OpenVPN
manage.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #ifdef ENABLE_MANAGEMENT
33 
34 #include "error.h"
35 #include "fdmisc.h"
36 #include "options.h"
37 #include "sig.h"
38 #include "event.h"
39 #include "otime.h"
40 #include "integer.h"
41 #include "misc.h"
42 #include "ssl.h"
43 #include "common.h"
44 #include "manage.h"
45 
46 #include "memdbg.h"
47 
48 #ifdef ENABLE_PKCS11
49 #include "pkcs11.h"
50 #endif
51 
52 #define MANAGEMENT_ECHO_PULL_INFO 0
53 
54 #if MANAGEMENT_ECHO_PULL_INFO
55 #define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
56 #else
57 #define MANAGEMENT_ECHO_FLAGS 0
58 #endif
59 
60 /* tag for blank username/password */
61 static const char blank_up[] = "[[BLANK]]";
62 
63 struct management *management; /* GLOBAL */
64 
65 /* static forward declarations */
66 static void man_output_standalone(struct management *man, volatile int *signal_received);
67 
68 static void man_reset_client_socket(struct management *man, const bool exiting);
69 
70 static void
71 man_help(void)
72 {
73  msg(M_CLIENT, "Management Interface for %s", title_string);
74  msg(M_CLIENT, "Commands:");
75  msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
76  msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
77  msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
78  msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
79  msg(M_CLIENT, "exit|quit : Close management session.");
80  msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
81  msg(M_CLIENT, "help : Print this message.");
82  msg(M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
83  msg(M_CLIENT, " release current hold and start tunnel.");
84  msg(M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
85  msg(M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
86  msg(M_CLIENT, "load-stats : Show global server load stats.");
87  msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
88  msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
89  msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
90  msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
91  msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
92  msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
93  msg(M_CLIENT, " where action is reply string.");
94  msg(M_CLIENT, "net : (Windows only) Show network info and routing table.");
95  msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
96  msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
97  msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info.");
98  msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
99 #ifdef ENABLE_PKCS11
100  msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
101  msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
102 #endif
103  msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
104  msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
105  msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
106  msg(M_CLIENT, " text R and optional client reason text CR");
107  msg(M_CLIENT, "client-pending-auth CID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
108  msg(M_CLIENT, " to the client and wait for a final client-auth/client-deny");
109  msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
110  msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
111  msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
112  msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
113  msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
114  msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
115  msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
116  msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
117  msg(M_CLIENT, "signal s : Send signal s to daemon,");
118  msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
119  msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
120  msg(M_CLIENT, "status [n] : Show current daemon status info using format #n.");
121  msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
122  msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
123  msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
124  msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
125  msg(M_CLIENT, "END");
126 }
127 
128 static const char *
129 man_state_name(const int state)
130 {
131  switch (state)
132  {
134  return "INITIAL";
135 
137  return "CONNECTING";
138 
139  case OPENVPN_STATE_WAIT:
140  return "WAIT";
141 
142  case OPENVPN_STATE_AUTH:
143  return "AUTH";
144 
146  return "GET_CONFIG";
147 
149  return "ASSIGN_IP";
150 
152  return "ADD_ROUTES";
153 
155  return "CONNECTED";
156 
158  return "RECONNECTING";
159 
161  return "EXITING";
162 
164  return "RESOLVE";
165 
167  return "TCP_CONNECT";
168 
170  return "AUTH_PENDING";
171 
172  default:
173  return "?";
174  }
175 }
176 
177 static void
178 man_welcome(struct management *man)
179 {
180  msg(M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
182  if (man->persist.special_state_msg)
183  {
184  msg(M_CLIENT, "%s", man->persist.special_state_msg);
185  }
186 }
187 
188 static inline bool
189 man_password_needed(struct management *man)
190 {
191  return man->settings.up.defined && !man->connection.password_verified;
192 }
193 
194 static void
195 man_check_password(struct management *man, const char *line)
196 {
197  if (man_password_needed(man))
198  {
199  if (streq(line, man->settings.up.password))
200  {
201  man->connection.password_verified = true;
202  msg(M_CLIENT, "SUCCESS: password is correct");
203  man_welcome(man);
204  }
205  else
206  {
207  man->connection.password_verified = false;
208  msg(M_CLIENT, "ERROR: bad password");
210  {
211  msg(M_WARN, "MAN: client connection rejected after %d failed password attempts",
213  man->connection.halt = true;
214  }
215  }
216  }
217 }
218 
219 static void
220 man_update_io_state(struct management *man)
221 {
222  if (socket_defined(man->connection.sd_cli))
223  {
225  {
227  }
228  else
229  {
231  }
232  }
233 }
234 
235 static void
236 man_output_list_push_finalize(struct management *man)
237 {
238  if (management_connected(man))
239  {
240  man_update_io_state(man);
241  if (!man->persist.standalone_disabled)
242  {
243  volatile int signal_received = 0;
244  man_output_standalone(man, &signal_received);
245  }
246  }
247 }
248 
249 static void
250 man_output_list_push_str(struct management *man, const char *str)
251 {
252  if (management_connected(man) && str)
253  {
254  buffer_list_push(man->connection.out, str);
255  }
256 }
257 
258 static void
259 man_output_list_push(struct management *man, const char *str)
260 {
261  man_output_list_push_str(man, str);
263 }
264 
265 static void
266 man_prompt(struct management *man)
267 {
268  if (man_password_needed(man))
269  {
270  man_output_list_push(man, "ENTER PASSWORD:");
271  }
272 #if 0 /* should we use prompt? */
273  else
274  {
275  man_output_list_push(man, ">");
276  }
277 #endif
278 }
279 
280 static void
281 man_delete_unix_socket(struct management *man)
282 {
283 #if UNIX_SOCK_SUPPORT
285  {
286  socket_delete_unix(&man->settings.local_unix);
287  }
288 #endif
289 }
290 
291 static void
292 man_close_socket(struct management *man, const socket_descriptor_t sd)
293 {
294 #ifndef _WIN32
295  /*
296  * Windows doesn't need this because the ne32 event is permanently
297  * enabled at struct management scope.
298  */
299  if (man->persist.callback.delete_event)
300  {
301  (*man->persist.callback.delete_event)(man->persist.callback.arg, sd);
302  }
303 #endif
305 }
306 
307 static void
308 virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
309 {
310  struct management *man = (struct management *) arg;
311  static int recursive_level = 0; /* GLOBAL */
312 
313 #define AF_DID_PUSH (1<<0)
314 #define AF_DID_RESET (1<<1)
315 
316  if (!recursive_level) /* don't allow recursion */
317  {
318  struct gc_arena gc = gc_new();
319  struct log_entry e;
320  const char *out = NULL;
321  unsigned int action_flags = 0;
322 
323  ++recursive_level;
324 
325  CLEAR(e);
326  update_time();
327  e.timestamp = now;
328  e.u.msg_flags = flags;
329  e.string = str;
330 
331  if (flags & M_FATAL)
332  {
333  man->persist.standalone_disabled = false;
334  }
335 
336  if (flags != M_CLIENT)
337  {
338  log_history_add(man->persist.log, &e);
339  }
340 
341  if (!man_password_needed(man))
342  {
343  if (flags == M_CLIENT)
344  {
345  out = log_entry_print(&e, LOG_PRINT_CRLF, &gc);
346  }
347  else if (man->connection.log_realtime)
348  {
352  | LOG_PRINT_CRLF, &gc);
353  }
354  if (out)
355  {
356  man_output_list_push_str(man, out);
357  action_flags |= AF_DID_PUSH;
358  }
359  if (flags & M_FATAL)
360  {
362  if (out)
363  {
364  man_output_list_push_str(man, out);
365  action_flags |= (AF_DID_PUSH|AF_DID_RESET);
366  }
367  }
368  }
369 
370  gc_free(&gc);
371 
372  if (action_flags & AF_DID_PUSH)
373  {
375  }
376  if (action_flags & AF_DID_RESET)
377  {
378  man_reset_client_socket(man, true);
379  }
380 
381  --recursive_level;
382  }
383 }
384 
385 /*
386  * Given a signal, return the signal with possible remapping applied,
387  * or -1 if the signal should be ignored.
388  */
389 static int
390 man_mod_signal(const struct management *man, const int signum)
391 {
392  const unsigned int flags = man->settings.mansig;
393  int s = signum;
394  if (s == SIGUSR1)
395  {
396  if (flags & MANSIG_MAP_USR1_TO_HUP)
397  {
398  s = SIGHUP;
399  }
400  if (flags & MANSIG_MAP_USR1_TO_TERM)
401  {
402  s = SIGTERM;
403  }
404  }
405  if (flags & MANSIG_IGNORE_USR1_HUP)
406  {
407  if (s == SIGHUP || s == SIGUSR1)
408  {
409  s = -1;
410  }
411  }
412  return s;
413 }
414 
415 static void
416 man_signal(struct management *man, const char *name)
417 {
418  const int sig = parse_signal(name);
419  if (sig >= 0)
420  {
421  const int sig_mod = man_mod_signal(man, sig);
422  if (sig_mod >= 0)
423  {
424  throw_signal(sig_mod);
425  msg(M_CLIENT, "SUCCESS: signal %s thrown", signal_name(sig_mod, true));
426  }
427  else
428  {
429  if (man->persist.special_state_msg)
430  {
431  msg(M_CLIENT, "%s", man->persist.special_state_msg);
432  }
433  else
434  {
435  msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
436  }
437  }
438  }
439  else
440  {
441  msg(M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
442  }
443 }
444 
445 static void
446 man_status(struct management *man, const int version, struct status_output *so)
447 {
448  if (man->persist.callback.status)
449  {
450  (*man->persist.callback.status)(man->persist.callback.arg, version, so);
451  }
452  else
453  {
454  msg(M_CLIENT, "ERROR: The 'status' command is not supported by the current daemon mode");
455  }
456 }
457 
458 static void
459 man_bytecount(struct management *man, const int update_seconds)
460 {
461  if (update_seconds >= 0)
462  {
463  man->connection.bytecount_update_seconds = update_seconds;
464  }
465  else
466  {
468  }
469  msg(M_CLIENT, "SUCCESS: bytecount interval changed");
470 }
471 
472 void
473 man_bytecount_output_client(struct management *man)
474 {
475  char in[32];
476  char out[32];
477  /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
478  openvpn_snprintf(in, sizeof(in), counter_format, man->persist.bytes_in);
479  openvpn_snprintf(out, sizeof(out), counter_format, man->persist.bytes_out);
480  msg(M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
482 }
483 
484 void
485 man_bytecount_output_server(struct management *man,
486  const counter_type *bytes_in_total,
487  const counter_type *bytes_out_total,
488  struct man_def_auth_context *mdac)
489 {
490  char in[32];
491  char out[32];
492  /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
493  openvpn_snprintf(in, sizeof(in), counter_format, *bytes_in_total);
494  openvpn_snprintf(out, sizeof(out), counter_format, *bytes_out_total);
495  msg(M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
496  mdac->bytecount_last_update = now;
497 }
498 
499 static void
500 man_kill(struct management *man, const char *victim)
501 {
502  struct gc_arena gc = gc_new();
503 
505  {
506  struct buffer buf;
507  char p1[128];
508  char p2[128];
509  int n_killed;
510 
511  buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1);
512  buf_parse(&buf, ':', p1, sizeof(p1));
513  buf_parse(&buf, ':', p2, sizeof(p2));
514 
515  if (strlen(p1) && strlen(p2))
516  {
517  /* IP:port specified */
518  bool status;
519  const in_addr_t addr = getaddr(GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL);
520  if (status)
521  {
522  const int port = atoi(p2);
523  if (port > 0 && port < 65536)
524  {
525  n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port);
526  if (n_killed > 0)
527  {
528  msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed",
529  n_killed,
530  print_in_addr_t(addr, 0, &gc),
531  port);
532  }
533  else
534  {
535  msg(M_CLIENT, "ERROR: client at address %s:%d not found",
536  print_in_addr_t(addr, 0, &gc),
537  port);
538  }
539  }
540  else
541  {
542  msg(M_CLIENT, "ERROR: port number is out of range: %s", p2);
543  }
544  }
545  else
546  {
547  msg(M_CLIENT, "ERROR: error parsing IP address: %s", p1);
548  }
549  }
550  else if (strlen(p1))
551  {
552  /* common name specified */
553  n_killed = (*man->persist.callback.kill_by_cn)(man->persist.callback.arg, p1);
554  if (n_killed > 0)
555  {
556  msg(M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
557  }
558  else
559  {
560  msg(M_CLIENT, "ERROR: common name '%s' not found", p1);
561  }
562  }
563  else
564  {
565  msg(M_CLIENT, "ERROR: kill parse");
566  }
567  }
568  else
569  {
570  msg(M_CLIENT, "ERROR: The 'kill' command is not supported by the current daemon mode");
571  }
572 
573  gc_free(&gc);
574 }
575 
576 /*
577  * General-purpose history command handler
578  * for the log and echo commands.
