OpenVPN
manage.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #ifdef ENABLE_MANAGEMENT
31 
32 #include "error.h"
33 #include "fdmisc.h"
34 #include "options.h"
35 #include "sig.h"
36 #include "event.h"
37 #include "otime.h"
38 #include "integer.h"
39 #include "misc.h"
40 #include "ssl.h"
41 #include "common.h"
42 #include "manage.h"
43 #include "openvpn.h"
44 #include "dco.h"
45 
46 #include "memdbg.h"
47 
48 #ifdef ENABLE_PKCS11
49 #include "pkcs11.h"
50 #endif
51 
52 #define MANAGEMENT_ECHO_PULL_INFO 0
53 
54 #if MANAGEMENT_ECHO_PULL_INFO
55 #define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
56 #else
57 #define MANAGEMENT_ECHO_FLAGS 0
58 #endif
59 
60 /* tag for blank username/password */
61 static const char blank_up[] = "[[BLANK]]";
62 
63 struct management *management; /* GLOBAL */
64 
65 /* static forward declarations */
66 static void man_output_standalone(struct management *man, volatile int *signal_received);
67 
68 static void man_reset_client_socket(struct management *man, const bool exiting);
69 
70 static void
71 man_help(void)
72 {
73  msg(M_CLIENT, "Management Interface for %s", title_string);
74  msg(M_CLIENT, "Commands:");
75  msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
76  msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
77  msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
78  msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
79  msg(M_CLIENT, "exit|quit : Close management session.");
80  msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
81  msg(M_CLIENT, "help : Print this message.");
82  msg(M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
83  msg(M_CLIENT, " release current hold and start tunnel.");
84  msg(M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
85  msg(M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
86  msg(M_CLIENT, "load-stats : Show global server load stats.");
87  msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
88  msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
89  msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
90  msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
91  msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
92  msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
93  msg(M_CLIENT, " where action is reply string.");
94  msg(M_CLIENT, "net : (Windows only) Show network info and routing table.");
95  msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
96  msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
97  msg(M_CLIENT, "remote-entry-count : Get number of available remote entries.");
98  msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all.");
99  msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info.");
100  msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
101 #ifdef ENABLE_PKCS11
102  msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
103  msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
104 #endif
105  msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
106  msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
107  msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
108  msg(M_CLIENT, " text R and optional client reason text CR");
109  msg(M_CLIENT, "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
110  msg(M_CLIENT, " to the client and wait for a final client-auth/client-deny");
111  msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
112  msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
113  msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
114  msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
115  msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
116  msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
117  msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
118  msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
119  msg(M_CLIENT, "signal s : Send signal s to daemon,");
120  msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
121  msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
122  msg(M_CLIENT, "status [n] : Show current daemon status info using format #n.");
123  msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
124  msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
125  msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
126  msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
127  msg(M_CLIENT, "END");
128 }
129 
130 static const char *
131 man_state_name(const int state)
132 {
133  switch (state)
134  {
136  return "INITIAL";
137 
139  return "CONNECTING";
140 
141  case OPENVPN_STATE_WAIT:
142  return "WAIT";
143 
144  case OPENVPN_STATE_AUTH:
145  return "AUTH";
146 
148  return "GET_CONFIG";
149 
151  return "ASSIGN_IP";
152 
154  return "ADD_ROUTES";
155 
157  return "CONNECTED";
158 
160  return "RECONNECTING";
161 
163  return "EXITING";
164 
166  return "RESOLVE";
167 
169  return "TCP_CONNECT";
170 
172  return "AUTH_PENDING";
173 
174  default:
175  return "?";
176  }
177 }
178 
179 static void
181 {
182  msg(M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
184  if (man->persist.special_state_msg)
185  {
186  msg(M_CLIENT, "%s", man->persist.special_state_msg);
187  }
188 }
189 
190 static inline bool
192 {
193  return man->settings.up.defined && !man->connection.password_verified;
194 }
195 
196 static void
197 man_check_password(struct management *man, const char *line)
198 {
199  if (man_password_needed(man))
200  {
201  /* This comparison is not fixed time but since strlen(time) is based on
202  * the attacker choice, it should not give any indication of the real
203  * password length, use + 1 to include the NUL byte that terminates the
204  * string*/
205  size_t compare_len = min_uint(strlen(line) + 1, sizeof(man->settings.up.password));
206  if (memcmp_constant_time(line, man->settings.up.password, compare_len) == 0)
207  {
208  man->connection.password_verified = true;
209  msg(M_CLIENT, "SUCCESS: password is correct");
210  man_welcome(man);
211  }
212  else
213  {
214  man->connection.password_verified = false;
215  msg(M_CLIENT, "ERROR: bad password");
217  {
218  msg(M_WARN, "MAN: client connection rejected after %d failed password attempts",
220  man->connection.halt = true;
221  }
222  }
223  }
224 }
225 
226 static void
228 {
229  if (socket_defined(man->connection.sd_cli))
230  {
232  {
234  }
235  else
236  {
238  }
239  }
240 }
241 
242 static void
244 {
245  if (management_connected(man))
246  {
247  man_update_io_state(man);
248  if (!man->persist.standalone_disabled)
249  {
250  volatile int signal_received = 0;
251  man_output_standalone(man, &signal_received);
252  }
253  }
254 }
255 
256 static void
257 man_output_list_push_str(struct management *man, const char *str)
258 {
259  if (management_connected(man) && str)
260  {
261  buffer_list_push(man->connection.out, str);
262  }
263 }
264 
265 static void
266 man_output_list_push(struct management *man, const char *str)
267 {
268  man_output_list_push_str(man, str);
270 }
271 
272 static void
273 man_prompt(struct management *man)
274 {
275  if (man_password_needed(man))
276  {
277  man_output_list_push(man, "ENTER PASSWORD:");
278  }
279 #if 0 /* should we use prompt? */
280  else
281  {
282  man_output_list_push(man, ">");
283  }
284 #endif
285 }
286 
287 
292 static void
293 report_command_status(const bool status, const char *command)
294 {
295  if (status)
296  {
297  msg(M_CLIENT, "SUCCESS: %s command succeeded", command);
298  }
299  else
300  {
301  msg(M_CLIENT, "ERROR: %s command failed", command);
302  }
303 }
304 
305 static void
307 {
308 #if UNIX_SOCK_SUPPORT
310  {
311  socket_delete_unix(&man->settings.local_unix);
312  }
313 #endif
314 }
315 
316 static void
318 {
319 #ifndef _WIN32
320  /*
321  * Windows doesn't need this because the ne32 event is permanently
322  * enabled at struct management scope.
323  */
324  if (man->persist.callback.delete_event)
325  {
326  (*man->persist.callback.delete_event)(man->persist.callback.arg, sd);
327  }
328 #endif
330 }
331 
332 static void
333 virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
334 {
335  struct management *man = (struct management *) arg;
336  static int recursive_level = 0; /* GLOBAL */
337 
338 #define AF_DID_PUSH (1<<0)
339 #define AF_DID_RESET (1<<1)
340  if (recursive_level < 5) /* limit recursion */
341  {
342  struct gc_arena gc = gc_new();
343  struct log_entry e;
344  const char *out = NULL;
345  unsigned int action_flags = 0;
346 
347  ++recursive_level;
348 
349  CLEAR(e);
350  update_time();
351  e.timestamp = now;
352  e.u.msg_flags = flags;
353  e.string = str;
354 
355  if (flags & M_FATAL)
356  {
357  man->persist.standalone_disabled = false;
358  }
359 
360  if (flags != M_CLIENT)
361  {
362  log_history_add(man->persist.log, &e);
363  }
364 
365  if (!man_password_needed(man))
366  {
367  if (flags == M_CLIENT)
368  {
369  out = log_entry_print(&e, LOG_PRINT_CRLF, &gc);
370  }
371  else if (man->connection.log_realtime)
372  {
376  | LOG_PRINT_CRLF, &gc);
377  }
378  if (out)
379  {
380  man_output_list_push_str(man, out);
381  action_flags |= AF_DID_PUSH;
382  }
383  if (flags & M_FATAL)
384  {
386  if (out)
387  {
388  man_output_list_push_str(man, out);
389  action_flags |= (AF_DID_PUSH|AF_DID_RESET);
390  }
391  }
392  }
393 
394  gc_free(&gc);
395 
396  if (action_flags & AF_DID_PUSH)
397  {
399  }
400  if (action_flags & AF_DID_RESET)
401  {
402  man_reset_client_socket(man, true);
403  }
404 
405  --recursive_level;
406  }
407  else
408  {
409  /* cannot use msg here */
410  printf("virtual_output: message to management interface "
411  "dropped due to recursion: <%s>\n", str);
412  }
413 }
414 
415 /*
416  * Given a signal, return the signal with possible remapping applied,
417  * or -1 if the signal should be ignored.
418  */
419 static int
420 man_mod_signal(const struct management *man, const int signum)
421 {
422  const unsigned int flags = man->settings.mansig;
423  int s = signum;
424  if (s == SIGUSR1)
425  {
426  if (flags & MANSIG_MAP_USR1_TO_HUP)
427  {
428  s = SIGHUP;
429  }
430  if (flags & MANSIG_MAP_USR1_TO_TERM)
431  {
432  s = SIGTERM;
433  }
434  }
435  if (flags & MANSIG_IGNORE_USR1_HUP)
436  {
437  if (s == SIGHUP || s == SIGUSR1)
438  {
439  s = -1;
440  }
441  }
442  return s;
443 }
444 
445 static void
446 man_signal(struct management *man, const char *name)
447 {
448  const int sig = parse_signal(name);
449  if (sig >= 0)
450  {
451  const int sig_mod = man_mod_signal(man, sig);
452  if (sig_mod >= 0)
453  {
454  throw_signal(sig_mod);
455  msg(M_CLIENT, "SUCCESS: signal %s thrown", signal_name(sig_mod, true));
456  }
457  else
458  {
459  msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
460  if (man->persist.special_state_msg)
461  {
462  msg(M_CLIENT, "%s", man->persist.special_state_msg);
463  }
464  }
465  }
466  else
467  {
468  msg(M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
469  }
470 }
471 
472 static void
473 man_command_unsupported(const char *command_name)
474 {
475  msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode", command_name);
476 }
477 
478 static void
479 man_status(struct management *man, const int version, struct status_output *so)
480 {
481  if (man->persist.callback.status)
482  {
483  (*man->persist.callback.status)(man->persist.callback.arg, version, so);
484  }
485  else
486  {
487  man_command_unsupported("status");
488  }
489 }
490 
491 static void
492 man_bytecount(struct management *man, const int update_seconds)
493 {
494  if (update_seconds > 0)
495  {
496  man->connection.bytecount_update_seconds = update_seconds;
499  now);
500  }
501  else
502  {
505  }
506  msg(M_CLIENT, "SUCCESS: bytecount interval changed");
507 }
508 
509 static void
511  counter_type dco_read_bytes,
512  counter_type dco_write_bytes)
513 {
514  char in[32];
515  char out[32];
516 
517  /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
518  openvpn_snprintf(in, sizeof(in), counter_format, man->persist.bytes_in + dco_read_bytes);
519  openvpn_snprintf(out, sizeof(out), counter_format, man->persist.bytes_out + dco_write_bytes);
520  msg(M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
521 }
522 
523 void
525  const counter_type *bytes_out_total,
526  struct man_def_auth_context *mdac)
527 {
528  char in[32];
529  char out[32];
530  /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
531  openvpn_snprintf(in, sizeof(in), counter_format, *bytes_in_total);
532  openvpn_snprintf(out, sizeof(out), counter_format, *bytes_out_total);
533  msg(M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
534  mdac->bytecount_last_update = now;
535 }
536 
537 static void
538 man_kill(struct management *man, const char *victim)
539 {
540  struct gc_arena gc = gc_new();
541 
543  {
544  struct buffer buf;
545  char p1[128];
546  char p2[128];
547  int n_killed;
548 
549  buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1);
550  buf_parse(&buf, ':', p1, sizeof(p1));
551  buf_parse(&buf, ':', p2, sizeof(p2));
552 
553  if (strlen(p1) && strlen(p2))
554  {
555  /* IP:port specified */
556  bool status;
557  const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL);
558  if (status)
559  {
560  const int port = atoi(p2);
561  if (port > 0 && port < 65536)
562  {
563  n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port);
564  if (n_killed > 0)
565  {
566  msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed",
567  n_killed,
568  print_in_addr_t(addr, 0, &gc),
569  port);
570  }
571  else
572  {
573  msg(M_CLIENT, "ERROR: client at address %s:%d not found",
574  print_in_addr_t(addr, 0, &gc),
575  port);
576  }
577  }
578  else
579  {
580  msg(M_CLIENT, "ERROR: port number is out of range: %s", p2);
581  }
582  }
583  else
584  {
585  msg(M_CLIENT, "ERROR: error parsing IP address: %s", p1);
586  }
587  }
588  else if (strlen(p1))
589  {
590  /* common name specified */
591  n_killed = (*man->persist.callback.kill_by_cn)(man->persist.callback.arg, p1);
592  if (n_killed > 0)
593  {
594  msg(M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
595  }
596  else
597  {
598  msg(M_CLIENT, "ERROR: common name '%s' not found", p1);
599  }
600  }
601  else
602  {
603  msg(M_CLIENT, "ERROR: kill parse");
604  }
605  }
606  else
607  {
608  man_command_unsupported("kill");
609  }
610 
611  gc_free(&gc);
612 }
613 
614 /*
615  * General-purpose history command handler
616  * for the log and echo commands.
