OpenVPN
multi.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#ifdef HAVE_SYS_INOTIFY_H
28#include <sys/inotify.h>
29#define INOTIFY_EVENT_BUFFER_SIZE 16384
30#endif
31
32#include "syshead.h"
33
34#include "forward.h"
35#include "multi.h"
36#include "push.h"
37#include "run_command.h"
38#include "otime.h"
39#include "gremlin.h"
40#include "ssl_verify.h"
41#include "ssl_ncp.h"
42#include "vlan.h"
43#include "auth_token.h"
44#include "route.h"
45#include <inttypes.h>
46#include <string.h>
47
48#include "memdbg.h"
49
50
51#include "crypto_backend.h"
52#include "ssl_util.h"
53#include "dco.h"
54#include "reflect_filter.h"
55
56/*#define MULTI_DEBUG_EVENT_LOOP*/
57
58#ifdef MULTI_DEBUG_EVENT_LOOP
59static const char *
60id(struct multi_instance *mi)
61{
62 if (mi)
63 {
64 return tls_common_name(mi->context.c2.tls_multi, false);
65 }
66 else
67 {
68 return "NULL";
69 }
70}
71#endif
72
73#ifdef ENABLE_MANAGEMENT
74static void
75set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
76{
77 buffer_list_free(mi->cc_config);
78 mi->cc_config = cc_config;
79}
80#endif
81
82static bool
83learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op,
84 const struct mroute_addr *addr)
85{
86 struct gc_arena gc = gc_new();
87 struct env_set *es;
88 bool ret = true;
89 struct plugin_list *plugins;
90
91 /* get environmental variable source */
92 if (mi && mi->context.c2.es)
93 {
94 es = mi->context.c2.es;
95 }
96 else
97 {
98 es = env_set_create(&gc);
99 }
100
101 /* get plugin source */
102 if (mi)
103 {
104 plugins = mi->context.plugins;
105 }
106 else
107 {
108 plugins = m->top.plugins;
109 }
110
111 if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
112 {
113 struct argv argv = argv_new();
114 argv_printf(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
115 if (mi)
116 {
117 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
118 }
119 if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es)
120 != OPENVPN_PLUGIN_FUNC_SUCCESS)
121 {
122 msg(M_WARN, "WARNING: learn-address plugin call failed");
123 ret = false;
124 }
125 argv_free(&argv);
126 }
127
128 if (m->top.options.learn_address_script)
129 {
130 struct argv argv = argv_new();
131 setenv_str(es, "script_type", "learn-address");
132 argv_parse_cmd(&argv, m->top.options.learn_address_script);
133 argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
134 if (mi)
135 {
136 argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
137 }
138 if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
139 {
140 ret = false;
141 }
142 argv_free(&argv);
143 }
144
145 gc_free(&gc);
146 return ret;
147}
148
149void
150multi_ifconfig_pool_persist(struct multi_context *m, bool force)
151{
152 /* write pool data to file */
153 if (m->ifconfig_pool && m->top.c1.ifconfig_pool_persist
154 && (force || ifconfig_pool_write_trigger(m->top.c1.ifconfig_pool_persist)))
155 {
156 ifconfig_pool_write(m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
157 }
158}
159
160static void
161multi_reap_range(const struct multi_context *m, uint32_t start_bucket, uint32_t end_bucket)
162{
163 struct gc_arena gc = gc_new();
164 struct hash_iterator hi;
165 struct hash_element *he;
166
167 dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
168 hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
169 while ((he = hash_iterator_next(&hi)) != NULL)
170 {
171 struct multi_route *r = (struct multi_route *)he->value;
172 if (!multi_route_defined(m, r))
173 {
174 dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s", mroute_addr_print(&r->addr, &gc));
175 learn_address_script(m, NULL, "delete", &r->addr);
176 multi_route_del(r);
177 hash_iterator_delete_element(&hi);
178 }
179 }
180 hash_iterator_free(&hi);
181 gc_free(&gc);
182}
183
184static void
185multi_reap_all(const struct multi_context *m)
186{
187 multi_reap_range(m, 0, hash_n_buckets(m->vhash));
188}
189
190static struct multi_reap *
191multi_reap_new(uint32_t buckets_per_pass)
192{
193 struct multi_reap *mr;
194 ALLOC_OBJ(mr, struct multi_reap);
195 mr->bucket_base = 0;
196 mr->buckets_per_pass = buckets_per_pass;
197 mr->last_call = now;
198 return mr;
199}
200
201void
202multi_reap_process_dowork(const struct multi_context *m)
203{
204 struct multi_reap *mr = m->reaper;
205 if (mr->bucket_base >= hash_n_buckets(m->vhash))
206 {
207 mr->bucket_base = 0;
208 }
209 multi_reap_range(m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
210 mr->bucket_base += mr->buckets_per_pass;
211 mr->last_call = now;
212}
213
214static void
215multi_reap_free(struct multi_reap *mr)
216{
217 free(mr);
218}
219
220/*
221 * How many buckets in vhash to reap per pass.
222 */
223static uint32_t
224reap_buckets_per_pass(uint32_t n_buckets)
225{
226 return constrain_uint(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
227}
228
229#ifdef ENABLE_MANAGEMENT
230
231static uint32_t
232cid_hash_function(const void *key, uint32_t iv)
233{
234 const unsigned long *k = (const unsigned long *)key;
235 return (uint32_t)*k;
236}
237
238static bool
239cid_compare_function(const void *key1, const void *key2)
240{
241 const unsigned long *k1 = (const unsigned long *)key1;
242 const unsigned long *k2 = (const unsigned long *)key2;
243 return *k1 == *k2;
244}
245
246#endif
247
248#ifdef ENABLE_ASYNC_PUSH
249static uint32_t
250/*
251 * inotify watcher descriptors are used as hash value
252 */
253int_hash_function(const void *key, uint32_t iv)
254{
255 return (uint32_t)(uintptr_t)key;
256}
257
258static bool
259int_compare_function(const void *key1, const void *key2)
260{
261 return (unsigned long)key1 == (unsigned long)key2;
262}
263#endif
264
265/*
266 * Main initialization function, init multi_context object.
267 */
268static void
269multi_init(struct context *t)
270{
271 struct multi_context *m = t->multi;
272 int dev = DEV_TYPE_UNDEF;
273
274 msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
275 t->options.virtual_hash_size);
276
277 /*
278 * Get tun/tap/null device type
279 */
280 dev = dev_type_enum(t->options.dev, t->options.dev_type);
281
282 /*
283 * Init our multi_context object.
284 */
285 CLEAR(*m);
286
287 /*
288 * Real address hash table (source port number is
289 * considered to be part of the address). Used
290 * to determine which client sent an incoming packet
291 * which is seen on the TCP/UDP socket.
292 */
293 m->hash = hash_init(t->options.real_hash_size, (uint32_t)get_random(),
294 mroute_addr_hash_function, mroute_addr_compare_function);
295
296 /*
297 * Virtual address hash table. Used to determine
298 * which client to route a packet to.
299 */
300 m->vhash = hash_init(t->options.virtual_hash_size, (uint32_t)get_random(),
301 mroute_addr_hash_function, mroute_addr_compare_function);
302
303 /*
304 * This hash table is a clone of m->hash but with a
305 * bucket size of one so that it can be used
306 * for fast iteration through the list.
307 */
308 m->iter = hash_init(1, (uint32_t)get_random(), mroute_addr_hash_function,
309 mroute_addr_compare_function);
310
311#ifdef ENABLE_MANAGEMENT
312 m->cid_hash = hash_init(t->options.real_hash_size, 0, cid_hash_function, cid_compare_function);
313#endif
314
315#ifdef ENABLE_ASYNC_PUSH
316 /*
317 * Mapping between inotify watch descriptors and
318 * multi_instances.
319 */
320 m->inotify_watchers = hash_init(t->options.real_hash_size, (uint32_t)get_random(),
321 int_hash_function, int_compare_function);
322#endif
323
324 /*
325 * This is our scheduler, for time-based wakeup
326 * events.
327 */
328 m->schedule = schedule_init();
329
330 /*
331 * Limit frequency of incoming connections to control
332 * DoS.
333 */
334 m->new_connection_limiter = frequency_limit_init(t->options.cf_max, t->options.cf_per);
335 m->initial_rate_limiter =
336 initial_rate_limit_init(t->options.cf_initial_max, t->options.cf_initial_per);
337
338 /*
339 * Allocate broadcast/multicast buffer list
340 */
341 m->mbuf = mbuf_init(t->options.n_bcast_buf);
342
343 /*
344 * Different status file format options are available
345 */
346 m->status_file_version = t->options.status_file_version;
347
348 /*
349 * Possibly allocate an ifconfig pool, do it
350 * differently based on whether a tun or tap style
351 * tunnel.
352 */
353 if (t->options.ifconfig_pool_defined || t->options.ifconfig_ipv6_pool_defined)
354 {
355 int pool_type = IFCONFIG_POOL_INDIV;
356
357 if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
358 {
359 pool_type = IFCONFIG_POOL_30NET;
360 }
361
362 m->ifconfig_pool = ifconfig_pool_init(
363 t->options.ifconfig_pool_defined, pool_type, t->options.ifconfig_pool_start,
364 t->options.ifconfig_pool_end, t->options.duplicate_cn,
365 t->options.ifconfig_ipv6_pool_defined, t->options.ifconfig_ipv6_pool_base,
366 t->options.ifconfig_ipv6_pool_netbits);
367
368 /* reload pool data from file */
369 if (t->c1.ifconfig_pool_persist)
370 {
371 ifconfig_pool_read(t->c1.ifconfig_pool_persist, m->ifconfig_pool);
372 }
373 }
374
375 /*
376 * Help us keep track of routing table.
377 */
378 m->route_helper = mroute_helper_init(MULTI_CACHE_ROUTE_TTL);
379
380 /*
381 * Initialize route and instance reaper.
382 */
383 m->reaper = multi_reap_new(reap_buckets_per_pass(t->options.virtual_hash_size));
384
385 /*
386 * Get local ifconfig address
387 */
388 CLEAR(m->local);
389 ASSERT(t->c1.tuntap);
390 mroute_extract_in_addr_t(&m->local, t->c1.tuntap->local);
391
392 /*
393 * Per-client limits
394 */
395 m->max_clients = t->options.max_clients;
396
397 m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
398
399 m->top.c2.event_set = t->c2.event_set;
400
401 /*
402 * Initialize multi-socket I/O wait object
403 */
404 m->multi_io = multi_io_init(m->max_clients);
405 m->tcp_queue_limit = t->options.tcp_queue_limit;
406
407 /*
408 * Allow client <-> client communication, without going through
409 * tun/tap interface and network stack?
410 */
411 m->enable_c2c = t->options.enable_c2c;
412
413 /* initialize stale routes check timer */
414 if (t->options.stale_routes_check_interval > 0)
415 {
416 msg(M_INFO,
417 "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
418 t->options.stale_routes_check_interval, t->options.stale_routes_ageing_time);
419 event_timeout_init(&m->stale_routes_check_et, t->options.stale_routes_check_interval, 0);
420 }
421
422 m->deferred_shutdown_signal.signal_received = 0;
423}
424
425const char *
426multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
427{
428 if (mi)
429 {
430 struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
431 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
432
433 if (cn)
434 {
435 buf_printf(&out, "%s/", cn);
436 }
437 buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
438 if (mi->context.c2.tls_multi && check_debug_level(D_DCO_DEBUG)
439 && dco_enabled(&mi->context.options))
440 {
441 buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id);
442 }
443 return BSTR(&out);
444 }
445 else if (null)
446 {
447 return NULL;
448 }
449 else
450 {
451 return "UNDEF";
452 }
453}
454
455static void
456generate_prefix(struct multi_instance *mi)
457{
458 struct gc_arena gc = gc_new();
459 const char *prefix = multi_instance_string(mi, true, &gc);
460 if (prefix)
461 {
462 strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
463 }
464 else
465 {
466 mi->msg_prefix[0] = '\0';
467 }
468 set_prefix(mi);
469 gc_free(&gc);
470}
471
472void
473ungenerate_prefix(struct multi_instance *mi)
474{
475 mi->msg_prefix[0] = '\0';
476 set_prefix(mi);
477}
478
479/*
480 * Tell the route helper about deleted iroutes so
481 * that it can update its mask of currently used
482 * CIDR netlengths.
483 */
484static void
485multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
486{
487 const struct iroute *ir;
488 const struct iroute_ipv6 *ir6;
489
490 dco_delete_iroutes(m, mi);
491
492 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
493 {
494 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
495 {
496 mroute_helper_del_iroute46(m->route_helper, ir->netbits);
497 }
498
499 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
500 {
501 mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
502 }
503 }
504}
505
506static void
507setenv_stats(struct multi_context *m, struct context *c)
508{
509 if (dco_enabled(&m->top.options))
510 {
511 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, false) < 0)
512 {
513 return;
514 }
515 }
516
517 setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
518 setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes + c->c2.dco_write_bytes);
519}
520
521static void
522multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
523{
524 /* setenv client real IP address */
525 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
526
527 /* setenv stats */
528 setenv_stats(m, &mi->context);
529
530 /* setenv connection duration */
531 setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
532}
533
534static void
535multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
536{
537 multi_client_disconnect_setenv(m, mi);
538
539 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
540 {
541 if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL,
542 mi->context.c2.es)
543 != OPENVPN_PLUGIN_FUNC_SUCCESS)
544 {
545 msg(M_WARN, "WARNING: client-disconnect plugin call failed");
546 }
547 }
548
549 if (mi->context.options.client_disconnect_script)
550 {
551 struct argv argv = argv_new();
552 setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
553 argv_parse_cmd(&argv, mi->context.options.client_disconnect_script);
554 openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
555 argv_free(&argv);
556 }
557#ifdef ENABLE_MANAGEMENT
558 if (management)
559 {
560 management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
561 }
562#endif
563}
564
565void
566multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
567{
568 ASSERT(!mi->halt);
569 mi->halt = true;
570 bool is_dgram = proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto);
571
572 dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
573
574 /* adjust current client connection count */
575 m->n_clients += mi->n_clients_delta;
576 mi->n_clients_delta = 0;
577
578 /* prevent dangling pointers */
579 if (m->pending == mi)
580 {
581 multi_set_pending(m, NULL);
582 }
583 if (m->earliest_wakeup == mi)
584 {
585 m->earliest_wakeup = NULL;
586 }
587
588 if (!shutdown)
589 {
590 if (mi->did_real_hash)
591 {
592 ASSERT(hash_remove(m->hash, &mi->real));
593 }
594 if (mi->did_iter)
595 {
596 ASSERT(hash_remove(m->iter, &mi->real));
597 }
598#ifdef ENABLE_MANAGEMENT
599 if (mi->did_cid_hash)
600 {
601 ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
602 }
603#endif
604
605#ifdef ENABLE_ASYNC_PUSH
606 if (mi->inotify_watch != -1)
607 {
608 hash_remove(m->inotify_watchers, (void *)(uintptr_t)mi->inotify_watch);
609 mi->inotify_watch = -1;
610 }
611#endif
612
613 if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
614 {
615 m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
616 }
617
618 schedule_remove_entry(m->schedule, (struct schedule_entry *)mi);
619
620 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
621
622 if (mi->did_iroutes)
623 {
624 multi_del_iroutes(m, mi);
625 mi->did_iroutes = false;
626 }
627
628 if (!is_dgram)
629 {
630 multi_tcp_dereference_instance(m->multi_io, mi);
631 }
632
633 mbuf_dereference_instance(m->mbuf, mi);
634 }
635
636#ifdef ENABLE_MANAGEMENT
637 set_cc_config(mi, NULL);
638#endif
639
640 if (mi->context.c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
641 {
642 multi_client_disconnect_script(m, mi);
643 }
644
645 close_context(&mi->context, SIGTERM, CC_GC_FREE);
646
647 multi_tcp_instance_specific_free(mi);
648
649 ungenerate_prefix(mi);
650
651 /*
652 * Don't actually delete the instance memory allocation yet,
653 * because virtual routes may still point to it. Let the
654 * vhash reaper deal with it.
655 */
656 multi_instance_dec_refcount(mi);
657}
658
659/*
660 * Called on shutdown or restart.
661 */
662static void
663multi_uninit(struct multi_context *m)
664{
665 if (m->hash)
666 {
667 struct hash_iterator hi;
668 struct hash_element *he;
669
670 hash_iterator_init(m->iter, &hi);
671 while ((he = hash_iterator_next(&hi)))
672 {
673 struct multi_instance *mi = (struct multi_instance *)he->value;
674 mi->did_iter = false;
675 multi_close_instance(m, mi, true);
676 }
677 hash_iterator_free(&hi);
678
679 multi_reap_all(m);
680
681 hash_free(m->hash);
682 hash_free(m->vhash);
683 hash_free(m->iter);
684#ifdef ENABLE_MANAGEMENT
685 hash_free(m->cid_hash);
686#endif
687 m->hash = NULL;
688
689 free(m->instances);
690
691#ifdef ENABLE_ASYNC_PUSH
692 hash_free(m->inotify_watchers);
693 m->inotify_watchers = NULL;
694#endif
695
696 schedule_free(m->schedule);
697 mbuf_free(m->mbuf);
698 ifconfig_pool_free(m->ifconfig_pool);
699 frequency_limit_free(m->new_connection_limiter);
700 initial_rate_limit_free(m->initial_rate_limiter);
701 multi_reap_free(m->reaper);
702 mroute_helper_free(m->route_helper);
703 multi_io_free(m->multi_io);
704 }
705}
706
707#if defined(__GNUC__) || defined(__clang__)
708#pragma GCC diagnostic push
709#pragma GCC diagnostic ignored "-Wsign-compare"
710#endif
711
712/*
713 * Create a client instance object for a newly connected client.
714 */
715struct multi_instance *
716multi_create_instance(struct multi_context *m, const struct mroute_addr *real,
717 struct link_socket *sock)
718{
719 struct gc_arena gc = gc_new();
720 struct multi_instance *mi;
721
722 msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
723
724 ALLOC_OBJ_CLEAR(mi, struct multi_instance);
725
726 mi->gc = gc_new();
727 multi_instance_inc_refcount(mi);
728 mi->vaddr_handle = -1;
729 mi->created = now;
730 mroute_addr_init(&mi->real);
731
732 if (real)
733 {
734 mi->real = *real;
735 generate_prefix(mi);
736 }
737
738 inherit_context_child(&mi->context, &m->top, sock);
739 if (IS_SIG(&mi->context))
740 {
741 goto err;
742 }
743
744 mi->context.c2.tls_multi->multi_state = CAS_NOT_CONNECTED;
745
746 if (hash_n_elements(m->hash) >= m->max_clients)
747 {
748 msg(D_MULTI_ERRORS,
749 "MULTI: new incoming connection would exceed maximum number of clients (%d)",
750 m->max_clients);
751 goto err;
752 }
753
754 if (!real) /* TCP mode? */
755 {
756 if (!multi_tcp_instance_specific_init(m, mi))
757 {
758 goto err;
759 }
760 generate_prefix(mi);
761 }
762
763 if (!hash_add(m->iter, &mi->real, mi, false))
764 {
765 msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
766 mroute_addr_print(&mi->real, &gc));
767 goto err;
768 }
769 mi->did_iter = true;
770
771#ifdef ENABLE_MANAGEMENT
772 do
773 {
774 mi->context.c2.mda_context.cid = m->cid_counter++;
775 } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
776 mi->did_cid_hash = true;
777#endif
778
779 mi->context.c2.push_request_received = false;
780#ifdef ENABLE_ASYNC_PUSH
781 mi->inotify_watch = -1;
782#endif
783
784 if (!multi_process_post(m, mi, MPP_PRE_SELECT))
785 {
786 msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
787 goto err;
788 }
789
790 mi->ev_arg.type = EVENT_ARG_MULTI_INSTANCE;
791 mi->ev_arg.u.mi = mi;
792
793 gc_free(&gc);
794 return mi;
795
796err:
797 multi_close_instance(m, mi, false);
798 gc_free(&gc);
799 return NULL;
800}
801
802#if defined(__GNUC__) || defined(__clang__)
803#pragma GCC diagnostic pop
804#endif
805
806/*
807 * Dump tables -- triggered by SIGUSR2.
808 * If status file is defined, write to file.
809 * If status file is NULL, write to syslog.
