OpenVPN
push.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "push.h"
33 #include "options.h"
34 #include "ssl.h"
35 #include "ssl_verify.h"
36 #include "ssl_ncp.h"
37 #include "manage.h"
38 
39 #include "memdbg.h"
40 #include "ssl_util.h"
41 
42 static char push_reply_cmd[] = "PUSH_REPLY";
43 
44 /*
45  * Auth username/password
46  *
47  * Client received an authentication failed message from server.
48  * Runs on client.
49  */
50 void
51 receive_auth_failed(struct context *c, const struct buffer *buffer)
52 {
53  msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
54  c->options.no_advance = true;
55 
56  if (c->options.pull)
57  {
58  /* Before checking how to react on AUTH_FAILED, first check if the
59  * failed auth might be the result of an expired auth-token.
60  * Note that a server restart will trigger a generic AUTH_FAILED
61  * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
62  * identical for this scenario */
63  if (ssl_clean_auth_token())
64  {
65  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */
66  c->sig->signal_text = "auth-failure (auth-token)";
67  }
68  else
69  {
70  switch (auth_retry_get())
71  {
72  case AR_NONE:
73  c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */
74  break;
75 
76  case AR_INTERACT:
77  ssl_purge_auth(false);
78 
79  case AR_NOINTERACT:
80  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */
81  break;
82 
83  default:
84  ASSERT(0);
85  }
86  c->sig->signal_text = "auth-failure";
87  }
88 #ifdef ENABLE_MANAGEMENT
89  if (management)
90  {
91  const char *reason = NULL;
92  struct buffer buf = *buffer;
93  if (buf_string_compare_advance(&buf, "AUTH_FAILED,") && BLEN(&buf))
94  {
95  reason = BSTR(&buf);
96  }
97  management_auth_failure(management, UP_TYPE_AUTH, reason);
98  }
99 #endif
100  /*
101  * Save the dynamic-challenge text even when management is defined
102  */
103  {
104 #ifdef ENABLE_MANAGEMENT
105  struct buffer buf = *buffer;
106  if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf))
107  {
108  buf_advance(&buf, 12); /* Length of "AUTH_FAILED," substring */
109  ssl_put_auth_challenge(BSTR(&buf));
110  }
111 #endif
112  }
113  }
114 }
115 
116 /*
117  * Act on received restart message from server
118  */
119 void
120 server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
121 {
122  if (c->options.pull)
123  {
124  struct buffer buf = *buffer;
125  const char *m = "";
126  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
127  {
128  m = BSTR(&buf);
129  }
130 
131  /* preserve cached passwords? */
132  /* advance to next server? */
133  {
134  bool purge = true;
135 
136  if (m[0] == '[')
137  {
138  int i;
139  for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
140  {
141  if (m[i] == 'P')
142  {
143  purge = false;
144  }
145  else if (m[i] == 'N')
146  {
147  /* next server? */
148  c->options.no_advance = false;
149  }
150  }
151  }
152  if (purge)
153  {
154  ssl_purge_auth(true);
155  }
156  }
157 
158  if (restart)
159  {
160  msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
161  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
162  c->sig->signal_text = "server-pushed-connection-reset";
163  }
164  else
165  {
166  msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
167  c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- server-pushed halt */
168  c->sig->signal_text = "server-pushed-halt";
169  }
170 #ifdef ENABLE_MANAGEMENT
171  if (management)
172  {
173  management_notify(management, "info", c->sig->signal_text, m);
174  }
175 #endif
176  }
177 }
178 
179 void
180 server_pushed_info(struct context *c, const struct buffer *buffer,
181  const int adv)
182 {
183  const char *m = "";
184  struct buffer buf = *buffer;
185 
186  if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
187  {
188  m = BSTR(&buf);
189  }
190 
191 #ifdef ENABLE_MANAGEMENT
192  struct gc_arena gc;
193  if (management)
194  {
195  gc = gc_new();
196 
197  /*
198  * We use >INFOMSG here instead of plain >INFO since INFO is used to
199  * for management greeting and we don't want to confuse the client
200  */
201  struct buffer out = alloc_buf_gc(256, &gc);
202  buf_printf(&out, ">%s:%s", "INFOMSG", m);
203  management_notify_generic(management, BSTR(&out));
204 
205  gc_free(&gc);
206  }
207  #endif
208  msg(D_PUSH, "Info command was pushed by server ('%s')", m);
209 }
210 
211 void
212 receive_cr_response(struct context *c, const struct buffer *buffer)
213 {
214  struct buffer buf = *buffer;
215  const char *m = "";
216 
217  if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
218  {
219  m = BSTR(&buf);
220  }
221 #ifdef ENABLE_MANAGEMENT
222  struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
223  struct man_def_auth_context *mda = session->opt->mda_context;
224  struct env_set *es = session->opt->es;
225  int key_id = get_primary_key(c->c2.tls_multi)->key_id;
226 
227 
228  management_notify_client_cr_response(key_id, mda, es, m);
229 #endif
230  msg(D_PUSH, "CR response was sent by client ('%s')", m);
231 }
232 
240 static void
