2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27
#elif defined(_MSC_VER)
28
#include "config-msvc.h"
33
#ifdef ENABLE_MANAGEMENT
53
#define MANAGEMENT_ECHO_PULL_INFO 0
55
#if MANAGEMENT_ECHO_PULL_INFO
56
#define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
58
#define MANAGEMENT_ECHO_FLAGS 0
61
/* tag for blank username/password */
62
static const char blank_up[] = "[[BLANK]]";
64
struct management *management; /* GLOBAL */
66
/* static forward declarations */
67
static void man_output_standalone (struct management *man, volatile int *signal_received);
68
static void man_reset_client_socket (struct management *man, const bool exiting);
73
msg (M_CLIENT, "Management Interface for %s", title_string);
74
msg (M_CLIENT, "Commands:");
75
msg (M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
76
msg (M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
77
msg (M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
78
msg (M_CLIENT, "exit|quit : Close management session.");
79
msg (M_CLIENT, "forget-passwords : Forget passwords entered so far.");
80
msg (M_CLIENT, "help : Print this message.");
81
msg (M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
82
msg (M_CLIENT, " release current hold and start tunnel.");
83
msg (M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
84
msg (M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
85
msg (M_CLIENT, "load-stats : Show global server load stats.");
86
msg (M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
87
msg (M_CLIENT, " + show last N lines or 'all' for entire history.");
88
msg (M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
89
msg (M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
90
msg (M_CLIENT, " where action = 'ok' or 'cancel'.");
91
msg (M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
92
msg (M_CLIENT, " where action is reply string.");
93
msg (M_CLIENT, "net : (Windows only) Show network info and routing table.");
94
msg (M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
95
msg (M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
96
msg (M_CLIENT, "proxy type [host port flags] : Enter dynamic proxy server info.");
97
msg (M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
99
msg (M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
100
msg (M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
102
#ifdef MANAGEMENT_DEF_AUTH
103
msg (M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
104
msg (M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
105
msg (M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
106
msg (M_CLIENT, " text R and optional client reason text CR");
107
msg (M_CLIENT, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
108
msg (M_CLIENT, "env-filter [level] : Set env-var filter level");
110
msg (M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)");
113
#ifdef MANAGMENT_EXTERNAL_KEY
114
msg (M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge");
115
msg (M_CLIENT, " Enter signature base64 on subsequent lines followed by END");
117
msg (M_CLIENT, "signal s : Send signal s to daemon,");
118
msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
119
msg (M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
120
msg (M_CLIENT, "status [n] : Show current daemon status info using format #n.");
121
msg (M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
122
msg (M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
123
msg (M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
124
msg (M_CLIENT, "version : Show current version number.");
125
msg (M_CLIENT, "END");
129
man_state_name (const int state)
133
case OPENVPN_STATE_INITIAL:
135
case OPENVPN_STATE_CONNECTING:
137
case OPENVPN_STATE_WAIT:
139
case OPENVPN_STATE_AUTH:
141
case OPENVPN_STATE_GET_CONFIG:
143
case OPENVPN_STATE_ASSIGN_IP:
145
case OPENVPN_STATE_ADD_ROUTES:
147
case OPENVPN_STATE_CONNECTED:
149
case OPENVPN_STATE_RECONNECTING:
150
return "RECONNECTING";
151
case OPENVPN_STATE_EXITING:
153
case OPENVPN_STATE_RESOLVE:
155
case OPENVPN_STATE_TCP_CONNECT:
156
return "TCP_CONNECT";
163
man_welcome (struct management *man)
165
msg (M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
167
if (man->persist.special_state_msg)
168
msg (M_CLIENT, "%s", man->persist.special_state_msg);
172
man_password_needed (struct management *man)
174
return man->settings.up.defined && !man->connection.password_verified;
178
man_check_password (struct management *man, const char *line)
180
if (man_password_needed (man))
182
if (streq (line, man->settings.up.password))
184
man->connection.password_verified = true;
185
msg (M_CLIENT, "SUCCESS: password is correct");
190
man->connection.password_verified = false;
191
msg (M_CLIENT, "ERROR: bad password");
192
if (++man->connection.password_tries >= MANAGEMENT_N_PASSWORD_RETRIES)
194
msg (M_WARN, "MAN: client connection rejected after %d failed password attempts",
195
MANAGEMENT_N_PASSWORD_RETRIES);
196
man->connection.halt = true;
203
man_update_io_state (struct management *man)
205
if (socket_defined (man->connection.sd_cli))
207
if (buffer_list_defined (man->connection.out))
209
man->connection.state = MS_CC_WAIT_WRITE;
213
man->connection.state = MS_CC_WAIT_READ;
219
man_output_list_push_finalize (struct management *man)
221
if (management_connected (man))
223
man_update_io_state (man);
224
if (!man->persist.standalone_disabled)
226
volatile int signal_received = 0;
227
man_output_standalone (man, &signal_received);
233
man_output_list_push_str (struct management *man, const char *str)
235
if (management_connected (man) && str)
237
buffer_list_push (man->connection.out, (const unsigned char *) str);
242
man_output_list_push (struct management *man, const char *str)
244
man_output_list_push_str (man, str);
245
man_output_list_push_finalize (man);
249
man_prompt (struct management *man)
251
if (man_password_needed (man))
252
man_output_list_push (man, "ENTER PASSWORD:");
253
#if 0 /* should we use prompt? */
255
man_output_list_push (man, ">");
260
man_delete_unix_socket (struct management *man)
262
#if UNIX_SOCK_SUPPORT
263
if ((man->settings.flags & (MF_UNIX_SOCK|MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
264
socket_delete_unix (&man->settings.local_unix);
269
man_close_socket (struct management *man, const socket_descriptor_t sd)
273
* Windows doesn't need this because the ne32 event is permanently
274
* enabled at struct management scope.
276
if (man->persist.callback.delete_event)
277
(*man->persist.callback.delete_event) (man->persist.callback.arg, sd);
279
openvpn_close_socket (sd);
283
virtual_output_callback_func (void *arg, const unsigned int flags, const char *str)
285
struct management *man = (struct management *) arg;
286
static int recursive_level = 0; /* GLOBAL */
288
# define AF_DID_PUSH (1<<0)
289
# define AF_DID_RESET (1<<1)
291
if (!recursive_level) /* don't allow recursion */
293
struct gc_arena gc = gc_new ();
295
const char *out = NULL;
296
unsigned int action_flags = 0;
303
e.u.msg_flags = flags;
307
man->persist.standalone_disabled = false;
309
if (flags != M_CLIENT)
310
log_history_add (man->persist.log, &e);
312
if (!man_password_needed (man))
314
if (flags == M_CLIENT)
315
out = log_entry_print (&e, LOG_PRINT_CRLF, &gc);
316
else if (man->connection.log_realtime)
317
out = log_entry_print (&e, LOG_PRINT_INT_DATE
318
| LOG_PRINT_MSG_FLAGS
319
| LOG_PRINT_LOG_PREFIX
320
| LOG_PRINT_CRLF, &gc);
323
man_output_list_push_str (man, out);
324
action_flags |= AF_DID_PUSH;
328
out = log_entry_print (&e, LOG_FATAL_NOTIFY|LOG_PRINT_CRLF, &gc);
331
man_output_list_push_str (man, out);
332
action_flags |= (AF_DID_PUSH|AF_DID_RESET);
339
if (action_flags & AF_DID_PUSH)
340
man_output_list_push_finalize (man);
341
if (action_flags & AF_DID_RESET)
342
man_reset_client_socket (man, true);
349
* Given a signal, return the signal with possible remapping applied,
350
* or -1 if the signal should be ignored.
