]>
Commit | Line | Data |
---|---|---|
6fbf66fa JY |
1 | /* |
2 | * OpenVPN -- An application to securely tunnel IP networks | |
3 | * over a single TCP/UDP port, with support for SSL/TLS-based | |
4 | * session authentication and key exchange, | |
5 | * packet encryption, packet authentication, and | |
6 | * packet compression. | |
7 | * | |
8 | * Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License version 2 | |
12 | * as published by the Free Software Foundation. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | * GNU General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU General Public License | |
20 | * along with this program (see the file COPYING included with this | |
21 | * distribution); if not, write to the Free Software Foundation, Inc., | |
22 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
23 | */ | |
24 | ||
25 | #ifdef WIN32 | |
26 | #include "config-win32.h" | |
27 | #else | |
28 | #include "config.h" | |
29 | #endif | |
30 | ||
31 | #include "syshead.h" | |
32 | ||
33 | #include "win32.h" | |
34 | #include "init.h" | |
35 | #include "sig.h" | |
36 | #include "occ.h" | |
37 | #include "list.h" | |
38 | #include "otime.h" | |
39 | #include "pool.h" | |
40 | #include "gremlin.h" | |
ce98fd24 | 41 | #include "pkcs11.h" |
6fbf66fa JY |
42 | |
43 | #include "memdbg.h" | |
44 | ||
45 | #include "occ-inline.h" | |
46 | ||
47 | /* | |
48 | * Crypto initialization flags | |
49 | */ | |
50 | #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) | |
51 | #define CF_INIT_TLS_MULTI (1<<1) | |
52 | #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) | |
53 | ||
54 | static void do_init_first_time (struct context *c); | |
55 | ||
56 | void | |
57 | context_clear (struct context *c) | |
58 | { | |
59 | CLEAR (*c); | |
60 | } | |
61 | ||
62 | void | |
63 | context_clear_1 (struct context *c) | |
64 | { | |
65 | CLEAR (c->c1); | |
66 | } | |
67 | ||
68 | void | |
69 | context_clear_2 (struct context *c) | |
70 | { | |
71 | CLEAR (c->c2); | |
72 | } | |
73 | ||
74 | void | |
75 | context_clear_all_except_first_time (struct context *c) | |
76 | { | |
77 | const bool first_time_save = c->first_time; | |
78 | context_clear (c); | |
79 | c->first_time = first_time_save; | |
80 | } | |
81 | ||
82 | /* | |
83 | * Initialize and possibly randomize remote list. | |
84 | */ | |
85 | static void | |
86 | init_remote_list (struct context *c) | |
87 | { | |
88 | c->c1.remote_list = NULL; | |
89 | ||
90 | if (c->options.remote_list) | |
91 | { | |
92 | struct remote_list *l; | |
93 | ALLOC_OBJ_GC (c->c1.remote_list, struct remote_list, &c->gc); | |
94 | l = c->c1.remote_list; | |
95 | *l = *c->options.remote_list; | |
96 | l->current = -1; | |
97 | if (c->options.remote_random) | |
98 | remote_list_randomize (l); | |
99 | } | |
100 | } | |
101 | ||
102 | void | |
103 | context_init_1 (struct context *c) | |
104 | { | |
105 | context_clear_1 (c); | |
106 | ||
107 | packet_id_persist_init (&c->c1.pid_persist); | |
108 | init_remote_list (c); | |
109 | ||
110 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
111 | /* Certificate password input */ | |
112 | if (c->options.key_pass_file) | |
113 | pem_password_setup (c->options.key_pass_file); | |
6835555e | 114 | #endif |
ce98fd24 JY |
115 | |
116 | #if defined(ENABLE_PKCS11) | |
06d92b29 | 117 | if (c->first_time) { |
ce98fd24 | 118 | int i; |
984cf003 | 119 | pkcs11_initialize (c->options.pkcs11_pin_cache_period); |
ce98fd24 | 120 | for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++) |
984cf003 | 121 | pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_sign_mode[i]); |
ce98fd24 JY |
122 | } |
123 | #endif | |
984cf003 | 124 | |
c67d59cd | 125 | #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ |
dd1047f5 JY |
126 | { |
127 | /* | |
128 | * In the management interface, you can okay the request by entering "needok token-insertion-request ok" | |
129 | */ | |
130 | struct user_pass up; | |
131 | CLEAR (up); | |
132 | strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ | |
133 | get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); | |
134 | msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface | |
135 | 'needok' command, usually 'ok' or 'cancel'. */ | |
136 | } | |
137 | #endif | |
138 | ||
6fbf66fa JY |
139 | #if P2MP |
140 | /* Auth user/pass input */ | |
141 | if (c->options.auth_user_pass_file) | |
142 | { | |
143 | auth_user_pass_setup (c->options.auth_user_pass_file); | |
144 | } | |
145 | #endif | |
146 | ||
147 | #ifdef ENABLE_HTTP_PROXY | |
148 | if (c->options.http_proxy_options) | |
149 | { | |
150 | /* Possible HTTP proxy user/pass input */ | |
151 | c->c1.http_proxy = new_http_proxy (c->options.http_proxy_options, | |
152 | &c->gc); | |
153 | } | |
154 | #endif | |
155 | ||
156 | #ifdef ENABLE_SOCKS | |
157 | if (c->options.socks_proxy_server) | |
158 | { | |
159 | c->c1.socks_proxy = new_socks_proxy (c->options.socks_proxy_server, | |
160 | c->options.socks_proxy_port, | |
161 | c->options.socks_proxy_retry, | |
162 | &c->gc); | |
163 | } | |
164 | #endif | |
165 | } | |
166 | ||
167 | void | |
168 | context_gc_free (struct context *c) | |
169 | { | |
170 | gc_free (&c->c2.gc); | |
171 | gc_free (&c->options.gc); | |
172 | gc_free (&c->gc); | |
173 | } | |
174 | ||
175 | bool | |
176 | init_static (void) | |
177 | { | |
c67d59cd JY |
178 | configure_path (); |
179 | ||
6fbf66fa JY |
180 | #if defined(USE_CRYPTO) && defined(DMALLOC) |
181 | openssl_dmalloc_init (); | |
182 | #endif | |
183 | ||
184 | init_random_seed (); /* init random() function, only used as | |
185 | source for weak random numbers */ | |
186 | error_reset (); /* initialize error.c */ | |
187 | reset_check_status (); /* initialize status check code in socket.c */ | |
188 | ||
189 | #ifdef WIN32 | |
190 | init_win32 (); | |
191 | #endif | |
192 | ||
193 | #ifdef OPENVPN_DEBUG_COMMAND_LINE | |
194 | { | |
195 | int i; | |
196 | for (i = 0; i < argc; ++i) | |
197 | msg (M_INFO, "argv[%d] = '%s'", i, argv[i]); | |
198 | } | |
199 | #endif | |
200 | ||
201 | update_time (); | |
202 | ||
203 | #ifdef USE_CRYPTO | |
204 | init_ssl_lib (); | |
205 | ||
206 | /* init PRNG used for IV generation */ | |
207 | /* When forking, copy this to more places in the code to avoid fork | |
208 | random-state predictability */ | |
209 | prng_init (); | |
210 | #endif | |
211 | ||
212 | #ifdef PID_TEST | |
213 | packet_id_interactive_test (); /* test the sequence number code */ | |
214 | return false; | |
215 | #endif | |
216 | ||
217 | #ifdef SCHEDULE_TEST | |
218 | schedule_test (); | |
219 | return false; | |
220 | #endif | |
221 | ||
222 | #ifdef LIST_TEST | |
223 | list_test (); | |
224 | return false; | |
225 | #endif | |
226 | ||
227 | #ifdef IFCONFIG_POOL_TEST | |
228 | ifconfig_pool_test (0x0A010004, 0x0A0100FF); | |
229 | return false; | |
230 | #endif | |
231 | ||
232 | #ifdef CHARACTER_CLASS_DEBUG | |
233 | character_class_debug (); | |
234 | return false; | |
235 | #endif | |
236 | ||
237 | #ifdef EXTRACT_X509_FIELD_TEST | |
238 | extract_x509_field_test (); | |
239 | return false; | |
240 | #endif | |
241 | ||
242 | return true; | |
243 | } | |
244 | ||
245 | void | |
246 | uninit_static (void) | |
247 | { | |
248 | openvpn_thread_cleanup (); | |
249 | ||
250 | #ifdef USE_CRYPTO | |
251 | free_ssl_lib (); | |
6835555e | 252 | #endif |
ce98fd24 | 253 | |
ce98fd24 | 254 | #ifdef ENABLE_PKCS11 |
984cf003 | 255 | pkcs11_terminate (); |
ce98fd24 | 256 | #endif |
6fbf66fa JY |
257 | |
258 | #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL) | |
259 | show_tls_performance_stats (); | |
260 | #endif | |
261 | } | |
262 | ||
263 | void | |
264 | init_verb_mute (struct context *c, unsigned int flags) | |
265 | { | |
266 | if (flags & IVM_LEVEL_1) | |
267 | { | |
268 | /* set verbosity and mute levels */ | |
269 | set_check_status (D_LINK_ERRORS, D_READ_WRITE); | |
270 | set_debug_level (c->options.verbosity, SDL_CONSTRAIN); | |
271 | set_mute_cutoff (c->options.mute); | |
272 | } | |
273 | ||
274 | /* special D_LOG_RW mode */ | |
275 | if (flags & IVM_LEVEL_2) | |
276 | c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1)); | |
277 | } | |
278 | ||
279 | /* | |
280 | * Possibly set --dev based on --dev-node. | |
281 | * For example, if --dev-node /tmp/foo/tun, and --dev undefined, | |
282 | * set --dev to tun. | |
283 | */ | |
284 | void | |
285 | init_options_dev (struct options *options) | |
286 | { | |
287 | if (!options->dev) | |
288 | options->dev = dev_component_in_dev_node (options->dev_node); | |
289 | } | |
290 | ||
291 | bool | |
292 | print_openssl_info (const struct options *options) | |
293 | { | |
294 | /* | |
295 | * OpenSSL info print mode? | |
296 | */ | |
297 | #ifdef USE_CRYPTO | |
298 | if (options->show_ciphers || options->show_digests || options->show_engines | |
299 | #ifdef USE_SSL | |
300 | || options->show_tls_ciphers | |
301 | #endif | |
302 | ) | |
303 | { | |
304 | if (options->show_ciphers) | |
305 | show_available_ciphers (); | |
306 | if (options->show_digests) | |
307 | show_available_digests (); | |
308 | if (options->show_engines) | |
309 | show_available_engines (); | |
310 | #ifdef USE_SSL | |
311 | if (options->show_tls_ciphers) | |
312 | show_available_tls_ciphers (); | |
313 | #endif | |
314 | return true; | |
315 | } | |
316 | #endif | |
317 | return false; | |
318 | } | |
319 | ||
320 | /* | |
321 | * Static pre-shared key generation mode? | |
322 | */ | |
323 | bool | |
324 | do_genkey (const struct options * options) | |
325 | { | |
326 | #ifdef USE_CRYPTO | |
327 | if (options->genkey) | |
328 | { | |
329 | int nbits_written; | |
330 | ||
331 | notnull (options->shared_secret_file, | |
332 | "shared secret output file (--secret)"); | |
333 | ||
334 | if (options->mlock) /* should we disable paging? */ | |
335 | do_mlockall (true); | |
336 | ||
337 | nbits_written = write_key_file (2, options->shared_secret_file); | |
338 | ||
339 | msg (D_GENKEY | M_NOPREFIX, | |
340 | "Randomly generated %d bit key written to %s", nbits_written, | |
341 | options->shared_secret_file); | |
342 | return true; | |
343 | } | |
344 | #endif | |
345 | return false; | |
346 | } | |
347 | ||
348 | /* | |
349 | * Persistent TUN/TAP device management mode? | |
350 | */ | |
351 | bool | |
352 | do_persist_tuntap (const struct options *options) | |
353 | { | |
354 | #ifdef TUNSETPERSIST | |
355 | if (options->persist_config) | |
356 | { | |
357 | /* sanity check on options for --mktun or --rmtun */ | |
358 | notnull (options->dev, "TUN/TAP device (--dev)"); | |
359 | if (options->remote_list || options->ifconfig_local | |
360 | || options->ifconfig_remote_netmask | |
361 | #ifdef USE_CRYPTO | |
362 | || options->shared_secret_file | |
363 | #ifdef USE_SSL | |
364 | || options->tls_server || options->tls_client | |
365 | #endif | |
366 | #endif | |
367 | ) | |
368 | msg (M_FATAL|M_OPTERR, | |
369 | "options --mktun or --rmtun should only be used together with --dev"); | |
370 | tuncfg (options->dev, options->dev_type, options->dev_node, | |
371 | options->tun_ipv6, options->persist_mode); | |
372 | return true; | |
373 | } | |
374 | #endif | |
375 | return false; | |
376 | } | |
377 | ||
378 | /* | |
379 | * Should we become a daemon? | |
380 | * Return true if we did it. | |
381 | */ | |
382 | static bool | |
383 | possibly_become_daemon (const struct options *options, const bool first_time) | |
384 | { | |
385 | bool ret = false; | |
386 | if (first_time && options->daemon) | |
387 | { | |
388 | ASSERT (!options->inetd); | |
389 | if (daemon (options->cd_dir != NULL, options->log) < 0) | |
390 | msg (M_ERR, "daemon() failed"); | |
391 | if (options->log) | |
392 | set_std_files_to_null (true); | |
6835555e JY |
393 | |
394 | #if defined(ENABLE_PKCS11) | |
984cf003 | 395 | pkcs11_forkFixup (); |
6835555e JY |
396 | #endif |
397 | ||
6fbf66fa JY |
398 | ret = true; |
399 | } | |
400 | return ret; | |
401 | } | |
402 | ||
403 | /* | |