241 parse_auth_pending_keywords(const struct buffer *buffer,
242  unsigned int *server_timeout)
243 {
244  struct buffer buf = *buffer;
245 
246  /* does the buffer start with "AUTH_PENDING," ? */
247  if (!buf_advance(&buf, strlen("AUTH_PENDING"))
248  || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
249  {
250 #ifdef ENABLE_MANAGEMENT
251  if (management)
252  {
253  management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
254  "", NULL, NULL, NULL, NULL);
255  }
256 #endif
257 
258  return;
259  }
260 
261  /* parse the keywords in the same way that push options are parsed */
262  char line[OPTION_LINE_SIZE];
263 
264 #ifdef ENABLE_MANAGEMENT
265  /* Need to do the management notification with the keywords before
266  * buf_parse is called, as it will insert \0 bytes into the buffer */
267  if (management)
268  {
269  management_set_state(management, OPENVPN_STATE_AUTH_PENDING,
270  BSTR(&buf), NULL, NULL, NULL, NULL);
271  }
272 #endif
273 
274  while (buf_parse(&buf, ',', line, sizeof(line)))
275  {
276  if (sscanf(line, "timeout %u", server_timeout) != 1)
277  {
278  msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
279  }
280  }
281 }
282 
283 void
284 receive_auth_pending(struct context *c, const struct buffer *buffer)
285 {
286  if (!c->options.pull)
287  return;
288 
289  /* Cap the increase at the maximum time we are willing stay in the
290  * pending authentication state */
291  unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
292  c->options.handshake_window);
293 
294  /* try to parse parameter keywords, default to hand-winow timeout if the
295  * server does not supply a timeout */
296  unsigned int server_timeout = c->options.handshake_window;
297  parse_auth_pending_keywords(buffer, &server_timeout);
298 
299  msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
300  "to %us", c->options.handshake_window,
301  min_uint(max_timeout, server_timeout));
302 
303  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
304  c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
305 }
306 
321 static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
322  int msglevel, const char *fmt, ...)
323 #ifdef __GNUC__
324 #if __USE_MINGW_ANSI_STDIO
325 __attribute__ ((format(gnu_printf, 4, 5)))
326 #else
327 __attribute__ ((format(__printf__, 4, 5)))
328 #endif
329 #endif
330 ;
331 
332 /*
333  * Send auth failed message from server to client.
334  *
335  * Does nothing if an exit is already scheduled
336  */
337 void
338 send_auth_failed(struct context *c, const char *client_reason)
339 {
340  if (event_timeout_defined(&c->c2.scheduled_exit))
341  {
342  msg(D_TLS_DEBUG, "exit already scheduled for context");
343  return;
344  }
345 
346  struct gc_arena gc = gc_new();
347  static const char auth_failed[] = "AUTH_FAILED";
348  size_t len;
349 
350  schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
351 
352  len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
353  if (len > PUSH_BUNDLE_SIZE)
354  {
355  len = PUSH_BUNDLE_SIZE;
356  }
357 
358  {
359  struct buffer buf = alloc_buf_gc(len, &gc);
360  buf_printf(&buf, auth_failed);
361  if (client_reason)
362  {
363  buf_printf(&buf, ",%s", client_reason);
364  }
365  send_control_channel_string(c, BSTR(&buf), D_PUSH);
366  }
367 
368  gc_free(&gc);
369 }
370 
371 
372 bool
373 send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra,
374  unsigned int timeout)
375 {
376  struct key_state *ks = get_key_scan(tls_multi, 0);
377 
378  static const char info_pre[] = "INFO_PRE,";
379 
380  const char *const peer_info = tls_multi->peer_info;
381  unsigned int proto = extract_iv_proto(peer_info);
382 
383 
384  /* Calculate the maximum timeout and subtract the time we already waited */
385  unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
386  tls_multi->opt.handshake_window);
387  max_timeout = max_timeout - (now - ks->initial);
388  timeout = min_uint(max_timeout, timeout);
389 
390  struct gc_arena gc = gc_new();
391  if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
392  {
393  send_control_channel_string_dowork(tls_multi, "AUTH_PENDING", D_PUSH);
394  }
395  else
396  {
397  static const char auth_pre[] = "AUTH_PENDING,timeout ";
398  // Assume a worst case of 8 byte uint64 in decimal which
399  // needs 20 bytes
400  size_t len = 20 + 1 + sizeof(auth_pre);
401  struct buffer buf = alloc_buf_gc(len, &gc);
402  buf_printf(&buf, auth_pre);
403  buf_printf(&buf, "%u", timeout);
404  send_control_channel_string_dowork(tls_multi, BSTR(&buf), D_PUSH);
405  }
406 
407  size_t len = strlen(extra) + 1 + sizeof(info_pre);
408  if (len > PUSH_BUNDLE_SIZE)
409  {
410  gc_free(&gc);
411  return false;
412  }
413 
414  struct buffer buf = alloc_buf_gc(len, &gc);
415  buf_printf(&buf, info_pre);
416  buf_printf(&buf, "%s", extra);
417  send_control_channel_string_dowork(tls_multi, BSTR(&buf), D_PUSH);
418 
419  ks->auth_deferred_expire = now + timeout;
420 
421  gc_free(&gc);
422  return true;
423 }
424 
425 /*
426  * Send restart message from server to client.
