1/* 2 * OpenVPN -- An application to securely tunnel IP networks 3 * over a single TCP/UDP port, with support for SSL/TLS-based 4 * session authentication and key exchange, 5 * packet encryption, packet authentication, and 6 * packet compression. 7 * 8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 12 * as published by the Free Software Foundation. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program (see the file COPYING included with this 21 * distribution); if not, write to the Free Software Foundation, Inc., 22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23 */ 24 25#ifdef HAVE_CONFIG_H 26#include "config.h" 27#elif defined(_MSC_VER) 28#include "config-msvc.h" 29#endif 30 31#include "syshead.h" 32 33#include "win32.h" 34#include "init.h" 35#include "sig.h" 36#include "occ.h" 37#include "list.h" 38#include "otime.h" 39#include "pool.h" 40#include "gremlin.h" 41#include "pkcs11.h" 42#include "ps.h" 43#include "lladdr.h" 44#include "ping.h" 45#include "mstats.h" 46 47#include "memdbg.h" 48 49#include "occ-inline.h" 50 51static struct context *static_context; /* GLOBAL */ 52 53/* 54 * Crypto initialization flags 55 */ 56#define CF_LOAD_PERSISTED_PACKET_ID (1<<0) 57#define CF_INIT_TLS_MULTI (1<<1) 58#define CF_INIT_TLS_AUTH_STANDALONE (1<<2) 59 60int ambitWriteLog(char *pcLog, int iLen) 61{ 62 FILE *fp; 63 64 //system("echo '##########ambitWriteLog()step1' > /dev/console"); 65 if (!(fp = fopen("/dev/aglog", "r+"))) 66 { 67 printf("%s:open /dev/aglog fail\n", __FUNCTION__); 68 return -1; 69 } 70 71 *(pcLog + iLen) = '\0'; 72 fwrite(pcLog, sizeof(char), iLen+1, fp); 73 fclose(fp); 74 return 0; 75} 76 77 78static void do_init_first_time (struct context *c); 79 80void 81context_clear (struct context *c) 82{ 83 CLEAR (*c); 84} 85 86void 87context_clear_1 (struct context *c) 88{ 89 CLEAR (c->c1); 90} 91 92void 93context_clear_2 (struct context *c) 94{ 95 CLEAR (c->c2); 96} 97 98void 99context_clear_all_except_first_time (struct context *c) 100{ 101 const bool first_time_save = c->first_time; 102 const struct context_persist cpsave = c->persist; 103 context_clear (c); 104 c->first_time = first_time_save; 105 c->persist = cpsave; 106} 107 108/* 109 * Should be called after options->ce is modified at the top 110 * of a SIGUSR1 restart. 111 */ 112static void 113update_options_ce_post (struct options *options) 114{ 115#if P2MP 116 /* 117 * In pull mode, we usually import --ping/--ping-restart parameters from 118 * the server. However we should also set an initial default --ping-restart 119 * for the period of time before we pull the --ping-restart parameter 120 * from the server. 121 */ 122 if (options->pull 123 && options->ping_rec_timeout_action == PING_UNDEF 124 && proto_is_dgram(options->ce.proto)) 125 { 126 options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; 127 options->ping_rec_timeout_action = PING_RESTART; 128 } 129#endif 130} 131 132#ifdef ENABLE_MANAGEMENT 133static bool 134management_callback_proxy_cmd (void *arg, const char **p) 135{ 136 struct context *c = arg; 137 struct connection_entry *ce = &c->options.ce; 138 struct gc_arena *gc = &c->c2.gc; 139 bool ret = false; 140 141 update_time(); 142 if (streq (p[1], "NONE")) 143 ret = true; 144 else if (p[2] && p[3]) 145 { 146 const int port = atoi(p[3]); 147 if (!legal_ipv4_port (port)) 148 { 149 msg (M_WARN, "Bad proxy port number: %s", p[3]); 150 return false; 151 } 152 153 if (streq (p[1], "HTTP")) 154 { 155#ifndef ENABLE_HTTP_PROXY 156 msg (M_WARN, "HTTP proxy support is not available"); 157#else 158 struct http_proxy_options *ho; 159 if (ce->proto != PROTO_TCPv4 && ce->proto != PROTO_TCPv4_CLIENT && 160 ce->proto != PROTO_TCPv6 && ce->proto != PROTO_TCPv6_CLIENT) 161 { 162 msg (M_WARN, "HTTP proxy support only works for TCP based connections"); 163 return false; 164 } 165 ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); 166 ho->server = string_alloc (p[2], gc); 167 ho->port = port; 168 ho->retry = true; 169 ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); 170 ret = true; 171#endif 172 } 173 else if (streq (p[1], "SOCKS")) 174 { 175#ifndef ENABLE_SOCKS 176 msg (M_WARN, "SOCKS proxy support is not available"); 177#else 178 ce->socks_proxy_server = string_alloc (p[2], gc); 179 ce->socks_proxy_port = port; 180 ret = true; 181#endif 182 } 183 } 184 else 185 msg (M_WARN, "Bad proxy command"); 186 187 ce->flags &= ~CE_MAN_QUERY_PROXY; 188 189 return ret; 190} 191 192static bool 193ce_management_query_proxy (struct context *c) 194{ 195 const struct connection_list *l = c->options.connection_list; 196 struct connection_entry *ce = &c->options.ce; 197 struct gc_arena gc; 198 bool ret = true; 199 200 update_time(); 201 if (management) 202 { 203 gc = gc_new (); 204 struct buffer out = alloc_buf_gc (256, &gc); 205 buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, 206 (proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote)); 207 management_notify_generic (management, BSTR (&out)); 208 ce->flags |= CE_MAN_QUERY_PROXY; 209 while (ce->flags & CE_MAN_QUERY_PROXY) 210 { 211 management_event_loop_n_seconds (management, 1); 212 if (IS_SIG (c)) 213 { 214 ret = false; 215 break; 216 } 217 } 218 gc_free (&gc); 219 } 220 221 return ret; 222} 223 224 225static bool 226management_callback_remote_cmd (void *arg, const char **p) 227{ 228 struct context *c = (struct context *) arg; 229 struct connection_entry *ce = &c->options.ce; 230 int ret = false; 231 if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) 232 { 233 int flags = 0; 234 if (!strcmp(p[1], "ACCEPT")) 235 { 236 flags = CE_MAN_QUERY_REMOTE_ACCEPT; 237 ret = true; 238 } 239 else if (!strcmp(p[1], "SKIP")) 240 { 241 flags = CE_MAN_QUERY_REMOTE_SKIP; 242 ret = true; 243 } 244 else if (!strcmp(p[1], "MOD") && p[2] && p[3]) 245 { 246 const int port = atoi(p[3]); 247 if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port)) 248 { 249 struct remote_host_store *rhs = c->options.rh_store; 250 if (!rhs) 251 { 252 ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc); 253 c->options.rh_store = rhs; 254 } 255 strncpynt(rhs->host, p[2], RH_HOST_LEN); 256 ce->remote = rhs->host; 257 ce->remote_port = port; 258 flags = CE_MAN_QUERY_REMOTE_MOD; 259 ret = true; 260 } 261 } 262 if (ret) 263 { 264 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); 265 ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT); 266 } 267 } 268 return ret; 269} 270 271static bool 272ce_management_query_remote (struct context *c, const char *remote_ip_hint) 273{ 274 struct gc_arena gc = gc_new (); 275 volatile struct connection_entry *ce = &c->options.ce; 276 int ret = true; 277 update_time(); 278 if (management) 279 { 280 struct buffer out = alloc_buf_gc (256, &gc); 281 buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false)); 282 management_notify_generic(management, BSTR (&out)); 283 ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); 284 ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT); 285 while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) 286 { 287 management_event_loop_n_seconds (management, 1); 288 if (IS_SIG (c)) 289 { 290 ret = false; 291 break; 292 } 293 } 294 } 295 { 296 const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); 297 if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint) 298 ce->remote = remote_ip_hint; 299 ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); 300 } 301 gc_free (&gc); 302 return ret; 303} 304#endif /* ENABLE_MANAGEMENT */ 305 306/* 307 * Initialize and possibly randomize connection list. 308 */ 309static void 310init_connection_list (struct context *c) 311{ 312 struct connection_list *l = c->options.connection_list; 313 if (l) 314 { 315 l->current = -1; 316 if (c->options.remote_random) 317 { 318 int i; 319 for (i = 0; i < l->len; ++i) 320 { 321 const int j = get_random () % l->len; 322 if (i != j) 323 { 324 struct connection_entry *tmp; 325 tmp = l->array[i]; 326 l->array[i] = l->array[j]; 327 l->array[j] = tmp; 328 } 329 } 330 } 331 } 332} 333 334/* 335 * Increment to next connection entry 336 */ 337static void 338next_connection_entry (struct context *c) 339{ 340 struct connection_list *l = c->options.connection_list; 341 if (l) 342 { 343 bool ce_defined; 344 struct connection_entry *ce; 345 int n_cycles = 0; 346 347 do { 348 const char *remote_ip_hint = NULL; 349 bool newcycle = false; 350 351 ce_defined = true; 352 if (l->no_advance && l->current >= 0) 353 { 354 l->no_advance = false; 355 } 356 else 357 { 358 if (++l->current >= l->len) 359 { 360 l->current = 0; 361 ++l->n_cycles; 362 if (++n_cycles >= 2) 363 msg (M_FATAL, "No usable connection profiles are present"); 364 } 365 366 if (l->current == 0) 367 newcycle = true; 368 } 369 370 ce = l->array[l->current]; 371 372 if (c->options.remote_ip_hint && !l->n_cycles) 373 remote_ip_hint = c->options.remote_ip_hint; 374 375 if (ce->flags & CE_DISABLED) 376 ce_defined = false; 377 378 c->options.ce = *ce; 379#ifdef ENABLE_MANAGEMENT 380 if (ce_defined && management && management_query_remote_enabled(management)) 381 { 382 /* allow management interface to override connection entry details */ 383 ce_defined = ce_management_query_remote(c, remote_ip_hint); 384 if (IS_SIG (c)) 385 break; 386 } 387 else 388#endif 389 if (remote_ip_hint) 390 c->options.ce.remote = remote_ip_hint; 391 392#ifdef ENABLE_MANAGEMENT 393 if (ce_defined && management && management_query_proxy_enabled (management)) 394 { 395 ce_defined = ce_management_query_proxy (c); 396 if (IS_SIG (c)) 397 break; 398 } 399#endif 400 } while (!ce_defined); 401 } 402 update_options_ce_post (&c->options); 403} 404 405/* 406 * Query for private key and auth-user-pass username/passwords 407 */ 408static void 409init_query_passwords (struct context *c) 410{ 411#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 412 /* Certificate password input */ 413 if (c->options.key_pass_file) 414 pem_password_setup (c->options.key_pass_file); 415#endif 416 417#if P2MP 418 /* Auth user/pass input */ 419 if (c->options.auth_user_pass_file) 420 { 421#ifdef ENABLE_CLIENT_CR 422 auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info); 423#else 424 auth_user_pass_setup (c->options.auth_user_pass_file, NULL); 425#endif 426 } 427#endif 428} 429 430/* 431 * Initialize/Uninitialize HTTP or SOCKS proxy 432 */ 433 434#ifdef GENERAL_PROXY_SUPPORT 435 436static int 437proxy_scope (struct context *c) 438{ 439 return connection_list_defined (&c->options) ? 