OpenVPN
push.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include "push.h"
31#include "options.h"
32#include "crypto.h"
33#include "ssl.h"
34#include "ssl_verify.h"
35#include "ssl_ncp.h"
36#include "manage.h"
37
38#include "memdbg.h"
39#include "ssl_util.h"
40#include "options_util.h"
41
42static char push_reply_cmd[] = "PUSH_REPLY";
43
44/*
45 * Auth username/password
46 *
47 * Client received an authentication failed message from server.
48 * Runs on client.
49 */
50void
51receive_auth_failed(struct context *c, const struct buffer *buffer)
52{
53 msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
54 c->options.no_advance = true;
55
56 if (!c->options.pull)
57 {
58 return;
59 }
60
61 struct buffer buf = *buffer;
62
63 /* If the AUTH_FAIL message ends with a , it is an extended message that
64 * contains further flags */
65 bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,");
66
67 const char *reason = NULL;
68 if (authfail_extended && BLEN(&buf))
69 {
70 reason = BSTR(&buf);
71 }
72
74 {
75 parse_auth_failed_temp(&c->options, reason + strlen("TEMP"));
76 register_signal(c->sig, SIGUSR1, "auth-temp-failure (server temporary reject)");
77 }
78
79 /* Before checking how to react on AUTH_FAILED, first check if the
80 * failed auth might be the result of an expired auth-token.
81 * Note that a server restart will trigger a generic AUTH_FAILED
82 * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message
83 * identical for this scenario */
84 else if (ssl_clean_auth_token())
85 {
86 /* SOFT-SIGUSR1 -- Auth failure error */
87 register_signal(c->sig, SIGUSR1, "auth-failure (auth-token)");
88 c->options.no_advance = true;
89 }
90 else
91 {
92 switch (auth_retry_get())
93 {
94 case AR_NONE:
95 /* SOFT-SIGTERM -- Auth failure error */
96 register_signal(c->sig, SIGTERM, "auth-failure");
97 break;
98
99 case AR_INTERACT:
100 ssl_purge_auth(false);
101 /* Intentional [[fallthrough]]; */
102
103 case AR_NOINTERACT:
104 /* SOFT-SIGTUSR1 -- Auth failure error */
105 register_signal(c->sig, SIGUSR1, "auth-failure");
106 break;
107
108 default:
109 ASSERT(0);
110 }
111 }
112#ifdef ENABLE_MANAGEMENT
113 if (management)
114 {
116 }
117 /*
118 * Save the dynamic-challenge text even when management is defined
119 */
121 && buf_string_match_head_str(&buf, "CRV1:") && BLEN(&buf))
122 {
124 }
125#endif /* ifdef ENABLE_MANAGEMENT */
126
127}
128
129/*
130 * Act on received restart message from server
131 */
132void
133server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
134{
135 if (c->options.pull)
136 {
137 struct buffer buf = *buffer;
138 const char *m = "";
139 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
140 {
141 m = BSTR(&buf);
142 }
143
144 /* preserve cached passwords? */
145 /* advance to next server? */
146 {
147 bool purge = true;
148
149 if (m[0] == '[')
150 {
151 int i;
152 for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
153 {
154 if (m[i] == 'P')
155 {
156 purge = false;
157 }
158 else if (m[i] == 'N')
159 {
160 /* next server? */
161 c->options.no_advance = false;
162 }
163 }
164 }
165 if (purge)
166 {
167 ssl_purge_auth(true);
168 }
169 }
170
171 if (restart)
172 {
173 msg(D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
174 /* SOFT-SIGUSR1 -- server-pushed connection reset */
175 register_signal(c->sig, SIGUSR1, "server-pushed-connection-reset");
176 }
177 else
178 {
179 msg(D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
180 /* SOFT-SIGTERM -- server-pushed halt */
181 register_signal(c->sig, SIGTERM, "server-pushed-halt");
182 }
183#ifdef ENABLE_MANAGEMENT
184 if (management)
185 {
186 management_notify(management, "info", c->sig->signal_text, m);
187 }
188#endif
189 }
190}
191
192void
194{
195 dmsg(D_STREAM_ERRORS, "CC-EEN exit message received by peer");
196 /* With control channel exit notification, we want to give the session
197 * enough time to handle retransmits and acknowledgment, so that eventual
198 * retries from the client to resend the exit or ACKs will not trigger
199 * a new session (we already forgot the session but the packet's HMAC
200 * is still valid). This could happen for the entire period that the
201 * HMAC timeslot is still valid, but waiting five seconds here does not
202 * hurt much, takes care of the retransmits, and is easier code-wise.