579  */
580 static void
581 man_history(struct management *man,
582  const char *parm,
583  const char *type,
584  struct log_history *log,
585  bool *realtime,
586  const unsigned int lep_flags)
587 {
588  struct gc_arena gc = gc_new();
589  int n = 0;
590 
591  if (streq(parm, "on"))
592  {
593  *realtime = true;
594  msg(M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
595  }
596  else if (streq(parm, "off"))
597  {
598  *realtime = false;
599  msg(M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
600  }
601  else if (streq(parm, "all") || (n = atoi(parm)) > 0)
602  {
603  const int size = log_history_size(log);
604  const int start = (n ? n : size) - 1;
605  int i;
606 
607  for (i = start; i >= 0; --i)
608  {
609  const struct log_entry *e = log_history_ref(log, i);
610  if (e)
611  {
612  const char *out = log_entry_print(e, lep_flags, &gc);
614  }
615  }
616  msg(M_CLIENT, "END");
617  }
618  else
619  {
620  msg(M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
621  }
622 
623  gc_free(&gc);
624 }
625 
626 static void
627 man_log(struct management *man, const char *parm)
628 {
629  man_history(man,
630  parm,
631  "log",
632  man->persist.log,
633  &man->connection.log_realtime,
635 }
636 
637 static void
638 man_echo(struct management *man, const char *parm)
639 {
640  man_history(man,
641  parm,
642  "echo",
643  man->persist.echo,
646 }
647 
648 static void
649 man_state(struct management *man, const char *parm)
650 {
651  man_history(man,
652  parm,
653  "state",
654  man->persist.state,
658 }
659 
660 static void
661 man_up_finalize(struct management *man)
662 {
663  switch (man->connection.up_query_mode)
664  {
665  case UP_QUERY_USER_PASS:
666  if (!strlen(man->connection.up_query.username))
667  {
668  break;
669  }
670 
671  /* fall through */
672  case UP_QUERY_PASS:
673  case UP_QUERY_NEED_OK:
674  case UP_QUERY_NEED_STR:
675  if (strlen(man->connection.up_query.password))
676  {
677  man->connection.up_query.defined = true;
678  }
679  break;
680 
681  case UP_QUERY_DISABLED:
682  man->connection.up_query.defined = false;
683  break;
684 
685  default:
686  ASSERT(0);
687  }
688 }
689 
690 static void
691 man_query_user_pass(struct management *man,
692  const char *type,
693  const char *string,
694  const bool needed,
695  const char *prompt,
696  char *dest,
697  int len)
698 {
699  if (needed)
700  {
702  if (streq(man->connection.up_query_type, type))
703  {
704  strncpynt(dest, string, len);
705  man_up_finalize(man);
706  msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
707  type,
708  prompt);
709  }
710  else
711  {
712  msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
713  prompt,
714  type,
716  }
717  }
718  else
719  {
720  msg(M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
721  }
722 }
723 
724 static void
725 man_query_username(struct management *man, const char *type, const char *string)
726 {
727  const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
728  ) && man->connection.up_query_type);
729  man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
730 }
731 
732 static void
733 man_query_password(struct management *man, const char *type, const char *string)
734 {
735  const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
737  ) && man->connection.up_query_type);
738  if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
739  {
740  string = blank_up;
741  }
742  man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
743 }
744 
745 static void
746 man_query_need_ok(struct management *man, const char *type, const char *action)
747 {
748  const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
749  man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
750 }
751 
752 static void
753 man_query_need_str(struct management *man, const char *type, const char *action)
754 {
755  const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
756  man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
757 }
758 
759 static void
760 man_forget_passwords(struct management *man)
761 {
762  ssl_purge_auth(false);
763  msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
764 }
765 
766 static void
767 man_net(struct management *man)
768 {
769  if (man->persist.callback.show_net)
770  {
772  }
773  else
774  {
775  msg(M_CLIENT, "ERROR: The 'net' command is not supported by the current daemon mode");
776  }
777 }
778 
779 static void
780 man_send_cc_message(struct management *man, const char *message, const char *parameters)
781 {
783  {
784  const bool status = (*man->persist.callback.send_cc_message)
785  (man->persist.callback.arg, message, parameters);
786  if (status)
787  {
788  msg(M_CLIENT, "SUCCESS: command succeeded");
789  }
790  else
791  {
792  msg(M_CLIENT, "ERROR: command failed");
793  }
794  }
795  else
796  {
797  msg(M_CLIENT, "ERROR: This command is not supported by the current daemon mode");
798  }
799 }
800 #ifdef ENABLE_PKCS11
801 
802 static void
803 man_pkcs11_id_count(struct management *man)
804 {
805  msg(M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count());
806 }
807 
808 static void
809 man_pkcs11_id_get(struct management *man, const int index)
810 {
811  char *id = NULL;
812  char *base64 = NULL;
813 
814  if (pkcs11_management_id_get(index, &id, &base64))
815  {
816  msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
817  }
818  else
819  {
820  msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
821  }
822 
823  free(id);
824  free(base64);
825 }
826 
827 #endif /* ifdef ENABLE_PKCS11 */
828 
829 static void
830 man_hold(struct management *man, const char *cmd)
831 {
832  if (cmd)
833  {
834  if (streq(cmd, "on"))
835  {
836  man->settings.flags |= MF_HOLD;
837  msg(M_CLIENT, "SUCCESS: hold flag set to ON");
838  }
839  else if (streq(cmd, "off"))
840  {
841  man->settings.flags &= ~MF_HOLD;
842  msg(M_CLIENT, "SUCCESS: hold flag set to OFF");
843  }
844  else if (streq(cmd, "release"))
845  {
846  man->persist.hold_release = true;
847  msg(M_CLIENT, "SUCCESS: hold release succeeded");
848  }
849  else
850  {
851  msg(M_CLIENT, "ERROR: bad hold command parameter");
852  }
853  }
854  else
855  {
856  msg(M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
857  }
858 }
859 
860 #define IER_RESET 0
861 #define IER_NEW 1
862 
863 static void
864 in_extra_reset(struct man_connection *mc, const int mode)
865 {
866  if (mc)
867  {
868  if (mode != IER_NEW)
869  {
870  mc->in_extra_cmd = IEC_UNDEF;
871  mc->in_extra_cid = 0;
872  mc->in_extra_kid = 0;
873  }
874  if (mc->in_extra)
875  {
877  mc->in_extra = NULL;
878  }
879  if (mode == IER_NEW)
880  {
881  mc->in_extra = buffer_list_new(0);
882  }
883  }
884 }
885 
886 static void
887 in_extra_dispatch(struct management *man)
888 {
889  switch (man->connection.in_extra_cmd)
890  {
891  case IEC_CLIENT_AUTH:
892  if (man->persist.callback.client_auth)
893  {
894  const bool status = (*man->persist.callback.client_auth)
895  (man->persist.callback.arg,
898  true,
899  NULL,
900  NULL,
901  man->connection.in_extra);
902  man->connection.in_extra = NULL;
903  if (status)
904  {
905  msg(M_CLIENT, "SUCCESS: client-auth command succeeded");
906  }
907  else
908  {
909  msg(M_CLIENT, "ERROR: client-auth command failed");
910  }
911  }
912  else
913  {
914  msg(M_CLIENT, "ERROR: The client-auth command is not supported by the current daemon mode");
915  }
916  break;
917 
918  case IEC_PK_SIGN:
922  man->connection.in_extra = NULL;
923  return;
924 
925  case IEC_CERTIFICATE:
929  man->connection.in_extra = NULL;
930  return;
931  }
933 }
934 
935 static bool
936 parse_cid(const char *str, unsigned long *cid)
937 {
938  if (sscanf(str, "%lu", cid) == 1)
939  {
940  return true;
941  }
942  else
943  {
944  msg(M_CLIENT, "ERROR: cannot parse CID");
945  return false;
946  }
947 }
948 
949 static bool
950 parse_uint(const char *str, const char* what, unsigned int *uint)
951 {
952  if (sscanf(str, "%u", uint) == 1)
953  {
954  return true;
955  }
956  else
957  {
958  msg(M_CLIENT, "ERROR: cannot parse %s", what);
959  return false;
960  }
961 }
962 
972 static void
973 man_client_pending_auth(struct management *man, const char *cid_str,
974  const char *extra, const char *timeout_str)
975 {
976  unsigned long cid = 0;
977  unsigned int timeout = 0;
978  if (parse_cid(cid_str, &cid)
979  && parse_uint(timeout_str, "TIMEOUT", &timeout))
980  {
982  {
983  bool ret = (*man->persist.callback.client_pending_auth)
984  (man->persist.callback.arg, cid, extra, timeout);
985 
986  if (ret)
987  {
988  msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded");
989  }
990  else
991  {
992  msg(M_CLIENT, "SUCCESS: client-pending-auth command failed."
993  " Extra paramter might be too long");
994  }
995  }
996  else
997  {
998  msg(M_CLIENT, "ERROR: The client-pending-auth command is not supported by the current daemon mode");
999  }
1000  }
1001 }
1002 
1003 static void
1004 man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
1005 {
1006  struct man_connection *mc = &man->connection;
1007  mc->in_extra_cid = 0;
1008  mc->in_extra_kid = 0;
1009  if (parse_cid(cid_str, &mc->in_extra_cid)
1010  && parse_uint(kid_str, "KID", &mc->in_extra_kid))
1011  {
1013  in_extra_reset(mc, IER_NEW);
1014  if (!extra)
1015  {
1016  in_extra_dispatch(man);
1017  }
1018  }
1019 }
1020 
1021 static void
1022 man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
1023 {
1024  unsigned long cid = 0;
1025  unsigned int kid = 0;
1026  if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid))
1027  {
1028  if (man->persist.callback.client_auth)
1029  {
1030  const bool status = (*man->persist.callback.client_auth)
1031  (man->persist.callback.arg,
1032  cid,
1033  kid,
1034  false,
1035  reason,
1036  client_reason,
1037  NULL);
1038  if (status)
1039  {
1040  msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
1041  }
1042  else
1043  {
1044  msg(M_CLIENT, "ERROR: client-deny command failed");
1045  }
1046  }
1047  else
1048  {
1049  msg(M_CLIENT, "ERROR: The client-deny command is not supported by the current daemon mode");
1050  }
1051  }
1052 }
1053 
1054 static void
1055 man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
1056 {
1057  unsigned long cid = 0;
1058  if (parse_cid(cid_str, &cid))
1059  {
1060  if (man->persist.callback.kill_by_cid)
1061  {
1062  const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
1063  if (status)
1064  {
1065  msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
1066  }
1067  else
1068  {
1069  msg(M_CLIENT, "ERROR: client-kill command failed");
1070  }
1071  }
1072  else
1073  {
1074  msg(M_CLIENT, "ERROR: The client-kill command is not supported by the current daemon mode");
1075  }
1076  }
1077 }
1078 
1079 static void
1080 man_client_n_clients(struct management *man)
1081 {
1082  if (man->persist.callback.n_clients)
1083  {
1084  const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1085  msg(M_CLIENT, "SUCCESS: nclients=%d", nclients);
1086  }
1087  else
1088  {
1089  msg(M_CLIENT, "ERROR: The nclients command is not supported by the current daemon mode");
1090  }
1091 }
1092 
1093 static void
1094 man_env_filter(struct management *man, const int level)
1095 {
1096  man->connection.env_filter_level = level;
1097  msg(M_CLIENT, "SUCCESS: env_filter_level=%d", level);
1098 }
1099 
1100 
1101 static void
1102 man_pk_sig(struct management *man, const char *cmd_name)
1103 {
1104  struct man_connection *mc = &man->connection;
1105  if (mc->ext_key_state == EKS_SOLICIT)
1106  {
1107  mc->ext_key_state = EKS_INPUT;
1108  mc->in_extra_cmd = IEC_PK_SIGN;
1109  in_extra_reset(mc, IER_NEW);
1110  }
1111  else
1112  {
1113  msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
1114  }
1115 }
1116 
1117 static void
1118 man_certificate(struct management *man)
1119 {
1120  struct man_connection *mc = &man->connection;
1121  if (mc->ext_cert_state == EKS_SOLICIT)
1122  {
1123  mc->ext_cert_state = EKS_INPUT;
1125  in_extra_reset(mc, IER_NEW);
1126  }
1127  else
1128  {
1129  msg(M_CLIENT, "ERROR: The certificate command is not currently available");
1130  }
1131 }
1132 
1133 static void
1134 man_load_stats(struct management *man)
1135 {
1138  int nclients = 0;
1139 
1140  if (man->persist.callback.n_clients)
1141  {
1142  nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1143  }
1144  msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
1145  nclients,
1146  link_read_bytes_global,
1147  link_write_bytes_global);
1148 }
1149 
1150 #define MN_AT_LEAST (1<<0)
1151 
1160 static bool
1161 man_need(struct management *man, const char **p, const int n, unsigned int flags)
1162 {
1163  int i;
1164  ASSERT(p[0]);
1165  for (i = 1; i <= n; ++i)
1166  {
1167  if (!p[i])
1168  {
1169  msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
1170  p[0],
1171  (flags & MN_AT_LEAST) ? "at least " : "",
1172  n,
1173  n > 1 ? "s" : "");
1174  return false;
1175  }
1176  }
1177  return true;
1178 }
1179 
1180 static void
1181 man_proxy(struct management *man, const char **p)
1182 {
1183  if (man->persist.callback.proxy_cmd)
1184  {
1185  const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p);
1186  if (status)
1187  {
1188  msg(M_CLIENT, "SUCCESS: proxy command succeeded");
1189  }
1190  else
1191  {
1192  msg(M_CLIENT, "ERROR: proxy command failed");
1193  }
1194  }
1195  else
1196  {
1197  msg(M_CLIENT, "ERROR: The proxy command is not supported by the current daemon mode");
1198  }
1199 }
1200 
1201 static void
1202 man_remote(struct management *man, const char **p)
1203 {
1204  if (man->persist.callback.remote_cmd)
1205  {
1206  const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
1207  if (status)
1208  {
1209  msg(M_CLIENT, "SUCCESS: remote command succeeded");
1210  }
1211  else
1212  {
1213  msg(M_CLIENT, "ERROR: remote command failed");
1214  }
1215  }
1216  else
1217  {
1218  msg(M_CLIENT, "ERROR: The remote command is not supported by the current daemon mode");
1219  }
1220 }
1221 
1222 #ifdef TARGET_ANDROID
1223 static void
1224 man_network_change(struct management *man, bool samenetwork)
1225 {
1226  /* Called to signal the OpenVPN that the network configuration has changed and
1227  * the client should either float or reconnect.
