OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #if P2MP_SERVER
38 
39 #include "forward.h"
40 #include "multi.h"
41 #include "push.h"
42 #include "run_command.h"
43 #include "otime.h"
44 #include "pf.h"
45 #include "gremlin.h"
46 #include "mstats.h"
47 #include "ssl_verify.h"
48 #include <inttypes.h>
49 
50 #include "memdbg.h"
51 
52 
53 #include "crypto_backend.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef MANAGEMENT_DEF_AUTH
73 static void
74 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
75 {
76  if (mi->cc_config)
77  {
78  buffer_list_free(mi->cc_config);
79  }
80  mi->cc_config = cc_config;
81 }
82 #endif
83 
84 static inline void
85 update_mstat_n_clients(const int n_clients)
86 {
87 #ifdef ENABLE_MEMSTATS
88  if (mmap_stats)
89  {
90  mmap_stats->n_clients = n_clients;
91  }
92 #endif
93 }
94 
95 static bool
97  const struct multi_instance *mi,
98  const char *op,
99  const struct mroute_addr *addr)
100 {
101  struct gc_arena gc = gc_new();
102  struct env_set *es;
103  bool ret = true;
104  struct plugin_list *plugins;
105 
106  /* get environmental variable source */
107  if (mi && mi->context.c2.es)
108  {
109  es = mi->context.c2.es;
110  }
111  else
112  {
113  es = env_set_create(&gc);
114  }
115 
116  /* get plugin source */
117  if (mi)
118  {
119  plugins = mi->context.plugins;
120  }
121  else
122  {
123  plugins = m->top.plugins;
124  }
125 
127  {
128  struct argv argv = argv_new();
129  argv_printf(&argv, "%s %s",
130  op,
131  mroute_addr_print(addr, &gc));
132  if (mi)
133  {
134  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
135  }
136  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
137  {
138  msg(M_WARN, "WARNING: learn-address plugin call failed");
139  ret = false;
140  }
141  argv_reset(&argv);
142  }
143 
145  {
146  struct argv argv = argv_new();
147  setenv_str(es, "script_type", "learn-address");
149  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
150  if (mi)
151  {
152  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
153  }
154  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
155  {
156  ret = false;
157  }
158  argv_reset(&argv);
159  }
160 
161  gc_free(&gc);
162  return ret;
163 }
164 
165 void
167 {
168  /* write pool data to file */
169  if (m->ifconfig_pool
172  {
174  }
175 }
176 
177 static void
179  int start_bucket,
180  int end_bucket)
181 {
182  struct gc_arena gc = gc_new();
183  struct hash_iterator hi;
184  struct hash_element *he;
185 
186  if (start_bucket < 0)
187  {
188  start_bucket = 0;
189  end_bucket = hash_n_buckets(m->vhash);
190  }
191 
192  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
193  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
194  while ((he = hash_iterator_next(&hi)) != NULL)
195  {
196  struct multi_route *r = (struct multi_route *) he->value;
197  if (!multi_route_defined(m, r))
198  {
199  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
200  mroute_addr_print(&r->addr, &gc));
201  learn_address_script(m, NULL, "delete", &r->addr);
202  multi_route_del(r);
204  }
205  }
206  hash_iterator_free(&hi);
207  gc_free(&gc);
208 }
209 
210 static void
212 {
213  multi_reap_range(m, -1, 0);
214 }
215 
216 static struct multi_reap *
218 {
219  struct multi_reap *mr;
220  ALLOC_OBJ(mr, struct multi_reap);
221  mr->bucket_base = 0;
223  mr->last_call = now;
224  return mr;
225 }
226 
227 void
229 {
230  struct multi_reap *mr = m->reaper;
231  if (mr->bucket_base >= hash_n_buckets(m->vhash))
232  {
233  mr->bucket_base = 0;
234  }
236  mr->bucket_base += mr->buckets_per_pass;
237  mr->last_call = now;
238 }
239 
240 static void
242 {
243  free(mr);
244 }
245 
246 /*
247  * How many buckets in vhash to reap per pass.
248  */
249 static int
250 reap_buckets_per_pass(int n_buckets)
251 {
252  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
253 }
254 
255 #ifdef MANAGEMENT_DEF_AUTH
256 
257 static uint32_t
258 cid_hash_function(const void *key, uint32_t iv)
259 {
260  const unsigned long *k = (const unsigned long *)key;
261  return (uint32_t) *k;
262 }
263 
264 static bool
265 cid_compare_function(const void *key1, const void *key2)
266 {
267  const unsigned long *k1 = (const unsigned long *)key1;
268  const unsigned long *k2 = (const unsigned long *)key2;
269  return *k1 == *k2;
270 }
271 
272 #endif
273 
274 #ifdef ENABLE_ASYNC_PUSH
275 static uint32_t
276 /*
277  * inotify watcher descriptors are used as hash value
278  */
279 int_hash_function(const void *key, uint32_t iv)
280 {
281  return (unsigned long)key;
282 }
283 
284 static bool
285 int_compare_function(const void *key1, const void *key2)
286 {
287  return (unsigned long)key1 == (unsigned long)key2;
288 }
289 #endif
290 
291 /*
292  * Main initialization function, init multi_context object.
293  */
294 void
295 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
296 {
297  int dev = DEV_TYPE_UNDEF;
298 
299  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
302 
303  /*
304  * Get tun/tap/null device type
305  */
306  dev = dev_type_enum(t->options.dev, t->options.dev_type);
307 
308  /*
309  * Init our multi_context object.
310  */
311  CLEAR(*m);
312 
313  m->thread_mode = thread_mode;
314 
315  /*
316  * Real address hash table (source port number is
317  * considered to be part of the address). Used
318  * to determine which client sent an incoming packet
319  * which is seen on the TCP/UDP socket.
320  */
322  get_random(),
325 
326  /*
327  * Virtual address hash table. Used to determine
328  * which client to route a packet to.
329  */
331  get_random(),
334 
335  /*
336  * This hash table is a clone of m->hash but with a
337  * bucket size of one so that it can be used
338  * for fast iteration through the list.
339  */
340  m->iter = hash_init(1,
341  get_random(),
344 
345 #ifdef MANAGEMENT_DEF_AUTH
346  m->cid_hash = hash_init(t->options.real_hash_size,
347  0,
348  cid_hash_function,
349  cid_compare_function);
350 #endif
351 
352 #ifdef ENABLE_ASYNC_PUSH
353  /*
354  * Mapping between inotify watch descriptors and
355  * multi_instances.
356  */
357  m->inotify_watchers = hash_init(t->options.real_hash_size,
358  get_random(),
359  int_hash_function,
360  int_compare_function);
361 #endif
362 
363  /*
364  * This is our scheduler, for time-based wakeup
365  * events.
366  */
367  m->schedule = schedule_init();
368 
369  /*
370  * Limit frequency of incoming connections to control
371  * DoS.
372  */
374  t->options.cf_per);
375 
376  /*
377  * Allocate broadcast/multicast buffer list
378  */
380 
381  /*
382  * Different status file format options are available
383  */
385 
386  /*
387  * Possibly allocate an ifconfig pool, do it
388  * differently based on whether a tun or tap style
389  * tunnel.
390  */
392  {
394 
395  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
396  {
397  pool_type = IFCONFIG_POOL_30NET;
398  }
399 
400  m->ifconfig_pool = ifconfig_pool_init(pool_type,
407 
408  /* reload pool data from file */
409  if (t->c1.ifconfig_pool_persist)
410  {
412  }
413  }
414 
415  /*
416  * Help us keep track of routing table.
417  */
419 
420  /*
421  * Initialize route and instance reaper.
422  */
424 
425  /*
426  * Get local ifconfig address
427  */
428  CLEAR(m->local);
429  ASSERT(t->c1.tuntap);
431 
432  /*
433  * Per-client limits
434  */
436 
437  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
438 
439  /*
440  * Initialize multi-socket TCP I/O wait object
441  */
442  if (tcp_mode)
443  {
445  }
447 
448  /*
449  * Allow client <-> client communication, without going through
450  * tun/tap interface and network stack?
451  */
452  m->enable_c2c = t->options.enable_c2c;
453 
454  /* initialize stale routes check timer */
456  {
457  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
460  }
461 
463 }
464 
465 const char *
466 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
467 {
468  if (mi)
469  {
470  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
471  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
472 
473  if (cn)
474  {
475  buf_printf(&out, "%s/", cn);
476  }
477  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
478  return BSTR(&out);
479  }
480  else if (null)
481  {
482  return NULL;
483  }
484  else
485  {
486  return "UNDEF";
487  }
488 }
489 
490 static void
492 {
493  struct gc_arena gc = gc_new();
494  const char *prefix = multi_instance_string(mi, true, &gc);
495  if (prefix)
496  {
497  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
498  }
499  else
500  {
501  mi->msg_prefix[0] = '\0';
502  }
503  set_prefix(mi);
504  gc_free(&gc);
505 }
506 
507 void
509 {
510  mi->msg_prefix[0] = '\0';
511  set_prefix(mi);
512 }
513 
514 static const char *
515 mi_prefix(const struct multi_instance *mi)
516 {
517  if (mi && mi->msg_prefix[0])
518  {
519  return mi->msg_prefix;
520  }
521  else
522  {
523  return "UNDEF_I";
524  }
525 }
526 
527 /*
528  * Tell the route helper about deleted iroutes so
529  * that it can update its mask of currently used
530  * CIDR netlengths.
531  */
532 static void
534  struct multi_instance *mi)
535 {
536  const struct iroute *ir;
537  const struct iroute_ipv6 *ir6;
539  {
540  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
541  {
543  }
544 
545  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
546  {
548  }
549  }
550 }
551 
552 static void
554 {
555  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
556  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
557 }
558 
559 static void
561  struct multi_instance *mi)
562 {
563  /* setenv client real IP address */
565 
566  /* setenv stats */
567  setenv_stats(&mi->context);
568 
569  /* setenv connection duration */
570  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
571 }
572 
573 static void
575  struct multi_instance *mi)
576 {
579  {
581 
583  {
585  {
586  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
587  }
588  }
589 
591  {
592  struct argv argv = argv_new();
593  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
595  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
596  argv_reset(&argv);
597  }
598 #ifdef MANAGEMENT_DEF_AUTH
599  if (management)
600  {
601  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
602  }
603 #endif
604 
605  }
606 }
607 
608 void
610  struct multi_instance *mi,
611  bool shutdown)
612 {
614 
615  ASSERT(!mi->halt);
616  mi->halt = true;
617 
618  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
619 
620  /* adjust current client connection count */
621  m->n_clients += mi->n_clients_delta;
623  mi->n_clients_delta = 0;
624 
625  /* prevent dangling pointers */
626  if (m->pending == mi)
627  {
628  multi_set_pending(m, NULL);
629  }
630  if (m->earliest_wakeup == mi)
631  {
632  m->earliest_wakeup = NULL;
633  }
634 
635  if (!shutdown)
636  {
637  if (mi->did_real_hash)
638  {
639  ASSERT(hash_remove(m->hash, &mi->real));
640  }
641  if (mi->did_iter)
642  {
643  ASSERT(hash_remove(m->iter, &mi->real));
644  }
645 #ifdef MANAGEMENT_DEF_AUTH
646  if (mi->did_cid_hash)
647  {
648  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
649  }
650 #endif
651 
652 #ifdef ENABLE_ASYNC_PUSH
653  if (mi->inotify_watch != -1)
654  {
655  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
656  mi->inotify_watch = -1;
657  }
658 #endif
659 
660  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
661  {
662  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
663  }
664 
665  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
666 
667  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
668 
669  if (mi->did_iroutes)
670  {
671  multi_del_iroutes(m, mi);
672  mi->did_iroutes = false;
673  }
674 
675  if (m->mtcp)
676  {
678  }
679 
681  }
682 
683 #ifdef MANAGEMENT_DEF_AUTH
684  set_cc_config(mi, NULL);
685 #endif
686 
688 
689  if (mi->did_open_context)
690  {
692  }
693 
695 
696  ungenerate_prefix(mi);
697 
698  /*
699  * Don't actually delete the instance memory allocation yet,
700  * because virtual routes may still point to it. Let the
701  * vhash reaper deal with it.
