2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
42
#include "occ-inline.h"
45
* Crypto initialization flags
47
#define CF_LOAD_PERSISTED_PACKET_ID (1<<0)
48
#define CF_INIT_TLS_MULTI (1<<1)
49
#define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
51
static void do_init_first_time (struct context *c);
54
context_clear (struct context *c)
60
context_clear_1 (struct context *c)
66
context_clear_2 (struct context *c)
72
context_clear_all_except_first_time (struct context *c)
74
const bool first_time_save = c->first_time;
75
const struct context_persist cpsave = c->persist;
77
c->first_time = first_time_save;
82
* Should be called after options->ce is modified at the top
83
* of a SIGUSR1 restart.
86
update_options_ce_post (struct options *options)
90
* In pull mode, we usually import --ping/--ping-restart parameters from
91
* the server. However we should also set an initial default --ping-restart
92
* for the period of time before we pull the --ping-restart parameter
96
&& options->ping_rec_timeout_action == PING_UNDEF
97
&& options->ce.proto == PROTO_UDPv4)
99
options->ping_rec_timeout = PRE_PULL_INITIAL_PING_RESTART;
100
options->ping_rec_timeout_action = PING_RESTART;
105
* Don't use replay window for TCP mode (i.e. require that packets be strictly in sequence).
107
if (link_socket_proto_connection_oriented (options->ce.proto))
108
options->replay_window = options->replay_time = 0;
113
* Initialize and possibly randomize connection list.
116
init_connection_list (struct context *c)
118
#ifdef ENABLE_CONNECTION
119
struct connection_list *l = c->options.connection_list;
123
if (c->options.remote_random)
126
for (i = 0; i < l->len; ++i)
128
const int j = get_random () % l->len;
131
struct connection_entry *tmp;
133
l->array[i] = l->array[j];
143
* Increment to next connection entry
146
next_connection_entry (struct context *c)
148
#ifdef ENABLE_CONNECTION
149
struct connection_list *l = c->options.connection_list;
152
if (l->no_advance && l->current >= 0)
154
l->no_advance = false;
159
if (++l->current >= l->len)
162
dmsg (D_CONNECTION_LIST, "CONNECTION_LIST len=%d current=%d",
164
for (i = 0; i < l->len; ++i)
166
dmsg (D_CONNECTION_LIST, "[%d] %s:%d",
169
l->array[i]->remote_port);
172
c->options.ce = *l->array[l->current];
175
update_options_ce_post (&c->options);
179
* Query for private key and auth-user-pass username/passwords
182
init_query_passwords (struct context *c)
184
#if defined(USE_CRYPTO) && defined(USE_SSL)
185
/* Certificate password input */
186
if (c->options.key_pass_file)
187
pem_password_setup (c->options.key_pass_file);
191
/* Auth user/pass input */
192
if (c->options.auth_user_pass_file)
193
auth_user_pass_setup (c->options.auth_user_pass_file);
198
* Initialize/Uninitialize HTTP or SOCKS proxy
201
#ifdef GENERAL_PROXY_SUPPORT
204
proxy_scope (struct context *c)
206
return connection_list_defined (&c->options) ? 2 : 1;
210
uninit_proxy_dowork (struct context *c)
212
#ifdef ENABLE_HTTP_PROXY
213
if (c->c1.http_proxy_owned && c->c1.http_proxy)
215
http_proxy_close (c->c1.http_proxy);
216
c->c1.http_proxy = NULL;
217
c->c1.http_proxy_owned = false;
221
if (c->c1.socks_proxy_owned && c->c1.socks_proxy)
223
socks_proxy_close (c->c1.socks_proxy);
224
c->c1.socks_proxy = NULL;
225
c->c1.socks_proxy_owned = false;
231
init_proxy_dowork (struct context *c)
233
#ifdef ENABLE_HTTP_PROXY
234
bool did_http = false;
236
const bool did_http = false;
239
uninit_proxy_dowork (c);
241
#ifdef ENABLE_HTTP_PROXY
242
if (c->options.ce.http_proxy_options || c->options.auto_proxy_info)
244
/* Possible HTTP proxy user/pass input */
245
c->c1.http_proxy = http_proxy_new (c->options.ce.http_proxy_options,
246
c->options.auto_proxy_info);
247
if (c->c1.http_proxy)
250
c->c1.http_proxy_owned = true;
256
if (!did_http && (c->options.ce.socks_proxy_server || c->options.auto_proxy_info))
258
c->c1.socks_proxy = socks_proxy_new (c->options.ce.socks_proxy_server,
259
c->options.ce.socks_proxy_port,
260
c->options.ce.socks_proxy_retry,
261
c->options.auto_proxy_info);
262
if (c->c1.socks_proxy)
264
c->c1.socks_proxy_owned = true;
271
init_proxy (struct context *c, const int scope)
273
if (scope == proxy_scope (c))
274
init_proxy_dowork (c);
278
uninit_proxy (struct context *c)
280
if (c->sig->signal_received != SIGUSR1 || proxy_scope (c) == 2)
281
uninit_proxy_dowork (c);
287
init_proxy (struct context *c, const int scope)
292
uninit_proxy (struct context *c)
299
context_init_1 (struct context *c)
303
packet_id_persist_init (&c->c1.pid_persist);
305
init_connection_list (c);
307
init_query_passwords (c);
309
#if defined(ENABLE_PKCS11)
312
pkcs11_initialize (true, c->options.pkcs11_pin_cache_period);
313
for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++)
314
pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
315
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
319
#if 0 /* test get_user_pass with GET_USER_PASS_NEED_OK flag */
322
* In the management interface, you can okay the request by entering "needok token-insertion-request ok"
326
strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
327
get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
328
msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
329
'needok' command, usually 'ok' or 'cancel'. */
333
/* initialize HTTP or SOCKS proxy object at scope level 1 */
338
context_gc_free (struct context *c)
341
gc_free (&c->options.gc);
348
close_port_share (void)
352
port_share_close (port_share);
358
init_port_share (struct context *c)
360
if (!port_share && (c->options.port_share_host && c->options.port_share_port))
362
port_share = port_share_open (c->options.port_share_host,
363
c->options.port_share_port);
364
if (port_share == NULL)
365
msg (M_FATAL, "Fatal error: Port sharing failed");
374
/* configure_path (); */
376
#if defined(USE_CRYPTO) && defined(DMALLOC)
377
openssl_dmalloc_init ();
380
init_random_seed (); /* init random() function, only used as
381
source for weak random numbers */
382
error_reset (); /* initialize error.c */
383
reset_check_status (); /* initialize status check code in socket.c */
389
#ifdef OPENVPN_DEBUG_COMMAND_LINE
392
for (i = 0; i < argc; ++i)
393
msg (M_INFO, "argv[%d] = '%s'", i, argv[i]);
402
/* init PRNG used for IV generation */
403
/* When forking, copy this to more places in the code to avoid fork
404
random-state predictability */
409
packet_id_interactive_test (); /* test the sequence number code */
423
#ifdef IFCONFIG_POOL_TEST
424
ifconfig_pool_test (0x0A010004, 0x0A0100FF);
428
#ifdef CHARACTER_CLASS_DEBUG
429
character_class_debug ();
433
#ifdef EXTRACT_X509_FIELD_TEST
434
extract_x509_field_test ();
445
struct gc_arena gc = gc_new ();
446
const char *fn = gen_path ("foo",
455
#ifdef STATUS_PRINTF_TEST
457
struct gc_arena gc = gc_new ();
458
const char *tmp_file = create_temp_filename ("/tmp", "foo", &gc);
459
struct status_output *so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
460
status_printf (so, "%s", "foo");
461
status_printf (so, "%s", "bar");
462
if (!status_close (so))
463
msg (M_WARN, "STATUS_PRINTF_TEST: %s: write error", tmp_file);
471
void argv_test (void);
479
struct gc_arena gc = gc_new ();
482
prng_init ("sha1", 16);
483
//prng_init (NULL, 0);
484
const int factor = 1;
485
for (i = 0; i < factor * 8; ++i)
488
prng_bytes (rndbuf, sizeof (rndbuf));
490
ASSERT(RAND_bytes (rndbuf, sizeof (rndbuf)));
492
printf ("[%d] %s\n", i, format_hex (rndbuf, sizeof (rndbuf), 0, &gc));
506
openvpn_thread_cleanup ();
520
#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
521
show_tls_performance_stats ();
526
init_verb_mute (struct context *c, unsigned int flags)
528
if (flags & IVM_LEVEL_1)
530
/* set verbosity and mute levels */
531
set_check_status (D_LINK_ERRORS, D_READ_WRITE);
532
set_debug_level (c->options.verbosity, SDL_CONSTRAIN);
533
set_mute_cutoff (c->options.mute);
536
/* special D_LOG_RW mode */
537
if (flags & IVM_LEVEL_2)
538
c->c2.log_rw = (check_debug_level (D_LOG_RW) && !check_debug_level (D_LOG_RW + 1));
542
* Possibly set --dev based on --dev-node.
543
* For example, if --dev-node /tmp/foo/tun, and --dev undefined,
547
init_options_dev (struct options *options)
550
options->dev = openvpn_basename (options->dev_node);
554
print_openssl_info (const struct options *options)
557
* OpenSSL info print mode?
560
if (options->show_ciphers || options->show_digests || options->show_engines
562
|| options->show_tls_ciphers
566
if (options->show_ciphers)
567
show_available_ciphers ();
568
if (options->show_digests)
569
show_available_digests ();
570
if (options->show_engines)
571
show_available_engines ();
573
if (options->show_tls_ciphers)
574
show_available_tls_ciphers ();
583
* Static pre-shared key generation mode?
