OpenVPN
multi.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#ifdef HAVE_SYS_INOTIFY_H
28#include <sys/inotify.h>
29#define INOTIFY_EVENT_BUFFER_SIZE 16384
30#endif
31
32#include "syshead.h"
33
34#include "forward.h"
35#include "multi.h"
36#include "push.h"
37#include "run_command.h"
38#include "otime.h"
39#include "gremlin.h"
40#include "mstats.h"
41#include "ssl_verify.h"
42#include "ssl_ncp.h"
43#include "vlan.h"
44#include "auth_token.h"
45#include <inttypes.h>
46#include <string.h>
47
48#include "memdbg.h"
49
50
51#include "crypto_backend.h"
52#include "ssl_util.h"
53#include "dco.h"
54#include "reflect_filter.h"
55
56/*#define MULTI_DEBUG_EVENT_LOOP*/
57
58#ifdef MULTI_DEBUG_EVENT_LOOP
59static const char *
60id(struct multi_instance *mi)
61{
62 if (mi)
63 {
64 return tls_common_name(mi->context.c2.tls_multi, false);
65 }
66 else
67 {
68 return "NULL";
69 }
70}
71#endif
72
73#ifdef ENABLE_MANAGEMENT
74static void
75set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
76{
78 mi->cc_config = cc_config;
79}
80#endif
81
82static inline void
83update_mstat_n_clients(const int n_clients)
84{
85#ifdef ENABLE_MEMSTATS
86 if (mmap_stats)
87 {
88 mmap_stats->n_clients = n_clients;
89 }
90#endif
91}
92
93static bool
94learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op,
95 const struct mroute_addr *addr)
96{
97 struct gc_arena gc = gc_new();
98 struct env_set *es;
99 bool ret = true;
100 struct plugin_list *plugins;
101
102 /* get environmental variable source */
103 if (mi && mi->context.c2.es)
104 {
105 es = mi->context.c2.es;
106 }
107 else
108 {
109 es = env_set_create(&gc);
110 }
111
112 /* get plugin source */
113 if (mi)
114 {
115 plugins = mi->context.plugins;
116 }
117 else
118 {
119 plugins = m->top.plugins;
120 }
121
122 if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
123 {
124 struct argv argv = argv_new();
125 argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
126 if (mi)
127 {
129 }
130 if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es)
131 != OPENVPN_PLUGIN_FUNC_SUCCESS)
132 {
133 msg(M_WARN, "WARNING: learn-address plugin call failed");
134 ret = false;
135 }
136 argv_free(&argv);
137 }
138
140 {
141 struct argv argv = argv_new();
142 setenv_str(es, "script_type", "learn-address");
144 argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
145 if (mi)
146 {
148 }
149 if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
150 {
151 ret = false;
152 }
153 argv_free(&argv);
154 }
155
156 gc_free(&gc);
157 return ret;
158}
159
160void
162{
163 /* write pool data to file */
166 {
168 }
169}
170
171static void
172multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
173{
174 struct gc_arena gc = gc_new();
175 struct hash_iterator hi;
176 struct hash_element *he;
177
178 if (start_bucket < 0)
179 {
180 start_bucket = 0;
181 end_bucket = hash_n_buckets(m->vhash);
182 }
183
184 dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
185 hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
186 while ((he = hash_iterator_next(&hi)) != NULL)
187 {
188 struct multi_route *r = (struct multi_route *)he->value;
189 if (!multi_route_defined(m, r))
190 {
191 dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc));
192 learn_address_script(m, NULL, "delete", &r->addr);
195 }
196 }
198 gc_free(&gc);
199}
200
201static void
203{
204 multi_reap_range(m, -1, 0);
205}
206
207static struct multi_reap *
209{
210 struct multi_reap *mr;
211 ALLOC_OBJ(mr, struct multi_reap);
212 mr->bucket_base = 0;
214 mr->last_call = now;
215 return mr;
216}
217
218void
220{
221 struct multi_reap *mr = m->reaper;
222 if (mr->bucket_base >= hash_n_buckets(m->vhash))
223 {
224 mr->bucket_base = 0;
225 }
227 mr->bucket_base += mr->buckets_per_pass;
228 mr->last_call = now;
229}
230
231static void
233{
234 free(mr);
235}
236
237/*
238 * How many buckets in vhash to reap per pass.
239 */
240static int
242{
243 return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
244}
245
246#ifdef ENABLE_MANAGEMENT
247
248static uint32_t
249cid_hash_function(const void *key, uint32_t iv)
250{
251 const unsigned long *k = (const unsigned long *)key;
252 return (uint32_t)*k;
253}
254
255static bool
256cid_compare_function(const void *key1, const void *key2)
257{
258 const unsigned long *k1 = (const unsigned long *)key1;
259 const unsigned long *k2 = (const unsigned long *)key2;
260 return *k1 == *k2;
261}
262
263#endif
264
265#ifdef ENABLE_ASYNC_PUSH
266static uint32_t
267/*
268 * inotify watcher descriptors are used as hash value
269 */
270int_hash_function(const void *key, uint32_t iv)
271{
272 return (unsigned long)key;
273}
274
275static bool
276int_compare_function(const void *key1, const void *key2)
277{
278 return (unsigned long)key1 == (unsigned long)key2;
279}
280#endif
281
282/*
283 * Main initialization function, init multi_context object.
284 */
285static void
287{
288 struct multi_context *m = t->multi;
289 int dev = DEV_TYPE_UNDEF;
290
291 msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
293
294 /*
295 * Get tun/tap/null device type
296 */
298
299 /*
300 * Init our multi_context object.
301 */
302 CLEAR(*m);
303
304 /*
305 * Real address hash table (source port number is
306 * considered to be part of the address). Used
307 * to determine which client sent an incoming packet
308 * which is seen on the TCP/UDP socket.
309 */
312
313 /*
314 * Virtual address hash table. Used to determine
315 * which client to route a packet to.
316 */
319
320 /*
321 * This hash table is a clone of m->hash but with a
322 * bucket size of one so that it can be used
323 * for fast iteration through the list.
324 */
326
327#ifdef ENABLE_MANAGEMENT
329#endif
330
331#ifdef ENABLE_ASYNC_PUSH
332 /*
333 * Mapping between inotify watch descriptors and
334 * multi_instances.
335 */
336 m->inotify_watchers =
337 hash_init(t->options.real_hash_size, get_random(), int_hash_function, int_compare_function);
338#endif
339
340 /*
341 * This is our scheduler, for time-based wakeup
342 * events.
343 */
344 m->schedule = schedule_init();
345
346 /*
347 * Limit frequency of incoming connections to control
348 * DoS.
349 */
353
354 /*
355 * Allocate broadcast/multicast buffer list
356 */
358
359 /*
360 * Different status file format options are available
361 */
363
364 /*
365 * Possibly allocate an ifconfig pool, do it
366 * differently based on whether a tun or tap style
367 * tunnel.
368 */
370 {
372
373 if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
374 {
376 }
377
383
384 /* reload pool data from file */
386 {
388 }
389 }
390
391 /*
392 * Help us keep track of routing table.
393 */
395
396 /*
397 * Initialize route and instance reaper.
398 */
400
401 /*
402 * Get local ifconfig address
403 */
404 CLEAR(m->local);
405 ASSERT(t->c1.tuntap);
407
408 /*
409 * Per-client limits
410 */
412
413 m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
414
415 m->top.c2.event_set = t->c2.event_set;
416
417 /*
418 * Initialize multi-socket I/O wait object
419 */
422
423 /*
424 * Allow client <-> client communication, without going through
425 * tun/tap interface and network stack?
426 */
428
429 /* initialize stale routes check timer */
431 {
432 msg(M_INFO,
433 "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
436 }
437
439}
440
441const char *
442multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
443{
444 if (mi)
445 {
447 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
448
449 if (cn)
450 {
451 buf_printf(&out, "%s/", cn);
452 }
453 buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
455 && dco_enabled(&mi->context.options))
456 {
457 buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
458 }
459 return BSTR(&out);
460 }
461 else if (null)
462 {
463 return NULL;
464 }
465 else
466 {
467 return "UNDEF";
468 }
469}
470
471static void
473{
474 struct gc_arena gc = gc_new();
475 const char *prefix = multi_instance_string(mi, true, &gc);
476 if (prefix)
477 {
478 strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
479 }
480 else
481 {
482 mi->msg_prefix[0] = '\0';
483 }
484 set_prefix(mi);
485 gc_free(&gc);
486}
487
488void
490{
491 mi->msg_prefix[0] = '\0';
492 set_prefix(mi);
493}
494
495/*
496 * Tell the route helper about deleted iroutes so
497 * that it can update its mask of currently used
498 * CIDR netlengths.
499 */
500static void
502{
503 const struct iroute *ir;
504 const struct iroute_ipv6 *ir6;
505
506 dco_delete_iroutes(m, mi);
507
509 {
510 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
511 {
513 }
514
515 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
516 {
518 }
519 }
520}
521
522static void
523setenv_stats(struct multi_context *m, struct context *c)
524{
525 if (dco_enabled(&m->top.options))
526 {
527 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, false) < 0)
528 {
529 return;
530 }
531 }
532
533 setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
534 setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
535}
536
537static void
539{
540 /* setenv client real IP address */
542
543 /* setenv stats */
544 setenv_stats(m, &mi->context);
545
546 /* setenv connection duration */
547 setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
548}
549
550static void
552{
554
555 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
556 {
557 if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL,
558 mi->context.c2.es)
559 != OPENVPN_PLUGIN_FUNC_SUCCESS)
560 {
561 msg(M_WARN, "WARNING: client-disconnect plugin call failed");
562 }
563 }
564
566 {
567 struct argv argv = argv_new();
568 setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
570 openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
571 argv_free(&argv);
572 }
573#ifdef ENABLE_MANAGEMENT
574 if (management)
575 {
577 }
578#endif
579}
580
581void
582multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
583{
585
586 ASSERT(!mi->halt);
587 mi->halt = true;
588 bool is_dgram = proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto);
589
590 dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
591
592 /* adjust current client connection count */
593 m->n_clients += mi->n_clients_delta;
595 mi->n_clients_delta = 0;
596
597 /* prevent dangling pointers */
598 if (m->pending == mi)
599 {
600 multi_set_pending(m, NULL);
601 }
602 if (m->earliest_wakeup == mi)
603 {
604 m->earliest_wakeup = NULL;
605 }
606
607 if (!shutdown)
608 {
609 if (mi->did_real_hash)
610 {
611 ASSERT(hash_remove(m->hash, &mi->real));
612 }
613 if (mi->did_iter)
614 {
615 ASSERT(hash_remove(m->iter, &mi->real));
616 }
617#ifdef ENABLE_MANAGEMENT
618 if (mi->did_cid_hash)
619 {
621 }
622#endif
623
624#ifdef ENABLE_ASYNC_PUSH
625 if (mi->inotify_watch != -1)
626 {
627 hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
628 mi->inotify_watch = -1;
629 }
630#endif
631
633 {
634 m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
635 }
636
638
639 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
640
641 if (mi->did_iroutes)
642 {
643 multi_del_iroutes(m, mi);
644 mi->did_iroutes = false;
645 }
646
647 if (!is_dgram)
648 {
650 }
651
653 }
654
655#ifdef ENABLE_MANAGEMENT
656 set_cc_config(mi, NULL);
657#endif
658
660 {
662 }
663
664 close_context(&mi->context, SIGTERM, CC_GC_FREE);
665
667
669
670 /*
671 * Don't actually delete the instance memory allocation yet,
672 * because virtual routes may still point to it. Let the
673 * vhash reaper deal with it.
674 */
676
677 perf_pop();
678}
679
680/*
681 * Called on shutdown or restart.
682 */
683static void
685{
686 if (m->hash)
687 {
688 struct hash_iterator hi;
689 struct hash_element *he;
690
691 hash_iterator_init(m->iter, &hi);
692 while ((he = hash_iterator_next(&hi)))
693 {
694 struct multi_instance *mi = (struct multi_instance *)he->value;
695 mi->did_iter = false;
696 multi_close_instance(m, mi, true);
697 }
699
701
702 hash_free(m->hash);
703 hash_free(m->vhash);
704 hash_free(m->iter);
705#ifdef ENABLE_MANAGEMENT
707#endif
708 m->hash = NULL;
709
710 free(m->instances);
711
712#ifdef ENABLE_ASYNC_PUSH
713 hash_free(m->inotify_watchers);
714 m->inotify_watchers = NULL;
715#endif
716
718 mbuf_free(m->mbuf);
725 }
726}
727
728/*
729 * Create a client instance object for a newly connected client.
730 */
731struct multi_instance *
733 struct link_socket *sock)
734{
735 struct gc_arena gc = gc_new();
736 struct multi_instance *mi;
737
739
740 msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
741
743
744 mi->gc = gc_new();
746 mi->vaddr_handle = -1;
747 mi->created = now;
749
750 if (real)
751 {
752 mi->real = *real;
753 generate_prefix(mi);
754 }
755
756 inherit_context_child(&mi->context, &m->top, sock);
757 if (IS_SIG(&mi->context))
758 {
759 goto err;
760 }
761
763
764 if (hash_n_elements(m->hash) >= m->max_clients)
765 {
767 "MULTI: new incoming connection would exceed maximum number of clients (%d)",
768 m->max_clients);
769 goto err;
770 }
771
772 if (!real) /* TCP mode? */
773 {
775 {
776 goto err;
777 }
778 generate_prefix(mi);
779 }
780
781 if (!hash_add(m->iter, &mi->real, mi, false))
782 {
783 msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
784 mroute_addr_print(&mi->real, &gc));
785 goto err;
786 }
787 mi->did_iter = true;
788
789#ifdef ENABLE_MANAGEMENT
790 do
791 {
793 } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
794 mi->did_cid_hash = true;
795#endif
796
797 mi->context.c2.push_request_received = false;
798#ifdef ENABLE_ASYNC_PUSH
799 mi->inotify_watch = -1;
800#endif
801
803 {
804 msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
805 goto err;
806 }
807
809 mi->ev_arg.u.mi = mi;
810
811 perf_pop();
812 gc_free(&gc);
813 return mi;
814
815err:
816 multi_close_instance(m, mi, false);
817 perf_pop();
818 gc_free(&gc);
819 return NULL;
820}
821
822/*
823 * Dump tables -- triggered by SIGUSR2.
824 * If status file is defined, write to file.
825 * If status file is NULL, write to syslog.
