OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "pf.h"
43 #include "gremlin.h"
44 #include "mstats.h"
45 #include "ssl_verify.h"
46 #include "ssl_ncp.h"
47 #include "vlan.h"
48 #include <inttypes.h>
49 
50 #include "memdbg.h"
51 
52 
53 #include "crypto_backend.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef ENABLE_MANAGEMENT
73 static void
75 {
77  mi->cc_config = cc_config;
78 }
79 #endif
80 
81 static inline void
82 update_mstat_n_clients(const int n_clients)
83 {
84 #ifdef ENABLE_MEMSTATS
85  if (mmap_stats)
86  {
87  mmap_stats->n_clients = n_clients;
88  }
89 #endif
90 }
91 
92 static bool
94  const struct multi_instance *mi,
95  const char *op,
96  const struct mroute_addr *addr)
97 {
98  struct gc_arena gc = gc_new();
99  struct env_set *es;
100  bool ret = true;
101  struct plugin_list *plugins;
102 
103  /* get environmental variable source */
104  if (mi && mi->context.c2.es)
105  {
106  es = mi->context.c2.es;
107  }
108  else
109  {
110  es = env_set_create(&gc);
111  }
112 
113  /* get plugin source */
114  if (mi)
115  {
116  plugins = mi->context.plugins;
117  }
118  else
119  {
120  plugins = m->top.plugins;
121  }
122 
124  {
125  struct argv argv = argv_new();
126  argv_printf(&argv, "%s %s",
127  op,
128  mroute_addr_print(addr, &gc));
129  if (mi)
130  {
131  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
132  }
133  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
134  {
135  msg(M_WARN, "WARNING: learn-address plugin call failed");
136  ret = false;
137  }
138  argv_free(&argv);
139  }
140 
142  {
143  struct argv argv = argv_new();
144  setenv_str(es, "script_type", "learn-address");
146  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
147  if (mi)
148  {
149  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
150  }
151  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
152  {
153  ret = false;
154  }
155  argv_free(&argv);
156  }
157 
158  gc_free(&gc);
159  return ret;
160 }
161 
162 void
164 {
165  /* write pool data to file */
166  if (m->ifconfig_pool
169  {
171  }
172 }
173 
174 static void
176  int start_bucket,
177  int end_bucket)
178 {
179  struct gc_arena gc = gc_new();
180  struct hash_iterator hi;
181  struct hash_element *he;
182 
183  if (start_bucket < 0)
184  {
185  start_bucket = 0;
186  end_bucket = hash_n_buckets(m->vhash);
187  }
188 
189  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
190  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
191  while ((he = hash_iterator_next(&hi)) != NULL)
192  {
193  struct multi_route *r = (struct multi_route *) he->value;
194  if (!multi_route_defined(m, r))
195  {
196  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
197  mroute_addr_print(&r->addr, &gc));
198  learn_address_script(m, NULL, "delete", &r->addr);
199  multi_route_del(r);
201  }
202  }
203  hash_iterator_free(&hi);
204  gc_free(&gc);
205 }
206 
207 static void
209 {
210  multi_reap_range(m, -1, 0);
211 }
212 
213 static struct multi_reap *
215 {
216  struct multi_reap *mr;
217  ALLOC_OBJ(mr, struct multi_reap);
218  mr->bucket_base = 0;
220  mr->last_call = now;
221  return mr;
222 }
223 
224 void
226 {
227  struct multi_reap *mr = m->reaper;
228  if (mr->bucket_base >= hash_n_buckets(m->vhash))
229  {
230  mr->bucket_base = 0;
231  }
233  mr->bucket_base += mr->buckets_per_pass;
234  mr->last_call = now;
235 }
236 
237 static void
239 {
240  free(mr);
241 }
242 
243 /*
244  * How many buckets in vhash to reap per pass.
245  */
246 static int
247 reap_buckets_per_pass(int n_buckets)
248 {
249  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
250 }
251 
252 #ifdef ENABLE_MANAGEMENT
253 
254 static uint32_t
256 {
257  const unsigned long *k = (const unsigned long *)key;
258  return (uint32_t) *k;
259 }
260 
261 static bool
262 cid_compare_function(const void *key1, const void *key2)
263 {
264  const unsigned long *k1 = (const unsigned long *)key1;
265  const unsigned long *k2 = (const unsigned long *)key2;
266  return *k1 == *k2;
267 }
268 
269 #endif
270 
271 #ifdef ENABLE_ASYNC_PUSH
272 static uint32_t
273 /*
274  * inotify watcher descriptors are used as hash value
275  */
276 int_hash_function(const void *key, uint32_t iv)
277 {
278  return (unsigned long)key;
279 }
280 
281 static bool
282 int_compare_function(const void *key1, const void *key2)
283 {
284  return (unsigned long)key1 == (unsigned long)key2;
285 }
286 #endif
287 
288 /*
289  * Main initialization function, init multi_context object.
290  */
291 void
292 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
293 {
294  int dev = DEV_TYPE_UNDEF;
295 
296  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299 
300  /*
301  * Get tun/tap/null device type
302  */
303  dev = dev_type_enum(t->options.dev, t->options.dev_type);
304 
305  /*
306  * Init our multi_context object.
307  */
308  CLEAR(*m);
309 
310  m->thread_mode = thread_mode;
311 
312  /*
313  * Real address hash table (source port number is
314  * considered to be part of the address). Used
315  * to determine which client sent an incoming packet
316  * which is seen on the TCP/UDP socket.
317  */
319  get_random(),
322 
323  /*
324  * Virtual address hash table. Used to determine
325  * which client to route a packet to.
326  */
328  get_random(),
331 
332  /*
333  * This hash table is a clone of m->hash but with a
334  * bucket size of one so that it can be used
335  * for fast iteration through the list.
336  */
337  m->iter = hash_init(1,
338  get_random(),
341 
342 #ifdef ENABLE_MANAGEMENT
344  0,
347 #endif
348 
349 #ifdef ENABLE_ASYNC_PUSH
350  /*
351  * Mapping between inotify watch descriptors and
352  * multi_instances.
353  */
354  m->inotify_watchers = hash_init(t->options.real_hash_size,
355  get_random(),
356  int_hash_function,
357  int_compare_function);
358 #endif
359 
360  /*
361  * This is our scheduler, for time-based wakeup
362  * events.
363  */
364  m->schedule = schedule_init();
365 
366  /*
367  * Limit frequency of incoming connections to control
368  * DoS.
369  */
371  t->options.cf_per);
372 
373  /*
374  * Allocate broadcast/multicast buffer list
375  */
377 
378  /*
379  * Different status file format options are available
380  */
382 
383  /*
384  * Possibly allocate an ifconfig pool, do it
385  * differently based on whether a tun or tap style
386  * tunnel.
387  */
390  {
392 
393  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
394  {
395  pool_type = IFCONFIG_POOL_30NET;
396  }
397 
399  pool_type,
406 
407  /* reload pool data from file */
408  if (t->c1.ifconfig_pool_persist)
409  {
411  }
412  }
413 
414  /*
415  * Help us keep track of routing table.
416  */
418 
419  /*
420  * Initialize route and instance reaper.
421  */
423 
424  /*
425  * Get local ifconfig address
426  */
427  CLEAR(m->local);
428  ASSERT(t->c1.tuntap);
430 
431  /*
432  * Per-client limits
433  */
435 
436  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
437 
438  /*
439  * Initialize multi-socket TCP I/O wait object
440  */
441  if (tcp_mode)
442  {
444  }
446 
447  /*
448  * Allow client <-> client communication, without going through
449  * tun/tap interface and network stack?
450  */
451  m->enable_c2c = t->options.enable_c2c;
452 
453  /* initialize stale routes check timer */
455  {
456  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
459  }
460 
462 }
463 
464 const char *
465 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
466 {
467  if (mi)
468  {
469  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
470  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
471 
472  if (cn)
473  {
474  buf_printf(&out, "%s/", cn);
475  }
476  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
477  return BSTR(&out);
478  }
479  else if (null)
480  {
481  return NULL;
482  }
483  else
484  {
485  return "UNDEF";
486  }
487 }
488 
489 static void
491 {
492  struct gc_arena gc = gc_new();
493  const char *prefix = multi_instance_string(mi, true, &gc);
494  if (prefix)
495  {
496  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
497  }
498  else
499  {
500  mi->msg_prefix[0] = '\0';
501  }
502  set_prefix(mi);
503  gc_free(&gc);
504 }
505 
506 void
508 {
509  mi->msg_prefix[0] = '\0';
510  set_prefix(mi);
511 }
512 
513 static const char *
514 mi_prefix(const struct multi_instance *mi)
515 {
516  if (mi && mi->msg_prefix[0])
517  {
518  return mi->msg_prefix;
519  }
520  else
521  {
522  return "UNDEF_I";
523  }
524 }
525 
526 /*
527  * Tell the route helper about deleted iroutes so
528  * that it can update its mask of currently used
529  * CIDR netlengths.
530  */
531 static void
533  struct multi_instance *mi)
534 {
535  const struct iroute *ir;
536  const struct iroute_ipv6 *ir6;
538  {
539  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
540  {
542  }
543 
544  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
545  {
547  }
548  }
549 }
550 
551 static void
553 {
554  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
555  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
556 }
557 
558 static void
560 {
561  /* setenv client real IP address */
563 
564  /* setenv stats */
565  setenv_stats(&mi->context);
566 
567  /* setenv connection duration */
568  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
569 }
570 
571 static void
573 {
575 
577  {
579  {
580  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
581  }
582  }
583 
585  {
586  struct argv argv = argv_new();
587  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
589  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
590  argv_free(&argv);
591  }
592 #ifdef ENABLE_MANAGEMENT
593  if (management)
594  {
596  }
597 #endif
598 }
599 
600 void
602  struct multi_instance *mi,
603  bool shutdown)
604 {
606 
607  ASSERT(!mi->halt);
608  mi->halt = true;
609 
610  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
611 
612  /* adjust current client connection count */
613  m->n_clients += mi->n_clients_delta;
615  mi->n_clients_delta = 0;
616 
617  /* prevent dangling pointers */
618  if (m->pending == mi)
619  {
620  multi_set_pending(m, NULL);
621  }
622  if (m->earliest_wakeup == mi)
623  {
624  m->earliest_wakeup = NULL;
625  }
626 
627  if (!shutdown)
628  {
629  if (mi->did_real_hash)
630  {
631  ASSERT(hash_remove(m->hash, &mi->real));
632  }
633  if (mi->did_iter)
634  {
635  ASSERT(hash_remove(m->iter, &mi->real));
636  }
637 #ifdef ENABLE_MANAGEMENT
638  if (mi->did_cid_hash)
639  {
641  }
642 #endif
643 
644 #ifdef ENABLE_ASYNC_PUSH
645  if (mi->inotify_watch != -1)
646  {
647  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
648  mi->inotify_watch = -1;
649  }
650 #endif
651 
652  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
653  {
654  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
655  }
656 
657  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
658 
659  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
660 
661  if (mi->did_iroutes)
662  {
663  multi_del_iroutes(m, mi);
664  mi->did_iroutes = false;
665  }
666 
667  if (m->mtcp)
668  {
670  }
671 
673  }
674 
675 #ifdef ENABLE_MANAGEMENT
676  set_cc_config(mi, NULL);
677 #endif
679  {
681  }
682 
684 
686 
687  ungenerate_prefix(mi);
688 
689  /*
690  * Don't actually delete the instance memory allocation yet,
691  * because virtual routes may still point to it. Let the
692  * vhash reaper deal with it.
693  */
695 
696  perf_pop();
697 }
698 
699 /*
700  * Called on shutdown or restart.
701  */
702 void
704 {
705  if (m->thread_mode & MC_WORK_THREAD)
706  {
707  multi_top_free(m);
708  m->thread_mode = MC_UNDEF;
709  }
710  else if (m->thread_mode)
711  {
712  if (m->hash)
713  {
714  struct hash_iterator hi;
715  struct hash_element *he;
716 
717  hash_iterator_init(m->iter, &hi);
718  while ((he = hash_iterator_next(&hi)))
719  {
720  struct multi_instance *mi = (struct multi_instance *) he->value;
721  mi->did_iter = false;
722  multi_close_instance(m, mi, true);
723  }
724  hash_iterator_free(&hi);
725 
726  multi_reap_all(m);
727 
728  hash_free(m->hash);
729  hash_free(m->vhash);
730  hash_free(m->iter);
731 #ifdef ENABLE_MANAGEMENT
732  hash_free(m->cid_hash);
733 #endif
734  m->hash = NULL;
735 
736  free(m->instances);
737 
738 #ifdef ENABLE_ASYNC_PUSH
739  hash_free(m->inotify_watchers);
740  m->inotify_watchers = NULL;
741 #endif
742 
744  mbuf_free(m->mbuf);
749  multi_tcp_free(m->mtcp);
750  m->thread_mode = MC_UNDEF;
751  }
752  }
753 }
754 
755 /*
756  * Create a client instance object for a newly connected client.
