OpenVPN
push.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "push.h"
33 #include "options.h"
34 #include "ssl.h"
35 #include "ssl_verify.h"
36 #include "ssl_ncp.h"
37 #include "manage.h"
38 
39 #include "memdbg.h"
40 #include "ssl_util.h"
41 #include "options_util.h"
42 
43 static char push_reply_cmd[] = "PUSH_REPLY";
44 
45 /*
46  * Auth username/password
47  *
48  * Client received an authentication failed message from server.
49  * Runs on client.
50  */
51 void
52 receive_auth_failed(struct context *c, const struct buffer *buffer)
53 {
54  msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
55  c->options.no_advance = true;
56 
57  if (!c->options.pull)
58  {
59  return;
60  }
61 
62  struct buffer buf = *buffer;
63 
64  /* If the AUTH_FAIL message ends with a , it is an extended message that
65  * contains further flags */
66  bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,");
67 
68  const char *reason = NULL;
69  if (authfail_extended && BLEN(&buf))
70  {
71  reason = BSTR(&buf);
72  }
73 
74  if (authfail_extended && buf_string_match_head_str(&buf, "TEMP"))
75  {
76  parse_auth_failed_temp(&c->options, reason + strlen("TEMP"));
77  register_signal(c->sig, SIGUSR1, "auth-temp-failure (server temporary reject)");
78  }
79 
80  /* Before checking how to react on AUTH_FAILED, first check if the
81  * failed auth might be the result of an expired auth-token.
82  * Note that a server restart will trigger a generic AUTH_FAILED
83  * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
84  * identical for this scenario */
85  else if (ssl_clean_auth_token())
86  {
87  /* SOFT-SIGUSR1 -- Auth failure error */
88  register_signal(c->sig, SIGUSR1, "auth-failure (auth-token)");
89  c->options.no_advance = true;
90  }
91  else
92  {
93  switch (auth_retry_get())
94  {
95  case AR_NONE:
96  /* SOFT-SIGTERM -- Auth failure error */
97  register_signal(c->sig, SIGTERM, "auth-failure");
98  break;
99 
100  case AR_INTERACT:
101  ssl_purge_auth(false);
102 
103  case AR_NOINTERACT:
104  /* SOFT-SIGTUSR1 -- Auth failure error */
105  register_signal(c->sig, SIGUSR1, "auth-failure");
106  break;
107 
108  default:
109  ASSERT(0);
110  }
111  }
112 #ifdef ENABLE_MANAGEMENT
113  if (management)
114  {
115  management_auth_failure(management, UP_TYPE_AUTH, reason);
116  }
117  /*
118  * Save the dynamic-challenge text even when management is defined
119  */
120  if (authfail_extended
121  && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
122  {
123  ssl_put_auth_challenge(BSTR(&buf));
124  }
125 #endif /* ifdef ENABLE_MANAGEMENT */
126 
127 }
128 
129 /*
130  * Act on received restart message from server
131  */
132 void
133 server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
134 {
135  if (c->options.pull)
136  {
137  struct buffer buf = *buffer;
138  const char *m = "";
139  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
140  {
141  m = BSTR(&buf);
142  }
143 
144  /* preserve cached passwords? */
145  /* advance to next server? */
146  {
147  bool purge = true;
148 
149  if (m[0] == '[')
150  {
151  int i;
152  for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
153  {
154  if (m[i] == 'P')
155  {
156  purge = false;
157  }
158  else if (m[i] == 'N')
159  {
160  /* next server? */
161  c->options.no_advance = false;
162  }
163  }
164  }
165  if (purge)
166  {
167  ssl_purge_auth(true);
168  }
169  }
170 
171  if (restart)
172  {
173  msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
174  /* SOFT-SIGUSR1 -- server-pushed connection reset */
175  register_signal(c->sig, SIGUSR1, "server-pushed-connection-reset");
176  }
177  else
178  {
179  msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
180  /* SOFT-SIGTERM -- server-pushed halt */
181  register_signal(c->sig, SIGTERM, "server-pushed-halt");
182  }
183 #ifdef ENABLE_MANAGEMENT
184  if (management)
185  {
186  management_notify(management, "info", c->sig->signal_text, m);
187  }
188 #endif
189  }
190 }
191 
192 void
193 receive_exit_message(struct context *c)
194 {
195  dmsg(D_STREAM_ERRORS, "Exit message received by peer");
196  /* With control channel exit notification, we want to give the session
197  * enough time to handle retransmits and acknowledgment, so that eventual
198  * retries from the client to resend the exit or ACKs will not trigger
199  * a new session (we already forgot the session but the packet's HMAC
200  * is still valid). This could happen for the entire period that the
201  * HMAC timeslot is still valid, but waiting five seconds here does not
202  * hurt much, takes care of the retransmits, and is easier code-wise.
