OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "gremlin.h"
43 #include "mstats.h"
44 #include "ssl_verify.h"
45 #include "ssl_ncp.h"
46 #include "vlan.h"
47 #include <inttypes.h>
48 
49 #include "memdbg.h"
50 
51 
52 #include "crypto_backend.h"
53 #include "ssl_util.h"
54 #include "dco.h"
55 #include "reflect_filter.h"
56 
57 /*#define MULTI_DEBUG_EVENT_LOOP*/
58 
59 #ifdef MULTI_DEBUG_EVENT_LOOP
60 static const char *
61 id(struct multi_instance *mi)
62 {
63  if (mi)
64  {
65  return tls_common_name(mi->context.c2.tls_multi, false);
66  }
67  else
68  {
69  return "NULL";
70  }
71 }
72 #endif
73 
74 #ifdef ENABLE_MANAGEMENT
75 static void
76 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
77 {
78  buffer_list_free(mi->cc_config);
79  mi->cc_config = cc_config;
80 }
81 #endif
82 
83 static inline void
84 update_mstat_n_clients(const int n_clients)
85 {
86 #ifdef ENABLE_MEMSTATS
87  if (mmap_stats)
88  {
89  mmap_stats->n_clients = n_clients;
90  }
91 #endif
92 }
93 
94 static bool
95 learn_address_script(const struct multi_context *m,
96  const struct multi_instance *mi,
97  const char *op,
98  const struct mroute_addr *addr)
99 {
100  struct gc_arena gc = gc_new();
101  struct env_set *es;
102  bool ret = true;
103  struct plugin_list *plugins;
104 
105  /* get environmental variable source */
106  if (mi && mi->context.c2.es)
107  {
108  es = mi->context.c2.es;
109  }
110  else
111  {
112  es = env_set_create(&gc);
113  }
114 
115  /* get plugin source */
116  if (mi)
117  {
118  plugins = mi->context.plugins;
119  }
120  else
121  {
122  plugins = m->top.plugins;
123  }
124 
125  if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
126  {
127  struct argv argv = argv_new();
128  argv_printf(&argv, "%s %s",
129  op,
130  mroute_addr_print(addr, &gc));
131  if (mi)
132  {
133  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
134  }
135  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
136  {
137  msg(M_WARN, "WARNING: learn-address plugin call failed");
138  ret = false;
139  }
140  argv_free(&argv);
141  }
142 
143  if (m->top.options.learn_address_script)
144  {
145  struct argv argv = argv_new();
146  setenv_str(es, "script_type", "learn-address");
147  argv_parse_cmd(&argv, m->top.options.learn_address_script);
148  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
149  if (mi)
150  {
151  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
152  }
153  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
154  {
155  ret = false;
156  }
157  argv_free(&argv);
158  }
159 
160  gc_free(&gc);
161  return ret;
162 }
163 
164 void
165 multi_ifconfig_pool_persist(struct multi_context *m, bool force)
166 {
167  /* write pool data to file */
168  if (m->ifconfig_pool
169  && m->top.c1.ifconfig_pool_persist
170  && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
171  {
172  ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
173  }
174 }
175 
176 static void
177 multi_reap_range(const struct multi_context *m,
178  int start_bucket,
179  int end_bucket)
180 {
181  struct gc_arena gc = gc_new();
182  struct hash_iterator hi;
183  struct hash_element *he;
184 
185  if (start_bucket < 0)
186  {
187  start_bucket = 0;
188  end_bucket = hash_n_buckets(m->vhash);
189  }
190 
191  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
192  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
193  while ((he = hash_iterator_next(&hi)) != NULL)
194  {
195  struct multi_route *r = (struct multi_route *) he->value;
196  if (!multi_route_defined(m, r))
197  {
198  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
199  mroute_addr_print(&r->addr, &gc));
200  learn_address_script(m, NULL, "delete", &r->addr);
201  multi_route_del(r);
202  hash_iterator_delete_element(&hi);
203  }
204  }
205  hash_iterator_free(&hi);
206  gc_free(&gc);
207 }
208 
209 static void
210 multi_reap_all(const struct multi_context *m)
211 {
212  multi_reap_range(m, -1, 0);
213 }
214 
215 static struct multi_reap *
216 multi_reap_new(int buckets_per_pass)
217 {
218  struct multi_reap *mr;
219  ALLOC_OBJ(mr, struct multi_reap);
220  mr->bucket_base = 0;
221  mr->buckets_per_pass = buckets_per_pass;
222  mr->last_call = now;
223  return mr;
224 }
225 
226 void
227 multi_reap_process_dowork(const struct multi_context *m)
228 {
229  struct multi_reap *mr = m->reaper;
230  if (mr->bucket_base >= hash_n_buckets(m->vhash))
231  {
232  mr->bucket_base = 0;
233  }
234  multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
235  mr->bucket_base += mr->buckets_per_pass;
236  mr->last_call = now;
237 }
238 
239 static void
240 multi_reap_free(struct multi_reap *mr)
241 {
242  free(mr);
243 }
244 
245 /*
246  * How many buckets in vhash to reap per pass.
247  */
248 static int
249 reap_buckets_per_pass(int n_buckets)
250 {
251  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
252 }
253 
254 #ifdef ENABLE_MANAGEMENT
255 
256 static uint32_t
257 cid_hash_function(const void *key, uint32_t iv)
258 {
259  const unsigned long *k = (const unsigned long *)key;
260  return (uint32_t) *k;
261 }
262 
263 static bool
264 cid_compare_function(const void *key1, const void *key2)
265 {
266  const unsigned long *k1 = (const unsigned long *)key1;
267  const unsigned long *k2 = (const unsigned long *)key2;
268  return *k1 == *k2;
269 }
270 
271 #endif
272 
273 #ifdef ENABLE_ASYNC_PUSH
274 static uint32_t
275 /*
276  * inotify watcher descriptors are used as hash value
277  */
278 int_hash_function(const void *key, uint32_t iv)
279 {
280  return (unsigned long)key;
281 }
282 
283 static bool
284 int_compare_function(const void *key1, const void *key2)
285 {
286  return (unsigned long)key1 == (unsigned long)key2;
287 }
288 #endif
289 
290 /*
291  * Main initialization function, init multi_context object.
292  */
293 void
294 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
295 {
296  int dev = DEV_TYPE_UNDEF;
297 
298  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299  t->options.real_hash_size,
300  t->options.virtual_hash_size);
301 
302  /*
303  * Get tun/tap/null device type
304  */
305  dev = dev_type_enum(t->options.dev, t->options.dev_type);
306 
307  /*
308  * Init our multi_context object.
309  */
310  CLEAR(*m);
311 
312  /*
313  * Real address hash table (source port number is
314  * considered to be part of the address). Used
315  * to determine which client sent an incoming packet
316  * which is seen on the TCP/UDP socket.
317  */
318  m->hash = hash_init(t->options.real_hash_size,
319  get_random(),
320  mroute_addr_hash_function,
321  mroute_addr_compare_function);
322 
323  /*
324  * Virtual address hash table. Used to determine
325  * which client to route a packet to.
326  */
327  m->vhash = hash_init(t->options.virtual_hash_size,
328  get_random(),
329  mroute_addr_hash_function,
330  mroute_addr_compare_function);
331 
332  /*
333  * This hash table is a clone of m->hash but with a
334  * bucket size of one so that it can be used
335  * for fast iteration through the list.
336  */
337  m->iter = hash_init(1,
338  get_random(),
339  mroute_addr_hash_function,
340  mroute_addr_compare_function);
341 
342 #ifdef ENABLE_MANAGEMENT
343  m->cid_hash = hash_init(t->options.real_hash_size,
344  0,
345  cid_hash_function,
346  cid_compare_function);
347 #endif
348 
349 #ifdef ENABLE_ASYNC_PUSH
350  /*
351  * Mapping between inotify watch descriptors and
352  * multi_instances.
353  */
354  m->inotify_watchers = hash_init(t->options.real_hash_size,
355  get_random(),
356  int_hash_function,
357  int_compare_function);
358 #endif
359 
360  /*
361  * This is our scheduler, for time-based wakeup
362  * events.
363  */
364  m->schedule = schedule_init();
365 
366  /*
367  * Limit frequency of incoming connections to control
368  * DoS.
369  */
370  m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
371  t->options.cf_per);
372  m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
373  t->options.cf_initial_per);
374 
375  /*
376  * Allocate broadcast/multicast buffer list
377  */
378  m->mbuf = mbuf_init(t->options.n_bcast_buf);
379 
380  /*
381  * Different status file format options are available
382  */
383  m->status_file_version = t->options.status_file_version;
384 
385  /*
386  * Possibly allocate an ifconfig pool, do it
387  * differently based on whether a tun or tap style
388  * tunnel.
389  */
390  if (t->options.ifconfig_pool_defined
391  || t->options.ifconfig_ipv6_pool_defined)
392  {
393  int pool_type = IFCONFIG_POOL_INDIV;
394 
395  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
396  {
397  pool_type = IFCONFIG_POOL_30NET;
398  }
399 
400  m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
401  pool_type,
402  t->options.ifconfig_pool_start,
403  t->options.ifconfig_pool_end,
404  t->options.duplicate_cn,
405  t->options.ifconfig_ipv6_pool_defined,
406  t->options.ifconfig_ipv6_pool_base,
407  t->options.ifconfig_ipv6_pool_netbits );
408 
409  /* reload pool data from file */
410  if (t->c1.ifconfig_pool_persist)
411  {
412  ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
413  }
414  }
415 
416  /*
417  * Help us keep track of routing table.
418  */
419  m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
420 
421  /*
422  * Initialize route and instance reaper.
423  */
424  m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
425 
426  /*
427  * Get local ifconfig address
428  */
429  CLEAR(m->local);
430  ASSERT(t->c1.tuntap);
431  mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
432 
433  /*
434  * Per-client limits
435  */
436  m->max_clients = t->options.max_clients;
437 
438  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
439 
440  /*
441  * Initialize multi-socket TCP I/O wait object
442  */
443  if (tcp_mode)
444  {
445  m->mtcp = multi_tcp_init(t->options.max_clients, &m->max_clients);
446  }
447  m->tcp_queue_limit = t->options.tcp_queue_limit;
448 
449  /*
450  * Allow client <-> client communication, without going through
451  * tun/tap interface and network stack?
452  */
453  m->enable_c2c = t->options.enable_c2c;
454 
455  /* initialize stale routes check timer */
456  if (t->options.stale_routes_check_interval > 0)
457  {
458  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
459  t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
460  event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
461  }
462 
463  m->deferred_shutdown_signal.signal_received = 0;
464 }
465 
466 const char *
467 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
468 {
469  if (mi)
470  {
471  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
472  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
473 
474  if (cn)
475  {
476  buf_printf(&out, "%s/", cn);
477  }
478  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
479  if (mi->context.c2.tls_multi
480  && check_debug_level(D_DCO_DEBUG)
481  && dco_enabled(&mi->context.options))
482  {
483  buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
484  }
485  return BSTR(&out);
486  }
487  else if (null)
488  {
489  return NULL;
490  }
491  else
492  {
493  return "UNDEF";
494  }
495 }
496 
497 static void
498 generate_prefix(struct multi_instance *mi)
499 {
500  struct gc_arena gc = gc_new();
501  const char *prefix = multi_instance_string(mi, true, &gc);
502  if (prefix)
503  {
504  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
505  }
506  else
507  {
508  mi->msg_prefix[0] = '\0';
509  }
510  set_prefix(mi);
511  gc_free(&gc);
512 }
513 
514 void
515 ungenerate_prefix(struct multi_instance *mi)
516 {
517  mi->msg_prefix[0] = '\0';
518  set_prefix(mi);
519 }
520 
521 /*
522  * Tell the route helper about deleted iroutes so
523  * that it can update its mask of currently used
524  * CIDR netlengths.
525  */
526 static void
527 multi_del_iroutes(struct multi_context *m,
528  struct multi_instance *mi)
529 {
530  const struct iroute *ir;
531  const struct iroute_ipv6 *ir6;
532 
533  dco_delete_iroutes(m, mi);
534 
535  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
536  {
537  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
538  {
539  mroute_helper_del_iroute46(m->route_helper, ir->netbits);
540  }
541 
542  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
543  {
544  mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
545  }
546  }
547 }
548 
549 static void
550 setenv_stats(struct multi_context *m, struct context *c)
551 {
552  dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
553 
554  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
555  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
556 }
557 
558 static void
559 multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
560 {
561  /* setenv client real IP address */
562  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
563 
564  /* setenv stats */
565  setenv_stats(m, &mi->context);
566 
567  /* setenv connection duration */
568  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
569 }
570 
571 static void
572 multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
573 {
574  multi_client_disconnect_setenv(m, mi);
575 
576  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
577  {
578  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
579  {
580  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
581  }
582  }
583 
584  if (mi->context.options.client_disconnect_script)
585  {
586  struct argv argv = argv_new();
587  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
588  argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
589  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
590  argv_free(&argv);
591  }
592 #ifdef ENABLE_MANAGEMENT
593  if (management)
594  {
595  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
596  }
597 #endif
598 }
599 
600 void
601 multi_close_instance(struct multi_context *m,
602  struct multi_instance *mi,
603  bool shutdown)
604 {
605  perf_push(PERF_MULTI_CLOSE_INSTANCE);
606 
607  ASSERT(!mi->halt);
608  mi->halt = true;
609 
610  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
611 
612  /* adjust current client connection count */
613  m->n_clients += mi->n_clients_delta;
614  update_mstat_n_clients(m->n_clients);
615  mi->n_clients_delta = 0;
616 
617  /* prevent dangling pointers */
618  if (m->pending == mi)
619  {
620  multi_set_pending(m, NULL);
621  }
622  if (m->earliest_wakeup == mi)
623  {
624  m->earliest_wakeup = NULL;
625  }
626 
627  if (!shutdown)
628  {
629  if (mi->did_real_hash)
630  {
631  ASSERT(hash_remove(m->hash, &mi->real));
632  }
633  if (mi->did_iter)
634  {
635  ASSERT(hash_remove(m->iter, &mi->real));
636  }
637 #ifdef ENABLE_MANAGEMENT
638  if (mi->did_cid_hash)
639  {
640  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
641  }
642 #endif
643 
644 #ifdef ENABLE_ASYNC_PUSH
645  if (mi->inotify_watch != -1)
646  {
647  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
648  mi->inotify_watch = -1;
649  }
650 #endif
651 
652  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
653  {
654  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
655  }
656 
657  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
658 
659  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
660 
661  if (mi->did_iroutes)
662  {
663  multi_del_iroutes(m, mi);
664  mi->did_iroutes = false;
665  }
666 
667  if (m->mtcp)
668  {
669  multi_tcp_dereference_instance(m->mtcp, mi);
670  }
671 
672  mbuf_dereference_instance(m->mbuf, mi);
673  }
674 
675 #ifdef ENABLE_MANAGEMENT
676  set_cc_config(mi, NULL);
677 #endif
678 
679  if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
680  {
681  multi_client_disconnect_script(m, mi);
682  }
683 
684  close_context(&mi->context, SIGTERM, CC_GC_FREE);
685 
686  multi_tcp_instance_specific_free(mi);
687 
688  ungenerate_prefix(mi);
689 
690  /*
691  * Don't actually delete the instance memory allocation yet,
692  * because virtual routes may still point to it. Let the
693  * vhash reaper deal with it.
694  */
695  multi_instance_dec_refcount(mi);
696 
697  perf_pop();
698 }
699 
700 /*
701  * Called on shutdown or restart.
