OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #ifdef HAVE_SYS_INOTIFY_H
29 #include <sys/inotify.h>
30 #define INOTIFY_EVENT_BUFFER_SIZE 16384
31 #endif
32 
33 #include "syshead.h"
34 
35 #include "forward.h"
36 #include "multi.h"
37 #include "push.h"
38 #include "run_command.h"
39 #include "otime.h"
40 #include "gremlin.h"
41 #include "mstats.h"
42 #include "ssl_verify.h"
43 #include "ssl_ncp.h"
44 #include "vlan.h"
45 #include <inttypes.h>
46 
47 #include "memdbg.h"
48 
49 
50 #include "crypto_backend.h"
51 #include "ssl_util.h"
52 #include "dco.h"
53 #include "reflect_filter.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef ENABLE_MANAGEMENT
73 static void
74 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
75 {
76  buffer_list_free(mi->cc_config);
77  mi->cc_config = cc_config;
78 }
79 #endif
80 
81 static inline void
82 update_mstat_n_clients(const int n_clients)
83 {
84 #ifdef ENABLE_MEMSTATS
85  if (mmap_stats)
86  {
87  mmap_stats->n_clients = n_clients;
88  }
89 #endif
90 }
91 
92 static bool
93 learn_address_script(const struct multi_context *m,
94  const struct multi_instance *mi,
95  const char *op,
96  const struct mroute_addr *addr)
97 {
98  struct gc_arena gc = gc_new();
99  struct env_set *es;
100  bool ret = true;
101  struct plugin_list *plugins;
102 
103  /* get environmental variable source */
104  if (mi && mi->context.c2.es)
105  {
106  es = mi->context.c2.es;
107  }
108  else
109  {
110  es = env_set_create(&gc);
111  }
112 
113  /* get plugin source */
114  if (mi)
115  {
116  plugins = mi->context.plugins;
117  }
118  else
119  {
120  plugins = m->top.plugins;
121  }
122 
123  if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
124  {
125  struct argv argv = argv_new();
126  argv_printf(&argv, "%s %s",
127  op,
128  mroute_addr_print(addr, &gc));
129  if (mi)
130  {
131  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
132  }
133  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
134  {
135  msg(M_WARN, "WARNING: learn-address plugin call failed");
136  ret = false;
137  }
138  argv_free(&argv);
139  }
140 
141  if (m->top.options.learn_address_script)
142  {
143  struct argv argv = argv_new();
144  setenv_str(es, "script_type", "learn-address");
145  argv_parse_cmd(&argv, m->top.options.learn_address_script);
146  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
147  if (mi)
148  {
149  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
150  }
151  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
152  {
153  ret = false;
154  }
155  argv_free(&argv);
156  }
157 
158  gc_free(&gc);
159  return ret;
160 }
161 
162 void
163 multi_ifconfig_pool_persist(struct multi_context *m, bool force)
164 {
165  /* write pool data to file */
166  if (m->ifconfig_pool
167  && m->top.c1.ifconfig_pool_persist
168  && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
169  {
170  ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
171  }
172 }
173 
174 static void
175 multi_reap_range(const struct multi_context *m,
176  int start_bucket,
177  int end_bucket)
178 {
179  struct gc_arena gc = gc_new();
180  struct hash_iterator hi;
181  struct hash_element *he;
182 
183  if (start_bucket < 0)
184  {
185  start_bucket = 0;
186  end_bucket = hash_n_buckets(m->vhash);
187  }
188 
189  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
190  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
191  while ((he = hash_iterator_next(&hi)) != NULL)
192  {
193  struct multi_route *r = (struct multi_route *) he->value;
194  if (!multi_route_defined(m, r))
195  {
196  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
197  mroute_addr_print(&r->addr, &gc));
198  learn_address_script(m, NULL, "delete", &r->addr);
199  multi_route_del(r);
200  hash_iterator_delete_element(&hi);
201  }
202  }
203  hash_iterator_free(&hi);
204  gc_free(&gc);
205 }
206 
207 static void
208 multi_reap_all(const struct multi_context *m)
209 {
210  multi_reap_range(m, -1, 0);
211 }
212 
213 static struct multi_reap *
214 multi_reap_new(int buckets_per_pass)
215 {
216  struct multi_reap *mr;
217  ALLOC_OBJ(mr, struct multi_reap);
218  mr->bucket_base = 0;
219  mr->buckets_per_pass = buckets_per_pass;
220  mr->last_call = now;
221  return mr;
222 }
223 
224 void
225 multi_reap_process_dowork(const struct multi_context *m)
226 {
227  struct multi_reap *mr = m->reaper;
228  if (mr->bucket_base >= hash_n_buckets(m->vhash))
229  {
230  mr->bucket_base = 0;
231  }
232  multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
233  mr->bucket_base += mr->buckets_per_pass;
234  mr->last_call = now;
235 }
236 
237 static void
238 multi_reap_free(struct multi_reap *mr)
239 {
240  free(mr);
241 }
242 
243 /*
244  * How many buckets in vhash to reap per pass.
245  */
246 static int
247 reap_buckets_per_pass(int n_buckets)
248 {
249  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
250 }
251 
252 #ifdef ENABLE_MANAGEMENT
253 
254 static uint32_t
255 cid_hash_function(const void *key, uint32_t iv)
256 {
257  const unsigned long *k = (const unsigned long *)key;
258  return (uint32_t) *k;
259 }
260 
261 static bool
262 cid_compare_function(const void *key1, const void *key2)
263 {
264  const unsigned long *k1 = (const unsigned long *)key1;
265  const unsigned long *k2 = (const unsigned long *)key2;
266  return *k1 == *k2;
267 }
268 
269 #endif
270 
271 #ifdef ENABLE_ASYNC_PUSH
272 static uint32_t
273 /*
274  * inotify watcher descriptors are used as hash value
275  */
276 int_hash_function(const void *key, uint32_t iv)
277 {
278  return (unsigned long)key;
279 }
280 
281 static bool
282 int_compare_function(const void *key1, const void *key2)
283 {
284  return (unsigned long)key1 == (unsigned long)key2;
285 }
286 #endif
287 
288 /*
289  * Main initialization function, init multi_context object.
290  */
291 void
292 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
293 {
294  int dev = DEV_TYPE_UNDEF;
295 
296  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
297  t->options.real_hash_size,
298  t->options.virtual_hash_size);
299 
300  /*
301  * Get tun/tap/null device type
302  */
303  dev = dev_type_enum(t->options.dev, t->options.dev_type);
304 
305  /*
306  * Init our multi_context object.
307  */
308  CLEAR(*m);
309 
310  /*
311  * Real address hash table (source port number is
312  * considered to be part of the address). Used
313  * to determine which client sent an incoming packet
314  * which is seen on the TCP/UDP socket.
315  */
316  m->hash = hash_init(t->options.real_hash_size,
317  get_random(),
318  mroute_addr_hash_function,
319  mroute_addr_compare_function);
320 
321  /*
322  * Virtual address hash table. Used to determine
323  * which client to route a packet to.
324  */
325  m->vhash = hash_init(t->options.virtual_hash_size,
326  get_random(),
327  mroute_addr_hash_function,
328  mroute_addr_compare_function);
329 
330  /*
331  * This hash table is a clone of m->hash but with a
332  * bucket size of one so that it can be used
333  * for fast iteration through the list.
334  */
335  m->iter = hash_init(1,
336  get_random(),
337  mroute_addr_hash_function,
338  mroute_addr_compare_function);
339 
340 #ifdef ENABLE_MANAGEMENT
341  m->cid_hash = hash_init(t->options.real_hash_size,
342  0,
343  cid_hash_function,
344  cid_compare_function);
345 #endif
346 
347 #ifdef ENABLE_ASYNC_PUSH
348  /*
349  * Mapping between inotify watch descriptors and
350  * multi_instances.
351  */
352  m->inotify_watchers = hash_init(t->options.real_hash_size,
353  get_random(),
354  int_hash_function,
355  int_compare_function);
356 #endif
357 
358  /*
359  * This is our scheduler, for time-based wakeup
360  * events.
361  */
362  m->schedule = schedule_init();
363 
364  /*
365  * Limit frequency of incoming connections to control
366  * DoS.
367  */
368  m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
369  t->options.cf_per);
370  m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
371  t->options.cf_initial_per);
372 
373  /*
374  * Allocate broadcast/multicast buffer list
375  */
376  m->mbuf = mbuf_init(t->options.n_bcast_buf);
377 
378  /*
379  * Different status file format options are available
380  */
381  m->status_file_version = t->options.status_file_version;
382 
383  /*
384  * Possibly allocate an ifconfig pool, do it
385  * differently based on whether a tun or tap style
386  * tunnel.
387  */
388  if (t->options.ifconfig_pool_defined
389  || t->options.ifconfig_ipv6_pool_defined)
390  {
391  int pool_type = IFCONFIG_POOL_INDIV;
392 
393  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
394  {
395  pool_type = IFCONFIG_POOL_30NET;
396  }
397 
398  m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
399  pool_type,
400  t->options.ifconfig_pool_start,
401  t->options.ifconfig_pool_end,
402  t->options.duplicate_cn,
403  t->options.ifconfig_ipv6_pool_defined,
404  t->options.ifconfig_ipv6_pool_base,
405  t->options.ifconfig_ipv6_pool_netbits );
406 
407  /* reload pool data from file */
408  if (t->c1.ifconfig_pool_persist)
409  {
410  ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
411  }
412  }
413 
414  /*
415  * Help us keep track of routing table.
416  */
417  m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
418 
419  /*
420  * Initialize route and instance reaper.
421  */
422  m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
423 
424  /*
425  * Get local ifconfig address
426  */
427  CLEAR(m->local);
428  ASSERT(t->c1.tuntap);
429  mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
430 
431  /*
432  * Per-client limits
433  */
434  m->max_clients = t->options.max_clients;
435 
436  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
437 
438  /*
439  * Initialize multi-socket TCP I/O wait object
440  */
441  if (tcp_mode)
442  {
443  m->mtcp = multi_tcp_init(t->options.max_clients, &m->max_clients);
444  }
445  m->tcp_queue_limit = t->options.tcp_queue_limit;
446 
447  /*
448  * Allow client <-> client communication, without going through
449  * tun/tap interface and network stack?
450  */
451  m->enable_c2c = t->options.enable_c2c;
452 
453  /* initialize stale routes check timer */
454  if (t->options.stale_routes_check_interval > 0)
455  {
456  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
457  t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
458  event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
459  }
460 
461  m->deferred_shutdown_signal.signal_received = 0;
462 }
463 
464 const char *
465 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
466 {
467  if (mi)
468  {
469  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
470  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
471 
472  if (cn)
473  {
474  buf_printf(&out, "%s/", cn);
475  }
476  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
477  if (mi->context.c2.tls_multi
478  && check_debug_level(D_DCO_DEBUG)
479  && dco_enabled(&mi->context.options))
480  {
481  buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
482  }
483  return BSTR(&out);
484  }
485  else if (null)
486  {
487  return NULL;
488  }
489  else
490  {
491  return "UNDEF";
492  }
493 }
494 
495 static void
496 generate_prefix(struct multi_instance *mi)
497 {
498  struct gc_arena gc = gc_new();
499  const char *prefix = multi_instance_string(mi, true, &gc);
500  if (prefix)
501  {
502  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
503  }
504  else
505  {
506  mi->msg_prefix[0] = '\0';
507  }
508  set_prefix(mi);
509  gc_free(&gc);
510 }
511 
512 void
513 ungenerate_prefix(struct multi_instance *mi)
514 {
515  mi->msg_prefix[0] = '\0';
516  set_prefix(mi);
517 }
518 
519 /*
520  * Tell the route helper about deleted iroutes so
521  * that it can update its mask of currently used
522  * CIDR netlengths.
523  */
524 static void
525 multi_del_iroutes(struct multi_context *m,
526  struct multi_instance *mi)
527 {
528  const struct iroute *ir;
529  const struct iroute_ipv6 *ir6;
530 
531  dco_delete_iroutes(m, mi);
532 
533  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
534  {
535  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
536  {
537  mroute_helper_del_iroute46(m->route_helper, ir->netbits);
538  }
539 
540  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
541  {
542  mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
543  }
544  }
545 }
546 
547 static void
548 setenv_stats(struct multi_context *m, struct context *c)
549 {
550  if (dco_enabled(&m->top.options))
551  {
552  dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
553  }
554 
555  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
556  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
557 }
558 
559 static void
560 multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
561 {
562  /* setenv client real IP address */
563  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
564 
565  /* setenv stats */
566  setenv_stats(m, &mi->context);
567 
568  /* setenv connection duration */
569  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
570 }
571 
572 static void
573 multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
574 {
575  multi_client_disconnect_setenv(m, mi);
576 
577  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
578  {
579  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
580  {
581  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
582  }
583  }
584 
585  if (mi->context.options.client_disconnect_script)
586  {
587  struct argv argv = argv_new();
588  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
589  argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
590  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
591  argv_free(&argv);
592  }
593 #ifdef ENABLE_MANAGEMENT
594  if (management)
595  {
596  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
597  }
598 #endif
599 }
600 
601 void
602 multi_close_instance(struct multi_context *m,
603  struct multi_instance *mi,
604  bool shutdown)
605 {
606  perf_push(PERF_MULTI_CLOSE_INSTANCE);
607 
608  ASSERT(!mi->halt);
609  mi->halt = true;
610 
611  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
612 
613  /* adjust current client connection count */
614  m->n_clients += mi->n_clients_delta;
615  update_mstat_n_clients(m->n_clients);
616  mi->n_clients_delta = 0;
617 
618  /* prevent dangling pointers */
619  if (m->pending == mi)
620  {
621  multi_set_pending(m, NULL);
622  }
623  if (m->earliest_wakeup == mi)
624  {
625  m->earliest_wakeup = NULL;
626  }
627 
628  if (!shutdown)
629  {
630  if (mi->did_real_hash)
631  {
632  ASSERT(hash_remove(m->hash, &mi->real));
633  }
634  if (mi->did_iter)
635  {
636  ASSERT(hash_remove(m->iter, &mi->real));
637  }
638 #ifdef ENABLE_MANAGEMENT
639  if (mi->did_cid_hash)
640  {
641  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
642  }
643 #endif
644 
645 #ifdef ENABLE_ASYNC_PUSH
646  if (mi->inotify_watch != -1)
647  {
648  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
649  mi->inotify_watch = -1;
650  }
651 #endif
652 
653  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
654  {
655  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
656  }
657 
658  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
659 
660  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
661 
662  if (mi->did_iroutes)
663  {
664  multi_del_iroutes(m, mi);
665  mi->did_iroutes = false;
666  }
667 
668  if (m->mtcp)
669  {
670  multi_tcp_dereference_instance(m->mtcp, mi);
671  }
672 
673  mbuf_dereference_instance(m->mbuf, mi);
674  }
675 
676 #ifdef ENABLE_MANAGEMENT
677  set_cc_config(mi, NULL);
678 #endif
679 
680  if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
681  {
682  multi_client_disconnect_script(m, mi);
683  }
684 
685  close_context(&mi->context, SIGTERM, CC_GC_FREE);
686 
687  multi_tcp_instance_specific_free(mi);
688 
689  ungenerate_prefix(mi);
690 
691  /*
692  * Don't actually delete the instance memory allocation yet,
693  * because virtual routes may still point to it. Let the
694  * vhash reaper deal with it.
695  */
696  multi_instance_dec_refcount(mi);
697 
698  perf_pop();
699 }
700 
701 /*
702  * Called on shutdown or restart.