1228  *
1229  * The code is currently only used by ics-openvpn
1230  */
1231  if (man->persist.callback.network_change)
1232  {
1233  int fd = (*man->persist.callback.network_change)
1234  (man->persist.callback.arg, samenetwork);
1235  man->connection.fdtosend = fd;
1236  msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
1237  if (fd == -2)
1238  {
1239  man_signal(man, "SIGUSR1");
1240  }
1241  }
1242 }
1243 #endif
1244 
1245 static void
1246 set_client_version(struct management *man, const char *version)
1247 {
1248  if (version)
1249  {
1250  man->connection.client_version = atoi(version);
1251  }
1252 }
1253 
1254 static void
1255 man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
1256 {
1257  struct gc_arena gc = gc_new();
1258 
1259  ASSERT(p[0]);
1260  if (streq(p[0], "exit") || streq(p[0], "quit"))
1261  {
1262  man->connection.halt = true;
1263  goto done;
1264  }
1265  else if (streq(p[0], "help"))
1266  {
1267  man_help();
1268  }
1269  else if (streq(p[0], "version") && p[1])
1270  {
1271  set_client_version(man, p[1]);
1272  }
1273  else if (streq(p[0], "version"))
1274  {
1275  msg(M_CLIENT, "OpenVPN Version: %s", title_string);
1276  msg(M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1277  msg(M_CLIENT, "END");
1278  }
1279  else if (streq(p[0], "pid"))
1280  {
1281  msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
1282  }
1283  else if (streq(p[0], "nclients"))
1284  {
1285  man_client_n_clients(man);
1286  }
1287  else if (streq(p[0], "env-filter"))
1288  {
1289  int level = 0;
1290  if (p[1])
1291  {
1292  level = atoi(p[1]);
1293  }
1294  man_env_filter(man, level);
1295  }
1296  else if (streq(p[0], "signal"))
1297  {
1298  if (man_need(man, p, 1, 0))
1299  {
1300  man_signal(man, p[1]);
1301  }
1302  }
1303 #ifdef TARGET_ANDROID
1304  else if (streq(p[0], "network-change"))
1305  {
1306  bool samenetwork = false;
1307  if (p[1] && streq(p[1], "samenetwork"))
1308  {
1309  samenetwork = true;
1310  }
1311 
1312  man_network_change(man, samenetwork);
1313  }
1314 #endif
1315  else if (streq(p[0], "load-stats"))
1316  {
1317  man_load_stats(man);
1318  }
1319  else if (streq(p[0], "status"))
1320  {
1321  int version = 0;
1322  if (p[1])
1323  {
1324  version = atoi(p[1]);
1325  }
1326  man_status(man, version, so);
1327  }
1328  else if (streq(p[0], "kill"))
1329  {
1330  if (man_need(man, p, 1, 0))
1331  {
1332  man_kill(man, p[1]);
1333  }
1334  }
1335  else if (streq(p[0], "verb"))
1336  {
1337  if (p[1])
1338  {
1339  const int level = atoi(p[1]);
1340  if (set_debug_level(level, 0))
1341  {
1342  msg(M_CLIENT, "SUCCESS: verb level changed");
1343  }
1344  else
1345  {
1346  msg(M_CLIENT, "ERROR: verb level is out of range");
1347  }
1348  }
1349  else
1350  {
1351  msg(M_CLIENT, "SUCCESS: verb=%d", get_debug_level());
1352  }
1353  }
1354  else if (streq(p[0], "mute"))
1355  {
1356  if (p[1])
1357  {
1358  const int level = atoi(p[1]);
1359  if (set_mute_cutoff(level))
1360  {
1361  msg(M_CLIENT, "SUCCESS: mute level changed");
1362  }
1363  else
1364  {
1365  msg(M_CLIENT, "ERROR: mute level is out of range");
1366  }
1367  }
1368  else
1369  {
1370  msg(M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff());
1371  }
1372  }
1373  else if (streq(p[0], "auth-retry"))
1374  {
1375  if (p[1])
1376  {
1377  if (auth_retry_set(M_CLIENT, p[1]))
1378  {
1379  msg(M_CLIENT, "SUCCESS: auth-retry parameter changed");
1380  }
1381  else
1382  {
1383  msg(M_CLIENT, "ERROR: bad auth-retry parameter");
1384  }
1385  }
1386  else
1387  {
1388  msg(M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print());
1389  }
1390  }
1391  else if (streq(p[0], "state"))
1392  {
1393  if (!p[1])
1394  {
1395  man_state(man, "1");
1396  }
1397  else
1398  {
1399  if (p[1])
1400  {
1401  man_state(man, p[1]);
1402  }
1403  if (p[2])
1404  {
1405  man_state(man, p[2]);
1406  }
1407  }
1408  }
1409  else if (streq(p[0], "log"))
1410  {
1411  if (man_need(man, p, 1, MN_AT_LEAST))
1412  {
1413  if (p[1])
1414  {
1415  man_log(man, p[1]);
1416  }
1417  if (p[2])
1418  {
1419  man_log(man, p[2]);
1420  }
1421  }
1422  }
1423  else if (streq(p[0], "echo"))
1424  {
1425  if (man_need(man, p, 1, MN_AT_LEAST))
1426  {
1427  if (p[1])
1428  {
1429  man_echo(man, p[1]);
1430  }
1431  if (p[2])
1432  {
1433  man_echo(man, p[2]);
1434  }
1435  }
1436  }
1437  else if (streq(p[0], "username"))
1438  {
1439  if (man_need(man, p, 2, 0))
1440  {
1441  man_query_username(man, p[1], p[2]);
1442  }
1443  }
1444  else if (streq(p[0], "password"))
1445  {
1446  if (man_need(man, p, 2, 0))
1447  {
1448  man_query_password(man, p[1], p[2]);
1449  }
1450  }
1451  else if (streq(p[0], "forget-passwords"))
1452  {
1453  man_forget_passwords(man);
1454  }
1455  else if (streq(p[0], "needok"))
1456  {
1457  if (man_need(man, p, 2, 0))
1458  {
1459  man_query_need_ok(man, p[1], p[2]);
1460  }
1461  }
1462  else if (streq(p[0], "needstr"))
1463  {
1464  if (man_need(man, p, 2, 0))
1465  {
1466  man_query_need_str(man, p[1], p[2]);
1467  }
1468  }
1469  else if (streq(p[0], "cr-response"))
1470  {
1471  if (man_need(man, p, 1, 0))
1472  {
1473  man_send_cc_message(man, "CR_RESPONSE", p[1]);
1474  }
1475  }
1476  else if (streq(p[0], "net"))
1477  {
1478  man_net(man);
1479  }
1480  else if (streq(p[0], "hold"))
1481  {
1482  man_hold(man, p[1]);
1483  }
1484  else if (streq(p[0], "bytecount"))
1485  {
1486  if (man_need(man, p, 1, 0))
1487  {
1488  man_bytecount(man, atoi(p[1]));
1489  }
1490  }
1491  else if (streq(p[0], "client-kill"))
1492  {
1493  if (man_need(man, p, 1, MN_AT_LEAST))
1494  {
1495  man_client_kill(man, p[1], p[2]);
1496  }
1497  }
1498  else if (streq(p[0], "client-deny"))
1499  {
1500  if (man_need(man, p, 3, MN_AT_LEAST))
1501  {
1502  man_client_deny(man, p[1], p[2], p[3], p[4]);
1503  }
1504  }
1505  else if (streq(p[0], "client-auth-nt"))
1506  {
1507  if (man_need(man, p, 2, 0))
1508  {
1509  man_client_auth(man, p[1], p[2], false);
1510  }
1511  }
1512  else if (streq(p[0], "client-auth"))
1513  {
1514  if (man_need(man, p, 2, 0))
1515  {
1516  man_client_auth(man, p[1], p[2], true);
1517  }
1518  }
1519  else if (streq(p[0], "client-pending-auth"))
1520  {
1521  if (man_need(man, p, 3, 0))
1522  {
1523  man_client_pending_auth(man, p[1], p[2], p[3]);
1524  }
1525  }
1526  else if (streq(p[0], "rsa-sig"))
1527  {
1528  man_pk_sig(man, "rsa-sig");
1529  }
1530  else if (streq(p[0], "pk-sig"))
1531  {
1532  man_pk_sig(man, "pk-sig");
1533  }
1534  else if (streq(p[0], "certificate"))
1535  {
1536  man_certificate(man);
1537  }
1538 #ifdef ENABLE_PKCS11
1539  else if (streq(p[0], "pkcs11-id-count"))
1540  {
1541  man_pkcs11_id_count(man);
1542  }
1543  else if (streq(p[0], "pkcs11-id-get"))
1544  {
1545  if (man_need(man, p, 1, 0))
1546  {
1547  man_pkcs11_id_get(man, atoi(p[1]));
1548  }
1549  }
1550 #endif
1551  else if (streq(p[0], "proxy"))
1552  {
1553  if (man_need(man, p, 1, MN_AT_LEAST))
1554  {
1555  man_proxy(man, p);
1556  }
1557  }
1558  else if (streq(p[0], "remote"))
1559  {
1560  if (man_need(man, p, 1, MN_AT_LEAST))
1561  {
1562  man_remote(man, p);
1563  }
1564  }
1565 #if 1
1566  else if (streq(p[0], "test"))
1567  {
1568  if (man_need(man, p, 1, 0))
1569  {
1570  int i;
1571  const int n = atoi(p[1]);
1572  for (i = 0; i < n; ++i)
1573  {
1574  msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
1575  }
1576  }
1577  }
1578 #endif
1579  else
1580  {
1581  msg(M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
1582  }
1583 
1584 done:
1585  gc_free(&gc);
1586 }
1587 
1588 #ifdef _WIN32
1589 
1590 static void
1591 man_start_ne32(struct management *man)
1592 {
1593  switch (man->connection.state)
1594  {
1595  case MS_LISTEN:
1596  net_event_win32_start(&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1597  break;
1598 
1599  case MS_CC_WAIT_READ:
1600  case MS_CC_WAIT_WRITE:
1601  net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
1602  break;
1603 
1604  default:
1605  ASSERT(0);
1606  }
1607 }
1608 
1609 static void
1610 man_stop_ne32(struct management *man)
1611 {
1613 }
1614 
1615 #endif /* ifdef _WIN32 */
1616 
1617 static void
1618 man_record_peer_info(struct management *man)
1619 {
1620  struct gc_arena gc = gc_new();
1621  if (man->settings.write_peer_info_file)
1622  {
1623  bool success = false;
1624 #ifdef HAVE_GETSOCKNAME
1625  if (socket_defined(man->connection.sd_cli))
1626  {
1627  struct sockaddr_in addr;
1628  socklen_t addrlen = sizeof(addr);
1629  int status;
1630 
1631  CLEAR(addr);
1632  status = getsockname(man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen);
1633  if (!status && addrlen == sizeof(addr))
1634  {
1635  const in_addr_t a = ntohl(addr.sin_addr.s_addr);
1636  const int p = ntohs(addr.sin_port);
1637  FILE *fp = platform_fopen(man->settings.write_peer_info_file, "w");
1638  if (fp)
1639  {
1640  fprintf(fp, "%s\n%d\n", print_in_addr_t(a, 0, &gc), p);
1641  if (!fclose(fp))
1642  {
1643  success = true;
1644  }
1645  }
1646  }
1647  }
1648 #endif /* ifdef HAVE_GETSOCKNAME */
1649  if (!success)
1650  {
1651  msg(D_MANAGEMENT, "MANAGEMENT: failed to write peer info to file %s",
1653  throw_signal_soft(SIGTERM, "management-connect-failed");
1654  }
1655  }
1656  gc_free(&gc);
1657 }
1658 
1659 static void
1660 man_connection_settings_reset(struct management *man)
1661 {
1662  man->connection.state_realtime = false;
1663  man->connection.log_realtime = false;
1664  man->connection.echo_realtime = false;
1666  man->connection.password_verified = false;
1667  man->connection.password_tries = 0;
1668  man->connection.halt = false;
1670 }
1671 
1672 static void
1673 man_new_connection_post(struct management *man, const char *description)
1674 {
1675  struct gc_arena gc = gc_new();
1676 
1678 
1680 
1681 #ifdef _WIN32
1682  man_start_ne32(man);
1683 #endif
1684 
1685 #if UNIX_SOCK_SUPPORT
1686  if (man->settings.flags & MF_UNIX_SOCK)
1687  {
1688  msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1689  description,
1690  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1691  }
1692  else
1693 #endif
1694  msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1695  description,
1696  print_sockaddr(man->settings.local->ai_addr, &gc));
1697 
1699 
1700  if (!man_password_needed(man))
1701  {
1702  man_welcome(man);
1703  }
1704  man_prompt(man);
1705  man_update_io_state(man);
1706 
1707  gc_free(&gc);
1708 }
1709 
1710 #if UNIX_SOCK_SUPPORT
1711 static bool
1712 man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd)
1713 {
1714  if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1715  {
1716  static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
1717  int uid, gid;
1718  if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid))
1719  {
1720  if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1721  {
1722  msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1723  err_prefix, uid, man->settings.client_uid);
1724  return false;
1725  }
1726  if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1727  {
1728  msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1729  err_prefix, gid, man->settings.client_gid);
1730  return false;
1731  }
1732  }
1733  else
1734  {
1735  msg(D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1736  return false;
1737  }
1738  }
1739  return true;
1740 }
1741 #endif /* if UNIX_SOCK_SUPPORT */
1742 
1743 static void
1744 man_accept(struct management *man)
1745 {
1746  struct link_socket_actual act;
1747  CLEAR(act);
1748 
1749  /*
1750  * Accept the TCP or Unix domain socket client.
1751  */
1752 #if UNIX_SOCK_SUPPORT
1753  if (man->settings.flags & MF_UNIX_SOCK)
1754  {
1755  struct sockaddr_un remote;
1756  man->connection.sd_cli = socket_accept_unix(man->connection.sd_top, &remote);
1757  if (!man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1758  {
1759  sd_close(&man->connection.sd_cli);
1760  }
1761  }
1762  else
1763 #endif
1764  man->connection.sd_cli = socket_do_accept(man->connection.sd_top, &act, false);
1765 
1766  if (socket_defined(man->connection.sd_cli))
1767  {
1768  man->connection.remote = act.dest;
1769 
1770  if (socket_defined(man->connection.sd_top))
1771  {
1772 #ifdef _WIN32
1773  man_stop_ne32(man);
1774 #endif
1775  }
1776 
1777  man_new_connection_post(man, "Client connected from");
1778  }
1779 }
1780 
1781 static void
1782 man_listen(struct management *man)
1783 {
1784  struct gc_arena gc = gc_new();
1785 
1786  /*
1787  * Initialize state
1788  */
1789  man->connection.state = MS_LISTEN;
1791 
1792  /*
1793  * Initialize listening socket
1794  */
1795  if (man->connection.sd_top == SOCKET_UNDEFINED)
1796  {
1797 #if UNIX_SOCK_SUPPORT
1798  if (man->settings.flags & MF_UNIX_SOCK)
1799  {
1801  man->connection.sd_top = create_socket_unix();
1802  socket_bind_unix(man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1803  }
1804  else
1805 #endif
1806  {
1809  man->settings.local->ai_family, "MANAGEMENT", false);
1810  }
1811 
1812  /*
1813  * Listen for connection
1814  */
1815  if (listen(man->connection.sd_top, 1))
1816  {
1817  msg(M_ERR, "MANAGEMENT: listen() failed");
1818  }
1819 
1820  /*
1821  * Set misc socket properties
1822  */
1824 
1825 #if UNIX_SOCK_SUPPORT
1826  if (man->settings.flags & MF_UNIX_SOCK)
1827  {
1828  msg(D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1829  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1830  }
1831  else
1832 #endif
1833  msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1834  print_sockaddr(man->settings.local->ai_addr, &gc));
1835  }
1836 
1837 #ifdef _WIN32
1838  man_start_ne32(man);
1839 #endif
1840 
1841  gc_free(&gc);
1842 }
1843 
1844 static void
1845 man_connect(struct management *man)
1846 {
1847  struct gc_arena gc = gc_new();
1848  int status;
1849  int signal_received = 0;
1850 
1851  /*
1852  * Initialize state
1853  */
1854  man->connection.state = MS_INITIAL;
1856 
1857 #if UNIX_SOCK_SUPPORT
1858  if (man->settings.flags & MF_UNIX_SOCK)
1859  {
1860  man->connection.sd_cli = create_socket_unix();
1861  status = socket_connect_unix(man->connection.sd_cli, &man->settings.local_unix);
1862  if (!status && !man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1863  {
1864 #ifdef EPERM
1865  status = EPERM;
1866 #else
1867  status = 1;
1868 #endif
1869  sd_close(&man->connection.sd_cli);
1870  }
1871  }
1872  else
1873 #endif
1874  {
1876  status = openvpn_connect(man->connection.sd_cli,
1877  man->settings.local->ai_addr,
1878  5,
1879  &signal_received);
1880  }
1881 
1882  if (signal_received)
1883  {
1884  throw_signal(signal_received);
1885  goto done;
1886  }
1887 
1888  if (status)
1889  {
1890 #if UNIX_SOCK_SUPPORT
1891  if (man->settings.flags & MF_UNIX_SOCK)
1892  {
1894  "MANAGEMENT: connect to unix socket %s failed",
1895  sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1896  }
1897  else
1898 #endif
1900  "MANAGEMENT: connect to %s failed",
1901  print_sockaddr(man->settings.local->ai_addr, &gc));
1902  throw_signal_soft(SIGTERM, "management-connect-failed");
1903  goto done;
1904  }
1905 
1906  man_record_peer_info(man);
1907  man_new_connection_post(man, "Connected to management server at");
1908 
1909 done:
1910  gc_free(&gc);
1911 }
1912 
1913 static void
1914 man_reset_client_socket(struct management *man, const bool exiting)
1915 {
1916  if (socket_defined(man->connection.sd_cli))
1917  {
1918 #ifdef _WIN32
1919  man_stop_ne32(man);
1920 #endif
1921  man_close_socket(man, man->connection.sd_cli);
1923  man->connection.state = MS_INITIAL;
1927  msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected");
1928  }
1929  if (!exiting)
1930  {
1931  if (man->settings.flags & MF_FORGET_DISCONNECT)
1932  {
1933  ssl_purge_auth(false);
1934  }
1935 
1936  if (man->settings.flags & MF_SIGNAL)
1937  {
1938  int mysig = man_mod_signal(man, SIGUSR1);
1939  if (mysig >= 0)
1940  {
1941  msg(D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
1942  throw_signal_soft(mysig, "management-disconnect");
1943  }
1944  }
1945 
1946  if (man->settings.flags & MF_CONNECT_AS_CLIENT)
1947  {
1948  msg(D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
1949  throw_signal_soft(SIGTERM, "management-exit");
1950  }
1951  else
1952  {
1953  man_listen(man);
1954  }
1955  }
1956 }
1957 
1958 static void
1959 man_process_command(struct management *man, const char *line)
1960 {
1961  struct gc_arena gc = gc_new();
1962  struct status_output *so;
1963  int nparms;
1964  char *parms[MAX_PARMS+1];
1965 
1966  CLEAR(parms);
1967  so = status_open(NULL, 0, -1, &man->persist.vout, 0);
1969 
1970  if (man_password_needed(man))
1971  {
1972  man_check_password(man, line);
1973  }
1974  else
1975  {
1976  nparms = parse_line(line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
1977  if (parms[0] && streq(parms[0], "password"))
1978  {
1979  msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
1980  }
1981  else if (!streq(line, "load-stats"))
1982  {
1983  msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
1984  }
1985 
1986 #if 0
1987  /* DEBUGGING -- print args */
1988  {
1989  int i;
1990  for (i = 0; i < nparms; ++i)
1991  {
1992  msg(M_INFO, "[%d] '%s'", i, parms[i]);
1993  }
1994  }
1995 #endif
1996 
1997  if (nparms > 0)
1998  {
1999  man_dispatch_command(man, so, (const char **)parms, nparms);
2000  }
2001  }
2002 
2003  CLEAR(parms);
2004  status_close(so);
2005  gc_free(&gc);
2006 }
2007 
2008 static bool
2009 man_io_error(struct management *man, const char *prefix)
2010 {
2011  const int err = openvpn_errno();
2012 
2013  if (!ignore_sys_error(err))
2014  {
2015  struct gc_arena gc = gc_new();
2016  msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix,
2017  strerror(err));
2018  gc_free(&gc);
2019  return true;
2020  }
2021  else
2022  {
2023  return false;
2024  }
2025 }
2026 
2027 #ifdef TARGET_ANDROID
2028 static ssize_t
2029 man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd)
2030 {
2031  struct msghdr msg = { 0 };
2032  struct iovec iov[1];
2033 
2034  union {
2035  struct cmsghdr cm;
2036  char control[CMSG_SPACE(sizeof(int))];
2037  } control_un;
2038  struct cmsghdr *cmptr;
2039 
2040  msg.msg_control = control_un.control;
2041  msg.msg_controllen = sizeof(control_un.control);
2042 
2043  cmptr = CMSG_FIRSTHDR(&msg);
2044  cmptr->cmsg_len = CMSG_LEN(sizeof(int));
2045  cmptr->cmsg_level = SOL_SOCKET;
2046  cmptr->cmsg_type = SCM_RIGHTS;
2047  *((int *) CMSG_DATA(cmptr)) = sendfd;
2048 
2049  msg.msg_name = NULL;
2050  msg.msg_namelen = 0;
2051 
2052  iov[0].iov_base = ptr;
2053  iov[0].iov_len = nbytes;
2054  msg.msg_iov = iov;
2055  msg.msg_iovlen = 1;
2056 
2057  return (sendmsg(fd, &msg, flags));
2058 }
2059 
2060 static ssize_t
2061 man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd)
2062 {
2063  struct msghdr msghdr = { 0 };
2064  struct iovec iov[1];
2065  ssize_t n;
2066 
2067  union {
2068  struct cmsghdr cm;
2069  char control[CMSG_SPACE(sizeof(int))];
2070  } control_un;
2071  struct cmsghdr *cmptr;
2072 
2073  msghdr.msg_control = control_un.control;
2074  msghdr.msg_controllen = sizeof(control_un.control);
2075 
2076  msghdr.msg_name = NULL;
2077  msghdr.msg_namelen = 0;
2078 
2079  iov[0].iov_base = ptr;
2080  iov[0].iov_len = nbytes;
2081  msghdr.msg_iov = iov;
2082  msghdr.msg_iovlen = 1;
2083 
2084  if ( (n = recvmsg(fd, &msghdr, flags)) <= 0)
2085  {
2086  return (n);
2087  }
2088 
2089  if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL
2090  && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
2091  {
2092  if (cmptr->cmsg_level != SOL_SOCKET)
2093  {
2094  msg(M_ERR, "control level != SOL_SOCKET");
2095  }
2096  if (cmptr->cmsg_type != SCM_RIGHTS)
2097  {
2098  msg(M_ERR, "control type != SCM_RIGHTS");
2099  }
2100  *recvfd = *((int *) CMSG_DATA(cmptr));
2101  }
2102  else
2103  {
2104  *recvfd = -1; /* descriptor was not passed */
2105 
2106  }
2107  return (n);
2108 }
2109 
2110 /*
2111  * The android control method will instruct the GUI part of openvpn to do
2112  * the route/ifconfig/open tun command. See doc/android.txt for details.
