OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "gremlin.h"
43 #include "mstats.h"
44 #include "ssl_verify.h"
45 #include "ssl_ncp.h"
46 #include "vlan.h"
47 #include <inttypes.h>
48 
49 #include "memdbg.h"
50 
51 
52 #include "crypto_backend.h"
53 #include "ssl_util.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef ENABLE_MANAGEMENT
73 static void
75 {
77  mi->cc_config = cc_config;
78 }
79 #endif
80 
81 static inline void
82 update_mstat_n_clients(const int n_clients)
83 {
84 #ifdef ENABLE_MEMSTATS
85  if (mmap_stats)
86  {
87  mmap_stats->n_clients = n_clients;
88  }
89 #endif
90 }
91 
92 static bool
94  const struct multi_instance *mi,
95  const char *op,
96  const struct mroute_addr *addr)
97 {
98  struct gc_arena gc = gc_new();
99  struct env_set *es;
100  bool ret = true;
101  struct plugin_list *plugins;
102 
103  /* get environmental variable source */
104  if (mi && mi->context.c2.es)
105  {
106  es = mi->context.c2.es;
107  }
108  else
109  {
110  es = env_set_create(&gc);
111  }
112 
113  /* get plugin source */
114  if (mi)
115  {
116  plugins = mi->context.plugins;
117  }
118  else
119  {
120  plugins = m->top.plugins;
121  }
122 
124  {
125  struct argv argv = argv_new();
126  argv_printf(&argv, "%s %s",
127  op,
128  mroute_addr_print(addr, &gc));
129  if (mi)
130  {
132  }
134  {
135  msg(M_WARN, "WARNING: learn-address plugin call failed");
136  ret = false;
137  }
138  argv_free(&argv);
139  }
140 
142  {
143  struct argv argv = argv_new();
144  setenv_str(es, "script_type", "learn-address");
146  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
147  if (mi)
148  {
150  }
151  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
152  {
153  ret = false;
154  }
155  argv_free(&argv);
156  }
157 
158  gc_free(&gc);
159  return ret;
160 }
161 
162 void
164 {
165  /* write pool data to file */
166  if (m->ifconfig_pool
169  {
171  }
172 }
173 
174 static void
176  int start_bucket,
177  int end_bucket)
178 {
179  struct gc_arena gc = gc_new();
180  struct hash_iterator hi;
181  struct hash_element *he;
182 
183  if (start_bucket < 0)
184  {
185  start_bucket = 0;
186  end_bucket = hash_n_buckets(m->vhash);
187  }
188 
189  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
190  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
191  while ((he = hash_iterator_next(&hi)) != NULL)
192  {
193  struct multi_route *r = (struct multi_route *) he->value;
194  if (!multi_route_defined(m, r))
195  {
196  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
197  mroute_addr_print(&r->addr, &gc));
198  learn_address_script(m, NULL, "delete", &r->addr);
199  multi_route_del(r);
201  }
202  }
203  hash_iterator_free(&hi);
204  gc_free(&gc);
205 }
206 
207 static void
209 {
210  multi_reap_range(m, -1, 0);
211 }
212 
213 static struct multi_reap *
215 {
216  struct multi_reap *mr;
217  ALLOC_OBJ(mr, struct multi_reap);
218  mr->bucket_base = 0;
220  mr->last_call = now;
221  return mr;
222 }
223 
224 void
226 {
227  struct multi_reap *mr = m->reaper;
228  if (mr->bucket_base >= hash_n_buckets(m->vhash))
229  {
230  mr->bucket_base = 0;
231  }
233  mr->bucket_base += mr->buckets_per_pass;
234  mr->last_call = now;
235 }
236 
237 static void
239 {
240  free(mr);
241 }
242 
243 /*
244  * How many buckets in vhash to reap per pass.
245  */
246 static int
247 reap_buckets_per_pass(int n_buckets)
248 {
249  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
250 }
251 
252 #ifdef ENABLE_MANAGEMENT
253 
254 static uint32_t
255 cid_hash_function(const void *key, uint32_t iv)
256 {
257  const unsigned long *k = (const unsigned long *)key;
258  return (uint32_t) *k;
259 }
260 
261 static bool
262 cid_compare_function(const void *key1, const void *key2)
263 {
264  const unsigned long *k1 = (const unsigned long *)key1;
265  const unsigned long *k2 = (const unsigned long *)key2;
266  return *k1 == *k2;
267 }
268 
269 #endif
270 
271 #ifdef ENABLE_ASYNC_PUSH
272 static uint32_t
273 /*
274  * inotify watcher descriptors are used as hash value
275  */
276 int_hash_function(const void *key, uint32_t iv)
277 {
278  return (unsigned long)key;
279 }
280 
281 static bool
282 int_compare_function(const void *key1, const void *key2)
283 {
284  return (unsigned long)key1 == (unsigned long)key2;
285 }
286 #endif
287 
288 /*
289  * Main initialization function, init multi_context object.
290  */
291 void
292 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
293 {
294  int dev = DEV_TYPE_UNDEF;
295 
296  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299 
300  /*
301  * Get tun/tap/null device type
302  */
303  dev = dev_type_enum(t->options.dev, t->options.dev_type);
304 
305  /*
306  * Init our multi_context object.
307  */
308  CLEAR(*m);
309 
310  /*
311  * Real address hash table (source port number is
312  * considered to be part of the address). Used
313  * to determine which client sent an incoming packet
314  * which is seen on the TCP/UDP socket.
315  */
317  get_random(),
320 
321  /*
322  * Virtual address hash table. Used to determine
323  * which client to route a packet to.
324  */
326  get_random(),
329 
330  /*
331  * This hash table is a clone of m->hash but with a
332  * bucket size of one so that it can be used
333  * for fast iteration through the list.
334  */
335  m->iter = hash_init(1,
336  get_random(),
339 
340 #ifdef ENABLE_MANAGEMENT
342  0,
345 #endif
346 
347 #ifdef ENABLE_ASYNC_PUSH
348  /*
349  * Mapping between inotify watch descriptors and
350  * multi_instances.
351  */
352  m->inotify_watchers = hash_init(t->options.real_hash_size,
353  get_random(),
354  int_hash_function,
355  int_compare_function);
356 #endif
357 
358  /*
359  * This is our scheduler, for time-based wakeup
360  * events.
361  */
362  m->schedule = schedule_init();
363 
364  /*
365  * Limit frequency of incoming connections to control
366  * DoS.
367  */
369  t->options.cf_per);
370 
371  /*
372  * Allocate broadcast/multicast buffer list
373  */
375 
376  /*
377  * Different status file format options are available
378  */
380 
381  /*
382  * Possibly allocate an ifconfig pool, do it
383  * differently based on whether a tun or tap style
384  * tunnel.
385  */
388  {
390 
391  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
392  {
394  }
395 
397  pool_type,
404 
405  /* reload pool data from file */
406  if (t->c1.ifconfig_pool_persist)
407  {
409  }
410  }
411 
412  /*
413  * Help us keep track of routing table.
414  */
416 
417  /*
418  * Initialize route and instance reaper.
419  */
421 
422  /*
423  * Get local ifconfig address
424  */
425  CLEAR(m->local);
426  ASSERT(t->c1.tuntap);
428 
429  /*
430  * Per-client limits
431  */
433 
434  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
435 
436  /*
437  * Initialize multi-socket TCP I/O wait object
438  */
439  if (tcp_mode)
440  {
442  }
444 
445  /*
446  * Allow client <-> client communication, without going through
447  * tun/tap interface and network stack?
448  */
449  m->enable_c2c = t->options.enable_c2c;
450 
451  /* initialize stale routes check timer */
453  {
454  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
457  }
458 
460 }
461 
462 const char *
463 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
464 {
465  if (mi)
466  {
467  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
468  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
469 
470  if (cn)
471  {
472  buf_printf(&out, "%s/", cn);
473  }
474  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
475  return BSTR(&out);
476  }
477  else if (null)
478  {
479  return NULL;
480  }
481  else
482  {
483  return "UNDEF";
484  }
485 }
486 
487 static void
489 {
490  struct gc_arena gc = gc_new();
491  const char *prefix = multi_instance_string(mi, true, &gc);
492  if (prefix)
493  {
494  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
495  }
496  else
497  {
498  mi->msg_prefix[0] = '\0';
499  }
500  set_prefix(mi);
501  gc_free(&gc);
502 }
503 
504 void
506 {
507  mi->msg_prefix[0] = '\0';
508  set_prefix(mi);
509 }
510 
511 /*
512  * Tell the route helper about deleted iroutes so
513  * that it can update its mask of currently used
514  * CIDR netlengths.
515  */
516 static void
518  struct multi_instance *mi)
519 {
520  const struct iroute *ir;
521  const struct iroute_ipv6 *ir6;
523  {
524  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
525  {
527  }
528 
529  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
530  {
532  }
533  }
534 }
535 
536 static void
538 {
539  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
540  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
541 }
542 
543 static void
545 {
546  /* setenv client real IP address */
548 
549  /* setenv stats */
550  setenv_stats(&mi->context);
551 
552  /* setenv connection duration */
553  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
554 }
555 
556 static void
558 {
560 
562  {
564  {
565  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
566  }
567  }
568 
570  {
571  struct argv argv = argv_new();
572  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
574  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
575  argv_free(&argv);
576  }
577 #ifdef ENABLE_MANAGEMENT
578  if (management)
579  {
581  }
582 #endif
583 }
584 
585 void
587  struct multi_instance *mi,
588  bool shutdown)
589 {
591 
592  ASSERT(!mi->halt);
593  mi->halt = true;
594 
595  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
596 
597  /* adjust current client connection count */
598  m->n_clients += mi->n_clients_delta;
600  mi->n_clients_delta = 0;
601 
602  /* prevent dangling pointers */
603  if (m->pending == mi)
604  {
605  multi_set_pending(m, NULL);
606  }
607  if (m->earliest_wakeup == mi)
608  {
609  m->earliest_wakeup = NULL;
610  }
611 
612  if (!shutdown)
613  {
614  if (mi->did_real_hash)
615  {
616  ASSERT(hash_remove(m->hash, &mi->real));
617  }
618  if (mi->did_iter)
619  {
620  ASSERT(hash_remove(m->iter, &mi->real));
621  }
622 #ifdef ENABLE_MANAGEMENT
623  if (mi->did_cid_hash)
624  {
626  }
627 #endif
628 
629 #ifdef ENABLE_ASYNC_PUSH
630  if (mi->inotify_watch != -1)
631  {
632  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
633  mi->inotify_watch = -1;
634  }
635 #endif
636 
637  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
638  {
639  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
640  }
641 
642  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
643 
644  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
645 
646  if (mi->did_iroutes)
647  {
648  multi_del_iroutes(m, mi);
649  mi->did_iroutes = false;
650  }
651 
652  if (m->mtcp)
653  {
655  }
656 
658  }
659 
660 #ifdef ENABLE_MANAGEMENT
661  set_cc_config(mi, NULL);
662 #endif
663 
665  {
667  }
668 
670 
672 
673  ungenerate_prefix(mi);
674 
675  /*
676  * Don't actually delete the instance memory allocation yet,
677  * because virtual routes may still point to it. Let the
678  * vhash reaper deal with it.
679  */
681 
682  perf_pop();
683 }
684 
685 /*
686  * Called on shutdown or restart.
687  */
688 void
690 {
691  if (m->hash)
692  {
693  struct hash_iterator hi;
694  struct hash_element *he;
695 
696  hash_iterator_init(m->iter, &hi);
697  while ((he = hash_iterator_next(&hi)))
698  {
699  struct multi_instance *mi = (struct multi_instance *) he->value;
700  mi->did_iter = false;
701  multi_close_instance(m, mi, true);
702  }
703  hash_iterator_free(&hi);
704 
705  multi_reap_all(m);
706 
707  hash_free(m->hash);
708  hash_free(m->vhash);
709  hash_free(m->iter);
710 #ifdef ENABLE_MANAGEMENT
711  hash_free(m->cid_hash);
712 #endif
713  m->hash = NULL;
714 
715  free(m->instances);
716 
717 #ifdef ENABLE_ASYNC_PUSH
718  hash_free(m->inotify_watchers);
719  m->inotify_watchers = NULL;
720 #endif
721 
723  mbuf_free(m->mbuf);
728  multi_tcp_free(m->mtcp);
729  }
730 }
731 
732 /*
733  * Create a client instance object for a newly connected client.
