aboutsummaryrefslogtreecommitdiff
path: root/init.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 05:28:27 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 05:28:27 +0000
commit6fbf66fad3367b24fd6743bcd50254902fd9c8d5 (patch)
tree9802876e3771744eead18917bb47ff6e90ac39f5 /init.c
downloadopenvpn-6fbf66fad3367b24fd6743bcd50254902fd9c8d5.tar.xz
This is the start of the BETA21 branch.
It includes the --topology feature, and TAP-Win32 driver changes to allow non-admin access. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'init.c')
-rw-r--r--init.c2727
1 files changed, 2727 insertions, 0 deletions
diff --git a/init.c b/init.c
new file mode 100644
index 0000000..8a4c100
--- /dev/null
+++ b/init.c
@@ -0,0 +1,2727 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifdef WIN32
+#include "config-win32.h"
+#else
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#include "win32.h"
+#include "init.h"
+#include "sig.h"
+#include "occ.h"
+#include "list.h"
+#include "otime.h"
+#include "pool.h"
+#include "gremlin.h"
+
+#include "memdbg.h"
+
+#include "occ-inline.h"
+
+/*
+ * Crypto initialization flags
+ */
+#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
+#define CF_INIT_TLS_MULTI (1<<1)
+#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
+
+static void do_init_first_time (struct context *c);
+
+void
+context_clear (struct context *c)
+{
+ CLEAR (*c);
+}
+
+void
+context_clear_1 (struct context *c)
+{
+ CLEAR (c->c1);
+}
+
+void
+context_clear_2 (struct context *c)
+{
+ CLEAR (c->c2);
+}
+
+void
+context_clear_all_except_first_time (struct context *c)
+{
+ const bool first_time_save = c->first_time;
+ context_clear (c);
+ c->first_time = first_time_save;
+}
+
+/*
+ * Initialize and possibly randomize remote list.
+ */
+static void
+init_remote_list (struct context *c)
+{
+ c->c1.remote_list = NULL;
+
+ if (c->options.remote_list)
+ {
+ struct remote_list *l;
+ ALLOC_OBJ_GC (c->c1.remote_list, struct remote_list, &c->gc);
+ l = c->c1.remote_list;
+ *l = *c->options.remote_list;
+ l->current = -1;
+ if (c->options.remote_random)
+ remote_list_randomize (l);
+ }
+}
+
+void
+context_init_1 (struct context *c)
+{
+ context_clear_1 (c);
+
+ packet_id_persist_init (&c->c1.pid_persist);
+ init_remote_list (c);
+
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ /* Certificate password input */
+ if (c->options.key_pass_file)
+ pem_password_setup (c->options.key_pass_file);
+#endif
+
+#if P2MP
+ /* Auth user/pass input */
+ if (c->options.auth_user_pass_file)
+ {
+ auth_user_pass_setup (c->options.auth_user_pass_file);
+ }
+#endif
+
+#ifdef ENABLE_HTTP_PROXY
+ if (c->options.http_proxy_options)
+ {
+ /* Possible HTTP proxy user/pass input */
+ c->c1.http_proxy = new_http_proxy (c->options.http_proxy_options,
+ &c->gc);
+ }
+#endif
+
+#ifdef ENABLE_SOCKS
+ if (c->options.socks_proxy_server)
+ {
+ c->c1.socks_proxy = new_socks_proxy (c->options.socks_proxy_server,
+ c->options.socks_proxy_port,
+ c->options.socks_proxy_retry,
+ &c->gc);
+ }
+#endif
+}
+
+void
+context_gc_free (struct context *c)
+{
+ gc_free (&c->c2.gc);
+ gc_free (&c->options.gc);
+ gc_free (&c->gc);
+}
+
+bool
+init_static (void)
+{
+#if defined(USE_CRYPTO) && defined(DMALLOC)
+ openssl_dmalloc_init ();
+#endif
+
+ init_random_seed (); /* init random() function, only used as
+ source for weak random numbers */
+ error_reset (); /* initialize error.c */
+ reset_check_status (); /* initialize status check code in socket.c */
+
+#ifdef WIN32
+ init_win32 ();
+#endif
+
+#ifdef OPENVPN_DEBUG_COMMAND_LINE
+ {
+ int i;
+ for (i = 0; i < argc; ++i)
+ msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
+ }
+#endif
+
+ update_time ();
+
+#ifdef USE_CRYPTO
+ init_ssl_lib ();
+
+ /* init PRNG used for IV generation */
+ /* When forking, copy this to more places in the code to avoid fork
+ random-state predictability */
+ prng_init ();
+#endif
+
+#ifdef PID_TEST
+ packet_id_interactive_test (); /* test the sequence number code */
+ return false;
+#endif
+
+#ifdef SCHEDULE_TEST
+ schedule_test ();
+ return false;
+#endif
+
+#ifdef LIST_TEST
+ list_test ();
+ return false;
+#endif
+
+#ifdef IFCONFIG_POOL_TEST
+ ifconfig_pool_test (0x0A010004, 0x0A0100FF);
+ return false;
+#endif
+
+#ifdef CHARACTER_CLASS_DEBUG
+ character_class_debug ();
+ return false;
+#endif
+
+#ifdef EXTRACT_X509_FIELD_TEST
+ extract_x509_field_test ();
+ return false;
+#endif
+
+ return true;
+}
+
+void
+uninit_static (void)
+{
+ openvpn_thread_cleanup ();
+
+#ifdef USE_CRYPTO
+ free_ssl_lib ();
+#endif
+
+#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
+ show_tls_performance_stats ();
+#endif
+}
+
+void
+init_verb_mute (struct context *c, unsigned int flags)
+{
+ if (flags & IVM_LEVEL_1)
+ {
+ /* set verbosity and mute levels */
+ set_check_status (D_LINK_ERRORS, D_READ_WRITE);
+ set_debug_level (c->options.verbosity, SDL_CONSTRAIN);
+ set_mute_cutoff (c->options.mute);
+ }
+
+ /* special D_LOG_RW mode */
+ if (flags & IVM_LEVEL_2)
+ c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
+}
+
+/*
+ * Possibly set --dev based on --dev-node.
+ * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
+ * set --dev to tun.
+ */
+void
+init_options_dev (struct options *options)
+{
+ if (!options->dev)
+ options->dev = dev_component_in_dev_node (options->dev_node);
+}
+
+bool
+print_openssl_info (const struct options *options)
+{
+ /*
+ * OpenSSL info print mode?
+ */
+#ifdef USE_CRYPTO
+ if (options->show_ciphers || options->show_digests || options->show_engines
+#ifdef USE_SSL
+ || options->show_tls_ciphers
+#endif
+ )
+ {
+ if (options->show_ciphers)
+ show_available_ciphers ();
+ if (options->show_digests)
+ show_available_digests ();
+ if (options->show_engines)
+ show_available_engines ();
+#ifdef USE_SSL
+ if (options->show_tls_ciphers)
+ show_available_tls_ciphers ();
+#endif
+ return true;
+ }
+#endif
+ return false;
+}
+
+/*
+ * Static pre-shared key generation mode?
+ */
+bool
+do_genkey (const struct options * options)
+{
+#ifdef USE_CRYPTO
+ if (options->genkey)
+ {
+ int nbits_written;
+
+ notnull (options->shared_secret_file,
+ "shared secret output file (--secret)");
+
+ if (options->mlock) /* should we disable paging? */
+ do_mlockall (true);
+
+ nbits_written = write_key_file (2, options->shared_secret_file);
+
+ msg (D_GENKEY | M_NOPREFIX,
+ "Randomly generated %d bit key written to %s", nbits_written,
+ options->shared_secret_file);
+ return true;
+ }
+#endif
+ return false;
+}
+
+/*
+ * Persistent TUN/TAP device management mode?
+ */
+bool
+do_persist_tuntap (const struct options *options)
+{
+#ifdef TUNSETPERSIST
+ if (options->persist_config)
+ {
+ /* sanity check on options for --mktun or --rmtun */
+ notnull (options->dev, "TUN/TAP device (--dev)");
+ if (options->remote_list || options->ifconfig_local
+ || options->ifconfig_remote_netmask
+#ifdef USE_CRYPTO
+ || options->shared_secret_file
+#ifdef USE_SSL
+ || options->tls_server || options->tls_client
+#endif
+#endif
+ )
+ msg (M_FATAL|M_OPTERR,
+ "options --mktun or --rmtun should only be used together with --dev");
+ tuncfg (options->dev, options->dev_type, options->dev_node,
+ options->tun_ipv6, options->persist_mode);
+ return true;
+ }
+#endif
+ return false;
+}
+
+/*
+ * Should we become a daemon?
+ * Return true if we did it.
+ */
+static bool
+possibly_become_daemon (const struct options *options, const bool first_time)
+{
+ bool ret = false;
+ if (first_time && options->daemon)
+ {
+ ASSERT (!options->inetd);
+ if (daemon (options->cd_dir != NULL, options->log) < 0)
+ msg (M_ERR, "daemon() failed");
+ if (options->log)
+ set_std_files_to_null (true);
+ ret = true;
+ }
+ return ret;
+}
+
+/*
+ * Actually do UID/GID downgrade, and chroot, if requested.