2113  */
2114 bool
2115 management_android_control(struct management *man, const char *command, const char *msg)
2116 {
2117  struct user_pass up;
2118  CLEAR(up);
2119  strncpy(up.username, msg, sizeof(up.username)-1);
2120 
2121  management_query_user_pass(management, &up, command, GET_USER_PASS_NEED_OK,(void *) 0);
2122  return strcmp("ok", up.password)==0;
2123 }
2124 
2125 /*
2126  * In Android 4.4 it is not possible to open a new tun device and then close the
2127  * old tun device without breaking the whole VPNService stack until the device
2128  * is rebooted. This management method ask the UI what method should be taken to
2129  * ensure the optimal solution for the situation
2130  */
2131 int
2132 managment_android_persisttun_action(struct management *man)
2133 {
2134  struct user_pass up;
2135  CLEAR(up);
2136  strcpy(up.username,"tunmethod");
2137  management_query_user_pass(management, &up, "PERSIST_TUN_ACTION",
2138  GET_USER_PASS_NEED_OK,(void *) 0);
2139  if (!strcmp("NOACTION", up.password))
2140  {
2141  return ANDROID_KEEP_OLD_TUN;
2142  }
2143  else if (!strcmp("OPEN_AFTER_CLOSE", up.password))
2144  {
2145  return ANDROID_OPEN_AFTER_CLOSE;
2146  }
2147  else if (!strcmp("OPEN_BEFORE_CLOSE", up.password))
2148  {
2149  return ANDROID_OPEN_BEFORE_CLOSE;
2150  }
2151  else
2152  {
2153  msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
2154  }
2155 
2156  ASSERT(0);
2157  return ANDROID_OPEN_AFTER_CLOSE;
2158 }
2159 
2160 
2161 #endif /* ifdef TARGET_ANDROID */
2162 
2163 static int
2164 man_read(struct management *man)
2165 {
2166  /*
2167  * read command line from socket
2168  */
2169  unsigned char buf[256];
2170  int len = 0;
2171 
2172 #ifdef TARGET_ANDROID
2173  int fd;
2174  len = man_recv_with_fd(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL, &fd);
2175  if (fd >= 0)
2176  {
2177  man->connection.lastfdreceived = fd;
2178  }
2179 #else /* ifdef TARGET_ANDROID */
2180  len = recv(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL);
2181 #endif
2182 
2183  if (len == 0)
2184  {
2185  man_reset_client_socket(man, false);
2186  }
2187  else if (len > 0)
2188  {
2189  bool processed_command = false;
2190 
2191  ASSERT(len <= (int) sizeof(buf));
2192  command_line_add(man->connection.in, buf, len);
2193 
2194  /*
2195  * Reset output object
2196  */
2198 
2199  /*
2200  * process command line if complete
2201  */
2202  {
2203  const char *line;
2204  while ((line = command_line_get(man->connection.in)))
2205  {
2206  if (man->connection.in_extra)
2207  {
2208  if (!strcmp(line, "END"))
2209  {
2210  in_extra_dispatch(man);
2211  }
2212  else
2213  {
2214  buffer_list_push(man->connection.in_extra, line);
2215  }
2216  }
2217  else
2218  {
2219  man_process_command(man, (char *) line);
2220  }
2221  if (man->connection.halt)
2222  {
2223  break;
2224  }
2226  processed_command = true;
2227  }
2228  }
2229 
2230  /*
2231  * Reset output state to MS_CC_WAIT_(READ|WRITE)
2232  */
2233  if (man->connection.halt)
2234  {
2235  man_reset_client_socket(man, false);
2236  len = 0;
2237  }
2238  else
2239  {
2240  if (processed_command)
2241  {
2242  man_prompt(man);
2243  }
2244  man_update_io_state(man);
2245  }
2246  }
2247  else /* len < 0 */
2248  {
2249  if (man_io_error(man, "recv"))
2250  {
2251  man_reset_client_socket(man, false);
2252  }
2253  }
2254  return len;
2255 }
2256 
2257 static int
2258 man_write(struct management *man)
2259 {
2260  const int size_hint = 1024;
2261  int sent = 0;
2262  const struct buffer *buf;
2263 
2264  buffer_list_aggregate(man->connection.out, size_hint);
2265  buf = buffer_list_peek(man->connection.out);
2266  if (buf && BLEN(buf))
2267  {
2268  const int len = min_int(size_hint, BLEN(buf));
2269 #ifdef TARGET_ANDROID
2270  if (man->connection.fdtosend > 0)
2271  {
2272  sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL,man->connection.fdtosend);
2273  man->connection.fdtosend = -1;
2274  }
2275  else
2276 #endif
2277  sent = send(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL);
2278  if (sent >= 0)
2279  {
2280  buffer_list_advance(man->connection.out, sent);
2281  }
2282  else if (sent < 0)
2283  {
2284  if (man_io_error(man, "send"))
2285  {
2286  man_reset_client_socket(man, false);
2287  }
2288  }
2289  }
2290 
2291  /*
2292  * Reset output state to MS_CC_WAIT_(READ|WRITE)
2293  */
2294  man_update_io_state(man);
2295 
2296  return sent;
2297 }
2298 
2299 static void
2301 {
2302  CLEAR(*mc);
2303 
2304  /* set initial state */
2305  mc->state = MS_INITIAL;
2306 
2307  /* clear socket descriptors */
2308  mc->sd_top = SOCKET_UNDEFINED;
2309  mc->sd_cli = SOCKET_UNDEFINED;
2310 }
2311 
2312 static void
2313 man_persist_init(struct management *man,
2314  const int log_history_cache,
2315  const int echo_buffer_size,
2316  const int state_buffer_size)
2317 {
2318  struct man_persist *mp = &man->persist;
2319  if (!mp->defined)
2320  {
2321  CLEAR(*mp);
2322 
2323  /* initialize log history store */
2324  mp->log = log_history_init(log_history_cache);
2325 
2326  /*
2327  * Initialize virtual output object, so that functions
2328  * which write to a virtual_output object can be redirected
2329  * here to the management object.
2330  */
2332  mp->vout.arg = man;
2333  mp->vout.flags_default = M_CLIENT;
2335 
2336  /*
2337  * Initialize --echo list
2338  */
2339  man->persist.echo = log_history_init(echo_buffer_size);
2340 
2341  /*
2342  * Initialize --state list
2343  */
2344  man->persist.state = log_history_init(state_buffer_size);
2345 
2346  mp->defined = true;
2347  }
2348 }
2349 
2350 static void
2352 {
2353  if (mp->log)
2354  {
2355  msg_set_virtual_output(NULL);
2356  log_history_close(mp->log);
2357  }
2358 
2359  if (mp->echo)
2360  {
2361  log_history_close(mp->echo);
2362  }
2363 
2364  if (mp->state)
2365  {
2366  log_history_close(mp->state);
2367  }
2368 
2369  CLEAR(*mp);
2370 }
2371 
2372 static void
2374  const char *addr,
2375  const char *port,
2376  const char *pass_file,
2377  const char *client_user,
2378  const char *client_group,
2379  const int log_history_cache,
2380  const int echo_buffer_size,
2381  const int state_buffer_size,
2382  const char *write_peer_info_file,
2383  const int remap_sigusr1,
2384  const unsigned int flags)
2385 {
2386  if (!ms->defined)
2387  {
2388  CLEAR(*ms);
2389 
2390  ms->flags = flags;
2391  ms->client_uid = -1;
2392  ms->client_gid = -1;
2393 
2394  /*
2395  * Get username/password
2396  */
2397  if (pass_file)
2398  {
2399  get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
2400  }
2401 
2402  /*
2403  * lookup client UID/GID if specified
2404  */
2405  if (client_user)
2406  {
2407  struct platform_state_user s;
2408  platform_user_get(client_user, &s);
2410  msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
2411  ASSERT(ms->client_uid >= 0);
2412  }
2413  if (client_group)
2414  {
2415  struct platform_state_group s;
2416  platform_group_get(client_group, &s);
2418  msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
2419  ASSERT(ms->client_gid >= 0);
2420  }
2421 
2422  ms->write_peer_info_file = string_alloc(write_peer_info_file, NULL);
2423 
2424 #if UNIX_SOCK_SUPPORT
2425  if (ms->flags & MF_UNIX_SOCK)
2426  {
2427  sockaddr_unix_init(&ms->local_unix, addr);
2428  }
2429  else
2430 #endif
2431  {
2432 
2433  /*
2434  * Run management over tunnel, or
2435  * separate channel?
2436  */
2437  if (streq(addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
2438  {
2439  ms->management_over_tunnel = true;
2440  }
2441  else
2442  {
2443  int status;
2445 
2446  if (!(flags & MF_CONNECT_AS_CLIENT))
2447  {
2448  resolve_flags |= GETADDR_PASSIVE;
2449  }
2450 
2451  status = openvpn_getaddrinfo(resolve_flags, addr, port, 0,
2452  NULL, AF_UNSPEC, &ms->local);
2453  ASSERT(status==0);
2454  }
2455  }
2456 
2457  /*
2458  * Log history and echo buffer may need to be resized
2459  */
2460  ms->log_history_cache = log_history_cache;
2461  ms->echo_buffer_size = echo_buffer_size;
2462  ms->state_buffer_size = state_buffer_size;
2463 
2464  /*
2465  * Set remap sigusr1 flags
2466  */
2467  if (remap_sigusr1 == SIGHUP)
2468  {
2470  }
2471  else if (remap_sigusr1 == SIGTERM)
2472  {
2474  }
2475 
2476  ms->defined = true;
2477  }
2478 }
2479 
2480 static void
2482 {
2483  if (ms->local)
2484  {
2485  freeaddrinfo(ms->local);
2486  }
2488  CLEAR(*ms);
2489 }
2490 
2491 
2492 static void
2493 man_connection_init(struct management *man)
2494 {
2495  if (man->connection.state == MS_INITIAL)
2496  {
2497 #ifdef _WIN32
2498  /*
2499  * This object is a sort of TCP/IP helper
2500  * for Windows.
2501  */
2503 #endif
2504 
2505  /*
2506  * Allocate helper objects for command line input and
2507  * command output from/to the socket.
2508  */
2509  man->connection.in = command_line_new(1024);
2510  man->connection.out = buffer_list_new(0);
2511 
2512  /*
2513  * Initialize event set for standalone usage, when we are
2514  * running outside of the primary event loop.
2515  */
2516  {
2517  int maxevents = 1;
2518  man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST);
2519  }
2520 
2521  man->connection.client_version = 1; /* default version */
2522 
2523  /*
2524  * Listen/connect socket
2525  */
2526  if (man->settings.flags & MF_CONNECT_AS_CLIENT)
2527  {
2528  man_connect(man);
2529  }
2530  else
2531  {
2532  man_listen(man);
2533  }
2534  }
2535 }
2536 
2537 static void
2538 man_connection_close(struct management *man)
2539 {
2540  struct man_connection *mc = &man->connection;
2541 
2542  event_free(mc->es);
2543 #ifdef _WIN32
2545 #endif
2546  if (socket_defined(mc->sd_top))
2547  {
2548  man_close_socket(man, mc->sd_top);
2550  }
2551  if (socket_defined(mc->sd_cli))
2552  {
2553  man_close_socket(man, mc->sd_cli);
2554  }
2555 
2556  command_line_free(mc->in);
2557  buffer_list_free(mc->out);
2558 
2562 }
2563 
2564 struct management *
2566 {
2567  struct management *man;
2568  ALLOC_OBJ_CLEAR(man, struct management);
2569 
2570  man_persist_init(man,
2574 
2576 
2577  return man;
2578 }
2579 
2580 bool
2581 management_open(struct management *man,
2582  const char *addr,
2583  const char *port,
2584  const char *pass_file,
2585  const char *client_user,
2586  const char *client_group,
2587  const int log_history_cache,
2588  const int echo_buffer_size,
2589  const int state_buffer_size,
2590  const char *write_peer_info_file,
2591  const int remap_sigusr1,
2592  const unsigned int flags)
2593 {
2594  bool ret = false;
2595 
2596  /*
2597  * Save the settings only if they have not
2598  * been saved before.
2599  */
2601  addr,
2602  port,
2603  pass_file,
2604  client_user,
2605  client_group,
2606  log_history_cache,
2607  echo_buffer_size,
2608  state_buffer_size,
2609  write_peer_info_file,
2610  remap_sigusr1,
2611  flags);
2612 
2613  /*
2614  * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2615  * but may be changed here. Ditto for echo and state buffers.
2616  */
2620 
2621  /*
2622  * If connection object is uninitialized and we are not doing
2623  * over-the-tunnel management, then open (listening) connection.
