~ubuntu-branches/ubuntu/trusty/openvpn/trusty-security
» Revision
35
: .pc/jjo-ipv6-support.patch/manage.c
« back to all changes in this revision
Viewing changes to .pc/jjo-ipv6-support.patch/manage.c
- browse files at revision 35
- compare with another revision
- download diff
- download tarball
- view history from revision 35
- Committer: Bazaar Package Importer
- Author(s): Chuck Short
- Date: 2010-05-05 03:06:19 UTC
- mfrom: (10.2.6 sid)
- Revision ID: james.westby@ubuntu.com-20100505030619-cwre0snhgx1mql53
Tags: 2.1.0-2ubuntu1
* Merge from debian unstable. Remaining changes:
+ debian/openvpn.init.d:
- Do not use start-stop-daemon and use </dev/null to avoid blocking boot
- Show per-VPN result messages
- Add "--script-security 2" by default for backwards compatablitiy
+ debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
+ debian/openvpn.init.d:
- Do not use start-stop-daemon and use </dev/null to avoid blocking boot
- Show per-VPN result messages
- Add "--script-security 2" by default for backwards compatablitiy
+ debian/control: Add lsb-base >= 3.2-14 to allow status_of_proc()
- files added:
- .pc
- .pc/attemping_typo
- .pc/auth-pam_libpam_so_filename.patch
- .pc/auth-pam_libpam_so_filename.patch/plugin
- .pc/auth-pam_libpam_so_filename.patch/plugin/auth-pam
- .pc/close_socket_before_scripts.patch
- .pc/counter_type_for_bytes.patch
- .pc/debian_nogroup_for_sample_files.patch
- .pc/debian_nogroup_for_sample_files.patch/sample-config-files
- .pc/debian_openssl_vulnkeys.patch
- .pc/eurephia.patch
- .pc/jjo-ipv6-support.patch
- .pc/manpage_dash_escaping.patch
- .pc/openvpn-pkcs11warn.patch
- .pc/route_default_nil.patch
- debian/source
- files modified:
- buffer.c
added
removed
.pc/jjo-ipv6-support.patch/manage.c
1
/*
2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
6
* packet compression.
7
*
8
* Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
9
*
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
13
*
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
18
*
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23
*/
24
25
#include "syshead.h"
26
27
#ifdef ENABLE_MANAGEMENT
28
29
#include "error.h"
30
#include "fdmisc.h"
31
#include "options.h"
32
#include "sig.h"
33
#include "event.h"
34
#include "otime.h"
35
#include "integer.h"
36
#include "misc.h"
37
#include "ssl.h"
38
#include "common.h"
39
#include "manage.h"
40
41
#include "memdbg.h"
42
43
#ifdef ENABLE_PKCS11
44
#include "pkcs11.h"
45
#endif
46
47
#define MANAGEMENT_ECHO_PULL_INFO 0
48
49
#if MANAGEMENT_ECHO_PULL_INFO
50
#define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
51
#else
52
#define MANAGEMENT_ECHO_FLAGS 0
53
#endif
54
55
/* tag for blank username/password */
56
static const char blank_up[] = "[[BLANK]]";
57
58
struct management *management; /* GLOBAL */
59
60
/* static forward declarations */
61
static void man_output_standalone (struct management *man, volatile int *signal_received);
62
static void man_reset_client_socket (struct management *man, const bool exiting);
63
64
static void
65
man_help ()
66
{
67
msg (M_CLIENT, "Management Interface for %s", title_string);
68
msg (M_CLIENT, "Commands:");
69
msg (M_CLIENT, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
70
msg (M_CLIENT, "bytecount n : Show bytes in/out, update every n secs (0=off).");
71
msg (M_CLIENT, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
72
msg (M_CLIENT, "exit|quit : Close management session.");
73
msg (M_CLIENT, "forget-passwords : Forget passwords entered so far.");
74
msg (M_CLIENT, "help : Print this message.");
75
msg (M_CLIENT, "hold [on|off|release] : Set/show hold flag to on/off state, or");
76
msg (M_CLIENT, " release current hold and start tunnel.");
77
msg (M_CLIENT, "kill cn : Kill the client instance(s) having common name cn.");
78
msg (M_CLIENT, "kill IP:port : Kill the client instance connecting from IP:port.");
79
msg (M_CLIENT, "load-stats : Show global server load stats.");
80
msg (M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
81
msg (M_CLIENT, " + show last N lines or 'all' for entire history.");
82
msg (M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
83
msg (M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
84
msg (M_CLIENT, " where action = 'ok' or 'cancel'.");
85
msg (M_CLIENT, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
86
msg (M_CLIENT, " where action is reply string.");
87
msg (M_CLIENT, "net : (Windows only) Show network info and routing table.");
88
msg (M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
89
msg (M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
90
#ifdef ENABLE_PKCS11
91
msg (M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