702  */
703 void
704 multi_uninit(struct multi_context *m)
705 {
706  if (m->hash)
707  {
708  struct hash_iterator hi;
709  struct hash_element *he;
710 
711  hash_iterator_init(m->iter, &hi);
712  while ((he = hash_iterator_next(&hi)))
713  {
714  struct multi_instance *mi = (struct multi_instance *) he->value;
715  mi->did_iter = false;
716  multi_close_instance(m, mi, true);
717  }
718  hash_iterator_free(&hi);
719 
720  multi_reap_all(m);
721 
722  hash_free(m->hash);
723  hash_free(m->vhash);
724  hash_free(m->iter);
725 #ifdef ENABLE_MANAGEMENT
726  hash_free(m->cid_hash);
727 #endif
728  m->hash = NULL;
729 
730  free(m->instances);
731 
732 #ifdef ENABLE_ASYNC_PUSH
733  hash_free(m->inotify_watchers);
734  m->inotify_watchers = NULL;
735 #endif
736 
737  schedule_free(m->schedule);
738  mbuf_free(m->mbuf);
739  ifconfig_pool_free(m->ifconfig_pool);
740  frequency_limit_free(m->new_connection_limiter);
741  initial_rate_limit_free(m->initial_rate_limiter);
742  multi_reap_free(m->reaper);
743  mroute_helper_free(m->route_helper);
744  multi_tcp_free(m->mtcp);
745  }
746 }
747 
748 /*
749  * Create a client instance object for a newly connected client.
750  */
751 struct multi_instance *
752 multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
753 {
754  struct gc_arena gc = gc_new();
755  struct multi_instance *mi;
756 
757  perf_push(PERF_MULTI_CREATE_INSTANCE);
758 
759  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
760 
761  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
762 
763  mi->gc = gc_new();
764  multi_instance_inc_refcount(mi);
765  mi->vaddr_handle = -1;
766  mi->created = now;
767  mroute_addr_init(&mi->real);
768 
769  if (real)
770  {
771  mi->real = *real;
772  generate_prefix(mi);
773  }
774 
775  inherit_context_child(&mi->context, &m->top);
776  if (IS_SIG(&mi->context))
777  {
778  goto err;
779  }
780 
781  mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
782 
783  if (hash_n_elements(m->hash) >= m->max_clients)
784  {
785  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
786  goto err;
787  }
788 
789  if (!real) /* TCP mode? */
790  {
791  if (!multi_tcp_instance_specific_init(m, mi))
792  {
793  goto err;
794  }
795  generate_prefix(mi);
796  }
797 
798  if (!hash_add(m->iter, &mi->real, mi, false))
799  {
800  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
801  mroute_addr_print(&mi->real, &gc));
802  goto err;
803  }
804  mi->did_iter = true;
805 
806 #ifdef ENABLE_MANAGEMENT
807  do
808  {
809  mi->context.c2.mda_context.cid = m->cid_counter++;
810  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
811  mi->did_cid_hash = true;
812 #endif
813 
814  mi->context.c2.push_request_received = false;
815 #ifdef ENABLE_ASYNC_PUSH
816  mi->inotify_watch = -1;
817 #endif
818 
819  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
820  {
821  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
822  goto err;
823  }
824 
825  perf_pop();
826  gc_free(&gc);
827  return mi;
828 
829 err:
830  multi_close_instance(m, mi, false);
831  perf_pop();
832  gc_free(&gc);
833  return NULL;
834 }
835 
836 /*
837  * Dump tables -- triggered by SIGUSR2.
838  * If status file is defined, write to file.
839  * If status file is NULL, write to syslog.
840  */
841 void
842 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
843 {
844  if (m->hash)
845  {
846  struct gc_arena gc_top = gc_new();
847  struct hash_iterator hi;
848  const struct hash_element *he;
849 
850  status_reset(so);
851 
852  dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
853 
854  if (version == 1)
855  {
856  /*
857  * Status file version 1
858  */
859  status_printf(so, "OpenVPN CLIENT LIST");
860  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
861  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
862  hash_iterator_init(m->hash, &hi);
863  while ((he = hash_iterator_next(&hi)))
864  {
865  struct gc_arena gc = gc_new();
866  const struct multi_instance *mi = (struct multi_instance *) he->value;
867 
868  if (!mi->halt)
869  {
870  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
871  tls_common_name(mi->context.c2.tls_multi, false),
872  mroute_addr_print(&mi->real, &gc),
873  mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
874  mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
875  time_string(mi->created, 0, false, &gc));
876  }
877  gc_free(&gc);
878  }
879  hash_iterator_free(&hi);
880 
881  status_printf(so, "ROUTING TABLE");
882  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
883  hash_iterator_init(m->vhash, &hi);
884  while ((he = hash_iterator_next(&hi)))
885  {
886  struct gc_arena gc = gc_new();
887  const struct multi_route *route = (struct multi_route *) he->value;
888 
889  if (multi_route_defined(m, route))
890  {
891  const struct multi_instance *mi = route->instance;
892  const struct mroute_addr *ma = &route->addr;
893  char flags[2] = {0, 0};
894 
895  if (route->flags & MULTI_ROUTE_CACHE)
896  {
897  flags[0] = 'C';
898  }
899  status_printf(so, "%s%s,%s,%s,%s",
900  mroute_addr_print(ma, &gc),
901  flags,
902  tls_common_name(mi->context.c2.tls_multi, false),
903  mroute_addr_print(&mi->real, &gc),
904  time_string(route->last_reference, 0, false, &gc));
905  }
906  gc_free(&gc);
907  }
908  hash_iterator_free(&hi);
909 
910  status_printf(so, "GLOBAL STATS");
911  if (m->mbuf)
912  {
913  status_printf(so, "Max bcast/mcast queue length,%d",
914  mbuf_maximum_queued(m->mbuf));
915  }
916 
917  status_printf(so, "END");
918  }
919  else if (version == 2 || version == 3)
920  {
921  const char sep = (version == 3) ? '\t' : ',';
922 
923  /*
924  * Status file version 2 and 3
925  */
926  status_printf(so, "TITLE%c%s", sep, title_string);
927  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
928  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
929  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
930  hash_iterator_init(m->hash, &hi);
931  while ((he = hash_iterator_next(&hi)))
932  {
933  struct gc_arena gc = gc_new();
934  const struct multi_instance *mi = (struct multi_instance *) he->value;
935 
936  if (!mi->halt)
937  {
938  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
939 #ifdef ENABLE_MANAGEMENT
940  "%lu"
941 #else
942  ""
943 #endif
944  "%c%" PRIu32 "%c%s",
945  sep, tls_common_name(mi->context.c2.tls_multi, false),
946  sep, mroute_addr_print(&mi->real, &gc),
947  sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
948  sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
949  sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
950  sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
951  sep, time_string(mi->created, 0, false, &gc),
952  sep, (unsigned int)mi->created,
953  sep, tls_username(mi->context.c2.tls_multi, false),
954 #ifdef ENABLE_MANAGEMENT
955  sep, mi->context.c2.mda_context.cid,
956 #else
957  sep,
958 #endif
959  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
960  sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
961  }
962  gc_free(&gc);
963  }
964  hash_iterator_free(&hi);
965 
966  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
967  sep, sep, sep, sep, sep, sep);
968  hash_iterator_init(m->vhash, &hi);
969  while ((he = hash_iterator_next(&hi)))
970  {
971  struct gc_arena gc = gc_new();
972  const struct multi_route *route = (struct multi_route *) he->value;
973 
974  if (multi_route_defined(m, route))
975  {
976  const struct multi_instance *mi = route->instance;
977  const struct mroute_addr *ma = &route->addr;
978  char flags[2] = {0, 0};
979 
980  if (route->flags & MULTI_ROUTE_CACHE)
981  {
982  flags[0] = 'C';
983  }
984  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
985  sep, mroute_addr_print(ma, &gc), flags,
986  sep, tls_common_name(mi->context.c2.tls_multi, false),
987  sep, mroute_addr_print(&mi->real, &gc),
988  sep, time_string(route->last_reference, 0, false, &gc),
989  sep, (unsigned int)route->last_reference);
990  }
991  gc_free(&gc);
992  }
993  hash_iterator_free(&hi);
994 
995  if (m->mbuf)
996  {
997  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
998  sep, sep, mbuf_maximum_queued(m->mbuf));
999  }
1000 
1001  status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
1002  status_printf(so, "END");
1003  }
1004  else
1005  {
1006  status_printf(so, "ERROR: bad status format version number");
1007  }
1008 
1009 #ifdef PACKET_TRUNCATION_CHECK
1010  {
1011  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1012  hash_iterator_init(m->hash, &hi);
1013  while ((he = hash_iterator_next(&hi)))
1014  {
1015  struct gc_arena gc = gc_new();
1016  const struct multi_instance *mi = (struct multi_instance *) he->value;
1017 
1018  if (!mi->halt)
1019  {
1020  status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
1021  tls_common_name(mi->context.c2.tls_multi, false),
1022  m->top.c2.n_trunc_tun_read,
1023  mi->context.c2.n_trunc_tun_write,
1024  mi->context.c2.n_trunc_pre_encrypt,
1025  mi->context.c2.n_trunc_post_decrypt);
1026  }
1027  gc_free(&gc);
1028  }
1029  hash_iterator_free(&hi);
1030  }
1031 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1032 
1033  status_flush(so);
1034  gc_free(&gc_top);
1035  }
1036 
1037 #ifdef ENABLE_ASYNC_PUSH
1038  if (m->inotify_watchers)
1039  {
1040  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1041  }
1042 #endif
1043 }
1044 
1045 /*
1046  * Learn a virtual address or route.
1047  * The learn will fail if the learn address
1048  * script/plugin fails. In this case the
1049  * return value may be != mi.
1050  * Return the instance which owns this route,
1051  * or NULL if none.
1052  */
1053 static struct multi_instance *
1054 multi_learn_addr(struct multi_context *m,
1055  struct multi_instance *mi,
1056  const struct mroute_addr *addr,
1057  const unsigned int flags)
1058 {
1059  struct hash_element *he;
1060  const uint32_t hv = hash_value(m->vhash, addr);
1061  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1062  struct multi_route *oldroute = NULL;
1063  struct multi_instance *owner = NULL;
1064  struct gc_arena gc = gc_new();
1065 
1066  /* if route currently exists, get the instance which owns it */
1067  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1068  if (he)
1069  {
1070  oldroute = (struct multi_route *) he->value;
1071  }
1072  if (oldroute && multi_route_defined(m, oldroute))
1073  {
1074  owner = oldroute->instance;
1075  }
1076 
1077  /* do we need to add address to hash table? */
1078  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1079  && !mroute_addr_equal(addr, &m->local))
1080  {
1081  struct multi_route *newroute;
1082  bool learn_succeeded = false;
1083 
1084  ALLOC_OBJ(newroute, struct multi_route);
1085  newroute->addr = *addr;
1086  newroute->instance = mi;
1087  newroute->flags = flags;
1088  newroute->last_reference = now;
1089  newroute->cache_generation = 0;
1090 
1091  /* The cache is invalidated when cache_generation is incremented */
1092  if (flags & MULTI_ROUTE_CACHE)
1093  {
1094  newroute->cache_generation = m->route_helper->cache_generation;
1095  }
1096 
1097  if (oldroute) /* route already exists? */
1098  {
1099  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1100  {
1101  learn_succeeded = true;
1102  owner = mi;
1103  multi_instance_inc_refcount(mi);
1104  route_quota_inc(mi);
1105 
1106  /* delete old route */
1107  multi_route_del(oldroute);
1108 
1109  /* modify hash table entry, replacing old route */
1110  he->key = &newroute->addr;
1111  he->value = newroute;
1112  }
1113  }
1114  else
1115  {
1116  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1117  {
1118  learn_succeeded = true;
1119  owner = mi;
1120  multi_instance_inc_refcount(mi);
1121  route_quota_inc(mi);
1122 
1123  /* add new route */
1124  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1125  }
1126  }
1127 
1128  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1129  learn_succeeded ? "" : " FAILED",
1130  mroute_addr_print(&newroute->addr, &gc),
1131  multi_instance_string(mi, false, &gc));
1132 
1133  if (!learn_succeeded)
1134  {
1135  free(newroute);
1136  }
1137  }
1138  gc_free(&gc);
1139 
1140  return owner;
1141 }
1142 
1143 /*
1144  * Get client instance based on virtual address.
1145  */
1146 static struct multi_instance *
1147 multi_get_instance_by_virtual_addr(struct multi_context *m,
1148  const struct mroute_addr *addr,
1149  bool cidr_routing)
1150 {
1151  struct multi_route *route;
1152  struct multi_instance *ret = NULL;
1153 
1154  /* check for local address */
1155  if (mroute_addr_equal(addr, &m->local))
1156  {
1157  return NULL;
1158  }
1159 
1160  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1161 
1162  /* does host route (possible cached) exist? */
1163  if (route && multi_route_defined(m, route))
1164  {
1165  struct multi_instance *mi = route->instance;
1166  route->last_reference = now;
1167  ret = mi;
1168  }
1169  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1170  {
1171  struct mroute_helper *rh = m->route_helper;
1172  struct mroute_addr tryaddr;
1173  int i;
1174 
1175  /* cycle through each CIDR length */
1176  for (i = 0; i < rh->n_net_len; ++i)
1177  {
1178  tryaddr = *addr;
1179  tryaddr.type |= MR_WITH_NETBITS;
1180  tryaddr.netbits = rh->net_len[i];
1181  mroute_addr_mask_host_bits(&tryaddr);
1182 
1183  /* look up a possible route with netbits netmask */
1184  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1185 
1186  if (route && multi_route_defined(m, route))
1187  {
1188  /* found an applicable route, cache host route */
1189  struct multi_instance *mi = route->instance;
1190  multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1191  ret = mi;
1192  break;
1193  }
1194  }
1195  }
1196 
1197 #ifdef ENABLE_DEBUG
1198  if (check_debug_level(D_MULTI_DEBUG))
1199  {
1200  struct gc_arena gc = gc_new();
1201  const char *addr_text = mroute_addr_print(addr, &gc);
1202  if (ret)
1203  {
1204  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1205  addr_text,
1206  multi_instance_string(ret, false, &gc),
1207  mroute_addr_print(&route->addr, &gc));
1208  }
1209  else
1210  {
1211  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1212  addr_text);
1213  }
1214  gc_free(&gc);
1215  }
1216 #endif
1217 
1218  ASSERT(!(ret && ret->halt));
1219  return ret;
1220 }
1221 
1222 /*
1223  * Helper function to multi_learn_addr().
