OpenVPN
multi.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#ifdef HAVE_SYS_INOTIFY_H
29#include <sys/inotify.h>
30#define INOTIFY_EVENT_BUFFER_SIZE 16384
31#endif
32
33#include "syshead.h"
34
35#include "forward.h"
36#include "multi.h"
37#include "push.h"
38#include "run_command.h"
39#include "otime.h"
40#include "gremlin.h"
41#include "mstats.h"
42#include "ssl_verify.h"
43#include "ssl_ncp.h"
44#include "vlan.h"
45#include "auth_token.h"
46#include <inttypes.h>
47#include <string.h>
48
49#include "memdbg.h"
50
51
52#include "crypto_backend.h"
53#include "ssl_util.h"
54#include "dco.h"
55#include "reflect_filter.h"
56
57/*#define MULTI_DEBUG_EVENT_LOOP*/
58
59#ifdef MULTI_DEBUG_EVENT_LOOP
60static const char *
61id(struct multi_instance *mi)
62{
63 if (mi)
64 {
65 return tls_common_name(mi->context.c2.tls_multi, false);
66 }
67 else
68 {
69 return "NULL";
70 }
71}
72#endif
73
74#ifdef ENABLE_MANAGEMENT
75static void
76set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
77{
78 buffer_list_free(mi->cc_config);
79 mi->cc_config = cc_config;
80}
81#endif
82
83static inline void
84update_mstat_n_clients(const int n_clients)
85{
86#ifdef ENABLE_MEMSTATS
87 if (mmap_stats)
88 {
89 mmap_stats->n_clients = n_clients;
90 }
91#endif
92}
93
94static bool
95learn_address_script(const struct multi_context *m,
96 const struct multi_instance *mi,
97 const char *op,
98 const struct mroute_addr *addr)
99{
100 struct gc_arena gc = gc_new();
101 struct env_set *es;
102 bool ret = true;
103 struct plugin_list *plugins;
104
105 /* get environmental variable source */
106 if (mi && mi->context.c2.es)
107 {
108 es = mi->context.c2.es;
109 }
110 else
111 {
112 es = env_set_create(&gc);
113 }
114
115 /* get plugin source */
116 if (mi)
117 {
118 plugins = mi->context.plugins;
119 }
120 else
121 {
122 plugins = m->top.plugins;
123 }
124
125 if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
126 {
127 struct argv argv = argv_new();
128 argv_printf(&argv, "%s %s",
129 op,
130 mroute_addr_print(addr, &gc));
131 if (mi)
132 {
133 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
134 }
135 if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
136 {
137 msg(M_WARN, "WARNING: learn-address plugin call failed");
138 ret = false;
139 }
140 argv_free(&argv);
141 }
142
143 if (m->top.options.learn_address_script)
144 {
145 struct argv argv = argv_new();
146 setenv_str(es, "script_type", "learn-address");
147 argv_parse_cmd(&argv, m->top.options.learn_address_script);
148 argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
149 if (mi)
150 {
151 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
152 }
153 if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
154 {
155 ret = false;
156 }
157 argv_free(&argv);
158 }
159
160 gc_free(&gc);
161 return ret;
162}
163
164void
165multi_ifconfig_pool_persist(struct multi_context *m, bool force)
166{
167 /* write pool data to file */
168 if (m->ifconfig_pool
169 && m->top.c1.ifconfig_pool_persist
170 && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
171 {
172 ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
173 }
174}
175
176static void
177multi_reap_range(const struct multi_context *m,
178 int start_bucket,
179 int end_bucket)
180{
181 struct gc_arena gc = gc_new();
182 struct hash_iterator hi;
183 struct hash_element *he;
184
185 if (start_bucket < 0)
186 {
187 start_bucket = 0;
188 end_bucket = hash_n_buckets(m->vhash);
189 }
190
191 dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
192 hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
193 while ((he = hash_iterator_next(&hi)) != NULL)
194 {
195 struct multi_route *r = (struct multi_route *) he->value;
196 if (!multi_route_defined(m, r))
197 {
198 dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
199 mroute_addr_print(&r->addr, &gc));
200 learn_address_script(m, NULL, "delete", &r->addr);
201 multi_route_del(r);
202 hash_iterator_delete_element(&hi);
203 }
204 }
205 hash_iterator_free(&hi);
206 gc_free(&gc);
207}
208
209static void
210multi_reap_all(const struct multi_context *m)
211{
212 multi_reap_range(m, -1, 0);
213}
214
215static struct multi_reap *
216multi_reap_new(int buckets_per_pass)
217{
218 struct multi_reap *mr;
219 ALLOC_OBJ(mr, struct multi_reap);
220 mr->bucket_base = 0;
221 mr->buckets_per_pass = buckets_per_pass;
222 mr->last_call = now;
223 return mr;
224}
225
226void
227multi_reap_process_dowork(const struct multi_context *m)
228{
229 struct multi_reap *mr = m->reaper;
230 if (mr->bucket_base >= hash_n_buckets(m->vhash))
231 {
232 mr->bucket_base = 0;
233 }
234 multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
235 mr->bucket_base += mr->buckets_per_pass;
236 mr->last_call = now;
237}
238
239static void
240multi_reap_free(struct multi_reap *mr)
241{
242 free(mr);
243}
244
245/*
246 * How many buckets in vhash to reap per pass.
247 */
248static int
249reap_buckets_per_pass(int n_buckets)
250{
251 return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
252}
253
254#ifdef ENABLE_MANAGEMENT
255
256static uint32_t
257cid_hash_function(const void *key, uint32_t iv)
258{
259 const unsigned long *k = (const unsigned long *)key;
260 return (uint32_t) *k;
261}
262
263static bool
264cid_compare_function(const void *key1, const void *key2)
265{
266 const unsigned long *k1 = (const unsigned long *)key1;
267 const unsigned long *k2 = (const unsigned long *)key2;
268 return *k1 == *k2;
269}
270
271#endif
272
273#ifdef ENABLE_ASYNC_PUSH
274static uint32_t
275/*
276 * inotify watcher descriptors are used as hash value
277 */
278int_hash_function(const void *key, uint32_t iv)
279{
280 return (unsigned long)key;
281}
282
283static bool
284int_compare_function(const void *key1, const void *key2)
285{
286 return (unsigned long)key1 == (unsigned long)key2;
287}
288#endif
289
290/*
291 * Main initialization function, init multi_context object.
292 */
293void
294multi_init(struct multi_context *m, struct context *t)
295{
296 int dev = DEV_TYPE_UNDEF;
297
298 msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299 t->options.real_hash_size,
300 t->options.virtual_hash_size);
301
302 /*
303 * Get tun/tap/null device type
304 */
305 dev = dev_type_enum(t->options.dev, t->options.dev_type);
306
307 /*
308 * Init our multi_context object.
309 */
310 CLEAR(*m);
311
312 /*
313 * Real address hash table (source port number is
314 * considered to be part of the address). Used
315 * to determine which client sent an incoming packet
316 * which is seen on the TCP/UDP socket.
317 */
318 m->hash = hash_init(t->options.real_hash_size,
319 get_random(),
320 mroute_addr_hash_function,
321 mroute_addr_compare_function);
322
323 /*
324 * Virtual address hash table. Used to determine
325 * which client to route a packet to.
326 */
327 m->vhash = hash_init(t->options.virtual_hash_size,
328 get_random(),
329 mroute_addr_hash_function,
330 mroute_addr_compare_function);
331
332 /*
333 * This hash table is a clone of m->hash but with a
334 * bucket size of one so that it can be used
335 * for fast iteration through the list.
336 */
337 m->iter = hash_init(1,
338 get_random(),
339 mroute_addr_hash_function,
340 mroute_addr_compare_function);
341
342#ifdef ENABLE_MANAGEMENT
343 m->cid_hash = hash_init(t->options.real_hash_size,
344 0,
345 cid_hash_function,
346 cid_compare_function);
347#endif
348
349#ifdef ENABLE_ASYNC_PUSH
350 /*
351 * Mapping between inotify watch descriptors and
352 * multi_instances.
353 */
354 m->inotify_watchers = hash_init(t->options.real_hash_size,
355 get_random(),
356 int_hash_function,
357 int_compare_function);
358#endif
359
360 /*
361 * This is our scheduler, for time-based wakeup
362 * events.
363 */
364 m->schedule = schedule_init();
365
366 /*
367 * Limit frequency of incoming connections to control
368 * DoS.
369 */
370 m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
371 t->options.cf_per);
372 m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
373 t->options.cf_initial_per);
374
375 /*
376 * Allocate broadcast/multicast buffer list
377 */
378 m->mbuf = mbuf_init(t->options.n_bcast_buf);
379
380 /*
381 * Different status file format options are available
382 */
383 m->status_file_version = t->options.status_file_version;
384
385 /*
386 * Possibly allocate an ifconfig pool, do it
387 * differently based on whether a tun or tap style
388 * tunnel.
389 */
390 if (t->options.ifconfig_pool_defined
391 || t->options.ifconfig_ipv6_pool_defined)
392 {
393 int pool_type = IFCONFIG_POOL_INDIV;
394
395 if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
396 {
397 pool_type = IFCONFIG_POOL_30NET;
398 }
399
400 m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
401 pool_type,
402 t->options.ifconfig_pool_start,
403 t->options.ifconfig_pool_end,
404 t->options.duplicate_cn,
405 t->options.ifconfig_ipv6_pool_defined,
406 t->options.ifconfig_ipv6_pool_base,
407 t->options.ifconfig_ipv6_pool_netbits );
408
409 /* reload pool data from file */
410 if (t->c1.ifconfig_pool_persist)
411 {
412 ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
413 }
414 }
415
416 /*
417 * Help us keep track of routing table.
418 */
419 m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
420
421 /*
422 * Initialize route and instance reaper.
423 */
424 m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
425
426 /*
427 * Get local ifconfig address
428 */
429 CLEAR(m->local);
430 ASSERT(t->c1.tuntap);
431 mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
432
433 /*
434 * Per-client limits
435 */
436 m->max_clients = t->options.max_clients;
437
438 m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
439
440 m->top.c2.event_set = t->c2.event_set;
441
442 /*
443 * Initialize multi-socket I/O wait object
444 */
445 m->multi_io = multi_io_init(t->options.max_clients, &m->max_clients);
446 m->tcp_queue_limit = t->options.tcp_queue_limit;
447
448 /*
449 * Allow client <-> client communication, without going through
450 * tun/tap interface and network stack?
451 */
452 m->enable_c2c = t->options.enable_c2c;
453
454 /* initialize stale routes check timer */
455 if (t->options.stale_routes_check_interval > 0)
456 {
457 msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
458 t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
459 event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
460 }
461
462 m->deferred_shutdown_signal.signal_received = 0;
463}
464
465const char *
466multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
467{
468 if (mi)
469 {
470 struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
471 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
472
473 if (cn)
474 {
475 buf_printf(&out, "%s/", cn);
476 }
477 buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
478 if (mi->context.c2.tls_multi
479 && check_debug_level(D_DCO_DEBUG)
480 && dco_enabled(&mi->context.options))
481 {
482 buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
483 }
484 return BSTR(&out);
485 }
486 else if (null)
487 {
488 return NULL;
489 }
490 else
491 {
492 return "UNDEF";
493 }
494}
495
496static void
497generate_prefix(struct multi_instance *mi)
498{
499 struct gc_arena gc = gc_new();
500 const char *prefix = multi_instance_string(mi, true, &gc);
501 if (prefix)
502 {
503 strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
504 }
505 else
506 {
507 mi->msg_prefix[0] = '\0';
508 }
509 set_prefix(mi);
510 gc_free(&gc);
511}
512
513void
514ungenerate_prefix(struct multi_instance *mi)
515{
516 mi->msg_prefix[0] = '\0';
517 set_prefix(mi);
518}
519
520/*
521 * Tell the route helper about deleted iroutes so
522 * that it can update its mask of currently used
523 * CIDR netlengths.
524 */
525static void
526multi_del_iroutes(struct multi_context *m,
527 struct multi_instance *mi)
528{
529 const struct iroute *ir;
530 const struct iroute_ipv6 *ir6;
531
532 dco_delete_iroutes(m, mi);
533
534 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
535 {
536 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
537 {
538 mroute_helper_del_iroute46(m->route_helper, ir->netbits);
539 }
540
541 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
542 {
543 mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
544 }
545 }
546}
547
548static void
549setenv_stats(struct multi_context *m, struct context *c)
550{
551 if (dco_enabled(&m->top.options))
552 {
553 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, false) < 0)
554 {
555 return;
556 }
557 }
558
559 setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
560 setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
561}
562
563static void
564multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
565{
566 /* setenv client real IP address */
567 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
568
569 /* setenv stats */
570 setenv_stats(m, &mi->context);
571
572 /* setenv connection duration */
573 setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
574}
575
576static void
577multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
578{
579 multi_client_disconnect_setenv(m, mi);
580
581 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
582 {
583 if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
584 {
585 msg(M_WARN, "WARNING: client-disconnect plugin call failed");
586 }
587 }
588
589 if (mi->context.options.client_disconnect_script)
590 {
591 struct argv argv = argv_new();
592 setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
593 argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
594 openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
595 argv_free(&argv);
596 }
597#ifdef ENABLE_MANAGEMENT
598 if (management)
599 {
600 management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
601 }
602#endif
603}
604
605void
606multi_close_instance(struct multi_context *m,
607 struct multi_instance *mi,
608 bool shutdown)
609{
610 perf_push(PERF_MULTI_CLOSE_INSTANCE);
611
612 ASSERT(!mi->halt);
613 mi->halt = true;
614 bool is_dgram = proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto);
615
616 dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
617
618 /* adjust current client connection count */
619 m->n_clients += mi->n_clients_delta;
620 update_mstat_n_clients(m->n_clients);
621 mi->n_clients_delta = 0;
622
623 /* prevent dangling pointers */
624 if (m->pending == mi)
625 {
626 multi_set_pending(m, NULL);
627 }
628 if (m->earliest_wakeup == mi)
629 {
630 m->earliest_wakeup = NULL;
631 }
632
633 if (!shutdown)
634 {
635 if (mi->did_real_hash)
636 {
637 ASSERT(hash_remove(m->hash, &mi->real));
638 }
639 if (mi->did_iter)
640 {
641 ASSERT(hash_remove(m->iter, &mi->real));
642 }
643#ifdef ENABLE_MANAGEMENT
644 if (mi->did_cid_hash)
645 {
646 ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
647 }
648#endif
649
650#ifdef ENABLE_ASYNC_PUSH
651 if (mi->inotify_watch != -1)
652 {
653 hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
654 mi->inotify_watch = -1;
655 }
656#endif
657
658 if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
659 {
660 m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
661 }
662
663 schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
664
665 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
666
667 if (mi->did_iroutes)
668 {
669 multi_del_iroutes(m, mi);
670 mi->did_iroutes = false;
671 }
672
673 if (!is_dgram)
674 {
675 multi_tcp_dereference_instance(m->multi_io, mi);
676 }
677
678 mbuf_dereference_instance(m->mbuf, mi);
679 }
680
681#ifdef ENABLE_MANAGEMENT
682 set_cc_config(mi, NULL);
683#endif
684
685 if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
686 {
687 multi_client_disconnect_script(m, mi);
688 }
689
690 close_context(&mi->context, SIGTERM, CC_GC_FREE);
691
692 multi_tcp_instance_specific_free(mi);
693
694 ungenerate_prefix(mi);
695
696 /*
697 * Don't actually delete the instance memory allocation yet,
698 * because virtual routes may still point to it. Let the
699 * vhash reaper deal with it.
700 */
701 multi_instance_dec_refcount(mi);
702
703 perf_pop();
704}
705
706/*
707 * Called on shutdown or restart.
708 */
709void
710multi_uninit(struct multi_context *m)
711{
712 if (m->hash)
713 {
714 struct hash_iterator hi;
715 struct hash_element *he;
716
717 hash_iterator_init(m->iter, &hi);
718 while ((he = hash_iterator_next(&hi)))
719 {
720 struct multi_instance *mi = (struct multi_instance *) he->value;
721 mi->did_iter = false;
722 multi_close_instance(m, mi, true);
723 }
724 hash_iterator_free(&hi);
725
726 multi_reap_all(m);
727
728 hash_free(m->hash);
729 hash_free(m->vhash);
730 hash_free(m->iter);
731#ifdef ENABLE_MANAGEMENT
732 hash_free(m->cid_hash);
733#endif
734 m->hash = NULL;
735
736 free(m->instances);
737
738#ifdef ENABLE_ASYNC_PUSH
739 hash_free(m->inotify_watchers);
740 m->inotify_watchers = NULL;
741#endif
742
743 schedule_free(m->schedule);
744 mbuf_free(m->mbuf);
745 ifconfig_pool_free(m->ifconfig_pool);
746 frequency_limit_free(m->new_connection_limiter);
747 initial_rate_limit_free(m->initial_rate_limiter);
748 multi_reap_free(m->reaper);
749 mroute_helper_free(m->route_helper);
750 multi_io_free(m->multi_io);
751 }
752}
753
754/*
755 * Create a client instance object for a newly connected client.
