OpenVPN
push.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include "push.h"
31#include "options.h"
32#include "crypto.h"
33#include "ssl.h"
34#include "ssl_verify.h"
35#include "ssl_ncp.h"
36#include "manage.h"
37
38#include "memdbg.h"
39#include "ssl_util.h"
40#include "options_util.h"
41
42static char push_reply_cmd[] = "PUSH_REPLY";
43
44/*
45 * Auth username/password
46 *
47 * Client received an authentication failed message from server.
48 * Runs on client.
49 */
50void
51receive_auth_failed(struct context *c, const struct buffer *buffer)
52{
53 msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
54 c->options.no_advance = true;
55
56 if (!c->options.pull)
57 {
58 return;
59 }
60
61 struct buffer buf = *buffer;
62
63 /* If the AUTH_FAIL message ends with a , it is an extended message that
64 * contains further flags */
65 bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,");
66
67 const char *reason = NULL;
68 if (authfail_extended && BLEN(&buf))
69 {
70 reason = BSTR(&buf);
71 }
72
74 {
75 parse_auth_failed_temp(&c->options, reason + strlen("TEMP"));
76 register_signal(c->sig, SIGUSR1, "auth-temp-failure (server temporary reject)");
77 }
78
79 /* Before checking how to react on AUTH_FAILED, first check if the
80 * failed auth might be the result of an expired auth-token.
81 * Note that a server restart will trigger a generic AUTH_FAILED
82 * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
83 * identical for this scenario */
84 else if (ssl_clean_auth_token())
85 {
86 /* SOFT-SIGUSR1 -- Auth failure error */
87 register_signal(c->sig, SIGUSR1, "auth-failure (auth-token)");
88 c->options.no_advance = true;
89 }
90 else
91 {
92 switch (auth_retry_get())
93 {
94 case AR_NONE:
95 /* SOFT-SIGTERM -- Auth failure error */
96 register_signal(c->sig, SIGTERM, "auth-failure");
97 break;
98
99 case AR_INTERACT:
100 ssl_purge_auth(false);
101 /* Intentional [[fallthrough]]; */
102
103 case AR_NOINTERACT:
104 /* SOFT-SIGTUSR1 -- Auth failure error */
105 register_signal(c->sig, SIGUSR1, "auth-failure");
106 break;
107
108 default:
109 ASSERT(0);
110 }
111 }
112#ifdef ENABLE_MANAGEMENT
113 if (management)
114 {
116 }
117 /*
118 * Save the dynamic-challenge text even when management is defined
119 */
121 && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
122 {
124 }
125#endif /* ifdef ENABLE_MANAGEMENT */
126
127}
128
129/*
130 * Act on received restart message from server
131 */
132void
133server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
134{
135 if (c->options.pull)
136 {
137 struct buffer buf = *buffer;
138 const char *m = "";
139 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
140 {
141 m = BSTR(&buf);
142 }
143
144 /* preserve cached passwords? */
145 /* advance to next server? */
146 {
147 bool purge = true;
148
149 if (m[0] == '[')
150 {
151 int i;
152 for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
153 {
154 if (m[i] == 'P')
155 {
156 purge = false;
157 }
158 else if (m[i] == 'N')
159 {
160 /* next server? */
161 c->options.no_advance = false;
162 }
163 }
164 }
165 if (purge)
166 {
167 ssl_purge_auth(true);
168 }
169 }
170
171 if (restart)
172 {
173 msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
174 /* SOFT-SIGUSR1 -- server-pushed connection reset */
175 register_signal(c->sig, SIGUSR1, "server-pushed-connection-reset");
176 }
177 else
178 {
179 msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
180 /* SOFT-SIGTERM -- server-pushed halt */
181 register_signal(c->sig, SIGTERM, "server-pushed-halt");
182 }
183#ifdef ENABLE_MANAGEMENT
184 if (management)
185 {
186 management_notify(management, "info", c->sig->signal_text, m);
187 }
188#endif
189 }
190}
191
192void
194{
195 dmsg(D_STREAM_ERRORS, "CC-EEN exit message received by peer");
196 /* With control channel exit notification, we want to give the session
197 * enough time to handle retransmits and acknowledgment, so that eventual
198 * retries from the client to resend the exit or ACKs will not trigger
199 * a new session (we already forgot the session but the packet's HMAC
200 * is still valid). This could happen for the entire period that the
201 * HMAC timeslot is still valid, but waiting five seconds here does not
202 * hurt much, takes care of the retransmits, and is easier code-wise.