1224  */
1225 static struct multi_instance *
1226 multi_learn_in_addr_t(struct multi_context *m,
1227  struct multi_instance *mi,
1228  in_addr_t a,
1229  int netbits, /* -1 if host route, otherwise # of network bits in address */
1230  bool primary)
1231 {
1232  struct openvpn_sockaddr remote_si;
1233  struct mroute_addr addr;
1234 
1235  CLEAR(remote_si);
1236  remote_si.addr.in4.sin_family = AF_INET;
1237  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1238  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1239 
1240  if (netbits >= 0)
1241  {
1242  addr.type |= MR_WITH_NETBITS;
1243  addr.netbits = (uint8_t) netbits;
1244  }
1245 
1246  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1247 #ifdef ENABLE_MANAGEMENT
1248  if (management && owner)
1249  {
1250  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1251  }
1252 #endif
1253  if (!primary)
1254  {
1255  /* "primary" is the VPN ifconfig address of the peer and already
1256  * known to DCO, so only install "extra" iroutes (primary = false)
1257  */
1258  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1259  dco_install_iroute(m, mi, &addr);
1260  }
1261 
1262  return owner;
1263 }
1264 
1265 static struct multi_instance *
1266 multi_learn_in6_addr(struct multi_context *m,
1267  struct multi_instance *mi,
1268  struct in6_addr a6,
1269  int netbits, /* -1 if host route, otherwise # of network bits in address */
1270  bool primary)
1271 {
1272  struct mroute_addr addr;
1273 
1274  addr.len = 16;
1275  addr.type = MR_ADDR_IPV6;
1276  addr.netbits = 0;
1277  addr.v6.addr = a6;
1278 
1279  if (netbits >= 0)
1280  {
1281  addr.type |= MR_WITH_NETBITS;
1282  addr.netbits = (uint8_t) netbits;
1283  mroute_addr_mask_host_bits( &addr );
1284  }
1285 
1286  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1287 #ifdef ENABLE_MANAGEMENT
1288  if (management && owner)
1289  {
1290  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1291  }
1292 #endif
1293  if (!primary)
1294  {
1295  /* "primary" is the VPN ifconfig address of the peer and already
1296  * known to DCO, so only install "extra" iroutes (primary = false)
1297  */
1298  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1299  dco_install_iroute(m, mi, &addr);
1300  }
1301 
1302  return owner;
1303 }
1304 
1305 /*
1306  * A new client has connected, add routes (server -> client)
1307  * to internal routing table.
1308  */
1309 static void
1310 multi_add_iroutes(struct multi_context *m,
1311  struct multi_instance *mi)
1312 {
1313  struct gc_arena gc = gc_new();
1314  const struct iroute *ir;
1315  const struct iroute_ipv6 *ir6;
1316  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1317  {
1318  mi->did_iroutes = true;
1319  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1320  {
1321  if (ir->netbits >= 0)
1322  {
1323  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1324  print_in_addr_t(ir->network, 0, &gc),
1325  ir->netbits,
1326  multi_instance_string(mi, false, &gc));
1327  }
1328  else
1329  {
1330  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1331  print_in_addr_t(ir->network, 0, &gc),
1332  multi_instance_string(mi, false, &gc));
1333  }
1334 
1335  mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1336 
1337  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1338  }
1339  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1340  {
1341  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1342  print_in6_addr(ir6->network, 0, &gc),
1343  ir6->netbits,
1344  multi_instance_string(mi, false, &gc));
1345 
1346  mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1347 
1348  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1349  }
1350  }
1351  gc_free(&gc);
1352 }
1353 
1354 /*
1355  * Given an instance (new_mi), delete all other instances which use the
1356  * same common name.
1357  */
1358 static void
1359 multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1360 {
1361  if (new_mi)
1362  {
1363  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1364  if (new_cn)
1365  {
1366  struct hash_iterator hi;
1367  struct hash_element *he;
1368  int count = 0;
1369 
1370  hash_iterator_init(m->iter, &hi);
1371  while ((he = hash_iterator_next(&hi)))
1372  {
1373  struct multi_instance *mi = (struct multi_instance *) he->value;
1374  if (mi != new_mi && !mi->halt)
1375  {
1376  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1377  if (cn && !strcmp(cn, new_cn))
1378  {
1379  mi->did_iter = false;
1380  multi_close_instance(m, mi, false);
1381  hash_iterator_delete_element(&hi);
1382  ++count;
1383  }
1384  }
1385  }
1386  hash_iterator_free(&hi);
1387 
1388  if (count)
1389  {
1390  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1391  }
1392  }
1393  }
1394 }
1395 
1396 static void
1397 check_stale_routes(struct multi_context *m)
1398 {
1399 
1400  struct gc_arena gc = gc_new();
1401  struct hash_iterator hi;
1402  struct hash_element *he;
1403 
1404  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1405  hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1406  while ((he = hash_iterator_next(&hi)) != NULL)
1407  {
1408  struct multi_route *r = (struct multi_route *) he->value;
1409  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1410  {
1411  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1412  mroute_addr_print(&r->addr, &gc));
1413  learn_address_script(m, NULL, "delete", &r->addr);
1414  multi_route_del(r);
1415  hash_iterator_delete_element(&hi);
1416  }
1417  }
1418  hash_iterator_free(&hi);
1419  gc_free(&gc);
1420 }
1421 
1422 /*
1423  * Ensure that endpoint to be pushed to client
1424  * complies with --ifconfig-push-constraint directive.
1425  */
1426 static bool
1427 ifconfig_push_constraint_satisfied(const struct context *c)
1428 {
1429  const struct options *o = &c->options;
1430  if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1431  {
1432  return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1433  }
1434  else
1435  {
1436  return true;
1437  }
1438 }
1439 
1440 /*
1441  * Select a virtual address for a new client instance.
1442  * Use an --ifconfig-push directive, if given (static IP).
1443  * Otherwise use an --ifconfig-pool address (dynamic IP).
1444  */
1445 static void
1446 multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1447 {
1448  struct gc_arena gc = gc_new();
1449 
1450  /*
1451  * If ifconfig addresses were set by dynamic config file,
1452  * release pool addresses, otherwise keep them.
1453  */
1454  if (mi->context.options.push_ifconfig_defined)
1455  {
1456  /* ifconfig addresses were set statically,
1457  * release dynamic allocation */
1458  if (mi->vaddr_handle >= 0)
1459  {
1460  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1461  mi->vaddr_handle = -1;
1462  }
1463 
1464  mi->context.c2.push_ifconfig_defined = true;
1465  mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1466  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1467  mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1468 
1469  /* the current implementation does not allow "static IPv4, pool IPv6",
1470  * (see below) so issue a warning if that happens - don't break the
1471  * session, though, as we don't even know if this client WANTS IPv6
1472  */
1473  if (mi->context.options.ifconfig_ipv6_pool_defined
1474  && !mi->context.options.push_ifconfig_ipv6_defined)
1475  {
1476  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1477  }
1478  }
1479  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1480  {
1481  in_addr_t local = 0, remote = 0;
1482  struct in6_addr remote_ipv6;
1483  const char *cn = NULL;
1484 
1485  if (!mi->context.options.duplicate_cn)
1486  {
1487  cn = tls_common_name(mi->context.c2.tls_multi, true);
1488  }
1489 
1490  CLEAR(remote_ipv6);
1491  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1492  if (mi->vaddr_handle >= 0)
1493  {
1494  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1495  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1496 
1497  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1498  (mi->context.options.ifconfig_pool_defined
1499  ? print_in_addr_t(remote, 0, &gc)
1500  : "(Not enabled)"),
1501  (mi->context.options.ifconfig_ipv6_pool_defined
1502  ? print_in6_addr( remote_ipv6, 0, &gc )
1503  : "(Not enabled)") );
1504 
1505  if (mi->context.options.ifconfig_pool_defined)
1506  {
1507  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1508  mi->context.c2.push_ifconfig_local = remote;
1509  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1510  {
1511  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1512  if (!mi->context.c2.push_ifconfig_remote_netmask)
1513  {
1514  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1515  }
1516  }
1517  else if (tunnel_type == DEV_TYPE_TUN)
1518  {
1519  if (tunnel_topology == TOP_P2P)
1520  {
1521  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1522  }
1523  else if (tunnel_topology == TOP_NET30)
1524  {
1525  mi->context.c2.push_ifconfig_remote_netmask = local;
1526  }
1527  }
1528 
1529  if (mi->context.c2.push_ifconfig_remote_netmask)
1530  {
1531  mi->context.c2.push_ifconfig_defined = true;
1532  }
1533  else
1534  {
1535  msg(D_MULTI_ERRORS,
1536  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1537  multi_instance_string(mi, false, &gc));
1538  }
1539  }
1540 
1541  if (mi->context.options.ifconfig_ipv6_pool_defined)
1542  {
1543  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1544  mi->context.c2.push_ifconfig_ipv6_remote =
1545  mi->context.c1.tuntap->local_ipv6;
1546  mi->context.c2.push_ifconfig_ipv6_netbits =
1547  mi->context.options.ifconfig_ipv6_netbits;
1548  mi->context.c2.push_ifconfig_ipv6_defined = true;
1549  }
1550  }
1551  else
1552  {
1553  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1554  }
1555  }
1556 
1557  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1558  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1559  * will fail (because no pool will be allocated in this case).
1560  * OTOH, this doesn't make too much sense in reality - and the other
1561  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1562  * -> and so it's implemented right now
1563  */
1564  if (mi->context.options.push_ifconfig_ipv6_defined)
1565  {
1566  mi->context.c2.push_ifconfig_ipv6_local =
1567  mi->context.options.push_ifconfig_ipv6_local;
1568  mi->context.c2.push_ifconfig_ipv6_remote =
1569  mi->context.options.push_ifconfig_ipv6_remote;
1570  mi->context.c2.push_ifconfig_ipv6_netbits =
1571  mi->context.options.push_ifconfig_ipv6_netbits;
1572  mi->context.c2.push_ifconfig_ipv6_defined = true;
1573 
1574  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1575  print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1576  mi->context.c2.push_ifconfig_ipv6_netbits );
1577  }
1578 
1579  gc_free(&gc);
1580 }
1581 
1582 /*
1583  * Set virtual address environmental variables.
1584  */
1585 static void
1586 multi_set_virtual_addr_env(struct multi_instance *mi)
1587 {
1588  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1589  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1590  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1591 
1592  if (mi->context.c2.push_ifconfig_defined)
1593  {
1594  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1595  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1596 
1597  setenv_in_addr_t(mi->context.c2.es,
1598  "ifconfig_pool_remote_ip",
1599  mi->context.c2.push_ifconfig_local,
1600  SA_SET_IF_NONZERO);
1601 
1602  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1603  {
1604  setenv_in_addr_t(mi->context.c2.es,
1605  "ifconfig_pool_netmask",
1606  mi->context.c2.push_ifconfig_remote_netmask,
1607  SA_SET_IF_NONZERO);
1608  }
1609  else if (tunnel_type == DEV_TYPE_TUN)
1610  {
1611  setenv_in_addr_t(mi->context.c2.es,
1612  "ifconfig_pool_local_ip",
1613  mi->context.c2.push_ifconfig_remote_netmask,
1614  SA_SET_IF_NONZERO);
1615  }
1616  }
1617 
1618  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1619  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1620  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1621 
1622  if (mi->context.c2.push_ifconfig_ipv6_defined)
1623  {
1624  setenv_in6_addr(mi->context.c2.es,
1625  "ifconfig_pool_remote",
1626  &mi->context.c2.push_ifconfig_ipv6_local,
1627  SA_SET_IF_NONZERO);
1628  setenv_in6_addr(mi->context.c2.es,
1629  "ifconfig_pool_local",
1630  &mi->context.c2.push_ifconfig_ipv6_remote,
1631  SA_SET_IF_NONZERO);
1632  setenv_int(mi->context.c2.es,
1633  "ifconfig_pool_ip6_netbits",
1634  mi->context.c2.push_ifconfig_ipv6_netbits);
1635  }
1636 }
1637 
1638 /*
1639  * Called after client-connect script is called
1640  */
1641 static void
1642 multi_client_connect_post(struct multi_context *m,
1643  struct multi_instance *mi,
1644  const char *dc_file,
1645  unsigned int *option_types_found)
1646 {
1647  /* Did script generate a dynamic config file? */
1648  if (platform_test_file(dc_file))
1649  {
1650  options_server_import(&mi->context.options,
1651  dc_file,
1652  D_IMPORT_ERRORS|M_OPTERR,
1653  CLIENT_CONNECT_OPT_MASK,
1654  option_types_found,
1655  mi->context.c2.es);
1656 
1657  /*
1658  * If the --client-connect script generates a config file
1659  * with an --ifconfig-push directive, it will override any
1660  * --ifconfig-push directive from the --client-config-dir
1661  * directory or any --ifconfig-pool dynamic address.
1662  */
1663  multi_select_virtual_addr(m, mi);
1664  multi_set_virtual_addr_env(mi);
1665  }
1666 }
1667 
1668 #ifdef ENABLE_PLUGIN
1669 
1670 /*
1671  * Called after client-connect plug-in is called
1672  */
1673 static void
1674 multi_client_connect_post_plugin(struct multi_context *m,
1675  struct multi_instance *mi,
1676  const struct plugin_return *pr,
1677  unsigned int *option_types_found)
1678 {
1679  struct plugin_return config;
1680 
1681  plugin_return_get_column(pr, &config, "config");
1682 
1683  /* Did script generate a dynamic config file? */
1684  if (plugin_return_defined(&config))
1685  {
1686  int i;
1687  for (i = 0; i < config.n; ++i)
1688  {
1689  if (config.list[i] && config.list[i]->value)
1690  {
1691  options_string_import(&mi->context.options,
1692  config.list[i]->value,
1693  D_IMPORT_ERRORS|M_OPTERR,
1694  CLIENT_CONNECT_OPT_MASK,
1695  option_types_found,
1696  mi->context.c2.es);
1697  }
1698  }
1699 
1700  /*
1701  * If the --client-connect script generates a config file
1702  * with an --ifconfig-push directive, it will override any
1703  * --ifconfig-push directive from the --client-config-dir
1704  * directory or any --ifconfig-pool dynamic address.
1705  */
1706  multi_select_virtual_addr(m, mi);
1707  multi_set_virtual_addr_env(mi);
1708  }
1709 }
1710 
1711 #endif /* ifdef ENABLE_PLUGIN */
1712 
1713 
1714 /*
1715  * Called to load management-derived client-connect config
1716  */
1717 enum client_connect_return
1718 multi_client_connect_mda(struct multi_context *m,
1719  struct multi_instance *mi,
1720  bool deferred,
1721  unsigned int *option_types_found)
1722 {
1723  /* We never return CC_RET_DEFERRED */
1724  ASSERT(!deferred);
1725  enum client_connect_return ret = CC_RET_SKIPPED;
1726 #ifdef ENABLE_MANAGEMENT
1727  if (mi->cc_config)
1728  {
1729  struct buffer_entry *be;
1730  for (be = mi->cc_config->head; be != NULL; be = be->next)
1731  {
1732  const char *opt = BSTR(&be->buf);
1733  options_string_import(&mi->context.options,
1734  opt,
1735  D_IMPORT_ERRORS|M_OPTERR,
1736  CLIENT_CONNECT_OPT_MASK,
1737  option_types_found,
1738  mi->context.c2.es);
1739  }
1740 
1741  /*
1742  * If the --client-connect script generates a config file
1743  * with an --ifconfig-push directive, it will override any
1744  * --ifconfig-push directive from the --client-config-dir
1745  * directory or any --ifconfig-pool dynamic address.