757  */
758 struct multi_instance *
760 {
761  struct gc_arena gc = gc_new();
762  struct multi_instance *mi;
763 
765 
766  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
767 
768  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
769 
770  mi->gc = gc_new();
772  mi->vaddr_handle = -1;
773  mi->created = now;
774  mroute_addr_init(&mi->real);
775 
776  if (real)
777  {
778  mi->real = *real;
779  generate_prefix(mi);
780  }
781 
782  inherit_context_child(&mi->context, &m->top);
783  if (IS_SIG(&mi->context))
784  {
785  goto err;
786  }
787 
789 
790  if (hash_n_elements(m->hash) >= m->max_clients)
791  {
792  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
793  goto err;
794  }
795 
796  if (!real) /* TCP mode? */
797  {
799  {
800  goto err;
801  }
802  generate_prefix(mi);
803  }
804 
805  if (!hash_add(m->iter, &mi->real, mi, false))
806  {
807  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
808  mroute_addr_print(&mi->real, &gc));
809  goto err;
810  }
811  mi->did_iter = true;
812 
813 #ifdef ENABLE_MANAGEMENT
814  do
815  {
816  mi->context.c2.mda_context.cid = m->cid_counter++;
817  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
818  mi->did_cid_hash = true;
819 #endif
820 
821  mi->context.c2.push_request_received = false;
822 #ifdef ENABLE_ASYNC_PUSH
823  mi->inotify_watch = -1;
824 #endif
825 
826  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
827  {
828  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
829  goto err;
830  }
831 
832  perf_pop();
833  gc_free(&gc);
834  return mi;
835 
836 err:
837  multi_close_instance(m, mi, false);
838  perf_pop();
839  gc_free(&gc);
840  return NULL;
841 }
842 
843 /*
844  * Dump tables -- triggered by SIGUSR2.
845  * If status file is defined, write to file.
846  * If status file is NULL, write to syslog.
847  */
848 void
849 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
850 {
851  if (m->hash)
852  {
853  struct gc_arena gc_top = gc_new();
854  struct hash_iterator hi;
855  const struct hash_element *he;
856 
857  status_reset(so);
858 
859  if (version == 1) /* WAS: m->status_file_version */
860  {
861  /*
862  * Status file version 1
863  */
864  status_printf(so, "OpenVPN CLIENT LIST");
865  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
866  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
867  hash_iterator_init(m->hash, &hi);
868  while ((he = hash_iterator_next(&hi)))
869  {
870  struct gc_arena gc = gc_new();
871  const struct multi_instance *mi = (struct multi_instance *) he->value;
872 
873  if (!mi->halt)
874  {
875  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
876  tls_common_name(mi->context.c2.tls_multi, false),
877  mroute_addr_print(&mi->real, &gc),
880  time_string(mi->created, 0, false, &gc));
881  }
882  gc_free(&gc);
883  }
884  hash_iterator_free(&hi);
885 
886  status_printf(so, "ROUTING TABLE");
887  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
888  hash_iterator_init(m->vhash, &hi);
889  while ((he = hash_iterator_next(&hi)))
890  {
891  struct gc_arena gc = gc_new();
892  const struct multi_route *route = (struct multi_route *) he->value;
893 
894  if (multi_route_defined(m, route))
895  {
896  const struct multi_instance *mi = route->instance;
897  const struct mroute_addr *ma = &route->addr;
898  char flags[2] = {0, 0};
899 
900  if (route->flags & MULTI_ROUTE_CACHE)
901  {
902  flags[0] = 'C';
903  }
904  status_printf(so, "%s%s,%s,%s,%s",
905  mroute_addr_print(ma, &gc),
906  flags,
907  tls_common_name(mi->context.c2.tls_multi, false),
908  mroute_addr_print(&mi->real, &gc),
909  time_string(route->last_reference, 0, false, &gc));
910  }
911  gc_free(&gc);
912  }
913  hash_iterator_free(&hi);
914 
915  status_printf(so, "GLOBAL STATS");
916  if (m->mbuf)
917  {
918  status_printf(so, "Max bcast/mcast queue length,%d",
920  }
921 
922  status_printf(so, "END");
923  }
924  else if (version == 2 || version == 3)
925  {
926  const char sep = (version == 3) ? '\t' : ',';
927 
928  /*
929  * Status file version 2 and 3
930  */
931  status_printf(so, "TITLE%c%s", sep, title_string);
932  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
933  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
934  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
935  hash_iterator_init(m->hash, &hi);
936  while ((he = hash_iterator_next(&hi)))
937  {
938  struct gc_arena gc = gc_new();
939  const struct multi_instance *mi = (struct multi_instance *) he->value;
940 
941  if (!mi->halt)
942  {
943  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
944 #ifdef ENABLE_MANAGEMENT
945  "%lu"
946 #else
947  ""
948 #endif
949  "%c%" PRIu32 "%c%s",
950  sep, tls_common_name(mi->context.c2.tls_multi, false),
951  sep, mroute_addr_print(&mi->real, &gc),
954  sep, mi->context.c2.link_read_bytes,
955  sep, mi->context.c2.link_write_bytes,
956  sep, time_string(mi->created, 0, false, &gc),
957  sep, (unsigned int)mi->created,
958  sep, tls_username(mi->context.c2.tls_multi, false),
959 #ifdef ENABLE_MANAGEMENT
960  sep, mi->context.c2.mda_context.cid,
961 #else
962  sep,
963 #endif
964  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
966  }
967  gc_free(&gc);
968  }
969  hash_iterator_free(&hi);
970 
971  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
972  sep, sep, sep, sep, sep, sep);
973  hash_iterator_init(m->vhash, &hi);
974  while ((he = hash_iterator_next(&hi)))
975  {
976  struct gc_arena gc = gc_new();
977  const struct multi_route *route = (struct multi_route *) he->value;
978 
979  if (multi_route_defined(m, route))
980  {
981  const struct multi_instance *mi = route->instance;
982  const struct mroute_addr *ma = &route->addr;
983  char flags[2] = {0, 0};
984 
985  if (route->flags & MULTI_ROUTE_CACHE)
986  {
987  flags[0] = 'C';
988  }
989  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
990  sep, mroute_addr_print(ma, &gc), flags,
991  sep, tls_common_name(mi->context.c2.tls_multi, false),
992  sep, mroute_addr_print(&mi->real, &gc),
993  sep, time_string(route->last_reference, 0, false, &gc),
994  sep, (unsigned int)route->last_reference);
995  }
996  gc_free(&gc);
997  }
998  hash_iterator_free(&hi);
999 
1000  if (m->mbuf)
1001  {
1002  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1003  sep, sep, mbuf_maximum_queued(m->mbuf));
1004  }
1005 
1006  status_printf(so, "END");
1007  }
1008  else
1009  {
1010  status_printf(so, "ERROR: bad status format version number");
1011  }
1012 
1013 #ifdef PACKET_TRUNCATION_CHECK
1014  {
1015  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1016  hash_iterator_init(m->hash, &hi);
1017  while ((he = hash_iterator_next(&hi)))
1018  {
1019  struct gc_arena gc = gc_new();
1020  const struct multi_instance *mi = (struct multi_instance *) he->value;
1021 
1022  if (!mi->halt)
1023  {
1025  tls_common_name(mi->context.c2.tls_multi, false),
1026  m->top.c2.n_trunc_tun_read,
1027  mi->context.c2.n_trunc_tun_write,
1028  mi->context.c2.n_trunc_pre_encrypt,
1029  mi->context.c2.n_trunc_post_decrypt);
1030  }
1031  gc_free(&gc);
1032  }
1033  hash_iterator_free(&hi);
1034  }
1035 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1036 
1037  status_flush(so);
1038  gc_free(&gc_top);
1039  }
1040 
1041 #ifdef ENABLE_ASYNC_PUSH
1042  if (m->inotify_watchers)
1043  {
1044  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1045  }
1046 #endif
1047 }
1048 
1049 /*
1050  * Learn a virtual address or route.
1051  * The learn will fail if the learn address
1052  * script/plugin fails. In this case the
1053  * return value may be != mi.
1054  * Return the instance which owns this route,
1055  * or NULL if none.
1056  */
1057 static struct multi_instance *
1059  struct multi_instance *mi,
1060  const struct mroute_addr *addr,
1061  const unsigned int flags)
1062 {
1063  struct hash_element *he;
1064  const uint32_t hv = hash_value(m->vhash, addr);
1065  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1066  struct multi_route *oldroute = NULL;
1067  struct multi_instance *owner = NULL;
1068  struct gc_arena gc = gc_new();
1069 
1070  /* if route currently exists, get the instance which owns it */
1071  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1072  if (he)
1073  {
1074  oldroute = (struct multi_route *) he->value;
1075  }
1076  if (oldroute && multi_route_defined(m, oldroute))
1077  {
1078  owner = oldroute->instance;
1079  }
1080 
1081  /* do we need to add address to hash table? */
1082  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1083  && !mroute_addr_equal(addr, &m->local))
1084  {
1085  struct multi_route *newroute;
1086  bool learn_succeeded = false;
1087 
1088  ALLOC_OBJ(newroute, struct multi_route);
1089  newroute->addr = *addr;
1090  newroute->instance = mi;
1091  newroute->flags = flags;
1092  newroute->last_reference = now;
1093  newroute->cache_generation = 0;
1094 
1095  /* The cache is invalidated when cache_generation is incremented */
1096  if (flags & MULTI_ROUTE_CACHE)
1097  {
1099  }
1100 
1101  if (oldroute) /* route already exists? */
1102  {
1103  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1104  {
1105  learn_succeeded = true;
1106  owner = mi;
1108  route_quota_inc(mi);
1109 
1110  /* delete old route */
1111  multi_route_del(oldroute);
1112 
1113  /* modify hash table entry, replacing old route */
1114  he->key = &newroute->addr;
1115  he->value = newroute;
1116  }
1117  }
1118  else
1119  {
1120  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1121  {
1122  learn_succeeded = true;
1123  owner = mi;
1125  route_quota_inc(mi);
1126 
1127  /* add new route */
1128  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1129  }
1130  }
1131 
1132  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1133  learn_succeeded ? "" : " FAILED",
1134  mroute_addr_print(&newroute->addr, &gc),
1135  multi_instance_string(mi, false, &gc));
1136 
1137  if (!learn_succeeded)
1138  {
1139  free(newroute);
1140  }
1141  }
1142  gc_free(&gc);
1143 
1144  return owner;
1145 }
1146 
1147 /*
1148  * Get client instance based on virtual address.
1149  */
1150 static struct multi_instance *
1152  const struct mroute_addr *addr,
1153  bool cidr_routing)
1154 {
1155  struct multi_route *route;
1156  struct multi_instance *ret = NULL;
1157 
1158  /* check for local address */
1159  if (mroute_addr_equal(addr, &m->local))
1160  {
1161  return NULL;
1162  }
1163 
1164  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1165 
1166  /* does host route (possible cached) exist? */
1167  if (route && multi_route_defined(m, route))
1168  {
1169  struct multi_instance *mi = route->instance;
1170  route->last_reference = now;
1171  ret = mi;
1172  }
1173  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1174  {
1175  struct mroute_helper *rh = m->route_helper;
1176  struct mroute_addr tryaddr;
1177  int i;
1178 
1179  /* cycle through each CIDR length */
1180  for (i = 0; i < rh->n_net_len; ++i)
1181  {
1182  tryaddr = *addr;
1183  tryaddr.type |= MR_WITH_NETBITS;
1184  tryaddr.netbits = rh->net_len[i];
1185  mroute_addr_mask_host_bits(&tryaddr);
1186 
1187  /* look up a possible route with netbits netmask */
1188  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1189 
1190  if (route && multi_route_defined(m, route))
1191  {
1192  /* found an applicable route, cache host route */
1193  struct multi_instance *mi = route->instance;
1195  ret = mi;
1196  break;
1197  }
1198  }
1199  }
1200 
1201 #ifdef ENABLE_DEBUG
1203  {
1204  struct gc_arena gc = gc_new();
1205  const char *addr_text = mroute_addr_print(addr, &gc);
1206  if (ret)
1207  {
1208  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1209  addr_text,
1210  multi_instance_string(ret, false, &gc),
1211  mroute_addr_print(&route->addr, &gc));
1212  }
1213  else
1214  {
1215  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1216  addr_text);
1217  }
1218  gc_free(&gc);
1219  }
1220 #endif
1221 
1222  ASSERT(!(ret && ret->halt));
1223  return ret;
1224 }
1225 
1226 /*
1227  * Helper function to multi_learn_addr().