427  */
428 void
429 send_restart(struct context *c, const char *kill_msg)
430 {
431  schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
432  send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
433 }
434 
435 /*
436  * Push/Pull
437  */
438 
439 void
440 incoming_push_message(struct context *c, const struct buffer *buffer)
441 {
442  struct gc_arena gc = gc_new();
443  unsigned int option_types_found = 0;
444 
445  msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
446 
447  int status = process_incoming_push_msg(c, buffer, c->options.pull,
448  pull_permission_mask(c),
449  &option_types_found);
450 
451  if (status == PUSH_MSG_ERROR)
452  {
453  msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
454  }
455  else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
456  {
457  c->options.push_option_types_found |= option_types_found;
458 
459  /* delay bringing tun/tap up until --push parms received from remote */
460  if (status == PUSH_MSG_REPLY)
461  {
462  if (!do_up(c, true, c->options.push_option_types_found))
463  {
464  msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
465  goto error;
466  }
467  }
468  event_timeout_clear(&c->c2.push_request_interval);
469  event_timeout_clear(&c->c2.wait_for_connect);
470  }
471 
472  goto cleanup;
473 
474 error:
475  register_signal(c, SIGUSR1, "process-push-msg-failed");
476 cleanup:
477  gc_free(&gc);
478 }
479 
480 bool
481 send_push_request(struct context *c)
482 {
483  const struct key_state *ks = get_primary_key(c->c2.tls_multi);
484 
485  /* We timeout here under two conditions:
486  * a) we reached the hard limit of push_request_timeout
487  * b) we have not seen anything from the server in hand_window time
488  *
489  * for non auth-pending scenario, push_request_timeout is the same as
490  * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
491  * the server by a P_ACK_V1 packet that reset the keepalive timer
492  */
493 
494  if (c->c2.push_request_timeout > now
495  && (now - ks->peer_last_packet) < c->options.handshake_window)
496  {
497  return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
498  }
499  else
500  {
501  msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
502  (int)(now - ks->established));
503  c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
504  c->sig->signal_text = "no-push-reply";
505  return false;
506  }
507 }
508 
517 void
518 prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc,
519  struct push_list *push_list)
520 {
521  /*
522  * If server uses --auth-gen-token and we have an auth token
523  * to send to the client
524  */
525  if (tls_multi->auth_token)
526  {
527  push_option_fmt(gc, push_list, M_USAGE,
528  "auth-token %s",
529  tls_multi->auth_token);
530  }
531 }
532 
542 bool
543 prepare_push_reply(struct context *c, struct gc_arena *gc,
544  struct push_list *push_list)
545 {
546  struct tls_multi *tls_multi = c->c2.tls_multi;
547  struct options *o = &c->options;
548 
549  /* ipv6 */
550  if (c->c2.push_ifconfig_ipv6_defined && !o->push_ifconfig_ipv6_blocked)
551  {
552  push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
553  print_in6_addr(c->c2.push_ifconfig_ipv6_local, 0, gc),
554  c->c2.push_ifconfig_ipv6_netbits,
555  print_in6_addr(c->c2.push_ifconfig_ipv6_remote,
556  0, gc));
557  }
558 
559  /* ipv4 */
560  if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local
561  && c->c2.push_ifconfig_remote_netmask
562  && !o->push_ifconfig_ipv4_blocked)
563  {
564  in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
565  if (c->c2.push_ifconfig_local_alias)
566  {
567  ifconfig_local = c->c2.push_ifconfig_local_alias;
568  }
569  push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
570  print_in_addr_t(ifconfig_local, 0, gc),
571  print_in_addr_t(c->c2.push_ifconfig_remote_netmask,
572  0, gc));
573  }
574 
575  if (tls_multi->use_peer_id)
576  {
577  push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
578  tls_multi->peer_id);
579  }
580  /*
581  * If server uses --auth-gen-token and we have an auth token
582  * to send to the client
583  */
584  prepare_auth_token_push_reply(tls_multi, gc, push_list);
585 
586  /*
587  * Push the selected cipher, at this point the cipher has been
588  * already negotiated and been fixed.