810 */
811static void
812multi_print_status(struct multi_context *m, struct status_output *so, const int version)
813{
814 if (m->hash)
815 {
816 struct gc_arena gc_top = gc_new();
817 struct hash_iterator hi;
818 const struct hash_element *he;
819
820 status_reset(so);
821
822 if (dco_enabled(&m->top.options))
823 {
824 if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, true) < 0)
825 {
826 return;
827 }
828 }
829
830 if (version == 1)
831 {
832 /*
833 * Status file version 1
834 */
835 status_printf(so, "OpenVPN CLIENT LIST");
836 status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
837 status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
838 hash_iterator_init(m->hash, &hi);
839 while ((he = hash_iterator_next(&hi)))
840 {
841 struct gc_arena gc = gc_new();
842 const struct multi_instance *mi = (struct multi_instance *)he->value;
843
844 if (!mi->halt)
845 {
846 status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
847 tls_common_name(mi->context.c2.tls_multi, false),
848 mroute_addr_print(&mi->real, &gc),
849 mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes,
850 mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes,
851 time_string(mi->created, 0, false, &gc));
852 }
853 gc_free(&gc);
854 }
855 hash_iterator_free(&hi);
856
857 status_printf(so, "ROUTING TABLE");
858 status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
859 hash_iterator_init(m->vhash, &hi);
860 while ((he = hash_iterator_next(&hi)))
861 {
862 struct gc_arena gc = gc_new();
863 const struct multi_route *route = (struct multi_route *)he->value;
864
865 if (multi_route_defined(m, route))
866 {
867 const struct multi_instance *mi = route->instance;
868 const struct mroute_addr *ma = &route->addr;
869 char flags[2] = { 0, 0 };
870
871 if (route->flags & MULTI_ROUTE_CACHE)
872 {
873 flags[0] = 'C';
874 }
875 status_printf(so, "%s%s,%s,%s,%s", mroute_addr_print(ma, &gc), flags,
876 tls_common_name(mi->context.c2.tls_multi, false),
877 mroute_addr_print(&mi->real, &gc),
878 time_string(route->last_reference, 0, false, &gc));
879 }
880 gc_free(&gc);
881 }
882 hash_iterator_free(&hi);
883
884 status_printf(so, "GLOBAL STATS");
885 if (m->mbuf)
886 {
887 status_printf(so, "Max bcast/mcast queue length,%d", mbuf_maximum_queued(m->mbuf));
888 }
889
890 status_printf(so, "END");
891 }
892 else if (version == 2 || version == 3)
893 {
894 const char sep = (version == 3) ? '\t' : ',';
895
896 /*
897 * Status file version 2 and 3
898 */
899 status_printf(so, "TITLE%c%s", sep, title_string);
900 status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep,
901 (unsigned int)now);
902 status_printf(
903 so,
904 "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
905 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
906 hash_iterator_init(m->hash, &hi);
907 while ((he = hash_iterator_next(&hi)))
908 {
909 struct gc_arena gc = gc_new();
910 const struct multi_instance *mi = (struct multi_instance *)he->value;
911
912 if (!mi->halt)
913 {
914 status_printf(
915 so,
916 "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format
917 "%c%s%c%u%c%s%c"
918#ifdef ENABLE_MANAGEMENT
919 "%lu"
920#else
921 ""
922#endif
923 "%c%" PRIu32 "%c%s",
924 sep, tls_common_name(mi->context.c2.tls_multi, false), sep,
925 mroute_addr_print(&mi->real, &gc), sep,
926 print_in_addr_t(mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc), sep,
927 print_in6_addr(mi->reporting_addr_ipv6, IA_EMPTY_IF_UNDEF, &gc), sep,
928 mi->context.c2.link_read_bytes + mi->context.c2.dco_read_bytes, sep,
929 mi->context.c2.link_write_bytes + mi->context.c2.dco_write_bytes, sep,
930 time_string(mi->created, 0, false, &gc), sep, (unsigned int)mi->created,
931 sep, tls_username(mi->context.c2.tls_multi, false),
932#ifdef ENABLE_MANAGEMENT
933 sep, mi->context.c2.mda_context.cid,
934#else
935 sep,
936#endif
937 sep,
938 mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
939 sep, translate_cipher_name_to_openvpn(mi->context.options.ciphername));
940 }
941 gc_free(&gc);
942 }
943 hash_iterator_free(&hi);
944
945 status_printf(
946 so,
947 "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
948 sep, sep, sep, sep, sep, sep);
949 hash_iterator_init(m->vhash, &hi);
950 while ((he = hash_iterator_next(&hi)))
951 {
952 struct gc_arena gc = gc_new();
953 const struct multi_route *route = (struct multi_route *)he->value;
954
955 if (multi_route_defined(m, route))
956 {
957 const struct multi_instance *mi = route->instance;
958 const struct mroute_addr *ma = &route->addr;
959 char flags[2] = { 0, 0 };
960
961 if (route->flags & MULTI_ROUTE_CACHE)
962 {
963 flags[0] = 'C';
964 }
965 status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u", sep,
966 mroute_addr_print(ma, &gc), flags, sep,
967 tls_common_name(mi->context.c2.tls_multi, false), sep,
968 mroute_addr_print(&mi->real, &gc), sep,
969 time_string(route->last_reference, 0, false, &gc), sep,
970 (unsigned int)route->last_reference);
971 }
972 gc_free(&gc);
973 }
974 hash_iterator_free(&hi);
975
976 if (m->mbuf)
977 {
978 status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d", sep, sep,
979 mbuf_maximum_queued(m->mbuf));
980 }
981
982 status_printf(so, "GLOBAL_STATS%cdco_enabled%c%d", sep, sep,
983 dco_enabled(&m->top.options));
984 status_printf(so, "END");
985 }
986 else
987 {
988 status_printf(so, "ERROR: bad status format version number");
989 }
990
991#ifdef PACKET_TRUNCATION_CHECK
992 {
993 status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
994 hash_iterator_init(m->hash, &hi);
995 while ((he = hash_iterator_next(&hi)))
996 {
997 struct gc_arena gc = gc_new();
998 const struct multi_instance *mi = (struct multi_instance *)he->value;
999
1000 if (!mi->halt)
1001 {
1002 status_printf(so,
1003 "ERRORS,%s," counter_format "," counter_format "," counter_format
1004 "," counter_format,
1005 tls_common_name(mi->context.c2.tls_multi, false),
1006 m->top.c2.n_trunc_tun_read, mi->context.c2.n_trunc_tun_write,
1007 mi->context.c2.n_trunc_pre_encrypt,
1008 mi->context.c2.n_trunc_post_decrypt);
1009 }
1010 gc_free(&gc);
1011 }
1012 hash_iterator_free(&hi);
1013 }
1014#endif /* ifdef PACKET_TRUNCATION_CHECK */
1015
1016 status_flush(so);
1017 gc_free(&gc_top);
1018 }
1019
1020#ifdef ENABLE_ASYNC_PUSH
1021 if (m->inotify_watchers)
1022 {
1023 msg(D_MULTI_DEBUG, "inotify watchers count: %d", hash_n_elements(m->inotify_watchers));
1024 }
1025#endif
1026}
1027
1028/*
1029 * Learn a virtual address or route.
1030 * The learn will fail if the learn address
1031 * script/plugin fails. In this case the
1032 * return value may be != mi.
1033 * Return the instance which owns this route,
1034 * or NULL if none.
1035 */
1036static struct multi_instance *
1037multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr,
1038 const unsigned int flags)
1039{
1040 struct hash_element *he;
1041 const uint32_t hv = hash_value(m->vhash, addr);
1042 struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1043 struct multi_route *oldroute = NULL;
1044 struct multi_instance *owner = NULL;
1045 struct gc_arena gc = gc_new();
1046
1047 /* if route currently exists, get the instance which owns it */
1048 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1049 if (he)
1050 {
1051 oldroute = (struct multi_route *)he->value;
1052 }
1053 if (oldroute && multi_route_defined(m, oldroute))
1054 {
1055 owner = oldroute->instance;
1056 }
1057
1058 /* do we need to add address to hash table? */
1059 if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1060 && !mroute_addr_equal(addr, &m->local))
1061 {
1062 struct multi_route *newroute;
1063 bool learn_succeeded = false;
1064
1065 ALLOC_OBJ(newroute, struct multi_route);
1066 newroute->addr = *addr;
1067 newroute->instance = mi;
1068 newroute->flags = flags;
1069 newroute->last_reference = now;
1070 newroute->cache_generation = 0;
1071
1072 /* The cache is invalidated when cache_generation is incremented */
1073 if (flags & MULTI_ROUTE_CACHE)
1074 {
1075 newroute->cache_generation = m->route_helper->cache_generation;
1076 }
1077
1078 if (oldroute) /* route already exists? */
1079 {
1080 if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1081 {
1082 learn_succeeded = true;
1083 owner = mi;
1084 multi_instance_inc_refcount(mi);
1085 route_quota_inc(mi);
1086
1087 /* delete old route */
1088 multi_route_del(oldroute);
1089
1090 /* modify hash table entry, replacing old route */
1091 he->key = &newroute->addr;
1092 he->value = newroute;
1093 }
1094 }
1095 else
1096 {
1097 if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1098 {
1099 learn_succeeded = true;
1100 owner = mi;
1101 multi_instance_inc_refcount(mi);
1102 route_quota_inc(mi);
1103
1104 /* add new route */
1105 hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1106 }
1107 }
1108
1109 msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s", learn_succeeded ? "" : " FAILED",
1110 mroute_addr_print(&newroute->addr, &gc), multi_instance_string(mi, false, &gc));
1111
1112 if (!learn_succeeded)
1113 {
1114 free(newroute);
1115 }
1116 }
1117 gc_free(&gc);
1118
1119 return owner;
1120}
1121
1122/*
1123 * Get client instance based on virtual address.
1124 */
1125static struct multi_instance *
1126multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr,
1127 bool cidr_routing)
1128{
1129 struct multi_route *route;
1130 struct multi_instance *ret = NULL;
1131
1132 /* check for local address */
1133 if (mroute_addr_equal(addr, &m->local))
1134 {
1135 return NULL;
1136 }
1137
1138 route = (struct multi_route *)hash_lookup(m->vhash, addr);
1139
1140 /* does host route (possible cached) exist? */
1141 if (route && multi_route_defined(m, route))
1142 {
1143 struct multi_instance *mi = route->instance;
1144 route->last_reference = now;
1145 ret = mi;
1146 }
1147 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1148 {
1149 struct mroute_helper *rh = m->route_helper;
1150 struct mroute_addr tryaddr;
1151 int i;
1152
1153 /* cycle through each CIDR length */
1154 for (i = 0; i < rh->n_net_len; ++i)
1155 {
1156 tryaddr = *addr;
1157 tryaddr.type |= MR_WITH_NETBITS;
1158 tryaddr.netbits = rh->net_len[i];
1159 mroute_addr_mask_host_bits(&tryaddr);
1160
1161 /* look up a possible route with netbits netmask */
1162 route = (struct multi_route *)hash_lookup(m->vhash, &tryaddr);
1163
1164 if (route && multi_route_defined(m, route))
1165 {
1166 /* found an applicable route, cache host route */
1167 struct multi_instance *mi = route->instance;
1168 multi_learn_addr(m, mi, addr, MULTI_ROUTE_CACHE | MULTI_ROUTE_AGEABLE);
1169 ret = mi;
1170 break;
1171 }
1172 }
1173 }
1174
1175#ifdef ENABLE_DEBUG
1176 if (check_debug_level(D_MULTI_DEBUG))
1177 {
1178 struct gc_arena gc = gc_new();
1179 const char *addr_text = mroute_addr_print(addr, &gc);
1180 if (ret)
1181 {
1182 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s", addr_text,
1183 multi_instance_string(ret, false, &gc), mroute_addr_print(&route->addr, &gc));
1184 }
1185 else
1186 {
1187 dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]", addr_text);
1188 }
1189 gc_free(&gc);
1190 }
1191#endif
1192
1193 ASSERT(!(ret && ret->halt));
1194 return ret;
1195}
1196
1197/*
1198 * Helper function to multi_learn_addr().
1199 */
1200static struct multi_instance *
1201multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a,
1202 int netbits, /* -1 if host route, otherwise # of network bits in address */
1203 bool primary)
1204{
1205 struct openvpn_sockaddr remote_si;
1206 struct mroute_addr addr = { 0 };
1207
1208 CLEAR(remote_si);
1209 remote_si.addr.in4.sin_family = AF_INET;
1210 remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1211 addr.proto = 0;
1212 ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1213
1214 if (netbits >= 0)
1215 {
1216 addr.type |= MR_WITH_NETBITS;
1217 addr.netbits = (uint8_t)netbits;
1218 }
1219
1220 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1221#ifdef ENABLE_MANAGEMENT
1222 if (management && owner)
1223 {
1224 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1225 }
1226#endif
1227 if (primary && multi_check_push_ifconfig_extra_route(mi, addr.v4.addr))
1228 {
1229 /* "primary" is the VPN ifconfig address of the peer */
1230 /* if it does not fall into the network defined by ifconfig_local
1231 * we install this as extra onscope address on the interface */
1232 addr.netbits = 32;
1233 addr.type |= MR_ONLINK_DCO_ADDR;
1234
1235 dco_install_iroute(m, mi, &addr);
1236 }
1237 else if (!primary)
1238 {
1239 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1240 dco_install_iroute(m, mi, &addr);
1241 }
1242
1243 return owner;
1244}
1245
1246static struct multi_instance *
1247multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6,
1248 int netbits, /* -1 if host route, otherwise # of network bits in address */
1249 bool primary)
1250{
1251 struct mroute_addr addr = { 0 };
1252
1253 addr.len = 16;
1254 addr.type = MR_ADDR_IPV6;
1255 addr.netbits = 0;
1256 addr.v6.addr = a6;
1257
1258 if (netbits >= 0)
1259 {
1260 addr.type |= MR_WITH_NETBITS;
1261 addr.netbits = (uint8_t)netbits;
1262 mroute_addr_mask_host_bits(&addr);
1263 }
1264
1265 struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1266#ifdef ENABLE_MANAGEMENT
1267 if (management && owner)
1268 {
1269 management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1270 }
1271#endif
1272 if (primary && multi_check_push_ifconfig_ipv6_extra_route(mi, &addr.v6.addr))
1273 {
1274 /* "primary" is the VPN ifconfig address of the peer */
1275 /* if it does not fall into the network defined by ifconfig_local
1276 * we install this as extra onscope address on the interface */
1277 addr.netbits = 128;
1278 addr.type |= MR_ONLINK_DCO_ADDR;
1279
1280 dco_install_iroute(m, mi, &addr);
1281 }
1282 else if (!primary)
1283 {
1284 /* "primary" is the VPN ifconfig address of the peer and already
1285 * known to DCO, so only install "extra" iroutes (primary = false)
1286 */
1287 ASSERT(netbits >= 0); /* DCO requires populated netbits */
1288 dco_install_iroute(m, mi, &addr);
1289 }
1290
1291 return owner;
1292}
1293
1294/*
1295 * A new client has connected, add routes (server -> client)
1296 * to internal routing table.
1297 */
1298static void
1299multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
1300{
1301 struct gc_arena gc = gc_new();
1302 const struct iroute *ir;
1303 const struct iroute_ipv6 *ir6;
1304 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
1305 {
1306 mi->did_iroutes = true;
1307 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1308 {
1309 if (ir->netbits >= 0)
1310 {
1311 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1312 print_in_addr_t(ir->network, 0, &gc), ir->netbits,
1313 multi_instance_string(mi, false, &gc));
1314 }
1315 else
1316 {
1317 msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1318 print_in_addr_t(ir->network, 0, &gc), multi_instance_string(mi, false, &gc));
1319 }
1320
1321 mroute_helper_add_iroute46(m->route_helper, ir->netbits);
1322
1323 multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1324 }
1325 for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1326 {
1327 msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1328 print_in6_addr(ir6->network, 0, &gc), ir6->netbits,
1329 multi_instance_string(mi, false, &gc));
1330
1331 mroute_helper_add_iroute46(m->route_helper, ir6->netbits);
1332
1333 multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1334 }
1335 }
1336 gc_free(&gc);
1337}
1338
1339/*
1340 * Given an instance (new_mi), delete all other instances which use the
1341 * same common name.
1342 */
1343static void
1344multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
1345{
1346 if (new_mi)
1347 {
1348 const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1349 if (new_cn)
1350 {
1351 struct hash_iterator hi;
1352 struct hash_element *he;
1353 int count = 0;
1354
1355 hash_iterator_init(m->iter, &hi);
1356 while ((he = hash_iterator_next(&hi)))
1357 {
1358 struct multi_instance *mi = (struct multi_instance *)he->value;
1359 if (mi != new_mi && !mi->halt)
1360 {
1361 const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1362 if (cn && !strcmp(cn, new_cn))
1363 {
1364 mi->did_iter = false;
1365 multi_close_instance(m, mi, false);
1366 hash_iterator_delete_element(&hi);
1367 ++count;
1368 }
1369 }
1370 }
1371 hash_iterator_free(&hi);
1372
1373 if (count)
1374 {
1375 msg(D_MULTI_LOW,
1376 "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.",
1377 new_cn);
1378 }
1379 }
1380 }
1381}
1382
1383static void
1384check_stale_routes(struct multi_context *m)
1385{
1386 struct gc_arena gc = gc_new();
1387 struct hash_iterator hi;
1388 struct hash_element *he;
1389
1390 dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1391 hash_iterator_init_range(m->vhash, &hi, 0, hash_n_buckets(m->vhash));
1392 while ((he = hash_iterator_next(&hi)) != NULL)
1393 {
1394 struct multi_route *r = (struct multi_route *)he->value;
1395 if (multi_route_defined(m, r)
1396 && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1397 {
1398 dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1399 mroute_addr_print(&r->addr, &gc));
1400 learn_address_script(m, NULL, "delete", &r->addr);
1401 multi_route_del(r);
1402 hash_iterator_delete_element(&hi);
1403 }
1404 }
1405 hash_iterator_free(&hi);
1406 gc_free(&gc);
1407}
1408
1409/*
1410 * Ensure that endpoint to be pushed to client
1411 * complies with --ifconfig-push-constraint directive.
1412 */
1413static bool
1414ifconfig_push_constraint_satisfied(const struct context *c)
1415{
1416 const struct options *o = &c->options;
1417 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1418 {
1419 return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local)
1420 == o->push_ifconfig_constraint_network;
1421 }
1422 else
1423 {
1424 return true;
1425 }
1426}
1427
1428/*
1429 * Select a virtual address for a new client instance.
1430 * Use an --ifconfig-push directive, if given (static IP).
1431 * Otherwise use an --ifconfig-pool address (dynamic IP).
1432 */
1433static void
1434multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
1435{
1436 struct gc_arena gc = gc_new();
1437
1438 /*
1439 * If ifconfig addresses were set by dynamic config file,
1440 * release pool addresses, otherwise keep them.
1441 */
1442 if (mi->context.options.push_ifconfig_defined)
1443 {
1444 /* ifconfig addresses were set statically,
1445 * release dynamic allocation */
1446 if (mi->vaddr_handle >= 0)
1447 {
1448 ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, true);
1449 mi->vaddr_handle = -1;
1450 }
1451
1452 mi->context.c2.push_ifconfig_defined = true;
1453 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1454 mi->context.c2.push_ifconfig_remote_netmask =
1455 mi->context.options.push_ifconfig_remote_netmask;
1456 mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
1457
1458 /* the current implementation does not allow "static IPv4, pool IPv6",
1459 * (see below) so issue a warning if that happens - don't break the
1460 * session, though, as we don't even know if this client WANTS IPv6
1461 */
1462 if (mi->context.options.ifconfig_ipv6_pool_defined
1463 && !mi->context.options.push_ifconfig_ipv6_defined)
1464 {
1465 msg(M_INFO,
1466 "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then.");
1467 }
1468 }
1469 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1470 {
1471 in_addr_t local = 0, remote = 0;
1472 struct in6_addr remote_ipv6;
1473 const char *cn = NULL;
1474
1475 if (!mi->context.options.duplicate_cn)
1476 {
1477 cn = tls_common_name(mi->context.c2.tls_multi, true);
1478 }
1479
1480 CLEAR(remote_ipv6);
1481 mi->vaddr_handle =
1482 ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1483 if (mi->vaddr_handle >= 0)
1484 {
1485 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1486 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1487
1488 msg(M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1489 (mi->context.options.ifconfig_pool_defined ? print_in_addr_t(remote, 0, &gc)
1490 : "(Not enabled)"),
1491 (mi->context.options.ifconfig_ipv6_pool_defined
1492 ? print_in6_addr(remote_ipv6, 0, &gc)
1493 : "(Not enabled)"));
1494
1495 if (mi->context.options.ifconfig_pool_defined)
1496 {
1497 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1498 mi->context.c2.push_ifconfig_local = remote;
1499 if (tunnel_type == DEV_TYPE_TAP
1500 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1501 {
1502 mi->context.c2.push_ifconfig_remote_netmask =
1503 mi->context.options.ifconfig_pool_netmask;
1504 if (!mi->context.c2.push_ifconfig_remote_netmask)
1505 {
1506 mi->context.c2.push_ifconfig_remote_netmask =
1507 mi->context.c1.tuntap->remote_netmask;
1508 }
1509 }
1510 else if (tunnel_type == DEV_TYPE_TUN)
1511 {
1512 if (tunnel_topology == TOP_P2P)
1513 {
1514 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1515 }
1516 else if (tunnel_topology == TOP_NET30)
1517 {
1518 mi->context.c2.push_ifconfig_remote_netmask = local;
1519 }
1520 }
1521
1522 if (mi->context.c2.push_ifconfig_remote_netmask)
1523 {
1524 mi->context.c2.push_ifconfig_defined = true;
1525 }
1526 else
1527 {
1528 msg(D_MULTI_ERRORS,
1529 "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1530 multi_instance_string(mi, false, &gc));
1531 }
1532 }
1533
1534 if (mi->context.options.ifconfig_ipv6_pool_defined)
1535 {
1536 mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1537 mi->context.c2.push_ifconfig_ipv6_remote = mi->context.c1.tuntap->local_ipv6;
1538 mi->context.c2.push_ifconfig_ipv6_netbits =
1539 mi->context.options.ifconfig_ipv6_netbits;
1540 mi->context.c2.push_ifconfig_ipv6_defined = true;
1541 }
1542 }
1543 else
1544 {
1545 msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1546 }
1547 }
1548
1549 /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1550 * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1551 * will fail (because no pool will be allocated in this case).
1552 * OTOH, this doesn't make too much sense in reality - and the other
1553 * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1554 * -> and so it's implemented right now
1555 */
1556 if (mi->context.options.push_ifconfig_ipv6_defined)
1557 {
1558 mi->context.c2.push_ifconfig_ipv6_local = mi->context.options.push_ifconfig_ipv6_local;
1559 mi->context.c2.push_ifconfig_ipv6_remote = mi->context.options.push_ifconfig_ipv6_remote;
1560 mi->context.c2.push_ifconfig_ipv6_netbits = mi->context.options.push_ifconfig_ipv6_netbits;
1561 mi->context.c2.push_ifconfig_ipv6_defined = true;
1562
1563 msg(M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1564 print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc),
1565 mi->context.c2.push_ifconfig_ipv6_netbits);
1566 }
1567
1568 gc_free(&gc);
1569}
1570
1571/*
1572 * Set virtual address environmental variables.