203 *
204 * This does not affect OCC exit since the HMAC session code will
205 * ignore DATA packets
206 * */
207 if (c->options.mode == MODE_SERVER)
208 {
209 if (!schedule_exit(c))
210 {
211 /* Return early when we don't need to notify management */
212 return;
213 }
214 }
215 else
216 {
217 register_signal(c->sig, SIGUSR1, "remote-exit");
218 }
219#ifdef ENABLE_MANAGEMENT
220 if (management)
221 {
222 management_notify(management, "info", "remote-exit", "EXIT");
223 }
224#endif
225}
226
227
228void
229server_pushed_info(const struct buffer *buffer, const int adv)
230{
231 const char *m = "";
232 struct buffer buf = *buffer;
233
234 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
235 {
236 m = BSTR(&buf);
237 }
238
239#ifdef ENABLE_MANAGEMENT
240 struct gc_arena gc;
241 if (management)
242 {
243 gc = gc_new();
244
245 /*
246 * We use >INFOMSG here instead of plain >INFO since INFO is used to
247 * for management greeting and we don't want to confuse the client
248 */
249 struct buffer out = alloc_buf_gc(256, &gc);
250 if (buf_printf(&out, ">%s:%s", "INFOMSG", m))
251 {
253 }
254 else
255 {
256 msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client.");
257 }
258
259 gc_free(&gc);
260 }
261#endif
262 msg(D_PUSH, "Info command was pushed by server ('%s')", m);
263}
264
265void
267{
268 struct buffer buf = *buffer;
269 const char *m = "";
270
271 if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
272 {
273 m = BSTR(&buf);
274 }
275#ifdef ENABLE_MANAGEMENT
277 struct man_def_auth_context *mda = session->opt->mda_context;
278 struct env_set *es = session->opt->es;
279 unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
280
281 management_notify_client_cr_response(mda_key_id, mda, es, m);
282#endif
283#if ENABLE_PLUGIN
285#endif
287 msg(D_PUSH, "CR response was sent by client ('%s')", m);
288}
289
297static void
299 unsigned int *server_timeout)
300{
301 struct buffer buf = *buffer;
302
303 /* does the buffer start with "AUTH_PENDING," ? */
304 if (!buf_advance(&buf, strlen("AUTH_PENDING"))
305 || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
306 {
307#ifdef ENABLE_MANAGEMENT
308 if (management)
309 {
311 "", NULL, NULL, NULL, NULL);
312 }
313#endif
314
315 return;
316 }
317
318 /* parse the keywords in the same way that push options are parsed */
320
321#ifdef ENABLE_MANAGEMENT
322 /* Need to do the management notification with the keywords before
323 * buf_parse is called, as it will insert \0 bytes into the buffer */
324 if (management)
325 {
327 BSTR(&buf), NULL, NULL, NULL, NULL);
328 }
329#endif
330
331 while (buf_parse(&buf, ',', line, sizeof(line)))
332 {
333 if (sscanf(line, "timeout %u", server_timeout) != 1)
334 {
335 msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
336 }
337 }
338}
339
340void
342{
343 if (!c->options.pull)
344 {
345 return;
346 }
347
348 /* Cap the increase at the maximum time we are willing stay in the
349 * pending authentication state */
350 unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
351 c->options.handshake_window);
352
353 /* try to parse parameter keywords, default to hand-winow timeout if the
354 * server does not supply a timeout */
355 unsigned int server_timeout = c->options.handshake_window;
357
358 msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
359 "to %us", c->options.handshake_window,
361
362 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
363 c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
364}
365
380static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
381 int msglevel, const char *fmt, ...)
382#ifdef __GNUC__
383#if __USE_MINGW_ANSI_STDIO
384__attribute__ ((format(gnu_printf, 4, 5)))
385#else
386__attribute__ ((format(__printf__, 4, 5)))
387#endif
388#endif
389;
390
391/*
392 * Send auth failed message from server to client.