589  *
590  * We avoid pushing the cipher to clients not supporting NCP
591  * to avoid error messages in their logs
592  */
593  if (tls_peer_supports_ncp(c->c2.tls_multi->peer_info))
594  {
595  push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
596  }
597  if (o->data_channel_crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
598  {
599  push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
600  }
601  return true;
602 }
603 
604 static bool
605 send_push_options(struct context *c, struct buffer *buf,
606  struct push_list *push_list, int safe_cap,
607  bool *push_sent, bool *multi_push)
608 {
609  struct push_entry *e = push_list->head;
610 
611  e = push_list->head;
612  while (e)
613  {
614  if (e->enable)
615  {
616  const int l = strlen(e->option);
617  if (BLEN(buf) + l >= safe_cap)
618  {
619  buf_printf(buf, ",push-continuation 2");
620  {
621  const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
622  if (!status)
623  {
624  return false;
625  }
626  *push_sent = true;
627  *multi_push = true;
628  buf_reset_len(buf);
629  buf_printf(buf, "%s", push_reply_cmd);
630  }
631  }
632  if (BLEN(buf) + l >= safe_cap)
633  {
634  msg(M_WARN, "--push option is too long");
635  return false;
636  }
637  buf_printf(buf, ",%s", e->option);
638  }
639  e = e->next;
640  }
641  return true;
642 }
643 
644 void
645 send_push_reply_auth_token(struct tls_multi *multi)
646 {
647  struct gc_arena gc = gc_new();
648  struct push_list push_list = { 0 };
649 
650  prepare_auth_token_push_reply(multi, &gc, &push_list);
651 
652  /* prepare auth token should always add the auth-token option */
653  struct push_entry *e = push_list.head;
654  ASSERT(e && e->enable);
655 
656  /* Construct a mimimal control channel push reply message */
657  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
658  buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
659  send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
660  gc_free(&gc);
661 }
662 
663 bool
664 send_push_reply(struct context *c, struct push_list *per_client_push_list)
665 {
666  struct gc_arena gc = gc_new();
667  struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
668  bool multi_push = false;
669  const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
670  const int safe_cap = BCAP(&buf) - extra;
671  bool push_sent = false;
672 
673  buf_printf(&buf, "%s", push_reply_cmd);
674 
675  /* send options which are common to all clients */
676  if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
677  &push_sent, &multi_push))
678  {
679  goto fail;
680  }
681 
682  /* send client-specific options */
683  if (!send_push_options(c, &buf, per_client_push_list, safe_cap,
684  &push_sent, &multi_push))
685  {
686  goto fail;
687  }
688 
689  if (multi_push)
690  {
691  buf_printf(&buf, ",push-continuation 1");
692  }
693 
694  if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
695  {
696  const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
697  if (!status)
698  {
699  goto fail;
700  }
701  push_sent = true;
702  }
703 
704  /* If nothing have been pushed, send an empty push,
705  * as the client is expecting a response
706  */
707  if (!push_sent)
708  {
709  bool status = false;
710 
711  buf_reset_len(&buf);
712  buf_printf(&buf, "%s", push_reply_cmd);
713  status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
714  if (!status)
715  {
716  goto fail;
717  }
718  }
719 
720  gc_free(&gc);
721  return true;
722 
723 fail:
724  gc_free(&gc);
725  return false;
726 }
727 
728 static void
729 push_option_ex(struct gc_arena *gc, struct push_list *push_list,
730  const char *opt, bool enable, int msglevel)
731 {
732  if (!string_class(opt, CC_ANY, CC_COMMA))
733  {
734  msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
735  }
736  else
737  {
738  struct push_entry *e;
739  ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
740  e->enable = true;
741  e->option = opt;
742  if (push_list->head)
743  {
744  ASSERT(push_list->tail);
745  push_list->tail->next = e;
746  push_list->tail = e;
747  }
748  else
749  {
750  ASSERT(!push_list->tail);
751  push_list->head = e;
752  push_list->tail = e;
753  }
754  }
755 }
756 
757 void
758 push_option(struct options *o, const char *opt, int msglevel)
759 {
760  push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
761 }
762 
763 void
764 clone_push_list(struct options *o)
765 {
766  if (o->push_list.head)
767  {
768  const struct push_entry *e = o->push_list.head;
769  push_reset(o);
770  while (e)
771  {
772  push_option_ex(&o->gc, &o->push_list,
773  string_alloc(e->option, &o->gc), true, M_FATAL);
774  e = e->next;
775  }
776  }
777 }
778 
779 void
780 push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
781 {
782  const char **argv = make_extended_arg_array(p, false, gc);
783  char *opt = print_argv(argv, gc, 0);
784  push_option(o, opt, msglevel);
785 }
786 
787 static bool
788 push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
789  int msglevel, const char *format, ...)
