OpenVPN
push.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include "push.h"
31 #include "options.h"
32 #include "ssl.h"
33 #include "ssl_verify.h"
34 #include "ssl_ncp.h"
35 #include "manage.h"
36 
37 #include "memdbg.h"
38 #include "ssl_util.h"
39 #include "options_util.h"
40 
41 static char push_reply_cmd[] = "PUSH_REPLY";
42 
43 /*
44  * Auth username/password
45  *
46  * Client received an authentication failed message from server.
47  * Runs on client.
48  */
49 void
50 receive_auth_failed(struct context *c, const struct buffer *buffer)
51 {
52  msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
53  c->options.no_advance = true;
54 
55  if (!c->options.pull)
56  {
57  return;
58  }
59 
60  struct buffer buf = *buffer;
61 
62  /* If the AUTH_FAIL message ends with a , it is an extended message that
63  * contains further flags */
64  bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,");
65 
66  const char *reason = NULL;
67  if (authfail_extended && BLEN(&buf))
68  {
69  reason = BSTR(&buf);
70  }
71 
72  if (authfail_extended && buf_string_match_head_str(&buf, "TEMP"))
73  {
74  parse_auth_failed_temp(&c->options, reason + strlen("TEMP"));
75  register_signal(c->sig, SIGUSR1, "auth-temp-failure (server temporary reject)");
76  }
77 
78  /* Before checking how to react on AUTH_FAILED, first check if the
79  * failed auth might be the result of an expired auth-token.
80  * Note that a server restart will trigger a generic AUTH_FAILED
81  * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
82  * identical for this scenario */
83  else if (ssl_clean_auth_token())
84  {
85  /* SOFT-SIGUSR1 -- Auth failure error */
86  register_signal(c->sig, SIGUSR1, "auth-failure (auth-token)");
87  c->options.no_advance = true;
88  }
89  else
90  {
91  switch (auth_retry_get())
92  {
93  case AR_NONE:
94  /* SOFT-SIGTERM -- Auth failure error */
95  register_signal(c->sig, SIGTERM, "auth-failure");
96  break;
97 
98  case AR_INTERACT:
99  ssl_purge_auth(false);
100 
101  case AR_NOINTERACT:
102  /* SOFT-SIGTUSR1 -- Auth failure error */
103  register_signal(c->sig, SIGUSR1, "auth-failure");
104  break;
105 
106  default:
107  ASSERT(0);
108  }
109  }
110 #ifdef ENABLE_MANAGEMENT
111  if (management)
112  {
114  }
115  /*
116  * Save the dynamic-challenge text even when management is defined
117  */
118  if (authfail_extended
119  && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
120  {
122  }
123 #endif /* ifdef ENABLE_MANAGEMENT */
124 
125 }
126 
127 /*
128  * Act on received restart message from server
129  */
130 void
131 server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
132 {
133  if (c->options.pull)
134  {
135  struct buffer buf = *buffer;
136  const char *m = "";
137  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
138  {
139  m = BSTR(&buf);
140  }
141 
142  /* preserve cached passwords? */
143  /* advance to next server? */
144  {
145  bool purge = true;
146 
147  if (m[0] == '[')
148  {
149  int i;
150  for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
151  {
152  if (m[i] == 'P')
153  {
154  purge = false;
155  }
156  else if (m[i] == 'N')
157  {
158  /* next server? */
159  c->options.no_advance = false;
160  }
161  }
162  }
163  if (purge)
164  {
165  ssl_purge_auth(true);
166  }
167  }
168 
169  if (restart)
170  {
171  msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
172  /* SOFT-SIGUSR1 -- server-pushed connection reset */
173  register_signal(c->sig, SIGUSR1, "server-pushed-connection-reset");
174  }
175  else
176  {
177  msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
178  /* SOFT-SIGTERM -- server-pushed halt */
179  register_signal(c->sig, SIGTERM, "server-pushed-halt");
180  }
181 #ifdef ENABLE_MANAGEMENT
182  if (management)
183  {
184  management_notify(management, "info", c->sig->signal_text, m);
185  }
186 #endif
187  }
188 }
189 
190 void
192 {
193  dmsg(D_STREAM_ERRORS, "CC-EEN exit message received by peer");
194  /* With control channel exit notification, we want to give the session
195  * enough time to handle retransmits and acknowledgment, so that eventual
196  * retries from the client to resend the exit or ACKs will not trigger
197  * a new session (we already forgot the session but the packet's HMAC
198  * is still valid). This could happen for the entire period that the
199  * HMAC timeslot is still valid, but waiting five seconds here does not
200  * hurt much, takes care of the retransmits, and is easier code-wise.
