OpenVPN
manage.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#ifdef ENABLE_MANAGEMENT
30
31#include "error.h"
32#include "fdmisc.h"
33#include "options.h"
34#include "sig.h"
35#include "event.h"
36#include "otime.h"
37#include "integer.h"
38#include "misc.h"
39#include "ssl.h"
40#include "common.h"
41#include "manage.h"
42#include "openvpn.h"
43#include "dco.h"
44#include "push.h"
45#include "multi.h"
46
47#include "memdbg.h"
48
49#ifdef ENABLE_PKCS11
50#include "pkcs11.h"
51#endif
52
53#define MANAGEMENT_ECHO_PULL_INFO 0
54
55#if MANAGEMENT_ECHO_PULL_INFO
56#define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
57#else
58#define MANAGEMENT_ECHO_FLAGS 0
59#endif
60
61/* tag for blank username/password */
62static const char blank_up[] = "[[BLANK]]";
63
64struct management *management; /* GLOBAL */
65
66/* static forward declarations */
67static void man_output_standalone(struct management *man, volatile int *signal_received);
68
69static void man_reset_client_socket(struct management *man, const bool exiting);
70
71static void
73{
74 msg(M_CLIENT, "Management Interface for %s", title_string);
75 msg(M_CLIENT, "Commands:");
76 msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
77 msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
78 msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
80 "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
81 msg(M_CLIENT, "exit|quit : Close management session.");
82 msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
83 msg(M_CLIENT, "help : Print this message.");
84 msg(M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
85 msg(M_CLIENT, " release current hold and start tunnel.");
86 msg(M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
87 msg(M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
88 msg(M_CLIENT, "load-stats : Show global server load stats.");
89 msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
90 msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
92 "mute [n] : Set log mute level to n, or show level if n is absent.");
93 msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
94 msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
95 msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
96 msg(M_CLIENT, " where action is reply string.");
97 msg(M_CLIENT, "net : (Windows only) Show network info and routing table.");
98 msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
99 msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
100 msg(M_CLIENT, "remote-entry-count : Get number of available remote entries.");
101 msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all.");
102 msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info.");
103 msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
104#ifdef ENABLE_PKCS11
105 msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
106 msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
107#endif
108 msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
109 msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
111 "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
112 msg(M_CLIENT, " text R and optional client reason text CR");
114 "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
116 " to the client and wait for a final client-auth/client-deny");
117 msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
118 msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
119 msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
121 " Enter signature base64 on subsequent lines followed by END");
122 msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
124 " Enter signature base64 on subsequent lines followed by END");
126 "certificate : Enter a client certificate in response to >NEED-CERT challenge");
128 " Enter certificate base64 on subsequent lines followed by END");
129 msg(M_CLIENT, "signal s : Send signal s to daemon,");
130 msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
131 msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
132 msg(M_CLIENT, "status [n] : Show current daemon status info using format #n.");
133 msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
134 msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
135 msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
136 msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
137 msg(M_CLIENT, "push-update-broad options : Broadcast a message to update the specified options.");
138 msg(M_CLIENT, " Ex. push-update-broad \"route something, -dns\"");
139 msg(M_CLIENT, "push-update-cid CID options : Send an update message to the client identified by CID.");
140 msg(M_CLIENT, "END");
141}
142
143static const char *
144man_state_name(const int state)
145{
146 switch (state)
147 {
149 return "INITIAL";
150
152 return "CONNECTING";
153
155 return "WAIT";
156
158 return "AUTH";
159
161 return "GET_CONFIG";
162
164 return "ASSIGN_IP";
165
167 return "ADD_ROUTES";
168
170 return "CONNECTED";
171
173 return "RECONNECTING";
174
176 return "EXITING";
177
179 return "RESOLVE";
180
182 return "TCP_CONNECT";
183
185 return "AUTH_PENDING";
186
187 default:
188 return "?";
189 }
190}
191
192static void
194{
195 msg(M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
197 if (man->persist.special_state_msg)
198 {
200 }
201}
202
203static inline bool
205{
206 return man->settings.up.defined && !man->connection.password_verified;
207}
208
209static void
210man_check_password(struct management *man, const char *line)
211{
212 if (man_password_needed(man))
213 {
214 /* This comparison is not fixed time but since strlen(time) is based on
215 * the attacker choice, it should not give any indication of the real
216 * password length, use + 1 to include the NUL byte that terminates the
217 * string*/
218 size_t compare_len = min_uint(strlen(line) + 1, sizeof(man->settings.up.password));
219 if (memcmp_constant_time(line, man->settings.up.password, compare_len) == 0)
220 {
221 man->connection.password_verified = true;
222 msg(M_CLIENT, "SUCCESS: password is correct");
223 man_welcome(man);
224 }
225 else
226 {
227 man->connection.password_verified = false;
228 msg(M_CLIENT, "ERROR: bad password");
230 {
231 msg(M_WARN, "MAN: client connection rejected after %d failed password attempts",
233 man->connection.halt = true;
234 }
235 }
236 }
237}
238
239static void
241{
243 {
245 {
247 }
248 else
249 {
251 }
252 }
253}
254
255static void
257{
258 if (management_connected(man))
259 {
262 {
263 volatile int signal_received = 0;
264 man_output_standalone(man, &signal_received);
265 }
266 }
267}
268
269static void
270man_output_list_push_str(struct management *man, const char *str)
271{
272 if (management_connected(man) && str)
273 {
275 }
276}
277
278static void
279man_output_list_push(struct management *man, const char *str)
280{
281 man_output_list_push_str(man, str);
283}
284
285static void
287{
288 if (man_password_needed(man))
289 {
290 man_output_list_push(man, "ENTER PASSWORD:");
291 }
292#if 0 /* should we use prompt? */
293 else
294 {
295 man_output_list_push(man, ">");
296 }
297#endif
298}
299
300
305static void
306report_command_status(const bool status, const char *command)
307{
308 if (status)
309 {
310 msg(M_CLIENT, "SUCCESS: %s command succeeded", command);
311 }
312 else
313 {
314 msg(M_CLIENT, "ERROR: %s command failed", command);
315 }
316}
317
318static void
320{
321#if UNIX_SOCK_SUPPORT
323 {
324 socket_delete_unix(&man->settings.local_unix);
325 }
326#endif
327}
328
329static void
331{
332#ifndef _WIN32
333 /*
334 * Windows doesn't need this because the ne32 event is permanently
335 * enabled at struct management scope.
336 */
338 {
340 }
341#endif
343}
344
345static void
346virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
347{
348 struct management *man = (struct management *)arg;
349 static int recursive_level = 0; /* GLOBAL */
350
351#define AF_DID_PUSH (1 << 0)
352#define AF_DID_RESET (1 << 1)
353 if (recursive_level < 5) /* limit recursion */
354 {
355 struct gc_arena gc = gc_new();
356 struct log_entry e;
357 const char *out = NULL;
358 unsigned int action_flags = 0;
359
360 ++recursive_level;
361
362 CLEAR(e);
363 update_time();
364 e.timestamp = now;
365 e.u.msg_flags = flags;
366 e.string = str;
367
368 if (flags & M_FATAL)
369 {
370 man->persist.standalone_disabled = false;
371 }
372
373 if (flags != M_CLIENT)
374 {
375 log_history_add(man->persist.log, &e);
376 }
377
378 if (!man_password_needed(man))
379 {
380 if (flags == M_CLIENT)
381 {
382 out = log_entry_print(&e, LOG_PRINT_CRLF, &gc);
383 }
384 else if (man->connection.log_realtime)
385 {
386 out = log_entry_print(&e,
389 &gc);
390 }
391 if (out)
392 {
393 man_output_list_push_str(man, out);
394 action_flags |= AF_DID_PUSH;
395 }
396 if (flags & M_FATAL)
397 {
399 if (out)
400 {
401 man_output_list_push_str(man, out);
402 action_flags |= (AF_DID_PUSH | AF_DID_RESET);
403 }
404 }
405 }
406
407 gc_free(&gc);
408
409 if (action_flags & AF_DID_PUSH)
410 {
412 }
413 if (action_flags & AF_DID_RESET)
414 {
415 man_reset_client_socket(man, true);
416 }
417
418 --recursive_level;
419 }
420 else
421 {
422 /* cannot use msg here */
423 printf("virtual_output: message to management interface "
424 "dropped due to recursion: <%s>\n",
425 str);
426 }
427}
428
429/*
430 * Given a signal, return the signal with possible remapping applied,
431 * or -1 if the signal should be ignored.
432 */
433static int
434man_mod_signal(const struct management *man, const int signum)
435{
436 const unsigned int flags = man->settings.mansig;
437 int s = signum;
438 if (s == SIGUSR1)
439 {
440 if (flags & MANSIG_MAP_USR1_TO_HUP)
441 {
442 s = SIGHUP;
443 }
444 if (flags & MANSIG_MAP_USR1_TO_TERM)
445 {
446 s = SIGTERM;
447 }
448 }
449 if (flags & MANSIG_IGNORE_USR1_HUP)
450 {
451 if (s == SIGHUP || s == SIGUSR1)
452 {
453 s = -1;
454 }
455 }
456 return s;
457}
458
459static void
460man_signal(struct management *man, const char *name)
461{
462 const int sig = parse_signal(name);
463 if (sig >= 0)
464 {
465 const int sig_mod = man_mod_signal(man, sig);
466 if (sig_mod >= 0)
467 {
468 throw_signal(sig_mod);
469 msg(M_CLIENT, "SUCCESS: signal %s thrown", signal_name(sig_mod, true));
470 }
471 else
472 {
473 msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
474 if (man->persist.special_state_msg)
475 {
477 }
478 }
479 }
480 else
481 {
482 msg(M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
483 }
484}
485
486static void
487man_command_unsupported(const char *command_name)
488{
489 msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode",
490 command_name);
491}
492
493static void
494man_status(struct management *man, const int version, struct status_output *so)
495{
496 if (man->persist.callback.status)
497 {
498 (*man->persist.callback.status)(man->persist.callback.arg, version, so);
499 }
500 else
501 {
502 man_command_unsupported("status");
503 }
504}
505
506static void
512
513static void
514man_bytecount(struct management *man, const int update_seconds)
515{
516 if (update_seconds > 0)
517 {
518 man->connection.bytecount_update_seconds = update_seconds;
521 }
522 else
523 {
525 }
526
527 /* The newly received bytecount interval may be sooner than the existing
528 * coarse timer wakeup. Reset the timer to ensure it fires at the correct,
529 * earlier time.
530 */
531 if (man->persist.callback.arg)
532 {
533 struct context *c;
534
535 if (man->settings.flags & MF_SERVER)
536 {
537 struct multi_context *m = man->persist.callback.arg;
538 c = &m->top;
539 }
540 else
541 {
542 c = man->persist.callback.arg;
543 }
544
546 }
547
548 msg(M_CLIENT, "SUCCESS: bytecount interval changed");
549}
550
551static void
553{
554 char in[32];
555 char out[32];
556
557 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
558 snprintf(in, sizeof(in), counter_format, bytes_in_total);
559 snprintf(out, sizeof(out), counter_format, bytes_out_total);
560 msg(M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
561}
562
563static void
564man_bytecount_output_server(const counter_type bytes_in_total, const counter_type bytes_out_total,
565 struct man_def_auth_context *mdac)
566{
567 char in[32];
568 char out[32];
569 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
570 snprintf(in, sizeof(in), counter_format, bytes_in_total);
571 snprintf(out, sizeof(out), counter_format, bytes_out_total);
572 msg(M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
573}
574
575static void
576man_kill(struct management *man, const char *victim)
577{
578 struct gc_arena gc = gc_new();
579
581 {
582 struct buffer buf;
583 char p1[128];
584 char p2[128];
585 char p3[128];
586 int n_killed;
587
588 buf_set_read(&buf, (uint8_t *)victim, strlen(victim) + 1);
589 buf_parse(&buf, ':', p1, sizeof(p1));
590 buf_parse(&buf, ':', p2, sizeof(p2));
591 buf_parse(&buf, ':', p3, sizeof(p3));
592
593 if (strlen(p1) && strlen(p2) && strlen(p3))
594 {
595 /* IP:port specified */
596 bool status;
597 const in_addr_t addr =
599 if (status)
600 {
601 const int port = atoi(p3);
602 const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER
603 : (streq(p1, "udp")) ? PROTO_UDP
604 : PROTO_NONE;
605
606 if ((port > 0 && port < 65536) && (proto != PROTO_NONE))
607 {
608 n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg,
609 addr, port, proto);
610 if (n_killed > 0)
611 {
612 msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed", n_killed,
613 proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
614 port);
615 }
616 else
617 {
618 msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found",
619 proto2ascii(proto, AF_UNSPEC, false), print_in_addr_t(addr, 0, &gc),
620 port);
621 }
622 }
623 else
624 {
625 msg(M_CLIENT, "ERROR: port number or protocol out of range: %s %s", p3, p1);
626 }
627 }
628 else
629 {
630 msg(M_CLIENT, "ERROR: error parsing IP address: %s", p2);
631 }
632 }
633 else if (strlen(p1))
634 {
635 /* common name specified */
636 n_killed = (*man->persist.callback.kill_by_cn)(man->persist.callback.arg, p1);
637 if (n_killed > 0)
638 {
639 msg(M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
640 }
641 else
642 {
643 msg(M_CLIENT, "ERROR: common name '%s' not found", p1);
644 }
645 }
646 else
647 {
648 msg(M_CLIENT, "ERROR: kill parse");
649 }
650 }
651 else
652 {
654 }
655
656 gc_free(&gc);
657}
658
659/*
660 * General-purpose history command handler
661 * for the log and echo commands.