586
do_genkey (const struct options * options)
593
notnull (options->shared_secret_file,
594
"shared secret output file (--secret)");
596
if (options->mlock) /* should we disable paging? */
599
nbits_written = write_key_file (2, options->shared_secret_file);
601
msg (D_GENKEY | M_NOPREFIX,
602
"Randomly generated %d bit key written to %s", nbits_written,
603
options->shared_secret_file);
611
* Persistent TUN/TAP device management mode?
614
do_persist_tuntap (const struct options *options)
617
if (options->persist_config)
619
/* sanity check on options for --mktun or --rmtun */
620
notnull (options->dev, "TUN/TAP device (--dev)");
621
if (options->ce.remote || options->ifconfig_local
622
|| options->ifconfig_remote_netmask
624
|| options->shared_secret_file
626
|| options->tls_server || options->tls_client
630
msg (M_FATAL|M_OPTERR,
631
"options --mktun or --rmtun should only be used together with --dev");
632
tuncfg (options->dev, options->dev_type, options->dev_node,
633
options->tun_ipv6, options->persist_mode,
634
options->username, options->groupname, &options->tuntap_options);
635
if (options->persist_mode && options->lladdr)
636
set_lladdr(options->dev, options->lladdr, NULL);
644
* Should we become a daemon?
645
* Return true if we did it.
648
possibly_become_daemon (const struct options *options, const bool first_time)
651
if (first_time && options->daemon)
653
ASSERT (!options->inetd);
654
if (daemon (options->cd_dir != NULL, options->log) < 0)
655
msg (M_ERR, "daemon() failed");
656
restore_signal_state ();
658
set_std_files_to_null (true);
660
#if defined(ENABLE_PKCS11)
670
* Actually do UID/GID downgrade, chroot and SELinux context switching, if requested.
673
do_uid_gid_chroot (struct context *c, bool no_delay)
675
static const char why_not[] = "will be delayed because of --client, --pull, or --up-delay";
676
struct context_0 *c0 = c->c0;
678
if (c->first_time && c0 && !c0->uid_gid_set)
680
/* chroot if requested */
681
if (c->options.chroot_dir)
684
do_chroot (c->options.chroot_dir);
686
msg (M_INFO, "NOTE: chroot %s", why_not);
689
/* set user and/or group that we want to setuid/setgid to */
692
set_group (&c0->group_state);
693
set_user (&c0->user_state);
694
c0->uid_gid_set = true;
696
else if (c0->uid_gid_specified)
698
msg (M_INFO, "NOTE: UID/GID downgrade %s", why_not);
702
/* Apply a SELinux context in order to restrict what OpenVPN can do
703
* to _only_ what it is supposed to do after initialization is complete
704
* (basically just network I/O operations). Doing it after chroot
705
* requires /proc to be mounted in the chroot (which is annoying indeed
706
* but doing it before requires more complex SELinux policies.
708
if (c->options.selinux_context)
711
if (-1 == setcon (c->options.selinux_context))
712
msg (M_ERR, "setcon to '%s' failed; is /proc accessible?", c->options.selinux_context);
714
msg (M_INFO, "setcon to '%s' succeeded", c->options.selinux_context);
717
msg (M_INFO, "NOTE: setcon %s", why_not);
724
* Return common name in a way that is formatted for
725
* prepending to msg() output.
728
format_common_name (struct context *c, struct gc_arena *gc)
730
struct buffer out = alloc_buf_gc (256, gc);
731
#if defined(USE_CRYPTO) && defined(USE_SSL)
734
buf_printf (&out, "[%s] ", tls_common_name (c->c2.tls_multi, false));
741
pre_setup (const struct options *options)
744
if (options->exit_event_name)
746
win32_signal_open (&win32_signal,
748
options->exit_event_name,
749
options->exit_event_initial_state);
753
win32_signal_open (&win32_signal,
758
/* put a title on the top window bar */
759
if (win32_signal.mode == WSO_MODE_CONSOLE)
761
window_title_save (&window_title);
762
window_title_generate (options->config);
769
reset_coarse_timers (struct context *c)
771
c->c2.coarse_timer_wakeup = 0;
778
do_init_timers (struct context *c, bool deferred)
781
reset_coarse_timers (c);
783
/* initialize inactivity timeout */
784
if (c->options.inactivity_timeout)
785
event_timeout_init (&c->c2.inactivity_interval, c->options.inactivity_timeout, now);
787
/* initialize pings */
789
if (c->options.ping_send_timeout)
790
event_timeout_init (&c->c2.ping_send_interval, c->options.ping_send_timeout, 0);
792
if (c->options.ping_rec_timeout)
793
event_timeout_init (&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now);
796
if (c->options.server_poll_timeout)
797
event_timeout_init (&c->c2.server_poll_interval, c->options.server_poll_timeout, now);
802
/* initialize connection establishment timer */
803
event_timeout_init (&c->c2.wait_for_connect, 1, now);
806
/* initialize occ timers */
810
&& c->c2.options_string_local && c->c2.options_string_remote)
811
event_timeout_init (&c->c2.occ_interval, OCC_INTERVAL_SECONDS, now);
813
if (c->options.mtu_test)
814
event_timeout_init (&c->c2.occ_mtu_load_test_interval, OCC_MTU_LOAD_INTERVAL_SECONDS, now);
817
/* initialize packet_id persistence timer */
819
if (c->options.packet_id_file)
820
event_timeout_init (&c->c2.packet_id_persist_interval, 60, now);
823
#if defined(USE_CRYPTO) && defined(USE_SSL)
824
/* initialize tmp_int optimization that limits the number of times we call
825
tls_multi_process in the main event loop */
826
interval_init (&c->c2.tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);
832
* Initialize traffic shaper.
835
do_init_traffic_shaper (struct context *c)
837
#ifdef HAVE_GETTIMEOFDAY
838
/* initialize traffic shaper (i.e. transmit bandwidth limiter) */
839
if (c->options.shaper)
841
shaper_init (&c->c2.shaper, c->options.shaper);
842
shaper_msg (&c->c2.shaper);
848
* Allocate a route list structure if at least one
849
* --route option was specified.
852
do_alloc_route_list (struct context *c)
854
if (c->options.routes && !c->c1.route_list)
855
c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);
860
* Initialize the route list, resolving any DNS names in route
861
* options and saving routes in the environment.
864
do_init_route_list (const struct options *options,
865
struct route_list *route_list,
866
const struct link_socket_info *link_socket_info,
870
const char *gw = NULL;
871
int dev = dev_type_enum (options->dev, options->dev_type);
874
if (dev == DEV_TYPE_TUN && (options->topology == TOP_NET30 || options->topology == TOP_P2P))
875
gw = options->ifconfig_remote_netmask;
876
if (options->route_default_gateway)
877
gw = options->route_default_gateway;
878
if (options->route_default_metric)
879
metric = options->route_default_metric;
881
if (!init_route_list (route_list,
885
link_socket_current_remote (link_socket_info),
889
openvpn_exit (OPENVPN_EXIT_STATUS_ERROR); /* exit point */
893
/* copy routes to environment */
894
setenv_routes (es, route_list);
899
* Called after all initialization has been completed.
902
initialization_sequence_completed (struct context *c, const unsigned int flags)
904
static const char message[] = "Initialization Sequence Completed";
906
/* If we delayed UID/GID downgrade or chroot, do it now */
907
do_uid_gid_chroot (c, true);
910
if (flags & ISC_ERRORS)
913
show_routes (M_INFO|M_NOPREFIX);
914
show_adapters (M_INFO|M_NOPREFIX);
915
msg (M_INFO, "%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
917
msg (M_INFO, "%s With Errors", message);
921
msg (M_INFO, "%s", message);
923
/* Flag connection_list that we initialized */
924
if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0 && connection_list_defined (&c->options))
925
connection_list_set_no_advance (&c->options);
927
#ifdef ENABLE_MANAGEMENT
928
/* Tell management interface that we initialized */
931
in_addr_t tun_local = 0;
932
in_addr_t tun_remote = 0; /* FKS */
933
const char *detail = "SUCCESS";
935
tun_local = c->c1.tuntap->local;
936
tun_remote = htonl (c->c1.link_socket_addr.actual.dest.sa.sin_addr.s_addr);
937
if (flags & ISC_ERRORS)
939
management_set_state (management,
940
OPENVPN_STATE_CONNECTED,
945
management_post_tunnel_open (management, tun_local);
952
* Possibly add routes and/or call route-up script
956
do_route (const struct options *options,
957
struct route_list *route_list,
958
const struct tuntap *tt,
959
const struct plugin_list *plugins,
962
if (!options->route_noexec && route_list)
963
add_routes (route_list, tt, ROUTE_OPTION_FLAGS (options), es);
965
if (plugin_defined (plugins, OPENVPN_PLUGIN_ROUTE_UP))
967
if (plugin_call (plugins, OPENVPN_PLUGIN_ROUTE_UP, NULL, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
968
msg (M_WARN, "WARNING: route-up plugin call failed");
971
if (options->route_script)
973
struct argv argv = argv_new ();
974
setenv_str (es, "script_type", "route-up");
975
argv_printf (&argv, "%sc", options->route_script);
976
openvpn_execve_check (&argv, es, S_SCRIPT, "Route script failed");
981
if (options->show_net_up)
983
show_routes (M_INFO|M_NOPREFIX);
984
show_adapters (M_INFO|M_NOPREFIX);
986
else if (check_debug_level (D_SHOW_NET))
988
show_routes (D_SHOW_NET|M_NOPREFIX);
989
show_adapters (D_SHOW_NET|M_NOPREFIX);
995
* Save current pulled options string in the c1 context store, so we can
996
* compare against it after possible future restarts.
