]>
Commit | Line | Data |
---|---|---|
6fbf66fa JY |
1 | /* |
2 | * OpenVPN -- An application to securely tunnel IP networks | |
3 | * over a single TCP/UDP port, with support for SSL/TLS-based | |
4 | * session authentication and key exchange, | |
5 | * packet encryption, packet authentication, and | |
6 | * packet compression. | |
7 | * | |
49979459 | 8 | * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> |
6fbf66fa JY |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License version 2 | |
12 | * as published by the Free Software Foundation. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | * GNU General Public License for more details. | |
18 | * | |
caa54ac3 DS |
19 | * You should have received a copy of the GNU General Public License along |
20 | * with this program; if not, write to the Free Software Foundation, Inc., | |
21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
6fbf66fa JY |
22 | */ |
23 | ||
c110b289 ABL |
24 | #ifdef HAVE_CONFIG_H |
25 | #include "config.h" | |
26 | #elif defined(_MSC_VER) | |
27 | #include "config-msvc.h" | |
28 | #endif | |
29 | ||
6fbf66fa JY |
30 | #include "syshead.h" |
31 | ||
c5931897 CH |
32 | #ifdef ENABLE_SYSTEMD |
33 | #include <systemd/sd-daemon.h> | |
34 | #endif | |
35 | ||
6fbf66fa JY |
36 | #include "win32.h" |
37 | #include "init.h" | |
bf97c00f | 38 | #include "run_command.h" |
6fbf66fa JY |
39 | #include "sig.h" |
40 | #include "occ.h" | |
41 | #include "list.h" | |
42 | #include "otime.h" | |
43 | #include "pool.h" | |
44 | #include "gremlin.h" | |
a54f37d8 | 45 | #include "occ.h" |
ce98fd24 | 46 | #include "pkcs11.h" |
6add6b2f | 47 | #include "ps.h" |
e12fe286 | 48 | #include "lladdr.h" |
e7a65dfb | 49 | #include "ping.h" |
ffea644c | 50 | #include "mstats.h" |
63dc03d0 | 51 | #include "ssl_verify.h" |
c6e24fa3 | 52 | #include "tls_crypt.h" |
a54f37d8 | 53 | #include "forward.h" |
6fbf66fa JY |
54 | |
55 | #include "memdbg.h" | |
56 | ||
6fbf66fa | 57 | |
0c9eb1d3 JY |
58 | static struct context *static_context; /* GLOBAL */ |
59 | ||
6fbf66fa JY |
60 | /* |
61 | * Crypto initialization flags | |
62 | */ | |
63 | #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) | |
64 | #define CF_INIT_TLS_MULTI (1<<1) | |
65 | #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) | |
66 | ||
81d882d5 | 67 | static void do_init_first_time(struct context *c); |
6fbf66fa JY |
68 | |
69 | void | |
81d882d5 | 70 | context_clear(struct context *c) |
6fbf66fa | 71 | { |
81d882d5 | 72 | CLEAR(*c); |
6fbf66fa JY |
73 | } |
74 | ||
75 | void | |
81d882d5 | 76 | context_clear_1(struct context *c) |
6fbf66fa | 77 | { |
81d882d5 | 78 | CLEAR(c->c1); |
6fbf66fa JY |
79 | } |
80 | ||
81 | void | |
81d882d5 | 82 | context_clear_2(struct context *c) |
6fbf66fa | 83 | { |
81d882d5 | 84 | CLEAR(c->c2); |
6fbf66fa JY |
85 | } |
86 | ||
87 | void | |
81d882d5 | 88 | context_clear_all_except_first_time(struct context *c) |
6fbf66fa | 89 | { |
81d882d5 DS |
90 | const bool first_time_save = c->first_time; |
91 | const struct context_persist cpsave = c->persist; | |
92 | context_clear(c); | |
93 | c->first_time = first_time_save; | |
94 | c->persist = cpsave; | |
6fbf66fa JY |
95 | } |
96 | ||
4a9d1d70 SK |
97 | /* |
98 | * Pass tunnel endpoint and MTU parms to a user-supplied script. | |
99 | * Used to execute the up/down script/plugins. | |
100 | */ | |
101 | static void | |
102 | run_up_down(const char *command, | |
103 | const struct plugin_list *plugins, | |
104 | int plugin_type, | |
105 | const char *arg, | |
106 | #ifdef _WIN32 | |
107 | DWORD adapter_index, | |
108 | #endif | |
109 | const char *dev_type, | |
110 | int tun_mtu, | |
111 | int link_mtu, | |
112 | const char *ifconfig_local, | |
113 | const char *ifconfig_remote, | |
114 | const char *context, | |
115 | const char *signal_text, | |
116 | const char *script_type, | |
117 | struct env_set *es) | |
118 | { | |
119 | struct gc_arena gc = gc_new(); | |
120 | ||
121 | if (signal_text) | |
122 | { | |
123 | setenv_str(es, "signal", signal_text); | |
124 | } | |
125 | setenv_str(es, "script_context", context); | |
126 | setenv_int(es, "tun_mtu", tun_mtu); | |
127 | setenv_int(es, "link_mtu", link_mtu); | |
128 | setenv_str(es, "dev", arg); | |
129 | if (dev_type) | |
130 | { | |
131 | setenv_str(es, "dev_type", dev_type); | |
132 | } | |
133 | #ifdef _WIN32 | |
134 | setenv_int(es, "dev_idx", adapter_index); | |
135 | #endif | |
136 | ||
137 | if (!ifconfig_local) | |
138 | { | |
139 | ifconfig_local = ""; | |
140 | } | |
141 | if (!ifconfig_remote) | |
142 | { | |
143 | ifconfig_remote = ""; | |
144 | } | |
145 | if (!context) | |
146 | { | |
147 | context = ""; | |
148 | } | |
149 | ||
150 | if (plugin_defined(plugins, plugin_type)) | |
151 | { | |
152 | struct argv argv = argv_new(); | |
153 | ASSERT(arg); | |
154 | argv_printf(&argv, | |
155 | "%s %d %d %s %s %s", | |
156 | arg, | |
157 | tun_mtu, link_mtu, | |
158 | ifconfig_local, ifconfig_remote, | |
159 | context); | |
160 | ||
161 | if (plugin_call(plugins, plugin_type, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) | |
162 | { | |
163 | msg(M_FATAL, "ERROR: up/down plugin call failed"); | |
164 | } | |
165 | ||
166 | argv_reset(&argv); | |
167 | } | |
168 | ||
169 | if (command) | |
170 | { | |
171 | struct argv argv = argv_new(); | |
172 | ASSERT(arg); | |
173 | setenv_str(es, "script_type", script_type); | |
174 | argv_parse_cmd(&argv, command); | |
175 | argv_printf_cat(&argv, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu, | |
176 | ifconfig_local, ifconfig_remote, context); | |
177 | argv_msg(M_INFO, &argv); | |
178 | openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); | |
179 | argv_reset(&argv); | |
180 | } | |
181 | ||
182 | gc_free(&gc); | |
183 | } | |
184 | ||
6fbf66fa | 185 | /* |
4e9a51d7 JY |
186 | * Should be called after options->ce is modified at the top |
187 | * of a SIGUSR1 restart. | |
6fbf66fa JY |
188 | */ |
189 | static void | |
81d882d5 | 190 | update_options_ce_post(struct options *options) |
6fbf66fa | 191 | { |
4e9a51d7 | 192 | #if P2MP |
81d882d5 DS |
193 | /* |
194 | * In pull mode, we usually import --ping/--ping-restart parameters from | |
195 | * the server. However we should also set an initial default --ping-restart | |
196 | * for the period of time before we pull the --ping-restart parameter | |
197 | * from the server. | |
198 | */ | |
199 | if (options->pull | |
200 | && options->ping_rec_timeout_action == PING_UNDEF | |
201 | && proto_is_dgram(options->ce.proto)) | |
4e9a51d7 | 202 | { |
81d882d5 DS |
203 | options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART; |
204 | options->ping_rec_timeout_action = PING_RESTART; | |
4e9a51d7 JY |
205 | } |
206 | #endif | |
4e9a51d7 | 207 | } |
6fbf66fa | 208 | |
af1bf85a | 209 | #ifdef ENABLE_MANAGEMENT |
3cf6c932 | 210 | static bool |
81d882d5 | 211 | management_callback_proxy_cmd(void *arg, const char **p) |
3cf6c932 | 212 | { |
81d882d5 DS |
213 | struct context *c = arg; |
214 | struct connection_entry *ce = &c->options.ce; | |
215 | struct gc_arena *gc = &c->c2.gc; | |
216 | bool ret = false; | |
3cf6c932 | 217 | |
81d882d5 DS |
218 | update_time(); |
219 | if (streq(p[1], "NONE")) | |
220 | { | |
221 | ret = true; | |
222 | } | |
223 | else if (p[2] && p[3]) | |
af1bf85a | 224 | { |
81d882d5 | 225 | if (streq(p[1], "HTTP")) |
af1bf85a | 226 | { |
81d882d5 DS |
227 | struct http_proxy_options *ho; |
228 | if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT) | |
e719a053 | 229 | { |
81d882d5 DS |
230 | msg(M_WARN, "HTTP proxy support only works for TCP based connections"); |
231 | return false; | |
af1bf85a | 232 | } |
81d882d5 DS |
233 | ho = init_http_proxy_options_once(&ce->http_proxy_options, gc); |
234 | ho->server = string_alloc(p[2], gc); | |
235 | ho->port = string_alloc(p[3], gc); | |
236 | ho->auth_retry = (p[4] && streq(p[4], "nct") ? PAR_NCT : PAR_ALL); | |
237 | ret = true; | |
af1bf85a | 238 | } |
81d882d5 | 239 | else if (streq(p[1], "SOCKS")) |
af1bf85a | 240 | { |
81d882d5 | 241 | ce->socks_proxy_server = string_alloc(p[2], gc); |
aa9d3a5b | 242 | ce->socks_proxy_port = string_alloc(p[3], gc); |
81d882d5 | 243 | ret = true; |
af1bf85a | 244 | } |
3cf6c932 | 245 | } |
81d882d5 DS |
246 | else |
247 | { | |
248 | msg(M_WARN, "Bad proxy command"); | |
249 | } | |
3cf6c932 | 250 | |
81d882d5 | 251 | ce->flags &= ~CE_MAN_QUERY_PROXY; |
3cf6c932 | 252 | |
81d882d5 | 253 | return ret; |
3cf6c932 JY |
254 | } |
255 | ||
256 | static bool | |
81d882d5 DS |
257 | ce_management_query_proxy(struct context *c) |
258 | { | |
259 | const struct connection_list *l = c->options.connection_list; | |
260 | struct connection_entry *ce = &c->options.ce; | |
261 | struct gc_arena gc; | |
262 | bool ret = true; | |
263 | ||
264 | update_time(); | |
265 | if (management) | |
266 | { | |
267 | gc = gc_new(); | |
268 | { | |
269 | struct buffer out = alloc_buf_gc(256, &gc); | |
270 | buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, | |
271 | (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote)); | |
272 | management_notify_generic(management, BSTR(&out)); | |
273 | } | |
274 | ce->flags |= CE_MAN_QUERY_PROXY; | |
275 | while (ce->flags & CE_MAN_QUERY_PROXY) | |
276 | { | |
277 | management_event_loop_n_seconds(management, 1); | |
278 | if (IS_SIG(c)) | |
af1bf85a | 279 | { |
81d882d5 DS |
280 | ret = false; |
281 | break; | |
af1bf85a HH |
282 | } |
283 | } | |
81d882d5 | 284 | gc_free(&gc); |
3cf6c932 | 285 | } |
af1bf85a | 286 | |
81d882d5 | 287 | return ret; |
3cf6c932 JY |
288 | } |
289 | ||
3cf6c932 | 290 | |
54561af6 | 291 | static bool |
81d882d5 DS |
292 | management_callback_remote_cmd(void *arg, const char **p) |
293 | { | |
294 | struct context *c = (struct context *) arg; | |
295 | struct connection_entry *ce = &c->options.ce; | |
296 | int ret = false; | |
297 | if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
298 | { | |
299 | int flags = 0; | |
300 | if (!strcmp(p[1], "ACCEPT")) | |
301 | { | |
302 | flags = CE_MAN_QUERY_REMOTE_ACCEPT; | |
303 | ret = true; | |
304 | } | |
305 | else if (!strcmp(p[1], "SKIP")) | |
306 | { | |
307 | flags = CE_MAN_QUERY_REMOTE_SKIP; | |
308 | ret = true; | |
309 | } | |
310 | else if (!strcmp(p[1], "MOD") && p[2] && p[3]) | |
311 | { | |
312 | if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) | |
313 | { | |
314 | struct remote_host_store *rhs = c->options.rh_store; | |
315 | if (!rhs) | |
316 | { | |
317 | ALLOC_OBJ_CLEAR_GC(rhs, struct remote_host_store, &c->options.gc); | |
318 | c->options.rh_store = rhs; | |
319 | } | |
320 | strncpynt(rhs->host, p[2], RH_HOST_LEN); | |
321 | strncpynt(rhs->port, p[3], RH_PORT_LEN); | |
322 | ||
323 | ce->remote = rhs->host; | |
324 | ce->remote_port = rhs->port; | |
325 | flags = CE_MAN_QUERY_REMOTE_MOD; | |
326 | ret = true; | |
327 | } | |
328 | } | |
329 | if (ret) | |
330 | { | |
331 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); | |
332 | ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT); | |
333 | } | |
334 | } | |
335 | return ret; | |
54561af6 JY |
336 | } |
337 | ||
338 | static bool | |
81d882d5 DS |
339 | ce_management_query_remote(struct context *c) |
340 | { | |
341 | struct gc_arena gc = gc_new(); | |
342 | volatile struct connection_entry *ce = &c->options.ce; | |
e81f313a DS |
343 | int ce_changed = true; /* presume the connection entry will be changed */ |
344 | ||
81d882d5 DS |
345 | update_time(); |
346 | if (management) | |
347 | { | |
348 | struct buffer out = alloc_buf_gc(256, &gc); | |
e81f313a DS |
349 | |
350 | buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, | |
351 | proto2ascii(ce->proto, ce->af, false)); | |
81d882d5 | 352 | management_notify_generic(management, BSTR(&out)); |
e81f313a DS |
353 | |
354 | ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); | |
355 | ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); | |
356 | while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) | |
357 | & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) | |
81d882d5 DS |
358 | { |
359 | management_event_loop_n_seconds(management, 1); | |
360 | if (IS_SIG(c)) | |
361 | { | |
e81f313a | 362 | ce_changed = false; /* connection entry have not been set */ |
81d882d5 DS |
363 | break; |
364 | } | |
365 | } | |
366 | } | |
e81f313a DS |
367 | gc_free(&gc); |
368 | ||
369 | if (ce_changed) | |
81d882d5 | 370 | { |
e81f313a DS |
371 | /* If it is likely a connection entry was modified, |
372 | * check what changed in the flags and that it was not skipped | |
373 | */ | |
374 | const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) | |
375 | & CE_MAN_QUERY_REMOTE_MASK); | |
376 | ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP); | |
81d882d5 | 377 | } |
e81f313a | 378 | return ce_changed; |
54561af6 | 379 | } |
cf93f0e0 | 380 | #endif /* ENABLE_MANAGEMENT */ |
54561af6 | 381 | |
4e9a51d7 JY |
382 | /* |
383 | * Initialize and possibly randomize connection list. | |
384 | */ | |
385 | static void | |
81d882d5 | 386 | init_connection_list(struct context *c) |
4e9a51d7 | 387 | { |
81d882d5 | 388 | struct connection_list *l = c->options.connection_list; |
23d61c56 | 389 | |
81d882d5 DS |
390 | l->current = -1; |
391 | if (c->options.remote_random) | |
6fbf66fa | 392 | { |
81d882d5 DS |
393 | int i; |
394 | for (i = 0; i < l->len; ++i) | |
23d61c56 | 395 | { |
81d882d5 DS |
396 | const int j = get_random() % l->len; |
397 | if (i != j) | |
23d61c56 | 398 | { |
81d882d5 DS |
399 | struct connection_entry *tmp; |
400 | tmp = l->array[i]; | |
401 | l->array[i] = l->array[j]; | |
402 | l->array[j] = tmp; | |
23d61c56 AS |
403 | } |
404 | } | |
6fbf66fa | 405 | } |
4e9a51d7 JY |
406 | } |
407 | ||
23d61c56 AS |
408 | /* |
409 | * Clear the remote address list | |
410 | */ | |
81d882d5 DS |
411 | static void |
412 | clear_remote_addrlist(struct link_socket_addr *lsa, bool free) | |
23d61c56 | 413 | { |
e719a053 | 414 | if (lsa->remote_list && free) |
81d882d5 DS |
415 | { |
416 | freeaddrinfo(lsa->remote_list); | |
417 | } | |
23d61c56 AS |
418 | lsa->remote_list = NULL; |
419 | lsa->current_remote = NULL; | |
420 | } | |
421 | ||
4e9a51d7 JY |
422 | /* |
423 | * Increment to next connection entry | |
424 | */ | |
425 | static void | |
81d882d5 DS |
426 | next_connection_entry(struct context *c) |
427 | { | |
428 | struct connection_list *l = c->options.connection_list; | |
429 | bool ce_defined; | |
430 | struct connection_entry *ce; | |
431 | int n_cycles = 0; | |
432 | ||
4cd4899e SK |
433 | do |
434 | { | |
81d882d5 DS |
435 | ce_defined = true; |
436 | if (c->options.no_advance && l->current >= 0) | |
437 | { | |
438 | c->options.no_advance = false; | |
439 | } | |
23d61c56 | 440 | else |
81d882d5 DS |
441 | { |
442 | /* Check if there is another resolved address to try for | |
443 | * the current connection */ | |
444 | if (c->c1.link_socket_addr.current_remote | |
445 | && c->c1.link_socket_addr.current_remote->ai_next) | |
446 | { | |
23d61c56 | 447 | c->c1.link_socket_addr.current_remote = |
81d882d5 DS |
448 | c->c1.link_socket_addr.current_remote->ai_next; |
449 | } | |
450 | else | |
451 | { | |
452 | /* FIXME (schwabe) fix the persist-remote-ip option for real, | |
453 | * this is broken probably ever since connection lists and multiple | |
454 | * remote existed | |
455 | */ | |
456 | if (!c->options.persist_remote_ip) | |
457 | { | |
458 | /* close_instance should have cleared the addrinfo objects */ | |
459 | ASSERT(c->c1.link_socket_addr.current_remote == NULL); | |
460 | ASSERT(c->c1.link_socket_addr.remote_list == NULL); | |
461 | } | |
462 | else | |
463 | { | |
464 | c->c1.link_socket_addr.current_remote = | |
465 | c->c1.link_socket_addr.remote_list; | |
466 | } | |
467 | ||
468 | /* | |
469 | * Increase the number of connection attempts | |
470 | * If this is connect-retry-max * size(l) | |
471 | * OpenVPN will quit | |
472 | */ | |
473 | ||
474 | c->options.unsuccessful_attempts++; | |
475 | ||
476 | if (++l->current >= l->len) | |
477 | { | |
478 | ||
479 | l->current = 0; | |
480 | if (++n_cycles >= 2) | |
481 | { | |
482 | msg(M_FATAL, "No usable connection profiles are present"); | |
483 | } | |
484 | } | |
485 | } | |
486 | } | |
3cf6c932 | 487 | |
81d882d5 | 488 | ce = l->array[l->current]; |
3cf6c932 | 489 | |
81d882d5 DS |
490 | if (ce->flags & CE_DISABLED) |
491 | { | |
492 | ce_defined = false; | |
493 | } | |
3cf6c932 | 494 | |
81d882d5 | 495 | c->options.ce = *ce; |
cf93f0e0 | 496 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
497 | if (ce_defined && management && management_query_remote_enabled(management)) |
498 | { | |
499 | /* allow management interface to override connection entry details */ | |
500 | ce_defined = ce_management_query_remote(c); | |
501 | if (IS_SIG(c)) | |
502 | { | |
503 | break; | |
504 | } | |
505 | } | |
7b02cc2a | 506 | else if (ce_defined && management && management_query_proxy_enabled(management)) |
23d61c56 | 507 | { |
81d882d5 DS |
508 | ce_defined = ce_management_query_proxy(c); |
509 | if (IS_SIG(c)) | |
510 | { | |
511 | break; | |
512 | } | |
23d61c56 | 513 | } |
3cf6c932 | 514 | #endif |
81d882d5 | 515 | } while (!ce_defined); |
23d61c56 | 516 | |
81d882d5 DS |
517 | /* Check if this connection attempt would bring us over the limit */ |
518 | if (c->options.connect_retry_max > 0 | |
519 | && c->options.unsuccessful_attempts > (l->len * c->options.connect_retry_max)) | |
520 | { | |
521 | msg(M_FATAL, "All connections have been connect-retry-max (%d) times unsuccessful, exiting", | |
522 | c->options.connect_retry_max); | |
523 | } | |
524 | update_options_ce_post(&c->options); | |
6fbf66fa JY |
525 | } |
526 | ||
92bbb061 JY |
527 | /* |
528 | * Query for private key and auth-user-pass username/passwords | |
529 | */ | |
315f6fbc | 530 | void |
81d882d5 | 531 | init_query_passwords(const struct context *c) |
92bbb061 | 532 | { |
81d882d5 DS |
533 | /* Certificate password input */ |
534 | if (c->options.key_pass_file) | |
535 | { | |
536 | pem_password_setup(c->options.key_pass_file); | |
537 | } | |
81d882d5 | 538 | |
92bbb061 | 539 | #if P2MP |
81d882d5 DS |
540 | /* Auth user/pass input */ |
541 | if (c->options.auth_user_pass_file) | |
eab3e22f | 542 | { |
66b9409b | 543 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 544 | auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); |
eab3e22f | 545 | #else |
81d882d5 | 546 | auth_user_pass_setup(c->options.auth_user_pass_file, NULL); |
eab3e22f JY |
547 | #endif |
548 | } | |
92bbb061 JY |
549 | #endif |
550 | } | |
551 | ||
4e9a51d7 JY |
552 | /* |
553 | * Initialize/Uninitialize HTTP or SOCKS proxy | |
554 | */ | |
555 | ||
4e9a51d7 | 556 | static void |
81d882d5 | 557 | uninit_proxy_dowork(struct context *c) |
4e9a51d7 | 558 | { |
81d882d5 | 559 | if (c->c1.http_proxy_owned && c->c1.http_proxy) |
4e9a51d7 | 560 | { |
81d882d5 DS |
561 | http_proxy_close(c->c1.http_proxy); |
562 | c->c1.http_proxy = NULL; | |
563 | c->c1.http_proxy_owned = false; | |
4e9a51d7 | 564 | } |
81d882d5 | 565 | if (c->c1.socks_proxy_owned && c->c1.socks_proxy) |
4e9a51d7 | 566 | { |
81d882d5 DS |
567 | socks_proxy_close(c->c1.socks_proxy); |
568 | c->c1.socks_proxy = NULL; | |
569 | c->c1.socks_proxy_owned = false; | |
4e9a51d7 | 570 | } |
4e9a51d7 JY |
571 | } |
572 | ||
573 | static void | |
81d882d5 | 574 | init_proxy_dowork(struct context *c) |
6fbf66fa | 575 | { |
81d882d5 | 576 | bool did_http = false; |
f214bb21 | 577 | |
81d882d5 | 578 | uninit_proxy_dowork(c); |
4e9a51d7 | 579 | |
81d882d5 | 580 | if (c->options.ce.http_proxy_options) |
4e9a51d7 | 581 | { |
81d882d5 DS |
582 | /* Possible HTTP proxy user/pass input */ |
583 | c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); | |
584 | if (c->c1.http_proxy) | |
585 | { | |
586 | did_http = true; | |
587 | c->c1.http_proxy_owned = true; | |
588 | } | |
4e9a51d7 | 589 | } |
4e9a51d7 | 590 | |
a4b8f653 | 591 | if (!did_http && c->options.ce.socks_proxy_server) |
4e9a51d7 | 592 | { |
81d882d5 DS |
593 | c->c1.socks_proxy = socks_proxy_new(c->options.ce.socks_proxy_server, |
594 | c->options.ce.socks_proxy_port, | |
595 | c->options.ce.socks_proxy_authfile); | |
596 | if (c->c1.socks_proxy) | |
597 | { | |
598 | c->c1.socks_proxy_owned = true; | |
599 | } | |
4e9a51d7 | 600 | } |
4e9a51d7 JY |
601 | } |
602 | ||
603 | static void | |
81d882d5 | 604 | init_proxy(struct context *c) |
4e9a51d7 | 605 | { |
81d882d5 | 606 | init_proxy_dowork(c); |
4e9a51d7 JY |
607 | } |
608 | ||
609 | static void | |
81d882d5 | 610 | uninit_proxy(struct context *c) |
4e9a51d7 | 611 | { |
