1/* 2 * OpenVPN -- An application to securely tunnel IP networks 3 * over a single TCP/UDP port, with support for SSL/TLS-based 4 * session authentication and key exchange, 5 * packet encryption, packet authentication, and 6 * packet compression. 7 * 8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 12 * as published by the Free Software Foundation. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program (see the file COPYING included with this 21 * distribution); if not, write to the Free Software Foundation, Inc., 22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23 */ 24 25#ifdef HAVE_CONFIG_H 26#include "config.h" 27#elif defined(_MSC_VER) 28#include "config-msvc.h" 29#endif 30 31#include "syshead.h" 32 33#include "win32.h" 34#include "init.h" 35#include "sig.h" 36#include "occ.h" 37#include "list.h" 38#include "otime.h" 39#include "pool.h" 40#include "gremlin.h" 41#include "pkcs11.h" 42#include "ps.h" 43#include "lladdr.h" 44#include "ping.h" 45#include "mstats.h" 46#include "status.h" 47 48#include "memdbg.h" 49 50#include "occ-inline.h" 51 52static struct context *static_context; /* GLOBAL */ 53 54/* 55 * Crypto initialization flags 56 */ 57#define CF_LOAD_PERSISTED_PACKET_ID (1<<0) 58#define CF_INIT_TLS_MULTI (1<<1) 59#define CF_INIT_TLS_AUTH_STANDALONE (1<<2) 60 61static void do_init_first_time (struct context *c); 62 63void 64context_clear (struct context *c) 65{ 66 CLEAR (*c); 67} 68 69void 70context_clear_1 (struct context *c) 71{ 72 CLEAR (c->c1); 73} 74 75void 76context_clear_2 (struct context *c) 77{ 78 CLEAR (c->c2); 79} 80 81void 82context_clear_all_except_first_time (struct context *c) 83{ 84 const bool first_time_save = c->first_time; 85 const struct context_persist cpsave = c->persist; 86 context_clear (c); 87 c->first_time = first_time_save; 88 c->persist = cpsave; 89} 90 91/* 92 * Should be called after options->ce is modified at the top 93 * of a SIGUSR1 restart. 94 */ 95static void 96update_options_ce_post (struct options *options) 97{ 98#if P2MP 99 /* 100 * In pull mode, we usually import --ping/--ping-restart parameters from 101 * the server. However we should also set an initial default --ping-restart 102 * for the period of time before we pull the --ping-restart parameter 103 * from the server. 104 */ 105 if (options->pull 106 && options->ping_rec_timeout_action == PING_UNDEF 107 && proto_is_dgram(options->ce.proto)) 108 { 109 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; 110 options->ping_rec_timeout_action = PING_RESTART; 111 } 112#endif 113} 114 115#ifdef ENABLE_MANAGEMENT 116static bool 117management_callback_proxy_cmd (void *arg, const char **p) 118{ 119 struct context *c = arg; 120 struct connection_entry *ce = &c->options.ce; 121 struct gc_arena *gc = &c->c2.gc; 122 bool ret = false; 123 124 update_time(); 125 if (streq (p[1], "NONE")) 126 ret = true; 127 else if (p[2] && p[3]) 128 { 129 const int port = atoi(p[3]); 130 if (!legal_ipv4_port (port)) 131 { 132 msg (M_WARN, "Bad proxy port number: %s", p[3]); 133 return false; 134 } 135 136 if (streq (p[1], "HTTP")) 137 { 138#ifndef ENABLE_HTTP_PROXY 139 msg (M_WARN, "HTTP proxy support is not available"); 140#else 141 struct http_proxy_options *ho; 142 if (ce->proto != PROTO_TCPv4 && ce->proto != PROTO_TCPv4_CLIENT && 143 ce->proto != PROTO_TCPv6 && ce->proto != PROTO_TCPv6_CLIENT) 144 { 145 msg (M_WARN, "HTTP proxy support only works for TCP based connections"); 146 return false; 147 } 148 ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); 149 ho->server = string_alloc (p[2], gc); 150 ho->port = port; 151 ho->retry = true; 152 ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); 153 ret = true; 154#endif 155 } 156 else if (streq (p[1], "SOCKS")) 157 { 158#ifndef ENABLE_SOCKS 159 msg (M_WARN, "SOCKS proxy support is not available"); 160#else 161 ce->socks_proxy_server = string_alloc (p[2], gc); 162 ce->socks_proxy_port = port; 163 ret = true; 164#endif 165 } 166 } 167 else 168 msg (M_WARN, "Bad proxy command"); 169 170 ce->flags &= ~CE_MAN_QUERY_PROXY; 171 172 return ret; 173} 174 175static bool 176ce_management_query_proxy (struct context *c) 177{ 178 const struct connection_list *l = c->options.connection_list; 179 struct connection_entry *ce = &c->options.ce; 180 struct gc_arena gc; 181 bool ret = true; 182 183 update_time(); 184 if (management) 185 { 186 gc = gc_new (); 187 struct buffer out = alloc_buf_gc (256, &gc); 188 buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, 189 (proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote)); 190 management_notify_generic (management, BSTR (&out)); 191 ce->flags |= CE_MAN_QUERY_PROXY; 192 while (ce->flags & CE_MAN_QUERY_PROXY) 193 { 194 management_event_loop_n_seconds (management, 1); 195 if (IS_SIG (c)) 196 { 197 ret = false; 198 break; 199 } 200 } 201 gc_free (&gc); 202 } 203 204 return ret; 205} 206 207 208static bool 209management_callback_remote_cmd (void *arg, const char **p) 210{ 211 struct context *c = (struct context *) arg; 212 struct connection_entry *ce = &c->options.ce; 213 int ret = false; 214 if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) 215 { 216 int flags = 0; 217 if (!strcmp(p[1], "ACCEPT")) 218 { 219 flags = CE_MAN_QUERY_REMOTE_ACCEPT; 220 ret = true; 221 } 222 else if (!strcmp(p[1], "SKIP")) 223 { 224 flags = CE_MAN_QUERY_REMOTE_SKIP; 225 ret = true; 226 } 227 else if (!strcmp(p[1], "MOD") && p[2] && p[3]) 228 { 229 const int port = atoi(p[3]); 230 if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port)) 231 { 232 struct remote_host_store *rhs = c->options.rh_store; 233 if (!rhs) 234 { 235 ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc); 236 c->options.rh_store = rhs; 237 } 238 strncpynt(rhs->host, p[2], RH_HOST_LEN); 239 ce->remote = rhs->host; 240 ce->remote_port = port; 241 flags = CE_MAN_QUERY_REMOTE_MOD; 242 ret = true; 243 } 244 } 245 if (ret) 246 { 247 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); 248 ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT); 249 } 250 } 251 return ret; 252} 253 254static bool 255ce_management_query_remote (struct context *c, const char *remote_ip_hint) 256{ 257 struct gc_arena gc = gc_new (); 258 volatile struct connection_entry *ce = &c->options.ce; 259 int ret = true; 260 update_time(); 261 if (management) 262 { 263 struct buffer out = alloc_buf_gc (256, &gc); 264 buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false)); 265 management_notify_generic(management, BSTR (&out)); 266 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); 267 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT); 268 while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) 269 { 270 management_event_loop_n_seconds (management, 1); 271 if (IS_SIG (c)) 272 { 273 ret = false; 274 break; 275 } 276 } 277 } 278 { 279 const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); 280 if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint) 281 ce->remote = remote_ip_hint; 282 ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); 283 } 284 gc_free (&gc); 285 return ret; 286} 287#endif /* ENABLE_MANAGEMENT */ 288 289/* 290 * Initialize and possibly randomize connection list. 291 */ 292static void 293init_connection_list (struct context *c) 294{ 295 struct connection_list *l = c->options.connection_list; 296 if (l) 297 { 298 l->current = -1; 299 if (c->options.remote_random) 300 { 301 int i; 302 for (i = 0; i < l->len; ++i) 303 { 304 const int j = get_random () % l->len; 305 if (i != j) 306 { 307 struct connection_entry *tmp; 308 tmp = l->array[i]; 309 l->array[i] = l->array[j]; 310 l->array[j] = tmp; 311 } 312 } 313 } 314 } 315} 316 317/* 318 * Increment to next connection entry 319 */ 320static void 321next_connection_entry (struct context *c) 322{ 323 struct connection_list *l = c->options.connection_list; 324 if (l) 325 { 326 bool ce_defined; 327 struct connection_entry *ce; 328 int n_cycles = 0; 329 330 do { 331 const char *remote_ip_hint = NULL; 332 bool newcycle = false; 333 334 ce_defined = true; 335 if (l->no_advance && l->current >= 0) 336 { 337 l->no_advance = false; 338 } 339 else 340 { 341 if (++l->current >= l->len) 342 { 343 l->current = 0; 344 ++l->n_cycles; 345 if (++n_cycles >= 2) 346 msg (M_FATAL, "No usable connection profiles are present"); 347 } 348 349 if (l->current == 0) 350 newcycle = true; 351 } 352 353 ce = l->array[l->current]; 354 355 if (c->options.remote_ip_hint && !l->n_cycles) 356 remote_ip_hint = c->options.remote_ip_hint; 357 358 if (ce->flags & CE_DISABLED) 359 ce_defined = false; 360 361 c->options.ce = *ce; 362#ifdef ENABLE_MANAGEMENT 363 if (ce_defined && management && management_query_remote_enabled(management)) 364 { 365 /* allow management interface to override connection entry details */ 366 ce_defined = ce_management_query_remote(c, remote_ip_hint); 367 if (IS_SIG (c)) 368 break; 369 } 370 else 371#endif 372 if (remote_ip_hint) 373 c->options.ce.remote = remote_ip_hint; 374 375#ifdef ENABLE_MANAGEMENT 376 if (ce_defined && management && management_query_proxy_enabled (management)) 377 { 378 ce_defined = ce_management_query_proxy (c); 379 if (IS_SIG (c)) 380 break; 381 } 382#endif 383 } while (!ce_defined); 384 } 385 update_options_ce_post (&c->options); 386} 387 388/* 389 * Query for private key and auth-user-pass username/passwords 390 */ 391static void 392init_query_passwords (struct context *c) 393{ 394#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 395 /* Certificate password input */ 396 if (c->options.key_pass_file) 397 pem_password_setup (c->options.key_pass_file); 398#endif 399 400#if P2MP 401 /* Auth user/pass input */ 402 if (c->options.auth_user_pass_file) 403 { 404#ifdef ENABLE_CLIENT_CR 405 auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info); 406#else 407 auth_user_pass_setup (c->options.auth_user_pass_file, NULL); 408#endif 409 } 410#endif 411} 412 413/* 414 * Initialize/Uninitialize HTTP or SOCKS proxy 415 */ 416 417#ifdef GENERAL_PROXY_SUPPORT 418 419static int 420proxy_scope (struct context *c) 421{ 422 return connection_list_defined (&c->options) ? 2 : 1; 423} 424 425static void 426uninit_proxy_dowork (struct context *c) 427{ 428#ifdef ENABLE_HTTP_PROXY 429 if (c->c1.http_proxy_owned && c->c1.http_proxy) 430 { 431 http_proxy_close (c->c1.http_proxy); 432 c->c1.http_proxy = NULL; 433 c->c1.http_proxy_owned = false; 434 } 435#endif 436#ifdef ENABLE_SOCKS 437 if (c->c1.socks_proxy_owned && c->c1.socks_proxy) 438 { 439 socks_proxy_close (c->c1.socks_proxy); 440 c->c1.socks_proxy = NULL; 441 c->c1.socks_proxy_owned = false; 442 } 443#endif 444} 445 446static void 447init_proxy_dowork (struct context *c) 448{ 449#ifdef ENABLE_HTTP_PROXY 450 bool did_http = false; 451#else 452 const bool did_http = false; 453#endif 454 455 uninit_proxy_dowork (c); 456 457#ifdef ENABLE_HTTP_PROXY 458 if (c->options.ce.http_proxy_options) 459 { 460 /* Possible HTTP proxy user/pass input */ 461 c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options); 462 if (c->c1.http_proxy) 463 { 464 did_http = true; 465 c->c1.http_proxy_owned = true; 466 } 467 } 468#endif 469 470#ifdef ENABLE_SOCKS 471 if (!did_http && c->options.ce.socks_proxy_server) 472 { 473 c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server, 474 c->options.ce.socks_proxy_port, 475 c->options.ce.socks_proxy_authfile, 476 c->options.ce.socks_proxy_retry); 477 if (c->c1.socks_proxy) 478 { 479 c->c1.socks_proxy_owned = true; 480 } 481 } 482#endif 483} 484 485static void 486init_proxy (struct context *c, const int scope) 487{ 488 if (scope == proxy_scope (c)) 489 init_proxy_dowork (c); 490} 491 492static void 493uninit_proxy (struct context *c) 494{ 495 if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2) 496 uninit_proxy_dowork (c); 497} 498 499#else 500 501static inline void 502init_proxy (struct context *c, const int scope) 503{ 504} 505 506static inline void 507uninit_proxy (struct context *c) 508{ 509} 510 511#endif 512 513void 514context_init_1 (struct context *c) 515{ 516 context_clear_1 (c); 517 518 packet_id_persist_init (&c->c1.pid_persist); 519 520 init_connection_list (c); 521 522 init_query_passwords (c); 523 524#if defined(ENABLE_PKCS11) 525 if (c->first_time) { 526 int i; 527 pkcs11_initialize (true, c->options.pkcs11_pin_cache_period); 528 