826 */
827static void
828multi_print_status(struct multi_context *m, struct status_output *so, const int version)
829{
830 if (m->hash)
831 {
832 struct gc_arena gc_top = gc_new();
833 struct hash_iterator hi;
834 const struct hash_element *he;
835
836 status_reset(so);
837
838 if (dco_enabled(&m->top.options))
839 {
840 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, true) < 0)
841 {
842 return;
843 }
844 }
845
846 if (version == 1)
847 {
848 /*
849 * Status file version 1
850 */
851 status_printf(so, "OpenVPN CLIENT LIST");
852 status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
853 status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
854 hash_iterator_init(m->hash, &hi);
855 while ((he = hash_iterator_next(&hi)))
856 {
857 struct gc_arena gc = gc_new();
858 const struct multi_instance *mi = (struct multi_instance *)he->value;
859
860 if (!mi->halt)
861 {
862 status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
864 mroute_addr_print(&mi->real, &gc),
867 time_string(mi->created, 0, false, &gc));
868 }
869 gc_free(&gc);
870 }
872
873 status_printf(so, "ROUTING TABLE");
874 status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
875 hash_iterator_init(m->vhash, &hi);
876 while ((he = hash_iterator_next(&hi)))
877 {
878 struct gc_arena gc = gc_new();
879 const struct multi_route *route = (struct multi_route *)he->value;
880
882 {
883 const struct multi_instance *mi = route->instance;
884 const struct mroute_addr *ma = &route->addr;
885 char flags[2] = { 0, 0 };
886
887 if (route->flags & MULTI_ROUTE_CACHE)
888 {
889 flags[0] = 'C';
890 }
891 status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags,
893 mroute_addr_print(&mi->real, &gc),
894 time_string(route->last_reference, 0, false, &gc));
895 }
896 gc_free(&gc);
897 }
899
900 status_printf(so, "GLOBAL STATS");
901 if (m->mbuf)
902 {
903 status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf));
904 }
905
906 status_printf(so, "END");
907 }
908 else if (version == 2 || version == 3)
909 {
910 const char sep = (version == 3) ? '\t' : ',';
911
912 /*
913 * Status file version 2 and 3
914 */
915 status_printf(so, "TITLE%c%s", sep, title_string);
916 status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep,
917 (unsigned int)now);
919 so,
920 "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
921 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
922 hash_iterator_init(m->hash, &hi);
923 while ((he = hash_iterator_next(&hi)))
924 {
925 struct gc_arena gc = gc_new();
926 const struct multi_instance *mi = (struct multi_instance *)he->value;
927
928 if (!mi->halt)
929 {
931 so,
932 "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format
933 "%c%s%c%u%c%s%c"
934#ifdef ENABLE_MANAGEMENT
935 "%lu"
936#else
937 ""
938#endif
939 "%c%" PRIu32 "%c%s",
940 sep, tls_common_name(mi->context.c2.tls_multi, false), sep,
941 mroute_addr_print(&mi->real, &gc), sep,
946 time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created,
947 sep, tls_username(mi->context.c2.tls_multi, false),
948#ifdef ENABLE_MANAGEMENT
949 sep, mi->context.c2.mda_context.cid,
950#else
951 sep,
952#endif
953 sep,
954 mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
956 }
957 gc_free(&gc);
958 }
960
962 so,
963 "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
964 sep, sep, sep, sep, sep, sep);
965 hash_iterator_init(m->vhash, &hi);
966 while ((he = hash_iterator_next(&hi)))
967 {
968 struct gc_arena gc = gc_new();
969 const struct multi_route *route = (struct multi_route *)he->value;
970
972 {
973 const struct multi_instance *mi = route->instance;
974 const struct mroute_addr *ma = &route->addr;
975 char flags[2] = { 0, 0 };
976
977 if (route->flags & MULTI_ROUTE_CACHE)
978 {
979 flags[0] = 'C';
980 }
981 status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep,
982 mroute_addr_print(ma, &gc), flags, sep,
984 mroute_addr_print(&mi->real, &gc), sep,
985 time_string(route->last_reference, 0, false, &gc), sep,
986 (unsigned int)route->last_reference);
987 }
988 gc_free(&gc);
989 }
991
992 if (m->mbuf)
993 {
994 status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep,
995 mbuf_maximum_queued(m->mbuf));
996 }
997
998 status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep,
999 dco_enabled(&m->top.options));
1000 status_printf(so, "END");
1001 }
1002 else
1003 {
1004 status_printf(so, "ERROR: bad status format version number");
1005 }
1006
1007#ifdef PACKET_TRUNCATION_CHECK
1008 {
1009 status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1010 hash_iterator_init(m->hash, &hi);
1011 while ((he = hash_iterator_next(&hi)))
1012 {
1013 struct gc_arena gc = gc_new();
1014 const struct multi_instance *mi = (struct multi_instance *)he->value;
1015
1016 if (!mi->halt)
1017 {
1018 status_printf(so,
1019 "ERRORS,%s," counter_format "," counter_format "," counter_format
1020 "," counter_format,
1021 tls_common_name(mi->context.c2.tls_multi, false),
1022 m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write,
1023 mi->context.c2.n_trunc_pre_encrypt,
1024 mi->context.c2.n_trunc_post_decrypt);
1025 }
1026 gc_free(&gc);
1027 }
1028 hash_iterator_free(&hi);
1029 }
1030#endif /* ifdef PACKET_TRUNCATION_CHECK */
1031
1032 status_flush(so);
1033 gc_free(&gc_top);
1034 }
1035
1036#ifdef ENABLE_ASYNC_PUSH
1037 if (m->inotify_watchers)
1038 {
1039 msg(D_MULTI_DEBUG, "inotify watchers count: %d", hash_n_elements(m->inotify_watchers));
1040 }
1041#endif
1042}
1043
1044/*
1045 * Learn a virtual address or route.
1046 * The learn will fail if the learn address
1047 * script/plugin fails. In this case the
1048 * return value may be != mi.
1049 * Return the instance which owns this route,
1050 * or NULL if none.
1051 */
1052static struct multi_instance *
1053multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr,
1054 const unsigned int flags)
1055{
1056 struct hash_element *he;
1057 const uint32_t hv = hash_value(m->vhash, addr);
1058 struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1059 struct multi_route *oldroute = NULL;
1060 struct multi_instance *owner = NULL;
1061 struct gc_arena gc = gc_new();
1062
1063 /* if route currently exists, get the instance which owns it */
1064 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1065 if (he)
1066 {
1067 oldroute = (struct multi_route *)he->value;
1068 }
1069 if (oldroute && multi_route_defined(m, oldroute))
1070 {
1071 owner = oldroute->instance;
1072 }
1073
1074 /* do we need to add address to hash table? */
1075 if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1076 && !mroute_addr_equal(addr, &m->local))
1077 {
1078 struct multi_route *newroute;
1079 bool learn_succeeded = false;
1080
1081 ALLOC_OBJ(newroute, struct multi_route);
1082 newroute->addr = *addr;
1083 newroute->instance = mi;
1084 newroute->flags = flags;
1085 newroute->last_reference = now;
1086 newroute->cache_generation = 0;
1087
1088 /* The cache is invalidated when cache_generation is incremented */
1090 {
1092 }
1093
1094 if (oldroute) /* route already exists? */
1095 {
1096 if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1097 {
1098 learn_succeeded = true;
1099 owner = mi;
1101 route_quota_inc(mi);
1102
1103 /* delete old route */
1104 multi_route_del(oldroute);
1105
1106 /* modify hash table entry, replacing old route */
1107 he->key = &newroute->addr;
1108 he->value = newroute;
1109 }
1110 }
1111 else
1112 {
1113 if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1114 {
1115 learn_succeeded = true;
1116 owner = mi;
1118 route_quota_inc(mi);
1119
1120 /* add new route */
1121 hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1122 }
1123 }
1124
1125 msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED",
1126 mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc));
1127
1128 if (!learn_succeeded)
1129 {
1130 free(newroute);
1131 }
1132 }
1133 gc_free(&gc);
1134
1135 return owner;
1136}
1137
1138/*
1139 * Get client instance based on virtual address.
1140 */
1141static struct multi_instance *
1143 bool cidr_routing)
1144{
1145 struct multi_route *route;
1146 struct multi_instance *ret = NULL;
1147
1148 /* check for local address */
1149 if (mroute_addr_equal(addr, &m->local))
1150 {
1151 return NULL;
1152 }
1153
1154 route = (struct multi_route *)hash_lookup(m->vhash, addr);
1155
1156 /* does host route (possible cached) exist? */
1157 if (route && multi_route_defined(m, route))
1158 {
1159 struct multi_instance *mi = route->instance;
1160 route->last_reference = now;
1161 ret = mi;
1162 }
1163 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1164 {
1165 struct mroute_helper *rh = m->route_helper;
1166 struct mroute_addr tryaddr;
1167 int i;
1168
1169 /* cycle through each CIDR length */
1170 for (i = 0; i < rh->n_net_len; ++i)
1171 {
1172 tryaddr = *addr;
1174 tryaddr.netbits = rh->net_len[i];
1176
1177 /* look up a possible route with netbits netmask */
1178 route = (struct multi_route *)hash_lookup(m->vhash, &tryaddr);
1179
1180 if (route && multi_route_defined(m, route))
1181 {
1182 /* found an applicable route, cache host route */
1183 struct multi_instance *mi = route->instance;
1185 ret = mi;
1186 break;
1187 }
1188 }
1189 }
1190
1191#ifdef ENABLE_DEBUG
1193 {
1194 struct gc_arena gc = gc_new();
1195 const char *addr_text = mroute_addr_print(addr, &gc);
1196 if (ret)
1197 {
1198 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text,
1199 multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc));
1200 }
1201 else
1202 {
1203 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text);
1204 }
1205 gc_free(&gc);
1206 }
1207#endif
1208
1209 ASSERT(!(ret && ret->halt));
1210 return ret;
1211}
1212
1213/*
1214 * Helper function to multi_learn_addr().
1215 */
1216static struct multi_instance *
1217multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a,
1218 int netbits, /* -1 if host route, otherwise # of network bits in address */
1219 bool primary)
1220{
1221 struct openvpn_sockaddr remote_si;
1222 struct mroute_addr addr = { 0 };
1223
1225 remote_si.addr.in4.sin_family = AF_INET;
1226 remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1227 addr.proto = 0;
1229
1230 if (netbits >= 0)
1231 {
1232 addr.type |= MR_WITH_NETBITS;
1233 addr.netbits = (uint8_t)netbits;
1234 }
1235
1236 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1237#ifdef ENABLE_MANAGEMENT
1238 if (management && owner)
1239 {
1240 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1241 }
1242#endif
1243 if (!primary)
1244 {
1245 /* "primary" is the VPN ifconfig address of the peer and already
1246 * known to DCO, so only install "extra" iroutes (primary = false)
1247 */
1248 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1249 dco_install_iroute(m, mi, &addr);
1250 }
1251
1252 return owner;
1253}
1254
1255static struct multi_instance *
1256multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6,
1257 int netbits, /* -1 if host route, otherwise # of network bits in address */
1258 bool primary)
1259{
1260 struct mroute_addr addr = { 0 };
1261
1262 addr.len = 16;
1263 addr.type = MR_ADDR_IPV6;
1264 addr.netbits = 0;
1265 addr.v6.addr = a6;
1266
1267 if (netbits >= 0)
1268 {
1269 addr.type |= MR_WITH_NETBITS;
1270 addr.netbits = (uint8_t)netbits;
1272 }
1273
1274 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1275#ifdef ENABLE_MANAGEMENT
1276 if (management && owner)
1277 {
1278 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1279 }
1280#endif
1281 if (!primary)
1282 {
1283 /* "primary" is the VPN ifconfig address of the peer and already
1284 * known to DCO, so only install "extra" iroutes (primary = false)
1285 */
1286 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1287 dco_install_iroute(m, mi, &addr);
1288 }
1289
1290 return owner;
1291}
1292
1293/*
1294 * A new client has connected, add routes (server -> client)
1295 * to internal routing table.
1296 */
1297static void
1299{
1300 struct gc_arena gc = gc_new();
1301 const struct iroute *ir;
1302 const struct iroute_ipv6 *ir6;
1304 {
1305 mi->did_iroutes = true;
1306 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1307 {
1308 if (ir->netbits >= 0)
1309 {
1310 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1311 print_in_addr_t(ir->network, 0, &gc), ir->netbits,
1312 multi_instance_string(mi, false, &gc));
1313 }
1314 else
1315 {
1316 msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1317 print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc));
1318 }
1319
1321
1322 multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1323 }
1324 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1325 {
1326 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1327 print_in6_addr(ir6->network, 0, &gc), ir6->netbits,
1328 multi_instance_string(mi, false, &gc));
1329
1331
1332 multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1333 }
1334 }
1335 gc_free(&gc);
1336}
1337
1338/*
1339 * Given an instance (new_mi), delete all other instances which use the
1340 * same common name.
1341 */
1342static void
1344{
1345 if (new_mi)
1346 {
1347 const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1348 if (new_cn)
1349 {
1350 struct hash_iterator hi;
1351 struct hash_element *he;
1352 int count = 0;
1353
1354 hash_iterator_init(m->iter, &hi);
1355 while ((he = hash_iterator_next(&hi)))
1356 {
1357 struct multi_instance *mi = (struct multi_instance *)he->value;
1358 if (mi != new_mi && !mi->halt)
1359 {
1360 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1361 if (cn && !strcmp(cn, new_cn))
1362 {
1363 mi->did_iter = false;
1364 multi_close_instance(m, mi, false);
1366 ++count;
1367 }
1368 }
1369 }
1370 hash_iterator_free(&hi);
1371
1372 if (count)
1373 {
1375 "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.",
1376 new_cn);
1377 }
1378 }
1379 }
1380}
1381
1382static void
1384{
1385 struct gc_arena gc = gc_new();
1386 struct hash_iterator hi;
1387 struct hash_element *he;
1388
1389 dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1391 while ((he = hash_iterator_next(&hi)) != NULL)
1392 {
1393 struct multi_route *r = (struct multi_route *)he->value;
1394 if (multi_route_defined(m, r)
1395 && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1396 {
1397 dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1398 mroute_addr_print(&r->addr, &gc));
1399 learn_address_script(m, NULL, "delete", &r->addr);
1400 multi_route_del(r);
1402 }
1403 }
1404 hash_iterator_free(&hi);
1405 gc_free(&gc);
1406}
1407
1408/*
1409 * Ensure that endpoint to be pushed to client
1410 * complies with --ifconfig-push-constraint directive.
1411 */
1412static bool
1414{
1415 const struct options *o = &c->options;
1417 {
1420 }
1421 else
1422 {
1423 return true;
1424 }
1425}
1426
1427/*
1428 * Select a virtual address for a new client instance.
1429 * Use an --ifconfig-push directive, if given (static IP).
1430 * Otherwise use an --ifconfig-pool address (dynamic IP).
1431 */
1432static void
1434{
1435 struct gc_arena gc = gc_new();
1436
1437 /*
1438 * If ifconfig addresses were set by dynamic config file,
1439 * release pool addresses, otherwise keep them.
