frame_finalize_options (&frame, options);	  test_crypto (&crypto_options, &frame);	  key_schedule_free (ks);	  signal_received = 0;#ifdef USE_PTHREAD	  if (first_time)	    work_thread_join ();#endif	  goto done;	}    }#ifdef USE_SSL  else if (options->tls_server || options->tls_client)    {      /*       * TLS-based dynamic key exchange mode       */      struct tls_options to;      bool packet_id_long_form;      ASSERT (!options->test_crypto);      /* Make sure we are either a TLS client or server but not both */      ASSERT (options->tls_server == !options->tls_client);      /* Let user specify a script to verify the incoming certificate */      tls_set_verify_command (options->tls_verify);      if (!ks->ssl_ctx)	{	  /*	   * Initialize the OpenSSL library's global	   * SSL context.	   */	  ks->ssl_ctx = init_ssl (options->tls_server,				  options->ca_file,				  options->dh_file,				  options->cert_file,				  options->priv_key_file,				  options->cipher_list);	  /* Get cipher & hash algorithms */	  init_key_type (&ks->key_type, options->ciphername,			 options->ciphername_defined, options->authname,			 options->authname_defined, options->keysize,			 true);	  /* TLS handshake authentication (--tls-auth) */	  if (options->tls_auth_file)	    get_tls_handshake_key (&ks->key_type, &ks->tls_auth_key, options->tls_auth_file);	}      else	{	  msg (M_INFO, "Re-using SSL/TLS context");	}      /* Sanity check on IV, sequence number, and cipher mode options */      check_replay_iv_consistency(&ks->key_type, options->packet_id, options->iv);      /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */      packet_id_long_form = cfb_ofb_mode (&ks->key_type);      /* Compute MTU parameters */      crypto_adjust_frame_parameters(&frame,				     &ks->key_type,				     options->ciphername_defined,				     options->iv,				     options->packet_id,				     packet_id_long_form);      tls_adjust_frame_parameters(&frame);      /* Set all command-line TLS-related options */      CLEAR (to);      to.ssl_ctx = ks->ssl_ctx;      to.key_type = ks->key_type;      to.server = options->tls_server;      to.options = data_channel_options = options_string (options);      to.packet_id = options->packet_id;      to.packet_id_long_form = packet_id_long_form;      to.transition_window = options->transition_window;      to.handshake_window = options->handshake_window;      to.packet_timeout = options->tls_timeout;      to.renegotiate_bytes = options->renegotiate_bytes;      to.renegotiate_packets = options->renegotiate_packets;      to.renegotiate_seconds = options->renegotiate_seconds;      to.single_session = options->single_session;      to.disable_occ = options->disable_occ;      /* TLS handshake authentication (--tls-auth) */      if (options->tls_auth_file)	{	  to.tls_auth_key = ks->tls_auth_key;	  to.tls_auth.pid_persist = pid_persist;	  to.tls_auth.packet_id_long_form = true;	  crypto_adjust_frame_parameters(&to.frame,					 &ks->key_type,					 false,					 false,					 true,					 true);	}      /*       * Initialize OpenVPN's master TLS-mode object.       */      tls_multi = tls_multi_init (&to, &udp_socket);    }#endif  else    {      /*       * No encryption or authentication.       */      ASSERT (!options->test_crypto);      free_key_ctx_bi (&ks->static_key);      crypto_options.key_ctx_bi = &ks->static_key;      msg (M_WARN,	   "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");    }#else /* USE_CRYPTO */  msg (M_WARN,       "******* WARNING *******: OpenVPN built without OpenSSL -- encryption and authentication features disabled -- all data will be tunnelled as cleartext");#endif /* USE_CRYPTO */#ifdef USE_LZO  /*   * Initialize LZO compression library.   */  if (options->comp_lzo)    {      lzo_compress_init (&lzo_compwork, options->comp_lzo_adaptive);      lzo_adjust_frame_parameters (&frame);#ifdef FRAGMENT_ENABLE      lzo_adjust_frame_parameters (&frame_fragment_omit); /* omit LZO frame delta from final frame_fragment */#endif    }#endif  /*   * Adjust frame size based on the --tun-mtu-extra parameter.   */  tun_adjust_frame_parameters (&frame, options->tun_mtu_extra);  /*   * Fill in the blanks in the frame parameters structure,   * make sure values are rational, etc.   */  frame_finalize_options (&frame, options);  /*   * Set frame parameter for fragment code.  This is necessary because   * the fragmentation code deals with payloads which have already been   * passed through the compression code.   */#ifdef FRAGMENT_ENABLE  frame_fragment = frame;  frame_subtract_extra (&frame_fragment, &frame_fragment_omit);  frame_dynamic_finalize (&frame_fragment);#endif  max_rw_size_udp = MAX_RW_SIZE_UDP (&frame);  frame_print (&frame, D_MTU_INFO, "Data Channel MTU parms");#ifdef FRAGMENT_ENABLE  if (fragment)    frame_print (&frame_fragment, D_FRAG_DEBUG, "Fragmentation MTU parms");#endif#if defined(USE_CRYPTO) && defined(USE_SSL)  if (tls_multi)    {      int size;      tls_multi_init_finalize (tls_multi, &frame);      size = MAX_RW_SIZE_UDP (&tls_multi->opt.frame);      if (size > max_rw_size_udp)	max_rw_size_udp = size;      frame_print (&tls_multi->opt.frame, D_MTU_INFO, "Control Channel MTU parms");    }#endif  /*   * Now that we know all frame parameters, initialize   * our buffers.   */  read_udp_buf = alloc_buf (BUF_SIZE (&frame));  read_tun_buf = alloc_buf (BUF_SIZE (&frame));#ifdef USE_CRYPTO  encrypt_buf = alloc_buf (BUF_SIZE (&frame));  decrypt_buf = alloc_buf (BUF_SIZE (&frame));#endif#ifdef USE_LZO  if (options->comp_lzo)    {      lzo_compress_buf = alloc_buf (BUF_SIZE (&frame));      lzo_decompress_buf = alloc_buf (BUF_SIZE (&frame));    }#endif#ifdef FRAGMENT_ENABLE  /* fragmenting code has buffers to initialize once frame parameters are known */  if (fragment)    fragment_frame_init (fragment, &frame_fragment, (options->mtu_icmp && ipv4_tun));#endif  if (!tuntap_defined (tuntap))    {      /* do ifconfig */      if (ifconfig_order() == IFCONFIG_BEFORE_TUN_OPEN)	do_ifconfig (options->dev, options->dev_type,		     options->ifconfig_local, options->ifconfig_remote,		     TUN_MTU_SIZE (&frame));      /* open the tun device */      open_tun (options->dev, options->dev_type, options->dev_node, options->tun_ipv6, tuntap);      /* do ifconfig */        if (ifconfig_order() == IFCONFIG_AFTER_TUN_OPEN)	do_ifconfig (tuntap->actual, options->dev_type,		     options->ifconfig_local, options->ifconfig_remote,		     TUN_MTU_SIZE (&frame));      /* run the up script */      run_script (options->up_script, tuntap->actual, TUN_MTU_SIZE (&frame),		  max_rw_size_udp, options->ifconfig_local, options->ifconfig_remote);    }  else    {      msg (M_INFO, "Preserving previous TUN/TAP instance: %s", tuntap->actual);    }#ifdef HAVE_GETTIMEOFDAY  /* initialize traffic shaper (i.e. transmit bandwidth limiter) */  if (options->shaper)    {      shaper_init (&shaper, options->shaper);      shaper_msg (&shaper);    }#endif  if (first_time)    {      /* get user and/or group that we want to setuid/setgid to */      get_group (options->groupname, &group_state);      