]>
Commit | Line | Data |
---|---|---|
6fbf66fa JY |
1 | /* |
2 | * OpenVPN -- An application to securely tunnel IP networks | |
3 | * over a single TCP/UDP port, with support for SSL/TLS-based | |
4 | * session authentication and key exchange, | |
5 | * packet encryption, packet authentication, and | |
6 | * packet compression. | |
7 | * | |
564a2109 | 8 | * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
6fbf66fa JY |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License version 2 | |
12 | * as published by the Free Software Foundation. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | * GNU General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU General Public License | |
20 | * along with this program (see the file COPYING included with this | |
21 | * distribution); if not, write to the Free Software Foundation, Inc., | |
22 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
23 | */ | |
24 | ||
c110b289 ABL |
25 | #ifdef HAVE_CONFIG_H |
26 | #include "config.h" | |
27 | #elif defined(_MSC_VER) | |
28 | #include "config-msvc.h" | |
29 | #endif | |
30 | ||
6fbf66fa JY |
31 | #include "syshead.h" |
32 | ||
33 | #include "win32.h" | |
34 | #include "init.h" | |
35 | #include "sig.h" | |
36 | #include "occ.h" | |
37 | #include "list.h" | |
38 | #include "otime.h" | |
39 | #include "pool.h" | |
40 | #include "gremlin.h" | |
ce98fd24 | 41 | #include "pkcs11.h" |
6add6b2f | 42 | #include "ps.h" |
e12fe286 | 43 | #include "lladdr.h" |
e7a65dfb | 44 | #include "ping.h" |
ffea644c | 45 | #include "mstats.h" |
63dc03d0 | 46 | #include "ssl_verify.h" |
2191c471 | 47 | #include "forward-inline.h" |
6fbf66fa JY |
48 | |
49 | #include "memdbg.h" | |
50 | ||
51 | #include "occ-inline.h" | |
52 | ||
0c9eb1d3 JY |
53 | static struct context *static_context; /* GLOBAL */ |
54 | ||
6fbf66fa JY |
55 | /* |
56 | * Crypto initialization flags | |
57 | */ | |
58 | #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) | |
59 | #define CF_INIT_TLS_MULTI (1<<1) | |
60 | #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) | |
61 | ||
62 | static void do_init_first_time (struct context *c); | |
63 | ||
64 | void | |
65 | context_clear (struct context *c) | |
66 | { | |
67 | CLEAR (*c); | |
68 | } | |
69 | ||
70 | void | |
71 | context_clear_1 (struct context *c) | |
72 | { | |
73 | CLEAR (c->c1); | |
74 | } | |
75 | ||
76 | void | |
77 | context_clear_2 (struct context *c) | |
78 | { | |
79 | CLEAR (c->c2); | |
80 | } | |
81 | ||
82 | void | |
83 | context_clear_all_except_first_time (struct context *c) | |
84 | { | |
85 | const bool first_time_save = c->first_time; | |
a9c802b2 | 86 | const struct context_persist cpsave = c->persist; |
6fbf66fa JY |
87 | context_clear (c); |
88 | c->first_time = first_time_save; | |
a9c802b2 | 89 | c->persist = cpsave; |
6fbf66fa JY |
90 | } |
91 | ||
92 | /* | |
4e9a51d7 JY |
93 | * Should be called after options->ce is modified at the top |
94 | * of a SIGUSR1 restart. | |
6fbf66fa JY |
95 | */ |
96 | static void | |
4e9a51d7 | 97 | update_options_ce_post (struct options *options) |
6fbf66fa | 98 | { |
4e9a51d7 JY |
99 | #if P2MP |
100 | /* | |
101 | * In pull mode, we usually import --ping/--ping-restart parameters from | |
102 | * the server. However we should also set an initial default --ping-restart | |
103 | * for the period of time before we pull the --ping-restart parameter | |
104 | * from the server. | |
105 | */ | |
106 | if (options->pull | |
107 | && options->ping_rec_timeout_action == PING_UNDEF | |
8335caf9 | 108 | && proto_is_dgram(options->ce.proto)) |
4e9a51d7 JY |
109 | { |
110 | options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; | |
111 | options->ping_rec_timeout_action = PING_RESTART; | |
112 | } | |
113 | #endif | |
4e9a51d7 | 114 | } |
6fbf66fa | 115 | |
af1bf85a | 116 | #ifdef ENABLE_MANAGEMENT |
3cf6c932 | 117 | static bool |
af1bf85a | 118 | management_callback_proxy_cmd (void *arg, const char **p) |
3cf6c932 | 119 | { |
af1bf85a HH |
120 | struct context *c = arg; |
121 | struct connection_entry *ce = &c->options.ce; | |
122 | struct gc_arena *gc = &c->c2.gc; | |
123 | bool ret = false; | |
3cf6c932 | 124 | |
af1bf85a HH |
125 | update_time(); |
126 | if (streq (p[1], "NONE")) | |
127 | ret = true; | |
128 | else if (p[2] && p[3]) | |
129 | { | |
af1bf85a HH |
130 | if (streq (p[1], "HTTP")) |
131 | { | |
af1bf85a | 132 | struct http_proxy_options *ho; |
e719a053 AS |
133 | if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT ) |
134 | { | |
af1bf85a HH |
135 | msg (M_WARN, "HTTP proxy support only works for TCP based connections"); |
136 | return false; | |
137 | } | |
4f879dae | 138 | ho = init_http_proxy_options_once (&ce->http_proxy_options, gc); |
af1bf85a | 139 | ho->server = string_alloc (p[2], gc); |
076fd3e4 | 140 | ho->port = string_alloc (p[3], gc); |
af1bf85a HH |
141 | ho->retry = true; |
142 | ho->auth_retry = (p[4] && streq (p[4], "nct") ? PAR_NCT : PAR_ALL); | |
af1bf85a | 143 | ret = true; |
af1bf85a HH |
144 | } |
145 | else if (streq (p[1], "SOCKS")) | |
146 | { | |
af1bf85a | 147 | ce->socks_proxy_server = string_alloc (p[2], gc); |
076fd3e4 | 148 | ce->socks_proxy_port = p[3]; |
af1bf85a | 149 | ret = true; |
af1bf85a | 150 | } |
3cf6c932 | 151 | } |
af1bf85a HH |
152 | else |
153 | msg (M_WARN, "Bad proxy command"); | |
3cf6c932 | 154 | |
af1bf85a | 155 | ce->flags &= ~CE_MAN_QUERY_PROXY; |
3cf6c932 | 156 | |
af1bf85a | 157 | return ret; |
3cf6c932 JY |
158 | } |
159 | ||
160 | static bool | |
af1bf85a | 161 | ce_management_query_proxy (struct context *c) |
3cf6c932 | 162 | { |
3cf6c932 | 163 | const struct connection_list *l = c->options.connection_list; |
af1bf85a HH |
164 | struct connection_entry *ce = &c->options.ce; |
165 | struct gc_arena gc; | |
166 | bool ret = true; | |
3cf6c932 JY |
167 | |
168 | update_time(); | |
af1bf85a | 169 | if (management) |
3cf6c932 | 170 | { |
af1bf85a | 171 | gc = gc_new (); |
46e02127 JY |
172 | { |
173 | struct buffer out = alloc_buf_gc (256, &gc); | |
174 | buf_printf (&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, | |
175 | (proto_is_udp (ce->proto) ? "UDP" : "TCP"), np (ce->remote)); | |
176 | management_notify_generic (management, BSTR (&out)); | |
177 | } | |
af1bf85a HH |
178 | ce->flags |= CE_MAN_QUERY_PROXY; |
179 | while (ce->flags & CE_MAN_QUERY_PROXY) | |
180 | { | |
181 | management_event_loop_n_seconds (management, 1); | |
182 | if (IS_SIG (c)) | |
183 | { | |
184 | ret = false; | |
185 | break; | |
186 | } | |
187 | } | |
188 | gc_free (&gc); | |
3cf6c932 | 189 | } |
af1bf85a | 190 | |
3cf6c932 JY |
191 | return ret; |
192 | } | |
193 | ||
3cf6c932 | 194 | |
54561af6 JY |
195 | static bool |
196 | management_callback_remote_cmd (void *arg, const char **p) | |
197 | { | |
198 | struct context *c = (struct context *) arg; | |
199 | struct connection_entry *ce = &c->options.ce; | |
200 | int ret = false; | |
201 | if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
202 | { | |
203 | int flags = 0; | |
204 | if (!strcmp(p[1], "ACCEPT")) | |
205 | { | |
206 | flags = CE_MAN_QUERY_REMOTE_ACCEPT; | |
207 | ret = true; | |
208 | } | |
209 | else if (!strcmp(p[1], "SKIP")) | |
210 | { | |
211 | flags = CE_MAN_QUERY_REMOTE_SKIP; | |
212 | ret = true; | |
213 | } | |
214 | else if (!strcmp(p[1], "MOD") && p[2] && p[3]) | |
215 | { | |
076fd3e4 | 216 | if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) |
54561af6 JY |
217 | { |
218 | struct remote_host_store *rhs = c->options.rh_store; | |
219 | if (!rhs) | |
220 | { | |
221 | ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc); | |
222 | c->options.rh_store = rhs; | |
223 | } | |
224 | strncpynt(rhs->host, p[2], RH_HOST_LEN); | |
076fd3e4 AS |
225 | strncpynt(rhs->port, p[3], RH_PORT_LEN); |
226 | ||
54561af6 | 227 | ce->remote = rhs->host; |
076fd3e4 | 228 | ce->remote_port = rhs->port; |
54561af6 JY |
229 | flags = CE_MAN_QUERY_REMOTE_MOD; |
230 | ret = true; | |
231 | } | |
232 | } | |
233 | if (ret) | |
234 | { | |
235 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); | |
236 | ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT); | |
237 | } | |
238 | } | |
239 | return ret; | |
240 | } | |
241 | ||
242 | static bool | |
bb9026a6 | 243 | ce_management_query_remote (struct context *c) |
54561af6 JY |
244 | { |
245 | struct gc_arena gc = gc_new (); | |
246 | volatile struct connection_entry *ce = &c->options.ce; | |
247 | int ret = true; | |
248 | update_time(); | |
249 | if (management) | |
250 | { | |
251 | struct buffer out = alloc_buf_gc (256, &gc); | |
30077d1f | 252 | buf_printf (&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); |
54561af6 JY |
253 | management_notify_generic(management, BSTR (&out)); |
254 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); | |
255 | ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT); | |
256 | while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
257 | { | |
258 | management_event_loop_n_seconds (management, 1); | |
259 | if (IS_SIG (c)) | |
260 | { | |
261 | ret = false; | |
262 | break; | |
263 | } | |
264 | } | |
265 | } | |
266 | { | |
267 | const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); | |
54561af6 JY |
268 | ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); |
269 | } | |
270 | gc_free (&gc); | |
271 | return ret; | |
272 | } | |
cf93f0e0 | 273 | #endif /* ENABLE_MANAGEMENT */ |
54561af6 | 274 | |
4e9a51d7 JY |
275 | /* |
276 | * Initialize and possibly randomize connection list. | |
277 | */ | |
278 | static void | |
279 | init_connection_list (struct context *c) | |
280 | { | |
4e9a51d7 | 281 | struct connection_list *l = c->options.connection_list; |
23d61c56 AS |
282 | |
283 | l->current = -1; | |
284 | if (c->options.remote_random) | |
6fbf66fa | 285 | { |
23d61c56 AS |
286 | int i; |
287 | for (i = 0; i < l->len; ++i) | |
288 | { | |
289 | const int j = get_random () % l->len; | |
290 | if (i != j) | |
291 | { | |
292 | struct connection_entry *tmp; | |
293 | tmp = l->array[i]; | |
294 | l->array[i] = l->array[j]; | |
295 | l->array[j] = tmp; | |
296 | } | |
297 | } | |
6fbf66fa | 298 | } |
4e9a51d7 JY |
299 | } |
300 | ||
23d61c56 AS |
301 | /* |
302 | * Clear the remote address list | |
303 | */ | |
e719a053 | 304 | static void clear_remote_addrlist (struct link_socket_addr *lsa, bool free) |
23d61c56 | 305 | { |
e719a053 AS |
306 | if (lsa->remote_list && free) |
307 | freeaddrinfo(lsa->remote_list); | |
23d61c56 AS |
308 | lsa->remote_list = NULL; |
309 | lsa->current_remote = NULL; | |
310 | } | |
311 | ||
4e9a51d7 JY |
312 | /* |
313 | * Increment to next connection entry | |
314 | */ | |
315 | static void | |
316 | next_connection_entry (struct context *c) | |
317 | { | |
4e9a51d7 | 318 | struct connection_list *l = c->options.connection_list; |
23d61c56 AS |
319 | bool ce_defined; |
320 | struct connection_entry *ce; | |
321 | int n_cycles = 0; | |
4e9a51d7 | 322 | |
23d61c56 AS |
323 | do { |
324 | ce_defined = true; | |
325 | if (c->options.no_advance && l->current >= 0) | |
326 | { | |
327 | c->options.no_advance = false; | |
328 | } | |
329 | else | |
330 | { | |
331 | /* Check if there is another resolved address to try for | |
332 | * the current connection */ | |
333 | if (c->c1.link_socket_addr.current_remote && | |
334 | c->c1.link_socket_addr.current_remote->ai_next) | |
335 | { | |
336 | c->c1.link_socket_addr.current_remote = | |
337 | c->c1.link_socket_addr.current_remote->ai_next; | |
338 | } | |
339 | else | |
340 | { | |
341 | /* FIXME (schwabe) fix the persist-remote-ip option for real, | |
342 | * this is broken probably ever since connection lists and multiple | |
343 | * remote existed | |
344 | */ | |
23d61c56 | 345 | if (!c->options.persist_remote_ip) |
e719a053 AS |
346 | { |
347 | /* close_instance should have cleared the addrinfo objects */ | |
348 | ASSERT (c->c1.link_socket_addr.current_remote == NULL); | |
349 | ASSERT (c->c1.link_socket_addr.remote_list == NULL); | |
350 | } | |
23d61c56 AS |
351 | else |
352 | c->c1.link_socket_addr.current_remote = | |
353 | c->c1.link_socket_addr.remote_list; | |
354 | ||
355 | /* | |
356 | * Increase the number of connection attempts | |
357 | * If this is connect-retry-max * size(l) | |
358 | * OpenVPN will quit | |
359 | */ | |
360 | ||
361 | c->options.unsuccessful_attempts++; | |
362 | ||
363 | if (++l->current >= l->len) | |
364 | { | |
365 | ||
366 | l->current = 0; | |
367 | if (++n_cycles >= 2) | |
368 | msg (M_FATAL, "No usable connection profiles are present"); | |
369 | } | |
370 | } | |
371 | } | |
3cf6c932 | 372 | |
23d61c56 | 373 | ce = l->array[l->current]; |
3cf6c932 | 374 | |
23d61c56 AS |
375 | if (ce->flags & CE_DISABLED) |
376 | ce_defined = false; | |
3cf6c932 | 377 | |
23d61c56 | 378 | c->options.ce = *ce; |
cf93f0e0 | 379 | #ifdef ENABLE_MANAGEMENT |
23d61c56 AS |
380 | if (ce_defined && management && management_query_remote_enabled(management)) |
381 | { | |
382 | /* allow management interface to override connection entry details */ | |
383 | ce_defined = ce_management_query_remote(c); | |
384 | if (IS_SIG (c)) | |
385 | break; | |
386 | } | |
387 | else | |
cf93f0e0 | 388 | #endif |
3cf6c932 | 389 | |
af1bf85a | 390 | #ifdef ENABLE_MANAGEMENT |
23d61c56 AS |
391 | if (ce_defined && management && management_query_proxy_enabled (management)) |
392 | { | |
393 | ce_defined = ce_management_query_proxy (c); | |
394 | if (IS_SIG (c)) | |
395 | break; | |
396 | } | |
3cf6c932 | 397 | #endif |
23d61c56 AS |
398 | } while (!ce_defined); |
399 | ||
400 | /* Check if this connection attempt would bring us over the limit */ | |
401 | if (c->options.connect_retry_max > 0 && | |
402 | c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) | |
403 | msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", | |
404 | c->options.connect_retry_max); | |
4e9a51d7 | 405 | update_options_ce_post (&c->options); |
6fbf66fa JY |
406 | } |
407 | ||
92bbb061 JY |
408 | /* |
409 | * Query for private key and auth-user-pass username/passwords | |
410 | */ | |
315f6fbc SK |
411 | void |
412 | init_query_passwords (const struct context *c) | |
92bbb061 | 413 | { |
ec828db6 | 414 | #ifdef ENABLE_CRYPTO |
92bbb061 JY |
415 | /* Certificate password input */ |
416 | if (c->options.key_pass_file) | |
417 | pem_password_setup (c->options.key_pass_file); | |
418 | #endif | |
419 | ||
420 | #if P2MP | |
421 | /* Auth user/pass input */ | |
422 | if (c->options.auth_user_pass_file) | |
eab3e22f JY |
423 | { |
424 | #ifdef ENABLE_CLIENT_CR | |
425 | auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info); | |
426 | #else | |
427 | auth_user_pass_setup (c->options.auth_user_pass_file, NULL); | |
428 | #endif | |
429 | } | |
92bbb061 JY |
430 | #endif |
431 | } | |
432 | ||
4e9a51d7 JY |
433 | /* |
434 | * Initialize/Uninitialize HTTP or SOCKS proxy | |
435 | */ | |
436 | ||
4e9a51d7 JY |
437 | static void |
438 | uninit_proxy_dowork (struct context *c) | |
439 | { | |
4e9a51d7 JY |
440 | if (c->c1.http_proxy_owned && c->c1.http_proxy) |
441 | { | |
442 | http_proxy_close (c->c1.http_proxy); | |
443 | c->c1.http_proxy = NULL; | |
444 | c->c1.http_proxy_owned = false; | |
445 | } | |
4e9a51d7 JY |
446 | if (c->c1.socks_proxy_owned && c->c1.socks_proxy) |
447 | { | |
448 | socks_proxy_close (c->c1.socks_proxy); | |
449 | c->c1.socks_proxy = NULL; | |
450 | c->c1.socks_proxy_owned = false; | |
451 | } | |
4e9a51d7 JY |
452 | } |
453 | ||
454 | static void | |
455 | init_proxy_dowork (struct context *c) | |
6fbf66fa | 456 | { |
f214bb21 | 457 | bool did_http = false; |
f214bb21 | 458 | |
4e9a51d7 JY |
459 | uninit_proxy_dowork (c); |
460 | ||
8e1975b0 | 461 | if (c->options.ce.http_proxy_options) |
4e9a51d7 JY |
462 | { |
463 | /* Possible HTTP proxy user/pass input */ | |
8e1975b0 | 464 | c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options); |
4e9a51d7 JY |
465 | if (c->c1.http_proxy) |
466 | { | |
467 | did_http = true; | |
468 | c->c1.http_proxy_owned = true; | |
469 | } | |
470 | } | |
4e9a51d7 | 471 | |
a4b8f653 | 472 | if (!did_http && c->options.ce.socks_proxy_server) |
4e9a51d7 JY |
473 | { |
474 | c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server, | |
475 | c->options.ce.socks_proxy_port, | |
fc1fa9ff | 476 | c->options.ce.socks_proxy_authfile, |
8e1975b0 | 477 | c->options.ce.socks_proxy_retry); |
4e9a51d7 JY |
478 | if (c->c1.socks_proxy) |
479 | { | |
480 | c->c1.socks_proxy_owned = true; | |
481 | } | |
482 | } | |
4e9a51d7 JY |
483 | } |
484 | ||
485 | static void | |
23d61c56 | 486 | init_proxy (struct context *c) |
4e9a51d7 | 487 | { |
23d61c56 | 488 | init_proxy_dowork (c); |
4e9a51d7 JY |
489 | } |
490 | ||
491 | static void | |
492 | uninit_proxy (struct context *c) | |
493 | { | |
23d61c56 | 494 | uninit_proxy_dowork (c); |
4e9a51d7 JY |
495 | } |
496 | ||
4e9a51d7 JY |
497 | void |
498 | context_init_1 (struct context *c) | |
499 | { | |
6fbf66fa JY |
500 | context_clear_1 (c); |
501 | ||
502 | packet_id_persist_init (&c->c1.pid_persist); | |
4e9a51d7 JY |
503 | |
504 | init_connection_list (c); | |
6fbf66fa | 505 | |
ce98fd24 | 506 | #if defined(ENABLE_PKCS11) |
06d92b29 | 507 | if (c->first_time) { |
ce98fd24 | 508 | int i; |
18597b93 | 509 | pkcs11_initialize (true, c->options.pkcs11_pin_cache_period); |