1440 */
1442 {
1443 /* ifconfig addresses were set statically,
1444 * release dynamic allocation */
1445 if (mi->vaddr_handle >= 0)
1446 {
1448 mi->vaddr_handle = -1;
1449 }
1450
1451 mi->context.c2.push_ifconfig_defined = true;
1456
1457 /* the current implementation does not allow "static IPv4, pool IPv6",
1458 * (see below) so issue a warning if that happens - don't break the
1459 * session, though, as we don't even know if this client WANTS IPv6
1460 */
1463 {
1464 msg(M_INFO,
1465 "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.");
1466 }
1467 }
1468 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1469 {
1470 in_addr_t local = 0, remote = 0;
1471 struct in6_addr remote_ipv6;
1472 const char *cn = NULL;
1473
1474 if (!mi->context.options.duplicate_cn)
1475 {
1476 cn = tls_common_name(mi->context.c2.tls_multi, true);
1477 }
1478
1479 CLEAR(remote_ipv6);
1480 mi->vaddr_handle =
1481 ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1482 if (mi->vaddr_handle >= 0)
1483 {
1484 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1485 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1486
1487 msg(M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1489 : "(Not enabled)"),
1491 ? print_in6_addr(remote_ipv6, 0, &gc)
1492 : "(Not enabled)"));
1493
1495 {
1496 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1497 mi->context.c2.push_ifconfig_local = remote;
1498 if (tunnel_type == DEV_TYPE_TAP
1499 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1500 {
1504 {
1507 }
1508 }
1509 else if (tunnel_type == DEV_TYPE_TUN)
1510 {
1511 if (tunnel_topology == TOP_P2P)
1512 {
1514 }
1515 else if (tunnel_topology == TOP_NET30)
1516 {
1518 }
1519 }
1520
1522 {
1523 mi->context.c2.push_ifconfig_defined = true;
1524 }
1525 else
1526 {
1528 "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1529 multi_instance_string(mi, false, &gc));
1530 }
1531 }
1532
1534 {
1535 mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1540 }
1541 }
1542 else
1543 {
1544 msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1545 }
1546 }
1547
1548 /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1549 * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1550 * will fail (because no pool will be allocated in this case).
1551 * OTOH, this doesn't make too much sense in reality - and the other
1552 * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1553 * -> and so it's implemented right now
1554 */
1556 {
1561
1562 msg(M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1565 }
1566
1567 gc_free(&gc);
1568}
1569
1570/*
1571 * Set virtual address environmental variables.
1572 */
1573static void
1575{
1576 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1577 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1578 setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1579
1581 {
1582 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1583 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1584
1585 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip",
1587
1588 if (tunnel_type == DEV_TYPE_TAP
1589 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1590 {
1591 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask",
1593 }
1594 else if (tunnel_type == DEV_TYPE_TUN)
1595 {
1596 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip",
1598 }
1599 }
1600
1601 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1602 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1603 setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1604
1606 {
1607 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote",
1609 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local",
1611 setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits",
1613 }
1614}
1615
1616/*
1617 * Called after client-connect script is called
1618 */
1619static void
1620multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file,
1621 unsigned int *option_types_found)
1622{
1623 /* Did script generate a dynamic config file? */
1624 if (platform_test_file(dc_file))
1625 {
1627 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1628
1629 /*
1630 * If the --client-connect script generates a config file
1631 * with an --ifconfig-push directive, it will override any
1632 * --ifconfig-push directive from the --client-config-dir
1633 * directory or any --ifconfig-pool dynamic address.
1634 */
1637 }
1638}
1639
1640#ifdef ENABLE_PLUGIN
1641
1642/*
1643 * Called after client-connect plug-in is called
1644 */
1645static void
1647 const struct plugin_return *pr, unsigned int *option_types_found)
1648{
1649 struct plugin_return config;
1650
1651 plugin_return_get_column(pr, &config, "config");
1652
1653 /* Did script generate a dynamic config file? */
1654 if (plugin_return_defined(&config))
1655 {
1656 int i;
1657 for (i = 0; i < config.n; ++i)
1658 {
1659 if (config.list[i] && config.list[i]->value)
1660 {
1661 options_string_import(&mi->context.options, config.list[i]->value,
1663 option_types_found, mi->context.c2.es);
1664 }
1665 }
1666
1667 /*
1668 * If the --client-connect script generates a config file
1669 * with an --ifconfig-push directive, it will override any
1670 * --ifconfig-push directive from the --client-config-dir
1671 * directory or any --ifconfig-pool dynamic address.
1672 */
1675 }
1676}
1677
1678#endif /* ifdef ENABLE_PLUGIN */
1679
1680
1681/*
1682 * Called to load management-derived client-connect config
1683 */
1685multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred,
1686 unsigned int *option_types_found)
1687{
1688 /* We never return CC_RET_DEFERRED */
1689 ASSERT(!deferred);
1691#ifdef ENABLE_MANAGEMENT
1692 if (mi->cc_config)
1693 {
1694 struct buffer_entry *be;
1695 for (be = mi->cc_config->head; be != NULL; be = be->next)
1696 {
1697 const char *opt = BSTR(&be->buf);
1699 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1700 }
1701
1702 /*
1703 * If the --client-connect script generates a config file
1704 * with an --ifconfig-push directive, it will override any
1705 * --ifconfig-push directive from the --client-config-dir
1706 * directory or any --ifconfig-pool dynamic address.
1707 */
1710
1711 ret = CC_RET_SUCCEEDED;
1712 }
1713#endif /* ifdef ENABLE_MANAGEMENT */
1714 return ret;
1715}
1716
1717static void
1719{
1720 struct gc_arena gc = gc_new();
1721
1722 /* setenv incoming cert common name for script */
1723 setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1724
1725 /* setenv client real IP address */
1727
1728 /* setenv client virtual IP address */
1730
1731 /* setenv connection time */
1732 {
1733 const char *created_ascii = time_string(mi->created, 0, false, &gc);
1734 setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1735 setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1736 }
1737
1738 gc_free(&gc);
1739}
1740
1747static bool
1749{
1750 struct tls_multi *tls_multi = c->c2.tls_multi;
1751 const char *const peer_info = tls_multi->peer_info;
1752 struct options *o = &c->options;
1753
1754
1755 unsigned int proto = extract_iv_proto(peer_info);
1756 if (proto & IV_PROTO_DATA_V2)
1757 {
1758 tls_multi->use_peer_id = true;
1759 o->use_peer_id = true;
1760 }
1761 else if (dco_enabled(o))
1762 {
1763 msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
1764 "requires DATA_V2. Dropping client.");
1765 auth_set_client_reason(tls_multi, "Data channel negotiation "
1766 "failed (missing DATA_V2)");
1767 return false;
1768 }
1769
1770 /* Print a warning if we detect the client being in P2P mode and will
1771 * not accept our pushed ciphers */
1772 if (proto & IV_PROTO_NCP_P2P)
1773 {
1774 msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
1775 "option). It will not negotiate ciphers with this server. "
1776 "Expect this connection to fail.");
1777 }
1778
1779 if (proto & IV_PROTO_REQUEST_PUSH)
1780 {
1781 c->c2.push_request_received = true;
1782 }
1783
1784 if (proto & IV_PROTO_TLS_KEY_EXPORT)
1785 {
1787 }
1788 else if (o->force_key_material_export)
1789 {
1790 msg(M_INFO, "PUSH: client does not support TLS Keying Material "
1791 "Exporters but --force-tls-key-material-export is enabled.");
1792 auth_set_client_reason(tls_multi, "Client incompatible with this "
1793 "server. Keying Material Exporters (RFC 5705) "
1794 "support missing. Upgrade to a client that "
1795 "supports this feature (OpenVPN 2.6.0+).");
1796 return false;
1797 }
1798 if (proto & IV_PROTO_DYN_TLS_CRYPT)
1799 {
1801 }
1802
1803 if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1804 {
1806 }
1807
1808 /* Select cipher if client supports Negotiable Crypto Parameters */
1809
1810 /* if we have already created our key, we cannot *change* our own
1811 * cipher -> so log the fact and push the "what we have now" cipher
1812 * (so the client is always told what we expect it to use)
1813 */
1815 {
1816 msg(M_INFO,
1817 "PUSH: client wants to negotiate cipher (NCP), but "
1818 "server has already generated data channel keys, "
1819 "re-sending previously negotiated cipher '%s'",
1820 o->ciphername);
1821 return true;
1822 }
1823
1824 /*
1825 * Push the first cipher from --data-ciphers to the client that
1826 * the client announces to be supporting.
1827 */
1828 char *push_cipher =
1830 if (push_cipher)
1831 {
1832 /* Enable epoch data key format if supported and AEAD cipher in use */
1834 && cipher_kt_mode_aead(push_cipher))
1835 {
1837 }
1838
1839 o->ciphername = push_cipher;
1840 return true;
1841 }
1842
1843 /* NCP cipher negotiation failed. Try to figure out why exactly it
1844 * failed and give good error messages and potentially do a fallback
1845 * for non NCP clients */
1846 struct gc_arena gc = gc_new();
1847 bool ret = false;
1848
1849 const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1850 /* If we are in a situation where we know the client ciphers, there is no
1851 * reason to fall back to a cipher that will not be accepted by the other
1852 * side, in this situation we fail the auth*/
1853 if (strlen(peer_ciphers) > 0)
1854 {
1855 msg(M_INFO,
1856 "PUSH: No common cipher between server and client. "
1857 "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
1858 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
1859 }
1860 else if (tls_multi->remote_ciphername)
1861 {
1862 msg(M_INFO,
1863 "PUSH: No common cipher between server and client. "
1864 "Server data-ciphers: '%s'%s, client supports cipher '%s'",
1866 }
1867 else
1868 {
1869 msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1870
1872 {
1873 msg(M_INFO,
1874 "Using data channel cipher '%s' since "
1875 "--data-ciphers-fallback is set.",
1876 o->ciphername);
1877 ret = true;
1878 }
1879 else
1880 {
1881 msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1882 "client is using if you want to allow the client to connect");
1883 }
1884 }
1885 if (!ret)
1886 {
1887 auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1888 "failed (no shared cipher)");
1889 }
1890
1891 gc_free(&gc);
1892 return ret;
1893}
1894
1899static void
1901{
1903 if (!ccs->deferred_ret_file)
1904 {
1905 return;
1906 }
1907
1908 setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1910 {
1911 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->deferred_ret_file);
1912 }
1913 free(ccs->deferred_ret_file);
1914 ccs->deferred_ret_file = NULL;
1915}
1916
1924static bool
1926{
1928 struct gc_arena gc = gc_new();
1929 const char *fn;
1930
1931 /* Delete file if it already exists */
1933
1935 if (!fn)
1936 {
1937 gc_free(&gc);
1938 return false;
1939 }
1940 ccs->deferred_ret_file = string_alloc(fn, NULL);
1941
1942 setenv_str(mi->context.c2.es, "client_connect_deferred_file", ccs->deferred_ret_file);
1943
1944 gc_free(&gc);
1945 return true;
1946}
1947
1956static enum client_connect_return
1958{
1960 FILE *fp = fopen(ccs->deferred_ret_file, "r");
1961 if (!fp)
1962 {
1963 return CC_RET_SKIPPED;
1964 }
1965
1967 const int c = fgetc(fp);
1968 switch (c)
1969 {
1970 case '0':
1971 ret = CC_RET_FAILED;
1972 break;
1973
1974 case '1':
1975 ret = CC_RET_SUCCEEDED;
1976 break;
1977
1978 case '2':
1979 ret = CC_RET_DEFERRED;
1980 break;
1981
1982 case EOF:
1983 if (feof(fp))
1984 {
1985 ret = CC_RET_SKIPPED;
1986 break;
1987 }
1988
1989 /* Not EOF but other error -> fall through to error state */
1990 default:
1991 /* We received an unknown/unexpected value. Assume failure. */
1992 msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
1993 "client-connect resultfile");
1994 ret = CC_RET_FAILED;
1995 }
1996 fclose(fp);
1997
1998 return ret;
1999}
2000
2006static void
2008{
2010 if (ccs->config_file)
2011 {
2012 setenv_del(mi->context.c2.es, "client_connect_config_file");
2013 if (!platform_unlink(ccs->config_file))
2014 {
2015 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->config_file);
2016 }
2017 free(ccs->config_file);
2018 ccs->config_file = NULL;
2019 }
2020}
2021
2029static bool
2031{
2033 struct gc_arena gc = gc_new();
2034 const char *fn;
2035
2036 if (ccs->config_file)
2037 {
2039 }
2040
2042 if (!fn)
2043 {
2044 gc_free(&gc);
2045 return false;
2046 }
2047 ccs->config_file = string_alloc(fn, NULL);
2048
2049 setenv_str(mi->context.c2.es, "client_connect_config_file", ccs->config_file);
2050
2051 gc_free(&gc);
2052 return true;
2053}
2054
2055static enum client_connect_return
2057 bool deferred, unsigned int *option_types_found)
2058{
2060#ifdef ENABLE_PLUGIN
2061 ASSERT(m);
2062 ASSERT(mi);
2063 ASSERT(option_types_found);
2065
2066 /* deprecated callback, use a file for passing back return info */
2067 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2068 {
2069 struct argv argv = argv_new();
2070 int call;
2071
2072 if (!deferred)
2073 {
2074 call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2076 {
2077 ret = CC_RET_FAILED;
2078 goto cleanup;
2079 }
2080 }
2081 else
2082 {
2083 call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2084 /* the initial call should have created these files */
2085 ASSERT(ccs->config_file);
2087 }
2088
2089 argv_printf(&argv, "%s", ccs->config_file);
2090 int plug_ret = plugin_call(mi->context.plugins, call, &argv, NULL, mi->context.c2.es);
2091 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2092 {
2093 ret = CC_RET_SUCCEEDED;
2094 }
2095 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2096 {
2097 ret = CC_RET_DEFERRED;
2103 }
2104 else
2105 {
2106 msg(M_WARN, "WARNING: client-connect plugin call failed");
2107 ret = CC_RET_FAILED;
2108 }
2109
2110
2116 int file_ret = ccs_test_deferred_ret_file(mi);
2117
2118 if (file_ret == CC_RET_FAILED)
2119 {
2120 ret = CC_RET_FAILED;
2121 }
2122 else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2123 {
2124 ret = CC_RET_DEFERRED;
2125 }
2126
2127 /* if we still think we have succeeded, do postprocessing */
2128 if (ret == CC_RET_SUCCEEDED)
2129 {
2130 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2131 }
2132cleanup:
2133 argv_free(&argv);
2134
2135 if (ret != CC_RET_DEFERRED)
2136 {
2139 }
2140 }
2141#endif /* ifdef ENABLE_PLUGIN */
2142 return ret;
2143}
2144
2145static enum client_connect_return
2147 bool deferred, unsigned int *option_types_found)
2148{
2150#ifdef ENABLE_PLUGIN
2151 ASSERT(m);
2152 ASSERT(mi);
2153 ASSERT(option_types_found);
2154
2155 int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2156 /* V2 callback, use a plugin_return struct for passing back return info */
2157 if (plugin_defined(mi->context.plugins, call))
2158 {
2159 struct plugin_return pr;
2160
2161 plugin_return_init(&pr);
2162
2163 int plug_ret = plugin_call(mi->context.plugins, call, NULL, &pr, mi->context.c2.es);
2164 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2165 {
2166 multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2167 ret = CC_RET_SUCCEEDED;
2168 }
2169 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2170 {
2171 ret = CC_RET_DEFERRED;
2172 if (!(plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2173 {
2174 msg(M_WARN, "A plugin that defers from the "
2175 "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2176 "declare support for "
2177 "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2178 ret = CC_RET_FAILED;
2179 }
2180 }
2181 else
2182 {
2183 msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2184 ret = CC_RET_FAILED;
2185 }
2186
2187
2188 plugin_return_free(&pr);
2189 }
2190#endif /* ifdef ENABLE_PLUGIN */
2191 return ret;
2192}
2193
2194static enum client_connect_return
2196 unsigned int *option_types_found)
2197{
2198 ASSERT(mi);
2199 ASSERT(option_types_found);
2202
2204
2205 if (ret == CC_RET_SKIPPED)
2206 {
2207 /*
2208 * Skipped and deferred are equivalent in this context.