703  */
704 void
705 multi_uninit(struct multi_context *m)
706 {
707  if (m->hash)
708  {
709  struct hash_iterator hi;
710  struct hash_element *he;
711 
712  hash_iterator_init(m->iter, &hi);
713  while ((he = hash_iterator_next(&hi)))
714  {
715  struct multi_instance *mi = (struct multi_instance *) he->value;
716  mi->did_iter = false;
717  multi_close_instance(m, mi, true);
718  }
719  hash_iterator_free(&hi);
720 
721  multi_reap_all(m);
722 
723  hash_free(m->hash);
724  hash_free(m->vhash);
725  hash_free(m->iter);
726 #ifdef ENABLE_MANAGEMENT
727  hash_free(m->cid_hash);
728 #endif
729  m->hash = NULL;
730 
731  free(m->instances);
732 
733 #ifdef ENABLE_ASYNC_PUSH
734  hash_free(m->inotify_watchers);
735  m->inotify_watchers = NULL;
736 #endif
737 
738  schedule_free(m->schedule);
739  mbuf_free(m->mbuf);
740  ifconfig_pool_free(m->ifconfig_pool);
741  frequency_limit_free(m->new_connection_limiter);
742  initial_rate_limit_free(m->initial_rate_limiter);
743  multi_reap_free(m->reaper);
744  mroute_helper_free(m->route_helper);
745  multi_tcp_free(m->mtcp);
746  }
747 }
748 
749 /*
750  * Create a client instance object for a newly connected client.
751  */
752 struct multi_instance *
753 multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
754 {
755  struct gc_arena gc = gc_new();
756  struct multi_instance *mi;
757 
758  perf_push(PERF_MULTI_CREATE_INSTANCE);
759 
760  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
761 
762  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
763 
764  mi->gc = gc_new();
765  multi_instance_inc_refcount(mi);
766  mi->vaddr_handle = -1;
767  mi->created = now;
768  mroute_addr_init(&mi->real);
769 
770  if (real)
771  {
772  mi->real = *real;
773  generate_prefix(mi);
774  }
775 
776  inherit_context_child(&mi->context, &m->top);
777  if (IS_SIG(&mi->context))
778  {
779  goto err;
780  }
781 
782  mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
783 
784  if (hash_n_elements(m->hash) >= m->max_clients)
785  {
786  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
787  goto err;
788  }
789 
790  if (!real) /* TCP mode? */
791  {
792  if (!multi_tcp_instance_specific_init(m, mi))
793  {
794  goto err;
795  }
796  generate_prefix(mi);
797  }
798 
799  if (!hash_add(m->iter, &mi->real, mi, false))
800  {
801  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
802  mroute_addr_print(&mi->real, &gc));
803  goto err;
804  }
805  mi->did_iter = true;
806 
807 #ifdef ENABLE_MANAGEMENT
808  do
809  {
810  mi->context.c2.mda_context.cid = m->cid_counter++;
811  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
812  mi->did_cid_hash = true;
813 #endif
814 
815  mi->context.c2.push_request_received = false;
816 #ifdef ENABLE_ASYNC_PUSH
817  mi->inotify_watch = -1;
818 #endif
819 
820  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
821  {
822  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
823  goto err;
824  }
825 
826  perf_pop();
827  gc_free(&gc);
828  return mi;
829 
830 err:
831  multi_close_instance(m, mi, false);
832  perf_pop();
833  gc_free(&gc);
834  return NULL;
835 }
836 
837 /*
838  * Dump tables -- triggered by SIGUSR2.
839  * If status file is defined, write to file.
840  * If status file is NULL, write to syslog.
841  */
842 void
843 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
844 {
845  if (m->hash)
846  {
847  struct gc_arena gc_top = gc_new();
848  struct hash_iterator hi;
849  const struct hash_element *he;
850 
851  status_reset(so);
852 
853  if (dco_enabled(&m->top.options))
854  {
855  dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
856  }
857 
858  if (version == 1)
859  {
860  /*
861  * Status file version 1
862  */
863  status_printf(so, "OpenVPN CLIENT LIST");
864  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
865  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
866  hash_iterator_init(m->hash, &hi);
867  while ((he = hash_iterator_next(&hi)))
868  {
869  struct gc_arena gc = gc_new();
870  const struct multi_instance *mi = (struct multi_instance *) he->value;
871 
872  if (!mi->halt)
873  {
874  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
875  tls_common_name(mi->context.c2.tls_multi, false),
876  mroute_addr_print(&mi->real, &gc),
877  mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
878  mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
879  time_string(mi->created, 0, false, &gc));
880  }
881  gc_free(&gc);
882  }
883  hash_iterator_free(&hi);
884 
885  status_printf(so, "ROUTING TABLE");
886  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
887  hash_iterator_init(m->vhash, &hi);
888  while ((he = hash_iterator_next(&hi)))
889  {
890  struct gc_arena gc = gc_new();
891  const struct multi_route *route = (struct multi_route *) he->value;
892 
893  if (multi_route_defined(m, route))
894  {
895  const struct multi_instance *mi = route->instance;
896  const struct mroute_addr *ma = &route->addr;
897  char flags[2] = {0, 0};
898 
899  if (route->flags & MULTI_ROUTE_CACHE)
900  {
901  flags[0] = 'C';
902  }
903  status_printf(so, "%s%s,%s,%s,%s",
904  mroute_addr_print(ma, &gc),
905  flags,
906  tls_common_name(mi->context.c2.tls_multi, false),
907  mroute_addr_print(&mi->real, &gc),
908  time_string(route->last_reference, 0, false, &gc));
909  }
910  gc_free(&gc);
911  }
912  hash_iterator_free(&hi);
913 
914  status_printf(so, "GLOBAL STATS");
915  if (m->mbuf)
916  {
917  status_printf(so, "Max bcast/mcast queue length,%d",
918  mbuf_maximum_queued(m->mbuf));
919  }
920 
921  status_printf(so, "END");
922  }
923  else if (version == 2 || version == 3)
924  {
925  const char sep = (version == 3) ? '\t' : ',';
926 
927  /*
928  * Status file version 2 and 3
929  */
930  status_printf(so, "TITLE%c%s", sep, title_string);
931  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
932  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
933  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
934  hash_iterator_init(m->hash, &hi);
935  while ((he = hash_iterator_next(&hi)))
936  {
937  struct gc_arena gc = gc_new();
938  const struct multi_instance *mi = (struct multi_instance *) he->value;
939 
940  if (!mi->halt)
941  {
942  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
943 #ifdef ENABLE_MANAGEMENT
944  "%lu"
945 #else
946  ""
947 #endif
948  "%c%" PRIu32 "%c%s",
949  sep, tls_common_name(mi->context.c2.tls_multi, false),
950  sep, mroute_addr_print(&mi->real, &gc),
951  sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
952  sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
953  sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
954  sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
955  sep, time_string(mi->created, 0, false, &gc),
956  sep, (unsigned int)mi->created,
957  sep, tls_username(mi->context.c2.tls_multi, false),
958 #ifdef ENABLE_MANAGEMENT
959  sep, mi->context.c2.mda_context.cid,
960 #else
961  sep,
962 #endif
963  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
964  sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
965  }
966  gc_free(&gc);
967  }
968  hash_iterator_free(&hi);
969 
970  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
971  sep, sep, sep, sep, sep, sep);
972  hash_iterator_init(m->vhash, &hi);
973  while ((he = hash_iterator_next(&hi)))
974  {
975  struct gc_arena gc = gc_new();
976  const struct multi_route *route = (struct multi_route *) he->value;
977 
978  if (multi_route_defined(m, route))
979  {
980  const struct multi_instance *mi = route->instance;
981  const struct mroute_addr *ma = &route->addr;
982  char flags[2] = {0, 0};
983 
984  if (route->flags & MULTI_ROUTE_CACHE)
985  {
986  flags[0] = 'C';
987  }
988  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
989  sep, mroute_addr_print(ma, &gc), flags,
990  sep, tls_common_name(mi->context.c2.tls_multi, false),
991  sep, mroute_addr_print(&mi->real, &gc),
992  sep, time_string(route->last_reference, 0, false, &gc),
993  sep, (unsigned int)route->last_reference);
994  }
995  gc_free(&gc);
996  }
997  hash_iterator_free(&hi);
998 
999  if (m->mbuf)
1000  {
1001  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1002  sep, sep, mbuf_maximum_queued(m->mbuf));
1003  }
1004 
1005  status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
1006  status_printf(so, "END");
1007  }
1008  else
1009  {
1010  status_printf(so, "ERROR: bad status format version number");
1011  }
1012 
1013 #ifdef PACKET_TRUNCATION_CHECK
1014  {
1015  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1016  hash_iterator_init(m->hash, &hi);
1017  while ((he = hash_iterator_next(&hi)))
1018  {
1019  struct gc_arena gc = gc_new();
1020  const struct multi_instance *mi = (struct multi_instance *) he->value;
1021 
1022  if (!mi->halt)
1023  {
1024  status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
1025  tls_common_name(mi->context.c2.tls_multi, false),
1026  m->top.c2.n_trunc_tun_read,
1027  mi->context.c2.n_trunc_tun_write,
1028  mi->context.c2.n_trunc_pre_encrypt,
1029  mi->context.c2.n_trunc_post_decrypt);
1030  }
1031  gc_free(&gc);
1032  }
1033  hash_iterator_free(&hi);
1034  }
1035 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1036 
1037  status_flush(so);
1038  gc_free(&gc_top);
1039  }
1040 
1041 #ifdef ENABLE_ASYNC_PUSH
1042  if (m->inotify_watchers)
1043  {
1044  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1045  }
1046 #endif
1047 }
1048 
1049 /*
1050  * Learn a virtual address or route.
1051  * The learn will fail if the learn address
1052  * script/plugin fails. In this case the
1053  * return value may be != mi.
1054  * Return the instance which owns this route,
1055  * or NULL if none.
1056  */
1057 static struct multi_instance *
1058 multi_learn_addr(struct multi_context *m,
1059  struct multi_instance *mi,
1060  const struct mroute_addr *addr,
1061  const unsigned int flags)
1062 {
1063  struct hash_element *he;
1064  const uint32_t hv = hash_value(m->vhash, addr);
1065  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1066  struct multi_route *oldroute = NULL;
1067  struct multi_instance *owner = NULL;
1068  struct gc_arena gc = gc_new();
1069 
1070  /* if route currently exists, get the instance which owns it */
1071  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1072  if (he)
1073  {
1074  oldroute = (struct multi_route *) he->value;
1075  }
1076  if (oldroute && multi_route_defined(m, oldroute))
1077  {
1078  owner = oldroute->instance;
1079  }
1080 
1081  /* do we need to add address to hash table? */
1082  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1083  && !mroute_addr_equal(addr, &m->local))
1084  {
1085  struct multi_route *newroute;
1086  bool learn_succeeded = false;
1087 
1088  ALLOC_OBJ(newroute, struct multi_route);
1089  newroute->addr = *addr;
1090  newroute->instance = mi;
1091  newroute->flags = flags;
1092  newroute->last_reference = now;
1093  newroute->cache_generation = 0;
1094 
1095  /* The cache is invalidated when cache_generation is incremented */
1096  if (flags & MULTI_ROUTE_CACHE)
1097  {
1098  newroute->cache_generation = m->route_helper->cache_generation;
1099  }
1100 
1101  if (oldroute) /* route already exists? */
1102  {
1103  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1104  {
1105  learn_succeeded = true;
1106  owner = mi;
1107  multi_instance_inc_refcount(mi);
1108  route_quota_inc(mi);
1109 
1110  /* delete old route */
1111  multi_route_del(oldroute);
1112 
1113  /* modify hash table entry, replacing old route */
1114  he->key = &newroute->addr;
1115  he->value = newroute;
1116  }
1117  }
1118  else
1119  {
1120  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1121  {
1122  learn_succeeded = true;
1123  owner = mi;
1124  multi_instance_inc_refcount(mi);
1125  route_quota_inc(mi);
1126 
1127  /* add new route */
1128  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1129  }
1130  }
1131 
1132  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1133  learn_succeeded ? "" : " FAILED",
1134  mroute_addr_print(&newroute->addr, &gc),
1135  multi_instance_string(mi, false, &gc));
1136 
1137  if (!learn_succeeded)
1138  {
1139  free(newroute);
1140  }
1141  }
1142  gc_free(&gc);
1143 
1144  return owner;
1145 }
1146 
1147 /*
1148  * Get client instance based on virtual address.
1149  */
1150 static struct multi_instance *
1151 multi_get_instance_by_virtual_addr(struct multi_context *m,
1152  const struct mroute_addr *addr,
1153  bool cidr_routing)
1154 {
1155  struct multi_route *route;
1156  struct multi_instance *ret = NULL;
1157 
1158  /* check for local address */
1159  if (mroute_addr_equal(addr, &m->local))
1160  {
1161  return NULL;
1162  }
1163 
1164  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1165 
1166  /* does host route (possible cached) exist? */
1167  if (route && multi_route_defined(m, route))
1168  {
1169  struct multi_instance *mi = route->instance;
1170  route->last_reference = now;
1171  ret = mi;
1172  }
1173  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1174  {
1175  struct mroute_helper *rh = m->route_helper;
1176  struct mroute_addr tryaddr;
1177  int i;
1178 
1179  /* cycle through each CIDR length */
1180  for (i = 0; i < rh->n_net_len; ++i)
1181  {
1182  tryaddr = *addr;
1183  tryaddr.type |= MR_WITH_NETBITS;
1184  tryaddr.netbits = rh->net_len[i];
1185  mroute_addr_mask_host_bits(&tryaddr);
1186 
1187  /* look up a possible route with netbits netmask */
1188  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1189 
1190  if (route && multi_route_defined(m, route))
1191  {
1192  /* found an applicable route, cache host route */
1193  struct multi_instance *mi = route->instance;
1194  multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1195  ret = mi;
1196  break;
1197  }
1198  }
1199  }
1200 
1201 #ifdef ENABLE_DEBUG
1202  if (check_debug_level(D_MULTI_DEBUG))
1203  {
1204  struct gc_arena gc = gc_new();
1205  const char *addr_text = mroute_addr_print(addr, &gc);
1206  if (ret)
1207  {
1208  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1209  addr_text,
1210  multi_instance_string(ret, false, &gc),
1211  mroute_addr_print(&route->addr, &gc));
1212  }
1213  else
1214  {
1215  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1216  addr_text);
1217  }
1218  gc_free(&gc);
1219  }
1220 #endif
1221 
1222  ASSERT(!(ret && ret->halt));
1223  return ret;
1224 }
1225 
1226 /*
1227  * Helper function to multi_learn_addr().