404 | * Actually do UID/GID downgrade, and chroot, if requested. | |
405 | */ | |
406 | static void | |
407 | do_uid_gid_chroot (struct context *c, bool no_delay) | |
408 | { | |
409 | static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; | |
410 | ||
411 | if (c->first_time && !c->c2.uid_gid_set) | |
412 | { | |
413 | /* chroot if requested */ | |
414 | if (c->options.chroot_dir) | |
415 | { | |
416 | if (no_delay) | |
417 | do_chroot (c->options.chroot_dir); | |
418 | else | |
419 | msg (M_INFO, "NOTE: chroot %s", why_not); | |
420 | } | |
421 | ||
422 | /* set user and/or group that we want to setuid/setgid to */ | |
423 | if (no_delay) | |
424 | { | |
425 | set_group (&c->c2.group_state); | |
426 | set_user (&c->c2.user_state); | |
427 | c->c2.uid_gid_set = true; | |
428 | } | |
429 | else if (c->c2.uid_gid_specified) | |
430 | { | |
431 | msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not); | |
432 | } | |
433 | } | |
434 | } | |
435 | ||
436 | /* | |
437 | * Return common name in a way that is formatted for | |
438 | * prepending to msg() output. | |
439 | */ | |
440 | const char * | |
441 | format_common_name (struct context *c, struct gc_arena *gc) | |
442 | { | |
443 | struct buffer out = alloc_buf_gc (256, gc); | |
444 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
445 | if (c->c2.tls_multi) | |
446 | { | |
447 | buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false)); | |
448 | } | |
449 | #endif | |
450 | return BSTR (&out); | |
451 | } | |
452 | ||
453 | void | |
454 | pre_setup (const struct options *options) | |
455 | { | |
456 | #ifdef WIN32 | |
457 | if (options->exit_event_name) | |
458 | { | |
459 | win32_signal_open (&win32_signal, | |
460 | WSO_FORCE_SERVICE, | |
461 | options->exit_event_name, | |
462 | options->exit_event_initial_state); | |
463 | } | |
464 | else | |
465 | { | |
466 | win32_signal_open (&win32_signal, | |
467 | WSO_FORCE_CONSOLE, | |
468 | NULL, | |
469 | false); | |
470 | ||
471 | /* put a title on the top window bar */ | |
472 | if (win32_signal.mode == WSO_MODE_CONSOLE) | |
473 | { | |
474 | window_title_save (&window_title); | |
475 | window_title_generate (options->config); | |
476 | } | |
477 | } | |
478 | #endif | |
479 | } | |
480 | ||
481 | void | |
482 | reset_coarse_timers (struct context *c) | |
483 | { | |
484 | c->c2.coarse_timer_wakeup = 0; | |
485 | } | |
486 | ||
487 | /* | |
488 | * Initialize timers | |
489 | */ | |
490 | static void | |
491 | do_init_timers (struct context *c, bool deferred) | |
492 | { | |
493 | update_time (); | |
494 | reset_coarse_timers (c); | |
495 | ||
496 | /* initialize inactivity timeout */ | |
497 | if (c->options.inactivity_timeout) | |
498 | event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now); | |
499 | ||
500 | /* initialize pings */ | |
501 | ||
502 | if (c->options.ping_send_timeout) | |
503 | event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); | |
504 | ||
505 | if (c->options.ping_rec_timeout) | |
506 | event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); | |
507 | ||
508 | if (!deferred) | |
509 | { | |
510 | /* initialize connection establishment timer */ | |
511 | event_timeout_init (&c->c2.wait_for_connect, 1, now); | |
512 | ||
513 | #ifdef ENABLE_OCC | |
514 | /* initialize occ timers */ | |
515 | ||
516 | if (c->options.occ | |
517 | && !TLS_MODE (c) | |
518 | && c->c2.options_string_local && c->c2.options_string_remote) | |
519 | event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); | |
520 | ||
521 | if (c->options.mtu_test) | |
522 | event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); | |
523 | #endif | |
524 | ||
525 | /* initialize packet_id persistence timer */ | |
526 | #ifdef USE_CRYPTO | |
527 | if (c->options.packet_id_file) | |
528 | event_timeout_init (&c->c2.packet_id_persist_interval, 60, now); | |
529 | #endif | |
530 | ||
531 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
532 | /* initialize tmp_int optimization that limits the number of times we call | |
533 | tls_multi_process in the main event loop */ | |
534 | interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); | |
535 | #endif | |
536 | } | |
537 | } | |
538 | ||
539 | /* | |
540 | * Initialize traffic shaper. | |
541 | */ | |
542 | static void | |
543 | do_init_traffic_shaper (struct context *c) | |
544 | { | |
545 | #ifdef HAVE_GETTIMEOFDAY | |
546 | /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ | |
547 | if (c->options.shaper) | |
548 | { | |
549 | shaper_init (&c->c2.shaper, c->options.shaper); | |
550 | shaper_msg (&c->c2.shaper); | |
551 | } | |
552 | #endif | |
553 | } | |
554 | ||
555 | /* | |
556 | * Allocate a route list structure if at least one | |
557 | * --route option was specified. | |
558 | */ | |
559 | static void | |
560 | do_alloc_route_list (struct context *c) | |
561 | { | |
562 | if (c->options.routes && !c->c1.route_list) | |
563 | c->c1.route_list = new_route_list (&c->gc); | |
564 | } | |
565 | ||
566 | ||
567 | /* | |
568 | * Initialize the route list, resolving any DNS names in route | |
569 | * options and saving routes in the environment. | |
570 | */ | |
571 | static void | |
572 | do_init_route_list (const struct options *options, | |
573 | struct route_list *route_list, | |
574 | const struct link_socket_info *link_socket_info, | |
575 | bool fatal, | |
576 | struct env_set *es) | |
577 | { | |
578 | const char *gw = NULL; | |
579 | int dev = dev_type_enum (options->dev, options->dev_type); | |
580 | ||
3c7f2f55 | 581 | if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) |
6fbf66fa JY |
582 | gw = options->ifconfig_remote_netmask; |
583 | if (options->route_default_gateway) | |
584 | gw = options->route_default_gateway; | |
585 | ||
586 | if (!init_route_list (route_list, | |
587 | options->routes, | |
588 | gw, | |
589 | link_socket_current_remote (link_socket_info), | |
590 | es)) | |
591 | { | |
592 | if (fatal) | |
593 | openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ | |
594 | } | |
595 | else | |
596 | { | |
597 | /* copy routes to environment */ | |
598 | setenv_routes (es, route_list); | |
599 | } | |
600 | } | |
601 | ||
602 | /* | |
603 | * Called after all initialization has been completed. | |
604 | */ | |
605 | void | |
606 | initialization_sequence_completed (struct context *c, const unsigned int flags) | |
607 | { | |
608 | static const char message[] = "Initialization Sequence Completed"; | |
609 | ||
610 | /* If we delayed UID/GID downgrade or chroot, do it now */ | |
611 | do_uid_gid_chroot (c, true); | |
612 | ||
613 | /* Test if errors */ | |
614 | if (flags & ISC_ERRORS) | |
615 | #ifdef WIN32 | |
616 | msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); | |
617 | #else | |
618 | msg (M_INFO, "%s With Errors", message); | |
619 | #endif | |
620 | else | |
621 | msg (M_INFO, "%s", message); | |
622 | ||
623 | /* Flag remote_list that we initialized */ | |
624 | if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && c->c1.remote_list && c->c1.remote_list->len > 1) | |
625 | c->c1.remote_list->no_advance = true; | |
626 | ||
627 | #ifdef ENABLE_MANAGEMENT | |
628 | /* Tell management interface that we initialized */ | |
629 | if (management) | |
630 | { | |
631 | in_addr_t tun_local = 0; | |
5ad84585 | 632 | in_addr_t tun_remote = 0; /* FKS */ |
6fbf66fa JY |
633 | const char *detail = "SUCCESS"; |
634 | if (c->c1.tuntap) | |
635 | tun_local = c->c1.tuntap->local; | |
5ad84585 | 636 | tun_remote = htonl (c->c1.link_socket_addr.actual.dest.sa.sin_addr.s_addr); |
6fbf66fa JY |
637 | if (flags & ISC_ERRORS) |
638 | detail = "ERROR"; | |
639 | management_set_state (management, | |
640 | OPENVPN_STATE_CONNECTED, | |
641 | detail, | |
5ad84585 JY |
642 | tun_local, |
643 | tun_remote); | |
6fbf66fa JY |
644 | if (tun_local) |
645 | management_post_tunnel_open (management, tun_local); | |
646 | } | |
647 | #endif | |
648 | ||
649 | } | |
650 | ||
651 | /* | |
652 | * Possibly add routes and/or call route-up script | |
653 | * based on options. | |
654 | */ | |
655 | void | |
656 | do_route (const struct options *options, | |
657 | struct route_list *route_list, | |
658 | const struct tuntap *tt, | |
659 | const struct plugin_list *plugins, | |
660 | struct env_set *es) | |
661 | { | |
662 | if (!options->route_noexec && route_list) | |
663 | add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es); | |
664 | ||
665 | if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP)) | |
666 | { | |
3c7f2f55 | 667 | if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es)) |
6fbf66fa JY |
668 | msg (M_WARN, "WARNING: route-up plugin call failed"); |
669 | } | |
670 | ||
671 | if (options->route_script) | |
672 | { | |
673 | setenv_str (es, "script_type", "route-up"); | |
674 | system_check (options->route_script, es, S_SCRIPT, "Route script failed"); | |
675 | } | |
676 | ||
677 | #ifdef WIN32 | |
678 | if (options->show_net_up) | |
679 | { | |
680 | show_routes (M_INFO|M_NOPREFIX); | |
681 | show_adapters (M_INFO|M_NOPREFIX); | |
682 | } | |
683 | else if (check_debug_level (D_SHOW_NET)) | |
684 | { | |
685 | show_routes (D_SHOW_NET|M_NOPREFIX); | |
686 | show_adapters (D_SHOW_NET|M_NOPREFIX); | |
687 | } | |
688 | #endif | |
689 | } | |
690 | ||
691 | /* | |
692 | * Save current pulled options string in the c1 context store, so we can | |
693 | * compare against it after possible future restarts. | |
694 | */ | |
695 | #if P2MP | |
696 | static void | |
697 | save_pulled_options_string (struct context *c, const char *newstring) | |
698 | { | |
699 | if (c->c1.pulled_options_string_save) | |
700 | free (c->c1.pulled_options_string_save); | |
701 | ||
702 | c->c1.pulled_options_string_save = NULL; | |
703 | ||
704 | if (newstring) | |
705 | c->c1.pulled_options_string_save = string_alloc (newstring, NULL); | |
706 | } | |
707 | #endif | |
708 | ||
709 | /* | |
710 | * initialize tun/tap device object | |
711 | */ | |
712 | static void | |
713 | do_init_tun (struct context *c) | |
714 | { | |
715 | c->c1.tuntap = init_tun (c->options.dev, | |
716 | c->options.dev_type, | |
3c7f2f55 | 717 | c->options.topology, |
6fbf66fa JY |
718 | c->options.ifconfig_local, |
719 | c->options.ifconfig_remote_netmask, | |
720 | addr_host (&c->c1.link_socket_addr.local), | |
721 | addr_host (&c->c1.link_socket_addr.remote), | |
722 | !c->options.ifconfig_nowarn, | |
723 | c->c2.es); | |
724 | ||
725 | init_tun_post (c->c1.tuntap, | |
726 | &c->c2.frame, | |
727 | &c->options.tuntap_options); | |
728 | ||
729 | c->c1.tuntap_owned = true; | |
730 | } | |
731 | ||
732 | /* | |
733 | * Open tun/tap device, ifconfig, call up script, etc. | |
734 | */ | |
735 | ||
736 | static bool | |
737 | do_open_tun (struct context *c) | |
738 | { | |
739 | struct gc_arena gc = gc_new (); | |
740 | bool ret = false; | |
741 | ||
742 | c->c2.ipv4_tun = (!c->options.tun_ipv6 | |
743 | && is_dev_type (c->options.dev, c->options.dev_type, "tun")); | |
744 | ||
745 | if (!c->c1.tuntap) | |
746 | { | |
747 | /* initialize (but do not open) tun/tap object */ | |
748 | do_init_tun (c); | |
749 | ||
750 | /* allocate route list structure */ | |
751 | do_alloc_route_list (c); | |
752 | ||
753 | /* parse and resolve the route option list */ | |
3c7f2f55 | 754 | if (c->options.routes && c->c1.route_list && c->c2.link_socket) |
6fbf66fa JY |
755 | do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es); |
756 | ||
757 | /* do ifconfig */ | |
758 | if (!c->options.ifconfig_noexec | |
759 | && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN) | |
760 | { | |
761 | /* guess actual tun/tap unit number that will be returned | |
762 | by open_tun */ | |
763 | const char *guess = guess_tuntap_dev (c->options.dev, | |
764 | c->options.dev_type, | |
765 | c->options.dev_node, | |
766 | &gc); | |
767 | do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); | |
768 | } | |
769 | ||
770 | /* open the tun device */ | |
