OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "pf.h"
43 #include "gremlin.h"
44 #include "mstats.h"
45 #include "ssl_verify.h"
46 #include "ssl_ncp.h"
47 #include "vlan.h"
48 #include <inttypes.h>
49 
50 #include "memdbg.h"
51 
52 
53 #include "crypto_backend.h"
54 #include "ssl_util.h"
55 
56 /*#define MULTI_DEBUG_EVENT_LOOP*/
57 
58 #ifdef MULTI_DEBUG_EVENT_LOOP
59 static const char *
60 id(struct multi_instance *mi)
61 {
62  if (mi)
63  {
64  return tls_common_name(mi->context.c2.tls_multi, false);
65  }
66  else
67  {
68  return "NULL";
69  }
70 }
71 #endif
72 
73 #ifdef ENABLE_MANAGEMENT
74 static void
76 {
78  mi->cc_config = cc_config;
79 }
80 #endif
81 
82 static inline void
83 update_mstat_n_clients(const int n_clients)
84 {
85 #ifdef ENABLE_MEMSTATS
86  if (mmap_stats)
87  {
88  mmap_stats->n_clients = n_clients;
89  }
90 #endif
91 }
92 
93 static bool
95  const struct multi_instance *mi,
96  const char *op,
97  const struct mroute_addr *addr)
98 {
99  struct gc_arena gc = gc_new();
100  struct env_set *es;
101  bool ret = true;
102  struct plugin_list *plugins;
103 
104  /* get environmental variable source */
105  if (mi && mi->context.c2.es)
106  {
107  es = mi->context.c2.es;
108  }
109  else
110  {
111  es = env_set_create(&gc);
112  }
113 
114  /* get plugin source */
115  if (mi)
116  {
117  plugins = mi->context.plugins;
118  }
119  else
120  {
121  plugins = m->top.plugins;
122  }
123 
125  {
126  struct argv argv = argv_new();
127  argv_printf(&argv, "%s %s",
128  op,
129  mroute_addr_print(addr, &gc));
130  if (mi)
131  {
132  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
133  }
134  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
135  {
136  msg(M_WARN, "WARNING: learn-address plugin call failed");
137  ret = false;
138  }
139  argv_free(&argv);
140  }
141 
143  {
144  struct argv argv = argv_new();
145  setenv_str(es, "script_type", "learn-address");
147  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
148  if (mi)
149  {
150  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
151  }
152  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
153  {
154  ret = false;
155  }
156  argv_free(&argv);
157  }
158 
159  gc_free(&gc);
160  return ret;
161 }
162 
163 void
165 {
166  /* write pool data to file */
167  if (m->ifconfig_pool
170  {
172  }
173 }
174 
175 static void
177  int start_bucket,
178  int end_bucket)
179 {
180  struct gc_arena gc = gc_new();
181  struct hash_iterator hi;
182  struct hash_element *he;
183 
184  if (start_bucket < 0)
185  {
186  start_bucket = 0;
187  end_bucket = hash_n_buckets(m->vhash);
188  }
189 
190  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
191  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
192  while ((he = hash_iterator_next(&hi)) != NULL)
193  {
194  struct multi_route *r = (struct multi_route *) he->value;
195  if (!multi_route_defined(m, r))
196  {
197  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
198  mroute_addr_print(&r->addr, &gc));
199  learn_address_script(m, NULL, "delete", &r->addr);
200  multi_route_del(r);
202  }
203  }
204  hash_iterator_free(&hi);
205  gc_free(&gc);
206 }
207 
208 static void
210 {
211  multi_reap_range(m, -1, 0);
212 }
213 
214 static struct multi_reap *
216 {
217  struct multi_reap *mr;
218  ALLOC_OBJ(mr, struct multi_reap);
219  mr->bucket_base = 0;
221  mr->last_call = now;
222  return mr;
223 }
224 
225 void
227 {
228  struct multi_reap *mr = m->reaper;
229  if (mr->bucket_base >= hash_n_buckets(m->vhash))
230  {
231  mr->bucket_base = 0;
232  }
234  mr->bucket_base += mr->buckets_per_pass;
235  mr->last_call = now;
236 }
237 
238 static void
240 {
241  free(mr);
242 }
243 
244 /*
245  * How many buckets in vhash to reap per pass.
246  */
247 static int
248 reap_buckets_per_pass(int n_buckets)
249 {
250  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
251 }
252 
253 #ifdef ENABLE_MANAGEMENT
254 
255 static uint32_t
256 cid_hash_function(const void *key, uint32_t iv)
257 {
258  const unsigned long *k = (const unsigned long *)key;
259  return (uint32_t) *k;
260 }
261 
262 static bool
263 cid_compare_function(const void *key1, const void *key2)
264 {
265  const unsigned long *k1 = (const unsigned long *)key1;
266  const unsigned long *k2 = (const unsigned long *)key2;
267  return *k1 == *k2;
268 }
269 
270 #endif
271 
272 #ifdef ENABLE_ASYNC_PUSH
273 static uint32_t
274 /*
275  * inotify watcher descriptors are used as hash value
276  */
277 int_hash_function(const void *key, uint32_t iv)
278 {
279  return (unsigned long)key;
280 }
281 
282 static bool
283 int_compare_function(const void *key1, const void *key2)
284 {
285  return (unsigned long)key1 == (unsigned long)key2;
286 }
287 #endif
288 
289 /*
290  * Main initialization function, init multi_context object.
291  */
292 void
293 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
294 {
295  int dev = DEV_TYPE_UNDEF;
296 
297  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
300 
301  /*
302  * Get tun/tap/null device type
303  */
304  dev = dev_type_enum(t->options.dev, t->options.dev_type);
305 
306  /*
307  * Init our multi_context object.
308  */
309  CLEAR(*m);
310 
311  /*
312  * Real address hash table (source port number is
313  * considered to be part of the address). Used
314  * to determine which client sent an incoming packet
315  * which is seen on the TCP/UDP socket.
316  */
318  get_random(),
321 
322  /*
323  * Virtual address hash table. Used to determine
324  * which client to route a packet to.
325  */
327  get_random(),
330 
331  /*
332  * This hash table is a clone of m->hash but with a
333  * bucket size of one so that it can be used
334  * for fast iteration through the list.
335  */
336  m->iter = hash_init(1,
337  get_random(),
340 
341 #ifdef ENABLE_MANAGEMENT
343  0,
346 #endif
347 
348 #ifdef ENABLE_ASYNC_PUSH
349  /*
350  * Mapping between inotify watch descriptors and
351  * multi_instances.
352  */
353  m->inotify_watchers = hash_init(t->options.real_hash_size,
354  get_random(),
355  int_hash_function,
356  int_compare_function);
357 #endif
358 
359  /*
360  * This is our scheduler, for time-based wakeup
361  * events.
362  */
363  m->schedule = schedule_init();
364 
365  /*
366  * Limit frequency of incoming connections to control
367  * DoS.
368  */
370  t->options.cf_per);
371 
372  /*
373  * Allocate broadcast/multicast buffer list
374  */
376 
377  /*
378  * Different status file format options are available
379  */
381 
382  /*
383  * Possibly allocate an ifconfig pool, do it
384  * differently based on whether a tun or tap style
385  * tunnel.
386  */
389  {
391 
392  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
393  {
394  pool_type = IFCONFIG_POOL_30NET;
395  }
396 
398  pool_type,
405 
406  /* reload pool data from file */
407  if (t->c1.ifconfig_pool_persist)
408  {
410  }
411  }
412 
413  /*
414  * Help us keep track of routing table.
415  */
417 
418  /*
419  * Initialize route and instance reaper.
420  */
422 
423  /*
424  * Get local ifconfig address
425  */
426  CLEAR(m->local);
427  ASSERT(t->c1.tuntap);
429 
430  /*
431  * Per-client limits
432  */
434 
435  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
436 
437  /*
438  * Initialize multi-socket TCP I/O wait object
439  */
440  if (tcp_mode)
441  {
443  }
445 
446  /*
447  * Allow client <-> client communication, without going through
448  * tun/tap interface and network stack?
449  */
450  m->enable_c2c = t->options.enable_c2c;
451 
452  /* initialize stale routes check timer */
454  {
455  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
458  }
459 
461 }
462 
463 const char *
464 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
465 {
466  if (mi)
467  {
468  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
469  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
470 
471  if (cn)
472  {
473  buf_printf(&out, "%s/", cn);
474  }
475  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
476  return BSTR(&out);
477  }
478  else if (null)
479  {
480  return NULL;
481  }
482  else
483  {
484  return "UNDEF";
485  }
486 }
487 
488 static void
490 {
491  struct gc_arena gc = gc_new();
492  const char *prefix = multi_instance_string(mi, true, &gc);
493  if (prefix)
494  {
495  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
496  }
497  else
498  {
499  mi->msg_prefix[0] = '\0';
500  }
501  set_prefix(mi);
502  gc_free(&gc);
503 }
504 
505 void
507 {
508  mi->msg_prefix[0] = '\0';
509  set_prefix(mi);
510 }
511 
512 static const char *
513 mi_prefix(const struct multi_instance *mi)
514 {
515  if (mi && mi->msg_prefix[0])
516  {
517  return mi->msg_prefix;
518  }
519  else
520  {
521  return "UNDEF_I";
522  }
523 }
524 
525 /*
526  * Tell the route helper about deleted iroutes so
527  * that it can update its mask of currently used
528  * CIDR netlengths.
529  */
530 static void
532  struct multi_instance *mi)
533 {
534  const struct iroute *ir;
535  const struct iroute_ipv6 *ir6;
537  {
538  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
539  {
541  }
542 
543  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
544  {
546  }
547  }
548 }
549 
550 static void
552 {
553  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
554  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
555 }
556 
557 static void
559 {
560  /* setenv client real IP address */
562 
563  /* setenv stats */
564  setenv_stats(&mi->context);
565 
566  /* setenv connection duration */
567  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
568 }
569 
570 static void
572 {
574 
576  {
578  {
579  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
580  }
581  }
582 
584  {
585  struct argv argv = argv_new();
586  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
588  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
589  argv_free(&argv);
590  }
591 #ifdef ENABLE_MANAGEMENT
592  if (management)
593  {
595  }
596 #endif
597 }
598 
599 void
601  struct multi_instance *mi,
602  bool shutdown)
603 {
605 
606  ASSERT(!mi->halt);
607  mi->halt = true;
608 
609  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
610 
611  /* adjust current client connection count */
612  m->n_clients += mi->n_clients_delta;
614  mi->n_clients_delta = 0;
615 
616  /* prevent dangling pointers */
617  if (m->pending == mi)
618  {
619  multi_set_pending(m, NULL);
620  }
621  if (m->earliest_wakeup == mi)
622  {
623  m->earliest_wakeup = NULL;
624  }
625 
626  if (!shutdown)
627  {
628  if (mi->did_real_hash)
629  {
630  ASSERT(hash_remove(m->hash, &mi->real));
631  }
632  if (mi->did_iter)
633  {
634  ASSERT(hash_remove(m->iter, &mi->real));
635  }
636 #ifdef ENABLE_MANAGEMENT
637  if (mi->did_cid_hash)
638  {
640  }
641 #endif
642 
643 #ifdef ENABLE_ASYNC_PUSH
644  if (mi->inotify_watch != -1)
645  {
646  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
647  mi->inotify_watch = -1;
648  }
649 #endif
650 
651  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
652  {
653  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
654  }
655 
656  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
657 
658  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
659 
660  if (mi->did_iroutes)
661  {
662  multi_del_iroutes(m, mi);
663  mi->did_iroutes = false;
664  }
665 
666  if (m->mtcp)
667  {
669  }
670 
672  }
673 
674 #ifdef ENABLE_MANAGEMENT
675  set_cc_config(mi, NULL);
676 #endif
678  {
680  }
681 
683 
685 
686  ungenerate_prefix(mi);
687 
688  /*
689  * Don't actually delete the instance memory allocation yet,
690  * because virtual routes may still point to it. Let the
691  * vhash reaper deal with it.
692  */
694 
695  perf_pop();
696 }
697 
698 /*
699  * Called on shutdown or restart.
700  */
701 void
703 {
704  if (m->hash)
705  {
706  struct hash_iterator hi;
707  struct hash_element *he;
708 
709  hash_iterator_init(m->iter, &hi);
710  while ((he = hash_iterator_next(&hi)))
711  {
712  struct multi_instance *mi = (struct multi_instance *) he->value;
713  mi->did_iter = false;
714  multi_close_instance(m, mi, true);
715  }
716  hash_iterator_free(&hi);
717 
718  multi_reap_all(m);
719 
720  hash_free(m->hash);
721  hash_free(m->vhash);
722  hash_free(m->iter);
723 #ifdef ENABLE_MANAGEMENT
724  hash_free(m->cid_hash);
725 #endif
726  m->hash = NULL;
727 
728  free(m->instances);
729 
730 #ifdef ENABLE_ASYNC_PUSH
731  hash_free(m->inotify_watchers);
732  m->inotify_watchers = NULL;
733 #endif
734 
736  mbuf_free(m->mbuf);
741  multi_tcp_free(m->mtcp);
742  }
743 }
744 
745 /*
746  * Create a client instance object for a newly connected client.