+ */
+static void
+do_uid_gid_chroot (struct context *c, bool no_delay)
+{
+ static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
+
+ if (c->first_time && !c->c2.uid_gid_set)
+ {
+ /* chroot if requested */
+ if (c->options.chroot_dir)
+ {
+ if (no_delay)
+ do_chroot (c->options.chroot_dir);
+ else
+ msg (M_INFO, "NOTE: chroot %s", why_not);
+ }
+
+ /* set user and/or group that we want to setuid/setgid to */
+ if (no_delay)
+ {
+ set_group (&c->c2.group_state);
+ set_user (&c->c2.user_state);
+ c->c2.uid_gid_set = true;
+ }
+ else if (c->c2.uid_gid_specified)
+ {
+ msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
+ }
+ }
+}
+
+/*
+ * Return common name in a way that is formatted for
+ * prepending to msg() output.
+ */
+const char *
+format_common_name (struct context *c, struct gc_arena *gc)
+{
+ struct buffer out = alloc_buf_gc (256, gc);
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ if (c->c2.tls_multi)
+ {
+ buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
+ }
+#endif
+ return BSTR (&out);
+}
+
+void
+pre_setup (const struct options *options)
+{
+#ifdef WIN32
+ if (options->exit_event_name)
+ {
+ win32_signal_open (&win32_signal,
+ WSO_FORCE_SERVICE,
+ options->exit_event_name,
+ options->exit_event_initial_state);
+ }
+ else
+ {
+ win32_signal_open (&win32_signal,
+ WSO_FORCE_CONSOLE,
+ NULL,
+ false);
+
+ /* put a title on the top window bar */
+ if (win32_signal.mode == WSO_MODE_CONSOLE)
+ {
+ window_title_save (&window_title);
+ window_title_generate (options->config);
+ }
+ }
+#endif
+}
+
+void
+reset_coarse_timers (struct context *c)
+{
+ c->c2.coarse_timer_wakeup = 0;
+}
+
+/*
+ * Initialize timers
+ */
+static void
+do_init_timers (struct context *c, bool deferred)
+{
+ update_time ();
+ reset_coarse_timers (c);
+
+ /* initialize inactivity timeout */
+ if (c->options.inactivity_timeout)
+ event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
+
+ /* initialize pings */
+
+ if (c->options.ping_send_timeout)
+ event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
+
+ if (c->options.ping_rec_timeout)
+ event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
+
+ if (!deferred)
+ {
+ /* initialize connection establishment timer */
+ event_timeout_init (&c->c2.wait_for_connect, 1, now);
+
+#ifdef ENABLE_OCC
+ /* initialize occ timers */
+
+ if (c->options.occ
+ && !TLS_MODE (c)
+ && c->c2.options_string_local && c->c2.options_string_remote)
+ event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
+
+ if (c->options.mtu_test)
+ event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
+#endif
+
+ /* initialize packet_id persistence timer */
+#ifdef USE_CRYPTO
+ if (c->options.packet_id_file)
+ event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
+#endif
+
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ /* initialize tmp_int optimization that limits the number of times we call
+ tls_multi_process in the main event loop */
+ interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
+#endif
+ }
+}
+
+/*
+ * Initialize traffic shaper.
+ */
+static void
+do_init_traffic_shaper (struct context *c)
+{
+#ifdef HAVE_GETTIMEOFDAY
+ /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
+ if (c->options.shaper)
+ {
+ shaper_init (&c->c2.shaper, c->options.shaper);
+ shaper_msg (&c->c2.shaper);
+ }
+#endif
+}
+
+/*
+ * Allocate a route list structure if at least one
+ * --route option was specified.
+ */
+static void
+do_alloc_route_list (struct context *c)
+{
+ if (c->options.routes && !c->c1.route_list)
+ c->c1.route_list = new_route_list (&c->gc);
+}
+
+
+/*
+ * Initialize the route list, resolving any DNS names in route
+ * options and saving routes in the environment.
+ */
+static void
+do_init_route_list (const struct options *options,
+ struct route_list *route_list,
+ const struct link_socket_info *link_socket_info,
+ bool fatal,
+ struct env_set *es)
+{
+ const char *gw = NULL;
+ int dev = dev_type_enum (options->dev, options->dev_type);
+
+ if (dev == DEV_TYPE_TUN)
+ gw = options->ifconfig_remote_netmask;
+ if (options->route_default_gateway)
+ gw = options->route_default_gateway;
+
+ if (!init_route_list (route_list,
+ options->routes,
+ gw,
+ link_socket_current_remote (link_socket_info),
+ es))
+ {
+ if (fatal)
+ openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
+ }
+ else
+ {
+ /* copy routes to environment */
+ setenv_routes (es, route_list);
+ }
+}
+
+/*
+ * Called after all initialization has been completed.
+ */
+void
+initialization_sequence_completed (struct context *c, const unsigned int flags)
+{
+ static const char message[] = "Initialization Sequence Completed";
+
+ /* If we delayed UID/GID downgrade or chroot, do it now */
+ do_uid_gid_chroot (c, true);
+
+ /* Test if errors */
+ if (flags & ISC_ERRORS)
+#ifdef WIN32
+ msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
+#else
+ msg (M_INFO, "%s With Errors", message);
+#endif
+ else
+ msg (M_INFO, "%s", message);
+
+ /* Flag remote_list that we initialized */
+ if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && c->c1.remote_list && c->c1.remote_list->len > 1)
+ c->c1.remote_list->no_advance = true;
+
+#ifdef ENABLE_MANAGEMENT
+ /* Tell management interface that we initialized */
+ if (management)
+ {
+ in_addr_t tun_local = 0;
+ const char *detail = "SUCCESS";
+ if (c->c1.tuntap)
+ tun_local = c->c1.tuntap->local;
+ if (flags & ISC_ERRORS)
+ detail = "ERROR";
+ management_set_state (management,
+ OPENVPN_STATE_CONNECTED,
+ detail,
+ tun_local);
+ if (tun_local)
+ management_post_tunnel_open (management, tun_local);
+ }
+#endif
+
+}
+
+/*
+ * Possibly add routes and/or call route-up script
+ * based on options.
+ */
+void
+do_route (const struct options *options,
+ struct route_list *route_list,
+ const struct tuntap *tt,
+ const struct plugin_list *plugins,
+ struct env_set *es)
+{
+ if (!options->route_noexec && route_list)
+ add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es);
+
+ if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))
+ {
+ if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, es))
+ msg (M_WARN, "WARNING: route-up plugin call failed");
+ }
+
+ if (options->route_script)
+ {
+ setenv_str (es, "script_type", "route-up");
+ system_check (options->route_script, es, S_SCRIPT, "Route script failed");
+ }
+
+#ifdef WIN32
+ if (options->show_net_up)
+ {
+ show_routes (M_INFO|M_NOPREFIX);
+ show_adapters (M_INFO|M_NOPREFIX);
+ }
+ else if (check_debug_level (D_SHOW_NET))
+ {
+ show_routes (D_SHOW_NET|M_NOPREFIX);
+ show_adapters (D_SHOW_NET|M_NOPREFIX);
+ }
+#endif
+}
+
+/*
+ * Save current pulled options string in the c1 context store, so we can
+ * compare against it after possible future restarts.
+ */
+#if P2MP
+static void
+save_pulled_options_string (struct context *c, const char *newstring)
+{
+ if (c->c1.pulled_options_string_save)
+ free (c->c1.pulled_options_string_save);
+
+ c->c1.pulled_options_string_save = NULL;
+
+ if (newstring)
+ c->c1.pulled_options_string_save = string_alloc (newstring, NULL);
+}
+#endif
+
+/*
+ * initialize tun/tap device object
+ */
+static void
+do_init_tun (struct context *c)
+{
+ c->c1.tuntap = init_tun (c->options.dev,
+ c->options.dev_type,
+ c->options.ifconfig_local,
+ c->options.ifconfig_remote_netmask,
+ addr_host (&c->c1.link_socket_addr.local),
+ addr_host (&c->c1.link_socket_addr.remote),
+ !c->options.ifconfig_nowarn,
+ c->c2.es);
+
+ init_tun_post (c->c1.tuntap,
+ &c->c2.frame,
+ &c->options.tuntap_options);
+
+ c->c1.tuntap_owned = true;
+}
+
+/*
+ * Open tun/tap device, ifconfig, call up script, etc.