756 */
757struct multi_instance *
758multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
759 struct link_socket *sock)
760{
761 struct gc_arena gc = gc_new();
762 struct multi_instance *mi;
763
764 perf_push(PERF_MULTI_CREATE_INSTANCE);
765
766 msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
767
768 ALLOC_OBJ_CLEAR(mi, struct multi_instance);
769
770 mi->gc = gc_new();
771 multi_instance_inc_refcount(mi);
772 mi->vaddr_handle = -1;
773 mi->created = now;
774 mroute_addr_init(&mi->real);
775
776 if (real)
777 {
778 mi->real = *real;
779 generate_prefix(mi);
780 }
781
782 inherit_context_child(&mi->context, &m->top, sock);
783 if (IS_SIG(&mi->context))
784 {
785 goto err;
786 }
787
788 mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
789
790 if (hash_n_elements(m->hash) >= m->max_clients)
791 {
792 msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
793 goto err;
794 }
795
796 if (!real) /* TCP mode? */
797 {
798 if (!multi_tcp_instance_specific_init(m, mi))
799 {
800 goto err;
801 }
802 generate_prefix(mi);
803 }
804
805 if (!hash_add(m->iter, &mi->real, mi, false))
806 {
807 msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
808 mroute_addr_print(&mi->real, &gc));
809 goto err;
810 }
811 mi->did_iter = true;
812
813#ifdef ENABLE_MANAGEMENT
814 do
815 {
816 mi->context.c2.mda_context.cid = m->cid_counter++;
817 } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
818 mi->did_cid_hash = true;
819#endif
820
821 mi->context.c2.push_request_received = false;
822#ifdef ENABLE_ASYNC_PUSH
823 mi->inotify_watch = -1;
824#endif
825
826 if (!multi_process_post(m, mi, MPP_PRE_SELECT))
827 {
828 msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
829 goto err;
830 }
831
832 mi->ev_arg.type = EVENT_ARG_MULTI_INSTANCE;
833 mi->ev_arg.u.mi = mi;
834
835 perf_pop();
836 gc_free(&gc);
837 return mi;
838
839err:
840 multi_close_instance(m, mi, false);
841 perf_pop();
842 gc_free(&gc);
843 return NULL;
844}
845
846/*
847 * Dump tables -- triggered by SIGUSR2.
848 * If status file is defined, write to file.
849 * If status file is NULL, write to syslog.
850 */
851void
852multi_print_status(struct multi_context *m, struct status_output *so, const int version)
853{
854 if (m->hash)
855 {
856 struct gc_arena gc_top = gc_new();
857 struct hash_iterator hi;
858 const struct hash_element *he;
859
860 status_reset(so);
861
862 if (dco_enabled(&m->top.options))
863 {
864 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, true) < 0)
865 {
866 return;
867 }
868 }
869
870 if (version == 1)
871 {
872 /*
873 * Status file version 1
874 */
875 status_printf(so, "OpenVPN CLIENT LIST");
876 status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
877 status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
878 hash_iterator_init(m->hash, &hi);
879 while ((he = hash_iterator_next(&hi)))
880 {
881 struct gc_arena gc = gc_new();
882 const struct multi_instance *mi = (struct multi_instance *) he->value;
883
884 if (!mi->halt)
885 {
886 status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
887 tls_common_name(mi->context.c2.tls_multi, false),
888 mroute_addr_print(&mi->real, &gc),
889 mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
890 mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
891 time_string(mi->created, 0, false, &gc));
892 }
893 gc_free(&gc);
894 }
895 hash_iterator_free(&hi);
896
897 status_printf(so, "ROUTING TABLE");
898 status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
899 hash_iterator_init(m->vhash, &hi);
900 while ((he = hash_iterator_next(&hi)))
901 {
902 struct gc_arena gc = gc_new();
903 const struct multi_route *route = (struct multi_route *) he->value;
904
905 if (multi_route_defined(m, route))
906 {
907 const struct multi_instance *mi = route->instance;
908 const struct mroute_addr *ma = &route->addr;
909 char flags[2] = {0, 0};
910
911 if (route->flags & MULTI_ROUTE_CACHE)
912 {
913 flags[0] = 'C';
914 }
915 status_printf(so, "%s%s,%s,%s,%s",
916 mroute_addr_print(ma, &gc),
917 flags,
918 tls_common_name(mi->context.c2.tls_multi, false),
919 mroute_addr_print(&mi->real, &gc),
920 time_string(route->last_reference, 0, false, &gc));
921 }
922 gc_free(&gc);
923 }
924 hash_iterator_free(&hi);
925
926 status_printf(so, "GLOBAL STATS");
927 if (m->mbuf)
928 {
929 status_printf(so, "Max bcast/mcast queue length,%d",
930 mbuf_maximum_queued(m->mbuf));
931 }
932
933 status_printf(so, "END");
934 }
935 else if (version == 2 || version == 3)
936 {
937 const char sep = (version == 3) ? '\t' : ',';
938
939 /*
940 * Status file version 2 and 3
941 */
942 status_printf(so, "TITLE%c%s", sep, title_string);
943 status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
944 status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
945 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
946 hash_iterator_init(m->hash, &hi);
947 while ((he = hash_iterator_next(&hi)))
948 {
949 struct gc_arena gc = gc_new();
950 const struct multi_instance *mi = (struct multi_instance *) he->value;
951
952 if (!mi->halt)
953 {
954 status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
955#ifdef ENABLE_MANAGEMENT
956 "%lu"
957#else
958 ""
959#endif
960 "%c%" PRIu32 "%c%s",
961 sep, tls_common_name(mi->context.c2.tls_multi, false),
962 sep, mroute_addr_print(&mi->real, &gc),
963 sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
964 sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
965 sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
966 sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
967 sep, time_string(mi->created, 0, false, &gc),
968 sep, (unsigned int)mi->created,
969 sep, tls_username(mi->context.c2.tls_multi, false),
970#ifdef ENABLE_MANAGEMENT
971 sep, mi->context.c2.mda_context.cid,
972#else
973 sep,
974#endif
975 sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
976 sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
977 }
978 gc_free(&gc);
979 }
980 hash_iterator_free(&hi);
981
982 status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
983 sep, sep, sep, sep, sep, sep);
984 hash_iterator_init(m->vhash, &hi);
985 while ((he = hash_iterator_next(&hi)))
986 {
987 struct gc_arena gc = gc_new();
988 const struct multi_route *route = (struct multi_route *) he->value;
989
990 if (multi_route_defined(m, route))
991 {
992 const struct multi_instance *mi = route->instance;
993 const struct mroute_addr *ma = &route->addr;
994 char flags[2] = {0, 0};
995
996 if (route->flags & MULTI_ROUTE_CACHE)
997 {
998 flags[0] = 'C';
999 }
1000 status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1001 sep, mroute_addr_print(ma, &gc), flags,
1002 sep, tls_common_name(mi->context.c2.tls_multi, false),
1003 sep, mroute_addr_print(&mi->real, &gc),
1004 sep, time_string(route->last_reference, 0, false, &gc),
1005 sep, (unsigned int)route->last_reference);
1006 }
1007 gc_free(&gc);
1008 }
1009 hash_iterator_free(&hi);
1010
1011 if (m->mbuf)
1012 {
1013 status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1014 sep, sep, mbuf_maximum_queued(m->mbuf));
1015 }
1016
1017 status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
1018 status_printf(so, "END");
1019 }
1020 else
1021 {
1022 status_printf(so, "ERROR: bad status format version number");
1023 }
1024
1025#ifdef PACKET_TRUNCATION_CHECK
1026 {
1027 status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1028 hash_iterator_init(m->hash, &hi);
1029 while ((he = hash_iterator_next(&hi)))
1030 {
1031 struct gc_arena gc = gc_new();
1032 const struct multi_instance *mi = (struct multi_instance *) he->value;
1033
1034 if (!mi->halt)
1035 {
1036 status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
1037 tls_common_name(mi->context.c2.tls_multi, false),
1038 m->top.c2.n_trunc_tun_read,
1039 mi->context.c2.n_trunc_tun_write,
1040 mi->context.c2.n_trunc_pre_encrypt,
1041 mi->context.c2.n_trunc_post_decrypt);
1042 }
1043 gc_free(&gc);
1044 }
1045 hash_iterator_free(&hi);
1046 }
1047#endif /* ifdef PACKET_TRUNCATION_CHECK */
1048
1049 status_flush(so);
1050 gc_free(&gc_top);
1051 }
1052
1053#ifdef ENABLE_ASYNC_PUSH
1054 if (m->inotify_watchers)
1055 {
1056 msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1057 }
1058#endif
1059}
1060
1061/*
1062 * Learn a virtual address or route.
1063 * The learn will fail if the learn address
1064 * script/plugin fails. In this case the
1065 * return value may be != mi.
1066 * Return the instance which owns this route,
1067 * or NULL if none.
1068 */
1069static struct multi_instance *
1070multi_learn_addr(struct multi_context *m,
1071 struct multi_instance *mi,
1072 const struct mroute_addr *addr,
1073 const unsigned int flags)
1074{
1075 struct hash_element *he;
1076 const uint32_t hv = hash_value(m->vhash, addr);
1077 struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1078 struct multi_route *oldroute = NULL;
1079 struct multi_instance *owner = NULL;
1080 struct gc_arena gc = gc_new();
1081
1082 /* if route currently exists, get the instance which owns it */
1083 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1084 if (he)
1085 {
1086 oldroute = (struct multi_route *) he->value;
1087 }
1088 if (oldroute && multi_route_defined(m, oldroute))
1089 {
1090 owner = oldroute->instance;
1091 }
1092
1093 /* do we need to add address to hash table? */
1094 if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1095 && !mroute_addr_equal(addr, &m->local))
1096 {
1097 struct multi_route *newroute;
1098 bool learn_succeeded = false;
1099
1100 ALLOC_OBJ(newroute, struct multi_route);
1101 newroute->addr = *addr;
1102 newroute->instance = mi;
1103 newroute->flags = flags;
1104 newroute->last_reference = now;
1105 newroute->cache_generation = 0;
1106
1107 /* The cache is invalidated when cache_generation is incremented */
1108 if (flags & MULTI_ROUTE_CACHE)
1109 {
1110 newroute->cache_generation = m->route_helper->cache_generation;
1111 }
1112
1113 if (oldroute) /* route already exists? */
1114 {
1115 if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1116 {
1117 learn_succeeded = true;
1118 owner = mi;
1119 multi_instance_inc_refcount(mi);
1120 route_quota_inc(mi);
1121
1122 /* delete old route */
1123 multi_route_del(oldroute);
1124
1125 /* modify hash table entry, replacing old route */
1126 he->key = &newroute->addr;
1127 he->value = newroute;
1128 }
1129 }
1130 else
1131 {
1132 if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1133 {
1134 learn_succeeded = true;
1135 owner = mi;
1136 multi_instance_inc_refcount(mi);
1137 route_quota_inc(mi);
1138
1139 /* add new route */
1140 hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1141 }
1142 }
1143
1144 msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1145 learn_succeeded ? "" : " FAILED",
1146 mroute_addr_print(&newroute->addr, &gc),
1147 multi_instance_string(mi, false, &gc));
1148
1149 if (!learn_succeeded)
1150 {
1151 free(newroute);
1152 }
1153 }
1154 gc_free(&gc);
1155
1156 return owner;
1157}
1158
1159/*
1160 * Get client instance based on virtual address.
1161 */
1162static struct multi_instance *
1163multi_get_instance_by_virtual_addr(struct multi_context *m,
1164 const struct mroute_addr *addr,
1165 bool cidr_routing)
1166{
1167 struct multi_route *route;
1168 struct multi_instance *ret = NULL;
1169
1170 /* check for local address */
1171 if (mroute_addr_equal(addr, &m->local))
1172 {
1173 return NULL;
1174 }
1175
1176 route = (struct multi_route *) hash_lookup(m->vhash, addr);
1177
1178 /* does host route (possible cached) exist? */
1179 if (route && multi_route_defined(m, route))
1180 {
1181 struct multi_instance *mi = route->instance;
1182 route->last_reference = now;
1183 ret = mi;
1184 }
1185 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1186 {
1187 struct mroute_helper *rh = m->route_helper;
1188 struct mroute_addr tryaddr;
1189 int i;
1190
1191 /* cycle through each CIDR length */
1192 for (i = 0; i < rh->n_net_len; ++i)
1193 {
1194 tryaddr = *addr;
1195 tryaddr.type |= MR_WITH_NETBITS;
1196 tryaddr.netbits = rh->net_len[i];
1197 mroute_addr_mask_host_bits(&tryaddr);
1198
1199 /* look up a possible route with netbits netmask */
1200 route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1201
1202 if (route && multi_route_defined(m, route))
1203 {
1204 /* found an applicable route, cache host route */
1205 struct multi_instance *mi = route->instance;
1206 multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1207 ret = mi;
1208 break;
1209 }
1210 }
1211 }
1212
1213#ifdef ENABLE_DEBUG
1214 if (check_debug_level(D_MULTI_DEBUG))
1215 {
1216 struct gc_arena gc = gc_new();
1217 const char *addr_text = mroute_addr_print(addr, &gc);
1218 if (ret)
1219 {
1220 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1221 addr_text,
1222 multi_instance_string(ret, false, &gc),
1223 mroute_addr_print(&route->addr, &gc));
1224 }
1225 else
1226 {
1227 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1228 addr_text);
1229 }
1230 gc_free(&gc);
1231 }
1232#endif
1233
1234 ASSERT(!(ret && ret->halt));
1235 return ret;
1236}
1237
1238/*
1239 * Helper function to multi_learn_addr().
1240 */
1241static struct multi_instance *
1242multi_learn_in_addr_t(struct multi_context *m,
1243 struct multi_instance *mi,
1244 in_addr_t a,
1245 int netbits, /* -1 if host route, otherwise # of network bits in address */
1246 bool primary)
1247{
1248 struct openvpn_sockaddr remote_si;
1249 struct mroute_addr addr = {0};
1250
1251 CLEAR(remote_si);
1252 remote_si.addr.in4.sin_family = AF_INET;
1253 remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1254 addr.proto = 0;
1255 ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1256
1257 if (netbits >= 0)
1258 {
1259 addr.type |= MR_WITH_NETBITS;
1260 addr.netbits = (uint8_t) netbits;
1261 }
1262
1263 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1264#ifdef ENABLE_MANAGEMENT
1265 if (management && owner)
1266 {
1267 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1268 }
1269#endif
1270 if (!primary)
1271 {
1272 /* "primary" is the VPN ifconfig address of the peer and already
1273 * known to DCO, so only install "extra" iroutes (primary = false)
1274 */
1275 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1276 dco_install_iroute(m, mi, &addr);
1277 }
1278
1279 return owner;
1280}
1281
1282static struct multi_instance *
1283multi_learn_in6_addr(struct multi_context *m,
1284 struct multi_instance *mi,
1285 struct in6_addr a6,
1286 int netbits, /* -1 if host route, otherwise # of network bits in address */
1287 bool primary)
1288{
1289 struct mroute_addr addr = {0};
1290
1291 addr.len = 16;
1292 addr.type = MR_ADDR_IPV6;
1293 addr.netbits = 0;
1294 addr.v6.addr = a6;
1295
1296 if (netbits >= 0)
1297 {
1298 addr.type |= MR_WITH_NETBITS;
1299 addr.netbits = (uint8_t) netbits;
1300 mroute_addr_mask_host_bits( &addr );
1301 }
1302
1303 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1304#ifdef ENABLE_MANAGEMENT
1305 if (management && owner)
1306 {
1307 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1308 }
1309#endif
1310 if (!primary)
1311 {
1312 /* "primary" is the VPN ifconfig address of the peer and already
1313 * known to DCO, so only install "extra" iroutes (primary = false)
1314 */
1315 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1316 dco_install_iroute(m, mi, &addr);
1317 }
1318
1319 return owner;
1320}
1321
1322/*
1323 * A new client has connected, add routes (server -> client)
1324 * to internal routing table.
1325 */
1326static void
1327multi_add_iroutes(struct multi_context *m,
1328 struct multi_instance *mi)
1329{
1330 struct gc_arena gc = gc_new();
1331 const struct iroute *ir;
1332 const struct iroute_ipv6 *ir6;
1333 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1334 {
1335 mi->did_iroutes = true;
1336 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1337 {
1338 if (ir->netbits >= 0)
1339 {
1340 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1341 print_in_addr_t(ir->network, 0, &gc),
1342 ir->netbits,
1343 multi_instance_string(mi, false, &gc));
1344 }
1345 else
1346 {
1347 msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1348 print_in_addr_t(ir->network, 0, &gc),
1349 multi_instance_string(mi, false, &gc));
1350 }
1351
1352 mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1353
1354 multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1355 }
1356 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1357 {
1358 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1359 print_in6_addr(ir6->network, 0, &gc),
1360 ir6->netbits,
1361 multi_instance_string(mi, false, &gc));
1362
1363 mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1364
1365 multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1366 }
1367 }
1368 gc_free(&gc);
1369}
1370
1371/*
1372 * Given an instance (new_mi), delete all other instances which use the
1373 * same common name.
