* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#elif defined(_MSC_VER)
#include "config-msvc.h"
* Auth username/password
* Client received an authentication failed message from server.
receive_auth_failed (struct context *c, const struct buffer *buffer)
msg (M_VERB0, "AUTH: Received control message: %s", BSTR(buffer));
connection_list_set_no_advance(&c->options);
switch (auth_retry_get ())
c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */
ssl_purge_auth (false);
c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */
c->sig->signal_text = "auth-failure";
#ifdef ENABLE_MANAGEMENT
const char *reason = NULL;
struct buffer buf = *buffer;
if (buf_string_compare_advance (&buf, "AUTH_FAILED,") && BLEN (&buf))
management_auth_failure (management, UP_TYPE_AUTH, reason);
#ifdef ENABLE_CLIENT_CR
struct buffer buf = *buffer;
if (buf_string_match_head_str (&buf, "AUTH_FAILED,CRV1:") && BLEN (&buf))
buf_advance (&buf, 12); /* Length of "AUTH_FAILED," substring */
ssl_put_auth_challenge (BSTR (&buf));
* Act on received restart message from server
server_pushed_signal (struct context *c, const struct buffer *buffer, const bool restart, const int adv)
struct buffer buf = *buffer;
if (buf_advance (&buf, adv) && buf_read_u8 (&buf) == ',' && BLEN (&buf))
/* preserve cached passwords? */
for (i = 1; m[i] != '\0' && m[i] != ']'; ++i)
ssl_purge_auth (true);
msg (D_STREAM_ERRORS, "Connection reset command was pushed by server ('%s')", m);
c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
c->sig->signal_text = "server-pushed-connection-reset";
msg (D_STREAM_ERRORS, "Halt command was pushed by server ('%s')", m);
c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- server-pushed halt */
c->sig->signal_text = "server-pushed-halt";
#ifdef ENABLE_MANAGEMENT
management_notify (management, "info", c->sig->signal_text, m);
* Send auth failed message from server to client.
send_auth_failed (struct context *c, const char *client_reason)
struct gc_arena gc = gc_new ();
static const char auth_failed[] = "AUTH_FAILED";
schedule_exit (c, c->options.scheduled_exit_interval, SIGTERM);
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
len = PUSH_BUNDLE_SIZE;
struct buffer buf = alloc_buf_gc (len, &gc);
buf_printf (&buf, auth_failed);
buf_printf (&buf, ",%s", client_reason);
send_control_channel_string (c, BSTR (&buf), D_PUSH);
* Send restart message from server to client.
send_restart (struct context *c, const char *kill_msg)
schedule_exit (c, c->options.scheduled_exit_interval, SIGTERM);
send_control_channel_string (c, kill_msg ? kill_msg : "RESTART", D_PUSH);
incoming_push_message (struct context *c, const struct buffer *buffer)
struct gc_arena gc = gc_new ();
unsigned int option_types_found = 0;
msg (D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc));
status = process_incoming_push_msg (c,
pull_permission_mask (c),
&option_types_found);
if (status == PUSH_MSG_ERROR)
msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
if (status == PUSH_MSG_REPLY)
do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */
event_timeout_clear (&c->c2.push_request_interval);
send_push_request (struct context *c)
const int max_push_requests = c->options.handshake_window / PUSH_REQUEST_INTERVAL;
if (++c->c2.n_sent_push_requests <= max_push_requests)
return send_control_channel_string (c, "PUSH_REQUEST", D_PUSH);
msg (D_STREAM_ERRORS, "No reply from server after sending %d push requests", max_push_requests);
c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
c->sig->signal_text = "no-push-reply";
send_push_reply (struct context *c)
struct gc_arena gc = gc_new ();
struct buffer buf = alloc_buf_gc (PUSH_BUNDLE_SIZE, &gc);
struct push_entry *e = c->options.push_list.head;
bool multi_push = false;
static char cmd[] = "PUSH_REPLY";
const int extra = 84; /* extra space for possible trailing ifconfig and push-continuation */
const int safe_cap = BCAP (&buf) - extra;
bool push_sent = false;
msg( M_INFO, "send_push_reply(): safe_cap=%d", safe_cap );
buf_printf (&buf, "%s", cmd);
if ( c->c2.push_ifconfig_ipv6_defined )
/* IPv6 is put into buffer first, could be lengthy */
buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s",
print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc),
c->c2.push_ifconfig_ipv6_netbits,
print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) );
if (BLEN (&buf) >= safe_cap)
msg (M_WARN, "--push ifconfig-ipv6 option is too long");
const int l = strlen (e->option);
