OpenVPN
manage.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#ifdef ENABLE_MANAGEMENT
31
32#include "error.h"
33#include "fdmisc.h"
34#include "options.h"
35#include "sig.h"
36#include "event.h"
37#include "otime.h"
38#include "integer.h"
39#include "misc.h"
40#include "ssl.h"
41#include "common.h"
42#include "manage.h"
43#include "openvpn.h"
44#include "dco.h"
45
46#include "memdbg.h"
47
48#ifdef ENABLE_PKCS11
49#include "pkcs11.h"
50#endif
51
52#define MANAGEMENT_ECHO_PULL_INFO 0
53
54#if MANAGEMENT_ECHO_PULL_INFO
55#define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
56#else
57#define MANAGEMENT_ECHO_FLAGS 0
58#endif
59
60/* tag for blank username/password */
61static const char blank_up[] = "[[BLANK]]";
62
63struct management *management; /* GLOBAL */
64
65/* static forward declarations */
66static void man_output_standalone(struct management *man, volatile int *signal_received);
67
68static void man_reset_client_socket(struct management *man, const bool exiting);
69
70static void
72{
73 msg(M_CLIENT, "Management Interface for %s", title_string);
74 msg(M_CLIENT, "Commands:");
75 msg(M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
76 msg(M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
77 msg(M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
78 msg(M_CLIENT, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
79 msg(M_CLIENT, "exit|quit : Close management session.");
80 msg(M_CLIENT, "forget-passwords : Forget passwords entered so far.");
81 msg(M_CLIENT, "help : Print this message.");
82 msg(M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
83 msg(M_CLIENT, " release current hold and start tunnel.");
84 msg(M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
85 msg(M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
86 msg(M_CLIENT, "load-stats : Show global server load stats.");
87 msg(M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
88 msg(M_CLIENT, " + show last N lines or 'all' for entire history.");
89 msg(M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
90 msg(M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
91 msg(M_CLIENT, " where action = 'ok' or 'cancel'.");
92 msg(M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
93 msg(M_CLIENT, " where action is reply string.");
94 msg(M_CLIENT, "net : (Windows only) Show network info and routing table.");
95 msg(M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
96 msg(M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
97 msg(M_CLIENT, "remote-entry-count : Get number of available remote entries.");
98 msg(M_CLIENT, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all.");
99 msg(M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info.");
100 msg(M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
101#ifdef ENABLE_PKCS11
102 msg(M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
103 msg(M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
104#endif
105 msg(M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
106 msg(M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
107 msg(M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
108 msg(M_CLIENT, " text R and optional client reason text CR");
109 msg(M_CLIENT, "client-pending-auth CID KID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
110 msg(M_CLIENT, " to the client and wait for a final client-auth/client-deny");
111 msg(M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
112 msg(M_CLIENT, "env-filter [level] : Set env-var filter level");
113 msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
114 msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
115 msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
116 msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
117 msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
118 msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END");
119 msg(M_CLIENT, "signal s : Send signal s to daemon,");
120 msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
121 msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
122 msg(M_CLIENT, "status [n] : Show current daemon status info using format #n.");
123 msg(M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
124 msg(M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
125 msg(M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
126 msg(M_CLIENT, "version [n] : Set client's version to n or show current version of daemon.");
127 msg(M_CLIENT, "END");
128}
129
130static const char *
131man_state_name(const int state)
132{
133 switch (state)
134 {
136 return "INITIAL";
137
139 return "CONNECTING";
140
142 return "WAIT";
143
145 return "AUTH";
146
148 return "GET_CONFIG";
149
151 return "ASSIGN_IP";
152
154 return "ADD_ROUTES";
155
157 return "CONNECTED";
158
160 return "RECONNECTING";
161
163 return "EXITING";
164
166 return "RESOLVE";
167
169 return "TCP_CONNECT";
170
172 return "AUTH_PENDING";
173
174 default:
175 return "?";
176 }
177}
178
179static void
181{
182 msg(M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
184 if (man->persist.special_state_msg)
185 {
187 }
188}
189
190static inline bool
192{
193 return man->settings.up.defined && !man->connection.password_verified;
194}
195
196static void
197man_check_password(struct management *man, const char *line)
198{
199 if (man_password_needed(man))
200 {
201 /* This comparison is not fixed time but since strlen(time) is based on
202 * the attacker choice, it should not give any indication of the real
203 * password length, use + 1 to include the NUL byte that terminates the
204 * string*/
205 size_t compare_len = min_uint(strlen(line) + 1, sizeof(man->settings.up.password));
206 if (memcmp_constant_time(line, man->settings.up.password, compare_len) == 0)
207 {
208 man->connection.password_verified = true;
209 msg(M_CLIENT, "SUCCESS: password is correct");
210 man_welcome(man);
211 }
212 else
213 {
214 man->connection.password_verified = false;
215 msg(M_CLIENT, "ERROR: bad password");
217 {
218 msg(M_WARN, "MAN: client connection rejected after %d failed password attempts",
220 man->connection.halt = true;
221 }
222 }
223 }
224}
225
226static void
228{
230 {
232 {
234 }
235 else
236 {
238 }
239 }
240}
241
242static void
244{
245 if (management_connected(man))
246 {
249 {
250 volatile int signal_received = 0;
251 man_output_standalone(man, &signal_received);
252 }
253 }
254}
255
256static void
257man_output_list_push_str(struct management *man, const char *str)
258{
259 if (management_connected(man) && str)
260 {
262 }
263}
264
265static void
266man_output_list_push(struct management *man, const char *str)
267{
268 man_output_list_push_str(man, str);
270}
271
272static void
274{
275 if (man_password_needed(man))
276 {
277 man_output_list_push(man, "ENTER PASSWORD:");
278 }
279#if 0 /* should we use prompt? */
280 else
281 {
282 man_output_list_push(man, ">");
283 }
284#endif
285}
286
287
292static void
293report_command_status(const bool status, const char *command)
294{
295 if (status)
296 {
297 msg(M_CLIENT, "SUCCESS: %s command succeeded", command);
298 }
299 else
300 {
301 msg(M_CLIENT, "ERROR: %s command failed", command);
302 }
303}
304
305static void
307{
308#if UNIX_SOCK_SUPPORT
310 {
311 socket_delete_unix(&man->settings.local_unix);
312 }
313#endif
314}
315
316static void
318{
319#ifndef _WIN32
320 /*
321 * Windows doesn't need this because the ne32 event is permanently
322 * enabled at struct management scope.
323 */
325 {
327 }
328#endif
330}
331
332static void
333virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
334{
335 struct management *man = (struct management *) arg;
336 static int recursive_level = 0; /* GLOBAL */
337
338#define AF_DID_PUSH (1<<0)
339#define AF_DID_RESET (1<<1)
340 if (recursive_level < 5) /* limit recursion */
341 {
342 struct gc_arena gc = gc_new();
343 struct log_entry e;
344 const char *out = NULL;
345 unsigned int action_flags = 0;
346
347 ++recursive_level;
348
349 CLEAR(e);
350 update_time();
351 e.timestamp = now;
352 e.u.msg_flags = flags;
353 e.string = str;
354
355 if (flags & M_FATAL)
356 {
357 man->persist.standalone_disabled = false;
358 }
359
360 if (flags != M_CLIENT)
361 {
362 log_history_add(man->persist.log, &e);
363 }
364
365 if (!man_password_needed(man))
366 {
367 if (flags == M_CLIENT)
368 {
369 out = log_entry_print(&e, LOG_PRINT_CRLF, &gc);
370 }
371 else if (man->connection.log_realtime)
372 {
376 | LOG_PRINT_CRLF, &gc);
377 }
378 if (out)
379 {
380 man_output_list_push_str(man, out);
381 action_flags |= AF_DID_PUSH;
382 }
383 if (flags & M_FATAL)
384 {
386 if (out)
387 {
388 man_output_list_push_str(man, out);
389 action_flags |= (AF_DID_PUSH|AF_DID_RESET);
390 }
391 }
392 }
393
394 gc_free(&gc);
395
396 if (action_flags & AF_DID_PUSH)
397 {
399 }
400 if (action_flags & AF_DID_RESET)
401 {
402 man_reset_client_socket(man, true);
403 }
404
405 --recursive_level;
406 }
407 else
408 {
409 /* cannot use msg here */
410 printf("virtual_output: message to management interface "
411 "dropped due to recursion: <%s>\n", str);
412 }
413}
414
415/*
416 * Given a signal, return the signal with possible remapping applied,
417 * or -1 if the signal should be ignored.
418 */
419static int
420man_mod_signal(const struct management *man, const int signum)
421{
422 const unsigned int flags = man->settings.mansig;
423 int s = signum;
424 if (s == SIGUSR1)
425 {
426 if (flags & MANSIG_MAP_USR1_TO_HUP)
427 {
428 s = SIGHUP;
429 }
430 if (flags & MANSIG_MAP_USR1_TO_TERM)
431 {
432 s = SIGTERM;
433 }
434 }
435 if (flags & MANSIG_IGNORE_USR1_HUP)
436 {
437 if (s == SIGHUP || s == SIGUSR1)
438 {
439 s = -1;
440 }
441 }
442 return s;
443}
444
445static void
446man_signal(struct management *man, const char *name)
447{
448 const int sig = parse_signal(name);
449 if (sig >= 0)
450 {
451 const int sig_mod = man_mod_signal(man, sig);
452 if (sig_mod >= 0)
453 {
454 throw_signal(sig_mod);
455 msg(M_CLIENT, "SUCCESS: signal %s thrown", signal_name(sig_mod, true));
456 }
457 else
458 {
459 msg(M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
460 if (man->persist.special_state_msg)
461 {
463 }
464 }
465 }
466 else
467 {
468 msg(M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
469 }
470}
471
472static void
473man_command_unsupported(const char *command_name)
474{
475 msg(M_CLIENT, "ERROR: The '%s' command is not supported by the current daemon mode", command_name);
476}
477
478static void
479man_status(struct management *man, const int version, struct status_output *so)
480{
481 if (man->persist.callback.status)
482 {
483 (*man->persist.callback.status)(man->persist.callback.arg, version, so);
484 }
485 else
486 {
487 man_command_unsupported("status");
488 }
489}
490
491static void
492man_bytecount(struct management *man, const int update_seconds)
493{
494 if (update_seconds > 0)
495 {
496 man->connection.bytecount_update_seconds = update_seconds;
499 now);
500 }
501 else
502 {
505 }
506 msg(M_CLIENT, "SUCCESS: bytecount interval changed");
507}
508
509static void
511 counter_type dco_read_bytes,
512 counter_type dco_write_bytes)
513{
514 char in[32];
515 char out[32];
516
517 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
518 snprintf(in, sizeof(in), counter_format, man->persist.bytes_in + dco_read_bytes);
519 snprintf(out, sizeof(out), counter_format, man->persist.bytes_out + dco_write_bytes);
520 msg(M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
521}
522
523void
525 const counter_type *bytes_out_total,
526 struct man_def_auth_context *mdac)
527{
528 char in[32];
529 char out[32];
530 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
531 snprintf(in, sizeof(in), counter_format, *bytes_in_total);
532 snprintf(out, sizeof(out), counter_format, *bytes_out_total);
533 msg(M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
535}
536
537static void
538man_kill(struct management *man, const char *victim)
539{
540 struct gc_arena gc = gc_new();
541
543 {
544 struct buffer buf;
545 char p1[128];
546 char p2[128];
547 char p3[128];
548 int n_killed;
549
550 buf_set_read(&buf, (uint8_t *) victim, strlen(victim) + 1);
551 buf_parse(&buf, ':', p1, sizeof(p1));
552 buf_parse(&buf, ':', p2, sizeof(p2));
553 buf_parse(&buf, ':', p3, sizeof(p3));
554
555 if (strlen(p1) && strlen(p2) && strlen(p3))
556 {
557 /* IP:port specified */
558 bool status;
560 if (status)
561 {
562 const int port = atoi(p3);
563 const int proto = (streq(p1, "tcp")) ? PROTO_TCP_SERVER :
564 (streq(p1, "udp")) ? PROTO_UDP : PROTO_NONE;
565
566 if ((port > 0 && port < 65536) && (proto != PROTO_NONE))
567 {
568 n_killed = (*man->persist.callback.kill_by_addr)(man->persist.callback.arg, addr, port, proto);
569 if (n_killed > 0)
570 {
571 msg(M_CLIENT, "SUCCESS: %d client(s) at address %s:%s:%d killed",
572 n_killed,
573 proto2ascii(proto, AF_UNSPEC, false),
574 print_in_addr_t(addr, 0, &gc),
575 port);
576 }
577 else
578 {
579 msg(M_CLIENT, "ERROR: client at address %s:%s:%d not found",
580 proto2ascii(proto, AF_UNSPEC, false),
581 print_in_addr_t(addr, 0, &gc),
582 port);
583 }
584 }
585 else
586 {
587 msg(M_CLIENT, "ERROR: port number or protocol out of range: %s %s", p3, p1);
588 }
589 }
590 else
591 {
592 msg(M_CLIENT, "ERROR: error parsing IP address: %s", p2);
593 }
594 }
595 else if (strlen(p1))
596 {
597 /* common name specified */
598 n_killed = (*man->persist.callback.kill_by_cn)(man->persist.callback.arg, p1);
599 if (n_killed > 0)
600 {
601 msg(M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
602 }
603 else
604 {
605 msg(M_CLIENT, "ERROR: common name '%s' not found", p1);
606 }
607 }
608 else
609 {
610 msg(M_CLIENT, "ERROR: kill parse");
611 }
612 }
613 else
614 {
616 }
617
618 gc_free(&gc);
619}
620
621/*
622 * General-purpose history command handler
623 * for the log and echo commands.