81d882d5 | 612 | uninit_proxy_dowork(c); |
4e9a51d7 JY |
613 | } |
614 | ||
5fa25eeb | 615 | /* |
39326238 LS |
616 | * Saves the initial state of NCP-regotiable |
617 | * options into a storage which persists over SIGUSR1. | |
5fa25eeb LS |
618 | */ |
619 | static void | |
39326238 | 620 | save_ncp_options(struct context *c) |
5fa25eeb LS |
621 | { |
622 | c->c1.ciphername = c->options.ciphername; | |
623 | c->c1.authname = c->options.authname; | |
624 | c->c1.keysize = c->options.keysize; | |
625 | } | |
626 | ||
39326238 | 627 | /* Restores NCP-negotiable options to original values */ |
5fa25eeb | 628 | static void |
39326238 | 629 | restore_ncp_options(struct context *c) |
5fa25eeb LS |
630 | { |
631 | c->options.ciphername = c->c1.ciphername; | |
632 | c->options.authname = c->c1.authname; | |
633 | c->options.keysize = c->c1.keysize; | |
634 | } | |
635 | ||
4e9a51d7 | 636 | void |
81d882d5 | 637 | context_init_1(struct context *c) |
4e9a51d7 | 638 | { |
81d882d5 | 639 | context_clear_1(c); |
6fbf66fa | 640 | |
81d882d5 | 641 | packet_id_persist_init(&c->c1.pid_persist); |
4e9a51d7 | 642 | |
81d882d5 | 643 | init_connection_list(c); |
6fbf66fa | 644 | |
39326238 | 645 | save_ncp_options(c); |
5fa25eeb | 646 | |
ce98fd24 | 647 | #if defined(ENABLE_PKCS11) |
81d882d5 DS |
648 | if (c->first_time) |
649 | { | |
650 | int i; | |
651 | pkcs11_initialize(true, c->options.pkcs11_pin_cache_period); | |
652 | for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++) | |
4cd4899e | 653 | { |
81d882d5 DS |
654 | pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], |
655 | c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); | |
4cd4899e | 656 | } |
81d882d5 | 657 | } |
ce98fd24 | 658 | #endif |
984cf003 | 659 | |
c67d59cd | 660 | #if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */ |
81d882d5 DS |
661 | { |
662 | /* | |
663 | * In the management interface, you can okay the request by entering "needok token-insertion-request ok" | |
664 | */ | |
665 | struct user_pass up; | |
666 | CLEAR(up); | |
667 | strcpy(up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */ | |
668 | get_user_pass(&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK); | |
669 | msg(M_INFO, "RET:%s", up.password); /* will return the third argument to management interface | |
670 | * 'needok' command, usually 'ok' or 'cancel'. */ | |
671 | } | |
dd1047f5 JY |
672 | #endif |
673 | ||
e83a8684 DS |
674 | #ifdef ENABLE_SYSTEMD |
675 | /* We can report the PID via getpid() to systemd here as OpenVPN will not | |
676 | * do any fork due to daemon() a future call. | |
677 | * See possibly_become_daemon() [init.c] for more details. | |
678 | */ | |
b13bc6c9 | 679 | sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu", |
e83a8684 DS |
680 | (unsigned long) getpid()); |
681 | #endif | |
682 | ||
6fbf66fa JY |
683 | } |
684 | ||
685 | void | |
81d882d5 | 686 | context_gc_free(struct context *c) |
6fbf66fa | 687 | { |
81d882d5 DS |
688 | gc_free(&c->c2.gc); |
689 | gc_free(&c->options.gc); | |
690 | gc_free(&c->gc); | |
6fbf66fa JY |
691 | } |
692 | ||
6add6b2f JY |
693 | #if PORT_SHARE |
694 | ||
695 | static void | |
81d882d5 | 696 | close_port_share(void) |
6add6b2f | 697 | { |
81d882d5 | 698 | if (port_share) |
6add6b2f | 699 | { |
81d882d5 DS |
700 | port_share_close(port_share); |
701 | port_share = NULL; | |
6add6b2f JY |
702 | } |
703 | } | |
704 | ||
705 | static void | |
81d882d5 | 706 | init_port_share(struct context *c) |
6add6b2f | 707 | { |
81d882d5 | 708 | if (!port_share && (c->options.port_share_host && c->options.port_share_port)) |
6add6b2f | 709 | { |
81d882d5 DS |
710 | port_share = port_share_open(c->options.port_share_host, |
711 | c->options.port_share_port, | |
712 | MAX_RW_SIZE_LINK(&c->c2.frame), | |
713 | c->options.port_share_journal_dir); | |
714 | if (port_share == NULL) | |
715 | { | |
716 | msg(M_FATAL, "Fatal error: Port sharing failed"); | |
717 | } | |
6add6b2f JY |
718 | } |
719 | } | |
720 | ||
81d882d5 | 721 | #endif /* if PORT_SHARE */ |
6add6b2f | 722 | |
e74e3a4d | 723 | |
6fbf66fa | 724 | bool |
81d882d5 | 725 | init_static(void) |
6fbf66fa | 726 | { |
81d882d5 | 727 | /* configure_path (); */ |
c67d59cd | 728 | |
c7ca9133 | 729 | #if defined(DMALLOC) |
81d882d5 | 730 | crypto_init_dmalloc(); |
6fbf66fa JY |
731 | #endif |
732 | ||
e74e3a4d DS |
733 | |
734 | /* | |
735 | * Initialize random number seed. random() is only used | |
736 | * when "weak" random numbers are acceptable. | |
737 | * SSL library routines are always used when cryptographically | |
738 | * strong random numbers are required. | |
739 | */ | |
740 | struct timeval tv; | |
741 | if (!gettimeofday(&tv, NULL)) | |
742 | { | |
743 | const unsigned int seed = (unsigned int) tv.tv_sec ^ tv.tv_usec; | |
744 | srandom(seed); | |
745 | } | |
746 | ||
81d882d5 DS |
747 | error_reset(); /* initialize error.c */ |
748 | reset_check_status(); /* initialize status check code in socket.c */ | |
6fbf66fa | 749 | |
445b192a | 750 | #ifdef _WIN32 |
81d882d5 | 751 | init_win32(); |
6fbf66fa JY |
752 | #endif |
753 | ||
754 | #ifdef OPENVPN_DEBUG_COMMAND_LINE | |
81d882d5 DS |
755 | { |
756 | int i; | |
757 | for (i = 0; i < argc; ++i) | |
4cd4899e | 758 | { |
81d882d5 | 759 | msg(M_INFO, "argv[%d] = '%s'", i, argv[i]); |
4cd4899e | 760 | } |
81d882d5 | 761 | } |
6fbf66fa JY |
762 | #endif |
763 | ||
81d882d5 | 764 | update_time(); |
6fbf66fa | 765 | |
81d882d5 | 766 | init_ssl_lib(); |
6fbf66fa | 767 | |
81d882d5 DS |
768 | /* init PRNG used for IV generation */ |
769 | /* When forking, copy this to more places in the code to avoid fork | |
770 | * random-state predictability */ | |
771 | prng_init(NULL, 0); | |
6fbf66fa JY |
772 | |
773 | #ifdef PID_TEST | |
81d882d5 DS |
774 | packet_id_interactive_test(); /* test the sequence number code */ |
775 | return false; | |
6fbf66fa JY |
776 | #endif |
777 | ||
778 | #ifdef SCHEDULE_TEST | |
81d882d5 DS |
779 | schedule_test(); |
780 | return false; | |
6fbf66fa JY |
781 | #endif |
782 | ||
783 | #ifdef LIST_TEST | |
81d882d5 DS |
784 | list_test(); |
785 | return false; | |
6fbf66fa JY |
786 | #endif |
787 | ||
788 | #ifdef IFCONFIG_POOL_TEST | |
81d882d5 DS |
789 | ifconfig_pool_test(0x0A010004, 0x0A0100FF); |
790 | return false; | |
6fbf66fa JY |
791 | #endif |
792 | ||
793 | #ifdef CHARACTER_CLASS_DEBUG | |
81d882d5 DS |
794 | character_class_debug(); |
795 | return false; | |
6fbf66fa JY |
796 | #endif |
797 | ||
798 | #ifdef EXTRACT_X509_FIELD_TEST | |
81d882d5 DS |
799 | extract_x509_field_test(); |
800 | return false; | |
6fbf66fa JY |
801 | #endif |
802 | ||
428b8279 | 803 | #ifdef TIME_TEST |
81d882d5 DS |
804 | time_test(); |
805 | return false; | |
428b8279 JY |
806 | #endif |
807 | ||
6a8ea970 | 808 | #ifdef TEST_GET_DEFAULT_GATEWAY |
81d882d5 DS |
809 | { |
810 | struct route_gateway_info rgi; | |
811 | struct route_ipv6_gateway_info rgi6; | |
812 | get_default_gateway(&rgi); | |
813 | get_default_gateway_ipv6(&rgi6, NULL); | |
814 | print_default_gateway(M_INFO, &rgi, &rgi6); | |
815 | return false; | |
816 | } | |
6a8ea970 JY |
817 | #endif |
818 | ||
6cd276ba | 819 | #ifdef GEN_PATH_TEST |
81d882d5 DS |
820 | { |
821 | struct gc_arena gc = gc_new(); | |
822 | const char *fn = gen_path("foo", | |
823 | "bar", | |
824 | &gc); | |
825 | printf("%s\n", fn); | |
826 | gc_free(&gc); | |
827 | } | |
828 | return false; | |
6cd276ba | 829 | #endif |
ddad0a8c | 830 | |
6cd276ba | 831 | #ifdef STATUS_PRINTF_TEST |
81d882d5 DS |
832 | { |
833 | struct gc_arena gc = gc_new(); | |
b7bea782 | 834 | const char *tmp_file = platform_create_temp_file("/tmp", "foo", &gc); |
81d882d5 DS |
835 | struct status_output *so = status_open(tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE); |
836 | status_printf(so, "%s", "foo"); | |
837 | status_printf(so, "%s", "bar"); | |
838 | if (!status_close(so)) | |
839 | { | |
840 | msg(M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file); | |
841 | } | |
842 | gc_free(&gc); | |
843 | } | |
844 | return false; | |
ddad0a8c JY |
845 | #endif |
846 | ||
26bb4c74 | 847 | #ifdef ARGV_TEST |
81d882d5 DS |
848 | { |
849 | void argv_test(void); | |
850 | ||
851 | argv_test(); | |
852 | return false; | |
853 | } | |
26bb4c74 JY |
854 | #endif |
855 | ||
03bfb228 | 856 | #ifdef PRNG_TEST |
81d882d5 DS |
857 | { |
858 | struct gc_arena gc = gc_new(); | |
859 | uint8_t rndbuf[8]; | |
860 | int i; | |
861 | prng_init("sha1", 16); | |
862 | /*prng_init (NULL, 0);*/ | |
863 | const int factor = 1; | |
864 | for (i = 0; i < factor * 8; ++i) | |
865 | { | |
03bfb228 | 866 | #if 1 |
81d882d5 | 867 | prng_bytes(rndbuf, sizeof(rndbuf)); |
03bfb228 | 868 | #else |
81d882d5 | 869 | ASSERT(rand_bytes(rndbuf, sizeof(rndbuf))); |
03bfb228 | 870 | #endif |
81d882d5 DS |
871 | printf("[%d] %s\n", i, format_hex(rndbuf, sizeof(rndbuf), 0, &gc)); |
872 | } | |
873 | gc_free(&gc); | |
874 | prng_uninit(); | |
875 | return false; | |
876 | } | |
877 | #endif /* ifdef PRNG_TEST */ | |
03bfb228 | 878 | |
7e1c085d | 879 | #ifdef BUFFER_LIST_AGGREGATE_TEST |
81d882d5 DS |
880 | /* test buffer_list_aggregate function */ |
881 | { | |
882 | static const char *text[] = { | |
883 | "It was a bright cold day in April, ", | |
884 | "and the clocks were striking ", | |
885 | "thirteen. ", | |
886 | "Winston Smith, ", | |
887 | "his chin nuzzled into his breast in an ", | |
888 | "effort to escape the vile wind, ", | |
889 | "slipped quickly through the glass doors ", | |
890 | "of Victory Mansions, though not quickly ", | |
891 | "enough to prevent a swirl of gritty dust from ", | |
892 | "entering along with him." | |
893 | }; | |
894 | ||
895 | int iter, listcap; | |
896 | for (listcap = 0; listcap < 12; ++listcap) | |
897 | { | |
898 | for (iter = 0; iter < 512; ++iter) | |
899 | { | |
900 | struct buffer_list *bl = buffer_list_new(listcap); | |
901 | { | |
902 | int i; | |
903 | for (i = 0; i < SIZE(text); ++i) | |
4cd4899e | 904 | { |
81d882d5 | 905 | buffer_list_push(bl, (unsigned char *)text[i]); |
4cd4899e | 906 | } |
81d882d5 DS |
907 | } |
908 | printf("[cap=%d i=%d] *************************\n", listcap, iter); | |
909 | if (!(iter & 8)) | |
910 | { | |
911 | buffer_list_aggregate(bl, iter/2); | |
912 | } | |
913 | if (!(iter & 16)) | |
914 | { | |
915 | buffer_list_push(bl, (unsigned char *)"Even more text..."); | |
916 | } | |
917 | buffer_list_aggregate(bl, iter); | |
918 | if (!(iter & 1)) | |
919 | { | |
920 | buffer_list_push(bl, (unsigned char *)"More text..."); | |
921 | } | |
922 | { | |
923 | struct buffer *buf; | |
924 | while ((buf = buffer_list_peek(bl))) | |
925 | { | |
926 | int c; | |
927 | printf("'"); | |
928 | while ((c = buf_read_u8(buf)) >= 0) | |
4cd4899e | 929 | { |
81d882d5 | 930 | putchar(c); |
4cd4899e | 931 | } |
81d882d5 DS |
932 | printf("'\n"); |
933 | buffer_list_advance(bl, 0); | |
934 | } | |
935 | } | |
936 | buffer_list_free(bl); | |
937 | } | |
938 | } | |
939 | return false; | |
940 | } | |
941 | #endif /* ifdef BUFFER_LIST_AGGREGATE_TEST */ | |
7e1c085d | 942 | |
ffea644c | 943 | #ifdef MSTATS_TEST |
81d882d5 DS |
944 | { |
945 | int i; | |
946 | mstats_open("/dev/shm/mstats.dat"); | |
947 | for (i = 0; i < 30; ++i) | |
948 | { | |
949 | mmap_stats->n_clients += 1; | |
950 | mmap_stats->link_write_bytes += 8; | |
951 | mmap_stats->link_read_bytes += 16; | |
952 | sleep(1); | |
953 | } | |
954 | mstats_close(); | |
955 | return false; | |
956 | } | |
ffea644c JY |
957 | #endif |
958 | ||
81d882d5 | 959 | return true; |
6fbf66fa JY |
960 | } |
961 | ||
962 | void | |
81d882d5 | 963 | uninit_static(void) |
6fbf66fa | 964 | { |
81d882d5 | 965 | free_ssl_lib(); |
ce98fd24 | 966 | |
ce98fd24 | 967 | #ifdef ENABLE_PKCS11 |
81d882d5 | 968 | pkcs11_terminate(); |
ce98fd24 | 969 | #endif |
6fbf66fa | 970 | |
6add6b2f | 971 | #if PORT_SHARE |
81d882d5 | 972 | close_port_share(); |
6add6b2f JY |
973 | #endif |
974 | ||
c7ca9133 | 975 | #if defined(MEASURE_TLS_HANDSHAKE_STATS) |
81d882d5 | 976 | show_tls_performance_stats(); |
6fbf66fa JY |
977 | #endif |
978 | } | |
979 | ||
980 | void | |
81d882d5 | 981 | init_verb_mute(struct context *c, unsigned int flags) |
6fbf66fa | 982 | { |
81d882d5 | 983 | if (flags & IVM_LEVEL_1) |
6fbf66fa | 984 | { |
81d882d5 DS |
985 | /* set verbosity and mute levels */ |
986 | set_check_status(D_LINK_ERRORS, D_READ_WRITE); | |
987 | set_debug_level(c->options.verbosity, SDL_CONSTRAIN); | |
988 | set_mute_cutoff(c->options.mute); | |
6fbf66fa JY |
989 | } |
990 | ||
81d882d5 DS |
991 | /* special D_LOG_RW mode */ |
992 | if (flags & IVM_LEVEL_2) | |
993 | { | |
994 | c->c2.log_rw = (check_debug_level(D_LOG_RW) && !check_debug_level(D_LOG_RW + 1)); | |
995 | } | |
6fbf66fa JY |
996 | } |
997 | ||
998 | /* | |
999 | * Possibly set --dev based on --dev-node. | |
1000 | * For example, if --dev-node /tmp/foo/tun, and --dev undefined, | |
1001 | * set --dev to tun. | |
1002 | */ | |
1003 | void | |
81d882d5 | 1004 | init_options_dev(struct options *options) |
6fbf66fa | 1005 | { |
81d882d5 DS |
1006 | if (!options->dev && options->dev_node) |
1007 | { | |
1008 | char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementaions may modify its arguments */ | |
1009 | options->dev = basename(dev_node); | |
1010 | } | |
6fbf66fa JY |
1011 | } |
1012 | ||
1013 | bool | |
81d882d5 | 1014 | print_openssl_info(const struct options *options) |
6fbf66fa | 1015 | { |
81d882d5 DS |
1016 | /* |
1017 | * OpenSSL info print mode? | |
1018 | */ | |
81d882d5 DS |
1019 | if (options->show_ciphers || options->show_digests || options->show_engines |
1020 | || options->show_tls_ciphers || options->show_curves) | |
6fbf66fa | 1021 | { |
81d882d5 DS |
1022 | if (options->show_ciphers) |
1023 | { | |
1024 | show_available_ciphers(); | |
1025 | } | |
1026 | if (options->show_digests) | |
1027 | { | |
1028 | show_available_digests(); | |
1029 | } | |
1030 | if (options->show_engines) | |
1031 | { | |
1032 | show_available_engines(); | |
1033 | } | |
1034 | if (options->show_tls_ciphers) | |
1035 | { | |
aba75874 | 1036 | show_available_tls_ciphers(options->cipher_list, |
7aeabadd | 1037 | options->cipher_list_tls13, |
aba75874 | 1038 | options->tls_cert_profile); |
81d882d5 DS |
1039 | } |
1040 | if (options->show_curves) | |
1041 | { | |
1042 | show_available_curves(); | |
1043 | } | |
1044 | return true; | |
6fbf66fa | 1045 | } |
81d882d5 | 1046 | return false; |
6fbf66fa JY |
1047 | } |
1048 | ||
1049 | /* | |
1050 | * Static pre-shared key generation mode? | |
1051 | */ | |
1052 | bool | |
81d882d5 | 1053 | do_genkey(const struct options *options) |
6fbf66fa | 1054 | { |
9d59029a SK |
1055 | /* should we disable paging? */ |
1056 | if (options->mlock && (options->genkey || options->tls_crypt_v2_genkey_file)) | |
1057 | { | |
1058 | platform_mlockall(true); | |
1059 | } | |
81d882d5 | 1060 | if (options->genkey) |
6fbf66fa | 1061 | { |
81d882d5 | 1062 | int nbits_written; |
6fbf66fa | 1063 | |
81d882d5 DS |
1064 | notnull(options->shared_secret_file, |
1065 | "shared secret output file (--secret)"); | |
6fbf66fa | 1066 | |
81d882d5 | 1067 | nbits_written = write_key_file(2, options->shared_secret_file); |
a8fa1679 SK |
1068 | if (nbits_written < 0) |
1069 | { | |
1070 | msg(M_FATAL, "Failed to write key file"); | |
1071 | } | |
6fbf66fa | 1072 | |
81d882d5 DS |
1073 | msg(D_GENKEY | M_NOPREFIX, |
1074 | "Randomly generated %d bit key written to %s", nbits_written, | |
1075 | options->shared_secret_file); | |
1076 | return true; | |
6fbf66fa | 1077 | } |
9d59029a SK |
1078 | if (options->tls_crypt_v2_genkey_type) |
1079 | { | |
1080 | if(!strcmp(options->tls_crypt_v2_genkey_type, "server")) | |
1081 | { | |
1082 | tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file); | |
1083 | return true; | |
1084 | } | |
1085 | if (options->tls_crypt_v2_genkey_type | |
1086 | && !strcmp(options->tls_crypt_v2_genkey_type, "client")) | |
1087 | { | |
1088 | if (!options->tls_crypt_v2_file) | |
1089 | { | |
658a8ee4 | 1090 | msg(M_USAGE, "--tls-crypt-v2-genkey requires a server key to be set via --tls-crypt-v2 to create a client key"); |
9d59029a SK |
1091 | } |
1092 | ||
1093 | tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file, | |
1094 | options->tls_crypt_v2_metadata, options->tls_crypt_v2_file, | |
1095 | options->tls_crypt_v2_inline); | |
1096 | return true; | |
1097 | } | |
1098 | ||
1099 | msg(M_USAGE, "--tls-crypt-v2-genkey type should be \"client\" or \"server\""); | |
1100 | } | |
81d882d5 | 1101 | return false; |
6fbf66fa JY |
1102 | } |
1103 | ||
1104 | /* | |
1105 | * Persistent TUN/TAP device management mode? | |
1106 | */ | |
1107 | bool | |
81d882d5 | 1108 | do_persist_tuntap(const struct options *options) |
6fbf66fa | 1109 | { |
81d882d5 | 1110 | if (options->persist_config) |
6fbf66fa | 1111 | { |
81d882d5 DS |
1112 | /* sanity check on options for --mktun or --rmtun */ |
1113 | notnull(options->dev, "TUN/TAP device (--dev)"); | |
1114 | if (options->ce.remote || options->ifconfig_local | |
1115 | || options->ifconfig_remote_netmask | |
81d882d5 DS |
1116 | || options->shared_secret_file |
1117 | || options->tls_server || options->tls_client | |
81d882d5 DS |
1118 | ) |
1119 | { | |
1120 | msg(M_FATAL|M_OPTERR, | |
1121 | "options --mktun or --rmtun should only be used together with --dev"); | |
1122 | } | |
4ad2b65d | 1123 | #ifdef ENABLE_FEATURE_TUN_PERSIST |
81d882d5 DS |
1124 | tuncfg(options->dev, options->dev_type, options->dev_node, |
1125 | options->persist_mode, | |
1126 | options->username, options->groupname, &options->tuntap_options); | |
1127 | if (options->persist_mode && options->lladdr) | |
1128 | { | |
1129 | set_lladdr(options->dev, options->lladdr, NULL); | |
1130 | } | |
1131 | return true; | |
1132 | #else /* ifdef ENABLE_FEATURE_TUN_PERSIST */ | |
1133 | msg( M_FATAL|M_OPTERR, | |
1134 | "options --mktun and --rmtun are not available on your operating " | |
1135 | "system. Please check 'man tun' (or 'tap'), whether your system " | |
1136 | "supports using 'ifconfig %s create' / 'destroy' to create/remove " | |
1137 | "persistant tunnel interfaces.", options->dev ); | |
6fbf66fa | 1138 | #endif |
4ad2b65d | 1139 | } |
81d882d5 | 1140 | return false; |
6fbf66fa JY |
1141 | } |
1142 | ||
1143 | /* | |
1144 | * Should we become a daemon? | |
1145 | * Return true if we did it. | |
1146 | */ | |
da9b2927 | 1147 | bool |
81d882d5 | 1148 | possibly_become_daemon(const struct options *options) |
6fbf66fa | 1149 | { |
81d882d5 | 1150 | bool ret = false; |
7660bba1 CH |
1151 | |
1152 | #ifdef ENABLE_SYSTEMD | |
81d882d5 DS |
1153 | /* return without forking if we are running from systemd */ |
1154 | if (sd_notify(0, "READY=0") > 0) | |
1155 | { | |
1156 | return ret; | |
1157 | } | |
7660bba1 CH |
1158 | #endif |
1159 | ||
81d882d5 | 1160 | if (options->daemon) |
6fbf66fa | 1161 | { |
81d882d5 DS |
1162 | ASSERT(!options->inetd); |
1163 | /* Don't chdir immediately, but the end of the init sequence, if needed */ | |
1164 | if (daemon(1, options->log) < 0) | |
1165 | { | |
1166 | msg(M_ERR, "daemon() failed or unsupported"); | |
1167 | } | |
1168 | restore_signal_state(); | |
1169 | if (options->log) | |
1170 | { | |
1171 | set_std_files_to_null(true); | |
1172 | } | |
6835555e | 1173 | |
81d882d5 | 1174 | ret = true; |
6fbf66fa | 1175 | } |
81d882d5 | 1176 | return ret; |
6fbf66fa JY |
1177 | } |
1178 | ||
1179 | /* | |
99385447 | 1180 | * Actually do UID/GID downgrade, chroot and SELinux context switching, if requested. |
6fbf66fa JY |
1181 | */ |
1182 | static void | |
81d882d5 | 1183 | do_uid_gid_chroot(struct context *c, bool no_delay) |
6fbf66fa | 1184 | { |
81d882d5 DS |
1185 | static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay"; |
1186 | struct context_0 *c0 = c->c0; | |
6fbf66fa | 1187 | |
81d882d5 | 1188 | if (c0 && !c0->uid_gid_chroot_set) |
6fbf66fa | 1189 | { |
81d882d5 DS |
1190 | /* chroot if requested */ |
1191 | if (c->options.chroot_dir) | |
1192 | { | |
1193 | if (no_delay) | |
65140a3a | 1194 | { |
81d882d5 DS |
1195 | platform_chroot(c->options.chroot_dir); |
1196 | } | |
1197 | else if (c->first_time) | |
1198 | { | |
1199 | msg(M_INFO, "NOTE: chroot %s", why_not); | |
1200 | } | |
1201 | } | |
1202 | ||
1203 | /* set user and/or group if we want to setuid/setgid */ | |
1204 | if (c0->uid_gid_specified) | |
1205 | { | |
1206 | if (no_delay) | |
1207 | { | |
1208 | platform_group_set(&c0->platform_state_group); | |
1209 | platform_user_set(&c0->platform_state_user); | |
1210 | } | |
1211 | else if (c->first_time) | |
1212 | { | |
1213 | msg(M_INFO, "NOTE: UID/GID downgrade %s", why_not); | |