1374 */
1375static void
1376multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1377{
1378 if (new_mi)
1379 {
1380 const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1381 if (new_cn)
1382 {
1383 struct hash_iterator hi;
1384 struct hash_element *he;
1385 int count = 0;
1386
1387 hash_iterator_init(m->iter, &hi);
1388 while ((he = hash_iterator_next(&hi)))
1389 {
1390 struct multi_instance *mi = (struct multi_instance *) he->value;
1391 if (mi != new_mi && !mi->halt)
1392 {
1393 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1394 if (cn && !strcmp(cn, new_cn))
1395 {
1396 mi->did_iter = false;
1397 multi_close_instance(m, mi, false);
1398 hash_iterator_delete_element(&hi);
1399 ++count;
1400 }
1401 }
1402 }
1403 hash_iterator_free(&hi);
1404
1405 if (count)
1406 {
1407 msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1408 }
1409 }
1410 }
1411}
1412
1413static void
1414check_stale_routes(struct multi_context *m)
1415{
1416
1417 struct gc_arena gc = gc_new();
1418 struct hash_iterator hi;
1419 struct hash_element *he;
1420
1421 dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1422 hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1423 while ((he = hash_iterator_next(&hi)) != NULL)
1424 {
1425 struct multi_route *r = (struct multi_route *) he->value;
1426 if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1427 {
1428 dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1429 mroute_addr_print(&r->addr, &gc));
1430 learn_address_script(m, NULL, "delete", &r->addr);
1431 multi_route_del(r);
1432 hash_iterator_delete_element(&hi);
1433 }
1434 }
1435 hash_iterator_free(&hi);
1436 gc_free(&gc);
1437}
1438
1439/*
1440 * Ensure that endpoint to be pushed to client
1441 * complies with --ifconfig-push-constraint directive.
1442 */
1443static bool
1444ifconfig_push_constraint_satisfied(const struct context *c)
1445{
1446 const struct options *o = &c->options;
1447 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1448 {
1449 return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1450 }
1451 else
1452 {
1453 return true;
1454 }
1455}
1456
1457/*
1458 * Select a virtual address for a new client instance.
1459 * Use an --ifconfig-push directive, if given (static IP).
1460 * Otherwise use an --ifconfig-pool address (dynamic IP).
1461 */
1462static void
1463multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1464{
1465 struct gc_arena gc = gc_new();
1466
1467 /*
1468 * If ifconfig addresses were set by dynamic config file,
1469 * release pool addresses, otherwise keep them.
1470 */
1471 if (mi->context.options.push_ifconfig_defined)
1472 {
1473 /* ifconfig addresses were set statically,
1474 * release dynamic allocation */
1475 if (mi->vaddr_handle >= 0)
1476 {
1477 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1478 mi->vaddr_handle = -1;
1479 }
1480
1481 mi->context.c2.push_ifconfig_defined = true;
1482 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1483 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1484 mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1485
1486 /* the current implementation does not allow "static IPv4, pool IPv6",
1487 * (see below) so issue a warning if that happens - don't break the
1488 * session, though, as we don't even know if this client WANTS IPv6
1489 */
1490 if (mi->context.options.ifconfig_ipv6_pool_defined
1491 && !mi->context.options.push_ifconfig_ipv6_defined)
1492 {
1493 msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1494 }
1495 }
1496 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1497 {
1498 in_addr_t local = 0, remote = 0;
1499 struct in6_addr remote_ipv6;
1500 const char *cn = NULL;
1501
1502 if (!mi->context.options.duplicate_cn)
1503 {
1504 cn = tls_common_name(mi->context.c2.tls_multi, true);
1505 }
1506
1507 CLEAR(remote_ipv6);
1508 mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1509 if (mi->vaddr_handle >= 0)
1510 {
1511 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1512 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1513
1514 msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1515 (mi->context.options.ifconfig_pool_defined
1516 ? print_in_addr_t(remote, 0, &gc)
1517 : "(Not enabled)"),
1518 (mi->context.options.ifconfig_ipv6_pool_defined
1519 ? print_in6_addr( remote_ipv6, 0, &gc )
1520 : "(Not enabled)") );
1521
1522 if (mi->context.options.ifconfig_pool_defined)
1523 {
1524 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1525 mi->context.c2.push_ifconfig_local = remote;
1526 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1527 {
1528 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1529 if (!mi->context.c2.push_ifconfig_remote_netmask)
1530 {
1531 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1532 }
1533 }
1534 else if (tunnel_type == DEV_TYPE_TUN)
1535 {
1536 if (tunnel_topology == TOP_P2P)
1537 {
1538 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1539 }
1540 else if (tunnel_topology == TOP_NET30)
1541 {
1542 mi->context.c2.push_ifconfig_remote_netmask = local;
1543 }
1544 }
1545
1546 if (mi->context.c2.push_ifconfig_remote_netmask)
1547 {
1548 mi->context.c2.push_ifconfig_defined = true;
1549 }
1550 else
1551 {
1552 msg(D_MULTI_ERRORS,
1553 "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1554 multi_instance_string(mi, false, &gc));
1555 }
1556 }
1557
1558 if (mi->context.options.ifconfig_ipv6_pool_defined)
1559 {
1560 mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1561 mi->context.c2.push_ifconfig_ipv6_remote =
1562 mi->context.c1.tuntap->local_ipv6;
1563 mi->context.c2.push_ifconfig_ipv6_netbits =
1564 mi->context.options.ifconfig_ipv6_netbits;
1565 mi->context.c2.push_ifconfig_ipv6_defined = true;
1566 }
1567 }
1568 else
1569 {
1570 msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1571 }
1572 }
1573
1574 /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1575 * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1576 * will fail (because no pool will be allocated in this case).
1577 * OTOH, this doesn't make too much sense in reality - and the other
1578 * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1579 * -> and so it's implemented right now
1580 */
1581 if (mi->context.options.push_ifconfig_ipv6_defined)
1582 {
1583 mi->context.c2.push_ifconfig_ipv6_local =
1584 mi->context.options.push_ifconfig_ipv6_local;
1585 mi->context.c2.push_ifconfig_ipv6_remote =
1586 mi->context.options.push_ifconfig_ipv6_remote;
1587 mi->context.c2.push_ifconfig_ipv6_netbits =
1588 mi->context.options.push_ifconfig_ipv6_netbits;
1589 mi->context.c2.push_ifconfig_ipv6_defined = true;
1590
1591 msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1592 print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1593 mi->context.c2.push_ifconfig_ipv6_netbits );
1594 }
1595
1596 gc_free(&gc);
1597}
1598
1599/*
1600 * Set virtual address environmental variables.
1601 */
1602static void
1603multi_set_virtual_addr_env(struct multi_instance *mi)
1604{
1605 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1606 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1607 setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1608
1609 if (mi->context.c2.push_ifconfig_defined)
1610 {
1611 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1612 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1613
1614 setenv_in_addr_t(mi->context.c2.es,
1615 "ifconfig_pool_remote_ip",
1616 mi->context.c2.push_ifconfig_local,
1617 SA_SET_IF_NONZERO);
1618
1619 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1620 {
1621 setenv_in_addr_t(mi->context.c2.es,
1622 "ifconfig_pool_netmask",
1623 mi->context.c2.push_ifconfig_remote_netmask,
1624 SA_SET_IF_NONZERO);
1625 }
1626 else if (tunnel_type == DEV_TYPE_TUN)
1627 {
1628 setenv_in_addr_t(mi->context.c2.es,
1629 "ifconfig_pool_local_ip",
1630 mi->context.c2.push_ifconfig_remote_netmask,
1631 SA_SET_IF_NONZERO);
1632 }
1633 }
1634
1635 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1636 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1637 setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1638
1639 if (mi->context.c2.push_ifconfig_ipv6_defined)
1640 {
1641 setenv_in6_addr(mi->context.c2.es,
1642 "ifconfig_pool_remote",
1643 &mi->context.c2.push_ifconfig_ipv6_local,
1644 SA_SET_IF_NONZERO);
1645 setenv_in6_addr(mi->context.c2.es,
1646 "ifconfig_pool_local",
1647 &mi->context.c2.push_ifconfig_ipv6_remote,
1648 SA_SET_IF_NONZERO);
1649 setenv_int(mi->context.c2.es,
1650 "ifconfig_pool_ip6_netbits",
1651 mi->context.c2.push_ifconfig_ipv6_netbits);
1652 }
1653}
1654
1655/*
1656 * Called after client-connect script is called
1657 */
1658static void
1659multi_client_connect_post(struct multi_context *m,
1660 struct multi_instance *mi,
1661 const char *dc_file,
1662 unsigned int *option_types_found)
1663{
1664 /* Did script generate a dynamic config file? */
1665 if (platform_test_file(dc_file))
1666 {
1667 options_server_import(&mi->context.options,
1668 dc_file,
1669 D_IMPORT_ERRORS|M_OPTERR,
1670 CLIENT_CONNECT_OPT_MASK,
1671 option_types_found,
1672 mi->context.c2.es);
1673
1674 /*
1675 * If the --client-connect script generates a config file
1676 * with an --ifconfig-push directive, it will override any
1677 * --ifconfig-push directive from the --client-config-dir
1678 * directory or any --ifconfig-pool dynamic address.
1679 */
1680 multi_select_virtual_addr(m, mi);
1681 multi_set_virtual_addr_env(mi);
1682 }
1683}
1684
1685#ifdef ENABLE_PLUGIN
1686
1687/*
1688 * Called after client-connect plug-in is called
1689 */
1690static void
1691multi_client_connect_post_plugin(struct multi_context *m,
1692 struct multi_instance *mi,
1693 const struct plugin_return *pr,
1694 unsigned int *option_types_found)
1695{
1696 struct plugin_return config;
1697
1698 plugin_return_get_column(pr, &config, "config");
1699
1700 /* Did script generate a dynamic config file? */
1701 if (plugin_return_defined(&config))
1702 {
1703 int i;
1704 for (i = 0; i < config.n; ++i)
1705 {
1706 if (config.list[i] && config.list[i]->value)
1707 {
1708 options_string_import(&mi->context.options,
1709 config.list[i]->value,
1710 D_IMPORT_ERRORS|M_OPTERR,
1711 CLIENT_CONNECT_OPT_MASK,
1712 option_types_found,
1713 mi->context.c2.es);
1714 }
1715 }
1716
1717 /*
1718 * If the --client-connect script generates a config file
1719 * with an --ifconfig-push directive, it will override any
1720 * --ifconfig-push directive from the --client-config-dir
1721 * directory or any --ifconfig-pool dynamic address.
1722 */
1723 multi_select_virtual_addr(m, mi);
1724 multi_set_virtual_addr_env(mi);
1725 }
1726}
1727
1728#endif /* ifdef ENABLE_PLUGIN */
1729
1730
1731/*
1732 * Called to load management-derived client-connect config
1733 */
1734enum client_connect_return
1735multi_client_connect_mda(struct multi_context *m,
1736 struct multi_instance *mi,
1737 bool deferred,
1738 unsigned int *option_types_found)
1739{
1740 /* We never return CC_RET_DEFERRED */
1741 ASSERT(!deferred);
1742 enum client_connect_return ret = CC_RET_SKIPPED;
1743#ifdef ENABLE_MANAGEMENT
1744 if (mi->cc_config)
1745 {
1746 struct buffer_entry *be;
1747 for (be = mi->cc_config->head; be != NULL; be = be->next)
1748 {
1749 const char *opt = BSTR(&be->buf);
1750 options_string_import(&mi->context.options,
1751 opt,
1752 D_IMPORT_ERRORS|M_OPTERR,
1753 CLIENT_CONNECT_OPT_MASK,
1754 option_types_found,
1755 mi->context.c2.es);
1756 }
1757
1758 /*
1759 * If the --client-connect script generates a config file
1760 * with an --ifconfig-push directive, it will override any
1761 * --ifconfig-push directive from the --client-config-dir
1762 * directory or any --ifconfig-pool dynamic address.
1763 */
1764 multi_select_virtual_addr(m, mi);
1765 multi_set_virtual_addr_env(mi);
1766
1767 ret = CC_RET_SUCCEEDED;
1768 }
1769#endif /* ifdef ENABLE_MANAGEMENT */
1770 return ret;
1771}
1772
1773static void
1774multi_client_connect_setenv(struct multi_instance *mi)
1775{
1776 struct gc_arena gc = gc_new();
1777
1778 /* setenv incoming cert common name for script */
1779 setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1780
1781 /* setenv client real IP address */
1782 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1783
1784 /* setenv client virtual IP address */
1785 multi_set_virtual_addr_env(mi);
1786
1787 /* setenv connection time */
1788 {
1789 const char *created_ascii = time_string(mi->created, 0, false, &gc);
1790 setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1791 setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1792 }
1793
1794 gc_free(&gc);
1795}
1796
1803static bool
1804multi_client_set_protocol_options(struct context *c)
1805{
1806 struct tls_multi *tls_multi = c->c2.tls_multi;
1807 const char *const peer_info = tls_multi->peer_info;
1808 struct options *o = &c->options;
1809
1810
1811 unsigned int proto = extract_iv_proto(peer_info);
1812 if (proto & IV_PROTO_DATA_V2)
1813 {
1814 tls_multi->use_peer_id = true;
1815 o->use_peer_id = true;
1816 }
1817 else if (dco_enabled(o))
1818 {
1819 msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
1820 "requires DATA_V2. Dropping client.");
1821 auth_set_client_reason(tls_multi, "Data channel negotiation "
1822 "failed (missing DATA_V2)");
1823 return false;
1824 }
1825
1826 /* Print a warning if we detect the client being in P2P mode and will
1827 * not accept our pushed ciphers */
1828 if (proto & IV_PROTO_NCP_P2P)
1829 {
1830 msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
1831 "option). It will not negotiate ciphers with this server. "
1832 "Expect this connection to fail.");
1833 }
1834
1835 if (proto & IV_PROTO_REQUEST_PUSH)
1836 {
1837 c->c2.push_request_received = true;
1838 }
1839
1840 if (proto & IV_PROTO_TLS_KEY_EXPORT)
1841 {
1842 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1843 }
1844 else if (o->force_key_material_export)
1845 {
1846 msg(M_INFO, "PUSH: client does not support TLS Keying Material "
1847 "Exporters but --force-tls-key-material-export is enabled.");
1848 auth_set_client_reason(tls_multi, "Client incompatible with this "
1849 "server. Keying Material Exporters (RFC 5705) "
1850 "support missing. Upgrade to a client that "
1851 "supports this feature (OpenVPN 2.6.0+).");
1852 return false;
1853 }
1854 if (proto & IV_PROTO_DYN_TLS_CRYPT)
1855 {
1856 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1857 }
1858
1859 if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1860 {
1861 o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1862 }
1863
1864 /* Select cipher if client supports Negotiable Crypto Parameters */
1865
1866 /* if we have already created our key, we cannot *change* our own
1867 * cipher -> so log the fact and push the "what we have now" cipher
1868 * (so the client is always told what we expect it to use)
1869 */
1870 if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1871 {
1872 msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1873 "server has already generated data channel keys, "
1874 "re-sending previously negotiated cipher '%s'",
1875 o->ciphername );
1876 return true;
1877 }
1878
1879 /*
1880 * Push the first cipher from --data-ciphers to the client that
1881 * the client announces to be supporting.