747  */
748 struct multi_instance *
750 {
751  struct gc_arena gc = gc_new();
752  struct multi_instance *mi;
753 
755 
756  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
757 
758  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
759 
760  mi->gc = gc_new();
762  mi->vaddr_handle = -1;
763  mi->created = now;
764  mroute_addr_init(&mi->real);
765 
766  if (real)
767  {
768  mi->real = *real;
769  generate_prefix(mi);
770  }
771 
772  inherit_context_child(&mi->context, &m->top);
773  if (IS_SIG(&mi->context))
774  {
775  goto err;
776  }
777 
779 
780  if (hash_n_elements(m->hash) >= m->max_clients)
781  {
782  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
783  goto err;
784  }
785 
786  if (!real) /* TCP mode? */
787  {
789  {
790  goto err;
791  }
792  generate_prefix(mi);
793  }
794 
795  if (!hash_add(m->iter, &mi->real, mi, false))
796  {
797  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
798  mroute_addr_print(&mi->real, &gc));
799  goto err;
800  }
801  mi->did_iter = true;
802 
803 #ifdef ENABLE_MANAGEMENT
804  do
805  {
806  mi->context.c2.mda_context.cid = m->cid_counter++;
807  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
808  mi->did_cid_hash = true;
809 #endif
810 
811  mi->context.c2.push_request_received = false;
812 #ifdef ENABLE_ASYNC_PUSH
813  mi->inotify_watch = -1;
814 #endif
815 
816  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
817  {
818  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
819  goto err;
820  }
821 
822  perf_pop();
823  gc_free(&gc);
824  return mi;
825 
826 err:
827  multi_close_instance(m, mi, false);
828  perf_pop();
829  gc_free(&gc);
830  return NULL;
831 }
832 
833 /*
834  * Dump tables -- triggered by SIGUSR2.
835  * If status file is defined, write to file.
836  * If status file is NULL, write to syslog.
837  */
838 void
839 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
840 {
841  if (m->hash)
842  {
843  struct gc_arena gc_top = gc_new();
844  struct hash_iterator hi;
845  const struct hash_element *he;
846 
847  status_reset(so);
848 
849  if (version == 1) /* WAS: m->status_file_version */
850  {
851  /*
852  * Status file version 1
853  */
854  status_printf(so, "OpenVPN CLIENT LIST");
855  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
856  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
857  hash_iterator_init(m->hash, &hi);
858  while ((he = hash_iterator_next(&hi)))
859  {
860  struct gc_arena gc = gc_new();
861  const struct multi_instance *mi = (struct multi_instance *) he->value;
862 
863  if (!mi->halt)
864  {
865  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
866  tls_common_name(mi->context.c2.tls_multi, false),
867  mroute_addr_print(&mi->real, &gc),
870  time_string(mi->created, 0, false, &gc));
871  }
872  gc_free(&gc);
873  }
874  hash_iterator_free(&hi);
875 
876  status_printf(so, "ROUTING TABLE");
877  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
878  hash_iterator_init(m->vhash, &hi);
879  while ((he = hash_iterator_next(&hi)))
880  {
881  struct gc_arena gc = gc_new();
882  const struct multi_route *route = (struct multi_route *) he->value;
883 
884  if (multi_route_defined(m, route))
885  {
886  const struct multi_instance *mi = route->instance;
887  const struct mroute_addr *ma = &route->addr;
888  char flags[2] = {0, 0};
889 
890  if (route->flags & MULTI_ROUTE_CACHE)
891  {
892  flags[0] = 'C';
893  }
894  status_printf(so, "%s%s,%s,%s,%s",
895  mroute_addr_print(ma, &gc),
896  flags,
897  tls_common_name(mi->context.c2.tls_multi, false),
898  mroute_addr_print(&mi->real, &gc),
899  time_string(route->last_reference, 0, false, &gc));
900  }
901  gc_free(&gc);
902  }
903  hash_iterator_free(&hi);
904 
905  status_printf(so, "GLOBAL STATS");
906  if (m->mbuf)
907  {
908  status_printf(so, "Max bcast/mcast queue length,%d",
910  }
911 
912  status_printf(so, "END");
913  }
914  else if (version == 2 || version == 3)
915  {
916  const char sep = (version == 3) ? '\t' : ',';
917 
918  /*
919  * Status file version 2 and 3
920  */
921  status_printf(so, "TITLE%c%s", sep, title_string);
922  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
923  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
924  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
925  hash_iterator_init(m->hash, &hi);
926  while ((he = hash_iterator_next(&hi)))
927  {
928  struct gc_arena gc = gc_new();
929  const struct multi_instance *mi = (struct multi_instance *) he->value;
930 
931  if (!mi->halt)
932  {
933  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
934 #ifdef ENABLE_MANAGEMENT
935  "%lu"
936 #else
937  ""
938 #endif
939  "%c%" PRIu32 "%c%s",
940  sep, tls_common_name(mi->context.c2.tls_multi, false),
941  sep, mroute_addr_print(&mi->real, &gc),
944  sep, mi->context.c2.link_read_bytes,
945  sep, mi->context.c2.link_write_bytes,
946  sep, time_string(mi->created, 0, false, &gc),
947  sep, (unsigned int)mi->created,
948  sep, tls_username(mi->context.c2.tls_multi, false),
949 #ifdef ENABLE_MANAGEMENT
950  sep, mi->context.c2.mda_context.cid,
951 #else
952  sep,
953 #endif
954  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
956  }
957  gc_free(&gc);
958  }
959  hash_iterator_free(&hi);
960 
961  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
962  sep, sep, sep, sep, sep, sep);
963  hash_iterator_init(m->vhash, &hi);
964  while ((he = hash_iterator_next(&hi)))
965  {
966  struct gc_arena gc = gc_new();
967  const struct multi_route *route = (struct multi_route *) he->value;
968 
969  if (multi_route_defined(m, route))
970  {
971  const struct multi_instance *mi = route->instance;
972  const struct mroute_addr *ma = &route->addr;
973  char flags[2] = {0, 0};
974 
975  if (route->flags & MULTI_ROUTE_CACHE)
976  {
977  flags[0] = 'C';
978  }
979  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
980  sep, mroute_addr_print(ma, &gc), flags,
981  sep, tls_common_name(mi->context.c2.tls_multi, false),
982  sep, mroute_addr_print(&mi->real, &gc),
983  sep, time_string(route->last_reference, 0, false, &gc),
984  sep, (unsigned int)route->last_reference);
985  }
986  gc_free(&gc);
987  }
988  hash_iterator_free(&hi);
989 
990  if (m->mbuf)
991  {
992  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
993  sep, sep, mbuf_maximum_queued(m->mbuf));
994  }
995 
996  status_printf(so, "END");
997  }
998  else
999  {
1000  status_printf(so, "ERROR: bad status format version number");
1001  }
1002 
1003 #ifdef PACKET_TRUNCATION_CHECK
1004  {
1005  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1006  hash_iterator_init(m->hash, &hi);
1007  while ((he = hash_iterator_next(&hi)))
1008  {
1009  struct gc_arena gc = gc_new();
1010  const struct multi_instance *mi = (struct multi_instance *) he->value;
1011 
1012  if (!mi->halt)
1013  {
1015  tls_common_name(mi->context.c2.tls_multi, false),
1016  m->top.c2.n_trunc_tun_read,
1017  mi->context.c2.n_trunc_tun_write,
1018  mi->context.c2.n_trunc_pre_encrypt,
1019  mi->context.c2.n_trunc_post_decrypt);
1020  }
1021  gc_free(&gc);
1022  }
1023  hash_iterator_free(&hi);
1024  }
1025 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1026 
1027  status_flush(so);
1028  gc_free(&gc_top);
1029  }
1030 
1031 #ifdef ENABLE_ASYNC_PUSH
1032  if (m->inotify_watchers)
1033  {
1034  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1035  }
1036 #endif
1037 }
1038 
1039 /*
1040  * Learn a virtual address or route.
1041  * The learn will fail if the learn address
1042  * script/plugin fails. In this case the
1043  * return value may be != mi.
1044  * Return the instance which owns this route,
1045  * or NULL if none.
1046  */
1047 static struct multi_instance *
1049  struct multi_instance *mi,
1050  const struct mroute_addr *addr,
1051  const unsigned int flags)
1052 {
1053  struct hash_element *he;
1054  const uint32_t hv = hash_value(m->vhash, addr);
1055  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1056  struct multi_route *oldroute = NULL;
1057  struct multi_instance *owner = NULL;
1058  struct gc_arena gc = gc_new();
1059 
1060  /* if route currently exists, get the instance which owns it */
1061  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1062  if (he)
1063  {
1064  oldroute = (struct multi_route *) he->value;
1065  }
1066  if (oldroute && multi_route_defined(m, oldroute))
1067  {
1068  owner = oldroute->instance;
1069  }
1070 
1071  /* do we need to add address to hash table? */
1072  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1073  && !mroute_addr_equal(addr, &m->local))
1074  {
1075  struct multi_route *newroute;
1076  bool learn_succeeded = false;
1077 
1078  ALLOC_OBJ(newroute, struct multi_route);
1079  newroute->addr = *addr;
1080  newroute->instance = mi;
1081  newroute->flags = flags;
1082  newroute->last_reference = now;
1083  newroute->cache_generation = 0;
1084 
1085  /* The cache is invalidated when cache_generation is incremented */
1086  if (flags & MULTI_ROUTE_CACHE)
1087  {
1089  }
1090 
1091  if (oldroute) /* route already exists? */
1092  {
1093  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1094  {
1095  learn_succeeded = true;
1096  owner = mi;
1098  route_quota_inc(mi);
1099 
1100  /* delete old route */
1101  multi_route_del(oldroute);
1102 
1103  /* modify hash table entry, replacing old route */
1104  he->key = &newroute->addr;
1105  he->value = newroute;
1106  }
1107  }
1108  else
1109  {
1110  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1111  {
1112  learn_succeeded = true;
1113  owner = mi;
1115  route_quota_inc(mi);
1116 
1117  /* add new route */
1118  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1119  }
1120  }
1121 
1122  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1123  learn_succeeded ? "" : " FAILED",
1124  mroute_addr_print(&newroute->addr, &gc),
1125  multi_instance_string(mi, false, &gc));
1126 
1127  if (!learn_succeeded)
1128  {
1129  free(newroute);
1130  }
1131  }
1132  gc_free(&gc);
1133 
1134  return owner;
1135 }
1136 
1137 /*
1138  * Get client instance based on virtual address.
1139  */
1140 static struct multi_instance *
1142  const struct mroute_addr *addr,
1143  bool cidr_routing)
1144 {
1145  struct multi_route *route;
1146  struct multi_instance *ret = NULL;
1147 
1148  /* check for local address */
1149  if (mroute_addr_equal(addr, &m->local))
1150  {
1151  return NULL;
1152  }
1153 
1154  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1155 
1156  /* does host route (possible cached) exist? */
1157  if (route && multi_route_defined(m, route))
1158  {
1159  struct multi_instance *mi = route->instance;
1160  route->last_reference = now;
1161  ret = mi;
1162  }
1163  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1164  {
1165  struct mroute_helper *rh = m->route_helper;
1166  struct mroute_addr tryaddr;
1167  int i;
1168 
1169  /* cycle through each CIDR length */
1170  for (i = 0; i < rh->n_net_len; ++i)
1171  {
1172  tryaddr = *addr;
1173  tryaddr.type |= MR_WITH_NETBITS;
1174  tryaddr.netbits = rh->net_len[i];
1175  mroute_addr_mask_host_bits(&tryaddr);
1176 
1177  /* look up a possible route with netbits netmask */
1178  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1179 
1180  if (route && multi_route_defined(m, route))
1181  {
1182  /* found an applicable route, cache host route */
1183  struct multi_instance *mi = route->instance;
1185  ret = mi;
1186  break;
1187  }
1188  }
1189  }
1190 
1191 #ifdef ENABLE_DEBUG
1193  {
1194  struct gc_arena gc = gc_new();
1195  const char *addr_text = mroute_addr_print(addr, &gc);
1196  if (ret)
1197  {
1198  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1199  addr_text,
1200  multi_instance_string(ret, false, &gc),
1201  mroute_addr_print(&route->addr, &gc));
1202  }
1203  else
1204  {
1205  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1206  addr_text);
1207  }
1208  gc_free(&gc);
1209  }
1210 #endif
1211 
1212  ASSERT(!(ret && ret->halt));
1213  return ret;
1214 }
1215 
1216 /*
1217  * Helper function to multi_learn_addr().