201  *
202  * This does not affect OCC exit since the HMAC session code will
203  * ignore DATA packets
204  * */
205  if (c->options.mode == MODE_SERVER)
206  {
208  }
209  else
210  {
211  register_signal(c->sig, SIGUSR1, "remote-exit");
212  }
213 #ifdef ENABLE_MANAGEMENT
214  if (management)
215  {
216  management_notify(management, "info", "remote-exit", "EXIT");
217  }
218 #endif
219 }
220 
221 
222 void
223 server_pushed_info(struct context *c, const struct buffer *buffer,
224  const int adv)
225 {
226  const char *m = "";
227  struct buffer buf = *buffer;
228 
229  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
230  {
231  m = BSTR(&buf);
232  }
233 
234 #ifdef ENABLE_MANAGEMENT
235  struct gc_arena gc;
236  if (management)
237  {
238  gc = gc_new();
239 
240  /*
241  * We use >INFOMSG here instead of plain >INFO since INFO is used to
242  * for management greeting and we don't want to confuse the client
243  */
244  struct buffer out = alloc_buf_gc(256, &gc);
245  if (buf_printf(&out, ">%s:%s", "INFOMSG", m))
246  {
248  }
249  else
250  {
251  msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client.");
252  }
253 
254  gc_free(&gc);
255  }
256  #endif
257  msg(D_PUSH, "Info command was pushed by server ('%s')", m);
258 }
259 
260 void
261 receive_cr_response(struct context *c, const struct buffer *buffer)
262 {
263  struct buffer buf = *buffer;
264  const char *m = "";
265 
266  if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
267  {
268  m = BSTR(&buf);
269  }
270 #ifdef ENABLE_MANAGEMENT
272  struct man_def_auth_context *mda = session->opt->mda_context;
273  struct env_set *es = session->opt->es;
274  unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
275 
276  management_notify_client_cr_response(mda_key_id, mda, es, m);
277 #endif
278 #if ENABLE_PLUGIN
280 #endif
282  msg(D_PUSH, "CR response was sent by client ('%s')", m);
283 }
284 
292 static void
294  unsigned int *server_timeout)
295 {
296  struct buffer buf = *buffer;
297 
298  /* does the buffer start with "AUTH_PENDING," ? */
299  if (!buf_advance(&buf, strlen("AUTH_PENDING"))
300  || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
301  {
302 #ifdef ENABLE_MANAGEMENT
303  if (management)
304  {
306  "", NULL, NULL, NULL, NULL);
307  }
308 #endif
309 
310  return;
311  }
312 
313  /* parse the keywords in the same way that push options are parsed */
314  char line[OPTION_LINE_SIZE];
315 
316 #ifdef ENABLE_MANAGEMENT
317  /* Need to do the management notification with the keywords before
318  * buf_parse is called, as it will insert \0 bytes into the buffer */
319  if (management)
320  {
322  BSTR(&buf), NULL, NULL, NULL, NULL);
323  }
324 #endif
325 
326  while (buf_parse(&buf, ',', line, sizeof(line)))
327  {
328  if (sscanf(line, "timeout %u", server_timeout) != 1)
329  {
330  msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
331  }
332  }
333 }
334 
335 void
336 receive_auth_pending(struct context *c, const struct buffer *buffer)
337 {
338  if (!c->options.pull)
339  {
340  return;
341  }
342 
343  /* Cap the increase at the maximum time we are willing stay in the
344  * pending authentication state */
345  unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
347 
348  /* try to parse parameter keywords, default to hand-winow timeout if the
349  * server does not supply a timeout */
350  unsigned int server_timeout = c->options.handshake_window;
351  parse_auth_pending_keywords(buffer, &server_timeout);
352 
353  msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
354  "to %us", c->options.handshake_window,
355  min_uint(max_timeout, server_timeout));
356 
357  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
358  c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
359 }
360 
375 static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
376  int msglevel, const char *fmt, ...)
377 #ifdef __GNUC__
378 #if __USE_MINGW_ANSI_STDIO
379 __attribute__ ((format(gnu_printf, 4, 5)))
380 #else
381 __attribute__ ((format(__printf__, 4, 5)))
382 #endif
383 #endif
384 ;
385 
386 /*
387  * Send auth failed message from server to client.