+ */
+
+static bool
+do_open_tun (struct context *c)
+{
+ struct gc_arena gc = gc_new ();
+ bool ret = false;
+
+ c->c2.ipv4_tun = (!c->options.tun_ipv6
+ && is_dev_type (c->options.dev, c->options.dev_type, "tun"));
+
+ if (!c->c1.tuntap)
+ {
+ /* initialize (but do not open) tun/tap object */
+ do_init_tun (c);
+
+ /* allocate route list structure */
+ do_alloc_route_list (c);
+
+ /* parse and resolve the route option list */
+ if (c->c1.route_list && c->c2.link_socket)
+ do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);
+
+ /* do ifconfig */
+ if (!c->options.ifconfig_noexec
+ && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN)
+ {
+ /* guess actual tun/tap unit number that will be returned
+ by open_tun */
+ const char *guess = guess_tuntap_dev (c->options.dev,
+ c->options.dev_type,
+ c->options.dev_node,
+ &gc);
+ do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
+ }
+
+ /* open the tun device */
+ open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
+ c->options.tun_ipv6, c->c1.tuntap);
+
+ /* do ifconfig */
+ if (!c->options.ifconfig_noexec
+ && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN)
+ {
+ do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
+ }
+
+ /* run the up script */
+ run_up_down (c->options.up_script,
+ c->c1.plugins,
+ OPENVPN_PLUGIN_UP,
+ c->c1.tuntap->actual_name,
+ TUN_MTU_SIZE (&c->c2.frame),
+ EXPANDED_SIZE (&c->c2.frame),
+ print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
+ "init",
+ NULL,
+ "up",
+ c->c2.es);
+
+ /* possibly add routes */
+ if (!c->options.route_delay_defined)
+ do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->c1.plugins, c->c2.es);
+
+ /*
+ * Did tun/tap driver give us an MTU?
+ */
+ if (c->c1.tuntap->post_open_mtu)
+ frame_set_mtu_dynamic (&c->c2.frame,
+ c->c1.tuntap->post_open_mtu,
+ SET_MTU_TUN | SET_MTU_UPPER_BOUND);
+
+ ret = true;
+ }
+ else
+ {
+ msg (M_INFO, "Preserving previous TUN/TAP instance: %s",
+ c->c1.tuntap->actual_name);
+
+ /* run the up script if user specified --up-restart */
+ if (c->options.up_restart)
+ run_up_down (c->options.up_script,
+ c->c1.plugins,
+ OPENVPN_PLUGIN_UP,
+ c->c1.tuntap->actual_name,
+ TUN_MTU_SIZE (&c->c2.frame),
+ EXPANDED_SIZE (&c->c2.frame),
+ print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
+ "restart",
+ NULL,
+ "up",
+ c->c2.es);
+ }
+ gc_free (&gc);
+ return ret;
+}
+
+/*
+ * Close TUN/TAP device
+ */
+
+static void
+do_close_tun_simple (struct context *c)
+{
+ msg (D_CLOSE, "Closing TUN/TAP interface");
+ close_tun (c->c1.tuntap);
+ c->c1.tuntap = NULL;
+ c->c1.tuntap_owned = false;
+#if P2MP
+ save_pulled_options_string (c, NULL); /* delete C1-saved pulled_options_string */
+#endif
+}
+
+static void
+do_close_tun (struct context *c, bool force)
+{
+ struct gc_arena gc = gc_new ();
+ if (c->c1.tuntap && c->c1.tuntap_owned)
+ {
+ const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
+ const in_addr_t local = c->c1.tuntap->local;
+ const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
+
+ if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
+ {
+#ifdef ENABLE_MANAGEMENT
+ /* tell management layer we are about to close the TUN/TAP device */
+ if (management)
+ management_pre_tunnel_close (management);
+#endif
+
+ /* delete any routes we added */
+ if (c->c1.route_list)
+ delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);
+
+ /* actually close tun/tap device based on --down-pre flag */
+ if (!c->options.down_pre)
+ do_close_tun_simple (c);
+
+ /* Run the down script -- note that it will run at reduced
+ privilege if, for example, "--user nobody" was used. */
+ run_up_down (c->options.down_script,
+ c->c1.plugins,
+ OPENVPN_PLUGIN_DOWN,
+ tuntap_actual,
+ TUN_MTU_SIZE (&c->c2.frame),
+ EXPANDED_SIZE (&c->c2.frame),
+ print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
+ "init",
+ signal_description (c->sig->signal_received,
+ c->sig->signal_text),
+ "down",
+ c->c2.es);
+
+ /* actually close tun/tap device based on --down-pre flag */
+ if (c->options.down_pre)
+ do_close_tun_simple (c);
+ }
+ else
+ {
+ /* run the down script on this restart if --up-restart was specified */
+ if (c->options.up_restart)
+ run_up_down (c->options.down_script,
+ c->c1.plugins,
+ OPENVPN_PLUGIN_DOWN,
+ tuntap_actual,
+ TUN_MTU_SIZE (&c->c2.frame),
+ EXPANDED_SIZE (&c->c2.frame),
+ print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
+ print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
+ "restart",
+ signal_description (c->sig->signal_received,
+ c->sig->signal_text),
+ "down",
+ c->c2.es);
+ }
+ }
+ gc_free (&gc);
+}
+
+/*
+ * Handle delayed tun/tap interface bringup due to --up-delay or --pull
+ */
+
+void
+do_up (struct context *c, bool pulled_options, unsigned int option_types_found)
+{
+ if (!c->c2.do_up_ran)
+ {
+ reset_coarse_timers (c);
+
+ if (pulled_options && option_types_found)
+ do_deferred_options (c, option_types_found);
+
+ /* if --up-delay specified, open tun, do ifconfig, and run up script now */
+ if (c->options.up_delay || PULL_DEFINED (&c->options))
+ {
+ c->c2.did_open_tun = do_open_tun (c);
+ update_time ();
+
+#if P2MP
+ /*
+ * Was tun interface object persisted from previous restart iteration,
+ * and if so did pulled options string change from previous iteration?
+ */
+ if (!c->c2.did_open_tun
+ && PULL_DEFINED (&c->options)
+ && c->c1.tuntap
+ && (!c->c1.pulled_options_string_save || !c->c2.pulled_options_string
+ || strcmp (c->c1.pulled_options_string_save, c->c2.pulled_options_string)))
+ {
+ /* if so, close tun, delete routes, then reinitialize tun and add routes */
+ msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
+ do_close_tun (c, true);
+ openvpn_sleep (1);
+ c->c2.did_open_tun = do_open_tun (c);
+ update_time ();
+ }
+#endif
+ }
+
+ if (c->c2.did_open_tun)
+ {
+#if P2MP
+ save_pulled_options_string (c, c->c2.pulled_options_string);
+#endif
+
+ /* if --route-delay was specified, start timer */
+ if (c->options.route_delay_defined)
+ {
+ event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now);
+ event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
+ }
+ else
+ {
+ initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */
+ }
+ }
+ else if (c->options.mode == MODE_POINT_TO_POINT)
+ {
+ initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */
+ }
+
+ c->c2.do_up_ran = true;
+ }
+}
+
+/*
+ * These are the option categories which will be accepted by pull.
+ */
+unsigned int
+pull_permission_mask (void)
+{
+ return ( OPT_P_UP
+ | OPT_P_ROUTE
+ | OPT_P_IPWIN32
+ | OPT_P_SETENV
+ | OPT_P_SHAPER
+ | OPT_P_TIMER
+ | OPT_P_PERSIST
+ | OPT_P_MESSAGES
+ | OPT_P_EXPLICIT_NOTIFY
+ | OPT_P_ECHO);
+}
+
+/*
+ * Handle non-tun-related pulled options.
+ */
+void
+do_deferred_options (struct context *c, const unsigned int found)
+{
+ if (found & OPT_P_MESSAGES)
+ {
+ init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2);
+ msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
+ }
+ if (found & OPT_P_TIMER)
+ {
+ do_init_timers (c, true);
+ msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
+ }
+
+#ifdef ENABLE_OCC
+ if (found & OPT_P_EXPLICIT_NOTIFY)
+ {
+ if (c->options.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)
+ {
+ msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
+ c->options.explicit_exit_notification = 0;
+ }
+ else
+ msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
+ }
+#endif
+
+ if (found & OPT_P_SHAPER)
+ {
+ msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
+ do_init_traffic_shaper (c);
+ }
+
+ if (found & OPT_P_PERSIST)
+ msg (D_PUSH, "OPTIONS IMPORT: --persist options modified");
+ if (found & OPT_P_UP)
+ msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
+ if (found & OPT_P_ROUTE)
+ msg (D_PUSH, "OPTIONS IMPORT: route options modified");
+ if (found & OPT_P_IPWIN32)
+ msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
+ if (found & OPT_P_SETENV)
+ msg (D_PUSH, "OPTIONS IMPORT: environment modified");
+}
+
+/*
+ * Possible hold on initialization
+ */
+static bool
+do_hold (struct context *c)
+{
+#ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+ /* if c is defined, daemonize before hold */
+ if (c && c->options.daemon && management_would_hold (management))
+ do_init_first_time (c);
+
+ /* block until management hold is released */
+ if (management_hold (management))
+ return true;
+ }
+#endif
+ return false;
+}
+
+/*
+ * Sleep before restart.
