OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #ifdef HAVE_SYS_INOTIFY_H
29 #include <sys/inotify.h>
30 #define INOTIFY_EVENT_BUFFER_SIZE 16384
31 #endif
32 
33 #include "syshead.h"
34 
35 #include "forward.h"
36 #include "multi.h"
37 #include "push.h"
38 #include "run_command.h"
39 #include "otime.h"
40 #include "gremlin.h"
41 #include "mstats.h"
42 #include "ssl_verify.h"
43 #include "ssl_ncp.h"
44 #include "vlan.h"
45 #include "auth_token.h"
46 #include <inttypes.h>
47 #include <string.h>
48 
49 #include "memdbg.h"
50 
51 
52 #include "crypto_backend.h"
53 #include "ssl_util.h"
54 #include "dco.h"
55 #include "reflect_filter.h"
56 
57 /*#define MULTI_DEBUG_EVENT_LOOP*/
58 
59 #ifdef MULTI_DEBUG_EVENT_LOOP
60 static const char *
61 id(struct multi_instance *mi)
62 {
63  if (mi)
64  {
65  return tls_common_name(mi->context.c2.tls_multi, false);
66  }
67  else
68  {
69  return "NULL";
70  }
71 }
72 #endif
73 
74 #ifdef ENABLE_MANAGEMENT
75 static void
76 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
77 {
78  buffer_list_free(mi->cc_config);
79  mi->cc_config = cc_config;
80 }
81 #endif
82 
83 static inline void
84 update_mstat_n_clients(const int n_clients)
85 {
86 #ifdef ENABLE_MEMSTATS
87  if (mmap_stats)
88  {
89  mmap_stats->n_clients = n_clients;
90  }
91 #endif
92 }
93 
94 static bool
95 learn_address_script(const struct multi_context *m,
96  const struct multi_instance *mi,
97  const char *op,
98  const struct mroute_addr *addr)
99 {
100  struct gc_arena gc = gc_new();
101  struct env_set *es;
102  bool ret = true;
103  struct plugin_list *plugins;
104 
105  /* get environmental variable source */
106  if (mi && mi->context.c2.es)
107  {
108  es = mi->context.c2.es;
109  }
110  else
111  {
112  es = env_set_create(&gc);
113  }
114 
115  /* get plugin source */
116  if (mi)
117  {
118  plugins = mi->context.plugins;
119  }
120  else
121  {
122  plugins = m->top.plugins;
123  }
124 
125  if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
126  {
127  struct argv argv = argv_new();
128  argv_printf(&argv, "%s %s",
129  op,
130  mroute_addr_print(addr, &gc));
131  if (mi)
132  {
133  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
134  }
135  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
136  {
137  msg(M_WARN, "WARNING: learn-address plugin call failed");
138  ret = false;
139  }
140  argv_free(&argv);
141  }
142 
143  if (m->top.options.learn_address_script)
144  {
145  struct argv argv = argv_new();
146  setenv_str(es, "script_type", "learn-address");
147  argv_parse_cmd(&argv, m->top.options.learn_address_script);
148  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
149  if (mi)
150  {
151  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
152  }
153  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
154  {
155  ret = false;
156  }
157  argv_free(&argv);
158  }
159 
160  gc_free(&gc);
161  return ret;
162 }
163 
164 void
165 multi_ifconfig_pool_persist(struct multi_context *m, bool force)
166 {
167  /* write pool data to file */
168  if (m->ifconfig_pool
169  && m->top.c1.ifconfig_pool_persist
170  && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
171  {
172  ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
173  }
174 }
175 
176 static void
177 multi_reap_range(const struct multi_context *m,
178  int start_bucket,
179  int end_bucket)
180 {
181  struct gc_arena gc = gc_new();
182  struct hash_iterator hi;
183  struct hash_element *he;
184 
185  if (start_bucket < 0)
186  {
187  start_bucket = 0;
188  end_bucket = hash_n_buckets(m->vhash);
189  }
190 
191  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
192  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
193  while ((he = hash_iterator_next(&hi)) != NULL)
194  {
195  struct multi_route *r = (struct multi_route *) he->value;
196  if (!multi_route_defined(m, r))
197  {
198  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
199  mroute_addr_print(&r->addr, &gc));
200  learn_address_script(m, NULL, "delete", &r->addr);
201  multi_route_del(r);
202  hash_iterator_delete_element(&hi);
203  }
204  }
205  hash_iterator_free(&hi);
206  gc_free(&gc);
207 }
208 
209 static void
210 multi_reap_all(const struct multi_context *m)
211 {
212  multi_reap_range(m, -1, 0);
213 }
214 
215 static struct multi_reap *
216 multi_reap_new(int buckets_per_pass)
217 {
218  struct multi_reap *mr;
219  ALLOC_OBJ(mr, struct multi_reap);
220  mr->bucket_base = 0;
221  mr->buckets_per_pass = buckets_per_pass;
222  mr->last_call = now;
223  return mr;
224 }
225 
226 void
227 multi_reap_process_dowork(const struct multi_context *m)
228 {
229  struct multi_reap *mr = m->reaper;
230  if (mr->bucket_base >= hash_n_buckets(m->vhash))
231  {
232  mr->bucket_base = 0;
233  }
234  multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
235  mr->bucket_base += mr->buckets_per_pass;
236  mr->last_call = now;
237 }
238 
239 static void
240 multi_reap_free(struct multi_reap *mr)
241 {
242  free(mr);
243 }
244 
245 /*
246  * How many buckets in vhash to reap per pass.
247  */
248 static int
249 reap_buckets_per_pass(int n_buckets)
250 {
251  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
252 }
253 
254 #ifdef ENABLE_MANAGEMENT
255 
256 static uint32_t
257 cid_hash_function(const void *key, uint32_t iv)
258 {
259  const unsigned long *k = (const unsigned long *)key;
260  return (uint32_t) *k;
261 }
262 
263 static bool
264 cid_compare_function(const void *key1, const void *key2)
265 {
266  const unsigned long *k1 = (const unsigned long *)key1;
267  const unsigned long *k2 = (const unsigned long *)key2;
268  return *k1 == *k2;
269 }
270 
271 #endif
272 
273 #ifdef ENABLE_ASYNC_PUSH
274 static uint32_t
275 /*
276  * inotify watcher descriptors are used as hash value
277  */
278 int_hash_function(const void *key, uint32_t iv)
279 {
280  return (unsigned long)key;
281 }
282 
283 static bool
284 int_compare_function(const void *key1, const void *key2)
285 {
286  return (unsigned long)key1 == (unsigned long)key2;
287 }
288 #endif
289 
290 /*
291  * Main initialization function, init multi_context object.
292  */
293 void
294 multi_init(struct multi_context *m, struct context *t)
295 {
296  int dev = DEV_TYPE_UNDEF;
297 
298  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
299  t->options.real_hash_size,
300  t->options.virtual_hash_size);
301 
302  /*
303  * Get tun/tap/null device type
304  */
305  dev = dev_type_enum(t->options.dev, t->options.dev_type);
306 
307  /*
308  * Init our multi_context object.
309  */
310  CLEAR(*m);
311 
312  /*
313  * Real address hash table (source port number is
314  * considered to be part of the address). Used
315  * to determine which client sent an incoming packet
316  * which is seen on the TCP/UDP socket.
317  */
318  m->hash = hash_init(t->options.real_hash_size,
319  get_random(),
320  mroute_addr_hash_function,
321  mroute_addr_compare_function);
322 
323  /*
324  * Virtual address hash table. Used to determine
325  * which client to route a packet to.
326  */
327  m->vhash = hash_init(t->options.virtual_hash_size,
328  get_random(),
329  mroute_addr_hash_function,
330  mroute_addr_compare_function);
331 
332  /*
333  * This hash table is a clone of m->hash but with a
334  * bucket size of one so that it can be used
335  * for fast iteration through the list.
336  */
337  m->iter = hash_init(1,
338  get_random(),
339  mroute_addr_hash_function,
340  mroute_addr_compare_function);
341 
342 #ifdef ENABLE_MANAGEMENT
343  m->cid_hash = hash_init(t->options.real_hash_size,
344  0,
345  cid_hash_function,
346  cid_compare_function);
347 #endif
348 
349 #ifdef ENABLE_ASYNC_PUSH
350  /*
351  * Mapping between inotify watch descriptors and
352  * multi_instances.
353  */
354  m->inotify_watchers = hash_init(t->options.real_hash_size,
355  get_random(),
356  int_hash_function,
357  int_compare_function);
358 #endif
359 
360  /*
361  * This is our scheduler, for time-based wakeup
362  * events.
363  */
364  m->schedule = schedule_init();
365 
366  /*
367  * Limit frequency of incoming connections to control
368  * DoS.
369  */
370  m->new_connection_limiter = frequency_limit_init(t->options.cf_max,
371  t->options.cf_per);
372  m->initial_rate_limiter = initial_rate_limit_init(t->options.cf_initial_max,
373  t->options.cf_initial_per);
374 
375  /*
376  * Allocate broadcast/multicast buffer list
377  */
378  m->mbuf = mbuf_init(t->options.n_bcast_buf);
379 
380  /*
381  * Different status file format options are available
382  */
383  m->status_file_version = t->options.status_file_version;
384 
385  /*
386  * Possibly allocate an ifconfig pool, do it
387  * differently based on whether a tun or tap style
388  * tunnel.
389  */
390  if (t->options.ifconfig_pool_defined
391  || t->options.ifconfig_ipv6_pool_defined)
392  {
393  int pool_type = IFCONFIG_POOL_INDIV;
394 
395  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
396  {
397  pool_type = IFCONFIG_POOL_30NET;
398  }
399 
400  m->ifconfig_pool = ifconfig_pool_init(t->options.ifconfig_pool_defined,
401  pool_type,
402  t->options.ifconfig_pool_start,
403  t->options.ifconfig_pool_end,
404  t->options.duplicate_cn,
405  t->options.ifconfig_ipv6_pool_defined,
406  t->options.ifconfig_ipv6_pool_base,
407  t->options.ifconfig_ipv6_pool_netbits );
408 
409  /* reload pool data from file */
410  if (t->c1.ifconfig_pool_persist)
411  {
412  ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
413  }
414  }
415 
416  /*
417  * Help us keep track of routing table.
418  */
419  m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
420 
421  /*
422  * Initialize route and instance reaper.
423  */
424  m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
425 
426  /*
427  * Get local ifconfig address
428  */
429  CLEAR(m->local);
430  ASSERT(t->c1.tuntap);
431  mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
432 
433  /*
434  * Per-client limits
435  */
436  m->max_clients = t->options.max_clients;
437 
438  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
439 
440  m->top.c2.event_set = t->c2.event_set;
441 
442  /*
443  * Initialize multi-socket I/O wait object
444  */
445  m->multi_io = multi_io_init(t->options.max_clients, &m->max_clients);
446  m->tcp_queue_limit = t->options.tcp_queue_limit;
447 
448  /*
449  * Allow client <-> client communication, without going through
450  * tun/tap interface and network stack?
451  */
452  m->enable_c2c = t->options.enable_c2c;
453 
454  /* initialize stale routes check timer */
455  if (t->options.stale_routes_check_interval > 0)
456  {
457  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
458  t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
459  event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
460  }
461 
462  m->deferred_shutdown_signal.signal_received = 0;
463 }
464 
465 const char *
466 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
467 {
468  if (mi)
469  {
470  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
471  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
472 
473  if (cn)
474  {
475  buf_printf(&out, "%s/", cn);
476  }
477  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
478  if (mi->context.c2.tls_multi
479  && check_debug_level(D_DCO_DEBUG)
480  && dco_enabled(&mi->context.options))
481  {
482  buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
483  }
484  return BSTR(&out);
485  }
486  else if (null)
487  {
488  return NULL;
489  }
490  else
491  {
492  return "UNDEF";
493  }
494 }
495 
496 static void
497 generate_prefix(struct multi_instance *mi)
498 {
499  struct gc_arena gc = gc_new();
500  const char *prefix = multi_instance_string(mi, true, &gc);
501  if (prefix)
502  {
503  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
504  }
505  else
506  {
507  mi->msg_prefix[0] = '\0';
508  }
509  set_prefix(mi);
510  gc_free(&gc);
511 }
512 
513 void
514 ungenerate_prefix(struct multi_instance *mi)
515 {
516  mi->msg_prefix[0] = '\0';
517  set_prefix(mi);
518 }
519 
520 /*
521  * Tell the route helper about deleted iroutes so
522  * that it can update its mask of currently used
523  * CIDR netlengths.
524  */
525 static void
526 multi_del_iroutes(struct multi_context *m,
527  struct multi_instance *mi)
528 {
529  const struct iroute *ir;
530  const struct iroute_ipv6 *ir6;
531 
532  dco_delete_iroutes(m, mi);
533 
534  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
535  {
536  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
537  {
538  mroute_helper_del_iroute46(m->route_helper, ir->netbits);
539  }
540 
541  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
542  {
543  mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
544  }
545  }
546 }
547 
548 static void
549 setenv_stats(struct multi_context *m, struct context *c)
550 {
551  if (dco_enabled(&m->top.options))
552  {
553  if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, false) < 0)
554  {
555  return;
556  }
557  }
558 
559  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
560  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
561 }
562 
563 static void
564 multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
565 {
566  /* setenv client real IP address */
567  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
568 
569  /* setenv stats */
570  setenv_stats(m, &mi->context);
571 
572  /* setenv connection duration */
573  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
574 }
575 
576 static void
577 multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
578 {
579  multi_client_disconnect_setenv(m, mi);
580 
581  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
582  {
583  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
584  {
585  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
586  }
587  }
588 
589  if (mi->context.options.client_disconnect_script)
590  {
591  struct argv argv = argv_new();
592  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
593  argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
594  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
595  argv_free(&argv);
596  }
597 #ifdef ENABLE_MANAGEMENT
598  if (management)
599  {
600  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
601  }
602 #endif
603 }
604 
605 void
606 multi_close_instance(struct multi_context *m,
607  struct multi_instance *mi,
608  bool shutdown)
609 {
610  perf_push(PERF_MULTI_CLOSE_INSTANCE);
611 
612  ASSERT(!mi->halt);
613  mi->halt = true;
614  bool is_dgram = proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto);
615 
616  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
617 
618  /* adjust current client connection count */
619  m->n_clients += mi->n_clients_delta;
620  update_mstat_n_clients(m->n_clients);
621  mi->n_clients_delta = 0;
622 
623  /* prevent dangling pointers */
624  if (m->pending == mi)
625  {
626  multi_set_pending(m, NULL);
627  }
628  if (m->earliest_wakeup == mi)
629  {
630  m->earliest_wakeup = NULL;
631  }
632 
633  if (!shutdown)
634  {
635  if (mi->did_real_hash)
636  {
637  ASSERT(hash_remove(m->hash, &mi->real));
638  }
639  if (mi->did_iter)
640  {
641  ASSERT(hash_remove(m->iter, &mi->real));
642  }
643 #ifdef ENABLE_MANAGEMENT
644  if (mi->did_cid_hash)
645  {
646  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
647  }
648 #endif
649 
650 #ifdef ENABLE_ASYNC_PUSH
651  if (mi->inotify_watch != -1)
652  {
653  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
654  mi->inotify_watch = -1;
655  }
656 #endif
657 
658  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
659  {
660  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
661  }
662 
663  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
664 
665  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
666 
667  if (mi->did_iroutes)
668  {
669  multi_del_iroutes(m, mi);
670  mi->did_iroutes = false;
671  }
672 
673  if (!is_dgram)
674  {
675  multi_tcp_dereference_instance(m->multi_io, mi);
676  }
677 
678  mbuf_dereference_instance(m->mbuf, mi);
679  }
680 
681 #ifdef ENABLE_MANAGEMENT
682  set_cc_config(mi, NULL);
683 #endif
684 
685  if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
686  {
687  multi_client_disconnect_script(m, mi);
688  }
689 
690  close_context(&mi->context, SIGTERM, CC_GC_FREE);
691 
692  multi_tcp_instance_specific_free(mi);
693 
694  ungenerate_prefix(mi);
695 
696  /*
697  * Don't actually delete the instance memory allocation yet,
698  * because virtual routes may still point to it. Let the
699  * vhash reaper deal with it.
700  */
701  multi_instance_dec_refcount(mi);
702 
703  perf_pop();
704 }
705 
706 /*
707  * Called on shutdown or restart.
708  */
709 void
710 multi_uninit(struct multi_context *m)
711 {
712  if (m->hash)
713  {
714  struct hash_iterator hi;
715  struct hash_element *he;
716 
717  hash_iterator_init(m->iter, &hi);
718  while ((he = hash_iterator_next(&hi)))
719  {
720  struct multi_instance *mi = (struct multi_instance *) he->value;
721  mi->did_iter = false;
722  multi_close_instance(m, mi, true);
723  }
724  hash_iterator_free(&hi);
725 
726  multi_reap_all(m);
727 
728  hash_free(m->hash);
729  hash_free(m->vhash);
730  hash_free(m->iter);
731 #ifdef ENABLE_MANAGEMENT
732  hash_free(m->cid_hash);
733 #endif
734  m->hash = NULL;
735 
736  free(m->instances);
737 
738 #ifdef ENABLE_ASYNC_PUSH
739  hash_free(m->inotify_watchers);
740  m->inotify_watchers = NULL;
741 #endif
742 
743  schedule_free(m->schedule);
744  mbuf_free(m->mbuf);
745  ifconfig_pool_free(m->ifconfig_pool);
746  frequency_limit_free(m->new_connection_limiter);
747  initial_rate_limit_free(m->initial_rate_limiter);
748  multi_reap_free(m->reaper);
749  mroute_helper_free(m->route_helper);
750  multi_io_free(m->multi_io);
751  }
752 }
753 
754 /*
755  * Create a client instance object for a newly connected client.