203  *
204  * This does not affect OCC exit since the HMAC session code will
205  * ignore DATA packets
206  * */
207  if (c->options.mode == MODE_SERVER)
208  {
209  schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
210  }
211  else
212  {
213  register_signal(c->sig, SIGUSR1, "remote-exit");
214  }
215 #ifdef ENABLE_MANAGEMENT
216  if (management)
217  {
218  management_notify(management, "info", "remote-exit", "EXIT");
219  }
220 #endif
221 }
222 
223 
224 void
225 server_pushed_info(struct context *c, const struct buffer *buffer,
226  const int adv)
227 {
228  const char *m = "";
229  struct buffer buf = *buffer;
230 
231  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
232  {
233  m = BSTR(&buf);
234  }
235 
236 #ifdef ENABLE_MANAGEMENT
237  struct gc_arena gc;
238  if (management)
239  {
240  gc = gc_new();
241 
242  /*
243  * We use >INFOMSG here instead of plain >INFO since INFO is used to
244  * for management greeting and we don't want to confuse the client
245  */
246  struct buffer out = alloc_buf_gc(256, &gc);
247  buf_printf(&out, ">%s:%s", "INFOMSG", m);
248  management_notify_generic(management, BSTR(&out));
249 
250  gc_free(&gc);
251  }
252  #endif
253  msg(D_PUSH, "Info command was pushed by server ('%s')", m);
254 }
255 
256 void
257 receive_cr_response(struct context *c, const struct buffer *buffer)
258 {
259  struct buffer buf = *buffer;
260  const char *m = "";
261 
262  if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
263  {
264  m = BSTR(&buf);
265  }
266 #ifdef ENABLE_MANAGEMENT
267  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
268  struct man_def_auth_context *mda = session->opt->mda_context;
269  struct env_set *es = session->opt->es;
270  int key_id = get_primary_key(c->c2.tls_multi)->key_id;
271 
272  management_notify_client_cr_response(key_id, mda, es, m);
273 #endif
274 #if ENABLE_PLUGIN
275  verify_crresponse_plugin(c->c2.tls_multi, m);
276 #endif
277  verify_crresponse_script(c->c2.tls_multi, m);
278  msg(D_PUSH, "CR response was sent by client ('%s')", m);
279 }
280 
288 static void
289 parse_auth_pending_keywords(const struct buffer *buffer,
290  unsigned int *server_timeout)
291 {
292  struct buffer buf = *buffer;
293 
294  /* does the buffer start with "AUTH_PENDING," ? */
295  if (!buf_advance(&buf, strlen("AUTH_PENDING"))
296  || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
297  {
298 #ifdef ENABLE_MANAGEMENT
299  if (management)
300  {
301  management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
302  "", NULL, NULL, NULL, NULL);
303  }
304 #endif
305 
306  return;
307  }
308 
309  /* parse the keywords in the same way that push options are parsed */
310  char line[OPTION_LINE_SIZE];
311 
312 #ifdef ENABLE_MANAGEMENT
313  /* Need to do the management notification with the keywords before
314  * buf_parse is called, as it will insert \0 bytes into the buffer */
315  if (management)
316  {
317  management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
318  BSTR(&buf), NULL, NULL, NULL, NULL);
319  }
320 #endif
321 
322  while (buf_parse(&buf, ',', line, sizeof(line)))
323  {
324  if (sscanf(line, "timeout %u", server_timeout) != 1)
325  {
326  msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
327  }
328  }
329 }
330 
331 void
332 receive_auth_pending(struct context *c, const struct buffer *buffer)
333 {
334  if (!c->options.pull)
335  {
336  return;
337  }
338 
339  /* Cap the increase at the maximum time we are willing stay in the
340  * pending authentication state */
341  unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
342  c->options.handshake_window);
343 
344  /* try to parse parameter keywords, default to hand-winow timeout if the
345  * server does not supply a timeout */
346  unsigned int server_timeout = c->options.handshake_window;
347  parse_auth_pending_keywords(buffer, &server_timeout);
348 
349  msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
350  "to %us", c->options.handshake_window,
351  min_uint(max_timeout, server_timeout));
352 
353  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
354  c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
355 }
356 
371 static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
372  int msglevel, const char *fmt, ...)
373 #ifdef __GNUC__
374 #if __USE_MINGW_ANSI_STDIO
375 __attribute__ ((format(gnu_printf, 4, 5)))
376 #else
377 __attribute__ ((format(__printf__, 4, 5)))
378 #endif
379 #endif
380 ;
381 
382 /*
383  * Send auth failed message from server to client.