203 *
204 * This does not affect OCC exit since the HMAC session code will
205 * ignore DATA packets
206 * */
207 if (c->options.mode == MODE_SERVER)
208 {
209 if (!schedule_exit(c))
210 {
211 /* Return early when we don't need to notify management */
212 return;
213 }
214 }
215 else
216 {
217 register_signal(c->sig, SIGUSR1, "remote-exit");
218 }
219#ifdef ENABLE_MANAGEMENT
220 if (management)
221 {
222 management_notify(management, "info", "remote-exit", "EXIT");
223 }
224#endif
225}
226
227
228void
229server_pushed_info(const struct buffer *buffer, const int adv)
230{
231 const char *m = "";
232 struct buffer buf = *buffer;
233
234 if (buf_advance(&buf, adv) && buf_read_u8(&buf) == ',' && BLEN(&buf))
235 {
236 m = BSTR(&buf);
237 }
238
239#ifdef ENABLE_MANAGEMENT
240 struct gc_arena gc;
241 if (management)
242 {
243 gc = gc_new();
244
245 /*
246 * We use >INFOMSG here instead of plain >INFO since INFO is used to
247 * for management greeting and we don't want to confuse the client
248 */
249 struct buffer out = alloc_buf_gc(256, &gc);
250 if (buf_printf(&out, ">%s:%s", "INFOMSG", m))
251 {
253 }
254 else
255 {
256 msg(D_PUSH_ERRORS, "WARNING: Received INFO command is too long, won't notify management client.");
257 }
258
259 gc_free(&gc);
260 }
261#endif
262 msg(D_PUSH, "Info command was pushed by server ('%s')", m);
263}
264
265void
267{
268 struct buffer buf = *buffer;
269 const char *m = "";
270
271 if (buf_advance(&buf, 11) && buf_read_u8(&buf) == ',' && BLEN(&buf))
272 {
273 m = BSTR(&buf);
274 }
275#ifdef ENABLE_MANAGEMENT
277 struct man_def_auth_context *mda = session->opt->mda_context;
278 struct env_set *es = session->opt->es;
279 unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
280
281 management_notify_client_cr_response(mda_key_id, mda, es, m);
282#endif
283#if ENABLE_PLUGIN
285#endif
287 msg(D_PUSH, "CR response was sent by client ('%s')", m);
288}
289
297static void
299 unsigned int *server_timeout)
300{
301 struct buffer buf = *buffer;
302
303 /* does the buffer start with "AUTH_PENDING," ? */
304 if (!buf_advance(&buf, strlen("AUTH_PENDING"))
305 || !(buf_read_u8(&buf) == ',') || !BLEN(&buf))
306 {
307#ifdef ENABLE_MANAGEMENT
308 if (management)
309 {
311 "", NULL, NULL, NULL, NULL);
312 }
313#endif
314
315 return;
316 }
317
318 /* parse the keywords in the same way that push options are parsed */
320
321#ifdef ENABLE_MANAGEMENT
322 /* Need to do the management notification with the keywords before
323 * buf_parse is called, as it will insert \0 bytes into the buffer */
324 if (management)
325 {
327 BSTR(&buf), NULL, NULL, NULL, NULL);
328 }
329#endif
330
331 while (buf_parse(&buf, ',', line, sizeof(line)))
332 {
333 if (sscanf(line, "timeout %u", server_timeout) != 1)
334 {
335 msg(D_PUSH, "ignoring AUTH_PENDING parameter: %s", line);
336 }
337 }
338}
339
340void
342{
343 if (!c->options.pull)
344 {
345 return;
346 }
347
348 /* Cap the increase at the maximum time we are willing stay in the
349 * pending authentication state */
350 unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
351 c->options.handshake_window);
352
353 /* try to parse parameter keywords, default to hand-winow timeout if the
354 * server does not supply a timeout */
355 unsigned int server_timeout = c->options.handshake_window;
357
358 msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
359 "to %us", c->options.handshake_window,
361
362 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
363 c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
364}
365
380static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list,
381 int msglevel, const char *fmt, ...)
382#ifdef __GNUC__
383#if __USE_MINGW_ANSI_STDIO
384__attribute__ ((format(gnu_printf, 4, 5)))
385#else
386__attribute__ ((format(__printf__, 4, 5)))
387#endif
388#endif
389;
390
391/*
392 * Send auth failed message from server to client.