1228  */
1229 static struct multi_instance *
1230 multi_learn_in_addr_t(struct multi_context *m,
1231  struct multi_instance *mi,
1232  in_addr_t a,
1233  int netbits, /* -1 if host route, otherwise # of network bits in address */
1234  bool primary)
1235 {
1236  struct openvpn_sockaddr remote_si;
1237  struct mroute_addr addr;
1238 
1239  CLEAR(remote_si);
1240  remote_si.addr.in4.sin_family = AF_INET;
1241  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1242  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1243 
1244  if (netbits >= 0)
1245  {
1246  addr.type |= MR_WITH_NETBITS;
1247  addr.netbits = (uint8_t) netbits;
1248  }
1249 
1250  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1251 #ifdef ENABLE_MANAGEMENT
1252  if (management && owner)
1253  {
1254  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1255  }
1256 #endif
1257  if (!primary)
1258  {
1259  /* "primary" is the VPN ifconfig address of the peer and already
1260  * known to DCO, so only install "extra" iroutes (primary = false)
1261  */
1262  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1263  dco_install_iroute(m, mi, &addr);
1264  }
1265 
1266  return owner;
1267 }
1268 
1269 static struct multi_instance *
1270 multi_learn_in6_addr(struct multi_context *m,
1271  struct multi_instance *mi,
1272  struct in6_addr a6,
1273  int netbits, /* -1 if host route, otherwise # of network bits in address */
1274  bool primary)
1275 {
1276  struct mroute_addr addr;
1277 
1278  addr.len = 16;
1279  addr.type = MR_ADDR_IPV6;
1280  addr.netbits = 0;
1281  addr.v6.addr = a6;
1282 
1283  if (netbits >= 0)
1284  {
1285  addr.type |= MR_WITH_NETBITS;
1286  addr.netbits = (uint8_t) netbits;
1287  mroute_addr_mask_host_bits( &addr );
1288  }
1289 
1290  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1291 #ifdef ENABLE_MANAGEMENT
1292  if (management && owner)
1293  {
1294  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1295  }
1296 #endif
1297  if (!primary)
1298  {
1299  /* "primary" is the VPN ifconfig address of the peer and already
1300  * known to DCO, so only install "extra" iroutes (primary = false)
1301  */
1302  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1303  dco_install_iroute(m, mi, &addr);
1304  }
1305 
1306  return owner;
1307 }
1308 
1309 /*
1310  * A new client has connected, add routes (server -> client)
1311  * to internal routing table.
1312  */
1313 static void
1314 multi_add_iroutes(struct multi_context *m,
1315  struct multi_instance *mi)
1316 {
1317  struct gc_arena gc = gc_new();
1318  const struct iroute *ir;
1319  const struct iroute_ipv6 *ir6;
1320  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1321  {
1322  mi->did_iroutes = true;
1323  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1324  {
1325  if (ir->netbits >= 0)
1326  {
1327  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1328  print_in_addr_t(ir->network, 0, &gc),
1329  ir->netbits,
1330  multi_instance_string(mi, false, &gc));
1331  }
1332  else
1333  {
1334  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1335  print_in_addr_t(ir->network, 0, &gc),
1336  multi_instance_string(mi, false, &gc));
1337  }
1338 
1339  mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1340 
1341  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1342  }
1343  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1344  {
1345  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1346  print_in6_addr(ir6->network, 0, &gc),
1347  ir6->netbits,
1348  multi_instance_string(mi, false, &gc));
1349 
1350  mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1351 
1352  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1353  }
1354  }
1355  gc_free(&gc);
1356 }
1357 
1358 /*
1359  * Given an instance (new_mi), delete all other instances which use the
1360  * same common name.
1361  */
1362 static void
1363 multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1364 {
1365  if (new_mi)
1366  {
1367  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1368  if (new_cn)
1369  {
1370  struct hash_iterator hi;
1371  struct hash_element *he;
1372  int count = 0;
1373 
1374  hash_iterator_init(m->iter, &hi);
1375  while ((he = hash_iterator_next(&hi)))
1376  {
1377  struct multi_instance *mi = (struct multi_instance *) he->value;
1378  if (mi != new_mi && !mi->halt)
1379  {
1380  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1381  if (cn && !strcmp(cn, new_cn))
1382  {
1383  mi->did_iter = false;
1384  multi_close_instance(m, mi, false);
1385  hash_iterator_delete_element(&hi);
1386  ++count;
1387  }
1388  }
1389  }
1390  hash_iterator_free(&hi);
1391 
1392  if (count)
1393  {
1394  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1395  }
1396  }
1397  }
1398 }
1399 
1400 static void
1401 check_stale_routes(struct multi_context *m)
1402 {
1403 
1404  struct gc_arena gc = gc_new();
1405  struct hash_iterator hi;
1406  struct hash_element *he;
1407 
1408  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1409  hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1410  while ((he = hash_iterator_next(&hi)) != NULL)
1411  {
1412  struct multi_route *r = (struct multi_route *) he->value;
1413  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1414  {
1415  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1416  mroute_addr_print(&r->addr, &gc));
1417  learn_address_script(m, NULL, "delete", &r->addr);
1418  multi_route_del(r);
1419  hash_iterator_delete_element(&hi);
1420  }
1421  }
1422  hash_iterator_free(&hi);
1423  gc_free(&gc);
1424 }
1425 
1426 /*
1427  * Ensure that endpoint to be pushed to client
1428  * complies with --ifconfig-push-constraint directive.
1429  */
1430 static bool
1431 ifconfig_push_constraint_satisfied(const struct context *c)
1432 {
1433  const struct options *o = &c->options;
1434  if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1435  {
1436  return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1437  }
1438  else
1439  {
1440  return true;
1441  }
1442 }
1443 
1444 /*
1445  * Select a virtual address for a new client instance.
1446  * Use an --ifconfig-push directive, if given (static IP).
1447  * Otherwise use an --ifconfig-pool address (dynamic IP).
1448  */
1449 static void
1450 multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1451 {
1452  struct gc_arena gc = gc_new();
1453 
1454  /*
1455  * If ifconfig addresses were set by dynamic config file,
1456  * release pool addresses, otherwise keep them.
1457  */
1458  if (mi->context.options.push_ifconfig_defined)
1459  {
1460  /* ifconfig addresses were set statically,
1461  * release dynamic allocation */
1462  if (mi->vaddr_handle >= 0)
1463  {
1464  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1465  mi->vaddr_handle = -1;
1466  }
1467 
1468  mi->context.c2.push_ifconfig_defined = true;
1469  mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1470  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1471  mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1472 
1473  /* the current implementation does not allow "static IPv4, pool IPv6",
1474  * (see below) so issue a warning if that happens - don't break the
1475  * session, though, as we don't even know if this client WANTS IPv6
1476  */
1477  if (mi->context.options.ifconfig_ipv6_pool_defined
1478  && !mi->context.options.push_ifconfig_ipv6_defined)
1479  {
1480  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1481  }
1482  }
1483  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1484  {
1485  in_addr_t local = 0, remote = 0;
1486  struct in6_addr remote_ipv6;
1487  const char *cn = NULL;
1488 
1489  if (!mi->context.options.duplicate_cn)
1490  {
1491  cn = tls_common_name(mi->context.c2.tls_multi, true);
1492  }
1493 
1494  CLEAR(remote_ipv6);
1495  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1496  if (mi->vaddr_handle >= 0)
1497  {
1498  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1499  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1500 
1501  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1502  (mi->context.options.ifconfig_pool_defined
1503  ? print_in_addr_t(remote, 0, &gc)
1504  : "(Not enabled)"),
1505  (mi->context.options.ifconfig_ipv6_pool_defined
1506  ? print_in6_addr( remote_ipv6, 0, &gc )
1507  : "(Not enabled)") );
1508 
1509  if (mi->context.options.ifconfig_pool_defined)
1510  {
1511  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1512  mi->context.c2.push_ifconfig_local = remote;
1513  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1514  {
1515  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1516  if (!mi->context.c2.push_ifconfig_remote_netmask)
1517  {
1518  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1519  }
1520  }
1521  else if (tunnel_type == DEV_TYPE_TUN)
1522  {
1523  if (tunnel_topology == TOP_P2P)
1524  {
1525  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1526  }
1527  else if (tunnel_topology == TOP_NET30)
1528  {
1529  mi->context.c2.push_ifconfig_remote_netmask = local;
1530  }
1531  }
1532 
1533  if (mi->context.c2.push_ifconfig_remote_netmask)
1534  {
1535  mi->context.c2.push_ifconfig_defined = true;
1536  }
1537  else
1538  {
1539  msg(D_MULTI_ERRORS,
1540  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1541  multi_instance_string(mi, false, &gc));
1542  }
1543  }
1544 
1545  if (mi->context.options.ifconfig_ipv6_pool_defined)
1546  {
1547  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1548  mi->context.c2.push_ifconfig_ipv6_remote =
1549  mi->context.c1.tuntap->local_ipv6;
1550  mi->context.c2.push_ifconfig_ipv6_netbits =
1551  mi->context.options.ifconfig_ipv6_netbits;
1552  mi->context.c2.push_ifconfig_ipv6_defined = true;
1553  }
1554  }
1555  else
1556  {
1557  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1558  }
1559  }
1560 
1561  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1562  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1563  * will fail (because no pool will be allocated in this case).
1564  * OTOH, this doesn't make too much sense in reality - and the other
1565  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1566  * -> and so it's implemented right now
1567  */
1568  if (mi->context.options.push_ifconfig_ipv6_defined)
1569  {
1570  mi->context.c2.push_ifconfig_ipv6_local =
1571  mi->context.options.push_ifconfig_ipv6_local;
1572  mi->context.c2.push_ifconfig_ipv6_remote =
1573  mi->context.options.push_ifconfig_ipv6_remote;
1574  mi->context.c2.push_ifconfig_ipv6_netbits =
1575  mi->context.options.push_ifconfig_ipv6_netbits;
1576  mi->context.c2.push_ifconfig_ipv6_defined = true;
1577 
1578  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1579  print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1580  mi->context.c2.push_ifconfig_ipv6_netbits );
1581  }
1582 
1583  gc_free(&gc);
1584 }
1585 
1586 /*
1587  * Set virtual address environmental variables.
1588  */
1589 static void
1590 multi_set_virtual_addr_env(struct multi_instance *mi)
1591 {
1592  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1593  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1594  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1595 
1596  if (mi->context.c2.push_ifconfig_defined)
1597  {
1598  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1599  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1600 
1601  setenv_in_addr_t(mi->context.c2.es,
1602  "ifconfig_pool_remote_ip",
1603  mi->context.c2.push_ifconfig_local,
1604  SA_SET_IF_NONZERO);
1605 
1606  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1607  {
1608  setenv_in_addr_t(mi->context.c2.es,
1609  "ifconfig_pool_netmask",
1610  mi->context.c2.push_ifconfig_remote_netmask,
1611  SA_SET_IF_NONZERO);
1612  }
1613  else if (tunnel_type == DEV_TYPE_TUN)
1614  {
1615  setenv_in_addr_t(mi->context.c2.es,
1616  "ifconfig_pool_local_ip",
1617  mi->context.c2.push_ifconfig_remote_netmask,
1618  SA_SET_IF_NONZERO);
1619  }
1620  }
1621 
1622  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1623  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1624  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1625 
1626  if (mi->context.c2.push_ifconfig_ipv6_defined)
1627  {
1628  setenv_in6_addr(mi->context.c2.es,
1629  "ifconfig_pool_remote",
1630  &mi->context.c2.push_ifconfig_ipv6_local,
1631  SA_SET_IF_NONZERO);
1632  setenv_in6_addr(mi->context.c2.es,
1633  "ifconfig_pool_local",
1634  &mi->context.c2.push_ifconfig_ipv6_remote,
1635  SA_SET_IF_NONZERO);
1636  setenv_int(mi->context.c2.es,
1637  "ifconfig_pool_ip6_netbits",
1638  mi->context.c2.push_ifconfig_ipv6_netbits);
1639  }
1640 }
1641 
1642 /*
1643  * Called after client-connect script is called
1644  */
1645 static void
1646 multi_client_connect_post(struct multi_context *m,
1647  struct multi_instance *mi,
1648  const char *dc_file,
1649  unsigned int *option_types_found)
1650 {
1651  /* Did script generate a dynamic config file? */
1652  if (platform_test_file(dc_file))
1653  {
1654  options_server_import(&mi->context.options,
1655  dc_file,
1656  D_IMPORT_ERRORS|M_OPTERR,
1657  CLIENT_CONNECT_OPT_MASK,
1658  option_types_found,
1659  mi->context.c2.es);
1660 
1661  /*
1662  * If the --client-connect script generates a config file
1663  * with an --ifconfig-push directive, it will override any
1664  * --ifconfig-push directive from the --client-config-dir
1665  * directory or any --ifconfig-pool dynamic address.
1666  */
1667  multi_select_virtual_addr(m, mi);
1668  multi_set_virtual_addr_env(mi);
1669  }
1670 }
1671 
1672 #ifdef ENABLE_PLUGIN
1673 
1674 /*
1675  * Called after client-connect plug-in is called
1676  */
1677 static void
1678 multi_client_connect_post_plugin(struct multi_context *m,
1679  struct multi_instance *mi,
1680  const struct plugin_return *pr,
1681  unsigned int *option_types_found)
1682 {
1683  struct plugin_return config;
1684 
1685  plugin_return_get_column(pr, &config, "config");
1686 
1687  /* Did script generate a dynamic config file? */
1688  if (plugin_return_defined(&config))
1689  {
1690  int i;
1691  for (i = 0; i < config.n; ++i)
1692  {
1693  if (config.list[i] && config.list[i]->value)
1694  {
1695  options_string_import(&mi->context.options,
1696  config.list[i]->value,
1697  D_IMPORT_ERRORS|M_OPTERR,
1698  CLIENT_CONNECT_OPT_MASK,
1699  option_types_found,
1700  mi->context.c2.es);
1701  }
1702  }
1703 
1704  /*
1705  * If the --client-connect script generates a config file
1706  * with an --ifconfig-push directive, it will override any
1707  * --ifconfig-push directive from the --client-config-dir
1708  * directory or any --ifconfig-pool dynamic address.
1709  */
1710  multi_select_virtual_addr(m, mi);
1711  multi_set_virtual_addr_env(mi);
1712  }
1713 }
1714 
1715 #endif /* ifdef ENABLE_PLUGIN */
1716 
1717 
1718 /*
1719  * Called to load management-derived client-connect config
1720  */
1721 enum client_connect_return
1722 multi_client_connect_mda(struct multi_context *m,
1723  struct multi_instance *mi,
1724  bool deferred,
1725  unsigned int *option_types_found)
1726 {
1727  /* We never return CC_RET_DEFERRED */
1728  ASSERT(!deferred);
1729  enum client_connect_return ret = CC_RET_SKIPPED;
1730 #ifdef ENABLE_MANAGEMENT
1731  if (mi->cc_config)
1732  {
1733  struct buffer_entry *be;
1734  for (be = mi->cc_config->head; be != NULL; be = be->next)
1735  {
1736  const char *opt = BSTR(&be->buf);
1737  options_string_import(&mi->context.options,
1738  opt,
1739  D_IMPORT_ERRORS|M_OPTERR,
1740  CLIENT_CONNECT_OPT_MASK,
1741  option_types_found,
1742  mi->context.c2.es);
1743  }
1744 
1745  /*
1746  * If the --client-connect script generates a config file
1747  * with an --ifconfig-push directive, it will override any
1748  * --ifconfig-push directive from the --client-config-dir
1749  * directory or any --ifconfig-pool dynamic address.