1573 */
1574static void
1575multi_set_virtual_addr_env(struct multi_instance *mi)
1576{
1577 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1578 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1579 setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1580
1581 if (mi->context.c2.push_ifconfig_defined)
1582 {
1583 const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1584 const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1585
1586 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_remote_ip",
1587 mi->context.c2.push_ifconfig_local, SA_SET_IF_NONZERO);
1588
1589 if (tunnel_type == DEV_TYPE_TAP
1590 || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1591 {
1592 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_netmask",
1593 mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
1594 }
1595 else if (tunnel_type == DEV_TYPE_TUN)
1596 {
1597 setenv_in_addr_t(mi->context.c2.es, "ifconfig_pool_local_ip",
1598 mi->context.c2.push_ifconfig_remote_netmask, SA_SET_IF_NONZERO);
1599 }
1600 }
1601
1602 setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1603 setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1604 setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1605
1606 if (mi->context.c2.push_ifconfig_ipv6_defined)
1607 {
1608 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_remote",
1609 &mi->context.c2.push_ifconfig_ipv6_local, SA_SET_IF_NONZERO);
1610 setenv_in6_addr(mi->context.c2.es, "ifconfig_pool_local",
1611 &mi->context.c2.push_ifconfig_ipv6_remote, SA_SET_IF_NONZERO);
1612 setenv_int(mi->context.c2.es, "ifconfig_pool_ip6_netbits",
1613 mi->context.c2.push_ifconfig_ipv6_netbits);
1614 }
1615}
1616
1617/*
1618 * Called after client-connect script is called
1619 */
1620static void
1621multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file,
1622 unsigned int *option_types_found)
1623{
1624 /* Did script generate a dynamic config file? */
1625 if (platform_test_file(dc_file))
1626 {
1627 options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS | M_OPTERR,
1628 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1629
1630 /*
1631 * If the --client-connect script generates a config file
1632 * with an --ifconfig-push directive, it will override any
1633 * --ifconfig-push directive from the --client-config-dir
1634 * directory or any --ifconfig-pool dynamic address.
1635 */
1636 multi_select_virtual_addr(m, mi);
1637 multi_set_virtual_addr_env(mi);
1638 }
1639}
1640
1641#ifdef ENABLE_PLUGIN
1642
1643/*
1644 * Called after client-connect plug-in is called
1645 */
1646static void
1647multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi,
1648 const struct plugin_return *pr, unsigned int *option_types_found)
1649{
1650 struct plugin_return config;
1651
1652 plugin_return_get_column(pr, &config, "config");
1653
1654 /* Did script generate a dynamic config file? */
1655 if (plugin_return_defined(&config))
1656 {
1657 int i;
1658 for (i = 0; i < config.n; ++i)
1659 {
1660 if (config.list[i] && config.list[i]->value)
1661 {
1662 options_string_import(&mi->context.options, config.list[i]->value,
1663 D_IMPORT_ERRORS | M_OPTERR, CLIENT_CONNECT_OPT_MASK,
1664 option_types_found, mi->context.c2.es);
1665 }
1666 }
1667
1668 /*
1669 * If the --client-connect script generates a config file
1670 * with an --ifconfig-push directive, it will override any
1671 * --ifconfig-push directive from the --client-config-dir
1672 * directory or any --ifconfig-pool dynamic address.
1673 */
1674 multi_select_virtual_addr(m, mi);
1675 multi_set_virtual_addr_env(mi);
1676 }
1677}
1678
1679#endif /* ifdef ENABLE_PLUGIN */
1680
1681
1682/*
1683 * Called to load management-derived client-connect config
1684 */
1685enum client_connect_return
1686multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred,
1687 unsigned int *option_types_found)
1688{
1689 /* We never return CC_RET_DEFERRED */
1690 ASSERT(!deferred);
1691 enum client_connect_return ret = CC_RET_SKIPPED;
1692#ifdef ENABLE_MANAGEMENT
1693 if (mi->cc_config)
1694 {
1695 struct buffer_entry *be;
1696 for (be = mi->cc_config->head; be != NULL; be = be->next)
1697 {
1698 const char *opt = BSTR(&be->buf);
1699 options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS | M_OPTERR,
1700 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
1701 }
1702
1703 /*
1704 * If the --client-connect script generates a config file
1705 * with an --ifconfig-push directive, it will override any
1706 * --ifconfig-push directive from the --client-config-dir
1707 * directory or any --ifconfig-pool dynamic address.
1708 */
1709 multi_select_virtual_addr(m, mi);
1710 multi_set_virtual_addr_env(mi);
1711
1712 ret = CC_RET_SUCCEEDED;
1713 }
1714#endif /* ifdef ENABLE_MANAGEMENT */
1715 return ret;
1716}
1717
1718static void
1719multi_client_connect_setenv(struct multi_instance *mi)
1720{
1721 struct gc_arena gc = gc_new();
1722
1723 /* setenv incoming cert common name for script */
1724 setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1725
1726 /* setenv client real IP address */
1727 setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
1728
1729 /* setenv client virtual IP address */
1730 multi_set_virtual_addr_env(mi);
1731
1732 /* setenv connection time */
1733 {
1734 const char *created_ascii = time_string(mi->created, 0, false, &gc);
1735 setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1736 setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1737 }
1738
1739 gc_free(&gc);
1740}
1741
1748static bool
1749multi_client_set_protocol_options(struct context *c)
1750{
1751 struct tls_multi *tls_multi = c->c2.tls_multi;
1752 const char *const peer_info = tls_multi->peer_info;
1753 struct options *o = &c->options;
1754
1755
1756 unsigned int proto = extract_iv_proto(peer_info);
1757 if (proto & IV_PROTO_DATA_V2)
1758 {
1759 tls_multi->use_peer_id = true;
1760 o->use_peer_id = true;
1761 }
1762 else if (dco_enabled(o))
1763 {
1764 msg(M_INFO, "Client does not support DATA_V2. Data channel offloading "
1765 "requires DATA_V2. Dropping client.");
1766 auth_set_client_reason(tls_multi, "Data channel negotiation "
1767 "failed (missing DATA_V2)");
1768 return false;
1769 }
1770
1771 /* Print a warning if we detect the client being in P2P mode and will
1772 * not accept our pushed ciphers */
1773 if (proto & IV_PROTO_NCP_P2P)
1774 {
1775 msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
1776 "option). It will not negotiate ciphers with this server. "
1777 "Expect this connection to fail.");
1778 }
1779
1780 if (proto & IV_PROTO_REQUEST_PUSH)
1781 {
1782 c->c2.push_request_received = true;
1783 }
1784
1785 if (proto & IV_PROTO_TLS_KEY_EXPORT)
1786 {
1787 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
1788 }
1789 else if (o->force_key_material_export)
1790 {
1791 msg(M_INFO, "PUSH: client does not support TLS Keying Material "
1792 "Exporters but --force-tls-key-material-export is enabled.");
1793 auth_set_client_reason(tls_multi, "Client incompatible with this "
1794 "server. Keying Material Exporters (RFC 5705) "
1795 "support missing. Upgrade to a client that "
1796 "supports this feature (OpenVPN 2.6.0+).");
1797 return false;
1798 }
1799 if (proto & IV_PROTO_DYN_TLS_CRYPT)
1800 {
1801 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
1802 }
1803
1804 if (proto & IV_PROTO_CC_EXIT_NOTIFY)
1805 {
1806 o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
1807 }
1808
1809 /* Select cipher if client supports Negotiable Crypto Parameters */
1810
1811 /* if we have already created our key, we cannot *change* our own
1812 * cipher -> so log the fact and push the "what we have now" cipher
1813 * (so the client is always told what we expect it to use)
1814 */
1815 if (get_primary_key(tls_multi)->crypto_options.key_ctx_bi.initialized)
1816 {
1817 msg(M_INFO,
1818 "PUSH: client wants to negotiate cipher (NCP), but "
1819 "server has already generated data channel keys, "
1820 "re-sending previously negotiated cipher '%s'",
1821 o->ciphername);
1822 return true;
1823 }
1824
1825 /*
1826 * Push the first cipher from --data-ciphers to the client that
1827 * the client announces to be supporting.
1828 */
1829 char *push_cipher =
1830 ncp_get_best_cipher(o->ncp_ciphers, peer_info, tls_multi->remote_ciphername, &o->gc);
1831 if (push_cipher)
1832 {
1833 /* Enable epoch data key format if supported and AEAD cipher in use */
1834 if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported && (proto & IV_PROTO_DATA_EPOCH)
1835 && cipher_kt_mode_aead(push_cipher))
1836 {
1837 o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
1838 }
1839
1840 o->ciphername = push_cipher;
1841 return true;
1842 }
1843
1844 /* NCP cipher negotiation failed. Try to figure out why exactly it
1845 * failed and give good error messages and potentially do a fallback
1846 * for non NCP clients */
1847 struct gc_arena gc = gc_new();
1848 bool ret = false;
1849
1850 const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc);
1851 /* If we are in a situation where we know the client ciphers, there is no
1852 * reason to fall back to a cipher that will not be accepted by the other
1853 * side, in this situation we fail the auth*/
1854 if (strlen(peer_ciphers) > 0)
1855 {
1856 msg(M_INFO,
1857 "PUSH: No common cipher between server and client. "
1858 "Server data-ciphers: '%s'%s, client supported ciphers '%s'",
1859 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), peer_ciphers);
1860 }
1861 else if (tls_multi->remote_ciphername)
1862 {
1863 msg(M_INFO,
1864 "PUSH: No common cipher between server and client. "
1865 "Server data-ciphers: '%s'%s, client supports cipher '%s'",
1866 o->ncp_ciphers_conf, ncp_expanded_ciphers(o, &gc), tls_multi->remote_ciphername);
1867 }
1868 else
1869 {
1870 msg(M_INFO, "PUSH: No NCP or OCC cipher data received from peer.");
1871
1872 if (o->enable_ncp_fallback && !tls_multi->remote_ciphername)
1873 {
1874 msg(M_INFO,
1875 "Using data channel cipher '%s' since "
1876 "--data-ciphers-fallback is set.",
1877 o->ciphername);
1878 ret = true;
1879 }
1880 else
1881 {
1882 msg(M_INFO, "Use --data-ciphers-fallback with the cipher the "
1883 "client is using if you want to allow the client to connect");
1884 }
1885 }
1886 if (!ret)
1887 {
1888 auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
1889 "failed (no shared cipher)");
1890 }
1891
1892 gc_free(&gc);
1893 return ret;
1894}
1895
1900static void
1901ccs_delete_deferred_ret_file(struct multi_instance *mi)
1902{
1903 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1904 if (!ccs->deferred_ret_file)
1905 {
1906 return;
1907 }
1908
1909 setenv_del(mi->context.c2.es, "client_connect_deferred_file");
1910 if (!platform_unlink(ccs->deferred_ret_file))
1911 {
1912 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->deferred_ret_file);
1913 }
1914 free(ccs->deferred_ret_file);
1915 ccs->deferred_ret_file = NULL;
1916}
1917
1925static bool
1926ccs_gen_deferred_ret_file(struct multi_instance *mi)
1927{
1928 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1929 struct gc_arena gc = gc_new();
1930 const char *fn;
1931
1932 /* Delete file if it already exists */
1933 ccs_delete_deferred_ret_file(mi);
1934
1935 fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc);
1936 if (!fn)
1937 {
1938 gc_free(&gc);
1939 return false;
1940 }
1941 ccs->deferred_ret_file = string_alloc(fn, NULL);
1942
1943 setenv_str(mi->context.c2.es, "client_connect_deferred_file", ccs->deferred_ret_file);
1944
1945 gc_free(&gc);
1946 return true;
1947}
1948
1957static enum client_connect_return
1958ccs_test_deferred_ret_file(struct multi_instance *mi)
1959{
1960 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
1961 FILE *fp = fopen(ccs->deferred_ret_file, "r");
1962 if (!fp)
1963 {
1964 return CC_RET_SKIPPED;
1965 }
1966
1967 enum client_connect_return ret = CC_RET_SKIPPED;
1968 const int c = fgetc(fp);
1969 switch (c)
1970 {
1971 case '0':
1972 ret = CC_RET_FAILED;
1973 break;
1974
1975 case '1':
1976 ret = CC_RET_SUCCEEDED;
1977 break;
1978
1979 case '2':
1980 ret = CC_RET_DEFERRED;
1981 break;
1982
1983 case EOF:
1984 if (feof(fp))
1985 {
1986 ret = CC_RET_SKIPPED;
1987 break;
1988 }
1989
1990 /* Not EOF but other error -> fall through to error state */
1991 default:
1992 /* We received an unknown/unexpected value. Assume failure. */
1993 msg(M_WARN, "WARNING: Unknown/unexpected value in deferred "
1994 "client-connect resultfile");
1995 ret = CC_RET_FAILED;
1996 }
1997 fclose(fp);
1998
1999 return ret;
2000}
2001
2007static void
2008ccs_delete_config_file(struct multi_instance *mi)
2009{
2010 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2011 if (ccs->config_file)
2012 {
2013 setenv_del(mi->context.c2.es, "client_connect_config_file");
2014 if (!platform_unlink(ccs->config_file))
2015 {
2016 msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", ccs->config_file);
2017 }
2018 free(ccs->config_file);
2019 ccs->config_file = NULL;
2020 }
2021}
2022
2030static bool
2031ccs_gen_config_file(struct multi_instance *mi)
2032{
2033 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2034 struct gc_arena gc = gc_new();
2035 const char *fn;
2036
2037 if (ccs->config_file)
2038 {
2039 ccs_delete_config_file(mi);
2040 }
2041
2042 fn = platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
2043 if (!fn)
2044 {
2045 gc_free(&gc);
2046 return false;
2047 }
2048 ccs->config_file = string_alloc(fn, NULL);
2049
2050 setenv_str(mi->context.c2.es, "client_connect_config_file", ccs->config_file);
2051
2052 gc_free(&gc);
2053 return true;
2054}
2055
2056static enum client_connect_return
2057multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi,
2058 bool deferred, unsigned int *option_types_found)
2059{
2060 enum client_connect_return ret = CC_RET_SKIPPED;
2061#ifdef ENABLE_PLUGIN
2062 ASSERT(m);
2063 ASSERT(mi);
2064 ASSERT(option_types_found);
2065 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2066
2067 /* deprecated callback, use a file for passing back return info */
2068 if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
2069 {
2070 struct argv argv = argv_new();
2071 int call;
2072
2073 if (!deferred)
2074 {
2075 call = OPENVPN_PLUGIN_CLIENT_CONNECT;
2076 if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
2077 {
2078 ret = CC_RET_FAILED;
2079 goto cleanup;
2080 }
2081 }
2082 else
2083 {
2084 call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER;
2085 /* the initial call should have created these files */
2086 ASSERT(ccs->config_file);
2087 ASSERT(ccs->deferred_ret_file);
2088 }
2089
2090 argv_printf(&argv, "%s", ccs->config_file);
2091 int plug_ret = plugin_call(mi->context.plugins, call, &argv, NULL, mi->context.c2.es);
2092 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2093 {
2094 ret = CC_RET_SUCCEEDED;
2095 }
2096 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2097 {
2098 ret = CC_RET_DEFERRED;
2104 }
2105 else
2106 {
2107 msg(M_WARN, "WARNING: client-connect plugin call failed");
2108 ret = CC_RET_FAILED;
2109 }
2110
2111
2117 int file_ret = ccs_test_deferred_ret_file(mi);
2118
2119 if (file_ret == CC_RET_FAILED)
2120 {
2121 ret = CC_RET_FAILED;
2122 }
2123 else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED)
2124 {
2125 ret = CC_RET_DEFERRED;
2126 }
2127
2128 /* if we still think we have succeeded, do postprocessing */
2129 if (ret == CC_RET_SUCCEEDED)
2130 {
2131 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2132 }
2133cleanup:
2134 argv_free(&argv);
2135
2136 if (ret != CC_RET_DEFERRED)
2137 {
2138 ccs_delete_config_file(mi);
2139 ccs_delete_deferred_ret_file(mi);
2140 }
2141 }
2142#endif /* ifdef ENABLE_PLUGIN */
2143 return ret;
2144}
2145
2146static enum client_connect_return
2147multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi,
2148 bool deferred, unsigned int *option_types_found)
2149{
2150 enum client_connect_return ret = CC_RET_SKIPPED;
2151#ifdef ENABLE_PLUGIN
2152 ASSERT(m);
2153 ASSERT(mi);
2154 ASSERT(option_types_found);
2155
2156 int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : OPENVPN_PLUGIN_CLIENT_CONNECT_V2;
2157 /* V2 callback, use a plugin_return struct for passing back return info */
2158 if (plugin_defined(mi->context.plugins, call))
2159 {
2160 struct plugin_return pr;
2161
2162 plugin_return_init(&pr);
2163
2164 int plug_ret = plugin_call(mi->context.plugins, call, NULL, &pr, mi->context.c2.es);
2165 if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS)
2166 {
2167 multi_client_connect_post_plugin(m, mi, &pr, option_types_found);
2168 ret = CC_RET_SUCCEEDED;
2169 }
2170 else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED)
2171 {
2172 ret = CC_RET_DEFERRED;
2173 if (!(plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)))
2174 {
2175 msg(M_WARN, "A plugin that defers from the "
2176 "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also "
2177 "declare support for "
2178 "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
2179 ret = CC_RET_FAILED;
2180 }
2181 }
2182 else
2183 {
2184 msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
2185 ret = CC_RET_FAILED;
2186 }
2187
2188
2189 plugin_return_free(&pr);
2190 }
2191#endif /* ifdef ENABLE_PLUGIN */
2192 return ret;
2193}
2194
2195static enum client_connect_return
2196multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi,
2197 unsigned int *option_types_found)
2198{
2199 ASSERT(mi);
2200 ASSERT(option_types_found);
2201 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2202 enum client_connect_return ret = CC_RET_SKIPPED;
2203
2204 ret = ccs_test_deferred_ret_file(mi);
2205
2206 if (ret == CC_RET_SKIPPED)
2207 {
2208 /*
2209 * Skipped and deferred are equivalent in this context.
2210 * skipped means that the called program has not yet
2211 * written a return status implicitly needing more time
2212 * while deferred is the explicit notification that it
2213 * needs more time
2214 */
2215 ret = CC_RET_DEFERRED;
2216 }
2217
2218 if (ret == CC_RET_SUCCEEDED)
2219 {
2220 ccs_delete_deferred_ret_file(mi);
2221 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2222 ccs_delete_config_file(mi);
2223 }
2224 if (ret == CC_RET_FAILED)
2225 {
2226 msg(M_INFO, "MULTI: deferred --client-connect script returned CC_RET_FAILED");
2227 ccs_delete_deferred_ret_file(mi);
2228 ccs_delete_config_file(mi);
2229 }
2230 return ret;
2231}
2232
2236static enum client_connect_return
2237multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred,
2238 unsigned int *option_types_found)
2239{
2240 if (deferred)
2241 {
2242 return multi_client_connect_script_deferred(m, mi, option_types_found);
2243 }
2244 ASSERT(m);
2245 ASSERT(mi);
2246
2247 enum client_connect_return ret = CC_RET_SKIPPED;
2248 struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state);
2249
2250 if (mi->context.options.client_connect_script)
2251 {
2252 struct argv argv = argv_new();
2253 struct gc_arena gc = gc_new();
2254
2255 setenv_str(mi->context.c2.es, "script_type", "client-connect");
2256
2257 if (!ccs_gen_config_file(mi) || !ccs_gen_deferred_ret_file(mi))
2258 {
2259 ret = CC_RET_FAILED;
2260 goto cleanup;
2261 }
2262
2263 argv_parse_cmd(&argv, mi->context.options.client_connect_script);
2264 argv_printf_cat(&argv, "%s", ccs->config_file);
2265
2266 if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
2267 {
2268 if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED)
2269 {
2270 ret = CC_RET_DEFERRED;
2271 }
2272 else
2273 {
2274 multi_client_connect_post(m, mi, ccs->config_file, option_types_found);
2275 ret = CC_RET_SUCCEEDED;
2276 }
2277 }
2278 else
2279 {
2280 ret = CC_RET_FAILED;
2281 }
2282cleanup:
2283 if (ret != CC_RET_DEFERRED)
2284 {
2285 ccs_delete_config_file(mi);
2286 ccs_delete_deferred_ret_file(mi);
2287 }
2288 argv_free(&argv);
2289 gc_free(&gc);
2290 }
2291 return ret;
2292}
2293
2294static bool
2295multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi,
2296 struct gc_arena *gc)
2297{
2298 if (!dco_enabled(&mi->context.options))
2299 {
2300 /* DCO not enabled, nothing to do, return sucess */
2301 return true;
2302 }
2303 int ret = dco_multi_add_new_peer(m, mi);
2304 if (ret < 0)
2305 {
2306 msg(D_DCO, "Cannot add peer to DCO for %s: %s (%d)", multi_instance_string(mi, false, gc),
2307 strerror(-ret), ret);
2308 return false;
2309 }
2310
2311 return true;
2312}
2313
2317static bool
2318multi_client_generate_tls_keys(struct context *c)
2319{
2320 struct frame *frame_fragment = NULL;
2321#ifdef ENABLE_FRAGMENT
2322 if (c->options.ce.fragment)
2323 {
2324 frame_fragment = &c->c2.frame_fragment;
2325 }
2326#endif
2327 struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
2328 if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame,
2329 frame_fragment, get_link_socket_info(c),
2330 &c->c1.tuntap->dco))
2331 {
2332 msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
2333 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
2334 return false;
2335 }
2336
2337 return true;
2338}
2339
2340static void
2341multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi,
2342 const unsigned int option_types_found)
2343{
2344 ASSERT(m);
2345 ASSERT(mi);
2346
2347 struct gc_arena gc = gc_new();
2348 /*
2349 * Process sourced options.
