]> git.ipfire.org Git - thirdparty/openvpn.git/blame - init.c
projects / thirdparty / openvpn.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
First attempt at automatic proxy detection,
[thirdparty/openvpn.git] / init.c
CommitLineData
6fbf66fa
JY		 1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25#ifdef WIN32
26#include "config-win32.h"
27#else
28#include "config.h"
29#endif
30
31#include "syshead.h"
32
33#include "win32.h"
34#include "init.h"
35#include "sig.h"
36#include "occ.h"
37#include "list.h"
38#include "otime.h"
39#include "pool.h"
40#include "gremlin.h"
ce98fd24 41#include "pkcs11.h"
6fbf66fa
JY		 42
43#include "memdbg.h"
44
45#include "occ-inline.h"
46
47/*
48 * Crypto initialization flags
49 */
50#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
51#define CF_INIT_TLS_MULTI (1<<1)
52#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
53
54static void do_init_first_time (struct context *c);
55
56void
57context_clear (struct context *c)
58{
59 CLEAR (*c);
60}
61
62void
63context_clear_1 (struct context *c)
64{
65 CLEAR (c->c1);
66}
67
68void
69context_clear_2 (struct context *c)
70{
71 CLEAR (c->c2);
72}
73
74void
75context_clear_all_except_first_time (struct context *c)
76{
77 const bool first_time_save = c->first_time;
78 context_clear (c);
79 c->first_time = first_time_save;
80}
81
82/*
83 * Initialize and possibly randomize remote list.
84 */
85static void
86init_remote_list (struct context *c)
87{
88 c->c1.remote_list = NULL;
89
90 if (c->options.remote_list)
91 {
92 struct remote_list *l;
93 ALLOC_OBJ_GC (c->c1.remote_list, struct remote_list, &c->gc);
94 l = c->c1.remote_list;
95 *l = *c->options.remote_list;
96 l->current = -1;
97 if (c->options.remote_random)
98 remote_list_randomize (l);
99 }
100}
101
102void
103context_init_1 (struct context *c)
104{
105 context_clear_1 (c);
106
107 packet_id_persist_init (&c->c1.pid_persist);
108 init_remote_list (c);
109
110#if defined(USE_CRYPTO) && defined(USE_SSL)
111 /* Certificate password input */
112 if (c->options.key_pass_file)
113 pem_password_setup (c->options.key_pass_file);
6835555e 114#endif
ce98fd24
JY		 115
116#if defined(ENABLE_PKCS11)
06d92b29 117 if (c->first_time) {
ce98fd24 118 int i;
984cf003 119 pkcs11_initialize (c->options.pkcs11_pin_cache_period);
ce98fd24 120 for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++)
984cf003 121 pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_sign_mode[i]);
ce98fd24
JY		 122 }
123#endif
984cf003 124
c67d59cd 125#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
dd1047f5
JY		 126 {
127 /*
128 * In the management interface, you can okay the request by entering "needok token-insertion-request ok"
129 */
130 struct user_pass up;
131 CLEAR (up);
132 strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
133 get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
134 msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
135 'needok' command, usually 'ok' or 'cancel'. */
136 }
137#endif
138
6fbf66fa
JY		 139#if P2MP
140 /* Auth user/pass input */
141 if (c->options.auth_user_pass_file)
142 {
143 auth_user_pass_setup (c->options.auth_user_pass_file);
144 }
145#endif
146
147#ifdef ENABLE_HTTP_PROXY
148 if (c->options.http_proxy_options)
149 {
150 /* Possible HTTP proxy user/pass input */
151 c->c1.http_proxy = new_http_proxy (c->options.http_proxy_options,
152 &c->gc);
153 }
154#endif
155
156#ifdef ENABLE_SOCKS
157 if (c->options.socks_proxy_server)
158 {
159 c->c1.socks_proxy = new_socks_proxy (c->options.socks_proxy_server,
160 c->options.socks_proxy_port,
161 c->options.socks_proxy_retry,
162 &c->gc);
163 }
164#endif
165}
166
167void
168context_gc_free (struct context *c)
169{
170 gc_free (&c->c2.gc);
171 gc_free (&c->options.gc);
172 gc_free (&c->gc);
173}
174
175bool
176init_static (void)
177{
c67d59cd
JY		 178 configure_path ();
179
6fbf66fa
JY		 180#if defined(USE_CRYPTO) && defined(DMALLOC)
181 openssl_dmalloc_init ();
182#endif
183
184 init_random_seed (); /* init random() function, only used as
185 source for weak random numbers */
186 error_reset (); /* initialize error.c */
187 reset_check_status (); /* initialize status check code in socket.c */
188
189#ifdef WIN32
190 init_win32 ();
191#endif
192
193#ifdef OPENVPN_DEBUG_COMMAND_LINE
194 {
195 int i;
196 for (i = 0; i < argc; ++i)
197 msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
198 }
199#endif
200
201 update_time ();
202
203#ifdef USE_CRYPTO
204 init_ssl_lib ();
205
206 /* init PRNG used for IV generation */
207 /* When forking, copy this to more places in the code to avoid fork
208 random-state predictability */
209 prng_init ();
210#endif
211
212#ifdef PID_TEST
213 packet_id_interactive_test (); /* test the sequence number code */
214 return false;
215#endif
216
217#ifdef SCHEDULE_TEST
218 schedule_test ();
219 return false;
220#endif
221
222#ifdef LIST_TEST
223 list_test ();
224 return false;
225#endif
226
227#ifdef IFCONFIG_POOL_TEST
228 ifconfig_pool_test (0x0A010004, 0x0A0100FF);
229 return false;
230#endif
231
232#ifdef CHARACTER_CLASS_DEBUG
233 character_class_debug ();
234 return false;
235#endif
236
237#ifdef EXTRACT_X509_FIELD_TEST
238 extract_x509_field_test ();
239 return false;
240#endif
241
242 return true;
243}
244
245void
246uninit_static (void)
247{
248 openvpn_thread_cleanup ();
249
250#ifdef USE_CRYPTO
251 free_ssl_lib ();
6835555e 252#endif
ce98fd24 253
ce98fd24 254#ifdef ENABLE_PKCS11
984cf003 255 pkcs11_terminate ();
ce98fd24 256#endif
6fbf66fa
JY		 257
258#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
259 show_tls_performance_stats ();
260#endif
261}
262
263void
264init_verb_mute (struct context *c, unsigned int flags)
265{
266 if (flags & IVM_LEVEL_1)
267 {
268 /* set verbosity and mute levels */
269 set_check_status (D_LINK_ERRORS, D_READ_WRITE);
270 set_debug_level (c->options.verbosity, SDL_CONSTRAIN);
271 set_mute_cutoff (c->options.mute);
272 }
273
274 /* special D_LOG_RW mode */
275 if (flags & IVM_LEVEL_2)
276 c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
277}
278
279/*
280 * Possibly set --dev based on --dev-node.
281 * For example, if --dev-node /tmp/foo/tun, and --dev undefined,
282 * set --dev to tun.
283 */
284void
285init_options_dev (struct options *options)
286{
287 if (!options->dev)
288 options->dev = dev_component_in_dev_node (options->dev_node);
289}
290
291bool
292print_openssl_info (const struct options *options)
293{
294 /*
295 * OpenSSL info print mode?
296 */
297#ifdef USE_CRYPTO
298 if (options->show_ciphers || options->show_digests || options->show_engines
299#ifdef USE_SSL
300 || options->show_tls_ciphers
301#endif
302 )
303 {
304 if (options->show_ciphers)
305 show_available_ciphers ();
306 if (options->show_digests)
307 show_available_digests ();
308 if (options->show_engines)
309 show_available_engines ();
310#ifdef USE_SSL
311 if (options->show_tls_ciphers)
312 show_available_tls_ciphers ();
313#endif
314 return true;
315 }
316#endif
317 return false;
318}
319
320/*
321 * Static pre-shared key generation mode?
322 */
323bool
324do_genkey (const struct options * options)
325{
326#ifdef USE_CRYPTO
327 if (options->genkey)
328 {
329 int nbits_written;
330
331 notnull (options->shared_secret_file,
332 "shared secret output file (--secret)");
333
334 if (options->mlock) /* should we disable paging? */
335 do_mlockall (true);
336
337 nbits_written = write_key_file (2, options->shared_secret_file);
338
339 msg (D_GENKEY | M_NOPREFIX,
340 "Randomly generated %d bit key written to %s", nbits_written,
341 options->shared_secret_file);
342 return true;
343 }
344#endif
345 return false;
346}
347
348/*
349 * Persistent TUN/TAP device management mode?
350 */
351bool
352do_persist_tuntap (const struct options *options)
353{
354#ifdef TUNSETPERSIST
355 if (options->persist_config)
356 {
357 /* sanity check on options for --mktun or --rmtun */
358 notnull (options->dev, "TUN/TAP device (--dev)");
359 if (options->remote_list || options->ifconfig_local
360 || options->ifconfig_remote_netmask
361#ifdef USE_CRYPTO
362 || options->shared_secret_file
363#ifdef USE_SSL
364 || options->tls_server || options->tls_client
365#endif
366#endif
367 )
368 msg (M_FATAL|M_OPTERR,
369 "options --mktun or --rmtun should only be used together with --dev");
370 tuncfg (options->dev, options->dev_type, options->dev_node,
371 options->tun_ipv6, options->persist_mode);
372 return true;
373 }
374#endif
375 return false;
376}
377
378/*
379 * Should we become a daemon?
380 * Return true if we did it.
381 */
382static bool
383possibly_become_daemon (const struct options *options, const bool first_time)
384{
385 bool ret = false;
386 if (first_time && options->daemon)
387 {
388 ASSERT (!options->inetd);
389 if (daemon (options->cd_dir != NULL, options->log) < 0)
390 msg (M_ERR, "daemon() failed");
391 if (options->log)
392 set_std_files_to_null (true);
6835555e
JY		 393
394#if defined(ENABLE_PKCS11)
984cf003 395 pkcs11_forkFixup ();
6835555e
JY		 396#endif
397
6fbf66fa
JY		 398 ret = true;
399 }
400 return ret;
401}
402
403/*
404 * Actually do UID/GID downgrade, and chroot, if requested.
405 */
406static void
407do_uid_gid_chroot (struct context *c, bool no_delay)
408{
409 static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
410
411 if (c->first_time && !c->c2.uid_gid_set)
412 {
413 /* chroot if requested */
414 if (c->options.chroot_dir)
415 {
416 if (no_delay)
417 do_chroot (c->options.chroot_dir);
418 else
419 msg (M_INFO, "NOTE: chroot %s", why_not);
420 }
421
422 /* set user and/or group that we want to setuid/setgid to */
423 if (no_delay)
424 {
425 set_group (&c->c2.group_state);
426 set_user (&c->c2.user_state);
427 c->c2.uid_gid_set = true;
428 }
429 else if (c->c2.uid_gid_specified)
430 {
431 msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
432 }
433 }
434}
435
436/*
437 * Return common name in a way that is formatted for
438 * prepending to msg() output.