1750  */
1751  multi_select_virtual_addr(m, mi);
1752  multi_set_virtual_addr_env(mi);
1753 
1754  ret = CC_RET_SUCCEEDED;
1755  }
1756 #endif /* ifdef ENABLE_MANAGEMENT */
1757  return ret;
1758 }
1759 
1760 static void
1761 multi_client_connect_setenv(struct multi_context *m,
1762  struct multi_instance *mi)
1763 {
1764  struct gc_arena gc = gc_new();
1765 
1766  /* setenv incoming cert common name for script */
1767  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1768 
1769  /* setenv client real IP address */
1770  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1771 
1772  /* setenv client virtual IP address */
1773  multi_set_virtual_addr_env(mi);
1774 
1775  /* setenv connection time */
1776  {
1777  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1778  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1779  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1780  }
1781 
1782  gc_free(&gc);
1783 }
1784 
1791 static bool
1792 multi_client_set_protocol_options(struct context *c)
1793 {
1794  struct tls_multi *tls_multi = c->c2.tls_multi;
1795  const char *const peer_info = tls_multi->peer_info;
1796  struct options *o = &c->options;
1797 
1798 
1799  unsigned int proto = extract_iv_proto(peer_info);
1800  if (proto & IV_PROTO_DATA_V2)
1801  {
1802  tls_multi->use_peer_id = true;
1803  o->use_peer_id = true;
1804  }
1805  else if (dco_enabled(o))
1806  {
1807  msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing "
1808  "requires DATA_V2. Dropping client.");
1809  auth_set_client_reason(tls_multi, "Data channel negotiation "
1810  "failed (missing DATA_V2)");
1811  return false;
1812  }
1813 
1814  if (proto & IV_PROTO_REQUEST_PUSH)
1815  {
1816  c->c2.push_request_received = true;
1817  }
1818 
1819 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1820  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1821  {
1822  o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1823  }
1824  if (proto & IV_PROTO_DYN_TLS_CRYPT)
1825  {
1826  o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1827  }
1828 #endif
1829 
1830  if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1831  {
1832  o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1833  }
1834 
1835  /* Select cipher if client supports Negotiable Crypto Parameters */
1836 
1837  /* if we have already created our key, we cannot *change* our own
1838  * cipher -> so log the fact and push the "what we have now" cipher
1839  * (so the client is always told what we expect it to use)
1840  */
1841  if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1842  {
1843  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1844  "server has already generated data channel keys, "
1845  "re-sending previously negotiated cipher '%s'",
1846  o->ciphername );
1847  return true;
1848  }
1849 
1850  /*
1851  * Push the first cipher from --data-ciphers to the client that
1852  * the client announces to be supporting.
1853  */
1854  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1855  tls_multi->remote_ciphername,
1856  &o->gc);
1857 
1858  if (push_cipher)
1859  {
1860  o->ciphername = push_cipher;
1861  return true;
1862  }
1863 
1864  /* NCP cipher negotiation failed. Try to figure out why exactly it
1865  * failed and give good error messages and potentially do a fallback
1866  * for non NCP clients */
1867  struct gc_arena gc = gc_new();
1868  bool ret = false;
1869 
1870  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1871  /* If we are in a situation where we know the client ciphers, there is no
1872  * reason to fall back to a cipher that will not be accepted by the other
1873  * side, in this situation we fail the auth*/
1874  if (strlen(peer_ciphers) > 0)
1875  {
1876  msg(M_INFO, "PUSH: No common cipher between server and client. "
1877  "Server data-ciphers: '%s', client supported ciphers '%s'",
1878  o->ncp_ciphers, peer_ciphers);
1879  }
1880  else if (tls_multi->remote_ciphername)
1881  {
1882  msg(M_INFO, "PUSH: No common cipher between server and client. "
1883  "Server data-ciphers: '%s', client supports cipher '%s'",
1884  o->ncp_ciphers, tls_multi->remote_ciphername);
1885  }
1886  else
1887  {
1888  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1889 
1890  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1891  {
1892  msg(M_INFO, "Using data channel cipher '%s' since "
1893  "--data-ciphers-fallback is set.", o->ciphername);
1894  ret = true;
1895  }
1896  else
1897  {
1898  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1899  "client is using if you want to allow the client to connect");
1900  }
1901  }
1902  if (!ret)
1903  {
1904  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1905  "failed (no shared cipher)");
1906  }
1907 
1908  gc_free(&gc);
1909  return ret;
1910 }
1911 
1916 static void
1917 ccs_delete_deferred_ret_file(struct multi_instance *mi)
1918 {
1919  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1920  if (!ccs->deferred_ret_file)
1921  {
1922  return;
1923  }
1924 
1925  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1926  if (!platform_unlink(ccs->deferred_ret_file))
1927  {
1928  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1929  ccs->deferred_ret_file);
1930  }
1931  free(ccs->deferred_ret_file);
1932  ccs->deferred_ret_file = NULL;
1933 }
1934 
1942 static bool
1943 ccs_gen_deferred_ret_file(struct multi_instance *mi)
1944 {
1945  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1946  struct gc_arena gc = gc_new();
1947  const char *fn;
1948 
1949  /* Delete file if it already exists */
1950  ccs_delete_deferred_ret_file(mi);
1951 
1952  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1953  if (!fn)
1954  {
1955  gc_free(&gc);
1956  return false;
1957  }
1958  ccs->deferred_ret_file = string_alloc(fn, NULL);
1959 
1960  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1961  ccs->deferred_ret_file);
1962 
1963  gc_free(&gc);
1964  return true;
1965 }
1966 
1975 static enum client_connect_return
1976 ccs_test_deferred_ret_file(struct multi_instance *mi)
1977 {
1978  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1979  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1980  if (!fp)
1981  {
1982  return CC_RET_SKIPPED;
1983  }
1984 
1985  enum client_connect_return ret = CC_RET_SKIPPED;
1986  const int c = fgetc(fp);
1987  switch (c)
1988  {
1989  case '0':
1990  ret = CC_RET_FAILED;
1991  break;
1992 
1993  case '1':
1994  ret = CC_RET_SUCCEEDED;
1995  break;
1996 
1997  case '2':
1998  ret = CC_RET_DEFERRED;
1999  break;
2000 
2001  case EOF:
2002  if (feof(fp))
2003  {
2004  ret = CC_RET_SKIPPED;
2005  break;
2006  }
2007 
2008  /* Not EOF but other error -> fall through to error state */
2009  default:
2010  /* We received an unknown/unexpected value. Assume failure. */
2011  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
2012  "client-connect resultfile");
2013  ret = CC_RET_FAILED;
2014  }
2015  fclose(fp);
2016 
2017  return ret;
2018 }
2019 
2025 static void
2026 ccs_delete_config_file(struct multi_instance *mi)
2027 {
2028  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2029  if (ccs->config_file)
2030  {
2031  setenv_del(mi->context.c2.es, "client_connect_config_file");
2032  if (!platform_unlink(ccs->config_file))
2033  {
2034  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2035  ccs->config_file);
2036  }
2037  free(ccs->config_file);
2038  ccs->config_file = NULL;
2039  }
2040 }
2041 
2049 static bool
2050 ccs_gen_config_file(struct multi_instance *mi)
2051 {
2052  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2053  struct gc_arena gc = gc_new();
2054  const char *fn;
2055 
2056  if (ccs->config_file)
2057  {
2058  ccs_delete_config_file(mi);
2059  }
2060 
2061  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2062  if (!fn)
2063  {
2064  gc_free(&gc);
2065  return false;
2066  }
2067  ccs->config_file = string_alloc(fn, NULL);
2068 
2069  setenv_str(mi->context.c2.es, "client_connect_config_file",
2070  ccs->config_file);
2071 
2072  gc_free(&gc);
2073  return true;
2074 }
2075 
2076 static enum client_connect_return
2077 multi_client_connect_call_plugin_v1(struct multi_context *m,
2078  struct multi_instance *mi,
2079  bool deferred,
2080  unsigned int *option_types_found)
2081 {
2082  enum client_connect_return ret = CC_RET_SKIPPED;
2083 #ifdef ENABLE_PLUGIN
2084  ASSERT(m);
2085  ASSERT(mi);
2086  ASSERT(option_types_found);
2087  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2088 
2089  /* deprecated callback, use a file for passing back return info */
2090  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2091  {
2092  struct argv argv = argv_new();
2093  int call;
2094 
2095  if (!deferred)
2096  {
2097  call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2098  if (!ccs_gen_config_file(mi)
2099  || !ccs_gen_deferred_ret_file(mi))
2100  {
2101  ret = CC_RET_FAILED;
2102  goto cleanup;
2103  }
2104  }
2105  else
2106  {
2107  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2108  /* the initial call should have created these files */
2109  ASSERT(ccs->config_file);
2110  ASSERT(ccs->deferred_ret_file);
2111  }
2112 
2113  argv_printf(&argv, "%s", ccs->config_file);
2114  int plug_ret = plugin_call(mi->context.plugins, call,
2115  &argv, NULL, mi->context.c2.es);
2116  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2117  {
2118  ret = CC_RET_SUCCEEDED;
2119  }
2120  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2121  {
2122  ret = CC_RET_DEFERRED;
2128  }
2129  else
2130  {
2131  msg(M_WARN, "WARNING: client-connect plugin call failed");
2132  ret = CC_RET_FAILED;
2133  }
2134 
2135 
2141  int file_ret = ccs_test_deferred_ret_file(mi);
2142 
2143  if (file_ret == CC_RET_FAILED)
2144  {
2145  ret = CC_RET_FAILED;
2146  }
2147  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2148  {
2149  ret = CC_RET_DEFERRED;
2150  }
2151 
2152  /* if we still think we have succeeded, do postprocessing */
2153  if (ret == CC_RET_SUCCEEDED)
2154  {
2155  multi_client_connect_post(m, mi, ccs->config_file,
2156  option_types_found);
2157  }
2158 cleanup:
2159  argv_free(&argv);
2160 
2161  if (ret != CC_RET_DEFERRED)
2162  {
2163  ccs_delete_config_file(mi);
2164  ccs_delete_deferred_ret_file(mi);
2165  }
2166  }
2167 #endif /* ifdef ENABLE_PLUGIN */
2168  return ret;
2169 }
2170 
2171 static enum client_connect_return
2172 multi_client_connect_call_plugin_v2(struct multi_context *m,
2173  struct multi_instance *mi,
2174  bool deferred,
2175  unsigned int *option_types_found)
2176 {
2177  enum client_connect_return ret = CC_RET_SKIPPED;
2178 #ifdef ENABLE_PLUGIN
2179  ASSERT(m);
2180  ASSERT(mi);
2181  ASSERT(option_types_found);
2182 
2183  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2184  OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2185  /* V2 callback, use a plugin_return struct for passing back return info */
2186  if (plugin_defined(mi->context.plugins, call))
2187  {
2188  struct plugin_return pr;
2189 
2190  plugin_return_init(&pr);
2191 
2192  int plug_ret = plugin_call(mi->context.plugins, call,
2193  NULL, &pr, mi->context.c2.es);
2194  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2195  {
2196  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2197  ret = CC_RET_SUCCEEDED;
2198  }
2199  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2200  {
2201  ret = CC_RET_DEFERRED;
2202  if (!(plugin_defined(mi->context.plugins,
2203  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2204  {
2205  msg(M_WARN, "A plugin that defers from the "
2206  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2207  "declare support for "
2208  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2209  ret = CC_RET_FAILED;
2210  }
2211  }
2212  else
2213  {
2214  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2215  ret = CC_RET_FAILED;
2216  }
2217 
2218 
2219  plugin_return_free(&pr);
2220  }
2221 #endif /* ifdef ENABLE_PLUGIN */
2222  return ret;
2223 }
2224 
2225 static enum client_connect_return
2226 multi_client_connect_script_deferred(struct multi_context *m,
2227  struct multi_instance *mi,
2228  unsigned int *option_types_found)
2229 {
2230  ASSERT(mi);
2231  ASSERT(option_types_found);
2232  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2233  enum client_connect_return ret = CC_RET_SKIPPED;
2234 
2235  ret = ccs_test_deferred_ret_file(mi);
2236 
2237  if (ret == CC_RET_SKIPPED)
2238  {
2239  /*
2240  * Skipped and deferred are equivalent in this context.
2241  * skipped means that the called program has not yet
2242  * written a return status implicitly needing more time
2243  * while deferred is the explicit notification that it
2244  * needs more time
2245  */
2246  ret = CC_RET_DEFERRED;
2247  }
2248 
2249  if (ret == CC_RET_SUCCEEDED)
2250  {
2251  ccs_delete_deferred_ret_file(mi);
2252  multi_client_connect_post(m, mi, ccs->config_file,
2253  option_types_found);
2254  ccs_delete_config_file(mi);
2255  }
2256  if (ret == CC_RET_FAILED)
2257  {
2258  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2259  ccs_delete_deferred_ret_file(mi);
2260  ccs_delete_config_file(mi);
2261  }
2262  return ret;
2263 }
2264 
2268 static enum client_connect_return
2269 multi_client_connect_call_script(struct multi_context *m,
2270  struct multi_instance *mi,
2271  bool deferred,
2272  unsigned int *option_types_found)
2273 {
2274  if (deferred)
2275  {
2276  return multi_client_connect_script_deferred(m, mi, option_types_found);
2277  }
2278  ASSERT(m);
2279  ASSERT(mi);
2280 
2281  enum client_connect_return ret = CC_RET_SKIPPED;
2282  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2283 
2284  if (mi->context.options.client_connect_script)
2285  {
2286  struct argv argv = argv_new();
2287  struct gc_arena gc = gc_new();
2288 
2289  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2290 
2291  if (!ccs_gen_config_file(mi)
2292  || !ccs_gen_deferred_ret_file(mi))
2293  {
2294  ret = CC_RET_FAILED;
2295  goto cleanup;
2296  }
2297 
2298  argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2299  argv_printf_cat(&argv, "%s", ccs->config_file);
2300 
2301  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2302  {
2303  if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2304  {
2305  ret = CC_RET_DEFERRED;
2306  }
2307  else
2308  {
2309  multi_client_connect_post(m, mi, ccs->config_file,
2310  option_types_found);
2311  ret = CC_RET_SUCCEEDED;
2312  }
2313  }
2314  else
2315  {
2316  ret = CC_RET_FAILED;
2317  }
2318 cleanup:
2319  if (ret != CC_RET_DEFERRED)
2320  {
2321  ccs_delete_config_file(mi);
2322  ccs_delete_deferred_ret_file(mi);
2323  }
2324  argv_free(&argv);
2325  gc_free(&gc);
2326  }
2327  return ret;
2328 }
2329 
2330 static bool
2331 multi_client_setup_dco_initial(struct multi_context *m,
2332  struct multi_instance *mi,
2333  struct gc_arena *gc)
2334 {
2335  if (!dco_enabled(&mi->context.options))
2336  {
2337  /* DCO not enabled, nothing to do, return sucess */
2338  return true;
2339  }
2340  int ret = dco_multi_add_new_peer(m, mi);
2341  if (ret < 0)
2342  {
2343  msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)",
2344  multi_instance_string(mi, false, gc), strerror(-ret), ret);
2345  return false;
2346  }
2347 
2348  if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix)
2349  {
2350  ret = dco_set_peer(&mi->context.c1.tuntap->dco,
2351  mi->context.c2.tls_multi->dco_peer_id,
2352  mi->context.options.ping_send_timeout,
2353  mi->context.options.ping_rec_timeout,
2354  mi->context.c2.frame.mss_fix);
2355  if (ret < 0)
2356  {
2357  msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s",
2358  multi_instance_string(mi, false, gc),
2359  mi->context.c2.tls_multi->dco_peer_id, strerror(-ret));
2360  return false;
2361  }
2362  }
2363  return true;
2364 }
2365 
2369 static bool
2370 multi_client_generate_tls_keys(struct context *c)
2371 {
2372  struct frame *frame_fragment = NULL;
2373 #ifdef ENABLE_FRAGMENT
2374  if (c->options.ce.fragment)
2375  {
2376  frame_fragment = &c->c2.frame_fragment;
2377  }
2378 #endif
2379  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2380  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2381  &c->c2.frame, frame_fragment,
2382  get_link_socket_info(c)))
2383  {
2384  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2385  register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2386  return false;
2387  }
2388 
2389  return true;
2390 }
2391 
2392 static void
2393 multi_client_connect_late_setup(struct multi_context *m,
2394  struct multi_instance *mi,
2395  const unsigned int option_types_found)
2396 {
2397  ASSERT(m);
2398  ASSERT(mi);
2399 
2400  struct gc_arena gc = gc_new();
2401  /*
2402  * Process sourced options.