+ */
+static void
+socket_restart_pause (struct context *c)
+{
+ bool proxy = false;
+ int sec = 2;
+
+#ifdef ENABLE_HTTP_PROXY
+ if (c->options.http_proxy_options)
+ proxy = true;
+#endif
+#ifdef ENABLE_SOCKS
+ if (c->options.socks_proxy_server)
+ proxy = true;
+#endif
+
+ switch (c->options.proto)
+ {
+ case PROTO_UDPv4:
+ if (proxy)
+ sec = c->options.connect_retry_seconds;
+ break;
+ case PROTO_TCPv4_SERVER:
+ sec = 1;
+ break;
+ case PROTO_TCPv4_CLIENT:
+ sec = c->options.connect_retry_seconds;
+ break;
+ }
+
+#ifdef ENABLE_DEBUG
+ if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin))
+ sec = 0;
+#endif
+
+#if P2MP
+ if (auth_retry_get () == AR_NOINTERACT)
+ sec = 10;
+#endif
+
+ if (do_hold (NULL))
+ sec = 0;
+
+ if (sec)
+ {
+ msg (D_RESTART, "Restart pause, %d second(s)", sec);
+ openvpn_sleep (sec);
+ }
+}
+
+/*
+ * Do a possible pause on context_2 initialization.
+ */
+static void
+do_startup_pause (struct context *c)
+{
+ if (!c->first_time)
+ socket_restart_pause (c);
+ else
+ do_hold (NULL);
+}
+
+/*
+ * Finalize MTU parameters based on command line or config file options.
+ */
+static void
+frame_finalize_options (struct context *c, const struct options *o)
+{
+ if (!o)
+ o = &c->options;
+
+ /*
+ * Set adjustment factor for buffer alignment when no
+ * cipher is used.
+ */
+ if (!CIPHER_ENABLED (c))
+ {
+ frame_align_to_extra_frame (&c->c2.frame);
+ frame_or_align_flags (&c->c2.frame,
+ FRAME_HEADROOM_MARKER_FRAGMENT
+ |FRAME_HEADROOM_MARKER_READ_LINK
+ |FRAME_HEADROOM_MARKER_READ_STREAM);
+ }
+
+ frame_finalize (&c->c2.frame,
+ o->link_mtu_defined,
+ o->link_mtu,
+ o->tun_mtu_defined,
+ o->tun_mtu);
+}
+
+/*
+ * Free a key schedule, including OpenSSL components.
+ */
+static void
+key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
+{
+#ifdef USE_CRYPTO
+ free_key_ctx_bi (&ks->static_key);
+#ifdef USE_SSL
+ if (ks->ssl_ctx && free_ssl_ctx)
+ {
+ SSL_CTX_free (ks->ssl_ctx);
+ free_key_ctx_bi (&ks->tls_auth_key);
+ }
+#endif /* USE_SSL */
+#endif /* USE_CRYPTO */
+ CLEAR (*ks);
+}
+
+#ifdef USE_CRYPTO
+
+static void
+init_crypto_pre (struct context *c, const unsigned int flags)
+{
+ if (c->options.engine)
+ init_crypto_lib_engine (c->options.engine);
+
+ if (flags & CF_LOAD_PERSISTED_PACKET_ID)
+ {
+ /* load a persisted packet-id for cross-session replay-protection */
+ if (c->options.packet_id_file)
+ packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
+ }
+
+ /* Initialize crypto options */
+
+ if (c->options.use_iv)
+ c->c2.crypto_options.flags |= CO_USE_IV;
+
+ if (c->options.mute_replay_warnings)
+ c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
+}
+
+/*
+ * Static Key Mode (using a pre-shared key)
+ */
+static void
+do_init_crypto_static (struct context *c, const unsigned int flags)
+{
+ const struct options *options = &c->options;
+ ASSERT (options->shared_secret_file);
+
+ init_crypto_pre (c, flags);
+
+ /* Initialize packet ID tracking */
+ if (options->replay)
+ {
+ packet_id_init (&c->c2.packet_id, options->replay_window,
+ options->replay_time);
+ c->c2.crypto_options.packet_id = &c->c2.packet_id;
+ c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
+ c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
+ packet_id_persist_load_obj (&c->c1.pid_persist,
+ c->c2.crypto_options.packet_id);
+ }
+
+ if (!key_ctx_bi_defined (&c->c1.ks.static_key))
+ {
+ struct key2 key2;
+ struct key_direction_state kds;
+
+ /* Get cipher & hash algorithms */
+ init_key_type (&c->c1.ks.key_type, options->ciphername,
+ options->ciphername_defined, options->authname,
+ options->authname_defined, options->keysize,
+ options->test_crypto, true);
+
+ /* Read cipher and hmac keys from shared secret file */
+ read_key_file (&key2, options->shared_secret_file, true);
+
+ /* Check for and fix highly unlikely key problems */
+ verify_fix_key2 (&key2, &c->c1.ks.key_type,
+ options->shared_secret_file);
+
+ /* Initialize OpenSSL key objects */
+ key_direction_state_init (&kds, options->key_direction);
+ must_have_n_keys (options->shared_secret_file, "secret", &key2,
+ kds.need_keys);
+ init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
+ &c->c1.ks.key_type, DO_ENCRYPT, "Static Encrypt");
+ init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
+ &c->c1.ks.key_type, DO_DECRYPT, "Static Decrypt");
+
+ /* Erase the temporary copy of key */
+ CLEAR (key2);
+ }
+ else
+ {
+ msg (M_INFO, "Re-using pre-shared static key");
+ }
+
+ /* Get key schedule */
+ c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
+
+ /* Compute MTU parameters */
+ crypto_adjust_frame_parameters (&c->c2.frame,
+ &c->c1.ks.key_type,
+ options->ciphername_defined,
+ options->use_iv, options->replay, true);
+
+ /* Sanity check on IV, sequence number, and cipher mode options */
+ check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
+ options->use_iv);
+}
+
+#ifdef USE_SSL
+
+/*
+ * Initialize the persistent component of OpenVPN's TLS mode,
+ * which is preserved across SIGUSR1 resets.
+ */
+static void
+do_init_crypto_tls_c1 (struct context *c)
+{
+ const struct options *options = &c->options;
+
+ if (!c->c1.ks.ssl_ctx)
+ {
+ /*
+ * Initialize the OpenSSL library's global
+ * SSL context.
+ */
+ c->c1.ks.ssl_ctx = init_ssl (options);
+ if (!c->c1.ks.ssl_ctx)
+ {
+#if P2MP
+ switch (auth_retry_get ())
+ {
+ case AR_NONE:
+ msg (M_FATAL, "Error: private key password verification failed");
+ break;
+ case AR_INTERACT:
+ ssl_purge_auth ();
+ case AR_NOINTERACT:
+ c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
+ break;
+ default:
+ ASSERT (0);
+ }
+ c->sig->signal_text = "private-key-password-failure";
+ return;
+#else
+ msg (M_FATAL, "Error: private key password verification failed");
+#endif
+ }
+
+ /* Get cipher & hash algorithms */
+ init_key_type (&c->c1.ks.key_type, options->ciphername,
+ options->ciphername_defined, options->authname,
+ options->authname_defined, options->keysize, true, true);
+
+ /* TLS handshake authentication (--tls-auth) */
+ if (options->tls_auth_file)
+ get_tls_handshake_key (&c->c1.ks.key_type,
+ &c->c1.ks.tls_auth_key,
+ options->tls_auth_file,
+ options->key_direction);
+ }
+ else
+ {
+ msg (M_INFO, "Re-using SSL/TLS context");
+ }
+}
+
+static void
+do_init_crypto_tls (struct context *c, const unsigned int flags)
+{
+ const struct options *options = &c->options;
+ struct tls_options to;
+ bool packet_id_long_form;
+
+ ASSERT (options->tls_server || options->tls_client);
+ ASSERT (!options->test_crypto);
+
+ init_crypto_pre (c, flags);
+
+ /* Make sure we are either a TLS client or server but not both */
+ ASSERT (options->tls_server == !options->tls_client);
+
+ /* initialize persistent component */
+ do_init_crypto_tls_c1 (c);
+ if (IS_SIG (c))
+ return;
+
+ /* Sanity check on IV, sequence number, and cipher mode options */
+ check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
+ options->use_iv);
+
+ /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
+ packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type);
+
+ /* Compute MTU parameters */
+ crypto_adjust_frame_parameters (&c->c2.frame,
+ &c->c1.ks.key_type,
+ options->ciphername_defined,
+ options->use_iv,
+ options->replay, packet_id_long_form);
+ tls_adjust_frame_parameters (&c->c2.frame);
+
+ /* Set all command-line TLS-related options */
+ CLEAR (to);
+
+ to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
+ if (packet_id_long_form)
+ to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
+
+ to.ssl_ctx = c->c1.ks.ssl_ctx;
+ to.key_type = c->c1.ks.key_type;
+ to.server = options->tls_server;
+ to.key_method = options->key_method;
+ to.replay = options->replay;
+ to.replay_window = options->replay_window;
+ to.replay_time = options->replay_time;
+ to.transition_window = options->transition_window;
+ to.handshake_window = options->handshake_window;
+ to.packet_timeout = options->tls_timeout;
+ to.renegotiate_bytes = options->renegotiate_bytes;
+ to.renegotiate_packets = options->renegotiate_packets;
+ to.renegotiate_seconds = options->renegotiate_seconds;
+ to.single_session = options->single_session;
+
+#ifdef ENABLE_OCC
+ to.disable_occ = !options->occ;
+#endif
+
+ to.verify_command = options->tls_verify;
+ to.verify_x509name = options->tls_remote;
+ to.crl_file = options->crl_file;
+ to.ns_cert_type = options->ns_cert_type;
+ to.es = c->c2.es;
+
+#ifdef ENABLE_DEBUG
+ to.gremlin = c->options.gremlin;
+#endif
+
+ to.plugins = c->c1.plugins;
+
+#if P2MP_SERVER
+ to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
+ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
+ to.tmp_dir = options->tmp_dir;
+ to.username_as_common_name = options->username_as_common_name;
+ if (options->ccd_exclusive)
+ to.client_config_dir_exclusive = options->client_config_dir;
+#endif
+
+ /* TLS handshake authentication (--tls-auth) */
+ if (options->tls_auth_file)
+ {
+ to.tls_auth_key = c->c1.ks.tls_auth_key;
+ to.tls_auth.pid_persist = &c->c1.pid_persist;
+ to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
+ crypto_adjust_frame_parameters (&to.frame,
+ &c->c1.ks.key_type,
+ false, false, true, true);
+ }
+
+ /* If we are running over TCP, allow for
+ length prefix */
+ socket_adjust_frame_parameters (&to.frame, options->proto);
+
+ /*
+ * Initialize OpenVPN's master TLS-mode object.