for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++) 529 pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], 530 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); 531 } 532#endif 533 534#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ 535 { 536 /* 537 * In the management interface, you can okay the request by entering "needok token-insertion-request ok" 538 */ 539 struct user_pass up; 540 CLEAR (up); 541 strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ 542 get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); 543 msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface 544 'needok' command, usually 'ok' or 'cancel'. */ 545 } 546#endif 547 548 /* initialize HTTP or SOCKS proxy object at scope level 1 */ 549 init_proxy (c, 1); 550} 551 552void 553context_gc_free (struct context *c) 554{ 555 gc_free (&c->c2.gc); 556 gc_free (&c->options.gc); 557 gc_free (&c->gc); 558} 559 560#if PORT_SHARE 561 562static void 563close_port_share (void) 564{ 565 if (port_share) 566 { 567 port_share_close (port_share); 568 port_share = NULL; 569 } 570} 571 572static void 573init_port_share (struct context *c) 574{ 575 if (!port_share && (c->options.port_share_host && c->options.port_share_port)) 576 { 577 port_share = port_share_open (c->options.port_share_host, 578 c->options.port_share_port, 579 MAX_RW_SIZE_LINK (&c->c2.frame), 580 c->options.port_share_journal_dir); 581 if (port_share == NULL) 582 msg (M_FATAL, "Fatal error: Port sharing failed"); 583 } 584} 585 586#endif 587 588bool 589init_static (void) 590{ 591 /* configure_path (); */ 592 593#if defined(ENABLE_CRYPTO) && defined(DMALLOC) 594 crypto_init_dmalloc(); 595#endif 596 597 init_random_seed (); /* init random() function, only used as 598 source for weak random numbers */ 599 error_reset (); /* initialize error.c */ 600 reset_check_status (); /* initialize status check code in socket.c */ 601 602#ifdef WIN32 603 init_win32 (); 604#endif 605 606#ifdef OPENVPN_DEBUG_COMMAND_LINE 607 { 608 int i; 609 for (i = 0; i < argc; ++i) 610 msg (M_INFO, "argv[%d] = '%s'", i, argv[i]); 611 } 612#endif 613 614 update_time (); 615 616#ifdef ENABLE_CRYPTO 617 init_ssl_lib (); 618 619 /* init PRNG used for IV generation */ 620 /* When forking, copy this to more places in the code to avoid fork 621 random-state predictability */ 622 prng_init (NULL, 0); 623#endif 624 625#ifdef PID_TEST 626 packet_id_interactive_test (); /* test the sequence number code */ 627 return false; 628#endif 629 630#ifdef SCHEDULE_TEST 631 schedule_test (); 632 return false; 633#endif 634 635#ifdef LIST_TEST 636 list_test (); 637 return false; 638#endif 639 640#ifdef IFCONFIG_POOL_TEST 641 ifconfig_pool_test (0x0A010004, 0x0A0100FF); 642 return false; 643#endif 644 645#ifdef CHARACTER_CLASS_DEBUG 646 character_class_debug (); 647 return false; 648#endif 649 650#ifdef EXTRACT_X509_FIELD_TEST 651 extract_x509_field_test (); 652 return false; 653#endif 654 655#ifdef TIME_TEST 656 time_test (); 657 return false; 658#endif 659 660#ifdef TEST_GET_DEFAULT_GATEWAY 661 { 662 struct route_gateway_info rgi; 663 get_default_gateway(&rgi); 664 print_default_gateway(M_INFO, &rgi); 665 return false; 666 } 667#endif 668 669#ifdef GEN_PATH_TEST 670 { 671 struct gc_arena gc = gc_new (); 672 const char *fn = gen_path ("foo", 673 "bar", 674 &gc); 675 printf ("%s\n", fn); 676 gc_free (&gc); 677 } 678 return false; 679#endif 680 681#ifdef STATUS_PRINTF_TEST 682 { 683 struct gc_arena gc = gc_new (); 684 const char *tmp_file = create_temp_file ("/tmp", "foo", &gc); 685 struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); 686 status_printf (so, "%s", "foo"); 687 status_printf (so, "%s", "bar"); 688 if (!status_close (so)) 689 msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); 690 gc_free (&gc); 691 } 692 return false; 693#endif 694 695#ifdef ARGV_TEST 696 { 697 void argv_test (void); 698 argv_test (); 699 return false; 700 } 701#endif 702 703#ifdef PRNG_TEST 704 { 705 struct gc_arena gc = gc_new (); 706 uint8_t rndbuf[8]; 707 int i; 708 prng_init ("sha1", 16); 709 /*prng_init (NULL, 0);*/ 710 const int factor = 1; 711 for (i = 0; i < factor * 8; ++i) 712 { 713#if 1 714 prng_bytes (rndbuf, sizeof (rndbuf)); 715#else 716 ASSERT(rand_bytes (rndbuf, sizeof (rndbuf))); 717#endif 718 printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc)); 719 } 720 gc_free (&gc); 721 prng_uninit (); 722 return false; 723 } 724#endif 725 726#ifdef BUFFER_LIST_AGGREGATE_TEST 727 /* test buffer_list_aggregate function */ 728 { 729 static const char *text[] = { 730 "It was a bright cold day in April, ", 731 "and the clocks were striking ", 732 "thirteen. ", 733 "Winston Smith, ", 734 "his chin nuzzled into his breast in an ", 735 "effort to escape the vile wind, ", 736 "slipped quickly through the glass doors ", 737 "of Victory Mansions, though not quickly ", 738 "enough to prevent a swirl of gritty dust from ", 739 "entering along with him." 740 }; 741 742 int iter, listcap; 743 for (listcap = 0; listcap < 12; ++listcap) 744 { 745 for (iter = 0; iter < 512; ++iter) 746 { 747 struct buffer_list *bl = buffer_list_new(listcap); 748 { 749 int i; 750 for (i = 0; i < SIZE(text); ++i) 751 buffer_list_push(bl, (unsigned char *)text[i]); 752 } 753 printf("[cap=%d i=%d] *************************\n", listcap, iter); 754 if (!(iter & 8)) 755 buffer_list_aggregate(bl, iter/2); 756 if (!(iter & 16)) 757 buffer_list_push(bl, (unsigned char *)"Even more text..."); 758 buffer_list_aggregate(bl, iter); 759 if (!(iter & 1)) 760 buffer_list_push(bl, (unsigned char *)"More text..."); 761 { 762 struct buffer *buf; 763 while ((buf = buffer_list_peek(bl))) 764 { 765 int c; 766 printf ("'"); 767 while ((c = buf_read_u8(buf)) >= 0) 768 putchar(c); 769 printf ("'\n"); 770 buffer_list_advance(bl, 0); 771 } 772 } 773 buffer_list_free(bl); 774 } 775 } 776 return false; 777 } 778#endif 779 780#ifdef MSTATS_TEST 781 { 782 int i; 783 mstats_open("/dev/shm/mstats.dat"); 784 for (i = 0; i < 30; ++i) 785 { 786 mmap_stats->n_clients += 1; 787 mmap_stats->link_write_bytes += 8; 788 mmap_stats->link_read_bytes += 16; 789 sleep(1); 790 } 791 mstats_close(); 792 return false; 793 } 794#endif 795 796 return true; 797} 798 799void 800uninit_static (void) 801{ 802#ifdef ENABLE_CRYPTO 803 free_ssl_lib (); 804#endif 805 806#ifdef ENABLE_PKCS11 807 pkcs11_terminate (); 808#endif 809 810#if PORT_SHARE 811 close_port_share (); 812#endif 813 814#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 815 show_tls_performance_stats (); 816#endif 817} 818 819void 820init_verb_mute (struct context *c, unsigned int flags) 821{ 822 if (flags & IVM_LEVEL_1) 823 { 824 /* set verbosity and mute levels */ 825 set_check_status (D_LINK_ERRORS, D_READ_WRITE); 826 set_debug_level (c->options.verbosity, SDL_CONSTRAIN); 827 set_mute_cutoff (c->options.mute); 828 } 829 830 /* special D_LOG_RW mode */ 831 if (flags & IVM_LEVEL_2) 832 c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1)); 833} 834 835/* 836 * Possibly set --dev based on --dev-node. 837 * For example, if --dev-node /tmp/foo/tun, and --dev undefined, 838 * set --dev to tun. 839 */ 840void 841init_options_dev (struct options *options) 842{ 843 if (!options->dev && options->dev_node) { 844 char *dev_node = strdup(options->dev_node); /* POSIX basename() implementaions may modify its arguments */ 845 options->dev = basename (dev_node); 846 } 847} 848 849bool 850print_openssl_info (const struct options *options) 851{ 852 /* 853 * OpenSSL info print mode? 854 */ 855#ifdef ENABLE_CRYPTO 856 if (options->show_ciphers || options->show_digests || options->show_engines 857#ifdef ENABLE_SSL 858 || options->show_tls_ciphers 859#endif 860 ) 861 { 862 if (options->show_ciphers) 863 show_available_ciphers (); 864 if (options->show_digests) 865 show_available_digests (); 866 if (options->show_engines) 867 show_available_engines (); 868#ifdef ENABLE_SSL 869 if (options->show_tls_ciphers) 870 show_available_tls_ciphers (); 871#endif 872 return true; 873 } 874#endif 875 return false; 876} 877 878/* 879 * Static pre-shared key generation mode? 880 */ 881bool 882do_genkey (const struct options * options) 883{ 884#ifdef ENABLE_CRYPTO 885 if (options->genkey) 886 { 887 int nbits_written; 888 889 notnull (options->shared_secret_file, 890 "shared secret output file (--secret)"); 891 892 if (options->mlock) /* should we disable paging? */ 893 platform_mlockall (true); 894 895 nbits_written = write_key_file (2, options->shared_secret_file); 896 897 msg (D_GENKEY | M_NOPREFIX, 898 "Randomly generated %d bit key written to %s", nbits_written, 899 options->shared_secret_file); 900 return true; 901 } 902#endif 903 return false; 904} 905 906/* 907 * Persistent TUN/TAP device management mode? 908 */ 909bool 910do_persist_tuntap (const struct options *options) 911{ 912#ifdef ENABLE_FEATURE_TUN_PERSIST 913 if (options->persist_config) 914 { 915 /* sanity check on options for --mktun or --rmtun */ 916 notnull (options->dev, "TUN/TAP device (--dev)"); 917 if (options->ce.remote || options->ifconfig_local 918 || options->ifconfig_remote_netmask 919#ifdef ENABLE_CRYPTO 920 || options->shared_secret_file 921#ifdef ENABLE_SSL 922 || options->tls_server || options->tls_client 923#endif 924#endif 925 ) 926 msg (M_FATAL|M_OPTERR, 927 "options --mktun or --rmtun should only be used together with --dev"); 928 tuncfg (options->dev, options->dev_type, options->dev_node, 929 options->persist_mode, 930 options->username, options->groupname, &options->tuntap_options); 931 if (options->persist_mode && options->lladdr) 932 set_lladdr(options->dev, options->lladdr, NULL); 933 return true; 934 } 935#endif 936 return false; 937} 938 939/* 940 * Should we become a daemon? 941 * Return true if we did it. 942 */ 943static bool 944possibly_become_daemon (const struct options *options, const bool first_time) 945{ 946 bool ret = false; 947 if (first_time && options->daemon) 948 { 949 ASSERT (!options->inetd); 950 if (daemon (options->cd_dir != NULL, options->log) < 0) 951 msg (M_ERR, "daemon() failed or unsupported"); 952 restore_signal_state (); 953 if (options->log) 954 set_std_files_to_null (true); 955 956#if defined(ENABLE_PKCS11) 957 pkcs11_forkFixup (); 958#endif 959 960 ret = true; 961 } 962 return ret; 963} 964 965/* 966 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. 967 */ 968static void 969do_uid_gid_chroot (struct context *c, bool no_delay) 970{ 971 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; 972 struct context_0 *c0 = c->c0; 973 974 if (c->first_time && c0 && !c0->uid_gid_set) 975 { 976 /* chroot if requested */ 977 if (c->options.chroot_dir) 978 { 979 if (no_delay) 980 platform_chroot (c->options.chroot_dir); 981 else 982 msg (M_INFO, "NOTE: chroot %s", why_not); 983 } 984 985 /* set user and/or group that we want to setuid/setgid to */ 986 if (no_delay) 987 { 988 platform_group_set (&c0->platform_state_group); 989 platform_user_set (&c0->platform_state_user); 990 c0->uid_gid_set = true; 991 } 992 else if (c0->uid_gid_specified) 993 { 994 msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not); 995 } 996 997#ifdef ENABLE_MEMSTATS 998 if (c->options.memstats_fn) 999 mstats_open(c->options.memstats_fn); 1000#endif 1001 1002#ifdef ENABLE_SELINUX 1003 /* Apply a SELinux context in order to restrict what OpenVPN can do 1004 * to _only_ what it is supposed to do after initialization is complete 1005 * (basically just network I/O operations). Doing it after chroot 1006 * requires /proc to be mounted in the chroot (which is annoying indeed 1007 * but doing it before requires more complex SELinux policies. 1008 */ 1009 if (c->options.selinux_context) 1010 { 1011 if (no_delay) { 1012 if (-1 == setcon (c->options.selinux_context)) 1013 msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); 1014 else 1015 msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); 1016 } 1017 else 1018 msg (M_INFO, "NOTE: setcon %s", why_not); 1019 } 1020#endif 1021 } 1022} 1023 1024/* 1025 * Return common name in a way that is formatted for 1026 * prepending to msg() output. 