702  */
704 
705  perf_pop();
706 }
707 
708 /*
709  * Called on shutdown or restart.
710  */
711 void
713 {
714  if (m->thread_mode & MC_WORK_THREAD)
715  {
716  multi_top_free(m);
717  m->thread_mode = MC_UNDEF;
718  }
719  else if (m->thread_mode)
720  {
721  if (m->hash)
722  {
723  struct hash_iterator hi;
724  struct hash_element *he;
725 
726  hash_iterator_init(m->iter, &hi);
727  while ((he = hash_iterator_next(&hi)))
728  {
729  struct multi_instance *mi = (struct multi_instance *) he->value;
730  mi->did_iter = false;
731  multi_close_instance(m, mi, true);
732  }
733  hash_iterator_free(&hi);
734 
735  multi_reap_all(m);
736 
737  hash_free(m->hash);
738  hash_free(m->vhash);
739  hash_free(m->iter);
740 #ifdef MANAGEMENT_DEF_AUTH
741  hash_free(m->cid_hash);
742 #endif
743  m->hash = NULL;
744 
745  free(m->instances);
746 
747 #ifdef ENABLE_ASYNC_PUSH
748  hash_free(m->inotify_watchers);
749  m->inotify_watchers = NULL;
750 #endif
751 
753  mbuf_free(m->mbuf);
758  multi_tcp_free(m->mtcp);
759  m->thread_mode = MC_UNDEF;
760  }
761  }
762 }
763 
764 /*
765  * Create a client instance object for a newly connected client.
766  */
767 struct multi_instance *
769 {
770  struct gc_arena gc = gc_new();
771  struct multi_instance *mi;
772 
774 
775  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
776 
777  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
778 
779  mi->gc = gc_new();
781  mi->vaddr_handle = -1;
782  mi->created = now;
783  mroute_addr_init(&mi->real);
784 
785  if (real)
786  {
787  mi->real = *real;
788  generate_prefix(mi);
789  }
790 
791  mi->did_open_context = true;
792  inherit_context_child(&mi->context, &m->top);
793  if (IS_SIG(&mi->context))
794  {
795  goto err;
796  }
797 
799 
800  if (hash_n_elements(m->hash) >= m->max_clients)
801  {
802  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
803  goto err;
804  }
805 
806  if (!real) /* TCP mode? */
807  {
809  {
810  goto err;
811  }
812  generate_prefix(mi);
813  }
814 
815  if (!hash_add(m->iter, &mi->real, mi, false))
816  {
817  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
818  mroute_addr_print(&mi->real, &gc));
819  goto err;
820  }
821  mi->did_iter = true;
822 
823 #ifdef MANAGEMENT_DEF_AUTH
824  do
825  {
826  mi->context.c2.mda_context.cid = m->cid_counter++;
827  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
828  mi->did_cid_hash = true;
829 #endif
830 
831  mi->context.c2.push_reply_deferred = true;
832 
833 #ifdef ENABLE_ASYNC_PUSH
834  mi->context.c2.push_request_received = false;
835  mi->inotify_watch = -1;
836 #endif
837 
838  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
839  {
840  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
841  goto err;
842  }
843 
844  perf_pop();
845  gc_free(&gc);
846  return mi;
847 
848 err:
849  multi_close_instance(m, mi, false);
850  perf_pop();
851  gc_free(&gc);
852  return NULL;
853 }
854 
855 /*
856  * Dump tables -- triggered by SIGUSR2.
857  * If status file is defined, write to file.
858  * If status file is NULL, write to syslog.
859  */
860 void
861 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
862 {
863  if (m->hash)
864  {
865  struct gc_arena gc_top = gc_new();
866  struct hash_iterator hi;
867  const struct hash_element *he;
868 
869  status_reset(so);
870 
871  if (version == 1) /* WAS: m->status_file_version */
872  {
873  /*
874  * Status file version 1
875  */
876  status_printf(so, "OpenVPN CLIENT LIST");
877  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
878  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
879  hash_iterator_init(m->hash, &hi);
880  while ((he = hash_iterator_next(&hi)))
881  {
882  struct gc_arena gc = gc_new();
883  const struct multi_instance *mi = (struct multi_instance *) he->value;
884 
885  if (!mi->halt)
886  {
887  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
888  tls_common_name(mi->context.c2.tls_multi, false),
889  mroute_addr_print(&mi->real, &gc),
892  time_string(mi->created, 0, false, &gc));
893  }
894  gc_free(&gc);
895  }
896  hash_iterator_free(&hi);
897 
898  status_printf(so, "ROUTING TABLE");
899  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
900  hash_iterator_init(m->vhash, &hi);
901  while ((he = hash_iterator_next(&hi)))
902  {
903  struct gc_arena gc = gc_new();
904  const struct multi_route *route = (struct multi_route *) he->value;
905 
906  if (multi_route_defined(m, route))
907  {
908  const struct multi_instance *mi = route->instance;
909  const struct mroute_addr *ma = &route->addr;
910  char flags[2] = {0, 0};
911 
912  if (route->flags & MULTI_ROUTE_CACHE)
913  {
914  flags[0] = 'C';
915  }
916  status_printf(so, "%s%s,%s,%s,%s",
917  mroute_addr_print(ma, &gc),
918  flags,
919  tls_common_name(mi->context.c2.tls_multi, false),
920  mroute_addr_print(&mi->real, &gc),
921  time_string(route->last_reference, 0, false, &gc));
922  }
923  gc_free(&gc);
924  }
925  hash_iterator_free(&hi);
926 
927  status_printf(so, "GLOBAL STATS");
928  if (m->mbuf)
929  {
930  status_printf(so, "Max bcast/mcast queue length,%d",
932  }
933 
934  status_printf(so, "END");
935  }
936  else if (version == 2 || version == 3)
937  {
938  const char sep = (version == 3) ? '\t' : ',';
939 
940  /*
941  * Status file version 2 and 3
942  */
943  status_printf(so, "TITLE%c%s", sep, title_string);
944  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
945  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
946  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
947  hash_iterator_init(m->hash, &hi);
948  while ((he = hash_iterator_next(&hi)))
949  {
950  struct gc_arena gc = gc_new();
951  const struct multi_instance *mi = (struct multi_instance *) he->value;
952 
953  if (!mi->halt)
954  {
955  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
956 #ifdef MANAGEMENT_DEF_AUTH
957  "%lu"
958 #else
959  ""
960 #endif
961  "%c%" PRIu32 "%c%s",
962  sep, tls_common_name(mi->context.c2.tls_multi, false),
963  sep, mroute_addr_print(&mi->real, &gc),
966  sep, mi->context.c2.link_read_bytes,
967  sep, mi->context.c2.link_write_bytes,
968  sep, time_string(mi->created, 0, false, &gc),
969  sep, (unsigned int)mi->created,
970  sep, tls_username(mi->context.c2.tls_multi, false),
971 #ifdef MANAGEMENT_DEF_AUTH
972  sep, mi->context.c2.mda_context.cid,
973 #else
974  sep,
975 #endif
976  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
978  }
979  gc_free(&gc);
980  }
981  hash_iterator_free(&hi);
982 
983  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
984  sep, sep, sep, sep, sep, sep);
985  hash_iterator_init(m->vhash, &hi);
986  while ((he = hash_iterator_next(&hi)))
987  {
988  struct gc_arena gc = gc_new();
989  const struct multi_route *route = (struct multi_route *) he->value;
990 
991  if (multi_route_defined(m, route))
992  {
993  const struct multi_instance *mi = route->instance;
994  const struct mroute_addr *ma = &route->addr;
995  char flags[2] = {0, 0};
996 
997  if (route->flags & MULTI_ROUTE_CACHE)
998  {
999  flags[0] = 'C';
1000  }
1001  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1002  sep, mroute_addr_print(ma, &gc), flags,
1003  sep, tls_common_name(mi->context.c2.tls_multi, false),
1004  sep, mroute_addr_print(&mi->real, &gc),
1005  sep, time_string(route->last_reference, 0, false, &gc),
1006  sep, (unsigned int)route->last_reference);
1007  }
1008  gc_free(&gc);
1009  }
1010  hash_iterator_free(&hi);
1011 
1012  if (m->mbuf)
1013  {
1014  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1015  sep, sep, mbuf_maximum_queued(m->mbuf));
1016  }
1017 
1018  status_printf(so, "END");
1019  }
1020  else
1021  {
1022  status_printf(so, "ERROR: bad status format version number");
1023  }
1024 
1025 #ifdef PACKET_TRUNCATION_CHECK
1026  {
1027  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1028  hash_iterator_init(m->hash, &hi);
1029  while ((he = hash_iterator_next(&hi)))
1030  {
1031  struct gc_arena gc = gc_new();
1032  const struct multi_instance *mi = (struct multi_instance *) he->value;
1033 
1034  if (!mi->halt)
1035  {
1037  tls_common_name(mi->context.c2.tls_multi, false),
1038  m->top.c2.n_trunc_tun_read,
1039  mi->context.c2.n_trunc_tun_write,
1040  mi->context.c2.n_trunc_pre_encrypt,
1041  mi->context.c2.n_trunc_post_decrypt);
1042  }
1043  gc_free(&gc);
1044  }
1045  hash_iterator_free(&hi);
1046  }
1047 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1048 
1049  status_flush(so);
1050  gc_free(&gc_top);
1051  }
1052 
1053 #ifdef ENABLE_ASYNC_PUSH
1054  if (m->inotify_watchers)
1055  {
1056  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1057  }
1058 #endif
1059 }
1060 
1061 /*
1062  * Learn a virtual address or route.
1063  * The learn will fail if the learn address
1064  * script/plugin fails. In this case the
1065  * return value may be != mi.
1066  * Return the instance which owns this route,
1067  * or NULL if none.