2 : 1; 440} 441 442static void 443uninit_proxy_dowork (struct context *c) 444{ 445#ifdef ENABLE_HTTP_PROXY 446 if (c->c1.http_proxy_owned && c->c1.http_proxy) 447 { 448 http_proxy_close (c->c1.http_proxy); 449 c->c1.http_proxy = NULL; 450 c->c1.http_proxy_owned = false; 451 } 452#endif 453#ifdef ENABLE_SOCKS 454 if (c->c1.socks_proxy_owned && c->c1.socks_proxy) 455 { 456 socks_proxy_close (c->c1.socks_proxy); 457 c->c1.socks_proxy = NULL; 458 c->c1.socks_proxy_owned = false; 459 } 460#endif 461} 462 463static void 464init_proxy_dowork (struct context *c) 465{ 466#ifdef ENABLE_HTTP_PROXY 467 bool did_http = false; 468#else 469 const bool did_http = false; 470#endif 471 472 uninit_proxy_dowork (c); 473 474#ifdef ENABLE_HTTP_PROXY 475 if (c->options.ce.http_proxy_options) 476 { 477 /* Possible HTTP proxy user/pass input */ 478 c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options); 479 if (c->c1.http_proxy) 480 { 481 did_http = true; 482 c->c1.http_proxy_owned = true; 483 } 484 } 485#endif 486 487#ifdef ENABLE_SOCKS 488 if (!did_http && c->options.ce.socks_proxy_server) 489 { 490 c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server, 491 c->options.ce.socks_proxy_port, 492 c->options.ce.socks_proxy_authfile, 493 c->options.ce.socks_proxy_retry); 494 if (c->c1.socks_proxy) 495 { 496 c->c1.socks_proxy_owned = true; 497 } 498 } 499#endif 500} 501 502static void 503init_proxy (struct context *c, const int scope) 504{ 505 if (scope == proxy_scope (c)) 506 init_proxy_dowork (c); 507} 508 509static void 510uninit_proxy (struct context *c) 511{ 512 if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2) 513 uninit_proxy_dowork (c); 514} 515 516#else 517 518static inline void 519init_proxy (struct context *c, const int scope) 520{ 521} 522 523static inline void 524uninit_proxy (struct context *c) 525{ 526} 527 528#endif 529 530void 531context_init_1 (struct context *c) 532{ 533 context_clear_1 (c); 534 535 packet_id_persist_init (&c->c1.pid_persist); 536 537 init_connection_list (c); 538 539 init_query_passwords (c); 540 541#if defined(ENABLE_PKCS11) 542 if (c->first_time) { 543 int i; 544 pkcs11_initialize (true, c->options.pkcs11_pin_cache_period); 545 for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++) 546 pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], 547 c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); 548 } 549#endif 550 551#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ 552 { 553 /* 554 * In the management interface, you can okay the request by entering "needok token-insertion-request ok" 555 */ 556 struct user_pass up; 557 CLEAR (up); 558 strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ 559 get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); 560 msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface 561 'needok' command, usually 'ok' or 'cancel'. */ 562 } 563#endif 564 565 /* initialize HTTP or SOCKS proxy object at scope level 1 */ 566 init_proxy (c, 1); 567} 568 569void 570context_gc_free (struct context *c) 571{ 572 gc_free (&c->c2.gc); 573 gc_free (&c->options.gc); 574 gc_free (&c->gc); 575} 576 577#if PORT_SHARE 578 579static void 580close_port_share (void) 581{ 582 if (port_share) 583 { 584 port_share_close (port_share); 585 port_share = NULL; 586 } 587} 588 589static void 590init_port_share (struct context *c) 591{ 592 if (!port_share && (c->options.port_share_host && c->options.port_share_port)) 593 { 594 port_share = port_share_open (c->options.port_share_host, 595 c->options.port_share_port, 596 MAX_RW_SIZE_LINK (&c->c2.frame), 597 c->options.port_share_journal_dir); 598 if (port_share == NULL) 599 msg (M_FATAL, "Fatal error: Port sharing failed"); 600 } 601} 602 603#endif 604 605bool 606init_static (void) 607{ 608 /* configure_path (); */ 609 610#if defined(ENABLE_CRYPTO) && defined(DMALLOC) 611 crypto_init_dmalloc(); 612#endif 613 614 init_random_seed (); /* init random() function, only used as 615 source for weak random numbers */ 616 error_reset (); /* initialize error.c */ 617 reset_check_status (); /* initialize status check code in socket.c */ 618 619#ifdef WIN32 620 init_win32 (); 621#endif 622 623#ifdef OPENVPN_DEBUG_COMMAND_LINE 624 { 625 int i; 626 for (i = 0; i < argc; ++i) 627 msg (M_INFO, "argv[%d] = '%s'", i, argv[i]); 628 } 629#endif 630 631 update_time (); 632 633#ifdef ENABLE_CRYPTO 634 init_ssl_lib (); 635 636 /* init PRNG used for IV generation */ 637 /* When forking, copy this to more places in the code to avoid fork 638 random-state predictability */ 639 prng_init (NULL, 0); 640#endif 641 642#ifdef PID_TEST 643 packet_id_interactive_test (); /* test the sequence number code */ 644 return false; 645#endif 646 647#ifdef SCHEDULE_TEST 648 schedule_test (); 649 return false; 650#endif 651 652#ifdef LIST_TEST 653 list_test (); 654 return false; 655#endif 656 657#ifdef IFCONFIG_POOL_TEST 658 ifconfig_pool_test (0x0A010004, 0x0A0100FF); 659 return false; 660#endif 661 662#ifdef CHARACTER_CLASS_DEBUG 663 character_class_debug (); 664 return false; 665#endif 666 667#ifdef EXTRACT_X509_FIELD_TEST 668 extract_x509_field_test (); 669 return false; 670#endif 671 672#ifdef TIME_TEST 673 time_test (); 674 return false; 675#endif 676 677#ifdef TEST_GET_DEFAULT_GATEWAY 678 { 679 struct route_gateway_info rgi; 680 get_default_gateway(&rgi); 681 print_default_gateway(M_INFO, &rgi); 682 return false; 683 } 684#endif 685 686#ifdef GEN_PATH_TEST 687 { 688 struct gc_arena gc = gc_new (); 689 const char *fn = gen_path ("foo", 690 "bar", 691 &gc); 692 printf ("%s\n", fn); 693 gc_free (&gc); 694 } 695 return false; 696#endif 697 698#ifdef STATUS_PRINTF_TEST 699 { 700 struct gc_arena gc = gc_new (); 701 const char *tmp_file = create_temp_file ("/tmp", "foo", &gc); 702 struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); 703 status_printf (so, "%s", "foo"); 704 status_printf (so, "%s", "bar"); 705 if (!status_close (so)) 706 msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); 707 gc_free (&gc); 708 } 709 return false; 710#endif 711 712#ifdef ARGV_TEST 713 { 714 void argv_test (void); 715 argv_test (); 716 return false; 717 } 718#endif 719 720#ifdef PRNG_TEST 721 { 722 struct gc_arena gc = gc_new (); 723 uint8_t rndbuf[8]; 724 int i; 725 prng_init ("sha1", 16); 726 /*prng_init (NULL, 0);*/ 727 const int factor = 1; 728 for (i = 0; i < factor * 8; ++i) 729 { 730#if 1 731 prng_bytes (rndbuf, sizeof (rndbuf)); 732#else 733 ASSERT(rand_bytes (rndbuf, sizeof (rndbuf))); 734#endif 735 printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc)); 736 } 737 gc_free (&gc); 738 prng_uninit (); 739 return false; 740 } 741#endif 742 743#ifdef BUFFER_LIST_AGGREGATE_TEST 744 /* test buffer_list_aggregate function */ 745 { 746 static const char *text[] = { 747 "It was a bright cold day in April, ", 748 "and the clocks were striking ", 749 "thirteen. ", 750 "Winston Smith, ", 751 "his chin nuzzled into his breast in an ", 752 "effort to escape the vile wind, ", 753 "slipped quickly through the glass doors ", 754 "of Victory Mansions, though not quickly ", 755 "enough to prevent a swirl of gritty dust from ", 756 "entering along with him." 757 }; 758 759 int iter, listcap; 760 for (listcap = 0; listcap < 12; ++listcap) 761 { 762 for (iter = 0; iter < 512; ++iter) 763 { 764 struct buffer_list *bl = buffer_list_new(listcap); 765 { 766 int i; 767 for (i = 0; i < SIZE(text); ++i) 768 buffer_list_push(bl, (unsigned char *)text[i]); 769 } 770 printf("[cap=%d i=%d] *************************\n", listcap, iter); 771 if (!(iter & 8)) 772 buffer_list_aggregate(bl, iter/2); 773 if (!(iter & 16)) 774 buffer_list_push(bl, (unsigned char *)"Even more text..."); 775 buffer_list_aggregate(bl, iter); 776 if (!(iter & 1)) 777 buffer_list_push(bl, (unsigned char *)"More text..."); 778 { 779 struct buffer *buf; 780 while ((buf = buffer_list_peek(bl))) 781 { 782 int c; 783 printf ("'"); 784 while ((c = buf_read_u8(buf)) >= 0) 785 putchar(c); 786 printf ("'\n"); 787 buffer_list_advance(bl, 0); 788 } 789 } 790 buffer_list_free(bl); 791 } 792 } 793 return false; 794 } 795#endif 796 797#ifdef MSTATS_TEST 798 { 799 int i; 800 mstats_open("/dev/shm/mstats.dat"); 801 for (i = 0; i < 30; ++i) 802 { 803 mmap_stats->n_clients += 1; 804 mmap_stats->link_write_bytes += 8; 805 mmap_stats->link_read_bytes += 16; 806 sleep(1); 807 } 808 mstats_close(); 809 return false; 810 } 811#endif 812 813 return true; 814} 815 816void 817uninit_static (void) 818{ 819#ifdef ENABLE_CRYPTO 820 free_ssl_lib (); 821#endif 822 823#ifdef ENABLE_PKCS11 824 pkcs11_terminate (); 825#endif 826 827#if PORT_SHARE 828 close_port_share (); 829#endif 830 831#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 832 show_tls_performance_stats (); 833#endif 834} 835 836void 837init_verb_mute (struct context *c, unsigned int flags) 838{ 839 if (flags & IVM_LEVEL_1) 840 { 841 /* set verbosity and mute levels */ 842 set_check_status (D_LINK_ERRORS, D_READ_WRITE); 843 set_debug_level (c->options.verbosity, SDL_CONSTRAIN); 844 set_mute_cutoff (c->options.mute); 845 } 846 847 /* special D_LOG_RW mode */ 848 if (flags & IVM_LEVEL_2) 849 c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1)); 850} 851 852/* 853 * Possibly set --dev based on --dev-node. 854 * For example, if --dev-node /tmp/foo/tun, and --dev undefined, 855 * set --dev to tun. 856 */ 857void 858init_options_dev (struct options *options) 859{ 860 if (!options->dev && options->dev_node) { 861 char *dev_node = strdup(options->dev_node); /* POSIX basename() implementaions may modify its arguments */ 862 options->dev = basename (dev_node); 863 } 864} 865 866bool 867print_openssl_info (const struct options *options) 868{ 869 /* 870 * OpenSSL info print mode? 871 */ 872#ifdef ENABLE_CRYPTO 873 if (options->show_ciphers || options->show_digests || options->show_engines 874#ifdef ENABLE_SSL 875 || options->show_tls_ciphers 876#endif 877 ) 878 { 879 if (options->show_ciphers) 880 show_available_ciphers (); 881 if (options->show_digests) 882 show_available_digests (); 883 if (options->show_engines) 884 show_available_engines (); 885#ifdef ENABLE_SSL 886 if (options->show_tls_ciphers) 887 show_available_tls_ciphers (); 888#endif 889 return true; 890 } 891#endif 892 return false; 893} 894 895/* 896 * Static pre-shared key generation mode? 897 */ 898bool 899do_genkey (const struct options * options) 900{ 901#ifdef ENABLE_CRYPTO 902 if (options->genkey) 903 { 904 int nbits_written; 905 906 notnull (options->shared_secret_file, 907 "shared secret output file (--secret)"); 908 909 if (options->mlock) /* should we disable paging? */ 910 platform_mlockall (true); 911 912 nbits_written = write_key_file (2, options->shared_secret_file); 913 914 msg (D_GENKEY | M_NOPREFIX, 915 "Randomly generated %d bit key written to %s", nbits_written, 916 options->shared_secret_file); 917 return true; 918 } 919#endif 920 return false; 921} 922 923/* 924 * Persistent TUN/TAP device management mode? 925 */ 926bool 927do_persist_tuntap (const struct options *options) 928{ 929#ifdef ENABLE_FEATURE_TUN_PERSIST 930 if (options->persist_config) 931 { 932 /* sanity check on options for --mktun or --rmtun */ 933 notnull (options->dev, "TUN/TAP device (--dev)"); 934 if (options->ce.remote || options->ifconfig_local 935 || options->ifconfig_remote_netmask 936#ifdef ENABLE_CRYPTO 937 || options->shared_secret_file 938#ifdef ENABLE_SSL 939 || options->tls_server || options->tls_client 940#endif 941#endif 942 ) 943 msg (M_FATAL|M_OPTERR, 944 "options --mktun or --rmtun should only be used together with --dev"); 945 tuncfg (options->dev, options->dev_type, options->dev_node, 946 options->persist_mode, 947 options->username, options->groupname, &options->tuntap_options); 948 if (options->persist_mode && options->lladdr) 949 set_lladdr(options->dev, options->lladdr, NULL); 950 return true; 951 } 952#endif 953 return false; 954} 955 956/* 957 * Should we become a daemon? 958 * Return true if we did it. 959 */ 960static bool 961possibly_become_daemon (const struct options *options, const bool first_time) 962{ 963 bool ret = false; 964 if (first_time && options->daemon) 965 { 966 ASSERT (!options->inetd); 967 if (daemon (options->cd_dir != NULL, options->log) < 0) 968 msg (M_ERR, "daemon() failed or unsupported"); 969 restore_signal_state (); 970 if (options->log) 971 set_std_files_to_null (true); 972 973#if defined(ENABLE_PKCS11) 974 pkcs11_forkFixup (); 975#endif 976 977 ret = true; 978 } 979 return ret; 980} 981 982/* 983 * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. 984 */ 985static void 986do_uid_gid_chroot (struct context *c, bool no_delay) 987{ 988 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; 989 struct context_0 *c0 = c->c0; 990 991 if (c->first_time && c0 && !c0->uid_gid_set) 992 { 993 /* chroot if requested */ 994 if (c->options.chroot_dir) 995 { 996 if (no_delay) 997 platform_chroot (c->options.chroot_dir); 998 else 999 msg (M_INFO, "NOTE: chroot %s", why_not); 1000 } 1001 1002 /* set user and/or group that we want to setuid/setgid to */ 1003 if (no_delay) 1004 { 1005 platform_group_set (&c0->platform_state_group); 1006 platform_user_set (&c0->platform_state_user); 1007 c0->uid_gid_set = true; 1008 } 1009 else if (c0->uid_gid_specified) 1010 { 1011 msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not); 1012 } 1013 1014#ifdef ENABLE_MEMSTATS 1015 if (c->options.memstats_fn) 1016 mstats_open(c->options.memstats_fn); 1017#endif 1018 1019#ifdef ENABLE_SELINUX 1020 /* Apply a SELinux context in order to restrict what OpenVPN can do 1021 * to _only_ what it is supposed to do after initialization is complete 1022 * (basically just network I/O operations). Doing it after chroot 1023 * requires /proc to be mounted in the chroot (which is annoying indeed 1024 * but doing it before requires more complex SELinux policies. 1025 */ 1026 if (c->options.selinux_context) 1027 { 1028 if (no_delay) { 1029 if (-1 == setcon (c->options.selinux_context)) 1030 msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); 1031 else 1032 msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); 1033 } 1034 else 1035 msg (M_INFO, "NOTE: setcon %s", why_not); 1036 } 1037#endif 1038 } 1039} 1040 1041/* 1042 * Return common name in a way that is formatted for 1043 * prepending to msg() output. 