OpenVPN
multi.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#ifdef HAVE_SYS_INOTIFY_H
28#include <sys/inotify.h>
29#define INOTIFY_EVENT_BUFFER_SIZE 16384
30#endif
31
32#include "syshead.h"
33
34#include "forward.h"
35#include "multi.h"
36#include "push.h"
37#include "run_command.h"
38#include "otime.h"
39#include "gremlin.h"
40#include "mstats.h"
41#include "ssl_verify.h"
42#include "ssl_ncp.h"
43#include "vlan.h"
44#include "auth_token.h"
45#include <inttypes.h>
46#include <string.h>
47
48#include "memdbg.h"
49
50
51#include "crypto_backend.h"
52#include "ssl_util.h"
53#include "dco.h"
54#include "reflect_filter.h"
55
56/*#define MULTI_DEBUG_EVENT_LOOP*/
57
58#ifdef MULTI_DEBUG_EVENT_LOOP
59static const char *
60id(struct multi_instance *mi)
61{
62 if (mi)
63 {
64 return tls_common_name(mi->context.c2.tls_multi, false);
65 }
66 else
67 {
68 return "NULL";
69 }
70}
71#endif
72
73#ifdef ENABLE_MANAGEMENT
74static void
75set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
76{
77 buffer_list_free(mi->cc_config);
78 mi->cc_config = cc_config;
79}
80#endif
81
82static inline void
83update_mstat_n_clients(const int n_clients)
84{
85#ifdef ENABLE_MEMSTATS
86 if (mmap_stats)
87 {
88 mmap_stats->n_clients = n_clients;
89 }
90#endif
91}
92
93static bool
94learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op,
95 const struct mroute_addr *addr)
96{
97 struct gc_arena gc = gc_new();
98 struct env_set *es;
99 bool ret = true;
100 struct plugin_list *plugins;
101
102 /* get environmental variable source */
103 if (mi && mi->context.c2.es)
104 {
105 es = mi->context.c2.es;
106 }
107 else
108 {
109 es = env_set_create(&gc);
110 }
111
112 /* get plugin source */
113 if (mi)
114 {
115 plugins = mi->context.plugins;
116 }
117 else
118 {
119 plugins = m->top.plugins;
120 }
121
122 if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
123 {
124 struct argv argv = argv_new();
125 argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
126 if (mi)
127 {
128 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
129 }
130 if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es)
131 != OPENVPN_PLUGIN_FUNC_SUCCESS)
132 {
133 msg(M_WARN, "WARNING: learn-address plugin call failed");
134 ret = false;
135 }
136 argv_free(&argv);
137 }
138
139 if (m->top.options.learn_address_script)
140 {
141 struct argv argv = argv_new();
142 setenv_str(es, "script_type", "learn-address");
143 argv_parse_cmd(&argv, m->top.options.learn_address_script);
144 argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
145 if (mi)
146 {
147 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
148 }
149 if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
150 {
151 ret = false;
152 }
153 argv_free(&argv);
154 }
155
156 gc_free(&gc);
157 return ret;
158}
159
160void
161multi_ifconfig_pool_persist(struct multi_context *m, bool force)
162{
163 /* write pool data to file */
164 if (m->ifconfig_pool && m->top.c1.ifconfig_pool_persist
165 && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
166 {
167 ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
168 }
169}
170
171static void
172multi_reap_range(const struct multi_context *m, uint32_t start_bucket, uint32_t end_bucket)
173{
174 struct gc_arena gc = gc_new();
175 struct hash_iterator hi;
176 struct hash_element *he;
177
178 dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
179 hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
180 while ((he = hash_iterator_next(&hi)) != NULL)
181 {
182 struct multi_route *r = (struct multi_route *)he->value;
183 if (!multi_route_defined(m, r))
184 {
185 dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc));
186 learn_address_script(m, NULL, "delete", &r->addr);
187 multi_route_del(r);
188 hash_iterator_delete_element(&hi);
189 }
190 }
191 hash_iterator_free(&hi);
192 gc_free(&gc);
193}
194
195static void
196multi_reap_all(const struct multi_context *m)
197{
198 multi_reap_range(m, 0, hash_n_buckets(m->vhash));
199}
200
201static struct multi_reap *
202multi_reap_new(uint32_t buckets_per_pass)
203{
204 struct multi_reap *mr;
205 ALLOC_OBJ(mr, struct multi_reap);
206 mr->bucket_base = 0;
207 mr->buckets_per_pass = buckets_per_pass;
208 mr->last_call = now;
209 return mr;
210}
211
212void
213multi_reap_process_dowork(const struct multi_context *m)
214{
215 struct multi_reap *mr = m->reaper;
216 if (mr->bucket_base >= hash_n_buckets(m->vhash))
217 {
218 mr->bucket_base = 0;
219 }
220 multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
221 mr->bucket_base += mr->buckets_per_pass;
222 mr->last_call = now;
223}
224
225static void
226multi_reap_free(struct multi_reap *mr)
227{
228 free(mr);
229}
230
231/*
232 * How many buckets in vhash to reap per pass.
233 */
234static uint32_t
235reap_buckets_per_pass(uint32_t n_buckets)
236{
237 return constrain_uint(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
238}
239
240#ifdef ENABLE_MANAGEMENT
241
242static uint32_t
243cid_hash_function(const void *key, uint32_t iv)
244{
245 const unsigned long *k = (const unsigned long *)key;
246 return (uint32_t)*k;
247}
248
249static bool
250cid_compare_function(const void *key1, const void *key2)
251{
252 const unsigned long *k1 = (const unsigned long *)key1;
253 const unsigned long *k2 = (const unsigned long *)key2;
254 return *k1 == *k2;
255}
256
257#endif
258
259#if defined(__GNUC__) || defined(__clang__)
260#pragma GCC diagnostic push
261#pragma GCC diagnostic ignored "-Wconversion"
262#endif
263
264#ifdef ENABLE_ASYNC_PUSH
265static uint32_t
266/*
267 * inotify watcher descriptors are used as hash value
268 */
269int_hash_function(const void *key, uint32_t iv)
270{
271 return (unsigned long)key;
272}
273
274static bool
275int_compare_function(const void *key1, const void *key2)
276{
277 return (unsigned long)key1 == (unsigned long)key2;
278}
279#endif
280
281/*
282 * Main initialization function, init multi_context object.
283 */
284static void
285multi_init(struct context *t)
286{
287 struct multi_context *m = t->multi;
288 int dev = DEV_TYPE_UNDEF;
289
290 msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
291 t->options.virtual_hash_size);
292
293 /*
294 * Get tun/tap/null device type
295 */
296 dev = dev_type_enum(t->options.dev, t->options.dev_type);
297
298 /*
299 * Init our multi_context object.
300 */
301 CLEAR(*m);
302
303 /*
304 * Real address hash table (source port number is
305 * considered to be part of the address). Used
306 * to determine which client sent an incoming packet
307 * which is seen on the TCP/UDP socket.
308 */
309 m->hash = hash_init(t->options.real_hash_size, get_random(), mroute_addr_hash_function,
310 mroute_addr_compare_function);
311
312 /*
313 * Virtual address hash table. Used to determine
314 * which client to route a packet to.
315 */
316 m->vhash = hash_init(t->options.virtual_hash_size, get_random(), mroute_addr_hash_function,
317 mroute_addr_compare_function);
318
319 /*
320 * This hash table is a clone of m->hash but with a
321 * bucket size of one so that it can be used
322 * for fast iteration through the list.
323 */
324 m->iter = hash_init(1, get_random(), mroute_addr_hash_function, mroute_addr_compare_function);
325
326#ifdef ENABLE_MANAGEMENT
327 m->cid_hash = hash_init(t->options.real_hash_size, 0, cid_hash_function, cid_compare_function);
328#endif
329
330#ifdef ENABLE_ASYNC_PUSH
331 /*
332 * Mapping between inotify watch descriptors and
333 * multi_instances.
334 */
335 m->inotify_watchers =
336 hash_init(t->options.real_hash_size, get_random(), int_hash_function, int_compare_function);
337#endif
338
339 /*
340 * This is our scheduler, for time-based wakeup
341 * events.
342 */
343 m->schedule = schedule_init();
344
345 /*
346 * Limit frequency of incoming connections to control
347 * DoS.
348 */
349 m->new_connection_limiter = frequency_limit_init(t->options.cf_max, t->options.cf_per);
350 m->initial_rate_limiter =
351 initial_rate_limit_init(t->options.cf_initial_max, t->options.cf_initial_per);
352
353 /*
354 * Allocate broadcast/multicast buffer list
355 */
356 m->mbuf = mbuf_init(t->options.n_bcast_buf);
357
358 /*
359 * Different status file format options are available
360 */
361 m->status_file_version = t->options.status_file_version;
362
363 /*
364 * Possibly allocate an ifconfig pool, do it
365 * differently based on whether a tun or tap style
366 * tunnel.
367 */
368 if (t->options.ifconfig_pool_defined || t->options.ifconfig_ipv6_pool_defined)
369 {
370 int pool_type = IFCONFIG_POOL_INDIV;
371
372 if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
373 {
374 pool_type = IFCONFIG_POOL_30NET;
375 }
376
377 m->ifconfig_pool = ifconfig_pool_init(
378 t->options.ifconfig_pool_defined, pool_type, t->options.ifconfig_pool_start,
379 t->options.ifconfig_pool_end, t->options.duplicate_cn,
380 t->options.ifconfig_ipv6_pool_defined, t->options.ifconfig_ipv6_pool_base,
381 t->options.ifconfig_ipv6_pool_netbits);
382
383 /* reload pool data from file */
384 if (t->c1.ifconfig_pool_persist)
385 {
386 ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
387 }
388 }
389
390 /*
391 * Help us keep track of routing table.
392 */
393 m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
394
395 /*
396 * Initialize route and instance reaper.
397 */
398 m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
399
400 /*
401 * Get local ifconfig address
402 */
403 CLEAR(m->local);
404 ASSERT(t->c1.tuntap);
405 mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
406
407 /*
408 * Per-client limits
409 */
410 m->max_clients = t->options.max_clients;
411
412 m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
413
414 m->top.c2.event_set = t->c2.event_set;
415
416 /*
417 * Initialize multi-socket I/O wait object
418 */
419 m->multi_io = multi_io_init(m->max_clients);
420 m->tcp_queue_limit = t->options.tcp_queue_limit;
421
422 /*
423 * Allow client <-> client communication, without going through
424 * tun/tap interface and network stack?
425 */
426 m->enable_c2c = t->options.enable_c2c;
427
428 /* initialize stale routes check timer */
429 if (t->options.stale_routes_check_interval > 0)
430 {
431 msg(M_INFO,
432 "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
433 t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
434 event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
435 }
436
437 m->deferred_shutdown_signal.signal_received = 0;
438}
439
440const char *
441multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
442{
443 if (mi)
444 {
445 struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
446 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
447
448 if (cn)
449 {
450 buf_printf(&out, "%s/", cn);
451 }
452 buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
453 if (mi->context.c2.tls_multi && check_debug_level(D_DCO_DEBUG)
454 && dco_enabled(&mi->context.options))
455 {
456 buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
457 }
458 return BSTR(&out);
459 }
460 else if (null)
461 {
462 return NULL;
463 }
464 else
465 {
466 return "UNDEF";
467 }
468}
469
470static void
471generate_prefix(struct multi_instance *mi)
472{
473 struct gc_arena gc = gc_new();
474 const char *prefix = multi_instance_string(mi, true, &gc);
475 if (prefix)
476 {
477 strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
478 }
479 else
480 {
481 mi->msg_prefix[0] = '\0';
482 }
483 set_prefix(mi);
484 gc_free(&gc);
485}
486
487void
488ungenerate_prefix(struct multi_instance *mi)
489{
490 mi->msg_prefix[0] = '\0';
491 set_prefix(mi);
492}
493
494/*
495 * Tell the route helper about deleted iroutes so
496 * that it can update its mask of currently used
497 * CIDR netlengths.
498 */
499static void
500multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
501{
502 const struct iroute *ir;
503 const struct iroute_ipv6 *ir6;
504
505 dco_delete_iroutes(m, mi);
506
507 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
508 {
509 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
510 {
511 mroute_helper_del_iroute46(m->route_helper, ir->netbits);
512 }
513
514 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
515 {
516 mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
517 }
518 }
519}
520
521static void
522setenv_stats(struct multi_context *m, struct context *c)
523{
524 if (dco_enabled(&m->top.options))
525 {
526 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, false) < 0)
527 {
528 return;
529 }
530 }
531
532 setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
533 setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
534}
535
536static void
537multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
538{
539 /* setenv client real IP address */
540 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
541
542 /* setenv stats */
543 setenv_stats(m, &mi->context);
544
545 /* setenv connection duration */
546 setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
547}
548
549static void
550multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
551{
552 multi_client_disconnect_setenv(m, mi);
553
554 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
555 {
556 if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL,
557 mi->context.c2.es)
558 != OPENVPN_PLUGIN_FUNC_SUCCESS)
559 {
560 msg(M_WARN, "WARNING: client-disconnect plugin call failed");
561 }
562 }
563
564 if (mi->context.options.client_disconnect_script)
565 {
566 struct argv argv = argv_new();
567 setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
568 argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
569 openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
570 argv_free(&argv);
571 }
572#ifdef ENABLE_MANAGEMENT
573 if (management)
574 {
575 management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
576 }
577#endif
578}
579
580void
581multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
582{
583 perf_push(PERF_MULTI_CLOSE_INSTANCE);
584
585 ASSERT(!mi->halt);
586 mi->halt = true;
587 bool is_dgram = proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto);
588
589 dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
590
591 /* adjust current client connection count */
592 m->n_clients += mi->n_clients_delta;
593 update_mstat_n_clients(m->n_clients);
594 mi->n_clients_delta = 0;
595
596 /* prevent dangling pointers */
597 if (m->pending == mi)
598 {
599 multi_set_pending(m, NULL);
600 }
601 if (m->earliest_wakeup == mi)
602 {
603 m->earliest_wakeup = NULL;
604 }
605
606 if (!shutdown)
607 {
608 if (mi->did_real_hash)
609 {
610 ASSERT(hash_remove(m->hash, &mi->real));
611 }
612 if (mi->did_iter)
613 {
614 ASSERT(hash_remove(m->iter, &mi->real));
615 }
616#ifdef ENABLE_MANAGEMENT
617 if (mi->did_cid_hash)
618 {
619 ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
620 }
621#endif
622
623#ifdef ENABLE_ASYNC_PUSH
624 if (mi->inotify_watch != -1)
625 {
626 hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
627 mi->inotify_watch = -1;
628 }
629#endif
630
631 if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
632 {
633 m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
634 }
635
636 schedule_remove_entry(m->schedule, (struct schedule_entry *)mi);
637
638 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
639
640 if (mi->did_iroutes)
641 {
642 multi_del_iroutes(m, mi);
643 mi->did_iroutes = false;
644 }
645
646 if (!is_dgram)
647 {
648 multi_tcp_dereference_instance(m->multi_io, mi);
649 }
650
651 mbuf_dereference_instance(m->mbuf, mi);
652 }
653
654#ifdef ENABLE_MANAGEMENT
655 set_cc_config(mi, NULL);
656#endif
657
658 if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
659 {
660 multi_client_disconnect_script(m, mi);
661 }
662
663 close_context(&mi->context, SIGTERM, CC_GC_FREE);
664
665 multi_tcp_instance_specific_free(mi);
666
667 ungenerate_prefix(mi);
668
669 /*
670 * Don't actually delete the instance memory allocation yet,
671 * because virtual routes may still point to it. Let the
672 * vhash reaper deal with it.
673 */
674 multi_instance_dec_refcount(mi);
675
676 perf_pop();
677}
678
679/*
680 * Called on shutdown or restart.
681 */
682static void
683multi_uninit(struct multi_context *m)
684{
685 if (m->hash)
686 {
687 struct hash_iterator hi;
688 struct hash_element *he;
689
690 hash_iterator_init(m->iter, &hi);
691 while ((he = hash_iterator_next(&hi)))
692 {
693 struct multi_instance *mi = (struct multi_instance *)he->value;
694 mi->did_iter = false;
695 multi_close_instance(m, mi, true);
696 }
697 hash_iterator_free(&hi);
698
699 multi_reap_all(m);
700
701 hash_free(m->hash);
702 hash_free(m->vhash);
703 hash_free(m->iter);
704#ifdef ENABLE_MANAGEMENT
705 hash_free(m->cid_hash);
706#endif
707 m->hash = NULL;
708
709 free(m->instances);
710
711#ifdef ENABLE_ASYNC_PUSH
712 hash_free(m->inotify_watchers);
713 m->inotify_watchers = NULL;
714#endif
715
716 schedule_free(m->schedule);
717 mbuf_free(m->mbuf);
718 ifconfig_pool_free(m->ifconfig_pool);
719 frequency_limit_free(m->new_connection_limiter);
720 initial_rate_limit_free(m->initial_rate_limiter);
721 multi_reap_free(m->reaper);
722 mroute_helper_free(m->route_helper);
723 multi_io_free(m->multi_io);
724 }
725}
726
727/*
728 * Create a client instance object for a newly connected client.