388  *
389  * Does nothing if an exit is already scheduled
390  */
391 void
392 send_auth_failed(struct context *c, const char *client_reason)
393 {
395  {
396  msg(D_TLS_DEBUG, "exit already scheduled for context");
397  return;
398  }
399 
400  struct gc_arena gc = gc_new();
401  static const char auth_failed[] = "AUTH_FAILED";
402  size_t len;
403 
405 
406  len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
407  if (len > PUSH_BUNDLE_SIZE)
408  {
409  len = PUSH_BUNDLE_SIZE;
410  }
411 
412  {
413  struct buffer buf = alloc_buf_gc(len, &gc);
414  buf_printf(&buf, auth_failed);
415  if (client_reason)
416  {
417  buf_printf(&buf, ",%s", client_reason);
418  }
419 
420  /* We kill the whole session, send the AUTH_FAILED to any TLS session
421  * that might be active */
423  BSTR(&buf), D_PUSH);
425  BSTR(&buf), D_PUSH);
426 
428 
429  }
430 
431  gc_free(&gc);
432 }
433 
434 
435 bool
437  struct tls_session *session,
438  const char *extra, unsigned int timeout)
439 {
440  struct key_state *ks = &session->key[KS_PRIMARY];
441 
442  static const char info_pre[] = "INFO_PRE,";
443 
444  const char *const peer_info = tls_multi->peer_info;
445  unsigned int proto = extract_iv_proto(peer_info);
446 
447 
448  /* Calculate the maximum timeout and subtract the time we already waited */
449  unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
451  max_timeout = max_timeout - (now - ks->initial);
452  timeout = min_uint(max_timeout, timeout);
453 
454  struct gc_arena gc = gc_new();
455  if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
456  {
458  }
459  else
460  {
461  static const char auth_pre[] = "AUTH_PENDING,timeout ";
462  /* Assume a worst case of 8 byte uint64 in decimal which */
463  /* needs 20 bytes */
464  size_t len = 20 + 1 + sizeof(auth_pre);
465  struct buffer buf = alloc_buf_gc(len, &gc);
466  buf_printf(&buf, auth_pre);
467  buf_printf(&buf, "%u", timeout);
469  }
470 
471  size_t len = strlen(extra) + 1 + sizeof(info_pre);
472  if (len > PUSH_BUNDLE_SIZE)
473  {
474  gc_free(&gc);
475  return false;
476  }
477 
478  struct buffer buf = alloc_buf_gc(len, &gc);
479  buf_printf(&buf, info_pre);
480  buf_printf(&buf, "%s", extra);
482 
483  ks->auth_deferred_expire = now + timeout;
484 
485  gc_free(&gc);
486  return true;
487 }
488 
489 /*
490  * Send restart message from server to client.
491  */
492 void
493 send_restart(struct context *c, const char *kill_msg)
494 {
496  send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
497 }
498 
499 /*
500  * Push/Pull
501  */
502 
503 void
504 incoming_push_message(struct context *c, const struct buffer *buffer)
505 {
506  struct gc_arena gc = gc_new();
507  unsigned int option_types_found = 0;
508 
509  msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
510 
513  &option_types_found);
514 
515  if (status == PUSH_MSG_ERROR)
516  {
517  msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
518  }
520  {
521  c->options.push_option_types_found |= option_types_found;
522 
523  /* delay bringing tun/tap up until --push parms received from remote */
524  if (status == PUSH_MSG_REPLY)
525  {
526  if (!options_postprocess_pull(&c->options, c->c2.es))
527  {
528  goto error;
529  }
530  if (!do_up(c, true, c->options.push_option_types_found))
531  {
532  msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
533  goto error;
534  }
535  }
538  }
539 
540  goto cleanup;
541 
542 error:
543  register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
544 cleanup:
545  gc_free(&gc);
546 }
547 
548 bool
550 {
551  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
552 
553  /* We timeout here under two conditions:
554  * a) we reached the hard limit of push_request_timeout
555  * b) we have not seen anything from the server in hand_window time
556  *
557  * for non auth-pending scenario, push_request_timeout is the same as
558  * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
559  * the server by a P_ACK_V1 packet that reset the keepalive timer
560  */
561 
562  if (c->c2.push_request_timeout > now
564  {
565  return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
566  }
567  else
568  {
569  msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
570  (int)(now - ks->established));
571  /* SOFT-SIGUSR1 -- server-pushed connection reset */
572  register_signal(c->sig, SIGUSR1, "no-push-reply");
573  return false;
574  }
575 }
576 
585 void
587  struct push_list *push_list)
588 {
589  /*
590  * If server uses --auth-gen-token and we have an auth token
591  * to send to the client
592  */
593  if (tls_multi->auth_token)
594  {
596  "auth-token %s",
598  }
599 }
600 
610 bool
611 prepare_push_reply(struct context *c, struct gc_arena *gc,
612  struct push_list *push_list)
613 {
614  struct tls_multi *tls_multi = c->c2.tls_multi;
615  struct options *o = &c->options;
616 
617  /* ipv6 */
619  {
620  push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
624  0, gc));
625  }
626 
627  /* ipv4 */
631  {
632  in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
634  {
636  }
637  push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
640  0, gc));
641  }
642 
643  if (tls_multi->use_peer_id)
644  {
645  push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
646  tls_multi->peer_id);
647  }
648  /*
649  * If server uses --auth-gen-token and we have an auth token
650  * to send to the client
651  */
653 
654  /*
655  * Push the selected cipher, at this point the cipher has been
656  * already negotiated and been fixed.