1068  */
1069 static struct multi_instance *
1071  struct multi_instance *mi,
1072  const struct mroute_addr *addr,
1073  const unsigned int flags)
1074 {
1075  struct hash_element *he;
1076  const uint32_t hv = hash_value(m->vhash, addr);
1077  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1078  struct multi_route *oldroute = NULL;
1079  struct multi_instance *owner = NULL;
1080  struct gc_arena gc = gc_new();
1081 
1082  /* if route currently exists, get the instance which owns it */
1083  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1084  if (he)
1085  {
1086  oldroute = (struct multi_route *) he->value;
1087  }
1088  if (oldroute && multi_route_defined(m, oldroute))
1089  {
1090  owner = oldroute->instance;
1091  }
1092 
1093  /* do we need to add address to hash table? */
1094  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1095  && !mroute_addr_equal(addr, &m->local))
1096  {
1097  struct multi_route *newroute;
1098  bool learn_succeeded = false;
1099 
1100  ALLOC_OBJ(newroute, struct multi_route);
1101  newroute->addr = *addr;
1102  newroute->instance = mi;
1103  newroute->flags = flags;
1104  newroute->last_reference = now;
1105  newroute->cache_generation = 0;
1106 
1107  /* The cache is invalidated when cache_generation is incremented */
1108  if (flags & MULTI_ROUTE_CACHE)
1109  {
1111  }
1112 
1113  if (oldroute) /* route already exists? */
1114  {
1115  if (route_quota_test(m, mi) && learn_address_script(m, mi, "update", &newroute->addr))
1116  {
1117  learn_succeeded = true;
1118  owner = mi;
1120  route_quota_inc(mi);
1121 
1122  /* delete old route */
1123  multi_route_del(oldroute);
1124 
1125  /* modify hash table entry, replacing old route */
1126  he->key = &newroute->addr;
1127  he->value = newroute;
1128  }
1129  }
1130  else
1131  {
1132  if (route_quota_test(m, mi) && learn_address_script(m, mi, "add", &newroute->addr))
1133  {
1134  learn_succeeded = true;
1135  owner = mi;
1137  route_quota_inc(mi);
1138 
1139  /* add new route */
1140  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1141  }
1142  }
1143 
1144  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1145  learn_succeeded ? "" : " FAILED",
1146  mroute_addr_print(&newroute->addr, &gc),
1147  multi_instance_string(mi, false, &gc));
1148 
1149  if (!learn_succeeded)
1150  {
1151  free(newroute);
1152  }
1153  }
1154  gc_free(&gc);
1155 
1156  return owner;
1157 }
1158 
1159 /*
1160  * Get client instance based on virtual address.
1161  */
1162 static struct multi_instance *
1164  const struct mroute_addr *addr,
1165  bool cidr_routing)
1166 {
1167  struct multi_route *route;
1168  struct multi_instance *ret = NULL;
1169 
1170  /* check for local address */
1171  if (mroute_addr_equal(addr, &m->local))
1172  {
1173  return NULL;
1174  }
1175 
1176  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1177 
1178  /* does host route (possible cached) exist? */
1179  if (route && multi_route_defined(m, route))
1180  {
1181  struct multi_instance *mi = route->instance;
1182  route->last_reference = now;
1183  ret = mi;
1184  }
1185  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1186  {
1187  struct mroute_helper *rh = m->route_helper;
1188  struct mroute_addr tryaddr;
1189  int i;
1190 
1191  /* cycle through each CIDR length */
1192  for (i = 0; i < rh->n_net_len; ++i)
1193  {
1194  tryaddr = *addr;
1195  tryaddr.type |= MR_WITH_NETBITS;
1196  tryaddr.netbits = rh->net_len[i];
1197  mroute_addr_mask_host_bits(&tryaddr);
1198 
1199  /* look up a possible route with netbits netmask */
1200  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1201 
1202  if (route && multi_route_defined(m, route))
1203  {
1204  /* found an applicable route, cache host route */
1205  struct multi_instance *mi = route->instance;
1207  ret = mi;
1208  break;
1209  }
1210  }
1211  }
1212 
1213 #ifdef ENABLE_DEBUG
1215  {
1216  struct gc_arena gc = gc_new();
1217  const char *addr_text = mroute_addr_print(addr, &gc);
1218  if (ret)
1219  {
1220  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1221  addr_text,
1222  multi_instance_string(ret, false, &gc),
1223  mroute_addr_print(&route->addr, &gc));
1224  }
1225  else
1226  {
1227  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1228  addr_text);
1229  }
1230  gc_free(&gc);
1231  }
1232 #endif
1233 
1234  ASSERT(!(ret && ret->halt));
1235  return ret;
1236 }
1237 
1238 /*
1239  * Helper function to multi_learn_addr().
1240  */
1241 static struct multi_instance *
1243  struct multi_instance *mi,
1244  in_addr_t a,
1245  int netbits, /* -1 if host route, otherwise # of network bits in address */
1246  bool primary)
1247 {
1248  struct openvpn_sockaddr remote_si;
1249  struct mroute_addr addr;
1250 
1251  CLEAR(remote_si);
1252  remote_si.addr.in4.sin_family = AF_INET;
1253  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1254  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1255 
1256  if (netbits >= 0)
1257  {
1258  addr.type |= MR_WITH_NETBITS;
1259  addr.netbits = (uint8_t) netbits;
1260  }
1261 
1262  {
1263  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1264 #ifdef MANAGEMENT_DEF_AUTH
1265  if (management && owner)
1266  {
1267  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1268  }
1269 #endif
1270  return owner;
1271  }
1272 }
1273 
1274 static struct multi_instance *
1276  struct multi_instance *mi,
1277  struct in6_addr a6,
1278  int netbits, /* -1 if host route, otherwise # of network bits in address */
1279  bool primary)
1280 {
1281  struct mroute_addr addr;
1282 
1283  addr.len = 16;
1284  addr.type = MR_ADDR_IPV6;
1285  addr.netbits = 0;
1286  addr.v6.addr = a6;
1287 
1288  if (netbits >= 0)
1289  {
1290  addr.type |= MR_WITH_NETBITS;
1291  addr.netbits = (uint8_t) netbits;
1292  mroute_addr_mask_host_bits( &addr );
1293  }
1294 
1295  {
1296  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1297 #ifdef MANAGEMENT_DEF_AUTH
1298  if (management && owner)
1299  {
1300  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1301  }
1302 #endif
1303  return owner;
1304  }
1305 }
1306 
1307 /*
1308  * A new client has connected, add routes (server -> client)
1309  * to internal routing table.
1310  */
1311 static void
1313  struct multi_instance *mi)
1314 {
1315  struct gc_arena gc = gc_new();
1316  const struct iroute *ir;
1317  const struct iroute_ipv6 *ir6;
1319  {
1320  mi->did_iroutes = true;
1321  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1322  {
1323  if (ir->netbits >= 0)
1324  {
1325  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1326  print_in_addr_t(ir->network, 0, &gc),
1327  ir->netbits,
1328  multi_instance_string(mi, false, &gc));
1329  }
1330  else
1331  {
1332  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1333  print_in_addr_t(ir->network, 0, &gc),
1334  multi_instance_string(mi, false, &gc));
1335  }
1336 
1338 
1339  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1340  }
1341  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1342  {
1343  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1344  print_in6_addr(ir6->network, 0, &gc),
1345  ir6->netbits,
1346  multi_instance_string(mi, false, &gc));
1347 
1349 
1350  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1351  }
1352  }
1353  gc_free(&gc);
1354 }
1355 
1356 /*
1357  * Given an instance (new_mi), delete all other instances which use the
1358  * same common name.
1359  */
1360 static void
1362 {
1363  if (new_mi)
1364  {
1365  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1366  if (new_cn)
1367  {
1368  struct hash_iterator hi;
1369  struct hash_element *he;
1370  int count = 0;
1371 
1372  hash_iterator_init(m->iter, &hi);
1373  while ((he = hash_iterator_next(&hi)))
1374  {
1375  struct multi_instance *mi = (struct multi_instance *) he->value;
1376  if (mi != new_mi && !mi->halt)
1377  {
1378  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1379  if (cn && !strcmp(cn, new_cn))
1380  {
1381  mi->did_iter = false;
1382  multi_close_instance(m, mi, false);
1384  ++count;
1385  }
1386  }
1387  }
1388  hash_iterator_free(&hi);
1389 
1390  if (count)
1391  {
1392  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1393  }
1394  }
1395  }
1396 }
1397 
1398 static void
1400 {
1401 
1402  struct gc_arena gc = gc_new();
1403  struct hash_iterator hi;
1404  struct hash_element *he;
1405 
1406  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1408  while ((he = hash_iterator_next(&hi)) != NULL)
1409  {
1410  struct multi_route *r = (struct multi_route *) he->value;
1411  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1412  {
1413  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1414  mroute_addr_print(&r->addr, &gc));
1415  learn_address_script(m, NULL, "delete", &r->addr);
1416  multi_route_del(r);
1418  }
1419  }
1420  hash_iterator_free(&hi);
1421  gc_free(&gc);
1422 }
1423 
1424 /*
1425  * Ensure that endpoint to be pushed to client
1426  * complies with --ifconfig-push-constraint directive.
1427  */
1428 static bool
1430 {
1431  const struct options *o = &c->options;
1433  {
1435  }
1436  else
1437  {
1438  return true;
1439  }
1440 }
1441 
1442 /*
1443  * Select a virtual address for a new client instance.
1444  * Use an --ifconfig-push directive, if given (static IP).
1445  * Otherwise use an --ifconfig-pool address (dynamic IP).
1446  */
1447 static void
1449 {
1450  struct gc_arena gc = gc_new();
1451 
1452  /*
1453  * If ifconfig addresses were set by dynamic config file,
1454  * release pool addresses, otherwise keep them.
1455  */
1457  {
1458  /* ifconfig addresses were set statically,
1459  * release dynamic allocation */
1460  if (mi->vaddr_handle >= 0)
1461  {
1463  mi->vaddr_handle = -1;
1464  }
1465 
1466  mi->context.c2.push_ifconfig_defined = true;
1470 
1471  /* the current implementation does not allow "static IPv4, pool IPv6",
1472  * (see below) so issue a warning if that happens - don't break the
1473  * session, though, as we don't even know if this client WANTS IPv6
1474  */
1477  {
1478  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1479  }
1480  }
1481  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1482  {
1483  in_addr_t local = 0, remote = 0;
1484  struct in6_addr remote_ipv6;
1485  const char *cn = NULL;
1486 
1487  if (!mi->context.options.duplicate_cn)
1488  {
1489  cn = tls_common_name(mi->context.c2.tls_multi, true);
1490  }
1491 
1492  CLEAR(remote_ipv6);
1493  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1494  if (mi->vaddr_handle >= 0)
1495  {
1496  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1497  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1498 
1499  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1500  print_in_addr_t( remote, 0, &gc ),
1502  ? print_in6_addr( remote_ipv6, 0, &gc )
1503  : "(Not enabled)") );
1504 
1505  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1506  mi->context.c2.push_ifconfig_local = remote;
1507  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1508  {
1511  {
1513  }
1514  }
1515  else if (tunnel_type == DEV_TYPE_TUN)
1516  {
1517  if (tunnel_topology == TOP_P2P)
1518  {
1520  }
1521  else if (tunnel_topology == TOP_NET30)
1522  {
1524  }
1525  }
1526 
1528  {
1529  mi->context.c2.push_ifconfig_defined = true;
1530  }
1531  else
1532  {
1533  msg(D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1534  multi_instance_string(mi, false, &gc));
1535  }
1536 
1538  {
1539  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1541  mi->context.c1.tuntap->local_ipv6;
1545  }
1546  }
1547  else
1548  {
1549  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1550  }
1551  }
1552 
1553  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1554  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1555  * will fail (because no pool will be allocated in this case).
1556  * OTOH, this doesn't make too much sense in reality - and the other
1557  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1558  * -> and so it's implemented right now
1559  */
1561  {
1569 
1570  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1573  }
1574 
1575  gc_free(&gc);
1576 }
1577 
1578 /*
1579  * Set virtual address environmental variables.