1882 */
1883 char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1884 tls_multi->remote_ciphername,
1885 &o->gc);
1886 if (push_cipher)
1887 {
1888 /* Enable epoch data key format if supported and AEAD cipher in use */
1889 if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported
1890 && (proto & IV_PROTO_DATA_EPOCH) && cipher_kt_mode_aead(push_cipher))
1891 {
1892 o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
1893 }
1894
1895 o->ciphername = push_cipher;
1896 return true;
1897 }
1898
1899 /* NCP cipher negotiation failed. Try to figure out why exactly it
1900 * failed and give good error messages and potentially do a fallback
1901 * for non NCP clients */
1902 struct gc_arena gc = gc_new();
1903 bool ret = false;
1904
1905 const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1906 /* If we are in a situation where we know the client ciphers, there is no
1907 * reason to fall back to a cipher that will not be accepted by the other
1908 * side, in this situation we fail the auth*/
1909 if (strlen(peer_ciphers) > 0)
1910 {
1911 msg(M_INFO, "PUSH: No common cipher between server and client. "
1912 "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
1913 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
1914 }
1915 else if (tls_multi->remote_ciphername)
1916 {
1917 msg(M_INFO, "PUSH: No common cipher between server and client. "
1918 "Server data-ciphers: '%s'%s, client supports cipher '%s'",
1919 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc),
1920 tls_multi->remote_ciphername);
1921 }
1922 else
1923 {
1924 msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1925
1926 if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1927 {
1928 msg(M_INFO, "Using data channel cipher '%s' since "
1929 "--data-ciphers-fallback is set.", o->ciphername);
1930 ret = true;
1931 }
1932 else
1933 {
1934 msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1935 "client is using if you want to allow the client to connect");
1936 }
1937 }
1938 if (!ret)
1939 {
1940 auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1941 "failed (no shared cipher)");
1942 }
1943
1944 gc_free(&gc);
1945 return ret;
1946}
1947
1952static void
1953ccs_delete_deferred_ret_file(struct multi_instance *mi)
1954{
1955 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1956 if (!ccs->deferred_ret_file)
1957 {
1958 return;
1959 }
1960
1961 setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1962 if (!platform_unlink(ccs->deferred_ret_file))
1963 {
1964 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1965 ccs->deferred_ret_file);
1966 }
1967 free(ccs->deferred_ret_file);
1968 ccs->deferred_ret_file = NULL;
1969}
1970
1978static bool
1979ccs_gen_deferred_ret_file(struct multi_instance *mi)
1980{
1981 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1982 struct gc_arena gc = gc_new();
1983 const char *fn;
1984
1985 /* Delete file if it already exists */
1986 ccs_delete_deferred_ret_file(mi);
1987
1988 fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1989 if (!fn)
1990 {
1991 gc_free(&gc);
1992 return false;
1993 }
1994 ccs->deferred_ret_file = string_alloc(fn, NULL);
1995
1996 setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1997 ccs->deferred_ret_file);
1998
1999 gc_free(&gc);
2000 return true;
2001}
2002
2011static enum client_connect_return
2012ccs_test_deferred_ret_file(struct multi_instance *mi)
2013{
2014 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2015 FILE *fp = fopen(ccs->deferred_ret_file, "r");
2016 if (!fp)
2017 {
2018 return CC_RET_SKIPPED;
2019 }
2020
2021 enum client_connect_return ret = CC_RET_SKIPPED;
2022 const int c = fgetc(fp);
2023 switch (c)
2024 {
2025 case '0':
2026 ret = CC_RET_FAILED;
2027 break;
2028
2029 case '1':
2030 ret = CC_RET_SUCCEEDED;
2031 break;
2032
2033 case '2':
2034 ret = CC_RET_DEFERRED;
2035 break;
2036
2037 case EOF:
2038 if (feof(fp))
2039 {
2040 ret = CC_RET_SKIPPED;
2041 break;
2042 }
2043
2044 /* Not EOF but other error -> fall through to error state */
2045 default:
2046 /* We received an unknown/unexpected value. Assume failure. */
2047 msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
2048 "client-connect resultfile");
2049 ret = CC_RET_FAILED;
2050 }
2051 fclose(fp);
2052
2053 return ret;
2054}
2055
2061static void
2062ccs_delete_config_file(struct multi_instance *mi)
2063{
2064 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2065 if (ccs->config_file)
2066 {
2067 setenv_del(mi->context.c2.es, "client_connect_config_file");
2068 if (!platform_unlink(ccs->config_file))
2069 {
2070 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2071 ccs->config_file);
2072 }
2073 free(ccs->config_file);
2074 ccs->config_file = NULL;
2075 }
2076}
2077
2085static bool
2086ccs_gen_config_file(struct multi_instance *mi)
2087{
2088 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2089 struct gc_arena gc = gc_new();
2090 const char *fn;
2091
2092 if (ccs->config_file)
2093 {
2094 ccs_delete_config_file(mi);
2095 }
2096
2097 fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2098 if (!fn)
2099 {
2100 gc_free(&gc);
2101 return false;
2102 }
2103 ccs->config_file = string_alloc(fn, NULL);
2104
2105 setenv_str(mi->context.c2.es, "client_connect_config_file",
2106 ccs->config_file);
2107
2108 gc_free(&gc);
2109 return true;
2110}
2111
2112static enum client_connect_return
2113multi_client_connect_call_plugin_v1(struct multi_context *m,
2114 struct multi_instance *mi,
2115 bool deferred,
2116 unsigned int *option_types_found)
2117{
2118 enum client_connect_return ret = CC_RET_SKIPPED;
2119#ifdef ENABLE_PLUGIN
2120 ASSERT(m);
2121 ASSERT(mi);
2122 ASSERT(option_types_found);
2123 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2124
2125 /* deprecated callback, use a file for passing back return info */
2126 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2127 {
2128 struct argv argv = argv_new();
2129 int call;
2130
2131 if (!deferred)
2132 {
2133 call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2134 if (!ccs_gen_config_file(mi)
2135 || !ccs_gen_deferred_ret_file(mi))
2136 {
2137 ret = CC_RET_FAILED;
2138 goto cleanup;
2139 }
2140 }
2141 else
2142 {
2143 call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2144 /* the initial call should have created these files */
2145 ASSERT(ccs->config_file);
2146 ASSERT(ccs->deferred_ret_file);
2147 }
2148
2149 argv_printf(&argv, "%s", ccs->config_file);
2150 int plug_ret = plugin_call(mi->context.plugins, call,
2151 &argv, NULL, mi->context.c2.es);
2152 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2153 {
2154 ret = CC_RET_SUCCEEDED;
2155 }
2156 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2157 {
2158 ret = CC_RET_DEFERRED;
2164 }
2165 else
2166 {
2167 msg(M_WARN, "WARNING: client-connect plugin call failed");
2168 ret = CC_RET_FAILED;
2169 }
2170
2171
2177 int file_ret = ccs_test_deferred_ret_file(mi);
2178
2179 if (file_ret == CC_RET_FAILED)
2180 {
2181 ret = CC_RET_FAILED;
2182 }
2183 else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2184 {
2185 ret = CC_RET_DEFERRED;
2186 }
2187
2188 /* if we still think we have succeeded, do postprocessing */
2189 if (ret == CC_RET_SUCCEEDED)
2190 {
2191 multi_client_connect_post(m, mi, ccs->config_file,
2192 option_types_found);
2193 }
2194cleanup:
2195 argv_free(&argv);
2196
2197 if (ret != CC_RET_DEFERRED)
2198 {
2199 ccs_delete_config_file(mi);
2200 ccs_delete_deferred_ret_file(mi);
2201 }
2202 }
2203#endif /* ifdef ENABLE_PLUGIN */
2204 return ret;
2205}
2206
2207static enum client_connect_return
2208multi_client_connect_call_plugin_v2(struct multi_context *m,
2209 struct multi_instance *mi,
2210 bool deferred,
2211 unsigned int *option_types_found)
2212{
2213 enum client_connect_return ret = CC_RET_SKIPPED;
2214#ifdef ENABLE_PLUGIN
2215 ASSERT(m);
2216 ASSERT(mi);
2217 ASSERT(option_types_found);
2218
2219 int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2220 OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2221 /* V2 callback, use a plugin_return struct for passing back return info */
2222 if (plugin_defined(mi->context.plugins, call))
2223 {
2224 struct plugin_return pr;
2225
2226 plugin_return_init(&pr);
2227
2228 int plug_ret = plugin_call(mi->context.plugins, call,
2229 NULL, &pr, mi->context.c2.es);
2230 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2231 {
2232 multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2233 ret = CC_RET_SUCCEEDED;
2234 }
2235 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2236 {
2237 ret = CC_RET_DEFERRED;
2238 if (!(plugin_defined(mi->context.plugins,
2239 OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2240 {
2241 msg(M_WARN, "A plugin that defers from the "
2242 "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2243 "declare support for "
2244 "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2245 ret = CC_RET_FAILED;
2246 }
2247 }
2248 else
2249 {
2250 msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2251 ret = CC_RET_FAILED;
2252 }
2253
2254
2255 plugin_return_free(&pr);
2256 }
2257#endif /* ifdef ENABLE_PLUGIN */
2258 return ret;
2259}
2260
2261static enum client_connect_return
2262multi_client_connect_script_deferred(struct multi_context *m,
2263 struct multi_instance *mi,
2264 unsigned int *option_types_found)
2265{
2266 ASSERT(mi);
2267 ASSERT(option_types_found);
2268 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2269 enum client_connect_return ret = CC_RET_SKIPPED;
2270
2271 ret = ccs_test_deferred_ret_file(mi);
2272
2273 if (ret == CC_RET_SKIPPED)
2274 {
2275 /*
2276 * Skipped and deferred are equivalent in this context.
2277 * skipped means that the called program has not yet
2278 * written a return status implicitly needing more time
2279 * while deferred is the explicit notification that it
2280 * needs more time
2281 */
2282 ret = CC_RET_DEFERRED;
2283 }
2284
2285 if (ret == CC_RET_SUCCEEDED)
2286 {
2287 ccs_delete_deferred_ret_file(mi);
2288 multi_client_connect_post(m, mi, ccs->config_file,
2289 option_types_found);
2290 ccs_delete_config_file(mi);
2291 }
2292 if (ret == CC_RET_FAILED)
2293 {
2294 msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2295 ccs_delete_deferred_ret_file(mi);
2296 ccs_delete_config_file(mi);
2297 }
2298 return ret;
2299}
2300
2304static enum client_connect_return
2305multi_client_connect_call_script(struct multi_context *m,
2306 struct multi_instance *mi,
2307 bool deferred,
2308 unsigned int *option_types_found)
2309{
2310 if (deferred)
2311 {
2312 return multi_client_connect_script_deferred(m, mi, option_types_found);
2313 }
2314 ASSERT(m);
2315 ASSERT(mi);
2316
2317 enum client_connect_return ret = CC_RET_SKIPPED;
2318 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2319
2320 if (mi->context.options.client_connect_script)
2321 {
2322 struct argv argv = argv_new();
2323 struct gc_arena gc = gc_new();
2324
2325 setenv_str(mi->context.c2.es, "script_type", "client-connect");
2326
2327 if (!ccs_gen_config_file(mi)
2328 || !ccs_gen_deferred_ret_file(mi))
2329 {
2330 ret = CC_RET_FAILED;
2331 goto cleanup;
2332 }
2333
2334 argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2335 argv_printf_cat(&argv, "%s", ccs->config_file);
2336
2337 if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2338 {
2339 if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2340 {
2341 ret = CC_RET_DEFERRED;
2342 }
2343 else
2344 {
2345 multi_client_connect_post(m, mi, ccs->config_file,
2346 option_types_found);
2347 ret = CC_RET_SUCCEEDED;
2348 }
2349 }
2350 else
2351 {
2352 ret = CC_RET_FAILED;
2353 }
2354cleanup:
2355 if (ret != CC_RET_DEFERRED)
2356 {
2357 ccs_delete_config_file(mi);
2358 ccs_delete_deferred_ret_file(mi);
2359 }
2360 argv_free(&argv);
2361 gc_free(&gc);
2362 }
2363 return ret;
2364}
2365
2366static bool
2367multi_client_setup_dco_initial(struct multi_context *m,
2368 struct multi_instance *mi,
2369 struct gc_arena *gc)
2370{
2371 if (!dco_enabled(&mi->context.options))
2372 {
2373 /* DCO not enabled, nothing to do, return sucess */
2374 return true;
2375 }
2376 int ret = dco_multi_add_new_peer(m, mi);
2377 if (ret < 0)
2378 {
2379 msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)",
2380 multi_instance_string(mi, false, gc), strerror(-ret), ret);
2381 return false;
2382 }
2383
2384 return true;
2385}
2386
2390static bool
2391multi_client_generate_tls_keys(struct context *c)
2392{
2393 struct frame *frame_fragment = NULL;
2394#ifdef ENABLE_FRAGMENT
2395 if (c->options.ce.fragment)
2396 {
2397 frame_fragment = &c->c2.frame_fragment;
2398 }
2399#endif
2400 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2401 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2402 &c->c2.frame, frame_fragment,
2403 get_link_socket_info(c),
2404 &c->c1.tuntap->dco))
2405 {
2406 msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2407 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2408 return false;
2409 }
2410
2411 return true;
2412}
2413
2414static void
2415multi_client_connect_late_setup(struct multi_context *m,
2416 struct multi_instance *mi,
2417 const unsigned int option_types_found)
2418{
2419 ASSERT(m);
2420 ASSERT(mi);
2421
2422 struct gc_arena gc = gc_new();
2423 /*
2424 * Process sourced options.
2425 */
2426 do_deferred_options(&mi->context, option_types_found);
2427
2428 /*
2429 * make sure we got ifconfig settings from somewhere
2430 */
2431 if (!mi->context.c2.push_ifconfig_defined)
2432 {
2433 msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote "
2434 "--ifconfig address is available for %s",
2435 multi_instance_string(mi, false, &gc));
2436 }
2437
2438 /*
2439 * make sure that ifconfig settings comply with constraints
2440 */
2441 if (!ifconfig_push_constraint_satisfied(&mi->context))
2442 {
2443 const char *ifconfig_constraint_network =
2444 print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2445 const char *ifconfig_constraint_netmask =
2446 print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2447
2448 /* JYFIXME -- this should cause the connection to fail */
2449 msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) "
2450 "violates tunnel network/netmask constraint (%s/%s)",
2451 multi_instance_string(mi, false, &gc),
2452 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2453 ifconfig_constraint_network, ifconfig_constraint_netmask);
2454 }
2455
2456 /* set our client's VPN endpoint for status reporting purposes */
2457 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2458 mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2459
2460 /* set context-level authentication flag */
2461 mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2462
2463 /* Since dco-win maintains iroute routing table (subnet -> peer),
2464 * peer must be added before iroutes. For other platforms it doesn't matter. */
2465
2466 /* authentication complete, calculate dynamic client specific options */
2467 if (!multi_client_set_protocol_options(&mi->context))
2468 {
2469 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2470 }
2471 /* only continue if setting protocol options worked */
2472 else if (!multi_client_setup_dco_initial(m, mi, &gc))
2473 {
2474 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2475 }
2476 /* Generate data channel keys only if setting protocol options
2477 * and DCO initial setup has not failed */
2478 else if (!multi_client_generate_tls_keys(&mi->context))
2479 {
2480 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2481 }
2482
2483 /* dco peer has been added, it is now safe for Windows to add iroutes */
2484
2485 /*
2486 * For routed tunnels, set up internal route to endpoint
2487 * plus add all iroute routes.
2488 */
2489 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2490 {
2491 if (mi->context.c2.push_ifconfig_defined)
2492 {
2493 multi_learn_in_addr_t(m, mi,
2494 mi->context.c2.push_ifconfig_local,
2495 -1, true);
2496 msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2497 multi_instance_string(mi, false, &gc),
2498 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2499 }
2500
2501 if (mi->context.c2.push_ifconfig_ipv6_defined)
2502 {
2503 multi_learn_in6_addr(m, mi,
2504 mi->context.c2.push_ifconfig_ipv6_local,
2505 -1, true);
2506 /* TODO: find out where addresses are "unlearned"!! */
2507 const char *ifconfig_local_ipv6 =
2508 print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2509 msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2510 multi_instance_string(mi, false, &gc),
2511 ifconfig_local_ipv6);
2512 }
2513
2514 /* add routes locally, pointing to new client, if
2515 * --iroute options have been specified */
2516 multi_add_iroutes(m, mi);
2517
2518 /*
2519 * iroutes represent subnets which are "owned" by a particular
2520 * client. Therefore, do not actually push a route to a client
2521 * if it matches one of the client's iroutes.
2522 */
2523 remove_iroutes_from_push_route_list(&mi->context.options);
2524 }
2525 else if (mi->context.options.iroutes)
2526 {
2527 msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute "
2528 "only works with tun-style tunnels",
2529 multi_instance_string(mi, false, &gc));
2530 }
2531
2532 /* send push reply if ready */
2533 if (mi->context.c2.push_request_received)
2534 {
2535 process_incoming_push_request(&mi->context);
2536 }
2537 gc_free(&gc);
2538}
2539
2540static void
2541multi_client_connect_early_setup(struct multi_context *m,
2542 struct multi_instance *mi)
2543{
2544 ASSERT(mi->context.c1.tuntap);
2545 /*
2546 * lock down the common name and cert hashes so they can't change
2547 * during future TLS renegotiations
2548 */
2549 tls_lock_common_name(mi->context.c2.tls_multi);
2550 tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2551
2552 /* generate a msg() prefix for this client instance */
2553 generate_prefix(mi);
2554
2555 /* delete instances of previous clients with same common-name */
2556 if (!mi->context.options.duplicate_cn)
2557 {
2558 multi_delete_dup(m, mi);
2559 }
2560
2561 /* reset pool handle to null */
2562 mi->vaddr_handle = -1;
2563
2564 /* do --client-connect setenvs */
2565 multi_select_virtual_addr(m, mi);
2566
2567 multi_client_connect_setenv(mi);
2568}
2569
2576static enum client_connect_return
2577multi_client_connect_compress_migrate(struct multi_context *m,
2578 struct multi_instance *mi,
2579 bool deferred,
2580 unsigned int *option_types_found)
2581{
2582#ifdef USE_COMP
2583 struct options *o = &mi->context.options;
2584 const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2585
2586 if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2587 {
2588 if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2589 {
2590 push_option(o, "compress stub-v2", M_USAGE);
2591 }
2592 else
2593 {
2594 /* Client is old and does not support STUBv2 but since it
2595 * announced comp-lzo via OCC we assume it uses comp-lzo, so
2596 * switch to that and push the uncompressed variant. */
2597 push_option(o, "comp-lzo no", M_USAGE);
2598 o->comp.alg = COMP_ALG_STUB;
2599 *option_types_found |= OPT_P_COMP;
2600 }
2601 }
2602#endif
2603 return CC_RET_SUCCEEDED;
2604}
2605
2610static enum client_connect_return
2611multi_client_connect_source_ccd(struct multi_context *m,
2612 struct multi_instance *mi,
2613 bool deferred,
2614 unsigned int *option_types_found)
2615{
2616 /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2617 * problem */
2618 ASSERT(!deferred);
2619 enum client_connect_return ret = CC_RET_SKIPPED;
2620 if (mi->context.options.client_config_dir)
2621 {
2622 struct gc_arena gc = gc_new();
2623 const char *ccd_file = NULL;
2624
2625 const char *ccd_client =
2626 platform_gen_path(mi->context.options.client_config_dir,
2627 tls_common_name(mi->context.c2.tls_multi, false),
2628 &gc);
2629
2630 const char *ccd_default =
2631 platform_gen_path(mi->context.options.client_config_dir,
2632 CCD_DEFAULT, &gc);
2633
2634
2635 /* try common-name file */
2636 if (platform_test_file(ccd_client))
2637 {
2638 ccd_file = ccd_client;
2639 }
2640 /* try default file */
2641 else if (platform_test_file(ccd_default))
2642 {
2643 ccd_file = ccd_default;
2644 }
2645
2646 if (ccd_file)
2647 {
2648 options_server_import(&mi->context.options,
2649 ccd_file,
2650 D_IMPORT_ERRORS|M_OPTERR,
2651 CLIENT_CONNECT_OPT_MASK,
2652 option_types_found,
2653 mi->context.c2.es);
2654 /*
2655 * Select a virtual address from either --ifconfig-push in
2656 * --client-config-dir file or --ifconfig-pool.
