OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #include "forward.h"
38 #include "multi.h"
39 #include "push.h"
40 #include "run_command.h"
41 #include "otime.h"
42 #include "gremlin.h"
43 #include "mstats.h"
44 #include "ssl_verify.h"
45 #include "ssl_ncp.h"
46 #include "vlan.h"
47 #include <inttypes.h>
48 
49 #include "memdbg.h"
50 
51 
52 #include "crypto_backend.h"
53 #include "ssl_util.h"
54 
55 /*#define MULTI_DEBUG_EVENT_LOOP*/
56 
57 #ifdef MULTI_DEBUG_EVENT_LOOP
58 static const char *
59 id(struct multi_instance *mi)
60 {
61  if (mi)
62  {
63  return tls_common_name(mi->context.c2.tls_multi, false);
64  }
65  else
66  {
67  return "NULL";
68  }
69 }
70 #endif
71 
72 #ifdef ENABLE_MANAGEMENT
73 static void
75 {
77  mi->cc_config = cc_config;
78 }
79 #endif
80 
81 static inline void
82 update_mstat_n_clients(const int n_clients)
83 {
84 #ifdef ENABLE_MEMSTATS
85  if (mmap_stats)
86  {
87  mmap_stats->n_clients = n_clients;
88  }
89 #endif
90 }
91 
92 static bool
94  const struct multi_instance *mi,
95  const char *op,
96  const struct mroute_addr *addr)
97 {
98  struct gc_arena gc = gc_new();
99  struct env_set *es;
100  bool ret = true;
101  struct plugin_list *plugins;
102 
103  /* get environmental variable source */
104  if (mi && mi->context.c2.es)
105  {
106  es = mi->context.c2.es;
107  }
108  else
109  {
110  es = env_set_create(&gc);
111  }
112 
113  /* get plugin source */
114  if (mi)
115  {
116  plugins = mi->context.plugins;
117  }
118  else
119  {
120  plugins = m->top.plugins;
121  }
122 
124  {
125  struct argv argv = argv_new();
126  argv_printf(&argv, "%s %s",
127  op,
128  mroute_addr_print(addr, &gc));
129  if (mi)
130  {
131  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
132  }
133  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
134  {
135  msg(M_WARN, "WARNING: learn-address plugin call failed");
136  ret = false;
137  }
138  argv_free(&argv);
139  }
140 
142  {
143  struct argv argv = argv_new();
144  setenv_str(es, "script_type", "learn-address");
146  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
147  if (mi)
148  {
149  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
150  }
151  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
152  {
153  ret = false;
154  }
155  argv_free(&argv);
156  }
157 
158  gc_free(&gc);
159  return ret;
160 }
161 
162 void
164 {
165  /* write pool data to file */
166  if (m->ifconfig_pool
169  {
171  }
172 }
173 
174 static void
176  int start_bucket,
177  int end_bucket)
178 {
179  struct gc_arena gc = gc_new();
180  struct hash_iterator hi;
181  struct hash_element *he;
182 
183  if (start_bucket < 0)
184  {
185  start_bucket = 0;
186  end_bucket = hash_n_buckets(m->vhash);
187  }
188 
189  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
190  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
191  while ((he = hash_iterator_next(&hi)) != NULL)
192  {
193  struct multi_route *r = (struct multi_route *) he->value;
194  if (!multi_route_defined(m, r))
195  {
196  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
197  mroute_addr_print(&r->addr, &gc));
198  learn_address_script(m, NULL, "delete", &r->addr);
199  multi_route_del(r);
201  }
202  }
203  hash_iterator_free(&hi);
204  gc_free(&gc);
205 }
206 
207 static void
209 {
210  multi_reap_range(m, -1, 0);
211 }
212 
213 static struct multi_reap *
215 {
216  struct multi_reap *mr;
217  ALLOC_OBJ(mr, struct multi_reap);
218  mr->bucket_base = 0;
220  mr->last_call = now;
221  return mr;
222 }
223 
224 void
226 {
227  struct multi_reap *mr = m->reaper;
228  if (mr->bucket_base >= hash_n_buckets(m->vhash))
229  {
230  mr->bucket_base = 0;
231  }
233  mr->bucket_base += mr->buckets_per_pass;
234  mr->last_call = now;
235 }
236 
237 static void
239 {
240  free(mr);
241 }
242 
243 /*
244  * How many buckets in vhash to reap per pass.
245  */
246 static int
247 reap_buckets_per_pass(int n_buckets)
248 {
249  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
250 }
251 
252 #ifdef ENABLE_MANAGEMENT
253 
254 static uint32_t
255 cid_hash_function(const void *key, uint32_t iv)
256 {
257  const unsigned long *k = (const unsigned long *)key;
258  return (uint32_t) *k;
259 }
260 
261 static bool
262 cid_compare_function(const void *key1, const void *key2)
263 {
264  const unsigned long *k1 = (const unsigned long *)key1;
265  const unsigned long *k2 = (const unsigned long *)key2;
266  return *k1 == *k2;
267 }
268 
269 #endif
270 
271 #ifdef ENABLE_ASYNC_PUSH
272 static uint32_t
273 /*
274  * inotify watcher descriptors are used as hash value
275  */
276 int_hash_function(const void *key, uint32_t iv)
277 {
278  return (unsigned long)key;
279 }
280 
281 static bool
282 int_compare_function(const void *key1, const void *key2)
283 {
284  return (unsigned long)key1 == (unsigned long)key2;
285 }
286 #endif
287 
288 /*
289  * Main initialization function, init multi_context object.
290  */
291 void
292 multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
293 {
294  int dev = DEV_TYPE_UNDEF;
295 
296  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299 
300  /*
301  * Get tun/tap/null device type
302  */
303  dev = dev_type_enum(t->options.dev, t->options.dev_type);
304 
305  /*
306  * Init our multi_context object.
307  */
308  CLEAR(*m);
309 
310  /*
311  * Real address hash table (source port number is
312  * considered to be part of the address). Used
313  * to determine which client sent an incoming packet
314  * which is seen on the TCP/UDP socket.
315  */
317  get_random(),
320 
321  /*
322  * Virtual address hash table. Used to determine
323  * which client to route a packet to.
324  */
326  get_random(),
329 
330  /*
331  * This hash table is a clone of m->hash but with a
332  * bucket size of one so that it can be used
333  * for fast iteration through the list.
334  */
335  m->iter = hash_init(1,
336  get_random(),
339 
340 #ifdef ENABLE_MANAGEMENT
342  0,
345 #endif
346 
347 #ifdef ENABLE_ASYNC_PUSH
348  /*
349  * Mapping between inotify watch descriptors and
350  * multi_instances.
351  */
352  m->inotify_watchers = hash_init(t->options.real_hash_size,
353  get_random(),
354  int_hash_function,
355  int_compare_function);
356 #endif
357 
358  /*
359  * This is our scheduler, for time-based wakeup
360  * events.
361  */
362  m->schedule = schedule_init();
363 
364  /*
365  * Limit frequency of incoming connections to control
366  * DoS.
367  */
369  t->options.cf_per);
370 
371  /*
372  * Allocate broadcast/multicast buffer list
373  */
375 
376  /*
377  * Different status file format options are available
378  */
380 
381  /*
382  * Possibly allocate an ifconfig pool, do it
383  * differently based on whether a tun or tap style
384  * tunnel.
385  */
388  {
390 
391  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
392  {
393  pool_type = IFCONFIG_POOL_30NET;
394  }
395 
397  pool_type,
404 
405  /* reload pool data from file */
406  if (t->c1.ifconfig_pool_persist)
407  {
409  }
410  }
411 
412  /*
413  * Help us keep track of routing table.
414  */
416 
417  /*
418  * Initialize route and instance reaper.
419  */
421 
422  /*
423  * Get local ifconfig address
424  */
425  CLEAR(m->local);
426  ASSERT(t->c1.tuntap);
428 
429  /*
430  * Per-client limits
431  */
433 
434  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
435 
436  /*
437  * Initialize multi-socket TCP I/O wait object
438  */
439  if (tcp_mode)
440  {
442  }
444 
445  /*
446  * Allow client <-> client communication, without going through
447  * tun/tap interface and network stack?
448  */
449  m->enable_c2c = t->options.enable_c2c;
450 
451  /* initialize stale routes check timer */
453  {
454  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
457  }
458 
460 }
461 
462 const char *
463 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
464 {
465  if (mi)
466  {
467  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
468  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
469 
470  if (cn)
471  {
472  buf_printf(&out, "%s/", cn);
473  }
474  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
475  return BSTR(&out);
476  }
477  else if (null)
478  {
479  return NULL;
480  }
481  else
482  {
483  return "UNDEF";
484  }
485 }
486 
487 static void
489 {
490  struct gc_arena gc = gc_new();
491  const char *prefix = multi_instance_string(mi, true, &gc);
492  if (prefix)
493  {
494  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
495  }
496  else
497  {
498  mi->msg_prefix[0] = '\0';
499  }
500  set_prefix(mi);
501  gc_free(&gc);
502 }
503 
504 void
506 {
507  mi->msg_prefix[0] = '\0';
508  set_prefix(mi);
509 }
510 
511 /*
512  * Tell the route helper about deleted iroutes so
513  * that it can update its mask of currently used
514  * CIDR netlengths.
515  */
516 static void
518  struct multi_instance *mi)
519 {
520  const struct iroute *ir;
521  const struct iroute_ipv6 *ir6;
523  {
524  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
525  {
527  }
528 
529  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
530  {
532  }
533  }
534 }
535 
536 static void
538 {
539  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
540  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
541 }
542 
543 static void
545 {
546  /* setenv client real IP address */
548 
549  /* setenv stats */
550  setenv_stats(&mi->context);
551 
552  /* setenv connection duration */
553  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
554 }
555 
556 static void
558 {
560 
562  {
564  {
565  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
566  }
567  }
568 
570  {
571  struct argv argv = argv_new();
572  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
574  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
575  argv_free(&argv);
576  }
577 #ifdef ENABLE_MANAGEMENT
578  if (management)
579  {
581  }
582 #endif
583 }
584 
585 void
587  struct multi_instance *mi,
588  bool shutdown)
589 {
591 
592  ASSERT(!mi->halt);
593  mi->halt = true;
594 
595  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
596 
597  /* adjust current client connection count */
598  m->n_clients += mi->n_clients_delta;
600  mi->n_clients_delta = 0;
601 
602  /* prevent dangling pointers */
603  if (m->pending == mi)
604  {
605  multi_set_pending(m, NULL);
606  }
607  if (m->earliest_wakeup == mi)
608  {
609  m->earliest_wakeup = NULL;
610  }
611 
612  if (!shutdown)
613  {
614  if (mi->did_real_hash)
615  {
616  ASSERT(hash_remove(m->hash, &mi->real));
617  }
618  if (mi->did_iter)
619  {
620  ASSERT(hash_remove(m->iter, &mi->real));
621  }
622 #ifdef ENABLE_MANAGEMENT
623  if (mi->did_cid_hash)
624  {
626  }
627 #endif
628 
629 #ifdef ENABLE_ASYNC_PUSH
630  if (mi->inotify_watch != -1)
631  {
632  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
633  mi->inotify_watch = -1;
634  }
635 #endif
636 
637  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
638  {
639  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
640  }
641 
642  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
643 
644  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
645 
646  if (mi->did_iroutes)
647  {
648  multi_del_iroutes(m, mi);
649  mi->did_iroutes = false;
650  }
651 
652  if (m->mtcp)
653  {
655  }
656 
658  }
659 
660 #ifdef ENABLE_MANAGEMENT
661  set_cc_config(mi, NULL);
662 #endif
663 
665  {
667  }
668 
670 
672 
673  ungenerate_prefix(mi);
674 
675  /*
676  * Don't actually delete the instance memory allocation yet,
677  * because virtual routes may still point to it. Let the
678  * vhash reaper deal with it.
679  */
681 
682  perf_pop();
683 }
684 
685 /*
686  * Called on shutdown or restart.
687  */
688 void
690 {
691  if (m->hash)
692  {
693  struct hash_iterator hi;
694  struct hash_element *he;
695 
696  hash_iterator_init(m->iter, &hi);
697  while ((he = hash_iterator_next(&hi)))
698  {
699  struct multi_instance *mi = (struct multi_instance *) he->value;
700  mi->did_iter = false;
701  multi_close_instance(m, mi, true);
702  }
703  hash_iterator_free(&hi);
704 
705  multi_reap_all(m);
706 
707  hash_free(m->hash);
708  hash_free(m->vhash);
709  hash_free(m->iter);
710 #ifdef ENABLE_MANAGEMENT
711  hash_free(m->cid_hash);
712 #endif
713  m->hash = NULL;
714 
715  free(m->instances);
716 
717 #ifdef ENABLE_ASYNC_PUSH
718  hash_free(m->inotify_watchers);
719  m->inotify_watchers = NULL;
720 #endif
721 
723  mbuf_free(m->mbuf);
728  multi_tcp_free(m->mtcp);
729  }
730 }
731 
732 /*
733  * Create a client instance object for a newly connected client.