2403  */
2404  do_deferred_options(&mi->context, option_types_found);
2405 
2406  /*
2407  * make sure we got ifconfig settings from somewhere
2408  */
2409  if (!mi->context.c2.push_ifconfig_defined)
2410  {
2411  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2412  "--ifconfig address is available for %s",
2413  multi_instance_string(mi, false, &gc));
2414  }
2415 
2416  /*
2417  * make sure that ifconfig settings comply with constraints
2418  */
2419  if (!ifconfig_push_constraint_satisfied(&mi->context))
2420  {
2421  const char *ifconfig_constraint_network =
2422  print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2423  const char *ifconfig_constraint_netmask =
2424  print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2425 
2426  /* JYFIXME -- this should cause the connection to fail */
2427  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2428  "violates tunnel network/netmask constraint (%s/%s)",
2429  multi_instance_string(mi, false, &gc),
2430  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2431  ifconfig_constraint_network, ifconfig_constraint_netmask);
2432  }
2433 
2434  /*
2435  * For routed tunnels, set up internal route to endpoint
2436  * plus add all iroute routes.
2437  */
2438  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2439  {
2440  if (mi->context.c2.push_ifconfig_defined)
2441  {
2442  multi_learn_in_addr_t(m, mi,
2443  mi->context.c2.push_ifconfig_local,
2444  -1, true);
2445  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2446  multi_instance_string(mi, false, &gc),
2447  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2448  }
2449 
2450  if (mi->context.c2.push_ifconfig_ipv6_defined)
2451  {
2452  multi_learn_in6_addr(m, mi,
2453  mi->context.c2.push_ifconfig_ipv6_local,
2454  -1, true);
2455  /* TODO: find out where addresses are "unlearned"!! */
2456  const char *ifconfig_local_ipv6 =
2457  print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2458  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2459  multi_instance_string(mi, false, &gc),
2460  ifconfig_local_ipv6);
2461  }
2462 
2463  /* add routes locally, pointing to new client, if
2464  * --iroute options have been specified */
2465  multi_add_iroutes(m, mi);
2466 
2467  /*
2468  * iroutes represent subnets which are "owned" by a particular
2469  * client. Therefore, do not actually push a route to a client
2470  * if it matches one of the client's iroutes.
2471  */
2472  remove_iroutes_from_push_route_list(&mi->context.options);
2473  }
2474  else if (mi->context.options.iroutes)
2475  {
2476  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2477  "only works with tun-style tunnels",
2478  multi_instance_string(mi, false, &gc));
2479  }
2480 
2481  /* set our client's VPN endpoint for status reporting purposes */
2482  mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2483  mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2484 
2485  /* set context-level authentication flag */
2486  mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2487 
2488  /* authentication complete, calculate dynamic client specific options */
2489  if (!multi_client_set_protocol_options(&mi->context))
2490  {
2491  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2492  }
2493  /* only continue if setting protocol options worked */
2494  else if (!multi_client_setup_dco_initial(m, mi, &gc))
2495  {
2496  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2497  }
2498  /* Generate data channel keys only if setting protocol options
2499  * and DCO initial setup has not failed */
2500  else if (!multi_client_generate_tls_keys(&mi->context))
2501  {
2502  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2503  }
2504 
2505  /* send push reply if ready */
2506  if (mi->context.c2.push_request_received)
2507  {
2508  process_incoming_push_request(&mi->context);
2509  }
2510  gc_free(&gc);
2511 }
2512 
2513 static void
2514 multi_client_connect_early_setup(struct multi_context *m,
2515  struct multi_instance *mi)
2516 {
2517  ASSERT(mi->context.c1.tuntap);
2518  /*
2519  * lock down the common name and cert hashes so they can't change
2520  * during future TLS renegotiations
2521  */
2522  tls_lock_common_name(mi->context.c2.tls_multi);
2523  tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2524 
2525  /* generate a msg() prefix for this client instance */
2526  generate_prefix(mi);
2527 
2528  /* delete instances of previous clients with same common-name */
2529  if (!mi->context.options.duplicate_cn)
2530  {
2531  multi_delete_dup(m, mi);
2532  }
2533 
2534  /* reset pool handle to null */
2535  mi->vaddr_handle = -1;
2536 
2537  /* do --client-connect setenvs */
2538  multi_select_virtual_addr(m, mi);
2539 
2540  multi_client_connect_setenv(m, mi);
2541 }
2542 
2549 static enum client_connect_return
2550 multi_client_connect_compress_migrate(struct multi_context *m,
2551  struct multi_instance *mi,
2552  bool deferred,
2553  unsigned int *option_types_found)
2554 {
2555 #ifdef USE_COMP
2556  struct options *o = &mi->context.options;
2557  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2558 
2559  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2560  {
2561  if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2562  {
2563  push_option(o, "compress stub-v2", M_USAGE);
2564  }
2565  else
2566  {
2567  /* Client is old and does not support STUBv2 but since it
2568  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2569  * switch to that and push the uncompressed variant. */
2570  push_option(o, "comp-lzo no", M_USAGE);
2571  o->comp.alg = COMP_ALG_STUB;
2572  *option_types_found |= OPT_P_COMP;
2573  }
2574  }
2575 #endif
2576  return CC_RET_SUCCEEDED;
2577 }
2578 
2583 static enum client_connect_return
2584 multi_client_connect_source_ccd(struct multi_context *m,
2585  struct multi_instance *mi,
2586  bool deferred,
2587  unsigned int *option_types_found)
2588 {
2589  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2590  * problem */
2591  ASSERT(!deferred);
2592  enum client_connect_return ret = CC_RET_SKIPPED;
2593  if (mi->context.options.client_config_dir)
2594  {
2595  struct gc_arena gc = gc_new();
2596  const char *ccd_file = NULL;
2597 
2598  const char *ccd_client =
2599  platform_gen_path(mi->context.options.client_config_dir,
2600  tls_common_name(mi->context.c2.tls_multi, false),
2601  &gc);
2602 
2603  const char *ccd_default =
2604  platform_gen_path(mi->context.options.client_config_dir,
2605  CCD_DEFAULT, &gc);
2606 
2607 
2608  /* try common-name file */
2609  if (platform_test_file(ccd_client))
2610  {
2611  ccd_file = ccd_client;
2612  }
2613  /* try default file */
2614  else if (platform_test_file(ccd_default))
2615  {
2616  ccd_file = ccd_default;
2617  }
2618 
2619  if (ccd_file)
2620  {
2621  options_server_import(&mi->context.options,
2622  ccd_file,
2623  D_IMPORT_ERRORS|M_OPTERR,
2624  CLIENT_CONNECT_OPT_MASK,
2625  option_types_found,
2626  mi->context.c2.es);
2627  /*
2628  * Select a virtual address from either --ifconfig-push in
2629  * --client-config-dir file or --ifconfig-pool.
2630  */
2631  multi_select_virtual_addr(m, mi);
2632 
2633  multi_client_connect_setenv(m, mi);
2634 
2635  ret = CC_RET_SUCCEEDED;
2636  }
2637  gc_free(&gc);
2638  }
2639  return ret;
2640 }
2641 
2642 typedef enum client_connect_return (*multi_client_connect_handler)
2643  (struct multi_context *m, struct multi_instance *mi,
2644  bool from_deferred, unsigned int *option_types_found);
2645 
2646 static const multi_client_connect_handler client_connect_handlers[] = {
2647  multi_client_connect_compress_migrate,
2648  multi_client_connect_source_ccd,
2649  multi_client_connect_call_plugin_v1,
2650  multi_client_connect_call_plugin_v2,
2651  multi_client_connect_call_script,
2652  multi_client_connect_mda,
2653  NULL,
2654 };
2655 
2656 /*
2657  * Called as soon as the SSL/TLS connection is authenticated.
2658  *
2659  * Will collect the client specific configuration from the different
2660  * sources like ccd files, connect plugins and management interface.
2661  *
2662  * This method starts with cas_context CAS_PENDING and will move the
2663  * state machine to either CAS_SUCCEEDED on success or
2664  * CAS_FAILED/CAS_PARTIAL on failure.
2665  *
2666  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2667  * include:
2668  *
2669  * iroute start-ip end-ip
2670  * ifconfig-push local remote-netmask
2671  * push
2672  *
2673  *
2674  */
2675 static void
2676 multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2677 {
2678  /* We are only called for the CAS_PENDING_x states, so we
2679  * can ignore other states here */
2680  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2681 
2682  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2683  unsigned int *option_types_found =
2684  &mi->client_connect_defer_state.option_types_found;
2685 
2686  /* We are called for the first time */
2687  if (!from_deferred)
2688  {
2689  *cur_handler_index = 0;
2690  *option_types_found = 0;
2691  /* Initially we have no handler that has returned a result */
2692  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2693 
2694  multi_client_connect_early_setup(m, mi);
2695  }
2696 
2697  bool cc_succeeded = true;
2698 
2699  while (cc_succeeded
2700  && client_connect_handlers[*cur_handler_index] != NULL)
2701  {
2702  enum client_connect_return ret;
2703  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2704  option_types_found);
2705 
2706  from_deferred = false;
2707 
2708  switch (ret)
2709  {
2710  case CC_RET_SUCCEEDED:
2711  /*
2712  * Remember that we already had at least one handler
2713  * returning a result should we go to into deferred state
2714  */
2715  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2716  break;
2717 
2718  case CC_RET_SKIPPED:
2719  /*
2720  * Move on with the next handler without modifying any
2721  * other state
2722  */
2723  break;
2724 
2725  case CC_RET_DEFERRED:
2726  /*
2727  * we already set multi_status to DEFERRED_RESULT or
2728  * DEFERRED_NO_RESULT. We just return
2729  * from the function as having multi_status
2730  */
2731  return;
2732 
2733  case CC_RET_FAILED:
2734  /*
2735  * One handler failed. We abort the chain and set the final
2736  * result to failed
2737  */
2738  cc_succeeded = false;
2739  break;
2740 
2741  default:
2742  ASSERT(0);
2743  }
2744 
2745  /*
2746  * Check for "disable" directive in client-config-dir file
2747  * or config file generated by --client-connect script.
2748  */
2749  if (mi->context.options.disable)
2750  {
2751  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2752  "'disable' directive");
2753  cc_succeeded = false;
2754  }
2755 
2756  (*cur_handler_index)++;
2757  }
2758 
2759  /* Check if we have forbidding options in the current mode */
2760  if (dco_enabled(&mi->context.options)
2761  && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2762  {
2763  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2764  cc_succeeded = false;
2765  }
2766 
2767  if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
2768  {
2769  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2770  cc_succeeded = false;
2771  }
2772 
2773  if (cc_succeeded)
2774  {
2775  multi_client_connect_late_setup(m, mi, *option_types_found);
2776  }
2777  else
2778  {
2779  /* run the disconnect script if we had a connect script that
2780  * did not fail */
2781  if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2782  {
2783  multi_client_disconnect_script(m, mi);
2784  }
2785 
2786  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2787  }
2788 
2789  /* increment number of current authenticated clients */
2790  ++m->n_clients;
2791  update_mstat_n_clients(m->n_clients);
2792  --mi->n_clients_delta;
2793 
2794 #ifdef ENABLE_MANAGEMENT
2795  if (management)
2796  {
2797  management_connection_established(management,
2798  &mi->context.c2.mda_context, mi->context.c2.es);
2799  }
2800 #endif
2801 }
2802 
2803 #ifdef ENABLE_ASYNC_PUSH
2804 /*
2805  * Called when inotify event is fired, which happens when acf
2806  * or connect-status file is closed or deleted.
2807  * Continues authentication and sends push_reply
2808  * (or be deferred again by client-connect)
2809  */
2810 void
2811 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2812 {
2813  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2814  size_t buffer_i = 0;
2815  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2816 
2817  while (buffer_i < r)
2818  {
2819  /* parse inotify events */
2820  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2821  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2822  buffer_i += event_size;
2823 
2824  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2825 
2826  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2827 
2828  if (pevent->mask & IN_CLOSE_WRITE)
2829  {
2830  if (mi)
2831  {
2832  /* continue authentication, perform NCP negotiation and send push_reply */
2833  multi_process_post(m, mi, mpp_flags);
2834  }
2835  else
2836  {
2837  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2838  }
2839  }
2840  else if (pevent->mask & IN_IGNORED)
2841  {
2842  /* this event is _always_ fired when watch is removed or file is deleted */
2843  if (mi)
2844  {
2845  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2846  mi->inotify_watch = -1;
2847  }
2848  }
2849  else
2850  {
2851  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2852  }
2853  }
2854 }
2855 #endif /* ifdef ENABLE_ASYNC_PUSH */
2856 
2857 /*
2858  * Add a mbuf buffer to a particular
2859  * instance.
2860  */
2861 void
2862 multi_add_mbuf(struct multi_context *m,
2863  struct multi_instance *mi,
2864  struct mbuf_buffer *mb)
2865 {
2866  if (multi_output_queue_ready(m, mi))
2867  {
2868  struct mbuf_item item;
2869  item.buffer = mb;
2870  item.instance = mi;
2871  mbuf_add_item(m->mbuf, &item);
2872  }
2873  else
2874  {
2875  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2876  }
2877 }
2878 
2879 /*
2880  * Add a packet to a client instance output queue.
2881  */
2882 static inline void
2883 multi_unicast(struct multi_context *m,
2884  const struct buffer *buf,
2885  struct multi_instance *mi)
2886 {
2887  struct mbuf_buffer *mb;
2888 
2889  if (BLEN(buf) > 0)
2890  {
2891  mb = mbuf_alloc_buf(buf);
2892  mb->flags = MF_UNICAST;
2893  multi_add_mbuf(m, mi, mb);
2894  mbuf_free_buf(mb);
2895  }
2896 }
2897 
2898 /*
2899  * Broadcast a packet to all clients.
2900  */
2901 static void
2902 multi_bcast(struct multi_context *m,
2903  const struct buffer *buf,
2904  const struct multi_instance *sender_instance,
2905  const struct mroute_addr *sender_addr,
2906  uint16_t vid)
2907 {
2908  struct hash_iterator hi;
2909  struct hash_element *he;
2910  struct multi_instance *mi;
2911  struct mbuf_buffer *mb;
2912 
2913  if (BLEN(buf) > 0)
2914  {
2915  perf_push(PERF_MULTI_BCAST);
2916 #ifdef MULTI_DEBUG_EVENT_LOOP
2917  printf("BCAST len=%d\n", BLEN(buf));
2918 #endif
2919  mb = mbuf_alloc_buf(buf);
2920  hash_iterator_init(m->iter, &hi);
2921 
2922  while ((he = hash_iterator_next(&hi)))
2923  {
2924  mi = (struct multi_instance *) he->value;
2925  if (mi != sender_instance && !mi->halt)
2926  {
2927  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2928  {
2929  continue;
2930  }
2931  multi_add_mbuf(m, mi, mb);
2932  }
2933  }
2934 
2935  hash_iterator_free(&hi);
2936  mbuf_free_buf(mb);
2937  perf_pop();
2938  }
2939 }
2940 
2941 /*
2942  * Given a time delta, indicating that we wish to be
2943  * awoken by the scheduler at time now + delta, figure
2944  * a sigma parameter (in microseconds) that represents
2945  * a sort of fuzz factor around delta, so that we're
2946  * really telling the scheduler to wake us up any time
2947  * between now + delta - sigma and now + delta + sigma.