771 | open_tun (c->options.dev, c->options.dev_type, c->options.dev_node, | |
772 | c->options.tun_ipv6, c->c1.tuntap); | |
773 | ||
774 | /* do ifconfig */ | |
775 | if (!c->options.ifconfig_noexec | |
776 | && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN) | |
777 | { | |
778 | do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); | |
779 | } | |
780 | ||
781 | /* run the up script */ | |
782 | run_up_down (c->options.up_script, | |
3c7f2f55 | 783 | c->plugins, |
6fbf66fa JY |
784 | OPENVPN_PLUGIN_UP, |
785 | c->c1.tuntap->actual_name, | |
786 | TUN_MTU_SIZE (&c->c2.frame), | |
787 | EXPANDED_SIZE (&c->c2.frame), | |
788 | print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
789 | print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
790 | "init", | |
791 | NULL, | |
792 | "up", | |
793 | c->c2.es); | |
794 | ||
795 | /* possibly add routes */ | |
796 | if (!c->options.route_delay_defined) | |
3c7f2f55 | 797 | do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es); |
6fbf66fa JY |
798 | |
799 | /* | |
800 | * Did tun/tap driver give us an MTU? | |
801 | */ | |
802 | if (c->c1.tuntap->post_open_mtu) | |
803 | frame_set_mtu_dynamic (&c->c2.frame, | |
804 | c->c1.tuntap->post_open_mtu, | |
805 | SET_MTU_TUN | SET_MTU_UPPER_BOUND); | |
806 | ||
807 | ret = true; | |
808 | } | |
809 | else | |
810 | { | |
811 | msg (M_INFO, "Preserving previous TUN/TAP instance: %s", | |
812 | c->c1.tuntap->actual_name); | |
813 | ||
814 | /* run the up script if user specified --up-restart */ | |
815 | if (c->options.up_restart) | |
816 | run_up_down (c->options.up_script, | |
3c7f2f55 | 817 | c->plugins, |
6fbf66fa JY |
818 | OPENVPN_PLUGIN_UP, |
819 | c->c1.tuntap->actual_name, | |
820 | TUN_MTU_SIZE (&c->c2.frame), | |
821 | EXPANDED_SIZE (&c->c2.frame), | |
822 | print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
823 | print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
824 | "restart", | |
825 | NULL, | |
826 | "up", | |
827 | c->c2.es); | |
828 | } | |
829 | gc_free (&gc); | |
830 | return ret; | |
831 | } | |
832 | ||
833 | /* | |
834 | * Close TUN/TAP device | |
835 | */ | |
836 | ||
837 | static void | |
838 | do_close_tun_simple (struct context *c) | |
839 | { | |
840 | msg (D_CLOSE, "Closing TUN/TAP interface"); | |
841 | close_tun (c->c1.tuntap); | |
842 | c->c1.tuntap = NULL; | |
843 | c->c1.tuntap_owned = false; | |
844 | #if P2MP | |
845 | save_pulled_options_string (c, NULL); /* delete C1-saved pulled_options_string */ | |
846 | #endif | |
847 | } | |
848 | ||
849 | static void | |
850 | do_close_tun (struct context *c, bool force) | |
851 | { | |
852 | struct gc_arena gc = gc_new (); | |
853 | if (c->c1.tuntap && c->c1.tuntap_owned) | |
854 | { | |
855 | const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc); | |
856 | const in_addr_t local = c->c1.tuntap->local; | |
857 | const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; | |
858 | ||
859 | if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) | |
860 | { | |
861 | #ifdef ENABLE_MANAGEMENT | |
862 | /* tell management layer we are about to close the TUN/TAP device */ | |
863 | if (management) | |
864 | management_pre_tunnel_close (management); | |
865 | #endif | |
866 | ||
867 | /* delete any routes we added */ | |
868 | if (c->c1.route_list) | |
869 | delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); | |
870 | ||
871 | /* actually close tun/tap device based on --down-pre flag */ | |
872 | if (!c->options.down_pre) | |
873 | do_close_tun_simple (c); | |
874 | ||
875 | /* Run the down script -- note that it will run at reduced | |
876 | privilege if, for example, "--user nobody" was used. */ | |
877 | run_up_down (c->options.down_script, | |
3c7f2f55 | 878 | c->plugins, |
6fbf66fa JY |
879 | OPENVPN_PLUGIN_DOWN, |
880 | tuntap_actual, | |
881 | TUN_MTU_SIZE (&c->c2.frame), | |
882 | EXPANDED_SIZE (&c->c2.frame), | |
883 | print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), | |
884 | print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
885 | "init", | |
886 | signal_description (c->sig->signal_received, | |
887 | c->sig->signal_text), | |
888 | "down", | |
889 | c->c2.es); | |
890 | ||
891 | /* actually close tun/tap device based on --down-pre flag */ | |
892 | if (c->options.down_pre) | |
893 | do_close_tun_simple (c); | |
894 | } | |
895 | else | |
896 | { | |
897 | /* run the down script on this restart if --up-restart was specified */ | |
898 | if (c->options.up_restart) | |
899 | run_up_down (c->options.down_script, | |
3c7f2f55 | 900 | c->plugins, |
6fbf66fa JY |
901 | OPENVPN_PLUGIN_DOWN, |
902 | tuntap_actual, | |
903 | TUN_MTU_SIZE (&c->c2.frame), | |
904 | EXPANDED_SIZE (&c->c2.frame), | |
905 | print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), | |
906 | print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
907 | "restart", | |
908 | signal_description (c->sig->signal_received, | |
909 | c->sig->signal_text), | |
910 | "down", | |
911 | c->c2.es); | |
912 | } | |
913 | } | |
914 | gc_free (&gc); | |
915 | } | |
916 | ||
917 | /* | |
918 | * Handle delayed tun/tap interface bringup due to --up-delay or --pull | |
919 | */ | |
920 | ||
921 | void | |
922 | do_up (struct context *c, bool pulled_options, unsigned int option_types_found) | |
923 | { | |
924 | if (!c->c2.do_up_ran) | |
925 | { | |
926 | reset_coarse_timers (c); | |
927 | ||
928 | if (pulled_options && option_types_found) | |
929 | do_deferred_options (c, option_types_found); | |
930 | ||
931 | /* if --up-delay specified, open tun, do ifconfig, and run up script now */ | |
932 | if (c->options.up_delay || PULL_DEFINED (&c->options)) | |
933 | { | |
934 | c->c2.did_open_tun = do_open_tun (c); | |
935 | update_time (); | |
936 | ||
937 | #if P2MP | |
938 | /* | |
939 | * Was tun interface object persisted from previous restart iteration, | |
940 | * and if so did pulled options string change from previous iteration? | |
941 | */ | |
942 | if (!c->c2.did_open_tun | |
943 | && PULL_DEFINED (&c->options) | |
944 | && c->c1.tuntap | |
945 | && (!c->c1.pulled_options_string_save || !c->c2.pulled_options_string | |
946 | || strcmp (c->c1.pulled_options_string_save, c->c2.pulled_options_string))) | |
947 | { | |
948 | /* if so, close tun, delete routes, then reinitialize tun and add routes */ | |
949 | msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); | |
950 | do_close_tun (c, true); | |
951 | openvpn_sleep (1); | |
952 | c->c2.did_open_tun = do_open_tun (c); | |
953 | update_time (); | |
954 | } | |
955 | #endif | |
956 | } | |
957 | ||
958 | if (c->c2.did_open_tun) | |
959 | { | |
960 | #if P2MP | |
961 | save_pulled_options_string (c, c->c2.pulled_options_string); | |
962 | #endif | |
963 | ||
964 | /* if --route-delay was specified, start timer */ | |
965 | if (c->options.route_delay_defined) | |
966 | { | |
967 | event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now); | |
968 | event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); | |
c67d59cd JY |
969 | if (c->c1.tuntap) |
970 | tun_standby_init (c->c1.tuntap); | |
6fbf66fa JY |
971 | } |
972 | else | |
973 | { | |
974 | initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */ | |
975 | } | |
976 | } | |
977 | else if (c->options.mode == MODE_POINT_TO_POINT) | |
978 | { | |
979 | initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */ | |
980 | } | |
981 | ||
982 | c->c2.do_up_ran = true; | |
983 | } | |
984 | } | |
985 | ||
986 | /* | |
987 | * These are the option categories which will be accepted by pull. | |
988 | */ | |
989 | unsigned int | |
3c7f2f55 | 990 | pull_permission_mask (const struct context *c) |
6fbf66fa | 991 | { |
3c7f2f55 JY |
992 | unsigned int flags = |
993 | OPT_P_UP | |
994 | | OPT_P_ROUTE_EXTRAS | |
995 | | OPT_P_IPWIN32 | |
00d39170 JY |
996 | | OPT_P_SOCKBUF |
997 | | OPT_P_SOCKFLAGS | |
3c7f2f55 JY |
998 | | OPT_P_SETENV |
999 | | OPT_P_SHAPER | |
1000 | | OPT_P_TIMER | |
537073fd | 1001 | | OPT_P_COMP |
3c7f2f55 JY |
1002 | | OPT_P_PERSIST |
1003 | | OPT_P_MESSAGES | |
1004 | | OPT_P_EXPLICIT_NOTIFY | |
1005 | | OPT_P_ECHO | |
1006 | | OPT_P_PULL_MODE; | |
1007 | ||
1008 | if (!c->options.route_nopull) | |
1009 | flags |= OPT_P_ROUTE; | |
1010 | ||
1011 | return flags; | |
6fbf66fa JY |
1012 | } |
1013 | ||
1014 | /* | |
1015 | * Handle non-tun-related pulled options. | |
1016 | */ | |
1017 | void | |
1018 | do_deferred_options (struct context *c, const unsigned int found) | |
1019 | { | |
1020 | if (found & OPT_P_MESSAGES) | |
1021 | { | |
1022 | init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2); | |
1023 | msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); | |
1024 | } | |
1025 | if (found & OPT_P_TIMER) | |
1026 | { | |
1027 | do_init_timers (c, true); | |
1028 | msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); | |
1029 | } | |
1030 | ||
1031 | #ifdef ENABLE_OCC | |
1032 | if (found & OPT_P_EXPLICIT_NOTIFY) | |
1033 | { | |
1034 | if (c->options.proto != PROTO_UDPv4 && c->options.explicit_exit_notification) | |
1035 | { | |
1036 | msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); | |
1037 | c->options.explicit_exit_notification = 0; | |
1038 | } | |
1039 | else | |
1040 | msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); | |
1041 | } | |
1042 | #endif | |
1043 | ||
537073fd JY |
1044 | #ifdef USE_LZO |
1045 | if (found & OPT_P_COMP) | |
1046 | { | |
1047 | if (lzo_defined (&c->c2.lzo_compwork)) | |
1048 | { | |
1049 | msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified"); | |
1050 | lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo); | |
1051 | } | |
1052 | } | |
1053 | #endif | |
1054 | ||
6fbf66fa JY |
1055 | if (found & OPT_P_SHAPER) |
1056 | { | |
1057 | msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); | |
1058 | do_init_traffic_shaper (c); | |
1059 | } | |
1060 | ||
00d39170 JY |
1061 | if (found & OPT_P_SOCKBUF) |
1062 | { | |
1063 | msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); | |
1064 | link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); | |
1065 | } | |
1066 | ||
1067 | if (found & OPT_P_SOCKFLAGS) | |
1068 | { | |
1069 | msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); | |
1070 | link_socket_update_flags (c->c2.link_socket, c->options.sockflags); | |
1071 | } | |
1072 | ||
6fbf66fa JY |
1073 | if (found & OPT_P_PERSIST) |
1074 | msg (D_PUSH, "OPTIONS IMPORT: --persist options modified"); | |
1075 | if (found & OPT_P_UP) | |
1076 | msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); | |
1077 | if (found & OPT_P_ROUTE) | |
1078 | msg (D_PUSH, "OPTIONS IMPORT: route options modified"); | |
3c7f2f55 JY |
1079 | if (found & OPT_P_ROUTE_EXTRAS) |
1080 | msg (D_PUSH, "OPTIONS IMPORT: route-related options modified"); | |
6fbf66fa JY |
1081 | if (found & OPT_P_IPWIN32) |
1082 | msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); | |
1083 | if (found & OPT_P_SETENV) | |
1084 | msg (D_PUSH, "OPTIONS IMPORT: environment modified"); | |
1085 | } | |
1086 | ||
1087 | /* | |
1088 | * Possible hold on initialization | |
1089 | */ | |
1090 | static bool | |
1091 | do_hold (struct context *c) | |
1092 | { | |
1093 | #ifdef ENABLE_MANAGEMENT | |
1094 | if (management) | |
1095 | { | |
1096 | /* if c is defined, daemonize before hold */ | |
1097 | if (c && c->options.daemon && management_would_hold (management)) | |
1098 | do_init_first_time (c); | |
1099 | ||
1100 | /* block until management hold is released */ | |
1101 | if (management_hold (management)) | |
1102 | return true; | |
1103 | } | |
1104 | #endif | |
1105 | return false; | |
1106 | } | |
1107 | ||
1108 | /* | |
1109 | * Sleep before restart. | |
1110 | */ | |
1111 | static void | |
1112 | socket_restart_pause (struct context *c) | |
1113 | { | |
1114 | bool proxy = false; | |
1115 | int sec = 2; | |
1116 | ||
1117 | #ifdef ENABLE_HTTP_PROXY | |
1118 | if (c->options.http_proxy_options) | |
1119 | proxy = true; | |
1120 | #endif | |
1121 | #ifdef ENABLE_SOCKS | |