2657 */
2658 multi_select_virtual_addr(m, mi);
2659
2660 multi_client_connect_setenv(mi);
2661
2662 ret = CC_RET_SUCCEEDED;
2663 }
2664 gc_free(&gc);
2665 }
2666 return ret;
2667}
2668
2669typedef enum client_connect_return (*multi_client_connect_handler)
2670 (struct multi_context *m, struct multi_instance *mi,
2671 bool from_deferred, unsigned int *option_types_found);
2672
2682
2687static bool
2688override_locked_username(struct multi_instance *mi)
2689{
2690 struct tls_multi *multi = mi->context.c2.tls_multi;
2691 struct options *options = &mi->context.options;
2692 struct tls_session *session = &multi->session[TM_ACTIVE];
2693
2694 if (!multi->locked_username)
2695 {
2696 msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
2697 "user/password method is enabled. Enable "
2698 "--management-client-auth, --auth-user-pass-verify, or a "
2699 "plugin with user/password verify capability.");
2700 return false;
2701 }
2702
2703 if (!multi->locked_original_username
2704 && strcmp(multi->locked_username, options->override_username) != 0)
2705 {
2706 /* Check if the username length is acceptable */
2707 if (!ssl_verify_username_length(session, options->override_username))
2708 {
2709 return false;
2710 }
2711
2712 multi->locked_original_username = multi->locked_username;
2713 multi->locked_username = strdup(options->override_username);
2714
2715 /* Override also the common name if username should be set as common
2716 * name */
2717 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
2718 {
2719 set_common_name(session, multi->locked_username);
2720 free(multi->locked_cn);
2721 multi->locked_cn = NULL;
2722 tls_lock_common_name(multi);
2723 }
2724
2725 /* Regenerate the auth-token if enabled */
2726 if (multi->auth_token_initial)
2727 {
2728 struct user_pass up;
2729 CLEAR(up);
2730 strncpynt(up.username, multi->locked_username,
2731 sizeof(up.username));
2732
2733 generate_auth_token(&up, multi);
2734 }
2735
2736 msg(D_MULTI_LOW, "MULTI: Note, override-username changes username "
2737 "from '%s' to '%s'",
2738 multi->locked_original_username,
2739 multi->locked_username);
2740 }
2741 return true;
2742}
2743/*
2744 * Called as soon as the SSL/TLS connection is authenticated.
2745 *
2746 * Will collect the client specific configuration from the different
2747 * sources like ccd files, connect plugins and management interface.
2748 *
2749 * This method starts with cas_context CAS_PENDING and will move the
2750 * state machine to either CAS_SUCCEEDED on success or
2751 * CAS_FAILED/CAS_PARTIAL on failure.
2752 *
2753 * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2754 * include:
2755 *
2756 * iroute start-ip end-ip
2757 * ifconfig-push local remote-netmask
2758 * push
2759 *
2760 *
2761 */
2762static void
2763multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2764{
2765 /* We are only called for the CAS_PENDING_x states, so we
2766 * can ignore other states here */
2767 bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2768
2769 int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2770 unsigned int *option_types_found =
2771 &mi->client_connect_defer_state.option_types_found;
2772
2773 /* We are called for the first time */
2774 if (!from_deferred)
2775 {
2776 *cur_handler_index = 0;
2777 *option_types_found = 0;
2778 /* Initially we have no handler that has returned a result */
2779 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2780
2781 multi_client_connect_early_setup(m, mi);
2782 }
2783
2784 bool cc_succeeded = true;
2785
2786 while (cc_succeeded
2787 && client_connect_handlers[*cur_handler_index] != NULL)
2788 {
2789 enum client_connect_return ret;
2790 ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2791 option_types_found);
2792
2793 from_deferred = false;
2794
2795 switch (ret)
2796 {
2797 case CC_RET_SUCCEEDED:
2798 /*
2799 * Remember that we already had at least one handler
2800 * returning a result should we go to into deferred state
2801 */
2802 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2803 break;
2804
2805 case CC_RET_SKIPPED:
2806 /*
2807 * Move on with the next handler without modifying any
2808 * other state
2809 */
2810 break;
2811
2812 case CC_RET_DEFERRED:
2813 /*
2814 * we already set multi_status to DEFERRED_RESULT or
2815 * DEFERRED_NO_RESULT. We just return
2816 * from the function as having multi_status
2817 */
2818 return;
2819
2820 case CC_RET_FAILED:
2821 /*
2822 * One handler failed. We abort the chain and set the final
2823 * result to failed
2824 */
2825 cc_succeeded = false;
2826 break;
2827
2828 default:
2829 ASSERT(0);
2830 }
2831
2832 /*
2833 * Check for "disable" directive in client-config-dir file
2834 * or config file generated by --client-connect script.
2835 */
2836 if (mi->context.options.disable)
2837 {
2838 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2839 "'disable' directive");
2840 cc_succeeded = false;
2841 }
2842
2843 (*cur_handler_index)++;
2844 }
2845
2846 if (mi->context.options.override_username)
2847 {
2848 if (!override_locked_username(mi))
2849 {
2850 cc_succeeded = false;
2851 }
2852 }
2853
2854 /* Check if we have forbidding options in the current mode */
2855 if (dco_enabled(&mi->context.options)
2856 && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2857 {
2858 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2859 cc_succeeded = false;
2860 }
2861
2862 if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
2863 {
2864 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2865 cc_succeeded = false;
2866 }
2867
2868 if (cc_succeeded)
2869 {
2870 multi_client_connect_late_setup(m, mi, *option_types_found);
2871 }
2872 else
2873 {
2874 /* run the disconnect script if we had a connect script that
2875 * did not fail */
2876 if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2877 {
2878 multi_client_disconnect_script(m, mi);
2879 }
2880
2881 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2882 }
2883
2884 /* increment number of current authenticated clients */
2885 ++m->n_clients;
2886 update_mstat_n_clients(m->n_clients);
2887 --mi->n_clients_delta;
2888
2889#ifdef ENABLE_MANAGEMENT
2890 if (management)
2891 {
2892 management_connection_established(management,
2893 &mi->context.c2.mda_context, mi->context.c2.es);
2894 }
2895#endif
2896}
2897
2898#ifdef ENABLE_ASYNC_PUSH
2899/*
2900 * Called when inotify event is fired, which happens when acf
2901 * or connect-status file is closed or deleted.
2902 * Continues authentication and sends push_reply
2903 * (or be deferred again by client-connect)
2904 */
2905void
2906multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2907{
2908 char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2909 size_t buffer_i = 0;
2910 int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2911
2912 while (buffer_i < r)
2913 {
2914 /* parse inotify events */
2915 struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2916 size_t event_size = sizeof(struct inotify_event) + pevent->len;
2917 buffer_i += event_size;
2918
2919 msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2920
2921 struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2922
2923 if (pevent->mask & IN_CLOSE_WRITE)
2924 {
2925 if (mi)
2926 {
2927 /* continue authentication, perform NCP negotiation and send push_reply */
2928 multi_process_post(m, mi, mpp_flags);
2929 }
2930 else
2931 {
2932 msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2933 }
2934 }
2935 else if (pevent->mask & IN_IGNORED)
2936 {
2937 /* this event is _always_ fired when watch is removed or file is deleted */
2938 if (mi)
2939 {
2940 hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2941 mi->inotify_watch = -1;
2942 }
2943 }
2944 else
2945 {
2946 msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2947 }
2948 }
2949}
2950#endif /* ifdef ENABLE_ASYNC_PUSH */
2951
2952/*
2953 * Add a mbuf buffer to a particular
2954 * instance.
2955 */
2956void
2957multi_add_mbuf(struct multi_context *m,
2958 struct multi_instance *mi,
2959 struct mbuf_buffer *mb)
2960{
2961 if (multi_output_queue_ready(m, mi))
2962 {
2963 struct mbuf_item item;
2964 item.buffer = mb;
2965 item.instance = mi;
2966 mbuf_add_item(m->mbuf, &item);
2967 }
2968 else
2969 {
2970 msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2971 }
2972}
2973
2974/*
2975 * Add a packet to a client instance output queue.
2976 */
2977static inline void
2978multi_unicast(struct multi_context *m,
2979 const struct buffer *buf,
2980 struct multi_instance *mi)
2981{
2982 struct mbuf_buffer *mb;
2983
2984 if (BLEN(buf) > 0)
2985 {
2986 mb = mbuf_alloc_buf(buf);
2987 mb->flags = MF_UNICAST;
2988 multi_add_mbuf(m, mi, mb);
2989 mbuf_free_buf(mb);
2990 }
2991}
2992
2993/*
2994 * Broadcast a packet to all clients.
2995 */
2996static void
2997multi_bcast(struct multi_context *m,
2998 const struct buffer *buf,
2999 const struct multi_instance *sender_instance,
3000 uint16_t vid)
3001{
3002 struct hash_iterator hi;
3003 struct hash_element *he;
3004 struct multi_instance *mi;
3005 struct mbuf_buffer *mb;
3006
3007 if (BLEN(buf) > 0)
3008 {
3009 perf_push(PERF_MULTI_BCAST);
3010#ifdef MULTI_DEBUG_EVENT_LOOP
3011 printf("BCAST len=%d\n", BLEN(buf));
3012#endif
3013 mb = mbuf_alloc_buf(buf);
3014 hash_iterator_init(m->iter, &hi);
3015
3016 while ((he = hash_iterator_next(&hi)))
3017 {
3018 mi = (struct multi_instance *) he->value;
3019 if (mi != sender_instance && !mi->halt)
3020 {
3021 if (vid != 0 && vid != mi->context.options.vlan_pvid)
3022 {
3023 continue;
3024 }
3025 multi_add_mbuf(m, mi, mb);
3026 }
3027 }
3028
3029 hash_iterator_free(&hi);
3030 mbuf_free_buf(mb);
3031 perf_pop();
3032 }
3033}
3034
3035/*
3036 * Given a time delta, indicating that we wish to be
3037 * awoken by the scheduler at time now + delta, figure
3038 * a sigma parameter (in microseconds) that represents
3039 * a sort of fuzz factor around delta, so that we're
3040 * really telling the scheduler to wake us up any time
3041 * between now + delta - sigma and now + delta + sigma.
3042 *
3043 * The sigma parameter helps the scheduler to run more efficiently.
3044 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
3045 */
3046static inline unsigned int
3047compute_wakeup_sigma(const struct timeval *delta)
3048{
3049 if (delta->tv_sec < 1)
3050 {
3051 /* if < 1 sec, fuzz = # of microseconds / 8 */
3052 return delta->tv_usec >> 3;
3053 }
3054 else
3055 {
3056 /* if < 10 minutes, fuzz = 13.1% of timeout */
3057 if (delta->tv_sec < 600)
3058 {
3059 return delta->tv_sec << 17;
3060 }
3061 else
3062 {
3063 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
3064 }
3065 }
3066}
3067
3068static void
3069multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
3070{
3071 /* calculate an absolute wakeup time */
3072 ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
3073 tv_add(&mi->wakeup, &mi->context.c2.timeval);
3074
3075 /* tell scheduler to wake us up at some point in the future */
3076 schedule_add_entry(m->schedule,
3077 (struct schedule_entry *) mi,
3078 &mi->wakeup,
3079 compute_wakeup_sigma(&mi->context.c2.timeval));
3080}
3081
3082#if defined(ENABLE_ASYNC_PUSH)
3083static void
3084add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
3085 int inotify_fd, const char *file)
3086{
3087 /* watch acf file */
3088 long watch_descriptor = inotify_add_watch(inotify_fd, file,
3089 IN_CLOSE_WRITE | IN_ONESHOT);
3090 if (watch_descriptor >= 0)
3091 {
3092 if (mi->inotify_watch != -1)
3093 {
3094 hash_remove(m->inotify_watchers,
3095 (void *) (unsigned long)mi->inotify_watch);
3096 }
3097 hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
3098 mi, true);
3099 mi->inotify_watch = watch_descriptor;
3100 }
3101 else
3102 {
3103 msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3104 }
3105}
3106#endif /* if defined(ENABLE_ASYNC_PUSH) */
3107
3108/*
3109 * Figure instance-specific timers, convert
3110 * earliest to absolute time in mi->wakeup,
3111 * call scheduler with our future wakeup time.
3112 *
3113 * Also close context on signal.
3114 */
3115bool
3116multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3117{
3118 bool ret = true;
3119
3120 if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3121 {
3122#if defined(ENABLE_ASYNC_PUSH)
3123 bool was_unauthenticated = true;
3124 struct key_state *ks = NULL;
3125 if (mi->context.c2.tls_multi)
3126 {
3127 ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3128 was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3129 }
3130#endif
3131
3132 /* figure timeouts and fetch possible outgoing
3133 * to_link packets (such as ping or TLS control) */
3134 pre_select(&mi->context);
3135
3136#if defined(ENABLE_ASYNC_PUSH)
3137 /*
3138 * if we see the state transition from unauthenticated to deferred
3139 * and an auth_control_file, we assume it got just added and add
3140 * inotify watch to that file
3141 */
3142 if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3143 && (ks->authenticated == KS_AUTH_DEFERRED))
3144 {
3145 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3146 ks->plugin_auth.auth_control_file);
3147 }
3148 if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3149 && (ks->authenticated == KS_AUTH_DEFERRED))
3150 {
3151 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3152 ks->script_auth.auth_control_file);
3153 }
3154#endif
3155
3156 if (!IS_SIG(&mi->context))
3157 {
3158 /* connection is "established" when SSL/TLS key negotiation succeeds
3159 * and (if specified) auth user/pass succeeds */
3160
3161 if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3162 {
3163 multi_connection_established(m, mi);
3164 }
3165#if defined(ENABLE_ASYNC_PUSH)
3166 if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3167 && mi->client_connect_defer_state.deferred_ret_file)
3168 {
3169 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3170 mi->client_connect_defer_state.
3171 deferred_ret_file);
3172 }
3173#endif
3174 /* tell scheduler to wake us up at some point in the future */
3175 multi_schedule_context_wakeup(m, mi);
3176 }
3177 }
3178
3179 if (IS_SIG(&mi->context))
3180 {
3181 if (flags & MPP_CLOSE_ON_SIGNAL)
3182 {
3183 multi_close_instance_on_signal(m, mi);
3184 ret = false;
3185 }
3186 }
3187 else
3188 {
3189 /* continue to pend on output? */
3190 multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3191
3192#ifdef MULTI_DEBUG_EVENT_LOOP
3193 printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3194 id(mi),
3195 (int) (mi == m->pending),
3196 mi ? mi->context.c2.to_tun.len : -1,
3197 mi ? mi->context.c2.to_link.len : -1,
3198 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3199 (int64_t)mi->context.c2.timeval.tv_sec,
3200 (long)mi->context.c2.timeval.tv_usec);
3201#endif
3202 }
3203
3204 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3205 {
3206 *m->mpp_touched = mi;
3207 }
3208
3209 return ret;
3210}
3211
3212void
3213multi_process_float(struct multi_context *m, struct multi_instance *mi,
3214 struct link_socket *sock)
3215{
3216 struct mroute_addr real = {0};
3217 struct hash *hash = m->hash;
3218 struct gc_arena gc = gc_new();
3219
3220 if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3221 {
3222 goto done;
3223 }
3224
3225 const uint32_t hv = hash_value(hash, &real);
3226 struct hash_bucket *bucket = hash_bucket(hash, hv);
3227
3228 /* make sure that we don't float to an address taken by another client */
3229 struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3230 if (he)
3231 {
3232 struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3233
3234 struct tls_multi *m1 = mi->context.c2.tls_multi;
3235 struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3236
3237 /* do not float if target address is taken by client with another cert */
3238 if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3239 {
3240 msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3241 multi_instance_string(ex_mi, false, &gc));
3242
3243 mi->context.c2.buf.len = 0;
3244
3245 goto done;
3246 }
3247
3248 msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3249 multi_close_instance(m, ex_mi, false);
3250 }
3251
3252 msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3253 mi->context.c2.tls_multi->peer_id,
3254 tls_common_name(mi->context.c2.tls_multi, false),
3255 mroute_addr_print(&mi->real, &gc),
3256 print_link_socket_actual(&m->top.c2.from, &gc));
3257
3258 /* remove old address from hash table before changing address */
3259 ASSERT(hash_remove(m->hash, &mi->real));
3260 ASSERT(hash_remove(m->iter, &mi->real));
3261
3262 /* change external network address of the remote peer */
3263 mi->real = real;
3264 generate_prefix(mi);
3265
3266 mi->context.c2.from = m->top.c2.from;
3267 mi->context.c2.to_link_addr = &mi->context.c2.from;
3268
3269 /* inherit parent link_socket and link_socket_info */
3270 mi->context.c2.link_sockets[0] = sock;
3271 mi->context.c2.link_socket_infos[0]->lsa->actual = m->top.c2.from;
3272
3273 tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3274
3275 ASSERT(hash_add(m->hash, &mi->real, mi, false));
3276 ASSERT(hash_add(m->iter, &mi->real, mi, false));
3277
3278#ifdef ENABLE_MANAGEMENT
3279 ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3280#endif
3281
3282done:
3283 gc_free(&gc);
3284}
3285
3286/*
3287 * Called when an instance should be closed due to the
3288 * reception of a soft signal.