2948  *
2949  * The sigma parameter helps the scheduler to run more efficiently.
2950  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2951  */
2952 static inline unsigned int
2953 compute_wakeup_sigma(const struct timeval *delta)
2954 {
2955  if (delta->tv_sec < 1)
2956  {
2957  /* if < 1 sec, fuzz = # of microseconds / 8 */
2958  return delta->tv_usec >> 3;
2959  }
2960  else
2961  {
2962  /* if < 10 minutes, fuzz = 13.1% of timeout */
2963  if (delta->tv_sec < 600)
2964  {
2965  return delta->tv_sec << 17;
2966  }
2967  else
2968  {
2969  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2970  }
2971  }
2972 }
2973 
2974 static void
2975 multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
2976 {
2977  /* calculate an absolute wakeup time */
2978  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2979  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2980 
2981  /* tell scheduler to wake us up at some point in the future */
2982  schedule_add_entry(m->schedule,
2983  (struct schedule_entry *) mi,
2984  &mi->wakeup,
2985  compute_wakeup_sigma(&mi->context.c2.timeval));
2986 }
2987 
2988 #if defined(ENABLE_ASYNC_PUSH)
2989 static void
2990 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2991  int inotify_fd, const char *file)
2992 {
2993  /* watch acf file */
2994  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2995  IN_CLOSE_WRITE | IN_ONESHOT);
2996  if (watch_descriptor >= 0)
2997  {
2998  if (mi->inotify_watch != -1)
2999  {
3000  hash_remove(m->inotify_watchers,
3001  (void *) (unsigned long)mi->inotify_watch);
3002  }
3003  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
3004  mi, true);
3005  mi->inotify_watch = watch_descriptor;
3006  }
3007  else
3008  {
3009  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3010  }
3011 }
3012 #endif /* if defined(ENABLE_ASYNC_PUSH) */
3013 
3014 /*
3015  * Figure instance-specific timers, convert
3016  * earliest to absolute time in mi->wakeup,
3017  * call scheduler with our future wakeup time.
3018  *
3019  * Also close context on signal.
3020  */
3021 bool
3022 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3023 {
3024  bool ret = true;
3025 
3026  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3027  {
3028 #if defined(ENABLE_ASYNC_PUSH)
3029  bool was_unauthenticated = true;
3030  struct key_state *ks = NULL;
3031  if (mi->context.c2.tls_multi)
3032  {
3033  ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3034  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3035  }
3036 #endif
3037 
3038  /* figure timeouts and fetch possible outgoing
3039  * to_link packets (such as ping or TLS control) */
3040  pre_select(&mi->context);
3041 
3042 #if defined(ENABLE_ASYNC_PUSH)
3043  /*
3044  * if we see the state transition from unauthenticated to deferred
3045  * and an auth_control_file, we assume it got just added and add
3046  * inotify watch to that file
3047  */
3048  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3049  && (ks->authenticated == KS_AUTH_DEFERRED))
3050  {
3051  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3052  ks->plugin_auth.auth_control_file);
3053  }
3054  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3055  && (ks->authenticated == KS_AUTH_DEFERRED))
3056  {
3057  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3058  ks->script_auth.auth_control_file);
3059  }
3060 #endif
3061 
3062  if (!IS_SIG(&mi->context))
3063  {
3064  /* connection is "established" when SSL/TLS key negotiation succeeds
3065  * and (if specified) auth user/pass succeeds */
3066 
3067  if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3068  {
3069  multi_connection_established(m, mi);
3070  }
3071 #if defined(ENABLE_ASYNC_PUSH)
3072  if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3073  && mi->client_connect_defer_state.deferred_ret_file)
3074  {
3075  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3076  mi->client_connect_defer_state.
3077  deferred_ret_file);
3078  }
3079 #endif
3080  /* tell scheduler to wake us up at some point in the future */
3081  multi_schedule_context_wakeup(m, mi);
3082  }
3083  }
3084 
3085  if (IS_SIG(&mi->context))
3086  {
3087  if (flags & MPP_CLOSE_ON_SIGNAL)
3088  {
3089  multi_close_instance_on_signal(m, mi);
3090  ret = false;
3091  }
3092  }
3093  else
3094  {
3095  /* continue to pend on output? */
3096  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3097 
3098 #ifdef MULTI_DEBUG_EVENT_LOOP
3099  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3100  id(mi),
3101  (int) (mi == m->pending),
3102  mi ? mi->context.c2.to_tun.len : -1,
3103  mi ? mi->context.c2.to_link.len : -1,
3104  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3105  (int64_t)mi->context.c2.timeval.tv_sec,
3106  (long)mi->context.c2.timeval.tv_usec);
3107 #endif
3108  }
3109 
3110  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3111  {
3112  *m->mpp_touched = mi;
3113  }
3114 
3115  return ret;
3116 }
3117 
3118 void
3119 multi_process_float(struct multi_context *m, struct multi_instance *mi)
3120 {
3121  struct mroute_addr real;
3122  struct hash *hash = m->hash;
3123  struct gc_arena gc = gc_new();
3124 
3125  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3126  {
3127  goto done;
3128  }
3129 
3130  const uint32_t hv = hash_value(hash, &real);
3131  struct hash_bucket *bucket = hash_bucket(hash, hv);
3132 
3133  /* make sure that we don't float to an address taken by another client */
3134  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3135  if (he)
3136  {
3137  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3138 
3139  struct tls_multi *m1 = mi->context.c2.tls_multi;
3140  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3141 
3142  /* do not float if target address is taken by client with another cert */
3143  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3144  {
3145  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3146  multi_instance_string(ex_mi, false, &gc));
3147 
3148  mi->context.c2.buf.len = 0;
3149 
3150  goto done;
3151  }
3152 
3153  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3154  multi_close_instance(m, ex_mi, false);
3155  }
3156 
3157  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3158  mi->context.c2.tls_multi->peer_id,
3159  tls_common_name(mi->context.c2.tls_multi, false),
3160  mroute_addr_print(&mi->real, &gc),
3161  print_link_socket_actual(&m->top.c2.from, &gc));
3162 
3163  /* remove old address from hash table before changing address */
3164  ASSERT(hash_remove(m->hash, &mi->real));
3165  ASSERT(hash_remove(m->iter, &mi->real));
3166 
3167  /* change external network address of the remote peer */
3168  mi->real = real;
3169  generate_prefix(mi);
3170 
3171  mi->context.c2.from = m->top.c2.from;
3172  mi->context.c2.to_link_addr = &mi->context.c2.from;
3173 
3174  /* inherit parent link_socket and link_socket_info */
3175  mi->context.c2.link_socket = m->top.c2.link_socket;
3176  mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from;
3177 
3178  tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3179 
3180  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3181  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3182 
3183 #ifdef ENABLE_MANAGEMENT
3184  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3185 #endif
3186 
3187 done:
3188  gc_free(&gc);
3189 }
3190 
3191 /*
3192  * Called when an instance should be closed due to the
3193  * reception of a soft signal.
3194  */
3195 void
3196 multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3197 {
3198  remap_signal(&mi->context);
3199  set_prefix(mi);
3200  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3201  clear_prefix();
3202  multi_close_instance(m, mi, false);
3203 }
3204 
3205 #if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
3206 static void
3207 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3208 {
3209  mi->context.sig->signal_received = sig;
3210  multi_close_instance_on_signal(m, mi);
3211 }
3212 #endif
3213 
3214 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
3215 static void
3216 process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
3217  dco_context_t *dco)
3218 {
3219  const char *reason = "ovpn-dco: unknown reason";
3220  switch (dco->dco_del_peer_reason)
3221  {
3222  case OVPN_DEL_PEER_REASON_EXPIRED:
3223  reason = "ovpn-dco: ping expired";
3224  break;
3225 
3226  case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3227  reason = "ovpn-dco: transport error";
3228  break;
3229 
3230  case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3231  reason = "ovpn-dco: transport disconnected";
3232  break;
3233 
3234  case OVPN_DEL_PEER_REASON_USERSPACE:
3235  /* We assume that is ourselves. Unfortunately, sometimes these
3236  * events happen with enough delay that they can have an order of
3237  *
3238  * dco_del_peer x
3239  * [new client connecting]
3240  * dco_new_peer x
3241  * event from dco_del_peer arrives.
3242  *
3243  * if we do not ignore this we get desynced with the kernel
3244  * since we assume the peer-id is free again. The other way would
3245  * be to send a dco_del_peer again
3246  */
3247  return;
3248  }
3249 
3250  /* When kernel already deleted the peer, the socket is no longer
3251  * installed, and we do not need to clean up the state in the kernel */
3252  mi->context.c2.tls_multi->dco_peer_id = -1;
3253  mi->context.sig->signal_text = reason;
3254  mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3255  mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3256  multi_signal_instance(m, mi, SIGTERM);
3257 }
3258 
3259 bool
3260 multi_process_incoming_dco(struct multi_context *m)
3261 {
3262  dco_context_t *dco = &m->top.c1.tuntap->dco;
3263 
3264  struct multi_instance *mi = NULL;
3265 
3266  int ret = dco_do_read(&m->top.c1.tuntap->dco);
3267 
3268  int peer_id = dco->dco_message_peer_id;
3269 
3270  /* no peer-specific message delivered -> nothing to process.
3271  * bail out right away
3272  */
3273  if (peer_id < 0)
3274  {
3275  return ret > 0;
3276  }
3277 
3278  if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3279  {
3280  mi = m->instances[peer_id];
3281  if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3282  {
3283  process_incoming_del_peer(m, mi, dco);
3284  }
3285  else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3286  {
3287  tls_session_soft_reset(mi->context.c2.tls_multi);
3288  }
3289  }
3290  else
3291  {
3292  int msglevel = D_DCO;
3293  if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3294  && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3295  {
3296  /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3297  * after we kill the peer ourselves. This peer may have already
3298  * been deleted, so we end up here.
3299  * In this case, print the following debug message with DCO_DEBUG
3300  * level only to avoid polluting the standard DCO level with this
3301  * harmless event.
3302  */
3303  msglevel = D_DCO_DEBUG;
3304  }
3305  msg(msglevel, "Received DCO message for unknown peer-id: %d, "
3306  "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
3307  dco->dco_del_peer_reason);
3308  }
3309 
3310  dco->dco_message_type = 0;
3311  dco->dco_message_peer_id = -1;
3312  dco->dco_del_peer_reason = -1;
3313  dco->dco_read_bytes = 0;
3314  dco->dco_write_bytes = 0;
3315  return ret > 0;
3316 }
3317 #endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */
3318 
3319 /*
3320  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3321  * i.e. client -> server direction.
3322  */
3323 bool
3324 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3325 {
3326  struct gc_arena gc = gc_new();
3327 
3328  struct context *c;
3329  struct mroute_addr src, dest;
3330  unsigned int mroute_flags;
3331  struct multi_instance *mi;
3332  bool ret = true;
3333  bool floated = false;
3334 
3335  if (m->pending)
3336  {
3337  return true;
3338  }
3339 
3340  if (!instance)
3341  {
3342 #ifdef MULTI_DEBUG_EVENT_LOOP
3343  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3344 #endif
3345  multi_set_pending(m, multi_get_create_instance_udp(m, &floated));
3346  }
3347  else
3348  {
3349  multi_set_pending(m, instance);
3350  }
3351 
3352  if (m->pending)
3353  {
3354  set_prefix(m->pending);
3355 
3356  /* get instance context */
3357  c = &m->pending->context;
3358 
3359  if (!instance)
3360  {
3361  /* transfer packet pointer from top-level context buffer to instance */
3362  c->c2.buf = m->top.c2.buf;
3363 
3364  /* transfer from-addr from top-level context buffer to instance */
3365  if (!floated)
3366  {
3367  c->c2.from = m->top.c2.from;
3368  }
3369  }
3370 
3371  if (BLEN(&c->c2.buf) > 0)
3372  {
3373  struct link_socket_info *lsi;
3374  const uint8_t *orig_buf;
3375 
3376  /* decrypt in instance context */
3377 
3378  perf_push(PERF_PROC_IN_LINK);
3379  lsi = get_link_socket_info(c);
3380  orig_buf = c->c2.buf.data;
3381  if (process_incoming_link_part1(c, lsi, floated))
3382  {
3383  /* nonzero length means that we have a valid, decrypted packed */
3384  if (floated && c->c2.buf.len > 0)
3385  {
3386  multi_process_float(m, m->pending);
3387  }
3388 
3389  process_incoming_link_part2(c, lsi, orig_buf);
3390  }
3391  perf_pop();
3392 
3393  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3394  {
3395  /* extract packet source and dest addresses */
3396  mroute_flags = mroute_extract_addr_from_packet(&src,
3397  &dest,
3398  0,
3399  &c->c2.to_tun,
3400  DEV_TYPE_TUN);
3401 
3402  /* drop packet if extract failed */
3403  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3404  {
3405  c->c2.to_tun.len = 0;
3406  }
3407  /* make sure that source address is associated with this client */
3408  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3409  {
3410  /* IPv6 link-local address (fe80::xxx)? */
3411  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3412  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3413  {
3414  /* do nothing, for now. TODO: add address learning */
3415  }
3416  else
3417  {
3418  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3419  mroute_addr_print(&src, &gc));
3420  }
3421  c->c2.to_tun.len = 0;
3422  }
3423  /* client-to-client communication enabled? */
3424  else if (m->enable_c2c)
3425  {
3426  /* multicast? */
3427  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3428  {
3429  /* for now, treat multicast as broadcast */
3430  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3431  }
3432  else /* possible client to client routing */
3433  {
3434  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3435  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3436 
3437  /* if dest addr is a known client, route to it */
3438  if (mi)
3439  {
3440  {
3441  multi_unicast(m, &c->c2.to_tun, mi);
3442  register_activity(c, BLEN(&c->c2.to_tun));
3443  }
3444  c->c2.to_tun.len = 0;
3445  }
3446  }
3447  }
3448  }
3449  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3450  {
3451  uint16_t vid = 0;
3452 
3453  if (m->top.options.vlan_tagging)
3454  {
3455  if (vlan_is_tagged(&c->c2.to_tun))
3456  {
3457  /* Drop VLAN-tagged frame. */
3458  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3459  c->c2.to_tun.len = 0;
3460  }
3461  else
3462  {
3463  vid = c->options.vlan_pvid;
3464  }
3465  }
3466  /* extract packet source and dest addresses */
3467  mroute_flags = mroute_extract_addr_from_packet(&src,
3468  &dest,
3469  vid,
3470  &c->c2.to_tun,
3471  DEV_TYPE_TAP);
3472 
3473  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3474  {
3475  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3476  {
3477  /* check for broadcast */
3478  if (m->enable_c2c)
3479  {
3480  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3481  {
3482  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3483  vid);
3484  }
3485  else /* try client-to-client routing */
3486  {
3487  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3488 
3489  /* if dest addr is a known client, route to it */
3490  if (mi)
3491  {
3492  multi_unicast(m, &c->c2.to_tun, mi);
3493  register_activity(c, BLEN(&c->c2.to_tun));
3494  c->c2.to_tun.len = 0;
3495  }
3496  }
3497  }
3498  }
3499  else
3500  {
3501  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3502  mroute_addr_print(&src, &gc));
3503  c->c2.to_tun.len = 0;
3504  }
3505  }
3506  else
3507  {
3508  c->c2.to_tun.len = 0;
3509  }
3510  }
3511  }
3512 
3513  /* postprocess and set wakeup */
3514  ret = multi_process_post(m, m->pending, mpp_flags);
3515 
3516  clear_prefix();
3517  }
3518 
3519  gc_free(&gc);
3520  return ret;
3521 }
3522 
3523 /*
3524  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3525  * i.e. server -> client direction.