2350 */
2351 do_deferred_options(&mi->context, option_types_found, false);
2352
2353 /*
2354 * make sure we got ifconfig settings from somewhere
2355 */
2356 if (!mi->context.c2.push_ifconfig_defined)
2357 {
2358 msg(D_MULTI_ERRORS,
2359 "MULTI: no dynamic or static remote "
2360 "--ifconfig address is available for %s",
2361 multi_instance_string(mi, false, &gc));
2362 }
2363
2364 /*
2365 * make sure that ifconfig settings comply with constraints
2366 */
2367 if (!ifconfig_push_constraint_satisfied(&mi->context))
2368 {
2369 const char *ifconfig_constraint_network =
2370 print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc);
2371 const char *ifconfig_constraint_netmask =
2372 print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc);
2373
2374 /* JYFIXME -- this should cause the connection to fail */
2375 msg(D_MULTI_ERRORS,
2376 "MULTI ERROR: primary virtual IP for %s (%s) "
2377 "violates tunnel network/netmask constraint (%s/%s)",
2378 multi_instance_string(mi, false, &gc),
2379 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc),
2380 ifconfig_constraint_network, ifconfig_constraint_netmask);
2381 }
2382
2383 /* set our client's VPN endpoint for status reporting purposes */
2384 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
2385 mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
2386
2387 /* set context-level authentication flag */
2388 mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE;
2389
2390 /* Since dco-win maintains iroute routing table (subnet -> peer),
2391 * peer must be added before iroutes. For other platforms it doesn't matter. */
2392
2393 /* authentication complete, calculate dynamic client specific options */
2394 if (!multi_client_set_protocol_options(&mi->context))
2395 {
2396 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2397 }
2398 /* only continue if setting protocol options worked */
2399 else if (!multi_client_setup_dco_initial(m, mi, &gc))
2400 {
2401 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2402 }
2403 /* Generate data channel keys only if setting protocol options
2404 * and DCO initial setup has not failed */
2405 else if (!multi_client_generate_tls_keys(&mi->context))
2406 {
2407 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2408 }
2409
2410 /* dco peer has been added, it is now safe for Windows to add iroutes */
2411
2412 /*
2413 * For routed tunnels, set up internal route to endpoint
2414 * plus add all iroute routes.
2415 */
2416 if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
2417 {
2418 if (mi->context.c2.push_ifconfig_defined)
2419 {
2420 multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2421 msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2422 multi_instance_string(mi, false, &gc),
2423 print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc));
2424 }
2425
2426 if (mi->context.c2.push_ifconfig_ipv6_defined)
2427 {
2428 multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true);
2429 /* TODO: find out where addresses are "unlearned"!! */
2430 const char *ifconfig_local_ipv6 =
2431 print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc);
2432 msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2433 multi_instance_string(mi, false, &gc), ifconfig_local_ipv6);
2434 }
2435
2436 /* add routes locally, pointing to new client, if
2437 * --iroute options have been specified */
2438 multi_add_iroutes(m, mi);
2439
2440 /*
2441 * iroutes represent subnets which are "owned" by a particular
2442 * client. Therefore, do not actually push a route to a client
2443 * if it matches one of the client's iroutes.
2444 */
2445 remove_iroutes_from_push_route_list(&mi->context.options);
2446 }
2447 else if (mi->context.options.iroutes)
2448 {
2449 msg(D_MULTI_ERRORS,
2450 "MULTI: --iroute options rejected for %s -- iroute "
2451 "only works with tun-style tunnels",
2452 multi_instance_string(mi, false, &gc));
2453 }
2454
2455 /* send push reply if ready */
2456 if (mi->context.c2.push_request_received)
2457 {
2458 process_incoming_push_request(&mi->context);
2459 }
2460 gc_free(&gc);
2461}
2462
2463static void
2464multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
2465{
2466 ASSERT(mi->context.c1.tuntap);
2467 /*
2468 * lock down the common name and cert hashes so they can't change
2469 * during future TLS renegotiations
2470 */
2471 tls_lock_common_name(mi->context.c2.tls_multi);
2472 tls_lock_cert_hash_set(mi->context.c2.tls_multi);
2473
2474 /* generate a msg() prefix for this client instance */
2475 generate_prefix(mi);
2476
2477 /* delete instances of previous clients with same common-name */
2478 if (!mi->context.options.duplicate_cn)
2479 {
2480 multi_delete_dup(m, mi);
2481 }
2482
2483 /* reset pool handle to null */
2484 mi->vaddr_handle = -1;
2485
2486 /* do --client-connect setenvs */
2487 multi_select_virtual_addr(m, mi);
2488
2489 multi_client_connect_setenv(mi);
2490}
2491
2498static enum client_connect_return
2499multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi,
2500 bool deferred, unsigned int *option_types_found)
2501{
2502#ifdef USE_COMP
2503 struct options *o = &mi->context.options;
2504 const char *const peer_info = mi->context.c2.tls_multi->peer_info;
2505
2506 if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
2507 {
2508 if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
2509 {
2510 push_option(o, "compress stub-v2", M_USAGE);
2511 }
2512 else
2513 {
2514 /* Client is old and does not support STUBv2 but since it
2515 * announced comp-lzo via OCC we assume it uses comp-lzo, so
2516 * switch to that and push the uncompressed variant. */
2517 push_option(o, "comp-lzo no", M_USAGE);
2518 o->comp.alg = COMP_ALG_STUB;
2519 *option_types_found |= OPT_P_COMP;
2520 }
2521 }
2522#endif
2523 return CC_RET_SUCCEEDED;
2524}
2525
2530static enum client_connect_return
2531multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred,
2532 unsigned int *option_types_found)
2533{
2534 /* Since we never return a CC_RET_DEFERRED, this indicates a serious
2535 * problem */
2536 ASSERT(!deferred);
2537 enum client_connect_return ret = CC_RET_SKIPPED;
2538 if (mi->context.options.client_config_dir)
2539 {
2540 struct gc_arena gc = gc_new();
2541 const char *ccd_file = NULL;
2542
2543 const char *ccd_client =
2544 platform_gen_path(mi->context.options.client_config_dir,
2545 tls_common_name(mi->context.c2.tls_multi, false), &gc);
2546
2547 const char *ccd_default =
2548 platform_gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc);
2549
2550
2551 /* try common-name file */
2552 if (platform_test_file(ccd_client))
2553 {
2554 ccd_file = ccd_client;
2555 }
2556 /* try default file */
2557 else if (platform_test_file(ccd_default))
2558 {
2559 ccd_file = ccd_default;
2560 }
2561
2562 if (ccd_file)
2563 {
2564 options_server_import(&mi->context.options, ccd_file, D_IMPORT_ERRORS | M_OPTERR,
2565 CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es);
2566 /*
2567 * Select a virtual address from either --ifconfig-push in
2568 * --client-config-dir file or --ifconfig-pool.
2569 */
2570 multi_select_virtual_addr(m, mi);
2571
2572 multi_client_connect_setenv(mi);
2573
2574 ret = CC_RET_SUCCEEDED;
2575 }
2576 gc_free(&gc);
2577 }
2578 return ret;
2579}
2580
2581typedef enum client_connect_return (*multi_client_connect_handler)(
2582 struct multi_context *m, struct multi_instance *mi, bool from_deferred,
2583 unsigned int *option_types_found);
2584
2594
2599static bool
2600override_locked_username(struct multi_instance *mi)
2601{
2602 struct tls_multi *multi = mi->context.c2.tls_multi;
2603 struct options *options = &mi->context.options;
2604 struct tls_session *session = &multi->session[TM_ACTIVE];
2605
2606 if (!multi->locked_username)
2607 {
2608 msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
2609 "user/password method is enabled. Enable "
2610 "--management-client-auth, --auth-user-pass-verify, or a "
2611 "plugin with user/password verify capability.");
2612 return false;
2613 }
2614
2615 if (!multi->locked_original_username
2616 && strcmp(multi->locked_username, options->override_username) != 0)
2617 {
2618 /* Check if the username length is acceptable */
2619 if (!ssl_verify_username_length(session, options->override_username))
2620 {
2621 return false;
2622 }
2623
2624 multi->locked_original_username = multi->locked_username;
2625 multi->locked_username = strdup(options->override_username);
2626
2627 /* Override also the common name if username should be set as common
2628 * name */
2629 if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
2630 {
2631 set_common_name(session, multi->locked_username);
2632 free(multi->locked_cn);
2633 multi->locked_cn = NULL;
2634 tls_lock_common_name(multi);
2635 }
2636
2637 /* Regenerate the auth-token if enabled */
2638 if (multi->auth_token_initial)
2639 {
2640 struct user_pass up;
2641 CLEAR(up);
2642 strncpynt(up.username, multi->locked_username, sizeof(up.username));
2643
2644 generate_auth_token(&up, multi);
2645 }
2646
2647 msg(D_MULTI_LOW,
2648 "MULTI: Note, override-username changes username "
2649 "from '%s' to '%s'",
2650 multi->locked_original_username, multi->locked_username);
2651 }
2652 return true;
2653}
2654/*
2655 * Called as soon as the SSL/TLS connection is authenticated.
2656 *
2657 * Will collect the client specific configuration from the different
2658 * sources like ccd files, connect plugins and management interface.
2659 *
2660 * This method starts with cas_context CAS_PENDING and will move the
2661 * state machine to either CAS_SUCCEEDED on success or
2662 * CAS_FAILED/CAS_PARTIAL on failure.
2663 *
2664 * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK)
2665 * include:
2666 *
2667 * iroute start-ip end-ip
2668 * ifconfig-push local remote-netmask
2669 * push
2670 *
2671 *
2672 */
2673static void
2674multi_connection_established(struct multi_context *m, struct multi_instance *mi)
2675{
2676 /* We are only called for the CAS_PENDING_x states, so we
2677 * can ignore other states here */
2678 bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
2679
2680 int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index;
2681 unsigned int *option_types_found = &mi->client_connect_defer_state.option_types_found;
2682
2683 /* We are called for the first time */
2684 if (!from_deferred)
2685 {
2686 *cur_handler_index = 0;
2687 *option_types_found = 0;
2688 /* Initially we have no handler that has returned a result */
2689 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED;
2690
2691 multi_client_connect_early_setup(m, mi);
2692 }
2693
2694 bool cc_succeeded = true;
2695
2696 while (cc_succeeded && client_connect_handlers[*cur_handler_index] != NULL)
2697 {
2698 enum client_connect_return ret;
2699 ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, option_types_found);
2700
2701 from_deferred = false;
2702
2703 switch (ret)
2704 {
2705 case CC_RET_SUCCEEDED:
2706 /*
2707 * Remember that we already had at least one handler
2708 * returning a result should we go to into deferred state
2709 */
2710 mi->context.c2.tls_multi->multi_state = CAS_PENDING_DEFERRED_PARTIAL;
2711 break;
2712
2713 case CC_RET_SKIPPED:
2714 /*
2715 * Move on with the next handler without modifying any
2716 * other state
2717 */
2718 break;
2719
2720 case CC_RET_DEFERRED:
2721 /*
2722 * we already set multi_status to DEFERRED_RESULT or
2723 * DEFERRED_NO_RESULT. We just return
2724 * from the function as having multi_status
2725 */
2726 return;
2727
2728 case CC_RET_FAILED:
2729 /*
2730 * One handler failed. We abort the chain and set the final
2731 * result to failed
2732 */
2733 cc_succeeded = false;
2734 break;
2735
2736 default:
2737 ASSERT(0);
2738 }
2739
2740 /*
2741 * Check for "disable" directive in client-config-dir file
2742 * or config file generated by --client-connect script.
2743 */
2744 if (mi->context.options.disable)
2745 {
2746 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to "
2747 "'disable' directive");
2748 cc_succeeded = false;
2749 }
2750
2751 (*cur_handler_index)++;
2752 }
2753
2754 if (mi->context.options.override_username)
2755 {
2756 if (!override_locked_username(mi))
2757 {
2758 cc_succeeded = false;
2759 }
2760 }
2761
2762 /* Check if we have forbidding options in the current mode */
2763 if (dco_enabled(&mi->context.options)
2764 && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
2765 {
2766 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options");
2767 cc_succeeded = false;
2768 }
2769
2770 if (!check_compression_settings_valid(&mi->context.options.comp, D_MULTI_ERRORS))
2771 {
2772 msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to invalid compression options");
2773 cc_succeeded = false;
2774 }
2775
2776 if (cc_succeeded)
2777 {
2778 multi_client_connect_late_setup(m, mi, *option_types_found);
2779 }
2780 else
2781 {
2782 /* run the disconnect script if we had a connect script that
2783 * did not fail */
2784 if (mi->context.c2.tls_multi->multi_state == CAS_PENDING_DEFERRED_PARTIAL)
2785 {
2786 multi_client_disconnect_script(m, mi);
2787 }
2788
2789 mi->context.c2.tls_multi->multi_state = CAS_FAILED;
2790 }
2791
2792 /* increment number of current authenticated clients */
2793 ++m->n_clients;
2794 --mi->n_clients_delta;
2795
2796#ifdef ENABLE_MANAGEMENT
2797 if (management)
2798 {
2799 management_connection_established(management, &mi->context.c2.mda_context,
2800 mi->context.c2.es);
2801 }
2802#endif
2803}
2804
2805#ifdef ENABLE_ASYNC_PUSH
2806/*
2807 * Called when inotify event is fired, which happens when acf
2808 * or connect-status file is closed or deleted.
2809 * Continues authentication and sends push_reply
2810 * (or be deferred again by client-connect)
2811 */
2812void
2813multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2814{
2815 char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2816 ssize_t buffer_i = 0;
2817 ssize_t r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2818 if (r < 0)
2819 {
2820 msg(M_WARN | M_ERRNO, "MULTI: multi_process_file_closed error");
2821 return;
2822 }
2823
2824 while (buffer_i < r)
2825 {
2826 /* parse inotify events */
2827 struct inotify_event *pevent = (struct inotify_event *)&buffer[buffer_i];
2828 size_t event_size = sizeof(struct inotify_event) + pevent->len;
2829 buffer_i += event_size;
2830
2831 msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2832
2833 struct multi_instance *mi =
2834 hash_lookup(m->inotify_watchers, (void *)(uintptr_t)pevent->wd);
2835
2836 if (pevent->mask & IN_CLOSE_WRITE)
2837 {
2838 if (mi)
2839 {
2840 /* continue authentication, perform NCP negotiation and send push_reply */
2841 multi_process_post(m, mi, mpp_flags);
2842 }
2843 else
2844 {
2845 msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2846 }
2847 }
2848 else if (pevent->mask & IN_IGNORED)
2849 {
2850 /* this event is _always_ fired when watch is removed or file is deleted */
2851 if (mi)
2852 {
2853 hash_remove(m->inotify_watchers, (void *)(uintptr_t)pevent->wd);
2854 mi->inotify_watch = -1;
2855 }
2856 }
2857 else
2858 {
2859 msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2860 }
2861 }
2862}
2863#endif /* ifdef ENABLE_ASYNC_PUSH */
2864
2865/*
2866 * Add a mbuf buffer to a particular
2867 * instance.
2868 */
2869void
2870multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
2871{
2872 if (multi_output_queue_ready(m, mi))
2873 {
2874 struct mbuf_item item;
2875 item.buffer = mb;
2876 item.instance = mi;
2877 mbuf_add_item(m->mbuf, &item);
2878 }
2879 else
2880 {
2881 msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2882 }
2883}
2884
2885/*
2886 * Add a packet to a client instance output queue.
2887 */
2888static inline void
2889multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
2890{
2891 struct mbuf_buffer *mb;
2892
2893 if (BLEN(buf) > 0)
2894 {
2895 mb = mbuf_alloc_buf(buf);
2896 mb->flags = MF_UNICAST;
2897 multi_add_mbuf(m, mi, mb);
2898 mbuf_free_buf(mb);
2899 }
2900}
2901
2902/*
2903 * Broadcast a packet to all clients.
2904 */
2905static void
2906multi_bcast(struct multi_context *m, const struct buffer *buf,
2907 const struct multi_instance *sender_instance, uint16_t vid)
2908{
2909 struct hash_iterator hi;
2910 struct hash_element *he;
2911 struct multi_instance *mi;
2912 struct mbuf_buffer *mb;
2913
2914 if (BLEN(buf) > 0)
2915 {
2916#ifdef MULTI_DEBUG_EVENT_LOOP
2917 printf("BCAST len=%d\n", BLEN(buf));
2918#endif
2919 mb = mbuf_alloc_buf(buf);
2920 hash_iterator_init(m->iter, &hi);
2921
2922 while ((he = hash_iterator_next(&hi)))
2923 {
2924 mi = (struct multi_instance *)he->value;
2925 if (mi != sender_instance && !mi->halt)
2926 {
2927 if (vid != 0 && vid != mi->context.options.vlan_pvid)
2928 {
2929 continue;
2930 }
2931 multi_add_mbuf(m, mi, mb);
2932 }
2933 }
2934
2935 hash_iterator_free(&hi);
2936 mbuf_free_buf(mb);
2937 }
2938}
2939
2940/*
2941 * Given a time delta, indicating that we wish to be
2942 * awoken by the scheduler at time now + delta, figure
2943 * a sigma parameter (in microseconds) that represents
2944 * a sort of fuzz factor around delta, so that we're
2945 * really telling the scheduler to wake us up any time
2946 * between now + delta - sigma and now + delta + sigma.
2947 *
2948 * The sigma parameter helps the scheduler to run more efficiently.
2949 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2950 */
2951static inline unsigned int
2952compute_wakeup_sigma(const struct timeval *delta)
2953{
2954 ASSERT(delta->tv_sec >= 0);
2955 ASSERT(delta->tv_usec >= 0);
2956 if (delta->tv_sec < 1)
2957 {
2958 /* if < 1 sec, fuzz = # of microseconds / 8 */
2959 return (unsigned int)(delta->tv_usec >> 3);
2960 }
2961 else
2962 {
2963 /* if < 10 minutes, fuzz = 13.1% of timeout */
2964 if (delta->tv_sec < 600)
2965 {
2966 return (unsigned int)(delta->tv_sec << 17);
2967 }
2968 else
2969 {
2970 return 120 * 1000000; /* if >= 10 minutes, fuzz = 2 minutes */
2971 }
2972 }
2973}
2974
2975static void
2976multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
2977{
2978 /* calculate an absolute wakeup time */
2979 ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2980 tv_add(&mi->wakeup, &mi->context.c2.timeval);
2981
2982 /* tell scheduler to wake us up at some point in the future */
2983 schedule_add_entry(m->schedule, (struct schedule_entry *)mi, &mi->wakeup,
2984 compute_wakeup_sigma(&mi->context.c2.timeval));
2985}
2986
2987#if defined(ENABLE_ASYNC_PUSH)
2988static void
2989add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, int inotify_fd,
2990 const char *file)
2991{
2992 /* watch acf file */
2993 int watch_descriptor = inotify_add_watch(inotify_fd, file, IN_CLOSE_WRITE | IN_ONESHOT);
2994 if (watch_descriptor >= 0)
2995 {
2996 if (mi->inotify_watch != -1)
2997 {
2998 hash_remove(m->inotify_watchers, (void *)(uintptr_t)mi->inotify_watch);
2999 }
3000 hash_add(m->inotify_watchers, (void *)(uintptr_t)watch_descriptor, mi, true);
3001 mi->inotify_watch = watch_descriptor;
3002 }
3003 else
3004 {
3005 msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
3006 }
3007}
3008#endif /* if defined(ENABLE_ASYNC_PUSH) */
3009
3010/*
3011 * Figure instance-specific timers, convert
3012 * earliest to absolute time in mi->wakeup,
3013 * call scheduler with our future wakeup time.
3014 *
3015 * Also close context on signal.
3016 */
3017bool
3018multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
3019{
3020 bool ret = true;
3021
3022 if (!IS_SIG(&mi->context)
3023 && ((flags & MPP_PRE_SELECT)))
3024 {
3025#if defined(ENABLE_ASYNC_PUSH)
3026 bool was_unauthenticated = true;
3027 struct key_state *ks = NULL;
3028 if (mi->context.c2.tls_multi)
3029 {
3030 ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
3031 was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE);
3032 }
3033#endif
3034
3035 /* figure timeouts and fetch possible outgoing
3036 * to_link packets (such as ping or TLS control) */
3037 pre_select(&mi->context);
3038
3039#if defined(ENABLE_ASYNC_PUSH)
3040 /*
3041 * if we see the state transition from unauthenticated to deferred
3042 * and an auth_control_file, we assume it got just added and add
3043 * inotify watch to that file
3044 */
3045 if (ks && ks->plugin_auth.auth_control_file && was_unauthenticated
3046 && (ks->authenticated == KS_AUTH_DEFERRED))
3047 {
3048 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->plugin_auth.auth_control_file);
3049 }
3050 if (ks && ks->script_auth.auth_control_file && was_unauthenticated
3051 && (ks->authenticated == KS_AUTH_DEFERRED))
3052 {
3053 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, ks->script_auth.auth_control_file);
3054 }
3055#endif
3056
3057 if (!IS_SIG(&mi->context))
3058 {
3059 /* connection is "established" when SSL/TLS key negotiation succeeds
3060 * and (if specified) auth user/pass succeeds */
3061
3062 if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
3063 {
3064 multi_connection_established(m, mi);
3065 }
3066#if defined(ENABLE_ASYNC_PUSH)
3067 if (is_cas_pending(mi->context.c2.tls_multi->multi_state)
3068 && mi->client_connect_defer_state.deferred_ret_file)
3069 {
3070 add_inotify_file_watch(m, mi, m->top.c2.inotify_fd,
3071 mi->client_connect_defer_state.deferred_ret_file);
3072 }
3073#endif
3074 /* tell scheduler to wake us up at some point in the future */
3075 multi_schedule_context_wakeup(m, mi);
3076 }
3077 }
3078
3079 if (IS_SIG(&mi->context))
3080 {
3081 if (flags & MPP_CLOSE_ON_SIGNAL)
3082 {
3083 multi_close_instance_on_signal(m, mi);
3084 ret = false;
3085 }
3086 }
3087 else
3088 {
3089 /* continue to pend on output? */
3090 multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
3091
3092#ifdef MULTI_DEBUG_EVENT_LOOP
3093 printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int)(mi == m->pending),
3094 mi ? mi->context.c2.to_tun.len : -1, mi ? mi->context.c2.to_link.len : -1,
3095 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
3096 (int64_t)mi->context.c2.timeval.tv_sec, (long)mi->context.c2.timeval.tv_usec);
3097#endif
3098 }
3099
3100 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
3101 {
3102 *m->mpp_touched = mi;
3103 }
3104
3105 return ret;
3106}
3107
3116static void
3117multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
3118{
3119 struct mroute_addr real = { 0 };
3120 struct hash *hash = m->hash;
3121 struct gc_arena gc = gc_new();
3122
3123 if (mi->real.type & MR_WITH_PROTO)
3124 {
3125 real.type |= MR_WITH_PROTO;
3126 real.proto = sock->info.proto;
3127 }
3128
3129 if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
3130 {
3131 goto done;
3132 }
3133
3134 const uint32_t hv = hash_value(hash, &real);
3135 struct hash_bucket *bucket = hash_bucket(hash, hv);
3136
3137 /* make sure that we don't float to an address taken by another client */
3138 struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
3139 if (he)
3140 {
3141 struct multi_instance *ex_mi = (struct multi_instance *)he->value;
3142
3143 struct tls_multi *m1 = mi->context.c2.tls_multi;
3144 struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
3145
3146 /* do not float if target address is taken by client with another cert */
3147 if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
3148 {
3149 msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
3150 multi_instance_string(ex_mi, false, &gc));
3151
3152 mi->context.c2.buf.len = 0;
3153
3154 goto done;
3155 }
3156
3157 /* It doesn't make sense to let a peer float to the address it already
3158 * has, so we disallow it. This can happen if a DCO netlink notification
3159 * gets lost and we miss a floating step.