get_user (options->username, &user_state);      /* get --writepid file descriptor */      get_pid_file (options->writepid, &pid_state);      /* chroot if requested */      do_chroot (options->chroot_dir);    }  /* become a daemon if --daemon */  did_we_daemonize = possibly_become_daemon (1, options, first_time);#ifdef HAVE_SIGNAL_H  /* catch signals */  signal (SIGINT, signal_handler);  signal (SIGTERM, signal_handler);  signal (SIGHUP, signal_handler);  signal (SIGUSR1, signal_handler);  signal (SIGUSR2, signal_handler);#endif /* HAVE_SIGNAL_H */  if (first_time)    {      /* should we disable paging? */      if (options->mlock && did_we_daemonize)	do_mlockall (true); /* call again in case we daemonized */      /* set user and/or group that we want to setuid/setgid to */      set_group (&group_state);      set_user (&user_state);      /* save process ID in a file */      write_pid (&pid_state);      /* initialize threading if pthread configure option enabled */      thread_init();    }  /* start the TLS thread */#if defined(USE_CRYPTO) && defined(USE_SSL) && defined(USE_PTHREAD)  if (tls_multi)    tls_thread_create (&thread_parms, tls_multi, &udp_socket,		       options->nice_work, options->mlock);#endif  /* change scheduling priority if requested */  if (first_time)    set_nice (options->nice);  /*   * MAIN EVENT LOOP   *   * Pipe UDP -> tun and tun -> UDP using nonblocked i/o.   *   * If tls_multi is defined, multiplex a TLS   * control channel over the UDP connection which   * will be used for secure key exchange with our peer.   *   */  /* calculate max file handle + 1 for select */  fm = udp_socket.sd;  if (tuntap->fd > fm)    fm = tuntap->fd;  current = time (NULL);  /* initialize inactivity timeout */  if (options->inactivity_timeout)    event_timeout_init (&inactivity_interval, current, options->inactivity_timeout);  /* initialize pings */  if (options->ping_send_timeout)    {      ping_buf = alloc_buf (BUF_SIZE (&frame));      event_timeout_init (&ping_send_interval, 0, options->ping_send_timeout);    }  if (options->ping_rec_timeout)    event_timeout_init (&ping_rec_interval, current, options->ping_rec_timeout);#if defined(USE_CRYPTO) && defined(USE_SSL)#ifdef USE_PTHREAD  if (tls_multi && TLS_THREAD_SOCKET (&thread_parms) > fm)    fm = TLS_THREAD_SOCKET (&thread_parms);#else  /* initialize tmp_int optimization that limits the number of times we call     tls_multi_process in the main event loop */  interval_init (&tmp_int, TLS_MULTI_HORIZON, TLS_MULTI_REFRESH);#endif#endif  /* select() needs this */  ++fm;  /* this flag is true for buffers coming from the TLS background thread */  free_to_udp = false;  while (true)    {      int stat = 0;      struct timeval *tv = NULL;      struct timeval timeval;      /* initialize select() timeout */      timeval.tv_sec = 0;      timeval.tv_usec = 0;#ifdef USE_CRYPTO      /* flush current packet-id to file once per 60	 seconds if --replay-persist was specified */      packet_id_persist_flush (pid_persist, current, 60);#endif#if defined(USE_CRYPTO) && defined(USE_SSL) && !defined(USE_PTHREAD)      /*       * In TLS mode, let TLS level respond to any control-channel packets which were       * received, or prepare any packets for transmission.       *       * tmp_int is purely an optimization that allows us to call tls_multi_process       * less frequently when there's not much traffic on the control-channel.       *       */      if (tls_multi)	{	  interval_t wakeup = 0;	  if (interval_test (&tmp_int, current))	    {	      if (tls_multi_process (tls_multi, &to_udp, &to_udp_addr, &udp_socket, &wakeup, current))		interval_action (&tmp_int, current);	      interval_future_trigger (&tmp_int, wakeup, current);	      free_to_udp = false;	    }	  interval_schedule_wakeup (&tmp_int, current, &wakeup);	  if (wakeup)	    {	      timeval.tv_sec = wakeup;	      timeval.tv_usec = 0;	      tv = &timeval;	    }	}#endif      current = time (NULL);      /*       * Should we exit due to inactivity timeout?       */      if (options->inactivity_timeout)	{	  if (event_timeout_trigger (&inactivity_interval, current)) 	    {	      msg (M_INFO, "Inactivity timeout (--inactive), exiting");	      signal_received = 0;	      break;	    }	  event_timeout_wakeup (&inactivity_interval, current, &timeval);	  tv = &timeval;	}      /*       * Should we exit or restart due to ping (or other authenticated packet)       * not received in n seconds?       */      if (options->ping_rec_timeout &&	  (!options->ping_timer_remote || addr_defined (&udp_socket_addr->actual)))	{	  if (event_timeout_trigger (&ping_rec_interval, current)) 	    {	      switch (options->ping_rec_timeout_action)		{		case PING_EXIT:		  msg (M_INFO, "Inactivity timeout (--ping-exit), exiting");		  signal_received = 0;		  break;		case PING_RESTART:		  msg (M_INFO, "Inactivity timeout (--ping-restart), restarting");		  signal_received = SIGUSR1;		  break;		default:		  ASSERT (0);		}	      break;	    }	  event_timeout_wakeup (&ping_rec_interval, current, &timeval);	  tv = &timeval;	}#ifdef FRAGMENT_ENABLE      /*       * Should we deliver a datagram fragment to remote?       */      if (fragment)	{	  /* OS MTU Hint? */	  if (udp_socket.mtu_changed && ipv4_tun)	    {	      frame_adjust_path_mtu (&frame_fragment, udp_socket.mtu, ipv6_udp_transport);	      udp_socket.mtu_changed = false;	    }	  if (!to_udp.len	      && fragment_outgoing_defined (fragment)	      && fragment_ready_to_send (fragment, &buf, &frame_fragment))	    {#ifdef USE_CRYPTO#ifdef USE_SSL	      /*	       * If TLS mode, get the key we will use to encrypt	       * the packet.	       */	      mutex_lock (L_TLS);	      if (tls_multi)		tls_pre_encrypt (tls_multi, &buf, &crypto_options);#endif	      /*	       * Encrypt the packet and write an optional	       * HMAC authentication record.	       */	      openvpn_encrypt (&buf, encrypt_buf, &crypto_options, &frame, current);#endif	      /*	       * Get the address we will be sending the packet to.	       */	      udp_socket_get_outgoing_addr (&buf, &udp_socket,					    &to_udp_addr);#ifdef USE_CRYPTO#ifdef USE_SSL	      /*	       * In TLS mode, prepend the appropriate one-byte opcode	       * to the packet which identifies it as a data channel	       * packet and gives the low-permutation version of	       * the key-id to the recipient so it knows which	       * decrypt key to use.	       */	      if (tls_multi)		tls_post_encrypt (tls_multi, &buf);	      mutex_unlock (L_TLS);#endif#endif	      to_udp = buf;	      free_to_udp = false;	    }	  if (!to_tun.len && fragment_icmp (fragment, &buf))	    {	      to_tun = buf;	    }	  fragment_housekeeping (fragment, &frame_fragment, current, &timeval);	  tv = &timeval;	}#endif /* FRAGMENT_ENABLE */      /*       * Should we ping the remote?       */      if (options->ping_send_timeout)	{	  if (!to_udp.len)	    {	      if (event_timeout_trigger (&ping_send_interval, current))		{		  buf = ping_buf;		  ASSERT (buf_init (&buf, EXTRA_FRAME (&frame)));		  ASSERT (buf_safe (&buf, MAX_RW_SIZE_TUN (&frame)));