1228  */
1229 static struct multi_instance *
1231  struct multi_instance *mi,
1232  in_addr_t a,
1233  int netbits, /* -1 if host route, otherwise # of network bits in address */
1234  bool primary)
1235 {
1236  struct openvpn_sockaddr remote_si;
1237  struct mroute_addr addr;
1238 
1239  CLEAR(remote_si);
1240  remote_si.addr.in4.sin_family = AF_INET;
1241  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1242  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1243 
1244  if (netbits >= 0)
1245  {
1246  addr.type |= MR_WITH_NETBITS;
1247  addr.netbits = (uint8_t) netbits;
1248  }
1249 
1250  {
1251  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1252 #ifdef ENABLE_MANAGEMENT
1253  if (management && owner)
1254  {
1255  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1256  }
1257 #endif
1258  return owner;
1259  }
1260 }
1261 
1262 static struct multi_instance *
1264  struct multi_instance *mi,
1265  struct in6_addr a6,
1266  int netbits, /* -1 if host route, otherwise # of network bits in address */
1267  bool primary)
1268 {
1269  struct mroute_addr addr;
1270 
1271  addr.len = 16;
1272  addr.type = MR_ADDR_IPV6;
1273  addr.netbits = 0;
1274  addr.v6.addr = a6;
1275 
1276  if (netbits >= 0)
1277  {
1278  addr.type |= MR_WITH_NETBITS;
1279  addr.netbits = (uint8_t) netbits;
1280  mroute_addr_mask_host_bits( &addr );
1281  }
1282 
1283  {
1284  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1285 #ifdef ENABLE_MANAGEMENT
1286  if (management && owner)
1287  {
1288  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1289  }
1290 #endif
1291  return owner;
1292  }
1293 }
1294 
1295 /*
1296  * A new client has connected, add routes (server -> client)
1297  * to internal routing table.
1298  */
1299 static void
1301  struct multi_instance *mi)
1302 {
1303  struct gc_arena gc = gc_new();
1304  const struct iroute *ir;
1305  const struct iroute_ipv6 *ir6;
1307  {
1308  mi->did_iroutes = true;
1309  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1310  {
1311  if (ir->netbits >= 0)
1312  {
1313  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1314  print_in_addr_t(ir->network, 0, &gc),
1315  ir->netbits,
1316  multi_instance_string(mi, false, &gc));
1317  }
1318  else
1319  {
1320  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1321  print_in_addr_t(ir->network, 0, &gc),
1322  multi_instance_string(mi, false, &gc));
1323  }
1324 
1326 
1327  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1328  }
1329  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1330  {
1331  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1332  print_in6_addr(ir6->network, 0, &gc),
1333  ir6->netbits,
1334  multi_instance_string(mi, false, &gc));
1335 
1337 
1338  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1339  }
1340  }
1341  gc_free(&gc);
1342 }
1343 
1344 /*
1345  * Given an instance (new_mi), delete all other instances which use the
1346  * same common name.
1347  */
1348 static void
1350 {
1351  if (new_mi)
1352  {
1353  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1354  if (new_cn)
1355  {
1356  struct hash_iterator hi;
1357  struct hash_element *he;
1358  int count = 0;
1359 
1360  hash_iterator_init(m->iter, &hi);
1361  while ((he = hash_iterator_next(&hi)))
1362  {
1363  struct multi_instance *mi = (struct multi_instance *) he->value;
1364  if (mi != new_mi && !mi->halt)
1365  {
1366  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1367  if (cn && !strcmp(cn, new_cn))
1368  {
1369  mi->did_iter = false;
1370  multi_close_instance(m, mi, false);
1372  ++count;
1373  }
1374  }
1375  }
1376  hash_iterator_free(&hi);
1377 
1378  if (count)
1379  {
1380  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1381  }
1382  }
1383  }
1384 }
1385 
1386 static void
1388 {
1389 
1390  struct gc_arena gc = gc_new();
1391  struct hash_iterator hi;
1392  struct hash_element *he;
1393 
1394  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1396  while ((he = hash_iterator_next(&hi)) != NULL)
1397  {
1398  struct multi_route *r = (struct multi_route *) he->value;
1399  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1400  {
1401  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1402  mroute_addr_print(&r->addr, &gc));
1403  learn_address_script(m, NULL, "delete", &r->addr);
1404  multi_route_del(r);
1406  }
1407  }
1408  hash_iterator_free(&hi);
1409  gc_free(&gc);
1410 }
1411 
1412 /*
1413  * Ensure that endpoint to be pushed to client
1414  * complies with --ifconfig-push-constraint directive.
1415  */
1416 static bool
1418 {
1419  const struct options *o = &c->options;
1421  {
1423  }
1424  else
1425  {
1426  return true;
1427  }
1428 }
1429 
1430 /*
1431  * Select a virtual address for a new client instance.
1432  * Use an --ifconfig-push directive, if given (static IP).
1433  * Otherwise use an --ifconfig-pool address (dynamic IP).
1434  */
1435 static void
1437 {
1438  struct gc_arena gc = gc_new();
1439 
1440  /*
1441  * If ifconfig addresses were set by dynamic config file,
1442  * release pool addresses, otherwise keep them.
1443  */
1445  {
1446  /* ifconfig addresses were set statically,
1447  * release dynamic allocation */
1448  if (mi->vaddr_handle >= 0)
1449  {
1451  mi->vaddr_handle = -1;
1452  }
1453 
1454  mi->context.c2.push_ifconfig_defined = true;
1458 
1459  /* the current implementation does not allow "static IPv4, pool IPv6",
1460  * (see below) so issue a warning if that happens - don't break the
1461  * session, though, as we don't even know if this client WANTS IPv6
1462  */
1465  {
1466  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1467  }
1468  }
1469  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1470  {
1471  in_addr_t local = 0, remote = 0;
1472  struct in6_addr remote_ipv6;
1473  const char *cn = NULL;
1474 
1475  if (!mi->context.options.duplicate_cn)
1476  {
1477  cn = tls_common_name(mi->context.c2.tls_multi, true);
1478  }
1479 
1480  CLEAR(remote_ipv6);
1481  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1482  if (mi->vaddr_handle >= 0)
1483  {
1484  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1485  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1486 
1487  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1489  ? print_in_addr_t(remote, 0, &gc)
1490  : "(Not enabled)"),
1492  ? print_in6_addr( remote_ipv6, 0, &gc )
1493  : "(Not enabled)") );
1494 
1496  {
1497  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1498  mi->context.c2.push_ifconfig_local = remote;
1499  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1500  {
1503  {
1505  }
1506  }
1507  else if (tunnel_type == DEV_TYPE_TUN)
1508  {
1509  if (tunnel_topology == TOP_P2P)
1510  {
1512  }
1513  else if (tunnel_topology == TOP_NET30)
1514  {
1516  }
1517  }
1518 
1520  {
1521  mi->context.c2.push_ifconfig_defined = true;
1522  }
1523  else
1524  {
1526  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1527  multi_instance_string(mi, false, &gc));
1528  }
1529  }
1530 
1532  {
1533  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1535  mi->context.c1.tuntap->local_ipv6;
1539  }
1540  }
1541  else
1542  {
1543  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1544  }
1545  }
1546 
1547  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1548  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1549  * will fail (because no pool will be allocated in this case).
1550  * OTOH, this doesn't make too much sense in reality - and the other
1551  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1552  * -> and so it's implemented right now
1553  */
1555  {
1563 
1564  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1567  }
1568 
1569  gc_free(&gc);
1570 }
1571 
1572 /*
1573  * Set virtual address environmental variables.
1574  */
1575 static void
1577 {
1578  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1579  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1580  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1581 
1583  {
1584  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1585  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1586 
1588  "ifconfig_pool_remote_ip",
1591 
1592  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1593  {
1595  "ifconfig_pool_netmask",
1598  }
1599  else if (tunnel_type == DEV_TYPE_TUN)
1600  {
1602  "ifconfig_pool_local_ip",
1605  }
1606  }
1607 
1608  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1609  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1610  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1611 
1613  {
1615  "ifconfig_pool_remote",
1619  "ifconfig_pool_local",
1622  setenv_int(mi->context.c2.es,
1623  "ifconfig_pool_ip6_netbits",
1625  }
1626 }
1627 
1628 /*
1629  * Called after client-connect script is called
1630  */
1631 static void
1633  struct multi_instance *mi,
1634  const char *dc_file,
1635  unsigned int *option_types_found)
1636 {
1637  /* Did script generate a dynamic config file? */
1638  if (platform_test_file(dc_file))
1639  {
1641  dc_file,
1644  option_types_found,
1645  mi->context.c2.es);
1646 
1647  /*
1648  * If the --client-connect script generates a config file
1649  * with an --ifconfig-push directive, it will override any
1650  * --ifconfig-push directive from the --client-config-dir
1651  * directory or any --ifconfig-pool dynamic address.
1652  */
1655  }
1656 }
1657 
1658 #ifdef ENABLE_PLUGIN
1659 
1660 /*
1661  * Called after client-connect plug-in is called
1662  */
1663 static void
1665  struct multi_instance *mi,
1666  const struct plugin_return *pr,
1667  unsigned int *option_types_found)
1668 {
1669  struct plugin_return config;
1670 
1671  plugin_return_get_column(pr, &config, "config");
1672 
1673  /* Did script generate a dynamic config file? */
1674  if (plugin_return_defined(&config))
1675  {
1676  int i;
1677  for (i = 0; i < config.n; ++i)
1678  {
1679  if (config.list[i] && config.list[i]->value)
1680  {
1682  config.list[i]->value,
1685  option_types_found,
1686  mi->context.c2.es);
1687  }
1688  }
1689 
1690  /*
1691  * If the --client-connect script generates a config file
1692  * with an --ifconfig-push directive, it will override any
1693  * --ifconfig-push directive from the --client-config-dir
1694  * directory or any --ifconfig-pool dynamic address.
1695  */
1698  }
1699 }
1700 
1701 #endif /* ifdef ENABLE_PLUGIN */
1702 
1703 
1704 /*
1705  * Called to load management-derived client-connect config
1706  */
1709  struct multi_instance *mi,
1710  bool deferred,
1711  unsigned int *option_types_found)
1712 {
1713  /* We never return CC_RET_DEFERRED */
1714  ASSERT(!deferred);
1716 #ifdef ENABLE_MANAGEMENT
1717  if (mi->cc_config)
1718  {
1719  struct buffer_entry *be;
1720  for (be = mi->cc_config->head; be != NULL; be = be->next)
1721  {
1722  const char *opt = BSTR(&be->buf);
1724  opt,
1727  option_types_found,
1728  mi->context.c2.es);
1729  }
1730 
1731  /*
1732  * If the --client-connect script generates a config file
1733  * with an --ifconfig-push directive, it will override any
1734  * --ifconfig-push directive from the --client-config-dir
1735  * directory or any --ifconfig-pool dynamic address.
1736  */
1739 
1740  ret = CC_RET_SUCCEEDED;
1741  }
1742 #endif /* ifdef ENABLE_MANAGEMENT */
1743  return ret;
1744 }
1745 
1746 static void
1748  struct multi_instance *mi)
1749 {
1750  struct gc_arena gc = gc_new();
1751 
1752  /* setenv incoming cert common name for script */
1753  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1754 
1755  /* setenv client real IP address */
1757 
1758  /* setenv client virtual IP address */
1760 
1761  /* setenv connection time */
1762  {
1763  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1764  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1765  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1766  }
1767 
1768  gc_free(&gc);
1769 }
1770 
1776 static unsigned int
1777 extract_iv_proto(const char *peer_info)
1778 {
1779 
1780  const char *optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL;
1781  if (optstr)
1782  {
1783  int proto = 0;
1784  int r = sscanf(optstr, "IV_PROTO=%d", &proto);
1785  if (r == 1 && proto > 0)
1786  {
1787  return proto;
1788  }
1789  }
1790  return 0;
1791 }
1792 
1799 static bool
1801 {
1802  struct tls_multi *tls_multi = c->c2.tls_multi;
1803  const char *const peer_info = tls_multi->peer_info;
1804  struct options *o = &c->options;
1805 
1806 
1807  unsigned int proto = extract_iv_proto(peer_info);
1808  if (proto & IV_PROTO_DATA_V2)
1809  {
1810  tls_multi->use_peer_id = true;
1811  }
1812  if (proto & IV_PROTO_REQUEST_PUSH)
1813  {
1814  c->c2.push_request_received = true;
1815  }
1816 
1817 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1819 #endif
1820 
1821  /* Select cipher if client supports Negotiable Crypto Parameters */
1822  if (!o->ncp_enabled)
1823  {
1824  return true;
1825  }
1826 
1827  /* if we have already created our key, we cannot *change* our own
1828  * cipher -> so log the fact and push the "what we have now" cipher
1829  * (so the client is always told what we expect it to use)
1830  */
1831  const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
1833  {
1834  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1835  "server has already generated data channel keys, "
1836  "re-sending previously negotiated cipher '%s'",
1837  o->ciphername );
1838  return true;
1839  }
1840 
1841  /*
1842  * Push the first cipher from --data-ciphers to the client that
1843  * the client announces to be supporting.
