OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #if P2MP_SERVER
38 
39 #include "forward.h"
40 #include "multi.h"
41 #include "push.h"
42 #include "run_command.h"
43 #include "otime.h"
44 #include "pf.h"
45 #include "gremlin.h"
46 #include "mstats.h"
47 #include "ssl_verify.h"
48 #include <inttypes.h>
49 
50 #include "memdbg.h"
51 
52 
53 #include "crypto_backend.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef MANAGEMENT_DEF_AUTH
73 static void
74 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
75 {
76  if (mi->cc_config)
77  {
78  buffer_list_free(mi->cc_config);
79  }
80  mi->cc_config = cc_config;
81 }
82 #endif
83 
84 static inline void
85 update_mstat_n_clients(const int n_clients)
86 {
87 #ifdef ENABLE_MEMSTATS
88  if (mmap_stats)
89  {
90  mmap_stats->n_clients = n_clients;
91  }
92 #endif
93 }
94 
95 static bool
97  const struct multi_instance *mi,
98  const char *op,
99  const struct mroute_addr *addr)
100 {
101  struct gc_arena gc = gc_new();
102  struct env_set *es;
103  bool ret = true;
104  struct plugin_list *plugins;
105 
106  /* get environmental variable source */
107  if (mi && mi->context.c2.es)
108  {
109  es = mi->context.c2.es;
110  }
111  else
112  {
113  es = env_set_create(&gc);
114  }
115 
116  /* get plugin source */
117  if (mi)
118  {
119  plugins = mi->context.plugins;
120  }
121  else
122  {
123  plugins = m->top.plugins;
124  }
125 
127  {
128  struct argv argv = argv_new();
129  argv_printf(&argv, "%s %s",
130  op,
131  mroute_addr_print(addr, &gc));
132  if (mi)
133  {
134  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
135  }
136  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
137  {
138  msg(M_WARN, "WARNING: learn-address plugin call failed");
139  ret = false;
140  }
141  argv_reset(&argv);
142  }
143 
145  {
146  struct argv argv = argv_new();
147  setenv_str(es, "script_type", "learn-address");
149  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
150  if (mi)
151  {
152  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
153  }
154  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
155  {
156  ret = false;
157  }
158  argv_reset(&argv);
159  }
160 
161  gc_free(&gc);
162  return ret;
163 }
164 
165 void
167 {
168  /* write pool data to file */
169  if (m->ifconfig_pool
172  {
174  }
175 }
176 
177 static void
179  int start_bucket,
180  int end_bucket)
181 {
182  struct gc_arena gc = gc_new();
183  struct hash_iterator hi;
184  struct hash_element *he;
185 
186  if (start_bucket < 0)
187  {
188  start_bucket = 0;
189  end_bucket = hash_n_buckets(m->vhash);
190  }
191 
192  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
193  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
194  while ((he = hash_iterator_next(&hi)) != NULL)
195  {
196  struct multi_route *r = (struct multi_route *) he->value;
197  if (!multi_route_defined(m, r))
198  {
199  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
200  mroute_addr_print(&r->addr, &gc));
201  learn_address_script(m, NULL, "delete", &r->addr);
202  multi_route_del(r);
204  }
205  }
206  hash_iterator_free(&hi);
207  gc_free(&gc);
208 }
209 
210 static void
212 {
213  multi_reap_range(m, -1, 0);
214 }
215 
216 static struct multi_reap *
218 {
219  struct multi_reap *mr;
220  ALLOC_OBJ(mr, struct multi_reap);
221  mr->bucket_base = 0;
223  mr->last_call = now;
224  return mr;
225 }
226 
227 void
229 {
230  struct multi_reap *mr = m->reaper;
231  if (mr->bucket_base >= hash_n_buckets(m->vhash))
232  {
233  mr->bucket_base = 0;
234  }
236  mr->bucket_base += mr->buckets_per_pass;
237  mr->last_call = now;
238 }
239 
240 static void
242 {
243  free(mr);
244 }
245 
246 /*
247  * How many buckets in vhash to reap per pass.
248  */
249 static int
250 reap_buckets_per_pass(int n_buckets)
251 {
252  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
253 }
254 
255 #ifdef MANAGEMENT_DEF_AUTH
256 
257 static uint32_t
258 cid_hash_function(const void *key, uint32_t iv)
259 {
260  const unsigned long *k = (const unsigned long *)key;
261  return (uint32_t) *k;
262 }
263 
264 static bool
265 cid_compare_function(const void *key1, const void *key2)
266 {
267  const unsigned long *k1 = (const unsigned long *)key1;
268  const unsigned long *k2 = (const unsigned long *)key2;
269  return *k1 == *k2;
270 }
271 
272 #endif
273 
274 #ifdef ENABLE_ASYNC_PUSH
275 static uint32_t
276 /*
277  * inotify watcher descriptors are used as hash value
278  */
279 int_hash_function(const void *key, uint32_t iv)
280 {
281  return (unsigned long)key;
282 }
283 
284 static bool
285 int_compare_function(const void *key1, const void *key2)
286 {
287  return (unsigned long)key1 == (unsigned long)key2;
288 }
289 #endif
290 
291 /*
292  * Main initialization function, init multi_context object.
293  */
294 void
295 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
296 {
297  int dev = DEV_TYPE_UNDEF;
298 
299  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
302 
303  /*
304  * Get tun/tap/null device type
305  */
306  dev = dev_type_enum(t->options.dev, t->options.dev_type);
307 
308  /*
309  * Init our multi_context object.
310  */
311  CLEAR(*m);
312 
313  m->thread_mode = thread_mode;
314 
315  /*
316  * Real address hash table (source port number is
317  * considered to be part of the address). Used
318  * to determine which client sent an incoming packet
319  * which is seen on the TCP/UDP socket.
320  */
322  get_random(),
325 
326  /*
327  * Virtual address hash table. Used to determine
328  * which client to route a packet to.
329  */
331  get_random(),
334 
335  /*
336  * This hash table is a clone of m->hash but with a
337  * bucket size of one so that it can be used
338  * for fast iteration through the list.
339  */
340  m->iter = hash_init(1,
341  get_random(),
344 
345 #ifdef MANAGEMENT_DEF_AUTH
346  m->cid_hash = hash_init(t->options.real_hash_size,
347  0,
348  cid_hash_function,
349  cid_compare_function);
350 #endif
351 
352 #ifdef ENABLE_ASYNC_PUSH
353  /*
354  * Mapping between inotify watch descriptors and
355  * multi_instances.
356  */
357  m->inotify_watchers = hash_init(t->options.real_hash_size,
358  get_random(),
359  int_hash_function,
360  int_compare_function);
361 #endif
362 
363  /*
364  * This is our scheduler, for time-based wakeup
365  * events.
366  */
367  m->schedule = schedule_init();
368 
369  /*
370  * Limit frequency of incoming connections to control
371  * DoS.
372  */
374  t->options.cf_per);
375 
376  /*
377  * Allocate broadcast/multicast buffer list
378  */
380 
381  /*
382  * Different status file format options are available
383  */
385 
386  /*
387  * Possibly allocate an ifconfig pool, do it
388  * differently based on whether a tun or tap style
389  * tunnel.
390  */
392  {
394 
395  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
396  {
397  pool_type = IFCONFIG_POOL_30NET;
398  }
399 
400  m->ifconfig_pool = ifconfig_pool_init(pool_type,
407 
408  /* reload pool data from file */
409  if (t->c1.ifconfig_pool_persist)
410  {
412  }
413  }
414 
415  /*
416  * Help us keep track of routing table.
417  */
419 
420  /*
421  * Initialize route and instance reaper.
422  */
424 
425  /*
426  * Get local ifconfig address
427  */
428  CLEAR(m->local);
429  ASSERT(t->c1.tuntap);
431 
432  /*
433  * Per-client limits
434  */
436 
437  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
438 
439  /*
440  * Initialize multi-socket TCP I/O wait object
441  */
442  if (tcp_mode)
443  {
445  }
447 
448  /*
449  * Allow client <-> client communication, without going through
450  * tun/tap interface and network stack?
451  */
452  m->enable_c2c = t->options.enable_c2c;
453 
454  /* initialize stale routes check timer */
456  {
457  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
460  }
461 
463 }
464 
465 const char *
466 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
467 {
468  if (mi)
469  {
470  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
471  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
472 
473  if (cn)
474  {
475  buf_printf(&out, "%s/", cn);
476  }
477  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
478  return BSTR(&out);
479  }
480  else if (null)
481  {
482  return NULL;
483  }
484  else
485  {
486  return "UNDEF";
487  }
488 }
489 
490 static void
492 {
493  struct gc_arena gc = gc_new();
494  const char *prefix = multi_instance_string(mi, true, &gc);
495  if (prefix)
496  {
497  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
498  }
499  else
500  {
501  mi->msg_prefix[0] = '\0';
502  }
503  set_prefix(mi);
504  gc_free(&gc);
505 }
506 
507 void
509 {
510  mi->msg_prefix[0] = '\0';
511  set_prefix(mi);
512 }
513 
514 static const char *
515 mi_prefix(const struct multi_instance *mi)
516 {
517  if (mi && mi->msg_prefix[0])
518  {
519  return mi->msg_prefix;
520  }
521  else
522  {
523  return "UNDEF_I";
524  }
525 }
526 
527 /*
528  * Tell the route helper about deleted iroutes so
529  * that it can update its mask of currently used
530  * CIDR netlengths.
531  */
532 static void
534  struct multi_instance *mi)
535 {
536  const struct iroute *ir;
537  const struct iroute_ipv6 *ir6;
539  {
540  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
541  {
543  }
544 
545  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
546  {
548  }
549  }
550 }
551 
552 static void
554 {
555  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
556  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
557 }
558 
559 static void
561 {
562  /* setenv client real IP address */
564 
565  /* setenv stats */
566  setenv_stats(&mi->context);
567 
568  /* setenv connection duration */
569  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
570 }
571 
572 static void
574 {
577  {
579 
581  {
583  {
584  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
585  }
586  }
587 
589  {
590  struct argv argv = argv_new();
591  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
593  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
594  argv_reset(&argv);
595  }
596 #ifdef MANAGEMENT_DEF_AUTH
597  if (management)
598  {
599  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
600  }
601 #endif
602 
603  }
604 }
605 
606 void
608  struct multi_instance *mi,
609  bool shutdown)
610 {
612 
613  ASSERT(!mi->halt);
614  mi->halt = true;
615 
616  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
617 
618  /* adjust current client connection count */
619  m->n_clients += mi->n_clients_delta;
621  mi->n_clients_delta = 0;
622 
623  /* prevent dangling pointers */
624  if (m->pending == mi)
625  {
626  multi_set_pending(m, NULL);
627  }
628  if (m->earliest_wakeup == mi)
629  {
630  m->earliest_wakeup = NULL;
631  }
632 
633  if (!shutdown)
634  {
635  if (mi->did_real_hash)
636  {
637  ASSERT(hash_remove(m->hash, &mi->real));
638  }
639  if (mi->did_iter)
640  {
641  ASSERT(hash_remove(m->iter, &mi->real));
642  }
643 #ifdef MANAGEMENT_DEF_AUTH
644  if (mi->did_cid_hash)
645  {
646  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
647  }
648 #endif
649 
650 #ifdef ENABLE_ASYNC_PUSH
651  if (mi->inotify_watch != -1)
652  {
653  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
654  mi->inotify_watch = -1;
655  }
656 #endif
657 
658  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
659  {
660  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
661  }
662 
663  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
664 
665  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
666 
667  if (mi->did_iroutes)
668  {
669  multi_del_iroutes(m, mi);
670  mi->did_iroutes = false;
671  }
672 
673  if (m->mtcp)
674  {
676  }
677 
679  }
680 
681 #ifdef MANAGEMENT_DEF_AUTH
682  set_cc_config(mi, NULL);
683 #endif
684 
686 
687  if (mi->did_open_context)
688  {
690  }
691 
693 
694  ungenerate_prefix(mi);
695 
696  /*
697  * Don't actually delete the instance memory allocation yet,
698  * because virtual routes may still point to it. Let the
699  * vhash reaper deal with it.