657  *
658  * We avoid pushing the cipher to clients not supporting NCP
659  * to avoid error messages in their logs
660  */
662  {
663  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
664  }
665 
666  struct buffer proto_flags = alloc_buf_gc(128, gc);
667 
669  {
670  buf_printf(&proto_flags, " cc-exit");
671 
672  /* if the cc exit flag is supported, pushing tls-ekm via protocol-flags
673  * is also supported */
675  {
676  buf_printf(&proto_flags, " tls-ekm");
677  }
678  }
680  {
681  push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
682  }
683 
685  {
686  buf_printf(&proto_flags, " dyn-tls-crypt");
687  }
688 
689  if (buf_len(&proto_flags) > 0)
690  {
691  push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags));
692  }
693 
694  /* Push our mtu to the peer if it supports pushable MTUs */
695  int client_max_mtu = 0;
696  const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc);
697 
698  if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1)
699  {
700  push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
701  if (client_max_mtu < o->ce.tun_mtu)
702  {
703  msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
704  "than MTU used on the server (%d). Add tun-max-mtu %d "
705  "to client configuration.", client_max_mtu,
706  o->ce.tun_mtu, o->ce.tun_mtu);
707  }
708  }
709 
710  return true;
711 }
712 
713 static bool
714 send_push_options(struct context *c, struct buffer *buf,
715  struct push_list *push_list, int safe_cap,
716  bool *push_sent, bool *multi_push)
717 {
718  struct push_entry *e = push_list->head;
719 
720  while (e)
721  {
722  if (e->enable)
723  {
724  const int l = strlen(e->option);
725  if (BLEN(buf) + l >= safe_cap)
726  {
727  buf_printf(buf, ",push-continuation 2");
728  {
729  const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
730  if (!status)
731  {
732  return false;
733  }
734  *push_sent = true;
735  *multi_push = true;
736  buf_reset_len(buf);
737  buf_printf(buf, "%s", push_reply_cmd);
738  }
739  }
740  if (BLEN(buf) + l >= safe_cap)
741  {
742  msg(M_WARN, "--push option is too long");
743  return false;
744  }
745  buf_printf(buf, ",%s", e->option);
746  }
747  e = e->next;
748  }
749  return true;
750 }
751 
752 void
754 {
755  struct gc_arena gc = gc_new();
756  struct push_list push_list = { 0 };
757  struct tls_session *session = &multi->session[TM_ACTIVE];
758 
760 
761  /* prepare auth token should always add the auth-token option */
762  struct push_entry *e = push_list.head;
763  ASSERT(e && e->enable);
764 
765  /* Construct a mimimal control channel push reply message */
766  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
767  buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
769  gc_free(&gc);
770 }
771 
772 bool
773 send_push_reply(struct context *c, struct push_list *per_client_push_list)
774 {
775  struct gc_arena gc = gc_new();
776  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
777  bool multi_push = false;
778  const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
779  const int safe_cap = BCAP(&buf) - extra;
780  bool push_sent = false;
781 
782  buf_printf(&buf, "%s", push_reply_cmd);
783 
784  /* send options which are common to all clients */
785  if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
786  &push_sent, &multi_push))
787  {
788  goto fail;
789  }
790 
791  /* send client-specific options */
792  if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
793  &push_sent, &multi_push))
794  {
795  goto fail;
796  }
797 
798  if (multi_push)
799  {
800  buf_printf(&buf, ",push-continuation 1");
801  }
802 
803  if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
804  {
805  const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
806  if (!status)
807  {
808  goto fail;
809  }
810  push_sent = true;
811  }
812 
813  /* If nothing have been pushed, send an empty push,
814  * as the client is expecting a response
815  */
816  if (!push_sent)
817  {
818  bool status = false;
819 
820  buf_reset_len(&buf);
821  buf_printf(&buf, "%s", push_reply_cmd);
823  if (!status)
824  {
825  goto fail;
826  }
827  }
828 
829  gc_free(&gc);
830  return true;
831 
832 fail:
833  gc_free(&gc);
834  return false;
835 }
836 
837 static void
839  const char *opt, bool enable, int msglevel)
840 {
841  if (!string_class(opt, CC_ANY, CC_COMMA))
842  {
843  msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