729 */
730struct multi_instance *
731multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
732 struct link_socket *sock)
733{
734 struct gc_arena gc = gc_new();
735 struct multi_instance *mi;
736
737 perf_push(PERF_MULTI_CREATE_INSTANCE);
738
739 msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
740
741 ALLOC_OBJ_CLEAR(mi, struct multi_instance);
742
743 mi->gc = gc_new();
744 multi_instance_inc_refcount(mi);
745 mi->vaddr_handle = -1;
746 mi->created = now;
747 mroute_addr_init(&mi->real);
748
749 if (real)
750 {
751 mi->real = *real;
752 generate_prefix(mi);
753 }
754
755 inherit_context_child(&mi->context, &m->top, sock);
756 if (IS_SIG(&mi->context))
757 {
758 goto err;
759 }
760
761 mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
762
763 if (hash_n_elements(m->hash) >= m->max_clients)
764 {
765 msg(D_MULTI_ERRORS,
766 "MULTI: new incoming connection would exceed maximum number of clients (%d)",
767 m->max_clients);
768 goto err;
769 }
770
771 if (!real) /* TCP mode? */
772 {
773 if (!multi_tcp_instance_specific_init(m, mi))
774 {
775 goto err;
776 }
777 generate_prefix(mi);
778 }
779
780 if (!hash_add(m->iter, &mi->real, mi, false))
781 {
782 msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
783 mroute_addr_print(&mi->real, &gc));
784 goto err;
785 }
786 mi->did_iter = true;
787
788#ifdef ENABLE_MANAGEMENT
789 do
790 {
791 mi->context.c2.mda_context.cid = m->cid_counter++;
792 } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
793 mi->did_cid_hash = true;
794#endif
795
796 mi->context.c2.push_request_received = false;
797#ifdef ENABLE_ASYNC_PUSH
798 mi->inotify_watch = -1;
799#endif
800
801 if (!multi_process_post(m, mi, MPP_PRE_SELECT))
802 {
803 msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
804 goto err;
805 }
806
807 mi->ev_arg.type = EVENT_ARG_MULTI_INSTANCE;
808 mi->ev_arg.u.mi = mi;
809
810 perf_pop();
811 gc_free(&gc);
812 return mi;
813
814err:
815 multi_close_instance(m, mi, false);
816 perf_pop();
817 gc_free(&gc);
818 return NULL;
819}
820
821/*
822 * Dump tables -- triggered by SIGUSR2.
823 * If status file is defined, write to file.
824 * If status file is NULL, write to syslog.
825 */
826static void
827multi_print_status(struct multi_context *m, struct status_output *so, const int version)
828{
829 if (m->hash)
830 {
831 struct gc_arena gc_top = gc_new();
832 struct hash_iterator hi;
833 const struct hash_element *he;
834
835 status_reset(so);
836
837 if (dco_enabled(&m->top.options))
838 {
839 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, true) < 0)
840 {
841 return;
842 }
843 }
844
845 if (version == 1)
846 {
847 /*
848 * Status file version 1
849 */
850 status_printf(so, "OpenVPN CLIENT LIST");
851 status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
852 status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
853 hash_iterator_init(m->hash, &hi);
854 while ((he = hash_iterator_next(&hi)))
855 {
856 struct gc_arena gc = gc_new();
857 const struct multi_instance *mi = (struct multi_instance *)he->value;
858
859 if (!mi->halt)
860 {
861 status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
862 tls_common_name(mi->context.c2.tls_multi, false),
863 mroute_addr_print(&mi->real, &gc),
864 mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
865 mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
866 time_string(mi->created, 0, false, &gc));
867 }
868 gc_free(&gc);
869 }
870 hash_iterator_free(&hi);
871
872 status_printf(so, "ROUTING TABLE");
873 status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
874 hash_iterator_init(m->vhash, &hi);
875 while ((he = hash_iterator_next(&hi)))
876 {
877 struct gc_arena gc = gc_new();
878 const struct multi_route *route = (struct multi_route *)he->value;
879
880 if (multi_route_defined(m, route))
881 {
882 const struct multi_instance *mi = route->instance;
883 const struct mroute_addr *ma = &route->addr;
884 char flags[2] = { 0, 0 };
885
886 if (route->flags & MULTI_ROUTE_CACHE)
887 {
888 flags[0] = 'C';
889 }
890 status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags,
891 tls_common_name(mi->context.c2.tls_multi, false),
892 mroute_addr_print(&mi->real, &gc),
893 time_string(route->last_reference, 0, false, &gc));
894 }
895 gc_free(&gc);
896 }
897 hash_iterator_free(&hi);
898
899 status_printf(so, "GLOBAL STATS");
900 if (m->mbuf)
901 {
902 status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf));
903 }
904
905 status_printf(so, "END");
906 }
907 else if (version == 2 || version == 3)
908 {
909 const char sep = (version == 3) ? '\t' : ',';
910
911 /*
912 * Status file version 2 and 3
913 */
914 status_printf(so, "TITLE%c%s", sep, title_string);
915 status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep,
916 (unsigned int)now);
917 status_printf(
918 so,
919 "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
920 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
921 hash_iterator_init(m->hash, &hi);
922 while ((he = hash_iterator_next(&hi)))
923 {
924 struct gc_arena gc = gc_new();
925 const struct multi_instance *mi = (struct multi_instance *)he->value;
926
927 if (!mi->halt)
928 {
929 status_printf(
930 so,
931 "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format
932 "%c%s%c%u%c%s%c"
933#ifdef ENABLE_MANAGEMENT
934 "%lu"
935#else
936 ""
937#endif
938 "%c%" PRIu32 "%c%s",
939 sep, tls_common_name(mi->context.c2.tls_multi, false), sep,
940 mroute_addr_print(&mi->real, &gc), sep,
941 print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), sep,
942 print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep,
943 mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes, sep,
944 mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes, sep,
945 time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created,
946 sep, tls_username(mi->context.c2.tls_multi, false),
947#ifdef ENABLE_MANAGEMENT
948 sep, mi->context.c2.mda_context.cid,
949#else
950 sep,
951#endif
952 sep,
953 mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
954 sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
955 }
956 gc_free(&gc);
957 }
958 hash_iterator_free(&hi);
959
960 status_printf(
961 so,
962 "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
963 sep, sep, sep, sep, sep, sep);
964 hash_iterator_init(m->vhash, &hi);
965 while ((he = hash_iterator_next(&hi)))
966 {
967 struct gc_arena gc = gc_new();
968 const struct multi_route *route = (struct multi_route *)he->value;
969
970 if (multi_route_defined(m, route))
971 {
972 const struct multi_instance *mi = route->instance;
973 const struct mroute_addr *ma = &route->addr;
974 char flags[2] = { 0, 0 };
975
976 if (route->flags & MULTI_ROUTE_CACHE)
977 {
978 flags[0] = 'C';
979 }
980 status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep,
981 mroute_addr_print(ma, &gc), flags, sep,
982 tls_common_name(mi->context.c2.tls_multi, false), sep,
983 mroute_addr_print(&mi->real, &gc), sep,
984 time_string(route->last_reference, 0, false, &gc), sep,
985 (unsigned int)route->last_reference);
986 }
987 gc_free(&gc);
988 }
989 hash_iterator_free(&hi);
990
991 if (m->mbuf)
992 {
993 status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep,
994 mbuf_maximum_queued(m->mbuf));
995 }
996
997 status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep,
998 dco_enabled(&m->top.options));
999 status_printf(so, "END");
1000 }
1001 else
1002 {
1003 status_printf(so, "ERROR: bad status format version number");
1004 }
1005
1006#ifdef PACKET_TRUNCATION_CHECK
1007 {
1008 status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1009 hash_iterator_init(m->hash, &hi);
1010 while ((he = hash_iterator_next(&hi)))
1011 {
1012 struct gc_arena gc = gc_new();
1013 const struct multi_instance *mi = (struct multi_instance *)he->value;
1014
1015 if (!mi->halt)
1016 {
1017 status_printf(so,
1018 "ERRORS,%s," counter_format "," counter_format "," counter_format
1019 "," counter_format,
1020 tls_common_name(mi->context.c2.tls_multi, false),
1021 m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write,
1022 mi->context.c2.n_trunc_pre_encrypt,
1023 mi->context.c2.n_trunc_post_decrypt);
1024 }
1025 gc_free(&gc);
1026 }
1027 hash_iterator_free(&hi);
1028 }
1029#endif /* ifdef PACKET_TRUNCATION_CHECK */
1030
1031 status_flush(so);
1032 gc_free(&gc_top);
1033 }
1034
1035#ifdef ENABLE_ASYNC_PUSH
1036 if (m->inotify_watchers)
1037 {
1038 msg(D_MULTI_DEBUG, "inotify watchers count: %d", hash_n_elements(m->inotify_watchers));
1039 }
1040#endif
1041}
1042
1043/*
1044 * Learn a virtual address or route.
1045 * The learn will fail if the learn address
1046 * script/plugin fails. In this case the
1047 * return value may be != mi.
1048 * Return the instance which owns this route,
1049 * or NULL if none.
1050 */
1051static struct multi_instance *
1052multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr,
1053 const unsigned int flags)
1054{
1055 struct hash_element *he;
1056 const uint32_t hv = hash_value(m->vhash, addr);
1057 struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1058 struct multi_route *oldroute = NULL;
1059 struct multi_instance *owner = NULL;
1060 struct gc_arena gc = gc_new();
1061
1062 /* if route currently exists, get the instance which owns it */
1063 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1064 if (he)
1065 {
1066 oldroute = (struct multi_route *)he->value;
1067 }
1068 if (oldroute && multi_route_defined(m, oldroute))
1069 {
1070 owner = oldroute->instance;
1071 }
1072
1073 /* do we need to add address to hash table? */
1074 if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1075 && !mroute_addr_equal(addr, &m->local))
1076 {
1077 struct multi_route *newroute;
1078 bool learn_succeeded = false;
1079
1080 ALLOC_OBJ(newroute, struct multi_route);
1081 newroute->addr = *addr;
1082 newroute->instance = mi;
1083 newroute->flags = flags;
1084 newroute->last_reference = now;
1085 newroute->cache_generation = 0;
1086
1087 /* The cache is invalidated when cache_generation is incremented */
1088 if (flags & MULTI_ROUTE_CACHE)
1089 {
1090 newroute->cache_generation = m->route_helper->cache_generation;
1091 }
1092
1093 if (oldroute) /* route already exists? */
1094 {
1095 if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1096 {
1097 learn_succeeded = true;
1098 owner = mi;
1099 multi_instance_inc_refcount(mi);
1100 route_quota_inc(mi);
1101
1102 /* delete old route */
1103 multi_route_del(oldroute);
1104
1105 /* modify hash table entry, replacing old route */
1106 he->key = &newroute->addr;
1107 he->value = newroute;
1108 }
1109 }
1110 else
1111 {
1112 if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1113 {
1114 learn_succeeded = true;
1115 owner = mi;
1116 multi_instance_inc_refcount(mi);
1117 route_quota_inc(mi);
1118
1119 /* add new route */
1120 hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1121 }
1122 }
1123
1124 msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED",
1125 mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc));
1126
1127 if (!learn_succeeded)
1128 {
1129 free(newroute);
1130 }
1131 }
1132 gc_free(&gc);
1133
1134 return owner;
1135}
1136
1137/*
1138 * Get client instance based on virtual address.
1139 */
1140static struct multi_instance *
1141multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr,
1142 bool cidr_routing)
1143{
1144 struct multi_route *route;
1145 struct multi_instance *ret = NULL;
1146
1147 /* check for local address */
1148 if (mroute_addr_equal(addr, &m->local))
1149 {
1150 return NULL;
1151 }
1152
1153 route = (struct multi_route *)hash_lookup(m->vhash, addr);
1154
1155 /* does host route (possible cached) exist? */
1156 if (route && multi_route_defined(m, route))
1157 {
1158 struct multi_instance *mi = route->instance;
1159 route->last_reference = now;
1160 ret = mi;
1161 }
1162 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1163 {
1164 struct mroute_helper *rh = m->route_helper;
1165 struct mroute_addr tryaddr;
1166 int i;
1167
1168 /* cycle through each CIDR length */
1169 for (i = 0; i < rh->n_net_len; ++i)
1170 {
1171 tryaddr = *addr;
1172 tryaddr.type |= MR_WITH_NETBITS;
1173 tryaddr.netbits = rh->net_len[i];
1174 mroute_addr_mask_host_bits(&tryaddr);
1175
1176 /* look up a possible route with netbits netmask */
1177 route = (struct multi_route *)hash_lookup(m->vhash, &tryaddr);
1178
1179 if (route && multi_route_defined(m, route))
1180 {
1181 /* found an applicable route, cache host route */
1182 struct multi_instance *mi = route->instance;
1183 multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE | MULTI_ROUTE_AGEABLE);
1184 ret = mi;
1185 break;
1186 }
1187 }
1188 }
1189
1190#ifdef ENABLE_DEBUG
1191 if (check_debug_level(D_MULTI_DEBUG))
1192 {
1193 struct gc_arena gc = gc_new();
1194 const char *addr_text = mroute_addr_print(addr, &gc);
1195 if (ret)
1196 {
1197 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text,
1198 multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc));
1199 }
1200 else
1201 {
1202 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text);
1203 }
1204 gc_free(&gc);
1205 }
1206#endif
1207
1208 ASSERT(!(ret && ret->halt));
1209 return ret;
1210}
1211
1212/*
1213 * Helper function to multi_learn_addr().
1214 */
1215static struct multi_instance *
1216multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a,
1217 int netbits, /* -1 if host route, otherwise # of network bits in address */
1218 bool primary)
1219{
1220 struct openvpn_sockaddr remote_si;
1221 struct mroute_addr addr = { 0 };
1222
1223 CLEAR(remote_si);
1224 remote_si.addr.in4.sin_family = AF_INET;
1225 remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1226 addr.proto = 0;
1227 ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1228
1229 if (netbits >= 0)
1230 {
1231 addr.type |= MR_WITH_NETBITS;
1232 addr.netbits = (uint8_t)netbits;
1233 }
1234
1235 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1236#ifdef ENABLE_MANAGEMENT
1237 if (management && owner)
1238 {
1239 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1240 }
1241#endif
1242 if (!primary)
1243 {
1244 /* "primary" is the VPN ifconfig address of the peer and already
1245 * known to DCO, so only install "extra" iroutes (primary = false)
1246 */
1247 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1248 dco_install_iroute(m, mi, &addr);
1249 }
1250
1251 return owner;
1252}
1253
1254static struct multi_instance *
1255multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6,
1256 int netbits, /* -1 if host route, otherwise # of network bits in address */
1257 bool primary)
1258{
1259 struct mroute_addr addr = { 0 };
1260
1261 addr.len = 16;
1262 addr.type = MR_ADDR_IPV6;
1263 addr.netbits = 0;
1264 addr.v6.addr = a6;
1265
1266 if (netbits >= 0)
1267 {
1268 addr.type |= MR_WITH_NETBITS;
1269 addr.netbits = (uint8_t)netbits;
1270 mroute_addr_mask_host_bits(&addr);
1271 }
1272
1273 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1274#ifdef ENABLE_MANAGEMENT
1275 if (management && owner)
1276 {
1277 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1278 }
1279#endif
1280 if (!primary)
1281 {
1282 /* "primary" is the VPN ifconfig address of the peer and already
1283 * known to DCO, so only install "extra" iroutes (primary = false)
1284 */
1285 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1286 dco_install_iroute(m, mi, &addr);
1287 }
1288
1289 return owner;
1290}
1291
1292/*
1293 * A new client has connected, add routes (server -> client)
1294 * to internal routing table.
1295 */
1296static void
1297multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
1298{
1299 struct gc_arena gc = gc_new();
1300 const struct iroute *ir;
1301 const struct iroute_ipv6 *ir6;
1302 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1303 {
1304 mi->did_iroutes = true;
1305 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1306 {
1307 if (ir->netbits >= 0)
1308 {
1309 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1310 print_in_addr_t(ir->network, 0, &gc), ir->netbits,
1311 multi_instance_string(mi, false, &gc));
1312 }
1313 else
1314 {
1315 msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1316 print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc));
1317 }
1318
1319 mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1320
1321 multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1322 }
1323 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1324 {
1325 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1326 print_in6_addr(ir6->network, 0, &gc), ir6->netbits,
1327 multi_instance_string(mi, false, &gc));
1328
1329 mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1330
1331 multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1332 }
1333 }
1334 gc_free(&gc);
1335}
1336
1337/*
1338 * Given an instance (new_mi), delete all other instances which use the
1339 * same common name.
1340 */
1341static void
1342multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1343{
1344 if (new_mi)
1345 {
1346 const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1347 if (new_cn)
1348 {
1349 struct hash_iterator hi;
1350 struct hash_element *he;
1351 int count = 0;
1352
1353 hash_iterator_init(m->iter, &hi);
1354 while ((he = hash_iterator_next(&hi)))
1355 {
1356 struct multi_instance *mi = (struct multi_instance *)he->value;
1357 if (mi != new_mi && !mi->halt)
1358 {
1359 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1360 if (cn && !strcmp(cn, new_cn))
1361 {
1362 mi->did_iter = false;
1363 multi_close_instance(m, mi, false);
1364 hash_iterator_delete_element(&hi);
1365 ++count;
1366 }
1367 }
1368 }
1369 hash_iterator_free(&hi);
1370
1371 if (count)
1372 {
1373 msg(D_MULTI_LOW,
1374 "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.",
1375 new_cn);
1376 }
1377 }
1378 }
1379}
1380
1381static void
1382check_stale_routes(struct multi_context *m)
1383{
1384 struct gc_arena gc = gc_new();
1385 struct hash_iterator hi;
1386 struct hash_element *he;
1387
1388 dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1389 hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1390 while ((he = hash_iterator_next(&hi)) != NULL)
1391 {
1392 struct multi_route *r = (struct multi_route *)he->value;
1393 if (multi_route_defined(m, r)
1394 && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1395 {
1396 dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1397 mroute_addr_print(&r->addr, &gc));
1398 learn_address_script(m, NULL, "delete", &r->addr);
1399 multi_route_del(r);
1400 hash_iterator_delete_element(&hi);
1401 }
1402 }
1403 hash_iterator_free(&hi);
1404 gc_free(&gc);
1405}
1406
1407/*
1408 * Ensure that endpoint to be pushed to client
1409 * complies with --ifconfig-push-constraint directive.