790 {
791  va_list arglist;
792  char tmp[256] = {0};
793  int len;
794  va_start(arglist, format);
795  len = vsnprintf(tmp, sizeof(tmp), format, arglist);
796  va_end(arglist);
797  if (len > sizeof(tmp)-1)
798  {
799  return false;
800  }
801  push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
802  return true;
803 }
804 
805 void
806 push_reset(struct options *o)
807 {
808  CLEAR(o->push_list);
809 }
810 
811 void
812 push_remove_option(struct options *o, const char *p)
813 {
814  msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
815 
816  /* ifconfig is special, as not part of the push list */
817  if (streq(p, "ifconfig"))
818  {
819  o->push_ifconfig_ipv4_blocked = true;
820  return;
821  }
822 
823  /* ifconfig-ipv6 is special, as not part of the push list */
824  if (streq( p, "ifconfig-ipv6" ))
825  {
826  o->push_ifconfig_ipv6_blocked = true;
827  return;
828  }
829 
830  if (o && o->push_list.head)
831  {
832  struct push_entry *e = o->push_list.head;
833 
834  /* cycle through the push list */
835  while (e)
836  {
837  if (e->enable
838  && strncmp( e->option, p, strlen(p) ) == 0)
839  {
840  msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
841  e->enable = false;
842  }
843 
844  e = e->next;
845  }
846  }
847 }
848 
849 int
850 process_incoming_push_request(struct context *c)
851 {
852  int ret = PUSH_MSG_ERROR;
853 
854 
855  if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_FAILED
856  || c->c2.tls_multi->multi_state == CAS_FAILED)
857  {
858  const char *client_reason = tls_client_reason(c->c2.tls_multi);
859  send_auth_failed(c, client_reason);
860  ret = PUSH_MSG_AUTH_FAILURE;
861  }
862  else if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_SUCCEEDED
863  && c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
864  {
865  time_t now;
866 
867  openvpn_time(&now);
868  if (c->c2.sent_push_reply_expiry > now)
869  {
870  ret = PUSH_MSG_ALREADY_REPLIED;
871  }
872  else
873  {
874  /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
875  struct push_list push_list = { 0 };
876  struct gc_arena gc = gc_new();
877 
878  if (prepare_push_reply(c, &gc, &push_list)
879  && send_push_reply(c, &push_list))
880  {
881  ret = PUSH_MSG_REQUEST;
882  c->c2.sent_push_reply_expiry = now + 30;
883  }
884  gc_free(&gc);
885  }
886  }
887  else
888  {
889  ret = PUSH_MSG_REQUEST_DEFERRED;
890  }
891 
892  return ret;
893 }
894 
895 static void
896 push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
897 {
898  char line[OPTION_PARM_SIZE];
899  while (buf_parse(buf, ',', line, sizeof(line)))
900  {
901  /* peer-id might change on restart and this should not trigger reopening tun */
902  if (strprefix(line, "peer-id "))
903  {
904  continue;
905  }
906  /* tun reopen only needed if cipher change can change tun MTU */
907  if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
908  {
909  continue;
910  }
911  md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
912  }
913 }
914 
915 static int
916 process_incoming_push_reply(struct context *c,
917  unsigned int permission_mask,
918  unsigned int *option_types_found,
919  struct buffer *buf)
920 {
921  int ret = PUSH_MSG_ERROR;
922  const uint8_t ch = buf_read_u8(buf);
923  if (ch == ',')
924  {
925  struct buffer buf_orig = (*buf);
926  if (!c->c2.pulled_options_digest_init_done)
927  {
928  c->c2.pulled_options_state = md_ctx_new();
929  md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256"));
930  c->c2.pulled_options_digest_init_done = true;
931  }
932  if (apply_push_options(&c->options,
933  buf,
934  permission_mask,
935  option_types_found,
936  c->c2.es))
937  {
938  push_update_digest(c->c2.pulled_options_state, &buf_orig,
939  &c->options);
940  switch (c->options.push_continuation)
941  {
942  case 0:
943  case 1:
944  md_ctx_final(c->c2.pulled_options_state,
945  c->c2.pulled_options_digest.digest);
946  md_ctx_cleanup(c->c2.pulled_options_state);
947  md_ctx_free(c->c2.pulled_options_state);
948  c->c2.pulled_options_state = NULL;
949  c->c2.pulled_options_digest_init_done = false;
950  ret = PUSH_MSG_REPLY;
951  break;
952 
953  case 2:
954  ret = PUSH_MSG_CONTINUATION;
955  break;
956  }
957  }
958  }
959  else if (ch == '\0')
960  {
961  ret = PUSH_MSG_REPLY;
962  }
963  /* show_settings (&c->options); */
964  return ret;
965 }
966 
967 int
968 process_incoming_push_msg(struct context *c,
969  const struct buffer *buffer,
970  bool honor_received_options,
971  unsigned int permission_mask,
972  unsigned int *option_types_found)
973 {
974  struct buffer buf = *buffer;
975 
976  if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
977  {
978  c->c2.push_request_received = true;
979  return process_incoming_push_request(c);
980  }
981  else if (honor_received_options
982  && buf_string_compare_advance(&buf, push_reply_cmd))
983  {
984  return process_incoming_push_reply(c, permission_mask,
985  option_types_found, &buf);
986  }
987  else
988  {
989  return PUSH_MSG_ERROR;
990  }
991 }
992 
993 
994 /*
995  * Remove iroutes from the push_list.