393 *
394 * Does nothing if an exit is already scheduled
395 */
396void
397send_auth_failed(struct context *c, const char *client_reason)
398{
399 if (!schedule_exit(c))
400 {
401 msg(D_TLS_DEBUG, "exit already scheduled for context");
402 return;
403 }
404
405 struct gc_arena gc = gc_new();
406 static const char auth_failed[] = "AUTH_FAILED";
407 size_t len;
408
409 len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
410 if (len > PUSH_BUNDLE_SIZE)
411 {
412 len = PUSH_BUNDLE_SIZE;
413 }
414
415 {
416 struct buffer buf = alloc_buf_gc(len, &gc);
417 buf_printf(&buf, auth_failed);
418 if (client_reason)
419 {
420 buf_printf(&buf, ",%s", client_reason);
421 }
422
423 /* We kill the whole session, send the AUTH_FAILED to any TLS session
424 * that might be active */
425 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL],
426 BSTR(&buf), D_PUSH);
427 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE],
428 BSTR(&buf), D_PUSH);
429
431
432 }
433
434 gc_free(&gc);
435}
436
437
438bool
440 struct tls_session *session,
441 const char *extra, unsigned int timeout)
442{
443 struct key_state *ks = &session->key[KS_PRIMARY];
444
445 static const char info_pre[] = "INFO_PRE,";
446
447 const char *const peer_info = tls_multi->peer_info;
448 unsigned int proto = extract_iv_proto(peer_info);
449
450
451 /* Calculate the maximum timeout and subtract the time we already waited */
452 unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
454 max_timeout = max_timeout - (now - ks->initial);
455 timeout = min_uint(max_timeout, timeout);
456
457 struct gc_arena gc = gc_new();
458 if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
459 {
461 }
462 else
463 {
464 static const char auth_pre[] = "AUTH_PENDING,timeout ";
465 /* Assume a worst case of 8 byte uint64 in decimal which */
466 /* needs 20 bytes */
467 size_t len = 20 + 1 + sizeof(auth_pre);
468 struct buffer buf = alloc_buf_gc(len, &gc);
469 buf_printf(&buf, auth_pre);
470 buf_printf(&buf, "%u", timeout);
472 }
473
474 size_t len = strlen(extra) + 1 + sizeof(info_pre);
475 if (len > PUSH_BUNDLE_SIZE)
476 {
477 gc_free(&gc);
478 return false;
479 }
480
481 struct buffer buf = alloc_buf_gc(len, &gc);
482 buf_printf(&buf, info_pre);
483 buf_printf(&buf, "%s", extra);
485
486 ks->auth_deferred_expire = now + timeout;
487
488 gc_free(&gc);
489 return true;
490}
491
492/*
493 * Send restart message from server to client.
494 */
495void
496send_restart(struct context *c, const char *kill_msg)
497{
500}
501
502/*
503 * Push/Pull
504 */
505
506void
508{
509 struct gc_arena gc = gc_new();
510 unsigned int option_types_found = 0;
511
512 msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
513
516 &option_types_found);
517
518 if (status == PUSH_MSG_ERROR)
519 {
520 msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
521 }
523 {
524 c->options.push_option_types_found |= option_types_found;
525
526 /* delay bringing tun/tap up until --push parms received from remote */
527 if (status == PUSH_MSG_REPLY)
528 {
530 {
531 goto error;
532 }
533 if (!do_up(c, true, c->options.push_option_types_found))
534 {
535 msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
536 goto error;
537 }
538 }
541 }
542
543 goto cleanup;
544
545error:
546 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
547cleanup:
548 gc_free(&gc);
549}
550
551bool
553{
554 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
555
556 /* We timeout here under two conditions:
557 * a) we reached the hard limit of push_request_timeout
558 * b) we have not seen anything from the server in hand_window time
559 *
560 * for non auth-pending scenario, push_request_timeout is the same as
561 * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
562 * the server by a P_ACK_V1 packet that reset the keepalive timer
563 */
564
567 {
568 return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
569 }
570 else
571 {
572 msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
573 (int)(now - ks->established));
574 /* SOFT-SIGUSR1 -- server-pushed connection reset */
575 register_signal(c->sig, SIGUSR1, "no-push-reply");
576 return false;
577 }
578}
579
588void
590 struct push_list *push_list)
591{
592 /*
593 * If server uses --auth-gen-token and we have an auth token
594 * to send to the client
595 */
597 {
598 push_option_fmt(gc, push_list, M_USAGE, "auth-token %s",
600
601 char *base64user = NULL;
603 (int)strlen(tls_multi->locked_username),
604 &base64user);
605 if (ret < USER_PASS_LEN && ret > 0)
606 {
607 push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s",
608 base64user);
609 }
610 free(base64user);
611 }
612}
613
623bool
625 struct push_list *push_list)
626{
627 struct tls_multi *tls_multi = c->c2.tls_multi;
628 struct options *o = &c->options;