1000
save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest)
1003
c->c1.pulled_options_digest_save = *newdigest;
1005
md5_digest_clear (&c->c1.pulled_options_digest_save);
1010
* initialize tun/tap device object
1013
do_init_tun (struct context *c)
1015
c->c1.tuntap = init_tun (c->options.dev,
1016
c->options.dev_type,
1017
c->options.topology,
1018
c->options.ifconfig_local,
1019
c->options.ifconfig_remote_netmask,
1020
addr_host (&c->c1.link_socket_addr.local),
1021
addr_host (&c->c1.link_socket_addr.remote),
1022
!c->options.ifconfig_nowarn,
1025
init_tun_post (c->c1.tuntap,
1027
&c->options.tuntap_options);
1029
c->c1.tuntap_owned = true;
1033
* Open tun/tap device, ifconfig, call up script, etc.
1037
do_open_tun (struct context *c)
1039
struct gc_arena gc = gc_new ();
1042
c->c2.ipv4_tun = (!c->options.tun_ipv6
1043
&& is_dev_type (c->options.dev, c->options.dev_type, "tun"));
1047
/* initialize (but do not open) tun/tap object */
1050
/* allocate route list structure */
1051
do_alloc_route_list (c);
1053
/* parse and resolve the route option list */
1054
if (c->options.routes && c->c1.route_list && c->c2.link_socket)
1055
do_init_route_list (&c->options, c->c1.route_list, &c->c2.link_socket->info, false, c->c2.es);
1058
if (!c->options.ifconfig_noexec
1059
&& ifconfig_order () == IFCONFIG_BEFORE_TUN_OPEN)
1061
/* guess actual tun/tap unit number that will be returned
1063
const char *guess = guess_tuntap_dev (c->options.dev,
1064
c->options.dev_type,
1065
c->options.dev_node,
1067
do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1070
/* open the tun device */
1071
open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
1072
c->options.tun_ipv6, c->c1.tuntap);
1074
/* set the hardware address */
1075
if (c->options.lladdr)
1076
set_lladdr(c->c1.tuntap->actual_name, c->options.lladdr, c->c2.es);
1079
if (!c->options.ifconfig_noexec
1080
&& ifconfig_order () == IFCONFIG_AFTER_TUN_OPEN)
1082
do_ifconfig (c->c1.tuntap, c->c1.tuntap->actual_name, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
1085
/* run the up script */
1086
run_up_down (c->options.up_script,
1089
c->c1.tuntap->actual_name,
1090
TUN_MTU_SIZE (&c->c2.frame),
1091
EXPANDED_SIZE (&c->c2.frame),
1092
print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1093
print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1099
/* possibly add routes */
1100
if (!c->options.route_delay_defined)
1101
do_route (&c->options, c->c1.route_list, c->c1.tuntap, c->plugins, c->c2.es);
1104
* Did tun/tap driver give us an MTU?
1106
if (c->c1.tuntap->post_open_mtu)
1107
frame_set_mtu_dynamic (&c->c2.frame,
1108
c->c1.tuntap->post_open_mtu,
1109
SET_MTU_TUN | SET_MTU_UPPER_BOUND);
1115
msg (M_INFO, "Preserving previous TUN/TAP instance: %s",
1116
c->c1.tuntap->actual_name);
1118
/* run the up script if user specified --up-restart */
1119
if (c->options.up_restart)
1120
run_up_down (c->options.up_script,
1123
c->c1.tuntap->actual_name,
1124
TUN_MTU_SIZE (&c->c2.frame),
1125
EXPANDED_SIZE (&c->c2.frame),
1126
print_in_addr_t (c->c1.tuntap->local, IA_EMPTY_IF_UNDEF, &gc),
1127
print_in_addr_t (c->c1.tuntap->remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1138
* Close TUN/TAP device
1142
do_close_tun_simple (struct context *c)
1144
msg (D_CLOSE, "Closing TUN/TAP interface");
1145
close_tun (c->c1.tuntap);
1146
c->c1.tuntap = NULL;
1147
c->c1.tuntap_owned = false;
1149
save_pulled_options_digest (c, NULL); /* delete C1-saved pulled_options_digest */
1154
do_close_tun (struct context *c, bool force)
1156
struct gc_arena gc = gc_new ();
1157
if (c->c1.tuntap && c->c1.tuntap_owned)
1159
const char *tuntap_actual = string_alloc (c->c1.tuntap->actual_name, &gc);
1160
const in_addr_t local = c->c1.tuntap->local;
1161
const in_addr_t remote_netmask = c->c1.tuntap->remote_netmask;
1163
if (force || !(c->sig->signal_received == SIGUSR1 && c->options.persist_tun))
1165
#ifdef ENABLE_MANAGEMENT
1166
/* tell management layer we are about to close the TUN/TAP device */
1168
management_pre_tunnel_close (management);
1171
/* delete any routes we added */
1172
if (c->c1.route_list)
1173
delete_routes (c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es);
1175
/* actually close tun/tap device based on --down-pre flag */
1176
if (!c->options.down_pre)
1177
do_close_tun_simple (c);
1179
/* Run the down script -- note that it will run at reduced
1180
privilege if, for example, "--user nobody" was used. */
1181
run_up_down (c->options.down_script,
1183
OPENVPN_PLUGIN_DOWN,
1185
TUN_MTU_SIZE (&c->c2.frame),
1186
EXPANDED_SIZE (&c->c2.frame),
1187
print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1188
print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1190
signal_description (c->sig->signal_received,
1191
c->sig->signal_text),
1195
/* actually close tun/tap device based on --down-pre flag */
1196
if (c->options.down_pre)
1197
do_close_tun_simple (c);
1201
/* run the down script on this restart if --up-restart was specified */
1202
if (c->options.up_restart)
1203
run_up_down (c->options.down_script,
1205
OPENVPN_PLUGIN_DOWN,
1207
TUN_MTU_SIZE (&c->c2.frame),
1208
EXPANDED_SIZE (&c->c2.frame),
1209
print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc),
1210
print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc),
1212
signal_description (c->sig->signal_received,
1213
c->sig->signal_text),
1222
* Handle delayed tun/tap interface bringup due to --up-delay or --pull
1226
do_up (struct context *c, bool pulled_options, unsigned int option_types_found)
1228
if (!c->c2.do_up_ran)
1230
reset_coarse_timers (c);
1232
if (pulled_options && option_types_found)
1233
do_deferred_options (c, option_types_found);
1235
/* if --up-delay specified, open tun, do ifconfig, and run up script now */
1236
if (c->options.up_delay || PULL_DEFINED (&c->options))
1238
c->c2.did_open_tun = do_open_tun (c);
1243
* Was tun interface object persisted from previous restart iteration,
1244
* and if so did pulled options string change from previous iteration?
1246
if (!c->c2.did_open_tun
1247
&& PULL_DEFINED (&c->options)
1249
&& (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest)
1250
|| !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)))
1252
/* if so, close tun, delete routes, then reinitialize tun and add routes */
1253
msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
1254
do_close_tun (c, true);
1256
c->c2.did_open_tun = do_open_tun (c);
1262
if (c->c2.did_open_tun)
1265
save_pulled_options_digest (c, &c->c2.pulled_options_digest);
1268
/* if --route-delay was specified, start timer */
1269
if (c->options.route_delay_defined)
1271
event_timeout_init (&c->c2.route_wakeup, c->options.route_delay, now);
1272
event_timeout_init (&c->c2.route_wakeup_expire, c->options.route_delay + c->options.route_delay_window, now);
1274
tun_standby_init (c->c1.tuntap);
1278
initialization_sequence_completed (c, 0); /* client/p2p --route-delay undefined */
1281
else if (c->options.mode == MODE_POINT_TO_POINT)
1283
initialization_sequence_completed (c, 0); /* client/p2p restart with --persist-tun */
1286
c->c2.do_up_ran = true;
1291
* These are the option categories which will be accepted by pull.
1294
pull_permission_mask (const struct context *c)
1296
unsigned int flags =
1298
| OPT_P_ROUTE_EXTRAS
1308
| OPT_P_EXPLICIT_NOTIFY
1312
if (!c->options.route_nopull)
1313
flags |= OPT_P_ROUTE;
1319
* Handle non-tun-related pulled options.
1322
do_deferred_options (struct context *c, const unsigned int found)
1324
if (found & OPT_P_MESSAGES)
1326
init_verb_mute (c, IVM_LEVEL_1|IVM_LEVEL_2);
1327
msg (D_PUSH, "OPTIONS IMPORT: --verb and/or --mute level changed");
1329
if (found & OPT_P_TIMER)
1331
do_init_timers (c, true);
1332
msg (D_PUSH, "OPTIONS IMPORT: timers and/or timeouts modified");
1336
if (found & OPT_P_EXPLICIT_NOTIFY)
1338
if (c->options.ce.proto != PROTO_UDPv4 && c->options.explicit_exit_notification)
1340
msg (D_PUSH, "OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
1341
c->options.explicit_exit_notification = 0;
1344
msg (D_PUSH, "OPTIONS IMPORT: explicit notify parm(s) modified");
1349
if (found & OPT_P_COMP)
1351
if (lzo_defined (&c->c2.lzo_compwork))
1353
msg (D_PUSH, "OPTIONS IMPORT: LZO parms modified");
1354
lzo_modify_flags (&c->c2.lzo_compwork, c->options.lzo);
1359
if (found & OPT_P_SHAPER)
1361
msg (D_PUSH, "OPTIONS IMPORT: traffic shaper enabled");
1362
do_init_traffic_shaper (c);
1365
if (found & OPT_P_SOCKBUF)
1367
msg (D_PUSH, "OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
1368
link_socket_update_buffer_sizes (c->c2.link_socket, c->options.rcvbuf, c->options.sndbuf);
1371
if (found & OPT_P_SOCKFLAGS)
1373
msg (D_PUSH, "OPTIONS IMPORT: --socket-flags option modified");
1374
link_socket_update_flags (c->c2.link_socket, c->options.sockflags);
1377
if (found & OPT_P_PERSIST)
1378
msg (D_PUSH, "OPTIONS IMPORT: --persist options modified");
1379
if (found & OPT_P_UP)
1380
msg (D_PUSH, "OPTIONS IMPORT: --ifconfig/up options modified");
1381
if (found & OPT_P_ROUTE)
1382
msg (D_PUSH, "OPTIONS IMPORT: route options modified");
1383
if (found & OPT_P_ROUTE_EXTRAS)
1384
msg (D_PUSH, "OPTIONS IMPORT: route-related options modified");
1385
if (found & OPT_P_IPWIN32)
1386
msg (D_PUSH, "OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
1387
if (found & OPT_P_SETENV)
1388
msg (D_PUSH, "OPTIONS IMPORT: environment modified");
1392
* Possible hold on initialization
1395
do_hold (struct context *c)
1397
#ifdef ENABLE_MANAGEMENT
1400
/* if c is defined, daemonize before hold */
1401
if (c && c->options.daemon && management_should_daemonize (management))
1402
do_init_first_time (c);
1404
/* block until management hold is released */
1405
if (management_hold (management))
1413
* Sleep before restart.