65140a3a | 1214 | } |
81d882d5 | 1215 | } |
99385447 | 1216 | |
ffea644c | 1217 | #ifdef ENABLE_MEMSTATS |
81d882d5 DS |
1218 | if (c->first_time && c->options.memstats_fn) |
1219 | { | |
1220 | mstats_open(c->options.memstats_fn); | |
1221 | } | |
ffea644c JY |
1222 | #endif |
1223 | ||
cd5990e0 | 1224 | #ifdef ENABLE_SELINUX |
81d882d5 DS |
1225 | /* Apply a SELinux context in order to restrict what OpenVPN can do |
1226 | * to _only_ what it is supposed to do after initialization is complete | |
1227 | * (basically just network I/O operations). Doing it after chroot | |
1228 | * requires /proc to be mounted in the chroot (which is annoying indeed | |
1229 | * but doing it before requires more complex SELinux policies. | |
1230 | */ | |
1231 | if (c->options.selinux_context) | |
1232 | { | |
1233 | if (no_delay) | |
1234 | { | |
1235 | if (-1 == setcon(c->options.selinux_context)) | |
1236 | { | |
1237 | msg(M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context); | |
1238 | } | |
1239 | else | |
1240 | { | |
1241 | msg(M_INFO, "setcon to '%s' succeeded", c->options.selinux_context); | |
1242 | } | |
1243 | } | |
1244 | else if (c->first_time) | |
1245 | { | |
1246 | msg(M_INFO, "NOTE: setcon %s", why_not); | |
1247 | } | |
1248 | } | |
1249 | #endif | |
1250 | ||
1251 | /* Privileges are going to be dropped by now (if requested), be sure | |
1252 | * to prevent any future privilege dropping attempts from now on. | |
1253 | */ | |
1254 | if (no_delay) | |
1255 | { | |
1256 | c0->uid_gid_chroot_set = true; | |
1257 | } | |
6fbf66fa JY |
1258 | } |
1259 | } | |
1260 | ||
1261 | /* | |
1262 | * Return common name in a way that is formatted for | |
1263 | * prepending to msg() output. | |
1264 | */ | |
1265 | const char * | |
81d882d5 | 1266 | format_common_name(struct context *c, struct gc_arena *gc) |
6fbf66fa | 1267 | { |
81d882d5 | 1268 | struct buffer out = alloc_buf_gc(256, gc); |
81d882d5 | 1269 | if (c->c2.tls_multi) |
6fbf66fa | 1270 | { |
81d882d5 | 1271 | buf_printf(&out, "[%s] ", tls_common_name(c->c2.tls_multi, false)); |
6fbf66fa | 1272 | } |
81d882d5 | 1273 | return BSTR(&out); |
6fbf66fa JY |
1274 | } |
1275 | ||
1276 | void | |
81d882d5 | 1277 | pre_setup(const struct options *options) |
6fbf66fa | 1278 | { |
445b192a | 1279 | #ifdef _WIN32 |
81d882d5 | 1280 | if (options->exit_event_name) |
6fbf66fa | 1281 | { |
81d882d5 DS |
1282 | win32_signal_open(&win32_signal, |
1283 | WSO_FORCE_SERVICE, | |
1284 | options->exit_event_name, | |
1285 | options->exit_event_initial_state); | |
6fbf66fa | 1286 | } |
81d882d5 | 1287 | else |
6fbf66fa | 1288 | { |
81d882d5 DS |
1289 | win32_signal_open(&win32_signal, |
1290 | WSO_FORCE_CONSOLE, | |
1291 | NULL, | |
1292 | false); | |
6fbf66fa | 1293 | |
81d882d5 DS |
1294 | /* put a title on the top window bar */ |
1295 | if (win32_signal.mode == WSO_MODE_CONSOLE) | |
1296 | { | |
1297 | window_title_save(&window_title); | |
1298 | window_title_generate(options->config); | |
1299 | } | |
6fbf66fa | 1300 | } |
81d882d5 | 1301 | #endif /* ifdef _WIN32 */ |
6fbf66fa JY |
1302 | } |
1303 | ||
1304 | void | |
81d882d5 | 1305 | reset_coarse_timers(struct context *c) |
6fbf66fa | 1306 | { |
81d882d5 | 1307 | c->c2.coarse_timer_wakeup = 0; |
6fbf66fa JY |
1308 | } |
1309 | ||
f2134b7b AS |
1310 | /* |
1311 | * Initialise the server poll timeout timer | |
1312 | * This timer is used in the http/socks proxy setup so it needs to be setup | |
1313 | * before | |
1314 | */ | |
1315 | static void | |
81d882d5 | 1316 | do_init_server_poll_timeout(struct context *c) |
f2134b7b | 1317 | { |
81d882d5 | 1318 | update_time(); |
f2134b7b | 1319 | if (c->options.ce.connect_timeout) |
81d882d5 DS |
1320 | { |
1321 | event_timeout_init(&c->c2.server_poll_interval, c->options.ce.connect_timeout, now); | |
1322 | } | |
f2134b7b AS |
1323 | } |
1324 | ||
6fbf66fa JY |
1325 | /* |
1326 | * Initialize timers | |
1327 | */ | |
1328 | static void | |
81d882d5 | 1329 | do_init_timers(struct context *c, bool deferred) |
6fbf66fa | 1330 | { |
81d882d5 DS |
1331 | update_time(); |
1332 | reset_coarse_timers(c); | |
6fbf66fa | 1333 | |
81d882d5 DS |
1334 | /* initialize inactivity timeout */ |
1335 | if (c->options.inactivity_timeout) | |
1336 | { | |
1337 | event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); | |
1338 | } | |
6fbf66fa | 1339 | |
81d882d5 | 1340 | /* initialize pings */ |
6fbf66fa | 1341 | |
81d882d5 DS |
1342 | if (c->options.ping_send_timeout) |
1343 | { | |
1344 | event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); | |
1345 | } | |
6fbf66fa | 1346 | |
81d882d5 DS |
1347 | if (c->options.ping_rec_timeout) |
1348 | { | |
1349 | event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); | |
1350 | } | |
6fbf66fa | 1351 | |
81d882d5 | 1352 | if (!deferred) |
6fbf66fa | 1353 | { |
81d882d5 DS |
1354 | /* initialize connection establishment timer */ |
1355 | event_timeout_init(&c->c2.wait_for_connect, 1, now); | |
6fbf66fa JY |
1356 | |
1357 | #ifdef ENABLE_OCC | |
81d882d5 | 1358 | /* initialize occ timers */ |
6fbf66fa | 1359 | |
81d882d5 DS |
1360 | if (c->options.occ |
1361 | && !TLS_MODE(c) | |
1362 | && c->c2.options_string_local && c->c2.options_string_remote) | |
1363 | { | |
1364 | event_timeout_init(&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now); | |
1365 | } | |
6fbf66fa | 1366 | |
81d882d5 DS |
1367 | if (c->options.mtu_test) |
1368 | { | |
1369 | event_timeout_init(&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now); | |
1370 | } | |
6fbf66fa JY |
1371 | #endif |
1372 | ||
81d882d5 | 1373 | /* initialize packet_id persistence timer */ |
81d882d5 DS |
1374 | if (c->options.packet_id_file) |
1375 | { | |
1376 | event_timeout_init(&c->c2.packet_id_persist_interval, 60, now); | |
1377 | } | |
6fbf66fa | 1378 | |
81d882d5 DS |
1379 | /* initialize tmp_int optimization that limits the number of times we call |
1380 | * tls_multi_process in the main event loop */ | |
1381 | interval_init(&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH); | |
6fbf66fa JY |
1382 | } |
1383 | } | |
1384 | ||
1385 | /* | |
1386 | * Initialize traffic shaper. | |
1387 | */ | |
1388 | static void | |
81d882d5 | 1389 | do_init_traffic_shaper(struct context *c) |
6fbf66fa | 1390 | { |
3d163bc5 | 1391 | #ifdef ENABLE_FEATURE_SHAPER |
81d882d5 DS |
1392 | /* initialize traffic shaper (i.e. transmit bandwidth limiter) */ |
1393 | if (c->options.shaper) | |
6fbf66fa | 1394 | { |
81d882d5 DS |
1395 | shaper_init(&c->c2.shaper, c->options.shaper); |
1396 | shaper_msg(&c->c2.shaper); | |
6fbf66fa JY |
1397 | } |
1398 | #endif | |
1399 | } | |
1400 | ||
1401 | /* | |
eb95f367 GD |
1402 | * Allocate route list structures for IPv4 and IPv6 |
1403 | * (we do this for IPv4 even if no --route option has been seen, as other | |
1404 | * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) | |
6fbf66fa JY |
1405 | */ |
1406 | static void | |
81d882d5 | 1407 | do_alloc_route_list(struct context *c) |
6fbf66fa | 1408 | { |
81d882d5 DS |
1409 | if (!c->c1.route_list) |
1410 | { | |
1411 | ALLOC_OBJ_CLEAR_GC(c->c1.route_list, struct route_list, &c->gc); | |
1412 | } | |
1413 | if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) | |
1414 | { | |
1415 | ALLOC_OBJ_CLEAR_GC(c->c1.route_ipv6_list, struct route_ipv6_list, &c->gc); | |
1416 | } | |
6fbf66fa JY |
1417 | } |
1418 | ||
1419 | ||
1420 | /* | |
1421 | * Initialize the route list, resolving any DNS names in route | |
1422 | * options and saving routes in the environment. | |
1423 | */ | |
1424 | static void | |
81d882d5 DS |
1425 | do_init_route_list(const struct options *options, |
1426 | struct route_list *route_list, | |
1427 | const struct link_socket_info *link_socket_info, | |
1428 | struct env_set *es) | |
6fbf66fa | 1429 | { |
81d882d5 DS |
1430 | const char *gw = NULL; |
1431 | int dev = dev_type_enum(options->dev, options->dev_type); | |
1432 | int metric = 0; | |
6fbf66fa | 1433 | |
81d882d5 DS |
1434 | if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P)) |
1435 | { | |
1436 | gw = options->ifconfig_remote_netmask; | |
1437 | } | |
1438 | if (options->route_default_gateway) | |
1439 | { | |
1440 | gw = options->route_default_gateway; | |
1441 | } | |
1442 | if (options->route_default_metric) | |
1443 | { | |
1444 | metric = options->route_default_metric; | |
1445 | } | |
6fbf66fa | 1446 | |
81d882d5 DS |
1447 | if (init_route_list(route_list, |
1448 | options->routes, | |
1449 | gw, | |
1450 | metric, | |
1451 | link_socket_current_remote(link_socket_info), | |
1452 | es)) | |
6fbf66fa | 1453 | { |
81d882d5 DS |
1454 | /* copy routes to environment */ |
1455 | setenv_routes(es, route_list); | |
6fbf66fa JY |
1456 | } |
1457 | } | |
1458 | ||
512cda46 | 1459 | static void |
81d882d5 DS |
1460 | do_init_route_ipv6_list(const struct options *options, |
1461 | struct route_ipv6_list *route_ipv6_list, | |
1462 | const struct link_socket_info *link_socket_info, | |
1463 | struct env_set *es) | |
512cda46 | 1464 | { |
81d882d5 DS |
1465 | const char *gw = NULL; |
1466 | int metric = -1; /* no metric set */ | |
512cda46 | 1467 | |
81d882d5 DS |
1468 | gw = options->ifconfig_ipv6_remote; /* default GW = remote end */ |
1469 | #if 0 /* not yet done for IPv6 - TODO!*/ | |
1470 | if (options->route_ipv6_default_gateway) /* override? */ | |
1471 | { | |
1472 | gw = options->route_ipv6_default_gateway; | |
1473 | } | |
512cda46 GD |
1474 | #endif |
1475 | ||
81d882d5 DS |
1476 | if (options->route_default_metric) |
1477 | { | |
1478 | metric = options->route_default_metric; | |
1479 | } | |
512cda46 | 1480 | |
81d882d5 DS |
1481 | /* redirect (IPv6) gateway to VPN? if yes, add a few more specifics |
1482 | */ | |
1483 | if (options->routes_ipv6->flags & RG_REROUTE_GW) | |
d227929b | 1484 | { |
81d882d5 DS |
1485 | char *opt_list[] = { "::/3", "2000::/4", "3000::/4", "fc00::/7", NULL }; |
1486 | int i; | |
d227929b | 1487 | |
81d882d5 DS |
1488 | for (i = 0; opt_list[i]; i++) |
1489 | { | |
1490 | add_route_ipv6_to_option_list( options->routes_ipv6, | |
1491 | string_alloc(opt_list[i], options->routes_ipv6->gc), | |
1492 | NULL, NULL ); | |
1493 | } | |
d227929b GD |
1494 | } |
1495 | ||
81d882d5 DS |
1496 | if (init_route_ipv6_list(route_ipv6_list, |
1497 | options->routes_ipv6, | |
1498 | gw, | |
1499 | metric, | |
1500 | link_socket_current_remote_ipv6(link_socket_info), | |
1501 | es)) | |
512cda46 | 1502 | { |
81d882d5 DS |
1503 | /* copy routes to environment */ |
1504 | setenv_routes_ipv6(es, route_ipv6_list); | |
512cda46 GD |
1505 | } |
1506 | } | |
1507 | ||
1508 | ||
6fbf66fa JY |
1509 | /* |
1510 | * Called after all initialization has been completed. | |
1511 | */ | |
1512 | void | |
81d882d5 | 1513 | initialization_sequence_completed(struct context *c, const unsigned int flags) |
6fbf66fa | 1514 | { |
81d882d5 | 1515 | static const char message[] = "Initialization Sequence Completed"; |
6fbf66fa | 1516 | |
81d882d5 DS |
1517 | /* Reset the unsuccessful connection counter on complete initialisation */ |
1518 | c->options.unsuccessful_attempts = 0; | |
23d61c56 | 1519 | |
81d882d5 DS |
1520 | /* If we delayed UID/GID downgrade or chroot, do it now */ |
1521 | do_uid_gid_chroot(c, true); | |
6fbf66fa | 1522 | |
5bde5b6d | 1523 | |
57116536 AQ |
1524 | /* |
1525 | * In some cases (i.e. when receiving auth-token via | |
1526 | * push-reply) the auth-nocache option configured on the | |
1527 | * client is overridden; for this reason we have to wait | |
1528 | * for the push-reply message before attempting to wipe | |
1529 | * the user/pass entered by the user | |
1530 | */ | |
1531 | if (c->options.mode == MODE_POINT_TO_POINT) | |
1532 | { | |
1533 | delayed_auth_pass_purge(); | |
1534 | } | |
1535 | ||
81d882d5 DS |
1536 | /* Test if errors */ |
1537 | if (flags & ISC_ERRORS) | |
a9c802b2 | 1538 | { |
445b192a | 1539 | #ifdef _WIN32 |
81d882d5 DS |
1540 | show_routes(M_INFO|M_NOPREFIX); |
1541 | show_adapters(M_INFO|M_NOPREFIX); | |
1542 | msg(M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message); | |
6fbf66fa | 1543 | #else |
c5931897 | 1544 | #ifdef ENABLE_SYSTEMD |
81d882d5 | 1545 | sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", message); |
c5931897 | 1546 | #endif /* HAVE_SYSTEMD_SD_DAEMON_H */ |
81d882d5 | 1547 | msg(M_INFO, "%s With Errors", message); |
6fbf66fa | 1548 | #endif |
a9c802b2 | 1549 | } |
81d882d5 | 1550 | else |
c5931897 CH |
1551 | { |
1552 | #ifdef ENABLE_SYSTEMD | |
e83a8684 | 1553 | sd_notifyf(0, "STATUS=%s", message); |
c5931897 | 1554 | #endif |
81d882d5 | 1555 | msg(M_INFO, "%s", message); |
c5931897 | 1556 | } |
6fbf66fa | 1557 | |
81d882d5 DS |
1558 | /* Flag that we initialized */ |
1559 | if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0) | |
1560 | { | |
1561 | c->options.no_advance = true; | |
1562 | } | |
6fbf66fa | 1563 | |
445b192a | 1564 | #ifdef _WIN32 |
81d882d5 | 1565 | fork_register_dns_action(c->c1.tuntap); |
b90c6f17 JY |
1566 | #endif |
1567 | ||
6fbf66fa | 1568 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
1569 | /* Tell management interface that we initialized */ |
1570 | if (management) | |
1571 | { | |
1572 | in_addr_t *tun_local = NULL; | |
1573 | struct in6_addr *tun_local6 = NULL; | |
1574 | struct openvpn_sockaddr local, remote; | |
1575 | struct link_socket_actual *actual; | |
1576 | socklen_t sa_len = sizeof(local); | |
1577 | const char *detail = "SUCCESS"; | |
1578 | if (flags & ISC_ERRORS) | |
1579 | { | |
1580 | detail = "ERROR"; | |
1581 | } | |
1582 | ||
1583 | CLEAR(local); | |
1584 | actual = &get_link_socket_info(c)->lsa->actual; | |
1585 | remote = actual->dest; | |
1586 | getsockname(c->c2.link_socket->sd, &local.addr.sa, &sa_len); | |
2191c471 | 1587 | #if ENABLE_IP_PKTINFO |
81d882d5 | 1588 | if (!addr_defined(&local)) |
2191c471 | 1589 | { |
81d882d5 | 1590 | switch (local.addr.sa.sa_family) |
2191c471 | 1591 | { |
81d882d5 | 1592 | case AF_INET: |
7efa60d9 | 1593 | #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) |
81d882d5 | 1594 | local.addr.in4.sin_addr = actual->pi.in4.ipi_spec_dst; |
4a82a9ac | 1595 | #else |
81d882d5 | 1596 | local.addr.in4.sin_addr = actual->pi.in4; |
4a82a9ac | 1597 | #endif |
81d882d5 DS |
1598 | break; |
1599 | ||
1600 | case AF_INET6: | |
1601 | local.addr.in6.sin6_addr = actual->pi.in6.ipi6_addr; | |
1602 | break; | |
2191c471 HH |
1603 | } |
1604 | } | |
1605 | #endif | |
1606 | ||
81d882d5 | 1607 | if (c->c1.tuntap) |
2191c471 | 1608 | { |
81d882d5 DS |
1609 | tun_local = &c->c1.tuntap->local; |
1610 | tun_local6 = &c->c1.tuntap->local_ipv6; | |
1611 | } | |
1612 | management_set_state(management, | |
1613 | OPENVPN_STATE_CONNECTED, | |
1614 | detail, | |
1615 | tun_local, | |
1616 | tun_local6, | |
1617 | &local, | |
1618 | &remote); | |
1619 | if (tun_local) | |
1620 | { | |
1621 | management_post_tunnel_open(management, *tun_local); | |
2191c471 | 1622 | } |
6fbf66fa | 1623 | } |
81d882d5 | 1624 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
1625 | } |
1626 | ||
1627 | /* | |
1628 | * Possibly add routes and/or call route-up script | |
1629 | * based on options. | |
1630 | */ | |
1631 | void | |
81d882d5 DS |
1632 | do_route(const struct options *options, |
1633 | struct route_list *route_list, | |
1634 | struct route_ipv6_list *route_ipv6_list, | |
1635 | const struct tuntap *tt, | |
1636 | const struct plugin_list *plugins, | |
1637 | struct env_set *es) | |
6fbf66fa | 1638 | { |
81d882d5 | 1639 | if (!options->route_noexec && ( route_list || route_ipv6_list ) ) |
15be3202 | 1640 | { |
81d882d5 DS |
1641 | add_routes(route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS(options), es); |
1642 | setenv_int(es, "redirect_gateway", route_did_redirect_default_gateway(route_list)); | |
15be3202 JY |
1643 | } |
1644 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 DS |
1645 | if (management) |
1646 | { | |
1647 | management_up_down(management, "UP", es); | |
1648 | } | |
15be3202 | 1649 | #endif |
6fbf66fa | 1650 | |
81d882d5 | 1651 | if (plugin_defined(plugins, OPENVPN_PLUGIN_ROUTE_UP)) |
6fbf66fa | 1652 | { |
81d882d5 DS |
1653 | if (plugin_call(plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS) |
1654 | { | |
1655 | msg(M_WARN, "WARNING: route-up plugin call failed"); | |
1656 | } | |
6fbf66fa JY |
1657 | } |
1658 | ||
81d882d5 | 1659 | if (options->route_script) |
6fbf66fa | 1660 | { |
81d882d5 DS |
1661 | struct argv argv = argv_new(); |
1662 | setenv_str(es, "script_type", "route-up"); | |
1663 | argv_parse_cmd(&argv, options->route_script); | |
1664 | openvpn_run_script(&argv, es, 0, "--route-up"); | |
1665 | argv_reset(&argv); | |
6fbf66fa JY |
1666 | } |
1667 | ||
445b192a | 1668 | #ifdef _WIN32 |
81d882d5 | 1669 | if (options->show_net_up) |
6fbf66fa | 1670 | { |
81d882d5 DS |
1671 | show_routes(M_INFO|M_NOPREFIX); |
1672 | show_adapters(M_INFO|M_NOPREFIX); | |
6fbf66fa | 1673 | } |
81d882d5 | 1674 | else if (check_debug_level(D_SHOW_NET)) |
6fbf66fa | 1675 | { |
81d882d5 DS |
1676 | show_routes(D_SHOW_NET|M_NOPREFIX); |
1677 | show_adapters(D_SHOW_NET|M_NOPREFIX); | |
6fbf66fa JY |
1678 | } |
1679 | #endif | |
1680 | } | |
1681 | ||
6fbf66fa JY |
1682 | /* |
1683 | * initialize tun/tap device object | |
1684 | */ | |
1685 | static void | |
81d882d5 | 1686 | do_init_tun(struct context *c) |
6fbf66fa | 1687 | { |
81d882d5 DS |
1688 | c->c1.tuntap = init_tun(c->options.dev, |
1689 | c->options.dev_type, | |
1690 | c->options.topology, | |
1691 | c->options.ifconfig_local, | |
1692 | c->options.ifconfig_remote_netmask, | |
1693 | c->options.ifconfig_ipv6_local, | |
1694 | c->options.ifconfig_ipv6_netbits, | |
1695 | c->options.ifconfig_ipv6_remote, | |
1696 | c->c1.link_socket_addr.bind_local, | |
1697 | c->c1.link_socket_addr.remote_list, | |
1698 | !c->options.ifconfig_nowarn, | |
1699 | c->c2.es); | |
1700 | ||
1701 | init_tun_post(c->c1.tuntap, | |
1702 | &c->c2.frame, | |
1703 | &c->options.tuntap_options); | |
1704 | ||
1705 | c->c1.tuntap_owned = true; | |
6fbf66fa JY |
1706 | } |
1707 | ||
1708 | /* | |
1709 | * Open tun/tap device, ifconfig, call up script, etc. | |
1710 | */ | |
1711 | ||
1712 | static bool | |
81d882d5 | 1713 | do_open_tun(struct context *c) |
6fbf66fa | 1714 | { |
81d882d5 DS |
1715 | struct gc_arena gc = gc_new(); |
1716 | bool ret = false; | |
6fbf66fa | 1717 | |
bd14d55d | 1718 | #ifndef TARGET_ANDROID |
81d882d5 | 1719 | if (!c->c1.tuntap) |
6fbf66fa | 1720 | { |
bd14d55d AS |
1721 | #endif |
1722 | ||
1723 | #ifdef TARGET_ANDROID | |
81d882d5 DS |
1724 | /* If we emulate persist-tun on android we still have to open a new tun and |
1725 | * then close the old */ | |
1726 | int oldtunfd = -1; | |
1727 | if (c->c1.tuntap) | |
1728 | { | |
1729 | oldtunfd = c->c1.tuntap->fd; | |
da3f583f AS |
1730 | free(c->c1.tuntap); |
1731 | c->c1.tuntap = NULL; | |
1732 | c->c1.tuntap_owned = false; | |
81d882d5 | 1733 | } |
bd14d55d AS |
1734 | #endif |
1735 | ||
81d882d5 DS |
1736 | /* initialize (but do not open) tun/tap object */ |
1737 | do_init_tun(c); | |
6fbf66fa | 1738 | |
445b192a | 1739 | #ifdef _WIN32 |
81d882d5 DS |
1740 | /* store (hide) interactive service handle in tuntap_options */ |
1741 | c->c1.tuntap->options.msg_channel = c->options.msg_channel; | |
1742 | msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) c->options.msg_channel); | |
1743 | #endif | |
1744 | ||
1745 | /* allocate route list structure */ | |
1746 | do_alloc_route_list(c); | |
1747 | ||
1748 | /* parse and resolve the route option list */ | |
1749 | ASSERT(c->c2.link_socket); | |
1750 | if (c->options.routes && c->c1.route_list) | |
1751 | { | |
1752 | do_init_route_list(&c->options, c->c1.route_list, | |
1753 | &c->c2.link_socket->info, c->c2.es); | |
1754 | } | |
1755 | if (c->options.routes_ipv6 && c->c1.route_ipv6_list) | |
1756 | { | |
1757 | do_init_route_ipv6_list(&c->options, c->c1.route_ipv6_list, | |
1758 | &c->c2.link_socket->info, c->c2.es); | |
1759 | } | |
1760 | ||
1761 | /* do ifconfig */ | |
1762 | if (!c->options.ifconfig_noexec | |
1763 | && ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN) | |
1764 | { | |
1765 | /* guess actual tun/tap unit number that will be returned | |
1766 | * by open_tun */ | |
1767 | const char *guess = guess_tuntap_dev(c->options.dev, | |
1768 | c->options.dev_type, | |
1769 | c->options.dev_node, | |
1770 | &gc); | |
1771 | do_ifconfig(c->c1.tuntap, guess, TUN_MTU_SIZE(&c->c2.frame), c->c2.es); | |
1772 | } | |
1773 | ||
1774 | /* possibly add routes */ | |
1775 | if (route_order() == ROUTE_BEFORE_TUN) | |
1776 | { | |
94e6a2da | 1777 | /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */ |
81d882d5 DS |
1778 | do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, |
1779 | c->c1.tuntap, c->plugins, c->c2.es); | |
1780 | } | |
c058cbff | 1781 | #ifdef TARGET_ANDROID |
81d882d5 DS |
1782 | /* Store the old fd inside the fd so open_tun can use it */ |
1783 | c->c1.tuntap->fd = oldtunfd; | |
1784 | #endif | |
1785 | /* open the tun device */ | |
1786 | open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, | |
1787 | c->c1.tuntap); | |
1788 | ||
1789 | /* set the hardware address */ | |
1790 | if (c->options.lladdr) | |
1791 | { | |
1792 | set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es); | |
1793 | } | |
1794 | ||
1795 | /* do ifconfig */ | |
1796 | if (!c->options.ifconfig_noexec | |
1797 | && ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN) | |
1798 | { | |
1799 | do_ifconfig(c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE(&c->c2.frame), c->c2.es); | |
1800 | } | |
1801 | ||
1802 | /* run the up script */ | |
1803 | run_up_down(c->options.up_script, | |
1804 | c->plugins, | |
1805 | OPENVPN_PLUGIN_UP, | |
1806 | c->c1.tuntap->actual_name, | |
445b192a | 1807 | #ifdef _WIN32 |
81d882d5 DS |
1808 | c->c1.tuntap->adapter_index, |
1809 | #endif | |
1810 | dev_type_string(c->options.dev, c->options.dev_type), | |
1811 | TUN_MTU_SIZE(&c->c2.frame), | |
1812 | EXPANDED_SIZE(&c->c2.frame), | |
1813 | print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
1814 | print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1815 | "init", | |
1816 | NULL, | |
1817 | "up", | |
1818 | c->c2.es); | |
6fbf66fa | 1819 | |
445b192a | 1820 | #if defined(_WIN32) |
81d882d5 DS |
1821 | if (c->options.block_outside_dns) |
1822 | { | |
1823 | dmsg(D_LOW, "Blocking outside DNS"); | |
2282b1be | 1824 | if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) |
81d882d5 DS |
1825 | { |
1826 | msg(M_FATAL, "Blocking DNS failed!"); | |
1827 | } | |
1828 | } | |
38c85658 V |
1829 | #endif |
1830 | ||
81d882d5 DS |
1831 | /* possibly add routes */ |
1832 | if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined)) | |
1833 | { | |
1834 | do_route(&c->options, c->c1.route_list, c->c1.route_ipv6_list, | |
1835 | c->c1.tuntap, c->plugins, c->c2.es); | |
1836 | } | |
6fbf66fa | 1837 | |
81d882d5 DS |
1838 | /* |
1839 | * Did tun/tap driver give us an MTU? | |
1840 | */ | |
1841 | if (c->c1.tuntap->post_open_mtu) | |
1842 | { | |
1843 | frame_set_mtu_dynamic(&c->c2.frame, | |
1844 | c->c1.tuntap->post_open_mtu, | |
1845 | SET_MTU_TUN | SET_MTU_UPPER_BOUND); | |
1846 | } | |
6fbf66fa | 1847 | |
81d882d5 DS |
1848 | ret = true; |
1849 | static_context = c; | |
bd14d55d | 1850 | #ifndef TARGET_ANDROID |
81d882d5 DS |
1851 | } |
1852 | else | |
1853 | { | |
1854 | msg(M_INFO, "Preserving previous TUN/TAP instance: %s", | |
1855 | c->c1.tuntap->actual_name); | |
6fbf66fa | 1856 | |
81d882d5 DS |
1857 | /* explicitly set the ifconfig_* env vars */ |
1858 | do_ifconfig_setenv(c->c1.tuntap, c->c2.es); | |
db950be8 | 1859 | |
81d882d5 DS |
1860 | /* run the up script if user specified --up-restart */ |
1861 | if (c->options.up_restart) | |
1862 | { | |
1863 | run_up_down(c->options.up_script, | |
1864 | c->plugins, | |
1865 | OPENVPN_PLUGIN_UP, | |
1866 | c->c1.tuntap->actual_name, | |
445b192a | 1867 | #ifdef _WIN32 |
81d882d5 DS |
1868 | c->c1.tuntap->adapter_index, |
1869 | #endif | |
1870 | dev_type_string(c->options.dev, c->options.dev_type), | |
1871 | TUN_MTU_SIZE(&c->c2.frame), | |
1872 | EXPANDED_SIZE(&c->c2.frame), | |
1873 | print_in_addr_t(c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc), | |
1874 | print_in_addr_t(c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1875 | "restart", | |
1876 | NULL, | |
1877 | "up", | |
1878 | c->c2.es); | |
1879 | } | |
445b192a | 1880 | #if defined(_WIN32) |
81d882d5 DS |
1881 | if (c->options.block_outside_dns) |
1882 | { | |
1883 | dmsg(D_LOW, "Blocking outside DNS"); | |
1884 | if (!win_wfp_block_dns(c->c1.tuntap->adapter_index, c->options.msg_channel)) | |
451d2177 | 1885 | { |
81d882d5 | 1886 | msg(M_FATAL, "Blocking DNS failed!"); |
451d2177 | 1887 | } |
6fbf66fa | 1888 | } |
bd14d55d | 1889 | #endif |
81d882d5 DS |
1890 | |
1891 | } | |
1892 | #endif /* ifndef TARGET_ANDROID */ | |
1893 | gc_free(&gc); | |
1894 | return ret; | |
6fbf66fa JY |
1895 | } |
1896 | ||
1897 | /* | |
1898 | * Close TUN/TAP device | |
1899 | */ | |
1900 | ||
1901 | static void | |
81d882d5 | 1902 | do_close_tun_simple(struct context *c) |
6fbf66fa | 1903 | { |
81d882d5 | 1904 | msg(D_CLOSE, "Closing TUN/TAP interface"); |
0bea472c AQ |
1905 | if (c->c1.tuntap) |
1906 | { | |
1907 | close_tun(c->c1.tuntap); | |
1908 | c->c1.tuntap = NULL; | |
1909 | } | |
81d882d5 | 1910 | c->c1.tuntap_owned = false; |
6fbf66fa | 1911 | #if P2MP |
81d882d5 | 1912 | CLEAR(c->c1.pulled_options_digest_save); |
6fbf66fa JY |
1913 | #endif |
1914 | } | |
1915 | ||
1916 | static void | |
81d882d5 | 1917 | do_close_tun(struct context *c, bool force) |
6fbf66fa | 1918 | { |
81d882d5 DS |
1919 | struct gc_arena gc = gc_new(); |
1920 | if (c->c1.tuntap && c->c1.tuntap_owned) | |
6fbf66fa | 1921 | { |
81d882d5 | 1922 | const char *tuntap_actual = string_alloc(c->c1.tuntap->actual_name, &gc); |
445b192a | 1923 | #ifdef _WIN32 |
81d882d5 | 1924 | DWORD adapter_index = c->c1.tuntap->adapter_index; |
9dff2c1f | 1925 | #endif |
81d882d5 DS |
1926 | const in_addr_t local = c->c1.tuntap->local; |
1927 | const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask; | |
6fbf66fa | 1928 | |
81d882d5 DS |
1929 | if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun)) |
1930 | { | |
1931 | static_context = NULL; | |
0c9eb1d3 | 1932 | |
6fbf66fa | 1933 | #ifdef ENABLE_MANAGEMENT |
81d882d5 DS |
1934 | /* tell management layer we are about to close the TUN/TAP device */ |
1935 | if (management) | |
1936 | { | |
1937 | management_pre_tunnel_close(management); | |
1938 | management_up_down(management, "DOWN", c->c2.es); | |
1939 | } | |
1940 | #endif | |
1941 | ||
1942 | /* delete any routes we added */ | |
1943 | if (c->c1.route_list || c->c1.route_ipv6_list) | |
1944 | { | |
1945 | run_up_down(c->options.route_predown_script, | |
1946 | c->plugins, | |
1947 | OPENVPN_PLUGIN_ROUTE_PREDOWN, | |
1948 | tuntap_actual, | |
445b192a | 1949 | #ifdef _WIN32 |
81d882d5 DS |
1950 | adapter_index, |
1951 | #endif | |
1952 | NULL, | |
1953 | TUN_MTU_SIZE(&c->c2.frame), | |
1954 | EXPANDED_SIZE(&c->c2.frame), | |
1955 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), | |
1956 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1957 | "init", | |
1958 | signal_description(c->sig->signal_received, | |
415421c2 | 1959 | c->sig->signal_text), |
81d882d5 DS |
1960 | "route-pre-down", |
1961 | c->c2.es); | |
415421c2 | 1962 | |
81d882d5 DS |
1963 | delete_routes(c->c1.route_list, c->c1.route_ipv6_list, |
1964 | c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), c->c2.es); | |
415421c2 | 1965 | } |
6fbf66fa | 1966 | |
81d882d5 DS |
1967 | /* actually close tun/tap device based on --down-pre flag */ |
1968 | if (!c->options.down_pre) | |
1969 | { | |
1970 | do_close_tun_simple(c); | |
1971 | } | |
6fbf66fa | 1972 | |
81d882d5 DS |
1973 | /* Run the down script -- note that it will run at reduced |
1974 | * privilege if, for example, "--user nobody" was used. */ | |
1975 | run_up_down(c->options.down_script, | |
1976 | c->plugins, | |
1977 | OPENVPN_PLUGIN_DOWN, | |
1978 | tuntap_actual, | |
445b192a | 1979 | #ifdef _WIN32 |
81d882d5 DS |
1980 | adapter_index, |
1981 | #endif | |
1982 | NULL, | |
1983 | TUN_MTU_SIZE(&c->c2.frame), | |
1984 | EXPANDED_SIZE(&c->c2.frame), | |
1985 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), | |
1986 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
1987 | "init", | |
1988 | signal_description(c->sig->signal_received, | |
1989 | c->sig->signal_text), | |
1990 | "down", | |
1991 | c->c2.es); | |
6fbf66fa | 1992 | |
445b192a | 1993 | #if defined(_WIN32) |
38c85658 V |
1994 | if (c->options.block_outside_dns) |
1995 | { | |
27aa8728 | 1996 | if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) |
81d882d5 DS |
1997 | { |
1998 | msg(M_FATAL, "Uninitialising WFP failed!"); | |
1999 | } | |
38c85658 V |
2000 | } |
2001 | #endif | |
2002 | ||
81d882d5 DS |
2003 | /* actually close tun/tap device based on --down-pre flag */ |
2004 | if (c->options.down_pre) | |
2005 | { | |
2006 | do_close_tun_simple(c); | |
2007 | } | |
2008 | } | |
2009 | else | |
2010 | { | |
2011 | /* run the down script on this restart if --up-restart was specified */ | |
2012 | if (c->options.up_restart) | |
2013 | { | |
2014 | run_up_down(c->options.down_script, | |
2015 | c->plugins, | |
2016 | OPENVPN_PLUGIN_DOWN, | |
2017 | tuntap_actual, | |
445b192a | 2018 | #ifdef _WIN32 |
81d882d5 DS |
2019 | adapter_index, |
2020 | #endif | |
2021 | NULL, | |
2022 | TUN_MTU_SIZE(&c->c2.frame), | |
2023 | EXPANDED_SIZE(&c->c2.frame), | |
2024 | print_in_addr_t(local, IA_EMPTY_IF_UNDEF, &gc), | |
2025 | print_in_addr_t(remote_netmask, IA_EMPTY_IF_UNDEF, &gc), | |
2026 | "restart", | |
2027 | signal_description(c->sig->signal_received, | |
2028 | c->sig->signal_text), | |
2029 | "down", | |
2030 | c->c2.es); | |
2031 | } | |
451d2177 | 2032 | |
445b192a | 2033 | #if defined(_WIN32) |
81d882d5 | 2034 | if (c->options.block_outside_dns) |
451d2177 | 2035 | { |
27aa8728 | 2036 | if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) |
81d882d5 DS |
2037 | { |
2038 | msg(M_FATAL, "Uninitialising WFP failed!"); | |
2039 | } | |
451d2177 SN |
2040 | } |
2041 | #endif | |
2042 | ||
81d882d5 | 2043 | } |
6fbf66fa | 2044 | } |
81d882d5 | 2045 | gc_free(&gc); |
6fbf66fa JY |
2046 | } |
2047 | ||
0c9eb1d3 | 2048 | void |
e2a0cad4 | 2049 | tun_abort(void) |
0c9eb1d3 | 2050 | { |
81d882d5 DS |
2051 | struct context *c = static_context; |
2052 | if (c) | |
0c9eb1d3 | 2053 | { |
81d882d5 DS |
2054 | static_context = NULL; |
2055 | do_close_tun(c, true); | |
0c9eb1d3 JY |
2056 | } |
2057 | } | |
2058 | ||
6fbf66fa JY |
2059 | /* |
2060 | * Handle delayed tun/tap interface bringup due to --up-delay or --pull | |
2061 | */ | |
2062 | ||
827de237 SK |
2063 | #if P2MP |
2064 | /** | |
2065 | * Helper for do_up(). Take two option hashes and return true if they are not | |
2066 | * equal, or either one is all-zeroes. | |
2067 | */ | |
2068 | static bool | |
5b48e8c9 SK |
2069 | options_hash_changed_or_zero(const struct sha256_digest *a, |
2070 | const struct sha256_digest *b) | |
827de237 | 2071 | { |
5b48e8c9 SK |
2072 | const struct sha256_digest zero = {{0}}; |
2073 | return memcmp(a, b, sizeof(struct sha256_digest)) | |
2074 | || !memcmp(a, &zero, sizeof(struct sha256_digest)); | |
827de237 SK |
2075 | } |
2076 | #endif /* P2MP */ | |
2077 | ||
d728ebed | 2078 | bool |
81d882d5 | 2079 | do_up(struct context *c, bool pulled_options, unsigned int option_types_found) |
6fbf66fa | 2080 | { |
81d882d5 | 2081 | if (!c->c2.do_up_ran) |
6fbf66fa | 2082 | { |
81d882d5 | 2083 | reset_coarse_timers(c); |
6fbf66fa | 2084 | |
bd230079 | 2085 | if (pulled_options) |
81d882d5 DS |
2086 | { |
2087 | if (!do_deferred_options(c, option_types_found)) | |
2088 | { | |
2089 | msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options"); | |
2090 | return false; | |
2091 | } | |
2092 | } | |
6fbf66fa | 2093 | |
81d882d5 DS |
2094 | /* if --up-delay specified, open tun, do ifconfig, and run up script now */ |
2095 | if (c->options.up_delay || PULL_DEFINED(&c->options)) | |
2096 | { | |
2097 | c->c2.did_open_tun = do_open_tun(c); | |
2098 | update_time(); | |
6fbf66fa JY |
2099 | |
2100 | #if P2MP | |
81d882d5 DS |
2101 | /* |
2102 | * Was tun interface object persisted from previous restart iteration, | |
2103 | * and if so did pulled options string change from previous iteration? | |
2104 | */ | |
2105 | if (!c->c2.did_open_tun | |
2106 | && PULL_DEFINED(&c->options) | |
2107 | && c->c1.tuntap | |
2108 | && options_hash_changed_or_zero(&c->c1.pulled_options_digest_save, | |
2109 | &c->c2.pulled_options_digest)) | |
2110 | { | |
2111 | /* if so, close tun, delete routes, then reinitialize tun and add routes */ | |
2112 | msg(M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); | |
2113 | do_close_tun(c, true); | |
45b2af9c | 2114 | management_sleep(1); |
81d882d5 DS |
2115 | c->c2.did_open_tun = do_open_tun(c); |
2116 | update_time(); | |
2117 | } | |
2118 | #endif | |
2119 | } | |
2120 | ||
2121 | if (c->c2.did_open_tun) | |
2122 | { | |
6fbf66fa | 2123 | #if P2MP |
81d882d5 DS |
2124 | c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; |
2125 | #endif | |
2126 | ||
2127 | /* if --route-delay was specified, start timer */ | |
2128 | if ((route_order() == ROUTE_AFTER_TUN) && c->options.route_delay_defined) | |
2129 | { | |
2130 | event_timeout_init(&c->c2.route_wakeup, c->options.route_delay, now); | |
2131 | event_timeout_init(&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now); | |
2132 | if (c->c1.tuntap) | |
2133 | { | |
2134 | tun_standby_init(c->c1.tuntap); | |
2135 | } | |
2136 | } | |
2137 | else | |
2138 | { | |
2139 | initialization_sequence_completed(c, 0); /* client/p2p --route-delay undefined */ | |
2140 | } | |
2141 | } | |
2142 | else if (c->options.mode == MODE_POINT_TO_POINT) | |
2143 | { | |
2144 | initialization_sequence_completed(c, 0); /* client/p2p restart with --persist-tun */ | |
2145 | } | |
2146 | ||
2147 | c->c2.do_up_ran = true; | |
2148 | } | |
2149 | return true; | |
6fbf66fa JY |
2150 | } |
2151 | ||
2152 | /* | |
2153 | * These are the option categories which will be accepted by pull. | |
2154 | */ | |
2155 | unsigned int | |
81d882d5 DS |
2156 | pull_permission_mask(const struct context *c) |
2157 | { | |
2158 | unsigned int flags = | |
2159 | OPT_P_UP | |
2160 | | OPT_P_ROUTE_EXTRAS | |
2161 | | OPT_P_SOCKBUF | |
2162 | | OPT_P_SOCKFLAGS | |
2163 | | OPT_P_SETENV | |
2164 | | OPT_P_SHAPER | |
2165 | | OPT_P_TIMER | |
2166 | | OPT_P_COMP | |
2167 | | OPT_P_PERSIST | |
2168 | | OPT_P_MESSAGES | |
2169 | | OPT_P_EXPLICIT_NOTIFY | |
2170 | | OPT_P_ECHO | |
2171 | | OPT_P_PULL_MODE | |
2172 | | OPT_P_PEER_ID; | |
2173 | ||
2174 | if (!c->options.route_nopull) | |
2175 | { | |
2176 | flags |= (OPT_P_ROUTE | OPT_P_IPWIN32); | |
2177 | } | |
3c7f2f55 | 2178 | |
81d882d5 DS |
2179 | if (c->options.ncp_enabled) |
2180 | { | |
2181 | flags |= OPT_P_NCP; | |
2182 | } | |
d728ebed | 2183 | |
81d882d5 | 2184 | return flags; |
6fbf66fa JY |
2185 | } |
2186 | ||
2187 | /* | |
2188 | * Handle non-tun-related pulled options. | |
2189 | */ | |
d728ebed | 2190 | bool |
81d882d5 | 2191 | do_deferred_options(struct context *c, const unsigned int found) |
6fbf66fa | 2192 | { |
81d882d5 | 2193 | if (found & OPT_P_MESSAGES) |
6fbf66fa | 2194 | { |
81d882d5 DS |
2195 | init_verb_mute(c, IVM_LEVEL_1|IVM_LEVEL_2); |
2196 | msg(D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed"); | |
6fbf66fa | 2197 | } |
81d882d5 | 2198 | if (found & OPT_P_TIMER) |
6fbf66fa | 2199 | { |
81d882d5 DS |
2200 | do_init_timers(c, true); |
2201 | msg(D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified"); | |
6fbf66fa JY |
2202 | } |
2203 | ||
2204 | #ifdef ENABLE_OCC | |
81d882d5 | 2205 | if (found & OPT_P_EXPLICIT_NOTIFY) |
6fbf66fa | 2206 | { |
81d882d5 DS |
2207 | if (!proto_is_udp(c->options.ce.proto) && c->options.ce.explicit_exit_notification) |
2208 | { | |
2209 | msg(D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp"); | |
2210 | c->options.ce.explicit_exit_notification = 0; | |
2211 | } | |
2212 | else | |
2213 | { | |
2214 | msg(D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified"); | |
2215 | } | |
6fbf66fa JY |
2216 | } |
2217 | #endif | |
2218 | ||
38d96bd7 | 2219 | #ifdef USE_COMP |
81d882d5 | 2220 | if (found & OPT_P_COMP) |
537073fd | 2221 | { |
81d882d5 DS |
2222 | msg(D_PUSH, "OPTIONS IMPORT: compression parms modified"); |
2223 | comp_uninit(c->c2.comp_context); | |
2224 | c->c2.comp_context = comp_init(&c->options.comp); | |
537073fd JY |
2225 | } |
2226 | #endif | |
2227 | ||
81d882d5 | 2228 | if (found & OPT_P_SHAPER) |
6fbf66fa | 2229 | { |
81d882d5 DS |
2230 | msg(D_PUSH, "OPTIONS IMPORT: traffic shaper enabled"); |
2231 | do_init_traffic_shaper(c); | |
6fbf66fa JY |
2232 | } |
2233 | ||
81d882d5 | 2234 | if (found & OPT_P_SOCKBUF) |
00d39170 | 2235 | { |
81d882d5 DS |
2236 | msg(D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified"); |
2237 | link_socket_update_buffer_sizes(c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf); | |
00d39170 JY |
2238 | } |
2239 | ||
81d882d5 | 2240 | if (found & OPT_P_SOCKFLAGS) |
00d39170 | 2241 | { |
81d882d5 DS |
2242 | msg(D_PUSH, "OPTIONS IMPORT: --socket-flags option modified"); |
2243 | link_socket_update_flags(c->c2.link_socket, c->options.sockflags); | |
00d39170 JY |
2244 | } |
2245 | ||
81d882d5 DS |
2246 | if (found & OPT_P_PERSIST) |
2247 | { | |
2248 | msg(D_PUSH, "OPTIONS IMPORT: --persist options modified"); | |
2249 | } | |
2250 | if (found & OPT_P_UP) | |
2251 | { | |
2252 | msg(D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified"); | |
2253 | } | |
2254 | if (found & OPT_P_ROUTE) | |
2255 | { | |
2256 | msg(D_PUSH, "OPTIONS IMPORT: route options modified"); | |
2257 | } | |
2258 | if (found & OPT_P_ROUTE_EXTRAS) | |
2259 | { | |
2260 | msg(D_PUSH, "OPTIONS IMPORT: route-related options modified"); | |
2261 | } | |
2262 | if (found & OPT_P_IPWIN32) | |
2263 | { | |
2264 | msg(D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified"); | |
2265 | } | |
2266 | if (found & OPT_P_SETENV) | |
2267 | { | |
2268 | msg(D_PUSH, "OPTIONS IMPORT: environment modified"); | |
2269 | } | |
65eedc35 | 2270 | |
81d882d5 DS |
2271 | if (found & OPT_P_PEER_ID) |
2272 | { | |
2273 | msg(D_PUSH, "OPTIONS IMPORT: peer-id set"); | |
2274 | c->c2.tls_multi->use_peer_id = true; | |
2275 | c->c2.tls_multi->peer_id = c->options.peer_id; | |
2276 | frame_add_to_extra_frame(&c->c2.frame, +3); /* peer-id overhead */ | |
2277 | if (!c->options.ce.link_mtu_defined) | |
2278 | { | |
2279 | frame_add_to_link_mtu(&c->c2.frame, +3); | |
2280 | msg(D_PUSH, "OPTIONS IMPORT: adjusting link_mtu to %d", | |
2281 | EXPANDED_SIZE(&c->c2.frame)); | |
2282 | } | |
2283 | else | |
2284 | { | |
2285 | msg(M_WARN, "OPTIONS IMPORT: WARNING: peer-id set, but link-mtu" | |
2286 | " fixed by config - reducing tun-mtu to %d, expect" | |
2287 | " MTU problems", TUN_MTU_SIZE(&c->c2.frame) ); | |
2288 | } | |
2289 | } | |
2290 | ||
2291 | /* process (potentially pushed) crypto options */ | |
2292 | if (c->options.pull) | |
2293 | { | |
2294 | struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; | |
2295 | if (found & OPT_P_NCP) | |
2296 | { | |
2297 | msg(D_PUSH, "OPTIONS IMPORT: data channel crypto options modified"); | |
2298 | } | |
2299 | else if (c->options.ncp_enabled) | |
2300 | { | |
2301 | tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); | |
2302 | } | |
2303 | /* Do not regenerate keys if server sends an extra push reply */ | |
2304 | if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized | |
2305 | && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) | |
2306 | { | |
2307 | msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); | |
2308 | return false; | |
2309 | } | |
2310 | } | |
c7ca9133 | 2311 | |
81d882d5 | 2312 | return true; |
6fbf66fa JY |
2313 | } |
2314 | ||
2315 | /* | |
396d30c2 AS |
2316 | * Possible hold on initialization, holdtime is the |
2317 | * time OpenVPN would wait without management | |
6fbf66fa JY |
2318 | */ |
2319 | static bool | |
81d882d5 | 2320 | do_hold(int holdtime) |
6fbf66fa JY |
2321 | { |
2322 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 | 2323 | if (management) |
6fbf66fa | 2324 | { |
81d882d5 DS |
2325 | /* block until management hold is released */ |
2326 | if (management_hold(management, holdtime)) | |
2327 | { | |
2328 | return true; | |
2329 | } | |
6fbf66fa JY |
2330 | } |
2331 | #endif | |
81d882d5 | 2332 | return false; |
6fbf66fa JY |
2333 | } |
2334 | ||
2335 | /* | |
2336 | * Sleep before restart. | |
2337 | */ | |
2338 | static void | |
81d882d5 | 2339 | socket_restart_pause(struct context *c) |
6fbf66fa | 2340 | { |
81d882d5 DS |
2341 | int sec = 2; |
2342 | int backoff = 0; | |
6fbf66fa | 2343 | |
81d882d5 | 2344 | switch (c->options.ce.proto) |
6fbf66fa | 2345 | { |
81d882d5 DS |
2346 | case PROTO_TCP_SERVER: |
2347 | sec = 1; | |
2348 | break; | |
2349 | ||
2350 | case PROTO_UDP: | |
2351 | case PROTO_TCP_CLIENT: | |
2352 | sec = c->options.ce.connect_retry_seconds; | |
2353 | break; | |
6fbf66fa JY |
2354 | } |
2355 | ||