2624  */
2625  if (man->connection.state == MS_INITIAL)
2626  {
2627  if (!man->settings.management_over_tunnel)
2628  {
2629  man_connection_init(man);
2630  ret = true;
2631  }
2632  }
2633 
2634  return ret;
2635 }
2636 
2637 void
2638 management_close(struct management *man)
2639 {
2640  man_output_list_push_finalize(man); /* flush output queue */
2641  man_connection_close(man);
2643  man_persist_close(&man->persist);
2644  free(man);
2645 }
2646 
2647 void
2648 management_set_callback(struct management *man,
2649  const struct management_callback *cb)
2650 {
2651  man->persist.standalone_disabled = true;
2652  man->persist.callback = *cb;
2653 }
2654 
2655 void
2656 management_clear_callback(struct management *man)
2657 {
2658  man->persist.standalone_disabled = false;
2659  man->persist.hold_release = false;
2660  CLEAR(man->persist.callback);
2661  man_output_list_push_finalize(man); /* flush output queue */
2662 }
2663 
2664 void
2665 management_set_state(struct management *man,
2666  const int state,
2667  const char *detail,
2668  const in_addr_t *tun_local_ip,
2669  const struct in6_addr *tun_local_ip6,
2670  const struct openvpn_sockaddr *local,
2671  const struct openvpn_sockaddr *remote)
2672 {
2673  if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2674  {
2675  struct gc_arena gc = gc_new();
2676  struct log_entry e;
2677  const char *out = NULL;
2678 
2679  update_time();
2680  CLEAR(e);
2681  e.timestamp = now;
2682  e.u.state = state;
2683  e.string = detail;
2684  if (tun_local_ip)
2685  {
2686  e.local_ip = *tun_local_ip;
2687  }
2688  if (tun_local_ip6)
2689  {
2690  e.local_ip6 = *tun_local_ip6;
2691  }
2692  if (local)
2693  {
2694  e.local_sock = *local;
2695  }
2696  if (remote)
2697  {
2698  e.remote_sock = *remote;
2699  }
2700 
2701  log_history_add(man->persist.state, &e);
2702 
2703  if (man->connection.state_realtime)
2704  {
2707  | LOG_PRINT_STATE
2710  | LOG_PRINT_CRLF
2711  | LOG_ECHO_TO_LOG, &gc);
2712  }
2713 
2714  if (out)
2715  {
2716  man_output_list_push(man, out);
2717  }
2718 
2719  gc_free(&gc);
2720  }
2721 }
2722 
2723 static bool
2724 env_filter_match(const char *env_str, const int env_filter_level)
2725 {
2726  static const char *env_names[] = {
2727  "username=",
2728  "password=",
2729  "X509_0_CN=",
2730  "tls_serial_",
2731  "untrusted_ip=",
2732  "ifconfig_local=",
2733  "ifconfig_netmask=",
2734  "daemon_start_time=",
2735  "daemon_pid=",
2736  "dev=",
2737  "ifconfig_pool_remote_ip=",
2738  "ifconfig_pool_netmask=",
2739  "time_duration=",
2740  "bytes_sent=",
2741  "bytes_received=",
2742  "session_id=",
2743  "session_state="
2744  };
2745 
2746  if (env_filter_level == 0)
2747  {
2748  return true;
2749  }
2750  else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5))
2751  {
2752  return true;
2753  }
2754  else if (env_filter_level <= 2)
2755  {
2756  size_t i;
2757  for (i = 0; i < SIZE(env_names); ++i)
2758  {
2759  const char *en = env_names[i];
2760  const size_t len = strlen(en);
2761  if (!strncmp(env_str, en, len))
2762  {
2763  return true;
2764  }
2765  }
2766  return false;
2767  }
2768  return false;
2769 }
2770 
2771 static void
2772 man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
2773 {
2774  if (es)
2775  {
2776  struct env_item *e;
2777  for (e = es->list; e != NULL; e = e->next)
2778  {
2779  if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level)))
2780  {
2781  msg(M_CLIENT, ">%s:ENV,%s", prefix, e->string);
2782  }
2783  }
2784  }
2785  if (tail)
2786  {
2787  msg(M_CLIENT, ">%s:ENV,END", prefix);
2788  }
2789 }
2790 
2791 static void
2792 man_output_extra_env(struct management *man, const char *prefix)
2793 {
2794  struct gc_arena gc = gc_new();
2795  struct env_set *es = env_set_create(&gc);
2796  if (man->persist.callback.n_clients)
2797  {
2798  const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
2799  setenv_int(es, "n_clients", nclients);
2800  }
2801  man_output_env(es, false, man->connection.env_filter_level, prefix);
2802  gc_free(&gc);
2803 }
2804 
2805 void
2806 management_up_down(struct management *man, const char *updown, const struct env_set *es)
2807 {
2808  if (man->settings.flags & MF_UP_DOWN)
2809  {
2810  msg(M_CLIENT, ">UPDOWN:%s", updown);
2811  man_output_env(es, true, 0, "UPDOWN");
2812  }
2813 }
2814 
2815 void
2816 management_notify(struct management *man, const char *severity, const char *type, const char *text)
2817 {
2818  msg(M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
2819 }
2820 
2821 void
2822 management_notify_generic(struct management *man, const char *str)
2823 {
2824  msg(M_CLIENT, "%s", str);
2825 }
2826 
2827 static void
2828 man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
2829 {
2830  char line[256];
2831  if (man->persist.callback.get_peer_info)
2832  {
2833  const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
2834  if (peer_info)
2835  {
2836  struct buffer buf;
2837  buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
2838  while (buf_parse(&buf, '\n', line, sizeof(line)))
2839  {
2840  chomp(line);
2841  if (validate_peer_info_line(line))
2842  {
2843  msg(M_CLIENT, ">CLIENT:ENV,%s", line);
2844  }
2845  else
2846  {
2847  msg(D_MANAGEMENT, "validation failed on peer_info line received from client");
2848  }
2849  }
2850  }
2851  }
2852 }
2853 
2854 void
2855 management_notify_client_needing_auth(struct management *management,
2856  const unsigned int mda_key_id,
2857  struct man_def_auth_context *mdac,
2858  const struct env_set *es)
2859 {
2860  if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2861  {
2862  const char *mode = "CONNECT";
2863  if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2864  {
2865  mode = "REAUTH";
2866  }
2867  msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2868  man_output_extra_env(management, "CLIENT");
2869  if (management->connection.env_filter_level>0)
2870  {
2871  man_output_peer_info_env(management, mdac);
2872  }
2873  man_output_env(es, true, management->connection.env_filter_level, "CLIENT");
2874  mdac->flags |= DAF_INITIAL_AUTH;
2875  }
2876 }
2877 
2878 void
2880  const struct man_def_auth_context *mdac,
2881  const struct env_set *es,
2882  const char *response)
2883 {
2884  struct gc_arena gc;
2885  if (management)
2886  {
2887  gc = gc_new();
2888 
2889  struct buffer out = alloc_buf_gc(256, &gc);
2890  msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s",
2891  mdac->cid, mda_key_id, response);
2892  man_output_extra_env(management, "CLIENT");
2893  if (management->connection.env_filter_level>0)
2894  {
2895  man_output_peer_info_env(management, mdac);
2896  }
2897  man_output_env(es, true, management->connection.env_filter_level, "CLIENT");
2898  management_notify_generic(management, BSTR(&out));
2899 
2900  gc_free(&gc);
2901  }
2902 }
2903 
2904 void
2905 management_connection_established(struct management *management,
2906  struct man_def_auth_context *mdac,
2907  const struct env_set *es)
2908 {
2910  msg(M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
2911  man_output_extra_env(management, "CLIENT");
2912  man_output_env(es, true, management->connection.env_filter_level, "CLIENT");
2913 }
2914 
2915 void
2916 management_notify_client_close(struct management *management,
2917  struct man_def_auth_context *mdac,
2918  const struct env_set *es)
2919 {
2920  if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2921  {
2922  msg(M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
2923  man_output_env(es, true, management->connection.env_filter_level, "CLIENT");
2924  mdac->flags |= DAF_CONNECTION_CLOSED;
2925  }
2926 }
2927 
2928 void
2929 management_learn_addr(struct management *management,
2930  struct man_def_auth_context *mdac,
2931  const struct mroute_addr *addr,
2932  const bool primary)
2933 {
2934  struct gc_arena gc = gc_new();
2935  if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2936  {
2937  msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
2938  mdac->cid,
2939  mroute_addr_print_ex(addr, MAPF_SUBNET, &gc),
2940  BOOL_CAST(primary));
2941  }
2942  gc_free(&gc);
2943 }
2944 
2945 void
2946 management_echo(struct management *man, const char *string, const bool pull)
2947 {
2948  if (man->persist.echo)
2949  {
2950  struct gc_arena gc = gc_new();
2951  struct log_entry e;
2952  const char *out = NULL;
2953 
2954  update_time();
2955  CLEAR(e);
2956  e.timestamp = now;
2957  e.string = string;
2958  e.u.intval = BOOL_CAST(pull);
2959 
2960  log_history_add(man->persist.echo, &e);
2961 
2962  if (man->connection.echo_realtime)
2963  {
2965  }
2966 
2967  if (out)
2968  {
2969  man_output_list_push(man, out);
2970  }
2971 
2972  gc_free(&gc);
2973  }
2974 }
2975 
2976 void
2977 management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
2978 {
2979  /*
2980  * If we are running management over the tunnel,
2981  * this is the place to initialize the connection.
2982  */
2984  && man->connection.state == MS_INITIAL)
2985  {
2986  /* listen on our local TUN/TAP IP address */
2987  struct in_addr ia;
2988  int ret;
2989 
2990  ia.s_addr = htonl(tun_local_ip);
2991  ret = openvpn_getaddrinfo(GETADDR_PASSIVE, inet_ntoa(ia), NULL, 0, NULL,
2992  AF_INET, &man->settings.local);
2993  ASSERT(ret==0);
2994  man_connection_init(man);
2995  }
2996 
2997 }
2998 
2999 void
3000 management_pre_tunnel_close(struct management *man)
3001 {
3003  {
3004  man_connection_close(man);
3005  }
3006 }
3007 
3008 void
3009 management_auth_failure(struct management *man, const char *type, const char *reason)
3010 {
3011  if (reason)
3012  {
3013  msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason);
3014  }
3015  else
3016  {
3017  msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
3018  }
3019 }
3020 
3021 void
3022 management_auth_token(struct management *man, const char *token)
3023 {
3024  msg(M_CLIENT, ">PASSWORD:Auth-Token:%s", token);
3025 }
3026 
3027 static inline bool
3028 man_persist_state(unsigned int *persistent, const int n)
3029 {
3030  if (persistent)
3031  {
3032  if (*persistent == (unsigned int)n)
3033  {
3034  return false;
3035  }
3036  *persistent = n;
3037  }
3038  return true;
3039 }
3040 
3041 #ifdef _WIN32
3042 
3043 void
3044 management_socket_set(struct management *man,
3045  struct event_set *es,
3046  void *arg,
3047  unsigned int *persistent)
3048 {
3049  if (man->connection.state != MS_INITIAL)
3050  {
3053 
3054  switch (man->connection.state)
3055  {
3056  case MS_LISTEN:
3057  if (man_persist_state(persistent, 1))
3058  {
3059  event_ctl(es, ev, EVENT_READ, arg);
3060  }
3061  break;
3062 
3063  case MS_CC_WAIT_READ:
3064  if (man_persist_state(persistent, 2))
3065  {
3066  event_ctl(es, ev, EVENT_READ, arg);
3067  }
3068  break;
3069 
3070  case MS_CC_WAIT_WRITE:
3071  if (man_persist_state(persistent, 3))
3072  {
3073  event_ctl(es, ev, EVENT_READ|EVENT_WRITE, arg);
3074  }
3075  break;
3076 
3077  default:
3078  ASSERT(0);
3079  }
3080  }
3081 }
3082 
3083 void
3084 management_io(struct management *man)
3085 {
3086  if (man->connection.state != MS_INITIAL)
3087  {
3088  long net_events;
3090  net_events = net_event_win32_get_event_mask(&man->connection.ne32);
3091 
3092  if (net_events & FD_CLOSE)
3093  {
3094  man_reset_client_socket(man, false);
3095  }
3096  else
3097  {
3098  if (man->connection.state == MS_LISTEN)
3099  {
3100  if (net_events & FD_ACCEPT)
3101  {
3102  man_accept(man);
3104  }
3105  }
3106  else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE)
3107  {
3108  if (net_events & FD_READ)
3109  {
3110  while (man_read(man) > 0)
3111  {
3112  }
3114  }
3115 
3116  if (net_events & FD_WRITE)
3117  {
3118  int status;
3119  status = man_write(man);
3120  if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
3121  {
3123  }
3124  }
3125  }
3126  }
3127  }
3128 }
3129 
3130 #else /* ifdef _WIN32 */
3131 
3132 void
3133 management_socket_set(struct management *man,
3134  struct event_set *es,
3135  void *arg,
3136  unsigned int *persistent)
3137 {
3138  switch (man->connection.state)
3139  {
3140  case MS_LISTEN:
3141  if (man_persist_state(persistent, 1))
3142  {
3143  event_ctl(es, man->connection.sd_top, EVENT_READ, arg);
3144  }
3145  break;
3146 
3147  case MS_CC_WAIT_READ:
3148  if (man_persist_state(persistent, 2))
3149  {
3150  event_ctl(es, man->connection.sd_cli, EVENT_READ, arg);
3151  }
3152  break;
3153 
3154  case MS_CC_WAIT_WRITE:
3155  if (man_persist_state(persistent, 3))
3156  {
3157  event_ctl(es, man->connection.sd_cli, EVENT_WRITE, arg);
3158  }
3159  break;
3160 
3161  case MS_INITIAL:
3162  break;
3163 
3164  default:
3165  ASSERT(0);
3166  }
3167 }
3168 
3169 void
3170 management_io(struct management *man)
3171 {
3172  switch (man->connection.state)
3173  {
3174  case MS_LISTEN:
3175  man_accept(man);
3176  break;
3177 
3178  case MS_CC_WAIT_READ:
3179  man_read(man);
3180  break;
3181 
3182  case MS_CC_WAIT_WRITE:
3183  man_write(man);
3184  break;
3185 
3186  case MS_INITIAL:
3187  break;
3188 
3189  default:
3190  ASSERT(0);
3191  }
3192 }
3193 
3194 #endif /* ifdef _WIN32 */
3195 
3196 static inline bool
3197 man_standalone_ok(const struct management *man)
3198 {
3199  return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
3200 }
3201 
3202 static bool
3203 man_check_for_signals(volatile int *signal_received)
3204 {
3205  if (signal_received)
3206  {
3207  get_signal(signal_received);
3208  if (*signal_received)
3209  {
3210  return true;
3211  }
3212  }
3213  return false;
3214 }
3215 
3216 /*
3217  * Wait for socket I/O when outside primary event loop
3218  */
3219 static int
3220 man_block(struct management *man, volatile int *signal_received, const time_t expire)
3221 {
3222  struct timeval tv;
3223  struct event_set_return esr;
3224  int status = -1;
3225 
3226  if (man_standalone_ok(man))
3227  {
3228  /* expire time can be already overdue, for this case init zero
3229  * timeout to avoid waiting first time and exit loop early with
3230  * either obtained event or timeout.