844  }
845  else
846  {
847  struct push_entry *e;
848  ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
849  e->enable = true;
850  e->option = opt;
851  if (push_list->head)
852  {
854  push_list->tail->next = e;
855  push_list->tail = e;
856  }
857  else
858  {
859  ASSERT(!push_list->tail);
860  push_list->head = e;
861  push_list->tail = e;
862  }
863  }
864 }
865 
866 void
867 push_option(struct options *o, const char *opt, int msglevel)
868 {
869  push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
870 }
871 
872 void
874 {
875  if (o->push_list.head)
876  {
877  const struct push_entry *e = o->push_list.head;
878  push_reset(o);
879  while (e)
880  {
881  push_option_ex(&o->gc, &o->push_list,
882  string_alloc(e->option, &o->gc), true, M_FATAL);
883  e = e->next;
884  }
885  }
886 }
887 
888 void
889 push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
890 {
891  const char **argv = make_extended_arg_array(p, false, gc);
892  char *opt = print_argv(argv, gc, 0);
893  push_option(o, opt, msglevel);
894 }
895 
896 static bool
898  int msglevel, const char *format, ...)
899 {
900  va_list arglist;
901  char tmp[256] = {0};
902  int len;
903  va_start(arglist, format);
904  len = vsnprintf(tmp, sizeof(tmp), format, arglist);
905  va_end(arglist);
906  if (len > sizeof(tmp)-1)
907  {
908  return false;
909  }
910  push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
911  return true;
912 }
913 
914 void
915 push_reset(struct options *o)
916 {
917  CLEAR(o->push_list);
918 }
919 
920 void
921 push_remove_option(struct options *o, const char *p)
922 {
923  msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
924 
925  /* ifconfig is special, as not part of the push list */
926  if (streq(p, "ifconfig"))
927  {
928  o->push_ifconfig_ipv4_blocked = true;
929  return;
930  }
931 
932  /* ifconfig-ipv6 is special, as not part of the push list */
933  if (streq( p, "ifconfig-ipv6" ))
934  {
935  o->push_ifconfig_ipv6_blocked = true;
936  return;
937  }
938 
939  if (o && o->push_list.head)
940  {
941  struct push_entry *e = o->push_list.head;
942 
943  /* cycle through the push list */
944  while (e)
945  {
946  if (e->enable
947  && strncmp( e->option, p, strlen(p) ) == 0)
948  {
949  msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
950  e->enable = false;
951  }
952 
953  e = e->next;
954  }
955  }
956 }
957 
958 int
960 {
961  int ret = PUSH_MSG_ERROR;
962 
963 
966  {
967  const char *client_reason = tls_client_reason(c->c2.tls_multi);
968  send_auth_failed(c, client_reason);
969  ret = PUSH_MSG_AUTH_FAILURE;
970  }
973  {
974  time_t now;
975 
976  openvpn_time(&now);
977  if (c->c2.sent_push_reply_expiry > now)
978  {
980  }
981  else
982  {
983  /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
984  struct push_list push_list = { 0 };
985  struct gc_arena gc = gc_new();
986 
987  if (prepare_push_reply(c, &gc, &push_list)
988  && send_push_reply(c, &push_list))
989  {
990  ret = PUSH_MSG_REQUEST;
991  c->c2.sent_push_reply_expiry = now + 30;
992  }
993  gc_free(&gc);
994  }
995  }
996  else
997  {
999  }
1000 
1001  return ret;
1002 }
1003 
1004 static void
1005 push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
1006 {
1007  char line[OPTION_PARM_SIZE];
1008  while (buf_parse(buf, ',', line, sizeof(line)))
1009  {
1010  /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
1011  if (strprefix(line, "peer-id ")
1012  || strprefix(line, "auth-token ")
1013  || strprefix(line, "auth-token-user "))
1014  {
1015  continue;
1016  }
1017  /* tun reopen only needed if cipher change can change tun MTU */
1018  if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
1019  {
1020  continue;
1021  }
1022  md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
1023  }
1024 }
1025 
1026 static int
1028  unsigned int permission_mask,
1029  unsigned int *option_types_found,
1030  struct buffer *buf)
1031 {
1032  int ret = PUSH_MSG_ERROR;
1033  const uint8_t ch = buf_read_u8(buf);
1034  if (ch == ',')
1035  {
1036  struct buffer buf_orig = (*buf);
1038  {
1040  md_ctx_init(c->c2.pulled_options_state, "SHA256");
1042  }
1043  if (apply_push_options(&c->options,
1044  buf,
1045  permission_mask,
1046  option_types_found,
1047  c->c2.es))
1048  {
1050  &c->options);
1051  switch (c->options.push_continuation)
1052  {
1053  case 0:
1054  case 1:
1059  c->c2.pulled_options_state = NULL;