1416
socket_restart_pause (struct context *c)
1421
#ifdef ENABLE_HTTP_PROXY
1422
if (c->options.ce.http_proxy_options)
1426
if (c->options.ce.socks_proxy_server)
1430
switch (c->options.ce.proto)
1434
sec = c->options.ce.connect_retry_seconds;
1436
case PROTO_TCPv4_SERVER:
1439
case PROTO_TCPv4_CLIENT:
1440
sec = c->options.ce.connect_retry_seconds;
1445
if (GREMLIN_CONNECTION_FLOOD_LEVEL (c->options.gremlin))
1450
if (auth_retry_get () == AR_NOINTERACT)
1453
if (c->options.server_poll_timeout && sec > 1)
1457
if (c->persist.restart_sleep_seconds > 0 && c->persist.restart_sleep_seconds > sec)
1458
sec = c->persist.restart_sleep_seconds;
1459
else if (c->persist.restart_sleep_seconds == -1)
1461
c->persist.restart_sleep_seconds = 0;
1463
/* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
1469
msg (D_RESTART, "Restart pause, %d second(s)", sec);
1470
openvpn_sleep (sec);
1475
* Do a possible pause on context_2 initialization.
1478
do_startup_pause (struct context *c)
1481
socket_restart_pause (c);
1483
do_hold (NULL); /* do management hold on first context initialization */
1487
* Finalize MTU parameters based on command line or config file options.
1490
frame_finalize_options (struct context *c, const struct options *o)
1496
* Set adjustment factor for buffer alignment when no
1499
if (!CIPHER_ENABLED (c))
1501
frame_align_to_extra_frame (&c->c2.frame);
1502
frame_or_align_flags (&c->c2.frame,
1503
FRAME_HEADROOM_MARKER_FRAGMENT
1504
|FRAME_HEADROOM_MARKER_READ_LINK
1505
|FRAME_HEADROOM_MARKER_READ_STREAM);
1508
frame_finalize (&c->c2.frame,
1509
o->link_mtu_defined,
1516
* Free a key schedule, including OpenSSL components.
1519
key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
1522
free_key_ctx_bi (&ks->static_key);
1524
if (ks->ssl_ctx && free_ssl_ctx)
1526
SSL_CTX_free (ks->ssl_ctx);
1527
free_key_ctx_bi (&ks->tls_auth_key);
1529
#endif /* USE_SSL */
1530
#endif /* USE_CRYPTO */
1537
init_crypto_pre (struct context *c, const unsigned int flags)
1539
if (c->options.engine)
1540
init_crypto_lib_engine (c->options.engine);
1542
if (flags & CF_LOAD_PERSISTED_PACKET_ID)
1544
/* load a persisted packet-id for cross-session replay-protection */
1545
if (c->options.packet_id_file)
1546
packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
1549
/* Initialize crypto options */
1551
if (c->options.use_iv)
1552
c->c2.crypto_options.flags |= CO_USE_IV;
1554
if (c->options.mute_replay_warnings)
1555
c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
1559
* Static Key Mode (using a pre-shared key)
1562
do_init_crypto_static (struct context *c, const unsigned int flags)
1564
const struct options *options = &c->options;
1565
ASSERT (options->shared_secret_file);
1567
init_crypto_pre (c, flags);
1569
/* Initialize packet ID tracking */
1570
if (options->replay)
1572
packet_id_init (&c->c2.packet_id, options->replay_window,
1573
options->replay_time);
1574
c->c2.crypto_options.packet_id = &c->c2.packet_id;
1575
c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
1576
c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
1577
packet_id_persist_load_obj (&c->c1.pid_persist,
1578
c->c2.crypto_options.packet_id);
1581
if (!key_ctx_bi_defined (&c->c1.ks.static_key))
1584
struct key_direction_state kds;
1586
/* Get cipher & hash algorithms */
1587
init_key_type (&c->c1.ks.key_type, options->ciphername,
1588
options->ciphername_defined, options->authname,
1589
options->authname_defined, options->keysize,
1590
options->test_crypto, true);
1592
/* Read cipher and hmac keys from shared secret file */
1594
unsigned int rkf_flags = RKF_MUST_SUCCEED;
1595
const char *rkf_file = options->shared_secret_file;
1597
#if ENABLE_INLINE_FILES
1598
if (options->shared_secret_file_inline)
1600
rkf_file = options->shared_secret_file_inline;
1601
rkf_flags |= RKF_INLINE;
1604
read_key_file (&key2, rkf_file, rkf_flags);
1607
/* Check for and fix highly unlikely key problems */
1608
verify_fix_key2 (&key2, &c->c1.ks.key_type,
1609
options->shared_secret_file);
1611
/* Initialize OpenSSL key objects */
1612
key_direction_state_init (&kds, options->key_direction);
1613
must_have_n_keys (options->shared_secret_file, "secret", &key2,
1615
init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
1616
&c->c1.ks.key_type, DO_ENCRYPT, "Static Encrypt");
1617
init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
1618
&c->c1.ks.key_type, DO_DECRYPT, "Static Decrypt");
1620
/* Erase the temporary copy of key */
1625
msg (M_INFO, "Re-using pre-shared static key");
1628
/* Get key schedule */
1629
c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
1631
/* Compute MTU parameters */
1632
crypto_adjust_frame_parameters (&c->c2.frame,
1634
options->ciphername_defined,
1635
options->use_iv, options->replay, true);
1637
/* Sanity check on IV, sequence number, and cipher mode options */
1638
check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1645
* Initialize the persistent component of OpenVPN's TLS mode,
1646
* which is preserved across SIGUSR1 resets.
1649
do_init_crypto_tls_c1 (struct context *c)
1651
const struct options *options = &c->options;
1653
if (!c->c1.ks.ssl_ctx)
1656
* Initialize the OpenSSL library's global
1659
c->c1.ks.ssl_ctx = init_ssl (options);
1660
if (!c->c1.ks.ssl_ctx)
1663
switch (auth_retry_get ())
1666
msg (M_FATAL, "Error: private key password verification failed");
1671
c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Password failure error */
1676
c->sig->signal_text = "private-key-password-failure";
1679
msg (M_FATAL, "Error: private key password verification failed");
1683
/* Get cipher & hash algorithms */
1684
init_key_type (&c->c1.ks.key_type, options->ciphername,
1685
options->ciphername_defined, options->authname,
1686
options->authname_defined, options->keysize, true, true);
1688
/* Initialize PRNG with config-specified digest */
1689
prng_init (options->prng_hash, options->prng_nonce_secret_len);
1691
/* TLS handshake authentication (--tls-auth) */
1692
if (options->tls_auth_file)
1694
unsigned int flags = 0;
1695
const char *file = options->tls_auth_file;
1697
#if ENABLE_INLINE_FILES
1698
if (options->tls_auth_file_inline)
1700
flags |= GHK_INLINE;
1701
file = options->tls_auth_file_inline;
1704
get_tls_handshake_key (&c->c1.ks.key_type,
1705
&c->c1.ks.tls_auth_key,
1707
options->key_direction,
1711
#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
1712
if (options->priv_key_file_inline)
1714
string_clear (c->options.priv_key_file_inline);
1715
c->options.priv_key_file_inline = NULL;
1721
msg (M_INFO, "Re-using SSL/TLS context");
1726
do_init_crypto_tls (struct context *c, const unsigned int flags)
1728
const struct options *options = &c->options;
1729
struct tls_options to;
1730
bool packet_id_long_form;
1732
ASSERT (options->tls_server || options->tls_client);
1733
ASSERT (!options->test_crypto);
1735
init_crypto_pre (c, flags);
1737
/* Make sure we are either a TLS client or server but not both */
1738
ASSERT (options->tls_server == !options->tls_client);
1740
/* initialize persistent component */
1741
do_init_crypto_tls_c1 (c);
1745
/* Sanity check on IV, sequence number, and cipher mode options */
1746
check_replay_iv_consistency (&c->c1.ks.key_type, options->replay,
1749
/* In short form, unique datagram identifier is 32 bits, in long form 64 bits */
1750
packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type);
1752
/* Compute MTU parameters */
1753
crypto_adjust_frame_parameters (&c->c2.frame,
1755
options->ciphername_defined,
1757
options->replay, packet_id_long_form);
1758
tls_adjust_frame_parameters (&c->c2.frame);
1760
/* Set all command-line TLS-related options */
1763
to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
1764
if (packet_id_long_form)
1765
to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
1767
to.ssl_ctx = c->c1.ks.ssl_ctx;
1768
to.key_type = c->c1.ks.key_type;
1769
to.server = options->tls_server;
1770
to.key_method = options->key_method;
1771
to.replay = options->replay;
1772
to.replay_window = options->replay_window;
1773
to.replay_time = options->replay_time;
1774
to.transition_window = options->transition_window;
1775
to.handshake_window = options->handshake_window;
1776
to.packet_timeout = options->tls_timeout;
1777
to.renegotiate_bytes = options->renegotiate_bytes;
1778
to.renegotiate_packets = options->renegotiate_packets;
1779
to.renegotiate_seconds = options->renegotiate_seconds;
1780
to.single_session = options->single_session;
1782
/* should we not xmit any packets until we get an initial
1783
response from client? */
1784
if (to.server && options->ce.proto == PROTO_TCPv4_SERVER)
1785
to.xmit_hold = true;
1788
to.disable_occ = !options->occ;
1791
to.verify_command = options->tls_verify;
1792
to.verify_x509name = options->tls_remote;
1793
to.crl_file = options->crl_file;
1794
to.ns_cert_type = options->ns_cert_type;
1795
memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
1796
to.remote_cert_eku = options->remote_cert_eku;
1800
to.gremlin = c->options.gremlin;
1803
to.plugins = c->plugins;
1805
#ifdef MANAGEMENT_DEF_AUTH
1806
to.mda_context = &c->c2.mda_context;
1810
to.auth_user_pass_verify_script = options->auth_user_pass_verify_script;
1811
to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file;
1812
to.tmp_dir = options->tmp_dir;
1813
to.ssl_flags = options->ssl_flags;
1814
if (options->ccd_exclusive)
1815
to.client_config_dir_exclusive = options->client_config_dir;
1818
/* TLS handshake authentication (--tls-auth) */
1819
if (options->tls_auth_file)
1821
to.tls_auth_key = c->c1.ks.tls_auth_key;
1822
to.tls_auth.pid_persist = &c->c1.pid_persist;
1823
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
1824
crypto_adjust_frame_parameters (&to.frame,
1826
false, false, true, true);
1829
/* If we are running over TCP, allow for
1831
socket_adjust_frame_parameters (&to.frame, options->ce.proto);
1834
* Initialize OpenVPN's master TLS-mode object.