353
man_mod_signal (const struct management *man, const int signum)
355
const unsigned int flags = man->settings.mansig;
359
if (flags & MANSIG_MAP_USR1_TO_HUP)
361
if (flags & MANSIG_MAP_USR1_TO_TERM)
364
if (flags & MANSIG_IGNORE_USR1_HUP)
366
if (s == SIGHUP || s == SIGUSR1)
373
man_signal (struct management *man, const char *name)
375
const int sig = parse_signal (name);
378
const int sig_mod = man_mod_signal (man, sig);
381
throw_signal (sig_mod);
382
msg (M_CLIENT, "SUCCESS: signal %s thrown", signal_name (sig_mod, true));
386
if (man->persist.special_state_msg)
387
msg (M_CLIENT, "%s", man->persist.special_state_msg);
389
msg (M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
394
msg (M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
399
man_status (struct management *man, const int version, struct status_output *so)
401
if (man->persist.callback.status)
403
(*man->persist.callback.status) (man->persist.callback.arg, version, so);
407
msg (M_CLIENT, "ERROR: The 'status' command is not supported by the current daemon mode");
412
man_bytecount (struct management *man, const int update_seconds)
414
if (update_seconds >= 0)
415
man->connection.bytecount_update_seconds = update_seconds;
417
man->connection.bytecount_update_seconds = 0;
418
msg (M_CLIENT, "SUCCESS: bytecount interval changed");
422
man_bytecount_output_client (struct management *man)
426
/* do in a roundabout way to work around possible mingw or mingw-glibc bug */
427
openvpn_snprintf (in, sizeof (in), counter_format, man->persist.bytes_in);
428
openvpn_snprintf (out, sizeof (out), counter_format, man->persist.bytes_out);
429
msg (M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
430
man->connection.bytecount_last_update = now;
433
#ifdef MANAGEMENT_DEF_AUTH
436
man_bytecount_output_server (struct management *man,
437
const counter_type *bytes_in_total,
438
const counter_type *bytes_out_total,
439
struct man_def_auth_context *mdac)
443
/* do in a roundabout way to work around possible mingw or mingw-glibc bug */
444
openvpn_snprintf (in, sizeof (in), counter_format, *bytes_in_total);
445
openvpn_snprintf (out, sizeof (out), counter_format, *bytes_out_total);
446
msg (M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
447
mdac->bytecount_last_update = now;
453
man_kill (struct management *man, const char *victim)
455
struct gc_arena gc = gc_new ();
457
if (man->persist.callback.kill_by_cn && man->persist.callback.kill_by_addr)
464
buf_set_read (&buf, (uint8_t*) victim, strlen (victim) + 1);
465
buf_parse (&buf, ':', p1, sizeof (p1));
466
buf_parse (&buf, ':', p2, sizeof (p2));
468
if (strlen (p1) && strlen (p2))
470
/* IP:port specified */
472
const in_addr_t addr = getaddr (GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL);
475
const int port = atoi (p2);
476
if (port > 0 && port < 65536)
478
n_killed = (*man->persist.callback.kill_by_addr) (man->persist.callback.arg, addr, port);
481
msg (M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed",
483
print_in_addr_t (addr, 0, &gc),
488
msg (M_CLIENT, "ERROR: client at address %s:%d not found",
489
print_in_addr_t (addr, 0, &gc),
495
msg (M_CLIENT, "ERROR: port number is out of range: %s", p2);
500
msg (M_CLIENT, "ERROR: error parsing IP address: %s", p1);
503
else if (strlen (p1))
505
/* common name specified */
506
n_killed = (*man->persist.callback.kill_by_cn) (man->persist.callback.arg, p1);
509
msg (M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
513
msg (M_CLIENT, "ERROR: common name '%s' not found", p1);
518
msg (M_CLIENT, "ERROR: kill parse");
523
msg (M_CLIENT, "ERROR: The 'kill' command is not supported by the current daemon mode");
530
* General-purpose history command handler
531
* for the log and echo commands.
534
man_history (struct management *man,
537
struct log_history *log,
539
const unsigned int lep_flags)
541
struct gc_arena gc = gc_new ();
544
if (streq (parm, "on"))
547
msg (M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
549
else if (streq (parm, "off"))
552
msg (M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
554
else if (streq (parm, "all") || (n = atoi (parm)) > 0)
556
const int size = log_history_size (log);
557
const int start = (n ? n : size) - 1;
560
for (i = start; i >= 0; --i)
562
const struct log_entry *e = log_history_ref (log, i);
565
const char *out = log_entry_print (e, lep_flags, &gc);
566
virtual_output_callback_func (man, M_CLIENT, out);
569
msg (M_CLIENT, "END");
573
msg (M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
580
man_log (struct management *man, const char *parm)
586
&man->connection.log_realtime,
587
LOG_PRINT_INT_DATE|LOG_PRINT_MSG_FLAGS);
591
man_echo (struct management *man, const char *parm)
597
&man->connection.echo_realtime,
598
LOG_PRINT_INT_DATE|MANAGEMENT_ECHO_FLAGS);
602
man_state (struct management *man, const char *parm)
608
&man->connection.state_realtime,
609
LOG_PRINT_INT_DATE|LOG_PRINT_STATE|
610
LOG_PRINT_LOCAL_IP|LOG_PRINT_REMOTE_IP);
614
man_up_finalize (struct management *man)
616
switch (man->connection.up_query_mode)
618
case UP_QUERY_USER_PASS:
619
if (!strlen (man->connection.up_query.username))
623
case UP_QUERY_NEED_OK:
624
case UP_QUERY_NEED_STR:
625
if (strlen (man->connection.up_query.password))
626
man->connection.up_query.defined = true;
628
case UP_QUERY_DISABLED:
629
man->connection.up_query.defined = false;
637
man_query_user_pass (struct management *man,
647
ASSERT (man->connection.up_query_type);
648
if (streq (man->connection.up_query_type, type))
650
strncpynt (dest, string, len);
651
man_up_finalize (man);
652
msg (M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
657
msg (M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
660
man->connection.up_query_type);
664
msg (M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
669
man_query_username (struct management *man, const char *type, const char *string)
671
const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
672
) && man->connection.up_query_type);
673
man_query_user_pass (man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
677
man_query_password (struct management *man, const char *type, const char *string)
679
const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
680
|| man->connection.up_query_mode == UP_QUERY_USER_PASS
681
) && man->connection.up_query_type);
682
if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
684
man_query_user_pass (man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
688
man_query_need_ok (struct management *man, const char *type, const char *action)
690
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
691
man_query_user_pass (man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
695
man_query_need_str (struct management *man, const char *type, const char *action)
697
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
698
man_query_user_pass (man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
702
man_forget_passwords (struct management *man)
704
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
705
ssl_purge_auth (false);
706
msg (M_CLIENT, "SUCCESS: Passwords were forgotten");
711
man_net (struct management *man)
713
if (man->persist.callback.show_net)
715
(*man->persist.callback.show_net) (man->persist.callback.arg, M_CLIENT);
719
msg (M_CLIENT, "ERROR: The 'net' command is not supported by the current daemon mode");
726
man_pkcs11_id_count (struct management *man)
728
msg (M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count ());
732
man_pkcs11_id_get (struct management *man, const int index)
737
if (pkcs11_management_id_get (index, &id, &base64))
738
msg (M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
740
msg (M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
751
man_hold (struct management *man, const char *cmd)
755
if (streq (cmd, "on"))
757
man->settings.flags |= MF_HOLD;
758
msg (M_CLIENT, "SUCCESS: hold flag set to ON");
760
else if (streq (cmd, "off"))
762
man->settings.flags &= ~MF_HOLD;
763
msg (M_CLIENT, "SUCCESS: hold flag set to OFF");
765
else if (streq (cmd, "release"))
767
man->persist.hold_release = true;
768
msg (M_CLIENT, "SUCCESS: hold release succeeded");
772
msg (M_CLIENT, "ERROR: bad hold command parameter");
776
msg (M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
779
#ifdef MANAGEMENT_IN_EXTRA
785
in_extra_reset (struct man_connection *mc, const int mode)
791
mc->in_extra_cmd = IEC_UNDEF;
792
#ifdef MANAGEMENT_DEF_AUTH
793
mc->in_extra_cid = 0;
794
mc->in_extra_kid = 0;
799
buffer_list_free (mc->in_extra);
803
mc->in_extra = buffer_list_new (0);
808
in_extra_dispatch (struct management *man)
810