734  */
735 struct multi_instance *
737 {
738  struct gc_arena gc = gc_new();
739  struct multi_instance *mi;
740 
742 
743  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
744 
745  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
746 
747  mi->gc = gc_new();
749  mi->vaddr_handle = -1;
750  mi->created = now;
751  mroute_addr_init(&mi->real);
752 
753  if (real)
754  {
755  mi->real = *real;
756  generate_prefix(mi);
757  }
758 
759  inherit_context_child(&mi->context, &m->top);
760  if (IS_SIG(&mi->context))
761  {
762  goto err;
763  }
764 
766 
767  if (hash_n_elements(m->hash) >= m->max_clients)
768  {
769  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
770  goto err;
771  }
772 
773  if (!real) /* TCP mode? */
774  {
776  {
777  goto err;
778  }
779  generate_prefix(mi);
780  }
781 
782  if (!hash_add(m->iter, &mi->real, mi, false))
783  {
784  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
785  mroute_addr_print(&mi->real, &gc));
786  goto err;
787  }
788  mi->did_iter = true;
789 
790 #ifdef ENABLE_MANAGEMENT
791  do
792  {
793  mi->context.c2.mda_context.cid = m->cid_counter++;
794  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
795  mi->did_cid_hash = true;
796 #endif
797 
798  mi->context.c2.push_request_received = false;
799 #ifdef ENABLE_ASYNC_PUSH
800  mi->inotify_watch = -1;
801 #endif
802 
803  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
804  {
805  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
806  goto err;
807  }
808 
809  perf_pop();
810  gc_free(&gc);
811  return mi;
812 
813 err:
814  multi_close_instance(m, mi, false);
815  perf_pop();
816  gc_free(&gc);
817  return NULL;
818 }
819 
820 /*
821  * Dump tables -- triggered by SIGUSR2.
822  * If status file is defined, write to file.
823  * If status file is NULL, write to syslog.
824  */
825 void
826 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
827 {
828  if (m->hash)
829  {
830  struct gc_arena gc_top = gc_new();
831  struct hash_iterator hi;
832  const struct hash_element *he;
833 
834  status_reset(so);
835 
836  if (version == 1) /* WAS: m->status_file_version */
837  {
838  /*
839  * Status file version 1
840  */
841  status_printf(so, "OpenVPN CLIENT LIST");
842  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
843  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
844  hash_iterator_init(m->hash, &hi);
845  while ((he = hash_iterator_next(&hi)))
846  {
847  struct gc_arena gc = gc_new();
848  const struct multi_instance *mi = (struct multi_instance *) he->value;
849 
850  if (!mi->halt)
851  {
852  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
853  tls_common_name(mi->context.c2.tls_multi, false),
854  mroute_addr_print(&mi->real, &gc),
857  time_string(mi->created, 0, false, &gc));
858  }
859  gc_free(&gc);
860  }
861  hash_iterator_free(&hi);
862 
863  status_printf(so, "ROUTING TABLE");
864  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
865  hash_iterator_init(m->vhash, &hi);
866  while ((he = hash_iterator_next(&hi)))
867  {
868  struct gc_arena gc = gc_new();
869  const struct multi_route *route = (struct multi_route *) he->value;
870 
871  if (multi_route_defined(m, route))
872  {
873  const struct multi_instance *mi = route->instance;
874  const struct mroute_addr *ma = &route->addr;
875  char flags[2] = {0, 0};
876 
877  if (route->flags & MULTI_ROUTE_CACHE)
878  {
879  flags[0] = 'C';
880  }
881  status_printf(so, "%s%s,%s,%s,%s",
882  mroute_addr_print(ma, &gc),
883  flags,
884  tls_common_name(mi->context.c2.tls_multi, false),
885  mroute_addr_print(&mi->real, &gc),
886  time_string(route->last_reference, 0, false, &gc));
887  }
888  gc_free(&gc);
889  }
890  hash_iterator_free(&hi);
891 
892  status_printf(so, "GLOBAL STATS");
893  if (m->mbuf)
894  {
895  status_printf(so, "Max bcast/mcast queue length,%d",
897  }
898 
899  status_printf(so, "END");
900  }
901  else if (version == 2 || version == 3)
902  {
903  const char sep = (version == 3) ? '\t' : ',';
904 
905  /*
906  * Status file version 2 and 3
907  */
908  status_printf(so, "TITLE%c%s", sep, title_string);
909  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
910  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
911  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
912  hash_iterator_init(m->hash, &hi);
913  while ((he = hash_iterator_next(&hi)))
914  {
915  struct gc_arena gc = gc_new();
916  const struct multi_instance *mi = (struct multi_instance *) he->value;
917 
918  if (!mi->halt)
919  {
920  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
921 #ifdef ENABLE_MANAGEMENT
922  "%lu"
923 #else
924  ""
925 #endif
926  "%c%" PRIu32 "%c%s",
927  sep, tls_common_name(mi->context.c2.tls_multi, false),
928  sep, mroute_addr_print(&mi->real, &gc),
931  sep, mi->context.c2.link_read_bytes,
932  sep, mi->context.c2.link_write_bytes,
933  sep, time_string(mi->created, 0, false, &gc),
934  sep, (unsigned int)mi->created,
935  sep, tls_username(mi->context.c2.tls_multi, false),
936 #ifdef ENABLE_MANAGEMENT
937  sep, mi->context.c2.mda_context.cid,
938 #else
939  sep,
940 #endif
941  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
943  }
944  gc_free(&gc);
945  }
946  hash_iterator_free(&hi);
947 
948  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
949  sep, sep, sep, sep, sep, sep);
950  hash_iterator_init(m->vhash, &hi);
951  while ((he = hash_iterator_next(&hi)))
952  {
953  struct gc_arena gc = gc_new();
954  const struct multi_route *route = (struct multi_route *) he->value;
955 
956  if (multi_route_defined(m, route))
957  {
958  const struct multi_instance *mi = route->instance;
959  const struct mroute_addr *ma = &route->addr;
960  char flags[2] = {0, 0};
961 
962  if (route->flags & MULTI_ROUTE_CACHE)
963  {
964  flags[0] = 'C';
965  }
966  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
967  sep, mroute_addr_print(ma, &gc), flags,
968  sep, tls_common_name(mi->context.c2.tls_multi, false),
969  sep, mroute_addr_print(&mi->real, &gc),
970  sep, time_string(route->last_reference, 0, false, &gc),
971  sep, (unsigned int)route->last_reference);
972  }
973  gc_free(&gc);
974  }
975  hash_iterator_free(&hi);
976 
977  if (m->mbuf)
978  {
979  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
980  sep, sep, mbuf_maximum_queued(m->mbuf));
981  }
982 
983  status_printf(so, "END");
984  }
985  else
986  {
987  status_printf(so, "ERROR: bad status format version number");
988  }
989 
990 #ifdef PACKET_TRUNCATION_CHECK
991  {
992  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
993  hash_iterator_init(m->hash, &hi);
994  while ((he = hash_iterator_next(&hi)))
995  {
996  struct gc_arena gc = gc_new();
997  const struct multi_instance *mi = (struct multi_instance *) he->value;
998 
999  if (!mi->halt)
1000  {
1002  tls_common_name(mi->context.c2.tls_multi, false),
1003  m->top.c2.n_trunc_tun_read,
1004  mi->context.c2.n_trunc_tun_write,
1005  mi->context.c2.n_trunc_pre_encrypt,
1006  mi->context.c2.n_trunc_post_decrypt);
1007  }
1008  gc_free(&gc);
1009  }
1010  hash_iterator_free(&hi);
1011  }
1012 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1013 
1014  status_flush(so);
1015  gc_free(&gc_top);
1016  }
1017 
1018 #ifdef ENABLE_ASYNC_PUSH
1019  if (m->inotify_watchers)
1020  {
1021  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1022  }
1023 #endif
1024 }
1025 
1026 /*
1027  * Learn a virtual address or route.
1028  * The learn will fail if the learn address
1029  * script/plugin fails. In this case the
1030  * return value may be != mi.
1031  * Return the instance which owns this route,
1032  * or NULL if none.
1033  */
1034 static struct multi_instance *
1036  struct multi_instance *mi,
1037  const struct mroute_addr *addr,
1038  const unsigned int flags)
1039 {
1040  struct hash_element *he;
1041  const uint32_t hv = hash_value(m->vhash, addr);
1042  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1043  struct multi_route *oldroute = NULL;
1044  struct multi_instance *owner = NULL;
1045  struct gc_arena gc = gc_new();
1046 
1047  /* if route currently exists, get the instance which owns it */
1048  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1049  if (he)
1050  {
1051  oldroute = (struct multi_route *) he->value;
1052  }
1053  if (oldroute && multi_route_defined(m, oldroute))
1054  {
1055  owner = oldroute->instance;
1056  }
1057 
1058  /* do we need to add address to hash table? */
1059  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1060  && !mroute_addr_equal(addr, &m->local))
1061  {
1062  struct multi_route *newroute;
1063  bool learn_succeeded = false;
1064 
1065  ALLOC_OBJ(newroute, struct multi_route);
1066  newroute->addr = *addr;
1067  newroute->instance = mi;
1068  newroute->flags = flags;
1069  newroute->last_reference = now;
1070  newroute->cache_generation = 0;
1071 
1072  /* The cache is invalidated when cache_generation is incremented */
1073  if (flags & MULTI_ROUTE_CACHE)
1074  {
1076  }
1077 
1078  if (oldroute) /* route already exists? */
1079  {
1080  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1081  {
1082  learn_succeeded = true;
1083  owner = mi;
1085  route_quota_inc(mi);
1086 
1087  /* delete old route */
1088  multi_route_del(oldroute);
1089 
1090  /* modify hash table entry, replacing old route */
1091  he->key = &newroute->addr;
1092  he->value = newroute;
1093  }
1094  }
1095  else
1096  {
1097  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1098  {
1099  learn_succeeded = true;
1100  owner = mi;
1102  route_quota_inc(mi);
1103 
1104  /* add new route */
1105  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1106  }
1107  }
1108 
1109  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1110  learn_succeeded ? "" : " FAILED",
1111  mroute_addr_print(&newroute->addr, &gc),
1112  multi_instance_string(mi, false, &gc));
1113 
1114  if (!learn_succeeded)
1115  {
1116  free(newroute);
1117  }
1118  }
1119  gc_free(&gc);
1120 
1121  return owner;
1122 }
1123 
1124 /*
1125  * Get client instance based on virtual address.
1126  */
1127 static struct multi_instance *
1129  const struct mroute_addr *addr,
1130  bool cidr_routing)
1131 {
1132  struct multi_route *route;
1133  struct multi_instance *ret = NULL;
1134 
1135  /* check for local address */
1136  if (mroute_addr_equal(addr, &m->local))
1137  {
1138  return NULL;
1139  }
1140 
1141  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1142 
1143  /* does host route (possible cached) exist? */
1144  if (route && multi_route_defined(m, route))
1145  {
1146  struct multi_instance *mi = route->instance;
1147  route->last_reference = now;
1148  ret = mi;
1149  }
1150  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1151  {
1152  struct mroute_helper *rh = m->route_helper;
1153  struct mroute_addr tryaddr;
1154  int i;
1155 
1156  /* cycle through each CIDR length */
1157  for (i = 0; i < rh->n_net_len; ++i)
1158  {
1159  tryaddr = *addr;
1160  tryaddr.type |= MR_WITH_NETBITS;
1161  tryaddr.netbits = rh->net_len[i];
1162  mroute_addr_mask_host_bits(&tryaddr);
1163 
1164  /* look up a possible route with netbits netmask */
1165  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1166 
1167  if (route && multi_route_defined(m, route))
1168  {
1169  /* found an applicable route, cache host route */
1170  struct multi_instance *mi = route->instance;
1172  ret = mi;
1173  break;
1174  }
1175  }
1176  }
1177 
1178 #ifdef ENABLE_DEBUG
1180  {
1181  struct gc_arena gc = gc_new();
1182  const char *addr_text = mroute_addr_print(addr, &gc);
1183  if (ret)
1184  {
1185  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1186  addr_text,
1187  multi_instance_string(ret, false, &gc),
1188  mroute_addr_print(&route->addr, &gc));
1189  }
1190  else
1191  {
1192  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1193  addr_text);
1194  }
1195  gc_free(&gc);
1196  }
1197 #endif
1198 
1199  ASSERT(!(ret && ret->halt));
1200  return ret;
1201 }
1202 
1203 /*
1204  * Helper function to multi_learn_addr().
