OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "pf.h"
43 #include "gremlin.h"
44 #include "mstats.h"
45 #include "ssl_verify.h"
46 #include "ssl_ncp.h"
47 #include "vlan.h"
48 #include <inttypes.h>
49 
50 #include "memdbg.h"
51 
52 
53 #include "crypto_backend.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef MANAGEMENT_DEF_AUTH
73 static void
74 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
75 {
76  if (mi->cc_config)
77  {
78  buffer_list_free(mi->cc_config);
79  }
80  mi->cc_config = cc_config;
81 }
82 #endif
83 
84 static inline void
85 update_mstat_n_clients(const int n_clients)
86 {
87 #ifdef ENABLE_MEMSTATS
88  if (mmap_stats)
89  {
90  mmap_stats->n_clients = n_clients;
91  }
92 #endif
93 }
94 
95 static bool
97  const struct multi_instance *mi,
98  const char *op,
99  const struct mroute_addr *addr)
100 {
101  struct gc_arena gc = gc_new();
102  struct env_set *es;
103  bool ret = true;
104  struct plugin_list *plugins;
105 
106  /* get environmental variable source */
107  if (mi && mi->context.c2.es)
108  {
109  es = mi->context.c2.es;
110  }
111  else
112  {
113  es = env_set_create(&gc);
114  }
115 
116  /* get plugin source */
117  if (mi)
118  {
119  plugins = mi->context.plugins;
120  }
121  else
122  {
123  plugins = m->top.plugins;
124  }
125 
127  {
128  struct argv argv = argv_new();
129  argv_printf(&argv, "%s %s",
130  op,
131  mroute_addr_print(addr, &gc));
132  if (mi)
133  {
134  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
135  }
136  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
137  {
138  msg(M_WARN, "WARNING: learn-address plugin call failed");
139  ret = false;
140  }
141  argv_free(&argv);
142  }
143 
145  {
146  struct argv argv = argv_new();
147  setenv_str(es, "script_type", "learn-address");
149  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
150  if (mi)
151  {
152  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
153  }
154  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
155  {
156  ret = false;
157  }
158  argv_free(&argv);
159  }
160 
161  gc_free(&gc);
162  return ret;
163 }
164 
165 void
167 {
168  /* write pool data to file */
169  if (m->ifconfig_pool
172  {
174  }
175 }
176 
177 static void
179  int start_bucket,
180  int end_bucket)
181 {
182  struct gc_arena gc = gc_new();
183  struct hash_iterator hi;
184  struct hash_element *he;
185 
186  if (start_bucket < 0)
187  {
188  start_bucket = 0;
189  end_bucket = hash_n_buckets(m->vhash);
190  }
191 
192  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
193  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
194  while ((he = hash_iterator_next(&hi)) != NULL)
195  {
196  struct multi_route *r = (struct multi_route *) he->value;
197  if (!multi_route_defined(m, r))
198  {
199  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
200  mroute_addr_print(&r->addr, &gc));
201  learn_address_script(m, NULL, "delete", &r->addr);
202  multi_route_del(r);
204  }
205  }
206  hash_iterator_free(&hi);
207  gc_free(&gc);
208 }
209 
210 static void
212 {
213  multi_reap_range(m, -1, 0);
214 }
215 
216 static struct multi_reap *
218 {
219  struct multi_reap *mr;
220  ALLOC_OBJ(mr, struct multi_reap);
221  mr->bucket_base = 0;
223  mr->last_call = now;
224  return mr;
225 }
226 
227 void
229 {
230  struct multi_reap *mr = m->reaper;
231  if (mr->bucket_base >= hash_n_buckets(m->vhash))
232  {
233  mr->bucket_base = 0;
234  }
236  mr->bucket_base += mr->buckets_per_pass;
237  mr->last_call = now;
238 }
239 
240 static void
242 {
243  free(mr);
244 }
245 
246 /*
247  * How many buckets in vhash to reap per pass.
248  */
249 static int
250 reap_buckets_per_pass(int n_buckets)
251 {
252  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
253 }
254 
255 #ifdef MANAGEMENT_DEF_AUTH
256 
257 static uint32_t
258 cid_hash_function(const void *key, uint32_t iv)
259 {
260  const unsigned long *k = (const unsigned long *)key;
261  return (uint32_t) *k;
262 }
263 
264 static bool
265 cid_compare_function(const void *key1, const void *key2)
266 {
267  const unsigned long *k1 = (const unsigned long *)key1;
268  const unsigned long *k2 = (const unsigned long *)key2;
269  return *k1 == *k2;
270 }
271 
272 #endif
273 
274 #ifdef ENABLE_ASYNC_PUSH
275 static uint32_t
276 /*
277  * inotify watcher descriptors are used as hash value
278  */
279 int_hash_function(const void *key, uint32_t iv)
280 {
281  return (unsigned long)key;
282 }
283 
284 static bool
285 int_compare_function(const void *key1, const void *key2)
286 {
287  return (unsigned long)key1 == (unsigned long)key2;
288 }
289 #endif
290 
291 /*
292  * Main initialization function, init multi_context object.
293  */
294 void
295 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
296 {
297  int dev = DEV_TYPE_UNDEF;
298 
299  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
302 
303  /*
304  * Get tun/tap/null device type
305  */
306  dev = dev_type_enum(t->options.dev, t->options.dev_type);
307 
308  /*
309  * Init our multi_context object.
310  */
311  CLEAR(*m);
312 
313  m->thread_mode = thread_mode;
314 
315  /*
316  * Real address hash table (source port number is
317  * considered to be part of the address). Used
318  * to determine which client sent an incoming packet
319  * which is seen on the TCP/UDP socket.
320  */
322  get_random(),
325 
326  /*
327  * Virtual address hash table. Used to determine
328  * which client to route a packet to.
329  */
331  get_random(),
334 
335  /*
336  * This hash table is a clone of m->hash but with a
337  * bucket size of one so that it can be used
338  * for fast iteration through the list.
339  */
340  m->iter = hash_init(1,
341  get_random(),
344 
345 #ifdef MANAGEMENT_DEF_AUTH
346  m->cid_hash = hash_init(t->options.real_hash_size,
347  0,
348  cid_hash_function,
349  cid_compare_function);
350 #endif
351 
352 #ifdef ENABLE_ASYNC_PUSH
353  /*
354  * Mapping between inotify watch descriptors and
355  * multi_instances.
356  */
357  m->inotify_watchers = hash_init(t->options.real_hash_size,
358  get_random(),
359  int_hash_function,
360  int_compare_function);
361 #endif
362 
363  /*
364  * This is our scheduler, for time-based wakeup
365  * events.
366  */
367  m->schedule = schedule_init();
368 
369  /*
370  * Limit frequency of incoming connections to control
371  * DoS.
372  */
374  t->options.cf_per);
375 
376  /*
377  * Allocate broadcast/multicast buffer list
378  */
380 
381  /*
382  * Different status file format options are available
383  */
385 
386  /*
387  * Possibly allocate an ifconfig pool, do it
388  * differently based on whether a tun or tap style
389  * tunnel.
390  */
393  {
395 
396  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
397  {
398  pool_type = IFCONFIG_POOL_30NET;
399  }
400 
402  pool_type,
409 
410  /* reload pool data from file */
411  if (t->c1.ifconfig_pool_persist)
412  {
414  }
415  }
416 
417  /*
418  * Help us keep track of routing table.
419  */
421 
422  /*
423  * Initialize route and instance reaper.
424  */
426 
427  /*
428  * Get local ifconfig address
429  */
430  CLEAR(m->local);
431  ASSERT(t->c1.tuntap);
433 
434  /*
435  * Per-client limits
436  */
438 
439  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
440 
441  /*
442  * Initialize multi-socket TCP I/O wait object
443  */
444  if (tcp_mode)
445  {
447  }
449 
450  /*
451  * Allow client <-> client communication, without going through
452  * tun/tap interface and network stack?
453  */
454  m->enable_c2c = t->options.enable_c2c;
455 
456  /* initialize stale routes check timer */
458  {
459  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
462  }
463 
465 }
466 
467 const char *
468 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
469 {
470  if (mi)
471  {
472  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
473  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
474 
475  if (cn)
476  {
477  buf_printf(&out, "%s/", cn);
478  }
479  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
480  return BSTR(&out);
481  }
482  else if (null)
483  {
484  return NULL;
485  }
486  else
487  {
488  return "UNDEF";
489  }
490 }
491 
492 static void
494 {
495  struct gc_arena gc = gc_new();
496  const char *prefix = multi_instance_string(mi, true, &gc);
497  if (prefix)
498  {
499  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
500  }
501  else
502  {
503  mi->msg_prefix[0] = '\0';
504  }
505  set_prefix(mi);
506  gc_free(&gc);
507 }
508 
509 void
511 {
512  mi->msg_prefix[0] = '\0';
513  set_prefix(mi);
514 }
515 
516 static const char *
517 mi_prefix(const struct multi_instance *mi)
518 {
519  if (mi && mi->msg_prefix[0])
520  {
521  return mi->msg_prefix;
522  }
523  else
524  {
525  return "UNDEF_I";
526  }
527 }
528 
529 /*
530  * Tell the route helper about deleted iroutes so
531  * that it can update its mask of currently used
532  * CIDR netlengths.
533  */
534 static void
536  struct multi_instance *mi)
537 {
538  const struct iroute *ir;
539  const struct iroute_ipv6 *ir6;
541  {
542  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
543  {
545  }
546 
547  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
548  {
550  }
551  }
552 }
553 
554 static void
556 {
557  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
558  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
559 }
560 
561 static void
563 {
564  /* setenv client real IP address */
566 
567  /* setenv stats */
568  setenv_stats(&mi->context);
569 
570  /* setenv connection duration */
571  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
572 }
573 
574 static void
576 {
578 
580  {
582  {
583  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
584  }
585  }
586 
588  {
589  struct argv argv = argv_new();
590  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
592  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
593  argv_free(&argv);
594  }
595 #ifdef MANAGEMENT_DEF_AUTH
596  if (management)
597  {
598  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
599  }
600 #endif
601 }
602 
603 void
605  struct multi_instance *mi,
606  bool shutdown)
607 {
609 
610  ASSERT(!mi->halt);
611  mi->halt = true;
612 
613  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
614 
615  /* adjust current client connection count */
616  m->n_clients += mi->n_clients_delta;
618  mi->n_clients_delta = 0;
619 
620  /* prevent dangling pointers */
621  if (m->pending == mi)
622  {
623  multi_set_pending(m, NULL);
624  }
625  if (m->earliest_wakeup == mi)
626  {
627  m->earliest_wakeup = NULL;
628  }
629 
630  if (!shutdown)
631  {
632  if (mi->did_real_hash)
633  {
634  ASSERT(hash_remove(m->hash, &mi->real));
635  }
636  if (mi->did_iter)
637  {
638  ASSERT(hash_remove(m->iter, &mi->real));
639  }
640 #ifdef MANAGEMENT_DEF_AUTH
641  if (mi->did_cid_hash)
642  {
643  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
644  }
645 #endif
646 
647 #ifdef ENABLE_ASYNC_PUSH
648  if (mi->inotify_watch != -1)
649  {
650  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
651  mi->inotify_watch = -1;
652  }
653 #endif
654 
655  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
656  {
657  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
658  }
659 
660  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
661 
662  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
663 
664  if (mi->did_iroutes)
665  {
666  multi_del_iroutes(m, mi);
667  mi->did_iroutes = false;
668  }
669 
670  if (m->mtcp)
671  {
673  }
674 
676  }
677 
678 #ifdef MANAGEMENT_DEF_AUTH
679  set_cc_config(mi, NULL);
680 #endif
682  {
684  }
685 
687 
689 
690  ungenerate_prefix(mi);
691 
692  /*
693  * Don't actually delete the instance memory allocation yet,
694  * because virtual routes may still point to it. Let the
695  * vhash reaper deal with it.
696  */
698 
699  perf_pop();
700 }
701 
702 /*
703  * Called on shutdown or restart.
704  */
705 void
707 {
708  if (m->thread_mode & MC_WORK_THREAD)
709  {
710  multi_top_free(m);
711  m->thread_mode = MC_UNDEF;
712  }
713  else if (m->thread_mode)
714  {
715  if (m->hash)
716  {
717  struct hash_iterator hi;
718  struct hash_element *he;
719 
720  hash_iterator_init(m->iter, &hi);
721  while ((he = hash_iterator_next(&hi)))
722  {
723  struct multi_instance *mi = (struct multi_instance *) he->value;
724  mi->did_iter = false;
725  multi_close_instance(m, mi, true);
726  }
727  hash_iterator_free(&hi);
728 
729  multi_reap_all(m);
730 
731  hash_free(m->hash);
732  hash_free(m->vhash);
733  hash_free(m->iter);
734 #ifdef MANAGEMENT_DEF_AUTH
735  hash_free(m->cid_hash);
736 #endif
737  m->hash = NULL;
738 
739  free(m->instances);
740 
741 #ifdef ENABLE_ASYNC_PUSH
742  hash_free(m->inotify_watchers);
743  m->inotify_watchers = NULL;
744 #endif
745 
747  mbuf_free(m->mbuf);
752  multi_tcp_free(m->mtcp);
753  m->thread_mode = MC_UNDEF;
754  }
755  }
756 }
757 
758 /*
759  * Create a client instance object for a newly connected client.