384  *
385  * Does nothing if an exit is already scheduled
386  */
387 void
388 send_auth_failed(struct context *c, const char *client_reason)
389 {
390  if (event_timeout_defined(&c->c2.scheduled_exit))
391  {
392  msg(D_TLS_DEBUG, "exit already scheduled for context");
393  return;
394  }
395 
396  struct gc_arena gc = gc_new();
397  static const char auth_failed[] = "AUTH_FAILED";
398  size_t len;
399 
400  schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
401 
402  len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
403  if (len > PUSH_BUNDLE_SIZE)
404  {
405  len = PUSH_BUNDLE_SIZE;
406  }
407 
408  {
409  struct buffer buf = alloc_buf_gc(len, &gc);
410  buf_printf(&buf, auth_failed);
411  if (client_reason)
412  {
413  buf_printf(&buf, ",%s", client_reason);
414  }
415 
416  /* We kill the whole session, send the AUTH_FAILED to any TLS session
417  * that might be active */
418  send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL],
419  BSTR(&buf), D_PUSH);
420  send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE],
421  BSTR(&buf), D_PUSH);
422 
423  reschedule_multi_process(c);
424 
425  }
426 
427  gc_free(&gc);
428 }
429 
430 
431 bool
432 send_auth_pending_messages(struct tls_multi *tls_multi,
433  struct tls_session *session,
434  const char *extra, unsigned int timeout)
435 {
436  struct key_state *ks = &session->key[KS_PRIMARY];
437 
438  static const char info_pre[] = "INFO_PRE,";
439 
440  const char *const peer_info = tls_multi->peer_info;
441  unsigned int proto = extract_iv_proto(peer_info);
442 
443 
444  /* Calculate the maximum timeout and subtract the time we already waited */
445  unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
446  tls_multi->opt.handshake_window);
447  max_timeout = max_timeout - (now - ks->initial);
448  timeout = min_uint(max_timeout, timeout);
449 
450  struct gc_arena gc = gc_new();
451  if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
452  {
453  send_control_channel_string_dowork(session, "AUTH_PENDING", D_PUSH);
454  }
455  else
456  {
457  static const char auth_pre[] = "AUTH_PENDING,timeout ";
458  /* Assume a worst case of 8 byte uint64 in decimal which */
459  /* needs 20 bytes */
460  size_t len = 20 + 1 + sizeof(auth_pre);
461  struct buffer buf = alloc_buf_gc(len, &gc);
462  buf_printf(&buf, auth_pre);
463  buf_printf(&buf, "%u", timeout);
464  send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH);
465  }
466 
467  size_t len = strlen(extra) + 1 + sizeof(info_pre);
468  if (len > PUSH_BUNDLE_SIZE)
469  {
470  gc_free(&gc);
471  return false;
472  }
473 
474  struct buffer buf = alloc_buf_gc(len, &gc);
475  buf_printf(&buf, info_pre);
476  buf_printf(&buf, "%s", extra);
477  send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH);
478 
479  ks->auth_deferred_expire = now + timeout;
480 
481  gc_free(&gc);
482  return true;
483 }
484 
485 /*
486  * Send restart message from server to client.
487  */
488 void
489 send_restart(struct context *c, const char *kill_msg)
490 {
491  schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
492  send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
493 }
494 
495 /*
496  * Push/Pull
497  */
498 
499 void
500 incoming_push_message(struct context *c, const struct buffer *buffer)
501 {
502  struct gc_arena gc = gc_new();
503  unsigned int option_types_found = 0;
504 
505  msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
506 
507  int status = process_incoming_push_msg(c, buffer, c->options.pull,
508  pull_permission_mask(c),
509  &option_types_found);
510 
511  if (status == PUSH_MSG_ERROR)
512  {
513  msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
514  }
515  else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
516  {
517  c->options.push_option_types_found |= option_types_found;
518 
519  /* delay bringing tun/tap up until --push parms received from remote */
520  if (status == PUSH_MSG_REPLY)
521  {
522  if (!options_postprocess_pull(&c->options, c->c2.es))
523  {
524  goto error;
525  }
526  if (!do_up(c, true, c->options.push_option_types_found))
527  {
528  msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
529  goto error;
530  }
531  }
532  event_timeout_clear(&c->c2.push_request_interval);
533  event_timeout_clear(&c->c2.wait_for_connect);
534  }
535 
536  goto cleanup;
537 
538 error:
539  register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
540 cleanup:
541  gc_free(&gc);
542 }
543 
544 bool
545 send_push_request(struct context *c)
546 {
547  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
548 
549  /* We timeout here under two conditions:
550  * a) we reached the hard limit of push_request_timeout