1746  */
1747  multi_select_virtual_addr(m, mi);
1748  multi_set_virtual_addr_env(mi);
1749 
1750  ret = CC_RET_SUCCEEDED;
1751  }
1752 #endif /* ifdef ENABLE_MANAGEMENT */
1753  return ret;
1754 }
1755 
1756 static void
1757 multi_client_connect_setenv(struct multi_context *m,
1758  struct multi_instance *mi)
1759 {
1760  struct gc_arena gc = gc_new();
1761 
1762  /* setenv incoming cert common name for script */
1763  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1764 
1765  /* setenv client real IP address */
1766  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1767 
1768  /* setenv client virtual IP address */
1769  multi_set_virtual_addr_env(mi);
1770 
1771  /* setenv connection time */
1772  {
1773  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1774  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1775  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1776  }
1777 
1778  gc_free(&gc);
1779 }
1780 
1787 static bool
1788 multi_client_set_protocol_options(struct context *c)
1789 {
1790  struct tls_multi *tls_multi = c->c2.tls_multi;
1791  const char *const peer_info = tls_multi->peer_info;
1792  struct options *o = &c->options;
1793 
1794 
1795  unsigned int proto = extract_iv_proto(peer_info);
1796  if (proto & IV_PROTO_DATA_V2)
1797  {
1798  tls_multi->use_peer_id = true;
1799  o->use_peer_id = true;
1800  }
1801  else if (dco_enabled(o))
1802  {
1803  msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing "
1804  "requires DATA_V2. Dropping client.");
1805  auth_set_client_reason(tls_multi, "Data channel negotiation "
1806  "failed (missing DATA_V2)");
1807  return false;
1808  }
1809 
1810  if (proto & IV_PROTO_REQUEST_PUSH)
1811  {
1812  c->c2.push_request_received = true;
1813  }
1814 
1815 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1816  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1817  {
1818  o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1819  }
1820  if (proto & IV_PROTO_DYN_TLS_CRYPT)
1821  {
1822  o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1823  }
1824 #endif
1825 
1826  if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1827  {
1828  o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1829  }
1830 
1831  /* Select cipher if client supports Negotiable Crypto Parameters */
1832 
1833  /* if we have already created our key, we cannot *change* our own
1834  * cipher -> so log the fact and push the "what we have now" cipher
1835  * (so the client is always told what we expect it to use)
1836  */
1837  if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1838  {
1839  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1840  "server has already generated data channel keys, "
1841  "re-sending previously negotiated cipher '%s'",
1842  o->ciphername );
1843  return true;
1844  }
1845 
1846  /*
1847  * Push the first cipher from --data-ciphers to the client that
1848  * the client announces to be supporting.
1849  */
1850  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1851  tls_multi->remote_ciphername,
1852  &o->gc);
1853 
1854  if (push_cipher)
1855  {
1856  o->ciphername = push_cipher;
1857  return true;
1858  }
1859 
1860  /* NCP cipher negotiation failed. Try to figure out why exactly it
1861  * failed and give good error messages and potentially do a fallback
1862  * for non NCP clients */
1863  struct gc_arena gc = gc_new();
1864  bool ret = false;
1865 
1866  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1867  /* If we are in a situation where we know the client ciphers, there is no
1868  * reason to fall back to a cipher that will not be accepted by the other
1869  * side, in this situation we fail the auth*/
1870  if (strlen(peer_ciphers) > 0)
1871  {
1872  msg(M_INFO, "PUSH: No common cipher between server and client. "
1873  "Server data-ciphers: '%s', client supported ciphers '%s'",
1874  o->ncp_ciphers, peer_ciphers);
1875  }
1876  else if (tls_multi->remote_ciphername)
1877  {
1878  msg(M_INFO, "PUSH: No common cipher between server and client. "
1879  "Server data-ciphers: '%s', client supports cipher '%s'",
1880  o->ncp_ciphers, tls_multi->remote_ciphername);
1881  }
1882  else
1883  {
1884  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1885 
1886  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1887  {
1888  msg(M_INFO, "Using data channel cipher '%s' since "
1889  "--data-ciphers-fallback is set.", o->ciphername);
1890  ret = true;
1891  }
1892  else
1893  {
1894  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1895  "client is using if you want to allow the client to connect");
1896  }
1897  }
1898  if (!ret)
1899  {
1900  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1901  "failed (no shared cipher)");
1902  }
1903 
1904  gc_free(&gc);
1905  return ret;
1906 }
1907 
1912 static void
1913 ccs_delete_deferred_ret_file(struct multi_instance *mi)
1914 {
1915  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1916  if (!ccs->deferred_ret_file)
1917  {
1918  return;
1919  }
1920 
1921  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1922  if (!platform_unlink(ccs->deferred_ret_file))
1923  {
1924  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1925  ccs->deferred_ret_file);
1926  }
1927  free(ccs->deferred_ret_file);
1928  ccs->deferred_ret_file = NULL;
1929 }
1930 
1938 static bool
1939 ccs_gen_deferred_ret_file(struct multi_instance *mi)
1940 {
1941  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1942  struct gc_arena gc = gc_new();
1943  const char *fn;
1944 
1945  /* Delete file if it already exists */
1946  ccs_delete_deferred_ret_file(mi);
1947 
1948  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1949  if (!fn)
1950  {
1951  gc_free(&gc);
1952  return false;
1953  }
1954  ccs->deferred_ret_file = string_alloc(fn, NULL);
1955 
1956  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1957  ccs->deferred_ret_file);
1958 
1959  gc_free(&gc);
1960  return true;
1961 }
1962 
1971 static enum client_connect_return
1972 ccs_test_deferred_ret_file(struct multi_instance *mi)
1973 {
1974  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1975  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1976  if (!fp)
1977  {
1978  return CC_RET_SKIPPED;
1979  }
1980 
1981  enum client_connect_return ret = CC_RET_SKIPPED;
1982  const int c = fgetc(fp);
1983  switch (c)
1984  {
1985  case '0':
1986  ret = CC_RET_FAILED;
1987  break;
1988 
1989  case '1':
1990  ret = CC_RET_SUCCEEDED;
1991  break;
1992 
1993  case '2':
1994  ret = CC_RET_DEFERRED;
1995  break;
1996 
1997  case EOF:
1998  if (feof(fp))
1999  {
2000  ret = CC_RET_SKIPPED;
2001  break;
2002  }
2003 
2004  /* Not EOF but other error -> fall through to error state */
2005  default:
2006  /* We received an unknown/unexpected value. Assume failure. */
2007  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
2008  "client-connect resultfile");
2009  ret = CC_RET_FAILED;
2010  }
2011  fclose(fp);
2012 
2013  return ret;
2014 }
2015 
2021 static void
2022 ccs_delete_config_file(struct multi_instance *mi)
2023 {
2024  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2025  if (ccs->config_file)
2026  {
2027  setenv_del(mi->context.c2.es, "client_connect_config_file");
2028  if (!platform_unlink(ccs->config_file))
2029  {
2030  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2031  ccs->config_file);
2032  }
2033  free(ccs->config_file);
2034  ccs->config_file = NULL;
2035  }
2036 }
2037 
2045 static bool
2046 ccs_gen_config_file(struct multi_instance *mi)
2047 {
2048  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2049  struct gc_arena gc = gc_new();
2050  const char *fn;
2051 
2052  if (ccs->config_file)
2053  {
2054  ccs_delete_config_file(mi);
2055  }
2056 
2057  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2058  if (!fn)
2059  {
2060  gc_free(&gc);
2061  return false;
2062  }
2063  ccs->config_file = string_alloc(fn, NULL);
2064 
2065  setenv_str(mi->context.c2.es, "client_connect_config_file",
2066  ccs->config_file);
2067 
2068  gc_free(&gc);
2069  return true;
2070 }
2071 
2072 static enum client_connect_return
2073 multi_client_connect_call_plugin_v1(struct multi_context *m,
2074  struct multi_instance *mi,
2075  bool deferred,
2076  unsigned int *option_types_found)
2077 {
2078  enum client_connect_return ret = CC_RET_SKIPPED;
2079 #ifdef ENABLE_PLUGIN
2080  ASSERT(m);
2081  ASSERT(mi);
2082  ASSERT(option_types_found);
2083  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2084 
2085  /* deprecated callback, use a file for passing back return info */
2086  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2087  {
2088  struct argv argv = argv_new();
2089  int call;
2090 
2091  if (!deferred)
2092  {
2093  call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2094  if (!ccs_gen_config_file(mi)
2095  || !ccs_gen_deferred_ret_file(mi))
2096  {
2097  ret = CC_RET_FAILED;
2098  goto cleanup;
2099  }
2100  }
2101  else
2102  {
2103  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2104  /* the initial call should have created these files */
2105  ASSERT(ccs->config_file);
2106  ASSERT(ccs->deferred_ret_file);
2107  }
2108 
2109  argv_printf(&argv, "%s", ccs->config_file);
2110  int plug_ret = plugin_call(mi->context.plugins, call,
2111  &argv, NULL, mi->context.c2.es);
2112  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2113  {
2114  ret = CC_RET_SUCCEEDED;
2115  }
2116  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2117  {
2118  ret = CC_RET_DEFERRED;
2124  }
2125  else
2126  {
2127  msg(M_WARN, "WARNING: client-connect plugin call failed");
2128  ret = CC_RET_FAILED;
2129  }
2130 
2131 
2137  int file_ret = ccs_test_deferred_ret_file(mi);
2138 
2139  if (file_ret == CC_RET_FAILED)
2140  {
2141  ret = CC_RET_FAILED;
2142  }
2143  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2144  {
2145  ret = CC_RET_DEFERRED;
2146  }
2147 
2148  /* if we still think we have succeeded, do postprocessing */
2149  if (ret == CC_RET_SUCCEEDED)
2150  {
2151  multi_client_connect_post(m, mi, ccs->config_file,
2152  option_types_found);
2153  }
2154 cleanup:
2155  argv_free(&argv);
2156 
2157  if (ret != CC_RET_DEFERRED)
2158  {
2159  ccs_delete_config_file(mi);
2160  ccs_delete_deferred_ret_file(mi);
2161  }
2162  }
2163 #endif /* ifdef ENABLE_PLUGIN */
2164  return ret;
2165 }
2166 
2167 static enum client_connect_return
2168 multi_client_connect_call_plugin_v2(struct multi_context *m,
2169  struct multi_instance *mi,
2170  bool deferred,
2171  unsigned int *option_types_found)
2172 {
2173  enum client_connect_return ret = CC_RET_SKIPPED;
2174 #ifdef ENABLE_PLUGIN
2175  ASSERT(m);
2176  ASSERT(mi);
2177  ASSERT(option_types_found);
2178 
2179  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2180  OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2181  /* V2 callback, use a plugin_return struct for passing back return info */
2182  if (plugin_defined(mi->context.plugins, call))
2183  {
2184  struct plugin_return pr;
2185 
2186  plugin_return_init(&pr);
2187 
2188  int plug_ret = plugin_call(mi->context.plugins, call,
2189  NULL, &pr, mi->context.c2.es);
2190  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2191  {
2192  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2193  ret = CC_RET_SUCCEEDED;
2194  }
2195  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2196  {
2197  ret = CC_RET_DEFERRED;
2198  if (!(plugin_defined(mi->context.plugins,
2199  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2200  {
2201  msg(M_WARN, "A plugin that defers from the "
2202  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2203  "declare support for "
2204  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2205  ret = CC_RET_FAILED;
2206  }
2207  }
2208  else
2209  {
2210  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2211  ret = CC_RET_FAILED;
2212  }
2213 
2214 
2215  plugin_return_free(&pr);
2216  }
2217 #endif /* ifdef ENABLE_PLUGIN */
2218  return ret;
2219 }
2220 
2221 static enum client_connect_return
2222 multi_client_connect_script_deferred(struct multi_context *m,
2223  struct multi_instance *mi,
2224  unsigned int *option_types_found)
2225 {
2226  ASSERT(mi);
2227  ASSERT(option_types_found);
2228  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2229  enum client_connect_return ret = CC_RET_SKIPPED;
2230 
2231  ret = ccs_test_deferred_ret_file(mi);
2232 
2233  if (ret == CC_RET_SKIPPED)
2234  {
2235  /*
2236  * Skipped and deferred are equivalent in this context.
2237  * skipped means that the called program has not yet
2238  * written a return status implicitly needing more time
2239  * while deferred is the explicit notification that it
2240  * needs more time
2241  */
2242  ret = CC_RET_DEFERRED;
2243  }
2244 
2245  if (ret == CC_RET_SUCCEEDED)
2246  {
2247  ccs_delete_deferred_ret_file(mi);
2248  multi_client_connect_post(m, mi, ccs->config_file,
2249  option_types_found);
2250  ccs_delete_config_file(mi);
2251  }
2252  if (ret == CC_RET_FAILED)
2253  {
2254  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2255  ccs_delete_deferred_ret_file(mi);
2256  ccs_delete_config_file(mi);
2257  }
2258  return ret;
2259 }
2260 
2264 static enum client_connect_return
2265 multi_client_connect_call_script(struct multi_context *m,
2266  struct multi_instance *mi,
2267  bool deferred,
2268  unsigned int *option_types_found)
2269 {
2270  if (deferred)
2271  {
2272  return multi_client_connect_script_deferred(m, mi, option_types_found);
2273  }
2274  ASSERT(m);
2275  ASSERT(mi);
2276 
2277  enum client_connect_return ret = CC_RET_SKIPPED;
2278  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2279 
2280  if (mi->context.options.client_connect_script)
2281  {
2282  struct argv argv = argv_new();
2283  struct gc_arena gc = gc_new();
2284 
2285  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2286 
2287  if (!ccs_gen_config_file(mi)
2288  || !ccs_gen_deferred_ret_file(mi))
2289  {
2290  ret = CC_RET_FAILED;
2291  goto cleanup;
2292  }
2293 
2294  argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2295  argv_printf_cat(&argv, "%s", ccs->config_file);
2296 
2297  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2298  {
2299  if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2300  {
2301  ret = CC_RET_DEFERRED;
2302  }
2303  else
2304  {
2305  multi_client_connect_post(m, mi, ccs->config_file,
2306  option_types_found);
2307  ret = CC_RET_SUCCEEDED;
2308  }
2309  }
2310  else
2311  {
2312  ret = CC_RET_FAILED;
2313  }
2314 cleanup:
2315  if (ret != CC_RET_DEFERRED)
2316  {
2317  ccs_delete_config_file(mi);
2318  ccs_delete_deferred_ret_file(mi);
2319  }
2320  argv_free(&argv);
2321  gc_free(&gc);
2322  }
2323  return ret;
2324 }
2325 
2326 static bool
2327 multi_client_setup_dco_initial(struct multi_context *m,
2328  struct multi_instance *mi,
2329  struct gc_arena *gc)
2330 {
2331  if (!dco_enabled(&mi->context.options))
2332  {
2333  /* DCO not enabled, nothing to do, return sucess */
2334  return true;
2335  }
2336  int ret = dco_multi_add_new_peer(m, mi);
2337  if (ret < 0)
2338  {
2339  msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)",
2340  multi_instance_string(mi, false, gc), strerror(-ret), ret);
2341  return false;
2342  }
2343 
2344  if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix)
2345  {
2346  ret = dco_set_peer(&mi->context.c1.tuntap->dco,
2347  mi->context.c2.tls_multi->dco_peer_id,
2348  mi->context.options.ping_send_timeout,
2349  mi->context.options.ping_rec_timeout,
2350  mi->context.c2.frame.mss_fix);
2351  if (ret < 0)
2352  {
2353  msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s",
2354  multi_instance_string(mi, false, gc),
2355  mi->context.c2.tls_multi->dco_peer_id, strerror(-ret));
2356  return false;
2357  }
2358  }
2359  return true;
2360 }
2361 
2365 static bool
2366 multi_client_generate_tls_keys(struct context *c)
2367 {
2368  struct frame *frame_fragment = NULL;
2369 #ifdef ENABLE_FRAGMENT
2370  if (c->options.ce.fragment)
2371  {
2372  frame_fragment = &c->c2.frame_fragment;
2373  }
2374 #endif
2375  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2376  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2377  &c->c2.frame, frame_fragment,
2378  get_link_socket_info(c)))
2379  {
2380  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2381  register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2382  return false;
2383  }
2384 
2385  return true;
2386 }
2387 
2388 static void
2389 multi_client_connect_late_setup(struct multi_context *m,
2390  struct multi_instance *mi,
2391  const unsigned int option_types_found)
2392 {
2393  ASSERT(m);
2394  ASSERT(mi);
2395 
2396  struct gc_arena gc = gc_new();
2397  /*
2398  * Process sourced options.