switch (man->connection.in_extra_cmd)
812
#ifdef MANAGEMENT_DEF_AUTH
813
case IEC_CLIENT_AUTH:
814
if (man->persist.callback.client_auth)
816
const bool status = (*man->persist.callback.client_auth)
817
(man->persist.callback.arg,
818
man->connection.in_extra_cid,
819
man->connection.in_extra_kid,
823
man->connection.in_extra);
824
man->connection.in_extra = NULL;
827
msg (M_CLIENT, "SUCCESS: client-auth command succeeded");
831
msg (M_CLIENT, "ERROR: client-auth command failed");
836
msg (M_CLIENT, "ERROR: The client-auth command is not supported by the current daemon mode");
842
if (man->persist.callback.client_pf)
844
const bool status = (*man->persist.callback.client_pf)
845
(man->persist.callback.arg,
846
man->connection.in_extra_cid,
847
man->connection.in_extra);
848
man->connection.in_extra = NULL;
851
msg (M_CLIENT, "SUCCESS: client-pf command succeeded");
855
msg (M_CLIENT, "ERROR: client-pf command failed");
860
msg (M_CLIENT, "ERROR: The client-pf command is not supported by the current daemon mode");
864
#ifdef MANAGMENT_EXTERNAL_KEY
866
man->connection.ext_key_state = EKS_READY;
867
buffer_list_free (man->connection.ext_key_input);
868
man->connection.ext_key_input = man->connection.in_extra;
869
man->connection.in_extra = NULL;
873
in_extra_reset (&man->connection, IER_RESET);
876
#endif /* MANAGEMENT_IN_EXTRA */
878
#ifdef MANAGEMENT_DEF_AUTH
881
parse_cid (const char *str, unsigned long *cid)
883
if (sscanf (str, "%lu", cid) == 1)
887
msg (M_CLIENT, "ERROR: cannot parse CID");
893
parse_kid (const char *str, unsigned int *kid)
895
if (sscanf (str, "%u", kid) == 1)
899
msg (M_CLIENT, "ERROR: cannot parse KID");
905
man_client_auth (struct management *man, const char *cid_str, const char *kid_str, const bool extra)
907
struct man_connection *mc = &man->connection;
908
mc->in_extra_cid = 0;
909
mc->in_extra_kid = 0;
910
if (parse_cid (cid_str, &mc->in_extra_cid)
911
&& parse_kid (kid_str, &mc->in_extra_kid))
913
mc->in_extra_cmd = IEC_CLIENT_AUTH;
914
in_extra_reset (mc, IER_NEW);
916
in_extra_dispatch (man);
921
man_client_deny (struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
923
unsigned long cid = 0;
924
unsigned int kid = 0;
925
if (parse_cid (cid_str, &cid) && parse_kid (kid_str, &kid))
927
if (man->persist.callback.client_auth)
929
const bool status = (*man->persist.callback.client_auth)
930
(man->persist.callback.arg,
939
msg (M_CLIENT, "SUCCESS: client-deny command succeeded");
943
msg (M_CLIENT, "ERROR: client-deny command failed");
948
msg (M_CLIENT, "ERROR: The client-deny command is not supported by the current daemon mode");
954
man_client_kill (struct management *man, const char *cid_str, const char *kill_msg)
956
unsigned long cid = 0;
957
if (parse_cid (cid_str, &cid))
959
if (man->persist.callback.kill_by_cid)
961
const bool status = (*man->persist.callback.kill_by_cid) (man->persist.callback.arg, cid, kill_msg);
964
msg (M_CLIENT, "SUCCESS: client-kill command succeeded");
968
msg (M_CLIENT, "ERROR: client-kill command failed");
973
msg (M_CLIENT, "ERROR: The client-kill command is not supported by the current daemon mode");
979
man_client_n_clients (struct management *man)
981
if (man->persist.callback.n_clients)
983
const int nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
984
msg (M_CLIENT, "SUCCESS: nclients=%d", nclients);
988
msg (M_CLIENT, "ERROR: The nclients command is not supported by the current daemon mode");
993
man_env_filter (struct management *man, const int level)
995
man->connection.env_filter_level = level;
996
msg (M_CLIENT, "SUCCESS: env_filter_level=%d", level);
1002
man_client_pf (struct management *man, const char *cid_str)
1004
struct man_connection *mc = &man->connection;
1005
mc->in_extra_cid = 0;
1006
mc->in_extra_kid = 0;
1007
if (parse_cid (cid_str, &mc->in_extra_cid))
1009
mc->in_extra_cmd = IEC_CLIENT_PF;
1010
in_extra_reset (mc, IER_NEW);
1014
#endif /* MANAGEMENT_PF */
1015
#endif /* MANAGEMENT_DEF_AUTH */
1017
#ifdef MANAGMENT_EXTERNAL_KEY
1020
man_rsa_sig (struct management *man)
1022
struct man_connection *mc = &man->connection;
1023
if (mc->ext_key_state == EKS_SOLICIT)
1025
mc->ext_key_state = EKS_INPUT;
1026
mc->in_extra_cmd = IEC_RSA_SIGN;
1027
in_extra_reset (mc, IER_NEW);
1030
msg (M_CLIENT, "ERROR: The rsa-sig command is not currently available");
1036
man_load_stats (struct management *man)
1038
extern counter_type link_read_bytes_global;
1039
extern counter_type link_write_bytes_global;
1042
if (man->persist.callback.n_clients)
1043
nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
1044
msg (M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
1046
link_read_bytes_global,
1047
link_write_bytes_global);
1050
#define MN_AT_LEAST (1<<0)
1053
man_need (struct management *man, const char **p, const int n, unsigned int flags)
1057
for (i = 1; i <= n; ++i)
1061
msg (M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
1063
(flags & MN_AT_LEAST) ? "at least " : "",
1073
man_proxy (struct management *man, const char **p)
1075
if (man->persist.callback.proxy_cmd)
1077
const bool status = (*man->persist.callback.proxy_cmd)(man->persist.callback.arg, p);
1079
msg (M_CLIENT, "SUCCESS: proxy command succeeded");
1081
msg (M_CLIENT, "ERROR: proxy command failed");
1084
msg (M_CLIENT, "ERROR: The proxy command is not supported by the current daemon mode");
1088
man_remote (struct management *man, const char **p)
1090
if (man->persist.callback.remote_cmd)
1092
const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
1095
msg (M_CLIENT, "SUCCESS: remote command succeeded");
1099
msg (M_CLIENT, "ERROR: remote command failed");
1104
msg (M_CLIENT, "ERROR: The remote command is not supported by the current daemon mode");
1109
man_dispatch_command (struct management *man, struct status_output *so, const char **p, const int nparms)
1111
struct gc_arena gc = gc_new ();
1114
if (streq (p[0], "exit") || streq (p[0], "quit"))
1116
man->connection.halt = true;
1119
else if (streq (p[0], "help"))
1123
else if (streq (p[0], "version"))
1125
msg (M_CLIENT, "OpenVPN Version: %s", title_string);
1126
msg (M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1127
msg (M_CLIENT, "END");
1129
else if (streq (p[0], "pid"))
1131
msg (M_CLIENT, "SUCCESS: pid=%d", platform_getpid ());
1133
#ifdef MANAGEMENT_DEF_AUTH
1134
else if (streq (p[0], "nclients"))
1136
man_client_n_clients (man);
1138
else if (streq (p[0], "env-filter"))
1142
level = atoi (p[1]);
1143
man_env_filter (man, level);
1146
else if (streq (p[0], "signal"))
1148
if (man_need (man, p, 1, 0))
1149
man_signal (man, p[1]);
1151
else if (streq (p[0], "load-stats"))
1153
man_load_stats (man);
1155
else if (streq (p[0], "status"))
1159
version = atoi (p[1]);
1160
man_status (man, version, so);
1162
else if (streq (p[0], "kill"))
1164
if (man_need (man, p, 1, 0))
1165
man_kill (man, p[1]);
1167
else if (streq (p[0], "verb"))
1171
const int level = atoi(p[1]);
1172
if (set_debug_level (level, 0))
1173
msg (M_CLIENT, "SUCCESS: verb level changed");
1175
msg (M_CLIENT, "ERROR: verb level is out of range");
1178
msg (M_CLIENT, "SUCCESS: verb=%d", get_debug_level ());
1180
else if (streq (p[0], "mute"))
1184
const int level = atoi(p[1]);
1185
if (set_mute_cutoff (level))
1186
msg (M_CLIENT, "SUCCESS: mute level changed");
1188
msg (M_CLIENT, "ERROR: mute level is out of range");
1191
msg (M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff ());
1193
else if (streq (p[0], "auth-retry"))
1198
if (auth_retry_set (M_CLIENT, p[1]))
1199
msg (M_CLIENT, "SUCCESS: auth-retry parameter changed");
1201
msg (M_CLIENT, "ERROR: bad auth-retry parameter");
1204
msg (M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print ());
1206
msg (M_CLIENT, "ERROR: auth-retry feature is unavailable");
1209
else if (streq (p[0], "state"))
1213
man_state (man, "1");
1218
man_state (man, p[1]);
1220
man_state (man, p[2]);
1223
else if (streq (p[0], "log"))
1225
if (man_need (man, p, 1, MN_AT_LEAST))
1228
man_log (man, p[1]);
1230
man_log (man, p[2]);
1233
else if (streq (p[0], "echo"))
1235
if (man_need (man, p, 1, MN_AT_LEAST))
1238
man_echo (man, p[1]);
1240
man_echo (man, p[2]);
1243
else if (streq (p[0], "username"))
1245
if (man_need (man, p, 2, 0))
1246
man_query_username (man, p[1], p[2]);
1248
else if (streq (p[0], "password"))
1250
if (man_need (man, p, 2, 0))
1251
man_query_password (man, p[1], p[2]);
1253
else if (streq (p[0], "forget-passwords"))
1255
man_forget_passwords (man);
1257
else if (streq (p[0], "needok"))
1259
if (man_need (man, p, 2, 0))
1260
man_query_need_ok (man, p[1], p[2]);
1262
else if (streq (p[0], "needstr"))
1264
if (man_need (man, p, 2, 0))
1265
