OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "gremlin.h"
43 #include "mstats.h"
44 #include "ssl_verify.h"
45 #include "ssl_ncp.h"
46 #include "vlan.h"
47 #include <inttypes.h>
48 
49 #include "memdbg.h"
50 
51 
52 #include "crypto_backend.h"
53 #include "ssl_util.h"
54 #include "dco.h"
55 
56 /*#define MULTI_DEBUG_EVENT_LOOP*/
57 
58 #ifdef MULTI_DEBUG_EVENT_LOOP
59 static const char *
60 id(struct multi_instance *mi)
61 {
62  if (mi)
63  {
64  return tls_common_name(mi->context.c2.tls_multi, false);
65  }
66  else
67  {
68  return "NULL";
69  }
70 }
71 #endif
72 
73 #ifdef ENABLE_MANAGEMENT
74 static void
76 {
78  mi->cc_config = cc_config;
79 }
80 #endif
81 
82 static inline void
83 update_mstat_n_clients(const int n_clients)
84 {
85 #ifdef ENABLE_MEMSTATS
86  if (mmap_stats)
87  {
88  mmap_stats->n_clients = n_clients;
89  }
90 #endif
91 }
92 
93 static bool
95  const struct multi_instance *mi,
96  const char *op,
97  const struct mroute_addr *addr)
98 {
99  struct gc_arena gc = gc_new();
100  struct env_set *es;
101  bool ret = true;
102  struct plugin_list *plugins;
103 
104  /* get environmental variable source */
105  if (mi && mi->context.c2.es)
106  {
107  es = mi->context.c2.es;
108  }
109  else
110  {
111  es = env_set_create(&gc);
112  }
113 
114  /* get plugin source */
115  if (mi)
116  {
117  plugins = mi->context.plugins;
118  }
119  else
120  {
121  plugins = m->top.plugins;
122  }
123 
125  {
126  struct argv argv = argv_new();
127  argv_printf(&argv, "%s %s",
128  op,
129  mroute_addr_print(addr, &gc));
130  if (mi)
131  {
133  }
135  {
136  msg(M_WARN, "WARNING: learn-address plugin call failed");
137  ret = false;
138  }
139  argv_free(&argv);
140  }
141 
143  {
144  struct argv argv = argv_new();
145  setenv_str(es, "script_type", "learn-address");
147  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
148  if (mi)
149  {
151  }
152  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
153  {
154  ret = false;
155  }
156  argv_free(&argv);
157  }
158 
159  gc_free(&gc);
160  return ret;
161 }
162 
163 void
165 {
166  /* write pool data to file */
167  if (m->ifconfig_pool
170  {
172  }
173 }
174 
175 static void
177  int start_bucket,
178  int end_bucket)
179 {
180  struct gc_arena gc = gc_new();
181  struct hash_iterator hi;
182  struct hash_element *he;
183 
184  if (start_bucket < 0)
185  {
186  start_bucket = 0;
187  end_bucket = hash_n_buckets(m->vhash);
188  }
189 
190  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
191  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
192  while ((he = hash_iterator_next(&hi)) != NULL)
193  {
194  struct multi_route *r = (struct multi_route *) he->value;
195  if (!multi_route_defined(m, r))
196  {
197  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
198  mroute_addr_print(&r->addr, &gc));
199  learn_address_script(m, NULL, "delete", &r->addr);
200  multi_route_del(r);
202  }
203  }
204  hash_iterator_free(&hi);
205  gc_free(&gc);
206 }
207 
208 static void
210 {
211  multi_reap_range(m, -1, 0);
212 }
213 
214 static struct multi_reap *
216 {
217  struct multi_reap *mr;
218  ALLOC_OBJ(mr, struct multi_reap);
219  mr->bucket_base = 0;
221  mr->last_call = now;
222  return mr;
223 }
224 
225 void
227 {
228  struct multi_reap *mr = m->reaper;
229  if (mr->bucket_base >= hash_n_buckets(m->vhash))
230  {
231  mr->bucket_base = 0;
232  }
234  mr->bucket_base += mr->buckets_per_pass;
235  mr->last_call = now;
236 }
237 
238 static void
240 {
241  free(mr);
242 }
243 
244 /*
245  * How many buckets in vhash to reap per pass.
246  */
247 static int
248 reap_buckets_per_pass(int n_buckets)
249 {
250  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
251 }
252 
253 #ifdef ENABLE_MANAGEMENT
254 
255 static uint32_t
256 cid_hash_function(const void *key, uint32_t iv)
257 {
258  const unsigned long *k = (const unsigned long *)key;
259  return (uint32_t) *k;
260 }
261 
262 static bool
263 cid_compare_function(const void *key1, const void *key2)
264 {
265  const unsigned long *k1 = (const unsigned long *)key1;
266  const unsigned long *k2 = (const unsigned long *)key2;
267  return *k1 == *k2;
268 }
269 
270 #endif
271 
272 #ifdef ENABLE_ASYNC_PUSH
273 static uint32_t
274 /*
275  * inotify watcher descriptors are used as hash value
276  */
277 int_hash_function(const void *key, uint32_t iv)
278 {
279  return (unsigned long)key;
280 }
281 
282 static bool
283 int_compare_function(const void *key1, const void *key2)
284 {
285  return (unsigned long)key1 == (unsigned long)key2;
286 }
287 #endif
288 
289 /*
290  * Main initialization function, init multi_context object.
291  */
292 void
293 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
294 {
295  int dev = DEV_TYPE_UNDEF;
296 
297  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
300 
301  /*
302  * Get tun/tap/null device type
303  */
304  dev = dev_type_enum(t->options.dev, t->options.dev_type);
305 
306  /*
307  * Init our multi_context object.
308  */
309  CLEAR(*m);
310 
311  /*
312  * Real address hash table (source port number is
313  * considered to be part of the address). Used
314  * to determine which client sent an incoming packet
315  * which is seen on the TCP/UDP socket.
316  */
318  get_random(),
321 
322  /*
323  * Virtual address hash table. Used to determine
324  * which client to route a packet to.
325  */
327  get_random(),
330 
331  /*
332  * This hash table is a clone of m->hash but with a
333  * bucket size of one so that it can be used
334  * for fast iteration through the list.
335  */
336  m->iter = hash_init(1,
337  get_random(),
340 
341 #ifdef ENABLE_MANAGEMENT
343  0,
346 #endif
347 
348 #ifdef ENABLE_ASYNC_PUSH
349  /*
350  * Mapping between inotify watch descriptors and
351  * multi_instances.
352  */
353  m->inotify_watchers = hash_init(t->options.real_hash_size,
354  get_random(),
355  int_hash_function,
356  int_compare_function);
357 #endif
358 
359  /*
360  * This is our scheduler, for time-based wakeup
361  * events.
362  */
363  m->schedule = schedule_init();
364 
365  /*
366  * Limit frequency of incoming connections to control
367  * DoS.
368  */
370  t->options.cf_per);
371 
372  /*
373  * Allocate broadcast/multicast buffer list
374  */
376 
377  /*
378  * Different status file format options are available
379  */
381 
382  /*
383  * Possibly allocate an ifconfig pool, do it
384  * differently based on whether a tun or tap style
385  * tunnel.
386  */
389  {
391 
392  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
393  {
395  }
396 
398  pool_type,
405 
406  /* reload pool data from file */
407  if (t->c1.ifconfig_pool_persist)
408  {
410  }
411  }
412 
413  /*
414  * Help us keep track of routing table.
415  */
417 
418  /*
419  * Initialize route and instance reaper.
420  */
422 
423  /*
424  * Get local ifconfig address
425  */
426  CLEAR(m->local);
427  ASSERT(t->c1.tuntap);
429 
430  /*
431  * Per-client limits
432  */
434 
435  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
436 
437  /*
438  * Initialize multi-socket TCP I/O wait object
439  */
440  if (tcp_mode)
441  {
443  }
445 
446  /*
447  * Allow client <-> client communication, without going through
448  * tun/tap interface and network stack?
449  */
450  m->enable_c2c = t->options.enable_c2c;
451 
452  /* initialize stale routes check timer */
454  {
455  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
458  }
459 
461 }
462 
463 const char *
464 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
465 {
466  if (mi)
467  {
468  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
469  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
470 
471  if (cn)
472  {
473  buf_printf(&out, "%s/", cn);
474  }
475  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
476  return BSTR(&out);
477  }
478  else if (null)
479  {
480  return NULL;
481  }
482  else
483  {
484  return "UNDEF";
485  }
486 }
487 
488 static void
490 {
491  struct gc_arena gc = gc_new();
492  const char *prefix = multi_instance_string(mi, true, &gc);
493  if (prefix)
494  {
495  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
496  }
497  else
498  {
499  mi->msg_prefix[0] = '\0';
500  }
501  set_prefix(mi);
502  gc_free(&gc);
503 }
504 
505 void
507 {
508  mi->msg_prefix[0] = '\0';
509  set_prefix(mi);
510 }
511 
512 /*
513  * Tell the route helper about deleted iroutes so
514  * that it can update its mask of currently used
515  * CIDR netlengths.
516  */
517 static void
519  struct multi_instance *mi)
520 {
521  const struct iroute *ir;
522  const struct iroute_ipv6 *ir6;
523 
524  dco_delete_iroutes(m, mi);
525 
527  {
528  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
529  {
531  }
532 
533  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
534  {
536  }
537  }
538 }
539 
540 static void
542 {
543  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
544  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
545 }
546 
547 static void
549 {
550  /* setenv client real IP address */
552 
553  /* setenv stats */
554  setenv_stats(&mi->context);
555 
556  /* setenv connection duration */
557  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
558 }
559 
560 static void
562 {
564 
566  {
568  {
569  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
570  }
571  }
572 
574  {
575  struct argv argv = argv_new();
576  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
578  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
579  argv_free(&argv);
580  }
581 #ifdef ENABLE_MANAGEMENT
582  if (management)
583  {
585  }
586 #endif
587 }
588 
589 void
591  struct multi_instance *mi,
592  bool shutdown)
593 {
595 
596  ASSERT(!mi->halt);
597  mi->halt = true;
598 
599  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
600 
601  /* adjust current client connection count */
602  m->n_clients += mi->n_clients_delta;
604  mi->n_clients_delta = 0;
605 
606  /* prevent dangling pointers */
607  if (m->pending == mi)
608  {
609  multi_set_pending(m, NULL);
610  }
611  if (m->earliest_wakeup == mi)
612  {
613  m->earliest_wakeup = NULL;
614  }
615 
616  if (!shutdown)
617  {
618  if (mi->did_real_hash)
619  {
620  ASSERT(hash_remove(m->hash, &mi->real));
621  }
622  if (mi->did_iter)
623  {
624  ASSERT(hash_remove(m->iter, &mi->real));
625  }
626 #ifdef ENABLE_MANAGEMENT
627  if (mi->did_cid_hash)
628  {
630  }
631 #endif
632 
633 #ifdef ENABLE_ASYNC_PUSH
634  if (mi->inotify_watch != -1)
635  {
636  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
637  mi->inotify_watch = -1;
638  }
639 #endif
640 
641  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
642  {
643  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
644  }
645 
646  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
647 
648  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
649 
650  if (mi->did_iroutes)
651  {
652  multi_del_iroutes(m, mi);
653  mi->did_iroutes = false;
654  }
655 
656  if (m->mtcp)
657  {
659  }
660 
662  }
663 
664 #ifdef ENABLE_MANAGEMENT
665  set_cc_config(mi, NULL);
666 #endif
667 
669  {
671  }
672 
674 
676 
677  ungenerate_prefix(mi);
678 
679  /*
680  * Don't actually delete the instance memory allocation yet,
681  * because virtual routes may still point to it. Let the
682  * vhash reaper deal with it.
683  */
685 
686  perf_pop();
687 }
688 
689 /*
690  * Called on shutdown or restart.
691  */
692 void
694 {
695  if (m->hash)
696  {
697  struct hash_iterator hi;
698  struct hash_element *he;
699 
700  hash_iterator_init(m->iter, &hi);
701  while ((he = hash_iterator_next(&hi)))
702  {
703  struct multi_instance *mi = (struct multi_instance *) he->value;
704  mi->did_iter = false;
705  multi_close_instance(m, mi, true);
706  }
707  hash_iterator_free(&hi);
708 
709  multi_reap_all(m);
710 
711  hash_free(m->hash);
712  hash_free(m->vhash);
713  hash_free(m->iter);
714 #ifdef ENABLE_MANAGEMENT
715  hash_free(m->cid_hash);
716 #endif
717  m->hash = NULL;
718 
719  free(m->instances);
720 
721 #ifdef ENABLE_ASYNC_PUSH
722  hash_free(m->inotify_watchers);
723  m->inotify_watchers = NULL;
724 #endif
725 
727  mbuf_free(m->mbuf);
732  multi_tcp_free(m->mtcp);
733  }
734 }
735 
736 /*
737  * Create a client instance object for a newly connected client.