756  */
757 struct multi_instance *
758 multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
759  struct link_socket *sock)
760 {
761  struct gc_arena gc = gc_new();
762  struct multi_instance *mi;
763 
764  perf_push(PERF_MULTI_CREATE_INSTANCE);
765 
766  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
767 
768  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
769 
770  mi->gc = gc_new();
771  multi_instance_inc_refcount(mi);
772  mi->vaddr_handle = -1;
773  mi->created = now;
774  mroute_addr_init(&mi->real);
775 
776  if (real)
777  {
778  mi->real = *real;
779  generate_prefix(mi);
780  }
781 
782  inherit_context_child(&mi->context, &m->top, sock);
783  if (IS_SIG(&mi->context))
784  {
785  goto err;
786  }
787 
788  mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
789 
790  if (hash_n_elements(m->hash) >= m->max_clients)
791  {
792  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
793  goto err;
794  }
795 
796  if (!real) /* TCP mode? */
797  {
798  if (!multi_tcp_instance_specific_init(m, mi))
799  {
800  goto err;
801  }
802  generate_prefix(mi);
803  }
804 
805  if (!hash_add(m->iter, &mi->real, mi, false))
806  {
807  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
808  mroute_addr_print(&mi->real, &gc));
809  goto err;
810  }
811  mi->did_iter = true;
812 
813 #ifdef ENABLE_MANAGEMENT
814  do
815  {
816  mi->context.c2.mda_context.cid = m->cid_counter++;
817  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
818  mi->did_cid_hash = true;
819 #endif
820 
821  mi->context.c2.push_request_received = false;
822 #ifdef ENABLE_ASYNC_PUSH
823  mi->inotify_watch = -1;
824 #endif
825 
826  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
827  {
828  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
829  goto err;
830  }
831 
832  mi->ev_arg.type = EVENT_ARG_MULTI_INSTANCE;
833  mi->ev_arg.u.mi = mi;
834 
835  perf_pop();
836  gc_free(&gc);
837  return mi;
838 
839 err:
840  multi_close_instance(m, mi, false);
841  perf_pop();
842  gc_free(&gc);
843  return NULL;
844 }
845 
846 /*
847  * Dump tables -- triggered by SIGUSR2.
848  * If status file is defined, write to file.
849  * If status file is NULL, write to syslog.
850  */
851 void
852 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
853 {
854  if (m->hash)
855  {
856  struct gc_arena gc_top = gc_new();
857  struct hash_iterator hi;
858  const struct hash_element *he;
859 
860  status_reset(so);
861 
862  if (dco_enabled(&m->top.options))
863  {
864  if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, true) < 0)
865  {
866  return;
867  }
868  }
869 
870  if (version == 1)
871  {
872  /*
873  * Status file version 1
874  */
875  status_printf(so, "OpenVPN CLIENT LIST");
876  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
877  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
878  hash_iterator_init(m->hash, &hi);
879  while ((he = hash_iterator_next(&hi)))
880  {
881  struct gc_arena gc = gc_new();
882  const struct multi_instance *mi = (struct multi_instance *) he->value;
883 
884  if (!mi->halt)
885  {
886  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
887  tls_common_name(mi->context.c2.tls_multi, false),
888  mroute_addr_print(&mi->real, &gc),
889  mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
890  mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
891  time_string(mi->created, 0, false, &gc));
892  }
893  gc_free(&gc);
894  }
895  hash_iterator_free(&hi);
896 
897  status_printf(so, "ROUTING TABLE");
898  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
899  hash_iterator_init(m->vhash, &hi);
900  while ((he = hash_iterator_next(&hi)))
901  {
902  struct gc_arena gc = gc_new();
903  const struct multi_route *route = (struct multi_route *) he->value;
904 
905  if (multi_route_defined(m, route))
906  {
907  const struct multi_instance *mi = route->instance;
908  const struct mroute_addr *ma = &route->addr;
909  char flags[2] = {0, 0};
910 
911  if (route->flags & MULTI_ROUTE_CACHE)
912  {
913  flags[0] = 'C';
914  }
915  status_printf(so, "%s%s,%s,%s,%s",
916  mroute_addr_print(ma, &gc),
917  flags,
918  tls_common_name(mi->context.c2.tls_multi, false),
919  mroute_addr_print(&mi->real, &gc),
920  time_string(route->last_reference, 0, false, &gc));
921  }
922  gc_free(&gc);
923  }
924  hash_iterator_free(&hi);
925 
926  status_printf(so, "GLOBAL STATS");
927  if (m->mbuf)
928  {
929  status_printf(so, "Max bcast/mcast queue length,%d",
930  mbuf_maximum_queued(m->mbuf));
931  }
932 
933  status_printf(so, "END");
934  }
935  else if (version == 2 || version == 3)
936  {
937  const char sep = (version == 3) ? '\t' : ',';
938 
939  /*
940  * Status file version 2 and 3
941  */
942  status_printf(so, "TITLE%c%s", sep, title_string);
943  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
944  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
945  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
946  hash_iterator_init(m->hash, &hi);
947  while ((he = hash_iterator_next(&hi)))
948  {
949  struct gc_arena gc = gc_new();
950  const struct multi_instance *mi = (struct multi_instance *) he->value;
951 
952  if (!mi->halt)
953  {
954  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
955 #ifdef ENABLE_MANAGEMENT
956  "%lu"
957 #else
958  ""
959 #endif
960  "%c%" PRIu32 "%c%s",
961  sep, tls_common_name(mi->context.c2.tls_multi, false),
962  sep, mroute_addr_print(&mi->real, &gc),
963  sep, print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
964  sep, print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc),
965  sep, mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
966  sep, mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
967  sep, time_string(mi->created, 0, false, &gc),
968  sep, (unsigned int)mi->created,
969  sep, tls_username(mi->context.c2.tls_multi, false),
970 #ifdef ENABLE_MANAGEMENT
971  sep, mi->context.c2.mda_context.cid,
972 #else
973  sep,
974 #endif
975  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
976  sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
977  }
978  gc_free(&gc);
979  }
980  hash_iterator_free(&hi);
981 
982  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
983  sep, sep, sep, sep, sep, sep);
984  hash_iterator_init(m->vhash, &hi);
985  while ((he = hash_iterator_next(&hi)))
986  {
987  struct gc_arena gc = gc_new();
988  const struct multi_route *route = (struct multi_route *) he->value;
989 
990  if (multi_route_defined(m, route))
991  {
992  const struct multi_instance *mi = route->instance;
993  const struct mroute_addr *ma = &route->addr;
994  char flags[2] = {0, 0};
995 
996  if (route->flags & MULTI_ROUTE_CACHE)
997  {
998  flags[0] = 'C';
999  }
1000  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1001  sep, mroute_addr_print(ma, &gc), flags,
1002  sep, tls_common_name(mi->context.c2.tls_multi, false),
1003  sep, mroute_addr_print(&mi->real, &gc),
1004  sep, time_string(route->last_reference, 0, false, &gc),
1005  sep, (unsigned int)route->last_reference);
1006  }
1007  gc_free(&gc);
1008  }
1009  hash_iterator_free(&hi);
1010 
1011  if (m->mbuf)
1012  {
1013  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1014  sep, sep, mbuf_maximum_queued(m->mbuf));
1015  }
1016 
1017  status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep, dco_enabled(&m->top.options));
1018  status_printf(so, "END");
1019  }
1020  else
1021  {
1022  status_printf(so, "ERROR: bad status format version number");
1023  }
1024 
1025 #ifdef PACKET_TRUNCATION_CHECK
1026  {
1027  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1028  hash_iterator_init(m->hash, &hi);
1029  while ((he = hash_iterator_next(&hi)))
1030  {
1031  struct gc_arena gc = gc_new();
1032  const struct multi_instance *mi = (struct multi_instance *) he->value;
1033 
1034  if (!mi->halt)
1035  {
1036  status_printf(so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
1037  tls_common_name(mi->context.c2.tls_multi, false),
1038  m->top.c2.n_trunc_tun_read,
1039  mi->context.c2.n_trunc_tun_write,
1040  mi->context.c2.n_trunc_pre_encrypt,
1041  mi->context.c2.n_trunc_post_decrypt);
1042  }
1043  gc_free(&gc);
1044  }
1045  hash_iterator_free(&hi);
1046  }
1047 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1048 
1049  status_flush(so);
1050  gc_free(&gc_top);
1051  }
1052 
1053 #ifdef ENABLE_ASYNC_PUSH
1054  if (m->inotify_watchers)
1055  {
1056  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1057  }
1058 #endif
1059 }
1060 
1061 /*
1062  * Learn a virtual address or route.
1063  * The learn will fail if the learn address
1064  * script/plugin fails. In this case the
1065  * return value may be != mi.
1066  * Return the instance which owns this route,
1067  * or NULL if none.
1068  */
1069 static struct multi_instance *
1070 multi_learn_addr(struct multi_context *m,
1071  struct multi_instance *mi,
1072  const struct mroute_addr *addr,
1073  const unsigned int flags)
1074 {
1075  struct hash_element *he;
1076  const uint32_t hv = hash_value(m->vhash, addr);
1077  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1078  struct multi_route *oldroute = NULL;
1079  struct multi_instance *owner = NULL;
1080  struct gc_arena gc = gc_new();
1081 
1082  /* if route currently exists, get the instance which owns it */
1083  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1084  if (he)
1085  {
1086  oldroute = (struct multi_route *) he->value;
1087  }
1088  if (oldroute && multi_route_defined(m, oldroute))
1089  {
1090  owner = oldroute->instance;
1091  }
1092 
1093  /* do we need to add address to hash table? */
1094  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1095  && !mroute_addr_equal(addr, &m->local))
1096  {
1097  struct multi_route *newroute;
1098  bool learn_succeeded = false;
1099 
1100  ALLOC_OBJ(newroute, struct multi_route);
1101  newroute->addr = *addr;
1102  newroute->instance = mi;
1103  newroute->flags = flags;
1104  newroute->last_reference = now;
1105  newroute->cache_generation = 0;
1106 
1107  /* The cache is invalidated when cache_generation is incremented */
1108  if (flags & MULTI_ROUTE_CACHE)
1109  {
1110  newroute->cache_generation = m->route_helper->cache_generation;
1111  }
1112 
1113  if (oldroute) /* route already exists? */
1114  {
1115  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1116  {
1117  learn_succeeded = true;
1118  owner = mi;
1119  multi_instance_inc_refcount(mi);
1120  route_quota_inc(mi);
1121 
1122  /* delete old route */
1123  multi_route_del(oldroute);
1124 
1125  /* modify hash table entry, replacing old route */
1126  he->key = &newroute->addr;
1127  he->value = newroute;
1128  }
1129  }
1130  else
1131  {
1132  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1133  {
1134  learn_succeeded = true;
1135  owner = mi;
1136  multi_instance_inc_refcount(mi);
1137  route_quota_inc(mi);
1138 
1139  /* add new route */
1140  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1141  }
1142  }
1143 
1144  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1145  learn_succeeded ? "" : " FAILED",
1146  mroute_addr_print(&newroute->addr, &gc),
1147  multi_instance_string(mi, false, &gc));
1148 
1149  if (!learn_succeeded)
1150  {
1151  free(newroute);
1152  }
1153  }
1154  gc_free(&gc);
1155 
1156  return owner;
1157 }
1158 
1159 /*
1160  * Get client instance based on virtual address.
1161  */
1162 static struct multi_instance *
1163 multi_get_instance_by_virtual_addr(struct multi_context *m,
1164  const struct mroute_addr *addr,
1165  bool cidr_routing)
1166 {
1167  struct multi_route *route;
1168  struct multi_instance *ret = NULL;
1169 
1170  /* check for local address */
1171  if (mroute_addr_equal(addr, &m->local))
1172  {
1173  return NULL;
1174  }
1175 
1176  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1177 
1178  /* does host route (possible cached) exist? */
1179  if (route && multi_route_defined(m, route))
1180  {
1181  struct multi_instance *mi = route->instance;
1182  route->last_reference = now;
1183  ret = mi;
1184  }
1185  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1186  {
1187  struct mroute_helper *rh = m->route_helper;
1188  struct mroute_addr tryaddr;
1189  int i;
1190 
1191  /* cycle through each CIDR length */
1192  for (i = 0; i < rh->n_net_len; ++i)
1193  {
1194  tryaddr = *addr;
1195  tryaddr.type |= MR_WITH_NETBITS;
1196  tryaddr.netbits = rh->net_len[i];
1197  mroute_addr_mask_host_bits(&tryaddr);
1198 
1199  /* look up a possible route with netbits netmask */
1200  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1201 
1202  if (route && multi_route_defined(m, route))
1203  {
1204  /* found an applicable route, cache host route */
1205  struct multi_instance *mi = route->instance;
1206  multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1207  ret = mi;
1208  break;
1209  }
1210  }
1211  }
1212 
1213 #ifdef ENABLE_DEBUG
1214  if (check_debug_level(D_MULTI_DEBUG))
1215  {
1216  struct gc_arena gc = gc_new();
1217  const char *addr_text = mroute_addr_print(addr, &gc);
1218  if (ret)
1219  {
1220  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1221  addr_text,
1222  multi_instance_string(ret, false, &gc),
1223  mroute_addr_print(&route->addr, &gc));
1224  }
1225  else
1226  {
1227  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1228  addr_text);
1229  }
1230  gc_free(&gc);
1231  }
1232 #endif
1233 
1234  ASSERT(!(ret && ret->halt));
1235  return ret;
1236 }
1237 
1238 /*
1239  * Helper function to multi_learn_addr().
1240  */
1241 static struct multi_instance *
1242 multi_learn_in_addr_t(struct multi_context *m,
1243  struct multi_instance *mi,
1244  in_addr_t a,
1245  int netbits, /* -1 if host route, otherwise # of network bits in address */
1246  bool primary)
1247 {
1248  struct openvpn_sockaddr remote_si;
1249  struct mroute_addr addr = {0};
1250 
1251  CLEAR(remote_si);
1252  remote_si.addr.in4.sin_family = AF_INET;
1253  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1254  addr.proto = 0;
1255  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1256 
1257  if (netbits >= 0)
1258  {
1259  addr.type |= MR_WITH_NETBITS;
1260  addr.netbits = (uint8_t) netbits;
1261  }
1262 
1263  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1264 #ifdef ENABLE_MANAGEMENT
1265  if (management && owner)
1266  {
1267  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1268  }
1269 #endif
1270  if (!primary)
1271  {
1272  /* "primary" is the VPN ifconfig address of the peer and already
1273  * known to DCO, so only install "extra" iroutes (primary = false)
1274  */
1275  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1276  dco_install_iroute(m, mi, &addr);
1277  }
1278 
1279  return owner;
1280 }
1281 
1282 static struct multi_instance *
1283 multi_learn_in6_addr(struct multi_context *m,
1284  struct multi_instance *mi,
1285  struct in6_addr a6,
1286  int netbits, /* -1 if host route, otherwise # of network bits in address */
1287  bool primary)
1288 {
1289  struct mroute_addr addr = {0};
1290 
1291  addr.len = 16;
1292  addr.type = MR_ADDR_IPV6;
1293  addr.netbits = 0;
1294  addr.v6.addr = a6;
1295 
1296  if (netbits >= 0)
1297  {
1298  addr.type |= MR_WITH_NETBITS;
1299  addr.netbits = (uint8_t) netbits;
1300  mroute_addr_mask_host_bits( &addr );
1301  }
1302 
1303  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1304 #ifdef ENABLE_MANAGEMENT
1305  if (management && owner)
1306  {
1307  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1308  }
1309 #endif
1310  if (!primary)
1311  {
1312  /* "primary" is the VPN ifconfig address of the peer and already
1313  * known to DCO, so only install "extra" iroutes (primary = false)
1314  */
1315  ASSERT(netbits >= 0); /* DCO requires populated netbits */
1316  dco_install_iroute(m, mi, &addr);
1317  }
1318 
1319  return owner;
1320 }
1321 
1322 /*
1323  * A new client has connected, add routes (server -> client)
1324  * to internal routing table.
1325  */
1326 static void
1327 multi_add_iroutes(struct multi_context *m,
1328  struct multi_instance *mi)
1329 {
1330  struct gc_arena gc = gc_new();
1331  const struct iroute *ir;
1332  const struct iroute_ipv6 *ir6;
1333  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1334  {
1335  mi->did_iroutes = true;
1336  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1337  {
1338  if (ir->netbits >= 0)
1339  {
1340  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1341  print_in_addr_t(ir->network, 0, &gc),
1342  ir->netbits,
1343  multi_instance_string(mi, false, &gc));
1344  }
1345  else
1346  {
1347  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1348  print_in_addr_t(ir->network, 0, &gc),
1349  multi_instance_string(mi, false, &gc));
1350  }
1351 
1352  mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1353 
1354  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1355  }
1356  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1357  {
1358  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1359  print_in6_addr(ir6->network, 0, &gc),
1360  ir6->netbits,
1361  multi_instance_string(mi, false, &gc));
1362 
1363  mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1364 
1365  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1366  }
1367  }
1368  gc_free(&gc);
1369 }
1370 
1371 /*
1372  * Given an instance (new_mi), delete all other instances which use the
1373  * same common name.
1374  */
1375 static void
1376 multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1377 {
1378  if (new_mi)
1379  {
1380  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1381  if (new_cn)
1382  {
1383  struct hash_iterator hi;
1384  struct hash_element *he;
1385  int count = 0;
1386 
1387  hash_iterator_init(m->iter, &hi);
1388  while ((he = hash_iterator_next(&hi)))
1389  {
1390  struct multi_instance *mi = (struct multi_instance *) he->value;
1391  if (mi != new_mi && !mi->halt)
1392  {
1393  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1394  if (cn && !strcmp(cn, new_cn))
1395  {
1396  mi->did_iter = false;
1397  multi_close_instance(m, mi, false);
1398  hash_iterator_delete_element(&hi);
1399  ++count;
1400  }
1401  }
1402  }
1403  hash_iterator_free(&hi);
1404 
1405  if (count)
1406  {
1407  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1408  }
1409  }
1410  }
1411 }
1412 
1413 static void
1414 check_stale_routes(struct multi_context *m)
1415 {
1416 
1417  struct gc_arena gc = gc_new();
1418  struct hash_iterator hi;
1419  struct hash_element *he;
1420 
1421  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1422  hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1423  while ((he = hash_iterator_next(&hi)) != NULL)
1424  {
1425  struct multi_route *r = (struct multi_route *) he->value;
1426  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1427  {
1428  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1429  mroute_addr_print(&r->addr, &gc));
1430  learn_address_script(m, NULL, "delete", &r->addr);
1431  multi_route_del(r);
1432  hash_iterator_delete_element(&hi);
1433  }
1434  }
1435  hash_iterator_free(&hi);
1436  gc_free(&gc);
1437 }
1438 
1439 /*
1440  * Ensure that endpoint to be pushed to client
1441  * complies with --ifconfig-push-constraint directive.