1027 */ 1028const char * 1029format_common_name (struct context *c, struct gc_arena *gc) 1030{ 1031 struct buffer out = alloc_buf_gc (256, gc); 1032#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 1033 if (c->c2.tls_multi) 1034 { 1035 buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false)); 1036 } 1037#endif 1038 return BSTR (&out); 1039} 1040 1041void 1042pre_setup (const struct options *options) 1043{ 1044#ifdef WIN32 1045 if (options->exit_event_name) 1046 { 1047 win32_signal_open (&win32_signal, 1048 WSO_FORCE_SERVICE, 1049 options->exit_event_name, 1050 options->exit_event_initial_state); 1051 } 1052 else 1053 { 1054 win32_signal_open (&win32_signal, 1055 WSO_FORCE_CONSOLE, 1056 NULL, 1057 false); 1058 1059 /* put a title on the top window bar */ 1060 if (win32_signal.mode == WSO_MODE_CONSOLE) 1061 { 1062 window_title_save (&window_title); 1063 window_title_generate (options->config); 1064 } 1065 } 1066#endif 1067} 1068 1069void 1070reset_coarse_timers (struct context *c) 1071{ 1072 c->c2.coarse_timer_wakeup = 0; 1073} 1074 1075/* 1076 * Initialize timers 1077 */ 1078static void 1079do_init_timers (struct context *c, bool deferred) 1080{ 1081 update_time (); 1082 reset_coarse_timers (c); 1083 1084 /* initialize inactivity timeout */ 1085 if (c->options.inactivity_timeout) 1086 event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now); 1087 1088 /* initialize pings */ 1089 1090 if (c->options.ping_send_timeout) 1091 event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); 1092 1093 if (c->options.ping_rec_timeout) 1094 event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); 1095 1096#if P2MP 1097 if (c->options.server_poll_timeout) 1098 event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now); 1099#endif 1100 1101 if (!deferred) 1102 { 1103 /* initialize connection establishment timer */ 1104 event_timeout_init (&c->c2.wait_for_connect, 1, now); 1105 1106#ifdef ENABLE_OCC 1107 /* initialize occ timers */ 1108 1109 if (c->options.occ 1110 && !TLS_MODE (c) 1111 && c->c2.options_string_local && c->c2.options_string_remote) 1112 event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); 1113 1114 if (c->options.mtu_test) 1115 event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); 1116#endif 1117 1118 /* initialize packet_id persistence timer */ 1119#ifdef ENABLE_CRYPTO 1120 if (c->options.packet_id_file) 1121 event_timeout_init (&c->c2.packet_id_persist_interval, 60, now); 1122#endif 1123 1124#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 1125 /* initialize tmp_int optimization that limits the number of times we call 1126 tls_multi_process in the main event loop */ 1127 interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); 1128#endif 1129 } 1130} 1131 1132/* 1133 * Initialize traffic shaper. 1134 */ 1135static void 1136do_init_traffic_shaper (struct context *c) 1137{ 1138#ifdef ENABLE_FEATURE_SHAPER 1139 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ 1140 if (c->options.shaper) 1141 { 1142 shaper_init (&c->c2.shaper, c->options.shaper); 1143 shaper_msg (&c->c2.shaper); 1144 } 1145#endif 1146} 1147 1148/* 1149 * Allocate route list structures for IPv4 and IPv6 1150 * (we do this for IPv4 even if no --route option has been seen, as other 1151 * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) 1152 */ 1153static void 1154do_alloc_route_list (struct context *c) 1155{ 1156 if (!c->c1.route_list) 1157 c->c1.route_list = new_route_list (c->options.max_routes, &c->gc); 1158 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) 1159 c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc); 1160} 1161 1162 1163/* 1164 * Initialize the route list, resolving any DNS names in route 1165 * options and saving routes in the environment. 1166 */ 1167static void 1168do_init_route_list (const struct options *options, 1169 struct route_list *route_list, 1170 const struct link_socket_info *link_socket_info, 1171 bool fatal, 1172 struct env_set *es) 1173{ 1174 const char *gw = NULL; 1175 int dev = dev_type_enum (options->dev, options->dev_type); 1176 int metric = 0; 1177 1178 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) 1179 gw = options->ifconfig_remote_netmask; 1180 if (options->route_default_gateway) 1181 gw = options->route_default_gateway; 1182 if (options->route_default_metric) 1183 metric = options->route_default_metric; 1184 1185 if (!init_route_list (route_list, 1186 options->routes, 1187 gw, 1188 metric, 1189 link_socket_current_remote (link_socket_info), 1190 es)) 1191 { 1192 if (fatal) 1193 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ 1194 } 1195 else 1196 { 1197 /* copy routes to environment */ 1198 setenv_routes (es, route_list); 1199 } 1200} 1201 1202static void 1203do_init_route_ipv6_list (const struct options *options, 1204 struct route_ipv6_list *route_ipv6_list, 1205 bool fatal, 1206 struct env_set *es) 1207{ 1208 const char *gw = NULL; 1209 int dev = dev_type_enum (options->dev, options->dev_type); 1210 int metric = -1; /* no metric set */ 1211 1212 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ 1213#if 0 /* not yet done for IPv6 - TODO!*/ 1214 if ( options->route_ipv6_default_gateway ) /* override? */ 1215 gw = options->route_ipv6_default_gateway; 1216#endif 1217 1218 if (options->route_default_metric) 1219 metric = options->route_default_metric; 1220 1221 if (!init_route_ipv6_list (route_ipv6_list, 1222 options->routes_ipv6, 1223 gw, 1224 metric, 1225 es)) 1226 { 1227 if (fatal) 1228 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ 1229 } 1230 else 1231 { 1232 /* copy routes to environment */ 1233 setenv_routes_ipv6 (es, route_ipv6_list); 1234 } 1235} 1236 1237 1238/* 1239 * Called after all initialization has been completed. 1240 */ 1241void 1242initialization_sequence_completed (struct context *c, const unsigned int flags) 1243{ 1244 static const char message[] = "Initialization Sequence Completed"; 1245 1246 /* If we delayed UID/GID downgrade or chroot, do it now */ 1247 do_uid_gid_chroot (c, true); 1248 1249 /* Test if errors */ 1250 if (flags & ISC_ERRORS) 1251 { 1252#ifdef WIN32 1253 show_routes (M_INFO|M_NOPREFIX); 1254 show_adapters (M_INFO|M_NOPREFIX); 1255 msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); 1256#else 1257 msg (M_INFO, "%s With Errors", message); 1258#endif 1259 } 1260 else 1261 msg (M_INFO, "%s", message); 1262 1263 update_nvram_status(RUNNING); //Sam, 2013/10/31 1264 1265 /* Flag connection_list that we initialized */ 1266 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options)) 1267 connection_list_set_no_advance (&c->options); 1268 1269#ifdef WIN32 1270 fork_register_dns_action (c->c1.tuntap); 1271#endif 1272 1273#ifdef ENABLE_MANAGEMENT 1274 /* Tell management interface that we initialized */ 1275 if (management) 1276 { 1277 in_addr_t tun_local = 0; 1278 in_addr_t tun_remote = 0; /* FKS */ 1279 const char *detail = "SUCCESS"; 1280 if (c->c1.tuntap) 1281 tun_local = c->c1.tuntap->local; 1282 /* TODO(jjo): for ipv6 this will convert some 32bits in the ipv6 addr 1283 * to a meaningless ipv4 address. 1284 * In any case, is somewhat inconsistent to send local tunnel 1285 * addr with remote _endpoint_ addr (?) 1286 */ 1287 tun_remote = htonl (c->c1.link_socket_addr.actual.dest.addr.in4.sin_addr.s_addr); 1288 if (flags & ISC_ERRORS) 1289 detail = "ERROR"; 1290 management_set_state (management, 1291 OPENVPN_STATE_CONNECTED, 1292 detail, 1293 tun_local, 1294 tun_remote); 1295 if (tun_local) 1296 management_post_tunnel_open (management, tun_local); 1297 } 1298#endif 1299} 1300 1301/* 1302 * Possibly add routes and/or call route-up script 1303 * based on options. 1304 */ 1305void 1306do_route (const struct options *options, 1307 struct route_list *route_list, 1308 struct route_ipv6_list *route_ipv6_list, 1309 const struct tuntap *tt, 1310 const struct plugin_list *plugins, 1311 struct env_set *es) 1312{ 1313 if (!options->route_noexec && ( route_list || route_ipv6_list ) ) 1314 { 1315 add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es); 1316 setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); 1317 } 1318#ifdef ENABLE_MANAGEMENT 1319 if (management) 1320 management_up_down (management, "UP", es); 1321#endif 1322 1323 if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP)) 1324 { 1325 if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) 1326 msg (M_WARN, "WARNING: route-up plugin call failed"); 1327 } 1328 1329 if (options->route_script) 1330 { 1331 struct argv argv = argv_new (); 1332 setenv_str (es, "script_type", "route-up"); 1333 argv_printf (&argv, "%sc", options->route_script); 1334 openvpn_run_script (&argv, es, 0, "--route-up"); 1335 argv_reset (&argv); 1336 } 1337 1338#ifdef WIN32 1339 if (options->show_net_up) 1340 { 1341 show_routes (M_INFO|M_NOPREFIX); 1342 show_adapters (M_INFO|M_NOPREFIX); 1343 } 1344 else if (check_debug_level (D_SHOW_NET)) 1345 { 1346 show_routes (D_SHOW_NET|M_NOPREFIX); 1347 show_adapters (D_SHOW_NET|M_NOPREFIX); 1348 } 1349#endif 1350} 1351 1352/* 1353 * Save current pulled options string in the c1 context store, so we can 1354 * compare against it after possible future restarts. 1355 */ 1356#if P2MP 1357static void 1358save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest) 1359{ 1360 if (newdigest) 1361 c->c1.pulled_options_digest_save = *newdigest; 1362 else 1363 md5_digest_clear (&c->c1.pulled_options_digest_save); 1364} 1365#endif 1366 1367/* 1368 * initialize tun/tap device object 1369 */ 1370static void 1371do_init_tun (struct context *c) 1372{ 1373 c->c1.tuntap = init_tun (c->options.dev, 1374 c->options.dev_type, 1375 c->options.topology, 1376 c->options.ifconfig_local, 1377 c->options.ifconfig_remote_netmask, 1378 c->options.ifconfig_ipv6_local, 1379 c->options.ifconfig_ipv6_netbits, 1380 c->options.ifconfig_ipv6_remote, 1381 addr_host (&c->c1.link_socket_addr.local), 1382 addr_host (&c->c1.link_socket_addr.remote), 1383 !c->options.ifconfig_nowarn, 1384 c->c2.es); 1385 1386 /* flag tunnel for IPv6 config if --tun-ipv6 is set */ 1387 c->c1.tuntap->ipv6 = c->options.tun_ipv6; 1388 1389 init_tun_post (c->c1.tuntap, 1390 &c->c2.frame, 1391 &c->options.tuntap_options); 1392 1393 c->c1.tuntap_owned = true; 1394} 1395 1396/* 1397 * Open tun/tap device, ifconfig, call up script, etc. 1398 */ 1399 1400static bool 1401do_open_tun (struct context *c) 1402{ 1403 struct gc_arena gc = gc_new (); 1404 bool ret = false; 1405 1406 c->c2.ipv4_tun = (!c->options.tun_ipv6 1407 && is_dev_type (c->options.dev, c->options.dev_type, "tun")); 1408 1409 if (!c->c1.tuntap) 1410 { 1411 /* initialize (but do not open) tun/tap object */ 1412 do_init_tun (c); 1413 1414 /* allocate route list structure */ 1415 do_alloc_route_list (c); 1416 1417 /* parse and resolve the route option list */ 1418 if (c->options.routes && c->c1.route_list && c->c2.link_socket) 1419 do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es); 1420 if (c->options.routes_ipv6 && c->c1.route_ipv6_list ) 1421 do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, false, c->c2.es); 1422 1423 /* do ifconfig */ 1424 if (!c->options.ifconfig_noexec 1425 && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN) 1426 { 1427 /* guess actual tun/tap unit number that will be returned 1428 by open_tun */ 1429 const char *guess = guess_tuntap_dev (c->options.dev, 1430 c->options.dev_type, 1431 c->options.dev_node, 1432 &gc); 1433 do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); 1434 } 1435 1436 /* open the tun device */ 1437 open_tun (c->options.dev, c->options.dev_type, c->options.dev_node, 1438 c->c1.tuntap); 1439 1440 /* set the hardware address */ 1441 if (c->options.lladdr) 1442 set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es); 1443 1444 /* do ifconfig */ 1445 if (!c->options.ifconfig_noexec 1446 && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN) 1447 { 1448 do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); 1449 } 1450 1451 /* run the up script */ 1452 run_up_down (c->options.up_script, 1453 c->plugins, 1454 OPENVPN_PLUGIN_UP, 1455 c->c1.tuntap->actual_name, 1456 dev_type_string (c->options.dev, c->options.dev_type), 1457 TUN_MTU_SIZE (&c->c2.frame), 1458 EXPANDED_SIZE (&c->c2.frame), 1459 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), 1460 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1461 "init", 1462 NULL, 1463 "up", 1464 c->c2.es); 1465 1466 /* possibly add routes */ 1467 if (!c->options.route_delay_defined) 1468 do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, 