734  */
735 struct multi_instance *
737 {
738  struct gc_arena gc = gc_new();
739  struct multi_instance *mi;
740 
742 
743  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
744 
745  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
746 
747  mi->gc = gc_new();
749  mi->vaddr_handle = -1;
750  mi->created = now;
751  mroute_addr_init(&mi->real);
752 
753  if (real)
754  {
755  mi->real = *real;
756  generate_prefix(mi);
757  }
758 
759  inherit_context_child(&mi->context, &m->top);
760  if (IS_SIG(&mi->context))
761  {
762  goto err;
763  }
764 
766 
767  if (hash_n_elements(m->hash) >= m->max_clients)
768  {
769  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
770  goto err;
771  }
772 
773  if (!real) /* TCP mode? */
774  {
776  {
777  goto err;
778  }
779  generate_prefix(mi);
780  }
781 
782  if (!hash_add(m->iter, &mi->real, mi, false))
783  {
784  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
785  mroute_addr_print(&mi->real, &gc));
786  goto err;
787  }
788  mi->did_iter = true;
789 
790 #ifdef ENABLE_MANAGEMENT
791  do
792  {
793  mi->context.c2.mda_context.cid = m->cid_counter++;
794  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
795  mi->did_cid_hash = true;
796 #endif
797 
798  mi->context.c2.push_request_received = false;
799 #ifdef ENABLE_ASYNC_PUSH
800  mi->inotify_watch = -1;
801 #endif
802 
803  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
804  {
805  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
806  goto err;
807  }
808 
809  perf_pop();
810  gc_free(&gc);
811  return mi;
812 
813 err:
814  multi_close_instance(m, mi, false);
815  perf_pop();
816  gc_free(&gc);
817  return NULL;
818 }
819 
820 /*
821  * Dump tables -- triggered by SIGUSR2.
822  * If status file is defined, write to file.
823  * If status file is NULL, write to syslog.
824  */
825 void
826 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
827 {
828  if (m->hash)
829  {
830  struct gc_arena gc_top = gc_new();
831  struct hash_iterator hi;
832  const struct hash_element *he;
833 
834  status_reset(so);
835 
836  if (version == 1) /* WAS: m->status_file_version */
837  {
838  /*
839  * Status file version 1
840  */
841  status_printf(so, "OpenVPN CLIENT LIST");
842  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
843  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
844  hash_iterator_init(m->hash, &hi);
845  while ((he = hash_iterator_next(&hi)))
846  {
847  struct gc_arena gc = gc_new();
848  const struct multi_instance *mi = (struct multi_instance *) he->value;
849 
850  if (!mi->halt)
851  {
852  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
853  tls_common_name(mi->context.c2.tls_multi, false),
854  mroute_addr_print(&mi->real, &gc),
857  time_string(mi->created, 0, false, &gc));
858  }
859  gc_free(&gc);
860  }
861  hash_iterator_free(&hi);
862 
863  status_printf(so, "ROUTING TABLE");
864  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
865  hash_iterator_init(m->vhash, &hi);
866  while ((he = hash_iterator_next(&hi)))
867  {
868  struct gc_arena gc = gc_new();
869  const struct multi_route *route = (struct multi_route *) he->value;
870 
871  if (multi_route_defined(m, route))
872  {
873  const struct multi_instance *mi = route->instance;
874  const struct mroute_addr *ma = &route->addr;
875  char flags[2] = {0, 0};
876 
877  if (route->flags & MULTI_ROUTE_CACHE)
878  {
879  flags[0] = 'C';
880  }
881  status_printf(so, "%s%s,%s,%s,%s",
882  mroute_addr_print(ma, &gc),
883  flags,
884  tls_common_name(mi->context.c2.tls_multi, false),
885  mroute_addr_print(&mi->real, &gc),
886  time_string(route->last_reference, 0, false, &gc));
887  }
888  gc_free(&gc);
889  }
890  hash_iterator_free(&hi);
891 
892  status_printf(so, "GLOBAL STATS");
893  if (m->mbuf)
894  {
895  status_printf(so, "Max bcast/mcast queue length,%d",
897  }
898 
899  status_printf(so, "END");
900  }
901  else if (version == 2 || version == 3)
902  {
903  const char sep = (version == 3) ? '\t' : ',';
904 
905  /*
906  * Status file version 2 and 3
907  */
908  status_printf(so, "TITLE%c%s", sep, title_string);
909  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
910  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
911  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
912  hash_iterator_init(m->hash, &hi);
913  while ((he = hash_iterator_next(&hi)))
914  {
915  struct gc_arena gc = gc_new();
916  const struct multi_instance *mi = (struct multi_instance *) he->value;
917 
918  if (!mi->halt)
919  {
920  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
921 #ifdef ENABLE_MANAGEMENT
922  "%lu"
923 #else
924  ""
925 #endif
926  "%c%" PRIu32 "%c%s",
927  sep, tls_common_name(mi->context.c2.tls_multi, false),
928  sep, mroute_addr_print(&mi->real, &gc),
931  sep, mi->context.c2.link_read_bytes,
932  sep, mi->context.c2.link_write_bytes,
933  sep, time_string(mi->created, 0, false, &gc),
934  sep, (unsigned int)mi->created,
935  sep, tls_username(mi->context.c2.tls_multi, false),
936 #ifdef ENABLE_MANAGEMENT
937  sep, mi->context.c2.mda_context.cid,
938 #else
939  sep,
940 #endif
941  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
943  }
944  gc_free(&gc);
945  }
946  hash_iterator_free(&hi);
947 
948  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
949  sep, sep, sep, sep, sep, sep);
950  hash_iterator_init(m->vhash, &hi);
951  while ((he = hash_iterator_next(&hi)))
952  {
953  struct gc_arena gc = gc_new();
954  const struct multi_route *route = (struct multi_route *) he->value;
955 
956  if (multi_route_defined(m, route))
957  {
958  const struct multi_instance *mi = route->instance;
959  const struct mroute_addr *ma = &route->addr;
960  char flags[2] = {0, 0};
961 
962  if (route->flags & MULTI_ROUTE_CACHE)
963  {
964  flags[0] = 'C';
965  }
966  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
967  sep, mroute_addr_print(ma, &gc), flags,
968  sep, tls_common_name(mi->context.c2.tls_multi, false),
969  sep, mroute_addr_print(&mi->real, &gc),
970  sep, time_string(route->last_reference, 0, false, &gc),
971  sep, (unsigned int)route->last_reference);
972  }
973  gc_free(&gc);
974  }
975  hash_iterator_free(&hi);
976 
977  if (m->mbuf)
978  {
979  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
980  sep, sep, mbuf_maximum_queued(m->mbuf));
981  }
982 
983  status_printf(so, "END");
984  }
985  else
986  {
987  status_printf(so, "ERROR: bad status format version number");
988  }
989 
990 #ifdef PACKET_TRUNCATION_CHECK
991  {
992  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
993  hash_iterator_init(m->hash, &hi);
994  while ((he = hash_iterator_next(&hi)))
995  {
996  struct gc_arena gc = gc_new();
997  const struct multi_instance *mi = (struct multi_instance *) he->value;
998 
999  if (!mi->halt)
1000  {
1002  tls_common_name(mi->context.c2.tls_multi, false),
1003  m->top.c2.n_trunc_tun_read,
1004  mi->context.c2.n_trunc_tun_write,
1005  mi->context.c2.n_trunc_pre_encrypt,
1006  mi->context.c2.n_trunc_post_decrypt);
1007  }
1008  gc_free(&gc);
1009  }
1010  hash_iterator_free(&hi);
1011  }
1012 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1013 
1014  status_flush(so);
1015  gc_free(&gc_top);
1016  }
1017 
1018 #ifdef ENABLE_ASYNC_PUSH
1019  if (m->inotify_watchers)
1020  {
1021  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1022  }
1023 #endif
1024 }
1025 
1026 /*
1027  * Learn a virtual address or route.
1028  * The learn will fail if the learn address
1029  * script/plugin fails. In this case the
1030  * return value may be != mi.
1031  * Return the instance which owns this route,
1032  * or NULL if none.
1033  */
1034 static struct multi_instance *
1036  struct multi_instance *mi,
1037  const struct mroute_addr *addr,
1038  const unsigned int flags)
1039 {
1040  struct hash_element *he;
1041  const uint32_t hv = hash_value(m->vhash, addr);
1042  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1043  struct multi_route *oldroute = NULL;
1044  struct multi_instance *owner = NULL;
1045  struct gc_arena gc = gc_new();
1046 
1047  /* if route currently exists, get the instance which owns it */
1048  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1049  if (he)
1050  {
1051  oldroute = (struct multi_route *) he->value;
1052  }
1053  if (oldroute && multi_route_defined(m, oldroute))
1054  {
1055  owner = oldroute->instance;
1056  }
1057 
1058  /* do we need to add address to hash table? */
1059  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1060  && !mroute_addr_equal(addr, &m->local))
1061  {
1062  struct multi_route *newroute;
1063  bool learn_succeeded = false;
1064 
1065  ALLOC_OBJ(newroute, struct multi_route);
1066  newroute->addr = *addr;
1067  newroute->instance = mi;
1068  newroute->flags = flags;
1069  newroute->last_reference = now;
1070  newroute->cache_generation = 0;
1071 
1072  /* The cache is invalidated when cache_generation is incremented */
1073  if (flags & MULTI_ROUTE_CACHE)
1074  {
1076  }
1077 
1078  if (oldroute) /* route already exists? */
1079  {
1080  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1081  {
1082  learn_succeeded = true;
1083  owner = mi;
1085  route_quota_inc(mi);
1086 
1087  /* delete old route */
1088  multi_route_del(oldroute);
1089 
1090  /* modify hash table entry, replacing old route */
1091  he->key = &newroute->addr;
1092  he->value = newroute;
1093  }
1094  }
1095  else
1096  {
1097  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1098  {
1099  learn_succeeded = true;
1100  owner = mi;
1102  route_quota_inc(mi);
1103 
1104  /* add new route */
1105  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1106  }
1107  }
1108 
1109  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1110  learn_succeeded ? "" : " FAILED",
1111  mroute_addr_print(&newroute->addr, &gc),
1112  multi_instance_string(mi, false, &gc));
1113 
1114  if (!learn_succeeded)
1115  {
1116  free(newroute);
1117  }
1118  }
1119  gc_free(&gc);
1120 
1121  return owner;
1122 }
1123 
1124 /*
1125  * Get client instance based on virtual address.
1126  */
1127 static struct multi_instance *
1129  const struct mroute_addr *addr,
1130  bool cidr_routing)
1131 {
1132  struct multi_route *route;
1133  struct multi_instance *ret = NULL;
1134 
1135  /* check for local address */
1136  if (mroute_addr_equal(addr, &m->local))
1137  {
1138  return NULL;
1139  }
1140 
1141  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1142 
1143  /* does host route (possible cached) exist? */
1144  if (route && multi_route_defined(m, route))
1145  {
1146  struct multi_instance *mi = route->instance;
1147  route->last_reference = now;
1148  ret = mi;
1149  }
1150  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1151  {
1152  struct mroute_helper *rh = m->route_helper;
1153  struct mroute_addr tryaddr;
1154  int i;
1155 
1156  /* cycle through each CIDR length */
1157  for (i = 0; i < rh->n_net_len; ++i)
1158  {
1159  tryaddr = *addr;
1160  tryaddr.type |= MR_WITH_NETBITS;
1161  tryaddr.netbits = rh->net_len[i];
1162  mroute_addr_mask_host_bits(&tryaddr);
1163 
1164  /* look up a possible route with netbits netmask */
1165  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1166 
1167  if (route && multi_route_defined(m, route))
1168  {
1169  /* found an applicable route, cache host route */
1170  struct multi_instance *mi = route->instance;
1172  ret = mi;
1173  break;
1174  }
1175  }
1176  }
1177 
1178 #ifdef ENABLE_DEBUG
1180  {
1181  struct gc_arena gc = gc_new();
1182  const char *addr_text = mroute_addr_print(addr, &gc);
1183  if (ret)
1184  {
1185  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1186  addr_text,
1187  multi_instance_string(ret, false, &gc),
1188  mroute_addr_print(&route->addr, &gc));
1189  }
1190  else
1191  {
1192  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1193  addr_text);
1194  }
1195  gc_free(&gc);
1196  }
1197 #endif
1198 
1199  ASSERT(!(ret && ret->halt));
1200  return ret;
1201 }
1202 
1203 /*
1204  * Helper function to multi_learn_addr().