+ */
+ if (flags & CF_INIT_TLS_MULTI)
+ c->c2.tls_multi = tls_multi_init (&to);
+
+ if (flags & CF_INIT_TLS_AUTH_STANDALONE)
+ c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc);
+}
+
+static void
+do_init_finalize_tls_frame (struct context *c)
+{
+ if (c->c2.tls_multi)
+ {
+ tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame);
+ ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <=
+ EXPANDED_SIZE (&c->c2.frame));
+ frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO,
+ "Control Channel MTU parms");
+ }
+ if (c->c2.tls_auth_standalone)
+ {
+ tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame);
+ frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
+ "TLS-Auth MTU parms");
+ }
+}
+
+#endif /* USE_SSL */
+#endif /* USE_CRYPTO */
+
+#ifdef USE_CRYPTO
+/*
+ * No encryption or authentication.
+ */
+static void
+do_init_crypto_none (const struct context *c)
+{
+ ASSERT (!c->options.test_crypto);
+ msg (M_WARN,
+ "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+}
+#endif
+
+static void
+do_init_crypto (struct context *c, const unsigned int flags)
+{
+#ifdef USE_CRYPTO
+ if (c->options.shared_secret_file)
+ do_init_crypto_static (c, flags);
+#ifdef USE_SSL
+ else if (c->options.tls_server || c->options.tls_client)
+ do_init_crypto_tls (c, flags);
+#endif
+ else /* no encryption or authentication. */
+ do_init_crypto_none (c);
+#else /* USE_CRYPTO */
+ msg (M_WARN,
+ "******* WARNING *******: " PACKAGE_NAME
+ " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+#endif /* USE_CRYPTO */
+}
+
+static void
+do_init_frame (struct context *c)
+{
+#ifdef USE_LZO
+ /*
+ * Initialize LZO compression library.
+ */
+ if (c->options.comp_lzo)
+ {
+ lzo_adjust_frame_parameters (&c->c2.frame);
+
+ /*
+ * LZO usage affects buffer alignment.
+ */
+ if (CIPHER_ENABLED (c))
+ {
+ frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN);
+ frame_or_align_flags (&c->c2.frame,
+ FRAME_HEADROOM_MARKER_FRAGMENT
+ |FRAME_HEADROOM_MARKER_DECRYPT);
+ }
+
+#ifdef ENABLE_FRAGMENT
+ lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
+#endif
+ }
+#endif
+
+#ifdef ENABLE_SOCKS
+ /*
+ * Adjust frame size for UDP Socks support.
+ */
+ if (c->options.socks_proxy_server)
+ socks_adjust_frame_parameters (&c->c2.frame, c->options.proto);
+#endif
+
+ /*
+ * Adjust frame size based on the --tun-mtu-extra parameter.
+ */
+ if (c->options.tun_mtu_extra_defined)
+ tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra);
+
+ /*
+ * Adjust frame size based on link socket parameters.
+ * (Since TCP is a stream protocol, we need to insert
+ * a packet length uint16_t in the buffer.)
+ */
+ socket_adjust_frame_parameters (&c->c2.frame, c->options.proto);
+
+ /*
+ * Fill in the blanks in the frame parameters structure,
+ * make sure values are rational, etc.
+ */
+ frame_finalize_options (c, NULL);
+
+#ifdef ENABLE_FRAGMENT
+ /*
+ * Set frame parameter for fragment code. This is necessary because
+ * the fragmentation code deals with payloads which have already been
+ * passed through the compression code.
+ */
+ c->c2.frame_fragment = c->c2.frame;
+ frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
+#endif
+
+#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
+ /*
+ * MTU advisories
+ */
+ if (c->options.fragment && c->options.mtu_test)
+ msg (M_WARN,
+ "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
+#endif
+
+#ifdef ENABLE_FRAGMENT
+ if ((c->options.mssfix || c->options.fragment)
+ && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)
+ msg (M_WARN,
+ "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
+ ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment));
+#endif
+}
+
+static void
+do_option_warnings (struct context *c)
+{
+ const struct options *o = &c->options;
+
+#if 1 /* JYFIXME -- port warning */
+ if (!o->port_option_used && (o->local_port == OPENVPN_PORT && o->remote_port == OPENVPN_PORT))
+ msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",
+ OPENVPN_PORT);
+#endif
+
+ if (o->ping_send_timeout && !o->ping_rec_timeout)
+ msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
+
+ if ((o->username || o->groupname || o->chroot_dir) && (!o->persist_tun || !o->persist_key))
+ msg (M_WARN, "WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail");
+
+#if P2MP
+ if (o->pull && o->ifconfig_local && c->first_time)
+ msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
+
+#if P2MP_SERVER
+ if (o->mode == MODE_SERVER)
+ {
+ if (o->duplicate_cn && o->client_config_dir)
+ msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
+ if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
+ msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
+ if (!o->keepalive_ping || !o->keepalive_timeout)
+ msg (M_WARN, "WARNING: --keepalive option is missing from server config");
+ }
+#endif
+#endif
+
+#ifdef USE_CRYPTO
+ if (!o->replay)
+ msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
+ if (!o->use_iv)
+ msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
+
+#ifdef USE_SSL
+ if (o->tls_client
+ && !o->tls_verify
+ && !o->tls_remote
+ && !(o->ns_cert_type & NS_SSL_SERVER))
+ msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
+#endif
+
+#endif
+}
+
+static void
+do_init_frame_tls (struct context *c)
+{
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ do_init_finalize_tls_frame (c);
+#endif
+}
+
+struct context_buffers *
+init_context_buffers (const struct frame *frame)
+{
+ struct context_buffers *b;
+
+ ALLOC_OBJ_CLEAR (b, struct context_buffers);
+
+ b->read_link_buf = alloc_buf (BUF_SIZE (frame));
+ b->read_tun_buf = alloc_buf (BUF_SIZE (frame));
+
+ b->aux_buf = alloc_buf (BUF_SIZE (frame));
+
+#ifdef USE_CRYPTO
+ b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
+ b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
+#endif
+
+#ifdef USE_LZO
+ b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame));
+ b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame));
+#endif
+
+ return b;
+}
+
+void
+free_context_buffers (struct context_buffers *b)
+{
+ if (b)
+ {
+ free_buf (&b->read_link_buf);
+ free_buf (&b->read_tun_buf);
+ free_buf (&b->aux_buf);
+
+#ifdef USE_LZO
+ free_buf (&b->lzo_compress_buf);
+ free_buf (&b->lzo_decompress_buf);
+#endif
+
+#ifdef USE_CRYPTO
+ free_buf (&b->encrypt_buf);
+ free_buf (&b->decrypt_buf);
+#endif
+
+ free (b);
+ }
+}
+
+/*
+ * Now that we know all frame parameters, initialize
+ * our buffers.
+ */
+static void
+do_init_buffers (struct context *c)
+{
+ c->c2.buffers = init_context_buffers (&c->c2.frame);
+ c->c2.buffers_owned = true;
+}
+
+#ifdef ENABLE_FRAGMENT
+/*
+ * Fragmenting code has buffers to initialize
+ * once frame parameters are known.
+ */
+static void
+do_init_fragment (struct context *c)
+{
+ ASSERT (c->options.fragment);
+ frame_set_mtu_dynamic (&c->c2.frame_fragment,
+ c->options.fragment, SET_MTU_UPPER_BOUND);
+ fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);
+}
+#endif
+
+/*
+ * Set the --mssfix option.
+ */
+static void
+do_init_mssfix (struct context *c)
+{
+ if (c->options.mssfix)
+ {
+ frame_set_mtu_dynamic (&c->c2.frame,
+ c->options.mssfix, SET_MTU_UPPER_BOUND);
+ }
+}
+
+/*
+ * Allocate our socket object.
