OpenVPN
push.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include "push.h"
30#include "options.h"
31#include "crypto.h"
32#include "ssl.h"
33#include "ssl_verify.h"
34#include "ssl_ncp.h"
35#include "manage.h"
36
37#include "memdbg.h"
38#include "ssl_util.h"
39#include "options_util.h"
40
41/*
42 * Auth username/password
43 *
44 * Client received an authentication failed message from server.
45 * Runs on client.
46 */
47void
48receive_auth_failed(struct context *c, const struct buffer *buffer)
49{
50 msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
51 c->options.no_advance = true;
52
53 if (!c->options.pull)
54 {
55 return;
56 }
57
58 struct buffer buf = *buffer;
59
60 /* If the AUTH_FAIL message ends with a , it is an extended message that
61 * contains further flags */
62 bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,");
63
64 const char *reason = NULL;
65 if (authfail_extended && BLEN(&buf))
66 {
67 reason = BSTR(&buf);
68 }
69
71 {
72 parse_auth_failed_temp(&c->options, reason + strlen("TEMP"));
73 register_signal(c->sig, SIGUSR1, "auth-temp-failure (server temporary reject)");
74 }
75
76 /* Before checking how to react on AUTH_FAILED, first check if the
77 * failed auth might be the result of an expired auth-token.
78 * Note that a server restart will trigger a generic AUTH_FAILED
79 * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
80 * identical for this scenario */
81 else if (ssl_clean_auth_token())
82 {
83 /* SOFT-SIGUSR1 -- Auth failure error */
84 register_signal(c->sig, SIGUSR1, "auth-failure (auth-token)");
85 c->options.no_advance = true;
86 }
87 else
88 {
89 switch (auth_retry_get())
90 {
91 case AR_NONE:
92 /* SOFT-SIGTERM -- Auth failure error */
93 register_signal(c->sig, SIGTERM, "auth-failure");
94 break;
95
96 case AR_INTERACT:
97 ssl_purge_auth(false);
98 /* Intentional [[fallthrough]]; */
99
100 case AR_NOINTERACT:
101 /* SOFT-SIGTUSR1 -- Auth failure error */
102 register_signal(c->sig, SIGUSR1, "auth-failure");
103 break;
104
105 default:
106 ASSERT(0);
107 }
108 }
109#ifdef ENABLE_MANAGEMENT
110 if (management)
111 {
113 }
114 /*
115 * Save the dynamic-challenge text even when management is defined
116 */
117 if (authfail_extended && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
118 {
120 }
121#endif /* ifdef ENABLE_MANAGEMENT */
122}
123
124/*
125 * Act on received restart message from server
126 */
127void
128server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart,
129 const int adv)
130{
131 if (c->options.pull)
132 {
133 struct buffer buf = *buffer;
134 const char *m = "";
135 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
136 {
137 m = BSTR(&buf);
138 }
139
140 /* preserve cached passwords? */
141 /* advance to next server? */
142 {
143 bool purge = true;
144
145 if (m[0] == '[')
146 {
147 int i;
148 for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
149 {
150 if (m[i] == 'P')
151 {
152 purge = false;
153 }
154 else if (m[i] == 'N')
155 {
156 /* next server? */
157 c->options.no_advance = false;
158 }
159 }
160 }
161 if (purge)
162 {
163 ssl_purge_auth(true);
164 }
165 }
166
167 if (restart)
168 {
169 msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
170 /* SOFT-SIGUSR1 -- server-pushed connection reset */
171 register_signal(c->sig, SIGUSR1, "server-pushed-connection-reset");
172 }
173 else
174 {
175 msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
176 /* SOFT-SIGTERM -- server-pushed halt */
177 register_signal(c->sig, SIGTERM, "server-pushed-halt");
178 }
179#ifdef ENABLE_MANAGEMENT
180 if (management)
181 {
182 management_notify(management, "info", c->sig->signal_text, m);
183 }
184#endif
185 }
186}
187
188void
190{
191 dmsg(D_STREAM_ERRORS, "CC-EEN exit message received by peer");
192 /* With control channel exit notification, we want to give the session
193 * enough time to handle retransmits and acknowledgment, so that eventual
194 * retries from the client to resend the exit or ACKs will not trigger
195 * a new session (we already forgot the session but the packet's HMAC
196 * is still valid). This could happen for the entire period that the
197 * HMAC timeslot is still valid, but waiting five seconds here does not
198 * hurt much, takes care of the retransmits, and is easier code-wise.