700  */
702 
703  perf_pop();
704 }
705 
706 /*
707  * Called on shutdown or restart.
708  */
709 void
711 {
712  if (m->thread_mode & MC_WORK_THREAD)
713  {
714  multi_top_free(m);
715  m->thread_mode = MC_UNDEF;
716  }
717  else if (m->thread_mode)
718  {
719  if (m->hash)
720  {
721  struct hash_iterator hi;
722  struct hash_element *he;
723 
724  hash_iterator_init(m->iter, &hi);
725  while ((he = hash_iterator_next(&hi)))
726  {
727  struct multi_instance *mi = (struct multi_instance *) he->value;
728  mi->did_iter = false;
729  multi_close_instance(m, mi, true);
730  }
731  hash_iterator_free(&hi);
732 
733  multi_reap_all(m);
734 
735  hash_free(m->hash);
736  hash_free(m->vhash);
737  hash_free(m->iter);
738 #ifdef MANAGEMENT_DEF_AUTH
739  hash_free(m->cid_hash);
740 #endif
741  m->hash = NULL;
742 
743  free(m->instances);
744 
745 #ifdef ENABLE_ASYNC_PUSH
746  hash_free(m->inotify_watchers);
747  m->inotify_watchers = NULL;
748 #endif
749 
751  mbuf_free(m->mbuf);
756  multi_tcp_free(m->mtcp);
757  m->thread_mode = MC_UNDEF;
758  }
759  }
760 }
761 
762 /*
763  * Create a client instance object for a newly connected client.
764  */
765 struct multi_instance *
767 {
768  struct gc_arena gc = gc_new();
769  struct multi_instance *mi;
770 
772 
773  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
774 
775  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
776 
777  mi->gc = gc_new();
779  mi->vaddr_handle = -1;
780  mi->created = now;
781  mroute_addr_init(&mi->real);
782 
783  if (real)
784  {
785  mi->real = *real;
786  generate_prefix(mi);
787  }
788 
789  mi->did_open_context = true;
790  inherit_context_child(&mi->context, &m->top);
791  if (IS_SIG(&mi->context))
792  {
793  goto err;
794  }
795 
797 
798  if (hash_n_elements(m->hash) >= m->max_clients)
799  {
800  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
801  goto err;
802  }
803 
804  if (!real) /* TCP mode? */
805  {
807  {
808  goto err;
809  }
810  generate_prefix(mi);
811  }
812 
813  if (!hash_add(m->iter, &mi->real, mi, false))
814  {
815  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
816  mroute_addr_print(&mi->real, &gc));
817  goto err;
818  }
819  mi->did_iter = true;
820 
821 #ifdef MANAGEMENT_DEF_AUTH
822  do
823  {
824  mi->context.c2.mda_context.cid = m->cid_counter++;
825  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
826  mi->did_cid_hash = true;
827 #endif
828 
829  mi->context.c2.push_reply_deferred = true;
830 
831 #ifdef ENABLE_ASYNC_PUSH
832  mi->context.c2.push_request_received = false;
833  mi->inotify_watch = -1;
834 #endif
835 
836  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
837  {
838  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
839  goto err;
840  }
841 
842  perf_pop();
843  gc_free(&gc);
844  return mi;
845 
846 err:
847  multi_close_instance(m, mi, false);
848  perf_pop();
849  gc_free(&gc);
850  return NULL;
851 }
852 
853 /*
854  * Dump tables -- triggered by SIGUSR2.
855  * If status file is defined, write to file.
856  * If status file is NULL, write to syslog.
857  */
858 void
859 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
860 {
861  if (m->hash)
862  {
863  struct gc_arena gc_top = gc_new();
864  struct hash_iterator hi;
865  const struct hash_element *he;
866 
867  status_reset(so);
868 
869  if (version == 1) /* WAS: m->status_file_version */
870  {
871  /*
872  * Status file version 1
873  */
874  status_printf(so, "OpenVPN CLIENT LIST");
875  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
876  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
877  hash_iterator_init(m->hash, &hi);
878  while ((he = hash_iterator_next(&hi)))
879  {
880  struct gc_arena gc = gc_new();
881  const struct multi_instance *mi = (struct multi_instance *) he->value;
882 
883  if (!mi->halt)
884  {
885  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
886  tls_common_name(mi->context.c2.tls_multi, false),
887  mroute_addr_print(&mi->real, &gc),
890  time_string(mi->created, 0, false, &gc));
891  }
892  gc_free(&gc);
893  }
894  hash_iterator_free(&hi);
895 
896  status_printf(so, "ROUTING TABLE");
897  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
898  hash_iterator_init(m->vhash, &hi);
899  while ((he = hash_iterator_next(&hi)))
900  {
901  struct gc_arena gc = gc_new();
902  const struct multi_route *route = (struct multi_route *) he->value;
903 
904  if (multi_route_defined(m, route))
905  {
906  const struct multi_instance *mi = route->instance;
907  const struct mroute_addr *ma = &route->addr;
908  char flags[2] = {0, 0};
909 
910  if (route->flags & MULTI_ROUTE_CACHE)
911  {
912  flags[0] = 'C';
913  }
914  status_printf(so, "%s%s,%s,%s,%s",
915  mroute_addr_print(ma, &gc),
916  flags,
917  tls_common_name(mi->context.c2.tls_multi, false),
918  mroute_addr_print(&mi->real, &gc),
919  time_string(route->last_reference, 0, false, &gc));
920  }
921  gc_free(&gc);
922  }
923  hash_iterator_free(&hi);
924 
925  status_printf(so, "GLOBAL STATS");
926  if (m->mbuf)
927  {
928  status_printf(so, "Max bcast/mcast queue length,%d",
930  }
931 
932  status_printf(so, "END");
933  }
934  else if (version == 2 || version == 3)
935  {
936  const char sep = (version == 3) ? '\t' : ',';
937 
938  /*
939  * Status file version 2 and 3
940  */
941  status_printf(so, "TITLE%c%s", sep, title_string);
942  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
943  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
944  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
945  hash_iterator_init(m->hash, &hi);
946  while ((he = hash_iterator_next(&hi)))
947  {
948  struct gc_arena gc = gc_new();
949  const struct multi_instance *mi = (struct multi_instance *) he->value;
950 
951  if (!mi->halt)
952  {
953  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
954 #ifdef MANAGEMENT_DEF_AUTH
955  "%lu"
956 #else
957  ""
958 #endif
959  "%c%" PRIu32 "%c%s",
960  sep, tls_common_name(mi->context.c2.tls_multi, false),
961  sep, mroute_addr_print(&mi->real, &gc),
964  sep, mi->context.c2.link_read_bytes,
965  sep, mi->context.c2.link_write_bytes,
966  sep, time_string(mi->created, 0, false, &gc),
967  sep, (unsigned int)mi->created,
968  sep, tls_username(mi->context.c2.tls_multi, false),
969 #ifdef MANAGEMENT_DEF_AUTH
970  sep, mi->context.c2.mda_context.cid,
971 #else
972  sep,
973 #endif
974  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
976  }
977  gc_free(&gc);
978  }
979  hash_iterator_free(&hi);
980 
981  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
982  sep, sep, sep, sep, sep, sep);
983  hash_iterator_init(m->vhash, &hi);
984  while ((he = hash_iterator_next(&hi)))
985  {
986  struct gc_arena gc = gc_new();
987  const struct multi_route *route = (struct multi_route *) he->value;
988 
989  if (multi_route_defined(m, route))
990  {
991  const struct multi_instance *mi = route->instance;
992  const struct mroute_addr *ma = &route->addr;
993  char flags[2] = {0, 0};
994 
995  if (route->flags & MULTI_ROUTE_CACHE)
996  {
997  flags[0] = 'C';
998  }
999  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1000  sep, mroute_addr_print(ma, &gc), flags,
1001  sep, tls_common_name(mi->context.c2.tls_multi, false),
1002  sep, mroute_addr_print(&mi->real, &gc),
1003  sep, time_string(route->last_reference, 0, false, &gc),
1004  sep, (unsigned int)route->last_reference);
1005  }
1006  gc_free(&gc);
1007  }
1008  hash_iterator_free(&hi);
1009 
1010  if (m->mbuf)
1011  {
1012  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1013  sep, sep, mbuf_maximum_queued(m->mbuf));
1014  }
1015 
1016  status_printf(so, "END");
1017  }
1018  else
1019  {
1020  status_printf(so, "ERROR: bad status format version number");
1021  }
1022 
1023 #ifdef PACKET_TRUNCATION_CHECK
1024  {
1025  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1026  hash_iterator_init(m->hash, &hi);
1027  while ((he = hash_iterator_next(&hi)))
1028  {
1029  struct gc_arena gc = gc_new();
1030  const struct multi_instance *mi = (struct multi_instance *) he->value;
1031 
1032  if (!mi->halt)
1033  {
1035  tls_common_name(mi->context.c2.tls_multi, false),
1036  m->top.c2.n_trunc_tun_read,
1037  mi->context.c2.n_trunc_tun_write,
1038  mi->context.c2.n_trunc_pre_encrypt,
1039  mi->context.c2.n_trunc_post_decrypt);
1040  }
1041  gc_free(&gc);
1042  }
1043  hash_iterator_free(&hi);
1044  }
1045 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1046 
1047  status_flush(so);
1048  gc_free(&gc_top);
1049  }
1050 
1051 #ifdef ENABLE_ASYNC_PUSH
1052  if (m->inotify_watchers)
1053  {
1054  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1055  }
1056 #endif
1057 }
1058 
1059 /*
1060  * Learn a virtual address or route.
1061  * The learn will fail if the learn address
1062  * script/plugin fails. In this case the
1063  * return value may be != mi.
1064  * Return the instance which owns this route,
1065  * or NULL if none.
