OpenVPN
push.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "push.h"
33 #include "options.h"
34 #include "ssl.h"
35 #include "ssl_verify.h"
36 #include "manage.h"
37 
38 #include "memdbg.h"
39 
40 #if P2MP
41 
42 static char push_reply_cmd[] = "PUSH_REPLY";
43 
44 /*
45  * Auth username/password
46  *
47  * Client received an authentication failed message from server.
48  * Runs on client.
49  */
50 void
51 receive_auth_failed(struct context *c, const struct buffer *buffer)
52 {
53  msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
54  c->options.no_advance = true;
55 
56  if (c->options.pull)
57  {
58  /* Before checking how to react on AUTH_FAILED, first check if the
59  * failed auth might be the result of an expired auth-token.
60  * Note that a server restart will trigger a generic AUTH_FAILED
61  * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
62  * identical for this scenario */
64  {
65  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */
66  c->sig->signal_text = "auth-failure (auth-token)";
67  }
68  else
69  {
70  switch (auth_retry_get())
71  {
72  case AR_NONE:
73  c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */
74  break;
75 
76  case AR_INTERACT:
77  ssl_purge_auth(false);
78 
79  case AR_NOINTERACT:
80  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */
81  break;
82 
83  default:
84  ASSERT(0);
85  }
86  c->sig->signal_text = "auth-failure";
87  }
88 #ifdef ENABLE_MANAGEMENT
89  if (management)
90  {
91  const char *reason = NULL;
92  struct buffer buf = *buffer;
93  if (buf_string_compare_advance(&buf, "AUTH_FAILED,") && BLEN(&buf))
94  {
95  reason = BSTR(&buf);
96  }
98  }
99 #endif
100  /*
101  * Save the dynamic-challenge text even when management is defined
102  */
103  {
104 #ifdef ENABLE_MANAGEMENT
105  struct buffer buf = *buffer;
106  if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf))
107  {
108  buf_advance(&buf, 12); /* Length of "AUTH_FAILED," substring */
110  }
111 #endif
112  }
113  }
114 }
115 
116 /*
117  * Act on received restart message from server
118  */
119 void
120 server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
121 {
122  if (c->options.pull)
123  {
124  struct buffer buf = *buffer;
125  const char *m = "";
126  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
127  {
128  m = BSTR(&buf);
129  }
130 
131  /* preserve cached passwords? */
132  /* advance to next server? */
133  {
134  bool purge = true;
135 
136  if (m[0] == '[')
137  {
138  int i;
139  for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
140  {
141  if (m[i] == 'P')
142  {
143  purge = false;
144  }
145  else if (m[i] == 'N')
146  {
147  /* next server? */
148  c->options.no_advance = false;
149  }
150  }
151  }
152  if (purge)
153  {
154  ssl_purge_auth(true);
155  }
156  }
157 
158  if (restart)
159  {
160  msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
161  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
162  c->sig->signal_text = "server-pushed-connection-reset";
163  }
164  else
165  {
166  msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
167  c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- server-pushed halt */
168  c->sig->signal_text = "server-pushed-halt";
169  }
170 #ifdef ENABLE_MANAGEMENT
171  if (management)
172  {
173  management_notify(management, "info", c->sig->signal_text, m);
174  }
175 #endif
176  }
177 }
178 
179 #if P2MP_SERVER
180 
194 static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
195  int msglevel, const char *fmt, ...)
196 #ifdef __GNUC__
197 #if __USE_MINGW_ANSI_STDIO
198 __attribute__ ((format(gnu_printf, 4, 5)))
199 #else
200 __attribute__ ((format(__printf__, 4, 5)))
201 #endif
202 #endif
203 ;
204 
205 /*
206  * Send auth failed message from server to client.
207  */
208 void
209 send_auth_failed(struct context *c, const char *client_reason)
210 {
211  struct gc_arena gc = gc_new();
212  static const char auth_failed[] = "AUTH_FAILED";
213  size_t len;
214 
216 
217  len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
218  if (len > PUSH_BUNDLE_SIZE)
219  {
220  len = PUSH_BUNDLE_SIZE;
221  }
222 
223  {
224  struct buffer buf = alloc_buf_gc(len, &gc);
225  buf_printf(&buf, auth_failed);
226  if (client_reason)
227  {
228  buf_printf(&buf, ",%s", client_reason);
229  }
231  }
232 
233  gc_free(&gc);
234 }
235 
236 /*
237  * Send restart message from server to client.