624 */
625static void
627 const char *parm,
628 const char *type,
629 struct log_history *log,
630 bool *realtime,
631 const unsigned int lep_flags)
632{
633 struct gc_arena gc = gc_new();
634 int n = 0;
635
636 if (streq(parm, "on"))
637 {
638 *realtime = true;
639 msg(M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
640 }
641 else if (streq(parm, "off"))
642 {
643 *realtime = false;
644 msg(M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
645 }
646 else if (streq(parm, "all") || (n = atoi(parm)) > 0)
647 {
648 const int size = log_history_size(log);
649 const int start = (n ? n : size) - 1;
650 int i;
651
652 for (i = start; i >= 0; --i)
653 {
654 const struct log_entry *e = log_history_ref(log, i);
655 if (e)
656 {
657 const char *out = log_entry_print(e, lep_flags, &gc);
659 }
660 }
661 msg(M_CLIENT, "END");
662 }
663 else
664 {
665 msg(M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
666 }
667
668 gc_free(&gc);
669}
670
671static void
672man_log(struct management *man, const char *parm)
673{
674 man_history(man,
675 parm,
676 "log",
677 man->persist.log,
680}
681
682static void
683man_echo(struct management *man, const char *parm)
684{
685 man_history(man,
686 parm,
687 "echo",
688 man->persist.echo,
691}
692
693static void
694man_state(struct management *man, const char *parm)
695{
696 man_history(man,
697 parm,
698 "state",
699 man->persist.state,
703}
704
705static void
707{
708 switch (man->connection.up_query_mode)
709 {
711 if (!strlen(man->connection.up_query.username))
712 {
713 break;
714 }
715
716 /* fall through */
717 case UP_QUERY_PASS:
718 case UP_QUERY_NEED_OK:
720 if (strlen(man->connection.up_query.password))
721 {
722 man->connection.up_query.defined = true;
723 }
724 break;
725
727 man->connection.up_query.defined = false;
728 break;
729
730 default:
731 ASSERT(0);
732 }
733}
734
735static void
737 const char *type,
738 const char *string,
739 const bool needed,
740 const char *prompt,
741 char *dest,
742 int len)
743{
744 if (needed)
745 {
747 if (streq(man->connection.up_query_type, type))
748 {
749 strncpynt(dest, string, len);
750 man_up_finalize(man);
751 msg(M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
752 type,
753 prompt);
754 }
755 else
756 {
757 msg(M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
758 prompt,
759 type,
761 }
762 }
763 else
764 {
765 msg(M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
766 }
767}
768
769static void
770man_query_username(struct management *man, const char *type, const char *string)
771{
772 const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
773 ) && man->connection.up_query_type);
774 man_query_user_pass(man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
775}
776
777static void
778man_query_password(struct management *man, const char *type, const char *string)
779{
780 const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
782 ) && man->connection.up_query_type);
783 if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
784 {
785 string = blank_up;
786 }
787 man_query_user_pass(man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
788}
789
790static void
791man_query_need_ok(struct management *man, const char *type, const char *action)
792{
793 const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
794 man_query_user_pass(man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
795}
796
797static void
798man_query_need_str(struct management *man, const char *type, const char *action)
799{
800 const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
801 man_query_user_pass(man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
802}
803
804static void
806{
807 ssl_purge_auth(false);
808 (void)ssl_clean_auth_token();
809 msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
810}
811
812static void
813man_net(struct management *man)
814{
815 if (man->persist.callback.show_net)
816 {
818 }
819 else
820 {
822 }
823}
824
825static void
826man_send_cc_message(struct management *man, const char *message, const char *parameters)
827{
829 {
830 const bool status = (*man->persist.callback.send_cc_message)
831 (man->persist.callback.arg, message, parameters);
832 if (status)
833 {
834 msg(M_CLIENT, "SUCCESS: command succeeded");
835 }
836 else
837 {
838 msg(M_CLIENT, "ERROR: command failed");
839 }
840 }
841 else
842 {
843 man_command_unsupported("cr-repsonse");
844 }
845}
846#ifdef ENABLE_PKCS11
847
848static void
849man_pkcs11_id_count(struct management *man)
850{
851 msg(M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count());
852}
853
854static void
855man_pkcs11_id_get(struct management *man, const int index)
856{
857 char *id = NULL;
858 char *base64 = NULL;
859
860 if (pkcs11_management_id_get(index, &id, &base64))
861 {
862 msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
863 }
864 else
865 {
866 msg(M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
867 }
868
869 free(id);
870 free(base64);
871}
872
873#endif /* ifdef ENABLE_PKCS11 */
874
875static void
877{
878 unsigned count = 0;
880 {
882 msg(M_CLIENT, "%u", count);
883 msg(M_CLIENT, "END");
884 }
885 else
886 {
887 man_command_unsupported("remote-entry-count");
888 }
889}
890
891static void
892man_remote_entry_get(struct management *man, const char *p1, const char *p2)
893{
894 ASSERT(p1);
895
898 {
899 unsigned int count = (*man->persist.callback.remote_entry_count)(man->persist.callback.arg);
900
901 unsigned int from = (unsigned int) atoi(p1);
902 unsigned int to = p2 ? (unsigned int) atoi(p2) : from + 1;
903
904 if (!strcmp(p1, "all"))
905 {
906 from = 0;
907 to = count;
908 }
909
910 for (unsigned int i = from; i < min_uint(to, count); i++)
911 {
912 char *remote = NULL;
913 bool res = (*man->persist.callback.remote_entry_get)(man->persist.callback.arg, i, &remote);
914 if (res && remote)
915 {
916 msg(M_CLIENT, "%u,%s", i, remote);
917 }
918 free(remote);
919 }
920 msg(M_CLIENT, "END");
921 }
922 else
923 {
924 man_command_unsupported("remote-entry-get");
925 }
926}
927
928static void
929man_hold(struct management *man, const char *cmd)
930{
931 if (cmd)
932 {
933 if (streq(cmd, "on"))
934 {
935 man->settings.flags |= MF_HOLD;
936 msg(M_CLIENT, "SUCCESS: hold flag set to ON");
937 }
938 else if (streq(cmd, "off"))
939 {
940 man->settings.flags &= ~MF_HOLD;
941 msg(M_CLIENT, "SUCCESS: hold flag set to OFF");
942 }
943 else if (streq(cmd, "release"))
944 {
945 man->persist.hold_release = true;
946 msg(M_CLIENT, "SUCCESS: hold release succeeded");
947 }
948 else
949 {
950 msg(M_CLIENT, "ERROR: bad hold command parameter");
951 }
952 }
953 else
954 {
955 msg(M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
956 }
957}
958
959#define IER_RESET 0
960#define IER_NEW 1
961
962static void
963in_extra_reset(struct man_connection *mc, const int mode)
964{
965 if (mc)
966 {
967 if (mode != IER_NEW)
968 {
970 mc->in_extra_cid = 0;
971 mc->in_extra_kid = 0;
972 }
973 if (mc->in_extra)
974 {
976 mc->in_extra = NULL;
977 }
978 if (mode == IER_NEW)
979 {
981 }
982 }
983}
984
985static void
987{
988 switch (man->connection.in_extra_cmd)
989 {
990 case IEC_CLIENT_AUTH:
992 {
993 const bool status = (*man->persist.callback.client_auth)
994 (man->persist.callback.arg,
997 true,
998 NULL,
999 NULL,
1000 man->connection.in_extra);
1001 man->connection.in_extra = NULL;
1002 report_command_status(status, "client-auth");
1003 }
1004 else
1005 {
1006 man_command_unsupported("client-auth");
1007 }
1008 break;
1009
1010 case IEC_PK_SIGN:
1014 man->connection.in_extra = NULL;
1015 return;
1016
1017 case IEC_CERTIFICATE:
1021 man->connection.in_extra = NULL;
1022 return;
1023 }
1025}
1026
1027static bool
1028parse_cid(const char *str, unsigned long *cid)
1029{
1030 if (sscanf(str, "%lu", cid) == 1)
1031 {
1032 return true;
1033 }
1034 else
1035 {
1036 msg(M_CLIENT, "ERROR: cannot parse CID");
1037 return false;
1038 }
1039}
1040
1041static bool
1042parse_uint(const char *str, const char *what, unsigned int *uint)
1043{
1044 if (sscanf(str, "%u", uint) == 1)
1045 {
1046 return true;
1047 }
1048 else
1049 {
1050 msg(M_CLIENT, "ERROR: cannot parse %s", what);
1051 return false;
1052 }
1053}
1054
1066static void
1067man_client_pending_auth(struct management *man, const char *cid_str,
1068 const char *kid_str, const char *extra,
1069 const char *timeout_str)
1070{
1071 unsigned long cid = 0;
1072 unsigned int kid = 0;
1073 unsigned int timeout = 0;
1074 if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid)
1075 && parse_uint(timeout_str, "TIMEOUT", &timeout))
1076 {
1078 {
1079 bool ret = (*man->persist.callback.client_pending_auth)
1080 (man->persist.callback.arg, cid, kid, extra, timeout);
1081
1082 if (ret)
1083 {
1084 msg(M_CLIENT, "SUCCESS: client-pending-auth command succeeded");
1085 }
1086 else
1087 {
1088 msg(M_CLIENT, "ERROR: client-pending-auth command failed."
1089 " Extra parameter might be too long");
1090 }
1091 }
1092 else
1093 {
1094 man_command_unsupported("client-pending-auth");
1095 }
1096 }
1097}
1098
1099static void
1100man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
1101{
1102 struct man_connection *mc = &man->connection;
1103 mc->in_extra_cid = 0;
1104 mc->in_extra_kid = 0;
1105 if (parse_cid(cid_str, &mc->in_extra_cid)
1106 && parse_uint(kid_str, "KID", &mc->in_extra_kid))
1107 {
1110 if (!extra)
1111 {
1112 in_extra_dispatch(man);
1113 }
1114 }
1115}
1116
1117static void
1118man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
1119{
1120 unsigned long cid = 0;
1121 unsigned int kid = 0;
1122 if (parse_cid(cid_str, &cid) && parse_uint(kid_str, "KID", &kid))
1123 {
1124 if (man->persist.callback.client_auth)
1125 {
1126 const bool status = (*man->persist.callback.client_auth)
1127 (man->persist.callback.arg,
1128 cid,
1129 kid,
1130 false,
1131 reason,
1132 client_reason,
1133 NULL);
1134 if (status)
1135 {
1136 msg(M_CLIENT, "SUCCESS: client-deny command succeeded");
1137 }
1138 else
1139 {
1140 msg(M_CLIENT, "ERROR: client-deny command failed");
1141 }
1142 }
1143 else
1144 {
1145 man_command_unsupported("client-deny");
1146 }
1147 }
1148}
1149
1150static void
1151man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
1152{
1153 unsigned long cid = 0;
1154 if (parse_cid(cid_str, &cid))
1155 {
1156 if (man->persist.callback.kill_by_cid)
1157 {
1158 const bool status = (*man->persist.callback.kill_by_cid)(man->persist.callback.arg, cid, kill_msg);
1159 if (status)
1160 {
1161 msg(M_CLIENT, "SUCCESS: client-kill command succeeded");
1162 }
1163 else
1164 {
1165 msg(M_CLIENT, "ERROR: client-kill command failed");
1166 }
1167 }
1168 else
1169 {
1170 man_command_unsupported("client-kill");
1171 }
1172 }
1173}
1174
1175static void
1177{
1178 if (man->persist.callback.n_clients)
1179 {
1180 const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1181 msg(M_CLIENT, "SUCCESS: nclients=%d", nclients);
1182 }
1183 else
1184 {
1185 man_command_unsupported("nclients");
1186 }
1187}
1188
1189static void
1190man_env_filter(struct management *man, const int level)
1191{
1192 man->connection.env_filter_level = level;
1193 msg(M_CLIENT, "SUCCESS: env_filter_level=%d", level);
1194}
1195
1196
1197static void
1198man_pk_sig(struct management *man, const char *cmd_name)
1199{
1200 struct man_connection *mc = &man->connection;
1201 if (mc->ext_key_state == EKS_SOLICIT)
1202 {
1206 }
1207 else
1208 {
1209 msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name);
1210 }
1211}
1212
1213static void
1215{
1216 struct man_connection *mc = &man->connection;
1217 if (mc->ext_cert_state == EKS_SOLICIT)
1218 {
1222 }
1223 else
1224 {
1225 msg(M_CLIENT, "ERROR: The certificate command is not currently available");
1226 }
1227}
1228
1229static void
1231{
1234 int nclients = 0;
1235
1236 if (man->persist.callback.n_clients)
1237 {
1238 nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
1239 }
1240 msg(M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
1241 nclients,
1244}
1245
1246#define MN_AT_LEAST (1<<0)
1257static bool
1258man_need(struct management *man, const char **p, const int n, unsigned int flags)
1259{
1260 int i;
1261 ASSERT(p[0]);
1262 for (i = 1; i <= n; ++i)
1263 {
1264 if (!p[i])
1265 {
1266 msg(M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
1267 p[0],
1268 (flags & MN_AT_LEAST) ? "at least " : "",
1269 n,
1270 n > 1 ? "s" : "");
1271 return false;
1272 }
1273 }
1274 return true;
1275}
1276
1277static void
1278man_proxy(struct management *man, const char **p)
1279{
1280 if (man->persist.callback.proxy_cmd)
1281 {
1282 const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p);
1283 report_command_status(status, "proxy");
1284 }
1285 else
1286 {
1287 man_command_unsupported("proxy");
1288 }
1289}
1290
1291static void
1292man_remote(struct management *man, const char **p)
1293{
1294 if (man->persist.callback.remote_cmd)
1295 {
1296 const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
1297 report_command_status(status, "remote");
1298 }
1299 else
1300 {
1301 man_command_unsupported("remote");
1302 }
1303}
1304
1305#ifdef TARGET_ANDROID
1306static void
1307man_network_change(struct management *man, bool samenetwork)
1308{
1309 /* Called to signal the OpenVPN that the network configuration has changed and
1310 * the client should either float or reconnect.