ce98fd24 | 510 | for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++) |
18597b93 | 511 | pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], |
718526e0 | 512 | c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); |
ce98fd24 JY |
513 | } |
514 | #endif | |
984cf003 | 515 | |
c67d59cd | 516 | #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ |
dd1047f5 JY |
517 | { |
518 | /* | |
519 | * In the management interface, you can okay the request by entering "needok token-insertion-request ok" | |
520 | */ | |
521 | struct user_pass up; | |
522 | CLEAR (up); | |
523 | strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ | |
524 | get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); | |
525 | msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface | |
526 | 'needok' command, usually 'ok' or 'cancel'. */ | |
527 | } | |
528 | #endif | |
529 | ||
6fbf66fa JY |
530 | } |
531 | ||
532 | void | |
533 | context_gc_free (struct context *c) | |
534 | { | |
535 | gc_free (&c->c2.gc); | |
536 | gc_free (&c->options.gc); | |
537 | gc_free (&c->gc); | |
538 | } | |
539 | ||
6add6b2f JY |
540 | #if PORT_SHARE |
541 | ||
542 | static void | |
543 | close_port_share (void) | |
544 | { | |
545 | if (port_share) | |
546 | { | |
547 | port_share_close (port_share); | |
548 | port_share = NULL; | |
549 | } | |
550 | } | |
551 | ||
552 | static void | |
553 | init_port_share (struct context *c) | |
554 | { | |
555 | if (!port_share && (c->options.port_share_host && c->options.port_share_port)) | |
556 | { | |
557 | port_share = port_share_open (c->options.port_share_host, | |
1c5ff772 JY |
558 | c->options.port_share_port, |
559 | MAX_RW_SIZE_LINK (&c->c2.frame), | |
560 | c->options.port_share_journal_dir); | |
6add6b2f JY |
561 | if (port_share == NULL) |
562 | msg (M_FATAL, "Fatal error: Port sharing failed"); | |
563 | } | |
564 | } | |
565 | ||
566 | #endif | |
567 | ||
6fbf66fa JY |
568 | bool |
569 | init_static (void) | |
570 | { | |
5a2e9a25 | 571 | /* configure_path (); */ |
c67d59cd | 572 | |
9b33b5a4 | 573 | #if defined(ENABLE_CRYPTO) && defined(DMALLOC) |
b01cb9ef | 574 | crypto_init_dmalloc(); |
6fbf66fa JY |
575 | #endif |
576 | ||
577 | init_random_seed (); /* init random() function, only used as | |
578 | source for weak random numbers */ | |
579 | error_reset (); /* initialize error.c */ | |
580 | reset_check_status (); /* initialize status check code in socket.c */ | |
581 | ||
582 | #ifdef WIN32 | |
583 | init_win32 (); | |
584 | #endif | |
585 | ||
586 | #ifdef OPENVPN_DEBUG_COMMAND_LINE | |
587 | { | |
588 | int i; | |
589 | for (i = 0; i < argc; ++i) | |
590 | msg (M_INFO, "argv[%d] = '%s'", i, argv[i]); | |
591 | } | |
592 | #endif | |
593 | ||
594 | update_time (); | |
595 | ||
9b33b5a4 | 596 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
597 | init_ssl_lib (); |
598 | ||
599 | /* init PRNG used for IV generation */ | |
600 | /* When forking, copy this to more places in the code to avoid fork | |
601 | random-state predictability */ | |
03bfb228 | 602 | prng_init (NULL, 0); |
6fbf66fa JY |
603 | #endif |
604 | ||
605 | #ifdef PID_TEST | |
606 | packet_id_interactive_test (); /* test the sequence number code */ | |
607 | return false; | |
608 | #endif | |
609 | ||
610 | #ifdef SCHEDULE_TEST | |
611 | schedule_test (); | |
612 | return false; | |
613 | #endif | |
614 | ||
615 | #ifdef LIST_TEST | |
616 | list_test (); | |
617 | return false; | |
618 | #endif | |
619 | ||
620 | #ifdef IFCONFIG_POOL_TEST | |
621 | ifconfig_pool_test (0x0A010004, 0x0A0100FF); | |
622 | return false; | |
623 | #endif | |
624 | ||
625 | #ifdef CHARACTER_CLASS_DEBUG | |
626 | character_class_debug (); | |
627 | return false; | |
628 | #endif | |
629 | ||
630 | #ifdef EXTRACT_X509_FIELD_TEST | |
631 | extract_x509_field_test (); | |
632 | return false; | |
633 | #endif | |
634 | ||
428b8279 JY |
635 | #ifdef TIME_TEST |
636 | time_test (); | |
637 | return false; | |
638 | #endif | |
639 | ||
6a8ea970 JY |
640 | #ifdef TEST_GET_DEFAULT_GATEWAY |
641 | { | |
7fb0e07e | 642 | struct route_gateway_info rgi; |
d8a8656f | 643 | struct route_ipv6_gateway_info rgi6; |
7fb0e07e | 644 | get_default_gateway(&rgi); |
d8a8656f GD |
645 | get_default_gateway_ipv6(&rgi6, NULL); |
646 | print_default_gateway(M_INFO, &rgi, &rgi6); | |
6a8ea970 JY |
647 | return false; |
648 | } | |
649 | #endif | |
650 | ||
6cd276ba | 651 | #ifdef GEN_PATH_TEST |
ddad0a8c JY |
652 | { |
653 | struct gc_arena gc = gc_new (); | |
654 | const char *fn = gen_path ("foo", | |
655 | "bar", | |
656 | &gc); | |
657 | printf ("%s\n", fn); | |
658 | gc_free (&gc); | |
659 | } | |
6cd276ba JY |
660 | return false; |
661 | #endif | |
ddad0a8c | 662 | |
6cd276ba JY |
663 | #ifdef STATUS_PRINTF_TEST |
664 | { | |
665 | struct gc_arena gc = gc_new (); | |
495e3cec | 666 | const char *tmp_file = create_temp_file ("/tmp", "foo", &gc); |
6cd276ba JY |
667 | struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); |
668 | status_printf (so, "%s", "foo"); | |
669 | status_printf (so, "%s", "bar"); | |
670 | if (!status_close (so)) | |
671 | msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); | |
672 | gc_free (&gc); | |
673 | } | |
ddad0a8c JY |
674 | return false; |
675 | #endif | |
676 | ||
26bb4c74 JY |
677 | #ifdef ARGV_TEST |
678 | { | |
679 | void argv_test (void); | |
680 | argv_test (); | |
681 | return false; | |
682 | } | |
683 | #endif | |
684 | ||
03bfb228 JY |
685 | #ifdef PRNG_TEST |
686 | { | |
687 | struct gc_arena gc = gc_new (); | |
688 | uint8_t rndbuf[8]; | |
689 | int i; | |
690 | prng_init ("sha1", 16); | |
cc8dd144 | 691 | /*prng_init (NULL, 0);*/ |
03bfb228 JY |
692 | const int factor = 1; |
693 | for (i = 0; i < factor * 8; ++i) | |
694 | { | |
695 | #if 1 | |
696 | prng_bytes (rndbuf, sizeof (rndbuf)); | |
697 | #else | |
6825182b | 698 | ASSERT(rand_bytes (rndbuf, sizeof (rndbuf))); |
03bfb228 JY |
699 | #endif |
700 | printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc)); | |
701 | } | |
702 | gc_free (&gc); | |
703 | prng_uninit (); | |
704 | return false; | |
705 | } | |
706 | #endif | |
707 | ||
7e1c085d JY |
708 | #ifdef BUFFER_LIST_AGGREGATE_TEST |
709 | /* test buffer_list_aggregate function */ | |
710 | { | |
711 | static const char *text[] = { | |
712 | "It was a bright cold day in April, ", | |
713 | "and the clocks were striking ", | |
714 | "thirteen. ", | |
715 | "Winston Smith, ", | |
716 | "his chin nuzzled into his breast in an ", | |
717 | "effort to escape the vile wind, ", | |
718 | "slipped quickly through the glass doors ", | |
719 | "of Victory Mansions, though not quickly ", | |
720 | "enough to prevent a swirl of gritty dust from ", | |
721 | "entering along with him." | |
722 | }; | |
723 | ||
724 | int iter, listcap; | |
725 | for (listcap = 0; listcap < 12; ++listcap) | |
726 | { | |
727 | for (iter = 0; iter < 512; ++iter) | |
728 | { | |
729 | struct buffer_list *bl = buffer_list_new(listcap); | |
730 | { | |
731 | int i; | |
732 | for (i = 0; i < SIZE(text); ++i) | |
733 | buffer_list_push(bl, (unsigned char *)text[i]); | |
734 | } | |
735 | printf("[cap=%d i=%d] *************************\n", listcap, iter); | |
736 | if (!(iter & 8)) | |
737 | buffer_list_aggregate(bl, iter/2); | |
738 | if (!(iter & 16)) | |
739 | buffer_list_push(bl, (unsigned char *)"Even more text..."); | |
740 | buffer_list_aggregate(bl, iter); | |
741 | if (!(iter & 1)) | |
742 | buffer_list_push(bl, (unsigned char *)"More text..."); | |
743 | { | |
744 | struct buffer *buf; | |
745 | while ((buf = buffer_list_peek(bl))) | |
746 | { | |
747 | int c; | |
748 | printf ("'"); | |
749 | while ((c = buf_read_u8(buf)) >= 0) | |
750 | putchar(c); | |
751 | printf ("'\n"); | |
752 | buffer_list_advance(bl, 0); | |
753 | } | |
754 | } | |
755 | buffer_list_free(bl); | |
756 | } | |
757 | } | |
758 | return false; | |
759 | } | |
760 | #endif | |
761 | ||
ffea644c JY |
762 | #ifdef MSTATS_TEST |
763 | { | |
764 | int i; | |
765 | mstats_open("/dev/shm/mstats.dat"); | |
766 | for (i = 0; i < 30; ++i) | |
767 | { | |
768 | mmap_stats->n_clients += 1; | |
769 | mmap_stats->link_write_bytes += 8; | |
770 | mmap_stats->link_read_bytes += 16; | |
771 | sleep(1); | |
772 | } | |
773 | mstats_close(); | |
774 | return false; | |
775 | } | |
776 | #endif | |
777 | ||
6fbf66fa JY |
778 | return true; |
779 | } | |
780 | ||
781 | void | |
782 | uninit_static (void) | |
783 | { | |
9b33b5a4 | 784 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 785 | free_ssl_lib (); |
6835555e | 786 | #endif |
ce98fd24 | 787 | |
ce98fd24 | 788 | #ifdef ENABLE_PKCS11 |
984cf003 | 789 | pkcs11_terminate (); |
ce98fd24 | 790 | #endif |
6fbf66fa | 791 | |
6add6b2f JY |
792 | #if PORT_SHARE |
793 | close_port_share (); | |
794 | #endif | |
795 | ||
ec828db6 | 796 | #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(ENABLE_CRYPTO) |
6fbf66fa JY |
797 | show_tls_performance_stats (); |
798 | #endif | |
799 | } | |
800 | ||
801 | void | |
802 | init_verb_mute (struct context *c, unsigned int flags) | |
803 | { | |
804 | if (flags & IVM_LEVEL_1) | |
805 | { | |
806 | /* set verbosity and mute levels */ | |
807 | set_check_status (D_LINK_ERRORS, D_READ_WRITE); | |
808 | set_debug_level (c->options.verbosity, SDL_CONSTRAIN); | |
809 | set_mute_cutoff (c->options.mute); | |
810 | } | |
811 | ||
812 | /* special D_LOG_RW mode */ | |
813 | if (flags & IVM_LEVEL_2) | |
814 | c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1)); | |
815 | } | |
816 | ||
817 | /* | |
818 | * Possibly set --dev based on --dev-node. | |
819 | * For example, if --dev-node /tmp/foo/tun, and --dev undefined, | |
820 | * set --dev to tun. | |
821 | */ | |
822 | void | |
823 | init_options_dev (struct options *options) | |
824 | { | |
ec302f70 | 825 | if (!options->dev && options->dev_node) { |
ddc7692d | 826 | char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */ |
ec302f70 DS |
827 | options->dev = basename (dev_node); |
828 | } | |
6fbf66fa JY |
829 | } |
830 | ||
831 | bool | |
832 | print_openssl_info (const struct options *options) | |
833 | { | |
834 | /* | |
835 | * OpenSSL info print mode? | |
836 | */ | |
9b33b5a4 | 837 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 838 | if (options->show_ciphers || options->show_digests || options->show_engines |
ec828db6 | 839 | || options->show_tls_ciphers || options->show_curves) |
6fbf66fa JY |
840 | { |
841 | if (options->show_ciphers) | |
842 | show_available_ciphers (); | |
843 | if (options->show_digests) | |
844 | show_available_digests (); | |
845 | if (options->show_engines) | |
846 | show_available_engines (); | |
6fbf66fa | 847 | if (options->show_tls_ciphers) |
cb03dca8 | 848 | show_available_tls_ciphers (options->cipher_list); |
609e8131 SK |
849 | if (options->show_curves) |
850 | show_available_curves(); | |
6fbf66fa JY |
851 | return true; |
852 | } | |
853 | #endif | |
854 | return false; | |
855 | } | |
856 | ||
857 | /* | |
858 | * Static pre-shared key generation mode? | |
859 | */ | |
860 | bool | |
861 | do_genkey (const struct options * options) | |
862 | { | |
9b33b5a4 | 863 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
864 | if (options->genkey) |
865 | { | |
866 | int nbits_written; | |
867 | ||
868 | notnull (options->shared_secret_file, | |
869 | "shared secret output file (--secret)"); | |
870 | ||
871 | if (options->mlock) /* should we disable paging? */ | |
14a131ac | 872 | platform_mlockall (true); |
6fbf66fa JY |
873 | |
874 | nbits_written = write_key_file (2, options->shared_secret_file); | |
875 | ||
876 | msg (D_GENKEY | M_NOPREFIX, | |
877 | "Randomly generated %d bit key written to %s", nbits_written, | |
878 | options->shared_secret_file); | |
879 | return true; | |
880 | } | |
881 | #endif | |
882 | return false; | |
883 | } | |
884 | ||
885 | /* | |
886 | * Persistent TUN/TAP device management mode? | |
887 | */ | |
888 | bool | |
889 | do_persist_tuntap (const struct options *options) | |
890 | { | |
6fbf66fa JY |
891 | if (options->persist_config) |
892 | { | |
893 | /* sanity check on options for --mktun or --rmtun */ | |
894 | notnull (options->dev, "TUN/TAP device (--dev)"); | |
4e9a51d7 | 895 | if (options->ce.remote || options->ifconfig_local |
6fbf66fa | 896 | || options->ifconfig_remote_netmask |
9b33b5a4 | 897 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 898 | || options->shared_secret_file |
6fbf66fa | 899 | || options->tls_server || options->tls_client |
6fbf66fa JY |
900 | #endif |
901 | ) | |
902 | msg (M_FATAL|M_OPTERR, | |
903 | "options --mktun or --rmtun should only be used together with --dev"); | |
4ad2b65d | 904 | #ifdef ENABLE_FEATURE_TUN_PERSIST |
6fbf66fa | 905 | tuncfg (options->dev, options->dev_type, options->dev_node, |
b52c5256 | 906 | options->persist_mode, |
0aee9ca7 | 907 | options->username, options->groupname, &options->tuntap_options); |
e12fe286 JY |
908 | if (options->persist_mode && options->lladdr) |
909 | set_lladdr(options->dev, options->lladdr, NULL); | |
6fbf66fa | 910 | return true; |
4ad2b65d GD |
911 | #else |
912 | msg( M_FATAL|M_OPTERR, | |
913 | "options --mktun and --rmtun are not available on your operating " | |
914 | "system. Please check 'man tun' (or 'tap'), whether your system " | |
915 | "supports using 'ifconfig %s create' / 'destroy' to create/remove " | |
916 | "persistant tunnel interfaces.", options->dev ); | |
6fbf66fa | 917 | #endif |
4ad2b65d | 918 | } |
6fbf66fa JY |
919 | return false; |
920 | } | |
921 | ||
922 | /* | |
923 | * Should we become a daemon? | |
924 | * Return true if we did it. | |
925 | */ | |
da9b2927 | 926 | bool |
857c04ef | 927 | possibly_become_daemon (const struct options *options) |
6fbf66fa JY |
928 | { |
929 | bool ret = false; | |
857c04ef | 930 | if (options->daemon) |
6fbf66fa JY |
931 | { |
932 | ASSERT (!options->inetd); | |
da9b2927 SK |
933 | /* Don't chdir immediately, but the end of the init sequence, if needed */ |
934 | if (daemon (1, options->log) < 0) | |
7b49c167 | 935 | msg (M_ERR, "daemon() failed or unsupported"); |
225d5fe9 | 936 | restore_signal_state (); |
6fbf66fa JY |
937 | if (options->log) |
938 | set_std_files_to_null (true); | |
6835555e | 939 | |
6fbf66fa JY |
940 | ret = true; |
941 | } | |
942 | return ret; | |
943 | } | |
944 | ||
945 | /* | |
99385447 | 946 | * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. |
6fbf66fa JY |
947 | */ |
948 | static void | |
949 | do_uid_gid_chroot (struct context *c, bool no_delay) | |
950 | { | |
951 | static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; | |
92bbb061 | 952 | struct context_0 *c0 = c->c0; |
6fbf66fa | 953 | |
825b3272 | 954 | if (c0 && !c0->uid_gid_chroot_set) |
6fbf66fa JY |
955 | { |
956 | /* chroot if requested */ | |
957 | if (c->options.chroot_dir) | |
958 | { | |
959 | if (no_delay) | |
14a131ac | 960 | platform_chroot (c->options.chroot_dir); |
825b3272 | 961 | else if (c->first_time) |
6fbf66fa JY |
962 | msg (M_INFO, "NOTE: chroot %s", why_not); |
963 | } | |
964 | ||
825b3272 LK |
965 | /* set user and/or group if we want to setuid/setgid */ |
966 | if (c0->uid_gid_specified) | |
6fbf66fa | 967 | { |
825b3272 LK |
968 | if (no_delay) { |
969 | platform_group_set (&c0->platform_state_group); | |
970 | platform_user_set (&c0->platform_state_user); | |
971 | } | |
972 | else if (c->first_time) | |
973 | msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not); | |
6fbf66fa | 974 | } |
99385447 | 975 | |
ffea644c | 976 | #ifdef ENABLE_MEMSTATS |
825b3272 | 977 | if (c->first_time && c->options.memstats_fn) |
ffea644c JY |
978 | mstats_open(c->options.memstats_fn); |
979 | #endif | |
980 | ||
cd5990e0 | 981 | #ifdef ENABLE_SELINUX |
99385447 JY |
982 | /* Apply a SELinux context in order to restrict what OpenVPN can do |
983 | * to _only_ what it is supposed to do after initialization is complete | |
984 | * (basically just network I/O operations). Doing it after chroot | |
985 | * requires /proc to be mounted in the chroot (which is annoying indeed | |
986 | * but doing it before requires more complex SELinux policies. | |
987 | */ | |
988 | if (c->options.selinux_context) | |
989 | { | |
990 | if (no_delay) { | |
991 | if (-1 == setcon (c->options.selinux_context)) | |
992 | msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); | |
993 | else | |
994 | msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); | |
995 | } | |
825b3272 | 996 | else if (c->first_time) |
99385447 JY |
997 | msg (M_INFO, "NOTE: setcon %s", why_not); |
998 | } | |
999 | #endif | |
825b3272 LK |
1000 | |
1001 | /* Privileges are going to be dropped by now (if requested), be sure | |
1002 | * to prevent any future privilege dropping attempts from now on. | |
1003 | */ | |
1004 | if (no_delay) | |
1005 | c0->uid_gid_chroot_set = true; | |
6fbf66fa JY |
1006 | } |
1007 | } | |
1008 | ||
1009 | /* | |
1010 | * Return common name in a way that is formatted for | |
1011 | * prepending to msg() output. | |
1012 | */ | |
1013 | const char * | |
1014 | format_common_name (struct context *c, struct gc_arena *gc) | |
1015 | { | |
1016 | struct buffer out = alloc_buf_gc (256, gc); | |
ec828db6 | 1017 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