439 */
440const char *
441format_common_name (struct context *c, struct gc_arena *gc)
442{
443 struct buffer out = alloc_buf_gc (256, gc);
444#if defined(USE_CRYPTO) && defined(USE_SSL)
445 if (c->c2.tls_multi)
446 {
447 buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
448 }
449#endif
450 return BSTR (&out);
451}
452
453void
454pre_setup (const struct options *options)
455{
456#ifdef WIN32
457 if (options->exit_event_name)
458 {
459 win32_signal_open (&win32_signal,
460 WSO_FORCE_SERVICE,
461 options->exit_event_name,
462 options->exit_event_initial_state);
463 }
464 else
465 {
466 win32_signal_open (&win32_signal,
467 WSO_FORCE_CONSOLE,
468 NULL,
469 false);
470
471 /* put a title on the top window bar */
472 if (win32_signal.mode == WSO_MODE_CONSOLE)
473 {
474 window_title_save (&window_title);
475 window_title_generate (options->config);
476 }
477 }
478#endif
479}
480
481void
482reset_coarse_timers (struct context *c)
483{
484 c->c2.coarse_timer_wakeup = 0;
485}
486
487/*
488 * Initialize timers
489 */
490static void
491do_init_timers (struct context *c, bool deferred)
492{
493 update_time ();
494 reset_coarse_timers (c);
495
496 /* initialize inactivity timeout */
497 if (c->options.inactivity_timeout)
498 event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
499
500 /* initialize pings */
501
502 if (c->options.ping_send_timeout)
503 event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
504
505 if (c->options.ping_rec_timeout)
506 event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
507
508 if (!deferred)
509 {
510 /* initialize connection establishment timer */
511 event_timeout_init (&c->c2.wait_for_connect, 1, now);
512
513#ifdef ENABLE_OCC
514 /* initialize occ timers */
515
516 if (c->options.occ
517 && !TLS_MODE (c)
518 && c->c2.options_string_local && c->c2.options_string_remote)
519 event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
520
521 if (c->options.mtu_test)
522 event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
523#endif
524
525 /* initialize packet_id persistence timer */
526#ifdef USE_CRYPTO
527 if (c->options.packet_id_file)
528 event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
529#endif
530
531#if defined(USE_CRYPTO) && defined(USE_SSL)
532 /* initialize tmp_int optimization that limits the number of times we call
533 tls_multi_process in the main event loop */
534 interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
535#endif
536 }
537}
538
539/*
540 * Initialize traffic shaper.
541 */
542static void
543do_init_traffic_shaper (struct context *c)
544{
545#ifdef HAVE_GETTIMEOFDAY
546 /* initialize traffic shaper (i.e. transmit bandwidth limiter) */
547 if (c->options.shaper)
548 {
549 shaper_init (&c->c2.shaper, c->options.shaper);
550 shaper_msg (&c->c2.shaper);
551 }
552#endif
553}
554
555/*
556 * Allocate a route list structure if at least one
557 * --route option was specified.
558 */
559static void
560do_alloc_route_list (struct context *c)
561{
562 if (c->options.routes && !c->c1.route_list)
563 c->c1.route_list = new_route_list (&c->gc);
564}
565
566
567/*
568 * Initialize the route list, resolving any DNS names in route
569 * options and saving routes in the environment.
570 */
571static void
572do_init_route_list (const struct options *options,
573 struct route_list *route_list,
574 const struct link_socket_info *link_socket_info,
575 bool fatal,
576 struct env_set *es)
577{
578 const char *gw = NULL;
579 int dev = dev_type_enum (options->dev, options->dev_type);
580
3c7f2f55 581 if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
6fbf66fa
JY		 582 gw = options->ifconfig_remote_netmask;
583 if (options->route_default_gateway)
584 gw = options->route_default_gateway;
585
586 if (!init_route_list (route_list,
587 options->routes,
588 gw,
589 link_socket_current_remote (link_socket_info),
590 es))
591 {
592 if (fatal)
593 openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
594 }
595 else
596 {
597 /* copy routes to environment */
598 setenv_routes (es, route_list);
599 }
600}
601
602/*
603 * Called after all initialization has been completed.
604 */
605void
606initialization_sequence_completed (struct context *c, const unsigned int flags)
607{
608 static const char message[] = "Initialization Sequence Completed";
609
610 /* If we delayed UID/GID downgrade or chroot, do it now */
611 do_uid_gid_chroot (c, true);
612
613 /* Test if errors */
614 if (flags & ISC_ERRORS)
615#ifdef WIN32
616 msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
617#else
618 msg (M_INFO, "%s With Errors", message);
619#endif
620 else
621 msg (M_INFO, "%s", message);
622
623 /* Flag remote_list that we initialized */
624 if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && c->c1.remote_list && c->c1.remote_list->len > 1)
625 c->c1.remote_list->no_advance = true;
626
627#ifdef ENABLE_MANAGEMENT
628 /* Tell management interface that we initialized */
629 if (management)
630 {
631 in_addr_t tun_local = 0;
5ad84585 632 in_addr_t tun_remote = 0; /* FKS */
6fbf66fa
JY		 633 const char *detail = "SUCCESS";
634 if (c->c1.tuntap)
635 tun_local = c->c1.tuntap->local;
5ad84585 636 tun_remote = htonl (c->c1.link_socket_addr.actual.dest.sa.sin_addr.s_addr);
6fbf66fa
JY		 637 if (flags & ISC_ERRORS)
638 detail = "ERROR";
639 management_set_state (management,
640 OPENVPN_STATE_CONNECTED,
641 detail,
5ad84585
JY		 642 tun_local,
643 tun_remote);
6fbf66fa
JY		 644 if (tun_local)
645 management_post_tunnel_open (management, tun_local);
646 }
647#endif
648
649}
650
651/*
652 * Possibly add routes and/or call route-up script
653 * based on options.
654 */
655void
656do_route (const struct options *options,
657 struct route_list *route_list,
658 const struct tuntap *tt,
659 const struct plugin_list *plugins,
660 struct env_set *es)
661{
662 if (!options->route_noexec && route_list)
663 add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es);
664
665 if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))
666 {
3c7f2f55 667 if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es))
6fbf66fa
JY		 668 msg (M_WARN, "WARNING: route-up plugin call failed");
669 }
670
671 if (options->route_script)
672 {
673 setenv_str (es, "script_type", "route-up");
674 system_check (options->route_script, es, S_SCRIPT, "Route script failed");
675 }
676
677#ifdef WIN32
678 if (options->show_net_up)
679 {
680 show_routes (M_INFO|M_NOPREFIX);
681 show_adapters (M_INFO|M_NOPREFIX);
682 }
683 else if (check_debug_level (D_SHOW_NET))
684 {
685 show_routes (D_SHOW_NET|M_NOPREFIX);
686 show_adapters (D_SHOW_NET|M_NOPREFIX);
687 }
688#endif
689}
690
691/*
692 * Save current pulled options string in the c1 context store, so we can
693 * compare against it after possible future restarts.
694 */
695#if P2MP
696static void
697save_pulled_options_string (struct context *c, const char *newstring)
698{
699 if (c->c1.pulled_options_string_save)
700 free (c->c1.pulled_options_string_save);
701
702 c->c1.pulled_options_string_save = NULL;
703
704 if (newstring)
705 c->c1.pulled_options_string_save = string_alloc (newstring, NULL);
706}
707#endif
708
709/*
710 * initialize tun/tap device object
711 */
712static void
713do_init_tun (struct context *c)
714{
715 c->c1.tuntap = init_tun (c->options.dev,
716 c->options.dev_type,
3c7f2f55 717 c->options.topology,
6fbf66fa
JY		 718 c->options.ifconfig_local,
719 c->options.ifconfig_remote_netmask,
720 addr_host (&c->c1.link_socket_addr.local),
721 addr_host (&c->c1.link_socket_addr.remote),
722 !c->options.ifconfig_nowarn,
723 c->c2.es);
724
725 init_tun_post (c->c1.tuntap,
726 &c->c2.frame,
727 &c->options.tuntap_options);
728
729 c->c1.tuntap_owned = true;
730}
731
732/*
733 * Open tun/tap device, ifconfig, call up script, etc.
734 */
735
736static bool
737do_open_tun (struct context *c)
738{
739 struct gc_arena gc = gc_new ();
740 bool ret = false;
741
742 c->c2.ipv4_tun = (!c->options.tun_ipv6
743 && is_dev_type (c->options.dev, c->options.dev_type, "tun"));
744
745 if (!c->c1.tuntap)
746 {
747 /* initialize (but do not open) tun/tap object */
748 do_init_tun (c);
749
750 /* allocate route list structure */
751 do_alloc_route_list (c);
752
753 /* parse and resolve the route option list */
3c7f2f55 754 if (c->options.routes && c->c1.route_list && c->c2.link_socket)
6fbf66fa
JY		 755 do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);
756
757 /* do ifconfig */
758 if (!c->options.ifconfig_noexec
759 && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN)
760 {
761 /* guess actual tun/tap unit number that will be returned
762 by open_tun */
763 const char *guess = guess_tuntap_dev (c->options.dev,
764 c->options.dev_type,
765 c->options.dev_node,
766 &gc);
767 do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
768 }
769
770 /* open the tun device */
771 open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
772 c->options.tun_ipv6, c->c1.tuntap);
773
774 /* do ifconfig */
775 if (!c->options.ifconfig_noexec
776 && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN)
777 {
778 do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
779 }
780
781 /* run the up script */
782 run_up_down (c->options.up_script,
3c7f2f55 783 c->plugins,
6fbf66fa
JY		 784 OPENVPN_PLUGIN_UP,
785 c->c1.tuntap->actual_name,
786 TUN_MTU_SIZE (&c->c2.frame),
787 EXPANDED_SIZE (&c->c2.frame),
788 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
789 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
790 "init",
791 NULL,
792 "up",
793 c->c2.es);
794
795 /* possibly add routes */
796 if (!c->options.route_delay_defined)
3c7f2f55 797 do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es);
6fbf66fa
JY		 798
799 /*
800 * Did tun/tap driver give us an MTU?