1410 */
1411static bool
1412ifconfig_push_constraint_satisfied(const struct context *c)
1413{
1414 const struct options *o = &c->options;
1415 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1416 {
1417 return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local)
1418 == o->push_ifconfig_constraint_network;
1419 }
1420 else
1421 {
1422 return true;
1423 }
1424}
1425
1426/*
1427 * Select a virtual address for a new client instance.
1428 * Use an --ifconfig-push directive, if given (static IP).
1429 * Otherwise use an --ifconfig-pool address (dynamic IP).
1430 */
1431static void
1432multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1433{
1434 struct gc_arena gc = gc_new();
1435
1436 /*
1437 * If ifconfig addresses were set by dynamic config file,
1438 * release pool addresses, otherwise keep them.
1439 */
1440 if (mi->context.options.push_ifconfig_defined)
1441 {
1442 /* ifconfig addresses were set statically,
1443 * release dynamic allocation */
1444 if (mi->vaddr_handle >= 0)
1445 {
1446 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1447 mi->vaddr_handle = -1;
1448 }
1449
1450 mi->context.c2.push_ifconfig_defined = true;
1451 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1452 mi->context.c2.push_ifconfig_remote_netmask =
1453 mi->context.options.push_ifconfig_remote_netmask;
1454 mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1455
1456 /* the current implementation does not allow "static IPv4, pool IPv6",
1457 * (see below) so issue a warning if that happens - don't break the
1458 * session, though, as we don't even know if this client WANTS IPv6
1459 */
1460 if (mi->context.options.ifconfig_ipv6_pool_defined
1461 && !mi->context.options.push_ifconfig_ipv6_defined)
1462 {
1463 msg(M_INFO,
1464 "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.");
1465 }
1466 }
1467 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1468 {
1469 in_addr_t local = 0, remote = 0;
1470 struct in6_addr remote_ipv6;
1471 const char *cn = NULL;
1472
1473 if (!mi->context.options.duplicate_cn)
1474 {
1475 cn = tls_common_name(mi->context.c2.tls_multi, true);
1476 }
1477
1478 CLEAR(remote_ipv6);
1479 mi->vaddr_handle =
1480 ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1481 if (mi->vaddr_handle >= 0)
1482 {
1483 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1484 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1485
1486 msg(M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1487 (mi->context.options.ifconfig_pool_defined ? print_in_addr_t(remote, 0, &gc)
1488 : "(Not enabled)"),
1489 (mi->context.options.ifconfig_ipv6_pool_defined
1490 ? print_in6_addr(remote_ipv6, 0, &gc)
1491 : "(Not enabled)"));
1492
1493 if (mi->context.options.ifconfig_pool_defined)
1494 {
1495 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1496 mi->context.c2.push_ifconfig_local = remote;
1497 if (tunnel_type == DEV_TYPE_TAP
1498 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1499 {
1500 mi->context.c2.push_ifconfig_remote_netmask =
1501 mi->context.options.ifconfig_pool_netmask;
1502 if (!mi->context.c2.push_ifconfig_remote_netmask)
1503 {
1504 mi->context.c2.push_ifconfig_remote_netmask =
1505 mi->context.c1.tuntap->remote_netmask;
1506 }
1507 }
1508 else if (tunnel_type == DEV_TYPE_TUN)
1509 {
1510 if (tunnel_topology == TOP_P2P)
1511 {
1512 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1513 }
1514 else if (tunnel_topology == TOP_NET30)
1515 {
1516 mi->context.c2.push_ifconfig_remote_netmask = local;
1517 }
1518 }
1519
1520 if (mi->context.c2.push_ifconfig_remote_netmask)
1521 {
1522 mi->context.c2.push_ifconfig_defined = true;
1523 }
1524 else
1525 {
1526 msg(D_MULTI_ERRORS,
1527 "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1528 multi_instance_string(mi, false, &gc));
1529 }
1530 }
1531
1532 if (mi->context.options.ifconfig_ipv6_pool_defined)
1533 {
1534 mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1535 mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6;
1536 mi->context.c2.push_ifconfig_ipv6_netbits =
1537 mi->context.options.ifconfig_ipv6_netbits;
1538 mi->context.c2.push_ifconfig_ipv6_defined = true;
1539 }
1540 }
1541 else
1542 {
1543 msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1544 }
1545 }
1546
1547 /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1548 * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1549 * will fail (because no pool will be allocated in this case).
1550 * OTOH, this doesn't make too much sense in reality - and the other
1551 * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1552 * -> and so it's implemented right now
1553 */
1554 if (mi->context.options.push_ifconfig_ipv6_defined)
1555 {
1556 mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local;
1557 mi->context.c2.push_ifconfig_ipv6_remote = mi->context.options.push_ifconfig_ipv6_remote;
1558 mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.push_ifconfig_ipv6_netbits;
1559 mi->context.c2.push_ifconfig_ipv6_defined = true;
1560
1561 msg(M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1562 print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc),
1563 mi->context.c2.push_ifconfig_ipv6_netbits);
1564 }
1565
1566 gc_free(&gc);
1567}
1568
1569/*
1570 * Set virtual address environmental variables.
1571 */
1572static void
1573multi_set_virtual_addr_env(struct multi_instance *mi)
1574{
1575 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1576 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1577 setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1578
1579 if (mi->context.c2.push_ifconfig_defined)
1580 {
1581 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1582 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1583
1584 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip",
1585 mi->context.c2.push_ifconfig_local, SA_SET_IF_NONZERO);
1586
1587 if (tunnel_type == DEV_TYPE_TAP
1588 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1589 {
1590 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask",
1591 mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
1592 }
1593 else if (tunnel_type == DEV_TYPE_TUN)
1594 {
1595 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip",
1596 mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
1597 }
1598 }
1599
1600 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1601 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1602 setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1603
1604 if (mi->context.c2.push_ifconfig_ipv6_defined)
1605 {
1606 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote",
1607 &mi->context.c2.push_ifconfig_ipv6_local, SA_SET_IF_NONZERO);
1608 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local",
1609 &mi->context.c2.push_ifconfig_ipv6_remote, SA_SET_IF_NONZERO);
1610 setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits",
1611 mi->context.c2.push_ifconfig_ipv6_netbits);
1612 }
1613}
1614
1615/*
1616 * Called after client-connect script is called
1617 */
1618static void
1619multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file,
1620 unsigned int *option_types_found)
1621{
1622 /* Did script generate a dynamic config file? */
1623 if (platform_test_file(dc_file))
1624 {
1625 options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS | M_OPTERR,
1626 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1627
1628 /*
1629 * If the --client-connect script generates a config file
1630 * with an --ifconfig-push directive, it will override any
1631 * --ifconfig-push directive from the --client-config-dir
1632 * directory or any --ifconfig-pool dynamic address.
1633 */
1634 multi_select_virtual_addr(m, mi);
1635 multi_set_virtual_addr_env(mi);
1636 }
1637}
1638
1639#ifdef ENABLE_PLUGIN
1640
1641/*
1642 * Called after client-connect plug-in is called
1643 */
1644static void
1645multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi,
1646 const struct plugin_return *pr, unsigned int *option_types_found)
1647{
1648 struct plugin_return config;
1649
1650 plugin_return_get_column(pr, &config, "config");
1651
1652 /* Did script generate a dynamic config file? */
1653 if (plugin_return_defined(&config))
1654 {
1655 int i;
1656 for (i = 0; i < config.n; ++i)
1657 {
1658 if (config.list[i] && config.list[i]->value)
1659 {
1660 options_string_import(&mi->context.options, config.list[i]->value,
1661 D_IMPORT_ERRORS | M_OPTERR, CLIENT_CONNECT_OPT_MASK,
1662 option_types_found, mi->context.c2.es);
1663 }
1664 }
1665
1666 /*
1667 * If the --client-connect script generates a config file
1668 * with an --ifconfig-push directive, it will override any
1669 * --ifconfig-push directive from the --client-config-dir
1670 * directory or any --ifconfig-pool dynamic address.
1671 */
1672 multi_select_virtual_addr(m, mi);
1673 multi_set_virtual_addr_env(mi);
1674 }
1675}
1676
1677#endif /* ifdef ENABLE_PLUGIN */
1678
1679
1680/*
1681 * Called to load management-derived client-connect config
1682 */
1683enum client_connect_return
1684multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred,
1685 unsigned int *option_types_found)
1686{
1687 /* We never return CC_RET_DEFERRED */
1688 ASSERT(!deferred);
1689 enum client_connect_return ret = CC_RET_SKIPPED;
1690#ifdef ENABLE_MANAGEMENT
1691 if (mi->cc_config)
1692 {
1693 struct buffer_entry *be;
1694 for (be = mi->cc_config->head; be != NULL; be = be->next)
1695 {
1696 const char *opt = BSTR(&be->buf);
1697 options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS | M_OPTERR,
1698 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1699 }
1700
1701 /*
1702 * If the --client-connect script generates a config file
1703 * with an --ifconfig-push directive, it will override any
1704 * --ifconfig-push directive from the --client-config-dir
1705 * directory or any --ifconfig-pool dynamic address.
1706 */
1707 multi_select_virtual_addr(m, mi);
1708 multi_set_virtual_addr_env(mi);
1709
1710 ret = CC_RET_SUCCEEDED;
1711 }
1712#endif /* ifdef ENABLE_MANAGEMENT */
1713 return ret;
1714}
1715
1716static void
1717multi_client_connect_setenv(struct multi_instance *mi)
1718{
1719 struct gc_arena gc = gc_new();
1720
1721 /* setenv incoming cert common name for script */
1722 setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1723
1724 /* setenv client real IP address */
1725 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1726
1727 /* setenv client virtual IP address */
1728 multi_set_virtual_addr_env(mi);
1729
1730 /* setenv connection time */
1731 {
1732 const char *created_ascii = time_string(mi->created, 0, false, &gc);
1733 setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1734 setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1735 }
1736
1737 gc_free(&gc);
1738}
1739
1746static bool
1747multi_client_set_protocol_options(struct context *c)
1748{
1749 struct tls_multi *tls_multi = c->c2.tls_multi;
1750 const char *const peer_info = tls_multi->peer_info;
1751 struct options *o = &c->options;
1752
1753
1754 unsigned int proto = extract_iv_proto(peer_info);
1755 if (proto & IV_PROTO_DATA_V2)
1756 {
1757 tls_multi->use_peer_id = true;
1758 o->use_peer_id = true;
1759 }
1760 else if (dco_enabled(o))
1761 {
1762 msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
1763 "requires DATA_V2. Dropping client.");
1764 auth_set_client_reason(tls_multi, "Data channel negotiation "
1765 "failed (missing DATA_V2)");
1766 return false;
1767 }
1768
1769 /* Print a warning if we detect the client being in P2P mode and will
1770 * not accept our pushed ciphers */
1771 if (proto & IV_PROTO_NCP_P2P)
1772 {
1773 msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
1774 "option). It will not negotiate ciphers with this server. "
1775 "Expect this connection to fail.");
1776 }
1777
1778 if (proto & IV_PROTO_REQUEST_PUSH)
1779 {
1780 c->c2.push_request_received = true;
1781 }
1782
1783 if (proto & IV_PROTO_TLS_KEY_EXPORT)
1784 {
1785 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1786 }
1787 else if (o->force_key_material_export)
1788 {
1789 msg(M_INFO, "PUSH: client does not support TLS Keying Material "
1790 "Exporters but --force-tls-key-material-export is enabled.");
1791 auth_set_client_reason(tls_multi, "Client incompatible with this "
1792 "server. Keying Material Exporters (RFC 5705) "
1793 "support missing. Upgrade to a client that "
1794 "supports this feature (OpenVPN 2.6.0+).");
1795 return false;
1796 }
1797 if (proto & IV_PROTO_DYN_TLS_CRYPT)
1798 {
1799 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1800 }
1801
1802 if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1803 {
1804 o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1805 }
1806
1807 /* Select cipher if client supports Negotiable Crypto Parameters */
1808
1809 /* if we have already created our key, we cannot *change* our own
1810 * cipher -> so log the fact and push the "what we have now" cipher
1811 * (so the client is always told what we expect it to use)
1812 */
1813 if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1814 {
1815 msg(M_INFO,
1816 "PUSH: client wants to negotiate cipher (NCP), but "
1817 "server has already generated data channel keys, "
1818 "re-sending previously negotiated cipher '%s'",
1819 o->ciphername);
1820 return true;
1821 }
1822
1823 /*
1824 * Push the first cipher from --data-ciphers to the client that
1825 * the client announces to be supporting.