760  */
761 struct multi_instance *
763 {
764  struct gc_arena gc = gc_new();
765  struct multi_instance *mi;
766 
768 
769  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
770 
771  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
772 
773  mi->gc = gc_new();
775  mi->vaddr_handle = -1;
776  mi->created = now;
777  mroute_addr_init(&mi->real);
778 
779  if (real)
780  {
781  mi->real = *real;
782  generate_prefix(mi);
783  }
784 
785  inherit_context_child(&mi->context, &m->top);
786  if (IS_SIG(&mi->context))
787  {
788  goto err;
789  }
790 
792 
793  if (hash_n_elements(m->hash) >= m->max_clients)
794  {
795  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
796  goto err;
797  }
798 
799  if (!real) /* TCP mode? */
800  {
802  {
803  goto err;
804  }
805  generate_prefix(mi);
806  }
807 
808  if (!hash_add(m->iter, &mi->real, mi, false))
809  {
810  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
811  mroute_addr_print(&mi->real, &gc));
812  goto err;
813  }
814  mi->did_iter = true;
815 
816 #ifdef MANAGEMENT_DEF_AUTH
817  do
818  {
819  mi->context.c2.mda_context.cid = m->cid_counter++;
820  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
821  mi->did_cid_hash = true;
822 #endif
823 
824  mi->context.c2.push_request_received = false;
825 #ifdef ENABLE_ASYNC_PUSH
826  mi->inotify_watch = -1;
827 #endif
828 
829  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
830  {
831  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
832  goto err;
833  }
834 
835  perf_pop();
836  gc_free(&gc);
837  return mi;
838 
839 err:
840  multi_close_instance(m, mi, false);
841  perf_pop();
842  gc_free(&gc);
843  return NULL;
844 }
845 
846 /*
847  * Dump tables -- triggered by SIGUSR2.
848  * If status file is defined, write to file.
849  * If status file is NULL, write to syslog.
850  */
851 void
852 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
853 {
854  if (m->hash)
855  {
856  struct gc_arena gc_top = gc_new();
857  struct hash_iterator hi;
858  const struct hash_element *he;
859 
860  status_reset(so);
861 
862  if (version == 1) /* WAS: m->status_file_version */
863  {
864  /*
865  * Status file version 1
866  */
867  status_printf(so, "OpenVPN CLIENT LIST");
868  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
869  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
870  hash_iterator_init(m->hash, &hi);
871  while ((he = hash_iterator_next(&hi)))
872  {
873  struct gc_arena gc = gc_new();
874  const struct multi_instance *mi = (struct multi_instance *) he->value;
875 
876  if (!mi->halt)
877  {
878  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
879  tls_common_name(mi->context.c2.tls_multi, false),
880  mroute_addr_print(&mi->real, &gc),
883  time_string(mi->created, 0, false, &gc));
884  }
885  gc_free(&gc);
886  }
887  hash_iterator_free(&hi);
888 
889  status_printf(so, "ROUTING TABLE");
890  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
891  hash_iterator_init(m->vhash, &hi);
892  while ((he = hash_iterator_next(&hi)))
893  {
894  struct gc_arena gc = gc_new();
895  const struct multi_route *route = (struct multi_route *) he->value;
896 
897  if (multi_route_defined(m, route))
898  {
899  const struct multi_instance *mi = route->instance;
900  const struct mroute_addr *ma = &route->addr;
901  char flags[2] = {0, 0};
902 
903  if (route->flags & MULTI_ROUTE_CACHE)
904  {
905  flags[0] = 'C';
906  }
907  status_printf(so, "%s%s,%s,%s,%s",
908  mroute_addr_print(ma, &gc),
909  flags,
910  tls_common_name(mi->context.c2.tls_multi, false),
911  mroute_addr_print(&mi->real, &gc),
912  time_string(route->last_reference, 0, false, &gc));
913  }
914  gc_free(&gc);
915  }
916  hash_iterator_free(&hi);
917 
918  status_printf(so, "GLOBAL STATS");
919  if (m->mbuf)
920  {
921  status_printf(so, "Max bcast/mcast queue length,%d",
923  }
924 
925  status_printf(so, "END");
926  }
927  else if (version == 2 || version == 3)
928  {
929  const char sep = (version == 3) ? '\t' : ',';
930 
931  /*
932  * Status file version 2 and 3
933  */
934  status_printf(so, "TITLE%c%s", sep, title_string);
935  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
936  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
937  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
938  hash_iterator_init(m->hash, &hi);
939  while ((he = hash_iterator_next(&hi)))
940  {
941  struct gc_arena gc = gc_new();
942  const struct multi_instance *mi = (struct multi_instance *) he->value;
943 
944  if (!mi->halt)
945  {
946  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
947 #ifdef MANAGEMENT_DEF_AUTH
948  "%lu"
949 #else
950  ""
951 #endif
952  "%c%" PRIu32 "%c%s",
953  sep, tls_common_name(mi->context.c2.tls_multi, false),
954  sep, mroute_addr_print(&mi->real, &gc),
957  sep, mi->context.c2.link_read_bytes,
958  sep, mi->context.c2.link_write_bytes,
959  sep, time_string(mi->created, 0, false, &gc),
960  sep, (unsigned int)mi->created,
961  sep, tls_username(mi->context.c2.tls_multi, false),
962 #ifdef MANAGEMENT_DEF_AUTH
963  sep, mi->context.c2.mda_context.cid,
964 #else
965  sep,
966 #endif
967  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
969  }
970  gc_free(&gc);
971  }
972  hash_iterator_free(&hi);
973 
974  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
975  sep, sep, sep, sep, sep, sep);
976  hash_iterator_init(m->vhash, &hi);
977  while ((he = hash_iterator_next(&hi)))
978  {
979  struct gc_arena gc = gc_new();
980  const struct multi_route *route = (struct multi_route *) he->value;
981 
982  if (multi_route_defined(m, route))
983  {
984  const struct multi_instance *mi = route->instance;
985  const struct mroute_addr *ma = &route->addr;
986  char flags[2] = {0, 0};
987 
988  if (route->flags & MULTI_ROUTE_CACHE)
989  {
990  flags[0] = 'C';
991  }
992  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
993  sep, mroute_addr_print(ma, &gc), flags,
994  sep, tls_common_name(mi->context.c2.tls_multi, false),
995  sep, mroute_addr_print(&mi->real, &gc),
996  sep, time_string(route->last_reference, 0, false, &gc),
997  sep, (unsigned int)route->last_reference);
998  }
999  gc_free(&gc);
1000  }
1001  hash_iterator_free(&hi);
1002 
1003  if (m->mbuf)
1004  {
1005  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1006  sep, sep, mbuf_maximum_queued(m->mbuf));
1007  }
1008 
1009  status_printf(so, "END");
1010  }
1011  else
1012  {
1013  status_printf(so, "ERROR: bad status format version number");
1014  }
1015 
1016 #ifdef PACKET_TRUNCATION_CHECK
1017  {
1018  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1019  hash_iterator_init(m->hash, &hi);
1020  while ((he = hash_iterator_next(&hi)))
1021  {
1022  struct gc_arena gc = gc_new();
1023  const struct multi_instance *mi = (struct multi_instance *) he->value;
1024 
1025  if (!mi->halt)
1026  {
1028  tls_common_name(mi->context.c2.tls_multi, false),
1029  m->top.c2.n_trunc_tun_read,
1030  mi->context.c2.n_trunc_tun_write,
1031  mi->context.c2.n_trunc_pre_encrypt,
1032  mi->context.c2.n_trunc_post_decrypt);
1033  }
1034  gc_free(&gc);
1035  }
1036  hash_iterator_free(&hi);
1037  }
1038 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1039 
1040  status_flush(so);
1041  gc_free(&gc_top);
1042  }
1043 
1044 #ifdef ENABLE_ASYNC_PUSH
1045  if (m->inotify_watchers)
1046  {
1047  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1048  }
1049 #endif
1050 }
1051 
1052 /*
1053  * Learn a virtual address or route.
1054  * The learn will fail if the learn address
1055  * script/plugin fails. In this case the
1056  * return value may be != mi.
1057  * Return the instance which owns this route,
1058  * or NULL if none.
1059  */
1060 static struct multi_instance *
1062  struct multi_instance *mi,
1063  const struct mroute_addr *addr,
1064  const unsigned int flags)
1065 {
1066  struct hash_element *he;
1067  const uint32_t hv = hash_value(m->vhash, addr);
1068  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1069  struct multi_route *oldroute = NULL;
1070  struct multi_instance *owner = NULL;
1071  struct gc_arena gc = gc_new();
1072 
1073  /* if route currently exists, get the instance which owns it */
1074  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1075  if (he)
1076  {
1077  oldroute = (struct multi_route *) he->value;
1078  }
1079  if (oldroute && multi_route_defined(m, oldroute))
1080  {
1081  owner = oldroute->instance;
1082  }
1083 
1084  /* do we need to add address to hash table? */
1085  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1086  && !mroute_addr_equal(addr, &m->local))
1087  {
1088  struct multi_route *newroute;
1089  bool learn_succeeded = false;
1090 
1091  ALLOC_OBJ(newroute, struct multi_route);
1092  newroute->addr = *addr;
1093  newroute->instance = mi;
1094  newroute->flags = flags;
1095  newroute->last_reference = now;
1096  newroute->cache_generation = 0;
1097 
1098  /* The cache is invalidated when cache_generation is incremented */
1099  if (flags & MULTI_ROUTE_CACHE)
1100  {
1102  }
1103 
1104  if (oldroute) /* route already exists? */
1105  {
1106  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1107  {
1108  learn_succeeded = true;
1109  owner = mi;
1111  route_quota_inc(mi);
1112 
1113  /* delete old route */
1114  multi_route_del(oldroute);
1115 
1116  /* modify hash table entry, replacing old route */
1117  he->key = &newroute->addr;
1118  he->value = newroute;
1119  }
1120  }
1121  else
1122  {
1123  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1124  {
1125  learn_succeeded = true;
1126  owner = mi;
1128  route_quota_inc(mi);
1129 
1130  /* add new route */
1131  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1132  }
1133  }
1134 
1135  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1136  learn_succeeded ? "" : " FAILED",
1137  mroute_addr_print(&newroute->addr, &gc),
1138  multi_instance_string(mi, false, &gc));
1139 
1140  if (!learn_succeeded)
1141  {
1142  free(newroute);
1143  }
1144  }
1145  gc_free(&gc);
1146 
1147  return owner;
1148 }
1149 
1150 /*
1151  * Get client instance based on virtual address.
1152  */
1153 static struct multi_instance *
1155  const struct mroute_addr *addr,
1156  bool cidr_routing)
1157 {
1158  struct multi_route *route;
1159  struct multi_instance *ret = NULL;
1160 
1161  /* check for local address */
1162  if (mroute_addr_equal(addr, &m->local))
1163  {
1164  return NULL;
1165  }
1166 
1167  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1168 
1169  /* does host route (possible cached) exist? */
1170  if (route && multi_route_defined(m, route))
1171  {
1172  struct multi_instance *mi = route->instance;
1173  route->last_reference = now;
1174  ret = mi;
1175  }
1176  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1177  {
1178  struct mroute_helper *rh = m->route_helper;
1179  struct mroute_addr tryaddr;
1180  int i;
1181 
1182  /* cycle through each CIDR length */
1183  for (i = 0; i < rh->n_net_len; ++i)
1184  {
1185  tryaddr = *addr;
1186  tryaddr.type |= MR_WITH_NETBITS;
1187  tryaddr.netbits = rh->net_len[i];
1188  mroute_addr_mask_host_bits(&tryaddr);
1189 
1190  /* look up a possible route with netbits netmask */
1191  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1192 
1193  if (route && multi_route_defined(m, route))
1194  {
1195  /* found an applicable route, cache host route */
1196  struct multi_instance *mi = route->instance;
1198  ret = mi;
1199  break;
1200  }
1201  }
1202  }
1203 
1204 #ifdef ENABLE_DEBUG
1206  {
1207  struct gc_arena gc = gc_new();
1208  const char *addr_text = mroute_addr_print(addr, &gc);
1209  if (ret)
1210  {
1211  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1212  addr_text,
1213  multi_instance_string(ret, false, &gc),
1214  mroute_addr_print(&route->addr, &gc));
1215  }
1216  else
1217  {
1218  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1219  addr_text);
1220  }
1221  gc_free(&gc);
1222  }
1223 #endif
1224 
1225  ASSERT(!(ret && ret->halt));
1226  return ret;
1227 }
1228 
1229 /*
1230  * Helper function to multi_learn_addr().
