	}
1024	}
1025
1026	/*
1027	* Return common name in a way that is formatted for
1028	* prepending to msg() output.
1029	*/
1030	const char *
1031	format_common_name (struct context c, struct gc_arena gc)
1032	{
1033	struct buffer out = alloc_buf_gc (256, gc);
1034	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
1035	if (c->c2.tls_multi)
1036	{
1037	buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
1038	}
1039	#endif
1040	return BSTR (&out);
1041	}
1042
1043	void
1044	pre_setup (const struct options *options)
1045	{
1046	#ifdef WIN32
1047	if (options->exit_event_name)
1048	{
1049	win32_signal_open (&win32_signal,
1050	WSO_FORCE_SERVICE,
1051	options->exit_event_name,
1052	options->exit_event_initial_state);
1053	}
1054	else
1055	{
1056	win32_signal_open (&win32_signal,
1057	WSO_FORCE_CONSOLE,
1058	NULL,
1059	false);
1060
1061	/* put a title on the top window bar */
1062	if (win32_signal.mode == WSO_MODE_CONSOLE)
1063	{
1064	window_title_save (&window_title);
1065	window_title_generate (options->config);
1066	}
1067	}
1068	#endif
1069	}
1070
1071	void
1072	reset_coarse_timers (struct context *c)
1073	{
1074	c->c2.coarse_timer_wakeup = 0;
1075	}
1076
1077	/*
1078	* Initialize timers
1079	*/
1080	static void
1081	do_init_timers (struct context *c, bool deferred)
1082	{
1083	update_time ();
1084	reset_coarse_timers (c);
1085
1086	/* initialize inactivity timeout */
1087	if (c->options.inactivity_timeout)
1088	event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
1089
1090	/* initialize pings */
1091
1092	if (c->options.ping_send_timeout)
1093	event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
1094
1095	if (c->options.ping_rec_timeout)
1096	event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
1097
1098	#if P2MP
1099	if (c->options.server_poll_timeout)
1100	event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now);
1101	#endif
1102
1103	if (!deferred)
1104	{
1105	/* initialize connection establishment timer */
1106	event_timeout_init (&c->c2.wait_for_connect, 1, now);
1107
1108	#ifdef ENABLE_OCC
1109	/* initialize occ timers */
1110
1111	if (c->options.occ
1112	&& !TLS_MODE (c)
1113	&& c->c2.options_string_local && c->c2.options_string_remote)
1114	event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
1115
1116	if (c->options.mtu_test)
1117	event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
1118	#endif
1119
1120	/* initialize packet_id persistence timer */
1121	#ifdef ENABLE_CRYPTO
1122	if (c->options.packet_id_file)
1123	event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
1124	#endif
1125
1126	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
1127	/* initialize tmp_int optimization that limits the number of times we call
1128	tls_multi_process in the main event loop */
1129	interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
1130	#endif
1131	}
1132	}
1133
1134	/*
1135	* Initialize traffic shaper.
1136	*/
1137	static void
1138	do_init_traffic_shaper (struct context *c)
1139	{
1140	#ifdef ENABLE_FEATURE_SHAPER
1141	/* initialize traffic shaper (i.e. transmit bandwidth limiter) */
1142	if (c->options.shaper)
1143	{
1144	shaper_init (&c->c2.shaper, c->options.shaper);
1145	shaper_msg (&c->c2.shaper);
1146	}
1147	#endif
1148	}
1149
1150	/*
1151	* Allocate route list structures for IPv4 and IPv6
1152	* (we do this for IPv4 even if no --route option has been seen, as other
1153	* parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
1154	*/
1155	static void
1156	do_alloc_route_list (struct context *c)
1157	{
1158	if (!c->c1.route_list)
1159	c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);
1160	if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
1161	c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc);
1162	}
1163
1164
1165	/*
1166	* Initialize the route list, resolving any DNS names in route
1167	* options and saving routes in the environment.
1168	*/
1169	static void
1170	do_init_route_list (const struct options *options,
1171	struct route_list *route_list,
1172	const struct link_socket_info *link_socket_info,
1173	bool fatal,
1174	struct env_set *es)
1175	{
1176	const char *gw = NULL;
1177	int dev = dev_type_enum (options->dev, options->dev_type);
1178	int metric = 0;
1179
1180	if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 \|\| options->topology == TOP_P2P))
1181	gw = options->ifconfig_remote_netmask;
1182	if (options->route_default_gateway)
1183	gw = options->route_default_gateway;
1184	if (options->route_default_metric)
1185	metric = options->route_default_metric;
1186
1187	if (!init_route_list (route_list,
1188	options->routes,
1189	gw,
1190	metric,
1191	link_socket_current_remote (link_socket_info),
1192	es))
1193	{
1194	if (fatal)
1195	openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
1196	}
1197	else
1198	{
1199	/* copy routes to environment */
1200	setenv_routes (es, route_list);
1201	}
1202	}
1203
1204	static void
1205	do_init_route_ipv6_list (const struct options *options,
1206	struct route_ipv6_list *route_ipv6_list,
1207	bool fatal,
1208	struct env_set *es)
1209	{
1210	const char *gw = NULL;
1211	int dev = dev_type_enum (options->dev, options->dev_type);
1212	int metric = -1; /* no metric set */
1213
1214	gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
1215	#if 0 /* not yet done for IPv6 - TODO!*/
1216	if ( options->route_ipv6_default_gateway ) /* override? */
1217	gw = options->route_ipv6_default_gateway;
1218	#endif
1219
1220	if (options->route_default_metric)
1221	metric = options->route_default_metric;
1222
1223	if (!init_route_ipv6_list (route_ipv6_list,
1224	options->routes_ipv6,
1225	gw,
1226	metric,
1227	es))
1228	{
1229	if (fatal)
1230	openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
1231	}
1232	else
1233	{
1234	/* copy routes to environment */
1235	setenv_routes_ipv6 (es, route_ipv6_list);
1236	}
1237	}
1238
1239
1240	/*
1241	* Called after all initialization has been completed.
1242	*/
1243	void
1244	initialization_sequence_completed (struct context *c, const unsigned int flags)
1245	{
1246	static const char message[] = "Initialization Sequence Completed";
1247
1248	/* If we delayed UID/GID downgrade or chroot, do it now */
1249	do_uid_gid_chroot (c, true);
1250
1251	/* Test if errors */
1252	if (flags & ISC_ERRORS)
1253	{
1254	#ifdef WIN32
1255	show_routes (M_INFO\|M_NOPREFIX);
1256	show_adapters (M_INFO\|M_NOPREFIX);
1257	msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1258	#else
1259	msg (M_INFO, "%s With Errors", message);
1260	#endif
1261	}
1262	else
1263	msg (M_INFO, "%s", message);
1264
1265	/* Flag connection_list that we initialized */
1266	if ((flags & (ISC_ERRORS\|ISC_SERVER)) == 0 && connection_list_defined (&c->options))
1267	connection_list_set_no_advance (&c->options);
1268
1269	#ifdef WIN32
1270	fork_register_dns_action (c->c1.tuntap);
1271	#endif
1272
1273	#ifdef ENABLE_MANAGEMENT
1274	/* Tell management interface that we initialized */
1275	if (management)
1276	{
1277	in_addr_t tun_local = 0;
1278	in_addr_t tun_remote = 0; /* FKS */
1279	const char *detail = "SUCCESS";
1280	if (c->c1.tuntap)
1281	tun_local = c->c1.tuntap->local;
1282	/* TODO(jjo): for ipv6 this will convert some 32bits in the ipv6 addr
1283	* to a meaningless ipv4 address.
1284	* In any case, is somewhat inconsistent to send local tunnel
1285	* addr with remote _endpoint_ addr (?)
1286	*/
1287	tun_remote = htonl (c->c1.link_socket_addr.actual.dest.addr.in4.sin_addr.s_addr);
1288	if (flags & ISC_ERRORS)
1289	detail = "ERROR";
1290	management_set_state (management,
1291	OPENVPN_STATE_CONNECTED,
1292	detail,
1293	tun_local,
1294	tun_remote);
1295	if (tun_local)
1296	management_post_tunnel_open (management, tun_local);
1297	}
1298	#endif
1299	}
1300
1301	/*
1302	* Possibly add routes and/or call route-up script
1303	* based on options.
1304	*/
1305	void
1306	do_route (const struct options *options,
1307	struct route_list *route_list,
1308	struct route_ipv6_list *route_ipv6_list,
1309	const struct tuntap *tt,
1310	const struct plugin_list *plugins,
1311	struct env_set *es)
1312	{
1313	if (!options->route_noexec && ( route_list \|\| route_ipv6_list ) )
1314	{
1315	add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es);
1316	setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
1317	}
1318	#ifdef ENABLE_MANAGEMENT
1319	if (management)
1320	management_up_down (management, "UP", es);
1321	#endif
1322
1323	if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))
1324	{
1325	if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1326	msg (M_WARN, "WARNING: route-up plugin call failed");
1327	}
1328
1329	if (options->route_script)
1330	{
1331	struct argv argv = argv_new ();
1332	setenv_str (es, "script_type", "route-up");
1333	argv_printf (&argv, "%sc", options->route_script);
1334	openvpn_run_script (&argv, es, 0, "--route-up");
1335	argv_reset (&argv);
1336	}
1337
1338	#ifdef WIN32
1339	if (options->show_net_up)
1340	{
1341	show_routes (M_INFO\|M_NOPREFIX);
1342	show_adapters (M_INFO\|M_NOPREFIX);
1343	}
1344	else if (check_debug_level (D_SHOW_NET))
1345	{
1346	show_routes (D_SHOW_NET\|M_NOPREFIX);
1347	show_adapters (D_SHOW_NET\|M_NOPREFIX);
1348	}
1349	#endif
1350	}
1351
1352	/*
1353	* Save current pulled options string in the c1 context store, so we can
1354	* compare against it after possible future restarts.
1355	*/
1356	#if P2MP
1357	static void
1358	save_pulled_options_digest (struct context c, const struct md5_digest newdigest)
1359	{
1360	if (newdigest)
1361	c->c1.pulled_options_digest_save = *newdigest;
1362	else
1363	md5_digest_clear (&c->c1.pulled_options_digest_save);
1364	}
1365	#endif
1366
1367	/*
1368	* initialize tun/tap device object
1369	*/
1370	static void
1371	do_init_tun (struct context *c)
1372	{
1373	c->c1.tuntap = init_tun (c->options.dev,
1374	c->options.dev_type,
1375	c->options.topology,
1376	c->options.ifconfig_local,
1377	c->options.ifconfig_remote_netmask,
1378	c->options.ifconfig_ipv6_local,
1379	c->options.ifconfig_ipv6_netbits,
1380	c->options.ifconfig_ipv6_remote,
1381	addr_host (&c->c1.link_socket_addr.local),
1382	addr_host (&c->c1.link_socket_addr.remote),
1383	!c->options.ifconfig_nowarn,
1384	c->c2.es);
1385
1386	/* flag tunnel for IPv6 config if --tun-ipv6 is set */
1387	c->c1.tuntap->ipv6 = c->options.tun_ipv6;
1388
1389	init_tun_post (c->c1.tuntap,
1390	&c->c2.frame,
1391	&c->options.tuntap_options);
1392
1393	c->c1.tuntap_owned = true;
1394	}
1395
1396	/*
1397	* Open tun/tap device, ifconfig, call up script, etc.