1826 */
1827 char *push_cipher =
1828 ncp_get_best_cipher(o->ncp_ciphers, peer_info, tls_multi->remote_ciphername, &o->gc);
1829 if (push_cipher)
1830 {
1831 /* Enable epoch data key format if supported and AEAD cipher in use */
1832 if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported && (proto & IV_PROTO_DATA_EPOCH)
1833 && cipher_kt_mode_aead(push_cipher))
1834 {
1835 o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
1836 }
1837
1838 o->ciphername = push_cipher;
1839 return true;
1840 }
1841
1842 /* NCP cipher negotiation failed. Try to figure out why exactly it
1843 * failed and give good error messages and potentially do a fallback
1844 * for non NCP clients */
1845 struct gc_arena gc = gc_new();
1846 bool ret = false;
1847
1848 const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1849 /* If we are in a situation where we know the client ciphers, there is no
1850 * reason to fall back to a cipher that will not be accepted by the other
1851 * side, in this situation we fail the auth*/
1852 if (strlen(peer_ciphers) > 0)
1853 {
1854 msg(M_INFO,
1855 "PUSH: No common cipher between server and client. "
1856 "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
1857 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
1858 }
1859 else if (tls_multi->remote_ciphername)
1860 {
1861 msg(M_INFO,
1862 "PUSH: No common cipher between server and client. "
1863 "Server data-ciphers: '%s'%s, client supports cipher '%s'",
1864 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), tls_multi->remote_ciphername);
1865 }
1866 else
1867 {
1868 msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1869
1870 if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1871 {
1872 msg(M_INFO,
1873 "Using data channel cipher '%s' since "
1874 "--data-ciphers-fallback is set.",
1875 o->ciphername);
1876 ret = true;
1877 }
1878 else
1879 {
1880 msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1881 "client is using if you want to allow the client to connect");
1882 }
1883 }
1884 if (!ret)
1885 {
1886 auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1887 "failed (no shared cipher)");
1888 }
1889
1890 gc_free(&gc);
1891 return ret;
1892}
1893
1898static void
1899ccs_delete_deferred_ret_file(struct multi_instance *mi)
1900{
1901 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1902 if (!ccs->deferred_ret_file)
1903 {
1904 return;
1905 }
1906
1907 setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1908 if (!platform_unlink(ccs->deferred_ret_file))
1909 {
1910 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->deferred_ret_file);
1911 }
1912 free(ccs->deferred_ret_file);
1913 ccs->deferred_ret_file = NULL;
1914}
1915
1923static bool
1924ccs_gen_deferred_ret_file(struct multi_instance *mi)
1925{
1926 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1927 struct gc_arena gc = gc_new();
1928 const char *fn;
1929
1930 /* Delete file if it already exists */
1931 ccs_delete_deferred_ret_file(mi);
1932
1933 fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1934 if (!fn)
1935 {
1936 gc_free(&gc);
1937 return false;
1938 }
1939 ccs->deferred_ret_file = string_alloc(fn, NULL);
1940
1941 setenv_str(mi->context.c2.es, "client_connect_deferred_file", ccs->deferred_ret_file);
1942
1943 gc_free(&gc);
1944 return true;
1945}
1946
1955static enum client_connect_return
1956ccs_test_deferred_ret_file(struct multi_instance *mi)
1957{
1958 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1959 FILE *fp = fopen(ccs->deferred_ret_file, "r");
1960 if (!fp)
1961 {
1962 return CC_RET_SKIPPED;
1963 }
1964
1965 enum client_connect_return ret = CC_RET_SKIPPED;
1966 const int c = fgetc(fp);
1967 switch (c)
1968 {
1969 case '0':
1970 ret = CC_RET_FAILED;
1971 break;
1972
1973 case '1':
1974 ret = CC_RET_SUCCEEDED;
1975 break;
1976
1977 case '2':
1978 ret = CC_RET_DEFERRED;
1979 break;
1980
1981 case EOF:
1982 if (feof(fp))
1983 {
1984 ret = CC_RET_SKIPPED;
1985 break;
1986 }
1987
1988 /* Not EOF but other error -> fall through to error state */
1989 default:
1990 /* We received an unknown/unexpected value. Assume failure. */
1991 msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
1992 "client-connect resultfile");
1993 ret = CC_RET_FAILED;
1994 }
1995 fclose(fp);
1996
1997 return ret;
1998}
1999
2005static void
2006ccs_delete_config_file(struct multi_instance *mi)
2007{
2008 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2009 if (ccs->config_file)
2010 {
2011 setenv_del(mi->context.c2.es, "client_connect_config_file");
2012 if (!platform_unlink(ccs->config_file))
2013 {
2014 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->config_file);
2015 }
2016 free(ccs->config_file);
2017 ccs->config_file = NULL;
2018 }
2019}
2020
2028static bool
2029ccs_gen_config_file(struct multi_instance *mi)
2030{
2031 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2032 struct gc_arena gc = gc_new();
2033 const char *fn;
2034
2035 if (ccs->config_file)
2036 {
2037 ccs_delete_config_file(mi);
2038 }
2039
2040 fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2041 if (!fn)
2042 {
2043 gc_free(&gc);
2044 return false;
2045 }
2046 ccs->config_file = string_alloc(fn, NULL);
2047
2048 setenv_str(mi->context.c2.es, "client_connect_config_file", ccs->config_file);
2049
2050 gc_free(&gc);
2051 return true;
2052}
2053
2054static enum client_connect_return
2055multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi,
2056 bool deferred, unsigned int *option_types_found)
2057{
2058 enum client_connect_return ret = CC_RET_SKIPPED;
2059#ifdef ENABLE_PLUGIN
2060 ASSERT(m);
2061 ASSERT(mi);
2062 ASSERT(option_types_found);
2063 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2064
2065 /* deprecated callback, use a file for passing back return info */
2066 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2067 {
2068 struct argv argv = argv_new();
2069 int call;
2070
2071 if (!deferred)
2072 {
2073 call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2074 if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
2075 {
2076 ret = CC_RET_FAILED;
2077 goto cleanup;
2078 }
2079 }
2080 else
2081 {
2082 call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2083 /* the initial call should have created these files */
2084 ASSERT(ccs->config_file);
2085 ASSERT(ccs->deferred_ret_file);
2086 }
2087
2088 argv_printf(&argv, "%s", ccs->config_file);
2089 int plug_ret = plugin_call(mi->context.plugins, call, &argv, NULL, mi->context.c2.es);
2090 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2091 {
2092 ret = CC_RET_SUCCEEDED;
2093 }
2094 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2095 {
2096 ret = CC_RET_DEFERRED;
2102 }
2103 else
2104 {
2105 msg(M_WARN, "WARNING: client-connect plugin call failed");
2106 ret = CC_RET_FAILED;
2107 }
2108
2109
2115 int file_ret = ccs_test_deferred_ret_file(mi);
2116
2117 if (file_ret == CC_RET_FAILED)
2118 {
2119 ret = CC_RET_FAILED;
2120 }
2121 else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2122 {
2123 ret = CC_RET_DEFERRED;
2124 }
2125
2126 /* if we still think we have succeeded, do postprocessing */
2127 if (ret == CC_RET_SUCCEEDED)
2128 {
2129 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2130 }
2131cleanup:
2132 argv_free(&argv);
2133
2134 if (ret != CC_RET_DEFERRED)
2135 {
2136 ccs_delete_config_file(mi);
2137 ccs_delete_deferred_ret_file(mi);
2138 }
2139 }
2140#endif /* ifdef ENABLE_PLUGIN */
2141 return ret;
2142}
2143
2144static enum client_connect_return
2145multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi,
2146 bool deferred, unsigned int *option_types_found)
2147{
2148 enum client_connect_return ret = CC_RET_SKIPPED;
2149#ifdef ENABLE_PLUGIN
2150 ASSERT(m);
2151 ASSERT(mi);
2152 ASSERT(option_types_found);
2153
2154 int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2155 /* V2 callback, use a plugin_return struct for passing back return info */
2156 if (plugin_defined(mi->context.plugins, call))
2157 {
2158 struct plugin_return pr;
2159
2160 plugin_return_init(&pr);
2161
2162 int plug_ret = plugin_call(mi->context.plugins, call, NULL, &pr, mi->context.c2.es);
2163 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2164 {
2165 multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2166 ret = CC_RET_SUCCEEDED;
2167 }
2168 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2169 {
2170 ret = CC_RET_DEFERRED;
2171 if (!(plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2172 {
2173 msg(M_WARN, "A plugin that defers from the "
2174 "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2175 "declare support for "
2176 "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2177 ret = CC_RET_FAILED;
2178 }
2179 }
2180 else
2181 {
2182 msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2183 ret = CC_RET_FAILED;
2184 }
2185
2186
2187 plugin_return_free(&pr);
2188 }
2189#endif /* ifdef ENABLE_PLUGIN */
2190 return ret;
2191}
2192
2193static enum client_connect_return
2194multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi,
2195 unsigned int *option_types_found)
2196{
2197 ASSERT(mi);
2198 ASSERT(option_types_found);
2199 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2200 enum client_connect_return ret = CC_RET_SKIPPED;
2201
2202 ret = ccs_test_deferred_ret_file(mi);
2203
2204 if (ret == CC_RET_SKIPPED)
2205 {
2206 /*
2207 * Skipped and deferred are equivalent in this context.
2208 * skipped means that the called program has not yet
2209 * written a return status implicitly needing more time
2210 * while deferred is the explicit notification that it
2211 * needs more time
2212 */
2213 ret = CC_RET_DEFERRED;
2214 }
2215
2216 if (ret == CC_RET_SUCCEEDED)
2217 {
2218 ccs_delete_deferred_ret_file(mi);
2219 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2220 ccs_delete_config_file(mi);
2221 }
2222 if (ret == CC_RET_FAILED)
2223 {
2224 msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2225 ccs_delete_deferred_ret_file(mi);
2226 ccs_delete_config_file(mi);
2227 }
2228 return ret;
2229}
2230
2234static enum client_connect_return
2235multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred,
2236 unsigned int *option_types_found)
2237{
2238 if (deferred)
2239 {
2240 return multi_client_connect_script_deferred(m, mi, option_types_found);
2241 }
2242 ASSERT(m);
2243 ASSERT(mi);
2244
2245 enum client_connect_return ret = CC_RET_SKIPPED;
2246 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2247
2248 if (mi->context.options.client_connect_script)
2249 {
2250 struct argv argv = argv_new();
2251 struct gc_arena gc = gc_new();
2252
2253 setenv_str(mi->context.c2.es, "script_type", "client-connect");
2254
2255 if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
2256 {
2257 ret = CC_RET_FAILED;
2258 goto cleanup;
2259 }
2260
2261 argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2262 argv_printf_cat(&argv, "%s", ccs->config_file);
2263
2264 if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2265 {
2266 if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2267 {
2268 ret = CC_RET_DEFERRED;
2269 }
2270 else
2271 {
2272 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2273 ret = CC_RET_SUCCEEDED;
2274 }
2275 }
2276 else
2277 {
2278 ret = CC_RET_FAILED;
2279 }
2280cleanup:
2281 if (ret != CC_RET_DEFERRED)
2282 {
2283 ccs_delete_config_file(mi);
2284 ccs_delete_deferred_ret_file(mi);
2285 }
2286 argv_free(&argv);
2287 gc_free(&gc);
2288 }
2289 return ret;
2290}
2291
2292static bool
2293multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi,
2294 struct gc_arena *gc)
2295{
2296 if (!dco_enabled(&mi->context.options))
2297 {
2298 /* DCO not enabled, nothing to do, return sucess */
2299 return true;
2300 }
2301 int ret = dco_multi_add_new_peer(m, mi);
2302 if (ret < 0)
2303 {
2304 msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", multi_instance_string(mi, false, gc),
2305 strerror(-ret), ret);
2306 return false;
2307 }
2308
2309 return true;
2310}
2311
2315static bool
2316multi_client_generate_tls_keys(struct context *c)
2317{
2318 struct frame *frame_fragment = NULL;
2319#ifdef ENABLE_FRAGMENT
2320 if (c->options.ce.fragment)
2321 {
2322 frame_fragment = &c->c2.frame_fragment;
2323 }
2324#endif
2325 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2326 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2327 frame_fragment, get_link_socket_info(c),
2328 &c->c1.tuntap->dco))
2329 {
2330 msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2331 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2332 return false;
2333 }
2334
2335 return true;
2336}
2337
2338static void
2339multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi,
2340 const unsigned int option_types_found)
2341{
2342 ASSERT(m);
2343 ASSERT(mi);
2344
2345 struct gc_arena gc = gc_new();
2346 /*
2347 * Process sourced options.
2348 */
2349 do_deferred_options(&mi->context, option_types_found, false);
2350
2351 /*
2352 * make sure we got ifconfig settings from somewhere
2353 */
2354 if (!mi->context.c2.push_ifconfig_defined)
2355 {
2356 msg(D_MULTI_ERRORS,
2357 "MULTI: no dynamic or static remote "
2358 "--ifconfig address is available for %s",
2359 multi_instance_string(mi, false, &gc));
2360 }
2361
2362 /*
2363 * make sure that ifconfig settings comply with constraints
2364 */
2365 if (!ifconfig_push_constraint_satisfied(&mi->context))
2366 {
2367 const char *ifconfig_constraint_network =
2368 print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2369 const char *ifconfig_constraint_netmask =
2370 print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2371
2372 /* JYFIXME -- this should cause the connection to fail */
2373 msg(D_MULTI_ERRORS,
2374 "MULTI ERROR: primary virtual IP for %s (%s) "
2375 "violates tunnel network/netmask constraint (%s/%s)",
2376 multi_instance_string(mi, false, &gc),
2377 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2378 ifconfig_constraint_network, ifconfig_constraint_netmask);
2379 }
2380
2381 /* set our client's VPN endpoint for status reporting purposes */
2382 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2383 mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2384
2385 /* set context-level authentication flag */
2386 mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2387
2388 /* Since dco-win maintains iroute routing table (subnet -> peer),
2389 * peer must be added before iroutes. For other platforms it doesn't matter. */
2390
2391 /* authentication complete, calculate dynamic client specific options */
2392 if (!multi_client_set_protocol_options(&mi->context))
2393 {
2394 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2395 }
2396 /* only continue if setting protocol options worked */
2397 else if (!multi_client_setup_dco_initial(m, mi, &gc))
2398 {
2399 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2400 }
2401 /* Generate data channel keys only if setting protocol options
2402 * and DCO initial setup has not failed */
2403 else if (!multi_client_generate_tls_keys(&mi->context))
2404 {
2405 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2406 }
2407
2408 /* dco peer has been added, it is now safe for Windows to add iroutes */
2409
2410 /*
2411 * For routed tunnels, set up internal route to endpoint
2412 * plus add all iroute routes.
2413 */
2414 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2415 {
2416 if (mi->context.c2.push_ifconfig_defined)
2417 {
2418 multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2419 msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2420 multi_instance_string(mi, false, &gc),
2421 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2422 }
2423
2424 if (mi->context.c2.push_ifconfig_ipv6_defined)
2425 {
2426 multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true);
2427 /* TODO: find out where addresses are "unlearned"!! */
2428 const char *ifconfig_local_ipv6 =
2429 print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2430 msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2431 multi_instance_string(mi, false, &gc), ifconfig_local_ipv6);
2432 }
2433
2434 /* add routes locally, pointing to new client, if
2435 * --iroute options have been specified */
2436 multi_add_iroutes(m, mi);
2437
2438 /*
2439 * iroutes represent subnets which are "owned" by a particular
2440 * client. Therefore, do not actually push a route to a client
2441 * if it matches one of the client's iroutes.
2442 */
2443 remove_iroutes_from_push_route_list(&mi->context.options);
2444 }
2445 else if (mi->context.options.iroutes)
2446 {
2447 msg(D_MULTI_ERRORS,
2448 "MULTI: --iroute options rejected for %s -- iroute "
2449 "only works with tun-style tunnels",
2450 multi_instance_string(mi, false, &gc));
2451 }
2452
2453 /* send push reply if ready */
2454 if (mi->context.c2.push_request_received)
2455 {
2456 process_incoming_push_request(&mi->context);
2457 }
2458 gc_free(&gc);
2459}
2460
2461static void
2462multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
2463{
2464 ASSERT(mi->context.c1.tuntap);
2465 /*
2466 * lock down the common name and cert hashes so they can't change
2467 * during future TLS renegotiations
2468 */
2469 tls_lock_common_name(mi->context.c2.tls_multi);
2470 tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2471
2472 /* generate a msg() prefix for this client instance */
2473 generate_prefix(mi);
2474
2475 /* delete instances of previous clients with same common-name */
2476 if (!mi->context.options.duplicate_cn)
2477 {
2478 multi_delete_dup(m, mi);
2479 }
2480
2481 /* reset pool handle to null */
2482 mi->vaddr_handle = -1;
2483
2484 /* do --client-connect setenvs */
2485 multi_select_virtual_addr(m, mi);
2486
2487 multi_client_connect_setenv(mi);
2488}
2489
2496static enum client_connect_return
2497multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi,
2498 bool deferred, unsigned int *option_types_found)
2499{
2500#ifdef USE_COMP
2501 struct options *o = &mi->context.options;
2502 const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2503
2504 if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2505 {
2506 if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2507 {
2508 push_option(o, "compress stub-v2", M_USAGE);
2509 }
2510 else
2511 {
2512 /* Client is old and does not support STUBv2 but since it
2513 * announced comp-lzo via OCC we assume it uses comp-lzo, so
2514 * switch to that and push the uncompressed variant. */
2515 push_option(o, "comp-lzo no", M_USAGE);
2516 o->comp.alg = COMP_ALG_STUB;
2517 *option_types_found |= OPT_P_COMP;
2518 }
2519 }
2520#endif
2521 return CC_RET_SUCCEEDED;
2522}
2523
2528static enum client_connect_return
2529multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred,
2530 unsigned int *option_types_found)
2531{
2532 /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2533 * problem */
2534 ASSERT(!deferred);
2535 enum client_connect_return ret = CC_RET_SKIPPED;
2536 if (mi->context.options.client_config_dir)
2537 {
2538 struct gc_arena gc = gc_new();
2539 const char *ccd_file = NULL;
2540
2541 const char *ccd_client =
2542 platform_gen_path(mi->context.options.client_config_dir,
2543 tls_common_name(mi->context.c2.tls_multi, false), &gc);
2544
2545 const char *ccd_default =
2546 platform_gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc);
2547
2548
2549 /* try common-name file */
2550 if (platform_test_file(ccd_client))
2551 {
2552 ccd_file = ccd_client;
2553 }
2554 /* try default file */
2555 else if (platform_test_file(ccd_default))
2556 {
2557 ccd_file = ccd_default;
2558 }
2559
2560 if (ccd_file)
2561 {
2562 options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS | M_OPTERR,
2563 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
2564 /*
2565 * Select a virtual address from either --ifconfig-push in
2566 * --client-config-dir file or --ifconfig-pool.
2567 */
2568 multi_select_virtual_addr(m, mi);
2569
2570 multi_client_connect_setenv(mi);
2571
2572 ret = CC_RET_SUCCEEDED;
2573 }
2574 gc_free(&gc);
2575 }
2576 return ret;
2577}
2578
2579typedef enum client_connect_return (*multi_client_connect_handler)(
2580 struct multi_context *m, struct multi_instance *mi, bool from_deferred,
2581 unsigned int *option_types_found);
2582
2592
2597static bool
2598override_locked_username(struct multi_instance *mi)
2599{
2600 struct tls_multi *multi = mi->context.c2.tls_multi;
2601 struct options *options = &mi->context.options;
2602 struct tls_session *session = &multi->session[TM_ACTIVE];
2603
2604 if (!multi->locked_username)
2605 {
2606 msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
2607 "user/password method is enabled. Enable "
2608 "--management-client-auth, --auth-user-pass-verify, or a "
2609 "plugin with user/password verify capability.");
2610 return false;
2611 }
2612
2613 if (!multi->locked_original_username
2614 && strcmp(multi->locked_username, options->override_username) != 0)
2615 {
2616 /* Check if the username length is acceptable */
2617 if (!ssl_verify_username_length(session, options->override_username))
2618 {
2619 return false;
2620 }
2621
2622 multi->locked_original_username = multi->locked_username;
2623 multi->locked_username = strdup(options->override_username);
2624
2625 /* Override also the common name if username should be set as common
2626 * name */
2627 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
2628 {
2629 set_common_name(session, multi->locked_username);
2630 free(multi->locked_cn);
2631 multi->locked_cn = NULL;
2632 tls_lock_common_name(multi);
2633 }
2634
2635 /* Regenerate the auth-token if enabled */
2636 if (multi->auth_token_initial)
2637 {
2638 struct user_pass up;
2639 CLEAR(up);
2640 strncpynt(up.username, multi->locked_username, sizeof(up.username));
2641
2642 generate_auth_token(&up, multi);
2643 }
2644
2645 msg(D_MULTI_LOW,
2646 "MULTI: Note, override-username changes username "
2647 "from '%s' to '%s'",
2648 multi->locked_original_username, multi->locked_username);
2649 }
2650 return true;
2651}
2652/*
2653 * Called as soon as the SSL/TLS connection is authenticated.
2654 *
2655 * Will collect the client specific configuration from the different
2656 * sources like ccd files, connect plugins and management interface.
2657 *
2658 * This method starts with cas_context CAS_PENDING and will move the
2659 * state machine to either CAS_SUCCEEDED on success or
2660 * CAS_FAILED/CAS_PARTIAL on failure.