2209 * skipped means that the called program has not yet
2210 * written a return status implicitly needing more time
2211 * while deferred is the explicit notification that it
2212 * needs more time
2213 */
2214 ret = CC_RET_DEFERRED;
2215 }
2216
2217 if (ret == CC_RET_SUCCEEDED)
2218 {
2222 }
2223 if (ret == CC_RET_FAILED)
2224 {
2225 msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2228 }
2229 return ret;
2230}
2231
2235static enum client_connect_return
2237 unsigned int *option_types_found)
2238{
2239 if (deferred)
2240 {
2242 }
2243 ASSERT(m);
2244 ASSERT(mi);
2245
2248
2250 {
2251 struct argv argv = argv_new();
2252 struct gc_arena gc = gc_new();
2253
2254 setenv_str(mi->context.c2.es, "script_type", "client-connect");
2255
2257 {
2258 ret = CC_RET_FAILED;
2259 goto cleanup;
2260 }
2261
2263 argv_printf_cat(&argv, "%s", ccs->config_file);
2264
2265 if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2266 {
2268 {
2269 ret = CC_RET_DEFERRED;
2270 }
2271 else
2272 {
2273 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2274 ret = CC_RET_SUCCEEDED;
2275 }
2276 }
2277 else
2278 {
2279 ret = CC_RET_FAILED;
2280 }
2281cleanup:
2282 if (ret != CC_RET_DEFERRED)
2283 {
2286 }
2287 argv_free(&argv);
2288 gc_free(&gc);
2289 }
2290 return ret;
2291}
2292
2293static bool
2295 struct gc_arena *gc)
2296{
2297 if (!dco_enabled(&mi->context.options))
2298 {
2299 /* DCO not enabled, nothing to do, return sucess */
2300 return true;
2301 }
2302 int ret = dco_multi_add_new_peer(m, mi);
2303 if (ret < 0)
2304 {
2305 msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", multi_instance_string(mi, false, gc),
2306 strerror(-ret), ret);
2307 return false;
2308 }
2309
2310 return true;
2311}
2312
2316static bool
2318{
2319 struct frame *frame_fragment = NULL;
2320#ifdef ENABLE_FRAGMENT
2321 if (c->options.ce.fragment)
2322 {
2323 frame_fragment = &c->c2.frame_fragment;
2324 }
2325#endif
2328 frame_fragment, get_link_socket_info(c),
2329 &c->c1.tuntap->dco))
2330 {
2331 msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2332 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2333 return false;
2334 }
2335
2336 return true;
2337}
2338
2339static void
2341 const unsigned int option_types_found)
2342{
2343 ASSERT(m);
2344 ASSERT(mi);
2345
2346 struct gc_arena gc = gc_new();
2347 /*
2348 * Process sourced options.
2349 */
2350 do_deferred_options(&mi->context, option_types_found, false);
2351
2352 /*
2353 * make sure we got ifconfig settings from somewhere
2354 */
2356 {
2358 "MULTI: no dynamic or static remote "
2359 "--ifconfig address is available for %s",
2360 multi_instance_string(mi, false, &gc));
2361 }
2362
2363 /*
2364 * make sure that ifconfig settings comply with constraints
2365 */
2367 {
2368 const char *ifconfig_constraint_network =
2370 const char *ifconfig_constraint_netmask =
2372
2373 /* JYFIXME -- this should cause the connection to fail */
2375 "MULTI ERROR: primary virtual IP for %s (%s) "
2376 "violates tunnel network/netmask constraint (%s/%s)",
2377 multi_instance_string(mi, false, &gc),
2379 ifconfig_constraint_network, ifconfig_constraint_netmask);
2380 }
2381
2382 /* set our client's VPN endpoint for status reporting purposes */
2385
2386 /* set context-level authentication flag */
2388
2389 /* Since dco-win maintains iroute routing table (subnet -> peer),
2390 * peer must be added before iroutes. For other platforms it doesn't matter. */
2391
2392 /* authentication complete, calculate dynamic client specific options */
2394 {
2396 }
2397 /* only continue if setting protocol options worked */
2398 else if (!multi_client_setup_dco_initial(m, mi, &gc))
2399 {
2401 }
2402 /* Generate data channel keys only if setting protocol options
2403 * and DCO initial setup has not failed */
2405 {
2407 }
2408
2409 /* dco peer has been added, it is now safe for Windows to add iroutes */
2410
2411 /*
2412 * For routed tunnels, set up internal route to endpoint
2413 * plus add all iroute routes.
2414 */
2416 {
2418 {
2420 msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2421 multi_instance_string(mi, false, &gc),
2423 }
2424
2426 {
2428 /* TODO: find out where addresses are "unlearned"!! */
2429 const char *ifconfig_local_ipv6 =
2431 msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2432 multi_instance_string(mi, false, &gc), ifconfig_local_ipv6);
2433 }
2434
2435 /* add routes locally, pointing to new client, if
2436 * --iroute options have been specified */
2437 multi_add_iroutes(m, mi);
2438
2439 /*
2440 * iroutes represent subnets which are "owned" by a particular
2441 * client. Therefore, do not actually push a route to a client
2442 * if it matches one of the client's iroutes.
2443 */
2445 }
2446 else if (mi->context.options.iroutes)
2447 {
2449 "MULTI: --iroute options rejected for %s -- iroute "
2450 "only works with tun-style tunnels",
2451 multi_instance_string(mi, false, &gc));
2452 }
2453
2454 /* send push reply if ready */
2456 {
2458 }
2459 gc_free(&gc);
2460}
2461
2462static void
2464{
2465 ASSERT(mi->context.c1.tuntap);
2466 /*
2467 * lock down the common name and cert hashes so they can't change
2468 * during future TLS renegotiations
2469 */
2472
2473 /* generate a msg() prefix for this client instance */
2474 generate_prefix(mi);
2475
2476 /* delete instances of previous clients with same common-name */
2477 if (!mi->context.options.duplicate_cn)
2478 {
2479 multi_delete_dup(m, mi);
2480 }
2481
2482 /* reset pool handle to null */
2483 mi->vaddr_handle = -1;
2484
2485 /* do --client-connect setenvs */
2487
2489}
2490
2497static enum client_connect_return
2499 bool deferred, unsigned int *option_types_found)
2500{
2501#ifdef USE_COMP
2502 struct options *o = &mi->context.options;
2503 const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2504
2506 {
2507 if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2508 {
2509 push_option(o, "compress stub-v2", M_USAGE);
2510 }
2511 else
2512 {
2513 /* Client is old and does not support STUBv2 but since it
2514 * announced comp-lzo via OCC we assume it uses comp-lzo, so
2515 * switch to that and push the uncompressed variant. */
2516 push_option(o, "comp-lzo no", M_USAGE);
2517 o->comp.alg = COMP_ALG_STUB;
2518 *option_types_found |= OPT_P_COMP;
2519 }
2520 }
2521#endif
2522 return CC_RET_SUCCEEDED;
2523}
2524
2529static enum client_connect_return
2531 unsigned int *option_types_found)
2532{
2533 /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2534 * problem */
2535 ASSERT(!deferred);
2538 {
2539 struct gc_arena gc = gc_new();
2540 const char *ccd_file = NULL;
2541
2542 const char *ccd_client =
2544 tls_common_name(mi->context.c2.tls_multi, false), &gc);
2545
2546 const char *ccd_default =
2548
2549
2550 /* try common-name file */
2551 if (platform_test_file(ccd_client))
2552 {
2553 ccd_file = ccd_client;
2554 }
2555 /* try default file */
2556 else if (platform_test_file(ccd_default))
2557 {
2558 ccd_file = ccd_default;
2559 }
2560
2561 if (ccd_file)
2562 {
2564 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
2565 /*
2566 * Select a virtual address from either --ifconfig-push in
2567 * --client-config-dir file or --ifconfig-pool.
2568 */
2570
2572
2573 ret = CC_RET_SUCCEEDED;
2574 }
2575 gc_free(&gc);
2576 }
2577 return ret;
2578}
2579
2581 struct multi_context *m, struct multi_instance *mi, bool from_deferred,
2582 unsigned int *option_types_found);
2583
2593
2598static bool
2600{
2601 struct tls_multi *multi = mi->context.c2.tls_multi;
2602 struct options *options = &mi->context.options;
2603 struct tls_session *session = &multi->session[TM_ACTIVE];
2604
2605 if (!multi->locked_username)
2606 {
2607 msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
2608 "user/password method is enabled. Enable "
2609 "--management-client-auth, --auth-user-pass-verify, or a "
2610 "plugin with user/password verify capability.");
2611 return false;
2612 }
2613
2614 if (!multi->locked_original_username
2615 && strcmp(multi->locked_username, options->override_username) != 0)
2616 {
2617 /* Check if the username length is acceptable */
2619 {
2620 return false;
2621 }
2622
2624 multi->locked_username = strdup(options->override_username);
2625
2626 /* Override also the common name if username should be set as common
2627 * name */
2628 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
2629 {
2631 free(multi->locked_cn);
2632 multi->locked_cn = NULL;
2633 tls_lock_common_name(multi);
2634 }
2635
2636 /* Regenerate the auth-token if enabled */
2637 if (multi->auth_token_initial)
2638 {
2639 struct user_pass up;
2640 CLEAR(up);
2641 strncpynt(up.username, multi->locked_username, sizeof(up.username));
2642
2643 generate_auth_token(&up, multi);
2644 }
2645
2647 "MULTI: Note, override-username changes username "
2648 "from '%s' to '%s'",
2650 }
2651 return true;
2652}
2653/*
2654 * Called as soon as the SSL/TLS connection is authenticated.
2655 *
2656 * Will collect the client specific configuration from the different
2657 * sources like ccd files, connect plugins and management interface.
2658 *
2659 * This method starts with cas_context CAS_PENDING and will move the
2660 * state machine to either CAS_SUCCEEDED on success or
2661 * CAS_FAILED/CAS_PARTIAL on failure.
2662 *
2663 * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2664 * include:
2665 *
2666 * iroute start-ip end-ip
2667 * ifconfig-push local remote-netmask
2668 * push
2669 *
2670 *
2671 */
2672static void
2674{
2675 /* We are only called for the CAS_PENDING_x states, so we
2676 * can ignore other states here */
2677 bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2678
2679 int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2680 unsigned int *option_types_found = &mi->client_connect_defer_state.option_types_found;
2681
2682 /* We are called for the first time */
2683 if (!from_deferred)
2684 {
2685 *cur_handler_index = 0;
2686 *option_types_found = 0;
2687 /* Initially we have no handler that has returned a result */
2689
2691 }
2692
2693 bool cc_succeeded = true;
2694
2695 while (cc_succeeded && client_connect_handlers[*cur_handler_index] != NULL)
2696 {
2697 enum client_connect_return ret;
2698 ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, option_types_found);
2699
2700 from_deferred = false;
2701
2702 switch (ret)
2703 {
2704 case CC_RET_SUCCEEDED:
2705 /*
2706 * Remember that we already had at least one handler
2707 * returning a result should we go to into deferred state
2708 */
2709 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2710 break;
2711
2712 case CC_RET_SKIPPED:
2713 /*
2714 * Move on with the next handler without modifying any
2715 * other state
2716 */
2717 break;
2718
2719 case CC_RET_DEFERRED:
2720 /*
2721 * we already set multi_status to DEFERRED_RESULT or
2722 * DEFERRED_NO_RESULT. We just return
2723 * from the function as having multi_status
2724 */
2725 return;
2726
2727 case CC_RET_FAILED:
2728 /*
2729 * One handler failed. We abort the chain and set the final
2730 * result to failed
2731 */
2732 cc_succeeded = false;
2733 break;
2734
2735 default:
2736 ASSERT(0);
2737 }
2738
2739 /*
2740 * Check for "disable" directive in client-config-dir file
2741 * or config file generated by --client-connect script.
2742 */
2743 if (mi->context.options.disable)
2744 {
2745 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2746 "'disable' directive");
2747 cc_succeeded = false;
2748 }
2749
2750 (*cur_handler_index)++;
2751 }
2752
2754 {
2755 if (!override_locked_username(mi))
2756 {
2757 cc_succeeded = false;
2758 }
2759 }
2760
2761 /* Check if we have forbidding options in the current mode */
2762 if (dco_enabled(&mi->context.options)
2764 {
2765 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2766 cc_succeeded = false;
2767 }
2768
2770 {
2771 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2772 cc_succeeded = false;
2773 }
2774
2775 if (cc_succeeded)
2776 {
2777 multi_client_connect_late_setup(m, mi, *option_types_found);
2778 }
2779 else
2780 {
2781 /* run the disconnect script if we had a connect script that
2782 * did not fail */
2784 {
2786 }
2787
2789 }
2790
2791 /* increment number of current authenticated clients */
2792 ++m->n_clients;
2794 --mi->n_clients_delta;
2795
2796#ifdef ENABLE_MANAGEMENT
2797 if (management)
2798 {
2800 mi->context.c2.es);
2801 }
2802#endif
2803}
2804
2805#ifdef ENABLE_ASYNC_PUSH
2806/*
2807 * Called when inotify event is fired, which happens when acf
2808 * or connect-status file is closed or deleted.
2809 * Continues authentication and sends push_reply
2810 * (or be deferred again by client-connect)
2811 */
2812void
2813multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2814{
2815 char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2816 size_t buffer_i = 0;
2817 int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2818
2819 while (buffer_i < r)
2820 {
2821 /* parse inotify events */
2822 struct inotify_event *pevent = (struct inotify_event *)&buffer[buffer_i];
2823 size_t event_size = sizeof(struct inotify_event) + pevent->len;
2824 buffer_i += event_size;
2825
2826 msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2827
2828 struct multi_instance *mi =
2829 hash_lookup(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
2830
2831 if (pevent->mask & IN_CLOSE_WRITE)
2832 {
2833 if (mi)
2834 {
2835 /* continue authentication, perform NCP negotiation and send push_reply */
2836 multi_process_post(m, mi, mpp_flags);
2837 }
2838 else
2839 {
2840 msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2841 }
2842 }
2843 else if (pevent->mask & IN_IGNORED)
2844 {
2845 /* this event is _always_ fired when watch is removed or file is deleted */
2846 if (mi)
2847 {
2848 hash_remove(m->inotify_watchers, (void *)(unsigned long)pevent->wd);
2849 mi->inotify_watch = -1;
2850 }
2851 }
2852 else
2853 {
2854 msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2855 }
2856 }
2857}
2858#endif /* ifdef ENABLE_ASYNC_PUSH */
2859
2860/*
2861 * Add a mbuf buffer to a particular
2862 * instance.
2863 */
2864void
2865multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
2866{
2867 if (multi_output_queue_ready(m, mi))
2868 {
2869 struct mbuf_item item;
2870 item.buffer = mb;
2871 item.instance = mi;
2872 mbuf_add_item(m->mbuf, &item);
2873 }
2874 else
2875 {
2876 msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2877 }
2878}
2879
2880/*
2881 * Add a packet to a client instance output queue.