1066  */
1067 static struct multi_instance *
1069  struct multi_instance *mi,
1070  const struct mroute_addr *addr,
1071  const unsigned int flags)
1072 {
1073  struct hash_element *he;
1074  const uint32_t hv = hash_value(m->vhash, addr);
1075  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1076  struct multi_route *oldroute = NULL;
1077  struct multi_instance *owner = NULL;
1078  struct gc_arena gc = gc_new();
1079 
1080  /* if route currently exists, get the instance which owns it */
1081  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1082  if (he)
1083  {
1084  oldroute = (struct multi_route *) he->value;
1085  }
1086  if (oldroute && multi_route_defined(m, oldroute))
1087  {
1088  owner = oldroute->instance;
1089  }
1090 
1091  /* do we need to add address to hash table? */
1092  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1093  && !mroute_addr_equal(addr, &m->local))
1094  {
1095  struct multi_route *newroute;
1096  bool learn_succeeded = false;
1097 
1098  ALLOC_OBJ(newroute, struct multi_route);
1099  newroute->addr = *addr;
1100  newroute->instance = mi;
1101  newroute->flags = flags;
1102  newroute->last_reference = now;
1103  newroute->cache_generation = 0;
1104 
1105  /* The cache is invalidated when cache_generation is incremented */
1106  if (flags & MULTI_ROUTE_CACHE)
1107  {
1109  }
1110 
1111  if (oldroute) /* route already exists? */
1112  {
1113  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1114  {
1115  learn_succeeded = true;
1116  owner = mi;
1118  route_quota_inc(mi);
1119 
1120  /* delete old route */
1121  multi_route_del(oldroute);
1122 
1123  /* modify hash table entry, replacing old route */
1124  he->key = &newroute->addr;
1125  he->value = newroute;
1126  }
1127  }
1128  else
1129  {
1130  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1131  {
1132  learn_succeeded = true;
1133  owner = mi;
1135  route_quota_inc(mi);
1136 
1137  /* add new route */
1138  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1139  }
1140  }
1141 
1142  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1143  learn_succeeded ? "" : " FAILED",
1144  mroute_addr_print(&newroute->addr, &gc),
1145  multi_instance_string(mi, false, &gc));
1146 
1147  if (!learn_succeeded)
1148  {
1149  free(newroute);
1150  }
1151  }
1152  gc_free(&gc);
1153 
1154  return owner;
1155 }
1156 
1157 /*
1158  * Get client instance based on virtual address.
1159  */
1160 static struct multi_instance *
1162  const struct mroute_addr *addr,
1163  bool cidr_routing)
1164 {
1165  struct multi_route *route;
1166  struct multi_instance *ret = NULL;
1167 
1168  /* check for local address */
1169  if (mroute_addr_equal(addr, &m->local))
1170  {
1171  return NULL;
1172  }
1173 
1174  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1175 
1176  /* does host route (possible cached) exist? */
1177  if (route && multi_route_defined(m, route))
1178  {
1179  struct multi_instance *mi = route->instance;
1180  route->last_reference = now;
1181  ret = mi;
1182  }
1183  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1184  {
1185  struct mroute_helper *rh = m->route_helper;
1186  struct mroute_addr tryaddr;
1187  int i;
1188 
1189  /* cycle through each CIDR length */
1190  for (i = 0; i < rh->n_net_len; ++i)
1191  {
1192  tryaddr = *addr;
1193  tryaddr.type |= MR_WITH_NETBITS;
1194  tryaddr.netbits = rh->net_len[i];
1195  mroute_addr_mask_host_bits(&tryaddr);
1196 
1197  /* look up a possible route with netbits netmask */
1198  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1199 
1200  if (route && multi_route_defined(m, route))
1201  {
1202  /* found an applicable route, cache host route */
1203  struct multi_instance *mi = route->instance;
1205  ret = mi;
1206  break;
1207  }
1208  }
1209  }
1210 
1211 #ifdef ENABLE_DEBUG
1213  {
1214  struct gc_arena gc = gc_new();
1215  const char *addr_text = mroute_addr_print(addr, &gc);
1216  if (ret)
1217  {
1218  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1219  addr_text,
1220  multi_instance_string(ret, false, &gc),
1221  mroute_addr_print(&route->addr, &gc));
1222  }
1223  else
1224  {
1225  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1226  addr_text);
1227  }
1228  gc_free(&gc);
1229  }
1230 #endif
1231 
1232  ASSERT(!(ret && ret->halt));
1233  return ret;
1234 }
1235 
1236 /*
1237  * Helper function to multi_learn_addr().
1238  */
1239 static struct multi_instance *
1241  struct multi_instance *mi,
1242  in_addr_t a,
1243  int netbits, /* -1 if host route, otherwise # of network bits in address */
1244  bool primary)
1245 {
1246  struct openvpn_sockaddr remote_si;
1247  struct mroute_addr addr;
1248 
1249  CLEAR(remote_si);
1250  remote_si.addr.in4.sin_family = AF_INET;
1251  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1252  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1253 
1254  if (netbits >= 0)
1255  {
1256  addr.type |= MR_WITH_NETBITS;
1257  addr.netbits = (uint8_t) netbits;
1258  }
1259 
1260  {
1261  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1262 #ifdef MANAGEMENT_DEF_AUTH
1263  if (management && owner)
1264  {
1265  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1266  }
1267 #endif
1268  return owner;
1269  }
1270 }
1271 
1272 static struct multi_instance *
1274  struct multi_instance *mi,
1275  struct in6_addr a6,
1276  int netbits, /* -1 if host route, otherwise # of network bits in address */
1277  bool primary)
1278 {
1279  struct mroute_addr addr;
1280 
1281  addr.len = 16;
1282  addr.type = MR_ADDR_IPV6;
1283  addr.netbits = 0;
1284  addr.v6.addr = a6;
1285 
1286  if (netbits >= 0)
1287  {
1288  addr.type |= MR_WITH_NETBITS;
1289  addr.netbits = (uint8_t) netbits;
1290  mroute_addr_mask_host_bits( &addr );
1291  }
1292 
1293  {
1294  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1295 #ifdef MANAGEMENT_DEF_AUTH
1296  if (management && owner)
1297  {
1298  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1299  }
1300 #endif
1301  return owner;
1302  }
1303 }
1304 
1305 /*
1306  * A new client has connected, add routes (server -> client)
1307  * to internal routing table.
1308  */
1309 static void
1311  struct multi_instance *mi)
1312 {
1313  struct gc_arena gc = gc_new();
1314  const struct iroute *ir;
1315  const struct iroute_ipv6 *ir6;
1317  {
1318  mi->did_iroutes = true;
1319  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1320  {
1321  if (ir->netbits >= 0)
1322  {
1323  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1324  print_in_addr_t(ir->network, 0, &gc),
1325  ir->netbits,
1326  multi_instance_string(mi, false, &gc));
1327  }
1328  else
1329  {
1330  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1331  print_in_addr_t(ir->network, 0, &gc),
1332  multi_instance_string(mi, false, &gc));
1333  }
1334 
1336 
1337  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1338  }
1339  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1340  {
1341  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1342  print_in6_addr(ir6->network, 0, &gc),
1343  ir6->netbits,
1344  multi_instance_string(mi, false, &gc));
1345 
1347 
1348  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1349  }
1350  }
1351  gc_free(&gc);
1352 }
1353 
1354 /*
1355  * Given an instance (new_mi), delete all other instances which use the
1356  * same common name.
1357  */
1358 static void
1360 {
1361  if (new_mi)
1362  {
1363  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1364  if (new_cn)
1365  {
1366  struct hash_iterator hi;
1367  struct hash_element *he;
1368  int count = 0;
1369 
1370  hash_iterator_init(m->iter, &hi);
1371  while ((he = hash_iterator_next(&hi)))
1372  {
1373  struct multi_instance *mi = (struct multi_instance *) he->value;
1374  if (mi != new_mi && !mi->halt)
1375  {
1376  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1377  if (cn && !strcmp(cn, new_cn))
1378  {
1379  mi->did_iter = false;
1380  multi_close_instance(m, mi, false);
1382  ++count;
1383  }
1384  }
1385  }
1386  hash_iterator_free(&hi);
1387 
1388  if (count)
1389  {
1390  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1391  }
1392  }
1393  }
1394 }
1395 
1396 static void
1398 {
1399 
1400  struct gc_arena gc = gc_new();
1401  struct hash_iterator hi;
1402  struct hash_element *he;
1403 
1404  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1406  while ((he = hash_iterator_next(&hi)) != NULL)
1407  {
1408  struct multi_route *r = (struct multi_route *) he->value;
1409  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1410  {
1411  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1412  mroute_addr_print(&r->addr, &gc));
1413  learn_address_script(m, NULL, "delete", &r->addr);
1414  multi_route_del(r);
1416  }
1417  }
1418  hash_iterator_free(&hi);
1419  gc_free(&gc);
1420 }
1421 
1422 /*
1423  * Ensure that endpoint to be pushed to client
1424  * complies with --ifconfig-push-constraint directive.
1425  */
1426 static bool
1428 {
1429  const struct options *o = &c->options;
1431  {
1433  }
1434  else
1435  {
1436  return true;
1437  }
1438 }
1439 
1440 /*
1441  * Select a virtual address for a new client instance.
1442  * Use an --ifconfig-push directive, if given (static IP).
1443  * Otherwise use an --ifconfig-pool address (dynamic IP).
1444  */
1445 static void
1447 {
1448  struct gc_arena gc = gc_new();
1449 
1450  /*
1451  * If ifconfig addresses were set by dynamic config file,
1452  * release pool addresses, otherwise keep them.
1453  */
1455  {
1456  /* ifconfig addresses were set statically,
1457  * release dynamic allocation */
1458  if (mi->vaddr_handle >= 0)
1459  {
1461  mi->vaddr_handle = -1;
1462  }
1463 
1464  mi->context.c2.push_ifconfig_defined = true;
1468 
1469  /* the current implementation does not allow "static IPv4, pool IPv6",
1470  * (see below) so issue a warning if that happens - don't break the
1471  * session, though, as we don't even know if this client WANTS IPv6
1472  */
1475  {
1476  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1477  }
1478  }
1479  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1480  {
1481  in_addr_t local = 0, remote = 0;
1482  struct in6_addr remote_ipv6;
1483  const char *cn = NULL;
1484 
1485  if (!mi->context.options.duplicate_cn)
1486  {
1487  cn = tls_common_name(mi->context.c2.tls_multi, true);
1488  }
1489 
1490  CLEAR(remote_ipv6);
1491  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1492  if (mi->vaddr_handle >= 0)
1493  {
1494  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1495  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1496 
1497  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1498  print_in_addr_t( remote, 0, &gc ),
1500  ? print_in6_addr( remote_ipv6, 0, &gc )
1501  : "(Not enabled)") );
1502 
1503  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1504  mi->context.c2.push_ifconfig_local = remote;
1505  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1506  {
1509  {
1511  }
1512  }
1513  else if (tunnel_type == DEV_TYPE_TUN)
1514  {
1515  if (tunnel_topology == TOP_P2P)
1516  {
1518  }
1519  else if (tunnel_topology == TOP_NET30)
1520  {
1522  }
1523  }
1524 
1526  {
1527  mi->context.c2.push_ifconfig_defined = true;
1528  }
1529  else
1530  {
1531  msg(D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1532  multi_instance_string(mi, false, &gc));
1533  }
1534 
1536  {
1537  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1539  mi->context.c1.tuntap->local_ipv6;
1543  }
1544  }
1545  else
1546  {
1547  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1548  }
1549  }
1550 
1551  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1552  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1553  * will fail (because no pool will be allocated in this case).