1061  ret = PUSH_MSG_REPLY;
1062  break;
1063 
1064  case 2:
1065  ret = PUSH_MSG_CONTINUATION;
1066  break;
1067  }
1068  }
1069  }
1070  else if (ch == '\0')
1071  {
1072  ret = PUSH_MSG_REPLY;
1073  }
1074  /* show_settings (&c->options); */
1075  return ret;
1076 }
1077 
1078 int
1080  const struct buffer *buffer,
1081  bool honor_received_options,
1082  unsigned int permission_mask,
1083  unsigned int *option_types_found)
1084 {
1085  struct buffer buf = *buffer;
1086 
1087  if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
1088  {
1089  c->c2.push_request_received = true;
1091  }
1092  else if (honor_received_options
1094  {
1095  return process_incoming_push_reply(c, permission_mask,
1096  option_types_found, &buf);
1097  }
1098  else
1099  {
1100  return PUSH_MSG_ERROR;
1101  }
1102 }
1103 
1104 
1105 /*
1106  * Remove iroutes from the push_list.
1107  */
1108 void
1110 {
1111  if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
1112  {
1113  struct gc_arena gc = gc_new();
1114  struct push_entry *e = o->push_list.head;
1115 
1116  /* cycle through the push list */
1117  while (e)
1118  {
1119  char *p[MAX_PARMS+1];
1120  bool enable = true;
1121 
1122  /* parse the push item */
1123  CLEAR(p);
1124  if (e->enable
1125  && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
1126  {
1127  /* is the push item a route directive? */
1128  if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
1129  {
1130  /* get route parameters */
1131  bool status1, status2;
1132  const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1133  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1134 
1135  /* did route parameters parse correctly? */
1136  if (status1 && status2)
1137  {
1138  const struct iroute *ir;
1139 
1140  /* does route match an iroute? */
1141  for (ir = o->iroutes; ir != NULL; ir = ir->next)
1142  {
1143  if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1144  {
1145  enable = false;
1146  break;
1147  }
1148  }
1149  }
1150  }
1151  else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2]
1152  && o->iroutes_ipv6)
1153  {
1154  /* get route parameters */
1155  struct in6_addr network;
1156  unsigned int netbits;
1157 
1158  /* parse route-ipv6 arguments */
1159  if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG))
1160  {
1161  struct iroute_ipv6 *ir;
1162 
1163  /* does this route-ipv6 match an iroute-ipv6? */
1164  for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next)
1165  {
1166  if (!memcmp(&network, &ir->network, sizeof(network))
1167  && netbits == ir->netbits)
1168  {
1169  enable = false;
1170  break;
1171  }
1172  }
1173  }
1174  }
1175 
1176  /* should we copy the push item? */
1177  e->enable = enable;
1178  if (!enable)
1179  {
1180  msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1181  }
1182  }
1183 
1184  e = e->next;
1185  }
1186 
1187  gc_free(&gc);
1188  }
1189 }
context_2::pulled_options_digest_init_done
bool pulled_options_digest_init_done
Definition: openvpn.h:446
parse_auth_pending_keywords
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition: push.c:293
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2511
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:165
tls_multi::auth_token
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:641
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2737
iroute
Definition: route.h:234
min_uint
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition: integer.h:63
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1154
PUSH_MSG_REQUEST_DEFERRED
#define PUSH_MSG_REQUEST_DEFERRED
Definition: push.h:32
push_list::head
struct push_entry * head
Definition: pushlist.h:36
verify_crresponse_script
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Definition: ssl_verify.c:1420
process_incoming_push_reply
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition: push.c:1027
send_push_reply_auth_token
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
Definition: push.c:753
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1031
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:921
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:326
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
options::push_list
struct push_list push_list
Definition: options.h:472
M_FATAL
#define M_FATAL
Definition: error.h:95
md_ctx_t
mbedtls_md_context_t md_ctx_t
Generic message digest context.