1442  */
1443 static bool
1444 ifconfig_push_constraint_satisfied(const struct context *c)
1445 {
1446  const struct options *o = &c->options;
1447  if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1448  {
1449  return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1450  }
1451  else
1452  {
1453  return true;
1454  }
1455 }
1456 
1457 /*
1458  * Select a virtual address for a new client instance.
1459  * Use an --ifconfig-push directive, if given (static IP).
1460  * Otherwise use an --ifconfig-pool address (dynamic IP).
1461  */
1462 static void
1463 multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1464 {
1465  struct gc_arena gc = gc_new();
1466 
1467  /*
1468  * If ifconfig addresses were set by dynamic config file,
1469  * release pool addresses, otherwise keep them.
1470  */
1471  if (mi->context.options.push_ifconfig_defined)
1472  {
1473  /* ifconfig addresses were set statically,
1474  * release dynamic allocation */
1475  if (mi->vaddr_handle >= 0)
1476  {
1477  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1478  mi->vaddr_handle = -1;
1479  }
1480 
1481  mi->context.c2.push_ifconfig_defined = true;
1482  mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1483  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1484  mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1485 
1486  /* the current implementation does not allow "static IPv4, pool IPv6",
1487  * (see below) so issue a warning if that happens - don't break the
1488  * session, though, as we don't even know if this client WANTS IPv6
1489  */
1490  if (mi->context.options.ifconfig_ipv6_pool_defined
1491  && !mi->context.options.push_ifconfig_ipv6_defined)
1492  {
1493  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1494  }
1495  }
1496  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1497  {
1498  in_addr_t local = 0, remote = 0;
1499  struct in6_addr remote_ipv6;
1500  const char *cn = NULL;
1501 
1502  if (!mi->context.options.duplicate_cn)
1503  {
1504  cn = tls_common_name(mi->context.c2.tls_multi, true);
1505  }
1506 
1507  CLEAR(remote_ipv6);
1508  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1509  if (mi->vaddr_handle >= 0)
1510  {
1511  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1512  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1513 
1514  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1515  (mi->context.options.ifconfig_pool_defined
1516  ? print_in_addr_t(remote, 0, &gc)
1517  : "(Not enabled)"),
1518  (mi->context.options.ifconfig_ipv6_pool_defined
1519  ? print_in6_addr( remote_ipv6, 0, &gc )
1520  : "(Not enabled)") );
1521 
1522  if (mi->context.options.ifconfig_pool_defined)
1523  {
1524  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1525  mi->context.c2.push_ifconfig_local = remote;
1526  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1527  {
1528  mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1529  if (!mi->context.c2.push_ifconfig_remote_netmask)
1530  {
1531  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1532  }
1533  }
1534  else if (tunnel_type == DEV_TYPE_TUN)
1535  {
1536  if (tunnel_topology == TOP_P2P)
1537  {
1538  mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1539  }
1540  else if (tunnel_topology == TOP_NET30)
1541  {
1542  mi->context.c2.push_ifconfig_remote_netmask = local;
1543  }
1544  }
1545 
1546  if (mi->context.c2.push_ifconfig_remote_netmask)
1547  {
1548  mi->context.c2.push_ifconfig_defined = true;
1549  }
1550  else
1551  {
1552  msg(D_MULTI_ERRORS,
1553  "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1554  multi_instance_string(mi, false, &gc));
1555  }
1556  }
1557 
1558  if (mi->context.options.ifconfig_ipv6_pool_defined)
1559  {
1560  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1561  mi->context.c2.push_ifconfig_ipv6_remote =
1562  mi->context.c1.tuntap->local_ipv6;
1563  mi->context.c2.push_ifconfig_ipv6_netbits =
1564  mi->context.options.ifconfig_ipv6_netbits;
1565  mi->context.c2.push_ifconfig_ipv6_defined = true;
1566  }
1567  }
1568  else
1569  {
1570  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1571  }
1572  }
1573 
1574  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1575  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1576  * will fail (because no pool will be allocated in this case).
1577  * OTOH, this doesn't make too much sense in reality - and the other
1578  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1579  * -> and so it's implemented right now
1580  */
1581  if (mi->context.options.push_ifconfig_ipv6_defined)
1582  {
1583  mi->context.c2.push_ifconfig_ipv6_local =
1584  mi->context.options.push_ifconfig_ipv6_local;
1585  mi->context.c2.push_ifconfig_ipv6_remote =
1586  mi->context.options.push_ifconfig_ipv6_remote;
1587  mi->context.c2.push_ifconfig_ipv6_netbits =
1588  mi->context.options.push_ifconfig_ipv6_netbits;
1589  mi->context.c2.push_ifconfig_ipv6_defined = true;
1590 
1591  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1592  print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1593  mi->context.c2.push_ifconfig_ipv6_netbits );
1594  }
1595 
1596  gc_free(&gc);
1597 }
1598 
1599 /*
1600  * Set virtual address environmental variables.
1601  */
1602 static void
1603 multi_set_virtual_addr_env(struct multi_instance *mi)
1604 {
1605  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1606  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1607  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1608 
1609  if (mi->context.c2.push_ifconfig_defined)
1610  {
1611  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1612  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1613 
1614  setenv_in_addr_t(mi->context.c2.es,
1615  "ifconfig_pool_remote_ip",
1616  mi->context.c2.push_ifconfig_local,
1617  SA_SET_IF_NONZERO);
1618 
1619  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1620  {
1621  setenv_in_addr_t(mi->context.c2.es,
1622  "ifconfig_pool_netmask",
1623  mi->context.c2.push_ifconfig_remote_netmask,
1624  SA_SET_IF_NONZERO);
1625  }
1626  else if (tunnel_type == DEV_TYPE_TUN)
1627  {
1628  setenv_in_addr_t(mi->context.c2.es,
1629  "ifconfig_pool_local_ip",
1630  mi->context.c2.push_ifconfig_remote_netmask,
1631  SA_SET_IF_NONZERO);
1632  }
1633  }
1634 
1635  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1636  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1637  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1638 
1639  if (mi->context.c2.push_ifconfig_ipv6_defined)
1640  {
1641  setenv_in6_addr(mi->context.c2.es,
1642  "ifconfig_pool_remote",
1643  &mi->context.c2.push_ifconfig_ipv6_local,
1644  SA_SET_IF_NONZERO);
1645  setenv_in6_addr(mi->context.c2.es,
1646  "ifconfig_pool_local",
1647  &mi->context.c2.push_ifconfig_ipv6_remote,
1648  SA_SET_IF_NONZERO);
1649  setenv_int(mi->context.c2.es,
1650  "ifconfig_pool_ip6_netbits",
1651  mi->context.c2.push_ifconfig_ipv6_netbits);
1652  }
1653 }
1654 
1655 /*
1656  * Called after client-connect script is called
1657  */
1658 static void
1659 multi_client_connect_post(struct multi_context *m,
1660  struct multi_instance *mi,
1661  const char *dc_file,
1662  unsigned int *option_types_found)
1663 {
1664  /* Did script generate a dynamic config file? */
1665  if (platform_test_file(dc_file))
1666  {
1667  options_server_import(&mi->context.options,
1668  dc_file,
1669  D_IMPORT_ERRORS|M_OPTERR,
1670  CLIENT_CONNECT_OPT_MASK,
1671  option_types_found,
1672  mi->context.c2.es);
1673 
1674  /*
1675  * If the --client-connect script generates a config file
1676  * with an --ifconfig-push directive, it will override any
1677  * --ifconfig-push directive from the --client-config-dir
1678  * directory or any --ifconfig-pool dynamic address.
1679  */
1680  multi_select_virtual_addr(m, mi);
1681  multi_set_virtual_addr_env(mi);
1682  }
1683 }
1684 
1685 #ifdef ENABLE_PLUGIN
1686 
1687 /*
1688  * Called after client-connect plug-in is called
1689  */
1690 static void
1691 multi_client_connect_post_plugin(struct multi_context *m,
1692  struct multi_instance *mi,
1693  const struct plugin_return *pr,
1694  unsigned int *option_types_found)
1695 {
1696  struct plugin_return config;
1697 
1698  plugin_return_get_column(pr, &config, "config");
1699 
1700  /* Did script generate a dynamic config file? */
1701  if (plugin_return_defined(&config))
1702  {
1703  int i;
1704  for (i = 0; i < config.n; ++i)
1705  {
1706  if (config.list[i] && config.list[i]->value)
1707  {
1708  options_string_import(&mi->context.options,
1709  config.list[i]->value,
1710  D_IMPORT_ERRORS|M_OPTERR,
1711  CLIENT_CONNECT_OPT_MASK,
1712  option_types_found,
1713  mi->context.c2.es);
1714  }
1715  }
1716 
1717  /*
1718  * If the --client-connect script generates a config file
1719  * with an --ifconfig-push directive, it will override any
1720  * --ifconfig-push directive from the --client-config-dir
1721  * directory or any --ifconfig-pool dynamic address.
1722  */
1723  multi_select_virtual_addr(m, mi);
1724  multi_set_virtual_addr_env(mi);
1725  }
1726 }
1727 
1728 #endif /* ifdef ENABLE_PLUGIN */
1729 
1730 
1731 /*
1732  * Called to load management-derived client-connect config
1733  */
1734 enum client_connect_return
1735 multi_client_connect_mda(struct multi_context *m,
1736  struct multi_instance *mi,
1737  bool deferred,
1738  unsigned int *option_types_found)
1739 {
1740  /* We never return CC_RET_DEFERRED */
1741  ASSERT(!deferred);
1742  enum client_connect_return ret = CC_RET_SKIPPED;
1743 #ifdef ENABLE_MANAGEMENT
1744  if (mi->cc_config)
1745  {
1746  struct buffer_entry *be;
1747  for (be = mi->cc_config->head; be != NULL; be = be->next)
1748  {
1749  const char *opt = BSTR(&be->buf);
1750  options_string_import(&mi->context.options,
1751  opt,
1752  D_IMPORT_ERRORS|M_OPTERR,
1753  CLIENT_CONNECT_OPT_MASK,
1754  option_types_found,
1755  mi->context.c2.es);
1756  }
1757 
1758  /*
1759  * If the --client-connect script generates a config file
1760  * with an --ifconfig-push directive, it will override any
1761  * --ifconfig-push directive from the --client-config-dir
1762  * directory or any --ifconfig-pool dynamic address.
1763  */
1764  multi_select_virtual_addr(m, mi);
1765  multi_set_virtual_addr_env(mi);
1766 
1767  ret = CC_RET_SUCCEEDED;
1768  }
1769 #endif /* ifdef ENABLE_MANAGEMENT */
1770  return ret;
1771 }
1772 
1773 static void
1774 multi_client_connect_setenv(struct multi_instance *mi)
1775 {
1776  struct gc_arena gc = gc_new();
1777 
1778  /* setenv incoming cert common name for script */
1779  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1780 
1781  /* setenv client real IP address */
1782  setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1783 
1784  /* setenv client virtual IP address */
1785  multi_set_virtual_addr_env(mi);
1786 
1787  /* setenv connection time */
1788  {
1789  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1790  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1791  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1792  }
1793 
1794  gc_free(&gc);
1795 }
1796 
1803 static bool
1804 multi_client_set_protocol_options(struct context *c)
1805 {
1806  struct tls_multi *tls_multi = c->c2.tls_multi;
1807  const char *const peer_info = tls_multi->peer_info;
1808  struct options *o = &c->options;
1809 
1810 
1811  unsigned int proto = extract_iv_proto(peer_info);
1812  if (proto & IV_PROTO_DATA_V2)
1813  {
1814  tls_multi->use_peer_id = true;
1815  o->use_peer_id = true;
1816  }
1817  else if (dco_enabled(o))
1818  {
1819  msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
1820  "requires DATA_V2. Dropping client.");
1821  auth_set_client_reason(tls_multi, "Data channel negotiation "
1822  "failed (missing DATA_V2)");
1823  return false;
1824  }
1825 
1826  /* Print a warning if we detect the client being in P2P mode and will
1827  * not accept our pushed ciphers */
1828  if (proto & IV_PROTO_NCP_P2P)
1829  {
1830  msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
1831  "option). It will not negotiate ciphers with this server. "
1832  "Expect this connection to fail.");
1833  }
1834 
1835  if (proto & IV_PROTO_REQUEST_PUSH)
1836  {
1837  c->c2.push_request_received = true;
1838  }
1839 
1840 #ifdef HAVE_EXPORT_KEYING_MATERIAL
1841  if (proto & IV_PROTO_TLS_KEY_EXPORT)
1842  {
1843  o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1844  }
1845  else if (o->force_key_material_export)
1846  {
1847  msg(M_INFO, "PUSH: client does not support TLS Keying Material "
1848  "Exporters but --force-tls-key-material-export is enabled.");
1849  auth_set_client_reason(tls_multi, "Client incompatible with this "
1850  "server. Keying Material Exporters (RFC 5705) "
1851  "support missing. Upgrade to a client that "
1852  "supports this feature (OpenVPN 2.6.0+).");
1853  return false;
1854  }
1855  if (proto & IV_PROTO_DYN_TLS_CRYPT)
1856  {
1857  o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1858  }
1859 #endif
1860 
1861  if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1862  {
1863  o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1864  }
1865 
1866  /* Select cipher if client supports Negotiable Crypto Parameters */
1867 
1868  /* if we have already created our key, we cannot *change* our own
1869  * cipher -> so log the fact and push the "what we have now" cipher
1870  * (so the client is always told what we expect it to use)
1871  */
1872  if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1873  {
1874  msg(M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
1875  "server has already generated data channel keys, "
1876  "re-sending previously negotiated cipher '%s'",
1877  o->ciphername );
1878  return true;
1879  }
1880 
1881  /*
1882  * Push the first cipher from --data-ciphers to the client that
1883  * the client announces to be supporting.