1554  * OTOH, this doesn't make too much sense in reality - and the other
1555  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1556  * -> and so it's implemented right now
1557  */
1559  {
1567 
1568  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1571  }
1572 
1573  gc_free(&gc);
1574 }
1575 
1576 /*
1577  * Set virtual address environmental variables.
1578  */
1579 static void
1581 {
1582  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1583  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1584  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1585 
1587  {
1588  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1589  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1590 
1592  "ifconfig_pool_remote_ip",
1595 
1596  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1597  {
1599  "ifconfig_pool_netmask",
1602  }
1603  else if (tunnel_type == DEV_TYPE_TUN)
1604  {
1606  "ifconfig_pool_local_ip",
1609  }
1610  }
1611 
1612  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1613  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1614  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1615 
1617  {
1619  "ifconfig_pool_remote",
1623  "ifconfig_pool_local",
1626  setenv_int(mi->context.c2.es,
1627  "ifconfig_pool_ip6_netbits",
1629  }
1630 }
1631 
1632 /*
1633  * Called after client-connect script is called
1634  */
1635 static void
1637  struct multi_instance *mi,
1638  const char *dc_file,
1639  unsigned int option_permissions_mask,
1640  unsigned int *option_types_found)
1641 {
1642  /* Did script generate a dynamic config file? */
1643  if (platform_test_file(dc_file))
1644  {
1646  dc_file,
1648  option_permissions_mask,
1649  option_types_found,
1650  mi->context.c2.es);
1651 
1652  /*
1653  * If the --client-connect script generates a config file
1654  * with an --ifconfig-push directive, it will override any
1655  * --ifconfig-push directive from the --client-config-dir
1656  * directory or any --ifconfig-pool dynamic address.
1657  */
1660  }
1661 }
1662 
1663 #ifdef ENABLE_PLUGIN
1664 
1665 /*
1666  * Called after client-connect plug-in is called
1667  */
1668 static void
1670  struct multi_instance *mi,
1671  const struct plugin_return *pr,
1672  unsigned int option_permissions_mask,
1673  unsigned int *option_types_found)
1674 {
1675  struct plugin_return config;
1676 
1677  plugin_return_get_column(pr, &config, "config");
1678 
1679  /* Did script generate a dynamic config file? */
1680  if (plugin_return_defined(&config))
1681  {
1682  int i;
1683  for (i = 0; i < config.n; ++i)
1684  {
1685  if (config.list[i] && config.list[i]->value)
1686  {
1688  config.list[i]->value,
1690  option_permissions_mask,
1691  option_types_found,
1692  mi->context.c2.es);
1693  }
1694  }
1695 
1696  /*
1697  * If the --client-connect script generates a config file
1698  * with an --ifconfig-push directive, it will override any
1699  * --ifconfig-push directive from the --client-config-dir
1700  * directory or any --ifconfig-pool dynamic address.
1701  */
1704  }
1705 }
1706 
1707 #endif /* ifdef ENABLE_PLUGIN */
1708 
1709 #ifdef MANAGEMENT_DEF_AUTH
1710 
1711 /*
1712  * Called to load management-derived client-connect config
1713  */
1714 static void
1715 multi_client_connect_mda(struct multi_context *m,
1716  struct multi_instance *mi,
1717  const struct buffer_list *config,
1718  unsigned int option_permissions_mask,
1719  unsigned int *option_types_found)
1720 {
1721  if (config)
1722  {
1723  struct buffer_entry *be;
1724 
1725  for (be = config->head; be != NULL; be = be->next)
1726  {
1727  const char *opt = BSTR(&be->buf);
1729  opt,
1731  option_permissions_mask,
1732  option_types_found,
1733  mi->context.c2.es);
1734  }
1735 
1736  /*
1737  * If the --client-connect script generates a config file
1738  * with an --ifconfig-push directive, it will override any
1739  * --ifconfig-push directive from the --client-config-dir
1740  * directory or any --ifconfig-pool dynamic address.
1741  */
1744  }
1745 }
1746 
1747 #endif /* ifdef MANAGEMENT_DEF_AUTH */
1748 
1749 static void
1751  struct multi_instance *mi)
1752 {
1753  struct gc_arena gc = gc_new();
1754 
1755  /* setenv incoming cert common name for script */
1756  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1757 
1758  /* setenv client real IP address */
1760 
1761  /* setenv client virtual IP address */
1763 
1764  /* setenv connection time */
1765  {
1766  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1767  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1768  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1769  }
1770 
1771  gc_free(&gc);
1772 }
1773 
1774 /*
1775  * Called as soon as the SSL/TLS connection authenticates.
1776  *
1777  * Instance-specific directives to be processed:
1778  *
1779  * iroute start-ip end-ip
1780  * ifconfig-push local remote-netmask
1781  * push
1782  */
1783 static void
1785 {
1787  {
1788  struct gc_arena gc = gc_new();
1789  unsigned int option_types_found = 0;
1790 
1791  const unsigned int option_permissions_mask =
1793  | OPT_P_INHERIT
1794  | OPT_P_PUSH
1795  | OPT_P_TIMER
1796  | OPT_P_CONFIG
1797  | OPT_P_ECHO
1798  | OPT_P_COMP
1799  | OPT_P_SOCKFLAGS;
1800 
1801  int cc_succeeded = true; /* client connect script status */
1802  int cc_succeeded_count = 0;
1803 
1804  ASSERT(mi->context.c1.tuntap);
1805 
1806  /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
1809 
1810  /* generate a msg() prefix for this client instance */
1811  generate_prefix(mi);
1812 
1813  /* delete instances of previous clients with same common-name */
1814  if (!mi->context.options.duplicate_cn)
1815  {
1816  multi_delete_dup(m, mi);
1817  }
1818 
1819  /* reset pool handle to null */
1820  mi->vaddr_handle = -1;
1821 
1822  /*
1823  * Try to source a dynamic config file from the
1824  * --client-config-dir directory.
1825  */
1827  {
1828  const char *ccd_file;
1829 
1832  false),
1833  &gc);
1834 
1835  /* try common-name file */
1836  if (platform_test_file(ccd_file))
1837  {
1839  ccd_file,
1841  option_permissions_mask,
1842  &option_types_found,
1843  mi->context.c2.es);
1844  }
1845  else /* try default file */
1846  {
1848  CCD_DEFAULT,
1849  &gc);
1850 
1851  if (platform_test_file(ccd_file))
1852  {
1854  ccd_file,
1856  option_permissions_mask,
1857  &option_types_found,
1858  mi->context.c2.es);
1859  }
1860  }
1861  }
1862 
1863  /*
1864  * Select a virtual address from either --ifconfig-push in --client-config-dir file
1865  * or --ifconfig-pool.
1866  */
1868 
1869  /* do --client-connect setenvs */
1871 
1872 #ifdef ENABLE_PLUGIN
1873  /*
1874  * Call client-connect plug-in.
1875  */
1876 
1877  /* deprecated callback, use a file for passing back return info */
1879  {
1880  struct argv argv = argv_new();
1881  const char *dc_file = platform_create_temp_file(mi->context.options.tmp_dir,
1882  "cc", &gc);
1883 
1884  if (!dc_file)
1885  {
1886  cc_succeeded = false;
1887  goto script_depr_failed;
1888  }
1889 
1890  argv_printf(&argv, "%s", dc_file);
1892  {
1893  msg(M_WARN, "WARNING: client-connect plugin call failed");
1894  cc_succeeded = false;
1895  }
1896  else
1897  {
1898  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1899  ++cc_succeeded_count;
1900  }
1901 
1902  if (!platform_unlink(dc_file))
1903  {
1904  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1905  dc_file);
1906  }
1907 
1908 script_depr_failed:
1909  argv_reset(&argv);
1910  }
1911 
1912  /* V2 callback, use a plugin_return struct for passing back return info */
1914  {
1915  struct plugin_return pr;
1916 
1917  plugin_return_init(&pr);
1918 
1920  {
1921  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
1922  cc_succeeded = false;
1923  }
1924  else
1925  {
1926  multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found);
1927  ++cc_succeeded_count;
1928  }
1929 
1930  plugin_return_free(&pr);
1931  }
1932 #endif /* ifdef ENABLE_PLUGIN */
1933 
1934  /*
1935  * Run --client-connect script.
1936  */
1937  if (mi->context.options.client_connect_script && cc_succeeded)
1938  {
1939  struct argv argv = argv_new();
1940  const char *dc_file = NULL;
1941 
1942  setenv_str(mi->context.c2.es, "script_type", "client-connect");
1943 
1945  "cc", &gc);
1946  if (!dc_file)
1947  {
1948  cc_succeeded = false;
1949  goto script_failed;
1950  }
1951 
1953  argv_printf_cat(&argv, "%s", dc_file);
1954 
1955  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
1956  {
1957  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1958  ++cc_succeeded_count;
1959  }
1960  else
1961  {
1962  cc_succeeded = false;
1963  }
1964 
1965  if (!platform_unlink(dc_file))
1966  {
1967  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1968  dc_file);
1969  }
1970 
1971 script_failed:
1972  argv_reset(&argv);
1973  }
1974 
1975  /*
1976  * Check for client-connect script left by management interface client
1977  */
1978 #ifdef MANAGEMENT_DEF_AUTH
1979  if (cc_succeeded && mi->cc_config)
1980  {
1981  multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1982  ++cc_succeeded_count;
1983  }
1984 #endif
1985 
1986  /*
1987  * Check for "disable" directive in client-config-dir file
1988  * or config file generated by --client-connect script.
1989  */
1990  if (mi->context.options.disable)
1991  {
1992  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1993  cc_succeeded = false;
1994  cc_succeeded_count = 0;
1995  }
1996 
1997  if (cc_succeeded)
1998  {
1999  /*
2000  * Process sourced options.
2001  */
2002  do_deferred_options(&mi->context, option_types_found);
2003 
2004  /*
2005  * make sure we got ifconfig settings from somewhere
2006  */
2007  if (!mi->context.c2.push_ifconfig_defined)
2008  {
2009  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
2010  multi_instance_string(mi, false, &gc));
2011  }
2012 
2013  /*
2014  * make sure that ifconfig settings comply with constraints
2015  */
2017  {
2018  /* JYFIXME -- this should cause the connection to fail */
2019  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
2020  multi_instance_string(mi, false, &gc),
2024  }
2025 
2026  /*
2027  * For routed tunnels, set up internal route to endpoint
2028  * plus add all iroute routes.
2029  */
2031  {
2033  {
2034  multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2035  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2036  multi_instance_string(mi, false, &gc),
2038  }
2039 
2041  {
2043  /* TODO: find out where addresses are "unlearned"!! */
2044  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2045  multi_instance_string(mi, false, &gc),
2047  }
2048 
2049  /* add routes locally, pointing to new client, if
2050  * --iroute options have been specified */
2051  multi_add_iroutes(m, mi);
2052 
2053  /*
2054  * iroutes represent subnets which are "owned" by a particular
2055  * client. Therefore, do not actually push a route to a client
2056  * if it matches one of the client's iroutes.