1580  */
1581 static void
1583 {
1584  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1585  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1586  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1587 
1589  {
1590  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1591  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1592 
1594  "ifconfig_pool_remote_ip",
1597 
1598  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1599  {
1601  "ifconfig_pool_netmask",
1604  }
1605  else if (tunnel_type == DEV_TYPE_TUN)
1606  {
1608  "ifconfig_pool_local_ip",
1611  }
1612  }
1613 
1614  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1615  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1616  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1617 
1619  {
1621  "ifconfig_pool_remote",
1625  "ifconfig_pool_local",
1628  setenv_int(mi->context.c2.es,
1629  "ifconfig_pool_ip6_netbits",
1631  }
1632 }
1633 
1634 /*
1635  * Called after client-connect script is called
1636  */
1637 static void
1639  struct multi_instance *mi,
1640  const char *dc_file,
1641  unsigned int option_permissions_mask,
1642  unsigned int *option_types_found)
1643 {
1644  /* Did script generate a dynamic config file? */
1645  if (platform_test_file(dc_file))
1646  {
1648  dc_file,
1650  option_permissions_mask,
1651  option_types_found,
1652  mi->context.c2.es);
1653 
1654  /*
1655  * If the --client-connect script generates a config file
1656  * with an --ifconfig-push directive, it will override any
1657  * --ifconfig-push directive from the --client-config-dir
1658  * directory or any --ifconfig-pool dynamic address.
1659  */
1662  }
1663 }
1664 
1665 #ifdef ENABLE_PLUGIN
1666 
1667 /*
1668  * Called after client-connect plug-in is called
1669  */
1670 static void
1672  struct multi_instance *mi,
1673  const struct plugin_return *pr,
1674  unsigned int option_permissions_mask,
1675  unsigned int *option_types_found)
1676 {
1677  struct plugin_return config;
1678 
1679  plugin_return_get_column(pr, &config, "config");
1680 
1681  /* Did script generate a dynamic config file? */
1682  if (plugin_return_defined(&config))
1683  {
1684  int i;
1685  for (i = 0; i < config.n; ++i)
1686  {
1687  if (config.list[i] && config.list[i]->value)
1688  {
1690  config.list[i]->value,
1692  option_permissions_mask,
1693  option_types_found,
1694  mi->context.c2.es);
1695  }
1696  }
1697 
1698  /*
1699  * If the --client-connect script generates a config file
1700  * with an --ifconfig-push directive, it will override any
1701  * --ifconfig-push directive from the --client-config-dir
1702  * directory or any --ifconfig-pool dynamic address.
1703  */
1706  }
1707 }
1708 
1709 #endif /* ifdef ENABLE_PLUGIN */
1710 
1711 #ifdef MANAGEMENT_DEF_AUTH
1712 
1713 /*
1714  * Called to load management-derived client-connect config
1715  */
1716 static void
1717 multi_client_connect_mda(struct multi_context *m,
1718  struct multi_instance *mi,
1719  const struct buffer_list *config,
1720  unsigned int option_permissions_mask,
1721  unsigned int *option_types_found)
1722 {
1723  if (config)
1724  {
1725  struct buffer_entry *be;
1726 
1727  for (be = config->head; be != NULL; be = be->next)
1728  {
1729  const char *opt = BSTR(&be->buf);
1731  opt,
1733  option_permissions_mask,
1734  option_types_found,
1735  mi->context.c2.es);
1736  }
1737 
1738  /*
1739  * If the --client-connect script generates a config file
1740  * with an --ifconfig-push directive, it will override any
1741  * --ifconfig-push directive from the --client-config-dir
1742  * directory or any --ifconfig-pool dynamic address.
1743  */
1746  }
1747 }
1748 
1749 #endif /* ifdef MANAGEMENT_DEF_AUTH */
1750 
1751 static void
1753  struct multi_instance *mi)
1754 {
1755  struct gc_arena gc = gc_new();
1756 
1757  /* setenv incoming cert common name for script */
1758  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1759 
1760  /* setenv client real IP address */
1762 
1763  /* setenv client virtual IP address */
1765 
1766  /* setenv connection time */
1767  {
1768  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1769  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1770  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1771  }
1772 
1773  gc_free(&gc);
1774 }
1775 
1776 /*
1777  * Called as soon as the SSL/TLS connection authenticates.
1778  *
1779  * Instance-specific directives to be processed:
1780  *
1781  * iroute start-ip end-ip
1782  * ifconfig-push local remote-netmask
1783  * push
1784  */
1785 static void
1787 {
1789  {
1790  struct gc_arena gc = gc_new();
1791  unsigned int option_types_found = 0;
1792 
1793  const unsigned int option_permissions_mask =
1795  | OPT_P_INHERIT
1796  | OPT_P_PUSH
1797  | OPT_P_TIMER
1798  | OPT_P_CONFIG
1799  | OPT_P_ECHO
1800  | OPT_P_COMP
1801  | OPT_P_SOCKFLAGS;
1802 
1803  int cc_succeeded = true; /* client connect script status */
1804  int cc_succeeded_count = 0;
1805 
1806  ASSERT(mi->context.c1.tuntap);
1807 
1808  /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
1811 
1812  /* generate a msg() prefix for this client instance */
1813  generate_prefix(mi);
1814 
1815  /* delete instances of previous clients with same common-name */
1816  if (!mi->context.options.duplicate_cn)
1817  {
1818  multi_delete_dup(m, mi);
1819  }
1820 
1821  /* reset pool handle to null */
1822  mi->vaddr_handle = -1;
1823 
1824  /*
1825  * Try to source a dynamic config file from the
1826  * --client-config-dir directory.
1827  */
1829  {
1830  const char *ccd_file;
1831 
1834  false),
1835  &gc);
1836 
1837  /* try common-name file */
1838  if (platform_test_file(ccd_file))
1839  {
1841  ccd_file,
1843  option_permissions_mask,
1844  &option_types_found,
1845  mi->context.c2.es);
1846  }
1847  else /* try default file */
1848  {
1850  CCD_DEFAULT,
1851  &gc);
1852 
1853  if (platform_test_file(ccd_file))
1854  {
1856  ccd_file,
1858  option_permissions_mask,
1859  &option_types_found,
1860  mi->context.c2.es);
1861  }
1862  }
1863  }
1864 
1865  /*
1866  * Select a virtual address from either --ifconfig-push in --client-config-dir file
1867  * or --ifconfig-pool.
1868  */
1870 
1871  /* do --client-connect setenvs */
1873 
1874 #ifdef ENABLE_PLUGIN
1875  /*
1876  * Call client-connect plug-in.
1877  */
1878 
1879  /* deprecated callback, use a file for passing back return info */
1881  {
1882  struct argv argv = argv_new();
1883  const char *dc_file = platform_create_temp_file(mi->context.options.tmp_dir,
1884  "cc", &gc);
1885 
1886  if (!dc_file)
1887  {
1888  cc_succeeded = false;
1889  goto script_depr_failed;
1890  }
1891 
1892  argv_printf(&argv, "%s", dc_file);
1894  {
1895  msg(M_WARN, "WARNING: client-connect plugin call failed");
1896  cc_succeeded = false;
1897  }
1898  else
1899  {
1900  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1901  ++cc_succeeded_count;
1902  }
1903 
1904  if (!platform_unlink(dc_file))
1905  {
1906  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1907  dc_file);
1908  }
1909 
1910 script_depr_failed:
1911  argv_reset(&argv);
1912  }
1913 
1914  /* V2 callback, use a plugin_return struct for passing back return info */
1916  {
1917  struct plugin_return pr;
1918 
1919  plugin_return_init(&pr);
1920 
1922  {
1923  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
1924  cc_succeeded = false;
1925  }
1926  else
1927  {
1928  multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found);
1929  ++cc_succeeded_count;
1930  }
1931 
1932  plugin_return_free(&pr);
1933  }
1934 #endif /* ifdef ENABLE_PLUGIN */
1935 
1936  /*
1937  * Run --client-connect script.
1938  */
1939  if (mi->context.options.client_connect_script && cc_succeeded)
1940  {
1941  struct argv argv = argv_new();
1942  const char *dc_file = NULL;
1943 
1944  setenv_str(mi->context.c2.es, "script_type", "client-connect");
1945 
1947  "cc", &gc);
1948  if (!dc_file)
1949  {
1950  cc_succeeded = false;
1951  goto script_failed;
1952  }
1953 
1955  argv_printf_cat(&argv, "%s", dc_file);
1956 
1957  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
1958  {
1959  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1960  ++cc_succeeded_count;
1961  }
1962  else
1963  {
1964  cc_succeeded = false;
1965  }
1966 
1967  if (!platform_unlink(dc_file))
1968  {
1969  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1970  dc_file);
1971  }
1972 
1973 script_failed:
1974  argv_reset(&argv);
1975  }
1976 
1977  /*
1978  * Check for client-connect script left by management interface client
1979  */
1980 #ifdef MANAGEMENT_DEF_AUTH
1981  if (cc_succeeded && mi->cc_config)
1982  {
1983  multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1984  ++cc_succeeded_count;
1985  }
1986 #endif
1987 
1988  /*
1989  * Check for "disable" directive in client-config-dir file
1990  * or config file generated by --client-connect script.
1991  */
1992  if (mi->context.options.disable)
1993  {
1994  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1995  cc_succeeded = false;
1996  cc_succeeded_count = 0;
1997  }
1998 
1999  if (cc_succeeded)
2000  {
2001  /*
2002  * Process sourced options.
2003  */
2004  do_deferred_options(&mi->context, option_types_found);
2005 
2006  /*
2007  * make sure we got ifconfig settings from somewhere
2008  */
2009  if (!mi->context.c2.push_ifconfig_defined)
2010  {
2011  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
2012  multi_instance_string(mi, false, &gc));
2013  }
2014 
2015  /*
2016  * make sure that ifconfig settings comply with constraints
2017  */
2019  {
2020  /* JYFIXME -- this should cause the connection to fail */
2021  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
2022  multi_instance_string(mi, false, &gc),
2026  }
2027 
2028  /*
2029  * For routed tunnels, set up internal route to endpoint
2030  * plus add all iroute routes.
2031  */
2033  {
2035  {
2036  multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2037  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2038  multi_instance_string(mi, false, &gc),
2040  }
2041 
2043  {
2045  /* TODO: find out where addresses are "unlearned"!! */
2046  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2047  multi_instance_string(mi, false, &gc),
2049  }
2050 
2051  /* add routes locally, pointing to new client, if
2052  * --iroute options have been specified */
2053  multi_add_iroutes(m, mi);
2054 
2055  /*
2056  * iroutes represent subnets which are "owned" by a particular
2057  * client. Therefore, do not actually push a route to a client
2058  * if it matches one of the client's iroutes.