1205  */
1206 static struct multi_instance *
1208  struct multi_instance *mi,
1209  in_addr_t a,
1210  int netbits, /* -1 if host route, otherwise # of network bits in address */
1211  bool primary)
1212 {
1213  struct openvpn_sockaddr remote_si;
1214  struct mroute_addr addr;
1215 
1216  CLEAR(remote_si);
1217  remote_si.addr.in4.sin_family = AF_INET;
1218  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1219  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1220 
1221  if (netbits >= 0)
1222  {
1223  addr.type |= MR_WITH_NETBITS;
1224  addr.netbits = (uint8_t) netbits;
1225  }
1226 
1227  {
1228  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1229 #ifdef ENABLE_MANAGEMENT
1230  if (management && owner)
1231  {
1232  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1233  }
1234 #endif
1235  return owner;
1236  }
1237 }
1238 
1239 static struct multi_instance *
1241  struct multi_instance *mi,
1242  struct in6_addr a6,
1243  int netbits, /* -1 if host route, otherwise # of network bits in address */
1244  bool primary)
1245 {
1246  struct mroute_addr addr;
1247 
1248  addr.len = 16;
1249  addr.type = MR_ADDR_IPV6;
1250  addr.netbits = 0;
1251  addr.v6.addr = a6;
1252 
1253  if (netbits >= 0)
1254  {
1255  addr.type |= MR_WITH_NETBITS;
1256  addr.netbits = (uint8_t) netbits;
1257  mroute_addr_mask_host_bits( &addr );
1258  }
1259 
1260  {
1261  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1262 #ifdef ENABLE_MANAGEMENT
1263  if (management && owner)
1264  {
1265  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1266  }
1267 #endif
1268  return owner;
1269  }
1270 }
1271 
1272 /*
1273  * A new client has connected, add routes (server -> client)
1274  * to internal routing table.
1275  */
1276 static void
1278  struct multi_instance *mi)
1279 {
1280  struct gc_arena gc = gc_new();
1281  const struct iroute *ir;
1282  const struct iroute_ipv6 *ir6;
1284  {
1285  mi->did_iroutes = true;
1286  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1287  {
1288  if (ir->netbits >= 0)
1289  {
1290  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1291  print_in_addr_t(ir->network, 0, &gc),
1292  ir->netbits,
1293  multi_instance_string(mi, false, &gc));
1294  }
1295  else
1296  {
1297  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1298  print_in_addr_t(ir->network, 0, &gc),
1299  multi_instance_string(mi, false, &gc));
1300  }
1301 
1303 
1304  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1305  }
1306  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1307  {
1308  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1309  print_in6_addr(ir6->network, 0, &gc),
1310  ir6->netbits,
1311  multi_instance_string(mi, false, &gc));
1312 
1314 
1315  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1316  }
1317  }
1318  gc_free(&gc);
1319 }
1320 
1321 /*
1322  * Given an instance (new_mi), delete all other instances which use the
1323  * same common name.
1324  */
1325 static void
1327 {
1328  if (new_mi)
1329  {
1330  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1331  if (new_cn)
1332  {
1333  struct hash_iterator hi;
1334  struct hash_element *he;
1335  int count = 0;
1336 
1337  hash_iterator_init(m->iter, &hi);
1338  while ((he = hash_iterator_next(&hi)))
1339  {
1340  struct multi_instance *mi = (struct multi_instance *) he->value;
1341  if (mi != new_mi && !mi->halt)
1342  {
1343  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1344  if (cn && !strcmp(cn, new_cn))
1345  {
1346  mi->did_iter = false;
1347  multi_close_instance(m, mi, false);
1349  ++count;
1350  }
1351  }
1352  }
1353  hash_iterator_free(&hi);
1354 
1355  if (count)
1356  {
1357  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1358  }
1359  }
1360  }
1361 }
1362 
1363 static void
1365 {
1366 
1367  struct gc_arena gc = gc_new();
1368  struct hash_iterator hi;
1369  struct hash_element *he;
1370 
1371  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1373  while ((he = hash_iterator_next(&hi)) != NULL)
1374  {
1375  struct multi_route *r = (struct multi_route *) he->value;
1376  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1377  {
1378  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1379  mroute_addr_print(&r->addr, &gc));
1380  learn_address_script(m, NULL, "delete", &r->addr);
1381  multi_route_del(r);
1383  }
1384  }
1385  hash_iterator_free(&hi);
1386  gc_free(&gc);
1387 }
1388 
1389 /*
1390  * Ensure that endpoint to be pushed to client
1391  * complies with --ifconfig-push-constraint directive.
1392  */
1393 static bool
1395 {
1396  const struct options *o = &c->options;
1398  {
1400  }
1401  else
1402  {
1403  return true;
1404  }
1405 }
1406 
1407 /*
1408  * Select a virtual address for a new client instance.
1409  * Use an --ifconfig-push directive, if given (static IP).
1410  * Otherwise use an --ifconfig-pool address (dynamic IP).
1411  */
1412 static void
1414 {
1415  struct gc_arena gc = gc_new();
1416 
1417  /*
1418  * If ifconfig addresses were set by dynamic config file,
1419  * release pool addresses, otherwise keep them.
1420  */
1422  {
1423  /* ifconfig addresses were set statically,
1424  * release dynamic allocation */
1425  if (mi->vaddr_handle >= 0)
1426  {
1428  mi->vaddr_handle = -1;
1429  }
1430 
1431  mi->context.c2.push_ifconfig_defined = true;
1435 
1436  /* the current implementation does not allow "static IPv4, pool IPv6",
1437  * (see below) so issue a warning if that happens - don't break the
1438  * session, though, as we don't even know if this client WANTS IPv6
1439  */
1442  {
1443  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1444  }
1445  }
1446  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1447  {
1448  in_addr_t local = 0, remote = 0;
1449  struct in6_addr remote_ipv6;
1450  const char *cn = NULL;
1451 
1452  if (!mi->context.options.duplicate_cn)
1453  {
1454  cn = tls_common_name(mi->context.c2.tls_multi, true);
1455  }
1456 
1457  CLEAR(remote_ipv6);
1458  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1459  if (mi->vaddr_handle >= 0)
1460  {
1461  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1462  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1463 
1464  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1466  ? print_in_addr_t(remote, 0, &gc)
1467  : "(Not enabled)"),
1469  ? print_in6_addr( remote_ipv6, 0, &gc )
1470  : "(Not enabled)") );
1471 
1473  {
1474  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1475  mi->context.c2.push_ifconfig_local = remote;
1476  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1477  {
1480  {
1482  }
1483  }
1484  else if (tunnel_type == DEV_TYPE_TUN)
1485  {
1486  if (tunnel_topology == TOP_P2P)
1487  {
1489  }
1490  else if (tunnel_topology == TOP_NET30)
1491  {
1493  }
1494  }
1495 
1497  {
1498  mi->context.c2.push_ifconfig_defined = true;
1499  }
1500  else
1501  {
1503  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1504  multi_instance_string(mi, false, &gc));
1505  }
1506  }
1507 
1509  {
1510  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1512  mi->context.c1.tuntap->local_ipv6;
1516  }
1517  }
1518  else
1519  {
1520  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1521  }
1522  }
1523 
1524  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1525  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1526  * will fail (because no pool will be allocated in this case).
1527  * OTOH, this doesn't make too much sense in reality - and the other
1528  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1529  * -> and so it's implemented right now
1530  */
1532  {
1540 
1541  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1544  }
1545 
1546  gc_free(&gc);
1547 }
1548 
1549 /*
1550  * Set virtual address environmental variables.
1551  */
1552 static void
1554 {
1555  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1556  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1557  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1558 
1560  {
1561  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1562  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1563 
1565  "ifconfig_pool_remote_ip",
1568 
1569  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1570  {
1572  "ifconfig_pool_netmask",
1575  }
1576  else if (tunnel_type == DEV_TYPE_TUN)
1577  {
1579  "ifconfig_pool_local_ip",
1582  }
1583  }
1584 
1585  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1586  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1587  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1588 
1590  {
1592  "ifconfig_pool_remote",
1596  "ifconfig_pool_local",
1599  setenv_int(mi->context.c2.es,
1600  "ifconfig_pool_ip6_netbits",
1602  }
1603 }
1604 
1605 /*
1606  * Called after client-connect script is called
1607  */
1608 static void
1610  struct multi_instance *mi,
1611  const char *dc_file,
1612  unsigned int *option_types_found)
1613 {
1614  /* Did script generate a dynamic config file? */
1615  if (platform_test_file(dc_file))
1616  {
1618  dc_file,
1621  option_types_found,
1622  mi->context.c2.es);
1623 
1624  /*
1625  * If the --client-connect script generates a config file
1626  * with an --ifconfig-push directive, it will override any
1627  * --ifconfig-push directive from the --client-config-dir
1628  * directory or any --ifconfig-pool dynamic address.
1629  */
1632  }
1633 }
1634 
1635 #ifdef ENABLE_PLUGIN
1636 
1637 /*
1638  * Called after client-connect plug-in is called
1639  */
1640 static void
1642  struct multi_instance *mi,
1643  const struct plugin_return *pr,
1644  unsigned int *option_types_found)
1645 {
1646  struct plugin_return config;
1647 
1648  plugin_return_get_column(pr, &config, "config");
1649 
1650  /* Did script generate a dynamic config file? */
1651  if (plugin_return_defined(&config))
1652  {
1653  int i;
1654  for (i = 0; i < config.n; ++i)
1655  {
1656  if (config.list[i] && config.list[i]->value)
1657  {
1659  config.list[i]->value,
1662  option_types_found,
1663  mi->context.c2.es);
1664  }
1665  }
1666 
1667  /*
1668  * If the --client-connect script generates a config file
1669  * with an --ifconfig-push directive, it will override any
1670  * --ifconfig-push directive from the --client-config-dir
1671  * directory or any --ifconfig-pool dynamic address.
1672  */
1675  }
1676 }
1677 
1678 #endif /* ifdef ENABLE_PLUGIN */
1679 
1680 
1681 /*
1682  * Called to load management-derived client-connect config
1683  */
1686  struct multi_instance *mi,
1687  bool deferred,
1688  unsigned int *option_types_found)
1689 {
1690  /* We never return CC_RET_DEFERRED */
1691  ASSERT(!deferred);
1693 #ifdef ENABLE_MANAGEMENT
1694  if (mi->cc_config)
1695  {
1696  struct buffer_entry *be;
1697  for (be = mi->cc_config->head; be != NULL; be = be->next)
1698  {
1699  const char *opt = BSTR(&be->buf);
1701  opt,
1704  option_types_found,
1705  mi->context.c2.es);
1706  }
1707 
1708  /*
1709  * If the --client-connect script generates a config file
1710  * with an --ifconfig-push directive, it will override any
1711  * --ifconfig-push directive from the --client-config-dir
1712  * directory or any --ifconfig-pool dynamic address.
1713  */
1716 
1717  ret = CC_RET_SUCCEEDED;
1718  }
1719 #endif /* ifdef ENABLE_MANAGEMENT */
1720  return ret;
1721 }
1722 
1723 static void
1725  struct multi_instance *mi)
1726 {
1727  struct gc_arena gc = gc_new();
1728 
1729  /* setenv incoming cert common name for script */
1730  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1731 
1732  /* setenv client real IP address */
1734 
1735  /* setenv client virtual IP address */
1737 
1738  /* setenv connection time */
1739  {
1740  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1741  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1742  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1743  }
1744 
1745  gc_free(&gc);
1746 }
1747 
1754 static bool
1756 {
1757  struct tls_multi *tls_multi = c->c2.tls_multi;
1758  const char *const peer_info = tls_multi->peer_info;
1759  struct options *o = &c->options;
1760 
1761 
1762  unsigned int proto = extract_iv_proto(peer_info);
1763  if (proto & IV_PROTO_DATA_V2)
1764  {
1765  tls_multi->use_peer_id = true;
1766  }
1767  if (proto & IV_PROTO_REQUEST_PUSH)
1768  {
1769  c->c2.push_request_received = true;
1770  }
1771 
1772 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1773  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1774  {
1776  }
1777 #endif
1778 
1779  /* Select cipher if client supports Negotiable Crypto Parameters */
1780 
1781  /* if we have already created our key, we cannot *change* our own
1782  * cipher -> so log the fact and push the "what we have now" cipher
1783  * (so the client is always told what we expect it to use)
1784  */
1786  {
1787  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1788  "server has already generated data channel keys, "
1789  "re-sending previously negotiated cipher '%s'",
1790  o->ciphername );
1791  return true;
1792  }
1793 
1794  /*
1795  * Push the first cipher from --data-ciphers to the client that
1796  * the client announces to be supporting.