662 */
663static void
664man_history(struct management *man, const char *parm, const char *type, struct log_history *log,
665 bool *realtime, const unsigned int lep_flags)
666{
667 struct gc_arena gc = gc_new();
668 int n = 0;
669
670 if (streq(parm, "on"))
671 {
672 *realtime = true;
673 msg(M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
674 }
675 else if (streq(parm, "off"))
676 {
677 *realtime = false;
678 msg(M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
679 }
680 else if (streq(parm, "all") || (n = atoi(parm)) > 0)
681 {
682 const int size = log_history_size(log);
683 const int start = (n ? n : size) - 1;
684 int i;
685
686 for (i = start; i >= 0; --i)
687 {
688 const struct log_entry *e = log_history_ref(log, i);
689 if (e)
690 {
691 const char *out = log_entry_print(e, lep_flags, &gc);
693 }
694 }
695 msg(M_CLIENT, "END");
696 }
697 else
698 {
699 msg(M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
700 }
701
702 gc_free(&gc);
703}
704
705static void
706man_log(struct management *man, const char *parm)
707{
708 man_history(man, parm, "log", man->persist.log, &man->connection.log_realtime,
710}
711
712static void
713man_echo(struct management *man, const char *parm)
714{
715 man_history(man, parm, "echo", man->persist.echo, &man->connection.echo_realtime,
717}
718
719static void
720man_state(struct management *man, const char *parm)
721{
722 man_history(man, parm, "state", man->persist.state, &man->connection.state_realtime,
724}
725
726static void
728{
729 switch (man->connection.up_query_mode)
730 {
732 if (!strlen(man->connection.up_query.username))
733 {
734 break;
735 }
736
737 /* fall through */
738 case UP_QUERY_PASS:
739 case UP_QUERY_NEED_OK:
741 if (strlen(man->connection.up_query.password))
742 {
743 man->connection.up_query.defined = true;
744 }
745 break;
746
748 man->connection.up_query.defined = false;
749 break;
750
751 default:
752 ASSERT(0);
753 }
754}
755
756static void
757man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed,
758 const char *prompt, char *dest, int len)
759{
760 if (needed)
761 {
763 if (streq(man->connection.up_query_type, type))
764 {
765 strncpynt(dest, string, len);
766 man_up_finalize(man);
767 msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified", type, prompt);
768 }
769 else
770 {
771 msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'", prompt,
772 type, man->connection.up_query_type);
773 }
774 }
775 else
776 {
777 msg(M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
778 }
779}
780
781static void
782man_query_username(struct management *man, const char *type, const char *string)
783{
784 const bool needed =
786 man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username,
788}
789
790static void
791man_query_password(struct management *man, const char *type, const char *string)
792{
793 const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
795 && man->connection.up_query_type);
796 if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
797 {
798 string = blank_up;
799 }
800 man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password,
802}
803
804static void
805man_query_need_ok(struct management *man, const char *type, const char *action)
806{
807 const bool needed =
809 man_query_user_pass(man, type, action, needed, "needok-confirmation",
811}
812
813static void
814man_query_need_str(struct management *man, const char *type, const char *action)
815{
816 const bool needed =
818 man_query_user_pass(man, type, action, needed, "needstr-string",
820}
821
822static void
824{
825 ssl_purge_auth(false);
826 (void)ssl_clean_auth_token();
827 msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
828}
829
830static void
831man_net(struct management *man)
832{
833 if (man->persist.callback.show_net)
834 {
836 }
837 else
838 {
840 }
841}
842
843static void
844man_send_cc_message(struct management *man, const char *message, const char *parameters)
845{
847 {
848 const bool status = (*man->persist.callback.send_cc_message)(man->persist.callback.arg,
849 message, parameters);
850 if (status)
851 {
852 msg(M_CLIENT, "SUCCESS: command succeeded");
853 }
854 else
855 {
856 msg(M_CLIENT, "ERROR: command failed");
857 }
858 }
859 else
860 {
861 man_command_unsupported("cr-repsonse");
862 }
863}
864#ifdef ENABLE_PKCS11
865
866static void
867man_pkcs11_id_count(struct management *man)
868{
869 msg(M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count());
870}
871
872static void
873man_pkcs11_id_get(struct management *man, const int index)
874{
875 char *id = NULL;
876 char *base64 = NULL;
877
878 if (pkcs11_management_id_get(index, &id, &base64))
879 {
880 msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
881 }
882 else
883 {
884 msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
885 }
886
887 free(id);
888 free(base64);
889}
890
891#endif /* ifdef ENABLE_PKCS11 */
892
893static void
895{
896 unsigned count = 0;
898 {
900 msg(M_CLIENT, "%u", count);
901 msg(M_CLIENT, "END");
902 }
903 else
904 {
905 man_command_unsupported("remote-entry-count");
906 }
907}
908
909static void
910man_remote_entry_get(struct management *man, const char *p1, const char *p2)
911{
912 ASSERT(p1);
913
915 {
916 unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
917
918 unsigned int from = (unsigned int)atoi(p1);
919 unsigned int to = p2 ? (unsigned int)atoi(p2) : from + 1;
920
921 if (!strcmp(p1, "all"))
922 {
923 from = 0;
924 to = count;
925 }
926
927 for (unsigned int i = from; i < min_uint(to, count); i++)
928 {
929 char *remote = NULL;
930 bool res =
931 (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
932 if (res && remote)
933 {
934 msg(M_CLIENT, "%u,%s", i, remote);
935 }
936 free(remote);
937 }
938 msg(M_CLIENT, "END");
939 }
940 else
941 {
942 man_command_unsupported("remote-entry-get");
943 }
944}
945
946static void
947man_hold(struct management *man, const char *cmd)
948{
949 if (cmd)
950 {
951 if (streq(cmd, "on"))
952 {
953 man->settings.flags |= MF_HOLD;
954 msg(M_CLIENT, "SUCCESS: hold flag set to ON");
955 }
956 else if (streq(cmd, "off"))
957 {
958 man->settings.flags &= ~MF_HOLD;
959 msg(M_CLIENT, "SUCCESS: hold flag set to OFF");
960 }
961 else if (streq(cmd, "release"))
962 {
963 man->persist.hold_release = true;
964 msg(M_CLIENT, "SUCCESS: hold release succeeded");
965 }
966 else
967 {
968 msg(M_CLIENT, "ERROR: bad hold command parameter");
969 }
970 }
971 else
972 {
973 msg(M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
974 }
975}
976
977#define IER_RESET 0
978#define IER_NEW 1
979
980static void
981in_extra_reset(struct man_connection *mc, const int mode)
982{
983 if (mc)
984 {
985 if (mode != IER_NEW)
986 {
988 mc->in_extra_cid = 0;
989 mc->in_extra_kid = 0;
990 }
991 if (mc->in_extra)
992 {
994 mc->in_extra = NULL;
995 }
996 if (mode == IER_NEW)
997 {
999 }
1000 }
1001}
1002
1003static void
1005{
1006 switch (man->connection.in_extra_cmd)
1007 {
1008 case IEC_CLIENT_AUTH:
1009 if (man->persist.callback.client_auth)
1010 {
1011 const bool status = (*man->persist.callback.client_auth)(
1013 man->connection.in_extra_kid, true, NULL, NULL, man->connection.in_extra);
1014 man->connection.in_extra = NULL;
1015 report_command_status(status, "client-auth");
1016 }
1017 else
1018 {
1019 man_command_unsupported("client-auth");
1020 }
1021 break;
1022
1023 case IEC_PK_SIGN:
1027 man->connection.in_extra = NULL;
1028 return;
1029
1030 case IEC_CERTIFICATE:
1034 man->connection.in_extra = NULL;
1035 return;
1036 }
1038}
1039
1040static bool
1041parse_cid(const char *str, unsigned long *cid)
1042{
1043 if (sscanf(str, "%lu", cid) == 1)
1044 {
1045 return true;
1046 }
1047 else
1048 {
1049 msg(M_CLIENT, "ERROR: cannot parse CID");
1050 return false;
1051 }
1052}
1053
1054static bool
1055parse_uint(const char *str, const char *what, unsigned int *uint)
1056{
1057 if (sscanf(str, "%u", uint) == 1)
1058 {
1059 return true;
1060 }
1061 else
1062 {
1063 msg(M_CLIENT, "ERROR: cannot parse %s", what);
1064 return false;
1065 }
1066}
1067
1079static void
1080man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str,
1081 const char *extra, const char *timeout_str)
1082{
1083 unsigned long cid = 0;
1084 unsigned int kid = 0;
1085 unsigned int timeout = 0;
1086 if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid)
1087 && parse_uint(timeout_str, "TIMEOUT", &timeout))
1088 {
1090 {
1091 bool ret = (*man->persist.callback.client_pending_auth)(man->persist.callback.arg, cid,
1092 kid, extra, timeout);
1093
1094 if (ret)
1095 {
1096 msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded");
1097 }
1098 else
1099 {
1100 msg(M_CLIENT, "ERROR: client-pending-auth command failed."
1101 " Extra parameter might be too long");
1102 }
1103 }
1104 else
1105 {
1106 man_command_unsupported("client-pending-auth");
1107 }
1108 }
1109}
1110
1111static void
1112man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
1113{
1114 struct man_connection *mc = &man->connection;
1115 mc->in_extra_cid = 0;
1116 mc->in_extra_kid = 0;
1117 if (parse_cid(cid_str, &mc->in_extra_cid) && parse_uint(kid_str, "KID", &mc->in_extra_kid))
1118 {
1121 if (!extra)
1122 {
1123 in_extra_dispatch(man);
1124 }
1125 }
1126}
1127
1128static void
1129man_client_deny(struct management *man, const char *cid_str, const char *kid_str,
1130 const char *reason, const char *client_reason)
1131{
1132 unsigned long cid = 0;
1133 unsigned int kid = 0;
1134 if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid))
1135 {
1136 if (man->persist.callback.client_auth)
1137 {
1138 const bool status = (*man->persist.callback.client_auth)(
1139 man->persist.callback.arg, cid, kid, false, reason, client_reason, NULL);
1140 if (status)
1141 {
1142 msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
1143 }
1144 else
1145 {
1146 msg(M_CLIENT, "ERROR: client-deny command failed");
1147 }
1148 }
1149 else
1150 {
1151 man_command_unsupported("client-deny");
1152 }
1153 }
1154}
1155
1156static void
1157man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
1158{
1159 unsigned long cid = 0;
1160 if (parse_cid(cid_str, &cid))
1161 {
1162 if (man->persist.callback.kill_by_cid)
1163 {
1164 const bool status =
1165 (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
1166 if (status)
1167 {
1168 msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
1169 }
1170 else
1171 {
1172 msg(M_CLIENT, "ERROR: client-kill command failed");
1173 }
1174 }
1175 else
1176 {
1177 man_command_unsupported("client-kill");
1178 }
1179 }
1180}
1181
1182static void
1184{
1185 if (man->persist.callback.n_clients)
1186 {
1187 const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1188 msg(M_CLIENT, "SUCCESS: nclients=%d", nclients);
1189 }
1190 else
1191 {
1192 man_command_unsupported("nclients");
1193 }
1194}
1195
1196static void
1197man_env_filter(struct management *man, const int level)
1198{
1199 man->connection.env_filter_level = level;
1200 msg(M_CLIENT, "SUCCESS: env_filter_level=%d", level);
1201}
1202
1203
1204static void
1205man_pk_sig(struct management *man, const char *cmd_name)
1206{
1207 struct man_connection *mc = &man->connection;
1208 if (mc->ext_key_state == EKS_SOLICIT)
1209 {
1213 }
1214 else
1215 {
1216 msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
1217 }
1218}
1219
1220static void
1222{
1223 struct man_connection *mc = &man->connection;
1224 if (mc->ext_cert_state == EKS_SOLICIT)
1225 {
1229 }
1230 else
1231 {
1232 msg(M_CLIENT, "ERROR: The certificate command is not currently available");
1233 }
1234}
1235
1236static void
1238{
1241 int nclients = 0;
1242
1243 if (man->persist.callback.n_clients)
1244 {
1245 nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1246 }
1247 msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
1249}
1250
1251#define MN_AT_LEAST (1 << 0)
1262static bool
1263man_need(struct management *man, const char **p, const int n, unsigned int flags)
1264{
1265 int i;
1266 ASSERT(p[0]);
1267 for (i = 1; i <= n; ++i)
1268 {
1269 if (!p[i])
1270 {
1271 msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s", p[0],
1272 (flags & MN_AT_LEAST) ? "at least " : "", n, n > 1 ? "s" : "");
1273 return false;
1274 }
1275 }
1276 return true;
1277}
1278
1279static void
1280man_proxy(struct management *man, const char **p)
1281{
1282 if (man->persist.callback.proxy_cmd)
1283 {
1284 const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p);
1285 report_command_status(status, "proxy");
1286 }
1287 else
1288 {
1289 man_command_unsupported("proxy");
1290 }
1291}
1292
1293static void
1294man_remote(struct management *man, const char **p)
1295{
1296 if (man->persist.callback.remote_cmd)
1297 {
1298 const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
1299 report_command_status(status, "remote");
1300 }
1301 else
1302 {
1303 man_command_unsupported("remote");
1304 }
1305}
1306
1307#ifdef TARGET_ANDROID
1308static void
1309man_network_change(struct management *man, bool samenetwork)
1310{
1311 /* Called to signal the OpenVPN that the network configuration has changed and
1312 * the client should either float or reconnect.