238  */
239 void
240 send_restart(struct context *c, const char *kill_msg)
241 {
243  send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
244 }
245 
246 #endif /* if P2MP_SERVER */
247 
248 /*
249  * Push/Pull
250  */
251 
252 void
253 incoming_push_message(struct context *c, const struct buffer *buffer)
254 {
255  struct gc_arena gc = gc_new();
256  unsigned int option_types_found = 0;
257  int status;
258 
259  msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
260 
261  status = process_incoming_push_msg(c,
262  buffer,
263  c->options.pull,
265  &option_types_found);
266 
267  if (status == PUSH_MSG_ERROR)
268  {
269  msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
270  }
271  else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
272  {
273  c->options.push_option_types_found |= option_types_found;
274 
275  /* delay bringing tun/tap up until --push parms received from remote */
276  if (status == PUSH_MSG_REPLY)
277  {
278  if (!do_up(c, true, c->options.push_option_types_found))
279  {
280  msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
281  goto error;
282  }
283  }
285  }
286  else if (status == PUSH_MSG_REQUEST)
287  {
288  if (c->options.mode == MODE_SERVER)
289  {
291  /* Do not regenerate keys if client send a second push request */
293  && !tls_session_update_crypto_params(session, &c->options,
294  &c->c2.frame))
295  {
296  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
297  goto error;
298  }
299  }
300  }
301 
302  goto cleanup;
303 error:
304  register_signal(c, SIGUSR1, "process-push-msg-failed");
305 cleanup:
306  gc_free(&gc);
307 }
308 
309 bool
311 {
312  const int max_push_requests = c->options.handshake_window / PUSH_REQUEST_INTERVAL;
313  if (++c->c2.n_sent_push_requests <= max_push_requests)
314  {
315  return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
316  }
317  else
318  {
319  msg(D_STREAM_ERRORS, "No reply from server after sending %d push requests", max_push_requests);
320  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
321  c->sig->signal_text = "no-push-reply";
322  return false;
323  }
324 }
325 
326 #if P2MP_SERVER
327 
337 static bool
338 prepare_push_reply(struct context *c, struct gc_arena *gc,
339  struct push_list *push_list)
340 {
341  const char *optstr = NULL;
342  struct tls_multi *tls_multi = c->c2.tls_multi;
343  const char *const peer_info = tls_multi->peer_info;
344  struct options *o = &c->options;
345 
346  /* ipv6 */
348  {
349  push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
353  0, gc));
354  }
355 
356  /* ipv4 */
360  {
363  {
364  ifconfig_local = c->c2.push_ifconfig_local_alias;
365  }
366  push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
367  print_in_addr_t(ifconfig_local, 0, gc),
369  0, gc));
370  }
371 
372  /* Send peer-id if client supports it */
373  optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL;
374  if (optstr)
375  {
376  int proto = 0;
377  int r = sscanf(optstr, "IV_PROTO=%d", &proto);
378  if ((r == 1) && (proto >= 2))
379  {
380  push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
381  tls_multi->peer_id);
382  tls_multi->use_peer_id = true;
383  }
384  }
385 
386  /* Push cipher if client supports Negotiable Crypto Parameters */
387  if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
388  {
389  /* if we have already created our key, we cannot *change* our own
390  * cipher -> so log the fact and push the "what we have now" cipher
391  * (so the client is always told what we expect it to use)
392  */
393  const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
395  {
396  msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
397  "server has already generated data channel keys, "
398  "re-sending previously negotiated cipher '%s'",
399  o->ciphername );
400  }
401  else
402  {
403  /* Push the first cipher from --ncp-ciphers to the client.