1797  */
1798  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1799  tls_multi->remote_ciphername,
1800  &o->gc);
1801 
1802  if (push_cipher)
1803  {
1804  o->ciphername = push_cipher;
1805  return true;
1806  }
1807 
1808  /* NCP cipher negotiation failed. Try to figure out why exactly it
1809  * failed and give good error messages and potentially do a fallback
1810  * for non NCP clients */
1811  struct gc_arena gc = gc_new();
1812  bool ret = false;
1813 
1814  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1815  /* If we are in a situation where we know the client ciphers, there is no
1816  * reason to fall back to a cipher that will not be accepted by the other
1817  * side, in this situation we fail the auth*/
1818  if (strlen(peer_ciphers) > 0)
1819  {
1820  msg(M_INFO, "PUSH: No common cipher between server and client. "
1821  "Server data-ciphers: '%s', client supported ciphers '%s'",
1822  o->ncp_ciphers, peer_ciphers);
1823  }
1824  else if (tls_multi->remote_ciphername)
1825  {
1826  msg(M_INFO, "PUSH: No common cipher between server and client. "
1827  "Server data-ciphers: '%s', client supports cipher '%s'",
1828  o->ncp_ciphers, tls_multi->remote_ciphername);
1829  }
1830  else
1831  {
1832  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1833 
1834  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1835  {
1836  msg(M_INFO, "Using data channel cipher '%s' since "
1837  "--data-ciphers-fallback is set.", o->ciphername);
1838  ret = true;
1839  }
1840  else
1841  {
1842  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1843  "client is using if you want to allow the client to connect");
1844  }
1845  }
1846  if (!ret)
1847  {
1848  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1849  "failed (no shared cipher)");
1850  }
1851 
1852  gc_free(&gc);
1853  return ret;
1854 }
1855 
1860 static void
1862 {
1864  if (!ccs->deferred_ret_file)
1865  {
1866  return;
1867  }
1868 
1869  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1871  {
1872  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1873  ccs->deferred_ret_file);
1874  }
1875  free(ccs->deferred_ret_file);
1876  ccs->deferred_ret_file = NULL;
1877 }
1878 
1886 static bool
1888 {
1890  struct gc_arena gc = gc_new();
1891  const char *fn;
1892 
1893  /* Delete file if it already exists */
1895 
1896  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1897  if (!fn)
1898  {
1899  gc_free(&gc);
1900  return false;
1901  }
1902  ccs->deferred_ret_file = string_alloc(fn, NULL);
1903 
1904  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1905  ccs->deferred_ret_file);
1906 
1907  gc_free(&gc);
1908  return true;
1909 }
1910 
1919 static enum client_connect_return
1921 {
1923  FILE *fp = fopen(ccs->deferred_ret_file, "r");
1924  if (!fp)
1925  {
1926  return CC_RET_SKIPPED;
1927  }
1928 
1930  const int c = fgetc(fp);
1931  switch (c)
1932  {
1933  case '0':
1934  ret = CC_RET_FAILED;
1935  break;
1936 
1937  case '1':
1938  ret = CC_RET_SUCCEEDED;
1939  break;
1940 
1941  case '2':
1942  ret = CC_RET_DEFERRED;
1943  break;
1944 
1945  case EOF:
1946  if (feof(fp))
1947  {
1948  ret = CC_RET_SKIPPED;
1949  break;
1950  }
1951 
1952  /* Not EOF but other error -> fall through to error state */
1953  default:
1954  /* We received an unknown/unexpected value. Assume failure. */
1955  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred"
1956  "client-connect resultfile");
1957  ret = CC_RET_FAILED;
1958  }
1959  fclose(fp);
1960 
1961  return ret;
1962 }
1963 
1969 static void
1971 {
1973  if (ccs->config_file)
1974  {
1975  setenv_del(mi->context.c2.es, "client_connect_config_file");
1976  if (!platform_unlink(ccs->config_file))
1977  {
1978  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1979  ccs->config_file);
1980  }
1981  free(ccs->config_file);
1982  ccs->config_file = NULL;
1983  }
1984 }
1985 
1993 static bool
1995 {
1997  struct gc_arena gc = gc_new();
1998  const char *fn;
1999 
2000  if (ccs->config_file)
2001  {
2003  }
2004 
2005  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2006  if (!fn)
2007  {
2008  gc_free(&gc);
2009  return false;
2010  }
2011  ccs->config_file = string_alloc(fn, NULL);
2012 
2013  setenv_str(mi->context.c2.es, "client_connect_config_file",
2014  ccs->config_file);
2015 
2016  gc_free(&gc);
2017  return true;
2018 }
2019 
2020 static enum client_connect_return
2022  struct multi_instance *mi,
2023  bool deferred,
2024  unsigned int *option_types_found)
2025 {
2027 #ifdef ENABLE_PLUGIN
2028  ASSERT(m);
2029  ASSERT(mi);
2030  ASSERT(option_types_found);
2032 
2033  /* deprecated callback, use a file for passing back return info */
2035  {
2036  struct argv argv = argv_new();
2037  int call;
2038 
2039  if (!deferred)
2040  {
2042  if (!ccs_gen_config_file(mi)
2043  || !ccs_gen_deferred_ret_file(mi))
2044  {
2045  ret = CC_RET_FAILED;
2046  goto cleanup;
2047  }
2048  }
2049  else
2050  {
2051  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2052  /* the initial call should have created these files */
2053  ASSERT(ccs->config_file);
2054  ASSERT(ccs->deferred_ret_file);
2055  }
2056 
2057  argv_printf(&argv, "%s", ccs->config_file);
2058  int plug_ret = plugin_call(mi->context.plugins, call,
2059  &argv, NULL, mi->context.c2.es);
2060  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2061  {
2062  ret = CC_RET_SUCCEEDED;
2063  }
2064  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2065  {
2066  ret = CC_RET_DEFERRED;
2072  }
2073  else
2074  {
2075  msg(M_WARN, "WARNING: client-connect plugin call failed");
2076  ret = CC_RET_FAILED;
2077  }
2078 
2079 
2085  int file_ret = ccs_test_deferred_ret_file(mi);
2086 
2087  if (file_ret == CC_RET_FAILED)
2088  {
2089  ret = CC_RET_FAILED;
2090  }
2091  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2092  {
2093  ret = CC_RET_DEFERRED;
2094  }
2095 
2096  /* if we still think we have succeeded, do postprocessing */
2097  if (ret == CC_RET_SUCCEEDED)
2098  {
2100  option_types_found);
2101  }
2102 cleanup:
2103  argv_free(&argv);
2104 
2105  if (ret != CC_RET_DEFERRED)
2106  {
2109  }
2110  }
2111 #endif /* ifdef ENABLE_PLUGIN */
2112  return ret;
2113 }
2114 
2115 static enum client_connect_return
2117  struct multi_instance *mi,
2118  bool deferred,
2119  unsigned int *option_types_found)
2120 {
2122 #ifdef ENABLE_PLUGIN
2123  ASSERT(m);
2124  ASSERT(mi);
2125  ASSERT(option_types_found);
2126 
2127  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2129  /* V2 callback, use a plugin_return struct for passing back return info */
2130  if (plugin_defined(mi->context.plugins, call))
2131  {
2132  struct plugin_return pr;
2133 
2134  plugin_return_init(&pr);
2135 
2136  int plug_ret = plugin_call(mi->context.plugins, call,
2137  NULL, &pr, mi->context.c2.es);
2138  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2139  {
2140  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2141  ret = CC_RET_SUCCEEDED;
2142  }
2143  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2144  {
2145  ret = CC_RET_DEFERRED;
2146  if (!(plugin_defined(mi->context.plugins,
2147  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2148  {
2149  msg(M_WARN, "A plugin that defers from the "
2150  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2151  "declare support for "
2152  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2153  ret = CC_RET_FAILED;
2154  }
2155  }
2156  else
2157  {
2158  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2159  ret = CC_RET_FAILED;
2160  }
2161 
2162 
2163  plugin_return_free(&pr);
2164  }
2165 #endif /* ifdef ENABLE_PLUGIN */
2166  return ret;
2167 }
2168 
2169 static enum client_connect_return
2171  struct multi_instance *mi,
2172  unsigned int *option_types_found)
2173 {
2174  ASSERT(mi);
2175  ASSERT(option_types_found);
2178 
2179  ret = ccs_test_deferred_ret_file(mi);
2180 
2181  if (ret == CC_RET_SKIPPED)
2182  {
2183  /*
2184  * Skipped and deferred are equivalent in this context.
2185  * skipped means that the called program has not yet
2186  * written a return status implicitly needing more time
2187  * while deferred is the explicit notification that it
2188  * needs more time
2189  */
2190  ret = CC_RET_DEFERRED;
2191  }
2192 
2193  if (ret == CC_RET_SUCCEEDED)
2194  {
2197  option_types_found);
2199  }
2200  if (ret == CC_RET_FAILED)
2201  {
2202  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2205  }
2206  return ret;
2207 }
2208 
2212 static enum client_connect_return
2214  struct multi_instance *mi,
2215  bool deferred,
2216  unsigned int *option_types_found)
2217 {
2218  if (deferred)
2219  {
2220  return multi_client_connect_script_deferred(m, mi, option_types_found);
2221  }
2222  ASSERT(m);
2223  ASSERT(mi);
2224 
2227 
2229  {
2230  struct argv argv = argv_new();
2231  struct gc_arena gc = gc_new();
2232 
2233  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2234 
2235  if (!ccs_gen_config_file(mi)
2236  || !ccs_gen_deferred_ret_file(mi))
2237  {
2238  ret = CC_RET_FAILED;
2239  goto cleanup;
2240  }
2241 
2243  argv_printf_cat(&argv, "%s", ccs->config_file);
2244 
2245  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2246  {
2248  {
2249  ret = CC_RET_DEFERRED;
2250  }
2251  else
2252  {
2254  option_types_found);
2255  ret = CC_RET_SUCCEEDED;
2256  }
2257  }
2258  else
2259  {
2260  ret = CC_RET_FAILED;
2261  }
2262 cleanup:
2263  if (ret != CC_RET_DEFERRED)
2264  {
2267  }
2268  argv_free(&argv);
2269  gc_free(&gc);
2270  }
2271  return ret;
2272 }
2273 
2277 static bool
2279 {
2280  struct frame *frame_fragment = NULL;
2281 #ifdef ENABLE_FRAGMENT
2282  if (c->options.ce.fragment)
2283  {
2284  frame_fragment = &c->c2.frame_fragment;
2285  }
2286 #endif
2287  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2288  if (!tls_session_update_crypto_params(session, &c->options,
2289  &c->c2.frame, frame_fragment))
2290  {
2291  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2292  register_signal(c, SIGUSR1, "process-push-msg-failed");
2293  return false;
2294  }
2295 
2296  return true;
2297 }
2298 
2299 static void
2301  struct multi_instance *mi,
2302  const unsigned int option_types_found)
2303 {
2304  ASSERT(m);
2305  ASSERT(mi);
2306 
2307  struct gc_arena gc = gc_new();
2308  /*
2309  * Process sourced options.
2310  */
2311  do_deferred_options(&mi->context, option_types_found);
2312 
2313  /*
2314  * make sure we got ifconfig settings from somewhere
2315  */
2316  if (!mi->context.c2.push_ifconfig_defined)
2317  {
2318  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote"
2319  "--ifconfig address is available for %s",
2320  multi_instance_string(mi, false, &gc));
2321  }
2322 
2323  /*
2324  * make sure that ifconfig settings comply with constraints
2325  */
2327  {
2328  const char *ifconfig_constraint_network =
2330  const char *ifconfig_constraint_netmask =
2332 
2333  /* JYFIXME -- this should cause the connection to fail */
2334  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)"
2335  "violates tunnel network/netmask constraint (%s/%s)",
2336  multi_instance_string(mi, false, &gc),
2338  ifconfig_constraint_network, ifconfig_constraint_netmask);
2339  }
2340 
2341  /*
2342  * For routed tunnels, set up internal route to endpoint
2343  * plus add all iroute routes.
2344  */
2346  {
2348  {
2349  multi_learn_in_addr_t(m, mi,
2351  -1, true);
2352  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2353  multi_instance_string(mi, false, &gc),
2355  }
2356 
2358  {
2359  multi_learn_in6_addr(m, mi,
2361  -1, true);
2362  /* TODO: find out where addresses are "unlearned"!! */
2363  const char *ifconfig_local_ipv6 =
2365  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2366  multi_instance_string(mi, false, &gc),
2367  ifconfig_local_ipv6);
2368  }
2369 
2370  /* add routes locally, pointing to new client, if
2371  * --iroute options have been specified */
2372  multi_add_iroutes(m, mi);
2373 
2374  /*
2375  * iroutes represent subnets which are "owned" by a particular
2376  * client. Therefore, do not actually push a route to a client
2377  * if it matches one of the client's iroutes.