2059  */
2061  }
2062  else if (mi->context.options.iroutes)
2063  {
2064  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
2065  multi_instance_string(mi, false, &gc));
2066  }
2067 
2068  /* set our client's VPN endpoint for status reporting purposes */
2071 
2072  /* set context-level authentication flag */
2074 
2075 #ifdef ENABLE_ASYNC_PUSH
2076  /* authentication complete, send push reply */
2077  if (mi->context.c2.push_request_received)
2078  {
2080  }
2081 #endif
2082  }
2083  else
2084  {
2085  /* set context-level authentication flag */
2086  mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
2087  }
2088 
2089  /* set flag so we don't get called again */
2090  mi->connection_established_flag = true;
2091 
2092  /* increment number of current authenticated clients */
2093  ++m->n_clients;
2095  --mi->n_clients_delta;
2096 
2097 #ifdef MANAGEMENT_DEF_AUTH
2098  if (management)
2099  {
2100  management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es);
2101  }
2102 #endif
2103 
2104  gc_free(&gc);
2105  }
2106 
2107  /*
2108  * Reply now to client's PUSH_REQUEST query
2109  */
2110  mi->context.c2.push_reply_deferred = false;
2111 }
2112 
2113 #ifdef ENABLE_ASYNC_PUSH
2114 /*
2115  * Called when inotify event is fired, which happens when acf file is closed or deleted.
2116  * Continues authentication and sends push_reply.
2117  */
2118 void
2119 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2120 {
2121  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2122  size_t buffer_i = 0;
2123  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2124 
2125  while (buffer_i < r)
2126  {
2127  /* parse inotify events */
2128  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2129  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2130  buffer_i += event_size;
2131 
2132  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2133 
2134  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2135 
2136  if (pevent->mask & IN_CLOSE_WRITE)
2137  {
2138  if (mi)
2139  {
2140  /* continue authentication and send push_reply */
2141  multi_process_post(m, mi, mpp_flags);
2142  }
2143  else
2144  {
2145  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2146  }
2147  }
2148  else if (pevent->mask & IN_IGNORED)
2149  {
2150  /* this event is _always_ fired when watch is removed or file is deleted */
2151  if (mi)
2152  {
2153  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2154  mi->inotify_watch = -1;
2155  }
2156  }
2157  else
2158  {
2159  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2160  }
2161  }
2162 }
2163 #endif /* ifdef ENABLE_ASYNC_PUSH */
2164 
2165 /*
2166  * Add a mbuf buffer to a particular
2167  * instance.
2168  */
2169 void
2171  struct multi_instance *mi,
2172  struct mbuf_buffer *mb)
2173 {
2174  if (multi_output_queue_ready(m, mi))
2175  {
2176  struct mbuf_item item;
2177  item.buffer = mb;
2178  item.instance = mi;
2179  mbuf_add_item(m->mbuf, &item);
2180  }
2181  else
2182  {
2183  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2184  }
2185 }
2186 
2187 /*
2188  * Add a packet to a client instance output queue.
2189  */
2190 static inline void
2192  const struct buffer *buf,
2193  struct multi_instance *mi)
2194 {
2195  struct mbuf_buffer *mb;
2196 
2197  if (BLEN(buf) > 0)
2198  {
2199  mb = mbuf_alloc_buf(buf);
2200  mb->flags = MF_UNICAST;
2201  multi_add_mbuf(m, mi, mb);
2202  mbuf_free_buf(mb);
2203  }
2204 }
2205 
2206 /*
2207  * Broadcast a packet to all clients.
2208  */
2209 static void
2211  const struct buffer *buf,
2212  const struct multi_instance *sender_instance,
2213  const struct mroute_addr *sender_addr)
2214 {
2215  struct hash_iterator hi;
2216  struct hash_element *he;
2217  struct multi_instance *mi;
2218  struct mbuf_buffer *mb;
2219 
2220  if (BLEN(buf) > 0)
2221  {
2223 #ifdef MULTI_DEBUG_EVENT_LOOP
2224  printf("BCAST len=%d\n", BLEN(buf));
2225 #endif
2226  mb = mbuf_alloc_buf(buf);
2227  hash_iterator_init(m->iter, &hi);
2228 
2229  while ((he = hash_iterator_next(&hi)))
2230  {
2231  mi = (struct multi_instance *) he->value;
2232  if (mi != sender_instance && !mi->halt)
2233  {
2234 #ifdef ENABLE_PF
2235  if (sender_instance)
2236  {
2237  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2238  sender_instance->context.c2.tls_multi,
2239  &mi->context.c2.pf,
2240  mi->context.c2.tls_multi,
2241  "bcast_c2c"))
2242  {
2243  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2244  mi_prefix(sender_instance),
2245  mi_prefix(mi));
2246  continue;
2247  }
2248  }
2249  if (sender_addr)
2250  {
2251  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2252  sender_addr, "bcast_src_addr"))
2253  {
2254  struct gc_arena gc = gc_new();
2255  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2256  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2257  mi_prefix(mi));
2258  gc_free(&gc);
2259  continue;
2260  }
2261  }
2262 #endif /* ifdef ENABLE_PF */
2263  multi_add_mbuf(m, mi, mb);
2264  }
2265  }
2266 
2267  hash_iterator_free(&hi);
2268  mbuf_free_buf(mb);
2269  perf_pop();
2270  }
2271 }
2272 
2273 /*
2274  * Given a time delta, indicating that we wish to be
2275  * awoken by the scheduler at time now + delta, figure
2276  * a sigma parameter (in microseconds) that represents
2277  * a sort of fuzz factor around delta, so that we're
2278  * really telling the scheduler to wake us up any time
2279  * between now + delta - sigma and now + delta + sigma.
2280  *
2281  * The sigma parameter helps the scheduler to run more efficiently.
2282  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2283  */
2284 static inline unsigned int
2285 compute_wakeup_sigma(const struct timeval *delta)
2286 {
2287  if (delta->tv_sec < 1)
2288  {
2289  /* if < 1 sec, fuzz = # of microseconds / 8 */
2290  return delta->tv_usec >> 3;
2291  }
2292  else
2293  {
2294  /* if < 10 minutes, fuzz = 13.1% of timeout */
2295  if (delta->tv_sec < 600)
2296  {
2297  return delta->tv_sec << 17;
2298  }
2299  else
2300  {
2301  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2302  }
2303  }
2304 }
2305 
2306 static void
2308 {
2309  /* calculate an absolute wakeup time */
2310  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2311  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2312 
2313  /* tell scheduler to wake us up at some point in the future */
2315  (struct schedule_entry *) mi,
2316  &mi->wakeup,
2317  compute_wakeup_sigma(&mi->context.c2.timeval));
2318 }
2319 
2320 /*
2321  * Figure instance-specific timers, convert
2322  * earliest to absolute time in mi->wakeup,
2323  * call scheduler with our future wakeup time.
2324  *
2325  * Also close context on signal.
2326  */
2327 bool
2328 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2329 {
2330  bool ret = true;
2331 
2332  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2333  {
2334 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2335  bool was_authenticated = false;
2336  struct key_state *ks = NULL;
2337  if (mi->context.c2.tls_multi)
2338  {
2340  was_authenticated = ks->authenticated;
2341  }
2342 #endif
2343 
2344  /* figure timeouts and fetch possible outgoing
2345  * to_link packets (such as ping or TLS control) */
2346  pre_select(&mi->context);
2347 
2348 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2349  if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated)
2350  {
2351  /* watch acf file */
2352  long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT);
2353  if (watch_descriptor >= 0)
2354  {
2355  if (mi->inotify_watch != -1)
2356  {
2357  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
2358  }
2359  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2360  mi->inotify_watch = watch_descriptor;
2361  }
2362  else
2363  {
2364  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2365  }
2366  }
2367 #endif
2368 
2369  if (!IS_SIG(&mi->context))
2370  {
2371  /* connection is "established" when SSL/TLS key negotiation succeeds
2372  * and (if specified) auth user/pass succeeds */
2374  {
2376  }
2377 
2378  /* tell scheduler to wake us up at some point in the future */
2380  }
2381  }
2382 
2383  if (IS_SIG(&mi->context))
2384  {
2385  if (flags & MPP_CLOSE_ON_SIGNAL)
2386  {
2388  ret = false;
2389  }
2390  }
2391  else
2392  {
2393  /* continue to pend on output? */
2394  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2395 
2396 #ifdef MULTI_DEBUG_EVENT_LOOP
2397  printf("POST %s[%d] to=%d lo=%d/%d w=%"PRIi64"/%ld\n",
2398  id(mi),
2399  (int) (mi == m->pending),
2400  mi ? mi->context.c2.to_tun.len : -1,
2401  mi ? mi->context.c2.to_link.len : -1,
2402  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2403  (int64_t)mi->context.c2.timeval.tv_sec,
2404  (long)mi->context.c2.timeval.tv_usec);
2405 #endif
2406  }
2407 
2408  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
2409  {
2410  *m->mpp_touched = mi;
2411  }
2412 
2413  return ret;
2414 }
2415 
2416 void
2418 {
2419  struct mroute_addr real;
2420  struct hash *hash = m->hash;
2421  struct gc_arena gc = gc_new();
2422 
2423  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
2424  {
2425  goto done;
2426  }
2427 
2428  const uint32_t hv = hash_value(hash, &real);
2429  struct hash_bucket *bucket = hash_bucket(hash, hv);
2430 
2431  /* make sure that we don't float to an address taken by another client */
2432  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
2433  if (he)
2434  {
2435  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
2436 
2437  struct tls_multi *m1 = mi->context.c2.tls_multi;
2438  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
2439 
2440  /* do not float if target address is taken by client with another cert */
2441  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
2442  {
2443  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
2444  multi_instance_string(ex_mi, false, &gc));
2445 
2446  mi->context.c2.buf.len = 0;
2447 
2448  goto done;
2449  }
2450 
2451  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
2452  multi_close_instance(m, ex_mi, false);
2453  }
2454 
2455  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
2456  mi->context.c2.tls_multi->peer_id,
2457  tls_common_name(mi->context.c2.tls_multi, false),
2458  mroute_addr_print(&mi->real, &gc),
2459  print_link_socket_actual(&m->top.c2.from, &gc));
2460 
2461  /* remove old address from hash table before changing address */
2462  ASSERT(hash_remove(m->hash, &mi->real));
2463  ASSERT(hash_remove(m->iter, &mi->real));
2464 
2465  /* change external network address of the remote peer */
2466  mi->real = real;
2467  generate_prefix(mi);
2468 
2469  mi->context.c2.from = m->top.c2.from;
2470  mi->context.c2.to_link_addr = &mi->context.c2.from;
2471 
2472  /* inherit parent link_socket and link_socket_info */
2475 
2477 
2478  ASSERT(hash_add(m->hash, &mi->real, mi, false));
2479  ASSERT(hash_add(m->iter, &mi->real, mi, false));
2480 
2481 #ifdef MANAGEMENT_DEF_AUTH
2482  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
2483 #endif
2484 
2485 done:
2486  gc_free(&gc);
2487 }
2488 
2489 /*
2490  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
2491  * i.e. client -> server direction.