738  */
739 struct multi_instance *
741 {
742  struct gc_arena gc = gc_new();
743  struct multi_instance *mi;
744 
746 
747  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
748 
749  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
750 
751  mi->gc = gc_new();
753  mi->vaddr_handle = -1;
754  mi->created = now;
755  mroute_addr_init(&mi->real);
756 
757  if (real)
758  {
759  mi->real = *real;
760  generate_prefix(mi);
761  }
762 
763  inherit_context_child(&mi->context, &m->top);
764  if (IS_SIG(&mi->context))
765  {
766  goto err;
767  }
768 
770 
771  if (hash_n_elements(m->hash) >= m->max_clients)
772  {
773  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
774  goto err;
775  }
776 
777  if (!real) /* TCP mode? */
778  {
780  {
781  goto err;
782  }
783  generate_prefix(mi);
784  }
785 
786  if (!hash_add(m->iter, &mi->real, mi, false))
787  {
788  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
789  mroute_addr_print(&mi->real, &gc));
790  goto err;
791  }
792  mi->did_iter = true;
793 
794 #ifdef ENABLE_MANAGEMENT
795  do
796  {
797  mi->context.c2.mda_context.cid = m->cid_counter++;
798  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
799  mi->did_cid_hash = true;
800 #endif
801 
802  mi->context.c2.push_request_received = false;
803 #ifdef ENABLE_ASYNC_PUSH
804  mi->inotify_watch = -1;
805 #endif
806 
807  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
808  {
809  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
810  goto err;
811  }
812 
813  perf_pop();
814  gc_free(&gc);
815  return mi;
816 
817 err:
818  multi_close_instance(m, mi, false);
819  perf_pop();
820  gc_free(&gc);
821  return NULL;
822 }
823 
824 /*
825  * Dump tables -- triggered by SIGUSR2.
826  * If status file is defined, write to file.
827  * If status file is NULL, write to syslog.
828  */
829 void
830 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
831 {
832  if (m->hash)
833  {
834  struct gc_arena gc_top = gc_new();
835  struct hash_iterator hi;
836  const struct hash_element *he;
837 
838  status_reset(so);
839 
840  if (version == 1)
841  {
842  /*
843  * Status file version 1
844  */
845  status_printf(so, "OpenVPN CLIENT LIST");
846  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
847  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
848  hash_iterator_init(m->hash, &hi);
849  while ((he = hash_iterator_next(&hi)))
850  {
851  struct gc_arena gc = gc_new();
852  const struct multi_instance *mi = (struct multi_instance *) he->value;
853 
854  if (!mi->halt)
855  {
856  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
857  tls_common_name(mi->context.c2.tls_multi, false),
858  mroute_addr_print(&mi->real, &gc),
861  time_string(mi->created, 0, false, &gc));
862  }
863  gc_free(&gc);
864  }
865  hash_iterator_free(&hi);
866 
867  status_printf(so, "ROUTING TABLE");
868  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
869  hash_iterator_init(m->vhash, &hi);
870  while ((he = hash_iterator_next(&hi)))
871  {
872  struct gc_arena gc = gc_new();
873  const struct multi_route *route = (struct multi_route *) he->value;
874 
875  if (multi_route_defined(m, route))
876  {
877  const struct multi_instance *mi = route->instance;
878  const struct mroute_addr *ma = &route->addr;
879  char flags[2] = {0, 0};
880 
881  if (route->flags & MULTI_ROUTE_CACHE)
882  {
883  flags[0] = 'C';
884  }
885  status_printf(so, "%s%s,%s,%s,%s",
886  mroute_addr_print(ma, &gc),
887  flags,
888  tls_common_name(mi->context.c2.tls_multi, false),
889  mroute_addr_print(&mi->real, &gc),
890  time_string(route->last_reference, 0, false, &gc));
891  }
892  gc_free(&gc);
893  }
894  hash_iterator_free(&hi);
895 
896  status_printf(so, "GLOBAL STATS");
897  if (m->mbuf)
898  {
899  status_printf(so, "Max bcast/mcast queue length,%d",
901  }
902 
903  status_printf(so, "END");
904  }
905  else if (version == 2 || version == 3)
906  {
907  const char sep = (version == 3) ? '\t' : ',';
908 
909  /*
910  * Status file version 2 and 3
911  */
912  status_printf(so, "TITLE%c%s", sep, title_string);
913  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
914  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
915  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
916  hash_iterator_init(m->hash, &hi);
917  while ((he = hash_iterator_next(&hi)))
918  {
919  struct gc_arena gc = gc_new();
920  const struct multi_instance *mi = (struct multi_instance *) he->value;
921 
922  if (!mi->halt)
923  {
924  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
925 #ifdef ENABLE_MANAGEMENT
926  "%lu"
927 #else
928  ""
929 #endif
930  "%c%" PRIu32 "%c%s",
931  sep, tls_common_name(mi->context.c2.tls_multi, false),
932  sep, mroute_addr_print(&mi->real, &gc),
935  sep, mi->context.c2.link_read_bytes,
936  sep, mi->context.c2.link_write_bytes,
937  sep, time_string(mi->created, 0, false, &gc),
938  sep, (unsigned int)mi->created,
939  sep, tls_username(mi->context.c2.tls_multi, false),
940 #ifdef ENABLE_MANAGEMENT
941  sep, mi->context.c2.mda_context.cid,
942 #else
943  sep,
944 #endif
945  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
947  }
948  gc_free(&gc);
949  }
950  hash_iterator_free(&hi);
951 
952  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
953  sep, sep, sep, sep, sep, sep);
954  hash_iterator_init(m->vhash, &hi);
955  while ((he = hash_iterator_next(&hi)))
956  {
957  struct gc_arena gc = gc_new();
958  const struct multi_route *route = (struct multi_route *) he->value;
959 
960  if (multi_route_defined(m, route))
961  {
962  const struct multi_instance *mi = route->instance;
963  const struct mroute_addr *ma = &route->addr;
964  char flags[2] = {0, 0};
965 
966  if (route->flags & MULTI_ROUTE_CACHE)
967  {
968  flags[0] = 'C';
969  }
970  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
971  sep, mroute_addr_print(ma, &gc), flags,
972  sep, tls_common_name(mi->context.c2.tls_multi, false),
973  sep, mroute_addr_print(&mi->real, &gc),
974  sep, time_string(route->last_reference, 0, false, &gc),
975  sep, (unsigned int)route->last_reference);
976  }
977  gc_free(&gc);
978  }
979  hash_iterator_free(&hi);
980 
981  if (m->mbuf)
982  {
983  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
984  sep, sep, mbuf_maximum_queued(m->mbuf));
985  }
986 
987  status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
988  status_printf(so, "END");
989  }
990  else
991  {
992  status_printf(so, "ERROR: bad status format version number");
993  }
994 
995 #ifdef PACKET_TRUNCATION_CHECK
996  {
997  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
998  hash_iterator_init(m->hash, &hi);
999  while ((he = hash_iterator_next(&hi)))
1000  {
1001  struct gc_arena gc = gc_new();
1002  const struct multi_instance *mi = (struct multi_instance *) he->value;
1003 
1004  if (!mi->halt)
1005  {
1007  tls_common_name(mi->context.c2.tls_multi, false),
1008  m->top.c2.n_trunc_tun_read,
1009  mi->context.c2.n_trunc_tun_write,
1010  mi->context.c2.n_trunc_pre_encrypt,
1011  mi->context.c2.n_trunc_post_decrypt);
1012  }
1013  gc_free(&gc);
1014  }
1015  hash_iterator_free(&hi);
1016  }
1017 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1018 
1019  status_flush(so);
1020  gc_free(&gc_top);
1021  }
1022 
1023 #ifdef ENABLE_ASYNC_PUSH
1024  if (m->inotify_watchers)
1025  {
1026  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1027  }
1028 #endif
1029 }
1030 
1031 /*
1032  * Learn a virtual address or route.
1033  * The learn will fail if the learn address
1034  * script/plugin fails. In this case the
1035  * return value may be != mi.
1036  * Return the instance which owns this route,
1037  * or NULL if none.
1038  */
1039 static struct multi_instance *
1041  struct multi_instance *mi,
1042  const struct mroute_addr *addr,
1043  const unsigned int flags)
1044 {
1045  struct hash_element *he;
1046  const uint32_t hv = hash_value(m->vhash, addr);
1047  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1048  struct multi_route *oldroute = NULL;
1049  struct multi_instance *owner = NULL;
1050  struct gc_arena gc = gc_new();
1051 
1052  /* if route currently exists, get the instance which owns it */
1053  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1054  if (he)
1055  {
1056  oldroute = (struct multi_route *) he->value;
1057  }
1058  if (oldroute && multi_route_defined(m, oldroute))
1059  {
1060  owner = oldroute->instance;
1061  }
1062 
1063  /* do we need to add address to hash table? */
1064  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1065  && !mroute_addr_equal(addr, &m->local))
1066  {
1067  struct multi_route *newroute;
1068  bool learn_succeeded = false;
1069 
1070  ALLOC_OBJ(newroute, struct multi_route);
1071  newroute->addr = *addr;
1072  newroute->instance = mi;
1073  newroute->flags = flags;
1074  newroute->last_reference = now;
1075  newroute->cache_generation = 0;
1076 
1077  /* The cache is invalidated when cache_generation is incremented */
1078  if (flags & MULTI_ROUTE_CACHE)
1079  {
1081  }
1082 
1083  if (oldroute) /* route already exists? */
1084  {
1085  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1086  {
1087  learn_succeeded = true;
1088  owner = mi;
1090  route_quota_inc(mi);
1091 
1092  /* delete old route */
1093  multi_route_del(oldroute);
1094 
1095  /* modify hash table entry, replacing old route */
1096  he->key = &newroute->addr;
1097  he->value = newroute;
1098  }
1099  }
1100  else
1101  {
1102  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1103  {
1104  learn_succeeded = true;
1105  owner = mi;
1107  route_quota_inc(mi);
1108 
1109  /* add new route */
1110  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1111  }
1112  }
1113 
1114  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1115  learn_succeeded ? "" : " FAILED",
1116  mroute_addr_print(&newroute->addr, &gc),
1117  multi_instance_string(mi, false, &gc));
1118 
1119  if (!learn_succeeded)
1120  {
1121  free(newroute);
1122  }
1123  }
1124  gc_free(&gc);
1125 
1126  return owner;
1127 }
1128 
1129 /*
1130  * Get client instance based on virtual address.
1131  */
1132 static struct multi_instance *
1134  const struct mroute_addr *addr,
1135  bool cidr_routing)
1136 {
1137  struct multi_route *route;
1138  struct multi_instance *ret = NULL;
1139 
1140  /* check for local address */
1141  if (mroute_addr_equal(addr, &m->local))
1142  {
1143  return NULL;
1144  }
1145 
1146  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1147 
1148  /* does host route (possible cached) exist? */
1149  if (route && multi_route_defined(m, route))
1150  {
1151  struct multi_instance *mi = route->instance;
1152  route->last_reference = now;
1153  ret = mi;
1154  }
1155  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1156  {
1157  struct mroute_helper *rh = m->route_helper;
1158  struct mroute_addr tryaddr;
1159  int i;
1160 
1161  /* cycle through each CIDR length */
1162  for (i = 0; i < rh->n_net_len; ++i)
1163  {
1164  tryaddr = *addr;
1165  tryaddr.type |= MR_WITH_NETBITS;
1166  tryaddr.netbits = rh->net_len[i];
1167  mroute_addr_mask_host_bits(&tryaddr);
1168 
1169  /* look up a possible route with netbits netmask */
1170  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1171 
1172  if (route && multi_route_defined(m, route))
1173  {
1174  /* found an applicable route, cache host route */
1175  struct multi_instance *mi = route->instance;
1177  ret = mi;
1178  break;
1179  }
1180  }
1181  }
1182 
1183 #ifdef ENABLE_DEBUG
1185  {
1186  struct gc_arena gc = gc_new();
1187  const char *addr_text = mroute_addr_print(addr, &gc);
1188  if (ret)
1189  {
1190  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1191  addr_text,
1192  multi_instance_string(ret, false, &gc),
1193  mroute_addr_print(&route->addr, &gc));
1194  }
1195  else
1196  {
1197  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1198  addr_text);
1199  }
1200  gc_free(&gc);
1201  }
1202 #endif
1203 
1204  ASSERT(!(ret && ret->halt));
1205  return ret;
1206 }
1207 
1208 /*
1209  * Helper function to multi_learn_addr().
1210  */
1211 static struct multi_instance *
1213  struct multi_instance *mi,
1214  in_addr_t a,
1215  int netbits, /* -1 if host route, otherwise # of network bits in address */
1216  bool primary)
1217 {
1218  struct openvpn_sockaddr remote_si;
1219  struct mroute_addr addr;
1220 
1221  CLEAR(remote_si);
1222  remote_si.addr.in4.sin_family = AF_INET;
1223  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1224  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1225 
1226  if (netbits >= 0)
1227  {
1228  addr.type |= MR_WITH_NETBITS;
1229  addr.netbits = (uint8_t) netbits;
1230  }
1231 
1232  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1233 #ifdef ENABLE_MANAGEMENT
1234  if (management && owner)
1235  {
1236  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1237  }
1238 #endif
1239  if (!primary)
1240  {
1241  /* "primary" is the VPN ifconfig address of the peer and already
1242  * known to DCO, so only install "extra" iroutes (primary = false)
1243  */
1244  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1245  dco_install_iroute(m, mi, &addr);
1246  }
1247 
1248  return owner;
1249 }
1250 
1251 static struct multi_instance *
1253  struct multi_instance *mi,
1254  struct in6_addr a6,
1255  int netbits, /* -1 if host route, otherwise # of network bits in address */
1256  bool primary)
1257 {
1258  struct mroute_addr addr;
1259 
1260  addr.len = 16;
1261  addr.type = MR_ADDR_IPV6;
1262  addr.netbits = 0;
1263  addr.v6.addr = a6;
1264 
1265  if (netbits >= 0)
1266  {
1267  addr.type |= MR_WITH_NETBITS;
1268  addr.netbits = (uint8_t) netbits;
1270  }
1271 
1272  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1273 #ifdef ENABLE_MANAGEMENT
1274  if (management && owner)
1275  {
1276  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1277  }
1278 #endif
1279  if (!primary)
1280  {
1281  /* "primary" is the VPN ifconfig address of the peer and already
1282  * known to DCO, so only install "extra" iroutes (primary = false)
1283  */
1284  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1285  dco_install_iroute(m, mi, &addr);
1286  }
1287 
1288  return owner;
1289 }
1290 
1291 /*
1292  * A new client has connected, add routes (server -> client)
1293  * to internal routing table.