393 *
394 * Does nothing if an exit is already scheduled
395 */
396void
397send_auth_failed(struct context *c, const char *client_reason)
398{
399 if (!schedule_exit(c))
400 {
401 msg(D_TLS_DEBUG, "exit already scheduled for context");
402 return;
403 }
404
405 struct gc_arena gc = gc_new();
406 static const char auth_failed[] = "AUTH_FAILED";
407 size_t len;
408
409 len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
410 if (len > PUSH_BUNDLE_SIZE)
411 {
412 len = PUSH_BUNDLE_SIZE;
413 }
414
415 {
416 struct buffer buf = alloc_buf_gc(len, &gc);
417 buf_printf(&buf, auth_failed);
418 if (client_reason)
419 {
420 buf_printf(&buf, ",%s", client_reason);
421 }
422
423 /* We kill the whole session, send the AUTH_FAILED to any TLS session
424 * that might be active */
425 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_INITIAL],
426 BSTR(&buf), D_PUSH);
427 send_control_channel_string_dowork(&c->c2.tls_multi->session[TM_ACTIVE],
428 BSTR(&buf), D_PUSH);
429
431
432 }
433
434 gc_free(&gc);
435}
436
437
438bool
440 struct tls_session *session,
441 const char *extra, unsigned int timeout)
442{
443 struct key_state *ks = &session->key[KS_PRIMARY];
444
445 static const char info_pre[] = "INFO_PRE,";
446
447 const char *const peer_info = tls_multi->peer_info;
448 unsigned int proto = extract_iv_proto(peer_info);
449
450
451 /* Calculate the maximum timeout and subtract the time we already waited */
452 unsigned int max_timeout = max_uint(tls_multi->opt.renegotiate_seconds/2,
454 max_timeout = max_timeout - (now - ks->initial);
455 timeout = min_uint(max_timeout, timeout);
456
457 struct gc_arena gc = gc_new();
458 if ((proto & IV_PROTO_AUTH_PENDING_KW) == 0)
459 {
461 }
462 else
463 {
464 static const char auth_pre[] = "AUTH_PENDING,timeout ";
465 /* Assume a worst case of 8 byte uint64 in decimal which */
466 /* needs 20 bytes */
467 size_t len = 20 + 1 + sizeof(auth_pre);
468 struct buffer buf = alloc_buf_gc(len, &gc);
469 buf_printf(&buf, auth_pre);
470 buf_printf(&buf, "%u", timeout);
472 }
473
474 size_t len = strlen(extra) + 1 + sizeof(info_pre);
475 if (len > PUSH_BUNDLE_SIZE)
476 {
477 gc_free(&gc);
478 return false;
479 }
480
481 struct buffer buf = alloc_buf_gc(len, &gc);
482 buf_printf(&buf, info_pre);
483 buf_printf(&buf, "%s", extra);
485
486 ks->auth_deferred_expire = now + timeout;
487
488 gc_free(&gc);
489 return true;
490}
491
492/*
493 * Send restart message from server to client.
494 */
495void
496send_restart(struct context *c, const char *kill_msg)
497{
500}
501
502/*
503 * Push/Pull
504 */
505
506void
508{
509 struct gc_arena gc = gc_new();
510 unsigned int option_types_found = 0;
511
512 msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
513
516 &option_types_found);
517
518 if (status == PUSH_MSG_ERROR)
519 {
520 msg(D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
521 }
523 {
524 c->options.push_option_types_found |= option_types_found;
525
526 /* delay bringing tun/tap up until --push parms received from remote */
527 if (status == PUSH_MSG_REPLY)
528 {
530 {
531 goto error;
532 }
533 if (!do_up(c, true, c->options.push_option_types_found))
534 {
535 msg(D_PUSH_ERRORS, "Failed to open tun/tap interface");
536 goto error;
537 }
538 }
541 }
542
543 goto cleanup;
544
545error:
546 register_signal(c->sig, SIGUSR1, "process-push-msg-failed");
547cleanup:
548 gc_free(&gc);
549}
550
551bool
553{
554 const struct key_state *ks = get_primary_key(c->c2.tls_multi);
555
556 /* We timeout here under two conditions:
557 * a) we reached the hard limit of push_request_timeout
558 * b) we have not seen anything from the server in hand_window time
559 *
560 * for non auth-pending scenario, push_request_timeout is the same as
561 * hand_window timeout. For b) every PUSH_REQUEST is a acknowledged by
562 * the server by a P_ACK_V1 packet that reset the keepalive timer
563 */
564
567 {
568 return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
569 }
570 else
571 {
572 msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
573 (int)(now - ks->established));
574 /* SOFT-SIGUSR1 -- server-pushed connection reset */
575 register_signal(c->sig, SIGUSR1, "no-push-reply");
576 return false;
577 }
578}
579
586void
588 struct push_list *push_list)
589{
590 /*
591 * If server uses --auth-gen-token and we have an auth token
592 * to send to the client
593 */
595 {
596 push_option_fmt(gc, push_list, M_USAGE, "auth-token %s",
598
599 char *base64user = NULL;
601 (int)strlen(tls_multi->locked_username),
602 &base64user);
603 if (ret < USER_PASS_LEN && ret > 0)
604 {
605 push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s",
606 base64user);
607 }
608 free(base64user);
609 }
610}
611
621bool
623 struct push_list *push_list)
624{
625 struct tls_multi *tls_multi = c->c2.tls_multi;
626 struct options *o = &c->options;
627
628 /* ipv6 */
630 {
631 push_option_fmt(gc, push_list, M_USAGE, "ifconfig-ipv6 %s/%d %s",
635 0, gc));
636 }
637
638 /* ipv4 */
642 {
645 {
647 }
648 push_option_fmt(gc, push_list, M_USAGE, "ifconfig %s %s",
651 0, gc));
652 }
653
655 {
656 push_option_fmt(gc, push_list, M_USAGE, "peer-id %d",
658 }
659 /*
660 * If server uses --auth-gen-token and we have an auth token
661 * to send to the client
662 */
664
665 /*
666 * Push the selected cipher, at this point the cipher has been
667 * already negotiated and been fixed.