2492  */
2493 bool
2494 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
2495 {
2496  struct gc_arena gc = gc_new();
2497 
2498  struct context *c;
2499  struct mroute_addr src, dest;
2500  unsigned int mroute_flags;
2501  struct multi_instance *mi;
2502  bool ret = true;
2503  bool floated = false;
2504 
2505  if (m->pending)
2506  {
2507  return true;
2508  }
2509 
2510  if (!instance)
2511  {
2512 #ifdef MULTI_DEBUG_EVENT_LOOP
2513  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
2514 #endif
2516  }
2517  else
2518  {
2519  multi_set_pending(m, instance);
2520  }
2521 
2522  if (m->pending)
2523  {
2524  set_prefix(m->pending);
2525 
2526  /* get instance context */
2527  c = &m->pending->context;
2528 
2529  if (!instance)
2530  {
2531  /* transfer packet pointer from top-level context buffer to instance */
2532  c->c2.buf = m->top.c2.buf;
2533 
2534  /* transfer from-addr from top-level context buffer to instance */
2535  if (!floated)
2536  {
2537  c->c2.from = m->top.c2.from;
2538  }
2539  }
2540 
2541  if (BLEN(&c->c2.buf) > 0)
2542  {
2543  struct link_socket_info *lsi;
2544  const uint8_t *orig_buf;
2545 
2546  /* decrypt in instance context */
2547 
2549  lsi = get_link_socket_info(c);
2550  orig_buf = c->c2.buf.data;
2551  if (process_incoming_link_part1(c, lsi, floated))
2552  {
2553  if (floated)
2554  {
2556  }
2557 
2558  process_incoming_link_part2(c, lsi, orig_buf);
2559  }
2560  perf_pop();
2561 
2562  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
2563  {
2564  /* extract packet source and dest addresses */
2565  mroute_flags = mroute_extract_addr_from_packet(&src,
2566  &dest,
2567  NULL,
2568  NULL,
2569  &c->c2.to_tun,
2570  DEV_TYPE_TUN);
2571 
2572  /* drop packet if extract failed */
2573  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
2574  {
2575  c->c2.to_tun.len = 0;
2576  }
2577  /* make sure that source address is associated with this client */
2578  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
2579  {
2580  /* IPv6 link-local address (fe80::xxx)? */
2581  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
2582  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
2583  {
2584  /* do nothing, for now. TODO: add address learning */
2585  }
2586  else
2587  {
2588  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2589  mroute_addr_print(&src, &gc));
2590  }
2591  c->c2.to_tun.len = 0;
2592  }
2593  /* client-to-client communication enabled? */
2594  else if (m->enable_c2c)
2595  {
2596  /* multicast? */
2597  if (mroute_flags & MROUTE_EXTRACT_MCAST)
2598  {
2599  /* for now, treat multicast as broadcast */
2600  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2601  }
2602  else /* possible client to client routing */
2603  {
2604  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
2605  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
2606 
2607  /* if dest addr is a known client, route to it */
2608  if (mi)
2609  {
2610 #ifdef ENABLE_PF
2611  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2612  &mi->context.c2.pf,
2613  mi->context.c2.tls_multi,
2614  "tun_c2c"))
2615  {
2616  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2617  mi_prefix(mi));
2618  }
2619  else
2620 #endif
2621  {
2622  multi_unicast(m, &c->c2.to_tun, mi);
2623  register_activity(c, BLEN(&c->c2.to_tun));
2624  }
2625  c->c2.to_tun.len = 0;
2626  }
2627  }
2628  }
2629 #ifdef ENABLE_PF
2630  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
2631  "tun_dest_addr"))
2632  {
2633  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2634  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
2635  c->c2.to_tun.len = 0;
2636  }
2637 #endif
2638  }
2639  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
2640  {
2641 #ifdef ENABLE_PF
2642  struct mroute_addr edest;
2643  mroute_addr_reset(&edest);
2644 #endif
2645  /* extract packet source and dest addresses */
2646  mroute_flags = mroute_extract_addr_from_packet(&src,
2647  &dest,
2648  NULL,
2649 #ifdef ENABLE_PF
2650  &edest,
2651 #else
2652  NULL,
2653 #endif
2654  &c->c2.to_tun,
2655  DEV_TYPE_TAP);
2656 
2657  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2658  {
2659  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
2660  {
2661  /* check for broadcast */
2662  if (m->enable_c2c)
2663  {
2664  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2665  {
2666  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2667  }
2668  else /* try client-to-client routing */
2669  {
2670  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
2671 
2672  /* if dest addr is a known client, route to it */
2673  if (mi)
2674  {
2675 #ifdef ENABLE_PF
2676  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2677  &mi->context.c2.pf,
2678  mi->context.c2.tls_multi,
2679  "tap_c2c"))
2680  {
2681  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2682  mi_prefix(mi));
2683  }
2684  else
2685 #endif
2686  {
2687  multi_unicast(m, &c->c2.to_tun, mi);
2688  register_activity(c, BLEN(&c->c2.to_tun));
2689  }
2690  c->c2.to_tun.len = 0;
2691  }
2692  }
2693  }
2694 #ifdef ENABLE_PF
2695  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
2696  &edest,
2697  "tap_dest_addr"))
2698  {
2699  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2700  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
2701  c->c2.to_tun.len = 0;
2702  }
2703 #endif
2704  }
2705  else
2706  {
2707  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2708  mroute_addr_print(&src, &gc));
2709  c->c2.to_tun.len = 0;
2710  }
2711  }
2712  else
2713  {
2714  c->c2.to_tun.len = 0;
2715  }
2716  }
2717  }
2718 
2719  /* postprocess and set wakeup */
2720  ret = multi_process_post(m, m->pending, mpp_flags);
2721 
2722  clear_prefix();
2723  }
2724 
2725  gc_free(&gc);
2726  return ret;
2727 }
2728 
2729 /*
2730  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2731  * i.e. server -> client direction.
2732  */
2733 bool
2734 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
2735 {
2736  struct gc_arena gc = gc_new();
2737  bool ret = true;
2738 
2739  if (BLEN(&m->top.c2.buf) > 0)
2740  {
2741  unsigned int mroute_flags;
2742  struct mroute_addr src, dest;
2743  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
2744 
2745 #ifdef ENABLE_PF
2746  struct mroute_addr esrc, *e1, *e2;
2747  if (dev_type == DEV_TYPE_TUN)
2748  {
2749  e1 = NULL;
2750  e2 = &src;
2751  }
2752  else
2753  {
2754  e1 = e2 = &esrc;
2755  mroute_addr_reset(&esrc);
2756  }
2757 #endif
2758 
2759 #ifdef MULTI_DEBUG_EVENT_LOOP
2760  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
2761 #endif
2762 
2763  if (m->pending)
2764  {
2765  return true;
2766  }
2767 
2768  /*
2769  * Route an incoming tun/tap packet to
2770  * the appropriate multi_instance object.
2771  */
2772 
2773  mroute_flags = mroute_extract_addr_from_packet(&src,
2774  &dest,
2775 #ifdef ENABLE_PF
2776  e1,
2777 #else
2778  NULL,
2779 #endif
2780  NULL,
2781  &m->top.c2.buf,
2782  dev_type);
2783 
2784  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2785  {
2786  struct context *c;
2787 
2788  /* broadcast or multicast dest addr? */
2789  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2790  {
2791  /* for now, treat multicast as broadcast */
2792 #ifdef ENABLE_PF
2793  multi_bcast(m, &m->top.c2.buf, NULL, e2);
2794 #else
2795  multi_bcast(m, &m->top.c2.buf, NULL, NULL);
2796 #endif
2797  }
2798  else
2799  {
2801 
2802  if (m->pending)
2803  {
2804  /* get instance context */
2805  c = &m->pending->context;
2806 
2807  set_prefix(m->pending);
2808 
2809 #ifdef ENABLE_PF
2810  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
2811  {
2812  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2813  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
2814  buf_reset_len(&c->c2.buf);
2815  }
2816  else
2817 #endif
2818  {
2819  if (multi_output_queue_ready(m, m->pending))
2820  {
2821  /* transfer packet pointer from top-level context buffer to instance */
2822  c->c2.buf = m->top.c2.buf;
2823  }
2824  else
2825  {
2826  /* drop packet */
2827  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2828  buf_reset_len(&c->c2.buf);
2829  }
2830  }
2831 
2832  /* encrypt in instance context */
2834 
2835  /* postprocess and set wakeup */
2836  ret = multi_process_post(m, m->pending, mpp_flags);
2837 
2838  clear_prefix();
2839  }
2840  }
2841  }
2842  }
2843  gc_free(&gc);
2844  return ret;
2845 }
2846 
2847 /*
2848  * Process a possible client-to-client/bcast/mcast message in the
2849  * queue.
2850  */
2851 struct multi_instance *
2853 {
2854  struct mbuf_item item;
2855 
2856  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
2857  {
2858  unsigned int pip_flags = PIPV4_PASSTOS;
2859 
2860  set_prefix(item.instance);
2861  item.instance->context.c2.buf = item.buffer->buf;
2862  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2863  {
2864  pip_flags |= PIP_MSSFIX;
2865  }
2866  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
2867  encrypt_sign(&item.instance->context, true);
2868  mbuf_free_buf(item.buffer);
2869 
2870  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2871 
2872  clear_prefix();
2873  return item.instance;
2874  }
2875  else
2876  {
2877  return NULL;
2878  }
2879 }
2880 
2881 /*
2882  * Called when an I/O wait times out. Usually means that a particular
2883  * client instance object needs timer-based service.
2884  */
2885 bool
2886 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
2887 {
2888  bool ret = true;
2889 
2890 #ifdef MULTI_DEBUG_EVENT_LOOP
2891  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2892 #endif
2893 
2894  /* instance marked for wakeup? */
2895  if (m->earliest_wakeup)
2896  {
2898  {
2901  }
2902  else
2903  {
2905  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
2906  clear_prefix();
2907  }
2908  m->earliest_wakeup = NULL;
2909  }
2910  return ret;
2911 }
2912 
2913 /*
2914  * Drop a TUN/TAP outgoing packet..
2915  */
2916 void
2917 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
2918 {
2919  struct multi_instance *mi = m->pending;
2920 
2921  ASSERT(mi);
2922 
2923  set_prefix(mi);
2924 
2925  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2926  mi->context.c2.to_tun.len);
2927 
2928  buf_reset(&mi->context.c2.to_tun);
2929 
2930  multi_process_post(m, mi, mpp_flags);
2931  clear_prefix();
2932 }
2933 
2934 /*
2935  * Per-client route quota management
2936  */
2937 
2938 void
2939 route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi)
2940 {
2941  struct gc_arena gc = gc_new();
2942  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2944  multi_instance_string(mi, false, &gc));
2945  gc_free(&gc);
2946 }
2947 
2948 #ifdef ENABLE_DEBUG
2949 /*
2950  * Flood clients with random packets
2951  */
2952 static void
2953 gremlin_flood_clients(struct multi_context *m)
2954 {
2955  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
2956  if (level)
2957  {
2958  struct gc_arena gc = gc_new();
2959  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
2960  struct packet_flood_parms parm = get_packet_flood_parms(level);
2961  int i;
2962 
2963  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
2964  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
2965 
2966  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2967  parm.n_packets,
2968  parm.packet_size);
2969 
2970  for (i = 0; i < parm.packet_size; ++i)
2971  {
2972  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
2973  }
2974 
2975  for (i = 0; i < parm.n_packets; ++i)
2976  {
2977  multi_bcast(m, &buf, NULL, NULL);
2978  }
2979 
2980  gc_free(&gc);
2981  }
2982 }
2983 #endif /* ifdef ENABLE_DEBUG */
2984 
2985 static bool
2987 {
2988  struct timeval null;
2989  CLEAR(null);
2991 }
2992 
2993 /*
2994  * Process timers in the top-level context
2995  */
2996 void
2998 {
2999  /* possibly reap instances/routes in vhash */
3000  multi_reap_process(m);
3001 
3002  /* possibly print to status log */
3003  if (m->top.c1.status_output)
3004  {
3006  {
3008  }
3009  }
3010 
3011  /* possibly flush ifconfig-pool file */
3012  multi_ifconfig_pool_persist(m, false);
3013 
3014 #ifdef ENABLE_DEBUG
3015  gremlin_flood_clients(m);
3016 #endif
3017 
3018  /* Should we check for stale routes? */
3020  {
3021  check_stale_routes(m);
3022  }
3023 }
3024 
3025 void
3026 multi_top_init(struct multi_context *m, const struct context *top)
3027 {
3028  inherit_context_top(&m->top, top);
3029  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3030 }
3031 
3032 void
3034 {
3035  close_context(&m->top, -1, CC_GC_FREE);
3037 }
3038 
3039 static bool
3041 {
3042  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3043 }
3044 
3045 static void
3047 {
3048  struct hash_iterator hi;
3049  struct hash_element *he;
3050  struct timeval tv;
3051 
3052  /* tell all clients to restart */
3053  hash_iterator_init(m->iter, &hi);
3054  while ((he = hash_iterator_next(&hi)))
3055  {
3056  struct multi_instance *mi = (struct multi_instance *) he->value;
3057  if (!mi->halt)
3058  {
3059  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3061  }
3062  }
3063  hash_iterator_free(&hi);
3064 
3065  /* reschedule signal */
3067  tv.tv_sec = 2;
3068  tv.tv_usec = 0;
3070 
3072 
3077 
3078  m->top.sig->signal_received = 0;
3079 }
3080 
3081 /*
3082  * Return true if event loop should break,
3083  * false if it should continue.