551  * b) we have not seen anything from the server in hand_window time
552  *
553  * for non auth-pending scenario, push_request_timeout is the same as
554  * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
555  * the server by a P_ACK_V1 packet that reset the keepalive timer
556  */
557 
558  if (c->c2.push_request_timeout > now
559  && (now - ks->peer_last_packet) < c->options.handshake_window)
560  {
561  return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
562  }
563  else
564  {
565  msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
566  (int)(now - ks->established));
567  /* SOFT-SIGUSR1 -- server-pushed connection reset */
568  register_signal(c->sig, SIGUSR1, "no-push-reply");
569  return false;
570  }
571 }
572 
581 void
582 prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc,
583  struct push_list *push_list)
584 {
585  /*
586  * If server uses --auth-gen-token and we have an auth token
587  * to send to the client
588  */
589  if (tls_multi->auth_token)
590  {
591  push_option_fmt(gc, push_list, M_USAGE,
592  "auth-token %s",
593  tls_multi->auth_token);
594  }
595 }
596 
606 bool
607 prepare_push_reply(struct context *c, struct gc_arena *gc,
608  struct push_list *push_list)
609 {
610  struct tls_multi *tls_multi = c->c2.tls_multi;
611  struct options *o = &c->options;
612 
613  /* ipv6 */
614  if (c->c2.push_ifconfig_ipv6_defined && !o->push_ifconfig_ipv6_blocked)
615  {
616  push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
617  print_in6_addr(c->c2.push_ifconfig_ipv6_local, 0, gc),
618  c->c2.push_ifconfig_ipv6_netbits,
619  print_in6_addr(c->c2.push_ifconfig_ipv6_remote,
620  0, gc));
621  }
622 
623  /* ipv4 */
624  if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local
625  && c->c2.push_ifconfig_remote_netmask
626  && !o->push_ifconfig_ipv4_blocked)
627  {
628  in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
629  if (c->c2.push_ifconfig_local_alias)
630  {
631  ifconfig_local = c->c2.push_ifconfig_local_alias;
632  }
633  push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
634  print_in_addr_t(ifconfig_local, 0, gc),
635  print_in_addr_t(c->c2.push_ifconfig_remote_netmask,
636  0, gc));
637  }
638 
639  if (tls_multi->use_peer_id)
640  {
641  push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
642  tls_multi->peer_id);
643  }
644  /*
645  * If server uses --auth-gen-token and we have an auth token
646  * to send to the client
647  */
648  prepare_auth_token_push_reply(tls_multi, gc, push_list);
649 
650  /*
651  * Push the selected cipher, at this point the cipher has been
652  * already negotiated and been fixed.
653  *
654  * We avoid pushing the cipher to clients not supporting NCP
655  * to avoid error messages in their logs
656  */
657  if (tls_peer_supports_ncp(c->c2.tls_multi->peer_info))
658  {
659  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
660  }
661 
662  struct buffer proto_flags = alloc_buf_gc(128, gc);
663 
664  if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
665  {
666  buf_printf(&proto_flags, " cc-exit");
667 
668  /* if the cc exit flag is supported, pushing tls-ekm via protocol-flags
669  * is also supported */
670  if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
671  {
672  buf_printf(&proto_flags, " tls-ekm");
673  }
674  }
675  else if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
676  {
677  push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
678  }
679 
680  if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
681  {
682  buf_printf(&proto_flags, " dyn-tls-crypt");
683  }
684 
685  if (buf_len(&proto_flags) > 0)
686  {
687  push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags));
688  }
689 
690  /* Push our mtu to the peer if it supports pushable MTUs */
691  int client_max_mtu = 0;
692  const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc);
693 
694  if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1)
695  {
696  push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
697  if (client_max_mtu < o->ce.tun_mtu)
698  {
699  msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
700  "than MTU used on the server (%d). Add tun-max-mtu %d "
701  "to client configuration.", client_max_mtu,
702  o->ce.tun_mtu, o->ce.tun_mtu);
703  }
704  }
705 
706  return true;
707 }
708 
709 static bool
710 send_push_options(struct context *c, struct buffer *buf,
711  struct push_list *push_list, int safe_cap,
712  bool *push_sent, bool *multi_push)
713 {
714  struct push_entry *e = push_list->head;
715 
716  while (e)
717  {
718  if (e->enable)
719  {
720  const int l = strlen(e->option);
721  if (BLEN(buf) + l >= safe_cap)
722  {
723  buf_printf(buf, ",push-continuation 2");
724  {