1218  */
1219 static struct multi_instance *
1221  struct multi_instance *mi,
1222  in_addr_t a,
1223  int netbits, /* -1 if host route, otherwise # of network bits in address */
1224  bool primary)
1225 {
1226  struct openvpn_sockaddr remote_si;
1227  struct mroute_addr addr;
1228 
1229  CLEAR(remote_si);
1230  remote_si.addr.in4.sin_family = AF_INET;
1231  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1232  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1233 
1234  if (netbits >= 0)
1235  {
1236  addr.type |= MR_WITH_NETBITS;
1237  addr.netbits = (uint8_t) netbits;
1238  }
1239 
1240  {
1241  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1242 #ifdef ENABLE_MANAGEMENT
1243  if (management && owner)
1244  {
1245  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1246  }
1247 #endif
1248  return owner;
1249  }
1250 }
1251 
1252 static struct multi_instance *
1254  struct multi_instance *mi,
1255  struct in6_addr a6,
1256  int netbits, /* -1 if host route, otherwise # of network bits in address */
1257  bool primary)
1258 {
1259  struct mroute_addr addr;
1260 
1261  addr.len = 16;
1262  addr.type = MR_ADDR_IPV6;
1263  addr.netbits = 0;
1264  addr.v6.addr = a6;
1265 
1266  if (netbits >= 0)
1267  {
1268  addr.type |= MR_WITH_NETBITS;
1269  addr.netbits = (uint8_t) netbits;
1270  mroute_addr_mask_host_bits( &addr );
1271  }
1272 
1273  {
1274  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1275 #ifdef ENABLE_MANAGEMENT
1276  if (management && owner)
1277  {
1278  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1279  }
1280 #endif
1281  return owner;
1282  }
1283 }
1284 
1285 /*
1286  * A new client has connected, add routes (server -> client)
1287  * to internal routing table.
1288  */
1289 static void
1291  struct multi_instance *mi)
1292 {
1293  struct gc_arena gc = gc_new();
1294  const struct iroute *ir;
1295  const struct iroute_ipv6 *ir6;
1297  {
1298  mi->did_iroutes = true;
1299  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1300  {
1301  if (ir->netbits >= 0)
1302  {
1303  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1304  print_in_addr_t(ir->network, 0, &gc),
1305  ir->netbits,
1306  multi_instance_string(mi, false, &gc));
1307  }
1308  else
1309  {
1310  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1311  print_in_addr_t(ir->network, 0, &gc),
1312  multi_instance_string(mi, false, &gc));
1313  }
1314 
1316 
1317  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1318  }
1319  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1320  {
1321  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1322  print_in6_addr(ir6->network, 0, &gc),
1323  ir6->netbits,
1324  multi_instance_string(mi, false, &gc));
1325 
1327 
1328  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1329  }
1330  }
1331  gc_free(&gc);
1332 }
1333 
1334 /*
1335  * Given an instance (new_mi), delete all other instances which use the
1336  * same common name.
1337  */
1338 static void
1340 {
1341  if (new_mi)
1342  {
1343  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1344  if (new_cn)
1345  {
1346  struct hash_iterator hi;
1347  struct hash_element *he;
1348  int count = 0;
1349 
1350  hash_iterator_init(m->iter, &hi);
1351  while ((he = hash_iterator_next(&hi)))
1352  {
1353  struct multi_instance *mi = (struct multi_instance *) he->value;
1354  if (mi != new_mi && !mi->halt)
1355  {
1356  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1357  if (cn && !strcmp(cn, new_cn))
1358  {
1359  mi->did_iter = false;
1360  multi_close_instance(m, mi, false);
1362  ++count;
1363  }
1364  }
1365  }
1366  hash_iterator_free(&hi);
1367 
1368  if (count)
1369  {
1370  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1371  }
1372  }
1373  }
1374 }
1375 
1376 static void
1378 {
1379 
1380  struct gc_arena gc = gc_new();
1381  struct hash_iterator hi;
1382  struct hash_element *he;
1383 
1384  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1386  while ((he = hash_iterator_next(&hi)) != NULL)
1387  {
1388  struct multi_route *r = (struct multi_route *) he->value;
1389  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1390  {
1391  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1392  mroute_addr_print(&r->addr, &gc));
1393  learn_address_script(m, NULL, "delete", &r->addr);
1394  multi_route_del(r);
1396  }
1397  }
1398  hash_iterator_free(&hi);
1399  gc_free(&gc);
1400 }
1401 
1402 /*
1403  * Ensure that endpoint to be pushed to client
1404  * complies with --ifconfig-push-constraint directive.
1405  */
1406 static bool
1408 {
1409  const struct options *o = &c->options;
1411  {
1413  }
1414  else
1415  {
1416  return true;
1417  }
1418 }
1419 
1420 /*
1421  * Select a virtual address for a new client instance.
1422  * Use an --ifconfig-push directive, if given (static IP).
1423  * Otherwise use an --ifconfig-pool address (dynamic IP).
1424  */
1425 static void
1427 {
1428  struct gc_arena gc = gc_new();
1429 
1430  /*
1431  * If ifconfig addresses were set by dynamic config file,
1432  * release pool addresses, otherwise keep them.
1433  */
1435  {
1436  /* ifconfig addresses were set statically,
1437  * release dynamic allocation */
1438  if (mi->vaddr_handle >= 0)
1439  {
1441  mi->vaddr_handle = -1;
1442  }
1443 
1444  mi->context.c2.push_ifconfig_defined = true;
1448 
1449  /* the current implementation does not allow "static IPv4, pool IPv6",
1450  * (see below) so issue a warning if that happens - don't break the
1451  * session, though, as we don't even know if this client WANTS IPv6
1452  */
1455  {
1456  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1457  }
1458  }
1459  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1460  {
1461  in_addr_t local = 0, remote = 0;
1462  struct in6_addr remote_ipv6;
1463  const char *cn = NULL;
1464 
1465  if (!mi->context.options.duplicate_cn)
1466  {
1467  cn = tls_common_name(mi->context.c2.tls_multi, true);
1468  }
1469 
1470  CLEAR(remote_ipv6);
1471  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1472  if (mi->vaddr_handle >= 0)
1473  {
1474  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1475  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1476 
1477  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1479  ? print_in_addr_t(remote, 0, &gc)
1480  : "(Not enabled)"),
1482  ? print_in6_addr( remote_ipv6, 0, &gc )
1483  : "(Not enabled)") );
1484 
1486  {
1487  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1488  mi->context.c2.push_ifconfig_local = remote;
1489  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1490  {
1493  {
1495  }
1496  }
1497  else if (tunnel_type == DEV_TYPE_TUN)
1498  {
1499  if (tunnel_topology == TOP_P2P)
1500  {
1502  }
1503  else if (tunnel_topology == TOP_NET30)
1504  {
1506  }
1507  }
1508 
1510  {
1511  mi->context.c2.push_ifconfig_defined = true;
1512  }
1513  else
1514  {
1516  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1517  multi_instance_string(mi, false, &gc));
1518  }
1519  }
1520 
1522  {
1523  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1525  mi->context.c1.tuntap->local_ipv6;
1529  }
1530  }
1531  else
1532  {
1533  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1534  }
1535  }
1536 
1537  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1538  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1539  * will fail (because no pool will be allocated in this case).
1540  * OTOH, this doesn't make too much sense in reality - and the other
1541  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1542  * -> and so it's implemented right now
1543  */
1545  {
1553 
1554  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1557  }
1558 
1559  gc_free(&gc);
1560 }
1561 
1562 /*
1563  * Set virtual address environmental variables.
1564  */
1565 static void
1567 {
1568  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1569  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1570  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1571 
1573  {
1574  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1575  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1576 
1578  "ifconfig_pool_remote_ip",
1581 
1582  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1583  {
1585  "ifconfig_pool_netmask",
1588  }
1589  else if (tunnel_type == DEV_TYPE_TUN)
1590  {
1592  "ifconfig_pool_local_ip",
1595  }
1596  }
1597 
1598  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1599  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1600  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1601 
1603  {
1605  "ifconfig_pool_remote",
1609  "ifconfig_pool_local",
1612  setenv_int(mi->context.c2.es,
1613  "ifconfig_pool_ip6_netbits",
1615  }
1616 }
1617 
1618 /*
1619  * Called after client-connect script is called
1620  */
1621 static void
1623  struct multi_instance *mi,
1624  const char *dc_file,
1625  unsigned int *option_types_found)
1626 {
1627  /* Did script generate a dynamic config file? */
1628  if (platform_test_file(dc_file))
1629  {
1631  dc_file,
1634  option_types_found,
1635  mi->context.c2.es);
1636 
1637  /*
1638  * If the --client-connect script generates a config file
1639  * with an --ifconfig-push directive, it will override any
1640  * --ifconfig-push directive from the --client-config-dir
1641  * directory or any --ifconfig-pool dynamic address.
1642  */
1645  }
1646 }
1647 
1648 #ifdef ENABLE_PLUGIN
1649 
1650 /*
1651  * Called after client-connect plug-in is called
1652  */
1653 static void
1655  struct multi_instance *mi,
1656  const struct plugin_return *pr,
1657  unsigned int *option_types_found)
1658 {
1659  struct plugin_return config;
1660 
1661  plugin_return_get_column(pr, &config, "config");
1662 
1663  /* Did script generate a dynamic config file? */
1664  if (plugin_return_defined(&config))
1665  {
1666  int i;
1667  for (i = 0; i < config.n; ++i)
1668  {
1669  if (config.list[i] && config.list[i]->value)
1670  {
1672  config.list[i]->value,
1675  option_types_found,
1676  mi->context.c2.es);
1677  }
1678  }
1679 
1680  /*
1681  * If the --client-connect script generates a config file
1682  * with an --ifconfig-push directive, it will override any
1683  * --ifconfig-push directive from the --client-config-dir
1684  * directory or any --ifconfig-pool dynamic address.
1685  */
1688  }
1689 }
1690 
1691 #endif /* ifdef ENABLE_PLUGIN */
1692 
1693 
1694 /*
1695  * Called to load management-derived client-connect config
1696  */
1699  struct multi_instance *mi,
1700  bool deferred,
1701  unsigned int *option_types_found)
1702 {
1703  /* We never return CC_RET_DEFERRED */
1704  ASSERT(!deferred);
1706 #ifdef ENABLE_MANAGEMENT
1707  if (mi->cc_config)
1708  {
1709  struct buffer_entry *be;
1710  for (be = mi->cc_config->head; be != NULL; be = be->next)
1711  {
1712  const char *opt = BSTR(&be->buf);
1714  opt,
1717  option_types_found,
1718  mi->context.c2.es);
1719  }
1720 
1721  /*
1722  * If the --client-connect script generates a config file
1723  * with an --ifconfig-push directive, it will override any
1724  * --ifconfig-push directive from the --client-config-dir
1725  * directory or any --ifconfig-pool dynamic address.
1726  */
1729 
1730  ret = CC_RET_SUCCEEDED;
1731  }
1732 #endif /* ifdef ENABLE_MANAGEMENT */
1733  return ret;
1734 }
1735 
1736 static void
1738  struct multi_instance *mi)
1739 {
1740  struct gc_arena gc = gc_new();
1741 
1742  /* setenv incoming cert common name for script */
1743  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1744 
1745  /* setenv client real IP address */
1747 
1748  /* setenv client virtual IP address */
1750 
1751  /* setenv connection time */
1752  {
1753  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1754  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1755  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1756  }
1757 
1758  gc_free(&gc);
1759 }
1760 
1767 static bool
1769 {
1770  struct tls_multi *tls_multi = c->c2.tls_multi;
1771  const char *const peer_info = tls_multi->peer_info;
1772  struct options *o = &c->options;
1773 
1774 
1775  unsigned int proto = extract_iv_proto(peer_info);
1776  if (proto & IV_PROTO_DATA_V2)
1777  {
1778  tls_multi->use_peer_id = true;
1779  }
1780  if (proto & IV_PROTO_REQUEST_PUSH)
1781  {
1782  c->c2.push_request_received = true;
1783  }
1784 
1785 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1786  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1787  {
1789  }
1790 #endif
1791 
1792  /* Select cipher if client supports Negotiable Crypto Parameters */
1793  if (!o->ncp_enabled)
1794  {
1795  return true;
1796  }
1797 
1798  /* if we have already created our key, we cannot *change* our own
1799  * cipher -> so log the fact and push the "what we have now" cipher
1800  * (so the client is always told what we expect it to use)
1801  */
1803  {
1804  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1805  "server has already generated data channel keys, "
1806  "re-sending previously negotiated cipher '%s'",
1807  o->ciphername );
1808  return true;
1809  }
1810 
1811  /*
1812  * Push the first cipher from --data-ciphers to the client that
1813  * the client announces to be supporting.