1398	*/
1399
1400	static bool
1401	do_open_tun (struct context *c)
1402	{
1403	struct gc_arena gc = gc_new ();
1404	bool ret = false;
1405
1406	c->c2.ipv4_tun = (!c->options.tun_ipv6
1407	&& is_dev_type (c->options.dev, c->options.dev_type, "tun"));
1408
1409	if (!c->c1.tuntap)
1410	{
1411	/* initialize (but do not open) tun/tap object */
1412	do_init_tun (c);
1413
1414	/* allocate route list structure */
1415	do_alloc_route_list (c);
1416
1417	/* parse and resolve the route option list */
1418	if (c->options.routes && c->c1.route_list && c->c2.link_socket)
1419	do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);
1420	if (c->options.routes_ipv6 && c->c1.route_ipv6_list )
1421	do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, false, c->c2.es);
1422
1423	/* do ifconfig */
1424	if (!c->options.ifconfig_noexec
1425	&& ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN)
1426	{
1427	/* guess actual tun/tap unit number that will be returned
1428	by open_tun */
1429	const char *guess = guess_tuntap_dev (c->options.dev,
1430	c->options.dev_type,
1431	c->options.dev_node,
1432	&gc);
1433	do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1434	}
1435
1436	/* open the tun device */
1437	open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
1438	c->c1.tuntap);
1439
1440	/* set the hardware address */
1441	if (c->options.lladdr)
1442	set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1443
1444	/* do ifconfig */
1445	if (!c->options.ifconfig_noexec
1446	&& ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN)
1447	{
1448	do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1449	}
1450
1451	/* run the up script */
1452	run_up_down (c->options.up_script,
1453	c->plugins,
1454	OPENVPN_PLUGIN_UP,
1455	c->c1.tuntap->actual_name,
1456	dev_type_string (c->options.dev, c->options.dev_type),
1457	TUN_MTU_SIZE (&c->c2.frame),
1458	EXPANDED_SIZE (&c->c2.frame),
1459	print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1460	print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1461	"init",
1462	NULL,
1463	"up",
1464	c->c2.es);
1465
1466	/* possibly add routes */
1467	if (!c->options.route_delay_defined)
1468	do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
1469	c->c1.tuntap, c->plugins, c->c2.es);
1470
1471	/*
1472	* Did tun/tap driver give us an MTU?
1473	*/
1474	if (c->c1.tuntap->post_open_mtu)
1475	frame_set_mtu_dynamic (&c->c2.frame,
1476	c->c1.tuntap->post_open_mtu,
1477	SET_MTU_TUN \| SET_MTU_UPPER_BOUND);
1478
1479	ret = true;
1480	static_context = c;
1481	}
1482	else
1483	{
1484	msg (M_INFO, "Preserving previous TUN/TAP instance: %s",
1485	c->c1.tuntap->actual_name);
1486
1487	/* explicitly set the ifconfig_* env vars */
1488	do_ifconfig_setenv(c->c1.tuntap, c->c2.es);
1489
1490	/* run the up script if user specified --up-restart */
1491	if (c->options.up_restart)
1492	run_up_down (c->options.up_script,
1493	c->plugins,
1494	OPENVPN_PLUGIN_UP,
1495	c->c1.tuntap->actual_name,
1496	dev_type_string (c->options.dev, c->options.dev_type),
1497	TUN_MTU_SIZE (&c->c2.frame),
1498	EXPANDED_SIZE (&c->c2.frame),
1499	print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1500	print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1501	"restart",
1502	NULL,
1503	"up",
1504	c->c2.es);
1505	}
1506	gc_free (&gc);
1507	return ret;
1508	}
1509
1510	/*
1511	* Close TUN/TAP device
1512	*/
1513
1514	static void
1515	do_close_tun_simple (struct context *c)
1516	{
1517	msg (D_CLOSE, "Closing TUN/TAP interface");
1518	close_tun (c->c1.tuntap);
1519	c->c1.tuntap = NULL;
1520	c->c1.tuntap_owned = false;
1521	#if P2MP
1522	save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */
1523	#endif
1524	}
1525
1526	static void
1527	do_close_tun (struct context *c, bool force)
1528	{
1529	struct gc_arena gc = gc_new ();
1530	if (c->c1.tuntap && c->c1.tuntap_owned)
1531	{
1532	const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
1533	const in_addr_t local = c->c1.tuntap->local;
1534	const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1535
1536	if (force \|\| !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1537	{
1538	static_context = NULL;
1539
1540	#ifdef ENABLE_MANAGEMENT
1541	/* tell management layer we are about to close the TUN/TAP device */
1542	if (management)
1543	{
1544	management_pre_tunnel_close (management);
1545	management_up_down (management, "DOWN", c->c2.es);
1546	}
1547	#endif
1548
1549	/* delete any routes we added */
1550	if (c->c1.route_list \|\| c->c1.route_ipv6_list )
1551	{
1552	run_up_down (c->options.route_predown_script,
1553	c->plugins,
1554	OPENVPN_PLUGIN_ROUTE_PREDOWN,
1555	tuntap_actual,
1556	NULL,
1557	TUN_MTU_SIZE (&c->c2.frame),
1558	EXPANDED_SIZE (&c->c2.frame),
1559	print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1560	print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1561	"init",
1562	signal_description (c->sig->signal_received,
1563	c->sig->signal_text),
1564	"route-pre-down",
1565	c->c2.es);
1566
1567	delete_routes (c->c1.route_list, c->c1.route_ipv6_list,
1568	c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);
1569	}
1570
1571	/* actually close tun/tap device based on --down-pre flag */
1572	if (!c->options.down_pre)
1573	do_close_tun_simple (c);
1574
1575	/* Run the down script -- note that it will run at reduced
1576	privilege if, for example, "--user nobody" was used. */
1577	run_up_down (c->options.down_script,
1578	c->plugins,
1579	OPENVPN_PLUGIN_DOWN,
1580	tuntap_actual,
1581	NULL,
1582	TUN_MTU_SIZE (&c->c2.frame),
1583	EXPANDED_SIZE (&c->c2.frame),
1584	print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1585	print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1586	"init",
1587	signal_description (c->sig->signal_received,
1588	c->sig->signal_text),
1589	"down",
1590	c->c2.es);
1591
1592	/* actually close tun/tap device based on --down-pre flag */
1593	if (c->options.down_pre)
1594	do_close_tun_simple (c);
1595	}
1596	else
1597	{
1598	/* run the down script on this restart if --up-restart was specified */
1599	if (c->options.up_restart)
1600	run_up_down (c->options.down_script,
1601	c->plugins,
1602	OPENVPN_PLUGIN_DOWN,
1603	tuntap_actual,
1604	NULL,
1605	TUN_MTU_SIZE (&c->c2.frame),
1606	EXPANDED_SIZE (&c->c2.frame),
1607	print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1608	print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1609	"restart",
1610	signal_description (c->sig->signal_received,
1611	c->sig->signal_text),
1612	"down",
1613	c->c2.es);
1614	}
1615	}
1616	gc_free (&gc);
1617	}
1618
1619	void
1620	tun_abort()
1621	{
1622	struct context *c = static_context;
1623	if (c)
1624	{
1625	static_context = NULL;
1626	do_close_tun (c, true);
1627	}
1628	}
1629
1630	/*
1631	* Handle delayed tun/tap interface bringup due to --up-delay or --pull
1632	*/
1633
1634	void
1635	do_up (struct context *c, bool pulled_options, unsigned int option_types_found)
1636	{
1637	if (!c->c2.do_up_ran)
1638	{
1639	reset_coarse_timers (c);
1640
1641	if (pulled_options && option_types_found)
1642	do_deferred_options (c, option_types_found);
1643
1644	/* if --up-delay specified, open tun, do ifconfig, and run up script now */
1645	if (c->options.up_delay \|\| PULL_DEFINED (&c->options))
1646	{
1647	c->c2.did_open_tun = do_open_tun (c);
1648	update_time ();
1649
1650	#if P2MP
1651	/*
1652	* Was tun interface object persisted from previous restart iteration,
1653	* and if so did pulled options string change from previous iteration?
1654	*/
1655	if (!c->c2.did_open_tun
1656	&& PULL_DEFINED (&c->options)
1657	&& c->c1.tuntap
1658	&& (!md5_digest_defined (&c->c1.pulled_options_digest_save) \|\| !md5_digest_defined (&c->c2.pulled_options_digest)
1659	\|\| !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)))
1660	{
1661	/* if so, close tun, delete routes, then reinitialize tun and add routes */
1662	msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
1663	do_close_tun (c, true);
1664	openvpn_sleep (1);
1665	c->c2.did_open_tun = do_open_tun (c);
1666	update_time ();
1667	}
1668	#endif
1669	}
1670
1671	if (c->c2.did_open_tun)
1672	{
1673	#if P2MP
1674	save_pulled_options_digest (c, &c->c2.pulled_options_digest);
1675	#endif
1676
1677	/* if --route-delay was specified, start timer */
1678	if (c->options.route_delay_defined)
1679	{
1680	event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now);
1681	event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
1682	if (c->c1.tuntap)
1683	tun_standby_init (c->c1.tuntap);
1684	}
1685	else
1686	{
1687	initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */
1688	}
1689	}
1690	else if (c->options.mode == MODE_POINT_TO_POINT)
1691	{
1692	initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */
1693	}
1694
1695	c->c2.do_up_ran = true;
1696	}
1697	}
1698
1699	/*
1700	* These are the option categories which will be accepted by pull.
1701	*/
1702	unsigned int
1703	pull_permission_mask (const struct context *c)
1704	{
1705	unsigned int flags =
1706	OPT_P_UP
1707	\| OPT_P_ROUTE_EXTRAS
1708	\| OPT_P_SOCKBUF
1709	\| OPT_P_SOCKFLAGS
1710	\| OPT_P_SETENV
1711	\| OPT_P_SHAPER
1712	\| OPT_P_TIMER
1713	\| OPT_P_COMP
1714	\| OPT_P_PERSIST
1715	\| OPT_P_MESSAGES
1716	\| OPT_P_EXPLICIT_NOTIFY
1717	\| OPT_P_ECHO
1718	\| OPT_P_PULL_MODE
1719	\| OPT_P_PEER_ID;
1720
1721	if (!c->options.route_nopull)
1722	flags \|= (OPT_P_ROUTE \| OPT_P_IPWIN32);
1723
1724	return flags;
1725	}
1726
1727	/*
1728	* Handle non-tun-related pulled options.