617  */
618 static void
620  const char *parm,
621  const char *type,
622  struct log_history *log,
623  bool *realtime,
624  const unsigned int lep_flags)
625 {
626  struct gc_arena gc = gc_new();
627  int n = 0;
628 
629  if (streq(parm, "on"))
630  {
631  *realtime = true;
632  msg(M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
633  }
634  else if (streq(parm, "off"))
635  {
636  *realtime = false;
637  msg(M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
638  }
639  else if (streq(parm, "all") || (n = atoi(parm)) > 0)
640  {
641  const int size = log_history_size(log);
642  const int start = (n ? n : size) - 1;
643  int i;
644 
645  for (i = start; i >= 0; --i)
646  {
647  const struct log_entry *e = log_history_ref(log, i);
648  if (e)
649  {
650  const char *out = log_entry_print(e, lep_flags, &gc);
652  }
653  }
654  msg(M_CLIENT, "END");
655  }
656  else
657  {
658  msg(M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
659  }
660 
661  gc_free(&gc);
662 }
663 
664 static void
665 man_log(struct management *man, const char *parm)
666 {
667  man_history(man,
668  parm,
669  "log",
670  man->persist.log,
671  &man->connection.log_realtime,
673 }
674 
675 static void
676 man_echo(struct management *man, const char *parm)
677 {
678  man_history(man,
679  parm,
680  "echo",
681  man->persist.echo,
684 }
685 
686 static void
687 man_state(struct management *man, const char *parm)
688 {
689  man_history(man,
690  parm,
691  "state",
692  man->persist.state,
696 }
697 
698 static void
700 {
701  switch (man->connection.up_query_mode)
702  {
703  case UP_QUERY_USER_PASS:
704  if (!strlen(man->connection.up_query.username))
705  {
706  break;
707  }
708 
709  /* fall through */
710  case UP_QUERY_PASS:
711  case UP_QUERY_NEED_OK:
712  case UP_QUERY_NEED_STR:
713  if (strlen(man->connection.up_query.password))
714  {
715  man->connection.up_query.defined = true;
716  }
717  break;
718 
719  case UP_QUERY_DISABLED:
720  man->connection.up_query.defined = false;
721  break;
722 
723  default:
724  ASSERT(0);
725  }
726 }
727 
728 static void
730  const char *type,
731  const char *string,
732  const bool needed,
733  const char *prompt,
734  char *dest,
735  int len)
736 {
737  if (needed)
738  {
740  if (streq(man->connection.up_query_type, type))
741  {
742  strncpynt(dest, string, len);
743  man_up_finalize(man);
744  msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
745  type,
746  prompt);
747  }
748  else
749  {
750  msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
751  prompt,
752  type,
754  }
755  }
756  else
757  {
758  msg(M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
759  }
760 }
761 
762 static void
763 man_query_username(struct management *man, const char *type, const char *string)
764 {
765  const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
766  ) && man->connection.up_query_type);
767  man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
768 }
769 
770 static void
771 man_query_password(struct management *man, const char *type, const char *string)
772 {
773  const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
775  ) && man->connection.up_query_type);
776  if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
777  {
778  string = blank_up;
779  }
780  man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
781 }
782 
783 static void
784 man_query_need_ok(struct management *man, const char *type, const char *action)
785 {
786  const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
787  man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
788 }
789 
790 static void
791 man_query_need_str(struct management *man, const char *type, const char *action)
792 {
793  const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
794  man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
795 }
796 
797 static void
799 {
800  ssl_purge_auth(false);
801  (void)ssl_clean_auth_token();
802  msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
803 }
804 
805 static void
806 man_net(struct management *man)
807 {
808  if (man->persist.callback.show_net)
809  {
811  }
812  else
813  {
815  }
816 }
817 
818 static void
819 man_send_cc_message(struct management *man, const char *message, const char *parameters)
820 {
822  {
823  const bool status = (*man->persist.callback.send_cc_message)
824  (man->persist.callback.arg, message, parameters);
825  if (status)
826  {
827  msg(M_CLIENT, "SUCCESS: command succeeded");
828  }
829  else
830  {
831  msg(M_CLIENT, "ERROR: command failed");
832  }
833  }
834  else
835  {
836  man_command_unsupported("cr-repsonse");
837  }
838 }
839 #ifdef ENABLE_PKCS11
840 
841 static void
842 man_pkcs11_id_count(struct management *man)
843 {
844  msg(M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count());
845 }
846 
847 static void
848 man_pkcs11_id_get(struct management *man, const int index)
849 {
850  char *id = NULL;
851  char *base64 = NULL;
852 
853  if (pkcs11_management_id_get(index, &id, &base64))
854  {
855  msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
856  }
857  else
858  {
859  msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
860  }
861 
862  free(id);
863  free(base64);
864 }
865 
866 #endif /* ifdef ENABLE_PKCS11 */
867 
868 static void
870 {
871  unsigned count = 0;
873  {
874  count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
875  msg(M_CLIENT, "%u", count);
876  msg(M_CLIENT, "END");
877  }
878  else
879  {
880  man_command_unsupported("remote-entry-count");
881  }
882 }
883 
884 static void
885 man_remote_entry_get(struct management *man, const char *p1, const char *p2)
886 {
887  ASSERT(p1);
888 
891  {
892  unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
893 
894  unsigned int from = (unsigned int) atoi(p1);
895  unsigned int to = p2 ? (unsigned int) atoi(p2) : from + 1;
896 
897  if (!strcmp(p1, "all"))
898  {
899  from = 0;
900  to = count;
901  }
902 
903  for (unsigned int i = from; i < min_uint(to, count); i++)
904  {
905  char *remote = NULL;
906  bool res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
907  if (res && remote)
908  {
909  msg(M_CLIENT, "%u,%s", i, remote);
910  }
911  free(remote);
912  }
913  msg(M_CLIENT, "END");
914  }
915  else
916  {
917  man_command_unsupported("remote-entry-get");
918  }
919 }
920 
921 static void
922 man_hold(struct management *man, const char *cmd)
923 {
924  if (cmd)
925  {
926  if (streq(cmd, "on"))
927  {
928  man->settings.flags |= MF_HOLD;
929  msg(M_CLIENT, "SUCCESS: hold flag set to ON");
930  }
931  else if (streq(cmd, "off"))
932  {
933  man->settings.flags &= ~MF_HOLD;
934  msg(M_CLIENT, "SUCCESS: hold flag set to OFF");
935  }
936  else if (streq(cmd, "release"))
937  {
938  man->persist.hold_release = true;
939  msg(M_CLIENT, "SUCCESS: hold release succeeded");
940  }
941  else
942  {
943  msg(M_CLIENT, "ERROR: bad hold command parameter");
944  }
945  }
946  else
947  {
948  msg(M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
949  }
950 }
951 
952 #define IER_RESET 0
953 #define IER_NEW 1
954 
955 static void
956 in_extra_reset(struct man_connection *mc, const int mode)
957 {
958  if (mc)
959  {
960  if (mode != IER_NEW)
961  {
962  mc->in_extra_cmd = IEC_UNDEF;
963  mc->in_extra_cid = 0;
964  mc->in_extra_kid = 0;
965  }
966  if (mc->in_extra)
967  {
969  mc->in_extra = NULL;
970  }
971  if (mode == IER_NEW)
972  {
973  mc->in_extra = buffer_list_new();
974  }
975  }
976 }
977 
978 static void
980 {
981  switch (man->connection.in_extra_cmd)
982  {
983  case IEC_CLIENT_AUTH:
984  if (man->persist.callback.client_auth)
985  {
986  const bool status = (*man->persist.callback.client_auth)
987  (man->persist.callback.arg,
990  true,
991  NULL,
992  NULL,
993  man->connection.in_extra);
994  man->connection.in_extra = NULL;
995  report_command_status(status, "client-auth");
996  }
997  else
998  {
999  man_command_unsupported("client-auth");
1000  }
1001  break;
1002 
1003  case IEC_PK_SIGN:
1007  man->connection.in_extra = NULL;
1008  return;
1009 
1010  case IEC_CERTIFICATE:
1014  man->connection.in_extra = NULL;
1015  return;
1016  }
1018 }
1019 
1020 static bool
1021 parse_cid(const char *str, unsigned long *cid)
1022 {
1023  if (sscanf(str, "%lu", cid) == 1)
1024  {
1025  return true;
1026  }
1027  else
1028  {
1029  msg(M_CLIENT, "ERROR: cannot parse CID");
1030  return false;
1031  }
1032 }
1033 
1034 static bool
1035 parse_uint(const char *str, const char *what, unsigned int *uint)
1036 {
1037  if (sscanf(str, "%u", uint) == 1)
1038  {
1039  return true;
1040  }
1041  else
1042  {
1043  msg(M_CLIENT, "ERROR: cannot parse %s", what);
1044  return false;
1045  }
1046 }
1047 
1058 static void
1059 man_client_pending_auth(struct management *man, const char *cid_str,
1060  const char *kid_str, const char *extra,
1061  const char *timeout_str)
1062 {
1063  unsigned long cid = 0;
1064  unsigned int kid = 0;
1065  unsigned int timeout = 0;
1066  if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid)
1067  && parse_uint(timeout_str, "TIMEOUT", &timeout))
1068  {
1070  {
1071  bool ret = (*man->persist.callback.client_pending_auth)
1072  (man->persist.callback.arg, cid, kid, extra, timeout);
1073 
1074  if (ret)
1075  {
1076  msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded");
1077  }
1078  else
1079  {
1080  msg(M_CLIENT, "ERROR: client-pending-auth command failed."
1081  " Extra parameter might be too long");
1082  }
1083  }
1084  else
1085  {
1086  man_command_unsupported("client-pending-auth");
1087  }
1088  }
1089 }
1090 
1091 static void
1092 man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
1093 {
1094  struct man_connection *mc = &man->connection;
1095  mc->in_extra_cid = 0;
1096  mc->in_extra_kid = 0;
1097  if (parse_cid(cid_str, &mc->in_extra_cid)
1098  && parse_uint(kid_str, "KID", &mc->in_extra_kid))
1099  {
1101  in_extra_reset(mc, IER_NEW);
1102  if (!extra)
1103  {
1104  in_extra_dispatch(man);
1105  }
1106  }
1107 }
1108 
1109 static void
1110 man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
1111 {
1112  unsigned long cid = 0;
1113  unsigned int kid = 0;
1114  if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid))
1115  {
1116  if (man->persist.callback.client_auth)
1117  {
1118  const bool status = (*man->persist.callback.client_auth)
1119  (man->persist.callback.arg,
1120  cid,
1121  kid,
1122  false,
1123  reason,
1124  client_reason,
1125  NULL);
1126  if (status)
1127  {
1128  msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
1129  }
1130  else
1131  {
1132  msg(M_CLIENT, "ERROR: client-deny command failed");
1133  }
1134  }
1135  else
1136  {
1137  man_command_unsupported("client-deny");
1138  }
1139  }
1140 }
1141 
1142 static void
1143 man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
1144 {
1145  unsigned long cid = 0;
1146  if (parse_cid(cid_str, &cid))
1147  {
1148  if (man->persist.callback.kill_by_cid)
1149  {
1150  const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
1151  if (status)
1152  {
1153  msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
1154  }
1155  else
1156  {
1157  msg(M_CLIENT, "ERROR: client-kill command failed");
1158  }
1159  }
1160  else
1161  {
1162  man_command_unsupported("client-kill");
1163  }
1164  }
1165 }
1166 
1167 static void
1169 {
1170  if (man->persist.callback.n_clients)
1171  {
1172  const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1173  msg(M_CLIENT, "SUCCESS: nclients=%d", nclients);
1174  }
1175  else
1176  {
1177  man_command_unsupported("nclients");
1178  }
1179 }
1180 
1181 static void
1182 man_env_filter(struct management *man, const int level)
1183 {
1184  man->connection.env_filter_level = level;
1185  msg(M_CLIENT, "SUCCESS: env_filter_level=%d", level);
1186 }
1187 
1188 
1189 static void
1190 man_pk_sig(struct management *man, const char *cmd_name)
1191 {
1192  struct man_connection *mc = &man->connection;
1193  if (mc->ext_key_state == EKS_SOLICIT)
1194  {
1195  mc->ext_key_state = EKS_INPUT;
1196  mc->in_extra_cmd = IEC_PK_SIGN;
1197  in_extra_reset(mc, IER_NEW);
1198  }
1199  else
1200  {
1201  msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
1202  }
1203 }
1204 
1205 static void
1207 {
1208  struct man_connection *mc = &man->connection;
1209  if (mc->ext_cert_state == EKS_SOLICIT)
1210  {
1211  mc->ext_cert_state = EKS_INPUT;
1213  in_extra_reset(mc, IER_NEW);
1214  }
1215  else
1216  {
1217  msg(M_CLIENT, "ERROR: The certificate command is not currently available");
1218  }
1219 }
1220 
1221 static void
1223 {
1226  int nclients = 0;
1227 
1228  if (man->persist.callback.n_clients)
1229  {
1230  nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1231  }
1232  msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
1233  nclients,
1236 }
1237 
1238 #define MN_AT_LEAST (1<<0)
1239 
1248 static bool
1249 man_need(struct management *man, const char **p, const int n, unsigned int flags)
1250 {
1251  int i;
1252  ASSERT(p[0]);
1253  for (i = 1; i <= n; ++i)
1254  {
1255  if (!p[i])
1256  {
1257  msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
1258  p[0],
1259  (flags & MN_AT_LEAST) ? "at least " : "",
1260  n,
1261  n > 1 ? "s" : "");
1262  return false;
1263  }
1264  }
1265  return true;
1266 }
1267 
1268 static void
1269 man_proxy(struct management *man, const char **p)
1270 {
1271  if (man->persist.callback.proxy_cmd)
1272  {
1273  const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p);
1274  report_command_status(status, "proxy");
1275  }
1276  else
1277  {
1278  man_command_unsupported("proxy");
1279  }
1280 }
1281 
1282 static void
1283 man_remote(struct management *man, const char **p)
1284 {
1285  if (man->persist.callback.remote_cmd)
1286  {
1287  const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
1288  report_command_status(status, "remote");
1289  }
1290  else
1291  {
1292  man_command_unsupported("remote");
1293  }
1294 }
1295 
1296 #ifdef TARGET_ANDROID
1297 static void
1298 man_network_change(struct management *man, bool samenetwork)
1299 {
1300  /* Called to signal the OpenVPN that the network configuration has changed and
1301  * the client should either float or reconnect.
1302  *
1303  * The code is currently only used by ics-openvpn
1304  */
1305  if (man->persist.callback.network_change)
1306  {
1307  int fd = (*man->persist.callback.network_change)
1308  (man->persist.callback.arg, samenetwork);
1309  man->connection.fdtosend = fd;
1310  msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
1311  if (fd == -2)
1312  {
1313  man_signal(man, "SIGUSR1");
1314  }
1315  }
1316 }
1317 #endif
1318 
1319 static void
1320 set_client_version(struct management *man, const char *version)
1321 {
1322  if (version)
1323  {
1324  man->connection.client_version = atoi(version);
1325  }
1326 }
1327 
1328 static void
1329 man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
1330 {
1331  struct gc_arena gc = gc_new();
1332 
1333  ASSERT(p[0]);
1334  if (streq(p[0], "exit") || streq(p[0], "quit"))
1335  {
1336  man->connection.halt = true;
1337  goto done;
1338  }
1339  else if (streq(p[0], "help"))
1340  {
1341  man_help();
1342  }
1343  else if (streq(p[0], "version") && p[1])
1344  {
1345  set_client_version(man, p[1]);
1346  }
1347  else if (streq(p[0], "version"))
1348  {
1349  msg(M_CLIENT, "OpenVPN Version: %s", title_string);
1350  msg(M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1351  msg(M_CLIENT, "END");
1352  }
1353  else if (streq(p[0], "pid"))
1354  {
1355  msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
1356  }
1357  else if (streq(p[0], "nclients"))
1358  {
1359  man_client_n_clients(man);
1360  }
1361  else if (streq(p[0], "env-filter"))
1362  {
1363  int level = 0;
1364  if (p[1])
1365  {
1366  level = atoi(p[1]);
1367  }
1368  man_env_filter(man, level);
1369  }
1370  else if (streq(p[0], "signal"))
1371  {
1372  if (man_need(man, p, 1, 0))
1373  {
1374  man_signal(man, p[1]);
1375  }
1376  }
1377 #ifdef TARGET_ANDROID
1378  else if (streq(p[0], "network-change"))
1379  {
1380  bool samenetwork = false;
1381  if (p[1] && streq(p[1], "samenetwork"))
1382  {
1383  samenetwork = true;
1384  }
1385 
1386  man_network_change(man, samenetwork);
1387  }
1388 #endif
1389  else if (streq(p[0], "load-stats"))
1390  {
1391  man_load_stats(man);
1392  }
1393  else if (streq(p[0], "status"))
1394  {
1395  int version = 0;
1396  if (p[1])
1397  {
1398  version = atoi(p[1]);
1399  }
1400  man_status(man, version, so);
1401  }
1402  else if (streq(p[0], "kill"))
1403  {
1404  if (man_need(man, p, 1, 0))
1405  {
1406  man_kill(man, p[1]);
1407  }
1408  }
1409  else if (streq(p[0], "verb"))
1410  {
1411  if (p[1])
1412  {
1413  const int level = atoi(p[1]);
1414  if (set_debug_level(level, 0))
1415  {
1416  msg(M_CLIENT, "SUCCESS: verb level changed");
1417  }
1418  else
1419  {
1420  msg(M_CLIENT, "ERROR: verb level is out of range");
1421  }
1422  }
1423  else
1424  {
1425  msg(M_CLIENT, "SUCCESS: verb=%d", get_debug_level());
1426  }