1018 | if (c->c2.tls_multi) |
1019 | { | |
1020 | buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false)); | |
1021 | } | |
1022 | #endif | |
1023 | return BSTR (&out); | |
1024 | } | |
1025 | ||
1026 | void | |
1027 | pre_setup (const struct options *options) | |
1028 | { | |
1029 | #ifdef WIN32 | |
1030 | if (options->exit_event_name) | |
1031 | { | |
1032 | win32_signal_open (&win32_signal, | |
1033 | WSO_FORCE_SERVICE, | |
1034 | options->exit_event_name, | |
1035 | options->exit_event_initial_state); | |
1036 | } | |
1037 | else | |
1038 | { | |
1039 | win32_signal_open (&win32_signal, | |
1040 | WSO_FORCE_CONSOLE, | |
1041 | NULL, | |
1042 | false); | |
1043 | ||
1044 | /* put a title on the top window bar */ | |
1045 | if (win32_signal.mode == WSO_MODE_CONSOLE) | |
1046 | { | |
1047 | window_title_save (&window_title); | |
1048 | window_title_generate (options->config); | |
1049 | } | |
1050 | } | |
1051 | #endif | |
1052 | } | |
1053 | ||
1054 | void | |
1055 | reset_coarse_timers (struct context *c) | |
1056 | { | |
1057 | c->c2.coarse_timer_wakeup = 0; | |
1058 | } | |
1059 | ||
1060 | /* | |
1061 | * Initialize timers | |
1062 | */ | |
1063 | static void | |
1064 | do_init_timers (struct context *c, bool deferred) | |
1065 | { | |
1066 | update_time (); | |
1067 | reset_coarse_timers (c); | |
1068 | ||
1069 | /* initialize inactivity timeout */ | |
1070 | if (c->options.inactivity_timeout) | |
1071 | event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now); | |
1072 | ||
1073 | /* initialize pings */ | |
1074 | ||
1075 | if (c->options.ping_send_timeout) | |
1076 | event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); | |
1077 | ||
1078 | if (c->options.ping_rec_timeout) | |
1079 | event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); | |
1080 | ||
e1e977f3 JY |
1081 | #if P2MP |
1082 | if (c->options.server_poll_timeout) | |
1083 | event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now); | |
1084 | #endif | |
1085 | ||
6fbf66fa JY |
1086 | if (!deferred) |
1087 | { | |
1088 | /* initialize connection establishment timer */ | |
1089 | event_timeout_init (&c->c2.wait_for_connect, 1, now); | |
1090 | ||
1091 | #ifdef ENABLE_OCC | |
1092 | /* initialize occ timers */ | |
1093 | ||
1094 | if (c->options.occ | |
1095 | && !TLS_MODE (c) | |
1096 | && c->c2.options_string_local && c->c2.options_string_remote) | |
1097 | event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); | |
1098 | ||
1099 | if (c->options.mtu_test) | |
1100 | event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); | |
1101 | #endif | |
1102 | ||
1103 | /* initialize packet_id persistence timer */ | |
9b33b5a4 | 1104 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
1105 | if (c->options.packet_id_file) |
1106 | event_timeout_init (&c->c2.packet_id_persist_interval, 60, now); | |
6fbf66fa | 1107 | |
6fbf66fa JY |
1108 | /* initialize tmp_int optimization that limits the number of times we call |
1109 | tls_multi_process in the main event loop */ | |
1110 | interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); | |
1111 | #endif | |
1112 | } | |
1113 | } | |
1114 | ||
1115 | /* | |
1116 | * Initialize traffic shaper. | |
1117 | */ | |
1118 | static void | |
1119 | do_init_traffic_shaper (struct context *c) | |
1120 | { | |
3d163bc5 | 1121 | #ifdef ENABLE_FEATURE_SHAPER |
6fbf66fa JY |
1122 | /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ |
1123 | if (c->options.shaper) | |
1124 | { | |
1125 | shaper_init (&c->c2.shaper, c->options.shaper); | |
1126 | shaper_msg (&c->c2.shaper); | |
1127 | } | |
1128 | #endif | |
1129 | } | |
1130 | ||
1131 | /* | |
eb95f367 GD |
1132 | * Allocate route list structures for IPv4 and IPv6 |
1133 | * (we do this for IPv4 even if no --route option has been seen, as other | |
1134 | * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) | |
6fbf66fa JY |
1135 | */ |
1136 | static void | |
1137 | do_alloc_route_list (struct context *c) | |
1138 | { | |
eb95f367 | 1139 | if (!c->c1.route_list) |
d0085293 | 1140 | ALLOC_OBJ_CLEAR_GC (c->c1.route_list, struct route_list, &c->gc); |
512cda46 | 1141 | if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) |
d0085293 | 1142 | ALLOC_OBJ_CLEAR_GC (c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc); |
6fbf66fa JY |
1143 | } |
1144 | ||
1145 | ||
1146 | /* | |
1147 | * Initialize the route list, resolving any DNS names in route | |
1148 | * options and saving routes in the environment. | |
1149 | */ | |
1150 | static void | |
1151 | do_init_route_list (const struct options *options, | |
1152 | struct route_list *route_list, | |
1153 | const struct link_socket_info *link_socket_info, | |
1154 | bool fatal, | |
1155 | struct env_set *es) | |
1156 | { | |
1157 | const char *gw = NULL; | |
1158 | int dev = dev_type_enum (options->dev, options->dev_type); | |
40ac3d7a | 1159 | int metric = 0; |
6fbf66fa | 1160 | |
3c7f2f55 | 1161 | if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) |
6fbf66fa JY |
1162 | gw = options->ifconfig_remote_netmask; |
1163 | if (options->route_default_gateway) | |
1164 | gw = options->route_default_gateway; | |
40ac3d7a JY |
1165 | if (options->route_default_metric) |
1166 | metric = options->route_default_metric; | |
6fbf66fa JY |
1167 | |
1168 | if (!init_route_list (route_list, | |
1169 | options->routes, | |
1170 | gw, | |
40ac3d7a | 1171 | metric, |
6fbf66fa JY |
1172 | link_socket_current_remote (link_socket_info), |
1173 | es)) | |
1174 | { | |
1175 | if (fatal) | |
1176 | openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ | |
1177 | } | |
1178 | else | |
1179 | { | |
1180 | /* copy routes to environment */ | |
1181 | setenv_routes (es, route_list); | |
1182 | } | |
1183 | } | |
1184 | ||
512cda46 GD |
1185 | static void |
1186 | do_init_route_ipv6_list (const struct options *options, | |
1187 | struct route_ipv6_list *route_ipv6_list, | |
3ddb5643 | 1188 | const struct link_socket_info *link_socket_info, |
512cda46 GD |
1189 | bool fatal, |
1190 | struct env_set *es) | |
1191 | { | |
1192 | const char *gw = NULL; | |
c37d9135 | 1193 | int metric = -1; /* no metric set */ |
512cda46 | 1194 | |
512cda46 GD |
1195 | gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ |
1196 | #if 0 /* not yet done for IPv6 - TODO!*/ | |
1197 | if ( options->route_ipv6_default_gateway ) /* override? */ | |
1198 | gw = options->route_ipv6_default_gateway; | |
1199 | #endif | |
1200 | ||
1201 | if (options->route_default_metric) | |
1202 | metric = options->route_default_metric; | |
1203 | ||
d227929b GD |
1204 | /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics |
1205 | */ | |
1206 | if ( options->routes_ipv6->flags & RG_REROUTE_GW ) | |
1207 | { | |
1208 | char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; | |
1209 | int i; | |
1210 | ||
1211 | for (i=0; opt_list[i]; i++) | |
1212 | { | |
1213 | add_route_ipv6_to_option_list( options->routes_ipv6, | |
1214 | string_alloc (opt_list[i], options->routes_ipv6->gc), | |
1215 | NULL, NULL ); | |
1216 | } | |
1217 | } | |
1218 | ||
512cda46 GD |
1219 | if (!init_route_ipv6_list (route_ipv6_list, |
1220 | options->routes_ipv6, | |
1221 | gw, | |
1222 | metric, | |
3ddb5643 | 1223 | link_socket_current_remote_ipv6 (link_socket_info), |
512cda46 GD |
1224 | es)) |
1225 | { | |
1226 | if (fatal) | |
1227 | openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */ | |
1228 | } | |
1229 | else | |
1230 | { | |
1231 | /* copy routes to environment */ | |
1232 | setenv_routes_ipv6 (es, route_ipv6_list); | |
1233 | } | |
1234 | } | |
1235 | ||
1236 | ||
6fbf66fa JY |
1237 | /* |
1238 | * Called after all initialization has been completed. | |
1239 | */ | |
1240 | void | |
1241 | initialization_sequence_completed (struct context *c, const unsigned int flags) | |
1242 | { | |
1243 | static const char message[] = "Initialization Sequence Completed"; | |
1244 | ||
23d61c56 AS |
1245 | /* Reset the unsuccessful connection counter on complete initialisation */ |
1246 | c->options.unsuccessful_attempts=0; | |
1247 | ||
6fbf66fa JY |
1248 | /* If we delayed UID/GID downgrade or chroot, do it now */ |
1249 | do_uid_gid_chroot (c, true); | |
1250 | ||
1251 | /* Test if errors */ | |
1252 | if (flags & ISC_ERRORS) | |
a9c802b2 | 1253 | { |
6fbf66fa | 1254 | #ifdef WIN32 |
a9c802b2 JY |
1255 | show_routes (M_INFO|M_NOPREFIX); |
1256 | show_adapters (M_INFO|M_NOPREFIX); | |
1257 | msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); | |
6fbf66fa | 1258 | #else |
a9c802b2 | 1259 | msg (M_INFO, "%s With Errors", message); |
6fbf66fa | 1260 | #endif |
a9c802b2 | 1261 | } |
6fbf66fa JY |
1262 | else |
1263 | msg (M_INFO, "%s", message); | |
1264 | ||
23d61c56 AS |
1265 | /* Flag that we initialized */ |
1266 | if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) | |
1267 | c->options.no_advance=true; | |
6fbf66fa | 1268 | |
b90c6f17 JY |
1269 | #ifdef WIN32 |
1270 | fork_register_dns_action (c->c1.tuntap); | |
1271 | #endif | |
1272 | ||
6fbf66fa JY |
1273 | #ifdef ENABLE_MANAGEMENT |
1274 | /* Tell management interface that we initialized */ | |
1275 | if (management) | |
1276 | { | |
2191c471 HH |
1277 | in_addr_t *tun_local = NULL; |
1278 | struct in6_addr *tun_local6 = NULL; | |
1279 | struct openvpn_sockaddr local, remote; | |
1280 | struct link_socket_actual *actual; | |
1281 | socklen_t sa_len = sizeof(local); | |
6fbf66fa | 1282 | const char *detail = "SUCCESS"; |
6fbf66fa | 1283 | if (flags & ISC_ERRORS) |
2191c471 HH |
1284 | detail = "ERROR"; |
1285 | ||
1286 | CLEAR (local); | |
1287 | actual = &get_link_socket_info(c)->lsa->actual; | |
1288 | remote = actual->dest; | |
1289 | getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len); | |
1290 | #if ENABLE_IP_PKTINFO | |
1291 | if (!addr_defined(&local)) | |
1292 | { | |
1293 | switch (local.addr.sa.sa_family) | |
1294 | { | |
1295 | case AF_INET: | |
1296 | local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst; | |
1297 | break; | |
1298 | case AF_INET6: | |
1299 | local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr; | |
1300 | break; | |
1301 | } | |
1302 | } | |
1303 | #endif | |
1304 | ||
1305 | if (c->c1.tuntap) | |
1306 | { | |
1307 | tun_local = &c->c1.tuntap->local; | |
1308 | tun_local6 = &c->c1.tuntap->local_ipv6; | |
1309 | } | |
6fbf66fa JY |
1310 | management_set_state (management, |
1311 | OPENVPN_STATE_CONNECTED, | |
1312 | detail, | |
5ad84585 | 1313 | tun_local, |
2191c471 HH |
1314 | tun_local6, |
1315 | &local, | |
1316 | &remote); | |
6fbf66fa | 1317 | if (tun_local) |
2191c471 | 1318 | management_post_tunnel_open (management, *tun_local); |
6fbf66fa JY |
1319 | } |
1320 | #endif | |
6fbf66fa JY |
1321 | } |
1322 | ||
1323 | /* | |
1324 | * Possibly add routes and/or call route-up script | |
1325 | * based on options. | |
1326 | */ | |
1327 | void | |
1328 | do_route (const struct options *options, | |
1329 | struct route_list *route_list, | |
512cda46 | 1330 | struct route_ipv6_list *route_ipv6_list, |
6fbf66fa JY |
1331 | const struct tuntap *tt, |
1332 | const struct plugin_list *plugins, | |
1333 | struct env_set *es) | |
1334 | { | |
512cda46 | 1335 | if (!options->route_noexec && ( route_list || route_ipv6_list ) ) |
15be3202 | 1336 | { |
20b18fd7 | 1337 | add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es); |
7fb0e07e | 1338 | setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); |
15be3202 JY |
1339 | } |
1340 | #ifdef ENABLE_MANAGEMENT | |
1341 | if (management) | |
1342 | management_up_down (management, "UP", es); | |
1343 | #endif | |
6fbf66fa JY |
1344 | |
1345 | if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP)) | |
1346 | { | |
1876ccd0 | 1347 | if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) |
6fbf66fa JY |
1348 | msg (M_WARN, "WARNING: route-up plugin call failed"); |
1349 | } | |
1350 | ||
1351 | if (options->route_script) | |
1352 | { | |
5a2e9a25 | 1353 | struct argv argv = argv_new (); |
6fbf66fa | 1354 | setenv_str (es, "script_type", "route-up"); |
b8fb090c | 1355 | argv_printf (&argv, "%sc", options->route_script); |
c2533d18 | 1356 | openvpn_run_script (&argv, es, 0, "--route-up"); |
5a2e9a25 | 1357 | argv_reset (&argv); |
6fbf66fa JY |
1358 | } |
1359 | ||
1360 | #ifdef WIN32 | |
1361 | if (options->show_net_up) | |
1362 | { | |
1363 | show_routes (M_INFO|M_NOPREFIX); | |
1364 | show_adapters (M_INFO|M_NOPREFIX); | |
1365 | } | |
1366 | else if (check_debug_level (D_SHOW_NET)) | |
1367 | { | |
1368 | show_routes (D_SHOW_NET|M_NOPREFIX); | |
1369 | show_adapters (D_SHOW_NET|M_NOPREFIX); | |
1370 | } | |
1371 | #endif | |
1372 | } | |
1373 | ||
6fbf66fa JY |
1374 | /* |
1375 | * initialize tun/tap device object | |
1376 | */ | |
1377 | static void | |
1378 | do_init_tun (struct context *c) | |
1379 | { | |
1380 | c->c1.tuntap = init_tun (c->options.dev, | |
1381 | c->options.dev_type, | |
3c7f2f55 | 1382 | c->options.topology, |
6fbf66fa JY |
1383 | c->options.ifconfig_local, |
1384 | c->options.ifconfig_remote_netmask, | |
512cda46 | 1385 | c->options.ifconfig_ipv6_local, |
c55e9562 | 1386 | c->options.ifconfig_ipv6_netbits, |
512cda46 | 1387 | c->options.ifconfig_ipv6_remote, |
23d61c56 | 1388 | c->c1.link_socket_addr.bind_local, |
6c5db192 | 1389 | c->c1.link_socket_addr.remote_list, |
6fbf66fa JY |
1390 | !c->options.ifconfig_nowarn, |
1391 | c->c2.es); | |
1392 | ||
b52c5256 GD |
1393 | /* flag tunnel for IPv6 config if --tun-ipv6 is set */ |
1394 | c->c1.tuntap->ipv6 = c->options.tun_ipv6; | |
1395 | ||
6fbf66fa JY |
1396 | init_tun_post (c->c1.tuntap, |
1397 | &c->c2.frame, | |
1398 | &c->options.tuntap_options); | |
1399 | ||
1400 | c->c1.tuntap_owned = true; | |
1401 | } | |
1402 | ||
1403 | /* | |
1404 | * Open tun/tap device, ifconfig, call up script, etc. | |
1405 | */ | |
1406 | ||
1407 | static bool | |
1408 | do_open_tun (struct context *c) | |
1409 | { | |
1410 | struct gc_arena gc = gc_new (); | |
1411 | bool ret = false; | |
1412 | ||
1413 | c->c2.ipv4_tun = (!c->options.tun_ipv6 | |
1414 | && is_dev_type (c->options.dev, c->options.dev_type, "tun")); | |
1415 | ||
bd14d55d | 1416 | #ifndef TARGET_ANDROID |
6fbf66fa JY |
1417 | if (!c->c1.tuntap) |
1418 | { | |
bd14d55d AS |
1419 | #endif |
1420 | ||
1421 | #ifdef TARGET_ANDROID | |
1422 | /* If we emulate persist-tun on android we still have to open a new tun and | |
c058cbff | 1423 | * then close the old */ |
bd14d55d AS |
1424 | int oldtunfd=-1; |
1425 | if (c->c1.tuntap) | |
c058cbff | 1426 | oldtunfd = c->c1.tuntap->fd; |
bd14d55d AS |
1427 | #endif |
1428 | ||
6fbf66fa JY |
1429 | /* initialize (but do not open) tun/tap object */ |
1430 | do_init_tun (c); | |
1431 | ||
1432 | /* allocate route list structure */ | |
1433 | do_alloc_route_list (c); | |
1434 | ||
1435 | /* parse and resolve the route option list */ | |
3c7f2f55 | 1436 | if (c->options.routes && c->c1.route_list && c->c2.link_socket) |
6fbf66fa | 1437 | do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es); |
512cda46 | 1438 | if (c->options.routes_ipv6 && c->c1.route_ipv6_list ) |
3ddb5643 | 1439 | do_init_route_ipv6_list (&c->options, c->c1.route_ipv6_list, &c->c2.link_socket->info, false, c->c2.es); |
6fbf66fa JY |
1440 | |
1441 | /* do ifconfig */ | |
1442 | if (!c->options.ifconfig_noexec | |
1443 | && ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN) | |
1444 | { | |
1445 | /* guess actual tun/tap unit number that will be returned | |
1446 | by open_tun */ | |
1447 | const char *guess = guess_tuntap_dev (c->options.dev, | |
1448 | c->options.dev_type, | |
1449 | c->options.dev_node, | |
1450 | &gc); | |
1451 | do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); | |
1452 | } | |
1453 | ||
94e6a2da AS |
1454 | /* possibly add routes */ |
1455 | if (route_order() == ROUTE_BEFORE_TUN) { | |
1456 | /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */ | |
1457 | do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, | |
1458 | c->c1.tuntap, c->plugins, c->c2.es); | |
1459 | } | |
c058cbff AS |
1460 | #ifdef TARGET_ANDROID |
1461 | /* Store the old fd inside the fd so open_tun can use it */ | |
1462 | c->c1.tuntap->fd = oldtunfd; | |
1463 | #endif | |
6fbf66fa JY |
1464 | /* open the tun device */ |
1465 | open_tun (c->options.dev, c->options.dev_type, c->options.dev_node, | |
b52c5256 | 1466 | c->c1.tuntap); |
c058cbff | 1467 | |
e12fe286 JY |
1468 | /* set the hardware address */ |
1469 | if (c->options.lladdr) | |
1470 | set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es); | |
1471 | ||
6fbf66fa JY |
1472 | /* do ifconfig */ |
1473 | if (!c->options.ifconfig_noexec | |
1474 | && ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN) | |
1475 | { | |
1476 | do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es); | |
1477 | } | |
1478 | ||
1479 | /* run the up script */ | |
1480 | run_up_down (c->options.up_script, | |
3c7f2f55 | 1481 | c->plugins, |
6fbf66fa JY |
1482 | OPENVPN_PLUGIN_UP, |
1483 | c->c1.tuntap->actual_name, | |
a0a547a7 | 1484 | dev_type_string (c->options.dev, c->options.dev_type), |
6fbf66fa JY |
1485 | TUN_MTU_SIZE (&c->c2.frame), |
1486 | EXPANDED_SIZE (&c->c2.frame), | |
1487 | print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
1488 | print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1489 | "init", | |