1231  */
1232 static struct multi_instance *
1234  struct multi_instance *mi,
1235  in_addr_t a,
1236  int netbits, /* -1 if host route, otherwise # of network bits in address */
1237  bool primary)
1238 {
1239  struct openvpn_sockaddr remote_si;
1240  struct mroute_addr addr;
1241 
1242  CLEAR(remote_si);
1243  remote_si.addr.in4.sin_family = AF_INET;
1244  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1245  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1246 
1247  if (netbits >= 0)
1248  {
1249  addr.type |= MR_WITH_NETBITS;
1250  addr.netbits = (uint8_t) netbits;
1251  }
1252 
1253  {
1254  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1255 #ifdef MANAGEMENT_DEF_AUTH
1256  if (management && owner)
1257  {
1258  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1259  }
1260 #endif
1261  return owner;
1262  }
1263 }
1264 
1265 static struct multi_instance *
1267  struct multi_instance *mi,
1268  struct in6_addr a6,
1269  int netbits, /* -1 if host route, otherwise # of network bits in address */
1270  bool primary)
1271 {
1272  struct mroute_addr addr;
1273 
1274  addr.len = 16;
1275  addr.type = MR_ADDR_IPV6;
1276  addr.netbits = 0;
1277  addr.v6.addr = a6;
1278 
1279  if (netbits >= 0)
1280  {
1281  addr.type |= MR_WITH_NETBITS;
1282  addr.netbits = (uint8_t) netbits;
1283  mroute_addr_mask_host_bits( &addr );
1284  }
1285 
1286  {
1287  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1288 #ifdef MANAGEMENT_DEF_AUTH
1289  if (management && owner)
1290  {
1291  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1292  }
1293 #endif
1294  return owner;
1295  }
1296 }
1297 
1298 /*
1299  * A new client has connected, add routes (server -> client)
1300  * to internal routing table.
1301  */
1302 static void
1304  struct multi_instance *mi)
1305 {
1306  struct gc_arena gc = gc_new();
1307  const struct iroute *ir;
1308  const struct iroute_ipv6 *ir6;
1310  {
1311  mi->did_iroutes = true;
1312  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1313  {
1314  if (ir->netbits >= 0)
1315  {
1316  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1317  print_in_addr_t(ir->network, 0, &gc),
1318  ir->netbits,
1319  multi_instance_string(mi, false, &gc));
1320  }
1321  else
1322  {
1323  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1324  print_in_addr_t(ir->network, 0, &gc),
1325  multi_instance_string(mi, false, &gc));
1326  }
1327 
1329 
1330  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1331  }
1332  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1333  {
1334  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1335  print_in6_addr(ir6->network, 0, &gc),
1336  ir6->netbits,
1337  multi_instance_string(mi, false, &gc));
1338 
1340 
1341  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1342  }
1343  }
1344  gc_free(&gc);
1345 }
1346 
1347 /*
1348  * Given an instance (new_mi), delete all other instances which use the
1349  * same common name.
1350  */
1351 static void
1353 {
1354  if (new_mi)
1355  {
1356  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1357  if (new_cn)
1358  {
1359  struct hash_iterator hi;
1360  struct hash_element *he;
1361  int count = 0;
1362 
1363  hash_iterator_init(m->iter, &hi);
1364  while ((he = hash_iterator_next(&hi)))
1365  {
1366  struct multi_instance *mi = (struct multi_instance *) he->value;
1367  if (mi != new_mi && !mi->halt)
1368  {
1369  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1370  if (cn && !strcmp(cn, new_cn))
1371  {
1372  mi->did_iter = false;
1373  multi_close_instance(m, mi, false);
1375  ++count;
1376  }
1377  }
1378  }
1379  hash_iterator_free(&hi);
1380 
1381  if (count)
1382  {
1383  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1384  }
1385  }
1386  }
1387 }
1388 
1389 static void
1391 {
1392 
1393  struct gc_arena gc = gc_new();
1394  struct hash_iterator hi;
1395  struct hash_element *he;
1396 
1397  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1399  while ((he = hash_iterator_next(&hi)) != NULL)
1400  {
1401  struct multi_route *r = (struct multi_route *) he->value;
1402  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1403  {
1404  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1405  mroute_addr_print(&r->addr, &gc));
1406  learn_address_script(m, NULL, "delete", &r->addr);
1407  multi_route_del(r);
1409  }
1410  }
1411  hash_iterator_free(&hi);
1412  gc_free(&gc);
1413 }
1414 
1415 /*
1416  * Ensure that endpoint to be pushed to client
1417  * complies with --ifconfig-push-constraint directive.
1418  */
1419 static bool
1421 {
1422  const struct options *o = &c->options;
1424  {
1426  }
1427  else
1428  {
1429  return true;
1430  }
1431 }
1432 
1433 /*
1434  * Select a virtual address for a new client instance.
1435  * Use an --ifconfig-push directive, if given (static IP).
1436  * Otherwise use an --ifconfig-pool address (dynamic IP).
1437  */
1438 static void
1440 {
1441  struct gc_arena gc = gc_new();
1442 
1443  /*
1444  * If ifconfig addresses were set by dynamic config file,
1445  * release pool addresses, otherwise keep them.
1446  */
1448  {
1449  /* ifconfig addresses were set statically,
1450  * release dynamic allocation */
1451  if (mi->vaddr_handle >= 0)
1452  {
1454  mi->vaddr_handle = -1;
1455  }
1456 
1457  mi->context.c2.push_ifconfig_defined = true;
1461 
1462  /* the current implementation does not allow "static IPv4, pool IPv6",
1463  * (see below) so issue a warning if that happens - don't break the
1464  * session, though, as we don't even know if this client WANTS IPv6
1465  */
1468  {
1469  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1470  }
1471  }
1472  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1473  {
1474  in_addr_t local = 0, remote = 0;
1475  struct in6_addr remote_ipv6;
1476  const char *cn = NULL;
1477 
1478  if (!mi->context.options.duplicate_cn)
1479  {
1480  cn = tls_common_name(mi->context.c2.tls_multi, true);
1481  }
1482 
1483  CLEAR(remote_ipv6);
1484  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1485  if (mi->vaddr_handle >= 0)
1486  {
1487  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1488  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1489 
1490  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1492  ? print_in_addr_t(remote, 0, &gc)
1493  : "(Not enabled)"),
1495  ? print_in6_addr( remote_ipv6, 0, &gc )
1496  : "(Not enabled)") );
1497 
1499  {
1500  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1501  mi->context.c2.push_ifconfig_local = remote;
1502  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1503  {
1506  {
1508  }
1509  }
1510  else if (tunnel_type == DEV_TYPE_TUN)
1511  {
1512  if (tunnel_topology == TOP_P2P)
1513  {
1515  }
1516  else if (tunnel_topology == TOP_NET30)
1517  {
1519  }
1520  }
1521 
1523  {
1524  mi->context.c2.push_ifconfig_defined = true;
1525  }
1526  else
1527  {
1529  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1530  multi_instance_string(mi, false, &gc));
1531  }
1532  }
1533 
1535  {
1536  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1538  mi->context.c1.tuntap->local_ipv6;
1542  }
1543  }
1544  else
1545  {
1546  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1547  }
1548  }
1549 
1550  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1551  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1552  * will fail (because no pool will be allocated in this case).
1553  * OTOH, this doesn't make too much sense in reality - and the other
1554  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1555  * -> and so it's implemented right now
1556  */
1558  {
1566 
1567  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1570  }
1571 
1572  gc_free(&gc);
1573 }
1574 
1575 /*
1576  * Set virtual address environmental variables.
1577  */
1578 static void
1580 {
1581  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1582  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1583  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1584 
1586  {
1587  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1588  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1589 
1591  "ifconfig_pool_remote_ip",
1594 
1595  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1596  {
1598  "ifconfig_pool_netmask",
1601  }
1602  else if (tunnel_type == DEV_TYPE_TUN)
1603  {
1605  "ifconfig_pool_local_ip",
1608  }
1609  }
1610 
1611  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1612  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1613  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1614 
1616  {
1618  "ifconfig_pool_remote",
1622  "ifconfig_pool_local",
1625  setenv_int(mi->context.c2.es,
1626  "ifconfig_pool_ip6_netbits",
1628  }
1629 }
1630 
1631 /*
1632  * Called after client-connect script is called
1633  */
1634 static void
1636  struct multi_instance *mi,
1637  const char *dc_file,
1638  unsigned int *option_types_found)
1639 {
1640  /* Did script generate a dynamic config file? */
1641  if (platform_test_file(dc_file))
1642  {
1644  dc_file,
1647  option_types_found,
1648  mi->context.c2.es);
1649 
1650  /*
1651  * If the --client-connect script generates a config file
1652  * with an --ifconfig-push directive, it will override any
1653  * --ifconfig-push directive from the --client-config-dir
1654  * directory or any --ifconfig-pool dynamic address.
1655  */
1658  }
1659 }
1660 
1661 #ifdef ENABLE_PLUGIN
1662 
1663 /*
1664  * Called after client-connect plug-in is called
1665  */
1666 static void
1668  struct multi_instance *mi,
1669  const struct plugin_return *pr,
1670  unsigned int *option_types_found)
1671 {
1672  struct plugin_return config;
1673 
1674  plugin_return_get_column(pr, &config, "config");
1675 
1676  /* Did script generate a dynamic config file? */
1677  if (plugin_return_defined(&config))
1678  {
1679  int i;
1680  for (i = 0; i < config.n; ++i)
1681  {
1682  if (config.list[i] && config.list[i]->value)
1683  {
1685  config.list[i]->value,
1688  option_types_found,
1689  mi->context.c2.es);
1690  }
1691  }
1692 
1693  /*
1694  * If the --client-connect script generates a config file
1695  * with an --ifconfig-push directive, it will override any
1696  * --ifconfig-push directive from the --client-config-dir
1697  * directory or any --ifconfig-pool dynamic address.
1698  */
1701  }
1702 }
1703 
1704 #endif /* ifdef ENABLE_PLUGIN */
1705 
1706 
1707 /*
1708  * Called to load management-derived client-connect config
1709  */
1712  struct multi_instance *mi,
1713  bool deferred,
1714  unsigned int *option_types_found)
1715 {
1716  /* We never return CC_RET_DEFERRED */
1717  ASSERT(!deferred);
1719 #ifdef MANAGEMENT_DEF_AUTH
1720  if (mi->cc_config)
1721  {
1722  struct buffer_entry *be;
1723  for (be = mi->cc_config->head; be != NULL; be = be->next)
1724  {
1725  const char *opt = BSTR(&be->buf);
1727  opt,
1730  option_types_found,
1731  mi->context.c2.es);
1732  }
1733 
1734  /*
1735  * If the --client-connect script generates a config file
1736  * with an --ifconfig-push directive, it will override any
1737  * --ifconfig-push directive from the --client-config-dir
1738  * directory or any --ifconfig-pool dynamic address.
1739  */
1742 
1743  ret = CC_RET_SUCCEEDED;
1744  }
1745 #endif /* ifdef MANAGEMENT_DEF_AUTH */
1746  return ret;
1747 }
1748 
1749 static void
1751  struct multi_instance *mi)
1752 {
1753  struct gc_arena gc = gc_new();
1754 
1755  /* setenv incoming cert common name for script */
1756  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1757 
1758  /* setenv client real IP address */
1760 
1761  /* setenv client virtual IP address */
1763 
1764  /* setenv connection time */
1765  {
1766  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1767  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1768  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1769  }
1770 
1771  gc_free(&gc);
1772 }
1773 
1779 static unsigned int
1780 extract_iv_proto(const char *peer_info)
1781 {
1782 
1783  const char *optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL;
1784  if (optstr)
1785  {
1786  int proto = 0;
1787  int r = sscanf(optstr, "IV_PROTO=%d", &proto);
1788  if (r == 1 && proto > 0)
1789  {
1790  return proto;
1791  }
1792  }
1793  return 0;
1794 }
1795 
1802 static bool
1804 {
1805  struct tls_multi *tls_multi = c->c2.tls_multi;
1806  const char *const peer_info = tls_multi->peer_info;
1807  struct options *o = &c->options;
1808 
1809 
1810  unsigned int proto = extract_iv_proto(peer_info);
1811  if (proto & IV_PROTO_DATA_V2)
1812  {
1813  tls_multi->use_peer_id = true;
1814  }
1815  if (proto & IV_PROTO_REQUEST_PUSH)
1816  {
1817  c->c2.push_request_received = true;
1818  }
1819 
1820  /* Select cipher if client supports Negotiable Crypto Parameters */
1821  if (!o->ncp_enabled)
1822  {
1823  return true;
1824  }
1825 
1826  /* if we have already created our key, we cannot *change* our own
1827  * cipher -> so log the fact and push the "what we have now" cipher
1828  * (so the client is always told what we expect it to use)
1829  */
1830  const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
1832  {
1833  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1834  "server has already generated data channel keys, "
1835  "re-sending previously negotiated cipher '%s'",
1836  o->ciphername );
1837  return true;
1838  }
1839 
1840  /*
1841  * Push the first cipher from --data-ciphers to the client that
1842  * the client announces to be supporting.