+ */
+static void
+do_link_socket_new (struct context *c)
+{
+ ASSERT (!c->c2.link_socket);
+ c->c2.link_socket = link_socket_new ();
+ c->c2.link_socket_owned = true;
+}
+
+/*
+ * bind the TCP/UDP socket
+ */
+static void
+do_init_socket_1 (struct context *c, int mode)
+{
+ link_socket_init_phase1 (c->c2.link_socket,
+ c->options.local,
+ c->c1.remote_list,
+ c->options.local_port,
+ c->options.proto,
+ mode,
+ c->c2.accept_from,
+#ifdef ENABLE_HTTP_PROXY
+ c->c1.http_proxy,
+#endif
+#ifdef ENABLE_SOCKS
+ c->c1.socks_proxy,
+#endif
+#ifdef ENABLE_DEBUG
+ c->options.gremlin,
+#endif
+ c->options.bind_local,
+ c->options.remote_float,
+ c->options.inetd,
+ &c->c1.link_socket_addr,
+ c->options.ipchange,
+ c->c1.plugins,
+ c->options.resolve_retry_seconds,
+ c->options.connect_retry_seconds,
+ c->options.mtu_discover_type,
+ c->options.rcvbuf,
+ c->options.sndbuf);
+}
+
+/*
+ * finalize the TCP/UDP socket
+ */
+static void
+do_init_socket_2 (struct context *c)
+{
+ link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame,
+ &c->sig->signal_received);
+}
+
+/*
+ * Print MTU INFO
+ */
+static void
+do_print_data_channel_mtu_parms (struct context *c)
+{
+ frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
+#ifdef ENABLE_FRAGMENT
+ if (c->c2.fragment)
+ frame_print (&c->c2.frame_fragment, D_MTU_INFO,
+ "Fragmentation MTU parms");
+#endif
+}
+
+#ifdef ENABLE_OCC
+/*
+ * Get local and remote options compatibility strings.
+ */
+static void
+do_compute_occ_strings (struct context *c)
+{
+ struct gc_arena gc = gc_new ();
+
+ c->c2.options_string_local =
+ options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
+ c->c2.options_string_remote =
+ options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
+
+ msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local);
+ msg (D_SHOW_OCC, "Expected Remote Options String: '%s'",
+ c->c2.options_string_remote);
+
+#ifdef USE_CRYPTO
+ msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
+ options_string_version (c->c2.options_string_local, &gc),
+ md5sum ((uint8_t*)c->c2.options_string_local,
+ strlen (c->c2.options_string_local), 9, &gc));
+ msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
+ options_string_version (c->c2.options_string_remote, &gc),
+ md5sum ((uint8_t*)c->c2.options_string_remote,
+ strlen (c->c2.options_string_remote), 9, &gc));
+#endif
+
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ if (c->c2.tls_multi)
+ tls_multi_init_set_options (c->c2.tls_multi,
+ c->c2.options_string_local,
+ c->c2.options_string_remote);
+#endif
+
+ gc_free (&gc);
+}
+#endif
+
+/*
+ * These things can only be executed once per program instantiation.
+ * Set up for possible UID/GID downgrade, but don't do it yet.
+ * Daemonize if requested.
+ */
+static void
+do_init_first_time (struct context *c)
+{
+ if (c->first_time && !c->c2.did_we_daemonize)
+ {
+ /* get user and/or group that we want to setuid/setgid to */
+ c->c2.uid_gid_specified =
+ get_group (c->options.groupname, &c->c2.group_state) |
+ get_user (c->options.username, &c->c2.user_state);
+
+ /* get --writepid file descriptor */
+ get_pid_file (c->options.writepid, &c->c2.pid_state);
+
+ /* become a daemon if --daemon */
+ c->c2.did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
+
+ /* should we disable paging? */
+ if (c->options.mlock && c->c2.did_we_daemonize)
+ do_mlockall (true); /* call again in case we daemonized */
+
+ /* save process ID in a file */
+ write_pid (&c->c2.pid_state);
+
+ /* should we change scheduling priority? */
+ set_nice (c->options.nice);
+ }
+}
+
+/*
+ * If xinetd/inetd mode, don't allow restart.
+ */
+static void
+do_close_check_if_restart_permitted (struct context *c)
+{
+ if (c->options.inetd
+ && (c->sig->signal_received == SIGHUP
+ || c->sig->signal_received == SIGUSR1))
+ {
+ c->sig->signal_received = SIGTERM;
+ msg (M_INFO,
+ PACKAGE_NAME
+ " started by inetd/xinetd cannot restart... Exiting.");
+ }
+}
+
+/*
+ * free buffers
+ */
+static void
+do_close_free_buf (struct context *c)
+{
+ if (c->c2.buffers_owned)
+ {
+ free_context_buffers (c->c2.buffers);
+ c->c2.buffers = NULL;
+ c->c2.buffers_owned = false;
+ }
+}
+
+/*
+ * close TLS
+ */
+static void
+do_close_tls (struct context *c)
+{
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ if (c->c2.tls_multi)
+ {
+ tls_multi_free (c->c2.tls_multi, true);
+ c->c2.tls_multi = NULL;
+ }
+
+#ifdef ENABLE_OCC
+ /* free options compatibility strings */
+ if (c->c2.options_string_local)
+ free (c->c2.options_string_local);
+ if (c->c2.options_string_remote)
+ free (c->c2.options_string_remote);
+ c->c2.options_string_local = c->c2.options_string_remote = NULL;
+#endif
+#endif
+}
+
+/*
+ * Free key schedules
+ */
+static void
+do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
+{
+ if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
+ key_schedule_free (&c->c1.ks, free_ssl_ctx);
+}
+
+/*
+ * Close TCP/UDP connection
+ */
+static void
+do_close_link_socket (struct context *c)
+{
+ if (c->c2.link_socket && c->c2.link_socket_owned)
+ {
+ link_socket_close (c->c2.link_socket);
+ c->c2.link_socket = NULL;
+ }
+
+ if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
+ {
+ CLEAR (c->c1.link_socket_addr.remote);
+ CLEAR (c->c1.link_socket_addr.actual);
+ }
+
+ if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
+ CLEAR (c->c1.link_socket_addr.local);
+}
+
+/*
+ * Close packet-id persistance file
+ */
+static void
+do_close_packet_id (struct context *c)
+{
+#ifdef USE_CRYPTO
+ packet_id_free (&c->c2.packet_id);
+ packet_id_persist_save (&c->c1.pid_persist);
+ if (!(c->sig->signal_received == SIGUSR1))
+ packet_id_persist_close (&c->c1.pid_persist);
+#endif
+}
+
+#ifdef ENABLE_FRAGMENT
+/*
+ * Close fragmentation handler.
+ */
+static void
+do_close_fragment (struct context *c)
+{
+ if (c->c2.fragment)
+ {
+ fragment_free (c->c2.fragment);
+ c->c2.fragment = NULL;
+ }
+}
+#endif
+
+/*
+ * Open and close our event objects.
+ */
+
+static void
+do_event_set_init (struct context *c,
+ bool need_us_timeout)
+{
+ unsigned int flags = 0;
+
+ c->c2.event_set_max = BASE_N_EVENTS;
+
+ flags |= EVENT_METHOD_FAST;
+
+ if (need_us_timeout)
+ flags |= EVENT_METHOD_US_TIMEOUT;
+
+ c->c2.event_set = event_set_init (&c->c2.event_set_max, flags);
+ c->c2.event_set_owned = true;
+}
+
+static void
+do_close_event_set (struct context *c)
+{
+ if (c->c2.event_set && c->c2.event_set_owned)
+ {
+ event_free (c->c2.event_set);
+ c->c2.event_set = NULL;
+ c->c2.event_set_owned = false;
+ }
+}
+
+/*
+ * Open and close --status file
+ */
+
+static void
+do_open_status_output (struct context *c)
+{
+ if (!c->c1.status_output)
+ {
+ c->c1.status_output = status_open (c->options.status_file,
+ c->options.status_file_update_freq,
+ -1,
+ NULL,
+ STATUS_OUTPUT_WRITE);
+ c->c1.status_output_owned = true;
+ }
+}
+
+static void
+do_close_status_output (struct context *c)
+{
+ if (!(c->sig->signal_received == SIGUSR1))
+ {
+ if (c->c1.status_output_owned && c->c1.status_output)
+ {
+ status_close (c->c1.status_output);
+ c->c1.status_output = NULL;
+ c->c1.status_output_owned = false;
+ }
+ }
+}
+
+/*
+ * Handle ifconfig-pool persistance object.