3289 */
3290void
3291multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3292{
3293 remap_signal(&mi->context);
3294 set_prefix(mi);
3295 print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3296 clear_prefix();
3297 multi_close_instance(m, mi, false);
3298}
3299
3300#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
3301static void
3302multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3303{
3304 mi->context.sig->signal_received = sig;
3305 multi_close_instance_on_signal(m, mi);
3306}
3307#endif
3308
3309#if defined(ENABLE_DCO) \
3310 && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(TARGET_WIN32))
3311static void
3312process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
3313 dco_context_t *dco)
3314{
3315 const char *reason = "ovpn-dco: unknown reason";
3316 switch (dco->dco_del_peer_reason)
3317 {
3318 case OVPN_DEL_PEER_REASON_EXPIRED:
3319 reason = "ovpn-dco: ping expired";
3320 break;
3321
3322 case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3323 reason = "ovpn-dco: transport error";
3324 break;
3325
3326 case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3327 reason = "ovpn-dco: transport disconnected";
3328 break;
3329
3330 case OVPN_DEL_PEER_REASON_USERSPACE:
3331 /* We assume that is ourselves. Unfortunately, sometimes these
3332 * events happen with enough delay that they can have an order of
3333 *
3334 * dco_del_peer x
3335 * [new client connecting]
3336 * dco_new_peer x
3337 * event from dco_del_peer arrives.
3338 *
3339 * if we do not ignore this we get desynced with the kernel
3340 * since we assume the peer-id is free again. The other way would
3341 * be to send a dco_del_peer again
3342 */
3343 return;
3344 }
3345
3346 /* When kernel already deleted the peer, the socket is no longer
3347 * installed, and we do not need to clean up the state in the kernel */
3348 mi->context.c2.tls_multi->dco_peer_id = -1;
3349 mi->context.sig->signal_text = reason;
3350 mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3351 mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3352 multi_signal_instance(m, mi, SIGTERM);
3353}
3354
3355bool
3356multi_process_incoming_dco(struct multi_context *m)
3357{
3358 dco_context_t *dco = &m->top.c1.tuntap->dco;
3359
3360 struct multi_instance *mi = NULL;
3361
3362 int ret = dco_do_read(&m->top.c1.tuntap->dco);
3363
3364 int peer_id = dco->dco_message_peer_id;
3365
3366 /* no peer-specific message delivered -> nothing to process.
3367 * bail out right away
3368 */
3369 if (peer_id < 0)
3370 {
3371 return ret > 0;
3372 }
3373
3374 if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3375 {
3376 mi = m->instances[peer_id];
3377 if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3378 {
3379 process_incoming_del_peer(m, mi, dco);
3380 }
3381 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3382 {
3383 tls_session_soft_reset(mi->context.c2.tls_multi);
3384 }
3385 }
3386 else
3387 {
3388 int msglevel = D_DCO;
3389 if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3390 && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3391 {
3392 /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3393 * after we kill the peer ourselves. This peer may have already
3394 * been deleted, so we end up here.
3395 * In this case, print the following debug message with DCO_DEBUG
3396 * level only to avoid polluting the standard DCO level with this
3397 * harmless event.
3398 */
3399 msglevel = D_DCO_DEBUG;
3400 }
3401 msg(msglevel, "Received DCO message for unknown peer-id: %d, "
3402 "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
3403 dco->dco_del_peer_reason);
3404 }
3405
3406 dco->dco_message_type = 0;
3407 dco->dco_message_peer_id = -1;
3408 dco->dco_del_peer_reason = -1;
3409 dco->dco_read_bytes = 0;
3410 dco->dco_write_bytes = 0;
3411 return ret > 0;
3412}
3413#endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */
3414
3415/*
3416 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3417 * i.e. client -> server direction.
3418 */
3419bool
3420multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance,
3421 const unsigned int mpp_flags, struct link_socket *sock)
3422{
3423 struct gc_arena gc = gc_new();
3424
3425 struct context *c;
3426 struct mroute_addr src, dest;
3427 unsigned int mroute_flags;
3428 struct multi_instance *mi;
3429 bool ret = true;
3430 bool floated = false;
3431
3432 if (m->pending)
3433 {
3434 return true;
3435 }
3436
3437 if (!instance)
3438 {
3439#ifdef MULTI_DEBUG_EVENT_LOOP
3440 printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3441#endif
3442 multi_set_pending(m, multi_get_create_instance_udp(m, &floated, sock));
3443 }
3444 else
3445 {
3446 multi_set_pending(m, instance);
3447 }
3448
3449 if (m->pending)
3450 {
3451 set_prefix(m->pending);
3452
3453 /* get instance context */
3454 c = &m->pending->context;
3455
3456 if (!instance)
3457 {
3458 /* transfer packet pointer from top-level context buffer to instance */
3459 c->c2.buf = m->top.c2.buf;
3460
3461 /* transfer from-addr from top-level context buffer to instance */
3462 if (!floated)
3463 {
3464 c->c2.from = m->top.c2.from;
3465 }
3466 }
3467
3468 if (BLEN(&c->c2.buf) > 0)
3469 {
3470 struct link_socket_info *lsi;
3471 const uint8_t *orig_buf;
3472
3473 /* decrypt in instance context */
3474
3475 perf_push(PERF_PROC_IN_LINK);
3476 lsi = &sock->info;
3477 orig_buf = c->c2.buf.data;
3478 if (process_incoming_link_part1(c, lsi, floated))
3479 {
3480 /* nonzero length means that we have a valid, decrypted packed */
3481 if (floated && c->c2.buf.len > 0)
3482 {
3483 multi_process_float(m, m->pending, sock);
3484 }
3485
3486 process_incoming_link_part2(c, lsi, orig_buf);
3487 }
3488 perf_pop();
3489
3490 if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3491 {
3492 /* extract packet source and dest addresses */
3493 mroute_flags = mroute_extract_addr_from_packet(&src,
3494 &dest,
3495 0,
3496 &c->c2.to_tun,
3497 DEV_TYPE_TUN);
3498
3499 /* drop packet if extract failed */
3500 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3501 {
3502 c->c2.to_tun.len = 0;
3503 }
3504 /* make sure that source address is associated with this client */
3505 else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3506 {
3507 /* IPv6 link-local address (fe80::xxx)? */
3508 if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3509 && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3510 {
3511 /* do nothing, for now. TODO: add address learning */
3512 }
3513 else
3514 {
3515 msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3516 mroute_addr_print(&src, &gc));
3517 }
3518 c->c2.to_tun.len = 0;
3519 }
3520 /* client-to-client communication enabled? */
3521 else if (m->enable_c2c)
3522 {
3523 /* multicast? */
3524 if (mroute_flags & MROUTE_EXTRACT_MCAST)
3525 {
3526 /* for now, treat multicast as broadcast */
3527 multi_bcast(m, &c->c2.to_tun, m->pending, 0);
3528 }
3529 else /* possible client to client routing */
3530 {
3531 ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3532 mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3533
3534 /* if dest addr is a known client, route to it */
3535 if (mi)
3536 {
3537 {
3538 multi_unicast(m, &c->c2.to_tun, mi);
3539 register_activity(c, BLEN(&c->c2.to_tun));
3540 }
3541 c->c2.to_tun.len = 0;
3542 }
3543 }
3544 }
3545 }
3546 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3547 {
3548 uint16_t vid = 0;
3549
3550 if (m->top.options.vlan_tagging)
3551 {
3552 if (vlan_is_tagged(&c->c2.to_tun))
3553 {
3554 /* Drop VLAN-tagged frame. */
3555 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3556 c->c2.to_tun.len = 0;
3557 }
3558 else
3559 {
3560 vid = c->options.vlan_pvid;
3561 }
3562 }
3563 /* extract packet source and dest addresses */
3564 mroute_flags = mroute_extract_addr_from_packet(&src,
3565 &dest,
3566 vid,
3567 &c->c2.to_tun,
3568 DEV_TYPE_TAP);
3569
3570 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3571 {
3572 if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3573 {
3574 /* check for broadcast */
3575 if (m->enable_c2c)
3576 {
3577 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3578 {
3579 multi_bcast(m, &c->c2.to_tun, m->pending, vid);
3580 }
3581 else /* try client-to-client routing */
3582 {
3583 mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3584
3585 /* if dest addr is a known client, route to it */
3586 if (mi)
3587 {
3588 multi_unicast(m, &c->c2.to_tun, mi);
3589 register_activity(c, BLEN(&c->c2.to_tun));
3590 c->c2.to_tun.len = 0;
3591 }
3592 }
3593 }
3594 }
3595 else
3596 {
3597 msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3598 mroute_addr_print(&src, &gc));
3599 c->c2.to_tun.len = 0;
3600 }
3601 }
3602 else
3603 {
3604 c->c2.to_tun.len = 0;
3605 }
3606 }
3607 }
3608
3609 /* postprocess and set wakeup */
3610 ret = multi_process_post(m, m->pending, mpp_flags);
3611
3612 clear_prefix();
3613 }
3614
3615 gc_free(&gc);
3616 return ret;
3617}
3618
3619/*
3620 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3621 * i.e. server -> client direction.
3622 */
3623bool
3624multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3625{
3626 bool ret = true;
3627
3628 if (BLEN(&m->top.c2.buf) > 0)
3629 {
3630 unsigned int mroute_flags;
3631 struct mroute_addr src = {0}, dest = {0};
3632 const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3633 int16_t vid = 0;
3634
3635#ifdef MULTI_DEBUG_EVENT_LOOP
3636 printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3637#endif
3638
3639 if (m->pending)
3640 {
3641 return true;
3642 }
3643
3644 if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3645 {
3646 vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3647 if (vid < 0)
3648 {
3649 return false;
3650 }
3651 }
3652
3653 /*
3654 * Route an incoming tun/tap packet to
3655 * the appropriate multi_instance object.
3656 */
3657
3658 mroute_flags = mroute_extract_addr_from_packet(&src,
3659 &dest,
3660 vid,
3661 &m->top.c2.buf,
3662 dev_type);
3663
3664 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3665 {
3666 struct context *c;
3667
3668 /* broadcast or multicast dest addr? */
3669 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3670 {
3671 /* for now, treat multicast as broadcast */
3672 multi_bcast(m, &m->top.c2.buf, NULL, vid);
3673 }
3674 else
3675 {
3676 multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3677
3678 if (m->pending)
3679 {
3680 /* get instance context */
3681 c = &m->pending->context;
3682
3683 set_prefix(m->pending);
3684
3685 {
3686 if (multi_output_queue_ready(m, m->pending))
3687 {
3688 /* transfer packet pointer from top-level context buffer to instance */
3689 c->c2.buf = m->top.c2.buf;
3690 }
3691 else
3692 {
3693 /* drop packet */
3694 msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3695 buf_reset_len(&c->c2.buf);
3696 }
3697 }
3698
3699 /* encrypt in instance context */
3700 process_incoming_tun(c, c->c2.link_sockets[0]);
3701
3702 /* postprocess and set wakeup */
3703 ret = multi_process_post(m, m->pending, mpp_flags);
3704
3705 clear_prefix();
3706 }
3707 }
3708 }
3709 }
3710 return ret;
3711}
3712
3713/*
3714 * Process a possible client-to-client/bcast/mcast message in the
3715 * queue.
3716 */
3717struct multi_instance *
3718multi_get_queue(struct mbuf_set *ms)
3719{
3720 struct mbuf_item item;
3721
3722 if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3723 {
3724 unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
3725
3726 set_prefix(item.instance);
3727 item.instance->context.c2.buf = item.buffer->buf;
3728 if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3729 {
3730 pip_flags |= PIP_MSSFIX;
3731 }
3732 process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf,
3733 item.instance->context.c2.link_sockets[0]);
3734 encrypt_sign(&item.instance->context, true);
3735 mbuf_free_buf(item.buffer);
3736
3737 dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3738
3739 clear_prefix();
3740 return item.instance;
3741 }
3742 else
3743 {
3744 return NULL;
3745 }
3746}
3747
3748/*
3749 * Called when an I/O wait times out. Usually means that a particular
3750 * client instance object needs timer-based service.
3751 */
3752bool
3753multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3754{
3755 bool ret = true;
3756
3757#ifdef MULTI_DEBUG_EVENT_LOOP
3758 printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3759#endif
3760
3761 /* instance marked for wakeup? */
3762 if (m->earliest_wakeup)
3763 {
3764 if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3765 {
3766 schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal);
3767 throw_signal(m->deferred_shutdown_signal.signal_received);
3768 }
3769 else
3770 {
3771 set_prefix(m->earliest_wakeup);
3772 ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3773 clear_prefix();
3774 }
3775 m->earliest_wakeup = NULL;
3776 }
3777 return ret;
3778}
3779
3780/*
3781 * Drop a TUN/TAP outgoing packet..
3782 */
3783void
3784multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3785{
3786 struct multi_instance *mi = m->pending;
3787
3788 ASSERT(mi);
3789
3790 set_prefix(mi);
3791
3792 msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3793 mi->context.c2.to_tun.len);
3794
3795 buf_reset(&mi->context.c2.to_tun);
3796
3797 multi_process_post(m, mi, mpp_flags);
3798 clear_prefix();
3799}
3800
3801/*
3802 * Per-client route quota management
3803 */
3804
3805void
3806route_quota_exceeded(const struct multi_instance *mi)
3807{
3808 struct gc_arena gc = gc_new();
3809 msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3810 mi->context.options.max_routes_per_client,
3811 multi_instance_string(mi, false, &gc));
3812 gc_free(&gc);
3813}
3814
3815#ifdef ENABLE_DEBUG
3816/*
3817 * Flood clients with random packets
3818 */
3819static void
3820gremlin_flood_clients(struct multi_context *m)
3821{
3822 const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3823 if (level)
3824 {
3825 struct gc_arena gc = gc_new();
3826 struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3827 struct packet_flood_parms parm = get_packet_flood_parms(level);
3828 int i;
3829
3830 ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3831 parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3832
3833 msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3834 parm.n_packets,
3835 parm.packet_size);
3836
3837 for (i = 0; i < parm.packet_size; ++i)
3838 {
3839 ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3840 }
3841
3842 for (i = 0; i < parm.n_packets; ++i)
3843 {
3844 multi_bcast(m, &buf, NULL, 0);
3845 }
3846
3847 gc_free(&gc);
3848 }
3849}
3850#endif /* ifdef ENABLE_DEBUG */
3851
3852static bool
3853stale_route_check_trigger(struct multi_context *m)
3854{
3855 struct timeval null;
3856 CLEAR(null);
3857 return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3858}
3859
3860/*
3861 * Process timers in the top-level context
3862 */
3863void
3864multi_process_per_second_timers_dowork(struct multi_context *m)
3865{
3866 /* possibly reap instances/routes in vhash */
3867 multi_reap_process(m);
3868
3869 /* possibly print to status log */
3870 if (m->top.c1.status_output)
3871 {
3872 if (status_trigger(m->top.c1.status_output))
3873 {
3874 multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3875 }
3876 }
3877
3878 /* possibly flush ifconfig-pool file */
3879 multi_ifconfig_pool_persist(m, false);
3880
3881#ifdef ENABLE_DEBUG
3882 gremlin_flood_clients(m);
3883#endif
3884
3885 /* Should we check for stale routes? */
3886 if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3887 {
3888 check_stale_routes(m);
3889 }
3890}
3891
3892void
3893multi_top_init(struct multi_context *m, struct context *top)
3894{
3895 inherit_context_top(&m->top, top);
3896 m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3897}
3898
3899void
3905
3906static bool
3907is_exit_restart(int sig)
3908{
3909 return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3910}
3911
3912static void
3913multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3914{
3915 struct hash_iterator hi;
3916 struct hash_element *he;
3917 struct timeval tv;
3918
3919 /* tell all clients to restart */
3920 hash_iterator_init(m->iter, &hi);
3921 while ((he = hash_iterator_next(&hi)))
3922 {
3923 struct multi_instance *mi = (struct multi_instance *) he->value;
3924 if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
3925 {
3926 send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3927 multi_schedule_context_wakeup(m, mi);
3928 }
3929 }
3930 hash_iterator_free(&hi);
3931
3932 /* reschedule signal */
3933 ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3934 tv.tv_sec = 2;
3935 tv.tv_usec = 0;
3936 tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3937
3938 m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3939
3940 schedule_add_entry(m->schedule,
3941 (struct schedule_entry *) &m->deferred_shutdown_signal,
3942 &m->deferred_shutdown_signal.wakeup,
3943 compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
3944
3945 signal_reset(m->top.sig, 0);
3946}
3947
3948/*
3949 * Return true if event loop should break,
3950 * false if it should continue.