1427  }
1428  else if (streq(p[0], "mute"))
1429  {
1430  if (p[1])
1431  {
1432  const int level = atoi(p[1]);
1433  if (set_mute_cutoff(level))
1434  {
1435  msg(M_CLIENT, "SUCCESS: mute level changed");
1436  }
1437  else
1438  {
1439  msg(M_CLIENT, "ERROR: mute level is out of range");
1440  }
1441  }
1442  else
1443  {
1444  msg(M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff());
1445  }
1446  }
1447  else if (streq(p[0], "auth-retry"))
1448  {
1449  if (p[1])
1450  {
1451  if (auth_retry_set(M_CLIENT, p[1]))
1452  {
1453  msg(M_CLIENT, "SUCCESS: auth-retry parameter changed");
1454  }
1455  else
1456  {
1457  msg(M_CLIENT, "ERROR: bad auth-retry parameter");
1458  }
1459  }
1460  else
1461  {
1462  msg(M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print());
1463  }
1464  }
1465  else if (streq(p[0], "state"))
1466  {
1467  if (!p[1])
1468  {
1469  man_state(man, "1");
1470  }
1471  else
1472  {
1473  if (p[1])
1474  {
1475  man_state(man, p[1]);
1476  }
1477  if (p[2])
1478  {
1479  man_state(man, p[2]);
1480  }
1481  }
1482  }
1483  else if (streq(p[0], "log"))
1484  {
1485  if (man_need(man, p, 1, MN_AT_LEAST))
1486  {
1487  if (p[1])
1488  {
1489  man_log(man, p[1]);
1490  }
1491  if (p[2])
1492  {
1493  man_log(man, p[2]);
1494  }
1495  }
1496  }
1497  else if (streq(p[0], "echo"))
1498  {
1499  if (man_need(man, p, 1, MN_AT_LEAST))
1500  {
1501  if (p[1])
1502  {
1503  man_echo(man, p[1]);
1504  }
1505  if (p[2])
1506  {
1507  man_echo(man, p[2]);
1508  }
1509  }
1510  }
1511  else if (streq(p[0], "username"))
1512  {
1513  if (man_need(man, p, 2, 0))
1514  {
1515  man_query_username(man, p[1], p[2]);
1516  }
1517  }
1518  else if (streq(p[0], "password"))
1519  {
1520  if (man_need(man, p, 2, 0))
1521  {
1522  man_query_password(man, p[1], p[2]);
1523  }
1524  }
1525  else if (streq(p[0], "forget-passwords"))
1526  {
1527  man_forget_passwords(man);
1528  }
1529  else if (streq(p[0], "needok"))
1530  {
1531  if (man_need(man, p, 2, 0))
1532  {
1533  man_query_need_ok(man, p[1], p[2]);
1534  }
1535  }
1536  else if (streq(p[0], "needstr"))
1537  {
1538  if (man_need(man, p, 2, 0))
1539  {
1540  man_query_need_str(man, p[1], p[2]);
1541  }
1542  }
1543  else if (streq(p[0], "cr-response"))
1544  {
1545  if (man_need(man, p, 1, 0))
1546  {
1547  man_send_cc_message(man, "CR_RESPONSE", p[1]);
1548  }
1549  }
1550  else if (streq(p[0], "net"))
1551  {
1552  man_net(man);
1553  }
1554  else if (streq(p[0], "hold"))
1555  {
1556  man_hold(man, p[1]);
1557  }
1558  else if (streq(p[0], "bytecount"))
1559  {
1560  if (man_need(man, p, 1, 0))
1561  {
1562  man_bytecount(man, atoi(p[1]));
1563  }
1564  }
1565  else if (streq(p[0], "client-kill"))
1566  {
1567  if (man_need(man, p, 1, MN_AT_LEAST))
1568  {
1569  man_client_kill(man, p[1], p[2]);
1570  }
1571  }
1572  else if (streq(p[0], "client-deny"))
1573  {
1574  if (man_need(man, p, 3, MN_AT_LEAST))
1575  {
1576  man_client_deny(man, p[1], p[2], p[3], p[4]);
1577  }
1578  }
1579  else if (streq(p[0], "client-auth-nt"))
1580  {
1581  if (man_need(man, p, 2, 0))
1582  {
1583  man_client_auth(man, p[1], p[2], false);
1584  }
1585  }
1586  else if (streq(p[0], "client-auth"))
1587  {
1588  if (man_need(man, p, 2, 0))
1589  {
1590  man_client_auth(man, p[1], p[2], true);
1591  }
1592  }
1593  else if (streq(p[0], "client-pending-auth"))
1594  {
1595  if (man_need(man, p, 4, 0))
1596  {
1597  man_client_pending_auth(man, p[1], p[2], p[3], p[4]);
1598  }
1599  }
1600  else if (streq(p[0], "rsa-sig"))
1601  {
1602  man_pk_sig(man, "rsa-sig");
1603  }
1604  else if (streq(p[0], "pk-sig"))
1605  {
1606  man_pk_sig(man, "pk-sig");
1607  }
1608  else if (streq(p[0], "certificate"))
1609  {
1610  man_certificate(man);
1611  }
1612 #ifdef ENABLE_PKCS11
1613  else if (streq(p[0], "pkcs11-id-count"))
1614  {
1615  man_pkcs11_id_count(man);
1616  }
1617  else if (streq(p[0], "pkcs11-id-get"))
1618  {
1619  if (man_need(man, p, 1, 0))
1620  {
1621  man_pkcs11_id_get(man, atoi(p[1]));
1622  }
1623  }
1624 #endif
1625  else if (streq(p[0], "remote-entry-count"))
1626  {
1628  }
1629  else if (streq(p[0], "remote-entry-get"))
1630  {
1631  if (man_need(man, p, 1, MN_AT_LEAST))
1632  {
1633  man_remote_entry_get(man, p[1], p[2]);
1634  }
1635  }
1636  else if (streq(p[0], "proxy"))
1637  {
1638  if (man_need(man, p, 1, MN_AT_LEAST))
1639  {
1640  man_proxy(man, p);
1641  }
1642  }
1643  else if (streq(p[0], "remote"))
1644  {
1645  if (man_need(man, p, 1, MN_AT_LEAST))
1646  {
1647  man_remote(man, p);
1648  }
1649  }
1650 #if 1
1651  else if (streq(p[0], "test"))
1652  {
1653  if (man_need(man, p, 1, 0))
1654  {
1655  int i;
1656  const int n = atoi(p[1]);
1657  for (i = 0; i < n; ++i)
1658  {
1659  msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
1660  }
1661  }
1662  }
1663 #endif
1664  else
1665  {
1666  msg(M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
1667  }
1668 
1669 done:
1670  gc_free(&gc);
1671 }
1672 
1673 #ifdef _WIN32
1674 
1675 static void
1677 {
1678  switch (man->connection.state)
1679  {
1680  case MS_LISTEN:
1681  net_event_win32_start(&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1682  break;
1683 
1684  case MS_CC_WAIT_READ:
1685  case MS_CC_WAIT_WRITE:
1686  net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
1687  break;
1688 
1689  default:
1690  ASSERT(0);
1691  }
1692 }
1693 
1694 static void
1696 {
1698 }
1699 
1700 #endif /* ifdef _WIN32 */
1701 
1702 static void
1704 {
1705  man->connection.state_realtime = false;
1706  man->connection.log_realtime = false;
1707  man->connection.echo_realtime = false;
1709  man->connection.password_verified = false;
1710  man->connection.password_tries = 0;
1711  man->connection.halt = false;
1713 }
1714 
1715 static void
1716 man_new_connection_post(struct management *man, const char *description)
1717 {
1718  struct gc_arena gc = gc_new();
1719 
1721 
1723 
1724 #ifdef _WIN32
1725  man_start_ne32(man);
1726 #endif
1727 
1728 #if UNIX_SOCK_SUPPORT
1729  if (man->settings.flags & MF_UNIX_SOCK)
1730  {
1731  msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1732  description,
1733  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1734  }
1735  else
1736 #endif
1737  if (man->settings.flags & MF_CONNECT_AS_CLIENT)
1738  {
1739  msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1740  description,
1741  print_sockaddr(man->settings.local->ai_addr, &gc));
1742  }
1743  else
1744  {
1745  struct sockaddr_storage addr;
1746  socklen_t addrlen = sizeof(addr);
1747  if (!getpeername(man->connection.sd_cli, (struct sockaddr *) &addr,
1748  &addrlen))
1749  {
1750  msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
1751  print_sockaddr((struct sockaddr *) &addr, &gc));
1752  }
1753  else
1754  {
1755  msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, "unknown");
1756  }
1757  }
1758 
1760 
1761  if (!man_password_needed(man))
1762  {
1763  man_welcome(man);
1764  }
1765  man_prompt(man);
1766  man_update_io_state(man);
1767 
1768  gc_free(&gc);
1769 }
1770 
1771 #if UNIX_SOCK_SUPPORT
1772 static bool
1773 man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd)
1774 {
1775  if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1776  {
1777  static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
1778  int uid, gid;
1779  if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid))
1780  {
1781  if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1782  {
1783  msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1784  err_prefix, uid, man->settings.client_uid);
1785  return false;
1786  }
1787  if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1788  {
1789  msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1790  err_prefix, gid, man->settings.client_gid);
1791  return false;
1792  }
1793  }
1794  else
1795  {
1796  msg(D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1797  return false;
1798  }
1799  }
1800  return true;
1801 }
1802 #endif /* if UNIX_SOCK_SUPPORT */
1803 
1804 static void
1806 {
1807  struct link_socket_actual act;
1808  CLEAR(act);
1809 
1810  /*
1811  * Accept the TCP or Unix domain socket client.
1812  */
1813 #if UNIX_SOCK_SUPPORT
1814  if (man->settings.flags & MF_UNIX_SOCK)
1815  {
1816  struct sockaddr_un remote;
1817  man->connection.sd_cli = socket_accept_unix(man->connection.sd_top, &remote);
1818  if (!man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1819  {
1820  sd_close(&man->connection.sd_cli);
1821  }
1822  }
1823  else
1824 #endif
1825  man->connection.sd_cli = socket_do_accept(man->connection.sd_top, &act, false);
1826 
1827  if (socket_defined(man->connection.sd_cli))
1828  {
1829  man->connection.remote = act.dest;
1830 
1831  if (socket_defined(man->connection.sd_top))
1832  {
1833 #ifdef _WIN32
1834  man_stop_ne32(man);
1835 #endif
1836  }
1837 
1838  man_new_connection_post(man, "Client connected from");
1839  }
1840 }
1841 
1842 static void
1844 {
1845  struct gc_arena gc = gc_new();
1846 
1847  /*
1848  * Initialize state
1849  */
1850  man->connection.state = MS_LISTEN;
1852 
1853  /*
1854  * Initialize listening socket
1855  */
1856  if (man->connection.sd_top == SOCKET_UNDEFINED)
1857  {
1858 #if UNIX_SOCK_SUPPORT
1859  if (man->settings.flags & MF_UNIX_SOCK)
1860  {
1862  man->connection.sd_top = create_socket_unix();
1863  socket_bind_unix(man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1864  }
1865  else
1866 #endif
1867  {
1870  man->settings.local->ai_family, "MANAGEMENT", false);
1871  }
1872 
1873  /*
1874  * Listen for connection
1875  */
1876  if (listen(man->connection.sd_top, 1))
1877  {
1878  msg(M_ERR, "MANAGEMENT: listen() failed");
1879  }
1880 
1881  /*
1882  * Set misc socket properties
1883  */
1885 
1886 #if UNIX_SOCK_SUPPORT
1887  if (man->settings.flags & MF_UNIX_SOCK)
1888  {
1889  msg(D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1890  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1891  }
1892  else
1893 #endif
1894  {
1895  const struct sockaddr *man_addr = man->settings.local->ai_addr;
1896  struct sockaddr_storage addr;
1897  socklen_t addrlen = sizeof(addr);
1898  if (!getsockname(man->connection.sd_top, (struct sockaddr *) &addr, &addrlen))
1899  {
1900  man_addr = (struct sockaddr *) &addr;
1901  }
1902  else
1903  {
1904  msg(M_WARN|M_ERRNO,
1905  "Failed to get the management socket address");
1906  }
1907  msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1908  print_sockaddr(man_addr, &gc));
1909  }
1910  }
1911 
1912 #ifdef _WIN32
1913  man_start_ne32(man);
1914 #endif
1915 
1916  gc_free(&gc);
1917 }
1918 
1919 static void
1921 {
1922  struct gc_arena gc = gc_new();
1923  int status;
1924  int signal_received = 0;
1925 
1926  /*
1927  * Initialize state
1928  */
1929  man->connection.state = MS_INITIAL;
1931 
1932 #if UNIX_SOCK_SUPPORT
1933  if (man->settings.flags & MF_UNIX_SOCK)
1934  {
1935  man->connection.sd_cli = create_socket_unix();
1936  status = socket_connect_unix(man->connection.sd_cli, &man->settings.local_unix);
1937  if (!status && !man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1938  {
1939 #ifdef EPERM
1940  status = EPERM;
1941 #else
1942  status = 1;
1943 #endif
1944  sd_close(&man->connection.sd_cli);
1945  }
1946  }
1947  else
1948 #endif
1949  {
1952  man->settings.local->ai_addr,
1953  5,
1954  &signal_received);
1955  }
1956 
1957  if (signal_received)
1958  {
1959  throw_signal(signal_received);
1960  goto done;
1961  }
1962 
1963  if (status)
1964  {
1965 #if UNIX_SOCK_SUPPORT
1966  if (man->settings.flags & MF_UNIX_SOCK)
1967  {
1969  "MANAGEMENT: connect to unix socket %s failed",
1970  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1971  }
1972  else
1973 #endif
1975  "MANAGEMENT: connect to %s failed",
1976  print_sockaddr(man->settings.local->ai_addr, &gc));
1977  throw_signal_soft(SIGTERM, "management-connect-failed");
1978  goto done;
1979  }
1980 
1981  man_new_connection_post(man, "Connected to management server at");
1982 
1983 done:
1984  gc_free(&gc);
1985 }
1986 
1987 static void
1988 man_reset_client_socket(struct management *man, const bool exiting)
1989 {
1990  if (socket_defined(man->connection.sd_cli))
1991  {
1992 #ifdef _WIN32
1993  man_stop_ne32(man);
1994 #endif
1995  man_close_socket(man, man->connection.sd_cli);
1997  man->connection.state = MS_INITIAL;
2001  msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected");
2002  }
2003  if (!exiting)
2004  {
2005  if (man->settings.flags & MF_FORGET_DISCONNECT)
2006  {
2007  ssl_purge_auth(false);
2008  (void)ssl_clean_auth_token();
2009  }
2010 
2011  if (man->settings.flags & MF_SIGNAL)
2012  {
2013  int mysig = man_mod_signal(man, SIGUSR1);
2014  if (mysig >= 0)
2015  {
2016  msg(D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
2017  throw_signal_soft(mysig, "management-disconnect");
2018  }
2019  }
2020 
2021  if (man->settings.flags & MF_CONNECT_AS_CLIENT)
2022  {
2023  msg(D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
2024  throw_signal_soft(SIGTERM, "management-exit");
2025  }
2026  else
2027  {
2028  man_listen(man);
2029  }
2030  }
2031 }
2032 
2033 static void
2034 man_process_command(struct management *man, const char *line)
2035 {
2036  struct gc_arena gc = gc_new();
2037  struct status_output *so;
2038  int nparms;
2039  char *parms[MAX_PARMS+1];
2040 
2041  CLEAR(parms);
2042  so = status_open(NULL, 0, -1, &man->persist.vout, 0);
2044 
2045  if (man_password_needed(man))
2046  {
2047  man_check_password(man, line);
2048  }
2049  else
2050  {
2051  nparms = parse_line(line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
2052  if (parms[0] && streq(parms[0], "password"))
2053  {
2054  msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
2055  }
2056  else if (!streq(line, "load-stats"))
2057  {
2058  msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
2059  }
2060 
2061 #if 0
2062  /* DEBUGGING -- print args */
2063  {
2064  int i;
2065  for (i = 0; i < nparms; ++i)
2066  {
2067  msg(M_INFO, "[%d] '%s'", i, parms[i]);
2068  }
2069  }
2070 #endif
2071 
2072  if (nparms > 0)
2073  {
2074  man_dispatch_command(man, so, (const char **)parms, nparms);
2075  }
2076  }
2077 
2078  CLEAR(parms);
2079  status_close(so);
2080  gc_free(&gc);
2081 }
2082 
2083 static bool
2084 man_io_error(struct management *man, const char *prefix)
2085 {
2086  bool crt_error = false;
2087  int err = openvpn_errno_maybe_crt(&crt_error);
2088 
2089  if (!ignore_sys_error(err, crt_error))
2090  {
2091  struct gc_arena gc = gc_new();
2092  msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix,
2093  strerror(err));
2094  gc_free(&gc);
2095  return true;
2096  }
2097  else
2098  {
2099  return false;
2100  }
2101 }
2102 
2103 #ifdef TARGET_ANDROID
2104 static ssize_t
2105 man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd)
2106 {
2107  struct msghdr msg = { 0 };
2108  struct iovec iov[1];
2109 
2110  union {
2111  struct cmsghdr cm;
2112  char control[CMSG_SPACE(sizeof(int))];
2113  } control_un;
2114  struct cmsghdr *cmptr;
2115 
2116  msg.msg_control = control_un.control;
2117  msg.msg_controllen = sizeof(control_un.control);
2118 
2119  cmptr = CMSG_FIRSTHDR(&msg);
2120  cmptr->cmsg_len = CMSG_LEN(sizeof(int));
2121  cmptr->cmsg_level = SOL_SOCKET;
2122  cmptr->cmsg_type = SCM_RIGHTS;
2123  *((int *) CMSG_DATA(cmptr)) = sendfd;
2124 
2125  msg.msg_name = NULL;
2126  msg.msg_namelen = 0;
2127 
2128  iov[0].iov_base = ptr;
2129  iov[0].iov_len = nbytes;
2130  msg.msg_iov = iov;
2131  msg.msg_iovlen = 1;
2132 
2133  return (sendmsg(fd, &msg, flags));
2134 }
2135 
2136 static ssize_t
2137 man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd)
2138 {
2139  struct msghdr msghdr = { 0 };
2140  struct iovec iov[1];
2141  ssize_t n;
2142 
2143  union {
2144  struct cmsghdr cm;
2145  char control[CMSG_SPACE(sizeof(int))];
2146  } control_un;
2147  struct cmsghdr *cmptr;
2148 
2149  msghdr.msg_control = control_un.control;
2150  msghdr.msg_controllen = sizeof(control_un.control);
2151 
2152  msghdr.msg_name = NULL;
2153  msghdr.msg_namelen = 0;
2154 
2155  iov[0].iov_base = ptr;
2156  iov[0].iov_len = nbytes;
2157  msghdr.msg_iov = iov;
2158  msghdr.msg_iovlen = 1;
2159 
2160  if ( (n = recvmsg(fd, &msghdr, flags)) <= 0)
2161  {
2162  return (n);
2163  }
2164 
2165  if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL
2166  && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
2167  {
2168  if (cmptr->cmsg_level != SOL_SOCKET)
2169  {
2170  msg(M_ERR, "control level != SOL_SOCKET");
2171  }
2172  if (cmptr->cmsg_type != SCM_RIGHTS)
2173  {
2174  msg(M_ERR, "control type != SCM_RIGHTS");
2175  }
2176  *recvfd = *((int *) CMSG_DATA(cmptr));
2177  }
2178  else
2179  {
2180  *recvfd = -1; /* descriptor was not passed */
2181 
2182  }
2183  return (n);
2184 }
2185 
2186 /*
2187  * The android control method will instruct the GUI part of openvpn to do
2188  * the route/ifconfig/open tun command. See doc/android.txt for details.