801 */
802 if (c->c1.tuntap->post_open_mtu)
803 frame_set_mtu_dynamic (&c->c2.frame,
804 c->c1.tuntap->post_open_mtu,
805 SET_MTU_TUN | SET_MTU_UPPER_BOUND);
806
807 ret = true;
808 }
809 else
810 {
811 msg (M_INFO, "Preserving previous TUN/TAP instance: %s",
812 c->c1.tuntap->actual_name);
813
814 /* run the up script if user specified --up-restart */
815 if (c->options.up_restart)
816 run_up_down (c->options.up_script,
3c7f2f55 817 c->plugins,
6fbf66fa
JY		 818 OPENVPN_PLUGIN_UP,
819 c->c1.tuntap->actual_name,
820 TUN_MTU_SIZE (&c->c2.frame),
821 EXPANDED_SIZE (&c->c2.frame),
822 print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
823 print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
824 "restart",
825 NULL,
826 "up",
827 c->c2.es);
828 }
829 gc_free (&gc);
830 return ret;
831}
832
833/*
834 * Close TUN/TAP device
835 */
836
837static void
838do_close_tun_simple (struct context *c)
839{
840 msg (D_CLOSE, "Closing TUN/TAP interface");
841 close_tun (c->c1.tuntap);
842 c->c1.tuntap = NULL;
843 c->c1.tuntap_owned = false;
844#if P2MP
845 save_pulled_options_string (c, NULL); /* delete C1-saved pulled_options_string */
846#endif
847}
848
849static void
850do_close_tun (struct context *c, bool force)
851{
852 struct gc_arena gc = gc_new ();
853 if (c->c1.tuntap && c->c1.tuntap_owned)
854 {
855 const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
856 const in_addr_t local = c->c1.tuntap->local;
857 const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
858
859 if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
860 {
861#ifdef ENABLE_MANAGEMENT
862 /* tell management layer we are about to close the TUN/TAP device */
863 if (management)
864 management_pre_tunnel_close (management);
865#endif
866
867 /* delete any routes we added */
868 if (c->c1.route_list)
869 delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);
870
871 /* actually close tun/tap device based on --down-pre flag */
872 if (!c->options.down_pre)
873 do_close_tun_simple (c);
874
875 /* Run the down script -- note that it will run at reduced
876 privilege if, for example, "--user nobody" was used. */
877 run_up_down (c->options.down_script,
3c7f2f55 878 c->plugins,
6fbf66fa
JY		 879 OPENVPN_PLUGIN_DOWN,
880 tuntap_actual,
881 TUN_MTU_SIZE (&c->c2.frame),
882 EXPANDED_SIZE (&c->c2.frame),
883 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
884 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
885 "init",
886 signal_description (c->sig->signal_received,
887 c->sig->signal_text),
888 "down",
889 c->c2.es);
890
891 /* actually close tun/tap device based on --down-pre flag */
892 if (c->options.down_pre)
893 do_close_tun_simple (c);
894 }
895 else
896 {
897 /* run the down script on this restart if --up-restart was specified */
898 if (c->options.up_restart)
899 run_up_down (c->options.down_script,
3c7f2f55 900 c->plugins,
6fbf66fa
JY		 901 OPENVPN_PLUGIN_DOWN,
902 tuntap_actual,
903 TUN_MTU_SIZE (&c->c2.frame),
904 EXPANDED_SIZE (&c->c2.frame),
905 print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
906 print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
907 "restart",
908 signal_description (c->sig->signal_received,
909 c->sig->signal_text),
910 "down",
911 c->c2.es);
912 }
913 }
914 gc_free (&gc);
915}
916
917/*
918 * Handle delayed tun/tap interface bringup due to --up-delay or --pull
919 */
920
921void
922do_up (struct context *c, bool pulled_options, unsigned int option_types_found)
923{
924 if (!c->c2.do_up_ran)
925 {
926 reset_coarse_timers (c);
927
928 if (pulled_options && option_types_found)
929 do_deferred_options (c, option_types_found);
930
931 /* if --up-delay specified, open tun, do ifconfig, and run up script now */
932 if (c->options.up_delay || PULL_DEFINED (&c->options))
933 {
934 c->c2.did_open_tun = do_open_tun (c);
935 update_time ();
936
937#if P2MP
938 /*
939 * Was tun interface object persisted from previous restart iteration,
940 * and if so did pulled options string change from previous iteration?
941 */
942 if (!c->c2.did_open_tun
943 && PULL_DEFINED (&c->options)
944 && c->c1.tuntap
945 && (!c->c1.pulled_options_string_save || !c->c2.pulled_options_string
946 || strcmp (c->c1.pulled_options_string_save, c->c2.pulled_options_string)))
947 {
948 /* if so, close tun, delete routes, then reinitialize tun and add routes */
949 msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
950 do_close_tun (c, true);
951 openvpn_sleep (1);
952 c->c2.did_open_tun = do_open_tun (c);
953 update_time ();
954 }
955#endif
956 }
957
958 if (c->c2.did_open_tun)
959 {
960#if P2MP
961 save_pulled_options_string (c, c->c2.pulled_options_string);
962#endif
963
964 /* if --route-delay was specified, start timer */
965 if (c->options.route_delay_defined)
966 {
967 event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now);
968 event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
c67d59cd
JY		 969 if (c->c1.tuntap)
970 tun_standby_init (c->c1.tuntap);
6fbf66fa
JY		 971 }
972 else
973 {
974 initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */
975 }
976 }
977 else if (c->options.mode == MODE_POINT_TO_POINT)
978 {
979 initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */
980 }
981
982 c->c2.do_up_ran = true;
983 }
984}
985
986/*
987 * These are the option categories which will be accepted by pull.
988 */
989unsigned int
3c7f2f55 990pull_permission_mask (const struct context *c)
6fbf66fa 991{
3c7f2f55
JY		 992 unsigned int flags =
993 OPT_P_UP
994 | OPT_P_ROUTE_EXTRAS
995 | OPT_P_IPWIN32
00d39170
JY		 996 | OPT_P_SOCKBUF
997 | OPT_P_SOCKFLAGS
3c7f2f55
JY		 998 | OPT_P_SETENV
999 | OPT_P_SHAPER
1000 | OPT_P_TIMER
537073fd 1001 | OPT_P_COMP
3c7f2f55
JY		 1002 | OPT_P_PERSIST
1003 | OPT_P_MESSAGES
1004 | OPT_P_EXPLICIT_NOTIFY
1005 | OPT_P_ECHO
1006 | OPT_P_PULL_MODE;
1007
1008 if (!c->options.route_nopull)
1009 flags |= OPT_P_ROUTE;
1010
1011 return flags;
6fbf66fa
JY		 1012}
1013
1014/*
1015 * Handle non-tun-related pulled options.
1016 */
1017void
1018do_deferred_options (struct context *c, const unsigned int found)
1019{
1020 if (found & OPT_P_MESSAGES)
1021 {
1022 init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2);
1023 msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
1024 }
1025 if (found & OPT_P_TIMER)
1026 {
1027 do_init_timers (c, true);
1028 msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
1029 }
1030
1031#ifdef ENABLE_OCC
1032 if (found & OPT_P_EXPLICIT_NOTIFY)
1033 {
1034 if (c->options.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)
1035 {
1036 msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
1037 c->options.explicit_exit_notification = 0;
1038 }
1039 else
1040 msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
1041 }
1042#endif
1043
537073fd
JY		 1044#ifdef USE_LZO
1045 if (found & OPT_P_COMP)
1046 {
1047 if (lzo_defined (&c->c2.lzo_compwork))
1048 {
1049 msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified");
1050 lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo);
1051 }
1052 }
1053#endif
1054
6fbf66fa
JY		 1055 if (found & OPT_P_SHAPER)
1056 {
1057 msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
1058 do_init_traffic_shaper (c);
1059 }
1060
00d39170
JY		 1061 if (found & OPT_P_SOCKBUF)
1062 {
1063 msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
1064 link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
1065 }
1066
1067 if (found & OPT_P_SOCKFLAGS)
1068 {
1069 msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
1070 link_socket_update_flags (c->c2.link_socket, c->options.sockflags);
1071 }
1072
6fbf66fa
JY		 1073 if (found & OPT_P_PERSIST)
1074 msg (D_PUSH, "OPTIONS IMPORT: --persist options modified");
1075 if (found & OPT_P_UP)
1076 msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
1077 if (found & OPT_P_ROUTE)
1078 msg (D_PUSH, "OPTIONS IMPORT: route options modified");
3c7f2f55
JY		 1079 if (found & OPT_P_ROUTE_EXTRAS)
1080 msg (D_PUSH, "OPTIONS IMPORT: route-related options modified");
6fbf66fa
JY		 1081 if (found & OPT_P_IPWIN32)
1082 msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
1083 if (found & OPT_P_SETENV)
1084 msg (D_PUSH, "OPTIONS IMPORT: environment modified");
1085}
1086
1087/*
1088 * Possible hold on initialization
1089 */
1090static bool
1091do_hold (struct context *c)
1092{
1093#ifdef ENABLE_MANAGEMENT
1094 if (management)
1095 {
1096 /* if c is defined, daemonize before hold */
1097 if (c && c->options.daemon && management_would_hold (management))
1098 do_init_first_time (c);
1099
1100 /* block until management hold is released */
1101 if (management_hold (management))
1102 return true;
1103 }
1104#endif
1105 return false;
1106}
1107
1108/*
1109 * Sleep before restart.
1110 */
1111static void
1112socket_restart_pause (struct context *c)
1113{
1114 bool proxy = false;
1115 int sec = 2;
1116
1117#ifdef ENABLE_HTTP_PROXY
1118 if (c->options.http_proxy_options)
1119 proxy = true;
1120#endif
1121#ifdef ENABLE_SOCKS
1122 if (c->options.socks_proxy_server)
1123 proxy = true;
1124#endif
1125
1126 switch (c->options.proto)
1127 {
1128 case PROTO_UDPv4:
1129 if (proxy)
1130 sec = c->options.connect_retry_seconds;
1131 break;
1132 case PROTO_TCPv4_SERVER:
1133 sec = 1;
1134 break;
1135 case PROTO_TCPv4_CLIENT:
1136 sec = c->options.connect_retry_seconds;
1137 break;
1138 }
1139
1140#ifdef ENABLE_DEBUG
1141 if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin))
1142 sec = 0;
1143#endif
1144
1145#if P2MP
1146 if (auth_retry_get () == AR_NOINTERACT)
1147 sec = 10;
1148#endif
1149
1150 if (do_hold (NULL))
1151 sec = 0;
1152
1153 if (sec)
1154 {
1155 msg (D_RESTART, "Restart pause, %d second(s)", sec);
1156 openvpn_sleep (sec);
1157 }
1158}
1159
1160/*
1161 * Do a possible pause on context_2 initialization.
1162 */
1163static void
1164do_startup_pause (struct context *c)
1165{
1166 if (!c->first_time)
1167 socket_restart_pause (c);
1168 else
1169 do_hold (NULL);
1170}
1171
1172/*
1173 * Finalize MTU parameters based on command line or config file options.
1174 */
1175static void
1176frame_finalize_options (struct context *c, const struct options *o)
1177{
1178 if (!o)
1179 o = &c->options;
1180
1181 /*
1182 * Set adjustment factor for buffer alignment when no
1183 * cipher is used.