man_query_need_str (man, p[1], p[2]);
1267
else if (streq (p[0], "net"))
1271
else if (streq (p[0], "hold"))
1273
man_hold (man, p[1]);
1275
else if (streq (p[0], "bytecount"))
1277
if (man_need (man, p, 1, 0))
1278
man_bytecount (man, atoi(p[1]));
1280
#ifdef MANAGEMENT_DEF_AUTH
1281
else if (streq (p[0], "client-kill"))
1283
if (man_need (man, p, 1, MN_AT_LEAST))
1284
man_client_kill (man, p[1], p[2]);
1286
else if (streq (p[0], "client-deny"))
1288
if (man_need (man, p, 3, MN_AT_LEAST))
1289
man_client_deny (man, p[1], p[2], p[3], p[4]);
1291
else if (streq (p[0], "client-auth-nt"))
1293
if (man_need (man, p, 2, 0))
1294
man_client_auth (man, p[1], p[2], false);
1296
else if (streq (p[0], "client-auth"))
1298
if (man_need (man, p, 2, 0))
1299
man_client_auth (man, p[1], p[2], true);
1301
#ifdef MANAGEMENT_PF
1302
else if (streq (p[0], "client-pf"))
1304
if (man_need (man, p, 1, 0))
1305
man_client_pf (man, p[1]);
1309
#ifdef MANAGMENT_EXTERNAL_KEY
1310
else if (streq (p[0], "rsa-sig"))
1315
#ifdef ENABLE_PKCS11
1316
else if (streq (p[0], "pkcs11-id-count"))
1318
man_pkcs11_id_count (man);
1320
else if (streq (p[0], "pkcs11-id-get"))
1322
if (man_need (man, p, 1, 0))
1323
man_pkcs11_id_get (man, atoi(p[1]));
1326
else if (streq (p[0], "proxy"))
1328
if (man_need (man, p, 1, MN_AT_LEAST))
1331
else if (streq (p[0], "remote"))
1333
if (man_need (man, p, 1, MN_AT_LEAST))
1334
man_remote (man, p);
1337
else if (streq (p[0], "test"))
1339
if (man_need (man, p, 1, 0))
1342
const int n = atoi (p[1]);
1343
for (i = 0; i < n; ++i)
1345
msg (M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
1352
msg (M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
1362
man_start_ne32 (struct management *man)
1364
switch (man->connection.state)
1367
net_event_win32_start (&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1369
case MS_CC_WAIT_READ:
1370
case MS_CC_WAIT_WRITE:
1371
net_event_win32_start (&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
1379
man_stop_ne32 (struct management *man)
1381
net_event_win32_stop (&man->connection.ne32);
1387
man_record_peer_info (struct management *man)
1389
struct gc_arena gc = gc_new ();
1390
if (man->settings.write_peer_info_file)
1392
bool success = false;
1393
#ifdef HAVE_GETSOCKNAME
1394
if (socket_defined (man->connection.sd_cli))
1396
struct sockaddr_in addr;
1397
socklen_t addrlen = sizeof (addr);
1401
status = getsockname (man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen);
1402
if (!status && addrlen == sizeof (addr))
1404
const in_addr_t a = ntohl (addr.sin_addr.s_addr);
1405
const int p = ntohs (addr.sin_port);
1406
FILE *fp = platform_fopen (man->settings.write_peer_info_file, "w");
1409
fprintf (fp, "%s\n%d\n", print_in_addr_t (a, 0, &gc), p);
1418
msg (D_MANAGEMENT, "MANAGEMENT: failed to write peer info to file %s",
1419
man->settings.write_peer_info_file);
1420
throw_signal_soft (SIGTERM, "management-connect-failed");
1427
man_connection_settings_reset (struct management *man)
1429
man->connection.state_realtime = false;
1430
man->connection.log_realtime = false;
1431
man->connection.echo_realtime = false;
1432
man->connection.bytecount_update_seconds = 0;
1433
man->connection.password_verified = false;
1434
man->connection.password_tries = 0;
1435
man->connection.halt = false;
1436
man->connection.state = MS_CC_WAIT_WRITE;
1440
man_new_connection_post (struct management *man, const char *description)
1442
struct gc_arena gc = gc_new ();
1444
set_nonblock (man->connection.sd_cli);
1445
set_cloexec (man->connection.sd_cli);
1447
man_connection_settings_reset (man);
1450
man_start_ne32 (man);
1453
#if UNIX_SOCK_SUPPORT
1454
if (man->settings.flags & MF_UNIX_SOCK)
1456
msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
1458
sockaddr_unix_name (&man->settings.local_unix, "NULL"));
1462
msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
1464
print_sockaddr (&man->settings.local, &gc));
1466
buffer_list_reset (man->connection.out);
1468
if (!man_password_needed (man))
1471
man_update_io_state (man);
1476
#if UNIX_SOCK_SUPPORT
1478
man_verify_unix_peer_uid_gid (struct management *man, const socket_descriptor_t sd)
1480
if (socket_defined (sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1482
static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
1484
if (unix_socket_get_peer_uid_gid (man->connection.sd_cli, &uid, &gid))
1486
if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1488
msg (D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1489
err_prefix, uid, man->settings.client_uid);
1492
if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1494
msg (D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1495
err_prefix, gid, man->settings.client_gid);
1501
msg (D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1510
man_accept (struct management *man)
1512
struct link_socket_actual act;
1516
* Accept the TCP or Unix domain socket client.
1518
#if UNIX_SOCK_SUPPORT
1519
if (man->settings.flags & MF_UNIX_SOCK)
1521
struct sockaddr_un remote;
1522
man->connection.sd_cli = socket_accept_unix (man->connection.sd_top, &remote);
1523
if (!man_verify_unix_peer_uid_gid (man, man->connection.sd_cli))
1524
sd_close (&man->connection.sd_cli);
1528
man->connection.sd_cli = socket_do_accept (man->connection.sd_top, &act, false);
1530
if (socket_defined (man->connection.sd_cli))
1532
man->connection.remote = act.dest;
1534
if (socket_defined (man->connection.sd_top))
1537
man_stop_ne32 (man);
1541
man_new_connection_post (man, "Client connected from");
1546
man_listen (struct management *man)
1548
struct gc_arena gc = gc_new ();
1553
man->connection.state = MS_LISTEN;
1554
man->connection.sd_cli = SOCKET_UNDEFINED;
1557
* Initialize listening socket
1559
if (man->connection.sd_top == SOCKET_UNDEFINED)
1561
#if UNIX_SOCK_SUPPORT
1562
if (man->settings.flags & MF_UNIX_SOCK)
1564
man_delete_unix_socket (man);
1565
man->connection.sd_top = create_socket_unix ();
1566
socket_bind_unix (man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1571
man->connection.sd_top = create_socket_tcp (AF_INET);
1572
socket_bind (man->connection.sd_top, &man->settings.local, "MANAGEMENT");
1576
* Listen for connection
1578
if (listen (man->connection.sd_top, 1))
1579
msg (M_ERR, "MANAGEMENT: listen() failed");
1582
* Set misc socket properties
1584
set_nonblock (man->connection.sd_top);
1585
set_cloexec (man->connection.sd_top);
1587
#if UNIX_SOCK_SUPPORT
1588
if (man->settings.flags & MF_UNIX_SOCK)
1590
msg (D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1591
sockaddr_unix_name (&man->settings.local_unix, "NULL"));
1595
msg (D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1596
print_sockaddr (&man->settings.local, &gc));
1600
man_start_ne32 (man);
1607
man_connect (struct management *man)
1609
struct gc_arena gc = gc_new ();
1611
int signal_received = 0;
1616
man->connection.state = MS_INITIAL;
1617
man->connection.sd_top = SOCKET_UNDEFINED;
1619
#if UNIX_SOCK_SUPPORT
1620
if (man->settings.flags & MF_UNIX_SOCK)
1622
man->connection.sd_cli = create_socket_unix ();
1623
status = socket_connect_unix (man->connection.sd_cli, &man->settings.local_unix);
1624
if (!status && !man_verify_unix_peer_uid_gid (man, man->connection.sd_cli))
1631
sd_close (&man->connection.sd_cli);
1637
man->connection.sd_cli = create_socket_tcp (AF_INET);
1638
status = openvpn_connect (man->connection.sd_cli,
1639
&man->settings.local,
1644
if (signal_received)
1646
throw_signal (signal_received);
1652
#if UNIX_SOCK_SUPPORT
1653
if (man->settings.flags & MF_UNIX_SOCK)
1656
"MANAGEMENT: connect to unix socket %s failed: %s",
1657
sockaddr_unix_name (&man->settings.local_unix, "NULL"),
1658
strerror_ts (status, &gc));
1663
"MANAGEMENT: connect to %s failed: %s",
1664
print_sockaddr (&man->settings.local, &gc),
1665
strerror_ts (status, &gc));
1666
throw_signal_soft (SIGTERM, "management-connect-failed");
1670
man_record_peer_info (man);
1671
man_new_connection_post (man, "Connected to management server at");
1678
man_reset_client_socket (struct management *man, const bool exiting)
1680
if (socket_defined (man->connection.sd_cli))
1683
man_stop_ne32 (man);
1685
man_close_socket (man, man->connection.sd_cli);
1686
man->connection.sd_cli = SOCKET_UNDEFINED;
1687
man->connection.state = MS_INITIAL;
1688
command_line_reset (man->connection.in);
1689
buffer_list_reset (man->connection.out);
1690
#ifdef MANAGEMENT_IN_EXTRA
1691
in_extra_reset (&man->connection, IER_RESET);
1693
msg (D_MANAGEMENT, "MANAGEMENT: Client disconnected");
1697
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
1698
if (man->settings.flags & MF_FORGET_DISCONNECT)