629
630 /* ipv6 */
632 {
633 push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
637 0, gc));
638 }
639
640 /* ipv4 */
644 {
647 {
649 }
650 push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
653 0, gc));
654 }
655
657 {
658 push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
660 }
661 /*
662 * If server uses --auth-gen-token and we have an auth token
663 * to send to the client
664 */
666
667 /*
668 * Push the selected cipher, at this point the cipher has been
669 * already negotiated and been fixed.
670 *
671 * We avoid pushing the cipher to clients not supporting NCP
672 * to avoid error messages in their logs
673 */
675 {
676 push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
677 }
678
679 struct buffer proto_flags = alloc_buf_gc(128, gc);
680
681 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
682 {
683 buf_printf(&proto_flags, " cc-exit");
684
685 /* if the cc exit flag is supported, pushing tls-ekm via protocol-flags
686 * is also supported */
687 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
688 {
689 buf_printf(&proto_flags, " tls-ekm");
690 }
691 }
692 else if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
693 {
694 push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
695 }
696
697 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
698 {
699 buf_printf(&proto_flags, " dyn-tls-crypt");
700 }
701
702 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
703 {
704 buf_printf(&proto_flags, " aead-epoch");
705 }
706
707 if (buf_len(&proto_flags) > 0)
708 {
709 push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags));
710 }
711
712 /* Push our mtu to the peer if it supports pushable MTUs */
713 int client_max_mtu = 0;
714 const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc);
715
716 if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1)
717 {
718 push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
719 if (client_max_mtu < o->ce.tun_mtu)
720 {
721 msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
722 "than MTU used on the server (%d). Add tun-max-mtu %d "
723 "to client configuration.", client_max_mtu,
724 o->ce.tun_mtu, o->ce.tun_mtu);
725 }
726 }
727
728 return true;
729}
730
731static bool
732send_push_options(struct context *c, struct buffer *buf,
733 struct push_list *push_list, int safe_cap,
734 bool *push_sent, bool *multi_push)
735{
736 struct push_entry *e = push_list->head;
737
738 while (e)
739 {
740 if (e->enable)
741 {
742 const int l = strlen(e->option);
743 if (BLEN(buf) + l >= safe_cap)
744 {
745 buf_printf(buf, ",push-continuation 2");
746 {
747 const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
748 if (!status)
749 {
750 return false;
751 }
752 *push_sent = true;
753 *multi_push = true;
754 buf_reset_len(buf);
755 buf_printf(buf, "%s", push_reply_cmd);
756 }
757 }
758 if (BLEN(buf) + l >= safe_cap)
759 {
760 msg(M_WARN, "--push option is too long");
761 return false;
762 }
763 buf_printf(buf, ",%s", e->option);
764 }
765 e = e->next;
766 }
767 return true;
768}
769
770void
772{
773 struct gc_arena gc = gc_new();
774 struct push_list push_list = { 0 };
775 struct tls_session *session = &multi->session[TM_ACTIVE];
776
778
779 /* prepare auth token should always add the auth-token option */
780 struct push_entry *e = push_list.head;
781 ASSERT(e && e->enable);
782
783 /* Construct a mimimal control channel push reply message */
784 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
785 buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
787 gc_free(&gc);
788}
789
790bool
792{
793 struct gc_arena gc = gc_new();
794 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
795 bool multi_push = false;
796 const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
797 const int safe_cap = BCAP(&buf) - extra;
798 bool push_sent = false;
799
800 buf_printf(&buf, "%s", push_reply_cmd);
801
802 /* send options which are common to all clients */
803 if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
805 {
806 goto fail;
807 }
808
809 /* send client-specific options */
812 {
813 goto fail;
814 }
815
816 if (multi_push)
817 {
818 buf_printf(&buf, ",push-continuation 1");
819 }
820
821 if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
822 {
823 const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
824 if (!status)
825 {
826 goto fail;
827 }
828 push_sent = true;
829 }
830
831 /* If nothing have been pushed, send an empty push,
832 * as the client is expecting a response
833 */
834 if (!push_sent)
835 {
836 bool status = false;
837
838 buf_reset_len(&buf);
839 buf_printf(&buf, "%s", push_reply_cmd);
841 if (!status)
842 {
843 goto fail;
844 }
845 }
846
847 gc_free(&gc);
848 return true;
849
850fail:
851 gc_free(&gc);
852 return false;