2661 *
2662 * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2663 * include:
2664 *
2665 * iroute start-ip end-ip
2666 * ifconfig-push local remote-netmask
2667 * push
2668 *
2669 *
2670 */
2671static void
2672multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2673{
2674 /* We are only called for the CAS_PENDING_x states, so we
2675 * can ignore other states here */
2676 bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2677
2678 int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2679 unsigned int *option_types_found = &mi->client_connect_defer_state.option_types_found;
2680
2681 /* We are called for the first time */
2682 if (!from_deferred)
2683 {
2684 *cur_handler_index = 0;
2685 *option_types_found = 0;
2686 /* Initially we have no handler that has returned a result */
2687 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2688
2689 multi_client_connect_early_setup(m, mi);
2690 }
2691
2692 bool cc_succeeded = true;
2693
2694 while (cc_succeeded && client_connect_handlers[*cur_handler_index] != NULL)
2695 {
2696 enum client_connect_return ret;
2697 ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, option_types_found);
2698
2699 from_deferred = false;
2700
2701 switch (ret)
2702 {
2703 case CC_RET_SUCCEEDED:
2704 /*
2705 * Remember that we already had at least one handler
2706 * returning a result should we go to into deferred state
2707 */
2708 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2709 break;
2710
2711 case CC_RET_SKIPPED:
2712 /*
2713 * Move on with the next handler without modifying any
2714 * other state
2715 */
2716 break;
2717
2718 case CC_RET_DEFERRED:
2719 /*
2720 * we already set multi_status to DEFERRED_RESULT or
2721 * DEFERRED_NO_RESULT. We just return
2722 * from the function as having multi_status
2723 */
2724 return;
2725
2726 case CC_RET_FAILED:
2727 /*
2728 * One handler failed. We abort the chain and set the final
2729 * result to failed
2730 */
2731 cc_succeeded = false;
2732 break;
2733
2734 default:
2735 ASSERT(0);
2736 }
2737
2738 /*
2739 * Check for "disable" directive in client-config-dir file
2740 * or config file generated by --client-connect script.
2741 */
2742 if (mi->context.options.disable)
2743 {
2744 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2745 "'disable' directive");
2746 cc_succeeded = false;
2747 }
2748
2749 (*cur_handler_index)++;
2750 }
2751
2752 if (mi->context.options.override_username)
2753 {
2754 if (!override_locked_username(mi))
2755 {
2756 cc_succeeded = false;
2757 }
2758 }
2759
2760 /* Check if we have forbidding options in the current mode */
2761 if (dco_enabled(&mi->context.options)
2762 && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2763 {
2764 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2765 cc_succeeded = false;
2766 }
2767
2768 if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
2769 {
2770 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2771 cc_succeeded = false;
2772 }
2773
2774 if (cc_succeeded)
2775 {
2776 multi_client_connect_late_setup(m, mi, *option_types_found);
2777 }
2778 else
2779 {
2780 /* run the disconnect script if we had a connect script that
2781 * did not fail */
2782 if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2783 {
2784 multi_client_disconnect_script(m, mi);
2785 }
2786
2787 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2788 }
2789
2790 /* increment number of current authenticated clients */
2791 ++m->n_clients;
2792 update_mstat_n_clients(m->n_clients);
2793 --mi->n_clients_delta;
2794
2795#ifdef ENABLE_MANAGEMENT
2796 if (management)
2797 {
2798 management_connection_established(management, &mi->context.c2.mda_context,
2799 mi->context.c2.es);
2800 }
2801#endif
2802}
2803
2804#ifdef ENABLE_ASYNC_PUSH
2805/*
2806 * Called when inotify event is fired, which happens when acf
2807 * or connect-status file is closed or deleted.
2808 * Continues authentication and sends push_reply
2809 * (or be deferred again by client-connect)
2810 */
2811void
2812multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2813{
2814 char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2815 size_t buffer_i = 0;
2816 int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2817
2818 while (buffer_i < r)
2819 {
2820 /* parse inotify events */
2821 struct inotify_event *pevent = (struct inotify_event *)&buffer[buffer_i];
2822 size_t event_size = sizeof(struct inotify_event) + pevent->len;
2823 buffer_i += event_size;
2824
2825 msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2826
2827 struct multi_instance *mi =
2828 hash_lookup(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
2829
2830 if (pevent->mask & IN_CLOSE_WRITE)
2831 {
2832 if (mi)
2833 {
2834 /* continue authentication, perform NCP negotiation and send push_reply */
2835 multi_process_post(m, mi, mpp_flags);
2836 }
2837 else
2838 {
2839 msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2840 }
2841 }
2842 else if (pevent->mask & IN_IGNORED)
2843 {
2844 /* this event is _always_ fired when watch is removed or file is deleted */
2845 if (mi)
2846 {
2847 hash_remove(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
2848 mi->inotify_watch = -1;
2849 }
2850 }
2851 else
2852 {
2853 msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2854 }
2855 }
2856}
2857#endif /* ifdef ENABLE_ASYNC_PUSH */
2858
2859/*
2860 * Add a mbuf buffer to a particular
2861 * instance.
2862 */
2863void
2864multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
2865{
2866 if (multi_output_queue_ready(m, mi))
2867 {
2868 struct mbuf_item item;
2869 item.buffer = mb;
2870 item.instance = mi;
2871 mbuf_add_item(m->mbuf, &item);
2872 }
2873 else
2874 {
2875 msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2876 }
2877}
2878
2879/*
2880 * Add a packet to a client instance output queue.
2881 */
2882static inline void
2883multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
2884{
2885 struct mbuf_buffer *mb;
2886
2887 if (BLEN(buf) > 0)
2888 {
2889 mb = mbuf_alloc_buf(buf);
2890 mb->flags = MF_UNICAST;
2891 multi_add_mbuf(m, mi, mb);
2892 mbuf_free_buf(mb);
2893 }
2894}
2895
2896/*
2897 * Broadcast a packet to all clients.
2898 */
2899static void
2900multi_bcast(struct multi_context *m, const struct buffer *buf,
2901 const struct multi_instance *sender_instance, uint16_t vid)
2902{
2903 struct hash_iterator hi;
2904 struct hash_element *he;
2905 struct multi_instance *mi;
2906 struct mbuf_buffer *mb;
2907
2908 if (BLEN(buf) > 0)
2909 {
2910 perf_push(PERF_MULTI_BCAST);
2911#ifdef MULTI_DEBUG_EVENT_LOOP
2912 printf("BCAST len=%d\n", BLEN(buf));
2913#endif
2914 mb = mbuf_alloc_buf(buf);
2915 hash_iterator_init(m->iter, &hi);
2916
2917 while ((he = hash_iterator_next(&hi)))
2918 {
2919 mi = (struct multi_instance *)he->value;
2920 if (mi != sender_instance && !mi->halt)
2921 {
2922 if (vid != 0 && vid != mi->context.options.vlan_pvid)
2923 {
2924 continue;
2925 }
2926 multi_add_mbuf(m, mi, mb);
2927 }
2928 }
2929
2930 hash_iterator_free(&hi);
2931 mbuf_free_buf(mb);
2932 perf_pop();
2933 }
2934}
2935
2936/*
2937 * Given a time delta, indicating that we wish to be
2938 * awoken by the scheduler at time now + delta, figure
2939 * a sigma parameter (in microseconds) that represents
2940 * a sort of fuzz factor around delta, so that we're
2941 * really telling the scheduler to wake us up any time
2942 * between now + delta - sigma and now + delta + sigma.
2943 *
2944 * The sigma parameter helps the scheduler to run more efficiently.
2945 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2946 */
2947static inline unsigned int
2948compute_wakeup_sigma(const struct timeval *delta)
2949{
2950 if (delta->tv_sec < 1)
2951 {
2952 /* if < 1 sec, fuzz = # of microseconds / 8 */
2953 return delta->tv_usec >> 3;
2954 }
2955 else
2956 {
2957 /* if < 10 minutes, fuzz = 13.1% of timeout */
2958 if (delta->tv_sec < 600)
2959 {
2960 return delta->tv_sec << 17;
2961 }
2962 else
2963 {
2964 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2965 }
2966 }
2967}
2968
2969static void
2970multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
2971{
2972 /* calculate an absolute wakeup time */
2973 ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2974 tv_add(&mi->wakeup, &mi->context.c2.timeval);
2975
2976 /* tell scheduler to wake us up at some point in the future */
2977 schedule_add_entry(m->schedule, (struct schedule_entry *)mi, &mi->wakeup,
2978 compute_wakeup_sigma(&mi->context.c2.timeval));
2979}
2980
2981#if defined(ENABLE_ASYNC_PUSH)
2982static void
2983add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, int inotify_fd,
2984 const char *file)
2985{
2986 /* watch acf file */
2987 long watch_descriptor = inotify_add_watch(inotify_fd, file, IN_CLOSE_WRITE | IN_ONESHOT);
2988 if (watch_descriptor >= 0)
2989 {
2990 if (mi->inotify_watch != -1)
2991 {
2992 hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
2993 }
2994 hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2995 mi->inotify_watch = watch_descriptor;
2996 }
2997 else
2998 {
2999 msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3000 }
3001}
3002#endif /* if defined(ENABLE_ASYNC_PUSH) */
3003
3004/*
3005 * Figure instance-specific timers, convert
3006 * earliest to absolute time in mi->wakeup,
3007 * call scheduler with our future wakeup time.
3008 *
3009 * Also close context on signal.
3010 */
3011bool
3012multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3013{
3014 bool ret = true;
3015
3016 if (!IS_SIG(&mi->context)
3017 && ((flags & MPP_PRE_SELECT)
3018 || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3019 {
3020#if defined(ENABLE_ASYNC_PUSH)
3021 bool was_unauthenticated = true;
3022 struct key_state *ks = NULL;
3023 if (mi->context.c2.tls_multi)
3024 {
3025 ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3026 was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3027 }
3028#endif
3029
3030 /* figure timeouts and fetch possible outgoing
3031 * to_link packets (such as ping or TLS control) */
3032 pre_select(&mi->context);
3033
3034#if defined(ENABLE_ASYNC_PUSH)
3035 /*
3036 * if we see the state transition from unauthenticated to deferred
3037 * and an auth_control_file, we assume it got just added and add
3038 * inotify watch to that file
3039 */
3040 if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3041 && (ks->authenticated == KS_AUTH_DEFERRED))
3042 {
3043 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->plugin_auth.auth_control_file);
3044 }
3045 if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3046 && (ks->authenticated == KS_AUTH_DEFERRED))
3047 {
3048 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->script_auth.auth_control_file);
3049 }
3050#endif
3051
3052 if (!IS_SIG(&mi->context))
3053 {
3054 /* connection is "established" when SSL/TLS key negotiation succeeds
3055 * and (if specified) auth user/pass succeeds */
3056
3057 if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3058 {
3059 multi_connection_established(m, mi);
3060 }
3061#if defined(ENABLE_ASYNC_PUSH)
3062 if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3063 && mi->client_connect_defer_state.deferred_ret_file)
3064 {
3065 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3066 mi->client_connect_defer_state.deferred_ret_file);
3067 }
3068#endif
3069 /* tell scheduler to wake us up at some point in the future */
3070 multi_schedule_context_wakeup(m, mi);
3071 }
3072 }
3073
3074 if (IS_SIG(&mi->context))
3075 {
3076 if (flags & MPP_CLOSE_ON_SIGNAL)
3077 {
3078 multi_close_instance_on_signal(m, mi);
3079 ret = false;
3080 }
3081 }
3082 else
3083 {
3084 /* continue to pend on output? */
3085 multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3086
3087#ifdef MULTI_DEBUG_EVENT_LOOP
3088 printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int)(mi == m->pending),
3089 mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1,
3090 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3091 (int64_t)mi->context.c2.timeval.tv_sec, (long)mi->context.c2.timeval.tv_usec);
3092#endif
3093 }
3094
3095 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3096 {
3097 *m->mpp_touched = mi;
3098 }
3099
3100 return ret;
3101}
3102
3111static void
3112multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
3113{
3114 struct mroute_addr real = { 0 };
3115 struct hash *hash = m->hash;
3116 struct gc_arena gc = gc_new();
3117
3118 if (mi->real.type & MR_WITH_PROTO)
3119 {
3120 real.type |= MR_WITH_PROTO;
3121 real.proto = sock->info.proto;
3122 }
3123
3124 if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3125 {
3126 goto done;
3127 }
3128
3129 const uint32_t hv = hash_value(hash, &real);
3130 struct hash_bucket *bucket = hash_bucket(hash, hv);
3131
3132 /* make sure that we don't float to an address taken by another client */
3133 struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3134 if (he)
3135 {
3136 struct multi_instance *ex_mi = (struct multi_instance *)he->value;
3137
3138 struct tls_multi *m1 = mi->context.c2.tls_multi;
3139 struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3140
3141 /* do not float if target address is taken by client with another cert */
3142 if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3143 {
3144 msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3145 multi_instance_string(ex_mi, false, &gc));
3146
3147 mi->context.c2.buf.len = 0;
3148
3149 goto done;
3150 }
3151
3152 /* It doesn't make sense to let a peer float to the address it already
3153 * has, so we disallow it. This can happen if a DCO netlink notification
3154 * gets lost and we miss a floating step.
3155 */
3156 if (m1->peer_id == m2->peer_id)
3157 {
3158 msg(M_WARN,
3159 "disallowing peer %" PRIu32 " (%s) from floating to "
3160 "its own address (%s)",
3161 m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
3162 mroute_addr_print(&mi->real, &gc));
3163 goto done;
3164 }
3165
3166 msg(D_MULTI_LOW,
3167 "closing instance %s due to float collision with %s "
3168 "using the same certificate",
3169 multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc));
3170 multi_close_instance(m, ex_mi, false);
3171 }
3172
3173 msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3174 mi->context.c2.tls_multi->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
3175 mroute_addr_print_ex(&mi->real, MAPF_SHOW_FAMILY, &gc),
3176 mroute_addr_print_ex(&real, MAPF_SHOW_FAMILY, &gc));
3177
3178 /* remove old address from hash table before changing address */
3179 ASSERT(hash_remove(m->hash, &mi->real));
3180 ASSERT(hash_remove(m->iter, &mi->real));
3181
3182 /* change external network address of the remote peer */
3183 mi->real = real;
3184 generate_prefix(mi);
3185
3186 mi->context.c2.from = m->top.c2.from;
3187 mi->context.c2.to_link_addr = &mi->context.c2.from;
3188
3189 /* inherit parent link_socket and link_socket_info */
3190 mi->context.c2.link_sockets[0] = sock;
3191 mi->context.c2.link_socket_infos[0]->lsa->actual = m->top.c2.from;
3192
3193 tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3194
3195 ASSERT(hash_add(m->hash, &mi->real, mi, false));
3196 ASSERT(hash_add(m->iter, &mi->real, mi, false));
3197
3198#ifdef ENABLE_MANAGEMENT
3199 ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3200#endif
3201
3202done:
3203 gc_free(&gc);
3204}
3205
3206/*
3207 * Called when an instance should be closed due to the
3208 * reception of a soft signal.
3209 */
3210void
3211multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3212{
3213 remap_signal(&mi->context);
3214 set_prefix(mi);
3215 print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3216 clear_prefix();
3217 multi_close_instance(m, mi, false);
3218}
3219
3220#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) \
3221 || defined(ENABLE_MANAGEMENT)
3222static void
3223multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3224{
3225 mi->context.sig->signal_received = sig;
3226 multi_close_instance_on_signal(m, mi);
3227}
3228#endif
3229
3230#if defined(ENABLE_DCO)
3231static void
3232process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, dco_context_t *dco)
3233{
3234 const char *reason = "ovpn-dco: unknown reason";
3235 switch (dco->dco_del_peer_reason)
3236 {
3237 case OVPN_DEL_PEER_REASON_EXPIRED:
3238 reason = "ovpn-dco: ping expired";
3239 break;
3240
3241 case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3242 reason = "ovpn-dco: transport error";
3243 break;
3244
3245 case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3246 reason = "ovpn-dco: transport disconnected";
3247 break;
3248
3249 case OVPN_DEL_PEER_REASON_USERSPACE:
3250 /* We assume that is ourselves. Unfortunately, sometimes these
3251 * events happen with enough delay that they can have an order of
3252 *
3253 * dco_del_peer x
3254 * [new client connecting]
3255 * dco_new_peer x
3256 * event from dco_del_peer arrives.
3257 *
3258 * if we do not ignore this we get desynced with the kernel
3259 * since we assume the peer-id is free again. The other way would
3260 * be to send a dco_del_peer again
3261 */
3262 return;
3263 }
3264
3265 /* When kernel already deleted the peer, the socket is no longer
3266 * installed, and we do not need to clean up the state in the kernel */
3267 mi->context.c2.tls_multi->dco_peer_id = -1;
3268 mi->context.sig->signal_text = reason;
3269 mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3270 mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3271 multi_signal_instance(m, mi, SIGTERM);
3272}
3273
3274bool
3275multi_process_incoming_dco(struct multi_context *m)
3276{
3277 dco_context_t *dco = &m->top.c1.tuntap->dco;
3278
3279 struct multi_instance *mi = NULL;
3280
3281 int ret = dco_do_read(&m->top.c1.tuntap->dco);
3282
3283 int peer_id = dco->dco_message_peer_id;
3284
3285 /* no peer-specific message delivered -> nothing to process.