1469 c->c1.tuntap, c->plugins, c->c2.es); 1470 1471 /* 1472 * Did tun/tap driver give us an MTU? 1473 */ 1474 if (c->c1.tuntap->post_open_mtu) 1475 frame_set_mtu_dynamic (&c->c2.frame, 1476 c->c1.tuntap->post_open_mtu, 1477 SET_MTU_TUN | SET_MTU_UPPER_BOUND); 1478 1479 ret = true; 1480 static_context = c; 1481 } 1482 else 1483 { 1484 msg (M_INFO, "Preserving previous TUN/TAP instance: %s", 1485 c->c1.tuntap->actual_name); 1486 1487 /* run the up script if user specified --up-restart */ 1488 if (c->options.up_restart) 1489 run_up_down (c->options.up_script, 1490 c->plugins, 1491 OPENVPN_PLUGIN_UP, 1492 c->c1.tuntap->actual_name, 1493 dev_type_string (c->options.dev, c->options.dev_type), 1494 TUN_MTU_SIZE (&c->c2.frame), 1495 EXPANDED_SIZE (&c->c2.frame), 1496 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), 1497 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1498 "restart", 1499 NULL, 1500 "up", 1501 c->c2.es); 1502 } 1503 gc_free (&gc); 1504 return ret; 1505} 1506 1507/* 1508 * Close TUN/TAP device 1509 */ 1510 1511static void 1512do_close_tun_simple (struct context *c) 1513{ 1514 msg (D_CLOSE, "Closing TUN/TAP interface"); 1515 close_tun (c->c1.tuntap); 1516 c->c1.tuntap = NULL; 1517 c->c1.tuntap_owned = false; 1518#if P2MP 1519 save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */ 1520#endif 1521} 1522 1523static void 1524do_close_tun (struct context *c, bool force) 1525{ 1526 struct gc_arena gc = gc_new (); 1527 if (c->c1.tuntap && c->c1.tuntap_owned) 1528 { 1529 const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc); 1530 const in_addr_t local = c->c1.tuntap->local; 1531 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; 1532 1533 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) 1534 { 1535 static_context = NULL; 1536 1537#ifdef ENABLE_MANAGEMENT 1538 /* tell management layer we are about to close the TUN/TAP device */ 1539 if (management) 1540 { 1541 management_pre_tunnel_close (management); 1542 management_up_down (management, "DOWN", c->c2.es); 1543 } 1544#endif 1545 1546 /* delete any routes we added */ 1547 if (c->c1.route_list || c->c1.route_ipv6_list ) 1548 { 1549 run_up_down (c->options.route_predown_script, 1550 c->plugins, 1551 OPENVPN_PLUGIN_ROUTE_PREDOWN, 1552 tuntap_actual, 1553 NULL, 1554 TUN_MTU_SIZE (&c->c2.frame), 1555 EXPANDED_SIZE (&c->c2.frame), 1556 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1557 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1558 "init", 1559 signal_description (c->sig->signal_received, 1560 c->sig->signal_text), 1561 "route-pre-down", 1562 c->c2.es); 1563 1564 delete_routes (c->c1.route_list, c->c1.route_ipv6_list, 1565 c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); 1566 } 1567 1568 /* actually close tun/tap device based on --down-pre flag */ 1569 if (!c->options.down_pre) 1570 do_close_tun_simple (c); 1571 1572 /* Run the down script -- note that it will run at reduced 1573 privilege if, for example, "--user nobody" was used. */ 1574 run_up_down (c->options.down_script, 1575 c->plugins, 1576 OPENVPN_PLUGIN_DOWN, 1577 tuntap_actual, 1578 NULL, 1579 TUN_MTU_SIZE (&c->c2.frame), 1580 EXPANDED_SIZE (&c->c2.frame), 1581 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1582 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1583 "init", 1584 signal_description (c->sig->signal_received, 1585 c->sig->signal_text), 1586 "down", 1587 c->c2.es); 1588 1589 /* actually close tun/tap device based on --down-pre flag */ 1590 if (c->options.down_pre) 1591 do_close_tun_simple (c); 1592 } 1593 else 1594 { 1595 /* run the down script on this restart if --up-restart was specified */ 1596 if (c->options.up_restart) 1597 run_up_down (c->options.down_script, 1598 c->plugins, 1599 OPENVPN_PLUGIN_DOWN, 1600 tuntap_actual, 1601 NULL, 1602 TUN_MTU_SIZE (&c->c2.frame), 1603 EXPANDED_SIZE (&c->c2.frame), 1604 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1605 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1606 "restart", 1607 signal_description (c->sig->signal_received, 1608 c->sig->signal_text), 1609 "down", 1610 c->c2.es); 1611 } 1612 } 1613 gc_free (&gc); 1614} 1615 1616void 1617tun_abort() 1618{ 1619 struct context *c = static_context; 1620 if (c) 1621 { 1622 static_context = NULL; 1623 do_close_tun (c, true); 1624 } 1625} 1626 1627/* 1628 * Handle delayed tun/tap interface bringup due to --up-delay or --pull 1629 */ 1630 1631void 1632do_up (struct context *c, bool pulled_options, unsigned int option_types_found) 1633{ 1634 if (!c->c2.do_up_ran) 1635 { 1636 reset_coarse_timers (c); 1637 1638 if (pulled_options && option_types_found) 1639 do_deferred_options (c, option_types_found); 1640 1641 /* if --up-delay specified, open tun, do ifconfig, and run up script now */ 1642 if (c->options.up_delay || PULL_DEFINED (&c->options)) 1643 { 1644 c->c2.did_open_tun = do_open_tun (c); 1645 update_time (); 1646 1647#if P2MP 1648 /* 1649 * Was tun interface object persisted from previous restart iteration, 1650 * and if so did pulled options string change from previous iteration? 1651 */ 1652 if (!c->c2.did_open_tun 1653 && PULL_DEFINED (&c->options) 1654 && c->c1.tuntap 1655 && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest) 1656 || !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest))) 1657 { 1658 /* if so, close tun, delete routes, then reinitialize tun and add routes */ 1659 msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); 1660 do_close_tun (c, true); 1661 openvpn_sleep (1); 1662 c->c2.did_open_tun = do_open_tun (c); 1663 update_time (); 1664 } 1665#endif 1666 } 1667 1668 if (c->c2.did_open_tun) 1669 { 1670#if P2MP 1671 save_pulled_options_digest (c, &c->c2.pulled_options_digest); 1672#endif 1673 1674 /* if --route-delay was specified, start timer */ 1675 if (c->options.route_delay_defined) 1676 { 1677 event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now); 1678 event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); 1679 if (c->c1.tuntap) 1680 tun_standby_init (c->c1.tuntap); 1681 } 1682 else 1683 { 1684 initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */ 1685 } 1686 } 1687 else if (c->options.mode == MODE_POINT_TO_POINT) 1688 { 1689 initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */ 1690 } 1691 1692 c->c2.do_up_ran = true; 1693 } 1694} 1695 1696/* 1697 * These are the option categories which will be accepted by pull. 1698 */ 1699unsigned int 1700pull_permission_mask (const struct context *c) 1701{ 1702 unsigned int flags = 1703 OPT_P_UP 1704 | OPT_P_ROUTE_EXTRAS 1705 | OPT_P_SOCKBUF 1706 | OPT_P_SOCKFLAGS 1707 | OPT_P_SETENV 1708 | OPT_P_SHAPER 1709 | OPT_P_TIMER 1710 | OPT_P_COMP 1711 | OPT_P_PERSIST 1712 | OPT_P_MESSAGES 1713 | OPT_P_EXPLICIT_NOTIFY 1714 | OPT_P_ECHO 1715 | OPT_P_PULL_MODE; 1716 1717 if (!c->options.route_nopull) 1718 flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); 1719 1720 return flags; 1721} 1722 1723/* 1724 * Handle non-tun-related pulled options. 1725 */ 1726void 1727do_deferred_options (struct context *c, const unsigned int found) 1728{ 1729 if (found & OPT_P_MESSAGES) 1730 { 1731 init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2); 1732 msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); 1733 } 1734 if (found & OPT_P_TIMER) 1735 { 1736 do_init_timers (c, true); 1737 msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); 1738 } 1739 1740#ifdef ENABLE_OCC 1741 if (found & OPT_P_EXPLICIT_NOTIFY) 1742 { 1743 if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) 1744 { 1745 msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); 1746 c->options.ce.explicit_exit_notification = 0; 1747 } 1748 else 1749 msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); 1750 } 1751#endif 1752 1753#ifdef ENABLE_LZO 1754 if (found & OPT_P_COMP) 1755 { 1756 if (lzo_defined (&c->c2.lzo_compwork)) 1757 { 1758 msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified"); 1759 lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo); 1760 } 1761 } 1762#endif 1763 1764 if (found & OPT_P_SHAPER) 1765 { 1766 msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); 1767 do_init_traffic_shaper (c); 1768 } 1769 1770 if (found & OPT_P_SOCKBUF) 1771 { 1772 msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); 1773 link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); 1774 } 1775 1776 if (found & OPT_P_SOCKFLAGS) 1777 { 1778 msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); 1779 link_socket_update_flags (c->c2.link_socket, c->options.sockflags); 1780 } 1781 1782 if (found & OPT_P_PERSIST) 1783 msg (D_PUSH, "OPTIONS IMPORT: --persist options modified"); 1784 if (found & OPT_P_UP) 1785 msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); 1786 if (found & OPT_P_ROUTE) 1787 msg (D_PUSH, "OPTIONS IMPORT: route options modified"); 1788 if (found & OPT_P_ROUTE_EXTRAS) 1789 msg (D_PUSH, "OPTIONS IMPORT: route-related options modified"); 1790 if (found & OPT_P_IPWIN32) 1791 msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); 1792 if (found & OPT_P_SETENV) 1793 msg (D_PUSH, "OPTIONS IMPORT: environment modified"); 1794} 1795 1796/* 1797 * Possible hold on initialization 1798 */ 1799static bool 1800do_hold (struct context *c) 1801{ 1802#ifdef ENABLE_MANAGEMENT 1803 if (management) 1804 { 1805 /* if c is defined, daemonize before hold */ 1806 if (c && c->options.daemon && management_should_daemonize (management)) 1807 do_init_first_time (c); 1808 1809 /* block until management hold is released */ 1810 if (management_hold (management)) 1811 return true; 1812 } 1813#endif 1814 return false; 1815} 1816 1817/* 1818 * Sleep before restart. 1819 */ 1820static void 1821socket_restart_pause (struct context *c) 1822{ 1823 bool proxy = false; 1824 int sec = 2; 1825 1826#ifdef ENABLE_HTTP_PROXY 1827 if (c->options.ce.http_proxy_options) 1828 proxy = true; 1829#endif 1830#ifdef ENABLE_SOCKS 1831 if (c->options.ce.socks_proxy_server) 1832 proxy = true; 1833#endif 1834 1835 switch (c->options.ce.proto) 1836 { 1837 case PROTO_UDPv4: 1838 case PROTO_UDPv6: 1839 if (proxy) 1840 sec = c->options.ce.connect_retry_seconds; 1841 break; 1842 case PROTO_TCPv4_SERVER: 1843 case PROTO_TCPv6_SERVER: 1844 sec = 1; 1845 break; 1846 case PROTO_TCPv4_CLIENT: 1847 case PROTO_TCPv6_CLIENT: 1848 sec = c->options.ce.connect_retry_seconds; 1849 break; 1850 } 1851 1852#ifdef ENABLE_DEBUG 1853 if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin)) 1854 sec = 0; 1855#endif 1856 1857#if P2MP 1858 if (auth_retry_get () == AR_NOINTERACT) 1859 sec = 10; 1860 1861#if 0 /* not really needed because of c->persist.restart_sleep_seconds */ 1862 if (c->options.server_poll_timeout && sec > 1) 1863 sec = 1; 1864#endif 1865#endif 1866 1867 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) 1868 sec = c->persist.restart_sleep_seconds; 1869 else if (c->persist.restart_sleep_seconds == -1) 1870 sec = 0; 1871 c->persist.restart_sleep_seconds = 0; 1872 1873 /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ 1874 if (do_hold (NULL)) 1875 sec = 0; 1876 1877 if (sec) 1878 { 1879 msg (D_RESTART, "Restart pause, %d second(s)", sec); 1880 openvpn_sleep (sec); 1881 } 1882} 1883 1884/* 1885 * Do a possible pause on context_2 initialization. 1886 */ 1887static void 1888do_startup_pause (struct context *c) 1889{ 1890 if (!c->first_time) 1891 socket_restart_pause (c); 1892 else 1893 do_hold (NULL); /* do management hold on first context initialization */ 1894} 1895 1896/* 1897 * Finalize MTU parameters based on command line or config file options. 1898 */ 1899static void 1900frame_finalize_options (struct context *c, const struct options *o) 1901{ 1902 if (!o) 1903 o = &c->options; 1904 1905 /* 1906 * Set adjustment factor for buffer alignment when no 1907 * cipher is used. 1908 */ 1909 if (!CIPHER_ENABLED (c)) 1910 { 1911 frame_align_to_extra_frame (&c->c2.frame); 1912 frame_or_align_flags (&c->c2.frame, 1913 FRAME_HEADROOM_MARKER_FRAGMENT 1914 |FRAME_HEADROOM_MARKER_READ_LINK 1915 |FRAME_HEADROOM_MARKER_READ_STREAM); 1916 } 1917 1918 frame_finalize (&c->c2.frame, 1919 o->ce.link_mtu_defined, 1920 o->ce.link_mtu, 1921 o->ce.tun_mtu_defined, 1922 o->ce.tun_mtu); 1923} 1924 1925/* 1926 * Free a key schedule, including OpenSSL components. 