3231  */
3232  tv.tv_usec = 0;
3233  tv.tv_sec = 0;
3234 
3235  while (true)
3236  {
3237  event_reset(man->connection.es);
3238  management_socket_set(man, man->connection.es, NULL, NULL);
3239  if (man_check_for_signals(signal_received))
3240  {
3241  status = -1;
3242  break;
3243  }
3244  status = event_wait(man->connection.es, &tv, &esr, 1);
3245  update_time();
3246  if (man_check_for_signals(signal_received))
3247  {
3248  status = -1;
3249  break;
3250  }
3251 
3252  if (status > 0)
3253  {
3254  break;
3255  }
3256  else if (expire && now >= expire)
3257  {
3258  /* set SIGINT signal if expiration time exceeded */
3259  status = 0;
3260  if (signal_received)
3261  {
3262  *signal_received = SIGINT;
3263  }
3264  break;
3265  }
3266 
3267  /* wait one second more */
3268  tv.tv_sec = 1;
3269  tv.tv_usec = 0;
3270  }
3271  }
3272  return status;
3273 }
3274 
3275 /*
3276  * Perform management socket output outside primary event loop
3277  */
3278 static void
3279 man_output_standalone(struct management *man, volatile int *signal_received)
3280 {
3281  if (man_standalone_ok(man))
3282  {
3283  while (man->connection.state == MS_CC_WAIT_WRITE)
3284  {
3285  management_io(man);
3286  if (man->connection.state == MS_CC_WAIT_WRITE)
3287  {
3288  man_block(man, signal_received, 0);
3289  }
3290  if (signal_received && *signal_received)
3291  {
3292  break;
3293  }
3294  }
3295  }
3296 }
3297 
3298 /*
3299  * Process management event loop outside primary event loop
3300  */
3301 static int
3302 man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
3303 {
3304  int status = -1;
3305  if (man_standalone_ok(man))
3306  {
3307  status = man_block(man, signal_received, expire);
3308  if (status > 0)
3309  {
3310  management_io(man);
3311  }
3312  }
3313  return status;
3314 }
3315 
3316 #define MWCC_PASSWORD_WAIT (1<<0)
3317 #define MWCC_HOLD_WAIT (1<<1)
3318 #define MWCC_OTHER_WAIT (1<<2)
3319 
3320 /*
3321  * Block until client connects
3322  */
3323 static void
3324 man_wait_for_client_connection(struct management *man,
3325  volatile int *signal_received,
3326  const time_t expire,
3327  unsigned int flags)
3328 {
3329  ASSERT(man_standalone_ok(man));
3330  if (man->connection.state == MS_LISTEN)
3331  {
3332  if (flags & MWCC_PASSWORD_WAIT)
3333  {
3334  msg(D_MANAGEMENT, "Need password(s) from management interface, waiting...");
3335  }
3336  if (flags & MWCC_HOLD_WAIT)
3337  {
3338  msg(D_MANAGEMENT, "Need hold release from management interface, waiting...");
3339  }
3340  if (flags & MWCC_OTHER_WAIT)
3341  {
3342  msg(D_MANAGEMENT, "Need information from management interface, waiting...");
3343  }
3344  do
3345  {
3346  man_standalone_event_loop(man, signal_received, expire);
3347  if (signal_received && *signal_received)
3348  {
3349  break;
3350  }
3351  } while (man->connection.state == MS_LISTEN || man_password_needed(man));
3352  }
3353 }
3354 
3355 /*
3356  * Process the management event loop for sec seconds
3357  */
3358 void
3359 management_event_loop_n_seconds(struct management *man, int sec)
3360 {
3361  if (man_standalone_ok(man))
3362  {
3363  volatile int signal_received = 0;
3364  const bool standalone_disabled_save = man->persist.standalone_disabled;
3365  time_t expire = 0;
3366 
3367  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3368 
3369  /* set expire time */
3370  update_time();
3371  if (sec >= 0)
3372  {
3373  expire = now + sec;
3374  }
3375 
3376  /* if no client connection, wait for one */
3377  man_wait_for_client_connection(man, &signal_received, expire, 0);
3378  if (signal_received)
3379  {
3380  return;
3381  }
3382 
3383  /* run command processing event loop */
3384  do
3385  {
3386  man_standalone_event_loop(man, &signal_received, expire);
3387  if (!signal_received)
3388  {
3389  man_check_for_signals(&signal_received);
3390  }
3391  if (signal_received)
3392  {
3393  return;
3394  }
3395  update_time();
3396  } while (expire && expire > now);
3397 
3398  /* revert state */
3399  man->persist.standalone_disabled = standalone_disabled_save;
3400  }
3401  else if (sec > 0)
3402  {
3403  sleep(sec);
3404  }
3405 }
3406 
3407 /*
3408  * Get a username/password from management channel in standalone mode.
3409  */
3410 bool
3411 management_query_user_pass(struct management *man,
3412  struct user_pass *up,
3413  const char *type,
3414  const unsigned int flags,
3415  const char *static_challenge)
3416 {
3417  struct gc_arena gc = gc_new();
3418  bool ret = false;
3419 
3420  if (man_standalone_ok(man))
3421  {
3422  volatile int signal_received = 0;
3423  const bool standalone_disabled_save = man->persist.standalone_disabled;
3424  struct buffer alert_msg = alloc_buf_gc(128, &gc);
3425  const char *alert_type = NULL;
3426  const char *prefix = NULL;
3427  unsigned int up_query_mode = 0;
3428  const char *sc = NULL;
3429  ret = true;
3430  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3431  man->persist.special_state_msg = NULL;
3432 
3433  CLEAR(man->connection.up_query);
3434 
3435  if (flags & GET_USER_PASS_NEED_OK)
3436  {
3437  up_query_mode = UP_QUERY_NEED_OK;
3438  prefix = "NEED-OK";
3439  alert_type = "confirmation";
3440  }
3441  else if (flags & GET_USER_PASS_NEED_STR)
3442  {
3443  up_query_mode = UP_QUERY_NEED_STR;
3444  prefix = "NEED-STR";
3445  alert_type = "string";
3446  }
3447  else if (flags & GET_USER_PASS_PASSWORD_ONLY)
3448  {
3449  up_query_mode = UP_QUERY_PASS;
3450  prefix = "PASSWORD";
3451  alert_type = "password";
3452  }
3453  else
3454  {
3455  up_query_mode = UP_QUERY_USER_PASS;
3456  prefix = "PASSWORD";
3457  alert_type = "username/password";
3458  if (static_challenge)
3459  {
3460  sc = static_challenge;
3461  }
3462  }
3463  buf_printf(&alert_msg, ">%s:Need '%s' %s",
3464  prefix,
3465  type,
3466  alert_type);
3467 
3468  if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))
3469  {
3470  buf_printf(&alert_msg, " MSG:%s", up->username);
3471  }
3472 
3473  if (sc)
3474  {
3475  buf_printf(&alert_msg, " SC:%d,%s",
3477  sc);
3478  }
3479 
3480  man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT);
3481  if (signal_received)
3482  {
3483  ret = false;
3484  }
3485 
3486  if (ret)
3487  {
3488  man->persist.special_state_msg = BSTR(&alert_msg);
3489  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3490 
3491  /* tell command line parser which info we need */
3492  man->connection.up_query_mode = up_query_mode;
3493  man->connection.up_query_type = type;
3494 
3495  /* run command processing event loop until we get our username/password/response */
3496  do
3497  {
3498  man_standalone_event_loop(man, &signal_received, 0);
3499  if (!signal_received)
3500  {
3501  man_check_for_signals(&signal_received);
3502  }
3503  if (signal_received)
3504  {
3505  ret = false;
3506  break;
3507  }
3508  } while (!man->connection.up_query.defined);
3509  }
3510 
3511  /* revert state */
3513  man->connection.up_query_type = NULL;
3514  man->persist.standalone_disabled = standalone_disabled_save;
3515  man->persist.special_state_msg = NULL;
3516 
3517  /* pass through blank passwords */
3518  if (!strcmp(man->connection.up_query.password, blank_up))
3519  {
3521  }
3522 
3523  /*
3524  * Transfer u/p to return object, zero any record
3525  * we hold in the management object.
3526  */
3527  if (ret)
3528  {
3529  /* preserve caller's settings */
3530  man->connection.up_query.nocache = up->nocache;
3531  *up = man->connection.up_query;
3532  }
3533  secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
3534  }
3535 
3536  gc_free(&gc);
3537  return ret;
3538 }
3539 
3540 static int
3541 management_query_multiline(struct management *man,
3542  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3543 {
3544  struct gc_arena gc = gc_new();
3545  int ret = 0;
3546  volatile int signal_received = 0;
3547  struct buffer alert_msg = clear_buf();
3548  const bool standalone_disabled_save = man->persist.standalone_disabled;
3549  struct man_connection *mc = &man->connection;
3550 
3551  if (man_standalone_ok(man))
3552  {
3553  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3554  man->persist.special_state_msg = NULL;
3555 
3556  *state = EKS_SOLICIT;
3557 
3558  if (b64_data)
3559  {
3560  alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc);
3561  buf_printf(&alert_msg, ">%s:%s", prompt, b64_data);
3562  }
3563  else
3564  {
3565  alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc);
3566  buf_printf(&alert_msg, ">%s", prompt);
3567  }
3568 
3569  man_wait_for_client_connection(man, &signal_received, 0, MWCC_OTHER_WAIT);
3570 
3571  if (signal_received)
3572  {
3573  goto done;
3574  }
3575 
3576  man->persist.special_state_msg = BSTR(&alert_msg);
3577  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3578 
3579  /* run command processing event loop until we get our signature */
3580  do
3581  {
3582  man_standalone_event_loop(man, &signal_received, 0);
3583  if (!signal_received)
3584  {
3585  man_check_for_signals(&signal_received);
3586  }
3587  if (signal_received)
3588  {
3589  goto done;
3590  }
3591  } while (*state != EKS_READY);
3592 
3593  ret = 1;
3594  }
3595 
3596 done:
3597  if (*state == EKS_READY && ret)
3598  {
3599  msg(M_CLIENT, "SUCCESS: %s command succeeded", cmd);
3600  }
3601  else if (*state == EKS_INPUT || *state == EKS_READY)
3602  {
3603  msg(M_CLIENT, "ERROR: %s command failed", cmd);
3604  }
3605 
3606  /* revert state */
3607  man->persist.standalone_disabled = standalone_disabled_save;
3608  man->persist.special_state_msg = NULL;
3610  *state = EKS_UNDEF;
3611 
3612  gc_free(&gc);
3613  return ret;
3614 }
3615 
3616 static char *
3617 /* returns allocated base64 signature */
3619  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3620 {
3621  int ok;
3622  char *result = NULL;
3623  struct buffer *buf;
3624 
3625  ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3626  if (ok && buffer_list_defined(*input))
3627  {
3628  buffer_list_aggregate_separator(*input, 10000, "\n");
3629  buf = buffer_list_peek(*input);
3630  if (buf && BLEN(buf) > 0)
3631  {
3632  result = (char *) malloc(BLEN(buf)+1);
3633  check_malloc_return(result);
3634  memcpy(result, buf->data, BLEN(buf));
3635  result[BLEN(buf)] = '\0';
3636  }
3637  }
3638 
3639  buffer_list_free(*input);
3640  *input = NULL;
3641 
3642  return result;
3643 }
3644 
3645 static char *
3646 /* returns allocated base64 signature */
3647 management_query_multiline_flatten(struct management *man,
3648  const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3649 {
3650  int ok;
3651  char *result = NULL;
3652  struct buffer *buf;
3653 
3654  ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3655  if (ok && buffer_list_defined(*input))
3656  {
3657  buffer_list_aggregate(*input, 2048);
3658  buf = buffer_list_peek(*input);
3659  if (buf && BLEN(buf) > 0)
3660  {
3661  result = (char *) malloc(BLEN(buf)+1);
3662  check_malloc_return(result);
3663  memcpy(result, buf->data, BLEN(buf));
3664  result[BLEN(buf)] = '\0';
3665  }
3666  }
3667 
3668  buffer_list_free(*input);
3669  *input = NULL;
3670 
3671  return result;
3672 }
3673 
3674 char *
3675 /* returns allocated base64 signature */
3676 management_query_pk_sig(struct management *man, const char *b64_data,
3677  const char *algorithm)
3678 {
3679  const char *prompt = "PK_SIGN";
3680  const char *desc = "pk-sign";
3681  struct buffer buf_data = alloc_buf(strlen(b64_data) + strlen(algorithm) + 20);
3682 
3683  if (man->connection.client_version <= 1)
3684  {
3685  prompt = "RSA_SIGN";
3686  desc = "rsa-sign";
3687  }
3688 
3689  buf_write(&buf_data, b64_data, (int) strlen(b64_data));
3690  if (man->connection.client_version > 2)
3691  {
3692  buf_write(&buf_data, ",", (int) strlen(","));
3693  buf_write(&buf_data, algorithm, (int) strlen(algorithm));
3694  }
3695  char *ret = management_query_multiline_flatten(man,
3696  (char *)buf_bptr(&buf_data), prompt, desc,
3698  free_buf(&buf_data);
3699  return ret;
3700 }
3701 
3702 char *
3703 management_query_cert(struct management *man, const char *cert_name)
3704 {
3705  const char prompt_1[] = "NEED-CERTIFICATE:";
3706  struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20);
3707  buf_write(&buf_prompt, prompt_1, strlen(prompt_1));
3708  buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */
3709 
3710  char *result;
3711  result = management_query_multiline_flatten_newline(management,
3712  NULL, (char *)buf_bptr(&buf_prompt), "certificate",
3714  free_buf(&buf_prompt);
3715  return result;
3716 }
3717 
3718 /*
3719  * Return true if management_hold() would block
3720  */
3721 bool
3722 management_would_hold(struct management *man)
3723 {
3724  return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok(man);
3725 }
3726 
3727 /*
3728  * Return true if (from the management interface's perspective) OpenVPN should
3729  * daemonize.
3730  */
3731 bool
3732 management_should_daemonize(struct management *man)
3733 {
3734  return management_would_hold(man) || (man->settings.flags & MF_QUERY_PASSWORDS);
3735 }
3736 
3737 /*
3738  * If the hold flag is enabled, hibernate until a management client releases the hold.
3739  * Return true if the caller should not sleep for an additional time interval.