3160 */
3161 if (m1->peer_id == m2->peer_id)
3162 {
3163 msg(M_WARN,
3164 "disallowing peer %" PRIu32 " (%s) from floating to "
3165 "its own address (%s)",
3166 m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
3167 mroute_addr_print(&mi->real, &gc));
3168 goto done;
3169 }
3170
3171 msg(D_MULTI_LOW,
3172 "closing instance %s due to float collision with %s "
3173 "using the same certificate",
3174 multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc));
3175 multi_close_instance(m, ex_mi, false);
3176 }
3177
3178 msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
3179 mi->context.c2.tls_multi->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
3180 mroute_addr_print_ex(&mi->real, MAPF_SHOW_FAMILY, &gc),
3181 mroute_addr_print_ex(&real, MAPF_SHOW_FAMILY, &gc));
3182
3183 /* remove old address from hash table before changing address */
3184 ASSERT(hash_remove(m->hash, &mi->real));
3185 ASSERT(hash_remove(m->iter, &mi->real));
3186
3187 /* change external network address of the remote peer */
3188 mi->real = real;
3189 generate_prefix(mi);
3190
3191 mi->context.c2.from = m->top.c2.from;
3192 mi->context.c2.to_link_addr = &mi->context.c2.from;
3193
3194 /* inherit parent link_socket and link_socket_info */
3195 mi->context.c2.link_sockets[0] = sock;
3196 mi->context.c2.link_socket_infos[0]->lsa->actual = m->top.c2.from;
3197
3198 tls_update_remote_addr(mi->context.c2.tls_multi, &mi->context.c2.from);
3199
3200 ASSERT(hash_add(m->hash, &mi->real, mi, false));
3201 ASSERT(hash_add(m->iter, &mi->real, mi, false));
3202
3203#ifdef ENABLE_MANAGEMENT
3204 ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
3205#endif
3206
3207done:
3208 gc_free(&gc);
3209}
3210
3211/*
3212 * Called when an instance should be closed due to the
3213 * reception of a soft signal.
3214 */
3215void
3216multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
3217{
3218 remap_signal(&mi->context);
3219 set_prefix(mi);
3220 print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3221 clear_prefix();
3222 multi_close_instance(m, mi, false);
3223}
3224
3225#if (defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD))) \
3226 || defined(ENABLE_MANAGEMENT)
3227static void
3228multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3229{
3230 mi->context.sig->signal_received = sig;
3231 multi_close_instance_on_signal(m, mi);
3232}
3233#endif
3234
3235#if defined(ENABLE_DCO)
3236static void
3237process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, dco_context_t *dco)
3238{
3239 const char *reason = "ovpn-dco: unknown reason";
3240 switch (dco->dco_del_peer_reason)
3241 {
3242 case OVPN_DEL_PEER_REASON_EXPIRED:
3243 reason = "ovpn-dco: ping expired";
3244 break;
3245
3246 case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR:
3247 reason = "ovpn-dco: transport error";
3248 break;
3249
3250 case OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT:
3251 reason = "ovpn-dco: transport disconnected";
3252 break;
3253
3254 case OVPN_DEL_PEER_REASON_USERSPACE:
3255 /* We assume that is ourselves. Unfortunately, sometimes these
3256 * events happen with enough delay that they can have an order of
3257 *
3258 * dco_del_peer x
3259 * [new client connecting]
3260 * dco_new_peer x
3261 * event from dco_del_peer arrives.
3262 *
3263 * if we do not ignore this we get desynced with the kernel
3264 * since we assume the peer-id is free again. The other way would
3265 * be to send a dco_del_peer again
3266 */
3267 return;
3268 }
3269
3270 /* When kernel already deleted the peer, the socket is no longer
3271 * installed, and we do not need to clean up the state in the kernel */
3272 mi->context.c2.tls_multi->dco_peer_id = -1;
3273 mi->context.sig->signal_text = reason;
3274 multi_signal_instance(m, mi, SIGTERM);
3275}
3276
3277void
3278multi_process_incoming_dco(dco_context_t *dco)
3279{
3280 ASSERT(dco->c->multi);
3281
3282 struct multi_context *m = dco->c->multi;
3283
3284 int peer_id = dco->dco_message_peer_id;
3285
3286 /* no peer-specific message delivered -> nothing to process.
3287 * bail out right away
3288 */
3289 if (peer_id < 0)
3290 {
3291 return;
3292 }
3293
3294 if ((peer_id < m->max_clients) && (m->instances[peer_id]))
3295 {
3296 struct multi_instance *mi = m->instances[peer_id];
3297 set_prefix(mi);
3298 if (dco->dco_message_type == OVPN_CMD_DEL_PEER)
3299 {
3300 process_incoming_del_peer(m, mi, dco);
3301 }
3302 else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
3303 {
3304 ASSERT(mi->context.c2.link_sockets[0]);
3305 extract_dco_float_peer_addr(mi->context.c2.link_sockets[0]->info.af,
3306 &m->top.c2.from.dest,
3307 (struct sockaddr *)&dco->dco_float_peer_ss);
3308 multi_process_float(m, mi, mi->context.c2.link_sockets[0]);
3309 CLEAR(dco->dco_float_peer_ss);
3310 }
3311 else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
3312 {
3313 tls_session_soft_reset(mi->context.c2.tls_multi);
3314 }
3315 clear_prefix();
3316 }
3317 else
3318 {
3319 msglvl_t msglevel = D_DCO;
3320 if (dco->dco_message_type == OVPN_CMD_DEL_PEER
3321 && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE)
3322 {
3323 /* we receive OVPN_CMD_DEL_PEER message with reason USERSPACE
3324 * after we kill the peer ourselves. This peer may have already
3325 * been deleted, so we end up here.
3326 * In this case, print the following debug message with DCO_DEBUG
3327 * level only to avoid polluting the standard DCO level with this
3328 * harmless event.
3329 */
3330 msglevel = D_DCO_DEBUG;
3331 }
3332 msg(msglevel,
3333 "Received DCO message for unknown peer-id: %d, "
3334 "type %d, del_peer_reason %d",
3335 peer_id, dco->dco_message_type, dco->dco_del_peer_reason);
3336 }
3337}
3338#endif /* if defined(ENABLE_DCO) */
3339
3340/*
3341 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
3342 * i.e. client -> server direction.
3343 */
3344bool
3345multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance,
3346 const unsigned int mpp_flags, struct link_socket *sock)
3347{
3348 struct gc_arena gc = gc_new();
3349
3350 struct context *c;
3351 struct mroute_addr src, dest;
3352 unsigned int mroute_flags;
3353 struct multi_instance *mi;
3354 bool ret = true;
3355 bool floated = false;
3356
3357 if (m->pending)
3358 {
3359 return true;
3360 }
3361
3362 if (!instance)
3363 {
3364#ifdef MULTI_DEBUG_EVENT_LOOP
3365 printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
3366#endif
3367 multi_set_pending(m, multi_get_create_instance_udp(m, &floated, sock));
3368 }
3369 else
3370 {
3371 multi_set_pending(m, instance);
3372 }
3373
3374 if (m->pending)
3375 {
3376 set_prefix(m->pending);
3377
3378 /* get instance context */
3379 c = &m->pending->context;
3380
3381 if (!instance)
3382 {
3383 /* transfer packet pointer from top-level context buffer to instance */
3384 c->c2.buf = m->top.c2.buf;
3385
3386 /* transfer from-addr from top-level context buffer to instance */
3387 if (!floated)
3388 {
3389 c->c2.from = m->top.c2.from;
3390 }
3391 }
3392
3393 if (BLEN(&c->c2.buf) > 0)
3394 {
3395 struct link_socket_info *lsi;
3396 const uint8_t *orig_buf;
3397
3398 /* decrypt in instance context */
3399
3400 lsi = &sock->info;
3401 orig_buf = c->c2.buf.data;
3402 if (process_incoming_link_part1(c, lsi, floated))
3403 {
3404 /* nonzero length means that we have a valid, decrypted packed */
3405 if (floated && c->c2.buf.len > 0)
3406 {
3407 multi_process_float(m, m->pending, sock);
3408 }
3409
3410 process_incoming_link_part2(c, lsi, orig_buf);
3411 }
3412
3413 if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
3414 {
3415 /* extract packet source and dest addresses */
3416 mroute_flags =
3417 mroute_extract_addr_from_packet(&src, &dest, 0, &c->c2.to_tun, DEV_TYPE_TUN);
3418
3419 /* drop packet if extract failed */
3420 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
3421 {
3422 c->c2.to_tun.len = 0;
3423 }
3424 /* make sure that source address is associated with this client */
3425 else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
3426 {
3427 /* IPv6 link-local address (fe80::xxx)? */
3428 if ((src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
3429 && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr))
3430 {
3431 /* do nothing, for now. TODO: add address learning */
3432 }
3433 else
3434 {
3435 msg(D_MULTI_DROPPED,
3436 "MULTI: bad source address from client [%s], packet dropped",
3437 mroute_addr_print(&src, &gc));
3438 }
3439 c->c2.to_tun.len = 0;
3440 }
3441 /* client-to-client communication enabled? */
3442 else if (m->enable_c2c)
3443 {
3444 /* multicast? */
3445 if (mroute_flags & MROUTE_EXTRACT_MCAST)
3446 {
3447 /* for now, treat multicast as broadcast */
3448 multi_bcast(m, &c->c2.to_tun, m->pending, 0);
3449 }
3450 else /* possible client to client routing */
3451 {
3452 ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
3453 mi = multi_get_instance_by_virtual_addr(m, &dest, true);
3454
3455 /* if dest addr is a known client, route to it */
3456 if (mi)
3457 {
3458 {
3459 multi_unicast(m, &c->c2.to_tun, mi);
3460 register_activity(c, BLEN(&c->c2.to_tun));
3461 }
3462 c->c2.to_tun.len = 0;
3463 }
3464 }
3465 }
3466 }
3467 else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
3468 {
3469 uint16_t vid = 0;
3470
3471 if (m->top.options.vlan_tagging)
3472 {
3473 if (vlan_is_tagged(&c->c2.to_tun))
3474 {
3475 /* Drop VLAN-tagged frame. */
3476 msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
3477 c->c2.to_tun.len = 0;
3478 }
3479 else
3480 {
3481 vid = c->options.vlan_pvid;
3482 }
3483 }
3484 /* extract packet source and dest addresses */
3485 mroute_flags =
3486 mroute_extract_addr_from_packet(&src, &dest, vid, &c->c2.to_tun, DEV_TYPE_TAP);
3487
3488 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3489 {
3490 if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
3491 {
3492 /* check for broadcast */
3493 if (m->enable_c2c)
3494 {
3495 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3496 {
3497 multi_bcast(m, &c->c2.to_tun, m->pending, vid);
3498 }
3499 else /* try client-to-client routing */
3500 {
3501 mi = multi_get_instance_by_virtual_addr(m, &dest, false);
3502
3503 /* if dest addr is a known client, route to it */
3504 if (mi)
3505 {
3506 multi_unicast(m, &c->c2.to_tun, mi);
3507 register_activity(c, BLEN(&c->c2.to_tun));
3508 c->c2.to_tun.len = 0;
3509 }
3510 }
3511 }
3512 }
3513 else
3514 {
3515 msg(D_MULTI_DROPPED,
3516 "MULTI: bad source address from client [%s], packet dropped",
3517 mroute_addr_print(&src, &gc));
3518 c->c2.to_tun.len = 0;
3519 }
3520 }
3521 else
3522 {
3523 c->c2.to_tun.len = 0;
3524 }
3525 }
3526 }
3527
3528 /* postprocess and set wakeup */
3529 ret = multi_process_post(m, m->pending, mpp_flags);
3530
3531 clear_prefix();
3532 }
3533
3534 gc_free(&gc);
3535 return ret;
3536}
3537
3538/*
3539 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
3540 * i.e. server -> client direction.
3541 */
3542bool
3543multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
3544{
3545 bool ret = true;
3546
3547 if (BLEN(&m->top.c2.buf) > 0)
3548 {
3549 unsigned int mroute_flags;
3550 struct mroute_addr src = { 0 }, dest = { 0 };
3551 const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
3552 int16_t vid = 0;
3553
3554#ifdef MULTI_DEBUG_EVENT_LOOP
3555 printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
3556#endif
3557
3558 if (m->pending)
3559 {
3560 return true;
3561 }
3562
3563 if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
3564 {
3565 vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
3566 if (vid < 0)
3567 {
3568 return false;
3569 }
3570 }
3571
3572 /*
3573 * Route an incoming tun/tap packet to
3574 * the appropriate multi_instance object.
3575 */
3576
3577 mroute_flags = mroute_extract_addr_from_packet(&src, &dest, vid, &m->top.c2.buf, dev_type);
3578
3579 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
3580 {
3581 struct context *c;
3582
3583 /* broadcast or multicast dest addr? */
3584 if (mroute_flags & (MROUTE_EXTRACT_BCAST | MROUTE_EXTRACT_MCAST))
3585 {
3586 /* for now, treat multicast as broadcast */
3587 multi_bcast(m, &m->top.c2.buf, NULL, vid);
3588 }
3589 else
3590 {
3591 multi_set_pending(
3592 m, multi_get_instance_by_virtual_addr(m, &dest, dev_type == DEV_TYPE_TUN));
3593
3594 if (m->pending)
3595 {
3596 /* get instance context */
3597 c = &m->pending->context;
3598
3599 set_prefix(m->pending);
3600
3601 {
3602 if (multi_output_queue_ready(m, m->pending))
3603 {
3604 /* transfer packet pointer from top-level context buffer to instance */
3605 c->c2.buf = m->top.c2.buf;
3606 }
3607 else
3608 {
3609 /* drop packet */
3610 msg(D_MULTI_DROPPED,
3611 "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
3612 buf_reset_len(&c->c2.buf);
3613 }
3614 }
3615
3616 /* encrypt in instance context */
3617 process_incoming_tun(c, c->c2.link_sockets[0]);
3618
3619 /* postprocess and set wakeup */
3620 ret = multi_process_post(m, m->pending, mpp_flags);
3621
3622 clear_prefix();
3623 }
3624 }
3625 }
3626 }
3627 return ret;
3628}
3629
3630/*
3631 * Process a possible client-to-client/bcast/mcast message in the
3632 * queue.
3633 */
3634struct multi_instance *
3635multi_get_queue(struct mbuf_set *ms)
3636{
3637 struct mbuf_item item;
3638
3639 if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
3640 {
3641 unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_ICMP_NOHOST_SERVER;
3642
3643 set_prefix(item.instance);
3644 item.instance->context.c2.buf = item.buffer->buf;
3645 if (item.buffer->flags
3646 & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
3647 {
3648 pip_flags |= PIP_MSSFIX;
3649 }
3650 process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf,
3651 item.instance->context.c2.link_sockets[0]);
3652 encrypt_sign(&item.instance->context, true);
3653 mbuf_free_buf(item.buffer);
3654
3655 dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
3656
3657 clear_prefix();
3658 return item.instance;
3659 }
3660 else
3661 {
3662 return NULL;
3663 }
3664}
3665
3666/*
3667 * Called when an I/O wait times out. Usually means that a particular
3668 * client instance object needs timer-based service.
3669 */
3670bool
3671multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
3672{
3673 bool ret = true;
3674
3675#ifdef MULTI_DEBUG_EVENT_LOOP
3676 printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
3677#endif
3678
3679 /* instance marked for wakeup? */
3680 if (m->earliest_wakeup)
3681 {
3682 if (m->earliest_wakeup == (struct multi_instance *)&m->deferred_shutdown_signal)
3683 {
3684 schedule_remove_entry(m->schedule,
3685 (struct schedule_entry *)&m->deferred_shutdown_signal);
3686 throw_signal(m->deferred_shutdown_signal.signal_received);
3687 }
3688 else
3689 {
3690 set_prefix(m->earliest_wakeup);
3691 ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
3692 clear_prefix();
3693 }
3694 m->earliest_wakeup = NULL;
3695 }
3696 return ret;
3697}
3698
3699/*
3700 * Drop a TUN/TAP outgoing packet..
3701 */
3702void
3703multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
3704{
3705 struct multi_instance *mi = m->pending;
3706
3707 ASSERT(mi);
3708
3709 set_prefix(mi);
3710
3711 msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
3712 mi->context.c2.to_tun.len);
3713
3714 buf_reset(&mi->context.c2.to_tun);
3715
3716 multi_process_post(m, mi, mpp_flags);
3717 clear_prefix();
3718}
3719
3720/*
3721 * Per-client route quota management
3722 */
3723
3724void
3725route_quota_exceeded(const struct multi_instance *mi)
3726{
3727 struct gc_arena gc = gc_new();
3728 msg(D_ROUTE_QUOTA,
3729 "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
3730 mi->context.options.max_routes_per_client, multi_instance_string(mi, false, &gc));
3731 gc_free(&gc);
3732}
3733
3734#ifdef ENABLE_DEBUG
3735/*
3736 * Flood clients with random packets
3737 */
3738static void
3739gremlin_flood_clients(struct multi_context *m)
3740{
3741 const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
3742 if (level)
3743 {
3744 struct gc_arena gc = gc_new();
3745 struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
3746 struct packet_flood_parms parm = get_packet_flood_parms(level);
3747 int i;
3748
3749 ASSERT(buf_init(&buf, m->top.c2.frame.buf.headroom));
3750 parm.packet_size = min_int(parm.packet_size, m->top.c2.frame.buf.payload_size);
3751
3752 msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3753 parm.n_packets, parm.packet_size);
3754
3755 for (i = 0; i < parm.packet_size; ++i)
3756 {
3757 ASSERT(buf_write_u8(&buf, (uint8_t)(get_random() & 0xFF)));
3758 }
3759
3760 for (i = 0; i < parm.n_packets; ++i)
3761 {
3762 multi_bcast(m, &buf, NULL, 0);
3763 }
3764
3765 gc_free(&gc);
3766 }
3767}
3768#endif /* ifdef ENABLE_DEBUG */
3769
3770static bool
3771stale_route_check_trigger(struct multi_context *m)
3772{
3773 struct timeval null;
3774 CLEAR(null);
3775 return event_timeout_trigger(&m->stale_routes_check_et, &null, ETT_DEFAULT);
3776}
3777
3778/*
3779 * Process timers in the top-level context
3780 */
3781void
3782multi_process_per_second_timers_dowork(struct multi_context *m)
3783{
3784 /* possibly reap instances/routes in vhash */
3785 multi_reap_process(m);
3786
3787 /* possibly print to status log */
3788 if (m->top.c1.status_output)
3789 {
3790 if (status_trigger(m->top.c1.status_output))
3791 {
3792 multi_print_status(m, m->top.c1.status_output, m->status_file_version);
3793 }
3794 }
3795
3796 /* possibly flush ifconfig-pool file */
3797 multi_ifconfig_pool_persist(m, false);
3798
3799#ifdef ENABLE_DEBUG
3800 gremlin_flood_clients(m);
3801#endif
3802
3803 /* Should we check for stale routes? */
3804 if (m->top.options.stale_routes_check_interval && stale_route_check_trigger(m))
3805 {
3806 check_stale_routes(m);
3807 }
3808}
3809
3810static void
3811multi_top_init(struct context *top)
3812{
3813 inherit_context_top(&top->multi->top, top);
3814 top->multi->top.c2.buffers = init_context_buffers(&top->c2.frame);
3815}
3816
3817static void
3823
3824static bool
3825is_exit_restart(int sig)
3826{
3827 return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3828}
3829
3830static void
3831multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
3832{
3833 struct hash_iterator hi;
3834 struct hash_element *he;
3835
3836 /* tell all clients to restart */
3837 hash_iterator_init(m->iter, &hi);
3838 while ((he = hash_iterator_next(&hi)))
3839 {
3840 struct multi_instance *mi = (struct multi_instance *)he->value;
3841 if (!mi->halt && proto_is_dgram(mi->context.c2.link_sockets[0]->info.proto))
3842 {
3843 send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART",
3844 D_PUSH);
3845 multi_schedule_context_wakeup(m, mi);
3846 }
3847 }
3848 hash_iterator_free(&hi);
3849
3850 /* reschedule signal */
3851 ASSERT(!openvpn_gettimeofday(&m->deferred_shutdown_signal.wakeup, NULL));
3852 struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };
3853 tv_add(&m->deferred_shutdown_signal.wakeup, &tv);
3854
3855 m->deferred_shutdown_signal.signal_received = m->top.sig->signal_received;
3856
3857 schedule_add_entry(m->schedule, (struct schedule_entry *)&m->deferred_shutdown_signal,
3858 &m->deferred_shutdown_signal.wakeup,
3859 compute_wakeup_sigma(&tv));
3860
3861 signal_reset(m->top.sig, 0);
3862}
3863
3864/*
3865 * Return true if event loop should break,
3866 * false if it should continue.