1843  */
1844  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1845  tls_multi->remote_ciphername,
1846  &o->gc);
1847 
1848  if (push_cipher)
1849  {
1850  o->ciphername = push_cipher;
1851  return true;
1852  }
1853 
1854  /* NCP cipher negotiation failed. Try to figure out why exactly it
1855  * failed and give good error messages and potentially do a fallback
1856  * for non NCP clients */
1857  struct gc_arena gc = gc_new();
1858  bool ret = false;
1859 
1860  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1861  /* If we are in a situation where we know the client ciphers, there is no
1862  * reason to fall back to a cipher that will not be accepted by the other
1863  * side, in this situation we fail the auth*/
1864  if (strlen(peer_ciphers) > 0)
1865  {
1866  msg(M_INFO, "PUSH: No common cipher between server and client. "
1867  "Server data-ciphers: '%s', client supported ciphers '%s'",
1868  o->ncp_ciphers, peer_ciphers);
1869  }
1870  else if (tls_multi->remote_ciphername)
1871  {
1872  msg(M_INFO, "PUSH: No common cipher between server and client. "
1873  "Server data-ciphers: '%s', client supports cipher '%s'",
1874  o->ncp_ciphers, tls_multi->remote_ciphername);
1875  }
1876  else
1877  {
1878  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1879 
1880  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1881  {
1882  msg(M_INFO, "Using data channel cipher '%s' since "
1883  "--data-ciphers-fallback is set.", o->ciphername);
1884  ret = true;
1885  }
1886  else
1887  {
1888  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1889  "client is using if you want to allow the client to connect");
1890  }
1891  }
1892  if (!ret)
1893  {
1894  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1895  "failed (no shared cipher)");
1896  }
1897 
1898  gc_free(&gc);
1899  return ret;
1900 }
1901 
1906 static void
1908 {
1910  if (!ccs->deferred_ret_file)
1911  {
1912  return;
1913  }
1914 
1915  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1917  {
1918  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1919  ccs->deferred_ret_file);
1920  }
1921  free(ccs->deferred_ret_file);
1922  ccs->deferred_ret_file = NULL;
1923 }
1924 
1932 static bool
1934 {
1936  struct gc_arena gc = gc_new();
1937  const char *fn;
1938 
1939  /* Delete file if it already exists */
1941 
1942  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1943  if (!fn)
1944  {
1945  gc_free(&gc);
1946  return false;
1947  }
1948  ccs->deferred_ret_file = string_alloc(fn, NULL);
1949 
1950  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1951  ccs->deferred_ret_file);
1952 
1953  gc_free(&gc);
1954  return true;
1955 }
1956 
1965 static enum client_connect_return
1967 {
1969  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1970  if (!fp)
1971  {
1972  return CC_RET_SKIPPED;
1973  }
1974 
1976  const int c = fgetc(fp);
1977  switch (c)
1978  {
1979  case '0':
1980  ret = CC_RET_FAILED;
1981  break;
1982 
1983  case '1':
1984  ret = CC_RET_SUCCEEDED;
1985  break;
1986 
1987  case '2':
1988  ret = CC_RET_DEFERRED;
1989  break;
1990 
1991  case EOF:
1992  if (feof(fp))
1993  {
1994  ret = CC_RET_SKIPPED;
1995  break;
1996  }
1997 
1998  /* Not EOF but other error -> fall through to error state */
1999  default:
2000  /* We received an unknown/unexpected value. Assume failure. */
2001  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
2002  "client-connect resultfile");
2003  ret = CC_RET_FAILED;
2004  }
2005  fclose(fp);
2006 
2007  return ret;
2008 }
2009 
2015 static void
2017 {
2019  if (ccs->config_file)
2020  {
2021  setenv_del(mi->context.c2.es, "client_connect_config_file");
2022  if (!platform_unlink(ccs->config_file))
2023  {
2024  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2025  ccs->config_file);
2026  }
2027  free(ccs->config_file);
2028  ccs->config_file = NULL;
2029  }
2030 }
2031 
2039 static bool
2041 {
2043  struct gc_arena gc = gc_new();
2044  const char *fn;
2045 
2046  if (ccs->config_file)
2047  {
2049  }
2050 
2051  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2052  if (!fn)
2053  {
2054  gc_free(&gc);
2055  return false;
2056  }
2057  ccs->config_file = string_alloc(fn, NULL);
2058 
2059  setenv_str(mi->context.c2.es, "client_connect_config_file",
2060  ccs->config_file);
2061 
2062  gc_free(&gc);
2063  return true;
2064 }
2065 
2066 static enum client_connect_return
2068  struct multi_instance *mi,
2069  bool deferred,
2070  unsigned int *option_types_found)
2071 {
2073 #ifdef ENABLE_PLUGIN
2074  ASSERT(m);
2075  ASSERT(mi);
2076  ASSERT(option_types_found);
2078 
2079  /* deprecated callback, use a file for passing back return info */
2081  {
2082  struct argv argv = argv_new();
2083  int call;
2084 
2085  if (!deferred)
2086  {
2088  if (!ccs_gen_config_file(mi)
2089  || !ccs_gen_deferred_ret_file(mi))
2090  {
2091  ret = CC_RET_FAILED;
2092  goto cleanup;
2093  }
2094  }
2095  else
2096  {
2097  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2098  /* the initial call should have created these files */
2099  ASSERT(ccs->config_file);
2100  ASSERT(ccs->deferred_ret_file);
2101  }
2102 
2103  argv_printf(&argv, "%s", ccs->config_file);
2104  int plug_ret = plugin_call(mi->context.plugins, call,
2105  &argv, NULL, mi->context.c2.es);
2106  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2107  {
2108  ret = CC_RET_SUCCEEDED;
2109  }
2110  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2111  {
2112  ret = CC_RET_DEFERRED;
2118  }
2119  else
2120  {
2121  msg(M_WARN, "WARNING: client-connect plugin call failed");
2122  ret = CC_RET_FAILED;
2123  }
2124 
2125 
2131  int file_ret = ccs_test_deferred_ret_file(mi);
2132 
2133  if (file_ret == CC_RET_FAILED)
2134  {
2135  ret = CC_RET_FAILED;
2136  }
2137  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2138  {
2139  ret = CC_RET_DEFERRED;
2140  }
2141 
2142  /* if we still think we have succeeded, do postprocessing */
2143  if (ret == CC_RET_SUCCEEDED)
2144  {
2146  option_types_found);
2147  }
2148 cleanup:
2149  argv_free(&argv);
2150 
2151  if (ret != CC_RET_DEFERRED)
2152  {
2155  }
2156  }
2157 #endif /* ifdef ENABLE_PLUGIN */
2158  return ret;
2159 }
2160 
2161 static enum client_connect_return
2163  struct multi_instance *mi,
2164  bool deferred,
2165  unsigned int *option_types_found)
2166 {
2168 #ifdef ENABLE_PLUGIN
2169  ASSERT(m);
2170  ASSERT(mi);
2171  ASSERT(option_types_found);
2172 
2173  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2175  /* V2 callback, use a plugin_return struct for passing back return info */
2176  if (plugin_defined(mi->context.plugins, call))
2177  {
2178  struct plugin_return pr;
2179 
2180  plugin_return_init(&pr);
2181 
2182  int plug_ret = plugin_call(mi->context.plugins, call,
2183  NULL, &pr, mi->context.c2.es);
2184  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2185  {
2186  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2187  ret = CC_RET_SUCCEEDED;
2188  }
2189  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2190  {
2191  ret = CC_RET_DEFERRED;
2192  if (!(plugin_defined(mi->context.plugins,
2193  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2194  {
2195  msg(M_WARN, "A plugin that defers from the "
2196  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2197  "declare support for "
2198  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2199  ret = CC_RET_FAILED;
2200  }
2201  }
2202  else
2203  {
2204  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2205  ret = CC_RET_FAILED;
2206  }
2207 
2208 
2209  plugin_return_free(&pr);
2210  }
2211 #endif /* ifdef ENABLE_PLUGIN */
2212  return ret;
2213 }
2214 
2215 static enum client_connect_return
2217  struct multi_instance *mi,
2218  unsigned int *option_types_found)
2219 {
2220  ASSERT(mi);
2221  ASSERT(option_types_found);
2224 
2225  ret = ccs_test_deferred_ret_file(mi);
2226 
2227  if (ret == CC_RET_SKIPPED)
2228  {
2229  /*
2230  * Skipped and deferred are equivalent in this context.
2231  * skipped means that the called program has not yet
2232  * written a return status implicitly needing more time
2233  * while deferred is the explicit notification that it
2234  * needs more time
2235  */
2236  ret = CC_RET_DEFERRED;
2237  }
2238 
2239  if (ret == CC_RET_SUCCEEDED)
2240  {
2243  option_types_found);
2245  }
2246  if (ret == CC_RET_FAILED)
2247  {
2248  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2251  }
2252  return ret;
2253 }
2254 
2258 static enum client_connect_return
2260  struct multi_instance *mi,
2261  bool deferred,
2262  unsigned int *option_types_found)
2263 {
2264  if (deferred)
2265  {
2266  return multi_client_connect_script_deferred(m, mi, option_types_found);
2267  }
2268  ASSERT(m);
2269  ASSERT(mi);
2270 
2273 
2275  {
2276  struct argv argv = argv_new();
2277  struct gc_arena gc = gc_new();
2278 
2279  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2280 
2281  if (!ccs_gen_config_file(mi)
2282  || !ccs_gen_deferred_ret_file(mi))
2283  {
2284  ret = CC_RET_FAILED;
2285  goto cleanup;
2286  }
2287 
2289  argv_printf_cat(&argv, "%s", ccs->config_file);
2290 
2291  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2292  {
2294  {
2295  ret = CC_RET_DEFERRED;
2296  }
2297  else
2298  {
2300  option_types_found);
2301  ret = CC_RET_SUCCEEDED;
2302  }
2303  }
2304  else
2305  {
2306  ret = CC_RET_FAILED;
2307  }
2308 cleanup:
2309  if (ret != CC_RET_DEFERRED)
2310  {
2313  }
2314  argv_free(&argv);
2315  gc_free(&gc);
2316  }
2317  return ret;
2318 }
2319 
2323 static bool
2325 {
2326  struct frame *frame_fragment = NULL;
2327 #ifdef ENABLE_FRAGMENT
2328  if (c->options.ce.fragment)
2329  {
2330  frame_fragment = &c->c2.frame_fragment;
2331  }
2332 #endif
2333  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2334  if (!tls_session_update_crypto_params(session, &c->options,
2335  &c->c2.frame, frame_fragment))
2336  {
2337  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2338  register_signal(c, SIGUSR1, "process-push-msg-failed");
2339  return false;
2340  }
2341 
2342  return true;
2343 }
2344 
2345 static void
2347  struct multi_instance *mi,
2348  const unsigned int option_types_found)
2349 {
2350  ASSERT(m);
2351  ASSERT(mi);
2352 
2353  struct gc_arena gc = gc_new();
2354  /*
2355  * Process sourced options.
2356  */
2357  do_deferred_options(&mi->context, option_types_found);
2358 
2359  /*
2360  * make sure we got ifconfig settings from somewhere
2361  */
2362  if (!mi->context.c2.push_ifconfig_defined)
2363  {
2364  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2365  "--ifconfig address is available for %s",
2366  multi_instance_string(mi, false, &gc));
2367  }
2368 
2369  /*
2370  * make sure that ifconfig settings comply with constraints
2371  */
2373  {
2374  const char *ifconfig_constraint_network =
2376  const char *ifconfig_constraint_netmask =
2378 
2379  /* JYFIXME -- this should cause the connection to fail */
2380  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2381  "violates tunnel network/netmask constraint (%s/%s)",
2382  multi_instance_string(mi, false, &gc),
2384  ifconfig_constraint_network, ifconfig_constraint_netmask);
2385  }
2386 
2387  /*
2388  * For routed tunnels, set up internal route to endpoint
2389  * plus add all iroute routes.
2390  */
2392  {
2394  {
2395  multi_learn_in_addr_t(m, mi,
2397  -1, true);
2398  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2399  multi_instance_string(mi, false, &gc),
2401  }
2402 
2404  {
2405  multi_learn_in6_addr(m, mi,
2407  -1, true);
2408  /* TODO: find out where addresses are "unlearned"!! */
2409  const char *ifconfig_local_ipv6 =
2411  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2412  multi_instance_string(mi, false, &gc),
2413  ifconfig_local_ipv6);
2414  }
2415 
2416  /* add routes locally, pointing to new client, if
2417  * --iroute options have been specified */
2418  multi_add_iroutes(m, mi);
2419 
2420  /*
2421  * iroutes represent subnets which are "owned" by a particular
2422  * client. Therefore, do not actually push a route to a client
2423  * if it matches one of the client's iroutes.