1490 | NULL, | |
1491 | "up", | |
1492 | c->c2.es); | |
1493 | ||
1494 | /* possibly add routes */ | |
94e6a2da | 1495 | if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined)) |
512cda46 GD |
1496 | do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list, |
1497 | c->c1.tuntap, c->plugins, c->c2.es); | |
6fbf66fa JY |
1498 | |
1499 | /* | |
1500 | * Did tun/tap driver give us an MTU? | |
1501 | */ | |
1502 | if (c->c1.tuntap->post_open_mtu) | |
1503 | frame_set_mtu_dynamic (&c->c2.frame, | |
1504 | c->c1.tuntap->post_open_mtu, | |
1505 | SET_MTU_TUN | SET_MTU_UPPER_BOUND); | |
1506 | ||
1507 | ret = true; | |
0c9eb1d3 | 1508 | static_context = c; |
bd14d55d | 1509 | #ifndef TARGET_ANDROID |
6fbf66fa JY |
1510 | } |
1511 | else | |
1512 | { | |
1513 | msg (M_INFO, "Preserving previous TUN/TAP instance: %s", | |
1514 | c->c1.tuntap->actual_name); | |
1515 | ||
db950be8 JJK |
1516 | /* explicitly set the ifconfig_* env vars */ |
1517 | do_ifconfig_setenv(c->c1.tuntap, c->c2.es); | |
1518 | ||
6fbf66fa JY |
1519 | /* run the up script if user specified --up-restart */ |
1520 | if (c->options.up_restart) | |
1521 | run_up_down (c->options.up_script, | |
3c7f2f55 | 1522 | c->plugins, |
6fbf66fa JY |
1523 | OPENVPN_PLUGIN_UP, |
1524 | c->c1.tuntap->actual_name, | |
a0a547a7 | 1525 | dev_type_string (c->options.dev, c->options.dev_type), |
6fbf66fa JY |
1526 | TUN_MTU_SIZE (&c->c2.frame), |
1527 | EXPANDED_SIZE (&c->c2.frame), | |
1528 | print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
1529 | print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1530 | "restart", | |
1531 | NULL, | |
1532 | "up", | |
1533 | c->c2.es); | |
1534 | } | |
bd14d55d | 1535 | #endif |
6fbf66fa JY |
1536 | gc_free (&gc); |
1537 | return ret; | |
1538 | } | |
1539 | ||
1540 | /* | |
1541 | * Close TUN/TAP device | |
1542 | */ | |
1543 | ||
1544 | static void | |
1545 | do_close_tun_simple (struct context *c) | |
1546 | { | |
1547 | msg (D_CLOSE, "Closing TUN/TAP interface"); | |
1548 | close_tun (c->c1.tuntap); | |
1549 | c->c1.tuntap = NULL; | |
1550 | c->c1.tuntap_owned = false; | |
1551 | #if P2MP | |
827de237 | 1552 | CLEAR (c->c1.pulled_options_digest_save); |
6fbf66fa JY |
1553 | #endif |
1554 | } | |
1555 | ||
1556 | static void | |
1557 | do_close_tun (struct context *c, bool force) | |
1558 | { | |
1559 | struct gc_arena gc = gc_new (); | |
1560 | if (c->c1.tuntap && c->c1.tuntap_owned) | |
1561 | { | |
1562 | const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc); | |
1563 | const in_addr_t local = c->c1.tuntap->local; | |
1564 | const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; | |
1565 | ||
1566 | if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) | |
1567 | { | |
0c9eb1d3 JY |
1568 | static_context = NULL; |
1569 | ||
6fbf66fa JY |
1570 | #ifdef ENABLE_MANAGEMENT |
1571 | /* tell management layer we are about to close the TUN/TAP device */ | |
1572 | if (management) | |
15be3202 JY |
1573 | { |
1574 | management_pre_tunnel_close (management); | |
1575 | management_up_down (management, "DOWN", c->c2.es); | |
1576 | } | |
6fbf66fa JY |
1577 | #endif |
1578 | ||
1579 | /* delete any routes we added */ | |
512cda46 | 1580 | if (c->c1.route_list || c->c1.route_ipv6_list ) |
23d61c56 | 1581 | { |
415421c2 DS |
1582 | run_up_down (c->options.route_predown_script, |
1583 | c->plugins, | |
1584 | OPENVPN_PLUGIN_ROUTE_PREDOWN, | |
1585 | tuntap_actual, | |
1586 | NULL, | |
1587 | TUN_MTU_SIZE (&c->c2.frame), | |
1588 | EXPANDED_SIZE (&c->c2.frame), | |
1589 | print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), | |
1590 | print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1591 | "init", | |
1592 | signal_description (c->sig->signal_received, | |
1593 | c->sig->signal_text), | |
1594 | "route-pre-down", | |
1595 | c->c2.es); | |
1596 | ||
1597 | delete_routes (c->c1.route_list, c->c1.route_ipv6_list, | |
1598 | c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); | |
1599 | } | |
6fbf66fa JY |
1600 | |
1601 | /* actually close tun/tap device based on --down-pre flag */ | |
1602 | if (!c->options.down_pre) | |
1603 | do_close_tun_simple (c); | |
1604 | ||
1605 | /* Run the down script -- note that it will run at reduced | |
1606 | privilege if, for example, "--user nobody" was used. */ | |
1607 | run_up_down (c->options.down_script, | |
3c7f2f55 | 1608 | c->plugins, |
6fbf66fa JY |
1609 | OPENVPN_PLUGIN_DOWN, |
1610 | tuntap_actual, | |
a0a547a7 | 1611 | NULL, |
6fbf66fa JY |
1612 | TUN_MTU_SIZE (&c->c2.frame), |
1613 | EXPANDED_SIZE (&c->c2.frame), | |
1614 | print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), | |
1615 | print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1616 | "init", | |
1617 | signal_description (c->sig->signal_received, | |
1618 | c->sig->signal_text), | |
1619 | "down", | |
1620 | c->c2.es); | |
1621 | ||
1622 | /* actually close tun/tap device based on --down-pre flag */ | |
1623 | if (c->options.down_pre) | |
1624 | do_close_tun_simple (c); | |
1625 | } | |
1626 | else | |
1627 | { | |
1628 | /* run the down script on this restart if --up-restart was specified */ | |
1629 | if (c->options.up_restart) | |
1630 | run_up_down (c->options.down_script, | |
3c7f2f55 | 1631 | c->plugins, |
6fbf66fa JY |
1632 | OPENVPN_PLUGIN_DOWN, |
1633 | tuntap_actual, | |
a0a547a7 | 1634 | NULL, |
6fbf66fa JY |
1635 | TUN_MTU_SIZE (&c->c2.frame), |
1636 | EXPANDED_SIZE (&c->c2.frame), | |
1637 | print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), | |
1638 | print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1639 | "restart", | |
1640 | signal_description (c->sig->signal_received, | |
1641 | c->sig->signal_text), | |
1642 | "down", | |
1643 | c->c2.es); | |
1644 | } | |
1645 | } | |
1646 | gc_free (&gc); | |
1647 | } | |
1648 | ||
0c9eb1d3 JY |
1649 | void |
1650 | tun_abort() | |
1651 | { | |
1652 | struct context *c = static_context; | |
1653 | if (c) | |
1654 | { | |
1655 | static_context = NULL; | |
1656 | do_close_tun (c, true); | |
1657 | } | |
1658 | } | |
1659 | ||
6fbf66fa JY |
1660 | /* |
1661 | * Handle delayed tun/tap interface bringup due to --up-delay or --pull | |
1662 | */ | |
1663 | ||
827de237 SK |
1664 | #if P2MP |
1665 | /** | |
1666 | * Helper for do_up(). Take two option hashes and return true if they are not | |
1667 | * equal, or either one is all-zeroes. | |
1668 | */ | |
1669 | static bool | |
2dd6501e SK |
1670 | options_hash_changed_or_zero(const struct md5_digest *a, |
1671 | const struct md5_digest *b) | |
827de237 | 1672 | { |
2dd6501e SK |
1673 | const struct md5_digest zero = {{0}}; |
1674 | return memcmp (a, b, sizeof(struct md5_digest)) || | |
1675 | memcmp (a, &zero, sizeof(struct md5_digest)); | |
827de237 SK |
1676 | } |
1677 | #endif /* P2MP */ | |
1678 | ||
6fbf66fa JY |
1679 | void |
1680 | do_up (struct context *c, bool pulled_options, unsigned int option_types_found) | |
1681 | { | |
1682 | if (!c->c2.do_up_ran) | |
1683 | { | |
1684 | reset_coarse_timers (c); | |
1685 | ||
1686 | if (pulled_options && option_types_found) | |
1687 | do_deferred_options (c, option_types_found); | |
1688 | ||
1689 | /* if --up-delay specified, open tun, do ifconfig, and run up script now */ | |
1690 | if (c->options.up_delay || PULL_DEFINED (&c->options)) | |
1691 | { | |
1692 | c->c2.did_open_tun = do_open_tun (c); | |
1693 | update_time (); | |
1694 | ||
1695 | #if P2MP | |
1696 | /* | |
1697 | * Was tun interface object persisted from previous restart iteration, | |
1698 | * and if so did pulled options string change from previous iteration? | |
1699 | */ | |
1700 | if (!c->c2.did_open_tun | |
1701 | && PULL_DEFINED (&c->options) | |
1702 | && c->c1.tuntap | |
827de237 SK |
1703 | && options_hash_changed_or_zero (&c->c1.pulled_options_digest_save, |
1704 | &c->c2.pulled_options_digest)) | |
6fbf66fa JY |
1705 | { |
1706 | /* if so, close tun, delete routes, then reinitialize tun and add routes */ | |
1707 | msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); | |
1708 | do_close_tun (c, true); | |
1709 | openvpn_sleep (1); | |
1710 | c->c2.did_open_tun = do_open_tun (c); | |
1711 | update_time (); | |
1712 | } | |
1713 | #endif | |
1714 | } | |
1715 | ||
1716 | if (c->c2.did_open_tun) | |
1717 | { | |
1718 | #if P2MP | |
2dd6501e | 1719 | c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; |
6fbf66fa JY |
1720 | #endif |
1721 | ||
1722 | /* if --route-delay was specified, start timer */ | |
94e6a2da | 1723 | if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined) |
6fbf66fa JY |
1724 | { |
1725 | event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now); | |
1726 | event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); | |
c67d59cd JY |
1727 | if (c->c1.tuntap) |
1728 | tun_standby_init (c->c1.tuntap); | |
6fbf66fa JY |
1729 | } |
1730 | else | |
1731 | { | |
1732 | initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */ | |
1733 | } | |
1734 | } | |
1735 | else if (c->options.mode == MODE_POINT_TO_POINT) | |
1736 | { | |
1737 | initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */ | |
1738 | } | |
1739 | ||
1740 | c->c2.do_up_ran = true; | |
1741 | } | |
1742 | } | |
1743 | ||
1744 | /* | |
1745 | * These are the option categories which will be accepted by pull. | |
1746 | */ | |
1747 | unsigned int | |
3c7f2f55 | 1748 | pull_permission_mask (const struct context *c) |
6fbf66fa | 1749 | { |
3c7f2f55 JY |
1750 | unsigned int flags = |
1751 | OPT_P_UP | |
1752 | | OPT_P_ROUTE_EXTRAS | |
00d39170 JY |
1753 | | OPT_P_SOCKBUF |
1754 | | OPT_P_SOCKFLAGS | |
3c7f2f55 JY |
1755 | | OPT_P_SETENV |
1756 | | OPT_P_SHAPER | |
1757 | | OPT_P_TIMER | |
537073fd | 1758 | | OPT_P_COMP |
3c7f2f55 JY |
1759 | | OPT_P_PERSIST |
1760 | | OPT_P_MESSAGES | |
1761 | | OPT_P_EXPLICIT_NOTIFY | |
1762 | | OPT_P_ECHO | |
65eedc35 LS |
1763 | | OPT_P_PULL_MODE |
1764 | | OPT_P_PEER_ID; | |
3c7f2f55 JY |
1765 | |
1766 | if (!c->options.route_nopull) | |
15be3202 | 1767 | flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); |
3c7f2f55 JY |
1768 | |
1769 | return flags; | |
6fbf66fa JY |
1770 | } |
1771 | ||
1772 | /* | |
1773 | * Handle non-tun-related pulled options. | |
1774 | */ | |
1775 | void | |
1776 | do_deferred_options (struct context *c, const unsigned int found) | |
1777 | { | |
1778 | if (found & OPT_P_MESSAGES) | |
1779 | { | |
1780 | init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2); | |
1781 | msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); | |
1782 | } | |
1783 | if (found & OPT_P_TIMER) | |
1784 | { | |
1785 | do_init_timers (c, true); | |
1786 | msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); | |
1787 | } | |
1788 | ||
1789 | #ifdef ENABLE_OCC | |
1790 | if (found & OPT_P_EXPLICIT_NOTIFY) | |
1791 | { | |
76809cae | 1792 | if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) |
6fbf66fa JY |
1793 | { |
1794 | msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); | |
76809cae | 1795 | c->options.ce.explicit_exit_notification = 0; |
6fbf66fa JY |
1796 | } |
1797 | else | |
1798 | msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); | |
1799 | } | |
1800 | #endif | |
1801 | ||
38d96bd7 | 1802 | #ifdef USE_COMP |
537073fd JY |
1803 | if (found & OPT_P_COMP) |
1804 | { | |
38d96bd7 JY |
1805 | msg (D_PUSH, "OPTIONS IMPORT: compression parms modified"); |
1806 | comp_uninit (c->c2.comp_context); | |
1807 | c->c2.comp_context = comp_init (&c->options.comp); | |
537073fd JY |
1808 | } |
1809 | #endif | |
1810 | ||
6fbf66fa JY |
1811 | if (found & OPT_P_SHAPER) |
1812 | { | |
1813 | msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); | |
1814 | do_init_traffic_shaper (c); | |
1815 | } | |
1816 | ||
00d39170 JY |
1817 | if (found & OPT_P_SOCKBUF) |
1818 | { | |
1819 | msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); | |
1820 | link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); | |
1821 | } | |
1822 | ||
1823 | if (found & OPT_P_SOCKFLAGS) | |
1824 | { | |
1825 | msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); | |
1826 | link_socket_update_flags (c->c2.link_socket, c->options.sockflags); | |
1827 | } | |
1828 | ||
6fbf66fa JY |
1829 | if (found & OPT_P_PERSIST) |
1830 | msg (D_PUSH, "OPTIONS IMPORT: --persist options modified"); | |
1831 | if (found & OPT_P_UP) | |
1832 | msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); | |
1833 | if (found & OPT_P_ROUTE) | |
1834 | msg (D_PUSH, "OPTIONS IMPORT: route options modified"); | |
3c7f2f55 JY |
1835 | if (found & OPT_P_ROUTE_EXTRAS) |
1836 | msg (D_PUSH, "OPTIONS IMPORT: route-related options modified"); | |
6fbf66fa JY |
1837 | if (found & OPT_P_IPWIN32) |
1838 | msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); | |
1839 | if (found & OPT_P_SETENV) | |
1840 | msg (D_PUSH, "OPTIONS IMPORT: environment modified"); | |
65eedc35 | 1841 | |
ec828db6 | 1842 | #ifdef ENABLE_CRYPTO |
65eedc35 LS |
1843 | if (found & OPT_P_PEER_ID) |
1844 | { | |
1845 | msg (D_PUSH, "OPTIONS IMPORT: peer-id set"); | |
1846 | c->c2.tls_multi->use_peer_id = true; | |
1847 | c->c2.tls_multi->peer_id = c->options.peer_id; | |
9e0963c1 GD |
1848 | frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */ |
1849 | if ( !c->options.ce.link_mtu_defined ) | |
1850 | { | |
1851 | frame_add_to_link_mtu(&c->c2.frame, +3); | |
1852 | msg (D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", | |
1853 | EXPANDED_SIZE(&c->c2.frame)); | |
1854 | } | |
1855 | else | |
1856 | { | |
1857 | msg (M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" | |
1858 | " fixed by config - reducing tun-mtu to %d, expect" | |
1859 | " MTU problems", TUN_MTU_SIZE(&c->c2.frame) ); | |
1860 | } | |
65eedc35 LS |
1861 | } |
1862 | #endif | |
6fbf66fa JY |
1863 | } |
1864 | ||
1865 | /* | |
1866 | * Possible hold on initialization | |
1867 | */ | |
1868 | static bool | |
da9b2927 | 1869 | do_hold (void) |
6fbf66fa JY |
1870 | { |
1871 | #ifdef ENABLE_MANAGEMENT | |
1872 | if (management) | |
1873 | { | |
6fbf66fa JY |
1874 | /* block until management hold is released */ |
1875 | if (management_hold (management)) | |
1876 | return true; | |
1877 | } | |
1878 | #endif | |
1879 | return false; | |
1880 | } | |
1881 | ||
1882 | /* | |
1883 | * Sleep before restart. | |
1884 | */ | |
1885 | static void | |
1886 | socket_restart_pause (struct context *c) | |
1887 | { | |
6fbf66fa JY |
1888 | int sec = 2; |
1889 | ||
4e9a51d7 | 1890 | switch (c->options.ce.proto) |
6fbf66fa | 1891 | { |
30077d1f | 1892 | case PROTO_TCP_SERVER: |
6fbf66fa JY |
1893 | sec = 1; |
1894 | break; | |
23d61c56 | 1895 | case PROTO_UDP: |
30077d1f | 1896 | case PROTO_TCP_CLIENT: |
4e9a51d7 | 1897 | sec = c->options.ce.connect_retry_seconds; |
6fbf66fa JY |
1898 | break; |
1899 | } | |
1900 | ||
1901 | #ifdef ENABLE_DEBUG | |
1902 | if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin)) | |
1903 | sec = 0; | |
1904 | #endif | |
1905 | ||
1906 | #if P2MP | |
1907 | if (auth_retry_get () == AR_NOINTERACT) | |
1908 | sec = 10; | |
e1e977f3 | 1909 | |
7966d75a | 1910 | #if 0 /* not really needed because of c->persist.restart_sleep_seconds */ |
e1e977f3 JY |
1911 | if (c->options.server_poll_timeout && sec > 1) |
1912 | sec = 1; | |
7966d75a | 1913 | #endif |
6fbf66fa JY |
1914 | #endif |
1915 | ||
a9c802b2 JY |
1916 | if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) |
1917 | sec = c->persist.restart_sleep_seconds; | |
e1e977f3 JY |
1918 | else if (c->persist.restart_sleep_seconds == -1) |
1919 | sec = 0; | |
a9c802b2 JY |
1920 | c->persist.restart_sleep_seconds = 0; |
1921 | ||
2c21891e | 1922 | /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ |
da9b2927 | 1923 | if (do_hold ()) |
6fbf66fa JY |
1924 | sec = 0; |
1925 | ||
1926 | if (sec) | |
1927 | { | |
1928 | msg (D_RESTART, "Restart pause, %d second(s)", sec); | |
1929 | openvpn_sleep (sec); | |
1930 | } | |
1931 | } | |
1932 | ||
1933 | /* | |
1934 | * Do a possible pause on context_2 initialization. | |
1935 | */ | |
1936 | static void | |
1937 | do_startup_pause (struct context *c) | |
1938 | { | |
1939 | if (!c->first_time) | |
1940 | socket_restart_pause (c); | |
1941 | else | |
da9b2927 | 1942 | do_hold (); /* do management hold on first context initialization */ |
6fbf66fa JY |
1943 | } |
1944 | ||
1945 | /* | |
1946 | * Finalize MTU parameters based on command line or config file options. | |
1947 | */ | |
1948 | static void | |
1949 | frame_finalize_options (struct context *c, const struct options *o) | |
1950 | { | |
1951 | if (!o) | |
1952 | o = &c->options; | |
1953 | ||
1954 | /* | |
1955 | * Set adjustment factor for buffer alignment when no | |
1956 | * cipher is used. | |
1957 | */ | |
1958 | if (!CIPHER_ENABLED (c)) | |
1959 | { | |
1960 | frame_align_to_extra_frame (&c->c2.frame); | |
1961 | frame_or_align_flags (&c->c2.frame, | |
1962 | FRAME_HEADROOM_MARKER_FRAGMENT | |
1963 | |FRAME_HEADROOM_MARKER_READ_LINK | |
1964 | |FRAME_HEADROOM_MARKER_READ_STREAM); | |
1965 | } | |
1966 | ||
1967 | frame_finalize (&c->c2.frame, | |
76809cae JJK |
1968 | o->ce.link_mtu_defined, |
1969 | o->ce.link_mtu, | |
1970 | o->ce.tun_mtu_defined, | |
1971 | o->ce.tun_mtu); | |
6fbf66fa JY |
1972 | } |
1973 | ||
1974 | /* | |