1927 */ 1928static void 1929key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx) 1930{ 1931#ifdef ENABLE_CRYPTO 1932 free_key_ctx_bi (&ks->static_key); 1933#ifdef ENABLE_SSL 1934 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) 1935 { 1936 tls_ctx_free (&ks->ssl_ctx); 1937 free_key_ctx_bi (&ks->tls_auth_key); 1938 } 1939#endif /* ENABLE_SSL */ 1940#endif /* ENABLE_CRYPTO */ 1941 CLEAR (*ks); 1942} 1943 1944#ifdef ENABLE_CRYPTO 1945 1946static void 1947init_crypto_pre (struct context *c, const unsigned int flags) 1948{ 1949 if (c->options.engine) 1950 crypto_init_lib_engine (c->options.engine); 1951 1952 if (flags & CF_LOAD_PERSISTED_PACKET_ID) 1953 { 1954 /* load a persisted packet-id for cross-session replay-protection */ 1955 if (c->options.packet_id_file) 1956 packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file); 1957 } 1958 1959 /* Initialize crypto options */ 1960 1961 if (c->options.use_iv) 1962 c->c2.crypto_options.flags |= CO_USE_IV; 1963 1964 if (c->options.mute_replay_warnings) 1965 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; 1966 1967#ifdef ENABLE_PREDICTION_RESISTANCE 1968 if (c->options.use_prediction_resistance) 1969 rand_ctx_enable_prediction_resistance(); 1970#endif 1971 1972} 1973 1974/* 1975 * Static Key Mode (using a pre-shared key) 1976 */ 1977static void 1978do_init_crypto_static (struct context *c, const unsigned int flags) 1979{ 1980 const struct options *options = &c->options; 1981 ASSERT (options->shared_secret_file); 1982 1983 init_crypto_pre (c, flags); 1984 1985 /* Initialize packet ID tracking */ 1986 if (options->replay) 1987 { 1988 packet_id_init (&c->c2.packet_id, 1989 link_socket_proto_connection_oriented (options->ce.proto), 1990 options->replay_window, 1991 options->replay_time, 1992 "STATIC", 0); 1993 c->c2.crypto_options.packet_id = &c->c2.packet_id; 1994 c->c2.crypto_options.pid_persist = &c->c1.pid_persist; 1995 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; 1996 packet_id_persist_load_obj (&c->c1.pid_persist, 1997 c->c2.crypto_options.packet_id); 1998 } 1999 2000 if (!key_ctx_bi_defined (&c->c1.ks.static_key)) 2001 { 2002 struct key2 key2; 2003 struct key_direction_state kds; 2004 2005 /* Get cipher & hash algorithms */ 2006 init_key_type (&c->c1.ks.key_type, options->ciphername, 2007 options->ciphername_defined, options->authname, 2008 options->authname_defined, options->keysize, 2009 options->test_crypto, true); 2010 2011 /* Read cipher and hmac keys from shared secret file */ 2012 { 2013 unsigned int rkf_flags = RKF_MUST_SUCCEED; 2014 const char *rkf_file = options->shared_secret_file; 2015 2016 if (options->shared_secret_file_inline) 2017 { 2018 rkf_file = options->shared_secret_file_inline; 2019 rkf_flags |= RKF_INLINE; 2020 } 2021 read_key_file (&key2, rkf_file, rkf_flags); 2022 } 2023 2024 /* Check for and fix highly unlikely key problems */ 2025 verify_fix_key2 (&key2, &c->c1.ks.key_type, 2026 options->shared_secret_file); 2027 2028 /* Initialize OpenSSL key objects */ 2029 key_direction_state_init (&kds, options->key_direction); 2030 must_have_n_keys (options->shared_secret_file, "secret", &key2, 2031 kds.need_keys); 2032 init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key], 2033 &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt"); 2034 init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key], 2035 &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt"); 2036 2037 /* Erase the temporary copy of key */ 2038 CLEAR (key2); 2039 } 2040 else 2041 { 2042 msg (M_INFO, "Re-using pre-shared static key"); 2043 } 2044 2045 /* Get key schedule */ 2046 c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; 2047 2048 /* Compute MTU parameters */ 2049 crypto_adjust_frame_parameters (&c->c2.frame, 2050 &c->c1.ks.key_type, 2051 options->ciphername_defined, 2052 options->use_iv, options->replay, true); 2053 2054 /* Sanity check on IV, sequence number, and cipher mode options */ 2055 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, 2056 options->use_iv); 2057} 2058 2059#ifdef ENABLE_SSL 2060 2061/* 2062 * Initialize the persistent component of OpenVPN's TLS mode, 2063 * which is preserved across SIGUSR1 resets. 2064 */ 2065static void 2066do_init_crypto_tls_c1 (struct context *c) 2067{ 2068 const struct options *options = &c->options; 2069 2070 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) 2071 { 2072 /* 2073 * Initialize the OpenSSL library's global 2074 * SSL context. 2075 */ 2076 init_ssl (options, &(c->c1.ks.ssl_ctx)); 2077 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) 2078 { 2079#if P2MP 2080 switch (auth_retry_get ()) 2081 { 2082 case AR_NONE: 2083 msg (M_FATAL, "Error: private key password verification failed"); 2084 break; 2085 case AR_INTERACT: 2086 ssl_purge_auth (false); 2087 case AR_NOINTERACT: 2088 c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ 2089 break; 2090 default: 2091 ASSERT (0); 2092 } 2093 c->sig->signal_text = "private-key-password-failure"; 2094 return; 2095#else 2096 msg (M_FATAL, "Error: private key password verification failed"); 2097#endif 2098 } 2099 2100 /* Get cipher & hash algorithms */ 2101 init_key_type (&c->c1.ks.key_type, options->ciphername, 2102 options->ciphername_defined, options->authname, 2103 options->authname_defined, options->keysize, true, true); 2104 2105 /* Initialize PRNG with config-specified digest */ 2106 prng_init (options->prng_hash, options->prng_nonce_secret_len); 2107 2108 /* TLS handshake authentication (--tls-auth) */ 2109 if (options->tls_auth_file) 2110 { 2111 unsigned int flags = 0; 2112 const char *file = options->tls_auth_file; 2113 2114 if (options->tls_auth_file_inline) 2115 { 2116 flags |= GHK_INLINE; 2117 file = options->tls_auth_file_inline; 2118 } 2119 get_tls_handshake_key (&c->c1.ks.key_type, 2120 &c->c1.ks.tls_auth_key, 2121 file, 2122 options->key_direction, 2123 flags); 2124 } 2125 2126#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ 2127 if (options->priv_key_file_inline) 2128 { 2129 string_clear (c->options.priv_key_file_inline); 2130 c->options.priv_key_file_inline = NULL; 2131 } 2132#endif 2133 } 2134 else 2135 { 2136 msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); 2137 } 2138} 2139 2140static void 2141do_init_crypto_tls (struct context *c, const unsigned int flags) 2142{ 2143 const struct options *options = &c->options; 2144 struct tls_options to; 2145 bool packet_id_long_form; 2146 2147 ASSERT (options->tls_server || options->tls_client); 2148 ASSERT (!options->test_crypto); 2149 2150 init_crypto_pre (c, flags); 2151 2152 /* Make sure we are either a TLS client or server but not both */ 2153 ASSERT (options->tls_server == !options->tls_client); 2154 2155 /* initialize persistent component */ 2156 do_init_crypto_tls_c1 (c); 2157 if (IS_SIG (c)) 2158 return; 2159 2160 /* Sanity check on IV, sequence number, and cipher mode options */ 2161 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, 2162 options->use_iv); 2163 2164 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ 2165 packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type); 2166 2167 /* Compute MTU parameters */ 2168 crypto_adjust_frame_parameters (&c->c2.frame, 2169 &c->c1.ks.key_type, 2170 options->ciphername_defined, 2171 options->use_iv, 2172 options->replay, packet_id_long_form); 2173 tls_adjust_frame_parameters (&c->c2.frame); 2174 2175 /* Set all command-line TLS-related options */ 2176 CLEAR (to); 2177 2178 to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM); 2179 if (packet_id_long_form) 2180 to.crypto_flags_or = CO_PACKET_ID_LONG_FORM; 2181 2182 to.ssl_ctx = c->c1.ks.ssl_ctx; 2183 to.key_type = c->c1.ks.key_type; 2184 to.server = options->tls_server; 2185 to.key_method = options->key_method; 2186 to.replay = options->replay; 2187 to.replay_window = options->replay_window; 2188 to.replay_time = options->replay_time; 2189 to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); 2190 to.transition_window = options->transition_window; 2191 to.handshake_window = options->handshake_window; 2192 to.packet_timeout = options->tls_timeout; 2193 to.renegotiate_bytes = options->renegotiate_bytes; 2194 to.renegotiate_packets = options->renegotiate_packets; 2195 to.renegotiate_seconds = options->renegotiate_seconds; 2196 to.single_session = options->single_session; 2197#ifdef ENABLE_PUSH_PEER_INFO 2198 if (options->push_peer_info) /* all there is */ 2199 to.push_peer_info_detail = 2; 2200 else if (options->pull) /* pull clients send some details */ 2201 to.push_peer_info_detail = 1; 2202 else /* default: no peer-info at all */ 2203 to.push_peer_info_detail = 0; 2204#endif 2205 2206 /* should we not xmit any packets until we get an initial 2207 response from client? */ 2208 if (to.server && options->ce.proto == PROTO_TCPv4_SERVER) 2209 to.xmit_hold = true; 2210 2211#ifdef ENABLE_OCC 2212 to.disable_occ = !options->occ; 2213#endif 2214 2215 to.verify_command = options->tls_verify; 2216 to.verify_export_cert = options->tls_export_cert; 2217 to.verify_x509_type = (options->verify_x509_type & 0xff); 2218 to.verify_x509_name = options->verify_x509_name; 2219 to.crl_file = options->crl_file; 2220 to.ssl_flags = options->ssl_flags; 2221 to.ns_cert_type = options->ns_cert_type; 2222 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); 2223 to.remote_cert_eku = options->remote_cert_eku; 2224 to.verify_hash = options->verify_hash; 2225#ifdef ENABLE_X509ALTUSERNAME 2226 to.x509_username_field = (char *) options->x509_username_field; 2227#else 2228 to.x509_username_field = X509_USERNAME_FIELD_DEFAULT; 2229#endif 2230 to.es = c->c2.es; 2231 2232#ifdef ENABLE_DEBUG 2233 to.gremlin = c->options.gremlin; 2234#endif 2235 2236 to.plugins = c->plugins; 2237 2238#ifdef MANAGEMENT_DEF_AUTH 2239 to.mda_context = &c->c2.mda_context; 2240#endif 2241 2242#if P2MP_SERVER 2243 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; 2244 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; 2245 to.tmp_dir = options->tmp_dir; 2246 if (options->ccd_exclusive) 2247 to.client_config_dir_exclusive = options->client_config_dir; 2248#endif 2249 2250#ifdef ENABLE_X509_TRACK 2251 to.x509_track = options->x509_track; 2252#endif 2253 2254#if P2MP 2255#ifdef ENABLE_CLIENT_CR 2256 to.sci = &options->sc_info; 2257#endif 2258#endif 2259 2260 /* TLS handshake authentication (--tls-auth) */ 2261 if (options->tls_auth_file) 2262 { 2263 to.tls_auth_key = c->c1.ks.tls_auth_key; 2264 to.tls_auth.pid_persist = &c->c1.pid_persist; 2265 to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; 2266 crypto_adjust_frame_parameters (&to.frame, 2267 &c->c1.ks.key_type, 2268 false, false, true, true); 2269 } 2270 2271 /* If we are running over TCP, allow for 2272 length prefix */ 2273 socket_adjust_frame_parameters (&to.frame, options->ce.proto); 2274 2275 /* 2276 * Initialize OpenVPN's master TLS-mode object. 2277 */ 2278 if (flags & CF_INIT_TLS_MULTI) 2279 c->c2.tls_multi = tls_multi_init (&to); 2280 2281 if (flags & CF_INIT_TLS_AUTH_STANDALONE) 2282 c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc); 2283} 2284 2285static void 2286do_init_finalize_tls_frame (struct context *c) 2287{ 2288 if (c->c2.tls_multi) 2289 { 2290 tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame); 2291 ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <= 2292 EXPANDED_SIZE (&c->c2.frame)); 2293 frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO, 2294 "Control Channel MTU parms"); 2295 } 2296 if (c->c2.tls_auth_standalone) 2297 { 2298 tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame); 2299 frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO, 2300 "TLS-Auth MTU parms"); 2301 } 2302} 2303 2304#endif /* ENABLE_SSL */ 2305#endif /* ENABLE_CRYPTO */ 2306 2307#ifdef ENABLE_CRYPTO 2308/* 2309 * No encryption or authentication. 2310 */ 2311static void 2312do_init_crypto_none (const struct context *c) 2313{ 2314 ASSERT (!c->options.test_crypto); 2315 msg (M_WARN, 2316 "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext"); 2317} 2318#endif 2319 2320static void 2321do_init_crypto (struct context *c, const unsigned int flags) 2322{ 2323#ifdef ENABLE_CRYPTO 2324 if (c->options.shared_secret_file) 2325 do_init_crypto_static (c, flags); 2326#ifdef ENABLE_SSL 2327 else if (c->options.tls_server || c->options.tls_client) 2328 do_init_crypto_tls (c, flags); 2329#endif 2330 else /* no encryption or authentication. */ 2331 do_init_crypto_none (c); 2332#else /* ENABLE_CRYPTO */ 2333 msg (M_WARN, 2334 "******* WARNING *******: " PACKAGE_NAME 2335 " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); 2336#endif /* ENABLE_CRYPTO */ 2337} 2338 2339static void 2340do_init_frame (struct context *c) 2341{ 2342#ifdef ENABLE_LZO 2343 /* 2344 * Initialize LZO compression library. 