1313 *
1314 * The code is currently only used by ics-openvpn
1315 */
1316 if (man->persist.callback.network_change)
1317 {
1318 int fd = (*man->persist.callback.network_change)(man->persist.callback.arg, samenetwork);
1319 man->connection.fdtosend = fd;
1320 msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
1321 if (fd == -2)
1322 {
1323 man_signal(man, "SIGUSR1");
1324 }
1325 }
1326}
1327#endif
1328
1329static void
1330set_client_version(struct management *man, const char *version)
1331{
1332 if (version)
1333 {
1334 man->connection.client_version = atoi(version);
1335 }
1336}
1337
1338static void
1339man_push_update(struct management *man, const char **p, const push_update_type type)
1340{
1341 bool status = false;
1342
1343 if (type == UPT_BROADCAST)
1344 {
1346 {
1347 man_command_unsupported("push-update-broad");
1348 return;
1349 }
1350
1352 }
1353 else if (type == UPT_BY_CID)
1354 {
1356 {
1357 man_command_unsupported("push-update-cid");
1358 return;
1359 }
1360
1361 unsigned long cid = 0;
1362
1363 if (!parse_cid(p[1], &cid))
1364 {
1365 msg(M_CLIENT, "ERROR: push-update-cid fail during cid parsing");
1366 return;
1367 }
1368
1369 status = (*man->persist.callback.push_update_by_cid)(man->persist.callback.arg, cid, p[2]);
1370 }
1371
1372 if (status)
1373 {
1374 msg(M_CLIENT, "SUCCESS: push-update command succeeded");
1375 return;
1376 }
1377 msg(M_CLIENT, "ERROR: push-update command failed");
1378}
1379
1380static void
1381man_dispatch_command(struct management *man, struct status_output *so, const char **p,
1382 const int nparms)
1383{
1384 struct gc_arena gc = gc_new();
1385
1386 ASSERT(p[0]);
1387 if (streq(p[0], "exit") || streq(p[0], "quit"))
1388 {
1389 man->connection.halt = true;
1390 goto done;
1391 }
1392 else if (streq(p[0], "help"))
1393 {
1394 man_help();
1395 }
1396 else if (streq(p[0], "version") && p[1])
1397 {
1398 set_client_version(man, p[1]);
1399 }
1400 else if (streq(p[0], "version"))
1401 {
1402 msg(M_CLIENT, "OpenVPN Version: %s", title_string);
1403 msg(M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1404 msg(M_CLIENT, "END");
1405 }
1406 else if (streq(p[0], "pid"))
1407 {
1408 msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
1409 }
1410 else if (streq(p[0], "nclients"))
1411 {
1413 }
1414 else if (streq(p[0], "env-filter"))
1415 {
1416 int level = 0;
1417 if (p[1])
1418 {
1419 level = atoi(p[1]);
1420 }
1421 man_env_filter(man, level);
1422 }
1423 else if (streq(p[0], "signal"))
1424 {
1425 if (man_need(man, p, 1, 0))
1426 {
1427 man_signal(man, p[1]);
1428 }
1429 }
1430#ifdef TARGET_ANDROID
1431 else if (streq(p[0], "network-change"))
1432 {
1433 bool samenetwork = false;
1434 if (p[1] && streq(p[1], "samenetwork"))
1435 {
1436 samenetwork = true;
1437 }
1438
1439 man_network_change(man, samenetwork);
1440 }
1441#endif
1442 else if (streq(p[0], "load-stats"))
1443 {
1444 man_load_stats(man);
1445 }
1446 else if (streq(p[0], "status"))
1447 {
1448 int version = 0;
1449 if (p[1])
1450 {
1451 version = atoi(p[1]);
1452 }
1453 man_status(man, version, so);
1454 }
1455 else if (streq(p[0], "kill"))
1456 {
1457 if (man_need(man, p, 1, 0))
1458 {
1459 man_kill(man, p[1]);
1460 }
1461 }
1462 else if (streq(p[0], "verb"))
1463 {
1464 if (p[1])
1465 {
1466 const int level = atoi(p[1]);
1467 if (set_debug_level(level, 0))
1468 {
1469 msg(M_CLIENT, "SUCCESS: verb level changed");
1470 }
1471 else
1472 {
1473 msg(M_CLIENT, "ERROR: verb level is out of range");
1474 }
1475 }
1476 else
1477 {
1478 msg(M_CLIENT, "SUCCESS: verb=%d", get_debug_level());
1479 }
1480 }
1481 else if (streq(p[0], "mute"))
1482 {
1483 if (p[1])
1484 {
1485 const int level = atoi(p[1]);
1486 if (set_mute_cutoff(level))
1487 {
1488 msg(M_CLIENT, "SUCCESS: mute level changed");
1489 }
1490 else
1491 {
1492 msg(M_CLIENT, "ERROR: mute level is out of range");
1493 }
1494 }
1495 else
1496 {
1497 msg(M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff());
1498 }
1499 }
1500 else if (streq(p[0], "auth-retry"))
1501 {
1502 if (p[1])
1503 {
1504 if (auth_retry_set(M_CLIENT, p[1]))
1505 {
1506 msg(M_CLIENT, "SUCCESS: auth-retry parameter changed");
1507 }
1508 else
1509 {
1510 msg(M_CLIENT, "ERROR: bad auth-retry parameter");
1511 }
1512 }
1513 else
1514 {
1515 msg(M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print());
1516 }
1517 }
1518 else if (streq(p[0], "state"))
1519 {
1520 if (!p[1])
1521 {
1522 man_state(man, "1");
1523 }
1524 else
1525 {
1526 if (p[1])
1527 {
1528 man_state(man, p[1]);
1529 }
1530 if (p[2])
1531 {
1532 man_state(man, p[2]);
1533 }
1534 }
1535 }
1536 else if (streq(p[0], "log"))
1537 {
1538 if (man_need(man, p, 1, MN_AT_LEAST))
1539 {
1540 if (p[1])
1541 {
1542 man_log(man, p[1]);
1543 }
1544 if (p[2])
1545 {
1546 man_log(man, p[2]);
1547 }
1548 }
1549 }
1550 else if (streq(p[0], "echo"))
1551 {
1552 if (man_need(man, p, 1, MN_AT_LEAST))
1553 {
1554 if (p[1])
1555 {
1556 man_echo(man, p[1]);
1557 }
1558 if (p[2])
1559 {
1560 man_echo(man, p[2]);
1561 }
1562 }
1563 }
1564 else if (streq(p[0], "username"))
1565 {
1566 if (man_need(man, p, 2, 0))
1567 {
1568 man_query_username(man, p[1], p[2]);
1569 }
1570 }
1571 else if (streq(p[0], "password"))
1572 {
1573 if (man_need(man, p, 2, 0))
1574 {
1575 man_query_password(man, p[1], p[2]);
1576 }
1577 }
1578 else if (streq(p[0], "forget-passwords"))
1579 {
1581 }
1582 else if (streq(p[0], "needok"))
1583 {
1584 if (man_need(man, p, 2, 0))
1585 {
1586 man_query_need_ok(man, p[1], p[2]);
1587 }
1588 }
1589 else if (streq(p[0], "needstr"))
1590 {
1591 if (man_need(man, p, 2, 0))
1592 {
1593 man_query_need_str(man, p[1], p[2]);
1594 }
1595 }
1596 else if (streq(p[0], "cr-response"))
1597 {
1598 if (man_need(man, p, 1, 0))
1599 {
1600 man_send_cc_message(man, "CR_RESPONSE", p[1]);
1601 }
1602 }
1603 else if (streq(p[0], "net"))
1604 {
1605 man_net(man);
1606 }
1607 else if (streq(p[0], "hold"))
1608 {
1609 man_hold(man, p[1]);
1610 }
1611 else if (streq(p[0], "bytecount"))
1612 {
1613 if (man_need(man, p, 1, 0))
1614 {
1615 man_bytecount(man, atoi(p[1]));
1616 }
1617 }
1618 else if (streq(p[0], "client-kill"))
1619 {
1620 if (man_need(man, p, 1, MN_AT_LEAST))
1621 {
1622 man_client_kill(man, p[1], p[2]);
1623 }
1624 }
1625 else if (streq(p[0], "client-deny"))
1626 {
1627 if (man_need(man, p, 3, MN_AT_LEAST))
1628 {
1629 man_client_deny(man, p[1], p[2], p[3], p[4]);
1630 }
1631 }
1632 else if (streq(p[0], "client-auth-nt"))
1633 {
1634 if (man_need(man, p, 2, 0))
1635 {
1636 man_client_auth(man, p[1], p[2], false);
1637 }
1638 }
1639 else if (streq(p[0], "client-auth"))
1640 {
1641 if (man_need(man, p, 2, 0))
1642 {
1643 man_client_auth(man, p[1], p[2], true);
1644 }
1645 }
1646 else if (streq(p[0], "client-pending-auth"))
1647 {
1648 if (man_need(man, p, 4, 0))
1649 {
1650 man_client_pending_auth(man, p[1], p[2], p[3], p[4]);
1651 }
1652 }
1653 else if (streq(p[0], "rsa-sig"))
1654 {
1655 man_pk_sig(man, "rsa-sig");
1656 }
1657 else if (streq(p[0], "pk-sig"))
1658 {
1659 man_pk_sig(man, "pk-sig");
1660 }
1661 else if (streq(p[0], "certificate"))
1662 {
1663 man_certificate(man);
1664 }
1665#ifdef ENABLE_PKCS11
1666 else if (streq(p[0], "pkcs11-id-count"))
1667 {
1668 man_pkcs11_id_count(man);
1669 }
1670 else if (streq(p[0], "pkcs11-id-get"))
1671 {
1672 if (man_need(man, p, 1, 0))
1673 {
1674 man_pkcs11_id_get(man, atoi(p[1]));
1675 }
1676 }
1677#endif
1678 else if (streq(p[0], "remote-entry-count"))
1679 {
1681 }
1682 else if (streq(p[0], "remote-entry-get"))
1683 {
1684 if (man_need(man, p, 1, MN_AT_LEAST))
1685 {
1686 man_remote_entry_get(man, p[1], p[2]);
1687 }
1688 }
1689 else if (streq(p[0], "proxy"))
1690 {
1691 if (man_need(man, p, 1, MN_AT_LEAST))
1692 {
1693 man_proxy(man, p);
1694 }
1695 }
1696 else if (streq(p[0], "remote"))
1697 {
1698 if (man_need(man, p, 1, MN_AT_LEAST))
1699 {
1700 man_remote(man, p);
1701 }
1702 }
1703 else if (streq(p[0], "push-update-broad"))
1704 {
1705 if (man_need(man, p, 1, 0))
1706 {
1708 }
1709 }
1710 else if (streq(p[0], "push-update-cid"))
1711 {
1712 if (man_need(man, p, 2, 0))
1713 {
1714 man_push_update(man, p, UPT_BY_CID);
1715 }
1716 }
1717#if 1
1718 else if (streq(p[0], "test"))
1719 {
1720 if (man_need(man, p, 1, 0))
1721 {
1722 int i;
1723 const int n = atoi(p[1]);
1724 for (i = 0; i < n; ++i)
1725 {
1726 msg(M_CLIENT,
1727 "[%d] The purpose of this command is to generate large amounts of output.", i);
1728 }
1729 }
1730 }
1731#endif
1732 else
1733 {
1734 msg(M_CLIENT, "ERROR: unknown command [%s], enter 'help' for more options", p[0]);
1735 }
1736
1737done:
1738 gc_free(&gc);
1739}
1740
1741#ifdef _WIN32
1742
1743static void
1745{
1746 switch (man->connection.state)
1747 {
1748 case MS_LISTEN:
1749 net_event_win32_start(&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1750 break;
1751
1752 case MS_CC_WAIT_READ:
1753 case MS_CC_WAIT_WRITE:
1754 net_event_win32_start(&man->connection.ne32, FD_READ | FD_WRITE | FD_CLOSE,
1755 man->connection.sd_cli);
1756 break;
1757
1758 default:
1759 ASSERT(0);
1760 }
1761}
1762
1763static void
1765{
1767}
1768
1769#endif /* ifdef _WIN32 */
1770
1771static void
1773{
1774 man->connection.state_realtime = false;
1775 man->connection.log_realtime = false;
1776 man->connection.echo_realtime = false;
1778 man->connection.password_verified = false;
1779 man->connection.password_tries = 0;
1780 man->connection.halt = false;
1782}
1783
1784static void
1785man_new_connection_post(struct management *man, const char *description)
1786{
1787 struct gc_arena gc = gc_new();
1788
1790
1792
1793#ifdef _WIN32
1794 man_start_ne32(man);
1795#endif
1796
1797#if UNIX_SOCK_SUPPORT
1798 if (man->settings.flags & MF_UNIX_SOCK)
1799 {
1800 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
1801 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1802 }
1803 else
1804#endif
1806 {
1807 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
1808 print_sockaddr(man->settings.local->ai_addr, &gc));
1809 }
1810 else
1811 {
1812 struct sockaddr_storage addr;
1813 socklen_t addrlen = sizeof(addr);
1814 if (!getpeername(man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen))
1815 {
1816 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
1817 print_sockaddr((struct sockaddr *)&addr, &gc));
1818 }
1819 else
1820 {
1821 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, "unknown");
1822 }
1823 }
1824
1826
1827 if (!man_password_needed(man))
1828 {
1829 man_welcome(man);
1830 }
1831 man_prompt(man);
1833
1834 gc_free(&gc);
1835}
1836
1837#if UNIX_SOCK_SUPPORT
1838static bool
1839man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd)
1840{
1841 if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1842 {
1843 static const char err_prefix[] =
1844 "MANAGEMENT: unix domain socket client connection rejected --";
1845 int uid, gid;
1846 if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid))
1847 {
1848 if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1849 {
1851 "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1852 err_prefix, uid, man->settings.client_uid);
1853 return false;
1854 }
1855 if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1856 {
1858 "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1859 err_prefix, gid, man->settings.client_gid);
1860 return false;
1861 }
1862 }
1863 else
1864 {
1865 msg(D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1866 return false;
1867 }
1868 }
1869 return true;
1870}
1871#endif /* if UNIX_SOCK_SUPPORT */
1872
1873static void
1875{
1876 struct link_socket_actual act;
1877 CLEAR(act);
1878
1879 /*
1880 * Accept the TCP or Unix domain socket client.
1881 */
1882#if UNIX_SOCK_SUPPORT
1883 if (man->settings.flags & MF_UNIX_SOCK)
1884 {
1885 struct sockaddr_un remote;
1886 man->connection.sd_cli = socket_accept_unix(man->connection.sd_top, &remote);
1887 if (!man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1888 {
1889 sd_close(&man->connection.sd_cli);
1890 }
1891 }
1892 else
1893#endif
1894 {
1895 man->connection.sd_cli = socket_do_accept(man->connection.sd_top, &act, false);
1896 }
1897
1899 {
1900 man->connection.remote = act.dest;
1901
1903 {
1904#ifdef _WIN32
1905 man_stop_ne32(man);
1906#endif
1907 }
1908
1909 man_new_connection_post(man, "Client connected from");
1910 }
1911}
1912
1913static void
1915{
1916 struct gc_arena gc = gc_new();
1917
1918 /*
1919 * Initialize state
1920 */
1921 man->connection.state = MS_LISTEN;
1923
1924 /*
1925 * Initialize listening socket
1926 */
1928 {
1929#if UNIX_SOCK_SUPPORT
1930 if (man->settings.flags & MF_UNIX_SOCK)
1931 {
1933 man->connection.sd_top = create_socket_unix();
1934 socket_bind_unix(man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1935 }
1936 else
1937#endif
1938 {
1940 socket_bind(man->connection.sd_top, man->settings.local, man->settings.local->ai_family,
1941 "MANAGEMENT", false);
1942 }
1943
1944 /*
1945 * Listen for connection
1946 */
1947 if (listen(man->connection.sd_top, 1))
1948 {
1949 msg(M_ERR, "MANAGEMENT: listen() failed");
1950 }
1951
1952 /*
1953 * Set misc socket properties
1954 */
1956
1957#if UNIX_SOCK_SUPPORT
1958 if (man->settings.flags & MF_UNIX_SOCK)
1959 {
1960 msg(D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1961 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1962 }
1963 else
1964#endif
1965 {
1966 const struct sockaddr *man_addr = man->settings.local->ai_addr;
1967 struct sockaddr_storage addr;
1968 socklen_t addrlen = sizeof(addr);
1969 if (!getsockname(man->connection.sd_top, (struct sockaddr *)&addr, &addrlen))
1970 {
1971 man_addr = (struct sockaddr *)&addr;
1972 }
1973 else
1974 {
1975 msg(M_WARN | M_ERRNO, "Failed to get the management socket address");
1976 }
1977 msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1978 print_sockaddr(man_addr, &gc));
1979 }
1980 }
1981
1982#ifdef _WIN32
1983 man_start_ne32(man);
1984#endif
1985
1986 gc_free(&gc);
1987}
1988
1989static void
1991{
1992 struct gc_arena gc = gc_new();
1993 int status;
1994 int signal_received = 0;
1995
1996 /*
1997 * Initialize state
1998 */
2001
2002#if UNIX_SOCK_SUPPORT
2003 if (man->settings.flags & MF_UNIX_SOCK)
2004 {
2005 man->connection.sd_cli = create_socket_unix();
2006 status = socket_connect_unix(man->connection.sd_cli, &man->settings.local_unix);
2007 if (!status && !man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
2008 {
2009#ifdef EPERM
2010 status = EPERM;
2011#else
2012 status = 1;
2013#endif
2014 sd_close(&man->connection.sd_cli);
2015 }
2016 }
2017 else
2018#endif
2019 {
2021 status = openvpn_connect(man->connection.sd_cli, man->settings.local->ai_addr, 5,
2022 &signal_received);
2023 }
2024
2025 if (signal_received)
2026 {
2027 throw_signal(signal_received);
2028 goto done;
2029 }
2030
2031 if (status)
2032 {
2033#if UNIX_SOCK_SUPPORT
2034 if (man->settings.flags & MF_UNIX_SOCK)
2035 {
2036 msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to unix socket %s failed",
2037 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
2038 }
2039 else
2040#endif
2041 {
2042 msg(D_LINK_ERRORS | M_ERRNO, "MANAGEMENT: connect to %s failed",
2043 print_sockaddr(man->settings.local->ai_addr, &gc));
2044 }
2045 throw_signal_soft(SIGTERM, "management-connect-failed");
2046 goto done;
2047 }
2048
2049 man_new_connection_post(man, "Connected to management server at");
2050
2051done:
2052 gc_free(&gc);
2053}
2054
2055static void
2056man_reset_client_socket(struct management *man, const bool exiting)
2057{
2059 {
2060 man_bytecount_stop(man);
2061#ifdef _WIN32
2062 man_stop_ne32(man);
2063#endif
2070 msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected");
2071 }
2072 if (!exiting)
2073 {
2075 {
2076 ssl_purge_auth(false);
2077 (void)ssl_clean_auth_token();
2078 }
2079
2080 if (man->settings.flags & MF_SIGNAL)
2081 {
2082 int mysig = man_mod_signal(man, SIGUSR1);
2083 if (mysig >= 0)
2084 {
2085 msg(D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
2086 throw_signal_soft(mysig, "management-disconnect");
2087 }
2088 }
2089
2091 {
2092 msg(D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
2093 throw_signal_soft(SIGTERM, "management-exit");
2094 }
2095 else
2096 {
2097 man_listen(man);
2098 }
2099 }
2100}
2101
2102static void
2103man_process_command(struct management *man, const char *line)
2104{
2105 struct gc_arena gc = gc_new();
2106 struct status_output *so;
2107 int nparms;
2108 char *parms[MAX_PARMS + 1];
2109
2110 CLEAR(parms);
2111 so = status_open(NULL, 0, -1, &man->persist.vout, 0);
2113
2114 if (man_password_needed(man))
2115 {
2116 man_check_password(man, line);
2117 }
2118 else
2119 {
2120 nparms = parse_line(line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
2121 if (parms[0] && streq(parms[0], "password"))
2122 {
2123 msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
2124 }
2125 else if (!streq(line, "load-stats"))
2126 {
2127 msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
2128 }
2129
2130#if 0
2131 /* DEBUGGING -- print args */
2132 {
2133 int i;
2134 for (i = 0; i < nparms; ++i)
2135 {
2136 msg(M_INFO, "[%d] '%s'", i, parms[i]);
2137 }
2138 }
2139#endif
2140
2141 if (nparms > 0)
2142 {
2143 man_dispatch_command(man, so, (const char **)parms, nparms);
2144 }
2145 }
2146
2147 CLEAR(parms);
2148 status_close(so);
2149 gc_free(&gc);
2150}
2151
2152static bool
2153man_io_error(struct management *man, const char *prefix)
2154{
2155 bool crt_error = false;
2156 int err = openvpn_errno_maybe_crt(&crt_error);
2157
2158 if (!ignore_sys_error(err, crt_error))
2159 {
2160 struct gc_arena gc = gc_new();
2161 msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, strerror(err));
2162 gc_free(&gc);
2163 return true;
2164 }
2165 else
2166 {
2167 return false;
2168 }
2169}
2170
2171#ifdef TARGET_ANDROID
2172static ssize_t
2173man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd)
2174{
2175 struct msghdr msg = { 0 };
2176 struct iovec iov[1];
2177
2178 union
2179 {
2180 struct cmsghdr cm;
2181 char control[CMSG_SPACE(sizeof(int))];
2182 } control_un;
2183 struct cmsghdr *cmptr;
2184
2185 msg.msg_control = control_un.control;
2186 msg.msg_controllen = sizeof(control_un.control);
2187
2188 cmptr = CMSG_FIRSTHDR(&msg);
2189 cmptr->cmsg_len = CMSG_LEN(sizeof(int));
2190 cmptr->cmsg_level = SOL_SOCKET;
2191 cmptr->cmsg_type = SCM_RIGHTS;
2192 *((int *)CMSG_DATA(cmptr)) = sendfd;
2193
2194 msg.msg_name = NULL;
2195 msg.msg_namelen = 0;
2196
2197 iov[0].iov_base = ptr;
2198 iov[0].iov_len = nbytes;
2199 msg.msg_iov = iov;
2200 msg.msg_iovlen = 1;
2201
2202 return (sendmsg(fd, &msg, flags));
2203}
2204
2205static ssize_t
2206man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd)
2207{
2208 struct msghdr msghdr = { 0 };
2209 struct iovec iov[1];
2210 ssize_t n;
2211
2212 union
2213 {
2214 struct cmsghdr cm;
2215 char control[CMSG_SPACE(sizeof(int))];
2216 } control_un;
2217 struct cmsghdr *cmptr;
2218
2219 msghdr.msg_control = control_un.control;
2220 msghdr.msg_controllen = sizeof(control_un.control);
2221
2222 msghdr.msg_name = NULL;
2223 msghdr.msg_namelen = 0;
2224
2225 iov[0].iov_base = ptr;
2226 iov[0].iov_len = nbytes;
2227 msghdr.msg_iov = iov;
2228 msghdr.msg_iovlen = 1;
2229
2230 if ((n = recvmsg(fd, &msghdr, flags)) <= 0)
2231 {
2232 return (n);
2233 }
2234
2235 if ((cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
2236 {
2237 if (cmptr->cmsg_level != SOL_SOCKET)
2238 {
2239 msg(M_ERR, "control level != SOL_SOCKET");
2240 }
2241 if (cmptr->cmsg_type != SCM_RIGHTS)
2242 {
2243 msg(M_ERR, "control type != SCM_RIGHTS");
2244 }
2245 *recvfd = *((int *)CMSG_DATA(cmptr));
2246 }
2247 else
2248 {
2249 *recvfd = -1; /* descriptor was not passed */
2250 }
2251 return (n);
2252}
2253
2254/*
2255 * The android control method will instruct the GUI part of openvpn to do
2256 * the route/ifconfig/open tun command. See doc/android.txt for details.