1814  */
1815  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1816  tls_multi->remote_ciphername,
1817  &o->gc);
1818 
1819  if (push_cipher)
1820  {
1821  o->ciphername = push_cipher;
1822  return true;
1823  }
1824 
1825  /* NCP cipher negotiation failed. Try to figure out why exactly it
1826  * failed and give good error messages and potentially do a fallback
1827  * for non NCP clients */
1828  struct gc_arena gc = gc_new();
1829  bool ret = false;
1830 
1831  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1832  /* If we are in a situation where we know the client ciphers, there is no
1833  * reason to fall back to a cipher that will not be accepted by the other
1834  * side, in this situation we fail the auth*/
1835  if (strlen(peer_ciphers) > 0)
1836  {
1837  msg(M_INFO, "PUSH: No common cipher between server and client. "
1838  "Server data-ciphers: '%s', client supported ciphers '%s'",
1839  o->ncp_ciphers, peer_ciphers);
1840  }
1841  else if (tls_multi->remote_ciphername)
1842  {
1843  msg(M_INFO, "PUSH: No common cipher between server and client. "
1844  "Server data-ciphers: '%s', client supports cipher '%s'",
1845  o->ncp_ciphers, tls_multi->remote_ciphername);
1846  }
1847  else
1848  {
1849  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1850 
1851  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1852  {
1853  msg(M_INFO, "Using data channel cipher '%s' since "
1854  "--data-ciphers-fallback is set.", o->ciphername);
1855  ret = true;
1856  }
1857  else
1858  {
1859  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1860  "client is using if you want to allow the client to connect");
1861  }
1862  }
1863  if (!ret)
1864  {
1865  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1866  "failed (no shared cipher)");
1867  }
1868 
1869  gc_free(&gc);
1870  return ret;
1871 }
1872 
1877 static void
1879 {
1881  if (!ccs->deferred_ret_file)
1882  {
1883  return;
1884  }
1885 
1886  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1888  {
1889  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1890  ccs->deferred_ret_file);
1891  }
1892  free(ccs->deferred_ret_file);
1893  ccs->deferred_ret_file = NULL;
1894 }
1895 
1903 static bool
1905 {
1907  struct gc_arena gc = gc_new();
1908  const char *fn;
1909 
1910  /* Delete file if it already exists */
1912 
1913  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1914  if (!fn)
1915  {
1916  gc_free(&gc);
1917  return false;
1918  }
1919  ccs->deferred_ret_file = string_alloc(fn, NULL);
1920 
1921  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1922  ccs->deferred_ret_file);
1923 
1924  gc_free(&gc);
1925  return true;
1926 }
1927 
1936 static enum client_connect_return
1938 {
1940  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1941  if (!fp)
1942  {
1943  return CC_RET_SKIPPED;
1944  }
1945 
1947  const int c = fgetc(fp);
1948  switch (c)
1949  {
1950  case '0':
1951  ret = CC_RET_FAILED;
1952  break;
1953 
1954  case '1':
1955  ret = CC_RET_SUCCEEDED;
1956  break;
1957 
1958  case '2':
1959  ret = CC_RET_DEFERRED;
1960  break;
1961 
1962  case EOF:
1963  if (feof(fp))
1964  {
1965  ret = CC_RET_SKIPPED;
1966  break;
1967  }
1968 
1969  /* Not EOF but other error -> fall through to error state */
1970  default:
1971  /* We received an unknown/unexpected value. Assume failure. */
1972  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
1973  "client-connect resultfile");
1974  ret = CC_RET_FAILED;
1975  }
1976  fclose(fp);
1977 
1978  return ret;
1979 }
1980 
1986 static void
1988 {
1990  if (ccs->config_file)
1991  {
1992  setenv_del(mi->context.c2.es, "client_connect_config_file");
1993  if (!platform_unlink(ccs->config_file))
1994  {
1995  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1996  ccs->config_file);
1997  }
1998  free(ccs->config_file);
1999  ccs->config_file = NULL;
2000  }
2001 }
2002 
2010 static bool
2012 {
2014  struct gc_arena gc = gc_new();
2015  const char *fn;
2016 
2017  if (ccs->config_file)
2018  {
2020  }
2021 
2022  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2023  if (!fn)
2024  {
2025  gc_free(&gc);
2026  return false;
2027  }
2028  ccs->config_file = string_alloc(fn, NULL);
2029 
2030  setenv_str(mi->context.c2.es, "client_connect_config_file",
2031  ccs->config_file);
2032 
2033  gc_free(&gc);
2034  return true;
2035 }
2036 
2037 static enum client_connect_return
2039  struct multi_instance *mi,
2040  bool deferred,
2041  unsigned int *option_types_found)
2042 {
2044 #ifdef ENABLE_PLUGIN
2045  ASSERT(m);
2046  ASSERT(mi);
2047  ASSERT(option_types_found);
2049 
2050  /* deprecated callback, use a file for passing back return info */
2052  {
2053  struct argv argv = argv_new();
2054  int call;
2055 
2056  if (!deferred)
2057  {
2059  if (!ccs_gen_config_file(mi)
2060  || !ccs_gen_deferred_ret_file(mi))
2061  {
2062  ret = CC_RET_FAILED;
2063  goto cleanup;
2064  }
2065  }
2066  else
2067  {
2068  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2069  /* the initial call should have created these files */
2070  ASSERT(ccs->config_file);
2071  ASSERT(ccs->deferred_ret_file);
2072  }
2073 
2074  argv_printf(&argv, "%s", ccs->config_file);
2075  int plug_ret = plugin_call(mi->context.plugins, call,
2076  &argv, NULL, mi->context.c2.es);
2077  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2078  {
2079  ret = CC_RET_SUCCEEDED;
2080  }
2081  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2082  {
2083  ret = CC_RET_DEFERRED;
2089  }
2090  else
2091  {
2092  msg(M_WARN, "WARNING: client-connect plugin call failed");
2093  ret = CC_RET_FAILED;
2094  }
2095 
2096 
2102  int file_ret = ccs_test_deferred_ret_file(mi);
2103 
2104  if (file_ret == CC_RET_FAILED)
2105  {
2106  ret = CC_RET_FAILED;
2107  }
2108  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2109  {
2110  ret = CC_RET_DEFERRED;
2111  }
2112 
2113  /* if we still think we have succeeded, do postprocessing */
2114  if (ret == CC_RET_SUCCEEDED)
2115  {
2117  option_types_found);
2118  }
2119 cleanup:
2120  argv_free(&argv);
2121 
2122  if (ret != CC_RET_DEFERRED)
2123  {
2126  }
2127  }
2128 #endif /* ifdef ENABLE_PLUGIN */
2129  return ret;
2130 }
2131 
2132 static enum client_connect_return
2134  struct multi_instance *mi,
2135  bool deferred,
2136  unsigned int *option_types_found)
2137 {
2139 #ifdef ENABLE_PLUGIN
2140  ASSERT(m);
2141  ASSERT(mi);
2142  ASSERT(option_types_found);
2143 
2144  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2146  /* V2 callback, use a plugin_return struct for passing back return info */
2147  if (plugin_defined(mi->context.plugins, call))
2148  {
2149  struct plugin_return pr;
2150 
2151  plugin_return_init(&pr);
2152 
2153  int plug_ret = plugin_call(mi->context.plugins, call,
2154  NULL, &pr, mi->context.c2.es);
2155  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2156  {
2157  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2158  ret = CC_RET_SUCCEEDED;
2159  }
2160  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2161  {
2162  ret = CC_RET_DEFERRED;
2163  if (!(plugin_defined(mi->context.plugins,
2164  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2165  {
2166  msg(M_WARN, "A plugin that defers from the "
2167  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2168  "declare support for "
2169  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2170  ret = CC_RET_FAILED;
2171  }
2172  }
2173  else
2174  {
2175  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2176  ret = CC_RET_FAILED;
2177  }
2178 
2179 
2180  plugin_return_free(&pr);
2181  }
2182 #endif /* ifdef ENABLE_PLUGIN */
2183  return ret;
2184 }
2185 
2186 static enum client_connect_return
2188  struct multi_instance *mi,
2189  unsigned int *option_types_found)
2190 {
2191  ASSERT(mi);
2192  ASSERT(option_types_found);
2195 
2196  ret = ccs_test_deferred_ret_file(mi);
2197 
2198  if (ret == CC_RET_SKIPPED)
2199  {
2200  /*
2201  * Skipped and deferred are equivalent in this context.
2202  * skipped means that the called program has not yet
2203  * written a return status implicitly needing more time
2204  * while deferred is the explicit notification that it
2205  * needs more time
2206  */
2207  ret = CC_RET_DEFERRED;
2208  }
2209 
2210  if (ret == CC_RET_SUCCEEDED)
2211  {
2214  option_types_found);
2216  }
2217  if (ret == CC_RET_FAILED)
2218  {
2219  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2222  }
2223  return ret;
2224 }
2225 
2229 static enum client_connect_return
2231  struct multi_instance *mi,
2232  bool deferred,
2233  unsigned int *option_types_found)
2234 {
2235  if (deferred)
2236  {
2237  return multi_client_connect_script_deferred(m, mi, option_types_found);
2238  }
2239  ASSERT(m);
2240  ASSERT(mi);
2241 
2244 
2246  {
2247  struct argv argv = argv_new();
2248  struct gc_arena gc = gc_new();
2249 
2250  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2251 
2252  if (!ccs_gen_config_file(mi)
2253  || !ccs_gen_deferred_ret_file(mi))
2254  {
2255  ret = CC_RET_FAILED;
2256  goto cleanup;
2257  }
2258 
2260  argv_printf_cat(&argv, "%s", ccs->config_file);
2261 
2262  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2263  {
2265  {
2266  ret = CC_RET_DEFERRED;
2267  }
2268  else
2269  {
2271  option_types_found);
2272  ret = CC_RET_SUCCEEDED;
2273  }
2274  }
2275  else
2276  {
2277  ret = CC_RET_FAILED;
2278  }
2279 cleanup:
2280  if (ret != CC_RET_DEFERRED)
2281  {
2284  }
2285  argv_free(&argv);
2286  gc_free(&gc);
2287  }
2288  return ret;
2289 }
2290 
2294 static bool
2296 {
2297  struct frame *frame_fragment = NULL;
2298 #ifdef ENABLE_FRAGMENT
2299  if (c->options.ce.fragment)
2300  {
2301  frame_fragment = &c->c2.frame_fragment;
2302  }
2303 #endif
2304  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2305  if (!tls_session_update_crypto_params(session, &c->options,
2306  &c->c2.frame, frame_fragment))
2307  {
2308  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2309  register_signal(c, SIGUSR1, "process-push-msg-failed");
2310  return false;
2311  }
2312 
2313  return true;
2314 }
2315 
2316 static void
2318  struct multi_instance *mi,
2319  const unsigned int option_types_found)
2320 {
2321  ASSERT(m);
2322  ASSERT(mi);
2323 
2324  struct gc_arena gc = gc_new();
2325  /*
2326  * Process sourced options.
2327  */
2328  do_deferred_options(&mi->context, option_types_found);
2329 
2330  /*
2331  * make sure we got ifconfig settings from somewhere
2332  */
2333  if (!mi->context.c2.push_ifconfig_defined)
2334  {
2335  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2336  "--ifconfig address is available for %s",
2337  multi_instance_string(mi, false, &gc));
2338  }
2339 
2340  /*
2341  * make sure that ifconfig settings comply with constraints
2342  */
2344  {
2345  const char *ifconfig_constraint_network =
2347  const char *ifconfig_constraint_netmask =
2349 
2350  /* JYFIXME -- this should cause the connection to fail */
2351  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2352  "violates tunnel network/netmask constraint (%s/%s)",
2353  multi_instance_string(mi, false, &gc),
2355  ifconfig_constraint_network, ifconfig_constraint_netmask);
2356  }
2357 
2358  /*
2359  * For routed tunnels, set up internal route to endpoint
2360  * plus add all iroute routes.
2361  */
2363  {
2365  {
2366  multi_learn_in_addr_t(m, mi,
2368  -1, true);
2369  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2370  multi_instance_string(mi, false, &gc),
2372  }
2373 
2375  {
2376  multi_learn_in6_addr(m, mi,
2378  -1, true);
2379  /* TODO: find out where addresses are "unlearned"!! */
2380  const char *ifconfig_local_ipv6 =
2382  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2383  multi_instance_string(mi, false, &gc),
2384  ifconfig_local_ipv6);
2385  }
2386 
2387  /* add routes locally, pointing to new client, if
2388  * --iroute options have been specified */
2389  multi_add_iroutes(m, mi);
2390 
2391  /*
2392  * iroutes represent subnets which are "owned" by a particular
2393  * client. Therefore, do not actually push a route to a client
2394  * if it matches one of the client's iroutes.