1294  */
1295 static void
1297  struct multi_instance *mi)
1298 {
1299  struct gc_arena gc = gc_new();
1300  const struct iroute *ir;
1301  const struct iroute_ipv6 *ir6;
1303  {
1304  mi->did_iroutes = true;
1305  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1306  {
1307  if (ir->netbits >= 0)
1308  {
1309  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1310  print_in_addr_t(ir->network, 0, &gc),
1311  ir->netbits,
1312  multi_instance_string(mi, false, &gc));
1313  }
1314  else
1315  {
1316  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1317  print_in_addr_t(ir->network, 0, &gc),
1318  multi_instance_string(mi, false, &gc));
1319  }
1320 
1322 
1323  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1324  }
1325  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1326  {
1327  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1328  print_in6_addr(ir6->network, 0, &gc),
1329  ir6->netbits,
1330  multi_instance_string(mi, false, &gc));
1331 
1333 
1334  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1335  }
1336  }
1337  gc_free(&gc);
1338 }
1339 
1340 /*
1341  * Given an instance (new_mi), delete all other instances which use the
1342  * same common name.
1343  */
1344 static void
1346 {
1347  if (new_mi)
1348  {
1349  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1350  if (new_cn)
1351  {
1352  struct hash_iterator hi;
1353  struct hash_element *he;
1354  int count = 0;
1355 
1356  hash_iterator_init(m->iter, &hi);
1357  while ((he = hash_iterator_next(&hi)))
1358  {
1359  struct multi_instance *mi = (struct multi_instance *) he->value;
1360  if (mi != new_mi && !mi->halt)
1361  {
1362  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1363  if (cn && !strcmp(cn, new_cn))
1364  {
1365  mi->did_iter = false;
1366  multi_close_instance(m, mi, false);
1368  ++count;
1369  }
1370  }
1371  }
1372  hash_iterator_free(&hi);
1373 
1374  if (count)
1375  {
1376  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1377  }
1378  }
1379  }
1380 }
1381 
1382 static void
1384 {
1385 
1386  struct gc_arena gc = gc_new();
1387  struct hash_iterator hi;
1388  struct hash_element *he;
1389 
1390  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1392  while ((he = hash_iterator_next(&hi)) != NULL)
1393  {
1394  struct multi_route *r = (struct multi_route *) he->value;
1395  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1396  {
1397  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1398  mroute_addr_print(&r->addr, &gc));
1399  learn_address_script(m, NULL, "delete", &r->addr);
1400  multi_route_del(r);
1402  }
1403  }
1404  hash_iterator_free(&hi);
1405  gc_free(&gc);
1406 }
1407 
1408 /*
1409  * Ensure that endpoint to be pushed to client
1410  * complies with --ifconfig-push-constraint directive.
1411  */
1412 static bool
1414 {
1415  const struct options *o = &c->options;
1417  {
1419  }
1420  else
1421  {
1422  return true;
1423  }
1424 }
1425 
1426 /*
1427  * Select a virtual address for a new client instance.
1428  * Use an --ifconfig-push directive, if given (static IP).
1429  * Otherwise use an --ifconfig-pool address (dynamic IP).
1430  */
1431 static void
1433 {
1434  struct gc_arena gc = gc_new();
1435 
1436  /*
1437  * If ifconfig addresses were set by dynamic config file,
1438  * release pool addresses, otherwise keep them.
1439  */
1441  {
1442  /* ifconfig addresses were set statically,
1443  * release dynamic allocation */
1444  if (mi->vaddr_handle >= 0)
1445  {
1447  mi->vaddr_handle = -1;
1448  }
1449 
1450  mi->context.c2.push_ifconfig_defined = true;
1454 
1455  /* the current implementation does not allow "static IPv4, pool IPv6",
1456  * (see below) so issue a warning if that happens - don't break the
1457  * session, though, as we don't even know if this client WANTS IPv6
1458  */
1461  {
1462  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1463  }
1464  }
1465  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1466  {
1467  in_addr_t local = 0, remote = 0;
1468  struct in6_addr remote_ipv6;
1469  const char *cn = NULL;
1470 
1471  if (!mi->context.options.duplicate_cn)
1472  {
1473  cn = tls_common_name(mi->context.c2.tls_multi, true);
1474  }
1475 
1476  CLEAR(remote_ipv6);
1477  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1478  if (mi->vaddr_handle >= 0)
1479  {
1480  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1481  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1482 
1483  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1485  ? print_in_addr_t(remote, 0, &gc)
1486  : "(Not enabled)"),
1488  ? print_in6_addr( remote_ipv6, 0, &gc )
1489  : "(Not enabled)") );
1490 
1492  {
1493  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1494  mi->context.c2.push_ifconfig_local = remote;
1495  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1496  {
1499  {
1501  }
1502  }
1503  else if (tunnel_type == DEV_TYPE_TUN)
1504  {
1505  if (tunnel_topology == TOP_P2P)
1506  {
1508  }
1509  else if (tunnel_topology == TOP_NET30)
1510  {
1512  }
1513  }
1514 
1516  {
1517  mi->context.c2.push_ifconfig_defined = true;
1518  }
1519  else
1520  {
1522  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1523  multi_instance_string(mi, false, &gc));
1524  }
1525  }
1526 
1528  {
1529  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1531  mi->context.c1.tuntap->local_ipv6;
1535  }
1536  }
1537  else
1538  {
1539  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1540  }
1541  }
1542 
1543  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1544  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1545  * will fail (because no pool will be allocated in this case).
1546  * OTOH, this doesn't make too much sense in reality - and the other
1547  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1548  * -> and so it's implemented right now
1549  */
1551  {
1559 
1560  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1563  }
1564 
1565  gc_free(&gc);
1566 }
1567 
1568 /*
1569  * Set virtual address environmental variables.
1570  */
1571 static void
1573 {
1574  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1575  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1576  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1577 
1579  {
1580  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1581  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1582 
1584  "ifconfig_pool_remote_ip",
1587 
1588  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1589  {
1591  "ifconfig_pool_netmask",
1594  }
1595  else if (tunnel_type == DEV_TYPE_TUN)
1596  {
1598  "ifconfig_pool_local_ip",
1601  }
1602  }
1603 
1604  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1605  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1606  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1607 
1609  {
1611  "ifconfig_pool_remote",
1615  "ifconfig_pool_local",
1618  setenv_int(mi->context.c2.es,
1619  "ifconfig_pool_ip6_netbits",
1621  }
1622 }
1623 
1624 /*
1625  * Called after client-connect script is called
1626  */
1627 static void
1629  struct multi_instance *mi,
1630  const char *dc_file,
1631  unsigned int *option_types_found)
1632 {
1633  /* Did script generate a dynamic config file? */
1634  if (platform_test_file(dc_file))
1635  {
1637  dc_file,
1640  option_types_found,
1641  mi->context.c2.es);
1642 
1643  /*
1644  * If the --client-connect script generates a config file
1645  * with an --ifconfig-push directive, it will override any
1646  * --ifconfig-push directive from the --client-config-dir
1647  * directory or any --ifconfig-pool dynamic address.
1648  */
1651  }
1652 }
1653 
1654 #ifdef ENABLE_PLUGIN
1655 
1656 /*
1657  * Called after client-connect plug-in is called
1658  */
1659 static void
1661  struct multi_instance *mi,
1662  const struct plugin_return *pr,
1663  unsigned int *option_types_found)
1664 {
1665  struct plugin_return config;
1666 
1667  plugin_return_get_column(pr, &config, "config");
1668 
1669  /* Did script generate a dynamic config file? */
1670  if (plugin_return_defined(&config))
1671  {
1672  int i;
1673  for (i = 0; i < config.n; ++i)
1674  {
1675  if (config.list[i] && config.list[i]->value)
1676  {
1678  config.list[i]->value,
1681  option_types_found,
1682  mi->context.c2.es);
1683  }
1684  }
1685 
1686  /*
1687  * If the --client-connect script generates a config file
1688  * with an --ifconfig-push directive, it will override any
1689  * --ifconfig-push directive from the --client-config-dir
1690  * directory or any --ifconfig-pool dynamic address.
1691  */
1694  }
1695 }
1696 
1697 #endif /* ifdef ENABLE_PLUGIN */
1698 
1699 
1700 /*
1701  * Called to load management-derived client-connect config
1702  */
1705  struct multi_instance *mi,
1706  bool deferred,
1707  unsigned int *option_types_found)
1708 {
1709  /* We never return CC_RET_DEFERRED */
1710  ASSERT(!deferred);
1712 #ifdef ENABLE_MANAGEMENT
1713  if (mi->cc_config)
1714  {
1715  struct buffer_entry *be;
1716  for (be = mi->cc_config->head; be != NULL; be = be->next)
1717  {
1718  const char *opt = BSTR(&be->buf);
1720  opt,
1723  option_types_found,
1724  mi->context.c2.es);
1725  }
1726 
1727  /*
1728  * If the --client-connect script generates a config file
1729  * with an --ifconfig-push directive, it will override any
1730  * --ifconfig-push directive from the --client-config-dir
1731  * directory or any --ifconfig-pool dynamic address.
1732  */
1735 
1736  ret = CC_RET_SUCCEEDED;
1737  }
1738 #endif /* ifdef ENABLE_MANAGEMENT */
1739  return ret;
1740 }
1741 
1742 static void
1744  struct multi_instance *mi)
1745 {
1746  struct gc_arena gc = gc_new();
1747 
1748  /* setenv incoming cert common name for script */
1749  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1750 
1751  /* setenv client real IP address */
1753 
1754  /* setenv client virtual IP address */
1756 
1757  /* setenv connection time */
1758  {
1759  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1760  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1761  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1762  }
1763 
1764  gc_free(&gc);
1765 }
1766 
1773 static bool
1775 {
1776  struct tls_multi *tls_multi = c->c2.tls_multi;
1777  const char *const peer_info = tls_multi->peer_info;
1778  struct options *o = &c->options;
1779 
1780 
1781  unsigned int proto = extract_iv_proto(peer_info);
1782  if (proto & IV_PROTO_DATA_V2)
1783  {
1784  tls_multi->use_peer_id = true;
1785  o->use_peer_id = true;
1786  }
1787  else if (dco_enabled(o))
1788  {
1789  msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing "
1790  "requires DATA_V2. Dropping client.");
1791  auth_set_client_reason(tls_multi, "Data channel negotiation "
1792  "failed (missing DATA_V2)");
1793  return false;
1794  }
1795 
1796  if (proto & IV_PROTO_REQUEST_PUSH)
1797  {
1798  c->c2.push_request_received = true;
1799  }
1800 
1801 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1802  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1803  {
1805  }
1806 #endif
1807 
1808  if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1809  {
1811  }
1812 
1813  /* Select cipher if client supports Negotiable Crypto Parameters */
1814 
1815  /* if we have already created our key, we cannot *change* our own
1816  * cipher -> so log the fact and push the "what we have now" cipher
1817  * (so the client is always told what we expect it to use)
1818  */
1820  {
1821  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1822  "server has already generated data channel keys, "
1823  "re-sending previously negotiated cipher '%s'",
1824  o->ciphername );
1825  return true;
1826  }
1827 
1828  /*
1829  * Push the first cipher from --data-ciphers to the client that
1830  * the client announces to be supporting.