404  * TODO: actual negotiation, instead of server dictatorship. */
405  char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
406  o->ciphername = strtok(push_cipher, ":");
407  }
408  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
409  }
410  else if (o->ncp_enabled)
411  {
412  tls_poor_mans_ncp(o, tls_multi->remote_ciphername);
413  }
414 
415  /* If server uses --auth-gen-token and we have an auth token
416  * to send to the client
417  */
418  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
419  {
420  push_option_fmt(gc, push_list, M_USAGE,
421  "auth-token %s", tls_multi->auth_token);
422  tls_multi->auth_token_sent = true;
423  }
424  return true;
425 }
426 
427 static bool
428 send_push_options(struct context *c, struct buffer *buf,
429  struct push_list *push_list, int safe_cap,
430  bool *push_sent, bool *multi_push)
431 {
432  struct push_entry *e = push_list->head;
433 
434  while (e)
435  {
436  if (e->enable)
437  {
438  const int l = strlen(e->option);
439  if (BLEN(buf) + l >= safe_cap)
440  {
441  buf_printf(buf, ",push-continuation 2");
442  {
443  const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
444  if (!status)
445  {
446  return false;
447  }
448  *push_sent = true;
449  *multi_push = true;
450  buf_reset_len(buf);
451  buf_printf(buf, "%s", push_reply_cmd);
452  }
453  }
454  if (BLEN(buf) + l >= safe_cap)
455  {
456  msg(M_WARN, "--push option is too long");
457  return false;
458  }
459  buf_printf(buf, ",%s", e->option);
460  }
461  e = e->next;
462  }
463  return true;
464 }
465 
466 static bool
467 send_push_reply(struct context *c, struct push_list *per_client_push_list)
468 {
469  struct gc_arena gc = gc_new();
470  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
471  bool multi_push = false;
472  const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
473  const int safe_cap = BCAP(&buf) - extra;
474  bool push_sent = false;
475 
476  buf_printf(&buf, "%s", push_reply_cmd);
477 
478  /* send options which are common to all clients */
479  if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
480  &push_sent, &multi_push))
481  {
482  goto fail;
483  }
484 
485  /* send client-specific options */
486  if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
487  &push_sent, &multi_push))
488  {
489  goto fail;
490  }
491 
492  if (multi_push)
493  {
494  buf_printf(&buf, ",push-continuation 1");
495  }
496 
497  if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
498  {
499  const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
500  if (!status)
501  {
502  goto fail;
503  }
504  push_sent = true;
505  }
506 
507  /* If nothing have been pushed, send an empty push,
508  * as the client is expecting a response
509  */
510  if (!push_sent)
511  {
512  bool status = false;
513 
514  buf_reset_len(&buf);
515  buf_printf(&buf, "%s", push_reply_cmd);
516  status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
517  if (!status)
518  {
519  goto fail;
520  }
521  }
522 
523  gc_free(&gc);
524  return true;
525 
526 fail:
527  gc_free(&gc);
528  return false;
529 }
530 
531 static void
532 push_option_ex(struct gc_arena *gc, struct push_list *push_list,
533  const char *opt, bool enable, int msglevel)
534 {
535  if (!string_class(opt, CC_ANY, CC_COMMA))
536  {
537  msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
538  }
539  else
540  {
541  struct push_entry *e;
542  ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
543  e->enable = true;
544  e->option = opt;
545  if (push_list->head)
546  {
547  ASSERT(push_list->tail);
548  push_list->tail->next = e;
549  push_list->tail = e;
550  }
551  else
552  {
553  ASSERT(!push_list->tail);
554  push_list->head = e;
555  push_list->tail = e;
556  }
557  }
558 }
559 
560 void
561 push_option(struct options *o, const char *opt, int msglevel)
562 {
563  push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
564 }
565 
566 void
568 {
569  if (o->push_list.head)
570  {
571  const struct push_entry *e = o->push_list.head;
572  push_reset(o);
573  while (e)
574  {
575  push_option_ex(&o->gc, &o->push_list,
576  string_alloc(e->option, &o->gc), true, M_FATAL);
577  e = e->next;
578  }
579  }
580 }
581 
582 void
583 push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
584 {
585  const char **argv = make_extended_arg_array(p, gc);
586  char *opt = print_argv(argv, gc, 0);
587  push_option(o, opt, msglevel);
588 }
589 
590 static bool
591 push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
592  int msglevel, const char *format, ...)