1184 */
1185 if (!CIPHER_ENABLED (c))
1186 {
1187 frame_align_to_extra_frame (&c->c2.frame);
1188 frame_or_align_flags (&c->c2.frame,
1189 FRAME_HEADROOM_MARKER_FRAGMENT
1190 |FRAME_HEADROOM_MARKER_READ_LINK
1191 |FRAME_HEADROOM_MARKER_READ_STREAM);
1192 }
1193
1194 frame_finalize (&c->c2.frame,
1195 o->link_mtu_defined,
1196 o->link_mtu,
1197 o->tun_mtu_defined,
1198 o->tun_mtu);
1199}
1200
1201/*
1202 * Free a key schedule, including OpenSSL components.
1203 */
1204static void
1205key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
1206{
1207#ifdef USE_CRYPTO
1208 free_key_ctx_bi (&ks->static_key);
1209#ifdef USE_SSL
1210 if (ks->ssl_ctx && free_ssl_ctx)
1211 {
1212 SSL_CTX_free (ks->ssl_ctx);
1213 free_key_ctx_bi (&ks->tls_auth_key);
1214 }
1215#endif /* USE_SSL */
1216#endif /* USE_CRYPTO */
1217 CLEAR (*ks);
1218}
1219
1220#ifdef USE_CRYPTO
1221
1222static void
1223init_crypto_pre (struct context *c, const unsigned int flags)
1224{
1225 if (c->options.engine)
1226 init_crypto_lib_engine (c->options.engine);
1227
1228 if (flags & CF_LOAD_PERSISTED_PACKET_ID)
1229 {
1230 /* load a persisted packet-id for cross-session replay-protection */
1231 if (c->options.packet_id_file)
1232 packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
1233 }
1234
1235 /* Initialize crypto options */
1236
1237 if (c->options.use_iv)
1238 c->c2.crypto_options.flags |= CO_USE_IV;
1239
1240 if (c->options.mute_replay_warnings)
1241 c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
1242}
1243
1244/*
1245 * Static Key Mode (using a pre-shared key)
1246 */
1247static void
1248do_init_crypto_static (struct context *c, const unsigned int flags)
1249{
1250 const struct options *options = &c->options;
1251 ASSERT (options->shared_secret_file);
1252
1253 init_crypto_pre (c, flags);
1254
1255 /* Initialize packet ID tracking */
1256 if (options->replay)
1257 {
1258 packet_id_init (&c->c2.packet_id, options->replay_window,
1259 options->replay_time);
1260 c->c2.crypto_options.packet_id = &c->c2.packet_id;
1261 c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
1262 c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
1263 packet_id_persist_load_obj (&c->c1.pid_persist,
1264 c->c2.crypto_options.packet_id);
1265 }
1266
1267 if (!key_ctx_bi_defined (&c->c1.ks.static_key))
1268 {
1269 struct key2 key2;
1270 struct key_direction_state kds;
1271
1272 /* Get cipher & hash algorithms */
1273 init_key_type (&c->c1.ks.key_type, options->ciphername,
1274 options->ciphername_defined, options->authname,
1275 options->authname_defined, options->keysize,
1276 options->test_crypto, true);
1277
1278 /* Read cipher and hmac keys from shared secret file */
c959fc74
JY		 1279 {
1280 unsigned int rkf_flags = RKF_MUST_SUCCEED;
1281 const char *rkf_file = options->shared_secret_file;
1282
1283#if ENABLE_INLINE_FILES
1284 if (options->shared_secret_file_inline)
1285 {
1286 rkf_file = options->shared_secret_file_inline;
1287 rkf_flags |= RKF_INLINE;
1288 }
1289#endif
1290 read_key_file (&key2, rkf_file, rkf_flags);
1291 }
6fbf66fa
JY		 1292
1293 /* Check for and fix highly unlikely key problems */
1294 verify_fix_key2 (&key2, &c->c1.ks.key_type,
1295 options->shared_secret_file);
1296
1297 /* Initialize OpenSSL key objects */
1298 key_direction_state_init (&kds, options->key_direction);
1299 must_have_n_keys (options->shared_secret_file, "secret", &key2,
1300 kds.need_keys);
1301 init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
1302 &c->c1.ks.key_type, DO_ENCRYPT, "Static Encrypt");
1303 init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
1304 &c->c1.ks.key_type, DO_DECRYPT, "Static Decrypt");
1305
1306 /* Erase the temporary copy of key */
1307 CLEAR (key2);
1308 }
1309 else
1310 {
1311 msg (M_INFO, "Re-using pre-shared static key");
1312 }
1313
1314 /* Get key schedule */
1315 c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
1316
1317 /* Compute MTU parameters */
1318 crypto_adjust_frame_parameters (&c->c2.frame,
1319 &c->c1.ks.key_type,
1320 options->ciphername_defined,
1321 options->use_iv, options->replay, true);
1322
1323 /* Sanity check on IV, sequence number, and cipher mode options */
1324 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1325 options->use_iv);
1326}
1327
1328#ifdef USE_SSL
1329
1330/*
1331 * Initialize the persistent component of OpenVPN's TLS mode,
1332 * which is preserved across SIGUSR1 resets.
1333 */
1334static void
1335do_init_crypto_tls_c1 (struct context *c)
1336{
1337 const struct options *options = &c->options;
1338
1339 if (!c->c1.ks.ssl_ctx)
1340 {
1341 /*
1342 * Initialize the OpenSSL library's global
1343 * SSL context.
1344 */
1345 c->c1.ks.ssl_ctx = init_ssl (options);
1346 if (!c->c1.ks.ssl_ctx)
1347 {
1348#if P2MP
1349 switch (auth_retry_get ())
1350 {
1351 case AR_NONE:
1352 msg (M_FATAL, "Error: private key password verification failed");
1353 break;
1354 case AR_INTERACT:
1355 ssl_purge_auth ();
1356 case AR_NOINTERACT:
1357 c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
1358 break;
1359 default:
1360 ASSERT (0);
1361 }
1362 c->sig->signal_text = "private-key-password-failure";
1363 return;
1364#else
1365 msg (M_FATAL, "Error: private key password verification failed");
1366#endif
1367 }
1368
1369 /* Get cipher & hash algorithms */
1370 init_key_type (&c->c1.ks.key_type, options->ciphername,
1371 options->ciphername_defined, options->authname,
1372 options->authname_defined, options->keysize, true, true);
1373
1374 /* TLS handshake authentication (--tls-auth) */
1375 if (options->tls_auth_file)
c959fc74
JY		 1376 {
1377 unsigned int flags = options->key_direction ? GHK_KEY_DIR : 0;
1378 const char *file = options->tls_auth_file;
1379
1380#if ENABLE_INLINE_FILES
1381 if (options->tls_auth_file_inline)
1382 {
1383 flags |= GHK_INLINE;
1384 file = options->tls_auth_file_inline;
1385 }
1386#endif
1387 get_tls_handshake_key (&c->c1.ks.key_type,
1388 &c->c1.ks.tls_auth_key,
1389 file,
1390 flags);
1391 }
d40f2b20
JY		 1392
1393#if ENABLE_INLINE_FILES
1394 if (options->priv_key_file_inline)
1395 {
1396 string_clear (c->options.priv_key_file_inline);
1397 c->options.priv_key_file_inline = NULL;
1398 }
1399#endif
6fbf66fa
JY		 1400 }
1401 else
1402 {
1403 msg (M_INFO, "Re-using SSL/TLS context");
1404 }
1405}
1406
1407static void
1408do_init_crypto_tls (struct context *c, const unsigned int flags)
1409{
1410 const struct options *options = &c->options;
1411 struct tls_options to;
1412 bool packet_id_long_form;
1413
1414 ASSERT (options->tls_server || options->tls_client);
1415 ASSERT (!options->test_crypto);
1416
1417 init_crypto_pre (c, flags);
1418
1419 /* Make sure we are either a TLS client or server but not both */
1420 ASSERT (options->tls_server == !options->tls_client);
1421
1422 /* initialize persistent component */
1423 do_init_crypto_tls_c1 (c);
1424 if (IS_SIG (c))
1425 return;
1426
1427 /* Sanity check on IV, sequence number, and cipher mode options */
1428 check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1429 options->use_iv);
1430
1431 /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
1432 packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type);
1433
1434 /* Compute MTU parameters */
1435 crypto_adjust_frame_parameters (&c->c2.frame,
1436 &c->c1.ks.key_type,
1437 options->ciphername_defined,
1438 options->use_iv,
1439 options->replay, packet_id_long_form);
1440 tls_adjust_frame_parameters (&c->c2.frame);
1441
1442 /* Set all command-line TLS-related options */
1443 CLEAR (to);
1444
1445 to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
1446 if (packet_id_long_form)
1447 to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
1448
1449 to.ssl_ctx = c->c1.ks.ssl_ctx;
1450 to.key_type = c->c1.ks.key_type;
1451 to.server = options->tls_server;
1452 to.key_method = options->key_method;
1453 to.replay = options->replay;
1454 to.replay_window = options->replay_window;
1455 to.replay_time = options->replay_time;
1456 to.transition_window = options->transition_window;
1457 to.handshake_window = options->handshake_window;
1458 to.packet_timeout = options->tls_timeout;
1459 to.renegotiate_bytes = options->renegotiate_bytes;
1460 to.renegotiate_packets = options->renegotiate_packets;
1461 to.renegotiate_seconds = options->renegotiate_seconds;
1462 to.single_session = options->single_session;
1463
1464#ifdef ENABLE_OCC
1465 to.disable_occ = !options->occ;
1466#endif
1467
1468 to.verify_command = options->tls_verify;
1469 to.verify_x509name = options->tls_remote;
1470 to.crl_file = options->crl_file;
1471 to.ns_cert_type = options->ns_cert_type;
411e89ae
JY		 1472 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
1473 to.remote_cert_eku = options->remote_cert_eku;
6fbf66fa
JY		 1474 to.es = c->c2.es;
1475
1476#ifdef ENABLE_DEBUG
1477 to.gremlin = c->options.gremlin;
1478#endif
1479
3c7f2f55 1480 to.plugins = c->plugins;
6fbf66fa
JY		 1481
1482#if P2MP_SERVER
1483 to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
1484 to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
1485 to.tmp_dir = options->tmp_dir;
1486 to.username_as_common_name = options->username_as_common_name;
1487 if (options->ccd_exclusive)
1488 to.client_config_dir_exclusive = options->client_config_dir;
1489#endif
1490
1491 /* TLS handshake authentication (--tls-auth) */
1492 if (options->tls_auth_file)
1493 {
1494 to.tls_auth_key = c->c1.ks.tls_auth_key;
1495 to.tls_auth.pid_persist = &c->c1.pid_persist;
1496 to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
1497 crypto_adjust_frame_parameters (&to.frame,
1498 &c->c1.ks.key_type,
1499 false, false, true, true);
1500 }
1501
1502 /* If we are running over TCP, allow for
1503 length prefix */
1504 socket_adjust_frame_parameters (&to.frame, options->proto);
1505
1506 /*
1507 * Initialize OpenVPN's master TLS-mode object.