2395  */
2397  }
2398  else if (mi->context.options.iroutes)
2399  {
2400  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2401  "only works with tun-style tunnels",
2402  multi_instance_string(mi, false, &gc));
2403  }
2404 
2405  /* set our client's VPN endpoint for status reporting purposes */
2408 
2409  /* set context-level authentication flag */
2411 
2412  /* authentication complete, calculate dynamic client specific options */
2414  {
2416  }
2417  /* Generate data channel keys only if setting protocol options
2418  * has not failed */
2419  else if (!multi_client_generate_tls_keys(&mi->context))
2420  {
2422  }
2423 
2424  /* send push reply if ready */
2426  {
2428  }
2429 
2430  gc_free(&gc);
2431 }
2432 
2433 static void
2435  struct multi_instance *mi)
2436 {
2437  ASSERT(mi->context.c1.tuntap);
2438  /*
2439  * lock down the common name and cert hashes so they can't change
2440  * during future TLS renegotiations
2441  */
2444 
2445  /* generate a msg() prefix for this client instance */
2446  generate_prefix(mi);
2447 
2448  /* delete instances of previous clients with same common-name */
2449  if (!mi->context.options.duplicate_cn)
2450  {
2451  multi_delete_dup(m, mi);
2452  }
2453 
2454  /* reset pool handle to null */
2455  mi->vaddr_handle = -1;
2456 
2457  /* do --client-connect setenvs */
2459 
2461 }
2462 
2469 static enum client_connect_return
2471  struct multi_instance *mi,
2472  bool deferred,
2473  unsigned int *option_types_found)
2474 {
2475 #ifdef USE_COMP
2476  struct options *o = &mi->context.options;
2477  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2478 
2479  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2480  {
2481  if(peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2482  {
2483  push_option(o, "compress stub-v2", M_USAGE);
2484  }
2485  else
2486  {
2487  /* Client is old and does not support STUBv2 but since it
2488  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2489  * switch to that and push the uncompressed variant. */
2490  push_option(o, "comp-lzo no", M_USAGE);
2491  o->comp.alg = COMP_ALG_STUB;
2492  *option_types_found |= OPT_P_COMP;
2493  }
2494  }
2495 #endif
2496  return CC_RET_SUCCEEDED;
2497 }
2498 
2503 static enum client_connect_return
2505  struct multi_instance *mi,
2506  bool deferred,
2507  unsigned int *option_types_found)
2508 {
2509  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2510  * problem */
2511  ASSERT(!deferred);
2514  {
2515  struct gc_arena gc = gc_new();
2516  const char *ccd_file = NULL;
2517 
2518  const char *ccd_client =
2520  tls_common_name(mi->context.c2.tls_multi, false),
2521  &gc);
2522 
2523  const char *ccd_default =
2525  CCD_DEFAULT, &gc);
2526 
2527 
2528  /* try common-name file */
2529  if (platform_test_file(ccd_client))
2530  {
2531  ccd_file = ccd_client;
2532  }
2533  /* try default file */
2534  else if (platform_test_file(ccd_default))
2535  {
2536  ccd_file = ccd_default;
2537  }
2538 
2539  if (ccd_file)
2540  {
2542  ccd_file,
2545  option_types_found,
2546  mi->context.c2.es);
2547  /*
2548  * Select a virtual address from either --ifconfig-push in
2549  * --client-config-dir file or --ifconfig-pool.
2550  */
2552 
2554 
2555  ret = CC_RET_SUCCEEDED;
2556  }
2557  gc_free(&gc);
2558  }
2559  return ret;
2560 }
2561 
2563  (struct multi_context *m, struct multi_instance *mi,
2564  bool from_deferred, unsigned int *option_types_found);
2565 
2573  NULL,
2574 };
2575 
2576 /*
2577  * Called as soon as the SSL/TLS connection is authenticated.
2578  *
2579  * Will collect the client specific configuration from the different
2580  * sources like ccd files, connect plugins and management interface.
2581  *
2582  * This method starts with cas_context CAS_PENDING and will move the
2583  * state machine to either CAS_SUCCEEDED on success or
2584  * CAS_FAILED/CAS_PARTIAL on failure.
2585  *
2586  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2587  * include:
2588  *
2589  * iroute start-ip end-ip
2590  * ifconfig-push local remote-netmask
2591  * push
2592  *
2593  *
2594  */
2595 static void
2597 {
2600  {
2601  return;
2602  }
2603 
2604  /* We are only called for the CAS_PENDING_x states, so we
2605  * can ignore other states here */
2606  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2607 
2608  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2609  unsigned int *option_types_found =
2611 
2612  /* We are called for the first time */
2613  if (!from_deferred)
2614  {
2615  *cur_handler_index = 0;
2616  *option_types_found = 0;
2617  /* Initially we have no handler that has returned a result */
2619 
2621  }
2622 
2623  bool cc_succeeded = true;
2624 
2625  while (cc_succeeded
2626  && client_connect_handlers[*cur_handler_index] != NULL)
2627  {
2628  enum client_connect_return ret;
2629  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2630  option_types_found);
2631 
2632  from_deferred = false;
2633 
2634  switch (ret)
2635  {
2636  case CC_RET_SUCCEEDED:
2637  /*
2638  * Remember that we already had at least one handler
2639  * returning a result should we go to into deferred state
2640  */
2641  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2642  break;
2643 
2644  case CC_RET_SKIPPED:
2645  /*
2646  * Move on with the next handler without modifying any
2647  * other state
2648  */
2649  break;
2650 
2651  case CC_RET_DEFERRED:
2652  /*
2653  * we already set client_connect_status to DEFERRED_RESULT or
2654  * DEFERRED_NO_RESULT. We just return
2655  * from the function as having client_connect_status
2656  */
2657  return;
2658 
2659  case CC_RET_FAILED:
2660  /*
2661  * One handler failed. We abort the chain and set the final
2662  * result to failed
2663  */
2664  cc_succeeded = false;
2665  break;
2666 
2667  default:
2668  ASSERT(0);
2669  }
2670 
2671  /*
2672  * Check for "disable" directive in client-config-dir file
2673  * or config file generated by --client-connect script.
2674  */
2675  if (mi->context.options.disable)
2676  {
2677  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2678  "'disable' directive");
2679  cc_succeeded = false;
2680  }
2681 
2682  (*cur_handler_index)++;
2683  }
2684 
2685  if (cc_succeeded)
2686  {
2687  multi_client_connect_late_setup(m, mi, *option_types_found);
2688  }
2689  else
2690  {
2691  /* run the disconnect script if we had a connect script that
2692  * did not fail */
2694  {
2696  }
2697 
2699  }
2700 
2701  /* increment number of current authenticated clients */
2702  ++m->n_clients;
2704  --mi->n_clients_delta;
2705 
2706 #ifdef ENABLE_MANAGEMENT
2707  if (management)
2708  {
2710  &mi->context.c2.mda_context, mi->context.c2.es);
2711  }
2712 #endif
2713 }
2714 
2715 #ifdef ENABLE_ASYNC_PUSH
2716 /*
2717  * Called when inotify event is fired, which happens when acf
2718  * or connect-status file is closed or deleted.
2719  * Continues authentication and sends push_reply
2720  * (or be deferred again by client-connect)
2721  */
2722 void
2723 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2724 {
2725  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2726  size_t buffer_i = 0;
2727  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2728 
2729  while (buffer_i < r)
2730  {
2731  /* parse inotify events */
2732  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2733  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2734  buffer_i += event_size;
2735 
2736  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2737 
2738  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2739 
2740  if (pevent->mask & IN_CLOSE_WRITE)
2741  {
2742  if (mi)
2743  {
2744  /* continue authentication, perform NCP negotiation and send push_reply */
2745  multi_process_post(m, mi, mpp_flags);
2746  }
2747  else
2748  {
2749  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2750  }
2751  }
2752  else if (pevent->mask & IN_IGNORED)
2753  {
2754  /* this event is _always_ fired when watch is removed or file is deleted */
2755  if (mi)
2756  {
2757  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2758  mi->inotify_watch = -1;
2759  }
2760  }
2761  else
2762  {
2763  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2764  }
2765  }
2766 }
2767 #endif /* ifdef ENABLE_ASYNC_PUSH */
2768 
2769 /*
2770  * Add a mbuf buffer to a particular
2771  * instance.
2772  */
2773 void
2775  struct multi_instance *mi,
2776  struct mbuf_buffer *mb)
2777 {
2778  if (multi_output_queue_ready(m, mi))
2779  {
2780  struct mbuf_item item;
2781  item.buffer = mb;
2782  item.instance = mi;
2783  mbuf_add_item(m->mbuf, &item);
2784  }
2785  else
2786  {
2787  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2788  }
2789 }
2790 
2791 /*
2792  * Add a packet to a client instance output queue.
2793  */
2794 static inline void
2796  const struct buffer *buf,
2797  struct multi_instance *mi)
2798 {
2799  struct mbuf_buffer *mb;
2800 
2801  if (BLEN(buf) > 0)
2802  {
2803  mb = mbuf_alloc_buf(buf);
2804  mb->flags = MF_UNICAST;
2805  multi_add_mbuf(m, mi, mb);
2806  mbuf_free_buf(mb);
2807  }
2808 }
2809 
2810 /*
2811  * Broadcast a packet to all clients.
2812  */
2813 static void
2815  const struct buffer *buf,
2816  const struct multi_instance *sender_instance,
2817  const struct mroute_addr *sender_addr,
2818  uint16_t vid)
2819 {
2820  struct hash_iterator hi;
2821  struct hash_element *he;
2822  struct multi_instance *mi;
2823  struct mbuf_buffer *mb;
2824 
2825  if (BLEN(buf) > 0)
2826  {
2828 #ifdef MULTI_DEBUG_EVENT_LOOP
2829  printf("BCAST len=%d\n", BLEN(buf));
2830 #endif
2831  mb = mbuf_alloc_buf(buf);
2832  hash_iterator_init(m->iter, &hi);
2833 
2834  while ((he = hash_iterator_next(&hi)))
2835  {
2836  mi = (struct multi_instance *) he->value;
2837  if (mi != sender_instance && !mi->halt)
2838  {
2839 #ifdef ENABLE_PF
2840  if (sender_instance)
2841  {
2842  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2843  sender_instance->context.c2.tls_multi,
2844  &mi->context.c2.pf,
2845  mi->context.c2.tls_multi,
2846  "bcast_c2c"))
2847  {
2848  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2849  mi_prefix(sender_instance),
2850  mi_prefix(mi));
2851  continue;
2852  }
2853  }
2854  if (sender_addr)
2855  {
2856  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2857  sender_addr, "bcast_src_addr"))
2858  {
2859  struct gc_arena gc = gc_new();
2860  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2861  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2862  mi_prefix(mi));
2863  gc_free(&gc);
2864  continue;
2865  }
2866  }
2867 #endif /* ifdef ENABLE_PF */
2868  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2869  {
2870  continue;
2871  }
2872  multi_add_mbuf(m, mi, mb);
2873  }
2874  }
2875 
2876  hash_iterator_free(&hi);
2877  mbuf_free_buf(mb);
2878  perf_pop();
2879  }
2880 }
2881 
2882 /*
2883  * Given a time delta, indicating that we wish to be
2884  * awoken by the scheduler at time now + delta, figure
2885  * a sigma parameter (in microseconds) that represents
2886  * a sort of fuzz factor around delta, so that we're
2887  * really telling the scheduler to wake us up any time
2888  * between now + delta - sigma and now + delta + sigma.
2889  *
2890  * The sigma parameter helps the scheduler to run more efficiently.
2891  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2892  */
2893 static inline unsigned int
2894 compute_wakeup_sigma(const struct timeval *delta)
2895 {
2896  if (delta->tv_sec < 1)
2897  {
2898  /* if < 1 sec, fuzz = # of microseconds / 8 */
2899  return delta->tv_usec >> 3;
2900  }
2901  else
2902  {
2903  /* if < 10 minutes, fuzz = 13.1% of timeout */
2904  if (delta->tv_sec < 600)
2905  {
2906  return delta->tv_sec << 17;
2907  }
2908  else
2909  {
2910  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2911  }
2912  }
2913 }
2914 
2915 static void
2917 {
2918  /* calculate an absolute wakeup time */
2919  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2920  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2921 
2922  /* tell scheduler to wake us up at some point in the future */
2924  (struct schedule_entry *) mi,
2925  &mi->wakeup,
2926  compute_wakeup_sigma(&mi->context.c2.timeval));
2927 }
2928 
2929 #if defined(ENABLE_ASYNC_PUSH)
2930 static void
2931 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2932  int inotify_fd, const char *file)
2933 {
2934  /* watch acf file */
2935  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2936  IN_CLOSE_WRITE | IN_ONESHOT);
2937  if (watch_descriptor >= 0)
2938  {
2939  if (mi->inotify_watch != -1)
2940  {
2941  hash_remove(m->inotify_watchers,
2942  (void *) (unsigned long)mi->inotify_watch);
2943  }
2944  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2945  mi, true);
2946  mi->inotify_watch = watch_descriptor;
2947  }
2948  else
2949  {
2950  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2951  }
2952 }
2953 #endif /* if defined(ENABLE_ASYNC_PUSH) */
2954 
2955 /*
2956  * Figure instance-specific timers, convert
2957  * earliest to absolute time in mi->wakeup,
2958  * call scheduler with our future wakeup time.
2959  *
2960  * Also close context on signal.