3084  */
3085 bool
3087 {
3088  if (m->top.sig->signal_received == SIGUSR2)
3089  {
3090  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3092  status_close(so);
3093  m->top.sig->signal_received = 0;
3094  return false;
3095  }
3096  else if (proto_is_dgram(m->top.options.ce.proto)
3100  {
3102  return false;
3103  }
3104  return true;
3105 }
3106 
3107 /*
3108  * Called when an instance should be closed due to the
3109  * reception of a soft signal.
3110  */
3111 void
3113 {
3114  remap_signal(&mi->context);
3115  set_prefix(mi);
3116  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3117  clear_prefix();
3118  multi_close_instance(m, mi, false);
3119 }
3120 
3121 static void
3122 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3123 {
3124  mi->context.sig->signal_received = sig;
3126 }
3127 
3128 /*
3129  * Management subsystem callbacks
3130  */
3131 
3132 #ifdef ENABLE_MANAGEMENT
3133 
3134 static void
3135 management_callback_status(void *arg, const int version, struct status_output *so)
3136 {
3137  struct multi_context *m = (struct multi_context *) arg;
3138 
3139  if (!version)
3140  {
3142  }
3143  else
3144  {
3145  multi_print_status(m, so, version);
3146  }
3147 }
3148 
3149 static int
3151 {
3152  struct multi_context *m = (struct multi_context *) arg;
3153  return m->n_clients;
3154 }
3155 
3156 static int
3157 management_callback_kill_by_cn(void *arg, const char *del_cn)
3158 {
3159  struct multi_context *m = (struct multi_context *) arg;
3160  struct hash_iterator hi;
3161  struct hash_element *he;
3162  int count = 0;
3163 
3164  hash_iterator_init(m->iter, &hi);
3165  while ((he = hash_iterator_next(&hi)))
3166  {
3167  struct multi_instance *mi = (struct multi_instance *) he->value;
3168  if (!mi->halt)
3169  {
3170  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3171  if (cn && !strcmp(cn, del_cn))
3172  {
3174  ++count;
3175  }
3176  }
3177  }
3178  hash_iterator_free(&hi);
3179  return count;
3180 }
3181 
3182 static int
3183 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3184 {
3185  struct multi_context *m = (struct multi_context *) arg;
3186  struct hash_iterator hi;
3187  struct hash_element *he;
3188  struct openvpn_sockaddr saddr;
3189  struct mroute_addr maddr;
3190  int count = 0;
3191 
3192  CLEAR(saddr);
3193  saddr.addr.in4.sin_family = AF_INET;
3194  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3195  saddr.addr.in4.sin_port = htons(port);
3196  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3197  {
3198  hash_iterator_init(m->iter, &hi);
3199  while ((he = hash_iterator_next(&hi)))
3200  {
3201  struct multi_instance *mi = (struct multi_instance *) he->value;
3202  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3203  {
3205  ++count;
3206  }
3207  }
3208  hash_iterator_free(&hi);
3209  }
3210  return count;
3211 }
3212 
3213 static void
3215 {
3216  struct multi_context *m = (struct multi_context *) arg;
3217  if (m->mtcp)
3218  {
3219  multi_tcp_delete_event(m->mtcp, event);
3220  }
3221 }
3222 
3223 #endif /* ifdef ENABLE_MANAGEMENT */
3224 
3225 #ifdef MANAGEMENT_DEF_AUTH
3226 
3227 static struct multi_instance *
3228 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3229 {
3230  if (m)
3231  {
3232  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3233  if (mi && !mi->halt)
3234  {
3235  return mi;
3236  }
3237  }
3238  return NULL;
3239 }
3240 
3241 static bool
3242 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3243 {
3244  struct multi_context *m = (struct multi_context *) arg;
3245  struct multi_instance *mi = lookup_by_cid(m, cid);
3246  if (mi)
3247  {
3248  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3250  return true;
3251  }
3252  else
3253  {
3254  return false;
3255  }
3256 }
3257 
3258 static bool
3259 management_client_auth(void *arg,
3260  const unsigned long cid,
3261  const unsigned int mda_key_id,
3262  const bool auth,
3263  const char *reason,
3264  const char *client_reason,
3265  struct buffer_list *cc_config) /* ownership transferred */
3266 {
3267  struct multi_context *m = (struct multi_context *) arg;
3268  struct multi_instance *mi = lookup_by_cid(m, cid);
3269  bool cc_config_owned = true;
3270  bool ret = false;
3271 
3272  if (mi)
3273  {
3274  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3275  if (ret)
3276  {
3277  if (auth)
3278  {
3279  if (!mi->connection_established_flag)
3280  {
3281  set_cc_config(mi, cc_config);
3282  cc_config_owned = false;
3283  }
3284  }
3285  else
3286  {
3287  if (reason)
3288  {
3289  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3290  }
3292  {
3293  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3295  }
3296  }
3297  }
3298  }
3299  if (cc_config_owned && cc_config)
3300  {
3301  buffer_list_free(cc_config);
3302  }
3303  return ret;
3304 }
3305 
3306 static char *
3307 management_get_peer_info(void *arg, const unsigned long cid)
3308 {
3309  struct multi_context *m = (struct multi_context *) arg;
3310  struct multi_instance *mi = lookup_by_cid(m, cid);
3311  char *ret = NULL;
3312 
3313  if (mi)
3314  {
3315  ret = tls_get_peer_info(mi->context.c2.tls_multi);
3316  }
3317 
3318  return ret;
3319 }
3320 
3321 #endif /* ifdef MANAGEMENT_DEF_AUTH */
3322 
3323 #ifdef MANAGEMENT_PF
3324 static bool
3325 management_client_pf(void *arg,
3326  const unsigned long cid,
3327  struct buffer_list *pf_config) /* ownership transferred */
3328 {
3329  struct multi_context *m = (struct multi_context *) arg;
3330  struct multi_instance *mi = lookup_by_cid(m, cid);
3331  bool ret = false;
3332 
3333  if (mi && pf_config)
3334  {
3335  ret = pf_load_from_buffer_list(&mi->context, pf_config);
3336  }
3337 
3338  if (pf_config)
3339  {
3340  buffer_list_free(pf_config);
3341  }
3342  return ret;
3343 }
3344 #endif /* ifdef MANAGEMENT_PF */
3345 
3346 void
3348 {
3349 #ifdef ENABLE_MANAGEMENT
3350  if (management)
3351  {
3352  struct management_callback cb;
3353  CLEAR(cb);
3354  cb.arg = m;
3355  cb.flags = MCF_SERVER;
3362 #ifdef MANAGEMENT_DEF_AUTH
3363  cb.kill_by_cid = management_kill_by_cid;
3364  cb.client_auth = management_client_auth;
3365  cb.get_peer_info = management_get_peer_info;
3366 #endif
3367 #ifdef MANAGEMENT_PF
3368  cb.client_pf = management_client_pf;
3369 #endif
3371  }
3372 #endif /* ifdef ENABLE_MANAGEMENT */
3373 }
3374 
3375 void
3377 {
3379 }
3380 
3381 /*
3382  * Top level event loop.