1205  */
1206 static struct multi_instance *
1208  struct multi_instance *mi,
1209  in_addr_t a,
1210  int netbits, /* -1 if host route, otherwise # of network bits in address */
1211  bool primary)
1212 {
1213  struct openvpn_sockaddr remote_si;
1214  struct mroute_addr addr;
1215 
1216  CLEAR(remote_si);
1217  remote_si.addr.in4.sin_family = AF_INET;
1218  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1219  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1220 
1221  if (netbits >= 0)
1222  {
1223  addr.type |= MR_WITH_NETBITS;
1224  addr.netbits = (uint8_t) netbits;
1225  }
1226 
1227  {
1228  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1229 #ifdef ENABLE_MANAGEMENT
1230  if (management && owner)
1231  {
1232  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1233  }
1234 #endif
1235  return owner;
1236  }
1237 }
1238 
1239 static struct multi_instance *
1241  struct multi_instance *mi,
1242  struct in6_addr a6,
1243  int netbits, /* -1 if host route, otherwise # of network bits in address */
1244  bool primary)
1245 {
1246  struct mroute_addr addr;
1247 
1248  addr.len = 16;
1249  addr.type = MR_ADDR_IPV6;
1250  addr.netbits = 0;
1251  addr.v6.addr = a6;
1252 
1253  if (netbits >= 0)
1254  {
1255  addr.type |= MR_WITH_NETBITS;
1256  addr.netbits = (uint8_t) netbits;
1258  }
1259 
1260  {
1261  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1262 #ifdef ENABLE_MANAGEMENT
1263  if (management && owner)
1264  {
1265  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1266  }
1267 #endif
1268  return owner;
1269  }
1270 }
1271 
1272 /*
1273  * A new client has connected, add routes (server -> client)
1274  * to internal routing table.
1275  */
1276 static void
1278  struct multi_instance *mi)
1279 {
1280  struct gc_arena gc = gc_new();
1281  const struct iroute *ir;
1282  const struct iroute_ipv6 *ir6;
1284  {
1285  mi->did_iroutes = true;
1286  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1287  {
1288  if (ir->netbits >= 0)
1289  {
1290  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1291  print_in_addr_t(ir->network, 0, &gc),
1292  ir->netbits,
1293  multi_instance_string(mi, false, &gc));
1294  }
1295  else
1296  {
1297  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1298  print_in_addr_t(ir->network, 0, &gc),
1299  multi_instance_string(mi, false, &gc));
1300  }
1301 
1303 
1304  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1305  }
1306  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1307  {
1308  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1309  print_in6_addr(ir6->network, 0, &gc),
1310  ir6->netbits,
1311  multi_instance_string(mi, false, &gc));
1312 
1314 
1315  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1316  }
1317  }
1318  gc_free(&gc);
1319 }
1320 
1321 /*
1322  * Given an instance (new_mi), delete all other instances which use the
1323  * same common name.
1324  */
1325 static void
1327 {
1328  if (new_mi)
1329  {
1330  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1331  if (new_cn)
1332  {
1333  struct hash_iterator hi;
1334  struct hash_element *he;
1335  int count = 0;
1336 
1337  hash_iterator_init(m->iter, &hi);
1338  while ((he = hash_iterator_next(&hi)))
1339  {
1340  struct multi_instance *mi = (struct multi_instance *) he->value;
1341  if (mi != new_mi && !mi->halt)
1342  {
1343  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1344  if (cn && !strcmp(cn, new_cn))
1345  {
1346  mi->did_iter = false;
1347  multi_close_instance(m, mi, false);
1349  ++count;
1350  }
1351  }
1352  }
1353  hash_iterator_free(&hi);
1354 
1355  if (count)
1356  {
1357  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1358  }
1359  }
1360  }
1361 }
1362 
1363 static void
1365 {
1366 
1367  struct gc_arena gc = gc_new();
1368  struct hash_iterator hi;
1369  struct hash_element *he;
1370 
1371  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1373  while ((he = hash_iterator_next(&hi)) != NULL)
1374  {
1375  struct multi_route *r = (struct multi_route *) he->value;
1376  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1377  {
1378  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1379  mroute_addr_print(&r->addr, &gc));
1380  learn_address_script(m, NULL, "delete", &r->addr);
1381  multi_route_del(r);
1383  }
1384  }
1385  hash_iterator_free(&hi);
1386  gc_free(&gc);
1387 }
1388 
1389 /*
1390  * Ensure that endpoint to be pushed to client
1391  * complies with --ifconfig-push-constraint directive.
1392  */
1393 static bool
1395 {
1396  const struct options *o = &c->options;
1398  {
1400  }
1401  else
1402  {
1403  return true;
1404  }
1405 }
1406 
1407 /*
1408  * Select a virtual address for a new client instance.
1409  * Use an --ifconfig-push directive, if given (static IP).
1410  * Otherwise use an --ifconfig-pool address (dynamic IP).
1411  */
1412 static void
1414 {
1415  struct gc_arena gc = gc_new();
1416 
1417  /*
1418  * If ifconfig addresses were set by dynamic config file,
1419  * release pool addresses, otherwise keep them.
1420  */
1422  {
1423  /* ifconfig addresses were set statically,
1424  * release dynamic allocation */
1425  if (mi->vaddr_handle >= 0)
1426  {
1428  mi->vaddr_handle = -1;
1429  }
1430 
1431  mi->context.c2.push_ifconfig_defined = true;
1435 
1436  /* the current implementation does not allow "static IPv4, pool IPv6",
1437  * (see below) so issue a warning if that happens - don't break the
1438  * session, though, as we don't even know if this client WANTS IPv6
1439  */
1442  {
1443  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1444  }
1445  }
1446  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1447  {
1448  in_addr_t local = 0, remote = 0;
1449  struct in6_addr remote_ipv6;
1450  const char *cn = NULL;
1451 
1452  if (!mi->context.options.duplicate_cn)
1453  {
1454  cn = tls_common_name(mi->context.c2.tls_multi, true);
1455  }
1456 
1457  CLEAR(remote_ipv6);
1458  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1459  if (mi->vaddr_handle >= 0)
1460  {
1461  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1462  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1463 
1464  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1466  ? print_in_addr_t(remote, 0, &gc)
1467  : "(Not enabled)"),
1469  ? print_in6_addr( remote_ipv6, 0, &gc )
1470  : "(Not enabled)") );
1471 
1473  {
1474  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1475  mi->context.c2.push_ifconfig_local = remote;
1476  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1477  {
1480  {
1482  }
1483  }
1484  else if (tunnel_type == DEV_TYPE_TUN)
1485  {
1486  if (tunnel_topology == TOP_P2P)
1487  {
1489  }
1490  else if (tunnel_topology == TOP_NET30)
1491  {
1493  }
1494  }
1495 
1497  {
1498  mi->context.c2.push_ifconfig_defined = true;
1499  }
1500  else
1501  {
1503  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1504  multi_instance_string(mi, false, &gc));
1505  }
1506  }
1507 
1509  {
1510  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1512  mi->context.c1.tuntap->local_ipv6;
1516  }
1517  }
1518  else
1519  {
1520  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1521  }
1522  }
1523 
1524  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1525  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1526  * will fail (because no pool will be allocated in this case).
1527  * OTOH, this doesn't make too much sense in reality - and the other
1528  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1529  * -> and so it's implemented right now
1530  */
1532  {
1540 
1541  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1544  }
1545 
1546  gc_free(&gc);
1547 }
1548 
1549 /*
1550  * Set virtual address environmental variables.
1551  */
1552 static void
1554 {
1555  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1556  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1557  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1558 
1560  {
1561  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1562  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1563 
1565  "ifconfig_pool_remote_ip",
1568 
1569  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1570  {
1572  "ifconfig_pool_netmask",
1575  }
1576  else if (tunnel_type == DEV_TYPE_TUN)
1577  {
1579  "ifconfig_pool_local_ip",
1582  }
1583  }
1584 
1585  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1586  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1587  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1588 
1590  {
1592  "ifconfig_pool_remote",
1596  "ifconfig_pool_local",
1599  setenv_int(mi->context.c2.es,
1600  "ifconfig_pool_ip6_netbits",
1602  }
1603 }
1604 
1605 /*
1606  * Called after client-connect script is called
1607  */
1608 static void
1610  struct multi_instance *mi,
1611  const char *dc_file,
1612  unsigned int *option_types_found)
1613 {
1614  /* Did script generate a dynamic config file? */
1615  if (platform_test_file(dc_file))
1616  {
1618  dc_file,
1621  option_types_found,
1622  mi->context.c2.es);
1623 
1624  /*
1625  * If the --client-connect script generates a config file
1626  * with an --ifconfig-push directive, it will override any
1627  * --ifconfig-push directive from the --client-config-dir
1628  * directory or any --ifconfig-pool dynamic address.
1629  */
1632  }
1633 }
1634 
1635 #ifdef ENABLE_PLUGIN
1636 
1637 /*
1638  * Called after client-connect plug-in is called
1639  */
1640 static void
1642  struct multi_instance *mi,
1643  const struct plugin_return *pr,
1644  unsigned int *option_types_found)
1645 {
1646  struct plugin_return config;
1647 
1648  plugin_return_get_column(pr, &config, "config");
1649 
1650  /* Did script generate a dynamic config file? */
1651  if (plugin_return_defined(&config))
1652  {
1653  int i;
1654  for (i = 0; i < config.n; ++i)
1655  {
1656  if (config.list[i] && config.list[i]->value)
1657  {
1659  config.list[i]->value,
1662  option_types_found,
1663  mi->context.c2.es);
1664  }
1665  }
1666 
1667  /*
1668  * If the --client-connect script generates a config file
1669  * with an --ifconfig-push directive, it will override any
1670  * --ifconfig-push directive from the --client-config-dir
1671  * directory or any --ifconfig-pool dynamic address.
1672  */
1675  }
1676 }
1677 
1678 #endif /* ifdef ENABLE_PLUGIN */
1679 
1680 
1681 /*
1682  * Called to load management-derived client-connect config
1683  */
1686  struct multi_instance *mi,
1687  bool deferred,
1688  unsigned int *option_types_found)
1689 {
1690  /* We never return CC_RET_DEFERRED */
1691  ASSERT(!deferred);
1693 #ifdef ENABLE_MANAGEMENT
1694  if (mi->cc_config)
1695  {
1696  struct buffer_entry *be;
1697  for (be = mi->cc_config->head; be != NULL; be = be->next)
1698  {
1699  const char *opt = BSTR(&be->buf);
1701  opt,
1704  option_types_found,
1705  mi->context.c2.es);
1706  }
1707 
1708  /*
1709  * If the --client-connect script generates a config file
1710  * with an --ifconfig-push directive, it will override any
1711  * --ifconfig-push directive from the --client-config-dir
1712  * directory or any --ifconfig-pool dynamic address.
1713  */
1716 
1717  ret = CC_RET_SUCCEEDED;
1718  }
1719 #endif /* ifdef ENABLE_MANAGEMENT */
1720  return ret;
1721 }
1722 
1723 static void
1725  struct multi_instance *mi)
1726 {
1727  struct gc_arena gc = gc_new();
1728 
1729  /* setenv incoming cert common name for script */
1730  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1731 
1732  /* setenv client real IP address */
1734 
1735  /* setenv client virtual IP address */
1737 
1738  /* setenv connection time */
1739  {
1740  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1741  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1742  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1743  }
1744 
1745  gc_free(&gc);
1746 }
1747 
1754 static bool
1756 {
1757  struct tls_multi *tls_multi = c->c2.tls_multi;
1758  const char *const peer_info = tls_multi->peer_info;
1759  struct options *o = &c->options;
1760 
1761 
1762  unsigned int proto = extract_iv_proto(peer_info);
1763  if (proto & IV_PROTO_DATA_V2)
1764  {
1765  tls_multi->use_peer_id = true;
1766  o->use_peer_id = true;
1767  }
1768  if (proto & IV_PROTO_REQUEST_PUSH)
1769  {
1770  c->c2.push_request_received = true;
1771  }
1772 
1773 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1774  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1775  {
1777  }
1778 #endif
1779 
1780  /* Select cipher if client supports Negotiable Crypto Parameters */
1781 
1782  /* if we have already created our key, we cannot *change* our own
1783  * cipher -> so log the fact and push the "what we have now" cipher
1784  * (so the client is always told what we expect it to use)
1785  */
1787  {
1788  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1789  "server has already generated data channel keys, "
1790  "re-sending previously negotiated cipher '%s'",
1791  o->ciphername );
1792  return true;
1793  }
1794 
1795  /*
1796  * Push the first cipher from --data-ciphers to the client that
1797  * the client announces to be supporting.