1831  */
1832  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1834  &o->gc);
1835 
1836  if (push_cipher)
1837  {
1838  o->ciphername = push_cipher;
1839  return true;
1840  }
1841 
1842  /* NCP cipher negotiation failed. Try to figure out why exactly it
1843  * failed and give good error messages and potentially do a fallback
1844  * for non NCP clients */
1845  struct gc_arena gc = gc_new();
1846  bool ret = false;
1847 
1848  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1849  /* If we are in a situation where we know the client ciphers, there is no
1850  * reason to fall back to a cipher that will not be accepted by the other
1851  * side, in this situation we fail the auth*/
1852  if (strlen(peer_ciphers) > 0)
1853  {
1854  msg(M_INFO, "PUSH: No common cipher between server and client. "
1855  "Server data-ciphers: '%s', client supported ciphers '%s'",
1856  o->ncp_ciphers, peer_ciphers);
1857  }
1858  else if (tls_multi->remote_ciphername)
1859  {
1860  msg(M_INFO, "PUSH: No common cipher between server and client. "
1861  "Server data-ciphers: '%s', client supports cipher '%s'",
1863  }
1864  else
1865  {
1866  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1867 
1869  {
1870  msg(M_INFO, "Using data channel cipher '%s' since "
1871  "--data-ciphers-fallback is set.", o->ciphername);
1872  ret = true;
1873  }
1874  else
1875  {
1876  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1877  "client is using if you want to allow the client to connect");
1878  }
1879  }
1880  if (!ret)
1881  {
1882  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1883  "failed (no shared cipher)");
1884  }
1885 
1886  gc_free(&gc);
1887  return ret;
1888 }
1889 
1894 static void
1896 {
1898  if (!ccs->deferred_ret_file)
1899  {
1900  return;
1901  }
1902 
1903  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1905  {
1906  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1907  ccs->deferred_ret_file);
1908  }
1909  free(ccs->deferred_ret_file);
1910  ccs->deferred_ret_file = NULL;
1911 }
1912 
1920 static bool
1922 {
1924  struct gc_arena gc = gc_new();
1925  const char *fn;
1926 
1927  /* Delete file if it already exists */
1929 
1930  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1931  if (!fn)
1932  {
1933  gc_free(&gc);
1934  return false;
1935  }
1936  ccs->deferred_ret_file = string_alloc(fn, NULL);
1937 
1938  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1939  ccs->deferred_ret_file);
1940 
1941  gc_free(&gc);
1942  return true;
1943 }
1944 
1953 static enum client_connect_return
1955 {
1957  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1958  if (!fp)
1959  {
1960  return CC_RET_SKIPPED;
1961  }
1962 
1964  const int c = fgetc(fp);
1965  switch (c)
1966  {
1967  case '0':
1968  ret = CC_RET_FAILED;
1969  break;
1970 
1971  case '1':
1972  ret = CC_RET_SUCCEEDED;
1973  break;
1974 
1975  case '2':
1976  ret = CC_RET_DEFERRED;
1977  break;
1978 
1979  case EOF:
1980  if (feof(fp))
1981  {
1982  ret = CC_RET_SKIPPED;
1983  break;
1984  }
1985 
1986  /* Not EOF but other error -> fall through to error state */
1987  default:
1988  /* We received an unknown/unexpected value. Assume failure. */
1989  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
1990  "client-connect resultfile");
1991  ret = CC_RET_FAILED;
1992  }
1993  fclose(fp);
1994 
1995  return ret;
1996 }
1997 
2003 static void
2005 {
2007  if (ccs->config_file)
2008  {
2009  setenv_del(mi->context.c2.es, "client_connect_config_file");
2010  if (!platform_unlink(ccs->config_file))
2011  {
2012  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2013  ccs->config_file);
2014  }
2015  free(ccs->config_file);
2016  ccs->config_file = NULL;
2017  }
2018 }
2019 
2027 static bool
2029 {
2031  struct gc_arena gc = gc_new();
2032  const char *fn;
2033 
2034  if (ccs->config_file)
2035  {
2037  }
2038 
2039  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2040  if (!fn)
2041  {
2042  gc_free(&gc);
2043  return false;
2044  }
2045  ccs->config_file = string_alloc(fn, NULL);
2046 
2047  setenv_str(mi->context.c2.es, "client_connect_config_file",
2048  ccs->config_file);
2049 
2050  gc_free(&gc);
2051  return true;
2052 }
2053 
2054 static enum client_connect_return
2056  struct multi_instance *mi,
2057  bool deferred,
2058  unsigned int *option_types_found)
2059 {
2061 #ifdef ENABLE_PLUGIN
2062  ASSERT(m);
2063  ASSERT(mi);
2064  ASSERT(option_types_found);
2066 
2067  /* deprecated callback, use a file for passing back return info */
2069  {
2070  struct argv argv = argv_new();
2071  int call;
2072 
2073  if (!deferred)
2074  {
2076  if (!ccs_gen_config_file(mi)
2077  || !ccs_gen_deferred_ret_file(mi))
2078  {
2079  ret = CC_RET_FAILED;
2080  goto cleanup;
2081  }
2082  }
2083  else
2084  {
2086  /* the initial call should have created these files */
2087  ASSERT(ccs->config_file);
2088  ASSERT(ccs->deferred_ret_file);
2089  }
2090 
2091  argv_printf(&argv, "%s", ccs->config_file);
2092  int plug_ret = plugin_call(mi->context.plugins, call,
2093  &argv, NULL, mi->context.c2.es);
2094  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2095  {
2096  ret = CC_RET_SUCCEEDED;
2097  }
2098  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2099  {
2100  ret = CC_RET_DEFERRED;
2106  }
2107  else
2108  {
2109  msg(M_WARN, "WARNING: client-connect plugin call failed");
2110  ret = CC_RET_FAILED;
2111  }
2112 
2113 
2119  int file_ret = ccs_test_deferred_ret_file(mi);
2120 
2121  if (file_ret == CC_RET_FAILED)
2122  {
2123  ret = CC_RET_FAILED;
2124  }
2125  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2126  {
2127  ret = CC_RET_DEFERRED;
2128  }
2129 
2130  /* if we still think we have succeeded, do postprocessing */
2131  if (ret == CC_RET_SUCCEEDED)
2132  {
2134  option_types_found);
2135  }
2136 cleanup:
2137  argv_free(&argv);
2138 
2139  if (ret != CC_RET_DEFERRED)
2140  {
2143  }
2144  }
2145 #endif /* ifdef ENABLE_PLUGIN */
2146  return ret;
2147 }
2148 
2149 static enum client_connect_return
2151  struct multi_instance *mi,
2152  bool deferred,
2153  unsigned int *option_types_found)
2154 {
2156 #ifdef ENABLE_PLUGIN
2157  ASSERT(m);
2158  ASSERT(mi);
2159  ASSERT(option_types_found);
2160 
2161  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2163  /* V2 callback, use a plugin_return struct for passing back return info */
2164  if (plugin_defined(mi->context.plugins, call))
2165  {
2166  struct plugin_return pr;
2167 
2168  plugin_return_init(&pr);
2169 
2170  int plug_ret = plugin_call(mi->context.plugins, call,
2171  NULL, &pr, mi->context.c2.es);
2172  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2173  {
2174  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2175  ret = CC_RET_SUCCEEDED;
2176  }
2177  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2178  {
2179  ret = CC_RET_DEFERRED;
2180  if (!(plugin_defined(mi->context.plugins,
2182  {
2183  msg(M_WARN, "A plugin that defers from the "
2184  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2185  "declare support for "
2186  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2187  ret = CC_RET_FAILED;
2188  }
2189  }
2190  else
2191  {
2192  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2193  ret = CC_RET_FAILED;
2194  }
2195 
2196 
2197  plugin_return_free(&pr);
2198  }
2199 #endif /* ifdef ENABLE_PLUGIN */
2200  return ret;
2201 }
2202 
2203 static enum client_connect_return
2205  struct multi_instance *mi,
2206  unsigned int *option_types_found)
2207 {
2208  ASSERT(mi);
2209  ASSERT(option_types_found);
2212 
2213  ret = ccs_test_deferred_ret_file(mi);
2214 
2215  if (ret == CC_RET_SKIPPED)
2216  {
2217  /*
2218  * Skipped and deferred are equivalent in this context.
2219  * skipped means that the called program has not yet
2220  * written a return status implicitly needing more time
2221  * while deferred is the explicit notification that it
2222  * needs more time
2223  */
2224  ret = CC_RET_DEFERRED;
2225  }
2226 
2227  if (ret == CC_RET_SUCCEEDED)
2228  {
2233  }
2234  if (ret == CC_RET_FAILED)
2235  {
2236  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2239  }
2240  return ret;
2241 }
2242 
2246 static enum client_connect_return
2248  struct multi_instance *mi,
2249  bool deferred,
2250  unsigned int *option_types_found)
2251 {
2252  if (deferred)
2253  {
2255  }
2256  ASSERT(m);
2257  ASSERT(mi);
2258 
2261 
2263  {
2264  struct argv argv = argv_new();
2265  struct gc_arena gc = gc_new();
2266 
2267  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2268 
2269  if (!ccs_gen_config_file(mi)
2270  || !ccs_gen_deferred_ret_file(mi))
2271  {
2272  ret = CC_RET_FAILED;
2273  goto cleanup;
2274  }
2275 
2277  argv_printf_cat(&argv, "%s", ccs->config_file);
2278 
2279  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2280  {
2282  {
2283  ret = CC_RET_DEFERRED;
2284  }
2285  else
2286  {
2288  option_types_found);
2289  ret = CC_RET_SUCCEEDED;
2290  }
2291  }
2292  else
2293  {
2294  ret = CC_RET_FAILED;
2295  }
2296 cleanup:
2297  if (ret != CC_RET_DEFERRED)
2298  {
2301  }
2302  argv_free(&argv);
2303  gc_free(&gc);
2304  }
2305  return ret;
2306 }
2307 
2311 static bool
2313 {
2314  struct frame *frame_fragment = NULL;
2315 #ifdef ENABLE_FRAGMENT
2316  if (c->options.ce.fragment)
2317  {
2318  frame_fragment = &c->c2.frame_fragment;
2319  }
2320 #endif
2321  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2323  &c->c2.frame, frame_fragment,
2325  {
2326  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2327  register_signal(c, SIGUSR1, "process-push-msg-failed");
2328  return false;
2329  }
2330 
2331  return true;
2332 }
2333 
2334 static void
2336  struct multi_instance *mi,
2337  const unsigned int option_types_found)
2338 {
2339  ASSERT(m);
2340  ASSERT(mi);
2341 
2342  struct gc_arena gc = gc_new();
2343  /*
2344  * Process sourced options.
2345  */
2346  do_deferred_options(&mi->context, option_types_found);
2347 
2348  /*
2349  * make sure we got ifconfig settings from somewhere
2350  */
2351  if (!mi->context.c2.push_ifconfig_defined)
2352  {
2353  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2354  "--ifconfig address is available for %s",
2355  multi_instance_string(mi, false, &gc));
2356  }
2357 
2358  /*
2359  * make sure that ifconfig settings comply with constraints
2360  */
2362  {
2363  const char *ifconfig_constraint_network =
2365  const char *ifconfig_constraint_netmask =
2367 
2368  /* JYFIXME -- this should cause the connection to fail */
2369  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2370  "violates tunnel network/netmask constraint (%s/%s)",
2371  multi_instance_string(mi, false, &gc),
2373  ifconfig_constraint_network, ifconfig_constraint_netmask);
2374  }
2375 
2376  /*
2377  * For routed tunnels, set up internal route to endpoint
2378  * plus add all iroute routes.
2379  */
2381  {
2383  {
2384  multi_learn_in_addr_t(m, mi,
2386  -1, true);
2387  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2388  multi_instance_string(mi, false, &gc),
2390  }
2391 
2393  {
2394  multi_learn_in6_addr(m, mi,
2396  -1, true);
2397  /* TODO: find out where addresses are "unlearned"!! */
2398  const char *ifconfig_local_ipv6 =
2400  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2401  multi_instance_string(mi, false, &gc),
2402  ifconfig_local_ipv6);
2403  }
2404 
2405  /* add routes locally, pointing to new client, if
2406  * --iroute options have been specified */
2407  multi_add_iroutes(m, mi);
2408 
2409  /*
2410  * iroutes represent subnets which are "owned" by a particular
2411  * client. Therefore, do not actually push a route to a client
2412  * if it matches one of the client's iroutes.