1311 *
1312 * The code is currently only used by ics-openvpn
1313 */
1314 if (man->persist.callback.network_change)
1315 {
1316 int fd = (*man->persist.callback.network_change)
1317 (man->persist.callback.arg, samenetwork);
1318 man->connection.fdtosend = fd;
1319 msg(M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd);
1320 if (fd == -2)
1321 {
1322 man_signal(man, "SIGUSR1");
1323 }
1324 }
1325}
1326#endif
1327
1328static void
1329set_client_version(struct management *man, const char *version)
1330{
1331 if (version)
1332 {
1333 man->connection.client_version = atoi(version);
1334 }
1335}
1336
1337static void
1338man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
1339{
1340 struct gc_arena gc = gc_new();
1341
1342 ASSERT(p[0]);
1343 if (streq(p[0], "exit") || streq(p[0], "quit"))
1344 {
1345 man->connection.halt = true;
1346 goto done;
1347 }
1348 else if (streq(p[0], "help"))
1349 {
1350 man_help();
1351 }
1352 else if (streq(p[0], "version") && p[1])
1353 {
1354 set_client_version(man, p[1]);
1355 }
1356 else if (streq(p[0], "version"))
1357 {
1358 msg(M_CLIENT, "OpenVPN Version: %s", title_string);
1359 msg(M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1360 msg(M_CLIENT, "END");
1361 }
1362 else if (streq(p[0], "pid"))
1363 {
1364 msg(M_CLIENT, "SUCCESS: pid=%d", platform_getpid());
1365 }
1366 else if (streq(p[0], "nclients"))
1367 {
1369 }
1370 else if (streq(p[0], "env-filter"))
1371 {
1372 int level = 0;
1373 if (p[1])
1374 {
1375 level = atoi(p[1]);
1376 }
1377 man_env_filter(man, level);
1378 }
1379 else if (streq(p[0], "signal"))
1380 {
1381 if (man_need(man, p, 1, 0))
1382 {
1383 man_signal(man, p[1]);
1384 }
1385 }
1386#ifdef TARGET_ANDROID
1387 else if (streq(p[0], "network-change"))
1388 {
1389 bool samenetwork = false;
1390 if (p[1] && streq(p[1], "samenetwork"))
1391 {
1392 samenetwork = true;
1393 }
1394
1395 man_network_change(man, samenetwork);
1396 }
1397#endif
1398 else if (streq(p[0], "load-stats"))
1399 {
1400 man_load_stats(man);
1401 }
1402 else if (streq(p[0], "status"))
1403 {
1404 int version = 0;
1405 if (p[1])
1406 {
1407 version = atoi(p[1]);
1408 }
1409 man_status(man, version, so);
1410 }
1411 else if (streq(p[0], "kill"))
1412 {
1413 if (man_need(man, p, 1, 0))
1414 {
1415 man_kill(man, p[1]);
1416 }
1417 }
1418 else if (streq(p[0], "verb"))
1419 {
1420 if (p[1])
1421 {
1422 const int level = atoi(p[1]);
1423 if (set_debug_level(level, 0))
1424 {
1425 msg(M_CLIENT, "SUCCESS: verb level changed");
1426 }
1427 else
1428 {
1429 msg(M_CLIENT, "ERROR: verb level is out of range");
1430 }
1431 }
1432 else
1433 {
1434 msg(M_CLIENT, "SUCCESS: verb=%d", get_debug_level());
1435 }
1436 }
1437 else if (streq(p[0], "mute"))
1438 {
1439 if (p[1])
1440 {
1441 const int level = atoi(p[1]);
1442 if (set_mute_cutoff(level))
1443 {
1444 msg(M_CLIENT, "SUCCESS: mute level changed");
1445 }
1446 else
1447 {
1448 msg(M_CLIENT, "ERROR: mute level is out of range");
1449 }
1450 }
1451 else
1452 {
1453 msg(M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff());
1454 }
1455 }
1456 else if (streq(p[0], "auth-retry"))
1457 {
1458 if (p[1])
1459 {
1460 if (auth_retry_set(M_CLIENT, p[1]))
1461 {
1462 msg(M_CLIENT, "SUCCESS: auth-retry parameter changed");
1463 }
1464 else
1465 {
1466 msg(M_CLIENT, "ERROR: bad auth-retry parameter");
1467 }
1468 }
1469 else
1470 {
1471 msg(M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print());
1472 }
1473 }
1474 else if (streq(p[0], "state"))
1475 {
1476 if (!p[1])
1477 {
1478 man_state(man, "1");
1479 }
1480 else
1481 {
1482 if (p[1])
1483 {
1484 man_state(man, p[1]);
1485 }
1486 if (p[2])
1487 {
1488 man_state(man, p[2]);
1489 }
1490 }
1491 }
1492 else if (streq(p[0], "log"))
1493 {
1494 if (man_need(man, p, 1, MN_AT_LEAST))
1495 {
1496 if (p[1])
1497 {
1498 man_log(man, p[1]);
1499 }
1500 if (p[2])
1501 {
1502 man_log(man, p[2]);
1503 }
1504 }
1505 }
1506 else if (streq(p[0], "echo"))
1507 {
1508 if (man_need(man, p, 1, MN_AT_LEAST))
1509 {
1510 if (p[1])
1511 {
1512 man_echo(man, p[1]);
1513 }
1514 if (p[2])
1515 {
1516 man_echo(man, p[2]);
1517 }
1518 }
1519 }
1520 else if (streq(p[0], "username"))
1521 {
1522 if (man_need(man, p, 2, 0))
1523 {
1524 man_query_username(man, p[1], p[2]);
1525 }
1526 }
1527 else if (streq(p[0], "password"))
1528 {
1529 if (man_need(man, p, 2, 0))
1530 {
1531 man_query_password(man, p[1], p[2]);
1532 }
1533 }
1534 else if (streq(p[0], "forget-passwords"))
1535 {
1537 }
1538 else if (streq(p[0], "needok"))
1539 {
1540 if (man_need(man, p, 2, 0))
1541 {
1542 man_query_need_ok(man, p[1], p[2]);
1543 }
1544 }
1545 else if (streq(p[0], "needstr"))
1546 {
1547 if (man_need(man, p, 2, 0))
1548 {
1549 man_query_need_str(man, p[1], p[2]);
1550 }
1551 }
1552 else if (streq(p[0], "cr-response"))
1553 {
1554 if (man_need(man, p, 1, 0))
1555 {
1556 man_send_cc_message(man, "CR_RESPONSE", p[1]);
1557 }
1558 }
1559 else if (streq(p[0], "net"))
1560 {
1561 man_net(man);
1562 }
1563 else if (streq(p[0], "hold"))
1564 {
1565 man_hold(man, p[1]);
1566 }
1567 else if (streq(p[0], "bytecount"))
1568 {
1569 if (man_need(man, p, 1, 0))
1570 {
1571 man_bytecount(man, atoi(p[1]));
1572 }
1573 }
1574 else if (streq(p[0], "client-kill"))
1575 {
1576 if (man_need(man, p, 1, MN_AT_LEAST))
1577 {
1578 man_client_kill(man, p[1], p[2]);
1579 }
1580 }
1581 else if (streq(p[0], "client-deny"))
1582 {
1583 if (man_need(man, p, 3, MN_AT_LEAST))
1584 {
1585 man_client_deny(man, p[1], p[2], p[3], p[4]);
1586 }
1587 }
1588 else if (streq(p[0], "client-auth-nt"))
1589 {
1590 if (man_need(man, p, 2, 0))
1591 {
1592 man_client_auth(man, p[1], p[2], false);
1593 }
1594 }
1595 else if (streq(p[0], "client-auth"))
1596 {
1597 if (man_need(man, p, 2, 0))
1598 {
1599 man_client_auth(man, p[1], p[2], true);
1600 }
1601 }
1602 else if (streq(p[0], "client-pending-auth"))
1603 {
1604 if (man_need(man, p, 4, 0))
1605 {
1606 man_client_pending_auth(man, p[1], p[2], p[3], p[4]);
1607 }
1608 }
1609 else if (streq(p[0], "rsa-sig"))
1610 {
1611 man_pk_sig(man, "rsa-sig");
1612 }
1613 else if (streq(p[0], "pk-sig"))
1614 {
1615 man_pk_sig(man, "pk-sig");
1616 }
1617 else if (streq(p[0], "certificate"))
1618 {
1619 man_certificate(man);
1620 }
1621#ifdef ENABLE_PKCS11
1622 else if (streq(p[0], "pkcs11-id-count"))
1623 {
1624 man_pkcs11_id_count(man);
1625 }
1626 else if (streq(p[0], "pkcs11-id-get"))
1627 {
1628 if (man_need(man, p, 1, 0))
1629 {
1630 man_pkcs11_id_get(man, atoi(p[1]));
1631 }
1632 }
1633#endif
1634 else if (streq(p[0], "remote-entry-count"))
1635 {
1637 }
1638 else if (streq(p[0], "remote-entry-get"))
1639 {
1640 if (man_need(man, p, 1, MN_AT_LEAST))
1641 {
1642 man_remote_entry_get(man, p[1], p[2]);
1643 }
1644 }
1645 else if (streq(p[0], "proxy"))
1646 {
1647 if (man_need(man, p, 1, MN_AT_LEAST))
1648 {
1649 man_proxy(man, p);
1650 }
1651 }
1652 else if (streq(p[0], "remote"))
1653 {
1654 if (man_need(man, p, 1, MN_AT_LEAST))
1655 {
1656 man_remote(man, p);
1657 }
1658 }
1659#if 1
1660 else if (streq(p[0], "test"))
1661 {
1662 if (man_need(man, p, 1, 0))
1663 {
1664 int i;
1665 const int n = atoi(p[1]);
1666 for (i = 0; i < n; ++i)
1667 {
1668 msg(M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
1669 }
1670 }
1671 }
1672#endif
1673 else
1674 {
1675 msg(M_CLIENT, "ERROR: unknown command [%s], enter 'help' for more options", p[0]);
1676 }
1677
1678done:
1679 gc_free(&gc);
1680}
1681
1682#ifdef _WIN32
1683
1684static void
1686{
1687 switch (man->connection.state)
1688 {
1689 case MS_LISTEN:
1690 net_event_win32_start(&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1691 break;
1692
1693 case MS_CC_WAIT_READ:
1694 case MS_CC_WAIT_WRITE:
1695 net_event_win32_start(&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
1696 break;
1697
1698 default:
1699 ASSERT(0);
1700 }
1701}
1702
1703static void
1705{
1707}
1708
1709#endif /* ifdef _WIN32 */
1710
1711static void
1713{
1714 man->connection.state_realtime = false;
1715 man->connection.log_realtime = false;
1716 man->connection.echo_realtime = false;
1718 man->connection.password_verified = false;
1719 man->connection.password_tries = 0;
1720 man->connection.halt = false;
1722}
1723
1724static void
1725man_new_connection_post(struct management *man, const char *description)
1726{
1727 struct gc_arena gc = gc_new();
1728
1730
1732
1733#ifdef _WIN32
1734 man_start_ne32(man);
1735#endif
1736
1737#if UNIX_SOCK_SUPPORT
1738 if (man->settings.flags & MF_UNIX_SOCK)
1739 {
1740 msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1741 description,
1742 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1743 }
1744 else
1745#endif
1747 {
1748 msg(D_MANAGEMENT, "MANAGEMENT: %s %s",
1749 description,
1750 print_sockaddr(man->settings.local->ai_addr, &gc));
1751 }
1752 else
1753 {
1754 struct sockaddr_storage addr;
1755 socklen_t addrlen = sizeof(addr);
1756 if (!getpeername(man->connection.sd_cli, (struct sockaddr *) &addr,
1757 &addrlen))
1758 {
1759 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description,
1760 print_sockaddr((struct sockaddr *) &addr, &gc));
1761 }
1762 else
1763 {
1764 msg(D_MANAGEMENT, "MANAGEMENT: %s %s", description, "unknown");
1765 }
1766 }
1767
1769
1770 if (!man_password_needed(man))
1771 {
1772 man_welcome(man);
1773 }
1774 man_prompt(man);
1776
1777 gc_free(&gc);
1778}
1779
1780#if UNIX_SOCK_SUPPORT
1781static bool
1782man_verify_unix_peer_uid_gid(struct management *man, const socket_descriptor_t sd)
1783{
1784 if (socket_defined(sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1785 {
1786 static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
1787 int uid, gid;
1788 if (unix_socket_get_peer_uid_gid(man->connection.sd_cli, &uid, &gid))
1789 {
1790 if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1791 {
1792 msg(D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1793 err_prefix, uid, man->settings.client_uid);
1794 return false;
1795 }
1796 if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1797 {
1798 msg(D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1799 err_prefix, gid, man->settings.client_gid);
1800 return false;
1801 }
1802 }
1803 else
1804 {
1805 msg(D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1806 return false;
1807 }
1808 }
1809 return true;
1810}
1811#endif /* if UNIX_SOCK_SUPPORT */
1812
1813static void
1815{
1816 struct link_socket_actual act;
1817 CLEAR(act);
1818
1819 /*
1820 * Accept the TCP or Unix domain socket client.
1821 */
1822#if UNIX_SOCK_SUPPORT
1823 if (man->settings.flags & MF_UNIX_SOCK)
1824 {
1825 struct sockaddr_un remote;
1826 man->connection.sd_cli = socket_accept_unix(man->connection.sd_top, &remote);
1827 if (!man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1828 {
1829 sd_close(&man->connection.sd_cli);
1830 }
1831 }
1832 else
1833#endif
1834 {
1835 man->connection.sd_cli = socket_do_accept(man->connection.sd_top, &act, false);
1836 }
1837
1839 {
1840 man->connection.remote = act.dest;
1841
1843 {
1844#ifdef _WIN32
1845 man_stop_ne32(man);
1846#endif
1847 }
1848
1849 man_new_connection_post(man, "Client connected from");
1850 }
1851}
1852
1853static void
1855{
1856 struct gc_arena gc = gc_new();
1857
1858 /*
1859 * Initialize state
1860 */
1861 man->connection.state = MS_LISTEN;
1863
1864 /*
1865 * Initialize listening socket
1866 */
1868 {
1869#if UNIX_SOCK_SUPPORT
1870 if (man->settings.flags & MF_UNIX_SOCK)
1871 {
1873 man->connection.sd_top = create_socket_unix();
1874 socket_bind_unix(man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1875 }
1876 else
1877#endif
1878 {
1881 man->settings.local->ai_family, "MANAGEMENT", false);
1882 }
1883
1884 /*
1885 * Listen for connection
1886 */
1887 if (listen(man->connection.sd_top, 1))
1888 {
1889 msg(M_ERR, "MANAGEMENT: listen() failed");
1890 }
1891
1892 /*
1893 * Set misc socket properties
1894 */
1896
1897#if UNIX_SOCK_SUPPORT
1898 if (man->settings.flags & MF_UNIX_SOCK)
1899 {
1900 msg(D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1901 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1902 }
1903 else
1904#endif
1905 {
1906 const struct sockaddr *man_addr = man->settings.local->ai_addr;
1907 struct sockaddr_storage addr;
1908 socklen_t addrlen = sizeof(addr);
1909 if (!getsockname(man->connection.sd_top, (struct sockaddr *) &addr, &addrlen))
1910 {
1911 man_addr = (struct sockaddr *) &addr;
1912 }
1913 else
1914 {
1916 "Failed to get the management socket address");
1917 }
1918 msg(D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1919 print_sockaddr(man_addr, &gc));
1920 }
1921 }
1922
1923#ifdef _WIN32
1924 man_start_ne32(man);
1925#endif
1926
1927 gc_free(&gc);
1928}
1929
1930static void
1932{
1933 struct gc_arena gc = gc_new();
1934 int status;
1935 int signal_received = 0;
1936
1937 /*
1938 * Initialize state
1939 */
1942
1943#if UNIX_SOCK_SUPPORT
1944 if (man->settings.flags & MF_UNIX_SOCK)
1945 {
1946 man->connection.sd_cli = create_socket_unix();
1947 status = socket_connect_unix(man->connection.sd_cli, &man->settings.local_unix);
1948 if (!status && !man_verify_unix_peer_uid_gid(man, man->connection.sd_cli))
1949 {
1950#ifdef EPERM
1951 status = EPERM;
1952#else
1953 status = 1;
1954#endif
1955 sd_close(&man->connection.sd_cli);
1956 }
1957 }
1958 else
1959#endif
1960 {
1963 man->settings.local->ai_addr,
1964 5,
1965 &signal_received);
1966 }
1967
1968 if (signal_received)
1969 {
1970 throw_signal(signal_received);
1971 goto done;
1972 }
1973
1974 if (status)
1975 {
1976#if UNIX_SOCK_SUPPORT
1977 if (man->settings.flags & MF_UNIX_SOCK)
1978 {
1980 "MANAGEMENT: connect to unix socket %s failed",
1981 sockaddr_unix_name(&man->settings.local_unix, "NULL"));
1982 }
1983 else
1984#endif
1985 {
1987 "MANAGEMENT: connect to %s failed",
1988 print_sockaddr(man->settings.local->ai_addr, &gc));
1989 }
1990 throw_signal_soft(SIGTERM, "management-connect-failed");
1991 goto done;
1992 }
1993
1994 man_new_connection_post(man, "Connected to management server at");
1995
1996done:
1997 gc_free(&gc);
1998}
1999
2000static void
2001man_reset_client_socket(struct management *man, const bool exiting)
2002{
2004 {
2005#ifdef _WIN32
2006 man_stop_ne32(man);
2007#endif
2014 msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected");
2015 }
2016 if (!exiting)
2017 {
2019 {
2020 ssl_purge_auth(false);
2021 (void)ssl_clean_auth_token();
2022 }
2023
2024 if (man->settings.flags & MF_SIGNAL)
2025 {
2026 int mysig = man_mod_signal(man, SIGUSR1);
2027 if (mysig >= 0)
2028 {
2029 msg(D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
2030 throw_signal_soft(mysig, "management-disconnect");
2031 }
2032 }
2033
2035 {
2036 msg(D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
2037 throw_signal_soft(SIGTERM, "management-exit");
2038 }
2039 else
2040 {
2041 man_listen(man);
2042 }
2043 }
2044}
2045
2046static void
2047man_process_command(struct management *man, const char *line)
2048{
2049 struct gc_arena gc = gc_new();
2050 struct status_output *so;
2051 int nparms;
2052 char *parms[MAX_PARMS+1];
2053
2054 CLEAR(parms);
2055 so = status_open(NULL, 0, -1, &man->persist.vout, 0);
2057
2058 if (man_password_needed(man))
2059 {
2060 man_check_password(man, line);
2061 }
2062 else
2063 {
2064 nparms = parse_line(line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
2065 if (parms[0] && streq(parms[0], "password"))
2066 {
2067 msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
2068 }
2069 else if (!streq(line, "load-stats"))
2070 {
2071 msg(D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
2072 }
2073
2074#if 0
2075 /* DEBUGGING -- print args */
2076 {
2077 int i;
2078 for (i = 0; i < nparms; ++i)
2079 {
2080 msg(M_INFO, "[%d] '%s'", i, parms[i]);
2081 }
2082 }
2083#endif
2084
2085 if (nparms > 0)
2086 {
2087 man_dispatch_command(man, so, (const char **)parms, nparms);
2088 }
2089 }
2090
2091 CLEAR(parms);
2092 status_close(so);
2093 gc_free(&gc);
2094}
2095
2096static bool
2097man_io_error(struct management *man, const char *prefix)
2098{
2099 bool crt_error = false;
2100 int err = openvpn_errno_maybe_crt(&crt_error);
2101
2102 if (!ignore_sys_error(err, crt_error))
2103 {
2104 struct gc_arena gc = gc_new();
2105 msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix,
2106 strerror(err));
2107 gc_free(&gc);
2108 return true;
2109 }
2110 else
2111 {
2112 return false;
2113 }
2114}
2115
2116#ifdef TARGET_ANDROID
2117static ssize_t
2118man_send_with_fd(int fd, void *ptr, size_t nbytes, int flags, int sendfd)
2119{
2120 struct msghdr msg = { 0 };
2121 struct iovec iov[1];
2122
2123 union {
2124 struct cmsghdr cm;
2125 char control[CMSG_SPACE(sizeof(int))];
2126 } control_un;
2127 struct cmsghdr *cmptr;
2128
2129 msg.msg_control = control_un.control;
2130 msg.msg_controllen = sizeof(control_un.control);
2131
2132 cmptr = CMSG_FIRSTHDR(&msg);
2133 cmptr->cmsg_len = CMSG_LEN(sizeof(int));
2134 cmptr->cmsg_level = SOL_SOCKET;
2135 cmptr->cmsg_type = SCM_RIGHTS;
2136 *((int *) CMSG_DATA(cmptr)) = sendfd;
2137
2138 msg.msg_name = NULL;
2139 msg.msg_namelen = 0;
2140
2141 iov[0].iov_base = ptr;
2142 iov[0].iov_len = nbytes;
2143 msg.msg_iov = iov;
2144 msg.msg_iovlen = 1;
2145
2146 return (sendmsg(fd, &msg, flags));
2147}
2148
2149static ssize_t
2150man_recv_with_fd(int fd, void *ptr, size_t nbytes, int flags, int *recvfd)
2151{
2152 struct msghdr msghdr = { 0 };
2153 struct iovec iov[1];
2154 ssize_t n;
2155
2156 union {
2157 struct cmsghdr cm;
2158 char control[CMSG_SPACE(sizeof(int))];
2159 } control_un;
2160 struct cmsghdr *cmptr;
2161
2162 msghdr.msg_control = control_un.control;
2163 msghdr.msg_controllen = sizeof(control_un.control);
2164
2165 msghdr.msg_name = NULL;
2166 msghdr.msg_namelen = 0;
2167
2168 iov[0].iov_base = ptr;
2169 iov[0].iov_len = nbytes;
2170 msghdr.msg_iov = iov;
2171 msghdr.msg_iovlen = 1;
2172
2173 if ( (n = recvmsg(fd, &msghdr, flags)) <= 0)
2174 {
2175 return (n);
2176 }
2177
2178 if ( (cmptr = CMSG_FIRSTHDR(&msghdr)) != NULL
2179 && cmptr->cmsg_len == CMSG_LEN(sizeof(int)))
2180 {
2181 if (cmptr->cmsg_level != SOL_SOCKET)
2182 {
2183 msg(M_ERR, "control level != SOL_SOCKET");
2184 }
2185 if (cmptr->cmsg_type != SCM_RIGHTS)
2186 {
2187 msg(M_ERR, "control type != SCM_RIGHTS");
2188 }
2189 *recvfd = *((int *) CMSG_DATA(cmptr));
2190 }
2191 else
2192 {
2193 *recvfd = -1; /* descriptor was not passed */
2194
2195 }
2196 return (n);
2197}
2198
2199/*
2200 * The android control method will instruct the GUI part of openvpn to do
2201 * the route/ifconfig/open tun command. See doc/android.txt for details.