1836
if (flags & CF_INIT_TLS_MULTI)
1837
c->c2.tls_multi = tls_multi_init (&to);
1839
if (flags & CF_INIT_TLS_AUTH_STANDALONE)
1840
c->c2.tls_auth_standalone = tls_auth_standalone_init (&to, &c->c2.gc);
1844
do_init_finalize_tls_frame (struct context *c)
1846
if (c->c2.tls_multi)
1848
tls_multi_init_finalize (c->c2.tls_multi, &c->c2.frame);
1849
ASSERT (EXPANDED_SIZE (&c->c2.tls_multi->opt.frame) <=
1850
EXPANDED_SIZE (&c->c2.frame));
1851
frame_print (&c->c2.tls_multi->opt.frame, D_MTU_INFO,
1852
"Control Channel MTU parms");
1854
if (c->c2.tls_auth_standalone)
1856
tls_auth_standalone_finalize (c->c2.tls_auth_standalone, &c->c2.frame);
1857
frame_print (&c->c2.tls_auth_standalone->frame, D_MTU_INFO,
1858
"TLS-Auth MTU parms");
1862
#endif /* USE_SSL */
1863
#endif /* USE_CRYPTO */
1867
* No encryption or authentication.
1870
do_init_crypto_none (const struct context *c)
1872
ASSERT (!c->options.test_crypto);
1874
"******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1879
do_init_crypto (struct context *c, const unsigned int flags)
1882
if (c->options.shared_secret_file)
1883
do_init_crypto_static (c, flags);
1885
else if (c->options.tls_server || c->options.tls_client)
1886
do_init_crypto_tls (c, flags);
1888
else /* no encryption or authentication. */
1889
do_init_crypto_none (c);
1890
#else /* USE_CRYPTO */
1892
"******* WARNING *******: " PACKAGE_NAME
1893
" built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");
1894
#endif /* USE_CRYPTO */
1898
do_init_frame (struct context *c)
1902
* Initialize LZO compression library.
1904
if (c->options.lzo & LZO_SELECTED)
1906
lzo_adjust_frame_parameters (&c->c2.frame);
1909
* LZO usage affects buffer alignment.
1911
if (CIPHER_ENABLED (c))
1913
frame_add_to_align_adjust (&c->c2.frame, LZO_PREFIX_LEN);
1914
frame_or_align_flags (&c->c2.frame,
1915
FRAME_HEADROOM_MARKER_FRAGMENT
1916
|FRAME_HEADROOM_MARKER_DECRYPT);
1919
#ifdef ENABLE_FRAGMENT
1920
lzo_adjust_frame_parameters (&c->c2.frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */
1923
#endif /* USE_LZO */
1927
* Adjust frame size for UDP Socks support.
1929
if (c->options.ce.socks_proxy_server)
1930
socks_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
1934
* Adjust frame size based on the --tun-mtu-extra parameter.
1936
if (c->options.tun_mtu_extra_defined)
1937
tun_adjust_frame_parameters (&c->c2.frame, c->options.tun_mtu_extra);
1940
* Adjust frame size based on link socket parameters.
1941
* (Since TCP is a stream protocol, we need to insert
1942
* a packet length uint16_t in the buffer.)
1944
socket_adjust_frame_parameters (&c->c2.frame, c->options.ce.proto);
1947
* Fill in the blanks in the frame parameters structure,
1948
* make sure values are rational, etc.
1950
frame_finalize_options (c, NULL);
1952
#ifdef ENABLE_FRAGMENT
1954
* Set frame parameter for fragment code. This is necessary because
1955
* the fragmentation code deals with payloads which have already been
1956
* passed through the compression code.
1958
c->c2.frame_fragment = c->c2.frame;
1959
frame_subtract_extra (&c->c2.frame_fragment, &c->c2.frame_fragment_omit);
1962
#if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC)
1966
if (c->options.fragment && c->options.mtu_test)
1968
"WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
1971
#ifdef ENABLE_FRAGMENT
1972
if ((c->options.mssfix || c->options.fragment)
1973
&& TUN_MTU_SIZE (&c->c2.frame_fragment) != ETHERNET_MTU)
1975
"WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu %d (currently it is %d)",
1976
ETHERNET_MTU, TUN_MTU_SIZE (&c->c2.frame_fragment));
1981
do_option_warnings (struct context *c)
1983
const struct options *o = &c->options;
1985
#if 1 /* JYFIXME -- port warning */
1986
if (!o->ce.port_option_used && (o->ce.local_port == OPENVPN_PORT && o->ce.remote_port == OPENVPN_PORT))
1987
msg (M_WARN, "IMPORTANT: OpenVPN's default port number is now %d, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.",
1991
if (o->ping_send_timeout && !o->ping_rec_timeout)
1992
msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
1994
if (o->username || o->groupname || o->chroot_dir
1996
|| o->selinux_context
2000
if (!o->persist_tun)
2001
msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
2003
#ifdef ENABLE_PKCS11
2007
msg (M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
2010
if (o->chroot_dir && !(o->username && o->groupname))
2011
msg (M_WARN, "WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
2014
if (o->pull && o->ifconfig_local && c->first_time)
2015
msg (M_WARN, "WARNING: using --pull/--client and --ifconfig together is probably not what you want");
2018
if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
2019
msg (M_WARN, "NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
2021
if (o->mode == MODE_SERVER)
2023
if (o->duplicate_cn && o->client_config_dir)
2024
msg (M_WARN, "WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
2025
if (o->duplicate_cn && o->ifconfig_pool_persist_filename)
2026
msg (M_WARN, "WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
2027
if (!o->keepalive_ping || !o->keepalive_timeout)
2028
msg (M_WARN, "WARNING: --keepalive option is missing from server config");
2035
msg (M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
2037
msg (M_WARN, "WARNING: You have disabled Crypto IVs (--no-iv) which may make " PACKAGE_NAME " less secure");
2041
warn_on_use_of_common_subnets ();
2045
&& !(o->ns_cert_type & NS_SSL_SERVER)
2046
&& !o->remote_cert_eku)
2047
msg (M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
2049
msg (M_WARN, "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).");
2053
#ifndef CONNECT_NONBLOCK
2054
if (o->ce.connect_timeout_defined)
2055
msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
2058
if (script_security >= SSEC_SCRIPTS)
2059
msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
2060
else if (script_security >= SSEC_PW_ENV)
2061
msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
2063
msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
2065
if (script_method == SM_SYSTEM)
2066
msg (M_WARN, "NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion");
2070
do_init_frame_tls (struct context *c)
2072
#if defined(USE_CRYPTO) && defined(USE_SSL)
2073
do_init_finalize_tls_frame (c);
2077
struct context_buffers *
2078
init_context_buffers (const struct frame *frame)
2080
struct context_buffers *b;
2082
ALLOC_OBJ_CLEAR (b, struct context_buffers);
2084
b->read_link_buf = alloc_buf (BUF_SIZE (frame));
2085
b->read_tun_buf = alloc_buf (BUF_SIZE (frame));
2087
b->aux_buf = alloc_buf (BUF_SIZE (frame));
2090
b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
2091
b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
2095
b->lzo_compress_buf = alloc_buf (BUF_SIZE (frame));
2096
b->lzo_decompress_buf = alloc_buf (BUF_SIZE (frame));
2103
free_context_buffers (struct context_buffers *b)
2107
free_buf (&b->read_link_buf);
2108
free_buf (&b->read_tun_buf);
2109
free_buf (&b->aux_buf);
2112
free_buf (&b->lzo_compress_buf);
2113
free_buf (&b->lzo_decompress_buf);
2117
free_buf (&b->encrypt_buf);
2118
free_buf (&b->decrypt_buf);
2126
* Now that we know all frame parameters, initialize
2130
do_init_buffers (struct context *c)
2132
c->c2.buffers = init_context_buffers (&c->c2.frame);
2133
c->c2.buffers_owned = true;
2136
#ifdef ENABLE_FRAGMENT
2138
* Fragmenting code has buffers to initialize
2139
* once frame parameters are known.