593 {
594  va_list arglist;
595  char tmp[256] = {0};
596  int len;
597  va_start(arglist, format);
598  len = vsnprintf(tmp, sizeof(tmp), format, arglist);
599  va_end(arglist);
600  if (len > sizeof(tmp)-1)
601  {
602  return false;
603  }
604  push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
605  return true;
606 }
607 
608 void
609 push_reset(struct options *o)
610 {
611  CLEAR(o->push_list);
612 }
613 
614 void
615 push_remove_option(struct options *o, const char *p)
616 {
617  msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
618 
619  /* ifconfig is special, as not part of the push list */
620  if (streq(p, "ifconfig"))
621  {
622  o->push_ifconfig_ipv4_blocked = true;
623  return;
624  }
625 
626  /* ifconfig-ipv6 is special, as not part of the push list */
627  if (streq( p, "ifconfig-ipv6" ))
628  {
629  o->push_ifconfig_ipv6_blocked = true;
630  return;
631  }
632 
633  if (o && o->push_list.head)
634  {
635  struct push_entry *e = o->push_list.head;
636 
637  /* cycle through the push list */
638  while (e)
639  {
640  if (e->enable
641  && strncmp( e->option, p, strlen(p) ) == 0)
642  {
643  msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
644  e->enable = false;
645  }
646 
647  e = e->next;
648  }
649  }
650 }
651 #endif /* if P2MP_SERVER */
652 
653 #if P2MP_SERVER
654 int
656 {
657  int ret = PUSH_MSG_ERROR;
658 
659 #ifdef ENABLE_ASYNC_PUSH
660  c->c2.push_request_received = true;
661 #endif
663  {
664  const char *client_reason = tls_client_reason(c->c2.tls_multi);
665  send_auth_failed(c, client_reason);
666  ret = PUSH_MSG_AUTH_FAILURE;
667  }
668  else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
669  {
670  time_t now;
671 
672  openvpn_time(&now);
673  if (c->c2.sent_push_reply_expiry > now)
674  {
676  }
677  else
678  {
679  /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
680  struct push_list push_list;
681  struct gc_arena gc = gc_new();
682 
683  CLEAR(push_list);
684  if (prepare_push_reply(c, &gc, &push_list)
685  && send_push_reply(c, &push_list))
686  {
687  ret = PUSH_MSG_REQUEST;
688  c->c2.sent_push_reply_expiry = now + 30;
689  }
690  gc_free(&gc);
691  }
692  }
693  else
694  {
696  }
697 
698  return ret;
699 }
700 #endif /* if P2MP_SERVER */
701 
702 static void
703 push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
704 {
705  char line[OPTION_PARM_SIZE];
706  while (buf_parse(buf, ',', line, sizeof(line)))
707  {
708  /* peer-id might change on restart and this should not trigger reopening tun */
709  if (strprefix(line, "peer-id "))
710  {
711  continue;
712  }
713  /* tun reopen only needed if cipher change can change tun MTU */
714  if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
715  {
716  continue;
717  }
718  md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
719  }
720 }
721 
722 int
724  const struct buffer *buffer,
725  bool honor_received_options,
726  unsigned int permission_mask,
727  unsigned int *option_types_found)
728 {
729  int ret = PUSH_MSG_ERROR;
730  struct buffer buf = *buffer;
731 
732 #if P2MP_SERVER
733  if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
734  {
736  }
737  else
738 #endif
739 
740  if (honor_received_options && buf_string_compare_advance(&buf, "PUSH_REPLY"))
741  {
742  const uint8_t ch = buf_read_u8(&buf);
743  if (ch == ',')
744  {
745  struct buffer buf_orig = buf;
747  {
751  }
752  if (!c->c2.did_pre_pull_restore)
753  {
754  pre_pull_restore(&c->options, &c->c2.gc);
755  c->c2.did_pre_pull_restore = true;
756  }
757  if (apply_push_options(&c->options,
758  &buf,
759  permission_mask,
760  option_types_found,
761  c->c2.es))
762  {
764  &c->options);
765  switch (c->options.push_continuation)
766  {
767  case 0:
768  case 1:
772  c->c2.pulled_options_state = NULL;
774  ret = PUSH_MSG_REPLY;
775  break;
776 
777  case 2:
778  ret = PUSH_MSG_CONTINUATION;
779  break;
780  }
781  }
782  }
783  else if (ch == '\0')
784  {
785  ret = PUSH_MSG_REPLY;
786  }
787  /* show_settings (&c->options); */
788  }
789  return ret;
790 }
791 
792 #if P2MP_SERVER
793 
794 /*
795  * Remove iroutes from the push_list.