+ */
+static void
+do_open_ifconfig_pool_persist (struct context *c)
+{
+#if P2MP_SERVER
+ if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
+ {
+ c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename,
+ c->options.ifconfig_pool_persist_refresh_freq);
+ c->c1.ifconfig_pool_persist_owned = true;
+ }
+#endif
+}
+
+static void
+do_close_ifconfig_pool_persist (struct context *c)
+{
+#if P2MP_SERVER
+ if (!(c->sig->signal_received == SIGUSR1))
+ {
+ if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
+ {
+ ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist);
+ c->c1.ifconfig_pool_persist = NULL;
+ c->c1.ifconfig_pool_persist_owned = false;
+ }
+ }
+#endif
+}
+
+/*
+ * Inherit environmental variables
+ */
+
+static void
+do_inherit_env (struct context *c, const struct env_set *src)
+{
+ c->c2.es = env_set_create (&c->c2.gc);
+ env_set_inherit (c->c2.es, src);
+}
+
+/*
+ * Fast I/O setup. Fast I/O is an optimization which only works
+ * if all of the following are true:
+ *
+ * (1) The platform is not Windows
+ * (2) --proto udp is enabled
+ * (3) --shaper is disabled
+ */
+static void
+do_setup_fast_io (struct context *c)
+{
+ if (c->options.fast_io)
+ {
+#ifdef WIN32
+ msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
+#else
+ if (c->options.proto != PROTO_UDPv4)
+ msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
+ else
+ {
+ if (c->options.shaper)
+ msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
+ else
+ {
+ c->c2.fast_io = true;
+ }
+ }
+#endif
+ }
+}
+
+static void
+do_signal_on_tls_errors (struct context *c)
+{
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ if (c->options.tls_exit)
+ c->c2.tls_exit_signal = SIGTERM;
+ else
+ c->c2.tls_exit_signal = SIGUSR1;
+#endif
+}
+
+
+static void
+do_open_plugins (struct context *c)
+{
+#ifdef ENABLE_PLUGIN
+ if (c->options.plugin_list && !c->c1.plugins)
+ {
+ c->c1.plugins = plugin_list_open (c->options.plugin_list, c->c2.es);
+ c->c1.plugins_owned = true;
+ }
+#endif
+}
+
+static void
+do_close_plugins (struct context *c)
+{
+#ifdef ENABLE_PLUGIN
+ if (c->c1.plugins && c->c1.plugins_owned && !(c->sig->signal_received == SIGUSR1))
+ {
+ plugin_list_close (c->c1.plugins);
+ c->c1.plugins = NULL;
+ c->c1.plugins_owned = false;
+ }
+#endif
+}
+
+#ifdef ENABLE_MANAGEMENT
+
+static void
+management_callback_status_p2p (void *arg, const int version, struct status_output *so)
+{
+ struct context *c = (struct context *) arg;
+ print_status (c, so);
+}
+
+void
+management_show_net_callback (void *arg, const int msglevel)
+{
+#ifdef WIN32
+ show_routes (msglevel);
+ show_adapters (msglevel);
+ msg (msglevel, "END");
+#else
+ msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
+#endif
+}
+
+#endif
+
+void
+init_management_callback_p2p (struct context *c)
+{
+#ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+ struct management_callback cb;
+ CLEAR (cb);
+ cb.arg = c;
+ cb.status = management_callback_status_p2p;
+ cb.show_net = management_show_net_callback;
+ management_set_callback (management, &cb);
+ }
+#endif
+}
+
+#ifdef ENABLE_MANAGEMENT
+
+void
+init_management (struct context *c)
+{
+ if (!management)
+ management = management_init ();
+}
+
+bool
+open_management (struct context *c)
+{
+ /* initialize management layer */
+ if (management)
+ {
+ if (c->options.management_addr)
+ {
+ if (management_open (management,
+ c->options.management_addr,
+ c->options.management_port,
+ c->options.management_user_pass,
+ c->options.mode == MODE_SERVER,
+ c->options.management_query_passwords,
+ c->options.management_log_history_cache,
+ c->options.management_echo_buffer_size,
+ c->options.management_state_buffer_size,
+ c->options.management_hold))
+ {
+ management_set_state (management,
+ OPENVPN_STATE_CONNECTING,
+ NULL,
+ (in_addr_t)0);
+ }
+
+ /* possible wait */
+ do_hold (c);
+ if (IS_SIG (c))
+ {
+ msg (M_WARN, "Signal received from management interface, exiting");
+ return false;
+ }
+ }
+ else
+ close_management ();
+ }
+ return true;
+}
+
+void
+close_management (void)
+{
+ if (management)
+ {
+ management_close (management);
+ management = NULL;
+ }
+}
+
+#endif
+
+
+void
+uninit_management_callback (void)
+{
+#ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+ management_clear_callback (management);
+ }
+#endif
+}
+
+/*
+ * Initialize a tunnel instance, handle pre and post-init
+ * signal settings.
+ */
+void
+init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags)
+{
+ pre_init_signal_catch ();
+ init_instance (c, env, flags);
+ post_init_signal_catch ();
+}
+
+/*
+ * Initialize a tunnel instance.
+ */
+void
+init_instance (struct context *c, const struct env_set *env, const unsigned int flags)
+{
+ const struct options *options = &c->options;
+ const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
+ int link_socket_mode = LS_MODE_DEFAULT;
+
+ /* init garbage collection level */
+ gc_init (&c->c2.gc);
+
+ /* signals caught here will abort */
+ c->sig->signal_received = 0;
+ c->sig->signal_text = NULL;
+ c->sig->hard = false;
+
+ /* link_socket_mode allows CM_CHILD_TCP
+ instances to inherit acceptable fds
+ from a top-level parent */
+ if (c->options.proto == PROTO_TCPv4_SERVER)
+ {
+ if (c->mode == CM_TOP)
+ link_socket_mode = LS_MODE_TCP_LISTEN;
+ else if (c->mode == CM_CHILD_TCP)
+ link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
+ }
+
+ /* should we disable paging? */
+ if (c->first_time && options->mlock)
+ do_mlockall (true);
+
+ /* possible sleep or management hold if restart */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ {
+ do_startup_pause (c);
+ if (IS_SIG (c))
+ goto sig;
+ }
+
+ /* initialize context level 2 --verb/--mute parms */
+ init_verb_mute (c, IVM_LEVEL_2);
+
+ /* set error message delay for non-server modes */
+ if (c->mode == CM_P2P)
+ set_check_status_error_delay (P2P_ERROR_DELAY_MS);
+
+ /* warn about inconsistent options */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ do_option_warnings (c);
+
+ /* inherit environmental variables */
+ if (env)
+ do_inherit_env (c, env);
+
+ /* initialize plugins */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ do_open_plugins (c);
+
+ /* should we enable fast I/O? */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ do_setup_fast_io (c);
+
+ /* should we throw a signal on TLS errors? */
+ do_signal_on_tls_errors (c);
+
+ /* open --status file */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ do_open_status_output (c);
+
+ /* open --ifconfig-pool-persist file */
+ if (c->mode == CM_TOP)
+ do_open_ifconfig_pool_persist (c);
+
+#ifdef ENABLE_OCC
+ /* reset OCC state */
+ if (c->mode == CM_P2P || child)
+ c->c2.occ_op = occ_reset_op ();
+#endif
+
+ /* our wait-for-i/o objects, different for posix vs. win32 */
+ if (c->mode == CM_P2P)
+ do_event_set_init (c, SHAPER_DEFINED (&c->options));
+ else if (c->mode == CM_CHILD_TCP)
+ do_event_set_init (c, false);
+
+ /* allocate our socket object */
+ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
+ do_link_socket_new (c);
+
+#ifdef ENABLE_FRAGMENT
+ /* initialize internal fragmentation object */
+ if (options->fragment && (c->mode == CM_P2P || child))
+ c->c2.fragment = fragment_init (&c->c2.frame);
+#endif
+
+ /* init crypto layer */
+ {
+ unsigned int crypto_flags = 0;
+ if (c->mode == CM_TOP)
+ crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
+ else if (c->mode == CM_P2P)
+ crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
+ else if (child)
+ crypto_flags = CF_INIT_TLS_MULTI;
+ do_init_crypto (c, crypto_flags);
+ if (IS_SIG (c))
+ goto sig;
+ }
+
+#ifdef USE_LZO
+ /* initialize LZO compression library. */
+ if (options->comp_lzo && (c->mode == CM_P2P || child))
+ lzo_compress_init (&c->c2.lzo_compwork, options->comp_lzo_adaptive);
+#endif
+
+ /* initialize MTU variables */
+ do_init_frame (c);
+
+ /* initialize TLS MTU variables */
+ do_init_frame_tls (c);
+
+ /* init workspace buffers whose size is derived from frame size */
+ if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
+ do_init_buffers (c);
+
+#ifdef ENABLE_FRAGMENT
+ /* initialize internal fragmentation capability with known frame size */
+ if (options->fragment && (c->mode == CM_P2P || child))
+ do_init_fragment (c);
+#endif
+
+ /* initialize dynamic MTU variable */
+ do_init_mssfix (c);
+
+ /* bind the TCP/UDP socket */
+ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
+ do_init_socket_1 (c, link_socket_mode);
+
+ /* initialize tun/tap device object,
+ open tun/tap device, ifconfig, run up script, etc. */
+ if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
+ c->c2.did_open_tun = do_open_tun (c);
+
+ /* print MTU info */
+ do_print_data_channel_mtu_parms (c);
+
+#ifdef ENABLE_OCC
+ /* get local and remote options compatibility strings */
+ if (c->mode == CM_P2P || child)
+ do_compute_occ_strings (c);
+#endif
+
+ /* initialize output speed limiter */
+ if (c->mode == CM_P2P)
+ do_init_traffic_shaper (c);
+
+ /* do one-time inits, and possibily become a daemon here */
+ do_init_first_time (c);
+
+ /*
+ * Actually do UID/GID downgrade, and chroot, if requested.