2413  */
2415  }
2416  else if (mi->context.options.iroutes)
2417  {
2418  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2419  "only works with tun-style tunnels",
2420  multi_instance_string(mi, false, &gc));
2421  }
2422 
2423  /* set our client's VPN endpoint for status reporting purposes */
2426 
2427  /* set context-level authentication flag */
2429 
2430  /* authentication complete, calculate dynamic client specific options */
2432  {
2434  }
2435  /* Generate data channel keys only if setting protocol options
2436  * has not failed */
2437  else
2438  {
2439  if (dco_enabled(&mi->context.options))
2440  {
2441  int ret = dco_multi_add_new_peer(m, mi);
2442  if (ret < 0)
2443  {
2444  msg(D_DCO, "Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2446  }
2447 
2449  {
2450  int ret = dco_set_peer(&mi->context.c1.tuntap->dco,
2451  mi->context.c2.tls_multi->peer_id,
2454  mi->context.c2.frame.mss_fix);
2455  if (ret < 0)
2456  {
2457  msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s",
2458  mi->context.c2.tls_multi->peer_id, strerror(-ret));
2460  }
2461  }
2462  }
2463 
2465  {
2467  }
2468  }
2469 
2470  /* send push reply if ready */
2472  {
2474  }
2475 
2476  gc_free(&gc);
2477 }
2478 
2479 static void
2481  struct multi_instance *mi)
2482 {
2483  ASSERT(mi->context.c1.tuntap);
2484  /*
2485  * lock down the common name and cert hashes so they can't change
2486  * during future TLS renegotiations
2487  */
2490 
2491  /* generate a msg() prefix for this client instance */
2492  generate_prefix(mi);
2493 
2494  /* delete instances of previous clients with same common-name */
2495  if (!mi->context.options.duplicate_cn)
2496  {
2497  multi_delete_dup(m, mi);
2498  }
2499 
2500  /* reset pool handle to null */
2501  mi->vaddr_handle = -1;
2502 
2503  /* do --client-connect setenvs */
2505 
2507 }
2508 
2515 static enum client_connect_return
2517  struct multi_instance *mi,
2518  bool deferred,
2519  unsigned int *option_types_found)
2520 {
2521 #ifdef USE_COMP
2522  struct options *o = &mi->context.options;
2523  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2524 
2525  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2526  {
2527  if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2528  {
2529  push_option(o, "compress stub-v2", M_USAGE);
2530  }
2531  else
2532  {
2533  /* Client is old and does not support STUBv2 but since it
2534  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2535  * switch to that and push the uncompressed variant. */
2536  push_option(o, "comp-lzo no", M_USAGE);
2537  o->comp.alg = COMP_ALG_STUB;
2538  *option_types_found |= OPT_P_COMP;
2539  }
2540  }
2541 #endif
2542  return CC_RET_SUCCEEDED;
2543 }
2544 
2549 static enum client_connect_return
2551  struct multi_instance *mi,
2552  bool deferred,
2553  unsigned int *option_types_found)
2554 {
2555  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2556  * problem */
2557  ASSERT(!deferred);
2560  {
2561  struct gc_arena gc = gc_new();
2562  const char *ccd_file = NULL;
2563 
2564  const char *ccd_client =
2566  tls_common_name(mi->context.c2.tls_multi, false),
2567  &gc);
2568 
2569  const char *ccd_default =
2571  CCD_DEFAULT, &gc);
2572 
2573 
2574  /* try common-name file */
2575  if (platform_test_file(ccd_client))
2576  {
2577  ccd_file = ccd_client;
2578  }
2579  /* try default file */
2580  else if (platform_test_file(ccd_default))
2581  {
2582  ccd_file = ccd_default;
2583  }
2584 
2585  if (ccd_file)
2586  {
2588  ccd_file,
2591  option_types_found,
2592  mi->context.c2.es);
2593  /*
2594  * Select a virtual address from either --ifconfig-push in
2595  * --client-config-dir file or --ifconfig-pool.
2596  */
2598 
2600 
2601  ret = CC_RET_SUCCEEDED;
2602  }
2603  gc_free(&gc);
2604  }
2605  return ret;
2606 }
2607 
2609  (struct multi_context *m, struct multi_instance *mi,
2610  bool from_deferred, unsigned int *option_types_found);
2611 
2619  NULL,
2620 };
2621 
2622 /*
2623  * Called as soon as the SSL/TLS connection is authenticated.
2624  *
2625  * Will collect the client specific configuration from the different
2626  * sources like ccd files, connect plugins and management interface.
2627  *
2628  * This method starts with cas_context CAS_PENDING and will move the
2629  * state machine to either CAS_SUCCEEDED on success or
2630  * CAS_FAILED/CAS_PARTIAL on failure.
2631  *
2632  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2633  * include:
2634  *
2635  * iroute start-ip end-ip
2636  * ifconfig-push local remote-netmask
2637  * push
2638  *
2639  *
2640  */
2641 static void
2643 {
2644  /* We are only called for the CAS_PENDING_x states, so we
2645  * can ignore other states here */
2646  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2647 
2648  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2649  unsigned int *option_types_found =
2651 
2652  /* We are called for the first time */
2653  if (!from_deferred)
2654  {
2655  *cur_handler_index = 0;
2656  *option_types_found = 0;
2657  /* Initially we have no handler that has returned a result */
2659 
2661  }
2662 
2663  bool cc_succeeded = true;
2664 
2665  while (cc_succeeded
2666  && client_connect_handlers[*cur_handler_index] != NULL)
2667  {
2668  enum client_connect_return ret;
2669  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2670  option_types_found);
2671 
2672  from_deferred = false;
2673 
2674  switch (ret)
2675  {
2676  case CC_RET_SUCCEEDED:
2677  /*
2678  * Remember that we already had at least one handler
2679  * returning a result should we go to into deferred state
2680  */
2681  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2682  break;
2683 
2684  case CC_RET_SKIPPED:
2685  /*
2686  * Move on with the next handler without modifying any
2687  * other state
2688  */
2689  break;
2690 
2691  case CC_RET_DEFERRED:
2692  /*
2693  * we already set multi_status to DEFERRED_RESULT or
2694  * DEFERRED_NO_RESULT. We just return
2695  * from the function as having multi_status
2696  */
2697  return;
2698 
2699  case CC_RET_FAILED:
2700  /*
2701  * One handler failed. We abort the chain and set the final
2702  * result to failed
2703  */
2704  cc_succeeded = false;
2705  break;
2706 
2707  default:
2708  ASSERT(0);
2709  }
2710 
2711  /*
2712  * Check for "disable" directive in client-config-dir file
2713  * or config file generated by --client-connect script.
2714  */
2715  if (mi->context.options.disable)
2716  {
2717  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2718  "'disable' directive");
2719  cc_succeeded = false;
2720  }
2721 
2722  (*cur_handler_index)++;
2723  }
2724 
2725  /* Check if we have forbidding options in the current mode */
2726  if (dco_enabled(&mi->context.options)
2728  {
2729  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2730  cc_succeeded = false;
2731  }
2732 
2733  if (cc_succeeded)
2734  {
2735  multi_client_connect_late_setup(m, mi, *option_types_found);
2736  }
2737  else
2738  {
2739  /* run the disconnect script if we had a connect script that
2740  * did not fail */
2742  {
2744  }
2745 
2747  }
2748 
2749  /* increment number of current authenticated clients */
2750  ++m->n_clients;
2752  --mi->n_clients_delta;
2753 
2754 #ifdef ENABLE_MANAGEMENT
2755  if (management)
2756  {
2758  &mi->context.c2.mda_context, mi->context.c2.es);
2759  }
2760 #endif
2761 }
2762 
2763 #ifdef ENABLE_ASYNC_PUSH
2764 /*
2765  * Called when inotify event is fired, which happens when acf
2766  * or connect-status file is closed or deleted.
2767  * Continues authentication and sends push_reply
2768  * (or be deferred again by client-connect)
2769  */
2770 void
2771 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2772 {
2773  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2774  size_t buffer_i = 0;
2775  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2776 
2777  while (buffer_i < r)
2778  {
2779  /* parse inotify events */
2780  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2781  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2782  buffer_i += event_size;
2783 
2784  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2785 
2786  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2787 
2788  if (pevent->mask & IN_CLOSE_WRITE)
2789  {
2790  if (mi)
2791  {
2792  /* continue authentication, perform NCP negotiation and send push_reply */
2793  multi_process_post(m, mi, mpp_flags);
2794  }
2795  else
2796  {
2797  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2798  }
2799  }
2800  else if (pevent->mask & IN_IGNORED)
2801  {
2802  /* this event is _always_ fired when watch is removed or file is deleted */
2803  if (mi)
2804  {
2805  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2806  mi->inotify_watch = -1;
2807  }
2808  }
2809  else
2810  {
2811  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2812  }
2813  }
2814 }
2815 #endif /* ifdef ENABLE_ASYNC_PUSH */
2816 
2817 /*
2818  * Add a mbuf buffer to a particular
2819  * instance.
2820  */
2821 void
2823  struct multi_instance *mi,
2824  struct mbuf_buffer *mb)
2825 {
2826  if (multi_output_queue_ready(m, mi))
2827  {
2828  struct mbuf_item item;
2829  item.buffer = mb;
2830  item.instance = mi;
2831  mbuf_add_item(m->mbuf, &item);
2832  }
2833  else
2834  {
2835  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2836  }
2837 }
2838 
2839 /*
2840  * Add a packet to a client instance output queue.
2841  */
2842 static inline void
2844  const struct buffer *buf,
2845  struct multi_instance *mi)
2846 {
2847  struct mbuf_buffer *mb;
2848 
2849  if (BLEN(buf) > 0)
2850  {
2851  mb = mbuf_alloc_buf(buf);
2852  mb->flags = MF_UNICAST;
2853  multi_add_mbuf(m, mi, mb);
2854  mbuf_free_buf(mb);
2855  }
2856 }
2857 
2858 /*
2859  * Broadcast a packet to all clients.
2860  */
2861 static void
2863  const struct buffer *buf,
2864  const struct multi_instance *sender_instance,
2865  const struct mroute_addr *sender_addr,
2866  uint16_t vid)
2867 {
2868  struct hash_iterator hi;
2869  struct hash_element *he;
2870  struct multi_instance *mi;
2871  struct mbuf_buffer *mb;
2872 
2873  if (BLEN(buf) > 0)
2874  {
2876 #ifdef MULTI_DEBUG_EVENT_LOOP
2877  printf("BCAST len=%d\n", BLEN(buf));
2878 #endif
2879  mb = mbuf_alloc_buf(buf);
2880  hash_iterator_init(m->iter, &hi);
2881 
2882  while ((he = hash_iterator_next(&hi)))
2883  {
2884  mi = (struct multi_instance *) he->value;
2885  if (mi != sender_instance && !mi->halt)
2886  {
2887  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2888  {
2889  continue;
2890  }
2891  multi_add_mbuf(m, mi, mb);
2892  }
2893  }
2894 
2895  hash_iterator_free(&hi);
2896  mbuf_free_buf(mb);
2897  perf_pop();
2898  }
2899 }
2900 
2901 /*
2902  * Given a time delta, indicating that we wish to be
2903  * awoken by the scheduler at time now + delta, figure
2904  * a sigma parameter (in microseconds) that represents
2905  * a sort of fuzz factor around delta, so that we're
2906  * really telling the scheduler to wake us up any time
2907  * between now + delta - sigma and now + delta + sigma.
2908  *
2909  * The sigma parameter helps the scheduler to run more efficiently.
2910  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2911  */
2912 static inline unsigned int
2913 compute_wakeup_sigma(const struct timeval *delta)
2914 {
2915  if (delta->tv_sec < 1)
2916  {
2917  /* if < 1 sec, fuzz = # of microseconds / 8 */
2918  return delta->tv_usec >> 3;
2919  }
2920  else
2921  {
2922  /* if < 10 minutes, fuzz = 13.1% of timeout */
2923  if (delta->tv_sec < 600)
2924  {
2925  return delta->tv_sec << 17;
2926  }
2927  else
2928  {
2929  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2930  }
2931  }
2932 }
2933 
2934 static void
2936 {
2937  /* calculate an absolute wakeup time */
2938  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2939  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2940 
2941  /* tell scheduler to wake us up at some point in the future */
2943  (struct schedule_entry *) mi,
2944  &mi->wakeup,
2945  compute_wakeup_sigma(&mi->context.c2.timeval));
2946 }
2947 
2948 #if defined(ENABLE_ASYNC_PUSH)
2949 static void
2950 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2951  int inotify_fd, const char *file)
2952 {
2953  /* watch acf file */
2954  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2955  IN_CLOSE_WRITE | IN_ONESHOT);
2956  if (watch_descriptor >= 0)
2957  {
2958  if (mi->inotify_watch != -1)
2959  {
2960  hash_remove(m->inotify_watchers,
2961  (void *) (unsigned long)mi->inotify_watch);
2962  }
2963  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2964  mi, true);
2965  mi->inotify_watch = watch_descriptor;
2966  }
2967  else
2968  {
2969  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2970  }
2971 }
2972 #endif /* if defined(ENABLE_ASYNC_PUSH) */
2973 
2974 /*
2975  * Figure instance-specific timers, convert
2976  * earliest to absolute time in mi->wakeup,
2977  * call scheduler with our future wakeup time.
2978  *
2979  * Also close context on signal.