3286 * bail out right away
3287 */
3288 if (peer_id < 0)
3289 {
3290 return ret > 0;
3291 }
3292
3293 if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3294 {
3295 mi = m->instances[peer_id];
3296 set_prefix(mi);
3297 if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3298 {
3299 process_incoming_del_peer(m, mi, dco);
3300 }
3301 else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
3302 {
3303 ASSERT(mi->context.c2.link_sockets[0]);
3304 extract_dco_float_peer_addr(mi->context.c2.link_sockets[0]->info.af,
3305 &m->top.c2.from.dest,
3306 (struct sockaddr *)&dco->dco_float_peer_ss);
3307 multi_process_float(m, mi, mi->context.c2.link_sockets[0]);
3308 CLEAR(dco->dco_float_peer_ss);
3309 }
3310 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3311 {
3312 tls_session_soft_reset(mi->context.c2.tls_multi);
3313 }
3314 clear_prefix();
3315 }
3316 else
3317 {
3318 msglvl_t msglevel = D_DCO;
3319 if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3320 && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3321 {
3322 /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3323 * after we kill the peer ourselves. This peer may have already
3324 * been deleted, so we end up here.
3325 * In this case, print the following debug message with DCO_DEBUG
3326 * level only to avoid polluting the standard DCO level with this
3327 * harmless event.
3328 */
3329 msglevel = D_DCO_DEBUG;
3330 }
3331 msg(msglevel,
3332 "Received DCO message for unknown peer-id: %d, "
3333 "type %d, del_peer_reason %d",
3334 peer_id, dco->dco_message_type, dco->dco_del_peer_reason);
3335 }
3336
3337 dco->dco_message_type = 0;
3338 dco->dco_message_peer_id = -1;
3339 dco->dco_del_peer_reason = -1;
3340 dco->dco_read_bytes = 0;
3341 dco->dco_write_bytes = 0;
3342 return ret > 0;
3343}
3344#endif /* if defined(ENABLE_DCO) */
3345
3346/*
3347 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3348 * i.e. client -> server direction.
3349 */
3350bool
3351multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance,
3352 const unsigned int mpp_flags, struct link_socket *sock)
3353{
3354 struct gc_arena gc = gc_new();
3355
3356 struct context *c;
3357 struct mroute_addr src, dest;
3358 unsigned int mroute_flags;
3359 struct multi_instance *mi;
3360 bool ret = true;
3361 bool floated = false;
3362
3363 if (m->pending)
3364 {
3365 return true;
3366 }
3367
3368 if (!instance)
3369 {
3370#ifdef MULTI_DEBUG_EVENT_LOOP
3371 printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3372#endif
3373 multi_set_pending(m, multi_get_create_instance_udp(m, &floated, sock));
3374 }
3375 else
3376 {
3377 multi_set_pending(m, instance);
3378 }
3379
3380 if (m->pending)
3381 {
3382 set_prefix(m->pending);
3383
3384 /* get instance context */
3385 c = &m->pending->context;
3386
3387 if (!instance)
3388 {
3389 /* transfer packet pointer from top-level context buffer to instance */
3390 c->c2.buf = m->top.c2.buf;
3391
3392 /* transfer from-addr from top-level context buffer to instance */
3393 if (!floated)
3394 {
3395 c->c2.from = m->top.c2.from;
3396 }
3397 }
3398
3399 if (BLEN(&c->c2.buf) > 0)
3400 {
3401 struct link_socket_info *lsi;
3402 const uint8_t *orig_buf;
3403
3404 /* decrypt in instance context */
3405
3406 perf_push(PERF_PROC_IN_LINK);
3407 lsi = &sock->info;
3408 orig_buf = c->c2.buf.data;
3409 if (process_incoming_link_part1(c, lsi, floated))
3410 {
3411 /* nonzero length means that we have a valid, decrypted packed */
3412 if (floated && c->c2.buf.len > 0)
3413 {
3414 multi_process_float(m, m->pending, sock);
3415 }
3416
3417 process_incoming_link_part2(c, lsi, orig_buf);
3418 }
3419 perf_pop();
3420
3421 if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3422 {
3423 /* extract packet source and dest addresses */
3424 mroute_flags =
3425 mroute_extract_addr_from_packet(&src, &dest, 0, &c->c2.to_tun, DEV_TYPE_TUN);
3426
3427 /* drop packet if extract failed */
3428 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3429 {
3430 c->c2.to_tun.len = 0;
3431 }
3432 /* make sure that source address is associated with this client */
3433 else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3434 {
3435 /* IPv6 link-local address (fe80::xxx)? */
3436 if ((src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3437 && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr))
3438 {
3439 /* do nothing, for now. TODO: add address learning */
3440 }
3441 else
3442 {
3443 msg(D_MULTI_DROPPED,
3444 "MULTI: bad source address from client [%s], packet dropped",
3445 mroute_addr_print(&src, &gc));
3446 }
3447 c->c2.to_tun.len = 0;
3448 }
3449 /* client-to-client communication enabled? */
3450 else if (m->enable_c2c)
3451 {
3452 /* multicast? */
3453 if (mroute_flags & MROUTE_EXTRACT_MCAST)
3454 {
3455 /* for now, treat multicast as broadcast */
3456 multi_bcast(m, &c->c2.to_tun, m->pending, 0);
3457 }
3458 else /* possible client to client routing */
3459 {
3460 ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3461 mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3462
3463 /* if dest addr is a known client, route to it */
3464 if (mi)
3465 {
3466 {
3467 multi_unicast(m, &c->c2.to_tun, mi);
3468 register_activity(c, BLEN(&c->c2.to_tun));
3469 }
3470 c->c2.to_tun.len = 0;
3471 }
3472 }
3473 }
3474 }
3475 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3476 {
3477 uint16_t vid = 0;
3478
3479 if (m->top.options.vlan_tagging)
3480 {
3481 if (vlan_is_tagged(&c->c2.to_tun))
3482 {
3483 /* Drop VLAN-tagged frame. */
3484 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3485 c->c2.to_tun.len = 0;
3486 }
3487 else
3488 {
3489 vid = c->options.vlan_pvid;
3490 }
3491 }
3492 /* extract packet source and dest addresses */
3493 mroute_flags =
3494 mroute_extract_addr_from_packet(&src, &dest, vid, &c->c2.to_tun, DEV_TYPE_TAP);
3495
3496 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3497 {
3498 if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3499 {
3500 /* check for broadcast */
3501 if (m->enable_c2c)
3502 {
3503 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3504 {
3505 multi_bcast(m, &c->c2.to_tun, m->pending, vid);
3506 }
3507 else /* try client-to-client routing */
3508 {
3509 mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3510
3511 /* if dest addr is a known client, route to it */
3512 if (mi)
3513 {
3514 multi_unicast(m, &c->c2.to_tun, mi);
3515 register_activity(c, BLEN(&c->c2.to_tun));
3516 c->c2.to_tun.len = 0;
3517 }
3518 }
3519 }
3520 }
3521 else
3522 {
3523 msg(D_MULTI_DROPPED,
3524 "MULTI: bad source address from client [%s], packet dropped",
3525 mroute_addr_print(&src, &gc));
3526 c->c2.to_tun.len = 0;
3527 }
3528 }
3529 else
3530 {
3531 c->c2.to_tun.len = 0;
3532 }
3533 }
3534 }
3535
3536 /* postprocess and set wakeup */
3537 ret = multi_process_post(m, m->pending, mpp_flags);
3538
3539 clear_prefix();
3540 }
3541
3542 gc_free(&gc);
3543 return ret;
3544}
3545
3546/*
3547 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3548 * i.e. server -> client direction.
3549 */
3550bool
3551multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3552{
3553 bool ret = true;
3554
3555 if (BLEN(&m->top.c2.buf) > 0)
3556 {
3557 unsigned int mroute_flags;
3558 struct mroute_addr src = { 0 }, dest = { 0 };
3559 const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3560 int16_t vid = 0;
3561
3562#ifdef MULTI_DEBUG_EVENT_LOOP
3563 printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3564#endif
3565
3566 if (m->pending)
3567 {
3568 return true;
3569 }
3570
3571 if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3572 {
3573 vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3574 if (vid < 0)
3575 {
3576 return false;
3577 }
3578 }
3579
3580 /*
3581 * Route an incoming tun/tap packet to
3582 * the appropriate multi_instance object.
3583 */
3584
3585 mroute_flags = mroute_extract_addr_from_packet(&src, &dest, vid, &m->top.c2.buf, dev_type);
3586
3587 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3588 {
3589 struct context *c;
3590
3591 /* broadcast or multicast dest addr? */
3592 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3593 {
3594 /* for now, treat multicast as broadcast */
3595 multi_bcast(m, &m->top.c2.buf, NULL, vid);
3596 }
3597 else
3598 {
3599 multi_set_pending(
3600 m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3601
3602 if (m->pending)
3603 {
3604 /* get instance context */
3605 c = &m->pending->context;
3606
3607 set_prefix(m->pending);
3608
3609 {
3610 if (multi_output_queue_ready(m, m->pending))
3611 {
3612 /* transfer packet pointer from top-level context buffer to instance */
3613 c->c2.buf = m->top.c2.buf;
3614 }
3615 else
3616 {
3617 /* drop packet */
3618 msg(D_MULTI_DROPPED,
3619 "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3620 buf_reset_len(&c->c2.buf);
3621 }
3622 }
3623
3624 /* encrypt in instance context */
3625 process_incoming_tun(c, c->c2.link_sockets[0]);
3626
3627 /* postprocess and set wakeup */
3628 ret = multi_process_post(m, m->pending, mpp_flags);
3629
3630 clear_prefix();
3631 }
3632 }
3633 }
3634 }
3635 return ret;
3636}
3637
3638/*
3639 * Process a possible client-to-client/bcast/mcast message in the
3640 * queue.
3641 */
3642struct multi_instance *
3643multi_get_queue(struct mbuf_set *ms)
3644{
3645 struct mbuf_item item;
3646
3647 if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3648 {
3649 unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
3650
3651 set_prefix(item.instance);
3652 item.instance->context.c2.buf = item.buffer->buf;
3653 if (item.buffer->flags
3654 & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3655 {
3656 pip_flags |= PIP_MSSFIX;
3657 }
3658 process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf,
3659 item.instance->context.c2.link_sockets[0]);
3660 encrypt_sign(&item.instance->context, true);
3661 mbuf_free_buf(item.buffer);
3662
3663 dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3664
3665 clear_prefix();
3666 return item.instance;
3667 }
3668 else
3669 {
3670 return NULL;
3671 }
3672}
3673
3674/*
3675 * Called when an I/O wait times out. Usually means that a particular
3676 * client instance object needs timer-based service.
3677 */
3678bool
3679multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3680{
3681 bool ret = true;
3682
3683#ifdef MULTI_DEBUG_EVENT_LOOP
3684 printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3685#endif
3686
3687 /* instance marked for wakeup? */
3688 if (m->earliest_wakeup)
3689 {
3690 if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3691 {
3692 schedule_remove_entry(m->schedule,
3693 (struct schedule_entry *)&m->deferred_shutdown_signal);
3694 throw_signal(m->deferred_shutdown_signal.signal_received);
3695 }
3696 else
3697 {
3698 set_prefix(m->earliest_wakeup);
3699 ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3700 clear_prefix();
3701 }
3702 m->earliest_wakeup = NULL;
3703 }
3704 return ret;
3705}
3706
3707/*
3708 * Drop a TUN/TAP outgoing packet..
3709 */
3710void
3711multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3712{
3713 struct multi_instance *mi = m->pending;
3714
3715 ASSERT(mi);
3716
3717 set_prefix(mi);
3718
3719 msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3720 mi->context.c2.to_tun.len);
3721
3722 buf_reset(&mi->context.c2.to_tun);
3723
3724 multi_process_post(m, mi, mpp_flags);
3725 clear_prefix();
3726}
3727
3728/*
3729 * Per-client route quota management
3730 */
3731
3732void
3733route_quota_exceeded(const struct multi_instance *mi)
3734{
3735 struct gc_arena gc = gc_new();
3736 msg(D_ROUTE_QUOTA,
3737 "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3738 mi->context.options.max_routes_per_client, multi_instance_string(mi, false, &gc));
3739 gc_free(&gc);
3740}
3741
3742#ifdef ENABLE_DEBUG
3743/*
3744 * Flood clients with random packets
3745 */
3746static void
3747gremlin_flood_clients(struct multi_context *m)
3748{
3749 const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3750 if (level)
3751 {
3752 struct gc_arena gc = gc_new();
3753 struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3754 struct packet_flood_parms parm = get_packet_flood_parms(level);
3755 int i;
3756
3757 ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3758 parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3759
3760 msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3761 parm.n_packets, parm.packet_size);
3762
3763 for (i = 0; i < parm.packet_size; ++i)
3764 {
3765 ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3766 }
3767
3768 for (i = 0; i < parm.n_packets; ++i)
3769 {
3770 multi_bcast(m, &buf, NULL, 0);
3771 }
3772
3773 gc_free(&gc);
3774 }
3775}
3776#endif /* ifdef ENABLE_DEBUG */
3777
3778static bool
3779stale_route_check_trigger(struct multi_context *m)
3780{
3781 struct timeval null;
3782 CLEAR(null);
3783 return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3784}
3785
3786/*
3787 * Process timers in the top-level context
3788 */
3789void
3790multi_process_per_second_timers_dowork(struct multi_context *m)
3791{
3792 /* possibly reap instances/routes in vhash */
3793 multi_reap_process(m);
3794
3795 /* possibly print to status log */
3796 if (m->top.c1.status_output)
3797 {
3798 if (status_trigger(m->top.c1.status_output))
3799 {
3800 multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3801 }
3802 }
3803
3804 /* possibly flush ifconfig-pool file */
3805 multi_ifconfig_pool_persist(m, false);
3806
3807#ifdef ENABLE_DEBUG
3808 gremlin_flood_clients(m);
3809#endif
3810
3811 /* Should we check for stale routes? */
3812 if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3813 {
3814 check_stale_routes(m);
3815 }
3816
3817#ifdef ENABLE_MANAGEMENT
3818 if (management)
3819 {
3820 management_check_bytecount_server(m);
3821 }
3822#endif /* ENABLE_MANAGEMENT */
3823}
3824
3825static void
3826multi_top_init(struct context *top)
3827{
3828 inherit_context_top(&top->multi->top, top);
3829 top->multi->top.c2.buffers = init_context_buffers(&top->c2.frame);
3830}
3831
3832static void
3838
3839static bool
3840is_exit_restart(int sig)
3841{
3842 return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3843}
3844
3845static void
3846multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3847{
3848 struct hash_iterator hi;
3849 struct hash_element *he;
3850 struct timeval tv;
3851
3852 /* tell all clients to restart */
3853 hash_iterator_init(m->iter, &hi);
3854 while ((he = hash_iterator_next(&hi)))
3855 {
3856 struct multi_instance *mi = (struct multi_instance *)he->value;
3857 if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
3858 {
3859 send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART",
3860 D_PUSH);
3861 multi_schedule_context_wakeup(m, mi);
3862 }
3863 }
3864 hash_iterator_free(&hi);
3865
3866 /* reschedule signal */
3867 ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3868 tv.tv_sec = 2;
3869 tv.tv_usec = 0;
3870 tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3871
3872 m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3873
3874 schedule_add_entry(m->schedule, (struct schedule_entry *)&m->deferred_shutdown_signal,
3875 &m->deferred_shutdown_signal.wakeup,
3876 compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
3877
3878 signal_reset(m->top.sig, 0);
3879}
3880
3881/*
3882 * Return true if event loop should break,
3883 * false if it should continue.