Definition: crypto_mbedtls.h:43
push_entry
Definition: pushlist.h:29
argv
Definition: argv.h:35
PUSH_MSG_REQUEST
#define PUSH_MSG_REQUEST
Definition: push.h:30
streq
#define streq(x, y)
Definition: options.h:708
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3080
manage.h
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:445
context
Contains all state information for one tunnel.
Definition: openvpn.h:476
es
struct env_set * es
Definition: test_pkcs11.c:133
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:336
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:672
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:122
BSTR
#define BSTR(buf)
Definition: buffer.h:129
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:438
AR_NONE
#define AR_NONE
Definition: options.h:885
options::iroutes
struct iroute * iroutes
Definition: options.h:495
push_option_fmt
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition: push.c:897
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:889
make_extended_arg_array
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition: misc.c:624
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
context_2::es
struct env_set * es
Definition: openvpn.h:423
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:431
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1109
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:433
options::mode
int mode
Definition: options.h:247
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4961
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:719
dmsg
#define dmsg(flags,...)
Definition: error.h:154
options::ce
struct connection_entry ce
Definition: options.h:275
iroute::netbits
int netbits
Definition: route.h:236
tls_client_reason
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:254
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:447
PUSH_MSG_ERROR
#define PUSH_MSG_ERROR
Definition: push.h:29
options.h
management_notify_client_cr_response
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition: manage.c:2951
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:333
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2367
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
options::push_continuation
int push_continuation
Definition: options.h:541
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:587
push_entry::option
const char * option
Definition: pushlist.h:32
md_ctx_new
md_ctx_t * md_ctx_new(void)
Definition: crypto_openssl.c:1108
parse_auth_failed_temp
const char * parse_auth_failed_temp(struct options *o, const char *reason)
Definition: options_util.c:34
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:564
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
push_reset
void push_reset(struct options *o)
Definition: push.c:915
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:430
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2894
iroute::next
struct iroute * next
Definition: route.h:237
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:629
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:285
CLEAR
#define CLEAR(x)
Definition: basic.h:33
options_util.h
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:609
man_def_auth_context
Definition: manage.h:64
iroute::network
in_addr_t network
Definition: route.h:235
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:517
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition: options.c:4188
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:180
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:440
md_ctx_final
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:867
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:526
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:693
prepare_auth_token_push_reply
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition: push.c:586
ssl_verify.h
ASSERT
#define ASSERT(x)
Definition: error.h:201
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition: errlevel.h:63
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2921
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:392
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:636
push_option_ex
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition: push.c:838
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:57
management_notify
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2888
PUSH_MSG_ALREADY_REPLIED
#define PUSH_MSG_ALREADY_REPLIED
Definition: push.h:35
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition: ssl.c:356
M_VERB0
#define M_VERB0
Definition: errlevel.h:53
BLEN
#define BLEN(buf)
Definition: buffer.h:127
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:392
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:58
send_push_request
bool send_push_request(struct context *c)
Definition: push.c:549
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:873
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:705
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:436
send_push_options
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition: push.c:714
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:131
tls_multi::opt
struct tls_options opt
Definition: ssl_common.h:593
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:509
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:389
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
M_WARN
#define M_WARN
Definition: error.h:97
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1103
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:478
verify_crresponse_plugin
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
Definition: ssl_verify.c:1407
PUSH_MSG_AUTH_FAILURE
#define PUSH_MSG_AUTH_FAILURE
Definition: push.h:33
tls_peer_supports_ncp
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition: ssl_ncp.c:77
options
Definition: options.h:236
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:435
push_update_digest
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition: push.c:1005
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:71
key_state::established
time_t established
Definition: ssl_common.h:216
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:329
options::gc
struct gc_arena gc
Definition: options.h:238
options::no_advance
bool no_advance
Definition: options.h:280
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4761
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:439
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition: errlevel.h:133
PUSH_MSG_REPLY
#define PUSH_MSG_REPLY
Definition: push.h:31
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:547
process_incoming_push_msg
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition: push.c:1079
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:640
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
context_2::sent_push_reply_expiry
time_t sent_push_reply_expiry
Definition: openvpn.h:432
md_ctx_update
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
context_2::push_request_timeout
time_t push_request_timeout
Definition: openvpn.h:443
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
md_ctx_init
void md_ctx_init(md_ctx_t *ctx, const char *mdname)
Initialises the given message digest context.