2057  */
2059  }
2060  else if (mi->context.options.iroutes)
2061  {
2062  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
2063  multi_instance_string(mi, false, &gc));
2064  }
2065 
2066  /* set our client's VPN endpoint for status reporting purposes */
2069 
2070  /* set context-level authentication flag */
2072 
2073 #ifdef ENABLE_ASYNC_PUSH
2074  /* authentication complete, send push reply */
2075  if (mi->context.c2.push_request_received)
2076  {
2078  }
2079 #endif
2080  }
2081  else
2082  {
2083  /* set context-level authentication flag */
2084  mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
2085  }
2086 
2087  /* set flag so we don't get called again */
2088  mi->connection_established_flag = true;
2089 
2090  /* increment number of current authenticated clients */
2091  ++m->n_clients;
2093  --mi->n_clients_delta;
2094 
2095 #ifdef MANAGEMENT_DEF_AUTH
2096  if (management)
2097  {
2098  management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es);
2099  }
2100 #endif
2101 
2102  gc_free(&gc);
2103  }
2104 
2105  /*
2106  * Reply now to client's PUSH_REQUEST query
2107  */
2108  mi->context.c2.push_reply_deferred = false;
2109 }
2110 
2111 #ifdef ENABLE_ASYNC_PUSH
2112 /*
2113  * Called when inotify event is fired, which happens when acf file is closed or deleted.
2114  * Continues authentication and sends push_reply.
2115  */
2116 void
2117 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2118 {
2119  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2120  size_t buffer_i = 0;
2121  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2122 
2123  while (buffer_i < r)
2124  {
2125  /* parse inotify events */
2126  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2127  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2128  buffer_i += event_size;
2129 
2130  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2131 
2132  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2133 
2134  if (pevent->mask & IN_CLOSE_WRITE)
2135  {
2136  if (mi)
2137  {
2138  /* continue authentication and send push_reply */
2139  multi_process_post(m, mi, mpp_flags);
2140  }
2141  else
2142  {
2143  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2144  }
2145  }
2146  else if (pevent->mask & IN_IGNORED)
2147  {
2148  /* this event is _always_ fired when watch is removed or file is deleted */
2149  if (mi)
2150  {
2151  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2152  mi->inotify_watch = -1;
2153  }
2154  }
2155  else
2156  {
2157  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2158  }
2159  }
2160 }
2161 #endif /* ifdef ENABLE_ASYNC_PUSH */
2162 
2163 /*
2164  * Add a mbuf buffer to a particular
2165  * instance.
2166  */
2167 void
2169  struct multi_instance *mi,
2170  struct mbuf_buffer *mb)
2171 {
2172  if (multi_output_queue_ready(m, mi))
2173  {
2174  struct mbuf_item item;
2175  item.buffer = mb;
2176  item.instance = mi;
2177  mbuf_add_item(m->mbuf, &item);
2178  }
2179  else
2180  {
2181  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2182  }
2183 }
2184 
2185 /*
2186  * Add a packet to a client instance output queue.
2187  */
2188 static inline void
2190  const struct buffer *buf,
2191  struct multi_instance *mi)
2192 {
2193  struct mbuf_buffer *mb;
2194 
2195  if (BLEN(buf) > 0)
2196  {
2197  mb = mbuf_alloc_buf(buf);
2198  mb->flags = MF_UNICAST;
2199  multi_add_mbuf(m, mi, mb);
2200  mbuf_free_buf(mb);
2201  }
2202 }
2203 
2204 /*
2205  * Broadcast a packet to all clients.
2206  */
2207 static void
2209  const struct buffer *buf,
2210  const struct multi_instance *sender_instance,
2211  const struct mroute_addr *sender_addr)
2212 {
2213  struct hash_iterator hi;
2214  struct hash_element *he;
2215  struct multi_instance *mi;
2216  struct mbuf_buffer *mb;
2217 
2218  if (BLEN(buf) > 0)
2219  {
2221 #ifdef MULTI_DEBUG_EVENT_LOOP
2222  printf("BCAST len=%d\n", BLEN(buf));
2223 #endif
2224  mb = mbuf_alloc_buf(buf);
2225  hash_iterator_init(m->iter, &hi);
2226 
2227  while ((he = hash_iterator_next(&hi)))
2228  {
2229  mi = (struct multi_instance *) he->value;
2230  if (mi != sender_instance && !mi->halt)
2231  {
2232 #ifdef ENABLE_PF
2233  if (sender_instance)
2234  {
2235  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2236  sender_instance->context.c2.tls_multi,
2237  &mi->context.c2.pf,
2238  mi->context.c2.tls_multi,
2239  "bcast_c2c"))
2240  {
2241  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2242  mi_prefix(sender_instance),
2243  mi_prefix(mi));
2244  continue;
2245  }
2246  }
2247  if (sender_addr)
2248  {
2249  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2250  sender_addr, "bcast_src_addr"))
2251  {
2252  struct gc_arena gc = gc_new();
2253  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2254  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2255  mi_prefix(mi));
2256  gc_free(&gc);
2257  continue;
2258  }
2259  }
2260 #endif /* ifdef ENABLE_PF */
2261  multi_add_mbuf(m, mi, mb);
2262  }
2263  }
2264 
2265  hash_iterator_free(&hi);
2266  mbuf_free_buf(mb);
2267  perf_pop();
2268  }
2269 }
2270 
2271 /*
2272  * Given a time delta, indicating that we wish to be
2273  * awoken by the scheduler at time now + delta, figure
2274  * a sigma parameter (in microseconds) that represents
2275  * a sort of fuzz factor around delta, so that we're
2276  * really telling the scheduler to wake us up any time
2277  * between now + delta - sigma and now + delta + sigma.
2278  *
2279  * The sigma parameter helps the scheduler to run more efficiently.
2280  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2281  */
2282 static inline unsigned int
2283 compute_wakeup_sigma(const struct timeval *delta)
2284 {
2285  if (delta->tv_sec < 1)
2286  {
2287  /* if < 1 sec, fuzz = # of microseconds / 8 */
2288  return delta->tv_usec >> 3;
2289  }
2290  else
2291  {
2292  /* if < 10 minutes, fuzz = 13.1% of timeout */
2293  if (delta->tv_sec < 600)
2294  {
2295  return delta->tv_sec << 17;
2296  }
2297  else
2298  {
2299  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2300  }
2301  }
2302 }
2303 
2304 static void
2306 {
2307  /* calculate an absolute wakeup time */
2308  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2309  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2310 
2311  /* tell scheduler to wake us up at some point in the future */
2313  (struct schedule_entry *) mi,
2314  &mi->wakeup,
2315  compute_wakeup_sigma(&mi->context.c2.timeval));
2316 }
2317 
2318 /*
2319  * Figure instance-specific timers, convert
2320  * earliest to absolute time in mi->wakeup,
2321  * call scheduler with our future wakeup time.
2322  *
2323  * Also close context on signal.
2324  */
2325 bool
2326 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2327 {
2328  bool ret = true;
2329 
2330  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2331  {
2332 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2333  bool was_authenticated = false;
2334  struct key_state *ks = NULL;
2335  if (mi->context.c2.tls_multi)
2336  {
2338  was_authenticated = ks->authenticated;
2339  }
2340 #endif
2341 
2342  /* figure timeouts and fetch possible outgoing
2343  * to_link packets (such as ping or TLS control) */
2344  pre_select(&mi->context);
2345 
2346 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2347  if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated)
2348  {
2349  /* watch acf file */
2350  long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT);
2351  if (watch_descriptor >= 0)
2352  {
2353  if (mi->inotify_watch != -1)
2354  {
2355  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
2356  }
2357  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2358  mi->inotify_watch = watch_descriptor;
2359  }
2360  else
2361  {
2362  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2363  }
2364  }
2365 #endif
2366 
2367  if (!IS_SIG(&mi->context))
2368  {
2369  /* connection is "established" when SSL/TLS key negotiation succeeds
2370  * and (if specified) auth user/pass succeeds */
2372  {
2374  }
2375 
2376  /* tell scheduler to wake us up at some point in the future */
2378  }
2379  }
2380 
2381  if (IS_SIG(&mi->context))
2382  {
2383  if (flags & MPP_CLOSE_ON_SIGNAL)
2384  {
2386  ret = false;
2387  }
2388  }
2389  else
2390  {
2391  /* continue to pend on output? */
2392  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2393 
2394 #ifdef MULTI_DEBUG_EVENT_LOOP
2395  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
2396  id(mi),
2397  (int) (mi == m->pending),
2398  mi ? mi->context.c2.to_tun.len : -1,
2399  mi ? mi->context.c2.to_link.len : -1,
2400  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2401  (int64_t)mi->context.c2.timeval.tv_sec,
2402  (long)mi->context.c2.timeval.tv_usec);
2403 #endif
2404  }
2405 
2406  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
2407  {
2408  *m->mpp_touched = mi;
2409  }
2410 
2411  return ret;
2412 }
2413 
2414 void
2416 {
2417  struct mroute_addr real;
2418  struct hash *hash = m->hash;
2419  struct gc_arena gc = gc_new();
2420 
2421  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
2422  {
2423  goto done;
2424  }
2425 
2426  const uint32_t hv = hash_value(hash, &real);
2427  struct hash_bucket *bucket = hash_bucket(hash, hv);
2428 
2429  /* make sure that we don't float to an address taken by another client */
2430  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
2431  if (he)
2432  {
2433  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
2434 
2435  struct tls_multi *m1 = mi->context.c2.tls_multi;
2436  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
2437 
2438  /* do not float if target address is taken by client with another cert */
2439  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
2440  {
2441  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
2442  multi_instance_string(ex_mi, false, &gc));
2443 
2444  mi->context.c2.buf.len = 0;
2445 
2446  goto done;
2447  }
2448 
2449  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
2450  multi_close_instance(m, ex_mi, false);
2451  }
2452 
2453  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
2454  mi->context.c2.tls_multi->peer_id,
2455  tls_common_name(mi->context.c2.tls_multi, false),
2456  mroute_addr_print(&mi->real, &gc),
2457  print_link_socket_actual(&m->top.c2.from, &gc));
2458 
2459  /* remove old address from hash table before changing address */
2460  ASSERT(hash_remove(m->hash, &mi->real));
2461  ASSERT(hash_remove(m->iter, &mi->real));
2462 
2463  /* change external network address of the remote peer */
2464  mi->real = real;
2465  generate_prefix(mi);
2466 
2467  mi->context.c2.from = m->top.c2.from;
2468  mi->context.c2.to_link_addr = &mi->context.c2.from;
2469 
2470  /* inherit parent link_socket and link_socket_info */
2473 
2475 
2476  ASSERT(hash_add(m->hash, &mi->real, mi, false));
2477  ASSERT(hash_add(m->iter, &mi->real, mi, false));
2478 
2479 #ifdef MANAGEMENT_DEF_AUTH
2480  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
2481 #endif
2482 
2483 done:
2484  gc_free(&gc);
2485 }
2486 
2487 /*
2488  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
2489  * i.e. client -> server direction.