199 *
200 * This does not affect OCC exit since the HMAC session code will
201 * ignore DATA packets
202 * */
203 if (c->options.mode == MODE_SERVER)
204 {
205 if (!schedule_exit(c))
206 {
207 /* Return early when we don't need to notify management */
208 return;
209 }
210 }
211 else
212 {
213 register_signal(c->sig, SIGUSR1, "remote-exit");
214 }
215#ifdef ENABLE_MANAGEMENT
216 if (management)
217 {
218 management_notify(management, "info", "remote-exit", "EXIT");
219 }
220#endif
221}
222
223
224void
225server_pushed_info(const struct buffer *buffer, const int adv)
226{
227 const char *m = "";
228 struct buffer buf = *buffer;
229
230 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
231 {
232 m = BSTR(&buf);
233 }
234
235#ifdef ENABLE_MANAGEMENT
236 struct gc_arena gc;
237 if (management)
238 {
239 gc = gc_new();
240
241 /*
242 * We use >INFOMSG here instead of plain >INFO since INFO is used to
243 * for management greeting and we don't want to confuse the client
244 */
245 struct buffer out = alloc_buf_gc(256, &gc);
246 if (buf_printf(&out, ">%s:%s", "INFOMSG", m))
247 {
249 }
250 else
251 {
253 "WARNING: Received INFO command is too long, won't notify management client.");
254 }
255
256 gc_free(&gc);
257 }
258#endif
259 msg(D_PUSH, "Info command was pushed by server ('%s')", m);
260}
261
262void
264{
265 struct buffer buf = *buffer;
266 const char *m = "";
267
268 if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
269 {
270 m = BSTR(&buf);
271 }
272#ifdef ENABLE_MANAGEMENT
274 struct man_def_auth_context *mda = session->opt->mda_context;
275 struct env_set *es = session->opt->es;
276 unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
277
278 management_notify_client_cr_response(mda_key_id, mda, es, m);
279#endif
280#if ENABLE_PLUGIN
282#endif
284 msg(D_PUSH, "CR response was sent by client ('%s')", m);
285}
286
294static void
295parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
296{
297 struct buffer buf = *buffer;
298
299 /* does the buffer start with "AUTH_PENDING," ? */
300 if (!buf_advance(&buf, strlen("AUTH_PENDING")) || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
301 {
302#ifdef ENABLE_MANAGEMENT
303 if (management)
304 {
306 NULL);
307 }
308#endif
309
310 return;
311 }
312
313 /* parse the keywords in the same way that push options are parsed */
315
316#ifdef ENABLE_MANAGEMENT
317 /* Need to do the management notification with the keywords before
318 * buf_parse is called, as it will insert \0 bytes into the buffer */
319 if (management)
320 {
322 NULL);
323 }
324#endif
325
326 while (buf_parse(&buf, ',', line, sizeof(line)))
327 {
328 if (sscanf(line, "timeout %u", server_timeout) != 1)
329 {
330 msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
331 }
332 }
333}
334
335void
337{
338 if (!c->options.pull)
339 {
340 return;
341 }
342
343 /* Cap the increase at the maximum time we are willing stay in the
344 * pending authentication state */
345 unsigned int max_timeout =
346 max_uint(c->options.renegotiate_seconds / 2, c->options.handshake_window);
347
348 /* try to parse parameter keywords, default to hand-winow timeout if the
349 * server does not supply a timeout */
350 unsigned int server_timeout = c->options.handshake_window;
352
353 msg(D_PUSH,
354 "AUTH_PENDING received, extending handshake timeout from %us "
355 "to %us",
356 c->options.handshake_window, min_uint(max_timeout, server_timeout));
357
358 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
359 c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
360}
361
376static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel,
377 const char *fmt, ...)
378#ifdef __GNUC__
379#if __USE_MINGW_ANSI_STDIO
380 __attribute__((format(gnu_printf, 4, 5)))
381#else
382 __attribute__((format(__printf__, 4, 5)))
383#endif
384#endif
385 ;
386
387/*
388 * Send auth failed message from server to client.