2399  */
2400  do_deferred_options(&mi->context, option_types_found);
2401 
2402  /*
2403  * make sure we got ifconfig settings from somewhere
2404  */
2405  if (!mi->context.c2.push_ifconfig_defined)
2406  {
2407  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2408  "--ifconfig address is available for %s",
2409  multi_instance_string(mi, false, &gc));
2410  }
2411 
2412  /*
2413  * make sure that ifconfig settings comply with constraints
2414  */
2415  if (!ifconfig_push_constraint_satisfied(&mi->context))
2416  {
2417  const char *ifconfig_constraint_network =
2418  print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2419  const char *ifconfig_constraint_netmask =
2420  print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2421 
2422  /* JYFIXME -- this should cause the connection to fail */
2423  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2424  "violates tunnel network/netmask constraint (%s/%s)",
2425  multi_instance_string(mi, false, &gc),
2426  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2427  ifconfig_constraint_network, ifconfig_constraint_netmask);
2428  }
2429 
2430  /*
2431  * For routed tunnels, set up internal route to endpoint
2432  * plus add all iroute routes.
2433  */
2434  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2435  {
2436  if (mi->context.c2.push_ifconfig_defined)
2437  {
2438  multi_learn_in_addr_t(m, mi,
2439  mi->context.c2.push_ifconfig_local,
2440  -1, true);
2441  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2442  multi_instance_string(mi, false, &gc),
2443  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2444  }
2445 
2446  if (mi->context.c2.push_ifconfig_ipv6_defined)
2447  {
2448  multi_learn_in6_addr(m, mi,
2449  mi->context.c2.push_ifconfig_ipv6_local,
2450  -1, true);
2451  /* TODO: find out where addresses are "unlearned"!! */
2452  const char *ifconfig_local_ipv6 =
2453  print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2454  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2455  multi_instance_string(mi, false, &gc),
2456  ifconfig_local_ipv6);
2457  }
2458 
2459  /* add routes locally, pointing to new client, if
2460  * --iroute options have been specified */
2461  multi_add_iroutes(m, mi);
2462 
2463  /*
2464  * iroutes represent subnets which are "owned" by a particular
2465  * client. Therefore, do not actually push a route to a client
2466  * if it matches one of the client's iroutes.
2467  */
2468  remove_iroutes_from_push_route_list(&mi->context.options);
2469  }
2470  else if (mi->context.options.iroutes)
2471  {
2472  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2473  "only works with tun-style tunnels",
2474  multi_instance_string(mi, false, &gc));
2475  }
2476 
2477  /* set our client's VPN endpoint for status reporting purposes */
2478  mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2479  mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2480 
2481  /* set context-level authentication flag */
2482  mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2483 
2484  /* authentication complete, calculate dynamic client specific options */
2485  if (!multi_client_set_protocol_options(&mi->context))
2486  {
2487  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2488  }
2489  /* only continue if setting protocol options worked */
2490  else if (!multi_client_setup_dco_initial(m, mi, &gc))
2491  {
2492  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2493  }
2494  /* Generate data channel keys only if setting protocol options
2495  * and DCO initial setup has not failed */
2496  else if (!multi_client_generate_tls_keys(&mi->context))
2497  {
2498  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2499  }
2500 
2501  /* send push reply if ready */
2502  if (mi->context.c2.push_request_received)
2503  {
2504  process_incoming_push_request(&mi->context);
2505  }
2506  gc_free(&gc);
2507 }
2508 
2509 static void
2510 multi_client_connect_early_setup(struct multi_context *m,
2511  struct multi_instance *mi)
2512 {
2513  ASSERT(mi->context.c1.tuntap);
2514  /*
2515  * lock down the common name and cert hashes so they can't change
2516  * during future TLS renegotiations
2517  */
2518  tls_lock_common_name(mi->context.c2.tls_multi);
2519  tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2520 
2521  /* generate a msg() prefix for this client instance */
2522  generate_prefix(mi);
2523 
2524  /* delete instances of previous clients with same common-name */
2525  if (!mi->context.options.duplicate_cn)
2526  {
2527  multi_delete_dup(m, mi);
2528  }
2529 
2530  /* reset pool handle to null */
2531  mi->vaddr_handle = -1;
2532 
2533  /* do --client-connect setenvs */
2534  multi_select_virtual_addr(m, mi);
2535 
2536  multi_client_connect_setenv(m, mi);
2537 }
2538 
2545 static enum client_connect_return
2546 multi_client_connect_compress_migrate(struct multi_context *m,
2547  struct multi_instance *mi,
2548  bool deferred,
2549  unsigned int *option_types_found)
2550 {
2551 #ifdef USE_COMP
2552  struct options *o = &mi->context.options;
2553  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2554 
2555  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2556  {
2557  if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2558  {
2559  push_option(o, "compress stub-v2", M_USAGE);
2560  }
2561  else
2562  {
2563  /* Client is old and does not support STUBv2 but since it
2564  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2565  * switch to that and push the uncompressed variant. */
2566  push_option(o, "comp-lzo no", M_USAGE);
2567  o->comp.alg = COMP_ALG_STUB;
2568  *option_types_found |= OPT_P_COMP;
2569  }
2570  }
2571 #endif
2572  return CC_RET_SUCCEEDED;
2573 }
2574 
2579 static enum client_connect_return
2580 multi_client_connect_source_ccd(struct multi_context *m,
2581  struct multi_instance *mi,
2582  bool deferred,
2583  unsigned int *option_types_found)
2584 {
2585  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2586  * problem */
2587  ASSERT(!deferred);
2588  enum client_connect_return ret = CC_RET_SKIPPED;
2589  if (mi->context.options.client_config_dir)
2590  {
2591  struct gc_arena gc = gc_new();
2592  const char *ccd_file = NULL;
2593 
2594  const char *ccd_client =
2595  platform_gen_path(mi->context.options.client_config_dir,
2596  tls_common_name(mi->context.c2.tls_multi, false),
2597  &gc);
2598 
2599  const char *ccd_default =
2600  platform_gen_path(mi->context.options.client_config_dir,
2601  CCD_DEFAULT, &gc);
2602 
2603 
2604  /* try common-name file */
2605  if (platform_test_file(ccd_client))
2606  {
2607  ccd_file = ccd_client;
2608  }
2609  /* try default file */
2610  else if (platform_test_file(ccd_default))
2611  {
2612  ccd_file = ccd_default;
2613  }
2614 
2615  if (ccd_file)
2616  {
2617  options_server_import(&mi->context.options,
2618  ccd_file,
2619  D_IMPORT_ERRORS|M_OPTERR,
2620  CLIENT_CONNECT_OPT_MASK,
2621  option_types_found,
2622  mi->context.c2.es);
2623  /*
2624  * Select a virtual address from either --ifconfig-push in
2625  * --client-config-dir file or --ifconfig-pool.
2626  */
2627  multi_select_virtual_addr(m, mi);
2628 
2629  multi_client_connect_setenv(m, mi);
2630 
2631  ret = CC_RET_SUCCEEDED;
2632  }
2633  gc_free(&gc);
2634  }
2635  return ret;
2636 }
2637 
2638 typedef enum client_connect_return (*multi_client_connect_handler)
2639  (struct multi_context *m, struct multi_instance *mi,
2640  bool from_deferred, unsigned int *option_types_found);
2641 
2642 static const multi_client_connect_handler client_connect_handlers[] = {
2643  multi_client_connect_compress_migrate,
2644  multi_client_connect_source_ccd,
2645  multi_client_connect_call_plugin_v1,
2646  multi_client_connect_call_plugin_v2,
2647  multi_client_connect_call_script,
2648  multi_client_connect_mda,
2649  NULL,
2650 };
2651 
2652 /*
2653  * Called as soon as the SSL/TLS connection is authenticated.
2654  *
2655  * Will collect the client specific configuration from the different
2656  * sources like ccd files, connect plugins and management interface.
2657  *
2658  * This method starts with cas_context CAS_PENDING and will move the
2659  * state machine to either CAS_SUCCEEDED on success or
2660  * CAS_FAILED/CAS_PARTIAL on failure.
2661  *
2662  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2663  * include:
2664  *
2665  * iroute start-ip end-ip
2666  * ifconfig-push local remote-netmask
2667  * push
2668  *
2669  *
2670  */
2671 static void
2672 multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2673 {
2674  /* We are only called for the CAS_PENDING_x states, so we
2675  * can ignore other states here */
2676  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2677 
2678  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2679  unsigned int *option_types_found =
2680  &mi->client_connect_defer_state.option_types_found;
2681 
2682  /* We are called for the first time */
2683  if (!from_deferred)
2684  {
2685  *cur_handler_index = 0;
2686  *option_types_found = 0;
2687  /* Initially we have no handler that has returned a result */
2688  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2689 
2690  multi_client_connect_early_setup(m, mi);
2691  }
2692 
2693  bool cc_succeeded = true;
2694 
2695  while (cc_succeeded
2696  && client_connect_handlers[*cur_handler_index] != NULL)
2697  {
2698  enum client_connect_return ret;
2699  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2700  option_types_found);
2701 
2702  from_deferred = false;
2703 
2704  switch (ret)
2705  {
2706  case CC_RET_SUCCEEDED:
2707  /*
2708  * Remember that we already had at least one handler
2709  * returning a result should we go to into deferred state
2710  */
2711  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2712  break;
2713 
2714  case CC_RET_SKIPPED:
2715  /*
2716  * Move on with the next handler without modifying any
2717  * other state
2718  */
2719  break;
2720 
2721  case CC_RET_DEFERRED:
2722  /*
2723  * we already set multi_status to DEFERRED_RESULT or
2724  * DEFERRED_NO_RESULT. We just return
2725  * from the function as having multi_status
2726  */
2727  return;
2728 
2729  case CC_RET_FAILED:
2730  /*
2731  * One handler failed. We abort the chain and set the final
2732  * result to failed
2733  */
2734  cc_succeeded = false;
2735  break;
2736 
2737  default:
2738  ASSERT(0);
2739  }
2740 
2741  /*
2742  * Check for "disable" directive in client-config-dir file
2743  * or config file generated by --client-connect script.
2744  */
2745  if (mi->context.options.disable)
2746  {
2747  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2748  "'disable' directive");
2749  cc_succeeded = false;
2750  }
2751 
2752  (*cur_handler_index)++;
2753  }
2754 
2755  /* Check if we have forbidding options in the current mode */
2756  if (dco_enabled(&mi->context.options)
2757  && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2758  {
2759  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2760  cc_succeeded = false;
2761  }
2762 
2763  if (cc_succeeded)
2764  {
2765  multi_client_connect_late_setup(m, mi, *option_types_found);
2766  }
2767  else
2768  {
2769  /* run the disconnect script if we had a connect script that
2770  * did not fail */
2771  if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2772  {
2773  multi_client_disconnect_script(m, mi);
2774  }
2775 
2776  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2777  }
2778 
2779  /* increment number of current authenticated clients */
2780  ++m->n_clients;
2781  update_mstat_n_clients(m->n_clients);
2782  --mi->n_clients_delta;
2783 
2784 #ifdef ENABLE_MANAGEMENT
2785  if (management)
2786  {
2787  management_connection_established(management,
2788  &mi->context.c2.mda_context, mi->context.c2.es);
2789  }
2790 #endif
2791 }
2792 
2793 #ifdef ENABLE_ASYNC_PUSH
2794 /*
2795  * Called when inotify event is fired, which happens when acf
2796  * or connect-status file is closed or deleted.
2797  * Continues authentication and sends push_reply
2798  * (or be deferred again by client-connect)
2799  */
2800 void
2801 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2802 {
2803  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2804  size_t buffer_i = 0;
2805  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2806 
2807  while (buffer_i < r)
2808  {
2809  /* parse inotify events */
2810  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2811  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2812  buffer_i += event_size;
2813 
2814  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2815 
2816  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2817 
2818  if (pevent->mask & IN_CLOSE_WRITE)
2819  {
2820  if (mi)
2821  {
2822  /* continue authentication, perform NCP negotiation and send push_reply */
2823  multi_process_post(m, mi, mpp_flags);
2824  }
2825  else
2826  {
2827  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2828  }
2829  }
2830  else if (pevent->mask & IN_IGNORED)
2831  {
2832  /* this event is _always_ fired when watch is removed or file is deleted */
2833  if (mi)
2834  {
2835  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2836  mi->inotify_watch = -1;
2837  }
2838  }
2839  else
2840  {
2841  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2842  }
2843  }
2844 }
2845 #endif /* ifdef ENABLE_ASYNC_PUSH */
2846 
2847 /*
2848  * Add a mbuf buffer to a particular
2849  * instance.
2850  */
2851 void
2852 multi_add_mbuf(struct multi_context *m,
2853  struct multi_instance *mi,
2854  struct mbuf_buffer *mb)
2855 {
2856  if (multi_output_queue_ready(m, mi))
2857  {
2858  struct mbuf_item item;
2859  item.buffer = mb;
2860  item.instance = mi;
2861  mbuf_add_item(m->mbuf, &item);
2862  }
2863  else
2864  {
2865  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2866  }
2867 }
2868 
2869 /*
2870  * Add a packet to a client instance output queue.
2871  */
2872 static inline void
2873 multi_unicast(struct multi_context *m,
2874  const struct buffer *buf,
2875  struct multi_instance *mi)
2876 {
2877  struct mbuf_buffer *mb;
2878 
2879  if (BLEN(buf) > 0)
2880  {
2881  mb = mbuf_alloc_buf(buf);
2882  mb->flags = MF_UNICAST;
2883  multi_add_mbuf(m, mi, mb);
2884  mbuf_free_buf(mb);
2885  }
2886 }
2887 
2888 /*
2889  * Broadcast a packet to all clients.
2890  */
2891 static void
2892 multi_bcast(struct multi_context *m,
2893  const struct buffer *buf,
2894  const struct multi_instance *sender_instance,
2895  const struct mroute_addr *sender_addr,
2896  uint16_t vid)
2897 {
2898  struct hash_iterator hi;
2899  struct hash_element *he;
2900  struct multi_instance *mi;
2901  struct mbuf_buffer *mb;
2902 
2903  if (BLEN(buf) > 0)
2904  {
2905  perf_push(PERF_MULTI_BCAST);
2906 #ifdef MULTI_DEBUG_EVENT_LOOP
2907  printf("BCAST len=%d\n", BLEN(buf));
2908 #endif
2909  mb = mbuf_alloc_buf(buf);
2910  hash_iterator_init(m->iter, &hi);
2911 
2912  while ((he = hash_iterator_next(&hi)))
2913  {
2914  mi = (struct multi_instance *) he->value;
2915  if (mi != sender_instance && !mi->halt)
2916  {
2917  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2918  {
2919  continue;
2920  }
2921  multi_add_mbuf(m, mi, mb);
2922  }
2923  }
2924 
2925  hash_iterator_free(&hi);
2926  mbuf_free_buf(mb);
2927  perf_pop();
2928  }
2929 }
2930 
2931 /*
2932  * Given a time delta, indicating that we wish to be
2933  * awoken by the scheduler at time now + delta, figure
2934  * a sigma parameter (in microseconds) that represents
2935  * a sort of fuzz factor around delta, so that we're
2936  * really telling the scheduler to wake us up any time
2937  * between now + delta - sigma and now + delta + sigma.