2490  */
2491 bool
2492 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
2493 {
2494  struct gc_arena gc = gc_new();
2495 
2496  struct context *c;
2497  struct mroute_addr src, dest;
2498  unsigned int mroute_flags;
2499  struct multi_instance *mi;
2500  bool ret = true;
2501  bool floated = false;
2502 
2503  if (m->pending)
2504  {
2505  return true;
2506  }
2507 
2508  if (!instance)
2509  {
2510 #ifdef MULTI_DEBUG_EVENT_LOOP
2511  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
2512 #endif
2514  }
2515  else
2516  {
2517  multi_set_pending(m, instance);
2518  }
2519 
2520  if (m->pending)
2521  {
2522  set_prefix(m->pending);
2523 
2524  /* get instance context */
2525  c = &m->pending->context;
2526 
2527  if (!instance)
2528  {
2529  /* transfer packet pointer from top-level context buffer to instance */
2530  c->c2.buf = m->top.c2.buf;
2531 
2532  /* transfer from-addr from top-level context buffer to instance */
2533  if (!floated)
2534  {
2535  c->c2.from = m->top.c2.from;
2536  }
2537  }
2538 
2539  if (BLEN(&c->c2.buf) > 0)
2540  {
2541  struct link_socket_info *lsi;
2542  const uint8_t *orig_buf;
2543 
2544  /* decrypt in instance context */
2545 
2547  lsi = get_link_socket_info(c);
2548  orig_buf = c->c2.buf.data;
2549  if (process_incoming_link_part1(c, lsi, floated))
2550  {
2551  if (floated)
2552  {
2554  }
2555 
2556  process_incoming_link_part2(c, lsi, orig_buf);
2557  }
2558  perf_pop();
2559 
2560  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
2561  {
2562  /* extract packet source and dest addresses */
2563  mroute_flags = mroute_extract_addr_from_packet(&src,
2564  &dest,
2565  NULL,
2566  NULL,
2567  &c->c2.to_tun,
2568  DEV_TYPE_TUN);
2569 
2570  /* drop packet if extract failed */
2571  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
2572  {
2573  c->c2.to_tun.len = 0;
2574  }
2575  /* make sure that source address is associated with this client */
2576  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
2577  {
2578  /* IPv6 link-local address (fe80::xxx)? */
2579  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
2580  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
2581  {
2582  /* do nothing, for now. TODO: add address learning */
2583  }
2584  else
2585  {
2586  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2587  mroute_addr_print(&src, &gc));
2588  }
2589  c->c2.to_tun.len = 0;
2590  }
2591  /* client-to-client communication enabled? */
2592  else if (m->enable_c2c)
2593  {
2594  /* multicast? */
2595  if (mroute_flags & MROUTE_EXTRACT_MCAST)
2596  {
2597  /* for now, treat multicast as broadcast */
2598  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2599  }
2600  else /* possible client to client routing */
2601  {
2602  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
2603  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
2604 
2605  /* if dest addr is a known client, route to it */
2606  if (mi)
2607  {
2608 #ifdef ENABLE_PF
2609  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2610  &mi->context.c2.pf,
2611  mi->context.c2.tls_multi,
2612  "tun_c2c"))
2613  {
2614  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2615  mi_prefix(mi));
2616  }
2617  else
2618 #endif
2619  {
2620  multi_unicast(m, &c->c2.to_tun, mi);
2621  register_activity(c, BLEN(&c->c2.to_tun));
2622  }
2623  c->c2.to_tun.len = 0;
2624  }
2625  }
2626  }
2627 #ifdef ENABLE_PF
2628  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
2629  "tun_dest_addr"))
2630  {
2631  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2632  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
2633  c->c2.to_tun.len = 0;
2634  }
2635 #endif
2636  }
2637  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
2638  {
2639 #ifdef ENABLE_PF
2640  struct mroute_addr edest;
2641  mroute_addr_reset(&edest);
2642 #endif
2643  /* extract packet source and dest addresses */
2644  mroute_flags = mroute_extract_addr_from_packet(&src,
2645  &dest,
2646  NULL,
2647 #ifdef ENABLE_PF
2648  &edest,
2649 #else
2650  NULL,
2651 #endif
2652  &c->c2.to_tun,
2653  DEV_TYPE_TAP);
2654 
2655  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2656  {
2657  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
2658  {
2659  /* check for broadcast */
2660  if (m->enable_c2c)
2661  {
2662  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2663  {
2664  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2665  }
2666  else /* try client-to-client routing */
2667  {
2668  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
2669 
2670  /* if dest addr is a known client, route to it */
2671  if (mi)
2672  {
2673 #ifdef ENABLE_PF
2674  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2675  &mi->context.c2.pf,
2676  mi->context.c2.tls_multi,
2677  "tap_c2c"))
2678  {
2679  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2680  mi_prefix(mi));
2681  }
2682  else
2683 #endif
2684  {
2685  multi_unicast(m, &c->c2.to_tun, mi);
2686  register_activity(c, BLEN(&c->c2.to_tun));
2687  }
2688  c->c2.to_tun.len = 0;
2689  }
2690  }
2691  }
2692 #ifdef ENABLE_PF
2693  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
2694  &edest,
2695  "tap_dest_addr"))
2696  {
2697  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2698  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
2699  c->c2.to_tun.len = 0;
2700  }
2701 #endif
2702  }
2703  else
2704  {
2705  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2706  mroute_addr_print(&src, &gc));
2707  c->c2.to_tun.len = 0;
2708  }
2709  }
2710  else
2711  {
2712  c->c2.to_tun.len = 0;
2713  }
2714  }
2715  }
2716 
2717  /* postprocess and set wakeup */
2718  ret = multi_process_post(m, m->pending, mpp_flags);
2719 
2720  clear_prefix();
2721  }
2722 
2723  gc_free(&gc);
2724  return ret;
2725 }
2726 
2727 /*
2728  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2729  * i.e. server -> client direction.
2730  */
2731 bool
2732 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
2733 {
2734  struct gc_arena gc = gc_new();
2735  bool ret = true;
2736 
2737  if (BLEN(&m->top.c2.buf) > 0)
2738  {
2739  unsigned int mroute_flags;
2740  struct mroute_addr src, dest;
2741  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
2742 
2743 #ifdef ENABLE_PF
2744  struct mroute_addr esrc, *e1, *e2;
2745  if (dev_type == DEV_TYPE_TUN)
2746  {
2747  e1 = NULL;
2748  e2 = &src;
2749  }
2750  else
2751  {
2752  e1 = e2 = &esrc;
2753  mroute_addr_reset(&esrc);
2754  }
2755 #endif
2756 
2757 #ifdef MULTI_DEBUG_EVENT_LOOP
2758  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
2759 #endif
2760 
2761  if (m->pending)
2762  {
2763  return true;
2764  }
2765 
2766  /*
2767  * Route an incoming tun/tap packet to
2768  * the appropriate multi_instance object.
2769  */
2770 
2771  mroute_flags = mroute_extract_addr_from_packet(&src,
2772  &dest,
2773 #ifdef ENABLE_PF
2774  e1,
2775 #else
2776  NULL,
2777 #endif
2778  NULL,
2779  &m->top.c2.buf,
2780  dev_type);
2781 
2782  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2783  {
2784  struct context *c;
2785 
2786  /* broadcast or multicast dest addr? */
2787  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2788  {
2789  /* for now, treat multicast as broadcast */
2790 #ifdef ENABLE_PF
2791  multi_bcast(m, &m->top.c2.buf, NULL, e2);
2792 #else
2793  multi_bcast(m, &m->top.c2.buf, NULL, NULL);
2794 #endif
2795  }
2796  else
2797  {
2799 
2800  if (m->pending)
2801  {
2802  /* get instance context */
2803  c = &m->pending->context;
2804 
2805  set_prefix(m->pending);
2806 
2807 #ifdef ENABLE_PF
2808  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
2809  {
2810  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2811  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
2812  buf_reset_len(&c->c2.buf);
2813  }
2814  else
2815 #endif
2816  {
2817  if (multi_output_queue_ready(m, m->pending))
2818  {
2819  /* transfer packet pointer from top-level context buffer to instance */
2820  c->c2.buf = m->top.c2.buf;
2821  }
2822  else
2823  {
2824  /* drop packet */
2825  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2826  buf_reset_len(&c->c2.buf);
2827  }
2828  }
2829 
2830  /* encrypt in instance context */
2832 
2833  /* postprocess and set wakeup */
2834  ret = multi_process_post(m, m->pending, mpp_flags);
2835 
2836  clear_prefix();
2837  }
2838  }
2839  }
2840  }
2841  gc_free(&gc);
2842  return ret;
2843 }
2844 
2845 /*
2846  * Process a possible client-to-client/bcast/mcast message in the
2847  * queue.
2848  */
2849 struct multi_instance *
2851 {
2852  struct mbuf_item item;
2853 
2854  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
2855  {
2856  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
2857 
2858  set_prefix(item.instance);
2859  item.instance->context.c2.buf = item.buffer->buf;
2860  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2861  {
2862  pip_flags |= PIP_MSSFIX;
2863  }
2864  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
2865  encrypt_sign(&item.instance->context, true);
2866  mbuf_free_buf(item.buffer);
2867 
2868  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2869 
2870  clear_prefix();
2871  return item.instance;
2872  }
2873  else
2874  {
2875  return NULL;
2876  }
2877 }
2878 
2879 /*
2880  * Called when an I/O wait times out. Usually means that a particular
2881  * client instance object needs timer-based service.
2882  */
2883 bool
2884 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
2885 {
2886  bool ret = true;
2887 
2888 #ifdef MULTI_DEBUG_EVENT_LOOP
2889  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2890 #endif
2891 
2892  /* instance marked for wakeup? */
2893  if (m->earliest_wakeup)
2894  {
2896  {
2899  }
2900  else
2901  {
2903  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
2904  clear_prefix();
2905  }
2906  m->earliest_wakeup = NULL;
2907  }
2908  return ret;
2909 }
2910 
2911 /*
2912  * Drop a TUN/TAP outgoing packet..