1884  */
1885  char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, peer_info,
1886  tls_multi->remote_ciphername,
1887  &o->gc);
1888  if (push_cipher)
1889  {
1890  /* Enable epoch data key format if supported and AEAD cipher in use */
1891  if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported
1892  && (proto & IV_PROTO_DATA_EPOCH) && cipher_kt_mode_aead(push_cipher))
1893  {
1894  o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
1895  }
1896 
1897  o->ciphername = push_cipher;
1898  return true;
1899  }
1900 
1901  /* NCP cipher negotiation failed. Try to figure out why exactly it
1902  * failed and give good error messages and potentially do a fallback
1903  * for non NCP clients */
1904  struct gc_arena gc = gc_new();
1905  bool ret = false;
1906 
1907  const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1908  /* If we are in a situation where we know the client ciphers, there is no
1909  * reason to fall back to a cipher that will not be accepted by the other
1910  * side, in this situation we fail the auth*/
1911  if (strlen(peer_ciphers) > 0)
1912  {
1913  msg(M_INFO, "PUSH: No common cipher between server and client. "
1914  "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
1915  o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
1916  }
1917  else if (tls_multi->remote_ciphername)
1918  {
1919  msg(M_INFO, "PUSH: No common cipher between server and client. "
1920  "Server data-ciphers: '%s'%s, client supports cipher '%s'",
1921  o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc),
1922  tls_multi->remote_ciphername);
1923  }
1924  else
1925  {
1926  msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1927 
1928  if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1929  {
1930  msg(M_INFO, "Using data channel cipher '%s' since "
1931  "--data-ciphers-fallback is set.", o->ciphername);
1932  ret = true;
1933  }
1934  else
1935  {
1936  msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1937  "client is using if you want to allow the client to connect");
1938  }
1939  }
1940  if (!ret)
1941  {
1942  auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1943  "failed (no shared cipher)");
1944  }
1945 
1946  gc_free(&gc);
1947  return ret;
1948 }
1949 
1954 static void
1955 ccs_delete_deferred_ret_file(struct multi_instance *mi)
1956 {
1957  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1958  if (!ccs->deferred_ret_file)
1959  {
1960  return;
1961  }
1962 
1963  setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1964  if (!platform_unlink(ccs->deferred_ret_file))
1965  {
1966  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1967  ccs->deferred_ret_file);
1968  }
1969  free(ccs->deferred_ret_file);
1970  ccs->deferred_ret_file = NULL;
1971 }
1972 
1980 static bool
1981 ccs_gen_deferred_ret_file(struct multi_instance *mi)
1982 {
1983  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1984  struct gc_arena gc = gc_new();
1985  const char *fn;
1986 
1987  /* Delete file if it already exists */
1988  ccs_delete_deferred_ret_file(mi);
1989 
1990  fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1991  if (!fn)
1992  {
1993  gc_free(&gc);
1994  return false;
1995  }
1996  ccs->deferred_ret_file = string_alloc(fn, NULL);
1997 
1998  setenv_str(mi->context.c2.es, "client_connect_deferred_file",
1999  ccs->deferred_ret_file);
2000 
2001  gc_free(&gc);
2002  return true;
2003 }
2004 
2013 static enum client_connect_return
2014 ccs_test_deferred_ret_file(struct multi_instance *mi)
2015 {
2016  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2017  FILE *fp = fopen(ccs->deferred_ret_file, "r");
2018  if (!fp)
2019  {
2020  return CC_RET_SKIPPED;
2021  }
2022 
2023  enum client_connect_return ret = CC_RET_SKIPPED;
2024  const int c = fgetc(fp);
2025  switch (c)
2026  {
2027  case '0':
2028  ret = CC_RET_FAILED;
2029  break;
2030 
2031  case '1':
2032  ret = CC_RET_SUCCEEDED;
2033  break;
2034 
2035  case '2':
2036  ret = CC_RET_DEFERRED;
2037  break;
2038 
2039  case EOF:
2040  if (feof(fp))
2041  {
2042  ret = CC_RET_SKIPPED;
2043  break;
2044  }
2045 
2046  /* Not EOF but other error -> fall through to error state */
2047  default:
2048  /* We received an unknown/unexpected value. Assume failure. */
2049  msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
2050  "client-connect resultfile");
2051  ret = CC_RET_FAILED;
2052  }
2053  fclose(fp);
2054 
2055  return ret;
2056 }
2057 
2063 static void
2064 ccs_delete_config_file(struct multi_instance *mi)
2065 {
2066  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2067  if (ccs->config_file)
2068  {
2069  setenv_del(mi->context.c2.es, "client_connect_config_file");
2070  if (!platform_unlink(ccs->config_file))
2071  {
2072  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
2073  ccs->config_file);
2074  }
2075  free(ccs->config_file);
2076  ccs->config_file = NULL;
2077  }
2078 }
2079 
2087 static bool
2088 ccs_gen_config_file(struct multi_instance *mi)
2089 {
2090  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2091  struct gc_arena gc = gc_new();
2092  const char *fn;
2093 
2094  if (ccs->config_file)
2095  {
2096  ccs_delete_config_file(mi);
2097  }
2098 
2099  fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2100  if (!fn)
2101  {
2102  gc_free(&gc);
2103  return false;
2104  }
2105  ccs->config_file = string_alloc(fn, NULL);
2106 
2107  setenv_str(mi->context.c2.es, "client_connect_config_file",
2108  ccs->config_file);
2109 
2110  gc_free(&gc);
2111  return true;
2112 }
2113 
2114 static enum client_connect_return
2115 multi_client_connect_call_plugin_v1(struct multi_context *m,
2116  struct multi_instance *mi,
2117  bool deferred,
2118  unsigned int *option_types_found)
2119 {
2120  enum client_connect_return ret = CC_RET_SKIPPED;
2121 #ifdef ENABLE_PLUGIN
2122  ASSERT(m);
2123  ASSERT(mi);
2124  ASSERT(option_types_found);
2125  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2126 
2127  /* deprecated callback, use a file for passing back return info */
2128  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2129  {
2130  struct argv argv = argv_new();
2131  int call;
2132 
2133  if (!deferred)
2134  {
2135  call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2136  if (!ccs_gen_config_file(mi)
2137  || !ccs_gen_deferred_ret_file(mi))
2138  {
2139  ret = CC_RET_FAILED;
2140  goto cleanup;
2141  }
2142  }
2143  else
2144  {
2145  call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2146  /* the initial call should have created these files */
2147  ASSERT(ccs->config_file);
2148  ASSERT(ccs->deferred_ret_file);
2149  }
2150 
2151  argv_printf(&argv, "%s", ccs->config_file);
2152  int plug_ret = plugin_call(mi->context.plugins, call,
2153  &argv, NULL, mi->context.c2.es);
2154  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2155  {
2156  ret = CC_RET_SUCCEEDED;
2157  }
2158  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2159  {
2160  ret = CC_RET_DEFERRED;
2166  }
2167  else
2168  {
2169  msg(M_WARN, "WARNING: client-connect plugin call failed");
2170  ret = CC_RET_FAILED;
2171  }
2172 
2173 
2179  int file_ret = ccs_test_deferred_ret_file(mi);
2180 
2181  if (file_ret == CC_RET_FAILED)
2182  {
2183  ret = CC_RET_FAILED;
2184  }
2185  else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2186  {
2187  ret = CC_RET_DEFERRED;
2188  }
2189 
2190  /* if we still think we have succeeded, do postprocessing */
2191  if (ret == CC_RET_SUCCEEDED)
2192  {
2193  multi_client_connect_post(m, mi, ccs->config_file,
2194  option_types_found);
2195  }
2196 cleanup:
2197  argv_free(&argv);
2198 
2199  if (ret != CC_RET_DEFERRED)
2200  {
2201  ccs_delete_config_file(mi);
2202  ccs_delete_deferred_ret_file(mi);
2203  }
2204  }
2205 #endif /* ifdef ENABLE_PLUGIN */
2206  return ret;
2207 }
2208 
2209 static enum client_connect_return
2210 multi_client_connect_call_plugin_v2(struct multi_context *m,
2211  struct multi_instance *mi,
2212  bool deferred,
2213  unsigned int *option_types_found)
2214 {
2215  enum client_connect_return ret = CC_RET_SKIPPED;
2216 #ifdef ENABLE_PLUGIN
2217  ASSERT(m);
2218  ASSERT(mi);
2219  ASSERT(option_types_found);
2220 
2221  int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 :
2222  OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2223  /* V2 callback, use a plugin_return struct for passing back return info */
2224  if (plugin_defined(mi->context.plugins, call))
2225  {
2226  struct plugin_return pr;
2227 
2228  plugin_return_init(&pr);
2229 
2230  int plug_ret = plugin_call(mi->context.plugins, call,
2231  NULL, &pr, mi->context.c2.es);
2232  if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2233  {
2234  multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2235  ret = CC_RET_SUCCEEDED;
2236  }
2237  else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2238  {
2239  ret = CC_RET_DEFERRED;
2240  if (!(plugin_defined(mi->context.plugins,
2241  OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2242  {
2243  msg(M_WARN, "A plugin that defers from the "
2244  "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2245  "declare support for "
2246  "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2247  ret = CC_RET_FAILED;
2248  }
2249  }
2250  else
2251  {
2252  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2253  ret = CC_RET_FAILED;
2254  }
2255 
2256 
2257  plugin_return_free(&pr);
2258  }
2259 #endif /* ifdef ENABLE_PLUGIN */
2260  return ret;
2261 }
2262 
2263 static enum client_connect_return
2264 multi_client_connect_script_deferred(struct multi_context *m,
2265  struct multi_instance *mi,
2266  unsigned int *option_types_found)
2267 {
2268  ASSERT(mi);
2269  ASSERT(option_types_found);
2270  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2271  enum client_connect_return ret = CC_RET_SKIPPED;
2272 
2273  ret = ccs_test_deferred_ret_file(mi);
2274 
2275  if (ret == CC_RET_SKIPPED)
2276  {
2277  /*
2278  * Skipped and deferred are equivalent in this context.
2279  * skipped means that the called program has not yet
2280  * written a return status implicitly needing more time
2281  * while deferred is the explicit notification that it
2282  * needs more time
2283  */
2284  ret = CC_RET_DEFERRED;
2285  }
2286 
2287  if (ret == CC_RET_SUCCEEDED)
2288  {
2289  ccs_delete_deferred_ret_file(mi);
2290  multi_client_connect_post(m, mi, ccs->config_file,
2291  option_types_found);
2292  ccs_delete_config_file(mi);
2293  }
2294  if (ret == CC_RET_FAILED)
2295  {
2296  msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2297  ccs_delete_deferred_ret_file(mi);
2298  ccs_delete_config_file(mi);
2299  }
2300  return ret;
2301 }
2302 
2306 static enum client_connect_return
2307 multi_client_connect_call_script(struct multi_context *m,
2308  struct multi_instance *mi,
2309  bool deferred,
2310  unsigned int *option_types_found)
2311 {
2312  if (deferred)
2313  {
2314  return multi_client_connect_script_deferred(m, mi, option_types_found);
2315  }
2316  ASSERT(m);
2317  ASSERT(mi);
2318 
2319  enum client_connect_return ret = CC_RET_SKIPPED;
2320  struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2321 
2322  if (mi->context.options.client_connect_script)
2323  {
2324  struct argv argv = argv_new();
2325  struct gc_arena gc = gc_new();
2326 
2327  setenv_str(mi->context.c2.es, "script_type", "client-connect");
2328 
2329  if (!ccs_gen_config_file(mi)
2330  || !ccs_gen_deferred_ret_file(mi))
2331  {
2332  ret = CC_RET_FAILED;
2333  goto cleanup;
2334  }
2335 
2336  argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2337  argv_printf_cat(&argv, "%s", ccs->config_file);
2338 
2339  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2340  {
2341  if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2342  {
2343  ret = CC_RET_DEFERRED;
2344  }
2345  else
2346  {
2347  multi_client_connect_post(m, mi, ccs->config_file,
2348  option_types_found);
2349  ret = CC_RET_SUCCEEDED;
2350  }
2351  }
2352  else
2353  {
2354  ret = CC_RET_FAILED;
2355  }
2356 cleanup:
2357  if (ret != CC_RET_DEFERRED)
2358  {
2359  ccs_delete_config_file(mi);
2360  ccs_delete_deferred_ret_file(mi);
2361  }
2362  argv_free(&argv);
2363  gc_free(&gc);
2364  }
2365  return ret;
2366 }
2367 
2368 static bool
2369 multi_client_setup_dco_initial(struct multi_context *m,
2370  struct multi_instance *mi,
2371  struct gc_arena *gc)
2372 {
2373  if (!dco_enabled(&mi->context.options))
2374  {
2375  /* DCO not enabled, nothing to do, return sucess */
2376  return true;
2377  }
2378  int ret = dco_multi_add_new_peer(m, mi);
2379  if (ret < 0)
2380  {
2381  msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)",
2382  multi_instance_string(mi, false, gc), strerror(-ret), ret);
2383  return false;
2384  }
2385 
2386  return true;
2387 }
2388 
2392 static bool
2393 multi_client_generate_tls_keys(struct context *c)
2394 {
2395  struct frame *frame_fragment = NULL;
2396 #ifdef ENABLE_FRAGMENT
2397  if (c->options.ce.fragment)
2398  {
2399  frame_fragment = &c->c2.frame_fragment;
2400  }
2401 #endif
2402  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2403  if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options,
2404  &c->c2.frame, frame_fragment,
2405  get_link_socket_info(c),
2406  &c->c1.tuntap->dco))
2407  {
2408  msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2409  register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2410  return false;
2411  }
2412 
2413  return true;
2414 }
2415 
2416 static void
2417 multi_client_connect_late_setup(struct multi_context *m,
2418  struct multi_instance *mi,
2419  const unsigned int option_types_found)
2420 {
2421  ASSERT(m);
2422  ASSERT(mi);
2423 
2424  struct gc_arena gc = gc_new();
2425  /*
2426  * Process sourced options.
2427  */
2428  do_deferred_options(&mi->context, option_types_found);
2429 
2430  /*
2431  * make sure we got ifconfig settings from somewhere
2432  */
2433  if (!mi->context.c2.push_ifconfig_defined)
2434  {
2435  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote "
2436  "--ifconfig address is available for %s",
2437  multi_instance_string(mi, false, &gc));
2438  }
2439 
2440  /*
2441  * make sure that ifconfig settings comply with constraints
2442  */
2443  if (!ifconfig_push_constraint_satisfied(&mi->context))
2444  {
2445  const char *ifconfig_constraint_network =
2446  print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2447  const char *ifconfig_constraint_netmask =
2448  print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2449 
2450  /* JYFIXME -- this should cause the connection to fail */
2451  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) "
2452  "violates tunnel network/netmask constraint (%s/%s)",
2453  multi_instance_string(mi, false, &gc),
2454  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2455  ifconfig_constraint_network, ifconfig_constraint_netmask);
2456  }
2457 
2458  /* set our client's VPN endpoint for status reporting purposes */
2459  mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2460  mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2461 
2462  /* set context-level authentication flag */
2463  mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2464 
2465  /* Since dco-win maintains iroute routing table (subnet -> peer),
2466  * peer must be added before iroutes. For other platforms it doesn't matter. */
2467 
2468  /* authentication complete, calculate dynamic client specific options */
2469  if (!multi_client_set_protocol_options(&mi->context))
2470  {
2471  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2472  }
2473  /* only continue if setting protocol options worked */
2474  else if (!multi_client_setup_dco_initial(m, mi, &gc))
2475  {
2476  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2477  }
2478  /* Generate data channel keys only if setting protocol options
2479  * and DCO initial setup has not failed */
2480  else if (!multi_client_generate_tls_keys(&mi->context))
2481  {
2482  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2483  }
2484 
2485  /* dco peer has been added, it is now safe for Windows to add iroutes */
2486 
2487  /*
2488  * For routed tunnels, set up internal route to endpoint
2489  * plus add all iroute routes.
2490  */
2491  if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2492  {
2493  if (mi->context.c2.push_ifconfig_defined)
2494  {
2495  multi_learn_in_addr_t(m, mi,
2496  mi->context.c2.push_ifconfig_local,
2497  -1, true);
2498  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2499  multi_instance_string(mi, false, &gc),
2500  print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2501  }
2502 
2503  if (mi->context.c2.push_ifconfig_ipv6_defined)
2504  {
2505  multi_learn_in6_addr(m, mi,
2506  mi->context.c2.push_ifconfig_ipv6_local,
2507  -1, true);
2508  /* TODO: find out where addresses are "unlearned"!! */
2509  const char *ifconfig_local_ipv6 =
2510  print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2511  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2512  multi_instance_string(mi, false, &gc),
2513  ifconfig_local_ipv6);
2514  }
2515 
2516  /* add routes locally, pointing to new client, if
2517  * --iroute options have been specified */
2518  multi_add_iroutes(m, mi);
2519 
2520  /*
2521  * iroutes represent subnets which are "owned" by a particular
2522  * client. Therefore, do not actually push a route to a client
2523  * if it matches one of the client's iroutes.
2524  */
2525  remove_iroutes_from_push_route_list(&mi->context.options);
2526  }
2527  else if (mi->context.options.iroutes)
2528  {
2529  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute "
2530  "only works with tun-style tunnels",
2531  multi_instance_string(mi, false, &gc));
2532  }
2533 
2534  /* send push reply if ready */
2535  if (mi->context.c2.push_request_received)
2536  {
2537  process_incoming_push_request(&mi->context);
2538  }
2539  gc_free(&gc);
2540 }
2541 
2542 static void
2543 multi_client_connect_early_setup(struct multi_context *m,
2544  struct multi_instance *mi)
2545 {
2546  ASSERT(mi->context.c1.tuntap);
2547  /*
2548  * lock down the common name and cert hashes so they can't change
2549  * during future TLS renegotiations
2550  */
2551  tls_lock_common_name(mi->context.c2.tls_multi);
2552  tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2553 
2554  /* generate a msg() prefix for this client instance */
2555  generate_prefix(mi);
2556 
2557  /* delete instances of previous clients with same common-name */
2558  if (!mi->context.options.duplicate_cn)
2559  {
2560  multi_delete_dup(m, mi);
2561  }
2562 
2563  /* reset pool handle to null */
2564  mi->vaddr_handle = -1;
2565 
2566  /* do --client-connect setenvs */
2567  multi_select_virtual_addr(m, mi);
2568 
2569  multi_client_connect_setenv(mi);
2570 }
2571 
2578 static enum client_connect_return
2579 multi_client_connect_compress_migrate(struct multi_context *m,
2580  struct multi_instance *mi,
2581  bool deferred,
2582  unsigned int *option_types_found)
2583 {
2584 #ifdef USE_COMP
2585  struct options *o = &mi->context.options;
2586  const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2587 
2588  if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2589  {
2590  if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2591  {
2592  push_option(o, "compress stub-v2", M_USAGE);
2593  }
2594  else
2595  {
2596  /* Client is old and does not support STUBv2 but since it
2597  * announced comp-lzo via OCC we assume it uses comp-lzo, so
2598  * switch to that and push the uncompressed variant. */
2599  push_option(o, "comp-lzo no", M_USAGE);
2600  o->comp.alg = COMP_ALG_STUB;
2601  *option_types_found |= OPT_P_COMP;
2602  }
2603  }
2604 #endif
2605  return CC_RET_SUCCEEDED;
2606 }
2607 
2612 static enum client_connect_return
2613 multi_client_connect_source_ccd(struct multi_context *m,
2614  struct multi_instance *mi,
2615  bool deferred,
2616  unsigned int *option_types_found)
2617 {
2618  /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2619  * problem */
2620  ASSERT(!deferred);
2621  enum client_connect_return ret = CC_RET_SKIPPED;
2622  if (mi->context.options.client_config_dir)
2623  {
2624  struct gc_arena gc = gc_new();
2625  const char *ccd_file = NULL;
2626 
2627  const char *ccd_client =
2628  platform_gen_path(mi->context.options.client_config_dir,
2629  tls_common_name(mi->context.c2.tls_multi, false),
2630  &gc);
2631 
2632  const char *ccd_default =
2633  platform_gen_path(mi->context.options.client_config_dir,
2634  CCD_DEFAULT, &gc);
2635 
2636 
2637  /* try common-name file */
2638  if (platform_test_file(ccd_client))
2639  {
2640  ccd_file = ccd_client;
2641  }
2642  /* try default file */
2643  else if (platform_test_file(ccd_default))
2644  {
2645  ccd_file = ccd_default;
2646  }
2647 
2648  if (ccd_file)
2649  {
2650  options_server_import(&mi->context.options,
2651  ccd_file,
2652  D_IMPORT_ERRORS|M_OPTERR,
2653  CLIENT_CONNECT_OPT_MASK,
2654  option_types_found,
2655  mi->context.c2.es);
2656  /*
2657  * Select a virtual address from either --ifconfig-push in
2658  * --client-config-dir file or --ifconfig-pool.