853}
854
855static void
857 const char *opt, bool enable, int msglevel)
858{
859 if (!string_class(opt, CC_ANY, CC_COMMA))
860 {
861 msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
862 }
863 else
864 {
865 struct push_entry *e;
866 ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
867 e->enable = true;
868 e->option = opt;
869 if (push_list->head)
870 {
872 push_list->tail->next = e;
873 push_list->tail = e;
874 }
875 else
876 {
878 push_list->head = e;
879 push_list->tail = e;
880 }
881 }
882}
883
884void
885push_option(struct options *o, const char *opt, int msglevel)
886{
887 push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
888}
889
890void
892{
893 if (o->push_list.head)
894 {
895 const struct push_entry *e = o->push_list.head;
896 push_reset(o);
897 while (e)
898 {
899 push_option_ex(&o->gc, &o->push_list,
900 string_alloc(e->option, &o->gc), true, M_FATAL);
901 e = e->next;
902 }
903 }
904}
905
906void
907push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
908{
909 const char **argv = make_extended_arg_array(p, false, gc);
910 char *opt = print_argv(argv, gc, 0);
911 push_option(o, opt, msglevel);
912}
913
914static bool
916 int msglevel, const char *format, ...)
917{
918 va_list arglist;
919 char tmp[256] = {0};
920 int len;
921 va_start(arglist, format);
922 len = vsnprintf(tmp, sizeof(tmp), format, arglist);
923 va_end(arglist);
924 if (len > sizeof(tmp)-1)
925 {
926 return false;
927 }
928 push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
929 return true;
930}
931
932void
934{
935 CLEAR(o->push_list);
936}
937
938void
939push_remove_option(struct options *o, const char *p)
940{
941 msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
942
943 /* ifconfig is special, as not part of the push list */
944 if (streq(p, "ifconfig"))
945 {
947 return;
948 }
949
950 /* ifconfig-ipv6 is special, as not part of the push list */
951 if (streq( p, "ifconfig-ipv6" ))
952 {
954 return;
955 }
956
957 if (o && o->push_list.head)
958 {
959 struct push_entry *e = o->push_list.head;
960
961 /* cycle through the push list */
962 while (e)
963 {
964 if (e->enable
965 && strncmp( e->option, p, strlen(p) ) == 0)
966 {
967 msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
968 e->enable = false;
969 }
970
971 e = e->next;
972 }
973 }
974}
975
976int
978{
979 int ret = PUSH_MSG_ERROR;
980
981
984 {
985 const char *client_reason = tls_client_reason(c->c2.tls_multi);
986 send_auth_failed(c, client_reason);
988 }
991 {
992 time_t now;
993
996 {
998 }
999 else
1000 {
1001 /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
1002 struct push_list push_list = { 0 };
1003 struct gc_arena gc = gc_new();
1004
1006 && send_push_reply(c, &push_list))
1007 {
1008 ret = PUSH_MSG_REQUEST;
1009 c->c2.sent_push_reply_expiry = now + 30;
1010 }
1011 gc_free(&gc);
1012 }
1013 }
1014 else
1015 {
1017 }
1018
1019 return ret;
1020}
1021
1022static void
1023push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
1024{
1025 char line[OPTION_PARM_SIZE];
1026 while (buf_parse(buf, ',', line, sizeof(line)))
1027 {
1028 /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
1029 if (strprefix(line, "peer-id ")
1030 || strprefix(line, "auth-token ")
1031 || strprefix(line, "auth-token-user "))
1032 {
1033 continue;
1034 }
1035 /* tun reopen only needed if cipher change can change tun MTU */
1036 if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
1037 {
1038 continue;
1039 }
1040 md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
1041 }
1042}
1043
1044static int
1046 unsigned int permission_mask,
1047 unsigned int *option_types_found,
1048 struct buffer *buf)
1049{
1050 int ret = PUSH_MSG_ERROR;
1051 const uint8_t ch = buf_read_u8(buf);
1052 if (ch == ',')
1053 {
1054 struct buffer buf_orig = (*buf);
1055 if (!c->c2.pulled_options_digest_init_done)
1056 {
1057 c->c2.pulled_options_state = md_ctx_new();
1058 md_ctx_init(c->c2.pulled_options_state, "SHA256");
1059 c->c2.pulled_options_digest_init_done = true;
1060 }
1061 if (apply_push_options(&c->options,
1062 buf,
1064 option_types_found,
1065 c->c2.es))
1066 {
1067 push_update_digest(c->c2.pulled_options_state, &buf_orig,
1068 &c->options);
1069 switch (c->options.push_continuation)
1070 {
1071 case 0:
1072 case 1:
1073 md_ctx_final(c->c2.pulled_options_state,
1074 c->c2.pulled_options_digest.digest);
1075 md_ctx_cleanup(c->c2.pulled_options_state);
1076 md_ctx_free(c->c2.pulled_options_state);
1077 c->c2.pulled_options_state = NULL;
1078 c->c2.pulled_options_digest_init_done = false;
1079 ret = PUSH_MSG_REPLY;
1080 break;
1081
1082 case 2:
1084 break;
1085 }
1086 }
1087 }
1088 else if (ch == '\0')
1089 {
1090 ret = PUSH_MSG_REPLY;
1091 }
1092 /* show_settings (&c->options); */
1093 return ret;