2356 | #ifdef ENABLE_DEBUG | |
81d882d5 DS |
2357 | if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->options.gremlin)) |
2358 | { | |
2359 | sec = 0; | |
2360 | } | |
6fbf66fa JY |
2361 | #endif |
2362 | ||
2363 | #if P2MP | |
81d882d5 DS |
2364 | if (auth_retry_get() == AR_NOINTERACT) |
2365 | { | |
2366 | sec = 10; | |
2367 | } | |
6fbf66fa JY |
2368 | #endif |
2369 | ||
81d882d5 DS |
2370 | /* Slow down reconnection after 5 retries per remote -- for tcp only in client mode */ |
2371 | if (c->options.ce.proto != PROTO_TCP_SERVER) | |
5d429efd | 2372 | { |
81d882d5 DS |
2373 | backoff = (c->options.unsuccessful_attempts / c->options.connection_list->len) - 4; |
2374 | if (backoff > 0) | |
5d429efd | 2375 | { |
81d882d5 DS |
2376 | /* sec is less than 2^16; we can left shift it by up to 15 bits without overflow */ |
2377 | sec = max_int(sec, 1) << min_int(backoff, 15); | |
5d429efd SN |
2378 | } |
2379 | ||
81d882d5 DS |
2380 | if (sec > c->options.ce.connect_retry_seconds_max) |
2381 | { | |
2382 | sec = c->options.ce.connect_retry_seconds_max; | |
2383 | } | |
5d429efd SN |
2384 | } |
2385 | ||
81d882d5 DS |
2386 | if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec) |
2387 | { | |
2388 | sec = c->persist.restart_sleep_seconds; | |
2389 | } | |
2390 | else if (c->persist.restart_sleep_seconds == -1) | |
2391 | { | |
2392 | sec = 0; | |
2393 | } | |
2394 | c->persist.restart_sleep_seconds = 0; | |
a9c802b2 | 2395 | |
81d882d5 DS |
2396 | /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */ |
2397 | if (do_hold(sec)) | |
2398 | { | |
2399 | sec = 0; | |
2400 | } | |
6fbf66fa | 2401 | |
81d882d5 | 2402 | if (sec) |
6fbf66fa | 2403 | { |
81d882d5 | 2404 | msg(D_RESTART, "Restart pause, %d second(s)", sec); |
45b2af9c | 2405 | management_sleep(sec); |
6fbf66fa JY |
2406 | } |
2407 | } | |
2408 | ||
2409 | /* | |
2410 | * Do a possible pause on context_2 initialization. | |
2411 | */ | |
2412 | static void | |
81d882d5 | 2413 | do_startup_pause(struct context *c) |
6fbf66fa | 2414 | { |
81d882d5 DS |
2415 | if (!c->first_time) |
2416 | { | |
2417 | socket_restart_pause(c); | |
2418 | } | |
2419 | else | |
2420 | { | |
2421 | do_hold(0); /* do management hold on first context initialization */ | |
2422 | } | |
6fbf66fa JY |
2423 | } |
2424 | ||
2425 | /* | |
2426 | * Finalize MTU parameters based on command line or config file options. | |
2427 | */ | |
2428 | static void | |
81d882d5 | 2429 | frame_finalize_options(struct context *c, const struct options *o) |
6fbf66fa | 2430 | { |
81d882d5 DS |
2431 | if (!o) |
2432 | { | |
2433 | o = &c->options; | |
2434 | } | |
6fbf66fa | 2435 | |
81d882d5 DS |
2436 | /* |
2437 | * Set adjustment factor for buffer alignment when no | |
2438 | * cipher is used. | |
2439 | */ | |
2440 | if (!CIPHER_ENABLED(c)) | |
6fbf66fa | 2441 | { |
81d882d5 DS |
2442 | frame_align_to_extra_frame(&c->c2.frame); |
2443 | frame_or_align_flags(&c->c2.frame, | |
2444 | FRAME_HEADROOM_MARKER_FRAGMENT | |
2445 | |FRAME_HEADROOM_MARKER_READ_LINK | |
2446 | |FRAME_HEADROOM_MARKER_READ_STREAM); | |
6fbf66fa | 2447 | } |
81d882d5 DS |
2448 | |
2449 | frame_add_to_extra_buffer(&c->c2.frame, PAYLOAD_ALIGN); | |
2450 | frame_finalize(&c->c2.frame, | |
2451 | o->ce.link_mtu_defined, | |
2452 | o->ce.link_mtu, | |
2453 | o->ce.tun_mtu_defined, | |
2454 | o->ce.tun_mtu); | |
6fbf66fa JY |
2455 | } |
2456 | ||
2457 | /* | |
2458 | * Free a key schedule, including OpenSSL components. | |
2459 | */ | |
2460 | static void | |
81d882d5 | 2461 | key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) |
6fbf66fa | 2462 | { |
81d882d5 DS |
2463 | free_key_ctx_bi(&ks->static_key); |
2464 | if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) | |
6fbf66fa | 2465 | { |
81d882d5 | 2466 | tls_ctx_free(&ks->ssl_ctx); |
19dffdbd | 2467 | free_key_ctx(&ks->tls_crypt_v2_server_key); |
6fbf66fa | 2468 | } |
81d882d5 | 2469 | CLEAR(*ks); |
6fbf66fa JY |
2470 | } |
2471 | ||
6fbf66fa | 2472 | static void |
81d882d5 | 2473 | init_crypto_pre(struct context *c, const unsigned int flags) |
6fbf66fa | 2474 | { |
81d882d5 DS |
2475 | if (c->options.engine) |
2476 | { | |
2477 | crypto_init_lib_engine(c->options.engine); | |
2478 | } | |
6fbf66fa | 2479 | |
81d882d5 | 2480 | if (flags & CF_LOAD_PERSISTED_PACKET_ID) |
6fbf66fa | 2481 | { |
81d882d5 DS |
2482 | /* load a persisted packet-id for cross-session replay-protection */ |
2483 | if (c->options.packet_id_file) | |
2484 | { | |
2485 | packet_id_persist_load(&c->c1.pid_persist, c->options.packet_id_file); | |
2486 | } | |
6fbf66fa JY |
2487 | } |
2488 | ||
0f25d296 | 2489 | #ifdef ENABLE_PREDICTION_RESISTANCE |
81d882d5 DS |
2490 | if (c->options.use_prediction_resistance) |
2491 | { | |
2492 | rand_ctx_enable_prediction_resistance(); | |
2493 | } | |
0f25d296 AJ |
2494 | #endif |
2495 | ||
6fbf66fa JY |
2496 | } |
2497 | ||
2498 | /* | |
2499 | * Static Key Mode (using a pre-shared key) | |
2500 | */ | |
2501 | static void | |
81d882d5 | 2502 | do_init_crypto_static(struct context *c, const unsigned int flags) |
6fbf66fa | 2503 | { |
81d882d5 DS |
2504 | const struct options *options = &c->options; |
2505 | ASSERT(options->shared_secret_file); | |
6fbf66fa | 2506 | |
81d882d5 | 2507 | init_crypto_pre(c, flags); |
2d9c6d20 | 2508 | |
81d882d5 | 2509 | /* Initialize flags */ |
81d882d5 | 2510 | if (c->options.mute_replay_warnings) |
6fbf66fa | 2511 | { |
81d882d5 | 2512 | c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS; |
6fbf66fa JY |
2513 | } |
2514 | ||
81d882d5 DS |
2515 | /* Initialize packet ID tracking */ |
2516 | if (options->replay) | |
6fbf66fa | 2517 | { |
81d882d5 DS |
2518 | packet_id_init(&c->c2.crypto_options.packet_id, |
2519 | options->replay_window, | |
2520 | options->replay_time, | |
2521 | "STATIC", 0); | |
2522 | c->c2.crypto_options.pid_persist = &c->c1.pid_persist; | |
2523 | c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; | |
2524 | packet_id_persist_load_obj(&c->c1.pid_persist, | |
2525 | &c->c2.crypto_options.packet_id); | |
2526 | } | |
6fbf66fa | 2527 | |
81d882d5 DS |
2528 | if (!key_ctx_bi_defined(&c->c1.ks.static_key)) |
2529 | { | |
2530 | /* Get cipher & hash algorithms */ | |
2531 | init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, | |
2532 | options->keysize, options->test_crypto, true); | |
2533 | ||
2534 | /* Read cipher and hmac keys from shared secret file */ | |
2535 | crypto_read_openvpn_key(&c->c1.ks.key_type, &c->c1.ks.static_key, | |
2536 | options->shared_secret_file, | |
2537 | options->shared_secret_file_inline, | |
2538 | options->key_direction, "Static Key Encryption", | |
2539 | "secret"); | |
6fbf66fa | 2540 | } |
81d882d5 | 2541 | else |
6fbf66fa | 2542 | { |
81d882d5 | 2543 | msg(M_INFO, "Re-using pre-shared static key"); |
6fbf66fa JY |
2544 | } |
2545 | ||
81d882d5 DS |
2546 | /* Get key schedule */ |
2547 | c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; | |
6fbf66fa | 2548 | |
81d882d5 | 2549 | /* Compute MTU parameters */ |
ef910e3e SK |
2550 | crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, |
2551 | options->replay, true); | |
6fbf66fa | 2552 | |
ef910e3e SK |
2553 | /* Sanity check on sequence number, and cipher mode options */ |
2554 | check_replay_consistency(&c->c1.ks.key_type, options->replay); | |
6fbf66fa JY |
2555 | } |
2556 | ||
5817b49b AQ |
2557 | /* |
2558 | * Initialize the tls-auth/crypt key context | |
2559 | */ | |
2560 | static void | |
2561 | do_init_tls_wrap_key(struct context *c) | |
2562 | { | |
2563 | const struct options *options = &c->options; | |
2564 | ||
2565 | /* TLS handshake authentication (--tls-auth) */ | |
57d6f103 | 2566 | if (options->ce.tls_auth_file) |
5817b49b AQ |
2567 | { |
2568 | /* Initialize key_type for tls-auth with auth only */ | |
2569 | CLEAR(c->c1.ks.tls_auth_key_type); | |
2570 | if (!streq(options->authname, "none")) | |
2571 | { | |
2572 | c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname); | |
2573 | c->c1.ks.tls_auth_key_type.hmac_length = | |
2574 | md_kt_size(c->c1.ks.tls_auth_key_type.digest); | |
2575 | } | |
2576 | else | |
2577 | { | |
2578 | msg(M_FATAL, "ERROR: tls-auth enabled, but no valid --auth " | |
2579 | "algorithm specified ('%s')", options->authname); | |
2580 | } | |
2581 | ||
2582 | crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, | |
2583 | &c->c1.ks.tls_wrap_key, | |
57d6f103 AQ |
2584 | options->ce.tls_auth_file, |
2585 | options->ce.tls_auth_file_inline, | |
2586 | options->ce.key_direction, | |
5817b49b AQ |
2587 | "Control Channel Authentication", "tls-auth"); |
2588 | } | |
2589 | ||
2590 | /* TLS handshake encryption+authentication (--tls-crypt) */ | |
57d6f103 | 2591 | if (options->ce.tls_crypt_file) |
5817b49b AQ |
2592 | { |
2593 | tls_crypt_init_key(&c->c1.ks.tls_wrap_key, | |
57d6f103 AQ |
2594 | options->ce.tls_crypt_file, |
2595 | options->ce.tls_crypt_inline, options->tls_server); | |
5817b49b | 2596 | } |
19d6d9c3 SK |
2597 | |
2598 | /* tls-crypt with client-specific keys (--tls-crypt-v2) */ | |
2599 | if (options->ce.tls_crypt_v2_file) | |
2600 | { | |
2601 | if (options->tls_server) | |
2602 | { | |
2603 | tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key, | |
2604 | true, options->ce.tls_crypt_v2_file, | |
2605 | options->ce.tls_crypt_v2_inline); | |
2606 | } | |
2607 | else | |
2608 | { | |
2609 | tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key, | |
2610 | &c->c1.ks.tls_crypt_v2_wkc, | |
2611 | options->ce.tls_crypt_v2_file, | |
2612 | options->ce.tls_crypt_v2_inline); | |
2613 | } | |
2614 | } | |
2615 | ||
2616 | ||
5817b49b AQ |
2617 | } |
2618 | ||
6fbf66fa JY |
2619 | /* |
2620 | * Initialize the persistent component of OpenVPN's TLS mode, | |
2621 | * which is preserved across SIGUSR1 resets. | |
2622 | */ | |
2623 | static void | |
81d882d5 | 2624 | do_init_crypto_tls_c1(struct context *c) |
6fbf66fa | 2625 | { |
81d882d5 | 2626 | const struct options *options = &c->options; |
6fbf66fa | 2627 | |
81d882d5 | 2628 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) |
6fbf66fa | 2629 | { |
81d882d5 DS |
2630 | /* |
2631 | * Initialize the OpenSSL library's global | |
2632 | * SSL context. | |
2633 | */ | |
2634 | init_ssl(options, &(c->c1.ks.ssl_ctx)); | |
2635 | if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) | |
2636 | { | |
6fbf66fa | 2637 | #if P2MP |
81d882d5 DS |
2638 | switch (auth_retry_get()) |
2639 | { | |
2640 | case AR_NONE: | |
2641 | msg(M_FATAL, "Error: private key password verification failed"); | |
2642 | break; | |
2643 | ||
2644 | case AR_INTERACT: | |
2645 | ssl_purge_auth(false); | |
2646 | ||
2647 | case AR_NOINTERACT: | |
2648 | c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */ | |
2649 | break; | |
2650 | ||
2651 | default: | |
2652 | ASSERT(0); | |
2653 | } | |
2654 | c->sig->signal_text = "private-key-password-failure"; | |
2655 | return; | |
2656 | #else /* if P2MP */ | |
2657 | msg(M_FATAL, "Error: private key password verification failed"); | |
2658 | #endif | |
2659 | } | |
2660 | ||
2661 | /* Get cipher & hash algorithms */ | |
2662 | init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, | |
2663 | options->keysize, true, true); | |
2664 | ||
2665 | /* Initialize PRNG with config-specified digest */ | |
2666 | prng_init(options->prng_hash, options->prng_nonce_secret_len); | |
2667 | ||
19d6d9c3 | 2668 | /* initialize tls-auth/crypt/crypt-v2 key */ |
5817b49b | 2669 | do_init_tls_wrap_key(c); |
81d882d5 | 2670 | |
1f4309ae | 2671 | #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ |
81d882d5 DS |
2672 | if (options->priv_key_file_inline) |
2673 | { | |
2674 | string_clear(c->options.priv_key_file_inline); | |
2675 | c->options.priv_key_file_inline = NULL; | |
2676 | } | |
d40f2b20 | 2677 | #endif |
6fbf66fa | 2678 | } |
81d882d5 | 2679 | else |
6fbf66fa | 2680 | { |
81d882d5 | 2681 | msg(D_INIT_MEDIUM, "Re-using SSL/TLS context"); |
129d2924 | 2682 | |
5817b49b AQ |
2683 | /* |
2684 | * tls-auth/crypt key can be configured per connection block, therefore | |
2685 | * we must reload it as it may have changed | |
2686 | */ | |
2687 | do_init_tls_wrap_key(c); | |
6fbf66fa JY |
2688 | } |
2689 | } | |
2690 | ||
2691 | static void | |
81d882d5 | 2692 | do_init_crypto_tls(struct context *c, const unsigned int flags) |
6fbf66fa | 2693 | { |
81d882d5 DS |
2694 | const struct options *options = &c->options; |
2695 | struct tls_options to; | |
2696 | bool packet_id_long_form; | |
6fbf66fa | 2697 | |
81d882d5 DS |
2698 | ASSERT(options->tls_server || options->tls_client); |
2699 | ASSERT(!options->test_crypto); | |
6fbf66fa | 2700 | |
81d882d5 | 2701 | init_crypto_pre(c, flags); |
6fbf66fa | 2702 | |
81d882d5 DS |
2703 | /* Make sure we are either a TLS client or server but not both */ |
2704 | ASSERT(options->tls_server == !options->tls_client); | |
6fbf66fa | 2705 | |
81d882d5 DS |
2706 | /* initialize persistent component */ |
2707 | do_init_crypto_tls_c1(c); | |
2708 | if (IS_SIG(c)) | |
2709 | { | |
2710 | return; | |
2711 | } | |
2712 | ||
ef910e3e SK |
2713 | /* Sanity check on sequence number, and cipher mode options */ |
2714 | check_replay_consistency(&c->c1.ks.key_type, options->replay); | |
81d882d5 DS |
2715 | |
2716 | /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ | |
2717 | packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); | |
2718 | ||
2719 | /* Compute MTU parameters (postpone if we push/pull options) */ | |
2720 | if (c->options.pull || c->options.mode == MODE_SERVER) | |
2721 | { | |
2722 | /* Account for worst-case crypto overhead before allocating buffers */ | |
2723 | frame_add_to_extra_frame(&c->c2.frame, crypto_max_overhead()); | |
2724 | } | |
2725 | else | |
2726 | { | |
2727 | crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type, | |
ef910e3e | 2728 | options->replay, packet_id_long_form); |
81d882d5 DS |
2729 | } |
2730 | tls_adjust_frame_parameters(&c->c2.frame); | |
6fbf66fa | 2731 | |
81d882d5 DS |
2732 | /* Set all command-line TLS-related options */ |
2733 | CLEAR(to); | |
2734 | ||
81d882d5 DS |
2735 | if (options->mute_replay_warnings) |
2736 | { | |
2737 | to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS; | |
2738 | } | |
2739 | ||
2740 | to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM); | |
2741 | if (packet_id_long_form) | |
2742 | { | |
2743 | to.crypto_flags |= CO_PACKET_ID_LONG_FORM; | |
2744 | } | |
2745 | ||
2746 | to.ssl_ctx = c->c1.ks.ssl_ctx; | |
2747 | to.key_type = c->c1.ks.key_type; | |
2748 | to.server = options->tls_server; | |
2749 | to.key_method = options->key_method; | |
2750 | to.replay = options->replay; | |
2751 | to.replay_window = options->replay_window; | |
2752 | to.replay_time = options->replay_time; | |
2753 | to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); | |
2754 | to.config_ciphername = c->c1.ciphername; | |
2755 | to.config_authname = c->c1.authname; | |
2756 | to.ncp_enabled = options->ncp_enabled; | |
2757 | to.transition_window = options->transition_window; | |
2758 | to.handshake_window = options->handshake_window; | |
2759 | to.packet_timeout = options->tls_timeout; | |
2760 | to.renegotiate_bytes = options->renegotiate_bytes; | |
2761 | to.renegotiate_packets = options->renegotiate_packets; | |
dd996463 SM |
2762 | if (options->renegotiate_seconds_min < 0) |
2763 | { | |
2764 | /* Add 10% jitter to reneg-sec by default (server side only) */ | |
2765 | int auto_jitter = options->mode != MODE_SERVER ? 0 : | |
2766 | get_random() % max_int(options->renegotiate_seconds / 10, 1); | |
2767 | to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter; | |
2768 | } | |
2769 | else | |
2770 | { | |
2771 | /* Add user-specified jitter to reneg-sec */ | |
2772 | to.renegotiate_seconds = options->renegotiate_seconds - | |
2773 | (get_random() % max_int(options->renegotiate_seconds | |
2774 | - options->renegotiate_seconds_min, 1)); | |
2775 | } | |
81d882d5 DS |
2776 | to.single_session = options->single_session; |
2777 | to.mode = options->mode; | |
2778 | to.pull = options->pull; | |
81d882d5 DS |
2779 | if (options->push_peer_info) /* all there is */ |
2780 | { | |
2781 | to.push_peer_info_detail = 2; | |
2782 | } | |
2783 | else if (options->pull) /* pull clients send some details */ | |
2784 | { | |
2785 | to.push_peer_info_detail = 1; | |
2786 | } | |
2787 | else /* default: no peer-info at all */ | |
2788 | { | |
2789 | to.push_peer_info_detail = 0; | |
2790 | } | |
6fbf66fa | 2791 | |
81d882d5 DS |
2792 | /* should we not xmit any packets until we get an initial |
2793 | * response from client? */ | |
2794 | if (to.server && options->ce.proto == PROTO_TCP_SERVER) | |
2795 | { | |
2796 | to.xmit_hold = true; | |
2797 | } | |
6add6b2f | 2798 | |
6fbf66fa | 2799 | #ifdef ENABLE_OCC |
81d882d5 DS |
2800 | to.disable_occ = !options->occ; |
2801 | #endif | |
2802 | ||
2803 | to.verify_command = options->tls_verify; | |
2804 | to.verify_export_cert = options->tls_export_cert; | |
2805 | to.verify_x509_type = (options->verify_x509_type & 0xff); | |
2806 | to.verify_x509_name = options->verify_x509_name; | |
2807 | to.crl_file = options->crl_file; | |
2808 | to.crl_file_inline = options->crl_file_inline; | |
2809 | to.ssl_flags = options->ssl_flags; | |
2810 | to.ns_cert_type = options->ns_cert_type; | |
2811 | memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku)); | |
2812 | to.remote_cert_eku = options->remote_cert_eku; | |
2813 | to.verify_hash = options->verify_hash; | |
2193d7c0 | 2814 | to.verify_hash_algo = options->verify_hash_algo; |
19dd3ef1 | 2815 | #ifdef ENABLE_X509ALTUSERNAME |
81d882d5 | 2816 | to.x509_username_field = (char *) options->x509_username_field; |
19dd3ef1 | 2817 | #else |
81d882d5 | 2818 | to.x509_username_field = X509_USERNAME_FIELD_DEFAULT; |
19dd3ef1 | 2819 | #endif |
81d882d5 | 2820 | to.es = c->c2.es; |
6fbf66fa JY |
2821 | |
2822 | #ifdef ENABLE_DEBUG | |
81d882d5 | 2823 | to.gremlin = c->options.gremlin; |
6fbf66fa JY |
2824 | #endif |
2825 | ||
81d882d5 | 2826 | to.plugins = c->plugins; |
6fbf66fa | 2827 | |
90efcacb | 2828 | #ifdef MANAGEMENT_DEF_AUTH |
81d882d5 | 2829 | to.mda_context = &c->c2.mda_context; |
90efcacb JY |
2830 | #endif |
2831 | ||
6fbf66fa | 2832 | #if P2MP_SERVER |
81d882d5 DS |
2833 | to.auth_user_pass_verify_script = options->auth_user_pass_verify_script; |
2834 | to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; | |
2835 | to.tmp_dir = options->tmp_dir; | |
2836 | if (options->ccd_exclusive) | |
2837 | { | |
2838 | to.client_config_dir_exclusive = options->client_config_dir; | |
2839 | } | |
2840 | to.auth_user_pass_file = options->auth_user_pass_file; | |
2841 | to.auth_token_generate = options->auth_token_generate; | |
2842 | to.auth_token_lifetime = options->auth_token_lifetime; | |
6fbf66fa JY |
2843 | #endif |
2844 | ||
81d882d5 | 2845 | to.x509_track = options->x509_track; |
9356bae8 | 2846 | |
16d909e2 | 2847 | #if P2MP |
66b9409b | 2848 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 2849 | to.sci = &options->sc_info; |
16d909e2 | 2850 | #endif |
eab3e22f JY |
2851 | #endif |
2852 | ||
38d96bd7 | 2853 | #ifdef USE_COMP |
81d882d5 | 2854 | to.comp_options = options->comp; |
38d96bd7 JY |
2855 | #endif |
2856 | ||
685e486e | 2857 | #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 |
81d882d5 | 2858 | if (options->keying_material_exporter_label) |
685e486e | 2859 | { |
81d882d5 DS |
2860 | to.ekm_size = options->keying_material_exporter_length; |
2861 | if (to.ekm_size < 16 || to.ekm_size > 4095) | |
2862 | { | |
2863 | to.ekm_size = 0; | |
2864 | } | |
685e486e | 2865 | |
81d882d5 DS |
2866 | to.ekm_label = options->keying_material_exporter_label; |
2867 | to.ekm_label_size = strlen(to.ekm_label); | |
685e486e | 2868 | } |
81d882d5 | 2869 | else |
685e486e | 2870 | { |
81d882d5 | 2871 | to.ekm_size = 0; |
685e486e DK |
2872 | } |
2873 | #endif | |
2874 | ||
81d882d5 | 2875 | /* TLS handshake authentication (--tls-auth) */ |
57d6f103 | 2876 | if (options->ce.tls_auth_file) |
6fbf66fa | 2877 | { |
81d882d5 DS |
2878 | to.tls_wrap.mode = TLS_WRAP_AUTH; |
2879 | to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; | |
2880 | to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; | |
2881 | to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; | |
ef910e3e SK |
2882 | crypto_adjust_frame_parameters(&to.frame, &c->c1.ks.tls_auth_key_type, |
2883 | true, true); | |
6fbf66fa JY |
2884 | } |
2885 | ||
81d882d5 | 2886 | /* TLS handshake encryption (--tls-crypt) */ |
19dffdbd SK |
2887 | if (options->ce.tls_crypt_file |
2888 | || (options->ce.tls_crypt_v2_file && options->tls_client)) | |