1798  */
1799  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1801  &o->gc);
1802 
1803  if (push_cipher)
1804  {
1805  o->ciphername = push_cipher;
1806  return true;
1807  }
1808 
1809  /* NCP cipher negotiation failed. Try to figure out why exactly it
1810  * failed and give good error messages and potentially do a fallback
1811  * for non NCP clients */
1812  struct gc_arena gc = gc_new();
1813  bool ret = false;
1814 
1815  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1816  /* If we are in a situation where we know the client ciphers, there is no
1817  * reason to fall back to a cipher that will not be accepted by the other
1818  * side, in this situation we fail the auth*/
1819  if (strlen(peer_ciphers) > 0)
1820  {
1821  msg(M_INFO, "PUSH: No common cipher between server and client. "
1822  "Server data-ciphers: '%s', client supported ciphers '%s'",
1823  o->ncp_ciphers, peer_ciphers);
1824  }
1825  else if (tls_multi->remote_ciphername)
1826  {
1827  msg(M_INFO, "PUSH: No common cipher between server and client. "
1828  "Server data-ciphers: '%s', client supports cipher '%s'",
1830  }
1831  else
1832  {
1833  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1834 
1836  {
1837  msg(M_INFO, "Using data channel cipher '%s' since "
1838  "--data-ciphers-fallback is set.", o->ciphername);
1839  ret = true;
1840  }
1841  else
1842  {
1843  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1844  "client is using if you want to allow the client to connect");
1845  }
1846  }
1847  if (!ret)
1848  {
1849  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1850  "failed (no shared cipher)");
1851  }
1852 
1853  gc_free(&gc);
1854  return ret;
1855 }
1856 
1861 static void
1863 {
1865  if (!ccs->deferred_ret_file)
1866  {
1867  return;
1868  }
1869 
1870  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1872  {
1873  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1874  ccs->deferred_ret_file);
1875  }
1876  free(ccs->deferred_ret_file);
1877  ccs->deferred_ret_file = NULL;
1878 }
1879 
1887 static bool
1889 {
1891  struct gc_arena gc = gc_new();
1892  const char *fn;
1893 
1894  /* Delete file if it already exists */
1896 
1897  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1898  if (!fn)
1899  {
1900  gc_free(&gc);
1901  return false;
1902  }
1903  ccs->deferred_ret_file = string_alloc(fn, NULL);
1904 
1905  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1906  ccs->deferred_ret_file);
1907 
1908  gc_free(&gc);
1909  return true;
1910 }
1911 
1920 static enum client_connect_return
1922 {
1924  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1925  if (!fp)
1926  {
1927  return CC_RET_SKIPPED;
1928  }
1929 
1931  const int c = fgetc(fp);
1932  switch (c)
1933  {
1934  case '0':
1935  ret = CC_RET_FAILED;
1936  break;
1937 
1938  case '1':
1939  ret = CC_RET_SUCCEEDED;
1940  break;
1941 
1942  case '2':
1943  ret = CC_RET_DEFERRED;
1944  break;
1945 
1946  case EOF:
1947  if (feof(fp))
1948  {
1949  ret = CC_RET_SKIPPED;
1950  break;
1951  }
1952 
1953  /* Not EOF but other error -> fall through to error state */
1954  default:
1955  /* We received an unknown/unexpected value. Assume failure. */
1956  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
1957  "client-connect resultfile");
1958  ret = CC_RET_FAILED;
1959  }
1960  fclose(fp);
1961 
1962  return ret;
1963 }
1964 
1970 static void
1972 {
1974  if (ccs->config_file)
1975  {
1976  setenv_del(mi->context.c2.es, "client_connect_config_file");
1977  if (!platform_unlink(ccs->config_file))
1978  {
1979  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1980  ccs->config_file);
1981  }
1982  free(ccs->config_file);
1983  ccs->config_file = NULL;
1984  }
1985 }
1986 
1994 static bool
1996 {
1998  struct gc_arena gc = gc_new();
1999  const char *fn;
2000 
2001  if (ccs->config_file)
2002  {
2004  }
2005 
2006  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2007  if (!fn)
2008  {
2009  gc_free(&gc);
2010  return false;
2011  }
2012  ccs->config_file = string_alloc(fn, NULL);
2013 
2014  setenv_str(mi->context.c2.es, "client_connect_config_file",
2015  ccs->config_file);
2016 
2017  gc_free(&gc);
2018  return true;
2019 }
2020 
2021 static enum client_connect_return
2023  struct multi_instance *mi,
2024  bool deferred,
2025  unsigned int *option_types_found)
2026 {
2028 #ifdef ENABLE_PLUGIN
2029  ASSERT(m);
2030  ASSERT(mi);
2031  ASSERT(option_types_found);
2033 
2034  /* deprecated callback, use a file for passing back return info */
2036  {
2037  struct argv argv = argv_new();
2038  int call;
2039 
2040  if (!deferred)
2041  {
2043  if (!ccs_gen_config_file(mi)
2044  || !ccs_gen_deferred_ret_file(mi))
2045  {
2046  ret = CC_RET_FAILED;
2047  goto cleanup;
2048  }
2049  }
2050  else
2051  {
2053  /* the initial call should have created these files */
2054  ASSERT(ccs->config_file);
2055  ASSERT(ccs->deferred_ret_file);
2056  }
2057 
2058  argv_printf(&argv, "%s", ccs->config_file);
2059  int plug_ret = plugin_call(mi->context.plugins, call,
2060  &argv, NULL, mi->context.c2.es);
2061  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2062  {
2063  ret = CC_RET_SUCCEEDED;
2064  }
2065  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2066  {
2067  ret = CC_RET_DEFERRED;
2073  }
2074  else
2075  {
2076  msg(M_WARN, "WARNING: client-connect plugin call failed");
2077  ret = CC_RET_FAILED;
2078  }
2079 
2080 
2086  int file_ret = ccs_test_deferred_ret_file(mi);
2087 
2088  if (file_ret == CC_RET_FAILED)
2089  {
2090  ret = CC_RET_FAILED;
2091  }
2092  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2093  {
2094  ret = CC_RET_DEFERRED;
2095  }
2096 
2097  /* if we still think we have succeeded, do postprocessing */
2098  if (ret == CC_RET_SUCCEEDED)
2099  {
2101  option_types_found);
2102  }
2103 cleanup:
2104  argv_free(&argv);
2105 
2106  if (ret != CC_RET_DEFERRED)
2107  {
2110  }
2111  }
2112 #endif /* ifdef ENABLE_PLUGIN */
2113  return ret;
2114 }
2115 
2116 static enum client_connect_return
2118  struct multi_instance *mi,
2119  bool deferred,
2120  unsigned int *option_types_found)
2121 {
2123 #ifdef ENABLE_PLUGIN
2124  ASSERT(m);
2125  ASSERT(mi);
2126  ASSERT(option_types_found);
2127 
2128  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2130  /* V2 callback, use a plugin_return struct for passing back return info */
2131  if (plugin_defined(mi->context.plugins, call))
2132  {
2133  struct plugin_return pr;
2134 
2135  plugin_return_init(&pr);
2136 
2137  int plug_ret = plugin_call(mi->context.plugins, call,
2138  NULL, &pr, mi->context.c2.es);
2139  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2140  {
2141  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2142  ret = CC_RET_SUCCEEDED;
2143  }
2144  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2145  {
2146  ret = CC_RET_DEFERRED;
2147  if (!(plugin_defined(mi->context.plugins,
2149  {
2150  msg(M_WARN, "A plugin that defers from the "
2151  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2152  "declare support for "
2153  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2154  ret = CC_RET_FAILED;
2155  }
2156  }
2157  else
2158  {
2159  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2160  ret = CC_RET_FAILED;
2161  }
2162 
2163 
2164  plugin_return_free(&pr);
2165  }
2166 #endif /* ifdef ENABLE_PLUGIN */
2167  return ret;
2168 }
2169 
2170 static enum client_connect_return
2172  struct multi_instance *mi,
2173  unsigned int *option_types_found)
2174 {
2175  ASSERT(mi);
2176  ASSERT(option_types_found);
2179 
2180  ret = ccs_test_deferred_ret_file(mi);
2181 
2182  if (ret == CC_RET_SKIPPED)
2183  {
2184  /*
2185  * Skipped and deferred are equivalent in this context.
2186  * skipped means that the called program has not yet
2187  * written a return status implicitly needing more time
2188  * while deferred is the explicit notification that it
2189  * needs more time
2190  */
2191  ret = CC_RET_DEFERRED;
2192  }
2193 
2194  if (ret == CC_RET_SUCCEEDED)
2195  {
2200  }
2201  if (ret == CC_RET_FAILED)
2202  {
2203  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2206  }
2207  return ret;
2208 }
2209 
2213 static enum client_connect_return
2215  struct multi_instance *mi,
2216  bool deferred,
2217  unsigned int *option_types_found)
2218 {
2219  if (deferred)
2220  {
2222  }
2223  ASSERT(m);
2224  ASSERT(mi);
2225 
2228 
2230  {
2231  struct argv argv = argv_new();
2232  struct gc_arena gc = gc_new();
2233 
2234  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2235 
2236  if (!ccs_gen_config_file(mi)
2237  || !ccs_gen_deferred_ret_file(mi))
2238  {
2239  ret = CC_RET_FAILED;
2240  goto cleanup;
2241  }
2242 
2244  argv_printf_cat(&argv, "%s", ccs->config_file);
2245 
2246  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2247  {
2249  {
2250  ret = CC_RET_DEFERRED;
2251  }
2252  else
2253  {
2255  option_types_found);
2256  ret = CC_RET_SUCCEEDED;
2257  }
2258  }
2259  else
2260  {
2261  ret = CC_RET_FAILED;
2262  }
2263 cleanup:
2264  if (ret != CC_RET_DEFERRED)
2265  {
2268  }
2269  argv_free(&argv);
2270  gc_free(&gc);
2271  }
2272  return ret;
2273 }
2274 
2278 static bool
2280 {
2281  struct frame *frame_fragment = NULL;
2282 #ifdef ENABLE_FRAGMENT
2283  if (c->options.ce.fragment)
2284  {
2285  frame_fragment = &c->c2.frame_fragment;
2286  }
2287 #endif
2288  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2290  &c->c2.frame, frame_fragment,
2292  {
2293  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2294  register_signal(c, SIGUSR1, "process-push-msg-failed");
2295  return false;
2296  }
2297 
2298  return true;
2299 }
2300 
2301 static void
2303  struct multi_instance *mi,
2304  const unsigned int option_types_found)
2305 {
2306  ASSERT(m);
2307  ASSERT(mi);
2308 
2309  struct gc_arena gc = gc_new();
2310  /*
2311  * Process sourced options.
2312  */
2313  do_deferred_options(&mi->context, option_types_found);
2314 
2315  /*
2316  * make sure we got ifconfig settings from somewhere
2317  */
2318  if (!mi->context.c2.push_ifconfig_defined)
2319  {
2320  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2321  "--ifconfig address is available for %s",
2322  multi_instance_string(mi, false, &gc));
2323  }
2324 
2325  /*
2326  * make sure that ifconfig settings comply with constraints
2327  */
2329  {
2330  const char *ifconfig_constraint_network =
2332  const char *ifconfig_constraint_netmask =
2334 
2335  /* JYFIXME -- this should cause the connection to fail */
2336  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2337  "violates tunnel network/netmask constraint (%s/%s)",
2338  multi_instance_string(mi, false, &gc),
2340  ifconfig_constraint_network, ifconfig_constraint_netmask);
2341  }
2342 
2343  /*
2344  * For routed tunnels, set up internal route to endpoint
2345  * plus add all iroute routes.
2346  */
2348  {
2350  {
2351  multi_learn_in_addr_t(m, mi,
2353  -1, true);
2354  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2355  multi_instance_string(mi, false, &gc),
2357  }
2358 
2360  {
2361  multi_learn_in6_addr(m, mi,
2363  -1, true);
2364  /* TODO: find out where addresses are "unlearned"!! */
2365  const char *ifconfig_local_ipv6 =
2367  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2368  multi_instance_string(mi, false, &gc),
2369  ifconfig_local_ipv6);
2370  }
2371 
2372  /* add routes locally, pointing to new client, if
2373  * --iroute options have been specified */
2374  multi_add_iroutes(m, mi);
2375 
2376  /*
2377  * iroutes represent subnets which are "owned" by a particular
2378  * client. Therefore, do not actually push a route to a client
2379  * if it matches one of the client's iroutes.