2424  */
2426  }
2427  else if (mi->context.options.iroutes)
2428  {
2429  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2430  "only works with tun-style tunnels",
2431  multi_instance_string(mi, false, &gc));
2432  }
2433 
2434  /* set our client's VPN endpoint for status reporting purposes */
2437 
2438  /* set context-level authentication flag */
2440 
2441  /* authentication complete, calculate dynamic client specific options */
2443  {
2445  }
2446  /* Generate data channel keys only if setting protocol options
2447  * has not failed */
2448  else if (!multi_client_generate_tls_keys(&mi->context))
2449  {
2451  }
2452 
2453  /* send push reply if ready */
2455  {
2457  }
2458 
2459  gc_free(&gc);
2460 }
2461 
2462 static void
2464  struct multi_instance *mi)
2465 {
2466  ASSERT(mi->context.c1.tuntap);
2467  /*
2468  * lock down the common name and cert hashes so they can't change
2469  * during future TLS renegotiations
2470  */
2473 
2474  /* generate a msg() prefix for this client instance */
2475  generate_prefix(mi);
2476 
2477  /* delete instances of previous clients with same common-name */
2478  if (!mi->context.options.duplicate_cn)
2479  {
2480  multi_delete_dup(m, mi);
2481  }
2482 
2483  /* reset pool handle to null */
2484  mi->vaddr_handle = -1;
2485 
2486  /* do --client-connect setenvs */
2488 
2490 }
2491 
2496 static enum client_connect_return
2498  struct multi_instance *mi,
2499  bool deferred,
2500  unsigned int *option_types_found)
2501 {
2502  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2503  * problem */
2504  ASSERT(!deferred);
2507  {
2508  struct gc_arena gc = gc_new();
2509  const char *ccd_file = NULL;
2510 
2511  const char *ccd_client =
2513  tls_common_name(mi->context.c2.tls_multi, false),
2514  &gc);
2515 
2516  const char *ccd_default =
2518  CCD_DEFAULT, &gc);
2519 
2520 
2521  /* try common-name file */
2522  if (platform_test_file(ccd_client))
2523  {
2524  ccd_file = ccd_client;
2525  }
2526  /* try default file */
2527  else if (platform_test_file(ccd_default))
2528  {
2529  ccd_file = ccd_default;
2530  }
2531 
2532  if (ccd_file)
2533  {
2535  ccd_file,
2538  option_types_found,
2539  mi->context.c2.es);
2540  /*
2541  * Select a virtual address from either --ifconfig-push in
2542  * --client-config-dir file or --ifconfig-pool.
2543  */
2545 
2547 
2548  ret = CC_RET_SUCCEEDED;
2549  }
2550  gc_free(&gc);
2551  }
2552  return ret;
2553 }
2554 
2556  (struct multi_context *m, struct multi_instance *mi,
2557  bool from_deferred, unsigned int *option_types_found);
2558 
2565  NULL,
2566 };
2567 
2568 /*
2569  * Called as soon as the SSL/TLS connection is authenticated.
2570  *
2571  * Will collect the client specific configuration from the different
2572  * sources like ccd files, connect plugins and management interface.
2573  *
2574  * This method starts with cas_context CAS_PENDING and will move the
2575  * state machine to either CAS_SUCCEEDED on success or
2576  * CAS_FAILED/CAS_PARTIAL on failure.
2577  *
2578  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2579  * include:
2580  *
2581  * iroute start-ip end-ip
2582  * ifconfig-push local remote-netmask
2583  * push
2584  *
2585  *
2586  */
2587 static void
2589 {
2592  {
2593  return;
2594  }
2595 
2596  /* We are only called for the CAS_PENDING_x states, so we
2597  * can ignore other states here */
2598  bool from_deferred = (mi->context.c2.context_auth != CAS_PENDING);
2599 
2600  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2601  unsigned int *option_types_found =
2603 
2604  /* We are called for the first time */
2605  if (!from_deferred)
2606  {
2607  *cur_handler_index = 0;
2608  *option_types_found = 0;
2609  /* Initially we have no handler that has returned a result */
2611 
2613  }
2614 
2615  bool cc_succeeded = true;
2616 
2617  while (cc_succeeded
2618  && client_connect_handlers[*cur_handler_index] != NULL)
2619  {
2620  enum client_connect_return ret;
2621  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2622  option_types_found);
2623 
2624  from_deferred = false;
2625 
2626  switch (ret)
2627  {
2628  case CC_RET_SUCCEEDED:
2629  /*
2630  * Remember that we already had at least one handler
2631  * returning a result should we go to into deferred state
2632  */
2633  mi->context.c2.context_auth = CAS_PENDING_DEFERRED_PARTIAL;
2634  break;
2635 
2636  case CC_RET_SKIPPED:
2637  /*
2638  * Move on with the next handler without modifying any
2639  * other state
2640  */
2641  break;
2642 
2643  case CC_RET_DEFERRED:
2644  /*
2645  * we already set client_connect_status to DEFERRED_RESULT or
2646  * DEFERRED_NO_RESULT. We just return
2647  * from the function as having client_connect_status
2648  */
2649  return;
2650 
2651  case CC_RET_FAILED:
2652  /*
2653  * One handler failed. We abort the chain and set the final
2654  * result to failed
2655  */
2656  cc_succeeded = false;
2657  break;
2658 
2659  default:
2660  ASSERT(0);
2661  }
2662 
2663  /*
2664  * Check for "disable" directive in client-config-dir file
2665  * or config file generated by --client-connect script.
2666  */
2667  if (mi->context.options.disable)
2668  {
2669  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2670  "'disable' directive");
2671  cc_succeeded = false;
2672  }
2673 
2674  (*cur_handler_index)++;
2675  }
2676 
2677  if (cc_succeeded)
2678  {
2679  multi_client_connect_late_setup(m, mi, *option_types_found);
2680  }
2681  else
2682  {
2683  /* run the disconnect script if we had a connect script that
2684  * did not fail */
2686  {
2688  }
2689 
2691  }
2692 
2693  /* increment number of current authenticated clients */
2694  ++m->n_clients;
2696  --mi->n_clients_delta;
2697 
2698 #ifdef MANAGEMENT_DEF_AUTH
2699  if (management)
2700  {
2701  management_connection_established(management,
2702  &mi->context.c2.mda_context, mi->context.c2.es);
2703  }
2704 #endif
2705 }
2706 
2707 #ifdef ENABLE_ASYNC_PUSH
2708 /*
2709  * Called when inotify event is fired, which happens when acf
2710  * or connect-status file is closed or deleted.
2711  * Continues authentication and sends push_reply
2712  * (or be deferred again by client-connect)
2713  */
2714 void
2715 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2716 {
2717  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2718  size_t buffer_i = 0;
2719  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2720 
2721  while (buffer_i < r)
2722  {
2723  /* parse inotify events */
2724  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2725  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2726  buffer_i += event_size;
2727 
2728  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2729 
2730  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2731 
2732  if (pevent->mask & IN_CLOSE_WRITE)
2733  {
2734  if (mi)
2735  {
2736  /* continue authentication, perform NCP negotiation and send push_reply */
2737  multi_process_post(m, mi, mpp_flags);
2738  }
2739  else
2740  {
2741  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2742  }
2743  }
2744  else if (pevent->mask & IN_IGNORED)
2745  {
2746  /* this event is _always_ fired when watch is removed or file is deleted */
2747  if (mi)
2748  {
2749  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2750  mi->inotify_watch = -1;
2751  }
2752  }
2753  else
2754  {
2755  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2756  }
2757  }
2758 }
2759 #endif /* ifdef ENABLE_ASYNC_PUSH */
2760 
2761 /*
2762  * Add a mbuf buffer to a particular
2763  * instance.
2764  */
2765 void
2767  struct multi_instance *mi,
2768  struct mbuf_buffer *mb)
2769 {
2770  if (multi_output_queue_ready(m, mi))
2771  {
2772  struct mbuf_item item;
2773  item.buffer = mb;
2774  item.instance = mi;
2775  mbuf_add_item(m->mbuf, &item);
2776  }
2777  else
2778  {
2779  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2780  }
2781 }
2782 
2783 /*
2784  * Add a packet to a client instance output queue.
2785  */
2786 static inline void
2788  const struct buffer *buf,
2789  struct multi_instance *mi)
2790 {
2791  struct mbuf_buffer *mb;
2792 
2793  if (BLEN(buf) > 0)
2794  {
2795  mb = mbuf_alloc_buf(buf);
2796  mb->flags = MF_UNICAST;
2797  multi_add_mbuf(m, mi, mb);
2798  mbuf_free_buf(mb);
2799  }
2800 }
2801 
2802 /*
2803  * Broadcast a packet to all clients.
2804  */
2805 static void
2807  const struct buffer *buf,
2808  const struct multi_instance *sender_instance,
2809  const struct mroute_addr *sender_addr,
2810  uint16_t vid)
2811 {
2812  struct hash_iterator hi;
2813  struct hash_element *he;
2814  struct multi_instance *mi;
2815  struct mbuf_buffer *mb;
2816 
2817  if (BLEN(buf) > 0)
2818  {
2820 #ifdef MULTI_DEBUG_EVENT_LOOP
2821  printf("BCAST len=%d\n", BLEN(buf));
2822 #endif
2823  mb = mbuf_alloc_buf(buf);
2824  hash_iterator_init(m->iter, &hi);
2825 
2826  while ((he = hash_iterator_next(&hi)))
2827  {
2828  mi = (struct multi_instance *) he->value;
2829  if (mi != sender_instance && !mi->halt)
2830  {
2831 #ifdef ENABLE_PF
2832  if (sender_instance)
2833  {
2834  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2835  sender_instance->context.c2.tls_multi,
2836  &mi->context.c2.pf,
2837  mi->context.c2.tls_multi,
2838  "bcast_c2c"))
2839  {
2840  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2841  mi_prefix(sender_instance),
2842  mi_prefix(mi));
2843  continue;
2844  }
2845  }
2846  if (sender_addr)
2847  {
2848  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2849  sender_addr, "bcast_src_addr"))
2850  {
2851  struct gc_arena gc = gc_new();
2852  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2853  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2854  mi_prefix(mi));
2855  gc_free(&gc);
2856  continue;
2857  }
2858  }
2859 #endif /* ifdef ENABLE_PF */
2860  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2861  {
2862  continue;
2863  }
2864  multi_add_mbuf(m, mi, mb);
2865  }
2866  }
2867 
2868  hash_iterator_free(&hi);
2869  mbuf_free_buf(mb);
2870  perf_pop();
2871  }
2872 }
2873 
2874 /*
2875  * Given a time delta, indicating that we wish to be
2876  * awoken by the scheduler at time now + delta, figure
2877  * a sigma parameter (in microseconds) that represents
2878  * a sort of fuzz factor around delta, so that we're
2879  * really telling the scheduler to wake us up any time
2880  * between now + delta - sigma and now + delta + sigma.
2881  *
2882  * The sigma parameter helps the scheduler to run more efficiently.
2883  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2884  */
2885 static inline unsigned int
2886 compute_wakeup_sigma(const struct timeval *delta)
2887 {
2888  if (delta->tv_sec < 1)
2889  {
2890  /* if < 1 sec, fuzz = # of microseconds / 8 */
2891  return delta->tv_usec >> 3;
2892  }
2893  else
2894  {
2895  /* if < 10 minutes, fuzz = 13.1% of timeout */
2896  if (delta->tv_sec < 600)
2897  {
2898  return delta->tv_sec << 17;
2899  }
2900  else
2901  {
2902  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2903  }
2904  }
2905 }
2906 
2907 static void
2909 {
2910  /* calculate an absolute wakeup time */
2911  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2912  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2913 
2914  /* tell scheduler to wake us up at some point in the future */
2916  (struct schedule_entry *) mi,
2917  &mi->wakeup,
2918  compute_wakeup_sigma(&mi->context.c2.timeval));
2919 }
2920 
2921 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2922 static void
2923 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2924  int inotify_fd, const char *file)
2925 {
2926  /* watch acf file */
2927  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2928  IN_CLOSE_WRITE | IN_ONESHOT);
2929  if (watch_descriptor >= 0)
2930  {
2931  if (mi->inotify_watch != -1)
2932  {
2933  hash_remove(m->inotify_watchers,
2934  (void *) (unsigned long)mi->inotify_watch);
2935  }
2936  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2937  mi, true);
2938  mi->inotify_watch = watch_descriptor;
2939  }
2940  else
2941  {
2942  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2943  }
2944 }
2945 #endif /* if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) */
2946 
2947 /*
2948  * Figure instance-specific timers, convert
2949  * earliest to absolute time in mi->wakeup,
2950  * call scheduler with our future wakeup time.
2951  *
2952  * Also close context on signal.