668 *
669 * We avoid pushing the cipher to clients not supporting NCP
670 * to avoid error messages in their logs
671 */
673 {
674 push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
675 }
676
677 struct buffer proto_flags = alloc_buf_gc(128, gc);
678
679 if (o->imported_protocol_flags & CO_USE_CC_EXIT_NOTIFY)
680 {
681 buf_printf(&proto_flags, " cc-exit");
682
683 /* if the cc exit flag is supported, pushing tls-ekm via protocol-flags
684 * is also supported */
685 if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
686 {
687 buf_printf(&proto_flags, " tls-ekm");
688 }
689 }
690 else if (o->imported_protocol_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
691 {
692 push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
693 }
694
695 if (o->imported_protocol_flags & CO_USE_DYNAMIC_TLS_CRYPT)
696 {
697 buf_printf(&proto_flags, " dyn-tls-crypt");
698 }
699
700 if (o->imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT)
701 {
702 buf_printf(&proto_flags, " aead-epoch");
703 }
704
705 if (buf_len(&proto_flags) > 0)
706 {
707 push_option_fmt(gc, push_list, M_USAGE, "protocol-flags%s", buf_str(&proto_flags));
708 }
709
710 /* Push our mtu to the peer if it supports pushable MTUs */
711 int client_max_mtu = 0;
712 const char *iv_mtu = extract_var_peer_info(tls_multi->peer_info, "IV_MTU=", gc);
713
714 if (iv_mtu && sscanf(iv_mtu, "%d", &client_max_mtu) == 1)
715 {
716 push_option_fmt(gc, push_list, M_USAGE, "tun-mtu %d", o->ce.tun_mtu);
717 if (client_max_mtu < o->ce.tun_mtu)
718 {
719 msg(M_WARN, "Warning: reported maximum MTU from client (%d) is lower "
720 "than MTU used on the server (%d). Add tun-max-mtu %d "
721 "to client configuration.", client_max_mtu,
722 o->ce.tun_mtu, o->ce.tun_mtu);
723 }
724 }
725
726 return true;
727}
728
729static bool
730send_push_options(struct context *c, struct buffer *buf,
731 struct push_list *push_list, int safe_cap,
732 bool *push_sent, bool *multi_push)
733{
734 struct push_entry *e = push_list->head;
735
736 while (e)
737 {
738 if (e->enable)
739 {
740 const int l = strlen(e->option);
741 if (BLEN(buf) + l >= safe_cap)
742 {
743 buf_printf(buf, ",push-continuation 2");
744 {
745 const bool status = send_control_channel_string(c, BSTR(buf), D_PUSH);
746 if (!status)
747 {
748 return false;
749 }
750 *push_sent = true;
751 *multi_push = true;
752 buf_reset_len(buf);
753 buf_printf(buf, "%s", push_reply_cmd);
754 }
755 }
756 if (BLEN(buf) + l >= safe_cap)
757 {
758 msg(M_WARN, "--push option is too long");
759 return false;
760 }
761 buf_printf(buf, ",%s", e->option);
762 }
763 e = e->next;
764 }
765 return true;
766}
767
768void
770{
771 struct gc_arena gc = gc_new();
772 struct push_list push_list = { 0 };
773 struct tls_session *session = &multi->session[TM_ACTIVE];
774
776
777 /* prepare auth token should always add the auth-token option */
778 struct push_entry *e = push_list.head;
779 ASSERT(e && e->enable);
780
781 /* Construct a mimimal control channel push reply message */
782 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
783 buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
785 gc_free(&gc);
786}
787
788bool
790{
791 struct gc_arena gc = gc_new();
792 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
793 bool multi_push = false;
794 const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
795 const int safe_cap = BCAP(&buf) - extra;
796 bool push_sent = false;
797
798 buf_printf(&buf, "%s", push_reply_cmd);
799
800 /* send options which are common to all clients */
801 if (!send_push_options(c, &buf, &c->options.push_list, safe_cap,
803 {
804 goto fail;
805 }
806
807 /* send client-specific options */
810 {
811 goto fail;
812 }
813
814 if (multi_push)
815 {
816 buf_printf(&buf, ",push-continuation 1");
817 }
818
819 if (BLEN(&buf) > sizeof(push_reply_cmd)-1)
820 {
821 const bool status = send_control_channel_string(c, BSTR(&buf), D_PUSH);
822 if (!status)
823 {
824 goto fail;
825 }
826 push_sent = true;
827 }
828
829 /* If nothing have been pushed, send an empty push,
830 * as the client is expecting a response
831 */
832 if (!push_sent)
833 {
834 bool status = false;
835
836 buf_reset_len(&buf);
837 buf_printf(&buf, "%s", push_reply_cmd);
839 if (!status)
840 {
841 goto fail;
842 }
843 }
844
845 gc_free(&gc);
846 return true;
847
848fail:
849 gc_free(&gc);
850 return false;
851}
852
853static void
855 const char *opt, bool enable, int msglevel)
856{
857 if (!string_class(opt, CC_ANY, CC_COMMA))
858 {
859 msg(msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
860 }
861 else
862 {
863 struct push_entry *e;
864 ALLOC_OBJ_CLEAR_GC(e, struct push_entry, gc);
865 e->enable = true;
866 e->option = opt;
867 if (push_list->head)
868 {
870 push_list->tail->next = e;
871 push_list->tail = e;
872 }
873 else
874 {
876 push_list->head = e;
877 push_list->tail = e;
878 }
879 }
880}
881
882void
883push_option(struct options *o, const char *opt, int msglevel)
884{
885 push_option_ex(&o->gc, &o->push_list, opt, true, msglevel);
886}
887
888void
890{
891 if (o->push_list.head)
892 {
893 const struct push_entry *e = o->push_list.head;
894 push_reset(o);
895 while (e)
896 {
897 push_option_ex(&o->gc, &o->push_list,
898 string_alloc(e->option, &o->gc), true, M_FATAL);
899 e = e->next;
900 }
901 }
902}
903
904void
905push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
906{
907 const char **argv = make_extended_arg_array(p, false, gc);
908 char *opt = print_argv(argv, gc, 0);
909 push_option(o, opt, msglevel);
910}
911
912static bool
914 int msglevel, const char *format, ...)