2189  */
2190 bool
2191 management_android_control(struct management *man, const char *command, const char *msg)
2192 {
2193  if (!man)
2194  {
2195  msg(M_FATAL, "Required management interface not available.");
2196  }
2197  struct user_pass up;
2198  CLEAR(up);
2199  strncpy(up.username, msg, sizeof(up.username)-1);
2200 
2201  management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK, (void *) 0);
2202  return strcmp("ok", up.password)==0;
2203 }
2204 
2205 /*
2206  * In Android 4.4 it is not possible to open a new tun device and then close the
2207  * old tun device without breaking the whole VPNService stack until the device
2208  * is rebooted. This management method ask the UI what method should be taken to
2209  * ensure the optimal solution for the situation
2210  */
2211 int
2212 managment_android_persisttun_action(struct management *man)
2213 {
2214  struct user_pass up;
2215  CLEAR(up);
2216  strcpy(up.username, "tunmethod");
2217  management_query_user_pass(management, &up, "PERSIST_TUN_ACTION",
2218  GET_USER_PASS_NEED_OK, (void *) 0);
2219  if (!strcmp("NOACTION", up.password))
2220  {
2221  return ANDROID_KEEP_OLD_TUN;
2222  }
2223  else if (!strcmp("OPEN_BEFORE_CLOSE", up.password))
2224  {
2225  return ANDROID_OPEN_BEFORE_CLOSE;
2226  }
2227  else
2228  {
2229  msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
2230  }
2231 
2232  ASSERT(0);
2233  return ANDROID_OPEN_BEFORE_CLOSE;
2234 }
2235 
2236 
2237 #endif /* ifdef TARGET_ANDROID */
2238 
2239 static int
2240 man_read(struct management *man)
2241 {
2242  /*
2243  * read command line from socket
2244  */
2245  unsigned char buf[256];
2246  int len = 0;
2247 
2248 #ifdef TARGET_ANDROID
2249  int fd;
2250  len = man_recv_with_fd(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL, &fd);
2251  if (fd >= 0)
2252  {
2253  man->connection.lastfdreceived = fd;
2254  }
2255 #else /* ifdef TARGET_ANDROID */
2256  len = recv(man->connection.sd_cli, (void *)buf, sizeof(buf), MSG_NOSIGNAL);
2257 #endif
2258 
2259  if (len == 0)
2260  {
2261  man_reset_client_socket(man, false);
2262  }
2263  else if (len > 0)
2264  {
2265  bool processed_command = false;
2266 
2267  ASSERT(len <= (int) sizeof(buf));
2268  command_line_add(man->connection.in, buf, len);
2269 
2270  /*
2271  * Reset output object
2272  */
2274 
2275  /*
2276  * process command line if complete
2277  */
2278  {
2279  const char *line;
2280  while ((line = command_line_get(man->connection.in)))
2281  {
2282  if (man->connection.in_extra)
2283  {
2284  if (!strcmp(line, "END"))
2285  {
2286  in_extra_dispatch(man);
2287  }
2288  else
2289  {
2290  buffer_list_push(man->connection.in_extra, line);
2291  }
2292  }
2293  else
2294  {
2295  man_process_command(man, (char *) line);
2296  }
2297  if (man->connection.halt)
2298  {
2299  break;
2300  }
2302  processed_command = true;
2303  }
2304  }
2305 
2306  /*
2307  * Reset output state to MS_CC_WAIT_(READ|WRITE)
2308  */
2309  if (man->connection.halt)
2310  {
2311  man_reset_client_socket(man, false);
2312  len = 0;
2313  }
2314  else
2315  {
2316  if (processed_command)
2317  {
2318  man_prompt(man);
2319  }
2320  man_update_io_state(man);
2321  }
2322  }
2323  else /* len < 0 */
2324  {
2325  if (man_io_error(man, "recv"))
2326  {
2327  man_reset_client_socket(man, false);
2328  }
2329  }
2330  return len;
2331 }
2332 
2333 static int
2334 man_write(struct management *man)
2335 {
2336  const int size_hint = 1024;
2337  int sent = 0;
2338  const struct buffer *buf;
2339 
2340  buffer_list_aggregate(man->connection.out, size_hint);
2341  buf = buffer_list_peek(man->connection.out);
2342  if (buf && BLEN(buf))
2343  {
2344  const int len = min_int(size_hint, BLEN(buf));
2345 #ifdef TARGET_ANDROID
2346  if (man->connection.fdtosend > 0)
2347  {
2348  sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL, man->connection.fdtosend);
2349  man->connection.fdtosend = -1;
2350  }
2351  else
2352 #endif
2353  sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL);
2354  if (sent >= 0)
2355  {
2356  buffer_list_advance(man->connection.out, sent);
2357  }
2358  else if (sent < 0)
2359  {
2360  if (man_io_error(man, "send"))
2361  {
2362  man_reset_client_socket(man, false);
2363  }
2364  }
2365  }
2366 
2367  /*
2368  * Reset output state to MS_CC_WAIT_(READ|WRITE)
2369  */
2370  man_update_io_state(man);
2371 
2372  return sent;
2373 }
2374 
2375 static void
2377 {
2378  CLEAR(*mc);
2379 
2380  /* set initial state */
2381  mc->state = MS_INITIAL;
2382 
2383  /* clear socket descriptors */
2384  mc->sd_top = SOCKET_UNDEFINED;
2385  mc->sd_cli = SOCKET_UNDEFINED;
2386 }
2387 
2388 static void
2390  const int log_history_cache,
2391  const int echo_buffer_size,
2392  const int state_buffer_size)
2393 {
2394  struct man_persist *mp = &man->persist;
2395  if (!mp->defined)
2396  {
2397  CLEAR(*mp);
2398 
2399  /* initialize log history store */
2400  mp->log = log_history_init(log_history_cache);
2401 
2402  /*
2403  * Initialize virtual output object, so that functions
2404  * which write to a virtual_output object can be redirected
2405  * here to the management object.
2406  */
2408  mp->vout.arg = man;
2409  mp->vout.flags_default = M_CLIENT;
2411 
2412  /*
2413  * Initialize --echo list
2414  */
2415  man->persist.echo = log_history_init(echo_buffer_size);
2416 
2417  /*
2418  * Initialize --state list
2419  */
2420  man->persist.state = log_history_init(state_buffer_size);
2421 
2422  mp->defined = true;
2423  }
2424 }
2425 
2426 static void
2428 {
2429  if (mp->log)
2430  {
2431  msg_set_virtual_output(NULL);
2432  log_history_close(mp->log);
2433  }
2434 
2435  if (mp->echo)
2436  {
2437  log_history_close(mp->echo);
2438  }
2439 
2440  if (mp->state)
2441  {
2442  log_history_close(mp->state);
2443  }
2444 
2445  CLEAR(*mp);
2446 }
2447 
2448 static void
2450  const char *addr,
2451  const char *port,
2452  const char *pass_file,
2453  const char *client_user,
2454  const char *client_group,
2455  const int log_history_cache,
2456  const int echo_buffer_size,
2457  const int state_buffer_size,
2458  const int remap_sigusr1,
2459  const unsigned int flags)
2460 {
2461  if (!ms->defined)
2462  {
2463  CLEAR(*ms);
2464 
2465  ms->flags = flags;
2466  ms->client_uid = -1;
2467  ms->client_gid = -1;
2468 
2469  /*
2470  * Get username/password
2471  */
2472  if (pass_file)
2473  {
2474  get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
2475  }
2476 
2477  /*
2478  * lookup client UID/GID if specified
2479  */
2480  if (client_user)
2481  {
2482  struct platform_state_user s;
2483  platform_user_get(client_user, &s);
2485  msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
2486  ASSERT(ms->client_uid >= 0);
2487  }
2488  if (client_group)
2489  {
2490  struct platform_state_group s;
2491  platform_group_get(client_group, &s);
2493  msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
2494  ASSERT(ms->client_gid >= 0);
2495  }
2496 
2497 #if UNIX_SOCK_SUPPORT
2498  if (ms->flags & MF_UNIX_SOCK)
2499  {
2500  sockaddr_unix_init(&ms->local_unix, addr);
2501  }
2502  else
2503 #endif
2504  {
2505 
2506  /*
2507  * Run management over tunnel, or
2508  * separate channel?
2509  */
2510  if (streq(addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
2511  {
2512  ms->management_over_tunnel = true;
2513  }
2514  else
2515  {
2516  int status;
2518 
2519  if (!(flags & MF_CONNECT_AS_CLIENT))
2520  {
2521  resolve_flags |= GETADDR_PASSIVE;
2522  }
2523 
2524  status = openvpn_getaddrinfo(resolve_flags, addr, port, 0,
2525  NULL, AF_UNSPEC, &ms->local);
2526  ASSERT(status==0);
2527  }
2528  }
2529 
2530  /*
2531  * Log history and echo buffer may need to be resized
2532  */
2533  ms->log_history_cache = log_history_cache;
2534  ms->echo_buffer_size = echo_buffer_size;
2535  ms->state_buffer_size = state_buffer_size;
2536 
2537  /*
2538  * Set remap sigusr1 flags
2539  */
2540  if (remap_sigusr1 == SIGHUP)
2541  {
2543  }
2544  else if (remap_sigusr1 == SIGTERM)
2545  {
2547  }
2548 
2549  ms->defined = true;
2550  }
2551 }
2552 
2553 static void
2555 {
2556  if (ms->local)
2557  {
2558  freeaddrinfo(ms->local);
2559  }
2560  CLEAR(*ms);
2561 }
2562 
2563 
2564 static void
2566 {
2567  if (man->connection.state == MS_INITIAL)
2568  {
2569 #ifdef _WIN32
2570  /*
2571  * This object is a sort of TCP/IP helper
2572  * for Windows.
2573  */
2575 #endif
2576 
2577  /*
2578  * Allocate helper objects for command line input and
2579  * command output from/to the socket.
2580  */
2581  man->connection.in = command_line_new(1024);
2582  man->connection.out = buffer_list_new();
2583 
2584  /*
2585  * Initialize event set for standalone usage, when we are
2586  * running outside of the primary event loop.
2587  */
2588  {
2589  int maxevents = 1;
2590  man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST);
2591  }
2592 
2593  man->connection.client_version = 1; /* default version */
2594 
2595  /*
2596  * Listen/connect socket
2597  */
2598  if (man->settings.flags & MF_CONNECT_AS_CLIENT)
2599  {
2600  man_connect(man);
2601  }
2602  else
2603  {
2604  man_listen(man);
2605  }
2606  }
2607 }
2608 
2609 static void
2611 {
2612  struct man_connection *mc = &man->connection;
2613 
2614  event_free(mc->es);
2615 #ifdef _WIN32
2617 #endif
2618  if (socket_defined(mc->sd_top))
2619  {
2620  man_close_socket(man, mc->sd_top);
2622  }
2623  if (socket_defined(mc->sd_cli))
2624  {
2625  man_close_socket(man, mc->sd_cli);
2626  }
2627 
2628  command_line_free(mc->in);
2629  buffer_list_free(mc->out);
2630 
2632 
2636 }
2637 
2638 struct management *
2640 {
2641  struct management *man;
2642  ALLOC_OBJ_CLEAR(man, struct management);
2643 
2644  man_persist_init(man,
2648 
2650 
2651  return man;
2652 }
2653 
2654 bool
2656  const char *addr,
2657  const char *port,
2658  const char *pass_file,
2659  const char *client_user,
2660  const char *client_group,
2661  const int log_history_cache,
2662  const int echo_buffer_size,
2663  const int state_buffer_size,
2664  const int remap_sigusr1,
2665  const unsigned int flags)
2666 {
2667  bool ret = false;
2668 
2669  /*
2670  * Save the settings only if they have not
2671  * been saved before.
2672  */
2674  addr,
2675  port,
2676  pass_file,
2677  client_user,
2678  client_group,
2679  log_history_cache,
2680  echo_buffer_size,
2681  state_buffer_size,
2682  remap_sigusr1,
2683  flags);
2684 
2685  /*
2686  * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2687  * but may be changed here. Ditto for echo and state buffers.
2688  */
2692 
2693  /*
2694  * If connection object is uninitialized and we are not doing
2695  * over-the-tunnel management, then open (listening) connection.
2696  */
2697  if (man->connection.state == MS_INITIAL)
2698  {
2699  if (!man->settings.management_over_tunnel)
2700  {
2701  man_connection_init(man);
2702  ret = true;
2703  }
2704  }
2705 
2706  return ret;
2707 }
2708 
2709 void
2711 {
2712  man_output_list_push_finalize(man); /* flush output queue */
2713  man_connection_close(man);
2715  man_persist_close(&man->persist);
2716  free(man);
2717 }
2718 
2719 void
2721  const struct management_callback *cb)
2722 {
2723  man->persist.standalone_disabled = true;
2724  man->persist.callback = *cb;
2725 }
2726 
2727 void
2729 {
2730  man->persist.standalone_disabled = false;
2731  man->persist.hold_release = false;
2732  CLEAR(man->persist.callback);
2733  man_output_list_push_finalize(man); /* flush output queue */
2734 }
2735 
2736 void
2738  const int state,
2739  const char *detail,
2740  const in_addr_t *tun_local_ip,
2741  const struct in6_addr *tun_local_ip6,
2742  const struct openvpn_sockaddr *local,
2743  const struct openvpn_sockaddr *remote)
2744 {
2745  if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2746  {
2747  struct gc_arena gc = gc_new();
2748  struct log_entry e;
2749  const char *out = NULL;
2750 
2751  update_time();
2752  CLEAR(e);
2753  e.timestamp = now;
2754  e.u.state = state;
2755  e.string = detail;
2756  if (tun_local_ip)
2757  {
2758  e.local_ip = *tun_local_ip;
2759  }
2760  if (tun_local_ip6)
2761  {
2762  e.local_ip6 = *tun_local_ip6;
2763  }
2764  if (local)
2765  {
2766  e.local_sock = *local;
2767  }
2768  if (remote)
2769  {
2770  e.remote_sock = *remote;
2771  }
2772 
2773  log_history_add(man->persist.state, &e);
2774 
2775  if (man->connection.state_realtime)
2776  {
2779  | LOG_PRINT_STATE
2782  | LOG_PRINT_CRLF
2783  | LOG_ECHO_TO_LOG, &gc);
2784  }
2785 
2786  if (out)
2787  {
2788  man_output_list_push(man, out);
2789  }
2790 
2791  gc_free(&gc);
2792  }
2793 }
2794 
2795 static bool
2796 env_filter_match(const char *env_str, const int env_filter_level)
2797 {
2798  static const char *env_names[] = {
2799  "username=",
2800  "password=",
2801  "X509_0_CN=",
2802  "tls_serial_",
2803  "untrusted_ip=",
2804  "ifconfig_local=",
2805  "ifconfig_netmask=",
2806  "daemon_start_time=",
2807  "daemon_pid=",
2808  "dev=",
2809  "ifconfig_pool_remote_ip=",
2810  "ifconfig_pool_netmask=",
2811  "time_duration=",
2812  "bytes_sent=",
2813  "bytes_received=",
2814  "session_id=",
2815  "session_state="
2816  };
2817 
2818  if (env_filter_level == 0)
2819  {
2820  return true;
2821  }
2822  else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5))
2823  {
2824  return true;
2825  }
2826  else if (env_filter_level <= 2)
2827  {
2828  size_t i;
2829  for (i = 0; i < SIZE(env_names); ++i)
2830  {
2831  const char *en = env_names[i];
2832  const size_t len = strlen(en);
2833  if (!strncmp(env_str, en, len))
2834  {
2835  return true;
2836  }
2837  }
2838  return false;
2839  }
2840  return false;
2841 }
2842 
2843 static void
2844 man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
2845 {
2846  if (es)
2847  {
2848  struct env_item *e;
2849  for (e = es->list; e != NULL; e = e->next)
2850  {
2851  if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level)))
2852  {
2853  msg(M_CLIENT, ">%s:ENV,%s", prefix, e->string);
2854  }
2855  }
2856  }
2857  if (tail)
2858  {
2859  msg(M_CLIENT, ">%s:ENV,END", prefix);
2860  }
2861 }
2862 
2863 static void
2864 man_output_extra_env(struct management *man, const char *prefix)
2865 {
2866  struct gc_arena gc = gc_new();
2867  struct env_set *es = env_set_create(&gc);
2868  if (man->persist.callback.n_clients)
2869  {
2870  const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
2871  setenv_int(es, "n_clients", nclients);
2872  }
2873  man_output_env(es, false, man->connection.env_filter_level, prefix);
2874  gc_free(&gc);
2875 }
2876 
2877 void
2878 management_up_down(struct management *man, const char *updown, const struct env_set *es)
2879 {
2880  if (man->settings.flags & MF_UP_DOWN)
2881  {
2882  msg(M_CLIENT, ">UPDOWN:%s", updown);
2883  man_output_env(es, true, 0, "UPDOWN");
2884  }
2885 }
2886 
2887 void
2888 management_notify(struct management *man, const char *severity, const char *type, const char *text)
2889 {
2890  msg(M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
2891 }
2892 
2893 void
2894 management_notify_generic(struct management *man, const char *str)
2895 {
2896  msg(M_CLIENT, "%s", str);
2897 }
2898 
2899 static void
2901 {
2902  char line[256];
2903  if (man->persist.callback.get_peer_info)
2904  {
2905  const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
2906  if (peer_info)
2907  {
2908  struct buffer buf;
2909  buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
2910  while (buf_parse(&buf, '\n', line, sizeof(line)))
2911  {
2912  chomp(line);
2913  if (validate_peer_info_line(line))
2914  {
2915  msg(M_CLIENT, ">CLIENT:ENV,%s", line);
2916  }
2917  else
2918  {
2919  msg(D_MANAGEMENT, "validation failed on peer_info line received from client");
2920  }
2921  }
2922  }
2923  }
2924 }
2925 
2926 void
2928  const unsigned int mda_key_id,
2929  struct man_def_auth_context *mdac,
2930  const struct env_set *es)
2931 {
2932  if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2933  {
2934  const char *mode = "CONNECT";
2935  if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2936  {
2937  mode = "REAUTH";
2938  }
2939  msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2940  man_output_extra_env(management, "CLIENT");
2942  {
2944  }
2946  mdac->flags |= DAF_INITIAL_AUTH;
2947  }
2948 }
2949 
2950 void
2952  const struct man_def_auth_context *mdac,
2953  const struct env_set *es,
2954  const char *response)
2955 {
2956  struct gc_arena gc;
2957  if (management)
2958  {
2959  gc = gc_new();
2960 
2961  msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s",
2962  mdac->cid, mda_key_id, response);
2963  man_output_extra_env(management, "CLIENT");
2965  {
2967  }
2969  gc_free(&gc);
2970  }
2971 }
2972 
2973 void
2975  struct man_def_auth_context *mdac,
2976  const struct env_set *es)
2977 {
2979  msg(M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
2980  man_output_extra_env(management, "CLIENT");
2982 }
2983 
2984 void
2986  struct man_def_auth_context *mdac,
2987  const struct env_set *es)
2988 {
2989  if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2990  {
2991  msg(M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
2993  mdac->flags |= DAF_CONNECTION_CLOSED;
2994  }
2995 }
2996 
2997 void
2999  struct man_def_auth_context *mdac,
3000  const struct mroute_addr *addr,
3001  const bool primary)
3002 {
3003  struct gc_arena gc = gc_new();
3004  if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
3005  {
3006  msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
3007  mdac->cid,
3008  mroute_addr_print_ex(addr, MAPF_SUBNET, &gc),
3009  BOOL_CAST(primary));
3010  }
3011  gc_free(&gc);
3012 }
3013 
3014 void
3015 management_echo(struct management *man, const char *string, const bool pull)
3016 {
3017  if (man->persist.echo)
3018  {
3019  struct gc_arena gc = gc_new();
3020  struct log_entry e;
3021  const char *out = NULL;
3022 
3023  update_time();
3024  CLEAR(e);
3025  e.timestamp = now;
3026  e.string = string;
3027  e.u.intval = BOOL_CAST(pull);
3028 
3029  log_history_add(man->persist.echo, &e);
3030 
3031  if (man->connection.echo_realtime)
3032  {
3034  }
3035 
3036  if (out)
3037  {
3038  man_output_list_push(man, out);
3039  }
3040 
3041  gc_free(&gc);
3042  }
3043 }
3044 
3045 void
3046 management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
3047 {
3048  /*
3049  * If we are running management over the tunnel,
3050  * this is the place to initialize the connection.