1844  */
1845  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1846  tls_multi->remote_ciphername,
1847  &o->gc);
1848 
1849  if (push_cipher)
1850  {
1851  o->ciphername = push_cipher;
1852  return true;
1853  }
1854 
1855  /* NCP cipher negotiation failed. Try to figure out why exactly it
1856  * failed and give good error messages and potentially do a fallback
1857  * for non NCP clients */
1858  struct gc_arena gc = gc_new();
1859  bool ret = false;
1860 
1861  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1862  /* If we are in a situation where we know the client ciphers, there is no
1863  * reason to fall back to a cipher that will not be accepted by the other
1864  * side, in this situation we fail the auth*/
1865  if (strlen(peer_ciphers) > 0)
1866  {
1867  msg(M_INFO, "PUSH: No common cipher between server and client. "
1868  "Server data-ciphers: '%s', client supported ciphers '%s'",
1869  o->ncp_ciphers, peer_ciphers);
1870  }
1871  else if (tls_multi->remote_ciphername)
1872  {
1873  msg(M_INFO, "PUSH: No common cipher between server and client. "
1874  "Server data-ciphers: '%s', client supports cipher '%s'",
1875  o->ncp_ciphers, tls_multi->remote_ciphername);
1876  }
1877  else
1878  {
1879  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1880 
1881  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1882  {
1883  msg(M_INFO, "Using data channel cipher '%s' since "
1884  "--data-ciphers-fallback is set.", o->ciphername);
1885  ret = true;
1886  }
1887  else
1888  {
1889  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1890  "client is using if you want to allow the client to connect");
1891  }
1892  }
1893  if (!ret)
1894  {
1895  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1896  "failed (no shared cipher)");
1897  }
1898 
1899  gc_free(&gc);
1900  return ret;
1901 }
1902 
1907 static void
1909 {
1911  if (!ccs->deferred_ret_file)
1912  {
1913  return;
1914  }
1915 
1916  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1918  {
1919  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1920  ccs->deferred_ret_file);
1921  }
1922  free(ccs->deferred_ret_file);
1923  ccs->deferred_ret_file = NULL;
1924 }
1925 
1933 static bool
1935 {
1937  struct gc_arena gc = gc_new();
1938  const char *fn;
1939 
1940  /* Delete file if it already exists */
1942 
1943  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1944  if (!fn)
1945  {
1946  gc_free(&gc);
1947  return false;
1948  }
1949  ccs->deferred_ret_file = string_alloc(fn, NULL);
1950 
1951  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1952  ccs->deferred_ret_file);
1953 
1954  gc_free(&gc);
1955  return true;
1956 }
1957 
1966 static enum client_connect_return
1968 {
1970  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1971  if (!fp)
1972  {
1973  return CC_RET_SKIPPED;
1974  }
1975 
1977  const int c = fgetc(fp);
1978  switch (c)
1979  {
1980  case '0':
1981  ret = CC_RET_FAILED;
1982  break;
1983 
1984  case '1':
1985  ret = CC_RET_SUCCEEDED;
1986  break;
1987 
1988  case '2':
1989  ret = CC_RET_DEFERRED;
1990  break;
1991 
1992  case EOF:
1993  if (feof(fp))
1994  {
1995  ret = CC_RET_SKIPPED;
1996  break;
1997  }
1998 
1999  /* Not EOF but other error -> fall through to error state */
2000  default:
2001  /* We received an unknown/unexpected value. Assume failure. */
2002  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
2003  "client-connect resultfile");
2004  ret = CC_RET_FAILED;
2005  }
2006  fclose(fp);
2007 
2008  return ret;
2009 }
2010 
2016 static void
2018 {
2020  if (ccs->config_file)
2021  {
2022  setenv_del(mi->context.c2.es, "client_connect_config_file");
2023  if (!platform_unlink(ccs->config_file))
2024  {
2025  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2026  ccs->config_file);
2027  }
2028  free(ccs->config_file);
2029  ccs->config_file = NULL;
2030  }
2031 }
2032 
2040 static bool
2042 {
2044  struct gc_arena gc = gc_new();
2045  const char *fn;
2046 
2047  if (ccs->config_file)
2048  {
2050  }
2051 
2052  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2053  if (!fn)
2054  {
2055  gc_free(&gc);
2056  return false;
2057  }
2058  ccs->config_file = string_alloc(fn, NULL);
2059 
2060  setenv_str(mi->context.c2.es, "client_connect_config_file",
2061  ccs->config_file);
2062 
2063  gc_free(&gc);
2064  return true;
2065 }
2066 
2067 static enum client_connect_return
2069  struct multi_instance *mi,
2070  bool deferred,
2071  unsigned int *option_types_found)
2072 {
2074 #ifdef ENABLE_PLUGIN
2075  ASSERT(m);
2076  ASSERT(mi);
2077  ASSERT(option_types_found);
2079 
2080  /* deprecated callback, use a file for passing back return info */
2082  {
2083  struct argv argv = argv_new();
2084  int call;
2085 
2086  if (!deferred)
2087  {
2089  if (!ccs_gen_config_file(mi)
2090  || !ccs_gen_deferred_ret_file(mi))
2091  {
2092  ret = CC_RET_FAILED;
2093  goto cleanup;
2094  }
2095  }
2096  else
2097  {
2098  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2099  /* the initial call should have created these files */
2100  ASSERT(ccs->config_file);
2101  ASSERT(ccs->deferred_ret_file);
2102  }
2103 
2104  argv_printf(&argv, "%s", ccs->config_file);
2105  int plug_ret = plugin_call(mi->context.plugins, call,
2106  &argv, NULL, mi->context.c2.es);
2107  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2108  {
2109  ret = CC_RET_SUCCEEDED;
2110  }
2111  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2112  {
2113  ret = CC_RET_DEFERRED;
2119  }
2120  else
2121  {
2122  msg(M_WARN, "WARNING: client-connect plugin call failed");
2123  ret = CC_RET_FAILED;
2124  }
2125 
2126 
2132  int file_ret = ccs_test_deferred_ret_file(mi);
2133 
2134  if (file_ret == CC_RET_FAILED)
2135  {
2136  ret = CC_RET_FAILED;
2137  }
2138  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2139  {
2140  ret = CC_RET_DEFERRED;
2141  }
2142 
2143  /* if we still think we have succeeded, do postprocessing */
2144  if (ret == CC_RET_SUCCEEDED)
2145  {
2147  option_types_found);
2148  }
2149 cleanup:
2150  argv_free(&argv);
2151 
2152  if (ret != CC_RET_DEFERRED)
2153  {
2156  }
2157  }
2158 #endif /* ifdef ENABLE_PLUGIN */
2159  return ret;
2160 }
2161 
2162 static enum client_connect_return
2164  struct multi_instance *mi,
2165  bool deferred,
2166  unsigned int *option_types_found)
2167 {
2169 #ifdef ENABLE_PLUGIN
2170  ASSERT(m);
2171  ASSERT(mi);
2172  ASSERT(option_types_found);
2173 
2174  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2176  /* V2 callback, use a plugin_return struct for passing back return info */
2177  if (plugin_defined(mi->context.plugins, call))
2178  {
2179  struct plugin_return pr;
2180 
2181  plugin_return_init(&pr);
2182 
2183  int plug_ret = plugin_call(mi->context.plugins, call,
2184  NULL, &pr, mi->context.c2.es);
2185  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2186  {
2187  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2188  ret = CC_RET_SUCCEEDED;
2189  }
2190  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2191  {
2192  ret = CC_RET_DEFERRED;
2193  if (!(plugin_defined(mi->context.plugins,
2194  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2195  {
2196  msg(M_WARN, "A plugin that defers from the "
2197  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2198  "declare support for "
2199  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2200  ret = CC_RET_FAILED;
2201  }
2202  }
2203  else
2204  {
2205  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2206  ret = CC_RET_FAILED;
2207  }
2208 
2209 
2210  plugin_return_free(&pr);
2211  }
2212 #endif /* ifdef ENABLE_PLUGIN */
2213  return ret;
2214 }
2215 
2216 static enum client_connect_return
2218  struct multi_instance *mi,
2219  unsigned int *option_types_found)
2220 {
2221  ASSERT(mi);
2222  ASSERT(option_types_found);
2225 
2226  ret = ccs_test_deferred_ret_file(mi);
2227 
2228  if (ret == CC_RET_SKIPPED)
2229  {
2230  /*
2231  * Skipped and deferred are equivalent in this context.
2232  * skipped means that the called program has not yet
2233  * written a return status implicitly needing more time
2234  * while deferred is the explicit notification that it
2235  * needs more time
2236  */
2237  ret = CC_RET_DEFERRED;
2238  }
2239 
2240  if (ret == CC_RET_SUCCEEDED)
2241  {
2244  option_types_found);
2246  }
2247  if (ret == CC_RET_FAILED)
2248  {
2249  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2252  }
2253  return ret;
2254 }
2255 
2259 static enum client_connect_return
2261  struct multi_instance *mi,
2262  bool deferred,
2263  unsigned int *option_types_found)
2264 {
2265  if (deferred)
2266  {
2267  return multi_client_connect_script_deferred(m, mi, option_types_found);
2268  }
2269  ASSERT(m);
2270  ASSERT(mi);
2271 
2274 
2276  {
2277  struct argv argv = argv_new();
2278  struct gc_arena gc = gc_new();
2279 
2280  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2281 
2282  if (!ccs_gen_config_file(mi)
2283  || !ccs_gen_deferred_ret_file(mi))
2284  {
2285  ret = CC_RET_FAILED;
2286  goto cleanup;
2287  }
2288 
2290  argv_printf_cat(&argv, "%s", ccs->config_file);
2291 
2292  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2293  {
2295  {
2296  ret = CC_RET_DEFERRED;
2297  }
2298  else
2299  {
2301  option_types_found);
2302  ret = CC_RET_SUCCEEDED;
2303  }
2304  }
2305  else
2306  {
2307  ret = CC_RET_FAILED;
2308  }
2309 cleanup:
2310  if (ret != CC_RET_DEFERRED)
2311  {
2314  }
2315  argv_free(&argv);
2316  gc_free(&gc);
2317  }
2318  return ret;
2319 }
2320 
2324 static bool
2326 {
2327  struct frame *frame_fragment = NULL;
2328 #ifdef ENABLE_FRAGMENT
2329  if (c->options.ce.fragment)
2330  {
2331  frame_fragment = &c->c2.frame_fragment;
2332  }
2333 #endif
2334  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2335  if (!tls_session_update_crypto_params(session, &c->options,
2336  &c->c2.frame, frame_fragment))
2337  {
2338  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2339  register_signal(c, SIGUSR1, "process-push-msg-failed");
2340  return false;
2341  }
2342 
2343  return true;
2344 }
2345 
2346 static void
2348  struct multi_instance *mi,
2349  const unsigned int option_types_found)
2350 {
2351  ASSERT(m);
2352  ASSERT(mi);
2353 
2354  struct gc_arena gc = gc_new();
2355  /*
2356  * Process sourced options.
2357  */
2358  do_deferred_options(&mi->context, option_types_found);
2359 
2360  /*
2361  * make sure we got ifconfig settings from somewhere
2362  */
2363  if (!mi->context.c2.push_ifconfig_defined)
2364  {
2365  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2366  "--ifconfig address is available for %s",
2367  multi_instance_string(mi, false, &gc));
2368  }
2369 
2370  /*
2371  * make sure that ifconfig settings comply with constraints
2372  */
2374  {
2375  const char *ifconfig_constraint_network =
2377  const char *ifconfig_constraint_netmask =
2379 
2380  /* JYFIXME -- this should cause the connection to fail */
2381  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2382  "violates tunnel network/netmask constraint (%s/%s)",
2383  multi_instance_string(mi, false, &gc),
2385  ifconfig_constraint_network, ifconfig_constraint_netmask);
2386  }
2387 
2388  /*
2389  * For routed tunnels, set up internal route to endpoint
2390  * plus add all iroute routes.
2391  */
2393  {
2395  {
2396  multi_learn_in_addr_t(m, mi,
2398  -1, true);
2399  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2400  multi_instance_string(mi, false, &gc),
2402  }
2403 
2405  {
2406  multi_learn_in6_addr(m, mi,
2408  -1, true);
2409  /* TODO: find out where addresses are "unlearned"!! */
2410  const char *ifconfig_local_ipv6 =
2412  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2413  multi_instance_string(mi, false, &gc),
2414  ifconfig_local_ipv6);
2415  }
2416 
2417  /* add routes locally, pointing to new client, if
2418  * --iroute options have been specified */
2419  multi_add_iroutes(m, mi);
2420 
2421  /*
2422  * iroutes represent subnets which are "owned" by a particular
2423  * client. Therefore, do not actually push a route to a client
2424  * if it matches one of the client's iroutes.