725  const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
726  if (!status)
727  {
728  return false;
729  }
730  *push_sent = true;
731  *multi_push = true;
732  buf_reset_len(buf);
733  buf_printf(buf, "%s", push_reply_cmd);
734  }
735  }
736  if (BLEN(buf) + l >= safe_cap)
737  {
738  msg(M_WARN, "--push option is too long");
739  return false;
740  }
741  buf_printf(buf, ",%s", e->option);
742  }
743  e = e->next;
744  }
745  return true;
746 }
747 
748 void
749 send_push_reply_auth_token(struct tls_multi *multi)
750 {
751  struct gc_arena gc = gc_new();
752  struct push_list push_list = { 0 };
753  struct tls_session *session = &multi->session[TM_ACTIVE];
754 
755  prepare_auth_token_push_reply(multi, &gc, &push_list);
756 
757  /* prepare auth token should always add the auth-token option */
758  struct push_entry *e = push_list.head;
759  ASSERT(e && e->enable);
760 
761  /* Construct a mimimal control channel push reply message */
762  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
763  buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
764  send_control_channel_string_dowork(session, BSTR(&buf), D_PUSH);
765  gc_free(&gc);
766 }
767 
768 bool
769 send_push_reply(struct context *c, struct push_list *per_client_push_list)
770 {
771  struct gc_arena gc = gc_new();
772  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
773  bool multi_push = false;
774  const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
775  const int safe_cap = BCAP(&buf) - extra;
776  bool push_sent = false;
777 
778  buf_printf(&buf, "%s", push_reply_cmd);
779 
780  /* send options which are common to all clients */
781  if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
782  &push_sent, &multi_push))
783  {
784  goto fail;
785  }
786 
787  /* send client-specific options */
788  if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
789  &push_sent, &multi_push))
790  {
791  goto fail;
792  }
793 
794  if (multi_push)
795  {
796  buf_printf(&buf, ",push-continuation 1");
797  }
798 
799  if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
800  {
801  const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
802  if (!status)
803  {
804  goto fail;
805  }
806  push_sent = true;
807  }
808 
809  /* If nothing have been pushed, send an empty push,
810  * as the client is expecting a response
811  */
812  if (!push_sent)
813  {
814  bool status = false;
815 
816  buf_reset_len(&buf);
817  buf_printf(&buf, "%s", push_reply_cmd);
818  status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
819  if (!status)
820  {
821  goto fail;
822  }
823  }
824 
825  gc_free(&gc);
826  return true;
827 
828 fail:
829  gc_free(&gc);
830  return false;
831 }
832 
833 static void
834 push_option_ex(struct gc_arena *gc, struct push_list *push_list,
835  const char *opt, bool enable, int msglevel)
836 {
837  if (!string_class(opt, CC_ANY, CC_COMMA))
838  {
839  msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
840  }
841  else
842  {
843  struct push_entry *e;
844  ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
845  e->enable = true;
846  e->option = opt;
847  if (push_list->head)
848  {
849  ASSERT(push_list->tail);
850  push_list->tail->next = e;
851  push_list->tail = e;
852  }
853  else
854  {
855  ASSERT(!push_list->tail);
856  push_list->head = e;
857  push_list->tail = e;
858  }
859  }
860 }
861 
862 void
863 push_option(struct options *o, const char *opt, int msglevel)
864 {
865  push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
866 }
867 
868 void
869 clone_push_list(struct options *o)
870 {
871  if (o->push_list.head)
872  {
873  const struct push_entry *e = o->push_list.head;
874  push_reset(o);
875  while (e)
876  {
877  push_option_ex(&o->gc, &o->push_list,
878  string_alloc(e->option, &o->gc), true, M_FATAL);
879  e = e->next;
880  }
881  }
882 }
883 
884 void
885 push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
886 {
887  const char **argv = make_extended_arg_array(p, false, gc);
888  char *opt = print_argv(argv, gc, 0);
889  push_option(o, opt, msglevel);
890 }
891 
892 static bool
893 push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
894  int msglevel, const char *format, ...)
895 {
896  va_list arglist;
897  char tmp[256] = {0};
898  int len;
899  va_start(arglist, format);
900  len = vsnprintf(tmp, sizeof(tmp), format, arglist);
901  va_end(arglist);
902  if (len > sizeof(tmp)-1)
903  {
904  return false;
905  }
906  push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
907  return true;
908 }
909 
910 void
911 push_reset(struct options *o)
912 {
913  CLEAR(o->push_list);
914 }
915 
916 void
917 push_remove_option(struct options *o, const char *p)
918 {