2380  */
2382  }
2383  else if (mi->context.options.iroutes)
2384  {
2385  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2386  "only works with tun-style tunnels",
2387  multi_instance_string(mi, false, &gc));
2388  }
2389 
2390  /* set our client's VPN endpoint for status reporting purposes */
2393 
2394  /* set context-level authentication flag */
2396 
2397  /* authentication complete, calculate dynamic client specific options */
2399  {
2401  }
2402  /* Generate data channel keys only if setting protocol options
2403  * has not failed */
2404  else if (!multi_client_generate_tls_keys(&mi->context))
2405  {
2407  }
2408 
2409  /* send push reply if ready */
2411  {
2413  }
2414 
2415  gc_free(&gc);
2416 }
2417 
2418 static void
2420  struct multi_instance *mi)
2421 {
2422  ASSERT(mi->context.c1.tuntap);
2423  /*
2424  * lock down the common name and cert hashes so they can't change
2425  * during future TLS renegotiations
2426  */
2429 
2430  /* generate a msg() prefix for this client instance */
2431  generate_prefix(mi);
2432 
2433  /* delete instances of previous clients with same common-name */
2434  if (!mi->context.options.duplicate_cn)
2435  {
2436  multi_delete_dup(m, mi);
2437  }
2438 
2439  /* reset pool handle to null */
2440  mi->vaddr_handle = -1;
2441 
2442  /* do --client-connect setenvs */
2444 
2446 }
2447 
2454 static enum client_connect_return
2456  struct multi_instance *mi,
2457  bool deferred,
2458  unsigned int *option_types_found)
2459 {
2460 #ifdef USE_COMP
2461  struct options *o = &mi->context.options;
2462  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2463 
2464  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2465  {
2466  if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2467  {
2468  push_option(o, "compress stub-v2", M_USAGE);
2469  }
2470  else
2471  {
2472  /* Client is old and does not support STUBv2 but since it
2473  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2474  * switch to that and push the uncompressed variant. */
2475  push_option(o, "comp-lzo no", M_USAGE);
2476  o->comp.alg = COMP_ALG_STUB;
2477  *option_types_found |= OPT_P_COMP;
2478  }
2479  }
2480 #endif
2481  return CC_RET_SUCCEEDED;
2482 }
2483 
2488 static enum client_connect_return
2490  struct multi_instance *mi,
2491  bool deferred,
2492  unsigned int *option_types_found)
2493 {
2494  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2495  * problem */
2496  ASSERT(!deferred);
2499  {
2500  struct gc_arena gc = gc_new();
2501  const char *ccd_file = NULL;
2502 
2503  const char *ccd_client =
2505  tls_common_name(mi->context.c2.tls_multi, false),
2506  &gc);
2507 
2508  const char *ccd_default =
2510  CCD_DEFAULT, &gc);
2511 
2512 
2513  /* try common-name file */
2514  if (platform_test_file(ccd_client))
2515  {
2516  ccd_file = ccd_client;
2517  }
2518  /* try default file */
2519  else if (platform_test_file(ccd_default))
2520  {
2521  ccd_file = ccd_default;
2522  }
2523 
2524  if (ccd_file)
2525  {
2527  ccd_file,
2530  option_types_found,
2531  mi->context.c2.es);
2532  /*
2533  * Select a virtual address from either --ifconfig-push in
2534  * --client-config-dir file or --ifconfig-pool.
2535  */
2537 
2539 
2540  ret = CC_RET_SUCCEEDED;
2541  }
2542  gc_free(&gc);
2543  }
2544  return ret;
2545 }
2546 
2548  (struct multi_context *m, struct multi_instance *mi,
2549  bool from_deferred, unsigned int *option_types_found);
2550 
2558  NULL,
2559 };
2560 
2561 /*
2562  * Called as soon as the SSL/TLS connection is authenticated.
2563  *
2564  * Will collect the client specific configuration from the different
2565  * sources like ccd files, connect plugins and management interface.
2566  *
2567  * This method starts with cas_context CAS_PENDING and will move the
2568  * state machine to either CAS_SUCCEEDED on success or
2569  * CAS_FAILED/CAS_PARTIAL on failure.
2570  *
2571  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2572  * include:
2573  *
2574  * iroute start-ip end-ip
2575  * ifconfig-push local remote-netmask
2576  * push
2577  *
2578  *
2579  */
2580 static void
2582 {
2583  /* We are only called for the CAS_PENDING_x states, so we
2584  * can ignore other states here */
2585  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2586 
2587  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2588  unsigned int *option_types_found =
2590 
2591  /* We are called for the first time */
2592  if (!from_deferred)
2593  {
2594  *cur_handler_index = 0;
2595  *option_types_found = 0;
2596  /* Initially we have no handler that has returned a result */
2598 
2600  }
2601 
2602  bool cc_succeeded = true;
2603 
2604  while (cc_succeeded
2605  && client_connect_handlers[*cur_handler_index] != NULL)
2606  {
2607  enum client_connect_return ret;
2608  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2609  option_types_found);
2610 
2611  from_deferred = false;
2612 
2613  switch (ret)
2614  {
2615  case CC_RET_SUCCEEDED:
2616  /*
2617  * Remember that we already had at least one handler
2618  * returning a result should we go to into deferred state
2619  */
2620  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2621  break;
2622 
2623  case CC_RET_SKIPPED:
2624  /*
2625  * Move on with the next handler without modifying any
2626  * other state
2627  */
2628  break;
2629 
2630  case CC_RET_DEFERRED:
2631  /*
2632  * we already set multi_status to DEFERRED_RESULT or
2633  * DEFERRED_NO_RESULT. We just return
2634  * from the function as having multi_status
2635  */
2636  return;
2637 
2638  case CC_RET_FAILED:
2639  /*
2640  * One handler failed. We abort the chain and set the final
2641  * result to failed
2642  */
2643  cc_succeeded = false;
2644  break;
2645 
2646  default:
2647  ASSERT(0);
2648  }
2649 
2650  /*
2651  * Check for "disable" directive in client-config-dir file
2652  * or config file generated by --client-connect script.
2653  */
2654  if (mi->context.options.disable)
2655  {
2656  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2657  "'disable' directive");
2658  cc_succeeded = false;
2659  }
2660 
2661  (*cur_handler_index)++;
2662  }
2663 
2664  if (cc_succeeded)
2665  {
2666  multi_client_connect_late_setup(m, mi, *option_types_found);
2667  }
2668  else
2669  {
2670  /* run the disconnect script if we had a connect script that
2671  * did not fail */
2673  {
2675  }
2676 
2678  }
2679 
2680  /* increment number of current authenticated clients */
2681  ++m->n_clients;
2683  --mi->n_clients_delta;
2684 
2685 #ifdef ENABLE_MANAGEMENT
2686  if (management)
2687  {
2689  &mi->context.c2.mda_context, mi->context.c2.es);
2690  }
2691 #endif
2692 }
2693 
2694 #ifdef ENABLE_ASYNC_PUSH
2695 /*
2696  * Called when inotify event is fired, which happens when acf
2697  * or connect-status file is closed or deleted.
2698  * Continues authentication and sends push_reply
2699  * (or be deferred again by client-connect)
2700  */
2701 void
2702 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2703 {
2704  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2705  size_t buffer_i = 0;
2706  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2707 
2708  while (buffer_i < r)
2709  {
2710  /* parse inotify events */
2711  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2712  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2713  buffer_i += event_size;
2714 
2715  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2716 
2717  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2718 
2719  if (pevent->mask & IN_CLOSE_WRITE)
2720  {
2721  if (mi)
2722  {
2723  /* continue authentication, perform NCP negotiation and send push_reply */
2724  multi_process_post(m, mi, mpp_flags);
2725  }
2726  else
2727  {
2728  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2729  }
2730  }
2731  else if (pevent->mask & IN_IGNORED)
2732  {
2733  /* this event is _always_ fired when watch is removed or file is deleted */
2734  if (mi)
2735  {
2736  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2737  mi->inotify_watch = -1;
2738  }
2739  }
2740  else
2741  {
2742  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2743  }
2744  }
2745 }
2746 #endif /* ifdef ENABLE_ASYNC_PUSH */
2747 
2748 /*
2749  * Add a mbuf buffer to a particular
2750  * instance.
2751  */
2752 void
2754  struct multi_instance *mi,
2755  struct mbuf_buffer *mb)
2756 {
2757  if (multi_output_queue_ready(m, mi))
2758  {
2759  struct mbuf_item item;
2760  item.buffer = mb;
2761  item.instance = mi;
2762  mbuf_add_item(m->mbuf, &item);
2763  }
2764  else
2765  {
2766  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2767  }
2768 }
2769 
2770 /*
2771  * Add a packet to a client instance output queue.
2772  */
2773 static inline void
2775  const struct buffer *buf,
2776  struct multi_instance *mi)
2777 {
2778  struct mbuf_buffer *mb;
2779 
2780  if (BLEN(buf) > 0)
2781  {
2782  mb = mbuf_alloc_buf(buf);
2783  mb->flags = MF_UNICAST;
2784  multi_add_mbuf(m, mi, mb);
2785  mbuf_free_buf(mb);
2786  }
2787 }
2788 
2789 /*
2790  * Broadcast a packet to all clients.
2791  */
2792 static void
2794  const struct buffer *buf,
2795  const struct multi_instance *sender_instance,
2796  const struct mroute_addr *sender_addr,
2797  uint16_t vid)
2798 {
2799  struct hash_iterator hi;
2800  struct hash_element *he;
2801  struct multi_instance *mi;
2802  struct mbuf_buffer *mb;
2803 
2804  if (BLEN(buf) > 0)
2805  {
2807 #ifdef MULTI_DEBUG_EVENT_LOOP
2808  printf("BCAST len=%d\n", BLEN(buf));
2809 #endif
2810  mb = mbuf_alloc_buf(buf);
2811  hash_iterator_init(m->iter, &hi);
2812 
2813  while ((he = hash_iterator_next(&hi)))
2814  {
2815  mi = (struct multi_instance *) he->value;
2816  if (mi != sender_instance && !mi->halt)
2817  {
2818  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2819  {
2820  continue;
2821  }
2822  multi_add_mbuf(m, mi, mb);
2823  }
2824  }
2825 
2826  hash_iterator_free(&hi);
2827  mbuf_free_buf(mb);
2828  perf_pop();
2829  }
2830 }
2831 
2832 /*
2833  * Given a time delta, indicating that we wish to be
2834  * awoken by the scheduler at time now + delta, figure
2835  * a sigma parameter (in microseconds) that represents
2836  * a sort of fuzz factor around delta, so that we're
2837  * really telling the scheduler to wake us up any time
2838  * between now + delta - sigma and now + delta + sigma.
2839  *
2840  * The sigma parameter helps the scheduler to run more efficiently.
2841  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2842  */
2843 static inline unsigned int
2844 compute_wakeup_sigma(const struct timeval *delta)
2845 {
2846  if (delta->tv_sec < 1)
2847  {
2848  /* if < 1 sec, fuzz = # of microseconds / 8 */
2849  return delta->tv_usec >> 3;
2850  }
2851  else
2852  {
2853  /* if < 10 minutes, fuzz = 13.1% of timeout */
2854  if (delta->tv_sec < 600)
2855  {
2856  return delta->tv_sec << 17;
2857  }
2858  else
2859  {
2860  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2861  }
2862  }
2863 }
2864 
2865 static void
2867 {
2868  /* calculate an absolute wakeup time */
2869  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2870  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2871 
2872  /* tell scheduler to wake us up at some point in the future */
2874  (struct schedule_entry *) mi,
2875  &mi->wakeup,
2876  compute_wakeup_sigma(&mi->context.c2.timeval));
2877 }
2878 
2879 #if defined(ENABLE_ASYNC_PUSH)
2880 static void
2881 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2882  int inotify_fd, const char *file)
2883 {
2884  /* watch acf file */
2885  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2886  IN_CLOSE_WRITE | IN_ONESHOT);
2887  if (watch_descriptor >= 0)
2888  {
2889  if (mi->inotify_watch != -1)
2890  {
2891  hash_remove(m->inotify_watchers,
2892  (void *) (unsigned long)mi->inotify_watch);
2893  }
2894  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2895  mi, true);
2896  mi->inotify_watch = watch_descriptor;
2897  }
2898  else
2899  {
2900  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2901  }
2902 }
2903 #endif /* if defined(ENABLE_ASYNC_PUSH) */
2904 
2905 /*
2906  * Figure instance-specific timers, convert
2907  * earliest to absolute time in mi->wakeup,
2908  * call scheduler with our future wakeup time.
2909  *
2910  * Also close context on signal.