2938  *
2939  * The sigma parameter helps the scheduler to run more efficiently.
2940  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2941  */
2942 static inline unsigned int
2943 compute_wakeup_sigma(const struct timeval *delta)
2944 {
2945  if (delta->tv_sec < 1)
2946  {
2947  /* if < 1 sec, fuzz = # of microseconds / 8 */
2948  return delta->tv_usec >> 3;
2949  }
2950  else
2951  {
2952  /* if < 10 minutes, fuzz = 13.1% of timeout */
2953  if (delta->tv_sec < 600)
2954  {
2955  return delta->tv_sec << 17;
2956  }
2957  else
2958  {
2959  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2960  }
2961  }
2962 }
2963 
2964 static void
2965 multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
2966 {
2967  /* calculate an absolute wakeup time */
2968  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2969  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2970 
2971  /* tell scheduler to wake us up at some point in the future */
2972  schedule_add_entry(m->schedule,
2973  (struct schedule_entry *) mi,
2974  &mi->wakeup,
2975  compute_wakeup_sigma(&mi->context.c2.timeval));
2976 }
2977 
2978 #if defined(ENABLE_ASYNC_PUSH)
2979 static void
2980 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2981  int inotify_fd, const char *file)
2982 {
2983  /* watch acf file */
2984  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2985  IN_CLOSE_WRITE | IN_ONESHOT);
2986  if (watch_descriptor >= 0)
2987  {
2988  if (mi->inotify_watch != -1)
2989  {
2990  hash_remove(m->inotify_watchers,
2991  (void *) (unsigned long)mi->inotify_watch);
2992  }
2993  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2994  mi, true);
2995  mi->inotify_watch = watch_descriptor;
2996  }
2997  else
2998  {
2999  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3000  }
3001 }
3002 #endif /* if defined(ENABLE_ASYNC_PUSH) */
3003 
3004 /*
3005  * Figure instance-specific timers, convert
3006  * earliest to absolute time in mi->wakeup,
3007  * call scheduler with our future wakeup time.
3008  *
3009  * Also close context on signal.
3010  */
3011 bool
3012 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3013 {
3014  bool ret = true;
3015 
3016  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3017  {
3018 #if defined(ENABLE_ASYNC_PUSH)
3019  bool was_unauthenticated = true;
3020  struct key_state *ks = NULL;
3021  if (mi->context.c2.tls_multi)
3022  {
3023  ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3024  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3025  }
3026 #endif
3027 
3028  /* figure timeouts and fetch possible outgoing
3029  * to_link packets (such as ping or TLS control) */
3030  pre_select(&mi->context);
3031 
3032 #if defined(ENABLE_ASYNC_PUSH)
3033  /*
3034  * if we see the state transition from unauthenticated to deferred
3035  * and an auth_control_file, we assume it got just added and add
3036  * inotify watch to that file
3037  */
3038  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3039  && (ks->authenticated == KS_AUTH_DEFERRED))
3040  {
3041  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3042  ks->plugin_auth.auth_control_file);
3043  }
3044  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3045  && (ks->authenticated == KS_AUTH_DEFERRED))
3046  {
3047  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3048  ks->script_auth.auth_control_file);
3049  }
3050 #endif
3051 
3052  if (!IS_SIG(&mi->context))
3053  {
3054  /* connection is "established" when SSL/TLS key negotiation succeeds
3055  * and (if specified) auth user/pass succeeds */
3056 
3057  if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3058  {
3059  multi_connection_established(m, mi);
3060  }
3061 #if defined(ENABLE_ASYNC_PUSH)
3062  if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3063  && mi->client_connect_defer_state.deferred_ret_file)
3064  {
3065  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3066  mi->client_connect_defer_state.
3067  deferred_ret_file);
3068  }
3069 #endif
3070  /* tell scheduler to wake us up at some point in the future */
3071  multi_schedule_context_wakeup(m, mi);
3072  }
3073  }
3074 
3075  if (IS_SIG(&mi->context))
3076  {
3077  if (flags & MPP_CLOSE_ON_SIGNAL)
3078  {
3079  multi_close_instance_on_signal(m, mi);
3080  ret = false;
3081  }
3082  }
3083  else
3084  {
3085  /* continue to pend on output? */
3086  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3087 
3088 #ifdef MULTI_DEBUG_EVENT_LOOP
3089  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3090  id(mi),
3091  (int) (mi == m->pending),
3092  mi ? mi->context.c2.to_tun.len : -1,
3093  mi ? mi->context.c2.to_link.len : -1,
3094  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3095  (int64_t)mi->context.c2.timeval.tv_sec,
3096  (long)mi->context.c2.timeval.tv_usec);
3097 #endif
3098  }
3099 
3100  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3101  {
3102  *m->mpp_touched = mi;
3103  }
3104 
3105  return ret;
3106 }
3107 
3108 void
3109 multi_process_float(struct multi_context *m, struct multi_instance *mi)
3110 {
3111  struct mroute_addr real;
3112  struct hash *hash = m->hash;
3113  struct gc_arena gc = gc_new();
3114 
3115  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3116  {
3117  goto done;
3118  }
3119 
3120  const uint32_t hv = hash_value(hash, &real);
3121  struct hash_bucket *bucket = hash_bucket(hash, hv);
3122 
3123  /* make sure that we don't float to an address taken by another client */
3124  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3125  if (he)
3126  {
3127  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3128 
3129  struct tls_multi *m1 = mi->context.c2.tls_multi;
3130  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3131 
3132  /* do not float if target address is taken by client with another cert */
3133  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3134  {
3135  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3136  multi_instance_string(ex_mi, false, &gc));
3137 
3138  mi->context.c2.buf.len = 0;
3139 
3140  goto done;
3141  }
3142 
3143  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3144  multi_close_instance(m, ex_mi, false);
3145  }
3146 
3147  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3148  mi->context.c2.tls_multi->peer_id,
3149  tls_common_name(mi->context.c2.tls_multi, false),
3150  mroute_addr_print(&mi->real, &gc),
3151  print_link_socket_actual(&m->top.c2.from, &gc));
3152 
3153  /* remove old address from hash table before changing address */
3154  ASSERT(hash_remove(m->hash, &mi->real));
3155  ASSERT(hash_remove(m->iter, &mi->real));
3156 
3157  /* change external network address of the remote peer */
3158  mi->real = real;
3159  generate_prefix(mi);
3160 
3161  mi->context.c2.from = m->top.c2.from;
3162  mi->context.c2.to_link_addr = &mi->context.c2.from;
3163 
3164  /* inherit parent link_socket and link_socket_info */
3165  mi->context.c2.link_socket = m->top.c2.link_socket;
3166  mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from;
3167 
3168  tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3169 
3170  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3171  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3172 
3173 #ifdef ENABLE_MANAGEMENT
3174  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3175 #endif
3176 
3177 done:
3178  gc_free(&gc);
3179 }
3180 
3181 /*
3182  * Called when an instance should be closed due to the
3183  * reception of a soft signal.
3184  */
3185 void
3186 multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3187 {
3188  remap_signal(&mi->context);
3189  set_prefix(mi);
3190  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3191  clear_prefix();
3192  multi_close_instance(m, mi, false);
3193 }
3194 
3195 #if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
3196 static void
3197 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3198 {
3199  mi->context.sig->signal_received = sig;
3200  multi_close_instance_on_signal(m, mi);
3201 }
3202 #endif
3203 
3204 #if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))
3205 static void
3206 process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
3207  dco_context_t *dco)
3208 {
3209  const char *reason = "ovpn-dco: unknown reason";
3210  switch (dco->dco_del_peer_reason)
3211  {
3212  case OVPN_DEL_PEER_REASON_EXPIRED:
3213  reason = "ovpn-dco: ping expired";
3214  break;
3215 
3216  case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3217  reason = "ovpn-dco: transport error";
3218  break;
3219 
3220  case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3221  reason = "ovpn-dco: transport disconnected";
3222  break;
3223 
3224  case OVPN_DEL_PEER_REASON_USERSPACE:
3225  /* We assume that is ourselves. Unfortunately, sometimes these
3226  * events happen with enough delay that they can have an order of
3227  *
3228  * dco_del_peer x
3229  * [new client connecting]
3230  * dco_new_peer x
3231  * event from dco_del_peer arrives.
3232  *
3233  * if we do not ignore this we get desynced with the kernel
3234  * since we assume the peer-id is free again. The other way would
3235  * be to send a dco_del_peer again
3236  */
3237  return;
3238  }
3239 
3240  /* When kernel already deleted the peer, the socket is no longer
3241  * installed, and we do not need to clean up the state in the kernel */
3242  mi->context.c2.tls_multi->dco_peer_id = -1;
3243  mi->context.sig->signal_text = reason;
3244  mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3245  mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3246  multi_signal_instance(m, mi, SIGTERM);
3247 }
3248 
3249 bool
3250 multi_process_incoming_dco(struct multi_context *m)
3251 {
3252  dco_context_t *dco = &m->top.c1.tuntap->dco;
3253 
3254  struct multi_instance *mi = NULL;
3255 
3256  int ret = dco_do_read(&m->top.c1.tuntap->dco);
3257 
3258  int peer_id = dco->dco_message_peer_id;
3259 
3260  /* no peer-specific message delivered -> nothing to process.
3261  * bail out right away
3262  */
3263  if (peer_id < 0)
3264  {
3265  return ret > 0;
3266  }
3267 
3268  if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3269  {
3270  mi = m->instances[peer_id];
3271  if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3272  {
3273  process_incoming_del_peer(m, mi, dco);
3274  }
3275  }
3276  else
3277  {
3278  int msglevel = D_DCO;
3279  if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3280  && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3281  {
3282  /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3283  * after we kill the peer ourselves. This peer may have already
3284  * been deleted, so we end up here.
3285  * In this case, print the following debug message with DCO_DEBUG
3286  * level only to avoid polluting the standard DCO level with this
3287  * harmless event.
3288  */
3289  msglevel = D_DCO_DEBUG;
3290  }
3291  msg(msglevel, "Received DCO message for unknown peer-id: %d, "
3292  "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
3293  dco->dco_del_peer_reason);
3294  }
3295 
3296  dco->dco_message_type = 0;
3297  dco->dco_message_peer_id = -1;
3298  dco->dco_del_peer_reason = -1;
3299  dco->dco_read_bytes = 0;
3300  dco->dco_write_bytes = 0;
3301  return ret > 0;
3302 }
3303 #endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */
3304 
3305 /*
3306  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3307  * i.e. client -> server direction.
3308  */
3309 bool
3310 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3311 {
3312  struct gc_arena gc = gc_new();
3313 
3314  struct context *c;
3315  struct mroute_addr src, dest;
3316  unsigned int mroute_flags;
3317  struct multi_instance *mi;
3318  bool ret = true;
3319  bool floated = false;
3320 
3321  if (m->pending)
3322  {
3323  return true;
3324  }
3325 
3326  if (!instance)
3327  {
3328 #ifdef MULTI_DEBUG_EVENT_LOOP
3329  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3330 #endif
3331  multi_set_pending(m, multi_get_create_instance_udp(m, &floated));
3332  }
3333  else
3334  {
3335  multi_set_pending(m, instance);
3336  }
3337 
3338  if (m->pending)
3339  {
3340  set_prefix(m->pending);
3341 
3342  /* get instance context */
3343  c = &m->pending->context;
3344 
3345  if (!instance)
3346  {
3347  /* transfer packet pointer from top-level context buffer to instance */
3348  c->c2.buf = m->top.c2.buf;
3349 
3350  /* transfer from-addr from top-level context buffer to instance */
3351  if (!floated)
3352  {
3353  c->c2.from = m->top.c2.from;
3354  }
3355  }
3356 
3357  if (BLEN(&c->c2.buf) > 0)
3358  {
3359  struct link_socket_info *lsi;
3360  const uint8_t *orig_buf;
3361 
3362  /* decrypt in instance context */
3363 
3364  perf_push(PERF_PROC_IN_LINK);
3365  lsi = get_link_socket_info(c);
3366  orig_buf = c->c2.buf.data;
3367  if (process_incoming_link_part1(c, lsi, floated))
3368  {
3369  /* nonzero length means that we have a valid, decrypted packed */
3370  if (floated && c->c2.buf.len > 0)
3371  {
3372  multi_process_float(m, m->pending);
3373  }
3374 
3375  process_incoming_link_part2(c, lsi, orig_buf);
3376  }
3377  perf_pop();
3378 
3379  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3380  {
3381  /* extract packet source and dest addresses */
3382  mroute_flags = mroute_extract_addr_from_packet(&src,
3383  &dest,
3384  0,
3385  &c->c2.to_tun,
3386  DEV_TYPE_TUN);
3387 
3388  /* drop packet if extract failed */
3389  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3390  {
3391  c->c2.to_tun.len = 0;
3392  }
3393  /* make sure that source address is associated with this client */
3394  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3395  {
3396  /* IPv6 link-local address (fe80::xxx)? */
3397  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3398  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3399  {
3400  /* do nothing, for now. TODO: add address learning */
3401  }
3402  else
3403  {
3404  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3405  mroute_addr_print(&src, &gc));
3406  }
3407  c->c2.to_tun.len = 0;
3408  }
3409  /* client-to-client communication enabled? */
3410  else if (m->enable_c2c)
3411  {
3412  /* multicast? */
3413  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3414  {
3415  /* for now, treat multicast as broadcast */
3416  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3417  }
3418  else /* possible client to client routing */
3419  {
3420  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3421  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3422 
3423  /* if dest addr is a known client, route to it */
3424  if (mi)
3425  {
3426  {
3427  multi_unicast(m, &c->c2.to_tun, mi);
3428  register_activity(c, BLEN(&c->c2.to_tun));
3429  }
3430  c->c2.to_tun.len = 0;
3431  }
3432  }
3433  }
3434  }
3435  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3436  {
3437  uint16_t vid = 0;
3438 
3439  if (m->top.options.vlan_tagging)
3440  {
3441  if (vlan_is_tagged(&c->c2.to_tun))
3442  {
3443  /* Drop VLAN-tagged frame. */
3444  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3445  c->c2.to_tun.len = 0;
3446  }
3447  else
3448  {
3449  vid = c->options.vlan_pvid;
3450  }
3451  }
3452  /* extract packet source and dest addresses */
3453  mroute_flags = mroute_extract_addr_from_packet(&src,
3454  &dest,
3455  vid,
3456  &c->c2.to_tun,
3457  DEV_TYPE_TAP);
3458 
3459  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3460  {
3461  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3462  {
3463  /* check for broadcast */
3464  if (m->enable_c2c)
3465  {
3466  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3467  {
3468  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3469  vid);
3470  }
3471  else /* try client-to-client routing */
3472  {
3473  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3474 
3475  /* if dest addr is a known client, route to it */
3476  if (mi)
3477  {
3478  multi_unicast(m, &c->c2.to_tun, mi);
3479  register_activity(c, BLEN(&c->c2.to_tun));
3480  c->c2.to_tun.len = 0;
3481  }
3482  }
3483  }
3484  }
3485  else
3486  {
3487  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3488  mroute_addr_print(&src, &gc));
3489  c->c2.to_tun.len = 0;
3490  }
3491  }
3492  else
3493  {
3494  c->c2.to_tun.len = 0;
3495  }
3496  }
3497  }
3498 
3499  /* postprocess and set wakeup */
3500  ret = multi_process_post(m, m->pending, mpp_flags);
3501 
3502  clear_prefix();
3503  }
3504 
3505  gc_free(&gc);
3506  return ret;
3507 }
3508 
3509 /*
3510  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3511  * i.e. server -> client direction.