1729	*/
1730	void
1731	do_deferred_options (struct context *c, const unsigned int found)
1732	{
1733	if (found & OPT_P_MESSAGES)
1734	{
1735	init_verb_mute (c, IVM_LEVEL_1\|IVM_LEVEL_2);
1736	msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
1737	}
1738	if (found & OPT_P_TIMER)
1739	{
1740	do_init_timers (c, true);
1741	msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
1742	}
1743
1744	#ifdef ENABLE_OCC
1745	if (found & OPT_P_EXPLICIT_NOTIFY)
1746	{
1747	if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification)
1748	{
1749	msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
1750	c->options.ce.explicit_exit_notification = 0;
1751	}
1752	else
1753	msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
1754	}
1755	#endif
1756
1757	#ifdef ENABLE_LZO
1758	if (found & OPT_P_COMP)
1759	{
1760	if (lzo_defined (&c->c2.lzo_compwork))
1761	{
1762	msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified");
1763	lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo);
1764	}
1765	}
1766	#endif
1767
1768	if (found & OPT_P_SHAPER)
1769	{
1770	msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
1771	do_init_traffic_shaper (c);
1772	}
1773
1774	if (found & OPT_P_SOCKBUF)
1775	{
1776	msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
1777	link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
1778	}
1779
1780	if (found & OPT_P_SOCKFLAGS)
1781	{
1782	msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
1783	link_socket_update_flags (c->c2.link_socket, c->options.sockflags);
1784	}
1785
1786	if (found & OPT_P_PERSIST)
1787	msg (D_PUSH, "OPTIONS IMPORT: --persist options modified");
1788	if (found & OPT_P_UP)
1789	msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
1790	if (found & OPT_P_ROUTE)
1791	msg (D_PUSH, "OPTIONS IMPORT: route options modified");
1792	if (found & OPT_P_ROUTE_EXTRAS)
1793	msg (D_PUSH, "OPTIONS IMPORT: route-related options modified");
1794	if (found & OPT_P_IPWIN32)
1795	msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
1796	if (found & OPT_P_SETENV)
1797	msg (D_PUSH, "OPTIONS IMPORT: environment modified");
1798
1799	#ifdef ENABLE_SSL
1800	if (found & OPT_P_PEER_ID)
1801	{
1802	msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
1803	c->c2.tls_multi->use_peer_id = true;
1804	c->c2.tls_multi->peer_id = c->options.peer_id;
1805	frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */
1806	if ( !c->options.ce.link_mtu_defined )
1807	{
1808	frame_add_to_link_mtu(&c->c2.frame, +3);
1809	msg (D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d",
1810	EXPANDED_SIZE(&c->c2.frame));
1811	}
1812	else
1813	{
1814	msg (M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu"
1815	" fixed by config - reducing tun-mtu to %d, expect"
1816	" MTU problems", TUN_MTU_SIZE(&c->c2.frame) );
1817	}
1818	}
1819	#endif
1820	}
1821
1822	/*
1823	* Possible hold on initialization
1824	*/
1825	static bool
1826	do_hold (void)
1827	{
1828	#ifdef ENABLE_MANAGEMENT
1829	if (management)
1830	{
1831	/* block until management hold is released */
1832	if (management_hold (management))
1833	return true;
1834	}
1835	#endif
1836	return false;
1837	}
1838
1839	/*
1840	* Sleep before restart.
1841	*/
1842	static void
1843	socket_restart_pause (struct context *c)
1844	{
1845	bool proxy = false;
1846	int sec = 2;
1847
1848	#ifdef ENABLE_HTTP_PROXY
1849	if (c->options.ce.http_proxy_options)
1850	proxy = true;
1851	#endif
1852	#ifdef ENABLE_SOCKS
1853	if (c->options.ce.socks_proxy_server)
1854	proxy = true;
1855	#endif
1856
1857	switch (c->options.ce.proto)
1858	{
1859	case PROTO_UDPv4:
1860	case PROTO_UDPv6:
1861	if (proxy)
1862	sec = c->options.ce.connect_retry_seconds;
1863	break;
1864	case PROTO_TCPv4_SERVER:
1865	case PROTO_TCPv6_SERVER:
1866	sec = 1;
1867	break;
1868	case PROTO_TCPv4_CLIENT:
1869	case PROTO_TCPv6_CLIENT:
1870	sec = c->options.ce.connect_retry_seconds;
1871	break;
1872	}
1873
1874	#ifdef ENABLE_DEBUG
1875	if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin))
1876	sec = 0;
1877	#endif
1878
1879	#if P2MP
1880	if (auth_retry_get () == AR_NOINTERACT)
1881	sec = 10;
1882
1883	#if 0 /* not really needed because of c->persist.restart_sleep_seconds */
1884	if (c->options.server_poll_timeout && sec > 1)
1885	sec = 1;
1886	#endif
1887	#endif
1888
1889	if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
1890	sec = c->persist.restart_sleep_seconds;
1891	else if (c->persist.restart_sleep_seconds == -1)
1892	sec = 0;
1893	c->persist.restart_sleep_seconds = 0;
1894
1895	/* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
1896	if (do_hold ())
1897	sec = 0;
1898
1899	if (sec)
1900	{
1901	msg (D_RESTART, "Restart pause, %d second(s)", sec);
1902	openvpn_sleep (sec);
1903	}
1904	}
1905
1906	/*
1907	* Do a possible pause on context_2 initialization.
1908	*/
1909	static void
1910	do_startup_pause (struct context *c)
1911	{
1912	if (!c->first_time)
1913	socket_restart_pause (c);
1914	else
1915	do_hold (); /* do management hold on first context initialization */
1916	}
1917
1918	/*
1919	* Finalize MTU parameters based on command line or config file options.
1920	*/
1921	static void
1922	frame_finalize_options (struct context c, const struct options o)
1923	{
1924	if (!o)
1925	o = &c->options;
1926
1927	/*
1928	* Set adjustment factor for buffer alignment when no
1929	* cipher is used.
1930	*/
1931	if (!CIPHER_ENABLED (c))
1932	{
1933	frame_align_to_extra_frame (&c->c2.frame);
1934	frame_or_align_flags (&c->c2.frame,
1935	FRAME_HEADROOM_MARKER_FRAGMENT
1936	\|FRAME_HEADROOM_MARKER_READ_LINK
1937	\|FRAME_HEADROOM_MARKER_READ_STREAM);
1938	}
1939
1940	frame_finalize (&c->c2.frame,
1941	o->ce.link_mtu_defined,
1942	o->ce.link_mtu,
1943	o->ce.tun_mtu_defined,
1944	o->ce.tun_mtu);
1945	}
1946
1947	/*
1948	* Free a key schedule, including OpenSSL components.
1949	*/
1950	static void
1951	key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
1952	{
1953	#ifdef ENABLE_CRYPTO
1954	free_key_ctx_bi (&ks->static_key);
1955	#ifdef ENABLE_SSL
1956	if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
1957	{
1958	tls_ctx_free (&ks->ssl_ctx);
1959	free_key_ctx_bi (&ks->tls_auth_key);
1960	}
1961	#endif /* ENABLE_SSL */
1962	#endif /* ENABLE_CRYPTO */
1963	CLEAR (*ks);
1964	}
1965
1966	#ifdef ENABLE_CRYPTO
1967
1968	static void
1969	init_crypto_pre (struct context *c, const unsigned int flags)
1970	{
1971	if (c->options.engine)
1972	crypto_init_lib_engine (c->options.engine);
1973
1974	if (flags & CF_LOAD_PERSISTED_PACKET_ID)
1975	{
1976	/* load a persisted packet-id for cross-session replay-protection */
1977	if (c->options.packet_id_file)
1978	packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
1979	}
1980
1981	/* Initialize crypto options */
1982
1983	if (c->options.use_iv)
1984	c->c2.crypto_options.flags \|= CO_USE_IV;
1985
1986	if (c->options.mute_replay_warnings)
1987	c->c2.crypto_options.flags \|= CO_MUTE_REPLAY_WARNINGS;
1988
1989	#ifdef ENABLE_PREDICTION_RESISTANCE
1990	if (c->options.use_prediction_resistance)
1991	rand_ctx_enable_prediction_resistance();
1992	#endif
1993
1994	}
1995
1996	/*
1997	* Static Key Mode (using a pre-shared key)
1998	*/
1999	static void
2000	do_init_crypto_static (struct context *c, const unsigned int flags)
2001	{
2002	const struct options *options = &c->options;
2003	ASSERT (options->shared_secret_file);
2004
2005	init_crypto_pre (c, flags);
2006
2007	/* Initialize packet ID tracking */
2008	if (options->replay)
2009	{
2010	packet_id_init (&c->c2.packet_id,
2011	link_socket_proto_connection_oriented (options->ce.proto),
2012	options->replay_window,
2013	options->replay_time,
2014	"STATIC", 0);
2015	c->c2.crypto_options.packet_id = &c->c2.packet_id;
2016	c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
2017	c->c2.crypto_options.flags \|= CO_PACKET_ID_LONG_FORM;
2018	packet_id_persist_load_obj (&c->c1.pid_persist,
2019	c->c2.crypto_options.packet_id);
2020	}
2021
2022	if (!key_ctx_bi_defined (&c->c1.ks.static_key))
2023	{
2024	struct key2 key2;
2025	struct key_direction_state kds;
2026
2027	/* Get cipher & hash algorithms */
2028	init_key_type (&c->c1.ks.key_type, options->ciphername,
2029	options->ciphername_defined, options->authname,
2030	options->authname_defined, options->keysize,
2031	options->test_crypto, true);
2032
2033	/* Read cipher and hmac keys from shared secret file */
2034	{
2035	unsigned int rkf_flags = RKF_MUST_SUCCEED;
2036	const char *rkf_file = options->shared_secret_file;
2037
2038	if (options->shared_secret_file_inline)
2039	{
2040	rkf_file = options->shared_secret_file_inline;
2041	rkf_flags \|= RKF_INLINE;
2042	}
2043	read_key_file (&key2, rkf_file, rkf_flags);
2044	}
2045
2046	/* Check for and fix highly unlikely key problems */
2047	verify_fix_key2 (&key2, &c->c1.ks.key_type,
2048	options->shared_secret_file);
2049
2050	/* Initialize OpenSSL key objects */
2051	key_direction_state_init (&kds, options->key_direction);
2052	must_have_n_keys (options->shared_secret_file, "secret", &key2,
2053	kds.need_keys);
2054	init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
2055	&c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt");
2056	init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
2057	&c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt");
2058
2059	/* Erase the temporary copy of key */
2060	CLEAR (key2);
2061	}
2062	else
2063	{
2064	msg (M_INFO, "Re-using pre-shared static key");
2065	}
2066
2067	/* Get key schedule */
2068	c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
2069
2070	/* Compute MTU parameters */
2071	crypto_adjust_frame_parameters (&c->c2.frame,
2072	&c->c1.ks.key_type,
2073	options->ciphername_defined,
2074	options->use_iv, options->replay, true);
2075
2076	/* Sanity check on IV, sequence number, and cipher mode options */
2077	check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
2078	options->use_iv);
2079	}
2080
2081	#ifdef ENABLE_SSL
2082
2083	/*
2084	* Initialize the persistent component of OpenVPN's TLS mode,
2085	* which is preserved across SIGUSR1 resets.