3051  */
3053  && man->connection.state == MS_INITIAL)
3054  {
3055  /* listen on our local TUN/TAP IP address */
3056  struct in_addr ia;
3057  int ret;
3058  char buf[INET_ADDRSTRLEN];
3059 
3060  ia.s_addr = htonl(tun_local_ip);
3061  inet_ntop(AF_INET, &ia, buf, sizeof(buf));
3062  ret = openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL,
3063  AF_INET, &man->settings.local);
3064  ASSERT(ret==0);
3065  man_connection_init(man);
3066  }
3067 
3068 }
3069 
3070 void
3072 {
3074  {
3075  man_connection_close(man);
3076  }
3077 }
3078 
3079 void
3080 management_auth_failure(struct management *man, const char *type, const char *reason)
3081 {
3082  if (reason)
3083  {
3084  msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason);
3085  }
3086  else
3087  {
3088  msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
3089  }
3090 }
3091 
3092 void
3093 management_auth_token(struct management *man, const char *token)
3094 {
3095  msg(M_CLIENT, ">PASSWORD:Auth-Token:%s", token);
3096 }
3097 
3098 static inline bool
3099 man_persist_state(unsigned int *persistent, const int n)
3100 {
3101  if (persistent)
3102  {
3103  if (*persistent == (unsigned int)n)
3104  {
3105  return false;
3106  }
3107  *persistent = n;
3108  }
3109  return true;
3110 }
3111 
3112 #ifdef _WIN32
3113 
3114 void
3116  struct event_set *es,
3117  void *arg,
3118  unsigned int *persistent)
3119 {
3120  if (man->connection.state != MS_INITIAL)
3121  {
3124 
3125  switch (man->connection.state)
3126  {
3127  case MS_LISTEN:
3128  if (man_persist_state(persistent, 1))
3129  {
3130  event_ctl(es, ev, EVENT_READ, arg);
3131  }
3132  break;
3133 
3134  case MS_CC_WAIT_READ:
3135  if (man_persist_state(persistent, 2))
3136  {
3137  event_ctl(es, ev, EVENT_READ, arg);
3138  }
3139  break;
3140 
3141  case MS_CC_WAIT_WRITE:
3142  if (man_persist_state(persistent, 3))
3143  {
3144  event_ctl(es, ev, EVENT_READ|EVENT_WRITE, arg);
3145  }
3146  break;
3147 
3148  default:
3149  ASSERT(0);
3150  }
3151  }
3152 }
3153 
3154 void
3156 {
3157  if (man->connection.state != MS_INITIAL)
3158  {
3159  long net_events;
3161  net_events = net_event_win32_get_event_mask(&man->connection.ne32);
3162 
3163  if (net_events & FD_CLOSE)
3164  {
3165  man_reset_client_socket(man, false);
3166  }
3167  else
3168  {
3169  if (man->connection.state == MS_LISTEN)
3170  {
3171  if (net_events & FD_ACCEPT)
3172  {
3173  man_accept(man);
3175  }
3176  }
3177  else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE)
3178  {
3179  if (net_events & FD_READ)
3180  {
3181  while (man_read(man) > 0)
3182  {
3183  }
3185  }
3186 
3187  if (net_events & FD_WRITE)
3188  {
3189  int status;
3190  status = man_write(man);
3191  if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
3192  {
3194  }
3195  }
3196  }
3197  }
3198  }
3199 }
3200 
3201 #else /* ifdef _WIN32 */
3202 
3203 void
3204 management_socket_set(struct management *man,
3205  struct event_set *es,
3206  void *arg,
3207  unsigned int *persistent)
3208 {
3209  switch (man->connection.state)
3210  {
3211  case MS_LISTEN:
3212  if (man_persist_state(persistent, 1))
3213  {
3214  event_ctl(es, man->connection.sd_top, EVENT_READ, arg);
3215  }
3216  break;
3217 
3218  case MS_CC_WAIT_READ:
3219  if (man_persist_state(persistent, 2))
3220  {
3221  event_ctl(es, man->connection.sd_cli, EVENT_READ, arg);
3222  }
3223  break;
3224 
3225  case MS_CC_WAIT_WRITE:
3226  if (man_persist_state(persistent, 3))
3227  {
3228  event_ctl(es, man->connection.sd_cli, EVENT_WRITE, arg);
3229  }
3230  break;
3231 
3232  case MS_INITIAL:
3233  break;
3234 
3235  default:
3236  ASSERT(0);
3237  }
3238 }
3239 
3240 void
3241 management_io(struct management *man)
3242 {
3243  switch (man->connection.state)
3244  {
3245  case MS_LISTEN:
3246  man_accept(man);
3247  break;
3248 
3249  case MS_CC_WAIT_READ:
3250  man_read(man);
3251  break;
3252 
3253  case MS_CC_WAIT_WRITE:
3254  man_write(man);
3255  break;
3256 
3257  case MS_INITIAL:
3258  break;
3259 
3260  default:
3261  ASSERT(0);
3262  }
3263 }
3264 
3265 #endif /* ifdef _WIN32 */
3266 
3267 static inline bool
3268 man_standalone_ok(const struct management *man)
3269 {
3270  return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
3271 }
3272 
3273 static bool
3274 man_check_for_signals(volatile int *signal_received)
3275 {
3276  if (signal_received)
3277  {
3278  get_signal(signal_received);
3279  if (*signal_received)
3280  {
3281  return true;
3282  }
3283  }
3284  return false;
3285 }
3286 
3287 /*
3288  * Wait for socket I/O when outside primary event loop
3289  */
3290 static int
3291 man_block(struct management *man, volatile int *signal_received, const time_t expire)
3292 {
3293  struct timeval tv;
3294  struct event_set_return esr;
3295  int status = -1;
3296 
3297  if (man_standalone_ok(man))
3298  {
3299  /* expire time can be already overdue, for this case init zero
3300  * timeout to avoid waiting first time and exit loop early with
3301  * either obtained event or timeout.
3302  */
3303  tv.tv_usec = 0;
3304  tv.tv_sec = 0;
3305 
3306  while (true)
3307  {
3308  event_reset(man->connection.es);
3309  management_socket_set(man, man->connection.es, NULL, NULL);
3310  if (man_check_for_signals(signal_received))
3311  {
3312  status = -1;
3313  break;
3314  }
3315  status = event_wait(man->connection.es, &tv, &esr, 1);
3316  update_time();
3317  if (man_check_for_signals(signal_received))
3318  {
3319  status = -1;
3320  break;
3321  }
3322 
3323  if (status > 0)
3324  {
3325  break;
3326  }
3327  else if (expire && now >= expire)
3328  {
3329  /* set SIGINT signal if expiration time exceeded */
3330  status = 0;
3331  if (signal_received)
3332  {
3333  *signal_received = SIGINT;
3334  }
3335  break;
3336  }
3337 
3338  /* wait one second more */
3339  tv.tv_sec = 1;
3340  tv.tv_usec = 0;
3341  }
3342  }
3343  return status;
3344 }
3345 
3346 /*
3347  * Perform management socket output outside primary event loop
3348  */
3349 static void
3350 man_output_standalone(struct management *man, volatile int *signal_received)
3351 {
3352  if (man_standalone_ok(man))
3353  {
3354  while (man->connection.state == MS_CC_WAIT_WRITE)
3355  {
3356  management_io(man);
3357  if (man->connection.state == MS_CC_WAIT_WRITE)
3358  {
3359  man_block(man, signal_received, 0);
3360  }
3361  if (signal_received && *signal_received)
3362  {
3363  break;
3364  }
3365  }
3366  }
3367 }
3368 
3369 /*
3370  * Process management event loop outside primary event loop
3371  */
3372 static int
3373 man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
3374 {
3375  int status = -1;
3376  if (man_standalone_ok(man))
3377  {
3378  status = man_block(man, signal_received, expire);
3379  if (status > 0)
3380  {
3381  management_io(man);
3382  }
3383  }
3384  return status;
3385 }
3386 
3387 #define MWCC_PASSWORD_WAIT (1<<0)
3388 #define MWCC_HOLD_WAIT (1<<1)
3389 #define MWCC_OTHER_WAIT (1<<2)
3390 
3391 /*
3392  * Block until client connects
3393  */
3394 static void
3396  volatile int *signal_received,
3397  const time_t expire,
3398  unsigned int flags)
3399 {
3400  ASSERT(man_standalone_ok(man));
3401  if (man->connection.state == MS_LISTEN)
3402  {
3403  if (flags & MWCC_PASSWORD_WAIT)
3404  {
3405  msg(D_MANAGEMENT, "Need password(s) from management interface, waiting...");
3406  }
3407  if (flags & MWCC_HOLD_WAIT)
3408  {
3409  msg(D_MANAGEMENT, "Need hold release from management interface, waiting...");
3410  }
3411  if (flags & MWCC_OTHER_WAIT)
3412  {
3413  msg(D_MANAGEMENT, "Need information from management interface, waiting...");
3414  }
3415  do
3416  {
3417  man_standalone_event_loop(man, signal_received, expire);
3418  if (signal_received && *signal_received)
3419  {
3420  break;
3421  }
3422  } while (man->connection.state == MS_LISTEN || man_password_needed(man));
3423  }
3424 }
3425 
3426 /*
3427  * Process the management event loop for sec seconds
3428  */
3429 void
3431 {
3432  if (man_standalone_ok(man))
3433  {
3434  volatile int signal_received = 0;
3435  const bool standalone_disabled_save = man->persist.standalone_disabled;
3436  time_t expire = 0;
3437 
3438  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3439 
3440  /* set expire time */
3441  update_time();
3442  if (sec >= 0)
3443  {
3444  expire = now + sec;
3445  }
3446 
3447  /* if no client connection, wait for one */
3448  man_wait_for_client_connection(man, &signal_received, expire, 0);
3449  if (signal_received)
3450  {
3451  return;
3452  }
3453 
3454  /* run command processing event loop */
3455  do
3456  {
3457  man_standalone_event_loop(man, &signal_received, expire);
3458  if (!signal_received)
3459  {
3460  man_check_for_signals(&signal_received);
3461  }
3462  if (signal_received)
3463  {
3464  return;
3465  }
3466  update_time();
3467  } while (expire && expire > now);
3468 
3469  /* revert state */
3470  man->persist.standalone_disabled = standalone_disabled_save;
3471  }
3472  else if (sec > 0)
3473  {
3474  sleep(sec);
3475  }
3476 }
3477 
3478 /*
3479  * Get a username/password from management channel in standalone mode.
3480  */
3481 bool
3483  struct user_pass *up,
3484  const char *type,
3485  const unsigned int flags,
3486  const char *static_challenge)
3487 {
3488  struct gc_arena gc = gc_new();
3489  bool ret = false;
3490 
3491  if (man_standalone_ok(man))
3492  {
3493  volatile int signal_received = 0;
3494  const bool standalone_disabled_save = man->persist.standalone_disabled;
3495  struct buffer alert_msg = alloc_buf_gc(128, &gc);
3496  const char *alert_type = NULL;
3497  const char *prefix = NULL;
3498  unsigned int up_query_mode = 0;
3499  const char *sc = NULL;
3500  ret = true;
3501  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3502  man->persist.special_state_msg = NULL;
3503 
3504  CLEAR(man->connection.up_query);
3505 
3506  if (flags & GET_USER_PASS_NEED_OK)
3507  {
3508  up_query_mode = UP_QUERY_NEED_OK;
3509  prefix = "NEED-OK";
3510  alert_type = "confirmation";
3511  }
3512  else if (flags & GET_USER_PASS_NEED_STR)
3513  {
3514  up_query_mode = UP_QUERY_NEED_STR;
3515  prefix = "NEED-STR";
3516  alert_type = "string";
3517  }
3518  else if (flags & GET_USER_PASS_PASSWORD_ONLY)
3519  {
3520  up_query_mode = UP_QUERY_PASS;
3521  prefix = "PASSWORD";
3522  alert_type = "password";
3523  }
3524  else
3525  {
3526  up_query_mode = UP_QUERY_USER_PASS;
3527  prefix = "PASSWORD";
3528  alert_type = "username/password";
3529  if (static_challenge)
3530  {
3531  sc = static_challenge;
3532  }
3533  }
3534  buf_printf(&alert_msg, ">%s:Need '%s' %s",
3535  prefix,
3536  type,
3537  alert_type);
3538 
3540  {
3541  buf_printf(&alert_msg, " MSG:%s", up->username);
3542  }
3543 
3544  if (sc)
3545  {
3546  buf_printf(&alert_msg, " SC:%d,%s",
3548  sc);
3549  }
3550 
3551  man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT);
3552  if (signal_received)
3553  {
3554  ret = false;
3555  }
3556 
3557  if (ret)
3558  {
3559  man->persist.special_state_msg = BSTR(&alert_msg);
3560  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3561 
3562  /* tell command line parser which info we need */
3563  man->connection.up_query_mode = up_query_mode;
3564  man->connection.up_query_type = type;
3565 
3566  /* run command processing event loop until we get our username/password/response */
3567  do
3568  {
3569  man_standalone_event_loop(man, &signal_received, 0);
3570  if (!signal_received)
3571  {
3572  man_check_for_signals(&signal_received);
3573  }
3574  if (signal_received)
3575  {
3576  ret = false;
3577  break;
3578  }
3579  } while (!man->connection.up_query.defined);
3580  }
3581 
3582  /* revert state */
3584  man->connection.up_query_type = NULL;
3585  man->persist.standalone_disabled = standalone_disabled_save;
3586  man->persist.special_state_msg = NULL;
3587 
3588  /* pass through blank passwords */
3589  if (!strcmp(man->connection.up_query.password, blank_up))
3590  {
3592  }
3593 
3594  /*
3595  * Transfer u/p to return object, zero any record
3596  * we hold in the management object.