2257 */
2258bool
2259management_android_control(struct management *man, const char *command, const char *msg)
2260{
2261 if (!man)
2262 {
2263 msg(M_FATAL, "Required management interface not available.");
2264 }
2265 struct user_pass up;
2266 CLEAR(up);
2267 strncpy(up.username, msg, sizeof(up.username) - 1);
2268
2270 return strcmp("ok", up.password) == 0;
2271}
2272
2273/*
2274 * In Android 4.4 it is not possible to open a new tun device and then close the
2275 * old tun device without breaking the whole VPNService stack until the device
2276 * is rebooted. This management method ask the UI what method should be taken to
2277 * ensure the optimal solution for the situation
2278 */
2279int
2280managment_android_persisttun_action(struct management *man)
2281{
2282 struct user_pass up;
2283 CLEAR(up);
2284 strcpy(up.username, "tunmethod");
2286 (void *)0);
2287 if (!strcmp("NOACTION", up.password))
2288 {
2289 return ANDROID_KEEP_OLD_TUN;
2290 }
2291 else if (!strcmp("OPEN_BEFORE_CLOSE", up.password))
2292 {
2293 return ANDROID_OPEN_BEFORE_CLOSE;
2294 }
2295 else
2296 {
2297 msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query",
2298 up.password);
2299 }
2300
2301 ASSERT(0);
2302 return ANDROID_OPEN_BEFORE_CLOSE;
2303}
2304
2305
2306#endif /* ifdef TARGET_ANDROID */
2307
2308static int
2310{
2311 /*
2312 * read command line from socket
2313 */
2314 unsigned char buf[256];
2315 int len = 0;
2316
2317#ifdef TARGET_ANDROID
2318 int fd;
2319 len = man_recv_with_fd(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL, &fd);
2320 if (fd >= 0)
2321 {
2322 man->connection.lastfdreceived = fd;
2323 }
2324#else /* ifdef TARGET_ANDROID */
2325 len = recv(man->connection.sd_cli, (void *)buf, sizeof(buf), MSG_NOSIGNAL);
2326#endif
2327
2328 if (len == 0)
2329 {
2330 man_reset_client_socket(man, false);
2331 }
2332 else if (len > 0)
2333 {
2334 bool processed_command = false;
2335
2336 ASSERT(len <= (int)sizeof(buf));
2337 command_line_add(man->connection.in, buf, len);
2338
2339 /*
2340 * Reset output object
2341 */
2343
2344 /*
2345 * process command line if complete
2346 */
2347 {
2348 const char *line;
2349 while ((line = command_line_get(man->connection.in)))
2350 {
2351 if (man->connection.in_extra)
2352 {
2353 if (!strcmp(line, "END"))
2354 {
2355 in_extra_dispatch(man);
2356 }
2357 else
2358 {
2360 }
2361 }
2362 else
2363 {
2364 man_process_command(man, (char *)line);
2365 }
2366 if (man->connection.halt)
2367 {
2368 break;
2369 }
2371 processed_command = true;
2372 }
2373 }
2374
2375 /*
2376 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2377 */
2378 if (man->connection.halt)
2379 {
2380 man_reset_client_socket(man, false);
2381 len = 0;
2382 }
2383 else
2384 {
2385 if (processed_command)
2386 {
2387 man_prompt(man);
2388 }
2390 }
2391 }
2392 else /* len < 0 */
2393 {
2394 if (man_io_error(man, "recv"))
2395 {
2396 man_reset_client_socket(man, false);
2397 }
2398 }
2399 return len;
2400}
2401
2402static int
2404{
2405 const int size_hint = 1024;
2406 int sent = 0;
2407 const struct buffer *buf;
2408
2409 buffer_list_aggregate(man->connection.out, size_hint);
2410 buf = buffer_list_peek(man->connection.out);
2411 if (buf && BLEN(buf))
2412 {
2413 const int len = min_int(size_hint, BLEN(buf));
2414#ifdef TARGET_ANDROID
2415 if (man->connection.fdtosend > 0)
2416 {
2417 sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL,
2418 man->connection.fdtosend);
2419 man->connection.fdtosend = -1;
2420 }
2421 else
2422#endif
2423 sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL);
2424 if (sent >= 0)
2425 {
2426 buffer_list_advance(man->connection.out, sent);
2427 }
2428 else if (sent < 0)
2429 {
2430 if (man_io_error(man, "send"))
2431 {
2433 }
2434 }
2435 }
2436
2437 /*
2438 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2439 */
2441
2442 return sent;
2443}
2444
2445static void
2447{
2448 CLEAR(*mc);
2449
2450 /* set initial state */
2451 mc->state = MS_INITIAL;
2452
2453 /* clear socket descriptors */
2454 mc->sd_top = SOCKET_UNDEFINED;
2455 mc->sd_cli = SOCKET_UNDEFINED;
2456}
2457
2458static void
2459man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size,
2460 const int state_buffer_size)
2461{
2462 struct man_persist *mp = &man->persist;
2463 if (!mp->defined)
2464 {
2465 CLEAR(*mp);
2466
2467 /* initialize log history store */
2468 mp->log = log_history_init(log_history_cache);
2469
2470 /*
2471 * Initialize virtual output object, so that functions
2472 * which write to a virtual_output object can be redirected
2473 * here to the management object.
2474 */
2476 mp->vout.arg = man;
2479
2480 /*
2481 * Initialize --echo list
2482 */
2483 man->persist.echo = log_history_init(echo_buffer_size);
2484
2485 /*
2486 * Initialize --state list
2487 */
2488 man->persist.state = log_history_init(state_buffer_size);
2489
2490 mp->defined = true;
2491 }
2492}
2493
2494static void
2496{
2497 if (mp->log)
2498 {
2501 }
2502
2503 if (mp->echo)
2504 {
2506 }
2507
2508 if (mp->state)
2509 {
2511 }
2512
2513 CLEAR(*mp);
2514}
2515
2516static void
2517man_settings_init(struct man_settings *ms, const char *addr, const char *port,
2518 const char *pass_file, const char *client_user, const char *client_group,
2519 const int log_history_cache, const int echo_buffer_size,
2520 const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
2521{
2522 if (!ms->defined)
2523 {
2524 CLEAR(*ms);
2525
2526 ms->flags = flags;
2527 ms->client_uid = -1;
2528 ms->client_gid = -1;
2529
2530 /*
2531 * Get username/password
2532 */
2533 if (pass_file)
2534 {
2535 get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
2536 }
2537
2538 /*
2539 * lookup client UID/GID if specified
2540 */
2541 if (client_user)
2542 {
2543 struct platform_state_user s;
2544 platform_user_get(client_user, &s);
2546 msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
2547 ASSERT(ms->client_uid >= 0);
2548 }
2549 if (client_group)
2550 {
2551 struct platform_state_group s;
2552 platform_group_get(client_group, &s);
2554 msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
2555 ASSERT(ms->client_gid >= 0);
2556 }
2557
2558#if UNIX_SOCK_SUPPORT
2559 if (ms->flags & MF_UNIX_SOCK)
2560 {
2561 sockaddr_unix_init(&ms->local_unix, addr);
2562 }
2563 else
2564#endif
2565 {
2566 /*
2567 * Run management over tunnel, or
2568 * separate channel?
2569 */
2570 if (streq(addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
2571 {
2572 ms->management_over_tunnel = true;
2573 }
2574 else
2575 {
2576 int status;
2578
2579 if (!(flags & MF_CONNECT_AS_CLIENT))
2580 {
2581 resolve_flags |= GETADDR_PASSIVE;
2582 }
2583
2584 status =
2585 openvpn_getaddrinfo(resolve_flags, addr, port, 0, NULL, AF_UNSPEC, &ms->local);
2586 ASSERT(status == 0);
2587 }
2588 }
2589
2590 /*
2591 * Log history and echo buffer may need to be resized
2592 */
2593 ms->log_history_cache = log_history_cache;
2594 ms->echo_buffer_size = echo_buffer_size;
2595 ms->state_buffer_size = state_buffer_size;
2596
2597 /*
2598 * Set remap sigusr1 flags
2599 */
2600 if (remap_sigusr1 == SIGHUP)
2601 {
2603 }
2604 else if (remap_sigusr1 == SIGTERM)
2605 {
2607 }
2608
2609 ms->defined = true;
2610 }
2611}
2612
2613static void
2615{
2616 if (ms->local)
2617 {
2618 freeaddrinfo(ms->local);
2619 }
2620 CLEAR(*ms);
2621}
2622
2623
2624static void
2626{
2627 if (man->connection.state == MS_INITIAL)
2628 {
2629#ifdef _WIN32
2630 /*
2631 * This object is a sort of TCP/IP helper
2632 * for Windows.
2633 */
2635#endif
2636
2637 /*
2638 * Allocate helper objects for command line input and
2639 * command output from/to the socket.
2640 */
2641 man->connection.in = command_line_new(1024);
2643
2644 /*
2645 * Initialize event set for standalone usage, when we are
2646 * running outside of the primary event loop.
2647 */
2648 {
2649 int maxevents = 1;
2650 man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST);
2651 }
2652
2653 man->connection.client_version = 1; /* default version */
2654
2655 /*
2656 * Listen/connect socket
2657 */
2659 {
2660 man_connect(man);
2661 }
2662 else
2663 {
2664 man_listen(man);
2665 }
2666 }
2667}
2668
2669static void
2671{
2672 struct man_connection *mc = &man->connection;
2673
2674 event_free(mc->es);
2675#ifdef _WIN32
2677#endif
2678 if (socket_defined(mc->sd_top))
2679 {
2680 man_close_socket(man, mc->sd_top);
2682 }
2683 if (socket_defined(mc->sd_cli))
2684 {
2685 man_close_socket(man, mc->sd_cli);
2686 }
2687
2688 command_line_free(mc->in);
2689 buffer_list_free(mc->out);
2690
2692
2696}
2697
2698struct management *
2700{
2701 struct management *man;
2702 ALLOC_OBJ_CLEAR(man, struct management);
2703
2706
2708
2709 return man;
2710}
2711
2712bool
2713management_open(struct management *man, const char *addr, const char *port, const char *pass_file,
2714 const char *client_user, const char *client_group, const int log_history_cache,
2715 const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1,
2716 const unsigned int flags)
2717{
2718 bool ret = false;
2719
2720 /*
2721 * Save the settings only if they have not
2722 * been saved before.
2723 */
2724 man_settings_init(&man->settings, addr, port, pass_file, client_user, client_group,
2725 log_history_cache, echo_buffer_size, state_buffer_size, remap_sigusr1, flags);
2726
2727 /*
2728 * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2729 * but may be changed here. Ditto for echo and state buffers.
2730 */
2734
2735 /*
2736 * If connection object is uninitialized and we are not doing
2737 * over-the-tunnel management, then open (listening) connection.