389 *
390 * Does nothing if an exit is already scheduled
391 */
392void
393send_auth_failed(struct context *c, const char *client_reason)
394{
395 if (!schedule_exit(c))
396 {
397 msg(D_TLS_DEBUG, "exit already scheduled for context");
398 return;
399 }
400
401 struct gc_arena gc = gc_new();
402 static const char auth_failed[] = "AUTH_FAILED";
403 size_t len;
404
405 len = (client_reason ? strlen(client_reason) + 1 : 0) + sizeof(auth_failed);
406 if (len > PUSH_BUNDLE_SIZE)
407 {
408 len = PUSH_BUNDLE_SIZE;
409 }
410
411 {
412 struct buffer buf = alloc_buf_gc(len, &gc);
413 buf_printf(&buf, auth_failed);
414 if (client_reason)
415 {
416 buf_printf(&buf, ",%s", client_reason);
417 }
418
419 /* We kill the whole session, send the AUTH_FAILED to any TLS session
420 * that might be active */
421 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL], BSTR(&buf),
422 D_PUSH);
423 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE], BSTR(&buf),
424 D_PUSH);
425
427 }
428
429 gc_free(&gc);
430}
431
432
433bool
435 const char *extra, unsigned int timeout)
436{
437 struct key_state *ks = &session->key[KS_PRIMARY];
438
439 static const char info_pre[] = "INFO_PRE,";
440
441 const char *const peer_info = tls_multi->peer_info;
442 unsigned int proto = extract_iv_proto(peer_info);
443
444
445 /* Calculate the maximum timeout and subtract the time we already waited */
446 unsigned int max_timeout =
448 max_timeout = max_timeout - (now - ks->initial);
449 timeout = min_uint(max_timeout, timeout);
450
451 struct gc_arena gc = gc_new();
452 if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
453 {
455 }
456 else
457 {
458 static const char auth_pre[] = "AUTH_PENDING,timeout ";
459 /* Assume a worst case of 8 byte uint64 in decimal which */
460 /* needs 20 bytes */
461 size_t len = 20 + 1 + sizeof(auth_pre);
462 struct buffer buf = alloc_buf_gc(len, &gc);
463 buf_printf(&buf, auth_pre);
464 buf_printf(&buf, "%u", timeout);
466 }
467
468 size_t len = strlen(extra) + 1 + sizeof(info_pre);
469 if (len > PUSH_BUNDLE_SIZE)
470 {
471 gc_free(&gc);
472 return false;
473 }
474
475 struct buffer buf = alloc_buf_gc(len, &gc);
476 buf_printf(&buf, info_pre);
477 buf_printf(&buf, "%s", extra);
479
480 ks->auth_deferred_expire = now + timeout;
481
482 gc_free(&gc);
483 return true;
484}
485
486/*
487 * Send restart message from server to client.
488 */
489void
490send_restart(struct context *c, const char *kill_msg)
491{
494}
495
496/*
497 * Push/Pull
498 */
499
500void
502{
503 struct gc_arena gc = gc_new();
504 unsigned int option_types_found = 0;
505
506 msg(D_PUSH, "PUSH: Received control message: '%s'",
508
510 &option_types_found);
511
512 if (status == PUSH_MSG_ERROR)
513 {
514 msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s",
516 }
519 {
520 c->options.push_option_types_found |= option_types_found;
521
522 /* delay bringing tun/tap up until --push parms received from remote */
524 {
526 {
527 goto error;
528 }
529 if (status == PUSH_MSG_REPLY)
530 {
531 if (!do_up(c, true, c->options.push_option_types_found))
532 {
533 msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
534 goto error;
535 }
536 }
537 else
538 {
539 if (!option_types_found)
540 {
541 msg(M_WARN, "No updatable options found in incoming PUSH_UPDATE message");
542 }
543 else if (!do_update(c, option_types_found))
544 {
545 msg(D_PUSH_ERRORS, "Failed to update options");
546 goto error;
547 }
548 }
549 }
552 }
553
554 goto cleanup;
555
556error:
557 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
558cleanup:
559 gc_free(&gc);
560}
561
562bool
564{
565 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
566
567 /* We timeout here under two conditions:
568 * a) we reached the hard limit of push_request_timeout