996  */
997 void
998 remove_iroutes_from_push_route_list(struct options *o)
999 {
1000  if (o && o->push_list.head && o->iroutes)
1001  {
1002  struct gc_arena gc = gc_new();
1003  struct push_entry *e = o->push_list.head;
1004 
1005  /* cycle through the push list */
1006  while (e)
1007  {
1008  char *p[MAX_PARMS];
1009  bool enable = true;
1010 
1011  /* parse the push item */
1012  CLEAR(p);
1013  if (e->enable
1014  && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
1015  {
1016  /* is the push item a route directive? */
1017  if (p[0] && !strcmp(p[0], "route") && !p[3])
1018  {
1019  /* get route parameters */
1020  bool status1, status2;
1021  const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1022  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1023 
1024  /* did route parameters parse correctly? */
1025  if (status1 && status2)
1026  {
1027  const struct iroute *ir;
1028 
1029  /* does route match an iroute? */
1030  for (ir = o->iroutes; ir != NULL; ir = ir->next)
1031  {
1032  if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1033  {
1034  enable = false;
1035  break;
1036  }
1037  }
1038  }
1039  }
1040 
1041  /* should we copy the push item? */
1042  e->enable = enable;
1043  if (!enable)
1044  {
1045  msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1046  }
1047  }
1048 
1049  e = e->next;
1050  }
1051 
1052  gc_free(&gc);
1053  }
1054 }
context_2::es
struct env_set * es
Definition: openvpn.h:408
string_class
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition: buffer.c:1058
receive_auth_failed
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition: push.c:51
prepare_auth_token_push_reply
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition: push.c:518
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:203
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:118
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:429
iroute::next
struct iroute * next
Definition: route.h:237
tls_client_reason
static const char * tls_client_reason(struct tls_multi *multi)
Definition: ssl_verify.h:231
md_ctx_new
md_ctx_t * md_ctx_new(void)
Definition: crypto_openssl.c:947
context::options
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:463
PUSH_MSG_CONTINUATION
#define PUSH_MSG_CONTINUATION
Definition: push.h:34
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:475
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:495
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:159
streq
#define streq(x, y)
Definition: options.h:667
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
push_list::head
struct push_entry * head
Definition: pushlist.h:36
do_up
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition: init.c:2142
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2896
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:764
context
Contains all state information for one tunnel.
Definition: openvpn.h:461
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition: ssl.h:120
PUSH_BUNDLE_SIZE
#define PUSH_BUNDLE_SIZE
Definition: common.h:75
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
M_USAGE
#define M_USAGE
Definition: error.h:115
tls_session::opt
struct tls_options * opt
Definition: ssl_common.h:457
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition: openvpn.h:416
tls_multi::peer_info
char * peer_info
Definition: ssl_common.h:619
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
receive_auth_pending
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition: push.c:284
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:681
send_auth_failed
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:338
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:345
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3009
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: openvpn.h:418
tls_multi::multi_state
enum multi_status multi_state
Definition: ssl_common.h:588
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:566
management_notify
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition: manage.c:2816
send_push_reply_auth_token
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client...