2202 */
2203bool
2204management_android_control(struct management *man, const char *command, const char *msg)
2205{
2206 if (!man)
2207 {
2208 msg(M_FATAL, "Required management interface not available.");
2209 }
2210 struct user_pass up;
2211 CLEAR(up);
2212 strncpy(up.username, msg, sizeof(up.username)-1);
2213
2215 return strcmp("ok", up.password)==0;
2216}
2217
2218/*
2219 * In Android 4.4 it is not possible to open a new tun device and then close the
2220 * old tun device without breaking the whole VPNService stack until the device
2221 * is rebooted. This management method ask the UI what method should be taken to
2222 * ensure the optimal solution for the situation
2223 */
2224int
2225managment_android_persisttun_action(struct management *man)
2226{
2227 struct user_pass up;
2228 CLEAR(up);
2229 strcpy(up.username, "tunmethod");
2230 management_query_user_pass(management, &up, "PERSIST_TUN_ACTION",
2231 GET_USER_PASS_NEED_OK, (void *) 0);
2232 if (!strcmp("NOACTION", up.password))
2233 {
2234 return ANDROID_KEEP_OLD_TUN;
2235 }
2236 else if (!strcmp("OPEN_BEFORE_CLOSE", up.password))
2237 {
2238 return ANDROID_OPEN_BEFORE_CLOSE;
2239 }
2240 else
2241 {
2242 msg(M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
2243 }
2244
2245 ASSERT(0);
2246 return ANDROID_OPEN_BEFORE_CLOSE;
2247}
2248
2249
2250#endif /* ifdef TARGET_ANDROID */
2251
2252static int
2254{
2255 /*
2256 * read command line from socket
2257 */
2258 unsigned char buf[256];
2259 int len = 0;
2260
2261#ifdef TARGET_ANDROID
2262 int fd;
2263 len = man_recv_with_fd(man->connection.sd_cli, buf, sizeof(buf), MSG_NOSIGNAL, &fd);
2264 if (fd >= 0)
2265 {
2266 man->connection.lastfdreceived = fd;
2267 }
2268#else /* ifdef TARGET_ANDROID */
2269 len = recv(man->connection.sd_cli, (void *)buf, sizeof(buf), MSG_NOSIGNAL);
2270#endif
2271
2272 if (len == 0)
2273 {
2274 man_reset_client_socket(man, false);
2275 }
2276 else if (len > 0)
2277 {
2278 bool processed_command = false;
2279
2280 ASSERT(len <= (int) sizeof(buf));
2281 command_line_add(man->connection.in, buf, len);
2282
2283 /*
2284 * Reset output object
2285 */
2287
2288 /*
2289 * process command line if complete
2290 */
2291 {
2292 const char *line;
2293 while ((line = command_line_get(man->connection.in)))
2294 {
2295 if (man->connection.in_extra)
2296 {
2297 if (!strcmp(line, "END"))
2298 {
2299 in_extra_dispatch(man);
2300 }
2301 else
2302 {
2304 }
2305 }
2306 else
2307 {
2308 man_process_command(man, (char *) line);
2309 }
2310 if (man->connection.halt)
2311 {
2312 break;
2313 }
2315 processed_command = true;
2316 }
2317 }
2318
2319 /*
2320 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2321 */
2322 if (man->connection.halt)
2323 {
2324 man_reset_client_socket(man, false);
2325 len = 0;
2326 }
2327 else
2328 {
2329 if (processed_command)
2330 {
2331 man_prompt(man);
2332 }
2334 }
2335 }
2336 else /* len < 0 */
2337 {
2338 if (man_io_error(man, "recv"))
2339 {
2340 man_reset_client_socket(man, false);
2341 }
2342 }
2343 return len;
2344}
2345
2346static int
2348{
2349 const int size_hint = 1024;
2350 int sent = 0;
2351 const struct buffer *buf;
2352
2353 buffer_list_aggregate(man->connection.out, size_hint);
2354 buf = buffer_list_peek(man->connection.out);
2355 if (buf && BLEN(buf))
2356 {
2357 const int len = min_int(size_hint, BLEN(buf));
2358#ifdef TARGET_ANDROID
2359 if (man->connection.fdtosend > 0)
2360 {
2361 sent = man_send_with_fd(man->connection.sd_cli, BPTR(buf), len, MSG_NOSIGNAL, man->connection.fdtosend);
2362 man->connection.fdtosend = -1;
2363 }
2364 else
2365#endif
2366 sent = send(man->connection.sd_cli, (const void *)BPTR(buf), len, MSG_NOSIGNAL);
2367 if (sent >= 0)
2368 {
2369 buffer_list_advance(man->connection.out, sent);
2370 }
2371 else if (sent < 0)
2372 {
2373 if (man_io_error(man, "send"))
2374 {
2376 }
2377 }
2378 }
2379
2380 /*
2381 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2382 */
2384
2385 return sent;
2386}
2387
2388static void
2390{
2391 CLEAR(*mc);
2392
2393 /* set initial state */
2394 mc->state = MS_INITIAL;
2395
2396 /* clear socket descriptors */
2397 mc->sd_top = SOCKET_UNDEFINED;
2398 mc->sd_cli = SOCKET_UNDEFINED;
2399}
2400
2401static void
2403 const int log_history_cache,
2404 const int echo_buffer_size,
2405 const int state_buffer_size)
2406{
2407 struct man_persist *mp = &man->persist;
2408 if (!mp->defined)
2409 {
2410 CLEAR(*mp);
2411
2412 /* initialize log history store */
2413 mp->log = log_history_init(log_history_cache);
2414
2415 /*
2416 * Initialize virtual output object, so that functions
2417 * which write to a virtual_output object can be redirected
2418 * here to the management object.
2419 */
2421 mp->vout.arg = man;
2424
2425 /*
2426 * Initialize --echo list
2427 */
2428 man->persist.echo = log_history_init(echo_buffer_size);
2429
2430 /*
2431 * Initialize --state list
2432 */
2433 man->persist.state = log_history_init(state_buffer_size);
2434
2435 mp->defined = true;
2436 }
2437}
2438
2439static void
2441{
2442 if (mp->log)
2443 {
2446 }
2447
2448 if (mp->echo)
2449 {
2451 }
2452
2453 if (mp->state)
2454 {
2456 }
2457
2458 CLEAR(*mp);
2459}
2460
2461static void
2463 const char *addr,
2464 const char *port,
2465 const char *pass_file,
2466 const char *client_user,
2467 const char *client_group,
2468 const int log_history_cache,
2469 const int echo_buffer_size,
2470 const int state_buffer_size,
2471 const int remap_sigusr1,
2472 const unsigned int flags)
2473{
2474 if (!ms->defined)
2475 {
2476 CLEAR(*ms);
2477
2478 ms->flags = flags;
2479 ms->client_uid = -1;
2480 ms->client_gid = -1;
2481
2482 /*
2483 * Get username/password
2484 */
2485 if (pass_file)
2486 {
2487 get_user_pass(&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
2488 }
2489
2490 /*
2491 * lookup client UID/GID if specified
2492 */
2493 if (client_user)
2494 {
2495 struct platform_state_user s;
2496 platform_user_get(client_user, &s);
2498 msg(D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
2499 ASSERT(ms->client_uid >= 0);
2500 }
2501 if (client_group)
2502 {
2503 struct platform_state_group s;
2504 platform_group_get(client_group, &s);
2506 msg(D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
2507 ASSERT(ms->client_gid >= 0);
2508 }
2509
2510#if UNIX_SOCK_SUPPORT
2511 if (ms->flags & MF_UNIX_SOCK)
2512 {
2513 sockaddr_unix_init(&ms->local_unix, addr);
2514 }
2515 else
2516#endif
2517 {
2518
2519 /*
2520 * Run management over tunnel, or
2521 * separate channel?
2522 */
2523 if (streq(addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
2524 {
2525 ms->management_over_tunnel = true;
2526 }
2527 else
2528 {
2529 int status;
2531
2532 if (!(flags & MF_CONNECT_AS_CLIENT))
2533 {
2534 resolve_flags |= GETADDR_PASSIVE;
2535 }
2536
2537 status = openvpn_getaddrinfo(resolve_flags, addr, port, 0,
2538 NULL, AF_UNSPEC, &ms->local);
2539 ASSERT(status==0);
2540 }
2541 }
2542
2543 /*
2544 * Log history and echo buffer may need to be resized
2545 */
2546 ms->log_history_cache = log_history_cache;
2547 ms->echo_buffer_size = echo_buffer_size;
2548 ms->state_buffer_size = state_buffer_size;
2549
2550 /*
2551 * Set remap sigusr1 flags
2552 */
2553 if (remap_sigusr1 == SIGHUP)
2554 {
2556 }
2557 else if (remap_sigusr1 == SIGTERM)
2558 {
2560 }
2561
2562 ms->defined = true;
2563 }
2564}
2565
2566static void
2568{
2569 if (ms->local)
2570 {
2571 freeaddrinfo(ms->local);
2572 }
2573 CLEAR(*ms);
2574}
2575
2576
2577static void
2579{
2580 if (man->connection.state == MS_INITIAL)
2581 {
2582#ifdef _WIN32
2583 /*
2584 * This object is a sort of TCP/IP helper
2585 * for Windows.
2586 */
2588#endif
2589
2590 /*
2591 * Allocate helper objects for command line input and
2592 * command output from/to the socket.
2593 */
2594 man->connection.in = command_line_new(1024);
2596
2597 /*
2598 * Initialize event set for standalone usage, when we are
2599 * running outside of the primary event loop.
2600 */
2601 {
2602 int maxevents = 1;
2603 man->connection.es = event_set_init(&maxevents, EVENT_METHOD_FAST);
2604 }
2605
2606 man->connection.client_version = 1; /* default version */
2607
2608 /*
2609 * Listen/connect socket
2610 */
2612 {
2613 man_connect(man);
2614 }
2615 else
2616 {
2617 man_listen(man);
2618 }
2619 }
2620}
2621
2622static void
2624{
2625 struct man_connection *mc = &man->connection;
2626
2627 event_free(mc->es);
2628#ifdef _WIN32
2630#endif
2631 if (socket_defined(mc->sd_top))
2632 {
2633 man_close_socket(man, mc->sd_top);
2635 }
2636 if (socket_defined(mc->sd_cli))
2637 {
2638 man_close_socket(man, mc->sd_cli);
2639 }
2640
2641 command_line_free(mc->in);
2642 buffer_list_free(mc->out);
2643
2645
2649}
2650
2651struct management *
2653{
2654 struct management *man;
2655 ALLOC_OBJ_CLEAR(man, struct management);
2656
2657 man_persist_init(man,
2661
2663
2664 return man;
2665}
2666
2667bool
2669 const char *addr,
2670 const char *port,
2671 const char *pass_file,
2672 const char *client_user,
2673 const char *client_group,
2674 const int log_history_cache,
2675 const int echo_buffer_size,
2676 const int state_buffer_size,
2677 const int remap_sigusr1,
2678 const unsigned int flags)
2679{
2680 bool ret = false;
2681
2682 /*
2683 * Save the settings only if they have not
2684 * been saved before.
2685 */
2687 addr,
2688 port,
2689 pass_file,
2690 client_user,
2691 client_group,
2692 log_history_cache,
2693 echo_buffer_size,
2694 state_buffer_size,
2695 remap_sigusr1,
2696 flags);
2697
2698 /*
2699 * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2700 * but may be changed here. Ditto for echo and state buffers.
2701 */
2705
2706 /*
2707 * If connection object is uninitialized and we are not doing
2708 * over-the-tunnel management, then open (listening) connection.