2142
do_init_fragment (struct context *c)
2144
ASSERT (c->options.fragment);
2145
frame_set_mtu_dynamic (&c->c2.frame_fragment,
2146
c->options.fragment, SET_MTU_UPPER_BOUND);
2147
fragment_frame_init (c->c2.fragment, &c->c2.frame_fragment);
2152
* Set the --mssfix option.
2155
do_init_mssfix (struct context *c)
2157
if (c->options.mssfix)
2159
frame_set_mtu_dynamic (&c->c2.frame,
2160
c->options.mssfix, SET_MTU_UPPER_BOUND);
2165
* Allocate our socket object.
2168
do_link_socket_new (struct context *c)
2170
ASSERT (!c->c2.link_socket);
2171
c->c2.link_socket = link_socket_new ();
2172
c->c2.link_socket_owned = true;
2176
* bind the TCP/UDP socket
2179
do_init_socket_1 (struct context *c, const int mode)
2181
unsigned int sockflags = c->options.sockflags;
2184
if (c->options.port_share_host && c->options.port_share_port)
2185
sockflags |= SF_PORT_SHARE;
2188
link_socket_init_phase1 (c->c2.link_socket,
2189
connection_list_defined (&c->options),
2190
c->options.ce.local,
2191
c->options.ce.local_port,
2192
c->options.ce.remote,
2193
c->options.ce.remote_port,
2194
c->options.ce.proto,
2197
#ifdef ENABLE_HTTP_PROXY
2206
c->options.ce.bind_local,
2207
c->options.ce.remote_float,
2209
&c->c1.link_socket_addr,
2210
c->options.ipchange,
2212
c->options.resolve_retry_seconds,
2213
c->options.ce.connect_retry_seconds,
2214
c->options.ce.connect_timeout,
2215
c->options.ce.connect_retry_max,
2216
c->options.mtu_discover_type,
2223
* finalize the TCP/UDP socket
2226
do_init_socket_2 (struct context *c)
2228
link_socket_init_phase2 (c->c2.link_socket, &c->c2.frame,
2229
&c->sig->signal_received);
2236
do_print_data_channel_mtu_parms (struct context *c)
2238
frame_print (&c->c2.frame, D_MTU_INFO, "Data Channel MTU parms");
2239
#ifdef ENABLE_FRAGMENT
2241
frame_print (&c->c2.frame_fragment, D_MTU_INFO,
2242
"Fragmentation MTU parms");
2248
* Get local and remote options compatibility strings.
2251
do_compute_occ_strings (struct context *c)
2253
struct gc_arena gc = gc_new ();
2255
c->c2.options_string_local =
2256
options_string (&c->options, &c->c2.frame, c->c1.tuntap, false, &gc);
2257
c->c2.options_string_remote =
2258
options_string (&c->options, &c->c2.frame, c->c1.tuntap, true, &gc);
2260
msg (D_SHOW_OCC, "Local Options String: '%s'", c->c2.options_string_local);
2261
msg (D_SHOW_OCC, "Expected Remote Options String: '%s'",
2262
c->c2.options_string_remote);
2265
msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
2266
options_string_version (c->c2.options_string_local, &gc),
2267
md5sum ((uint8_t*)c->c2.options_string_local,
2268
strlen (c->c2.options_string_local), 9, &gc));
2269
msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
2270
options_string_version (c->c2.options_string_remote, &gc),
2271
md5sum ((uint8_t*)c->c2.options_string_remote,
2272
strlen (c->c2.options_string_remote), 9, &gc));
2275
#if defined(USE_CRYPTO) && defined(USE_SSL)
2276
if (c->c2.tls_multi)
2277
tls_multi_init_set_options (c->c2.tls_multi,
2278
c->c2.options_string_local,
2279
c->c2.options_string_remote);
2287
* These things can only be executed once per program instantiation.
2288
* Set up for possible UID/GID downgrade, but don't do it yet.
2289
* Daemonize if requested.
2292
do_init_first_time (struct context *c)
2294
if (c->first_time && !c->did_we_daemonize && !c->c0)
2296
struct context_0 *c0;
2298
ALLOC_OBJ_CLEAR_GC (c->c0, struct context_0, &c->gc);
2301
/* get user and/or group that we want to setuid/setgid to */
2302
c0->uid_gid_specified =
2303
get_group (c->options.groupname, &c0->group_state) |
2304
get_user (c->options.username, &c0->user_state);
2306
/* get --writepid file descriptor */
2307
get_pid_file (c->options.writepid, &c0->pid_state);
2309
/* become a daemon if --daemon */
2310
c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
2312
/* should we disable paging? */
2313
if (c->options.mlock && c->did_we_daemonize)
2314
do_mlockall (true); /* call again in case we daemonized */
2316
/* save process ID in a file */
2317
write_pid (&c0->pid_state);
2319
/* should we change scheduling priority? */
2320
set_nice (c->options.nice);
2325
* If xinetd/inetd mode, don't allow restart.
2328
do_close_check_if_restart_permitted (struct context *c)
2330
if (c->options.inetd
2331
&& (c->sig->signal_received == SIGHUP
2332
|| c->sig->signal_received == SIGUSR1))
2334
c->sig->signal_received = SIGTERM;
2337
" started by inetd/xinetd cannot restart... Exiting.");
2345
do_close_free_buf (struct context *c)
2347
if (c->c2.buffers_owned)
2349
free_context_buffers (c->c2.buffers);
2350
c->c2.buffers = NULL;
2351
c->c2.buffers_owned = false;
2359
do_close_tls (struct context *c)
2361
#if defined(USE_CRYPTO) && defined(USE_SSL)
2362
if (c->c2.tls_multi)
2364
tls_multi_free (c->c2.tls_multi, true);
2365
c->c2.tls_multi = NULL;
2369
/* free options compatibility strings */
2370
if (c->c2.options_string_local)
2371
free (c->c2.options_string_local);
2372
if (c->c2.options_string_remote)
2373
free (c->c2.options_string_remote);
2374
c->c2.options_string_local = c->c2.options_string_remote = NULL;
2380
* Free key schedules
2383
do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
2385
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
2386
key_schedule_free (&c->c1.ks, free_ssl_ctx);
2390
* Close TCP/UDP connection
2393
do_close_link_socket (struct context *c)
2395
if (c->c2.link_socket && c->c2.link_socket_owned)
2397
link_socket_close (c->c2.link_socket);
2398
c->c2.link_socket = NULL;
2401
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_remote_ip))
2403
CLEAR (c->c1.link_socket_addr.remote);
2404
CLEAR (c->c1.link_socket_addr.actual);
2407
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_local_ip))
2408
CLEAR (c->c1.link_socket_addr.local);
2412
* Close packet-id persistance file
2415
do_close_packet_id (struct context *c)
2418
packet_id_free (&c->c2.packet_id);
2419
packet_id_persist_save (&c->c1.pid_persist);
2420
if (!(c->sig->signal_received == SIGUSR1))
2421
packet_id_persist_close (&c->c1.pid_persist);
2425
#ifdef ENABLE_FRAGMENT
2427
* Close fragmentation handler.
2430
do_close_fragment (struct context *c)
2434
fragment_free (c->c2.fragment);
2435
c->c2.fragment = NULL;
2441
* Open and close our event objects.
2445
do_event_set_init (struct context *c,
2446
bool need_us_timeout)
2448
unsigned int flags = 0;
2450
c->c2.event_set_max = BASE_N_EVENTS;
2452
flags |= EVENT_METHOD_FAST;
2454
if (need_us_timeout)
2455
flags |= EVENT_METHOD_US_TIMEOUT;
2457
c->c2.event_set = event_set_init (&c->c2.event_set_max, flags);
2458
c->c2.event_set_owned = true;
2462
do_close_event_set (struct context *c)
2464
if (c->c2.event_set && c->c2.event_set_owned)
2466
event_free (c->c2.event_set);
2467
c->c2.event_set = NULL;
2468
c->c2.event_set_owned = false;
2473
* Open and close --status file
2477
do_open_status_output (struct context *c)
2479
if (!c->c1.status_output)
2481
c->c1.status_output = status_open (c->options.status_file,
2482
c->options.status_file_update_freq,
2485
STATUS_OUTPUT_WRITE);
2486
c->c1.status_output_owned = true;
2491
do_close_status_output (struct context *c)
2493
if (!(c->sig->signal_received == SIGUSR1))
2495
if (c->c1.status_output_owned && c->c1.status_output)
2497
status_close (c->c1.status_output);
2498
c->c1.status_output = NULL;
2499
c->c1.status_output_owned = false;
2505
* Handle ifconfig-pool persistance object.