1094}
1095
1096int
1098 const struct buffer *buffer,
1100 unsigned int permission_mask,
1101 unsigned int *option_types_found)
1102{
1103 struct buffer buf = *buffer;
1104
1105 if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
1106 {
1107 c->c2.push_request_received = true;
1109 }
1110 else if (honor_received_options
1112 {
1114 option_types_found, &buf);
1115 }
1116 else
1117 {
1118 return PUSH_MSG_ERROR;
1119 }
1120}
1121
1122
1123/*
1124 * Remove iroutes from the push_list.
1125 */
1126void
1128{
1129 if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
1130 {
1131 struct gc_arena gc = gc_new();
1132 struct push_entry *e = o->push_list.head;
1133
1134 /* cycle through the push list */
1135 while (e)
1136 {
1137 char *p[MAX_PARMS+1];
1138 bool enable = true;
1139
1140 /* parse the push item */
1141 CLEAR(p);
1142 if (e->enable
1143 && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
1144 {
1145 /* is the push item a route directive? */
1146 if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
1147 {
1148 /* get route parameters */
1149 bool status1, status2;
1150 const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1151 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1152
1153 /* did route parameters parse correctly? */
1154 if (status1 && status2)
1155 {
1156 const struct iroute *ir;
1157
1158 /* does route match an iroute? */
1159 for (ir = o->iroutes; ir != NULL; ir = ir->next)
1160 {
1161 if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1162 {
1163 enable = false;
1164 break;
1165 }
1166 }
1167 }
1168 }
1169 else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2]
1170 && o->iroutes_ipv6)
1171 {
1172 /* get route parameters */
1173 struct in6_addr network;
1174 unsigned int netbits;
1175
1176 /* parse route-ipv6 arguments */
1177 if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG))
1178 {
1179 struct iroute_ipv6 *ir;
1180
1181 /* does this route-ipv6 match an iroute-ipv6? */
1182 for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next)
1183 {
1184 if (!memcmp(&network, &ir->network, sizeof(network))
1185 && netbits == ir->netbits)
1186 {
1187 enable = false;
1188 break;
1189 }
1190 }
1191 }
1192 }
1193
1194 /* should we copy the push item? */
1195 e->enable = enable;
1196 if (!enable)
1197 {
1198 msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1199 }
1200 }
1201
1202 e = e->next;
1203 }
1204
1205 gc_free(&gc);
1206 }
1207}
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition buffer.c:789
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition buffer.c:1022
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition buffer.c:717
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:778
#define CC_COMMA
comma
Definition buffer.h:904
#define BSTR(buf)
Definition buffer.h:129
#define CC_ANY
any character
Definition buffer.h:883
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:790
#define BLEN(buf)
Definition buffer.h:127
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
#define BCAP(buf)
Definition buffer.h:130
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
static char * buf_str(const struct buffer *buf)
Definition buffer.h:297
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:977
static struct gc_arena gc_new(void)
Definition buffer.h:1025
#define PUSH_BUNDLE_SIZE
Definition common.h:88
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
md_ctx_t * md_ctx_new(void)
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
void md_ctx_cleanup(md_ctx_t *ctx)
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
void md_ctx_init(md_ctx_t *ctx, const char *mdname)
Initialises the given message digest context.
void md_ctx_free(md_ctx_t *ctx)
mbedtls_md_context_t md_ctx_t
Generic message digest context.
#define D_PUSH
Definition errlevel.h:83
#define M_VERB0
Definition errlevel.h:53
#define D_ROUTE_DEBUG
Definition errlevel.h:133
#define D_PUSH_DEBUG
Definition errlevel.h:150
#define D_STREAM_ERRORS
Definition errlevel.h:63
#define D_PUSH_ERRORS
Definition errlevel.h:67
#define D_TLS_DEBUG
Definition errlevel.h:165
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:403
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition forward.c:381
bool schedule_exit(struct context *c)
Definition forward.c:533
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:410
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition ssl_common.h:539
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:459
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:538
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2464
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2601
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition integer.h:63
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition integer.h:50