3597  */
3598  if (ret)
3599  {
3600  /* preserve caller's settings */
3601  man->connection.up_query.nocache = up->nocache;
3602  *up = man->connection.up_query;
3603  }
3604  secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
3605  }
3606 
3607  gc_free(&gc);
3608  return ret;
3609 }
3610 
3611 static int
3613  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3614 {
3615  struct gc_arena gc = gc_new();
3616  int ret = 0;
3617  volatile int signal_received = 0;
3618  struct buffer alert_msg = clear_buf();
3619  const bool standalone_disabled_save = man->persist.standalone_disabled;
3620  struct man_connection *mc = &man->connection;
3621 
3622  if (man_standalone_ok(man))
3623  {
3624  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3625  man->persist.special_state_msg = NULL;
3626 
3627  *state = EKS_SOLICIT;
3628 
3629  if (b64_data)
3630  {
3631  alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc);
3632  buf_printf(&alert_msg, ">%s:%s", prompt, b64_data);
3633  }
3634  else
3635  {
3636  alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc);
3637  buf_printf(&alert_msg, ">%s", prompt);
3638  }
3639 
3640  man_wait_for_client_connection(man, &signal_received, 0, MWCC_OTHER_WAIT);
3641 
3642  if (signal_received)
3643  {
3644  goto done;
3645  }
3646 
3647  man->persist.special_state_msg = BSTR(&alert_msg);
3648  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3649 
3650  /* run command processing event loop until we get our signature */
3651  do
3652  {
3653  man_standalone_event_loop(man, &signal_received, 0);
3654  if (!signal_received)
3655  {
3656  man_check_for_signals(&signal_received);
3657  }
3658  if (signal_received)
3659  {
3660  goto done;
3661  }
3662  } while (*state != EKS_READY);
3663 
3664  ret = 1;
3665  }
3666 
3667 done:
3668  if (*state == EKS_READY && ret)
3669  {
3670  msg(M_CLIENT, "SUCCESS: %s command succeeded", cmd);
3671  }
3672  else if (*state == EKS_INPUT || *state == EKS_READY)
3673  {
3674  msg(M_CLIENT, "ERROR: %s command failed", cmd);
3675  }
3676 
3677  /* revert state */
3678  man->persist.standalone_disabled = standalone_disabled_save;
3679  man->persist.special_state_msg = NULL;
3681  *state = EKS_UNDEF;
3682 
3683  gc_free(&gc);
3684  return ret;
3685 }
3686 
3687 static char *
3688 /* returns allocated base64 signature */
3690  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3691 {
3692  int ok;
3693  char *result = NULL;
3694  struct buffer *buf;
3695 
3696  ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3697  if (ok && buffer_list_defined(*input))
3698  {
3699  buffer_list_aggregate_separator(*input, 10000, "\n");
3700  buf = buffer_list_peek(*input);
3701  if (buf && BLEN(buf) > 0)
3702  {
3703  result = (char *) malloc(BLEN(buf)+1);
3704  check_malloc_return(result);
3705  memcpy(result, buf->data, BLEN(buf));
3706  result[BLEN(buf)] = '\0';
3707  }
3708  }
3709 
3710  buffer_list_free(*input);
3711  *input = NULL;
3712 
3713  return result;
3714 }
3715 
3716 static char *
3717 /* returns allocated base64 signature */
3719  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3720 {
3721  int ok;
3722  char *result = NULL;
3723  struct buffer *buf;
3724 
3725  ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3726  if (ok && buffer_list_defined(*input))
3727  {
3728  buffer_list_aggregate(*input, 2048);
3729  buf = buffer_list_peek(*input);
3730  if (buf && BLEN(buf) > 0)
3731  {
3732  result = (char *) malloc(BLEN(buf)+1);
3733  check_malloc_return(result);
3734  memcpy(result, buf->data, BLEN(buf));
3735  result[BLEN(buf)] = '\0';
3736  }
3737  }
3738 
3739  buffer_list_free(*input);
3740  *input = NULL;
3741 
3742  return result;
3743 }
3744 
3745 char *
3746 /* returns allocated base64 signature */
3747 management_query_pk_sig(struct management *man, const char *b64_data,
3748  const char *algorithm)
3749 {
3750  const char *prompt = "PK_SIGN";
3751  const char *desc = "pk-sign";
3752  struct buffer buf_data = alloc_buf(strlen(b64_data) + strlen(algorithm) + 20);
3753 
3754  if (man->connection.client_version <= 1)
3755  {
3756  prompt = "RSA_SIGN";
3757  desc = "rsa-sign";
3758  }
3759 
3760  buf_write(&buf_data, b64_data, (int) strlen(b64_data));
3761  if (man->connection.client_version > 2)
3762  {
3763  buf_write(&buf_data, ",", (int) strlen(","));
3764  buf_write(&buf_data, algorithm, (int) strlen(algorithm));
3765  }
3766  char *ret = management_query_multiline_flatten(man,
3767  (char *)buf_bptr(&buf_data), prompt, desc,
3769  free_buf(&buf_data);
3770  return ret;
3771 }
3772 
3773 char *
3774 management_query_cert(struct management *man, const char *cert_name)
3775 {
3776  const char prompt_1[] = "NEED-CERTIFICATE:";
3777  struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20);
3778  buf_write(&buf_prompt, prompt_1, strlen(prompt_1));
3779  buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */
3780 
3781  char *result;
3783  NULL, (char *)buf_bptr(&buf_prompt), "certificate",
3785  free_buf(&buf_prompt);
3786  return result;
3787 }
3788 
3789 /*
3790  * Return true if management_hold() would block
3791  */
3792 bool
3794 {
3795  return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok(man);
3796 }
3797 
3798 /*
3799  * Return true if (from the management interface's perspective) OpenVPN should
3800  * daemonize.
3801  */
3802 bool
3804 {
3805  return management_would_hold(man) || (man->settings.flags & MF_QUERY_PASSWORDS);
3806 }
3807 
3808 /*
3809  * If the hold flag is enabled, hibernate until a management client releases the hold.
3810  * Return true if the caller should not sleep for an additional time interval.
3811  */
3812 bool
3813 management_hold(struct management *man, int holdtime)
3814 {
3815  if (management_would_hold(man))
3816  {
3817  volatile int signal_received = 0;
3818  const bool standalone_disabled_save = man->persist.standalone_disabled;
3819  struct gc_arena gc = gc_new();
3820 
3821  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3822  man->persist.special_state_msg = NULL;
3824 
3825  man_wait_for_client_connection(man, &signal_received, 0, MWCC_HOLD_WAIT);
3826 
3827  if (!signal_received)
3828  {
3829  struct buffer out = alloc_buf_gc(128, &gc);
3830  buf_printf(&out, ">HOLD:Waiting for hold release:%d", holdtime);
3831  man->persist.special_state_msg = BSTR(&out);
3832  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3833 
3834  /* run command processing event loop until we get our username/password */
3835  do
3836  {
3837  man_standalone_event_loop(man, &signal_received, 0);
3838  if (!signal_received)
3839  {
3840  man_check_for_signals(&signal_received);
3841  }
3842  if (signal_received)
3843  {
3844  break;
3845  }
3846  } while (!man->persist.hold_release);
3847  }
3848 
3849  /* revert state */
3850  man->persist.standalone_disabled = standalone_disabled_save;
3851  man->persist.special_state_msg = NULL;
3853 
3854  gc_free(&gc);
3855  return true;
3856  }
3857  return false;
3858 }
3859 
3860 /*
3861  * struct command_line
3862  */
3863 
3864 struct command_line *
3866 {
3867  struct command_line *cl;
3868  ALLOC_OBJ_CLEAR(cl, struct command_line);
3869  cl->buf = alloc_buf(buf_len);
3870  cl->residual = alloc_buf(buf_len);
3871  return cl;
3872 }
3873 
3874 void
3876 {
3877  buf_clear(&cl->buf);
3878  buf_clear(&cl->residual);
3879 }
3880 
3881 void
3883 {
3884  if (!cl)
3885  {
3886  return;
3887  }
3888  command_line_reset(cl);
3889  free_buf(&cl->buf);
3890  free_buf(&cl->residual);
3891  free(cl);
3892 }
3893 
3894 void
3895 command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
3896 {
3897  int i;
3898  for (i = 0; i < len; ++i)
3899  {
3900  if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE)))
3901  {
3902  if (!buf_write_u8(&cl->buf, buf[i]))
3903  {
3904  buf_clear(&cl->buf);
3905  }
3906  }
3907  }
3908 }
3909 
3910 const char *
3912 {
3913  int i;
3914  const char *ret = NULL;
3915 
3916  i = buf_substring_len(&cl->buf, '\n');
3917  if (i >= 0)
3918  {
3919  buf_copy_excess(&cl->residual, &cl->buf, i);
3920  buf_chomp(&cl->buf);
3921  ret = BSTR(&cl->buf);
3922  }
3923  return ret;
3924 }
3925 
3926 void
3928 {
3929  buf_clear(&cl->buf);
3930  buf_copy(&cl->buf, &cl->residual);
3931  buf_clear(&cl->residual);
3932 }
3933 
3934 /*
3935  * struct log_entry
3936  */
3937 
3938 const char *
3939 log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
3940 {
3941  struct buffer out = alloc_buf_gc(ERR_BUF_SIZE, gc);
3942  if (flags & LOG_FATAL_NOTIFY)
3943  {
3944  buf_printf(&out, ">FATAL:");
3945  }
3946  if (flags & LOG_PRINT_LOG_PREFIX)
3947  {
3948  buf_printf(&out, ">LOG:");
3949  }
3950  if (flags & LOG_PRINT_ECHO_PREFIX)
3951  {
3952  buf_printf(&out, ">ECHO:");
3953  }
3954  if (flags & LOG_PRINT_STATE_PREFIX)
3955  {
3956  buf_printf(&out, ">STATE:");
3957  }
3958  if (flags & LOG_PRINT_INT_DATE)
3959  {
3960  buf_printf(&out, "%u,", (unsigned int)e->timestamp);
3961  }
3962  if (flags & LOG_PRINT_MSG_FLAGS)
3963  {
3964  buf_printf(&out, "%s,", msg_flags_string(e->u.msg_flags, gc));
3965  }
3966  if (flags & LOG_PRINT_STATE)
3967  {
3968  buf_printf(&out, "%s,", man_state_name(e->u.state));
3969  }
3970  if (flags & LOG_PRINT_INTVAL)
3971  {
3972  buf_printf(&out, "%d,", e->u.intval);
3973  }
3974  if (e->string)
3975  {
3976  buf_printf(&out, "%s", e->string);
3977  }
3978  if (flags & LOG_PRINT_LOCAL_IP)
3979  {
3980  buf_printf(&out, ",%s", print_in_addr_t(e->local_ip, IA_EMPTY_IF_UNDEF, gc));
3981  }
3982  if (flags & LOG_PRINT_REMOTE_IP)
3983  {
3984  buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," :
3986  buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," :
3988  }
3989  if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6))
3990  {
3991  buf_printf(&out, ",%s", print_in6_addr(e->local_ip6, IA_EMPTY_IF_UNDEF, gc));
3992  }
3993  if (flags & LOG_ECHO_TO_LOG)
3994  {
3995  msg(D_MANAGEMENT, "MANAGEMENT: %s", BSTR(&out));
3996  }
3997  if (flags & LOG_PRINT_CRLF)
3998  {
3999  buf_printf(&out, "\r\n");
4000  }
4001  return BSTR(&out);
4002 }
4003 
4004 static void
4006 {
4007  /* Cast away constness of const char* */
4008  free((char *)e->string);
4009  CLEAR(*e);
4010 }
4011 
4012 /*
4013  * struct log_history
4014  */
4015 
4016 static inline int
4017 log_index(const struct log_history *h, int i)
4018 {
4019  return modulo_add(h->base, i, h->capacity);
4020 }
4021 
4022 static void
4024 {
4025  CLEAR(*h);
4026  h->capacity = capacity;
4028 }
4029 
4030 struct log_history *
4032 {
4033  struct log_history *h;
4034  ASSERT(capacity > 0);
4035  ALLOC_OBJ(h, struct log_history);
4037  return h;
4038 }
4039 
4040 static void
4042 {
4043  int i;
4044  for (i = 0; i < h->size; ++i)
4045  {
4047  }
4048  free(h->array);
4049 }
4050 
4051 void
4053 {
4055  free(h);
4056 }
4057 
4058 void
4059 log_history_add(struct log_history *h, const struct log_entry *le)
4060 {
4061  struct log_entry *e;
4062  ASSERT(h->size >= 0 && h->size <= h->capacity);
4063  if (h->size == h->capacity)
4064  {
4065  e = &h->array[h->base];
4067  h->base = log_index(h, 1);
4068  }
4069  else
4070  {
4071  e = &h->array[log_index(h, h->size)];
4072  ++h->size;
4073  }
4074 
4075  *e = *le;
4076  e->string = string_alloc(le->string, NULL);
4077 }
4078 
4079 void
4080 log_history_resize(struct log_history *h, const int capacity)
4081 {
4082  if (capacity != h->capacity)
4083  {
4084  struct log_history newlog;
4085  int i;
4086 
4087  ASSERT(capacity > 0);
4088  log_history_obj_init(&newlog, capacity);
4089 
4090  for (i = 0; i < h->size; ++i)
4091  {
4092  log_history_add(&newlog, &h->array[log_index(h, i)]);
4093  }
4094 
4096  *h = newlog;
4097  }
4098 }
4099 
4100 const struct log_entry *
4101 log_history_ref(const struct log_history *h, const int index)
4102 {
4103  if (index >= 0 && index < h->size)
4104  {
4105  return &h->array[log_index(h, (h->size - 1) - index)];
4106  }
4107  else
4108  {
4109  return NULL;
4110  }
4111 }
4112 
4113 void
4114 management_sleep(const int n)
4115 {
4116  if (n < 0)
4117  {
4118  return;
4119  }
4120  else if (management)
4121  {
4123  }
4124  else
4125  {
4126 #ifdef _WIN32
4127  win32_sleep(n);
4128 #else
4129  if (n > 0)
4130  {
4131  sleep(n);
4132  }
4133 #endif
4134  }
4135 }
4136 
4137 void
4138 management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
4139 {
4141  timeval, ETT_DEFAULT))
4142  {
4143  counter_type dco_read_bytes = 0;
4144  counter_type dco_write_bytes = 0;
4145 
4146  if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
4147  {
4148  dco_read_bytes = c->c2.dco_read_bytes;
4149  dco_write_bytes = c->c2.dco_write_bytes;
4150  }
4151 
4152  if (!(man->persist.callback.flags & MCF_SERVER))
4153  {
4154  man_bytecount_output_client(man, dco_read_bytes, dco_write_bytes);
4155  }
4156  }
4157 }
4158 
4159 /* DCO resets stats on reconnect. Since client expects stats
4160  * to be preserved across reconnects, we need to save DCO
4161  * stats before tearing the tunnel down.