Definition: push.c:645
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:590
SIGUSR1
#define SIGUSR1
Definition: config-msvc.h:115
context_2::pulled_options_digest_init_done
bool pulled_options_digest_init_done
Definition: openvpn.h:431
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:423
context_2::wait_for_connect
struct event_timeout wait_for_connect
Definition: openvpn.h:283
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:377
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition: ssl_util.c:64
CAS_CONNECT_DONE
Definition: ssl_common.h:549
push_reset
void push_reset(struct options *o)
Definition: push.c:806
tls_options::handshake_window
int handshake_window
Definition: ssl_common.h:319
AR_NONE
#define AR_NONE
Definition: options.h:841
md_ctx_free
void md_ctx_free(md_ctx_t *ctx)
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:425
receive_cr_response
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition: push.c:212
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
tls_options::mda_context
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
event_timeout_clear
static void event_timeout_clear(struct event_timeout *et)
Definition: interval.h:150
SIZE
#define SIZE(x)
Definition: basic.h:30
in_addr_t
#define in_addr_t
Definition: config-msvc.h:103
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
context::sig
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:488
MAX_PARMS
#define MAX_PARMS
Definition: options.h:51
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4579
print_argv
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition: buffer.c:753
SIGTERM
#define SIGTERM
Definition: config-msvc.h:117
options::handshake_window
int handshake_window
Definition: options.h:595
ASSERT
#define ASSERT(x)
Definition: error.h:204
TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:507
ssl_verify.h
process_incoming_push_reply
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition: push.c:916
send_push_request
bool send_push_request(struct context *c)
Definition: push.c:481
options::data_channel_crypto_flags
unsigned int data_channel_crypto_flags
Definition: options.h:664
tls_multi::use_peer_id
bool use_peer_id
Definition: ssl_common.h:643
parse_auth_pending_keywords
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition: push.c:241
iroute::netbits
int netbits
Definition: route.h:236
tls_peer_supports_ncp
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list...
Definition: ssl_ncp.c:79
BCAP
#define BCAP(buf)
Definition: buffer.h:130
send_control_channel_string_dowork
bool send_control_channel_string_dowork(struct tls_multi *multi, const char *str, int msglevel)
Definition: forward.c:320
CC_COMMA
#define CC_COMMA
Definition: buffer.h:928
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
fail
#define fail()
Definition: cmocka.h:1531
context_2::push_request_received
bool push_request_received
Definition: openvpn.h:415
push_entry
Definition: pushlist.h:29
CLEAR
#define CLEAR(x)
Definition: basic.h:33
push_option_fmt
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition: push.c:788
md_ctx_final
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:812
PUSH_MSG_REPLY
#define PUSH_MSG_REPLY
Definition: push.h:31
context_2::pulled_options_state
md_ctx_t * pulled_options_state
Definition: openvpn.h:432
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition: ssl_common.h:323
PUSH_MSG_REQUEST
#define PUSH_MSG_REQUEST
Definition: push.h:30
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:56
push_reply_cmd
static char push_reply_cmd[]
Definition: push.c:42
process_incoming_push_msg
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition: push.c:968
md_ctx_update
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
PUSH_MSG_REQUEST_DEFERRED
#define PUSH_MSG_REQUEST_DEFERRED
Definition: push.h:32
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
now
time_t now
Definition: otime.c:36
TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:71
key_state::established
time_t established
Definition: ssl_common.h:218
management_notify_generic
void management_notify_generic(struct management *man, const char *str)
Definition: manage.c:2822
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:420
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:57
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4390
push_option_ex
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition: push.c:729
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2876
options::iroutes
struct iroute * iroutes
Definition: options.h:461
event_timeout_defined
static bool event_timeout_defined(const struct event_timeout *et)
Definition: interval.h:144
push_entry::option
const char * option
Definition: pushlist.h:32
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:424
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1135
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:998
sha256_digest::digest
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:133
options::ciphername
const char * ciphername
Definition: options.h:516
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:470
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:780
iroute::network
in_addr_t network
Definition: route.h:235
__attribute__
__attribute__((unused))
Definition: test.c:41
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:257
vsnprintf
#define vsnprintf
Definition: calculator_test.c:24
context_2::scheduled_exit
struct event_timeout scheduled_exit
Definition: openvpn.h:435
send_push_options
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition: push.c:605
tls_multi::opt
struct tls_options opt
Definition: ssl_common.h:572
sanitize_control_message
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition: misc.c:656
make_extended_arg_array
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition: misc.c:626
md_kt_get
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
Definition: crypto_openssl.c:896
openvpn_time
static time_t openvpn_time(time_t *t)
Definition: otime.h:90
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:661
push_entry::enable
bool enable
Definition: pushlist.h:31
options::push_ifconfig_ipv4_blocked
bool push_ifconfig_ipv4_blocked
Definition: options.h:470
incoming_push_message
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition: push.c:440
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:473
options::ce
struct connection_entry ce
Definition: options.h:252
context::c2
struct context_2 c2
Level 2 context.