2980  */
2981 bool
2982 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2983 {
2984  bool ret = true;
2985 
2986  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2987  {
2988 #if defined(ENABLE_ASYNC_PUSH)
2989  bool was_unauthenticated = true;
2990  struct key_state *ks = NULL;
2991  if (mi->context.c2.tls_multi)
2992  {
2994  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2995  }
2996 #endif
2997 
2998  /* figure timeouts and fetch possible outgoing
2999  * to_link packets (such as ping or TLS control) */
3000  pre_select(&mi->context);
3001 
3002 #if defined(ENABLE_ASYNC_PUSH)
3003  /*
3004  * if we see the state transition from unauthenticated to deferred
3005  * and an auth_control_file, we assume it got just added and add
3006  * inotify watch to that file
3007  */
3008  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3009  && (ks->authenticated == KS_AUTH_DEFERRED))
3010  {
3011  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3013  }
3014  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3015  && (ks->authenticated == KS_AUTH_DEFERRED))
3016  {
3017  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3019  }
3020 #endif
3021 
3022  if (!IS_SIG(&mi->context))
3023  {
3024  /* connection is "established" when SSL/TLS key negotiation succeeds
3025  * and (if specified) auth user/pass succeeds */
3026 
3028  {
3030  }
3031 #if defined(ENABLE_ASYNC_PUSH)
3034  {
3035  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3037  deferred_ret_file);
3038  }
3039 #endif
3040  /* tell scheduler to wake us up at some point in the future */
3042  }
3043  }
3044 
3045  if (IS_SIG(&mi->context))
3046  {
3047  if (flags & MPP_CLOSE_ON_SIGNAL)
3048  {
3050  ret = false;
3051  }
3052  }
3053  else
3054  {
3055  /* continue to pend on output? */
3056  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3057 
3058 #ifdef MULTI_DEBUG_EVENT_LOOP
3059  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3060  id(mi),
3061  (int) (mi == m->pending),
3062  mi ? mi->context.c2.to_tun.len : -1,
3063  mi ? mi->context.c2.to_link.len : -1,
3064  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3065  (int64_t)mi->context.c2.timeval.tv_sec,
3066  (long)mi->context.c2.timeval.tv_usec);
3067 #endif
3068  }
3069 
3070  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3071  {
3072  *m->mpp_touched = mi;
3073  }
3074 
3075  return ret;
3076 }
3077 
3078 void
3080 {
3081  struct mroute_addr real;
3082  struct hash *hash = m->hash;
3083  struct gc_arena gc = gc_new();
3084 
3085  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3086  {
3087  goto done;
3088  }
3089 
3090  const uint32_t hv = hash_value(hash, &real);
3091  struct hash_bucket *bucket = hash_bucket(hash, hv);
3092 
3093  /* make sure that we don't float to an address taken by another client */
3094  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3095  if (he)
3096  {
3097  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3098 
3099  struct tls_multi *m1 = mi->context.c2.tls_multi;
3100  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3101 
3102  /* do not float if target address is taken by client with another cert */
3103  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3104  {
3105  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3106  multi_instance_string(ex_mi, false, &gc));
3107 
3108  mi->context.c2.buf.len = 0;
3109 
3110  goto done;
3111  }
3112 
3113  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3114  multi_close_instance(m, ex_mi, false);
3115  }
3116 
3117  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3118  mi->context.c2.tls_multi->peer_id,
3119  tls_common_name(mi->context.c2.tls_multi, false),
3120  mroute_addr_print(&mi->real, &gc),
3122 
3123  /* remove old address from hash table before changing address */
3124  ASSERT(hash_remove(m->hash, &mi->real));
3125  ASSERT(hash_remove(m->iter, &mi->real));
3126 
3127  /* change external network address of the remote peer */
3128  mi->real = real;
3129  generate_prefix(mi);
3130 
3131  mi->context.c2.from = m->top.c2.from;
3132  mi->context.c2.to_link_addr = &mi->context.c2.from;
3133 
3134  /* inherit parent link_socket and link_socket_info */
3137 
3139 
3140  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3141  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3142 
3143 #ifdef ENABLE_MANAGEMENT
3144  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3145 #endif
3146 
3147 done:
3148  gc_free(&gc);
3149 }
3150 
3151 /*
3152  * Called when an instance should be closed due to the
3153  * reception of a soft signal.
3154  */
3155 void
3157 {
3158  remap_signal(&mi->context);
3159  set_prefix(mi);
3160  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3161  clear_prefix();
3162  multi_close_instance(m, mi, false);
3163 }
3164 
3165 #if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
3166 static void
3167 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3168 {
3169  mi->context.sig->signal_received = sig;
3171 }
3172 #endif
3173 
3174 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
3175 static void
3176 process_incoming_dco_packet(struct multi_context *m, struct multi_instance *mi,
3177  dco_context_t *dco)
3178 {
3179  if (BLEN(&dco->dco_packet_in) < 1)
3180  {
3181  msg(D_DCO, "Received too short packet for peer %d",
3182  dco->dco_message_peer_id);
3183  goto done;
3184  }
3185 
3186  uint8_t *ptr = BPTR(&dco->dco_packet_in);
3187  uint8_t op = ptr[0] >> P_OPCODE_SHIFT;
3188  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3189  {
3190  msg(D_DCO, "DCO: received data channel packet for peer %d",
3191  dco->dco_message_peer_id);
3192  goto done;
3193  }
3194 
3195  struct buffer orig_buf = mi->context.c2.buf;
3196  mi->context.c2.buf = dco->dco_packet_in;
3197 
3198  multi_process_incoming_link(m, mi, 0);
3199 
3200  mi->context.c2.buf = orig_buf;
3201 
3202 done:
3203  buf_init(&dco->dco_packet_in, 0);
3204 }
3205 
3206 static void
3207 process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
3208  dco_context_t *dco)
3209 {
3210  const char *reason = "ovpn-dco: unknown reason";
3211  switch (dco->dco_del_peer_reason)
3212  {
3214  reason = "ovpn-dco: ping expired";
3215  break;
3216 
3218  reason = "ovpn-dco: transport error";
3219  break;
3220 
3222  /* This very likely ourselves but might be another process, so
3223  * still process it */
3224  reason = "ovpn-dco: userspace request";
3225  break;
3226  }
3227 
3228  /* When kernel already deleted the peer, the socket is no longer
3229  * installed and we don't need to cleanup the state in the kernel */
3230  mi->context.c2.tls_multi->dco_peer_added = false;
3231  mi->context.sig->signal_text = reason;
3233 }
3234 
3235 bool
3237 {
3238  dco_context_t *dco = &m->top.c1.tuntap->dco;
3239 
3240  struct multi_instance *mi = NULL;
3241 
3242  int ret = dco_do_read(&m->top.c1.tuntap->dco);
3243 
3244  int peer_id = dco->dco_message_peer_id;
3245 
3246  if ((peer_id >= 0) && (peer_id < m->max_clients) && (m->instances[peer_id]))
3247  {
3248  mi = m->instances[peer_id];
3249  if (dco->dco_message_type == OVPN_CMD_PACKET)
3250  {
3251  process_incoming_dco_packet(m, mi, dco);
3252  }
3253  else if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3254  {
3255  process_incoming_del_peer(m, mi, dco);
3256  }
3257  }
3258  else
3259  {
3260  msg(D_DCO, "Received packet for peer-id unknown to OpenVPN: %d", peer_id);
3261  }
3262 
3263  dco->dco_message_type = 0;
3264  dco->dco_message_peer_id = -1;
3265  return ret > 0;
3266 }
3267 #endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */
3268 
3269 /*
3270  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3271  * i.e. client -> server direction.
3272  */
3273 bool
3274 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3275 {
3276  struct gc_arena gc = gc_new();
3277 
3278  struct context *c;
3279  struct mroute_addr src, dest;
3280  unsigned int mroute_flags;
3281  struct multi_instance *mi;
3282  bool ret = true;
3283  bool floated = false;
3284 
3285  if (m->pending)
3286  {
3287  return true;
3288  }
3289 
3290  if (!instance)
3291  {
3292 #ifdef MULTI_DEBUG_EVENT_LOOP
3293  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3294 #endif
3296  }
3297  else
3298  {
3299  multi_set_pending(m, instance);
3300  }
3301 
3302  if (m->pending)
3303  {
3304  set_prefix(m->pending);
3305 
3306  /* get instance context */
3307  c = &m->pending->context;
3308 
3309  if (!instance)
3310  {
3311  /* transfer packet pointer from top-level context buffer to instance */
3312  c->c2.buf = m->top.c2.buf;
3313 
3314  /* transfer from-addr from top-level context buffer to instance */
3315  if (!floated)
3316  {
3317  c->c2.from = m->top.c2.from;
3318  }
3319  }
3320 
3321  if (BLEN(&c->c2.buf) > 0)
3322  {
3323  struct link_socket_info *lsi;
3324  const uint8_t *orig_buf;
3325 
3326  /* decrypt in instance context */
3327 
3329  lsi = get_link_socket_info(c);
3330  orig_buf = c->c2.buf.data;
3331  if (process_incoming_link_part1(c, lsi, floated))
3332  {
3333  /* nonzero length means that we have a valid, decrypted packed */
3334  if (floated && c->c2.buf.len > 0)
3335  {
3337  }
3338 
3339  process_incoming_link_part2(c, lsi, orig_buf);
3340  }
3341  perf_pop();
3342 
3343  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3344  {
3345  /* extract packet source and dest addresses */
3346  mroute_flags = mroute_extract_addr_from_packet(&src,
3347  &dest,
3348  0,
3349  &c->c2.to_tun,
3350  DEV_TYPE_TUN);
3351 
3352  /* drop packet if extract failed */
3353  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3354  {
3355  c->c2.to_tun.len = 0;
3356  }
3357  /* make sure that source address is associated with this client */
3358  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3359  {
3360  /* IPv6 link-local address (fe80::xxx)? */
3361  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3362  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3363  {
3364  /* do nothing, for now. TODO: add address learning */
3365  }
3366  else
3367  {
3368  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3369  mroute_addr_print(&src, &gc));
3370  }
3371  c->c2.to_tun.len = 0;
3372  }
3373  /* client-to-client communication enabled? */
3374  else if (m->enable_c2c)
3375  {
3376  /* multicast? */
3377  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3378  {
3379  /* for now, treat multicast as broadcast */
3380  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3381  }
3382  else /* possible client to client routing */
3383  {
3384  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3385  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3386 
3387  /* if dest addr is a known client, route to it */
3388  if (mi)
3389  {
3390  {
3391  multi_unicast(m, &c->c2.to_tun, mi);
3392  register_activity(c, BLEN(&c->c2.to_tun));
3393  }
3394  c->c2.to_tun.len = 0;
3395  }
3396  }
3397  }
3398  }
3399  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3400  {
3401  uint16_t vid = 0;
3402 
3403  if (m->top.options.vlan_tagging)
3404  {
3405  if (vlan_is_tagged(&c->c2.to_tun))
3406  {
3407  /* Drop VLAN-tagged frame. */
3408  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3409  c->c2.to_tun.len = 0;
3410  }
3411  else
3412  {
3413  vid = c->options.vlan_pvid;
3414  }
3415  }
3416  /* extract packet source and dest addresses */
3417  mroute_flags = mroute_extract_addr_from_packet(&src,
3418  &dest,
3419  vid,
3420  &c->c2.to_tun,
3421  DEV_TYPE_TAP);
3422 
3423  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3424  {
3425  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3426  {
3427  /* check for broadcast */
3428  if (m->enable_c2c)
3429  {
3430  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3431  {
3432  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3433  vid);
3434  }
3435  else /* try client-to-client routing */
3436  {
3437  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3438 
3439  /* if dest addr is a known client, route to it */
3440  if (mi)
3441  {
3442  multi_unicast(m, &c->c2.to_tun, mi);
3443  register_activity(c, BLEN(&c->c2.to_tun));
3444  c->c2.to_tun.len = 0;
3445  }
3446  }
3447  }
3448  }
3449  else
3450  {
3451  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3452  mroute_addr_print(&src, &gc));
3453  c->c2.to_tun.len = 0;
3454  }
3455  }
3456  else
3457  {
3458  c->c2.to_tun.len = 0;
3459  }
3460  }
3461  }
3462 
3463  /* postprocess and set wakeup */
3464  ret = multi_process_post(m, m->pending, mpp_flags);
3465 
3466  clear_prefix();
3467  }
3468 
3469  gc_free(&gc);
3470  return ret;
3471 }
3472 
3473 /*
3474  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3475  * i.e. server -> client direction.
3476  */
3477 bool
3478 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3479 {
3480  struct gc_arena gc = gc_new();
3481  bool ret = true;
3482 
3483  if (BLEN(&m->top.c2.buf) > 0)
3484  {
3485  unsigned int mroute_flags;
3486  struct mroute_addr src, dest;
3487  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3488  int16_t vid = 0;
3489 
3490 
3491 #ifdef MULTI_DEBUG_EVENT_LOOP
3492  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3493 #endif
3494 
3495  if (m->pending)
3496  {
3497  return true;
3498  }
3499 
3500  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3501  {
3502  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3503  if (vid < 0)
3504  {
3505  return false;
3506  }
3507  }
3508 
3509  /*
3510  * Route an incoming tun/tap packet to
3511  * the appropriate multi_instance object.
3512  */
3513 
3514  mroute_flags = mroute_extract_addr_from_packet(&src,
3515  &dest,
3516  vid,
3517  &m->top.c2.buf,
3518  dev_type);
3519 
3520  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3521  {
3522  struct context *c;
3523 
3524  /* broadcast or multicast dest addr? */
3525  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3526  {
3527  /* for now, treat multicast as broadcast */
3528  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3529  }
3530  else
3531  {
3533 
3534  if (m->pending)
3535  {
3536  /* get instance context */
3537  c = &m->pending->context;
3538 
3539  set_prefix(m->pending);
3540 
3541  {
3542  if (multi_output_queue_ready(m, m->pending))
3543  {
3544  /* transfer packet pointer from top-level context buffer to instance */
3545  c->c2.buf = m->top.c2.buf;
3546  }
3547  else
3548  {
3549  /* drop packet */
3550  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3551  buf_reset_len(&c->c2.buf);
3552  }
3553  }
3554 
3555  /* encrypt in instance context */
3557 
3558  /* postprocess and set wakeup */
3559  ret = multi_process_post(m, m->pending, mpp_flags);
3560 
3561  clear_prefix();
3562  }
3563  }
3564  }
3565  }
3566  gc_free(&gc);
3567  return ret;
3568 }
3569 
3570 /*
3571  * Process a possible client-to-client/bcast/mcast message in the
3572  * queue.