2378  */
2380  }
2381  else if (mi->context.options.iroutes)
2382  {
2383  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute"
2384  "only works with tun-style tunnels",
2385  multi_instance_string(mi, false, &gc));
2386  }
2387 
2388  /* set our client's VPN endpoint for status reporting purposes */
2391 
2392  /* set context-level authentication flag */
2394 
2395  /* authentication complete, calculate dynamic client specific options */
2397  {
2399  }
2400  /* Generate data channel keys only if setting protocol options
2401  * has not failed */
2402  else if (!multi_client_generate_tls_keys(&mi->context))
2403  {
2405  }
2406 
2407  /* send push reply if ready */
2409  {
2411  }
2412 
2413  gc_free(&gc);
2414 }
2415 
2416 static void
2418  struct multi_instance *mi)
2419 {
2420  ASSERT(mi->context.c1.tuntap);
2421  /*
2422  * lock down the common name and cert hashes so they can't change
2423  * during future TLS renegotiations
2424  */
2427 
2428  /* generate a msg() prefix for this client instance */
2429  generate_prefix(mi);
2430 
2431  /* delete instances of previous clients with same common-name */
2432  if (!mi->context.options.duplicate_cn)
2433  {
2434  multi_delete_dup(m, mi);
2435  }
2436 
2437  /* reset pool handle to null */
2438  mi->vaddr_handle = -1;
2439 
2440  /* do --client-connect setenvs */
2442 
2444 }
2445 
2452 static enum client_connect_return
2454  struct multi_instance *mi,
2455  bool deferred,
2456  unsigned int *option_types_found)
2457 {
2458 #ifdef USE_COMP
2459  struct options *o = &mi->context.options;
2460  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2461 
2462  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2463  {
2464  if(peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2465  {
2466  push_option(o, "compress stub-v2", M_USAGE);
2467  }
2468  else
2469  {
2470  /* Client is old and does not support STUBv2 but since it
2471  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2472  * switch to that and push the uncompressed variant. */
2473  push_option(o, "comp-lzo no", M_USAGE);
2474  o->comp.alg = COMP_ALG_STUB;
2475  *option_types_found |= OPT_P_COMP;
2476  }
2477  }
2478 #endif
2479  return CC_RET_SUCCEEDED;
2480 }
2481 
2486 static enum client_connect_return
2488  struct multi_instance *mi,
2489  bool deferred,
2490  unsigned int *option_types_found)
2491 {
2492  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2493  * problem */
2494  ASSERT(!deferred);
2497  {
2498  struct gc_arena gc = gc_new();
2499  const char *ccd_file = NULL;
2500 
2501  const char *ccd_client =
2503  tls_common_name(mi->context.c2.tls_multi, false),
2504  &gc);
2505 
2506  const char *ccd_default =
2508  CCD_DEFAULT, &gc);
2509 
2510 
2511  /* try common-name file */
2512  if (platform_test_file(ccd_client))
2513  {
2514  ccd_file = ccd_client;
2515  }
2516  /* try default file */
2517  else if (platform_test_file(ccd_default))
2518  {
2519  ccd_file = ccd_default;
2520  }
2521 
2522  if (ccd_file)
2523  {
2525  ccd_file,
2528  option_types_found,
2529  mi->context.c2.es);
2530  /*
2531  * Select a virtual address from either --ifconfig-push in
2532  * --client-config-dir file or --ifconfig-pool.
2533  */
2535 
2537 
2538  ret = CC_RET_SUCCEEDED;
2539  }
2540  gc_free(&gc);
2541  }
2542  return ret;
2543 }
2544 
2546  (struct multi_context *m, struct multi_instance *mi,
2547  bool from_deferred, unsigned int *option_types_found);
2548 
2556  NULL,
2557 };
2558 
2559 /*
2560  * Called as soon as the SSL/TLS connection is authenticated.
2561  *
2562  * Will collect the client specific configuration from the different
2563  * sources like ccd files, connect plugins and management interface.
2564  *
2565  * This method starts with cas_context CAS_PENDING and will move the
2566  * state machine to either CAS_SUCCEEDED on success or
2567  * CAS_FAILED/CAS_PARTIAL on failure.
2568  *
2569  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2570  * include:
2571  *
2572  * iroute start-ip end-ip
2573  * ifconfig-push local remote-netmask
2574  * push
2575  *
2576  *
2577  */
2578 static void
2580 {
2581  /* We are only called for the CAS_PENDING_x states, so we
2582  * can ignore other states here */
2583  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2584 
2585  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2586  unsigned int *option_types_found =
2588 
2589  /* We are called for the first time */
2590  if (!from_deferred)
2591  {
2592  *cur_handler_index = 0;
2593  *option_types_found = 0;
2594  /* Initially we have no handler that has returned a result */
2596 
2598  }
2599 
2600  bool cc_succeeded = true;
2601 
2602  while (cc_succeeded
2603  && client_connect_handlers[*cur_handler_index] != NULL)
2604  {
2605  enum client_connect_return ret;
2606  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2607  option_types_found);
2608 
2609  from_deferred = false;
2610 
2611  switch (ret)
2612  {
2613  case CC_RET_SUCCEEDED:
2614  /*
2615  * Remember that we already had at least one handler
2616  * returning a result should we go to into deferred state
2617  */
2618  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2619  break;
2620 
2621  case CC_RET_SKIPPED:
2622  /*
2623  * Move on with the next handler without modifying any
2624  * other state
2625  */
2626  break;
2627 
2628  case CC_RET_DEFERRED:
2629  /*
2630  * we already set multi_status to DEFERRED_RESULT or
2631  * DEFERRED_NO_RESULT. We just return
2632  * from the function as having multi_status
2633  */
2634  return;
2635 
2636  case CC_RET_FAILED:
2637  /*
2638  * One handler failed. We abort the chain and set the final
2639  * result to failed
2640  */
2641  cc_succeeded = false;
2642  break;
2643 
2644  default:
2645  ASSERT(0);
2646  }
2647 
2648  /*
2649  * Check for "disable" directive in client-config-dir file
2650  * or config file generated by --client-connect script.
2651  */
2652  if (mi->context.options.disable)
2653  {
2654  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2655  "'disable' directive");
2656  cc_succeeded = false;
2657  }
2658 
2659  (*cur_handler_index)++;
2660  }
2661 
2662  if (cc_succeeded)
2663  {
2664  multi_client_connect_late_setup(m, mi, *option_types_found);
2665  }
2666  else
2667  {
2668  /* run the disconnect script if we had a connect script that
2669  * did not fail */
2671  {
2673  }
2674 
2676  }
2677 
2678  /* increment number of current authenticated clients */
2679  ++m->n_clients;
2681  --mi->n_clients_delta;
2682 
2683 #ifdef ENABLE_MANAGEMENT
2684  if (management)
2685  {
2687  &mi->context.c2.mda_context, mi->context.c2.es);
2688  }
2689 #endif
2690 }
2691 
2692 #ifdef ENABLE_ASYNC_PUSH
2693 /*
2694  * Called when inotify event is fired, which happens when acf
2695  * or connect-status file is closed or deleted.
2696  * Continues authentication and sends push_reply
2697  * (or be deferred again by client-connect)
2698  */
2699 void
2700 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2701 {
2702  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2703  size_t buffer_i = 0;
2704  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2705 
2706  while (buffer_i < r)
2707  {
2708  /* parse inotify events */
2709  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2710  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2711  buffer_i += event_size;
2712 
2713  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2714 
2715  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2716 
2717  if (pevent->mask & IN_CLOSE_WRITE)
2718  {
2719  if (mi)
2720  {
2721  /* continue authentication, perform NCP negotiation and send push_reply */
2722  multi_process_post(m, mi, mpp_flags);
2723  }
2724  else
2725  {
2726  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2727  }
2728  }
2729  else if (pevent->mask & IN_IGNORED)
2730  {
2731  /* this event is _always_ fired when watch is removed or file is deleted */
2732  if (mi)
2733  {
2734  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2735  mi->inotify_watch = -1;
2736  }
2737  }
2738  else
2739  {
2740  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2741  }
2742  }
2743 }
2744 #endif /* ifdef ENABLE_ASYNC_PUSH */
2745 
2746 /*
2747  * Add a mbuf buffer to a particular
2748  * instance.
2749  */
2750 void
2752  struct multi_instance *mi,
2753  struct mbuf_buffer *mb)
2754 {
2755  if (multi_output_queue_ready(m, mi))
2756  {
2757  struct mbuf_item item;
2758  item.buffer = mb;
2759  item.instance = mi;
2760  mbuf_add_item(m->mbuf, &item);
2761  }
2762  else
2763  {
2764  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2765  }
2766 }
2767 
2768 /*
2769  * Add a packet to a client instance output queue.
2770  */
2771 static inline void
2773  const struct buffer *buf,
2774  struct multi_instance *mi)
2775 {
2776  struct mbuf_buffer *mb;
2777 
2778  if (BLEN(buf) > 0)
2779  {
2780  mb = mbuf_alloc_buf(buf);
2781  mb->flags = MF_UNICAST;
2782  multi_add_mbuf(m, mi, mb);
2783  mbuf_free_buf(mb);
2784  }
2785 }
2786 
2787 /*
2788  * Broadcast a packet to all clients.
2789  */
2790 static void
2792  const struct buffer *buf,
2793  const struct multi_instance *sender_instance,
2794  const struct mroute_addr *sender_addr,
2795  uint16_t vid)
2796 {
2797  struct hash_iterator hi;
2798  struct hash_element *he;
2799  struct multi_instance *mi;
2800  struct mbuf_buffer *mb;
2801 
2802  if (BLEN(buf) > 0)
2803  {
2805 #ifdef MULTI_DEBUG_EVENT_LOOP
2806  printf("BCAST len=%d\n", BLEN(buf));
2807 #endif
2808  mb = mbuf_alloc_buf(buf);
2809  hash_iterator_init(m->iter, &hi);
2810 
2811  while ((he = hash_iterator_next(&hi)))
2812  {
2813  mi = (struct multi_instance *) he->value;
2814  if (mi != sender_instance && !mi->halt)
2815  {
2816  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2817  {
2818  continue;
2819  }
2820  multi_add_mbuf(m, mi, mb);
2821  }
2822  }
2823 
2824  hash_iterator_free(&hi);
2825  mbuf_free_buf(mb);
2826  perf_pop();
2827  }
2828 }
2829 
2830 /*
2831  * Given a time delta, indicating that we wish to be
2832  * awoken by the scheduler at time now + delta, figure
2833  * a sigma parameter (in microseconds) that represents
2834  * a sort of fuzz factor around delta, so that we're
2835  * really telling the scheduler to wake us up any time
2836  * between now + delta - sigma and now + delta + sigma.
2837  *
2838  * The sigma parameter helps the scheduler to run more efficiently.
2839  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2840  */
2841 static inline unsigned int
2842 compute_wakeup_sigma(const struct timeval *delta)
2843 {
2844  if (delta->tv_sec < 1)
2845  {
2846  /* if < 1 sec, fuzz = # of microseconds / 8 */
2847  return delta->tv_usec >> 3;
2848  }
2849  else
2850  {
2851  /* if < 10 minutes, fuzz = 13.1% of timeout */
2852  if (delta->tv_sec < 600)
2853  {
2854  return delta->tv_sec << 17;
2855  }
2856  else
2857  {
2858  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2859  }
2860  }
2861 }
2862 
2863 static void
2865 {
2866  /* calculate an absolute wakeup time */
2867  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2868  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2869 
2870  /* tell scheduler to wake us up at some point in the future */
2872  (struct schedule_entry *) mi,
2873  &mi->wakeup,
2874  compute_wakeup_sigma(&mi->context.c2.timeval));
2875 }
2876 
2877 #if defined(ENABLE_ASYNC_PUSH)
2878 static void
2879 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
2880  int inotify_fd, const char *file)
2881 {
2882  /* watch acf file */
2883  long watch_descriptor = inotify_add_watch(inotify_fd, file,
2884  IN_CLOSE_WRITE | IN_ONESHOT);
2885  if (watch_descriptor >= 0)
2886  {
2887  if (mi->inotify_watch != -1)
2888  {
2889  hash_remove(m->inotify_watchers,
2890  (void *) (unsigned long)mi->inotify_watch);
2891  }
2892  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
2893  mi, true);
2894  mi->inotify_watch = watch_descriptor;
2895  }
2896  else
2897  {
2898  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2899  }
2900 }
2901 #endif /* if defined(ENABLE_ASYNC_PUSH) */
2902 
2903 /*
2904  * Figure instance-specific timers, convert
2905  * earliest to absolute time in mi->wakeup,
2906  * call scheduler with our future wakeup time.
2907  *
2908  * Also close context on signal.