2911  */
2912 bool
2913 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2914 {
2915  bool ret = true;
2916 
2917  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2918  {
2919 #if defined(ENABLE_ASYNC_PUSH)
2920  bool was_unauthenticated = true;
2921  struct key_state *ks = NULL;
2922  if (mi->context.c2.tls_multi)
2923  {
2925  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2926  }
2927 #endif
2928 
2929  /* figure timeouts and fetch possible outgoing
2930  * to_link packets (such as ping or TLS control) */
2931  pre_select(&mi->context);
2932 
2933 #if defined(ENABLE_ASYNC_PUSH)
2934  /*
2935  * if we see the state transition from unauthenticated to deferred
2936  * and an auth_control_file, we assume it got just added and add
2937  * inotify watch to that file
2938  */
2939  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
2940  && (ks->authenticated == KS_AUTH_DEFERRED))
2941  {
2942  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2944  }
2945  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
2946  && (ks->authenticated == KS_AUTH_DEFERRED))
2947  {
2948  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2950  }
2951 #endif
2952 
2953  if (!IS_SIG(&mi->context))
2954  {
2955  /* connection is "established" when SSL/TLS key negotiation succeeds
2956  * and (if specified) auth user/pass succeeds */
2957 
2959  {
2961  }
2962 #if defined(ENABLE_ASYNC_PUSH)
2965  {
2966  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2968  deferred_ret_file);
2969  }
2970 #endif
2971  /* tell scheduler to wake us up at some point in the future */
2973  }
2974  }
2975 
2976  if (IS_SIG(&mi->context))
2977  {
2978  if (flags & MPP_CLOSE_ON_SIGNAL)
2979  {
2981  ret = false;
2982  }
2983  }
2984  else
2985  {
2986  /* continue to pend on output? */
2987  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2988 
2989 #ifdef MULTI_DEBUG_EVENT_LOOP
2990  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
2991  id(mi),
2992  (int) (mi == m->pending),
2993  mi ? mi->context.c2.to_tun.len : -1,
2994  mi ? mi->context.c2.to_link.len : -1,
2995  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2996  (int64_t)mi->context.c2.timeval.tv_sec,
2997  (long)mi->context.c2.timeval.tv_usec);
2998 #endif
2999  }
3000 
3001  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3002  {
3003  *m->mpp_touched = mi;
3004  }
3005 
3006  return ret;
3007 }
3008 
3009 void
3011 {
3012  struct mroute_addr real;
3013  struct hash *hash = m->hash;
3014  struct gc_arena gc = gc_new();
3015 
3016  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3017  {
3018  goto done;
3019  }
3020 
3021  const uint32_t hv = hash_value(hash, &real);
3022  struct hash_bucket *bucket = hash_bucket(hash, hv);
3023 
3024  /* make sure that we don't float to an address taken by another client */
3025  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3026  if (he)
3027  {
3028  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3029 
3030  struct tls_multi *m1 = mi->context.c2.tls_multi;
3031  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3032 
3033  /* do not float if target address is taken by client with another cert */
3034  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3035  {
3036  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3037  multi_instance_string(ex_mi, false, &gc));
3038 
3039  mi->context.c2.buf.len = 0;
3040 
3041  goto done;
3042  }
3043 
3044  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3045  multi_close_instance(m, ex_mi, false);
3046  }
3047 
3048  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3049  mi->context.c2.tls_multi->peer_id,
3050  tls_common_name(mi->context.c2.tls_multi, false),
3051  mroute_addr_print(&mi->real, &gc),
3053 
3054  /* remove old address from hash table before changing address */
3055  ASSERT(hash_remove(m->hash, &mi->real));
3056  ASSERT(hash_remove(m->iter, &mi->real));
3057 
3058  /* change external network address of the remote peer */
3059  mi->real = real;
3060  generate_prefix(mi);
3061 
3062  mi->context.c2.from = m->top.c2.from;
3063  mi->context.c2.to_link_addr = &mi->context.c2.from;
3064 
3065  /* inherit parent link_socket and link_socket_info */
3068 
3070 
3071  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3072  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3073 
3074 #ifdef ENABLE_MANAGEMENT
3075  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3076 #endif
3077 
3078 done:
3079  gc_free(&gc);
3080 }
3081 
3082 /*
3083  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3084  * i.e. client -> server direction.
3085  */
3086 bool
3087 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3088 {
3089  struct gc_arena gc = gc_new();
3090 
3091  struct context *c;
3092  struct mroute_addr src, dest;
3093  unsigned int mroute_flags;
3094  struct multi_instance *mi;
3095  bool ret = true;
3096  bool floated = false;
3097 
3098  if (m->pending)
3099  {
3100  return true;
3101  }
3102 
3103  if (!instance)
3104  {
3105 #ifdef MULTI_DEBUG_EVENT_LOOP
3106  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3107 #endif
3109  }
3110  else
3111  {
3112  multi_set_pending(m, instance);
3113  }
3114 
3115  if (m->pending)
3116  {
3117  set_prefix(m->pending);
3118 
3119  /* get instance context */
3120  c = &m->pending->context;
3121 
3122  if (!instance)
3123  {
3124  /* transfer packet pointer from top-level context buffer to instance */
3125  c->c2.buf = m->top.c2.buf;
3126 
3127  /* transfer from-addr from top-level context buffer to instance */
3128  if (!floated)
3129  {
3130  c->c2.from = m->top.c2.from;
3131  }
3132  }
3133 
3134  if (BLEN(&c->c2.buf) > 0)
3135  {
3136  struct link_socket_info *lsi;
3137  const uint8_t *orig_buf;
3138 
3139  /* decrypt in instance context */
3140 
3142  lsi = get_link_socket_info(c);
3143  orig_buf = c->c2.buf.data;
3144  if (process_incoming_link_part1(c, lsi, floated))
3145  {
3146  /* nonzero length means that we have a valid, decrypted packed */
3147  if (floated && c->c2.buf.len > 0)
3148  {
3150  }
3151 
3152  process_incoming_link_part2(c, lsi, orig_buf);
3153  }
3154  perf_pop();
3155 
3156  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3157  {
3158  /* extract packet source and dest addresses */
3159  mroute_flags = mroute_extract_addr_from_packet(&src,
3160  &dest,
3161  0,
3162  &c->c2.to_tun,
3163  DEV_TYPE_TUN);
3164 
3165  /* drop packet if extract failed */
3166  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3167  {
3168  c->c2.to_tun.len = 0;
3169  }
3170  /* make sure that source address is associated with this client */
3171  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3172  {
3173  /* IPv6 link-local address (fe80::xxx)? */
3174  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3175  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3176  {
3177  /* do nothing, for now. TODO: add address learning */
3178  }
3179  else
3180  {
3181  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3182  mroute_addr_print(&src, &gc));
3183  }
3184  c->c2.to_tun.len = 0;
3185  }
3186  /* client-to-client communication enabled? */
3187  else if (m->enable_c2c)
3188  {
3189  /* multicast? */
3190  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3191  {
3192  /* for now, treat multicast as broadcast */
3193  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3194  }
3195  else /* possible client to client routing */
3196  {
3197  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3198  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3199 
3200  /* if dest addr is a known client, route to it */
3201  if (mi)
3202  {
3203  {
3204  multi_unicast(m, &c->c2.to_tun, mi);
3205  register_activity(c, BLEN(&c->c2.to_tun));
3206  }
3207  c->c2.to_tun.len = 0;
3208  }
3209  }
3210  }
3211  }
3212  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3213  {
3214  uint16_t vid = 0;
3215 
3216  if (m->top.options.vlan_tagging)
3217  {
3218  if (vlan_is_tagged(&c->c2.to_tun))
3219  {
3220  /* Drop VLAN-tagged frame. */
3221  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3222  c->c2.to_tun.len = 0;
3223  }
3224  else
3225  {
3226  vid = c->options.vlan_pvid;
3227  }
3228  }
3229  /* extract packet source and dest addresses */
3230  mroute_flags = mroute_extract_addr_from_packet(&src,
3231  &dest,
3232  vid,
3233  &c->c2.to_tun,
3234  DEV_TYPE_TAP);
3235 
3236  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3237  {
3238  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3239  {
3240  /* check for broadcast */
3241  if (m->enable_c2c)
3242  {
3243  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3244  {
3245  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3246  vid);
3247  }
3248  else /* try client-to-client routing */
3249  {
3250  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3251 
3252  /* if dest addr is a known client, route to it */
3253  if (mi)
3254  {
3255  multi_unicast(m, &c->c2.to_tun, mi);
3256  register_activity(c, BLEN(&c->c2.to_tun));
3257  c->c2.to_tun.len = 0;
3258  }
3259  }
3260  }
3261  }
3262  else
3263  {
3264  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3265  mroute_addr_print(&src, &gc));
3266  c->c2.to_tun.len = 0;
3267  }
3268  }
3269  else
3270  {
3271  c->c2.to_tun.len = 0;
3272  }
3273  }
3274  }
3275 
3276  /* postprocess and set wakeup */
3277  ret = multi_process_post(m, m->pending, mpp_flags);
3278 
3279  clear_prefix();
3280  }
3281 
3282  gc_free(&gc);
3283  return ret;
3284 }
3285 
3286 /*
3287  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3288  * i.e. server -> client direction.
3289  */
3290 bool
3291 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3292 {
3293  struct gc_arena gc = gc_new();
3294  bool ret = true;
3295 
3296  if (BLEN(&m->top.c2.buf) > 0)
3297  {
3298  unsigned int mroute_flags;
3299  struct mroute_addr src, dest;
3300  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3301  int16_t vid = 0;
3302 
3303 
3304 #ifdef MULTI_DEBUG_EVENT_LOOP
3305  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3306 #endif
3307 
3308  if (m->pending)
3309  {
3310  return true;
3311  }
3312 
3313  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3314  {
3315  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3316  if (vid < 0)
3317  {
3318  return false;
3319  }
3320  }
3321 
3322  /*
3323  * Route an incoming tun/tap packet to
3324  * the appropriate multi_instance object.
3325  */
3326 
3327  mroute_flags = mroute_extract_addr_from_packet(&src,
3328  &dest,
3329  vid,
3330  &m->top.c2.buf,
3331  dev_type);
3332 
3333  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3334  {
3335  struct context *c;
3336 
3337  /* broadcast or multicast dest addr? */
3338  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3339  {
3340  /* for now, treat multicast as broadcast */
3341  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3342  }
3343  else
3344  {
3346 
3347  if (m->pending)
3348  {
3349  /* get instance context */
3350  c = &m->pending->context;
3351 
3352  set_prefix(m->pending);
3353 
3354  {
3355  if (multi_output_queue_ready(m, m->pending))
3356  {
3357  /* transfer packet pointer from top-level context buffer to instance */
3358  c->c2.buf = m->top.c2.buf;
3359  }
3360  else
3361  {
3362  /* drop packet */
3363  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3364  buf_reset_len(&c->c2.buf);
3365  }
3366  }
3367 
3368  /* encrypt in instance context */
3370 
3371  /* postprocess and set wakeup */
3372  ret = multi_process_post(m, m->pending, mpp_flags);
3373 
3374  clear_prefix();
3375  }
3376  }
3377  }
3378  }
3379  gc_free(&gc);
3380  return ret;
3381 }
3382 
3383 /*
3384  * Process a possible client-to-client/bcast/mcast message in the
3385  * queue.
3386  */
3387 struct multi_instance *
3389 {
3390  struct mbuf_item item;
3391 
3392  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3393  {
3394  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3395 
3396  set_prefix(item.instance);
3397  item.instance->context.c2.buf = item.buffer->buf;
3398  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3399  {
3400  pip_flags |= PIP_MSSFIX;
3401  }
3402  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3403  encrypt_sign(&item.instance->context, true);
3404  mbuf_free_buf(item.buffer);
3405 
3406  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3407 
3408  clear_prefix();
3409  return item.instance;
3410  }
3411  else
3412  {
3413  return NULL;
3414  }
3415 }
3416 
3417 /*
3418  * Called when an I/O wait times out. Usually means that a particular
3419  * client instance object needs timer-based service.
3420  */
3421 bool
3422 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3423 {
3424  bool ret = true;
3425 
3426 #ifdef MULTI_DEBUG_EVENT_LOOP
3427  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3428 #endif
3429 
3430  /* instance marked for wakeup? */
3431  if (m->earliest_wakeup)
3432  {
3434  {
3437  }
3438  else
3439  {
3441  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3442  clear_prefix();
3443  }
3444  m->earliest_wakeup = NULL;
3445  }
3446  return ret;
3447 }
3448 
3449 /*
3450  * Drop a TUN/TAP outgoing packet..