92
msg (M_CLIENT, "pkcs11-id-get index : Get PKCS#11 identity at index.");
93
#endif
94
#ifdef MANAGEMENT_DEF_AUTH
95
msg (M_CLIENT, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
96
msg (M_CLIENT, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
97
msg (M_CLIENT, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
98
msg (M_CLIENT, " text R and optional client reason text CR");
99
msg (M_CLIENT, "client-kill CID : Kill client instance CID");
100
#ifdef MANAGEMENT_PF
101
msg (M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)");
102
#endif
103
#endif
104
msg (M_CLIENT, "signal s : Send signal s to daemon,");
105
msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
106
msg (M_CLIENT, "state [on|off] [N|all] : Like log, but show state history.");
107
msg (M_CLIENT, "status [n] : Show current daemon status info using format #n.");
108
msg (M_CLIENT, "test n : Produce n lines of output for testing/debugging.");
109
msg (M_CLIENT, "username type u : Enter username u for a queried OpenVPN username.");
110
msg (M_CLIENT, "verb [n] : Set log verbosity level to n, or show if n is absent.");
111
msg (M_CLIENT, "version : Show current version number.");
112
msg (M_CLIENT, "END");
113
}
114
115
static const char *
116
man_state_name (const int state)
117
{
118
switch (state)
119
{
120
case OPENVPN_STATE_INITIAL:
121
return "INITIAL";
122
case OPENVPN_STATE_CONNECTING:
123
return "CONNECTING";
124
case OPENVPN_STATE_WAIT:
125
return "WAIT";
126
case OPENVPN_STATE_AUTH:
127
return "AUTH";
128
case OPENVPN_STATE_GET_CONFIG:
129
return "GET_CONFIG";
130
case OPENVPN_STATE_ASSIGN_IP:
131
return "ASSIGN_IP";
132
case OPENVPN_STATE_ADD_ROUTES:
133
return "ADD_ROUTES";
134
case OPENVPN_STATE_CONNECTED:
135
return "CONNECTED";
136
case OPENVPN_STATE_RECONNECTING:
137
return "RECONNECTING";
138
case OPENVPN_STATE_EXITING:
139
return "EXITING";
140
case OPENVPN_STATE_RESOLVE:
141
return "RESOLVE";
142
case OPENVPN_STATE_TCP_CONNECT:
143
return "TCP_CONNECT";
144
default:
145
return "?";
146
}
147
}
148
149
static void
150
man_welcome (struct management *man)
151
{
152
msg (M_CLIENT, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
153
MANAGEMENT_VERSION);
154
if (man->persist.special_state_msg)
155
msg (M_CLIENT, "%s", man->persist.special_state_msg);
156
}
157
158
static inline bool
159
man_password_needed (struct management *man)
160
{
161
return man->settings.up.defined && !man->connection.password_verified;
162
}
163
164
static void
165
man_check_password (struct management *man, const char *line)
166
{
167
if (man_password_needed (man))
168
{
169
if (streq (line, man->settings.up.password))
170
{
171
man->connection.password_verified = true;
172
msg (M_CLIENT, "SUCCESS: password is correct");
173
man_welcome (man);
174
}
175
else
176
{
177
man->connection.password_verified = false;
178
msg (M_CLIENT, "ERROR: bad password");
179
if (++man->connection.password_tries >= MANAGEMENT_N_PASSWORD_RETRIES)
180
{
181
msg (M_WARN, "MAN: client connection rejected after %d failed password attempts",
182
MANAGEMENT_N_PASSWORD_RETRIES);
183
man->connection.halt = true;
184
}
185
}
186
}
187
}
188
189
static void
190
man_update_io_state (struct management *man)
191
{
192
if (socket_defined (man->connection.sd_cli))
193
{
194
if (buffer_list_defined (man->connection.out))
195
{
196
man->connection.state = MS_CC_WAIT_WRITE;
197
}
198
else
199
{
200
man->connection.state = MS_CC_WAIT_READ;
201
}
202
}
203
}
204
205
static void
206
man_output_list_push (struct management *man, const char *str)
207
{
208
if (management_connected (man))
209
{
210
if (str)
211
buffer_list_push (man->connection.out, (const unsigned char *) str);
212
man_update_io_state (man);
213
if (!man->persist.standalone_disabled)
214
{
215
volatile int signal_received = 0;
216
man_output_standalone (man, &signal_received);
217
}
218
}
219
}
220
221
static void
222
man_prompt (struct management *man)
223
{
224
if (man_password_needed (man))
225
man_output_list_push (man, "ENTER PASSWORD:");
226
#if 0 /* should we use prompt? */
227
else
228
man_output_list_push (man, PACKAGE_NAME ">");
229
#endif
230
}
231
232
static void
233
man_delete_unix_socket (struct management *man)
234
{
235
#if UNIX_SOCK_SUPPORT
236
if ((man->settings.flags & (MF_UNIX_SOCK|MF_CONNECT_AS_CLIENT)) == MF_UNIX_SOCK)
237
socket_delete_unix (&man->settings.local_unix);
238
#endif
239
}
240
241
static void
242
man_close_socket (struct management *man, const socket_descriptor_t sd)
243
{
244
#ifndef WIN32
245
/*
246
* Windows doesn't need this because the ne32 event is permanently
247
* enabled at struct management scope.