Definition: openvpn.h:502
options::push_list
struct push_list push_list
Definition: options.h:439
pull_permission_mask
unsigned int pull_permission_mask(const struct context *c)
Definition: init.c:2227
context_2::sent_push_reply_expiry
time_t sent_push_reply_expiry
Definition: openvpn.h:417
md_ctx_cleanup
void md_ctx_cleanup(md_ctx_t *ctx)
PUSH_MSG_AUTH_FAILURE
#define PUSH_MSG_AUTH_FAILURE
Definition: push.h:33
PUSH_MSG_ERROR
#define PUSH_MSG_ERROR
Definition: push.h:29
BLEN
#define BLEN(buf)
Definition: buffer.h:127
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition: ssl_common.h:248
push_list
Definition: pushlist.h:35
prepare_push_reply
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition: push.c:543
options::push_continuation
int push_continuation
Definition: options.h:502
msg
#define msg(flags,...)
Definition: error.h:153
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:213
context_2::push_request_interval
struct event_timeout push_request_interval
Definition: openvpn.h:427
ssl_util.h
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:503
options::no_advance
bool no_advance
Definition: options.h:257
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:422
signal_info::signal_received
volatile int signal_received
Definition: sig.h:45
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
tls_multi::auth_token
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:620
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition: ssl.c:459
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:861
context_2::push_request_timeout
time_t push_request_timeout
Definition: openvpn.h:428
push_list::tail
struct push_entry * tail
Definition: pushlist.h:37
register_signal
void register_signal(struct context *c, int sig, const char *text)
Definition: sig.c:447
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:454
context_2::pulled_options_digest
struct sha256_digest pulled_options_digest
Definition: openvpn.h:433
send_push_reply
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition: push.c:664
ssl_ncp.h
CAS_FAILED
Definition: ssl_common.h:547
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
M_FATAL
#define M_FATAL
Definition: error.h:98
PUSH_MSG_ALREADY_REPLIED
#define PUSH_MSG_ALREADY_REPLIED
Definition: push.h:35
key_state::peer_last_packet
time_t peer_last_packet
Definition: ssl_common.h:221
server_pushed_signal
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition: push.c:120
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2665
push_update_digest
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition: push.c:896
management_notify_client_cr_response
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition: manage.c:2879
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:843
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
tls_multi::peer_id
uint32_t peer_id
Definition: ssl_common.h:642
iroute
Definition: route.h:234
env_set
Definition: env_set.h:42
M_WARN
#define M_WARN
Definition: error.h:100
max_uint
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition: integer.h:43
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
key_state::initial
time_t initial
Definition: ssl_common.h:217
md_ctx_init
void md_ctx_init(md_ctx_t *ctx, const md_kt_t *kt)
AR_INTERACT
#define AR_INTERACT
Definition: options.h:842
min_uint
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition: integer.h:56
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:274
D_STREAM_ERRORS
#define D_STREAM_ERRORS
Definition: errlevel.h:63
options::pull
bool pull
Definition: options.h:501
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition: push.c:850
man_def_auth_context
Definition: manage.h:43
BSTR
#define BSTR(buf)
Definition: buffer.h:129
push_option
void push_option(struct options *o, const char *opt, int msglevel)
Definition: push.c:758
D_PUSH_DEBUG
#define D_PUSH_DEBUG
Definition: errlevel.h:146
argv
Definition: argv.h:35
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition: push.c:373
options::gc
struct gc_arena gc
Definition: options.h:215
M_VERB0
#define M_VERB0
Definition: errlevel.h:53
status
static SERVICE_STATUS status
Definition: interactive.c:56
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:319
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:419
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5111
schedule_exit
void schedule_exit(struct context *c, const int n_seconds, const int signal)
Definition: forward.c:442
CC_ANY
#define CC_ANY
Definition: buffer.h:907
OPENVPN_STATE_AUTH_PENDING
#define OPENVPN_STATE_AUTH_PENDING
Definition: manage.h:482
signal_info::signal_text
const char * signal_text
Definition: sig.h:47
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:962
md_ctx_t
mbedtls_md_context_t md_ctx_t
Generic message digest context.
Definition: crypto_mbedtls.h:46
buf_string_match_head_str
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition: buffer.c:814
tls_options::es
struct env_set * es
Definition: ssl_common.h:381
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition: errlevel.h:129
server_pushed_info
void server_pushed_info(struct context *c, const struct buffer *buffer, const int adv)
Definition: push.c:180
buf_string_compare_advance
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition: buffer.c:825
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
Generated by   doxygen 1.8.13