3867 */
3868bool
3869multi_process_signal(struct multi_context *m)
3870{
3871 if (signal_reset(m->top.sig, SIGUSR2) == SIGUSR2)
3872 {
3873 struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3874 multi_print_status(m, so, m->status_file_version);
3875 status_close(so);
3876 return false;
3877 }
3878 else if (has_udp_in_local_list(&m->top.options) && is_exit_restart(m->top.sig->signal_received)
3879 && (m->deferred_shutdown_signal.signal_received == 0)
3880 && m->top.options.ce.explicit_exit_notification != 0)
3881 {
3882 multi_push_restart_schedule_exit(m, m->top.options.ce.explicit_exit_notification == 2);
3883 return false;
3884 }
3885 return true;
3886}
3887
3888/*
3889 * Management subsystem callbacks
3890 */
3891#ifdef ENABLE_MANAGEMENT
3892
3893static void
3894management_callback_status(void *arg, const int version, struct status_output *so)
3895{
3896 struct multi_context *m = (struct multi_context *)arg;
3897
3898 if (!version)
3899 {
3900 multi_print_status(m, so, m->status_file_version);
3901 }
3902 else
3903 {
3904 multi_print_status(m, so, version);
3905 }
3906}
3907
3908static int
3909management_callback_n_clients(void *arg)
3910{
3911 struct multi_context *m = (struct multi_context *)arg;
3912 return m->n_clients;
3913}
3914
3915static int
3916management_callback_kill_by_cn(void *arg, const char *del_cn)
3917{
3918 struct multi_context *m = (struct multi_context *)arg;
3919 struct hash_iterator hi;
3920 struct hash_element *he;
3921 int count = 0;
3922
3923 hash_iterator_init(m->iter, &hi);
3924 while ((he = hash_iterator_next(&hi)))
3925 {
3926 struct multi_instance *mi = (struct multi_instance *)he->value;
3927 if (!mi->halt)
3928 {
3929 const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3930 if (cn && !strcmp(cn, del_cn))
3931 {
3932 multi_signal_instance(m, mi, SIGTERM);
3933 ++count;
3934 }
3935 }
3936 }
3937 hash_iterator_free(&hi);
3938 return count;
3939}
3940
3941static int
3942management_callback_kill_by_addr(void *arg, const in_addr_t addr, const uint16_t port, const uint8_t proto)
3943{
3944 struct multi_context *m = (struct multi_context *)arg;
3945 struct hash_iterator hi;
3946 struct hash_element *he;
3947 struct openvpn_sockaddr saddr;
3948 struct mroute_addr maddr;
3949 int count = 0;
3950
3951 CLEAR(saddr);
3952 saddr.addr.in4.sin_family = AF_INET;
3953 saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3954 saddr.addr.in4.sin_port = htons(port);
3955 maddr.proto = proto;
3956 if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3957 {
3958 hash_iterator_init(m->iter, &hi);
3959 while ((he = hash_iterator_next(&hi)))
3960 {
3961 struct multi_instance *mi = (struct multi_instance *)he->value;
3962 if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3963 {
3964 multi_signal_instance(m, mi, SIGTERM);
3965 ++count;
3966 }
3967 }
3968 hash_iterator_free(&hi);
3969 }
3970 return count;
3971}
3972
3973static void
3974management_delete_event(void *arg, event_t event)
3975{
3976 struct multi_context *m = (struct multi_context *)arg;
3977 if (m->multi_io)
3978 {
3979 multi_tcp_delete_event(m->multi_io, event);
3980 }
3981}
3982
3983struct multi_instance *
3984lookup_by_cid(struct multi_context *m, const unsigned long cid)
3985{
3986 if (m)
3987 {
3988 struct multi_instance *mi = (struct multi_instance *)hash_lookup(m->cid_hash, &cid);
3989 if (mi && !mi->halt)
3990 {
3991 return mi;
3992 }
3993 }
3994 return NULL;
3995}
3996
3997static bool
3998management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3999{
4000 struct multi_context *m = (struct multi_context *)arg;
4001 struct multi_instance *mi = lookup_by_cid(m, cid);
4002 if (mi)
4003 {
4004 send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
4005 multi_schedule_context_wakeup(m, mi);
4006 return true;
4007 }
4008 else
4009 {
4010 return false;
4011 }
4012}
4013
4014static bool
4015management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4016 const char *extra, unsigned int timeout)
4017{
4018 struct multi_context *m = (struct multi_context *)arg;
4019 struct multi_instance *mi = lookup_by_cid(m, cid);
4020
4021 if (mi)
4022 {
4023 struct tls_multi *multi = mi->context.c2.tls_multi;
4024 struct tls_session *session;
4025
4026 if (multi->session[TM_INITIAL].key[KS_PRIMARY].mda_key_id == mda_key_id)
4027 {
4028 session = &multi->session[TM_INITIAL];
4029 }
4030 else if (multi->session[TM_ACTIVE].key[KS_PRIMARY].mda_key_id == mda_key_id)
4031 {
4032 session = &multi->session[TM_ACTIVE];
4033 }
4034 else
4035 {
4036 return false;
4037 }
4038
4039 /* sends INFO_PRE and AUTH_PENDING messages to client */
4040 bool ret = send_auth_pending_messages(multi, session, extra, timeout);
4041 reschedule_multi_process(&mi->context);
4042 multi_schedule_context_wakeup(m, mi);
4043 return ret;
4044 }
4045 return false;
4046}
4047
4048
4049static bool
4050management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id,
4051 const bool auth, const char *reason, const char *client_reason,
4052 struct buffer_list *cc_config) /* ownership transferred */
4053{
4054 struct multi_context *m = (struct multi_context *)arg;
4055 struct multi_instance *mi = lookup_by_cid(m, cid);
4056 bool cc_config_owned = true;
4057 bool ret = false;
4058
4059 if (mi)
4060 {
4061 ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
4062 if (ret)
4063 {
4064 if (auth)
4065 {
4066 if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
4067 {
4068 set_cc_config(mi, cc_config);
4069 cc_config_owned = false;
4070 }
4071 }
4072 else if (reason)
4073 {
4074 msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason,
4075 np(client_reason));
4076 }
4077 }
4078 }
4079 if (cc_config_owned && cc_config)
4080 {
4081 buffer_list_free(cc_config);
4082 }
4083 return ret;
4084}
4085
4086static char *
4087management_get_peer_info(void *arg, const unsigned long cid)
4088{
4089 struct multi_context *m = (struct multi_context *)arg;
4090 struct multi_instance *mi = lookup_by_cid(m, cid);
4091 char *ret = NULL;
4092
4093 if (mi)
4094 {
4095 ret = mi->context.c2.tls_multi->peer_info;
4096 }
4097
4098 return ret;
4099}
4100
4101#endif /* ifdef ENABLE_MANAGEMENT */
4102
4103
4104void
4130
4131#if defined(__GNUC__) || defined(__clang__)
4132#pragma GCC diagnostic push
4133#pragma GCC diagnostic ignored "-Wsign-compare"
4134#endif
4135
4136void
4137multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
4138{
4139 /* max_clients must be less then max peer-id value */
4140 ASSERT(m->max_clients < MAX_PEER_ID);
4141
4142 for (int i = 0; i < m->max_clients; ++i)
4143 {
4144 if (!m->instances[i])
4145 {
4146 mi->context.c2.tls_multi->peer_id = i;
4147 m->instances[i] = mi;
4148 break;
4149 }
4150 }
4151
4152 /* should not really end up here, since multi_create_instance returns null
4153 * if amount of clients exceeds max_clients */
4154 ASSERT(mi->context.c2.tls_multi->peer_id < m->max_clients);
4155}
4156
4157#if defined(__GNUC__) || defined(__clang__)
4158#pragma GCC diagnostic pop
4159#endif
4160
4171static void
4172multi_get_timeout(struct multi_context *multi, struct timeval *timeval)
4173{
4174 multi_get_timeout_instance(multi, timeval);
4175
4176#ifdef ENABLE_MANAGEMENT
4177 if (management)
4178 {
4179 management_check_bytecount_server(multi, timeval);
4180 }
4181#endif /* ENABLE_MANAGEMENT */
4182}
4183
4184/**************************************************************************/
4191static void
4192tunnel_server_loop(struct multi_context *multi)
4193{
4194 int status;
4195
4196 while (true)
4197 {
4198 /* wait on tun/socket list */
4199 multi_get_timeout(multi, &multi->top.c2.timeval);
4200 status = multi_io_wait(multi);
4201 MULTI_CHECK_SIG(multi);
4202
4203 /* check on status of coarse timers */
4204 multi_process_per_second_timers(multi);
4205
4206 /* timeout? */
4207 if (status > 0)
4208 {
4209 /* process the I/O which triggered select */
4210 multi_io_process_io(multi);
4211 }
4212 else if (status == 0)
4213 {
4214 multi_io_action(multi, NULL, TA_TIMEOUT, false);
4215 }
4216
4217 MULTI_CHECK_SIG(multi);
4218 }
4219}
4220
4221/*
4222 * Top level event loop.
4223 */
4224void
4225tunnel_server(struct context *top)
4226{
4227 ASSERT(top->options.mode == MODE_SERVER);
4228
4229 struct multi_context multi;
4230
4231 top->mode = CM_TOP;
4232 top->multi = &multi;
4233 context_clear_2(top);
4234
4235 /* initialize top-tunnel instance */
4236 init_instance_handle_signals(top, top->es, CC_HARD_USR1_TO_HUP);
4237 if (IS_SIG(top))
4238 {
4239 return;
4240 }
4241
4242 /* initialize global multi_context object */
4243 multi_init(top);
4244
4245 /* initialize our cloned top object */
4246 multi_top_init(top);
4247
4248 /* initialize management interface */
4249 init_management_callback_multi(&multi);
4250
4251 /* finished with initialization */
4252 initialization_sequence_completed(top, ISC_SERVER); /* --mode server --proto tcp-server */
4253
4254#ifdef ENABLE_ASYNC_PUSH
4255 multi.top.c2.inotify_fd = inotify_init();
4256 if (multi.top.c2.inotify_fd < 0)
4257 {
4258 msg(D_MULTI_ERRORS | M_ERRNO, "MULTI: inotify_init error");
4259 }
4260#endif
4261
4262 tunnel_server_loop(&multi);
4263
4264#ifdef ENABLE_ASYNC_PUSH
4265 msg(D_LOW, "%s: close multi.top.c2.inotify_fd (%d)",
4266 __func__, multi.top.c2.inotify_fd);
4267 close(multi.top.c2.inotify_fd);
4268#endif
4269
4270 /* shut down management interface */
4271 uninit_management_callback();
4272
4273 /* save ifconfig-pool */
4274 multi_ifconfig_pool_persist(&multi, true);
4275
4276 /* tear down tunnel instance (unless --persist-tun) */
4277 multi_uninit(&multi);
4278 multi_top_free(&multi);
4279 close_instance(top);
4280}
4281
4282/* Searches for the address and deletes it if it is owned by the multi_instance */
4283static void
4284multi_unlearn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr)
4285{
4286 struct hash_element *he;
4287 const uint32_t hv = hash_value(m->vhash, addr);
4288 struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
4289 struct multi_route *r = NULL;
4290
4291 /* if route currently exists, get the instance which owns it */
4292 he = hash_lookup_fast(m->vhash, bucket, addr, hv);
4293 if (he)
4294 {
4295 r = (struct multi_route *)he->value;
4296 }
4297
4298 /* if the route does not exist or exists but is not owned by the current instance, return */
4299 if (!r || r->instance != mi)
4300 {
4301 return;
4302 }
4303
4304 struct gc_arena gc = gc_new();
4305 msg(D_MULTI_LOW, "MULTI: Unlearn: %s -> %s", mroute_addr_print(&r->addr, &gc), multi_instance_string(mi, false, &gc));
4306 learn_address_script(m, NULL, "delete", &r->addr);
4307 hash_remove_by_value(m->vhash, r);
4308 multi_route_del(r);
4309
4310 gc_free(&gc);
4311}
4312
4318static void
4319multi_unlearn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a)
4320{
4321 struct mroute_addr addr;
4322 CLEAR(addr);
4323
4324 addr.type = MR_ADDR_IPV4;
4325 addr.len = 4;
4326 addr.v4.addr = a;
4327
4328 multi_unlearn_addr(m, mi, &addr);
4329}
4330
4336static void
4337multi_unlearn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6)
4338{
4339 struct mroute_addr addr;
4340 CLEAR(addr);
4341
4342 addr.type = MR_ADDR_IPV6;
4343 addr.len = 16;
4344 addr.v6.addr = a6;
4345
4346 multi_unlearn_addr(m, mi, &addr);
4347}
4348
4349/* Function to unlearn previous ifconfig of a client in the server multi_context after a PUSH_UPDATE */
4350void
4360
4361/* Function to unlearn previous ifconfig-ipv6 of a client in the server multi_context after a PUSH_UPDATE */
4362void
4363unlearn_ifconfig_ipv6(struct multi_context *m, struct multi_instance *mi)
4364{
4365 struct in6_addr old_addr6;
4366 CLEAR(old_addr6);
4367 old_addr6 = mi->context.c2.push_ifconfig_ipv6_local;
4368 multi_unlearn_in6_addr(m, mi, old_addr6);
4369 mi->context.c2.push_ifconfig_ipv6_defined = false;
4370 CLEAR(mi->context.c2.push_ifconfig_ipv6_local);
4371 CLEAR(mi->reporting_addr_ipv6);
4372}
4373
4384void
4385update_vhash(struct multi_context *m, struct multi_instance *mi, const char *new_ip, const char *new_ipv6)
4386{
4387 if (new_ip)
4388 {
4389 /* Remove old IP */
4390 if (mi->context.c2.push_ifconfig_defined)
4391 {
4392 unlearn_ifconfig(m, mi);
4393 }
4394
4395 /* Add new IP */
4396 struct in_addr new_addr;
4397 CLEAR(new_addr);
4398 if (inet_pton(AF_INET, new_ip, &new_addr) == 1
4399 && multi_learn_in_addr_t(m, mi, ntohl(new_addr.s_addr), -1, true))
4400 {
4401 mi->context.c2.push_ifconfig_defined = true;
4402 mi->context.c2.push_ifconfig_local = ntohl(new_addr.s_addr);
4403 /* set our client's VPN endpoint for status reporting purposes */
4404 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
4405 }
4406 }
4407
4408 if (new_ipv6)
4409 {
4410 /* Remove old IPv6 */
4411 if (mi->context.c2.push_ifconfig_ipv6_defined)
4412 {
4413 unlearn_ifconfig_ipv6(m, mi);
4414 }
4415
4416 /* Add new IPv6 */
4417 struct in6_addr new_addr6;
4418 CLEAR(new_addr6);
4419 if (inet_pton(AF_INET6, new_ipv6, &new_addr6) == 1
4420 && multi_learn_in6_addr(m, mi, new_addr6, -1, true))
4421 {
4422 mi->context.c2.push_ifconfig_ipv6_defined = true;
4423 mi->context.c2.push_ifconfig_ipv6_local = new_addr6;
4424 /* set our client's VPN endpoint for status reporting purposes */
4425 mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local;
4426 }
4427 }
4428}
4429
4430bool
4431multi_check_push_ifconfig_extra_route(struct multi_instance *mi, in_addr_t dest)
4432{
4433 struct options *o = &mi->context.options;
4434 in_addr_t local_addr, local_netmask;
4435
4436 if (!o->ifconfig_local || !o->ifconfig_remote_netmask)
4437 {
4438 /* If we do not have a local address, we just return false as
4439 * this check doesn't make sense. */
4440 return false;
4441 }
4442
4443 /* if it falls into the network defined by ifconfig_local we assume
4444 * it is already known to DCO and only install "extra" iroutes */
4445 inet_pton(AF_INET, o->ifconfig_local, &local_addr);
4446 inet_pton(AF_INET, o->ifconfig_remote_netmask, &local_netmask);
4447
4448 return (local_addr & local_netmask) != (dest & local_netmask);
4449}
4450
4451bool
4452multi_check_push_ifconfig_ipv6_extra_route(struct multi_instance *mi,
4453 struct in6_addr *dest)
4454{
4455 struct options *o = &mi->context.options;
4456
4457 if (!o->ifconfig_ipv6_local || !o->ifconfig_ipv6_netbits)
4458 {
4459 /* If we do not have a local address, we just return false as
4460 * this check doesn't make sense. */
4461 return false;
4462 }
4463
4464 /* if it falls into the network defined by ifconfig_local we assume
4465 * it is already known to DCO and only install "extra" iroutes */
4466 struct in6_addr ifconfig_local;
4467 if (inet_pton(AF_INET6, o->ifconfig_ipv6_local, &ifconfig_local) != 1)
4468 {
4469 return false;
4470 }
4471
4472 return (!ipv6_net_contains_host(&ifconfig_local, o->ifconfig_ipv6_netbits,
4473 dest));
4474}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:161
auth_token.h
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1187
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:653
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition buffer.h:1083
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_reset
static void buf_reset(struct buffer *buf)
Definition buffer.h:304
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:685
BLEN
#define BLEN(buf)
Definition buffer.h:126
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:313
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1088
buf_init
#define buf_init(buf, offset)
Definition buffer.h:210
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
key1
static const char *const key1
Definition cert_data.h:55
CCD_DEFAULT
#define CCD_DEFAULT
Definition common.h:63
counter_format
#define counter_format
Definition common.h:32
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
get_random
long int get_random(void)
Definition crypto.c:1745
translate_cipher_name_to_openvpn
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition crypto.c:1819
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:371
crypto_backend.h
Data Channel Cryptography SSL library-specific backend interface.
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:812
dco_get_peer_stats_multi
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:369
dco_install_iroute
static void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *addr)
Definition dco.h:359
dco_check_option
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:274
dco_context_t
void * dco_context_t
Definition dco.h:259
dco_multi_add_new_peer
static int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:353
dco_delete_iroutes
static void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition dco.h:364
setenv_counter
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition env_set.c:283
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition env_set.c:156
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_MULTI_ERRORS
#define D_MULTI_ERRORS
Definition errlevel.h:64
D_VLAN_DEBUG
#define D_VLAN_DEBUG
Definition errlevel.h:153
D_IMPORT_ERRORS
#define D_IMPORT_ERRORS
Definition errlevel.h:63
D_ROUTE_QUOTA
#define D_ROUTE_QUOTA
Definition errlevel.h:89
D_MULTI_MEDIUM
#define D_MULTI_MEDIUM
Definition errlevel.h:101
D_DCO
#define D_DCO
Definition errlevel.h:93
D_MULTI_DEBUG
#define D_MULTI_DEBUG
Definition errlevel.h:126
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:100
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:117
D_MULTI_LOW
#define D_MULTI_LOW
Definition errlevel.h:85
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
D_LOW
#define D_LOW
Definition errlevel.h:96
M_INFO
#define M_INFO
Definition errlevel.h:54
D_GREMLIN
#define D_GREMLIN
Definition errlevel.h:77
EVENT_ARG_MULTI_INSTANCE
@ EVENT_ARG_MULTI_INSTANCE
Definition event.h:134
reschedule_multi_process
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:391
send_control_channel_string
bool send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
Definition forward.c:398
pre_select
void pre_select(struct context *c)
Definition forward.c:1966
process_ip_header
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf, struct link_socket *sock)
Definition forward.c:1662
extract_dco_float_peer_addr
void extract_dco_float_peer_addr(const sa_family_t socket_family, struct openvpn_sockaddr *out_osaddr, const struct sockaddr *float_sa)
Transfers float_sa data extracted from an incoming DCO PEER_FLOAT_NTF to out_osaddr for later process...
Definition forward.c:1213
forward.h
Interface functions to the internal and external multiplexers.
PIP_MSSFIX
#define PIP_MSSFIX
Definition forward.h:323
register_activity
static void register_activity(struct context *c, const int64_t size)
Definition forward.h:350
PIPV6_ICMP_NOHOST_SERVER
#define PIPV6_ICMP_NOHOST_SERVER
Definition forward.h:328
get_link_socket_info
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition forward.h:337
ANY_OUT
#define ANY_OUT(c)
Definition forward.h:39
PIPV4_PASSTOS
#define PIPV4_PASSTOS
Definition forward.h:322
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:545
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:464
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:544
encrypt_sign
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition forward.c:621
tunnel_server
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition multi.c:4225
tunnel_server_loop
static void tunnel_server_loop(struct multi_context *multi)
Main event loop for OpenVPN in point-to-multipoint server mode.
Definition multi.c:4192
process_incoming_link_part1
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition forward.c:987
process_incoming_link_part2
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition forward.c:1120
multi_process_incoming_link
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags, struct link_socket *sock)
Demultiplex and process a packet received over the external network interface.
Definition multi.c:3345
multi_get_create_instance_udp
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock)
Get, and if necessary create, the multi_instance associated with a packet's source address.