2738 */
2739 if (man->connection.state == MS_INITIAL)
2740 {
2742 {
2744 ret = true;
2745 }
2746 }
2747
2748 return ret;
2749}
2750
2751void
2753{
2754 man_output_list_push_finalize(man); /* flush output queue */
2758 free(man);
2759}
2760
2761void
2763{
2764 man->persist.standalone_disabled = true;
2765 man->persist.callback = *cb;
2766}
2767
2768void
2770{
2771 man->persist.standalone_disabled = false;
2772 man->persist.hold_release = false;
2773 CLEAR(man->persist.callback);
2774 man_output_list_push_finalize(man); /* flush output queue */
2775}
2776
2777void
2778management_set_state(struct management *man, const int state, const char *detail,
2779 const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6,
2780 const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
2781{
2782 if (man->persist.state
2783 && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2784 {
2785 struct gc_arena gc = gc_new();
2786 struct log_entry e;
2787 const char *out = NULL;
2788
2789 update_time();
2790 CLEAR(e);
2791 e.timestamp = now;
2792 e.u.state = state;
2793 e.string = detail;
2794 if (tun_local_ip)
2795 {
2796 e.local_ip = *tun_local_ip;
2797 }
2798 if (tun_local_ip6)
2799 {
2800 e.local_ip6 = *tun_local_ip6;
2801 }
2802 if (local)
2803 {
2804 e.local_sock = *local;
2805 }
2806 if (remote)
2807 {
2808 e.remote_sock = *remote;
2809 }
2810
2811 log_history_add(man->persist.state, &e);
2812
2813 if (man->connection.state_realtime)
2814 {
2815 out = log_entry_print(&e,
2819 &gc);
2820 }
2821
2822 if (out)
2823 {
2824 man_output_list_push(man, out);
2825 }
2826
2827 gc_free(&gc);
2828 }
2829}
2830
2831static bool
2832env_filter_match(const char *env_str, const int env_filter_level)
2833{
2834 static const char *env_names[] = { "username=",
2835 "password=",
2836 "X509_0_CN=",
2837 "tls_serial_",
2838 "untrusted_ip=",
2839 "ifconfig_local=",
2840 "ifconfig_netmask=",
2841 "daemon_start_time=",
2842 "daemon_pid=",
2843 "dev=",
2844 "ifconfig_pool_remote_ip=",
2845 "ifconfig_pool_netmask=",
2846 "time_duration=",
2847 "bytes_sent=",
2848 "bytes_received=",
2849 "session_id=",
2850 "session_state=" };
2851
2852 if (env_filter_level == 0)
2853 {
2854 return true;
2855 }
2856 else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5))
2857 {
2858 return true;
2859 }
2860 else if (env_filter_level <= 2)
2861 {
2862 size_t i;
2863 for (i = 0; i < SIZE(env_names); ++i)
2864 {
2865 const char *en = env_names[i];
2866 const size_t len = strlen(en);
2867 if (!strncmp(env_str, en, len))
2868 {
2869 return true;
2870 }
2871 }
2872 return false;
2873 }
2874 return false;
2875}
2876
2877static void
2878man_output_env(const struct env_set *es, const bool tail, const int env_filter_level,
2879 const char *prefix)
2880{
2881 if (es)
2882 {
2883 struct env_item *e;
2884 for (e = es->list; e != NULL; e = e->next)
2885 {
2886 if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level)))
2887 {
2888 msg(M_CLIENT, ">%s:ENV,%s", prefix, e->string);
2889 }
2890 }
2891 }
2892 if (tail)
2893 {
2894 msg(M_CLIENT, ">%s:ENV,END", prefix);
2895 }
2896}
2897
2898static void
2899man_output_extra_env(struct management *man, const char *prefix)
2900{
2901 struct gc_arena gc = gc_new();
2902 struct env_set *es = env_set_create(&gc);
2903 if (man->persist.callback.n_clients)
2904 {
2905 const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
2906 setenv_int(es, "n_clients", nclients);
2907 }
2908 man_output_env(es, false, man->connection.env_filter_level, prefix);
2909 gc_free(&gc);
2910}
2911
2912void
2913management_up_down(struct management *man, const char *updown, const struct env_set *es)
2914{
2915 if (man->settings.flags & MF_UP_DOWN)
2916 {
2917 msg(M_CLIENT, ">UPDOWN:%s", updown);
2918 man_output_env(es, true, 0, "UPDOWN");
2919 }
2920}
2921
2922void
2923management_notify(struct management *man, const char *severity, const char *type, const char *text)
2924{
2925 msg(M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
2926}
2927
2928void
2929management_notify_generic(struct management *man, const char *str)
2930{
2931 msg(M_CLIENT, "%s", str);
2932}
2933
2934static void
2936{
2937 char line[256];
2939 {
2940 const char *peer_info =
2941 (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
2942 if (peer_info)
2943 {
2944 struct buffer buf;
2945 buf_set_read(&buf, (const uint8_t *)peer_info, strlen(peer_info));
2946 while (buf_parse(&buf, '\n', line, sizeof(line)))
2947 {
2948 chomp(line);
2950 {
2951 msg(M_CLIENT, ">CLIENT:ENV,%s", line);
2952 }
2953 else
2954 {
2955 msg(D_MANAGEMENT, "validation failed on peer_info line received from client");
2956 }
2957 }
2958 }
2959 }
2960}
2961
2962void
2963management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id,
2964 struct man_def_auth_context *mdac, const struct env_set *es)
2965{
2966 if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2967 {
2968 const char *mode = "CONNECT";
2969 if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2970 {
2971 mode = "REAUTH";
2972 }
2973 msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2976 {
2978 }
2980 mdac->flags |= DAF_INITIAL_AUTH;
2981 }
2982}
2983
2984void
2986 const struct env_set *es, const char *response)
2987{
2988 struct gc_arena gc;
2989 if (management)
2990 {
2991 gc = gc_new();
2992
2993 msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s", mdac->cid, mda_key_id, response);
2996 {
2998 }
3000 gc_free(&gc);
3001 }
3002}
3003
3004void
3006 const struct env_set *es)
3007{
3009 msg(M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
3012}
3013
3014void
3016 const struct env_set *es)
3017{
3018 if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
3019 {
3020 msg(M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
3023 }
3024}
3025
3026void
3028 const struct mroute_addr *addr, const bool primary)
3029{
3030 struct gc_arena gc = gc_new();
3031 if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
3032 {
3033 msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d", mdac->cid,
3034 mroute_addr_print_ex(addr, MAPF_SUBNET, &gc), BOOL_CAST(primary));
3035 }
3036 gc_free(&gc);
3037}
3038
3039void
3040management_echo(struct management *man, const char *string, const bool pull)
3041{
3042 if (man->persist.echo)
3043 {
3044 struct gc_arena gc = gc_new();
3045 struct log_entry e;
3046 const char *out = NULL;
3047
3048 update_time();
3049 CLEAR(e);
3050 e.timestamp = now;
3051 e.string = string;
3052 e.u.intval = BOOL_CAST(pull);
3053
3054 log_history_add(man->persist.echo, &e);
3055
3056 if (man->connection.echo_realtime)
3057 {
3058 out = log_entry_print(&e,
3061 &gc);
3062 }
3063
3064 if (out)
3065 {
3066 man_output_list_push(man, out);
3067 }
3068
3069 gc_free(&gc);
3070 }
3071}
3072
3073void
3074management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
3075{
3076 /*
3077 * If we are running management over the tunnel,
3078 * this is the place to initialize the connection.
3079 */
3081 {
3082 /* listen on our local TUN/TAP IP address */
3083 struct in_addr ia;
3084 int ret;
3085 char buf[INET_ADDRSTRLEN];
3086
3087 ia.s_addr = htonl(tun_local_ip);
3088 inet_ntop(AF_INET, &ia, buf, sizeof(buf));
3089 ret =
3090 openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL, AF_INET, &man->settings.local);
3091 ASSERT(ret == 0);
3093 }
3094}
3095
3096void
3098{
3100 {
3102 }
3103}
3104
3105void
3106management_auth_failure(struct management *man, const char *type, const char *reason)
3107{
3108 if (reason)
3109 {
3110 msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason);
3111 }
3112 else
3113 {
3114 msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
3115 }
3116}
3117
3118void
3119management_auth_token(struct management *man, const char *token)
3120{
3121 msg(M_CLIENT, ">PASSWORD:Auth-Token:%s", token);
3122}
3123
3124static inline bool
3125man_persist_state(unsigned int *persistent, const int n)
3126{
3127 if (persistent)
3128 {
3129 if (*persistent == (unsigned int)n)
3130 {
3131 return false;
3132 }
3133 *persistent = n;
3134 }
3135 return true;
3136}
3137
3138#ifdef _WIN32
3139
3140void
3141management_socket_set(struct management *man, struct event_set *es, void *arg,
3142 unsigned int *persistent)
3143{
3144 if (man->connection.state != MS_INITIAL)
3145 {
3148
3149 switch (man->connection.state)
3150 {
3151 case MS_LISTEN:
3152 if (man_persist_state(persistent, 1))
3153 {
3154 event_ctl(es, ev, EVENT_READ, arg);
3155 }
3156 break;
3157
3158 case MS_CC_WAIT_READ:
3159 if (man_persist_state(persistent, 2))
3160 {
3161 event_ctl(es, ev, EVENT_READ, arg);
3162 }
3163 break;
3164
3165 case MS_CC_WAIT_WRITE:
3166 if (man_persist_state(persistent, 3))
3167 {
3168 event_ctl(es, ev, EVENT_READ | EVENT_WRITE, arg);
3169 }
3170 break;
3171
3172 default:
3173 ASSERT(0);
3174 }
3175 }
3176}
3177
3178void
3180{
3181 if (man->connection.state != MS_INITIAL)
3182 {
3183 long net_events;
3186
3187 if (net_events & FD_CLOSE)
3188 {
3189 man_reset_client_socket(man, false);
3190 }
3191 else
3192 {
3193 if (man->connection.state == MS_LISTEN)
3194 {
3195 if (net_events & FD_ACCEPT)
3196 {
3197 man_accept(man);
3199 }
3200 }
3201 else if (man->connection.state == MS_CC_WAIT_READ
3203 {
3204 if (net_events & FD_READ)
3205 {
3206 while (man_read(man) > 0)
3207 {
3208 }
3210 }
3211
3212 if (net_events & FD_WRITE)
3213 {
3214 int status;
3215 status = man_write(man);
3216 if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
3217 {
3219 }
3220 }
3221 }
3222 }
3223 }
3224}
3225
3226#else /* ifdef _WIN32 */
3227
3228void
3229management_socket_set(struct management *man, struct event_set *es, void *arg,
3230 unsigned int *persistent)
3231{
3232 switch (man->connection.state)
3233 {
3234 case MS_LISTEN:
3235 if (man_persist_state(persistent, 1))
3236 {
3238 }
3239 break;
3240
3241 case MS_CC_WAIT_READ:
3242 if (man_persist_state(persistent, 2))
3243 {
3245 }
3246 break;
3247
3248 case MS_CC_WAIT_WRITE:
3249 if (man_persist_state(persistent, 3))
3250 {
3252 }
3253 break;
3254
3255 case MS_INITIAL:
3256 break;
3257
3258 default:
3259 ASSERT(0);
3260 }
3261}
3262
3263void
3264management_io(struct management *man)
3265{
3266 switch (man->connection.state)
3267 {
3268 case MS_LISTEN:
3269 man_accept(man);
3270 break;
3271
3272 case MS_CC_WAIT_READ:
3273 man_read(man);
3274 break;
3275
3276 case MS_CC_WAIT_WRITE:
3277 man_write(man);
3278 break;
3279
3280 case MS_INITIAL:
3281 break;
3282
3283 default:
3284 ASSERT(0);
3285 }
3286}
3287
3288#endif /* ifdef _WIN32 */
3289
3290static inline bool
3292{
3294}
3295
3296static bool
3297man_check_for_signals(volatile int *signal_received)
3298{
3299 if (signal_received)
3300 {
3301 get_signal(signal_received);
3302 if (*signal_received)
3303 {
3304 return true;
3305 }
3306 }
3307 return false;
3308}
3309
3310/*
3311 * Wait for socket I/O when outside primary event loop
3312 */
3313static int
3314man_block(struct management *man, volatile int *signal_received, const time_t expire)
3315{
3316 struct timeval tv;
3317 struct event_set_return esr;
3318 int status = -1;
3319
3320 if (man_standalone_ok(man))
3321 {
3322 /* expire time can be already overdue, for this case init zero
3323 * timeout to avoid waiting first time and exit loop early with
3324 * either obtained event or timeout.
3325 */
3326 tv.tv_usec = 0;
3327 tv.tv_sec = 0;
3328
3329 while (true)
3330 {
3332 management_socket_set(man, man->connection.es, NULL, NULL);
3333 if (man_check_for_signals(signal_received))
3334 {
3335 status = -1;
3336 break;
3337 }
3338 status = event_wait(man->connection.es, &tv, &esr, 1);
3339 update_time();
3340 if (man_check_for_signals(signal_received))
3341 {
3342 status = -1;
3343 break;
3344 }
3345
3346 if (status > 0)
3347 {
3348 break;
3349 }
3350 else if (expire && now >= expire)
3351 {
3352 /* set SIGINT signal if expiration time exceeded */
3353 status = 0;
3354 if (signal_received)
3355 {
3356 *signal_received = SIGINT;
3357 }
3358 break;
3359 }
3360
3361 /* wait one second more */
3362 tv.tv_sec = 1;
3363 tv.tv_usec = 0;
3364 }
3365 }
3366 return status;
3367}
3368
3369/*
3370 * Perform management socket output outside primary event loop
3371 */
3372static void
3373man_output_standalone(struct management *man, volatile int *signal_received)
3374{
3375 if (man_standalone_ok(man))
3376 {
3377 while (man->connection.state == MS_CC_WAIT_WRITE)
3378 {
3379 management_io(man);
3380 if (man->connection.state == MS_CC_WAIT_WRITE)
3381 {
3382 man_block(man, signal_received, 0);
3383 }
3384 if (signal_received && *signal_received)
3385 {
3386 break;
3387 }
3388 }
3389 }
3390}
3391
3392/*
3393 * Process management event loop outside primary event loop
3394 */
3395static int
3396man_standalone_event_loop(struct management *man, volatile int *signal_received,
3397 const time_t expire)
3398{
3399 int status = -1;
3400 if (man_standalone_ok(man))
3401 {
3402 status = man_block(man, signal_received, expire);
3403 if (status > 0)
3404 {
3405 management_io(man);
3406 }
3407 }
3408 return status;
3409}
3410
3411#define MWCC_PASSWORD_WAIT (1 << 0)
3412#define MWCC_HOLD_WAIT (1 << 1)
3413#define MWCC_OTHER_WAIT (1 << 2)
3414
3415/*
3416 * Block until client connects
3417 */
3418static void
3419man_wait_for_client_connection(struct management *man, volatile int *signal_received,
3420 const time_t expire, unsigned int flags)
3421{
3423 if (man->connection.state == MS_LISTEN)
3424 {
3425 if (flags & MWCC_PASSWORD_WAIT)
3426 {
3427 msg(D_MANAGEMENT, "Need password(s) from management interface, waiting...");
3428 }
3429 if (flags & MWCC_HOLD_WAIT)
3430 {
3431 msg(D_MANAGEMENT, "Need hold release from management interface, waiting...");
3432 }
3433 if (flags & MWCC_OTHER_WAIT)
3434 {
3435 msg(D_MANAGEMENT, "Need information from management interface, waiting...");
3436 }
3437 do
3438 {
3439 man_standalone_event_loop(man, signal_received, expire);
3440 if (signal_received && *signal_received)
3441 {
3442 break;
3443 }
3444 } while (man->connection.state == MS_LISTEN || man_password_needed(man));
3445 }
3446}
3447
3448/*
3449 * Process the management event loop for sec seconds
3450 */
3451void
3453{
3454 if (man_standalone_ok(man))
3455 {
3456 volatile int signal_received = 0;
3457 const bool standalone_disabled_save = man->persist.standalone_disabled;
3458 time_t expire = 0;
3459
3460 /* This is so M_CLIENT messages will be correctly passed through msg() */
3461 man->persist.standalone_disabled = false;
3462
3463 /* set expire time */
3464 update_time();
3465 if (sec >= 0)
3466 {
3467 expire = now + sec;
3468 }
3469
3470 /* if no client connection, wait for one */
3471 man_wait_for_client_connection(man, &signal_received, expire, 0);
3472 if (signal_received)
3473 {
3474 return;
3475 }
3476
3477 /* run command processing event loop */
3478 do
3479 {
3480 man_standalone_event_loop(man, &signal_received, expire);
3481 if (!signal_received)
3482 {
3483 man_check_for_signals(&signal_received);
3484 }
3485 if (signal_received)
3486 {
3487 return;
3488 }
3489 update_time();
3490 } while (expire && expire > now);
3491
3492 /* revert state */
3493 man->persist.standalone_disabled = standalone_disabled_save;
3494 }
3495 else if (sec > 0)
3496 {
3497 sleep(sec);
3498 }
3499}
3500
3501/*
3502 * Get a username/password from management channel in standalone mode.