2709 */
2710 if (man->connection.state == MS_INITIAL)
2711 {
2713 {
2715 ret = true;
2716 }
2717 }
2718
2719 return ret;
2720}
2721
2722void
2724{
2725 man_output_list_push_finalize(man); /* flush output queue */
2729 free(man);
2730}
2731
2732void
2734 const struct management_callback *cb)
2735{
2736 man->persist.standalone_disabled = true;
2737 man->persist.callback = *cb;
2738}
2739
2740void
2742{
2743 man->persist.standalone_disabled = false;
2744 man->persist.hold_release = false;
2745 CLEAR(man->persist.callback);
2746 man_output_list_push_finalize(man); /* flush output queue */
2747}
2748
2749void
2751 const int state,
2752 const char *detail,
2753 const in_addr_t *tun_local_ip,
2754 const struct in6_addr *tun_local_ip6,
2755 const struct openvpn_sockaddr *local,
2756 const struct openvpn_sockaddr *remote)
2757{
2758 if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2759 {
2760 struct gc_arena gc = gc_new();
2761 struct log_entry e;
2762 const char *out = NULL;
2763
2764 update_time();
2765 CLEAR(e);
2766 e.timestamp = now;
2767 e.u.state = state;
2768 e.string = detail;
2769 if (tun_local_ip)
2770 {
2771 e.local_ip = *tun_local_ip;
2772 }
2773 if (tun_local_ip6)
2774 {
2775 e.local_ip6 = *tun_local_ip6;
2776 }
2777 if (local)
2778 {
2779 e.local_sock = *local;
2780 }
2781 if (remote)
2782 {
2783 e.remote_sock = *remote;
2784 }
2785
2786 log_history_add(man->persist.state, &e);
2787
2788 if (man->connection.state_realtime)
2789 {
2796 | LOG_ECHO_TO_LOG, &gc);
2797 }
2798
2799 if (out)
2800 {
2801 man_output_list_push(man, out);
2802 }
2803
2804 gc_free(&gc);
2805 }
2806}
2807
2808static bool
2809env_filter_match(const char *env_str, const int env_filter_level)
2810{
2811 static const char *env_names[] = {
2812 "username=",
2813 "password=",
2814 "X509_0_CN=",
2815 "tls_serial_",
2816 "untrusted_ip=",
2817 "ifconfig_local=",
2818 "ifconfig_netmask=",
2819 "daemon_start_time=",
2820 "daemon_pid=",
2821 "dev=",
2822 "ifconfig_pool_remote_ip=",
2823 "ifconfig_pool_netmask=",
2824 "time_duration=",
2825 "bytes_sent=",
2826 "bytes_received=",
2827 "session_id=",
2828 "session_state="
2829 };
2830
2831 if (env_filter_level == 0)
2832 {
2833 return true;
2834 }
2835 else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5))
2836 {
2837 return true;
2838 }
2839 else if (env_filter_level <= 2)
2840 {
2841 size_t i;
2842 for (i = 0; i < SIZE(env_names); ++i)
2843 {
2844 const char *en = env_names[i];
2845 const size_t len = strlen(en);
2846 if (!strncmp(env_str, en, len))
2847 {
2848 return true;
2849 }
2850 }
2851 return false;
2852 }
2853 return false;
2854}
2855
2856static void
2857man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
2858{
2859 if (es)
2860 {
2861 struct env_item *e;
2862 for (e = es->list; e != NULL; e = e->next)
2863 {
2864 if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level)))
2865 {
2866 msg(M_CLIENT, ">%s:ENV,%s", prefix, e->string);
2867 }
2868 }
2869 }
2870 if (tail)
2871 {
2872 msg(M_CLIENT, ">%s:ENV,END", prefix);
2873 }
2874}
2875
2876static void
2877man_output_extra_env(struct management *man, const char *prefix)
2878{
2879 struct gc_arena gc = gc_new();
2880 struct env_set *es = env_set_create(&gc);
2881 if (man->persist.callback.n_clients)
2882 {
2883 const int nclients = (*man->persist.callback.n_clients)(man->persist.callback.arg);
2884 setenv_int(es, "n_clients", nclients);
2885 }
2886 man_output_env(es, false, man->connection.env_filter_level, prefix);
2887 gc_free(&gc);
2888}
2889
2890void
2891management_up_down(struct management *man, const char *updown, const struct env_set *es)
2892{
2893 if (man->settings.flags & MF_UP_DOWN)
2894 {
2895 msg(M_CLIENT, ">UPDOWN:%s", updown);
2896 man_output_env(es, true, 0, "UPDOWN");
2897 }
2898}
2899
2900void
2901management_notify(struct management *man, const char *severity, const char *type, const char *text)
2902{
2903 msg(M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
2904}
2905
2906void
2907management_notify_generic(struct management *man, const char *str)
2908{
2909 msg(M_CLIENT, "%s", str);
2910}
2911
2912static void
2914{
2915 char line[256];
2917 {
2918 const char *peer_info = (*man->persist.callback.get_peer_info)(man->persist.callback.arg, mdac->cid);
2919 if (peer_info)
2920 {
2921 struct buffer buf;
2922 buf_set_read(&buf, (const uint8_t *) peer_info, strlen(peer_info));
2923 while (buf_parse(&buf, '\n', line, sizeof(line)))
2924 {
2925 chomp(line);
2927 {
2928 msg(M_CLIENT, ">CLIENT:ENV,%s", line);
2929 }
2930 else
2931 {
2932 msg(D_MANAGEMENT, "validation failed on peer_info line received from client");
2933 }
2934 }
2935 }
2936 }
2937}
2938
2939void
2941 const unsigned int mda_key_id,
2942 struct man_def_auth_context *mdac,
2943 const struct env_set *es)
2944{
2945 if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2946 {
2947 const char *mode = "CONNECT";
2948 if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2949 {
2950 mode = "REAUTH";
2951 }
2952 msg(M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2955 {
2957 }
2959 mdac->flags |= DAF_INITIAL_AUTH;
2960 }
2961}
2962
2963void
2965 const struct man_def_auth_context *mdac,
2966 const struct env_set *es,
2967 const char *response)
2968{
2969 struct gc_arena gc;
2970 if (management)
2971 {
2972 gc = gc_new();
2973
2974 msg(M_CLIENT, ">CLIENT:CR_RESPONSE,%lu,%u,%s",
2975 mdac->cid, mda_key_id, response);
2978 {
2980 }
2982 gc_free(&gc);
2983 }
2984}
2985
2986void
2988 struct man_def_auth_context *mdac,
2989 const struct env_set *es)
2990{
2992 msg(M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
2995}
2996
2997void
2999 struct man_def_auth_context *mdac,
3000 const struct env_set *es)
3001{
3002 if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
3003 {
3004 msg(M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
3007 }
3008}
3009
3010void
3012 struct man_def_auth_context *mdac,
3013 const struct mroute_addr *addr,
3014 const bool primary)
3015{
3016 struct gc_arena gc = gc_new();
3017 if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
3018 {
3019 msg(M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
3020 mdac->cid,
3022 BOOL_CAST(primary));
3023 }
3024 gc_free(&gc);
3025}
3026
3027void
3028management_echo(struct management *man, const char *string, const bool pull)
3029{
3030 if (man->persist.echo)
3031 {
3032 struct gc_arena gc = gc_new();
3033 struct log_entry e;
3034 const char *out = NULL;
3035
3036 update_time();
3037 CLEAR(e);
3038 e.timestamp = now;
3039 e.string = string;
3040 e.u.intval = BOOL_CAST(pull);
3041
3042 log_history_add(man->persist.echo, &e);
3043
3044 if (man->connection.echo_realtime)
3045 {
3047 }
3048
3049 if (out)
3050 {
3051 man_output_list_push(man, out);
3052 }
3053
3054 gc_free(&gc);
3055 }
3056}
3057
3058void
3059management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
3060{
3061 /*
3062 * If we are running management over the tunnel,
3063 * this is the place to initialize the connection.
3064 */
3066 && man->connection.state == MS_INITIAL)
3067 {
3068 /* listen on our local TUN/TAP IP address */
3069 struct in_addr ia;
3070 int ret;
3071 char buf[INET_ADDRSTRLEN];
3072
3073 ia.s_addr = htonl(tun_local_ip);
3074 inet_ntop(AF_INET, &ia, buf, sizeof(buf));
3075 ret = openvpn_getaddrinfo(GETADDR_PASSIVE, buf, NULL, 0, NULL,
3076 AF_INET, &man->settings.local);
3077 ASSERT(ret==0);
3079 }
3080
3081}
3082
3083void
3085{
3087 {
3089 }
3090}
3091
3092void
3093management_auth_failure(struct management *man, const char *type, const char *reason)
3094{
3095 if (reason)
3096 {
3097 msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason);
3098 }
3099 else
3100 {
3101 msg(M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
3102 }
3103}
3104
3105void
3106management_auth_token(struct management *man, const char *token)
3107{
3108 msg(M_CLIENT, ">PASSWORD:Auth-Token:%s", token);
3109}
3110
3111static inline bool
3112man_persist_state(unsigned int *persistent, const int n)
3113{
3114 if (persistent)
3115 {
3116 if (*persistent == (unsigned int)n)
3117 {
3118 return false;
3119 }
3120 *persistent = n;
3121 }
3122 return true;
3123}
3124
3125#ifdef _WIN32
3126
3127void
3129 struct event_set *es,
3130 void *arg,
3131 unsigned int *persistent)
3132{
3133 if (man->connection.state != MS_INITIAL)
3134 {
3137
3138 switch (man->connection.state)
3139 {
3140 case MS_LISTEN:
3141 if (man_persist_state(persistent, 1))
3142 {
3143 event_ctl(es, ev, EVENT_READ, arg);
3144 }
3145 break;
3146
3147 case MS_CC_WAIT_READ:
3148 if (man_persist_state(persistent, 2))
3149 {
3150 event_ctl(es, ev, EVENT_READ, arg);
3151 }
3152 break;
3153
3154 case MS_CC_WAIT_WRITE:
3155 if (man_persist_state(persistent, 3))
3156 {
3158 }
3159 break;
3160
3161 default:
3162 ASSERT(0);
3163 }
3164 }
3165}
3166
3167void
3169{
3170 if (man->connection.state != MS_INITIAL)
3171 {
3172 long net_events;
3175
3176 if (net_events & FD_CLOSE)
3177 {
3178 man_reset_client_socket(man, false);
3179 }
3180 else
3181 {
3182 if (man->connection.state == MS_LISTEN)
3183 {
3184 if (net_events & FD_ACCEPT)
3185 {
3186 man_accept(man);
3188 }
3189 }
3191 {
3192 if (net_events & FD_READ)
3193 {
3194 while (man_read(man) > 0)
3195 {
3196 }
3198 }
3199
3200 if (net_events & FD_WRITE)
3201 {
3202 int status;
3203 status = man_write(man);
3204 if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
3205 {
3207 }
3208 }
3209 }
3210 }
3211 }
3212}
3213
3214#else /* ifdef _WIN32 */
3215
3216void
3218 struct event_set *es,
3219 void *arg,
3220 unsigned int *persistent)
3221{
3222 switch (man->connection.state)
3223 {
3224 case MS_LISTEN:
3225 if (man_persist_state(persistent, 1))
3226 {
3228 }
3229 break;
3230
3231 case MS_CC_WAIT_READ:
3232 if (man_persist_state(persistent, 2))
3233 {
3235 }
3236 break;
3237
3238 case MS_CC_WAIT_WRITE:
3239 if (man_persist_state(persistent, 3))
3240 {
3242 }
3243 break;
3244
3245 case MS_INITIAL:
3246 break;
3247
3248 default:
3249 ASSERT(0);
3250 }
3251}
3252
3253void
3254management_io(struct management *man)
3255{
3256 switch (man->connection.state)
3257 {
3258 case MS_LISTEN:
3259 man_accept(man);
3260 break;
3261
3262 case MS_CC_WAIT_READ:
3263 man_read(man);
3264 break;
3265
3266 case MS_CC_WAIT_WRITE:
3267 man_write(man);
3268 break;
3269
3270 case MS_INITIAL:
3271 break;
3272
3273 default:
3274 ASSERT(0);
3275 }
3276}
3277
3278#endif /* ifdef _WIN32 */
3279
3280static inline bool
3282{
3284}
3285
3286static bool
3287man_check_for_signals(volatile int *signal_received)
3288{
3289 if (signal_received)
3290 {
3291 get_signal(signal_received);
3292 if (*signal_received)
3293 {
3294 return true;
3295 }
3296 }
3297 return false;
3298}
3299
3300/*
3301 * Wait for socket I/O when outside primary event loop
3302 */
3303static int
3304man_block(struct management *man, volatile int *signal_received, const time_t expire)
3305{
3306 struct timeval tv;
3307 struct event_set_return esr;
3308 int status = -1;
3309
3310 if (man_standalone_ok(man))
3311 {
3312 /* expire time can be already overdue, for this case init zero
3313 * timeout to avoid waiting first time and exit loop early with
3314 * either obtained event or timeout.
3315 */
3316 tv.tv_usec = 0;
3317 tv.tv_sec = 0;
3318
3319 while (true)
3320 {
3322 management_socket_set(man, man->connection.es, NULL, NULL);
3323 if (man_check_for_signals(signal_received))
3324 {
3325 status = -1;
3326 break;
3327 }
3328 status = event_wait(man->connection.es, &tv, &esr, 1);
3329 update_time();
3330 if (man_check_for_signals(signal_received))
3331 {
3332 status = -1;
3333 break;
3334 }
3335
3336 if (status > 0)
3337 {
3338 break;
3339 }
3340 else if (expire && now >= expire)
3341 {
3342 /* set SIGINT signal if expiration time exceeded */
3343 status = 0;
3344 if (signal_received)
3345 {
3346 *signal_received = SIGINT;
3347 }
3348 break;
3349 }
3350
3351 /* wait one second more */
3352 tv.tv_sec = 1;
3353 tv.tv_usec = 0;
3354 }
3355 }
3356 return status;
3357}
3358
3359/*
3360 * Perform management socket output outside primary event loop
3361 */
3362static void
3363man_output_standalone(struct management *man, volatile int *signal_received)
3364{
3365 if (man_standalone_ok(man))
3366 {
3367 while (man->connection.state == MS_CC_WAIT_WRITE)
3368 {
3369 management_io(man);
3370 if (man->connection.state == MS_CC_WAIT_WRITE)
3371 {
3372 man_block(man, signal_received, 0);
3373 }
3374 if (signal_received && *signal_received)
3375 {
3376 break;
3377 }
3378 }
3379 }
3380}
3381
3382/*
3383 * Process management event loop outside primary event loop
3384 */
3385static int
3386man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
3387{
3388 int status = -1;
3389 if (man_standalone_ok(man))
3390 {
3391 status = man_block(man, signal_received, expire);
3392 if (status > 0)
3393 {
3394 management_io(man);
3395 }
3396 }
3397 return status;
3398}
3399
3400#define MWCC_PASSWORD_WAIT (1<<0)
3401#define MWCC_HOLD_WAIT (1<<1)
3402#define MWCC_OTHER_WAIT (1<<2)
3403
3404/*
3405 * Block until client connects
3406 */
3407static void
3409 volatile int *signal_received,
3410 const time_t expire,
3411 unsigned int flags)
3412{
3414 if (man->connection.state == MS_LISTEN)
3415 {
3416 if (flags & MWCC_PASSWORD_WAIT)
3417 {
3418 msg(D_MANAGEMENT, "Need password(s) from management interface, waiting...");
3419 }
3420 if (flags & MWCC_HOLD_WAIT)
3421 {
3422 msg(D_MANAGEMENT, "Need hold release from management interface, waiting...");
3423 }
3424 if (flags & MWCC_OTHER_WAIT)
3425 {
3426 msg(D_MANAGEMENT, "Need information from management interface, waiting...");
3427 }
3428 do
3429 {
3430 man_standalone_event_loop(man, signal_received, expire);
3431 if (signal_received && *signal_received)
3432 {
3433 break;
3434 }
3435 } while (man->connection.state == MS_LISTEN || man_password_needed(man));
3436 }
3437}
3438
3439/*
3440 * Process the management event loop for sec seconds
3441 */
3442void
3444{
3445 if (man_standalone_ok(man))
3446 {
3447 volatile int signal_received = 0;
3448 const bool standalone_disabled_save = man->persist.standalone_disabled;
3449 time_t expire = 0;
3450
3451 /* This is so M_CLIENT messages will be correctly passed through msg() */
3452 man->persist.standalone_disabled = false;
3453
3454 /* set expire time */
3455 update_time();
3456 if (sec >= 0)
3457 {
3458 expire = now + sec;
3459 }
3460
3461 /* if no client connection, wait for one */
3462 man_wait_for_client_connection(man, &signal_received, expire, 0);
3463 if (signal_received)
3464 {
3465 return;
3466 }
3467
3468 /* run command processing event loop */
3469 do
3470 {
3471 man_standalone_event_loop(man, &signal_received, expire);
3472 if (!signal_received)
3473 {
3474 man_check_for_signals(&signal_received);
3475 }
3476 if (signal_received)
3477 {
3478 return;
3479 }
3480 update_time();
3481 } while (expire && expire > now);
3482
3483 /* revert state */
3484 man->persist.standalone_disabled = standalone_disabled_save;
3485 }
3486 else if (sec > 0)
3487 {
3488 sleep(sec);
3489 }
3490}
3491
3492/*
3493 * Get a username/password from management channel in standalone mode.