2659  */
2660  multi_select_virtual_addr(m, mi);
2661 
2662  multi_client_connect_setenv(mi);
2663 
2664  ret = CC_RET_SUCCEEDED;
2665  }
2666  gc_free(&gc);
2667  }
2668  return ret;
2669 }
2670 
2671 typedef enum client_connect_return (*multi_client_connect_handler)
2672  (struct multi_context *m, struct multi_instance *mi,
2673  bool from_deferred, unsigned int *option_types_found);
2674 
2675 static const multi_client_connect_handler client_connect_handlers[] = {
2676  multi_client_connect_compress_migrate,
2677  multi_client_connect_source_ccd,
2678  multi_client_connect_call_plugin_v1,
2679  multi_client_connect_call_plugin_v2,
2680  multi_client_connect_call_script,
2681  multi_client_connect_mda,
2682  NULL,
2683 };
2684 
2689 static bool
2690 override_locked_username(struct multi_instance *mi)
2691 {
2692  struct tls_multi *multi = mi->context.c2.tls_multi;
2693  struct options *options = &mi->context.options;
2694  struct tls_session *session = &multi->session[TM_ACTIVE];
2695 
2696  if (!multi->locked_username)
2697  {
2698  msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
2699  "user/password method is enabled. Enable "
2700  "--management-client-auth, --auth-user-pass-verify, or a "
2701  "plugin with user/password verify capability.");
2702  return false;
2703  }
2704 
2705  if (!multi->locked_original_username
2706  && strcmp(multi->locked_username, options->override_username) != 0)
2707  {
2708  multi->locked_original_username = multi->locked_username;
2709  multi->locked_username = strdup(options->override_username);
2710 
2711  /* Override also the common name if username should be set as common
2712  * name */
2713  if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
2714  {
2715  set_common_name(session, multi->locked_username);
2716  free(multi->locked_cn);
2717  multi->locked_cn = NULL;
2718  tls_lock_common_name(multi);
2719  }
2720 
2721  /* Regenerate the auth-token if enabled */
2722  if (multi->auth_token_initial)
2723  {
2724  struct user_pass up;
2725  CLEAR(up);
2726  strncpynt(up.username, multi->locked_username,
2727  sizeof(up.username));
2728 
2729  generate_auth_token(&up, multi);
2730  }
2731 
2732  msg(D_MULTI_LOW, "MULTI: Note, override-username changes username "
2733  "from '%s' to '%s'",
2734  multi->locked_original_username,
2735  multi->locked_username);
2736  }
2737  return true;
2738 }
2739 /*
2740  * Called as soon as the SSL/TLS connection is authenticated.
2741  *
2742  * Will collect the client specific configuration from the different
2743  * sources like ccd files, connect plugins and management interface.
2744  *
2745  * This method starts with cas_context CAS_PENDING and will move the
2746  * state machine to either CAS_SUCCEEDED on success or
2747  * CAS_FAILED/CAS_PARTIAL on failure.
2748  *
2749  * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2750  * include:
2751  *
2752  * iroute start-ip end-ip
2753  * ifconfig-push local remote-netmask
2754  * push
2755  *
2756  *
2757  */
2758 static void
2759 multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2760 {
2761  /* We are only called for the CAS_PENDING_x states, so we
2762  * can ignore other states here */
2763  bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2764 
2765  int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2766  unsigned int *option_types_found =
2767  &mi->client_connect_defer_state.option_types_found;
2768 
2769  /* We are called for the first time */
2770  if (!from_deferred)
2771  {
2772  *cur_handler_index = 0;
2773  *option_types_found = 0;
2774  /* Initially we have no handler that has returned a result */
2775  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2776 
2777  multi_client_connect_early_setup(m, mi);
2778  }
2779 
2780  bool cc_succeeded = true;
2781 
2782  while (cc_succeeded
2783  && client_connect_handlers[*cur_handler_index] != NULL)
2784  {
2785  enum client_connect_return ret;
2786  ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred,
2787  option_types_found);
2788 
2789  from_deferred = false;
2790 
2791  switch (ret)
2792  {
2793  case CC_RET_SUCCEEDED:
2794  /*
2795  * Remember that we already had at least one handler
2796  * returning a result should we go to into deferred state
2797  */
2798  mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2799  break;
2800 
2801  case CC_RET_SKIPPED:
2802  /*
2803  * Move on with the next handler without modifying any
2804  * other state
2805  */
2806  break;
2807 
2808  case CC_RET_DEFERRED:
2809  /*
2810  * we already set multi_status to DEFERRED_RESULT or
2811  * DEFERRED_NO_RESULT. We just return
2812  * from the function as having multi_status
2813  */
2814  return;
2815 
2816  case CC_RET_FAILED:
2817  /*
2818  * One handler failed. We abort the chain and set the final
2819  * result to failed
2820  */
2821  cc_succeeded = false;
2822  break;
2823 
2824  default:
2825  ASSERT(0);
2826  }
2827 
2828  /*
2829  * Check for "disable" directive in client-config-dir file
2830  * or config file generated by --client-connect script.
2831  */
2832  if (mi->context.options.disable)
2833  {
2834  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2835  "'disable' directive");
2836  cc_succeeded = false;
2837  }
2838 
2839  (*cur_handler_index)++;
2840  }
2841 
2842  if (mi->context.options.override_username)
2843  {
2844  if (!override_locked_username(mi))
2845  {
2846  cc_succeeded = false;
2847  }
2848  }
2849 
2850  /* Check if we have forbidding options in the current mode */
2851  if (dco_enabled(&mi->context.options)
2852  && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2853  {
2854  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2855  cc_succeeded = false;
2856  }
2857 
2858  if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
2859  {
2860  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2861  cc_succeeded = false;
2862  }
2863 
2864  if (cc_succeeded)
2865  {
2866  multi_client_connect_late_setup(m, mi, *option_types_found);
2867  }
2868  else
2869  {
2870  /* run the disconnect script if we had a connect script that
2871  * did not fail */
2872  if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2873  {
2874  multi_client_disconnect_script(m, mi);
2875  }
2876 
2877  mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2878  }
2879 
2880  /* increment number of current authenticated clients */
2881  ++m->n_clients;
2882  update_mstat_n_clients(m->n_clients);
2883  --mi->n_clients_delta;
2884 
2885 #ifdef ENABLE_MANAGEMENT
2886  if (management)
2887  {
2888  management_connection_established(management,
2889  &mi->context.c2.mda_context, mi->context.c2.es);
2890  }
2891 #endif
2892 }
2893 
2894 #ifdef ENABLE_ASYNC_PUSH
2895 /*
2896  * Called when inotify event is fired, which happens when acf
2897  * or connect-status file is closed or deleted.
2898  * Continues authentication and sends push_reply
2899  * (or be deferred again by client-connect)
2900  */
2901 void
2902 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2903 {
2904  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2905  size_t buffer_i = 0;
2906  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2907 
2908  while (buffer_i < r)
2909  {
2910  /* parse inotify events */
2911  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2912  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2913  buffer_i += event_size;
2914 
2915  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2916 
2917  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2918 
2919  if (pevent->mask & IN_CLOSE_WRITE)
2920  {
2921  if (mi)
2922  {
2923  /* continue authentication, perform NCP negotiation and send push_reply */
2924  multi_process_post(m, mi, mpp_flags);
2925  }
2926  else
2927  {
2928  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2929  }
2930  }
2931  else if (pevent->mask & IN_IGNORED)
2932  {
2933  /* this event is _always_ fired when watch is removed or file is deleted */
2934  if (mi)
2935  {
2936  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2937  mi->inotify_watch = -1;
2938  }
2939  }
2940  else
2941  {
2942  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2943  }
2944  }
2945 }
2946 #endif /* ifdef ENABLE_ASYNC_PUSH */
2947 
2948 /*
2949  * Add a mbuf buffer to a particular
2950  * instance.
2951  */
2952 void
2953 multi_add_mbuf(struct multi_context *m,
2954  struct multi_instance *mi,
2955  struct mbuf_buffer *mb)
2956 {
2957  if (multi_output_queue_ready(m, mi))
2958  {
2959  struct mbuf_item item;
2960  item.buffer = mb;
2961  item.instance = mi;
2962  mbuf_add_item(m->mbuf, &item);
2963  }
2964  else
2965  {
2966  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2967  }
2968 }
2969 
2970 /*
2971  * Add a packet to a client instance output queue.
2972  */
2973 static inline void
2974 multi_unicast(struct multi_context *m,
2975  const struct buffer *buf,
2976  struct multi_instance *mi)
2977 {
2978  struct mbuf_buffer *mb;
2979 
2980  if (BLEN(buf) > 0)
2981  {
2982  mb = mbuf_alloc_buf(buf);
2983  mb->flags = MF_UNICAST;
2984  multi_add_mbuf(m, mi, mb);
2985  mbuf_free_buf(mb);
2986  }
2987 }
2988 
2989 /*
2990  * Broadcast a packet to all clients.
2991  */
2992 static void
2993 multi_bcast(struct multi_context *m,
2994  const struct buffer *buf,
2995  const struct multi_instance *sender_instance,
2996  uint16_t vid)
2997 {
2998  struct hash_iterator hi;
2999  struct hash_element *he;
3000  struct multi_instance *mi;
3001  struct mbuf_buffer *mb;
3002 
3003  if (BLEN(buf) > 0)
3004  {
3005  perf_push(PERF_MULTI_BCAST);
3006 #ifdef MULTI_DEBUG_EVENT_LOOP
3007  printf("BCAST len=%d\n", BLEN(buf));
3008 #endif
3009  mb = mbuf_alloc_buf(buf);
3010  hash_iterator_init(m->iter, &hi);
3011 
3012  while ((he = hash_iterator_next(&hi)))
3013  {
3014  mi = (struct multi_instance *) he->value;
3015  if (mi != sender_instance && !mi->halt)
3016  {
3017  if (vid != 0 && vid != mi->context.options.vlan_pvid)
3018  {
3019  continue;
3020  }
3021  multi_add_mbuf(m, mi, mb);
3022  }
3023  }
3024 
3025  hash_iterator_free(&hi);
3026  mbuf_free_buf(mb);
3027  perf_pop();
3028  }
3029 }
3030 
3031 /*
3032  * Given a time delta, indicating that we wish to be
3033  * awoken by the scheduler at time now + delta, figure
3034  * a sigma parameter (in microseconds) that represents
3035  * a sort of fuzz factor around delta, so that we're
3036  * really telling the scheduler to wake us up any time
3037  * between now + delta - sigma and now + delta + sigma.
3038  *
3039  * The sigma parameter helps the scheduler to run more efficiently.
3040  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
3041  */
3042 static inline unsigned int
3043 compute_wakeup_sigma(const struct timeval *delta)
3044 {
3045  if (delta->tv_sec < 1)
3046  {
3047  /* if < 1 sec, fuzz = # of microseconds / 8 */
3048  return delta->tv_usec >> 3;
3049  }
3050  else
3051  {
3052  /* if < 10 minutes, fuzz = 13.1% of timeout */
3053  if (delta->tv_sec < 600)
3054  {
3055  return delta->tv_sec << 17;
3056  }
3057  else
3058  {
3059  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
3060  }
3061  }
3062 }
3063 
3064 static void
3065 multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
3066 {
3067  /* calculate an absolute wakeup time */
3068  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
3069  tv_add(&mi->wakeup, &mi->context.c2.timeval);
3070 
3071  /* tell scheduler to wake us up at some point in the future */
3072  schedule_add_entry(m->schedule,
3073  (struct schedule_entry *) mi,
3074  &mi->wakeup,
3075  compute_wakeup_sigma(&mi->context.c2.timeval));
3076 }
3077 
3078 #if defined(ENABLE_ASYNC_PUSH)
3079 static void
3080 add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi,
3081  int inotify_fd, const char *file)
3082 {
3083  /* watch acf file */
3084  long watch_descriptor = inotify_add_watch(inotify_fd, file,
3085  IN_CLOSE_WRITE | IN_ONESHOT);
3086  if (watch_descriptor >= 0)
3087  {
3088  if (mi->inotify_watch != -1)
3089  {
3090  hash_remove(m->inotify_watchers,
3091  (void *) (unsigned long)mi->inotify_watch);
3092  }
3093  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor,
3094  mi, true);
3095  mi->inotify_watch = watch_descriptor;
3096  }
3097  else
3098  {
3099  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3100  }
3101 }
3102 #endif /* if defined(ENABLE_ASYNC_PUSH) */
3103 
3104 /*
3105  * Figure instance-specific timers, convert
3106  * earliest to absolute time in mi->wakeup,
3107  * call scheduler with our future wakeup time.
3108  *
3109  * Also close context on signal.
3110  */
3111 bool
3112 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3113 {
3114  bool ret = true;
3115 
3116  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3117  {
3118 #if defined(ENABLE_ASYNC_PUSH)
3119  bool was_unauthenticated = true;
3120  struct key_state *ks = NULL;
3121  if (mi->context.c2.tls_multi)
3122  {
3123  ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3124  was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3125  }
3126 #endif
3127 
3128  /* figure timeouts and fetch possible outgoing
3129  * to_link packets (such as ping or TLS control) */
3130  pre_select(&mi->context);
3131 
3132 #if defined(ENABLE_ASYNC_PUSH)
3133  /*
3134  * if we see the state transition from unauthenticated to deferred
3135  * and an auth_control_file, we assume it got just added and add
3136  * inotify watch to that file
3137  */
3138  if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3139  && (ks->authenticated == KS_AUTH_DEFERRED))
3140  {
3141  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3142  ks->plugin_auth.auth_control_file);
3143  }
3144  if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3145  && (ks->authenticated == KS_AUTH_DEFERRED))
3146  {
3147  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3148  ks->script_auth.auth_control_file);
3149  }
3150 #endif
3151 
3152  if (!IS_SIG(&mi->context))
3153  {
3154  /* connection is "established" when SSL/TLS key negotiation succeeds
3155  * and (if specified) auth user/pass succeeds */
3156 
3157  if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3158  {
3159  multi_connection_established(m, mi);
3160  }
3161 #if defined(ENABLE_ASYNC_PUSH)
3162  if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3163  && mi->client_connect_defer_state.deferred_ret_file)
3164  {
3165  add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3166  mi->client_connect_defer_state.
3167  deferred_ret_file);
3168  }
3169 #endif
3170  /* tell scheduler to wake us up at some point in the future */
3171  multi_schedule_context_wakeup(m, mi);
3172  }
3173  }
3174 
3175  if (IS_SIG(&mi->context))
3176  {
3177  if (flags & MPP_CLOSE_ON_SIGNAL)
3178  {
3179  multi_close_instance_on_signal(m, mi);
3180  ret = false;
3181  }
3182  }
3183  else
3184  {
3185  /* continue to pend on output? */
3186  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3187 
3188 #ifdef MULTI_DEBUG_EVENT_LOOP
3189  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
3190  id(mi),
3191  (int) (mi == m->pending),
3192  mi ? mi->context.c2.to_tun.len : -1,
3193  mi ? mi->context.c2.to_link.len : -1,
3194  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3195  (int64_t)mi->context.c2.timeval.tv_sec,
3196  (long)mi->context.c2.timeval.tv_usec);
3197 #endif
3198  }
3199 
3200  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3201  {
3202  *m->mpp_touched = mi;
3203  }
3204 
3205  return ret;
3206 }
3207 
3208 void
3209 multi_process_float(struct multi_context *m, struct multi_instance *mi,
3210  struct link_socket *sock)
3211 {
3212  struct mroute_addr real = {0};
3213  struct hash *hash = m->hash;
3214  struct gc_arena gc = gc_new();
3215 
3216  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3217  {
3218  goto done;
3219  }
3220 
3221  const uint32_t hv = hash_value(hash, &real);
3222  struct hash_bucket *bucket = hash_bucket(hash, hv);
3223 
3224  /* make sure that we don't float to an address taken by another client */
3225  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3226  if (he)
3227  {
3228  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
3229 
3230  struct tls_multi *m1 = mi->context.c2.tls_multi;
3231  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3232 
3233  /* do not float if target address is taken by client with another cert */
3234  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3235  {
3236  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3237  multi_instance_string(ex_mi, false, &gc));
3238 
3239  mi->context.c2.buf.len = 0;
3240 
3241  goto done;
3242  }
3243 
3244  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
3245  multi_close_instance(m, ex_mi, false);
3246  }
3247 
3248  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3249  mi->context.c2.tls_multi->peer_id,
3250  tls_common_name(mi->context.c2.tls_multi, false),
3251  mroute_addr_print(&mi->real, &gc),
3252  print_link_socket_actual(&m->top.c2.from, &gc));
3253 
3254  /* remove old address from hash table before changing address */
3255  ASSERT(hash_remove(m->hash, &mi->real));
3256  ASSERT(hash_remove(m->iter, &mi->real));
3257 
3258  /* change external network address of the remote peer */
3259  mi->real = real;
3260  generate_prefix(mi);
3261 
3262  mi->context.c2.from = m->top.c2.from;
3263  mi->context.c2.to_link_addr = &mi->context.c2.from;
3264 
3265  /* inherit parent link_socket and link_socket_info */
3266  mi->context.c2.link_sockets[0] = sock;
3267  mi->context.c2.link_socket_infos[0]->lsa->actual = m->top.c2.from;
3268 
3269  tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3270 
3271  ASSERT(hash_add(m->hash, &mi->real, mi, false));
3272  ASSERT(hash_add(m->iter, &mi->real, mi, false));
3273 
3274 #ifdef ENABLE_MANAGEMENT
3275  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3276 #endif
3277 
3278 done:
3279  gc_free(&gc);
3280 }
3281 
3282 /*
3283  * Called when an instance should be closed due to the
3284  * reception of a soft signal.
3285  */
3286 void
3287 multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3288 {
3289  remap_signal(&mi->context);
3290  set_prefix(mi);
3291  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3292  clear_prefix();
3293  multi_close_instance(m, mi, false);
3294 }
3295 
3296 #if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) || defined(ENABLE_MANAGEMENT)
3297 static void
3298 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3299 {
3300  mi->context.sig->signal_received = sig;
3301  multi_close_instance_on_signal(m, mi);
3302 }
3303 #endif
3304 
3305 #if defined(ENABLE_DCO) \
3306  && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(TARGET_WIN32))
3307 static void
3308 process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi,
3309  dco_context_t *dco)
3310 {
3311  const char *reason = "ovpn-dco: unknown reason";
3312  switch (dco->dco_del_peer_reason)
3313  {
3314  case OVPN_DEL_PEER_REASON_EXPIRED:
3315  reason = "ovpn-dco: ping expired";
3316  break;
3317 
3318  case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3319  reason = "ovpn-dco: transport error";
3320  break;
3321 
3322  case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3323  reason = "ovpn-dco: transport disconnected";
3324  break;
3325 
3326  case OVPN_DEL_PEER_REASON_USERSPACE:
3327  /* We assume that is ourselves. Unfortunately, sometimes these
3328  * events happen with enough delay that they can have an order of
3329  *
3330  * dco_del_peer x
3331  * [new client connecting]
3332  * dco_new_peer x
3333  * event from dco_del_peer arrives.