4162  */
4163 void
4165 {
4166  if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
4167  {
4169  }
4170 }
4171 
4172 #else /* ifdef ENABLE_MANAGEMENT */
4173 
4174 #include "win32.h"
4175 void
4176 management_sleep(const int n)
4177 {
4178 #ifdef _WIN32
4179  win32_sleep(n);
4180 #else
4181  if (n > 0)
4182  {
4183  sleep(n);
4184  }
4185 #endif /* ifdef _WIN32 */
4186 }
4187 
4188 #endif /* ENABLE_MANAGEMENT */
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
UP_QUERY_USER_PASS
#define UP_QUERY_USER_PASS
Definition: manage.h:268
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:188
log_history
Definition: manage.h:139
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2737
man_connection::echo_realtime
bool echo_realtime
Definition: manage.h:320
UP_QUERY_NEED_OK
#define UP_QUERY_NEED_OK
Definition: manage.h:270
management::settings
struct man_settings settings
Definition: manage.h:338
GETADDR_WARN_ON_SIGNAL
#define GETADDR_WARN_ON_SIGNAL
Definition: socket.h:509
man_signal
static void man_signal(struct management *man, const char *name)
Definition: manage.c:446
log_history::base
int base
Definition: manage.h:141
man_proxy
static void man_proxy(struct management *man, const char **p)
Definition: manage.c:1269
man_persist
Definition: manage.h:224
openvpn_sockaddr::addr
union openvpn_sockaddr::@14 addr
min_uint
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition: integer.h:63
M_INFO
#define M_INFO
Definition: errlevel.h:55
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition: manage.c:3093
man_query_password
static void man_query_password(struct management *man, const char *type, const char *string)
Definition: manage.c:771
env_item::next
struct env_item * next
Definition: env_set.h:39
management_post_tunnel_open
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:3046
man_connection::up_query_mode
int up_query_mode
Definition: manage.h:325
UP_QUERY_DISABLED
#define UP_QUERY_DISABLED
Definition: manage.h:267
ALLOC_ARRAY_CLEAR
#define ALLOC_ARRAY_CLEAR(dptr, type, n)
Definition: buffer.h:1082
env_set::gc
struct gc_arena * gc
Definition: env_set.h:43
error.h
in_extra_dispatch
static void in_extra_dispatch(struct management *man)
Definition: manage.c:979
man_query_username
static void man_query_username(struct management *man, const char *type, const char *string)
Definition: manage.c:763
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1031
man_command_unsupported
static void man_command_unsupported(const char *command_name)
Definition: manage.c:473
M_ERRNO
#define M_ERRNO
Definition: error.h:100
LOG_PRINT_MSG_FLAGS
#define LOG_PRINT_MSG_FLAGS
Definition: manage.h:124
log_entry_union::state
int state
Definition: manage.h:104
MANAGEMENT_ECHO_FLAGS
#define MANAGEMENT_ECHO_FLAGS
Definition: manage.c:57
print_sockaddr
static const char * print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
Definition: socket.h:371
log_entry::remote_sock
struct openvpn_sockaddr remote_sock
Definition: manage.h:115
env_item::string
char * string
Definition: env_set.h:38
OPENVPN_STATE_EXITING
#define OPENVPN_STATE_EXITING
Definition: manage.h:477
management_query_multiline
static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3612
D_MANAGEMENT
#define D_MANAGEMENT
Definition: errlevel.h:88
management_socket_set
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3115
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
AF_DID_PUSH
#define AF_DID_PUSH
man_settings::mansig
unsigned int mansig
Definition: manage.h:263
GET_USER_PASS_STATIC_CHALLENGE_ECHO
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:117
D_LINK_ERRORS
#define D_LINK_ERRORS
Definition: errlevel.h:57
management_hold
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3813
M_FATAL
#define M_FATAL
Definition: error.h:95
win32.h
man_client_deny
static void man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
Definition: manage.c:1110
sd_close
void sd_close(socket_descriptor_t *sd)
Definition: socket.c:3912
DAF_INITIAL_AUTH
#define DAF_INITIAL_AUTH
Definition: manage.h:69
LOG_PRINT_STATE_PREFIX
#define LOG_PRINT_STATE_PREFIX
Definition: manage.h:121
man_check_password
static void man_check_password(struct management *man, const char *line)
Definition: manage.c:197
man_connection::out
struct buffer_list * out
Definition: manage.h:295
streq
#define streq(x, y)
Definition: options.h:708
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3080
manage.h
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:200
management_sleep
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition: manage.c:4114
buf_copy_excess
static bool buf_copy_excess(struct buffer *dest, struct buffer *src, int len)
Definition: buffer.h:771
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
management_open
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2655
es
struct env_set * es
Definition: test_pkcs11.c:133
man_connection::sd_top
socket_descriptor_t sd_top
Definition: manage.h:282
M_CLIENT
#define M_CLIENT
Definition: error.h:113
MS_INITIAL
#define MS_INITIAL
Definition: manage.h:274
man_log
static void man_log(struct management *man, const char *parm)
Definition: manage.c:665
BSTR
#define BSTR(buf)
Definition: buffer.h:129
MS_LISTEN
#define MS_LISTEN
Definition: manage.h:275
management_callback::flags
unsigned int flags
Definition: manage.h:178
man_connection::in_extra_cmd
int in_extra_cmd
Definition: manage.h:303
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:71
management_query_user_pass
bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge)
Definition: manage.c:3482
man_close_socket
static void man_close_socket(struct management *man, const socket_descriptor_t sd)
Definition: manage.c:317
man_query_need_str
static void man_query_need_str(struct management *man, const char *type, const char *action)
Definition: manage.c:791
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
PS_DONT_SHOW_FAMILY
#define PS_DONT_SHOW_FAMILY
Definition: socket.h:344
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
command_line_add
void command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
Definition: manage.c:3895
man_connection::log_realtime
bool log_realtime
Definition: manage.h:319
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
man_persist::special_state_msg
const char * special_state_msg
Definition: manage.h:238
man_persist::state
struct log_history * state
Definition: manage.h:234
user_pass::defined
bool defined
Definition: misc.h:58
log_entry::u
union log_entry_union u
Definition: manage.h:116
openvpn.h
man_connection::ne32
struct net_event_win32 ne32
Definition: manage.h:287
D_MANAGEMENT_DEBUG
#define D_MANAGEMENT_DEBUG
Definition: errlevel.h:138
management_callback::remote_cmd
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:202
man_client_pending_auth
static void man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str, const char *extra, const char *timeout_str)
Will send a notification to the client that succesful authentication will require an additional step ...
Definition: manage.c:1059
net_event_win32_reset
void net_event_win32_reset(struct net_event_win32 *ne)
Definition: win32.c:355
buf_bptr
static uint8_t * buf_bptr(const struct buffer *buf)
Definition: buffer.h:240
platform_group_get
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:123
buffer_list_peek
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1266
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4961
MF_HOLD
#define MF_HOLD
Definition: manage.h:30
buffer_list_aggregate_separator
void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition: buffer.c:1279
MF_SERVER
#define MF_SERVER
Definition: manage.h:28
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:182
man_wait_for_client_connection
static void man_wait_for_client_connection(struct management *man, volatile int *signal_received, const time_t expire, unsigned int flags)
Definition: manage.c:3395
man_connection::remote
struct openvpn_sockaddr remote
Definition: manage.h:284
net_event_win32_start
void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd)
Definition: win32.c:328
OPENVPN_STATE_ASSIGN_IP
#define OPENVPN_STATE_ASSIGN_IP
Definition: manage.h:473
man_connection::sd_cli
socket_descriptor_t sd_cli
Definition: manage.h:283
fdmisc.h
DAF_CONNECTION_CLOSED
#define DAF_CONNECTION_CLOSED
Definition: manage.h:68
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:730
man_settings::state_buffer_size
int state_buffer_size
Definition: manage.h:255
openvpn_sockaddr
Definition: socket.h:65
man_certificate
static void man_certificate(struct management *man)
Definition: manage.c:1206
clear_buf
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:222
dco_get_peer_stats
int dco_get_peer_stats(struct context *c)
Definition: dco_win.c:433
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
EVENT_READ
#define EVENT_READ
Definition: event.h:39
command_line::buf
struct buffer buf
Definition: manage.h:82
man_connection_settings_reset
static void man_connection_settings_reset(struct management *man)
Definition: manage.c:1703
platform_state_group
Definition: platform.h:74
man_connection::in
struct command_line * in
Definition: manage.h:294
man_io_error
static bool man_io_error(struct management *man, const char *prefix)
Definition: manage.c:2084
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:177
options.h
MANAGEMENT_N_PASSWORD_RETRIES
#define MANAGEMENT_N_PASSWORD_RETRIES
Definition: manage.h:56
management_notify_client_cr_response
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition: manage.c:2951
man_connection::in_extra_kid
unsigned int in_extra_kid
Definition: manage.h:306
man_settings::client_uid
int client_uid
Definition: manage.h:256
EKS_UNDEF
#define EKS_UNDEF
Definition: manage.h:307
man_history
static void man_history(struct management *man, const char *parm, const char *type, struct log_history *log, bool *realtime, const unsigned int lep_flags)
Definition: manage.c:619
man_connection::password_verified
bool password_verified
Definition: manage.h:291
modulo_add
static int modulo_add(int x, int y, int mod)
Definition: integer.h:148
man_persist::defined
bool defined
Definition: manage.h:225
man_env_filter
static void man_env_filter(struct management *man, const int level)
Definition: manage.c:1182
man_listen
static void man_listen(struct management *man)
Definition: manage.c:1843
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
man_hold
static void man_hold(struct management *man, const char *cmd)
Definition: manage.c:922
openvpn_getaddrinfo
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition: socket.c:429
man_persist::bytes_out
counter_type bytes_out
Definition: manage.h:241
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition: sig.c:206
management_check_bytecount
void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
Definition: manage.c:4138
man_state_name
static const char * man_state_name(const int state)
Definition: manage.c:131
log_entry_free_contents
static void log_entry_free_contents(struct log_entry *e)
Definition: manage.c:4005
man_forget_passwords
static void man_forget_passwords(struct management *man)
Definition: manage.c:798
log_entry::timestamp
time_t timestamp
Definition: manage.h:110
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2894
command_line_get
const char * command_line_get(struct command_line *cl)
Definition: manage.c:3911
log_entry_print
const char * log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
Definition: manage.c:3939
man_pk_sig
static void man_pk_sig(struct management *man, const char *cmd_name)
Definition: manage.c:1190
sleep
#define sleep(x)
Definition: syshead.h:43
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition: manage.c:3015
man_help
static void man_help(void)
Definition: manage.c:71
management_should_daemonize
bool management_should_daemonize(struct management *man)
Definition: manage.c:3803
OPENVPN_STATE_INITIAL
#define OPENVPN_STATE_INITIAL
Definition: manage.h:471
man_check_for_signals
static bool man_check_for_signals(volatile int *signal_received)
Definition: manage.c:3274
log_entry::local_ip6
struct in6_addr local_ip6
Definition: manage.h:113
man_prompt
static void man_prompt(struct management *man)
Definition: manage.c:273
CLEAR
#define CLEAR(x)
Definition: basic.h:33
net_event_win32_stop
void net_event_win32_stop(struct net_event_win32 *ne)
Definition: win32.c:361
man_persist_client_stats
void man_persist_client_stats(struct management *man, struct context *c)
Definition: manage.c:4164
CC_NEWLINE
#define CC_NEWLINE
newline
Definition: buffer.h:915
man_connection
Definition: manage.h:279
man_def_auth_context
Definition: manage.h:64
IEC_CERTIFICATE
#define IEC_CERTIFICATE
Definition: manage.h:301
man_persist::log
struct log_history * log
Definition: manage.h:227
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:160
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
OPENVPN_STATE_AUTH
#define OPENVPN_STATE_AUTH
Definition: manage.h:481
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:180
env_set::list
struct env_item * list
Definition: env_set.h:44
MS_CC_WAIT_READ
#define MS_CC_WAIT_READ
Definition: manage.h:276
log_history::capacity
int capacity
Definition: manage.h:143
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:693
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
PS_SHOW_PORT
#define PS_SHOW_PORT
Definition: socket.h:341
ERR_BUF_SIZE
#define ERR_BUF_SIZE
Definition: error.h:41
ASSERT
#define ASSERT(x)
Definition: error.h:201
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2921
MN_AT_LEAST
#define MN_AT_LEAST
Definition: manage.c:1238
buf_chomp
void buf_chomp(struct buffer *buf)
Definition: buffer.c:598
link_read_bytes_global
counter_type link_read_bytes_global
Definition: forward.c:49
log_entry::local_ip
in_addr_t local_ip
Definition: manage.h:112
counter_type
uint64_t counter_type
Definition: common.h:30
parse_signal
int parse_signal(const char *signame)
Definition: sig.c:66
management_notify
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2888
man_connection::client_version
int client_version
Definition: manage.h:332
man_query_need_ok
static void man_query_need_ok(struct management *man, const char *type, const char *action)
Definition: manage.c:784
command_line_reset
void command_line_reset(struct command_line *cl)
Definition: manage.c:3875
ignore_sys_error
static bool ignore_sys_error(const int err, bool crt_error)
Definition: error.h:347
UP_QUERY_PASS
#define UP_QUERY_PASS
Definition: manage.h:269
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition: ssl.c:356
man_state
static void man_state(struct management *man, const char *parm)
Definition: manage.c:687
man_settings
Definition: manage.h:244
man_def_auth_context::flags
unsigned int flags
Definition: manage.h:70
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
BLEN
#define BLEN(buf)
Definition: buffer.h:127
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:187
net_event_win32_get_event_mask
static long net_event_win32_get_event_mask(const struct net_event_win32 *ne)
Definition: win32.h:137
report_command_status
static void report_command_status(const bool status, const char *command)
Small function to report the success or failure of a command to the management interface.
Definition: manage.c:293
man_settings::client_gid
int client_gid
Definition: manage.h:257
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2985
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1061
get_mute_cutoff
int get_mute_cutoff(void)
Definition: error.c:143
signal_name
const char * signal_name(const int sig, const bool upper)
Definition: sig.c:93
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:710
OPENVPN_STATE_WAIT
#define OPENVPN_STATE_WAIT
Definition: manage.h:480
man_connection::ext_cert_input
struct buffer_list * ext_cert_input
Definition: manage.h:314
man_up_finalize
static void man_up_finalize(struct management *man)
Definition: manage.c:699
virtual_output::func
void(* func)(void *arg, const unsigned int flags, const char *str)
Definition: status.h:35
CC_PRINT
#define CC_PRINT
printable (>= 32, != 127)
Definition: buffer.h:909
LOG_PRINT_INTVAL
#define LOG_PRINT_INTVAL
Definition: manage.h:131
man_persist::standalone_disabled
bool standalone_disabled
Definition: manage.h:230
update_time
static void update_time(void)
Definition: otime.h:77
man_block
static int man_block(struct management *man, volatile int *signal_received, const time_t expire)
Definition: manage.c:3291
log_history_ref
const struct log_entry * log_history_ref(const struct log_history *h, const int index)
Definition: manage.c:4101
LOG_FATAL_NOTIFY
#define LOG_FATAL_NOTIFY
Definition: manage.h:129
OPENVPN_STATE_TCP_CONNECT
#define OPENVPN_STATE_TCP_CONNECT
Definition: manage.h:484
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition: manage.h:29
misc.h
buffer_list_push
void buffer_list_push(struct buffer_list *ol, const char *str)
Allocates and appends a new buffer containing str as data to ol.