2425  */
2427  }
2428  else if (mi->context.options.iroutes)
2429  {
2430  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2431  "only works with tun-style tunnels",
2432  multi_instance_string(mi, false, &gc));
2433  }
2434 
2435  /* set our client's VPN endpoint for status reporting purposes */
2438 
2439  /* set context-level authentication flag */
2441 
2442  /* authentication complete, calculate dynamic client specific options */
2444  {
2446  }
2447  /* Generate data channel keys only if setting protocol options
2448  * has not failed */
2449  else if (!multi_client_generate_tls_keys(&mi->context))
2450  {
2452  }
2453 
2454  /* send push reply if ready */
2456  {
2458  }
2459 
2460  gc_free(&gc);
2461 }
2462 
2463 static void
2465  struct multi_instance *mi)
2466 {
2467  ASSERT(mi->context.c1.tuntap);
2468  /*
2469  * lock down the common name and cert hashes so they can't change
2470  * during future TLS renegotiations
2471  */
2474 
2475  /* generate a msg() prefix for this client instance */
2476  generate_prefix(mi);
2477 
2478  /* delete instances of previous clients with same common-name */
2479  if (!mi->context.options.duplicate_cn)
2480  {
2481  multi_delete_dup(m, mi);
2482  }
2483 
2484  /* reset pool handle to null */
2485  mi->vaddr_handle = -1;
2486 
2487  /* do --client-connect setenvs */
2489 
2491 }
2492 
2497 static enum client_connect_return
2499  struct multi_instance *mi,
2500  bool deferred,
2501  unsigned int *option_types_found)
2502 {
2503  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2504  * problem */
2505  ASSERT(!deferred);
2508  {
2509  struct gc_arena gc = gc_new();
2510  const char *ccd_file = NULL;
2511 
2512  const char *ccd_client =
2514  tls_common_name(mi->context.c2.tls_multi, false),
2515  &gc);
2516 
2517  const char *ccd_default =
2519  CCD_DEFAULT, &gc);
2520 
2521 
2522  /* try common-name file */
2523  if (platform_test_file(ccd_client))
2524  {
2525  ccd_file = ccd_client;
2526  }
2527  /* try default file */
2528  else if (platform_test_file(ccd_default))
2529  {
2530  ccd_file = ccd_default;
2531  }
2532 
2533  if (ccd_file)
2534  {
2536  ccd_file,
2539  option_types_found,
2540  mi->context.c2.es);
2541  /*
2542  * Select a virtual address from either --ifconfig-push in
2543  * --client-config-dir file or --ifconfig-pool.
2544  */
2546 
2548 
2549  ret = CC_RET_SUCCEEDED;
2550  }
2551  gc_free(&gc);
2552  }
2553  return ret;
2554 }
2555 
2557  (struct multi_context *m, struct multi_instance *mi,
2558  bool from_deferred, unsigned int *option_types_found);
2559 
2566  NULL,
2567 };
2568 
2569 /*
2570  * Called as soon as the SSL/TLS connection is authenticated.
2571  *
2572  * Will collect the client specific configuration from the different
2573  * sources like ccd files, connect plugins and management interface.
2574  *
2575  * This method starts with cas_context CAS_PENDING and will move the
2576  * state machine to either CAS_SUCCEEDED on success or
2577  * CAS_FAILED/CAS_PARTIAL on failure.
2578  *
2579  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2580  * include:
2581  *
2582  * iroute start-ip end-ip
2583  * ifconfig-push local remote-netmask
2584  * push
2585  *
2586  *
2587  */
2588 static void
2590 {
2593  {
2594  return;
2595  }
2596 
2597  /* We are only called for the CAS_PENDING_x states, so we
2598  * can ignore other states here */
2599  bool from_deferred = (mi->context.c2.context_auth != CAS_PENDING);
2600 
2601  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2602  unsigned int *option_types_found =
2604 
2605  /* We are called for the first time */
2606  if (!from_deferred)
2607  {
2608  *cur_handler_index = 0;
2609  *option_types_found = 0;
2610  /* Initially we have no handler that has returned a result */
2612 
2614  }
2615 
2616  bool cc_succeeded = true;
2617 
2618  while (cc_succeeded
2619  && client_connect_handlers[*cur_handler_index] != NULL)
2620  {
2621  enum client_connect_return ret;
2622  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2623  option_types_found);
2624 
2625  from_deferred = false;
2626 
2627  switch (ret)
2628  {
2629  case CC_RET_SUCCEEDED:
2630  /*
2631  * Remember that we already had at least one handler
2632  * returning a result should we go to into deferred state
2633  */
2634  mi->context.c2.context_auth = CAS_PENDING_DEFERRED_PARTIAL;
2635  break;
2636 
2637  case CC_RET_SKIPPED:
2638  /*
2639  * Move on with the next handler without modifying any
2640  * other state
2641  */
2642  break;
2643 
2644  case CC_RET_DEFERRED:
2645  /*
2646  * we already set client_connect_status to DEFERRED_RESULT or
2647  * DEFERRED_NO_RESULT. We just return
2648  * from the function as having client_connect_status
2649  */
2650  return;
2651 
2652  case CC_RET_FAILED:
2653  /*
2654  * One handler failed. We abort the chain and set the final
2655  * result to failed
2656  */
2657  cc_succeeded = false;
2658  break;
2659 
2660  default:
2661  ASSERT(0);
2662  }
2663 
2664  /*
2665  * Check for "disable" directive in client-config-dir file
2666  * or config file generated by --client-connect script.
2667  */
2668  if (mi->context.options.disable)
2669  {
2670  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2671  "'disable' directive");
2672  cc_succeeded = false;
2673  }
2674 
2675  (*cur_handler_index)++;
2676  }
2677 
2678  if (cc_succeeded)
2679  {
2680  multi_client_connect_late_setup(m, mi, *option_types_found);
2681  }
2682  else
2683  {
2684  /* run the disconnect script if we had a connect script that
2685  * did not fail */
2687  {
2689  }
2690 
2692  }
2693 
2694  /* increment number of current authenticated clients */
2695  ++m->n_clients;
2697  --mi->n_clients_delta;
2698 
2699 #ifdef ENABLE_MANAGEMENT
2700  if (management)
2701  {
2703  &mi->context.c2.mda_context, mi->context.c2.es);
2704  }
2705 #endif
2706 }
2707 
2708 #ifdef ENABLE_ASYNC_PUSH
2709 /*
2710  * Called when inotify event is fired, which happens when acf
2711  * or connect-status file is closed or deleted.
2712  * Continues authentication and sends push_reply
2713  * (or be deferred again by client-connect)
2714  */
2715 void
2716 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2717 {
2718  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2719  size_t buffer_i = 0;
2720  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2721 
2722  while (buffer_i < r)
2723  {
2724  /* parse inotify events */
2725  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2726  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2727  buffer_i += event_size;
2728 
2729  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2730 
2731  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2732 
2733  if (pevent->mask & IN_CLOSE_WRITE)
2734  {
2735  if (mi)
2736  {
2737  /* continue authentication, perform NCP negotiation and send push_reply */
2738  multi_process_post(m, mi, mpp_flags);
2739  }
2740  else
2741  {
2742  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2743  }
2744  }
2745  else if (pevent->mask & IN_IGNORED)
2746  {
2747  /* this event is _always_ fired when watch is removed or file is deleted */
2748  if (mi)
2749  {
2750  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2751  mi->inotify_watch = -1;
2752  }
2753  }
2754  else
2755  {
2756  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2757  }
2758  }
2759 }
2760 #endif /* ifdef ENABLE_ASYNC_PUSH */
2761 
2762 /*
2763  * Add a mbuf buffer to a particular
2764  * instance.
2765  */
2766 void
2768  struct multi_instance *mi,
2769  struct mbuf_buffer *mb)
2770 {
2771  if (multi_output_queue_ready(m, mi))
2772  {
2773  struct mbuf_item item;
2774  item.buffer = mb;
2775  item.instance = mi;
2776  mbuf_add_item(m->mbuf, &item);
2777  }
2778  else
2779  {
2780  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2781  }
2782 }
2783 
2784 /*
2785  * Add a packet to a client instance output queue.
2786  */
2787 static inline void
2789  const struct buffer *buf,
2790  struct multi_instance *mi)
2791 {
2792  struct mbuf_buffer *mb;
2793 
2794  if (BLEN(buf) > 0)
2795  {
2796  mb = mbuf_alloc_buf(buf);
2797  mb->flags = MF_UNICAST;
2798  multi_add_mbuf(m, mi, mb);
2799  mbuf_free_buf(mb);
2800  }
2801 }
2802 
2803 /*
2804  * Broadcast a packet to all clients.
2805  */
2806 static void
2808  const struct buffer *buf,
2809  const struct multi_instance *sender_instance,
2810  const struct mroute_addr *sender_addr,
2811  uint16_t vid)
2812 {
2813  struct hash_iterator hi;
2814  struct hash_element *he;
2815  struct multi_instance *mi;
2816  struct mbuf_buffer *mb;
2817 
2818  if (BLEN(buf) > 0)
2819  {
2821 #ifdef MULTI_DEBUG_EVENT_LOOP
2822  printf("BCAST len=%d\n", BLEN(buf));
2823 #endif
2824  mb = mbuf_alloc_buf(buf);
2825  hash_iterator_init(m->iter, &hi);
2826 
2827  while ((he = hash_iterator_next(&hi)))
2828  {
2829  mi = (struct multi_instance *) he->value;
2830  if (mi != sender_instance && !mi->halt)
2831  {
2832 #ifdef ENABLE_PF
2833  if (sender_instance)
2834  {
2835  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2836  sender_instance->context.c2.tls_multi,
2837  &mi->context.c2.pf,
2838  mi->context.c2.tls_multi,
2839  "bcast_c2c"))
2840  {
2841  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2842  mi_prefix(sender_instance),
2843  mi_prefix(mi));
2844  continue;
2845  }
2846  }
2847  if (sender_addr)
2848  {
2849  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2850  sender_addr, "bcast_src_addr"))
2851  {
2852  struct gc_arena gc = gc_new();
2853  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2854  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2855  mi_prefix(mi));
2856  gc_free(&gc);
2857  continue;
2858  }
2859  }
2860 #endif /* ifdef ENABLE_PF */
2861  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2862  {
2863  continue;
2864  }
2865  multi_add_mbuf(m, mi, mb);
2866  }
2867  }
2868 
2869  hash_iterator_free(&hi);
2870  mbuf_free_buf(mb);
2871  perf_pop();
2872  }
2873 }
2874 
2875 /*
2876  * Given a time delta, indicating that we wish to be
2877  * awoken by the scheduler at time now + delta, figure
2878  * a sigma parameter (in microseconds) that represents
2879  * a sort of fuzz factor around delta, so that we're
2880  * really telling the scheduler to wake us up any time
2881  * between now + delta - sigma and now + delta + sigma.
2882  *
2883  * The sigma parameter helps the scheduler to run more efficiently.
2884  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2885  */
2886 static inline unsigned int
2887 compute_wakeup_sigma(const struct timeval *delta)
2888 {
2889  if (delta->tv_sec < 1)
2890  {
2891  /* if < 1 sec, fuzz = # of microseconds / 8 */
2892  return delta->tv_usec >> 3;
2893  }
2894  else
2895  {
2896  /* if < 10 minutes, fuzz = 13.1% of timeout */
2897  if (delta->tv_sec < 600)
2898  {
2899  return delta->tv_sec << 17;
2900  }
2901  else
2902  {
2903  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2904  }
2905  }
2906 }
2907 
2908 static void
2910 {
2911  /* calculate an absolute wakeup time */
2912  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2913  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2914 
2915  /* tell scheduler to wake us up at some point in the future */
2917  (struct schedule_entry *) mi,
2918  &mi->wakeup,
2919  compute_wakeup_sigma(&mi->context.c2.timeval));
2920 }
2921 
2922 #if defined(ENABLE_ASYNC_PUSH)
2923 static void
2924 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2925  int inotify_fd, const char *file)
2926 {
2927  /* watch acf file */
2928  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2929  IN_CLOSE_WRITE | IN_ONESHOT);
2930  if (watch_descriptor >= 0)
2931  {
2932  if (mi->inotify_watch != -1)
2933  {
2934  hash_remove(m->inotify_watchers,
2935  (void *) (unsigned long)mi->inotify_watch);
2936  }
2937  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2938  mi, true);
2939  mi->inotify_watch = watch_descriptor;
2940  }
2941  else
2942  {
2943  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2944  }
2945 }
2946 #endif /* if defined(ENABLE_ASYNC_PUSH) */
2947 
2948 /*
2949  * Figure instance-specific timers, convert
2950  * earliest to absolute time in mi->wakeup,
2951  * call scheduler with our future wakeup time.
2952  *
2953  * Also close context on signal.