3334  *
3335  * if we do not ignore this we get desynced with the kernel
3336  * since we assume the peer-id is free again. The other way would
3337  * be to send a dco_del_peer again
3338  */
3339  return;
3340  }
3341 
3342  /* When kernel already deleted the peer, the socket is no longer
3343  * installed, and we do not need to clean up the state in the kernel */
3344  mi->context.c2.tls_multi->dco_peer_id = -1;
3345  mi->context.sig->signal_text = reason;
3346  mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3347  mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3348  multi_signal_instance(m, mi, SIGTERM);
3349 }
3350 
3351 bool
3352 multi_process_incoming_dco(struct multi_context *m)
3353 {
3354  dco_context_t *dco = &m->top.c1.tuntap->dco;
3355 
3356  struct multi_instance *mi = NULL;
3357 
3358  int ret = dco_do_read(&m->top.c1.tuntap->dco);
3359 
3360  int peer_id = dco->dco_message_peer_id;
3361 
3362  /* no peer-specific message delivered -> nothing to process.
3363  * bail out right away
3364  */
3365  if (peer_id < 0)
3366  {
3367  return ret > 0;
3368  }
3369 
3370  if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3371  {
3372  mi = m->instances[peer_id];
3373  if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3374  {
3375  process_incoming_del_peer(m, mi, dco);
3376  }
3377  else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3378  {
3379  tls_session_soft_reset(mi->context.c2.tls_multi);
3380  }
3381  }
3382  else
3383  {
3384  int msglevel = D_DCO;
3385  if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3386  && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3387  {
3388  /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3389  * after we kill the peer ourselves. This peer may have already
3390  * been deleted, so we end up here.
3391  * In this case, print the following debug message with DCO_DEBUG
3392  * level only to avoid polluting the standard DCO level with this
3393  * harmless event.
3394  */
3395  msglevel = D_DCO_DEBUG;
3396  }
3397  msg(msglevel, "Received DCO message for unknown peer-id: %d, "
3398  "type %d, del_peer_reason %d", peer_id, dco->dco_message_type,
3399  dco->dco_del_peer_reason);
3400  }
3401 
3402  dco->dco_message_type = 0;
3403  dco->dco_message_peer_id = -1;
3404  dco->dco_del_peer_reason = -1;
3405  dco->dco_read_bytes = 0;
3406  dco->dco_write_bytes = 0;
3407  return ret > 0;
3408 }
3409 #endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */
3410 
3411 /*
3412  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3413  * i.e. client -> server direction.
3414  */
3415 bool
3416 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance,
3417  const unsigned int mpp_flags, struct link_socket *sock)
3418 {
3419  struct gc_arena gc = gc_new();
3420 
3421  struct context *c;
3422  struct mroute_addr src, dest;
3423  unsigned int mroute_flags;
3424  struct multi_instance *mi;
3425  bool ret = true;
3426  bool floated = false;
3427 
3428  if (m->pending)
3429  {
3430  return true;
3431  }
3432 
3433  if (!instance)
3434  {
3435 #ifdef MULTI_DEBUG_EVENT_LOOP
3436  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3437 #endif
3438  multi_set_pending(m, multi_get_create_instance_udp(m, &floated, sock));
3439  }
3440  else
3441  {
3442  multi_set_pending(m, instance);
3443  }
3444 
3445  if (m->pending)
3446  {
3447  set_prefix(m->pending);
3448 
3449  /* get instance context */
3450  c = &m->pending->context;
3451 
3452  if (!instance)
3453  {
3454  /* transfer packet pointer from top-level context buffer to instance */
3455  c->c2.buf = m->top.c2.buf;
3456 
3457  /* transfer from-addr from top-level context buffer to instance */
3458  if (!floated)
3459  {
3460  c->c2.from = m->top.c2.from;
3461  }
3462  }
3463 
3464  if (BLEN(&c->c2.buf) > 0)
3465  {
3466  struct link_socket_info *lsi;
3467  const uint8_t *orig_buf;
3468 
3469  /* decrypt in instance context */
3470 
3471  perf_push(PERF_PROC_IN_LINK);
3472  lsi = &sock->info;
3473  orig_buf = c->c2.buf.data;
3474  if (process_incoming_link_part1(c, lsi, floated))
3475  {
3476  /* nonzero length means that we have a valid, decrypted packed */
3477  if (floated && c->c2.buf.len > 0)
3478  {
3479  multi_process_float(m, m->pending, sock);
3480  }
3481 
3482  process_incoming_link_part2(c, lsi, orig_buf);
3483  }
3484  perf_pop();
3485 
3486  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3487  {
3488  /* extract packet source and dest addresses */
3489  mroute_flags = mroute_extract_addr_from_packet(&src,
3490  &dest,
3491  0,
3492  &c->c2.to_tun,
3493  DEV_TYPE_TUN);
3494 
3495  /* drop packet if extract failed */
3496  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3497  {
3498  c->c2.to_tun.len = 0;
3499  }
3500  /* make sure that source address is associated with this client */
3501  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3502  {
3503  /* IPv6 link-local address (fe80::xxx)? */
3504  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3505  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
3506  {
3507  /* do nothing, for now. TODO: add address learning */
3508  }
3509  else
3510  {
3511  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3512  mroute_addr_print(&src, &gc));
3513  }
3514  c->c2.to_tun.len = 0;
3515  }
3516  /* client-to-client communication enabled? */
3517  else if (m->enable_c2c)
3518  {
3519  /* multicast? */
3520  if (mroute_flags & MROUTE_EXTRACT_MCAST)
3521  {
3522  /* for now, treat multicast as broadcast */
3523  multi_bcast(m, &c->c2.to_tun, m->pending, 0);
3524  }
3525  else /* possible client to client routing */
3526  {
3527  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3528  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3529 
3530  /* if dest addr is a known client, route to it */
3531  if (mi)
3532  {
3533  {
3534  multi_unicast(m, &c->c2.to_tun, mi);
3535  register_activity(c, BLEN(&c->c2.to_tun));
3536  }
3537  c->c2.to_tun.len = 0;
3538  }
3539  }
3540  }
3541  }
3542  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3543  {
3544  uint16_t vid = 0;
3545 
3546  if (m->top.options.vlan_tagging)
3547  {
3548  if (vlan_is_tagged(&c->c2.to_tun))
3549  {
3550  /* Drop VLAN-tagged frame. */
3551  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3552  c->c2.to_tun.len = 0;
3553  }
3554  else
3555  {
3556  vid = c->options.vlan_pvid;
3557  }
3558  }
3559  /* extract packet source and dest addresses */
3560  mroute_flags = mroute_extract_addr_from_packet(&src,
3561  &dest,
3562  vid,
3563  &c->c2.to_tun,
3564  DEV_TYPE_TAP);
3565 
3566  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3567  {
3568  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3569  {
3570  /* check for broadcast */
3571  if (m->enable_c2c)
3572  {
3573  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3574  {
3575  multi_bcast(m, &c->c2.to_tun, m->pending, vid);
3576  }
3577  else /* try client-to-client routing */
3578  {
3579  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3580 
3581  /* if dest addr is a known client, route to it */
3582  if (mi)
3583  {
3584  multi_unicast(m, &c->c2.to_tun, mi);
3585  register_activity(c, BLEN(&c->c2.to_tun));
3586  c->c2.to_tun.len = 0;
3587  }
3588  }
3589  }
3590  }
3591  else
3592  {
3593  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
3594  mroute_addr_print(&src, &gc));
3595  c->c2.to_tun.len = 0;
3596  }
3597  }
3598  else
3599  {
3600  c->c2.to_tun.len = 0;
3601  }
3602  }
3603  }
3604 
3605  /* postprocess and set wakeup */
3606  ret = multi_process_post(m, m->pending, mpp_flags);
3607 
3608  clear_prefix();
3609  }
3610 
3611  gc_free(&gc);
3612  return ret;
3613 }
3614 
3615 /*
3616  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3617  * i.e. server -> client direction.
3618  */
3619 bool
3620 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3621 {
3622  bool ret = true;
3623 
3624  if (BLEN(&m->top.c2.buf) > 0)
3625  {
3626  unsigned int mroute_flags;
3627  struct mroute_addr src = {0}, dest = {0};
3628  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3629  int16_t vid = 0;
3630 
3631 #ifdef MULTI_DEBUG_EVENT_LOOP
3632  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3633 #endif
3634 
3635  if (m->pending)
3636  {
3637  return true;
3638  }
3639 
3640  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3641  {
3642  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3643  if (vid < 0)
3644  {
3645  return false;
3646  }
3647  }
3648 
3649  /*
3650  * Route an incoming tun/tap packet to
3651  * the appropriate multi_instance object.
3652  */
3653 
3654  mroute_flags = mroute_extract_addr_from_packet(&src,
3655  &dest,
3656  vid,
3657  &m->top.c2.buf,
3658  dev_type);
3659 
3660  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3661  {
3662  struct context *c;
3663 
3664  /* broadcast or multicast dest addr? */
3665  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
3666  {
3667  /* for now, treat multicast as broadcast */
3668  multi_bcast(m, &m->top.c2.buf, NULL, vid);
3669  }
3670  else
3671  {
3672  multi_set_pending(m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3673 
3674  if (m->pending)
3675  {
3676  /* get instance context */
3677  c = &m->pending->context;
3678 
3679  set_prefix(m->pending);
3680 
3681  {
3682  if (multi_output_queue_ready(m, m->pending))
3683  {
3684  /* transfer packet pointer from top-level context buffer to instance */
3685  c->c2.buf = m->top.c2.buf;
3686  }
3687  else
3688  {
3689  /* drop packet */
3690  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3691  buf_reset_len(&c->c2.buf);
3692  }
3693  }
3694 
3695  /* encrypt in instance context */
3696  process_incoming_tun(c, c->c2.link_sockets[0]);
3697 
3698  /* postprocess and set wakeup */
3699  ret = multi_process_post(m, m->pending, mpp_flags);
3700 
3701  clear_prefix();
3702  }
3703  }
3704  }
3705  }
3706  return ret;
3707 }
3708 
3709 /*
3710  * Process a possible client-to-client/bcast/mcast message in the
3711  * queue.
3712  */
3713 struct multi_instance *
3714 multi_get_queue(struct mbuf_set *ms)
3715 {
3716  struct mbuf_item item;
3717 
3718  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3719  {
3720  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
3721 
3722  set_prefix(item.instance);
3723  item.instance->context.c2.buf = item.buffer->buf;
3724  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3725  {
3726  pip_flags |= PIP_MSSFIX;
3727  }
3728  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf,
3729  item.instance->context.c2.link_sockets[0]);
3730  encrypt_sign(&item.instance->context, true);
3731  mbuf_free_buf(item.buffer);
3732 
3733  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3734 
3735  clear_prefix();
3736  return item.instance;
3737  }
3738  else
3739  {
3740  return NULL;
3741  }
3742 }
3743 
3744 /*
3745  * Called when an I/O wait times out. Usually means that a particular
3746  * client instance object needs timer-based service.
3747  */
3748 bool
3749 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3750 {
3751  bool ret = true;
3752 
3753 #ifdef MULTI_DEBUG_EVENT_LOOP
3754  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3755 #endif
3756 
3757  /* instance marked for wakeup? */
3758  if (m->earliest_wakeup)
3759  {
3760  if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3761  {
3762  schedule_remove_entry(m->schedule, (struct schedule_entry *) &m->deferred_shutdown_signal);
3763  throw_signal(m->deferred_shutdown_signal.signal_received);
3764  }
3765  else
3766  {
3767  set_prefix(m->earliest_wakeup);
3768  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3769  clear_prefix();
3770  }
3771  m->earliest_wakeup = NULL;
3772  }
3773  return ret;
3774 }
3775 
3776 /*
3777  * Drop a TUN/TAP outgoing packet..
3778  */
3779 void
3780 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3781 {
3782  struct multi_instance *mi = m->pending;
3783 
3784  ASSERT(mi);
3785 
3786  set_prefix(mi);
3787 
3788  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3789  mi->context.c2.to_tun.len);
3790 
3791  buf_reset(&mi->context.c2.to_tun);
3792 
3793  multi_process_post(m, mi, mpp_flags);
3794  clear_prefix();
3795 }
3796 
3797 /*
3798  * Per-client route quota management
3799  */
3800 
3801 void
3802 route_quota_exceeded(const struct multi_instance *mi)
3803 {
3804  struct gc_arena gc = gc_new();
3805  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3806  mi->context.options.max_routes_per_client,
3807  multi_instance_string(mi, false, &gc));
3808  gc_free(&gc);
3809 }
3810 
3811 #ifdef ENABLE_DEBUG
3812 /*
3813  * Flood clients with random packets
3814  */
3815 static void
3816 gremlin_flood_clients(struct multi_context *m)
3817 {
3818  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3819  if (level)
3820  {
3821  struct gc_arena gc = gc_new();
3822  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3823  struct packet_flood_parms parm = get_packet_flood_parms(level);
3824  int i;
3825 
3826  ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3827  parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3828 
3829  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3830  parm.n_packets,
3831  parm.packet_size);
3832 
3833  for (i = 0; i < parm.packet_size; ++i)
3834  {
3835  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3836  }
3837 
3838  for (i = 0; i < parm.n_packets; ++i)
3839  {
3840  multi_bcast(m, &buf, NULL, 0);
3841  }
3842 
3843  gc_free(&gc);
3844  }
3845 }
3846 #endif /* ifdef ENABLE_DEBUG */
3847 
3848 static bool
3849 stale_route_check_trigger(struct multi_context *m)
3850 {
3851  struct timeval null;
3852  CLEAR(null);
3853  return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3854 }
3855 
3856 /*
3857  * Process timers in the top-level context
3858  */
3859 void
3860 multi_process_per_second_timers_dowork(struct multi_context *m)
3861 {
3862  /* possibly reap instances/routes in vhash */
3863  multi_reap_process(m);
3864 
3865  /* possibly print to status log */
3866  if (m->top.c1.status_output)
3867  {
3868  if (status_trigger(m->top.c1.status_output))
3869  {
3870  multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3871  }
3872  }
3873 
3874  /* possibly flush ifconfig-pool file */
3875  multi_ifconfig_pool_persist(m, false);
3876 
3877 #ifdef ENABLE_DEBUG
3878  gremlin_flood_clients(m);
3879 #endif
3880 
3881  /* Should we check for stale routes? */
3882  if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3883  {
3884  check_stale_routes(m);
3885  }
3886 }
3887 
3888 void
3889 multi_top_init(struct multi_context *m, struct context *top)
3890 {
3891  inherit_context_top(&m->top, top);
3892  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3893 }
3894 
3895 void
3896 multi_top_free(struct multi_context *m)
3897 {
3898  close_context(&m->top, -1, CC_GC_FREE);
3899  free_context_buffers(m->top.c2.buffers);
3900 }
3901 
3902 static bool
3903 is_exit_restart(int sig)
3904 {
3905  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3906 }
3907 
3908 static void
3909 multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3910 {
3911  struct hash_iterator hi;
3912  struct hash_element *he;
3913  struct timeval tv;
3914 
3915  /* tell all clients to restart */
3916  hash_iterator_init(m->iter, &hi);
3917  while ((he = hash_iterator_next(&hi)))
3918  {
3919  struct multi_instance *mi = (struct multi_instance *) he->value;
3920  if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
3921  {
3922  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3923  multi_schedule_context_wakeup(m, mi);
3924  }
3925  }
3926  hash_iterator_free(&hi);
3927 
3928  /* reschedule signal */
3929  ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3930  tv.tv_sec = 2;
3931  tv.tv_usec = 0;
3932  tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3933 
3934  m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3935 
3936  schedule_add_entry(m->schedule,
3937  (struct schedule_entry *) &m->deferred_shutdown_signal,
3938  &m->deferred_shutdown_signal.wakeup,
3939  compute_wakeup_sigma(&m->deferred_shutdown_signal.wakeup));
3940 
3941  signal_reset(m->top.sig, 0);
3942 }
3943 
3944 /*
3945  * Return true if event loop should break,
3946  * false if it should continue.