3951 */
3952bool
3953multi_process_signal(struct multi_context *m)
3954{
3955 if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3956 {
3957 struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3958 multi_print_status(m, so, m->status_file_version);
3959 status_close(so);
3960 return false;
3961 }
3962 else if (has_udp_in_local_list(&m->top.options)
3963 && is_exit_restart(m->top.sig->signal_received)
3964 && (m->deferred_shutdown_signal.signal_received == 0)
3965 && m->top.options.ce.explicit_exit_notification != 0)
3966 {
3967 multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3968 return false;
3969 }
3970 return true;
3971}
3972
3973/*
3974 * Management subsystem callbacks
3975 */
3976#ifdef ENABLE_MANAGEMENT
3977
3978static void
3979management_callback_status(void *arg, const int version, struct status_output *so)
3980{
3981 struct multi_context *m = (struct multi_context *) arg;
3982
3983 if (!version)
3984 {
3985 multi_print_status(m, so, m->status_file_version);
3986 }
3987 else
3988 {
3989 multi_print_status(m, so, version);
3990 }
3991}
3992
3993static int
3994management_callback_n_clients(void *arg)
3995{
3996 struct multi_context *m = (struct multi_context *) arg;
3997 return m->n_clients;
3998}
3999
4000static int
4001management_callback_kill_by_cn(void *arg, const char *del_cn)
4002{
4003 struct multi_context *m = (struct multi_context *) arg;
4004 struct hash_iterator hi;
4005 struct hash_element *he;
4006 int count = 0;
4007
4008 hash_iterator_init(m->iter, &hi);
4009 while ((he = hash_iterator_next(&hi)))
4010 {
4011 struct multi_instance *mi = (struct multi_instance *) he->value;
4012 if (!mi->halt)
4013 {
4014 const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
4015 if (cn && !strcmp(cn, del_cn))
4016 {
4017 multi_signal_instance(m, mi, SIGTERM);
4018 ++count;
4019 }
4020 }
4021 }
4022 hash_iterator_free(&hi);
4023 return count;
4024}
4025
4026static int
4027management_callback_kill_by_addr(void *arg, const in_addr_t addr,
4028 const int port, const int proto)
4029{
4030 struct multi_context *m = (struct multi_context *) arg;
4031 struct hash_iterator hi;
4032 struct hash_element *he;
4033 struct openvpn_sockaddr saddr;
4034 struct mroute_addr maddr;
4035 int count = 0;
4036
4037 CLEAR(saddr);
4038 saddr.addr.in4.sin_family = AF_INET;
4039 saddr.addr.in4.sin_addr.s_addr = htonl(addr);
4040 saddr.addr.in4.sin_port = htons(port);
4041 if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
4042 {
4043 maddr.proto = proto;
4044 hash_iterator_init(m->iter, &hi);
4045 while ((he = hash_iterator_next(&hi)))
4046 {
4047 struct multi_instance *mi = (struct multi_instance *) he->value;
4048 if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
4049 {
4050 multi_signal_instance(m, mi, SIGTERM);
4051 ++count;
4052 }
4053 }
4054 hash_iterator_free(&hi);
4055 }
4056 return count;
4057}
4058
4059static void
4060management_delete_event(void *arg, event_t event)
4061{
4062 struct multi_context *m = (struct multi_context *) arg;
4063 if (m->multi_io)
4064 {
4065 multi_tcp_delete_event(m->multi_io, event);
4066 }
4067}
4068
4069static struct multi_instance *
4070lookup_by_cid(struct multi_context *m, const unsigned long cid)
4071{
4072 if (m)
4073 {
4074 struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
4075 if (mi && !mi->halt)
4076 {
4077 return mi;
4078 }
4079 }
4080 return NULL;
4081}
4082
4083static bool
4084management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
4085{
4086 struct multi_context *m = (struct multi_context *) arg;
4087 struct multi_instance *mi = lookup_by_cid(m, cid);
4088 if (mi)
4089 {
4090 send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
4091 multi_schedule_context_wakeup(m, mi);
4092 return true;
4093 }
4094 else
4095 {
4096 return false;
4097 }
4098}
4099
4100static bool
4101management_client_pending_auth(void *arg,
4102 const unsigned long cid,
4103 const unsigned int mda_key_id,
4104 const char *extra,
4105 unsigned int timeout)
4106{
4107 struct multi_context *m = (struct multi_context *) arg;
4108 struct multi_instance *mi = lookup_by_cid(m, cid);
4109
4110 if (mi)
4111 {
4112 struct tls_multi *multi = mi->context.c2.tls_multi;
4113 struct tls_session *session;
4114
4115 if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4116 {
4117 session = &multi->session[TM_INITIAL];
4118 }
4119 else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4120 {
4121 session = &multi->session[TM_ACTIVE];
4122 }
4123 else
4124 {
4125 return false;
4126 }
4127
4128 /* sends INFO_PRE and AUTH_PENDING messages to client */
4129 bool ret = send_auth_pending_messages(multi, session, extra,
4130 timeout);
4131 reschedule_multi_process(&mi->context);
4132 multi_schedule_context_wakeup(m, mi);
4133 return ret;
4134 }
4135 return false;
4136}
4137
4138
4139static bool
4140management_client_auth(void *arg,
4141 const unsigned long cid,
4142 const unsigned int mda_key_id,
4143 const bool auth,
4144 const char *reason,
4145 const char *client_reason,
4146 struct buffer_list *cc_config) /* ownership transferred */
4147{
4148 struct multi_context *m = (struct multi_context *) arg;
4149 struct multi_instance *mi = lookup_by_cid(m, cid);
4150 bool cc_config_owned = true;
4151 bool ret = false;
4152
4153 if (mi)
4154 {
4155 ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4156 if (ret)
4157 {
4158 if (auth)
4159 {
4160 if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4161 {
4162 set_cc_config(mi, cc_config);
4163 cc_config_owned = false;
4164 }
4165 }
4166 else if (reason)
4167 {
4168 msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
4169 }
4170 }
4171 }
4172 if (cc_config_owned && cc_config)
4173 {
4174 buffer_list_free(cc_config);
4175 }
4176 return ret;
4177}
4178
4179static char *
4180management_get_peer_info(void *arg, const unsigned long cid)
4181{
4182 struct multi_context *m = (struct multi_context *) arg;
4183 struct multi_instance *mi = lookup_by_cid(m, cid);
4184 char *ret = NULL;
4185
4186 if (mi)
4187 {
4188 ret = mi->context.c2.tls_multi->peer_info;
4189 }
4190
4191 return ret;
4192}
4193
4194#endif /* ifdef ENABLE_MANAGEMENT */
4195
4196
4197void
4221
4222void
4223multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4224{
4225 /* max_clients must be less then max peer-id value */
4226 ASSERT(m->max_clients < MAX_PEER_ID);
4227
4228 for (int i = 0; i < m->max_clients; ++i)
4229 {
4230 if (!m->instances[i])
4231 {
4232 mi->context.c2.tls_multi->peer_id = i;
4233 m->instances[i] = mi;
4234 break;
4235 }
4236 }
4237
4238 /* should not really end up here, since multi_create_instance returns null
4239 * if amount of clients exceeds max_clients */
4240 ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4241}
4242
4243/**************************************************************************/
4250static void
4251tunnel_server_loop(struct multi_context *multi)
4252{
4253 int status;
4254
4255 while (true)
4256 {
4257 perf_push(PERF_EVENT_LOOP);
4258
4259 /* wait on tun/socket list */
4260 multi_get_timeout(multi, &multi->top.c2.timeval);
4261 status = multi_io_wait(multi);
4262 MULTI_CHECK_SIG(multi);
4263
4264 /* check on status of coarse timers */
4265 multi_process_per_second_timers(multi);
4266
4267 /* timeout? */
4268 if (status > 0)
4269 {
4270 /* process the I/O which triggered select */
4271 multi_io_process_io(multi);
4272 }
4273 else if (status == 0)
4274 {
4275 multi_io_action(multi, NULL, TA_TIMEOUT, false);
4276 }
4277
4278 MULTI_CHECK_SIG(multi);
4279 perf_pop();
4280 }
4281}
4282
4283/*
4284 * Top level event loop.
4285 */
4286void
4287tunnel_server(struct context *top)
4288{
4289 ASSERT(top->options.mode == MODE_SERVER);
4290
4291 struct multi_context multi;
4292
4293 top->mode = CM_TOP;
4294 context_clear_2(top);
4295
4296 /* initialize top-tunnel instance */
4297 init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP);
4298 if (IS_SIG(top))
4299 {
4300 return;
4301 }
4302
4303 /* initialize global multi_context object */
4304 multi_init(&multi, top);
4305
4306 /* initialize our cloned top object */
4307 multi_top_init(&multi, top);
4308
4309 /* initialize management interface */
4310 init_management_callback_multi(&multi);
4311
4312 /* finished with initialization */
4313 initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */
4314
4315#ifdef ENABLE_ASYNC_PUSH
4316 multi.top.c2.inotify_fd = inotify_init();
4317 if (multi.top.c2.inotify_fd < 0)
4318 {
4319 msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
4320 }
4321#endif
4322
4323 tunnel_server_loop(&multi);
4324
4325 #ifdef ENABLE_ASYNC_PUSH
4326 close(top->c2.inotify_fd);
4327#endif
4328
4329 /* shut down management interface */
4330 uninit_management_callback();
4331
4332 /* save ifconfig-pool */
4333 multi_ifconfig_pool_persist(&multi, true);
4334
4335 /* tear down tunnel instance (unless --persist-tun) */
4336 multi_uninit(&multi);
4337 multi_top_free(&multi);
4338 close_instance(top);
4339
4340}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:483
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:102
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:440
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:464
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:88
generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:164
auth_token.h
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1167
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1055
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_reset
static void buf_reset(struct buffer *buf)
Definition buffer.h:303
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:692
BLEN
#define BLEN(buf)
Definition buffer.h:127
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1060
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
key1
static const char *const key1
Definition cert_data.h:56
CCD_DEFAULT
#define CCD_DEFAULT
Definition common.h:62
counter_format
#define counter_format
Definition common.h:31
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:163
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition config.h:53
get_random
long int get_random(void)
Definition crypto.c:1757
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition crypto.c:1833
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
crypto_backend.h
Data Channel Cryptography SSL library-specific backend interface.
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:817
dco_do_read
static int dco_do_read(dco_context_t *dco)
Definition dco.h:317
dco_get_peer_stats_multi
static int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m, const bool raise_sigusr1_on_err)
Definition dco.h:379
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:368
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:282
dco_context_t
void * dco_context_t
Definition dco.h:267
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:362
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:374
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition env_set.c:284
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:292
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:308
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:157
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:300
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:353
D_PUSH
#define D_PUSH
Definition errlevel.h:83
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition errlevel.h:65
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition errlevel.h:154
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:64
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition errlevel.h:90
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition errlevel.h:102
D_DCO
#define D_DCO
Definition errlevel.h:94
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition errlevel.h:127
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:101
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:118
D_MULTI_LOW
#define D_MULTI_LOW
Definition errlevel.h:86
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
M_INFO
#define M_INFO
Definition errlevel.h:55
D_GREMLIN
#define D_GREMLIN
Definition errlevel.h:78
EVENT_ARG_MULTI_INSTANCE
@ EVENT_ARG_MULTI_INSTANCE
Definition event.h:136
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:403
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:410
pre_select
void pre_select(struct context *c)
Definition forward.c:1988
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1649
forward.h
Interface functions to the internal and external multiplexers.
PIP_MSSFIX
#define PIP_MSSFIX
Definition forward.h:307
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:312
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:321
ANY_OUT
#define ANY_OUT(c)
Definition forward.h:40
register_activity
static void register_activity(struct context *c, const int size)
Definition forward.h:334
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition forward.h:306
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition ssl_common.h:539
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:459
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:538
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:625
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition multi.c:4287
tunnel_server_loop
static void tunnel_server_loop(struct multi_context *multi)
Main event loop for OpenVPN in point-to-multipoint server mode.
Definition multi.c:4251
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:1000
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1150
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition multi.c:3420
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition mudp.c:190
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1455
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition multi.c:3624
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4542
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1591
close_instance
void close_instance(struct context *c)
Definition init.c:4882
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:5047
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3784
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4568
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4957
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:89
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:5094
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition init.c:4382
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3759
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition init.c:2679
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:104
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:106
ISC_SERVER
#define ISC_SERVER
Definition init.h:116
min_int
static int min_int(int x, int y)
Definition integer.h:102
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:115
status
static SERVICE_STATUS status
Definition interactive.c:52
route
@ route
Definition interactive.c:86
read
@ read
Definition interactive.c:207
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:43
ETT_DEFAULT
#define ETT_DEFAULT
Definition interval.h:224
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:174
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition list.c:283
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition list.c:289
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition list.c:321
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition list.c:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition list.c:246
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition list.c:38
hash_iterator_init_range
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition list.c:223
hash_free
void hash_free(struct hash *hash)
Definition list.c:63
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition list.c:147
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition list.h:176
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition list.h:140
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition list.h:122
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition list.h:116
hash_n_buckets
static int hash_n_buckets(const struct hash *hash)
Definition list.h:128
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition list.h:158
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2998
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3011
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2987
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2733
MCF_SERVER
#define MCF_SERVER
Definition manage.h:177
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition mbuf.c:89
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition mbuf.c:65
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition mbuf.c:76
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition mbuf.c:152
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition mbuf.c:111
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition mbuf.c:49
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition mbuf.c:39
MF_UNICAST
#define MF_UNICAST
Definition mbuf.h:46
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition mbuf.h:92
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition mroute.c:329
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:526
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition mroute.c:264
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition mroute.c:384
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition mroute.c:369
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:541
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition mroute.c:65
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition mroute.c:377
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition mroute.c:488
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition mroute.c:39
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition mroute.c:557
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition mroute.h:38
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition mroute.h:40
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition mroute.h:181
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition mroute.h:70
mroute_extract_in_addr_t
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition mroute.h:245
mroute_addr_equal
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition mroute.h:210
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition mroute.h:39
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition mroute.h:63
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition mroute.h:64
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition mtcp.c:126
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_io *multi_io, event_t event)
Definition mtcp.c:132
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition mtcp.c:102
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi)
Definition mtcp.c:141
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:172
np
static const char * np(const char *str)
Definition multi-auth.c:146
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition multi.c:1070
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:3069
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2541
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition multi.c:240
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition multi.c:1979
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition multi.c:216
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition multi.c:758
multi_add_iroutes
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1327
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition multi.c:165
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition multi.c:3302
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition multi.c:227
override_locked_username
static bool override_locked_username(struct multi_instance *mi)
Overrides the locked username with the username of –override-username.
Definition multi.c:2688
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition multi.c:3994
multi_process_signal
bool multi_process_signal(struct multi_context *m)
Definition multi.c:3953
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1463
multi_init
void multi_init(struct multi_context *m, struct context *t)
Definition multi.c:294
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition multi.c:2305
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:3291
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition multi.c:3116
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2763
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition multi.c:3864
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition multi.c:1603
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_instance *mi)
Definition multi.c:1774
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition multi.c:3718
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3753
multi_process_float
void multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
Handles peer floating.
Definition multi.c:3213
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition multi.c:4001
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition multi.c:3853
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition multi.c:4084
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition multi.c:497
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:526
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition multi.c:4060
multi_client_setup_dco_initial
static bool multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc)
Definition multi.c:2367
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition multi.c:4070
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition multi.c:466
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition multi.c:2415
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition multi.c:3047
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:95
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition multi.c:2978
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition multi.c:606
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition multi.c:4101
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition multi.c:2670
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition multi.c:3913
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:577
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition multi.c:2086
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition multi.c:1414
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
Definition multi.c:4027
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition multi.c:177
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition multi.c:4140
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, uint16_t vid)
Definition multi.c:2997
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition multi.c:2577
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition multi.c:210
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition multi.c:2957
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition multi.c:249
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition multi.c:3806
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition multi.c:514
multi_top_free
void multi_top_free(struct multi_context *m)
Definition multi.c:3900
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition multi.c:4223
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2208
multi_client_connect_source_ccd
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition multi.c:2611
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2113
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition multi.c:1659
multi_delete_dup
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition multi.c:1376
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition multi.c:1163
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition multi.c:3893
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition multi.c:4198
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition multi.c:2012
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition multi.c:4180
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition multi.c:2262
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition multi.c:1804
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition multi.c:1691
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition multi.c:1242
is_exit_restart
static bool is_exit_restart(int sig)
Definition multi.c:3907
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition multi.c:1444
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition multi.c:76
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3784
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition multi.c:264
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:1735
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition multi.c:2391
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition multi.c:1283
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition multi.c:549
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition multi.c:257
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition multi.c:3979
update_mstat_n_clients
static void update_mstat_n_clients(const int n_clients)
Definition multi.c:84
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition multi.c:2062
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition multi.c:1953
multi_print_status
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition multi.c:852
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition multi.c:2673
multi_uninit
void multi_uninit(struct multi_context *m)
Definition multi.c:710
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:564
multi.h
Header file for server-mode related structures and functions.