3503 */
3504bool
3505management_query_user_pass(struct management *man, struct user_pass *up, const char *type,
3506 const unsigned int flags, const char *static_challenge)
3507{
3508 struct gc_arena gc = gc_new();
3509 bool ret = false;
3510
3511 if (man_standalone_ok(man))
3512 {
3513 volatile int signal_received = 0;
3514 const bool standalone_disabled_save = man->persist.standalone_disabled;
3515 struct buffer alert_msg = alloc_buf_gc(128, &gc);
3516 const char *alert_type = NULL;
3517 const char *prefix = NULL;
3518 unsigned int up_query_mode = 0;
3519 const char *sc = NULL;
3520 ret = true;
3521 /* This is so M_CLIENT messages will be correctly passed through msg() */
3522 man->persist.standalone_disabled = false;
3523 man->persist.special_state_msg = NULL;
3524
3525 CLEAR(man->connection.up_query);
3526
3527 if (flags & GET_USER_PASS_NEED_OK)
3528 {
3529 up_query_mode = UP_QUERY_NEED_OK;
3530 prefix = "NEED-OK";
3531 alert_type = "confirmation";
3532 }
3533 else if (flags & GET_USER_PASS_NEED_STR)
3534 {
3535 up_query_mode = UP_QUERY_NEED_STR;
3536 prefix = "NEED-STR";
3537 alert_type = "string";
3538 }
3539 else if (flags & GET_USER_PASS_PASSWORD_ONLY)
3540 {
3541 up_query_mode = UP_QUERY_PASS;
3542 prefix = "PASSWORD";
3543 alert_type = "password";
3544 }
3545 else
3546 {
3547 up_query_mode = UP_QUERY_USER_PASS;
3548 prefix = "PASSWORD";
3549 alert_type = "username/password";
3550 if (static_challenge)
3551 {
3553 }
3554 }
3555 buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, type, alert_type);
3556
3558 {
3559 buf_printf(&alert_msg, " MSG:%s", up->username);
3560 }
3561
3562 if (sc)
3563 {
3564 buf_printf(&alert_msg, " SC:%d,%s",
3567 sc);
3568 }
3569
3571 if (signal_received)
3572 {
3573 ret = false;
3574 }
3575
3576 if (ret)
3577 {
3578 man->persist.special_state_msg = BSTR(&alert_msg);
3579 msg(M_CLIENT, "%s", man->persist.special_state_msg);
3580
3581 /* tell command line parser which info we need */
3582 man->connection.up_query_mode = up_query_mode;
3583 man->connection.up_query_type = type;
3584
3585 /* run command processing event loop until we get our username/password/response */
3586 do
3587 {
3588 man_standalone_event_loop(man, &signal_received, 0);
3589 if (!signal_received)
3590 {
3591 man_check_for_signals(&signal_received);
3592 }
3593 if (signal_received)
3594 {
3595 ret = false;
3596 break;
3597 }
3598 } while (!man->connection.up_query.defined);
3599 }
3600
3601 /* revert state */
3602 man->connection.up_query_mode = UP_QUERY_DISABLED;
3603 man->connection.up_query_type = NULL;
3604 man->persist.standalone_disabled = standalone_disabled_save;
3605 man->persist.special_state_msg = NULL;
3606
3607 /* pass through blank passwords */
3608 if (!strcmp(man->connection.up_query.password, blank_up))
3609 {
3610 CLEAR(man->connection.up_query.password);
3611 }
3612
3613 /*
3614 * Transfer u/p to return object, zero any record
3615 * we hold in the management object.
3616 */
3617 if (ret)
3618 {
3619 /* preserve caller's settings */
3620 man->connection.up_query.nocache = up->nocache;
3621 *up = man->connection.up_query;
3622 }
3623 secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
3624 }
3625
3626 gc_free(&gc);
3627 return ret;
3628}
3629
3630static int
3631management_query_multiline(struct management *man, const char *b64_data, const char *prompt,
3632 const char *cmd, int *state, struct buffer_list **input)
3633{
3634 struct gc_arena gc = gc_new();
3635 int ret = 0;
3636 volatile int signal_received = 0;
3637 struct buffer alert_msg = clear_buf();
3638 const bool standalone_disabled_save = man->persist.standalone_disabled;
3639 struct man_connection *mc = &man->connection;
3640
3641 if (man_standalone_ok(man))
3642 {
3643 /* This is so M_CLIENT messages will be correctly passed through msg() */
3644 man->persist.standalone_disabled = false;
3645 man->persist.special_state_msg = NULL;
3646
3647 *state = EKS_SOLICIT;
3648
3649 if (b64_data)
3650 {
3651 alert_msg = alloc_buf_gc(strlen(b64_data) + strlen(prompt) + 3, &gc);
3652 buf_printf(&alert_msg, ">%s:%s", prompt, b64_data);
3653 }
3654 else
3655 {
3656 alert_msg = alloc_buf_gc(strlen(prompt) + 3, &gc);
3657 buf_printf(&alert_msg, ">%s", prompt);
3658 }
3659
3660 man_wait_for_client_connection(man, &signal_received, 0, MWCC_OTHER_WAIT);
3661
3662 if (signal_received)
3663 {
3664 goto done;
3665 }
3666
3667 man->persist.special_state_msg = BSTR(&alert_msg);
3669
3670 /* run command processing event loop until we get our signature */
3671 do
3672 {
3673 man_standalone_event_loop(man, &signal_received, 0);
3674 if (!signal_received)
3675 {
3676 man_check_for_signals(&signal_received);
3677 }
3678 if (signal_received)
3679 {
3680 goto done;
3681 }
3682 } while (*state != EKS_READY);
3683
3684 ret = 1;
3685 }
3686
3687done:
3688 if (*state == EKS_READY && ret)
3689 {
3690 msg(M_CLIENT, "SUCCESS: %s command succeeded", cmd);
3691 }
3692 else if (*state == EKS_INPUT || *state == EKS_READY)
3693 {
3694 msg(M_CLIENT, "ERROR: %s command failed", cmd);
3695 }
3696
3697 /* revert state */
3698 man->persist.standalone_disabled = standalone_disabled_save;
3699 man->persist.special_state_msg = NULL;
3701 *state = EKS_UNDEF;
3702
3703 gc_free(&gc);
3704 return ret;
3705}
3706
3707static char *
3708/* returns allocated base64 signature */
3710 const char *prompt, const char *cmd, int *state,
3711 struct buffer_list **input)
3712{
3713 int ok;
3714 char *result = NULL;
3715 struct buffer *buf;
3716
3717 ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3718 if (ok && buffer_list_defined(*input))
3719 {
3721 buf = buffer_list_peek(*input);
3722 if (buf && BLEN(buf) > 0)
3723 {
3724 result = (char *)malloc(BLEN(buf) + 1);
3726 memcpy(result, buf->data, BLEN(buf));
3727 result[BLEN(buf)] = '\0';
3728 }
3729 }
3730
3732 *input = NULL;
3733
3734 return result;
3735}
3736
3737static char *
3738/* returns allocated base64 signature */
3739management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt,
3740 const char *cmd, int *state, struct buffer_list **input)
3741{
3742 int ok;
3743 char *result = NULL;
3744 struct buffer *buf;
3745
3746 ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3747 if (ok && buffer_list_defined(*input))
3748 {
3750 buf = buffer_list_peek(*input);
3751 if (buf && BLEN(buf) > 0)
3752 {
3753 result = (char *)malloc(BLEN(buf) + 1);
3755 memcpy(result, buf->data, BLEN(buf));
3756 result[BLEN(buf)] = '\0';
3757 }
3758 }
3759
3761 *input = NULL;
3762
3763 return result;
3764}
3765
3766char *
3767/* returns allocated base64 signature */
3768management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
3769{
3770 const char *prompt = "PK_SIGN";
3771 const char *desc = "pk-sign";
3773
3774 if (man->connection.client_version <= 1)
3775 {
3776 prompt = "RSA_SIGN";
3777 desc = "rsa-sign";
3778 }
3779
3781 if (man->connection.client_version > 2)
3782 {
3783 buf_write(&buf_data, ",", (int)strlen(","));
3785 }
3786 char *ret = management_query_multiline_flatten(man, (char *)buf_bptr(&buf_data), prompt, desc,
3787 &man->connection.ext_key_state,
3788 &man->connection.ext_key_input);
3790 return ret;
3791}
3792
3793char *
3795{
3796 const char prompt_1[] = "NEED-CERTIFICATE:";
3797 struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20);
3799 buf_write(&buf_prompt, cert_name, strlen(cert_name) + 1); /* +1 for \0 */
3800
3801 char *result;
3803 management, NULL, (char *)buf_bptr(&buf_prompt), "certificate",
3804 &man->connection.ext_cert_state, &man->connection.ext_cert_input);
3806 return result;
3807}
3808
3809/*
3810 * Return true if management_hold() would block
3811 */
3812bool
3814{
3815 return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok(man);
3816}
3817
3818/*
3819 * If the hold flag is enabled, hibernate until a management client releases the hold.
3820 * Return true if the caller should not sleep for an additional time interval.
3821 */
3822bool
3824{
3826 {
3827 volatile int signal_received = 0;
3828 const bool standalone_disabled_save = man->persist.standalone_disabled;
3829 struct gc_arena gc = gc_new();
3830
3832 false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3833 man->persist.special_state_msg = NULL;
3835
3836 man_wait_for_client_connection(man, &signal_received, 0, MWCC_HOLD_WAIT);
3837
3838 if (!signal_received)
3839 {
3840 struct buffer out = alloc_buf_gc(128, &gc);
3841 buf_printf(&out, ">HOLD:Waiting for hold release:%d", holdtime);
3842 man->persist.special_state_msg = BSTR(&out);
3843 msg(M_CLIENT, "%s", man->persist.special_state_msg);
3844
3845 /* run command processing event loop until we get our username/password */
3846 do
3847 {
3848 man_standalone_event_loop(man, &signal_received, 0);
3849 if (!signal_received)
3850 {
3851 man_check_for_signals(&signal_received);
3852 }
3853 if (signal_received)
3854 {
3855 break;
3856 }
3857 } while (!man->persist.hold_release);
3858 }
3859
3860 /* revert state */
3861 man->persist.standalone_disabled = standalone_disabled_save;
3862 man->persist.special_state_msg = NULL;
3863 man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP;
3864
3865 gc_free(&gc);
3866 return true;
3867 }
3868 return false;
3869}
3870
3871/*
3872 * struct command_line
3873 */
3874
3875struct command_line *
3877{
3878 struct command_line *cl;
3879 ALLOC_OBJ_CLEAR(cl, struct command_line);
3880 cl->buf = alloc_buf(buf_len);
3881 cl->residual = alloc_buf(buf_len);
3882 return cl;
3883}
3884
3885void
3887{
3888 buf_clear(&cl->buf);
3889 buf_clear(&cl->residual);
3890}
3891
3892void
3894{
3895 if (!cl)
3896 {
3897 return;
3898 }
3900 free_buf(&cl->buf);
3901 free_buf(&cl->residual);
3902 free(cl);
3903}
3904
3905void
3906command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
3907{
3908 int i;
3909 for (i = 0; i < len; ++i)
3910 {
3911 if (buf[i] && char_class(buf[i], (CC_PRINT | CC_NEWLINE)))
3912 {
3913 if (!buf_write_u8(&cl->buf, buf[i]))
3914 {
3915 buf_clear(&cl->buf);
3916 }
3917 }
3918 }
3919}
3920
3921const char *
3923{
3924 int i;
3925 const char *ret = NULL;
3926
3927 i = buf_substring_len(&cl->buf, '\n');
3928 if (i >= 0)
3929 {
3930 buf_copy_excess(&cl->residual, &cl->buf, i);
3931 buf_chomp(&cl->buf);
3932 ret = BSTR(&cl->buf);
3933 }
3934 return ret;
3935}
3936
3937void
3939{
3940 buf_clear(&cl->buf);
3941 buf_copy(&cl->buf, &cl->residual);
3942 buf_clear(&cl->residual);
3943}
3944
3945/*
3946 * struct log_entry
3947 */
3948
3949const char *
3950log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
3951{
3952 struct buffer out = alloc_buf_gc(ERR_BUF_SIZE, gc);
3953 if (flags & LOG_FATAL_NOTIFY)
3954 {
3955 buf_printf(&out, ">FATAL:");
3956 }
3957 if (flags & LOG_PRINT_LOG_PREFIX)
3958 {
3959 buf_printf(&out, ">LOG:");
3960 }
3961 if (flags & LOG_PRINT_ECHO_PREFIX)
3962 {
3963 buf_printf(&out, ">ECHO:");
3964 }
3965 if (flags & LOG_PRINT_STATE_PREFIX)
3966 {
3967 buf_printf(&out, ">STATE:");
3968 }
3969 if (flags & LOG_PRINT_INT_DATE)
3970 {
3971 buf_printf(&out, "%u,", (unsigned int)e->timestamp);
3972 }
3973 if (flags & LOG_PRINT_MSG_FLAGS)
3974 {
3975 buf_printf(&out, "%s,", msg_flags_string(e->u.msg_flags, gc));
3976 }
3977 if (flags & LOG_PRINT_STATE)
3978 {
3979 buf_printf(&out, "%s,", man_state_name(e->u.state));
3980 }
3981 if (flags & LOG_PRINT_INTVAL)
3982 {
3983 buf_printf(&out, "%d,", e->u.intval);
3984 }
3985 if (e->string)
3986 {
3987 buf_printf(&out, "%s", e->string);
3988 }
3989 if (flags & LOG_PRINT_LOCAL_IP)
3990 {
3991 buf_printf(&out, ",%s", print_in_addr_t(e->local_ip, IA_EMPTY_IF_UNDEF, gc));
3992 }
3993 if (flags & LOG_PRINT_REMOTE_IP)
3994 {
3995 buf_printf(&out, ",%s",
3996 (!addr_defined(&e->remote_sock)
3997 ? ","
3998 : print_sockaddr_ex(&e->remote_sock.addr.sa, ",",
4000 buf_printf(&out, ",%s",
4001 (!addr_defined(&e->local_sock)
4002 ? ","
4003 : print_sockaddr_ex(&e->local_sock.addr.sa, ",",
4005 }
4006 if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6))
4007 {
4008 buf_printf(&out, ",%s", print_in6_addr(e->local_ip6, IA_EMPTY_IF_UNDEF, gc));
4009 }
4010 if (flags & LOG_ECHO_TO_LOG)
4011 {
4012 msg(D_MANAGEMENT, "MANAGEMENT: %s", BSTR(&out));
4013 }
4014 if (flags & LOG_PRINT_CRLF)
4015 {
4016 buf_printf(&out, "\r\n");
4017 }
4018 return BSTR(&out);
4019}
4020
4021static void
4023{
4024 /* Cast away constness of const char* */
4025 free((char *)e->string);
4026 CLEAR(*e);
4027}
4028
4029/*
4030 * struct log_history
4031 */
4032
4033static inline int
4034log_index(const struct log_history *h, int i)
4035{
4036 return modulo_add(h->base, i, h->capacity);
4037}
4038
4039static void
4041{
4042 CLEAR(*h);
4043 h->capacity = capacity;
4045}
4046
4047struct log_history *
4049{
4050 struct log_history *h;
4051 ASSERT(capacity > 0);
4052 ALLOC_OBJ(h, struct log_history);
4054 return h;
4055}
4056
4057static void
4059{
4060 int i;
4061 for (i = 0; i < h->size; ++i)
4062 {
4064 }
4065 free(h->array);
4066}
4067
4068void
4070{
4072 free(h);
4073}
4074
4075void
4076log_history_add(struct log_history *h, const struct log_entry *le)
4077{
4078 struct log_entry *e;
4079 ASSERT(h->size >= 0 && h->size <= h->capacity);
4080 if (h->size == h->capacity)
4081 {
4082 e = &h->array[h->base];
4084 h->base = log_index(h, 1);
4085 }
4086 else
4087 {
4088 e = &h->array[log_index(h, h->size)];
4089 ++h->size;
4090 }
4091
4092 *e = *le;
4093 e->string = string_alloc(le->string, NULL);
4094}
4095
4096void
4097log_history_resize(struct log_history *h, const int capacity)
4098{
4099 if (capacity != h->capacity)
4100 {
4101 struct log_history newlog;
4102 int i;
4103
4104 ASSERT(capacity > 0);
4106
4107 for (i = 0; i < h->size; ++i)
4108 {
4109 log_history_add(&newlog, &h->array[log_index(h, i)]);
4110 }
4111
4113 *h = newlog;
4114 }
4115}
4116
4117const struct log_entry *
4118log_history_ref(const struct log_history *h, const int index)
4119{
4120 if (index >= 0 && index < h->size)
4121 {
4122 return &h->array[log_index(h, (h->size - 1) - index)];
4123 }
4124 else
4125 {
4126 return NULL;
4127 }
4128}
4129
4130void
4132{
4133 if (n < 0)
4134 {
4135 return;
4136 }
4137 else if (management)
4138 {
4140 }
4141 else
4142 {
4143#ifdef _WIN32
4144 win32_sleep(n);
4145#else
4146 if (n > 0)
4147 {
4148 sleep(n);
4149 }
4150#endif
4151 }
4152}
4153
4154void
4155management_check_bytecount_client(struct context *c, struct management *man, struct timeval *timeval)
4156{
4157 if (man->persist.callback.flags & MCF_SERVER)
4158 {
4159 return;
4160 }
4161
4163 {
4164 if (dco_enabled(&c->options))
4165 {
4166 if (dco_get_peer_stats(c, true) < 0)
4167 {
4168 return;
4169 }
4170 }
4171
4174 }
4175}
4176
4177void
4179{
4181 {
4182 return;
4183 }
4184
4185 struct timeval null;
4186 CLEAR(null);
4188 {
4189 /* fetch counters from dco */
4190 if (dco_enabled(&multi->top.options))
4191 {
4192 if (dco_get_peer_stats_multi(&multi->top.c1.tuntap->dco, true) < 0)
4193 {
4194 return;
4195 }
4196 }
4197
4198 /* iterate over peers and report counters for each connected peer */
4199 struct hash_iterator hi;
4200 struct hash_element *he;
4201 hash_iterator_init(multi->hash, &hi);
4202 while ((he = hash_iterator_next(&hi)))
4203 {
4204 struct multi_instance *mi = (struct multi_instance *)he->value;
4205 struct context_2 *c2 = &mi->context.c2;
4206
4208 {
4210 }
4211 }
4212 hash_iterator_free(&hi);
4213 }
4214}
4215
4216/* context_2 stats are reset on reconnect. Since client expects stats
4217 * to be preserved across reconnects, we need to save context_2
4218 * stats before tearing the tunnel down.