3494 */
3495bool
3497 struct user_pass *up,
3498 const char *type,
3499 const unsigned int flags,
3500 const char *static_challenge)
3501{
3502 struct gc_arena gc = gc_new();
3503 bool ret = false;
3504
3505 if (man_standalone_ok(man))
3506 {
3507 volatile int signal_received = 0;
3508 const bool standalone_disabled_save = man->persist.standalone_disabled;
3509 struct buffer alert_msg = alloc_buf_gc(128, &gc);
3510 const char *alert_type = NULL;
3511 const char *prefix = NULL;
3512 unsigned int up_query_mode = 0;
3513 const char *sc = NULL;
3514 ret = true;
3515 /* This is so M_CLIENT messages will be correctly passed through msg() */
3516 man->persist.standalone_disabled = false;
3517 man->persist.special_state_msg = NULL;
3518
3519 CLEAR(man->connection.up_query);
3520
3521 if (flags & GET_USER_PASS_NEED_OK)
3522 {
3523 up_query_mode = UP_QUERY_NEED_OK;
3524 prefix = "NEED-OK";
3525 alert_type = "confirmation";
3526 }
3527 else if (flags & GET_USER_PASS_NEED_STR)
3528 {
3529 up_query_mode = UP_QUERY_NEED_STR;
3530 prefix = "NEED-STR";
3531 alert_type = "string";
3532 }
3533 else if (flags & GET_USER_PASS_PASSWORD_ONLY)
3534 {
3535 up_query_mode = UP_QUERY_PASS;
3536 prefix = "PASSWORD";
3537 alert_type = "password";
3538 }
3539 else
3540 {
3541 up_query_mode = UP_QUERY_USER_PASS;
3542 prefix = "PASSWORD";
3543 alert_type = "username/password";
3544 if (static_challenge)
3545 {
3547 }
3548 }
3549 buf_printf(&alert_msg, ">%s:Need '%s' %s",
3550 prefix,
3551 type,
3552 alert_type);
3553
3555 {
3556 buf_printf(&alert_msg, " MSG:%s", up->username);
3557 }
3558
3559 if (sc)
3560 {
3561 buf_printf(&alert_msg, " SC:%d,%s",
3564 sc);
3565 }
3566
3568 if (signal_received)
3569 {
3570 ret = false;
3571 }
3572
3573 if (ret)
3574 {
3575 man->persist.special_state_msg = BSTR(&alert_msg);
3576 msg(M_CLIENT, "%s", man->persist.special_state_msg);
3577
3578 /* tell command line parser which info we need */
3579 man->connection.up_query_mode = up_query_mode;
3580 man->connection.up_query_type = type;
3581
3582 /* run command processing event loop until we get our username/password/response */
3583 do
3584 {
3585 man_standalone_event_loop(man, &signal_received, 0);
3586 if (!signal_received)
3587 {
3588 man_check_for_signals(&signal_received);
3589 }
3590 if (signal_received)
3591 {
3592 ret = false;
3593 break;
3594 }
3595 } while (!man->connection.up_query.defined);
3596 }
3597
3598 /* revert state */
3599 man->connection.up_query_mode = UP_QUERY_DISABLED;
3600 man->connection.up_query_type = NULL;
3601 man->persist.standalone_disabled = standalone_disabled_save;
3602 man->persist.special_state_msg = NULL;
3603
3604 /* pass through blank passwords */
3605 if (!strcmp(man->connection.up_query.password, blank_up))
3606 {
3607 CLEAR(man->connection.up_query.password);
3608 }
3609
3610 /*
3611 * Transfer u/p to return object, zero any record
3612 * we hold in the management object.
3613 */
3614 if (ret)
3615 {
3616 /* preserve caller's settings */
3617 man->connection.up_query.nocache = up->nocache;
3618 *up = man->connection.up_query;
3619 }
3620 secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
3621 }
3622
3623 gc_free(&gc);
3624 return ret;
3625}
3626
3627static int
3629 const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3630{
3631 struct gc_arena gc = gc_new();
3632 int ret = 0;
3633 volatile int signal_received = 0;
3634 struct buffer alert_msg = clear_buf();
3635 const bool standalone_disabled_save = man->persist.standalone_disabled;
3636 struct man_connection *mc = &man->connection;
3637
3638 if (man_standalone_ok(man))
3639 {
3640 /* This is so M_CLIENT messages will be correctly passed through msg() */
3641 man->persist.standalone_disabled = false;
3642 man->persist.special_state_msg = NULL;
3643
3644 *state = EKS_SOLICIT;
3645
3646 if (b64_data)
3647 {
3648 alert_msg = alloc_buf_gc(strlen(b64_data)+strlen(prompt)+3, &gc);
3649 buf_printf(&alert_msg, ">%s:%s", prompt, b64_data);
3650 }
3651 else
3652 {
3653 alert_msg = alloc_buf_gc(strlen(prompt)+3, &gc);
3654 buf_printf(&alert_msg, ">%s", prompt);
3655 }
3656
3657 man_wait_for_client_connection(man, &signal_received, 0, MWCC_OTHER_WAIT);
3658
3659 if (signal_received)
3660 {
3661 goto done;
3662 }
3663
3664 man->persist.special_state_msg = BSTR(&alert_msg);
3666
3667 /* run command processing event loop until we get our signature */
3668 do
3669 {
3670 man_standalone_event_loop(man, &signal_received, 0);
3671 if (!signal_received)
3672 {
3673 man_check_for_signals(&signal_received);
3674 }
3675 if (signal_received)
3676 {
3677 goto done;
3678 }
3679 } while (*state != EKS_READY);
3680
3681 ret = 1;
3682 }
3683
3684done:
3685 if (*state == EKS_READY && ret)
3686 {
3687 msg(M_CLIENT, "SUCCESS: %s command succeeded", cmd);
3688 }
3689 else if (*state == EKS_INPUT || *state == EKS_READY)
3690 {
3691 msg(M_CLIENT, "ERROR: %s command failed", cmd);
3692 }
3693
3694 /* revert state */
3695 man->persist.standalone_disabled = standalone_disabled_save;
3696 man->persist.special_state_msg = NULL;
3698 *state = EKS_UNDEF;
3699
3700 gc_free(&gc);
3701 return ret;
3702}
3703
3704static char *
3705/* returns allocated base64 signature */
3707 const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3708{
3709 int ok;
3710 char *result = NULL;
3711 struct buffer *buf;
3712
3713 ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3714 if (ok && buffer_list_defined(*input))
3715 {
3717 buf = buffer_list_peek(*input);
3718 if (buf && BLEN(buf) > 0)
3719 {
3720 result = (char *) malloc(BLEN(buf)+1);
3722 memcpy(result, buf->data, BLEN(buf));
3723 result[BLEN(buf)] = '\0';
3724 }
3725 }
3726
3728 *input = NULL;
3729
3730 return result;
3731}
3732
3733static char *
3734/* returns allocated base64 signature */
3736 const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
3737{
3738 int ok;
3739 char *result = NULL;
3740 struct buffer *buf;
3741
3742 ok = management_query_multiline(man, b64_data, prompt, cmd, state, input);
3743 if (ok && buffer_list_defined(*input))
3744 {
3746 buf = buffer_list_peek(*input);
3747 if (buf && BLEN(buf) > 0)
3748 {
3749 result = (char *) malloc(BLEN(buf)+1);
3751 memcpy(result, buf->data, BLEN(buf));
3752 result[BLEN(buf)] = '\0';
3753 }
3754 }
3755
3757 *input = NULL;
3758
3759 return result;
3760}
3761
3762char *
3763/* returns allocated base64 signature */
3765 const char *algorithm)
3766{
3767 const char *prompt = "PK_SIGN";
3768 const char *desc = "pk-sign";
3770
3771 if (man->connection.client_version <= 1)
3772 {
3773 prompt = "RSA_SIGN";
3774 desc = "rsa-sign";
3775 }
3776
3778 if (man->connection.client_version > 2)
3779 {
3780 buf_write(&buf_data, ",", (int) strlen(","));
3782 }
3784 (char *)buf_bptr(&buf_data), prompt, desc,
3785 &man->connection.ext_key_state, &man->connection.ext_key_input);
3787 return ret;
3788}
3789
3790char *
3792{
3793 const char prompt_1[] = "NEED-CERTIFICATE:";
3794 struct buffer buf_prompt = alloc_buf(strlen(cert_name) + 20);
3796 buf_write(&buf_prompt, cert_name, strlen(cert_name)+1); /* +1 for \0 */
3797
3798 char *result;
3800 NULL, (char *)buf_bptr(&buf_prompt), "certificate",
3801 &man->connection.ext_cert_state, &man->connection.ext_cert_input);
3803 return result;
3804}
3805
3806/*
3807 * Return true if management_hold() would block
3808 */
3809bool
3811{
3812 return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok(man);
3813}
3814
3815/*
3816 * If the hold flag is enabled, hibernate until a management client releases the hold.
3817 * Return true if the caller should not sleep for an additional time interval.
3818 */
3819bool
3821{
3823 {
3824 volatile int signal_received = 0;
3825 const bool standalone_disabled_save = man->persist.standalone_disabled;
3826 struct gc_arena gc = gc_new();
3827
3828 man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3829 man->persist.special_state_msg = NULL;
3831
3832 man_wait_for_client_connection(man, &signal_received, 0, MWCC_HOLD_WAIT);
3833
3834 if (!signal_received)
3835 {
3836 struct buffer out = alloc_buf_gc(128, &gc);
3837 buf_printf(&out, ">HOLD:Waiting for hold release:%d", holdtime);
3838 man->persist.special_state_msg = BSTR(&out);
3839 msg(M_CLIENT, "%s", man->persist.special_state_msg);
3840
3841 /* run command processing event loop until we get our username/password */
3842 do
3843 {
3844 man_standalone_event_loop(man, &signal_received, 0);
3845 if (!signal_received)
3846 {
3847 man_check_for_signals(&signal_received);
3848 }
3849 if (signal_received)
3850 {
3851 break;
3852 }
3853 } while (!man->persist.hold_release);
3854 }
3855
3856 /* revert state */
3857 man->persist.standalone_disabled = standalone_disabled_save;
3858 man->persist.special_state_msg = NULL;
3859 man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP;
3860
3861 gc_free(&gc);
3862 return true;
3863 }
3864 return false;
3865}
3866
3867/*
3868 * struct command_line
3869 */
3870
3871struct command_line *
3873{
3874 struct command_line *cl;
3875 ALLOC_OBJ_CLEAR(cl, struct command_line);
3876 cl->buf = alloc_buf(buf_len);
3877 cl->residual = alloc_buf(buf_len);
3878 return cl;
3879}
3880
3881void
3883{
3884 buf_clear(&cl->buf);
3885 buf_clear(&cl->residual);
3886}
3887
3888void
3890{
3891 if (!cl)
3892 {
3893 return;
3894 }
3896 free_buf(&cl->buf);
3897 free_buf(&cl->residual);
3898 free(cl);
3899}
3900
3901void
3902command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
3903{
3904 int i;
3905 for (i = 0; i < len; ++i)
3906 {
3907 if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE)))
3908 {
3909 if (!buf_write_u8(&cl->buf, buf[i]))
3910 {
3911 buf_clear(&cl->buf);
3912 }
3913 }
3914 }
3915}
3916
3917const char *
3919{
3920 int i;
3921 const char *ret = NULL;
3922
3923 i = buf_substring_len(&cl->buf, '\n');
3924 if (i >= 0)
3925 {
3926 buf_copy_excess(&cl->residual, &cl->buf, i);
3927 buf_chomp(&cl->buf);
3928 ret = BSTR(&cl->buf);
3929 }
3930 return ret;
3931}
3932
3933void
3935{
3936 buf_clear(&cl->buf);
3937 buf_copy(&cl->buf, &cl->residual);
3938 buf_clear(&cl->residual);
3939}
3940
3941/*
3942 * struct log_entry
3943 */
3944
3945const char *
3946log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
3947{
3948 struct buffer out = alloc_buf_gc(ERR_BUF_SIZE, gc);
3949 if (flags & LOG_FATAL_NOTIFY)
3950 {
3951 buf_printf(&out, ">FATAL:");
3952 }
3953 if (flags & LOG_PRINT_LOG_PREFIX)
3954 {
3955 buf_printf(&out, ">LOG:");
3956 }
3957 if (flags & LOG_PRINT_ECHO_PREFIX)
3958 {
3959 buf_printf(&out, ">ECHO:");
3960 }
3961 if (flags & LOG_PRINT_STATE_PREFIX)
3962 {
3963 buf_printf(&out, ">STATE:");
3964 }
3965 if (flags & LOG_PRINT_INT_DATE)
3966 {
3967 buf_printf(&out, "%u,", (unsigned int)e->timestamp);
3968 }
3969 if (flags & LOG_PRINT_MSG_FLAGS)
3970 {
3971 buf_printf(&out, "%s,", msg_flags_string(e->u.msg_flags, gc));
3972 }
3973 if (flags & LOG_PRINT_STATE)
3974 {
3975 buf_printf(&out, "%s,", man_state_name(e->u.state));
3976 }
3977 if (flags & LOG_PRINT_INTVAL)
3978 {
3979 buf_printf(&out, "%d,", e->u.intval);
3980 }
3981 if (e->string)
3982 {
3983 buf_printf(&out, "%s", e->string);
3984 }
3985 if (flags & LOG_PRINT_LOCAL_IP)
3986 {
3987 buf_printf(&out, ",%s", print_in_addr_t(e->local_ip, IA_EMPTY_IF_UNDEF, gc));
3988 }
3989 if (flags & LOG_PRINT_REMOTE_IP)
3990 {
3991 buf_printf(&out, ",%s", (!addr_defined(&e->remote_sock) ? "," :
3992 print_sockaddr_ex(&e->remote_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc)));
3993 buf_printf(&out, ",%s", (!addr_defined(&e->local_sock) ? "," :
3994 print_sockaddr_ex(&e->local_sock.addr.sa, ",", PS_DONT_SHOW_FAMILY|PS_SHOW_PORT, gc)));
3995 }
3996 if (flags & LOG_PRINT_LOCAL_IP && !IN6_IS_ADDR_UNSPECIFIED(&e->local_ip6))
3997 {
3998 buf_printf(&out, ",%s", print_in6_addr(e->local_ip6, IA_EMPTY_IF_UNDEF, gc));
3999 }
4000 if (flags & LOG_ECHO_TO_LOG)
4001 {
4002 msg(D_MANAGEMENT, "MANAGEMENT: %s", BSTR(&out));
4003 }
4004 if (flags & LOG_PRINT_CRLF)
4005 {
4006 buf_printf(&out, "\r\n");
4007 }
4008 return BSTR(&out);
4009}
4010
4011static void
4013{
4014 /* Cast away constness of const char* */
4015 free((char *)e->string);
4016 CLEAR(*e);
4017}
4018
4019/*
4020 * struct log_history
4021 */
4022
4023static inline int
4024log_index(const struct log_history *h, int i)
4025{
4026 return modulo_add(h->base, i, h->capacity);
4027}
4028
4029static void
4031{
4032 CLEAR(*h);
4033 h->capacity = capacity;
4035}
4036
4037struct log_history *
4039{
4040 struct log_history *h;
4041 ASSERT(capacity > 0);
4042 ALLOC_OBJ(h, struct log_history);
4044 return h;
4045}
4046
4047static void
4049{
4050 int i;
4051 for (i = 0; i < h->size; ++i)
4052 {
4054 }
4055 free(h->array);
4056}
4057
4058void
4060{
4062 free(h);
4063}
4064
4065void
4066log_history_add(struct log_history *h, const struct log_entry *le)
4067{
4068 struct log_entry *e;
4069 ASSERT(h->size >= 0 && h->size <= h->capacity);
4070 if (h->size == h->capacity)
4071 {
4072 e = &h->array[h->base];
4074 h->base = log_index(h, 1);
4075 }
4076 else
4077 {
4078 e = &h->array[log_index(h, h->size)];
4079 ++h->size;
4080 }
4081
4082 *e = *le;
4083 e->string = string_alloc(le->string, NULL);
4084}
4085
4086void
4087log_history_resize(struct log_history *h, const int capacity)
4088{
4089 if (capacity != h->capacity)
4090 {
4091 struct log_history newlog;
4092 int i;
4093
4094 ASSERT(capacity > 0);
4096
4097 for (i = 0; i < h->size; ++i)
4098 {
4099 log_history_add(&newlog, &h->array[log_index(h, i)]);
4100 }
4101
4103 *h = newlog;
4104 }
4105}
4106
4107const struct log_entry *
4108log_history_ref(const struct log_history *h, const int index)
4109{
4110 if (index >= 0 && index < h->size)
4111 {
4112 return &h->array[log_index(h, (h->size - 1) - index)];
4113 }
4114 else
4115 {
4116 return NULL;
4117 }
4118}
4119
4120void
4122{
4123 if (n < 0)
4124 {
4125 return;
4126 }
4127 else if (management)
4128 {
4130 }
4131 else
4132 {
4133#ifdef _WIN32
4134 win32_sleep(n);
4135#else
4136 if (n > 0)
4137 {
4138 sleep(n);
4139 }
4140#endif
4141 }
4142}
4143
4144void
4145management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
4146{
4148 timeval, ETT_DEFAULT))
4149 {
4150 counter_type dco_read_bytes = 0;
4151 counter_type dco_write_bytes = 0;
4152
4153 if (dco_enabled(&c->options))
4154 {
4155 if (dco_get_peer_stats(c, true) < 0)
4156 {
4157 return;
4158 }
4159
4160 dco_read_bytes = c->c2.dco_read_bytes;
4161 dco_write_bytes = c->c2.dco_write_bytes;
4162 }
4163
4164 if (!(man->persist.callback.flags & MCF_SERVER))
4165 {
4166 man_bytecount_output_client(man, dco_read_bytes, dco_write_bytes);
4167 }
4168 }
4169}
4170
4171/* DCO resets stats on reconnect. Since client expects stats
4172 * to be preserved across reconnects, we need to save DCO
4173 * stats before tearing the tunnel down.