1975 | * Free a key schedule, including OpenSSL components. | |
1976 | */ | |
1977 | static void | |
1978 | key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx) | |
1979 | { | |
9b33b5a4 | 1980 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 1981 | free_key_ctx_bi (&ks->static_key); |
62451786 | 1982 | if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) |
6fbf66fa | 1983 | { |
62451786 | 1984 | tls_ctx_free (&ks->ssl_ctx); |
6fbf66fa JY |
1985 | free_key_ctx_bi (&ks->tls_auth_key); |
1986 | } | |
9b33b5a4 | 1987 | #endif /* ENABLE_CRYPTO */ |
6fbf66fa JY |
1988 | CLEAR (*ks); |
1989 | } | |
1990 | ||
9b33b5a4 | 1991 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
1992 | |
1993 | static void | |
1994 | init_crypto_pre (struct context *c, const unsigned int flags) | |
1995 | { | |
1996 | if (c->options.engine) | |
b01cb9ef | 1997 | crypto_init_lib_engine (c->options.engine); |
6fbf66fa JY |
1998 | |
1999 | if (flags & CF_LOAD_PERSISTED_PACKET_ID) | |
2000 | { | |
2001 | /* load a persisted packet-id for cross-session replay-protection */ | |
2002 | if (c->options.packet_id_file) | |
2003 | packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file); | |
2004 | } | |
2005 | ||
2006 | /* Initialize crypto options */ | |
2007 | ||
2008 | if (c->options.use_iv) | |
2009 | c->c2.crypto_options.flags |= CO_USE_IV; | |
2010 | ||
2011 | if (c->options.mute_replay_warnings) | |
2012 | c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; | |
0f25d296 AJ |
2013 | |
2014 | #ifdef ENABLE_PREDICTION_RESISTANCE | |
2015 | if (c->options.use_prediction_resistance) | |
2016 | rand_ctx_enable_prediction_resistance(); | |
2017 | #endif | |
2018 | ||
6fbf66fa JY |
2019 | } |
2020 | ||
2021 | /* | |
2022 | * Static Key Mode (using a pre-shared key) | |
2023 | */ | |
2024 | static void | |
2025 | do_init_crypto_static (struct context *c, const unsigned int flags) | |
2026 | { | |
2027 | const struct options *options = &c->options; | |
2028 | ASSERT (options->shared_secret_file); | |
2029 | ||
2030 | init_crypto_pre (c, flags); | |
2031 | ||
2032 | /* Initialize packet ID tracking */ | |
2033 | if (options->replay) | |
2034 | { | |
4d453a17 JY |
2035 | packet_id_init (&c->c2.packet_id, |
2036 | link_socket_proto_connection_oriented (options->ce.proto), | |
2037 | options->replay_window, | |
2038 | options->replay_time, | |
2039 | "STATIC", 0); | |
6fbf66fa JY |
2040 | c->c2.crypto_options.packet_id = &c->c2.packet_id; |
2041 | c->c2.crypto_options.pid_persist = &c->c1.pid_persist; | |
2042 | c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; | |
2043 | packet_id_persist_load_obj (&c->c1.pid_persist, | |
2044 | c->c2.crypto_options.packet_id); | |
2045 | } | |
2046 | ||
2047 | if (!key_ctx_bi_defined (&c->c1.ks.static_key)) | |
2048 | { | |
2049 | struct key2 key2; | |
2050 | struct key_direction_state kds; | |
2051 | ||
2052 | /* Get cipher & hash algorithms */ | |
2053 | init_key_type (&c->c1.ks.key_type, options->ciphername, | |
2054 | options->ciphername_defined, options->authname, | |
2055 | options->authname_defined, options->keysize, | |
2056 | options->test_crypto, true); | |
2057 | ||
2058 | /* Read cipher and hmac keys from shared secret file */ | |
c959fc74 JY |
2059 | { |
2060 | unsigned int rkf_flags = RKF_MUST_SUCCEED; | |
2061 | const char *rkf_file = options->shared_secret_file; | |
2062 | ||
c959fc74 JY |
2063 | if (options->shared_secret_file_inline) |
2064 | { | |
2065 | rkf_file = options->shared_secret_file_inline; | |
2066 | rkf_flags |= RKF_INLINE; | |
2067 | } | |
c959fc74 JY |
2068 | read_key_file (&key2, rkf_file, rkf_flags); |
2069 | } | |
6fbf66fa JY |
2070 | |
2071 | /* Check for and fix highly unlikely key problems */ | |
2072 | verify_fix_key2 (&key2, &c->c1.ks.key_type, | |
2073 | options->shared_secret_file); | |
2074 | ||
2075 | /* Initialize OpenSSL key objects */ | |
2076 | key_direction_state_init (&kds, options->key_direction); | |
2077 | must_have_n_keys (options->shared_secret_file, "secret", &key2, | |
2078 | kds.need_keys); | |
2079 | init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key], | |
b5738e5b | 2080 | &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt"); |
6fbf66fa | 2081 | init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key], |
b5738e5b | 2082 | &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt"); |
6fbf66fa JY |
2083 | |
2084 | /* Erase the temporary copy of key */ | |
2085 | CLEAR (key2); | |
2086 | } | |
2087 | else | |
2088 | { | |
2089 | msg (M_INFO, "Re-using pre-shared static key"); | |
2090 | } | |
2091 | ||
2092 | /* Get key schedule */ | |
2093 | c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; | |
2094 | ||
2095 | /* Compute MTU parameters */ | |
2096 | crypto_adjust_frame_parameters (&c->c2.frame, | |
2097 | &c->c1.ks.key_type, | |
2098 | options->ciphername_defined, | |
2099 | options->use_iv, options->replay, true); | |
2100 | ||
2101 | /* Sanity check on IV, sequence number, and cipher mode options */ | |
2102 | check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, | |
2103 | options->use_iv); | |
2104 | } | |
2105 | ||
6fbf66fa JY |
2106 | /* |
2107 | * Initialize the persistent component of OpenVPN's TLS mode, | |
2108 | * which is preserved across SIGUSR1 resets. | |
2109 | */ | |
2110 | static void | |
2111 | do_init_crypto_tls_c1 (struct context *c) | |
2112 | { | |
2113 | const struct options *options = &c->options; | |
2114 | ||
62451786 | 2115 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) |
6fbf66fa JY |
2116 | { |
2117 | /* | |
2118 | * Initialize the OpenSSL library's global | |
2119 | * SSL context. | |
2120 | */ | |
62451786 AJ |
2121 | init_ssl (options, &(c->c1.ks.ssl_ctx)); |
2122 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) | |
6fbf66fa JY |
2123 | { |
2124 | #if P2MP | |
2125 | switch (auth_retry_get ()) | |
2126 | { | |
2127 | case AR_NONE: | |
2128 | msg (M_FATAL, "Error: private key password verification failed"); | |
2129 | break; | |
2130 | case AR_INTERACT: | |
0db046f2 | 2131 | ssl_purge_auth (false); |
6fbf66fa JY |
2132 | case AR_NOINTERACT: |
2133 | c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ | |
2134 | break; | |
2135 | default: | |
2136 | ASSERT (0); | |
2137 | } | |
2138 | c->sig->signal_text = "private-key-password-failure"; | |
2139 | return; | |
2140 | #else | |
2141 | msg (M_FATAL, "Error: private key password verification failed"); | |
2142 | #endif | |
2143 | } | |
2144 | ||
2145 | /* Get cipher & hash algorithms */ | |
2146 | init_key_type (&c->c1.ks.key_type, options->ciphername, | |
2147 | options->ciphername_defined, options->authname, | |
2148 | options->authname_defined, options->keysize, true, true); | |
2149 | ||
03bfb228 JY |
2150 | /* Initialize PRNG with config-specified digest */ |
2151 | prng_init (options->prng_hash, options->prng_nonce_secret_len); | |
2152 | ||
6fbf66fa JY |
2153 | /* TLS handshake authentication (--tls-auth) */ |
2154 | if (options->tls_auth_file) | |
c959fc74 | 2155 | { |
e5d281cf | 2156 | unsigned int flags = 0; |
c959fc74 JY |
2157 | const char *file = options->tls_auth_file; |
2158 | ||
c959fc74 JY |
2159 | if (options->tls_auth_file_inline) |
2160 | { | |
2161 | flags |= GHK_INLINE; | |
2162 | file = options->tls_auth_file_inline; | |
2163 | } | |
c959fc74 JY |
2164 | get_tls_handshake_key (&c->c1.ks.key_type, |
2165 | &c->c1.ks.tls_auth_key, | |
2166 | file, | |
e5d281cf | 2167 | options->key_direction, |
c959fc74 JY |
2168 | flags); |
2169 | } | |
d40f2b20 | 2170 | |
1f4309ae | 2171 | #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ |
d40f2b20 JY |
2172 | if (options->priv_key_file_inline) |
2173 | { | |
2174 | string_clear (c->options.priv_key_file_inline); | |
2175 | c->options.priv_key_file_inline = NULL; | |
2176 | } | |
2177 | #endif | |
6fbf66fa JY |
2178 | } |
2179 | else | |
2180 | { | |
9df9e13f | 2181 | msg (D_INIT_MEDIUM, "Re-using SSL/TLS context"); |
6fbf66fa JY |
2182 | } |
2183 | } | |
2184 | ||
2185 | static void | |
2186 | do_init_crypto_tls (struct context *c, const unsigned int flags) | |
2187 | { | |
2188 | const struct options *options = &c->options; | |
2189 | struct tls_options to; | |
2190 | bool packet_id_long_form; | |
2191 | ||
2192 | ASSERT (options->tls_server || options->tls_client); | |
2193 | ASSERT (!options->test_crypto); | |
2194 | ||
2195 | init_crypto_pre (c, flags); | |
2196 | ||
2197 | /* Make sure we are either a TLS client or server but not both */ | |
2198 | ASSERT (options->tls_server == !options->tls_client); | |
2199 | ||
2200 | /* initialize persistent component */ | |
2201 | do_init_crypto_tls_c1 (c); | |
2202 | if (IS_SIG (c)) | |
2203 | return; | |
2204 | ||
2205 | /* Sanity check on IV, sequence number, and cipher mode options */ | |
2206 | check_replay_iv_consistency (&c->c1.ks.key_type, options->replay, | |
2207 | options->use_iv); | |
2208 | ||
2209 | /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ | |
a4b27b64 | 2210 | packet_id_long_form = cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher); |
6fbf66fa JY |
2211 | |
2212 | /* Compute MTU parameters */ | |
2213 | crypto_adjust_frame_parameters (&c->c2.frame, | |
2214 | &c->c1.ks.key_type, | |
2215 | options->ciphername_defined, | |
2216 | options->use_iv, | |
2217 | options->replay, packet_id_long_form); | |
2218 | tls_adjust_frame_parameters (&c->c2.frame); | |
2219 | ||
2220 | /* Set all command-line TLS-related options */ | |
2221 | CLEAR (to); | |
2222 | ||
2223 | to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM); | |
2224 | if (packet_id_long_form) | |
2225 | to.crypto_flags_or = CO_PACKET_ID_LONG_FORM; | |
2226 | ||
67d8a0d4 | 2227 | to.ssl_ctx = c->c1.ks.ssl_ctx; |
6fbf66fa JY |
2228 | to.key_type = c->c1.ks.key_type; |
2229 | to.server = options->tls_server; | |
2230 | to.key_method = options->key_method; | |
2231 | to.replay = options->replay; | |
2232 | to.replay_window = options->replay_window; | |
2233 | to.replay_time = options->replay_time; | |
4d453a17 | 2234 | to.tcp_mode = link_socket_proto_connection_oriented (options->ce.proto); |
6fbf66fa JY |
2235 | to.transition_window = options->transition_window; |
2236 | to.handshake_window = options->handshake_window; | |
2237 | to.packet_timeout = options->tls_timeout; | |
2238 | to.renegotiate_bytes = options->renegotiate_bytes; | |
2239 | to.renegotiate_packets = options->renegotiate_packets; | |
2240 | to.renegotiate_seconds = options->renegotiate_seconds; | |
2241 | to.single_session = options->single_session; | |
aaf72974 | 2242 | #ifdef ENABLE_PUSH_PEER_INFO |
598e03f0 JY |
2243 | if (options->push_peer_info) /* all there is */ |
2244 | to.push_peer_info_detail = 2; | |
2245 | else if (options->pull) /* pull clients send some details */ | |
2246 | to.push_peer_info_detail = 1; | |
2247 | else /* default: no peer-info at all */ | |
2248 | to.push_peer_info_detail = 0; | |
aaf72974 | 2249 | #endif |
6fbf66fa | 2250 | |
6add6b2f JY |
2251 | /* should we not xmit any packets until we get an initial |
2252 | response from client? */ | |
30077d1f | 2253 | if (to.server && options->ce.proto == PROTO_TCP_SERVER) |
6add6b2f JY |
2254 | to.xmit_hold = true; |
2255 | ||
6fbf66fa JY |
2256 | #ifdef ENABLE_OCC |
2257 | to.disable_occ = !options->occ; | |
2258 | #endif | |
2259 | ||
2260 | to.verify_command = options->tls_verify; | |
39238d1b | 2261 | to.verify_export_cert = options->tls_export_cert; |
9f0fc745 HH |
2262 | to.verify_x509_type = (options->verify_x509_type & 0xff); |
2263 | to.verify_x509_name = options->verify_x509_name; | |
6fbf66fa | 2264 | to.crl_file = options->crl_file; |
e4359af4 | 2265 | to.ssl_flags = options->ssl_flags; |
6fbf66fa | 2266 | to.ns_cert_type = options->ns_cert_type; |
411e89ae JY |
2267 | memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku)); |
2268 | to.remote_cert_eku = options->remote_cert_eku; | |
7966d75a | 2269 | to.verify_hash = options->verify_hash; |
19dd3ef1 AJ |
2270 | #ifdef ENABLE_X509ALTUSERNAME |
2271 | to.x509_username_field = (char *) options->x509_username_field; | |
2272 | #else | |
2273 | to.x509_username_field = X509_USERNAME_FIELD_DEFAULT; | |
2274 | #endif | |
6fbf66fa JY |
2275 | to.es = c->c2.es; |
2276 | ||
2277 | #ifdef ENABLE_DEBUG | |
2278 | to.gremlin = c->options.gremlin; | |
2279 | #endif | |
2280 | ||
3c7f2f55 | 2281 | to.plugins = c->plugins; |
6fbf66fa | 2282 | |
90efcacb JY |
2283 | #ifdef MANAGEMENT_DEF_AUTH |
2284 | to.mda_context = &c->c2.mda_context; | |
2285 | #endif | |
2286 | ||
6fbf66fa JY |
2287 | #if P2MP_SERVER |
2288 | to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; | |
2289 | to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; | |
2290 | to.tmp_dir = options->tmp_dir; | |
6fbf66fa JY |
2291 | if (options->ccd_exclusive) |
2292 | to.client_config_dir_exclusive = options->client_config_dir; | |
ac1cb5bf | 2293 | to.auth_user_pass_file = options->auth_user_pass_file; |
6fbf66fa JY |
2294 | #endif |
2295 | ||
9356bae8 JY |
2296 | #ifdef ENABLE_X509_TRACK |
2297 | to.x509_track = options->x509_track; | |
2298 | #endif | |
2299 | ||
16d909e2 | 2300 | #if P2MP |
eab3e22f JY |
2301 | #ifdef ENABLE_CLIENT_CR |
2302 | to.sci = &options->sc_info; | |
16d909e2 | 2303 | #endif |
eab3e22f JY |
2304 | #endif |
2305 | ||
38d96bd7 JY |
2306 | #ifdef USE_COMP |
2307 | to.comp_options = options->comp; | |
2308 | #endif | |
2309 | ||
685e486e DK |
2310 | #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 |
2311 | if (options->keying_material_exporter_label) | |
2312 | { | |
2313 | to.ekm_size = options->keying_material_exporter_length; | |
2314 | if (to.ekm_size < 16 || to.ekm_size > 4095) | |
2315 | to.ekm_size = 0; | |
2316 | ||
2317 | to.ekm_label = options->keying_material_exporter_label; | |
2318 | to.ekm_label_size = strlen(to.ekm_label); | |
2319 | } | |
2320 | else | |
2321 | { | |
2322 | to.ekm_size = 0; | |
2323 | } | |
2324 | #endif | |
2325 | ||
6fbf66fa JY |
2326 | /* TLS handshake authentication (--tls-auth) */ |
2327 | if (options->tls_auth_file) | |
2328 | { | |
2329 | to.tls_auth_key = c->c1.ks.tls_auth_key; | |
2330 | to.tls_auth.pid_persist = &c->c1.pid_persist; | |
2331 | to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; | |
2332 | crypto_adjust_frame_parameters (&to.frame, | |
2333 | &c->c1.ks.key_type, | |
2334 | false, false, true, true); | |
2335 | } | |
2336 | ||
2337 | /* If we are running over TCP, allow for | |
2338 | length prefix */ | |
4e9a51d7 | 2339 | socket_adjust_frame_parameters (&to.frame, options->ce.proto); |
6fbf66fa JY |
2340 | |
2341 | /* | |
2342 | * Initialize OpenVPN's master TLS-mode object. | |
2343 | */ | |
2344 | if (flags & CF_INIT_TLS_MULTI) | |
2345 | c->c2.tls_multi = tls_multi_init (&to); | |
2346 | ||
2347 | if (flags & CF_INIT_TLS_AUTH_STANDALONE) | |
2348 | c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc); | |
2349 | } | |
2350 | ||
2351 | static void | |
2352 | do_init_finalize_tls_frame (struct context *c) | |
2353 | { | |
2354 | if (c->c2.tls_multi) | |
2355 | { | |
2356 | tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame); | |
2357 | ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <= | |
2358 | EXPANDED_SIZE (&c->c2.frame)); | |
2359 | frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO, | |
2360 | "Control Channel MTU parms"); | |
2361 | } | |
2362 | if (c->c2.tls_auth_standalone) | |
2363 | { | |
2364 | tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame); | |
2365 | frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO, | |
2366 | "TLS-Auth MTU parms"); | |
2367 | } | |
2368 | } | |
2369 | ||
6fbf66fa JY |
2370 | /* |
2371 | * No encryption or authentication. | |
2372 | */ | |
2373 | static void | |
2374 | do_init_crypto_none (const struct context *c) | |
2375 | { | |
2376 | ASSERT (!c->options.test_crypto); | |
2377 | msg (M_WARN, | |
2378 | "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext"); | |
2379 | } | |
2380 | #endif | |
2381 | ||
2382 | static void | |
2383 | do_init_crypto (struct context *c, const unsigned int flags) | |
2384 | { | |
9b33b5a4 | 2385 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2386 | if (c->options.shared_secret_file) |
2387 | do_init_crypto_static (c, flags); | |
6fbf66fa JY |
2388 | else if (c->options.tls_server || c->options.tls_client) |
2389 | do_init_crypto_tls (c, flags); | |
6fbf66fa JY |
2390 | else /* no encryption or authentication. */ |
2391 | do_init_crypto_none (c); | |
9b33b5a4 | 2392 | #else /* ENABLE_CRYPTO */ |
6fbf66fa JY |
2393 | msg (M_WARN, |
2394 | "******* WARNING *******: " PACKAGE_NAME | |
ec828db6 | 2395 | " built without crypto library -- encryption and authentication features disabled -- all data will be tunnelled as cleartext"); |
9b33b5a4 | 2396 | #endif /* ENABLE_CRYPTO */ |
6fbf66fa JY |
2397 | } |
2398 | ||
2399 | static void | |
2400 | do_init_frame (struct context *c) | |
2401 | { | |
38d96bd7 | 2402 | #ifdef USE_COMP |
6fbf66fa | 2403 | /* |
38d96bd7 | 2404 | * modify frame parameters if compression is enabled |
6fbf66fa | 2405 | */ |
38d96bd7 | 2406 | if (comp_enabled(&c->options.comp)) |
6fbf66fa | 2407 | { |
38d96bd7 | 2408 | comp_add_to_extra_frame (&c->c2.frame); |
6fbf66fa | 2409 | |
9403e3f4 | 2410 | #if !defined(ENABLE_LZ4) |
6fbf66fa | 2411 | /* |