c6e24fa3 | 2889 | { |
81d882d5 DS |
2890 | to.tls_wrap.mode = TLS_WRAP_CRYPT; |
2891 | to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; | |
2892 | to.tls_wrap.opt.pid_persist = &c->c1.pid_persist; | |
2893 | to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM; | |
2894 | tls_crypt_adjust_frame_parameters(&to.frame); | |
19dffdbd | 2895 | |
19d6d9c3 | 2896 | if (options->ce.tls_crypt_v2_file) |
19dffdbd SK |
2897 | { |
2898 | to.tls_wrap.tls_crypt_v2_wkc = &c->c1.ks.tls_crypt_v2_wkc; | |
2899 | } | |
2900 | } | |
2901 | ||
19d6d9c3 | 2902 | if (options->ce.tls_crypt_v2_file) |
19dffdbd SK |
2903 | { |
2904 | to.tls_crypt_v2 = true; | |
2905 | if (options->tls_server) | |
2906 | { | |
2907 | to.tls_wrap.tls_crypt_v2_server_key = c->c1.ks.tls_crypt_v2_server_key; | |
ff931c5e | 2908 | to.tls_crypt_v2_verify_script = c->options.tls_crypt_v2_verify_script; |
19dffdbd | 2909 | } |
c6e24fa3 SK |
2910 | } |
2911 | ||
81d882d5 DS |
2912 | /* If we are running over TCP, allow for |
2913 | * length prefix */ | |
2914 | socket_adjust_frame_parameters(&to.frame, options->ce.proto); | |
6fbf66fa | 2915 | |
81d882d5 DS |
2916 | /* |
2917 | * Initialize OpenVPN's master TLS-mode object. | |
2918 | */ | |
2919 | if (flags & CF_INIT_TLS_MULTI) | |
2920 | { | |
2921 | c->c2.tls_multi = tls_multi_init(&to); | |
2922 | } | |
6fbf66fa | 2923 | |
81d882d5 DS |
2924 | if (flags & CF_INIT_TLS_AUTH_STANDALONE) |
2925 | { | |
2926 | c->c2.tls_auth_standalone = tls_auth_standalone_init(&to, &c->c2.gc); | |
2927 | } | |
6fbf66fa JY |
2928 | } |
2929 | ||
2930 | static void | |
81d882d5 | 2931 | do_init_finalize_tls_frame(struct context *c) |
6fbf66fa | 2932 | { |
81d882d5 | 2933 | if (c->c2.tls_multi) |
6fbf66fa | 2934 | { |
81d882d5 DS |
2935 | tls_multi_init_finalize(c->c2.tls_multi, &c->c2.frame); |
2936 | ASSERT(EXPANDED_SIZE(&c->c2.tls_multi->opt.frame) <= | |
2937 | EXPANDED_SIZE(&c->c2.frame)); | |
2938 | frame_print(&c->c2.tls_multi->opt.frame, D_MTU_INFO, | |
2939 | "Control Channel MTU parms"); | |
6fbf66fa | 2940 | } |
81d882d5 | 2941 | if (c->c2.tls_auth_standalone) |
6fbf66fa | 2942 | { |
81d882d5 DS |
2943 | tls_auth_standalone_finalize(c->c2.tls_auth_standalone, &c->c2.frame); |
2944 | frame_print(&c->c2.tls_auth_standalone->frame, D_MTU_INFO, | |
2945 | "TLS-Auth MTU parms"); | |
6fbf66fa JY |
2946 | } |
2947 | } | |
2948 | ||
6fbf66fa JY |
2949 | /* |
2950 | * No encryption or authentication. | |
2951 | */ | |
2952 | static void | |
81d882d5 | 2953 | do_init_crypto_none(const struct context *c) |
6fbf66fa | 2954 | { |
81d882d5 DS |
2955 | ASSERT(!c->options.test_crypto); |
2956 | msg(M_WARN, | |
7a1b6a0d DS |
2957 | "******* WARNING *******: All encryption and authentication features " |
2958 | "disabled -- All data will be tunnelled as clear text and will not be " | |
2959 | "protected against man-in-the-middle changes. " | |
2960 | "PLEASE DO RECONSIDER THIS CONFIGURATION!"); | |
6fbf66fa | 2961 | } |
6fbf66fa JY |
2962 | |
2963 | static void | |
81d882d5 | 2964 | do_init_crypto(struct context *c, const unsigned int flags) |
6fbf66fa | 2965 | { |
81d882d5 DS |
2966 | if (c->options.shared_secret_file) |
2967 | { | |
2968 | do_init_crypto_static(c, flags); | |
2969 | } | |
2970 | else if (c->options.tls_server || c->options.tls_client) | |
2971 | { | |
2972 | do_init_crypto_tls(c, flags); | |
2973 | } | |
2974 | else /* no encryption or authentication. */ | |
2975 | { | |
2976 | do_init_crypto_none(c); | |
2977 | } | |
6fbf66fa JY |
2978 | } |
2979 | ||
2980 | static void | |
81d882d5 | 2981 | do_init_frame(struct context *c) |
6fbf66fa | 2982 | { |
38d96bd7 | 2983 | #ifdef USE_COMP |
81d882d5 DS |
2984 | /* |
2985 | * modify frame parameters if compression is enabled | |
2986 | */ | |
2987 | if (comp_enabled(&c->options.comp)) | |
6fbf66fa | 2988 | { |
81d882d5 | 2989 | comp_add_to_extra_frame(&c->c2.frame); |
6fbf66fa | 2990 | |
9403e3f4 | 2991 | #if !defined(ENABLE_LZ4) |
81d882d5 DS |
2992 | /* |
2993 | * Compression usage affects buffer alignment when non-swapped algs | |
2994 | * such as LZO is used. | |
2995 | * Newer algs like LZ4 and comp-stub with COMP_F_SWAP don't need | |
2996 | * any special alignment because of the control-byte swap approach. | |
2997 | * LZO alignment (on the other hand) is problematic because | |
2998 | * the presence of the control byte means that either the output of | |
2999 | * decryption must be written to an unaligned buffer, or the input | |
3000 | * to compression (or packet dispatch if packet is uncompressed) | |
3001 | * must be read from an unaligned buffer. | |
3002 | * This code tries to align the input to compression (or packet | |
3003 | * dispatch if packet is uncompressed) at the cost of requiring | |
3004 | * decryption output to be written to an unaligned buffer, so | |
3005 | * it's more of a tradeoff than an optimal solution and we don't | |
3006 | * include it when we are doing a modern build with LZ4. | |
3007 | * Strictly speaking, on the server it would be better to execute | |
3008 | * this code for every connection after we decide the compression | |
3009 | * method, but currently the frame code doesn't appear to be | |
3010 | * flexible enough for this, since the frame is already established | |
3011 | * before it is known which compression options will be pushed. | |
3012 | */ | |
3013 | if (comp_unswapped_prefix(&c->options.comp) && CIPHER_ENABLED(c)) | |
3014 | { | |
3015 | frame_add_to_align_adjust(&c->c2.frame, COMP_PREFIX_LEN); | |
3016 | frame_or_align_flags(&c->c2.frame, | |
3017 | FRAME_HEADROOM_MARKER_FRAGMENT | |
3018 | |FRAME_HEADROOM_MARKER_DECRYPT); | |
3019 | } | |
38d96bd7 | 3020 | #endif |
6fbf66fa JY |
3021 | |
3022 | #ifdef ENABLE_FRAGMENT | |
81d882d5 | 3023 | comp_add_to_extra_frame(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ |
6fbf66fa JY |
3024 | #endif |
3025 | } | |
38d96bd7 | 3026 | #endif /* USE_COMP */ |
6fbf66fa | 3027 | |
81d882d5 DS |
3028 | /* |
3029 | * Adjust frame size for UDP Socks support. | |
3030 | */ | |
3031 | if (c->options.ce.socks_proxy_server) | |
3032 | { | |
3033 | socks_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); | |
3034 | } | |
3035 | ||
3036 | /* | |
3037 | * Adjust frame size based on the --tun-mtu-extra parameter. | |
3038 | */ | |
3039 | if (c->options.ce.tun_mtu_extra_defined) | |
3040 | { | |
3041 | tun_adjust_frame_parameters(&c->c2.frame, c->options.ce.tun_mtu_extra); | |
3042 | } | |
3043 | ||
3044 | /* | |
3045 | * Adjust frame size based on link socket parameters. | |
3046 | * (Since TCP is a stream protocol, we need to insert | |
3047 | * a packet length uint16_t in the buffer.) | |
3048 | */ | |
3049 | socket_adjust_frame_parameters(&c->c2.frame, c->options.ce.proto); | |
3050 | ||
3051 | /* | |
3052 | * Fill in the blanks in the frame parameters structure, | |
3053 | * make sure values are rational, etc. | |
3054 | */ | |
3055 | frame_finalize_options(c, NULL); | |
6fbf66fa | 3056 | |
38d96bd7 | 3057 | #ifdef USE_COMP |
81d882d5 DS |
3058 | /* |
3059 | * Modify frame parameters if compression is compiled in. | |
3060 | * Should be called after frame_finalize_options. | |
3061 | */ | |
3062 | comp_add_to_extra_buffer(&c->c2.frame); | |
38d96bd7 | 3063 | #ifdef ENABLE_FRAGMENT |
81d882d5 | 3064 | comp_add_to_extra_buffer(&c->c2.frame_fragment_omit); /* omit compression frame delta from final frame_fragment */ |
38d96bd7 JY |
3065 | #endif |
3066 | #endif /* USE_COMP */ | |
3067 | ||
81d882d5 DS |
3068 | /* packets with peer-id (P_DATA_V2) need 3 extra bytes in frame (on client) |
3069 | * and need link_mtu+3 bytes on socket reception (on server). | |
3070 | * | |
3071 | * accomodate receive path in f->extra_link, which has the side effect of | |
3072 | * also increasing send buffers (BUF_SIZE() macro), which need to be | |
3073 | * allocated big enough before receiving peer-id option from server. | |
3074 | * | |
3075 | * f->extra_frame is adjusted when peer-id option is push-received | |
3076 | */ | |
3077 | frame_add_to_extra_link(&c->c2.frame, 3); | |
9e0963c1 | 3078 | |
6fbf66fa | 3079 | #ifdef ENABLE_FRAGMENT |
81d882d5 DS |
3080 | /* |
3081 | * Set frame parameter for fragment code. This is necessary because | |
3082 | * the fragmentation code deals with payloads which have already been | |
3083 | * passed through the compression code. | |
3084 | */ | |
3085 | c->c2.frame_fragment = c->c2.frame; | |
3086 | frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); | |
6fbf66fa JY |
3087 | #endif |
3088 | ||
3089 | #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) | |
81d882d5 DS |
3090 | /* |
3091 | * MTU advisories | |
3092 | */ | |
3093 | if (c->options.ce.fragment && c->options.mtu_test) | |
3094 | { | |
3095 | msg(M_WARN, | |
3096 | "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result"); | |
3097 | } | |
6fbf66fa JY |
3098 | #endif |
3099 | ||
3100 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
3101 | if ((c->options.ce.mssfix || c->options.ce.fragment) |
3102 | && TUN_MTU_SIZE(&c->c2.frame_fragment) != ETHERNET_MTU) | |
3103 | { | |
3104 | msg(M_WARN, | |
3105 | "WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)", | |
3106 | ETHERNET_MTU, TUN_MTU_SIZE(&c->c2.frame_fragment)); | |
3107 | } | |
6fbf66fa JY |
3108 | #endif |
3109 | } | |
3110 | ||
3111 | static void | |
81d882d5 | 3112 | do_option_warnings(struct context *c) |
6fbf66fa | 3113 | { |
81d882d5 | 3114 | const struct options *o = &c->options; |
6fbf66fa | 3115 | |
81d882d5 DS |
3116 | if (o->ping_send_timeout && !o->ping_rec_timeout) |
3117 | { | |
3118 | msg(M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit"); | |
3119 | } | |
6fbf66fa | 3120 | |
81d882d5 | 3121 | if (o->username || o->groupname || o->chroot_dir |
cd5990e0 | 3122 | #ifdef ENABLE_SELINUX |
81d882d5 | 3123 | || o->selinux_context |
99385447 | 3124 | #endif |
81d882d5 DS |
3125 | ) |
3126 | { | |
3127 | if (!o->persist_tun) | |
3128 | { | |
3129 | msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); | |
3130 | } | |
3131 | if (!o->persist_key | |
51b1d4c2 | 3132 | #ifdef ENABLE_PKCS11 |
81d882d5 | 3133 | && !o->pkcs11_id |
51b1d4c2 | 3134 | #endif |
81d882d5 DS |
3135 | ) |
3136 | { | |
3137 | msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); | |
3138 | } | |
3139 | } | |
6fbf66fa | 3140 | |
81d882d5 DS |
3141 | if (o->chroot_dir && !(o->username && o->groupname)) |
3142 | { | |
3143 | msg(M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure"); | |
3144 | } | |
31f90e64 | 3145 | |
6fbf66fa | 3146 | #if P2MP |
81d882d5 DS |
3147 | if (o->pull && o->ifconfig_local && c->first_time) |
3148 | { | |
3149 | msg(M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want"); | |
3150 | } | |
6fbf66fa JY |
3151 | |
3152 | #if P2MP_SERVER | |
81d882d5 DS |
3153 | if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) |
3154 | { | |
3155 | msg(M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to"); | |
3156 | } | |
f77c60d3 | 3157 | |
81d882d5 | 3158 | if (o->mode == MODE_SERVER) |
6fbf66fa | 3159 | { |
81d882d5 DS |
3160 | if (o->duplicate_cn && o->client_config_dir) |
3161 | { | |
3162 | msg(M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want"); | |
3163 | } | |
3164 | if (o->duplicate_cn && o->ifconfig_pool_persist_filename) | |
3165 | { | |
3166 | msg(M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn"); | |
3167 | } | |
3168 | if (!o->keepalive_ping || !o->keepalive_timeout) | |
3169 | { | |
3170 | msg(M_WARN, "WARNING: --keepalive option is missing from server config"); | |
3171 | } | |
6fbf66fa | 3172 | } |
81d882d5 DS |
3173 | #endif /* if P2MP_SERVER */ |
3174 | #endif /* if P2MP */ | |
6fbf66fa | 3175 | |
81d882d5 DS |
3176 | if (!o->replay) |
3177 | { | |
3178 | msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); | |
3179 | } | |
81d882d5 DS |
3180 | |
3181 | if (o->tls_server) | |
3182 | { | |
3183 | warn_on_use_of_common_subnets(); | |
3184 | } | |
3185 | if (o->tls_client | |
3186 | && !o->tls_verify | |
3187 | && o->verify_x509_type == VERIFY_X509_NONE | |
3188 | && !(o->ns_cert_type & NS_CERT_CHECK_SERVER) | |
3189 | && !o->remote_cert_eku) | |
3190 | { | |
3191 | msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); | |
3192 | } | |
2dc33226 SK |
3193 | if (o->ns_cert_type) |
3194 | { | |
3195 | msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."); | |
3196 | } | |
81d882d5 DS |
3197 | |
3198 | /* If a script is used, print appropiate warnings */ | |
3199 | if (o->user_script_used) | |
3200 | { | |
bf97c00f | 3201 | if (script_security() >= SSEC_SCRIPTS) |
81d882d5 DS |
3202 | { |
3203 | msg(M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); | |
3204 | } | |
bf97c00f | 3205 | else if (script_security() >= SSEC_PW_ENV) |
81d882d5 DS |
3206 | { |
3207 | msg(M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); | |
3208 | } | |
3209 | else | |
3210 | { | |
3211 | msg(M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); | |
3212 | } | |
3213 | } | |
6fbf66fa JY |
3214 | } |
3215 | ||
3216 | static void | |
81d882d5 | 3217 | do_init_frame_tls(struct context *c) |
6fbf66fa | 3218 | { |
81d882d5 | 3219 | do_init_finalize_tls_frame(c); |
6fbf66fa JY |
3220 | } |
3221 | ||
3222 | struct context_buffers * | |
81d882d5 | 3223 | init_context_buffers(const struct frame *frame) |
6fbf66fa | 3224 | { |
81d882d5 | 3225 | struct context_buffers *b; |
6fbf66fa | 3226 | |
81d882d5 | 3227 | ALLOC_OBJ_CLEAR(b, struct context_buffers); |
6fbf66fa | 3228 | |
81d882d5 DS |
3229 | b->read_link_buf = alloc_buf(BUF_SIZE(frame)); |
3230 | b->read_tun_buf = alloc_buf(BUF_SIZE(frame)); | |
6fbf66fa | 3231 | |
81d882d5 | 3232 | b->aux_buf = alloc_buf(BUF_SIZE(frame)); |
6fbf66fa | 3233 | |
81d882d5 DS |
3234 | b->encrypt_buf = alloc_buf(BUF_SIZE(frame)); |
3235 | b->decrypt_buf = alloc_buf(BUF_SIZE(frame)); | |
6fbf66fa | 3236 | |
38d96bd7 | 3237 | #ifdef USE_COMP |
81d882d5 DS |
3238 | b->compress_buf = alloc_buf(BUF_SIZE(frame)); |
3239 | b->decompress_buf = alloc_buf(BUF_SIZE(frame)); | |
6fbf66fa JY |
3240 | #endif |
3241 | ||
81d882d5 | 3242 | return b; |
6fbf66fa JY |
3243 | } |
3244 | ||
3245 | void | |
81d882d5 | 3246 | free_context_buffers(struct context_buffers *b) |
6fbf66fa | 3247 | { |
81d882d5 | 3248 | if (b) |
6fbf66fa | 3249 | { |
81d882d5 DS |
3250 | free_buf(&b->read_link_buf); |
3251 | free_buf(&b->read_tun_buf); | |
3252 | free_buf(&b->aux_buf); | |
6fbf66fa | 3253 | |
38d96bd7 | 3254 | #ifdef USE_COMP |
81d882d5 DS |
3255 | free_buf(&b->compress_buf); |
3256 | free_buf(&b->decompress_buf); | |
6fbf66fa JY |
3257 | #endif |
3258 | ||
81d882d5 DS |
3259 | free_buf(&b->encrypt_buf); |
3260 | free_buf(&b->decrypt_buf); | |
6fbf66fa | 3261 | |
81d882d5 | 3262 | free(b); |
6fbf66fa JY |
3263 | } |
3264 | } | |
3265 | ||
3266 | /* | |
3267 | * Now that we know all frame parameters, initialize | |
3268 | * our buffers. | |
3269 | */ | |
3270 | static void | |
81d882d5 | 3271 | do_init_buffers(struct context *c) |
6fbf66fa | 3272 | { |
81d882d5 DS |
3273 | c->c2.buffers = init_context_buffers(&c->c2.frame); |
3274 | c->c2.buffers_owned = true; | |
6fbf66fa JY |
3275 | } |
3276 | ||
3277 | #ifdef ENABLE_FRAGMENT | |
3278 | /* | |
3279 | * Fragmenting code has buffers to initialize | |
3280 | * once frame parameters are known. | |
3281 | */ | |
3282 | static void | |
81d882d5 | 3283 | do_init_fragment(struct context *c) |
6fbf66fa | 3284 | { |
81d882d5 DS |
3285 | ASSERT(c->options.ce.fragment); |
3286 | frame_set_mtu_dynamic(&c->c2.frame_fragment, | |
3287 | c->options.ce.fragment, SET_MTU_UPPER_BOUND); | |
3288 | fragment_frame_init(c->c2.fragment, &c->c2.frame_fragment); | |
6fbf66fa JY |
3289 | } |
3290 | #endif | |
3291 | ||
6fbf66fa JY |
3292 | /* |
3293 | * Allocate our socket object. | |
3294 | */ | |
3295 | static void | |
81d882d5 | 3296 | do_link_socket_new(struct context *c) |
6fbf66fa | 3297 | { |
81d882d5 DS |
3298 | ASSERT(!c->c2.link_socket); |
3299 | c->c2.link_socket = link_socket_new(); | |
3300 | c->c2.link_socket_owned = true; | |
6fbf66fa JY |
3301 | } |
3302 | ||
3303 | /* | |
3304 | * bind the TCP/UDP socket | |
3305 | */ | |
3306 | static void | |
81d882d5 | 3307 | do_init_socket_1(struct context *c, const int mode) |
6fbf66fa | 3308 | { |
81d882d5 | 3309 | unsigned int sockflags = c->options.sockflags; |
dc46c067 JY |
3310 | |
3311 | #if PORT_SHARE | |
81d882d5 DS |
3312 | if (c->options.port_share_host && c->options.port_share_port) |
3313 | { | |
3314 | sockflags |= SF_PORT_SHARE; | |
3315 | } | |
3316 | #endif | |
3317 | ||
3318 | link_socket_init_phase1(c->c2.link_socket, | |
3319 | c->options.ce.local, | |
3320 | c->options.ce.local_port, | |
3321 | c->options.ce.remote, | |
3322 | c->options.ce.remote_port, | |
3323 | c->c1.dns_cache, | |
3324 | c->options.ce.proto, | |
3325 | c->options.ce.af, | |
3326 | c->options.ce.bind_ipv6_only, | |
3327 | mode, | |
3328 | c->c2.accept_from, | |
3329 | c->c1.http_proxy, | |
3330 | c->c1.socks_proxy, | |
6fbf66fa | 3331 | #ifdef ENABLE_DEBUG |
81d882d5 DS |
3332 | c->options.gremlin, |
3333 | #endif | |
3334 | c->options.ce.bind_local, | |
3335 | c->options.ce.remote_float, | |
3336 | c->options.inetd, | |
3337 | &c->c1.link_socket_addr, | |
3338 | c->options.ipchange, | |
3339 | c->plugins, | |
3340 | c->options.resolve_retry_seconds, | |
3341 | c->options.ce.mtu_discover_type, | |
3342 | c->options.rcvbuf, | |
3343 | c->options.sndbuf, | |
3344 | c->options.mark, | |
3345 | &c->c2.server_poll_interval, | |
3346 | sockflags); | |
6fbf66fa JY |
3347 | } |
3348 | ||
3349 | /* | |
3350 | * finalize the TCP/UDP socket | |
3351 | */ | |
3352 | static void | |
81d882d5 | 3353 | do_init_socket_2(struct context *c) |
6fbf66fa | 3354 | { |
81d882d5 DS |
3355 | link_socket_init_phase2(c->c2.link_socket, &c->c2.frame, |
3356 | c->sig); | |
6fbf66fa JY |
3357 | } |
3358 | ||
3359 | /* | |
3360 | * Print MTU INFO | |
3361 | */ | |
3362 | static void | |
81d882d5 | 3363 | do_print_data_channel_mtu_parms(struct context *c) |
6fbf66fa | 3364 | { |
81d882d5 | 3365 | frame_print(&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms"); |
6fbf66fa | 3366 | #ifdef ENABLE_FRAGMENT |
81d882d5 DS |
3367 | if (c->c2.fragment) |
3368 | { | |
3369 | frame_print(&c->c2.frame_fragment, D_MTU_INFO, | |
3370 | "Fragmentation MTU parms"); | |
3371 | } | |
6fbf66fa JY |
3372 | #endif |
3373 | } | |
3374 | ||
3375 | #ifdef ENABLE_OCC | |
3376 | /* | |
3377 | * Get local and remote options compatibility strings. | |
3378 | */ | |
3379 | static void | |
81d882d5 | 3380 | do_compute_occ_strings(struct context *c) |
6fbf66fa | 3381 | { |
81d882d5 | 3382 | struct gc_arena gc = gc_new(); |
6fbf66fa | 3383 | |
81d882d5 DS |
3384 | c->c2.options_string_local = |
3385 | options_string(&c->options, &c->c2.frame, c->c1.tuntap, false, &gc); | |
3386 | c->c2.options_string_remote = | |
3387 | options_string(&c->options, &c->c2.frame, c->c1.tuntap, true, &gc); | |
6fbf66fa | 3388 | |
81d882d5 DS |
3389 | msg(D_SHOW_OCC, "Local Options String (VER=%s): '%s'", |
3390 | options_string_version(c->c2.options_string_local, &gc), | |
3391 | c->c2.options_string_local); | |
3392 | msg(D_SHOW_OCC, "Expected Remote Options String (VER=%s): '%s'", | |
3393 | options_string_version(c->c2.options_string_remote, &gc), | |
3394 | c->c2.options_string_remote); | |
6fbf66fa | 3395 | |
81d882d5 DS |
3396 | if (c->c2.tls_multi) |
3397 | { | |
3398 | tls_multi_init_set_options(c->c2.tls_multi, | |
3399 | c->c2.options_string_local, | |
3400 | c->c2.options_string_remote); | |
3401 | } | |
6fbf66fa | 3402 | |
81d882d5 | 3403 | gc_free(&gc); |
6fbf66fa | 3404 | } |
81d882d5 | 3405 | #endif /* ifdef ENABLE_OCC */ |
6fbf66fa JY |
3406 | |
3407 | /* | |
3408 | * These things can only be executed once per program instantiation. | |
3409 | * Set up for possible UID/GID downgrade, but don't do it yet. | |
3410 | * Daemonize if requested. | |
3411 | */ | |
3412 | static void | |
81d882d5 | 3413 | do_init_first_time(struct context *c) |
6fbf66fa | 3414 | { |
81d882d5 | 3415 | if (c->first_time && !c->c0) |
6fbf66fa | 3416 | { |
81d882d5 | 3417 | struct context_0 *c0; |
92bbb061 | 3418 | |
81d882d5 DS |
3419 | ALLOC_OBJ_CLEAR_GC(c->c0, struct context_0, &c->gc); |
3420 | c0 = c->c0; | |
6fbf66fa | 3421 | |
81d882d5 DS |
3422 | /* get user and/or group that we want to setuid/setgid to */ |
3423 | c0->uid_gid_specified = | |
3424 | platform_group_get(c->options.groupname, &c0->platform_state_group) | |
3425 | |platform_user_get(c->options.username, &c0->platform_state_user); | |
6fbf66fa | 3426 | |
81d882d5 DS |