3383  */
3384 void
3386 {
3387  ASSERT(top->options.mode == MODE_SERVER);
3388 
3389  if (proto_is_dgram(top->options.ce.proto))
3390  {
3391  tunnel_server_udp(top);
3392  }
3393  else
3394  {
3395  tunnel_server_tcp(top);
3396  }
3397 }
3398 
3399 #else /* if P2MP_SERVER */
3400 static void
3401 dummy(void)
3402 {
3403 }
3404 #endif /* P2MP_SERVER */
struct env_set * es
Definition: openvpn.h:425
uint8_t type
Definition: mroute.h:80
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3046
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:174
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:696
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:440
#define MR_WITH_NETBITS
Definition: mroute.h:72
static bool is_exit_restart(int sig)
Definition: multi.c:3040
static void register_activity(struct context *c, const int size)
Definition: forward.h:316
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:211
struct buffer to_link
Definition: openvpn.h:382
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1752
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3122
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2917
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:274
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:165
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:158
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:456
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:100
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1163
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:227
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:239
#define REAP_DIVISOR
Definition: multi.h:529
struct key_state key[KS_SIZE]
Definition: ssl_common.h:436
struct iroute * next
Definition: route.h:233
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:140
struct in6_addr reporting_addr_ipv6
Definition: multi.h:99
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:500
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1021
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:963
#define CAS_PENDING
Definition: openvpn.h:452
counter_type link_write_bytes
Definition: openvpn.h:283
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:409
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2413
#define MULTI_ROUTE_CACHE
Definition: multi.h:202
struct argv argv_new(void)
Definition: argv.c:52
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:369
int signal_received
Definition: multi.h:62
bool connection_established_flag
Definition: multi.h:108
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:225
void hash_free(struct hash *hash)
Definition: list.c:66
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:167
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2988
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:498
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:295
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:491
pool_type
Definition: pool.h:37
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1088
static void multi_set_virtual_addr_env(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1582
bool push_ifconfig_defined
Definition: openvpn.h:439
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2888
static void gc_free(struct gc_arena *a)
Definition: buffer.h:999
const char * learn_address_script
Definition: options.h:422
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:473
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:42
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:508
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:196
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4492
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:417
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:473
in_addr_t push_ifconfig_local
Definition: openvpn.h:441
bool enable_c2c
Definition: options.h:443
union openvpn_sockaddr::@8 addr
struct ifconfig_pool * ifconfig_pool_init(enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
int push_ifconfig_ipv6_netbits
Definition: options.h:440
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:494
struct in6_addr network
Definition: route.h:237
struct buffer buf
Definition: openvpn.h:380
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1437
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:83
#define ASSERT(x)
Definition: error.h:221
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4742
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:941
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3135
#define SIGUSR1
Definition: config-msvc.h:116
const void * key
Definition: list.h:50
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:564
#define MR_ADDR_MASK
Definition: mroute.h:66
struct multi_reap * reaper
Definition: multi.h:159
struct context_buffers * buffers
Definition: openvpn.h:372
struct multi_instance * instance
Definition: multi.h:200
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:432
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:446
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1186
bool ifconfig_pool_defined
Definition: options.h:407
void multi_top_free(struct multi_context *m)
Definition: multi.c:3033
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:195
#define D_PF_DROPPED
Definition: errlevel.h:101
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:96
struct link_socket_info * link_socket_info
Definition: openvpn.h:252
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4051
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3214
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:203
in_addr_t remote_netmask
Definition: tun.h:153
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:409
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:448
static int management_callback_n_clients(void *arg)
Definition: multi.c:3150
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:441
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:243
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static void perf_push(int type)
Definition: perf.h:78
int status_file_version
Definition: multi.h:164
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:537
#define CLEAR(x)
Definition: basic.h:33
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:431
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1361
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr)
Definition: multi.c:2210
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:104
static bool route_quota_test(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:422
ifconfig_pool_handle vaddr_handle
Definition: multi.h:90
bool did_iter
Definition: multi.h:103
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:91
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3086
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1448
struct event_timeout stale_routes_check_et
Definition: multi.h:184
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:523
#define MAX_PEER_ID
Definition: openvpn.h:570
int cf_max
Definition: options.h:445
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:465
void pre_select(struct context *c)
Definition: forward.c:1764
static void dummy(void)
Definition: comp-lz4.c:319
unsigned int cache_generation
Definition: mroute.h:131
#define SIGTERM
Definition: config-msvc.h:118
struct mroute_addr::@0::@2 v6
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:165
#define MCF_SERVER
Definition: manage.h:158
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2170
in_addr_t ifconfig_pool_end
Definition: options.h:409
bool did_open_context
Definition: multi.h:101
#define OPENVPN_PLUGIN_FUNC_SUCCESS
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:569
const char * client_disconnect_script
Definition: options.h:421
int explicit_exit_notification
Definition: options.h:121
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1275
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:2734
bool platform_unlink(const char *filename)
Definition: platform.c:287
unsigned int flags
Definition: multi.h:204
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
int context_auth
Definition: openvpn.h:456
int n_clients
Definition: multi.h:165
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:676
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:41
static void clear_prefix(void)
Definition: multi.h:511
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:42
static void setenv_stats(struct context *c)
Definition: multi.c:553
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3183
bool did_real_hash
Definition: multi.h:102
#define MODE_SERVER
Definition: options.h:186
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:258
#define PIP_MSSFIX
Definition: forward.h:290
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:220
int netbits
Definition: route.h:232
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:609
in_addr_t addr
Definition: mroute.h:87
void status_flush(struct status_output *so)
Definition: status.c:172
int n_clients_delta
Definition: multi.h:110
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:150
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:44
int cf_per
Definition: options.h:446
void multi_uninit(struct multi_context *m)
Definition: multi.c:712
bool status_close(struct status_output *so)
Definition: status.c:203
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:536
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:289
static void multi_route_del(struct multi_route *route)
Definition: multi.h:456
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:434
struct schedule * schedule_init(void)
Definition: schedule.c:416
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:85
in_addr_t push_ifconfig_local
Definition: options.h:431
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3026
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4368
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3157
time_t last_reference
Definition: multi.h:207
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:303
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
#define CAS_PARTIAL
Definition: openvpn.h:454
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3186
in_addr_t local
Definition: tun.h:152
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3347
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:528
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:2417
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define MAPF_SHOW_ARP
Definition: mroute.h:158
int stale_routes_check_interval
Definition: options.h:449
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:166
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:424
#define OPT_P_INSTANCE
Definition: options.h:639
counter_type link_read_bytes
Definition: openvpn.h:281
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:187
bool ifconfig_ipv6_pool_defined
Definition: options.h:414
static struct gc_arena gc_new(void)
Definition: buffer.h:991
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:368
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:436
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4762
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:255
int ifconfig_ipv6_netbits
Definition: options.h:233
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:499
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:443
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1026
Definition: mbuf.h:52
bool did_iroutes
Definition: multi.h:109
#define MPP_PRE_SELECT
Definition: multi.h:256
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:768
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:147
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:368
int topology
Definition: options.h:229
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2968
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:243
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:461
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1242
struct iroute * iroutes
Definition: options.h:428
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:632
unsigned int cache_generation
Definition: multi.h:206
struct frame frame
Definition: openvpn.h:259
#define DEV_TYPE_TUN
Definition: proto.h:37
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2307
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:312
struct timeval timeval
Definition: openvpn.h:399
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:249
int virtual_hash_size
Definition: options.h:419
Definition: schedule.h:46
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3112
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:201
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:447
#define D_MULTI_DEBUG
Definition: errlevel.h:123
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:560
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3163
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:785
unsigned __int32 uint32_t
Definition: config-msvc.h:121
int tcp_queue_limit
Definition: options.h:427
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:112
const char * client_config_dir
Definition: options.h:423
const char * ciphername
Definition: options.h:481
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
#define OPT_P_ECHO
Definition: options.h:642
uint8_t len
Definition: mroute.h:78
#define REAP_MAX
Definition: multi.h:531
struct multi_instance * pending
Definition: multi.h:172
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:163
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:149
int buckets_per_pass
Definition: multi.h:54
struct gc_arena gc
Definition: multi.h:78
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:543
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:149
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
in_addr_t network
Definition: route.h:231
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:466
int bucket_base
Definition: multi.h:53
in_addr_t reporting_addr
Definition: multi.h:98
int max_routes_per_client
Definition: options.h:448
struct buffer buf
Definition: buffer.h:1082
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:150
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:580
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:228
int n_bcast_buf
Definition: options.h:426
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:282
int max_clients
Definition: multi.h:162
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:415
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:226
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:395
in_addr_t ifconfig_pool_start
Definition: options.h:408
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:145
struct link_socket * link_socket
Definition: openvpn.h:250
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:41
void argv_parse_cmd(struct argv *a, const char *s)
Definition: argv.c:337
void route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.c:2939
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:2997
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3786
bool status_trigger(struct status_output *so)
Definition: status.c:135
struct multi_instance * earliest_wakeup
Definition: multi.h:173
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define DEV_TYPE_UNDEF
Definition: proto.h:35
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:175
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1070
struct connection_entry ce
Definition: options.h:208
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:515
bool push_ifconfig_defined
Definition: options.h:430
void schedule_free(struct schedule *s)
Definition: schedule.c:425
struct context_2 c2
Level 2 context.
Definition: openvpn.h:537
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1429
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:137
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:151
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:156
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:292
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2168
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:420
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:162
#define OPT_P_TIMER
Definition: options.h:629
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:431
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:115
in_addr_t ifconfig_pool_netmask
Definition: options.h:410
bool disable
Definition: options.h:425
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:769
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:402
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:193
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:143
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1312
int(* n_clients)(void *arg)
Definition: manage.h:166
bool halt
Definition: multi.h:80
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3385
struct buffer_entry * next
Definition: buffer.h:1083
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:154
#define REAP_MIN
Definition: multi.h:530
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:125
void uninit_management_callback_multi(struct multi_context *m)
Definition: multi.c:3376
#define CAS_SUCCEEDED
Definition: openvpn.h:451
__int64 int64_t
Definition: config-msvc.h:124
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2646
unsigned __int8 uint8_t
Definition: config-msvc.h:123
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:2852
const char * tmp_dir
Definition: options.h:385
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:146
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2191
struct mroute_addr local
Definition: multi.h:160
unsigned int netbits
Definition: route.h:238
int max_clients
Definition: options.h:447
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:286
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:445
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:378
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:978
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:226
int status_file_version
Definition: options.h:317
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:88
#define SIGINT
Definition: config-msvc.h:115
struct timeval wakeup
Definition: multi.h:87
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3099
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2328
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:164
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:40
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:895
#define SIGUSR2
Definition: config-msvc.h:117
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:178
void argv_printf_cat(struct argv *a, const char *format,...)
Definition: argv.c:328
#define OPT_P_INHERIT
Definition: options.h:643
bool push_ifconfig_ipv6_defined
Definition: options.h:438
Main OpenVPN server state structure.
Definition: multi.h:131
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:511
bool push_reply_deferred
Definition: openvpn.h:435
#define CAS_FAILED
Definition: openvpn.h:453
#define msg
Definition: error.h:173
time_t last_call
Definition: multi.h:55
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:6
#define M_OPTERR
Definition: error.h:105
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:259
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:86
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:549
bool proto_is_dgram(int proto)
Definition: socket.c:3164
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1834
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:650
struct fragment_master * fragment
Definition: openvpn.h:264
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:460
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1399
struct status_output * status_output
Definition: openvpn.h:178
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:131
#define OPT_P_SOCKFLAGS
Definition: options.h:648
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:525
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:418
int n_net_len
Definition: mroute.h:133
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:2986
#define MR_ADDR_IPV6
Definition: mroute.h:65
int thread_mode
Definition: multi.h:138
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:240
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:211
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:143
in_addr_t push_ifconfig_local_alias
Definition: options.h:433
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:2494
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1671
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:533
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:161
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:185
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:554
Definition: route.h:230
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:429
static int constrain_int(int x, int min, int max)
Definition: integer.h:60
static int min_int(int x, int y)
Definition: integer.h:47
#define MC_WORK_THREAD
Definition: multi.h:137
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:225
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:161
struct frequency_limit * new_connection_limiter
Definition: multi.h:157
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:217
unsigned int flags
Definition: manage.h:159
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1080
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:324
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:163
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:178
void * value
Definition: list.h:49
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:241
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1638
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
#define CC_GC_FREE
Definition: init.h:105
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:377
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:164
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:186
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:340
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:191
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1786
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:861
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:446
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1140
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:209
struct link_socket_actual from
Definition: openvpn.h:256
void argv_reset(struct argv *a)
Definition: argv.c:60
int process_incoming_push_request(struct context *c)
Definition: push.c:642
struct iroute_ipv6 * next
Definition: route.h:239
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1761
#define OPT_P_CONFIG
Definition: options.h:640
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:134
#define M_ERRNO
Definition: error.h:99
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:51
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:136
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:76
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1001
Definition: argv.h:35
uint8_t netbits
Definition: mroute.h:81
struct buffer to_tun
Definition: openvpn.h:381
in_addr_t push_ifconfig_constraint_network
Definition: options.h:435
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3086
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2285
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define M_NONFATAL
Definition: error.h:95
Definition: list.h:60
bool duplicate_cn
Definition: options.h:444
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
int stale_routes_ageing_time
Definition: options.h:450
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:334
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:164
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:229
struct timeval wakeup
Definition: multi.h:63
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:442
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1384
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:257
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:53
struct in6_addr local_ipv6
Definition: tun.h:156
struct mroute_addr addr
Definition: multi.h:199
void status_reset(struct status_output *so)
Definition: status.c:163
const char title_string[]
Definition: options.c:65
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:132
void argv_printf(struct argv *a, const char *format,...)
Definition: argv.c:318
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:262
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:250
void uninit_management_callback(void)
Definition: init.c:3935
#define M_WARN
Definition: error.h:96
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2886
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:439
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:574
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:68
int ifconfig_ipv6_pool_netbits
Definition: options.h:416
#define OPT_P_PUSH
Definition: options.h:638
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:226
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4440