3947  */
3948 bool
3949 multi_process_signal(struct multi_context *m)
3950 {
3951  if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3952  {
3953  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3954  multi_print_status(m, so, m->status_file_version);
3955  status_close(so);
3956  return false;
3957  }
3958  else if (has_udp_in_local_list(&m->top.options)
3959  && is_exit_restart(m->top.sig->signal_received)
3960  && (m->deferred_shutdown_signal.signal_received == 0)
3961  && m->top.options.ce.explicit_exit_notification != 0)
3962  {
3963  multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3964  return false;
3965  }
3966  return true;
3967 }
3968 
3969 /*
3970  * Management subsystem callbacks
3971  */
3972 #ifdef ENABLE_MANAGEMENT
3973 
3974 static void
3975 management_callback_status(void *arg, const int version, struct status_output *so)
3976 {
3977  struct multi_context *m = (struct multi_context *) arg;
3978 
3979  if (!version)
3980  {
3981  multi_print_status(m, so, m->status_file_version);
3982  }
3983  else
3984  {
3985  multi_print_status(m, so, version);
3986  }
3987 }
3988 
3989 static int
3990 management_callback_n_clients(void *arg)
3991 {
3992  struct multi_context *m = (struct multi_context *) arg;
3993  return m->n_clients;
3994 }
3995 
3996 static int
3997 management_callback_kill_by_cn(void *arg, const char *del_cn)
3998 {
3999  struct multi_context *m = (struct multi_context *) arg;
4000  struct hash_iterator hi;
4001  struct hash_element *he;
4002  int count = 0;
4003 
4004  hash_iterator_init(m->iter, &hi);
4005  while ((he = hash_iterator_next(&hi)))
4006  {
4007  struct multi_instance *mi = (struct multi_instance *) he->value;
4008  if (!mi->halt)
4009  {
4010  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
4011  if (cn && !strcmp(cn, del_cn))
4012  {
4013  multi_signal_instance(m, mi, SIGTERM);
4014  ++count;
4015  }
4016  }
4017  }
4018  hash_iterator_free(&hi);
4019  return count;
4020 }
4021 
4022 static int
4023 management_callback_kill_by_addr(void *arg, const in_addr_t addr,
4024  const int port, const int proto)
4025 {
4026  struct multi_context *m = (struct multi_context *) arg;
4027  struct hash_iterator hi;
4028  struct hash_element *he;
4029  struct openvpn_sockaddr saddr;
4030  struct mroute_addr maddr;
4031  int count = 0;
4032 
4033  CLEAR(saddr);
4034  saddr.addr.in4.sin_family = AF_INET;
4035  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
4036  saddr.addr.in4.sin_port = htons(port);
4037  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
4038  {
4039  maddr.proto = proto;
4040  hash_iterator_init(m->iter, &hi);
4041  while ((he = hash_iterator_next(&hi)))
4042  {
4043  struct multi_instance *mi = (struct multi_instance *) he->value;
4044  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
4045  {
4046  multi_signal_instance(m, mi, SIGTERM);
4047  ++count;
4048  }
4049  }
4050  hash_iterator_free(&hi);
4051  }
4052  return count;
4053 }
4054 
4055 static void
4056 management_delete_event(void *arg, event_t event)
4057 {
4058  struct multi_context *m = (struct multi_context *) arg;
4059  if (m->multi_io)
4060  {
4061  multi_tcp_delete_event(m->multi_io, event);
4062  }
4063 }
4064 
4065 static struct multi_instance *
4066 lookup_by_cid(struct multi_context *m, const unsigned long cid)
4067 {
4068  if (m)
4069  {
4070  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
4071  if (mi && !mi->halt)
4072  {
4073  return mi;
4074  }
4075  }
4076  return NULL;
4077 }
4078 
4079 static bool
4080 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
4081 {
4082  struct multi_context *m = (struct multi_context *) arg;
4083  struct multi_instance *mi = lookup_by_cid(m, cid);
4084  if (mi)
4085  {
4086  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
4087  multi_schedule_context_wakeup(m, mi);
4088  return true;
4089  }
4090  else
4091  {
4092  return false;
4093  }
4094 }
4095 
4096 static bool
4097 management_client_pending_auth(void *arg,
4098  const unsigned long cid,
4099  const unsigned int mda_key_id,
4100  const char *extra,
4101  unsigned int timeout)
4102 {
4103  struct multi_context *m = (struct multi_context *) arg;
4104  struct multi_instance *mi = lookup_by_cid(m, cid);
4105 
4106  if (mi)
4107  {
4108  struct tls_multi *multi = mi->context.c2.tls_multi;
4109  struct tls_session *session;
4110 
4111  if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4112  {
4113  session = &multi->session[TM_INITIAL];
4114  }
4115  else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4116  {
4117  session = &multi->session[TM_ACTIVE];
4118  }
4119  else
4120  {
4121  return false;
4122  }
4123 
4124  /* sends INFO_PRE and AUTH_PENDING messages to client */
4125  bool ret = send_auth_pending_messages(multi, session, extra,
4126  timeout);
4127  reschedule_multi_process(&mi->context);
4128  multi_schedule_context_wakeup(m, mi);
4129  return ret;
4130  }
4131  return false;
4132 }
4133 
4134 
4135 static bool
4136 management_client_auth(void *arg,
4137  const unsigned long cid,
4138  const unsigned int mda_key_id,
4139  const bool auth,
4140  const char *reason,
4141  const char *client_reason,
4142  struct buffer_list *cc_config) /* ownership transferred */
4143 {
4144  struct multi_context *m = (struct multi_context *) arg;
4145  struct multi_instance *mi = lookup_by_cid(m, cid);
4146  bool cc_config_owned = true;
4147  bool ret = false;
4148 
4149  if (mi)
4150  {
4151  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4152  if (ret)
4153  {
4154  if (auth)
4155  {
4156  if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4157  {
4158  set_cc_config(mi, cc_config);
4159  cc_config_owned = false;
4160  }
4161  }
4162  else if (reason)
4163  {
4164  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
4165  }
4166  }
4167  }
4168  if (cc_config_owned && cc_config)
4169  {
4170  buffer_list_free(cc_config);
4171  }
4172  return ret;
4173 }
4174 
4175 static char *
4176 management_get_peer_info(void *arg, const unsigned long cid)
4177 {
4178  struct multi_context *m = (struct multi_context *) arg;
4179  struct multi_instance *mi = lookup_by_cid(m, cid);
4180  char *ret = NULL;
4181 
4182  if (mi)
4183  {
4184  ret = mi->context.c2.tls_multi->peer_info;
4185  }
4186 
4187  return ret;
4188 }
4189 
4190 #endif /* ifdef ENABLE_MANAGEMENT */
4191 
4192 
4193 void
4194 init_management_callback_multi(struct multi_context *m)
4195 {
4196 #ifdef ENABLE_MANAGEMENT
4197  if (management)
4198  {
4199  struct management_callback cb;
4200  CLEAR(cb);
4201  cb.arg = m;
4202  cb.flags = MCF_SERVER;
4203  cb.status = management_callback_status;
4204  cb.show_net = management_show_net_callback;
4205  cb.kill_by_cn = management_callback_kill_by_cn;
4206  cb.kill_by_addr = management_callback_kill_by_addr;
4207  cb.delete_event = management_delete_event;
4208  cb.n_clients = management_callback_n_clients;
4209  cb.kill_by_cid = management_kill_by_cid;
4210  cb.client_auth = management_client_auth;
4211  cb.client_pending_auth = management_client_pending_auth;
4212  cb.get_peer_info = management_get_peer_info;
4213  management_set_callback(management, &cb);
4214  }
4215 #endif /* ifdef ENABLE_MANAGEMENT */
4216 }
4217 
4218 void
4219 multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4220 {
4221  /* max_clients must be less then max peer-id value */
4222  ASSERT(m->max_clients < MAX_PEER_ID);
4223 
4224  for (int i = 0; i < m->max_clients; ++i)
4225  {
4226  if (!m->instances[i])
4227  {
4228  mi->context.c2.tls_multi->peer_id = i;
4229  m->instances[i] = mi;
4230  break;
4231  }
4232  }
4233 
4234  /* should not really end up here, since multi_create_instance returns null
4235  * if amount of clients exceeds max_clients */
4236  ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4237 }
4238 
4239 /**************************************************************************/
4246 static void
4247 tunnel_server_loop(struct multi_context *multi)
4248 {
4249  int status;
4250 
4251  while (true)
4252  {
4253  perf_push(PERF_EVENT_LOOP);
4254 
4255  /* wait on tun/socket list */
4256  multi_get_timeout(multi, &multi->top.c2.timeval);
4257  status = multi_io_wait(multi);
4258  MULTI_CHECK_SIG(multi);
4259 
4260  /* check on status of coarse timers */
4261  multi_process_per_second_timers(multi);
4262 
4263  /* timeout? */
4264  if (status > 0)
4265  {
4266  /* process the I/O which triggered select */
4267  multi_io_process_io(multi);
4268  MULTI_CHECK_SIG(multi);
4269  }
4270  else if (status == 0)
4271  {
4272  multi_io_action(multi, NULL, TA_TIMEOUT, false);
4273  }
4274 
4275  perf_pop();
4276  }
4277 }
4278 
4279 /*
4280  * Top level event loop.
4281  */
4282 void
4283 tunnel_server(struct context *top)
4284 {
4285  ASSERT(top->options.mode == MODE_SERVER);
4286 
4287  struct multi_context multi;
4288 
4289  top->mode = CM_TOP;
4290  context_clear_2(top);
4291 
4292  /* initialize top-tunnel instance */
4293  init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP);
4294  if (IS_SIG(top))
4295  {
4296  return;
4297  }
4298 
4299  /* initialize global multi_context object */
4300  multi_init(&multi, top);
4301 
4302  /* initialize our cloned top object */
4303  multi_top_init(&multi, top);
4304 
4305  /* initialize management interface */
4306  init_management_callback_multi(&multi);
4307 
4308  /* finished with initialization */
4309  initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */
4310 
4311 #ifdef ENABLE_ASYNC_PUSH
4312  multi.top.c2.inotify_fd = inotify_init();
4313  if (multi.top.c2.inotify_fd < 0)
4314  {
4315  msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
4316  }
4317 #endif
4318 
4319  tunnel_server_loop(&multi);
4320 
4321  #ifdef ENABLE_ASYNC_PUSH
4322  close(top->c2.inotify_fd);
4323 #endif
4324 
4325  /* shut down management interface */
4326  uninit_management_callback();
4327 
4328  /* save ifconfig-pool */
4329  multi_ifconfig_pool_persist(&multi, true);
4330 
4331  /* tear down tunnel instance (unless --persist-tun) */
4332  multi_uninit(&multi);
4333  multi_top_free(&multi);
4334  close_instance(top);
4335 
4336 }
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1708
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:61
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:488
multi_reap::buckets_per_pass
int buckets_per_pass
Definition: multi.h:56
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2436
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2115
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: manage.h:188
PERF_MULTI_BCAST
#define PERF_MULTI_BCAST
Definition: perf.h:48
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
Definition: multi.c:4023
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:541
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1283
multi_context::n_clients
int n_clients
Definition: multi.h:189
options::vlan_tagging
bool vlan_tagging
Definition: options.h:712
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:111
link_socket
Definition: socket.h:177
OPENVPN_PLUGIN_CLIENT_CONNECT_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: openvpn-plugin.h:126
ncp_expanded_ciphers
const char * ncp_expanded_ciphers(struct options *o, struct gc_arena *gc)
returns the o->ncp_ciphers in brackets, e.g.
Definition: ssl_ncp.c:634
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
@OVPN_CMD_DEL_PEER: Remove peer from internal table
Definition: ovpn_dco_linux.h:40
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition: mroute.h:64
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:282
signal_info::signal_received
volatile int signal_received
Definition: sig.h:43
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:103
status_trigger
bool status_trigger(struct status_output *so)
Definition: status.c:133
iroute
Definition: route.h:241
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition: errlevel.h:118
multi_instance::halt
bool halt
Definition: multi.h:114
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition: multi.c:2579
reflect_filter.h
OPENVPN_PLUGIN_LEARN_ADDRESS
#define OPENVPN_PLUGIN_LEARN_ADDRESS
Definition: openvpn-plugin.h:125
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition: ssl_common.h:571
multi_process_incoming_dco
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
M_INFO
#define M_INFO
Definition: errlevel.h:55
hash_n_elements
static int hash_n_elements(const struct hash *hash)
Definition: list.h:122
multi_process_float
void multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
Handles peer floating.
Definition: multi.c:3209
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition: manage.h:183
compress_options::alg
int alg
Definition: comp.h:68
options::use_peer_id
bool use_peer_id
Definition: options.h:701
lookup_by_cid
static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition: multi.c:4066
multi_context::route_helper
struct mroute_helper * route_helper
Definition: multi.h:182
M_OPTERR
#define M_OPTERR
Definition: error.h:100
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition: multi.h:295
options::client_connect_script
const char * client_connect_script
Definition: options.h:501
CC_RET_FAILED
@ CC_RET_FAILED
Definition: multi.h:227
hash_init
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:38
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:467
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:510
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:574
print_signal
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:294
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:294
hash_bucket
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:134
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition: multi.h:212
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
options::cf_initial_per
int cf_initial_per
Definition: options.h:533
run_command.h
M_ERRNO
#define M_ERRNO
Definition: error.h:94
tls_session::opt
struct tls_options * opt
Definition: ssl_common.h:482
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:80
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1150
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:36
auth_token.h
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:148
context_2::to_link
struct buffer to_link
Definition: openvpn.h:377
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:323
multi_context::reaper
struct multi_reap * reaper
Definition: multi.h:183
forward.h
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition: multi.h:132
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition: multi.c:549
plugin_return
Definition: plugin.h:101
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER
Definition: openvpn-plugin.h:130
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition: init.c:4947
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
time_string
const char * time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:108
gremlin.h
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3849
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition: multi.h:228
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5515
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
context_2::buf
struct buffer buf
Definition: openvpn.h:375
buf_reset
static void buf_reset(struct buffer *buf)
Definition: buffer.h:303
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition: multi.h:187
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:242
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:526
hash_iterator
Definition: list.h:88
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
argv
Definition: argv.h:35
options::enable_c2c
bool enable_c2c
Definition: options.h:526
options::duplicate_cn
bool duplicate_cn
Definition: options.h:527
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition: multi.c:1659
M_NONFATAL
#define M_NONFATAL
Definition: error.h:90
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition: manage.h:200
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition: multi.h:678
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:456
context_2::link_write_bytes
counter_type link_write_bytes
Definition: openvpn.h:269
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition: forward.c:1658
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1833
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
context
Contains all state information for one tunnel.
Definition: openvpn.h:473
es
struct env_set * es
Definition: test_pkcs11.c:141
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:497
hash
Definition: list.h:56
EVENT_ARG_MULTI_INSTANCE
@ EVENT_ARG_MULTI_INSTANCE
Definition: event.h:136
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:690
CC_GC_FREE
#define CC_GC_FREE
Definition: init.h:104
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition: multi.h:65
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1444
multi_io_action
void multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll)
Definition: multi_io.c:577
options::topology
int topology
Definition: options.h:320
key1
static const char *const key1
Definition: cert_data.h:56
link_socket_info::lsa
struct link_socket_addr * lsa
Definition: socket.h:115
BSTR
#define BSTR(buf)
Definition: buffer.h:129
management_callback::flags
unsigned int flags
Definition: manage.h:178
mbuf_set
Definition: mbuf.h:56
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:175
options::dev_type
const char * dev_type
Definition: options.h:317
user_pass::username
char username[USER_PASS_LEN]
Definition: misc.h:72
get_random
long int get_random(void)
Definition: crypto.c:1757
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition: ssl_common.h:417
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:122
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:435
multi_instance::gc
struct gc_arena gc
Definition: multi.h:113
options::iroutes
struct iroute * iroutes
Definition: options.h:511
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:544
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:502
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:171
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:3714
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition: errlevel.h:65
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition: multi.h:84
multi_instance::wakeup
struct timeval wakeup
Definition: multi.h:121
multi_instance::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition: multi.h:108
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:464
register_activity
static void register_activity(struct context *c, const int size)
Definition: forward.h:334
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:87
context_2::es
struct env_set * es
Definition: openvpn.h:420
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:2210
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:428
vlan.h
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1127
multi_uninit
void multi_uninit(struct multi_context *m)
Definition: multi.c:710
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition: multi.h:292
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition: crypto.h:376
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:87
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:430
options::mode
int mode
Definition: options.h:260
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:147
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:3043
hash_element::value
void * value
Definition: list.h:45
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition: ssl_common.h:570
multi_io_process_io
void multi_io_process_io(struct multi_context *m)
Definition: multi_io.c:441
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:737
pre_select
void pre_select(struct context *c)
Definition: forward.c:1997
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:182
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition: ssl_common.h:148
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:522
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition: multi.c:4097
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:176
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:95
key_ctx_bi::initialized
bool initialized
Definition: crypto.h:284
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition: multi.c:758
dmsg
#define dmsg(flags,...)
Definition: error.h:148
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi)
Definition: mtcp.c:141
ENABLE_MANAGEMENT
#define ENABLE_MANAGEMENT
Definition: config.h:53
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1242
event_arg::u
union event_arg::@1 u
options::ce
struct connection_entry ce
Definition: options.h:288
PERF_MULTI_CLOSE_INSTANCE
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition: multi.c:76
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:140
openvpn_sockaddr
Definition: socket.h:65
iroute::netbits
int netbits
Definition: route.h:243
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition: socket.h:412
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:509
context_2::buffers
struct context_buffers * buffers
Definition: openvpn.h:367
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3287
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:495
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2974
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1603
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:577
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition: interval.h:174
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3752
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:44
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:597
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition: multi.h:90
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:165
reap_buckets_per_pass
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:249
tunnel_server_loop
static void tunnel_server_loop(struct multi_context *multi)
Main event loop for OpenVPN in point-to-multipoint server mode.
Definition: multi.c:4247
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition: options.c:9565
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition: errlevel.h:154
mroute_addr::netbits
uint8_t netbits
Definition: mroute.h:82
MCF_SERVER
#define MCF_SERVER
Definition: manage.h:177
multi_context::schedule
struct schedule * schedule
Definition: multi.h:174
context::mode
int mode
Role of this context within the OpenVPN process.
Definition: openvpn.h:487
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:369
MODE_SERVER
#define MODE_SERVER
Definition: options.h:259
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition: multi.c:1981
PERF_MULTI_CREATE_INSTANCE
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
client_connect_defer_state
Detached client connection state.
Definition: multi.h:72
dco_do_read
int dco_do_read(dco_context_t *dco)
Definition: dco_win.c:674
frame
Packet geometry parameters.