1044 */ 1045const char * 1046format_common_name (struct context *c, struct gc_arena *gc) 1047{ 1048 struct buffer out = alloc_buf_gc (256, gc); 1049#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 1050 if (c->c2.tls_multi) 1051 { 1052 buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false)); 1053 } 1054#endif 1055 return BSTR (&out); 1056} 1057 1058void 1059pre_setup (const struct options *options) 1060{ 1061#ifdef WIN32 1062 if (options->exit_event_name) 1063 { 1064 win32_signal_open (&win32_signal, 1065 WSO_FORCE_SERVICE, 1066 options->exit_event_name, 1067 options->exit_event_initial_state); 1068 } 1069 else 1070 { 1071 win32_signal_open (&win32_signal, 1072 WSO_FORCE_CONSOLE, 1073 NULL, 1074 false); 1075 1076 /* put a title on the top window bar */ 1077 if (win32_signal.mode == WSO_MODE_CONSOLE) 1078 { 1079 window_title_save (&window_title); 1080 window_title_generate (options->config); 1081 } 1082 } 1083#endif 1084} 1085 1086void 1087reset_coarse_timers (struct context *c) 1088{ 1089 c->c2.coarse_timer_wakeup = 0; 1090} 1091 1092/* 1093 * Initialize timers 1094 */ 1095static void 1096do_init_timers (struct context *c, bool deferred) 1097{ 1098 update_time (); 1099 reset_coarse_timers (c); 1100 1101 /* initialize inactivity timeout */ 1102 if (c->options.inactivity_timeout) 1103 event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now); 1104 1105 /* initialize pings */ 1106 1107 if (c->options.ping_send_timeout) 1108 event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); 1109 1110 if (c->options.ping_rec_timeout) 1111 event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); 1112 1113#if P2MP 1114 if (c->options.server_poll_timeout) 1115 event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now); 1116#endif 1117 1118 if (!deferred) 1119 { 1120 /* initialize connection establishment timer */ 1121 event_timeout_init (&c->c2.wait_for_connect, 1, now); 1122 1123#ifdef ENABLE_OCC 1124 /* initialize occ timers */ 1125 1126 if (c->options.occ 1127 && !TLS_MODE (c) 1128 && c->c2.options_string_local && c->c2.options_string_remote) 1129 event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); 1130 1131 if (c->options.mtu_test) 1132 event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); 1133#endif 1134 1135 /* initialize packet_id persistence timer */ 1136#ifdef ENABLE_CRYPTO 1137 if (c->options.packet_id_file) 1138 event_timeout_init (&c->c2.packet_id_persist_interval, 60, now); 1139#endif 1140 1141#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 1142 /* initialize tmp_int optimization that limits the number of times we call 1143 tls_multi_process in the main event loop */ 1144 interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); 1145#endif 1146 } 1147} 1148 1149/* 1150 * Initialize traffic shaper. 1151 */ 1152static void 1153do_init_traffic_shaper (struct context *c) 1154{ 1155#ifdef ENABLE_FEATURE_SHAPER 1156 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ 1157 if (c->options.shaper) 1158 { 1159 shaper_init (&c->c2.shaper, c->options.shaper); 1160 shaper_msg (&c->c2.shaper); 1161 } 1162#endif 1163} 1164 1165/* 1166 * Allocate a route list structure if at least one 1167 * --route option was specified. 1168 */ 1169static void 1170do_alloc_route_list (struct context *c) 1171{ 1172 if (c->options.routes && !c->c1.route_list) 1173 c->c1.route_list = new_route_list (c->options.max_routes, &c->gc); 1174 if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) 1175 c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc); 1176} 1177 1178 1179/* 1180 * Initialize the route list, resolving any DNS names in route 1181 * options and saving routes in the environment. 1182 */ 1183static void 1184do_init_route_list (const struct options *options, 1185 struct route_list *route_list, 1186 const struct link_socket_info *link_socket_info, 1187 bool fatal, 1188 struct env_set *es) 1189{ 1190 const char *gw = NULL; 1191 int dev = dev_type_enum (options->dev, options->dev_type); 1192 int metric = 0; 1193 1194 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) 1195 gw = options->ifconfig_remote_netmask; 1196 if (options->route_default_gateway) 1197 gw = options->route_default_gateway; 1198 if (options->route_default_metric) 1199 metric = options->route_default_metric; 1200 1201 if (!init_route_list (route_list, 1202 options->routes, 1203 gw, 1204 metric, 1205 link_socket_current_remote (link_socket_info), 1206 es)) 1207 { 1208 if (fatal) 1209 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ 1210 } 1211 else 1212 { 1213 /* copy routes to environment */ 1214 setenv_routes (es, route_list); 1215 } 1216} 1217 1218static void 1219do_init_route_ipv6_list (const struct options *options, 1220 struct route_ipv6_list *route_ipv6_list, 1221 bool fatal, 1222 struct env_set *es) 1223{ 1224 const char *gw = NULL; 1225 int dev = dev_type_enum (options->dev, options->dev_type); 1226 int metric = -1; /* no metric set */ 1227 1228 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ 1229#if 0 /* not yet done for IPv6 - TODO!*/ 1230 if ( options->route_ipv6_default_gateway ) /* override? */ 1231 gw = options->route_ipv6_default_gateway; 1232#endif 1233 1234 if (options->route_default_metric) 1235 metric = options->route_default_metric; 1236 1237 if (!init_route_ipv6_list (route_ipv6_list, 1238 options->routes_ipv6, 1239 gw, 1240 metric, 1241 es)) 1242 { 1243 if (fatal) 1244 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ 1245 } 1246 else 1247 { 1248 /* copy routes to environment */ 1249 setenv_routes_ipv6 (es, route_ipv6_list); 1250 } 1251} 1252 1253 1254/* 1255 * Called after all initialization has been completed. 1256 */ 1257void 1258initialization_sequence_completed (struct context *c, const unsigned int flags) 1259{ 1260 static const char message[] = "Initialization Sequence Completed"; 1261 1262 /* If we delayed UID/GID downgrade or chroot, do it now */ 1263 do_uid_gid_chroot (c, true); 1264 1265 /* Test if errors */ 1266 if (flags & ISC_ERRORS) 1267 { 1268#ifdef WIN32 1269 show_routes (M_INFO|M_NOPREFIX); 1270 show_adapters (M_INFO|M_NOPREFIX); 1271 msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); 1272#else 1273 msg (M_INFO, "%s With Errors", message); 1274#endif 1275 } 1276 else 1277 msg (M_INFO, "%s", message); 1278 1279 /* Flag connection_list that we initialized */ 1280 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options)) 1281 connection_list_set_no_advance (&c->options); 1282 1283#ifdef WIN32 1284 fork_register_dns_action (c->c1.tuntap); 1285#endif 1286 1287#ifdef ENABLE_MANAGEMENT 1288 /* Tell management interface that we initialized */ 1289 if (management) 1290 { 1291 in_addr_t tun_local = 0; 1292 in_addr_t tun_remote = 0; /* FKS */ 1293 const char *detail = "SUCCESS"; 1294 if (c->c1.tuntap) 1295 tun_local = c->c1.tuntap->local; 1296 /* TODO(jjo): for ipv6 this will convert some 32bits in the ipv6 addr 1297 * to a meaningless ipv4 address. 1298 * In any case, is somewhat inconsistent to send local tunnel 1299 * addr with remote _endpoint_ addr (?) 1300 */ 1301 tun_remote = htonl (c->c1.link_socket_addr.actual.dest.addr.in4.sin_addr.s_addr); 1302 if (flags & ISC_ERRORS) 1303 detail = "ERROR"; 1304 management_set_state (management, 1305 OPENVPN_STATE_CONNECTED, 1306 detail, 1307 tun_local, 1308 tun_remote); 1309 if (tun_local) 1310 management_post_tunnel_open (management, tun_local); 1311 } 1312#endif 1313} 1314 1315/* 1316 * Possibly add routes and/or call route-up script 1317 * based on options. 1318 */ 1319void 1320do_route (const struct options *options, 1321 struct route_list *route_list, 1322 struct route_ipv6_list *route_ipv6_list, 1323 const struct tuntap *tt, 1324 const struct plugin_list *plugins, 1325 struct env_set *es) 1326{ 1327 if (!options->route_noexec && ( route_list || route_ipv6_list ) ) 1328 { 1329 add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es); 1330 setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); 1331 } 1332#ifdef ENABLE_MANAGEMENT 1333 if (management) 1334 management_up_down (management, "UP", es); 1335#endif 1336 1337 if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP)) 1338 { 1339 if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) 1340 msg (M_WARN, "WARNING: route-up plugin call failed"); 1341 } 1342 1343 if (options->route_script) 1344 { 1345 struct argv argv = argv_new (); 1346 setenv_str (es, "script_type", "route-up"); 1347 argv_printf (&argv, "%sc", options->route_script); 1348 openvpn_run_script (&argv, es, 0, "--route-up"); 1349 argv_reset (&argv); 1350 } 1351 1352#ifdef WIN32 1353 if (options->show_net_up) 1354 { 1355 show_routes (M_INFO|M_NOPREFIX); 1356 show_adapters (M_INFO|M_NOPREFIX); 1357 } 1358 else if (check_debug_level (D_SHOW_NET)) 1359 { 1360 show_routes (D_SHOW_NET|M_NOPREFIX); 1361 show_adapters (D_SHOW_NET|M_NOPREFIX); 1362 } 1363#endif 1364} 1365 1366/* 1367 * Save current pulled options string in the c1 context store, so we can 1368 * compare against it after possible future restarts. 1369 */ 1370#if P2MP 1371static void 1372save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest) 1373{ 1374 if (newdigest) 1375 c->c1.pulled_options_digest_save = *newdigest; 1376 else 1377 md5_digest_clear (&c->c1.pulled_options_digest_save); 1378} 1379#endif 1380 1381/* 1382 * initialize tun/tap device object 1383 */ 1384static void 1385do_init_tun (struct context *c) 1386{ 1387 c->c1.tuntap = init_tun (c->options.dev, 1388 c->options.dev_type, 1389 c->options.topology, 1390 c->options.ifconfig_local, 1391 c->options.ifconfig_remote_netmask, 1392 c->options.ifconfig_ipv6_local, 1393 c->options.ifconfig_ipv6_netbits, 1394 c->options.ifconfig_ipv6_remote, 1395 addr_host (&c->c1.link_socket_addr.local), 1396 addr_host (&c->c1.link_socket_addr.remote), 1397 !c->options.ifconfig_nowarn, 1398 c->c2.es); 1399 1400 /* flag tunnel for IPv6 config if --tun-ipv6 is set */ 1401 c->c1.tuntap->ipv6 = c->options.tun_ipv6; 1402 1403 init_tun_post (c->c1.tuntap, 1404 &c->c2.frame, 1405 &c->options.tuntap_options); 1406 1407 c->c1.tuntap_owned = true; 1408} 1409 1410/* 1411 * Open tun/tap device, ifconfig, call up script, etc. 1412 */ 1413 1414static bool 1415do_open_tun (struct context *c) 1416{ 1417 struct gc_arena gc = gc_new (); 1418 bool ret = false; 1419 1420 c->c2.ipv4_tun = (!c->options.tun_ipv6 1421 && is_dev_type (c->options.dev, c->options.dev_type, "tun")); 1422 1423 if (!c->c1.tuntap) 1424 { 1425 /* initialize (but do not open) tun/tap object */ 1426 do_init_tun (c); 1427 1428 /* allocate route list structure */ 1429 do_alloc_route_list (c); 1430 1431 /* parse and resolve the route option list */ 1432 if (c->options.routes && c->c1.route_list && c->c2.link_socket) 1433 do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es); 1434 if (c->options.routes_ipv6 && c->c1.route_ipv6_list ) 1435 do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, false, c->c2.es); 1436 1437 /* do ifconfig */ 1438 if (!c->options.ifconfig_noexec 1439 && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN) 1440 { 1441 /* guess actual tun/tap unit number that will be returned 1442 by open_tun */ 1443 const char *guess = guess_tuntap_dev (c->options.dev, 1444 c->options.dev_type, 1445 c->options.dev_node, 1446 &gc); 1447 do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); 1448 } 1449 1450 /* open the tun device */ 1451 open_tun (c->options.dev, c->options.dev_type, c->options.dev_node, 1452 c->c1.tuntap); 1453 1454 /* set the hardware address */ 1455 if (c->options.lladdr) 1456 set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es); 1457 1458 /* do ifconfig */ 1459 if (!c->options.ifconfig_noexec 1460 && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN) 1461 { 1462 do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); 1463 } 1464 1465 /* run the up script */ 1466 run_up_down (c->options.up_script, 1467 c->plugins, 1468 OPENVPN_PLUGIN_UP, 1469 c->c1.tuntap->actual_name, 1470 dev_type_string (c->options.dev, c->options.dev_type), 1471 TUN_MTU_SIZE (&c->c2.frame), 1472 EXPANDED_SIZE (&c->c2.frame), 1473 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), 