Definition: buffer.c:1225
management_notify_client_needing_auth
void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2927
get_debug_level
int get_debug_level(void)
Definition: error.c:137
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition: openvpn.h:273
M_WARN
#define M_WARN
Definition: error.h:97
log_history_close
void log_history_close(struct log_history *h)
Definition: manage.c:4052
man_settings::management_over_tunnel
bool management_over_tunnel
Definition: manage.h:251
man_connection::in_extra
struct buffer_list * in_extra
Definition: manage.h:304
management_init
struct management * management_init(void)
Definition: manage.c:2639
man_connection::env_filter_level
int env_filter_level
Definition: manage.h:316
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:478
parse_uint
static bool parse_uint(const char *str, const char *what, unsigned int *uint)
Definition: manage.c:1035
IEC_PK_SIGN
#define IEC_PK_SIGN
Definition: manage.h:302
man_remote_entry_get
static void man_remote_entry_get(struct management *man, const char *p1, const char *p2)
Definition: manage.c:885
management_connected
static bool management_connected(const struct management *man)
Definition: manage.h:436
man_output_env
static void man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
Definition: manage.c:2844
OPENVPN_STATE_CONNECTING
#define OPENVPN_STATE_CONNECTING
Definition: manage.h:472
man_dispatch_command
static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
Definition: manage.c:1329
char_class
bool char_class(const unsigned char c, const unsigned int flags)
Definition: buffer.c:921
EKS_SOLICIT
#define EKS_SOLICIT
Definition: manage.h:308
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition: socket.h:504
man_connection::state
int state
Definition: manage.h:280
man_remote_entry_count
static void man_remote_entry_count(struct management *man)
Definition: manage.c:869
man_net
static void man_net(struct management *man)
Definition: manage.c:806
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition: sig.c:177
man_client_n_clients
static void man_client_n_clients(struct management *man)
Definition: manage.c:1168
management_callback::remote_entry_count
unsigned int(* remote_entry_count)(void *arg)
Definition: manage.h:206
man_welcome
static void man_welcome(struct management *man)
Definition: manage.c:180
log_history_add
void log_history_add(struct log_history *h, const struct log_entry *le)
Definition: manage.c:4059
MANAGEMENT_VERSION
#define MANAGEMENT_VERSION
Definition: manage.h:55
man_remote
static void man_remote(struct management *man, const char **p)
Definition: manage.c:1283
M_ERR
#define M_ERR
Definition: error.h:111
man_standalone_event_loop
static int man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
Definition: manage.c:3373
log_history::size
int size
Definition: manage.h:142
man_output_extra_env
static void man_output_extra_env(struct management *man, const char *prefix)
Definition: manage.c:2864
man_bytecount_output_server
void man_bytecount_output_server(const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition: manage.c:524
status_output
Definition: status.h:48
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition: misc.h:147
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition: manage.h:32
management_callback::arg
void * arg
Definition: manage.h:175
user_pass::nocache
bool nocache
Definition: misc.h:62
management_query_pk_sig
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition: manage.c:3747
blank_up
static const char blank_up[]
Definition: manage.c:61
win32_sleep
void win32_sleep(const int n)
Definition: win32.c:1566
msg_set_virtual_output
static void msg_set_virtual_output(const struct virtual_output *vo)
Definition: error.h:331
set_nonblock
void set_nonblock(socket_descriptor_t fd)
Definition: fdmisc.c:69
man_output_list_push_finalize
static void man_output_list_push_finalize(struct management *man)
Definition: manage.c:243
command_line_new
struct command_line * command_line_new(const int buf_len)
Definition: manage.c:3865
management_up_down
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition: manage.c:2878
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
platform_state_group_gid
static int platform_state_group_gid(const struct platform_state_group *s)
Definition: platform.h:106
management_query_multiline_flatten_newline
static char * management_query_multiline_flatten_newline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3689
man_connect
static void man_connect(struct management *man)
Definition: manage.c:1920
man_settings::local
struct addrinfo * local
Definition: manage.h:247
log_history_free_contents
static void log_history_free_contents(struct log_history *h)
Definition: manage.c:4041
man_output_standalone
static void man_output_standalone(struct management *man, volatile int *signal_received)
Definition: manage.c:3350
man_connection::bytecount_update_seconds
int bytecount_update_seconds
Definition: manage.h:321
LOG_PRINT_INT_DATE
#define LOG_PRINT_INT_DATE
Definition: manage.h:123
event_reset
static void event_reset(struct event_set *es)
Definition: event.h:148
log_history_init
struct log_history * log_history_init(const int capacity)
Definition: manage.c:4031
man_output_list_push
static void man_output_list_push(struct management *man, const char *str)
Definition: manage.c:266
event.h
print_sockaddr_ex
const char * print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2739
man_delete_unix_socket
static void man_delete_unix_socket(struct management *man)
Definition: manage.c:306
buffer_list_new
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1185
set_mute_cutoff
bool set_mute_cutoff(const int cutoff)
Definition: error.c:123
IER_RESET
#define IER_RESET
Definition: manage.c:952
socket_defined
static int socket_defined(const socket_descriptor_t sd)
Definition: syshead.h:437
in_extra_reset
static void in_extra_reset(struct man_connection *mc, const int mode)
Definition: manage.c:956
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2901
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:686
man_send_cc_message
static void man_send_cc_message(struct management *man, const char *message, const char *parameters)
Definition: manage.c:819
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition: manage.h:195
log_history::array
struct log_entry * array
Definition: manage.h:144
IEC_UNDEF
#define IEC_UNDEF
Definition: manage.h:297
ssl.h
LOG_PRINT_LOG_PREFIX
#define LOG_PRINT_LOG_PREFIX
Definition: manage.h:119
MWCC_HOLD_WAIT
#define MWCC_HOLD_WAIT
Definition: manage.c:3388
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
MANSIG_IGNORE_USR1_HUP
#define MANSIG_IGNORE_USR1_HUP
Definition: manage.h:260
EVENT_METHOD_FAST
#define EVENT_METHOD_FAST
Definition: event.h:83
log_entry_union::intval
int intval
Definition: manage.h:105
management_event_loop_n_seconds
void management_event_loop_n_seconds(struct management *man, int sec)
Definition: manage.c:3430
OPENVPN_STATE_GET_CONFIG
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:482
command_line_free
void command_line_free(struct command_line *cl)
Definition: manage.c:3882
man_persist::bytes_in
counter_type bytes_in
Definition: manage.h:240
man_stop_ne32
static void man_stop_ne32(struct management *man)
Definition: manage.c:1695
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
mroute_addr
Definition: mroute.h:75
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2974
LOG_PRINT_ECHO_PREFIX
#define LOG_PRINT_ECHO_PREFIX
Definition: manage.h:120
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
pkcs11.h
man_connection::ext_key_state
int ext_key_state
Definition: manage.h:311
DAF_CONNECTION_ESTABLISHED
#define DAF_CONNECTION_ESTABLISHED
Definition: manage.h:67
man_settings::up
struct user_pass up
Definition: manage.h:252
auth_retry_print
const char * auth_retry_print(void)
Definition: options.c:4790
LOG_PRINT_REMOTE_IP
#define LOG_PRINT_REMOTE_IP
Definition: manage.h:133
man_connection::ext_key_input
struct buffer_list * ext_key_input
Definition: manage.h:312
platform_state_user_uid
static int platform_state_user_uid(const struct platform_state_user *s)
Definition: platform.h:97
OPENVPN_STATE_RECONNECTING
#define OPENVPN_STATE_RECONNECTING
Definition: manage.h:476
log_history_obj_init
static void log_history_obj_init(struct log_history *h, int capacity)
Definition: manage.c:4023
virtual_output::arg
void * arg
Definition: status.h:33
MWCC_OTHER_WAIT
#define MWCC_OTHER_WAIT
Definition: manage.c:3389
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
openvpn_errno_maybe_crt
static int openvpn_errno_maybe_crt(bool *crt_error)
Definition: error.h:385
GETADDR_MSG_VIRT_OUT
#define GETADDR_MSG_VIRT_OUT
Definition: socket.h:510
management_callback::remote_entry_get
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition: manage.h:207
man_bytecount
static void man_bytecount(struct management *man, const int update_seconds)
Definition: manage.c:492
log_index
static int log_index(const struct log_history *h, int i)
Definition: manage.c:4017
SOCKET_UNDEFINED
#define SOCKET_UNDEFINED
Definition: syshead.h:427
man_reset_client_socket
static void man_reset_client_socket(struct management *man, const bool exiting)
Definition: manage.c:1988
MWCC_PASSWORD_WAIT
#define MWCC_PASSWORD_WAIT
Definition: manage.c:3387
log_entry
Definition: manage.h:108
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
env_set
Definition: env_set.h:42
man_read
static int man_read(struct management *man)
Definition: manage.c:2240
mroute_addr_print_ex
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:383
msg_flags_string
const char * msg_flags_string(const unsigned int flags, struct gc_arena *gc)
Definition: error.c:783
man_accept
static void man_accept(struct management *man)
Definition: manage.c:1805
man_update_io_state
static void man_update_io_state(struct management *man)
Definition: manage.c:227
MF_SIGNAL
#define MF_SIGNAL
Definition: manage.h:31
set_client_version
static void set_client_version(struct management *man, const char *version)
Definition: manage.c:1320
man_connection_init
static void man_connection_init(struct management *man)
Definition: manage.c:2565
counter_format
#define counter_format
Definition: common.h:31
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:908
man_settings::log_history_cache
int log_history_cache
Definition: manage.h:253
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
net_event_win32_clear_selected_events
static void net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_events)
Definition: win32.h:143
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto_openssl.c:1328
socket_descriptor_t
SOCKET socket_descriptor_t
Definition: syshead.h:429
dco.h
man_echo
static void man_echo(struct management *man, const char *parm)
Definition: manage.c:676
common.h
net_event_win32_reset_write
void net_event_win32_reset_write(struct net_event_win32 *ne)
Definition: win32.c:337
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:65
MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
Definition: manage.h:57
LOG_PRINT_STATE
#define LOG_PRINT_STATE
Definition: manage.h:125
man_connection::es
struct event_set * es
Definition: manage.h:315
man_output_peer_info_env
static void man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
Definition: manage.c:2900
management_pre_tunnel_close
void management_pre_tunnel_close(struct management *man)
Definition: manage.c:3071
event_free
static void event_free(struct event_set *es)
Definition: event.h:139
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
chomp
void chomp(char *str)
Definition: buffer.c:658
management_callback::send_cc_message
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition: manage.h:186
event_set
Definition: event.h:124
management_query_multiline_flatten
static char * management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3718
management_bytes_client
static void management_bytes_client(struct management *man, const int size_in, const int size_out)
Definition: manage.h:524
man_persist::callback
struct management_callback callback
Definition: manage.h:231
OPENVPN_STATE_AUTH_PENDING
#define OPENVPN_STATE_AUTH_PENDING
Definition: manage.h:485
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:506
man_persist_close
static void man_persist_close(struct man_persist *mp)
Definition: manage.c:2427
man_start_ne32
static void man_start_ne32(struct management *man)
Definition: manage.c:1676
platform_state_user
Definition: platform.h:63
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
man_settings::echo_buffer_size
int echo_buffer_size
Definition: manage.h:254
virtual_output_callback_func
static void virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
Definition: manage.c:333
addr_defined
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:648
management_callback::proxy_cmd
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:201
link_write_bytes_global
counter_type link_write_bytes_global
Definition: forward.c:50
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition: manage.h:33
buffer_list_advance
void buffer_list_advance(struct buffer_list *ol, int n)
Definition: buffer.c:1348
man_standalone_ok
static bool man_standalone_ok(const struct management *man)
Definition: manage.c:3268
man_connection::ext_cert_state
int ext_cert_state
Definition: manage.h:313
man_need
static bool man_need(struct management *man, const char **p, const int n, unsigned int flags)
Checks if the correct number of arguments to a management command are present and otherwise prints an...
Definition: manage.c:1249
otime.h
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:367
man_process_command
static void man_process_command(struct management *man, const char *line)
Definition: manage.c:2034
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition: manage.h:36
net_event_win32_get_event
static struct rw_handle * net_event_win32_get_event(struct net_event_win32 *ne)
Definition: win32.h:131
man_connection::halt
bool halt
Definition: manage.h:290
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition: openvpn.h:270
openvpn_snprintf
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:294
status
static SERVICE_STATUS status
Definition: interactive.c:52
MANAGEMENT_STATE_BUFFER_SIZE
#define MANAGEMENT_STATE_BUFFER_SIZE
Definition: manage.h:59
man_settings_close
static void man_settings_close(struct man_settings *ms)
Definition: manage.c:2554
man_connection::up_query
struct user_pass up_query
Definition: manage.h:326
OPENVPN_STATE_CONNECTED
#define OPENVPN_STATE_CONNECTED
Definition: manage.h:475
management
Definition: manage.h:335
management
struct management * management
Definition: manage.c:63
min_int
static int min_int(int x, int y)
Definition: integer.h:89
man_write
static int man_write(struct management *man)
Definition: manage.c:2334
IER_NEW
#define IER_NEW
Definition: manage.c:953
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1039
event_set_init
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1186
env_filter_match
static bool env_filter_match(const char *env_str, const int env_filter_level)
Definition: manage.c:2796
event_set_return
Definition: event.h:118
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:109
EKS_INPUT
#define EKS_INPUT
Definition: manage.h:309
MS_CC_WAIT_WRITE
#define MS_CC_WAIT_WRITE
Definition: manage.h:277
USER_PASS_LEN
#define USER_PASS_LEN
Definition: misc.h:68
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition: misc.h:110
man_settings::defined
bool defined
Definition: manage.h:245
rw_handle
Definition: win32.h:77
management_close
void management_close(struct management *man)
Definition: manage.c:2710
buffer_list_defined
bool buffer_list_defined(const struct buffer_list *ol)
Checks if the list is valid and non-empty.
Definition: buffer.c:1204
MANSIG_MAP_USR1_TO_HUP
#define MANSIG_MAP_USR1_TO_HUP
Definition: manage.h:261
man_persist::hold_release
bool hold_release
Definition: manage.h:236
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1066
man_bytecount_output_client
static void man_bytecount_output_client(struct management *man, counter_type dco_read_bytes, counter_type dco_write_bytes)
Definition: manage.c:510
man_mod_signal
static int man_mod_signal(const struct management *man, const int signum)
Definition: manage.c:420
now
time_t now
Definition: otime.c:34
OPENVPN_STATE_RESOLVE
#define OPENVPN_STATE_RESOLVE
Definition: manage.h:483
man_connection::password_tries
int password_tries
Definition: manage.h:292
log_entry::local_sock
struct openvpn_sockaddr local_sock
Definition: manage.h:114
socket_do_accept
socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
Definition: socket.c:1214
man_settings_init
static void man_settings_init(struct man_settings *ms, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2449
man_persist::echo
struct log_history * echo
Definition: manage.h:233
parse_cid
static bool parse_cid(const char *str, unsigned long *cid)
Definition: manage.c:1021
IEC_CLIENT_AUTH
#define IEC_CLIENT_AUTH
Definition: manage.h:298
openvpn_close_socket
#define openvpn_close_socket(s)
Definition: socket.h:259
man_connection_clear
static void man_connection_clear(struct man_connection *mc)
Definition: manage.c:2376
env_item
Definition: env_set.h:37
man_load_stats
static void man_load_stats(struct management *man)
Definition: manage.c:1222
man_status
static void man_status(struct management *man, const int version, struct status_output *so)
Definition: manage.c:479
config.h
MAPF_SUBNET
#define MAPF_SUBNET
Definition: mroute.h:157
validate_peer_info_line
bool validate_peer_info_line(char *line)
Definition: misc.c:717
OPENVPN_STATE_ADD_ROUTES
#define OPENVPN_STATE_ADD_ROUTES
Definition: manage.h:474
MANAGEMENT_ECHO_BUFFER_SIZE
#define MANAGEMENT_ECHO_BUFFER_SIZE
Definition: manage.h:58
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1194
platform_user_get
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:79
buffer_list_aggregate
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition: buffer.c:1325
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:183
openvpn_connect
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition: socket.c:1434
man_persist::vout
struct virtual_output vout
Definition: manage.h:228
man_client_kill
static void man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
Definition: manage.c:1143
EVENT_WRITE
#define EVENT_WRITE
Definition: event.h:40
command_line_next
void command_line_next(struct command_line *cl)
Definition: manage.c:3927
EKS_READY
#define EKS_READY
Definition: manage.h:310
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2720
management_would_hold
bool management_would_hold(struct management *man)
Definition: manage.c:3793
management_clear_callback
void management_clear_callback(struct management *man)
Definition: manage.c:2728
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:388
net_event_win32_close
void net_event_win32_close(struct net_event_win32 *ne)
Definition: win32.c:372
man_persist_init
static void man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size)
Definition: manage.c:2389
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2998
check_malloc_return
static void check_malloc_return(void *p)
Definition: buffer.h:1109
user_pass::password
char password[USER_PASS_LEN]
Definition: misc.h:72
get_signal
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition: sig.h:110
man_connection::in_extra_cid
unsigned long in_extra_cid
Definition: manage.h:305
buf_substring_len
int buf_substring_len(const struct buffer *buf, int delim)
Definition: buffer.c:847
LOG_PRINT_CRLF
#define LOG_PRINT_CRLF
Definition: manage.h:128
MSG_NOSIGNAL
#define MSG_NOSIGNAL
Definition: socket.h:254
man_connection::state_realtime
bool state_realtime
Definition: manage.h:318
man_connection::up_query_type
const char * up_query_type
Definition: manage.h:324
log_entry::string
const char * string
Definition: manage.h:111
management_query_cert
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3774
man_def_auth_context::bytecount_last_update
time_t bytecount_last_update
Definition: manage.h:74
sig.h
net_event_win32_init
void net_event_win32_init(struct net_event_win32 *ne)
Definition: win32.c:321
log_history_resize
void log_history_resize(struct log_history *h, const int capacity)
Definition: manage.c:4080
LOG_PRINT_LOCAL_IP
#define LOG_PRINT_LOCAL_IP
Definition: manage.h:126
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
man_output_list_push_str
static void man_output_list_push_str(struct management *man, const char *str)
Definition: manage.c:257
log_history_size
static int log_history_size(const struct log_history *h)
Definition: manage.h:158
create_socket_tcp
socket_descriptor_t create_socket_tcp(struct addrinfo *addrinfo)
Definition: socket.c:999
user_pass
Definition: misc.h:56
GET_USER_PASS_NEED_STR
#define GET_USER_PASS_NEED_STR
Definition: misc.h:112
socket_bind
void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only)
Definition: socket.c:1380
virtual_output::flags_default
unsigned int flags_default
Definition: status.h:34
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:184
OPENVPN_STATE_CLIENT_BASE
#define OPENVPN_STATE_CLIENT_BASE
Definition: manage.h:487
memdbg.h
man_new_connection_post
static void man_new_connection_post(struct management *man, const char *description)
Definition: manage.c:1716
command_line::residual
struct buffer residual
Definition: manage.h:83
LOG_ECHO_TO_LOG
#define LOG_ECHO_TO_LOG
Definition: manage.h:135
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition: options.c:4767
management_callback
Definition: manage.h:173
buffer_list_reset
void buffer_list_reset(struct buffer_list *ol)
Empty the list ol and frees all the contained buffers.
Definition: buffer.c:1210
GETADDR_PASSIVE
#define GETADDR_PASSIVE
Definition: socket.h:514
title_string
const char title_string[]
Definition: options.c:67
buffer_list
Definition: buffer.h:1126
man_connection::bytecount_update_interval
struct event_timeout bytecount_update_interval
Definition: manage.h:322
msg
#define msg(flags,...)
Definition: error.h:150
man_query_user_pass
static void man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed, const char *prompt, char *dest, int len)
Definition: manage.c:729
man_kill
static void man_kill(struct management *man, const char *victim)
Definition: manage.c:538
AF_DID_RESET
#define AF_DID_RESET
integer.h
MF_UP_DOWN
#define MF_UP_DOWN
Definition: manage.h:40
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
man_password_needed
static bool man_password_needed(struct management *man)
Definition: manage.c:191
man_persist_state
static bool man_persist_state(unsigned int *persistent, const int n)
Definition: manage.c:3099
management_io
void management_io(struct management *man)
Definition: manage.c:3155
MANSIG_MAP_USR1_TO_TERM
#define MANSIG_MAP_USR1_TO_TERM
Definition: manage.h:262
UP_QUERY_NEED_STR
#define UP_QUERY_NEED_STR
Definition: manage.h:271
BOOL_CAST
#define BOOL_CAST(x)
Definition: basic.h:27
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
man_settings::flags
unsigned int flags
Definition: manage.h:246
man_client_auth
static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
Definition: manage.c:1092
event_wait
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:166
GETADDR_FATAL
#define GETADDR_FATAL
Definition: socket.h:505
management_callback::n_clients
int(* n_clients)(void *arg)
Definition: manage.h:185
log_entry_union::msg_flags
unsigned int msg_flags
Definition: manage.h:103
management::persist
struct man_persist persist
Definition: manage.h:337
management::connection
struct man_connection connection
Definition: manage.h:339
man_connection_close
static void man_connection_close(struct management *man)
Definition: manage.c:2610
command_line
Definition: manage.h:80
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:869