3526  */
3527 bool
3528 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3529 {
3530  bool ret = true;
3531 
3532  if (BLEN(&m->top.c2.buf) > 0)
3533  {
3534  unsigned int mroute_flags;
3535  struct mroute_addr src, dest;
3536  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3537  int16_t vid = 0;
3538 
3539 
3540 #ifdef MULTI_DEBUG_EVENT_LOOP
3541  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3542 #endif
3543 
3544  if (m->pending)
3545  {
3546  return true;
3547  }
3548 
3549  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3550  {
3551  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3552  if (vid < 0)
3553  {
3554  return false;
3555  }
3556  }
3557 
3558  /*
3559  * Route an incoming tun/tap packet to
3560  * the appropriate multi_instance object.
3561  */
3562 
3563  mroute_flags = mroute_extract_addr_from_packet(&src,
3564  &dest,
3565  vid,
3566  &m->top.c2.buf,
3567  dev_type);
3568 
3569  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3570  {
3571  struct context *c;
3572 
3573  /* broadcast or multicast dest addr? */
3574  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3575  {
3576  /* for now, treat multicast as broadcast */
3577  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3578  }
3579  else
3580  {
3581  multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3582 
3583  if (m->pending)
3584  {
3585  /* get instance context */
3586  c = &m->pending->context;
3587 
3588  set_prefix(m->pending);
3589 
3590  {
3591  if (multi_output_queue_ready(m, m->pending))
3592  {
3593  /* transfer packet pointer from top-level context buffer to instance */
3594  c->c2.buf = m->top.c2.buf;
3595  }
3596  else
3597  {
3598  /* drop packet */
3599  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3600  buf_reset_len(&c->c2.buf);
3601  }
3602  }
3603 
3604  /* encrypt in instance context */
3605  process_incoming_tun(c);
3606 
3607  /* postprocess and set wakeup */
3608  ret = multi_process_post(m, m->pending, mpp_flags);
3609 
3610  clear_prefix();
3611  }
3612  }
3613  }
3614  }
3615  return ret;
3616 }
3617 
3618 /*
3619  * Process a possible client-to-client/bcast/mcast message in the
3620  * queue.
3621  */
3622 struct multi_instance *
3623 multi_get_queue(struct mbuf_set *ms)
3624 {
3625  struct mbuf_item item;
3626 
3627  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3628  {
3629  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3630 
3631  set_prefix(item.instance);
3632  item.instance->context.c2.buf = item.buffer->buf;
3633  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3634  {
3635  pip_flags |= PIP_MSSFIX;
3636  }
3637  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3638  encrypt_sign(&item.instance->context, true);
3639  mbuf_free_buf(item.buffer);
3640 
3641  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3642 
3643  clear_prefix();
3644  return item.instance;
3645  }
3646  else
3647  {
3648  return NULL;
3649  }
3650 }
3651 
3652 /*
3653  * Called when an I/O wait times out. Usually means that a particular
3654  * client instance object needs timer-based service.
3655  */
3656 bool
3657 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3658 {
3659  bool ret = true;
3660 
3661 #ifdef MULTI_DEBUG_EVENT_LOOP
3662  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3663 #endif
3664 
3665  /* instance marked for wakeup? */
3666  if (m->earliest_wakeup)
3667  {
3668  if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3669  {
3670  schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal);
3671  throw_signal(m->deferred_shutdown_signal.signal_received);
3672  }
3673  else
3674  {
3675  set_prefix(m->earliest_wakeup);
3676  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3677  clear_prefix();
3678  }
3679  m->earliest_wakeup = NULL;
3680  }
3681  return ret;
3682 }
3683 
3684 /*
3685  * Drop a TUN/TAP outgoing packet..
3686  */
3687 void
3688 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3689 {
3690  struct multi_instance *mi = m->pending;
3691 
3692  ASSERT(mi);
3693 
3694  set_prefix(mi);
3695 
3696  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3697  mi->context.c2.to_tun.len);
3698 
3699  buf_reset(&mi->context.c2.to_tun);
3700 
3701  multi_process_post(m, mi, mpp_flags);
3702  clear_prefix();
3703 }
3704 
3705 /*
3706  * Per-client route quota management
3707  */
3708 
3709 void
3710 route_quota_exceeded(const struct multi_instance *mi)
3711 {
3712  struct gc_arena gc = gc_new();
3713  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3714  mi->context.options.max_routes_per_client,
3715  multi_instance_string(mi, false, &gc));
3716  gc_free(&gc);
3717 }
3718 
3719 #ifdef ENABLE_DEBUG
3720 /*
3721  * Flood clients with random packets
3722  */
3723 static void
3724 gremlin_flood_clients(struct multi_context *m)
3725 {
3726  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3727  if (level)
3728  {
3729  struct gc_arena gc = gc_new();
3730  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3731  struct packet_flood_parms parm = get_packet_flood_parms(level);
3732  int i;
3733 
3734  ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3735  parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3736 
3737  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3738  parm.n_packets,
3739  parm.packet_size);
3740 
3741  for (i = 0; i < parm.packet_size; ++i)
3742  {
3743  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3744  }
3745 
3746  for (i = 0; i < parm.n_packets; ++i)
3747  {
3748  multi_bcast(m, &buf, NULL, NULL, 0);
3749  }
3750 
3751  gc_free(&gc);
3752  }
3753 }
3754 #endif /* ifdef ENABLE_DEBUG */
3755 
3756 static bool
3757 stale_route_check_trigger(struct multi_context *m)
3758 {
3759  struct timeval null;
3760  CLEAR(null);
3761  return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3762 }
3763 
3764 /*
3765  * Process timers in the top-level context
3766  */
3767 void
3768 multi_process_per_second_timers_dowork(struct multi_context *m)
3769 {
3770  /* possibly reap instances/routes in vhash */
3771  multi_reap_process(m);
3772 
3773  /* possibly print to status log */
3774  if (m->top.c1.status_output)
3775  {
3776  if (status_trigger(m->top.c1.status_output))
3777  {
3778  multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3779  }
3780  }
3781 
3782  /* possibly flush ifconfig-pool file */
3783  multi_ifconfig_pool_persist(m, false);
3784 
3785 #ifdef ENABLE_DEBUG
3786  gremlin_flood_clients(m);
3787 #endif
3788 
3789  /* Should we check for stale routes? */
3790  if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3791  {
3792  check_stale_routes(m);
3793  }
3794 }
3795 
3796 void
3797 multi_top_init(struct multi_context *m, struct context *top)
3798 {
3799  inherit_context_top(&m->top, top);
3800  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3801 }
3802 
3803 void
3804 multi_top_free(struct multi_context *m)
3805 {
3806  close_context(&m->top, -1, CC_GC_FREE);
3807  free_context_buffers(m->top.c2.buffers);
3808 }
3809 
3810 static bool
3811 is_exit_restart(int sig)
3812 {
3813  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3814 }
3815 
3816 static void
3817 multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3818 {
3819  struct hash_iterator hi;
3820  struct hash_element *he;
3821  struct timeval tv;
3822 
3823  /* tell all clients to restart */
3824  hash_iterator_init(m->iter, &hi);
3825  while ((he = hash_iterator_next(&hi)))
3826  {
3827  struct multi_instance *mi = (struct multi_instance *) he->value;
3828  if (!mi->halt)
3829  {
3830  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3831  multi_schedule_context_wakeup(m, mi);
3832  }
3833  }
3834  hash_iterator_free(&hi);
3835 
3836  /* reschedule signal */
3837  ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3838  tv.tv_sec = 2;
3839  tv.tv_usec = 0;
3840  tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3841 
3842  m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3843 
3844  schedule_add_entry(m->schedule,
3845  (struct schedule_entry *) &m->deferred_shutdown_signal,
3846  &m->deferred_shutdown_signal.wakeup,
3847  compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
3848 
3849  signal_reset(m->top.sig, 0);
3850 }
3851 
3852 /*
3853  * Return true if event loop should break,
3854  * false if it should continue.
3855  */
3856 bool
3857 multi_process_signal(struct multi_context *m)
3858 {
3859  if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3860  {
3861  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3862  multi_print_status(m, so, m->status_file_version);
3863  status_close(so);
3864  return false;
3865  }
3866  else if (proto_is_dgram(m->top.options.ce.proto)
3867  && is_exit_restart(m->top.sig->signal_received)
3868  && (m->deferred_shutdown_signal.signal_received == 0)
3869  && m->top.options.ce.explicit_exit_notification != 0)
3870  {
3871  multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3872  return false;
3873  }
3874  return true;
3875 }
3876 
3877 /*
3878  * Management subsystem callbacks
3879  */
3880 #ifdef ENABLE_MANAGEMENT
3881 
3882 static void
3883 management_callback_status(void *arg, const int version, struct status_output *so)
3884 {
3885  struct multi_context *m = (struct multi_context *) arg;
3886 
3887  if (!version)
3888  {
3889  multi_print_status(m, so, m->status_file_version);
3890  }
3891  else
3892  {
3893  multi_print_status(m, so, version);
3894  }
3895 }
3896 
3897 static int
3898 management_callback_n_clients(void *arg)
3899 {
3900  struct multi_context *m = (struct multi_context *) arg;
3901  return m->n_clients;
3902 }
3903 
3904 static int
3905 management_callback_kill_by_cn(void *arg, const char *del_cn)
3906 {
3907  struct multi_context *m = (struct multi_context *) arg;
3908  struct hash_iterator hi;
3909  struct hash_element *he;
3910  int count = 0;
3911 
3912  hash_iterator_init(m->iter, &hi);
3913  while ((he = hash_iterator_next(&hi)))
3914  {
3915  struct multi_instance *mi = (struct multi_instance *) he->value;
3916  if (!mi->halt)
3917  {
3918  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3919  if (cn && !strcmp(cn, del_cn))
3920  {
3921  multi_signal_instance(m, mi, SIGTERM);
3922  ++count;
3923  }
3924  }
3925  }
3926  hash_iterator_free(&hi);
3927  return count;
3928 }
3929 
3930 static int
3931 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3932 {
3933  struct multi_context *m = (struct multi_context *) arg;
3934  struct hash_iterator hi;
3935  struct hash_element *he;
3936  struct openvpn_sockaddr saddr;
3937  struct mroute_addr maddr;
3938  int count = 0;
3939 
3940  CLEAR(saddr);
3941  saddr.addr.in4.sin_family = AF_INET;
3942  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3943  saddr.addr.in4.sin_port = htons(port);
3944  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3945  {
3946  hash_iterator_init(m->iter, &hi);
3947  while ((he = hash_iterator_next(&hi)))
3948  {
3949  struct multi_instance *mi = (struct multi_instance *) he->value;
3950  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3951  {
3952  multi_signal_instance(m, mi, SIGTERM);
3953  ++count;
3954  }
3955  }
3956  hash_iterator_free(&hi);
3957  }
3958  return count;
3959 }
3960 
3961 static void
3962 management_delete_event(void *arg, event_t event)
3963 {
3964  struct multi_context *m = (struct multi_context *) arg;
3965  if (m->mtcp)
3966  {
3967  multi_tcp_delete_event(m->mtcp, event);
3968  }
3969 }
3970 
3971 static struct multi_instance *
3972 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3973 {
3974  if (m)
3975  {
3976  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3977  if (mi && !mi->halt)
3978  {
3979  return mi;
3980  }
3981  }
3982  return NULL;
3983 }
3984 
3985 static bool
3986 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3987 {
3988  struct multi_context *m = (struct multi_context *) arg;
3989  struct multi_instance *mi = lookup_by_cid(m, cid);
3990  if (mi)
3991  {
3992  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3993  multi_schedule_context_wakeup(m, mi);
3994  return true;
3995  }
3996  else
3997  {
3998  return false;
3999  }
4000 }
4001 
4002 static bool
4003 management_client_pending_auth(void *arg,
4004  const unsigned long cid,
4005  const unsigned int mda_key_id,
4006  const char *extra,
4007  unsigned int timeout)
4008 {
4009  struct multi_context *m = (struct multi_context *) arg;
4010  struct multi_instance *mi = lookup_by_cid(m, cid);
4011 
4012  if (mi)
4013  {
4014  struct tls_multi *multi = mi->context.c2.tls_multi;
4015  struct tls_session *session;
4016 
4017  if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4018  {
4019  session = &multi->session[TM_INITIAL];
4020  }
4021  else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4022  {
4023  session = &multi->session[TM_ACTIVE];
4024  }
4025  else
4026  {
4027  return false;
4028  }
4029 
4030  /* sends INFO_PRE and AUTH_PENDING messages to client */
4031  bool ret = send_auth_pending_messages(multi, session, extra,
4032  timeout);
4033  reschedule_multi_process(&mi->context);
4034  multi_schedule_context_wakeup(m, mi);
4035  return ret;
4036  }
4037  return false;
4038 }
4039 
4040 
4041 static bool
4042 management_client_auth(void *arg,
4043  const unsigned long cid,
4044  const unsigned int mda_key_id,
4045  const bool auth,
4046  const char *reason,
4047  const char *client_reason,
4048  struct buffer_list *cc_config) /* ownership transferred */
4049 {
4050  struct multi_context *m = (struct multi_context *) arg;
4051  struct multi_instance *mi = lookup_by_cid(m, cid);
4052  bool cc_config_owned = true;
4053  bool ret = false;
4054 
4055  if (mi)
4056  {
4057  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4058  if (ret)
4059  {
4060  if (auth)
4061  {
4062  if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4063  {
4064  set_cc_config(mi, cc_config);
4065  cc_config_owned = false;
4066  }
4067  }
4068  else if (reason)
4069  {
4070  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
4071  }
4072  }
4073  }
4074  if (cc_config_owned && cc_config)
4075  {
4076  buffer_list_free(cc_config);
4077  }
4078  return ret;
4079 }
4080 
4081 static char *
4082 management_get_peer_info(void *arg, const unsigned long cid)
4083 {
4084  struct multi_context *m = (struct multi_context *) arg;
4085  struct multi_instance *mi = lookup_by_cid(m, cid);
4086  char *ret = NULL;
4087 
4088  if (mi)
4089  {
4090  ret = mi->context.c2.tls_multi->peer_info;
4091  }
4092 
4093  return ret;
4094 }
4095 
4096 #endif /* ifdef ENABLE_MANAGEMENT */
4097 
4098 
4099 void
4100 init_management_callback_multi(struct multi_context *m)
4101 {
4102 #ifdef ENABLE_MANAGEMENT
4103  if (management)
4104  {
4105  struct management_callback cb;
4106  CLEAR(cb);
4107  cb.arg = m;
4108  cb.flags = MCF_SERVER;
4109  cb.status = management_callback_status;
4110  cb.show_net = management_show_net_callback;
4111  cb.kill_by_cn = management_callback_kill_by_cn;
4112  cb.kill_by_addr = management_callback_kill_by_addr;
4113  cb.delete_event = management_delete_event;
4114  cb.n_clients = management_callback_n_clients;
4115  cb.kill_by_cid = management_kill_by_cid;
4116  cb.client_auth = management_client_auth;
4117  cb.client_pending_auth = management_client_pending_auth;
4118  cb.get_peer_info = management_get_peer_info;
4119  management_set_callback(management, &cb);
4120  }
4121 #endif /* ifdef ENABLE_MANAGEMENT */
4122 }
4123 
4124 void
4125 multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4126 {
4127  /* max_clients must be less then max peer-id value */
4128  ASSERT(m->max_clients < MAX_PEER_ID);
4129 
4130  for (int i = 0; i < m->max_clients; ++i)
4131  {
4132  if (!m->instances[i])
4133  {
4134  mi->context.c2.tls_multi->peer_id = i;
4135  m->instances[i] = mi;
4136  break;
4137  }
4138  }
4139 
4140  /* should not really end up here, since multi_create_instance returns null
4141  * if amount of clients exceeds max_clients */
4142  ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4143 }
4144 
4145 
4146 /*
4147  * Top level event loop.