1474 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1475 "init", 1476 NULL, 1477 "up", 1478 c->c2.es); 1479 1480 /* possibly add routes */ 1481 if (!c->options.route_delay_defined) 1482 do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, 1483 c->c1.tuntap, c->plugins, c->c2.es); 1484 1485 /* 1486 * Did tun/tap driver give us an MTU? 1487 */ 1488 if (c->c1.tuntap->post_open_mtu) 1489 frame_set_mtu_dynamic (&c->c2.frame, 1490 c->c1.tuntap->post_open_mtu, 1491 SET_MTU_TUN | SET_MTU_UPPER_BOUND); 1492 1493 ret = true; 1494 static_context = c; 1495 } 1496 else 1497 { 1498 msg (M_INFO, "Preserving previous TUN/TAP instance: %s", 1499 c->c1.tuntap->actual_name); 1500 1501 /* run the up script if user specified --up-restart */ 1502 if (c->options.up_restart) 1503 run_up_down (c->options.up_script, 1504 c->plugins, 1505 OPENVPN_PLUGIN_UP, 1506 c->c1.tuntap->actual_name, 1507 dev_type_string (c->options.dev, c->options.dev_type), 1508 TUN_MTU_SIZE (&c->c2.frame), 1509 EXPANDED_SIZE (&c->c2.frame), 1510 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), 1511 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1512 "restart", 1513 NULL, 1514 "up", 1515 c->c2.es); 1516 } 1517 gc_free (&gc); 1518 return ret; 1519} 1520 1521/* 1522 * Close TUN/TAP device 1523 */ 1524 1525static void 1526do_close_tun_simple (struct context *c) 1527{ 1528 msg (D_CLOSE, "Closing TUN/TAP interface"); 1529 close_tun (c->c1.tuntap); 1530 c->c1.tuntap = NULL; 1531 c->c1.tuntap_owned = false; 1532#if P2MP 1533 save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */ 1534#endif 1535} 1536 1537static void 1538do_close_tun (struct context *c, bool force) 1539{ 1540 struct gc_arena gc = gc_new (); 1541 if (c->c1.tuntap && c->c1.tuntap_owned) 1542 { 1543 const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc); 1544 const in_addr_t local = c->c1.tuntap->local; 1545 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; 1546 1547 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) 1548 { 1549 static_context = NULL; 1550 1551#ifdef ENABLE_MANAGEMENT 1552 /* tell management layer we are about to close the TUN/TAP device */ 1553 if (management) 1554 { 1555 management_pre_tunnel_close (management); 1556 management_up_down (management, "DOWN", c->c2.es); 1557 } 1558#endif 1559 1560 /* delete any routes we added */ 1561 if (c->c1.route_list || c->c1.route_ipv6_list ) 1562 { 1563 run_up_down (c->options.route_predown_script, 1564 c->plugins, 1565 OPENVPN_PLUGIN_ROUTE_PREDOWN, 1566 tuntap_actual, 1567 NULL, 1568 TUN_MTU_SIZE (&c->c2.frame), 1569 EXPANDED_SIZE (&c->c2.frame), 1570 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1571 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1572 "init", 1573 signal_description (c->sig->signal_received, 1574 c->sig->signal_text), 1575 "route-pre-down", 1576 c->c2.es); 1577 1578 delete_routes (c->c1.route_list, c->c1.route_ipv6_list, 1579 c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); 1580 } 1581 1582 /* actually close tun/tap device based on --down-pre flag */ 1583 if (!c->options.down_pre) 1584 do_close_tun_simple (c); 1585 1586 /* Run the down script -- note that it will run at reduced 1587 privilege if, for example, "--user nobody" was used. */ 1588 run_up_down (c->options.down_script, 1589 c->plugins, 1590 OPENVPN_PLUGIN_DOWN, 1591 tuntap_actual, 1592 NULL, 1593 TUN_MTU_SIZE (&c->c2.frame), 1594 EXPANDED_SIZE (&c->c2.frame), 1595 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1596 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1597 "init", 1598 signal_description (c->sig->signal_received, 1599 c->sig->signal_text), 1600 "down", 1601 c->c2.es); 1602 1603 /* actually close tun/tap device based on --down-pre flag */ 1604 if (c->options.down_pre) 1605 do_close_tun_simple (c); 1606 } 1607 else 1608 { 1609 /* run the down script on this restart if --up-restart was specified */ 1610 if (c->options.up_restart) 1611 run_up_down (c->options.down_script, 1612 c->plugins, 1613 OPENVPN_PLUGIN_DOWN, 1614 tuntap_actual, 1615 NULL, 1616 TUN_MTU_SIZE (&c->c2.frame), 1617 EXPANDED_SIZE (&c->c2.frame), 1618 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), 1619 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), 1620 "restart", 1621 signal_description (c->sig->signal_received, 1622 c->sig->signal_text), 1623 "down", 1624 c->c2.es); 1625 } 1626 } 1627 gc_free (&gc); 1628} 1629 1630void 1631tun_abort() 1632{ 1633 struct context *c = static_context; 1634 if (c) 1635 { 1636 static_context = NULL; 1637 do_close_tun (c, true); 1638 } 1639} 1640 1641/* 1642 * Handle delayed tun/tap interface bringup due to --up-delay or --pull 1643 */ 1644 1645void 1646do_up (struct context *c, bool pulled_options, unsigned int option_types_found) 1647{ 1648 if (!c->c2.do_up_ran) 1649 { 1650 reset_coarse_timers (c); 1651 1652 if (pulled_options && option_types_found) 1653 do_deferred_options (c, option_types_found); 1654 1655 /* if --up-delay specified, open tun, do ifconfig, and run up script now */ 1656 if (c->options.up_delay || PULL_DEFINED (&c->options)) 1657 { 1658 c->c2.did_open_tun = do_open_tun (c); 1659 update_time (); 1660 1661#if P2MP 1662 /* 1663 * Was tun interface object persisted from previous restart iteration, 1664 * and if so did pulled options string change from previous iteration? 1665 */ 1666 if (!c->c2.did_open_tun 1667 && PULL_DEFINED (&c->options) 1668 && c->c1.tuntap 1669 && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest) 1670 || !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest))) 1671 { 1672 /* if so, close tun, delete routes, then reinitialize tun and add routes */ 1673 msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); 1674 do_close_tun (c, true); 1675 openvpn_sleep (1); 1676 c->c2.did_open_tun = do_open_tun (c); 1677 update_time (); 1678 } 1679#endif 1680 } 1681 1682 if (c->c2.did_open_tun) 1683 { 1684#if P2MP 1685 save_pulled_options_digest (c, &c->c2.pulled_options_digest); 1686#endif 1687 1688 /* if --route-delay was specified, start timer */ 1689 if (c->options.route_delay_defined) 1690 { 1691 event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now); 1692 event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); 1693 if (c->c1.tuntap) 1694 tun_standby_init (c->c1.tuntap); 1695 } 1696 else 1697 { 1698 initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */ 1699 } 1700 } 1701 else if (c->options.mode == MODE_POINT_TO_POINT) 1702 { 1703 initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */ 1704 } 1705 1706 c->c2.do_up_ran = true; 1707 } 1708} 1709 1710/* 1711 * These are the option categories which will be accepted by pull. 1712 */ 1713unsigned int 1714pull_permission_mask (const struct context *c) 1715{ 1716 unsigned int flags = 1717 OPT_P_UP 1718 | OPT_P_ROUTE_EXTRAS 1719 | OPT_P_SOCKBUF 1720 | OPT_P_SOCKFLAGS 1721 | OPT_P_SETENV 1722 | OPT_P_SHAPER 1723 | OPT_P_TIMER 1724 | OPT_P_COMP 1725 | OPT_P_PERSIST 1726 | OPT_P_MESSAGES 1727 | OPT_P_EXPLICIT_NOTIFY 1728 | OPT_P_ECHO 1729 | OPT_P_PULL_MODE; 1730 1731 if (!c->options.route_nopull) 1732 flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); 1733 1734 return flags; 1735} 1736 1737/* 1738 * Handle non-tun-related pulled options. 1739 */ 1740void 1741do_deferred_options (struct context *c, const unsigned int found) 1742{ 1743 if (found & OPT_P_MESSAGES) 1744 { 1745 init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2); 1746 msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); 1747 } 1748 if (found & OPT_P_TIMER) 1749 { 1750 do_init_timers (c, true); 1751 msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); 1752 } 1753 1754#ifdef ENABLE_OCC 1755 if (found & OPT_P_EXPLICIT_NOTIFY) 1756 { 1757 if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) 1758 { 1759 msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); 1760 c->options.ce.explicit_exit_notification = 0; 1761 } 1762 else 1763 msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); 1764 } 1765#endif 1766 1767#ifdef ENABLE_LZO 1768 if (found & OPT_P_COMP) 1769 { 1770 if (lzo_defined (&c->c2.lzo_compwork)) 1771 { 1772 msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified"); 1773 lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo); 1774 } 1775 } 1776#endif 1777 1778 if (found & OPT_P_SHAPER) 1779 { 1780 msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); 1781 do_init_traffic_shaper (c); 1782 } 1783 1784 if (found & OPT_P_SOCKBUF) 1785 { 1786 msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); 1787 link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); 1788 } 1789 1790 if (found & OPT_P_SOCKFLAGS) 1791 { 1792 msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); 1793 link_socket_update_flags (c->c2.link_socket, c->options.sockflags); 1794 } 1795 1796 if (found & OPT_P_PERSIST) 1797 msg (D_PUSH, "OPTIONS IMPORT: --persist options modified"); 1798 if (found & OPT_P_UP) 1799 msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); 1800 if (found & OPT_P_ROUTE) 1801 msg (D_PUSH, "OPTIONS IMPORT: route options modified"); 1802 if (found & OPT_P_ROUTE_EXTRAS) 1803 msg (D_PUSH, "OPTIONS IMPORT: route-related options modified"); 1804 if (found & OPT_P_IPWIN32) 1805 msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); 1806 if (found & OPT_P_SETENV) 1807 msg (D_PUSH, "OPTIONS IMPORT: environment modified"); 1808} 1809 1810/* 1811 * Possible hold on initialization 1812 */ 1813static bool 1814do_hold (struct context *c) 1815{ 1816#ifdef ENABLE_MANAGEMENT 1817 if (management) 1818 { 1819 /* if c is defined, daemonize before hold */ 1820 if (c && c->options.daemon && management_should_daemonize (management)) 1821 do_init_first_time (c); 1822 1823 /* block until management hold is released */ 1824 if (management_hold (management)) 1825 return true; 1826 } 1827#endif 1828 return false; 1829} 1830 1831/* 1832 * Sleep before restart. 1833 */ 1834static void 1835socket_restart_pause (struct context *c) 1836{ 1837 bool proxy = false; 1838 int sec = 2; 1839 1840#ifdef ENABLE_HTTP_PROXY 1841 if (c->options.ce.http_proxy_options) 1842 proxy = true; 1843#endif 1844#ifdef ENABLE_SOCKS 1845 if (c->options.ce.socks_proxy_server) 1846 proxy = true; 1847#endif 1848 1849 switch (c->options.ce.proto) 1850 { 1851 case PROTO_UDPv4: 1852 case PROTO_UDPv6: 1853 if (proxy) 1854 sec = c->options.ce.connect_retry_seconds; 1855 break; 1856 case PROTO_TCPv4_SERVER: 1857 case PROTO_TCPv6_SERVER: 1858 sec = 1; 1859 break; 1860 case PROTO_TCPv4_CLIENT: 1861 case PROTO_TCPv6_CLIENT: 1862 sec = c->options.ce.connect_retry_seconds; 1863 break; 1864 } 1865 1866#ifdef ENABLE_DEBUG 1867 if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin)) 1868 sec = 0; 1869#endif 1870 1871#if P2MP 1872 if (auth_retry_get () == AR_NOINTERACT) 1873 sec = 10; 1874 1875#if 0 /* not really needed because of c->persist.restart_sleep_seconds */ 1876 if (c->options.server_poll_timeout && sec > 1) 1877 sec = 1; 1878#endif 1879#endif 1880 1881 if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) 1882 sec = c->persist.restart_sleep_seconds; 1883 else if (c->persist.restart_sleep_seconds == -1) 1884 sec = 0; 1885 c->persist.restart_sleep_seconds = 0; 1886 1887 /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ 1888 if (do_hold (NULL)) 1889 sec = 0; 1890 1891 if (sec) 1892 { 1893 msg (D_RESTART, "Restart pause, %d second(s)", sec); 1894 openvpn_sleep (sec); 1895 } 1896} 1897 1898/* 1899 * Do a possible pause on context_2 initialization. 1900 */ 1901static void 1902do_startup_pause (struct context *c) 1903{ 1904 if (!c->first_time) 1905 socket_restart_pause (c); 1906 else 1907 do_hold (NULL); /* do management hold on first context initialization */ 1908} 1909 1910/* 1911 * Finalize MTU parameters based on command line or config file options. 1912 */ 1913static void 1914frame_finalize_options (struct context *c, const struct options *o) 1915{ 1916 if (!o) 1917 o = &c->options; 1918 1919 /* 1920 * Set adjustment factor for buffer alignment when no 1921 * cipher is used. 1922 */ 1923 if (!CIPHER_ENABLED (c)) 1924 { 1925 frame_align_to_extra_frame (&c->c2.frame); 1926 frame_or_align_flags (&c->c2.frame, 1927 FRAME_HEADROOM_MARKER_FRAGMENT 1928 |FRAME_HEADROOM_MARKER_READ_LINK 1929 |FRAME_HEADROOM_MARKER_READ_STREAM); 1930 } 1931 1932 frame_finalize (&c->c2.frame, 1933 o->ce.link_mtu_defined, 1934 o->ce.link_mtu, 1935 o->ce.tun_mtu_defined, 1936 o->ce.tun_mtu); 1937} 1938 1939/* 1940 * Free a key schedule, including OpenSSL components. 