2961  */
2962 bool
2963 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2964 {
2965  bool ret = true;
2966 
2967  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2968  {
2969 #if defined(ENABLE_ASYNC_PUSH)
2970  bool was_unauthenticated = true;
2971  struct key_state *ks = NULL;
2972  if (mi->context.c2.tls_multi)
2973  {
2975  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2976  }
2977 #endif
2978 
2979  /* figure timeouts and fetch possible outgoing
2980  * to_link packets (such as ping or TLS control) */
2981  pre_select(&mi->context);
2982 
2983 #if defined(ENABLE_ASYNC_PUSH)
2984  /*
2985  * if we see the state transition from unauthenticated to deferred
2986  * and an auth_control_file, we assume it got just added and add
2987  * inotify watch to that file
2988  */
2989  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
2990  && (ks->authenticated == KS_AUTH_DEFERRED))
2991  {
2992  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2994  }
2995  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
2996  && (ks->authenticated == KS_AUTH_DEFERRED))
2997  {
2998  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3000  }
3001 #endif
3002 
3003  if (!IS_SIG(&mi->context))
3004  {
3005  /* connection is "established" when SSL/TLS key negotiation succeeds
3006  * and (if specified) auth user/pass succeeds */
3009  {
3011  }
3012 #if defined(ENABLE_ASYNC_PUSH)
3015  {
3016  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3018  deferred_ret_file);
3019  }
3020 #endif
3021  /* tell scheduler to wake us up at some point in the future */
3023  }
3024  }
3025 
3026  if (IS_SIG(&mi->context))
3027  {
3028  if (flags & MPP_CLOSE_ON_SIGNAL)
3029  {
3031  ret = false;
3032  }
3033  }
3034  else
3035  {
3036  /* continue to pend on output? */
3037  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3038 
3039 #ifdef MULTI_DEBUG_EVENT_LOOP
3040  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3041  id(mi),
3042  (int) (mi == m->pending),
3043  mi ? mi->context.c2.to_tun.len : -1,
3044  mi ? mi->context.c2.to_link.len : -1,
3045  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3046  (int64_t)mi->context.c2.timeval.tv_sec,
3047  (long)mi->context.c2.timeval.tv_usec);
3048 #endif
3049  }
3050 
3051  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3052  {
3053  *m->mpp_touched = mi;
3054  }
3055 
3056  return ret;
3057 }
3058 
3059 void
3061 {
3062  struct mroute_addr real;
3063  struct hash *hash = m->hash;
3064  struct gc_arena gc = gc_new();
3065 
3066  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3067  {
3068  goto done;
3069  }
3070 
3071  const uint32_t hv = hash_value(hash, &real);
3072  struct hash_bucket *bucket = hash_bucket(hash, hv);
3073 
3074  /* make sure that we don't float to an address taken by another client */
3075  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3076  if (he)
3077  {
3078  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3079 
3080  struct tls_multi *m1 = mi->context.c2.tls_multi;
3081  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3082 
3083  /* do not float if target address is taken by client with another cert */
3084  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3085  {
3086  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3087  multi_instance_string(ex_mi, false, &gc));
3088 
3089  mi->context.c2.buf.len = 0;
3090 
3091  goto done;
3092  }
3093 
3094  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3095  multi_close_instance(m, ex_mi, false);
3096  }
3097 
3098  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3099  mi->context.c2.tls_multi->peer_id,
3100  tls_common_name(mi->context.c2.tls_multi, false),
3101  mroute_addr_print(&mi->real, &gc),
3102  print_link_socket_actual(&m->top.c2.from, &gc));
3103 
3104  /* remove old address from hash table before changing address */
3105  ASSERT(hash_remove(m->hash, &mi->real));
3106  ASSERT(hash_remove(m->iter, &mi->real));
3107 
3108  /* change external network address of the remote peer */
3109  mi->real = real;
3110  generate_prefix(mi);
3111 
3112  mi->context.c2.from = m->top.c2.from;
3113  mi->context.c2.to_link_addr = &mi->context.c2.from;
3114 
3115  /* inherit parent link_socket and link_socket_info */
3118 
3120 
3121  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3122  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3123 
3124 #ifdef ENABLE_MANAGEMENT
3125  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3126 #endif
3127 
3128 done:
3129  gc_free(&gc);
3130 }
3131 
3132 /*
3133  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3134  * i.e. client -> server direction.
3135  */
3136 bool
3137 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3138 {
3139  struct gc_arena gc = gc_new();
3140 
3141  struct context *c;
3142  struct mroute_addr src, dest;
3143  unsigned int mroute_flags;
3144  struct multi_instance *mi;
3145  bool ret = true;
3146  bool floated = false;
3147 
3148  if (m->pending)
3149  {
3150  return true;
3151  }
3152 
3153  if (!instance)
3154  {
3155 #ifdef MULTI_DEBUG_EVENT_LOOP
3156  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3157 #endif
3159  }
3160  else
3161  {
3162  multi_set_pending(m, instance);
3163  }
3164 
3165  if (m->pending)
3166  {
3167  set_prefix(m->pending);
3168 
3169  /* get instance context */
3170  c = &m->pending->context;
3171 
3172  if (!instance)
3173  {
3174  /* transfer packet pointer from top-level context buffer to instance */
3175  c->c2.buf = m->top.c2.buf;
3176 
3177  /* transfer from-addr from top-level context buffer to instance */
3178  if (!floated)
3179  {
3180  c->c2.from = m->top.c2.from;
3181  }
3182  }
3183 
3184  if (BLEN(&c->c2.buf) > 0)
3185  {
3186  struct link_socket_info *lsi;
3187  const uint8_t *orig_buf;
3188 
3189  /* decrypt in instance context */
3190 
3192  lsi = get_link_socket_info(c);
3193  orig_buf = c->c2.buf.data;
3194  if (process_incoming_link_part1(c, lsi, floated))
3195  {
3196  /* nonzero length means that we have a valid, decrypted packed */
3197  if (floated && c->c2.buf.len > 0)
3198  {
3200  }
3201 
3202  process_incoming_link_part2(c, lsi, orig_buf);
3203  }
3204  perf_pop();
3205 
3206  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3207  {
3208  /* extract packet source and dest addresses */
3209  mroute_flags = mroute_extract_addr_from_packet(&src,
3210  &dest,
3211  NULL,
3212  NULL,
3213  0,
3214  &c->c2.to_tun,
3215  DEV_TYPE_TUN);
3216 
3217  /* drop packet if extract failed */
3218  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3219  {
3220  c->c2.to_tun.len = 0;
3221  }
3222  /* make sure that source address is associated with this client */
3223  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3224  {
3225  /* IPv6 link-local address (fe80::xxx)? */
3226  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3227  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3228  {
3229  /* do nothing, for now. TODO: add address learning */
3230  }
3231  else
3232  {
3233  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3234  mroute_addr_print(&src, &gc));
3235  }
3236  c->c2.to_tun.len = 0;
3237  }
3238  /* client-to-client communication enabled? */
3239  else if (m->enable_c2c)
3240  {
3241  /* multicast? */
3242  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3243  {
3244  /* for now, treat multicast as broadcast */
3245  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3246  }
3247  else /* possible client to client routing */
3248  {
3249  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3250  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3251 
3252  /* if dest addr is a known client, route to it */
3253  if (mi)
3254  {
3255 #ifdef ENABLE_PF
3256  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3257  &mi->context.c2.pf,
3258  mi->context.c2.tls_multi,
3259  "tun_c2c"))
3260  {
3261  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
3262  mi_prefix(mi));
3263  }
3264  else
3265 #endif
3266  {
3267  multi_unicast(m, &c->c2.to_tun, mi);
3268  register_activity(c, BLEN(&c->c2.to_tun));
3269  }
3270  c->c2.to_tun.len = 0;
3271  }
3272  }
3273  }
3274 #ifdef ENABLE_PF
3275  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
3276  "tun_dest_addr"))
3277  {
3278  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
3279  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
3280  c->c2.to_tun.len = 0;
3281  }
3282 #endif
3283  }
3284  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3285  {
3286  uint16_t vid = 0;
3287 #ifdef ENABLE_PF
3288  struct mroute_addr edest;
3289  mroute_addr_reset(&edest);
3290 #endif
3291 
3292  if (m->top.options.vlan_tagging)
3293  {
3294  if (vlan_is_tagged(&c->c2.to_tun))
3295  {
3296  /* Drop VLAN-tagged frame. */
3297  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3298  c->c2.to_tun.len = 0;
3299  }
3300  else
3301  {
3302  vid = c->options.vlan_pvid;
3303  }
3304  }
3305  /* extract packet source and dest addresses */
3306  mroute_flags = mroute_extract_addr_from_packet(&src,
3307  &dest,
3308  NULL,
3309 #ifdef ENABLE_PF
3310  &edest,
3311 #else
3312  NULL,
3313 #endif
3314  vid,
3315  &c->c2.to_tun,
3316  DEV_TYPE_TAP);
3317 
3318  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3319  {
3320  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3321  {
3322  /* check for broadcast */
3323  if (m->enable_c2c)
3324  {
3325  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3326  {
3327  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3328  vid);
3329  }
3330  else /* try client-to-client routing */
3331  {
3332  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3333 
3334  /* if dest addr is a known client, route to it */
3335  if (mi)
3336  {
3337 #ifdef ENABLE_PF
3338  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
3339  &mi->context.c2.pf,
3340  mi->context.c2.tls_multi,
3341  "tap_c2c"))
3342  {
3343  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
3344  mi_prefix(mi));
3345  }
3346  else
3347 #endif
3348  {
3349  multi_unicast(m, &c->c2.to_tun, mi);
3350  register_activity(c, BLEN(&c->c2.to_tun));
3351  }
3352  c->c2.to_tun.len = 0;
3353  }
3354  }
3355  }
3356 #ifdef ENABLE_PF
3357  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
3358  &edest,
3359  "tap_dest_addr"))
3360  {
3361  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
3362  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
3363  c->c2.to_tun.len = 0;
3364  }
3365 #endif
3366  }
3367  else
3368  {
3369  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3370  mroute_addr_print(&src, &gc));
3371  c->c2.to_tun.len = 0;
3372  }
3373  }
3374  else
3375  {
3376  c->c2.to_tun.len = 0;
3377  }
3378  }
3379  }
3380 
3381  /* postprocess and set wakeup */
3382  ret = multi_process_post(m, m->pending, mpp_flags);
3383 
3384  clear_prefix();
3385  }
3386 
3387  gc_free(&gc);
3388  return ret;
3389 }
3390 
3391 /*
3392  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3393  * i.e. server -> client direction.
3394  */
3395 bool
3396 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3397 {
3398  struct gc_arena gc = gc_new();
3399  bool ret = true;
3400 
3401  if (BLEN(&m->top.c2.buf) > 0)
3402  {
3403  unsigned int mroute_flags;
3404  struct mroute_addr src, dest;
3405  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3406  int16_t vid = 0;
3407 
3408 #ifdef ENABLE_PF
3409  struct mroute_addr esrc, *e1, *e2;
3410  if (dev_type == DEV_TYPE_TUN)
3411  {
3412  e1 = NULL;
3413  e2 = &src;
3414  }
3415  else
3416  {
3417  e1 = e2 = &esrc;
3418  mroute_addr_reset(&esrc);
3419  }
3420 #endif
3421 
3422 #ifdef MULTI_DEBUG_EVENT_LOOP
3423  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3424 #endif
3425 
3426  if (m->pending)
3427  {
3428  return true;
3429  }
3430 
3431  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3432  {
3433  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3434  if (vid < 0)
3435  {
3436  return false;
3437  }
3438  }
3439 
3440  /*
3441  * Route an incoming tun/tap packet to
3442  * the appropriate multi_instance object.
3443  */
3444 
3445  mroute_flags = mroute_extract_addr_from_packet(&src,
3446  &dest,
3447 #ifdef ENABLE_PF
3448  e1,
3449 #else
3450  NULL,
3451 #endif
3452  NULL,
3453  vid,
3454  &m->top.c2.buf,
3455  dev_type);
3456 
3457  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3458  {
3459  struct context *c;
3460 
3461  /* broadcast or multicast dest addr? */
3462  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3463  {
3464  /* for now, treat multicast as broadcast */
3465 #ifdef ENABLE_PF
3466  multi_bcast(m, &m->top.c2.buf, NULL, e2, vid);
3467 #else
3468  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3469 #endif
3470  }
3471  else
3472  {
3474 
3475  if (m->pending)
3476  {
3477  /* get instance context */
3478  c = &m->pending->context;
3479 
3480  set_prefix(m->pending);
3481 
3482 #ifdef ENABLE_PF
3483  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
3484  {
3485  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
3486  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
3487  buf_reset_len(&c->c2.buf);
3488  }
3489  else
3490 #endif
3491  {
3492  if (multi_output_queue_ready(m, m->pending))
3493  {
3494  /* transfer packet pointer from top-level context buffer to instance */
3495  c->c2.buf = m->top.c2.buf;
3496  }
3497  else
3498  {
3499  /* drop packet */
3500  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3501  buf_reset_len(&c->c2.buf);
3502  }
3503  }
3504 
3505  /* encrypt in instance context */
3507 
3508  /* postprocess and set wakeup */
3509  ret = multi_process_post(m, m->pending, mpp_flags);
3510 
3511  clear_prefix();
3512  }
3513  }
3514  }
3515  }
3516  gc_free(&gc);
3517  return ret;
3518 }
3519 
3520 /*
3521  * Process a possible client-to-client/bcast/mcast message in the
3522  * queue.
3523  */
3524 struct multi_instance *
3526 {
3527  struct mbuf_item item;
3528 
3529  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3530  {
3531  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3532 
3533  set_prefix(item.instance);
3534  item.instance->context.c2.buf = item.buffer->buf;
3535  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3536  {
3537  pip_flags |= PIP_MSSFIX;
3538  }
3539  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3540  encrypt_sign(&item.instance->context, true);
3541  mbuf_free_buf(item.buffer);
3542 
3543  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3544 
3545  clear_prefix();
3546  return item.instance;
3547  }
3548  else
3549  {
3550  return NULL;
3551  }
3552 }
3553 
3554 /*
3555  * Called when an I/O wait times out. Usually means that a particular
3556  * client instance object needs timer-based service.