1699
ssl_purge_auth (false);
1701
if (man->settings.flags & MF_SIGNAL) {
1702
int mysig = man_mod_signal (man, SIGUSR1);
1705
msg (D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
1706
throw_signal_soft (mysig, "management-disconnect");
1710
if (man->settings.flags & MF_CONNECT_AS_CLIENT)
1712
msg (D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
1713
throw_signal_soft (SIGTERM, "management-exit");
1721
man_process_command (struct management *man, const char *line)
1723
struct gc_arena gc = gc_new ();
1724
struct status_output *so;
1726
char *parms[MAX_PARMS+1];
1729
so = status_open (NULL, 0, -1, &man->persist.vout, 0);
1730
#ifdef MANAGEMENT_IN_EXTRA
1731
in_extra_reset (&man->connection, IER_RESET);
1734
if (man_password_needed (man))
1736
man_check_password (man, line);
1740
nparms = parse_line (line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
1741
if (parms[0] && streq (parms[0], "password"))
1742
msg (D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
1743
else if (!streq (line, "load-stats"))
1744
msg (D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
1747
/* DEBUGGING -- print args */
1750
for (i = 0; i < nparms; ++i)
1751
msg (M_INFO, "[%d] '%s'", i, parms[i]);
1756
man_dispatch_command (man, so, (const char **)parms, nparms);
1765
man_io_error (struct management *man, const char *prefix)
1767
const int err = openvpn_errno ();
1769
if (!ignore_sys_error (err))
1771
struct gc_arena gc = gc_new ();
1772
msg (D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s",
1774
strerror_ts (err, &gc));
1783
man_read (struct management *man)
1786
* read command line from socket
1788
unsigned char buf[256];
1791
len = recv (man->connection.sd_cli, buf, sizeof (buf), MSG_NOSIGNAL);
1794
man_reset_client_socket (man, false);
1798
bool processed_command = false;
1800
ASSERT (len <= (int) sizeof (buf));
1801
command_line_add (man->connection.in, buf, len);
1804
* Reset output object
1806
buffer_list_reset (man->connection.out);
1809
* process command line if complete
1812
const unsigned char *line;
1813
while ((line = command_line_get (man->connection.in)))
1815
#ifdef MANAGEMENT_IN_EXTRA
1816
if (man->connection.in_extra)
1818
if (!strcmp ((char *)line, "END"))
1819
in_extra_dispatch (man);
1821
buffer_list_push (man->connection.in_extra, line);
1825
man_process_command (man, (char *) line);
1826
if (man->connection.halt)
1828
command_line_next (man->connection.in);
1829
processed_command = true;
1834
* Reset output state to MS_CC_WAIT_(READ|WRITE)
1836
if (man->connection.halt)
1838
man_reset_client_socket (man, false);
1843
if (processed_command)
1845
man_update_io_state (man);
1850
if (man_io_error (man, "recv"))
1851
man_reset_client_socket (man, false);
1857
man_write (struct management *man)
1859
const int size_hint = 1024;
1861
const struct buffer *buf;
1863
buffer_list_aggregate(man->connection.out, size_hint);
1864
buf = buffer_list_peek (man->connection.out);
1865
if (buf && BLEN (buf))
1867
const int len = min_int (size_hint, BLEN (buf));
1868
sent = send (man->connection.sd_cli, BPTR (buf), len, MSG_NOSIGNAL);
1871
buffer_list_advance (man->connection.out, sent);
1875
if (man_io_error (man, "send"))
1876
man_reset_client_socket (man, false);
1881
* Reset output state to MS_CC_WAIT_(READ|WRITE)
1883
man_update_io_state (man);
1889
man_connection_clear (struct man_connection *mc)
1893
/* set initial state */
1894
mc->state = MS_INITIAL;
1896
/* clear socket descriptors */
1897
mc->sd_top = SOCKET_UNDEFINED;
1898
mc->sd_cli = SOCKET_UNDEFINED;
1902
man_persist_init (struct management *man,
1903
const int log_history_cache,
1904
const int echo_buffer_size,
1905
const int state_buffer_size)
1907
struct man_persist *mp = &man->persist;
1912
/* initialize log history store */
1913
mp->log = log_history_init (log_history_cache);
1916
* Initialize virtual output object, so that functions
1917
* which write to a virtual_output object can be redirected
1918
* here to the management object.
1920
mp->vout.func = virtual_output_callback_func;
1922
mp->vout.flags_default = M_CLIENT;
1923
msg_set_virtual_output (&mp->vout);
1926
* Initialize --echo list
1928
man->persist.echo = log_history_init (echo_buffer_size);
1931
* Initialize --state list
1933
man->persist.state = log_history_init (state_buffer_size);
1940
man_persist_close (struct man_persist *mp)
1944
msg_set_virtual_output (NULL);
1945
log_history_close (mp->log);
1949
log_history_close (mp->echo);
1952
log_history_close (mp->state);
1958
man_settings_init (struct man_settings *ms,
1961
const char *pass_file,
1962
const char *client_user,
1963
const char *client_group,
1964
const int log_history_cache,
1965
const int echo_buffer_size,
1966
const int state_buffer_size,
1967
const char *write_peer_info_file,
1968
const int remap_sigusr1,
1969
const unsigned int flags)
1976
ms->client_uid = -1;
1977
ms->client_gid = -1;
1980
* Get username/password
1983
get_user_pass (&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
1986
* lookup client UID/GID if specified
1990
struct platform_state_user s;
1991
platform_user_get (client_user, &s);
1992
ms->client_uid = platform_state_user_uid (&s);
1993
msg (D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
1994
ASSERT (ms->client_uid >= 0);
1998
struct platform_state_group s;
1999
platform_group_get (client_group, &s);
2000
ms->client_gid = platform_state_group_gid (&s);
2001
msg (D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
2002
ASSERT (ms->client_gid >= 0);
2005
ms->write_peer_info_file = string_alloc (write_peer_info_file, NULL);
2007
#if UNIX_SOCK_SUPPORT
2008
if (ms->flags & MF_UNIX_SOCK)
2009
sockaddr_unix_init (&ms->local_unix, addr);
2014
* Initialize socket address
2016
ms->local.addr.in4.sin_family = AF_INET;
2017
ms->local.addr.in4.sin_addr.s_addr = 0;
2018
ms->local.addr.in4.sin_port = htons (port);
2021
* Run management over tunnel, or
2024
if (streq (addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
2026
ms->management_over_tunnel = true;
2030
ms->local.addr.in4.sin_addr.s_addr = getaddr
2031
(GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL, addr, 0, NULL, NULL);
2036
* Log history and echo buffer may need to be resized
2038
ms->log_history_cache = log_history_cache;
2039
ms->echo_buffer_size = echo_buffer_size;
2040
ms->state_buffer_size = state_buffer_size;
2043
* Set remap sigusr1 flags
2045
if (remap_sigusr1 == SIGHUP)
2046
ms->mansig |= MANSIG_MAP_USR1_TO_HUP;
2047
else if (remap_sigusr1 == SIGTERM)
2048
ms->mansig |= MANSIG_MAP_USR1_TO_TERM;
2055
man_settings_close (struct man_settings *ms)
2057
free (ms->write_peer_info_file);
2063
man_connection_init (struct management *man)
2065
if (man->connection.state == MS_INITIAL)
2069
* This object is a sort of TCP/IP helper
2072
net_event_win32_init (&man->connection.ne32);
2076
* Allocate helper objects for command line input and
2077
* command output from/to the socket.
2079
man->connection.in = command_line_new (1024);
2080
man->connection.out = buffer_list_new (0);
2083
* Initialize event set for standalone usage, when we are
2084
* running outside of the primary event loop.
2088
man->connection.es = event_set_init (&maxevents, EVENT_METHOD_FAST);
2092
* Listen/connect socket
2094
if (man->settings.flags & MF_CONNECT_AS_CLIENT)
2102
man_connection_close (struct management *man)
2104
struct man_connection *mc = &man->connection;
2107
event_free (mc->es);
2109
net_event_win32_close (&mc->ne32);
2111
if (socket_defined (mc->sd_top))
2113
man_close_socket (man, mc->sd_top);
2114
man_delete_unix_socket (man);
2116
if (socket_defined (mc->sd_cli))
2117
man_close_socket (man, mc->sd_cli);
2119
command_line_free (mc->in);
2121
buffer_list_free (mc->out);
2122
#ifdef MANAGEMENT_IN_EXTRA
2123
in_extra_reset (&man->connection, IER_RESET);
2125
#ifdef MANAGMENT_EXTERNAL_KEY
2126
buffer_list_free (mc->ext_key_input);
2128
man_connection_clear (mc);
2132
management_init (void)
2134
struct management *man;
2135
ALLOC_OBJ_CLEAR (man, struct management);
2137
man_persist_init (man,
2138
MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2139
MANAGEMENT_ECHO_BUFFER_SIZE,
2140
MANAGEMENT_STATE_BUFFER_SIZE);
2142
man_connection_clear (&man->connection);
2148
management_open (struct management *man,
2151
const char *pass_file,
2152
const char *client_user,
2153
const char *client_group,
2154
const int log_history_cache,
2155
const int echo_buffer_size,
2156
const int state_buffer_size,
2157
const char *write_peer_info_file,
2158
const int remap_sigusr1,
2159
const unsigned int flags)
2164
* Save the settings only if they have not
2165
* been saved before.