1941 */ 1942static void 1943key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx) 1944{ 1945#ifdef ENABLE_CRYPTO 1946 free_key_ctx_bi (&ks->static_key); 1947#ifdef ENABLE_SSL 1948 if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) 1949 { 1950 tls_ctx_free (&ks->ssl_ctx); 1951 free_key_ctx_bi (&ks->tls_auth_key); 1952 } 1953#endif /* ENABLE_SSL */ 1954#endif /* ENABLE_CRYPTO */ 1955 CLEAR (*ks); 1956} 1957 1958#ifdef ENABLE_CRYPTO 1959 1960static void 1961init_crypto_pre (struct context *c, const unsigned int flags) 1962{ 1963 if (c->options.engine) 1964 crypto_init_lib_engine (c->options.engine); 1965 1966 if (flags & CF_LOAD_PERSISTED_PACKET_ID) 1967 { 1968 /* load a persisted packet-id for cross-session replay-protection */ 1969 if (c->options.packet_id_file) 1970 packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file); 1971 } 1972 1973 /* Initialize crypto options */ 1974 1975 if (c->options.use_iv) 1976 c->c2.crypto_options.flags |= CO_USE_IV; 1977 1978 if (c->options.mute_replay_warnings) 1979 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; 1980 1981#ifdef ENABLE_PREDICTION_RESISTANCE 1982 if (c->options.use_prediction_resistance) 1983 rand_ctx_enable_prediction_resistance(); 1984#endif 1985 1986} 1987 1988/* 1989 * Static Key Mode (using a pre-shared key) 1990 */ 1991static void 1992do_init_crypto_static (struct context *c, const unsigned int flags) 1993{ 1994 const struct options *options = &c->options; 1995 ASSERT (options->shared_secret_file); 1996 1997 init_crypto_pre (c, flags); 1998 1999 /* Initialize packet ID tracking */ 2000 if (options->replay) 2001 { 2002 packet_id_init (&c->c2.packet_id, 2003 link_socket_proto_connection_oriented (options->ce.proto), 2004 options->replay_window, 2005 options->replay_time, 2006 "STATIC", 0); 2007 c->c2.crypto_options.packet_id = &c->c2.packet_id; 2008 c->c2.crypto_options.pid_persist = &c->c1.pid_persist; 2009 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; 2010 packet_id_persist_load_obj (&c->c1.pid_persist, 2011 c->c2.crypto_options.packet_id); 2012 } 2013 2014 if (!key_ctx_bi_defined (&c->c1.ks.static_key)) 2015 { 2016 struct key2 key2; 2017 struct key_direction_state kds; 2018 2019 /* Get cipher & hash algorithms */ 2020 init_key_type (&c->c1.ks.key_type, options->ciphername, 2021 options->ciphername_defined, options->authname, 2022 options->authname_defined, options->keysize, 2023 options->test_crypto, true); 2024 2025 /* Read cipher and hmac keys from shared secret file */ 2026 { 2027 unsigned int rkf_flags = RKF_MUST_SUCCEED; 2028 const char *rkf_file = options->shared_secret_file; 2029 2030 if (options->shared_secret_file_inline) 2031 { 2032 rkf_file = options->shared_secret_file_inline; 2033 rkf_flags |= RKF_INLINE; 2034 } 2035 read_key_file (&key2, rkf_file, rkf_flags); 2036 } 2037 2038 /* Check for and fix highly unlikely key problems */ 2039 verify_fix_key2 (&key2, &c->c1.ks.key_type, 2040 options->shared_secret_file); 2041 2042 /* Initialize OpenSSL key objects */ 2043 key_direction_state_init (&kds, options->key_direction); 2044 must_have_n_keys (options->shared_secret_file, "secret", &key2, 2045 kds.need_keys); 2046 init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key], 2047 &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt"); 2048 init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key], 2049 &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt"); 2050 2051 /* Erase the temporary copy of key */ 2052 CLEAR (key2); 2053 } 2054 else 2055 { 2056 msg (M_INFO, "Re-using pre-shared static key"); 2057 } 2058 2059 /* Get key schedule */ 2060 c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; 2061 2062 /* Compute MTU parameters */ 2063 crypto_adjust_frame_parameters (&c->c2.frame, 2064 &c->c1.ks.key_type, 2065 options->ciphername_defined, 2066 options->use_iv, options->replay, true); 2067 2068 /* Sanity check on IV, sequence number, and cipher mode options */ 2069 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, 2070 options->use_iv); 2071} 2072 2073#ifdef ENABLE_SSL 2074 2075/* 2076 * Initialize the persistent component of OpenVPN's TLS mode, 2077 * which is preserved across SIGUSR1 resets. 2078 */ 2079static void 2080do_init_crypto_tls_c1 (struct context *c) 2081{ 2082 const struct options *options = &c->options; 2083 2084 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) 2085 { 2086 /* 2087 * Initialize the OpenSSL library's global 2088 * SSL context. 2089 */ 2090 init_ssl (options, &(c->c1.ks.ssl_ctx)); 2091 if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) 2092 { 2093#if P2MP 2094 switch (auth_retry_get ()) 2095 { 2096 case AR_NONE: 2097 msg (M_FATAL, "Error: private key password verification failed"); 2098 break; 2099 case AR_INTERACT: 2100 ssl_purge_auth (false); 2101 case AR_NOINTERACT: 2102 c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ 2103 break; 2104 default: 2105 ASSERT (0); 2106 } 2107 c->sig->signal_text = "private-key-password-failure"; 2108 return; 2109#else 2110 msg (M_FATAL, "Error: private key password verification failed"); 2111#endif 2112 } 2113 2114 /* Get cipher & hash algorithms */ 2115 init_key_type (&c->c1.ks.key_type, options->ciphername, 2116 options->ciphername_defined, options->authname, 2117 options->authname_defined, options->keysize, true, true); 2118 2119 /* Initialize PRNG with config-specified digest */ 2120 prng_init (options->prng_hash, options->prng_nonce_secret_len); 2121 2122 /* TLS handshake authentication (--tls-auth) */ 2123 if (options->tls_auth_file) 2124 { 2125 unsigned int flags = 0; 2126 const char *file = options->tls_auth_file; 2127 2128 if (options->tls_auth_file_inline) 2129 { 2130 flags |= GHK_INLINE; 2131 file = options->tls_auth_file_inline; 2132 } 2133 get_tls_handshake_key (&c->c1.ks.key_type, 2134 &c->c1.ks.tls_auth_key, 2135 file, 2136 options->key_direction, 2137 flags); 2138 } 2139 2140#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ 2141 if (options->priv_key_file_inline) 2142 { 2143 string_clear (c->options.priv_key_file_inline); 2144 c->options.priv_key_file_inline = NULL; 2145 } 2146#endif 2147 } 2148 else 2149 { 2150 msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); 2151 } 2152} 2153 2154static void 2155do_init_crypto_tls (struct context *c, const unsigned int flags) 2156{ 2157 const struct options *options = &c->options; 2158 struct tls_options to; 2159 bool packet_id_long_form; 2160 2161 ASSERT (options->tls_server || options->tls_client); 2162 ASSERT (!options->test_crypto); 2163 2164 init_crypto_pre (c, flags); 2165 2166 /* Make sure we are either a TLS client or server but not both */ 2167 ASSERT (options->tls_server == !options->tls_client); 2168 2169 /* initialize persistent component */ 2170 do_init_crypto_tls_c1 (c); 2171 if (IS_SIG (c)) 2172 return; 2173 2174 /* Sanity check on IV, sequence number, and cipher mode options */ 2175 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, 2176 options->use_iv); 2177 2178 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ 2179 packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type); 2180 2181 /* Compute MTU parameters */ 2182 crypto_adjust_frame_parameters (&c->c2.frame, 2183 &c->c1.ks.key_type, 2184 options->ciphername_defined, 2185 options->use_iv, 2186 options->replay, packet_id_long_form); 2187 tls_adjust_frame_parameters (&c->c2.frame); 2188 2189 /* Set all command-line TLS-related options */ 2190 CLEAR (to); 2191 2192 to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM); 2193 if (packet_id_long_form) 2194 to.crypto_flags_or = CO_PACKET_ID_LONG_FORM; 2195 2196 to.ssl_ctx = c->c1.ks.ssl_ctx; 2197 to.key_type = c->c1.ks.key_type; 2198 to.server = options->tls_server; 2199 to.key_method = options->key_method; 2200 to.replay = options->replay; 2201 to.replay_window = options->replay_window; 2202 to.replay_time = options->replay_time; 2203 to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); 2204 to.transition_window = options->transition_window; 2205 to.handshake_window = options->handshake_window; 2206 to.packet_timeout = options->tls_timeout; 2207 to.renegotiate_bytes = options->renegotiate_bytes; 2208 to.renegotiate_packets = options->renegotiate_packets; 2209 to.renegotiate_seconds = options->renegotiate_seconds; 2210 to.single_session = options->single_session; 2211#ifdef ENABLE_PUSH_PEER_INFO 2212 to.push_peer_info = options->push_peer_info; 2213#endif 2214 2215 /* should we not xmit any packets until we get an initial 2216 response from client? */ 2217 if (to.server && options->ce.proto == PROTO_TCPv4_SERVER) 2218 to.xmit_hold = true; 2219 2220#ifdef ENABLE_OCC 2221 to.disable_occ = !options->occ; 2222#endif 2223 2224 to.verify_command = options->tls_verify; 2225 to.verify_export_cert = options->tls_export_cert; 2226 to.verify_x509_type = (options->verify_x509_type & 0xff); 2227 to.verify_x509_name = options->verify_x509_name; 2228 to.crl_file = options->crl_file; 2229 to.ssl_flags = options->ssl_flags; 2230 to.ns_cert_type = options->ns_cert_type; 2231 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); 2232 to.remote_cert_eku = options->remote_cert_eku; 2233 to.verify_hash = options->verify_hash; 2234#ifdef ENABLE_X509ALTUSERNAME 2235 to.x509_username_field = (char *) options->x509_username_field; 2236#else 2237 to.x509_username_field = X509_USERNAME_FIELD_DEFAULT; 2238#endif 2239 to.es = c->c2.es; 2240 2241#ifdef ENABLE_DEBUG 2242 to.gremlin = c->options.gremlin; 2243#endif 2244 2245 to.plugins = c->plugins; 2246 2247#ifdef MANAGEMENT_DEF_AUTH 2248 to.mda_context = &c->c2.mda_context; 2249#endif 2250 2251#if P2MP_SERVER 2252 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; 2253 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; 2254 to.tmp_dir = options->tmp_dir; 2255 if (options->ccd_exclusive) 2256 to.client_config_dir_exclusive = options->client_config_dir; 2257#endif 2258 2259#ifdef ENABLE_X509_TRACK 2260 to.x509_track = options->x509_track; 2261#endif 2262 2263#if P2MP 2264#ifdef ENABLE_CLIENT_CR 2265 to.sci = &options->sc_info; 2266#endif 2267#endif 2268 2269 /* TLS handshake authentication (--tls-auth) */ 2270 if (options->tls_auth_file) 2271 { 2272 to.tls_auth_key = c->c1.ks.tls_auth_key; 2273 to.tls_auth.pid_persist = &c->c1.pid_persist; 2274 to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; 2275 crypto_adjust_frame_parameters (&to.frame, 2276 &c->c1.ks.key_type, 2277 false, false, true, true); 2278 } 2279 2280 /* If we are running over TCP, allow for 2281 length prefix */ 2282 socket_adjust_frame_parameters (&to.frame, options->ce.proto); 2283 2284 /* 2285 * Initialize OpenVPN's master TLS-mode object. 2286 */ 2287 if (flags & CF_INIT_TLS_MULTI) 2288 c->c2.tls_multi = tls_multi_init (&to); 2289 2290 if (flags & CF_INIT_TLS_AUTH_STANDALONE) 2291 c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc); 2292} 2293 2294static void 2295do_init_finalize_tls_frame (struct context *c) 2296{ 2297 if (c->c2.tls_multi) 2298 { 2299 tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame); 2300 ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <= 2301 EXPANDED_SIZE (&c->c2.frame)); 2302 frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO, 2303 "Control Channel MTU parms"); 2304 } 2305 if (c->c2.tls_auth_standalone) 2306 { 2307 tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame); 2308 frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO, 2309 "TLS-Auth MTU parms"); 2310 } 2311} 2312 2313#endif /* ENABLE_SSL */ 2314#endif /* ENABLE_CRYPTO */ 2315 2316#ifdef ENABLE_CRYPTO 2317/* 2318 * No encryption or authentication. 