919  msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
920 
921  /* ifconfig is special, as not part of the push list */
922  if (streq(p, "ifconfig"))
923  {
924  o->push_ifconfig_ipv4_blocked = true;
925  return;
926  }
927 
928  /* ifconfig-ipv6 is special, as not part of the push list */
929  if (streq( p, "ifconfig-ipv6" ))
930  {
931  o->push_ifconfig_ipv6_blocked = true;
932  return;
933  }
934 
935  if (o && o->push_list.head)
936  {
937  struct push_entry *e = o->push_list.head;
938 
939  /* cycle through the push list */
940  while (e)
941  {
942  if (e->enable
943  && strncmp( e->option, p, strlen(p) ) == 0)
944  {
945  msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
946  e->enable = false;
947  }
948 
949  e = e->next;
950  }
951  }
952 }
953 
954 int
955 process_incoming_push_request(struct context *c)
956 {
957  int ret = PUSH_MSG_ERROR;
958 
959 
960  if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_FAILED
961  || c->c2.tls_multi->multi_state == CAS_FAILED)
962  {
963  const char *client_reason = tls_client_reason(c->c2.tls_multi);
964  send_auth_failed(c, client_reason);
965  ret = PUSH_MSG_AUTH_FAILURE;
966  }
967  else if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_SUCCEEDED
968  && c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
969  {
970  time_t now;
971 
972  openvpn_time(&now);
973  if (c->c2.sent_push_reply_expiry > now)
974  {
975  ret = PUSH_MSG_ALREADY_REPLIED;
976  }
977  else
978  {
979  /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
980  struct push_list push_list = { 0 };
981  struct gc_arena gc = gc_new();
982 
983  if (prepare_push_reply(c, &gc, &push_list)
984  && send_push_reply(c, &push_list))
985  {
986  ret = PUSH_MSG_REQUEST;
987  c->c2.sent_push_reply_expiry = now + 30;
988  }
989  gc_free(&gc);
990  }
991  }
992  else
993  {
994  ret = PUSH_MSG_REQUEST_DEFERRED;
995  }
996 
997  return ret;
998 }
999 
1000 static void
1001 push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
1002 {
1003  char line[OPTION_PARM_SIZE];
1004  while (buf_parse(buf, ',', line, sizeof(line)))
1005  {
1006  /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
1007  if (strprefix(line, "peer-id ")
1008  || strprefix(line, "auth-token ")
1009  || strprefix(line, "auth-token-user "))
1010  {
1011  continue;
1012  }
1013  /* tun reopen only needed if cipher change can change tun MTU */
1014  if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
1015  {
1016  continue;
1017  }
1018  md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
1019  }
1020 }
1021 
1022 static int
1023 process_incoming_push_reply(struct context *c,
1024  unsigned int permission_mask,
1025  unsigned int *option_types_found,
1026  struct buffer *buf)
1027 {
1028  int ret = PUSH_MSG_ERROR;
1029  const uint8_t ch = buf_read_u8(buf);
1030  if (ch == ',')
1031  {
1032  struct buffer buf_orig = (*buf);
1033  if (!c->c2.pulled_options_digest_init_done)
1034  {
1035  c->c2.pulled_options_state = md_ctx_new();
1036  md_ctx_init(c->c2.pulled_options_state, "SHA256");
1037  c->c2.pulled_options_digest_init_done = true;
1038  }
1039  if (apply_push_options(&c->options,
1040  buf,
1041  permission_mask,
1042  option_types_found,
1043  c->c2.es))
1044  {
1045  push_update_digest(c->c2.pulled_options_state, &buf_orig,
1046  &c->options);
1047  switch (c->options.push_continuation)
1048  {
1049  case 0:
1050  case 1:
1051  md_ctx_final(c->c2.pulled_options_state,
1052  c->c2.pulled_options_digest.digest);
1053  md_ctx_cleanup(c->c2.pulled_options_state);
1054  md_ctx_free(c->c2.pulled_options_state);
1055  c->c2.pulled_options_state = NULL;
1056  c->c2.pulled_options_digest_init_done = false;
1057  ret = PUSH_MSG_REPLY;
1058  break;
1059 
1060  case 2:
1061  ret = PUSH_MSG_CONTINUATION;
1062  break;
1063  }
1064  }
1065  }
1066  else if (ch == '\0')
1067  {
1068  ret = PUSH_MSG_REPLY;
1069  }
1070  /* show_settings (&c->options); */
1071  return ret;
1072 }
1073 
1074 int
1075 process_incoming_push_msg(struct context *c,
1076  const struct buffer *buffer,
1077  bool honor_received_options,
1078  unsigned int permission_mask,
1079  unsigned int *option_types_found)
1080 {
1081  struct buffer buf = *buffer;
1082 
1083  if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
1084  {
1085  c->c2.push_request_received = true;
1086  return process_incoming_push_request(c);
1087  }
1088  else if (honor_received_options
1089  && buf_string_compare_advance(&buf, push_reply_cmd))
1090  {
1091  return process_incoming_push_reply(c, permission_mask,
1092  option_types_found, &buf);
1093  }
1094  else
1095  {
1096  return PUSH_MSG_ERROR;
1097  }
1098 }
1099 
1100 
1101 /*
1102  * Remove iroutes from the push_list.