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
CC_COMMA
#define CC_COMMA
comma
Definition: buffer.h:922
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2901
options::handshake_window
int handshake_window
Definition: options.h:634
BCAP
#define BCAP(buf)
Definition: buffer.h:130
ssl.h
CC_ANY
#define CC_ANY
any character
Definition: buffer.h:901
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:468
key_state::mda_key_id
unsigned int mda_key_id
Definition: ssl_common.h:251
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition: openvpn.h:450
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:570
syshead.h
options::push_ifconfig_ipv4_blocked
bool push_ifconfig_ipv4_blocked
Definition: options.h:504
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition: ssl.h:89
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:503
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
string_class
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition: buffer.c:1066
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition: forward.c:367
sha256_digest::digest
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:133
env_set
Definition: env_set.h:42
key_state::initial
time_t initial
Definition: ssl_common.h:215
push_list::tail
struct push_entry * tail
Definition: pushlist.h:37
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:983
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:664
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:211
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:822
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
OPENVPN_STATE_AUTH_PENDING
#define OPENVPN_STATE_AUTH_PENDING
Definition: manage.h:485
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:506
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:493
openvpn_time
static time_t openvpn_time(time_t *t)
Definition: otime.h:90
buf_string_compare_advance
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition: buffer.c:833
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:367
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:367
receive_exit_message
void receive_exit_message(struct context *c)
Definition: push.c:191
iroute_ipv6
Definition: route.h:240
status
static SERVICE_STATUS status
Definition: interactive.c:52
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:434
management
Definition: manage.h:335
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1039
server_pushed_info
void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv)
Definition: push.c:223
prepare_push_reply
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition: push.c:611
__attribute__
__attribute__((unused))
Definition: test.c:42
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:62
schedule_exit
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:520
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition: openvpn.h:448
now
time_t now
Definition: otime.c:34
AR_INTERACT
#define AR_INTERACT
Definition: options.h:886
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition: ssl_common.h:248
config.h
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition: errlevel.h:150
ssl_ncp.h
key_state::peer_last_packet
time_t peer_last_packet
Definition: ssl_common.h:219
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:663
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:654
context_2::push_request_interval
struct event_timeout push_request_interval
Definition: openvpn.h:442
push_reply_cmd
static char push_reply_cmd[]
Definition: push.c:41
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:527
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:887
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:88
buf_str
static char * buf_str(const struct buffer *buf)
Definition: buffer.h:297
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:542
session
Definition: keyingmaterialexporter.c:56
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:50
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:261
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:808
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:437
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5498
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:496
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
send_push_reply
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition: push.c:773
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
max_uint
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition: integer.h:50
print_argv
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition: buffer.c:761
extract_var_peer_info
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition: ssl_util.c:32
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
PUSH_MSG_CONTINUATION
#define PUSH_MSG_CONTINUATION
Definition: push.h:34
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:308
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:118
memdbg.h
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:504
options::ciphername
const char * ciphername
Definition: options.h:557
M_USAGE
#define M_USAGE
Definition: error.h:112
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
msg
#define msg(flags,...)
Definition: error.h:150
push_entry::enable
bool enable
Definition: pushlist.h:31
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
options::pull
bool pull
Definition: options.h:540
push_list
Definition: pushlist.h:35
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition: push.c:959
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:396
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:869
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:280