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition multi.h:293
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition multi.h:226
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition multi.h:229
CC_RET_FAILED
@ CC_RET_FAILED
Definition multi.h:227
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition multi.h:230
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition multi.h:228
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition multi.h:413
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition multi.h:46
MULTI_CHECK_SIG
#define MULTI_CHECK_SIG(m)
Definition multi.h:696
REAP_MIN
#define REAP_MIN
Definition multi.h:575
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition multi.h:544
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition multi.h:501
multi_reap_process
static void multi_reap_process(const struct multi_context *m)
Definition multi.h:589
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition multi.h:454
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition multi.h:241
clear_prefix
static void clear_prefix(void)
Definition multi.h:556
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition multi.h:510
REAP_DIVISOR
#define REAP_DIVISOR
Definition multi.h:574
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition multi.h:582
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition multi.h:294
REAP_MAX
#define REAP_MAX
Definition multi.h:576
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition multi.h:491
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition multi.h:485
multi_get_timeout
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition multi.h:616
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition multi.h:678
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition multi.h:699
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition multi.h:242
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition multi.h:295
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition multi.h:292
multi_process_per_second_timers
static void multi_process_per_second_timers(struct multi_context *m)
Definition multi.h:598
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition multi.h:467
multi_io_process_io
void multi_io_process_io(struct multi_context *m)
Definition multi_io.c:431
multi_io_init
struct multi_io * multi_io_init(int maxevents, int *maxclients)
Definition multi_io.c:117
multi_io_free
void multi_io_free(struct multi_io *multi_io)
Definition multi_io.c:163
multi_io_wait
int multi_io_wait(struct multi_context *m)
Definition multi_io.c:174
multi_io_action
void multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll)
Definition multi_io.c:568
TA_TIMEOUT
#define TA_TIMEOUT
Definition multi_io.h:46
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition openvpn-plugin.h:130
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
Definition openvpn-plugin.h:131
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition openvpn-plugin.h:126
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition openvpn-plugin.h:125
OPENVPN_PLUGIN_CLIENT_CONNECT
#define OPENVPN_PLUGIN_CLIENT_CONNECT
Definition openvpn-plugin.h:123
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition openvpn-plugin.h:150
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition openvpn-plugin.h:148
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition openvpn-plugin.h:124
CLEAR
#define CLEAR(x)
Definition basic.h:33
M_OPTERR
#define M_OPTERR
Definition error.h:100
M_USAGE
#define M_USAGE
Definition error.h:106
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220
M_NONFATAL
#define M_NONFATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:148
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
M_ERRNO
#define M_ERRNO
Definition error.h:94
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition openvpn.h:210
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:548
CM_TOP
#define CM_TOP
Definition openvpn.h:485
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5466
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5486
title_string
const char title_string[]
Definition options.c:69
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9544
MODE_SERVER
#define MODE_SERVER
Definition options.h:259
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:926
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:739
time_string
const char * time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
Definition otime.c:108
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition otime.c:146
now
time_t now
Definition otime.c:34
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition otime.c:161
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition otime.h:64
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:132
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:23
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition ovpn_dco_linux.h:25
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition ovpn_dco_linux.h:24
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition ovpn_dco_linux.h:22
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_win.h:152
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
Definition ovpn_dco_win.h:151
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition perf.h:48
perf_push
static void perf_push(int type)
Definition perf.h:78
PERF_EVENT_LOOP
#define PERF_EVENT_LOOP
Definition perf.h:44
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition perf.h:46
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition perf.h:52
perf_pop
static void perf_pop(void)
Definition perf.h:82
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition perf.h:45
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition platform.c:660
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:541
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition platform.c:594
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:488
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:1015
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:1000
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:932
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:171
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:202
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:165
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition pool.c:306
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition pool.c:357
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition pool.c:733
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition pool.c:585
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition pool.c:290
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition pool.c:598
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition pool.c:146
pool_type
pool_type
Definition pool.h:36
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition pool.h:37
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition pool.h:38
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:37
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:35
TOP_NET30
#define TOP_NET30
Definition proto.h:42
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:36
TOP_P2P
#define TOP_P2P
Definition proto.h:43
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:44
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition push.c:977
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:496
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition push.c:885
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:439
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1127
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition reflect_filter.c:102
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition reflect_filter.c:86
reflect_filter.h
run_command.h
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:87
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition schedule.c:427
schedule_init
struct schedule * schedule_init(void)
Definition schedule.c:412
schedule_free
void schedule_free(struct schedule *s)
Definition schedule.c:421
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition schedule.h:98
signal_reset
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition sig.c:266
remap_signal
void remap_signal(struct context *c)
Definition sig.c:591
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:177
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:231
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition sig.c:294
IS_SIG
#define IS_SIG(c)
Definition sig.h:48
setenv_in_addr_t
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition socket.c:3130
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition socket.c:3143
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket.c:2926
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3027
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3007
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition socket.c:2452
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket.h:401
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket.h:597
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition socket.h:412
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4233
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1846
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1711
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:586
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition ssl_common.h:576
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:573
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition ssl_common.h:577
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:575
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:572
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:578
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:151
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:152
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:748
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:420
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition ssl_ncp.c:250
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition ssl_ncp.c:229
ncp_expanded_ciphers
const char * ncp_expanded_ciphers(struct options *o, struct gc_arena *gc)
returns the o->ncp_ciphers in brackets, e.g.
Definition ssl_ncp.c:632
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:62
ssl_util.h
SSL utility functions.
ssl_verify_username_length
bool ssl_verify_username_length(struct tls_session *session, const char *username)
Checks if the username length is valid to use.
Definition ssl_verify.c:1572
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition ssl_verify.c:1238
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition ssl_verify.c:229
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition ssl_verify.c:287
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition ssl_verify.c:133
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition ssl_verify.c:172
set_common_name
void set_common_name(struct tls_session *session, const char *common_name)
Sets the common name field for the given tunnel.
Definition ssl_verify.c:86
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:805
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:108
ssl_verify.h
Control Channel Verification Module.
status_trigger
bool status_trigger(struct status_output *so)
Definition status.c:133
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:222
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:61
status_flush
void status_flush(struct status_output *so)
Definition status.c:157
status_reset
void status_reset(struct status_output *so)
Definition status.c:148
status_close
bool status_close(struct status_output *so)
Definition status.c:188
argv
Definition argv.h:35
auth_deferred_status::auth_control_file
char * auth_control_file
Definition ssl_common.h:163
buffer_entry
Definition buffer.h:1115
buffer_entry::next
struct buffer_entry * next
Definition buffer.h:1117
buffer_entry::buf
struct buffer buf
Definition buffer.h:1116
buffer_list
Definition buffer.h:1121
buffer_list::head
struct buffer_entry * head
Definition buffer.h:1122
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
client_connect_defer_state
Detached client connection state.
Definition multi.h:73
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition multi.h:75
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition multi.h:90
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition multi.h:78
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition multi.h:84
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:148
connection_entry::fragment
int fragment
Definition options.h:139
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:198
context_1::status_output
struct status_output * status_output
Definition openvpn.h:186
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:173
context_2::push_request_received
bool push_request_received
Definition openvpn.h:429
context_2::link_read_bytes
counter_type link_read_bytes
Definition openvpn.h:268
context_2::link_write_bytes
counter_type link_write_bytes
Definition openvpn.h:271
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition openvpn.h:436
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:254
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition openvpn.h:430
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition openvpn.h:269
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:455
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition openvpn.h:272
context_2::es
struct env_set * es
Definition openvpn.h:422
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:325
context_2::frame
struct frame frame
Definition openvpn.h:250
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:439
context_2::from
struct link_socket_actual from
Definition openvpn.h:247
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:255
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition openvpn.h:438
context_2::to_link
struct buffer to_link
Definition openvpn.h:379
context_2::to_tun
struct buffer to_tun
Definition openvpn.h:378
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:437
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:239
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:434
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:240
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition openvpn.h:246
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:433
context_2::buf
struct buffer buf
Definition openvpn.h:377
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:398
context_2::event_set
struct event_set * event_set
Definition openvpn.h:232
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:369
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition openvpn.h:432
context
Contains all state information for one tunnel.
Definition openvpn.h:476
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:489
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:502
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:504
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:516
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:498
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:477
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:515
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
deferred_signal_schedule_entry::signal_received
int signal_received
Definition multi.h:64
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition multi.h:65
env_set
Definition env_set.h:42
event_arg::mi
struct multi_instance * mi
Definition event.h:145
event_arg::u
union event_arg::@1 u
event_arg::type
event_arg_t type
Definition event.h:143
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition fragment.h:171
frame
Packet geometry parameters.
Definition mtu.h:98
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:102
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:108
frame::buf
struct frame::@8 buf
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
hash_bucket
Definition list.h:52
hash_element
Definition list.h:44
hash_element::value
void * value
Definition list.h:45
hash_element::key
const void * key
Definition list.h:46
hash_iterator
Definition list.h:89
hash
Definition list.h:57
iroute_ipv6
Definition route.h:247
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:250
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:249
iroute_ipv6::network
struct in6_addr network
Definition route.h:248
iroute::network
in_addr_t network
Definition route.h:242
iroute::netbits
int netbits
Definition route.h:243
iroute::next
struct iroute * next
Definition route.h:244
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:239
key_ctx_bi::initialized
bool initialized
Definition crypto.h:284
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:203
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:263
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:258
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:264
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:254
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket.h:90
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:110
link_socket_info
Definition socket.h:114
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:115
link_socket_info::proto
int proto
Definition socket.h:120
link_socket
Definition socket.h:178
link_socket::info
struct link_socket_info info
Definition socket.h:179
man_def_auth_context::cid
unsigned long cid
Definition manage.h:65
management_callback
Definition manage.h:174
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:200
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:188
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition manage.h:184
management_callback::arg
void * arg
Definition manage.h:175
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition manage.h:183
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:195
management_callback::n_clients
int(* n_clients)(void *arg)
Definition manage.h:185
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:180
management_callback::flags
unsigned int flags
Definition manage.h:178
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:182
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:187
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:181
mbuf_buffer
Definition mbuf.h:42
mbuf_buffer::flags
unsigned int flags
Definition mbuf.h:47
mbuf_buffer::buf
struct buffer buf
Definition mbuf.h:43
mbuf_item
Definition mbuf.h:51
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition mbuf.h:52
mbuf_item::instance
struct multi_instance * instance
Definition mbuf.h:53
mbuf_set
Definition mbuf.h:57
mroute_addr
Definition mroute.h:78
mroute_addr::vid
uint16_t vid
Definition mroute.h:88
mroute_addr::v6
struct mroute_addr::@2::@6 v6
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:87
mroute_addr::proto
uint8_t proto
Definition mroute.h:80
mroute_addr::type
uint8_t type
Definition mroute.h:81
mroute_addr::port
in_port_t port
Definition mroute.h:92
mroute_addr::len
uint8_t len
Definition mroute.h:79
mroute_addr::netbits
uint8_t netbits
Definition mroute.h:82
mroute_helper
Definition mroute.h:124
mroute_helper::cache_generation
unsigned int cache_generation
Definition mroute.h:125
multi_context
Main OpenVPN server state structure.
Definition multi.h:163
multi_context::n_clients
int n_clients
Definition multi.h:189
multi_context::local
struct mroute_addr local
Definition multi.h:184
multi_context::schedule
struct schedule * schedule
Definition multi.h:174
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition multi.h:175
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition multi.h:181
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition multi.h:219
multi_context::max_clients
int max_clients
Definition multi.h:186
multi_context::reaper
struct multi_reap * reaper
Definition multi.h:183
multi_context::multi_io
struct multi_io * multi_io
I/O state and events tracker.
Definition multi.h:178
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:167
multi_context::cid_hash
struct hash * cid_hash
Definition multi.h:192
multi_context::cid_counter
unsigned long cid_counter
Definition multi.h:193
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition multi.h:212
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition multi.h:187
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition multi.h:179
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition multi.h:180
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition multi.h:202
multi_context::status_file_version
int status_file_version
Definition multi.h:188
multi_context::pending
struct multi_instance * pending
Definition multi.h:196
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition multi.h:169
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition multi.h:171
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:164
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition multi.h:198
multi_context::enable_c2c
bool enable_c2c
Definition multi.h:185
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition multi.h:197
multi_context::route_helper
struct mroute_helper * route_helper
Definition multi.h:182
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
multi_instance::cc_config
struct buffer_list * cc_config
Definition multi.h:139
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition multi.h:146
multi_instance::did_cid_hash
bool did_cid_hash
Definition multi.h:138
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition multi.h:117
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition multi.h:132
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition multi.h:125
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition multi.h:122
multi_instance::did_iroutes
bool did_iroutes
Definition multi.h:141
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition multi.h:124
multi_instance::did_real_hash
bool did_real_hash
Definition multi.h:135
multi_instance::gc
struct gc_arena gc
Definition multi.h:113
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition multi.h:133
multi_instance::wakeup
struct timeval wakeup
Definition multi.h:121
multi_instance::halt
bool halt
Definition multi.h:114
multi_instance::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition multi.h:108
multi_instance::did_iter
bool did_iter
Definition multi.h:136
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
multi_instance::n_clients_delta
int n_clients_delta
Definition multi.h:142
multi_reap
Definition multi.h:54
multi_reap::last_call
time_t last_call
Definition multi.h:57
multi_reap::buckets_per_pass
int buckets_per_pass
Definition multi.h:56
multi_reap::bucket_base
int bucket_base
Definition multi.h:55
multi_route
Definition multi.h:237
multi_route::addr
struct mroute_addr addr
Definition multi.h:238
multi_route::last_reference
time_t last_reference
Definition multi.h:246
multi_route::cache_generation
unsigned int cache_generation
Definition multi.h:245
multi_route::flags
unsigned int flags
Definition multi.h:243
multi_route::instance
struct multi_instance * instance
Definition multi.h:239
openvpn_plugin_string_list::value
char * value
Definition openvpn-plugin.h:194
openvpn_sockaddr
Definition socket.h:66
openvpn_sockaddr::addr
union openvpn_sockaddr::@24 addr
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket.h:70
options::comp
struct compress_options comp
Definition options.h:411
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:523
options::max_routes_per_client
int max_routes_per_client
Definition options.h:536
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:577
options::status_file_version
int status_file_version
Definition options.h:405
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:518
options::tmp_dir
const char * tmp_dir
Definition options.h:466
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:721
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:538
options::duplicate_cn
bool duplicate_cn
Definition options.h:527
options::use_peer_id
bool use_peer_id
Definition options.h:701
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:491
options::cf_max
int cf_max
Definition options.h:529
options::dev_type
const char * dev_type
Definition options.h:317
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:513
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:488
options::vlan_tagging
bool vlan_tagging
Definition options.h:710
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:490
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:495
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:502
options::n_bcast_buf
int n_bcast_buf
Definition options.h:509
options::ce
struct connection_entry ce
Definition options.h:288
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:512
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:516
options::topology
int topology
Definition options.h:320
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:578
options::learn_address_script
const char * learn_address_script
Definition options.h:503
options::ciphername
const char * ciphername
Definition options.h:573
options::cf_initial_max
int cf_initial_max
Definition options.h:532
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:537
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:712
options::mode
int mode
Definition options.h:260
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:497
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:519
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:574
options::real_hash_size
int real_hash_size
Definition options.h:499
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:514
options::gc
struct gc_arena gc
Definition options.h:251
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:517
options::cf_initial_per
int cf_initial_per
Definition options.h:533
options::force_key_material_export
bool force_key_material_export
Definition options.h:708
options::iroutes
struct iroute * iroutes
Definition options.h:511
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:524
options::client_connect_script
const char * client_connect_script
Definition options.h:501
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:521
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:510
options::override_username
const char * override_username
Definition options.h:508
options::virtual_hash_size
int virtual_hash_size
Definition options.h:500
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:522
options::max_clients
int max_clients
Definition options.h:535
options::enable_c2c
bool enable_c2c
Definition options.h:526
options::cf_per
int cf_per
Definition options.h:530
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:489
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:515
options::dev
const char * dev
Definition options.h:316
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:496
options::client_config_dir
const char * client_config_dir
Definition options.h:505
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:324
plugin_list
Definition plugin.h:95
plugin_return
Definition plugin.h:102
plugin_return::n
int n
Definition plugin.h:103
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:104
rw_handle
Definition win32.h:79
schedule_entry
Definition schedule.h:45
signal_info::signal_text
const char * signal_text
Definition sig.h:45
signal_info::signal_received
volatile int signal_received
Definition sig.h:43
status_output
Definition status.h:49
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:604
tls_multi::auth_token_initial
char * auth_token_initial
The first auth-token we sent to a client.
Definition ssl_common.h:676
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:696
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:718
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:665
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:695
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:642
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:625
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:704
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:648
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:637
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:692
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:693
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:646
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:716
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:376
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:518
tls_session::opt
struct tls_options * opt
Definition ssl_common.h:485
tuntap::local
in_addr_t local
Definition tun.h:205
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:208
tuntap::dco
dco_context_t dco
Definition tun.h:243
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:206
user_pass
Definition misc.h:57
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:72
es
struct env_set * es
Definition test_pkcs11.c:141
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:290
gc
struct gc_arena gc
Definition test_ssl.c:155
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:547
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition tun.h:182
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition tun.h:179
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition vlan.c:82
vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition vlan.c:266
Generated by doxygen 1.9.8