2953  */
2954 bool
2955 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2956 {
2957  bool ret = true;
2958 
2959  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2960  {
2961 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2962  bool was_unauthenticated = true;
2963  struct key_state *ks = NULL;
2964  if (mi->context.c2.tls_multi)
2965  {
2967  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2968  }
2969 #endif
2970 
2971  /* figure timeouts and fetch possible outgoing
2972  * to_link packets (such as ping or TLS control) */
2973  pre_select(&mi->context);
2974 
2975 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2976  /*
2977  * if we see the state transition from unauthenticated to deferred
2978  * and an auth_control_file, we assume it got just added and add
2979  * inotify watch to that file
2980  */
2981  if (ks && ks->auth_control_file && was_unauthenticated
2982  && (ks->authenticated == KS_AUTH_DEFERRED))
2983  {
2984  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2985  ks->auth_control_file);
2986  }
2987 #endif
2988 
2989  if (!IS_SIG(&mi->context))
2990  {
2991  /* connection is "established" when SSL/TLS key negotiation succeeds
2992  * and (if specified) auth user/pass succeeds */
2995  {
2997  }
2998 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
3001  {
3002  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3004  deferred_ret_file);
3005  }
3006 #endif
3007  /* tell scheduler to wake us up at some point in the future */
3009  }
3010  }
3011 
3012  if (IS_SIG(&mi->context))
3013  {
3014  if (flags & MPP_CLOSE_ON_SIGNAL)
3015  {
3017  ret = false;
3018  }
3019  }
3020  else
3021  {
3022  /* continue to pend on output? */
3023  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3024 
3025 #ifdef MULTI_DEBUG_EVENT_LOOP
3026  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3027  id(mi),
3028  (int) (mi == m->pending),
3029  mi ? mi->context.c2.to_tun.len : -1,
3030  mi ? mi->context.c2.to_link.len : -1,
3031  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3032  (int64_t)mi->context.c2.timeval.tv_sec,
3033  (long)mi->context.c2.timeval.tv_usec);
3034 #endif
3035  }
3036 
3037  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3038  {
3039  *m->mpp_touched = mi;
3040  }
3041 
3042  return ret;
3043 }
3044 
3045 void
3047 {
3048  struct mroute_addr real;
3049  struct hash *hash = m->hash;
3050  struct gc_arena gc = gc_new();
3051 
3052  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3053  {
3054  goto done;
3055  }
3056 
3057  const uint32_t hv = hash_value(hash, &real);
3058  struct hash_bucket *bucket = hash_bucket(hash, hv);
3059 
3060  /* make sure that we don't float to an address taken by another client */
3061  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3062  if (he)
3063  {
3064  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3065 
3066  struct tls_multi *m1 = mi->context.c2.tls_multi;
3067  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3068 
3069  /* do not float if target address is taken by client with another cert */
3070  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3071  {
3072  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3073  multi_instance_string(ex_mi, false, &gc));
3074 
3075  mi->context.c2.buf.len = 0;
3076 
3077  goto done;
3078  }
3079 
3080  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3081  multi_close_instance(m, ex_mi, false);
3082  }
3083 
3084  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3085  mi->context.c2.tls_multi->peer_id,
3086  tls_common_name(mi->context.c2.tls_multi, false),
3087  mroute_addr_print(&mi->real, &gc),
3088  print_link_socket_actual(&m->top.c2.from, &gc));
3089 
3090  /* remove old address from hash table before changing address */
3091  ASSERT(hash_remove(m->hash, &mi->real));
3092  ASSERT(hash_remove(m->iter, &mi->real));
3093 
3094  /* change external network address of the remote peer */
3095  mi->real = real;
3096  generate_prefix(mi);
3097 
3098  mi->context.c2.from = m->top.c2.from;
3099  mi->context.c2.to_link_addr = &mi->context.c2.from;
3100 
3101  /* inherit parent link_socket and link_socket_info */
3104 
3106 
3107  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3108  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3109 
3110 #ifdef MANAGEMENT_DEF_AUTH
3111  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3112 #endif
3113 
3114 done:
3115  gc_free(&gc);
3116 }
3117 
3118 /*
3119  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3120  * i.e. client -> server direction.
3121  */
3122 bool
3123 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3124 {
3125  struct gc_arena gc = gc_new();
3126 
3127  struct context *c;
3128  struct mroute_addr src, dest;
3129  unsigned int mroute_flags;
3130  struct multi_instance *mi;
3131  bool ret = true;
3132  bool floated = false;
3133 
3134  if (m->pending)
3135  {
3136  return true;
3137  }
3138 
3139  if (!instance)
3140  {
3141 #ifdef MULTI_DEBUG_EVENT_LOOP
3142  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3143 #endif
3145  }
3146  else
3147  {
3148  multi_set_pending(m, instance);
3149  }
3150 
3151  if (m->pending)
3152  {
3153  set_prefix(m->pending);
3154 
3155  /* get instance context */
3156  c = &m->pending->context;
3157 
3158  if (!instance)
3159  {
3160  /* transfer packet pointer from top-level context buffer to instance */
3161  c->c2.buf = m->top.c2.buf;
3162 
3163  /* transfer from-addr from top-level context buffer to instance */
3164  if (!floated)
3165  {
3166  c->c2.from = m->top.c2.from;
3167  }
3168  }
3169 
3170  if (BLEN(&c->c2.buf) > 0)
3171  {
3172  struct link_socket_info *lsi;
3173  const uint8_t *orig_buf;
3174 
3175  /* decrypt in instance context */
3176 
3178  lsi = get_link_socket_info(c);
3179  orig_buf = c->c2.buf.data;
3180  if (process_incoming_link_part1(c, lsi, floated))
3181  {
3182  /* nonzero length means that we have a valid, decrypted packed */
3183  if (floated && c->c2.buf.len > 0)
3184  {
3186  }
3187 
3188  process_incoming_link_part2(c, lsi, orig_buf);
3189  }
3190  perf_pop();
3191 
3192  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3193  {
3194  /* extract packet source and dest addresses */
3195  mroute_flags = mroute_extract_addr_from_packet(&src,
3196  &dest,
3197  NULL,
3198  NULL,
3199  0,
3200  &c->c2.to_tun,
3201  DEV_TYPE_TUN);
3202 
3203  /* drop packet if extract failed */
3204  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3205  {
3206  c->c2.to_tun.len = 0;
3207  }
3208  /* make sure that source address is associated with this client */
3209  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3210  {
3211  /* IPv6 link-local address (fe80::xxx)? */
3212  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3213  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3214  {
3215  /* do nothing, for now. TODO: add address learning */
3216  }
3217  else
3218  {
3219  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3220  mroute_addr_print(&src, &gc));
3221  }
3222  c->c2.to_tun.len = 0;
3223  }
3224  /* client-to-client communication enabled? */
3225  else if (m->enable_c2c)
3226  {
3227  /* multicast? */
3228  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3229  {
3230  /* for now, treat multicast as broadcast */
3231  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3232  }
3233  else /* possible client to client routing */
3234  {
3235  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3236  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3237 
3238  /* if dest addr is a known client, route to it */
3239  if (mi)
3240  {
3241 #ifdef ENABLE_PF
3242  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3243  &mi->context.c2.pf,
3244  mi->context.c2.tls_multi,
3245  "tun_c2c"))
3246  {
3247  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
3248  mi_prefix(mi));
3249  }
3250  else
3251 #endif
3252  {
3253  multi_unicast(m, &c->c2.to_tun, mi);
3254  register_activity(c, BLEN(&c->c2.to_tun));
3255  }
3256  c->c2.to_tun.len = 0;
3257  }
3258  }
3259  }
3260 #ifdef ENABLE_PF
3261  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
3262  "tun_dest_addr"))
3263  {
3264  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
3265  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
3266  c->c2.to_tun.len = 0;
3267  }
3268 #endif
3269  }
3270  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3271  {
3272  uint16_t vid = 0;
3273 #ifdef ENABLE_PF
3274  struct mroute_addr edest;
3275  mroute_addr_reset(&edest);
3276 #endif
3277 
3278  if (m->top.options.vlan_tagging)
3279  {
3280  if (vlan_is_tagged(&c->c2.to_tun))
3281  {
3282  /* Drop VLAN-tagged frame. */
3283  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3284  c->c2.to_tun.len = 0;
3285  }
3286  else
3287  {
3288  vid = c->options.vlan_pvid;
3289  }
3290  }
3291  /* extract packet source and dest addresses */
3292  mroute_flags = mroute_extract_addr_from_packet(&src,
3293  &dest,
3294  NULL,
3295 #ifdef ENABLE_PF
3296  &edest,
3297 #else
3298  NULL,
3299 #endif
3300  vid,
3301  &c->c2.to_tun,
3302  DEV_TYPE_TAP);
3303 
3304  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3305  {
3306  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3307  {
3308  /* check for broadcast */
3309  if (m->enable_c2c)
3310  {
3311  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3312  {
3313  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3314  vid);
3315  }
3316  else /* try client-to-client routing */
3317  {
3318  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3319 
3320  /* if dest addr is a known client, route to it */
3321  if (mi)
3322  {
3323 #ifdef ENABLE_PF
3324  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3325  &mi->context.c2.pf,
3326  mi->context.c2.tls_multi,
3327  "tap_c2c"))
3328  {
3329  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
3330  mi_prefix(mi));
3331  }
3332  else
3333 #endif
3334  {
3335  multi_unicast(m, &c->c2.to_tun, mi);
3336  register_activity(c, BLEN(&c->c2.to_tun));
3337  }
3338  c->c2.to_tun.len = 0;
3339  }
3340  }
3341  }
3342 #ifdef ENABLE_PF
3343  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
3344  &edest,
3345  "tap_dest_addr"))
3346  {
3347  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
3348  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
3349  c->c2.to_tun.len = 0;
3350  }
3351 #endif
3352  }
3353  else
3354  {
3355  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3356  mroute_addr_print(&src, &gc));
3357  c->c2.to_tun.len = 0;
3358  }
3359  }
3360  else
3361  {
3362  c->c2.to_tun.len = 0;
3363  }
3364  }
3365  }
3366 
3367  /* postprocess and set wakeup */
3368  ret = multi_process_post(m, m->pending, mpp_flags);
3369 
3370  clear_prefix();
3371  }
3372 
3373  gc_free(&gc);
3374  return ret;
3375 }
3376 
3377 /*
3378  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3379  * i.e. server -> client direction.
3380  */
3381 bool
3382 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3383 {
3384  struct gc_arena gc = gc_new();
3385  bool ret = true;
3386 
3387  if (BLEN(&m->top.c2.buf) > 0)
3388  {
3389  unsigned int mroute_flags;
3390  struct mroute_addr src, dest;
3391  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3392  int16_t vid = 0;
3393 
3394 #ifdef ENABLE_PF
3395  struct mroute_addr esrc, *e1, *e2;
3396  if (dev_type == DEV_TYPE_TUN)
3397  {
3398  e1 = NULL;
3399  e2 = &src;
3400  }
3401  else
3402  {
3403  e1 = e2 = &esrc;
3404  mroute_addr_reset(&esrc);
3405  }
3406 #endif
3407 
3408 #ifdef MULTI_DEBUG_EVENT_LOOP
3409  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3410 #endif
3411 
3412  if (m->pending)
3413  {
3414  return true;
3415  }
3416 
3417  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3418  {
3419  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3420  if (vid < 0)
3421  {
3422  return false;
3423  }
3424  }
3425 
3426  /*
3427  * Route an incoming tun/tap packet to
3428  * the appropriate multi_instance object.
3429  */
3430 
3431  mroute_flags = mroute_extract_addr_from_packet(&src,
3432  &dest,
3433 #ifdef ENABLE_PF
3434  e1,
3435 #else
3436  NULL,
3437 #endif
3438  NULL,
3439  vid,
3440  &m->top.c2.buf,
3441  dev_type);
3442 
3443  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3444  {
3445  struct context *c;
3446 
3447  /* broadcast or multicast dest addr? */
3448  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3449  {
3450  /* for now, treat multicast as broadcast */
3451 #ifdef ENABLE_PF
3452  multi_bcast(m, &m->top.c2.buf, NULL, e2, vid);
3453 #else
3454  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3455 #endif
3456  }
3457  else
3458  {
3460 
3461  if (m->pending)
3462  {
3463  /* get instance context */
3464  c = &m->pending->context;
3465 
3466  set_prefix(m->pending);
3467 
3468 #ifdef ENABLE_PF
3469  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
3470  {
3471  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
3472  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
3473  buf_reset_len(&c->c2.buf);
3474  }
3475  else
3476 #endif
3477  {
3478  if (multi_output_queue_ready(m, m->pending))
3479  {
3480  /* transfer packet pointer from top-level context buffer to instance */
3481  c->c2.buf = m->top.c2.buf;
3482  }
3483  else
3484  {
3485  /* drop packet */
3486  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3487  buf_reset_len(&c->c2.buf);
3488  }
3489  }
3490 
3491  /* encrypt in instance context */
3493 
3494  /* postprocess and set wakeup */
3495  ret = multi_process_post(m, m->pending, mpp_flags);
3496 
3497  clear_prefix();
3498  }
3499  }
3500  }
3501  }
3502  gc_free(&gc);
3503  return ret;
3504 }
3505 
3506 /*
3507  * Process a possible client-to-client/bcast/mcast message in the
3508  * queue.