Definition: mtu.h:98
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:98
multi_route::addr
struct mroute_addr addr
Definition: multi.h:238
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_io *multi_io, event_t event)
Definition: mtcp.c:132
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:596
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition: openvpn.h:244
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition: ovpn_dco_linux.h:74
multi_route::last_reference
time_t last_reference
Definition: multi.h:246
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:546
PIP_MSSFIX
#define PIP_MSSFIX
Definition: forward.h:307
multi_reap::last_call
time_t last_call
Definition: multi.h:57
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:573
mroute_helper::net_len
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:128
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:3802
management_show_net_callback
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:4372
key_state::authenticated
enum ks_auth_state authenticated
Definition: ssl_common.h:251
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3860
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:259
multi_context::enable_c2c
bool enable_c2c
Definition: multi.h:185
iroute_ipv6::network
struct in6_addr network
Definition: route.h:248
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:199
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition: multi.c:1735
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:427
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition: reflect_filter.c:86
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
context_2::link_read_bytes
counter_type link_read_bytes
Definition: openvpn.h:266
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition: ssl_common.h:569
multi_route::instance
struct multi_instance * instance
Definition: multi.h:239
iroute::next
struct iroute * next
Definition: route.h:244
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3298
np
static const char * np(const char *str)
Definition: multi-auth.c:146
multi_context::max_clients
int max_clients
Definition: multi.h:186
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition: multi.h:180
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition: pool.h:37
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:283
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:582
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition: multi.c:2307
CLEAR
#define CLEAR(x)
Definition: basic.h:33
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:84
dco_get_peer_stats_multi
int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m, const bool raise_sigusr1_on_err)
Definition: dco_win.c:715
multi_context::cid_counter
unsigned long cid_counter
Definition: multi.h:193
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:618
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition: tun.h:182
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:219
clear_prefix
static void clear_prefix(void)
Definition: multi.h:556
iroute::network
in_addr_t network
Definition: route.h:242
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:491
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:514
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition: mroute.h:63
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:557
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:437
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:885
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition: options.h:577
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:541
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:535
options::max_clients
int max_clients
Definition: options.h:535
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:649
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4217
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:164
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:685
ssl_verify.h
options::dev
const char * dev
Definition: options.h:316
ASSERT
#define ASSERT(x)
Definition: error.h:195
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition: ssl_common.h:568
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition: ssl.c:1843
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:454
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition: tun.h:211
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3011
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
read
@ read
Definition: interactive.c:223
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:249
frame::buf
struct frame::@8 buf
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_instance *mi)
Definition: multi.c:1774
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:660
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:172
buffer_entry::buf
struct buffer buf
Definition: buffer.h:1116
D_DCO
#define D_DCO
Definition: errlevel.h:94
multi_instance::cc_config
struct buffer_list * cc_config
Definition: multi.h:139
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:289
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:202
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:89
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition: multi.c:4080
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:227
options::cf_initial_max
int cf_initial_max
Definition: options.h:532
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:133
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:625
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition: multi.c:2672
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl_ncp.c:229
multi_context::status_file_version
int status_file_version
Definition: multi.h:188
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2759
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:87
BLEN
#define BLEN(buf)
Definition: buffer.h:127
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:240
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:158
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:42
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition: multi.c:4219
status_reset
void status_reset(struct status_output *so)
Definition: status.c:148
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition: manage.h:187
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:324
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:578
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:521
multi_context::local
struct mroute_addr local
Definition: multi.h:184
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2997
MPP_CONDITIONAL_PRE_SELECT
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:293
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition: forward.h:306
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1055
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition: multi.c:1955
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:692
options::comp
struct compress_options comp
Definition: options.h:411
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3749
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition: mtu.h:102
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition: multi.c:257
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:4283
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:723
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:606
ANY_OUT
#define ANY_OUT(c)
Definition: forward.h:40
hash_element::key
const void * key
Definition: list.h:46
tls_session::key
struct key_state key[KS_SIZE]
Definition: ssl_common.h:515
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition: multi.c:2393
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition: ssl.h:111
set_common_name
void set_common_name(struct tls_session *session, const char *common_name)
Sets the common name field for the given tunnel.
Definition: ssl_verify.c:86
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:514
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:439
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:39
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:102
mroute_addr::v6
struct mroute_addr::@2::@6 v6
buffer_entry::next
struct buffer_entry * next
Definition: buffer.h:1117
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:1015
multi_context::cid_hash
struct hash * cid_hash
Definition: multi.h:192
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:49
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:403
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3909
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition: openvpn.h:270
M_WARN
#define M_WARN
Definition: error.h:91
OPENVPN_PLUGIN_FUNC_DEFERRED
#define OPENVPN_PLUGIN_FUNC_DEFERRED
Definition: openvpn-plugin.h:150
plugin_return::n
int n
Definition: plugin.h:103
close_instance
void close_instance(struct context *c)
Definition: init.c:4872
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:513
perf_pop
static void perf_pop(void)
Definition: perf.h:82
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:485
MF_UNICAST
#define MF_UNICAST
Definition: mbuf.h:46
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:82
D_GREMLIN
#define D_GREMLIN
Definition: errlevel.h:78
mroute_addr::port
in_port_t port
Definition: mroute.h:92
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:83
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:475
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:170
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition: multi.h:198
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2670
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:517
tls_multi::locked_cn
char * locked_cn
Definition: ssl_common.h:629
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:222
D_MULTI_LOW
#define D_MULTI_LOW
Definition: errlevel.h:86
options
Definition: options.h:249
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:432
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition: ssl_common.h:705
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3065
options::gc
struct gc_arena gc
Definition: options.h:251
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition: sig.c:177
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:741
mroute_helper::cache_generation
unsigned int cache_generation
Definition: mroute.h:125
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5535
multi.h
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition: openvpn.h:208
CCD_DEFAULT
#define CCD_DEFAULT
Definition: common.h:62
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:167
pool_type
pool_type
Definition: pool.h:35
dco_context_t
void * dco_context_t
Definition: dco.h:267
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition: multi.h:133
multi_process_per_second_timers
static void multi_process_per_second_timers(struct multi_context *m)
Definition: multi.h:598
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition: mudp.c:190
status_output
Definition: status.h:48
management_callback::show_net
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:181
mbuf_item::instance
struct multi_instance * instance
Definition: mbuf.h:53
management_callback::arg
void * arg
Definition: manage.h:175
MULTI_CHECK_SIG
#define MULTI_CHECK_SIG(m)
Definition: multi.h:696
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:500
multi_instance::did_cid_hash
bool did_cid_hash
Definition: multi.h:138
multi_reap
Definition: multi.h:53
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:491
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1463
multi_context::pending
struct multi_instance * pending
Definition: multi.h:196
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:436
context_2::frame_fragment
struct frame frame_fragment
Definition: openvpn.h:253
compress_options::flags
unsigned int flags
Definition: comp.h:69
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition: crypto_openssl.c:817
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:523
multi_reap_new
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:216
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:3112
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition: ovpn_dco_linux.h:72
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:37
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:733
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:537
mbuf_buffer::buf
struct buffer buf
Definition: mbuf.h:43
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:264
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:169
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:321
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:658
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
deferred_signal_schedule_entry::signal_received
int signal_received
Definition: multi.h:64
PERF_PROC_IN_LINK
#define PERF_PROC_IN_LINK
Definition: perf.h:52
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition: multi.h:197
openvpn_plugin_string_list::value
char * value
Definition: openvpn-plugin.h:194
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition: pool.h:38
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1163
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:524
ISC_SERVER
#define ISC_SERVER
Definition: init.h:116
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:229
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:165
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition: multi.h:124
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:287
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:372
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:321
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition: ssl_verify.c:1238
link_socket::info
struct link_socket_info info
Definition: socket.h:179
multi_route::flags
unsigned int flags
Definition: multi.h:243
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2991
options::status_file_version
int status_file_version
Definition: options.h:405
link_socket_addr::actual
struct link_socket_actual actual
Definition: socket.h:110
mbuf_item
Definition: mbuf.h:50
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:427
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:125
context_2::event_set
struct event_set * event_set
Definition: openvpn.h:230
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition: manage.h:195
auth_deferred_status::auth_control_file
char * auth_control_file
Definition: ssl_common.h:160
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:488
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:699
mroute_addr::vid
uint16_t vid
Definition: mroute.h:88
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition: ovpn_dco_linux.h:73
link_socket_info
Definition: socket.h:113
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1414
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:374
options::override_username
const char * override_username
Definition: options.h:508
REAP_MAX
#define REAP_MAX
Definition: multi.h:576
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:479
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:180
link_socket_info::proto
int proto
Definition: socket.h:120
generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition: auth_token.c:164
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition: openvpn.h:396
signal_reset
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition: sig.c:266
key_state::mda_key_id
unsigned int mda_key_id
Definition: ssl_common.h:255
status_close
bool status_close(struct status_output *so)
Definition: status.c:188
context_2::frame
struct frame frame
Definition: openvpn.h:248
mroute_addr
Definition: mroute.h:78
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition: multi.c:2417
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:579
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:3620
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition: manage.c:2986
options::force_key_material_export
bool force_key_material_export
Definition: options.h:710
syshead.h
multi_reap_range
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:177
event_arg::mi
struct multi_instance * mi
Definition: event.h:145
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:65
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:246
schedule_entry
Definition: schedule.h:44
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:185
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition: ssl_common.h:638
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:132
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3997
mroute_addr::proto
uint8_t proto
Definition: mroute.h:80
options::client_config_dir
const char * client_config_dir
Definition: options.h:505
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition: forward.h:312
context_2::link_sockets
struct link_socket ** link_sockets
Definition: openvpn.h:237
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition: reflect_filter.c:102
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:92
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:500
context_clear_2
void context_clear_2(struct context *c)
Definition: init.c:89
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:250
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:384
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
mbuf_buffer
Definition: mbuf.h:41
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:585
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:714
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition: multi.c:2014
mbuf_buffer::flags
unsigned int flags
Definition: mbuf.h:47
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition: ssl.h:108
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:306
route
@ route
Definition: interactive.c:87
multi_route
Definition: multi.h:236
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition: multi.c:2264
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition: openvpn.h:238
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
env_set
Definition: env_set.h:42
multi_instance::did_iter
bool did_iter
Definition: multi.h:136
uninit_management_callback
void uninit_management_callback(void)
Definition: init.c:4532
status_flush
void status_flush(struct status_output *so)
Definition: status.c:157
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:260
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition: multi.c:264
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3131
plugin_list
Definition: plugin.h:94
multi_context
Main OpenVPN server state structure.
Definition: multi.h:163
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:5037
counter_format
#define counter_format
Definition: common.h:31
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3777
TOP_P2P
#define TOP_P2P
Definition: proto.h:43
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:4194
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:930
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:440
multi_top_init
void multi_top_init(struct multi_context *m, struct context *top)
Definition: multi.c:3889
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:290
dco.h
man_def_auth_context::cid
unsigned long cid
Definition: manage.h:65
check_debug_level
static bool check_debug_level(unsigned int level)
Definition: error.h:220
context::es
struct env_set * es
Set of environment variables.
Definition: openvpn.h:496
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:682
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:1000
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition: init.h:106
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition: multi.c:2675
hash_free
void hash_free(struct hash *hash)
Definition: list.c:63
ETT_DEFAULT
#define ETT_DEFAULT
Definition: interval.h:224
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:594
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:490
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition: multi.c:4136
multi_io_wait
int multi_io_wait(struct multi_context *m)
Definition: multi_io.c:174
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:413
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl_ncp.c:250
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition: comp.h:48
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:3416
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition: multi.h:75
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:4056
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition: multi.h:225
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition: errlevel.h:101
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:496
tuntap::local
in_addr_t local
Definition: tun.h:208
schedule_init
struct schedule * schedule_init(void)
Definition: schedule.c:412
context_2::mda_context
struct man_def_auth_context mda_context
Definition: openvpn.h:453
mstats.h
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition: interval.c:43
context_2::to_tun
struct buffer to_tun
Definition: openvpn.h:376
IS_SIG
#define IS_SIG(c)
Definition: sig.h:48
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:171
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition: ssl.h:95
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:488
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition: init.c:4558
OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
Definition: openvpn-plugin.h:124
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:526
multi_io_init
struct multi_io * multi_io_init(int maxevents, int *maxclients)
Definition: multi_io.c:117
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1464
key_state::script_auth
struct auth_deferred_status script_auth
Definition: ssl_common.h:261
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition: multi.h:78
context_2::fragment
struct fragment_master * fragment
Definition: openvpn.h:252
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:76
otime.h
tuntap::dco
dco_context_t dco
Definition: tun.h:249
CM_TOP
#define CM_TOP
Definition: openvpn.h:483
multi_context::multi_io
struct multi_io * multi_io
I/O state and events tracker.
Definition: multi.h:178
is_exit_restart
static bool is_exit_restart(int sig)
Definition: multi.c:3903
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition: openvpn.h:267
iroute_ipv6
Definition: route.h:247
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:64
status
static SERVICE_STATUS status
Definition: interactive.c:53
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition: multi.c:4176
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:3780
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:805
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:431
REAP_DIVISOR
#define REAP_DIVISOR
Definition: multi.h:574
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2910
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:515
management
Definition: manage.h:335
mroute_helper
Definition: mroute.h:124
hash_element
Definition: list.h:43
min_int
static int min_int(int x, int y)
Definition: integer.h:102
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1070
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
mroute_addr::type
uint8_t type
Definition: mroute.h:81
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition: multi.h:230
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition: multi.c:1691
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, uint16_t vid)
Definition: multi.c:2993
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition: multi.c:2064
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:377
tuntap::remote_netmask
in_addr_t remote_netmask
Definition: tun.h:209
REAP_MIN
#define REAP_MIN
Definition: multi.h:575
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:210
multi_route::cache_generation
unsigned int cache_generation
Definition: multi.h:245
options::cf_per
int cf_per
Definition: options.h:530
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2543
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition: mroute.h:70
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:149
rw_handle
Definition: win32.h:79
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition: multi.c:1804
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:497
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:466
hash_bucket
Definition: list.h:51
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:62
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:510
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:536
multi_reap::bucket_base
int bucket_base
Definition: multi.h:55
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1060
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:293
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition: multi.h:241
now
time_t now
Definition: otime.c:34
multi_instance::did_iroutes
bool did_iroutes
Definition: multi.h:141
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:117
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:65
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:146
context_1::status_output
struct status_output * status_output
Definition: openvpn.h:184
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition: ssl_common.h:572
TOP_NET30
#define TOP_NET30
Definition: proto.h:42
OPENVPN_PLUGIN_FUNC_SUCCESS
#define OPENVPN_PLUGIN_FUNC_SUCCESS
Definition: openvpn-plugin.h:148
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:489
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition: ovpn_dco_linux.h:75
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2953
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:39
ssl_ncp.h
connection_entry::fragment
int fragment
Definition: options.h:139
context_2::from
struct link_socket_actual from
Definition: openvpn.h:245
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition: multi.h:501
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:196
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1167
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition: multi.h:181
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition: ssl_common.h:684
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:681
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition: multi.h:146
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:238
PERF_EVENT_LOOP
#define PERF_EVENT_LOOP
Definition: perf.h:44
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition: mbuf.h:52
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:161
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2732
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:496
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:401
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition: ssl_common.h:373
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition: manage.c:3010
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:181
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:536
options::real_hash_size
int real_hash_size
Definition: options.h:499
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition: ovpn_dco_linux.h:44
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:502
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition: dco.h:362
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:538
hash_n_buckets
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:128
session
Definition: keyingmaterialexporter.c:56
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1000
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:40
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:434
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:932
options::tmp_dir
const char * tmp_dir
Definition: options.h:466
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:329
options::cf_max
int cf_max
Definition: options.h:529
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:512
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:115
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition: socket.h:90
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:152
remap_signal
void remap_signal(struct context *c)
Definition: sig.c:591
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition: multi.h:229
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition: ssl_common.h:634
tls_multi::auth_token_initial
char * auth_token_initial
The first auth-token we sent to a client.
Definition: ssl_common.h:663
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:38
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:516
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:46
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition: sig.c:231
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:518
user_pass
Definition: misc.h:56
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition: errlevel.h:102
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:356
event_arg::type
event_arg_t type
Definition: event.h:143
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:184
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:328
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3975
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition: multi.c:3990
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:179
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:514
memdbg.h
multi_client_setup_dco_initial
static bool multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc)
Definition: multi.c:2369
options::learn_address_script
const char * learn_address_script
Definition: options.h:503
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:39
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
management_callback
Definition: manage.h:173
options::ciphername
const char * ciphername
Definition: options.h:573
multi_top_free
void multi_top_free(struct multi_context *m)
Definition: multi.c:3896
update_mstat_n_clients
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:84
override_locked_username
static bool override_locked_username(struct multi_instance *mi)
Overrides the locked username with the username of –override-username.
Definition: multi.c:2690
title_string
const char title_string[]
Definition: options.c:69
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:357
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition: multi.c:2088
buffer_list
Definition: buffer.h:1120
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:126
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:146
M_USAGE
#define M_USAGE
Definition: error.h:106
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:368
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:564
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:598
OPENVPN_PLUGIN_CLIENT_CONNECT
#define OPENVPN_PLUGIN_CLIENT_CONNECT
Definition: openvpn-plugin.h:123
msg
#define msg(flags,...)
Definition: error.h:144
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition: ssl.h:102
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:275
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition: dco.h:368
multi_add_iroutes
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1327
buffer_entry
Definition: buffer.h:1114
multi_instance::did_real_hash
bool did_real_hash
Definition: multi.h:135
crypto_backend.h
hash_iterator_init_range
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:223
vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:266
multi_io_free
void multi_io_free(struct multi_io *multi_io)
Definition: multi_io.c:163
perf_push
static void perf_push(int type)
Definition: perf.h:78
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
multi_process_signal
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3949
multi_print_status
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:852
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:144
multi_client_connect_source_ccd
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition: multi.c:2613
buffer_list::head
struct buffer_entry * head
Definition: buffer.h:1122
multi_delete_dup
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1376
multi_init
void multi_init(struct multi_context *m, struct context *t)
Definition: multi.c:294
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition: errlevel.h:127
multi_get_timeout
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition: multi.h:616
schedule_free
void schedule_free(struct schedule *s)
Definition: schedule.c:421
setenv_in_addr_t
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3118
mroute_extract_in_addr_t
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:245
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition: init.c:1590
multi_instance::n_clients_delta
int n_clients_delta
Definition: multi.h:142
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
TA_TIMEOUT
#define TA_TIMEOUT
Definition: multi_io.h:46
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:519
mroute_helper::n_net_len
int n_net_len
Definition: mroute.h:127
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:116
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:291
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
context::c1
struct context_1 c1
Level 1 context.
Definition: openvpn.h:513
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:108
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:5084
mroute_addr_equal
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:210
management_callback::n_clients
int(* n_clients)(void *arg)
Definition: manage.h:185
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:489
gc
struct gc_arena gc
Definition: test_ssl.c:155
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition: push.c:977
OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2
Definition: openvpn-plugin.h:131
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:410
multi_reap_process
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:589
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:290
Generated by   doxygen 1.8.17