2345 */ 2346 if (c->options.lzo & LZO_SELECTED) 2347 { 2348 lzo_adjust_frame_parameters (&c->c2.frame); 2349 2350 /* 2351 * LZO usage affects buffer alignment. 2352 */ 2353 if (CIPHER_ENABLED (c)) 2354 { 2355 frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN); 2356 frame_or_align_flags (&c->c2.frame, 2357 FRAME_HEADROOM_MARKER_FRAGMENT 2358 |FRAME_HEADROOM_MARKER_DECRYPT); 2359 } 2360 2361#ifdef ENABLE_FRAGMENT 2362 lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */ 2363#endif 2364 } 2365#endif /* ENABLE_LZO */ 2366 2367#ifdef ENABLE_SOCKS 2368 /* 2369 * Adjust frame size for UDP Socks support. 2370 */ 2371 if (c->options.ce.socks_proxy_server) 2372 socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); 2373#endif 2374 2375 /* 2376 * Adjust frame size based on the --tun-mtu-extra parameter. 2377 */ 2378 if (c->options.ce.tun_mtu_extra_defined) 2379 tun_adjust_frame_parameters (&c->c2.frame, c->options.ce.tun_mtu_extra); 2380 2381 /* 2382 * Adjust frame size based on link socket parameters. 2383 * (Since TCP is a stream protocol, we need to insert 2384 * a packet length uint16_t in the buffer.) 2385 */ 2386 socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); 2387 2388 /* 2389 * Fill in the blanks in the frame parameters structure, 2390 * make sure values are rational, etc. 2391 */ 2392 frame_finalize_options (c, NULL); 2393 2394#ifdef ENABLE_FRAGMENT 2395 /* 2396 * Set frame parameter for fragment code. This is necessary because 2397 * the fragmentation code deals with payloads which have already been 2398 * passed through the compression code. 2399 */ 2400 c->c2.frame_fragment = c->c2.frame; 2401 frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit); 2402#endif 2403 2404#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) 2405 /* 2406 * MTU advisories 2407 */ 2408 if (c->options.ce.fragment && c->options.mtu_test) 2409 msg (M_WARN, 2410 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); 2411#endif 2412 2413#ifdef ENABLE_FRAGMENT 2414 if ((c->options.ce.mssfix || c->options.ce.fragment) 2415 && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU) 2416 msg (M_WARN, 2417 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", 2418 ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment)); 2419#endif 2420} 2421 2422static void 2423do_option_warnings (struct context *c) 2424{ 2425 const struct options *o = &c->options; 2426 2427 if (o->ping_send_timeout && !o->ping_rec_timeout) 2428 msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); 2429 2430 if (o->username || o->groupname || o->chroot_dir 2431#ifdef ENABLE_SELINUX 2432 || o->selinux_context 2433#endif 2434 ) 2435 { 2436 if (!o->persist_tun) 2437 msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); 2438 if (!o->persist_key 2439#ifdef ENABLE_PKCS11 2440 && !o->pkcs11_id 2441#endif 2442 ) 2443 msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); 2444 } 2445 2446 if (o->chroot_dir && !(o->username && o->groupname)) 2447 msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); 2448 2449#if P2MP 2450 if (o->pull && o->ifconfig_local && c->first_time) 2451 msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); 2452 2453#if P2MP_SERVER 2454 if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) 2455 msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); 2456 2457 if (o->mode == MODE_SERVER) 2458 { 2459 if (o->duplicate_cn && o->client_config_dir) 2460 msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); 2461 if (o->duplicate_cn && o->ifconfig_pool_persist_filename) 2462 msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); 2463 if (!o->keepalive_ping || !o->keepalive_timeout) 2464 msg (M_WARN, "WARNING: --keepalive option is missing from server config"); 2465 } 2466#endif 2467#endif 2468 2469#ifdef ENABLE_CRYPTO 2470 if (!o->replay) 2471 msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); 2472 if (!o->use_iv) 2473 msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); 2474 2475#ifdef ENABLE_SSL 2476 if (o->tls_server) 2477 warn_on_use_of_common_subnets (); 2478 if (o->tls_client 2479 && !o->tls_verify 2480 && o->verify_x509_type == VERIFY_X509_NONE 2481 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) 2482 && !o->remote_cert_eku) 2483 msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); 2484#endif 2485#endif 2486 2487#ifndef CONNECT_NONBLOCK 2488 if (o->ce.connect_timeout_defined) 2489 msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); 2490#endif 2491 2492 /* If a script is used, print appropiate warnings */ 2493 if (o->user_script_used) 2494 { 2495 if (script_security >= SSEC_SCRIPTS) 2496 msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); 2497 else if (script_security >= SSEC_PW_ENV) 2498 msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); 2499 else 2500 msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); 2501 } 2502} 2503 2504static void 2505do_init_frame_tls (struct context *c) 2506{ 2507#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2508 do_init_finalize_tls_frame (c); 2509#endif 2510} 2511 2512struct context_buffers * 2513init_context_buffers (const struct frame *frame) 2514{ 2515 struct context_buffers *b; 2516 2517 ALLOC_OBJ_CLEAR (b, struct context_buffers); 2518 2519 b->read_link_buf = alloc_buf (BUF_SIZE (frame)); 2520 b->read_tun_buf = alloc_buf (BUF_SIZE (frame)); 2521 2522 b->aux_buf = alloc_buf (BUF_SIZE (frame)); 2523 2524#ifdef ENABLE_CRYPTO 2525 b->encrypt_buf = alloc_buf (BUF_SIZE (frame)); 2526 b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); 2527#endif 2528 2529#ifdef ENABLE_LZO 2530 b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame)); 2531 b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame)); 2532#endif 2533 2534 return b; 2535} 2536 2537void 2538free_context_buffers (struct context_buffers *b) 2539{ 2540 if (b) 2541 { 2542 free_buf (&b->read_link_buf); 2543 free_buf (&b->read_tun_buf); 2544 free_buf (&b->aux_buf); 2545 2546#ifdef ENABLE_LZO 2547 free_buf (&b->lzo_compress_buf); 2548 free_buf (&b->lzo_decompress_buf); 2549#endif 2550 2551#ifdef ENABLE_CRYPTO 2552 free_buf (&b->encrypt_buf); 2553 free_buf (&b->decrypt_buf); 2554#endif 2555 2556 free (b); 2557 } 2558} 2559 2560/* 2561 * Now that we know all frame parameters, initialize 2562 * our buffers. 2563 */ 2564static void 2565do_init_buffers (struct context *c) 2566{ 2567 c->c2.buffers = init_context_buffers (&c->c2.frame); 2568 c->c2.buffers_owned = true; 2569} 2570 2571#ifdef ENABLE_FRAGMENT 2572/* 2573 * Fragmenting code has buffers to initialize 2574 * once frame parameters are known. 2575 */ 2576static void 2577do_init_fragment (struct context *c) 2578{ 2579 ASSERT (c->options.ce.fragment); 2580 frame_set_mtu_dynamic (&c->c2.frame_fragment, 2581 c->options.ce.fragment, SET_MTU_UPPER_BOUND); 2582 fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment); 2583} 2584#endif 2585 2586/* 2587 * Set the --mssfix option. 2588 */ 2589static void 2590do_init_mssfix (struct context *c) 2591{ 2592 if (c->options.ce.mssfix) 2593 { 2594 frame_set_mtu_dynamic (&c->c2.frame, 2595 c->options.ce.mssfix, SET_MTU_UPPER_BOUND); 2596 } 2597} 2598 2599/* 2600 * Allocate our socket object. 2601 */ 2602static void 2603do_link_socket_new (struct context *c) 2604{ 2605 ASSERT (!c->c2.link_socket); 2606 c->c2.link_socket = link_socket_new (); 2607 c->c2.link_socket_owned = true; 2608} 2609 2610/* 2611 * bind the TCP/UDP socket 2612 */ 2613static void 2614do_init_socket_1 (struct context *c, const int mode) 2615{ 2616 unsigned int sockflags = c->options.sockflags; 2617 2618#if PORT_SHARE 2619 if (c->options.port_share_host && c->options.port_share_port) 2620 sockflags |= SF_PORT_SHARE; 2621#endif 2622 2623 link_socket_init_phase1 (c->c2.link_socket, 2624 connection_list_defined (&c->options), 2625 c->options.ce.local, 2626 c->options.ce.local_port, 2627 c->options.ce.remote, 2628 c->options.ce.remote_port, 2629 c->options.ce.proto, 2630 mode, 2631 c->c2.accept_from, 2632#ifdef ENABLE_HTTP_PROXY 2633 c->c1.http_proxy, 2634#endif 2635#ifdef ENABLE_SOCKS 2636 c->c1.socks_proxy, 2637#endif 2638#ifdef ENABLE_DEBUG 2639 c->options.gremlin, 2640#endif 2641 c->options.ce.bind_local, 2642 c->options.ce.remote_float, 2643 c->options.inetd, 2644 &c->c1.link_socket_addr, 2645 c->options.ipchange, 2646 c->plugins, 2647 c->options.resolve_retry_seconds, 2648 c->options.ce.connect_retry_seconds, 2649 c->options.ce.connect_timeout, 2650 c->options.ce.connect_retry_max, 2651 c->options.ce.mtu_discover_type, 2652 c->options.rcvbuf, 2653 c->options.sndbuf, 2654 c->options.mark, 2655 sockflags); 2656} 2657 2658/* 2659 * finalize the TCP/UDP socket 2660 */ 2661static void 2662do_init_socket_2 (struct context *c) 2663{ 2664 link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, 2665 &c->sig->signal_received); 2666} 2667 2668/* 2669 * Print MTU INFO 2670 */ 2671static void 2672do_print_data_channel_mtu_parms (struct context *c) 2673{ 2674 frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); 2675#ifdef ENABLE_FRAGMENT 2676 if (c->c2.fragment) 2677 frame_print (&c->c2.frame_fragment, D_MTU_INFO, 2678 "Fragmentation MTU parms"); 2679#endif 2680} 2681 2682#ifdef ENABLE_OCC 2683/* 2684 * Get local and remote options compatibility strings. 2685 */ 2686static void 2687do_compute_occ_strings (struct context *c) 2688{ 2689 struct gc_arena gc = gc_new (); 2690 2691 c->c2.options_string_local = 2692 options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); 2693 c->c2.options_string_remote = 2694 options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); 2695 2696 msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local); 2697 msg (D_SHOW_OCC, "Expected Remote Options String: '%s'", 2698 c->c2.options_string_remote); 2699 2700#ifdef ENABLE_CRYPTO 2701 msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", 2702 options_string_version (c->c2.options_string_local, &gc), 2703 md5sum ((uint8_t*)c->c2.options_string_local, 2704 strlen (c->c2.options_string_local), 9, &gc)); 2705 msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'", 2706 options_string_version (c->c2.options_string_remote, &gc), 2707 md5sum ((uint8_t*)c->c2.options_string_remote, 2708 strlen (c->c2.options_string_remote), 9, &gc)); 2709#endif 2710 2711#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2712 if (c->c2.tls_multi) 2713 tls_multi_init_set_options (c->c2.tls_multi, 2714 c->c2.options_string_local, 2715 c->c2.options_string_remote); 2716#endif 2717 2718 gc_free (&gc); 2719} 2720#endif 2721 2722/* 2723 * These things can only be executed once per program instantiation. 2724 * Set up for possible UID/GID downgrade, but don't do it yet. 2725 * Daemonize if requested. 2726 */ 2727static void 2728do_init_first_time (struct context *c) 2729{ 2730 if (c->first_time && !c->did_we_daemonize && !c->c0) 2731 { 2732 struct context_0 *c0; 2733 2734 ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc); 2735 c0 = c->c0; 2736 2737 /* get user and/or group that we want to setuid/setgid to */ 2738 c0->uid_gid_specified = 2739 platform_group_get (c->options.groupname, &c0->platform_state_group) | 2740 platform_user_get (c->options.username, &c0->platform_state_user); 2741 2742 /* get --writepid file descriptor */ 2743 get_pid_file (c->options.writepid, &c0->pid_state); 2744 2745 /* become a daemon if --daemon */ 2746 c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time); 2747 2748 /* should we disable paging? */ 2749 if (c->options.mlock && c->did_we_daemonize) 2750 platform_mlockall (true); /* call again in case we daemonized */ 2751 2752 /* save process ID in a file */ 2753 write_pid (&c0->pid_state); 2754 2755 /* should we change scheduling priority? */ 2756 platform_nice (c->options.nice); 2757 } 2758} 2759 2760/* 2761 * If xinetd/inetd mode, don't allow restart. 