3509  */
3510 struct multi_instance *
3512 {
3513  struct mbuf_item item;
3514 
3515  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3516  {
3517  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3518 
3519  set_prefix(item.instance);
3520  item.instance->context.c2.buf = item.buffer->buf;
3521  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3522  {
3523  pip_flags |= PIP_MSSFIX;
3524  }
3525  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3526  encrypt_sign(&item.instance->context, true);
3527  mbuf_free_buf(item.buffer);
3528 
3529  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3530 
3531  clear_prefix();
3532  return item.instance;
3533  }
3534  else
3535  {
3536  return NULL;
3537  }
3538 }
3539 
3540 /*
3541  * Called when an I/O wait times out. Usually means that a particular
3542  * client instance object needs timer-based service.
3543  */
3544 bool
3545 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3546 {
3547  bool ret = true;
3548 
3549 #ifdef MULTI_DEBUG_EVENT_LOOP
3550  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3551 #endif
3552 
3553  /* instance marked for wakeup? */
3554  if (m->earliest_wakeup)
3555  {
3557  {
3560  }
3561  else
3562  {
3564  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3565  clear_prefix();
3566  }
3567  m->earliest_wakeup = NULL;
3568  }
3569  return ret;
3570 }
3571 
3572 /*
3573  * Drop a TUN/TAP outgoing packet..
3574  */
3575 void
3576 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3577 {
3578  struct multi_instance *mi = m->pending;
3579 
3580  ASSERT(mi);
3581 
3582  set_prefix(mi);
3583 
3584  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3585  mi->context.c2.to_tun.len);
3586 
3587  buf_reset(&mi->context.c2.to_tun);
3588 
3589  multi_process_post(m, mi, mpp_flags);
3590  clear_prefix();
3591 }
3592 
3593 /*
3594  * Per-client route quota management
3595  */
3596 
3597 void
3599 {
3600  struct gc_arena gc = gc_new();
3601  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3603  multi_instance_string(mi, false, &gc));
3604  gc_free(&gc);
3605 }
3606 
3607 #ifdef ENABLE_DEBUG
3608 /*
3609  * Flood clients with random packets
3610  */
3611 static void
3612 gremlin_flood_clients(struct multi_context *m)
3613 {
3614  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3615  if (level)
3616  {
3617  struct gc_arena gc = gc_new();
3618  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3619  struct packet_flood_parms parm = get_packet_flood_parms(level);
3620  int i;
3621 
3622  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
3623  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
3624 
3625  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3626  parm.n_packets,
3627  parm.packet_size);
3628 
3629  for (i = 0; i < parm.packet_size; ++i)
3630  {
3631  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3632  }
3633 
3634  for (i = 0; i < parm.n_packets; ++i)
3635  {
3636  multi_bcast(m, &buf, NULL, NULL, 0);
3637  }
3638 
3639  gc_free(&gc);
3640  }
3641 }
3642 #endif /* ifdef ENABLE_DEBUG */
3643 
3644 static bool
3646 {
3647  struct timeval null;
3648  CLEAR(null);
3650 }
3651 
3652 /*
3653  * Process timers in the top-level context
3654  */
3655 void
3657 {
3658  /* possibly reap instances/routes in vhash */
3659  multi_reap_process(m);
3660 
3661  /* possibly print to status log */
3662  if (m->top.c1.status_output)
3663  {
3665  {
3667  }
3668  }
3669 
3670  /* possibly flush ifconfig-pool file */
3671  multi_ifconfig_pool_persist(m, false);
3672 
3673 #ifdef ENABLE_DEBUG
3674  gremlin_flood_clients(m);
3675 #endif
3676 
3677  /* Should we check for stale routes? */
3679  {
3680  check_stale_routes(m);
3681  }
3682 }
3683 
3684 void
3685 multi_top_init(struct multi_context *m, const struct context *top)
3686 {
3687  inherit_context_top(&m->top, top);
3688  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3689 }
3690 
3691 void
3693 {
3694  close_context(&m->top, -1, CC_GC_FREE);
3696 }
3697 
3698 static bool
3700 {
3701  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3702 }
3703 
3704 static void
3706 {
3707  struct hash_iterator hi;
3708  struct hash_element *he;
3709  struct timeval tv;
3710 
3711  /* tell all clients to restart */
3712  hash_iterator_init(m->iter, &hi);
3713  while ((he = hash_iterator_next(&hi)))
3714  {
3715  struct multi_instance *mi = (struct multi_instance *) he->value;
3716  if (!mi->halt)
3717  {
3718  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3720  }
3721  }
3722  hash_iterator_free(&hi);
3723 
3724  /* reschedule signal */
3726  tv.tv_sec = 2;
3727  tv.tv_usec = 0;
3729 
3731 
3736 
3737  m->top.sig->signal_received = 0;
3738 }
3739 
3740 /*
3741  * Return true if event loop should break,
3742  * false if it should continue.
3743  */
3744 bool
3746 {
3747  if (m->top.sig->signal_received == SIGUSR2)
3748  {
3749  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3751  status_close(so);
3752  m->top.sig->signal_received = 0;
3753  return false;
3754  }
3755  else if (proto_is_dgram(m->top.options.ce.proto)
3759  {
3761  return false;
3762  }
3763  return true;
3764 }
3765 
3766 /*
3767  * Called when an instance should be closed due to the
3768  * reception of a soft signal.
3769  */
3770 void
3772 {
3773  remap_signal(&mi->context);
3774  set_prefix(mi);
3775  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3776  clear_prefix();
3777  multi_close_instance(m, mi, false);
3778 }
3779 
3780 static void
3781 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3782 {
3783  mi->context.sig->signal_received = sig;
3785 }
3786 
3787 /*
3788  * Management subsystem callbacks
3789  */
3790 
3791 #ifdef ENABLE_MANAGEMENT
3792 
3793 static void
3794 management_callback_status(void *arg, const int version, struct status_output *so)
3795 {
3796  struct multi_context *m = (struct multi_context *) arg;
3797 
3798  if (!version)
3799  {
3801  }
3802  else
3803  {
3804  multi_print_status(m, so, version);
3805  }
3806 }
3807 
3808 static int
3810 {
3811  struct multi_context *m = (struct multi_context *) arg;
3812  return m->n_clients;
3813 }
3814 
3815 static int
3816 management_callback_kill_by_cn(void *arg, const char *del_cn)
3817 {
3818  struct multi_context *m = (struct multi_context *) arg;
3819  struct hash_iterator hi;
3820  struct hash_element *he;
3821  int count = 0;
3822 
3823  hash_iterator_init(m->iter, &hi);
3824  while ((he = hash_iterator_next(&hi)))
3825  {
3826  struct multi_instance *mi = (struct multi_instance *) he->value;
3827  if (!mi->halt)
3828  {
3829  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3830  if (cn && !strcmp(cn, del_cn))
3831  {
3833  ++count;
3834  }
3835  }
3836  }
3837  hash_iterator_free(&hi);
3838  return count;
3839 }
3840 
3841 static int
3842 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3843 {
3844  struct multi_context *m = (struct multi_context *) arg;
3845  struct hash_iterator hi;
3846  struct hash_element *he;
3847  struct openvpn_sockaddr saddr;
3848  struct mroute_addr maddr;
3849  int count = 0;
3850 
3851  CLEAR(saddr);
3852  saddr.addr.in4.sin_family = AF_INET;
3853  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3854  saddr.addr.in4.sin_port = htons(port);
3855  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3856  {
3857  hash_iterator_init(m->iter, &hi);
3858  while ((he = hash_iterator_next(&hi)))
3859  {
3860  struct multi_instance *mi = (struct multi_instance *) he->value;
3861  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3862  {
3864  ++count;
3865  }
3866  }
3867  hash_iterator_free(&hi);
3868  }
3869  return count;
3870 }
3871 
3872 static void
3874 {
3875  struct multi_context *m = (struct multi_context *) arg;
3876  if (m->mtcp)
3877  {
3878  multi_tcp_delete_event(m->mtcp, event);
3879  }
3880 }
3881 
3882 #endif /* ifdef ENABLE_MANAGEMENT */
3883 
3884 #ifdef MANAGEMENT_DEF_AUTH
3885 
3886 static struct multi_instance *
3887 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3888 {
3889  if (m)
3890  {
3891  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3892  if (mi && !mi->halt)
3893  {
3894  return mi;
3895  }
3896  }
3897  return NULL;
3898 }
3899 
3900 static bool
3901 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3902 {
3903  struct multi_context *m = (struct multi_context *) arg;
3904  struct multi_instance *mi = lookup_by_cid(m, cid);
3905  if (mi)
3906  {
3907  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3909  return true;
3910  }
3911  else
3912  {
3913  return false;
3914  }
3915 }
3916 
3917 static bool
3918 management_client_pending_auth(void *arg,
3919  const unsigned long cid,
3920  const char *extra)
3921 {
3922  struct multi_context *m = (struct multi_context *) arg;
3923  struct multi_instance *mi = lookup_by_cid(m, cid);
3924  if (mi)
3925  {
3926  /* sends INFO_PRE and AUTH_PENDING messages to client */
3927  bool ret = send_auth_pending_messages(&mi->context, extra);
3929  return ret;
3930  }
3931  return false;
3932 }
3933 
3934 
3935 static bool
3936 management_client_auth(void *arg,
3937  const unsigned long cid,
3938  const unsigned int mda_key_id,
3939  const bool auth,
3940  const char *reason,
3941  const char *client_reason,
3942  struct buffer_list *cc_config) /* ownership transferred */
3943 {
3944  struct multi_context *m = (struct multi_context *) arg;
3945  struct multi_instance *mi = lookup_by_cid(m, cid);
3946  bool cc_config_owned = true;
3947  bool ret = false;
3948 
3949  if (mi)
3950  {
3951  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3952  if (ret)
3953  {
3954  if (auth)
3955  {
3957  {
3958  set_cc_config(mi, cc_config);
3959  cc_config_owned = false;
3960  }
3961  }
3962  else
3963  {
3964  if (reason)
3965  {
3966  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3967  }
3969  {
3970  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3972  }
3973  }
3974  }
3975  }
3976  if (cc_config_owned && cc_config)
3977  {
3978  buffer_list_free(cc_config);
3979  }
3980  return ret;
3981 }
3982 
3983 static char *
3984 management_get_peer_info(void *arg, const unsigned long cid)
3985 {
3986  struct multi_context *m = (struct multi_context *) arg;
3987  struct multi_instance *mi = lookup_by_cid(m, cid);
3988  char *ret = NULL;
3989 
3990  if (mi)
3991  {
3992  ret = tls_get_peer_info(mi->context.c2.tls_multi);
3993  }
3994 
3995  return ret;
3996 }
3997 
3998 #endif /* ifdef MANAGEMENT_DEF_AUTH */
3999 
4000 #ifdef MANAGEMENT_PF
4001 static bool
4002 management_client_pf(void *arg,
4003  const unsigned long cid,
4004  struct buffer_list *pf_config) /* ownership transferred */
4005 {
4006  struct multi_context *m = (struct multi_context *) arg;
4007  struct multi_instance *mi = lookup_by_cid(m, cid);
4008  bool ret = false;
4009 
4010  if (mi && pf_config)
4011  {
4012  ret = pf_load_from_buffer_list(&mi->context, pf_config);
4013  }
4014 
4015  if (pf_config)
4016  {
4017  buffer_list_free(pf_config);
4018  }
4019  return ret;
4020 }
4021 #endif /* ifdef MANAGEMENT_PF */
4022 
4023 void
4025 {
4026 #ifdef ENABLE_MANAGEMENT
4027  if (management)
4028  {
4029  struct management_callback cb;
4030  CLEAR(cb);
4031  cb.arg = m;
4032  cb.flags = MCF_SERVER;
4039 #ifdef MANAGEMENT_DEF_AUTH
4040  cb.kill_by_cid = management_kill_by_cid;
4041  cb.client_auth = management_client_auth;
4042  cb.client_pending_auth = management_client_pending_auth;
4043  cb.get_peer_info = management_get_peer_info;
4044 #endif
4045 #ifdef MANAGEMENT_PF
4046  cb.client_pf = management_client_pf;
4047 #endif
4049  }
4050 #endif /* ifdef ENABLE_MANAGEMENT */
4051 }
4052 
4053 /*
4054  * Top level event loop.
4055  */
4056 void
4058 {
4059  ASSERT(top->options.mode == MODE_SERVER);
4060 
4061  if (proto_is_dgram(top->options.ce.proto))
4062  {
4063  tunnel_server_udp(top);
4064  }
4065  else
4066  {
4067  tunnel_server_tcp(top);
4068  }
4069 }
#define M_NONFATAL
Definition: error.h:95
struct env_set * es
Definition: openvpn.h:440
uint8_t type
Definition: mroute.h:78
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3705
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:195
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2806
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:469
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
#define MR_WITH_NETBITS
Definition: mroute.h:70
static bool is_exit_restart(int sig)
Definition: multi.c:3699
static void register_activity(struct context *c, const int size)
Definition: forward.h:349
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:276
struct buffer to_link
Definition: openvpn.h:399
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1750
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3781
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3576
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:343
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:165
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:179
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:472
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1154
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:318
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:302
bool ncp_enabled
Definition: options.h:508
#define REAP_DIVISOR
Definition: multi.h:558
struct key_state key[KS_SIZE]
Definition: ssl_common.h:452
struct iroute * next
Definition: route.h:238
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:161
struct in6_addr reporting_addr_ipv6
Definition: multi.h:122
static bool is_cas_pending(enum client_connect_status cas)
Definition: openvpn.h:226
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:505
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2259
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
counter_type link_write_bytes
Definition: openvpn.h:303
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:438
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2431
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
#define MULTI_ROUTE_CACHE
Definition: multi.h:234
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:113
#define M_OPTERR
Definition: error.h:105
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:393
int signal_received
Definition: multi.h:61
unsigned int option_types_found
Definition: multi.h:75
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:247
void hash_free(struct hash *hash)
Definition: list.c:65
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:2040
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3005
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:503
Packet geometry parameters.