Definition mudp.c:195
process_incoming_tun
void process_incoming_tun(struct context *c, struct link_socket *out_sock)
Process a packet read from the virtual tun/tap network interface.
Definition forward.c:1479
multi_process_incoming_tun
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition multi.c:3543
uninit_management_callback
void uninit_management_callback(void)
Definition init.c:4413
initialization_sequence_completed
void initialization_sequence_completed(struct context *c, const unsigned int flags)
Definition init.c:1538
close_instance
void close_instance(struct context *c)
Definition init.c:4747
inherit_context_top
void inherit_context_top(struct context *dest, const struct context *src)
Definition init.c:4908
free_context_buffers
void free_context_buffers(struct context_buffers *b)
Definition init.c:3711
init_instance_handle_signals
void init_instance_handle_signals(struct context *c, const struct env_set *env, const unsigned int flags)
Definition init.c:4725
do_deferred_options
bool do_deferred_options(struct context *c, const unsigned int found, const bool is_update)
Definition init.c:2591
inherit_context_child
void inherit_context_child(struct context *dest, const struct context *src, struct link_socket *sock)
Definition init.c:4820
context_clear_2
void context_clear_2(struct context *c)
Definition init.c:87
close_context
void close_context(struct context *c, int sig, unsigned int flags)
Definition init.c:4954
init_context_buffers
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition init.c:3686
management_show_net_callback
void management_show_net_callback(void *arg, const msglvl_t msglevel)
Definition init.c:4263
CC_GC_FREE
#define CC_GC_FREE
Definition init.h:109
CC_HARD_USR1_TO_HUP
#define CC_HARD_USR1_TO_HUP
Definition init.h:111
ISC_SERVER
#define ISC_SERVER
Definition init.h:121
constrain_uint
static unsigned int constrain_uint(unsigned int x, unsigned int min, unsigned int max)
Definition integer.h:139
min_int
static int min_int(int x, int y)
Definition integer.h:105
status
static SERVICE_STATUS status
Definition interactive.c:51
route
@ route
Definition interactive.c:85
read
@ read
Definition interactive.c:212
event_timeout_trigger
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
This is the principal function for testing and triggering recurring timers.
Definition interval.c:42
ETT_DEFAULT
#define ETT_DEFAULT
Definition interval.h:222
event_timeout_init
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t last)
Initialises a timer struct.
Definition interval.h:172
hash_iterator_free
void hash_iterator_free(struct hash_iterator *hi)
Definition list.c:270
hash_iterator_next
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition list.c:276
hash_iterator_delete_element
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition list.c:308
hash_lookup_fast
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition list.c:79
hash_iterator_init
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition list.c:234
hash_init
struct hash * hash_init(const uint32_t n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition list.c:37
hash_free
void hash_free(struct hash *hash)
Definition list.c:60
hash_add
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition list.c:137
hash_remove_by_value
void hash_remove_by_value(struct hash *hash, void *value)
Definition list.c:165
hash_iterator_init_range
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, uint32_t start_bucket, uint32_t end_bucket)
Definition list.c:213
hash_remove
static bool hash_remove(struct hash *hash, const void *key)
Definition list.h:161
hash_lookup
static void * hash_lookup(struct hash *hash, const void *key)
Definition list.h:128
hash_n_elements
static uint32_t hash_n_elements(const struct hash *hash)
Definition list.h:110
hash_n_buckets
static uint32_t hash_n_buckets(const struct hash *hash)
Definition list.h:116
hash_value
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition list.h:104
hash_add_fast
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition list.h:146
management_check_bytecount_server
void management_check_bytecount_server(struct multi_context *multi, struct timeval *timeval)
Definition manage.c:4192
management_notify_client_close
void management_notify_client_close(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3032
management_learn_addr
void management_learn_addr(struct management *management, struct man_def_auth_context *mdac, const struct mroute_addr *addr, const bool primary)
Definition manage.c:3044
management_connection_established
void management_connection_established(struct management *management, struct man_def_auth_context *mdac, const struct env_set *es)
Definition manage.c:3022
management_set_callback
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition manage.c:2779
MCF_SERVER
#define MCF_SERVER
Definition manage.h:175
mbuf_add_item
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition mbuf.c:99
mbuf_alloc_buf
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition mbuf.c:75
mbuf_free_buf
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition mbuf.c:86
mbuf_dereference_instance
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition mbuf.c:163
mbuf_extract_item
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition mbuf.c:121
mbuf_free
void mbuf_free(struct mbuf_set *ms)
Definition mbuf.c:59
mbuf_init
struct mbuf_set * mbuf_init(unsigned int size)
Definition mbuf.c:43
MF_UNICAST
#define MF_UNICAST
Definition mbuf.h:47
mbuf_maximum_queued
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition mbuf.h:93
mroute_addr_mask_host_bits
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition mroute.c:318
mroute_helper_add_iroute46
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:520
mroute_addr_print_ex
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition mroute.c:377
mroute_extract_openvpn_sockaddr
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition mroute.c:254
mroute_addr_print
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition mroute.c:371
mroute_addr_hash_function
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition mroute.c:358
mroute_helper_del_iroute46
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition mroute.c:535
mroute_learnable_address
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition mroute.c:63
mroute_addr_compare_function
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition mroute.c:365
mroute_helper_init
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition mroute.c:482
mroute_addr_init
void mroute_addr_init(struct mroute_addr *addr)
Definition mroute.c:38
mroute_helper_free
void mroute_helper_free(struct mroute_helper *mh)
Definition mroute.c:551
MROUTE_EXTRACT_SUCCEEDED
#define MROUTE_EXTRACT_SUCCEEDED
Definition mroute.h:38
MROUTE_EXTRACT_MCAST
#define MROUTE_EXTRACT_MCAST
Definition mroute.h:40
mroute_extract_addr_from_packet
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition mroute.h:183
MR_WITH_NETBITS
#define MR_WITH_NETBITS
Definition mroute.h:70
MR_WITH_PROTO
#define MR_WITH_PROTO
Definition mroute.h:76
mroute_extract_in_addr_t
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition mroute.h:244
MR_ADDR_IPV4
#define MR_ADDR_IPV4
Definition mroute.h:62
MR_ONLINK_DCO_ADDR
#define MR_ONLINK_DCO_ADDR
Definition mroute.h:79
mroute_addr_equal
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition mroute.h:209
MAPF_SHOW_FAMILY
#define MAPF_SHOW_FAMILY
Definition mroute.h:158
MROUTE_EXTRACT_BCAST
#define MROUTE_EXTRACT_BCAST
Definition mroute.h:39
MR_ADDR_IPV6
#define MR_ADDR_IPV6
Definition mroute.h:63
MR_ADDR_MASK
#define MR_ADDR_MASK
Definition mroute.h:64
multi_tcp_instance_specific_free
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition mtcp.c:124
multi_tcp_delete_event
void multi_tcp_delete_event(struct multi_io *multi_io, event_t event)
Definition mtcp.c:130
multi_tcp_instance_specific_init
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition mtcp.c:102
multi_tcp_dereference_instance
void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi)
Definition mtcp.c:139
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:183
np
static const char * np(const char *str)
Definition multi-auth.c:146
multi_learn_addr
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition multi.c:1037
multi_schedule_context_wakeup
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2976
multi_unlearn_in_addr_t
static void multi_unlearn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a)
Definition multi.c:4319
multi_client_connect_early_setup
static void multi_client_connect_early_setup(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2464
multi_reap_free
static void multi_reap_free(struct multi_reap *mr)
Definition multi.c:215
ccs_gen_deferred_ret_file
static bool ccs_gen_deferred_ret_file(struct multi_instance *mi)
Create a temporary file for the return value of client connect and puts it into the client_connect_de...
Definition multi.c:1926
multi_process_float
static void multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock)
Handles peer floating.
Definition multi.c:3117
multi_reap_range
static void multi_reap_range(const struct multi_context *m, uint32_t start_bucket, uint32_t end_bucket)
Definition multi.c:161
multi_create_instance
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real, struct link_socket *sock)
Definition multi.c:716
multi_add_iroutes
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1299
multi_ifconfig_pool_persist
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition multi.c:150
multi_top_free
static void multi_top_free(struct multi_context *m)
Definition multi.c:3818
multi_signal_instance
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition multi.c:3228
multi_reap_process_dowork
void multi_reap_process_dowork(const struct multi_context *m)
Definition multi.c:202
override_locked_username
static bool override_locked_username(struct multi_instance *mi)
Overrides the locked username with the username of –override-username.
Definition multi.c:2600
management_callback_n_clients
static int management_callback_n_clients(void *arg)
Definition multi.c:3909
multi_process_signal
bool multi_process_signal(struct multi_context *m)
Definition multi.c:3869
multi_select_virtual_addr
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:1434
multi_client_connect_call_script
static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Runs the –client-connect script if one is defined.
Definition multi.c:2237
multi_get_timeout
static void multi_get_timeout(struct multi_context *multi, struct timeval *timeval)
Determines the earliest wakeup interval based on periodic operations.
Definition multi.c:4172
multi_close_instance_on_signal
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:3216
multi_process_post
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition multi.c:3018
multi_connection_established
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:2674
multi_process_per_second_timers_dowork
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition multi.c:3782
multi_set_virtual_addr_env
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition multi.c:1575
multi_client_connect_setenv
static void multi_client_connect_setenv(struct multi_instance *mi)
Definition multi.c:1719
multi_get_queue
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition multi.c:3635
multi_process_timeout
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3671
multi_unlearn_addr
static void multi_unlearn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr)
Definition multi.c:4284
management_callback_kill_by_cn
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition multi.c:3916
multi_check_push_ifconfig_ipv6_extra_route
bool multi_check_push_ifconfig_ipv6_extra_route(struct multi_instance *mi, struct in6_addr *dest)
Determines if the ifconfig_ipv6_local address falls into the range of the local IP addresses of the V...
Definition multi.c:4452
stale_route_check_trigger
static bool stale_route_check_trigger(struct multi_context *m)
Definition multi.c:3771
lookup_by_cid
struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid)
Definition multi.c:3984
management_kill_by_cid
static bool management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
Definition multi.c:3998
multi_init
static void multi_init(struct context *t)
Definition multi.c:269
generate_prefix
static void generate_prefix(struct multi_instance *mi)
Definition multi.c:456
multi_del_iroutes
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:485
multi_check_push_ifconfig_extra_route
bool multi_check_push_ifconfig_extra_route(struct multi_instance *mi, in_addr_t dest)
Determines if the ifconfig_push_local address falls into the range of the local IP addresses of the V...
Definition multi.c:4431
management_delete_event
static void management_delete_event(void *arg, event_t event)
Definition multi.c:3974
multi_client_setup_dco_initial
static bool multi_client_setup_dco_initial(struct multi_context *m, struct multi_instance *mi, struct gc_arena *gc)
Definition multi.c:2295
multi_uninit
static void multi_uninit(struct multi_context *m)
Definition multi.c:663
multi_instance_string
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition multi.c:426
multi_client_connect_late_setup
static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, const unsigned int option_types_found)
Definition multi.c:2341
compute_wakeup_sigma
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition multi.c:2952
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:83
multi_unicast
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition multi.c:2889
multi_close_instance
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition multi.c:566
management_client_pending_auth
static bool management_client_pending_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const char *extra, unsigned int timeout)
Definition multi.c:4015
multi_client_connect_handler
enum client_connect_return(* multi_client_connect_handler)(struct multi_context *m, struct multi_instance *mi, bool from_deferred, unsigned int *option_types_found)
Definition multi.c:2581
multi_push_restart_schedule_exit
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition multi.c:3831
multi_top_init
static void multi_top_init(struct context *top)
Definition multi.c:3811
multi_client_disconnect_script
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:535
ccs_gen_config_file
static bool ccs_gen_config_file(struct multi_instance *mi)
Create a temporary file for the config directives of the client connect script and puts it into the c...
Definition multi.c:2031
check_stale_routes
static void check_stale_routes(struct multi_context *m)
Definition multi.c:1384
management_client_auth
static bool management_client_auth(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition multi.c:4050
multi_bcast
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, uint16_t vid)
Definition multi.c:2906
multi_client_connect_compress_migrate
static enum client_connect_return multi_client_connect_compress_migrate(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Do the necessary modification for doing the compress migrate.
Definition multi.c:2499
management_callback_kill_by_addr
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const uint16_t port, const uint8_t proto)
Definition multi.c:3942
multi_reap_all
static void multi_reap_all(const struct multi_context *m)
Definition multi.c:185
multi_add_mbuf
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition multi.c:2870
multi_print_status
static void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition multi.c:812
route_quota_exceeded
void route_quota_exceeded(const struct multi_instance *mi)
Definition multi.c:3725
ungenerate_prefix
void ungenerate_prefix(struct multi_instance *mi)
Definition multi.c:473
multi_assign_peer_id
void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
Assigns a peer-id to a a client and adds the instance to the the instances array of the multi_context...
Definition multi.c:4137
multi_client_connect_call_plugin_v2
static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2147
multi_reap_new
static struct multi_reap * multi_reap_new(uint32_t buckets_per_pass)
Definition multi.c:191
multi_client_connect_source_ccd
static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Try to source a dynamic config file from the –client-config-dir directory.
Definition multi.c:2531
multi_client_connect_call_plugin_v1
static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:2057
multi_client_connect_post
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int *option_types_found)
Definition multi.c:1621
multi_delete_dup
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition multi.c:1344
multi_get_instance_by_virtual_addr
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition multi.c:1126
init_management_callback_multi
void init_management_callback_multi(struct multi_context *m)
Definition multi.c:4105
multi_unlearn_in6_addr
static void multi_unlearn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6)
Definition multi.c:4337
ccs_test_deferred_ret_file
static enum client_connect_return ccs_test_deferred_ret_file(struct multi_instance *mi)
Tests whether the deferred return value file exists and returns the contained return value.
Definition multi.c:1958
reap_buckets_per_pass
static uint32_t reap_buckets_per_pass(uint32_t n_buckets)
Definition multi.c:224
management_get_peer_info
static char * management_get_peer_info(void *arg, const unsigned long cid)
Definition multi.c:4087
multi_client_connect_script_deferred
static enum client_connect_return multi_client_connect_script_deferred(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
Definition multi.c:2196
multi_client_set_protocol_options
static bool multi_client_set_protocol_options(struct context *c)
Calculates the options that depend on the client capabilities based on local options and available pe...
Definition multi.c:1749
unlearn_ifconfig_ipv6
void unlearn_ifconfig_ipv6(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:4363
multi_client_connect_post_plugin
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int *option_types_found)
Definition multi.c:1647
multi_learn_in_addr_t
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition multi.c:1201
is_exit_restart
static bool is_exit_restart(int sig)
Definition multi.c:3825
ifconfig_push_constraint_satisfied
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition multi.c:1414
set_cc_config
static void set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
Definition multi.c:75
multi_process_drop_outgoing_tun
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition multi.c:3703
cid_compare_function
static bool cid_compare_function(const void *key1, const void *key2)
Definition multi.c:239
unlearn_ifconfig
void unlearn_ifconfig(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:4351
update_vhash
void update_vhash(struct multi_context *m, struct multi_instance *mi, const char *new_ip, const char *new_ipv6)
Update the vhash with new IP/IPv6 addresses in the multi_context when a push-update message containin...
Definition multi.c:4385
multi_client_connect_mda
enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, bool deferred, unsigned int *option_types_found)
Definition multi.c:1686
multi_client_generate_tls_keys
static bool multi_client_generate_tls_keys(struct context *c)
Generates the data channel keys.
Definition multi.c:2318
multi_learn_in6_addr
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition multi.c:1247
setenv_stats
static void setenv_stats(struct multi_context *m, struct context *c)
Definition multi.c:507
cid_hash_function
static uint32_t cid_hash_function(const void *key, uint32_t iv)
Definition multi.c:232
management_callback_status
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition multi.c:3894
ccs_delete_config_file
static void ccs_delete_config_file(struct multi_instance *mi)
Deletes the temporary file for the config directives of the client connect script and removes it into...
Definition multi.c:2008
ccs_delete_deferred_ret_file
static void ccs_delete_deferred_ret_file(struct multi_instance *mi)
Delete the temporary file for the return value of client connect It also removes it from client_conne...
Definition multi.c:1901
client_connect_handlers
static const multi_client_connect_handler client_connect_handlers[]
Definition multi.c:2585
multi_client_disconnect_setenv
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition multi.c:522
multi.h
Header file for server-mode related structures and functions.
client_connect_return
client_connect_return
Return values used by the client connect call-back functions.
Definition multi.h:226
CC_RET_DEFERRED
@ CC_RET_DEFERRED
Definition multi.h:229
CC_RET_FAILED
@ CC_RET_FAILED
Definition multi.h:227
CC_RET_SKIPPED
@ CC_RET_SKIPPED
Definition multi.h:230
CC_RET_SUCCEEDED
@ CC_RET_SUCCEEDED
Definition multi.h:228
multi_output_queue_ready
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition multi.h:392
MULTI_PREFIX_MAX_LENGTH
#define MULTI_PREFIX_MAX_LENGTH
Definition multi.h:44
MULTI_CHECK_SIG
#define MULTI_CHECK_SIG(m)
Definition multi.h:703
REAP_MIN
#define REAP_MIN
Definition multi.h:555
set_prefix
static void set_prefix(struct multi_instance *mi)
Definition multi.h:524
multi_route_del
static void multi_route_del(struct multi_route *route)
Definition multi.h:483
multi_reap_process
static void multi_reap_process(const struct multi_context *m)
Definition multi.h:569
route_quota_inc
static void route_quota_inc(struct multi_instance *mi)
Definition multi.h:436
multi_process_incoming_dco
void multi_process_incoming_dco(dco_context_t *dco)
Process an incoming DCO message (from kernel space).
MULTI_ROUTE_CACHE
#define MULTI_ROUTE_CACHE
Definition multi.h:241
clear_prefix
static void clear_prefix(void)
Definition multi.h:536
multi_route_defined
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition multi.h:492
REAP_DIVISOR
#define REAP_DIVISOR
Definition multi.h:554
MULTI_CACHE_ROUTE_TTL
#define MULTI_CACHE_ROUTE_TTL
Definition multi.h:562
MPP_CLOSE_ON_SIGNAL
#define MPP_CLOSE_ON_SIGNAL
Definition multi.h:275
REAP_MAX
#define REAP_MAX
Definition multi.h:556
multi_instance_dec_refcount
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition multi.h:473
multi_instance_inc_refcount
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition multi.h:467
multi_get_timeout_instance
static void multi_get_timeout_instance(struct multi_context *m, struct timeval *dest)
Definition multi.h:597
CLIENT_CONNECT_OPT_MASK
#define CLIENT_CONNECT_OPT_MASK
Definition multi.h:657
multi_set_pending
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition multi.h:706
MULTI_ROUTE_AGEABLE
#define MULTI_ROUTE_AGEABLE
Definition multi.h:242
MPP_RECORD_TOUCH
#define MPP_RECORD_TOUCH
Definition multi.h:276
MPP_PRE_SELECT
#define MPP_PRE_SELECT
Definition multi.h:274
multi_process_per_second_timers
static void multi_process_per_second_timers(struct multi_context *m)
Definition multi.h:578
route_quota_test
static bool route_quota_test(const struct multi_instance *mi)
Definition multi.h:449
multi_io_init
struct multi_io * multi_io_init(const int maxclients)
Definition multi_io.c:116
multi_io_process_io
void multi_io_process_io(struct multi_context *m)
Definition multi_io.c:418
multi_io_free
void multi_io_free(struct multi_io *multi_io)
Definition multi_io.c:155
multi_io_wait
int multi_io_wait(struct multi_context *m)
Definition multi_io.c:166
multi_io_action
void multi_io_action(struct multi_context *m, struct multi_instance *mi, int action, bool poll)
Definition multi_io.c:543
TA_TIMEOUT
#define TA_TIMEOUT
Definition multi_io.h:45
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_OPTERR
#define M_OPTERR
Definition error.h:101
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:251
M_USAGE
#define M_USAGE
Definition error.h:107
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
is_cas_pending
static bool is_cas_pending(enum multi_status cas)
Definition openvpn.h:209
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:550
CM_TOP
#define CM_TOP
Definition openvpn.h:480
title_string
const char title_string[]
Definition options.c:72
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9278
MODE_SERVER
#define MODE_SERVER
Definition options.h:263
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:986
options_string_import
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:590
options_server_import
void options_server_import(struct options *o, const char *filename, msglvl_t msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:580
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:735
time_string
const char * time_string(time_t t, tv_usec_t usec, bool show_usec, struct gc_arena *gc)
Definition otime.c:104
frequency_limit_init
struct frequency_limit * frequency_limit_init(int max, int per)
Definition otime.c:137
now
time_t now
Definition otime.c:33
frequency_limit_free
void frequency_limit_free(struct frequency_limit *f)
Definition otime.c:152
openvpn_gettimeofday
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition otime.h:71
tv_add
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition otime.h:140
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:23
OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
@ OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT
Definition ovpn_dco_linux.h:25
OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
@ OVPN_DEL_PEER_REASON_TRANSPORT_ERROR
Definition ovpn_dco_linux.h:24
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition ovpn_dco_linux.h:22
OVPN_CMD_FLOAT_PEER
@ OVPN_CMD_FLOAT_PEER
Definition ovpn_dco_win.h:167
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_win.h:166
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
Definition ovpn_dco_win.h:165
platform_test_file
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition platform.c:655
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition platform.c:540
platform_gen_path
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition platform.c:591
platform_unlink
bool platform_unlink(const char *filename)
Definition platform.c:487
plugin_return_free
void plugin_return_free(struct plugin_return *pr)
Definition plugin.c:986
plugin_return_get_column
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition plugin.c:972
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_return_init
static void plugin_return_init(struct plugin_return *pr)
Definition plugin.h:163
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
plugin_return_defined
static bool plugin_return_defined(const struct plugin_return *pr)
Definition plugin.h:157
ifconfig_pool_acquire
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition pool.c:297
ifconfig_pool_release
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition pool.c:349
ifconfig_pool_write
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition pool.c:712
ifconfig_pool_write_trigger
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition pool.c:573
ifconfig_pool_free
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition pool.c:281
ifconfig_pool_read
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition pool.c:586
ifconfig_pool_init
struct ifconfig_pool * ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition pool.c:140
pool_type
pool_type
Definition pool.h:35
IFCONFIG_POOL_30NET
@ IFCONFIG_POOL_30NET
Definition pool.h:36
IFCONFIG_POOL_INDIV
@ IFCONFIG_POOL_INDIV
Definition pool.h:37
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:34
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
process_incoming_push_request
int process_incoming_push_request(struct context *c)
Definition push.c:986
push_option
void push_option(struct options *o, const char *opt, msglvl_t msglevel)
Definition push.c:896
send_restart
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:494
send_auth_pending_messages
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:438
remove_iroutes_from_push_route_list
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1148
management_callback_send_push_update_by_cid
bool management_callback_send_push_update_by_cid(void *arg, unsigned long cid, const char *options)
Definition push_util.c:371
management_callback_send_push_update_broadcast
bool management_callback_send_push_update_broadcast(void *arg, const char *options)
Definition push_util.c:363
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition reflect_filter.c:103
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition reflect_filter.c:87
reflect_filter.h
ipv6_net_contains_host
bool ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
check whether an IPv6 host address is covered by a given network/bits
Definition route.c:718
run_command.h
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition run_command.h:89
schedule_remove_entry
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition schedule.c:421
schedule_init
struct schedule * schedule_init(void)
Definition schedule.c:406
schedule_free
void schedule_free(struct schedule *s)
Definition schedule.c:415
schedule_add_entry
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Add a struct schedule_entry to the scheduler btree or update an existing entry with a new wakeup time...