569 * b) we have not seen anything from the server in hand_window time
570 *
571 * for non auth-pending scenario, push_request_timeout is the same as
572 * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
573 * the server by a P_ACK_V1 packet that reset the keepalive timer
574 */
575
578 {
579 return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
580 }
581 else
582 {
583 msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
584 (int)(now - ks->established));
585 /* SOFT-SIGUSR1 -- server-pushed connection reset */
586 register_signal(c->sig, SIGUSR1, "no-push-reply");
587 return false;
588 }
589}
590
597void
599 struct push_list *push_list)
600{
601 /*
602 * If server uses --auth-gen-token and we have an auth token
603 * to send to the client
604 */
606 {
608
609 char *base64user = NULL;
611 (int)strlen(tls_multi->locked_username), &base64user);
612 if (ret < USER_PASS_LEN && ret > 0)
613 {
614 push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s", base64user);
615 }
616 free(base64user);
617 }
618}
619
629bool
631{
632 struct tls_multi *tls_multi = c->c2.tls_multi;
633 struct options *o = &c->options;
634
635 /* ipv6 */
637 {
638 push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
642 }
643
644 /* ipv4 */
647 {
650 {
652 }
653 push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
656 }
657
659 {
661 }
662 /*
663 * If server uses --auth-gen-token and we have an auth token
664 * to send to the client
665 */
667
668 /*
669 * Push the selected cipher, at this point the cipher has been
670 * already negotiated and been fixed.
671 *
672 * We avoid pushing the cipher to clients not supporting NCP
673 * to avoid error messages in their logs
674 */
676 {
677 push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
678 }
679
680 struct buffer proto_flags = alloc_buf_gc(128, gc);
681
682 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
683 {
684 buf_printf(&proto_flags, " cc-exit");
685
686 /* if the cc exit flag is supported, pushing tls-ekm via protocol-flags
687 * is also supported */
688 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
689 {
690 buf_printf(&proto_flags, " tls-ekm");
691 }
692 }
693 else if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
694 {
695 push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
696 }
697
698 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
699 {
700 buf_printf(&proto_flags, " dyn-tls-crypt");
701 }
702
703 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
704 {
705 buf_printf(&proto_flags, " aead-epoch");
706 }
707
708 if (buf_len(&proto_flags) > 0)
709 {
710 push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags));
711 }
712
713 /* Push our mtu to the peer if it supports pushable MTUs */
714 int client_max_mtu = 0;
715 const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc);
716
717 if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1)
718 {
719 push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
720 if (client_max_mtu < o->ce.tun_mtu)
721 {
722 msg(M_WARN,
723 "Warning: reported maximum MTU from client (%d) is lower "
724 "than MTU used on the server (%d). Add tun-mtu-max %d "
725 "to client configuration.",
726 client_max_mtu, o->ce.tun_mtu, o->ce.tun_mtu);
727 }
728 }
729
730 return true;
731}
732
733static bool
734send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap,
735 bool *push_sent, bool *multi_push)
736{
737 struct push_entry *e = push_list->head;
738
739 while (e)
740 {
741 if (e->enable)
742 {
743 const int l = strlen(e->option);
744 if (BLEN(buf) + l >= safe_cap)
745 {
746 buf_printf(buf, ",push-continuation 2");
747 {
748 const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
749 if (!status)
750 {
751 return false;
752 }
753 *push_sent = true;
754 *multi_push = true;
755 buf_reset_len(buf);