2167
man_settings_init (&man->settings,
2176
write_peer_info_file,
2181
* The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2182
* but may be changed here. Ditto for echo and state buffers.
2184
log_history_resize (man->persist.log, man->settings.log_history_cache);
2185
log_history_resize (man->persist.echo, man->settings.echo_buffer_size);
2186
log_history_resize (man->persist.state, man->settings.state_buffer_size);
2189
* If connection object is uninitialized and we are not doing
2190
* over-the-tunnel management, then open (listening) connection.
2192
if (man->connection.state == MS_INITIAL)
2194
if (!man->settings.management_over_tunnel)
2196
man_connection_init (man);
2205
management_close (struct management *man)
2207
man_output_list_push_finalize (man); /* flush output queue */
2208
man_connection_close (man);
2209
man_settings_close (&man->settings);
2210
man_persist_close (&man->persist);
2215
management_set_callback (struct management *man,
2216
const struct management_callback *cb)
2218
man->persist.standalone_disabled = true;
2219
man->persist.callback = *cb;
2223
management_clear_callback (struct management *man)
2225
man->persist.standalone_disabled = false;
2226
man->persist.hold_release = false;
2227
CLEAR (man->persist.callback);
2228
man_output_list_push_finalize (man); /* flush output queue */
2232
management_set_state (struct management *man,
2235
const in_addr_t tun_local_ip,
2236
const in_addr_t tun_remote_ip)
2238
if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2240
struct gc_arena gc = gc_new ();
2242
const char *out = NULL;
2249
e.local_ip = tun_local_ip;
2250
e.remote_ip = tun_remote_ip;
2252
log_history_add (man->persist.state, &e);
2254
if (man->connection.state_realtime)
2255
out = log_entry_print (&e, LOG_PRINT_STATE_PREFIX
2256
| LOG_PRINT_INT_DATE
2258
| LOG_PRINT_LOCAL_IP
2259
| LOG_PRINT_REMOTE_IP
2261
| LOG_ECHO_TO_LOG, &gc);
2264
man_output_list_push (man, out);
2271
env_filter_match (const char *env_str, const int env_filter_level)
2273
static const char *env_names[] = {
2280
"ifconfig_netmask=",
2281
"daemon_start_time=",
2284
"ifconfig_pool_remote_ip=",
2285
"ifconfig_pool_netmask=",
2291
if (env_filter_level == 0)
2293
else if (env_filter_level <= 1 && !strncmp(env_str, "X509_", 5))
2295
else if (env_filter_level <= 2)
2298
for (i = 0; i < SIZE(env_names); ++i)
2300
const char *en = env_names[i];
2301
const size_t len = strlen(en);
2302
if (!strncmp(env_str, en, len))
2311
man_output_env (const struct env_set *es, const bool tail, const int env_filter_level, const char *prefix)
2316
for (e = es->list; e != NULL; e = e->next)
2318
if (e->string && (!env_filter_level || env_filter_match(e->string, env_filter_level)))
2319
msg (M_CLIENT, ">%s:ENV,%s", prefix, e->string);
2323
msg (M_CLIENT, ">%s:ENV,END", prefix);
2327
man_output_extra_env (struct management *man, const char *prefix)
2329
struct gc_arena gc = gc_new ();
2330
struct env_set *es = env_set_create (&gc);
2331
if (man->persist.callback.n_clients)
2333
const int nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
2334
setenv_int (es, "n_clients", nclients);
2336
man_output_env (es, false, man->connection.env_filter_level, prefix);
2341
management_up_down(struct management *man, const char *updown, const struct env_set *es)
2343
if (man->settings.flags & MF_UP_DOWN)
2345
msg (M_CLIENT, ">UPDOWN:%s", updown);
2346
man_output_env (es, true, 0, "UPDOWN");
2351
management_notify(struct management *man, const char *severity, const char *type, const char *text)
2353
msg (M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
2357
management_notify_generic (struct management *man, const char *str)
2359
msg (M_CLIENT, "%s", str);
2362
#ifdef MANAGEMENT_DEF_AUTH
2365
validate_peer_info_line(const char *line)
2375
if (c == '=' && state == 1)
2377
else if (isalnum(c) || c == '_')
2388
return (state == 2);
2392
man_output_peer_info_env (struct management *man, struct man_def_auth_context *mdac)
2395
if (man->persist.callback.get_peer_info)
2397
const char *peer_info = (*man->persist.callback.get_peer_info) (man->persist.callback.arg, mdac->cid);
2401
buf_set_read (&buf, (const uint8_t *) peer_info, strlen(peer_info));
2402
while (buf_parse (&buf, '\n', line, sizeof (line)))
2405
if (validate_peer_info_line(line))
2407
msg (M_CLIENT, ">CLIENT:ENV,%s", line);
2410
msg (D_MANAGEMENT, "validation failed on peer_info line received from client");
2417
management_notify_client_needing_auth (struct management *management,
2418
const unsigned int mda_key_id,
2419
struct man_def_auth_context *mdac,
2420
const struct env_set *es)
2422
if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2424
const char *mode = "CONNECT";
2425
if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2427
msg (M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2428
man_output_extra_env (management, "CLIENT");
2429
man_output_peer_info_env(management, mdac);
2430
man_output_env (es, true, management->connection.env_filter_level, "CLIENT");
2431
mdac->flags |= DAF_INITIAL_AUTH;
2436
management_connection_established (struct management *management,
2437
struct man_def_auth_context *mdac,
2438
const struct env_set *es)
2440
mdac->flags |= DAF_CONNECTION_ESTABLISHED;
2441
msg (M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
2442
man_output_extra_env (management, "CLIENT");
2443
man_output_env (es, true, management->connection.env_filter_level, "CLIENT");
2447
management_notify_client_close (struct management *management,
2448
struct man_def_auth_context *mdac,
2449
const struct env_set *es)
2451
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2453
msg (M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
2454
man_output_env (es, true, management->connection.env_filter_level, "CLIENT");
2455
mdac->flags |= DAF_CONNECTION_CLOSED;
2460
management_learn_addr (struct management *management,
2461
struct man_def_auth_context *mdac,
2462
const struct mroute_addr *addr,
2465
struct gc_arena gc = gc_new ();
2466
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2468
msg (M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
2470
mroute_addr_print_ex (addr, MAPF_SUBNET, &gc),
2471
BOOL_CAST (primary));
2476
#endif /* MANAGEMENT_DEF_AUTH */
2479
management_echo (struct management *man, const char *string, const bool pull)
2481
if (man->persist.echo)
2483
struct gc_arena gc = gc_new ();
2485
const char *out = NULL;
2491
e.u.intval = BOOL_CAST (pull);
2493
log_history_add (man->persist.echo, &e);
2495
if (man->connection.echo_realtime)
2496
out = log_entry_print (&e, LOG_PRINT_INT_DATE|LOG_PRINT_ECHO_PREFIX|LOG_PRINT_CRLF|MANAGEMENT_ECHO_FLAGS, &gc);
2499
man_output_list_push (man, out);
2506
management_post_tunnel_open (struct management *man, const in_addr_t tun_local_ip)
2509
* If we are running management over the tunnel,
2510
* this is the place to initialize the connection.