3884 */
3885bool
3886multi_process_signal(struct multi_context *m)
3887{
3888 if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3889 {
3890 struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3891 multi_print_status(m, so, m->status_file_version);
3892 status_close(so);
3893 return false;
3894 }
3895 else if (has_udp_in_local_list(&m->top.options) && is_exit_restart(m->top.sig->signal_received)
3896 && (m->deferred_shutdown_signal.signal_received == 0)
3897 && m->top.options.ce.explicit_exit_notification != 0)
3898 {
3899 multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3900 return false;
3901 }
3902 return true;
3903}
3904
3905/*
3906 * Management subsystem callbacks
3907 */
3908#ifdef ENABLE_MANAGEMENT
3909
3910static void
3911management_callback_status(void *arg, const int version, struct status_output *so)
3912{
3913 struct multi_context *m = (struct multi_context *)arg;
3914
3915 if (!version)
3916 {
3917 multi_print_status(m, so, m->status_file_version);
3918 }
3919 else
3920 {
3921 multi_print_status(m, so, version);
3922 }
3923}
3924
3925static int
3926management_callback_n_clients(void *arg)
3927{
3928 struct multi_context *m = (struct multi_context *)arg;
3929 return m->n_clients;
3930}
3931
3932static int
3933management_callback_kill_by_cn(void *arg, const char *del_cn)
3934{
3935 struct multi_context *m = (struct multi_context *)arg;
3936 struct hash_iterator hi;
3937 struct hash_element *he;
3938 int count = 0;
3939
3940 hash_iterator_init(m->iter, &hi);
3941 while ((he = hash_iterator_next(&hi)))
3942 {
3943 struct multi_instance *mi = (struct multi_instance *)he->value;
3944 if (!mi->halt)
3945 {
3946 const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3947 if (cn && !strcmp(cn, del_cn))
3948 {
3949 multi_signal_instance(m, mi, SIGTERM);
3950 ++count;
3951 }
3952 }
3953 }
3954 hash_iterator_free(&hi);
3955 return count;
3956}
3957
3958static int
3959management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
3960{
3961 struct multi_context *m = (struct multi_context *)arg;
3962 struct hash_iterator hi;
3963 struct hash_element *he;
3964 struct openvpn_sockaddr saddr;
3965 struct mroute_addr maddr;
3966 int count = 0;
3967
3968 CLEAR(saddr);
3969 saddr.addr.in4.sin_family = AF_INET;
3970 saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3971 saddr.addr.in4.sin_port = htons(port);
3972 if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3973 {
3974 maddr.proto = proto;
3975 hash_iterator_init(m->iter, &hi);
3976 while ((he = hash_iterator_next(&hi)))
3977 {
3978 struct multi_instance *mi = (struct multi_instance *)he->value;
3979 if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3980 {
3981 multi_signal_instance(m, mi, SIGTERM);
3982 ++count;
3983 }
3984 }
3985 hash_iterator_free(&hi);
3986 }
3987 return count;
3988}
3989
3990#if defined(__GNUC__) || defined(__clang__)
3991#pragma GCC diagnostic pop
3992#endif
3993
3994static void
3995management_delete_event(void *arg, event_t event)
3996{
3997 struct multi_context *m = (struct multi_context *)arg;
3998 if (m->multi_io)
3999 {
4000 multi_tcp_delete_event(m->multi_io, event);
4001 }
4002}
4003
4004struct multi_instance *
4005lookup_by_cid(struct multi_context *m, const unsigned long cid)
4006{
4007 if (m)
4008 {
4009 struct multi_instance *mi = (struct multi_instance *)hash_lookup(m->cid_hash, &cid);
4010 if (mi && !mi->halt)
4011 {
4012 return mi;
4013 }
4014 }
4015 return NULL;
4016}
4017
4018static bool
4019management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
4020{
4021 struct multi_context *m = (struct multi_context *)arg;
4022 struct multi_instance *mi = lookup_by_cid(m, cid);
4023 if (mi)
4024 {
4025 send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
4026 multi_schedule_context_wakeup(m, mi);
4027 return true;
4028 }
4029 else
4030 {
4031 return false;
4032 }
4033}
4034
4035static bool
4036management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4037 const char *extra, unsigned int timeout)
4038{
4039 struct multi_context *m = (struct multi_context *)arg;
4040 struct multi_instance *mi = lookup_by_cid(m, cid);
4041
4042 if (mi)
4043 {
4044 struct tls_multi *multi = mi->context.c2.tls_multi;
4045 struct tls_session *session;
4046
4047 if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4048 {
4049 session = &multi->session[TM_INITIAL];
4050 }
4051 else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4052 {
4053 session = &multi->session[TM_ACTIVE];
4054 }
4055 else
4056 {
4057 return false;
4058 }
4059
4060 /* sends INFO_PRE and AUTH_PENDING messages to client */
4061 bool ret = send_auth_pending_messages(multi, session, extra, timeout);
4062 reschedule_multi_process(&mi->context);
4063 multi_schedule_context_wakeup(m, mi);
4064 return ret;
4065 }
4066 return false;
4067}
4068
4069
4070static bool
4071management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4072 const bool auth, const char *reason, const char *client_reason,
4073 struct buffer_list *cc_config) /* ownership transferred */
4074{
4075 struct multi_context *m = (struct multi_context *)arg;
4076 struct multi_instance *mi = lookup_by_cid(m, cid);
4077 bool cc_config_owned = true;
4078 bool ret = false;
4079
4080 if (mi)
4081 {
4082 ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4083 if (ret)
4084 {
4085 if (auth)
4086 {
4087 if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4088 {
4089 set_cc_config(mi, cc_config);
4090 cc_config_owned = false;
4091 }
4092 }
4093 else if (reason)
4094 {
4095 msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason,
4096 np(client_reason));
4097 }
4098 }
4099 }
4100 if (cc_config_owned && cc_config)
4101 {
4102 buffer_list_free(cc_config);
4103 }
4104 return ret;
4105}
4106
4107static char *
4108management_get_peer_info(void *arg, const unsigned long cid)
4109{
4110 struct multi_context *m = (struct multi_context *)arg;
4111 struct multi_instance *mi = lookup_by_cid(m, cid);
4112 char *ret = NULL;
4113
4114 if (mi)
4115 {
4116 ret = mi->context.c2.tls_multi->peer_info;
4117 }
4118
4119 return ret;
4120}
4121
4122#endif /* ifdef ENABLE_MANAGEMENT */
4123
4124
4125void
4151
4152void
4153multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4154{
4155 /* max_clients must be less then max peer-id value */
4156 ASSERT(m->max_clients < MAX_PEER_ID);
4157
4158 for (int i = 0; i < m->max_clients; ++i)
4159 {
4160 if (!m->instances[i])
4161 {
4162 mi->context.c2.tls_multi->peer_id = i;
4163 m->instances[i] = mi;
4164 break;
4165 }
4166 }
4167
4168 /* should not really end up here, since multi_create_instance returns null
4169 * if amount of clients exceeds max_clients */
4170 ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4171}
4172
4173/**************************************************************************/
4180static void
4181tunnel_server_loop(struct multi_context *multi)
4182{
4183 int status;
4184
4185 while (true)
4186 {
4187 perf_push(PERF_EVENT_LOOP);
4188
4189 /* wait on tun/socket list */
4190 multi_get_timeout(multi, &multi->top.c2.timeval);
4191 status = multi_io_wait(multi);
4192 MULTI_CHECK_SIG(multi);
4193
4194 /* check on status of coarse timers */
4195 multi_process_per_second_timers(multi);
4196
4197 /* timeout? */
4198 if (status > 0)
4199 {
4200 /* process the I/O which triggered select */
4201 multi_io_process_io(multi);
4202 }
4203 else if (status == 0)
4204 {
4205 multi_io_action(multi, NULL, TA_TIMEOUT, false);
4206 }
4207
4208 MULTI_CHECK_SIG(multi);
4209 perf_pop();
4210 }
4211}
4212
4213/*
4214 * Top level event loop.
4215 */
4216void
4217tunnel_server(struct context *top)
4218{
4219 ASSERT(top->options.mode == MODE_SERVER);
4220
4221 struct multi_context multi;
4222
4223 top->mode = CM_TOP;
4224 top->multi = &multi;
4225 context_clear_2(top);
4226
4227 /* initialize top-tunnel instance */
4228 init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP);
4229 if (IS_SIG(top))
4230 {
4231 return;
4232 }
4233
4234 /* initialize global multi_context object */
4235 multi_init(top);
4236
4237 /* initialize our cloned top object */
4238 multi_top_init(top);
4239
4240 /* initialize management interface */
4241 init_management_callback_multi(&multi);
4242
4243 /* finished with initialization */
4244 initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */
4245
4246#ifdef ENABLE_ASYNC_PUSH
4247 multi.top.c2.inotify_fd = inotify_init();
4248 if (multi.top.c2.inotify_fd < 0)
4249 {
4250 msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
4251 }
4252#endif
4253
4254 tunnel_server_loop(&multi);
4255
4256#ifdef ENABLE_ASYNC_PUSH
4257 close(top->c2.inotify_fd);
4258#endif
4259
4260 /* shut down management interface */
4261 uninit_management_callback();
4262
4263 /* save ifconfig-pool */
4264 multi_ifconfig_pool_persist(&multi, true);
4265
4266 /* tear down tunnel instance (unless --persist-tun) */
4267 multi_uninit(&multi);
4268 multi_top_free(&multi);
4269 close_instance(top);
4270}
4271
4279void
4280update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6)
4281{
4282 struct in_addr addr;
4283 struct in6_addr new_ipv6;
4284
4285 if ((mi->context.options.ifconfig_local && (!old_ip || strcmp(old_ip, mi->context.options.ifconfig_local)))
4286 && inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr) == 1)
4287 {
4288 in_addr_t new_ip = ntohl(addr.s_addr);
4289
4290 /* Add new IP */
4291 multi_learn_in_addr_t(m, mi, new_ip, -1, true);
4292 }
4293
4294 /* TO DO:
4295 * else if (old_ip)
4296 * {
4297 * // remove old IP
4298 * }
4299 */
4300
4301 if ((mi->context.options.ifconfig_ipv6_local && (!old_ipv6 || strcmp(old_ipv6, mi->context.options.ifconfig_ipv6_local)))
4302 && inet_pton(AF_INET6, mi->context.options.ifconfig_ipv6_local, &new_ipv6) == 1)
4303 {
4304 /* Add new IPv6 */
4305 multi_learn_in6_addr(m, mi, new_ipv6, -1, true);
4306 }
4307
4308 /* TO DO:
4309 * else if (old_ipv6)
4310 * {
4311 * // remove old IPv6
4312 * }
4313 */
4314}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:161
auth_token.h
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1158
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1037
BSTR
#define BSTR(buf)
Definition buffer.h:128
buf_reset
static void buf_reset(struct buffer *buf)
Definition buffer.h:303
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
BLEN
#define BLEN(buf)
Definition buffer.h:126
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
key1
static const char *const key1
Definition cert_data.h:55
CCD_DEFAULT
#define CCD_DEFAULT
Definition common.h:61
counter_format
#define counter_format
Definition common.h:30
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition config.h:53
get_random
long int get_random(void)
Definition crypto.c:1725
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition crypto.c:1799
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
crypto_backend.h
Data Channel Cryptography SSL library-specific backend interface.
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:811
dco_get_peer_stats_multi
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:371
dco_do_read
static int dco_do_read(dco_context_t *dco)
Definition dco.h:311
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:361
dco_check_option
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:276
dco_context_t
void * dco_context_t
Definition dco.h:261
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:355
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:366
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition env_set.c:283
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition errlevel.h:64
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition errlevel.h:153
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:63
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition errlevel.h:89
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition errlevel.h:101
D_DCO
#define D_DCO
Definition errlevel.h:93
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition errlevel.h:126
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:100
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:117
D_MULTI_LOW
#define D_MULTI_LOW
Definition errlevel.h:85
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
D_GREMLIN
#define D_GREMLIN
Definition errlevel.h:77
EVENT_ARG_MULTI_INSTANCE
@ EVENT_ARG_MULTI_INSTANCE
Definition event.h:137
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:397
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:404
pre_select
void pre_select(struct context *c)
Definition forward.c:1979
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1658
extract_dco_float_peer_addr
void extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr, const struct sockaddr *float_sa)
Transfers float_sa data extracted from an incoming DCO PEER_FLOAT_NTF to out_osaddr for later process...
Definition forward.c:1227
forward.h
Interface functions to the internal and external multiplexers.
PIP_MSSFIX
#define PIP_MSSFIX
Definition forward.h:319
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:324
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:333
ANY_OUT
#define ANY_OUT(c)
Definition forward.h:39
register_activity
static void register_activity(struct context *c, const int size)
Definition forward.h:346
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition forward.h:318
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:546
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:620
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition multi.c:4217
tunnel_server_loop
static void tunnel_server_loop(struct multi_context *multi)
Main event loop for OpenVPN in point-to-multipoint server mode.
Definition multi.c:4181
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:991
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1130
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition multi.c:3351
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition mudp.c:195
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1470
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition multi.c:3551
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4435
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1552
close_instance
void close_instance(struct context *c)
Definition init.c:4775
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4936
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3705
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4461
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2605
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4848
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:88
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4982
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3680
management_show_net_callback
void management_show_net_callback(void *arg, const msglvl_t msglevel)
Definition init.c:4285
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:115
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
ISC_SERVER
#define ISC_SERVER
Definition init.h:127
constrain_uint
static unsigned int constrain_uint(unsigned int x, unsigned int min, unsigned int max)
Definition integer.h:139
min_int
static int min_int(int x, int y)
Definition integer.h:105
status
static SERVICE_STATUS status
Definition interactive.c:51
route
@ route
Definition interactive.c:85
read
@ read
Definition interactive.c:211
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:47
ETT_DEFAULT
#define ETT_DEFAULT
Definition interval.h:222
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition list.c:270
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition list.c:276
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition list.c:308
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition list.c:79
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition list.c:234
hash_init
struct hash * hash_init(const uint32_t n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition list.c:37
hash_free
void hash_free(struct hash *hash)
Definition list.c:60
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition list.c:137
hash_iterator_init_range
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, uint32_t start_bucket, uint32_t end_bucket)
Definition list.c:213
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition list.h:161
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition list.h:128
hash_n_elements
static uint32_t hash_n_elements(const struct hash *hash)
Definition list.h:110
hash_n_buckets
static uint32_t hash_n_buckets(const struct hash *hash)
Definition list.h:116
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition list.h:104
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition list.h:146
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3033
management_check_bytecount_server
void management_check_bytecount_server(struct multi_context *multi)
Definition manage.c:4194
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3045
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3023
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2780
MCF_SERVER
#define MCF_SERVER
Definition manage.h:175
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition mbuf.c:97
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition mbuf.c:73
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition mbuf.c:84
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition mbuf.c:160
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition mbuf.c:119
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition mbuf.c:57
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition mbuf.c:43
MF_UNICAST
#define MF_UNICAST
Definition mbuf.h:45
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition mbuf.h:91
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition mroute.c:323
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:525
mroute_addr_print_ex
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition mroute.c:382
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition mroute.c:259
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition mroute.c:376
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition mroute.c:363
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:540
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition mroute.c:63
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition mroute.c:370
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition mroute.c:487
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition mroute.c:38
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition mroute.c:560
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition mroute.h:37
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition mroute.h:39
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition mroute.h:179
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition mroute.h:69
MR_WITH_PROTO
#define MR_WITH_PROTO
Definition mroute.h:75
mroute_extract_in_addr_t
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition mroute.h:240
mroute_addr_equal
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition mroute.h:205
MAPF_SHOW_FAMILY
#define MAPF_SHOW_FAMILY
Definition mroute.h:154
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition mroute.h:38
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition mroute.h:62
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition mroute.h:63
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition mtcp.c:133
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_io *multi_io, event_t event)
Definition mtcp.c:139
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition mtcp.c:107
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi)
Definition mtcp.c:148
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:178
np
static const char * np(const char *str)
Definition multi-auth.c:146
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition multi.c:1052
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2970
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2462
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition multi.c:226
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition multi.c:1924
multi_process_float
static void multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
Handles peer floating.
Definition multi.c:3112
multi_reap_range
static void multi_reap_range(const struct multi_context *m, uint32_t start_bucket, uint32_t end_bucket)
Definition multi.c:172
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition multi.c:731
multi_add_iroutes
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1297
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition multi.c:161
multi_top_free
static void multi_top_free(struct multi_context *m)
Definition multi.c:3833
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition multi.c:3223
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition multi.c:213
override_locked_username
static bool override_locked_username(struct multi_instance *mi)
Overrides the locked username with the username of –override-username.
Definition multi.c:2598
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition multi.c:3926
multi_process_signal
bool multi_process_signal(struct multi_context *m)
Definition multi.c:3886
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1432
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition multi.c:2235
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:3211
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition multi.c:3012
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2672
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition multi.c:3790
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition multi.c:1573
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_instance *mi)
Definition multi.c:1717
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition multi.c:3643
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3679
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition multi.c:3933
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition multi.c:3779
lookup_by_cid
struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition multi.c:4005
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition multi.c:4019
multi_init
static void multi_init(struct context *t)
Definition multi.c:285
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition multi.c:471
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:500
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition multi.c:3995
multi_client_setup_dco_initial
static bool multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc)
Definition multi.c:2293
multi_uninit
static void multi_uninit(struct multi_context *m)
Definition multi.c:683
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition multi.c:441
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition multi.c:2339
update_vhash
void update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6)
Update the vhash with new IP/IPv6 addresses in the multi_context when a push-update message containin...
Definition multi.c:4280
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition multi.c:2948
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:94
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition multi.c:2883
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition multi.c:581
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition multi.c:4036
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition multi.c:2579
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition multi.c:3846
multi_top_init
static void multi_top_init(struct context *top)
Definition multi.c:3826
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:550
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition multi.c:2029
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition multi.c:1382
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
Definition multi.c:3959
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition multi.c:4071
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, uint16_t vid)
Definition multi.c:2900
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition multi.c:2497
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition multi.c:196
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition multi.c:2864
multi_print_status
static void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition multi.c:827
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition multi.c:3733
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition multi.c:488
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition multi.c:4153
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2145
multi_reap_new
static struct multi_reap * multi_reap_new(uint32_t buckets_per_pass)
Definition multi.c:202
multi_client_connect_source_ccd
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition multi.c:2529
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2055
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition multi.c:1619
multi_delete_dup
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition multi.c:1342
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition multi.c:1141
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition multi.c:4126
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition multi.c:1956
reap_buckets_per_pass
static uint32_t reap_buckets_per_pass(uint32_t n_buckets)
Definition multi.c:235
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition multi.c:4108
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition multi.c:2194
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition multi.c:1747
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition multi.c:1645
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition multi.c:1216
is_exit_restart
static bool is_exit_restart(int sig)
Definition multi.c:3840
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition multi.c:1412
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition multi.c:75
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3711
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition multi.c:250
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:1684
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition multi.c:2316
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition multi.c:1255
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition multi.c:522
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition multi.c:243
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition multi.c:3911
update_mstat_n_clients
static void update_mstat_n_clients(const int n_clients)
Definition multi.c:83
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition multi.c:2006
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition multi.c:1899
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition multi.c:2583
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:537
multi.h
Header file for server-mode related structures and functions.