38d96bd7 JY |
2412 | * Compression usage affects buffer alignment when non-swapped algs |
2413 | * such as LZO is used. | |
9403e3f4 | 2414 | * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need |
38d96bd7 JY |
2415 | * any special alignment because of the control-byte swap approach. |
2416 | * LZO alignment (on the other hand) is problematic because | |
2417 | * the presence of the control byte means that either the output of | |
2418 | * decryption must be written to an unaligned buffer, or the input | |
2419 | * to compression (or packet dispatch if packet is uncompressed) | |
2420 | * must be read from an unaligned buffer. | |
2421 | * This code tries to align the input to compression (or packet | |
2422 | * dispatch if packet is uncompressed) at the cost of requiring | |
2423 | * decryption output to be written to an unaligned buffer, so | |
2424 | * it's more of a tradeoff than an optimal solution and we don't | |
9403e3f4 | 2425 | * include it when we are doing a modern build with LZ4. |
38d96bd7 JY |
2426 | * Strictly speaking, on the server it would be better to execute |
2427 | * this code for every connection after we decide the compression | |
2428 | * method, but currently the frame code doesn't appear to be | |
2429 | * flexible enough for this, since the frame is already established | |
2430 | * before it is known which compression options will be pushed. | |
6fbf66fa | 2431 | */ |
38d96bd7 | 2432 | if (comp_unswapped_prefix (&c->options.comp) && CIPHER_ENABLED (c)) |
6fbf66fa | 2433 | { |
38d96bd7 | 2434 | frame_add_to_align_adjust (&c->c2.frame, COMP_PREFIX_LEN); |
6fbf66fa JY |
2435 | frame_or_align_flags (&c->c2.frame, |
2436 | FRAME_HEADROOM_MARKER_FRAGMENT | |
2437 | |FRAME_HEADROOM_MARKER_DECRYPT); | |
2438 | } | |
38d96bd7 | 2439 | #endif |
6fbf66fa JY |
2440 | |
2441 | #ifdef ENABLE_FRAGMENT | |
38d96bd7 | 2442 | comp_add_to_extra_frame (&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ |
6fbf66fa JY |
2443 | #endif |
2444 | } | |
38d96bd7 | 2445 | #endif /* USE_COMP */ |
6fbf66fa | 2446 | |
6fbf66fa JY |
2447 | /* |
2448 | * Adjust frame size for UDP Socks support. | |
2449 | */ | |
4e9a51d7 JY |
2450 | if (c->options.ce.socks_proxy_server) |
2451 | socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); | |
6fbf66fa JY |
2452 | |
2453 | /* | |
2454 | * Adjust frame size based on the --tun-mtu-extra parameter. | |
2455 | */ | |
76809cae JJK |
2456 | if (c->options.ce.tun_mtu_extra_defined) |
2457 | tun_adjust_frame_parameters (&c->c2.frame, c->options.ce.tun_mtu_extra); | |
6fbf66fa JY |
2458 | |
2459 | /* | |
2460 | * Adjust frame size based on link socket parameters. | |
2461 | * (Since TCP is a stream protocol, we need to insert | |
2462 | * a packet length uint16_t in the buffer.) | |
2463 | */ | |
4e9a51d7 | 2464 | socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto); |
6fbf66fa JY |
2465 | |
2466 | /* | |
2467 | * Fill in the blanks in the frame parameters structure, | |
2468 | * make sure values are rational, etc. | |
2469 | */ | |
2470 | frame_finalize_options (c, NULL); | |
2471 | ||
38d96bd7 JY |
2472 | #ifdef USE_COMP |
2473 | /* | |
2474 | * Modify frame parameters if compression is compiled in. | |
2475 | * Should be called after frame_finalize_options. | |
2476 | */ | |
2477 | comp_add_to_extra_buffer (&c->c2.frame); | |
2478 | #ifdef ENABLE_FRAGMENT | |
2479 | comp_add_to_extra_buffer (&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ | |
2480 | #endif | |
2481 | #endif /* USE_COMP */ | |
2482 | ||
9e0963c1 GD |
2483 | /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) |
2484 | * and need link_mtu+3 bytes on socket reception (on server). | |
2485 | * | |
2486 | * accomodate receive path in f->extra_link, which has the side effect of | |
2487 | * also increasing send buffers (BUF_SIZE() macro), which need to be | |
2488 | * allocated big enough before receiving peer-id option from server. | |
2489 | * | |
2490 | * f->extra_frame is adjusted when peer-id option is push-received | |
2491 | */ | |
2492 | frame_add_to_extra_link(&c->c2.frame, 3); | |
2493 | ||
6fbf66fa JY |
2494 | #ifdef ENABLE_FRAGMENT |
2495 | /* | |
2496 | * Set frame parameter for fragment code. This is necessary because | |
2497 | * the fragmentation code deals with payloads which have already been | |
2498 | * passed through the compression code. | |
2499 | */ | |
2500 | c->c2.frame_fragment = c->c2.frame; | |
2501 | frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit); | |
2502 | #endif | |
2503 | ||
2504 | #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) | |
2505 | /* | |
2506 | * MTU advisories | |
2507 | */ | |
76809cae | 2508 | if (c->options.ce.fragment && c->options.mtu_test) |
6fbf66fa JY |
2509 | msg (M_WARN, |
2510 | "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); | |
2511 | #endif | |
2512 | ||
2513 | #ifdef ENABLE_FRAGMENT | |
76809cae | 2514 | if ((c->options.ce.mssfix || c->options.ce.fragment) |
6fbf66fa JY |
2515 | && TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU) |
2516 | msg (M_WARN, | |
2517 | "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", | |
2518 | ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment)); | |
2519 | #endif | |
2520 | } | |
2521 | ||
2522 | static void | |
2523 | do_option_warnings (struct context *c) | |
2524 | { | |
2525 | const struct options *o = &c->options; | |
2526 | ||
6fbf66fa JY |
2527 | if (o->ping_send_timeout && !o->ping_rec_timeout) |
2528 | msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); | |
2529 | ||
99385447 | 2530 | if (o->username || o->groupname || o->chroot_dir |
cd5990e0 | 2531 | #ifdef ENABLE_SELINUX |
99385447 JY |
2532 | || o->selinux_context |
2533 | #endif | |
2534 | ) | |
6d89ede6 JY |
2535 | { |
2536 | if (!o->persist_tun) | |
99385447 | 2537 | msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); |
51b1d4c2 JY |
2538 | if (!o->persist_key |
2539 | #ifdef ENABLE_PKCS11 | |
2540 | && !o->pkcs11_id | |
2541 | #endif | |
2542 | ) | |
99385447 | 2543 | msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); |
6d89ede6 | 2544 | } |
6fbf66fa | 2545 | |
31f90e64 JY |
2546 | if (o->chroot_dir && !(o->username && o->groupname)) |
2547 | msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); | |
2548 | ||
6fbf66fa JY |
2549 | #if P2MP |
2550 | if (o->pull && o->ifconfig_local && c->first_time) | |
2551 | msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); | |
2552 | ||
2553 | #if P2MP_SERVER | |
f77c60d3 JY |
2554 | if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) |
2555 | msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); | |
2556 | ||
6fbf66fa JY |
2557 | if (o->mode == MODE_SERVER) |
2558 | { | |
2559 | if (o->duplicate_cn && o->client_config_dir) | |
2560 | msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); | |
2561 | if (o->duplicate_cn && o->ifconfig_pool_persist_filename) | |
2562 | msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); | |
2563 | if (!o->keepalive_ping || !o->keepalive_timeout) | |
2564 | msg (M_WARN, "WARNING: --keepalive option is missing from server config"); | |
2565 | } | |
2566 | #endif | |
2567 | #endif | |
2568 | ||
9b33b5a4 | 2569 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2570 | if (!o->replay) |
2571 | msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); | |
2572 | if (!o->use_iv) | |
2573 | msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure"); | |
2574 | ||
f77c60d3 JY |
2575 | if (o->tls_server) |
2576 | warn_on_use_of_common_subnets (); | |
6fbf66fa JY |
2577 | if (o->tls_client |
2578 | && !o->tls_verify | |
9f0fc745 | 2579 | && o->verify_x509_type == VERIFY_X509_NONE |
06d22777 | 2580 | && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) |
6117b639 | 2581 | && !o->remote_cert_eku) |
6fbf66fa JY |
2582 | msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); |
2583 | #endif | |
2584 | ||
1ae9d051 | 2585 | #ifndef CONNECT_NONBLOCK |
4e9a51d7 | 2586 | if (o->ce.connect_timeout_defined) |
1ae9d051 | 2587 | msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); |
6fbf66fa | 2588 | #endif |
c04bc022 | 2589 | |
9b6a5028 AS |
2590 | /* If a script is used, print appropiate warnings */ |
2591 | if (o->user_script_used) | |
8476edbb AS |
2592 | { |
2593 | if (script_security >= SSEC_SCRIPTS) | |
2594 | msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); | |
2595 | else if (script_security >= SSEC_PW_ENV) | |
2596 | msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); | |
2597 | else | |
36009965 | 2598 | msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); |
8476edbb | 2599 | } |
6fbf66fa JY |
2600 | } |
2601 | ||
2602 | static void | |
2603 | do_init_frame_tls (struct context *c) | |
2604 | { | |
ec828db6 | 2605 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2606 | do_init_finalize_tls_frame (c); |
2607 | #endif | |
2608 | } | |
2609 | ||
2610 | struct context_buffers * | |
2611 | init_context_buffers (const struct frame *frame) | |
2612 | { | |
2613 | struct context_buffers *b; | |
2614 | ||
2615 | ALLOC_OBJ_CLEAR (b, struct context_buffers); | |
2616 | ||
2617 | b->read_link_buf = alloc_buf (BUF_SIZE (frame)); | |
2618 | b->read_tun_buf = alloc_buf (BUF_SIZE (frame)); | |
2619 | ||
2620 | b->aux_buf = alloc_buf (BUF_SIZE (frame)); | |
2621 | ||
9b33b5a4 | 2622 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2623 | b->encrypt_buf = alloc_buf (BUF_SIZE (frame)); |
2624 | b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); | |
2625 | #endif | |
2626 | ||
38d96bd7 JY |
2627 | #ifdef USE_COMP |
2628 | b->compress_buf = alloc_buf (BUF_SIZE (frame)); | |
2629 | b->decompress_buf = alloc_buf (BUF_SIZE (frame)); | |
6fbf66fa JY |
2630 | #endif |
2631 | ||
2632 | return b; | |
2633 | } | |
2634 | ||
2635 | void | |
2636 | free_context_buffers (struct context_buffers *b) | |
2637 | { | |
2638 | if (b) | |
2639 | { | |
2640 | free_buf (&b->read_link_buf); | |
2641 | free_buf (&b->read_tun_buf); | |
2642 | free_buf (&b->aux_buf); | |
2643 | ||
38d96bd7 JY |
2644 | #ifdef USE_COMP |
2645 | free_buf (&b->compress_buf); | |
2646 | free_buf (&b->decompress_buf); | |
6fbf66fa JY |
2647 | #endif |
2648 | ||
9b33b5a4 | 2649 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2650 | free_buf (&b->encrypt_buf); |
2651 | free_buf (&b->decrypt_buf); | |
2652 | #endif | |
2653 | ||
2654 | free (b); | |
2655 | } | |
2656 | } | |
2657 | ||
2658 | /* | |
2659 | * Now that we know all frame parameters, initialize | |
2660 | * our buffers. | |
2661 | */ | |
2662 | static void | |
2663 | do_init_buffers (struct context *c) | |
2664 | { | |
2665 | c->c2.buffers = init_context_buffers (&c->c2.frame); | |
2666 | c->c2.buffers_owned = true; | |
2667 | } | |
2668 | ||
2669 | #ifdef ENABLE_FRAGMENT | |
2670 | /* | |
2671 | * Fragmenting code has buffers to initialize | |
2672 | * once frame parameters are known. | |
2673 | */ | |
2674 | static void | |
2675 | do_init_fragment (struct context *c) | |
2676 | { | |
76809cae | 2677 | ASSERT (c->options.ce.fragment); |
6fbf66fa | 2678 | frame_set_mtu_dynamic (&c->c2.frame_fragment, |
76809cae | 2679 | c->options.ce.fragment, SET_MTU_UPPER_BOUND); |
6fbf66fa JY |
2680 | fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment); |
2681 | } | |
2682 | #endif | |
2683 | ||
2684 | /* | |
2685 | * Set the --mssfix option. | |
2686 | */ | |
2687 | static void | |
2688 | do_init_mssfix (struct context *c) | |
2689 | { | |
76809cae | 2690 | if (c->options.ce.mssfix) |
6fbf66fa JY |
2691 | { |
2692 | frame_set_mtu_dynamic (&c->c2.frame, | |
76809cae | 2693 | c->options.ce.mssfix, SET_MTU_UPPER_BOUND); |
6fbf66fa JY |
2694 | } |
2695 | } | |
2696 | ||
2697 | /* | |
2698 | * Allocate our socket object. | |
2699 | */ | |
2700 | static void | |
2701 | do_link_socket_new (struct context *c) | |
2702 | { | |
2703 | ASSERT (!c->c2.link_socket); | |
2704 | c->c2.link_socket = link_socket_new (); | |
2705 | c->c2.link_socket_owned = true; | |
2706 | } | |
2707 | ||
2708 | /* | |
2709 | * bind the TCP/UDP socket | |
2710 | */ | |
2711 | static void | |
dc46c067 | 2712 | do_init_socket_1 (struct context *c, const int mode) |
6fbf66fa | 2713 | { |
dc46c067 JY |
2714 | unsigned int sockflags = c->options.sockflags; |
2715 | ||
2716 | #if PORT_SHARE | |
2717 | if (c->options.port_share_host && c->options.port_share_port) | |
2718 | sockflags |= SF_PORT_SHARE; | |
2719 | #endif | |
2720 | ||
6fbf66fa | 2721 | link_socket_init_phase1 (c->c2.link_socket, |
4e9a51d7 JY |
2722 | c->options.ce.local, |
2723 | c->options.ce.local_port, | |
2724 | c->options.ce.remote, | |
2725 | c->options.ce.remote_port, | |
e719a053 | 2726 | c->c1.dns_cache, |
4e9a51d7 | 2727 | c->options.ce.proto, |
30077d1f | 2728 | c->options.ce.af, |
8832c6c4 | 2729 | c->options.ce.bind_ipv6_only, |
6fbf66fa JY |
2730 | mode, |
2731 | c->c2.accept_from, | |
6fbf66fa | 2732 | c->c1.http_proxy, |
6fbf66fa | 2733 | c->c1.socks_proxy, |
6fbf66fa JY |
2734 | #ifdef ENABLE_DEBUG |
2735 | c->options.gremlin, | |
2736 | #endif | |
4e9a51d7 JY |
2737 | c->options.ce.bind_local, |
2738 | c->options.ce.remote_float, | |
6fbf66fa JY |
2739 | c->options.inetd, |
2740 | &c->c1.link_socket_addr, | |
2741 | c->options.ipchange, | |
3c7f2f55 | 2742 | c->plugins, |
6fbf66fa | 2743 | c->options.resolve_retry_seconds, |
4e9a51d7 | 2744 | c->options.ce.connect_timeout, |
76809cae | 2745 | c->options.ce.mtu_discover_type, |
6fbf66fa | 2746 | c->options.rcvbuf, |
00d39170 | 2747 | c->options.sndbuf, |
d90428d1 | 2748 | c->options.mark, |
dc46c067 | 2749 | sockflags); |
6fbf66fa JY |
2750 | } |
2751 | ||
2752 | /* | |
2753 | * finalize the TCP/UDP socket | |
2754 | */ | |
2755 | static void | |
2756 | do_init_socket_2 (struct context *c) | |
2757 | { | |
2758 | link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame, | |
23d61c56 | 2759 | c->sig); |
6fbf66fa JY |
2760 | } |
2761 | ||
2762 | /* | |
2763 | * Print MTU INFO | |
2764 | */ | |
2765 | static void | |
2766 | do_print_data_channel_mtu_parms (struct context *c) | |
2767 | { | |
2768 | frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); | |
2769 | #ifdef ENABLE_FRAGMENT | |
2770 | if (c->c2.fragment) | |
2771 | frame_print (&c->c2.frame_fragment, D_MTU_INFO, | |
2772 | "Fragmentation MTU parms"); | |
2773 | #endif | |
2774 | } | |
2775 | ||
2776 | #ifdef ENABLE_OCC | |
2777 | /* | |
2778 | * Get local and remote options compatibility strings. | |
2779 | */ | |
2780 | static void | |
2781 | do_compute_occ_strings (struct context *c) | |
2782 | { | |
2783 | struct gc_arena gc = gc_new (); | |
2784 | ||
2785 | c->c2.options_string_local = | |
2786 | options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); | |
2787 | c->c2.options_string_remote = | |
2788 | options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); | |
2789 | ||
827de237 SK |
2790 | msg (D_SHOW_OCC, "Local Options String (VER=%s): '%s'", |
2791 | options_string_version (c->c2.options_string_local, &gc), | |
2792 | c->c2.options_string_local); | |
2793 | msg (D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", | |
2794 | options_string_version (c->c2.options_string_remote, &gc), | |
2795 | c->c2.options_string_remote); | |
6fbf66fa | 2796 | |
9b33b5a4 | 2797 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2798 | if (c->c2.tls_multi) |
2799 | tls_multi_init_set_options (c->c2.tls_multi, | |
2800 | c->c2.options_string_local, | |
2801 | c->c2.options_string_remote); | |
2802 | #endif | |
2803 | ||
2804 | gc_free (&gc); | |
2805 | } | |
2806 | #endif | |
2807 | ||
2808 | /* | |
2809 | * These things can only be executed once per program instantiation. | |
2810 | * Set up for possible UID/GID downgrade, but don't do it yet. | |
2811 | * Daemonize if requested. | |
2812 | */ | |
2813 | static void | |
2814 | do_init_first_time (struct context *c) | |
2815 | { | |
da9b2927 | 2816 | if (c->first_time && !c->c0) |
6fbf66fa | 2817 | { |
92bbb061 JY |
2818 | struct context_0 *c0; |
2819 | ||
2820 | ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc); | |
2821 | c0 = c->c0; | |
2822 | ||
6fbf66fa | 2823 | /* get user and/or group that we want to setuid/setgid to */ |
92bbb061 | 2824 | c0->uid_gid_specified = |
14a131ac ABL |
2825 | platform_group_get (c->options.groupname, &c0->platform_state_group) | |
2826 | platform_user_get (c->options.username, &c0->platform_state_user); | |
6fbf66fa | 2827 | |
da9b2927 SK |
2828 | /* perform postponed chdir if --daemon */ |
2829 | if (c->did_we_daemonize && c->options.cd_dir == NULL) | |
2830 | platform_chdir("/"); | |
6fbf66fa | 2831 | |
6fbf66fa | 2832 | /* should we change scheduling priority? */ |
14a131ac | 2833 | platform_nice (c->options.nice); |
6fbf66fa JY |
2834 | } |
2835 | } | |
2836 | ||
2837 | /* | |
2838 | * If xinetd/inetd mode, don't allow restart. | |
2839 | */ | |
2840 | static void | |
2841 | do_close_check_if_restart_permitted (struct context *c) | |
2842 | { | |
2843 | if (c->options.inetd | |
2844 | && (c->sig->signal_received == SIGHUP | |
2845 | || c->sig->signal_received == SIGUSR1)) | |
2846 | { | |
2847 | c->sig->signal_received = SIGTERM; | |
2848 | msg (M_INFO, | |
2849 | PACKAGE_NAME | |
2850 | " started by inetd/xinetd cannot restart... Exiting."); | |
2851 | } | |
2852 | } | |