915{
916 va_list arglist;
917 char tmp[256] = {0};
918 int len;
919 va_start(arglist, format);
920 len = vsnprintf(tmp, sizeof(tmp), format, arglist);
921 va_end(arglist);
922 if (len > sizeof(tmp)-1)
923 {
924 return false;
925 }
926 push_option_ex(gc, push_list, string_alloc(tmp, gc), true, msglevel);
927 return true;
928}
929
930void
932{
933 CLEAR(o->push_list);
934}
935
936void
937push_remove_option(struct options *o, const char *p)
938{
939 msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p);
940
941 /* ifconfig is special, as not part of the push list */
942 if (streq(p, "ifconfig"))
943 {
945 return;
946 }
947
948 /* ifconfig-ipv6 is special, as not part of the push list */
949 if (streq( p, "ifconfig-ipv6" ))
950 {
952 return;
953 }
954
955 if (o && o->push_list.head)
956 {
957 struct push_entry *e = o->push_list.head;
958
959 /* cycle through the push list */
960 while (e)
961 {
962 if (e->enable
963 && strncmp( e->option, p, strlen(p) ) == 0)
964 {
965 msg(D_PUSH_DEBUG, "PUSH_REMOVE removing: '%s'", e->option);
966 e->enable = false;
967 }
968
969 e = e->next;
970 }
971 }
972}
973
974int
976{
977 int ret = PUSH_MSG_ERROR;
978
979
982 {
983 const char *client_reason = tls_client_reason(c->c2.tls_multi);
984 send_auth_failed(c, client_reason);
986 }
989 {
990 time_t now;
991
994 {
996 }
997 else
998 {
999 /* per-client push options - peer-id, cipher, ifconfig, ipv6-ifconfig */
1000 struct push_list push_list = { 0 };
1001 struct gc_arena gc = gc_new();
1002
1004 && send_push_reply(c, &push_list))
1005 {
1006 ret = PUSH_MSG_REQUEST;
1007 c->c2.sent_push_reply_expiry = now + 30;
1008 }
1009 gc_free(&gc);
1010 }
1011 }
1012 else
1013 {
1015 }
1016
1017 return ret;
1018}
1019
1020static void
1021push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
1022{
1023 char line[OPTION_PARM_SIZE];
1024 while (buf_parse(buf, ',', line, sizeof(line)))
1025 {
1026 /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
1027 if (strprefix(line, "peer-id ")
1028 || strprefix(line, "auth-token ")
1029 || strprefix(line, "auth-token-user "))
1030 {
1031 continue;
1032 }
1033 /* tun reopen only needed if cipher change can change tun MTU */
1034 if (strprefix(line, "cipher ") && !opt->ce.tun_mtu_defined)
1035 {
1036 continue;
1037 }
1038 md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
1039 }
1040}
1041
1042static int
1044 unsigned int permission_mask,
1045 unsigned int *option_types_found,
1046 struct buffer *buf)
1047{
1048 int ret = PUSH_MSG_ERROR;
1049 const uint8_t ch = buf_read_u8(buf);
1050 if (ch == ',')
1051 {
1052 struct buffer buf_orig = (*buf);
1053 if (!c->c2.pulled_options_digest_init_done)
1054 {
1055 c->c2.pulled_options_state = md_ctx_new();
1056 md_ctx_init(c->c2.pulled_options_state, "SHA256");
1057 c->c2.pulled_options_digest_init_done = true;
1058 }
1059 if (apply_push_options(&c->options,
1060 buf,
1062 option_types_found,
1063 c->c2.es))
1064 {
1065 push_update_digest(c->c2.pulled_options_state, &buf_orig,
1066 &c->options);
1067 switch (c->options.push_continuation)
1068 {
1069 case 0:
1070 case 1:
1071 md_ctx_final(c->c2.pulled_options_state,
1072 c->c2.pulled_options_digest.digest);
1073 md_ctx_cleanup(c->c2.pulled_options_state);
1074 md_ctx_free(c->c2.pulled_options_state);
1075 c->c2.pulled_options_state = NULL;
1076 c->c2.pulled_options_digest_init_done = false;
1077 ret = PUSH_MSG_REPLY;
1078 break;
1079
1080 case 2:
1082 break;
1083 }
1084 }
1085 }
1086 else if (ch == '\0')
1087 {
1088 ret = PUSH_MSG_REPLY;
1089 }
1090 /* show_settings (&c->options); */
1091 return ret;
1092}
1093
1094int
1096 const struct buffer *buffer,
1098 unsigned int permission_mask,
1099 unsigned int *option_types_found)
1100{
1101 struct buffer buf = *buffer;
1102
1103 if (buf_string_compare_advance(&buf, "PUSH_REQUEST"))
1104 {
1105 c->c2.push_request_received = true;
1107 }
1108 else if (honor_received_options
1110 {
1112 option_types_found, &buf);
1113 }
1114 else
1115 {
1116 return PUSH_MSG_ERROR;
1117 }
1118}
1119
1120
1121/*
1122 * Remove iroutes from the push_list.