2319 */ 2320static void 2321do_init_crypto_none (const struct context *c) 2322{ 2323 ASSERT (!c->options.test_crypto); 2324 msg (M_WARN, 2325 "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext"); 2326} 2327#endif 2328 2329static void 2330do_init_crypto (struct context *c, const unsigned int flags) 2331{ 2332#ifdef ENABLE_CRYPTO 2333 if (c->options.shared_secret_file) 2334 do_init_crypto_static (c, flags); 2335#ifdef ENABLE_SSL 2336 else if (c->options.tls_server || c->options.tls_client) 2337 do_init_crypto_tls (c, flags); 2338#endif 2339 else /* no encryption or authentication. */ 2340 do_init_crypto_none (c); 2341#else /* ENABLE_CRYPTO */ 2342 msg (M_WARN, 2343 "******* WARNING *******: " PACKAGE_NAME 2344 " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); 2345#endif /* ENABLE_CRYPTO */ 2346} 2347 2348static void 2349do_init_frame (struct context *c) 2350{ 2351#ifdef ENABLE_LZO 2352 /* 2353 * Initialize LZO compression library. 2354 */ 2355 if (c->options.lzo & LZO_SELECTED) 2356 { 2357 lzo_adjust_frame_parameters (&c->c2.frame); 2358 2359 /* 2360 * LZO usage affects buffer alignment. 2361 */ 2362 if (CIPHER_ENABLED (c)) 2363 { 2364 frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN); 2365 frame_or_align_flags (&c->c2.frame, 2366 FRAME_HEADROOM_MARKER_FRAGMENT 2367 |FRAME_HEADROOM_MARKER_DECRYPT); 2368 } 2369 2370#ifdef ENABLE_FRAGMENT 2371 lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */ 2372#endif 2373 } 2374#endif /* ENABLE_LZO */ 2375 2376#ifdef ENABLE_SOCKS 2377 /* 2378 * Adjust frame size for UDP Socks support. 2379 */ 2380 if (c->options.ce.socks_proxy_server) 2381 socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); 2382#endif 2383 2384 /* 2385 * Adjust frame size based on the --tun-mtu-extra parameter. 2386 */ 2387 if (c->options.ce.tun_mtu_extra_defined) 2388 tun_adjust_frame_parameters (&c->c2.frame, c->options.ce.tun_mtu_extra); 2389 2390 /* 2391 * Adjust frame size based on link socket parameters. 2392 * (Since TCP is a stream protocol, we need to insert 2393 * a packet length uint16_t in the buffer.) 2394 */ 2395 socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); 2396 2397 /* 2398 * Fill in the blanks in the frame parameters structure, 2399 * make sure values are rational, etc. 2400 */ 2401 frame_finalize_options (c, NULL); 2402 2403#ifdef ENABLE_FRAGMENT 2404 /* 2405 * Set frame parameter for fragment code. This is necessary because 2406 * the fragmentation code deals with payloads which have already been 2407 * passed through the compression code. 2408 */ 2409 c->c2.frame_fragment = c->c2.frame; 2410 frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit); 2411#endif 2412 2413#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) 2414 /* 2415 * MTU advisories 2416 */ 2417 if (c->options.ce.fragment && c->options.mtu_test) 2418 msg (M_WARN, 2419 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); 2420#endif 2421 2422#ifdef ENABLE_FRAGMENT 2423 if ((c->options.ce.mssfix || c->options.ce.fragment) 2424 && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU) 2425 msg (M_WARN, 2426 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", 2427 ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment)); 2428#endif 2429} 2430 2431static void 2432do_option_warnings (struct context *c) 2433{ 2434 const struct options *o = &c->options; 2435 2436 if (o->ping_send_timeout && !o->ping_rec_timeout) 2437 msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); 2438 2439 if (o->username || o->groupname || o->chroot_dir 2440#ifdef ENABLE_SELINUX 2441 || o->selinux_context 2442#endif 2443 ) 2444 { 2445 if (!o->persist_tun) 2446 msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); 2447 if (!o->persist_key 2448#ifdef ENABLE_PKCS11 2449 && !o->pkcs11_id 2450#endif 2451 ) 2452 msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); 2453 } 2454 2455 if (o->chroot_dir && !(o->username && o->groupname)) 2456 msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); 2457 2458#if P2MP 2459 if (o->pull && o->ifconfig_local && c->first_time) 2460 msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); 2461 2462#if P2MP_SERVER 2463 if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) 2464 msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); 2465 2466 if (o->mode == MODE_SERVER) 2467 { 2468 if (o->duplicate_cn && o->client_config_dir) 2469 msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); 2470 if (o->duplicate_cn && o->ifconfig_pool_persist_filename) 2471 msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); 2472 if (!o->keepalive_ping || !o->keepalive_timeout) 2473 msg (M_WARN, "WARNING: --keepalive option is missing from server config"); 2474 } 2475#endif 2476#endif 2477 2478#ifdef ENABLE_CRYPTO 2479 if (!o->replay) 2480 msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); 2481 if (!o->use_iv) 2482 msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); 2483 2484#ifdef ENABLE_SSL 2485 if (o->tls_server) 2486 warn_on_use_of_common_subnets (); 2487 if (o->tls_client 2488 && !o->tls_verify 2489 && o->verify_x509_type == VERIFY_X509_NONE 2490 && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) 2491 && !o->remote_cert_eku) 2492 msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); 2493#endif 2494#endif 2495 2496#ifndef CONNECT_NONBLOCK 2497 if (o->ce.connect_timeout_defined) 2498 msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); 2499#endif 2500 2501 if (script_security >= SSEC_SCRIPTS) 2502 msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); 2503 else if (script_security >= SSEC_PW_ENV) 2504 msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); 2505 else 2506 msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"); 2507} 2508 2509static void 2510do_init_frame_tls (struct context *c) 2511{ 2512#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2513 do_init_finalize_tls_frame (c); 2514#endif 2515} 2516 2517struct context_buffers * 2518init_context_buffers (const struct frame *frame) 2519{ 2520 struct context_buffers *b; 2521 2522 ALLOC_OBJ_CLEAR (b, struct context_buffers); 2523 2524 b->read_link_buf = alloc_buf (BUF_SIZE (frame)); 2525 b->read_tun_buf = alloc_buf (BUF_SIZE (frame)); 2526 2527 b->aux_buf = alloc_buf (BUF_SIZE (frame)); 2528 2529#ifdef ENABLE_CRYPTO 2530 b->encrypt_buf = alloc_buf (BUF_SIZE (frame)); 2531 b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); 2532#endif 2533 2534#ifdef ENABLE_LZO 2535 b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame)); 2536 b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame)); 2537#endif 2538 2539 return b; 2540} 2541 2542void 2543free_context_buffers (struct context_buffers *b) 2544{ 2545 if (b) 2546 { 2547 free_buf (&b->read_link_buf); 2548 free_buf (&b->read_tun_buf); 2549 free_buf (&b->aux_buf); 2550 2551#ifdef ENABLE_LZO 2552 free_buf (&b->lzo_compress_buf); 2553 free_buf (&b->lzo_decompress_buf); 2554#endif 2555 2556#ifdef ENABLE_CRYPTO 2557 free_buf (&b->encrypt_buf); 2558 free_buf (&b->decrypt_buf); 2559#endif 2560 2561 free (b); 2562 } 2563} 2564 2565/* 2566 * Now that we know all frame parameters, initialize 2567 * our buffers. 2568 */ 2569static void 2570do_init_buffers (struct context *c) 2571{ 2572 c->c2.buffers = init_context_buffers (&c->c2.frame); 2573 c->c2.buffers_owned = true; 2574} 2575 2576#ifdef ENABLE_FRAGMENT 2577/* 2578 * Fragmenting code has buffers to initialize 2579 * once frame parameters are known. 2580 */ 2581static void 2582do_init_fragment (struct context *c) 2583{ 2584 ASSERT (c->options.ce.fragment); 2585 frame_set_mtu_dynamic (&c->c2.frame_fragment, 2586 c->options.ce.fragment, SET_MTU_UPPER_BOUND); 2587 fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment); 2588} 2589#endif 2590 2591/* 2592 * Set the --mssfix option. 2593 */ 2594static void 2595do_init_mssfix (struct context *c) 2596{ 2597 if (c->options.ce.mssfix) 2598 { 2599 frame_set_mtu_dynamic (&c->c2.frame, 2600 c->options.ce.mssfix, SET_MTU_UPPER_BOUND); 2601 } 2602} 2603 2604/* 2605 * Allocate our socket object. 2606 */ 2607static void 2608do_link_socket_new (struct context *c) 2609{ 2610 ASSERT (!c->c2.link_socket); 2611 c->c2.link_socket = link_socket_new (); 2612 c->c2.link_socket_owned = true; 2613} 2614 2615/* 2616 * bind the TCP/UDP socket 2617 */ 2618static void 2619do_init_socket_1 (struct context *c, const int mode) 2620{ 2621 unsigned int sockflags = c->options.sockflags; 2622 2623#if PORT_SHARE 2624 if (c->options.port_share_host && c->options.port_share_port) 2625 sockflags |= SF_PORT_SHARE; 2626#endif 2627 2628 link_socket_init_phase1 (c->c2.link_socket, 2629 connection_list_defined (&c->options), 2630 c->options.ce.local, 2631 c->options.ce.local_port, 2632 c->options.ce.remote, 2633 c->options.ce.remote_port, 2634 c->options.ce.proto, 2635 mode, 2636 c->c2.accept_from, 2637#ifdef ENABLE_HTTP_PROXY 2638 c->c1.http_proxy, 2639#endif 2640#ifdef ENABLE_SOCKS 2641 c->c1.socks_proxy, 2642#endif 2643#ifdef ENABLE_DEBUG 2644 c->options.gremlin, 2645#endif 2646 c->options.ce.bind_local, 2647 c->options.ce.remote_float, 2648 c->options.inetd, 2649 &c->c1.link_socket_addr, 2650 c->options.ipchange, 2651 c->plugins, 2652 c->options.resolve_retry_seconds, 2653 c->options.ce.connect_retry_seconds, 2654 c->options.ce.connect_timeout, 2655 c->options.ce.connect_retry_max, 2656 c->options.ce.mtu_discover_type, 2657 c->options.rcvbuf, 2658 c->options.sndbuf, 2659 c->options.mark, 2660 sockflags); 2661} 2662 2663/* 2664 * finalize the TCP/UDP socket 2665 */ 2666static void 2667do_init_socket_2 (struct context *c) 2668{ 2669 link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, 2670 &c->sig->signal_received); 2671} 2672 2673/* 2674 * Print MTU INFO 2675 */ 2676static void 2677do_print_data_channel_mtu_parms (struct context *c) 2678{ 2679 frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); 2680#ifdef ENABLE_FRAGMENT 2681 if (c->c2.fragment) 2682 frame_print (&c->c2.frame_fragment, D_MTU_INFO, 2683 "Fragmentation MTU parms"); 2684#endif 2685} 2686 2687#ifdef ENABLE_OCC 2688/* 2689 * Get local and remote options compatibility strings. 2690 */ 2691static void 2692do_compute_occ_strings (struct context *c) 2693{ 2694 struct gc_arena gc = gc_new (); 2695 2696 c->c2.options_string_local = 2697 options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); 2698 c->c2.options_string_remote = 2699 options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); 2700 2701 msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local); 2702 msg (D_SHOW_OCC, "Expected Remote Options String: '%s'", 2703 c->c2.options_string_remote); 2704 2705#ifdef ENABLE_CRYPTO 2706 msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", 2707 options_string_version (c->c2.options_string_local, &gc), 2708 md5sum ((uint8_t*)c->c2.options_string_local, 2709 strlen (c->c2.options_string_local), 9, &gc)); 2710 msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'", 2711 options_string_version (c->c2.options_string_remote, &gc), 2712 md5sum ((uint8_t*)c->c2.options_string_remote, 2713 strlen (c->c2.options_string_remote), 9, &gc)); 2714#endif 2715 2716#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2717 if (c->c2.tls_multi) 2718 tls_multi_init_set_options (c->c2.tls_multi, 2719 c->c2.options_string_local, 2720 c->c2.options_string_remote); 2721#endif 2722 2723 gc_free (&gc); 2724} 2725#endif 2726 2727/* 2728 * These things can only be executed once per program instantiation. 2729 * Set up for possible UID/GID downgrade, but don't do it yet. 2730 * Daemonize if requested. 2731 */ 2732static void 2733do_init_first_time (struct context *c) 2734{ 2735 if (c->first_time && !c->did_we_daemonize && !c->c0) 2736 { 2737 struct context_0 *c0; 2738 2739 ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc); 2740 c0 = c->c0; 2741 2742 /* get user and/or group that we want to setuid/setgid to */ 2743 c0->uid_gid_specified = 2744 platform_group_get (c->options.groupname, &c0->platform_state_group) | 2745 platform_user_get (c->options.username, &c0->platform_state_user); 2746 2747 /* get --writepid file descriptor */ 2748 get_pid_file (c->options.writepid, &c0->pid_state); 2749 2750 /* become a daemon if --daemon */ 2751 c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time); 2752 2753 /* should we disable paging? */ 2754 if (c->options.mlock && c->did_we_daemonize) 2755 platform_mlockall (true); /* call again in case we daemonized */ 2756 2757 /* save process ID in a file */ 2758 write_pid (&c0->pid_state); 2759 2760 /* should we change scheduling priority? */ 2761 platform_nice (c->options.nice); 2762 } 2763} 2764 2765/* 2766 * If xinetd/inetd mode, don't allow restart. 