2913  */
2914 void
2915 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
2916 {
2917  struct multi_instance *mi = m->pending;
2918 
2919  ASSERT(mi);
2920 
2921  set_prefix(mi);
2922 
2923  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2924  mi->context.c2.to_tun.len);
2925 
2926  buf_reset(&mi->context.c2.to_tun);
2927 
2928  multi_process_post(m, mi, mpp_flags);
2929  clear_prefix();
2930 }
2931 
2932 /*
2933  * Per-client route quota management
2934  */
2935 
2936 void
2938 {
2939  struct gc_arena gc = gc_new();
2940  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2942  multi_instance_string(mi, false, &gc));
2943  gc_free(&gc);
2944 }
2945 
2946 #ifdef ENABLE_DEBUG
2947 /*
2948  * Flood clients with random packets
2949  */
2950 static void
2951 gremlin_flood_clients(struct multi_context *m)
2952 {
2953  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
2954  if (level)
2955  {
2956  struct gc_arena gc = gc_new();
2957  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
2958  struct packet_flood_parms parm = get_packet_flood_parms(level);
2959  int i;
2960 
2961  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
2962  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
2963 
2964  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2965  parm.n_packets,
2966  parm.packet_size);
2967 
2968  for (i = 0; i < parm.packet_size; ++i)
2969  {
2970  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
2971  }
2972 
2973  for (i = 0; i < parm.n_packets; ++i)
2974  {
2975  multi_bcast(m, &buf, NULL, NULL);
2976  }
2977 
2978  gc_free(&gc);
2979  }
2980 }
2981 #endif /* ifdef ENABLE_DEBUG */
2982 
2983 static bool
2985 {
2986  struct timeval null;
2987  CLEAR(null);
2989 }
2990 
2991 /*
2992  * Process timers in the top-level context
2993  */
2994 void
2996 {
2997  /* possibly reap instances/routes in vhash */
2998  multi_reap_process(m);
2999 
3000  /* possibly print to status log */
3001  if (m->top.c1.status_output)
3002  {
3004  {
3006  }
3007  }
3008 
3009  /* possibly flush ifconfig-pool file */
3010  multi_ifconfig_pool_persist(m, false);
3011 
3012 #ifdef ENABLE_DEBUG
3013  gremlin_flood_clients(m);
3014 #endif
3015 
3016  /* Should we check for stale routes? */
3018  {
3019  check_stale_routes(m);
3020  }
3021 }
3022 
3023 void
3024 multi_top_init(struct multi_context *m, const struct context *top)
3025 {
3026  inherit_context_top(&m->top, top);
3027  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3028 }
3029 
3030 void
3032 {
3033  close_context(&m->top, -1, CC_GC_FREE);
3035 }
3036 
3037 static bool
3039 {
3040  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3041 }
3042 
3043 static void
3045 {
3046  struct hash_iterator hi;
3047  struct hash_element *he;
3048  struct timeval tv;
3049 
3050  /* tell all clients to restart */
3051  hash_iterator_init(m->iter, &hi);
3052  while ((he = hash_iterator_next(&hi)))
3053  {
3054  struct multi_instance *mi = (struct multi_instance *) he->value;
3055  if (!mi->halt)
3056  {
3057  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3059  }
3060  }
3061  hash_iterator_free(&hi);
3062 
3063  /* reschedule signal */
3065  tv.tv_sec = 2;
3066  tv.tv_usec = 0;
3068 
3070 
3075 
3076  m->top.sig->signal_received = 0;
3077 }
3078 
3079 /*
3080  * Return true if event loop should break,
3081  * false if it should continue.
3082  */
3083 bool
3085 {
3086  if (m->top.sig->signal_received == SIGUSR2)
3087  {
3088  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3090  status_close(so);
3091  m->top.sig->signal_received = 0;
3092  return false;
3093  }
3094  else if (proto_is_dgram(m->top.options.ce.proto)
3098  {
3100  return false;
3101  }
3102  return true;
3103 }
3104 
3105 /*
3106  * Called when an instance should be closed due to the
3107  * reception of a soft signal.
3108  */
3109 void
3111 {
3112  remap_signal(&mi->context);
3113  set_prefix(mi);
3114  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3115  clear_prefix();
3116  multi_close_instance(m, mi, false);
3117 }
3118 
3119 static void
3120 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3121 {
3122  mi->context.sig->signal_received = sig;
3124 }
3125 
3126 /*
3127  * Management subsystem callbacks
3128  */
3129 
3130 #ifdef ENABLE_MANAGEMENT
3131 
3132 static void
3133 management_callback_status(void *arg, const int version, struct status_output *so)
3134 {
3135  struct multi_context *m = (struct multi_context *) arg;
3136 
3137  if (!version)
3138  {
3140  }
3141  else
3142  {
3143  multi_print_status(m, so, version);
3144  }
3145 }
3146 
3147 static int
3149 {
3150  struct multi_context *m = (struct multi_context *) arg;
3151  return m->n_clients;
3152 }
3153 
3154 static int
3155 management_callback_kill_by_cn(void *arg, const char *del_cn)
3156 {
3157  struct multi_context *m = (struct multi_context *) arg;
3158  struct hash_iterator hi;
3159  struct hash_element *he;
3160  int count = 0;
3161 
3162  hash_iterator_init(m->iter, &hi);
3163  while ((he = hash_iterator_next(&hi)))
3164  {
3165  struct multi_instance *mi = (struct multi_instance *) he->value;
3166  if (!mi->halt)
3167  {
3168  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3169  if (cn && !strcmp(cn, del_cn))
3170  {
3172  ++count;
3173  }
3174  }
3175  }
3176  hash_iterator_free(&hi);
3177  return count;
3178 }
3179 
3180 static int
3181 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3182 {
3183  struct multi_context *m = (struct multi_context *) arg;
3184  struct hash_iterator hi;
3185  struct hash_element *he;
3186  struct openvpn_sockaddr saddr;
3187  struct mroute_addr maddr;
3188  int count = 0;
3189 
3190  CLEAR(saddr);
3191  saddr.addr.in4.sin_family = AF_INET;
3192  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3193  saddr.addr.in4.sin_port = htons(port);
3194  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3195  {
3196  hash_iterator_init(m->iter, &hi);
3197  while ((he = hash_iterator_next(&hi)))
3198  {
3199  struct multi_instance *mi = (struct multi_instance *) he->value;
3200  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3201  {
3203  ++count;
3204  }
3205  }
3206  hash_iterator_free(&hi);
3207  }
3208  return count;
3209 }
3210 
3211 static void
3213 {
3214  struct multi_context *m = (struct multi_context *) arg;
3215  if (m->mtcp)
3216  {
3217  multi_tcp_delete_event(m->mtcp, event);
3218  }
3219 }
3220 
3221 #endif /* ifdef ENABLE_MANAGEMENT */
3222 
3223 #ifdef MANAGEMENT_DEF_AUTH
3224 
3225 static struct multi_instance *
3226 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3227 {
3228  if (m)
3229  {
3230  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3231  if (mi && !mi->halt)
3232  {
3233  return mi;
3234  }
3235  }
3236  return NULL;
3237 }
3238 
3239 static bool
3240 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3241 {
3242  struct multi_context *m = (struct multi_context *) arg;
3243  struct multi_instance *mi = lookup_by_cid(m, cid);
3244  if (mi)
3245  {
3246  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3248  return true;
3249  }
3250  else
3251  {
3252  return false;
3253  }
3254 }
3255 
3256 static bool
3257 management_client_auth(void *arg,
3258  const unsigned long cid,
3259  const unsigned int mda_key_id,
3260  const bool auth,
3261  const char *reason,
3262  const char *client_reason,
3263  struct buffer_list *cc_config) /* ownership transferred */
3264 {
3265  struct multi_context *m = (struct multi_context *) arg;
3266  struct multi_instance *mi = lookup_by_cid(m, cid);
3267  bool cc_config_owned = true;
3268  bool ret = false;
3269 
3270  if (mi)
3271  {
3272  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3273  if (ret)
3274  {
3275  if (auth)
3276  {
3277  if (!mi->connection_established_flag)
3278  {
3279  set_cc_config(mi, cc_config);
3280  cc_config_owned = false;
3281  }
3282  }
3283  else
3284  {
3285  if (reason)
3286  {
3287  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3288  }
3290  {
3291  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3293  }
3294  }
3295  }
3296  }
3297  if (cc_config_owned && cc_config)
3298  {
3299  buffer_list_free(cc_config);
3300  }
3301  return ret;
3302 }
3303 
3304 static char *
3305 management_get_peer_info(void *arg, const unsigned long cid)
3306 {
3307  struct multi_context *m = (struct multi_context *) arg;
3308  struct multi_instance *mi = lookup_by_cid(m, cid);
3309  char *ret = NULL;
3310 
3311  if (mi)
3312  {
3313  ret = tls_get_peer_info(mi->context.c2.tls_multi);
3314  }
3315 
3316  return ret;
3317 }
3318 
3319 #endif /* ifdef MANAGEMENT_DEF_AUTH */
3320 
3321 #ifdef MANAGEMENT_PF
3322 static bool
3323 management_client_pf(void *arg,
3324  const unsigned long cid,
3325  struct buffer_list *pf_config) /* ownership transferred */
3326 {
3327  struct multi_context *m = (struct multi_context *) arg;
3328  struct multi_instance *mi = lookup_by_cid(m, cid);
3329  bool ret = false;
3330 
3331  if (mi && pf_config)
3332  {
3333  ret = pf_load_from_buffer_list(&mi->context, pf_config);
3334  }
3335 
3336  if (pf_config)
3337  {
3338  buffer_list_free(pf_config);
3339  }
3340  return ret;
3341 }
3342 #endif /* ifdef MANAGEMENT_PF */
3343 
3344 void
3346 {
3347 #ifdef ENABLE_MANAGEMENT
3348  if (management)
3349  {
3350  struct management_callback cb;
3351  CLEAR(cb);
3352  cb.arg = m;
3353  cb.flags = MCF_SERVER;
3360 #ifdef MANAGEMENT_DEF_AUTH
3361  cb.kill_by_cid = management_kill_by_cid;
3362  cb.client_auth = management_client_auth;
3363  cb.get_peer_info = management_get_peer_info;
3364 #endif
3365 #ifdef MANAGEMENT_PF
3366  cb.client_pf = management_client_pf;
3367 #endif
3369  }
3370 #endif /* ifdef ENABLE_MANAGEMENT */
3371 }
3372 
3373 /*
3374  * Top level event loop.