756 buf_printf(buf, "%s", push_reply_cmd);
757 }
758 }
759 if (BLEN(buf) + l >= safe_cap)
760 {
761 msg(M_WARN, "--push option is too long");
762 return false;
763 }
764 buf_printf(buf, ",%s", e->option);
765 }
766 e = e->next;
767 }
768 return true;
769}
770
771void
773{
774 struct gc_arena gc = gc_new();
775 struct push_list push_list = { 0 };
776 struct tls_session *session = &multi->session[TM_ACTIVE];
777
779
780 /* prepare auth token should always add the auth-token option */
781 struct push_entry *e = push_list.head;
782 ASSERT(e && e->enable);
783
784 /* Construct a mimimal control channel push reply message */
785 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
786 buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
788 gc_free(&gc);
789}
790
791bool
793{
794 struct gc_arena gc = gc_new();
795 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
796 bool multi_push = false;
797 const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
798 const int safe_cap = BCAP(&buf) - extra;
799 bool push_sent = false;
800
801 buf_printf(&buf, "%s", push_reply_cmd);
802
803 /* send options which are common to all clients */
804 if (!send_push_options(c, &buf, &c->options.push_list, safe_cap, &push_sent, &multi_push))
805 {
806 goto fail;
807 }
808
809 /* send client-specific options */
811 {
812 goto fail;
813 }
814
815 if (multi_push)
816 {
817 buf_printf(&buf, ",push-continuation 1");
818 }
819
820 if (BLEN(&buf) > sizeof(push_reply_cmd) - 1)
821 {
822 const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
823 if (!status)
824 {
825 goto fail;
826 }
827 push_sent = true;
828 }
829
830 /* If nothing have been pushed, send an empty push,
831 * as the client is expecting a response
832 */
833 if (!push_sent)
834 {
835 bool status = false;
836
837 buf_reset_len(&buf);
838 buf_printf(&buf, "%s", push_reply_cmd);
840 if (!status)
841 {
842 goto fail;
843 }
844 }
845
846 gc_free(&gc);
847 return true;
848
849fail:
850 gc_free(&gc);
851 return false;
852}
853
854static void
855push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable,
856 int msglevel)
857{
858 if (!string_class(opt, CC_ANY, CC_COMMA))
859 {
860 msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
861 }
862 else
863 {
864 struct push_entry *e;
865 ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
866 e->enable = true;
867 e->option = opt;
868 if (push_list->head)
869 {
871 push_list->tail->next = e;
872 push_list->tail = e;
873 }
874 else
875 {
877 push_list->head = e;
878 push_list->tail = e;
879 }
880 }
881}
882
883void
884push_option(struct options *o, const char *opt, int msglevel)
885{
886 push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
887}
888
889void
891{
892 if (o->push_list.head)
893 {
894 const struct push_entry *e = o->push_list.head;
895 push_reset(o);
896 while (e)
897 {
898 push_option_ex(&o->gc, &o->push_list, string_alloc(e->option, &o->gc), true, M_FATAL);
899 e = e->next;
900 }
901 }
902}
903
904void
905push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
906{
907 const char **argv = make_extended_arg_array(p, false, gc);
908 char *opt = print_argv(argv, gc, 0);
909 push_option(o, opt, msglevel);
910}
911
912static bool
913push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *format,
914 ...)
915{
916 va_list arglist;
917 char tmp[256] = { 0 };
918 int len;
919 va_start(arglist, format);
920 len = vsnprintf(tmp, sizeof(tmp), format, arglist);
921 va_end(arglist);
922 if (len > sizeof(tmp) - 1)
923 {
924 return false;
925 }
926 push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
927 return true;
928}
929
930void
932{
933 CLEAR(o->push_list);
934}
935
936void
937push_remove_option(struct options *o, const char *p)
938{
939 msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