2882 */
2883static inline void
2884multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
2885{
2886 struct mbuf_buffer *mb;
2887
2888 if (BLEN(buf) > 0)
2889 {
2890 mb = mbuf_alloc_buf(buf);
2891 mb->flags = MF_UNICAST;
2892 multi_add_mbuf(m, mi, mb);
2893 mbuf_free_buf(mb);
2894 }
2895}
2896
2897/*
2898 * Broadcast a packet to all clients.
2899 */
2900static void
2901multi_bcast(struct multi_context *m, const struct buffer *buf,
2902 const struct multi_instance *sender_instance, uint16_t vid)
2903{
2904 struct hash_iterator hi;
2905 struct hash_element *he;
2906 struct multi_instance *mi;
2907 struct mbuf_buffer *mb;
2908
2909 if (BLEN(buf) > 0)
2910 {
2912#ifdef MULTI_DEBUG_EVENT_LOOP
2913 printf("BCAST len=%d\n", BLEN(buf));
2914#endif
2915 mb = mbuf_alloc_buf(buf);
2916 hash_iterator_init(m->iter, &hi);
2917
2918 while ((he = hash_iterator_next(&hi)))
2919 {
2920 mi = (struct multi_instance *)he->value;
2921 if (mi != sender_instance && !mi->halt)
2922 {
2923 if (vid != 0 && vid != mi->context.options.vlan_pvid)
2924 {
2925 continue;
2926 }
2927 multi_add_mbuf(m, mi, mb);
2928 }
2929 }
2930
2931 hash_iterator_free(&hi);
2932 mbuf_free_buf(mb);
2933 perf_pop();
2934 }
2935}
2936
2937/*
2938 * Given a time delta, indicating that we wish to be
2939 * awoken by the scheduler at time now + delta, figure
2940 * a sigma parameter (in microseconds) that represents
2941 * a sort of fuzz factor around delta, so that we're
2942 * really telling the scheduler to wake us up any time
2943 * between now + delta - sigma and now + delta + sigma.
2944 *
2945 * The sigma parameter helps the scheduler to run more efficiently.
2946 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2947 */
2948static inline unsigned int
2949compute_wakeup_sigma(const struct timeval *delta)
2950{
2951 if (delta->tv_sec < 1)
2952 {
2953 /* if < 1 sec, fuzz = # of microseconds / 8 */
2954 return delta->tv_usec >> 3;
2955 }
2956 else
2957 {
2958 /* if < 10 minutes, fuzz = 13.1% of timeout */
2959 if (delta->tv_sec < 600)
2960 {
2961 return delta->tv_sec << 17;
2962 }
2963 else
2964 {
2965 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2966 }
2967 }
2968}
2969
2970static void
2972{
2973 /* calculate an absolute wakeup time */
2974 ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2975 tv_add(&mi->wakeup, &mi->context.c2.timeval);
2976
2977 /* tell scheduler to wake us up at some point in the future */
2978 schedule_add_entry(m->schedule, (struct schedule_entry *)mi, &mi->wakeup,
2980}
2981
2982#if defined(ENABLE_ASYNC_PUSH)
2983static void
2984add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, int inotify_fd,
2985 const char *file)
2986{
2987 /* watch acf file */
2988 long watch_descriptor = inotify_add_watch(inotify_fd, file, IN_CLOSE_WRITE | IN_ONESHOT);
2989 if (watch_descriptor >= 0)
2990 {
2991 if (mi->inotify_watch != -1)
2992 {
2993 hash_remove(m->inotify_watchers, (void *)(unsigned long)mi->inotify_watch);
2994 }
2995 hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2996 mi->inotify_watch = watch_descriptor;
2997 }
2998 else
2999 {
3000 msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3001 }
3002}
3003#endif /* if defined(ENABLE_ASYNC_PUSH) */
3004
3005/*
3006 * Figure instance-specific timers, convert
3007 * earliest to absolute time in mi->wakeup,
3008 * call scheduler with our future wakeup time.
3009 *
3010 * Also close context on signal.
3011 */
3012bool
3013multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3014{
3015 bool ret = true;
3016
3017 if (!IS_SIG(&mi->context)
3018 && ((flags & MPP_PRE_SELECT)
3019 || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
3020 {
3021#if defined(ENABLE_ASYNC_PUSH)
3022 bool was_unauthenticated = true;
3023 struct key_state *ks = NULL;
3024 if (mi->context.c2.tls_multi)
3025 {
3027 was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3028 }
3029#endif
3030
3031 /* figure timeouts and fetch possible outgoing
3032 * to_link packets (such as ping or TLS control) */
3033 pre_select(&mi->context);
3034
3035#if defined(ENABLE_ASYNC_PUSH)
3036 /*
3037 * if we see the state transition from unauthenticated to deferred
3038 * and an auth_control_file, we assume it got just added and add
3039 * inotify watch to that file
3040 */
3041 if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3042 && (ks->authenticated == KS_AUTH_DEFERRED))
3043 {
3044 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->plugin_auth.auth_control_file);
3045 }
3046 if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3047 && (ks->authenticated == KS_AUTH_DEFERRED))
3048 {
3049 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->script_auth.auth_control_file);
3050 }
3051#endif
3052
3053 if (!IS_SIG(&mi->context))
3054 {
3055 /* connection is "established" when SSL/TLS key negotiation succeeds
3056 * and (if specified) auth user/pass succeeds */
3057
3059 {
3061 }
3062#if defined(ENABLE_ASYNC_PUSH)
3065 {
3066 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3068 }
3069#endif
3070 /* tell scheduler to wake us up at some point in the future */
3072 }
3073 }
3074
3075 if (IS_SIG(&mi->context))
3076 {
3077 if (flags & MPP_CLOSE_ON_SIGNAL)
3078 {
3080 ret = false;
3081 }
3082 }
3083 else
3084 {
3085 /* continue to pend on output? */
3086 multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3087
3088#ifdef MULTI_DEBUG_EVENT_LOOP
3089 printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int)(mi == m->pending),
3090 mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1,
3091 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3092 (int64_t)mi->context.c2.timeval.tv_sec, (long)mi->context.c2.timeval.tv_usec);
3093#endif
3094 }
3095
3096 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3097 {
3098 *m->mpp_touched = mi;
3099 }
3100
3101 return ret;
3102}
3103
3112static void
3114{
3115 struct mroute_addr real = { 0 };
3116 struct hash *hash = m->hash;
3117 struct gc_arena gc = gc_new();
3118
3119 if (mi->real.type & MR_WITH_PROTO)
3120 {
3121 real.type |= MR_WITH_PROTO;
3122 real.proto = sock->info.proto;
3123 }
3124
3125 if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3126 {
3127 goto done;
3128 }
3129
3130 const uint32_t hv = hash_value(hash, &real);
3131 struct hash_bucket *bucket = hash_bucket(hash, hv);
3132
3133 /* make sure that we don't float to an address taken by another client */
3134 struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3135 if (he)
3136 {
3137 struct multi_instance *ex_mi = (struct multi_instance *)he->value;
3138
3139 struct tls_multi *m1 = mi->context.c2.tls_multi;
3140 struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3141
3142 /* do not float if target address is taken by client with another cert */
3144 {
3145 msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3146 multi_instance_string(ex_mi, false, &gc));
3147
3148 mi->context.c2.buf.len = 0;
3149
3150 goto done;
3151 }
3152
3153 /* It doesn't make sense to let a peer float to the address it already
3154 * has, so we disallow it. This can happen if a DCO netlink notification
3155 * gets lost and we miss a floating step.
3156 */
3157 if (m1->peer_id == m2->peer_id)
3158 {
3159 msg(M_WARN,
3160 "disallowing peer %" PRIu32 " (%s) from floating to "
3161 "its own address (%s)",
3162 m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
3163 mroute_addr_print(&mi->real, &gc));
3164 goto done;
3165 }
3166
3168 "closing instance %s due to float collision with %s "
3169 "using the same certificate",
3170 multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc));
3171 multi_close_instance(m, ex_mi, false);
3172 }
3173
3174 msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3178
3179 /* remove old address from hash table before changing address */
3180 ASSERT(hash_remove(m->hash, &mi->real));
3181 ASSERT(hash_remove(m->iter, &mi->real));
3182
3183 /* change external network address of the remote peer */
3184 mi->real = real;
3185 generate_prefix(mi);
3186
3187 mi->context.c2.from = m->top.c2.from;
3188 mi->context.c2.to_link_addr = &mi->context.c2.from;
3189
3190 /* inherit parent link_socket and link_socket_info */
3191 mi->context.c2.link_sockets[0] = sock;
3193
3195
3196 ASSERT(hash_add(m->hash, &mi->real, mi, false));
3197 ASSERT(hash_add(m->iter, &mi->real, mi, false));
3198
3199#ifdef ENABLE_MANAGEMENT
3200 ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3201#endif
3202
3203done:
3204 gc_free(&gc);
3205}
3206
3207/*
3208 * Called when an instance should be closed due to the
3209 * reception of a soft signal.
3210 */
3211void
3213{
3214 remap_signal(&mi->context);
3215 set_prefix(mi);
3216 print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3217 clear_prefix();
3218 multi_close_instance(m, mi, false);
3219}
3220
3221#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) \
3222 || defined(ENABLE_MANAGEMENT)
3223static void
3224multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3225{
3226 mi->context.sig->signal_received = sig;
3228}
3229#endif
3230
3231#if defined(ENABLE_DCO)
3232static void
3233process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, dco_context_t *dco)
3234{
3235 const char *reason = "ovpn-dco: unknown reason";
3236 switch (dco->dco_del_peer_reason)
3237 {
3239 reason = "ovpn-dco: ping expired";
3240 break;
3241
3243 reason = "ovpn-dco: transport error";
3244 break;
3245
3247 reason = "ovpn-dco: transport disconnected";
3248 break;
3249
3251 /* We assume that is ourselves. Unfortunately, sometimes these
3252 * events happen with enough delay that they can have an order of
3253 *
3254 * dco_del_peer x
3255 * [new client connecting]
3256 * dco_new_peer x
3257 * event from dco_del_peer arrives.
3258 *
3259 * if we do not ignore this we get desynced with the kernel
3260 * since we assume the peer-id is free again. The other way would
3261 * be to send a dco_del_peer again
3262 */
3263 return;
3264 }
3265
3266 /* When kernel already deleted the peer, the socket is no longer
3267 * installed, and we do not need to clean up the state in the kernel */
3268 mi->context.c2.tls_multi->dco_peer_id = -1;
3269 mi->context.sig->signal_text = reason;
3270 mi->context.c2.dco_read_bytes = dco->dco_read_bytes;
3271 mi->context.c2.dco_write_bytes = dco->dco_write_bytes;
3272 multi_signal_instance(m, mi, SIGTERM);
3273}
3274
3275bool
3277{
3278 dco_context_t *dco = &m->top.c1.tuntap->dco;
3279
3280 struct multi_instance *mi = NULL;
3281
3282 int ret = dco_do_read(&m->top.c1.tuntap->dco);
3283
3284 int peer_id = dco->dco_message_peer_id;
3285
3286 /* no peer-specific message delivered -> nothing to process.
3287 * bail out right away
3288 */
3289 if (peer_id < 0)
3290 {
3291 return ret > 0;
3292 }
3293
3294 if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3295 {
3296 mi = m->instances[peer_id];
3297 set_prefix(mi);
3298 if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3299 {
3300 process_incoming_del_peer(m, mi, dco);
3301 }
3302 else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
3303 {
3304 ASSERT(mi->context.c2.link_sockets[0]);
3306 &m->top.c2.from.dest,
3307 (struct sockaddr *)&dco->dco_float_peer_ss);
3309 CLEAR(dco->dco_float_peer_ss);
3310 }
3311 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3312 {
3314 }
3315 clear_prefix();
3316 }
3317 else
3318 {
3319 int msglevel = D_DCO;
3320 if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3321 && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3322 {
3323 /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3324 * after we kill the peer ourselves. This peer may have already
3325 * been deleted, so we end up here.
3326 * In this case, print the following debug message with DCO_DEBUG
3327 * level only to avoid polluting the standard DCO level with this
3328 * harmless event.
3329 */
3330 msglevel = D_DCO_DEBUG;
3331 }
3332 msg(msglevel,
3333 "Received DCO message for unknown peer-id: %d, "
3334 "type %d, del_peer_reason %d",
3335 peer_id, dco->dco_message_type, dco->dco_del_peer_reason);
3336 }
3337
3338 dco->dco_message_type = 0;
3339 dco->dco_message_peer_id = -1;
3340 dco->dco_del_peer_reason = -1;
3341 dco->dco_read_bytes = 0;
3342 dco->dco_write_bytes = 0;
3343 return ret > 0;
3344}
3345#endif /* if defined(ENABLE_DCO) */
3346
3347/*
3348 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3349 * i.e. client -> server direction.
3350 */
3351bool
3353 const unsigned int mpp_flags, struct link_socket *sock)
3354{
3355 struct gc_arena gc = gc_new();
3356
3357 struct context *c;
3358 struct mroute_addr src, dest;
3359 unsigned int mroute_flags;
3360 struct multi_instance *mi;
3361 bool ret = true;
3362 bool floated = false;
3363
3364 if (m->pending)
3365 {
3366 return true;
3367 }
3368
3369 if (!instance)
3370 {
3371#ifdef MULTI_DEBUG_EVENT_LOOP
3372 printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3373#endif
3374 multi_set_pending(m, multi_get_create_instance_udp(m, &floated, sock));
3375 }
3376 else
3377 {
3378 multi_set_pending(m, instance);
3379 }
3380
3381 if (m->pending)
3382 {
3383 set_prefix(m->pending);
3384
3385 /* get instance context */
3386 c = &m->pending->context;
3387
3388 if (!instance)
3389 {
3390 /* transfer packet pointer from top-level context buffer to instance */
3391 c->c2.buf = m->top.c2.buf;
3392
3393 /* transfer from-addr from top-level context buffer to instance */
3394 if (!floated)
3395 {
3396 c->c2.from = m->top.c2.from;
3397 }
3398 }
3399
3400 if (BLEN(&c->c2.buf) > 0)
3401 {
3402 struct link_socket_info *lsi;
3403 const uint8_t *orig_buf;
3404
3405 /* decrypt in instance context */
3406
3408 lsi = &sock->info;
3409 orig_buf = c->c2.buf.data;
3410 if (process_incoming_link_part1(c, lsi, floated))
3411 {
3412 /* nonzero length means that we have a valid, decrypted packed */
3413 if (floated && c->c2.buf.len > 0)
3414 {
3415 multi_process_float(m, m->pending, sock);
3416 }
3417
3418 process_incoming_link_part2(c, lsi, orig_buf);
3419 }
3420 perf_pop();
3421
3423 {
3424 /* extract packet source and dest addresses */
3425 mroute_flags =
3427
3428 /* drop packet if extract failed */
3429 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3430 {
3431 c->c2.to_tun.len = 0;
3432 }
3433 /* make sure that source address is associated with this client */
3434 else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3435 {
3436 /* IPv6 link-local address (fe80::xxx)? */
3437 if ((src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3438 && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr))
3439 {
3440 /* do nothing, for now. TODO: add address learning */
3441 }
3442 else
3443 {
3445 "MULTI: bad source address from client [%s], packet dropped",
3446 mroute_addr_print(&src, &gc));
3447 }
3448 c->c2.to_tun.len = 0;
3449 }
3450 /* client-to-client communication enabled? */
3451 else if (m->enable_c2c)
3452 {
3453 /* multicast? */
3454 if (mroute_flags & MROUTE_EXTRACT_MCAST)
3455 {
3456 /* for now, treat multicast as broadcast */
3457 multi_bcast(m, &c->c2.to_tun, m->pending, 0);
3458 }
3459 else /* possible client to client routing */
3460 {
3461 ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3462 mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3463
3464 /* if dest addr is a known client, route to it */
3465 if (mi)
3466 {
3467 {
3468 multi_unicast(m, &c->c2.to_tun, mi);
3470 }
3471 c->c2.to_tun.len = 0;
3472 }
3473 }
3474 }
3475 }
3476 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3477 {
3478 uint16_t vid = 0;
3479
3480 if (m->top.options.vlan_tagging)
3481 {
3482 if (vlan_is_tagged(&c->c2.to_tun))
3483 {
3484 /* Drop VLAN-tagged frame. */
3485 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3486 c->c2.to_tun.len = 0;
3487 }
3488 else
3489 {
3490 vid = c->options.vlan_pvid;
3491 }
3492 }
3493 /* extract packet source and dest addresses */
3494 mroute_flags =
3495 mroute_extract_addr_from_packet(&src, &dest, vid, &c->c2.to_tun, DEV_TYPE_TAP);
3496
3497 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3498 {
3499 if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3500 {
3501 /* check for broadcast */
3502 if (m->enable_c2c)
3503 {
3504 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3505 {
3506 multi_bcast(m, &c->c2.to_tun, m->pending, vid);
3507 }
3508 else /* try client-to-client routing */
3509 {
3510 mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3511
3512 /* if dest addr is a known client, route to it */
3513 if (mi)
3514 {
3515 multi_unicast(m, &c->c2.to_tun, mi);
3517 c->c2.to_tun.len = 0;
3518 }
3519 }
3520 }
3521 }
3522 else
3523 {
3525 "MULTI: bad source address from client [%s], packet dropped",
3526 mroute_addr_print(&src, &gc));
3527 c->c2.to_tun.len = 0;
3528 }
3529 }
3530 else
3531 {
3532 c->c2.to_tun.len = 0;
3533 }
3534 }
3535 }
3536
3537 /* postprocess and set wakeup */
3538 ret = multi_process_post(m, m->pending, mpp_flags);
3539
3540 clear_prefix();
3541 }
3542
3543 gc_free(&gc);
3544 return ret;
3545}
3546
3547/*
3548 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3549 * i.e. server -> client direction.