2762 */ 2763static void 2764do_close_check_if_restart_permitted (struct context *c) 2765{ 2766 if (c->options.inetd 2767 && (c->sig->signal_received == SIGHUP 2768 || c->sig->signal_received == SIGUSR1)) 2769 { 2770 c->sig->signal_received = SIGTERM; 2771 msg (M_INFO, 2772 PACKAGE_NAME 2773 " started by inetd/xinetd cannot restart... Exiting."); 2774 } 2775} 2776 2777/* 2778 * free buffers 2779 */ 2780static void 2781do_close_free_buf (struct context *c) 2782{ 2783 if (c->c2.buffers_owned) 2784 { 2785 free_context_buffers (c->c2.buffers); 2786 c->c2.buffers = NULL; 2787 c->c2.buffers_owned = false; 2788 } 2789} 2790 2791/* 2792 * close TLS 2793 */ 2794static void 2795do_close_tls (struct context *c) 2796{ 2797#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2798 if (c->c2.tls_multi) 2799 { 2800 tls_multi_free (c->c2.tls_multi, true); 2801 c->c2.tls_multi = NULL; 2802 } 2803 2804#ifdef ENABLE_OCC 2805 /* free options compatibility strings */ 2806 if (c->c2.options_string_local) 2807 free (c->c2.options_string_local); 2808 if (c->c2.options_string_remote) 2809 free (c->c2.options_string_remote); 2810 c->c2.options_string_local = c->c2.options_string_remote = NULL; 2811#endif 2812#endif 2813} 2814 2815/* 2816 * Free key schedules 2817 */ 2818static void 2819do_close_free_key_schedule (struct context *c, bool free_ssl_ctx) 2820{ 2821 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) 2822 key_schedule_free (&c->c1.ks, free_ssl_ctx); 2823} 2824 2825/* 2826 * Close TCP/UDP connection 2827 */ 2828static void 2829do_close_link_socket (struct context *c) 2830{ 2831 if (c->c2.link_socket && c->c2.link_socket_owned) 2832 { 2833 link_socket_close (c->c2.link_socket); 2834 c->c2.link_socket = NULL; 2835 } 2836 2837 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) 2838 { 2839 CLEAR (c->c1.link_socket_addr.remote); 2840 CLEAR (c->c1.link_socket_addr.actual); 2841 } 2842 2843 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) 2844 CLEAR (c->c1.link_socket_addr.local); 2845} 2846 2847/* 2848 * Close packet-id persistance file 2849 */ 2850static void 2851do_close_packet_id (struct context *c) 2852{ 2853#ifdef ENABLE_CRYPTO 2854 packet_id_free (&c->c2.packet_id); 2855 packet_id_persist_save (&c->c1.pid_persist); 2856 if (!(c->sig->signal_received == SIGUSR1)) 2857 packet_id_persist_close (&c->c1.pid_persist); 2858#endif 2859} 2860 2861#ifdef ENABLE_FRAGMENT 2862/* 2863 * Close fragmentation handler. 2864 */ 2865static void 2866do_close_fragment (struct context *c) 2867{ 2868 if (c->c2.fragment) 2869 { 2870 fragment_free (c->c2.fragment); 2871 c->c2.fragment = NULL; 2872 } 2873} 2874#endif 2875 2876/* 2877 * Open and close our event objects. 2878 */ 2879 2880static void 2881do_event_set_init (struct context *c, 2882 bool need_us_timeout) 2883{ 2884 unsigned int flags = 0; 2885 2886 c->c2.event_set_max = BASE_N_EVENTS; 2887 2888 flags |= EVENT_METHOD_FAST; 2889 2890 if (need_us_timeout) 2891 flags |= EVENT_METHOD_US_TIMEOUT; 2892 2893 c->c2.event_set = event_set_init (&c->c2.event_set_max, flags); 2894 c->c2.event_set_owned = true; 2895} 2896 2897static void 2898do_close_event_set (struct context *c) 2899{ 2900 if (c->c2.event_set && c->c2.event_set_owned) 2901 { 2902 event_free (c->c2.event_set); 2903 c->c2.event_set = NULL; 2904 c->c2.event_set_owned = false; 2905 } 2906} 2907 2908/* 2909 * Open and close --status file 2910 */ 2911 2912static void 2913do_open_status_output (struct context *c) 2914{ 2915 if (!c->c1.status_output) 2916 { 2917 c->c1.status_output = status_open (c->options.status_file, 2918 c->options.status_file_update_freq, 2919 -1, 2920 NULL, 2921 STATUS_OUTPUT_WRITE); 2922 c->c1.status_output_owned = true; 2923 } 2924} 2925 2926static void 2927do_close_status_output (struct context *c) 2928{ 2929 if (!(c->sig->signal_received == SIGUSR1)) 2930 { 2931 if (c->c1.status_output_owned && c->c1.status_output) 2932 { 2933 status_close (c->c1.status_output); 2934 c->c1.status_output = NULL; 2935 c->c1.status_output_owned = false; 2936 } 2937 } 2938} 2939 2940/* 2941 * Handle ifconfig-pool persistance object. 2942 */ 2943static void 2944do_open_ifconfig_pool_persist (struct context *c) 2945{ 2946#if P2MP_SERVER 2947 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) 2948 { 2949 c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename, 2950 c->options.ifconfig_pool_persist_refresh_freq); 2951 c->c1.ifconfig_pool_persist_owned = true; 2952 } 2953#endif 2954} 2955 2956static void 2957do_close_ifconfig_pool_persist (struct context *c) 2958{ 2959#if P2MP_SERVER 2960 if (!(c->sig->signal_received == SIGUSR1)) 2961 { 2962 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) 2963 { 2964 ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist); 2965 c->c1.ifconfig_pool_persist = NULL; 2966 c->c1.ifconfig_pool_persist_owned = false; 2967 } 2968 } 2969#endif 2970} 2971 2972/* 2973 * Inherit environmental variables 2974 */ 2975 2976static void 2977do_inherit_env (struct context *c, const struct env_set *src) 2978{ 2979 c->c2.es = env_set_create (&c->c2.gc); 2980 c->c2.es_owned = true; 2981 env_set_inherit (c->c2.es, src); 2982} 2983 2984static void 2985do_env_set_destroy (struct context *c) 2986{ 2987 if (c->c2.es && c->c2.es_owned) 2988 { 2989 env_set_destroy (c->c2.es); 2990 c->c2.es = NULL; 2991 c->c2.es_owned = false; 2992 } 2993} 2994 2995/* 2996 * Fast I/O setup. Fast I/O is an optimization which only works 2997 * if all of the following are true: 2998 * 2999 * (1) The platform is not Windows 3000 * (2) --proto udp is enabled 3001 * (3) --shaper is disabled 3002 */ 3003static void 3004do_setup_fast_io (struct context *c) 3005{ 3006 if (c->options.fast_io) 3007 { 3008#ifdef WIN32 3009 msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); 3010#else 3011 if (!proto_is_udp(c->options.ce.proto)) 3012 msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); 3013 else 3014 { 3015#ifdef ENABLE_FEATURE_SHAPER 3016 if (c->options.shaper) 3017 msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); 3018 else 3019#endif 3020 { 3021 c->c2.fast_io = true; 3022 } 3023 } 3024#endif 3025 } 3026} 3027 3028static void 3029do_signal_on_tls_errors (struct context *c) 3030{ 3031#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 3032 if (c->options.tls_exit) 3033 c->c2.tls_exit_signal = SIGTERM; 3034 else 3035 c->c2.tls_exit_signal = SIGUSR1; 3036#endif 3037} 3038 3039#ifdef ENABLE_PLUGIN 3040 3041void 3042init_plugins (struct context *c) 3043{ 3044 if (c->options.plugin_list && !c->plugins) 3045 { 3046 c->plugins = plugin_list_init (c->options.plugin_list); 3047 c->plugins_owned = true; 3048 } 3049} 3050 3051void 3052open_plugins (struct context *c, const bool import_options, int init_point) 3053{ 3054 if (c->plugins && c->plugins_owned) 3055 { 3056 if (import_options) 3057 { 3058 struct plugin_return pr, config; 3059 plugin_return_init (&pr); 3060 plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); 3061 plugin_return_get_column (&pr, &config, "config"); 3062 if (plugin_return_defined (&config)) 3063 { 3064 int i; 3065 for (i = 0; i < config.n; ++i) 3066 { 3067 unsigned int option_types_found = 0; 3068 if (config.list[i] && config.list[i]->value) 3069 options_string_import (&c->options, 3070 config.list[i]->value, 3071 D_IMPORT_ERRORS|M_OPTERR, 3072 OPT_P_DEFAULT & ~OPT_P_PLUGIN, 3073 &option_types_found, 3074 c->es); 3075 } 3076 } 3077 plugin_return_free (&pr); 3078 } 3079 else 3080 { 3081 plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); 3082 } 3083 } 3084} 3085 3086static void 3087do_close_plugins (struct context *c) 3088{ 3089 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) 3090 { 3091 plugin_list_close (c->plugins); 3092 c->plugins = NULL; 3093 c->plugins_owned = false; 3094 } 3095} 3096 3097static void 3098do_inherit_plugins (struct context *c, const struct context *src) 3099{ 3100 if (!c->plugins && src->plugins) 3101 { 3102 c->plugins = plugin_list_inherit (src->plugins); 3103 c->plugins_owned = true; 3104 } 3105} 3106 3107#endif 3108 3109#ifdef ENABLE_MANAGEMENT 3110 3111static void 3112management_callback_status_p2p (void *arg, const int version, struct status_output *so) 3113{ 3114 struct context *c = (struct context *) arg; 3115 print_status (c, so); 3116} 3117 3118void 3119management_show_net_callback (void *arg, const int msglevel) 3120{ 3121#ifdef WIN32 3122 show_routes (msglevel); 3123 show_adapters (msglevel); 3124 msg (msglevel, "END"); 3125#else 3126 msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); 3127#endif 3128} 3129 3130#endif 3131 3132void 3133init_management_callback_p2p (struct context *c) 3134{ 3135#ifdef ENABLE_MANAGEMENT 3136 if (management) 3137 { 3138 struct management_callback cb; 3139 CLEAR (cb); 3140 cb.arg = c; 3141 cb.status = management_callback_status_p2p; 3142 cb.show_net = management_show_net_callback; 3143 cb.proxy_cmd = management_callback_proxy_cmd; 3144 cb.remote_cmd = management_callback_remote_cmd; 3145 management_set_callback (management, &cb); 3146 } 3147#endif 3148} 3149 3150#ifdef ENABLE_MANAGEMENT 3151 3152void 3153init_management (struct context *c) 3154{ 3155 if (!management) 3156 management = management_init (); 3157} 3158 3159bool 3160open_management (struct context *c) 3161{ 3162 /* initialize management layer */ 3163 if (management) 3164 { 3165 if (c->options.management_addr) 3166 { 3167 unsigned int flags = c->options.management_flags; 3168 if (c->options.mode == MODE_SERVER) 3169 flags |= MF_SERVER; 3170 if (management_open (management, 3171 c->options.management_addr, 3172 c->options.management_port, 3173 c->options.management_user_pass, 3174 c->options.management_client_user, 3175 c->options.management_client_group, 3176 c->options.management_log_history_cache, 3177 c->options.management_echo_buffer_size, 3178 c->options.management_state_buffer_size, 3179 c->options.management_write_peer_info_file, 3180 c->options.remap_sigusr1, 3181 flags)) 3182 { 3183 management_set_state (management, 3184 OPENVPN_STATE_CONNECTING, 3185 NULL, 3186 (in_addr_t)0, 3187 (in_addr_t)0); 3188 } 3189 3190 /* initial management hold, called early, before first context initialization */ 3191 do_hold (c); 3192 if (IS_SIG (c)) 3193 { 3194 msg (M_WARN, "Signal received from management interface, exiting"); 3195 return false; 3196 } 3197 } 3198 else 3199 close_management (); 3200 } 3201 return true; 3202} 3203 3204void 3205close_management (void) 3206{ 3207 if (management) 3208 { 3209 management_close (management); 3210 management = NULL; 3211 } 3212} 3213 3214#endif 3215 3216 3217void 3218uninit_management_callback (void) 3219{ 3220#ifdef ENABLE_MANAGEMENT 3221 if (management) 3222 { 3223 management_clear_callback (management); 3224 } 3225#endif 3226} 3227 3228/* 3229 * Initialize a tunnel instance, handle pre and post-init 3230 * signal settings. 3231 */ 3232void 3233init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags) 3234{ 3235 pre_init_signal_catch (); 3236 init_instance (c, env, flags); 3237 post_init_signal_catch (); 3238 3239 /* 3240 * This is done so that signals thrown during 3241 * initialization can bring us back to 3242 * a management hold. 3243 */ 3244 if (IS_SIG (c)) 3245 { 3246 remap_signal (c); 3247 uninit_management_callback (); 3248 } 3249} 3250 3251/* 3252 * Initialize a tunnel instance. 