2767 */ 2768static void 2769do_close_check_if_restart_permitted (struct context *c) 2770{ 2771 if (c->options.inetd 2772 && (c->sig->signal_received == SIGHUP 2773 || c->sig->signal_received == SIGUSR1)) 2774 { 2775 c->sig->signal_received = SIGTERM; 2776 msg (M_INFO, 2777 PACKAGE_NAME 2778 " started by inetd/xinetd cannot restart... Exiting."); 2779 } 2780} 2781 2782/* 2783 * free buffers 2784 */ 2785static void 2786do_close_free_buf (struct context *c) 2787{ 2788 if (c->c2.buffers_owned) 2789 { 2790 free_context_buffers (c->c2.buffers); 2791 c->c2.buffers = NULL; 2792 c->c2.buffers_owned = false; 2793 } 2794} 2795 2796/* 2797 * close TLS 2798 */ 2799static void 2800do_close_tls (struct context *c) 2801{ 2802#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 2803 if (c->c2.tls_multi) 2804 { 2805 tls_multi_free (c->c2.tls_multi, true); 2806 c->c2.tls_multi = NULL; 2807 } 2808 2809#ifdef ENABLE_OCC 2810 /* free options compatibility strings */ 2811 if (c->c2.options_string_local) 2812 free (c->c2.options_string_local); 2813 if (c->c2.options_string_remote) 2814 free (c->c2.options_string_remote); 2815 c->c2.options_string_local = c->c2.options_string_remote = NULL; 2816#endif 2817#endif 2818} 2819 2820/* 2821 * Free key schedules 2822 */ 2823static void 2824do_close_free_key_schedule (struct context *c, bool free_ssl_ctx) 2825{ 2826 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) 2827 key_schedule_free (&c->c1.ks, free_ssl_ctx); 2828} 2829 2830/* 2831 * Close TCP/UDP connection 2832 */ 2833static void 2834do_close_link_socket (struct context *c) 2835{ 2836 if (c->c2.link_socket && c->c2.link_socket_owned) 2837 { 2838 link_socket_close (c->c2.link_socket); 2839 c->c2.link_socket = NULL; 2840 } 2841 2842 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) 2843 { 2844 CLEAR (c->c1.link_socket_addr.remote); 2845 CLEAR (c->c1.link_socket_addr.actual); 2846 } 2847 2848 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) 2849 CLEAR (c->c1.link_socket_addr.local); 2850} 2851 2852/* 2853 * Close packet-id persistance file 2854 */ 2855static void 2856do_close_packet_id (struct context *c) 2857{ 2858#ifdef ENABLE_CRYPTO 2859 packet_id_free (&c->c2.packet_id); 2860 packet_id_persist_save (&c->c1.pid_persist); 2861 if (!(c->sig->signal_received == SIGUSR1)) 2862 packet_id_persist_close (&c->c1.pid_persist); 2863#endif 2864} 2865 2866#ifdef ENABLE_FRAGMENT 2867/* 2868 * Close fragmentation handler. 2869 */ 2870static void 2871do_close_fragment (struct context *c) 2872{ 2873 if (c->c2.fragment) 2874 { 2875 fragment_free (c->c2.fragment); 2876 c->c2.fragment = NULL; 2877 } 2878} 2879#endif 2880 2881/* 2882 * Open and close our event objects. 2883 */ 2884 2885static void 2886do_event_set_init (struct context *c, 2887 bool need_us_timeout) 2888{ 2889 unsigned int flags = 0; 2890 2891 c->c2.event_set_max = BASE_N_EVENTS; 2892 2893 flags |= EVENT_METHOD_FAST; 2894 2895 if (need_us_timeout) 2896 flags |= EVENT_METHOD_US_TIMEOUT; 2897 2898 c->c2.event_set = event_set_init (&c->c2.event_set_max, flags); 2899 c->c2.event_set_owned = true; 2900} 2901 2902static void 2903do_close_event_set (struct context *c) 2904{ 2905 if (c->c2.event_set && c->c2.event_set_owned) 2906 { 2907 event_free (c->c2.event_set); 2908 c->c2.event_set = NULL; 2909 c->c2.event_set_owned = false; 2910 } 2911} 2912 2913/* 2914 * Open and close --status file 2915 */ 2916 2917static void 2918do_open_status_output (struct context *c) 2919{ 2920 if (!c->c1.status_output) 2921 { 2922 c->c1.status_output = status_open (c->options.status_file, 2923 c->options.status_file_update_freq, 2924 -1, 2925 NULL, 2926 STATUS_OUTPUT_WRITE); 2927 c->c1.status_output_owned = true; 2928 } 2929} 2930 2931static void 2932do_close_status_output (struct context *c) 2933{ 2934 if (!(c->sig->signal_received == SIGUSR1)) 2935 { 2936 if (c->c1.status_output_owned && c->c1.status_output) 2937 { 2938 status_close (c->c1.status_output); 2939 c->c1.status_output = NULL; 2940 c->c1.status_output_owned = false; 2941 } 2942 } 2943} 2944 2945/* 2946 * Handle ifconfig-pool persistance object. 2947 */ 2948static void 2949do_open_ifconfig_pool_persist (struct context *c) 2950{ 2951#if P2MP_SERVER 2952 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) 2953 { 2954 c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename, 2955 c->options.ifconfig_pool_persist_refresh_freq); 2956 c->c1.ifconfig_pool_persist_owned = true; 2957 } 2958#endif 2959} 2960 2961static void 2962do_close_ifconfig_pool_persist (struct context *c) 2963{ 2964#if P2MP_SERVER 2965 if (!(c->sig->signal_received == SIGUSR1)) 2966 { 2967 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) 2968 { 2969 ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist); 2970 c->c1.ifconfig_pool_persist = NULL; 2971 c->c1.ifconfig_pool_persist_owned = false; 2972 } 2973 } 2974#endif 2975} 2976 2977/* 2978 * Inherit environmental variables 2979 */ 2980 2981static void 2982do_inherit_env (struct context *c, const struct env_set *src) 2983{ 2984 c->c2.es = env_set_create (&c->c2.gc); 2985 c->c2.es_owned = true; 2986 env_set_inherit (c->c2.es, src); 2987} 2988 2989static void 2990do_env_set_destroy (struct context *c) 2991{ 2992 if (c->c2.es && c->c2.es_owned) 2993 { 2994 env_set_destroy (c->c2.es); 2995 c->c2.es = NULL; 2996 c->c2.es_owned = false; 2997 } 2998} 2999 3000/* 3001 * Fast I/O setup. Fast I/O is an optimization which only works 3002 * if all of the following are true: 3003 * 3004 * (1) The platform is not Windows 3005 * (2) --proto udp is enabled 3006 * (3) --shaper is disabled 3007 */ 3008static void 3009do_setup_fast_io (struct context *c) 3010{ 3011 if (c->options.fast_io) 3012 { 3013#ifdef WIN32 3014 msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); 3015#else 3016 if (!proto_is_udp(c->options.ce.proto)) 3017 msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); 3018 else 3019 { 3020#ifdef ENABLE_FEATURE_SHAPER 3021 if (c->options.shaper) 3022 msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); 3023 else 3024#endif 3025 { 3026 c->c2.fast_io = true; 3027 } 3028 } 3029#endif 3030 } 3031} 3032 3033static void 3034do_signal_on_tls_errors (struct context *c) 3035{ 3036#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 3037 if (c->options.tls_exit) 3038 c->c2.tls_exit_signal = SIGTERM; 3039 else 3040 c->c2.tls_exit_signal = SIGUSR1; 3041#endif 3042} 3043 3044#ifdef ENABLE_PLUGIN 3045 3046void 3047init_plugins (struct context *c) 3048{ 3049 if (c->options.plugin_list && !c->plugins) 3050 { 3051 c->plugins = plugin_list_init (c->options.plugin_list); 3052 c->plugins_owned = true; 3053 } 3054} 3055 3056void 3057open_plugins (struct context *c, const bool import_options, int init_point) 3058{ 3059 if (c->plugins && c->plugins_owned) 3060 { 3061 if (import_options) 3062 { 3063 struct plugin_return pr, config; 3064 plugin_return_init (&pr); 3065 plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); 3066 plugin_return_get_column (&pr, &config, "config"); 3067 if (plugin_return_defined (&config)) 3068 { 3069 int i; 3070 for (i = 0; i < config.n; ++i) 3071 { 3072 unsigned int option_types_found = 0; 3073 if (config.list[i] && config.list[i]->value) 3074 options_string_import (&c->options, 3075 config.list[i]->value, 3076 D_IMPORT_ERRORS|M_OPTERR, 3077 OPT_P_DEFAULT & ~OPT_P_PLUGIN, 3078 &option_types_found, 3079 c->es); 3080 } 3081 } 3082 plugin_return_free (&pr); 3083 } 3084 else 3085 { 3086 plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); 3087 } 3088 } 3089} 3090 3091static void 3092do_close_plugins (struct context *c) 3093{ 3094 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) 3095 { 3096 plugin_list_close (c->plugins); 3097 c->plugins = NULL; 3098 c->plugins_owned = false; 3099 } 3100} 3101 3102static void 3103do_inherit_plugins (struct context *c, const struct context *src) 3104{ 3105 if (!c->plugins && src->plugins) 3106 { 3107 c->plugins = plugin_list_inherit (src->plugins); 3108 c->plugins_owned = true; 3109 } 3110} 3111 3112#endif 3113 3114#ifdef ENABLE_MANAGEMENT 3115 3116static void 3117management_callback_status_p2p (void *arg, const int version, struct status_output *so) 3118{ 3119 struct context *c = (struct context *) arg; 3120 print_status (c, so); 3121} 3122 3123void 3124management_show_net_callback (void *arg, const int msglevel) 3125{ 3126#ifdef WIN32 3127 show_routes (msglevel); 3128 show_adapters (msglevel); 3129 msg (msglevel, "END"); 3130#else 3131 msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); 3132#endif 3133} 3134 3135#endif 3136 3137void 3138init_management_callback_p2p (struct context *c) 3139{ 3140#ifdef ENABLE_MANAGEMENT 3141 if (management) 3142 { 3143 struct management_callback cb; 3144 CLEAR (cb); 3145 cb.arg = c; 3146 cb.status = management_callback_status_p2p; 3147 cb.show_net = management_show_net_callback; 3148 cb.proxy_cmd = management_callback_proxy_cmd; 3149 cb.remote_cmd = management_callback_remote_cmd; 3150 management_set_callback (management, &cb); 3151 } 3152#endif 3153} 3154 3155#ifdef ENABLE_MANAGEMENT 3156 3157void 3158init_management (struct context *c) 3159{ 3160 if (!management) 3161 management = management_init (); 3162} 3163 3164bool 3165open_management (struct context *c) 3166{ 3167 /* initialize management layer */ 3168 if (management) 3169 { 3170 if (c->options.management_addr) 3171 { 3172 unsigned int flags = c->options.management_flags; 3173 if (c->options.mode == MODE_SERVER) 3174 flags |= MF_SERVER; 3175 if (management_open (management, 3176 c->options.management_addr, 3177 c->options.management_port, 3178 c->options.management_user_pass, 3179 c->options.management_client_user, 3180 c->options.management_client_group, 3181 c->options.management_log_history_cache, 3182 c->options.management_echo_buffer_size, 3183 c->options.management_state_buffer_size, 3184 c->options.management_write_peer_info_file, 3185 c->options.remap_sigusr1, 3186 flags)) 3187 { 3188 management_set_state (management, 3189 OPENVPN_STATE_CONNECTING, 3190 NULL, 3191 (in_addr_t)0, 3192 (in_addr_t)0); 3193 } 3194 3195 /* initial management hold, called early, before first context initialization */ 3196 do_hold (c); 3197 if (IS_SIG (c)) 3198 { 3199 msg (M_WARN, "Signal received from management interface, exiting"); 3200 return false; 3201 } 3202 } 3203 else 3204 close_management (); 3205 } 3206 return true; 3207} 3208 3209void 3210close_management (void) 3211{ 3212 if (management) 3213 { 3214 management_close (management); 3215 management = NULL; 3216 } 3217} 3218 3219#endif 3220 3221 3222void 3223uninit_management_callback (void) 3224{ 3225#ifdef ENABLE_MANAGEMENT 3226 if (management) 3227 { 3228 management_clear_callback (management); 3229 } 3230#endif 3231} 3232 3233/* 3234 * Initialize a tunnel instance, handle pre and post-init 3235 * signal settings. 3236 */ 3237void 3238init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags) 3239{ 3240 pre_init_signal_catch (); 3241 init_instance (c, env, flags); 3242 post_init_signal_catch (); 3243 3244 /* 3245 * This is done so that signals thrown during 3246 * initialization can bring us back to 3247 * a management hold. 3248 */ 3249 if (IS_SIG (c)) 3250 { 3251 remap_signal (c); 3252 uninit_management_callback (); 3253 } 3254} 3255 3256/* 3257 * Initialize a tunnel instance. 