3550 */
3551bool
3552multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3553{
3554 bool ret = true;
3555
3556 if (BLEN(&m->top.c2.buf) > 0)
3557 {
3558 unsigned int mroute_flags;
3559 struct mroute_addr src = { 0 }, dest = { 0 };
3560 const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3561 int16_t vid = 0;
3562
3563#ifdef MULTI_DEBUG_EVENT_LOOP
3564 printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3565#endif
3566
3567 if (m->pending)
3568 {
3569 return true;
3570 }
3571
3572 if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3573 {
3574 vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3575 if (vid < 0)
3576 {
3577 return false;
3578 }
3579 }
3580
3581 /*
3582 * Route an incoming tun/tap packet to
3583 * the appropriate multi_instance object.
3584 */
3585
3586 mroute_flags = mroute_extract_addr_from_packet(&src, &dest, vid, &m->top.c2.buf, dev_type);
3587
3589 {
3590 struct context *c;
3591
3592 /* broadcast or multicast dest addr? */
3593 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3594 {
3595 /* for now, treat multicast as broadcast */
3596 multi_bcast(m, &m->top.c2.buf, NULL, vid);
3597 }
3598 else
3599 {
3601 m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3602
3603 if (m->pending)
3604 {
3605 /* get instance context */
3606 c = &m->pending->context;
3607
3608 set_prefix(m->pending);
3609
3610 {
3612 {
3613 /* transfer packet pointer from top-level context buffer to instance */
3614 c->c2.buf = m->top.c2.buf;
3615 }
3616 else
3617 {
3618 /* drop packet */
3620 "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3621 buf_reset_len(&c->c2.buf);
3622 }
3623 }
3624
3625 /* encrypt in instance context */
3627
3628 /* postprocess and set wakeup */
3629 ret = multi_process_post(m, m->pending, mpp_flags);
3630
3631 clear_prefix();
3632 }
3633 }
3634 }
3635 }
3636 return ret;
3637}
3638
3639/*
3640 * Process a possible client-to-client/bcast/mcast message in the
3641 * queue.
3642 */
3643struct multi_instance *
3645{
3646 struct mbuf_item item;
3647
3648 if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3649 {
3650 unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
3651
3652 set_prefix(item.instance);
3653 item.instance->context.c2.buf = item.buffer->buf;
3654 if (item.buffer->flags
3655 & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3656 {
3657 pip_flags |= PIP_MSSFIX;
3658 }
3659 process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf,
3660 item.instance->context.c2.link_sockets[0]);
3661 encrypt_sign(&item.instance->context, true);
3662 mbuf_free_buf(item.buffer);
3663
3664 dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3665
3666 clear_prefix();
3667 return item.instance;
3668 }
3669 else
3670 {
3671 return NULL;
3672 }
3673}
3674
3675/*
3676 * Called when an I/O wait times out. Usually means that a particular
3677 * client instance object needs timer-based service.
3678 */
3679bool
3680multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3681{
3682 bool ret = true;
3683
3684#ifdef MULTI_DEBUG_EVENT_LOOP
3685 printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3686#endif
3687
3688 /* instance marked for wakeup? */
3689 if (m->earliest_wakeup)
3690 {
3692 {
3696 }
3697 else
3698 {
3700 ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3701 clear_prefix();
3702 }
3703 m->earliest_wakeup = NULL;
3704 }
3705 return ret;
3706}
3707
3708/*
3709 * Drop a TUN/TAP outgoing packet..
3710 */
3711void
3712multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3713{
3714 struct multi_instance *mi = m->pending;
3715
3716 ASSERT(mi);
3717
3718 set_prefix(mi);
3719
3720 msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3721 mi->context.c2.to_tun.len);
3722
3723 buf_reset(&mi->context.c2.to_tun);
3724
3725 multi_process_post(m, mi, mpp_flags);
3726 clear_prefix();
3727}
3728
3729/*
3730 * Per-client route quota management
3731 */
3732
3733void
3735{
3736 struct gc_arena gc = gc_new();
3738 "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3740 gc_free(&gc);
3741}
3742
3743#ifdef ENABLE_DEBUG
3744/*
3745 * Flood clients with random packets
3746 */
3747static void
3748gremlin_flood_clients(struct multi_context *m)
3749{
3750 const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3751 if (level)
3752 {
3753 struct gc_arena gc = gc_new();
3754 struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3755 struct packet_flood_parms parm = get_packet_flood_parms(level);
3756 int i;
3757
3758 ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3759 parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3760
3761 msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3762 parm.n_packets, parm.packet_size);
3763
3764 for (i = 0; i < parm.packet_size; ++i)
3765 {
3766 ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3767 }
3768
3769 for (i = 0; i < parm.n_packets; ++i)
3770 {
3771 multi_bcast(m, &buf, NULL, 0);
3772 }
3773
3774 gc_free(&gc);
3775 }
3776}
3777#endif /* ifdef ENABLE_DEBUG */
3778
3779static bool
3781{
3782 struct timeval null;
3783 CLEAR(null);
3785}
3786
3787/*
3788 * Process timers in the top-level context
3789 */
3790void
3792{
3793 /* possibly reap instances/routes in vhash */
3795
3796 /* possibly print to status log */
3797 if (m->top.c1.status_output)
3798 {
3800 {
3802 }
3803 }
3804
3805 /* possibly flush ifconfig-pool file */
3807
3808#ifdef ENABLE_DEBUG
3809 gremlin_flood_clients(m);
3810#endif
3811
3812 /* Should we check for stale routes? */
3814 {
3816 }
3817
3818#ifdef ENABLE_MANAGEMENT
3819 if (management)
3820 {
3822 }
3823#endif /* ENABLE_MANAGEMENT */
3824}
3825
3826static void
3828{
3829 inherit_context_top(&top->multi->top, top);
3831}
3832
3833static void
3839
3840static bool
3842{
3843 return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3844}
3845
3846static void
3848{
3849 struct hash_iterator hi;
3850 struct hash_element *he;
3851 struct timeval tv;
3852
3853 /* tell all clients to restart */
3854 hash_iterator_init(m->iter, &hi);
3855 while ((he = hash_iterator_next(&hi)))
3856 {
3857 struct multi_instance *mi = (struct multi_instance *)he->value;
3858 if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
3859 {
3860 send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART",
3861 D_PUSH);
3863 }
3864 }
3865 hash_iterator_free(&hi);
3866
3867 /* reschedule signal */
3869 tv.tv_sec = 2;
3870 tv.tv_usec = 0;
3872
3874
3878
3879 signal_reset(m->top.sig, 0);
3880}
3881
3882/*
3883 * Return true if event loop should break,
3884 * false if it should continue.
3885 */
3886bool
3888{
3889 if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3890 {
3891 struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3893 status_close(so);
3894 return false;
3895 }
3899 {
3901 return false;
3902 }
3903 return true;
3904}
3905
3906/*
3907 * Management subsystem callbacks
3908 */
3909#ifdef ENABLE_MANAGEMENT
3910
3911static void
3912management_callback_status(void *arg, const int version, struct status_output *so)
3913{
3914 struct multi_context *m = (struct multi_context *)arg;
3915
3916 if (!version)
3917 {
3919 }
3920 else
3921 {
3922 multi_print_status(m, so, version);
3923 }
3924}
3925
3926static int
3928{
3929 struct multi_context *m = (struct multi_context *)arg;
3930 return m->n_clients;
3931}
3932
3933static int
3934management_callback_kill_by_cn(void *arg, const char *del_cn)
3935{
3936 struct multi_context *m = (struct multi_context *)arg;
3937 struct hash_iterator hi;
3938 struct hash_element *he;
3939 int count = 0;
3940
3941 hash_iterator_init(m->iter, &hi);
3942 while ((he = hash_iterator_next(&hi)))
3943 {
3944 struct multi_instance *mi = (struct multi_instance *)he->value;
3945 if (!mi->halt)
3946 {
3947 const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3948 if (cn && !strcmp(cn, del_cn))
3949 {
3950 multi_signal_instance(m, mi, SIGTERM);
3951 ++count;
3952 }
3953 }
3954 }
3955 hash_iterator_free(&hi);
3956 return count;
3957}
3958
3959static int
3960management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
3961{
3962 struct multi_context *m = (struct multi_context *)arg;
3963 struct hash_iterator hi;
3964 struct hash_element *he;
3965 struct openvpn_sockaddr saddr;
3966 struct mroute_addr maddr;
3967 int count = 0;
3968
3969 CLEAR(saddr);
3970 saddr.addr.in4.sin_family = AF_INET;
3971 saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3972 saddr.addr.in4.sin_port = htons(port);
3973 if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3974 {
3975 maddr.proto = proto;
3976 hash_iterator_init(m->iter, &hi);
3977 while ((he = hash_iterator_next(&hi)))
3978 {
3979 struct multi_instance *mi = (struct multi_instance *)he->value;
3980 if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3981 {
3982 multi_signal_instance(m, mi, SIGTERM);
3983 ++count;
3984 }
3985 }
3986 hash_iterator_free(&hi);
3987 }
3988 return count;
3989}
3990
3991static void
3993{
3994 struct multi_context *m = (struct multi_context *)arg;
3995 if (m->multi_io)
3996 {
3998 }
3999}
4000
4001struct multi_instance *
4002lookup_by_cid(struct multi_context *m, const unsigned long cid)
4003{
4004 if (m)
4005 {
4006 struct multi_instance *mi = (struct multi_instance *)hash_lookup(m->cid_hash, &cid);
4007 if (mi && !mi->halt)
4008 {
4009 return mi;
4010 }
4011 }
4012 return NULL;
4013}
4014
4015static bool
4016management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
4017{
4018 struct multi_context *m = (struct multi_context *)arg;
4019 struct multi_instance *mi = lookup_by_cid(m, cid);
4020 if (mi)
4021 {
4022 send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
4024 return true;
4025 }
4026 else
4027 {
4028 return false;
4029 }
4030}
4031
4032static bool
4033management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4034 const char *extra, unsigned int timeout)
4035{
4036 struct multi_context *m = (struct multi_context *)arg;
4037 struct multi_instance *mi = lookup_by_cid(m, cid);
4038
4039 if (mi)
4040 {
4041 struct tls_multi *multi = mi->context.c2.tls_multi;
4042 struct tls_session *session;
4043
4044 if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4045 {
4046 session = &multi->session[TM_INITIAL];
4047 }
4048 else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4049 {
4050 session = &multi->session[TM_ACTIVE];
4051 }
4052 else
4053 {
4054 return false;
4055 }
4056
4057 /* sends INFO_PRE and AUTH_PENDING messages to client */
4058 bool ret = send_auth_pending_messages(multi, session, extra, timeout);
4061 return ret;
4062 }
4063 return false;
4064}
4065
4066
4067static bool
4068management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4069 const bool auth, const char *reason, const char *client_reason,
4070 struct buffer_list *cc_config) /* ownership transferred */
4071{
4072 struct multi_context *m = (struct multi_context *)arg;
4073 struct multi_instance *mi = lookup_by_cid(m, cid);
4074 bool cc_config_owned = true;
4075 bool ret = false;
4076
4077 if (mi)
4078 {
4079 ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4080 if (ret)
4081 {
4082 if (auth)
4083 {
4085 {
4087 cc_config_owned = false;
4088 }
4089 }
4090 else if (reason)
4091 {
4092 msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason,
4093 np(client_reason));
4094 }
4095 }
4096 }
4097 if (cc_config_owned && cc_config)
4098 {
4100 }
4101 return ret;
4102}
4103
4104static char *
4105management_get_peer_info(void *arg, const unsigned long cid)
4106{
4107 struct multi_context *m = (struct multi_context *)arg;
4108 struct multi_instance *mi = lookup_by_cid(m, cid);
4109 char *ret = NULL;
4110
4111 if (mi)
4112 {
4113 ret = mi->context.c2.tls_multi->peer_info;
4114 }
4115
4116 return ret;
4117}
4118
4119#endif /* ifdef ENABLE_MANAGEMENT */
4120
4121
4122void
4148
4149void
4151{
4152 /* max_clients must be less then max peer-id value */
4154
4155 for (int i = 0; i < m->max_clients; ++i)
4156 {
4157 if (!m->instances[i])
4158 {
4159 mi->context.c2.tls_multi->peer_id = i;
4160 m->instances[i] = mi;
4161 break;
4162 }
4163 }
4164
4165 /* should not really end up here, since multi_create_instance returns null
4166 * if amount of clients exceeds max_clients */
4168}
4169
4170/**************************************************************************/
4177static void
4179{
4180 int status;
4181
4182 while (true)
4183 {
4185
4186 /* wait on tun/socket list */
4187 multi_get_timeout(multi, &multi->top.c2.timeval);
4188 status = multi_io_wait(multi);
4189 MULTI_CHECK_SIG(multi);
4190
4191 /* check on status of coarse timers */
4193
4194 /* timeout? */
4195 if (status > 0)
4196 {
4197 /* process the I/O which triggered select */
4198 multi_io_process_io(multi);
4199 }
4200 else if (status == 0)
4201 {
4202 multi_io_action(multi, NULL, TA_TIMEOUT, false);
4203 }
4204
4205 MULTI_CHECK_SIG(multi);
4206 perf_pop();
4207 }
4208}
4209
4210/*
4211 * Top level event loop.