2909  */
2910 bool
2911 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2912 {
2913  bool ret = true;
2914 
2915  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2916  {
2917 #if defined(ENABLE_ASYNC_PUSH)
2918  bool was_unauthenticated = true;
2919  struct key_state *ks = NULL;
2920  if (mi->context.c2.tls_multi)
2921  {
2923  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
2924  }
2925 #endif
2926 
2927  /* figure timeouts and fetch possible outgoing
2928  * to_link packets (such as ping or TLS control) */
2929  pre_select(&mi->context);
2930 
2931 #if defined(ENABLE_ASYNC_PUSH)
2932  /*
2933  * if we see the state transition from unauthenticated to deferred
2934  * and an auth_control_file, we assume it got just added and add
2935  * inotify watch to that file
2936  */
2937  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
2938  && (ks->authenticated == KS_AUTH_DEFERRED))
2939  {
2940  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2942  }
2943  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
2944  && (ks->authenticated == KS_AUTH_DEFERRED))
2945  {
2946  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2948  }
2949 #endif
2950 
2951  if (!IS_SIG(&mi->context))
2952  {
2953  /* connection is "established" when SSL/TLS key negotiation succeeds
2954  * and (if specified) auth user/pass succeeds */
2955 
2957  {
2959  }
2960 #if defined(ENABLE_ASYNC_PUSH)
2963  {
2964  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
2966  deferred_ret_file);
2967  }
2968 #endif
2969  /* tell scheduler to wake us up at some point in the future */
2971  }
2972  }
2973 
2974  if (IS_SIG(&mi->context))
2975  {
2976  if (flags & MPP_CLOSE_ON_SIGNAL)
2977  {
2979  ret = false;
2980  }
2981  }
2982  else
2983  {
2984  /* continue to pend on output? */
2985  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2986 
2987 #ifdef MULTI_DEBUG_EVENT_LOOP
2988  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
2989  id(mi),
2990  (int) (mi == m->pending),
2991  mi ? mi->context.c2.to_tun.len : -1,
2992  mi ? mi->context.c2.to_link.len : -1,
2993  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2994  (int64_t)mi->context.c2.timeval.tv_sec,
2995  (long)mi->context.c2.timeval.tv_usec);
2996 #endif
2997  }
2998 
2999  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3000  {
3001  *m->mpp_touched = mi;
3002  }
3003 
3004  return ret;
3005 }
3006 
3007 void
3009 {
3010  struct mroute_addr real;
3011  struct hash *hash = m->hash;
3012  struct gc_arena gc = gc_new();
3013 
3014  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3015  {
3016  goto done;
3017  }
3018 
3019  const uint32_t hv = hash_value(hash, &real);
3020  struct hash_bucket *bucket = hash_bucket(hash, hv);
3021 
3022  /* make sure that we don't float to an address taken by another client */
3023  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3024  if (he)
3025  {
3026  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3027 
3028  struct tls_multi *m1 = mi->context.c2.tls_multi;
3029  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3030 
3031  /* do not float if target address is taken by client with another cert */
3032  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3033  {
3034  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3035  multi_instance_string(ex_mi, false, &gc));
3036 
3037  mi->context.c2.buf.len = 0;
3038 
3039  goto done;
3040  }
3041 
3042  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3043  multi_close_instance(m, ex_mi, false);
3044  }
3045 
3046  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3047  mi->context.c2.tls_multi->peer_id,
3048  tls_common_name(mi->context.c2.tls_multi, false),
3049  mroute_addr_print(&mi->real, &gc),
3050  print_link_socket_actual(&m->top.c2.from, &gc));
3051 
3052  /* remove old address from hash table before changing address */
3053  ASSERT(hash_remove(m->hash, &mi->real));
3054  ASSERT(hash_remove(m->iter, &mi->real));
3055 
3056  /* change external network address of the remote peer */
3057  mi->real = real;
3058  generate_prefix(mi);
3059 
3060  mi->context.c2.from = m->top.c2.from;
3061  mi->context.c2.to_link_addr = &mi->context.c2.from;
3062 
3063  /* inherit parent link_socket and link_socket_info */
3066 
3068 
3069  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3070  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3071 
3072 #ifdef ENABLE_MANAGEMENT
3073  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3074 #endif
3075 
3076 done:
3077  gc_free(&gc);
3078 }
3079 
3080 /*
3081  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3082  * i.e. client -> server direction.
3083  */
3084 bool
3085 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
3086 {
3087  struct gc_arena gc = gc_new();
3088 
3089  struct context *c;
3090  struct mroute_addr src, dest;
3091  unsigned int mroute_flags;
3092  struct multi_instance *mi;
3093  bool ret = true;
3094  bool floated = false;
3095 
3096  if (m->pending)
3097  {
3098  return true;
3099  }
3100 
3101  if (!instance)
3102  {
3103 #ifdef MULTI_DEBUG_EVENT_LOOP
3104  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3105 #endif
3107  }
3108  else
3109  {
3110  multi_set_pending(m, instance);
3111  }
3112 
3113  if (m->pending)
3114  {
3115  set_prefix(m->pending);
3116 
3117  /* get instance context */
3118  c = &m->pending->context;
3119 
3120  if (!instance)
3121  {
3122  /* transfer packet pointer from top-level context buffer to instance */
3123  c->c2.buf = m->top.c2.buf;
3124 
3125  /* transfer from-addr from top-level context buffer to instance */
3126  if (!floated)
3127  {
3128  c->c2.from = m->top.c2.from;
3129  }
3130  }
3131 
3132  if (BLEN(&c->c2.buf) > 0)
3133  {
3134  struct link_socket_info *lsi;
3135  const uint8_t *orig_buf;
3136 
3137  /* decrypt in instance context */
3138 
3140  lsi = get_link_socket_info(c);
3141  orig_buf = c->c2.buf.data;
3142  if (process_incoming_link_part1(c, lsi, floated))
3143  {
3144  /* nonzero length means that we have a valid, decrypted packed */
3145  if (floated && c->c2.buf.len > 0)
3146  {
3148  }
3149 
3150  process_incoming_link_part2(c, lsi, orig_buf);
3151  }
3152  perf_pop();
3153 
3154  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3155  {
3156  /* extract packet source and dest addresses */
3157  mroute_flags = mroute_extract_addr_from_packet(&src,
3158  &dest,
3159  0,
3160  &c->c2.to_tun,
3161  DEV_TYPE_TUN);
3162 
3163  /* drop packet if extract failed */
3164  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3165  {
3166  c->c2.to_tun.len = 0;
3167  }
3168  /* make sure that source address is associated with this client */
3169  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3170  {
3171  /* IPv6 link-local address (fe80::xxx)? */
3172  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3173  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3174  {
3175  /* do nothing, for now. TODO: add address learning */
3176  }
3177  else
3178  {
3179  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3180  mroute_addr_print(&src, &gc));
3181  }
3182  c->c2.to_tun.len = 0;
3183  }
3184  /* client-to-client communication enabled? */
3185  else if (m->enable_c2c)
3186  {
3187  /* multicast? */
3188  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3189  {
3190  /* for now, treat multicast as broadcast */
3191  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
3192  }
3193  else /* possible client to client routing */
3194  {
3195  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3196  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3197 
3198  /* if dest addr is a known client, route to it */
3199  if (mi)
3200  {
3201  {
3202  multi_unicast(m, &c->c2.to_tun, mi);
3203  register_activity(c, BLEN(&c->c2.to_tun));
3204  }
3205  c->c2.to_tun.len = 0;
3206  }
3207  }
3208  }
3209  }
3210  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3211  {
3212  uint16_t vid = 0;
3213 
3214  if (m->top.options.vlan_tagging)
3215  {
3216  if (vlan_is_tagged(&c->c2.to_tun))
3217  {
3218  /* Drop VLAN-tagged frame. */
3219  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3220  c->c2.to_tun.len = 0;
3221  }
3222  else
3223  {
3224  vid = c->options.vlan_pvid;
3225  }
3226  }
3227  /* extract packet source and dest addresses */
3228  mroute_flags = mroute_extract_addr_from_packet(&src,
3229  &dest,
3230  vid,
3231  &c->c2.to_tun,
3232  DEV_TYPE_TAP);
3233 
3234  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3235  {
3236  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3237  {
3238  /* check for broadcast */
3239  if (m->enable_c2c)
3240  {
3241  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3242  {
3243  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
3244  vid);
3245  }
3246  else /* try client-to-client routing */
3247  {
3248  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3249 
3250  /* if dest addr is a known client, route to it */
3251  if (mi)
3252  {
3253  multi_unicast(m, &c->c2.to_tun, mi);
3254  register_activity(c, BLEN(&c->c2.to_tun));
3255  c->c2.to_tun.len = 0;
3256  }
3257  }
3258  }
3259  }
3260  else
3261  {
3262  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3263  mroute_addr_print(&src, &gc));
3264  c->c2.to_tun.len = 0;
3265  }
3266  }
3267  else
3268  {
3269  c->c2.to_tun.len = 0;
3270  }
3271  }
3272  }
3273 
3274  /* postprocess and set wakeup */
3275  ret = multi_process_post(m, m->pending, mpp_flags);
3276 
3277  clear_prefix();
3278  }
3279 
3280  gc_free(&gc);
3281  return ret;
3282 }
3283 
3284 /*
3285  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3286  * i.e. server -> client direction.
3287  */
3288 bool
3289 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3290 {
3291  struct gc_arena gc = gc_new();
3292  bool ret = true;
3293 
3294  if (BLEN(&m->top.c2.buf) > 0)
3295  {
3296  unsigned int mroute_flags;
3297  struct mroute_addr src, dest;
3298  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3299  int16_t vid = 0;
3300 
3301 
3302 #ifdef MULTI_DEBUG_EVENT_LOOP
3303  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3304 #endif
3305 
3306  if (m->pending)
3307  {
3308  return true;
3309  }
3310 
3311  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3312  {
3313  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3314  if (vid < 0)
3315  {
3316  return false;
3317  }
3318  }
3319 
3320  /*
3321  * Route an incoming tun/tap packet to
3322  * the appropriate multi_instance object.
3323  */
3324 
3325  mroute_flags = mroute_extract_addr_from_packet(&src,
3326  &dest,
3327  vid,
3328  &m->top.c2.buf,
3329  dev_type);
3330 
3331  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3332  {
3333  struct context *c;
3334 
3335  /* broadcast or multicast dest addr? */
3336  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3337  {
3338  /* for now, treat multicast as broadcast */
3339  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
3340  }
3341  else
3342  {
3344 
3345  if (m->pending)
3346  {
3347  /* get instance context */
3348  c = &m->pending->context;
3349 
3350  set_prefix(m->pending);
3351 
3352  {
3353  if (multi_output_queue_ready(m, m->pending))
3354  {
3355  /* transfer packet pointer from top-level context buffer to instance */
3356  c->c2.buf = m->top.c2.buf;
3357  }
3358  else
3359  {
3360  /* drop packet */
3361  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3362  buf_reset_len(&c->c2.buf);
3363  }
3364  }
3365 
3366  /* encrypt in instance context */
3368 
3369  /* postprocess and set wakeup */
3370  ret = multi_process_post(m, m->pending, mpp_flags);
3371 
3372  clear_prefix();
3373  }
3374  }
3375  }
3376  }
3377  gc_free(&gc);
3378  return ret;
3379 }
3380 
3381 /*
3382  * Process a possible client-to-client/bcast/mcast message in the
3383  * queue.
3384  */
3385 struct multi_instance *
3387 {
3388  struct mbuf_item item;
3389 
3390  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3391  {
3392  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
3393 
3394  set_prefix(item.instance);
3395  item.instance->context.c2.buf = item.buffer->buf;
3396  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3397  {
3398  pip_flags |= PIP_MSSFIX;
3399  }
3400  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
3401  encrypt_sign(&item.instance->context, true);
3402  mbuf_free_buf(item.buffer);
3403 
3404  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3405 
3406  clear_prefix();
3407  return item.instance;
3408  }
3409  else
3410  {
3411  return NULL;
3412  }
3413 }
3414 
3415 /*
3416  * Called when an I/O wait times out. Usually means that a particular
3417  * client instance object needs timer-based service.
3418  */
3419 bool
3420 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3421 {
3422  bool ret = true;
3423 
3424 #ifdef MULTI_DEBUG_EVENT_LOOP
3425  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3426 #endif
3427 
3428  /* instance marked for wakeup? */
3429  if (m->earliest_wakeup)
3430  {
3432  {
3435  }
3436  else
3437  {
3439  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3440  clear_prefix();
3441  }
3442  m->earliest_wakeup = NULL;
3443  }
3444  return ret;
3445 }
3446 
3447 /*
3448  * Drop a TUN/TAP outgoing packet..