1122 | if (c->options.socks_proxy_server) | |
1123 | proxy = true; | |
1124 | #endif | |
1125 | ||
1126 | switch (c->options.proto) | |
1127 | { | |
1128 | case PROTO_UDPv4: | |
1129 | if (proxy) | |
1130 | sec = c->options.connect_retry_seconds; | |
1131 | break; | |
1132 | case PROTO_TCPv4_SERVER: | |
1133 | sec = 1; | |
1134 | break; | |
1135 | case PROTO_TCPv4_CLIENT: | |
1136 | sec = c->options.connect_retry_seconds; | |
1137 | break; | |
1138 | } | |
1139 | ||
1140 | #ifdef ENABLE_DEBUG | |
1141 | if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin)) | |
1142 | sec = 0; | |
1143 | #endif | |
1144 | ||
1145 | #if P2MP | |
1146 | if (auth_retry_get () == AR_NOINTERACT) | |
1147 | sec = 10; | |
1148 | #endif | |
1149 | ||
1150 | if (do_hold (NULL)) | |
1151 | sec = 0; | |
1152 | ||
1153 | if (sec) | |
1154 | { | |
1155 | msg (D_RESTART, "Restart pause, %d second(s)", sec); | |
1156 | openvpn_sleep (sec); | |
1157 | } | |
1158 | } | |
1159 | ||
1160 | /* | |
1161 | * Do a possible pause on context_2 initialization. | |
1162 | */ | |
1163 | static void | |
1164 | do_startup_pause (struct context *c) | |
1165 | { | |
1166 | if (!c->first_time) | |
1167 | socket_restart_pause (c); | |
1168 | else | |
1169 | do_hold (NULL); | |
1170 | } | |
1171 | ||
1172 | /* | |
1173 | * Finalize MTU parameters based on command line or config file options. | |
1174 | */ | |
1175 | static void | |
1176 | frame_finalize_options (struct context *c, const struct options *o) | |
1177 | { | |
1178 | if (!o) | |
1179 | o = &c->options; | |
1180 | ||
1181 | /* | |
1182 | * Set adjustment factor for buffer alignment when no | |
1183 | * cipher is used. | |
1184 | */ | |
1185 | if (!CIPHER_ENABLED (c)) | |
1186 | { | |
1187 | frame_align_to_extra_frame (&c->c2.frame); | |
1188 | frame_or_align_flags (&c->c2.frame, | |
1189 | FRAME_HEADROOM_MARKER_FRAGMENT | |
1190 | |FRAME_HEADROOM_MARKER_READ_LINK | |
1191 | |FRAME_HEADROOM_MARKER_READ_STREAM); | |
1192 | } | |
1193 | ||
1194 | frame_finalize (&c->c2.frame, | |
1195 | o->link_mtu_defined, | |
1196 | o->link_mtu, | |
1197 | o->tun_mtu_defined, | |
1198 | o->tun_mtu); | |
1199 | } | |
1200 | ||
1201 | /* | |
1202 | * Free a key schedule, including OpenSSL components. | |
1203 | */ | |
1204 | static void | |
1205 | key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx) | |
1206 | { | |
1207 | #ifdef USE_CRYPTO | |
1208 | free_key_ctx_bi (&ks->static_key); | |
1209 | #ifdef USE_SSL | |
1210 | if (ks->ssl_ctx && free_ssl_ctx) | |
1211 | { | |
1212 | SSL_CTX_free (ks->ssl_ctx); | |
1213 | free_key_ctx_bi (&ks->tls_auth_key); | |
1214 | } | |
1215 | #endif /* USE_SSL */ | |
1216 | #endif /* USE_CRYPTO */ | |
1217 | CLEAR (*ks); | |
1218 | } | |
1219 | ||
1220 | #ifdef USE_CRYPTO | |
1221 | ||
1222 | static void | |
1223 | init_crypto_pre (struct context *c, const unsigned int flags) | |
1224 | { | |
1225 | if (c->options.engine) | |
1226 | init_crypto_lib_engine (c->options.engine); | |
1227 | ||
1228 | if (flags & CF_LOAD_PERSISTED_PACKET_ID) | |
1229 | { | |
1230 | /* load a persisted packet-id for cross-session replay-protection */ | |
1231 | if (c->options.packet_id_file) | |
1232 | packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file); | |
1233 | } | |
1234 | ||
1235 | /* Initialize crypto options */ | |
1236 | ||
1237 | if (c->options.use_iv) | |
1238 | c->c2.crypto_options.flags |= CO_USE_IV; | |
1239 | ||
1240 | if (c->options.mute_replay_warnings) | |
1241 | c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; | |
1242 | } | |
1243 | ||
1244 | /* | |
1245 | * Static Key Mode (using a pre-shared key) | |
1246 | */ | |
1247 | static void | |
1248 | do_init_crypto_static (struct context *c, const unsigned int flags) | |
1249 | { | |
1250 | const struct options *options = &c->options; | |
1251 | ASSERT (options->shared_secret_file); | |
1252 | ||
1253 | init_crypto_pre (c, flags); | |
1254 | ||
1255 | /* Initialize packet ID tracking */ | |
1256 | if (options->replay) | |
1257 | { | |
1258 | packet_id_init (&c->c2.packet_id, options->replay_window, | |
1259 | options->replay_time); | |
1260 | c->c2.crypto_options.packet_id = &c->c2.packet_id; | |
1261 | c->c2.crypto_options.pid_persist = &c->c1.pid_persist; | |
1262 | c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; | |
1263 | packet_id_persist_load_obj (&c->c1.pid_persist, | |
1264 | c->c2.crypto_options.packet_id); | |
1265 | } | |
1266 | ||
1267 | if (!key_ctx_bi_defined (&c->c1.ks.static_key)) | |
1268 | { | |
1269 | struct key2 key2; | |
1270 | struct key_direction_state kds; | |
1271 | ||
1272 | /* Get cipher & hash algorithms */ | |
1273 | init_key_type (&c->c1.ks.key_type, options->ciphername, | |
1274 | options->ciphername_defined, options->authname, | |
1275 | options->authname_defined, options->keysize, | |
1276 | options->test_crypto, true); | |
1277 | ||
1278 | /* Read cipher and hmac keys from shared secret file */ | |
c959fc74 JY |
1279 | { |
1280 | unsigned int rkf_flags = RKF_MUST_SUCCEED; | |
1281 | const char *rkf_file = options->shared_secret_file; | |
1282 | ||
1283 | #if ENABLE_INLINE_FILES | |
1284 | if (options->shared_secret_file_inline) | |
1285 | { | |
1286 | rkf_file = options->shared_secret_file_inline; | |
1287 | rkf_flags |= RKF_INLINE; | |
1288 | } | |
1289 | #endif | |
1290 | read_key_file (&key2, rkf_file, rkf_flags); | |
1291 | } | |
6fbf66fa JY |
1292 | |
1293 | /* Check for and fix highly unlikely key problems */ | |
1294 | verify_fix_key2 (&key2, &c->c1.ks.key_type, | |
1295 | options->shared_secret_file); | |
1296 | ||
1297 | /* Initialize OpenSSL key objects */ | |
1298 | key_direction_state_init (&kds, options->key_direction); | |
1299 | must_have_n_keys (options->shared_secret_file, "secret", &key2, | |
1300 | kds.need_keys); | |
1301 | init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key], | |
1302 | &c->c1.ks.key_type, DO_ENCRYPT, "Static Encrypt"); | |
1303 | init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key], | |
1304 | &c->c1.ks.key_type, DO_DECRYPT, "Static Decrypt"); | |
1305 | ||
1306 | /* Erase the temporary copy of key */ | |
1307 | CLEAR (key2); | |
1308 | } | |
1309 | else | |
1310 | { | |
1311 | msg (M_INFO, "Re-using pre-shared static key"); | |
1312 | } | |
1313 | ||
1314 | /* Get key schedule */ | |
1315 | c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; | |
1316 | ||
1317 | /* Compute MTU parameters */ | |
1318 | crypto_adjust_frame_parameters (&c->c2.frame, | |
1319 | &c->c1.ks.key_type, | |
1320 | options->ciphername_defined, | |
1321 | options->use_iv, options->replay, true); | |
1322 | ||
1323 | /* Sanity check on IV, sequence number, and cipher mode options */ | |
1324 | check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, | |
1325 | options->use_iv); | |
1326 | } | |
1327 | ||
1328 | #ifdef USE_SSL | |
1329 | ||
1330 | /* | |
1331 | * Initialize the persistent component of OpenVPN's TLS mode, | |
1332 | * which is preserved across SIGUSR1 resets. | |
1333 | */ | |
1334 | static void | |
1335 | do_init_crypto_tls_c1 (struct context *c) | |
1336 | { | |
1337 | const struct options *options = &c->options; | |
1338 | ||
1339 | if (!c->c1.ks.ssl_ctx) | |
1340 | { | |
1341 | /* | |
1342 | * Initialize the OpenSSL library's global | |
1343 | * SSL context. | |
1344 | */ | |
1345 | c->c1.ks.ssl_ctx = init_ssl (options); | |
1346 | if (!c->c1.ks.ssl_ctx) | |
1347 | { | |
1348 | #if P2MP | |
1349 | switch (auth_retry_get ()) | |
1350 | { | |
1351 | case AR_NONE: | |
1352 | msg (M_FATAL, "Error: private key password verification failed"); | |
1353 | break; | |
1354 | case AR_INTERACT: | |
1355 | ssl_purge_auth (); | |
1356 | case AR_NOINTERACT: | |
1357 | c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ | |
1358 | break; | |
1359 | default: | |
1360 | ASSERT (0); | |
1361 | } | |
1362 | c->sig->signal_text = "private-key-password-failure"; | |
1363 | return; | |
1364 | #else | |
1365 | msg (M_FATAL, "Error: private key password verification failed"); | |
1366 | #endif | |
1367 | } | |
1368 | ||
1369 | /* Get cipher & hash algorithms */ | |
1370 | init_key_type (&c->c1.ks.key_type, options->ciphername, | |
1371 | options->ciphername_defined, options->authname, | |
1372 | options->authname_defined, options->keysize, true, true); | |
1373 | ||
1374 | /* TLS handshake authentication (--tls-auth) */ | |
1375 | if (options->tls_auth_file) | |
c959fc74 JY |
1376 | { |
1377 | unsigned int flags = options->key_direction ? GHK_KEY_DIR : 0; | |
1378 | const char *file = options->tls_auth_file; | |
1379 | ||
1380 | #if ENABLE_INLINE_FILES | |
1381 | if (options->tls_auth_file_inline) | |
1382 | { | |
1383 | flags |= GHK_INLINE; | |
1384 | file = options->tls_auth_file_inline; | |
1385 | } | |
1386 | #endif | |
1387 | get_tls_handshake_key (&c->c1.ks.key_type, | |
1388 | &c->c1.ks.tls_auth_key, | |
1389 | file, | |
1390 | flags); | |
1391 | } | |
d40f2b20 JY |
1392 | |
1393 | #if ENABLE_INLINE_FILES | |
1394 | if (options->priv_key_file_inline) | |
1395 | { | |
1396 | string_clear (c->options.priv_key_file_inline); | |
1397 | c->options.priv_key_file_inline = NULL; | |
1398 | } | |
1399 | #endif | |
6fbf66fa JY |
1400 | } |
1401 | else | |
1402 | { | |
1403 | msg (M_INFO, "Re-using SSL/TLS context"); | |
1404 | } | |
1405 | } | |
1406 | ||
1407 | static void | |
1408 | do_init_crypto_tls (struct context *c, const unsigned int flags) | |
1409 | { | |
1410 | const struct options *options = &c->options; | |
1411 | struct tls_options to; | |
1412 | bool packet_id_long_form; | |
1413 | ||
1414 | ASSERT (options->tls_server || options->tls_client); | |
1415 | ASSERT (!options->test_crypto); | |
1416 | ||
1417 | init_crypto_pre (c, flags); | |
1418 | ||
1419 | /* Make sure we are either a TLS client or server but not both */ | |
1420 | ASSERT (options->tls_server == !options->tls_client); | |
1421 | ||
1422 | /* initialize persistent component */ | |
1423 | do_init_crypto_tls_c1 (c); | |
1424 | if (IS_SIG (c)) | |
1425 | return; | |
1426 | ||
1427 | /* Sanity check on IV, sequence number, and cipher mode options */ | |
1428 | check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, | |
1429 | options->use_iv); | |
1430 | ||
1431 | /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ | |
1432 | packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type); | |
1433 | ||
1434 | /* Compute MTU parameters */ | |
1435 | crypto_adjust_frame_parameters (&c->c2.frame, | |
1436 | &c->c1.ks.key_type, | |
1437 | options->ciphername_defined, | |
1438 | options->use_iv, | |
1439 | options->replay, packet_id_long_form); | |
1440 | tls_adjust_frame_parameters (&c->c2.frame); | |
1441 | ||
1442 | /* Set all command-line TLS-related options */ | |
1443 | CLEAR (to); | |
1444 | ||
1445 | to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM); | |
1446 | if (packet_id_long_form) | |
1447 | to.crypto_flags_or = CO_PACKET_ID_LONG_FORM; | |
1448 | ||
1449 | to.ssl_ctx = c->c1.ks.ssl_ctx; | |
1450 | to.key_type = c->c1.ks.key_type; | |
1451 | to.server = options->tls_server; | |
1452 | to.key_method = options->key_method; | |
1453 | to.replay = options->replay; | |
1454 | to.replay_window = options->replay_window; | |
1455 | to.replay_time = options->replay_time; | |
1456 | to.transition_window = options->transition_window; | |
1457 | to.handshake_window = options->handshake_window; | |
1458 | to.packet_timeout = options->tls_timeout; | |
1459 | to.renegotiate_bytes = options->renegotiate_bytes; | |
1460 | to.renegotiate_packets = options->renegotiate_packets; | |
1461 | to.renegotiate_seconds = options->renegotiate_seconds; | |
1462 | to.single_session = options->single_session; | |
1463 | ||
1464 | #ifdef ENABLE_OCC | |
1465 | to.disable_occ = !options->occ; | |
1466 | #endif | |
1467 | ||
1468 | to.verify_command = options->tls_verify; | |
1469 | to.verify_x509name = options->tls_remote; | |
1470 | to.crl_file = options->crl_file; | |
1471 | to.ns_cert_type = options->ns_cert_type; | |