2954  */
2955 bool
2956 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2957 {
2958  bool ret = true;
2959 
2960  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2961  {
2962 #if defined(ENABLE_ASYNC_PUSH)
2963  bool was_unauthenticated = true;
2964  struct key_state *ks = NULL;
2965  if (mi->context.c2.tls_multi)
2966  {
2968  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2969  }
2970 #endif
2971 
2972  /* figure timeouts and fetch possible outgoing
2973  * to_link packets (such as ping or TLS control) */
2974  pre_select(&mi->context);
2975 
2976 #if defined(ENABLE_ASYNC_PUSH)
2977  /*
2978  * if we see the state transition from unauthenticated to deferred
2979  * and an auth_control_file, we assume it got just added and add
2980  * inotify watch to that file
2981  */
2982  if (ks && ks->auth_control_file && was_unauthenticated
2983  && (ks->authenticated == KS_AUTH_DEFERRED))
2984  {
2985  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2986  ks->auth_control_file);
2987  }
2988 #endif
2989 
2990  if (!IS_SIG(&mi->context))
2991  {
2992  /* connection is "established" when SSL/TLS key negotiation succeeds
2993  * and (if specified) auth user/pass succeeds */
2996  {
2998  }
2999 #if defined(ENABLE_ASYNC_PUSH)
3002  {
3003  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3005  deferred_ret_file);
3006  }
3007 #endif
3008  /* tell scheduler to wake us up at some point in the future */
3010  }
3011  }
3012 
3013  if (IS_SIG(&mi->context))
3014  {
3015  if (flags & MPP_CLOSE_ON_SIGNAL)
3016  {
3018  ret = false;
3019  }
3020  }
3021  else
3022  {
3023  /* continue to pend on output? */
3024  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3025 
3026 #ifdef MULTI_DEBUG_EVENT_LOOP
3027  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3028  id(mi),
3029  (int) (mi == m->pending),
3030  mi ? mi->context.c2.to_tun.len : -1,
3031  mi ? mi->context.c2.to_link.len : -1,
3032  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3033  (int64_t)mi->context.c2.timeval.tv_sec,
3034  (long)mi->context.c2.timeval.tv_usec);
3035 #endif
3036  }
3037 
3038  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3039  {
3040  *m->mpp_touched = mi;
3041  }
3042 
3043  return ret;
3044 }
3045 
3046 void
3048 {
3049  struct mroute_addr real;
3050  struct hash *hash = m->hash;
3051  struct gc_arena gc = gc_new();
3052 
3053  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3054  {
3055  goto done;
3056  }
3057 
3058  const uint32_t hv = hash_value(hash, &real);
3059  struct hash_bucket *bucket = hash_bucket(hash, hv);
3060 
3061  /* make sure that we don't float to an address taken by another client */
3062  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3063  if (he)
3064  {
3065  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3066 
3067  struct tls_multi *m1 = mi->context.c2.tls_multi;
3068  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3069 
3070  /* do not float if target address is taken by client with another cert */
3071  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3072  {
3073  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3074  multi_instance_string(ex_mi, false, &gc));
3075 
3076  mi->context.c2.buf.len = 0;
3077 
3078  goto done;
3079  }
3080 
3081  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3082  multi_close_instance(m, ex_mi, false);
3083  }
3084 
3085  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3086  mi->context.c2.tls_multi->peer_id,
3087  tls_common_name(mi->context.c2.tls_multi, false),
3088  mroute_addr_print(&mi->real, &gc),
3089  print_link_socket_actual(&m->top.c2.from, &gc));
3090 
3091  /* remove old address from hash table before changing address */
3092  ASSERT(hash_remove(m->hash, &mi->real));
3093  ASSERT(hash_remove(m->iter, &mi->real));
3094 
3095  /* change external network address of the remote peer */
3096  mi->real = real;
3097  generate_prefix(mi);
3098 
3099  mi->context.c2.from = m->top.c2.from;
3100  mi->context.c2.to_link_addr = &mi->context.c2.from;
3101 
3102  /* inherit parent link_socket and link_socket_info */
3105 
3107 
3108  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3109  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3110 
3111 #ifdef ENABLE_MANAGEMENT
3112  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3113 #endif
3114 
3115 done:
3116  gc_free(&gc);
3117 }
3118 
3119 /*
3120  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3121  * i.e. client -> server direction.
3122  */
3123 bool
3124 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3125 {
3126  struct gc_arena gc = gc_new();
3127 
3128  struct context *c;
3129  struct mroute_addr src, dest;
3130  unsigned int mroute_flags;
3131  struct multi_instance *mi;
3132  bool ret = true;
3133  bool floated = false;
3134 
3135  if (m->pending)
3136  {
3137  return true;
3138  }
3139 
3140  if (!instance)
3141  {
3142 #ifdef MULTI_DEBUG_EVENT_LOOP
3143  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3144 #endif
3146  }
3147  else
3148  {
3149  multi_set_pending(m, instance);
3150  }
3151 
3152  if (m->pending)
3153  {
3154  set_prefix(m->pending);
3155 
3156  /* get instance context */
3157  c = &m->pending->context;
3158 
3159  if (!instance)
3160  {
3161  /* transfer packet pointer from top-level context buffer to instance */
3162  c->c2.buf = m->top.c2.buf;
3163 
3164  /* transfer from-addr from top-level context buffer to instance */
3165  if (!floated)
3166  {
3167  c->c2.from = m->top.c2.from;
3168  }
3169  }
3170 
3171  if (BLEN(&c->c2.buf) > 0)
3172  {
3173  struct link_socket_info *lsi;
3174  const uint8_t *orig_buf;
3175 
3176  /* decrypt in instance context */
3177 
3179  lsi = get_link_socket_info(c);
3180  orig_buf = c->c2.buf.data;
3181  if (process_incoming_link_part1(c, lsi, floated))
3182  {
3183  /* nonzero length means that we have a valid, decrypted packed */
3184  if (floated && c->c2.buf.len > 0)
3185  {
3187  }
3188 
3189  process_incoming_link_part2(c, lsi, orig_buf);
3190  }
3191  perf_pop();
3192 
3193  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3194  {
3195  /* extract packet source and dest addresses */
3196  mroute_flags = mroute_extract_addr_from_packet(&src,
3197  &dest,
3198  NULL,
3199  NULL,
3200  0,
3201  &c->c2.to_tun,
3202  DEV_TYPE_TUN);
3203 
3204  /* drop packet if extract failed */
3205  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3206  {
3207  c->c2.to_tun.len = 0;
3208  }
3209  /* make sure that source address is associated with this client */
3210  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3211  {
3212  /* IPv6 link-local address (fe80::xxx)? */
3213  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3214  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3215  {
3216  /* do nothing, for now. TODO: add address learning */
3217  }
3218  else
3219  {
3220  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3221  mroute_addr_print(&src, &gc));
3222  }
3223  c->c2.to_tun.len = 0;
3224  }
3225  /* client-to-client communication enabled? */
3226  else if (m->enable_c2c)
3227  {
3228  /* multicast? */
3229  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3230  {
3231  /* for now, treat multicast as broadcast */
3232  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3233  }
3234  else /* possible client to client routing */
3235  {
3236  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3237  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3238 
3239  /* if dest addr is a known client, route to it */
3240  if (mi)
3241  {
3242 #ifdef ENABLE_PF
3243  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3244  &mi->context.c2.pf,
3245  mi->context.c2.tls_multi,
3246  "tun_c2c"))
3247  {
3248  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
3249  mi_prefix(mi));
3250  }
3251  else
3252 #endif
3253  {
3254  multi_unicast(m, &c->c2.to_tun, mi);
3255  register_activity(c, BLEN(&c->c2.to_tun));
3256  }
3257  c->c2.to_tun.len = 0;
3258  }
3259  }
3260  }
3261 #ifdef ENABLE_PF
3262  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
3263  "tun_dest_addr"))
3264  {
3265  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
3266  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
3267  c->c2.to_tun.len = 0;
3268  }
3269 #endif
3270  }
3271  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3272  {
3273  uint16_t vid = 0;
3274 #ifdef ENABLE_PF
3275  struct mroute_addr edest;
3276  mroute_addr_reset(&edest);
3277 #endif
3278 
3279  if (m->top.options.vlan_tagging)
3280  {
3281  if (vlan_is_tagged(&c->c2.to_tun))
3282  {
3283  /* Drop VLAN-tagged frame. */
3284  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3285  c->c2.to_tun.len = 0;
3286  }
3287  else
3288  {
3289  vid = c->options.vlan_pvid;
3290  }
3291  }
3292  /* extract packet source and dest addresses */
3293  mroute_flags = mroute_extract_addr_from_packet(&src,
3294  &dest,
3295  NULL,
3296 #ifdef ENABLE_PF
3297  &edest,
3298 #else
3299  NULL,
3300 #endif
3301  vid,
3302  &c->c2.to_tun,
3303  DEV_TYPE_TAP);
3304 
3305  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3306  {
3307  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3308  {
3309  /* check for broadcast */
3310  if (m->enable_c2c)
3311  {
3312  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3313  {
3314  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3315  vid);
3316  }
3317  else /* try client-to-client routing */
3318  {
3319  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3320 
3321  /* if dest addr is a known client, route to it */
3322  if (mi)
3323  {
3324 #ifdef ENABLE_PF
3325  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3326  &mi->context.c2.pf,
3327  mi->context.c2.tls_multi,
3328  "tap_c2c"))
3329  {
3330  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
3331  mi_prefix(mi));
3332  }
3333  else
3334 #endif
3335  {
3336  multi_unicast(m, &c->c2.to_tun, mi);
3337  register_activity(c, BLEN(&c->c2.to_tun));
3338  }
3339  c->c2.to_tun.len = 0;
3340  }
3341  }
3342  }
3343 #ifdef ENABLE_PF
3344  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
3345  &edest,
3346  "tap_dest_addr"))
3347  {
3348  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
3349  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
3350  c->c2.to_tun.len = 0;
3351  }
3352 #endif
3353  }
3354  else
3355  {
3356  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3357  mroute_addr_print(&src, &gc));
3358  c->c2.to_tun.len = 0;
3359  }
3360  }
3361  else
3362  {
3363  c->c2.to_tun.len = 0;
3364  }
3365  }
3366  }
3367 
3368  /* postprocess and set wakeup */
3369  ret = multi_process_post(m, m->pending, mpp_flags);
3370 
3371  clear_prefix();
3372  }
3373 
3374  gc_free(&gc);
3375  return ret;
3376 }
3377 
3378 /*
3379  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3380  * i.e. server -> client direction.
3381  */
3382 bool
3383 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3384 {
3385  struct gc_arena gc = gc_new();
3386  bool ret = true;
3387 
3388  if (BLEN(&m->top.c2.buf) > 0)
3389  {
3390  unsigned int mroute_flags;
3391  struct mroute_addr src, dest;
3392  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3393  int16_t vid = 0;
3394 
3395 #ifdef ENABLE_PF
3396  struct mroute_addr esrc, *e1, *e2;
3397  if (dev_type == DEV_TYPE_TUN)
3398  {
3399  e1 = NULL;
3400  e2 = &src;
3401  }
3402  else
3403  {
3404  e1 = e2 = &esrc;
3405  mroute_addr_reset(&esrc);
3406  }
3407 #endif
3408 
3409 #ifdef MULTI_DEBUG_EVENT_LOOP
3410  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3411 #endif
3412 
3413  if (m->pending)
3414  {
3415  return true;
3416  }
3417 
3418  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3419  {
3420  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3421  if (vid < 0)
3422  {
3423  return false;
3424  }
3425  }
3426 
3427  /*
3428  * Route an incoming tun/tap packet to
3429  * the appropriate multi_instance object.
3430  */
3431 
3432  mroute_flags = mroute_extract_addr_from_packet(&src,
3433  &dest,
3434 #ifdef ENABLE_PF
3435  e1,
3436 #else
3437  NULL,
3438 #endif
3439  NULL,
3440  vid,
3441  &m->top.c2.buf,
3442  dev_type);
3443 
3444  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3445  {
3446  struct context *c;
3447 
3448  /* broadcast or multicast dest addr? */
3449  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3450  {
3451  /* for now, treat multicast as broadcast */
3452 #ifdef ENABLE_PF
3453  multi_bcast(m, &m->top.c2.buf, NULL, e2, vid);
3454 #else
3455  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3456 #endif
3457  }
3458  else
3459  {
3461 
3462  if (m->pending)
3463  {
3464  /* get instance context */
3465  c = &m->pending->context;
3466 
3467  set_prefix(m->pending);
3468 
3469 #ifdef ENABLE_PF
3470  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
3471  {
3472  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
3473  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
3474  buf_reset_len(&c->c2.buf);
3475  }
3476  else
3477 #endif
3478  {
3479  if (multi_output_queue_ready(m, m->pending))
3480  {
3481  /* transfer packet pointer from top-level context buffer to instance */
3482  c->c2.buf = m->top.c2.buf;
3483  }
3484  else
3485  {
3486  /* drop packet */
3487  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3488  buf_reset_len(&c->c2.buf);
3489  }
3490  }
3491 
3492  /* encrypt in instance context */
3494 
3495  /* postprocess and set wakeup */
3496  ret = multi_process_post(m, m->pending, mpp_flags);
3497 
3498  clear_prefix();
3499  }
3500  }
3501  }
3502  }
3503  gc_free(&gc);
3504  return ret;
3505 }
3506 
3507 /*
3508  * Process a possible client-to-client/bcast/mcast message in the
3509  * queue.