2512
if (man->settings.management_over_tunnel
2513
&& man->connection.state == MS_INITIAL)
2515
/* listen on our local TUN/TAP IP address */
2516
man->settings.local.addr.in4.sin_addr.s_addr = htonl (tun_local_ip);
2517
man_connection_init (man);
2523
management_pre_tunnel_close (struct management *man)
2525
if (man->settings.management_over_tunnel)
2526
man_connection_close (man);
2530
management_auth_failure (struct management *man, const char *type, const char *reason)
2533
msg (M_CLIENT, ">PASSWORD:Verification Failed: '%s' ['%s']", type, reason);
2535
msg (M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
2539
management_auth_token (struct management *man, const char *token)
2541
msg (M_CLIENT, ">PASSWORD:Auth-Token:%s", token);
2545
man_persist_state (unsigned int *persistent, const int n)
2549
if (*persistent == (unsigned int)n)
2559
management_socket_set (struct management *man,
2560
struct event_set *es,
2562
unsigned int *persistent)
2564
if (man->connection.state != MS_INITIAL)
2566
event_t ev = net_event_win32_get_event (&man->connection.ne32);
2567
net_event_win32_reset_write (&man->connection.ne32);
2569
switch (man->connection.state)
2572
if (man_persist_state (persistent, 1))
2573
event_ctl (es, ev, EVENT_READ, arg);
2575
case MS_CC_WAIT_READ:
2576
if (man_persist_state (persistent, 2))
2577
event_ctl (es, ev, EVENT_READ, arg);
2579
case MS_CC_WAIT_WRITE:
2580
if (man_persist_state (persistent, 3))
2581
event_ctl (es, ev, EVENT_READ|EVENT_WRITE, arg);
2590
management_io (struct management *man)
2592
if (man->connection.state != MS_INITIAL)
2595
net_event_win32_reset (&man->connection.ne32);
2596
net_events = net_event_win32_get_event_mask (&man->connection.ne32);
2598
if (net_events & FD_CLOSE)
2600
man_reset_client_socket (man, false);
2604
if (man->connection.state == MS_LISTEN)
2606
if (net_events & FD_ACCEPT)
2609
net_event_win32_clear_selected_events (&man->connection.ne32, FD_ACCEPT);
2612
else if (man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE)
2614
if (net_events & FD_READ)
2616
while (man_read (man) > 0)
2618
net_event_win32_clear_selected_events (&man->connection.ne32, FD_READ);
2621
if (net_events & FD_WRITE)
2624
status = man_write (man);
2625
if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
2627
net_event_win32_clear_selected_events (&man->connection.ne32, FD_WRITE);
2638
management_socket_set (struct management *man,
2639
struct event_set *es,
2641
unsigned int *persistent)
2643
switch (man->connection.state)
2646
if (man_persist_state (persistent, 1))
2647
event_ctl (es, man->connection.sd_top, EVENT_READ, arg);
2649
case MS_CC_WAIT_READ:
2650
if (man_persist_state (persistent, 2))
2651
event_ctl (es, man->connection.sd_cli, EVENT_READ, arg);
2653
case MS_CC_WAIT_WRITE:
2654
if (man_persist_state (persistent, 3))
2655
event_ctl (es, man->connection.sd_cli, EVENT_WRITE, arg);
2665
management_io (struct management *man)
2667
switch (man->connection.state)
2672
case MS_CC_WAIT_READ:
2675
case MS_CC_WAIT_WRITE:
2688
man_standalone_ok (const struct management *man)
2690
return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
2694
man_check_for_signals (volatile int *signal_received)
2696
if (signal_received)
2698
get_signal (signal_received);
2699
if (*signal_received)
2706
* Wait for socket I/O when outside primary event loop
2709
man_block (struct management *man, volatile int *signal_received, const time_t expire)
2712
struct event_set_return esr;
2715
if (man_standalone_ok (man))
2719
event_reset (man->connection.es);
2720
management_socket_set (man, man->connection.es, NULL, NULL);
2723
if (man_check_for_signals (signal_received))
2728
status = event_wait (man->connection.es, &tv, &esr, 1);
2730
if (man_check_for_signals (signal_received))
2738
else if (expire && now >= expire)
2740
/* set SIGINT signal if expiration time exceeded */
2742
if (signal_received)
2743
*signal_received = SIGINT;
2752
* Perform management socket output outside primary event loop
2755
man_output_standalone (struct management *man, volatile int *signal_received)
2757
if (man_standalone_ok (man))
2759
while (man->connection.state == MS_CC_WAIT_WRITE)
2761
management_io (man);
2762
if (man->connection.state == MS_CC_WAIT_WRITE)
2763
man_block (man, signal_received, 0);
2764
if (signal_received && *signal_received)
2771
* Process management event loop outside primary event loop
2774
man_standalone_event_loop (struct management *man, volatile int *signal_received, const time_t expire)
2777
if (man_standalone_ok (man))
2779
status = man_block (man, signal_received, expire);
2781
management_io (man);
2786
#define MWCC_PASSWORD_WAIT (1<<0)
2787
#define MWCC_HOLD_WAIT (1<<1)
2788
#define MWCC_OTHER_WAIT (1<<2)
2791
* Block until client connects
2794
man_wait_for_client_connection (struct management *man,
2795
volatile int *signal_received,
2796
const time_t expire,
2799
ASSERT (man_standalone_ok (man));
2800
if (man->connection.state == MS_LISTEN)
2802
if (flags & MWCC_PASSWORD_WAIT)
2803
msg (D_MANAGEMENT, "Need password(s) from management interface, waiting...");
2804
if (flags & MWCC_HOLD_WAIT)
2805
msg (D_MANAGEMENT, "Need hold release from management interface, waiting...");
2806
if (flags & MWCC_OTHER_WAIT)
2807
msg (D_MANAGEMENT, "Need information from management interface, waiting...");
2809
man_standalone_event_loop (man, signal_received, expire);
2810
if (signal_received && *signal_received)
2812
} while (man->connection.state == MS_LISTEN || man_password_needed (man));
2817
* Process the management event loop for sec seconds
2820
management_event_loop_n_seconds (struct management *man, int sec)
2822
if (man_standalone_ok (man))
2824
volatile int signal_received = 0;
2825
const bool standalone_disabled_save = man->persist.standalone_disabled;
2828
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
2830
/* set expire time */
2835
/* if no client connection, wait for one */
2836
man_wait_for_client_connection (man, &signal_received, expire, 0);
2837
if (signal_received)
2840
/* run command processing event loop */
2843
man_standalone_event_loop (man, &signal_received, expire);
2844
if (!signal_received)
2845
man_check_for_signals (&signal_received);
2846
if (signal_received)
2851
man->persist.standalone_disabled = standalone_disabled_save;
2860
* Get a username/password from management channel in standalone mode.
2863
management_query_user_pass (struct management *man,
2864
struct user_pass *up,
2866
const unsigned int flags,
2867
const char *static_challenge)
2869
struct gc_arena gc = gc_new ();
2872
if (man_standalone_ok (man))
2874
volatile int signal_received = 0;
2875
const bool standalone_disabled_save = man->persist.standalone_disabled;
2876
struct buffer alert_msg = alloc_buf_gc (128, &gc);
2877
const char *alert_type = NULL;
2878
const char *prefix = NULL;
2879
unsigned int up_query_mode = 0;
2880
#ifdef ENABLE_CLIENT_CR
2881
const char *sc = NULL;
2884
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
2885
man->persist.special_state_msg = NULL;
2887
CLEAR (man->connection.up_query);
2889
if (flags & GET_USER_PASS_NEED_OK)
2891
up_query_mode = UP_QUERY_NEED_OK;
2893
alert_type = "confirmation";
2895
else if (flags & GET_USER_PASS_NEED_STR)
2897
up_query_mode = UP_QUERY_NEED_STR;
2899
alert_type = "string";
2901
else if (flags & GET_USER_PASS_PASSWORD_ONLY)
2903
up_query_mode = UP_QUERY_PASS;
2904
prefix = "PASSWORD";
2905
alert_type = "password";
2909
up_query_mode = UP_QUERY_USER_PASS;
2910
prefix = "PASSWORD";
2911
alert_type = "username/password";
2912
#ifdef ENABLE_CLIENT_CR
2913
if (static_challenge)
2914
sc = static_challenge;
2917
buf_printf (&alert_msg, ">%s:Need '%s' %s",
2922
if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))
2923
buf_printf (&alert_msg, " MSG:%s", up->username);
2925
#ifdef ENABLE_CLIENT_CR
2927
buf_printf (&alert_msg, " SC:%d,%s",
2928
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO),
2932
man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
2933
if (signal_received)
2938
man->persist.special_state_msg = BSTR (&alert_msg);
2939
msg (M_CLIENT, "%s", man->persist.special_state_msg);
2941
/* tell command line parser which info we need */
2942
man->connection.up_query_mode = up_query_mode;
2943
man->connection.up_query_type = type;
2945
/* run command processing event loop until we get our username/password/response */
2948
man_standalone_event_loop (man, &signal_received, 0);
2949
if (!signal_received)
2950
man_check_for_signals (&signal_received);
2951
if (signal_received)
2956
} while (!man->connection.up_query.defined);
2960
man->connection.up_query_mode = UP_QUERY_DISABLED;
2961
man->connection.up_query_type = NULL;
2962
man->persist.standalone_disabled = standalone_disabled_save;
2963
man->persist.special_state_msg = NULL;
2965
/* pass through blank passwords */
2966
if (!strcmp (man->connection.up_query.password, blank_up))
2967
CLEAR (man->connection.up_query.password);
2970
* Transfer u/p to return object, zero any record
2971
* we hold in the management object.