411e89ae JY |
1472 | memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); |
1473 | to.remote_cert_eku = options->remote_cert_eku; | |
6fbf66fa JY |
1474 | to.es = c->c2.es; |
1475 | ||
1476 | #ifdef ENABLE_DEBUG | |
1477 | to.gremlin = c->options.gremlin; | |
1478 | #endif | |
1479 | ||
3c7f2f55 | 1480 | to.plugins = c->plugins; |
6fbf66fa JY |
1481 | |
1482 | #if P2MP_SERVER | |
1483 | to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; | |
1484 | to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; | |
1485 | to.tmp_dir = options->tmp_dir; | |
1486 | to.username_as_common_name = options->username_as_common_name; | |
1487 | if (options->ccd_exclusive) | |
1488 | to.client_config_dir_exclusive = options->client_config_dir; | |
1489 | #endif | |
1490 | ||
1491 | /* TLS handshake authentication (--tls-auth) */ | |
1492 | if (options->tls_auth_file) | |
1493 | { | |
1494 | to.tls_auth_key = c->c1.ks.tls_auth_key; | |
1495 | to.tls_auth.pid_persist = &c->c1.pid_persist; | |
1496 | to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; | |
1497 | crypto_adjust_frame_parameters (&to.frame, | |
1498 | &c->c1.ks.key_type, | |
1499 | false, false, true, true); | |
1500 | } | |
1501 | ||
1502 | /* If we are running over TCP, allow for | |
1503 | length prefix */ | |
1504 | socket_adjust_frame_parameters (&to.frame, options->proto); | |
1505 | ||
1506 | /* | |
1507 | * Initialize OpenVPN's master TLS-mode object. | |
1508 | */ | |
1509 | if (flags & CF_INIT_TLS_MULTI) | |
1510 | c->c2.tls_multi = tls_multi_init (&to); | |
1511 | ||
1512 | if (flags & CF_INIT_TLS_AUTH_STANDALONE) | |
1513 | c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc); | |
1514 | } | |
1515 | ||
1516 | static void | |
1517 | do_init_finalize_tls_frame (struct context *c) | |
1518 | { | |
1519 | if (c->c2.tls_multi) | |
1520 | { | |
1521 | tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame); | |
1522 | ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <= | |
1523 | EXPANDED_SIZE (&c->c2.frame)); | |
1524 | frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO, | |
1525 | "Control Channel MTU parms"); | |
1526 | } | |
1527 | if (c->c2.tls_auth_standalone) | |
1528 | { | |
1529 | tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame); | |
1530 | frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO, | |
1531 | "TLS-Auth MTU parms"); | |
1532 | } | |
1533 | } | |
1534 | ||
1535 | #endif /* USE_SSL */ | |
1536 | #endif /* USE_CRYPTO */ | |
1537 | ||
1538 | #ifdef USE_CRYPTO | |
1539 | /* | |
1540 | * No encryption or authentication. | |
1541 | */ | |
1542 | static void | |
1543 | do_init_crypto_none (const struct context *c) | |
1544 | { | |
1545 | ASSERT (!c->options.test_crypto); | |
1546 | msg (M_WARN, | |
1547 | "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext"); | |
1548 | } | |
1549 | #endif | |
1550 | ||
1551 | static void | |
1552 | do_init_crypto (struct context *c, const unsigned int flags) | |
1553 | { | |
1554 | #ifdef USE_CRYPTO | |
1555 | if (c->options.shared_secret_file) | |
1556 | do_init_crypto_static (c, flags); | |
1557 | #ifdef USE_SSL | |
1558 | else if (c->options.tls_server || c->options.tls_client) | |
1559 | do_init_crypto_tls (c, flags); | |
1560 | #endif | |
1561 | else /* no encryption or authentication. */ | |
1562 | do_init_crypto_none (c); | |
1563 | #else /* USE_CRYPTO */ | |
1564 | msg (M_WARN, | |
1565 | "******* WARNING *******: " PACKAGE_NAME | |
1566 | " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); | |
1567 | #endif /* USE_CRYPTO */ | |
1568 | } | |
1569 | ||
1570 | static void | |
1571 | do_init_frame (struct context *c) | |
1572 | { | |
1573 | #ifdef USE_LZO | |
1574 | /* | |
1575 | * Initialize LZO compression library. | |
1576 | */ | |
537073fd | 1577 | if (c->options.lzo & LZO_SELECTED) |
6fbf66fa JY |
1578 | { |
1579 | lzo_adjust_frame_parameters (&c->c2.frame); | |
1580 | ||
1581 | /* | |
1582 | * LZO usage affects buffer alignment. | |
1583 | */ | |
1584 | if (CIPHER_ENABLED (c)) | |
1585 | { | |
1586 | frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN); | |
1587 | frame_or_align_flags (&c->c2.frame, | |
1588 | FRAME_HEADROOM_MARKER_FRAGMENT | |
1589 | |FRAME_HEADROOM_MARKER_DECRYPT); | |
1590 | } | |
1591 | ||
1592 | #ifdef ENABLE_FRAGMENT | |
1593 | lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */ | |
1594 | #endif | |
1595 | } | |
537073fd | 1596 | #endif /* USE_LZO */ |
6fbf66fa JY |
1597 | |
1598 | #ifdef ENABLE_SOCKS | |
1599 | /* | |
1600 | * Adjust frame size for UDP Socks support. | |
1601 | */ | |
1602 | if (c->options.socks_proxy_server) | |
1603 | socks_adjust_frame_parameters (&c->c2.frame, c->options.proto); | |
1604 | #endif | |
1605 | ||
1606 | /* | |
1607 | * Adjust frame size based on the --tun-mtu-extra parameter. | |
1608 | */ | |
1609 | if (c->options.tun_mtu_extra_defined) | |
1610 | tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra); | |
1611 | ||
1612 | /* | |
1613 | * Adjust frame size based on link socket parameters. | |
1614 | * (Since TCP is a stream protocol, we need to insert | |
1615 | * a packet length uint16_t in the buffer.) | |
1616 | */ | |
1617 | socket_adjust_frame_parameters (&c->c2.frame, c->options.proto); | |
1618 | ||
1619 | /* | |
1620 | * Fill in the blanks in the frame parameters structure, | |
1621 | * make sure values are rational, etc. | |
1622 | */ | |
1623 | frame_finalize_options (c, NULL); | |
1624 | ||
1625 | #ifdef ENABLE_FRAGMENT | |
1626 | /* | |
1627 | * Set frame parameter for fragment code. This is necessary because | |
1628 | * the fragmentation code deals with payloads which have already been | |
1629 | * passed through the compression code. | |
1630 | */ | |
1631 | c->c2.frame_fragment = c->c2.frame; | |
1632 | frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit); | |
1633 | #endif | |
1634 | ||
1635 | #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) | |
1636 | /* | |
1637 | * MTU advisories | |
1638 | */ | |
1639 | if (c->options.fragment && c->options.mtu_test) | |
1640 | msg (M_WARN, | |
1641 | "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); | |
1642 | #endif | |
1643 | ||
1644 | #ifdef ENABLE_FRAGMENT | |
1645 | if ((c->options.mssfix || c->options.fragment) | |
1646 | && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU) | |
1647 | msg (M_WARN, | |
1648 | "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", | |
1649 | ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment)); | |
1650 | #endif | |
1651 | } | |
1652 | ||
1653 | static void | |
1654 | do_option_warnings (struct context *c) | |
1655 | { | |
1656 | const struct options *o = &c->options; | |
1657 | ||
1658 | #if 1 /* JYFIXME -- port warning */ | |
1659 | if (!o->port_option_used && (o->local_port == OPENVPN_PORT && o->remote_port == OPENVPN_PORT)) | |
1660 | msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.", | |
1661 | OPENVPN_PORT); | |
1662 | #endif | |
1663 | ||
1664 | if (o->ping_send_timeout && !o->ping_rec_timeout) | |
1665 | msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); | |
1666 | ||
1667 | if ((o->username || o->groupname || o->chroot_dir) && (!o->persist_tun || !o->persist_key)) | |
1668 | msg (M_WARN, "WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail"); | |
1669 | ||
1670 | #if P2MP | |
1671 | if (o->pull && o->ifconfig_local && c->first_time) | |
1672 | msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); | |
1673 | ||
1674 | #if P2MP_SERVER | |
1675 | if (o->mode == MODE_SERVER) | |
1676 | { | |
1677 | if (o->duplicate_cn && o->client_config_dir) | |
1678 | msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); | |
1679 | if (o->duplicate_cn && o->ifconfig_pool_persist_filename) | |
1680 | msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); | |
1681 | if (!o->keepalive_ping || !o->keepalive_timeout) | |
1682 | msg (M_WARN, "WARNING: --keepalive option is missing from server config"); | |
1683 | } | |
1684 | #endif | |
1685 | #endif | |
1686 | ||
1687 | #ifdef USE_CRYPTO | |
1688 | if (!o->replay) | |
1689 | msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); | |
1690 | if (!o->use_iv) | |
1691 | msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); | |
1692 | ||
1693 | #ifdef USE_SSL | |
1694 | if (o->tls_client | |
1695 | && !o->tls_verify | |
1696 | && !o->tls_remote | |
027a87ce | 1697 | && !(o->ns_cert_type & NS_SSL_SERVER) |
bed73623 | 1698 | && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0])) |
6fbf66fa JY |
1699 | msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); |
1700 | #endif | |
1ae9d051 | 1701 | #endif |
6fbf66fa | 1702 | |
1ae9d051 JY |
1703 | #ifndef CONNECT_NONBLOCK |
1704 | if (o->connect_timeout_defined) | |
1705 | msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); | |
6fbf66fa JY |
1706 | #endif |
1707 | } | |
1708 | ||
1709 | static void | |
1710 | do_init_frame_tls (struct context *c) | |
1711 | { | |
1712 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
1713 | do_init_finalize_tls_frame (c); | |
1714 | #endif | |
1715 | } | |
1716 | ||
1717 | struct context_buffers * | |
1718 | init_context_buffers (const struct frame *frame) | |
1719 | { | |
1720 | struct context_buffers *b; | |
1721 | ||
1722 | ALLOC_OBJ_CLEAR (b, struct context_buffers); | |
1723 | ||
1724 | b->read_link_buf = alloc_buf (BUF_SIZE (frame)); | |
1725 | b->read_tun_buf = alloc_buf (BUF_SIZE (frame)); | |
1726 | ||
1727 | b->aux_buf = alloc_buf (BUF_SIZE (frame)); | |
1728 | ||
1729 | #ifdef USE_CRYPTO | |
1730 | b->encrypt_buf = alloc_buf (BUF_SIZE (frame)); | |
1731 | b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); | |
1732 | #endif | |
1733 | ||
1734 | #ifdef USE_LZO | |
1735 | b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame)); | |
1736 | b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame)); | |
1737 | #endif | |
1738 | ||
1739 | return b; | |
1740 | } | |
1741 | ||
1742 | void | |
1743 | free_context_buffers (struct context_buffers *b) | |
1744 | { | |
1745 | if (b) | |
1746 | { | |
1747 | free_buf (&b->read_link_buf); | |
1748 | free_buf (&b->read_tun_buf); | |
1749 | free_buf (&b->aux_buf); | |
1750 | ||
1751 | #ifdef USE_LZO | |
1752 | free_buf (&b->lzo_compress_buf); | |
1753 | free_buf (&b->lzo_decompress_buf); | |
1754 | #endif | |
1755 | ||
1756 | #ifdef USE_CRYPTO | |
1757 | free_buf (&b->encrypt_buf); | |
1758 | free_buf (&b->decrypt_buf); | |
1759 | #endif | |
1760 | ||
1761 | free (b); | |
1762 | } | |
1763 | } | |
1764 | ||
1765 | /* | |
1766 | * Now that we know all frame parameters, initialize | |
1767 | * our buffers. | |
1768 | */ | |
1769 | static void | |
1770 | do_init_buffers (struct context *c) | |
1771 | { | |
1772 | c->c2.buffers = init_context_buffers (&c->c2.frame); | |
1773 | c->c2.buffers_owned = true; | |
1774 | } | |
1775 | ||
1776 | #ifdef ENABLE_FRAGMENT | |
1777 | /* | |
1778 | * Fragmenting code has buffers to initialize | |
1779 | * once frame parameters are known. | |
1780 | */ | |
1781 | static void | |
1782 | do_init_fragment (struct context *c) | |
1783 | { | |
1784 | ASSERT (c->options.fragment); | |
1785 | frame_set_mtu_dynamic (&c->c2.frame_fragment, | |
1786 | c->options.fragment, SET_MTU_UPPER_BOUND); | |
1787 | fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment); | |
1788 | } | |
1789 | #endif | |
1790 | ||
1791 | /* | |
1792 | * Set the --mssfix option. | |
1793 | */ | |
1794 | static void | |
1795 | do_init_mssfix (struct context *c) | |
1796 | { | |
1797 | if (c->options.mssfix) | |
1798 | { | |
1799 | frame_set_mtu_dynamic (&c->c2.frame, | |
1800 | c->options.mssfix, SET_MTU_UPPER_BOUND); | |
1801 | } | |
1802 | } | |
1803 | ||
1804 | /* | |
1805 | * Allocate our socket object. | |
1806 | */ | |
1807 | static void | |
1808 | do_link_socket_new (struct context *c) | |
1809 | { | |
1810 | ASSERT (!c->c2.link_socket); | |
1811 | c->c2.link_socket = link_socket_new (); | |
1812 | c->c2.link_socket_owned = true; | |