796  */
797 void
799 {
800  if (o && o->push_list.head && o->iroutes)
801  {
802  struct gc_arena gc = gc_new();
803  struct push_entry *e = o->push_list.head;
804 
805  /* cycle through the push list */
806  while (e)
807  {
808  char *p[MAX_PARMS];
809  bool enable = true;
810 
811  /* parse the push item */
812  CLEAR(p);
813  if (e->enable
814  && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
815  {
816  /* is the push item a route directive? */
817  if (p[0] && !strcmp(p[0], "route") && !p[3])
818  {
819  /* get route parameters */
820  bool status1, status2;
821  const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
822  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
823 
824  /* did route parameters parse correctly? */
825  if (status1 && status2)
826  {
827  const struct iroute *ir;
828 
829  /* does route match an iroute? */
830  for (ir = o->iroutes; ir != NULL; ir = ir->next)
831  {
832  if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
833  {
834  enable = false;
835  break;
836  }
837  }
838  }
839  }
840 
841  /* should we copy the push item? */
842  e->enable = enable;
843  if (!enable)
844  {
845  msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
846  }
847  }
848 
849  e = e->next;
850  }
851 
852  gc_free(&gc);
853  }
854 }
855 
856 #endif /* if P2MP_SERVER */
857 
858 #endif /* if P2MP */
struct env_set * es
Definition: openvpn.h:427
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition: buffer.c:1062
static bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options and available peer info.
Definition: push.c:338
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:465
bool tun_mtu_defined
Definition: options.h:108
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:240
bool ncp_enabled
Definition: options.h:489
struct key_state key[KS_SIZE]
Definition: ssl_common.h:445
struct iroute * next
Definition: route.h:233
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:232
md_ctx_t * md_ctx_new(void)
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:502
#define PUSH_MSG_CONTINUATION
Definition: push.h:36
bool push_ifconfig_ipv6_blocked
Definition: options.h:449
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:502
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define streq(x, y)
Definition: options.h:635
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
struct push_entry * head
Definition: pushlist.h:36
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2077
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2992
#define M_INFO
Definition: errlevel.h:55
void clone_push_list(struct options *o)
Definition: push.c:567
Contains all state information for one tunnel.
Definition: openvpn.h:500
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define PUSH_BUNDLE_SIZE
Definition: common.h:84
#define D_PUSH
Definition: errlevel.h:83
#define M_USAGE
Definition: error.h:111
bool push_ifconfig_defined
Definition: openvpn.h:441
char * peer_info
Definition: ssl_common.h:559
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:209
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:487
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:2983
in_addr_t push_ifconfig_local
Definition: openvpn.h:443
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
#define D_TLS_ERRORS
Definition: errlevel.h:59
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2812
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:927
#define SIGUSR1
Definition: config-msvc.h:116
bool pulled_options_digest_init_done
Definition: openvpn.h:466
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:448
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:369
void push_reset(struct options *o)
Definition: push.c:609
#define AR_NONE
Definition: options.h:821
void md_ctx_free(md_ctx_t *ctx)
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:450
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
#define SIZE(x)
Definition: basic.h:30
#define in_addr_t
Definition: config-msvc.h:104
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:525
#define MAX_PARMS
Definition: options.h:51
struct push_entry * next
Definition: pushlist.h:30
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4231
bool did_pre_pull_restore
Definition: openvpn.h:463
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition: buffer.c:757
#define SIGTERM
Definition: config-msvc.h:118
int handshake_window
Definition: options.h:569
#define ASSERT(x)
Definition: error.h:221
struct gc_arena gc
Garbage collection arena for allocations done in the level 2 scope of this context_2 structure...