940
941 /* ifconfig is special, as not part of the push list */
942 if (streq(p, "ifconfig"))
943 {
945 return;
946 }
947
948 /* ifconfig-ipv6 is special, as not part of the push list */
949 if (streq(p, "ifconfig-ipv6"))
950 {
952 return;
953 }
954
955 if (o && o->push_list.head)
956 {
957 struct push_entry *e = o->push_list.head;
958
959 /* cycle through the push list */
960 while (e)
961 {
962 if (e->enable && strncmp(e->option, p, strlen(p)) == 0)
963 {
964 msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
965 e->enable = false;
966 }
967
968 e = e->next;
969 }
970 }
971}
972
973int
975{
976 int ret = PUSH_MSG_ERROR;
977
978
981 {
982 const char *client_reason = tls_client_reason(c->c2.tls_multi);
983 send_auth_failed(c, client_reason);
985 }
988 {
989 time_t now;
990
993 {
995 }
996 else
997 {
998 /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
999 struct push_list push_list = { 0 };
1000 struct gc_arena gc = gc_new();
1001
1003 {
1004 ret = PUSH_MSG_REQUEST;
1005 c->c2.sent_push_reply_expiry = now + 30;
1006 }
1007 gc_free(&gc);
1008 }
1009 }
1010 else
1011 {
1013 }
1014
1015 return ret;
1016}
1017
1018static void
1019push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
1020{
1021 char line[OPTION_PARM_SIZE];
1022 while (buf_parse(buf, ',', line, sizeof(line)))
1023 {
1024 /* peer-id and auth-token might change on restart and this should not trigger reopening tun
1025 */
1026 if (strprefix(line, "peer-id ") || strprefix(line, "auth-token ")
1027 || strprefix(line, "auth-token-user "))
1028 {
1029 continue;
1030 }
1031 /* tun reopen only needed if cipher change can change tun MTU */
1032 if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
1033 {
1034 continue;
1035 }
1036 md_ctx_update(ctx, (const uint8_t *)line, strlen(line) + 1);
1037 }
1038}
1039
1040static int
1041process_incoming_push_reply(struct context *c, unsigned int permission_mask,
1042 unsigned int *option_types_found, struct buffer *buf)
1043{
1044 int ret = PUSH_MSG_ERROR;
1045 const uint8_t ch = buf_read_u8(buf);
1046 if (ch == ',')
1047 {
1048 struct buffer buf_orig = (*buf);
1049 if (!c->c2.pulled_options_digest_init_done)
1050 {
1051 c->c2.pulled_options_state = md_ctx_new();
1052 md_ctx_init(c->c2.pulled_options_state, "SHA256");
1053 c->c2.pulled_options_digest_init_done = true;
1054 }
1055 if (apply_push_options(c, &c->options, buf, permission_mask, option_types_found, c->c2.es,
1056 false))
1057 {
1058 push_update_digest(c->c2.pulled_options_state, &buf_orig, &c->options);
1059 switch (c->options.push_continuation)
1060 {
1061 case 0:
1062 case 1:
1063 md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
1064 md_ctx_cleanup(c->c2.pulled_options_state);
1065 md_ctx_free(c->c2.pulled_options_state);
1066 c->c2.pulled_options_state = NULL;
1067 c->c2.pulled_options_digest_init_done = false;
1068 ret = PUSH_MSG_REPLY;
1069 break;
1070
1071 case 2:
1073 break;
1074 }
1075 }
1076 else
1077 {
1078 throw_signal_soft(SIGUSR1, "Offending option received from server");
1079 }
1080 }
1081 else if (ch == '\0')
1082 {
1083 ret = PUSH_MSG_REPLY;
1084 }
1085 /* show_settings (&c->options); */
1086 return ret;
1087}
1088
1089int
1091 bool honor_received_options, unsigned int permission_mask,
1092 unsigned int *option_types_found)
1093{
1094 struct buffer buf = *buffer;
1095
1096 if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
1097 {
1098 c->c2.push_request_received = true;
1100 }
1102 {
1103 return process_incoming_push_reply(c, permission_mask, option_types_found, &buf);
1104 }
1106 {
1107 return process_incoming_push_update(c, permission_mask, option_types_found, &buf, false);
1108 }
1109 else
1110 {
1111 return PUSH_MSG_ERROR;
1112 }
1113}
1114
1115
1116/*
1117 * Remove iroutes from the push_list.