1123 */
1124void
1126{
1127 if (o && o->push_list.head && (o->iroutes || o->iroutes_ipv6))
1128 {
1129 struct gc_arena gc = gc_new();
1130 struct push_entry *e = o->push_list.head;
1131
1132 /* cycle through the push list */
1133 while (e)
1134 {
1135 char *p[MAX_PARMS+1];
1136 bool enable = true;
1137
1138 /* parse the push item */
1139 CLEAR(p);
1140 if (e->enable
1141 && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
1142 {
1143 /* is the push item a route directive? */
1144 if (p[0] && !strcmp(p[0], "route") && !p[3] && o->iroutes)
1145 {
1146 /* get route parameters */
1147 bool status1, status2;
1148 const in_addr_t network = getaddr(GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
1149 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
1150
1151 /* did route parameters parse correctly? */
1152 if (status1 && status2)
1153 {
1154 const struct iroute *ir;
1155
1156 /* does route match an iroute? */
1157 for (ir = o->iroutes; ir != NULL; ir = ir->next)
1158 {
1159 if (network == ir->network && netmask == netbits_to_netmask(ir->netbits >= 0 ? ir->netbits : 32))
1160 {
1161 enable = false;
1162 break;
1163 }
1164 }
1165 }
1166 }
1167 else if (p[0] && !strcmp(p[0], "route-ipv6") && !p[2]
1168 && o->iroutes_ipv6)
1169 {
1170 /* get route parameters */
1171 struct in6_addr network;
1172 unsigned int netbits;
1173
1174 /* parse route-ipv6 arguments */
1175 if (get_ipv6_addr(p[1], &network, &netbits, D_ROUTE_DEBUG))
1176 {
1177 struct iroute_ipv6 *ir;
1178
1179 /* does this route-ipv6 match an iroute-ipv6? */
1180 for (ir = o->iroutes_ipv6; ir != NULL; ir = ir->next)
1181 {
1182 if (!memcmp(&network, &ir->network, sizeof(network))
1183 && netbits == ir->netbits)
1184 {
1185 enable = false;
1186 break;
1187 }
1188 }
1189 }
1190 }
1191
1192 /* should we copy the push item? */
1193 e->enable = enable;
1194 if (!enable)
1195 {
1196 msg(D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);
1197 }
1198 }
1199
1200 e = e->next;
1201 }
1202
1203 gc_free(&gc);
1204 }
1205}
bool buf_string_compare_advance(struct buffer *src, const char *match)
Definition buffer.c:789
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive)
Definition buffer.c:1023
char * print_argv(const char **p, struct gc_arena *gc, const unsigned int flags)
Definition buffer.c:717
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
bool buf_string_match_head_str(const struct buffer *src, const char *match)
Definition buffer.c:778
#define CC_COMMA
comma
Definition buffer.h:904
#define BSTR(buf)
Definition buffer.h:129
#define CC_ANY
any character
Definition buffer.h:883
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:790
#define BLEN(buf)
Definition buffer.h:127
static void buf_reset_len(struct buffer *buf)
Definition buffer.h:312
#define BCAP(buf)
Definition buffer.h:130
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
static char * buf_str(const struct buffer *buf)
Definition buffer.h:297
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:977
static struct gc_arena gc_new(void)
Definition buffer.h:1025
#define PUSH_BUNDLE_SIZE
Definition common.h:88
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
md_ctx_t * md_ctx_new(void)
void md_ctx_update(md_ctx_t *ctx, const uint8_t *src, int src_len)
void md_ctx_cleanup(md_ctx_t *ctx)
void md_ctx_final(md_ctx_t *ctx, uint8_t *dst)
void md_ctx_init(md_ctx_t *ctx, const char *mdname)
Initialises the given message digest context.
void md_ctx_free(md_ctx_t *ctx)
mbedtls_md_context_t md_ctx_t
Generic message digest context.
#define D_PUSH
Definition errlevel.h:83
#define M_VERB0
Definition errlevel.h:53
#define D_ROUTE_DEBUG
Definition errlevel.h:133
#define D_PUSH_DEBUG
Definition errlevel.h:150
#define D_STREAM_ERRORS
Definition errlevel.h:63
#define D_PUSH_ERRORS
Definition errlevel.h:67
#define D_TLS_DEBUG
Definition errlevel.h:165
void reschedule_multi_process(struct context *c)
Reschedule tls_multi_process.