2086	*/
2087	static void
2088	do_init_crypto_tls_c1 (struct context *c)
2089	{
2090	const struct options *options = &c->options;
2091
2092	if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2093	{
2094	/*
2095	* Initialize the OpenSSL library's global
2096	* SSL context.
2097	*/
2098	init_ssl (options, &(c->c1.ks.ssl_ctx));
2099	if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
2100	{
2101	#if P2MP
2102	switch (auth_retry_get ())
2103	{
2104	case AR_NONE:
2105	msg (M_FATAL, "Error: private key password verification failed");
2106	break;
2107	case AR_INTERACT:
2108	ssl_purge_auth (false);
2109	case AR_NOINTERACT:
2110	c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
2111	break;
2112	default:
2113	ASSERT (0);
2114	}
2115	c->sig->signal_text = "private-key-password-failure";
2116	return;
2117	#else
2118	msg (M_FATAL, "Error: private key password verification failed");
2119	#endif
2120	}
2121
2122	/* Get cipher & hash algorithms */
2123	init_key_type (&c->c1.ks.key_type, options->ciphername,
2124	options->ciphername_defined, options->authname,
2125	options->authname_defined, options->keysize, true, true);
2126
2127	/* Initialize PRNG with config-specified digest */
2128	prng_init (options->prng_hash, options->prng_nonce_secret_len);
2129
2130	/* TLS handshake authentication (--tls-auth) */
2131	if (options->tls_auth_file)
2132	{
2133	unsigned int flags = 0;
2134	const char *file = options->tls_auth_file;
2135
2136	if (options->tls_auth_file_inline)
2137	{
2138	flags \|= GHK_INLINE;
2139	file = options->tls_auth_file_inline;
2140	}
2141	get_tls_handshake_key (&c->c1.ks.key_type,
2142	&c->c1.ks.tls_auth_key,
2143	file,
2144	options->key_direction,
2145	flags);
2146	}
2147
2148	#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
2149	if (options->priv_key_file_inline)
2150	{
2151	string_clear (c->options.priv_key_file_inline);
2152	c->options.priv_key_file_inline = NULL;
2153	}
2154	#endif
2155	}
2156	else
2157	{
2158	msg (D_INIT_MEDIUM, "Re-using SSL/TLS context");
2159	}
2160	}
2161
2162	static void
2163	do_init_crypto_tls (struct context *c, const unsigned int flags)
2164	{
2165	const struct options *options = &c->options;
2166	struct tls_options to;
2167	bool packet_id_long_form;
2168
2169	ASSERT (options->tls_server \|\| options->tls_client);
2170	ASSERT (!options->test_crypto);
2171
2172	init_crypto_pre (c, flags);
2173
2174	/* Make sure we are either a TLS client or server but not both */
2175	ASSERT (options->tls_server == !options->tls_client);
2176
2177	/* initialize persistent component */
2178	do_init_crypto_tls_c1 (c);
2179	if (IS_SIG (c))
2180	return;
2181
2182	/* Sanity check on IV, sequence number, and cipher mode options */
2183	check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
2184	options->use_iv);
2185
2186	/* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
2187	packet_id_long_form = cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher);
2188
2189	/* Compute MTU parameters */
2190	crypto_adjust_frame_parameters (&c->c2.frame,
2191	&c->c1.ks.key_type,
2192	options->ciphername_defined,
2193	options->use_iv,
2194	options->replay, packet_id_long_form);
2195	tls_adjust_frame_parameters (&c->c2.frame);
2196
2197	/* Set all command-line TLS-related options */
2198	CLEAR (to);
2199
2200	to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
2201	if (packet_id_long_form)
2202	to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
2203
2204	to.ssl_ctx = c->c1.ks.ssl_ctx;
2205	to.key_type = c->c1.ks.key_type;
2206	to.server = options->tls_server;
2207	to.key_method = options->key_method;
2208	to.replay = options->replay;
2209	to.replay_window = options->replay_window;
2210	to.replay_time = options->replay_time;
2211	to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto);
2212	to.transition_window = options->transition_window;
2213	to.handshake_window = options->handshake_window;
2214	to.packet_timeout = options->tls_timeout;
2215	to.renegotiate_bytes = options->renegotiate_bytes;
2216	to.renegotiate_packets = options->renegotiate_packets;
2217	to.renegotiate_seconds = options->renegotiate_seconds;
2218	to.single_session = options->single_session;
2219	#ifdef ENABLE_PUSH_PEER_INFO
2220	if (options->push_peer_info) /* all there is */
2221	to.push_peer_info_detail = 2;
2222	else if (options->pull) /* pull clients send some details */
2223	to.push_peer_info_detail = 1;
2224	else /* default: no peer-info at all */
2225	to.push_peer_info_detail = 0;
2226	#endif
2227
2228	/* should we not xmit any packets until we get an initial
2229	response from client? */
2230	if (to.server && options->ce.proto == PROTO_TCPv4_SERVER)
2231	to.xmit_hold = true;
2232
2233	#ifdef ENABLE_OCC
2234	to.disable_occ = !options->occ;
2235	#endif
2236
2237	to.verify_command = options->tls_verify;
2238	to.verify_export_cert = options->tls_export_cert;
2239	to.verify_x509_type = (options->verify_x509_type & 0xff);
2240	to.verify_x509_name = options->verify_x509_name;
2241	to.crl_file = options->crl_file;
2242	to.ssl_flags = options->ssl_flags;
2243	to.ns_cert_type = options->ns_cert_type;
2244	memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
2245	to.remote_cert_eku = options->remote_cert_eku;
2246	to.verify_hash = options->verify_hash;
2247	#ifdef ENABLE_X509ALTUSERNAME
2248	to.x509_username_field = (char *) options->x509_username_field;
2249	#else
2250	to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
2251	#endif
2252	to.es = c->c2.es;
2253
2254	#ifdef ENABLE_DEBUG
2255	to.gremlin = c->options.gremlin;
2256	#endif
2257
2258	to.plugins = c->plugins;
2259
2260	#ifdef MANAGEMENT_DEF_AUTH
2261	to.mda_context = &c->c2.mda_context;
2262	#endif
2263
2264	#if P2MP_SERVER
2265	to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
2266	to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
2267	to.tmp_dir = options->tmp_dir;
2268	if (options->ccd_exclusive)
2269	to.client_config_dir_exclusive = options->client_config_dir;
2270	to.auth_user_pass_file = options->auth_user_pass_file;
2271	#endif
2272
2273	#ifdef ENABLE_X509_TRACK
2274	to.x509_track = options->x509_track;
2275	#endif
2276
2277	#if P2MP
2278	#ifdef ENABLE_CLIENT_CR
2279	to.sci = &options->sc_info;
2280	#endif
2281	#endif
2282
2283	/* TLS handshake authentication (--tls-auth) */
2284	if (options->tls_auth_file)
2285	{
2286	to.tls_auth_key = c->c1.ks.tls_auth_key;
2287	to.tls_auth.pid_persist = &c->c1.pid_persist;
2288	to.tls_auth.flags \|= CO_PACKET_ID_LONG_FORM;
2289	crypto_adjust_frame_parameters (&to.frame,
2290	&c->c1.ks.key_type,
2291	false, false, true, true);
2292	}
2293
2294	/* If we are running over TCP, allow for
2295	length prefix */
2296	socket_adjust_frame_parameters (&to.frame, options->ce.proto);
2297
2298	/*
2299	* Initialize OpenVPN's master TLS-mode object.
2300	*/
2301	if (flags & CF_INIT_TLS_MULTI)
2302	c->c2.tls_multi = tls_multi_init (&to);
2303
2304	if (flags & CF_INIT_TLS_AUTH_STANDALONE)
2305	c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc);
2306	}
2307
2308	static void
2309	do_init_finalize_tls_frame (struct context *c)
2310	{
2311	if (c->c2.tls_multi)
2312	{
2313	tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame);
2314	ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <=
2315	EXPANDED_SIZE (&c->c2.frame));
2316	frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO,
2317	"Control Channel MTU parms");
2318	}
2319	if (c->c2.tls_auth_standalone)
2320	{
2321	tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame);
2322	frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
2323	"TLS-Auth MTU parms");
2324	}
2325	}
2326
2327	#endif /* ENABLE_SSL */
2328	#endif /* ENABLE_CRYPTO */
2329
2330	#ifdef ENABLE_CRYPTO
2331	/*
2332	* No encryption or authentication.
2333	*/
2334	static void
2335	do_init_crypto_none (const struct context *c)
2336	{
2337	ASSERT (!c->options.test_crypto);
2338	msg (M_WARN,
2339	"***** WARNING *****: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
2340	}
2341	#endif
2342
2343	static void
2344	do_init_crypto (struct context *c, const unsigned int flags)
2345	{
2346	#ifdef ENABLE_CRYPTO
2347	if (c->options.shared_secret_file)
2348	do_init_crypto_static (c, flags);
2349	#ifdef ENABLE_SSL
2350	else if (c->options.tls_server \|\| c->options.tls_client)
2351	do_init_crypto_tls (c, flags);
2352	#endif
2353	else /* no encryption or authentication. */
2354	do_init_crypto_none (c);
2355	#else /* ENABLE_CRYPTO */
2356	msg (M_WARN,
2357	"***** WARNING *****: " PACKAGE_NAME
2358	" built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
2359	#endif /* ENABLE_CRYPTO */
2360	}
2361
2362	static void
2363	do_init_frame (struct context *c)
2364	{
2365	#ifdef ENABLE_LZO
2366	/*
2367	* Initialize LZO compression library.