1508 */
1509 if (flags & CF_INIT_TLS_MULTI)
1510 c->c2.tls_multi = tls_multi_init (&to);
1511
1512 if (flags & CF_INIT_TLS_AUTH_STANDALONE)
1513 c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc);
1514}
1515
1516static void
1517do_init_finalize_tls_frame (struct context *c)
1518{
1519 if (c->c2.tls_multi)
1520 {
1521 tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame);
1522 ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <=
1523 EXPANDED_SIZE (&c->c2.frame));
1524 frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO,
1525 "Control Channel MTU parms");
1526 }
1527 if (c->c2.tls_auth_standalone)
1528 {
1529 tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame);
1530 frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
1531 "TLS-Auth MTU parms");
1532 }
1533}
1534
1535#endif /* USE_SSL */
1536#endif /* USE_CRYPTO */
1537
1538#ifdef USE_CRYPTO
1539/*
1540 * No encryption or authentication.
1541 */
1542static void
1543do_init_crypto_none (const struct context *c)
1544{
1545 ASSERT (!c->options.test_crypto);
1546 msg (M_WARN,
1547 "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1548}
1549#endif
1550
1551static void
1552do_init_crypto (struct context *c, const unsigned int flags)
1553{
1554#ifdef USE_CRYPTO
1555 if (c->options.shared_secret_file)
1556 do_init_crypto_static (c, flags);
1557#ifdef USE_SSL
1558 else if (c->options.tls_server || c->options.tls_client)
1559 do_init_crypto_tls (c, flags);
1560#endif
1561 else /* no encryption or authentication. */
1562 do_init_crypto_none (c);
1563#else /* USE_CRYPTO */
1564 msg (M_WARN,
1565 "******* WARNING *******: " PACKAGE_NAME
1566 " built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1567#endif /* USE_CRYPTO */
1568}
1569
1570static void
1571do_init_frame (struct context *c)
1572{
1573#ifdef USE_LZO
1574 /*
1575 * Initialize LZO compression library.
1576 */
537073fd 1577 if (c->options.lzo & LZO_SELECTED)
6fbf66fa
JY		 1578 {
1579 lzo_adjust_frame_parameters (&c->c2.frame);
1580
1581 /*
1582 * LZO usage affects buffer alignment.
1583 */
1584 if (CIPHER_ENABLED (c))
1585 {
1586 frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN);
1587 frame_or_align_flags (&c->c2.frame,
1588 FRAME_HEADROOM_MARKER_FRAGMENT
1589 |FRAME_HEADROOM_MARKER_DECRYPT);
1590 }
1591
1592#ifdef ENABLE_FRAGMENT
1593 lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
1594#endif
1595 }
537073fd 1596#endif /* USE_LZO */
6fbf66fa
JY		 1597
1598#ifdef ENABLE_SOCKS
1599 /*
1600 * Adjust frame size for UDP Socks support.
1601 */
1602 if (c->options.socks_proxy_server)
1603 socks_adjust_frame_parameters (&c->c2.frame, c->options.proto);
1604#endif
1605
1606 /*
1607 * Adjust frame size based on the --tun-mtu-extra parameter.
1608 */
1609 if (c->options.tun_mtu_extra_defined)
1610 tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra);
1611
1612 /*
1613 * Adjust frame size based on link socket parameters.
1614 * (Since TCP is a stream protocol, we need to insert
1615 * a packet length uint16_t in the buffer.)
1616 */
1617 socket_adjust_frame_parameters (&c->c2.frame, c->options.proto);
1618
1619 /*
1620 * Fill in the blanks in the frame parameters structure,
1621 * make sure values are rational, etc.
1622 */
1623 frame_finalize_options (c, NULL);
1624
1625#ifdef ENABLE_FRAGMENT
1626 /*
1627 * Set frame parameter for fragment code. This is necessary because
1628 * the fragmentation code deals with payloads which have already been
1629 * passed through the compression code.
1630 */
1631 c->c2.frame_fragment = c->c2.frame;
1632 frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
1633#endif
1634
1635#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
1636 /*
1637 * MTU advisories
1638 */
1639 if (c->options.fragment && c->options.mtu_test)
1640 msg (M_WARN,
1641 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
1642#endif
1643
1644#ifdef ENABLE_FRAGMENT
1645 if ((c->options.mssfix || c->options.fragment)
1646 && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)
1647 msg (M_WARN,
1648 "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
1649 ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment));
1650#endif
1651}
1652
1653static void
1654do_option_warnings (struct context *c)
1655{
1656 const struct options *o = &c->options;
1657
1658#if 1 /* JYFIXME -- port warning */
1659 if (!o->port_option_used && (o->local_port == OPENVPN_PORT && o->remote_port == OPENVPN_PORT))
1660 msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",
1661 OPENVPN_PORT);
1662#endif
1663
1664 if (o->ping_send_timeout && !o->ping_rec_timeout)
1665 msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
1666
1667 if ((o->username || o->groupname || o->chroot_dir) && (!o->persist_tun || !o->persist_key))
1668 msg (M_WARN, "WARNING: you are using user/group/chroot without persist-key/persist-tun -- this may cause restarts to fail");
1669
1670#if P2MP
1671 if (o->pull && o->ifconfig_local && c->first_time)
1672 msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
1673
1674#if P2MP_SERVER
1675 if (o->mode == MODE_SERVER)
1676 {
1677 if (o->duplicate_cn && o->client_config_dir)
1678 msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
1679 if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
1680 msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
1681 if (!o->keepalive_ping || !o->keepalive_timeout)
1682 msg (M_WARN, "WARNING: --keepalive option is missing from server config");
1683 }
1684#endif
1685#endif
1686
1687#ifdef USE_CRYPTO
1688 if (!o->replay)
1689 msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
1690 if (!o->use_iv)
1691 msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
1692
1693#ifdef USE_SSL
1694 if (o->tls_client
1695 && !o->tls_verify
1696 && !o->tls_remote
027a87ce 1697 && !(o->ns_cert_type & NS_SSL_SERVER)
bed73623 1698 && (o->remote_cert_eku == NULL || !o->remote_cert_eku[0]))
6fbf66fa
JY		 1699 msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
1700#endif
1ae9d051 1701#endif
6fbf66fa 1702
1ae9d051
JY		 1703#ifndef CONNECT_NONBLOCK
1704 if (o->connect_timeout_defined)
1705 msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
6fbf66fa
JY		 1706#endif
1707}
1708
1709static void
1710do_init_frame_tls (struct context *c)
1711{
1712#if defined(USE_CRYPTO) && defined(USE_SSL)
1713 do_init_finalize_tls_frame (c);
1714#endif
1715}
1716
1717struct context_buffers *
1718init_context_buffers (const struct frame *frame)
1719{
1720 struct context_buffers *b;
1721
1722 ALLOC_OBJ_CLEAR (b, struct context_buffers);
1723
1724 b->read_link_buf = alloc_buf (BUF_SIZE (frame));
1725 b->read_tun_buf = alloc_buf (BUF_SIZE (frame));
1726
1727 b->aux_buf = alloc_buf (BUF_SIZE (frame));
1728
1729#ifdef USE_CRYPTO
1730 b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
1731 b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
1732#endif
1733
1734#ifdef USE_LZO
1735 b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame));
1736 b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame));
1737#endif
1738
1739 return b;
1740}
1741
1742void
1743free_context_buffers (struct context_buffers *b)
1744{
1745 if (b)
1746 {
1747 free_buf (&b->read_link_buf);
1748 free_buf (&b->read_tun_buf);
1749 free_buf (&b->aux_buf);
1750
1751#ifdef USE_LZO
1752 free_buf (&b->lzo_compress_buf);
1753 free_buf (&b->lzo_decompress_buf);
1754#endif
1755
1756#ifdef USE_CRYPTO
1757 free_buf (&b->encrypt_buf);
1758 free_buf (&b->decrypt_buf);
1759#endif
1760
1761 free (b);
1762 }
1763}
1764
1765/*
1766 * Now that we know all frame parameters, initialize
1767 * our buffers.
1768 */
1769static void
1770do_init_buffers (struct context *c)
1771{
1772 c->c2.buffers = init_context_buffers (&c->c2.frame);
1773 c->c2.buffers_owned = true;
1774}
1775
1776#ifdef ENABLE_FRAGMENT
1777/*
1778 * Fragmenting code has buffers to initialize
1779 * once frame parameters are known.
1780 */
1781static void
1782do_init_fragment (struct context *c)
1783{
1784 ASSERT (c->options.fragment);
1785 frame_set_mtu_dynamic (&c->c2.frame_fragment,
1786 c->options.fragment, SET_MTU_UPPER_BOUND);
1787 fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);
1788}
1789#endif
1790
1791/*
1792 * Set the --mssfix option.
1793 */
1794static void
1795do_init_mssfix (struct context *c)
1796{
1797 if (c->options.mssfix)
1798 {
1799 frame_set_mtu_dynamic (&c->c2.frame,
1800 c->options.mssfix, SET_MTU_UPPER_BOUND);
1801 }
1802}
1803
1804/*
1805 * Allocate our socket object.
1806 */
1807static void
1808do_link_socket_new (struct context *c)
1809{
1810 ASSERT (!c->c2.link_socket);
1811 c->c2.link_socket = link_socket_new ();
1812 c->c2.link_socket_owned = true;
1813}
1814
1815/*
1816 * bind the TCP/UDP socket
1817 */
1818static void
1819do_init_socket_1 (struct context *c, int mode)
1820{
1821 link_socket_init_phase1 (c->c2.link_socket,
1822 c->options.local,
1823 c->c1.remote_list,
1824 c->options.local_port,
1825 c->options.proto,
1826 mode,
1827 c->c2.accept_from,
1828#ifdef ENABLE_HTTP_PROXY
1829 c->c1.http_proxy,
1830#endif
1831#ifdef ENABLE_SOCKS
1832 c->c1.socks_proxy,
1833#endif
1834#ifdef ENABLE_DEBUG
1835 c->options.gremlin,
1836#endif
1837 c->options.bind_local,
1838 c->options.remote_float,
1839 c->options.inetd,
1840 &c->c1.link_socket_addr,
1841 c->options.ipchange,
3c7f2f55 1842 c->plugins,
6fbf66fa
JY		 1843 c->options.resolve_retry_seconds,
1844 c->options.connect_retry_seconds,
1ae9d051 1845 c->options.connect_timeout,
b540a9e0 1846 c->options.connect_retry_max,
6fbf66fa
JY		 1847 c->options.mtu_discover_type,
1848 c->options.rcvbuf,
00d39170
JY		 1849 c->options.sndbuf,
1850 c->options.sockflags);
6fbf66fa
JY		 1851}
1852
1853/*
1854 * finalize the TCP/UDP socket
1855 */
1856static void
1857do_init_socket_2 (struct context *c)
1858{
1859 link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame,
1860 &c->sig->signal_received);
1861}
1862
1863/*
1864 * Print MTU INFO
1865 */
1866static void
1867do_print_data_channel_mtu_parms (struct context *c)
1868{
1869 frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
1870#ifdef ENABLE_FRAGMENT
1871 if (c->c2.fragment)
1872 frame_print (&c->c2.frame_fragment, D_MTU_INFO,
1873 "Fragmentation MTU parms");
1874#endif
1875}
1876
1877#ifdef ENABLE_OCC
1878/*
1879 * Get local and remote options compatibility strings.