Definition forward.c:403
bool send_control_channel_string_dowork(struct tls_session *session, const char *str, int msglevel)
Definition forward.c:381
bool schedule_exit(struct context *c)
Definition forward.c:533
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition forward.c:410
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition ssl_common.h:539
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:459
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:538
bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
Definition init.c:2464
unsigned int pull_permission_mask(const struct context *c)
Definition init.c:2601
static unsigned int min_uint(unsigned int x, unsigned int y)
Definition integer.h:63
static unsigned int max_uint(unsigned int x, unsigned int y)
Definition integer.h:50
static SERVICE_STATUS status
Definition interactive.c:52
static void event_timeout_clear(struct event_timeout *et)
Clears the timeout and reset all values to 0.
Definition interval.h:155
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3093
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2750
void management_notify_generic(struct management *man, const char *str)
Definition manage.c:2907
void management_notify_client_cr_response(unsigned mda_key_id, const struct man_def_auth_context *mdac, const struct env_set *es, const char *response)
Definition manage.c:2964
void management_notify(struct management *man, const char *severity, const char *type, const char *text)
Definition manage.c:2901
#define OPENVPN_STATE_AUTH_PENDING
Definition manage.h:483
const char ** make_extended_arg_array(char **p, bool is_inline, struct gc_arena *gc)
Definition misc.c:640
const char * sanitize_control_message(const char *src, struct gc_arena *gc)
Definition misc.c:670
#define CLEAR(x)
Definition basic.h:33
#define SIZE(x)
Definition basic.h:30
#define M_USAGE
Definition error.h:106
#define M_FATAL
Definition error.h:89
#define dmsg(flags,...)
Definition error.h:148
#define msg(flags,...)
Definition error.h:144
#define ASSERT(x)
Definition error.h:195
#define M_WARN
Definition error.h:91
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4298
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5567
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:5030
int auth_retry_get(void)
Definition options.c:4837
#define MODE_SERVER
Definition options.h:260
#define streq(x, y)
Definition options.h:726
#define AR_INTERACT
Definition options.h:905
#define OPTION_PARM_SIZE
Definition options.h:57
#define AR_NONE
Definition options.h:904
#define AR_NOINTERACT
Definition options.h:906
#define MAX_PARMS
Definition options.h:52
#define OPTION_LINE_SIZE
Definition options.h:58
const char * parse_auth_failed_temp(struct options *o, const char *reason)
time_t now
Definition otime.c:34
static time_t openvpn_time(time_t *t)
Definition otime.h:90
int process_incoming_push_request(struct context *c)
Definition push.c:975
void receive_auth_pending(struct context *c, const struct buffer *buffer)
Parses an AUTH_PENDING message and if in pull mode extends the timeout.
Definition push.c:341
static bool push_option_fmt(struct gc_arena *gc, struct push_list *push_list, int msglevel, const char *fmt,...)
Add an option to the given push list by providing a format string.
Definition push.c:913
void receive_auth_failed(struct context *c, const struct buffer *buffer)
Definition push.c:51
void send_restart(struct context *c, const char *kill_msg)
Definition push.c:496
void push_option(struct options *o, const char *opt, int msglevel)
Definition push.c:883
void server_pushed_signal(struct context *c, const struct buffer *buffer, const bool restart, const int adv)
Definition push.c:133
void push_reset(struct options *o)
Definition push.c:931
void receive_cr_response(struct context *c, const struct buffer *buffer)
Definition push.c:266
void send_auth_failed(struct context *c, const char *client_reason)
Definition push.c:397
static char push_reply_cmd[]
Definition push.c:42
void clone_push_list(struct options *o)
Definition push.c:889
void receive_exit_message(struct context *c)
Definition push.c:193
void prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, struct push_list *push_list)
Prepare push option for auth-token.
Definition push.c:587
static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, unsigned int *option_types_found, struct buffer *buf)
Definition push.c:1043
bool send_push_request(struct context *c)
Definition push.c:552
static void push_option_ex(struct gc_arena *gc, struct push_list *push_list, const char *opt, bool enable, int msglevel)
Definition push.c:854
bool send_auth_pending_messages(struct tls_multi *tls_multi, struct tls_session *session, const char *extra, unsigned int timeout)
Sends the auth pending control messages to a client.
Definition push.c:439
void push_remove_option(struct options *o, const char *p)
Definition push.c:937
void incoming_push_message(struct context *c, const struct buffer *buffer)
Definition push.c:507
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:905
bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list)
Prepare push options, based on local options.
Definition push.c:622
static void push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
Definition push.c:1021
static bool send_push_options(struct context *c, struct buffer *buf, struct push_list *push_list, int safe_cap, bool *push_sent, bool *multi_push)
Definition push.c:730
void remove_iroutes_from_push_route_list(struct options *o)
Definition push.c:1125
static void parse_auth_pending_keywords(const struct buffer *buffer, unsigned int *server_timeout)
Parse the keyword for the AUTH_PENDING request.
Definition push.c:298
int process_incoming_push_msg(struct context *c, const struct buffer *buffer, bool honor_received_options, unsigned int permission_mask, unsigned int *option_types_found)
Definition push.c:1095
bool send_push_reply(struct context *c, struct push_list *per_client_push_list)
Definition push.c:789
void server_pushed_info(const struct buffer *buffer, const int adv)
Definition push.c:229
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
Definition push.c:769
#define PUSH_MSG_REQUEST
Definition push.h:30
#define PUSH_MSG_REQUEST_DEFERRED
Definition push.h:32
#define PUSH_MSG_ERROR
Definition push.h:29
#define PUSH_MSG_REPLY
Definition push.h:31
#define PUSH_MSG_AUTH_FAILURE
Definition push.h:33
#define PUSH_MSG_CONTINUATION
Definition push.h:34
#define PUSH_MSG_ALREADY_REPLIED
Definition push.h:35
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:401
void register_signal(struct signal_info *si, int signum, const char *signal_text)
Register a soft signal in the signal_info struct si respecting priority.