4174 */
4175void
4177{
4178 /* no need to raise SIGUSR1 since we are already closing the instance */
4179 if (dco_enabled(&c->options) && (dco_get_peer_stats(c, false) == 0))
4180 {
4182 }
4183}
4184
4185#else /* ifdef ENABLE_MANAGEMENT */
4186
4187#include "win32.h"
4188void
4189management_sleep(const int n)
4190{
4191#ifdef _WIN32
4192 win32_sleep(n);
4193#else
4194 if (n > 0)
4195 {
4196 sleep(n);
4197 }
4198#endif /* ifdef _WIN32 */
4199}
4200
4201#endif /* ENABLE_MANAGEMENT */
bool buffer_list_defined(const struct buffer_list *ol)
Checks if the list is valid and non-empty.
Definition buffer.c:1178
void buffer_list_advance(struct buffer_list *ol, int n)
Definition buffer.c:1322
void free_buf(struct buffer *buf)
Definition buffer.c:183
void buffer_list_aggregate_separator(struct buffer_list *bl, const size_t max_len, const char *sep)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition buffer.c:1253
void buf_clear(struct buffer *buf)
Definition buffer.c:162
void buffer_list_reset(struct buffer_list *ol)
Empty the list ol and frees all the contained buffers.
Definition buffer.c:1184
void buffer_list_aggregate(struct buffer_list *bl, const size_t max)
Aggregates as many buffers as possible from bl in a new buffer of maximum length max_len .
Definition buffer.c:1299
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1159
void chomp(char *str)
Definition buffer.c:614
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1240
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1168
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
void buffer_list_push(struct buffer_list *ol, const char *str)
Allocates and appends a new buffer containing str as data to ol.
Definition buffer.c:1199
void buf_chomp(struct buffer *buf)
Definition buffer.c:554
bool char_class(const unsigned char c, const unsigned int flags)
Definition buffer.c:877
int buf_substring_len(const struct buffer *buf, int delim)
Definition buffer.c:803
static uint8_t * buf_bptr(const struct buffer *buf)
Definition buffer.h:240
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1055
#define BSTR(buf)
Definition buffer.h:129
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition buffer.h:222
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
#define BPTR(buf)
Definition buffer.h:124
#define ALLOC_ARRAY_CLEAR(dptr, type, n)
Definition buffer.h:1076
static bool buf_copy_excess(struct buffer *dest, struct buffer *src, int len)
Definition buffer.h:753
#define CC_NEWLINE
newline
Definition buffer.h:897
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:668
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:692
#define BLEN(buf)
Definition buffer.h:127
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1103
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
#define CC_PRINT
printable (>= 32, != 127)
Definition buffer.h:891
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1060
static struct gc_arena gc_new(void)
Definition buffer.h:1025
uint64_t counter_type
Definition common.h:30
#define counter_format
Definition common.h:31
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:386
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:292
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:157
#define D_MANAGEMENT_DEBUG
Definition errlevel.h:138
#define M_INFO
Definition errlevel.h:55
#define D_MANAGEMENT
Definition errlevel.h:88
#define D_LINK_ERRORS
Definition errlevel.h:57
struct event_set * event_set_init(int *maxevents, unsigned int flags)
Definition event.c:1186
#define EVENT_METHOD_FAST
Definition event.h:83
static void event_free(struct event_set *es)
Definition event.h:160
static int event_wait(struct event_set *es, const struct timeval *tv, struct event_set_return *out, int outlen)
Definition event.h:187
#define EVENT_WRITE
Definition event.h:40
#define EVENT_READ
Definition event.h:39
static void event_reset(struct event_set *es)
Definition event.h:169
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:181
void set_nonblock(socket_descriptor_t fd)
Definition fdmisc.c:69
counter_type link_write_bytes_global
Definition forward.c:51
counter_type link_read_bytes_global
Definition forward.c:50
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition integer.h:63
static int min_int(int x, int y)
Definition integer.h:102
static int modulo_add(int x, int y, int mod)
Definition integer.h:161
static SERVICE_STATUS status
Definition interactive.c:52
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:43
#define ETT_DEFAULT
Definition interval.h:224
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:174
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:155
void management_check_bytecount(struct context *c, struct management *man, struct timeval *timeval)
Definition manage.c:4145
void management_pre_tunnel_close(struct management *man)
Definition manage.c:3084
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3093
void log_history_close(struct log_history *h)
Definition manage.c:4059
struct management * management
Definition manage.c:63
static void man_status(struct management *man, const int version, struct status_output *so)
Definition manage.c:479
static void man_up_finalize(struct management *man)
Definition manage.c:706
static bool man_io_error(struct management *man, const char *prefix)
Definition manage.c:2097
static void man_log(struct management *man, const char *parm)
Definition manage.c:672
static void man_reset_client_socket(struct management *man, const bool exiting)
Definition manage.c:2001
static void man_bytecount(struct management *man, const int update_seconds)
Definition manage.c:492
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2998
static void man_connect(struct management *man)
Definition manage.c:1931
#define MWCC_OTHER_WAIT
Definition manage.c:3402
static int man_write(struct management *man)
Definition manage.c:2347
void man_bytecount_output_server(const counter_type *bytes_in_total, const counter_type *bytes_out_total, struct man_def_auth_context *mdac)
Definition manage.c:524
static bool man_check_for_signals(volatile int *signal_received)
Definition manage.c:3287
static void man_output_list_push(struct management *man, const char *str)
Definition manage.c:266
void management_socket_set(struct management *man, struct event_set *es, void *arg, unsigned int *persistent)
Definition manage.c:3128
void command_line_free(struct command_line *cl)
Definition manage.c:3889
static int man_block(struct management *man, volatile int *signal_received, const time_t expire)
Definition manage.c:3304
static void man_certificate(struct management *man)
Definition manage.c:1214
void command_line_next(struct command_line *cl)
Definition manage.c:3934
static void man_net(struct management *man)
Definition manage.c:813
void management_clear_callback(struct management *man)
Definition manage.c:2741
static void man_persist_init(struct management *man, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size)
Definition manage.c:2402
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3791
static bool man_standalone_ok(const struct management *man)
Definition manage.c:3281
bool management_hold(struct management *man, int holdtime)
Definition manage.c:3820
static void man_settings_init(struct man_settings *ms, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2462
static int log_index(const struct log_history *h, int i)
Definition manage.c:4024
static void man_connection_clear(struct man_connection *mc)
Definition manage.c:2389
#define AF_DID_RESET
static void man_start_ne32(struct management *man)
Definition manage.c:1685
static void man_connection_settings_reset(struct management *man)
Definition manage.c:1712
static void man_help(void)
Definition manage.c:71
static void man_update_io_state(struct management *man)
Definition manage.c:227
static void man_check_password(struct management *man, const char *line)
Definition manage.c:197
static bool man_persist_state(unsigned int *persistent, const int n)
Definition manage.c:3112
static bool man_need(struct management *man, const char **p, const int n, unsigned int flags)
Checks if the correct number of arguments to a management command are present and otherwise prints an...
Definition manage.c:1258
static void man_connection_init(struct management *man)
Definition manage.c:2578
static bool env_filter_match(const char *env_str, const int env_filter_level)
Definition manage.c:2809
static void man_client_pending_auth(struct management *man, const char *cid_str, const char *kid_str, const char *extra, const char *timeout_str)
Will send a notification to the client that succesful authentication will require an additional step ...
Definition manage.c:1067
static void man_connection_close(struct management *man)
Definition manage.c:2623
static void man_query_password(struct management *man, const char *type, const char *string)
Definition manage.c:778
static void man_client_kill(struct management *man, const char *cid_str, const char *kill_msg)
Definition manage.c:1151
struct log_history * log_history_init(const int capacity)
Definition manage.c:4038
static void man_listen(struct management *man)
Definition manage.c:1854
static void man_stop_ne32(struct management *man)
Definition manage.c:1704
static void man_query_username(struct management *man, const char *type, const char *string)
Definition manage.c:770
#define MWCC_PASSWORD_WAIT
Definition manage.c:3400
static void man_dispatch_command(struct management *man, struct status_output *so, const char **p, const int nparms)
Definition manage.c:1338
static void virtual_output_callback_func(void *arg, const unsigned int flags, const char *str)
Definition manage.c:333
static void man_signal(struct management *man, const char *name)
Definition manage.c:446
static void man_prompt(struct management *man)
Definition manage.c:273
static void man_state(struct management *man, const char *parm)
Definition manage.c:694
static void man_client_deny(struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
Definition manage.c:1118
static void man_echo(struct management *man, const char *parm)
Definition manage.c:683
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3011
static char * management_query_multiline_flatten(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3735
static void man_proxy(struct management *man, const char **p)
Definition manage.c:1278
struct command_line * command_line_new(const int buf_len)
Definition manage.c:3872
struct management * management_init(void)
Definition manage.c:2652
static void in_extra_reset(struct man_connection *mc, const int mode)
Definition manage.c:963
void command_line_reset(struct command_line *cl)
Definition manage.c:3882
static void man_query_need_str(struct management *man, const char *type, const char *action)
Definition manage.c:798
bool management_would_hold(struct management *man)
Definition manage.c:3810
static int man_read(struct management *man)
Definition manage.c:2253
static void man_history(struct management *man, const char *parm, const char *type, struct log_history *log, bool *realtime, const unsigned int lep_flags)
Definition manage.c:626
bool management_query_user_pass(struct management *man, struct user_pass *up, const char *type, const unsigned int flags, const char *static_challenge)
Definition manage.c:3496
void command_line_add(struct command_line *cl, const unsigned char *buf, const int len)
Definition manage.c:3902
void log_history_add(struct log_history *h, const struct log_entry *le)
Definition manage.c:4066
static void log_entry_free_contents(struct log_entry *e)
Definition manage.c:4012
static void man_bytecount_output_client(struct management *man, counter_type dco_read_bytes, counter_type dco_write_bytes)
Definition manage.c:510
static int man_mod_signal(const struct management *man, const int signum)
Definition manage.c:420
#define MN_AT_LEAST
Definition manage.c:1246
void management_event_loop_n_seconds(struct management *man, int sec)
Definition manage.c:3443
static void man_persist_close(struct man_persist *mp)
Definition manage.c:2440
static void man_kill(struct management *man, const char *victim)
Definition manage.c:538
void management_close(struct management *man)
Definition manage.c:2723
static void man_pk_sig(struct management *man, const char *cmd_name)
Definition manage.c:1198
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2750
static void man_output_list_push_finalize(struct management *man)
Definition manage.c:243
static void man_load_stats(struct management *man)
Definition manage.c:1230
static bool man_password_needed(struct management *man)
Definition manage.c:191
static void set_client_version(struct management *man, const char *version)
Definition manage.c:1329
const char * log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
Definition manage.c:3946
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3106
static void man_accept(struct management *man)
Definition manage.c:1814
static void man_client_auth(struct management *man, const char *cid_str, const char *kid_str, const bool extra)
Definition manage.c:1100
static bool parse_cid(const char *str, unsigned long *cid)
Definition manage.c:1028
static void man_send_cc_message(struct management *man, const char *message, const char *parameters)
Definition manage.c:826
static void man_delete_unix_socket(struct management *man)
Definition manage.c:306
void management_io(struct management *man)
Definition manage.c:3168
static void man_wait_for_client_connection(struct management *man, volatile int *signal_received, const time_t expire, unsigned int flags)
Definition manage.c:3408
#define IER_NEW
Definition manage.c:960
static void man_output_peer_info_env(struct management *man, const struct man_def_auth_context *mdac)
Definition manage.c:2913
#define AF_DID_PUSH
bool management_open(struct management *man, const char *addr, const char *port, const char *pass_file, const char *client_user, const char *client_group, const int log_history_cache, const int echo_buffer_size, const int state_buffer_size, const int remap_sigusr1, const unsigned int flags)
Definition manage.c:2668
static void man_welcome(struct management *man)
Definition manage.c:180
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2907
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2987
static void man_query_need_ok(struct management *man, const char *type, const char *action)
Definition manage.c:791
static char * management_query_multiline_flatten_newline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3706
static void man_output_extra_env(struct management *man, const char *prefix)
Definition manage.c:2877
void man_persist_client_stats(struct management *man, struct context *c)
Definition manage.c:4176
static void man_new_connection_post(struct management *man, const char *description)
Definition manage.c:1725
static void log_history_obj_init(struct log_history *h, int capacity)
Definition manage.c:4030
static void report_command_status(const bool status, const char *command)
Small function to report the success or failure of a command to the management interface.