3573  */
3574 struct multi_instance *
3576 {
3577  struct mbuf_item item;
3578 
3579  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3580  {
3581  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3582 
3583  set_prefix(item.instance);
3584  item.instance->context.c2.buf = item.buffer->buf;
3585  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3586  {
3587  pip_flags |= PIP_MSSFIX;
3588  }
3589  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3590  encrypt_sign(&item.instance->context, true);
3591  mbuf_free_buf(item.buffer);
3592 
3593  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3594 
3595  clear_prefix();
3596  return item.instance;
3597  }
3598  else
3599  {
3600  return NULL;
3601  }
3602 }
3603 
3604 /*
3605  * Called when an I/O wait times out. Usually means that a particular
3606  * client instance object needs timer-based service.
3607  */
3608 bool
3609 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3610 {
3611  bool ret = true;
3612 
3613 #ifdef MULTI_DEBUG_EVENT_LOOP
3614  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3615 #endif
3616 
3617  /* instance marked for wakeup? */
3618  if (m->earliest_wakeup)
3619  {
3621  {
3624  }
3625  else
3626  {
3628  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3629  clear_prefix();
3630  }
3631  m->earliest_wakeup = NULL;
3632  }
3633  return ret;
3634 }
3635 
3636 /*
3637  * Drop a TUN/TAP outgoing packet..
3638  */
3639 void
3640 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3641 {
3642  struct multi_instance *mi = m->pending;
3643 
3644  ASSERT(mi);
3645 
3646  set_prefix(mi);
3647 
3648  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3649  mi->context.c2.to_tun.len);
3650 
3651  buf_reset(&mi->context.c2.to_tun);
3652 
3653  multi_process_post(m, mi, mpp_flags);
3654  clear_prefix();
3655 }
3656 
3657 /*
3658  * Per-client route quota management
3659  */
3660 
3661 void
3663 {
3664  struct gc_arena gc = gc_new();
3665  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3667  multi_instance_string(mi, false, &gc));
3668  gc_free(&gc);
3669 }
3670 
3671 #ifdef ENABLE_DEBUG
3672 /*
3673  * Flood clients with random packets
3674  */
3675 static void
3676 gremlin_flood_clients(struct multi_context *m)
3677 {
3678  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3679  if (level)
3680  {
3681  struct gc_arena gc = gc_new();
3682  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3683  struct packet_flood_parms parm = get_packet_flood_parms(level);
3684  int i;
3685 
3686  ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3687  parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3688 
3689  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3690  parm.n_packets,
3691  parm.packet_size);
3692 
3693  for (i = 0; i < parm.packet_size; ++i)
3694  {
3695  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3696  }
3697 
3698  for (i = 0; i < parm.n_packets; ++i)
3699  {
3700  multi_bcast(m, &buf, NULL, NULL, 0);
3701  }
3702 
3703  gc_free(&gc);
3704  }
3705 }
3706 #endif /* ifdef ENABLE_DEBUG */
3707 
3708 static bool
3710 {
3711  struct timeval null;
3712  CLEAR(null);
3714 }
3715 
3716 /*
3717  * Process timers in the top-level context
3718  */
3719 void
3721 {
3722  /* possibly reap instances/routes in vhash */
3723  multi_reap_process(m);
3724 
3725  /* possibly print to status log */
3726  if (m->top.c1.status_output)
3727  {
3729  {
3731  }
3732  }
3733 
3734  /* possibly flush ifconfig-pool file */
3735  multi_ifconfig_pool_persist(m, false);
3736 
3737 #ifdef ENABLE_DEBUG
3738  gremlin_flood_clients(m);
3739 #endif
3740 
3741  /* Should we check for stale routes? */
3743  {
3744  check_stale_routes(m);
3745  }
3746 }
3747 
3748 void
3749 multi_top_init(struct multi_context *m, struct context *top)
3750 {
3751  inherit_context_top(&m->top, top);
3752  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3753 }
3754 
3755 void
3757 {
3758  close_context(&m->top, -1, CC_GC_FREE);
3760 }
3761 
3762 static bool
3764 {
3765  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3766 }
3767 
3768 static void
3770 {
3771  struct hash_iterator hi;
3772  struct hash_element *he;
3773  struct timeval tv;
3774 
3775  /* tell all clients to restart */
3776  hash_iterator_init(m->iter, &hi);
3777  while ((he = hash_iterator_next(&hi)))
3778  {
3779  struct multi_instance *mi = (struct multi_instance *) he->value;
3780  if (!mi->halt)
3781  {
3782  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3784  }
3785  }
3786  hash_iterator_free(&hi);
3787 
3788  /* reschedule signal */
3790  tv.tv_sec = 2;
3791  tv.tv_usec = 0;
3793 
3795 
3800 
3801  m->top.sig->signal_received = 0;
3802 }
3803 
3804 /*
3805  * Return true if event loop should break,
3806  * false if it should continue.
3807  */
3808 bool
3810 {
3811  if (m->top.sig->signal_received == SIGUSR2)
3812  {
3813  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3815  status_close(so);
3816  m->top.sig->signal_received = 0;
3817  return false;
3818  }
3819  else if (proto_is_dgram(m->top.options.ce.proto)
3823  {
3825  return false;
3826  }
3827  return true;
3828 }
3829 
3830 /*
3831  * Management subsystem callbacks
3832  */
3833 #ifdef ENABLE_MANAGEMENT
3834 
3835 static void
3836 management_callback_status(void *arg, const int version, struct status_output *so)
3837 {
3838  struct multi_context *m = (struct multi_context *) arg;
3839 
3840  if (!version)
3841  {
3843  }
3844  else
3845  {
3846  multi_print_status(m, so, version);
3847  }
3848 }
3849 
3850 static int
3852 {
3853  struct multi_context *m = (struct multi_context *) arg;
3854  return m->n_clients;
3855 }
3856 
3857 static int
3858 management_callback_kill_by_cn(void *arg, const char *del_cn)
3859 {
3860  struct multi_context *m = (struct multi_context *) arg;
3861  struct hash_iterator hi;
3862  struct hash_element *he;
3863  int count = 0;
3864 
3865  hash_iterator_init(m->iter, &hi);
3866  while ((he = hash_iterator_next(&hi)))
3867  {
3868  struct multi_instance *mi = (struct multi_instance *) he->value;
3869  if (!mi->halt)
3870  {
3871  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3872  if (cn && !strcmp(cn, del_cn))
3873  {
3875  ++count;
3876  }
3877  }
3878  }
3879  hash_iterator_free(&hi);
3880  return count;
3881 }
3882 
3883 static int
3884 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3885 {
3886  struct multi_context *m = (struct multi_context *) arg;
3887  struct hash_iterator hi;
3888  struct hash_element *he;
3889  struct openvpn_sockaddr saddr;
3890  struct mroute_addr maddr;
3891  int count = 0;
3892 
3893  CLEAR(saddr);
3894  saddr.addr.in4.sin_family = AF_INET;
3895  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3896  saddr.addr.in4.sin_port = htons(port);
3897  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3898  {
3899  hash_iterator_init(m->iter, &hi);
3900  while ((he = hash_iterator_next(&hi)))
3901  {
3902  struct multi_instance *mi = (struct multi_instance *) he->value;
3903  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3904  {
3906  ++count;
3907  }
3908  }
3909  hash_iterator_free(&hi);
3910  }
3911  return count;
3912 }
3913 
3914 static void
3916 {
3917  struct multi_context *m = (struct multi_context *) arg;
3918  if (m->mtcp)
3919  {
3920  multi_tcp_delete_event(m->mtcp, event);
3921  }
3922 }
3923 
3924 static struct multi_instance *
3925 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3926 {
3927  if (m)
3928  {
3929  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3930  if (mi && !mi->halt)
3931  {
3932  return mi;
3933  }
3934  }
3935  return NULL;
3936 }
3937 
3938 static bool
3939 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3940 {
3941  struct multi_context *m = (struct multi_context *) arg;
3942  struct multi_instance *mi = lookup_by_cid(m, cid);
3943  if (mi)
3944  {
3945  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3947  return true;
3948  }
3949  else
3950  {
3951  return false;
3952  }
3953 }
3954 
3955 static bool
3957  const unsigned long cid,
3958  const char *extra,
3959  unsigned int timeout)
3960 {
3961  struct multi_context *m = (struct multi_context *) arg;
3962  struct multi_instance *mi = lookup_by_cid(m, cid);
3963  if (mi)
3964  {
3965  /* sends INFO_PRE and AUTH_PENDING messages to client */
3966  bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra,
3967  timeout);
3970  return ret;
3971  }
3972  return false;
3973 }
3974 
3975 
3976 static bool
3978  const unsigned long cid,
3979  const unsigned int mda_key_id,
3980  const bool auth,
3981  const char *reason,
3982  const char *client_reason,
3983  struct buffer_list *cc_config) /* ownership transferred */
3984 {
3985  struct multi_context *m = (struct multi_context *) arg;
3986  struct multi_instance *mi = lookup_by_cid(m, cid);
3987  bool cc_config_owned = true;
3988  bool ret = false;
3989 
3990  if (mi)
3991  {
3992  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3993  if (ret)
3994  {
3995  if (auth)
3996  {
3998  {
3999  set_cc_config(mi, cc_config);
4000  cc_config_owned = false;
4001  }
4002  }
4003  else if (reason)
4004  {
4005  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
4006  }
4007  }
4008  }
4009  if (cc_config_owned && cc_config)
4010  {
4012  }
4013  return ret;
4014 }
4015 
4016 static char *
4017 management_get_peer_info(void *arg, const unsigned long cid)
4018 {
4019  struct multi_context *m = (struct multi_context *) arg;
4020  struct multi_instance *mi = lookup_by_cid(m, cid);
4021  char *ret = NULL;
4022 
4023  if (mi)
4024  {
4025  ret = mi->context.c2.tls_multi->peer_info;
4026  }
4027 
4028  return ret;
4029 }
4030 
4031 #endif /* ifdef ENABLE_MANAGEMENT */
4032 
4033 
4034 void
4036 {
4037 #ifdef ENABLE_MANAGEMENT
4038  if (management)
4039  {
4040  struct management_callback cb;
4041  CLEAR(cb);
4042  cb.arg = m;
4043  cb.flags = MCF_SERVER;
4055  }
4056 #endif /* ifdef ENABLE_MANAGEMENT */
4057 }
4058 
4059 void
4061 {
4062  /* max_clients must be less then max peer-id value */
4064 
4065  for (int i = 0; i < m->max_clients; ++i)
4066  {
4067  if (!m->instances[i])
4068  {
4069  mi->context.c2.tls_multi->peer_id = i;
4070  m->instances[i] = mi;
4071  break;
4072  }
4073  }
4074 
4075  /* should not really end up here, since multi_create_instance returns null
4076  * if amount of clients exceeds max_clients */
4078 }
4079 
4080 
4081 /*
4082  * Top level event loop.
4083  */
4084 void
4086 {
4087  ASSERT(top->options.mode == MODE_SERVER);
4088 
4089  if (proto_is_dgram(top->options.ce.proto))
4090  {
4091  tunnel_server_udp(top);
4092  }
4093  else
4094  {
4095  tunnel_server_tcp(top);
4096  }
4097 }
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:473
multi_reap::buckets_per_pass
int buckets_per_pass
Definition: multi.h:53
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2340
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2055
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition: perf.h:48
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:546
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1252
multi_context::n_clients
int n_clients
Definition: multi.h:180
options::vlan_tagging
bool vlan_tagging
Definition: options.h:687
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:113
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: openvpn-plugin.h:126
P_DATA_V2
#define P_DATA_V2
Definition: ssl_pkt.h:48
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:246
signal_info::signal_received
volatile int signal_received
Definition: sig.h:45
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
status_trigger
bool status_trigger(struct status_output *so)
Definition: status.c:135
iroute
Definition: route.h:234
multi_instance::halt
bool halt
Definition: multi.h:105
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2516
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition: openvpn-plugin.h:125
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition: ssl_common.h:550
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
frame::mss_fix
unsigned int mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
M_INFO
#define M_INFO
Definition: errlevel.h:55
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
SIGUSR2
#define SIGUSR2
Definition: config-msvc.h:81
options::use_peer_id
bool use_peer_id
Definition: options.h:678
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3925
multi_context::route_helper
struct mroute_helper * route_helper
Definition: multi.h:173
M_OPTERR
#define M_OPTERR
Definition: error.h:106
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition: multi.h:288
options::client_connect_script
const char * client_connect_script
Definition: options.h:486
CC_RET_FAILED
@ CC_RET_FAILED
Definition: multi.h:217
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:458
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:494
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:552
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:287
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition: multi.h:202
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:998
run_command.h
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:174
M_ERRNO
#define M_ERRNO
Definition: error.h:100
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:78
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1058
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:143
context_2::to_link
struct buffer to_link
Definition: openvpn.h:378
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:324
multi_context::reaper
struct multi_reap * reaper
Definition: multi.h:174
forward.h
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition: multi.h:123
plugin_return
Definition: plugin.h:101
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition: openvpn-plugin.h:130
signal_info::signal_text
const char * signal_text
Definition: sig.h:47
gremlin.h
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3709
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition: multi.h:218
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5443
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: multi.c:3956
context_2::buf
struct buffer buf
Definition: openvpn.h:376
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition: multi.h:178
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:232
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:518
hash_iterator
Definition: list.h:90
tunnel_server_udp
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:445
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
options::enable_c2c
bool enable_c2c
Definition: options.h:510
options::duplicate_cn
bool duplicate_cn
Definition: options.h:511
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1628
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:424
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:178
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:669
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:437
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:271
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1710
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:196
context
Contains all state information for one tunnel.