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition multi.h:276
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition multi.h:227
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition multi.h:230
CC_RET_FAILED
@ CC_RET_FAILED
Definition multi.h:228
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition multi.h:231
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition multi.h:229
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition multi.h:393
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition multi.h:45
MULTI_CHECK_SIG
#define MULTI_CHECK_SIG(m)
Definition multi.h:672
REAP_MIN
#define REAP_MIN
Definition multi.h:552
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition multi.h:521
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition multi.h:480
multi_reap_process
static void multi_reap_process(const struct multi_context *m)
Definition multi.h:566
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition multi.h:433
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition multi.h:242
clear_prefix
static void clear_prefix(void)
Definition multi.h:533
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition multi.h:489
REAP_DIVISOR
#define REAP_DIVISOR
Definition multi.h:551
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition multi.h:559
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition multi.h:277
REAP_MAX
#define REAP_MAX
Definition multi.h:553
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition multi.h:470
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition multi.h:464
multi_get_timeout
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition multi.h:593
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition multi.h:653
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition multi.h:675
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition multi.h:243
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition multi.h:278
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition multi.h:275
multi_process_per_second_timers
static void multi_process_per_second_timers(struct multi_context *m)
Definition multi.h:575
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition multi.h:446
multi_io_init
struct multi_io * multi_io_init(const int maxclients)
Definition multi_io.c:116
multi_io_process_io
void multi_io_process_io(struct multi_context *m)
Definition multi_io.c:420
multi_io_free
void multi_io_free(struct multi_io *multi_io)
Definition multi_io.c:155
multi_io_wait
int multi_io_wait(struct multi_context *m)
Definition multi_io.c:166
multi_io_action
void multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll)
Definition multi_io.c:556
TA_TIMEOUT
#define TA_TIMEOUT
Definition multi_io.h:45
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition openvpn-plugin.h:130
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
Definition openvpn-plugin.h:131
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition openvpn-plugin.h:126
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition openvpn-plugin.h:125
OPENVPN_PLUGIN_CLIENT_CONNECT
#define OPENVPN_PLUGIN_CLIENT_CONNECT
Definition openvpn-plugin.h:123
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition openvpn-plugin.h:150
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition openvpn-plugin.h:148
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition openvpn-plugin.h:124
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_OPTERR
#define M_OPTERR
Definition error.h:101
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:259
M_USAGE
#define M_USAGE
Definition error.h:107
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition openvpn.h:209
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:554
CM_TOP
#define CM_TOP
Definition openvpn.h:483
options_string_import
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5537
options_server_import
void options_server_import(struct options *o, const char *filename, msglvl_t msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
title_string
const char title_string[]
Definition options.c:71
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9939
MODE_SERVER
#define MODE_SERVER
Definition options.h:261
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:742
time_string
const char * time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
Definition otime.c:109
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition otime.c:150
now
time_t now
Definition otime.c:33
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition otime.c:165
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition otime.h:68
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:136
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:23
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition ovpn_dco_linux.h:25
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition ovpn_dco_linux.h:24
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition ovpn_dco_linux.h:22
OVPN_CMD_FLOAT_PEER
@ OVPN_CMD_FLOAT_PEER
Definition ovpn_dco_win.h:160
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_win.h:159
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
Definition ovpn_dco_win.h:158
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition perf.h:47
perf_push
static void perf_push(int type)
Definition perf.h:77
PERF_EVENT_LOOP
#define PERF_EVENT_LOOP
Definition perf.h:43
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition perf.h:45
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition perf.h:51
perf_pop
static void perf_pop(void)
Definition perf.h:81
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition perf.h:44
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition platform.c:659
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition platform.c:595
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:491
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition pool.c:297
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition pool.c:349
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition pool.c:712
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition pool.c:573
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition pool.c:281
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition pool.c:586
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition pool.c:140
pool_type
pool_type
Definition pool.h:35
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition pool.h:36
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition pool.h:37
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:34
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition push.c:978
push_option
void push_option(struct options *o, const char *opt, msglvl_t msglevel)
Definition push.c:888
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:494
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:438
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1128
management_callback_send_push_update_by_cid
bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options)
Definition push_util.c:307
management_callback_send_push_update_broadcast
bool management_callback_send_push_update_broadcast(void *arg, const char *options)
Definition push_util.c:299
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition reflect_filter.c:103
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition reflect_filter.c:87
reflect_filter.h
run_command.h
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition schedule.c:430
schedule_init
struct schedule * schedule_init(void)
Definition schedule.c:415
schedule_free
void schedule_free(struct schedule *s)
Definition schedule.c:424
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition schedule.h:97
signal_reset
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition sig.c:262
remap_signal
void remap_signal(struct context *c)
Definition sig.c:588
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:175
print_signal
void print_signal(const struct signal_info *si, const char *title, msglvl_t msglevel)
Definition sig.c:290
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
IS_SIG
#define IS_SIG(c)
Definition sig.h:47
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition socket.c:1883
setenv_in_addr_t
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition socket_util.c:316
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition socket_util.c:330
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition socket_util.h:100
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4092
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1779
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1651
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition ssl_common.h:584
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:582
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition ssl_common.h:585
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:583
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:581
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:586
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:426
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition ssl_ncp.c:246
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition ssl_ncp.c:225
ncp_expanded_ciphers
const char * ncp_expanded_ciphers(struct options *o, struct gc_arena *gc)
returns the o->ncp_ciphers in brackets, e.g.
Definition ssl_ncp.c:627
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:60
ssl_util.h
SSL utility functions.
ssl_verify_username_length
bool ssl_verify_username_length(struct tls_session *session, const char *username)
Checks if the username length is valid to use.
Definition ssl_verify.c:1577
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition ssl_verify.c:1244
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition ssl_verify.c:229
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition ssl_verify.c:286
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition ssl_verify.c:132
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition ssl_verify.c:172
set_common_name
void set_common_name(struct tls_session *session, const char *common_name)
Sets the common name field for the given tunnel.
Definition ssl_verify.c:85
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
ssl_verify.h
Control Channel Verification Module.
status_trigger
bool status_trigger(struct status_output *so)
Definition status.c:124
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:218
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
status_flush
void status_flush(struct status_output *so)
Definition status.c:148
status_reset
void status_reset(struct status_output *so)
Definition status.c:139
status_close
bool status_close(struct status_output *so)
Definition status.c:179
argv
Definition argv.h:35
auth_deferred_status::auth_control_file
char * auth_control_file
Definition ssl_common.h:166
buffer_entry
Definition buffer.h:1097
buffer_entry::next
struct buffer_entry * next
Definition buffer.h:1099
buffer_entry::buf
struct buffer buf
Definition buffer.h:1098
buffer_list
Definition buffer.h:1103
buffer_list::head
struct buffer_entry * head
Definition buffer.h:1104
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
client_connect_defer_state
Detached client connection state.
Definition multi.h:72
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition multi.h:74
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition multi.h:89
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition multi.h:77
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition multi.h:83
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:147
connection_entry::fragment
int fragment
Definition options.h:138
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
context_1::status_output
struct status_output * status_output
Definition openvpn.h:185
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::push_request_received
bool push_request_received
Definition openvpn.h:427
context_2::link_read_bytes
counter_type link_read_bytes
Definition openvpn.h:266
context_2::link_write_bytes
counter_type link_write_bytes
Definition openvpn.h:269
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition openvpn.h:434
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition openvpn.h:428
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition openvpn.h:267
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:453
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition openvpn.h:270
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:437
context_2::from
struct link_socket_actual from
Definition openvpn.h:245
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition openvpn.h:436
context_2::to_link
struct buffer to_link
Definition openvpn.h:377
context_2::to_tun
struct buffer to_tun
Definition openvpn.h:376
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:435
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:432
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:431
context_2::buf
struct buffer buf
Definition openvpn.h:375
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition openvpn.h:430
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
context::multi
struct multi_context * multi
Pointer to the main P2MP context.
Definition openvpn.h:492
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
deferred_signal_schedule_entry::signal_received
int signal_received
Definition multi.h:63
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition multi.h:64
env_set
Definition env_set.h:43
event_arg::mi
struct multi_instance * mi
Definition event.h:147
event_arg::u
union event_arg::@1 u
event_arg::type
event_arg_t type
Definition event.h:144
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition fragment.h:172
frame
Packet geometry parameters.
Definition mtu.h:103
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
frame::buf
struct frame::@8 buf
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash_bucket
Definition list.h:48
hash_element
Definition list.h:40
hash_element::value
void * value
Definition list.h:41
hash_element::key
const void * key
Definition list.h:42
hash_iterator
Definition list.h:79
hash
Definition list.h:53
iroute_ipv6
Definition route.h:266
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:269
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:268
iroute_ipv6::network
struct in6_addr network
Definition route.h:267
iroute::network
in_addr_t network
Definition route.h:260
iroute::netbits
int netbits
Definition route.h:261
iroute::next
struct iroute * next
Definition route.h:262
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
key_ctx_bi::initialized
bool initialized
Definition crypto.h:285
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:263
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:269
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:259
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_info
Definition socket.h:86
link_socket_info::af
sa_family_t af
Definition socket.h:93
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
link_socket_info::proto
int proto
Definition socket.h:92
link_socket
Definition socket.h:148
link_socket::info
struct link_socket_info info
Definition socket.h:149
man_def_auth_context::cid
unsigned long cid
Definition manage.h:64
management_callback
Definition manage.h:172
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:191
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:186
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition manage.h:182
management_callback::arg
void * arg
Definition manage.h:173
management_callback::push_update_broadcast
bool(* push_update_broadcast)(void *arg, const char *options)
Definition manage.h:199
management_callback::push_update_by_cid
bool(* push_update_by_cid)(void *arg, unsigned long cid, const char *options)
Definition manage.h:200
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition manage.h:181
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:189
management_callback::n_clients
int(* n_clients)(void *arg)
Definition manage.h:183
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
management_callback::show_net
void(* show_net)(void *arg, const msglvl_t msglevel)
Definition manage.h:179
management_callback::flags
unsigned int flags
Definition manage.h:176
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:180
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:185
mbuf_buffer
Definition mbuf.h:41
mbuf_buffer::flags
unsigned int flags
Definition mbuf.h:46
mbuf_buffer::buf
struct buffer buf
Definition mbuf.h:42
mbuf_item
Definition mbuf.h:50
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition mbuf.h:51
mbuf_item::instance
struct multi_instance * instance
Definition mbuf.h:52
mbuf_set
Definition mbuf.h:56
mroute_addr
Definition mroute.h:78
mroute_addr::vid
uint16_t vid
Definition mroute.h:90
mroute_addr::v6
struct mroute_addr::@2::@6 v6
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:89
mroute_addr::proto
uint8_t proto
Definition mroute.h:80
mroute_addr::type
uint8_t type
Definition mroute.h:81
mroute_addr::port
in_port_t port
Definition mroute.h:95
mroute_addr::len
uint8_t len
Definition mroute.h:79
mroute_addr::netbits
uint8_t netbits
Definition mroute.h:82
mroute_helper
Definition mroute.h:128
mroute_helper::cache_generation
unsigned int cache_generation
Definition mroute.h:129
multi_context
Main OpenVPN server state structure.
Definition multi.h:164
multi_context::n_clients
int n_clients
Definition multi.h:190
multi_context::local
struct mroute_addr local
Definition multi.h:185
multi_context::schedule
struct schedule * schedule
Definition multi.h:175
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition multi.h:176
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition multi.h:182
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition multi.h:220
multi_context::max_clients
int max_clients
Definition multi.h:187
multi_context::reaper
struct multi_reap * reaper
Definition multi.h:184
multi_context::multi_io
struct multi_io * multi_io
I/O state and events tracker.
Definition multi.h:179
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:168
multi_context::cid_hash
struct hash * cid_hash
Definition multi.h:193
multi_context::cid_counter
unsigned long cid_counter
Definition multi.h:194
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition multi.h:213
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition multi.h:188
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition multi.h:180
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition multi.h:181
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition multi.h:203
multi_context::status_file_version
int status_file_version
Definition multi.h:189
multi_context::pending
struct multi_instance * pending
Definition multi.h:197
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition multi.h:170
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition multi.h:172
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:165
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition multi.h:199
multi_context::enable_c2c
bool enable_c2c
Definition multi.h:186
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition multi.h:198
multi_context::route_helper
struct mroute_helper * route_helper
Definition multi.h:183
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
multi_instance::cc_config
struct buffer_list * cc_config
Definition multi.h:139
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition multi.h:146
multi_instance::did_cid_hash
bool did_cid_hash
Definition multi.h:138
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition multi.h:117
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition multi.h:132
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition multi.h:125
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition multi.h:122
multi_instance::did_iroutes
bool did_iroutes
Definition multi.h:141
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition multi.h:124
multi_instance::did_real_hash
bool did_real_hash
Definition multi.h:135
multi_instance::gc
struct gc_arena gc
Definition multi.h:113
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition multi.h:133
multi_instance::wakeup
struct timeval wakeup
Definition multi.h:121
multi_instance::halt
bool halt
Definition multi.h:114
multi_instance::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition multi.h:108
multi_instance::did_iter
bool did_iter
Definition multi.h:136
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
multi_instance::n_clients_delta
int n_clients_delta
Definition multi.h:142
multi_reap
Definition multi.h:53
multi_reap::last_call
time_t last_call
Definition multi.h:56
multi_reap::buckets_per_pass
uint32_t buckets_per_pass
Definition multi.h:55
multi_reap::bucket_base
uint32_t bucket_base
Definition multi.h:54
multi_route
Definition multi.h:238
multi_route::addr
struct mroute_addr addr
Definition multi.h:239
multi_route::last_reference
time_t last_reference
Definition multi.h:247
multi_route::cache_generation
unsigned int cache_generation
Definition multi.h:246
multi_route::flags
unsigned int flags
Definition multi.h:244
multi_route::instance
struct multi_instance * instance
Definition multi.h:240
openvpn_plugin_string_list::value
char * value
Definition openvpn-plugin.h:194
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
options::comp
struct compress_options comp
Definition options.h:413
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:526
options::max_routes_per_client
int max_routes_per_client
Definition options.h:539
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:580
options::status_file_version
int status_file_version
Definition options.h:407
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:521
options::tmp_dir
const char * tmp_dir
Definition options.h:469
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:724
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:541
options::duplicate_cn
bool duplicate_cn
Definition options.h:530
options::real_hash_size
uint32_t real_hash_size
Definition options.h:502
options::use_peer_id
bool use_peer_id
Definition options.h:704
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:494
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:325
options::cf_max
int cf_max
Definition options.h:532
options::dev_type
const char * dev_type
Definition options.h:319
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:516
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:491
options::vlan_tagging
bool vlan_tagging
Definition options.h:713
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:493
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:498
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:505
options::n_bcast_buf
int n_bcast_buf
Definition options.h:512
options::ifconfig_local
const char * ifconfig_local
Definition options.h:323
options::ce
struct connection_entry ce
Definition options.h:290
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:519
options::topology
int topology
Definition options.h:322
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:581
options::virtual_hash_size
uint32_t virtual_hash_size
Definition options.h:503
options::learn_address_script
const char * learn_address_script
Definition options.h:506
options::ciphername
const char * ciphername
Definition options.h:576
options::cf_initial_max
int cf_initial_max
Definition options.h:535
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:540
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:715
options::mode
int mode
Definition options.h:262
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:500
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:522
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:517
options::gc
struct gc_arena gc
Definition options.h:253
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:520
options::cf_initial_per
int cf_initial_per
Definition options.h:536
options::force_key_material_export
bool force_key_material_export
Definition options.h:711
options::iroutes
struct iroute * iroutes
Definition options.h:514
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:527
options::client_connect_script
const char * client_connect_script
Definition options.h:504
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:524
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:513
options::override_username
const char * override_username
Definition options.h:511
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:525
options::max_clients
int max_clients
Definition options.h:538
options::enable_c2c
bool enable_c2c
Definition options.h:529
options::cf_per
int cf_per
Definition options.h:533
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:492
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:518
options::dev
const char * dev
Definition options.h:318
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:499
options::client_config_dir
const char * client_config_dir
Definition options.h:508
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:326
plugin_list
Definition plugin.h:97
plugin_return
Definition plugin.h:104
plugin_return::n
int n
Definition plugin.h:105
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
rw_handle
Definition win32.h:80
schedule_entry
Definition schedule.h:44
signal_info::signal_text
const char * signal_text
Definition sig.h:44
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
status_output
Definition status.h:49
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
tls_multi::auth_token_initial
char * auth_token_initial
The first auth-token we sent to a client.
Definition ssl_common.h:684
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:704
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:726
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:703
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:650
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:633
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:656
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:645
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:700
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:701
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:654
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
tls_session::opt
struct tls_options * opt
Definition ssl_common.h:492
tuntap::local
in_addr_t local
Definition tun.h:210
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:213
tuntap::dco
dco_context_t dco
Definition tun.h:249
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:211
user_pass
Definition misc.h:52
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
es
struct env_set * es
Definition test_pkcs11.c:138
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
i
int i
Definition test_push_update_msg.c:120
gc
struct gc_arena gc
Definition test_ssl.c:131
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:520
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition tun.h:187
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition tun.h:184
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition vlan.c:90
vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition vlan.c:270
Generated by doxygen 1.9.8