3512  */
3513 bool
3514 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3515 {
3516  bool ret = true;
3517 
3518  if (BLEN(&m->top.c2.buf) > 0)
3519  {
3520  unsigned int mroute_flags;
3521  struct mroute_addr src, dest;
3522  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3523  int16_t vid = 0;
3524 
3525 
3526 #ifdef MULTI_DEBUG_EVENT_LOOP
3527  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3528 #endif
3529 
3530  if (m->pending)
3531  {
3532  return true;
3533  }
3534 
3535  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3536  {
3537  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3538  if (vid < 0)
3539  {
3540  return false;
3541  }
3542  }
3543 
3544  /*
3545  * Route an incoming tun/tap packet to
3546  * the appropriate multi_instance object.
3547  */
3548 
3549  mroute_flags = mroute_extract_addr_from_packet(&src,
3550  &dest,
3551  vid,
3552  &m->top.c2.buf,
3553  dev_type);
3554 
3555  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3556  {
3557  struct context *c;
3558 
3559  /* broadcast or multicast dest addr? */
3560  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3561  {
3562  /* for now, treat multicast as broadcast */
3563  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3564  }
3565  else
3566  {
3567  multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3568 
3569  if (m->pending)
3570  {
3571  /* get instance context */
3572  c = &m->pending->context;
3573 
3574  set_prefix(m->pending);
3575 
3576  {
3577  if (multi_output_queue_ready(m, m->pending))
3578  {
3579  /* transfer packet pointer from top-level context buffer to instance */
3580  c->c2.buf = m->top.c2.buf;
3581  }
3582  else
3583  {
3584  /* drop packet */
3585  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3586  buf_reset_len(&c->c2.buf);
3587  }
3588  }
3589 
3590  /* encrypt in instance context */
3591  process_incoming_tun(c);
3592 
3593  /* postprocess and set wakeup */
3594  ret = multi_process_post(m, m->pending, mpp_flags);
3595 
3596  clear_prefix();
3597  }
3598  }
3599  }
3600  }
3601  return ret;
3602 }
3603 
3604 /*
3605  * Process a possible client-to-client/bcast/mcast message in the
3606  * queue.
3607  */
3608 struct multi_instance *
3609 multi_get_queue(struct mbuf_set *ms)
3610 {
3611  struct mbuf_item item;
3612 
3613  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3614  {
3615  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3616 
3617  set_prefix(item.instance);
3618  item.instance->context.c2.buf = item.buffer->buf;
3619  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3620  {
3621  pip_flags |= PIP_MSSFIX;
3622  }
3623  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3624  encrypt_sign(&item.instance->context, true);
3625  mbuf_free_buf(item.buffer);
3626 
3627  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3628 
3629  clear_prefix();
3630  return item.instance;
3631  }
3632  else
3633  {
3634  return NULL;
3635  }
3636 }
3637 
3638 /*
3639  * Called when an I/O wait times out. Usually means that a particular
3640  * client instance object needs timer-based service.
3641  */
3642 bool
3643 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3644 {
3645  bool ret = true;
3646 
3647 #ifdef MULTI_DEBUG_EVENT_LOOP
3648  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3649 #endif
3650 
3651  /* instance marked for wakeup? */
3652  if (m->earliest_wakeup)
3653  {
3654  if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3655  {
3656  schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal);
3657  throw_signal(m->deferred_shutdown_signal.signal_received);
3658  }
3659  else
3660  {
3661  set_prefix(m->earliest_wakeup);
3662  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3663  clear_prefix();
3664  }
3665  m->earliest_wakeup = NULL;
3666  }
3667  return ret;
3668 }
3669 
3670 /*
3671  * Drop a TUN/TAP outgoing packet..
3672  */
3673 void
3674 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3675 {
3676  struct multi_instance *mi = m->pending;
3677 
3678  ASSERT(mi);
3679 
3680  set_prefix(mi);
3681 
3682  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3683  mi->context.c2.to_tun.len);
3684 
3685  buf_reset(&mi->context.c2.to_tun);
3686 
3687  multi_process_post(m, mi, mpp_flags);
3688  clear_prefix();
3689 }
3690 
3691 /*
3692  * Per-client route quota management
3693  */
3694 
3695 void
3696 route_quota_exceeded(const struct multi_instance *mi)
3697 {
3698  struct gc_arena gc = gc_new();
3699  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3700  mi->context.options.max_routes_per_client,
3701  multi_instance_string(mi, false, &gc));
3702  gc_free(&gc);
3703 }
3704 
3705 #ifdef ENABLE_DEBUG
3706 /*
3707  * Flood clients with random packets
3708  */
3709 static void
3710 gremlin_flood_clients(struct multi_context *m)
3711 {
3712  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3713  if (level)
3714  {
3715  struct gc_arena gc = gc_new();
3716  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3717  struct packet_flood_parms parm = get_packet_flood_parms(level);
3718  int i;
3719 
3720  ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3721  parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3722 
3723  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3724  parm.n_packets,
3725  parm.packet_size);
3726 
3727  for (i = 0; i < parm.packet_size; ++i)
3728  {
3729  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3730  }
3731 
3732  for (i = 0; i < parm.n_packets; ++i)
3733  {
3734  multi_bcast(m, &buf, NULL, NULL, 0);
3735  }
3736 
3737  gc_free(&gc);
3738  }
3739 }
3740 #endif /* ifdef ENABLE_DEBUG */
3741 
3742 static bool
3743 stale_route_check_trigger(struct multi_context *m)
3744 {
3745  struct timeval null;
3746  CLEAR(null);
3747  return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3748 }
3749 
3750 /*
3751  * Process timers in the top-level context
3752  */
3753 void
3754 multi_process_per_second_timers_dowork(struct multi_context *m)
3755 {
3756  /* possibly reap instances/routes in vhash */
3757  multi_reap_process(m);
3758 
3759  /* possibly print to status log */
3760  if (m->top.c1.status_output)
3761  {
3762  if (status_trigger(m->top.c1.status_output))
3763  {
3764  multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3765  }
3766  }
3767 
3768  /* possibly flush ifconfig-pool file */
3769  multi_ifconfig_pool_persist(m, false);
3770 
3771 #ifdef ENABLE_DEBUG
3772  gremlin_flood_clients(m);
3773 #endif
3774 
3775  /* Should we check for stale routes? */
3776  if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3777  {
3778  check_stale_routes(m);
3779  }
3780 }
3781 
3782 void
3783 multi_top_init(struct multi_context *m, struct context *top)
3784 {
3785  inherit_context_top(&m->top, top);
3786  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3787 }
3788 
3789 void
3790 multi_top_free(struct multi_context *m)
3791 {
3792  close_context(&m->top, -1, CC_GC_FREE);
3793  free_context_buffers(m->top.c2.buffers);
3794 }
3795 
3796 static bool
3797 is_exit_restart(int sig)
3798 {
3799  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3800 }
3801 
3802 static void
3803 multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3804 {
3805  struct hash_iterator hi;
3806  struct hash_element *he;
3807  struct timeval tv;
3808 
3809  /* tell all clients to restart */
3810  hash_iterator_init(m->iter, &hi);
3811  while ((he = hash_iterator_next(&hi)))
3812  {
3813  struct multi_instance *mi = (struct multi_instance *) he->value;
3814  if (!mi->halt)
3815  {
3816  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3817  multi_schedule_context_wakeup(m, mi);
3818  }
3819  }
3820  hash_iterator_free(&hi);
3821 
3822  /* reschedule signal */
3823  ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3824  tv.tv_sec = 2;
3825  tv.tv_usec = 0;
3826  tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3827 
3828  m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3829 
3830  schedule_add_entry(m->schedule,
3831  (struct schedule_entry *) &m->deferred_shutdown_signal,
3832  &m->deferred_shutdown_signal.wakeup,
3833  compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
3834 
3835  signal_reset(m->top.sig);
3836 }
3837 
3838 /*
3839  * Return true if event loop should break,
3840  * false if it should continue.
3841  */
3842 bool
3843 multi_process_signal(struct multi_context *m)
3844 {
3845  if (m->top.sig->signal_received == SIGUSR2)
3846  {
3847  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3848  multi_print_status(m, so, m->status_file_version);
3849  status_close(so);
3850  signal_reset(m->top.sig);
3851  return false;
3852  }
3853  else if (proto_is_dgram(m->top.options.ce.proto)
3854  && is_exit_restart(m->top.sig->signal_received)
3855  && (m->deferred_shutdown_signal.signal_received == 0)
3856  && m->top.options.ce.explicit_exit_notification != 0)
3857  {
3858  multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3859  return false;
3860  }
3861  return true;
3862 }
3863 
3864 /*
3865  * Management subsystem callbacks
3866  */
3867 #ifdef ENABLE_MANAGEMENT
3868 
3869 static void
3870 management_callback_status(void *arg, const int version, struct status_output *so)
3871 {
3872  struct multi_context *m = (struct multi_context *) arg;
3873 
3874  if (!version)
3875  {
3876  multi_print_status(m, so, m->status_file_version);
3877  }
3878  else
3879  {
3880  multi_print_status(m, so, version);
3881  }
3882 }
3883 
3884 static int
3885 management_callback_n_clients(void *arg)
3886 {
3887  struct multi_context *m = (struct multi_context *) arg;
3888  return m->n_clients;
3889 }
3890 
3891 static int
3892 management_callback_kill_by_cn(void *arg, const char *del_cn)
3893 {
3894  struct multi_context *m = (struct multi_context *) arg;
3895  struct hash_iterator hi;
3896  struct hash_element *he;
3897  int count = 0;
3898 
3899  hash_iterator_init(m->iter, &hi);
3900  while ((he = hash_iterator_next(&hi)))
3901  {
3902  struct multi_instance *mi = (struct multi_instance *) he->value;
3903  if (!mi->halt)
3904  {
3905  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3906  if (cn && !strcmp(cn, del_cn))
3907  {
3908  multi_signal_instance(m, mi, SIGTERM);
3909  ++count;
3910  }
3911  }
3912  }
3913  hash_iterator_free(&hi);
3914  return count;
3915 }
3916 
3917 static int
3918 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3919 {
3920  struct multi_context *m = (struct multi_context *) arg;
3921  struct hash_iterator hi;
3922  struct hash_element *he;
3923  struct openvpn_sockaddr saddr;
3924  struct mroute_addr maddr;
3925  int count = 0;
3926 
3927  CLEAR(saddr);
3928  saddr.addr.in4.sin_family = AF_INET;
3929  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3930  saddr.addr.in4.sin_port = htons(port);
3931  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3932  {
3933  hash_iterator_init(m->iter, &hi);
3934  while ((he = hash_iterator_next(&hi)))
3935  {
3936  struct multi_instance *mi = (struct multi_instance *) he->value;
3937  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3938  {
3939  multi_signal_instance(m, mi, SIGTERM);
3940  ++count;
3941  }
3942  }
3943  hash_iterator_free(&hi);
3944  }
3945  return count;
3946 }
3947 
3948 static void
3949 management_delete_event(void *arg, event_t event)
3950 {
3951  struct multi_context *m = (struct multi_context *) arg;
3952  if (m->mtcp)
3953  {
3954  multi_tcp_delete_event(m->mtcp, event);
3955  }
3956 }
3957 
3958 static struct multi_instance *
3959 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3960 {
3961  if (m)
3962  {
3963  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3964  if (mi && !mi->halt)
3965  {
3966  return mi;
3967  }
3968  }
3969  return NULL;
3970 }
3971 
3972 static bool
3973 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3974 {
3975  struct multi_context *m = (struct multi_context *) arg;
3976  struct multi_instance *mi = lookup_by_cid(m, cid);
3977  if (mi)
3978  {
3979  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3980  multi_schedule_context_wakeup(m, mi);
3981  return true;
3982  }
3983  else
3984  {
3985  return false;
3986  }
3987 }
3988 
3989 static bool
3990 management_client_pending_auth(void *arg,
3991  const unsigned long cid,
3992  const char *extra,
3993  unsigned int timeout)
3994 {
3995  struct multi_context *m = (struct multi_context *) arg;
3996  struct multi_instance *mi = lookup_by_cid(m, cid);
3997  if (mi)
3998  {
3999  /* sends INFO_PRE and AUTH_PENDING messages to client */
4000  bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra,
4001  timeout);
4002  reschedule_multi_process(&mi->context);
4003  multi_schedule_context_wakeup(m, mi);
4004  return ret;
4005  }
4006  return false;
4007 }
4008 
4009 
4010 static bool
4011 management_client_auth(void *arg,
4012  const unsigned long cid,
4013  const unsigned int mda_key_id,
4014  const bool auth,
4015  const char *reason,
4016  const char *client_reason,
4017  struct buffer_list *cc_config) /* ownership transferred */
4018 {
4019  struct multi_context *m = (struct multi_context *) arg;
4020  struct multi_instance *mi = lookup_by_cid(m, cid);
4021  bool cc_config_owned = true;
4022  bool ret = false;
4023 
4024  if (mi)
4025  {
4026  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4027  if (ret)
4028  {
4029  if (auth)
4030  {
4031  if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4032  {
4033  set_cc_config(mi, cc_config);
4034  cc_config_owned = false;
4035  }
4036  }
4037  else if (reason)
4038  {
4039  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
4040  }
4041  }
4042  }
4043  if (cc_config_owned && cc_config)
4044  {
4045  buffer_list_free(cc_config);
4046  }
4047  return ret;
4048 }
4049 
4050 static char *
4051 management_get_peer_info(void *arg, const unsigned long cid)
4052 {
4053  struct multi_context *m = (struct multi_context *) arg;
4054  struct multi_instance *mi = lookup_by_cid(m, cid);
4055  char *ret = NULL;
4056 
4057  if (mi)
4058  {
4059  ret = mi->context.c2.tls_multi->peer_info;
4060  }
4061 
4062  return ret;
4063 }
4064 
4065 #endif /* ifdef ENABLE_MANAGEMENT */
4066 
4067 
4068 void
4069 init_management_callback_multi(struct multi_context *m)
4070 {
4071 #ifdef ENABLE_MANAGEMENT
4072  if (management)
4073  {
4074  struct management_callback cb;
4075  CLEAR(cb);
4076  cb.arg = m;
4077  cb.flags = MCF_SERVER;
4078  cb.status = management_callback_status;
4079  cb.show_net = management_show_net_callback;
4080  cb.kill_by_cn = management_callback_kill_by_cn;
4081  cb.kill_by_addr = management_callback_kill_by_addr;
4082  cb.delete_event = management_delete_event;
4083  cb.n_clients = management_callback_n_clients;
4084  cb.kill_by_cid = management_kill_by_cid;
4085  cb.client_auth = management_client_auth;
4086  cb.client_pending_auth = management_client_pending_auth;
4087  cb.get_peer_info = management_get_peer_info;
4088  management_set_callback(management, &cb);
4089  }
4090 #endif /* ifdef ENABLE_MANAGEMENT */
4091 }
4092 
4093 void
4094 multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4095 {
4096  /* max_clients must be less then max peer-id value */
4097  ASSERT(m->max_clients < MAX_PEER_ID);
4098 
4099  for (int i = 0; i < m->max_clients; ++i)
4100  {
4101  if (!m->instances[i])
4102  {
4103  mi->context.c2.tls_multi->peer_id = i;
4104  m->instances[i] = mi;
4105  break;
4106  }
4107  }
4108 
4109  /* should not really end up here, since multi_create_instance returns null
4110  * if amount of clients exceeds max_clients */
4111  ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4112 }
4113 
4114 
4115 /*
4116  * Top level event loop.