2508
do_open_ifconfig_pool_persist (struct context *c)
2511
if (!c->c1.ifconfig_pool_persist && c->options.ifconfig_pool_persist_filename)
2513
c->c1.ifconfig_pool_persist = ifconfig_pool_persist_init (c->options.ifconfig_pool_persist_filename,
2514
c->options.ifconfig_pool_persist_refresh_freq);
2515
c->c1.ifconfig_pool_persist_owned = true;
2521
do_close_ifconfig_pool_persist (struct context *c)
2524
if (!(c->sig->signal_received == SIGUSR1))
2526
if (c->c1.ifconfig_pool_persist && c->c1.ifconfig_pool_persist_owned)
2528
ifconfig_pool_persist_close (c->c1.ifconfig_pool_persist);
2529
c->c1.ifconfig_pool_persist = NULL;
2530
c->c1.ifconfig_pool_persist_owned = false;
2537
* Inherit environmental variables
2541
do_inherit_env (struct context *c, const struct env_set *src)
2543
c->c2.es = env_set_create (NULL);
2544
c->c2.es_owned = true;
2545
env_set_inherit (c->c2.es, src);
2549
do_env_set_destroy (struct context *c)
2551
if (c->c2.es && c->c2.es_owned)
2553
env_set_destroy (c->c2.es);
2555
c->c2.es_owned = false;
2560
* Fast I/O setup. Fast I/O is an optimization which only works
2561
* if all of the following are true:
2563
* (1) The platform is not Windows
2564
* (2) --proto udp is enabled
2565
* (3) --shaper is disabled
2568
do_setup_fast_io (struct context *c)
2570
if (c->options.fast_io)
2573
msg (M_INFO, "NOTE: --fast-io is disabled since we are running on Windows");
2575
if (c->options.ce.proto != PROTO_UDPv4)
2576
msg (M_INFO, "NOTE: --fast-io is disabled since we are not using UDP");
2579
#ifdef HAVE_GETTIMEOFDAY
2580
if (c->options.shaper)
2581
msg (M_INFO, "NOTE: --fast-io is disabled since we are using --shaper");
2585
c->c2.fast_io = true;
2593
do_signal_on_tls_errors (struct context *c)
2595
#if defined(USE_CRYPTO) && defined(USE_SSL)
2596
if (c->options.tls_exit)
2597
c->c2.tls_exit_signal = SIGTERM;
2599
c->c2.tls_exit_signal = SIGUSR1;
2603
#ifdef ENABLE_PLUGIN
2606
init_plugins (struct context *c)
2608
if (c->options.plugin_list && !c->plugins)
2610
c->plugins = plugin_list_init (c->options.plugin_list);
2611
c->plugins_owned = true;
2616
open_plugins (struct context *c, const bool import_options, int init_point)
2618
if (c->plugins && c->plugins_owned)
2622
struct plugin_return pr, config;
2623
plugin_return_init (&pr);
2624
plugin_list_open (c->plugins, c->options.plugin_list, &pr, c->c2.es, init_point);
2625
plugin_return_get_column (&pr, &config, "config");
2626
if (plugin_return_defined (&config))
2629
for (i = 0; i < config.n; ++i)
2631
unsigned int option_types_found = 0;
2632
if (config.list[i] && config.list[i]->value)
2633
options_string_import (&c->options,
2634
config.list[i]->value,
2635
D_IMPORT_ERRORS|M_OPTERR,
2636
OPT_P_DEFAULT & ~OPT_P_PLUGIN,
2637
&option_types_found,
2641
plugin_return_free (&pr);
2645
plugin_list_open (c->plugins, c->options.plugin_list, NULL, c->c2.es, init_point);
2651
do_close_plugins (struct context *c)
2653
if (c->plugins && c->plugins_owned && !(c->sig->signal_received == SIGUSR1))
2655
plugin_list_close (c->plugins);
2657
c->plugins_owned = false;
2662
do_inherit_plugins (struct context *c, const struct context *src)
2664
if (!c->plugins && src->plugins)
2666
c->plugins = plugin_list_inherit (src->plugins);
2667
c->plugins_owned = true;
2673
#ifdef ENABLE_MANAGEMENT
2676
management_callback_status_p2p (void *arg, const int version, struct status_output *so)
2678
struct context *c = (struct context *) arg;
2679
print_status (c, so);
2683
management_show_net_callback (void *arg, const int msglevel)
2686
show_routes (msglevel);
2687
show_adapters (msglevel);
2688
msg (msglevel, "END");
2690
msg (msglevel, "ERROR: Sorry, this command is currently only implemented on Windows");
2697
init_management_callback_p2p (struct context *c)
2699
#ifdef ENABLE_MANAGEMENT
2702
struct management_callback cb;
2705
cb.status = management_callback_status_p2p;
2706
cb.show_net = management_show_net_callback;
2707
management_set_callback (management, &cb);
2712
#ifdef ENABLE_MANAGEMENT
2715
init_management (struct context *c)
2718
management = management_init ();
2722
open_management (struct context *c)
2724
/* initialize management layer */
2727
if (c->options.management_addr)
2729
unsigned int flags = c->options.management_flags;
2730
if (c->options.mode == MODE_SERVER)
2732
if (management_open (management,
2733
c->options.management_addr,
2734
c->options.management_port,
2735
c->options.management_user_pass,
2736
c->options.management_client_user,
2737
c->options.management_client_group,
2738
c->options.management_log_history_cache,
2739
c->options.management_echo_buffer_size,
2740
c->options.management_state_buffer_size,
2741
c->options.management_write_peer_info_file,
2742
c->options.remap_sigusr1,
2745
management_set_state (management,
2746
OPENVPN_STATE_CONNECTING,
2752
/* initial management hold, called early, before first context initialization */
2756
msg (M_WARN, "Signal received from management interface, exiting");
2761
close_management ();
2767
close_management (void)
2771
management_close (management);
2780
uninit_management_callback (void)
2782
#ifdef ENABLE_MANAGEMENT
2785
management_clear_callback (management);
2791
* Initialize a tunnel instance, handle pre and post-init
2795
init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags)
2797
pre_init_signal_catch ();
2798
init_instance (c, env, flags);
2799
post_init_signal_catch ();
2802
* This is done so that signals thrown during
2803
* initialization can bring us back to
2804
* a management hold.
2809
uninit_management_callback ();
2814
* Initialize a tunnel instance.
2817
init_instance (struct context *c, const struct env_set *env, const unsigned int flags)
2819
const struct options *options = &c->options;
2820
const bool child = (c->mode == CM_CHILD_TCP || c->mode == CM_CHILD_UDP);
2821
int link_socket_mode = LS_MODE_DEFAULT;
2823
/* init garbage collection level */
2824
gc_init (&c->c2.gc);
2826
/* signals caught here will abort */
2827
c->sig->signal_received = 0;
2828
c->sig->signal_text = NULL;
2829
c->sig->hard = false;
2831
/* map in current connection entry */
2832
next_connection_entry (c);
2834
/* link_socket_mode allows CM_CHILD_TCP
2835
instances to inherit acceptable fds
2836
from a top-level parent */
2837
if (c->options.ce.proto == PROTO_TCPv4_SERVER)
2839
if (c->mode == CM_TOP)
2840
link_socket_mode = LS_MODE_TCP_LISTEN;
2841
else if (c->mode == CM_CHILD_TCP)
2842
link_socket_mode = LS_MODE_TCP_ACCEPT_FROM;
2845
/* should we disable paging? */
2846
if (c->first_time && options->mlock)
2849
/* possible sleep or management hold if restart */
2850
if (c->mode == CM_P2P || c->mode == CM_TOP)
2852
do_startup_pause (c);
2858
/* get passwords if undefined */
2859
if (auth_retry_get () == AR_INTERACT)
2860
init_query_passwords (c);
2863
/* initialize context level 2 --verb/--mute parms */
2864
init_verb_mute (c, IVM_LEVEL_2);
2866
/* set error message delay for non-server modes */
2867
if (c->mode == CM_P2P)
2868
set_check_status_error_delay (P2P_ERROR_DELAY_MS);
2870
/* warn about inconsistent options */
2871
if (c->mode == CM_P2P || c->mode == CM_TOP)
2872
do_option_warnings (c);
2874
/* inherit environmental variables */
2876
do_inherit_env (c, env);
2878
#ifdef ENABLE_PLUGIN
2879
/* initialize plugins */
2880
if (c->mode == CM_P2P || c->mode == CM_TOP)
2881
open_plugins (c, false, OPENVPN_PLUGIN_INIT_PRE_DAEMON);
2884
/* should we enable fast I/O? */
2885
if (c->mode == CM_P2P || c->mode == CM_TOP)
2886
do_setup_fast_io (c);
2888
/* should we throw a signal on TLS errors? */
2889
do_signal_on_tls_errors (c);
2891
/* open --status file */
2892
if (c->mode == CM_P2P || c->mode == CM_TOP)
2893
do_open_status_output (c);
2895
/* open --ifconfig-pool-persist file */
2896
if (c->mode == CM_TOP)
2897
do_open_ifconfig_pool_persist (c);
2900
/* reset OCC state */
2901
if (c->mode == CM_P2P || child)
2902
c->c2.occ_op = occ_reset_op ();
2905
/* our wait-for-i/o objects, different for posix vs. win32 */
2906
if (c->mode == CM_P2P)
2907
do_event_set_init (c, SHAPER_DEFINED (&c->options));
2908
else if (c->mode == CM_CHILD_TCP)
2909
do_event_set_init (c, false);
2911
/* initialize HTTP or SOCKS proxy object at scope level 2 */
2914
/* allocate our socket object */
2915
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2916
do_link_socket_new (c);
2918
#ifdef ENABLE_FRAGMENT
2919
/* initialize internal fragmentation object */
2920
if (options->fragment && (c->mode == CM_P2P || child))
2921
c->c2.fragment = fragment_init (&c->c2.frame);
2924
/* init crypto layer */
2926
unsigned int crypto_flags = 0;
2927
if (c->mode == CM_TOP)
2928
crypto_flags = CF_INIT_TLS_AUTH_STANDALONE;
2929
else if (c->mode == CM_P2P)
2930
crypto_flags = CF_LOAD_PERSISTED_PACKET_ID | CF_INIT_TLS_MULTI;
2932
crypto_flags = CF_INIT_TLS_MULTI;
2933
do_init_crypto (c, crypto_flags);
2934
if (IS_SIG (c) && !child)
2939
/* initialize LZO compression library. */
2940
if ((options->lzo & LZO_SELECTED) && (c->mode == CM_P2P || child))
2941
lzo_compress_init (&c->c2.lzo_compwork, options->lzo);
2944
/* initialize MTU variables */
2947
/* initialize TLS MTU variables */
2948
do_init_frame_tls (c);
2950
/* init workspace buffers whose size is derived from frame size */
2951
if (c->mode == CM_P2P || c->mode == CM_CHILD_TCP)
2952
do_init_buffers (c);
2954
#ifdef ENABLE_FRAGMENT
2955
/* initialize internal fragmentation capability with known frame size */
2956
if (options->fragment && (c->mode == CM_P2P || child))
2957
do_init_fragment (c);
2960
/* initialize dynamic MTU variable */
2963
/* bind the TCP/UDP socket */
2964
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
2965
do_init_socket_1 (c, link_socket_mode);
2967
/* initialize tun/tap device object,
2968
open tun/tap device, ifconfig, run up script, etc. */
2969
if (!(options->up_delay || PULL_DEFINED (options)) && (c->mode == CM_P2P || c->mode == CM_TOP))
2970
c->c2.did_open_tun = do_open_tun (c);
2972
/* print MTU info */
2973
do_print_data_channel_mtu_parms (c);
2976
/* get local and remote options compatibility strings */
2977
if (c->mode == CM_P2P || child)
2978
do_compute_occ_strings (c);
2981
/* initialize output speed limiter */
2982
if (c->mode == CM_P2P)
2983
do_init_traffic_shaper (c);
2985
/* do one-time inits, and possibily become a daemon here */
2986
do_init_first_time (c);
2988
#ifdef ENABLE_PLUGIN
2989
/* initialize plugins */
2990
if (c->mode == CM_P2P || c->mode == CM_TOP)
2991
open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_DAEMON);
2995
* Actually do UID/GID downgrade, and chroot, if requested.