3253 */ 3254void 3255init_instance (struct context *c, const struct env_set *env, const unsigned int flags) 3256{ 3257 const struct options *options = &c->options; 3258 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); 3259 int link_socket_mode = LS_MODE_DEFAULT; 3260 3261 /* init garbage collection level */ 3262 gc_init (&c->c2.gc); 3263 3264 /* signals caught here will abort */ 3265 c->sig->signal_received = 0; 3266 c->sig->signal_text = NULL; 3267 c->sig->hard = false; 3268 3269 if (c->mode == CM_P2P) 3270 init_management_callback_p2p (c); 3271 3272 /* possible sleep or management hold if restart */ 3273 if (c->mode == CM_P2P || c->mode == CM_TOP) 3274 { 3275 do_startup_pause (c); 3276 if (IS_SIG (c)) 3277 goto sig; 3278 } 3279 3280 /* map in current connection entry */ 3281 next_connection_entry (c); 3282 3283 /* link_socket_mode allows CM_CHILD_TCP 3284 instances to inherit acceptable fds 3285 from a top-level parent */ 3286 if (c->options.ce.proto == PROTO_TCPv4_SERVER 3287 || c->options.ce.proto == PROTO_TCPv6_SERVER) 3288 { 3289 if (c->mode == CM_TOP) 3290 link_socket_mode = LS_MODE_TCP_LISTEN; 3291 else if (c->mode == CM_CHILD_TCP) 3292 link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; 3293 } 3294 3295 /* should we disable paging? */ 3296 if (c->first_time && options->mlock) 3297 platform_mlockall (true); 3298 3299#if P2MP 3300 /* get passwords if undefined */ 3301 if (auth_retry_get () == AR_INTERACT) 3302 init_query_passwords (c); 3303#endif 3304 3305 /* initialize context level 2 --verb/--mute parms */ 3306 init_verb_mute (c, IVM_LEVEL_2); 3307 3308 /* set error message delay for non-server modes */ 3309 if (c->mode == CM_P2P) 3310 set_check_status_error_delay (P2P_ERROR_DELAY_MS); 3311 3312 /* warn about inconsistent options */ 3313 if (c->mode == CM_P2P || c->mode == CM_TOP) 3314 do_option_warnings (c); 3315 3316 /* inherit environmental variables */ 3317 if (env) 3318 do_inherit_env (c, env); 3319 3320#ifdef ENABLE_PLUGIN 3321 /* initialize plugins */ 3322 if (c->mode == CM_P2P || c->mode == CM_TOP) 3323 open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); 3324#endif 3325 3326 /* should we enable fast I/O? */ 3327 if (c->mode == CM_P2P || c->mode == CM_TOP) 3328 do_setup_fast_io (c); 3329 3330 /* should we throw a signal on TLS errors? */ 3331 do_signal_on_tls_errors (c); 3332 3333 /* open --status file */ 3334 if (c->mode == CM_P2P || c->mode == CM_TOP) 3335 do_open_status_output (c); 3336 3337 /* open --ifconfig-pool-persist file */ 3338 if (c->mode == CM_TOP) 3339 do_open_ifconfig_pool_persist (c); 3340 3341#ifdef ENABLE_OCC 3342 /* reset OCC state */ 3343 if (c->mode == CM_P2P || child) 3344 c->c2.occ_op = occ_reset_op (); 3345#endif 3346 3347 /* our wait-for-i/o objects, different for posix vs. win32 */ 3348 if (c->mode == CM_P2P) 3349 do_event_set_init (c, SHAPER_DEFINED (&c->options)); 3350 else if (c->mode == CM_CHILD_TCP) 3351 do_event_set_init (c, false); 3352 3353 /* initialize HTTP or SOCKS proxy object at scope level 2 */ 3354 init_proxy (c, 2); 3355 3356 /* allocate our socket object */ 3357 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3358 do_link_socket_new (c); 3359 3360#ifdef ENABLE_FRAGMENT 3361 /* initialize internal fragmentation object */ 3362 if (options->ce.fragment && (c->mode == CM_P2P || child)) 3363 c->c2.fragment = fragment_init (&c->c2.frame); 3364#endif 3365 3366 /* init crypto layer */ 3367 { 3368 unsigned int crypto_flags = 0; 3369 if (c->mode == CM_TOP) 3370 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; 3371 else if (c->mode == CM_P2P) 3372 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; 3373 else if (child) 3374 crypto_flags = CF_INIT_TLS_MULTI; 3375 do_init_crypto (c, crypto_flags); 3376 if (IS_SIG (c) && !child) 3377 goto sig; 3378 } 3379 3380#ifdef ENABLE_LZO 3381 /* initialize LZO compression library. */ 3382 if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child)) 3383 lzo_compress_init (&c->c2.lzo_compwork, options->lzo); 3384#endif 3385 3386 /* initialize MTU variables */ 3387 do_init_frame (c); 3388 3389 /* initialize TLS MTU variables */ 3390 do_init_frame_tls (c); 3391 3392 /* init workspace buffers whose size is derived from frame size */ 3393 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) 3394 do_init_buffers (c); 3395 3396#ifdef ENABLE_FRAGMENT 3397 /* initialize internal fragmentation capability with known frame size */ 3398 if (options->ce.fragment && (c->mode == CM_P2P || child)) 3399 do_init_fragment (c); 3400#endif 3401 3402 /* initialize dynamic MTU variable */ 3403 do_init_mssfix (c); 3404 3405 /* bind the TCP/UDP socket */ 3406 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3407 do_init_socket_1 (c, link_socket_mode); 3408 3409 /* initialize tun/tap device object, 3410 open tun/tap device, ifconfig, run up script, etc. */ 3411 if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) 3412 c->c2.did_open_tun = do_open_tun (c); 3413 3414 /* print MTU info */ 3415 do_print_data_channel_mtu_parms (c); 3416 3417#ifdef ENABLE_OCC 3418 /* get local and remote options compatibility strings */ 3419 if (c->mode == CM_P2P || child) 3420 do_compute_occ_strings (c); 3421#endif 3422 3423 /* initialize output speed limiter */ 3424 if (c->mode == CM_P2P) 3425 do_init_traffic_shaper (c); 3426 3427 /* do one-time inits, and possibily become a daemon here */ 3428 do_init_first_time (c); 3429 3430#ifdef ENABLE_PLUGIN 3431 /* initialize plugins */ 3432 if (c->mode == CM_P2P || c->mode == CM_TOP) 3433 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); 3434#endif 3435 3436 /* 3437 * Actually do UID/GID downgrade, and chroot, if requested. 3438 * May be delayed by --client, --pull, or --up-delay. 3439 */ 3440 do_uid_gid_chroot (c, c->c2.did_open_tun); 3441 3442 /* finalize the TCP/UDP socket */ 3443 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3444 do_init_socket_2 (c); 3445 3446 /* initialize timers */ 3447 if (c->mode == CM_P2P || child) 3448 do_init_timers (c, false); 3449 3450#ifdef ENABLE_PLUGIN 3451 /* initialize plugins */ 3452 if (c->mode == CM_P2P || c->mode == CM_TOP) 3453 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); 3454#endif 3455 3456#if PORT_SHARE 3457 /* share OpenVPN port with foreign (such as HTTPS) server */ 3458 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) 3459 init_port_share (c); 3460#endif 3461 3462#ifdef ENABLE_PF 3463 if (child) 3464 pf_init_context (c); 3465#endif 3466 3467 /* Check for signals */ 3468 if (IS_SIG (c)) 3469 goto sig; 3470 3471 return; 3472 3473 sig: 3474 if (!c->sig->signal_text) 3475 c->sig->signal_text = "init_instance"; 3476 close_context (c, -1, flags); 3477 return; 3478} 3479 3480/* 3481 * Close a tunnel instance. 3482 */ 3483void 3484close_instance (struct context *c) 3485{ 3486 /* close event objects */ 3487 do_close_event_set (c); 3488 3489 if (c->mode == CM_P2P 3490 || c->mode == CM_CHILD_TCP 3491 || c->mode == CM_CHILD_UDP 3492 || c->mode == CM_TOP) 3493 { 3494 /* if xinetd/inetd mode, don't allow restart */ 3495 do_close_check_if_restart_permitted (c); 3496 3497#ifdef ENABLE_LZO 3498 if (lzo_defined (&c->c2.lzo_compwork)) 3499 lzo_compress_uninit (&c->c2.lzo_compwork); 3500#endif 3501 3502 /* free buffers */ 3503 do_close_free_buf (c); 3504 3505 /* close TLS */ 3506 do_close_tls (c); 3507 3508 /* free key schedules */ 3509 do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP)); 3510 3511 /* close TCP/UDP connection */ 3512 do_close_link_socket (c); 3513 3514 /* close TUN/TAP device */ 3515 do_close_tun (c, false); 3516 3517#ifdef MANAGEMENT_DEF_AUTH 3518 if (management) 3519 management_notify_client_close (management, &c->c2.mda_context, NULL); 3520#endif 3521 3522#ifdef ENABLE_PF 3523 pf_destroy_context (&c->c2.pf); 3524#endif 3525 3526#ifdef ENABLE_PLUGIN 3527 /* call plugin close functions and unload */ 3528 do_close_plugins (c); 3529#endif 3530 3531 /* close packet-id persistance file */ 3532 do_close_packet_id (c); 3533 3534 /* close --status file */ 3535 do_close_status_output (c); 3536 3537#ifdef ENABLE_FRAGMENT 3538 /* close fragmentation handler */ 3539 do_close_fragment (c); 3540#endif 3541 3542 /* close --ifconfig-pool-persist obj */ 3543 do_close_ifconfig_pool_persist (c); 3544 3545 /* free up environmental variable store */ 3546 do_env_set_destroy (c); 3547 3548 /* close HTTP or SOCKS proxy */ 3549 uninit_proxy (c); 3550 3551 /* garbage collect */ 3552 gc_free (&c->c2.gc); 3553 } 3554} 3555 3556void 3557inherit_context_child (struct context *dest, 3558 const struct context *src) 3559{ 3560 CLEAR (*dest); 3561 3562 /* proto_is_dgram will ASSERT(0) if proto is invalid */ 3563 dest->mode = proto_is_dgram(src->options.ce.proto)? CM_CHILD_UDP : CM_CHILD_TCP; 3564 3565 dest->gc = gc_new (); 3566 3567 ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc); 3568 3569 /* c1 init */ 3570 packet_id_persist_init (&dest->c1.pid_persist); 3571 3572#ifdef ENABLE_CRYPTO 3573 dest->c1.ks.key_type = src->c1.ks.key_type; 3574#ifdef ENABLE_SSL 3575 /* inherit SSL context */ 3576 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; 3577 dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; 3578#endif 3579#endif 3580 3581 /* options */ 3582 dest->options = src->options; 3583 options_detach (&dest->options); 3584 3585 if (dest->mode == CM_CHILD_TCP) 3586 { 3587 /* 3588 * The CM_TOP context does the socket listen(), 3589 * and the CM_CHILD_TCP context does the accept(). 3590 */ 3591 dest->c2.accept_from = src->c2.link_socket; 3592 } 3593 3594#ifdef ENABLE_PLUGIN 3595 /* inherit plugins */ 3596 do_inherit_plugins (dest, src); 3597#endif 3598 3599 /* context init */ 3600 init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); 3601 if (IS_SIG (dest)) 3602 return; 3603 3604 /* inherit tun/tap interface object */ 3605 dest->c1.tuntap = src->c1.tuntap; 3606 3607 /* UDP inherits some extra things which TCP does not */ 3608 if (dest->mode == CM_CHILD_UDP) 3609 { 3610 /* inherit buffers */ 3611 dest->c2.buffers = src->c2.buffers; 3612 3613 /* inherit parent link_socket and tuntap */ 3614 dest->c2.link_socket = src->c2.link_socket; 3615 3616 ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc); 3617 *dest->c2.link_socket_info = src->c2.link_socket->info; 3618 3619 /* locally override some link_socket_info fields */ 3620 dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; 3621 dest->c2.link_socket_info->connection_established = false; 3622 } 3623} 3624 3625void 3626inherit_context_top (struct context *dest, 3627 const struct context *src) 3628{ 3629 /* copy parent */ 3630 *dest = *src; 3631 3632 /* 3633 * CM_TOP_CLONE will prevent close_instance from freeing or closing 3634 * resources owned by the parent. 3635 * 3636 * Also note that CM_TOP_CLONE context objects are 3637 * closed by multi_top_free in multi.c. 3638 */ 3639 dest->mode = CM_TOP_CLONE; 3640 3641 dest->first_time = false; 3642 dest->c0 = NULL; 3643 3644 options_detach (&dest->options); 3645 gc_detach (&dest->gc); 3646 gc_detach (&dest->c2.gc); 3647 3648 /* detach plugins */ 3649 dest->plugins_owned = false; 3650 3651#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 3652 dest->c2.tls_multi = NULL; 3653#endif 3654 3655 /* detach c1 ownership */ 3656 dest->c1.tuntap_owned = false; 3657 dest->c1.status_output_owned = false; 3658#if P2MP_SERVER 3659 dest->c1.ifconfig_pool_persist_owned = false; 3660#endif 3661 3662 /* detach c2 ownership */ 3663 dest->c2.event_set_owned = false; 3664 dest->c2.link_socket_owned = false; 3665 dest->c2.buffers_owned = false; 3666 dest->c2.es_owned = false; 3667 3668 dest->c2.event_set = NULL; 3669 if (proto_is_dgram(src->options.ce.proto)) 3670 do_event_set_init (dest, false); 3671} 3672 3673void 3674close_context (struct context *c, int sig, unsigned int flags) 3675{ 3676 ASSERT (c); 3677 ASSERT (c->sig); 3678 3679 if (sig >= 0) 3680 c->sig->signal_received = sig; 3681 3682 if (c->sig->signal_received == SIGUSR1) 3683 { 3684 if ((flags & CC_USR1_TO_HUP) 3685 || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP))) 3686 c->sig->signal_received = SIGHUP; 3687 } 3688 3689 if (!(flags & CC_NO_CLOSE)) 3690 close_instance (c); 3691 3692 if (flags & CC_GC_FREE) 3693 context_gc_free (c); 3694} 3695 3696#ifdef ENABLE_CRYPTO 3697 3698/* 3699 * Do a loopback test 3700 * on the crypto subsystem. 3701 */ 3702static void * 3703test_crypto_thread (void *arg) 3704{ 3705 struct context *c = (struct context *) arg; 3706 const struct options *options = &c->options; 3707 3708 ASSERT (options->test_crypto); 3709 init_verb_mute (c, IVM_LEVEL_1); 3710 context_init_1 (c); 3711 do_init_crypto_static (c, 0); 3712 3713 frame_finalize_options (c, options); 3714 3715 test_crypto (&c->c2.crypto_options, &c->c2.frame); 3716 3717 key_schedule_free (&c->c1.ks, true); 3718 packet_id_free (&c->c2.packet_id); 3719 3720 context_gc_free (c); 3721 return NULL; 3722} 3723 3724#endif 3725 3726bool 3727do_test_crypto (const struct options *o) 3728{ 3729#ifdef ENABLE_CRYPTO 3730 if (o->test_crypto) 3731 { 3732 struct context c; 3733 3734 /* print version number */ 3735 msg (M_INFO, "%s", title_string); 3736 3737 context_clear (&c); 3738 c.options = *o; 3739 options_detach (&c.options); 3740 c.first_time = true; 3741 test_crypto_thread ((void *) &c); 3742 return true; 3743 } 3744#endif 3745 return false; 3746} 3747