3258 */ 3259void 3260init_instance (struct context *c, const struct env_set *env, const unsigned int flags) 3261{ 3262 const struct options *options = &c->options; 3263 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); 3264 int link_socket_mode = LS_MODE_DEFAULT; 3265 3266 /* init garbage collection level */ 3267 gc_init (&c->c2.gc); 3268 3269 /* signals caught here will abort */ 3270 c->sig->signal_received = 0; 3271 c->sig->signal_text = NULL; 3272 c->sig->hard = false; 3273 3274 if (c->mode == CM_P2P) 3275 init_management_callback_p2p (c); 3276 3277 /* possible sleep or management hold if restart */ 3278 if (c->mode == CM_P2P || c->mode == CM_TOP) 3279 { 3280 do_startup_pause (c); 3281 if (IS_SIG (c)) 3282 goto sig; 3283 } 3284 3285 /* map in current connection entry */ 3286 next_connection_entry (c); 3287 3288 /* link_socket_mode allows CM_CHILD_TCP 3289 instances to inherit acceptable fds 3290 from a top-level parent */ 3291 if (c->options.ce.proto == PROTO_TCPv4_SERVER 3292 || c->options.ce.proto == PROTO_TCPv6_SERVER) 3293 { 3294 if (c->mode == CM_TOP) 3295 link_socket_mode = LS_MODE_TCP_LISTEN; 3296 else if (c->mode == CM_CHILD_TCP) 3297 link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; 3298 } 3299 3300 /* should we disable paging? */ 3301 if (c->first_time && options->mlock) 3302 platform_mlockall (true); 3303 3304#if P2MP 3305 /* get passwords if undefined */ 3306 if (auth_retry_get () == AR_INTERACT) 3307 init_query_passwords (c); 3308#endif 3309 3310 /* initialize context level 2 --verb/--mute parms */ 3311 init_verb_mute (c, IVM_LEVEL_2); 3312 3313 /* set error message delay for non-server modes */ 3314 if (c->mode == CM_P2P) 3315 set_check_status_error_delay (P2P_ERROR_DELAY_MS); 3316 3317 /* warn about inconsistent options */ 3318 if (c->mode == CM_P2P || c->mode == CM_TOP) 3319 do_option_warnings (c); 3320 3321 /* inherit environmental variables */ 3322 if (env) 3323 do_inherit_env (c, env); 3324 3325#ifdef ENABLE_PLUGIN 3326 /* initialize plugins */ 3327 if (c->mode == CM_P2P || c->mode == CM_TOP) 3328 open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); 3329#endif 3330 3331 /* should we enable fast I/O? */ 3332 if (c->mode == CM_P2P || c->mode == CM_TOP) 3333 do_setup_fast_io (c); 3334 3335 /* should we throw a signal on TLS errors? */ 3336 do_signal_on_tls_errors (c); 3337 3338 /* open --status file */ 3339 if (c->mode == CM_P2P || c->mode == CM_TOP) 3340 do_open_status_output (c); 3341 3342 /* open --ifconfig-pool-persist file */ 3343 if (c->mode == CM_TOP) 3344 do_open_ifconfig_pool_persist (c); 3345 3346#ifdef ENABLE_OCC 3347 /* reset OCC state */ 3348 if (c->mode == CM_P2P || child) 3349 c->c2.occ_op = occ_reset_op (); 3350#endif 3351 3352 /* our wait-for-i/o objects, different for posix vs. win32 */ 3353 if (c->mode == CM_P2P) 3354 do_event_set_init (c, SHAPER_DEFINED (&c->options)); 3355 else if (c->mode == CM_CHILD_TCP) 3356 do_event_set_init (c, false); 3357 3358 /* initialize HTTP or SOCKS proxy object at scope level 2 */ 3359 init_proxy (c, 2); 3360 3361 /* allocate our socket object */ 3362 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3363 do_link_socket_new (c); 3364 3365#ifdef ENABLE_FRAGMENT 3366 /* initialize internal fragmentation object */ 3367 if (options->ce.fragment && (c->mode == CM_P2P || child)) 3368 c->c2.fragment = fragment_init (&c->c2.frame); 3369#endif 3370 3371 /* init crypto layer */ 3372 { 3373 unsigned int crypto_flags = 0; 3374 if (c->mode == CM_TOP) 3375 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; 3376 else if (c->mode == CM_P2P) 3377 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; 3378 else if (child) 3379 crypto_flags = CF_INIT_TLS_MULTI; 3380 do_init_crypto (c, crypto_flags); 3381 if (IS_SIG (c) && !child) 3382 goto sig; 3383 } 3384 3385#ifdef ENABLE_LZO 3386 /* initialize LZO compression library. */ 3387 if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child)) 3388 lzo_compress_init (&c->c2.lzo_compwork, options->lzo); 3389#endif 3390 3391 /* initialize MTU variables */ 3392 do_init_frame (c); 3393 3394 /* initialize TLS MTU variables */ 3395 do_init_frame_tls (c); 3396 3397 /* init workspace buffers whose size is derived from frame size */ 3398 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) 3399 do_init_buffers (c); 3400 3401#ifdef ENABLE_FRAGMENT 3402 /* initialize internal fragmentation capability with known frame size */ 3403 if (options->ce.fragment && (c->mode == CM_P2P || child)) 3404 do_init_fragment (c); 3405#endif 3406 3407 /* initialize dynamic MTU variable */ 3408 do_init_mssfix (c); 3409 3410 /* bind the TCP/UDP socket */ 3411 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3412 do_init_socket_1 (c, link_socket_mode); 3413 3414 /* initialize tun/tap device object, 3415 open tun/tap device, ifconfig, run up script, etc. */ 3416 if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) 3417 c->c2.did_open_tun = do_open_tun (c); 3418 3419 /* print MTU info */ 3420 do_print_data_channel_mtu_parms (c); 3421 3422#ifdef ENABLE_OCC 3423 /* get local and remote options compatibility strings */ 3424 if (c->mode == CM_P2P || child) 3425 do_compute_occ_strings (c); 3426#endif 3427 3428 /* initialize output speed limiter */ 3429 if (c->mode == CM_P2P) 3430 do_init_traffic_shaper (c); 3431 3432 /* do one-time inits, and possibily become a daemon here */ 3433 do_init_first_time (c); 3434 3435#ifdef ENABLE_PLUGIN 3436 /* initialize plugins */ 3437 if (c->mode == CM_P2P || c->mode == CM_TOP) 3438 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); 3439#endif 3440 3441 /* 3442 * Actually do UID/GID downgrade, and chroot, if requested. 3443 * May be delayed by --client, --pull, or --up-delay. 3444 */ 3445 do_uid_gid_chroot (c, c->c2.did_open_tun); 3446 3447 /* finalize the TCP/UDP socket */ 3448 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) 3449 do_init_socket_2 (c); 3450 3451 /* initialize timers */ 3452 if (c->mode == CM_P2P || child) 3453 do_init_timers (c, false); 3454 3455#ifdef ENABLE_PLUGIN 3456 /* initialize plugins */ 3457 if (c->mode == CM_P2P || c->mode == CM_TOP) 3458 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); 3459#endif 3460 3461#if PORT_SHARE 3462 /* share OpenVPN port with foreign (such as HTTPS) server */ 3463 if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) 3464 init_port_share (c); 3465#endif 3466 3467#ifdef ENABLE_PF 3468 if (child) 3469 pf_init_context (c); 3470#endif 3471 3472 /* Check for signals */ 3473 if (IS_SIG (c)) 3474 goto sig; 3475 3476 return; 3477 3478 sig: 3479 if (!c->sig->signal_text) 3480 c->sig->signal_text = "init_instance"; 3481 close_context (c, -1, flags); 3482 return; 3483} 3484 3485/* 3486 * Close a tunnel instance. 3487 */ 3488void 3489close_instance (struct context *c) 3490{ 3491 /* close event objects */ 3492 do_close_event_set (c); 3493 3494 if (c->mode == CM_P2P 3495 || c->mode == CM_CHILD_TCP 3496 || c->mode == CM_CHILD_UDP 3497 || c->mode == CM_TOP) 3498 { 3499 /* if xinetd/inetd mode, don't allow restart */ 3500 do_close_check_if_restart_permitted (c); 3501 3502#ifdef ENABLE_LZO 3503 if (lzo_defined (&c->c2.lzo_compwork)) 3504 lzo_compress_uninit (&c->c2.lzo_compwork); 3505#endif 3506 3507 /* free buffers */ 3508 do_close_free_buf (c); 3509 3510 /* close TLS */ 3511 do_close_tls (c); 3512 3513 /* free key schedules */ 3514 do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP)); 3515 3516 /* close TCP/UDP connection */ 3517 do_close_link_socket (c); 3518 3519 /* close TUN/TAP device */ 3520 do_close_tun (c, false); 3521 3522#ifdef MANAGEMENT_DEF_AUTH 3523 if (management) 3524 management_notify_client_close (management, &c->c2.mda_context, NULL); 3525#endif 3526 3527#ifdef ENABLE_PF 3528 pf_destroy_context (&c->c2.pf); 3529#endif 3530 3531#ifdef ENABLE_PLUGIN 3532 /* call plugin close functions and unload */ 3533 do_close_plugins (c); 3534#endif 3535 3536 /* close packet-id persistance file */ 3537 do_close_packet_id (c); 3538 3539 /* close --status file */ 3540 do_close_status_output (c); 3541 3542#ifdef ENABLE_FRAGMENT 3543 /* close fragmentation handler */ 3544 do_close_fragment (c); 3545#endif 3546 3547 /* close --ifconfig-pool-persist obj */ 3548 do_close_ifconfig_pool_persist (c); 3549 3550 /* free up environmental variable store */ 3551 do_env_set_destroy (c); 3552 3553 /* close HTTP or SOCKS proxy */ 3554 uninit_proxy (c); 3555 3556 /* garbage collect */ 3557 gc_free (&c->c2.gc); 3558 } 3559} 3560 3561void 3562inherit_context_child (struct context *dest, 3563 const struct context *src) 3564{ 3565 CLEAR (*dest); 3566 3567 /* proto_is_dgram will ASSERT(0) if proto is invalid */ 3568 dest->mode = proto_is_dgram(src->options.ce.proto)? CM_CHILD_UDP : CM_CHILD_TCP; 3569 3570 dest->gc = gc_new (); 3571 3572 ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc); 3573 3574 /* c1 init */ 3575 packet_id_persist_init (&dest->c1.pid_persist); 3576 3577#ifdef ENABLE_CRYPTO 3578 dest->c1.ks.key_type = src->c1.ks.key_type; 3579#ifdef ENABLE_SSL 3580 /* inherit SSL context */ 3581 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; 3582 dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; 3583#endif 3584#endif 3585 3586 /* options */ 3587 dest->options = src->options; 3588 options_detach (&dest->options); 3589 3590 if (dest->mode == CM_CHILD_TCP) 3591 { 3592 /* 3593 * The CM_TOP context does the socket listen(), 3594 * and the CM_CHILD_TCP context does the accept(). 3595 */ 3596 dest->c2.accept_from = src->c2.link_socket; 3597 } 3598 3599#ifdef ENABLE_PLUGIN 3600 /* inherit plugins */ 3601 do_inherit_plugins (dest, src); 3602#endif 3603 3604 /* context init */ 3605 init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); 3606 if (IS_SIG (dest)) 3607 return; 3608 3609 /* inherit tun/tap interface object */ 3610 dest->c1.tuntap = src->c1.tuntap; 3611 3612 /* UDP inherits some extra things which TCP does not */ 3613 if (dest->mode == CM_CHILD_UDP) 3614 { 3615 /* inherit buffers */ 3616 dest->c2.buffers = src->c2.buffers; 3617 3618 /* inherit parent link_socket and tuntap */ 3619 dest->c2.link_socket = src->c2.link_socket; 3620 3621 ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc); 3622 *dest->c2.link_socket_info = src->c2.link_socket->info; 3623 3624 /* locally override some link_socket_info fields */ 3625 dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; 3626 dest->c2.link_socket_info->connection_established = false; 3627 } 3628} 3629 3630void 3631inherit_context_top (struct context *dest, 3632 const struct context *src) 3633{ 3634 /* copy parent */ 3635 *dest = *src; 3636 3637 /* 3638 * CM_TOP_CLONE will prevent close_instance from freeing or closing 3639 * resources owned by the parent. 3640 * 3641 * Also note that CM_TOP_CLONE context objects are 3642 * closed by multi_top_free in multi.c. 3643 */ 3644 dest->mode = CM_TOP_CLONE; 3645 3646 dest->first_time = false; 3647 dest->c0 = NULL; 3648 3649 options_detach (&dest->options); 3650 gc_detach (&dest->gc); 3651 gc_detach (&dest->c2.gc); 3652 3653 /* detach plugins */ 3654 dest->plugins_owned = false; 3655 3656#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) 3657 dest->c2.tls_multi = NULL; 3658#endif 3659 3660 /* detach c1 ownership */ 3661 dest->c1.tuntap_owned = false; 3662 dest->c1.status_output_owned = false; 3663#if P2MP_SERVER 3664 dest->c1.ifconfig_pool_persist_owned = false; 3665#endif 3666 3667 /* detach c2 ownership */ 3668 dest->c2.event_set_owned = false; 3669 dest->c2.link_socket_owned = false; 3670 dest->c2.buffers_owned = false; 3671 dest->c2.es_owned = false; 3672 3673 dest->c2.event_set = NULL; 3674 if (proto_is_dgram(src->options.ce.proto)) 3675 do_event_set_init (dest, false); 3676} 3677 3678void 3679close_context (struct context *c, int sig, unsigned int flags) 3680{ 3681 ASSERT (c); 3682 ASSERT (c->sig); 3683 3684 if (sig >= 0) 3685 c->sig->signal_received = sig; 3686 3687 if (c->sig->signal_received == SIGUSR1) 3688 { 3689 if ((flags & CC_USR1_TO_HUP) 3690 || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP))) 3691 c->sig->signal_received = SIGHUP; 3692 } 3693 3694 if (!(flags & CC_NO_CLOSE)) 3695 close_instance (c); 3696 3697 if (flags & CC_GC_FREE) 3698 context_gc_free (c); 3699} 3700 3701#ifdef ENABLE_CRYPTO 3702 3703/* 3704 * Do a loopback test 3705 * on the crypto subsystem. 3706 */ 3707static void * 3708test_crypto_thread (void *arg) 3709{ 3710 struct context *c = (struct context *) arg; 3711 const struct options *options = &c->options; 3712 3713 ASSERT (options->test_crypto); 3714 init_verb_mute (c, IVM_LEVEL_1); 3715 context_init_1 (c); 3716 do_init_crypto_static (c, 0); 3717 3718 frame_finalize_options (c, options); 3719 3720 test_crypto (&c->c2.crypto_options, &c->c2.frame); 3721 3722 key_schedule_free (&c->c1.ks, true); 3723 packet_id_free (&c->c2.packet_id); 3724 3725 context_gc_free (c); 3726 return NULL; 3727} 3728 3729#endif 3730 3731bool 3732do_test_crypto (const struct options *o) 3733{ 3734#ifdef ENABLE_CRYPTO 3735 if (o->test_crypto) 3736 { 3737 struct context c; 3738 3739 /* print version number */ 3740 msg (M_INFO, "%s", title_string); 3741 3742 context_clear (&c); 3743 c.options = *o; 3744 options_detach (&c.options); 3745 c.first_time = true; 3746 test_crypto_thread ((void *) &c); 3747 return true; 3748 } 3749#endif 3750 return false; 3751} 3752