4219 */
4220void
4222{
4225
4226 /* no need to raise SIGUSR1 on error since we are already closing the instance */
4227 if (dco_enabled(&c->options) && (dco_get_peer_stats(c, false) == 0))
4228 {
4229 man->persist.bytes_in += c->c2.dco_read_bytes;
4231 }
4232}
4233
4234#else /* ifdef ENABLE_MANAGEMENT */
4235
4236#include "win32.h"
4237void
4238management_sleep(const int n)
4239{
4240#ifdef _WIN32
4241 win32_sleep(n);
4242#else
4243 if (n > 0)
4244 {
4245 sleep(n);
4246 }
4247#endif /* ifdef _WIN32 */
4248}
4249
4250#endif /* ENABLE_MANAGEMENT */
bool buffer_list_defined(const struct buffer_list *ol)
Checks if the list is valid and non-empty.
Definition buffer.c:1168
void buffer_list_advance(struct buffer_list *ol, int n)
Definition buffer.c:1311
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition buffer.c:1243
void buf_clear(struct buffer *buf)
Definition buffer.c:163
void buffer_list_reset(struct buffer_list *ol)
Empty the list ol and frees all the contained buffers.
Definition buffer.c:1174
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition buffer.c:1288
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1149
void chomp(char *str)
Definition buffer.c:614
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1230
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1158
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
void buffer_list_push(struct buffer_list *ol, const char *str)
Allocates and appends a new buffer containing str as data to ol.
Definition buffer.c:1189
void buf_chomp(struct buffer *buf)
Definition buffer.c:554
bool char_class(const unsigned char c, const unsigned int flags)
Definition buffer.c:876
int buf_substring_len(const struct buffer *buf, int delim)
Definition buffer.c:803
static uint8_t * buf_bptr(const struct buffer *buf)
Definition buffer.h:240
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1037
#define BSTR(buf)
Definition buffer.h:128
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition buffer.h:222
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
#define BPTR(buf)
Definition buffer.h:123
#define ALLOC_ARRAY_CLEAR(dptr, type, n)
Definition buffer.h:1058
static bool buf_copy_excess(struct buffer *dest, struct buffer *src, int len)
Definition buffer.h:739
#define CC_NEWLINE
newline
Definition buffer.h:881
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
#define BLEN(buf)
Definition buffer.h:126
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define CC_PRINT
printable (>= 32, != 127)
Definition buffer.h:875
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
static struct gc_arena gc_new(void)
Definition buffer.h:1007
uint64_t counter_type
Definition common.h:29
#define counter_format
Definition common.h:30
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:371
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:377
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
#define D_MANAGEMENT_DEBUG
Definition errlevel.h:137
#define M_INFO
Definition errlevel.h:54
#define D_MANAGEMENT
Definition errlevel.h:87
#define D_LINK_ERRORS
Definition errlevel.h:56
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1167
#define EVENT_METHOD_FAST
Definition event.h:82
static void event_free(struct event_set *es)
Definition event.h:162
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:189
#define EVENT_WRITE
Definition event.h:39
#define EVENT_READ
Definition event.h:38
static void event_reset(struct event_set *es)
Definition event.h:171
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:183
void set_nonblock(socket_descriptor_t fd)
Definition fdmisc.c:68
counter_type link_write_bytes_global
Definition forward.c:50
counter_type link_read_bytes_global
Definition forward.c:49
void reset_coarse_timers(struct context *c)
Definition init.c:1315
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition integer.h:66
static int min_int(int x, int y)
Definition integer.h:105
static int modulo_add(int x, int y, int mod)
Definition integer.h:164
static SERVICE_STATUS status
Definition interactive.c:51
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:42
#define ETT_DEFAULT
Definition interval.h:222
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
void hash_iterator_free(struct hash_iterator *hi)
Definition list.c:272
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition list.c:278
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition list.c:236
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3097
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3106
void log_history_close(struct log_history *h)
Definition manage.c:4069
struct management * management
Definition manage.c:64
static void man_status(struct management *man, const int version, struct status_output *so)
Definition manage.c:494
static void man_up_finalize(struct management *man)
Definition manage.c:727
static bool man_io_error(struct management *man, const char *prefix)
Definition manage.c:2153
static void man_log(struct management *man, const char *parm)
Definition manage.c:706
static void man_reset_client_socket(struct management *man, const bool exiting)
Definition manage.c:2056
static void man_bytecount(struct management *man, const int update_seconds)
Definition manage.c:514
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3015
static void man_connect(struct management *man)
Definition manage.c:1990
#define MWCC_OTHER_WAIT
Definition manage.c:3413
static int man_write(struct management *man)
Definition manage.c:2403
void management_check_bytecount_server(struct multi_context *multi)
Definition manage.c:4178
static bool man_check_for_signals(volatile int *signal_received)
Definition manage.c:3297
static void man_bytecount_output_server(const counter_type bytes_in_total, const counter_type bytes_out_total, struct man_def_auth_context *mdac)
Definition manage.c:564
static void man_output_list_push(struct management *man, const char *str)
Definition manage.c:279
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition manage.c:3141
void command_line_free(struct command_line *cl)
Definition manage.c:3893
static int man_block(struct management *man, volatile int *signal_received, const time_t expire)
Definition manage.c:3314
static void man_certificate(struct management *man)
Definition manage.c:1221
void command_line_next(struct command_line *cl)
Definition manage.c:3938
static void man_net(struct management *man)
Definition manage.c:831
void management_clear_callback(struct management *man)
Definition manage.c:2769
static void man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size)
Definition manage.c:2459
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3794
static bool man_standalone_ok(const struct management *man)
Definition manage.c:3291
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3823
static void man_settings_init(struct man_settings *ms, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2517
static int log_index(const struct log_history *h, int i)
Definition manage.c:4034
static void man_connection_clear(struct man_connection *mc)
Definition manage.c:2446
#define AF_DID_RESET
static void man_start_ne32(struct management *man)
Definition manage.c:1744
static void man_connection_settings_reset(struct management *man)
Definition manage.c:1772
static void man_help(void)
Definition manage.c:72
static void man_update_io_state(struct management *man)
Definition manage.c:240
static void man_bytecount_stop(struct management *man)
Definition manage.c:507
static void man_check_password(struct management *man, const char *line)
Definition manage.c:210
static bool man_persist_state(unsigned int *persistent, const int n)
Definition manage.c:3125
static bool man_need(struct management *man, const char **p, const int n, unsigned int flags)
Checks if the correct number of arguments to a management command are present and otherwise prints an...
Definition manage.c:1263
static void man_connection_init(struct management *man)
Definition manage.c:2625
static bool env_filter_match(const char *env_str, const int env_filter_level)
Definition manage.c:2832
static void man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str, const char *extra, const char *timeout_str)
Will send a notification to the client that succesful authentication will require an additional step ...
Definition manage.c:1080
static void man_connection_close(struct management *man)
Definition manage.c:2670
static void man_query_password(struct management *man, const char *type, const char *string)
Definition manage.c:791
static void man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
Definition manage.c:1157
struct log_history * log_history_init(const int capacity)
Definition manage.c:4048
static void man_listen(struct management *man)
Definition manage.c:1914
static void man_stop_ne32(struct management *man)
Definition manage.c:1764
static void man_query_username(struct management *man, const char *type, const char *string)
Definition manage.c:782
static void man_push_update(struct management *man, const char **p, const push_update_type type)
Definition manage.c:1339
#define MWCC_PASSWORD_WAIT
Definition manage.c:3411
static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
Definition manage.c:1381
static void virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
Definition manage.c:346
static void man_signal(struct management *man, const char *name)
Definition manage.c:460
static void man_prompt(struct management *man)
Definition manage.c:286
static void man_state(struct management *man, const char *parm)
Definition manage.c:720
static void man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
Definition manage.c:1129
static void man_echo(struct management *man, const char *parm)
Definition manage.c:713
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3027
static char * management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3739
static void man_proxy(struct management *man, const char **p)
Definition manage.c:1280
struct command_line * command_line_new(const int buf_len)
Definition manage.c:3876
struct management * management_init(void)
Definition manage.c:2699
static void in_extra_reset(struct man_connection *mc, const int mode)
Definition manage.c:981
void command_line_reset(struct command_line *cl)
Definition manage.c:3886
static void man_query_need_str(struct management *man, const char *type, const char *action)
Definition manage.c:814
bool management_would_hold(struct management *man)
Definition manage.c:3813
static int man_read(struct management *man)
Definition manage.c:2309
static void man_history(struct management *man, const char *parm, const char *type, struct log_history *log, bool *realtime, const unsigned int lep_flags)
Definition manage.c:664
bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge)
Definition manage.c:3505
void command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
Definition manage.c:3906
static void man_bytecount_output_client(counter_type bytes_in_total, counter_type bytes_out_total)
Definition manage.c:552
void log_history_add(struct log_history *h, const struct log_entry *le)
Definition manage.c:4076
static void log_entry_free_contents(struct log_entry *e)
Definition manage.c:4022
static int man_mod_signal(const struct management *man, const int signum)
Definition manage.c:434
#define MN_AT_LEAST
Definition manage.c:1251
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3452
static void man_persist_close(struct man_persist *mp)
Definition manage.c:2495
static void man_kill(struct management *man, const char *victim)
Definition manage.c:576
void management_close(struct management *man)
Definition manage.c:2752
static void man_pk_sig(struct management *man, const char *cmd_name)
Definition manage.c:1205
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2778
static void man_output_list_push_finalize(struct management *man)
Definition manage.c:256
static void man_load_stats(struct management *man)
Definition manage.c:1237
static bool man_password_needed(struct management *man)
Definition manage.c:204
static void set_client_version(struct management *man, const char *version)
Definition manage.c:1330
const char * log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
Definition manage.c:3950
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3119
static void man_accept(struct management *man)
Definition manage.c:1874
static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
Definition manage.c:1112
static bool parse_cid(const char *str, unsigned long *cid)
Definition manage.c:1041
static void man_send_cc_message(struct management *man, const char *message, const char *parameters)
Definition manage.c:844
static void man_delete_unix_socket(struct management *man)
Definition manage.c:319
void management_io(struct management *man)
Definition manage.c:3179
static void man_wait_for_client_connection(struct management *man, volatile int *signal_received, const time_t expire, unsigned int flags)
Definition manage.c:3419
#define IER_NEW
Definition manage.c:978
static void man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
Definition manage.c:2935
#define AF_DID_PUSH
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2713
static void man_welcome(struct management *man)
Definition manage.c:193
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2929
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3005
static void man_query_need_ok(struct management *man, const char *type, const char *action)
Definition manage.c:805
static char * management_query_multiline_flatten_newline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3709
static void man_output_extra_env(struct management *man, const char *prefix)
Definition manage.c:2899
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4221
static void man_new_connection_post(struct management *man, const char *description)
Definition manage.c:1785
static void log_history_obj_init(struct log_history *h, int capacity)
Definition manage.c:4040
static void report_command_status(const bool status, const char *command)
Small function to report the success or failure of a command to the management interface.