static SERVICE_STATUS status
Definition interactive.c:53
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:155
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3092
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2749
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2906
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition manage.c:2963
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition manage.c:2900
#define OPENVPN_STATE_AUTH_PENDING
Definition manage.h:483
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition misc.c:640
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:670
#define CLEAR(x)
Definition basic.h:33
#define SIZE(x)
Definition basic.h:30
#define M_USAGE
Definition error.h:106
#define M_FATAL
Definition error.h:89
#define dmsg(flags,...)
Definition error.h:148
#define msg(flags,...)
Definition error.h:144
#define ASSERT(x)
Definition error.h:195
#define M_WARN
Definition error.h:91
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4183
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5486
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:4949
int auth_retry_get(void)
Definition options.c:4756
#define MODE_SERVER
Definition options.h:259
#define streq(x, y)
Definition options.h:726
#define AR_INTERACT
Definition options.h:904
#define OPTION_PARM_SIZE
Definition options.h:57
#define AR_NONE
Definition options.h:903
#define AR_NOINTERACT
Definition options.h:905
#define MAX_PARMS
Definition options.h:52
#define OPTION_LINE_SIZE
Definition options.h:58
const char * parse_auth_failed_temp(struct options *o, const char *reason)
time_t now
Definition otime.c:34
static time_t openvpn_time(time_t *t)
Definition otime.h:90
int process_incoming_push_request(struct context *c)
Definition push.c:977
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:341
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition push.c:915
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:51
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:496
void push_option(struct options *o, const char *opt, int msglevel)
Definition push.c:885
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:133
void push_reset(struct options *o)
Definition push.c:933
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:266
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:397
static char push_reply_cmd[]
Definition push.c:42
void clone_push_list(struct options *o)
Definition push.c:891
void receive_exit_message(struct context *c)
Definition push.c:193
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition push.c:589
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition push.c:1045
bool send_push_request(struct context *c)
Definition push.c:552
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition push.c:856
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:439
void push_remove_option(struct options *o, const char *p)
Definition push.c:939
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:507
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:907
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition push.c:624
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition push.c:1023
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition push.c:732
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1127
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition push.c:298
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition push.c:1097
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition push.c:791
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:229
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
Definition push.c:771
#define PUSH_MSG_REQUEST
Definition push.h:30
#define PUSH_MSG_REQUEST_DEFERRED
Definition push.h:32
#define PUSH_MSG_ERROR
Definition push.h:29
#define PUSH_MSG_REPLY
Definition push.h:31
#define PUSH_MSG_AUTH_FAILURE
Definition push.h:33
#define PUSH_MSG_CONTINUATION
Definition push.h:34
#define PUSH_MSG_ALREADY_REPLIED
Definition push.h:35
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:394
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:231
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:226
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3017
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:2997
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
#define GETADDR_HOST_ORDER
Definition socket.h:519
int openvpn_base64_encode(const void *data, int size, char **str)
Definition base64.c:52
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:392
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:417
bool ssl_clean_auth_token(void)
Definition ssl.c:381
Control Channel SSL/Data channel negotiation module.