3449  */
3450 void
3451 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3452 {
3453  struct multi_instance *mi = m->pending;
3454 
3455  ASSERT(mi);
3456 
3457  set_prefix(mi);
3458 
3459  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3460  mi->context.c2.to_tun.len);
3461 
3462  buf_reset(&mi->context.c2.to_tun);
3463 
3464  multi_process_post(m, mi, mpp_flags);
3465  clear_prefix();
3466 }
3467 
3468 /*
3469  * Per-client route quota management
3470  */
3471 
3472 void
3474 {
3475  struct gc_arena gc = gc_new();
3476  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3478  multi_instance_string(mi, false, &gc));
3479  gc_free(&gc);
3480 }
3481 
3482 #ifdef ENABLE_DEBUG
3483 /*
3484  * Flood clients with random packets
3485  */
3486 static void
3487 gremlin_flood_clients(struct multi_context *m)
3488 {
3489  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3490  if (level)
3491  {
3492  struct gc_arena gc = gc_new();
3493  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3494  struct packet_flood_parms parm = get_packet_flood_parms(level);
3495  int i;
3496 
3497  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
3498  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
3499 
3500  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3501  parm.n_packets,
3502  parm.packet_size);
3503 
3504  for (i = 0; i < parm.packet_size; ++i)
3505  {
3506  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3507  }
3508 
3509  for (i = 0; i < parm.n_packets; ++i)
3510  {
3511  multi_bcast(m, &buf, NULL, NULL, 0);
3512  }
3513 
3514  gc_free(&gc);
3515  }
3516 }
3517 #endif /* ifdef ENABLE_DEBUG */
3518 
3519 static bool
3521 {
3522  struct timeval null;
3523  CLEAR(null);
3525 }
3526 
3527 /*
3528  * Process timers in the top-level context
3529  */
3530 void
3532 {
3533  /* possibly reap instances/routes in vhash */
3534  multi_reap_process(m);
3535 
3536  /* possibly print to status log */
3537  if (m->top.c1.status_output)
3538  {
3540  {
3542  }
3543  }
3544 
3545  /* possibly flush ifconfig-pool file */
3546  multi_ifconfig_pool_persist(m, false);
3547 
3548 #ifdef ENABLE_DEBUG
3549  gremlin_flood_clients(m);
3550 #endif
3551 
3552  /* Should we check for stale routes? */
3554  {
3555  check_stale_routes(m);
3556  }
3557 }
3558 
3559 void
3560 multi_top_init(struct multi_context *m, const struct context *top)
3561 {
3562  inherit_context_top(&m->top, top);
3563  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3564 }
3565 
3566 void
3568 {
3569  close_context(&m->top, -1, CC_GC_FREE);
3571 }
3572 
3573 static bool
3575 {
3576  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3577 }
3578 
3579 static void
3581 {
3582  struct hash_iterator hi;
3583  struct hash_element *he;
3584  struct timeval tv;
3585 
3586  /* tell all clients to restart */
3587  hash_iterator_init(m->iter, &hi);
3588  while ((he = hash_iterator_next(&hi)))
3589  {
3590  struct multi_instance *mi = (struct multi_instance *) he->value;
3591  if (!mi->halt)
3592  {
3593  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3595  }
3596  }
3597  hash_iterator_free(&hi);
3598 
3599  /* reschedule signal */
3601  tv.tv_sec = 2;
3602  tv.tv_usec = 0;
3604 
3606 
3611 
3612  m->top.sig->signal_received = 0;
3613 }
3614 
3615 /*
3616  * Return true if event loop should break,
3617  * false if it should continue.
3618  */
3619 bool
3621 {
3622  if (m->top.sig->signal_received == SIGUSR2)
3623  {
3624  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3626  status_close(so);
3627  m->top.sig->signal_received = 0;
3628  return false;
3629  }
3630  else if (proto_is_dgram(m->top.options.ce.proto)
3634  {
3636  return false;
3637  }
3638  return true;
3639 }
3640 
3641 /*
3642  * Called when an instance should be closed due to the
3643  * reception of a soft signal.
3644  */
3645 void
3647 {
3648  remap_signal(&mi->context);
3649  set_prefix(mi);
3650  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3651  clear_prefix();
3652  multi_close_instance(m, mi, false);
3653 }
3654 
3655 static void
3656 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3657 {
3658  mi->context.sig->signal_received = sig;
3660 }
3661 
3662 /*
3663  * Management subsystem callbacks
3664  */
3665 
3666 #ifdef ENABLE_MANAGEMENT
3667 
3668 static void
3669 management_callback_status(void *arg, const int version, struct status_output *so)
3670 {
3671  struct multi_context *m = (struct multi_context *) arg;
3672 
3673  if (!version)
3674  {
3676  }
3677  else
3678  {
3679  multi_print_status(m, so, version);
3680  }
3681 }
3682 
3683 static int
3685 {
3686  struct multi_context *m = (struct multi_context *) arg;
3687  return m->n_clients;
3688 }
3689 
3690 static int
3691 management_callback_kill_by_cn(void *arg, const char *del_cn)
3692 {
3693  struct multi_context *m = (struct multi_context *) arg;
3694  struct hash_iterator hi;
3695  struct hash_element *he;
3696  int count = 0;
3697 
3698  hash_iterator_init(m->iter, &hi);
3699  while ((he = hash_iterator_next(&hi)))
3700  {
3701  struct multi_instance *mi = (struct multi_instance *) he->value;
3702  if (!mi->halt)
3703  {
3704  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3705  if (cn && !strcmp(cn, del_cn))
3706  {
3708  ++count;
3709  }
3710  }
3711  }
3712  hash_iterator_free(&hi);
3713  return count;
3714 }
3715 
3716 static int
3717 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3718 {
3719  struct multi_context *m = (struct multi_context *) arg;
3720  struct hash_iterator hi;
3721  struct hash_element *he;
3722  struct openvpn_sockaddr saddr;
3723  struct mroute_addr maddr;
3724  int count = 0;
3725 
3726  CLEAR(saddr);
3727  saddr.addr.in4.sin_family = AF_INET;
3728  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3729  saddr.addr.in4.sin_port = htons(port);
3730  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3731  {
3732  hash_iterator_init(m->iter, &hi);
3733  while ((he = hash_iterator_next(&hi)))
3734  {
3735  struct multi_instance *mi = (struct multi_instance *) he->value;
3736  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3737  {
3739  ++count;
3740  }
3741  }
3742  hash_iterator_free(&hi);
3743  }
3744  return count;
3745 }
3746 
3747 static void
3749 {
3750  struct multi_context *m = (struct multi_context *) arg;
3751  if (m->mtcp)
3752  {
3753  multi_tcp_delete_event(m->mtcp, event);
3754  }
3755 }
3756 
3757 #endif /* ifdef ENABLE_MANAGEMENT */
3758 
3759 #ifdef ENABLE_MANAGEMENT
3760 
3761 static struct multi_instance *
3762 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3763 {
3764  if (m)
3765  {
3766  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3767  if (mi && !mi->halt)
3768  {
3769  return mi;
3770  }
3771  }
3772  return NULL;
3773 }
3774 
3775 static bool
3776 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3777 {
3778  struct multi_context *m = (struct multi_context *) arg;
3779  struct multi_instance *mi = lookup_by_cid(m, cid);
3780  if (mi)
3781  {
3782  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3784  return true;
3785  }
3786  else
3787  {
3788  return false;
3789  }
3790 }
3791 
3792 static bool
3794  const unsigned long cid,
3795  const char *extra,
3796  unsigned int timeout)
3797 {
3798  struct multi_context *m = (struct multi_context *) arg;
3799  struct multi_instance *mi = lookup_by_cid(m, cid);
3800  if (mi)
3801  {
3802  /* sends INFO_PRE and AUTH_PENDING messages to client */
3803  bool ret = send_auth_pending_messages(mi->context.c2.tls_multi, extra,
3804  timeout);
3807  return ret;
3808  }
3809  return false;
3810 }
3811 
3812 
3813 static bool
3815  const unsigned long cid,
3816  const unsigned int mda_key_id,
3817  const bool auth,
3818  const char *reason,
3819  const char *client_reason,
3820  struct buffer_list *cc_config) /* ownership transferred */
3821 {
3822  struct multi_context *m = (struct multi_context *) arg;
3823  struct multi_instance *mi = lookup_by_cid(m, cid);
3824  bool cc_config_owned = true;
3825  bool ret = false;
3826 
3827  if (mi)
3828  {
3829  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3830  if (ret)
3831  {
3832  if (auth)
3833  {
3835  {
3836  set_cc_config(mi, cc_config);
3837  cc_config_owned = false;
3838  }
3839  }
3840  else if (reason)
3841  {
3842  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3843  }
3844  }
3845  }
3846  if (cc_config_owned && cc_config)
3847  {
3848  buffer_list_free(cc_config);
3849  }
3850  return ret;
3851 }
3852 
3853 static char *
3854 management_get_peer_info(void *arg, const unsigned long cid)
3855 {
3856  struct multi_context *m = (struct multi_context *) arg;
3857  struct multi_instance *mi = lookup_by_cid(m, cid);
3858  char *ret = NULL;
3859 
3860  if (mi)
3861  {
3862  ret = mi->context.c2.tls_multi->peer_info;
3863  }
3864 
3865  return ret;
3866 }
3867 
3868 #endif /* ifdef ENABLE_MANAGEMENT */
3869 
3870 
3871 void
3873 {
3874 #ifdef ENABLE_MANAGEMENT
3875  if (management)
3876  {
3877  struct management_callback cb;
3878  CLEAR(cb);
3879  cb.arg = m;
3880  cb.flags = MCF_SERVER;
3892  }
3893 #endif /* ifdef ENABLE_MANAGEMENT */
3894 }
3895 
3897 {
3898  /* max_clients must be less then max peer-id value */
3900 
3901  for (int i = 0; i < m->max_clients; ++i)
3902  {
3903  if (!m->instances[i])
3904  {
3905  mi->context.c2.tls_multi->peer_id = i;
3906  m->instances[i] = mi;
3907  break;
3908  }
3909  }
3910 
3911  /* should not really end up here, since multi_create_instance returns null
3912  * if amount of clients exceeds max_clients */
3914 }
3915 
3916 
3917 /*
3918  * Top level event loop.
3919  */
3920 void
3922 {
3923  ASSERT(top->options.mode == MODE_SERVER);
3924 
3925  if (proto_is_dgram(top->options.ce.proto))
3926  {
3927  tunnel_server_udp(top);
3928  }
3929  else
3930  {
3931  tunnel_server_tcp(top);
3932  }
3933 }
#define M_NONFATAL
Definition: error.h:99
struct env_set * es
Definition: openvpn.h:408
uint8_t type
Definition: mroute.h:78
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3580
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:187
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2791
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:461
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
#define MR_WITH_NETBITS
Definition: mroute.h:70
static bool is_exit_restart(int sig)
Definition: multi.c:3574
static void register_activity(struct context *c, const int size)
Definition: forward.h:320
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:292
struct buffer to_link
Definition: openvpn.h:367
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1724
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3656
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3451
#define ETT_DEFAULT
Definition: interval.h:213
Security parameter state for processing data channel packets.
Definition: crypto.h:232
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:359
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:163
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:171
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:203
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1128
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:429
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:361
#define REAP_DIVISOR
Definition: multi.h:550
struct key_state key[KS_SIZE]
Definition: ssl_common.h:488
struct iroute * next
Definition: route.h:237
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:153
struct in6_addr reporting_addr_ipv6
Definition: multi.h:122
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2213
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:960
bool did_cid_hash
Definition: multi.h:127
counter_type link_write_bytes
Definition: openvpn.h:271
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:430
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2321
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode)
Definition: multi.c:292
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
#define MULTI_ROUTE_CACHE
Definition: multi.h:226
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:110
#define M_OPTERR
Definition: error.h:109
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:323
int signal_received
Definition: multi.h:61
unsigned int option_types_found
Definition: multi.h:75
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:269
void hash_free(struct hash *hash)
Definition: list.c:65
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:165
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:1994
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2896
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:461
Packet geometry parameters.
Definition: mtu.h:93
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:488
pool_type
Definition: pool.h:35
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1112
#define M_USAGE
Definition: error.h:115
enum ks_auth_state authenticated
Definition: ssl_common.h:247
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:3896
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:167
bool push_ifconfig_defined
Definition: openvpn.h:416
char * peer_info
Definition: ssl_common.h:619
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2546
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:365
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2795
struct mroute_addr::@0::@3 v6
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:455
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:600
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:681
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:505
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4567
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:371
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
in_addr_t push_ifconfig_local
Definition: openvpn.h:418
bool enable_c2c
Definition: options.h:476
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2300
enum multi_status multi_state
Definition: ssl_common.h:588
int push_ifconfig_ipv6_netbits
Definition: options.h:473
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:566
#define D_TLS_ERRORS
Definition: errlevel.h:59
struct in6_addr network
Definition: route.h:241
struct buffer buf
Definition: openvpn.h:365
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1443
unsigned int flags
Definition: mbuf.h:47
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:106
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5141
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3669
#define SIGUSR1
Definition: config-msvc.h:115
const void * key
Definition: list.h:48
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2278
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:526
#define MR_ADDR_MASK
Definition: mroute.h:64
struct multi_reap * reaper
Definition: multi.h:172
struct context_buffers * buffers
Definition: openvpn.h:357
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2021
struct multi_instance * instance
Definition: multi.h:224
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:465
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:423
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:551
bool ifconfig_pool_defined
Definition: options.h:440
void multi_top_free(struct multi_context *m)
Definition: multi.c:3567
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:154
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:544
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:188
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
struct link_socket_info * link_socket_info
This variable is used instead link_socket->info for P2MP UDP childs.