3427 | /* perform postponed chdir if --daemon */ |
3428 | if (c->did_we_daemonize && c->options.cd_dir == NULL) | |
3429 | { | |
3430 | platform_chdir("/"); | |
3431 | } | |
3432 | ||
3433 | /* should we change scheduling priority? */ | |
3434 | platform_nice(c->options.nice); | |
6fbf66fa JY |
3435 | } |
3436 | } | |
3437 | ||
3438 | /* | |
3439 | * If xinetd/inetd mode, don't allow restart. | |
3440 | */ | |
3441 | static void | |
81d882d5 | 3442 | do_close_check_if_restart_permitted(struct context *c) |
6fbf66fa | 3443 | { |
81d882d5 DS |
3444 | if (c->options.inetd |
3445 | && (c->sig->signal_received == SIGHUP | |
3446 | || c->sig->signal_received == SIGUSR1)) | |
6fbf66fa | 3447 | { |
81d882d5 DS |
3448 | c->sig->signal_received = SIGTERM; |
3449 | msg(M_INFO, | |
3450 | PACKAGE_NAME | |
3451 | " started by inetd/xinetd cannot restart... Exiting."); | |
6fbf66fa JY |
3452 | } |
3453 | } | |
3454 | ||
3455 | /* | |
3456 | * free buffers | |
3457 | */ | |
3458 | static void | |
81d882d5 | 3459 | do_close_free_buf(struct context *c) |
6fbf66fa | 3460 | { |
81d882d5 | 3461 | if (c->c2.buffers_owned) |
6fbf66fa | 3462 | { |
81d882d5 DS |
3463 | free_context_buffers(c->c2.buffers); |
3464 | c->c2.buffers = NULL; | |
3465 | c->c2.buffers_owned = false; | |
6fbf66fa JY |
3466 | } |
3467 | } | |
3468 | ||
3469 | /* | |
3470 | * close TLS | |
3471 | */ | |
3472 | static void | |
81d882d5 | 3473 | do_close_tls(struct context *c) |
6fbf66fa | 3474 | { |
81d882d5 | 3475 | if (c->c2.tls_multi) |
6fbf66fa | 3476 | { |
81d882d5 DS |
3477 | tls_multi_free(c->c2.tls_multi, true); |
3478 | c->c2.tls_multi = NULL; | |
6fbf66fa JY |
3479 | } |
3480 | ||
3481 | #ifdef ENABLE_OCC | |
81d882d5 DS |
3482 | /* free options compatibility strings */ |
3483 | if (c->c2.options_string_local) | |
3484 | { | |
3485 | free(c->c2.options_string_local); | |
3486 | } | |
3487 | if (c->c2.options_string_remote) | |
3488 | { | |
3489 | free(c->c2.options_string_remote); | |
3490 | } | |
3491 | c->c2.options_string_local = c->c2.options_string_remote = NULL; | |
6fbf66fa | 3492 | #endif |
07036fd3 SK |
3493 | |
3494 | if (c->c2.pulled_options_state) | |
3495 | { | |
3496 | md_ctx_cleanup(c->c2.pulled_options_state); | |
3497 | md_ctx_free(c->c2.pulled_options_state); | |
3498 | } | |
6fbf66fa JY |
3499 | } |
3500 | ||
3501 | /* | |
3502 | * Free key schedules | |
3503 | */ | |
3504 | static void | |
81d882d5 | 3505 | do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) |
6fbf66fa | 3506 | { |
5817b49b AQ |
3507 | /* |
3508 | * always free the tls_auth/crypt key. If persist_key is true, the key will | |
3509 | * be reloaded from memory (pre-cached) | |
3510 | */ | |
3511 | free_key_ctx_bi(&c->c1.ks.tls_wrap_key); | |
3512 | CLEAR(c->c1.ks.tls_wrap_key); | |
19dffdbd SK |
3513 | buf_clear(&c->c1.ks.tls_crypt_v2_wkc); |
3514 | free_buf(&c->c1.ks.tls_crypt_v2_wkc); | |
5817b49b | 3515 | |
81d882d5 DS |
3516 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) |
3517 | { | |
3518 | key_schedule_free(&c->c1.ks, free_ssl_ctx); | |
3519 | } | |
6fbf66fa JY |
3520 | } |
3521 | ||
3522 | /* | |
3523 | * Close TCP/UDP connection | |
3524 | */ | |
3525 | static void | |
81d882d5 | 3526 | do_close_link_socket(struct context *c) |
6fbf66fa | 3527 | { |
81d882d5 | 3528 | if (c->c2.link_socket && c->c2.link_socket_owned) |
6fbf66fa | 3529 | { |
81d882d5 DS |
3530 | link_socket_close(c->c2.link_socket); |
3531 | c->c2.link_socket = NULL; | |
6fbf66fa JY |
3532 | } |
3533 | ||
81d882d5 DS |
3534 | |
3535 | /* Preserve the resolved list of remote if the user request to or if we want | |
3536 | * reconnect to the same host again or there are still addresses that need | |
3537 | * to be tried */ | |
3538 | if (!(c->sig->signal_received == SIGUSR1 | |
3539 | && ( (c->options.persist_remote_ip) | |
3540 | || | |
3541 | ( c->sig->source != SIG_SOURCE_HARD | |
3542 | && ((c->c1.link_socket_addr.current_remote && c->c1.link_socket_addr.current_remote->ai_next) | |
3543 | || c->options.no_advance)) | |
3544 | ))) | |
23d61c56 | 3545 | { |
81d882d5 | 3546 | clear_remote_addrlist(&c->c1.link_socket_addr, !c->options.resolve_in_advance); |
23d61c56 AS |
3547 | } |
3548 | ||
3549 | /* Clear the remote actual address when persist_remote_ip is not in use */ | |
3550 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip)) | |
81d882d5 DS |
3551 | { |
3552 | CLEAR(c->c1.link_socket_addr.actual); | |
3553 | } | |
6fbf66fa | 3554 | |
81d882d5 DS |
3555 | if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip)) |
3556 | { | |
3557 | if (c->c1.link_socket_addr.bind_local && !c->options.resolve_in_advance) | |
3558 | { | |
3559 | freeaddrinfo(c->c1.link_socket_addr.bind_local); | |
3560 | } | |
e719a053 | 3561 | |
81d882d5 DS |
3562 | c->c1.link_socket_addr.bind_local = NULL; |
3563 | } | |
6fbf66fa JY |
3564 | } |
3565 | ||
3566 | /* | |
3567 | * Close packet-id persistance file | |
3568 | */ | |
3569 | static void | |
81d882d5 | 3570 | do_close_packet_id(struct context *c) |
6fbf66fa | 3571 | { |
81d882d5 DS |
3572 | packet_id_free(&c->c2.crypto_options.packet_id); |
3573 | packet_id_persist_save(&c->c1.pid_persist); | |
3574 | if (!(c->sig->signal_received == SIGUSR1)) | |
3575 | { | |
3576 | packet_id_persist_close(&c->c1.pid_persist); | |
3577 | } | |
6fbf66fa JY |
3578 | } |
3579 | ||
3580 | #ifdef ENABLE_FRAGMENT | |
3581 | /* | |
3582 | * Close fragmentation handler. | |
3583 | */ | |
3584 | static void | |
81d882d5 | 3585 | do_close_fragment(struct context *c) |
6fbf66fa | 3586 | { |
81d882d5 | 3587 | if (c->c2.fragment) |
6fbf66fa | 3588 | { |
81d882d5 DS |
3589 | fragment_free(c->c2.fragment); |
3590 | c->c2.fragment = NULL; | |
6fbf66fa JY |
3591 | } |
3592 | } | |
3593 | #endif | |
3594 | ||
3595 | /* | |
3596 | * Open and close our event objects. | |
3597 | */ | |
3598 | ||
3599 | static void | |
81d882d5 DS |
3600 | do_event_set_init(struct context *c, |
3601 | bool need_us_timeout) | |
6fbf66fa | 3602 | { |
81d882d5 | 3603 | unsigned int flags = 0; |
6fbf66fa | 3604 | |
81d882d5 | 3605 | c->c2.event_set_max = BASE_N_EVENTS; |
6fbf66fa | 3606 | |
81d882d5 | 3607 | flags |= EVENT_METHOD_FAST; |
6fbf66fa | 3608 | |
81d882d5 DS |
3609 | if (need_us_timeout) |
3610 | { | |
3611 | flags |= EVENT_METHOD_US_TIMEOUT; | |
3612 | } | |
6fbf66fa | 3613 | |
81d882d5 DS |
3614 | c->c2.event_set = event_set_init(&c->c2.event_set_max, flags); |
3615 | c->c2.event_set_owned = true; | |
6fbf66fa JY |
3616 | } |
3617 | ||
3618 | static void | |
81d882d5 | 3619 | do_close_event_set(struct context *c) |
6fbf66fa | 3620 | { |
81d882d5 | 3621 | if (c->c2.event_set && c->c2.event_set_owned) |
6fbf66fa | 3622 | { |
81d882d5 DS |
3623 | event_free(c->c2.event_set); |
3624 | c->c2.event_set = NULL; | |
3625 | c->c2.event_set_owned = false; | |
6fbf66fa JY |
3626 | } |
3627 | } | |
3628 | ||
3629 | /* | |
3630 | * Open and close --status file | |
3631 | */ | |
3632 | ||
3633 | static void | |
81d882d5 | 3634 | do_open_status_output(struct context *c) |
6fbf66fa | 3635 | { |
81d882d5 | 3636 | if (!c->c1.status_output) |
6fbf66fa | 3637 | { |
81d882d5 DS |
3638 | c->c1.status_output = status_open(c->options.status_file, |
3639 | c->options.status_file_update_freq, | |
3640 | -1, | |
3641 | NULL, | |
3642 | STATUS_OUTPUT_WRITE); | |
3643 | c->c1.status_output_owned = true; | |
6fbf66fa JY |
3644 | } |
3645 | } | |
3646 | ||
3647 | static void | |
81d882d5 | 3648 | do_close_status_output(struct context *c) |
6fbf66fa | 3649 | { |
81d882d5 | 3650 | if (!(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 3651 | { |
81d882d5 DS |
3652 | if (c->c1.status_output_owned && c->c1.status_output) |
3653 | { | |
3654 | status_close(c->c1.status_output); | |
3655 | c->c1.status_output = NULL; | |
3656 | c->c1.status_output_owned = false; | |
3657 | } | |
6fbf66fa JY |
3658 | } |
3659 | } | |
3660 | ||
3661 | /* | |
3662 | * Handle ifconfig-pool persistance object. | |
3663 | */ | |
3664 | static void | |
81d882d5 | 3665 | do_open_ifconfig_pool_persist(struct context *c) |
6fbf66fa JY |
3666 | { |
3667 | #if P2MP_SERVER | |
81d882d5 | 3668 | if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename) |
6fbf66fa | 3669 | { |
81d882d5 DS |
3670 | c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init(c->options.ifconfig_pool_persist_filename, |
3671 | c->options.ifconfig_pool_persist_refresh_freq); | |
3672 | c->c1.ifconfig_pool_persist_owned = true; | |
6fbf66fa JY |
3673 | } |
3674 | #endif | |
3675 | } | |
3676 | ||
3677 | static void | |
81d882d5 | 3678 | do_close_ifconfig_pool_persist(struct context *c) |
6fbf66fa JY |
3679 | { |
3680 | #if P2MP_SERVER | |
81d882d5 | 3681 | if (!(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 3682 | { |
81d882d5 DS |
3683 | if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned) |
3684 | { | |
3685 | ifconfig_pool_persist_close(c->c1.ifconfig_pool_persist); | |
3686 | c->c1.ifconfig_pool_persist = NULL; | |
3687 | c->c1.ifconfig_pool_persist_owned = false; | |
3688 | } | |
6fbf66fa JY |
3689 | } |
3690 | #endif | |
3691 | } | |
3692 | ||
3693 | /* | |
3694 | * Inherit environmental variables | |
3695 | */ | |
3696 | ||
3697 | static void | |
81d882d5 | 3698 | do_inherit_env(struct context *c, const struct env_set *src) |
6fbf66fa | 3699 | { |
81d882d5 DS |
3700 | c->c2.es = env_set_create(NULL); |
3701 | c->c2.es_owned = true; | |
3702 | env_set_inherit(c->c2.es, src); | |
6fbf66fa JY |
3703 | } |
3704 | ||
2a64816b | 3705 | static void |
81d882d5 | 3706 | do_env_set_destroy(struct context *c) |
2a64816b | 3707 | { |
81d882d5 | 3708 | if (c->c2.es && c->c2.es_owned) |
2a64816b | 3709 | { |
81d882d5 DS |
3710 | env_set_destroy(c->c2.es); |
3711 | c->c2.es = NULL; | |
3712 | c->c2.es_owned = false; | |
2a64816b JY |
3713 | } |
3714 | } | |
3715 | ||
6fbf66fa JY |
3716 | /* |
3717 | * Fast I/O setup. Fast I/O is an optimization which only works | |
3718 | * if all of the following are true: | |
3719 | * | |
3720 | * (1) The platform is not Windows | |
3721 | * (2) --proto udp is enabled | |
3722 | * (3) --shaper is disabled | |
3723 | */ | |
3724 | static void | |
81d882d5 | 3725 | do_setup_fast_io(struct context *c) |
6fbf66fa | 3726 | { |
81d882d5 | 3727 | if (c->options.fast_io) |
6fbf66fa | 3728 | { |
445b192a | 3729 | #ifdef _WIN32 |
81d882d5 | 3730 | msg(M_INFO, "NOTE: --fast-io is disabled since we are running on Windows"); |
6fbf66fa | 3731 | #else |
81d882d5 DS |
3732 | if (!proto_is_udp(c->options.ce.proto)) |
3733 | { | |
3734 | msg(M_INFO, "NOTE: --fast-io is disabled since we are not using UDP"); | |
3735 | } | |
3736 | else | |
3737 | { | |
3d163bc5 | 3738 | #ifdef ENABLE_FEATURE_SHAPER |
81d882d5 DS |
3739 | if (c->options.shaper) |
3740 | { | |
3741 | msg(M_INFO, "NOTE: --fast-io is disabled since we are using --shaper"); | |
3742 | } | |
3743 | else | |
0475d17e | 3744 | #endif |
81d882d5 DS |
3745 | { |
3746 | c->c2.fast_io = true; | |
3747 | } | |
3748 | } | |
6fbf66fa JY |
3749 | #endif |
3750 | } | |
3751 | } | |
3752 | ||
3753 | static void | |
81d882d5 | 3754 | do_signal_on_tls_errors(struct context *c) |
6fbf66fa | 3755 | { |
81d882d5 DS |
3756 | if (c->options.tls_exit) |
3757 | { | |
3758 | c->c2.tls_exit_signal = SIGTERM; | |
3759 | } | |
3760 | else | |
3761 | { | |
3762 | c->c2.tls_exit_signal = SIGUSR1; | |
3763 | } | |
6fbf66fa JY |
3764 | } |
3765 | ||
3c7f2f55 | 3766 | #ifdef ENABLE_PLUGIN |
6fbf66fa | 3767 | |
3c7f2f55 | 3768 | void |
81d882d5 | 3769 | init_plugins(struct context *c) |
6fbf66fa | 3770 | { |
81d882d5 | 3771 | if (c->options.plugin_list && !c->plugins) |
e1791bb1 | 3772 | { |
81d882d5 DS |
3773 | c->plugins = plugin_list_init(c->options.plugin_list); |
3774 | c->plugins_owned = true; | |
e1791bb1 JY |
3775 | } |
3776 | } | |
3777 | ||
3778 | void | |
81d882d5 DS |
3779 | open_plugins(struct context *c, const bool import_options, int init_point) |
3780 | { | |
3781 | if (c->plugins && c->plugins_owned) | |
3782 | { | |
3783 | if (import_options) | |
3784 | { | |
3785 | struct plugin_return pr, config; | |
3786 | plugin_return_init(&pr); | |
3787 | plugin_list_open(c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point); | |
3788 | plugin_return_get_column(&pr, &config, "config"); | |
3789 | if (plugin_return_defined(&config)) | |
3790 | { | |
3791 | int i; | |
3792 | for (i = 0; i < config.n; ++i) | |
3793 | { | |
3794 | unsigned int option_types_found = 0; | |
3795 | if (config.list[i] && config.list[i]->value) | |
3796 | { | |
3797 | options_string_import(&c->options, | |
3798 | config.list[i]->value, | |
3799 | D_IMPORT_ERRORS|M_OPTERR, | |
3800 | OPT_P_DEFAULT & ~OPT_P_PLUGIN, | |
3801 | &option_types_found, | |
3802 | c->es); | |
3803 | } | |
3804 | } | |
3805 | } | |
3806 | plugin_return_free(&pr); | |
3807 | } | |
3808 | else | |
3809 | { | |
3810 | plugin_list_open(c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point); | |
3811 | } | |
6fbf66fa | 3812 | } |
6fbf66fa JY |
3813 | } |
3814 | ||
3815 | static void | |
81d882d5 | 3816 | do_close_plugins(struct context *c) |
6fbf66fa | 3817 | { |
81d882d5 | 3818 | if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1)) |
6fbf66fa | 3819 | { |
81d882d5 DS |
3820 | plugin_list_close(c->plugins); |
3821 | c->plugins = NULL; | |
3822 | c->plugins_owned = false; | |
6fbf66fa | 3823 | } |
6fbf66fa JY |
3824 | } |
3825 | ||
3c7f2f55 | 3826 | static void |
81d882d5 | 3827 | do_inherit_plugins(struct context *c, const struct context *src) |
3c7f2f55 | 3828 | { |
81d882d5 | 3829 | if (!c->plugins && src->plugins) |
3c7f2f55 | 3830 | { |
81d882d5 DS |
3831 | c->plugins = plugin_list_inherit(src->plugins); |
3832 | c->plugins_owned = true; | |
3c7f2f55 JY |
3833 | } |
3834 | } | |
3835 | ||
81d882d5 | 3836 | #endif /* ifdef ENABLE_PLUGIN */ |
3c7f2f55 | 3837 | |
6fbf66fa JY |
3838 | #ifdef ENABLE_MANAGEMENT |
3839 | ||
3840 | static void | |
81d882d5 | 3841 | management_callback_status_p2p(void *arg, const int version, struct status_output *so) |
6fbf66fa | 3842 | { |
81d882d5 DS |
3843 | struct context *c = (struct context *) arg; |
3844 | print_status(c, so); | |
6fbf66fa JY |
3845 | } |
3846 | ||
3847 | void | |
81d882d5 | 3848 | management_show_net_callback(void *arg, const int msglevel) |
6fbf66fa | 3849 | { |
445b192a | 3850 | #ifdef _WIN32 |
81d882d5 DS |
3851 | show_routes(msglevel); |
3852 | show_adapters(msglevel); | |
3853 | msg(msglevel, "END"); | |
6fbf66fa | 3854 | #else |
81d882d5 | 3855 | msg(msglevel, "ERROR: Sorry, this command is currently only implemented on Windows"); |
6fbf66fa JY |
3856 | #endif |
3857 | } | |
3858 | ||
30003978 AS |
3859 | #ifdef TARGET_ANDROID |
3860 | int | |
81d882d5 | 3861 | management_callback_network_change(void *arg, bool samenetwork) |
30003978 AS |
3862 | { |
3863 | /* Check if the client should translate the network change to a SIGUSR1 to | |
81d882d5 DS |
3864 | * reestablish the connection or just reprotect the socket |
3865 | * | |
3866 | * At the moment just assume that, for all settings that use pull (not | |
3867 | * --static) and are not using peer-id reestablishing the connection is | |
3868 | * required (unless the network is the same) | |
3869 | * | |
3870 | * The function returns -1 on invalid fd and -2 if the socket cannot be | |
3871 | * reused. On the -2 return value the man_network_change function triggers | |
3872 | * a SIGUSR1 to force a reconnect. | |
3873 | */ | |
3874 | ||
3875 | int socketfd = -1; | |
3876 | struct context *c = (struct context *) arg; | |
3877 | if (!c->c2.link_socket) | |
3878 | { | |
3879 | return -1; | |
3880 | } | |
3881 | if (c->c2.link_socket->sd == SOCKET_UNDEFINED) | |
3882 | { | |
3883 | return -1; | |
3884 | } | |
30003978 | 3885 | |
81d882d5 DS |
3886 | socketfd = c->c2.link_socket->sd; |
3887 | if (!c->options.pull || c->c2.tls_multi->use_peer_id || samenetwork) | |
3888 | { | |
3889 | return socketfd; | |
3890 | } | |
3891 | else | |
3892 | { | |
3893 | return -2; | |
3894 | } | |
30003978 | 3895 | } |
81d882d5 | 3896 | #endif /* ifdef TARGET_ANDROID */ |
30003978 | 3897 | |
81d882d5 | 3898 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
3899 | |
3900 | void | |
81d882d5 | 3901 | init_management_callback_p2p(struct context *c) |
6fbf66fa JY |
3902 | { |
3903 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 DS |
3904 | if (management) |
3905 | { | |
3906 | struct management_callback cb; | |
3907 | CLEAR(cb); | |
3908 | cb.arg = c; | |
3909 | cb.status = management_callback_status_p2p; | |
3910 | cb.show_net = management_show_net_callback; | |
3911 | cb.proxy_cmd = management_callback_proxy_cmd; | |
3912 | cb.remote_cmd = management_callback_remote_cmd; | |
30003978 | 3913 | #ifdef TARGET_ANDROID |
81d882d5 | 3914 | cb.network_change = management_callback_network_change; |
30003978 | 3915 | #endif |
81d882d5 | 3916 | management_set_callback(management, &cb); |
6fbf66fa JY |
3917 | } |
3918 | #endif | |
3919 | } | |
3920 | ||
3921 | #ifdef ENABLE_MANAGEMENT | |
3922 | ||
3923 | void | |
81d882d5 | 3924 | init_management(struct context *c) |
6fbf66fa | 3925 | { |
81d882d5 DS |
3926 | if (!management) |
3927 | { | |
3928 | management = management_init(); | |
3929 | } | |
6fbf66fa JY |
3930 | } |
3931 | ||
3932 | bool | |
81d882d5 DS |
3933 | open_management(struct context *c) |
3934 | { | |
3935 | /* initialize management layer */ | |
3936 | if (management) | |
3937 | { | |
3938 | if (c->options.management_addr) | |
3939 | { | |
3940 | unsigned int flags = c->options.management_flags; | |
3941 | if (c->options.mode == MODE_SERVER) | |
3942 | { | |
3943 | flags |= MF_SERVER; | |
3944 | } | |
3945 | if (management_open(management, | |
3946 | c->options.management_addr, | |
3947 | c->options.management_port, | |
3948 | c->options.management_user_pass, | |
3949 | c->options.management_client_user, | |
3950 | c->options.management_client_group, | |
3951 | c->options.management_log_history_cache, | |
3952 | c->options.management_echo_buffer_size, | |
3953 | c->options.management_state_buffer_size, | |
3954 | c->options.management_write_peer_info_file, | |
3955 | c->options.remap_sigusr1, | |
3956 | flags)) | |
3957 | { | |
3958 | management_set_state(management, | |
3959 | OPENVPN_STATE_CONNECTING, | |
3960 | NULL, | |
3961 | NULL, | |
3962 | NULL, | |
3963 | NULL, | |
3964 | NULL); | |
3965 | } | |
3966 | ||
3967 | /* initial management hold, called early, before first context initialization */ | |
3968 | do_hold(0); | |
3969 | if (IS_SIG(c)) | |
3970 | { | |
3971 | msg(M_WARN, "Signal received from management interface, exiting"); | |
3972 | return false; | |
3973 | } | |
3974 | } | |
3975 | else | |
3976 | { | |
3977 | close_management(); | |
3978 | } | |
3979 | } | |
3980 | return true; | |
6fbf66fa JY |
3981 | } |
3982 | ||
3983 | void | |
81d882d5 | 3984 | close_management(void) |
6fbf66fa | 3985 | { |
81d882d5 | 3986 | if (management) |
6fbf66fa | 3987 | { |
81d882d5 DS |
3988 | management_close(management); |
3989 | management = NULL; | |
6fbf66fa JY |
3990 | } |
3991 | } | |
3992 | ||
81d882d5 | 3993 | #endif /* ifdef ENABLE_MANAGEMENT */ |
6fbf66fa JY |
3994 | |
3995 | ||
3996 | void | |
81d882d5 | 3997 | uninit_management_callback(void) |
6fbf66fa JY |
3998 | { |
3999 | #ifdef ENABLE_MANAGEMENT | |
81d882d5 | 4000 | if (management) |
6fbf66fa | 4001 | { |
81d882d5 | 4002 | management_clear_callback(management); |
6fbf66fa JY |
4003 | } |
4004 | #endif | |
4005 | } | |
4006 | ||
4007 | /* | |
4008 | * Initialize a tunnel instance, handle pre and post-init | |
4009 | * signal settings. | |
4010 | */ | |
4011 | void | |
81d882d5 | 4012 | init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags) |
6fbf66fa | 4013 | { |
81d882d5 DS |
4014 | pre_init_signal_catch(); |
4015 | init_instance(c, env, flags); | |
4016 | post_init_signal_catch(); | |
4017 | ||
4018 | /* | |
4019 | * This is done so that signals thrown during | |
4020 | * initialization can bring us back to | |
4021 | * a management hold. | |
4022 | */ | |
4023 | if (IS_SIG(c)) | |
d5badcf1 | 4024 | { |
81d882d5 DS |
4025 | remap_signal(c); |
4026 | uninit_management_callback(); | |
d5badcf1 | 4027 | } |
6fbf66fa JY |
4028 | } |
4029 | ||
4030 | /* | |
4031 | * Initialize a tunnel instance. | |
4032 | */ | |
4033 | void | |
81d882d5 | 4034 | init_instance(struct context *c, const struct env_set *env, const unsigned int flags) |
6fbf66fa | 4035 | { |
81d882d5 DS |
4036 | const struct options *options = &c->options; |
4037 | const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP); | |
4038 | int link_socket_mode = LS_MODE_DEFAULT; | |
6fbf66fa | 4039 | |
81d882d5 DS |