Definition: openvpn.h:474
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:489
hash
Definition: list.h:58
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:656
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:106
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition: multi.h:62
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1413
options::topology
int topology
Definition: options.h:305
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:157
mbuf_set
Definition: mbuf.h:56
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:166
options::dev_type
const char * dev_type
Definition: options.h:302
get_random
long int get_random(void)
Definition: crypto.c:1634
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:113
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:436
multi_instance::gc
struct gc_arena gc
Definition: multi.h:104
options::iroutes
struct iroute * iroutes
Definition: options.h:495
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:535
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:503
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3575
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
multi_instance::wakeup
struct timeval wakeup
Definition: multi.h:112
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
context_2::es
struct env_set * es
Definition: openvpn.h:421
config-msvc.h
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2150
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:238
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:429
vlan.h
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1089
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:693
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:285
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:85
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:431
options::mode
int mode
Definition: options.h:247
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2913
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1743
hash_element::value
void * value
Definition: list.h:47
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition: ssl_common.h:549
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:696
pre_select
void pre_select(struct context *c)
Definition: forward.c:1921
frame::buf
struct frame::@5 buf
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:144
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:506
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:94
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:223
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1545
dmsg
#define dmsg(flags,...)
Definition: error.h:154
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1212
options::ce
struct connection_entry ce
Definition: options.h:275
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:75
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
openvpn_sockaddr
Definition: socket.h:65
iroute::netbits
int netbits
Definition: route.h:236
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition: socket.h:399
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:493
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:368
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3156
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:480
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2843
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1572
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3445
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition: multi.h:87
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:164
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:39
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:248
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:151
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:79
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:156
multi_context::schedule
struct schedule * schedule
Definition: multi.h:165
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:363
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1921
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
client_connect_defer_state
Detached client connection state.
Definition: multi.h:69
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:387
frame
Packet geometry parameters.
Definition: mtu.h:98
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
multi_route::addr
struct mroute_addr addr
Definition: multi.h:228
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:571
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition: ovpn_dco_linux.h:87
multi_route::last_reference
time_t last_reference
Definition: multi.h:236
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:546
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:295
multi_reap::last_call
time_t last_call
Definition: multi.h:54
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:552
mroute_helper::net_len
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3662
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4001
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:247
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3720
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2862
multi_context::enable_c2c
bool enable_c2c
Definition: multi.h:176
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:548
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1704
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:428
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:269
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition: ssl_common.h:548
multi_route::instance
struct multi_instance * instance
Definition: multi.h:229
setenv_stats
static void setenv_stats(struct context *c)
Definition: multi.c:541
iroute::next
struct iroute * next
Definition: route.h:237
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3167
np
static const char * np(const char *str)
Definition: multi-auth.c:146
multi_context::max_clients
int max_clients
Definition: multi.h:177
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:172
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition: pool.h:37
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:573
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2247
CLEAR
#define CLEAR(x)
Definition: basic.h:33
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:82
multi_context::cid_counter
unsigned long cid_counter
Definition: multi.h:184
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:593
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:169
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:209
clear_prefix
static void clear_prefix(void)
Definition: multi.h:547
iroute::network
in_addr_t network
Definition: route.h:235
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:482
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:515
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:542
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:438
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:849
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:526
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:514
options::max_clients
int max_clients
Definition: options.h:514
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:662
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4077
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:155
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:651
ssl_verify.h
options::dev
const char * dev
Definition: options.h:301
ASSERT
#define ASSERT(x)
Definition: error.h:201
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition: ssl_common.h:547
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:445
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:188
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2915
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
read
@ read
Definition: interactive.c:214
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:665
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:178
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1089
D_DCO
#define D_DCO
Definition: errlevel.h:94
multi_init
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:293
multi_instance::cc_config
struct buffer_list * cc_config
Definition: multi.h:130
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:193
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:91
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3939
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition: openvpn.h:493
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:226
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:333
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:139
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:551
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2609
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:229
multi_context::status_file_version
int status_file_version
Definition: multi.h:179
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2642
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
BLEN
#define BLEN(buf)
Definition: buffer.h:127
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:239
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4060
status_reset
void status_reset(struct status_output *so)
Definition: status.c:150
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:309
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:554
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:505
tunnel_server_tcp
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:809
multi_context::local
struct mroute_addr local
Definition: multi.h:175
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2897
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:286
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:294
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1028
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1895
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:697
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3609
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:256
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4085
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:698
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:590
ANY_OUT
#define ANY_OUT(c)
Definition: forward.h:40
hash_element::key
const void * key
Definition: list.h:48
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:494
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2312
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:506
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:173
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1090
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1005
multi_context::cid_hash
struct hash * cid_hash
Definition: multi.h:183
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:51
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:363
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3769
M_WARN
#define M_WARN
Definition: error.h:97
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
plugin_return::n
int n
Definition: plugin.h:103
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:497
perf_pop
static void perf_pop(void)
Definition: perf.h:82
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:476
MF_UNICAST
#define MF_UNICAST
Definition: mbuf.h:46
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
D_GREMLIN
#define D_GREMLIN
Definition: errlevel.h:78
mroute_addr::port
in_port_t port
Definition: mroute.h:89
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:476
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition: multi.h:189
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2375
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:501
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
D_MULTI_LOW
#define D_MULTI_LOW
Definition: errlevel.h:86
options
Definition: options.h:236
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:433
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2935
options::gc
struct gc_arena gc
Definition: options.h:238
throw_signal
void throw_signal(const int signum)
Definition: sig.c:104
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:716
mroute_helper::cache_generation
unsigned int cache_generation
Definition: mroute.h:132
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5463
multi.h
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:208
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:158
pool_type
pool_type
Definition: pool.h:35
dco_context_t
void * dco_context_t
Definition: dco.h:237
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition: multi.h:124
status_output
Definition: status.h:48
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
mbuf_item::instance
struct multi_instance * instance
Definition: mbuf.h:53
management_callback::arg
void * arg
Definition: manage.h:154
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:485
multi_instance::did_cid_hash
bool did_cid_hash
Definition: multi.h:129
multi_reap
Definition: multi.h:50
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:476
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1432
multi_context::pending
struct multi_instance * pending
Definition: multi.h:187
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:437
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:254
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:507
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:215
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2982
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition: ovpn_dco_linux.h:85
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:737
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:516
mbuf_buffer::buf
struct buffer buf
Definition: mbuf.h:43
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:334
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:266
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:160
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:624
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1773
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:740
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:61
argv::gc
struct gc_arena gc
Definition: argv.h:36
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition: multi.h:188
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:180
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition: pool.h:38
dco_set_peer
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition: dco_win.c:272
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1133
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:508
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:235
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition: multi.h:115
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:293
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1268
multi_route::flags
unsigned int flags
Definition: multi.h:233
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2895
options::status_file_version
int status_file_version
Definition: options.h:388
mbuf_item
Definition: mbuf.h:50
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:116
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:156
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:493
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:690
mroute_addr::vid
uint16_t vid
Definition: mroute.h:85
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:86
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1383
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:344
REAP_MAX
#define REAP_MAX
Definition: multi.h:567
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:460
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:397
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
context_2::frame
struct frame frame
Definition: openvpn.h:248
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:237
mroute_addr
Definition: mroute.h:75
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2335
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:554
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3478
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2886
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
SIGTERM
#define SIGTERM
Definition: config-msvc.h:82
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:176
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:67
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4572
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
schedule_entry
Definition: schedule.h:44
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:172
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3858
options::client_config_dir
const char * client_config_dir
Definition: options.h:490
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:80
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:501
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:378
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
mbuf_buffer
Definition: mbuf.h:41
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:587
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:689
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition: multi.c:1954
mbuf_buffer::flags
unsigned int flags
Definition: mbuf.h:47
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:308
route
@ route
Definition: interactive.c:90
multi_route
Definition: multi.h:226
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2204
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
env_set
Definition: env_set.h:42
multi_instance::did_iter
bool did_iter
Definition: multi.h:127
status_flush
void status_flush(struct status_output *so)
Definition: status.c:159
register_signal
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:474
tls_multi::dco_peer_added
bool dco_peer_added
Definition: ssl_common.h:664
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:256
multi_tcp_free
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:227
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:263
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3037
plugin_list
Definition: plugin.h:94
multi_context
Main OpenVPN server state structure.
Definition: multi.h:154
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4650
counter_format
#define counter_format
Definition: common.h:31
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3470
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4035
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:899
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3749
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:292
dco.h
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:44
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:226
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:648
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:990
SIGINT
#define SIGINT
Definition: config-msvc.h:79
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2612
hash_free
void hash_free(struct hash *hash)
Definition: list.c:65
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
SIGHUP
#define SIGHUP
Definition: config-msvc.h:78
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:599
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:475
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:3977
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:404
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:250
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition: multi.h:72
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3915
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:215
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition: errlevel.h:102
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:480
tuntap::local
in_addr_t local
Definition: tun.h:185
schedule_init
struct schedule * schedule_init(void)
Definition: schedule.c:414
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:454
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:45
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:377
IS_SIG
#define IS_SIG(c)
Definition: sig.h:50
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:162
multi_tcp_init
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:199
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:473
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition: openvpn-plugin.h:124
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:511
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:257
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition: multi.h:75
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:253
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:78
otime.h
tuntap::dco
dco_context_t dco
Definition: tun.h:230
is_exit_restart
static bool is_exit_restart(int sig)
Definition: multi.c:3763
iroute_ipv6
Definition: route.h:240
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:4017
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3640
OVPN_CMD_PACKET
@ OVPN_CMD_PACKET
@OVPN_CMD_PACKET: Send a packet from userspace to kernelspace.
Definition: ovpn_dco_linux.h:59
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:835
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:432
REAP_DIVISOR
#define REAP_DIVISOR
Definition: multi.h:565
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2814
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:499
management
Definition: manage.h:311
mroute_helper
Definition: mroute.h:131
hash_element
Definition: list.h:45
min_int
static int min_int(int x, int y)
Definition: integer.h:82
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1040
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1006
mroute_addr::type
uint8_t type
Definition: mroute.h:78
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition: multi.h:220
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1660
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2004
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:371
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:186
REAP_MIN
#define REAP_MIN
Definition: multi.h:566
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:209
multi_route::cache_generation
unsigned int cache_generation
Definition: multi.h:235
options::cf_per
int cf_per
Definition: options.h:513
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3884
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2480
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition: mroute.h:70
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:145
rw_handle
Definition: win32.h:76
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1774
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:482
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:464
hash_bucket
Definition: list.h:53
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:501
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:515
multi_reap::bucket_base
int bucket_base
Definition: multi.h:52
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1033
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition: multi.h:231
now
time_t now
Definition: otime.c:36
multi_instance::did_iroutes
bool did_iroutes
Definition: multi.h:132
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:108
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:561
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:148
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:180
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition: ssl_common.h:551
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:474
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:11
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2822
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
ssl_ncp.h
connection_entry::fragment
int fragment
Definition: options.h:134
context_2::from
struct link_socket_actual from
Definition: openvpn.h:245
time_string
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:110
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition: multi.h:492
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:192
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1183
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3274
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition: ssl_common.h:650
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:647
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:137
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition: mbuf.h:52
connection_entry::proto
int proto
Definition: options.h:101
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:163
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2632
multi_context::mtcp
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:169
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:481
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:388
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2910
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
options::real_hash_size
int real_hash_size
Definition: options.h:484
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:487
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:332
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:517
hash_n_buckets
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
session
Definition: keyingmaterialexporter.c:56
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:918
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:435
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:922
options::tmp_dir
const char * tmp_dir
Definition: options.h:451
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:323
options::cf_max
int cf_max
Definition: options.h:512
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:496
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:95
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:154
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:392
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition: multi.h:219
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:500
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:502
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:255
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3836
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition: multi.c:3851
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:171
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:498
memdbg.h
options::learn_address_script
const char * learn_address_script
Definition: options.h:488
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:41
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
process_incoming_tun
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1351
management_callback
Definition: manage.h:152
options::ciphername
const char * ciphername
Definition: options.h:551
multi_top_free
void multi_top_free(struct multi_context *m)
Definition: multi.c:3756
update_mstat_n_clients
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:83
mroute_addr::v6
struct mroute_addr::@0::@3 v6
title_string
const char title_string[]
Definition: options.c:69
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:359
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:2028
buffer_list
Definition: buffer.h:1093
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:193
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:148
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:218
M_USAGE
#define M_USAGE
Definition: error.h:112
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:267
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:600
OPENVPN_PLUGIN_CLIENT_CONNECT
#define OPENVPN_PLUGIN_CLIENT_CONNECT
Definition: openvpn-plugin.h:123
msg
#define msg(flags,...)
Definition: error.h:150
multi_process_float
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3079
P_DATA_V1
#define P_DATA_V1
Definition: ssl_pkt.h:47
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition: ssl.h:100
PIPV6_IMCP_NOHOST_SERVER
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:300
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition: dco.h:338