1118 */
1119void
1121{
1122 if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
1123 {
1124 struct gc_arena gc = gc_new();
1125 struct push_entry *e = o->push_list.head;
1126
1127 /* cycle through the push list */
1128 while (e)
1129 {
1130 char *p[MAX_PARMS + 1];
1131 bool enable = true;
1132
1133 /* parse the push item */
1134 CLEAR(p);
1135 if (e->enable
1136 && parse_line(e->option, p, SIZE(p) - 1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG,
1137 &gc))
1138 {
1139 /* is the push item a route directive? */
1140 if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
1141 {
1142 /* get route parameters */
1143 bool status1, status2;
1144 const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1145 const in_addr_t netmask = getaddr(
1146 GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1147
1148 /* did route parameters parse correctly? */
1149 if (status1 && status2)
1150 {
1151 const struct iroute *ir;
1152
1153 /* does route match an iroute? */
1154 for (ir = o->iroutes; ir != NULL; ir = ir->next)
1155 {
1156 if (network == ir->network
1157 && netmask
1158 == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1159 {
1160 enable = false;
1161 break;
1162 }
1163 }
1164 }
1165 }
1166 else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2] && o->iroutes_ipv6)
1167 {
1168 /* get route parameters */
1169 struct in6_addr network;
1170 unsigned int netbits;
1171
1172 /* parse route-ipv6 arguments */
1173 if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG))
1174 {
1175 struct iroute_ipv6 *ir;
1176
1177 /* does this route-ipv6 match an iroute-ipv6? */
1178 for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next)
1179 {
1180 if (!memcmp(&network, &ir->network, sizeof(network))
1181 && netbits == ir->netbits)
1182 {
1183 enable = false;
1184 break;
1185 }
1186 }
1187 }
1188 }
1189
1190 /* should we copy the push item? */
1191 e->enable = enable;
1192 if (!enable)
1193 {
1194 msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1195 }
1196 }
1197
1198 e = e->next;
1199 }
1200
1201 gc_free(&gc);
1202 }
1203}
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition buffer.c:789
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition buffer.c:1022
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition buffer.c:717
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:778
#define CC_COMMA
comma
Definition buffer.h:888
#define BSTR(buf)
Definition buffer.h:128
#define CC_ANY
any character
Definition buffer.h:867
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:774
#define BLEN(buf)
Definition buffer.h:126
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
#define BCAP(buf)
Definition buffer.h:129
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static char * buf_str(const struct buffer *buf)
Definition buffer.h:297
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:959
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define PUSH_BUNDLE_SIZE
Definition common.h:87
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
md_ctx_t * md_ctx_new(void)
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
void md_ctx_cleanup(md_ctx_t *ctx)
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
void md_ctx_init(md_ctx_t *ctx, const char *mdname)
Initialises the given message digest context.
void md_ctx_free(md_ctx_t *ctx)
mbedtls_md_context_t md_ctx_t
Generic message digest context.
#define D_PUSH
Definition errlevel.h:82
#define M_VERB0
Definition errlevel.h:52
#define D_ROUTE_DEBUG
Definition errlevel.h:132
#define D_PUSH_DEBUG
Definition errlevel.h:149
#define D_STREAM_ERRORS
Definition errlevel.h:62
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_TLS_DEBUG
Definition errlevel.h:164
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:391
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition forward.c:371
bool schedule_exit(struct context *c)
Definition forward.c:521
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:398
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:546
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
bool do_update(struct context *c, unsigned int option_types_found)
A simplified version of the do_up() function.
Definition init.c:2486
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2351
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2539
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition integer.h:66
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition integer.h:53
static SERVICE_STATUS status
Definition interactive.c:51
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:153
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3106
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2778
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2929
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition manage.c:2985
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition manage.c:2923
#define OPENVPN_STATE_AUTH_PENDING
Definition manage.h:462
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition misc.c:621
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:651
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
#define M_USAGE
Definition error.h:105
#define M_FATAL
Definition error.h:88
#define dmsg(flags,...)
Definition error.h:170
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4285
bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, bool is_update)
Definition options.c:5453
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:4968
int auth_retry_get(void)
Definition options.c:4782
#define MODE_SERVER
Definition options.h:261
#define streq(x, y)
Definition options.h:727
#define AR_INTERACT
Definition options.h:915
#define OPTION_PARM_SIZE
Definition options.h:56
#define AR_NONE
Definition options.h:914
#define AR_NOINTERACT
Definition options.h:916
#define MAX_PARMS
Definition options.h:51
#define OPTION_LINE_SIZE
Definition options.h:57
const char * parse_auth_failed_temp(struct options *o, const char *reason)
time_t now
Definition otime.c:33
static time_t openvpn_time(time_t *t)
Definition otime.h:89
int process_incoming_push_request(struct context *c)
Definition push.c:974
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:336
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition push.c:913
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:48
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:490
void push_option(struct options *o, const char *opt, int msglevel)
Definition push.c:884
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:128
void push_reset(struct options *o)
Definition push.c:931
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:263
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:393
void clone_push_list(struct options *o)
Definition push.c:890
void receive_exit_message(struct context *c)
Definition push.c:189
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition push.c:598
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition push.c:1041
bool send_push_request(struct context *c)
Definition push.c:563
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition push.c:855
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:434
void push_remove_option(struct options *o, const char *p)
Definition push.c:937
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:501
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:905
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition push.c:630
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition push.c:1019
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition push.c:734
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1120
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition push.c:295
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition push.c:1090
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition push.c:792
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:225
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
Definition push.c:772
#define PUSH_MSG_REQUEST
Definition push.h:29
#define PUSH_MSG_REQUEST_DEFERRED
Definition push.h:31
#define PUSH_MSG_ERROR
Definition push.h:28
#define PUSH_MSG_REPLY
Definition push.h:30
#define PUSH_MSG_UPDATE
Definition push.h:35
#define push_update_cmd
Definition push.h:38
#define push_reply_cmd
Definition push.h:37
#define PUSH_MSG_AUTH_FAILURE
Definition push.h:32
#define PUSH_MSG_CONTINUATION
Definition push.h:33
int process_incoming_push_update(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf, bool msg_sender)
Handles the receiving of a push-update message and applies updates to the specified options.