4148  */
4149 void
4150 tunnel_server(struct context *top)
4151 {
4152  ASSERT(top->options.mode == MODE_SERVER);
4153 
4154  if (proto_is_dgram(top->options.ce.proto))
4155  {
4156  tunnel_server_udp(top);
4157  }
4158  else
4159  {
4160  tunnel_server_tcp(top);
4161  }
4162 }
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:471
multi_reap::buckets_per_pass
int buckets_per_pass
Definition: multi.h:54
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2346
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2077
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:188
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition: perf.h:48
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:554
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1270
multi_context::n_clients
int n_clients
Definition: multi.h:182
options::vlan_tagging
bool vlan_tagging
Definition: options.h:692
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:111
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: openvpn-plugin.h:126
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:269
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:101
status_trigger
bool status_trigger(struct status_output *so)
Definition: status.c:133
iroute
Definition: route.h:234
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
multi_instance::halt
bool halt
Definition: multi.h:106
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2550
reflect_filter.h
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition: openvpn-plugin.h:125
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition: ssl_common.h:563
openvpn_sockaddr::addr
union openvpn_sockaddr::@14 addr
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
frame::mss_fix
unsigned int mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
M_INFO
#define M_INFO
Definition: errlevel.h:55
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
compress_options::alg
int alg
Definition: comp.h:66
options::use_peer_id
bool use_peer_id
Definition: options.h:683
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3972
multi_context::route_helper
struct mroute_helper * route_helper
Definition: multi.h:175
M_OPTERR
#define M_OPTERR
Definition: error.h:106
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition: multi.h:290
options::client_connect_script
const char * client_connect_script
Definition: options.h:486
CC_RET_FAILED
@ CC_RET_FAILED
Definition: multi.h:219
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:38
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:460
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:494
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:557
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:294
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:289
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition: multi.h:204
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1011
options::cf_initial_per
int cf_initial_per
Definition: options.h:517
run_command.h
M_ERRNO
#define M_ERRNO
Definition: error.h:100
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:79
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1118
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:141
context_2::to_link
struct buffer to_link
Definition: openvpn.h:383
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:329
multi_context::reaper
struct multi_reap * reaper
Definition: multi.h:176
forward.h
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition: multi.h:124
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition: multi.c:548
plugin_return
Definition: plugin.h:101
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition: openvpn-plugin.h:130
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
gremlin.h
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3757
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition: multi.h:220
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5498
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
context_2::buf
struct buffer buf
Definition: openvpn.h:381
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:303
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition: multi.h:180
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:234
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:525
hash_iterator
Definition: list.h:90
tunnel_server_udp
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:462
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
argv
Definition: argv.h:35
options::enable_c2c
bool enable_c2c
Definition: options.h:510
options::duplicate_cn
bool duplicate_cn
Definition: options.h:511
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1646
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:200
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:671
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:446
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:275
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1698
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
context
Contains all state information for one tunnel.
Definition: openvpn.h:479
es
struct env_set * es
Definition: test_pkcs11.c:120
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:496
hash
Definition: list.h:58
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:673
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:103
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition: multi.h:63
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1431
options::topology
int topology
Definition: options.h:307
key1
static const char *const key1
Definition: cert_data.h:56
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:178
mbuf_set
Definition: mbuf.h:56
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:167
options::dev_type
const char * dev_type
Definition: options.h:304
get_random
long int get_random(void)
Definition: crypto.c:1622
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:114
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:441
multi_instance::gc
struct gc_arena gc
Definition: multi.h:105
options::iroutes
struct iroute * iroutes
Definition: options.h:495
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:537
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:508
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3623
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:82
multi_instance::wakeup
struct timeval wakeup
Definition: multi.h:113
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:464
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:321
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
context_2::es
struct env_set * es
Definition: openvpn.h:426
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2172
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:236
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:434
vlan.h
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1103
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:705
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:287
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:86
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:436
options::mode
int mode
Definition: options.h:247
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:147
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2953
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1761
hash_element::value
void * value
Definition: list.h:47
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition: ssl_common.h:562
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:720
pre_select
void pre_select(struct context *c)
Definition: forward.c:1960
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:182
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:144
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:506
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition: multi.c:4003
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:223
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1617
dmsg
#define dmsg(flags,...)
Definition: error.h:154
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config.h:53
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1230
options::ce
struct connection_entry ce
Definition: options.h:275
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:74
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
openvpn_sockaddr
Definition: socket.h:65
iroute::netbits
int netbits
Definition: route.h:236
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition: socket.h:399
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:493
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:373
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3196
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:480
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2883
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1590
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:573
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3689
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition: multi.h:88
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:163
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:247
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:154
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:79
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:177
multi_context::schedule
struct schedule * schedule
Definition: multi.h:166
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:361
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:244
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1943
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
client_connect_defer_state
Detached client connection state.
Definition: multi.h:70
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:393
frame
Packet geometry parameters.
Definition: mtu.h:98
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
multi_route::addr
struct mroute_addr addr
Definition: multi.h:230
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:588
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:247
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition: ovpn_dco_linux.h:74
multi_route::last_reference
time_t last_reference
Definition: multi.h:238
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:551
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:296
multi_reap::last_call
time_t last_call
Definition: multi.h:55
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:565
mroute_helper::net_len
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3710
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4246
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:247
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3768
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:259
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2902
multi_context::enable_c2c
bool enable_c2c
Definition: multi.h:178
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1722
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:433
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition: reflect_filter.c:86
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:272
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition: ssl_common.h:561
multi_route::instance
struct multi_instance * instance
Definition: multi.h:231
iroute::next
struct iroute * next
Definition: route.h:237
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3207
np
static const char * np(const char *str)
Definition: multi-auth.c:146
multi_context::max_clients
int max_clients
Definition: multi.h:179
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:173
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition: pool.h:37
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:283
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:575
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2269
CLEAR
#define CLEAR(x)
Definition: basic.h:33
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:83
multi_context::cid_counter
unsigned long cid_counter
Definition: multi.h:186
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:610
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:173
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:211
clear_prefix
static void clear_prefix(void)
Definition: multi.h:549
iroute::network
in_addr_t network
Definition: route.h:235
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:484
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:520
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:540
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:443
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:861
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:524
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:527
options::max_clients
int max_clients
Definition: options.h:519
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:693
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4074
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:156
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:668
ssl_verify.h
options::dev
const char * dev
Definition: options.h:303
ASSERT
#define ASSERT(x)
Definition: error.h:201
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition: ssl_common.h:560
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition: ssl.c:1920
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:447
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:192
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2921
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
read
@ read
Definition: interactive.c:209
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:673
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:176
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1102
D_DCO
#define D_DCO
Definition: errlevel.h:94
multi_init
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:292
multi_instance::cc_config
struct buffer_list * cc_config
Definition: multi.h:131
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:289
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:195
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:89
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3986
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:225
options::cf_initial_max
int cf_initial_max
Definition: options.h:516
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:335
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:137
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:604
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2643
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:227
multi_context::status_file_version
int status_file_version
Definition: multi.h:181
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2676
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
BLEN
#define BLEN(buf)
Definition: buffer.h:127
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:238
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:40
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4125
status_reset
void status_reset(struct status_output *so)
Definition: status.c:148
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:187
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:311
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:559
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:505
tunnel_server_tcp
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:789
multi_context::local
struct mroute_addr local
Definition: multi.h:177
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2988
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:288
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:295
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1041
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1917
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:710
options::comp
struct compress_options comp
Definition: options.h:396
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3657
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:255
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4150
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:703
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:602
ANY_OUT
#define ANY_OUT(c)
Definition: forward.h:40
hash_element::key
const void * key
Definition: list.h:48
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:507
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2370
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:513
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:430
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:39
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:171
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1103
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1003
multi_context::cid_hash
struct hash * cid_hash
Definition: multi.h:185
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:49
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:389
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3817
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition: openvpn.h:276
M_WARN
#define M_WARN
Definition: error.h:97
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
plugin_return::n
int n
Definition: plugin.h:103
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:497
perf_pop
static void perf_pop(void)
Definition: perf.h:82
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:478
MF_UNICAST
#define MF_UNICAST
Definition: mbuf.h:46
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:82
D_GREMLIN
#define D_GREMLIN
Definition: errlevel.h:78
mroute_addr::port
in_port_t port
Definition: mroute.h:89
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:83
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:481
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition: multi.h:191
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2609
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:501
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:222
D_MULTI_LOW
#define D_MULTI_LOW
Definition: errlevel.h:86
options
Definition: options.h:236
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:438
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:688
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2975
options::gc
struct gc_arena gc
Definition: options.h:238
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition: sig.c:177
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:721
mroute_helper::cache_generation
unsigned int cache_generation
Definition: mroute.h:132
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5518
multi.h
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:211
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:159
pool_type
pool_type
Definition: pool.h:35
dco_context_t
void * dco_context_t
Definition: dco.h:254
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition: multi.h:125
status_output
Definition: status.h:48
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
mbuf_item::instance
struct multi_instance * instance
Definition: mbuf.h:53
management_callback::arg
void * arg
Definition: manage.h:175
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:485
multi_instance::did_cid_hash
bool did_cid_hash
Definition: multi.h:130
multi_reap
Definition: multi.h:51
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:476
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1450
multi_context::pending
struct multi_instance * pending
Definition: multi.h:189
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:442
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:257
compress_options::flags
unsigned int flags
Definition: comp.h:67
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:507
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:214
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:3022
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition: ovpn_dco_linux.h:72
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:733
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:521
mbuf_buffer::buf
struct buffer buf
Definition: mbuf.h:43
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:336
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:264
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:161
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:308
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:641
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1786
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:753
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:62
argv::gc
struct gc_arena gc
Definition: argv.h:36
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition: multi.h:190
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:188
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition: pool.h:38
dco_set_peer
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition: dco_win.c:272
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1151
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:508
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:233
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition: multi.h:116
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:291
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:321
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1267
multi_route::flags
unsigned int flags
Definition: multi.h:235
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2901
options::status_file_version
int status_file_version
Definition: options.h:390
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
mbuf_item
Definition: mbuf.h:50
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:427
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:117
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition: manage.h:195
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:156
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:501
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:692
mroute_addr::vid
uint16_t vid
Definition: mroute.h:85
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:73
link_socket_info
Definition: socket.h:113
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1401
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:361
REAP_MAX
#define REAP_MAX
Definition: multi.h:569
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:469
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:402
signal_reset
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition: sig.c:266
key_state::mda_key_id
unsigned int mda_key_id
Definition: ssl_common.h:251
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
frame::buf
struct frame::@6 buf
context_2::frame
struct frame frame
Definition: openvpn.h:251
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:240
mroute_addr
Definition: mroute.h:75
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2393
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:571
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3528
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2977
syshead.h
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:175
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:65
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4827
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:246
schedule_entry
Definition: schedule.h:44
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:176
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3905
options::client_config_dir
const char * client_config_dir
Definition: options.h:490
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition: reflect_filter.c:102
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:506
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:376
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
mbuf_buffer
Definition: mbuf.h:41
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:585
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:694
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition: multi.c:1976
mbuf_buffer::flags
unsigned int flags
Definition: mbuf.h:47
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition: ssl.h:107
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:306
route
@ route
Definition: interactive.c:90
multi_route
Definition: multi.h:228
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2226
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
env_set
Definition: env_set.h:42
multi_instance::did_iter
bool did_iter
Definition: multi.h:128
status_flush
void status_flush(struct status_output *so)
Definition: status.c:157
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:256
multi_tcp_free
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:225
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:262
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3043
plugin_list
Definition: plugin.h:94
multi_context
Main OpenVPN server state structure.
Definition: multi.h:155
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4905
counter_format
#define counter_format
Definition: common.h:31
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3714
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4100
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:906
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:440
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3797
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:290
dco.h
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:65
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:226
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:665
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:988
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2646
hash_free
void hash_free(struct hash *hash)
Definition: list.c:63
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
mroute_addr::v6
struct mroute_addr::@1::@4 v6
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:607
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:475
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:4042
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:406
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:248
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition: comp.h:46
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition: multi.h:73
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3962
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:217
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition: errlevel.h:101
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:487
tuntap::local
in_addr_t local
Definition: tun.h:189
schedule_init
struct schedule * schedule_init(void)
Definition: schedule.c:412
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:459
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:382
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:163
multi_tcp_init
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:197
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:473
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition: openvpn-plugin.h:124
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:509
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:257
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition: multi.h:76
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:256
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:76
otime.h
tuntap::dco
dco_context_t dco
Definition: tun.h:234
is_exit_restart
static bool is_exit_restart(int sig)
Definition: multi.c:3811
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition: openvpn.h:273
iroute_ipv6
Definition: route.h:240
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:4082
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3688
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:833
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:437
REAP_DIVISOR
#define REAP_DIVISOR
Definition: multi.h:567
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2820
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:499
management
Definition: manage.h:335
mroute_helper
Definition: mroute.h:131
hash_element
Definition: list.h:45
min_int
static int min_int(int x, int y)
Definition: integer.h:82
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1058
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1019
mroute_addr::type
uint8_t type
Definition: mroute.h:78
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition: multi.h:222
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1678
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2026
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:369
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:190
REAP_MIN
#define REAP_MIN
Definition: multi.h:568
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:208
multi_route::cache_generation
unsigned int cache_generation
Definition: multi.h:237
options::cf_per
int cf_per
Definition: options.h:514
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3931
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2514
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition: mroute.h:70
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:145
rw_handle
Definition: win32.h:77
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1792
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:482
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:465
hash_bucket
Definition: list.h:53
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:62
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:503
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:520
multi_reap::bucket_base
int bucket_base
Definition: multi.h:53
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1046
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition: multi.h:233
now
time_t now
Definition: otime.c:34
multi_instance::did_iroutes
bool did_iroutes
Definition: multi.h:133
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:109
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:65
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:146
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:183
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition: ssl_common.h:564
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:474
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition: ovpn_dco_linux.h:75
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2862
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
ssl_ncp.h
connection_entry::fragment
int fragment
Definition: options.h:132
context_2::from
struct link_socket_actual from
Definition: openvpn.h:248
time_string
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:108
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition: multi.h:494
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:195
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1214
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3324
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition: multi.h:174
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition: ssl_common.h:667
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:664
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:183
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:138
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition: mbuf.h:52
connection_entry::proto
int proto
Definition: options.h:99
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:161
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2723
multi_context::mtcp
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:170
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:481
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:388
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:3001
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:528
options::real_hash_size
int real_hash_size
Definition: options.h:484