4212 */
4213void
4215{
4216 ASSERT(top->options.mode == MODE_SERVER);
4217
4218 struct multi_context multi;
4219
4220 top->mode = CM_TOP;
4221 top->multi = &multi;
4223
4224 /* initialize top-tunnel instance */
4226 if (IS_SIG(top))
4227 {
4228 return;
4229 }
4230
4231 /* initialize global multi_context object */
4232 multi_init(top);
4233
4234 /* initialize our cloned top object */
4236
4237 /* initialize management interface */
4239
4240 /* finished with initialization */
4241 initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */
4242
4243#ifdef ENABLE_ASYNC_PUSH
4244 multi.top.c2.inotify_fd = inotify_init();
4245 if (multi.top.c2.inotify_fd < 0)
4246 {
4247 msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
4248 }
4249#endif
4250
4251 tunnel_server_loop(&multi);
4252
4253#ifdef ENABLE_ASYNC_PUSH
4254 close(top->c2.inotify_fd);
4255#endif
4256
4257 /* shut down management interface */
4259
4260 /* save ifconfig-pool */
4261 multi_ifconfig_pool_persist(&multi, true);
4262
4263 /* tear down tunnel instance (unless --persist-tun) */
4264 multi_uninit(&multi);
4265 multi_top_free(&multi);
4267}
4268
4276void
4277update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6)
4278{
4279 struct in_addr addr;
4280 struct in6_addr new_ipv6;
4281
4282 if ((mi->context.options.ifconfig_local && (!old_ip || strcmp(old_ip, mi->context.options.ifconfig_local)))
4283 && inet_pton(AF_INET, mi->context.options.ifconfig_local, &addr) == 1)
4284 {
4285 in_addr_t new_ip = ntohl(addr.s_addr);
4286
4287 /* Add new IP */
4288 multi_learn_in_addr_t(m, mi, new_ip, -1, true);
4289 }
4290
4291 /* TO DO:
4292 * else if (old_ip)
4293 * {
4294 * // remove old IP
4295 * }
4296 */
4297
4298 if ((mi->context.options.ifconfig_ipv6_local && (!old_ipv6 || strcmp(old_ipv6, mi->context.options.ifconfig_ipv6_local)))
4299 && inet_pton(AF_INET6, mi->context.options.ifconfig_ipv6_local, &new_ipv6) == 1)
4300 {
4301 /* Add new IPv6 */
4302 multi_learn_in6_addr(m, mi, new_ipv6, -1, true);
4303 }
4304
4305 /* TO DO:
4306 * else if (old_ipv6)
4307 * {
4308 * // remove old IPv6
4309 * }
4310 */
4311}
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:161
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1158
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1037
#define BSTR(buf)
Definition buffer.h:128
static void buf_reset(struct buffer *buf)
Definition buffer.h:303
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
#define BLEN(buf)
Definition buffer.h:126
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
#define buf_init(buf, offset)
Definition buffer.h:209
static struct gc_arena gc_new(void)
Definition buffer.h:1007
static const char *const key1
Definition cert_data.h:55
#define CCD_DEFAULT
Definition common.h:61
#define counter_format
Definition common.h:30
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
long int get_random(void)
Definition crypto.c:1716
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition crypto.c:1790
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
Data Channel Cryptography SSL library-specific backend interface.
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:371
static int dco_do_read(dco_context_t *dco)
Definition dco.h:311
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:361
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:276
void * dco_context_t
Definition dco.h:261
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:355
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:366
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition env_set.c:283
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
#define D_PUSH
Definition errlevel.h:82
#define D_MULTI_ERRORS
Definition errlevel.h:64
#define D_VLAN_DEBUG
Definition errlevel.h:153
#define D_IMPORT_ERRORS
Definition errlevel.h:63
#define D_ROUTE_QUOTA
Definition errlevel.h:89
#define D_MULTI_MEDIUM
Definition errlevel.h:101
#define D_DCO
Definition errlevel.h:93
#define D_MULTI_DEBUG
Definition errlevel.h:126
#define D_MULTI_DROPPED
Definition errlevel.h:100
#define D_DCO_DEBUG
Definition errlevel.h:117
#define D_MULTI_LOW
Definition errlevel.h:85
#define D_TLS_ERRORS
Definition errlevel.h:58
#define M_INFO
Definition errlevel.h:54
#define D_GREMLIN
Definition errlevel.h:77
@ EVENT_ARG_MULTI_INSTANCE
Definition event.h:137
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:391
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:398
void pre_select(struct context *c)
Definition forward.c:1969
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1652
void extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr, const struct sockaddr *float_sa)
Transfers float_sa data extracted from an incoming DCO PEER_FLOAT_NTF to out_osaddr for later process...
Definition forward.c:1221
Interface functions to the internal and external multiplexers.
#define PIP_MSSFIX
Definition forward.h:318
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:323
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:332
#define ANY_OUT(c)
Definition forward.h:39
static void register_activity(struct context *c, const int size)
Definition forward.h:345
#define PIPV4_PASSTOS
Definition forward.h:317
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:546
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:614
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition multi.c:4214
static void tunnel_server_loop(struct multi_context *multi)
Main event loop for OpenVPN in point-to-multipoint server mode.
Definition multi.c:4178
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:985
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1124
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition multi.c:3352
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition mudp.c:190
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1464
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition multi.c:3552
void uninit_management_callback(void)
Definition init.c:4426
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1547
void close_instance(struct context *c)
Definition init.c:4766
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4927
void free_context_buffers(struct context_buffers *b)
Definition init.c:3696
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4452
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2600
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4839
void context_clear_2(struct context *c)
Definition init.c:88
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4973
void management_show_net_callback(void *arg, const int msglevel)
Definition init.c:4276
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3671
#define CC_GC_FREE
Definition init.h:115
#define CC_HARD_USR1_TO_HUP
Definition init.h:117
#define ISC_SERVER
Definition init.h:127
static int min_int(int x, int y)
Definition integer.h:105
static int constrain_int(int x, int min, int max)
Definition integer.h:118
static SERVICE_STATUS status
Definition interactive.c:51
@ route
Definition interactive.c:85
@ read
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:42
#define ETT_DEFAULT
Definition interval.h:222
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
void hash_iterator_free(struct hash_iterator *hi)
Definition list.c:272
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition list.c:278
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition list.c:310
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition list.c:81
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition list.c:236
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition list.c:37
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition list.c:215
void hash_free(struct hash *hash)
Definition list.c:61
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition list.c:139
static bool hash_remove(struct hash *hash, const void *key)
Definition list.h:164
static void * hash_lookup(struct hash *hash, const void *key)
Definition list.h:131
static int hash_n_elements(const struct hash *hash)
Definition list.h:113
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition list.h:107
static int hash_n_buckets(const struct hash *hash)
Definition list.h:119
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition list.h:149
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3015
void management_check_bytecount_server(struct multi_context *multi)
Definition manage.c:4178
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3027
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3005
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2762
#define MCF_SERVER
Definition manage.h:175
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition mbuf.c:88
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition mbuf.c:64
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition mbuf.c:75
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition mbuf.c:151
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition mbuf.c:110
void mbuf_free(struct mbuf_set *ms)
Definition mbuf.c:48
struct mbuf_set * mbuf_init(unsigned int size)
Definition mbuf.c:38
#define MF_UNICAST
Definition mbuf.h:45
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition mbuf.h:91
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition mroute.c:318
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:520
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition mroute.c:377
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition mroute.c:254
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition mroute.c:371
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition mroute.c:358
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:535
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition mroute.c:63
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition mroute.c:365
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition mroute.c:482
void mroute_addr_init(struct mroute_addr *addr)
Definition mroute.c:38
void mroute_helper_free(struct mroute_helper *mh)
Definition mroute.c:551
#define MROUTE_EXTRACT_SUCCEEDED
Definition mroute.h:37
#define MROUTE_EXTRACT_MCAST
Definition mroute.h:39
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition mroute.h:179
#define MR_WITH_NETBITS
Definition mroute.h:69
#define MR_WITH_PROTO
Definition mroute.h:75
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition mroute.h:240
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition mroute.h:205
#define MAPF_SHOW_FAMILY
Definition mroute.h:154
#define MROUTE_EXTRACT_BCAST
Definition mroute.h:38
#define MR_ADDR_IPV6
Definition mroute.h:62
#define MR_ADDR_MASK
Definition mroute.h:63
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition mtcp.c:124
void multi_tcp_delete_event(struct multi_io *multi_io, event_t event)
Definition mtcp.c:130
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition mtcp.c:102
void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi)
Definition mtcp.c:139
#define BUF_SIZE(f)
Definition mtu.h:178
static const char * np(const char *str)
Definition multi-auth.c:146
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition multi.c:1053
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2971
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2463
static void multi_reap_free(struct multi_reap *mr)
Definition multi.c:232
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition multi.c:1925
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition multi.c:208
static void multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
Handles peer floating.
Definition multi.c:3113
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition multi.c:732
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1298
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition multi.c:161
static void multi_top_free(struct multi_context *m)
Definition multi.c:3834
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition multi.c:3224
void multi_reap_process_dowork(const struct multi_context *m)
Definition multi.c:219
static bool override_locked_username(struct multi_instance *mi)
Overrides the locked username with the username of –override-username.
Definition multi.c:2599
static int management_callback_n_clients(void *arg)
Definition multi.c:3927
bool multi_process_signal(struct multi_context *m)
Definition multi.c:3887
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1433
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition multi.c:2236
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:3212
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition multi.c:3013
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2673
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition multi.c:3791
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition multi.c:1574
static void multi_client_connect_setenv(struct multi_instance *mi)
Definition multi.c:1718
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition multi.c:3644
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3680
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition multi.c:3934
static bool stale_route_check_trigger(struct multi_context *m)
Definition multi.c:3780
struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition multi.c:4002
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition multi.c:4016
static void multi_init(struct context *t)
Definition multi.c:286
static void generate_prefix(struct multi_instance *mi)
Definition multi.c:472
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:501
static void management_delete_event(void *arg, event_t event)
Definition multi.c:3992
static bool multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc)
Definition multi.c:2294
static void multi_uninit(struct multi_context *m)
Definition multi.c:684
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition multi.c:442
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition multi.c:2340
void update_vhash(struct multi_context *m, struct multi_instance *mi, const char *old_ip, const char *old_ipv6)
Update the vhash with new IP/IPv6 addresses in the multi_context when a push-update message containin...
Definition multi.c:4277
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition multi.c:2949
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:94
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition multi.c:2884
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition multi.c:582
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition multi.c:4033
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition multi.c:2580
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition multi.c:3847
static void multi_top_init(struct context *top)
Definition multi.c:3827
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:551
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition multi.c:2030
static void check_stale_routes(struct multi_context *m)
Definition multi.c:1383
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port, const int proto)
Definition multi.c:3960
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition multi.c:172
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition multi.c:4068
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, uint16_t vid)
Definition multi.c:2901
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition multi.c:2498
static void multi_reap_all(const struct multi_context *m)
Definition multi.c:202
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition multi.c:2865
static int reap_buckets_per_pass(int n_buckets)
Definition multi.c:241
static void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition multi.c:828
void route_quota_exceeded(const struct multi_instance *mi)
Definition multi.c:3734
void ungenerate_prefix(struct multi_instance *mi)
Definition multi.c:489
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition multi.c:4150
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2146
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition multi.c:2530
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2056
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition multi.c:1620
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition multi.c:1343
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition multi.c:1142
void init_management_callback_multi(struct multi_context *m)
Definition multi.c:4123
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition multi.c:1957
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition multi.c:4105
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition multi.c:2195
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition multi.c:1748
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition multi.c:1646
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition multi.c:1217
static bool is_exit_restart(int sig)
Definition multi.c:3841
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition multi.c:1413
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition multi.c:75
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3712
static bool cid_compare_function(const void *key1, const void *key2)
Definition multi.c:256
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:1685
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition multi.c:2317
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition multi.c:1256
static void setenv_stats(struct multi_context *m, struct context *c)
Definition multi.c:523
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition multi.c:249
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition multi.c:3912
static void update_mstat_n_clients(const int n_clients)
Definition multi.c:83
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition multi.c:2007
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition multi.c:1900
static const multi_client_connect_handler client_connect_handlers[]
Definition multi.c:2584
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:538
Header file for server-mode related structures and functions.
bool multi_process_incoming_dco(struct multi_context *m)
Process an incoming DCO message (from kernel space).
#define MPP_CONDITIONAL_PRE_SELECT
Definition multi.h:276
client_connect_return
Return values used by the client connect call-back functions.
Definition multi.h:227
@ CC_RET_DEFERRED
Definition multi.h:230
@ CC_RET_FAILED
Definition multi.h:228
@ CC_RET_SKIPPED
Definition multi.h:231
@ CC_RET_SUCCEEDED
Definition multi.h:229
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition multi.h:393
#define MULTI_PREFIX_MAX_LENGTH
Definition multi.h:45
#define MULTI_CHECK_SIG(m)
Definition multi.h:672
#define REAP_MIN
Definition multi.h:552
static void set_prefix(struct multi_instance *mi)
Definition multi.h:521
static void multi_route_del(struct multi_route *route)
Definition multi.h:480
static void multi_reap_process(const struct multi_context *m)
Definition multi.h:566
static void route_quota_inc(struct multi_instance *mi)
Definition multi.h:433
#define MULTI_ROUTE_CACHE
Definition multi.h:242
static void clear_prefix(void)
Definition multi.h:533
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition multi.h:489
#define REAP_DIVISOR
Definition multi.h:551
#define MULTI_CACHE_ROUTE_TTL
Definition multi.h:559
#define MPP_CLOSE_ON_SIGNAL
Definition multi.h:277
#define REAP_MAX
Definition multi.h:553
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition multi.h:470
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition multi.h:464
static void multi_get_timeout(struct multi_context *m, struct timeval *dest)
Definition multi.h:593
#define CLIENT_CONNECT_OPT_MASK
Definition multi.h:653
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition multi.h:675
#define MULTI_ROUTE_AGEABLE
Definition multi.h:243
#define MPP_RECORD_TOUCH
Definition multi.h:278
#define MPP_PRE_SELECT
Definition multi.h:275
static void multi_process_per_second_timers(struct multi_context *m)
Definition multi.h:575
static bool route_quota_test(const struct multi_instance *mi)
Definition multi.h:446
void multi_io_process_io(struct multi_context *m)
Definition multi_io.c:423
struct multi_io * multi_io_init(int maxevents, int *maxclients)
Definition multi_io.c:116
void multi_io_free(struct multi_io *multi_io)
Definition multi_io.c:158
int multi_io_wait(struct multi_context *m)
Definition multi_io.c:169
void multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll)
Definition multi_io.c:559
#define TA_TIMEOUT
Definition multi_io.h:45
#define CLEAR(x)
Definition basic.h:32
#define M_OPTERR
Definition error.h:99
#define M_USAGE
Definition error.h:105
static bool check_debug_level(unsigned int level)
Definition error.h:257
#define M_NONFATAL
Definition error.h:89
#define dmsg(flags,...)