if (BLEN (&buf) + l >= safe_cap)
buf_printf (&buf, ",push-continuation 2");
const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH);
buf_reset_len (&buf);
buf_printf (&buf, "%s", cmd);
if (BLEN (&buf) + l >= safe_cap)
msg (M_WARN, "--push option is too long");
buf_printf (&buf, ",%s", e->option);
if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && c->c2.push_ifconfig_remote_netmask)
in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
#ifdef ENABLE_CLIENT_NAT
if (c->c2.push_ifconfig_local_alias)
ifconfig_local = c->c2.push_ifconfig_local_alias;
buf_printf (&buf, ",ifconfig %s %s",
print_in_addr_t (ifconfig_local, 0, &gc),
print_in_addr_t (c->c2.push_ifconfig_remote_netmask, 0, &gc));
buf_printf (&buf, ",push-continuation 1");
if (BLEN (&buf) > sizeof(cmd)-1)
const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH);
/* If nothing has been pushed, send an empty push,
* as the client is expecting a response
buf_reset_len (&buf);
buf_printf (&buf, "%s", cmd);
status = send_control_channel_string (c, BSTR(&buf), D_PUSH);
push_option_ex (struct options *o, const char *opt, bool enable, int msglevel)
if (!string_class (opt, CC_ANY, CC_COMMA))
msg (msglevel, "PUSH OPTION FAILED (illegal comma (',') in string): '%s'", opt);
struct push_entry *e;
ALLOC_OBJ_CLEAR_GC (e, struct push_entry, &o->gc);
if (o->push_list.head)
ASSERT(o->push_list.tail);
o->push_list.tail->next = e;
o->push_list.tail = e;
ASSERT(!o->push_list.tail);
o->push_list.head = e;
o->push_list.tail = e;
push_option (struct options *o, const char *opt, int msglevel)
push_option_ex (o, opt, true, msglevel);
clone_push_list (struct options *o)
if (o->push_list.head)
const struct push_entry *e = o->push_list.head;
push_option_ex (o, string_alloc (e->option, &o->gc), true, M_FATAL);
push_options (struct options *o, char **p, int msglevel, struct gc_arena *gc)
const char **argv = make_extended_arg_array (p, gc);
char *opt = print_argv (argv, gc, 0);
push_option (o, opt, msglevel);
push_reset (struct options *o)
CLEAR (o->push_list);
process_incoming_push_msg (struct context *c,
const struct buffer *buffer,
bool honor_received_options,
unsigned int permission_mask,
unsigned int *option_types_found)
int ret = PUSH_MSG_ERROR;
struct buffer buf = *buffer;
if (buf_string_compare_advance (&buf, "PUSH_REQUEST"))
if (tls_authentication_status (c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED)
const char *client_reason = tls_client_reason (c->c2.tls_multi);
send_auth_failed (c, client_reason);
ret = PUSH_MSG_AUTH_FAILURE;
else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
if (c->c2.sent_push_reply_expiry > now)
ret = PUSH_MSG_ALREADY_REPLIED;
if (send_push_reply (c))
ret = PUSH_MSG_REQUEST;
c->c2.sent_push_reply_expiry = now + 30;
ret = PUSH_MSG_REQUEST_DEFERRED;
if (honor_received_options && buf_string_compare_advance (&buf, "PUSH_REPLY"))
const uint8_t ch = buf_read_u8 (&buf);
struct buffer buf_orig = buf;
if (!c->c2.pulled_options_md5_init_done)
md5_state_init (&c->c2.pulled_options_state);
c->c2.pulled_options_md5_init_done = true;
if (!c->c2.did_pre_pull_restore)
pre_pull_restore (&c->options);
c->c2.did_pre_pull_restore = true;
if (apply_push_options (&c->options,
switch (c->options.push_continuation)
md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
c->c2.pulled_options_md5_init_done = false;
ret = PUSH_MSG_REPLY;
md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
ret = PUSH_MSG_CONTINUATION;
ret = PUSH_MSG_REPLY;
/* show_settings (&c->options); */
* Remove iroutes from the push_list.
remove_iroutes_from_push_route_list (struct options *o)
if (o && o->push_list.head && o->iroutes)
struct gc_arena gc = gc_new ();
struct push_entry *e = o->push_list.head;
/* cycle through the push list */
/* parse the push item */
if (parse_line (e->option, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
/* is the push item a route directive? */
if (p[0] && !strcmp (p[0], "route") && !p[3])
/* get route parameters */
bool status1, status2;
const in_addr_t network = getaddr (GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
/* did route parameters parse correctly? */
if (status1 && status2)
const struct iroute *ir;
/* does route match an iroute? */
for (ir = o->iroutes; ir != NULL; ir = ir->next)
if (network == ir->network && netmask == netbits_to_netmask (ir->netbits >= 0 ? ir->netbits : 32))
/* should we copy the push item? */
msg (D_PUSH, "REMOVE PUSH ROUTE: '%s'", e->option);