3510  */
3511 struct multi_instance *
3513 {
3514  struct mbuf_item item;
3515 
3516  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3517  {
3518  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3519 
3520  set_prefix(item.instance);
3521  item.instance->context.c2.buf = item.buffer->buf;
3522  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3523  {
3524  pip_flags |= PIP_MSSFIX;
3525  }
3526  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3527  encrypt_sign(&item.instance->context, true);
3528  mbuf_free_buf(item.buffer);
3529 
3530  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3531 
3532  clear_prefix();
3533  return item.instance;
3534  }
3535  else
3536  {
3537  return NULL;
3538  }
3539 }
3540 
3541 /*
3542  * Called when an I/O wait times out. Usually means that a particular
3543  * client instance object needs timer-based service.
3544  */
3545 bool
3546 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3547 {
3548  bool ret = true;
3549 
3550 #ifdef MULTI_DEBUG_EVENT_LOOP
3551  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3552 #endif
3553 
3554  /* instance marked for wakeup? */
3555  if (m->earliest_wakeup)
3556  {
3558  {
3561  }
3562  else
3563  {
3565  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3566  clear_prefix();
3567  }
3568  m->earliest_wakeup = NULL;
3569  }
3570  return ret;
3571 }
3572 
3573 /*
3574  * Drop a TUN/TAP outgoing packet..
3575  */
3576 void
3577 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3578 {
3579  struct multi_instance *mi = m->pending;
3580 
3581  ASSERT(mi);
3582 
3583  set_prefix(mi);
3584 
3585  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3586  mi->context.c2.to_tun.len);
3587 
3588  buf_reset(&mi->context.c2.to_tun);
3589 
3590  multi_process_post(m, mi, mpp_flags);
3591  clear_prefix();
3592 }
3593 
3594 /*
3595  * Per-client route quota management
3596  */
3597 
3598 void
3600 {
3601  struct gc_arena gc = gc_new();
3602  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3604  multi_instance_string(mi, false, &gc));
3605  gc_free(&gc);
3606 }
3607 
3608 #ifdef ENABLE_DEBUG
3609 /*
3610  * Flood clients with random packets
3611  */
3612 static void
3613 gremlin_flood_clients(struct multi_context *m)
3614 {
3615  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3616  if (level)
3617  {
3618  struct gc_arena gc = gc_new();
3619  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3620  struct packet_flood_parms parm = get_packet_flood_parms(level);
3621  int i;
3622 
3623  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
3624  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
3625 
3626  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3627  parm.n_packets,
3628  parm.packet_size);
3629 
3630  for (i = 0; i < parm.packet_size; ++i)
3631  {
3632  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3633  }
3634 
3635  for (i = 0; i < parm.n_packets; ++i)
3636  {
3637  multi_bcast(m, &buf, NULL, NULL, 0);
3638  }
3639 
3640  gc_free(&gc);
3641  }
3642 }
3643 #endif /* ifdef ENABLE_DEBUG */
3644 
3645 static bool
3647 {
3648  struct timeval null;
3649  CLEAR(null);
3651 }
3652 
3653 /*
3654  * Process timers in the top-level context
3655  */
3656 void
3658 {
3659  /* possibly reap instances/routes in vhash */
3660  multi_reap_process(m);
3661 
3662  /* possibly print to status log */
3663  if (m->top.c1.status_output)
3664  {
3666  {
3668  }
3669  }
3670 
3671  /* possibly flush ifconfig-pool file */
3672  multi_ifconfig_pool_persist(m, false);
3673 
3674 #ifdef ENABLE_DEBUG
3675  gremlin_flood_clients(m);
3676 #endif
3677 
3678  /* Should we check for stale routes? */
3680  {
3681  check_stale_routes(m);
3682  }
3683 }
3684 
3685 void
3686 multi_top_init(struct multi_context *m, const struct context *top)
3687 {
3688  inherit_context_top(&m->top, top);
3689  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3690 }
3691 
3692 void
3694 {
3695  close_context(&m->top, -1, CC_GC_FREE);
3697 }
3698 
3699 static bool
3701 {
3702  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3703 }
3704 
3705 static void
3707 {
3708  struct hash_iterator hi;
3709  struct hash_element *he;
3710  struct timeval tv;
3711 
3712  /* tell all clients to restart */
3713  hash_iterator_init(m->iter, &hi);
3714  while ((he = hash_iterator_next(&hi)))
3715  {
3716  struct multi_instance *mi = (struct multi_instance *) he->value;
3717  if (!mi->halt)
3718  {
3719  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3721  }
3722  }
3723  hash_iterator_free(&hi);
3724 
3725  /* reschedule signal */
3727  tv.tv_sec = 2;
3728  tv.tv_usec = 0;
3730 
3732 
3737 
3738  m->top.sig->signal_received = 0;
3739 }
3740 
3741 /*
3742  * Return true if event loop should break,
3743  * false if it should continue.
3744  */
3745 bool
3747 {
3748  if (m->top.sig->signal_received == SIGUSR2)
3749  {
3750  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3752  status_close(so);
3753  m->top.sig->signal_received = 0;
3754  return false;
3755  }
3756  else if (proto_is_dgram(m->top.options.ce.proto)
3760  {
3762  return false;
3763  }
3764  return true;
3765 }
3766 
3767 /*
3768  * Called when an instance should be closed due to the
3769  * reception of a soft signal.
3770  */
3771 void
3773 {
3774  remap_signal(&mi->context);
3775  set_prefix(mi);
3776  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3777  clear_prefix();
3778  multi_close_instance(m, mi, false);
3779 }
3780 
3781 static void
3782 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3783 {
3784  mi->context.sig->signal_received = sig;
3786 }
3787 
3788 /*
3789  * Management subsystem callbacks
3790  */
3791 
3792 #ifdef ENABLE_MANAGEMENT
3793 
3794 static void
3795 management_callback_status(void *arg, const int version, struct status_output *so)
3796 {
3797  struct multi_context *m = (struct multi_context *) arg;
3798 
3799  if (!version)
3800  {
3802  }
3803  else
3804  {
3805  multi_print_status(m, so, version);
3806  }
3807 }
3808 
3809 static int
3811 {
3812  struct multi_context *m = (struct multi_context *) arg;
3813  return m->n_clients;
3814 }
3815 
3816 static int
3817 management_callback_kill_by_cn(void *arg, const char *del_cn)
3818 {
3819  struct multi_context *m = (struct multi_context *) arg;
3820  struct hash_iterator hi;
3821  struct hash_element *he;
3822  int count = 0;
3823 
3824  hash_iterator_init(m->iter, &hi);
3825  while ((he = hash_iterator_next(&hi)))
3826  {
3827  struct multi_instance *mi = (struct multi_instance *) he->value;
3828  if (!mi->halt)
3829  {
3830  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3831  if (cn && !strcmp(cn, del_cn))
3832  {
3834  ++count;
3835  }
3836  }
3837  }
3838  hash_iterator_free(&hi);
3839  return count;
3840 }
3841 
3842 static int
3843 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3844 {
3845  struct multi_context *m = (struct multi_context *) arg;
3846  struct hash_iterator hi;
3847  struct hash_element *he;
3848  struct openvpn_sockaddr saddr;
3849  struct mroute_addr maddr;
3850  int count = 0;
3851 
3852  CLEAR(saddr);
3853  saddr.addr.in4.sin_family = AF_INET;
3854  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3855  saddr.addr.in4.sin_port = htons(port);
3856  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3857  {
3858  hash_iterator_init(m->iter, &hi);
3859  while ((he = hash_iterator_next(&hi)))
3860  {
3861  struct multi_instance *mi = (struct multi_instance *) he->value;
3862  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3863  {
3865  ++count;
3866  }
3867  }
3868  hash_iterator_free(&hi);
3869  }
3870  return count;
3871 }
3872 
3873 static void
3875 {
3876  struct multi_context *m = (struct multi_context *) arg;
3877  if (m->mtcp)
3878  {
3879  multi_tcp_delete_event(m->mtcp, event);
3880  }
3881 }
3882 
3883 #endif /* ifdef ENABLE_MANAGEMENT */
3884 
3885 #ifdef ENABLE_MANAGEMENT
3886 
3887 static struct multi_instance *
3888 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3889 {
3890  if (m)
3891  {
3892  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3893  if (mi && !mi->halt)
3894  {
3895  return mi;
3896  }
3897  }
3898  return NULL;
3899 }
3900 
3901 static bool
3902 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3903 {
3904  struct multi_context *m = (struct multi_context *) arg;
3905  struct multi_instance *mi = lookup_by_cid(m, cid);
3906  if (mi)
3907  {
3908  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3910  return true;
3911  }
3912  else
3913  {
3914  return false;
3915  }
3916 }
3917 
3918 static bool
3920  const unsigned long cid,
3921  const char *extra)
3922 {
3923  struct multi_context *m = (struct multi_context *) arg;
3924  struct multi_instance *mi = lookup_by_cid(m, cid);
3925  if (mi)
3926  {
3927  /* sends INFO_PRE and AUTH_PENDING messages to client */
3928  bool ret = send_auth_pending_messages(&mi->context, extra);
3930  return ret;
3931  }
3932  return false;
3933 }
3934 
3935 
3936 static bool
3938  const unsigned long cid,
3939  const unsigned int mda_key_id,
3940  const bool auth,
3941  const char *reason,
3942  const char *client_reason,
3943  struct buffer_list *cc_config) /* ownership transferred */
3944 {
3945  struct multi_context *m = (struct multi_context *) arg;
3946  struct multi_instance *mi = lookup_by_cid(m, cid);
3947  bool cc_config_owned = true;
3948  bool ret = false;
3949 
3950  if (mi)
3951  {
3952  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3953  if (ret)
3954  {
3955  if (auth)
3956  {
3958  {
3959  set_cc_config(mi, cc_config);
3960  cc_config_owned = false;
3961  }
3962  }
3963  else
3964  {
3965  if (reason)
3966  {
3967  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3968  }
3970  {
3971  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3973  }
3974  }
3975  }
3976  }
3977  if (cc_config_owned && cc_config)
3978  {
3979  buffer_list_free(cc_config);
3980  }
3981  return ret;
3982 }
3983 
3984 static char *
3985 management_get_peer_info(void *arg, const unsigned long cid)
3986 {
3987  struct multi_context *m = (struct multi_context *) arg;
3988  struct multi_instance *mi = lookup_by_cid(m, cid);
3989  char *ret = NULL;
3990 
3991  if (mi)
3992  {
3993  ret = mi->context.c2.tls_multi->peer_info;
3994  }
3995 
3996  return ret;
3997 }
3998 
3999 #endif /* ifdef ENABLE_MANAGEMENT */
4000 
4001 #ifdef MANAGEMENT_PF
4002 static bool
4003 management_client_pf(void *arg,
4004  const unsigned long cid,
4005  struct buffer_list *pf_config) /* ownership transferred */
4006 {
4007  struct multi_context *m = (struct multi_context *) arg;
4008  struct multi_instance *mi = lookup_by_cid(m, cid);
4009  bool ret = false;
4010 
4011  if (mi && pf_config)
4012  {
4013  ret = pf_load_from_buffer_list(&mi->context, pf_config);
4014  }
4015 
4016  buffer_list_free(pf_config);
4017  return ret;
4018 }
4019 #endif /* ifdef MANAGEMENT_PF */
4020 
4021 void
4023 {
4024 #ifdef ENABLE_MANAGEMENT
4025  if (management)
4026  {
4027  struct management_callback cb;
4028  CLEAR(cb);
4029  cb.arg = m;
4030  cb.flags = MCF_SERVER;
4041 #ifdef MANAGEMENT_PF
4042  cb.client_pf = management_client_pf;
4043 #endif
4045  }
4046 #endif /* ifdef ENABLE_MANAGEMENT */
4047 }
4048 
4049 /*
4050  * Top level event loop.
4051  */
4052 void
4054 {
4055  ASSERT(top->options.mode == MODE_SERVER);
4056 
4057  if (proto_is_dgram(top->options.ce.proto))
4058  {
4059  tunnel_server_udp(top);
4060  }
4061  else
4062  {
4063  tunnel_server_tcp(top);
4064  }
4065 }
#define M_NONFATAL
Definition: error.h:95
struct env_set * es
Definition: openvpn.h:440
uint8_t type
Definition: mroute.h:78
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3706
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:195
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2807
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:469
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
#define MR_WITH_NETBITS
Definition: mroute.h:70
static bool is_exit_restart(int sig)
Definition: multi.c:3700
static void register_activity(struct context *c, const int size)
Definition: forward.h:349
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:294
struct buffer to_link
Definition: openvpn.h:399
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1747
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3782
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3577
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:361
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:179
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:474
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1151
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:318
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:364
bool ncp_enabled
Definition: options.h:508
#define REAP_DIVISOR
Definition: multi.h:558
struct key_state key[KS_SIZE]
Definition: ssl_common.h:454
struct iroute * next
Definition: route.h:238
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:161
struct in6_addr reporting_addr_ipv6
Definition: multi.h:122
static bool is_cas_pending(enum client_connect_status cas)
Definition: openvpn.h:226
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2260
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
bool did_cid_hash
Definition: multi.h:127
counter_type link_write_bytes
Definition: openvpn.h:303
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:438
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2447
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
#define MULTI_ROUTE_CACHE
Definition: multi.h:234
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:113
#define M_OPTERR
Definition: error.h:105
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:393
int signal_received
Definition: multi.h:61
unsigned int option_types_found
Definition: multi.h:75
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:247
void hash_free(struct hash *hash)
Definition: list.c:65
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:2041
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3021
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:503
Packet geometry parameters.