2853 | ||
2854 | /* | |
2855 | * free buffers | |
2856 | */ | |
2857 | static void | |
2858 | do_close_free_buf (struct context *c) | |
2859 | { | |
2860 | if (c->c2.buffers_owned) | |
2861 | { | |
2862 | free_context_buffers (c->c2.buffers); | |
2863 | c->c2.buffers = NULL; | |
2864 | c->c2.buffers_owned = false; | |
2865 | } | |
2866 | } | |
2867 | ||
2868 | /* | |
2869 | * close TLS | |
2870 | */ | |
2871 | static void | |
2872 | do_close_tls (struct context *c) | |
2873 | { | |
ec828db6 | 2874 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2875 | if (c->c2.tls_multi) |
2876 | { | |
2877 | tls_multi_free (c->c2.tls_multi, true); | |
2878 | c->c2.tls_multi = NULL; | |
2879 | } | |
2880 | ||
2881 | #ifdef ENABLE_OCC | |
2882 | /* free options compatibility strings */ | |
2883 | if (c->c2.options_string_local) | |
2884 | free (c->c2.options_string_local); | |
2885 | if (c->c2.options_string_remote) | |
2886 | free (c->c2.options_string_remote); | |
2887 | c->c2.options_string_local = c->c2.options_string_remote = NULL; | |
2888 | #endif | |
2889 | #endif | |
2890 | } | |
2891 | ||
2892 | /* | |
2893 | * Free key schedules | |
2894 | */ | |
2895 | static void | |
2896 | do_close_free_key_schedule (struct context *c, bool free_ssl_ctx) | |
2897 | { | |
2898 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) | |
2899 | key_schedule_free (&c->c1.ks, free_ssl_ctx); | |
2900 | } | |
2901 | ||
2902 | /* | |
2903 | * Close TCP/UDP connection | |
2904 | */ | |
2905 | static void | |
2906 | do_close_link_socket (struct context *c) | |
2907 | { | |
2908 | if (c->c2.link_socket && c->c2.link_socket_owned) | |
2909 | { | |
2910 | link_socket_close (c->c2.link_socket); | |
2911 | c->c2.link_socket = NULL; | |
2912 | } | |
2913 | ||
23d61c56 AS |
2914 | |
2915 | /* Preserve the resolved list of remote if the user request to or if we want | |
2916 | * reconnect to the same host again or there are still addresses that need | |
2917 | * to be tried */ | |
2918 | if (!(c->sig->signal_received == SIGUSR1 && | |
2919 | ( (c->options.persist_remote_ip) | |
2920 | || | |
2921 | ( c->sig->source != SIG_SOURCE_HARD && | |
2922 | ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) | |
2923 | || c->options.no_advance)) | |
2924 | ))) | |
2925 | { | |
e719a053 | 2926 | clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); |
23d61c56 AS |
2927 | } |
2928 | ||
2929 | /* Clear the remote actual address when persist_remote_ip is not in use */ | |
2930 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) | |
6fbf66fa | 2931 | CLEAR (c->c1.link_socket_addr.actual); |
6fbf66fa | 2932 | |
23d61c56 | 2933 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) { |
e719a053 AS |
2934 | if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) |
2935 | freeaddrinfo(c->c1.link_socket_addr.bind_local); | |
2936 | ||
23d61c56 AS |
2937 | c->c1.link_socket_addr.bind_local=NULL; |
2938 | } | |
6fbf66fa JY |
2939 | } |
2940 | ||
2941 | /* | |
2942 | * Close packet-id persistance file | |
2943 | */ | |
2944 | static void | |
2945 | do_close_packet_id (struct context *c) | |
2946 | { | |
9b33b5a4 | 2947 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
2948 | packet_id_free (&c->c2.packet_id); |
2949 | packet_id_persist_save (&c->c1.pid_persist); | |
2950 | if (!(c->sig->signal_received == SIGUSR1)) | |
2951 | packet_id_persist_close (&c->c1.pid_persist); | |
2952 | #endif | |
2953 | } | |
2954 | ||
2955 | #ifdef ENABLE_FRAGMENT | |
2956 | /* | |
2957 | * Close fragmentation handler. | |
2958 | */ | |
2959 | static void | |
2960 | do_close_fragment (struct context *c) | |
2961 | { | |
2962 | if (c->c2.fragment) | |
2963 | { | |
2964 | fragment_free (c->c2.fragment); | |
2965 | c->c2.fragment = NULL; | |
2966 | } | |
2967 | } | |
2968 | #endif | |
2969 | ||
2970 | /* | |
2971 | * Open and close our event objects. | |
2972 | */ | |
2973 | ||
2974 | static void | |
2975 | do_event_set_init (struct context *c, | |
2976 | bool need_us_timeout) | |
2977 | { | |
2978 | unsigned int flags = 0; | |
2979 | ||
2980 | c->c2.event_set_max = BASE_N_EVENTS; | |
2981 | ||
2982 | flags |= EVENT_METHOD_FAST; | |
2983 | ||
2984 | if (need_us_timeout) | |
2985 | flags |= EVENT_METHOD_US_TIMEOUT; | |
2986 | ||
2987 | c->c2.event_set = event_set_init (&c->c2.event_set_max, flags); | |
2988 | c->c2.event_set_owned = true; | |
2989 | } | |
2990 | ||
2991 | static void | |
2992 | do_close_event_set (struct context *c) | |
2993 | { | |
2994 | if (c->c2.event_set && c->c2.event_set_owned) | |
2995 | { | |
2996 | event_free (c->c2.event_set); | |
2997 | c->c2.event_set = NULL; | |
2998 | c->c2.event_set_owned = false; | |
2999 | } | |
3000 | } | |
3001 | ||
3002 | /* | |
3003 | * Open and close --status file | |
3004 | */ | |
3005 | ||
3006 | static void | |
3007 | do_open_status_output (struct context *c) | |
3008 | { | |
3009 | if (!c->c1.status_output) | |
3010 | { | |
3011 | c->c1.status_output = status_open (c->options.status_file, | |
3012 | c->options.status_file_update_freq, | |
3013 | -1, | |
3014 | NULL, | |
3015 | STATUS_OUTPUT_WRITE); | |
3016 | c->c1.status_output_owned = true; | |
3017 | } | |
3018 | } | |
3019 | ||
3020 | static void | |
3021 | do_close_status_output (struct context *c) | |
3022 | { | |
3023 | if (!(c->sig->signal_received == SIGUSR1)) | |
3024 | { | |
3025 | if (c->c1.status_output_owned && c->c1.status_output) | |
3026 | { | |
3027 | status_close (c->c1.status_output); | |
3028 | c->c1.status_output = NULL; | |
3029 | c->c1.status_output_owned = false; | |
3030 | } | |
3031 | } | |
3032 | } | |
3033 | ||
3034 | /* | |
3035 | * Handle ifconfig-pool persistance object. | |
3036 | */ | |
3037 | static void | |
3038 | do_open_ifconfig_pool_persist (struct context *c) | |
3039 | { | |
3040 | #if P2MP_SERVER | |
3041 | if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) | |
3042 | { | |
3043 | c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename, | |
3044 | c->options.ifconfig_pool_persist_refresh_freq); | |
3045 | c->c1.ifconfig_pool_persist_owned = true; | |
3046 | } | |
3047 | #endif | |
3048 | } | |
3049 | ||
3050 | static void | |
3051 | do_close_ifconfig_pool_persist (struct context *c) | |
3052 | { | |
3053 | #if P2MP_SERVER | |
3054 | if (!(c->sig->signal_received == SIGUSR1)) | |
3055 | { | |
3056 | if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) | |
3057 | { | |
3058 | ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist); | |
3059 | c->c1.ifconfig_pool_persist = NULL; | |
3060 | c->c1.ifconfig_pool_persist_owned = false; | |
3061 | } | |
3062 | } | |
3063 | #endif | |
3064 | } | |
3065 | ||
3066 | /* | |
3067 | * Inherit environmental variables | |
3068 | */ | |
3069 | ||
3070 | static void | |
3071 | do_inherit_env (struct context *c, const struct env_set *src) | |
3072 | { | |
43681479 | 3073 | c->c2.es = env_set_create (NULL); |
2a64816b | 3074 | c->c2.es_owned = true; |
6fbf66fa JY |
3075 | env_set_inherit (c->c2.es, src); |
3076 | } | |
3077 | ||
2a64816b JY |
3078 | static void |
3079 | do_env_set_destroy (struct context *c) | |
3080 | { | |
3081 | if (c->c2.es && c->c2.es_owned) | |
3082 | { | |
3083 | env_set_destroy (c->c2.es); | |
3084 | c->c2.es = NULL; | |
3085 | c->c2.es_owned = false; | |
3086 | } | |
3087 | } | |
3088 | ||
6fbf66fa JY |
3089 | /* |
3090 | * Fast I/O setup. Fast I/O is an optimization which only works | |
3091 | * if all of the following are true: | |
3092 | * | |
3093 | * (1) The platform is not Windows | |
3094 | * (2) --proto udp is enabled | |
3095 | * (3) --shaper is disabled | |
3096 | */ | |
3097 | static void | |
3098 | do_setup_fast_io (struct context *c) | |
3099 | { | |
3100 | if (c->options.fast_io) | |
3101 | { | |
3102 | #ifdef WIN32 | |
3103 | msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); | |
3104 | #else | |
8335caf9 | 3105 | if (!proto_is_udp(c->options.ce.proto)) |
6fbf66fa JY |
3106 | msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); |
3107 | else | |
3108 | { | |
3d163bc5 | 3109 | #ifdef ENABLE_FEATURE_SHAPER |
6fbf66fa JY |
3110 | if (c->options.shaper) |
3111 | msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); | |
3112 | else | |
0475d17e | 3113 | #endif |
6fbf66fa JY |
3114 | { |
3115 | c->c2.fast_io = true; | |
3116 | } | |
3117 | } | |
3118 | #endif | |
3119 | } | |
3120 | } | |
3121 | ||
3122 | static void | |
3123 | do_signal_on_tls_errors (struct context *c) | |
3124 | { | |
ec828db6 | 3125 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
3126 | if (c->options.tls_exit) |
3127 | c->c2.tls_exit_signal = SIGTERM; | |
3128 | else | |
3129 | c->c2.tls_exit_signal = SIGUSR1; | |
3130 | #endif | |
3131 | } | |
3132 | ||
3c7f2f55 | 3133 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 3134 | |
3c7f2f55 | 3135 | void |
e1791bb1 | 3136 | init_plugins (struct context *c) |
6fbf66fa | 3137 | { |
3c7f2f55 | 3138 | if (c->options.plugin_list && !c->plugins) |
e1791bb1 JY |
3139 | { |
3140 | c->plugins = plugin_list_init (c->options.plugin_list); | |
3141 | c->plugins_owned = true; | |
3142 | } | |
3143 | } | |
3144 | ||
3145 | void | |
3146 | open_plugins (struct context *c, const bool import_options, int init_point) | |
3147 | { | |
3148 | if (c->plugins && c->plugins_owned) | |
6fbf66fa | 3149 | { |
3c7f2f55 JY |
3150 | if (import_options) |
3151 | { | |
3152 | struct plugin_return pr, config; | |
3153 | plugin_return_init (&pr); | |
e1791bb1 | 3154 | plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); |
3c7f2f55 JY |
3155 | plugin_return_get_column (&pr, &config, "config"); |
3156 | if (plugin_return_defined (&config)) | |
3157 | { | |
3158 | int i; | |
3159 | for (i = 0; i < config.n; ++i) | |
3160 | { | |
3161 | unsigned int option_types_found = 0; | |
3162 | if (config.list[i] && config.list[i]->value) | |
90efcacb | 3163 | options_string_import (&c->options, |
3c7f2f55 JY |
3164 | config.list[i]->value, |
3165 | D_IMPORT_ERRORS|M_OPTERR, | |
3166 | OPT_P_DEFAULT & ~OPT_P_PLUGIN, | |
3167 | &option_types_found, | |
3168 | c->es); | |
3169 | } | |
3170 | } | |
3171 | plugin_return_free (&pr); | |
3172 | } | |
3173 | else | |
3174 | { | |
e1791bb1 | 3175 | plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); |
3c7f2f55 | 3176 | } |
6fbf66fa | 3177 | } |
6fbf66fa JY |
3178 | } |
3179 | ||
3180 | static void | |
3181 | do_close_plugins (struct context *c) | |
3182 | { | |
3c7f2f55 | 3183 | if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 3184 | { |
3c7f2f55 JY |
3185 | plugin_list_close (c->plugins); |
3186 | c->plugins = NULL; | |
3187 | c->plugins_owned = false; | |
6fbf66fa | 3188 | } |
6fbf66fa JY |
3189 | } |
3190 | ||
3c7f2f55 JY |
3191 | static void |
3192 | do_inherit_plugins (struct context *c, const struct context *src) | |
3193 | { | |
3194 | if (!c->plugins && src->plugins) | |
3195 | { | |
3196 | c->plugins = plugin_list_inherit (src->plugins); | |
3197 | c->plugins_owned = true; | |
3198 | } | |
3199 | } | |
3200 | ||
3201 | #endif | |
3202 | ||
6fbf66fa JY |
3203 | #ifdef ENABLE_MANAGEMENT |
3204 | ||
3205 | static void | |
3206 | management_callback_status_p2p (void *arg, const int version, struct status_output *so) | |
3207 | { | |
3208 | struct context *c = (struct context *) arg; | |
3209 | print_status (c, so); | |
3210 | } | |
3211 | ||
3212 | void | |
3213 | management_show_net_callback (void *arg, const int msglevel) | |
3214 | { | |
3215 | #ifdef WIN32 | |
3216 | show_routes (msglevel); | |
3217 | show_adapters (msglevel); | |
3218 | msg (msglevel, "END"); | |
3219 | #else | |
3220 | msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); | |
3221 | #endif | |
3222 | } | |
3223 | ||
30003978 AS |
3224 | #ifdef TARGET_ANDROID |
3225 | int | |
d967ec28 | 3226 | management_callback_network_change (void *arg, bool samenetwork) |
30003978 AS |
3227 | { |
3228 | /* Check if the client should translate the network change to a SIGUSR1 to | |
3229 | reestablish the connection or just reprotect the socket | |
3230 | ||
3231 | At the moment just assume that, for all settings that use pull (not | |
3232 | --static) and are not using peer-id reestablishing the connection is | |
d967ec28 | 3233 | required (unless the network is the same) |
30003978 AS |
3234 | |
3235 | The function returns -1 on invalid fd and -2 if the socket cannot be | |
3236 | reused. On the -2 return value the man_network_change function triggers | |
3237 | a SIGUSR1 to force a reconnect. | |
3238 | */ | |
3239 | ||
3240 | int socketfd=-1; | |
3241 | struct context *c = (struct context *) arg; | |
3242 | if (!c->c2.link_socket) | |
3243 | return -1; | |
3244 | if (c->c2.link_socket->sd == SOCKET_UNDEFINED) | |
3245 | return -1; | |
3246 | ||
3247 | socketfd = c->c2.link_socket->sd; | |
d967ec28 | 3248 | if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) |
30003978 AS |
3249 | return socketfd; |
3250 | else | |
3251 | return -2; | |
3252 | } | |
3253 | #endif | |
3254 | ||
6fbf66fa JY |
3255 | #endif |
3256 | ||
3257 | void | |
3258 | init_management_callback_p2p (struct context *c) | |
3259 | { | |
3260 | #ifdef ENABLE_MANAGEMENT | |
3261 | if (management) | |
3262 | { | |
3263 | struct management_callback cb; | |
3264 | CLEAR (cb); | |
3265 | cb.arg = c; | |
3266 | cb.status = management_callback_status_p2p; | |
3267 | cb.show_net = management_show_net_callback; | |
af1bf85a | 3268 | cb.proxy_cmd = management_callback_proxy_cmd; |
54561af6 | 3269 | cb.remote_cmd = management_callback_remote_cmd; |
30003978 AS |
3270 | #ifdef TARGET_ANDROID |
3271 | cb.network_change = management_callback_network_change; | |
3272 | #endif | |
6fbf66fa JY |
3273 | management_set_callback (management, &cb); |
3274 | } | |
3275 | #endif | |
3276 | } | |
3277 | ||
3278 | #ifdef ENABLE_MANAGEMENT | |
3279 | ||
3280 | void | |
3281 | init_management (struct context *c) | |
3282 | { | |
3283 | if (!management) | |
3284 | management = management_init (); | |
3285 | } | |
3286 | ||
3287 | bool | |
3288 | open_management (struct context *c) | |
3289 | { | |
3290 | /* initialize management layer */ | |
3291 | if (management) | |
3292 | { | |
3293 | if (c->options.management_addr) | |
3294 | { | |
90efcacb JY |
3295 | unsigned int flags = c->options.management_flags; |
3296 | if (c->options.mode == MODE_SERVER) | |
3297 | flags |= MF_SERVER; | |
6fbf66fa JY |
3298 | if (management_open (management, |
3299 | c->options.management_addr, | |
3300 | c->options.management_port, | |
3301 | c->options.management_user_pass, | |
bb564a59 JY |
3302 | c->options.management_client_user, |
3303 | c->options.management_client_group, | |
6fbf66fa JY |
3304 | c->options.management_log_history_cache, |
3305 | c->options.management_echo_buffer_size, | |
3306 | c->options.management_state_buffer_size, | |
2c21891e | 3307 | c->options.management_write_peer_info_file, |
90efcacb JY |
3308 | c->options.remap_sigusr1, |
3309 | flags)) | |
6fbf66fa JY |
3310 | { |
3311 | management_set_state (management, | |
3312 | OPENVPN_STATE_CONNECTING, | |
3313 | NULL, | |
2191c471 HH |
3314 | NULL, |
3315 | NULL, | |
3316 | NULL, | |
3317 | NULL); | |
6fbf66fa JY |
3318 | } |
3319 | ||
2c21891e | 3320 | /* initial management hold, called early, before first context initialization */ |
da9b2927 | 3321 | do_hold (); |
6fbf66fa JY |
3322 | if (IS_SIG (c)) |
3323 | { | |
3324 | msg (M_WARN, "Signal received from management interface, exiting"); | |
3325 | return false; | |
3326 | } | |
3327 | } | |
3328 | else | |
3329 | close_management (); | |
3330 | } | |
3331 | return true; | |
3332 | } | |
3333 | ||
3334 | void | |
3335 | close_management (void) | |
3336 | { | |
3337 | if (management) | |
3338 | { | |
3339 | management_close (management); | |
3340 | management = NULL; | |
3341 | } | |
3342 | } | |
3343 | ||
3344 | #endif | |
3345 | ||
3346 | ||
3347 | void | |
3348 | uninit_management_callback (void) | |
3349 | { | |
3350 | #ifdef ENABLE_MANAGEMENT | |
3351 | if (management) | |
3352 | { | |
3353 | management_clear_callback (management); | |
3354 | } | |
3355 | #endif | |
3356 | } | |
3357 | ||
3358 | /* | |
3359 | * Initialize a tunnel instance, handle pre and post-init | |
3360 | * signal settings. | |
3361 | */ | |
3362 | void | |
3363 | init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags) | |
3364 | { | |
3365 | pre_init_signal_catch (); | |
3366 | init_instance (c, env, flags); | |
3367 | post_init_signal_catch (); | |
b540a9e0 JY |
3368 | |
3369 | /* | |
3370 | * This is done so that signals thrown during | |
3371 | * initialization can bring us back to | |
3372 | * a management hold. | |
3373 | */ | |
3374 | if (IS_SIG (c)) | |
d5badcf1 JY |
3375 | { |
3376 | remap_signal (c); | |
3377 | uninit_management_callback (); | |
3378 | } | |
6fbf66fa JY |
3379 | } |
3380 | ||
3381 | /* | |
3382 | * Initialize a tunnel instance. | |
3383 | */ | |
3384 | void | |
3385 | init_instance (struct context *c, const struct env_set *env, const unsigned int flags) | |
3386 | { | |
3387 | const struct options *options = &c->options; | |
3388 | const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); | |
3389 | int link_socket_mode = LS_MODE_DEFAULT; | |
3390 | ||
3391 | /* init garbage collection level */ | |
3392 | gc_init (&c->c2.gc); | |
3393 | ||
ac1c2f25 AS |