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
@ CAS_CONNECT_DONE
Definition ssl_common.h:586
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:578
#define UP_TYPE_AUTH
Definition ssl_common.h:42
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:748
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition ssl_ncp.c:80
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition ssl_util.c:32
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:62
SSL utility functions.
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Control Channel Verification Module.
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:74
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:75
static const char * tls_client_reason(struct tls_multi *multi)
Definition ssl_verify.h:282
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
bool tun_mtu_defined
Definition options.h:129
bool push_ifconfig_ipv6_defined
Definition openvpn.h:434
bool push_ifconfig_defined
Definition openvpn.h:428
struct env_set * es
Definition openvpn.h:420
time_t push_request_timeout
Definition openvpn.h:440
struct event_timeout wait_for_connect
Definition openvpn.h:282
struct event_timeout push_request_interval
Definition openvpn.h:439
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
time_t sent_push_reply_expiry
Definition openvpn.h:429
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:437
int push_ifconfig_ipv6_netbits
Definition openvpn.h:436
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:435
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:432
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:431
in_addr_t push_ifconfig_local
Definition openvpn.h:430
Contains all state information for one tunnel.
Definition openvpn.h:474
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:500
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
struct iroute_ipv6 * next
Definition route.h:250
unsigned int netbits
Definition route.h:249
struct in6_addr network
Definition route.h:248
in_addr_t network
Definition route.h:242
int netbits
Definition route.h:243
struct iroute * next
Definition route.h:244
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:203
time_t established
Definition ssl_common.h:223
unsigned int mda_key_id
Definition ssl_common.h:258
time_t initial
Definition ssl_common.h:222
time_t peer_last_packet
Definition ssl_common.h:226
time_t auth_deferred_expire
Definition ssl_common.h:255
unsigned int push_option_types_found
Definition options.h:558
bool push_ifconfig_ipv6_blocked
Definition options.h:525
int handshake_window
Definition options.h:652
const char * ifconfig_local
Definition options.h:321
struct connection_entry ce
Definition options.h:288
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:512
struct push_list push_list
Definition options.h:487
const char * ciphername
Definition options.h:573
bool pull
Definition options.h:556
struct gc_arena gc
Definition options.h:251
struct iroute * iroutes
Definition options.h:511
bool no_advance
Definition options.h:293
bool push_ifconfig_ipv4_blocked
Definition options.h:520
Definition pushlist.h:29
struct push_entry * next
Definition pushlist.h:30
bool enable
Definition pushlist.h:31
const char * option
Definition pushlist.h:32
struct push_entry * head
Definition pushlist.h:36
struct push_entry * tail
Definition pushlist.h:37
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:604
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:665
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:642
enum multi_status multi_state
Definition ssl_common.h:625
struct tls_options opt
Definition ssl_common.h:609
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:704
uint32_t peer_id
Definition ssl_common.h:692
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition ssl_common.h:671
bool use_peer_id
Definition ssl_common.h:693
interval_t renegotiate_seconds
Definition ssl_common.h:342
int handshake_window
Definition ssl_common.h:335
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483
__attribute__((unused))
Definition test.c:42
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:155