1103  */
1104 void
1105 remove_iroutes_from_push_route_list(struct options *o)
1106 {
1107  if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
1108  {
1109  struct gc_arena gc = gc_new();
1110  struct push_entry *e = o->push_list.head;
1111 
1112  /* cycle through the push list */
1113  while (e)
1114  {
1115  char *p[MAX_PARMS+1];
1116  bool enable = true;
1117 
1118  /* parse the push item */
1119  CLEAR(p);
1120  if (e->enable
1121  && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
1122  {
1123  /* is the push item a route directive? */
1124  if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
1125  {
1126  /* get route parameters */
1127  bool status1, status2;
1128  const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1129  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1130 
1131  /* did route parameters parse correctly? */
1132  if (status1 && status2)
1133  {
1134  const struct iroute *ir;
1135 
1136  /* does route match an iroute? */
1137  for (ir = o->iroutes; ir != NULL; ir = ir->next)
1138  {
1139  if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1140  {
1141  enable = false;
1142  break;
1143  }
1144  }
1145  }
1146  }
1147  else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2]
1148  && o->iroutes_ipv6)
1149  {
1150  /* get route parameters */
1151  struct in6_addr network;
1152  unsigned int netbits;
1153 
1154  /* parse route-ipv6 arguments */
1155  if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG))
1156  {
1157  struct iroute_ipv6 *ir;
1158 
1159  /* does this route-ipv6 match an iroute-ipv6? */
1160  for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next)
1161  {
1162  if (!memcmp(&network, &ir->network, sizeof(network))
1163  && netbits == ir->netbits)
1164  {
1165  enable = false;
1166  break;
1167  }
1168  }
1169  }
1170  }
1171 
1172  /* should we copy the push item? */
1173  e->enable = enable;
1174  if (!enable)
1175  {
1176  msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1177  }
1178  }
1179 
1180  e = e->next;
1181  }
1182 
1183  gc_free(&gc);
1184  }
1185 }
context_2::pulled_options_digest_init_done
bool pulled_options_digest_init_done
Definition: openvpn.h:449
parse_auth_pending_keywords
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition: push.c:289
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2534
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:164
tls_multi::auth_token
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:642
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2742
iroute
Definition: route.h:234
min_uint
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition: integer.h:56
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1172
PUSH_MSG_REQUEST_DEFERRED
#define PUSH_MSG_REQUEST_DEFERRED
Definition: push.h:32
push_list::head
struct push_entry * head
Definition: pushlist.h:36
verify_crresponse_script
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Definition: ssl_verify.c:1438
process_incoming_push_reply
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition: push.c:1023
send_push_reply_auth_token
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
Definition: push.c:749
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1011
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:917
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:329
signal_info::signal_text
const char * signal_text
Definition: sig.h:45
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
options::push_list
struct push_list push_list
Definition: options.h:472
M_FATAL
#define M_FATAL
Definition: error.h:95
md_ctx_t
mbedtls_md_context_t md_ctx_t
Generic message digest context.
Definition: crypto_mbedtls.h:43
push_entry
Definition: pushlist.h:29
argv
Definition: argv.h:35
in_addr_t
#define in_addr_t
Definition: config-msvc.h:67
PUSH_MSG_REQUEST
#define PUSH_MSG_REQUEST
Definition: push.h:30
streq
#define streq(x, y)
Definition: options.h:706
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3083
manage.h
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:446
context
Contains all state information for one tunnel.
Definition: openvpn.h:479
es
struct env_set * es
Definition: test_pkcs11.c:122
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:332
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition: ssl_common.h:673
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:122
BSTR
#define BSTR(buf)
Definition: buffer.h:129
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:441
AR_NONE
#define AR_NONE
Definition: options.h:883
options::iroutes
struct iroute * iroutes
Definition: options.h:495
push_option_fmt
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition: push.c:893
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:885
make_extended_arg_array
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition: misc.c:626
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
context_2::es
struct env_set * es
Definition: openvpn.h:426
config-msvc.h
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:434
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:1105
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:436
options::mode
int mode
Definition: options.h:247
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4935
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:720
dmsg
#define dmsg(flags,...)
Definition: error.h:154
options::ce
struct connection_entry ce
Definition: options.h:275
iroute::netbits
int netbits
Definition: route.h:236
tls_client_reason
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:254
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:450
PUSH_MSG_ERROR
#define PUSH_MSG_ERROR
Definition: push.h:29
options.h
management_notify_client_cr_response
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition: manage.c:2956
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:334
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2390
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
options::push_continuation
int push_continuation
Definition: options.h:541
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:588
push_entry::option
const char * option
Definition: pushlist.h:32
md_ctx_new
md_ctx_t * md_ctx_new(void)
Definition: crypto_openssl.c:1137
parse_auth_failed_temp
const char * parse_auth_failed_temp(struct options *o, const char *reason)
Definition: options_util.c:36
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition: ssl_common.h:565
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
push_reset
void push_reset(struct options *o)
Definition: push.c:911
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:433
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2899
iroute::next
struct iroute * next
Definition: route.h:237
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:629
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:288
CLEAR
#define CLEAR(x)
Definition: basic.h:33
options_util.h
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:610
man_def_auth_context
Definition: manage.h:64
iroute::network
in_addr_t network
Definition: route.h:235
ssl_util.h
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:520
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition: options.c:4157
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:182
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:443
md_ctx_final
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:863
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:527
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:695
prepare_auth_token_push_reply
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition: push.c:582
register_signal
void register_signal(struct signal_info *si, int sig, const char *text)
Definition: sig.c:483
ssl_verify.h
ASSERT
#define ASSERT(x)
Definition: error.h:201
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition: errlevel.h:63
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2925
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:388
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:636
push_option_ex
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition: push.c:834
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:57
management_notify
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2893
PUSH_MSG_ALREADY_REPLIED
#define PUSH_MSG_ALREADY_REPLIED
Definition: push.h:35
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition: ssl.c:521
M_VERB0
#define M_VERB0