3394 | /* inherit environmental variables */ |
3395 | if (env) | |
3396 | do_inherit_env (c, env); | |
3397 | ||
6fbf66fa JY |
3398 | /* signals caught here will abort */ |
3399 | c->sig->signal_received = 0; | |
3400 | c->sig->signal_text = NULL; | |
23d61c56 | 3401 | c->sig->source = SIG_SOURCE_SOFT; |
6fbf66fa | 3402 | |
3cf6c932 JY |
3403 | if (c->mode == CM_P2P) |
3404 | init_management_callback_p2p (c); | |
3405 | ||
3406 | /* possible sleep or management hold if restart */ | |
3407 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3408 | { | |
3409 | do_startup_pause (c); | |
3410 | if (IS_SIG (c)) | |
3411 | goto sig; | |
3412 | } | |
3413 | ||
e719a053 AS |
3414 | if (c->options.resolve_in_advance) |
3415 | { | |
3416 | do_preresolve (c); | |
3417 | if (IS_SIG (c)) | |
3418 | goto sig; | |
3419 | } | |
3420 | ||
4e9a51d7 JY |
3421 | /* map in current connection entry */ |
3422 | next_connection_entry (c); | |
3423 | ||
6fbf66fa JY |
3424 | /* link_socket_mode allows CM_CHILD_TCP |
3425 | instances to inherit acceptable fds | |
3426 | from a top-level parent */ | |
30077d1f | 3427 | if (c->options.ce.proto == PROTO_TCP_SERVER) |
6fbf66fa JY |
3428 | { |
3429 | if (c->mode == CM_TOP) | |
3430 | link_socket_mode = LS_MODE_TCP_LISTEN; | |
3431 | else if (c->mode == CM_CHILD_TCP) | |
3432 | link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; | |
3433 | } | |
3434 | ||
3435 | /* should we disable paging? */ | |
3436 | if (c->first_time && options->mlock) | |
14a131ac | 3437 | platform_mlockall (true); |
6fbf66fa | 3438 | |
92bbb061 JY |
3439 | #if P2MP |
3440 | /* get passwords if undefined */ | |
3441 | if (auth_retry_get () == AR_INTERACT) | |
3442 | init_query_passwords (c); | |
3443 | #endif | |
3444 | ||
6fbf66fa JY |
3445 | /* initialize context level 2 --verb/--mute parms */ |
3446 | init_verb_mute (c, IVM_LEVEL_2); | |
3447 | ||
3448 | /* set error message delay for non-server modes */ | |
3449 | if (c->mode == CM_P2P) | |
3450 | set_check_status_error_delay (P2P_ERROR_DELAY_MS); | |
3451 | ||
3452 | /* warn about inconsistent options */ | |
3453 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3454 | do_option_warnings (c); | |
3455 | ||
3c7f2f55 | 3456 | #ifdef ENABLE_PLUGIN |
6fbf66fa JY |
3457 | /* initialize plugins */ |
3458 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
e1791bb1 | 3459 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); |
3c7f2f55 | 3460 | #endif |
6fbf66fa JY |
3461 | |
3462 | /* should we enable fast I/O? */ | |
3463 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3464 | do_setup_fast_io (c); | |
3465 | ||
3466 | /* should we throw a signal on TLS errors? */ | |
3467 | do_signal_on_tls_errors (c); | |
3468 | ||
3469 | /* open --status file */ | |
3470 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3471 | do_open_status_output (c); | |
3472 | ||
3473 | /* open --ifconfig-pool-persist file */ | |
3474 | if (c->mode == CM_TOP) | |
3475 | do_open_ifconfig_pool_persist (c); | |
3476 | ||
3477 | #ifdef ENABLE_OCC | |
3478 | /* reset OCC state */ | |
3479 | if (c->mode == CM_P2P || child) | |
3480 | c->c2.occ_op = occ_reset_op (); | |
3481 | #endif | |
3482 | ||
3483 | /* our wait-for-i/o objects, different for posix vs. win32 */ | |
3484 | if (c->mode == CM_P2P) | |
3485 | do_event_set_init (c, SHAPER_DEFINED (&c->options)); | |
3486 | else if (c->mode == CM_CHILD_TCP) | |
3487 | do_event_set_init (c, false); | |
3488 | ||
4e9a51d7 | 3489 | /* initialize HTTP or SOCKS proxy object at scope level 2 */ |
23d61c56 | 3490 | init_proxy (c); |
4e9a51d7 | 3491 | |
6fbf66fa JY |
3492 | /* allocate our socket object */ |
3493 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
3494 | do_link_socket_new (c); | |
3495 | ||
3496 | #ifdef ENABLE_FRAGMENT | |
3497 | /* initialize internal fragmentation object */ | |
76809cae | 3498 | if (options->ce.fragment && (c->mode == CM_P2P || child)) |
6fbf66fa JY |
3499 | c->c2.fragment = fragment_init (&c->c2.frame); |
3500 | #endif | |
3501 | ||
3502 | /* init crypto layer */ | |
3503 | { | |
3504 | unsigned int crypto_flags = 0; | |
3505 | if (c->mode == CM_TOP) | |
3506 | crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; | |
3507 | else if (c->mode == CM_P2P) | |
3508 | crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; | |
3509 | else if (child) | |
3510 | crypto_flags = CF_INIT_TLS_MULTI; | |
3511 | do_init_crypto (c, crypto_flags); | |
76a59eae | 3512 | if (IS_SIG (c) && !child) |
6fbf66fa JY |
3513 | goto sig; |
3514 | } | |
3515 | ||
38d96bd7 JY |
3516 | #ifdef USE_COMP |
3517 | /* initialize compression library. */ | |
3518 | if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child)) | |
3519 | c->c2.comp_context = comp_init (&options->comp); | |
6fbf66fa JY |
3520 | #endif |
3521 | ||
3522 | /* initialize MTU variables */ | |
3523 | do_init_frame (c); | |
3524 | ||
3525 | /* initialize TLS MTU variables */ | |
3526 | do_init_frame_tls (c); | |
3527 | ||
3528 | /* init workspace buffers whose size is derived from frame size */ | |
3529 | if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) | |
3530 | do_init_buffers (c); | |
3531 | ||
3532 | #ifdef ENABLE_FRAGMENT | |
3533 | /* initialize internal fragmentation capability with known frame size */ | |
76809cae | 3534 | if (options->ce.fragment && (c->mode == CM_P2P || child)) |
6fbf66fa JY |
3535 | do_init_fragment (c); |
3536 | #endif | |
3537 | ||
3538 | /* initialize dynamic MTU variable */ | |
3539 | do_init_mssfix (c); | |
3540 | ||
3541 | /* bind the TCP/UDP socket */ | |
3542 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
3543 | do_init_socket_1 (c, link_socket_mode); | |
3544 | ||
3545 | /* initialize tun/tap device object, | |
3546 | open tun/tap device, ifconfig, run up script, etc. */ | |
3547 | if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
3548 | c->c2.did_open_tun = do_open_tun (c); | |
3549 | ||
3550 | /* print MTU info */ | |
3551 | do_print_data_channel_mtu_parms (c); | |
3552 | ||
3553 | #ifdef ENABLE_OCC | |
3554 | /* get local and remote options compatibility strings */ | |
3555 | if (c->mode == CM_P2P || child) | |
3556 | do_compute_occ_strings (c); | |
3557 | #endif | |
3558 | ||
3559 | /* initialize output speed limiter */ | |
3560 | if (c->mode == CM_P2P) | |
3561 | do_init_traffic_shaper (c); | |
3562 | ||
3563 | /* do one-time inits, and possibily become a daemon here */ | |
3564 | do_init_first_time (c); | |
3565 | ||
e1791bb1 JY |
3566 | #ifdef ENABLE_PLUGIN |
3567 | /* initialize plugins */ | |
3568 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3569 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); | |
3570 | #endif | |
3571 | ||
6fbf66fa JY |
3572 | /* |
3573 | * Actually do UID/GID downgrade, and chroot, if requested. | |
3574 | * May be delayed by --client, --pull, or --up-delay. | |
3575 | */ | |
3576 | do_uid_gid_chroot (c, c->c2.did_open_tun); | |
3577 | ||
3578 | /* finalize the TCP/UDP socket */ | |
3579 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
3580 | do_init_socket_2 (c); | |
3581 | ||
3582 | /* initialize timers */ | |
3583 | if (c->mode == CM_P2P || child) | |
3584 | do_init_timers (c, false); | |
3585 | ||
e1791bb1 JY |
3586 | #ifdef ENABLE_PLUGIN |
3587 | /* initialize plugins */ | |
3588 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3589 | open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); | |
3590 | #endif | |
3591 | ||
6add6b2f JY |
3592 | #if PORT_SHARE |
3593 | /* share OpenVPN port with foreign (such as HTTPS) server */ | |
3594 | if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
3595 | init_port_share (c); | |
3596 | #endif | |
3597 | ||
47ae8457 JY |
3598 | #ifdef ENABLE_PF |
3599 | if (child) | |
3600 | pf_init_context (c); | |
3601 | #endif | |
3602 | ||
6fbf66fa JY |
3603 | /* Check for signals */ |
3604 | if (IS_SIG (c)) | |
3605 | goto sig; | |
3606 | ||
3607 | return; | |
3608 | ||
3609 | sig: | |
8d33c060 JY |
3610 | if (!c->sig->signal_text) |
3611 | c->sig->signal_text = "init_instance"; | |
6fbf66fa JY |
3612 | close_context (c, -1, flags); |
3613 | return; | |
3614 | } | |
3615 | ||
3616 | /* | |
3617 | * Close a tunnel instance. | |
3618 | */ | |
3619 | void | |
3620 | close_instance (struct context *c) | |
3621 | { | |
3622 | /* close event objects */ | |
3623 | do_close_event_set (c); | |
3624 | ||
3625 | if (c->mode == CM_P2P | |
3626 | || c->mode == CM_CHILD_TCP | |
3627 | || c->mode == CM_CHILD_UDP | |
3628 | || c->mode == CM_TOP) | |
3629 | { | |
3630 | /* if xinetd/inetd mode, don't allow restart */ | |
3631 | do_close_check_if_restart_permitted (c); | |
3632 | ||
38d96bd7 JY |
3633 | #ifdef USE_COMP |
3634 | if (c->c2.comp_context) | |
3635 | { | |
3636 | comp_uninit (c->c2.comp_context); | |
3637 | c->c2.comp_context = NULL; | |
3638 | } | |
6fbf66fa JY |
3639 | #endif |
3640 | ||
3641 | /* free buffers */ | |
3642 | do_close_free_buf (c); | |
3643 | ||
3644 | /* close TLS */ | |
3645 | do_close_tls (c); | |
3646 | ||
3647 | /* free key schedules */ | |
3648 | do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP)); | |
3649 | ||
3650 | /* close TCP/UDP connection */ | |
3651 | do_close_link_socket (c); | |
3652 | ||
3653 | /* close TUN/TAP device */ | |
3654 | do_close_tun (c, false); | |
3655 | ||
90efcacb JY |
3656 | #ifdef MANAGEMENT_DEF_AUTH |
3657 | if (management) | |
3658 | management_notify_client_close (management, &c->c2.mda_context, NULL); | |
3659 | #endif | |
3660 | ||
47ae8457 JY |
3661 | #ifdef ENABLE_PF |
3662 | pf_destroy_context (&c->c2.pf); | |
3663 | #endif | |
3664 | ||
3c7f2f55 | 3665 | #ifdef ENABLE_PLUGIN |
6fbf66fa JY |
3666 | /* call plugin close functions and unload */ |
3667 | do_close_plugins (c); | |
3c7f2f55 | 3668 | #endif |
6fbf66fa JY |
3669 | |
3670 | /* close packet-id persistance file */ | |
3671 | do_close_packet_id (c); | |
3672 | ||
3673 | /* close --status file */ | |
3674 | do_close_status_output (c); | |
3675 | ||
3676 | #ifdef ENABLE_FRAGMENT | |
3677 | /* close fragmentation handler */ | |
3678 | do_close_fragment (c); | |
3679 | #endif | |
3680 | ||
3681 | /* close --ifconfig-pool-persist obj */ | |
3682 | do_close_ifconfig_pool_persist (c); | |
3683 | ||
2a64816b JY |
3684 | /* free up environmental variable store */ |
3685 | do_env_set_destroy (c); | |
3686 | ||
4e9a51d7 JY |
3687 | /* close HTTP or SOCKS proxy */ |
3688 | uninit_proxy (c); | |
3689 | ||
6fbf66fa JY |
3690 | /* garbage collect */ |
3691 | gc_free (&c->c2.gc); | |
3692 | } | |
3693 | } | |
3694 | ||
3695 | void | |
3696 | inherit_context_child (struct context *dest, | |
3697 | const struct context *src) | |
3698 | { | |
3699 | CLEAR (*dest); | |
3700 | ||
8335caf9 JC |
3701 | /* proto_is_dgram will ASSERT(0) if proto is invalid */ |
3702 | dest->mode = proto_is_dgram(src->options.ce.proto)? CM_CHILD_UDP : CM_CHILD_TCP; | |
6fbf66fa | 3703 | |
6fbf66fa JY |
3704 | dest->gc = gc_new (); |
3705 | ||
3706 | ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc); | |
3707 | ||
3708 | /* c1 init */ | |
3709 | packet_id_persist_init (&dest->c1.pid_persist); | |
3710 | ||
9b33b5a4 | 3711 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 3712 | dest->c1.ks.key_type = src->c1.ks.key_type; |
6fbf66fa JY |
3713 | /* inherit SSL context */ |
3714 | dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; | |
3715 | dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key; | |
6fbf66fa JY |
3716 | #endif |
3717 | ||
3718 | /* options */ | |
3719 | dest->options = src->options; | |
3720 | options_detach (&dest->options); | |
3721 | ||
3722 | if (dest->mode == CM_CHILD_TCP) | |
3723 | { | |
3724 | /* | |
3725 | * The CM_TOP context does the socket listen(), | |
3726 | * and the CM_CHILD_TCP context does the accept(). | |
3727 | */ | |
3728 | dest->c2.accept_from = src->c2.link_socket; | |
3729 | } | |
3730 | ||
3c7f2f55 | 3731 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 3732 | /* inherit plugins */ |
3c7f2f55 JY |
3733 | do_inherit_plugins (dest, src); |
3734 | #endif | |
6fbf66fa JY |
3735 | |
3736 | /* context init */ | |
79df31c8 | 3737 | init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); |
6fbf66fa JY |
3738 | if (IS_SIG (dest)) |
3739 | return; | |
3740 | ||
3741 | /* inherit tun/tap interface object */ | |
3742 | dest->c1.tuntap = src->c1.tuntap; | |
3743 | ||
3744 | /* UDP inherits some extra things which TCP does not */ | |
3745 | if (dest->mode == CM_CHILD_UDP) | |
3746 | { | |
3747 | /* inherit buffers */ | |
3748 | dest->c2.buffers = src->c2.buffers; | |
3749 | ||
3750 | /* inherit parent link_socket and tuntap */ | |
3751 | dest->c2.link_socket = src->c2.link_socket; | |
3752 | ||
3753 | ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc); | |
3754 | *dest->c2.link_socket_info = src->c2.link_socket->info; | |
3755 | ||
3756 | /* locally override some link_socket_info fields */ | |
3757 | dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; | |
3758 | dest->c2.link_socket_info->connection_established = false; | |
3759 | } | |
3760 | } | |
3761 | ||
3762 | void | |
3763 | inherit_context_top (struct context *dest, | |
3764 | const struct context *src) | |
3765 | { | |
3766 | /* copy parent */ | |
3767 | *dest = *src; | |
3768 | ||
3769 | /* | |
3770 | * CM_TOP_CLONE will prevent close_instance from freeing or closing | |
3771 | * resources owned by the parent. | |
3772 | * | |
3773 | * Also note that CM_TOP_CLONE context objects are | |
3774 | * closed by multi_top_free in multi.c. | |
3775 | */ | |
3776 | dest->mode = CM_TOP_CLONE; | |
3777 | ||
3778 | dest->first_time = false; | |
92bbb061 | 3779 | dest->c0 = NULL; |
6fbf66fa JY |
3780 | |
3781 | options_detach (&dest->options); | |
3782 | gc_detach (&dest->gc); | |
3783 | gc_detach (&dest->c2.gc); | |
3784 | ||
3c7f2f55 JY |
3785 | /* detach plugins */ |
3786 | dest->plugins_owned = false; | |
3787 | ||
ec828db6 | 3788 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
3789 | dest->c2.tls_multi = NULL; |
3790 | #endif | |
3791 | ||
3c7f2f55 | 3792 | /* detach c1 ownership */ |
6fbf66fa JY |
3793 | dest->c1.tuntap_owned = false; |
3794 | dest->c1.status_output_owned = false; | |
3795 | #if P2MP_SERVER | |
3796 | dest->c1.ifconfig_pool_persist_owned = false; | |
3797 | #endif | |
3c7f2f55 JY |
3798 | |
3799 | /* detach c2 ownership */ | |
6fbf66fa JY |
3800 | dest->c2.event_set_owned = false; |
3801 | dest->c2.link_socket_owned = false; | |
3802 | dest->c2.buffers_owned = false; | |
2a64816b | 3803 | dest->c2.es_owned = false; |
6fbf66fa JY |
3804 | |
3805 | dest->c2.event_set = NULL; | |
8335caf9 | 3806 | if (proto_is_dgram(src->options.ce.proto)) |
6fbf66fa | 3807 | do_event_set_init (dest, false); |
38d96bd7 JY |
3808 | |
3809 | #ifdef USE_COMP | |
3810 | dest->c2.comp_context = NULL; | |
3811 | #endif | |
6fbf66fa JY |
3812 | } |
3813 | ||
3814 | void | |
3815 | close_context (struct context *c, int sig, unsigned int flags) | |
3816 | { | |
79df31c8 JY |
3817 | ASSERT (c); |
3818 | ASSERT (c->sig); | |
3819 | ||
6fbf66fa JY |
3820 | if (sig >= 0) |
3821 | c->sig->signal_received = sig; | |
3822 | ||
3823 | if (c->sig->signal_received == SIGUSR1) | |
3824 | { | |
3825 | if ((flags & CC_USR1_TO_HUP) | |
23d61c56 | 3826 | || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) |
c058cbff AS |
3827 | { |
3828 | c->sig->signal_received = SIGHUP; | |
3829 | c->sig->signal_text = "close_context usr1 to hup"; | |
3830 | } | |
6fbf66fa JY |
3831 | } |
3832 | ||
79df31c8 JY |
3833 | if (!(flags & CC_NO_CLOSE)) |
3834 | close_instance (c); | |
6fbf66fa JY |
3835 | |
3836 | if (flags & CC_GC_FREE) | |
3837 | context_gc_free (c); | |
3838 | } | |
3839 | ||
9b33b5a4 | 3840 | #ifdef ENABLE_CRYPTO |
6fbf66fa | 3841 | |
6fbf66fa JY |
3842 | /* |
3843 | * Do a loopback test | |
3844 | * on the crypto subsystem. | |
3845 | */ | |
3846 | static void * | |
3847 | test_crypto_thread (void *arg) | |
3848 | { | |
3849 | struct context *c = (struct context *) arg; | |
3850 | const struct options *options = &c->options; | |
6fbf66fa JY |
3851 | |
3852 | ASSERT (options->test_crypto); | |
3853 | init_verb_mute (c, IVM_LEVEL_1); | |
3854 | context_init_1 (c); | |
23d61c56 | 3855 | next_connection_entry(c); |
6fbf66fa JY |
3856 | do_init_crypto_static (c, 0); |
3857 | ||
6fbf66fa JY |
3858 | frame_finalize_options (c, options); |
3859 | ||
6fbf66fa JY |
3860 | test_crypto (&c->c2.crypto_options, &c->c2.frame); |
3861 | ||
3862 | key_schedule_free (&c->c1.ks, true); | |
3863 | packet_id_free (&c->c2.packet_id); | |
3864 | ||
6fbf66fa JY |
3865 | context_gc_free (c); |
3866 | return NULL; | |
3867 | } | |
3868 | ||
3869 | #endif | |
3870 | ||
3871 | bool | |
3872 | do_test_crypto (const struct options *o) | |
3873 | { | |
9b33b5a4 | 3874 | #ifdef ENABLE_CRYPTO |
6fbf66fa JY |
3875 | if (o->test_crypto) |
3876 | { | |
3877 | struct context c; | |
3878 | ||
3879 | /* print version number */ | |
3880 | msg (M_INFO, "%s", title_string); | |
3881 | ||
3c7f2f55 | 3882 | context_clear (&c); |
6fbf66fa JY |
3883 | c.options = *o; |
3884 | options_detach (&c.options); | |
3885 | c.first_time = true; | |
3886 | test_crypto_thread ((void *) &c); | |
3887 | return true; | |
3888 | } | |
3889 | #endif | |
3890 | return false; | |
3891 | } |