Definition manage.c:293
#define IER_RESET
Definition manage.c:959
static void man_close_socket(struct management *man, const socket_descriptor_t sd)
Definition manage.c:317
static bool parse_uint(const char *str, const char *what, unsigned int *uint)
Definition manage.c:1042
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2733
void management_notify_client_needing_auth(struct management *management, const unsigned int mda_key_id, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:2940
static void man_client_n_clients(struct management *man)
Definition manage.c:1176
static void man_output_standalone(struct management *man, volatile int *signal_received)
Definition manage.c:3363
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition manage.c:2964
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3028
static const char blank_up[]
Definition manage.c:61
static void man_remote_entry_get(struct management *man, const char *p1, const char *p2)
Definition manage.c:892
const struct log_entry * log_history_ref(const struct log_history *h, const int index)
Definition manage.c:4108
static void man_remote_entry_count(struct management *man)
Definition manage.c:876
static void man_settings_close(struct man_settings *ms)
Definition manage.c:2567
static void man_env_filter(struct management *man, const int level)
Definition manage.c:1190
#define MANAGEMENT_ECHO_FLAGS
Definition manage.c:57
static void man_output_list_push_str(struct management *man, const char *str)
Definition manage.c:257
void management_up_down(struct management *man, const char *updown, const struct env_set *es)
Definition manage.c:2891
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition manage.c:3764
static void man_remote(struct management *man, const char **p)
Definition manage.c:1292
static void man_forget_passwords(struct management *man)
Definition manage.c:805
static int man_standalone_event_loop(struct management *man, volatile int *signal_received, const time_t expire)
Definition manage.c:3386
static void man_process_command(struct management *man, const char *line)
Definition manage.c:2047
static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input)
Definition manage.c:3628
static void man_output_env(const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
Definition manage.c:2857
const char * command_line_get(struct command_line *cl)
Definition manage.c:3918
static void log_history_free_contents(struct log_history *h)
Definition manage.c:4048
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
Definition manage.c:4121
static const char * man_state_name(const int state)
Definition manage.c:131
void log_history_resize(struct log_history *h, const int capacity)
Definition manage.c:4087
static void in_extra_dispatch(struct management *man)
Definition manage.c:986
static void man_command_unsupported(const char *command_name)
Definition manage.c:473
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition manage.c:2901
#define MWCC_HOLD_WAIT
Definition manage.c:3401
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
Definition manage.c:3059
static void man_query_user_pass(struct management *man, const char *type, const char *string, const bool needed, const char *prompt, char *dest, int len)
Definition manage.c:736
static void man_hold(struct management *man, const char *cmd)
Definition manage.c:929
#define MANSIG_MAP_USR1_TO_TERM
Definition manage.h:262
#define MS_LISTEN
Definition manage.h:275
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:472
#define UP_QUERY_USER_PASS
Definition manage.h:268
#define OPENVPN_STATE_INITIAL
Definition manage.h:469
#define MF_FORGET_DISCONNECT
Definition manage.h:32
#define UP_QUERY_DISABLED
Definition manage.h:267
#define LOG_FATAL_NOTIFY
Definition manage.h:129
#define MS_INITIAL
Definition manage.h:274
#define MANAGEMENT_STATE_BUFFER_SIZE
Definition manage.h:59
#define MANAGEMENT_VERSION
Definition manage.h:55
#define OPENVPN_STATE_CONNECTING
Definition manage.h:470
#define EKS_SOLICIT
Definition manage.h:308
#define MS_CC_WAIT_WRITE
Definition manage.h:277
#define LOG_PRINT_REMOTE_IP
Definition manage.h:133
#define LOG_PRINT_STATE_PREFIX
Definition manage.h:121
#define OPENVPN_STATE_RECONNECTING
Definition manage.h:474
#define LOG_PRINT_INT_DATE
Definition manage.h:123
#define DAF_INITIAL_AUTH
Definition manage.h:69
#define IEC_PK_SIGN
Definition manage.h:302
#define MANSIG_MAP_USR1_TO_HUP
Definition manage.h:261
#define LOG_PRINT_ECHO_PREFIX
Definition manage.h:120
#define LOG_PRINT_LOCAL_IP
Definition manage.h:126
#define MANAGEMENT_ECHO_BUFFER_SIZE
Definition manage.h:58
#define DAF_CONNECTION_CLOSED
Definition manage.h:68
#define MCF_SERVER
Definition manage.h:177
#define OPENVPN_STATE_CLIENT_BASE
Definition manage.h:485
#define MS_CC_WAIT_READ
Definition manage.h:276
#define LOG_PRINT_STATE
Definition manage.h:125
#define OPENVPN_STATE_CONNECTED
Definition manage.h:473
#define OPENVPN_STATE_RESOLVE
Definition manage.h:481
#define LOG_ECHO_TO_LOG
Definition manage.h:135
#define UP_QUERY_NEED_STR
Definition manage.h:271
#define OPENVPN_STATE_EXITING
Definition manage.h:475
static bool management_connected(const struct management *man)
Definition manage.h:434
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
Definition manage.h:57
#define OPENVPN_STATE_AUTH_PENDING
Definition manage.h:483
static int log_history_size(const struct log_history *h)
Definition manage.h:158
#define IEC_UNDEF
Definition manage.h:297
#define IEC_CERTIFICATE
Definition manage.h:301
#define MANSIG_IGNORE_USR1_HUP
Definition manage.h:260
#define OPENVPN_STATE_AUTH
Definition manage.h:479
#define EKS_READY
Definition manage.h:310
static void management_bytes_client(struct management *man, const int size_in, const int size_out)
Definition manage.h:522
#define LOG_PRINT_LOG_PREFIX
Definition manage.h:119
#define OPENVPN_STATE_WAIT
Definition manage.h:478
#define LOG_PRINT_INTVAL
Definition manage.h:131
#define LOG_PRINT_CRLF
Definition manage.h:128
#define DAF_CONNECTION_ESTABLISHED
Definition manage.h:67
#define MF_SERVER
Definition manage.h:28
#define OPENVPN_STATE_ASSIGN_IP
Definition manage.h:471
#define MANAGEMENT_N_PASSWORD_RETRIES
Definition manage.h:56
#define MF_UP_DOWN
Definition manage.h:40
#define UP_QUERY_PASS
Definition manage.h:269
#define EKS_UNDEF
Definition manage.h:307
#define MF_HOLD
Definition manage.h:30
#define IEC_CLIENT_AUTH
Definition manage.h:298
#define MF_SIGNAL
Definition manage.h:31
#define UP_QUERY_NEED_OK
Definition manage.h:270
#define MF_UNIX_SOCK
Definition manage.h:36
#define OPENVPN_STATE_GET_CONFIG
Definition manage.h:480
#define MF_CONNECT_AS_CLIENT
Definition manage.h:33
#define OPENVPN_STATE_TCP_CONNECT
Definition manage.h:482
#define LOG_PRINT_MSG_FLAGS
Definition manage.h:124
#define EKS_INPUT
Definition manage.h:309
bool validate_peer_info_line(char *line)
Definition misc.c:733
#define USER_PASS_LEN
Definition misc.h:69
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:124
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:111
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:119
#define GET_USER_PASS_NEED_OK
Definition misc.h:112
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:152
#define GET_USER_PASS_NEED_STR
Definition misc.h:114
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition mroute.c:391
#define MAPF_SUBNET
Definition mroute.h:150
#define BOOL_CAST(x)
Definition basic.h:27
#define CLEAR(x)
Definition basic.h:33
#define SIZE(x)
Definition basic.h:30
int get_debug_level(void)
Definition error.c:137
bool set_mute_cutoff(const int cutoff)
Definition error.c:123
const char * msg_flags_string(const unsigned int flags, struct gc_arena *gc)
Definition error.c:783
int get_mute_cutoff(void)
Definition error.c:143
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:105
#define M_CLIENT
Definition error.h:107
static void msg_set_virtual_output(const struct virtual_output *vo)
Definition error.h:321
#define ERR_BUF_SIZE
Definition error.h:35
#define M_FATAL
Definition error.h:89
static bool ignore_sys_error(const int err, bool crt_error)
Definition error.h:337
#define M_ERR
Definition error.h:105
#define msg(flags,...)
Definition error.h:144
static int openvpn_errno_maybe_crt(bool *crt_error)
Definition error.h:375
#define ASSERT(x)
Definition error.h:195
#define M_WARN
Definition error.h:91
#define M_ERRNO
Definition error.h:94
bool auth_retry_set(const int msglevel, const char *option)
Definition options.c:4835
const char * auth_retry_print(void)
Definition options.c:4858
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:5022
const char title_string[]
Definition options.c:69
#define streq(x, y)
Definition options.h:726
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
#define MAX_PARMS
Definition options.h:52
time_t now
Definition otime.c:34
static void update_time(void)
Definition otime.h:77
unsigned int platform_getpid(void)
Definition platform.c:333
bool platform_user_get(const char *username, struct platform_state_user *state)
Definition platform.c:79
bool platform_group_get(const char *groupname, struct platform_state_group *state)
Definition platform.c:123
static int platform_state_user_uid(const struct platform_state_user *s)
Definition platform.h:97
static int platform_state_group_gid(const struct platform_state_group *s)
Definition platform.h:106
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition sig.c:206
const char * signal_name(const int sig, const bool upper)
Definition sig.c:93
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:177
int parse_signal(const char *signame)
Definition sig.c:66
static void get_signal(volatile int *sig)
Copy the global signal_received (if non-zero) to the passed-in argument sig.
Definition sig.h:110
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket.c:3225
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition socket.c:469
const char * print_sockaddr_ex(const struct sockaddr *sa, const char *separator, const unsigned int flags, struct gc_arena *gc)
Definition socket.c:2845
void sd_close(socket_descriptor_t *sd)
Definition socket.c:4066
socket_descriptor_t socket_do_accept(socket_descriptor_t sd, struct link_socket_actual *act, const bool nowait)
Definition socket.c:1268
int openvpn_connect(socket_descriptor_t sd, const struct sockaddr *remote, int connect_timeout, volatile int *signal_received)
Definition socket.c:1488
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3027
void socket_bind(socket_descriptor_t sd, struct addrinfo *local, int ai_family, const char *prefix, bool ipv6only)
Definition socket.c:1434
socket_descriptor_t create_socket_tcp(struct addrinfo *addrinfo)
Definition socket.c:1053
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3007
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
#define IA_EMPTY_IF_UNDEF
Definition socket.h:401
static const char * print_sockaddr(const struct sockaddr *addr, struct gc_arena *gc)
Definition socket.h:384
#define GETADDR_MSG_VIRT_OUT
Definition socket.h:523
#define GETADDR_PASSIVE
Definition socket.h:527
#define GETADDR_FATAL
Definition socket.h:518
#define PS_SHOW_PORT
Definition socket.h:364
@ PROTO_NONE
Definition socket.h:567
@ PROTO_UDP
Definition socket.h:568
@ PROTO_TCP_SERVER
Definition socket.h:570
#define GETADDR_HOST_ORDER
Definition socket.h:519
#define MSG_NOSIGNAL
Definition socket.h:272
static bool addr_defined(const struct openvpn_sockaddr *addr)
Definition socket.h:661
#define GETADDR_RESOLVE
Definition socket.h:517
#define PS_DONT_SHOW_FAMILY
Definition socket.h:367
#define openvpn_close_socket(s)
Definition socket.h:277
#define GETADDR_WARN_ON_SIGNAL
Definition socket.h:522
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:392
bool ssl_clean_auth_token(void)
Definition ssl.c:381
Control Channel SSL/Data channel negotiation module.
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:61
bool status_close(struct status_output *so)
Definition status.c:188
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:62
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
struct buffer residual
Definition manage.h:83
struct buffer buf
Definition manage.h:82
counter_type dco_read_bytes
Definition openvpn.h:269
counter_type dco_write_bytes
Definition openvpn.h:272
Contains all state information for one tunnel.
Definition openvpn.h:476
struct context_2 c2
Level 2 context.
Definition openvpn.h:516
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:477
char * string
Definition env_set.h:38
struct env_item * next
Definition env_set.h:39
struct env_item * list
Definition env_set.h:44
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
Definition manage.h:109
struct in6_addr local_ip6
Definition manage.h:113
struct openvpn_sockaddr local_sock
Definition manage.h:114
struct openvpn_sockaddr remote_sock
Definition manage.h:115
time_t timestamp
Definition manage.h:110
const char * string
Definition manage.h:111
in_addr_t local_ip
Definition manage.h:112
union log_entry_union u
Definition manage.h:116
int capacity
Definition manage.h:143
struct log_entry * array
Definition manage.h:144
struct event_set * es
Definition manage.h:315
unsigned long in_extra_cid
Definition manage.h:305
const char * up_query_type
Definition manage.h:324
bool password_verified
Definition manage.h:291
int env_filter_level
Definition manage.h:316
struct user_pass up_query
Definition manage.h:326
socket_descriptor_t sd_top
Definition manage.h:282
struct buffer_list * ext_cert_input
Definition manage.h:314
struct command_line * in
Definition manage.h:294
unsigned int in_extra_kid
Definition manage.h:306
struct openvpn_sockaddr remote
Definition manage.h:284
socket_descriptor_t sd_cli
Definition manage.h:283
struct buffer_list * ext_key_input
Definition manage.h:312
int up_query_mode
Definition manage.h:325
int bytecount_update_seconds
Definition manage.h:321
int in_extra_cmd
Definition manage.h:303
struct buffer_list * in_extra
Definition manage.h:304
bool echo_realtime
Definition manage.h:320
bool state_realtime
Definition manage.h:318
struct event_timeout bytecount_update_interval
Definition manage.h:322
int ext_cert_state
Definition manage.h:313
struct buffer_list * out
Definition manage.h:295
int password_tries
Definition manage.h:292
int client_version
Definition manage.h:332
bool log_realtime
Definition manage.h:319
struct net_event_win32 ne32
Definition manage.h:287
int ext_key_state
Definition manage.h:311
unsigned long cid
Definition manage.h:65
time_t bytecount_last_update
Definition manage.h:74
unsigned int flags
Definition manage.h:70
counter_type bytes_in
Definition manage.h:240
struct log_history * state
Definition manage.h:234
struct management_callback callback
Definition manage.h:231
struct log_history * log
Definition manage.h:227
struct virtual_output vout
Definition manage.h:228
bool standalone_disabled
Definition manage.h:230
bool defined
Definition manage.h:225
bool hold_release
Definition manage.h:236
struct log_history * echo
Definition manage.h:233
const char * special_state_msg
Definition manage.h:238
counter_type bytes_out
Definition manage.h:241
bool management_over_tunnel
Definition manage.h:251
struct addrinfo * local
Definition manage.h:247
unsigned int flags
Definition manage.h:246
int echo_buffer_size
Definition manage.h:254
int client_uid
Definition manage.h:256
unsigned int mansig
Definition manage.h:263
int state_buffer_size
Definition manage.h:255
bool defined
Definition manage.h:245
int client_gid
Definition manage.h:257
int log_history_cache
Definition manage.h:253
struct user_pass up
Definition manage.h:252
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:200
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:188
void(* delete_event)(void *arg, event_t event)
Definition manage.h:184
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition manage.h:183
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:195
int(* n_clients)(void *arg)
Definition manage.h:185
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:180
bool(* remote_entry_get)(void *arg, unsigned int index, char **remote)
Definition manage.h:207
unsigned int(* remote_entry_count)(void *arg)
Definition manage.h:206
bool(* send_cc_message)(void *arg, const char *message, const char *parameter)
Definition manage.h:186
bool(* proxy_cmd)(void *arg, const char **p)
Definition manage.h:201
unsigned int flags
Definition manage.h:178
bool(* remote_cmd)(void *arg, const char **p)
Definition manage.h:202
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:182
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:187
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:181
struct man_persist persist
Definition manage.h:337
struct man_connection connection
Definition manage.h:339
struct man_settings settings
Definition manage.h:338
bool defined
Definition misc.h:58
char password[USER_PASS_LEN]
Definition misc.h:73
bool nocache
Definition misc.h:62
char username[USER_PASS_LEN]
Definition misc.h:72
unsigned int flags_default
Definition status.h:34
void * arg
Definition status.h:33
void(* func)(void *arg, const unsigned int flags, const char *str)
Definition status.h:35
#define SOCKET_UNDEFINED
Definition syshead.h:437
SOCKET socket_descriptor_t
Definition syshead.h:439
#define sleep(x)
Definition syshead.h:43
static int socket_defined(const socket_descriptor_t sd)
Definition syshead.h:447
struct env_set * es
struct gc_arena gc
Definition test_ssl.c:155
unsigned int msg_flags
Definition manage.h:103
int state
Definition manage.h:104
int intval
Definition manage.h:105
void net_event_win32_init(struct net_event_win32 *ne)
Definition win32.c:324
void net_event_win32_close(struct net_event_win32 *ne)
Definition win32.c:375
void net_event_win32_reset_write(struct net_event_win32 *ne)
Definition win32.c:340
void net_event_win32_start(struct net_event_win32 *ne, long network_events, socket_descriptor_t sd)
Definition win32.c:331
void win32_sleep(const int n)
Definition win32.c:1515
void net_event_win32_reset(struct net_event_win32 *ne)
Definition win32.c:358
void net_event_win32_stop(struct net_event_win32 *ne)
Definition win32.c:364
static long net_event_win32_get_event_mask(const struct net_event_win32 *ne)
Definition win32.h:139
static void net_event_win32_clear_selected_events(struct net_event_win32 *ne, long selected_events)
Definition win32.h:145
static struct rw_handle * net_event_win32_get_event(struct net_event_win32 *ne)
Definition win32.h:133