1880 */
1881static void
1882do_compute_occ_strings (struct context *c)
1883{
1884 struct gc_arena gc = gc_new ();
1885
1886 c->c2.options_string_local =
1887 options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
1888 c->c2.options_string_remote =
1889 options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
1890
1891 msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local);
1892 msg (D_SHOW_OCC, "Expected Remote Options String: '%s'",
1893 c->c2.options_string_remote);
1894
1895#ifdef USE_CRYPTO
1896 msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
1897 options_string_version (c->c2.options_string_local, &gc),
1898 md5sum ((uint8_t*)c->c2.options_string_local,
1899 strlen (c->c2.options_string_local), 9, &gc));
1900 msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
1901 options_string_version (c->c2.options_string_remote, &gc),
1902 md5sum ((uint8_t*)c->c2.options_string_remote,
1903 strlen (c->c2.options_string_remote), 9, &gc));
1904#endif
1905
1906#if defined(USE_CRYPTO) && defined(USE_SSL)
1907 if (c->c2.tls_multi)
1908 tls_multi_init_set_options (c->c2.tls_multi,
1909 c->c2.options_string_local,
1910 c->c2.options_string_remote);
1911#endif
1912
1913 gc_free (&gc);
1914}
1915#endif
1916
1917/*
1918 * These things can only be executed once per program instantiation.
1919 * Set up for possible UID/GID downgrade, but don't do it yet.
1920 * Daemonize if requested.
1921 */
1922static void
1923do_init_first_time (struct context *c)
1924{
90e105d2 1925 if (c->first_time && !c->did_we_daemonize)
6fbf66fa
JY		 1926 {
1927 /* get user and/or group that we want to setuid/setgid to */
1928 c->c2.uid_gid_specified =
1929 get_group (c->options.groupname, &c->c2.group_state) |
1930 get_user (c->options.username, &c->c2.user_state);
1931
1932 /* get --writepid file descriptor */
1933 get_pid_file (c->options.writepid, &c->c2.pid_state);
1934
1935 /* become a daemon if --daemon */
90e105d2 1936 c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
6fbf66fa
JY		 1937
1938 /* should we disable paging? */
90e105d2 1939 if (c->options.mlock && c->did_we_daemonize)
6fbf66fa
JY		 1940 do_mlockall (true); /* call again in case we daemonized */
1941
1942 /* save process ID in a file */
1943 write_pid (&c->c2.pid_state);
1944
1945 /* should we change scheduling priority? */
1946 set_nice (c->options.nice);
1947 }
1948}
1949
1950/*
1951 * If xinetd/inetd mode, don't allow restart.
1952 */
1953static void
1954do_close_check_if_restart_permitted (struct context *c)
1955{
1956 if (c->options.inetd
1957 && (c->sig->signal_received == SIGHUP
1958 || c->sig->signal_received == SIGUSR1))
1959 {
1960 c->sig->signal_received = SIGTERM;
1961 msg (M_INFO,
1962 PACKAGE_NAME
1963 " started by inetd/xinetd cannot restart... Exiting.");
1964 }
1965}
1966
1967/*
1968 * free buffers
1969 */
1970static void
1971do_close_free_buf (struct context *c)
1972{
1973 if (c->c2.buffers_owned)
1974 {
1975 free_context_buffers (c->c2.buffers);
1976 c->c2.buffers = NULL;
1977 c->c2.buffers_owned = false;
1978 }
1979}
1980
1981/*
1982 * close TLS
1983 */
1984static void
1985do_close_tls (struct context *c)
1986{
1987#if defined(USE_CRYPTO) && defined(USE_SSL)
1988 if (c->c2.tls_multi)
1989 {
1990 tls_multi_free (c->c2.tls_multi, true);
1991 c->c2.tls_multi = NULL;
1992 }
1993
1994#ifdef ENABLE_OCC
1995 /* free options compatibility strings */
1996 if (c->c2.options_string_local)
1997 free (c->c2.options_string_local);
1998 if (c->c2.options_string_remote)
1999 free (c->c2.options_string_remote);
2000 c->c2.options_string_local = c->c2.options_string_remote = NULL;
2001#endif
2002#endif
2003}
2004
2005/*
2006 * Free key schedules
2007 */
2008static void
2009do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
2010{
2011 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
2012 key_schedule_free (&c->c1.ks, free_ssl_ctx);
2013}
2014
2015/*
2016 * Close TCP/UDP connection
2017 */
2018static void
2019do_close_link_socket (struct context *c)
2020{
2021 if (c->c2.link_socket && c->c2.link_socket_owned)
2022 {
2023 link_socket_close (c->c2.link_socket);
2024 c->c2.link_socket = NULL;
2025 }
2026
2027 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
2028 {
2029 CLEAR (c->c1.link_socket_addr.remote);
2030 CLEAR (c->c1.link_socket_addr.actual);
2031 }
2032
2033 if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
2034 CLEAR (c->c1.link_socket_addr.local);
2035}
2036
2037/*
2038 * Close packet-id persistance file
2039 */
2040static void
2041do_close_packet_id (struct context *c)
2042{
2043#ifdef USE_CRYPTO
2044 packet_id_free (&c->c2.packet_id);
2045 packet_id_persist_save (&c->c1.pid_persist);
2046 if (!(c->sig->signal_received == SIGUSR1))
2047 packet_id_persist_close (&c->c1.pid_persist);
2048#endif
2049}
2050
2051#ifdef ENABLE_FRAGMENT
2052/*
2053 * Close fragmentation handler.
2054 */
2055static void
2056do_close_fragment (struct context *c)
2057{
2058 if (c->c2.fragment)
2059 {
2060 fragment_free (c->c2.fragment);
2061 c->c2.fragment = NULL;
2062 }
2063}
2064#endif
2065
2066/*
2067 * Open and close our event objects.
2068 */
2069
2070static void
2071do_event_set_init (struct context *c,
2072 bool need_us_timeout)
2073{
2074 unsigned int flags = 0;
2075
2076 c->c2.event_set_max = BASE_N_EVENTS;
2077
2078 flags |= EVENT_METHOD_FAST;
2079
2080 if (need_us_timeout)
2081 flags |= EVENT_METHOD_US_TIMEOUT;
2082
2083 c->c2.event_set = event_set_init (&c->c2.event_set_max, flags);
2084 c->c2.event_set_owned = true;
2085}
2086
2087static void
2088do_close_event_set (struct context *c)
2089{
2090 if (c->c2.event_set && c->c2.event_set_owned)
2091 {
2092 event_free (c->c2.event_set);
2093 c->c2.event_set = NULL;
2094 c->c2.event_set_owned = false;
2095 }
2096}
2097
2098/*
2099 * Open and close --status file
2100 */
2101
2102static void
2103do_open_status_output (struct context *c)
2104{
2105 if (!c->c1.status_output)
2106 {
2107 c->c1.status_output = status_open (c->options.status_file,
2108 c->options.status_file_update_freq,
2109 -1,
2110 NULL,
2111 STATUS_OUTPUT_WRITE);
2112 c->c1.status_output_owned = true;
2113 }
2114}
2115
2116static void
2117do_close_status_output (struct context *c)
2118{
2119 if (!(c->sig->signal_received == SIGUSR1))
2120 {
2121 if (c->c1.status_output_owned && c->c1.status_output)
2122 {
2123 status_close (c->c1.status_output);
2124 c->c1.status_output = NULL;
2125 c->c1.status_output_owned = false;
2126 }
2127 }
2128}
2129
2130/*
2131 * Handle ifconfig-pool persistance object.