2996
* May be delayed by --client, --pull, or --up-delay.
2998
do_uid_gid_chroot (c, c->c2.did_open_tun);
3000
/* finalize the TCP/UDP socket */
3001
if (c->mode == CM_P2P || c->mode == CM_TOP || c->mode == CM_CHILD_TCP)
3002
do_init_socket_2 (c);
3004
/* initialize timers */
3005
if (c->mode == CM_P2P || child)
3006
do_init_timers (c, false);
3008
#ifdef ENABLE_PLUGIN
3009
/* initialize plugins */
3010
if (c->mode == CM_P2P || c->mode == CM_TOP)
3011
open_plugins (c, false, OPENVPN_PLUGIN_INIT_POST_UID_CHANGE);
3015
/* share OpenVPN port with foreign (such as HTTPS) server */
3016
if (c->first_time && (c->mode == CM_P2P || c->mode == CM_TOP))
3017
init_port_share (c);
3022
pf_init_context (c);
3025
/* Check for signals */
3032
if (!c->sig->signal_text)
3033
c->sig->signal_text = "init_instance";
3034
close_context (c, -1, flags);
3039
* Close a tunnel instance.
3042
close_instance (struct context *c)
3044
/* close event objects */
3045
do_close_event_set (c);
3047
if (c->mode == CM_P2P
3048
|| c->mode == CM_CHILD_TCP
3049
|| c->mode == CM_CHILD_UDP
3050
|| c->mode == CM_TOP)
3052
/* if xinetd/inetd mode, don't allow restart */
3053
do_close_check_if_restart_permitted (c);
3056
if (lzo_defined (&c->c2.lzo_compwork))
3057
lzo_compress_uninit (&c->c2.lzo_compwork);
3061
do_close_free_buf (c);
3066
/* free key schedules */
3067
do_close_free_key_schedule (c, (c->mode == CM_P2P || c->mode == CM_TOP));
3069
/* close TCP/UDP connection */
3070
do_close_link_socket (c);
3072
/* close TUN/TAP device */
3073
do_close_tun (c, false);
3075
#ifdef MANAGEMENT_DEF_AUTH
3077
management_notify_client_close (management, &c->c2.mda_context, NULL);
3081
pf_destroy_context (&c->c2.pf);
3084
#ifdef ENABLE_PLUGIN
3085
/* call plugin close functions and unload */
3086
do_close_plugins (c);
3089
/* close packet-id persistance file */
3090
do_close_packet_id (c);
3092
/* close --status file */
3093
do_close_status_output (c);
3095
#ifdef ENABLE_FRAGMENT
3096
/* close fragmentation handler */
3097
do_close_fragment (c);
3100
/* close --ifconfig-pool-persist obj */
3101
do_close_ifconfig_pool_persist (c);
3103
/* free up environmental variable store */
3104
do_env_set_destroy (c);
3106
/* close HTTP or SOCKS proxy */
3109
/* garbage collect */
3110
gc_free (&c->c2.gc);
3115
inherit_context_child (struct context *dest,
3116
const struct context *src)
3120
switch (src->options.ce.proto)
3123
dest->mode = CM_CHILD_UDP;
3125
case PROTO_TCPv4_SERVER:
3126
dest->mode = CM_CHILD_TCP;
3132
dest->gc = gc_new ();
3134
ALLOC_OBJ_CLEAR_GC (dest->sig, struct signal_info, &dest->gc);
3137
packet_id_persist_init (&dest->c1.pid_persist);
3140
dest->c1.ks.key_type = src->c1.ks.key_type;
3142
/* inherit SSL context */
3143
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
3144
dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
3149
dest->options = src->options;
3150
options_detach (&dest->options);
3152
if (dest->mode == CM_CHILD_TCP)
3155
* The CM_TOP context does the socket listen(),
3156
* and the CM_CHILD_TCP context does the accept().
3158
dest->c2.accept_from = src->c2.link_socket;
3161
#ifdef ENABLE_PLUGIN
3162
/* inherit plugins */
3163
do_inherit_plugins (dest, src);
3167
init_instance (dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP);
3171
/* inherit tun/tap interface object */
3172
dest->c1.tuntap = src->c1.tuntap;
3174
/* UDP inherits some extra things which TCP does not */
3175
if (dest->mode == CM_CHILD_UDP)
3177
/* inherit buffers */
3178
dest->c2.buffers = src->c2.buffers;
3180
/* inherit parent link_socket and tuntap */
3181
dest->c2.link_socket = src->c2.link_socket;
3183
ALLOC_OBJ_GC (dest->c2.link_socket_info, struct link_socket_info, &dest->gc);
3184
*dest->c2.link_socket_info = src->c2.link_socket->info;
3186
/* locally override some link_socket_info fields */
3187
dest->c2.link_socket_info->lsa = &dest->c1.link_socket_addr;
3188
dest->c2.link_socket_info->connection_established = false;
3193
inherit_context_top (struct context *dest,
3194
const struct context *src)
3200
* CM_TOP_CLONE will prevent close_instance from freeing or closing
3201
* resources owned by the parent.
3203
* Also note that CM_TOP_CLONE context objects are
3204
* closed by multi_top_free in multi.c.
3206
dest->mode = CM_TOP_CLONE;
3208
dest->first_time = false;
3211
options_detach (&dest->options);
3212
gc_detach (&dest->gc);
3213
gc_detach (&dest->c2.gc);
3215
/* detach plugins */
3216
dest->plugins_owned = false;
3218
#if defined(USE_CRYPTO) && defined(USE_SSL)
3219
dest->c2.tls_multi = NULL;
3222
/* detach c1 ownership */
3223
dest->c1.tuntap_owned = false;
3224
dest->c1.status_output_owned = false;
3226
dest->c1.ifconfig_pool_persist_owned = false;
3229
/* detach c2 ownership */
3230
dest->c2.event_set_owned = false;
3231
dest->c2.link_socket_owned = false;
3232
dest->c2.buffers_owned = false;
3233
dest->c2.es_owned = false;
3235
dest->c2.event_set = NULL;
3236
if (src->options.ce.proto == PROTO_UDPv4)
3237
do_event_set_init (dest, false);
3241
close_context (struct context *c, int sig, unsigned int flags)
3247
c->sig->signal_received = sig;
3249
if (c->sig->signal_received == SIGUSR1)
3251
if ((flags & CC_USR1_TO_HUP)
3252
|| (c->sig->hard && (flags & CC_HARD_USR1_TO_HUP)))
3253
c->sig->signal_received = SIGHUP;
3256
if (!(flags & CC_NO_CLOSE))
3259
if (flags & CC_GC_FREE)
3260
context_gc_free (c);
3269
msg (M_INFO, "Multithreaded malloc test...");
3270
for (i = 0; i < 25; ++i)
3272
struct gc_arena gc = gc_new ();
3273
const int limit = get_random () & 0x03FF;
3274
for (j = 0; j < limit; ++j)
3276
gc_malloc (get_random () & 0x03FF, false, &gc);
3283
* Do a loopback test
3284
* on the crypto subsystem.
3287
test_crypto_thread (void *arg)
3289
struct context *c = (struct context *) arg;
3290
const struct options *options = &c->options;
3291
#if defined(USE_PTHREAD)
3292
struct context *child = NULL;
3293
openvpn_thread_t child_id = 0;
3296
ASSERT (options->test_crypto);
3297
init_verb_mute (c, IVM_LEVEL_1);
3299
do_init_crypto_static (c, 0);
3301
#if defined(USE_PTHREAD)
3303
if (c->first_time && options->n_threads > 1)
3305
if (options->n_threads > 2)
3306
msg (M_FATAL, "ERROR: --test-crypto option only works with --threads set to 1 or 2");
3307
openvpn_thread_init ();
3308
ALLOC_OBJ (child, struct context);
3309
context_clear (child);
3310
child->options = *options;
3311
options_detach (&child->options);
3312
child->first_time = false;
3313
child_id = openvpn_thread_create (test_crypto_thread, (void *) child);
3317
frame_finalize_options (c, options);
3319
#if defined(USE_PTHREAD)
3320
if (options->n_threads == 2)
3324
test_crypto (&c->c2.crypto_options, &c->c2.frame);
3326
key_schedule_free (&c->c1.ks, true);
3327
packet_id_free (&c->c2.packet_id);
3329
#if defined(USE_PTHREAD)
3330
if (c->first_time && options->n_threads > 1)
3331
openvpn_thread_join (child_id);
3335
context_gc_free (c);
3342
do_test_crypto (const struct options *o)
3349
/* print version number */
3350
msg (M_INFO, "%s", title_string);
3354
options_detach (&c.options);
3355
c.first_time = true;
3356
test_crypto_thread ((void *) &c);