2368	*/
2369	if (c->options.lzo & LZO_SELECTED)
2370	{
2371	lzo_adjust_frame_parameters (&c->c2.frame);
2372
2373	/*
2374	* LZO usage affects buffer alignment.
2375	*/
2376	if (CIPHER_ENABLED (c))
2377	{
2378	frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN);
2379	frame_or_align_flags (&c->c2.frame,
2380	FRAME_HEADROOM_MARKER_FRAGMENT
2381	\|FRAME_HEADROOM_MARKER_DECRYPT);
2382	}
2383
2384	#ifdef ENABLE_FRAGMENT
2385	lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
2386	#endif
2387	}
2388	#endif /* ENABLE_LZO */
2389
2390	#ifdef ENABLE_SOCKS
2391	/*
2392	* Adjust frame size for UDP Socks support.
2393	*/
2394	if (c->options.ce.socks_proxy_server)
2395	socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
2396	#endif
2397
2398	/*
2399	* Adjust frame size based on the --tun-mtu-extra parameter.
2400	*/
2401	if (c->options.ce.tun_mtu_extra_defined)
2402	tun_adjust_frame_parameters (&c->c2.frame, c->options.ce.tun_mtu_extra);
2403
2404	/*
2405	* Adjust frame size based on link socket parameters.
2406	* (Since TCP is a stream protocol, we need to insert
2407	* a packet length uint16_t in the buffer.)
2408	*/
2409	socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
2410
2411	/*
2412	* Fill in the blanks in the frame parameters structure,
2413	* make sure values are rational, etc.
2414	*/
2415	frame_finalize_options (c, NULL);
2416
2417	/* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client)
2418	* and need link_mtu+3 bytes on socket reception (on server).
2419	*
2420	* accomodate receive path in f->extra_link
2421	* send path in f->extra_buffer (+leave room for alignment)
2422	*
2423	* f->extra_frame is adjusted when peer-id option is push-received
2424	*/
2425	frame_add_to_extra_link(&c->c2.frame, 3);
2426	frame_add_to_extra_buffer(&c->c2.frame, 8);
2427
2428	#ifdef ENABLE_FRAGMENT
2429	/*
2430	* Set frame parameter for fragment code. This is necessary because
2431	* the fragmentation code deals with payloads which have already been
2432	* passed through the compression code.
2433	*/
2434	c->c2.frame_fragment = c->c2.frame;
2435	frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
2436	#endif
2437
2438	#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
2439	/*
2440	* MTU advisories
2441	*/
2442	if (c->options.ce.fragment && c->options.mtu_test)
2443	msg (M_WARN,
2444	"WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
2445	#endif
2446
2447	#ifdef ENABLE_FRAGMENT
2448	if ((c->options.ce.mssfix \|\| c->options.ce.fragment)
2449	&& TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)
2450	msg (M_WARN,
2451	"WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
2452	ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment));
2453	#endif
2454	}
2455
2456	static void
2457	do_option_warnings (struct context *c)
2458	{
2459	const struct options *o = &c->options;
2460
2461	if (o->ping_send_timeout && !o->ping_rec_timeout)
2462	msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
2463
2464	if (o->username \|\| o->groupname \|\| o->chroot_dir
2465	#ifdef ENABLE_SELINUX
2466	\|\| o->selinux_context
2467	#endif
2468	)
2469	{
2470	if (!o->persist_tun)
2471	msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
2472	if (!o->persist_key
2473	#ifdef ENABLE_PKCS11
2474	&& !o->pkcs11_id
2475	#endif
2476	)
2477	msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
2478	}
2479
2480	if (o->chroot_dir && !(o->username && o->groupname))
2481	msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
2482
2483	#if P2MP
2484	if (o->pull && o->ifconfig_local && c->first_time)
2485	msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
2486
2487	#if P2MP_SERVER
2488	if (o->server_bridge_defined \| o->server_bridge_proxy_dhcp)
2489	msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
2490
2491	if (o->mode == MODE_SERVER)
2492	{
2493	if (o->duplicate_cn && o->client_config_dir)
2494	msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
2495	if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
2496	msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
2497	if (!o->keepalive_ping \|\| !o->keepalive_timeout)
2498	msg (M_WARN, "WARNING: --keepalive option is missing from server config");
2499	}
2500	#endif
2501	#endif
2502
2503	#ifdef ENABLE_CRYPTO
2504	if (!o->replay)
2505	msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
2506	if (!o->use_iv)
2507	msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
2508
2509	#ifdef ENABLE_SSL
2510	if (o->tls_server)
2511	warn_on_use_of_common_subnets ();
2512	if (o->tls_client
2513	&& !o->tls_verify
2514	&& o->verify_x509_type == VERIFY_X509_NONE
2515	&& !(o->ns_cert_type & NS_CERT_CHECK_SERVER)
2516	&& !o->remote_cert_eku)
2517	msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
2518	#endif
2519	#endif
2520
2521	#ifndef CONNECT_NONBLOCK
2522	if (o->ce.connect_timeout_defined)
2523	msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
2524	#endif
2525
2526	/* If a script is used, print appropiate warnings */
2527	if (o->user_script_used)
2528	{
2529	if (script_security >= SSEC_SCRIPTS)
2530	msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
2531	else if (script_security >= SSEC_PW_ENV)
2532	msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
2533	else
2534	msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
2535	}
2536	}
2537
2538	static void
2539	do_init_frame_tls (struct context *c)
2540	{
2541	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
2542	do_init_finalize_tls_frame (c);
2543	#endif
2544	}
2545
2546	struct context_buffers *
2547	init_context_buffers (const struct frame *frame)
2548	{
2549	struct context_buffers *b;
2550
2551	ALLOC_OBJ_CLEAR (b, struct context_buffers);
2552
2553	b->read_link_buf = alloc_buf (BUF_SIZE (frame));
2554	b->read_tun_buf = alloc_buf (BUF_SIZE (frame));
2555
2556	b->aux_buf = alloc_buf (BUF_SIZE (frame));
2557
2558	#ifdef ENABLE_CRYPTO
2559	b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
2560	b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
2561	#endif
2562
2563	#ifdef ENABLE_LZO
2564	b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame));
2565	b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame));
2566	#endif
2567
2568	return b;
2569	}
2570
2571	void
2572	free_context_buffers (struct context_buffers *b)
2573	{
2574	if (b)
2575	{
2576	free_buf (&b->read_link_buf);
2577	free_buf (&b->read_tun_buf);
2578	free_buf (&b->aux_buf);
2579
2580	#ifdef ENABLE_LZO
2581	free_buf (&b->lzo_compress_buf);
2582	free_buf (&b->lzo_decompress_buf);
2583	#endif
2584
2585	#ifdef ENABLE_CRYPTO
2586	free_buf (&b->encrypt_buf);
2587	free_buf (&b->decrypt_buf);
2588	#endif
2589
2590	free (b);
2591	}
2592	}
2593
2594	/*
2595	* Now that we know all frame parameters, initialize
2596	* our buffers.
2597	*/
2598	static void
2599	do_init_buffers (struct context *c)
2600	{
2601	c->c2.buffers = init_context_buffers (&c->c2.frame);
2602	c->c2.buffers_owned = true;
2603	}
2604
2605	#ifdef ENABLE_FRAGMENT
2606	/*
2607	* Fragmenting code has buffers to initialize
2608	* once frame parameters are known.
2609	*/
2610	static void
2611	do_init_fragment (struct context *c)
2612	{
2613	ASSERT (c->options.ce.fragment);
2614	frame_set_mtu_dynamic (&c->c2.frame_fragment,
2615	c->options.ce.fragment, SET_MTU_UPPER_BOUND);
2616	fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);
2617	}
2618	#endif
2619
2620	/*
2621	* Set the --mssfix option.
2622	*/
2623	static void
2624	do_init_mssfix (struct context *c)
2625	{
2626	if (c->options.ce.mssfix)
2627	{
2628	frame_set_mtu_dynamic (&c->c2.frame,
2629	c->options.ce.mssfix, SET_MTU_UPPER_BOUND);
2630	}
2631	}
2632
2633	/*
2634	* Allocate our socket object.
2635	*/
2636	static void
2637	do_link_socket_new (struct context *c)
2638	{
2639	ASSERT (!c->c2.link_socket);
2640	c->c2.link_socket = link_socket_new ();
2641	c->c2.link_socket_owned = true;
2642	}
2643
2644	/*
2645	* bind the TCP/UDP socket
2646	*/
2647	static void
2648	do_init_socket_1 (struct context *c, const int mode)
2649	{
2650	unsigned int sockflags = c->options.sockflags;
2651
2652	#if PORT_SHARE
2653	if (c->options.port_share_host && c->options.port_share_port)
2654	sockflags \|= SF_PORT_SHARE;
2655	#endif
2656
2657	link_socket_init_phase1 (c->c2.link_socket,
2658	connection_list_defined (&c->options),
2659	c->options.ce.local,
2660	c->options.ce.local_port,
2661	c->options.ce.remote,
2662	c->options.ce.remote_port,
2663	c->options.ce.proto,
2664	mode,
2665	c->c2.accept_from,
2666	#ifdef ENABLE_HTTP_PROXY
2667	c->c1.http_proxy,
2668	#endif
2669	#ifdef ENABLE_SOCKS
2670	c->c1.socks_proxy,
2671	#endif
2672	#ifdef ENABLE_DEBUG
2673	c->options.gremlin,
2674	#endif
2675	c->options.ce.bind_local,
2676	c->options.ce.remote_float,
2677	c->options.inetd,
2678	&c->c1.link_socket_addr,
2679	c->options.ipchange,
2680	c->plugins,
2681	c->options.resolve_retry_seconds,
2682	c->options.ce.connect_retry_seconds,
2683	c->options.ce.connect_timeout,
2684	c->options.ce.connect_retry_max,
2685	c->options.ce.mtu_discover_type,
2686	c->options.rcvbuf,
2687	c->options.sndbuf,
2688	c->options.mark,
2689	sockflags);
2690	}
2691
2692	/*
2693	* finalize the TCP/UDP socket
2694	*/
2695	static void
2696	do_init_socket_2 (struct context *c)
2697	{
2698	link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame,
2699	&c->sig->signal_received);
2700	}
2701
2702	/*
2703	* Print MTU INFO
2704	*/
2705	static void
2706	do_print_data_channel_mtu_parms (struct context *c)
2707	{
2708	frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
2709	#ifdef ENABLE_FRAGMENT
2710	if (c->c2.fragment)
2711	frame_print (&c->c2.frame_fragment, D_MTU_INFO,
2712	"Fragmentation MTU parms");
2713	#endif
2714	}
2715
2716	#ifdef ENABLE_OCC
2717	/*
2718	* Get local and remote options compatibility strings.