Definition push_util.c:13
#define PUSH_MSG_ALREADY_REPLIED
Definition push.h:34
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:399
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition sig.c:204
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:228
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:214
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:187
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define GETADDR_HOST_ORDER
int openvpn_base64_encode(const void *data, int size, char **str)
Definition base64.c:51
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:382
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:407
bool ssl_clean_auth_token(void)
Definition ssl.c:371
Control Channel SSL/Data channel negotiation module.
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:586
#define UP_TYPE_AUTH
Definition ssl_common.h:41
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition ssl_ncp.c:79
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition ssl_util.c:31
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:60
SSL utility functions.
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Control Channel Verification Module.
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:75
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:76
static const char * tls_client_reason(struct tls_multi *multi)
Definition ssl_verify.h:278
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
bool tun_mtu_defined
Definition options.h:128
bool push_ifconfig_ipv6_defined
Definition openvpn.h:434
bool push_ifconfig_defined
Definition openvpn.h:428
struct env_set * es
Definition openvpn.h:420
time_t push_request_timeout
Definition openvpn.h:440
struct event_timeout wait_for_connect
Definition openvpn.h:282
struct event_timeout push_request_interval
Definition openvpn.h:439
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
time_t sent_push_reply_expiry
Definition openvpn.h:429
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:437
int push_ifconfig_ipv6_netbits
Definition openvpn.h:436
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:435
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:432
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:431
in_addr_t push_ifconfig_local
Definition openvpn.h:430
Contains all state information for one tunnel.
Definition openvpn.h:474
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:503
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
struct iroute_ipv6 * next
Definition route.h:269
unsigned int netbits
Definition route.h:268
struct in6_addr network
Definition route.h:267
in_addr_t network
Definition route.h:260
int netbits
Definition route.h:261
struct iroute * next
Definition route.h:262
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
time_t established
Definition ssl_common.h:228
unsigned int mda_key_id
Definition ssl_common.h:263
time_t initial
Definition ssl_common.h:227
time_t peer_last_packet
Definition ssl_common.h:231
time_t auth_deferred_expire
Definition ssl_common.h:260
unsigned int push_option_types_found
Definition options.h:561
bool push_ifconfig_ipv6_blocked
Definition options.h:528
int handshake_window
Definition options.h:655
const char * ifconfig_local
Definition options.h:323
struct connection_entry ce
Definition options.h:290
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
struct push_list push_list
Definition options.h:490
const char * ciphername
Definition options.h:576
bool pull
Definition options.h:559
struct gc_arena gc
Definition options.h:253
struct iroute * iroutes
Definition options.h:514
bool no_advance
Definition options.h:295
bool push_ifconfig_ipv4_blocked
Definition options.h:523
Definition pushlist.h:29
struct push_entry * next
Definition pushlist.h:30
bool enable
Definition pushlist.h:31
const char * option
Definition pushlist.h:32
struct push_entry * head
Definition pushlist.h:37
struct push_entry * tail
Definition pushlist.h:38
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:650
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_options opt
Definition ssl_common.h:617
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
uint32_t peer_id
Definition ssl_common.h:700
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition ssl_common.h:679
bool use_peer_id
Definition ssl_common.h:701
interval_t renegotiate_seconds
Definition ssl_common.h:348
int handshake_window
Definition ssl_common.h:341
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
__attribute__((unused))
Definition test.c:42
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:154