1813 | } | |
1814 | ||
1815 | /* | |
1816 | * bind the TCP/UDP socket | |
1817 | */ | |
1818 | static void | |
1819 | do_init_socket_1 (struct context *c, int mode) | |
1820 | { | |
1821 | link_socket_init_phase1 (c->c2.link_socket, | |
1822 | c->options.local, | |
1823 | c->c1.remote_list, | |
1824 | c->options.local_port, | |
1825 | c->options.proto, | |
1826 | mode, | |
1827 | c->c2.accept_from, | |
1828 | #ifdef ENABLE_HTTP_PROXY | |
1829 | c->c1.http_proxy, | |
1830 | #endif | |
1831 | #ifdef ENABLE_SOCKS | |
1832 | c->c1.socks_proxy, | |
1833 | #endif | |
1834 | #ifdef ENABLE_DEBUG | |
1835 | c->options.gremlin, | |
1836 | #endif | |
1837 | c->options.bind_local, | |
1838 | c->options.remote_float, | |
1839 | c->options.inetd, | |
1840 | &c->c1.link_socket_addr, | |
1841 | c->options.ipchange, | |
3c7f2f55 | 1842 | c->plugins, |
6fbf66fa JY |
1843 | c->options.resolve_retry_seconds, |
1844 | c->options.connect_retry_seconds, | |
1ae9d051 | 1845 | c->options.connect_timeout, |
b540a9e0 | 1846 | c->options.connect_retry_max, |
6fbf66fa JY |
1847 | c->options.mtu_discover_type, |
1848 | c->options.rcvbuf, | |
00d39170 JY |
1849 | c->options.sndbuf, |
1850 | c->options.sockflags); | |
6fbf66fa JY |
1851 | } |
1852 | ||
1853 | /* | |
1854 | * finalize the TCP/UDP socket | |
1855 | */ | |
1856 | static void | |
1857 | do_init_socket_2 (struct context *c) | |
1858 | { | |
1859 | link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, | |
1860 | &c->sig->signal_received); | |
1861 | } | |
1862 | ||
1863 | /* | |
1864 | * Print MTU INFO | |
1865 | */ | |
1866 | static void | |
1867 | do_print_data_channel_mtu_parms (struct context *c) | |
1868 | { | |
1869 | frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); | |
1870 | #ifdef ENABLE_FRAGMENT | |
1871 | if (c->c2.fragment) | |
1872 | frame_print (&c->c2.frame_fragment, D_MTU_INFO, | |
1873 | "Fragmentation MTU parms"); | |
1874 | #endif | |
1875 | } | |
1876 | ||
1877 | #ifdef ENABLE_OCC | |
1878 | /* | |
1879 | * Get local and remote options compatibility strings. | |
1880 | */ | |
1881 | static void | |
1882 | do_compute_occ_strings (struct context *c) | |
1883 | { | |
1884 | struct gc_arena gc = gc_new (); | |
1885 | ||
1886 | c->c2.options_string_local = | |
1887 | options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); | |
1888 | c->c2.options_string_remote = | |
1889 | options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); | |
1890 | ||
1891 | msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local); | |
1892 | msg (D_SHOW_OCC, "Expected Remote Options String: '%s'", | |
1893 | c->c2.options_string_remote); | |
1894 | ||
1895 | #ifdef USE_CRYPTO | |
1896 | msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", | |
1897 | options_string_version (c->c2.options_string_local, &gc), | |
1898 | md5sum ((uint8_t*)c->c2.options_string_local, | |
1899 | strlen (c->c2.options_string_local), 9, &gc)); | |
1900 | msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'", | |
1901 | options_string_version (c->c2.options_string_remote, &gc), | |
1902 | md5sum ((uint8_t*)c->c2.options_string_remote, | |
1903 | strlen (c->c2.options_string_remote), 9, &gc)); | |
1904 | #endif | |
1905 | ||
1906 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
1907 | if (c->c2.tls_multi) | |
1908 | tls_multi_init_set_options (c->c2.tls_multi, | |
1909 | c->c2.options_string_local, | |
1910 | c->c2.options_string_remote); | |
1911 | #endif | |
1912 | ||
1913 | gc_free (&gc); | |
1914 | } | |
1915 | #endif | |
1916 | ||
1917 | /* | |
1918 | * These things can only be executed once per program instantiation. | |
1919 | * Set up for possible UID/GID downgrade, but don't do it yet. | |
1920 | * Daemonize if requested. | |
1921 | */ | |
1922 | static void | |
1923 | do_init_first_time (struct context *c) | |
1924 | { | |
90e105d2 | 1925 | if (c->first_time && !c->did_we_daemonize) |
6fbf66fa JY |
1926 | { |
1927 | /* get user and/or group that we want to setuid/setgid to */ | |
1928 | c->c2.uid_gid_specified = | |
1929 | get_group (c->options.groupname, &c->c2.group_state) | | |
1930 | get_user (c->options.username, &c->c2.user_state); | |
1931 | ||
1932 | /* get --writepid file descriptor */ | |
1933 | get_pid_file (c->options.writepid, &c->c2.pid_state); | |
1934 | ||
1935 | /* become a daemon if --daemon */ | |
90e105d2 | 1936 | c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time); |
6fbf66fa JY |
1937 | |
1938 | /* should we disable paging? */ | |
90e105d2 | 1939 | if (c->options.mlock && c->did_we_daemonize) |
6fbf66fa JY |
1940 | do_mlockall (true); /* call again in case we daemonized */ |
1941 | ||
1942 | /* save process ID in a file */ | |
1943 | write_pid (&c->c2.pid_state); | |
1944 | ||
1945 | /* should we change scheduling priority? */ | |
1946 | set_nice (c->options.nice); | |
1947 | } | |
1948 | } | |
1949 | ||
1950 | /* | |
1951 | * If xinetd/inetd mode, don't allow restart. | |
1952 | */ | |
1953 | static void | |
1954 | do_close_check_if_restart_permitted (struct context *c) | |
1955 | { | |
1956 | if (c->options.inetd | |
1957 | && (c->sig->signal_received == SIGHUP | |
1958 | || c->sig->signal_received == SIGUSR1)) | |
1959 | { | |
1960 | c->sig->signal_received = SIGTERM; | |
1961 | msg (M_INFO, | |
1962 | PACKAGE_NAME | |
1963 | " started by inetd/xinetd cannot restart... Exiting."); | |
1964 | } | |
1965 | } | |
1966 | ||
1967 | /* | |
1968 | * free buffers | |
1969 | */ | |
1970 | static void | |
1971 | do_close_free_buf (struct context *c) | |
1972 | { | |
1973 | if (c->c2.buffers_owned) | |
1974 | { | |
1975 | free_context_buffers (c->c2.buffers); | |
1976 | c->c2.buffers = NULL; | |
1977 | c->c2.buffers_owned = false; | |
1978 | } | |
1979 | } | |
1980 | ||
1981 | /* | |
1982 | * close TLS | |
1983 | */ | |
1984 | static void | |
1985 | do_close_tls (struct context *c) | |
1986 | { | |
1987 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
1988 | if (c->c2.tls_multi) | |
1989 | { | |
1990 | tls_multi_free (c->c2.tls_multi, true); | |
1991 | c->c2.tls_multi = NULL; | |
1992 | } | |
1993 | ||
1994 | #ifdef ENABLE_OCC | |
1995 | /* free options compatibility strings */ | |
1996 | if (c->c2.options_string_local) | |
1997 | free (c->c2.options_string_local); | |
1998 | if (c->c2.options_string_remote) | |
1999 | free (c->c2.options_string_remote); | |
2000 | c->c2.options_string_local = c->c2.options_string_remote = NULL; | |
2001 | #endif | |
2002 | #endif | |
2003 | } | |
2004 | ||
2005 | /* | |
2006 | * Free key schedules | |
2007 | */ | |
2008 | static void | |
2009 | do_close_free_key_schedule (struct context *c, bool free_ssl_ctx) | |
2010 | { | |
2011 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) | |
2012 | key_schedule_free (&c->c1.ks, free_ssl_ctx); | |
2013 | } | |
2014 | ||
2015 | /* | |
2016 | * Close TCP/UDP connection | |
2017 | */ | |
2018 | static void | |
2019 | do_close_link_socket (struct context *c) | |
2020 | { | |
2021 | if (c->c2.link_socket && c->c2.link_socket_owned) | |
2022 | { | |
2023 | link_socket_close (c->c2.link_socket); | |
2024 | c->c2.link_socket = NULL; | |
2025 | } | |
2026 | ||
2027 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) | |
2028 | { | |
2029 | CLEAR (c->c1.link_socket_addr.remote); | |
2030 | CLEAR (c->c1.link_socket_addr.actual); | |
2031 | } | |
2032 | ||
2033 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) | |
2034 | CLEAR (c->c1.link_socket_addr.local); | |
2035 | } | |
2036 | ||
2037 | /* | |
2038 | * Close packet-id persistance file | |
2039 | */ | |
2040 | static void | |
2041 | do_close_packet_id (struct context *c) | |
2042 | { | |
2043 | #ifdef USE_CRYPTO | |
2044 | packet_id_free (&c->c2.packet_id); | |
2045 | packet_id_persist_save (&c->c1.pid_persist); | |
2046 | if (!(c->sig->signal_received == SIGUSR1)) | |
2047 | packet_id_persist_close (&c->c1.pid_persist); | |
2048 | #endif | |
2049 | } | |
2050 | ||
2051 | #ifdef ENABLE_FRAGMENT | |
2052 | /* | |
2053 | * Close fragmentation handler. | |
2054 | */ | |
2055 | static void | |
2056 | do_close_fragment (struct context *c) | |
2057 | { | |
2058 | if (c->c2.fragment) | |
2059 | { | |
2060 | fragment_free (c->c2.fragment); | |
2061 | c->c2.fragment = NULL; | |
2062 | } | |
2063 | } | |
2064 | #endif | |
2065 | ||
2066 | /* | |
2067 | * Open and close our event objects. | |
2068 | */ | |
2069 | ||
2070 | static void | |
2071 | do_event_set_init (struct context *c, | |
2072 | bool need_us_timeout) | |
2073 | { | |
2074 | unsigned int flags = 0; | |
2075 | ||
2076 | c->c2.event_set_max = BASE_N_EVENTS; | |
2077 | ||
2078 | flags |= EVENT_METHOD_FAST; | |
2079 | ||
2080 | if (need_us_timeout) | |
2081 | flags |= EVENT_METHOD_US_TIMEOUT; | |
2082 | ||
2083 | c->c2.event_set = event_set_init (&c->c2.event_set_max, flags); | |
2084 | c->c2.event_set_owned = true; | |
2085 | } | |
2086 | ||
2087 | static void | |
2088 | do_close_event_set (struct context *c) | |
2089 | { | |
2090 | if (c->c2.event_set && c->c2.event_set_owned) | |
2091 | { | |
2092 | event_free (c->c2.event_set); | |
2093 | c->c2.event_set = NULL; | |
2094 | c->c2.event_set_owned = false; | |
2095 | } | |
2096 | } | |
2097 | ||
2098 | /* | |
2099 | * Open and close --status file | |
2100 | */ | |
2101 | ||
2102 | static void | |
2103 | do_open_status_output (struct context *c) | |
2104 | { | |
2105 | if (!c->c1.status_output) | |
2106 | { | |
2107 | c->c1.status_output = status_open (c->options.status_file, | |
2108 | c->options.status_file_update_freq, | |
2109 | -1, | |
2110 | NULL, | |
2111 | STATUS_OUTPUT_WRITE); | |
2112 | c->c1.status_output_owned = true; | |
2113 | } | |
2114 | } | |
2115 | ||
2116 | static void | |
2117 | do_close_status_output (struct context *c) | |
2118 | { | |
2119 | if (!(c->sig->signal_received == SIGUSR1)) | |
2120 | { | |
2121 | if (c->c1.status_output_owned && c->c1.status_output) | |
2122 | { | |
2123 | status_close (c->c1.status_output); | |
2124 | c->c1.status_output = NULL; | |
2125 | c->c1.status_output_owned = false; | |
2126 | } | |
2127 | } | |
2128 | } | |
2129 | ||
2130 | /* | |
2131 | * Handle ifconfig-pool persistance object. | |
2132 | */ | |
2133 | static void | |
2134 | do_open_ifconfig_pool_persist (struct context *c) | |
2135 | { | |
2136 | #if P2MP_SERVER | |
2137 | if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) | |
2138 | { | |
2139 | c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename, | |
2140 | c->options.ifconfig_pool_persist_refresh_freq); | |
2141 | c->c1.ifconfig_pool_persist_owned = true; | |
2142 | } | |
2143 | #endif | |
2144 | } | |
2145 | ||
2146 | static void | |
2147 | do_close_ifconfig_pool_persist (struct context *c) | |
2148 | { | |
2149 | #if P2MP_SERVER | |
2150 | if (!(c->sig->signal_received == SIGUSR1)) | |
2151 | { | |
2152 | if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) | |
2153 | { | |
2154 | ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist); | |
2155 | c->c1.ifconfig_pool_persist = NULL; | |
2156 | c->c1.ifconfig_pool_persist_owned = false; | |
2157 | } | |
2158 | } | |
2159 | #endif | |
2160 | } | |
2161 | ||
2162 | /* | |
2163 | * Inherit environmental variables | |
2164 | */ | |
2165 | ||
2166 | static void | |
2167 | do_inherit_env (struct context *c, const struct env_set *src) | |
2168 | { | |
2169 | c->c2.es = env_set_create (&c->c2.gc); | |
2170 | env_set_inherit (c->c2.es, src); | |
2171 | } | |
2172 | ||
2173 | /* | |
2174 | * Fast I/O setup. Fast I/O is an optimization which only works | |
2175 | * if all of the following are true: | |
2176 | * | |
2177 | * (1) The platform is not Windows | |
2178 | * (2) --proto udp is enabled | |
2179 | * (3) --shaper is disabled | |
2180 | */ | |
2181 | static void | |
2182 | do_setup_fast_io (struct context *c) | |
2183 | { | |
2184 | if (c->options.fast_io) | |
2185 | { | |
2186 | #ifdef WIN32 | |
2187 | msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); | |