2719	*/
2720	static void
2721	do_compute_occ_strings (struct context *c)
2722	{
2723	struct gc_arena gc = gc_new ();
2724
2725	c->c2.options_string_local =
2726	options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
2727	c->c2.options_string_remote =
2728	options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
2729
2730	msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local);
2731	msg (D_SHOW_OCC, "Expected Remote Options String: '%s'",
2732	c->c2.options_string_remote);
2733
2734	#ifdef ENABLE_CRYPTO
2735	msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
2736	options_string_version (c->c2.options_string_local, &gc),
2737	md5sum ((uint8_t*)c->c2.options_string_local,
2738	strlen (c->c2.options_string_local), 9, &gc));
2739	msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
2740	options_string_version (c->c2.options_string_remote, &gc),
2741	md5sum ((uint8_t*)c->c2.options_string_remote,
2742	strlen (c->c2.options_string_remote), 9, &gc));
2743	#endif
2744
2745	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
2746	if (c->c2.tls_multi)
2747	tls_multi_init_set_options (c->c2.tls_multi,
2748	c->c2.options_string_local,
2749	c->c2.options_string_remote);
2750	#endif
2751
2752	gc_free (&gc);
2753	}
2754	#endif
2755
2756	/*
2757	* These things can only be executed once per program instantiation.
2758	* Set up for possible UID/GID downgrade, but don't do it yet.
2759	* Daemonize if requested.
2760	*/
2761	static void
2762	do_init_first_time (struct context *c)
2763	{
2764	if (c->first_time && !c->c0)
2765	{
2766	struct context_0 *c0;
2767
2768	ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc);
2769	c0 = c->c0;
2770
2771	/* get user and/or group that we want to setuid/setgid to */
2772	c0->uid_gid_specified =
2773	platform_group_get (c->options.groupname, &c0->platform_state_group) \|
2774	platform_user_get (c->options.username, &c0->platform_state_user);
2775
2776	/* get --writepid file descriptor */
2777	get_pid_file (c->options.writepid, &c0->pid_state);
2778
2779	/* perform postponed chdir if --daemon */
2780	if (c->did_we_daemonize && c->options.cd_dir == NULL)
2781	platform_chdir("/");
2782
2783	/* save process ID in a file */
2784	write_pid (&c0->pid_state);
2785
2786	/* should we change scheduling priority? */
2787	platform_nice (c->options.nice);
2788	}
2789	}
2790
2791	/*
2792	* If xinetd/inetd mode, don't allow restart.
2793	*/
2794	static void
2795	do_close_check_if_restart_permitted (struct context *c)
2796	{
2797	if (c->options.inetd
2798	&& (c->sig->signal_received == SIGHUP
2799	\|\| c->sig->signal_received == SIGUSR1))
2800	{
2801	c->sig->signal_received = SIGTERM;
2802	msg (M_INFO,
2803	PACKAGE_NAME
2804	" started by inetd/xinetd cannot restart... Exiting.");
2805	}
2806	}
2807
2808	/*
2809	* free buffers
2810	*/
2811	static void
2812	do_close_free_buf (struct context *c)
2813	{
2814	if (c->c2.buffers_owned)
2815	{
2816	free_context_buffers (c->c2.buffers);
2817	c->c2.buffers = NULL;
2818	c->c2.buffers_owned = false;
2819	}
2820	}
2821
2822	/*
2823	* close TLS
2824	*/
2825	static void
2826	do_close_tls (struct context *c)
2827	{
2828	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
2829	if (c->c2.tls_multi)
2830	{
2831	tls_multi_free (c->c2.tls_multi, true);
2832	c->c2.tls_multi = NULL;
2833	}
2834
2835	#ifdef ENABLE_OCC
2836	/* free options compatibility strings */
2837	if (c->c2.options_string_local)
2838	free (c->c2.options_string_local);
2839	if (c->c2.options_string_remote)
2840	free (c->c2.options_string_remote);
2841	c->c2.options_string_local = c->c2.options_string_remote = NULL;
2842	#endif
2843	#endif
2844	}
2845
2846	/*
2847	* Free key schedules
2848	*/
2849	static void
2850	do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
2851	{
2852	if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
2853	key_schedule_free (&c->c1.ks, free_ssl_ctx);
2854	}
2855
2856	/*
2857	* Close TCP/UDP connection
2858	*/
2859	static void
2860	do_close_link_socket (struct context *c)
2861	{
2862	if (c->c2.link_socket && c->c2.link_socket_owned)
2863	{
2864	link_socket_close (c->c2.link_socket);
2865	c->c2.link_socket = NULL;
2866	}
2867
2868	if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
2869	{
2870	CLEAR (c->c1.link_socket_addr.remote);
2871	CLEAR (c->c1.link_socket_addr.actual);
2872	}
2873
2874	if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
2875	CLEAR (c->c1.link_socket_addr.local);
2876	}
2877
2878	/*
2879	* Close packet-id persistance file
2880	*/
2881	static void
2882	do_close_packet_id (struct context *c)
2883	{
2884	#ifdef ENABLE_CRYPTO
2885	packet_id_free (&c->c2.packet_id);
2886	packet_id_persist_save (&c->c1.pid_persist);
2887	if (!(c->sig->signal_received == SIGUSR1))
2888	packet_id_persist_close (&c->c1.pid_persist);
2889	#endif
2890	}
2891
2892	#ifdef ENABLE_FRAGMENT
2893	/*
2894	* Close fragmentation handler.
2895	*/
2896	static void
2897	do_close_fragment (struct context *c)
2898	{
2899	if (c->c2.fragment)
2900	{
2901	fragment_free (c->c2.fragment);
2902	c->c2.fragment = NULL;
2903	}
2904	}
2905	#endif
2906
2907	/*
2908	* Open and close our event objects.
2909	*/
2910
2911	static void
2912	do_event_set_init (struct context *c,
2913	bool need_us_timeout)
2914	{
2915	unsigned int flags = 0;
2916
2917	c->c2.event_set_max = BASE_N_EVENTS;
2918
2919	flags \|= EVENT_METHOD_FAST;
2920
2921	if (need_us_timeout)
2922	flags \|= EVENT_METHOD_US_TIMEOUT;
2923
2924	c->c2.event_set = event_set_init (&c->c2.event_set_max, flags);
2925	c->c2.event_set_owned = true;
2926	}
2927
2928	static void
2929	do_close_event_set (struct context *c)
2930	{
2931	if (c->c2.event_set && c->c2.event_set_owned)
2932	{
2933	event_free (c->c2.event_set);
2934	c->c2.event_set = NULL;
2935	c->c2.event_set_owned = false;
2936	}
2937	}
2938
2939	/*
2940	* Open and close --status file
2941	*/
2942
2943	static void
2944	do_open_status_output (struct context *c)
2945	{
2946	if (!c->c1.status_output)
2947	{
2948	c->c1.status_output = status_open (c->options.status_file,
2949	c->options.status_file_update_freq,
2950	-1,
2951	NULL,
2952	STATUS_OUTPUT_WRITE);
2953	c->c1.status_output_owned = true;
2954	}
2955	}
2956
2957	static void
2958	do_close_status_output (struct context *c)
2959	{
2960	if (!(c->sig->signal_received == SIGUSR1))
2961	{
2962	if (c->c1.status_output_owned && c->c1.status_output)
2963	{
2964	status_close (c->c1.status_output);
2965	c->c1.status_output = NULL;
2966	c->c1.status_output_owned = false;
2967	}
2968	}
2969	}
2970
2971	/*
2972	* Handle ifconfig-pool persistance object.