2132 */
2133static void
2134do_open_ifconfig_pool_persist (struct context *c)
2135{
2136#if P2MP_SERVER
2137 if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
2138 {
2139 c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename,
2140 c->options.ifconfig_pool_persist_refresh_freq);
2141 c->c1.ifconfig_pool_persist_owned = true;
2142 }
2143#endif
2144}
2145
2146static void
2147do_close_ifconfig_pool_persist (struct context *c)
2148{
2149#if P2MP_SERVER
2150 if (!(c->sig->signal_received == SIGUSR1))
2151 {
2152 if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
2153 {
2154 ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist);
2155 c->c1.ifconfig_pool_persist = NULL;
2156 c->c1.ifconfig_pool_persist_owned = false;
2157 }
2158 }
2159#endif
2160}
2161
2162/*
2163 * Inherit environmental variables
2164 */
2165
2166static void
2167do_inherit_env (struct context *c, const struct env_set *src)
2168{
2169 c->c2.es = env_set_create (&c->c2.gc);
2170 env_set_inherit (c->c2.es, src);
2171}
2172
2173/*
2174 * Fast I/O setup. Fast I/O is an optimization which only works
2175 * if all of the following are true:
2176 *
2177 * (1) The platform is not Windows
2178 * (2) --proto udp is enabled
2179 * (3) --shaper is disabled
2180 */
2181static void
2182do_setup_fast_io (struct context *c)
2183{
2184 if (c->options.fast_io)
2185 {
2186#ifdef WIN32
2187 msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
2188#else
2189 if (c->options.proto != PROTO_UDPv4)
2190 msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
2191 else
2192 {
0475d17e 2193#ifdef HAVE_GETTIMEOFDAY
6fbf66fa
JY		 2194 if (c->options.shaper)
2195 msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
2196 else
0475d17e 2197#endif
6fbf66fa
JY		 2198 {
2199 c->c2.fast_io = true;
2200 }
2201 }
2202#endif
2203 }
2204}
2205
2206static void
2207do_signal_on_tls_errors (struct context *c)
2208{
2209#if defined(USE_CRYPTO) && defined(USE_SSL)
2210 if (c->options.tls_exit)
2211 c->c2.tls_exit_signal = SIGTERM;
2212 else
2213 c->c2.tls_exit_signal = SIGUSR1;
2214#endif
2215}
2216
3c7f2f55 2217#ifdef ENABLE_PLUGIN
6fbf66fa 2218
3c7f2f55 2219void
e1791bb1 2220init_plugins (struct context *c)
6fbf66fa 2221{
3c7f2f55 2222 if (c->options.plugin_list && !c->plugins)
e1791bb1
JY		 2223 {
2224 c->plugins = plugin_list_init (c->options.plugin_list);
2225 c->plugins_owned = true;
2226 }
2227}
2228
2229void
2230open_plugins (struct context *c, const bool import_options, int init_point)
2231{
2232 if (c->plugins && c->plugins_owned)
6fbf66fa 2233 {
3c7f2f55
JY		 2234 if (import_options)
2235 {
2236 struct plugin_return pr, config;
2237 plugin_return_init (&pr);
e1791bb1 2238 plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
3c7f2f55
JY		 2239 plugin_return_get_column (&pr, &config, "config");
2240 if (plugin_return_defined (&config))
2241 {
2242 int i;
2243 for (i = 0; i < config.n; ++i)
2244 {
2245 unsigned int option_types_found = 0;
2246 if (config.list[i] && config.list[i]->value)
2247 options_plugin_import (&c->options,
2248 config.list[i]->value,
2249 D_IMPORT_ERRORS|M_OPTERR,
2250 OPT_P_DEFAULT & ~OPT_P_PLUGIN,
2251 &option_types_found,
2252 c->es);
2253 }
2254 }
2255 plugin_return_free (&pr);
2256 }
2257 else
2258 {
e1791bb1 2259 plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
3c7f2f55 2260 }
6fbf66fa 2261 }
6fbf66fa
JY		 2262}
2263
2264static void
2265do_close_plugins (struct context *c)
2266{
3c7f2f55 2267 if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
6fbf66fa 2268 {
3c7f2f55
JY		 2269 plugin_list_close (c->plugins);
2270 c->plugins = NULL;
2271 c->plugins_owned = false;
6fbf66fa 2272 }
6fbf66fa
JY		 2273}
2274
3c7f2f55
JY		 2275static void
2276do_inherit_plugins (struct context *c, const struct context *src)
2277{
2278 if (!c->plugins && src->plugins)
2279 {
2280 c->plugins = plugin_list_inherit (src->plugins);
2281 c->plugins_owned = true;
2282 }
2283}
2284
2285#endif
2286
6fbf66fa
JY		 2287#ifdef ENABLE_MANAGEMENT
2288
2289static void
2290management_callback_status_p2p (void *arg, const int version, struct status_output *so)
2291{
2292 struct context *c = (struct context *) arg;
2293 print_status (c, so);
2294}
2295
2296void
2297management_show_net_callback (void *arg, const int msglevel)
2298{
2299#ifdef WIN32
2300 show_routes (msglevel);
2301 show_adapters (msglevel);
2302 msg (msglevel, "END");
2303#else
2304 msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
2305#endif
2306}
2307
2308#endif
2309
2310void
2311init_management_callback_p2p (struct context *c)
2312{
2313#ifdef ENABLE_MANAGEMENT
2314 if (management)
2315 {
2316 struct management_callback cb;
2317 CLEAR (cb);
2318 cb.arg = c;
2319 cb.status = management_callback_status_p2p;
2320 cb.show_net = management_show_net_callback;
2321 management_set_callback (management, &cb);
2322 }
2323#endif
2324}
2325
2326#ifdef ENABLE_MANAGEMENT
2327
2328void
2329init_management (struct context *c)
2330{
2331 if (!management)
2332 management = management_init ();
2333}
2334
2335bool
2336open_management (struct context *c)
2337{
2338 /* initialize management layer */
2339 if (management)
2340 {
2341 if (c->options.management_addr)
2342 {
2343 if (management_open (management,
2344 c->options.management_addr,
2345 c->options.management_port,
2346 c->options.management_user_pass,
2347 c->options.mode == MODE_SERVER,
2348 c->options.management_query_passwords,
2349 c->options.management_log_history_cache,
2350 c->options.management_echo_buffer_size,
2351 c->options.management_state_buffer_size,
2352 c->options.management_hold))
2353 {
2354 management_set_state (management,
2355 OPENVPN_STATE_CONNECTING,
2356 NULL,
5ad84585 2357 (in_addr_t)0,
6fbf66fa
JY		 2358 (in_addr_t)0);
2359 }
2360
2361 /* possible wait */
2362 do_hold (c);
2363 if (IS_SIG (c))
2364 {
2365 msg (M_WARN, "Signal received from management interface, exiting");
2366 return false;
2367 }
2368 }
2369 else
2370 close_management ();
2371 }
2372 return true;
2373}
2374
2375void
2376close_management (void)
2377{
2378 if (management)
2379 {
2380 management_close (management);
2381 management = NULL;
2382 }
2383}
2384
2385#endif
2386
2387
2388void
2389uninit_management_callback (void)
2390{
2391#ifdef ENABLE_MANAGEMENT
2392 if (management)
2393 {
2394 management_clear_callback (management);
2395 }
2396#endif
2397}
2398
2399/*
2400 * Initialize a tunnel instance, handle pre and post-init
2401 * signal settings.
2402 */
2403void
2404init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags)
2405{
2406 pre_init_signal_catch ();
2407 init_instance (c, env, flags);
2408 post_init_signal_catch ();
b540a9e0
JY		 2409
2410 /*
2411 * This is done so that signals thrown during
2412 * initialization can bring us back to
2413 * a management hold.
2414 */
2415 if (IS_SIG (c))
d5badcf1
JY		 2416 {
2417 remap_signal (c);
2418 uninit_management_callback ();
2419 }
6fbf66fa
JY		 2420}
2421
2422/*
2423 * Initialize a tunnel instance.
2424 */
2425void
2426init_instance (struct context *c, const struct env_set *env, const unsigned int flags)
2427{
2428 const struct options *options = &c->options;
2429 const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
2430 int link_socket_mode = LS_MODE_DEFAULT;
2431
2432 /* init garbage collection level */
2433 gc_init (&c->c2.gc);
2434
2435 /* signals caught here will abort */
2436 c->sig->signal_received = 0;
2437 c->sig->signal_text = NULL;
2438 c->sig->hard = false;
2439
2440 /* link_socket_mode allows CM_CHILD_TCP
2441 instances to inherit acceptable fds
2442 from a top-level parent */
2443 if (c->options.proto == PROTO_TCPv4_SERVER)
2444 {
2445 if (c->mode == CM_TOP)
2446 link_socket_mode = LS_MODE_TCP_LISTEN;
2447 else if (c->mode == CM_CHILD_TCP)
2448 link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
2449 }
2450
2451 /* should we disable paging? */
2452 if (c->first_time && options->mlock)
2453 do_mlockall (true);
2454
2455 /* possible sleep or management hold if restart */
2456 if (c->mode == CM_P2P || c->mode == CM_TOP)
2457 {
2458 do_startup_pause (c);
2459 if (IS_SIG (c))
2460 goto sig;
2461 }
2462
2463 /* initialize context level 2 --verb/--mute parms */
2464 init_verb_mute (c, IVM_LEVEL_2);
2465
2466 /* set error message delay for non-server modes */
2467 if (c->mode == CM_P2P)
2468 set_check_status_error_delay (P2P_ERROR_DELAY_MS);
2469
2470 /* warn about inconsistent options */
2471 if (c->mode == CM_P2P || c->mode == CM_TOP)
2472 do_option_warnings (c);
2473
2474 /* inherit environmental variables */
2475 if (env)
2476 do_inherit_env (c, env);
2477
3c7f2f55 2478#ifdef ENABLE_PLUGIN
6fbf66fa
JY		 2479 /* initialize plugins */
2480 if (c->mode == CM_P2P || c->mode == CM_TOP)
e1791bb1 2481 open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
3c7f2f55 2482#endif
6fbf66fa
JY		 2483
2484 /* should we enable fast I/O? */
2485 if (c->mode == CM_P2P || c->mode == CM_TOP)
2486 do_setup_fast_io (c);
2487
2488 /* should we throw a signal on TLS errors? */
2489 do_signal_on_tls_errors (c);
2490
2491 /* open --status file */
2492 if (c->mode == CM_P2P || c->mode == CM_TOP)
2493 do_open_status_output (c);
2494
2495 /* open --ifconfig-pool-persist file */
2496 if (c->mode == CM_TOP)
2497 do_open_ifconfig_pool_persist (c);
2498
2499#ifdef ENABLE_OCC
2500 /* reset OCC state */
2501 if (c->mode == CM_P2P || child)
2502 c->c2.occ_op = occ_reset_op ();
2503#endif
2504
2505 /* our wait-for-i/o objects, different for posix vs. win32 */
2506 if (c->mode == CM_P2P)
2507 do_event_set_init (c, SHAPER_DEFINED (&c->options));
2508 else if (c->mode == CM_CHILD_TCP)
2509 do_event_set_init (c, false);
2510
2511 /* allocate our socket object */
2512 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2513 do_link_socket_new (c);
2514
2515#ifdef ENABLE_FRAGMENT
2516 /* initialize internal fragmentation object */
2517 if (options->fragment && (c->mode == CM_P2P || child))
2518 c->c2.fragment = fragment_init (&c->c2.frame);
2519#endif
2520
2521 /* init crypto layer */
2522 {
2523 unsigned int crypto_flags = 0;
2524 if (c->mode == CM_TOP)
2525 crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
2526 else if (c->mode == CM_P2P)
2527 crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
2528 else if (child)
2529 crypto_flags = CF_INIT_TLS_MULTI;
2530 do_init_crypto (c, crypto_flags);
76a59eae 2531 if (IS_SIG (c) && !child)
6fbf66fa
JY		 2532 goto sig;
2533 }
2534
2535#ifdef USE_LZO
2536 /* initialize LZO compression library. */
537073fd
JY		 2537 if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child))
2538 lzo_compress_init (&c->c2.lzo_compwork, options->lzo);
6fbf66fa
JY		 2539#endif
2540
2541 /* initialize MTU variables */
2542 do_init_frame (c);
2543
2544 /* initialize TLS MTU variables */
2545 do_init_frame_tls (c);
2546
2547 /* init workspace buffers whose size is derived from frame size */
2548 if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
2549 do_init_buffers (c);
2550
2551#ifdef ENABLE_FRAGMENT
2552 /* initialize internal fragmentation capability with known frame size */
2553 if (options->fragment && (c->mode == CM_P2P || child))
2554 do_init_fragment (c);
2555#endif
2556
2557 /* initialize dynamic MTU variable */
2558 do_init_mssfix (c);
2559
2560 /* bind the TCP/UDP socket */
2561 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2562 do_init_socket_1 (c, link_socket_mode);
2563
2564 /* initialize tun/tap device object,
2565 open tun/tap device, ifconfig, run up script, etc. */
2566 if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
2567 c->c2.did_open_tun = do_open_tun (c);
2568
2569 /* print MTU info */
2570 do_print_data_channel_mtu_parms (c);
2571
2572#ifdef ENABLE_OCC
2573 /* get local and remote options compatibility strings */
2574 if (c->mode == CM_P2P || child)
2575 do_compute_occ_strings (c);
2576#endif
2577
2578 /* initialize output speed limiter */
2579 if (c->mode == CM_P2P)
2580 do_init_traffic_shaper (c);
2581
2582 /* do one-time inits, and possibily become a daemon here */
2583 do_init_first_time (c);
2584
e1791bb1
JY		 2585#ifdef ENABLE_PLUGIN
2586 /* initialize plugins */
2587 if (c->mode == CM_P2P || c->mode == CM_TOP)
2588 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
2589#endif
2590
6fbf66fa
JY		 2591 /*
2592 * Actually do UID/GID downgrade, and chroot, if requested.