4040 | /* init garbage collection level */ |
4041 | gc_init(&c->c2.gc); | |
6fbf66fa | 4042 | |
81d882d5 DS |
4043 | /* inherit environmental variables */ |
4044 | if (env) | |
4045 | { | |
4046 | do_inherit_env(c, env); | |
4047 | } | |
ac1c2f25 | 4048 | |
81d882d5 DS |
4049 | /* signals caught here will abort */ |
4050 | c->sig->signal_received = 0; | |
4051 | c->sig->signal_text = NULL; | |
4052 | c->sig->source = SIG_SOURCE_SOFT; | |
6fbf66fa | 4053 | |
81d882d5 DS |
4054 | if (c->mode == CM_P2P) |
4055 | { | |
4056 | init_management_callback_p2p(c); | |
4057 | } | |
3cf6c932 | 4058 | |
81d882d5 DS |
4059 | /* possible sleep or management hold if restart */ |
4060 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
3cf6c932 | 4061 | { |
81d882d5 DS |
4062 | do_startup_pause(c); |
4063 | if (IS_SIG(c)) | |
4064 | { | |
4065 | goto sig; | |
4066 | } | |
3cf6c932 JY |
4067 | } |
4068 | ||
81d882d5 | 4069 | if (c->options.resolve_in_advance) |
e719a053 | 4070 | { |
81d882d5 DS |
4071 | do_preresolve(c); |
4072 | if (IS_SIG(c)) | |
4073 | { | |
4074 | goto sig; | |
4075 | } | |
e719a053 AS |
4076 | } |
4077 | ||
81d882d5 DS |
4078 | /* map in current connection entry */ |
4079 | next_connection_entry(c); | |
4e9a51d7 | 4080 | |
81d882d5 DS |
4081 | /* link_socket_mode allows CM_CHILD_TCP |
4082 | * instances to inherit acceptable fds | |
4083 | * from a top-level parent */ | |
4084 | if (c->options.ce.proto == PROTO_TCP_SERVER) | |
6fbf66fa | 4085 | { |
81d882d5 DS |
4086 | if (c->mode == CM_TOP) |
4087 | { | |
4088 | link_socket_mode = LS_MODE_TCP_LISTEN; | |
4089 | } | |
4090 | else if (c->mode == CM_CHILD_TCP) | |
4091 | { | |
4092 | link_socket_mode = LS_MODE_TCP_ACCEPT_FROM; | |
4093 | } | |
6fbf66fa JY |
4094 | } |
4095 | ||
81d882d5 DS |
4096 | /* should we disable paging? */ |
4097 | if (c->first_time && options->mlock) | |
4098 | { | |
4099 | platform_mlockall(true); | |
4100 | } | |
6fbf66fa | 4101 | |
92bbb061 | 4102 | #if P2MP |
81d882d5 DS |
4103 | /* get passwords if undefined */ |
4104 | if (auth_retry_get() == AR_INTERACT) | |
4105 | { | |
4106 | init_query_passwords(c); | |
4107 | } | |
92bbb061 JY |
4108 | #endif |
4109 | ||
81d882d5 DS |
4110 | /* initialize context level 2 --verb/--mute parms */ |
4111 | init_verb_mute(c, IVM_LEVEL_2); | |
4112 | ||
4113 | /* set error message delay for non-server modes */ | |
4114 | if (c->mode == CM_P2P) | |
4115 | { | |
4116 | set_check_status_error_delay(P2P_ERROR_DELAY_MS); | |
4117 | } | |
6fbf66fa | 4118 | |
81d882d5 DS |
4119 | /* warn about inconsistent options */ |
4120 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4121 | { | |
4122 | do_option_warnings(c); | |
4123 | } | |
6fbf66fa | 4124 | |
3c7f2f55 | 4125 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4126 | /* initialize plugins */ |
4127 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4128 | { | |
4129 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON); | |
4130 | } | |
3c7f2f55 | 4131 | #endif |
6fbf66fa | 4132 | |
81d882d5 DS |
4133 | /* should we enable fast I/O? */ |
4134 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4135 | { | |
4136 | do_setup_fast_io(c); | |
4137 | } | |
6fbf66fa | 4138 | |
81d882d5 DS |
4139 | /* should we throw a signal on TLS errors? */ |
4140 | do_signal_on_tls_errors(c); | |
6fbf66fa | 4141 | |
81d882d5 DS |
4142 | /* open --status file */ |
4143 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4144 | { | |
4145 | do_open_status_output(c); | |
4146 | } | |
6fbf66fa | 4147 | |
81d882d5 DS |
4148 | /* open --ifconfig-pool-persist file */ |
4149 | if (c->mode == CM_TOP) | |
4150 | { | |
4151 | do_open_ifconfig_pool_persist(c); | |
4152 | } | |
6fbf66fa JY |
4153 | |
4154 | #ifdef ENABLE_OCC | |
81d882d5 DS |
4155 | /* reset OCC state */ |
4156 | if (c->mode == CM_P2P || child) | |
4157 | { | |
4158 | c->c2.occ_op = occ_reset_op(); | |
4159 | } | |
6fbf66fa JY |
4160 | #endif |
4161 | ||
81d882d5 DS |
4162 | /* our wait-for-i/o objects, different for posix vs. win32 */ |
4163 | if (c->mode == CM_P2P) | |
4164 | { | |
4165 | do_event_set_init(c, SHAPER_DEFINED(&c->options)); | |
4166 | } | |
4167 | else if (c->mode == CM_CHILD_TCP) | |
4168 | { | |
4169 | do_event_set_init(c, false); | |
4170 | } | |
6fbf66fa | 4171 | |
81d882d5 DS |
4172 | /* initialize HTTP or SOCKS proxy object at scope level 2 */ |
4173 | init_proxy(c); | |
4e9a51d7 | 4174 | |
81d882d5 DS |
4175 | /* allocate our socket object */ |
4176 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4177 | { | |
4178 | do_link_socket_new(c); | |
4179 | } | |
6fbf66fa JY |
4180 | |
4181 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4182 | /* initialize internal fragmentation object */ |
4183 | if (options->ce.fragment && (c->mode == CM_P2P || child)) | |
4184 | { | |
4185 | c->c2.fragment = fragment_init(&c->c2.frame); | |
4186 | } | |
6fbf66fa JY |
4187 | #endif |
4188 | ||
81d882d5 DS |
4189 | /* init crypto layer */ |
4190 | { | |
4191 | unsigned int crypto_flags = 0; | |
4192 | if (c->mode == CM_TOP) | |
4193 | { | |
4194 | crypto_flags = CF_INIT_TLS_AUTH_STANDALONE; | |
4195 | } | |
4196 | else if (c->mode == CM_P2P) | |
4197 | { | |
4198 | crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI; | |
4199 | } | |
4200 | else if (child) | |
4201 | { | |
4202 | crypto_flags = CF_INIT_TLS_MULTI; | |
4203 | } | |
4204 | do_init_crypto(c, crypto_flags); | |
4205 | if (IS_SIG(c) && !child) | |
4206 | { | |
4207 | goto sig; | |
4208 | } | |
4209 | } | |
6fbf66fa | 4210 | |
38d96bd7 | 4211 | #ifdef USE_COMP |
81d882d5 DS |
4212 | /* initialize compression library. */ |
4213 | if (comp_enabled(&options->comp) && (c->mode == CM_P2P || child)) | |
4214 | { | |
4215 | c->c2.comp_context = comp_init(&options->comp); | |
4216 | } | |
6fbf66fa JY |
4217 | #endif |
4218 | ||
81d882d5 DS |
4219 | /* initialize MTU variables */ |
4220 | do_init_frame(c); | |
6fbf66fa | 4221 | |
81d882d5 DS |
4222 | /* initialize TLS MTU variables */ |
4223 | do_init_frame_tls(c); | |
6fbf66fa | 4224 | |
81d882d5 DS |
4225 | /* init workspace buffers whose size is derived from frame size */ |
4226 | if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP) | |
4227 | { | |
4228 | do_init_buffers(c); | |
4229 | } | |
6fbf66fa JY |
4230 | |
4231 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4232 | /* initialize internal fragmentation capability with known frame size */ |
4233 | if (options->ce.fragment && (c->mode == CM_P2P || child)) | |
4234 | { | |
4235 | do_init_fragment(c); | |
4236 | } | |
6fbf66fa JY |
4237 | #endif |
4238 | ||
81d882d5 DS |
4239 | /* initialize dynamic MTU variable */ |
4240 | frame_init_mssfix(&c->c2.frame, &c->options); | |
6fbf66fa | 4241 | |
81d882d5 DS |
4242 | /* bind the TCP/UDP socket */ |
4243 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4244 | { | |
4245 | do_init_socket_1(c, link_socket_mode); | |
4246 | } | |
6fbf66fa | 4247 | |
81d882d5 DS |
4248 | /* initialize tun/tap device object, |
4249 | * open tun/tap device, ifconfig, run up script, etc. */ | |
4250 | if (!(options->up_delay || PULL_DEFINED(options)) && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
4251 | { | |
4252 | c->c2.did_open_tun = do_open_tun(c); | |
4253 | } | |
6fbf66fa | 4254 | |
9900e023 SK |
4255 | c->c2.frame_initial = c->c2.frame; |
4256 | ||
81d882d5 DS |
4257 | /* print MTU info */ |
4258 | do_print_data_channel_mtu_parms(c); | |
6fbf66fa JY |
4259 | |
4260 | #ifdef ENABLE_OCC | |
81d882d5 DS |
4261 | /* get local and remote options compatibility strings */ |
4262 | if (c->mode == CM_P2P || child) | |
4263 | { | |
4264 | do_compute_occ_strings(c); | |
4265 | } | |
6fbf66fa JY |
4266 | #endif |
4267 | ||
81d882d5 DS |
4268 | /* initialize output speed limiter */ |
4269 | if (c->mode == CM_P2P) | |
4270 | { | |
4271 | do_init_traffic_shaper(c); | |
4272 | } | |
6fbf66fa | 4273 | |
81d882d5 DS |
4274 | /* do one-time inits, and possibily become a daemon here */ |
4275 | do_init_first_time(c); | |
6fbf66fa | 4276 | |
e1791bb1 | 4277 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4278 | /* initialize plugins */ |
4279 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4280 | { | |
4281 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON); | |
4282 | } | |
e1791bb1 JY |
4283 | #endif |
4284 | ||
81d882d5 DS |
4285 | /* initialise connect timeout timer */ |
4286 | do_init_server_poll_timeout(c); | |
4db06290 | 4287 | |
81d882d5 DS |
4288 | /* finalize the TCP/UDP socket */ |
4289 | if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP) | |
4290 | { | |
4291 | do_init_socket_2(c); | |
4292 | } | |
b3e97582 | 4293 | |
81d882d5 DS |
4294 | /* |
4295 | * Actually do UID/GID downgrade, and chroot, if requested. | |
4296 | * May be delayed by --client, --pull, or --up-delay. | |
4297 | */ | |
4298 | do_uid_gid_chroot(c, c->c2.did_open_tun); | |
6fbf66fa | 4299 | |
81d882d5 DS |
4300 | /* initialize timers */ |
4301 | if (c->mode == CM_P2P || child) | |
4302 | { | |
4303 | do_init_timers(c, false); | |
4304 | } | |
6fbf66fa | 4305 | |
e1791bb1 | 4306 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4307 | /* initialize plugins */ |
4308 | if (c->mode == CM_P2P || c->mode == CM_TOP) | |
4309 | { | |
4310 | open_plugins(c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE); | |
4311 | } | |
e1791bb1 JY |
4312 | #endif |
4313 | ||
6add6b2f | 4314 | #if PORT_SHARE |
81d882d5 DS |
4315 | /* share OpenVPN port with foreign (such as HTTPS) server */ |
4316 | if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP)) | |
4317 | { | |
4318 | init_port_share(c); | |
4319 | } | |
6add6b2f | 4320 | #endif |
81d882d5 | 4321 | |
47ae8457 | 4322 | #ifdef ENABLE_PF |
81d882d5 DS |
4323 | if (child) |
4324 | { | |
4325 | pf_init_context(c); | |
4326 | } | |
47ae8457 JY |
4327 | #endif |
4328 | ||
81d882d5 DS |
4329 | /* Check for signals */ |
4330 | if (IS_SIG(c)) | |
4331 | { | |
4332 | goto sig; | |
4333 | } | |
6fbf66fa | 4334 | |
81d882d5 | 4335 | return; |
6fbf66fa | 4336 | |
81d882d5 DS |
4337 | sig: |
4338 | if (!c->sig->signal_text) | |
4339 | { | |
4340 | c->sig->signal_text = "init_instance"; | |
4341 | } | |
4342 | close_context(c, -1, flags); | |
4343 | return; | |
6fbf66fa JY |
4344 | } |
4345 | ||
4346 | /* | |
4347 | * Close a tunnel instance. | |
4348 | */ | |
4349 | void | |
81d882d5 | 4350 | close_instance(struct context *c) |
6fbf66fa | 4351 | { |
81d882d5 DS |
4352 | /* close event objects */ |
4353 | do_close_event_set(c); | |
6fbf66fa JY |
4354 | |
4355 | if (c->mode == CM_P2P | |
81d882d5 DS |
4356 | || c->mode == CM_CHILD_TCP |
4357 | || c->mode == CM_CHILD_UDP | |
4358 | || c->mode == CM_TOP) | |
4359 | { | |
4360 | /* if xinetd/inetd mode, don't allow restart */ | |
4361 | do_close_check_if_restart_permitted(c); | |
6fbf66fa | 4362 | |
38d96bd7 | 4363 | #ifdef USE_COMP |
81d882d5 DS |
4364 | if (c->c2.comp_context) |
4365 | { | |
4366 | comp_uninit(c->c2.comp_context); | |
4367 | c->c2.comp_context = NULL; | |
4368 | } | |
6fbf66fa JY |
4369 | #endif |
4370 | ||
81d882d5 DS |
4371 | /* free buffers */ |
4372 | do_close_free_buf(c); | |
6fbf66fa | 4373 | |
81d882d5 DS |
4374 | /* close TLS */ |
4375 | do_close_tls(c); | |
6fbf66fa | 4376 | |
81d882d5 DS |
4377 | /* free key schedules */ |
4378 | do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP)); | |
6fbf66fa | 4379 | |
39326238 | 4380 | restore_ncp_options(c); |
5fa25eeb | 4381 | |
81d882d5 DS |
4382 | /* close TCP/UDP connection */ |
4383 | do_close_link_socket(c); | |
6fbf66fa | 4384 | |
81d882d5 DS |
4385 | /* close TUN/TAP device */ |
4386 | do_close_tun(c, false); | |
6fbf66fa | 4387 | |
90efcacb | 4388 | #ifdef MANAGEMENT_DEF_AUTH |
81d882d5 DS |
4389 | if (management) |
4390 | { | |
4391 | management_notify_client_close(management, &c->c2.mda_context, NULL); | |
4392 | } | |
90efcacb JY |
4393 | #endif |
4394 | ||
47ae8457 | 4395 | #ifdef ENABLE_PF |
81d882d5 | 4396 | pf_destroy_context(&c->c2.pf); |
47ae8457 JY |
4397 | #endif |
4398 | ||
3c7f2f55 | 4399 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4400 | /* call plugin close functions and unload */ |
4401 | do_close_plugins(c); | |
3c7f2f55 | 4402 | #endif |
6fbf66fa | 4403 | |
81d882d5 DS |
4404 | /* close packet-id persistance file */ |
4405 | do_close_packet_id(c); | |
6fbf66fa | 4406 | |
81d882d5 DS |
4407 | /* close --status file */ |
4408 | do_close_status_output(c); | |
6fbf66fa JY |
4409 | |
4410 | #ifdef ENABLE_FRAGMENT | |
81d882d5 DS |
4411 | /* close fragmentation handler */ |
4412 | do_close_fragment(c); | |
6fbf66fa JY |
4413 | #endif |
4414 | ||
81d882d5 DS |
4415 | /* close --ifconfig-pool-persist obj */ |
4416 | do_close_ifconfig_pool_persist(c); | |
6fbf66fa | 4417 | |
81d882d5 DS |
4418 | /* free up environmental variable store */ |
4419 | do_env_set_destroy(c); | |
2a64816b | 4420 | |
81d882d5 DS |
4421 | /* close HTTP or SOCKS proxy */ |
4422 | uninit_proxy(c); | |
4e9a51d7 | 4423 | |
81d882d5 DS |
4424 | /* garbage collect */ |
4425 | gc_free(&c->c2.gc); | |
4426 | } | |
6fbf66fa JY |
4427 | } |
4428 | ||
4429 | void | |
81d882d5 DS |
4430 | inherit_context_child(struct context *dest, |
4431 | const struct context *src) | |
6fbf66fa | 4432 | { |
81d882d5 | 4433 | CLEAR(*dest); |
6fbf66fa | 4434 | |
81d882d5 DS |
4435 | /* proto_is_dgram will ASSERT(0) if proto is invalid */ |
4436 | dest->mode = proto_is_dgram(src->options.ce.proto) ? CM_CHILD_UDP : CM_CHILD_TCP; | |
6fbf66fa | 4437 | |
81d882d5 | 4438 | dest->gc = gc_new(); |
6fbf66fa | 4439 | |
81d882d5 | 4440 | ALLOC_OBJ_CLEAR_GC(dest->sig, struct signal_info, &dest->gc); |
6fbf66fa | 4441 | |
81d882d5 DS |
4442 | /* c1 init */ |
4443 | packet_id_persist_init(&dest->c1.pid_persist); | |
6fbf66fa | 4444 | |
81d882d5 DS |
4445 | dest->c1.ks.key_type = src->c1.ks.key_type; |
4446 | /* inherit SSL context */ | |
4447 | dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx; | |
4448 | dest->c1.ks.tls_wrap_key = src->c1.ks.tls_wrap_key; | |
4449 | dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type; | |
19dffdbd | 4450 | dest->c1.ks.tls_crypt_v2_server_key = src->c1.ks.tls_crypt_v2_server_key; |
81d882d5 DS |
4451 | /* inherit pre-NCP ciphers */ |
4452 | dest->c1.ciphername = src->c1.ciphername; | |
4453 | dest->c1.authname = src->c1.authname; | |
4454 | dest->c1.keysize = src->c1.keysize; | |
81d882d5 DS |
4455 | |
4456 | /* options */ | |
4457 | dest->options = src->options; | |
4458 | options_detach(&dest->options); | |
4459 | ||
4460 | if (dest->mode == CM_CHILD_TCP) | |
6fbf66fa | 4461 | { |
81d882d5 DS |
4462 | /* |
4463 | * The CM_TOP context does the socket listen(), | |
4464 | * and the CM_CHILD_TCP context does the accept(). | |
4465 | */ | |
4466 | dest->c2.accept_from = src->c2.link_socket; | |
6fbf66fa JY |
4467 | } |
4468 | ||
3c7f2f55 | 4469 | #ifdef ENABLE_PLUGIN |
81d882d5 DS |
4470 | /* inherit plugins */ |
4471 | do_inherit_plugins(dest, src); | |
3c7f2f55 | 4472 | #endif |
6fbf66fa | 4473 | |
81d882d5 DS |
4474 | /* context init */ |
4475 | init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); | |
4476 | if (IS_SIG(dest)) | |
4477 | { | |
4478 | return; | |
4479 | } | |
6fbf66fa | 4480 | |
81d882d5 DS |
4481 | /* inherit tun/tap interface object */ |
4482 | dest->c1.tuntap = src->c1.tuntap; | |
6fbf66fa | 4483 | |
81d882d5 DS |
4484 | /* UDP inherits some extra things which TCP does not */ |
4485 | if (dest->mode == CM_CHILD_UDP) | |
6fbf66fa | 4486 | { |
81d882d5 DS |
4487 | /* inherit buffers */ |
4488 | dest->c2.buffers = src->c2.buffers; | |
6fbf66fa | 4489 | |
81d882d5 DS |
4490 | /* inherit parent link_socket and tuntap */ |
4491 | dest->c2.link_socket = src->c2.link_socket; | |
6fbf66fa | 4492 | |
81d882d5 DS |
4493 | ALLOC_OBJ_GC(dest->c2.link_socket_info, struct link_socket_info, &dest->gc); |
4494 | *dest->c2.link_socket_info = src->c2.link_socket->info; | |
6fbf66fa | 4495 | |
81d882d5 DS |
4496 | /* locally override some link_socket_info fields */ |
4497 | dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr; | |
4498 | dest->c2.link_socket_info->connection_established = false; | |
6fbf66fa JY |
4499 | } |
4500 | } | |
4501 | ||
4502 | void | |
81d882d5 DS |
4503 | inherit_context_top(struct context *dest, |
4504 | const struct context *src) | |
6fbf66fa | 4505 | { |
81d882d5 DS |
4506 | /* copy parent */ |
4507 | *dest = *src; | |
6fbf66fa | 4508 | |
81d882d5 DS |
4509 | /* |
4510 | * CM_TOP_CLONE will prevent close_instance from freeing or closing | |
4511 | * resources owned by the parent. | |
4512 | * | |
4513 | * Also note that CM_TOP_CLONE context objects are | |
4514 | * closed by multi_top_free in multi.c. | |
4515 | */ | |
4516 | dest->mode = CM_TOP_CLONE; | |
6fbf66fa | 4517 | |
81d882d5 DS |
4518 | dest->first_time = false; |
4519 | dest->c0 = NULL; | |
6fbf66fa | 4520 | |
81d882d5 DS |
4521 | options_detach(&dest->options); |
4522 | gc_detach(&dest->gc); | |
4523 | gc_detach(&dest->c2.gc); | |
6fbf66fa | 4524 | |
81d882d5 DS |
4525 | /* detach plugins */ |
4526 | dest->plugins_owned = false; | |
3c7f2f55 | 4527 | |
81d882d5 | 4528 | dest->c2.tls_multi = NULL; |
6fbf66fa | 4529 | |
81d882d5 DS |
4530 | /* detach c1 ownership */ |
4531 | dest->c1.tuntap_owned = false; | |
4532 | dest->c1.status_output_owned = false; | |
6fbf66fa | 4533 | #if P2MP_SERVER |
81d882d5 | 4534 | dest->c1.ifconfig_pool_persist_owned = false; |
6fbf66fa | 4535 | #endif |
3c7f2f55 | 4536 | |
81d882d5 DS |
4537 | /* detach c2 ownership */ |
4538 | dest->c2.event_set_owned = false; | |
4539 | dest->c2.link_socket_owned = false; | |
4540 | dest->c2.buffers_owned = false; | |
4541 | dest->c2.es_owned = false; | |
6fbf66fa | 4542 | |
81d882d5 DS |
4543 | dest->c2.event_set = NULL; |
4544 | if (proto_is_dgram(src->options.ce.proto)) | |
4545 | { | |
4546 | do_event_set_init(dest, false); | |
4547 | } | |
38d96bd7 JY |
4548 | |
4549 | #ifdef USE_COMP | |
81d882d5 | 4550 | dest->c2.comp_context = NULL; |
38d96bd7 | 4551 | #endif |
6fbf66fa JY |
4552 | } |
4553 | ||
4554 | void | |
81d882d5 | 4555 | close_context(struct context *c, int sig, unsigned int flags) |
6fbf66fa | 4556 | { |
81d882d5 DS |
4557 | ASSERT(c); |
4558 | ASSERT(c->sig); | |
79df31c8 | 4559 | |
81d882d5 DS |
4560 | if (sig >= 0) |
4561 | { | |
4562 | c->sig->signal_received = sig; | |
4563 | } | |
6fbf66fa | 4564 | |
81d882d5 | 4565 | if (c->sig->signal_received == SIGUSR1) |
6fbf66fa | 4566 | { |
81d882d5 DS |
4567 | if ((flags & CC_USR1_TO_HUP) |
4568 | || (c->sig->source == SIG_SOURCE_HARD && (flags & CC_HARD_USR1_TO_HUP))) | |
c058cbff | 4569 | { |
81d882d5 DS |
4570 | c->sig->signal_received = SIGHUP; |
4571 | c->sig->signal_text = "close_context usr1 to hup"; | |
c058cbff | 4572 | } |
6fbf66fa JY |
4573 | } |
4574 | ||
81d882d5 DS |
4575 | if (!(flags & CC_NO_CLOSE)) |
4576 | { | |
4577 | close_instance(c); | |
4578 | } | |
6fbf66fa | 4579 | |
81d882d5 DS |
4580 | if (flags & CC_GC_FREE) |
4581 | { | |
4582 | context_gc_free(c); | |
4583 | } | |
6fbf66fa JY |
4584 | } |
4585 | ||
6fbf66fa JY |
4586 | /* |
4587 | * Do a loopback test | |
4588 | * on the crypto subsystem. | |
4589 | */ | |
4590 | static void * | |
81d882d5 | 4591 | test_crypto_thread(void *arg) |
6fbf66fa | 4592 | { |
81d882d5 DS |
4593 | struct context *c = (struct context *) arg; |
4594 | const struct options *options = &c->options; | |
6fbf66fa | 4595 | |
81d882d5 DS |
4596 | ASSERT(options->test_crypto); |
4597 | init_verb_mute(c, IVM_LEVEL_1); | |
4598 | context_init_1(c); | |
4599 | next_connection_entry(c); | |
4600 | do_init_crypto_static(c, 0); | |
6fbf66fa | 4601 | |
81d882d5 | 4602 | frame_finalize_options(c, options); |
6fbf66fa | 4603 | |
81d882d5 | 4604 | test_crypto(&c->c2.crypto_options, &c->c2.frame); |
6fbf66fa | 4605 | |
81d882d5 DS |
4606 | key_schedule_free(&c->c1.ks, true); |
4607 | packet_id_free(&c->c2.crypto_options.packet_id); | |
6fbf66fa | 4608 | |
81d882d5 DS |
4609 | context_gc_free(c); |
4610 | return NULL; | |
6fbf66fa JY |
4611 | } |
4612 | ||
6fbf66fa | 4613 | bool |
81d882d5 | 4614 | do_test_crypto(const struct options *o) |
6fbf66fa | 4615 | { |
81d882d5 | 4616 | if (o->test_crypto) |
6fbf66fa | 4617 | { |
81d882d5 | 4618 | struct context c; |
6fbf66fa | 4619 | |
81d882d5 DS |
4620 | /* print version number */ |
4621 | msg(M_INFO, "%s", title_string); | |
6fbf66fa | 4622 | |
81d882d5 DS |
4623 | context_clear(&c); |
4624 | c.options = *o; | |
4625 | options_detach(&c.options); | |
4626 | c.first_time = true; | |
4627 | test_crypto_thread((void *) &c); | |
4628 | return true; | |
6fbf66fa | 4629 | } |
81d882d5 | 4630 | return false; |
6fbf66fa | 4631 | } |