3375  */
3376 void
3378 {
3379  ASSERT(top->options.mode == MODE_SERVER);
3380 
3381  if (proto_is_dgram(top->options.ce.proto))
3382  {
3383  tunnel_server_udp(top);
3384  }
3385  else
3386  {
3387  tunnel_server_tcp(top);
3388  }
3389 }
3390 
3391 #else /* if P2MP_SERVER */
3392 static void
3393 dummy(void)
3394 {
3395 }
3396 #endif /* P2MP_SERVER */
#define M_NONFATAL
Definition: error.h:95
struct env_set * es
Definition: openvpn.h:428
uint8_t type
Definition: mroute.h:80
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3044
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:174
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:437
#define MR_WITH_NETBITS
Definition: mroute.h:72
static bool is_exit_restart(int sig)
Definition: multi.c:3038
static void register_activity(struct context *c, const int size)
Definition: forward.h:349
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:211
struct buffer to_link
Definition: openvpn.h:385
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1750
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3120
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2915
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:274
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:165
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:158
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:100
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1161
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:240
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:240
#define REAP_DIVISOR
Definition: multi.h:526
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
struct iroute * next
Definition: route.h:238
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:140
struct in6_addr reporting_addr_ipv6
Definition: multi.h:99
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:503
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
#define CAS_PENDING
Definition: openvpn.h:455
counter_type link_write_bytes
Definition: openvpn.h:286
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:406
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2417
#define MULTI_ROUTE_CACHE
Definition: multi.h:202
struct argv argv_new(void)
Definition: argv.c:52
#define M_OPTERR
Definition: error.h:105
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:369
int signal_received
Definition: multi.h:62
bool connection_established_flag
Definition: multi.h:108
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:239
void hash_free(struct hash *hash)
Definition: list.c:66
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:167
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2992
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:501
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:295
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:491
pool_type
Definition: pool.h:37
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1112
bool push_ifconfig_defined
Definition: openvpn.h:442
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:438
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:473
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:42
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:508
#define dmsg
Definition: error.h:174
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:209
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4601
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:417
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:487
in_addr_t push_ifconfig_local
Definition: openvpn.h:444
bool enable_c2c
Definition: options.h:459
union openvpn_sockaddr::@8 addr
struct ifconfig_pool * ifconfig_pool_init(enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
int push_ifconfig_ipv6_netbits
Definition: options.h:456
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:504
struct in6_addr network
Definition: route.h:242
struct buffer buf
Definition: openvpn.h:383
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1584
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:83
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4781
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:927
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3133
#define SIGUSR1
Definition: config-msvc.h:116
const void * key
Definition: list.h:50
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:571
#define MR_ADDR_MASK
Definition: mroute.h:66
struct multi_reap * reaper
Definition: multi.h:159
struct context_buffers * buffers
Definition: openvpn.h:375
struct multi_instance * instance
Definition: multi.h:200
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:448
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:449
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
bool ifconfig_pool_defined
Definition: options.h:423
void multi_top_free(struct multi_context *m)
Definition: multi.c:3031
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:560
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:195
#define D_PF_DROPPED
Definition: errlevel.h:101
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:96
struct link_socket_info * link_socket_info
Definition: openvpn.h:254
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4127
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3212
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:203
in_addr_t remote_netmask
Definition: tun.h:154
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:409
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:451
static int management_callback_n_clients(void *arg)
Definition: multi.c:3148
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:457
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1580
int status_file_version
Definition: multi.h:164
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:534
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:431
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1359
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr)
Definition: multi.c:2208
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:104
ifconfig_pool_handle vaddr_handle
Definition: multi.h:90
bool did_iter
Definition: multi.h:103
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:91
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3084
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1446
struct event_timeout stale_routes_check_et
Definition: multi.h:184
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:528
#define MAX_PEER_ID
Definition: openvpn.h:575
int cf_max
Definition: options.h:461
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:462
void pre_select(struct context *c)
Definition: forward.c:1927
static void dummy(void)
Definition: comp-lz4.c:319
unsigned int cache_generation
Definition: mroute.h:131
#define SIGTERM
Definition: config-msvc.h:118
struct mroute_addr::@0::@2 v6
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
#define MCF_SERVER
Definition: manage.h:158
#define ASSERT(x)
Definition: error.h:221
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2168
in_addr_t ifconfig_pool_end
Definition: options.h:425
static bool check_debug_level(unsigned int level)
Definition: error.h:245
bool did_open_context
Definition: multi.h:101
#define OPENVPN_PLUGIN_FUNC_SUCCESS
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:579
const char * client_disconnect_script
Definition: options.h:437
int explicit_exit_notification
Definition: options.h:121
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1273
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:2732
bool platform_unlink(const char *filename)
Definition: platform.c:287
unsigned int flags
Definition: multi.h:204
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
int context_auth
Definition: openvpn.h:459
int n_clients
Definition: multi.h:165
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:679
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:41
static void clear_prefix(void)
Definition: multi.h:508
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:42
static void setenv_stats(struct context *c)
Definition: multi.c:553
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3181
bool did_real_hash
Definition: multi.h:102
#define MODE_SERVER
Definition: options.h:197
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:258
#define PIP_MSSFIX
Definition: forward.h:321
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:220
int netbits
Definition: route.h:237
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:607
in_addr_t addr
Definition: mroute.h:87
void status_flush(struct status_output *so)
Definition: status.c:172
int n_clients_delta
Definition: multi.h:110
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:419
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:150
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:44
int cf_per
Definition: options.h:462
void multi_uninit(struct multi_context *m)
Definition: multi.c:710
bool status_close(struct status_output *so)
Definition: status.c:203
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:541
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:320
static void multi_route_del(struct multi_route *route)
Definition: multi.h:453
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:450
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:416
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:85
in_addr_t push_ifconfig_local
Definition: options.h:447
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3024
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4476
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3155
time_t last_reference
Definition: multi.h:207
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
#define CAS_PARTIAL
Definition: openvpn.h:457
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3290
in_addr_t local
Definition: tun.h:153
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3345
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:528
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:2415
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define MAPF_SHOW_ARP
Definition: mroute.h:158
int stale_routes_check_interval
Definition: options.h:465
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:166
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:424
#define OPT_P_INSTANCE
Definition: options.h:664
counter_type link_read_bytes
Definition: openvpn.h:284
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:198
bool ifconfig_ipv6_pool_defined
Definition: options.h:430
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:378
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:452
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4801
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:257
int ifconfig_ipv6_netbits
Definition: options.h:247
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:496
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:446
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:52
bool did_iroutes
Definition: multi.h:109
#define MPP_PRE_SELECT
Definition: multi.h:256
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:766
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:147
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:365
int topology
Definition: options.h:243
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2972
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:243
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:461
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1240
struct iroute * iroutes
Definition: options.h:444
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:657
unsigned int cache_generation
Definition: multi.h:206
struct frame frame
Definition: openvpn.h:261
#define DEV_TYPE_TUN
Definition: proto.h:37
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2305
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:312
struct timeval timeval
Definition: openvpn.h:402
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:249
int virtual_hash_size
Definition: options.h:435
Definition: schedule.h:46
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3110
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:201
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:450
#define D_MULTI_DEBUG
Definition: errlevel.h:124
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3267
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:805
unsigned __int32 uint32_t
Definition: config-msvc.h:121
int tcp_queue_limit
Definition: options.h:443
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:112
const char * client_config_dir
Definition: options.h:439
const char * ciphername
Definition: options.h:497
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
#define OPT_P_ECHO
Definition: options.h:667
uint8_t len
Definition: mroute.h:78
#define REAP_MAX
Definition: multi.h:528
struct multi_instance * pending
Definition: multi.h:172
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:163
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:149
int buckets_per_pass
Definition: multi.h:54
struct gc_arena gc
Definition: multi.h:78
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:541
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:149
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
in_addr_t network
Definition: route.h:236
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:466
int bucket_base
Definition: multi.h:53
in_addr_t reporting_addr
Definition: multi.h:98
int max_routes_per_client
Definition: options.h:464
struct buffer buf
Definition: buffer.h:1106
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:150
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:587
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:228
int n_bcast_buf
Definition: options.h:442
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:268
int max_clients
Definition: multi.h:162
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:431
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:226
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:395
in_addr_t ifconfig_pool_start
Definition: options.h:424
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:145
struct link_socket * link_socket
Definition: openvpn.h:252
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:41
void argv_parse_cmd(struct argv *a, const char *s)
Definition: argv.c:337
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:2995
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3894
bool status_trigger(struct status_output *so)
Definition: status.c:135
#define M_ERRNO
Definition: error.h:99
#define msg
Definition: error.h:173
struct multi_instance * earliest_wakeup
Definition: multi.h:173
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define DEV_TYPE_UNDEF
Definition: proto.h:35
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:175
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1068
struct connection_entry ce
Definition: options.h:222
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:515
bool push_ifconfig_defined
Definition: options.h:446
void schedule_free(struct schedule *s)
Definition: schedule.c:425
struct context_2 c2
Level 2 context.
Definition: openvpn.h:542
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1427
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:137
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:151
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:156
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:292
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2224
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:436
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:162
#define OPT_P_TIMER
Definition: options.h:654
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:431
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:115
in_addr_t ifconfig_pool_netmask
Definition: options.h:426
bool disable
Definition: options.h:441
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:769
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:402
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:195
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:143
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1310
int(* n_clients)(void *arg)
Definition: manage.h:166
bool halt
Definition: multi.h:80
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3377
struct buffer_entry * next
Definition: buffer.h:1107
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:154
#define REAP_MIN
Definition: multi.h:527
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:125
#define CAS_SUCCEEDED
Definition: openvpn.h:454
__int64 int64_t
Definition: config-msvc.h:124
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2646
unsigned __int8 uint8_t
Definition: config-msvc.h:123
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:2850
const char * tmp_dir
Definition: options.h:401
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:147
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2189
struct mroute_addr local
Definition: multi.h:160
unsigned int netbits
Definition: route.h:243
int max_clients
Definition: options.h:463
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:286
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:448
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:411
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:977
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:226
int status_file_version
Definition: options.h:331
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:88
#define SIGINT
Definition: config-msvc.h:115
struct timeval wakeup
Definition: multi.h:87
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3103
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2326
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:164
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:40
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:894
#define SIGUSR2
Definition: config-msvc.h:117
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:178
void argv_printf_cat(struct argv *a, const char *format,...)
Definition: argv.c:328
#define OPT_P_INHERIT
Definition: options.h:668
bool push_ifconfig_ipv6_defined
Definition: options.h:454
Main OpenVPN server state structure.
Definition: multi.h:131
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:518
bool push_reply_deferred
Definition: openvpn.h:438
#define CAS_FAILED
Definition: openvpn.h:456
time_t last_call
Definition: multi.h:55
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:6
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:259
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:86
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:556
bool proto_is_dgram(int proto)
Definition: socket.c:3168
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1844
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:648
struct fragment_master * fragment
Definition: openvpn.h:266
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:460
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1397
struct status_output * status_output
Definition: openvpn.h:180
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:131
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:326
#define OPT_P_SOCKFLAGS
Definition: options.h:673
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:530
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:434
int n_net_len
Definition: mroute.h:133
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:2984
#define MR_ADDR_IPV6
Definition: mroute.h:65
int thread_mode
Definition: multi.h:138
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:240
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:211
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:143
in_addr_t push_ifconfig_local_alias
Definition: options.h:449
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:2492
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1669
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:533
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:147
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:185
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:564
Definition: route.h:235
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:445
static int constrain_int(int x, int min, int max)
Definition: integer.h:70
#define M_WARN
Definition: error.h:96
static int min_int(int x, int y)
Definition: integer.h:57
#define MC_WORK_THREAD
Definition: multi.h:137
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:211
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:161
struct frequency_limit * new_connection_limiter
Definition: multi.h:157
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:217
unsigned int flags
Definition: manage.h:159
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:324
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:163
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:178
void * value
Definition: list.h:49
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:241
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1636
#define TUNNEL_TYPE(tt)
Definition: tun.h:134
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:377
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:164
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:172
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:326
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:191
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1784
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:859
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:443
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1146
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:209
struct link_socket_actual from
Definition: openvpn.h:258
void argv_reset(struct argv *a)
Definition: argv.c:60
int process_incoming_push_request(struct context *c)
Definition: push.c:662
struct iroute_ipv6 * next
Definition: route.h:244
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1771
#define OPT_P_CONFIG
Definition: options.h:665
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:134
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:51
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:137
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:76
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1004
Definition: argv.h:35
uint8_t netbits
Definition: mroute.h:81
struct buffer to_tun
Definition: openvpn.h:384
in_addr_t push_ifconfig_constraint_network
Definition: options.h:451
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3090
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2283
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:573
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:60
bool duplicate_cn
Definition: options.h:460
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
int stale_routes_ageing_time
Definition: options.h:466
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:337
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:164
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:229
struct timeval wakeup
Definition: multi.h:63
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:445
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1390
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:257
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:57
struct in6_addr local_ipv6
Definition: tun.h:157
struct mroute_addr addr
Definition: multi.h:199
void status_reset(struct status_output *so)
Definition: status.c:163
const char title_string[]
Definition: options.c:65
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:132
void argv_printf(struct argv *a, const char *format,...)
Definition: argv.c:318
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:262
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:250
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2884
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:455
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:68
int ifconfig_ipv6_pool_netbits
Definition: options.h:432
#define OPT_P_PUSH
Definition: options.h:663
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:240
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4549
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:2937