3451  */
3452 void
3453 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3454 {
3455  struct multi_instance *mi = m->pending;
3456 
3457  ASSERT(mi);
3458 
3459  set_prefix(mi);
3460 
3461  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3462  mi->context.c2.to_tun.len);
3463 
3464  buf_reset(&mi->context.c2.to_tun);
3465 
3466  multi_process_post(m, mi, mpp_flags);
3467  clear_prefix();
3468 }
3469 
3470 /*
3471  * Per-client route quota management
3472  */
3473 
3474 void
3476 {
3477  struct gc_arena gc = gc_new();
3478  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3480  multi_instance_string(mi, false, &gc));
3481  gc_free(&gc);
3482 }
3483 
3484 #ifdef ENABLE_DEBUG
3485 /*
3486  * Flood clients with random packets
3487  */
3488 static void
3489 gremlin_flood_clients(struct multi_context *m)
3490 {
3491  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3492  if (level)
3493  {
3494  struct gc_arena gc = gc_new();
3495  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3496  struct packet_flood_parms parm = get_packet_flood_parms(level);
3497  int i;
3498 
3499  ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3500  parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3501 
3502  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3503  parm.n_packets,
3504  parm.packet_size);
3505 
3506  for (i = 0; i < parm.packet_size; ++i)
3507  {
3508  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3509  }
3510 
3511  for (i = 0; i < parm.n_packets; ++i)
3512  {
3513  multi_bcast(m, &buf, NULL, NULL, 0);
3514  }
3515 
3516  gc_free(&gc);
3517  }
3518 }
3519 #endif /* ifdef ENABLE_DEBUG */
3520 
3521 static bool
3523 {
3524  struct timeval null;
3525  CLEAR(null);
3527 }
3528 
3529 /*
3530  * Process timers in the top-level context
3531  */
3532 void
3534 {
3535  /* possibly reap instances/routes in vhash */
3536  multi_reap_process(m);
3537 
3538  /* possibly print to status log */
3539  if (m->top.c1.status_output)
3540  {
3542  {
3544  }
3545  }
3546 
3547  /* possibly flush ifconfig-pool file */
3548  multi_ifconfig_pool_persist(m, false);
3549 
3550 #ifdef ENABLE_DEBUG
3551  gremlin_flood_clients(m);
3552 #endif
3553 
3554  /* Should we check for stale routes? */
3556  {
3557  check_stale_routes(m);
3558  }
3559 }
3560 
3561 void
3562 multi_top_init(struct multi_context *m, struct context *top)
3563 {
3564  inherit_context_top(&m->top, top);
3565  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3566 }
3567 
3568 void
3570 {
3571  close_context(&m->top, -1, CC_GC_FREE);
3573 }
3574 
3575 static bool
3577 {
3578  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3579 }
3580 
3581 static void
3583 {
3584  struct hash_iterator hi;
3585  struct hash_element *he;
3586  struct timeval tv;
3587 
3588  /* tell all clients to restart */
3589  hash_iterator_init(m->iter, &hi);
3590  while ((he = hash_iterator_next(&hi)))
3591  {
3592  struct multi_instance *mi = (struct multi_instance *) he->value;
3593  if (!mi->halt)
3594  {
3595  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3597  }
3598  }
3599  hash_iterator_free(&hi);
3600 
3601  /* reschedule signal */
3603  tv.tv_sec = 2;
3604  tv.tv_usec = 0;
3606 
3608 
3613 
3614  m->top.sig->signal_received = 0;
3615 }
3616 
3617 /*
3618  * Return true if event loop should break,
3619  * false if it should continue.
3620  */
3621 bool
3623 {
3624  if (m->top.sig->signal_received == SIGUSR2)
3625  {
3626  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3628  status_close(so);
3629  m->top.sig->signal_received = 0;
3630  return false;
3631  }
3632  else if (proto_is_dgram(m->top.options.ce.proto)
3636  {
3638  return false;
3639  }
3640  return true;
3641 }
3642 
3643 /*
3644  * Called when an instance should be closed due to the
3645  * reception of a soft signal.
3646  */
3647 void
3649 {
3650  remap_signal(&mi->context);
3651  set_prefix(mi);
3652  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3653  clear_prefix();
3654  multi_close_instance(m, mi, false);
3655 }
3656 
3657 /*
3658  * Management subsystem callbacks
3659  */
3660 #ifdef ENABLE_MANAGEMENT
3661 
3662 static void
3663 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3664 {
3665  mi->context.sig->signal_received = sig;
3667 }
3668 
3669 static void
3670 management_callback_status(void *arg, const int version, struct status_output *so)
3671 {
3672  struct multi_context *m = (struct multi_context *) arg;
3673 
3674  if (!version)
3675  {
3677  }
3678  else
3679  {
3680  multi_print_status(m, so, version);
3681  }
3682 }
3683 
3684 static int
3686 {
3687  struct multi_context *m = (struct multi_context *) arg;
3688  return m->n_clients;
3689 }
3690 
3691 static int
3692 management_callback_kill_by_cn(void *arg, const char *del_cn)
3693 {
3694  struct multi_context *m = (struct multi_context *) arg;
3695  struct hash_iterator hi;
3696  struct hash_element *he;
3697  int count = 0;
3698 
3699  hash_iterator_init(m->iter, &hi);
3700  while ((he = hash_iterator_next(&hi)))
3701  {
3702  struct multi_instance *mi = (struct multi_instance *) he->value;
3703  if (!mi->halt)
3704  {
3705  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3706  if (cn && !strcmp(cn, del_cn))
3707  {
3709  ++count;
3710  }
3711  }
3712  }
3713  hash_iterator_free(&hi);
3714  return count;
3715 }
3716 
3717 static int
3718 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3719 {
3720  struct multi_context *m = (struct multi_context *) arg;
3721  struct hash_iterator hi;
3722  struct hash_element *he;
3723  struct openvpn_sockaddr saddr;
3724  struct mroute_addr maddr;
3725  int count = 0;
3726 
3727  CLEAR(saddr);
3728  saddr.addr.in4.sin_family = AF_INET;
3729  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3730  saddr.addr.in4.sin_port = htons(port);
3731  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3732  {
3733  hash_iterator_init(m->iter, &hi);
3734  while ((he = hash_iterator_next(&hi)))
3735  {
3736  struct multi_instance *mi = (struct multi_instance *) he->value;
3737  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3738  {
3740  ++count;
3741  }
3742  }
3743  hash_iterator_free(&hi);
3744  }
3745  return count;
3746 }
3747 
3748 static void
3750 {
3751  struct multi_context *m = (struct multi_context *) arg;
3752  if (m->mtcp)
3753  {
3754  multi_tcp_delete_event(m->mtcp, event);
3755  }
3756 }
3757 
3758 #endif /* ifdef ENABLE_MANAGEMENT */
3759 
3760 #ifdef ENABLE_MANAGEMENT
3761 
3762 static struct multi_instance *
3763 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3764 {
3765  if (m)
3766  {
3767  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3768  if (mi && !mi->halt)
3769  {
3770  return mi;
3771  }
3772  }
3773  return NULL;
3774 }
3775 
3776 static bool
3777 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3778 {
3779  struct multi_context *m = (struct multi_context *) arg;
3780  struct multi_instance *mi = lookup_by_cid(m, cid);
3781  if (mi)
3782  {
3783  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3785  return true;
3786  }
3787  else
3788  {
3789  return false;
3790  }
3791 }
3792 
3793 static bool
3795  const unsigned long cid,
3796  const char *extra,
3797  unsigned int timeout)
3798 {
3799  struct multi_context *m = (struct multi_context *) arg;
3800  struct multi_instance *mi = lookup_by_cid(m, cid);
3801  if (mi)
3802  {
3803  /* sends INFO_PRE and AUTH_PENDING messages to client */
3804  bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra,
3805  timeout);
3808  return ret;
3809  }
3810  return false;
3811 }
3812 
3813 
3814 static bool
3816  const unsigned long cid,
3817  const unsigned int mda_key_id,
3818  const bool auth,
3819  const char *reason,
3820  const char *client_reason,
3821  struct buffer_list *cc_config) /* ownership transferred */
3822 {
3823  struct multi_context *m = (struct multi_context *) arg;
3824  struct multi_instance *mi = lookup_by_cid(m, cid);
3825  bool cc_config_owned = true;
3826  bool ret = false;
3827 
3828  if (mi)
3829  {
3830  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3831  if (ret)
3832  {
3833  if (auth)
3834  {
3836  {
3837  set_cc_config(mi, cc_config);
3838  cc_config_owned = false;
3839  }
3840  }
3841  else if (reason)
3842  {
3843  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3844  }
3845  }
3846  }
3847  if (cc_config_owned && cc_config)
3848  {
3850  }
3851  return ret;
3852 }
3853 
3854 static char *
3855 management_get_peer_info(void *arg, const unsigned long cid)
3856 {
3857  struct multi_context *m = (struct multi_context *) arg;
3858  struct multi_instance *mi = lookup_by_cid(m, cid);
3859  char *ret = NULL;
3860 
3861  if (mi)
3862  {
3863  ret = mi->context.c2.tls_multi->peer_info;
3864  }
3865 
3866  return ret;
3867 }
3868 
3869 #endif /* ifdef ENABLE_MANAGEMENT */
3870 
3871 
3872 void
3874 {
3875 #ifdef ENABLE_MANAGEMENT
3876  if (management)
3877  {
3878  struct management_callback cb;
3879  CLEAR(cb);
3880  cb.arg = m;
3881  cb.flags = MCF_SERVER;
3893  }
3894 #endif /* ifdef ENABLE_MANAGEMENT */
3895 }
3896 
3897 void
3899 {
3900  /* max_clients must be less then max peer-id value */
3902 
3903  for (int i = 0; i < m->max_clients; ++i)
3904  {
3905  if (!m->instances[i])
3906  {
3907  mi->context.c2.tls_multi->peer_id = i;
3908  m->instances[i] = mi;
3909  break;
3910  }
3911  }
3912 
3913  /* should not really end up here, since multi_create_instance returns null
3914  * if amount of clients exceeds max_clients */
3916 }
3917 
3918 
3919 /*
3920  * Top level event loop.
3921  */
3922 void
3924 {
3925  ASSERT(top->options.mode == MODE_SERVER);
3926 
3927  if (proto_is_dgram(top->options.ce.proto))
3928  {
3929  tunnel_server_udp(top);
3930  }
3931  else
3932  {
3933  tunnel_server_tcp(top);
3934  }
3935 }
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:473
multi_reap::buckets_per_pass
int buckets_per_pass
Definition: multi.h:53
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2289
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2022
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition: perf.h:48
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:403
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1240
multi_context::n_clients
int n_clients
Definition: multi.h:178
options::vlan_tagging
bool vlan_tagging
Definition: options.h:673
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:113
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: openvpn-plugin.h:126
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
signal_info::signal_received
volatile int signal_received
Definition: sig.h:45
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
status_trigger
bool status_trigger(struct status_output *so)
Definition: status.c:135
iroute
Definition: route.h:234
multi_instance::halt
bool halt
Definition: multi.h:103
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2455
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition: openvpn-plugin.h:125
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition: ssl_common.h:529
M_INFO
#define M_INFO
Definition: errlevel.h:55
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
SIGUSR2
#define SIGUSR2
Definition: config-msvc.h:81
options::use_peer_id
bool use_peer_id
Definition: options.h:664
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3763
multi_context::route_helper
struct mroute_helper * route_helper
Definition: multi.h:171
M_OPTERR
#define M_OPTERR
Definition: error.h:106
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition: multi.h:286
options::client_connect_script
const char * client_connect_script
Definition: options.h:474
CC_RET_FAILED
@ CC_RET_FAILED
Definition: multi.h:215
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:446
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:481
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:538
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:285
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition: multi.h:200
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:998
run_command.h
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:174
M_ERRNO
#define M_ERRNO
Definition: error.h:100
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:78
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:991
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:139
context_2::to_link
struct buffer to_link
Definition: openvpn.h:373
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:319
multi_context::reaper
struct multi_reap * reaper
Definition: multi.h:172
forward.h
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition: multi.h:121
plugin_return
Definition: plugin.h:101
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition: openvpn-plugin.h:130
gremlin.h
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3522
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition: multi.h:216
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5252
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: multi.c:3794
context_2::buf
struct buffer buf
Definition: openvpn.h:371
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition: multi.h:176
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:230
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:517
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1676
hash_iterator
Definition: list.h:90
tunnel_server_udp
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:427
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
options::enable_c2c
bool enable_c2c
Definition: options.h:497
options::duplicate_cn
bool duplicate_cn
Definition: options.h:498
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1609
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:374
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:178
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:657
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:416
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:271
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1708
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:196
context
Contains all state information for one tunnel.
Definition: openvpn.h:467
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:488
hash
Definition: list.h:58
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:635
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:106
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition: multi.h:62
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1394
options::topology
int topology
Definition: options.h:294
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:157
mbuf_set
Definition: mbuf.h:56
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:164
options::dev_type
const char * dev_type
Definition: options.h:291
get_random
long int get_random(void)
Definition: crypto.c:1632
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:111
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:429
multi_instance::gc
struct gc_arena gc
Definition: multi.h:102
options::iroutes
struct iroute * iroutes
Definition: options.h:482
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:523
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:496
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3388
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
multi_instance::wakeup
struct timeval wakeup
Definition: multi.h:110
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
context_2::es
struct env_set * es
Definition: openvpn.h:414
config-msvc.h
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2117
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:233
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:422
vlan.h
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1003
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:689
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:283
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:85
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:424
options::mode
int mode
Definition: options.h:243
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2844
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1724
hash_element::value
void * value
Definition: list.h:47
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition: ssl_common.h:528
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:668
pre_select
void pre_select(struct context *c)
Definition: forward.c:1792
frame::buf
struct frame::@5 buf
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:144
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:493
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:223
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1444
dmsg
#define dmsg(flags,...)