2975
man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
2976
*up = man->connection.up_query;
2978
CLEAR (man->connection.up_query);
2985
#ifdef MANAGMENT_EXTERNAL_KEY
2987
char * /* returns allocated base64 signature */
2988
management_query_rsa_sig (struct management *man,
2989
const char *b64_data)
2991
struct gc_arena gc = gc_new ();
2993
volatile int signal_received = 0;
2994
struct buffer alert_msg = clear_buf();
2996
const bool standalone_disabled_save = man->persist.standalone_disabled;
2997
struct man_connection *mc = &man->connection;
2999
if (man_standalone_ok (man))
3001
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3002
man->persist.special_state_msg = NULL;
3004
mc->ext_key_state = EKS_SOLICIT;
3006
alert_msg = alloc_buf_gc (strlen(b64_data)+64, &gc);
3007
buf_printf (&alert_msg, ">RSA_SIGN:%s", b64_data);
3009
man_wait_for_client_connection (man, &signal_received, 0, MWCC_OTHER_WAIT);
3011
if (signal_received)
3014
man->persist.special_state_msg = BSTR (&alert_msg);
3015
msg (M_CLIENT, "%s", man->persist.special_state_msg);
3017
/* run command processing event loop until we get our signature */
3020
man_standalone_event_loop (man, &signal_received, 0);
3021
if (!signal_received)
3022
man_check_for_signals (&signal_received);
3023
if (signal_received)
3025
} while (mc->ext_key_state != EKS_READY);
3027
if (buffer_list_defined(mc->ext_key_input))
3029
buffer_list_aggregate (mc->ext_key_input, 2048);
3030
buf = buffer_list_peek (mc->ext_key_input);
3031
if (buf && BLEN(buf) > 0)
3033
ret = (char *) malloc(BLEN(buf)+1);
3034
check_malloc_return(ret);
3035
memcpy(ret, buf->data, BLEN(buf));
3036
ret[BLEN(buf)] = '\0';
3042
if (mc->ext_key_state == EKS_READY && ret)
3043
msg (M_CLIENT, "SUCCESS: rsa-sig command succeeded");
3044
else if (mc->ext_key_state == EKS_INPUT || mc->ext_key_state == EKS_READY)
3045
msg (M_CLIENT, "ERROR: rsa-sig command failed");
3048
man->persist.standalone_disabled = standalone_disabled_save;
3049
man->persist.special_state_msg = NULL;
3050
in_extra_reset (mc, IER_RESET);
3051
mc->ext_key_state = EKS_UNDEF;
3052
buffer_list_free (mc->ext_key_input);
3053
mc->ext_key_input = NULL;
3062
* Return true if management_hold() would block
3065
management_would_hold (struct management *man)
3067
return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok (man);
3071
* Return true if (from the management interface's perspective) OpenVPN should
3075
management_should_daemonize (struct management *man)
3077
return management_would_hold (man) || (man->settings.flags & MF_QUERY_PASSWORDS);
3081
* If the hold flag is enabled, hibernate until a management client releases the hold.
3082
* Return true if the caller should not sleep for an additional time interval.
3085
management_hold (struct management *man)
3087
if (management_would_hold (man))
3089
volatile int signal_received = 0;
3090
const bool standalone_disabled_save = man->persist.standalone_disabled;
3092
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3093
man->persist.special_state_msg = NULL;
3094
man->settings.mansig |= MANSIG_IGNORE_USR1_HUP;
3096
man_wait_for_client_connection (man, &signal_received, 0, MWCC_HOLD_WAIT);
3098
if (!signal_received)
3100
man->persist.special_state_msg = ">HOLD:Waiting for hold release";
3101
msg (M_CLIENT, "%s", man->persist.special_state_msg);
3103
/* run command processing event loop until we get our username/password */
3106
man_standalone_event_loop (man, &signal_received, 0);
3107
if (!signal_received)
3108
man_check_for_signals (&signal_received);
3109
if (signal_received)
3111
} while (!man->persist.hold_release);
3115
man->persist.standalone_disabled = standalone_disabled_save;
3116
man->persist.special_state_msg = NULL;
3117
man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP;
3125
* struct command_line
3128
struct command_line *
3129
command_line_new (const int buf_len)
3131
struct command_line *cl;
3132
ALLOC_OBJ_CLEAR (cl, struct command_line);
3133
cl->buf = alloc_buf (buf_len);
3134
cl->residual = alloc_buf (buf_len);
3139
command_line_reset (struct command_line *cl)
3141
buf_clear (&cl->buf);
3142
buf_clear (&cl->residual);
3146
command_line_free (struct command_line *cl)
3148
command_line_reset (cl);
3149
free_buf (&cl->buf);
3150
free_buf (&cl->residual);
3155
command_line_add (struct command_line *cl, const unsigned char *buf, const int len)
3158
for (i = 0; i < len; ++i)
3160
if (buf[i] && char_class(buf[i], (CC_PRINT|CC_NEWLINE)))
3162
if (!buf_write_u8 (&cl->buf, buf[i]))
3163
buf_clear (&cl->buf);
3168
const unsigned char *
3169
command_line_get (struct command_line *cl)
3172
const unsigned char *ret = NULL;
3174
i = buf_substring_len (&cl->buf, '\n');
3177
buf_copy_excess (&cl->residual, &cl->buf, i);
3178
buf_chomp (&cl->buf);
3179
ret = (const unsigned char *) BSTR (&cl->buf);
3185
command_line_next (struct command_line *cl)
3187
buf_clear (&cl->buf);
3188
buf_copy (&cl->buf, &cl->residual);
3189
buf_clear (&cl->residual);
3197
log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
3199
struct buffer out = alloc_buf_gc (ERR_BUF_SIZE, gc);
3200
if (flags & LOG_FATAL_NOTIFY)
3201
buf_printf (&out, ">FATAL:");
3202
if (flags & LOG_PRINT_LOG_PREFIX)
3203
buf_printf (&out, ">LOG:");
3204
if (flags & LOG_PRINT_ECHO_PREFIX)
3205
buf_printf (&out, ">ECHO:");
3206
if (flags & LOG_PRINT_STATE_PREFIX)
3207
buf_printf (&out, ">STATE:");
3208
if (flags & LOG_PRINT_INT_DATE)
3209
buf_printf (&out, "%u,", (unsigned int)e->timestamp);
3210
if (flags & LOG_PRINT_MSG_FLAGS)
3211
buf_printf (&out, "%s,", msg_flags_string (e->u.msg_flags, gc));
3212
if (flags & LOG_PRINT_STATE)
3213
buf_printf (&out, "%s,", man_state_name (e->u.state));
3214
if (flags & LOG_PRINT_INTVAL)
3215
buf_printf (&out, "%d,", e->u.intval);
3217
buf_printf (&out, "%s", e->string);
3218
if (flags & LOG_PRINT_LOCAL_IP)
3219
buf_printf (&out, ",%s", print_in_addr_t (e->local_ip, IA_EMPTY_IF_UNDEF, gc));
3220
if (flags & LOG_PRINT_REMOTE_IP)
3221
buf_printf (&out, ",%s", print_in_addr_t (e->remote_ip, IA_EMPTY_IF_UNDEF, gc));
3222
if (flags & LOG_ECHO_TO_LOG)
3223
msg (D_MANAGEMENT, "MANAGEMENT: %s", BSTR (&out));
3224
if (flags & LOG_PRINT_CRLF)
3225
buf_printf (&out, "\r\n");
3230
log_entry_free_contents (struct log_entry *e)
3233
free ((char *)e->string);
3238
* struct log_history
3242
log_index (const struct log_history *h, int i)
3244
return modulo_add (h->base, i, h->capacity);
3248
log_history_obj_init (struct log_history *h, int capacity)
3251
h->capacity = capacity;
3252
ALLOC_ARRAY_CLEAR (h->array, struct log_entry, capacity);
3255
struct log_history *
3256
log_history_init (const int capacity)
3258
struct log_history *h;
3259
ASSERT (capacity > 0);
3260
ALLOC_OBJ (h, struct log_history);
3261
log_history_obj_init (h, capacity);
3266
log_history_free_contents (struct log_history *h)
3269
for (i = 0; i < h->size; ++i)
3270
log_entry_free_contents (&h->array[log_index(h, i)]);
3275
log_history_close (struct log_history *h)
3277
log_history_free_contents (h);
3282
log_history_add (struct log_history *h, const struct log_entry *le)
3284
struct log_entry *e;
3285
ASSERT (h->size >= 0 && h->size <= h->capacity);
3286
if (h->size == h->capacity)
3288
e = &h->array[h->base];
3289
log_entry_free_contents (e);
3290
h->base = log_index (h, 1);
3294
e = &h->array[log_index(h, h->size)];
3299
e->string = string_alloc (le->string, NULL);
3303
log_history_resize (struct log_history *h, const int capacity)
3305
if (capacity != h->capacity)
3307
struct log_history newlog;
3310
ASSERT (capacity > 0);
3311
log_history_obj_init (&newlog, capacity);
3313
for (i = 0; i < h->size; ++i)
3314
log_history_add (&newlog, &h->array[log_index(h, i)]);
3316
log_history_free_contents (h);
3321
const struct log_entry *
3322
log_history_ref (const struct log_history *h, const int index)
3324
if (index >= 0 && index < h->size)
3325
return &h->array[log_index(h, (h->size - 1) - index)];
3331
static void dummy(void) {}
3332
#endif /* ENABLE_MANAGEMENT */
added
removed
src/openvpn/manage.c