2188 | #else | |
2189 | if (c->options.proto != PROTO_UDPv4) | |
2190 | msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); | |
2191 | else | |
2192 | { | |
0475d17e | 2193 | #ifdef HAVE_GETTIMEOFDAY |
6fbf66fa JY |
2194 | if (c->options.shaper) |
2195 | msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); | |
2196 | else | |
0475d17e | 2197 | #endif |
6fbf66fa JY |
2198 | { |
2199 | c->c2.fast_io = true; | |
2200 | } | |
2201 | } | |
2202 | #endif | |
2203 | } | |
2204 | } | |
2205 | ||
2206 | static void | |
2207 | do_signal_on_tls_errors (struct context *c) | |
2208 | { | |
2209 | #if defined(USE_CRYPTO) && defined(USE_SSL) | |
2210 | if (c->options.tls_exit) | |
2211 | c->c2.tls_exit_signal = SIGTERM; | |
2212 | else | |
2213 | c->c2.tls_exit_signal = SIGUSR1; | |
2214 | #endif | |
2215 | } | |
2216 | ||
3c7f2f55 | 2217 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 2218 | |
3c7f2f55 | 2219 | void |
e1791bb1 | 2220 | init_plugins (struct context *c) |
6fbf66fa | 2221 | { |
3c7f2f55 | 2222 | if (c->options.plugin_list && !c->plugins) |
e1791bb1 JY |
2223 | { |
2224 | c->plugins = plugin_list_init (c->options.plugin_list); | |
2225 | c->plugins_owned = true; | |
2226 | } | |
2227 | } | |
2228 | ||
2229 | void | |
2230 | open_plugins (struct context *c, const bool import_options, int init_point) | |
2231 | { | |
2232 | if (c->plugins && c->plugins_owned) | |
6fbf66fa | 2233 | { |
3c7f2f55 JY |
2234 | if (import_options) |
2235 | { | |
2236 | struct plugin_return pr, config; | |
2237 | plugin_return_init (&pr); | |
e1791bb1 | 2238 | plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); |
3c7f2f55 JY |
2239 | plugin_return_get_column (&pr, &config, "config"); |
2240 | if (plugin_return_defined (&config)) | |
2241 | { | |
2242 | int i; | |
2243 | for (i = 0; i < config.n; ++i) | |
2244 | { | |
2245 | unsigned int option_types_found = 0; | |
2246 | if (config.list[i] && config.list[i]->value) | |
2247 | options_plugin_import (&c->options, | |
2248 | config.list[i]->value, | |
2249 | D_IMPORT_ERRORS|M_OPTERR, | |
2250 | OPT_P_DEFAULT & ~OPT_P_PLUGIN, | |
2251 | &option_types_found, | |
2252 | c->es); | |
2253 | } | |
2254 | } | |
2255 | plugin_return_free (&pr); | |
2256 | } | |
2257 | else | |
2258 | { | |
e1791bb1 | 2259 | plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); |
3c7f2f55 | 2260 | } |
6fbf66fa | 2261 | } |
6fbf66fa JY |
2262 | } |
2263 | ||
2264 | static void | |
2265 | do_close_plugins (struct context *c) | |
2266 | { | |
3c7f2f55 | 2267 | if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 2268 | { |
3c7f2f55 JY |
2269 | plugin_list_close (c->plugins); |
2270 | c->plugins = NULL; | |
2271 | c->plugins_owned = false; | |
6fbf66fa | 2272 | } |
6fbf66fa JY |
2273 | } |
2274 | ||
3c7f2f55 JY |
2275 | static void |
2276 | do_inherit_plugins (struct context *c, const struct context *src) | |
2277 | { | |
2278 | if (!c->plugins && src->plugins) | |
2279 | { | |
2280 | c->plugins = plugin_list_inherit (src->plugins); | |
2281 | c->plugins_owned = true; | |
2282 | } | |
2283 | } | |
2284 | ||
2285 | #endif | |
2286 | ||
6fbf66fa JY |
2287 | #ifdef ENABLE_MANAGEMENT |
2288 | ||
2289 | static void | |
2290 | management_callback_status_p2p (void *arg, const int version, struct status_output *so) | |
2291 | { | |
2292 | struct context *c = (struct context *) arg; | |
2293 | print_status (c, so); | |
2294 | } | |
2295 | ||
2296 | void | |
2297 | management_show_net_callback (void *arg, const int msglevel) | |
2298 | { | |
2299 | #ifdef WIN32 | |
2300 | show_routes (msglevel); | |
2301 | show_adapters (msglevel); | |
2302 | msg (msglevel, "END"); | |
2303 | #else | |
2304 | msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); | |
2305 | #endif | |
2306 | } | |
2307 | ||
2308 | #endif | |
2309 | ||
2310 | void | |
2311 | init_management_callback_p2p (struct context *c) | |
2312 | { | |
2313 | #ifdef ENABLE_MANAGEMENT | |
2314 | if (management) | |
2315 | { | |
2316 | struct management_callback cb; | |
2317 | CLEAR (cb); | |
2318 | cb.arg = c; | |
2319 | cb.status = management_callback_status_p2p; | |
2320 | cb.show_net = management_show_net_callback; | |
2321 | management_set_callback (management, &cb); | |
2322 | } | |
2323 | #endif | |
2324 | } | |
2325 | ||
2326 | #ifdef ENABLE_MANAGEMENT | |
2327 | ||
2328 | void | |
2329 | init_management (struct context *c) | |
2330 | { | |
2331 | if (!management) | |
2332 | management = management_init (); | |
2333 | } | |
2334 | ||
2335 | bool | |
2336 | open_management (struct context *c) | |
2337 | { | |
2338 | /* initialize management layer */ | |
2339 | if (management) | |
2340 | { | |
2341 | if (c->options.management_addr) | |
2342 | { | |
2343 | if (management_open (management, | |
2344 | c->options.management_addr, | |
2345 | c->options.management_port, | |
2346 | c->options.management_user_pass, | |
2347 | c->options.mode == MODE_SERVER, | |
2348 | c->options.management_query_passwords, | |
2349 | c->options.management_log_history_cache, | |
2350 | c->options.management_echo_buffer_size, | |
2351 | c->options.management_state_buffer_size, | |
2352 | c->options.management_hold)) | |
2353 | { | |
2354 | management_set_state (management, | |
2355 | OPENVPN_STATE_CONNECTING, | |
2356 | NULL, | |
5ad84585 | 2357 | (in_addr_t)0, |
6fbf66fa JY |
2358 | (in_addr_t)0); |
2359 | } | |
2360 | ||
2361 | /* possible wait */ | |
2362 | do_hold (c); | |
2363 | if (IS_SIG (c)) | |
2364 | { | |
2365 | msg (M_WARN, "Signal received from management interface, exiting"); | |
2366 | return false; | |
2367 | } | |
2368 | } | |
2369 | else | |
2370 | close_management (); | |
2371 | } | |
2372 | return true; | |
2373 | } | |
2374 | ||
2375 | void | |
2376 | close_management (void) | |
2377 | { | |
2378 | if (management) | |
2379 | { | |
2380 | management_close (management); | |
2381 | management = NULL; | |
2382 | } | |
2383 | } | |
2384 | ||
2385 | #endif | |
2386 | ||
2387 | ||
2388 | void | |
2389 | uninit_management_callback (void) | |
2390 | { | |
2391 | #ifdef ENABLE_MANAGEMENT | |
2392 | if (management) | |
2393 | { | |
2394 | management_clear_callback (management); | |
2395 | } | |
2396 | #endif | |
2397 | } | |
2398 | ||
2399 | /* | |
2400 | * Initialize a tunnel instance, handle pre and post-init | |
2401 | * signal settings. | |
2402 | */ | |
2403 | void | |
2404 | init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags) | |
2405 | { | |
2406 | pre_init_signal_catch (); | |
2407 | init_instance (c, env, flags); | |
2408 | post_init_signal_catch (); | |
b540a9e0 JY |
2409 | |
2410 | /* | |
2411 | * This is done so that signals thrown during | |
2412 | * initialization can bring us back to | |
2413 | * a management hold. | |
2414 | */ | |
2415 | if (IS_SIG (c)) | |
d5badcf1 JY |
2416 | { |
2417 | remap_signal (c); | |
2418 | uninit_management_callback (); | |
2419 | } | |
6fbf66fa JY |
2420 | } |
2421 | ||
2422 | /* | |
2423 | * Initialize a tunnel instance. | |
2424 | */ | |
2425 | void | |
2426 | init_instance (struct context *c, const struct env_set *env, const unsigned int flags) | |
2427 | { | |
2428 | const struct options *options = &c->options; | |
2429 | const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); | |
2430 | int link_socket_mode = LS_MODE_DEFAULT; | |
2431 | ||
2432 | /* init garbage collection level */ | |
2433 | gc_init (&c->c2.gc); | |
2434 | ||
2435 | /* signals caught here will abort */ | |
2436 | c->sig->signal_received = 0; | |
2437 | c->sig->signal_text = NULL; | |
2438 | c->sig->hard = false; | |
2439 | ||
2440 | /* link_socket_mode allows CM_CHILD_TCP | |
2441 | instances to inherit acceptable fds | |
2442 | from a top-level parent */ | |
2443 | if (c->options.proto == PROTO_TCPv4_SERVER) | |
2444 | { | |
2445 | if (c->mode == CM_TOP) | |
2446 | link_socket_mode = LS_MODE_TCP_LISTEN; | |
2447 | else if (c->mode == CM_CHILD_TCP) | |
2448 | link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; | |
2449 | } | |
2450 | ||
2451 | /* should we disable paging? */ | |
2452 | if (c->first_time && options->mlock) | |
2453 | do_mlockall (true); | |
2454 | ||
2455 | /* possible sleep or management hold if restart */ | |
2456 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2457 | { | |
2458 | do_startup_pause (c); | |
2459 | if (IS_SIG (c)) | |
2460 | goto sig; | |
2461 | } | |
2462 | ||
2463 | /* initialize context level 2 --verb/--mute parms */ | |
2464 | init_verb_mute (c, IVM_LEVEL_2); | |
2465 | ||
2466 | /* set error message delay for non-server modes */ | |
2467 | if (c->mode == CM_P2P) | |
2468 | set_check_status_error_delay (P2P_ERROR_DELAY_MS); | |
2469 | ||
2470 | /* warn about inconsistent options */ | |
2471 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2472 | do_option_warnings (c); | |
2473 | ||
2474 | /* inherit environmental variables */ | |
2475 | if (env) | |
2476 | do_inherit_env (c, env); | |
2477 | ||
3c7f2f55 | 2478 | #ifdef ENABLE_PLUGIN |
6fbf66fa JY |
2479 | /* initialize plugins */ |
2480 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
e1791bb1 | 2481 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); |
3c7f2f55 | 2482 | #endif |
6fbf66fa JY |
2483 | |
2484 | /* should we enable fast I/O? */ | |
2485 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2486 | do_setup_fast_io (c); | |
2487 | ||
2488 | /* should we throw a signal on TLS errors? */ | |
2489 | do_signal_on_tls_errors (c); | |
2490 | ||
2491 | /* open --status file */ | |
2492 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2493 | do_open_status_output (c); | |
2494 | ||
2495 | /* open --ifconfig-pool-persist file */ | |
2496 | if (c->mode == CM_TOP) | |
2497 | do_open_ifconfig_pool_persist (c); | |
2498 | ||
2499 | #ifdef ENABLE_OCC | |
2500 | /* reset OCC state */ | |
2501 | if (c->mode == CM_P2P || child) | |
2502 | c->c2.occ_op = occ_reset_op (); | |
2503 | #endif | |
2504 | ||
2505 | /* our wait-for-i/o objects, different for posix vs. win32 */ | |
2506 | if (c->mode == CM_P2P) | |
2507 | do_event_set_init (c, SHAPER_DEFINED (&c->options)); | |
2508 | else if (c->mode == CM_CHILD_TCP) | |
2509 | do_event_set_init (c, false); | |
2510 | ||
2511 | /* allocate our socket object */ | |
2512 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
2513 | do_link_socket_new (c); | |
2514 | ||
2515 | #ifdef ENABLE_FRAGMENT | |
2516 | /* initialize internal fragmentation object */ | |
2517 | if (options->fragment && (c->mode == CM_P2P || child)) | |
2518 | c->c2.fragment = fragment_init (&c->c2.frame); | |
2519 | #endif | |
2520 | ||
2521 | /* init crypto layer */ | |
2522 | { | |
2523 | unsigned int crypto_flags = 0; | |
2524 | if (c->mode == CM_TOP) | |
2525 | crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; | |
2526 | else if (c->mode == CM_P2P) | |
2527 | crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; | |
2528 | else if (child) | |
2529 | crypto_flags = CF_INIT_TLS_MULTI; | |
2530 | do_init_crypto (c, crypto_flags); | |
76a59eae | 2531 | if (IS_SIG (c) && !child) |
6fbf66fa JY |
2532 | goto sig; |
2533 | } | |
2534 | ||
2535 | #ifdef USE_LZO | |
2536 | /* initialize LZO compression library. */ | |
537073fd JY |
2537 | if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child)) |
2538 | lzo_compress_init (&c->c2.lzo_compwork, options->lzo); | |
6fbf66fa JY |
2539 | #endif |
2540 | ||
2541 | /* initialize MTU variables */ | |
2542 | do_init_frame (c); | |
2543 | ||
2544 | /* initialize TLS MTU variables */ | |
2545 | do_init_frame_tls (c); | |
2546 | ||
2547 | /* init workspace buffers whose size is derived from frame size */ | |
2548 | if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) | |
2549 | do_init_buffers (c); | |
2550 | ||
2551 | #ifdef ENABLE_FRAGMENT | |
2552 | /* initialize internal fragmentation capability with known frame size */ | |
2553 | if (options->fragment && (c->mode == CM_P2P || child)) | |
2554 | do_init_fragment (c); | |
2555 | #endif | |
2556 | ||