2973	*/
2974	static void
2975	do_open_ifconfig_pool_persist (struct context *c)
2976	{
2977	#if P2MP_SERVER
2978	if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
2979	{
2980	c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename,
2981	c->options.ifconfig_pool_persist_refresh_freq);
2982	c->c1.ifconfig_pool_persist_owned = true;
2983	}
2984	#endif
2985	}
2986
2987	static void
2988	do_close_ifconfig_pool_persist (struct context *c)
2989	{
2990	#if P2MP_SERVER
2991	if (!(c->sig->signal_received == SIGUSR1))
2992	{
2993	if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
2994	{
2995	ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist);
2996	c->c1.ifconfig_pool_persist = NULL;
2997	c->c1.ifconfig_pool_persist_owned = false;
2998	}
2999	}
3000	#endif
3001	}
3002
3003	/*
3004	* Inherit environmental variables
3005	*/
3006
3007	static void
3008	do_inherit_env (struct context c, const struct env_set src)
3009	{
3010	c->c2.es = env_set_create (NULL);
3011	c->c2.es_owned = true;
3012	env_set_inherit (c->c2.es, src);
3013	}
3014
3015	static void
3016	do_env_set_destroy (struct context *c)
3017	{
3018	if (c->c2.es && c->c2.es_owned)
3019	{
3020	env_set_destroy (c->c2.es);
3021	c->c2.es = NULL;
3022	c->c2.es_owned = false;
3023	}
3024	}
3025
3026	/*
3027	* Fast I/O setup. Fast I/O is an optimization which only works
3028	* if all of the following are true:
3029	*
3030	* (1) The platform is not Windows
3031	* (2) --proto udp is enabled
3032	* (3) --shaper is disabled
3033	*/
3034	static void
3035	do_setup_fast_io (struct context *c)
3036	{
3037	if (c->options.fast_io)
3038	{
3039	#ifdef WIN32
3040	msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
3041	#else
3042	if (!proto_is_udp(c->options.ce.proto))
3043	msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
3044	else
3045	{
3046	#ifdef ENABLE_FEATURE_SHAPER
3047	if (c->options.shaper)
3048	msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
3049	else
3050	#endif
3051	{
3052	c->c2.fast_io = true;
3053	}
3054	}
3055	#endif
3056	}
3057	}
3058
3059	static void
3060	do_signal_on_tls_errors (struct context *c)
3061	{
3062	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
3063	if (c->options.tls_exit)
3064	c->c2.tls_exit_signal = SIGTERM;
3065	else
3066	c->c2.tls_exit_signal = SIGUSR1;
3067	#endif
3068	}
3069
3070	#ifdef ENABLE_PLUGIN
3071
3072	void
3073	init_plugins (struct context *c)
3074	{
3075	if (c->options.plugin_list && !c->plugins)
3076	{
3077	c->plugins = plugin_list_init (c->options.plugin_list);
3078	c->plugins_owned = true;
3079	}
3080	}
3081
3082	void
3083	open_plugins (struct context *c, const bool import_options, int init_point)
3084	{
3085	if (c->plugins && c->plugins_owned)
3086	{
3087	if (import_options)
3088	{
3089	struct plugin_return pr, config;
3090	plugin_return_init (&pr);
3091	plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3092	plugin_return_get_column (&pr, &config, "config");
3093	if (plugin_return_defined (&config))
3094	{
3095	int i;
3096	for (i = 0; i < config.n; ++i)
3097	{
3098	unsigned int option_types_found = 0;
3099	if (config.list[i] && config.list[i]->value)
3100	options_string_import (&c->options,
3101	config.list[i]->value,
3102	D_IMPORT_ERRORS\|M_OPTERR,
3103	OPT_P_DEFAULT & ~OPT_P_PLUGIN,
3104	&option_types_found,
3105	c->es);
3106	}
3107	}
3108	plugin_return_free (&pr);
3109	}
3110	else
3111	{
3112	plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3113	}
3114	}
3115	}
3116
3117	static void
3118	do_close_plugins (struct context *c)
3119	{
3120	if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
3121	{
3122	plugin_list_close (c->plugins);
3123	c->plugins = NULL;
3124	c->plugins_owned = false;
3125	}
3126	}
3127
3128	static void
3129	do_inherit_plugins (struct context c, const struct context src)
3130	{
3131	if (!c->plugins && src->plugins)
3132	{
3133	c->plugins = plugin_list_inherit (src->plugins);
3134	c->plugins_owned = true;
3135	}
3136	}
3137
3138	#endif
3139
3140	#ifdef ENABLE_MANAGEMENT
3141
3142	static void
3143	management_callback_status_p2p (void arg, const int version, struct status_output so)
3144	{
3145	struct context c = (struct context ) arg;
3146	print_status (c, so);
3147	}
3148
3149	void
3150	management_show_net_callback (void *arg, const int msglevel)
3151	{
3152	#ifdef WIN32
3153	show_routes (msglevel);
3154	show_adapters (msglevel);
3155	msg (msglevel, "END");
3156	#else
3157	msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
3158	#endif
3159	}
3160
3161	#endif
3162
3163	void
3164	init_management_callback_p2p (struct context *c)
3165	{
3166	#ifdef ENABLE_MANAGEMENT
3167	if (management)
3168	{
3169	struct management_callback cb;
3170	CLEAR (cb);
3171	cb.arg = c;
3172	cb.status = management_callback_status_p2p;
3173	cb.show_net = management_show_net_callback;
3174	cb.proxy_cmd = management_callback_proxy_cmd;
3175	cb.remote_cmd = management_callback_remote_cmd;
3176	management_set_callback (management, &cb);
3177	}
3178	#endif
3179	}
3180
3181	#ifdef ENABLE_MANAGEMENT
3182
3183	void
3184	init_management (struct context *c)
3185	{
3186	if (!management)
3187	management = management_init ();
3188	}
3189
3190	bool
3191	open_management (struct context *c)
3192	{
3193	/* initialize management layer */
3194	if (management)
3195	{
3196	if (c->options.management_addr)
3197	{
3198	unsigned int flags = c->options.management_flags;
3199	if (c->options.mode == MODE_SERVER)
3200	flags \|= MF_SERVER;
3201	if (management_open (management,
3202	c->options.management_addr,
3203	c->options.management_port,
3204	c->options.management_user_pass,
3205	c->options.management_client_user,
3206	c->options.management_client_group,
3207	c->options.management_log_history_cache,
3208	c->options.management_echo_buffer_size,
3209	c->options.management_state_buffer_size,
3210	c->options.management_write_peer_info_file,
3211	c->options.remap_sigusr1,
3212	flags))
3213	{
3214	management_set_state (management,
3215	OPENVPN_STATE_CONNECTING,
3216	NULL,
3217	(in_addr_t)0,
3218	(in_addr_t)0);
3219	}
3220
3221	/* initial management hold, called early, before first context initialization */
3222	do_hold ();
3223	if (IS_SIG (c))
3224	{
3225	msg (M_WARN, "Signal received from management interface, exiting");
3226	return false;
3227	}
3228	}
3229	else
3230	close_management ();
3231	}
3232	return true;
3233	}
3234
3235	void
3236	close_management (void)
3237	{
3238	if (management)
3239	{
3240	management_close (management);
3241	management = NULL;
3242	}
3243	}
3244
3245	#endif
3246
3247
3248	void
3249	uninit_management_callback (void)
3250	{
3251	#ifdef ENABLE_MANAGEMENT
3252	if (management)
3253	{
3254	management_clear_callback (management);
3255	}
3256	#endif
3257	}
3258
3259	/*
3260	* Initialize a tunnel instance, handle pre and post-init
3261	* signal settings.
3262	*/
3263	void
3264	init_instance_handle_signals (struct context c, const struct env_set env, const unsigned int flags)
3265	{
3266	pre_init_signal_catch ();
3267	init_instance (c, env, flags);
3268	post_init_signal_catch ();
3269
3270	/*
3271	* This is done so that signals thrown during
3272	* initialization can bring us back to
3273	* a management hold.
3274	*/
3275	if (IS_SIG (c))
3276	{
3277	remap_signal (c);
3278	uninit_management_callback ();
3279	}
3280	}
3281
3282	/*
3283	* Initialize a tunnel instance.
3284	*/
3285	void
3286	init_instance (struct context c, const struct env_set env, const unsigned int flags)
3287	{
3288	const struct options *options = &c->options;
3289	const bool child = (c->mode == CM_CHILD_TCP \|\| c->mode == CM_CHILD_UDP);
3290	int link_socket_mode = LS_MODE_DEFAULT;
3291
3292	/* init garbage collection level */
3293	gc_init (&c->c2.gc);
3294
3295	/* signals caught here will abort */
3296	c->sig->signal_received = 0;
3297	c->sig->signal_text = NULL;
3298	c->sig->hard = false;
3299
3300	if (c->mode == CM_P2P)
3301	init_management_callback_p2p (c);
3302
3303	/* possible sleep or management hold if restart */
3304	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3305	{
3306	do_startup_pause (c);
3307	if (IS_SIG (c))
3308	goto sig;
3309	}
3310
3311	/* map in current connection entry */
3312	next_connection_entry (c);
3313
3314	/* link_socket_mode allows CM_CHILD_TCP
3315	instances to inherit acceptable fds
3316	from a top-level parent */
3317	if (c->options.ce.proto == PROTO_TCPv4_SERVER
3318	\|\| c->options.ce.proto == PROTO_TCPv6_SERVER)
3319	{
3320	if (c->mode == CM_TOP)
3321	link_socket_mode = LS_MODE_TCP_LISTEN;
3322	else if (c->mode == CM_CHILD_TCP)
3323	link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
3324	}
3325
3326	/* should we disable paging? */
3327	if (c->first_time && options->mlock)
3328	platform_mlockall (true);
3329
3330	#if P2MP
3331	/* get passwords if undefined */
3332	if (auth_retry_get () == AR_INTERACT)
3333	init_query_passwords (c);
3334	#endif
3335
3336	/* initialize context level 2 --verb/--mute parms */
3337	init_verb_mute (c, IVM_LEVEL_2);
3338
3339	/* set error message delay for non-server modes */
3340	if (c->mode == CM_P2P)
3341	set_check_status_error_delay (P2P_ERROR_DELAY_MS);
3342
3343	/* warn about inconsistent options */
3344	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3345	do_option_warnings (c);
3346
3347	/* inherit environmental variables */
3348	if (env)
3349	do_inherit_env (c, env);
3350
3351	#ifdef ENABLE_PLUGIN
3352	/* initialize plugins */
3353	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3354	open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
3355	#endif
3356
3357	/* should we enable fast I/O? */
3358	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3359	do_setup_fast_io (c);
3360
3361	/* should we throw a signal on TLS errors? */
3362	do_signal_on_tls_errors (c);
3363
3364	/* open --status file */
3365	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3366	do_open_status_output (c);
3367
3368	/* open --ifconfig-pool-persist file */
3369	if (c->mode == CM_TOP)
3370	do_open_ifconfig_pool_persist (c);
3371
3372	#ifdef ENABLE_OCC
3373	/* reset OCC state */
3374	if (c->mode == CM_P2P \|\| child)
3375	c->c2.occ_op = occ_reset_op ();
3376	#endif
3377
3378	/* our wait-for-i/o objects, different for posix vs. win32 */
3379	if (c->mode == CM_P2P)
3380	do_event_set_init (c, SHAPER_DEFINED (&c->options));
3381	else if (c->mode == CM_CHILD_TCP)
3382	do_event_set_init (c, false);
3383
3384	/* initialize HTTP or SOCKS proxy object at scope level 2 */
3385	init_proxy (c, 2);
3386
3387	/* allocate our socket object */
3388	if (c->mode == CM_P2P \|\| c->mode == CM_TOP \|\| c->mode == CM_CHILD_TCP)
3389	do_link_socket_new (c);
3390
3391	#ifdef ENABLE_FRAGMENT
3392	/* initialize internal fragmentation object */
3393	if (options->ce.fragment && (c->mode == CM_P2P \|\| child))
3394	c->c2.fragment = fragment_init (&c->c2.frame);
3395	#endif
3396
3397	/* init crypto layer */
3398	{
3399	unsigned int crypto_flags = 0;
3400	if (c->mode == CM_TOP)
3401	crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
3402	else if (c->mode == CM_P2P)
3403	crypto_flags = CF_LOAD_PERSISTED_PACKET_ID \| CF_INIT_TLS_MULTI;
3404	else if (child)
3405	crypto_flags = CF_INIT_TLS_MULTI;
3406	do_init_crypto (c, crypto_flags);
3407	if (IS_SIG (c) && !child)
3408	goto sig;
3409	}
3410
3411	#ifdef ENABLE_LZO
3412	/* initialize LZO compression library. */
3413	if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P \|\| child))
3414	lzo_compress_init (&c->c2.lzo_compwork, options->lzo);
3415	#endif
3416
3417	/* initialize MTU variables */
3418	do_init_frame (c);
3419
3420	/* initialize TLS MTU variables */
3421	do_init_frame_tls (c);
3422
3423	/* init workspace buffers whose size is derived from frame size */
3424	if (c->mode == CM_P2P \|\| c->mode == CM_CHILD_TCP)
3425	do_init_buffers (c);
3426
3427	#ifdef ENABLE_FRAGMENT
3428	/* initialize internal fragmentation capability with known frame size */
3429	if (options->ce.fragment && (c->mode == CM_P2P \|\| child))
3430	do_init_fragment (c);
3431	#endif
3432
3433	/* initialize dynamic MTU variable */
3434	do_init_mssfix (c);
3435
3436	/* bind the TCP/UDP socket */
3437	if (c->mode == CM_P2P \|\| c->mode == CM_TOP \|\| c->mode == CM_CHILD_TCP)
3438	do_init_socket_1 (c, link_socket_mode);
3439
3440	/* initialize tun/tap device object,
3441	open tun/tap device, ifconfig, run up script, etc. */
3442	if (!(options->up_delay \|\| PULL_DEFINED (options)) && (c->mode == CM_P2P \|\| c->mode == CM_TOP))
3443	c->c2.did_open_tun = do_open_tun (c);
3444
3445	/* print MTU info */
3446	do_print_data_channel_mtu_parms (c);
3447
3448	#ifdef ENABLE_OCC
3449	/* get local and remote options compatibility strings */
3450	if (c->mode == CM_P2P \|\| child)
3451	do_compute_occ_strings (c);
3452	#endif
3453
3454	/* initialize output speed limiter */
3455	if (c->mode == CM_P2P)
3456	do_init_traffic_shaper (c);
3457
3458	/* do one-time inits, and possibily become a daemon here */
3459	do_init_first_time (c);
3460
3461	#ifdef ENABLE_PLUGIN
3462	/* initialize plugins */
3463	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3464	open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
3465	#endif
3466
3467	/*
3468	* Actually do UID/GID downgrade, and chroot, if requested.