3740  */
3741 bool
3742 management_hold(struct management *man, int holdtime)
3743 {
3744  if (management_would_hold(man))
3745  {
3746  volatile int signal_received = 0;
3747  const bool standalone_disabled_save = man->persist.standalone_disabled;
3748  struct gc_arena gc = gc_new();
3749 
3750  man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3751  man->persist.special_state_msg = NULL;
3753 
3754  man_wait_for_client_connection(man, &signal_received, 0, MWCC_HOLD_WAIT);
3755 
3756  if (!signal_received)
3757  {
3758  struct buffer out = alloc_buf_gc(128, &gc);
3759  buf_printf(&out, ">HOLD:Waiting for hold release:%d", holdtime);
3760  man->persist.special_state_msg = BSTR(&out);
3761  msg(M_CLIENT, "%s", man->persist.special_state_msg);
3762 
3763  /* run command processing event loop until we get our username/password */
3764  do
3765  {
3766  man_standalone_event_loop(man, &signal_received, 0);
3767  if (!signal_received)
3768  {
3769  man_check_for_signals(&signal_received);
3770  }
3771  if (signal_received)
3772  {
3773  break;
3774  }
3775  } while (!man->persist.hold_release);
3776  }
3777 
3778  /* revert state */
3779  man->persist.standalone_disabled = standalone_disabled_save;
3780  man->persist.special_state_msg = NULL;
3782 
3783  gc_free(&gc);
3784  return true;
3785  }
3786  return false;
3787 }
3788 
3789 /*
3790  * struct command_line
3791  */
3792 
3793 struct command_line *
3795 {
3796  struct command_line *cl;
3797  ALLOC_OBJ_CLEAR(cl, struct command_line);
3798  cl->buf = alloc_buf(buf_len);
3799  cl->residual = alloc_buf(buf_len);
3800  return cl;
3801 }
3802 
3803 void
3805 {
3806  buf_clear(&cl->buf);
3807  buf_clear(&cl->residual);
3808 }
3809 
3810 void
3812 {
3813  if (!cl)
3814  {
3815  return;
3816  }
3817  command_line_reset(cl);
3818  free_buf(&cl->buf);
3819  free_buf(&cl->residual);
3820  free(cl);
3821 }
3822 
3823 void
3824 command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
3825 {
3826  int i;
3827  for (i = 0; i < len; ++i)
3828  {
3829  if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE)))
3830  {
3831  if (!buf_write_u8(&cl->buf, buf[i]))
3832  {
3833  buf_clear(&cl->buf);
3834  }
3835  }
3836  }
3837 }
3838 
3839 const char *
3841 {
3842  int i;
3843  const char *ret = NULL;
3844 
3845  i = buf_substring_len(&cl->buf, '\n');
3846  if (i >= 0)
3847  {
3848  buf_copy_excess(&cl->residual, &cl->buf, i);
3849  buf_chomp(&cl->buf);
3850  ret = BSTR(&cl->buf);
3851  }
3852  return ret;
3853 }
3854 
3855 void
3857 {
3858  buf_clear(&cl->buf);
3859  buf_copy(&cl->buf, &cl->residual);
3860  buf_clear(&cl->residual);
3861 }
3862 
3863 /*
3864  * struct log_entry
3865  */
3866 
3867 const char *
3868 log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
3869 {
3870  struct buffer out = alloc_buf_gc(ERR_BUF_SIZE, gc);
3871  if (flags & LOG_FATAL_NOTIFY)
3872  {
3873  buf_printf(&out, ">FATAL:");
3874  }
3875  if (flags & LOG_PRINT_LOG_PREFIX)
3876  {
3877  buf_printf(&out, ">LOG:");
3878  }
3879  if (flags & LOG_PRINT_ECHO_PREFIX)
3880  {
3881  buf_printf(&out, ">ECHO:");
3882  }
3883  if (flags & LOG_PRINT_STATE_PREFIX)
3884  {
3885  buf_printf(&out, ">STATE:");
3886  }
3887  if (flags & LOG_PRINT_INT_DATE)
3888  {
3889  buf_printf(&out, "%u,", (unsigned int)e->timestamp);
3890  }
3891  if (flags & LOG_PRINT_MSG_FLAGS)
3892  {
3893  buf_printf(&out, "%s,", msg_flags_string(e->u.msg_flags, gc));
3894  }
3895  if (flags & LOG_PRINT_STATE)
3896  {
3897  buf_printf(&out, "%s,", man_state_name(e->u.state));
3898  }
3899  if (flags & LOG_PRINT_INTVAL)
3900  {
3901  buf_printf(&out, "%d,", e->u.intval);
3902  }
3903  if (e->string)
3904  {
3905  buf_printf(&out, "%s", e->string);
3906  }
3907  if (flags & LOG_PRINT_LOCAL_IP)
3908  {
3909  buf_printf(&out, ",%s", print_in_addr_t(e->local_ip, IA_EMPTY_IF_UNDEF, gc));
3910  }
3911  if (flags & LOG_PRINT_REMOTE_IP)
3912  {
3913  buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," :
3915  buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," :
3917  }
3918  if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6))
3919  {
3920  buf_printf(&out, ",%s", print_in6_addr(e->local_ip6, IA_EMPTY_IF_UNDEF, gc));
3921  }
3922  if (flags & LOG_ECHO_TO_LOG)
3923  {
3924  msg(D_MANAGEMENT, "MANAGEMENT: %s", BSTR(&out));
3925  }
3926  if (flags & LOG_PRINT_CRLF)
3927  {
3928  buf_printf(&out, "\r\n");
3929  }
3930  return BSTR(&out);
3931 }
3932 
3933 static void
3935 {
3936  /* Cast away constness of const char* */
3937  free((char *)e->string);
3938  CLEAR(*e);
3939 }
3940 
3941 /*
3942  * struct log_history
3943  */
3944 
3945 static inline int
3946 log_index(const struct log_history *h, int i)
3947 {
3948  return modulo_add(h->base, i, h->capacity);
3949 }
3950 
3951 static void
3953 {
3954  CLEAR(*h);
3955  h->capacity = capacity;
3956  ALLOC_ARRAY_CLEAR(h->array, struct log_entry, capacity);
3957 }
3958 
3959 struct log_history *
3961 {
3962  struct log_history *h;
3963  ASSERT(capacity > 0);
3964  ALLOC_OBJ(h, struct log_history);
3965  log_history_obj_init(h, capacity);
3966  return h;
3967 }
3968 
3969 static void
3971 {
3972  int i;
3973  for (i = 0; i < h->size; ++i)
3974  {
3976  }
3977  free(h->array);
3978 }
3979 
3980 void
3982 {
3984  free(h);
3985 }
3986 
3987 void
3988 log_history_add(struct log_history *h, const struct log_entry *le)
3989 {
3990  struct log_entry *e;
3991  ASSERT(h->size >= 0 && h->size <= h->capacity);
3992  if (h->size == h->capacity)
3993  {
3994  e = &h->array[h->base];
3996  h->base = log_index(h, 1);
3997  }
3998  else
3999  {
4000  e = &h->array[log_index(h, h->size)];
4001  ++h->size;
4002  }
4003 
4004  *e = *le;
4005  e->string = string_alloc(le->string, NULL);
4006 }
4007 
4008 void
4009 log_history_resize(struct log_history *h, const int capacity)
4010 {
4011  if (capacity != h->capacity)
4012  {
4013  struct log_history newlog;
4014  int i;
4015 
4016  ASSERT(capacity > 0);
4017  log_history_obj_init(&newlog, capacity);
4018 
4019  for (i = 0; i < h->size; ++i)
4020  {
4021  log_history_add(&newlog, &h->array[log_index(h, i)]);
4022  }
4023 
4025  *h = newlog;
4026  }
4027 }
4028 
4029 const struct log_entry *
4030 log_history_ref(const struct log_history *h, const int index)
4031 {
4032  if (index >= 0 && index < h->size)
4033  {
4034  return &h->array[log_index(h, (h->size - 1) - index)];
4035  }
4036  else
4037  {
4038  return NULL;
4039  }
4040 }
4041 
4042 void
4043 management_sleep(const int n)
4044 {
4045  if (n < 0)
4046  {
4047  return;
4048  }
4049  else if (management)
4050  {
4051  management_event_loop_n_seconds(management, n);
4052  }
4053  else if (n > 0)
4054  {
4055  sleep(n);
4056  }
4057 }
4058 
4059 #else /* ifdef ENABLE_MANAGEMENT */
4060 
4061 void
4062 management_sleep(const int n)
4063 {
4064  if (n > 0)
4065  {
4066  sleep(n);
4067  }
4068 }
4069 
4070 #endif /* ENABLE_MANAGEMENT */
#define EKS_INPUT
Definition: manage.h:286
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3703
unsigned int platform_getpid(void)
Definition: platform.c:182
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
#define UP_QUERY_DISABLED
Definition: manage.h:244
static const char * man_state_name(const int state)
Definition: manage.c:129
void management_close(struct management *man)
Definition: manage.c:2638
#define OPENVPN_STATE_RESOLVE
Definition: manage.h:480
void command_line_reset(struct command_line *cl)
Definition: manage.c:3804
union log_entry_union u
Definition: manage.h:95
static void man_status(struct management *man, const int version, struct status_output *so)
Definition: manage.c:446
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
#define MANAGEMENT_STATE_BUFFER_SIZE
Definition: manage.h:38
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
#define MSG_NOSIGNAL
Definition: socket.h:252
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition: platform.c:112
const char * string
Definition: manage.h:90
int client_uid
Definition: manage.h:233
static void man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed, const char *prompt, char *dest, int len)
Definition: manage.c:691
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res)
Definition: socket.c:442
#define GETADDR_WARN_ON_SIGNAL
Definition: socket.h:476
static void msg_set_virtual_output(const struct virtual_output *vo)
Definition: error.h:339
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
bool buffer_list_defined(const struct buffer_list *ol)
Checks if the list is valid and non-empty.
Definition: buffer.c:1217
static void man_echo(struct management *man, const char *parm)
Definition: manage.c:638
unsigned int flags_default
Definition: status.h:34
static void man_forget_passwords(struct management *man)
Definition: manage.c:760
void free_buf(struct buffer *buf)
Definition: buffer.c:185
static void man_output_extra_env(struct management *man, const char *prefix)
Definition: manage.c:2792
#define D_MANAGEMENT_DEBUG
Definition: errlevel.h:134
static int buf_len(const struct buffer *buf)
Definition: buffer.h:240
bool management_over_tunnel
Definition: manage.h:227
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
const char * log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
Definition: manage.c:3868
int password_tries
Definition: manage.h:269
struct log_history * state
Definition: manage.h:210
#define UP_QUERY_USER_PASS
Definition: manage.h:245
#define USER_PASS_LEN
Definition: misc.h:68
#define openvpn_errno()
Definition: error.h:78
static void man_wait_for_client_connection(struct management *man, volatile int *signal_received, const time_t expire, unsigned int flags)
Definition: manage.c:3324
bool validate_peer_info_line(char *line)
Definition: misc.c:719
#define streq(x, y)
Definition: options.h:667
static void in_extra_dispatch(struct management *man)
Definition: manage.c:887
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
int state
Definition: manage.h:83
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2896
#define M_INFO
Definition: errlevel.h:55
static int log_history_size(const struct log_history *h)
Definition: manage.h:137
static void man_process_command(struct management *man, const char *line)
Definition: manage.c:1959
static bool man_password_needed(struct management *man)
Definition: manage.c:189
struct openvpn_sockaddr remote_sock
Definition: manage.h:94
static struct rw_handle * net_event_win32_get_event(struct net_event_win32 *ne)
Definition: win32.h:130
#define BOOL_CAST(x)
Definition: basic.h:27
struct man_persist persist
Definition: manage.h:314
static void man_output_list_push(struct management *man, const char *str)
Definition: manage.c:259
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
unsigned int msg_flags
Definition: manage.h:82
static bool man_persist_state(unsigned int *persistent, const int n)
Definition: manage.c:3028
void throw_signal_soft(const int signum, const char *signal_text)
Definition: sig.c:111
struct user_pass up_query
Definition: manage.h:303
bool char_class(const unsigned char c, const unsigned int flags)
Definition: buffer.c:913
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition: platform.c:73
const char * up_query_type
Definition: manage.h:301
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3009
const char * msg_flags_string(const unsigned int flags, struct gc_arena *gc)
Definition: error.c:764
#define EVENT_METHOD_FAST
Definition: event.h:80
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2816
#define CC_PRINT
Definition: buffer.h:915
#define UP_QUERY_PASS
Definition: manage.h:246
struct man_connection connection
Definition: manage.h:316
void man_bytecount_output_server(struct management *man, const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition: manage.c:485
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
static void man_proxy(struct management *man, const char **p)
Definition: manage.c:1181
struct management_callback callback
Definition: manage.h:207
#define SIGUSR1
Definition: config-msvc.h:115
static void man_record_peer_info(struct management *man)
Definition: manage.c:1618
int size
Definition: manage.h:121
const struct log_entry * log_history_ref(const struct log_history *h, const int index)
Definition: manage.c:4030
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
struct command_line * command_line_new(const int buf_len)
Definition: manage.c:3794
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1338
#define MF_UNIX_SOCK
Definition: manage.h:334
static void man_log(struct management *man, const char *parm)
Definition: manage.c:627
static void man_settings_init(struct man_settings *ms, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2373
static void man_bytecount(struct management *man, const int update_seconds)
Definition: manage.c:459
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
static void man_listen(struct management *man)
Definition: manage.c:1782
struct buffer_list * in_extra
Definition: manage.h:281
static void man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
Definition: manage.c:1055
static int modulo_add(int x, int y, int mod)
Definition: integer.h:141
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:385
void man_bytecount_output_client(struct management *man)
Definition: manage.c:473
bool defined
Definition: misc.h:58
#define OPENVPN_STATE_TCP_CONNECT
Definition: manage.h:481
unsigned long in_extra_cid
Definition: manage.h:282
#define SIZE(x)
Definition: basic.h:30
static void man_help(void)
Definition: manage.c:71
#define in_addr_t
Definition: config-msvc.h:103
struct buffer buf
Definition: manage.h:61
#define MAX_PARMS
Definition: options.h:51
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:335
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4579
struct addrinfo * local
Definition: manage.h:223
void command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
Definition: manage.c:3824
#define UP_QUERY_NEED_OK
Definition: manage.h:247
void command_line_free(struct command_line *cl)
Definition: manage.c:3811
#define SIGTERM
Definition: config-msvc.h:117
counter_type bytes_in
Definition: manage.h:216
static void get_signal(volatile int *sig)
Definition: sig.h:89
#define SIGHUP
Definition: config-msvc.h:113
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition: event.h:163
static void man_net(struct management *man)
Definition: manage.c:767
int echo_buffer_size
Definition: manage.h:230
bool management_hold(struct management *man, int holdtime)
Definition: manage.c:3742
struct in6_addr local_ip6
Definition: manage.h:92
#define ASSERT(x)
Definition: error.h:204
int ext_key_state
Definition: manage.h:288
static void virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
Definition: manage.c:308
void management_echo(struct management *man, const char *string, const bool pull)
Definition: manage.c:2946
#define OPENVPN_STATE_AUTH
Definition: manage.h:478
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
static char * management_query_multiline_flatten_newline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3618
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
int get_debug_level(void)
Definition: error.c:139
in_addr_t local_ip
Definition: manage.h:91
static void man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
Definition: manage.c:2772
char username[USER_PASS_LEN]
Definition: misc.h:70
counter_type link_read_bytes_global
Definition: forward.c:49
#define LOG_PRINT_CRLF
Definition: manage.h:107
#define PS_SHOW_PORT
Definition: socket.h:310
const char * command_line_get(struct command_line *cl)
Definition: manage.c:3840
static const char blank_up[]
Definition: manage.c:61
bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge)
Definition: manage.c:3411
#define MF_SERVER
Definition: manage.h:326
static void man_hold(struct management *man, const char *cmd)
Definition: manage.c:830
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition: event.c:1188
static void man_certificate(struct management *man)
Definition: manage.c:1118
static bool parse_uint(const char *str, const char *what, unsigned int *uint)
Definition: manage.c:950
#define LOG_PRINT_LOG_PREFIX
Definition: manage.h:98
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define LOG_PRINT_LOCAL_IP
Definition: manage.h:105
#define IEC_CLIENT_AUTH
Definition: manage.h:275
#define openvpn_close_socket(s)
Definition: socket.h:257
bool status_close(struct status_output *so)
Definition: status.c:190
time_t bytecount_last_update
Definition: manage.h:299
#define LOG_PRINT_ECHO_PREFIX
Definition: manage.h:99
#define DAF_INITIAL_AUTH
Definition: manage.h:48
const char * signal_name(const int sig, const bool upper)
Definition: sig.c:77
static void man_check_password(struct management *man, const char *line)
Definition: manage.c:195
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:363
static bool parse_cid(const char *str, unsigned long *cid)
Definition: manage.c:936
#define EKS_SOLICIT
Definition: manage.h:285
bool nocache
Definition: misc.h:62
#define CLEAR(x)
Definition: basic.h:33
#define BPTR(buf)
Definition: buffer.h:124
static int platform_state_user_uid(const struct platform_state_user *s)
Definition: platform.h:93
#define PS_DONT_SHOW_FAMILY
Definition: socket.h:313
struct buffer_list * ext_key_input
Definition: manage.h:289
void * arg
Definition: status.h:33
void net_event_win32_stop(struct net_event_win32 *ne)
Definition: win32.c:360
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const char *write_peer_info_file, const int remap_sigusr1, const unsigned int flags)
Definition: manage.c:2581
#define LOG_PRINT_INTVAL
Definition: manage.h:110
#define OPENVPN_STATE_WAIT
Definition: manage.h:477
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition: socket.h:620
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:118
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:296
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2929
char * write_peer_info_file
Definition: manage.h:232
#define MF_HOLD
Definition: manage.h:328
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:357
static void man_connection_settings_reset(struct management *man)
Definition: manage.c:1660
int up_query_mode
Definition: manage.h:302
struct env_item * list
Definition: env_set.h:44
time_t bytecount_last_update
Definition: manage.h:53
#define MN_AT_LEAST
Definition: manage.c:1150
#define counter_format
Definition: common.h:31
time_t timestamp
Definition: manage.h:89
bool(* proxy_cmd)(void *arg, const char **p)
Definition: manage.h:179
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
struct user_pass up
Definition: manage.h:228
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:178
time_t now
Definition: otime.c:36
bool standalone_disabled
Definition: manage.h:206
void log_history_close(struct log_history *h)
Definition: manage.c:3981
#define malloc
Definition: cmocka.c:1795
unsigned int flags
Definition: manage.h:49
static const char * print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
Definition: socket.h:340
void chomp(char *str)
Definition: buffer.c:650
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2822
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
static void man_pk_sig(struct management *man, const char *cmd_name)
Definition: manage.c:1102
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition: manage.c:3676
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition: manage.c:3044
struct event_set * es
Definition: manage.h:292
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2876
#define OPENVPN_STATE_ADD_ROUTES
Definition: manage.h:471
static int man_read(struct management *man)
Definition: manage.c:2164
#define LOG_PRINT_STATE_PREFIX
Definition: manage.h:100
void buffer_list_advance(struct buffer_list *ol, int n)
Definition: buffer.c:1361
#define sleep(x)
Definition: syshead.h:43
#define MANAGEMENT_VERSION
Definition: manage.h:34
static bool buf_copy_excess(struct buffer *dest, struct buffer *src, int len)
Definition: buffer.h:775
void management_event_loop_n_seconds(struct management *man, int sec)
Definition: manage.c:3359
uint64_t counter_type
Definition: common.h:30
struct management * management_init(void)
Definition: manage.c:2565
void management_auth_token(struct management *man, const char *token)
Definition: manage.c:3022
static void man_query_password(struct management *man, const char *type, const char *string)
Definition: manage.c:733
static void man_kill(struct management *man, const char *victim)
Definition: manage.c:500
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:110
int in_extra_cmd
Definition: manage.h:280
#define GET_USER_PASS_NEED_OK
Definition: misc.h:111
static void man_history(struct management *man, const char *parm, const char *type, struct log_history *log, bool *realtime, const unsigned int lep_flags)
Definition: manage.c:581
int capacity
Definition: manage.h:122
#define OPENVPN_STATE_CONNECTING
Definition: manage.h:469
static int socket_defined(const socket_descriptor_t sd)
Definition: syshead.h:452
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:470
#define MANSIG_MAP_USR1_TO_TERM
Definition: manage.h:239
#define EKS_UNDEF
Definition: manage.h:284
static void man_accept(struct management *man)
Definition: manage.c:1744
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
struct command_line * in
Definition: manage.h:271
static void man_delete_unix_socket(struct management *man)
Definition: manage.c:281
static void man_env_filter(struct management *man, const int level)
Definition: manage.c:1094
static void man_send_cc_message(struct management *man, const char *message, const char *parameters)
Definition: manage.c:780
static void man_connect(struct management *man)
Definition: manage.c:1845
static bool man_check_for_signals(volatile int *signal_received)
Definition: manage.c:3203
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2905
#define MWCC_PASSWORD_WAIT
Definition: manage.c:3316
#define AF_DID_PUSH
static void event_reset(struct event_set *es)
Definition: event.h:145
void net_event_win32_reset(struct net_event_win32 *ne)
Definition: win32.c:354
struct net_event_win32 ne32
Definition: manage.h:264
static int man_block(struct management *man, volatile int *signal_received, const time_t expire)
Definition: manage.c:3220
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition: event.h:157
void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only)
Definition: socket.c:1382
int state_buffer_size
Definition: manage.h:231
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
void net_event_win32_init(struct net_event_win32 *ne)
Definition: win32.c:320
void buffer_list_reset(struct buffer_list *ol)
Empty the list ol and frees all the contained buffers.