Definition error.h:170
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
#define M_ERRNO
Definition error.h:93
static bool is_cas_pending(enum multi_status cas)
Definition openvpn.h:209
#define MAX_PEER_ID
Definition openvpn.h:554
#define CM_TOP
Definition openvpn.h:483
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5517
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
const char title_string[]
Definition options.c:70
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9911
#define MODE_SERVER
Definition options.h:261
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
#define OPT_P_COMP
Definition options.h:742
const char * time_string(time_t t, long usec, bool show_usec, struct gc_arena *gc)
Definition otime.c:104
struct frequency_limit * frequency_limit_init(int max, int per)
Definition otime.c:141
time_t now
Definition otime.c:33
void frequency_limit_free(struct frequency_limit *f)
Definition otime.c:156
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition otime.h:63
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:131
@ OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_CMD_FLOAT_PEER
@ OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_DEL_PEER
#define PERF_MULTI_BCAST
Definition perf.h:47
static void perf_push(int type)
Definition perf.h:77
#define PERF_EVENT_LOOP
Definition perf.h:43
#define PERF_MULTI_CLOSE_INSTANCE
Definition perf.h:45
#define PERF_PROC_IN_LINK
Definition perf.h:51
static void perf_pop(void)
Definition perf.h:81
#define PERF_MULTI_CREATE_INSTANCE
Definition perf.h:44
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition platform.c:659
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:544
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition platform.c:595
bool platform_unlink(const char *filename)
Definition platform.c:491
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition pool.c:297
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition pool.c:349
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition pool.c:712
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition pool.c:573
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition pool.c:281
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition pool.c:586
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition pool.c:140
pool_type
Definition pool.h:35
@ IFCONFIG_POOL_30NET
Definition pool.h:36
@ IFCONFIG_POOL_INDIV
Definition pool.h:37
#define DEV_TYPE_TAP
Definition proto.h:36
#define DEV_TYPE_UNDEF
Definition proto.h:34
#define TOP_NET30
Definition proto.h:41
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_P2P
Definition proto.h:42
#define TOP_SUBNET
Definition proto.h:43
int process_incoming_push_request(struct context *c)
Definition push.c:974
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:490
void push_option(struct options *o, const char *opt, int msglevel)
Definition push.c:884
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:434
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1120
bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options)
Definition push_util.c:302
bool management_callback_send_push_update_broadcast(void *arg, const char *options)
Definition push_util.c:294
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition schedule.c:421
struct schedule * schedule_init(void)
Definition schedule.c:406
void schedule_free(struct schedule *s)
Definition schedule.c:415
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition schedule.h:97
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition sig.c:262
void remap_signal(struct context *c)
Definition sig.c:588
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:175
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition sig.c:290
#define IS_SIG(c)
Definition sig.h:47
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition socket.c:1877
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
#define SA_SET_IF_NONZERO
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4074
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1765
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1637
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition ssl_common.h:584
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:582
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition ssl_common.h:585
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:583
@ CAS_NOT_CONNECTED
Definition ssl_common.h:581
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:586
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:426
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition ssl_ncp.c:246
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition ssl_ncp.c:225
const char * ncp_expanded_ciphers(struct options *o, struct gc_arena *gc)
returns the o->ncp_ciphers in brackets, e.g.
Definition ssl_ncp.c:618
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:60
SSL utility functions.
bool ssl_verify_username_length(struct tls_session *session, const char *username)
Checks if the username length is valid to use.
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition ssl_verify.c:229
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition ssl_verify.c:286
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition ssl_verify.c:132
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition ssl_verify.c:172
void set_common_name(struct tls_session *session, const char *common_name)
Sets the common name field for the given tunnel.
Definition ssl_verify.c:85
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
Control Channel Verification Module.
bool status_trigger(struct status_output *so)
Definition status.c:124
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:213
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:60
void status_flush(struct status_output *so)
Definition status.c:148
void status_reset(struct status_output *so)
Definition status.c:139
bool status_close(struct status_output *so)
Definition status.c:179
Definition argv.h:35
Definition buffer.h:1097
struct buffer_entry * next
Definition buffer.h:1099
struct buffer buf
Definition buffer.h:1098
struct buffer_entry * head
Definition buffer.h:1104
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
Detached client connection state.
Definition multi.h:72
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition multi.h:89
unsigned int option_types_found
Definition multi.h:77
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition multi.h:83
unsigned int flags
Definition comp.h:77
int explicit_exit_notification
Definition options.h:147
int fragment
Definition options.h:138
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
struct status_output * status_output
Definition openvpn.h:185
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
bool push_request_received
Definition openvpn.h:427
counter_type link_read_bytes
Definition openvpn.h:266
counter_type link_write_bytes
Definition openvpn.h:269
bool push_ifconfig_ipv6_defined
Definition openvpn.h:434
struct fragment_master * fragment
Definition openvpn.h:252
bool push_ifconfig_defined
Definition openvpn.h:428
counter_type dco_read_bytes
Definition openvpn.h:267
struct man_def_auth_context mda_context
Definition openvpn.h:453
counter_type dco_write_bytes
Definition openvpn.h:270
struct env_set * es
Definition openvpn.h:420
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
struct frame frame
Definition openvpn.h:248
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:437
struct link_socket_actual from
Definition openvpn.h:245
struct frame frame_fragment
Definition openvpn.h:253
int push_ifconfig_ipv6_netbits
Definition openvpn.h:436
struct buffer to_link
Definition openvpn.h:377
struct buffer to_tun
Definition openvpn.h:376
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:435
struct link_socket ** link_sockets
Definition openvpn.h:237
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:432
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:431
struct buffer buf
Definition openvpn.h:375
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
struct event_set * event_set
Definition openvpn.h:230
struct context_buffers * buffers
Definition openvpn.h:367
in_addr_t push_ifconfig_local
Definition openvpn.h:430
Contains all state information for one tunnel.
Definition openvpn.h:474
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:487
struct multi_context * multi
Pointer to the main P2MP context.
Definition openvpn.h:492
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:505
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct env_set * es
Set of environment variables.
Definition openvpn.h:499
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
int signal_received
Definition multi.h:63
struct timeval wakeup
Definition multi.h:64
struct multi_instance * mi
Definition event.h:147
union event_arg::@1 u
event_arg_t type
Definition event.h:144
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition fragment.h:172
Packet geometry parameters.
Definition mtu.h:103
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
struct frame::@8 buf
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
void * value
Definition list.h:44
const void * key
Definition list.h:45
Definition list.h:56
struct iroute_ipv6 * next
Definition route.h:269
unsigned int netbits
Definition route.h:268
struct in6_addr network
Definition route.h:267
in_addr_t network
Definition route.h:260
int netbits
Definition route.h:261
struct iroute * next
Definition route.h:262
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
bool initialized
Definition crypto.h:285
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
unsigned int mda_key_id
Definition ssl_common.h:263
struct auth_deferred_status script_auth
Definition ssl_common.h:269
enum ks_auth_state authenticated
Definition ssl_common.h:259
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
unsigned long cid
Definition manage.h:64
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:191
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:186
void(* delete_event)(void *arg, event_t event)
Definition manage.h:182
bool(* push_update_broadcast)(void *arg, const char *options)
Definition manage.h:199
bool(* push_update_by_cid)(void *arg, unsigned long cid, const char *options)
Definition manage.h:200
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port, const int proto)
Definition manage.h:181
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:189
int(* n_clients)(void *arg)
Definition manage.h:183
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
unsigned int flags
Definition manage.h:176
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:180
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:185
void(* show_net)(void *arg, const int msglevel)
Definition manage.h:179
unsigned int flags
Definition mbuf.h:46
struct buffer buf
Definition mbuf.h:42
struct mbuf_buffer * buffer
Definition mbuf.h:51
struct multi_instance * instance
Definition mbuf.h:52
uint16_t vid
Definition mroute.h:90
struct mroute_addr::@2::@6 v6
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:89
uint8_t proto
Definition mroute.h:80
uint8_t type
Definition mroute.h:81
in_port_t port
Definition mroute.h:95
uint8_t len
Definition mroute.h:79
uint8_t netbits
Definition mroute.h:82
unsigned int cache_generation
Definition mroute.h:129
Main OpenVPN server state structure.
Definition multi.h:164
int n_clients
Definition multi.h:190
struct mroute_addr local
Definition multi.h:185
struct schedule * schedule
Definition multi.h:175
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition multi.h:176
struct initial_packet_rate_limit * initial_rate_limiter
Definition multi.h:182
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition multi.h:220
int max_clients
Definition multi.h:187
struct multi_reap * reaper
Definition multi.h:184
struct multi_io * multi_io
I/O state and events tracker.
Definition multi.h:179
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:168
struct hash * cid_hash
Definition multi.h:193
unsigned long cid_counter
Definition multi.h:194
struct event_timeout stale_routes_check_et
Definition multi.h:213
int tcp_queue_limit
Definition multi.h:188
struct ifconfig_pool * ifconfig_pool
Definition multi.h:180
struct frequency_limit * new_connection_limiter
Definition multi.h:181
struct context top
Storage structure for process-wide configuration.
Definition multi.h:203
int status_file_version
Definition multi.h:189
struct multi_instance * pending
Definition multi.h:197
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition multi.h:170
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition multi.h:172
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:165
struct multi_instance ** mpp_touched
Definition multi.h:199
bool enable_c2c
Definition multi.h:186
struct multi_instance * earliest_wakeup
Definition multi.h:198
struct mroute_helper * route_helper
Definition multi.h:183
Server-mode state structure for one single VPN tunnel.
Definition multi.h:103
struct buffer_list * cc_config
Definition multi.h:139
struct client_connect_defer_state client_connect_defer_state
Definition multi.h:146
bool did_cid_hash
Definition multi.h:138
time_t created
Time at which a VPN tunnel instance was created.
Definition multi.h:117
in_addr_t reporting_addr
Definition multi.h:132
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition multi.h:125
struct mroute_addr real
External network address of the remote peer.
Definition multi.h:122
bool did_iroutes
Definition multi.h:141
ifconfig_pool_handle vaddr_handle
Definition multi.h:124
bool did_real_hash
Definition multi.h:135
struct gc_arena gc
Definition multi.h:113
struct in6_addr reporting_addr_ipv6
Definition multi.h:133
struct timeval wakeup
Definition multi.h:121
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition multi.h:108
bool did_iter
Definition multi.h:136
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:144
int n_clients_delta
Definition multi.h:142
time_t last_call
Definition multi.h:56
int buckets_per_pass
Definition multi.h:55
int bucket_base
Definition multi.h:54
struct mroute_addr addr
Definition multi.h:239
time_t last_reference
Definition multi.h:247
unsigned int cache_generation
Definition multi.h:246
unsigned int flags
Definition multi.h:244
struct multi_instance * instance
Definition multi.h:240
union openvpn_sockaddr::@27 addr
struct sockaddr_in in4
Definition socket_util.h:43
struct compress_options comp
Definition options.h:413
int push_ifconfig_ipv6_netbits
Definition options.h:526
int max_routes_per_client
Definition options.h:539
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:580
int status_file_version
Definition options.h:407
in_addr_t push_ifconfig_constraint_network
Definition options.h:521
const char * tmp_dir
Definition options.h:469
unsigned int imported_protocol_flags
Definition options.h:724
int stale_routes_ageing_time
Definition options.h:541
bool duplicate_cn
Definition options.h:530
bool use_peer_id
Definition options.h:704
in_addr_t ifconfig_pool_netmask
Definition options.h:494
const char * ifconfig_ipv6_local
Definition options.h:325
int cf_max
Definition options.h:532
const char * dev_type
Definition options.h:319
bool push_ifconfig_defined
Definition options.h:516
bool ifconfig_pool_defined
Definition options.h:491
bool vlan_tagging
Definition options.h:713
in_addr_t ifconfig_pool_end
Definition options.h:493
bool ifconfig_ipv6_pool_defined
Definition options.h:498
const char * client_disconnect_script
Definition options.h:505
int n_bcast_buf
Definition options.h:512
const char * ifconfig_local
Definition options.h:323
struct connection_entry ce
Definition options.h:290
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
in_addr_t push_ifconfig_local_alias
Definition options.h:519
int topology
Definition options.h:322
const char * ncp_ciphers
Definition options.h:581
const char * learn_address_script
Definition options.h:506
const char * ciphername
Definition options.h:576
int cf_initial_max
Definition options.h:535
int stale_routes_check_interval
Definition options.h:540
uint16_t vlan_pvid
Definition options.h:715
int mode
Definition options.h:262
int ifconfig_ipv6_pool_netbits
Definition options.h:500
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:522
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
int real_hash_size
Definition options.h:502
in_addr_t push_ifconfig_local
Definition options.h:517
struct gc_arena gc
Definition options.h:253
bool push_ifconfig_constraint_defined
Definition options.h:520
int cf_initial_per
Definition options.h:536
bool force_key_material_export
Definition options.h:711
struct iroute * iroutes
Definition options.h:514
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:527
const char * client_connect_script
Definition options.h:504
bool push_ifconfig_ipv6_defined
Definition options.h:524
int tcp_queue_limit
Definition options.h:513
const char * override_username
Definition options.h:511
int virtual_hash_size
Definition options.h:503
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:525
int max_clients
Definition options.h:538
bool enable_c2c
Definition options.h:529
int cf_per
Definition options.h:533
in_addr_t ifconfig_pool_start
Definition options.h:492
in_addr_t push_ifconfig_remote_netmask
Definition options.h:518
const char * dev
Definition options.h:318
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:499
const char * client_config_dir
Definition options.h:508
int ifconfig_ipv6_netbits
Definition options.h:326
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
Definition schedule.h:44
const char * signal_text
Definition sig.h:44
volatile int signal_received
Definition sig.h:42
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
char * auth_token_initial
The first auth-token we sent to a client.
Definition ssl_common.h:684
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:704
dco_context_t * dco
Definition ssl_common.h:726
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:703
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:650
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:656
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:645
uint32_t peer_id
Definition ssl_common.h:700
bool use_peer_id
Definition ssl_common.h:701
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:654
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:382
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
struct tls_options * opt
Definition ssl_common.h:492
in_addr_t local
Definition tun.h:210
struct in6_addr local_ipv6
Definition tun.h:213
dco_context_t dco
Definition tun.h:249
in_addr_t remote_netmask
Definition tun.h:211
char username[USER_PASS_LEN]
Definition misc.h:67
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:154
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:517
#define TUNNEL_TOPOLOGY(tt)
Definition tun.h:187
#define TUNNEL_TYPE(tt)
Definition tun.h:184
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition vlan.c:81
bool vlan_is_tagged(const struct buffer *buf)
Definition vlan.c:261