Definition: mtu.h:93
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:292
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:490
pool_type
Definition: pool.h:37
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1112
enum ks_auth_state authenticated
Definition: ssl_common.h:218
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
bool push_ifconfig_defined
Definition: openvpn.h:450
char * peer_info
Definition: ssl_common.h:564
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2557
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:375
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2921
struct mroute_addr::@0::@3 v6
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:442
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:602
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:507
#define dmsg
Definition: error.h:174
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:263
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4661
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:441
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:329
in_addr_t push_ifconfig_local
Definition: openvpn.h:452
bool enable_c2c
Definition: options.h:463
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2347
int push_ifconfig_ipv6_netbits
Definition: options.h:460
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:511
#define D_TLS_ERRORS
Definition: errlevel.h:59
struct in6_addr network
Definition: route.h:242
struct buffer buf
Definition: openvpn.h:397
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1454
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:106
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5009
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:935
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3795
#define SIGUSR1
Definition: config-msvc.h:152
const void * key
Definition: list.h:48
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2325
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:596
#define MR_ADDR_MASK
Definition: mroute.h:64
struct multi_reap * reaper
Definition: multi.h:180
struct context_buffers * buffers
Definition: openvpn.h:389
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2068
struct multi_instance * instance
Definition: multi.h:232
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:452
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:457
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
bool ifconfig_pool_defined
Definition: options.h:427
void multi_top_free(struct multi_context *m)
Definition: multi.c:3693
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:559
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:193
#define D_PF_DROPPED
Definition: errlevel.h:102
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4006
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3874
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:235
in_addr_t remote_netmask
Definition: tun.h:173
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:433
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:459
static int management_callback_n_clients(void *arg)
Definition: multi.c:3810
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:461
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define D_MULTI_DROPPED
Definition: errlevel.h:103
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1576
int status_file_version
Definition: multi.h:185
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:566
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:455
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1349
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:140
ifconfig_pool_handle vaddr_handle
Definition: multi.h:113
bool did_iter
Definition: multi.h:125
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:114
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3746
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1436
struct event_timeout stale_routes_check_et
Definition: multi.h:205
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
#define MAX_PEER_ID
Definition: openvpn.h:577
int cf_max
Definition: options.h:465
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:494
void pre_select(struct context *c)
Definition: forward.c:1795
unsigned int cache_generation
Definition: mroute.h:132
#define SIGTERM
Definition: config-msvc.h:154
at least handler succeeded, no result yet
Definition: openvpn.h:221
#define SIGHUP
Definition: config-msvc.h:150
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
#define MCF_SERVER
Definition: manage.h:156
#define ASSERT(x)
Definition: error.h:221
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2767
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3902
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:117
in_addr_t ifconfig_pool_end
Definition: options.h:429
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
const char * client_disconnect_script
Definition: options.h:441
int explicit_exit_notification
Definition: options.h:121
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1263
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3383
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
bool platform_unlink(const char *filename)
Definition: platform.c:287
unsigned int flags
Definition: multi.h:236
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1941
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
int n_clients
Definition: multi.h:186
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:120
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:521
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2017
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
static void clear_prefix(void)
Definition: multi.h:540
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
static void setenv_stats(struct context *c)
Definition: multi.c:552
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3843
bool did_real_hash
Definition: multi.h:124
#define MODE_SERVER
Definition: options.h:205
bool use_peer_id
Definition: ssl_common.h:590
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:290
#define PIP_MSSFIX
Definition: forward.h:321
bool initialized
Definition: crypto.h:225
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra)
Definition: multi.c:3919
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:218
int netbits
Definition: route.h:237
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:601
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3888
void status_flush(struct status_output *so)
Definition: status.c:159
int n_clients_delta
Definition: multi.h:131
#define D_MULTI_MEDIUM
Definition: errlevel.h:104
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:451
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool push_request_received
Definition: openvpn.h:449
const char * ncp_ciphers
Definition: options.h:509
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268
int cf_per
Definition: options.h:466
void multi_uninit(struct multi_context *m)
Definition: multi.c:703
bool status_close(struct status_output *so)
Definition: status.c:190
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:543
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:320
static void multi_route_del(struct multi_route *route)
Definition: multi.h:485
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:454
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:414
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:82
in_addr_t push_ifconfig_local
Definition: options.h:451
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3686
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4535
struct frame frame_fragment
Definition: openvpn.h:284
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3817
time_t last_reference
Definition: multi.h:239
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2980
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3363
#define OPENVPN_PLUGIN_FUNC_DEFERRED
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:662
in_addr_t local
Definition: tun.h:172
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:151
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4022
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:397
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:739
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3047
static unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: multi.c:1777
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define MAPF_SHOW_ARP
Definition: mroute.h:159
int stale_routes_check_interval
Definition: options.h:469
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:163
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:448
uint16_t vlan_pvid
Definition: options.h:644
counter_type link_read_bytes
Definition: openvpn.h:301
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:206
bool ifconfig_ipv6_pool_defined
Definition: options.h:434
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:392
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1908
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:456
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5029
Key state is not authenticated.
Definition: ssl_common.h:150
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:177
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:274
int ifconfig_ipv6_netbits
Definition: options.h:255
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:528
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:454
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:52
struct crypto_options crypto_options
Definition: ssl_common.h:198
bool did_iroutes
Definition: multi.h:130
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:14
#define MPP_PRE_SELECT
Definition: multi.h:288
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:759
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:168
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:397
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:190
int topology
Definition: options.h:251
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3001
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:238
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:461
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1230
struct iroute * iroutes
Definition: options.h:448
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
unsigned int cache_generation
Definition: multi.h:238
struct frame frame
Definition: openvpn.h:278
#define DEV_TYPE_TUN
Definition: proto.h:37
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:840
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2909
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:336
struct timeval timeval
Definition: openvpn.h:416
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
int virtual_hash_size
Definition: options.h:439
Definition: schedule.h:44
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3772
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:199
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:458
#define D_MULTI_DEBUG
Definition: errlevel.h:125
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3340
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value...
Definition: multi.c:1967
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:885
unsigned __int32 uint32_t
Definition: config-msvc.h:157
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:135
int tcp_queue_limit
Definition: options.h:447
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133
const char * client_config_dir
Definition: options.h:443
const char * ciphername
Definition: options.h:505
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
uint8_t len
Definition: mroute.h:76
#define REAP_MAX
Definition: multi.h:560
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:262
struct multi_instance * pending
Definition: multi.h:193
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
int buckets_per_pass
Definition: multi.h:53
struct gc_arena gc
Definition: multi.h:102
bool vlan_tagging
Definition: options.h:642
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:573
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2464
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:152
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:166
in_addr_t network
Definition: route.h:236
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:465
int bucket_base
Definition: multi.h:52
in_addr_t reporting_addr
Definition: multi.h:121
int max_routes_per_client
Definition: options.h:468
struct buffer buf
Definition: buffer.h:1106
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2956
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:171
char * config_file
The temporary file name that contains the config directives returned by the client-connect script...
Definition: multi.h:87
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:612
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:225
int n_bcast_buf
Definition: options.h:446
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1934
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:248
int max_clients
Definition: multi.h:183
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:435
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:225
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:229
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1708
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:395
union openvpn_sockaddr::@10 addr
in_addr_t ifconfig_pool_start
Definition: options.h:428
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:166
struct link_socket * link_socket
Definition: openvpn.h:269
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3657
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3956
bool status_trigger(struct status_output *so)
Definition: status.c:135
uint16_t vid
Definition: mroute.h:85
#define M_ERRNO
Definition: error.h:99
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2967
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
#define msg
Definition: error.h:173
struct multi_instance * earliest_wakeup
Definition: multi.h:194
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:592
#define DEV_TYPE_UNDEF
Definition: proto.h:35
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:173
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1058
struct connection_entry ce
Definition: options.h:230
unsigned long cid_counter
Definition: multi.h:190
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:514
bool push_ifconfig_defined
Definition: options.h:450
void schedule_free(struct schedule *s)
Definition: schedule.c:423
struct context_2 c2
Level 2 context.
Definition: openvpn.h:544
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1417
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:172
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:177
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2287
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:440
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1632
#define BLEN(buf)
Definition: buffer.h:127
enum client_connect_status context_auth
Definition: openvpn.h:462
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:116
in_addr_t ifconfig_pool_netmask
Definition: options.h:430
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:781
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:406
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:194
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2498
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1300
int(* n_clients)(void *arg)
Definition: manage.h:164
bool halt
Definition: multi.h:103
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4053
struct buffer_entry * next
Definition: buffer.h:1107
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1664
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:175
#define REAP_MIN
Definition: multi.h:559
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1037
__int64 int64_t
Definition: config-msvc.h:160
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1800
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2699
unsigned __int8 uint8_t
Definition: config-msvc.h:159
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3512
const char * tmp_dir
Definition: options.h:405
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:255
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:148
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2788
struct mroute_addr local
Definition: multi.h:181
unsigned int netbits
Definition: route.h:243
int max_clients
Definition: options.h:467
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:456
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:445
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:984
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:310
int status_file_version
Definition: options.h:337
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:111
#define SIGINT
Definition: config-msvc.h:151
struct timeval wakeup
Definition: multi.h:110
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3132
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2956
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
struct hash * cid_hash
Definition: multi.h:189
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:901
#define SIGUSR2
Definition: config-msvc.h:153
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:175
#define D_VLAN_DEBUG
Definition: errlevel.h:152
struct buffer_list * cc_config
Definition: multi.h:128
bool push_ifconfig_ipv6_defined
Definition: options.h:458
Main OpenVPN server state structure.
Definition: multi.h:152
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:457
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:416
char * auth_control_file
Definition: ssl_common.h:227
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:543
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:195
time_t last_call
Definition: multi.h:54
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:5
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:291
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:581
bool proto_is_dgram(int proto)
Definition: socket.c:3198
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1852
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:683
struct fragment_master * fragment
Definition: openvpn.h:283
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:589
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1387
struct status_output * status_output
Definition: openvpn.h:181
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:326
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:532
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:438
int n_net_len
Definition: mroute.h:134
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3646
#define MR_ADDR_IPV6
Definition: mroute.h:63
int thread_mode
Definition: multi.h:159
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:243
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:208
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:164
in_addr_t push_ifconfig_local_alias
Definition: options.h:453
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3124
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:532
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:127
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:589
Definition: route.h:235
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:449
static int constrain_int(int x, int min, int max)
Definition: integer.h:70
#define M_WARN
Definition: error.h:96
static int min_int(int x, int y)
Definition: integer.h:57
#define MC_WORK_THREAD
Definition: multi.h:158
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:191
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:182
struct frequency_limit * new_connection_limiter
Definition: multi.h:178
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:214
unsigned int flags
Definition: manage.h:157
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:184
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:199
void * value
Definition: list.h:47
unsigned __int16 uint16_t
Definition: config-msvc.h:158
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
bool send_auth_pending_messages(struct context *c, const char *extra)
Sends the auth pending control messages to a client.
Definition: push.c:291
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:238
#define TUNNEL_TYPE(tt)
Definition: tun.h:153
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:380
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:152
Detached client connection state.
Definition: multi.h:69
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:306
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
unsigned long cid
Definition: manage.h:44
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:212
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2589
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:849
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:475
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:3985
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1002
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:212
struct link_socket_actual from
Definition: openvpn.h:275
int process_incoming_push_request(struct context *c)
Definition: push.c:735
struct iroute_ipv6 * next
Definition: route.h:244
#define BSTR(buf)
Definition: buffer.h:129
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2163
long int get_random(void)
Definition: crypto.c:1779
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2560
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
struct man_def_auth_context mda_context
Definition: openvpn.h:483
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:49
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:156
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:218
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:863
Definition: argv.h:35
struct gc_arena gc
Definition: options.h:197
uint8_t netbits
Definition: mroute.h:79
struct buffer to_tun
Definition: openvpn.h:398
in_addr_t push_ifconfig_constraint_network
Definition: options.h:455
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3119
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2887
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:572
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:58
bool duplicate_cn
Definition: options.h:464
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:74
int stale_routes_ageing_time
Definition: options.h:470
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:351
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *url)
Definition: manage.h:174
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:167
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:227
struct timeval wakeup
Definition: multi.h:62
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:453
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1260
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:289
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:57
struct in6_addr local_ipv6
Definition: tun.h:175
struct mroute_addr addr
Definition: multi.h:231
void status_reset(struct status_output *so)
Definition: status.c:150
const char title_string[]
Definition: options.c:67
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2217
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:153
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:265
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:247
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3546
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:459
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
int ifconfig_ipv6_pool_netbits
Definition: options.h:436
__int16 int16_t
Definition: config-msvc.h:162
int fragment
Definition: options.h:117
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:248
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4611
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3599
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:3937
bool data_channel_use_ekm
Definition: options.h:653