Definition: buffer.c:1223
struct openvpn_sockaddr remote
Definition: manage.h:261
union openvpn_sockaddr::@10 addr
void sd_close(socket_descriptor_t *sd)
Definition: socket.c:3837
#define OPENVPN_STATE_ASSIGN_IP
Definition: manage.h:470
static void man_signal(struct management *man, const char *name)
Definition: manage.c:416
static void man_update_io_state(struct management *man)
Definition: manage.c:220
void net_event_win32_close(struct net_event_win32 *ne)
Definition: win32.c:371
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
#define M_ERRNO
Definition: error.h:103
char * string
Definition: env_set.h:38
socket_descriptor_t sd_cli
Definition: manage.h:260
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2916
#define LOG_PRINT_STATE
Definition: manage.h:104
void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2855
counter_type link_write_bytes_global
Definition: forward.c:50
static char * management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3647
#define GETADDR_HOST_ORDER
Definition: socket.h:473
void command_line_next(struct command_line *cl)
Definition: manage.c:3856
const char * auth_retry_print(void)
Definition: options.c:4419
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition: manage.h:165
int buf_substring_len(const struct buffer *buf, int delim)
Definition: buffer.c:839
static void man_output_standalone(struct management *man, volatile int *signal_received)
Definition: manage.c:3279
bool state_realtime
Definition: manage.h:295
struct management * management
Definition: manage.c:63
static bool management_connected(const struct management *man)
Definition: manage.h:433
#define IER_NEW
Definition: manage.c:861
static void net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_events)
Definition: win32.h:142
static void event_free(struct event_set *es)
Definition: event.h:136
static int platform_state_group_gid(const struct platform_state_group *s)
Definition: platform.h:105
#define GET_USER_PASS_NEED_STR
Definition: misc.h:113
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
bool hold_release
Definition: manage.h:212
#define SOCKET_UNDEFINED
Definition: syshead.h:444
static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
Definition: manage.c:1004
#define IER_RESET
Definition: manage.c:860
unsigned int mansig
Definition: manage.h:240
void buf_chomp(struct buffer *buf)
Definition: buffer.c:590
static void man_connection_init(struct management *man)
Definition: manage.c:2493
struct log_history * log_history_init(const int capacity)
Definition: manage.c:3960
static void man_welcome(struct management *man)
Definition: manage.c:178
static void man_query_need_ok(struct management *man, const char *type, const char *action)
Definition: manage.c:746
static void man_stop_ne32(struct management *man)
Definition: manage.c:1610
#define EVENT_READ
Definition: event.h:39
bool defined
Definition: manage.h:201
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
counter_type bytes_out
Definition: manage.h:217
bool management_should_daemonize(struct management *man)
Definition: manage.c:3732
#define BLEN(buf)
Definition: buffer.h:127
void log_history_resize(struct log_history *h, const int capacity)
Definition: manage.c:4009
struct openvpn_sockaddr local_sock
Definition: manage.h:93
static int man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
Definition: manage.c:3302
static void man_up_finalize(struct management *man)
Definition: manage.c:661
#define LOG_FATAL_NOTIFY
Definition: manage.h:108
#define msg(flags,...)
Definition: error.h:153
int(* n_clients)(void *arg)
Definition: manage.h:164
void set_nonblock(socket_descriptor_t fd)
Definition: fdmisc.c:71
#define MF_FORGET_DISCONNECT
Definition: manage.h:330
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:129
void(* func)(void *arg, const unsigned int flags, const char *str)
Definition: status.h:35
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition: socket.c:1436
struct virtual_output vout
Definition: manage.h:204
#define IEC_PK_SIGN
Definition: manage.h:279
static int log_index(const struct log_history *h, int i)
Definition: manage.c:3946
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2648
void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd)
Definition: win32.c:327
#define ALLOC_ARRAY_CLEAR(dptr, type, n)
Definition: buffer.h:1066
int base
Definition: manage.h:120
struct log_history * log
Definition: manage.h:203
static void man_persist_close(struct man_persist *mp)
Definition: manage.c:2351
#define OPENVPN_STATE_RECONNECTING
Definition: manage.h:473
#define MS_LISTEN
Definition: manage.h:252
static void man_query_need_str(struct management *man, const char *type, const char *action)
Definition: manage.c:753
int parse_signal(const char *signame)
Definition: sig.c:63
const char * print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2714
static void set_client_version(struct management *man, const char *version)
Definition: manage.c:1246
void buffer_list_push(struct buffer_list *ol, const char *str)
Allocates and appends a new buffer containing str as data to ol.
Definition: buffer.c:1238
#define SIGINT
Definition: config-msvc.h:114
#define MF_QUERY_PASSWORDS
Definition: manage.h:327
const char * special_state_msg
Definition: manage.h:214
int log_history_cache
Definition: manage.h:229
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
#define M_ERR
Definition: error.h:114
static void man_client_n_clients(struct management *man)
Definition: manage.c:1080
socket_descriptor_t create_socket_tcp(struct addrinfo *addrinfo)
Definition: socket.c:1010
static int man_mod_signal(const struct management *man, const int signum)
Definition: manage.c:390
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define MANSIG_MAP_USR1_TO_HUP
Definition: manage.h:238
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:861
static void log_entry_free_contents(struct log_entry *e)
Definition: manage.c:3934
#define IEC_UNDEF
Definition: manage.h:274
static void man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size)
Definition: manage.c:2313
#define GETADDR_FATAL
Definition: socket.h:472
int client_version
Definition: manage.h:309
#define EKS_READY
Definition: manage.h:287
static void man_remote(struct management *man, const char **p)
Definition: manage.c:1202
int env_filter_level
Definition: manage.h:293
void management_clear_callback(struct management *man)
Definition: manage.c:2656
static void man_state(struct management *man, const char *parm)
Definition: manage.c:649
#define MF_UP_DOWN
Definition: manage.h:338
static void log_history_free_contents(struct log_history *h)
Definition: manage.c:3970
SOCKET socket_descriptor_t
Definition: syshead.h:445
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:107
#define OPENVPN_STATE_GET_CONFIG
Definition: manage.h:479
struct log_entry * array
Definition: manage.h:123
#define OPENVPN_STATE_INITIAL
Definition: manage.h:468
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
Definition: misc.h:56
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition: manage.c:2806
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:98
void log_history_add(struct log_history *h, const struct log_entry *le)
Definition: manage.c:3988
struct buffer_list * ext_cert_input
Definition: manage.h:291
bool echo_realtime
Definition: manage.h:297
unsigned int flags
Definition: manage.h:222
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
Definition: manage.h:36
socket_descriptor_t sd_top
Definition: manage.h:259
struct buffer residual
Definition: manage.h:62
static void man_new_connection_post(struct management *man, const char *description)
Definition: manage.c:1673
#define IEC_CERTIFICATE
Definition: manage.h:278
int intval
Definition: manage.h:84
static void log_history_obj_init(struct log_history *h, int capacity)
Definition: manage.c:3952
int get_mute_cutoff(void)
Definition: error.c:145
void management_io(struct management *man)
Definition: manage.c:3084
#define LOG_PRINT_REMOTE_IP
Definition: manage.h:112
Definition: manage.h:87
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2665
static bool man_io_error(struct management *man, const char *prefix)
Definition: manage.c:2009
static void man_close_socket(struct management *man, const socket_descriptor_t sd)
Definition: manage.c:292
static void in_extra_reset(struct man_connection *mc, const int mode)
Definition: manage.c:864
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition: manage.c:2879
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define OPENVPN_STATE_EXITING
Definition: manage.h:474
#define MANSIG_IGNORE_USR1_HUP
Definition: manage.h:237
#define LOG_PRINT_MSG_FLAGS
Definition: manage.h:103
#define LOG_PRINT_INT_DATE
Definition: manage.h:102
#define MWCC_HOLD_WAIT
Definition: manage.c:3317
#define GETADDR_MSG_VIRT_OUT
Definition: socket.h:477
#define AF_DID_RESET
#define M_WARN
Definition: error.h:100
static bool ignore_sys_error(const int err)
Definition: error.h:355
static int min_int(int x, int y)
Definition: integer.h:82
#define ERR_BUF_SIZE
Definition: error.h:43
void management_pre_tunnel_close(struct management *man)
Definition: manage.c:3000
#define M_CLIENT
Definition: error.h:116
socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
Definition: socket.c:1216
void throw_signal(const int signum)
Definition: sig.c:104
#define free
Definition: cmocka.c:1850
#define EVENT_WRITE
Definition: event.h:40
static uint8_t * buf_bptr(const struct buffer *buf)
Definition: buffer.h:227
struct buffer_list * out
Definition: manage.h:272
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
static void man_query_username(struct management *man, const char *type, const char *string)
Definition: manage.c:725
static void man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
Definition: manage.c:1022
static bool env_filter_match(const char *env_str, const int env_filter_level)
Definition: manage.c:2724
#define DAF_CONNECTION_ESTABLISHED
Definition: manage.h:46
unsigned long cid
Definition: manage.h:44
#define MWCC_OTHER_WAIT
Definition: manage.c:3318
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:689
static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition: manage.c:3541
#define DAF_CONNECTION_CLOSED
Definition: manage.h:47
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing...
Definition: manage.c:4043
#define GETADDR_PASSIVE
Definition: socket.h:481
static bool man_need(struct management *man, const char **p, const int n, unsigned int flags)
Checks if the correct number of arguments to a management command are present and otherwise prints an...
Definition: manage.c:1161
bool defined
Definition: manage.h:221
void net_event_win32_reset_write(struct net_event_win32 *ne)
Definition: win32.c:336
#define MS_INITIAL
Definition: manage.h:251
static void man_reset_client_socket(struct management *man, const bool exiting)
Definition: manage.c:1914
bool(* remote_cmd)(void *arg, const char **p)
Definition: manage.h:180
#define BSTR(buf)
Definition: buffer.h:129
#define MAPF_SUBNET
Definition: mroute.h:157
static void man_settings_close(struct man_settings *ms)
Definition: manage.c:2481
#define LOG_ECHO_TO_LOG
Definition: manage.h:114
#define OPENVPN_STATE_CONNECTED
Definition: manage.h:472
static long net_event_win32_get_event_mask(const struct net_event_win32 *ne)
Definition: win32.h:136
static void man_output_list_push_finalize(struct management *man)
Definition: manage.c:236
char password[USER_PASS_LEN]
Definition: misc.h:71
static bool man_standalone_ok(const struct management *man)
Definition: manage.c:3197
#define MS_CC_WAIT_WRITE
Definition: manage.h:254
#define MANAGEMENT_N_PASSWORD_RETRIES
Definition: manage.h:35
bool log_realtime
Definition: manage.h:296
static void man_start_ne32(struct management *man)
Definition: manage.c:1591
bool password_verified
Definition: manage.h:268
static void update_time(void)
Definition: otime.h:77
unsigned int in_extra_kid
Definition: manage.h:283
static SERVICE_STATUS status
Definition: interactive.c:56
static void man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
Definition: manage.c:2828
static void man_connection_close(struct management *man)
Definition: manage.c:2538
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition: manage.c:2977
int bytecount_update_seconds
Definition: manage.h:298
#define MANAGEMENT_ECHO_FLAGS
Definition: manage.c:57
static void man_client_pending_auth(struct management *man, const char *cid_str, const char *extra, const char *timeout_str)
Will send a notification to the client that succesful authentication will require an additional step ...
Definition: manage.c:973
struct sockaddr sa
Definition: socket.h:68
static int man_write(struct management *man)
Definition: manage.c:2258
#define MF_SIGNAL
Definition: manage.h:329
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1279
#define GETADDR_RESOLVE
Definition: socket.h:471
#define ssize_t
Definition: config-msvc.h:104
void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len ...
Definition: buffer.c:1292
int client_gid
Definition: manage.h:234
static void man_load_stats(struct management *man)
Definition: manage.c:1134
static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
Definition: manage.c:1255
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:174
#define OPENVPN_STATE_AUTH_PENDING
Definition: manage.h:482
bool auth_retry_set(const int msglevel, const char *option)
Definition: options.c:4396
const char title_string[]
Definition: options.c:67
bool set_mute_cutoff(const int cutoff)
Definition: error.c:125
static void man_prompt(struct management *man)
Definition: manage.c:266
#define CC_NEWLINE
Definition: buffer.h:921
static void man_connection_clear(struct man_connection *mc)
Definition: manage.c:2300
#define D_MANAGEMENT
Definition: errlevel.h:88
static void man_output_list_push_str(struct management *man, const char *str)
Definition: manage.c:250
struct man_settings settings
Definition: manage.h:315
bool management_would_hold(struct management *man)
Definition: manage.c:3722
#define MS_CC_WAIT_READ
Definition: manage.h:253
#define D_LINK_ERRORS
Definition: errlevel.h:57
struct log_history * echo
Definition: manage.h:209
#define MF_CONNECT_AS_CLIENT
Definition: manage.h:331
#define OPENVPN_STATE_CLIENT_BASE
Definition: manage.h:485
#define MANAGEMENT_ECHO_BUFFER_SIZE
Definition: manage.h:37
#define UP_QUERY_NEED_STR
Definition: manage.h:248
int ext_cert_state
Definition: manage.h:290