3557  */
3558 bool
3559 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3560 {
3561  bool ret = true;
3562 
3563 #ifdef MULTI_DEBUG_EVENT_LOOP
3564  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3565 #endif
3566 
3567  /* instance marked for wakeup? */
3568  if (m->earliest_wakeup)
3569  {
3571  {
3574  }
3575  else
3576  {
3578  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3579  clear_prefix();
3580  }
3581  m->earliest_wakeup = NULL;
3582  }
3583  return ret;
3584 }
3585 
3586 /*
3587  * Drop a TUN/TAP outgoing packet..
3588  */
3589 void
3590 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3591 {
3592  struct multi_instance *mi = m->pending;
3593 
3594  ASSERT(mi);
3595 
3596  set_prefix(mi);
3597 
3598  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3599  mi->context.c2.to_tun.len);
3600 
3601  buf_reset(&mi->context.c2.to_tun);
3602 
3603  multi_process_post(m, mi, mpp_flags);
3604  clear_prefix();
3605 }
3606 
3607 /*
3608  * Per-client route quota management
3609  */
3610 
3611 void
3613 {
3614  struct gc_arena gc = gc_new();
3615  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3617  multi_instance_string(mi, false, &gc));
3618  gc_free(&gc);
3619 }
3620 
3621 #ifdef ENABLE_DEBUG
3622 /*
3623  * Flood clients with random packets
3624  */
3625 static void
3626 gremlin_flood_clients(struct multi_context *m)
3627 {
3628  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3629  if (level)
3630  {
3631  struct gc_arena gc = gc_new();
3632  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3633  struct packet_flood_parms parm = get_packet_flood_parms(level);
3634  int i;
3635 
3636  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
3637  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
3638 
3639  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3640  parm.n_packets,
3641  parm.packet_size);
3642 
3643  for (i = 0; i < parm.packet_size; ++i)
3644  {
3645  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3646  }
3647 
3648  for (i = 0; i < parm.n_packets; ++i)
3649  {
3650  multi_bcast(m, &buf, NULL, NULL, 0);
3651  }
3652 
3653  gc_free(&gc);
3654  }
3655 }
3656 #endif /* ifdef ENABLE_DEBUG */
3657 
3658 static bool
3660 {
3661  struct timeval null;
3662  CLEAR(null);
3664 }
3665 
3666 /*
3667  * Process timers in the top-level context
3668  */
3669 void
3671 {
3672  /* possibly reap instances/routes in vhash */
3673  multi_reap_process(m);
3674 
3675  /* possibly print to status log */
3676  if (m->top.c1.status_output)
3677  {
3679  {
3681  }
3682  }
3683 
3684  /* possibly flush ifconfig-pool file */
3685  multi_ifconfig_pool_persist(m, false);
3686 
3687 #ifdef ENABLE_DEBUG
3688  gremlin_flood_clients(m);
3689 #endif
3690 
3691  /* Should we check for stale routes? */
3693  {
3694  check_stale_routes(m);
3695  }
3696 }
3697 
3698 void
3699 multi_top_init(struct multi_context *m, const struct context *top)
3700 {
3701  inherit_context_top(&m->top, top);
3702  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3703 }
3704 
3705 void
3707 {
3708  close_context(&m->top, -1, CC_GC_FREE);
3710 }
3711 
3712 static bool
3714 {
3715  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3716 }
3717 
3718 static void
3720 {
3721  struct hash_iterator hi;
3722  struct hash_element *he;
3723  struct timeval tv;
3724 
3725  /* tell all clients to restart */
3726  hash_iterator_init(m->iter, &hi);
3727  while ((he = hash_iterator_next(&hi)))
3728  {
3729  struct multi_instance *mi = (struct multi_instance *) he->value;
3730  if (!mi->halt)
3731  {
3732  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3734  }
3735  }
3736  hash_iterator_free(&hi);
3737 
3738  /* reschedule signal */
3740  tv.tv_sec = 2;
3741  tv.tv_usec = 0;
3743 
3745 
3750 
3751  m->top.sig->signal_received = 0;
3752 }
3753 
3754 /*
3755  * Return true if event loop should break,
3756  * false if it should continue.
3757  */
3758 bool
3760 {
3761  if (m->top.sig->signal_received == SIGUSR2)
3762  {
3763  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3765  status_close(so);
3766  m->top.sig->signal_received = 0;
3767  return false;
3768  }
3769  else if (proto_is_dgram(m->top.options.ce.proto)
3773  {
3775  return false;
3776  }
3777  return true;
3778 }
3779 
3780 /*
3781  * Called when an instance should be closed due to the
3782  * reception of a soft signal.
3783  */
3784 void
3786 {
3787  remap_signal(&mi->context);
3788  set_prefix(mi);
3789  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3790  clear_prefix();
3791  multi_close_instance(m, mi, false);
3792 }
3793 
3794 static void
3795 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3796 {
3797  mi->context.sig->signal_received = sig;
3799 }
3800 
3801 /*
3802  * Management subsystem callbacks
3803  */
3804 
3805 #ifdef ENABLE_MANAGEMENT
3806 
3807 static void
3808 management_callback_status(void *arg, const int version, struct status_output *so)
3809 {
3810  struct multi_context *m = (struct multi_context *) arg;
3811 
3812  if (!version)
3813  {
3815  }
3816  else
3817  {
3818  multi_print_status(m, so, version);
3819  }
3820 }
3821 
3822 static int
3824 {
3825  struct multi_context *m = (struct multi_context *) arg;
3826  return m->n_clients;
3827 }
3828 
3829 static int
3830 management_callback_kill_by_cn(void *arg, const char *del_cn)
3831 {
3832  struct multi_context *m = (struct multi_context *) arg;
3833  struct hash_iterator hi;
3834  struct hash_element *he;
3835  int count = 0;
3836 
3837  hash_iterator_init(m->iter, &hi);
3838  while ((he = hash_iterator_next(&hi)))
3839  {
3840  struct multi_instance *mi = (struct multi_instance *) he->value;
3841  if (!mi->halt)
3842  {
3843  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3844  if (cn && !strcmp(cn, del_cn))
3845  {
3847  ++count;
3848  }
3849  }
3850  }
3851  hash_iterator_free(&hi);
3852  return count;
3853 }
3854 
3855 static int
3856 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3857 {
3858  struct multi_context *m = (struct multi_context *) arg;
3859  struct hash_iterator hi;
3860  struct hash_element *he;
3861  struct openvpn_sockaddr saddr;
3862  struct mroute_addr maddr;
3863  int count = 0;
3864 
3865  CLEAR(saddr);
3866  saddr.addr.in4.sin_family = AF_INET;
3867  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3868  saddr.addr.in4.sin_port = htons(port);
3869  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3870  {
3871  hash_iterator_init(m->iter, &hi);
3872  while ((he = hash_iterator_next(&hi)))
3873  {
3874  struct multi_instance *mi = (struct multi_instance *) he->value;
3875  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3876  {
3878  ++count;
3879  }
3880  }
3881  hash_iterator_free(&hi);
3882  }
3883  return count;
3884 }
3885 
3886 static void
3888 {
3889  struct multi_context *m = (struct multi_context *) arg;
3890  if (m->mtcp)
3891  {
3892  multi_tcp_delete_event(m->mtcp, event);
3893  }
3894 }
3895 
3896 #endif /* ifdef ENABLE_MANAGEMENT */
3897 
3898 #ifdef ENABLE_MANAGEMENT
3899 
3900 static struct multi_instance *
3901 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3902 {
3903  if (m)
3904  {
3905  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3906  if (mi && !mi->halt)
3907  {
3908  return mi;
3909  }
3910  }
3911  return NULL;
3912 }
3913 
3914 static bool
3915 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3916 {
3917  struct multi_context *m = (struct multi_context *) arg;
3918  struct multi_instance *mi = lookup_by_cid(m, cid);
3919  if (mi)
3920  {
3921  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3923  return true;
3924  }
3925  else
3926  {
3927  return false;
3928  }
3929 }
3930 
3931 static bool
3933  const unsigned long cid,
3934  const char *extra,
3935  unsigned int timeout)
3936 {
3937  struct multi_context *m = (struct multi_context *) arg;
3938  struct multi_instance *mi = lookup_by_cid(m, cid);
3939  if (mi)
3940  {
3941  /* sends INFO_PRE and AUTH_PENDING messages to client */
3942  bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra,
3943  timeout);
3946  return ret;
3947  }
3948  return false;
3949 }
3950 
3951 
3952 static bool
3954  const unsigned long cid,
3955  const unsigned int mda_key_id,
3956  const bool auth,
3957  const char *reason,
3958  const char *client_reason,
3959  struct buffer_list *cc_config) /* ownership transferred */
3960 {
3961  struct multi_context *m = (struct multi_context *) arg;
3962  struct multi_instance *mi = lookup_by_cid(m, cid);
3963  bool cc_config_owned = true;
3964  bool ret = false;
3965 
3966  if (mi)
3967  {
3968  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3969  if (ret)
3970  {
3971  if (auth)
3972  {
3974  {
3975  set_cc_config(mi, cc_config);
3976  cc_config_owned = false;
3977  }
3978  }
3979  else if (reason)
3980  {
3981  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3982  }
3983  }
3984  }
3985  if (cc_config_owned && cc_config)
3986  {
3987  buffer_list_free(cc_config);
3988  }
3989  return ret;
3990 }
3991 
3992 static char *
3993 management_get_peer_info(void *arg, const unsigned long cid)
3994 {
3995  struct multi_context *m = (struct multi_context *) arg;
3996  struct multi_instance *mi = lookup_by_cid(m, cid);
3997  char *ret = NULL;
3998 
3999  if (mi)
4000  {
4001  ret = mi->context.c2.tls_multi->peer_info;
4002  }
4003 
4004  return ret;
4005 }
4006 
4007 #endif /* ifdef ENABLE_MANAGEMENT */
4008 
4009 #ifdef MANAGEMENT_PF
4010 static bool
4011 management_client_pf(void *arg,
4012  const unsigned long cid,
4013  struct buffer_list *pf_config) /* ownership transferred */
4014 {
4015  struct multi_context *m = (struct multi_context *) arg;
4016  struct multi_instance *mi = lookup_by_cid(m, cid);
4017  bool ret = false;
4018 
4019  if (mi && pf_config)
4020  {
4021  ret = pf_load_from_buffer_list(&mi->context, pf_config);
4022  }
4023 
4024  buffer_list_free(pf_config);
4025  return ret;
4026 }
4027 #endif /* ifdef MANAGEMENT_PF */
4028 
4029 void
4031 {
4032 #ifdef ENABLE_MANAGEMENT
4033  if (management)
4034  {
4035  struct management_callback cb;
4036  CLEAR(cb);
4037  cb.arg = m;
4038  cb.flags = MCF_SERVER;
4049 #ifdef MANAGEMENT_PF
4050  cb.client_pf = management_client_pf;
4051 #endif
4053  }
4054 #endif /* ifdef ENABLE_MANAGEMENT */
4055 }
4056 
4058 {
4059  /* max_clients must be less then max peer-id value */
4061 
4062  for (int i = 0; i < m->max_clients; ++i)
4063  {
4064  if (!m->instances[i])
4065  {
4066  mi->context.c2.tls_multi->peer_id = i;
4067  m->instances[i] = mi;
4068  break;
4069  }
4070  }
4071 
4072  /* should not really end up here, since multi_create_instance returns null
4073  * if amount of clients exceeds max_clients */
4075 }
4076 
4077 
4078 /*
4079  * Top level event loop.
4080  */
4081 void
4083 {
4084  ASSERT(top->options.mode == MODE_SERVER);
4085 
4086  if (proto_is_dgram(top->options.ce.proto))
4087  {
4088  tunnel_server_udp(top);
4089  }
4090  else
4091  {
4092  tunnel_server_tcp(top);
4093  }
4094 }
#define M_NONFATAL
Definition: error.h:95
struct env_set * es
Definition: openvpn.h:407
uint8_t type
Definition: mroute.h:78
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3719
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:187
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2814
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:461
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
#define MR_WITH_NETBITS
Definition: mroute.h:70
static bool is_exit_restart(int sig)
Definition: multi.c:3713
static void register_activity(struct context *c, const int size)
Definition: forward.h:352
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:292
struct buffer to_link
Definition: openvpn.h:366
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1737
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3795
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3590
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:359
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:171
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:483
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:185
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1141
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:421
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
bool ncp_enabled
Definition: options.h:515
#define REAP_DIVISOR
Definition: multi.h:550
struct key_state key[KS_SIZE]
Definition: ssl_common.h:463
struct iroute * next
Definition: route.h:237
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:153
struct in6_addr reporting_addr_ipv6
Definition: multi.h:122
static bool is_cas_pending(enum client_connect_status cas)
Definition: openvpn.h:209
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:465
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2230
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:969
bool did_cid_hash
Definition: multi.h:127
counter_type link_write_bytes
Definition: openvpn.h:270
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:430
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2328
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:293
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:513
#define MULTI_ROUTE_CACHE
Definition: multi.h:226
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:113
#define M_OPTERR
Definition: error.h:105
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:393
int signal_received
Definition: multi.h:61
unsigned int option_types_found
Definition: multi.h:75
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:265
void hash_free(struct hash *hash)
Definition: list.c:65
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:2011
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2903
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:463
Packet geometry parameters.