Definition: mtu.h:93
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:295
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:493
pool_type
Definition: pool.h:37
#define D_PUSH
Definition: errlevel.h:83
enum ks_auth_state authenticated
Definition: ssl_common.h:218
bool push_ifconfig_defined
Definition: openvpn.h:450
char * peer_info
Definition: ssl_common.h:564
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2556
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:375
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2905
struct mroute_addr::@0::@3 v6
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:442
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:584
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:510
#define dmsg
Definition: error.h:174
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:263
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4645
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:441
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:329
in_addr_t push_ifconfig_local
Definition: openvpn.h:452
bool enable_c2c
Definition: options.h:463
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2346
int push_ifconfig_ipv6_netbits
Definition: options.h:460
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:509
#define D_TLS_ERRORS
Definition: errlevel.h:59
struct in6_addr network
Definition: route.h:242
struct buffer buf
Definition: openvpn.h:397
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1456
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:106
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4983
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:915
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3794
#define SIGUSR1
Definition: config-msvc.h:152
const void * key
Definition: list.h:48
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2324
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:596
#define MR_ADDR_MASK
Definition: mroute.h:64
struct multi_reap * reaper
Definition: multi.h:180
struct context_buffers * buffers
Definition: openvpn.h:389
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2067
struct multi_instance * instance
Definition: multi.h:232
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:452
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:457
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
bool ifconfig_pool_defined
Definition: options.h:427
void multi_top_free(struct multi_context *m)
Definition: multi.c:3692
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:562
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:193
#define D_PF_DROPPED
Definition: errlevel.h:101
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:96
struct link_socket_info * link_socket_info
Definition: openvpn.h:271
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:3926
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3873
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:235
in_addr_t remote_netmask
Definition: tun.h:173
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:433
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:459
static int management_callback_n_clients(void *arg)
Definition: multi.c:3809
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:461
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1579
int status_file_version
Definition: multi.h:185
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:566
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:455
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1352
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:140
ifconfig_pool_handle vaddr_handle
Definition: multi.h:113
bool did_iter
Definition: multi.h:125
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:114
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3745
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1439
struct event_timeout stale_routes_check_et
Definition: multi.h:205
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:530
#define MAX_PEER_ID
Definition: openvpn.h:577
int cf_max
Definition: options.h:465
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:494
void pre_select(struct context *c)
Definition: forward.c:1799
unsigned int cache_generation
Definition: mroute.h:132
#define SIGTERM
Definition: config-msvc.h:154
at least handler succeeded, no result yet
Definition: openvpn.h:221
#define SIGHUP
Definition: config-msvc.h:150
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
#define MCF_SERVER
Definition: manage.h:158
#define ASSERT(x)
Definition: error.h:221
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2766
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:117
in_addr_t ifconfig_pool_end
Definition: options.h:429
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
const char * client_disconnect_script
Definition: options.h:441
int explicit_exit_notification
Definition: options.h:121
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1266
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3382
bool platform_unlink(const char *filename)
Definition: platform.c:287
unsigned int flags
Definition: multi.h:236
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1911
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
int n_clients
Definition: multi.h:186
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:226
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:521
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2016
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
static void clear_prefix(void)
Definition: multi.h:540
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
static void setenv_stats(struct context *c)
Definition: multi.c:555
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3842
bool did_real_hash
Definition: multi.h:124
#define MODE_SERVER
Definition: options.h:205
bool use_peer_id
Definition: ssl_common.h:590
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:290
#define PIP_MSSFIX
Definition: forward.h:321
bool initialized
Definition: crypto.h:225
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:218
int netbits
Definition: route.h:237
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:604
void status_flush(struct status_output *so)
Definition: status.c:159
int n_clients_delta
Definition: multi.h:131
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:451
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool push_request_received
Definition: openvpn.h:449
const char * ncp_ciphers
Definition: options.h:509
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268
int cf_per
Definition: options.h:466
void multi_uninit(struct multi_context *m)
Definition: multi.c:706
bool status_close(struct status_output *so)
Definition: status.c:190
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:543
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:320
static void multi_route_del(struct multi_route *route)
Definition: multi.h:485
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:454
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:414
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:85
in_addr_t push_ifconfig_local
Definition: options.h:451
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3685
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4519
struct frame frame_fragment
Definition: openvpn.h:284
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3816
time_t last_reference
Definition: multi.h:239
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3343
#define OPENVPN_PLUGIN_FUNC_DEFERRED
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:662
in_addr_t local
Definition: tun.h:172
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:151
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4024
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:397
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:721
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3046
static unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: multi.c:1780
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define MAPF_SHOW_ARP
Definition: mroute.h:159
int stale_routes_check_interval
Definition: options.h:469
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:166
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:448
uint16_t vlan_pvid
Definition: options.h:644
counter_type link_read_bytes
Definition: openvpn.h:301
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:206
bool ifconfig_ipv6_pool_defined
Definition: options.h:434
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:390
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1907
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:456
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5003
Key state is not authenticated.
Definition: ssl_common.h:150
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:274
int ifconfig_ipv6_netbits
Definition: options.h:255
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:528
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:454
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:52
struct crypto_options crypto_options
Definition: ssl_common.h:198
bool did_iroutes
Definition: multi.h:130
#define MPP_PRE_SELECT
Definition: multi.h:288
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:762
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:168
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:397
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:190
int topology
Definition: options.h:251
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2985
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:241
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:461
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1233
struct iroute * iroutes
Definition: options.h:448
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
unsigned int cache_generation
Definition: multi.h:238
struct frame frame
Definition: openvpn.h:278
#define DEV_TYPE_TUN
Definition: proto.h:37
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:815
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2908
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:336
struct timeval timeval
Definition: openvpn.h:416
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
int virtual_hash_size
Definition: options.h:439
Definition: schedule.h:44
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3771
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:199
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:458
#define D_MULTI_DEBUG
Definition: errlevel.h:124
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3320
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value...
Definition: multi.c:1966
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:882
unsigned __int32 uint32_t
Definition: config-msvc.h:157
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:135
int tcp_queue_limit
Definition: options.h:447
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133
const char * client_config_dir
Definition: options.h:443
const char * ciphername
Definition: options.h:505
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
uint8_t len
Definition: mroute.h:76
#define REAP_MAX
Definition: multi.h:560
struct multi_instance * pending
Definition: multi.h:193
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:163
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
int buckets_per_pass
Definition: multi.h:53
struct gc_arena gc
Definition: multi.h:102
bool vlan_tagging
Definition: options.h:642
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:573
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2463
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:152
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
in_addr_t network
Definition: route.h:236
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:468
int bucket_base
Definition: multi.h:52
in_addr_t reporting_addr
Definition: multi.h:121
int max_routes_per_client
Definition: options.h:468
struct buffer buf
Definition: buffer.h:1106
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:171
char * config_file
The temporary file name that contains the config directives returned by the client-connect script...
Definition: multi.h:87
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:612
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:228
int n_bcast_buf
Definition: options.h:446
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1933
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:248
int max_clients
Definition: multi.h:183
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:435
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:225
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:215
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1711
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:395
union openvpn_sockaddr::@10 addr
in_addr_t ifconfig_pool_start
Definition: options.h:428
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:166
struct link_socket * link_socket
Definition: openvpn.h:269
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3656
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3940
bool status_trigger(struct status_output *so)
Definition: status.c:135
uint16_t vid
Definition: mroute.h:85
#define M_ERRNO
Definition: error.h:99
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
#define msg
Definition: error.h:173
struct multi_instance * earliest_wakeup
Definition: multi.h:194
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:592
#define DEV_TYPE_UNDEF
Definition: proto.h:35
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:173
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1061
struct connection_entry ce
Definition: options.h:230
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:517
bool push_ifconfig_defined
Definition: options.h:450
void schedule_free(struct schedule *s)
Definition: schedule.c:423
struct context_2 c2
Level 2 context.
Definition: openvpn.h:544
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1420
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:172
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:177
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2267
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:440
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:162
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1635
#define BLEN(buf)
Definition: buffer.h:127
enum client_connect_status context_auth
Definition: openvpn.h:462
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:115
in_addr_t ifconfig_pool_netmask
Definition: options.h:430
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:784
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:406
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:194
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2497
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1303
int(* n_clients)(void *arg)
Definition: manage.h:166
bool halt
Definition: multi.h:103
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4057
struct buffer_entry * next
Definition: buffer.h:1107
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1667
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:175
#define REAP_MIN
Definition: multi.h:559
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
__int64 int64_t
Definition: config-msvc.h:160
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1803
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2729
unsigned __int8 uint8_t
Definition: config-msvc.h:159
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3511
const char * tmp_dir
Definition: options.h:405
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:147
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2787
struct mroute_addr local
Definition: multi.h:181
unsigned int netbits
Definition: route.h:243
int max_clients
Definition: options.h:467
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:456
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:445
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:984
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:292
int status_file_version
Definition: options.h:337
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:111
#define SIGINT
Definition: config-msvc.h:151
struct timeval wakeup
Definition: multi.h:110
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3116
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2955
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:164
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:901
#define SIGUSR2
Definition: config-msvc.h:153
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:178
#define D_VLAN_DEBUG
Definition: errlevel.h:151
bool push_ifconfig_ipv6_defined
Definition: options.h:458
Main OpenVPN server state structure.
Definition: multi.h:152
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:457
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:414
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:543
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:181
time_t last_call
Definition: multi.h:54
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:6
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:291
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:581
bool proto_is_dgram(int proto)
Definition: socket.c:3181
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1852
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:683
struct fragment_master * fragment
Definition: openvpn.h:283
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:571
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1390
struct status_output * status_output
Definition: openvpn.h:181
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:326
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:532
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:438
int n_net_len
Definition: mroute.h:134
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3645
#define MR_ADDR_IPV6
Definition: mroute.h:63
int thread_mode
Definition: multi.h:159
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:243
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:211
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:164
in_addr_t push_ifconfig_local_alias
Definition: options.h:453
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3123
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:535
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:127
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:589
Definition: route.h:235
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:449
static int constrain_int(int x, int min, int max)
Definition: integer.h:70
#define M_WARN
Definition: error.h:96
static int min_int(int x, int y)
Definition: integer.h:57
#define MC_WORK_THREAD
Definition: multi.h:158
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:191
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:182
struct frequency_limit * new_connection_limiter
Definition: multi.h:178
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:217
unsigned int flags
Definition: manage.h:159
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:184
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:199
void * value
Definition: list.h:47
unsigned __int16 uint16_t
Definition: config-msvc.h:158
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
bool send_auth_pending_messages(struct context *c, const char *extra)
Sends the auth pending control messages to a client.
Definition: push.c:291
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:241
#define TUNNEL_TYPE(tt)
Definition: tun.h:153
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:380
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:152
Detached client connection state.
Definition: multi.h:69
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:306
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:212
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2588
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:852
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:475
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1004
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:212
struct link_socket_actual from
Definition: openvpn.h:275
int process_incoming_push_request(struct context *c)
Definition: push.c:732
struct iroute_ipv6 * next
Definition: route.h:244
#define BSTR(buf)
Definition: buffer.h:129
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2162
long int get_random(void)
Definition: crypto.c:1779
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2559
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:49
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:156
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:218
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:863
Definition: argv.h:35
struct gc_arena gc
Definition: options.h:197
uint8_t netbits
Definition: mroute.h:79
struct buffer to_tun
Definition: openvpn.h:398
in_addr_t push_ifconfig_constraint_network
Definition: options.h:455
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3103
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2886
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:575
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:58
bool duplicate_cn
Definition: options.h:464
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
int stale_routes_ageing_time
Definition: options.h:470
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:351
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:167
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:227
struct timeval wakeup
Definition: multi.h:62
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:453
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1262
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:289
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:57
struct in6_addr local_ipv6
Definition: tun.h:175
struct mroute_addr addr
Definition: multi.h:231
void status_reset(struct status_output *so)
Definition: status.c:150
const char title_string[]
Definition: options.c:67
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2216
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:153
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:265
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:250
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3545
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:459
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
int ifconfig_ipv6_pool_netbits
Definition: options.h:436
__int16 int16_t
Definition: config-msvc.h:162
int fragment
Definition: options.h:117
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:248
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4595
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3598
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442