Definition: error.h:154
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1207
options::ce
struct connection_entry ce
Definition: options.h:271
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:74
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
openvpn_sockaddr
Definition: socket.h:64
iroute::netbits
int netbits
Definition: route.h:236
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition: socket.h:397
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:480
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:363
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3648
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:468
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2774
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1553
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3198
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:582
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition: multi.h:87
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:163
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:247
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:149
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:79
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:156
multi_context::schedule
struct schedule * schedule
Definition: multi.h:163
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:363
context_2::link_socket_info
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
MODE_SERVER
#define MODE_SERVER
Definition: options.h:242
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1888
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
client_connect_defer_state
Detached client connection state.
Definition: multi.h:69
frame
Packet geometry parameters.
Definition: mtu.h:93
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
multi_route::addr
struct mroute_addr addr
Definition: multi.h:226
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:550
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
multi_route::last_reference
time_t last_reference
Definition: multi.h:234
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:539
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:295
multi_reap::last_call
time_t last_call
Definition: multi.h:54
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:531
mroute_helper::net_len
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3475
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3741
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:233
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3533
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2793
multi_context::enable_c2c
bool enable_c2c
Definition: multi.h:174
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:544
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:188
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1685
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:421
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:269
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition: ssl_common.h:527
multi_route::instance
struct multi_instance * instance
Definition: multi.h:227
setenv_stats
static void setenv_stats(struct context *c)
Definition: multi.c:537
iroute::next
struct iroute * next
Definition: route.h:237
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3663
np
static const char * np(const char *str)
Definition: multi-auth.c:146
multi_context::max_clients
int max_clients
Definition: multi.h:175
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:170
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition: pool.h:37
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:561
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2214
CLEAR
#define CLEAR(x)
Definition: basic.h:33
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:82
multi_context::cid_counter
unsigned long cid_counter
Definition: multi.h:182
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:572
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:156
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:207
clear_prefix
static void clear_prefix(void)
Definition: multi.h:535
iroute::network
in_addr_t network
Definition: route.h:235
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:470
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:508
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:542
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:431
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:763
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:526
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:493
options::max_clients
int max_clients
Definition: options.h:501
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:662
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:3863
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:153
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:630
ssl_verify.h
options::dev
const char * dev
Definition: options.h:290
ASSERT
#define ASSERT(x)
Definition: error.h:201
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition: ssl_common.h:526
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:433
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:175
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2864
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
read
@ read
Definition: interactive.c:214
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:522
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:178
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1089
multi_init
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:292
multi_instance::cc_config
struct buffer_list * cc_config
Definition: multi.h:128
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:191
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:91
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3777
context::gc
struct gc_arena gc
Garbage collection arena for allocations done in the scope of this context structure.
Definition: openvpn.h:486
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:225
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:139
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:527
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2548
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:221
multi_context::status_file_version
int status_file_version
Definition: multi.h:177
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2581
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
BLEN
#define BLEN(buf)
Definition: buffer.h:127
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:238
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:3898
status_reset
void status_reset(struct status_output *so)
Definition: status.c:150
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:298
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:540
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:492
tunnel_server_tcp
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:776
multi_context::local
struct mroute_addr local
Definition: multi.h:173
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2910
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:284
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:294
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1028
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1862
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:697
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3422
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:97
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:255
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3923
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:586
ANY_OUT
#define ANY_OUT(c)
Definition: forward.h:40
hash_element::key
const void * key
Definition: list.h:48
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:473
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:69
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2279
options::data_channel_crypto_flags
unsigned int data_channel_crypto_flags
Definition: options.h:684
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:505
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:168
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1090
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1002
multi_context::cid_hash
struct hash * cid_hash
Definition: multi.h:181
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:51
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:339
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3582
M_WARN
#define M_WARN
Definition: error.h:97
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
plugin_return::n
int n
Definition: plugin.h:103
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:484
perf_pop
static void perf_pop(void)
Definition: perf.h:82
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:464
MF_UNICAST
#define MF_UNICAST
Definition: mbuf.h:46
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
D_GREMLIN
#define D_GREMLIN
Definition: errlevel.h:78
mroute_addr::port
in_port_t port
Definition: mroute.h:89
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:469
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition: multi.h:187
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2185
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:488
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
D_MULTI_LOW
#define D_MULTI_LOW
Definition: errlevel.h:86
options
Definition: options.h:232
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:426
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2866
options::gc
struct gc_arena gc
Definition: options.h:234
throw_signal
void throw_signal(const int signum)
Definition: sig.c:104
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:702
mroute_helper::cache_generation
unsigned int cache_generation
Definition: mroute.h:132
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5272
multi.h
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:208
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:156
pool_type
pool_type
Definition: pool.h:35
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition: multi.h:122
status_output
Definition: status.h:48
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
mbuf_item::instance
struct multi_instance * instance
Definition: mbuf.h:53
management_callback::arg
void * arg
Definition: manage.h:154
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:473
multi_instance::did_cid_hash
bool did_cid_hash
Definition: multi.h:127
multi_reap
Definition: multi.h:50
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:464
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1413
multi_context::pending
struct multi_instance * pending
Definition: multi.h:185
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:430
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:254
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:494
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:214
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2913
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:737
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:503
mbuf_buffer::buf
struct buffer buf
Definition: mbuf.h:43
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:266
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:158
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:603
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:736
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:61
argv::gc
struct gc_arena gc
Definition: argv.h:36
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition: multi.h:186
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:176
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition: pool.h:38
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1128
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:495
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:235
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition: multi.h:113
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:293
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1219
multi_route::flags
unsigned int flags
Definition: multi.h:231
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2844
options::status_file_version
int status_file_version
Definition: options.h:375
mbuf_item
Definition: mbuf.h:50
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:114
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:156
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:350
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:678
mroute_addr::vid
uint16_t vid
Definition: mroute.h:85
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1364
REAP_MAX
#define REAP_MAX
Definition: multi.h:555
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:439
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
context_2::timeval
struct timeval timeval
Definition: openvpn.h:390
status_close
bool status_close(struct status_output *so)
Definition: status.c:190
context_2::frame
struct frame frame
Definition: openvpn.h:248
context_2::link_socket
struct link_socket * link_socket
Definition: openvpn.h:237
mroute_addr
Definition: mroute.h:75
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2302
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:533
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3291
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2899
syshead.h
SIGTERM
#define SIGTERM
Definition: config-msvc.h:82
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:175
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:67
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4309
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
schedule_entry
Definition: schedule.h:44
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:159
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3692
options::client_config_dir
const char * client_config_dir
Definition: options.h:477
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:80
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:494
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:378
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
mbuf_buffer
Definition: mbuf.h:41
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:587
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:675
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition: multi.c:1921
mbuf_buffer::flags
unsigned int flags
Definition: mbuf.h:47
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:308
route
@ route
Definition: interactive.c:90
multi_route
Definition: multi.h:224
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2171
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
env_set
Definition: env_set.h:42
multi_instance::did_iter
bool did_iter
Definition: multi.h:125
status_flush
void status_flush(struct status_output *so)
Definition: status.c:159
register_signal
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:448
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:242
multi_tcp_free
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:222
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:262
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:2986
plugin_list
Definition: plugin.h:94
multi_context
Main OpenVPN server state structure.
Definition: multi.h:152
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4384
counter_format
#define counter_format
Definition: common.h:31
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3223
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3873
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3562
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:292
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:44
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:231
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:627
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:987
SIGINT
#define SIGINT
Definition: config-msvc.h:79
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2551
hash_free
void hash_free(struct hash *hash)
Definition: list.c:65
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:213
SIGHUP
#define SIGHUP
Definition: config-msvc.h:78
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:456
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:463
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:3815
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:392
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:242
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition: multi.h:72
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3749
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:213
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition: errlevel.h:101
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:430
tuntap::local
in_addr_t local
Definition: tun.h:172
schedule_init
struct schedule * schedule_init(void)
Definition: schedule.c:414
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:447
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:372
IS_SIG
#define IS_SIG(c)
Definition: sig.h:50
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:160
multi_tcp_init
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:194
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:461
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition: openvpn-plugin.h:124
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:511
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:243
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition: multi.h:75
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:253
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:78
otime.h
is_exit_restart
static bool is_exit_restart(int sig)
Definition: multi.c:3576
iroute_ipv6
Definition: route.h:240
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:3855
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3453
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:835
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:425
REAP_DIVISOR
#define REAP_DIVISOR
Definition: multi.h:553
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2763
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:486
management
Definition: manage.h:312
mroute_helper
Definition: mroute.h:131
hash_element
Definition: list.h:45
min_int
static int min_int(int x, int y)
Definition: integer.h:82
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1035
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1006
mroute_addr::type
uint8_t type
Definition: mroute.h:78
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition: multi.h:218
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1641
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:164
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:1971
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:371
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:173
REAP_MIN
#define REAP_MIN
Definition: multi.h:554
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:208
multi_route::cache_generation
unsigned int cache_generation
Definition: multi.h:233
options::cf_per
int cf_per
Definition: options.h:500
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3718
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2419
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition: mroute.h:70
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:145
rw_handle
Definition: win32.h:76
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1755
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:470
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:463
hash_bucket
Definition: list.h:53
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:489
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:502
multi_reap::bucket_base
int bucket_base
Definition: multi.h:52
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1033
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition: multi.h:229
now
time_t now
Definition: otime.c:36
multi_instance::did_iroutes
bool did_iroutes
Definition: multi.h:130
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:106
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:557
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:148
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:180
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition: ssl_common.h:530
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:462
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:11
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2753
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
ssl_ncp.h
connection_entry::fragment
int fragment
Definition: options.h:130
context_2::from
struct link_socket_actual from
Definition: openvpn.h:245
time_string
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:110
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition: multi.h:480
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:192
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1183
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3087
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition: ssl_common.h:629
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:626
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:135
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition: mbuf.h:52
connection_entry::proto
int proto
Definition: options.h:101
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:163
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2645
multi_context::mtcp
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:167
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:469
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:386
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2923
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
options::real_hash_size
int real_hash_size
Definition: options.h:472
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:475
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:504
hash_n_buckets
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
session
Definition: keyingmaterialexporter.c:56
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:851
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:428
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:919
options::tmp_dir
const char * tmp_dir
Definition: options.h:439
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:323
options::cf_max
int cf_max
Definition: options.h:499
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:483
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:95
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:154
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:366
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition: multi.h:217
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:487
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:489
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition: errlevel.h:102
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:255
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3670
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition: multi.c:3685
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:169
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:485
memdbg.h
options::learn_address_script
const char * learn_address_script
Definition: options.h:476
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:41
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
process_incoming_tun
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1250
management_callback
Definition: manage.h:152
options::ciphername
const char * ciphername
Definition: options.h:537
multi_top_free
void multi_top_free(struct multi_context *m)
Definition: multi.c:3569
update_mstat_n_clients
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:82
mroute_addr::v6
struct mroute_addr::@0::@3 v6
title_string
const char title_string[]
Definition: options.c:68
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:359
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:1995
buffer_list
Definition: buffer.h:1093
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:188
openvpn_sockaddr::addr
union openvpn_sockaddr::@11 addr
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:148
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:213
M_USAGE
#define M_USAGE
Definition: error.h:112
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:600
OPENVPN_PLUGIN_CLIENT_CONNECT
#define OPENVPN_PLUGIN_CLIENT_CONNECT
Definition: openvpn-plugin.h:123
msg
#define msg(flags,...)
Definition: error.h:150
multi_process_float
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3010
PIPV6_IMCP_NOHOST_SERVER
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:300
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
multi_add_iroutes
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1277
buffer_entry
Definition: buffer.h:1087
multi_instance::did_real_hash
bool did_real_hash
Definition: multi.h:124
crypto_backend.h
hash_iterator_init_range
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:225
vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268
perf_push
static void perf_push(int type)
Definition: perf.h:78
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
multi_process_signal
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3622
multi_print_status
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:826
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133
multi_client_connect_source_ccd
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2489
buffer_list::head
struct buffer_entry * head
Definition: buffer.h:1095
multi_delete_dup
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1326
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition: errlevel.h:124
schedule_free
void schedule_free(struct schedule *s)
Definition: schedule.c:423
setenv_in_addr_t
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:2973
mroute_extract_in_addr_t
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:239
multi_instance::n_clients_delta
int n_clients_delta
Definition: multi.h:131
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:103
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:490
mroute_helper::n_net_len
int n_net_len
Definition: mroute.h:134
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:230
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:507
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:114
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4434
mroute_addr_equal
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:208
management_callback::n_clients
int(* n_clients)(void *arg)
Definition: manage.h:164
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition: push.c:855
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
Definition: openvpn-plugin.h:131
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:346
multi_reap_process
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:568