Definition: errlevel.h:53
BLEN
#define BLEN(buf)
Definition: buffer.h:127
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:557
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:58
send_push_request
bool send_push_request(struct context *c)
Definition: push.c:545
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:869
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:703
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:432
send_push_options
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition: push.c:710
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:133
tls_multi::opt
struct tls_options opt
Definition: ssl_common.h:594
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:509
push.h
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition: forward.c:391
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
M_WARN
#define M_WARN
Definition: error.h:97
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1083
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:481
verify_crresponse_plugin
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
Definition: ssl_verify.c:1425
PUSH_MSG_AUTH_FAILURE
#define PUSH_MSG_AUTH_FAILURE
Definition: push.h:33
tls_peer_supports_ncp
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition: ssl_ncp.c:79
options
Definition: options.h:236
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:438
push_update_digest
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition: push.c:1001
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:71
key_state::established
time_t established
Definition: ssl_common.h:216
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:330
options::gc
struct gc_arena gc
Definition: options.h:238
options::no_advance
bool no_advance
Definition: options.h:280
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4735
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:442
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition: errlevel.h:132
PUSH_MSG_REPLY
#define PUSH_MSG_REPLY
Definition: push.h:31
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:547
process_incoming_push_msg
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition: push.c:1075
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:641
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
context_2::sent_push_reply_expiry
time_t sent_push_reply_expiry
Definition: openvpn.h:435
md_ctx_update
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
context_2::push_request_timeout
time_t push_request_timeout
Definition: openvpn.h:446
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
md_ctx_init
void md_ctx_init(md_ctx_t *ctx, const char *mdname)
Initialises the given message digest context.
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
CC_COMMA
#define CC_COMMA
Definition: buffer.h:924
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2905
options::handshake_window
int handshake_window
Definition: options.h:634
BCAP
#define BCAP(buf)
Definition: buffer.h:130
ssl.h
CC_ANY
#define CC_ANY
Definition: buffer.h:903
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:469
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition: openvpn.h:453
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition: ssl_common.h:571
syshead.h
options::push_ifconfig_ipv4_blocked
bool push_ifconfig_ipv4_blocked
Definition: options.h:504
SIGTERM
#define SIGTERM
Definition: config-msvc.h:82
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition: ssl.h:89
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:205
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:80
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:506
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
string_class
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition: buffer.c:1068
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition: forward.c:369
sha256_digest::digest
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:133
env_set
Definition: env_set.h:42
key_state::initial
time_t initial
Definition: ssl_common.h:215
push_list::tail
struct push_entry * tail
Definition: pushlist.h:37
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:958
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:665
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:213
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:824
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
OPENVPN_STATE_AUTH_PENDING
#define OPENVPN_STATE_AUTH_PENDING
Definition: manage.h:485
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:506
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:489
openvpn_time
static time_t openvpn_time(time_t *t)
Definition: otime.h:90
buf_string_compare_advance
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition: buffer.c:835
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:367
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:532
receive_exit_message
void receive_exit_message(struct context *c)
Definition: push.c:193
iroute_ipv6
Definition: route.h:240
status
static SERVICE_STATUS status
Definition: interactive.c:56
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:437
management
Definition: manage.h:335
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1019
server_pushed_info
void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv)
Definition: push.c:225
prepare_push_reply
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition: push.c:607
__attribute__
__attribute__((unused))
Definition: test.c:42
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
schedule_exit
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:522
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition: openvpn.h:451
now
time_t now
Definition: otime.c:36
AR_INTERACT
#define AR_INTERACT
Definition: options.h:884
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition: ssl_common.h:248
config.h
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition: errlevel.h:149
ssl_ncp.h
key_state::peer_last_packet
time_t peer_last_packet
Definition: ssl_common.h:219
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:664
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:656
context_2::push_request_interval
struct event_timeout push_request_interval
Definition: openvpn.h:445
push_reply_cmd
static char push_reply_cmd[]
Definition: push.c:43
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:528
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:885
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:88
buf_str
static char * buf_str(const struct buffer *buf)
Definition: buffer.h:297
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:542
session
Definition: keyingmaterialexporter.c:56
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:52
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:257
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:808
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:440
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5472
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:496
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
send_push_reply
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition: push.c:769
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition: interval.h:155
max_uint
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition: integer.h:43
print_argv
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition: buffer.c:763
extract_var_peer_info
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition: ssl_util.c:34
PUSH_MSG_CONTINUATION
#define PUSH_MSG_CONTINUATION
Definition: push.h:34
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:308
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:118
memdbg.h
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:500
options::ciphername
const char * ciphername
Definition: options.h:556
M_USAGE
#define M_USAGE
Definition: error.h:112
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
msg
#define msg(flags,...)
Definition: error.h:150
push_entry::enable
bool enable
Definition: pushlist.h:31
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
options::pull
bool pull
Definition: options.h:540
push_list
Definition: pushlist.h:35
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition: push.c:955
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:398
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:871
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:269
Generated by   doxygen 1.8.17