3469	* May be delayed by --client, --pull, or --up-delay.
3470	*/
3471	do_uid_gid_chroot (c, c->c2.did_open_tun);
3472
3473	/* finalize the TCP/UDP socket */
3474	if (c->mode == CM_P2P \|\| c->mode == CM_TOP \|\| c->mode == CM_CHILD_TCP)
3475	do_init_socket_2 (c);
3476
3477	/* initialize timers */
3478	if (c->mode == CM_P2P \|\| child)
3479	do_init_timers (c, false);
3480
3481	#ifdef ENABLE_PLUGIN
3482	/* initialize plugins */
3483	if (c->mode == CM_P2P \|\| c->mode == CM_TOP)
3484	open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
3485	#endif
3486
3487	#if PORT_SHARE
3488	/* share OpenVPN port with foreign (such as HTTPS) server */
3489	if (c->first_time && (c->mode == CM_P2P \|\| c->mode == CM_TOP))
3490	init_port_share (c);
3491	#endif
3492
3493	#ifdef ENABLE_PF
3494	if (child)
3495	pf_init_context (c);
3496	#endif
3497
3498	/* Check for signals */
3499	if (IS_SIG (c))
3500	goto sig;
3501
3502	return;
3503
3504	sig:
3505	if (!c->sig->signal_text)
3506	c->sig->signal_text = "init_instance";
3507	close_context (c, -1, flags);
3508	return;
3509	}
3510
3511	/*
3512	* Close a tunnel instance.
3513	*/
3514	void
3515	close_instance (struct context *c)
3516	{
3517	/* close event objects */
3518	do_close_event_set (c);
3519
3520	if (c->mode == CM_P2P
3521	\|\| c->mode == CM_CHILD_TCP
3522	\|\| c->mode == CM_CHILD_UDP
3523	\|\| c->mode == CM_TOP)
3524	{
3525	/* if xinetd/inetd mode, don't allow restart */
3526	do_close_check_if_restart_permitted (c);
3527
3528	#ifdef ENABLE_LZO
3529	if (lzo_defined (&c->c2.lzo_compwork))
3530	lzo_compress_uninit (&c->c2.lzo_compwork);
3531	#endif
3532
3533	/* free buffers */
3534	do_close_free_buf (c);
3535
3536	/* close TLS */
3537	do_close_tls (c);
3538
3539	/* free key schedules */
3540	do_close_free_key_schedule (c, (c->mode == CM_P2P \|\| c->mode == CM_TOP));
3541
3542	/* close TCP/UDP connection */
3543	do_close_link_socket (c);
3544
3545	/* close TUN/TAP device */
3546	do_close_tun (c, false);
3547
3548	#ifdef MANAGEMENT_DEF_AUTH
3549	if (management)
3550	management_notify_client_close (management, &c->c2.mda_context, NULL);
3551	#endif
3552
3553	#ifdef ENABLE_PF
3554	pf_destroy_context (&c->c2.pf);
3555	#endif
3556
3557	#ifdef ENABLE_PLUGIN
3558	/* call plugin close functions and unload */
3559	do_close_plugins (c);
3560	#endif
3561
3562	/* close packet-id persistance file */
3563	do_close_packet_id (c);
3564
3565	/* close --status file */
3566	do_close_status_output (c);
3567
3568	#ifdef ENABLE_FRAGMENT
3569	/* close fragmentation handler */
3570	do_close_fragment (c);
3571	#endif
3572
3573	/* close --ifconfig-pool-persist obj */
3574	do_close_ifconfig_pool_persist (c);
3575
3576	/* free up environmental variable store */
3577	do_env_set_destroy (c);
3578
3579	/* close HTTP or SOCKS proxy */
3580	uninit_proxy (c);
3581
3582	/* garbage collect */
3583	gc_free (&c->c2.gc);
3584	}
3585	}
3586
3587	void
3588	inherit_context_child (struct context *dest,
3589	const struct context *src)
3590	{
3591	CLEAR (*dest);
3592
3593	/* proto_is_dgram will ASSERT(0) if proto is invalid */
3594	dest->mode = proto_is_dgram(src->options.ce.proto)? CM_CHILD_UDP : CM_CHILD_TCP;
3595
3596	dest->gc = gc_new ();
3597
3598	ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
3599
3600	/* c1 init */
3601	packet_id_persist_init (&dest->c1.pid_persist);
3602
3603	#ifdef ENABLE_CRYPTO
3604	dest->c1.ks.key_type = src->c1.ks.key_type;
3605	#ifdef ENABLE_SSL
3606	/* inherit SSL context */
3607	dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
3608	dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
3609	#endif
3610	#endif
3611
3612	/* options */
3613	dest->options = src->options;
3614	options_detach (&dest->options);
3615
3616	if (dest->mode == CM_CHILD_TCP)
3617	{
3618	/*
3619	* The CM_TOP context does the socket listen(),
3620	* and the CM_CHILD_TCP context does the accept().
3621	*/
3622	dest->c2.accept_from = src->c2.link_socket;
3623	}
3624
3625	#ifdef ENABLE_PLUGIN
3626	/* inherit plugins */
3627	do_inherit_plugins (dest, src);
3628	#endif
3629
3630	/* context init */
3631	init_instance (dest, src->c2.es, CC_NO_CLOSE \| CC_USR1_TO_HUP);
3632	if (IS_SIG (dest))
3633	return;
3634
3635	/* inherit tun/tap interface object */
3636	dest->c1.tuntap = src->c1.tuntap;
3637
3638	/* UDP inherits some extra things which TCP does not */
3639	if (dest->mode == CM_CHILD_UDP)
3640	{
3641	/* inherit buffers */
3642	dest->c2.buffers = src->c2.buffers;
3643
3644	/* inherit parent link_socket and tuntap */
3645	dest->c2.link_socket = src->c2.link_socket;
3646
3647	ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
3648	*dest->c2.link_socket_info = src->c2.link_socket->info;
3649
3650	/* locally override some link_socket_info fields */
3651	dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
3652	dest->c2.link_socket_info->connection_established = false;
3653	}
3654	}
3655
3656	void
3657	inherit_context_top (struct context *dest,
3658	const struct context *src)
3659	{
3660	/* copy parent */
3661	dest = src;
3662
3663	/*
3664	* CM_TOP_CLONE will prevent close_instance from freeing or closing
3665	* resources owned by the parent.
3666	*
3667	* Also note that CM_TOP_CLONE context objects are
3668	* closed by multi_top_free in multi.c.
3669	*/
3670	dest->mode = CM_TOP_CLONE;
3671
3672	dest->first_time = false;
3673	dest->c0 = NULL;
3674
3675	options_detach (&dest->options);
3676	gc_detach (&dest->gc);
3677	gc_detach (&dest->c2.gc);
3678
3679	/* detach plugins */
3680	dest->plugins_owned = false;
3681
3682	#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
3683	dest->c2.tls_multi = NULL;
3684	#endif
3685
3686	/* detach c1 ownership */
3687	dest->c1.tuntap_owned = false;
3688	dest->c1.status_output_owned = false;
3689	#if P2MP_SERVER
3690	dest->c1.ifconfig_pool_persist_owned = false;
3691	#endif
3692
3693	/* detach c2 ownership */
3694	dest->c2.event_set_owned = false;
3695	dest->c2.link_socket_owned = false;
3696	dest->c2.buffers_owned = false;
3697	dest->c2.es_owned = false;
3698
3699	dest->c2.event_set = NULL;
3700	if (proto_is_dgram(src->options.ce.proto))
3701	do_event_set_init (dest, false);
3702	}
3703
3704	void
3705	close_context (struct context *c, int sig, unsigned int flags)
3706	{
3707	ASSERT (c);
3708	ASSERT (c->sig);
3709
3710	if (sig >= 0)
3711	c->sig->signal_received = sig;
3712
3713	if (c->sig->signal_received == SIGUSR1)
3714	{
3715	if ((flags & CC_USR1_TO_HUP)
3716	\|\| (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP)))
3717	c->sig->signal_received = SIGHUP;
3718	}
3719
3720	if (!(flags & CC_NO_CLOSE))
3721	close_instance (c);
3722
3723	if (flags & CC_GC_FREE)
3724	context_gc_free (c);
3725	}
3726
3727	#ifdef ENABLE_CRYPTO
3728
3729	/*
3730	* Do a loopback test
3731	* on the crypto subsystem.
3732	*/
3733	static void *
3734	test_crypto_thread (void *arg)
3735	{
3736	struct context c = (struct context ) arg;
3737	const struct options *options = &c->options;
3738
3739	ASSERT (options->test_crypto);
3740	init_verb_mute (c, IVM_LEVEL_1);
3741	context_init_1 (c);
3742	do_init_crypto_static (c, 0);
3743
3744	frame_finalize_options (c, options);
3745
3746	test_crypto (&c->c2.crypto_options, &c->c2.frame);
3747
3748	key_schedule_free (&c->c1.ks, true);
3749	packet_id_free (&c->c2.packet_id);
3750
3751	context_gc_free (c);
3752	return NULL;
3753	}
3754
3755	#endif
3756
3757	bool
3758	do_test_crypto (const struct options *o)
3759	{
3760	#ifdef ENABLE_CRYPTO
3761	if (o->test_crypto)
3762	{
3763	struct context c;
3764
3765	/* print version number */
3766	msg (M_INFO, "%s", title_string);
3767
3768	context_clear (&c);
3769	c.options = *o;
3770	options_detach (&c.options);
3771	c.first_time = true;
3772	test_crypto_thread ((void *) &c);
3773	return true;
3774	}
3775	#endif
3776	return false;
3777	}

Download in other formats:

Original Format