2557 | /* initialize dynamic MTU variable */ | |
2558 | do_init_mssfix (c); | |
2559 | ||
2560 | /* bind the TCP/UDP socket */ | |
2561 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
2562 | do_init_socket_1 (c, link_socket_mode); | |
2563 | ||
2564 | /* initialize tun/tap device object, | |
2565 | open tun/tap device, ifconfig, run up script, etc. */ | |
2566 | if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
2567 | c->c2.did_open_tun = do_open_tun (c); | |
2568 | ||
2569 | /* print MTU info */ | |
2570 | do_print_data_channel_mtu_parms (c); | |
2571 | ||
2572 | #ifdef ENABLE_OCC | |
2573 | /* get local and remote options compatibility strings */ | |
2574 | if (c->mode == CM_P2P || child) | |
2575 | do_compute_occ_strings (c); | |
2576 | #endif | |
2577 | ||
2578 | /* initialize output speed limiter */ | |
2579 | if (c->mode == CM_P2P) | |
2580 | do_init_traffic_shaper (c); | |
2581 | ||
2582 | /* do one-time inits, and possibily become a daemon here */ | |
2583 | do_init_first_time (c); | |
2584 | ||
e1791bb1 JY |
2585 | #ifdef ENABLE_PLUGIN |
2586 | /* initialize plugins */ | |
2587 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2588 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); | |
2589 | #endif | |
2590 | ||
6fbf66fa JY |
2591 | /* |
2592 | * Actually do UID/GID downgrade, and chroot, if requested. | |
2593 | * May be delayed by --client, --pull, or --up-delay. | |
2594 | */ | |
2595 | do_uid_gid_chroot (c, c->c2.did_open_tun); | |
2596 | ||
2597 | /* finalize the TCP/UDP socket */ | |
2598 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
2599 | do_init_socket_2 (c); | |
2600 | ||
2601 | /* initialize timers */ | |
2602 | if (c->mode == CM_P2P || child) | |
2603 | do_init_timers (c, false); | |
2604 | ||
e1791bb1 JY |
2605 | #ifdef ENABLE_PLUGIN |
2606 | /* initialize plugins */ | |
2607 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
2608 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); | |
2609 | #endif | |
2610 | ||
6fbf66fa JY |
2611 | /* Check for signals */ |
2612 | if (IS_SIG (c)) | |
2613 | goto sig; | |
2614 | ||
2615 | return; | |
2616 | ||
2617 | sig: | |
2618 | c->sig->signal_text = "init_instance"; | |
2619 | close_context (c, -1, flags); | |
2620 | return; | |
2621 | } | |
2622 | ||
2623 | /* | |
2624 | * Close a tunnel instance. | |
2625 | */ | |
2626 | void | |
2627 | close_instance (struct context *c) | |
2628 | { | |
2629 | /* close event objects */ | |
2630 | do_close_event_set (c); | |
2631 | ||
2632 | if (c->mode == CM_P2P | |
2633 | || c->mode == CM_CHILD_TCP | |
2634 | || c->mode == CM_CHILD_UDP | |
2635 | || c->mode == CM_TOP) | |
2636 | { | |
2637 | /* if xinetd/inetd mode, don't allow restart */ | |
2638 | do_close_check_if_restart_permitted (c); | |
2639 | ||
2640 | #ifdef USE_LZO | |
537073fd | 2641 | if (lzo_defined (&c->c2.lzo_compwork)) |
6fbf66fa JY |
2642 | lzo_compress_uninit (&c->c2.lzo_compwork); |
2643 | #endif | |
2644 | ||
2645 | /* free buffers */ | |
2646 | do_close_free_buf (c); | |
2647 | ||
2648 | /* close TLS */ | |
2649 | do_close_tls (c); | |
2650 | ||
2651 | /* free key schedules */ | |
2652 | do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP)); | |
2653 | ||
2654 | /* close TCP/UDP connection */ | |
2655 | do_close_link_socket (c); | |
2656 | ||
2657 | /* close TUN/TAP device */ | |
2658 | do_close_tun (c, false); | |
2659 | ||
3c7f2f55 | 2660 | #ifdef ENABLE_PLUGIN |
6fbf66fa JY |
2661 | /* call plugin close functions and unload */ |
2662 | do_close_plugins (c); | |
3c7f2f55 | 2663 | #endif |
6fbf66fa JY |
2664 | |
2665 | /* close packet-id persistance file */ | |
2666 | do_close_packet_id (c); | |
2667 | ||
2668 | /* close --status file */ | |
2669 | do_close_status_output (c); | |
2670 | ||
2671 | #ifdef ENABLE_FRAGMENT | |
2672 | /* close fragmentation handler */ | |
2673 | do_close_fragment (c); | |
2674 | #endif | |
2675 | ||
2676 | /* close --ifconfig-pool-persist obj */ | |
2677 | do_close_ifconfig_pool_persist (c); | |
2678 | ||
2679 | /* garbage collect */ | |
2680 | gc_free (&c->c2.gc); | |
2681 | } | |
2682 | } | |
2683 | ||
2684 | void | |
2685 | inherit_context_child (struct context *dest, | |
2686 | const struct context *src) | |
2687 | { | |
2688 | CLEAR (*dest); | |
2689 | ||
2690 | switch (src->options.proto) | |
2691 | { | |
2692 | case PROTO_UDPv4: | |
2693 | dest->mode = CM_CHILD_UDP; | |
2694 | break; | |
2695 | case PROTO_TCPv4_SERVER: | |
2696 | dest->mode = CM_CHILD_TCP; | |
2697 | break; | |
2698 | default: | |
2699 | ASSERT (0); | |
2700 | } | |
2701 | ||
2702 | dest->first_time = false; | |
2703 | ||
2704 | dest->gc = gc_new (); | |
2705 | ||
2706 | ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc); | |
2707 | ||
2708 | /* c1 init */ | |
2709 | packet_id_persist_init (&dest->c1.pid_persist); | |
2710 | ||
2711 | #ifdef USE_CRYPTO | |
2712 | dest->c1.ks.key_type = src->c1.ks.key_type; | |
2713 | #ifdef USE_SSL | |
2714 | /* inherit SSL context */ | |
2715 | dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; | |
2716 | dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; | |
2717 | #endif | |
2718 | #endif | |
2719 | ||
2720 | /* options */ | |
2721 | dest->options = src->options; | |
2722 | options_detach (&dest->options); | |
2723 | ||
2724 | if (dest->mode == CM_CHILD_TCP) | |
2725 | { | |
2726 | /* | |
2727 | * The CM_TOP context does the socket listen(), | |
2728 | * and the CM_CHILD_TCP context does the accept(). | |
2729 | */ | |
2730 | dest->c2.accept_from = src->c2.link_socket; | |
2731 | } | |
2732 | ||
3c7f2f55 | 2733 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 2734 | /* inherit plugins */ |
3c7f2f55 JY |
2735 | do_inherit_plugins (dest, src); |
2736 | #endif | |
6fbf66fa JY |
2737 | |
2738 | /* context init */ | |
79df31c8 | 2739 | init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); |
6fbf66fa JY |
2740 | if (IS_SIG (dest)) |
2741 | return; | |
2742 | ||
2743 | /* inherit tun/tap interface object */ | |
2744 | dest->c1.tuntap = src->c1.tuntap; | |
2745 | ||
2746 | /* UDP inherits some extra things which TCP does not */ | |
2747 | if (dest->mode == CM_CHILD_UDP) | |
2748 | { | |
2749 | /* inherit buffers */ | |
2750 | dest->c2.buffers = src->c2.buffers; | |
2751 | ||
2752 | /* inherit parent link_socket and tuntap */ | |
2753 | dest->c2.link_socket = src->c2.link_socket; | |
2754 | ||
2755 | ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc); | |
2756 | *dest->c2.link_socket_info = src->c2.link_socket->info; | |
2757 | ||
2758 | /* locally override some link_socket_info fields */ | |
2759 | dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; | |
2760 | dest->c2.link_socket_info->connection_established = false; | |
2761 | } | |
2762 | } | |
2763 | ||
2764 | void | |
2765 | inherit_context_top (struct context *dest, | |
2766 | const struct context *src) | |
2767 | { | |
2768 | /* copy parent */ | |
2769 | *dest = *src; | |
2770 | ||
2771 | /* | |
2772 | * CM_TOP_CLONE will prevent close_instance from freeing or closing | |
2773 | * resources owned by the parent. | |
2774 | * | |
2775 | * Also note that CM_TOP_CLONE context objects are | |
2776 | * closed by multi_top_free in multi.c. | |
2777 | */ | |
2778 | dest->mode = CM_TOP_CLONE; | |
2779 | ||
2780 | dest->first_time = false; | |
2781 | ||
2782 | options_detach (&dest->options); | |
2783 | gc_detach (&dest->gc); | |
2784 | gc_detach (&dest->c2.gc); | |
2785 | ||
3c7f2f55 JY |
2786 | /* detach plugins */ |
2787 | dest->plugins_owned = false; | |
2788 | ||
6fbf66fa JY |
2789 | #if defined(USE_CRYPTO) && defined(USE_SSL) |
2790 | dest->c2.tls_multi = NULL; | |
2791 | #endif | |
2792 | ||
3c7f2f55 | 2793 | /* detach c1 ownership */ |
6fbf66fa JY |
2794 | dest->c1.tuntap_owned = false; |
2795 | dest->c1.status_output_owned = false; | |
2796 | #if P2MP_SERVER | |
2797 | dest->c1.ifconfig_pool_persist_owned = false; | |
2798 | #endif | |
3c7f2f55 JY |
2799 | |
2800 | /* detach c2 ownership */ | |
6fbf66fa JY |
2801 | dest->c2.event_set_owned = false; |
2802 | dest->c2.link_socket_owned = false; | |
2803 | dest->c2.buffers_owned = false; | |
2804 | ||
2805 | dest->c2.event_set = NULL; | |
2806 | if (src->options.proto == PROTO_UDPv4) | |
2807 | do_event_set_init (dest, false); | |
2808 | } | |
2809 | ||
2810 | void | |
2811 | close_context (struct context *c, int sig, unsigned int flags) | |
2812 | { | |
79df31c8 JY |
2813 | ASSERT (c); |
2814 | ASSERT (c->sig); | |
2815 | ||
6fbf66fa JY |
2816 | if (sig >= 0) |
2817 | c->sig->signal_received = sig; | |
2818 | ||
2819 | if (c->sig->signal_received == SIGUSR1) | |
2820 | { | |
2821 | if ((flags & CC_USR1_TO_HUP) | |
2822 | || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP))) | |
2823 | c->sig->signal_received = SIGHUP; | |
2824 | } | |
2825 | ||
79df31c8 JY |
2826 | if (!(flags & CC_NO_CLOSE)) |
2827 | close_instance (c); | |
6fbf66fa JY |
2828 | |
2829 | if (flags & CC_GC_FREE) | |
2830 | context_gc_free (c); | |
2831 | } | |
2832 | ||
2833 | #ifdef USE_CRYPTO | |
2834 | ||
2835 | static void | |
2836 | test_malloc (void) | |
2837 | { | |
2838 | int i, j; | |
2839 | msg (M_INFO, "Multithreaded malloc test..."); | |
2840 | for (i = 0; i < 25; ++i) | |
2841 | { | |
2842 | struct gc_arena gc = gc_new (); | |
2843 | const int limit = get_random () & 0x03FF; | |
2844 | for (j = 0; j < limit; ++j) | |
2845 | { | |
2846 | gc_malloc (get_random () & 0x03FF, false, &gc); | |
2847 | } | |
2848 | gc_free (&gc); | |
2849 | } | |
2850 | } | |
2851 | ||
2852 | /* | |
2853 | * Do a loopback test | |
2854 | * on the crypto subsystem. | |
2855 | */ | |
2856 | static void * | |
2857 | test_crypto_thread (void *arg) | |
2858 | { | |
2859 | struct context *c = (struct context *) arg; | |
2860 | const struct options *options = &c->options; | |
2861 | #if defined(USE_PTHREAD) | |
2862 | struct context *child = NULL; | |
2863 | openvpn_thread_t child_id = 0; | |
2864 | #endif | |
2865 | ||
2866 | ASSERT (options->test_crypto); | |
2867 | init_verb_mute (c, IVM_LEVEL_1); | |
2868 | context_init_1 (c); | |
2869 | do_init_crypto_static (c, 0); | |
2870 | ||
2871 | #if defined(USE_PTHREAD) | |
2872 | { | |
2873 | if (c->first_time && options->n_threads > 1) | |
2874 | { | |
2875 | if (options->n_threads > 2) | |
2876 | msg (M_FATAL, "ERROR: --test-crypto option only works with --threads set to 1 or 2"); | |
2877 | openvpn_thread_init (); | |
2878 | ALLOC_OBJ (child, struct context); | |
2879 | context_clear (child); | |
2880 | child->options = *options; | |
2881 | options_detach (&child->options); | |
2882 | child->first_time = false; | |
2883 | child_id = openvpn_thread_create (test_crypto_thread, (void *) child); | |
2884 | } | |
2885 | } | |
2886 | #endif | |
2887 | frame_finalize_options (c, options); | |
2888 | ||
2889 | #if defined(USE_PTHREAD) | |
2890 | if (options->n_threads == 2) | |
2891 | test_malloc (); | |
2892 | #endif | |
2893 | ||
2894 | test_crypto (&c->c2.crypto_options, &c->c2.frame); | |
2895 | ||
2896 | key_schedule_free (&c->c1.ks, true); | |
2897 | packet_id_free (&c->c2.packet_id); | |
2898 | ||
2899 | #if defined(USE_PTHREAD) | |
2900 | if (c->first_time && options->n_threads > 1) | |
2901 | openvpn_thread_join (child_id); | |
2902 | if (child) | |
2903 | free (child); | |
2904 | #endif | |
2905 | context_gc_free (c); | |
2906 | return NULL; | |
2907 | } | |
2908 | ||
2909 | #endif | |
2910 | ||
2911 | bool | |
2912 | do_test_crypto (const struct options *o) | |
2913 | { | |
2914 | #ifdef USE_CRYPTO | |
2915 | if (o->test_crypto) | |
2916 | { | |
2917 | struct context c; | |
2918 | ||
2919 | /* print version number */ | |
2920 | msg (M_INFO, "%s", title_string); | |
2921 | ||
3c7f2f55 | 2922 | context_clear (&c); |
6fbf66fa JY |
2923 | c.options = *o; |
2924 | options_detach (&c.options); | |
2925 | c.first_time = true; | |
2926 | test_crypto_thread ((void *) &c); | |
2927 | return true; | |
2928 | } | |
2929 | #endif | |
2930 | return false; | |
2931 | } |