Definition manage.c:306
#define IER_RESET
Definition manage.c:977
static void man_close_socket(struct management *man, const socket_descriptor_t sd)
Definition manage.c:330
static bool parse_uint(const char *str, const char *what, unsigned int *uint)
Definition manage.c:1055
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2762
void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2963
static void man_client_n_clients(struct management *man)
Definition manage.c:1183
static void man_output_standalone(struct management *man, volatile int *signal_received)
Definition manage.c:3373
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition manage.c:2985
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3040
static const char blank_up[]
Definition manage.c:62
static void man_remote_entry_get(struct management *man, const char *p1, const char *p2)
Definition manage.c:910
const struct log_entry * log_history_ref(const struct log_history *h, const int index)
Definition manage.c:4118
static void man_remote_entry_count(struct management *man)
Definition manage.c:894
static void man_settings_close(struct man_settings *ms)
Definition manage.c:2614
void management_check_bytecount_client(struct context *c, struct management *man, struct timeval *timeval)
Definition manage.c:4155
static void man_env_filter(struct management *man, const int level)
Definition manage.c:1197
#define MANAGEMENT_ECHO_FLAGS
Definition manage.c:58
static void man_output_list_push_str(struct management *man, const char *str)
Definition manage.c:270
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2913
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition manage.c:3768
static void man_remote(struct management *man, const char **p)
Definition manage.c:1294
static void man_forget_passwords(struct management *man)
Definition manage.c:823
static int man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
Definition manage.c:3396
static void man_process_command(struct management *man, const char *line)
Definition manage.c:2103
static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3631
static void man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
Definition manage.c:2878
const char * command_line_get(struct command_line *cl)
Definition manage.c:3922
static void log_history_free_contents(struct log_history *h)
Definition manage.c:4058
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4131
static const char * man_state_name(const int state)
Definition manage.c:144
void log_history_resize(struct log_history *h, const int capacity)
Definition manage.c:4097
static void in_extra_dispatch(struct management *man)
Definition manage.c:1004
static void man_command_unsupported(const char *command_name)
Definition manage.c:487
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition manage.c:2923
#define MWCC_HOLD_WAIT
Definition manage.c:3412
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3074
static void man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed, const char *prompt, char *dest, int len)
Definition manage.c:757
static void man_hold(struct management *man, const char *cmd)
Definition manage.c:947
#define MANSIG_MAP_USR1_TO_TERM
Definition manage.h:257
#define MS_LISTEN
Definition manage.h:270
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:451
#define UP_QUERY_USER_PASS
Definition manage.h:263
#define OPENVPN_STATE_INITIAL
Definition manage.h:448
#define MF_FORGET_DISCONNECT
Definition manage.h:31
#define UP_QUERY_DISABLED
Definition manage.h:262
#define LOG_FATAL_NOTIFY
Definition manage.h:127
#define MS_INITIAL
Definition manage.h:269
#define MANAGEMENT_STATE_BUFFER_SIZE
Definition manage.h:57
#define MANAGEMENT_VERSION
Definition manage.h:53
#define OPENVPN_STATE_CONNECTING
Definition manage.h:449
#define EKS_SOLICIT
Definition manage.h:304
#define MS_CC_WAIT_WRITE
Definition manage.h:272
#define LOG_PRINT_REMOTE_IP
Definition manage.h:131
#define LOG_PRINT_STATE_PREFIX
Definition manage.h:119
#define OPENVPN_STATE_RECONNECTING
Definition manage.h:453
#define LOG_PRINT_INT_DATE
Definition manage.h:121
#define DAF_INITIAL_AUTH
Definition manage.h:68
#define IEC_PK_SIGN
Definition manage.h:298
#define MANSIG_MAP_USR1_TO_HUP
Definition manage.h:256
#define LOG_PRINT_ECHO_PREFIX
Definition manage.h:118
#define LOG_PRINT_LOCAL_IP
Definition manage.h:124
#define MANAGEMENT_ECHO_BUFFER_SIZE
Definition manage.h:56
#define DAF_CONNECTION_CLOSED
Definition manage.h:67
#define MCF_SERVER
Definition manage.h:175
#define OPENVPN_STATE_CLIENT_BASE
Definition manage.h:465
#define MS_CC_WAIT_READ
Definition manage.h:271
#define LOG_PRINT_STATE
Definition manage.h:123
#define OPENVPN_STATE_CONNECTED
Definition manage.h:452
#define OPENVPN_STATE_RESOLVE
Definition manage.h:460
#define LOG_ECHO_TO_LOG
Definition manage.h:133
#define UP_QUERY_NEED_STR
Definition manage.h:266
#define OPENVPN_STATE_EXITING
Definition manage.h:454
static bool management_connected(const struct management *man)
Definition manage.h:413
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
Definition manage.h:55
#define OPENVPN_STATE_AUTH_PENDING
Definition manage.h:462
static int log_history_size(const struct log_history *h)
Definition manage.h:156
#define IEC_UNDEF
Definition manage.h:293
#define IEC_CERTIFICATE
Definition manage.h:297
#define MANSIG_IGNORE_USR1_HUP
Definition manage.h:255
#define OPENVPN_STATE_AUTH
Definition manage.h:458
#define EKS_READY
Definition manage.h:306
#define LOG_PRINT_LOG_PREFIX
Definition manage.h:117
#define OPENVPN_STATE_WAIT
Definition manage.h:457
#define LOG_PRINT_INTVAL
Definition manage.h:129
#define LOG_PRINT_CRLF
Definition manage.h:126
#define DAF_CONNECTION_ESTABLISHED
Definition manage.h:66
#define MF_SERVER
Definition manage.h:27
#define OPENVPN_STATE_ASSIGN_IP
Definition manage.h:450
#define MANAGEMENT_N_PASSWORD_RETRIES
Definition manage.h:54
#define MF_UP_DOWN
Definition manage.h:39
#define UP_QUERY_PASS
Definition manage.h:264
#define EKS_UNDEF
Definition manage.h:303
#define MF_HOLD
Definition manage.h:29
#define IEC_CLIENT_AUTH
Definition manage.h:294
#define MF_SIGNAL
Definition manage.h:30
#define UP_QUERY_NEED_OK
Definition manage.h:265
#define MF_UNIX_SOCK
Definition manage.h:35
#define OPENVPN_STATE_GET_CONFIG
Definition manage.h:459
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
#define OPENVPN_STATE_TCP_CONNECT
Definition manage.h:461
#define LOG_PRINT_MSG_FLAGS
Definition manage.h:122
#define EKS_INPUT
Definition manage.h:305
bool validate_peer_info_line(char *line)
Definition misc.c:713
#define USER_PASS_LEN
Definition misc.h:64
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:125
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:112
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:120
#define GET_USER_PASS_NEED_OK
Definition misc.h:113
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
#define GET_USER_PASS_NEED_STR
Definition misc.h:115
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition mroute.c:377
#define MAPF_SUBNET
Definition mroute.h:151
Header file for server-mode related structures and functions.
#define BOOL_CAST(x)
Definition basic.h:26
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
int get_debug_level(void)
Definition error.c:136
bool set_mute_cutoff(const int cutoff)
Definition error.c:122
const char * msg_flags_string(const unsigned int flags, struct gc_arena *gc)
Definition error.c:753
int get_mute_cutoff(void)
Definition error.c:142
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
#define M_CLIENT
Definition error.h:106
static void msg_set_virtual_output(const struct virtual_output *vo)
Definition error.h:356
#define ERR_BUF_SIZE
Definition error.h:34
#define M_FATAL
Definition error.h:88
static bool ignore_sys_error(const int err, bool crt_error)
Definition error.h:372
#define M_ERR
Definition error.h:104
#define msg(flags,...)
Definition error.h:150
static int openvpn_errno_maybe_crt(bool *crt_error)
Definition error.h:410
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
#define M_ERRNO
Definition error.h:93
bool auth_retry_set(const int msglevel, const char *option)
Definition options.c:4788
const char * auth_retry_print(void)
Definition options.c:4811
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:4968
const char title_string[]
Definition options.c:70
#define streq(x, y)
Definition options.h:727
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
#define MAX_PARMS
Definition options.h:51
time_t now
Definition otime.c:33
static void update_time(void)
Definition otime.h:76
unsigned int platform_getpid(void)
Definition platform.c:337
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:80
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:126
static int platform_state_user_uid(const struct platform_state_user *s)
Definition platform.h:97
static int platform_state_group_gid(const struct platform_state_group *s)
Definition platform.h:106
push_update_type
Definition push.h:47
@ UPT_BY_CID
Definition push.h:49
@ UPT_BROADCAST
Definition push.h:48
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition sig.c:204
const char * signal_name(const int sig, const bool upper)
Definition sig.c:91
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:175
int parse_signal(const char *signame)
Definition sig.c:64
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:109
void sd_close(socket_descriptor_t *sd)
Definition socket.c:2968
socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
Definition socket.c:776
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition socket.c:985
void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only)
Definition socket.c:935
socket_descriptor_t create_socket_tcp(struct addrinfo *addrinfo)
Definition socket.c:567
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:187
#define MSG_NOSIGNAL
Definition socket.h:242
#define openvpn_close_socket(s)
Definition socket.h:247
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
const char * print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:38
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
static const char * print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
Definition socket_util.h:77
#define GETADDR_MSG_VIRT_OUT
#define GETADDR_PASSIVE
#define GETADDR_FATAL
#define PS_SHOW_PORT
Definition socket_util.h:31
@ PROTO_NONE
@ PROTO_UDP
@ PROTO_TCP_SERVER
#define GETADDR_HOST_ORDER
static bool addr_defined(const struct openvpn_sockaddr *addr)
#define GETADDR_RESOLVE
#define PS_DONT_SHOW_FAMILY
Definition socket_util.h:34
#define GETADDR_WARN_ON_SIGNAL
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:382
bool ssl_clean_auth_token(void)
Definition ssl.c:371
Control Channel SSL/Data channel negotiation module.
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
bool status_close(struct status_output *so)
Definition status.c:179
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:61
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
struct buffer residual
Definition manage.h:80
struct buffer buf
Definition manage.h:79
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
Level 2 context containing state that is reset on both SIGHUP and SIGUSR1 restarts.
Definition openvpn.h:224
counter_type link_read_bytes
Definition openvpn.h:266
counter_type link_write_bytes
Definition openvpn.h:269
counter_type dco_read_bytes
Definition openvpn.h:267
struct man_def_auth_context mda_context
Definition openvpn.h:453
counter_type dco_write_bytes
Definition openvpn.h:270
Contains all state information for one tunnel.
Definition openvpn.h:474
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
char * string
Definition env_set.h:38
struct env_item * next
Definition env_set.h:39
struct env_item * list
Definition env_set.h:45
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
void * value
Definition list.h:44
Definition manage.h:107
struct in6_addr local_ip6
Definition manage.h:111
struct openvpn_sockaddr local_sock
Definition manage.h:112
struct openvpn_sockaddr remote_sock
Definition manage.h:113
time_t timestamp
Definition manage.h:108
const char * string
Definition manage.h:109
in_addr_t local_ip
Definition manage.h:110
union log_entry_union u
Definition manage.h:114
int capacity
Definition manage.h:141
struct log_entry * array
Definition manage.h:142
struct event_set * es
Definition manage.h:311
unsigned long in_extra_cid
Definition manage.h:301
const char * up_query_type
Definition manage.h:320
bool password_verified
Definition manage.h:287
int env_filter_level
Definition manage.h:312
struct user_pass up_query
Definition manage.h:322
socket_descriptor_t sd_top
Definition manage.h:278
struct buffer_list * ext_cert_input
Definition manage.h:310
struct command_line * in
Definition manage.h:290
unsigned int in_extra_kid
Definition manage.h:302
struct openvpn_sockaddr remote
Definition manage.h:280
socket_descriptor_t sd_cli
Definition manage.h:279
struct buffer_list * ext_key_input
Definition manage.h:308
int up_query_mode
Definition manage.h:321
int bytecount_update_seconds
Definition manage.h:317
int in_extra_cmd
Definition manage.h:299
struct buffer_list * in_extra
Definition manage.h:300
bool echo_realtime
Definition manage.h:316
bool state_realtime
Definition manage.h:314
struct event_timeout bytecount_update_interval
Definition manage.h:318
int ext_cert_state
Definition manage.h:309
struct buffer_list * out
Definition manage.h:291
int password_tries
Definition manage.h:288
int client_version
Definition manage.h:328
bool log_realtime
Definition manage.h:315
struct net_event_win32 ne32
Definition manage.h:283
int ext_key_state
Definition manage.h:307
unsigned long cid
Definition manage.h:64
unsigned int flags
Definition manage.h:69
counter_type bytes_in
Definition manage.h:234
struct log_history * state
Definition manage.h:228
struct management_callback callback
Definition manage.h:225
struct log_history * log
Definition manage.h:221
struct virtual_output vout
Definition manage.h:222
bool standalone_disabled
Definition manage.h:224
bool defined
Definition manage.h:219
bool hold_release
Definition manage.h:230
struct log_history * echo
Definition manage.h:227
const char * special_state_msg
Definition manage.h:232
counter_type bytes_out
Definition manage.h:235
bool management_over_tunnel
Definition manage.h:246
struct addrinfo * local
Definition manage.h:242
unsigned int flags
Definition manage.h:241
int echo_buffer_size
Definition manage.h:249
int client_uid
Definition manage.h:251
unsigned int mansig
Definition manage.h:258
int state_buffer_size
Definition manage.h:250
bool defined
Definition manage.h:240
int client_gid
Definition manage.h:252
int log_history_cache
Definition manage.h:248
struct user_pass up
Definition manage.h:247
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:191
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:186
void(* delete_event)(void *arg, event_t event)
Definition manage.h:182
bool(* push_update_broadcast)(void *arg, const char *options)
Definition manage.h:199
bool(* push_update_by_cid)(void *arg, unsigned long cid, const char *options)
Definition manage.h:200
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition manage.h:181
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:189
int(* n_clients)(void *arg)
Definition manage.h:183
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:198
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:197
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:184
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:192
unsigned int flags
Definition manage.h:176
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:193
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:180
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:185
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:179
struct man_persist persist
Definition manage.h:333
struct man_connection connection
Definition manage.h:335
struct man_settings settings
Definition manage.h:334
Main OpenVPN server state structure.
Definition multi.h:164
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:168
struct context top
Storage structure for process-wide configuration.
Definition multi.h:203
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
dco_context_t dco
Definition tun.h:249
bool defined
Definition misc.h:53
char password[USER_PASS_LEN]
Definition misc.h:68
bool nocache
Definition misc.h:57
char username[USER_PASS_LEN]
Definition misc.h:67
unsigned int flags_default
Definition status.h:34
void * arg
Definition status.h:33
void(* func)(void *arg, const unsigned int flags, const char *str)
Definition status.h:35
#define SOCKET_UNDEFINED
Definition syshead.h:438
SOCKET socket_descriptor_t
Definition syshead.h:440
#define sleep(x)
Definition syshead.h:42
static int socket_defined(const socket_descriptor_t sd)
Definition syshead.h:448
struct env_set * es
char ** res
struct gc_arena gc
Definition test_ssl.c:154
unsigned int msg_flags
Definition manage.h:101
int state
Definition manage.h:102
int intval
Definition manage.h:103
void net_event_win32_init(struct net_event_win32 *ne)
Definition win32.c:323
void net_event_win32_close(struct net_event_win32 *ne)
Definition win32.c:374
void net_event_win32_reset_write(struct net_event_win32 *ne)
Definition win32.c:339
void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd)
Definition win32.c:330
void win32_sleep(const int n)
Definition win32.c:1502
void net_event_win32_reset(struct net_event_win32 *ne)
Definition win32.c:357
void net_event_win32_stop(struct net_event_win32 *ne)
Definition win32.c:363
static long net_event_win32_get_event_mask(const struct net_event_win32 *ne)
Definition win32.h:141
static void net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_events)
Definition win32.h:147
static struct rw_handle * net_event_win32_get_event(struct net_event_win32 *ne)
Definition win32.h:135