2593 * May be delayed by --client, --pull, or --up-delay.
2594 */
2595 do_uid_gid_chroot (c, c->c2.did_open_tun);
2596
2597 /* finalize the TCP/UDP socket */
2598 if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2599 do_init_socket_2 (c);
2600
2601 /* initialize timers */
2602 if (c->mode == CM_P2P || child)
2603 do_init_timers (c, false);
2604
e1791bb1
JY		 2605#ifdef ENABLE_PLUGIN
2606 /* initialize plugins */
2607 if (c->mode == CM_P2P || c->mode == CM_TOP)
2608 open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
2609#endif
2610
6fbf66fa
JY		 2611 /* Check for signals */
2612 if (IS_SIG (c))
2613 goto sig;
2614
2615 return;
2616
2617 sig:
2618 c->sig->signal_text = "init_instance";
2619 close_context (c, -1, flags);
2620 return;
2621}
2622
2623/*
2624 * Close a tunnel instance.
2625 */
2626void
2627close_instance (struct context *c)
2628{
2629 /* close event objects */
2630 do_close_event_set (c);
2631
2632 if (c->mode == CM_P2P
2633 || c->mode == CM_CHILD_TCP
2634 || c->mode == CM_CHILD_UDP
2635 || c->mode == CM_TOP)
2636 {
2637 /* if xinetd/inetd mode, don't allow restart */
2638 do_close_check_if_restart_permitted (c);
2639
2640#ifdef USE_LZO
537073fd 2641 if (lzo_defined (&c->c2.lzo_compwork))
6fbf66fa
JY		 2642 lzo_compress_uninit (&c->c2.lzo_compwork);
2643#endif
2644
2645 /* free buffers */
2646 do_close_free_buf (c);
2647
2648 /* close TLS */
2649 do_close_tls (c);
2650
2651 /* free key schedules */
2652 do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP));
2653
2654 /* close TCP/UDP connection */
2655 do_close_link_socket (c);
2656
2657 /* close TUN/TAP device */
2658 do_close_tun (c, false);
2659
3c7f2f55 2660#ifdef ENABLE_PLUGIN
6fbf66fa
JY		 2661 /* call plugin close functions and unload */
2662 do_close_plugins (c);
3c7f2f55 2663#endif
6fbf66fa
JY		 2664
2665 /* close packet-id persistance file */
2666 do_close_packet_id (c);
2667
2668 /* close --status file */
2669 do_close_status_output (c);
2670
2671#ifdef ENABLE_FRAGMENT
2672 /* close fragmentation handler */
2673 do_close_fragment (c);
2674#endif
2675
2676 /* close --ifconfig-pool-persist obj */
2677 do_close_ifconfig_pool_persist (c);
2678
2679 /* garbage collect */
2680 gc_free (&c->c2.gc);
2681 }
2682}
2683
2684void
2685inherit_context_child (struct context *dest,
2686 const struct context *src)
2687{
2688 CLEAR (*dest);
2689
2690 switch (src->options.proto)
2691 {
2692 case PROTO_UDPv4:
2693 dest->mode = CM_CHILD_UDP;
2694 break;
2695 case PROTO_TCPv4_SERVER:
2696 dest->mode = CM_CHILD_TCP;
2697 break;
2698 default:
2699 ASSERT (0);
2700 }
2701
2702 dest->first_time = false;
2703
2704 dest->gc = gc_new ();
2705
2706 ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
2707
2708 /* c1 init */
2709 packet_id_persist_init (&dest->c1.pid_persist);
2710
2711#ifdef USE_CRYPTO
2712 dest->c1.ks.key_type = src->c1.ks.key_type;
2713#ifdef USE_SSL
2714 /* inherit SSL context */
2715 dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
2716 dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
2717#endif
2718#endif
2719
2720 /* options */
2721 dest->options = src->options;
2722 options_detach (&dest->options);
2723
2724 if (dest->mode == CM_CHILD_TCP)
2725 {
2726 /*
2727 * The CM_TOP context does the socket listen(),
2728 * and the CM_CHILD_TCP context does the accept().
2729 */
2730 dest->c2.accept_from = src->c2.link_socket;
2731 }
2732
3c7f2f55 2733#ifdef ENABLE_PLUGIN
6fbf66fa 2734 /* inherit plugins */
3c7f2f55
JY		 2735 do_inherit_plugins (dest, src);
2736#endif
6fbf66fa
JY		 2737
2738 /* context init */
79df31c8 2739 init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
6fbf66fa
JY		 2740 if (IS_SIG (dest))
2741 return;
2742
2743 /* inherit tun/tap interface object */
2744 dest->c1.tuntap = src->c1.tuntap;
2745
2746 /* UDP inherits some extra things which TCP does not */
2747 if (dest->mode == CM_CHILD_UDP)
2748 {
2749 /* inherit buffers */
2750 dest->c2.buffers = src->c2.buffers;
2751
2752 /* inherit parent link_socket and tuntap */
2753 dest->c2.link_socket = src->c2.link_socket;
2754
2755 ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
2756 *dest->c2.link_socket_info = src->c2.link_socket->info;
2757
2758 /* locally override some link_socket_info fields */
2759 dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
2760 dest->c2.link_socket_info->connection_established = false;
2761 }
2762}
2763
2764void
2765inherit_context_top (struct context *dest,
2766 const struct context *src)
2767{
2768 /* copy parent */
2769 *dest = *src;
2770
2771 /*
2772 * CM_TOP_CLONE will prevent close_instance from freeing or closing
2773 * resources owned by the parent.
2774 *
2775 * Also note that CM_TOP_CLONE context objects are
2776 * closed by multi_top_free in multi.c.
2777 */
2778 dest->mode = CM_TOP_CLONE;
2779
2780 dest->first_time = false;
2781
2782 options_detach (&dest->options);
2783 gc_detach (&dest->gc);
2784 gc_detach (&dest->c2.gc);
2785
3c7f2f55
JY		 2786 /* detach plugins */
2787 dest->plugins_owned = false;
2788
6fbf66fa
JY		 2789#if defined(USE_CRYPTO) && defined(USE_SSL)
2790 dest->c2.tls_multi = NULL;
2791#endif
2792
3c7f2f55 2793 /* detach c1 ownership */
6fbf66fa
JY		 2794 dest->c1.tuntap_owned = false;
2795 dest->c1.status_output_owned = false;
2796#if P2MP_SERVER
2797 dest->c1.ifconfig_pool_persist_owned = false;
2798#endif
3c7f2f55
JY		 2799
2800 /* detach c2 ownership */
6fbf66fa
JY		 2801 dest->c2.event_set_owned = false;
2802 dest->c2.link_socket_owned = false;
2803 dest->c2.buffers_owned = false;
2804
2805 dest->c2.event_set = NULL;
2806 if (src->options.proto == PROTO_UDPv4)
2807 do_event_set_init (dest, false);
2808}
2809
2810void
2811close_context (struct context *c, int sig, unsigned int flags)
2812{
79df31c8
JY		 2813 ASSERT (c);
2814 ASSERT (c->sig);
2815
6fbf66fa
JY		 2816 if (sig >= 0)
2817 c->sig->signal_received = sig;
2818
2819 if (c->sig->signal_received == SIGUSR1)
2820 {
2821 if ((flags & CC_USR1_TO_HUP)
2822 || (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP)))
2823 c->sig->signal_received = SIGHUP;
2824 }
2825
79df31c8
JY		 2826 if (!(flags & CC_NO_CLOSE))
2827 close_instance (c);
6fbf66fa
JY		 2828
2829 if (flags & CC_GC_FREE)
2830 context_gc_free (c);
2831}
2832
2833#ifdef USE_CRYPTO
2834
2835static void
2836test_malloc (void)
2837{
2838 int i, j;
2839 msg (M_INFO, "Multithreaded malloc test...");
2840 for (i = 0; i < 25; ++i)
2841 {
2842 struct gc_arena gc = gc_new ();
2843 const int limit = get_random () & 0x03FF;
2844 for (j = 0; j < limit; ++j)
2845 {
2846 gc_malloc (get_random () & 0x03FF, false, &gc);
2847 }
2848 gc_free (&gc);
2849 }
2850}
2851
2852/*
2853 * Do a loopback test
2854 * on the crypto subsystem.
2855 */
2856static void *
2857test_crypto_thread (void *arg)
2858{
2859 struct context *c = (struct context *) arg;
2860 const struct options *options = &c->options;
2861#if defined(USE_PTHREAD)
2862 struct context *child = NULL;
2863 openvpn_thread_t child_id = 0;
2864#endif
2865
2866 ASSERT (options->test_crypto);
2867 init_verb_mute (c, IVM_LEVEL_1);
2868 context_init_1 (c);
2869 do_init_crypto_static (c, 0);
2870
2871#if defined(USE_PTHREAD)
2872 {
2873 if (c->first_time && options->n_threads > 1)
2874 {
2875 if (options->n_threads > 2)
2876 msg (M_FATAL, "ERROR: --test-crypto option only works with --threads set to 1 or 2");
2877 openvpn_thread_init ();
2878 ALLOC_OBJ (child, struct context);
2879 context_clear (child);
2880 child->options = *options;
2881 options_detach (&child->options);
2882 child->first_time = false;
2883 child_id = openvpn_thread_create (test_crypto_thread, (void *) child);
2884 }
2885 }
2886#endif
2887 frame_finalize_options (c, options);
2888
2889#if defined(USE_PTHREAD)
2890 if (options->n_threads == 2)
2891 test_malloc ();
2892#endif
2893
2894 test_crypto (&c->c2.crypto_options, &c->c2.frame);
2895
2896 key_schedule_free (&c->c1.ks, true);
2897 packet_id_free (&c->c2.packet_id);
2898
2899#if defined(USE_PTHREAD)
2900 if (c->first_time && options->n_threads > 1)
2901 openvpn_thread_join (child_id);
2902 if (child)
2903 free (child);
2904#endif
2905 context_gc_free (c);
2906 return NULL;
2907}
2908
2909#endif
2910
2911bool
2912do_test_crypto (const struct options *o)
2913{
2914#ifdef USE_CRYPTO
2915 if (o->test_crypto)
2916 {
2917 struct context c;
2918
2919 /* print version number */
2920 msg (M_INFO, "%s", title_string);
2921
3c7f2f55 2922 context_clear (&c);
6fbf66fa
JY		 2923 c.options = *o;
2924 options_detach (&c.options);
2925 c.first_time = true;
2926 test_crypto_thread ((void *) &c);
2927 return true;
2928 }
2929#endif
2930 return false;
2931}
Mirror of https://github.com/OpenVPN/openvpn.git