Definition sig.c:231
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:226
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3027
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3007
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
#define GETADDR_HOST_ORDER
Definition socket.h:519
int openvpn_base64_encode(const void *data, int size, char **str)
Definition base64.c:52
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:392
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:417
bool ssl_clean_auth_token(void)
Definition ssl.c:381
Control Channel SSL/Data channel negotiation module.
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
@ CAS_CONNECT_DONE
Definition ssl_common.h:586
@ CAS_FAILED
Option import failed or explicitly denied the client.
Definition ssl_common.h:578
#define UP_TYPE_AUTH
Definition ssl_common.h:42
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:748
bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition ssl_ncp.c:80
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
char * extract_var_peer_info(const char *peer_info, const char *var, struct gc_arena *gc)
Extracts a variable from peer info, the returned string will be allocated using the supplied gc_arena...
Definition ssl_util.c:32
unsigned int extract_iv_proto(const char *peer_info)
Extracts the IV_PROTO variable and returns its value or 0 if it cannot be extracted.
Definition ssl_util.c:62
SSL utility functions.
void verify_crresponse_plugin(struct tls_multi *multi, const char *cr_response)
Call the plugin OPENVPN_PLUGIN_CLIENT_CRRESPONSE.
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
void verify_crresponse_script(struct tls_multi *multi, const char *cr_response)
Runs the –client-crresponse script if one is defined.
Control Channel Verification Module.
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:74
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:75
static const char * tls_client_reason(struct tls_multi *multi)
Definition ssl_verify.h:282
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
bool tun_mtu_defined
Definition options.h:129
bool push_ifconfig_ipv6_defined
Definition openvpn.h:436
bool push_ifconfig_defined
Definition openvpn.h:430
struct env_set * es
Definition openvpn.h:422
time_t push_request_timeout
Definition openvpn.h:442
struct event_timeout wait_for_connect
Definition openvpn.h:284
struct event_timeout push_request_interval
Definition openvpn.h:441
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:325
time_t sent_push_reply_expiry
Definition openvpn.h:431
struct in6_addr push_ifconfig_ipv6_remote
Definition openvpn.h:439
int push_ifconfig_ipv6_netbits
Definition openvpn.h:438
struct in6_addr push_ifconfig_ipv6_local
Definition openvpn.h:437
in_addr_t push_ifconfig_local_alias
Definition openvpn.h:434
in_addr_t push_ifconfig_remote_netmask
Definition openvpn.h:433
in_addr_t push_ifconfig_local
Definition openvpn.h:432
Contains all state information for one tunnel.
Definition openvpn.h:476
struct signal_info * sig
Internal error signaling object.
Definition openvpn.h:502
struct context_2 c2
Level 2 context.
Definition openvpn.h:516
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:477
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
struct iroute_ipv6 * next
Definition route.h:255
unsigned int netbits
Definition route.h:254
struct in6_addr network
Definition route.h:253
in_addr_t network
Definition route.h:247
int netbits
Definition route.h:248
struct iroute * next
Definition route.h:249
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:203
time_t established
Definition ssl_common.h:223
unsigned int mda_key_id
Definition ssl_common.h:258
time_t initial
Definition ssl_common.h:222
time_t peer_last_packet
Definition ssl_common.h:226
time_t auth_deferred_expire
Definition ssl_common.h:255
unsigned int push_option_types_found
Definition options.h:560
bool push_ifconfig_ipv6_blocked
Definition options.h:527
int handshake_window
Definition options.h:654
const char * ifconfig_local
Definition options.h:322
struct connection_entry ce
Definition options.h:289
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:514
struct push_list push_list
Definition options.h:489
const char * ciphername
Definition options.h:575
bool pull
Definition options.h:558
struct gc_arena gc
Definition options.h:252
struct iroute * iroutes
Definition options.h:513
bool no_advance
Definition options.h:294
bool push_ifconfig_ipv4_blocked
Definition options.h:522
Definition pushlist.h:29
struct push_entry * next
Definition pushlist.h:30
bool enable
Definition pushlist.h:31
const char * option
Definition pushlist.h:32
struct push_entry * head
Definition pushlist.h:36
struct push_entry * tail
Definition pushlist.h:37
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:604
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:665
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:642
enum multi_status multi_state
Definition ssl_common.h:625
struct tls_options opt
Definition ssl_common.h:609
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:704
uint32_t peer_id
Definition ssl_common.h:692
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition ssl_common.h:671
bool use_peer_id
Definition ssl_common.h:693
interval_t renegotiate_seconds
Definition ssl_common.h:342
int handshake_window
Definition ssl_common.h:335
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483
__attribute__((unused))
Definition test.c:42
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:155