4117  */
4118 void
4119 tunnel_server(struct context *top)
4120 {
4121  ASSERT(top->options.mode == MODE_SERVER);
4122 
4123  if (proto_is_dgram(top->options.ce.proto))
4124  {
4125  tunnel_server_udp(top);
4126  }
4127  else
4128  {
4129  tunnel_server_tcp(top);
4130  }
4131 }
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:473
multi_reap::buckets_per_pass
int buckets_per_pass
Definition: multi.h:54
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2348
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2073
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:188
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition: perf.h:48
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:556
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1266
multi_context::n_clients
int n_clients
Definition: multi.h:182
options::vlan_tagging
bool vlan_tagging
Definition: options.h:696
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:113
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: openvpn-plugin.h:126
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:269
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:101
status_trigger
bool status_trigger(struct status_output *so)
Definition: status.c:135
iroute
Definition: route.h:234
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
multi_instance::halt
bool halt
Definition: multi.h:106
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2546
reflect_filter.h
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition: openvpn-plugin.h:125
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition: ssl_common.h:563
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
frame::mss_fix
unsigned int mss_fix
The actual MSS value that should be written to the payload packets.
Definition: mtu.h:118
M_INFO
#define M_INFO
Definition: errlevel.h:55
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
SIGUSR2
#define SIGUSR2
Definition: config-msvc.h:81
options::use_peer_id
bool use_peer_id
Definition: options.h:687
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3959
multi_context::route_helper
struct mroute_helper * route_helper
Definition: multi.h:175
M_OPTERR
#define M_OPTERR
Definition: error.h:106
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition: multi.h:290
options::client_connect_script
const char * client_connect_script
Definition: options.h:490
CC_RET_FAILED
@ CC_RET_FAILED
Definition: multi.h:219
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:460
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:498
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:561
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:150
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:289
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition: multi.h:204
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1011
options::cf_initial_per
int cf_initial_per
Definition: options.h:521
run_command.h
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:195
M_ERRNO
#define M_ERRNO
Definition: error.h:100
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:79
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1094
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:143
context_2::to_link
struct buffer to_link
Definition: openvpn.h:383
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:329
multi_context::reaper
struct multi_reap * reaper
Definition: multi.h:176
forward.h
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition: multi.h:124
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition: multi.c:550
plugin_return
Definition: plugin.h:101
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition: openvpn-plugin.h:130
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
gremlin.h
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3743
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition: multi.h:220
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5487
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: multi.c:3990
context_2::buf
struct buffer buf
Definition: openvpn.h:381
signal_reset
void signal_reset(struct signal_info *si)
Definition: sig.c:139
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:303
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition: multi.h:180
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:234
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:527
hash_iterator
Definition: list.h:90
tunnel_server_udp
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:464
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:170
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
options::enable_c2c
bool enable_c2c
Definition: options.h:514
options::duplicate_cn
bool duplicate_cn
Definition: options.h:515
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1642
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:423
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:199
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:671
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:446
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:275
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1716
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
context
Contains all state information for one tunnel.
Definition: openvpn.h:479
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:498
hash
Definition: list.h:58
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:673
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:103
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition: multi.h:63
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1427
options::topology
int topology
Definition: options.h:309
key1
static const char *const key1
Definition: cert_data.h:56
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:178
mbuf_set
Definition: mbuf.h:56
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:167
options::dev_type
const char * dev_type
Definition: options.h:306
get_random
long int get_random(void)
Definition: crypto.c:1640
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:114
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:441
multi_instance::gc
struct gc_arena gc
Definition: multi.h:105
options::iroutes
struct iroute * iroutes
Definition: options.h:499
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:537
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:508
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3609
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:82
multi_instance::wakeup
struct timeval wakeup
Definition: multi.h:113
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
context_2::es
struct env_set * es
Definition: openvpn.h:426
config-msvc.h
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2168
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:238
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:434
vlan.h
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1095
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:704
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:287
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:86
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:436
options::mode
int mode
Definition: options.h:249
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2943
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1757
hash_element::value
void * value
Definition: list.h:47
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition: ssl_common.h:562
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:720
pre_select
void pre_select(struct context *c)
Definition: forward.c:1926
frame::buf
struct frame::@5 buf
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:182
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:144
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:510
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:95
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:223
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1583
dmsg
#define dmsg(flags,...)
Definition: error.h:154
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1226
options::ce
struct connection_entry ce
Definition: options.h:277
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:76
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
openvpn_sockaddr
Definition: socket.h:65
iroute::netbits
int netbits
Definition: route.h:236
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition: socket.h:399
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:497
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:373
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3186
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:484
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2873
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1586
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:572
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3683
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition: multi.h:88
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:165
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:249
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:153
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:79
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:177
multi_context::schedule
struct schedule * schedule
Definition: multi.h:166
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:363
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:244
MODE_SERVER
#define MODE_SERVER
Definition: options.h:248
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1939
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
client_connect_defer_state
Detached client connection state.
Definition: multi.h:70
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:395
frame
Packet geometry parameters.
Definition: mtu.h:98
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
multi_route::addr
struct mroute_addr addr
Definition: multi.h:230
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:588
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:247
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition: ovpn_dco_linux.h:74
multi_route::last_reference
time_t last_reference
Definition: multi.h:238
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:551
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:295
multi_reap::last_call
time_t last_call
Definition: multi.h:55
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:565
mroute_helper::net_len
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3696
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4240
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:247
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3754
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2892
multi_context::enable_c2c
bool enable_c2c
Definition: multi.h:178
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1718
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:433
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition: reflect_filter.c:88
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:272
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition: ssl_common.h:561
multi_route::instance
struct multi_instance * instance
Definition: multi.h:231
iroute::next
struct iroute * next
Definition: route.h:237
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3197
np
static const char * np(const char *str)
Definition: multi-auth.c:146
multi_context::max_clients
int max_clients
Definition: multi.h:179
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:173
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition: pool.h:37
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:575
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2265
CLEAR
#define CLEAR(x)
Definition: basic.h:33
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:83
multi_context::cid_counter
unsigned long cid_counter
Definition: multi.h:186
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:610
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:173
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:211
clear_prefix
static void clear_prefix(void)
Definition: multi.h:549
iroute::network
in_addr_t network
Definition: route.h:235
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:484
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:520
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:542
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:443
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:853
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:526
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:527
options::max_clients
int max_clients
Definition: options.h:523
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:695
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4073
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:156
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:668
register_signal
void register_signal(struct signal_info *si, int sig, const char *text)
Definition: sig.c:478
ssl_verify.h
options::dev
const char * dev
Definition: options.h:305
ASSERT
#define ASSERT(x)
Definition: error.h:201
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition: ssl_common.h:560
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:447
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:192
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2923
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
read
@ read
Definition: interactive.c:208
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:675
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:178
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1102
D_DCO
#define D_DCO
Definition: errlevel.h:94
multi_init
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:294
multi_instance::cc_config
struct buffer_list * cc_config
Definition: multi.h:131
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:195
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:91
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3973
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:227
options::cf_initial_max
int cf_initial_max
Definition: options.h:520
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:337
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:139
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:580
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2639
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:229
multi_context::status_file_version
int status_file_version
Definition: multi.h:181
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2672
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
BLEN
#define BLEN(buf)
Definition: buffer.h:127
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:240
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4094
status_reset
void status_reset(struct status_output *so)
Definition: status.c:150
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:187
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:313
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:563
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:509
tunnel_server_tcp
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:791
multi_context::local
struct mroute_addr local
Definition: multi.h:177
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2987
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:288
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:294
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1041
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1913
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:710
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3643
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:257
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4119
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:707
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:601
ANY_OUT
#define ANY_OUT(c)
Definition: forward.h:40
hash_element::key
const void * key
Definition: list.h:48
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:507
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2366
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:515
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:173
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1103
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1005
multi_context::cid_hash
struct hash * cid_hash
Definition: multi.h:185
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:51
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:388
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3803
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition: openvpn.h:276
M_WARN
#define M_WARN
Definition: error.h:97
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
plugin_return::n
int n
Definition: plugin.h:103
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:501
perf_pop
static void perf_pop(void)
Definition: perf.h:82
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:478
MF_UNICAST
#define MF_UNICAST
Definition: mbuf.h:46
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
D_GREMLIN
#define D_GREMLIN
Definition: errlevel.h:78
mroute_addr::port
in_port_t port
Definition: mroute.h:89
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:481
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition: multi.h:191
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2611
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:505
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
D_MULTI_LOW
#define D_MULTI_LOW
Definition: errlevel.h:86
options
Definition: options.h:238
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:438
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:688
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2965
options::gc
struct gc_arena gc
Definition: options.h:240
throw_signal
void throw_signal(const int signum)
Definition: sig.c:118
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:725
mroute_helper::cache_generation
unsigned int cache_generation
Definition: mroute.h:132
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5507
multi.h
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:211
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:159
pool_type
pool_type
Definition: pool.h:35
dco_context_t
void * dco_context_t
Definition: dco.h:254
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition: multi.h:125
status_output
Definition: status.h:48
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
mbuf_item::instance
struct multi_instance * instance
Definition: mbuf.h:53
management_callback::arg
void * arg
Definition: manage.h:175
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:489
multi_instance::did_cid_hash
bool did_cid_hash
Definition: multi.h:130
multi_reap
Definition: multi.h:51
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:480
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1446
multi_context::pending
struct multi_instance * pending
Definition: multi.h:189
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:442
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:257
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:511
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:216
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:3012
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition: ovpn_dco_linux.h:72
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:737
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:525
mbuf_buffer::buf
struct buffer buf
Definition: mbuf.h:43
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:338
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:266
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:161
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:641
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1788
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:752
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:62
argv::gc
struct gc_arena gc
Definition: argv.h:36
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition: multi.h:190
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:190
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition: pool.h:38
dco_set_peer
int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition: dco_win.c:274
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1147
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:512
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:235
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition: multi.h:116
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:293
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1268
multi_route::flags
unsigned int flags
Definition: multi.h:235
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2903
options::status_file_version
int status_file_version
Definition: options.h:392
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
mbuf_item
Definition: mbuf.h:50
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:117
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:156
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:503
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:692
mroute_addr::vid
uint16_t vid
Definition: mroute.h:85
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:73
link_socket_info
Definition: socket.h:113
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1397
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:361
REAP_MAX
#define REAP_MAX
Definition: multi.h:569
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:469
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:402
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
context_2::frame
struct frame frame
Definition: openvpn.h:251
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:240
mroute_addr
Definition: mroute.h:75
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2389
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:571
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3514
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2976
syshead.h
SIGTERM
#define SIGTERM
Definition: config-msvc.h:82
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:177
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:67
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4823
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
schedule_entry
Definition: schedule.h:44
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:176
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3892
options::client_config_dir
const char * client_config_dir
Definition: options.h:494
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition: reflect_filter.c:104
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:80
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:506
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:378
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
mbuf_buffer
Definition: mbuf.h:41
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:587
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:698
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition: multi.c:1972
mbuf_buffer::flags
unsigned int flags
Definition: mbuf.h:47
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition: ssl.h:107
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:308
route
@ route
Definition: interactive.c:90
multi_route
Definition: multi.h:228
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2222
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
env_set
Definition: env_set.h:42
multi_instance::did_iter
bool did_iter
Definition: multi.h:128
status_flush
void status_flush(struct status_output *so)
Definition: status.c:159
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:256
multi_tcp_free
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:227
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:264
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3045
plugin_list
Definition: plugin.h:94
multi_context
Main OpenVPN server state structure.
Definition: multi.h:155
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4901
counter_format
#define counter_format
Definition: common.h:31
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3708
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4069
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:910
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3783
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:292
dco.h
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:65
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:226
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:665
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:990
SIGINT
#define SIGINT
Definition: config-msvc.h:79
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2642
hash_free
void hash_free(struct hash *hash)
Definition: list.c:65
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
SIGHUP
#define SIGHUP
Definition: config-msvc.h:78
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:609
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:479
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:4011
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:406
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:250
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition: multi.h:73
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3949
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:217
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition: errlevel.h:101
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:479
tuntap::local
in_addr_t local
Definition: tun.h:189
schedule_init
struct schedule * schedule_init(void)
Definition: schedule.c:414
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:459
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:45
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:382
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:163
multi_tcp_init
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:199
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:477
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition: openvpn-plugin.h:124
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:511
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:257
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition: multi.h:76
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:256
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:78
otime.h
tuntap::dco
dco_context_t dco
Definition: tun.h:234
is_exit_restart
static bool is_exit_restart(int sig)
Definition: multi.c:3797
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition: openvpn.h:273
iroute_ipv6
Definition: route.h:240
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:4051
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3674
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:835
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:437
REAP_DIVISOR
#define REAP_DIVISOR
Definition: multi.h:567
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2822
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:503
management
Definition: manage.h:334
mroute_helper
Definition: mroute.h:131
hash_element
Definition: list.h:45
min_int
static int min_int(int x, int y)
Definition: integer.h:82
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1054
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1019
mroute_addr::type
uint8_t type
Definition: mroute.h:78
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition: multi.h:222
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1674
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2022
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:371
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:190
REAP_MIN
#define REAP_MIN
Definition: multi.h:568
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:210
multi_route::cache_generation
unsigned int cache_generation
Definition: multi.h:237
options::cf_per
int cf_per
Definition: options.h:518
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3918
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2510
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition: mroute.h:70
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:145
rw_handle
Definition: win32.h:76
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1788
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:486
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:467
hash_bucket
Definition: list.h:53
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:503
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:524
multi_reap::bucket_base
int bucket_base
Definition: multi.h:53
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1046
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition: multi.h:233
now
time_t now
Definition: otime.c:36
multi_instance::did_iroutes
bool did_iroutes
Definition: multi.h:133
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:109
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:148
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:183
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition: ssl_common.h:564
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:478
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:11
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition: ovpn_dco_linux.h:75
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2852
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
ssl_ncp.h
connection_entry::fragment
int fragment
Definition: options.h:134
context_2::from
struct link_socket_actual from
Definition: openvpn.h:248
time_string
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:110
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition: multi.h:494
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:195
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1216
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3310
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition: multi.h:174
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition: ssl_common.h:667
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:664
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:183
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:138
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition: mbuf.h:52
connection_entry::proto
int proto
Definition: options.h:101
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:163
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2722
multi_context::mtcp
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:170
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:485
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:388
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:3000
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
options::real_hash_size
int real_hash_size
Definition: options.h:488
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:491
dco_get_peer_stats_multi
int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
Definition: dco_win.c:403
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:349
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:526
hash_n_buckets
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
session
Definition: keyingmaterialexporter.c:56
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:954
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:440
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:922
options::tmp_dir
const char * tmp_dir
Definition: options.h:455
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:323
options::cf_max
int cf_max
Definition: options.h:517
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:500
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:95
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:154
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:396
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition: multi.h:221
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:504
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:44
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:506
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition: errlevel.h:102