+ * May be delayed by --client, --pull, or --up-delay.
+ */
+ do_uid_gid_chroot (c, c->c2.did_open_tun);
+
+ /* finalize the TCP/UDP socket */
+ if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
+ do_init_socket_2 (c);
+
+ /* initialize timers */
+ if (c->mode == CM_P2P || child)
+ do_init_timers (c, false);
+
+ /* Check for signals */
+ if (IS_SIG (c))
+ goto sig;
+
+ return;
+
+ sig:
+ c->sig->signal_text = "init_instance";
+ close_context (c, -1, flags);
+ return;
+}
+
+/*
+ * Close a tunnel instance.
+ */
+void
+close_instance (struct context *c)
+{
+ /* close event objects */
+ do_close_event_set (c);
+
+ if (c->mode == CM_P2P
+ || c->mode == CM_CHILD_TCP
+ || c->mode == CM_CHILD_UDP
+ || c->mode == CM_TOP)
+ {
+ /* if xinetd/inetd mode, don't allow restart */
+ do_close_check_if_restart_permitted (c);
+
+#ifdef USE_LZO
+ if (c->options.comp_lzo)
+ lzo_compress_uninit (&c->c2.lzo_compwork);
+#endif
+
+ /* free buffers */
+ do_close_free_buf (c);
+
+ /* close TLS */
+ do_close_tls (c);
+
+ /* free key schedules */
+ do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP));
+
+ /* close TCP/UDP connection */
+ do_close_link_socket (c);
+
+ /* close TUN/TAP device */
+ do_close_tun (c, false);
+
+ /* call plugin close functions and unload */
+ do_close_plugins (c);
+
+ /* close packet-id persistance file */
+ do_close_packet_id (c);
+
+ /* close --status file */
+ do_close_status_output (c);
+
+#ifdef ENABLE_FRAGMENT
+ /* close fragmentation handler */
+ do_close_fragment (c);
+#endif
+
+ /* close --ifconfig-pool-persist obj */
+ do_close_ifconfig_pool_persist (c);
+
+ /* garbage collect */
+ gc_free (&c->c2.gc);
+ }
+}
+
+void
+inherit_context_child (struct context *dest,
+ const struct context *src)
+{
+ CLEAR (*dest);
+
+ switch (src->options.proto)
+ {
+ case PROTO_UDPv4:
+ dest->mode = CM_CHILD_UDP;
+ break;
+ case PROTO_TCPv4_SERVER:
+ dest->mode = CM_CHILD_TCP;
+ break;
+ default:
+ ASSERT (0);
+ }
+
+ dest->first_time = false;
+
+ dest->gc = gc_new ();
+
+ ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
+
+ /* c1 init */
+ packet_id_persist_init (&dest->c1.pid_persist);
+
+#ifdef USE_CRYPTO
+ dest->c1.ks.key_type = src->c1.ks.key_type;
+#ifdef USE_SSL
+ /* inherit SSL context */
+ dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
+ dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
+#endif
+#endif
+
+ /* options */
+ dest->options = src->options;
+ options_detach (&dest->options);
+
+ if (dest->mode == CM_CHILD_TCP)
+ {
+ /*
+ * The CM_TOP context does the socket listen(),
+ * and the CM_CHILD_TCP context does the accept().
+ */
+ dest->c2.accept_from = src->c2.link_socket;
+ }
+
+ /* inherit plugins */
+ dest->c1.plugins = src->c1.plugins;
+
+ /* context init */
+ init_instance (dest, src->c2.es, CC_USR1_TO_HUP | CC_GC_FREE);
+ if (IS_SIG (dest))
+ return;
+
+ /* inherit tun/tap interface object */
+ dest->c1.tuntap = src->c1.tuntap;
+
+ /* UDP inherits some extra things which TCP does not */
+ if (dest->mode == CM_CHILD_UDP)
+ {
+ /* inherit buffers */
+ dest->c2.buffers = src->c2.buffers;
+
+ /* inherit parent link_socket and tuntap */
+ dest->c2.link_socket = src->c2.link_socket;
+
+ ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
+ *dest->c2.link_socket_info = src->c2.link_socket->info;
+
+ /* locally override some link_socket_info fields */
+ dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
+ dest->c2.link_socket_info->connection_established = false;
+ }
+}
+
+void
+inherit_context_top (struct context *dest,
+ const struct context *src)
+{
+ /* copy parent */
+ *dest = *src;
+
+ /*
+ * CM_TOP_CLONE will prevent close_instance from freeing or closing
+ * resources owned by the parent.
+ *
+ * Also note that CM_TOP_CLONE context objects are
+ * closed by multi_top_free in multi.c.
+ */
+ dest->mode = CM_TOP_CLONE;
+
+ dest->first_time = false;
+
+ options_detach (&dest->options);
+ gc_detach (&dest->gc);
+ gc_detach (&dest->c2.gc);
+
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+ dest->c2.tls_multi = NULL;
+#endif
+
+ dest->c1.tuntap_owned = false;
+ dest->c1.status_output_owned = false;
+#if P2MP_SERVER
+ dest->c1.ifconfig_pool_persist_owned = false;
+#endif
+ dest->c2.event_set_owned = false;
+ dest->c2.link_socket_owned = false;
+ dest->c2.buffers_owned = false;
+
+ dest->c2.event_set = NULL;
+ if (src->options.proto == PROTO_UDPv4)
+ do_event_set_init (dest, false);
+}
+
+void
+close_context (struct context *c, int sig, unsigned int flags)
+{
+ if (sig >= 0)
+ c->sig->signal_received = sig;
+
+ if (c->sig->signal_received == SIGUSR1)
+ {
+ if ((flags & CC_USR1_TO_HUP)
+ || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP)))
+ c->sig->signal_received = SIGHUP;
+ }
+
+ close_instance (c);
+
+ if (flags & CC_GC_FREE)
+ context_gc_free (c);
+}
+
+#ifdef USE_CRYPTO
+
+static void
+test_malloc (void)
+{
+ int i, j;
+ msg (M_INFO, "Multithreaded malloc test...");
+ for (i = 0; i < 25; ++i)
+ {
+ struct gc_arena gc = gc_new ();
+ const int limit = get_random () & 0x03FF;
+ for (j = 0; j < limit; ++j)
+ {
+ gc_malloc (get_random () & 0x03FF, false, &gc);
+ }
+ gc_free (&gc);
+ }
+}
+
+/*
+ * Do a loopback test
+ * on the crypto subsystem.
+ */
+static void *
+test_crypto_thread (void *arg)
+{
+ struct context *c = (struct context *) arg;
+ const struct options *options = &c->options;
+#if defined(USE_PTHREAD)
+ struct context *child = NULL;
+ openvpn_thread_t child_id = 0;
+#endif
+
+ ASSERT (options->test_crypto);
+ init_verb_mute (c, IVM_LEVEL_1);
+ context_init_1 (c);
+ do_init_crypto_static (c, 0);
+
+#if defined(USE_PTHREAD)
+ {
+ if (c->first_time && options->n_threads > 1)
+ {
+ if (options->n_threads > 2)
+ msg (M_FATAL, "ERROR: --test-crypto option only works with --threads set to 1 or 2");
+ openvpn_thread_init ();
+ ALLOC_OBJ (child, struct context);
+ context_clear (child);
+ child->options = *options;
+ options_detach (&child->options);
+ child->first_time = false;
+ child_id = openvpn_thread_create (test_crypto_thread, (void *) child);
+ }
+ }
+#endif
+ frame_finalize_options (c, options);
+
+#if defined(USE_PTHREAD)
+ if (options->n_threads == 2)
+ test_malloc ();
+#endif
+
+ test_crypto (&c->c2.crypto_options, &c->c2.frame);
+
+ key_schedule_free (&c->c1.ks, true);
+ packet_id_free (&c->c2.packet_id);
+
+#if defined(USE_PTHREAD)
+ if (c->first_time && options->n_threads > 1)
+ openvpn_thread_join (child_id);
+ if (child)
+ free (child);
+#endif
+ context_gc_free (c);
+ return NULL;
+}
+
+#endif
+
+bool
+do_test_crypto (const struct options *o)
+{
+#ifdef USE_CRYPTO
+ if (o->test_crypto)
+ {
+ struct context c;
+
+ /* print version number */
+ msg (M_INFO, "%s", title_string);
+
+ context_clear (&c);
+ c.options = *o;
+ options_detach (&c.options);
+ c.first_time = true;
+ test_crypto_thread ((void *) &c);
+ return true;
+ }
+#endif
+ return false;
+}