Definition: openvpn.h:241
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:51
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4049
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3748
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:227
in_addr_t remote_netmask
Definition: tun.h:174
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:363
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:425
static int management_callback_n_clients(void *arg)
Definition: multi.c:3684
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:474
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define D_MULTI_DROPPED
Definition: errlevel.h:101
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1553
int status_file_version
Definition: multi.h:177
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:558
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1326
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:103
ifconfig_pool_handle vaddr_handle
Definition: multi.h:113
bool did_iter
Definition: multi.h:125
#define dmsg(flags,...)
Definition: error.h:157
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:114
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3620
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1413
struct event_timeout stale_routes_check_et
Definition: multi.h:197
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
#define MAX_PEER_ID
Definition: openvpn.h:535
int cf_max
Definition: options.h:478
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:486
void pre_select(struct context *c)
Definition: forward.c:1783
unsigned int cache_generation
Definition: mroute.h:132
#define SIGTERM
Definition: config-msvc.h:117
#define SIGHUP
Definition: config-msvc.h:113
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:167
#define MCF_SERVER
Definition: manage.h:156
#define ASSERT(x)
Definition: error.h:204
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2751
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:3776
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:114
in_addr_t ifconfig_pool_end
Definition: options.h:442
static bool check_debug_level(unsigned int level)
Definition: error.h:234
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
const char * client_disconnect_script
Definition: options.h:454
int explicit_exit_notification
Definition: options.h:131
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1240
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3289
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:166
bool platform_unlink(const char *filename)
Definition: platform.c:350
unsigned int flags
Definition: multi.h:228
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:159
int n_clients
Definition: multi.h:178
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:338
at least handler succeeded, no result yet
Definition: ssl_common.h:546
#define MF_UNICAST
Definition: mbuf.h:46
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:224
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:117
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:527
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:1970
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:40
static void clear_prefix(void)
Definition: multi.h:532
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:41
static void setenv_stats(struct context *c)
Definition: multi.c:537
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3717
bool did_real_hash
Definition: multi.h:124
#define MODE_SERVER
Definition: options.h:223
unsigned int data_channel_crypto_flags
Definition: options.h:664
bool use_peer_id
Definition: ssl_common.h:643
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:282
#define PIP_MSSFIX
Definition: forward.h:295
bool initialized
Definition: crypto.h:225
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:213
int netbits
Definition: route.h:236
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:586
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:3762
void status_flush(struct status_output *so)
Definition: status.c:159
int n_clients_delta
Definition: multi.h:131
#define D_MULTI_MEDIUM
Definition: errlevel.h:102
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:443
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool push_request_received
Definition: openvpn.h:415
const char * ncp_ciphers
Definition: options.h:519
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:149
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:43
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:268
int cf_per
Definition: options.h:479
void multi_uninit(struct multi_context *m)
Definition: multi.c:689
bool status_close(struct status_output *so)
Definition: status.c:190
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:78
struct context_1 c1
Level 1 context.
Definition: openvpn.h:501
Definition: mbuf.h:56
#define PIPV4_PASSTOS
Definition: forward.h:294
static void multi_route_del(struct multi_route *route)
Definition: multi.h:477
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:84
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:467
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:414
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:82
in_addr_t push_ifconfig_local
Definition: options.h:464
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3560
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4442
struct frame frame_fragment
Definition: openvpn.h:254
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3691
time_t last_reference
Definition: multi.h:231
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:307
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:2929
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3360
#define OPENVPN_PLUGIN_FUNC_DEFERRED
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:654
in_addr_t local
Definition: tun.h:173
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:160
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3872
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:357
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:737
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:3008
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:98
int stale_routes_check_interval
Definition: options.h:482
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:163
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:378
uint16_t vlan_pvid
Definition: options.h:655
counter_type link_read_bytes
Definition: openvpn.h:269
static const char * np(const char *str)
Definition: simple.c:128
#define counter_format
Definition: common.h:31
int mode
Definition: options.h:224
bool ifconfig_ipv6_pool_defined
Definition: options.h:447
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:430
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1861
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:469
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5161
Key state is not authenticated.
Definition: ssl_common.h:159
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:178
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
int ifconfig_ipv6_netbits
Definition: options.h:277
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:520
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:420
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:50
bool did_iroutes
Definition: multi.h:130
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:12
#define MPP_PRE_SELECT
Definition: multi.h:280
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:736
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:160
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:389
int topology
Definition: options.h:273
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2876
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:233
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:522
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1207
struct iroute * iroutes
Definition: options.h:461
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:682
unsigned int cache_generation
Definition: multi.h:230
struct frame frame
Definition: openvpn.h:248
#define DEV_TYPE_TUN
Definition: proto.h:37
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:833
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2864
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:266
struct timeval timeval
Definition: openvpn.h:384
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:248
int virtual_hash_size
Definition: options.h:452
Definition: schedule.h:44
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3646
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:194
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:424
#define D_MULTI_DEBUG
Definition: errlevel.h:123
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3337
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value...
Definition: multi.c:1920
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:998
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:135
int tcp_queue_limit
Definition: options.h:460
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:133
const char * client_config_dir
Definition: options.h:456
const char * ciphername
Definition: options.h:516
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:110
uint8_t len
Definition: mroute.h:76
#define REAP_MAX
Definition: multi.h:552
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:262
struct multi_instance * pending
Definition: multi.h:185
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:161
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:147
int buckets_per_pass
Definition: multi.h:53
struct gc_arena gc
Definition: multi.h:102
bool vlan_tagging
Definition: options.h:653
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:565
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2417
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:148
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
in_addr_t network
Definition: route.h:235
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise...
Definition: run_command.h:64
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:208
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:463
int bucket_base
Definition: multi.h:52
in_addr_t reporting_addr
Definition: multi.h:121
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:257
int max_routes_per_client
Definition: options.h:481
struct buffer buf
Definition: buffer.h:1106
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2905
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:163
char * config_file
The temporary file name that contains the config directives returned by the client-connect script...
Definition: multi.h:87
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:542
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:225
int n_bcast_buf
Definition: options.h:459
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1887
struct multi_instance * instance
Definition: mbuf.h:53
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:233
int max_clients
Definition: multi.h:175
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:448
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:225
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:230
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1685
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:456
union openvpn_sockaddr::@10 addr
in_addr_t ifconfig_pool_start
Definition: options.h:441
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:158
struct link_socket * link_socket
Definition: openvpn.h:237
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3531
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3878
bool status_trigger(struct status_output *so)
Definition: status.c:135
uint16_t vid
Definition: mroute.h:85
#define M_ERRNO
Definition: error.h:103
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2916
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:148
struct multi_instance * earliest_wakeup
Definition: multi.h:186
struct auth_deferred_status script_auth
Definition: ssl_common.h:257
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:645
#define DEV_TYPE_UNDEF
Definition: proto.h:35
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:168
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1035
struct connection_entry ce
Definition: options.h:252
unsigned long cid_counter
Definition: multi.h:182
bool push_ifconfig_defined
Definition: options.h:463
void schedule_free(struct schedule *s)
Definition: schedule.c:423
struct context_2 c2
Level 2 context.
Definition: openvpn.h:502
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1394
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:135
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:164
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:113
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:169
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:41
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:291
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2322
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:453
#define CCD_DEFAULT
Definition: common.h:62
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:160
static bool management_client_pending_auth(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: multi.c:3793
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:429
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1609
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
in_addr_t ifconfig_pool_netmask
Definition: options.h:443
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:776
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:91
#define SA_SET_IF_NONZERO
Definition: socket.h:366
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:192
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:141
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2487
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1277
#define msg(flags,...)
Definition: error.h:153
int(* n_clients)(void *arg)
Definition: manage.h:164
bool halt
Definition: multi.h:103
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3921
struct buffer_entry * next
Definition: buffer.h:1107
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1641
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:167
#define REAP_MIN
Definition: multi.h:551
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:123
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1217
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1755
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2648
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3386
const char * tmp_dir
Definition: options.h:418
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:255
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2772
struct mroute_addr local
Definition: multi.h:173
unsigned int netbits
Definition: route.h:242
int max_clients
Definition: options.h:480
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:285
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:422
unsigned int uintptr_t
Definition: cmocka.h:103
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:975
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:308
int status_file_version
Definition: options.h:354
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:111
#define SIGINT
Definition: config-msvc.h:114
struct timeval wakeup
Definition: multi.h:110
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3007
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2911
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:162
struct hash * cid_hash
Definition: multi.h:181
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:892
#define SIGUSR2
Definition: config-msvc.h:116
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:175
#define D_VLAN_DEBUG
Definition: errlevel.h:148
struct buffer_list * cc_config
Definition: multi.h:128
bool push_ifconfig_ipv6_defined
Definition: options.h:471
Main OpenVPN server state structure.
Definition: multi.h:152
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:447
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:454
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:473
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:209
time_t last_call
Definition: multi.h:54
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:84
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:283
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:85
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:511
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1854
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:675
struct fragment_master * fragment
Definition: openvpn.h:253
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:587
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1364
struct status_output * status_output
Definition: openvpn.h:180
struct buffer buf
Definition: mbuf.h:43
static int hash_n_elements(const struct hash *hash)
Definition: list.h:129
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:300
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:490
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:451
int n_net_len
Definition: mroute.h:134
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3520
#define MR_ADDR_IPV6
Definition: mroute.h:63
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:239
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:208
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:156
in_addr_t push_ifconfig_local_alias
Definition: options.h:466
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3085
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:517
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:112
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:183
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:256
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:81
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:642
Definition: route.h:234
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:462
static int constrain_int(int x, int min, int max)
Definition: integer.h:95
#define M_WARN
Definition: error.h:100
static int min_int(int x, int y)
Definition: integer.h:82
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:176
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:174
struct frequency_limit * new_connection_limiter
Definition: multi.h:170
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:214
unsigned int flags
Definition: manage.h:157
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:323
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:176
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:191
void * value
Definition: list.h:47
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:238
#define TUNNEL_TYPE(tt)
Definition: tun.h:157
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop for OpenVPN in UDP server mode.
Definition: mudp.c:270
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:137
Detached client connection state.
Definition: multi.h:69
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2453
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:291
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:403
unsigned long cid
Definition: manage.h:44
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:204
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2579
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:826
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:467
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:3854
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:991
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:208
struct link_socket_actual from
Definition: openvpn.h:245
int process_incoming_push_request(struct context *c)
Definition: push.c:850
struct iroute_ipv6 * next
Definition: route.h:243
#define BSTR(buf)
Definition: buffer.h:129
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2116
long int get_random(void)
Definition: crypto.c:1775
TLS connection established but deferred auth not finished.
Definition: ssl_common.h:543
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2549
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:758
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:188
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:135
struct man_def_auth_context mda_context
Definition: openvpn.h:441
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:49
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:160
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:210
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:100
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:851
Definition: argv.h:35
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:373
struct gc_arena gc
Definition: options.h:215
uint8_t netbits
Definition: mroute.h:79
struct buffer to_tun
Definition: openvpn.h:366
in_addr_t push_ifconfig_constraint_network
Definition: options.h:468
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:2994
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2842
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:557
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:58
bool duplicate_cn
Definition: options.h:477
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:67
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:74
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:646
int stale_routes_ageing_time
Definition: options.h:483
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:319
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:163
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:222
struct timeval wakeup
Definition: multi.h:62
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:419
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1249
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:281
struct in6_addr local_ipv6
Definition: tun.h:176
bool(* client_pending_auth)(void *arg, const unsigned long cid, const char *extra, unsigned int timeout)
Definition: manage.h:174
struct mroute_addr addr
Definition: multi.h:223
void status_reset(struct status_output *so)
Definition: status.c:150
const char title_string[]
Definition: options.c:67
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2170
#define D_MULTI_LOW
Definition: errlevel.h:86
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:247
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3420
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:472
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:67
int ifconfig_ipv6_pool_netbits
Definition: options.h:449
int fragment
Definition: options.h:127
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:52
const char * dev_type
Definition: options.h:270
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4517
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3473
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:3814