Definition: openvpn.h:226
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:578
int scheduled_exit_interval
Definition: options.h:477
int context_auth
Definition: openvpn.h:458
#define MODE_SERVER
Definition: options.h:191
bool send_push_request(struct context *c)
Definition: push.c:310
bool use_peer_id
Definition: ssl_common.h:564
bool initialized
Definition: crypto.h:225
int netbits
Definition: route.h:232
#define BCAP(buf)
Definition: buffer.h:130
#define CC_COMMA
Definition: buffer.h:928
#define fail()
Definition: cmocka.h:1531
const char * ncp_ciphers
Definition: options.h:490
Definition: pushlist.h:29
#define CLEAR(x)
Definition: basic.h:33
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition: push.c:591
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
void push_remove_option(struct options *o, const char *p)
Definition: push.c:615
#define PUSH_MSG_REPLY
Definition: push.h:33
md_ctx_t * pulled_options_state
Definition: openvpn.h:467
static bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition: push.c:467
#define PUSH_MSG_REQUEST
Definition: push.h:32
#define OPTION_PARM_SIZE
Definition: options.h:56
static char push_reply_cmd[]
Definition: push.c:42
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition: push.c:723
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
int mode
Definition: options.h:192
#define PUSH_MSG_REQUEST_DEFERRED
Definition: push.h:34
void pre_pull_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3422
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:377
time_t now
Definition: otime.c:36
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:445
struct crypto_options crypto_options
Definition: ssl_common.h:181
int auth_retry_get(void)
Definition: options.c:4040
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition: push.c:532
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2972
struct iroute * iroutes
Definition: options.h:435
struct frame frame
Definition: openvpn.h:261
const char * option
Definition: pushlist.h:32
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:449
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:798
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:133
const char * ciphername
Definition: options.h:488
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:477
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:583
in_addr_t network
Definition: route.h:231
static SERVICE_STATUS status
Definition: automatic.c:43
#define vsnprintf
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition: push.c:428
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1992
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:614
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
static time_t openvpn_time(time_t *t)
Definition: otime.h:123
bool enable
Definition: pushlist.h:31
bool push_ifconfig_ipv4_blocked
Definition: options.h:444
#define msg
Definition: error.h:173
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:253
#define GETADDR_HOST_ORDER
Definition: socket.h:522
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:566
struct connection_entry ce
Definition: options.h:213
struct context_2 c2
Level 2 context.
Definition: openvpn.h:539
struct push_list push_list
Definition: options.h:413
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2154
time_t sent_push_reply_expiry
Definition: openvpn.h:442
#define TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:69
void md_ctx_cleanup(md_ctx_t *ctx)
#define PUSH_MSG_AUTH_FAILURE
Definition: push.h:35
#define PUSH_MSG_ERROR
Definition: push.h:31
#define BLEN(buf)
Definition: buffer.h:127
void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
"Poor man&#39;s NCP": Use peer cipher if it is an allowed (NCP) cipher.
Definition: ssl.c:1943
int push_continuation
Definition: options.h:472
struct event_timeout push_request_interval
Definition: openvpn.h:461
#define CAS_SUCCEEDED
Definition: openvpn.h:453
unsigned int push_option_types_found
Definition: options.h:473
unsigned __int8 uint8_t
Definition: config-msvc.h:123
bool no_advance
Definition: options.h:218
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:447
volatile int signal_received
Definition: sig.h:45
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
#define PUSH_REQUEST_INTERVAL
Definition: common.h:89
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:568
bool ssl_clean_auth_token(void)
Definition: ssl.c:466
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:865
const char ** make_extended_arg_array(char **p, struct gc_arena *gc)
Definition: misc.c:584
struct push_entry * tail
Definition: pushlist.h:37
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:460
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:407
struct sha256_digest pulled_options_digest
Definition: openvpn.h:468
bool push_reply_deferred
Definition: openvpn.h:437
#define CAS_FAILED
Definition: openvpn.h:455
int n_sent_push_requests
Definition: openvpn.h:462
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
#define PUSH_MSG_ALREADY_REPLIED
Definition: push.h:37
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:120
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition: push.c:703
#define AR_NOINTERACT
Definition: options.h:823
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint32_t peer_id
Definition: ssl_common.h:563
Definition: route.h:230
#define M_WARN
Definition: error.h:96
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void md_ctx_init(md_ctx_t *ctx, const md_kt_t *kt)
#define AR_INTERACT
Definition: options.h:822
const char * ifconfig_local
Definition: options.h:235
#define D_STREAM_ERRORS
Definition: errlevel.h:63
bool pull
Definition: options.h:471
int process_incoming_push_request(struct context *c)
Definition: push.c:655
#define BSTR(buf)
Definition: buffer.h:129
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:561
#define D_PUSH_DEBUG
Definition: errlevel.h:148
Definition: argv.h:35
struct gc_arena gc
Definition: options.h:183
#define M_VERB0
Definition: errlevel.h:53
int tls_peer_info_ncp_ver(const char *peer_info)
Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified.
Definition: ssl.c:4140
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:336
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:444
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4752
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:592
#define CC_ANY
Definition: buffer.h:907
bool auth_token_sent
If server uses –auth-gen-token and token has been sent to client.
Definition: ssl_common.h:573
const char * signal_text
Definition: sig.h:47
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:962
mbedtls_md_context_t md_ctx_t
Generic message digest context.
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:818
#define D_ROUTE_DEBUG
Definition: errlevel.h:129
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition: buffer.c:829
#define D_PUSH_ERRORS
Definition: errlevel.h:67