Definition: mtu.h:93
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:489
pool_type
Definition: pool.h:35
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1112
#define M_USAGE
Definition: error.h:111
enum ks_auth_state authenticated
Definition: ssl_common.h:227
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4057
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
bool push_ifconfig_defined
Definition: openvpn.h:415
char * peer_info
Definition: ssl_common.h:582
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2563
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:365
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2802
struct mroute_addr::@0::@3 v6
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:451
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:600
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:646
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:506
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4523
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:441
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
in_addr_t push_ifconfig_local
Definition: openvpn.h:417
bool enable_c2c
Definition: options.h:472
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2317
int push_ifconfig_ipv6_netbits
Definition: options.h:469
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:533
#define D_TLS_ERRORS
Definition: errlevel.h:59
struct in6_addr network
Definition: route.h:241
struct buffer buf
Definition: openvpn.h:364
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1452
unsigned int flags
Definition: mbuf.h:47
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:106
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5064
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3808
#define SIGUSR1
Definition: config-msvc.h:115
const void * key
Definition: list.h:48
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2295
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:596
#define MR_ADDR_MASK
Definition: mroute.h:64
struct multi_reap * reaper
Definition: multi.h:172
struct context_buffers * buffers
Definition: openvpn.h:356
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2038
struct multi_instance * instance
Definition: multi.h:224
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:461
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:422
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
bool ifconfig_pool_defined
Definition: options.h:436
void multi_top_free(struct multi_context *m)
Definition: multi.c:3706
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:154
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:558
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:188
#define D_PF_DROPPED
Definition: errlevel.h:102
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:94
struct link_socket_info * link_socket_info
Definition: openvpn.h:240
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:51
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:3972
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3887
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:227
in_addr_t remote_netmask
Definition: tun.h:174
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:433
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:424
static int management_callback_n_clients(void *arg)
Definition: multi.c:3823
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:470
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define D_MULTI_DROPPED
Definition: errlevel.h:103
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1566
int status_file_version
Definition: multi.h:177
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:558
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:455
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1339
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:103
ifconfig_pool_handle vaddr_handle
Definition: multi.h:113
bool did_iter
Definition: multi.h:125
#define dmsg(flags,...)
Definition: error.h:153
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:114
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3759
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1426
struct event_timeout stale_routes_check_et
Definition: multi.h:197
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:490
#define MAX_PEER_ID
Definition: openvpn.h:537
int cf_max
Definition: options.h:474
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:486
void pre_select(struct context *c)
Definition: forward.c:1792
unsigned int cache_generation
Definition: mroute.h:132
#define SIGTERM
Definition: config-msvc.h:117
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
#define MCF_SERVER
Definition: manage.h:156
#define ASSERT(x)
Definition: error.h:200
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2774
enum tls_auth_status tls_authentication_status(struct tls_multi *multi, const int latency)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1074
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3915
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:117
in_addr_t ifconfig_pool_end
Definition: options.h:438
static bool check_debug_level(unsigned int level)
Definition: error.h:224
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:616
const char * client_disconnect_script
Definition: options.h:450
int explicit_exit_notification
Definition: options.h:131
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1253
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3396
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
bool platform_unlink(const char *filename)
Definition: platform.c:354
unsigned int flags
Definition: multi.h:228
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1866
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
int n_clients
Definition: multi.h:178
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:339
#define MF_UNICAST
Definition: mbuf.h:46
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:120
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:528
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:1987
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
static void clear_prefix(void)
Definition: multi.h:532
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
static void setenv_stats(struct context *c)
Definition: multi.c:551
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3856
bool did_real_hash
Definition: multi.h:124
#define MODE_SERVER
Definition: options.h:223
unsigned int data_channel_crypto_flags
Definition: options.h:661
bool use_peer_id
Definition: ssl_common.h:608
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:282
#define PIP_MSSFIX
Definition: forward.h:327
bool initialized
Definition: crypto.h:225
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:213
int netbits
Definition: route.h:236
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:600
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3901
void status_flush(struct status_output *so)
Definition: status.c:159
int n_clients_delta
Definition: multi.h:131
#define D_MULTI_MEDIUM
Definition: errlevel.h:104
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:443
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool push_request_received
Definition: openvpn.h:414
const char * ncp_ciphers
Definition: options.h:516
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268
int cf_per
Definition: options.h:475
void multi_uninit(struct multi_context *m)
Definition: multi.c:702
bool status_close(struct status_output *so)
Definition: status.c:190
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:78
struct context_1 c1
Level 1 context.
Definition: openvpn.h:503
Definition: mbuf.h:56
#define PIPV4_PASSTOS
Definition: forward.h:326
static void multi_route_del(struct multi_route *route)
Definition: multi.h:477
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:463
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:414
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:83
in_addr_t push_ifconfig_local
Definition: options.h:460
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3699
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4398
struct frame frame_fragment
Definition: openvpn.h:253
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3830
time_t last_reference
Definition: multi.h:231
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:339
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2982
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3305
#define OPENVPN_PLUGIN_FUNC_DEFERRED
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:654
in_addr_t local
Definition: tun.h:173
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:151
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4030
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:357
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:737
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3060
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:98
#define MAPF_SHOW_ARP
Definition: mroute.h:159
int stale_routes_check_interval
Definition: options.h:478
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:164
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:448
uint16_t vlan_pvid
Definition: options.h:652
counter_type link_read_bytes
Definition: openvpn.h:268
static const char * np(const char *str)
Definition: simple.c:128
#define counter_format
Definition: common.h:31
int mode
Definition: options.h:224
bool ifconfig_ipv6_pool_defined
Definition: options.h:443
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:401
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1878
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:465
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5084
Key state is not authenticated.
Definition: ssl_common.h:150
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:178
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:243
int ifconfig_ipv6_netbits
Definition: options.h:273
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:520
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:419
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:50
bool did_iroutes
Definition: multi.h:130
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:12
#define MPP_PRE_SELECT
Definition: multi.h:280
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:749
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:160
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:389
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:190
int topology
Definition: options.h:269
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2883
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:233
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:526
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1220
struct iroute * iroutes
Definition: options.h:457
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:679
unsigned int cache_generation
Definition: multi.h:230
struct frame frame
Definition: openvpn.h:247
#define DEV_TYPE_TUN
Definition: proto.h:37
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:856
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2916
at least handler succeeded, no result yet
Definition: ssl_common.h:515
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:336
struct timeval timeval
Definition: openvpn.h:383
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
int virtual_hash_size
Definition: options.h:448
Definition: schedule.h:44
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3785
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:194
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:423
#define D_MULTI_DEBUG
Definition: errlevel.h:125
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3282
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value...
Definition: multi.c:1937
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:996
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:135
int tcp_queue_limit
Definition: options.h:456
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133
const char * client_config_dir
Definition: options.h:452
const char * ciphername
Definition: options.h:512
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:110
uint8_t len
Definition: mroute.h:76
#define REAP_MAX
Definition: multi.h:552
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:263
struct multi_instance * pending
Definition: multi.h:185
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
int buckets_per_pass
Definition: multi.h:53
struct gc_arena gc
Definition: multi.h:102
bool vlan_tagging
Definition: options.h:650
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:565
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2434
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:148
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
in_addr_t network
Definition: route.h:235
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise...
Definition: run_command.h:64
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:464
int bucket_base
Definition: multi.h:52
in_addr_t reporting_addr
Definition: multi.h:121
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:257
int max_routes_per_client
Definition: options.h:477
struct buffer buf
Definition: buffer.h:1106
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2958
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:163
char * config_file
The temporary file name that contains the config directives returned by the client-connect script...
Definition: multi.h:87
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:612
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:226
int n_bcast_buf
Definition: options.h:455
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1904
struct multi_instance * instance
Definition: mbuf.h:53
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:249
int max_clients
Definition: multi.h:175
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:444
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:225
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:217
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1698
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:460
union openvpn_sockaddr::@10 addr
in_addr_t ifconfig_pool_start
Definition: options.h:437
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:158
struct link_socket * link_socket
Definition: openvpn.h:238
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3670
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3823
bool status_trigger(struct status_output *so)
Definition: status.c:135
uint16_t vid
Definition: mroute.h:85
#define M_ERRNO
Definition: error.h:99
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2969
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:148
struct multi_instance * earliest_wakeup
Definition: multi.h:186
struct auth_deferred_status script_auth
Definition: ssl_common.h:237
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:610
#define DEV_TYPE_UNDEF
Definition: proto.h:35
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:168
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1048
struct connection_entry ce
Definition: options.h:248
unsigned long cid_counter
Definition: multi.h:182
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:513
bool push_ifconfig_defined
Definition: options.h:459
void schedule_free(struct schedule *s)
Definition: schedule.c:423
struct context_2 c2
Level 2 context.
Definition: openvpn.h:504
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1407
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:164
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:113
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:169
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:41
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2248
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:449
#define CCD_DEFAULT
Definition: common.h:62
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: multi.c:3932
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
enum client_connect_status multi_state
Definition: ssl_common.h:555
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1622
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
in_addr_t ifconfig_pool_netmask
Definition: options.h:439
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:776
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:91
#define SA_SET_IF_NONZERO
Definition: socket.h:366
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:193
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2504
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1290
#define msg(flags,...)
Definition: error.h:149
int(* n_clients)(void *arg)
Definition: manage.h:164
bool halt
Definition: multi.h:103
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4082
struct buffer_entry * next
Definition: buffer.h:1107
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1654
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:167
#define REAP_MIN
Definition: multi.h:551
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1180
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1768
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2701
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3525
const char * tmp_dir
Definition: options.h:414
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:256
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:148
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2795
struct mroute_addr local
Definition: multi.h:173
unsigned int netbits
Definition: route.h:242
int max_clients
Definition: options.h:476
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:421
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:448
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:984
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:308
int status_file_version
Definition: options.h:350
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:111
#define SIGINT
Definition: config-msvc.h:114
struct timeval wakeup
Definition: multi.h:110
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3014
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2963
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
struct hash * cid_hash
Definition: multi.h:181
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:901
#define SIGUSR2
Definition: config-msvc.h:116
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:176
#define D_VLAN_DEBUG
Definition: errlevel.h:152
struct buffer_list * cc_config
Definition: multi.h:128
bool push_ifconfig_ipv6_defined
Definition: options.h:467
Main OpenVPN server state structure.
Definition: multi.h:152
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:447
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:425
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:543
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:196
time_t last_call
Definition: multi.h:54
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:5
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:283
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:581
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1848
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:675
struct fragment_master * fragment
Definition: openvpn.h:252
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:587
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1377
struct status_output * status_output
Definition: openvpn.h:181
struct buffer buf
Definition: mbuf.h:43
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:332
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:492
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:447
int n_net_len
Definition: mroute.h:134
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3659
#define MR_ADDR_IPV6
Definition: mroute.h:63
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:243
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:209
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:156
in_addr_t push_ifconfig_local_alias
Definition: options.h:462
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3137
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:531
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:128
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:236
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:607
Definition: route.h:234
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:458
static int constrain_int(int x, int min, int max)
Definition: integer.h:95
#define M_WARN
Definition: error.h:96
static int min_int(int x, int y)
Definition: integer.h:82
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:192
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:174
struct frequency_limit * new_connection_limiter
Definition: multi.h:170
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:215
unsigned int flags
Definition: manage.h:157
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:176
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:191
void * value
Definition: list.h:47
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:239
#define TUNNEL_TYPE(tt)
Definition: tun.h:157
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:270
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:153
Detached client connection state.
Definition: multi.h:69
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2470
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:307
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:407
unsigned long cid
Definition: manage.h:44
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:204
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2596
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:839
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:467
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:3993
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1000
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:212
struct link_socket_actual from
Definition: openvpn.h:244
int process_incoming_push_request(struct context *c)
Definition: push.c:850
struct iroute_ipv6 * next
Definition: route.h:243
#define BSTR(buf)
Definition: buffer.h:129
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2133
long int get_random(void)
Definition: crypto.c:1775
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2566
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:758
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
struct man_def_auth_context mda_context
Definition: openvpn.h:443
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:49
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:160
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:210
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:860
Definition: argv.h:35
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:365
struct gc_arena gc
Definition: options.h:215
uint8_t netbits
Definition: mroute.h:79
struct buffer to_tun
Definition: openvpn.h:365
in_addr_t push_ifconfig_constraint_network
Definition: options.h:464
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3001
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2894
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:571
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:58
bool duplicate_cn
Definition: options.h:473
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:67
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:75
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:611
int stale_routes_ageing_time
Definition: options.h:479
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:318
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:163
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:222
struct timeval wakeup
Definition: multi.h:62
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:418
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1258
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:281
struct in6_addr local_ipv6
Definition: tun.h:176
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:174
struct mroute_addr addr
Definition: multi.h:223
void status_reset(struct status_output *so)
Definition: status.c:150
const char title_string[]
Definition: options.c:67
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2187
#define D_MULTI_LOW
Definition: errlevel.h:86
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:265
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:248
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3559
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:468
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
int ifconfig_ipv6_pool_netbits
Definition: options.h:445
int fragment
Definition: options.h:127
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:52
const char * dev_type
Definition: options.h:266
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4473
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3612
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:3953