Definition schedule.h:106
signal_reset
int signal_reset(struct signal_info *si, int signum)
Clear the signal if its current value equals signum.
Definition sig.c:262
remap_signal
void remap_signal(struct context *c)
Definition sig.c:588
throw_signal
void throw_signal(const int signum)
Throw a hard signal.
Definition sig.c:175
print_signal
void print_signal(const struct signal_info *si, const char *title, msglvl_t msglevel)
Definition sig.c:290
register_signal
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
IS_SIG
#define IS_SIG(c)
Definition sig.h:47
setenv_trusted
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition socket.c:1848
setenv_in_addr_t
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition socket_util.c:316
setenv_in6_addr
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition socket_util.c:330
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IA_EMPTY_IF_UNDEF
#define IA_EMPTY_IF_UNDEF
Definition socket_util.h:89
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
SA_SET_IF_NONZERO
#define SA_SET_IF_NONZERO
Definition socket_util.h:100
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4081
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1767
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1639
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:593
CAS_PENDING_DEFERRED
@ CAS_PENDING_DEFERRED
Waiting on an async option import handler.
Definition ssl_common.h:583
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:581
CAS_PENDING_DEFERRED_PARTIAL
@ CAS_PENDING_DEFERRED_PARTIAL
at least handler succeeded but another is still pending
Definition ssl_common.h:584
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:582
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:580
CAS_FAILED
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:585
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:755
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:425
ncp_get_best_cipher
char * ncp_get_best_cipher(const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition ssl_ncp.c:246
tls_peer_ncp_list
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition ssl_ncp.c:225
ncp_expanded_ciphers
const char * ncp_expanded_ciphers(struct options *o, struct gc_arena *gc)
returns the o->ncp_ciphers in brackets, e.g.
Definition ssl_ncp.c:619
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
extract_iv_proto
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:60
ssl_util.h
SSL utility functions.
ssl_verify_username_length
bool ssl_verify_username_length(struct tls_session *session, const char *username)
Checks if the username length is valid to use.
Definition ssl_verify.c:1570
tls_authenticate_key
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
Definition ssl_verify.c:1236
cert_hash_compare
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition ssl_verify.c:229
tls_lock_cert_hash_set
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition ssl_verify.c:286
tls_lock_common_name
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition ssl_verify.c:132
tls_username
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition ssl_verify.c:172
set_common_name
void set_common_name(struct tls_session *session, const char *common_name)
Sets the common name field for the given tunnel.
Definition ssl_verify.c:85
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
tls_common_name
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition ssl_verify.c:107
ssl_verify.h
Control Channel Verification Module.
status_trigger
bool status_trigger(struct status_output *so)
Definition status.c:123
status_printf
void status_printf(struct status_output *so, const char *format,...)
Definition status.c:212
status_open
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition status.c:59
status_flush
void status_flush(struct status_output *so)
Definition status.c:147
status_reset
void status_reset(struct status_output *so)
Definition status.c:138
status_close
bool status_close(struct status_output *so)
Definition status.c:178
argv
Definition argv.h:35
auth_deferred_status::auth_control_file
char * auth_control_file
Definition ssl_common.h:166
buffer_entry
Definition buffer.h:1143
buffer_entry::next
struct buffer_entry * next
Definition buffer.h:1145
buffer_entry::buf
struct buffer buf
Definition buffer.h:1144
buffer_list
Definition buffer.h:1149
buffer_list::head
struct buffer_entry * head
Definition buffer.h:1150
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
client_connect_defer_state
Detached client connection state.
Definition multi.h:71
client_connect_defer_state::cur_handler_index
int cur_handler_index
Definition multi.h:73
client_connect_defer_state::config_file
char * config_file
The temporary file name that contains the config directives returned by the client-connect script.
Definition multi.h:88
client_connect_defer_state::option_types_found
unsigned int option_types_found
Definition multi.h:76
client_connect_defer_state::deferred_ret_file
char * deferred_ret_file
The temporary file name that contains the return status of the client-connect script if it exits with...
Definition multi.h:82
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:150
connection_entry::fragment
int fragment
Definition options.h:141
context_1::ifconfig_pool_persist
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition openvpn.h:197
context_1::status_output
struct status_output * status_output
Definition openvpn.h:185
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::push_request_received
bool push_request_received
Definition openvpn.h:424
context_2::link_read_bytes
counter_type link_read_bytes
Definition openvpn.h:266
context_2::link_write_bytes
counter_type link_write_bytes
Definition openvpn.h:269
context_2::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition openvpn.h:431
context_2::fragment
struct fragment_master * fragment
Definition openvpn.h:252
context_2::push_ifconfig_defined
bool push_ifconfig_defined
Definition openvpn.h:425
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition openvpn.h:267
context_2::mda_context
struct man_def_auth_context mda_context
Definition openvpn.h:450
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition openvpn.h:270
context_2::es
struct env_set * es
Definition openvpn.h:420
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context_2::frame
struct frame frame
Definition openvpn.h:248
context_2::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:434
context_2::from
struct link_socket_actual from
Definition openvpn.h:245
context_2::frame_fragment
struct frame frame_fragment
Definition openvpn.h:253
context_2::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition openvpn.h:433
context_2::to_link
struct buffer to_link
Definition openvpn.h:377
context_2::to_tun
struct buffer to_tun
Definition openvpn.h:376
context_2::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:432
context_2::link_sockets
struct link_socket ** link_sockets
Definition openvpn.h:237
context_2::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:429
context_2::link_socket_infos
struct link_socket_info ** link_socket_infos
Definition openvpn.h:238
context_2::to_link_addr
struct link_socket_actual * to_link_addr
Definition openvpn.h:244
context_2::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:428
context_2::buf
struct buffer buf
Definition openvpn.h:375
context_2::timeval
struct timeval timeval
Time to next event of timers and similar.
Definition openvpn.h:396
context_2::event_set
struct event_set * event_set
Definition openvpn.h:230
context_2::buffers
struct context_buffers * buffers
Definition openvpn.h:367
context_2::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition openvpn.h:427
context
Contains all state information for one tunnel.
Definition openvpn.h:471
context::mode
int mode
Role of this context within the OpenVPN process.
Definition openvpn.h:484
context::multi
struct multi_context * multi
Pointer to the main P2MP context.
Definition openvpn.h:489
context::sig
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:500
context::plugins
struct plugin_list * plugins
List of plug-ins.
Definition openvpn.h:502
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
context::es
struct env_set * es
Set of environment variables.
Definition openvpn.h:496
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:472
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
deferred_signal_schedule_entry::signal_received
int signal_received
Definition multi.h:62
deferred_signal_schedule_entry::wakeup
struct timeval wakeup
Definition multi.h:63
env_set
Definition env_set.h:43
event_arg::mi
struct multi_instance * mi
Definition event.h:144
event_arg::u
union event_arg::@1 u
event_arg::type
event_arg_t type
Definition event.h:141
fragment_master::outgoing
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition fragment.h:172
frame
Packet geometry parameters.
Definition mtu.h:108
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:113
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:119
frame::buf
struct frame::@8 buf
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash_bucket
Definition list.h:48
hash_element
Definition list.h:40
hash_element::value
void * value
Definition list.h:41
hash_element::key
const void * key
Definition list.h:42
hash_iterator
Definition list.h:79
hash
Definition list.h:53
iroute_ipv6
Definition route.h:268
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:271
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:270
iroute_ipv6::network
struct in6_addr network
Definition route.h:269
iroute::network
in_addr_t network
Definition route.h:262
iroute::netbits
int netbits
Definition route.h:263
iroute::next
struct iroute * next
Definition route.h:264
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
key_ctx_bi::initialized
bool initialized
Definition crypto.h:285
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:263
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:269
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:259
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
link_socket_actual::dest
struct openvpn_sockaddr dest
Definition socket_util.h:53
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_info
Definition socket.h:86
link_socket_info::af
sa_family_t af
Definition socket.h:93
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
link_socket_info::proto
uint8_t proto
Definition socket.h:92
link_socket
Definition socket.h:166
link_socket::info
struct link_socket_info info
Definition socket.h:167
man_def_auth_context::cid
unsigned long cid
Definition manage.h:64
management_callback
Definition manage.h:172
management_callback::get_peer_info
char *(* get_peer_info)(void *arg, const unsigned long cid)
Definition manage.h:191
management_callback::client_auth
bool(* client_auth)(void *arg, const unsigned long cid, const unsigned int mda_key_id, const bool auth, const char *reason, const char *client_reason, struct buffer_list *cc_config)
Definition manage.h:186
management_callback::kill_by_addr
int(* kill_by_addr)(void *arg, const in_addr_t addr, const uint16_t port, const uint8_t proto)
Definition manage.h:181
management_callback::delete_event
void(* delete_event)(void *arg, event_t event)
Definition manage.h:182
management_callback::arg
void * arg
Definition manage.h:173
management_callback::push_update_broadcast
bool(* push_update_broadcast)(void *arg, const char *options)
Definition manage.h:199
management_callback::push_update_by_cid
bool(* push_update_by_cid)(void *arg, unsigned long cid, const char *options)
Definition manage.h:200
management_callback::client_pending_auth
bool(* client_pending_auth)(void *arg, const unsigned long cid, const unsigned int kid, const char *extra, unsigned int timeout)
Definition manage.h:189
management_callback::n_clients
int(* n_clients)(void *arg)
Definition manage.h:183
management_callback::status
void(* status)(void *arg, const int version, struct status_output *so)
Definition manage.h:178
management_callback::show_net
void(* show_net)(void *arg, const msglvl_t msglevel)
Definition manage.h:179
management_callback::flags
unsigned int flags
Definition manage.h:176
management_callback::kill_by_cn
int(* kill_by_cn)(void *arg, const char *common_name)
Definition manage.h:180
management_callback::kill_by_cid
bool(* kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg)
Definition manage.h:185
mbuf_buffer
Definition mbuf.h:43
mbuf_buffer::flags
unsigned int flags
Definition mbuf.h:48
mbuf_buffer::buf
struct buffer buf
Definition mbuf.h:44
mbuf_item
Definition mbuf.h:52
mbuf_item::buffer
struct mbuf_buffer * buffer
Definition mbuf.h:53
mbuf_item::instance
struct multi_instance * instance
Definition mbuf.h:54
mbuf_set
Definition mbuf.h:58
mroute_addr
Definition mroute.h:82
mroute_addr::vid
uint16_t vid
Definition mroute.h:94
mroute_addr::v6
struct mroute_addr::@2::@6 v6
mroute_addr::addr
uint8_t addr[OPENVPN_ETH_ALEN]
Definition mroute.h:93
mroute_addr::v4
struct mroute_addr::@2::@5 v4
mroute_addr::proto
uint8_t proto
Definition mroute.h:84
mroute_addr::type
uint8_t type
Definition mroute.h:85
mroute_addr::port
in_port_t port
Definition mroute.h:99
mroute_addr::len
uint8_t len
Definition mroute.h:83
mroute_addr::netbits
uint8_t netbits
Definition mroute.h:86
mroute_helper
Definition mroute.h:132
mroute_helper::cache_generation
unsigned int cache_generation
Definition mroute.h:133
multi_context
Main OpenVPN server state structure.
Definition multi.h:163
multi_context::n_clients
int n_clients
Definition multi.h:189
multi_context::local
struct mroute_addr local
Definition multi.h:184
multi_context::schedule
struct schedule * schedule
Definition multi.h:174
multi_context::mbuf
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition multi.h:175
multi_context::initial_rate_limiter
struct initial_packet_rate_limit * initial_rate_limiter
Definition multi.h:181
multi_context::deferred_shutdown_signal
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition multi.h:219
multi_context::max_clients
int max_clients
Definition multi.h:186
multi_context::reaper
struct multi_reap * reaper
Definition multi.h:183
multi_context::multi_io
struct multi_io * multi_io
I/O state and events tracker.
Definition multi.h:178
multi_context::hash
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition multi.h:167
multi_context::cid_hash
struct hash * cid_hash
Definition multi.h:192
multi_context::cid_counter
unsigned long cid_counter
Definition multi.h:193
multi_context::stale_routes_check_et
struct event_timeout stale_routes_check_et
Definition multi.h:212
multi_context::tcp_queue_limit
int tcp_queue_limit
Definition multi.h:187
multi_context::ifconfig_pool
struct ifconfig_pool * ifconfig_pool
Definition multi.h:179
multi_context::new_connection_limiter
struct frequency_limit * new_connection_limiter
Definition multi.h:180
multi_context::top
struct context top
Storage structure for process-wide configuration.
Definition multi.h:202
multi_context::status_file_version
int status_file_version
Definition multi.h:188
multi_context::pending
struct multi_instance * pending
Definition multi.h:196
multi_context::vhash
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition multi.h:169
multi_context::iter
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition multi.h:171
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:164
multi_context::mpp_touched
struct multi_instance ** mpp_touched
Definition multi.h:198
multi_context::enable_c2c
bool enable_c2c
Definition multi.h:185
multi_context::earliest_wakeup
struct multi_instance * earliest_wakeup
Definition multi.h:197
multi_context::route_helper
struct mroute_helper * route_helper
Definition multi.h:182
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:102
multi_instance::cc_config
struct buffer_list * cc_config
Definition multi.h:138
multi_instance::client_connect_defer_state
struct client_connect_defer_state client_connect_defer_state
Definition multi.h:145
multi_instance::did_cid_hash
bool did_cid_hash
Definition multi.h:137
multi_instance::created
time_t created
Time at which a VPN tunnel instance was created.
Definition multi.h:116
multi_instance::reporting_addr
in_addr_t reporting_addr
Definition multi.h:131
multi_instance::msg_prefix
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition multi.h:124
multi_instance::real
struct mroute_addr real
External network address of the remote peer.
Definition multi.h:121
multi_instance::did_iroutes
bool did_iroutes
Definition multi.h:140
multi_instance::vaddr_handle
ifconfig_pool_handle vaddr_handle
Definition multi.h:123
multi_instance::did_real_hash
bool did_real_hash
Definition multi.h:134
multi_instance::gc
struct gc_arena gc
Definition multi.h:112
multi_instance::reporting_addr_ipv6
struct in6_addr reporting_addr_ipv6
Definition multi.h:132
multi_instance::wakeup
struct timeval wakeup
Definition multi.h:120
multi_instance::halt
bool halt
Definition multi.h:113
multi_instance::ev_arg
struct event_arg ev_arg
this struct will store a pointer to either mi or link_socket, depending on the event type,...
Definition multi.h:107
multi_instance::did_iter
bool did_iter
Definition multi.h:135
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:143
multi_instance::n_clients_delta
int n_clients_delta
Definition multi.h:141
multi_reap
Definition multi.h:52
multi_reap::last_call
time_t last_call
Definition multi.h:55
multi_reap::buckets_per_pass
uint32_t buckets_per_pass
Definition multi.h:54
multi_reap::bucket_base
uint32_t bucket_base
Definition multi.h:53
multi_route
Definition multi.h:237
multi_route::addr
struct mroute_addr addr
Definition multi.h:238
multi_route::last_reference
time_t last_reference
Definition multi.h:246
multi_route::cache_generation
unsigned int cache_generation
Definition multi.h:245
multi_route::flags
unsigned int flags
Definition multi.h:243
multi_route::instance
struct multi_instance * instance
Definition multi.h:239
openvpn_sockaddr
Definition socket_util.h:38
openvpn_sockaddr::addr
union openvpn_sockaddr::@27 addr
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition socket_util.h:43
options::comp
struct compress_options comp
Definition options.h:408
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:521
options::max_routes_per_client
int max_routes_per_client
Definition options.h:534
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:576
options::status_file_version
int status_file_version
Definition options.h:405
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:516
options::tmp_dir
const char * tmp_dir
Definition options.h:464
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:717
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:536
options::duplicate_cn
bool duplicate_cn
Definition options.h:525
options::real_hash_size
uint32_t real_hash_size
Definition options.h:497
options::use_peer_id
bool use_peer_id
Definition options.h:697
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:489
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:327
options::cf_max
int cf_max
Definition options.h:527
options::dev_type
const char * dev_type
Definition options.h:321
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:511
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:486
options::vlan_tagging
bool vlan_tagging
Definition options.h:706
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:488
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:493
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:500
options::n_bcast_buf
int n_bcast_buf
Definition options.h:507
options::ifconfig_local
const char * ifconfig_local
Definition options.h:325
options::ce
struct connection_entry ce
Definition options.h:292
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:510
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:514
options::topology
int topology
Definition options.h:324
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:577
options::virtual_hash_size
uint32_t virtual_hash_size
Definition options.h:498
options::learn_address_script
const char * learn_address_script
Definition options.h:501
options::ciphername
const char * ciphername
Definition options.h:572
options::cf_initial_max
int cf_initial_max
Definition options.h:530
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:535
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:708
options::mode
int mode
Definition options.h:264
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:495
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:517
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:573
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:512
options::gc
struct gc_arena gc
Definition options.h:256
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:515
options::cf_initial_per
int cf_initial_per
Definition options.h:531
options::force_key_material_export
bool force_key_material_export
Definition options.h:704
options::iroutes
struct iroute * iroutes
Definition options.h:509
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:522
options::client_connect_script
const char * client_connect_script
Definition options.h:499
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:519
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:508
options::override_username
const char * override_username
Definition options.h:506
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:520
options::max_clients
int max_clients
Definition options.h:533
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:326
options::enable_c2c
bool enable_c2c
Definition options.h:524
options::cf_per
int cf_per
Definition options.h:528
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:487
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:513
options::dev
const char * dev
Definition options.h:320
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:494
options::client_config_dir
const char * client_config_dir
Definition options.h:503
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:328
plugin_list
Definition plugin.h:97
plugin_return
Definition plugin.h:104
plugin_return::n
int n
Definition plugin.h:105
plugin_return::list
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition plugin.h:106
rw_handle
Definition win32.h:80
schedule_entry
Definition schedule.h:44
signal_info::signal_text
const char * signal_text
Definition sig.h:44
signal_info::signal_received
volatile int signal_received
Definition sig.h:42
status_output
Definition status.h:49
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:611
tls_multi::auth_token_initial
char * auth_token_initial
The first auth-token we sent to a client.
Definition ssl_common.h:683
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:703
tls_multi::dco
dco_context_t * dco
Definition ssl_common.h:725
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:672
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:702
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:649
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:632
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:711
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:655
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:644
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:699
tls_multi::use_peer_id
bool use_peer_id
Definition ssl_common.h:700
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:653
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:723
tls_options::data_epoch_supported
bool data_epoch_supported
whether our underlying data channel supports new data channel features (epoch keys with AEAD tag at t...
Definition ssl_common.h:380
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:489
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:524
tls_session::opt
struct tls_options * opt
Definition ssl_common.h:491
tuntap::local
in_addr_t local
Definition tun.h:208
tuntap::local_ipv6
struct in6_addr local_ipv6
Definition tun.h:211
tuntap::dco
dco_context_t dco
Definition tun.h:247
tuntap::remote_netmask
in_addr_t remote_netmask
Definition tun.h:209
user_pass
Definition misc.h:52
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
SIGHUP
#define SIGHUP
Definition syshead.h:55
SIGINT
#define SIGINT
Definition syshead.h:56
SIGTERM
#define SIGTERM
Definition syshead.h:59
SIGUSR1
#define SIGUSR1
Definition syshead.h:57
in_addr_t
uint32_t in_addr_t
Definition syshead.h:52
SIGUSR2
#define SIGUSR2
Definition syshead.h:58
es
struct env_set * es
Definition test_pkcs11.c:138
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:131
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:521
TUNNEL_TOPOLOGY
#define TUNNEL_TOPOLOGY(tt)
Definition tun.h:185
TUNNEL_TYPE
#define TUNNEL_TYPE(tt)
Definition tun.h:182
vlan_decapsulate
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition vlan.c:81
vlan_is_tagged
bool vlan_is_tagged(const struct buffer *buf)
Definition vlan.c:261
Generated by doxygen 1.9.8