248
*/
249
if (man->persist.callback.delete_event)
250
(*man->persist.callback.delete_event) (man->persist.callback.arg, sd);
251
#endif
252
openvpn_close_socket (sd);
253
}
254
255
static void
256
virtual_output_callback_func (void *arg, const unsigned int flags, const char *str)
257
{
258
static int recursive_level = 0; /* GLOBAL */
259
260
if (!recursive_level) /* don't allow recursion */
261
{
262
struct gc_arena gc = gc_new ();
263
struct management *man = (struct management *) arg;
264
struct log_entry e;
265
const char *out = NULL;
266
267
++recursive_level;
268
269
CLEAR (e);
270
update_time ();
271
e.timestamp = now;
272
e.u.msg_flags = flags;
273
e.string = str;
274
275
if (flags & M_FATAL)
276
man->persist.standalone_disabled = false;
277
278
if (flags != M_CLIENT)
279
log_history_add (man->persist.log, &e);
280
281
if (!man_password_needed (man))
282
{
283
if (flags == M_CLIENT)
284
out = log_entry_print (&e, LOG_PRINT_CRLF, &gc);
285
else if (man->connection.log_realtime)
286
out = log_entry_print (&e, LOG_PRINT_INT_DATE
287
| LOG_PRINT_MSG_FLAGS
288
| LOG_PRINT_LOG_PREFIX
289
| LOG_PRINT_CRLF, &gc);
290
if (out)
291
man_output_list_push (man, out);
292
if (flags & M_FATAL)
293
{
294
out = log_entry_print (&e, LOG_FATAL_NOTIFY|LOG_PRINT_CRLF, &gc);
295
if (out)
296
{
297
man_output_list_push (man, out);
298
man_reset_client_socket (man, true);
299
}
300
}
301
}
302
303
--recursive_level;
304
gc_free (&gc);
305
}
306
}
307
308
/*
309
* Given a signal, return the signal with possible remapping applied,
310
* or -1 if the signal should be ignored.
311
*/
312
static int
313
man_mod_signal (const struct management *man, const int signum)
314
{
315
const unsigned int flags = man->settings.mansig;
316
int s = signum;
317
if (s == SIGUSR1)
318
{
319
if (flags & MANSIG_MAP_USR1_TO_HUP)
320
s = SIGHUP;
321
if (flags & MANSIG_MAP_USR1_TO_TERM)
322
s = SIGTERM;
323
}
324
if (flags & MANSIG_IGNORE_USR1_HUP)
325
{
326
if (s == SIGHUP || s == SIGUSR1)
327
s = -1;
328
}
329
return s;
330
}
331
332
static void
333
man_signal (struct management *man, const char *name)
334
{
335
const int sig = parse_signal (name);
336
if (sig >= 0)
337
{
338
const int sig_mod = man_mod_signal (man, sig);
339
if (sig_mod >= 0)
340
{
341
throw_signal (sig_mod);
342
msg (M_CLIENT, "SUCCESS: signal %s thrown", signal_name (sig_mod, true));
343
}
344
else
345
{
346
if (man->persist.special_state_msg)
347
msg (M_CLIENT, "%s", man->persist.special_state_msg);
348
else
349
msg (M_CLIENT, "ERROR: signal '%s' is currently ignored", name);
350
}
351
}
352
else
353
{
354
msg (M_CLIENT, "ERROR: signal '%s' is not a known signal type", name);
355
}
356
}
357
358
static void
359
man_status (struct management *man, const int version, struct status_output *so)
360
{
361
if (man->persist.callback.status)
362
{
363
(*man->persist.callback.status) (man->persist.callback.arg, version, so);
364
}
365
else
366
{
367
msg (M_CLIENT, "ERROR: The 'status' command is not supported by the current daemon mode");
368
}
369
}
370
371
static void
372
man_bytecount (struct management *man, const int update_seconds)
373
{
374
if (update_seconds >= 0)
375
man->connection.bytecount_update_seconds = update_seconds;
376
else
377
man->connection.bytecount_update_seconds = 0;
378
msg (M_CLIENT, "SUCCESS: bytecount interval changed");
379
}
380
381
void
382
man_bytecount_output_client (struct management *man)
383
{
384
char in[32];
385
char out[32];
386
/* do in a roundabout way to work around possible mingw or mingw-glibc bug */
387
openvpn_snprintf (in, sizeof (in), counter_format, man->persist.bytes_in);
388
openvpn_snprintf (out, sizeof (out), counter_format, man->persist.bytes_out);
389
msg (M_CLIENT, ">BYTECOUNT:%s,%s", in, out);
390
man->connection.bytecount_last_update = now;
391
}
392
393
#ifdef MANAGEMENT_DEF_AUTH
394
395
void
396
man_bytecount_output_server (struct management *man,
397
const counter_type *bytes_in_total,
398
const counter_type *bytes_out_total,
399
struct man_def_auth_context *mdac)
400
{
401
char in[32];
402
char out[32];
403
/* do in a roundabout way to work around possible mingw or mingw-glibc bug */
404
openvpn_snprintf (in, sizeof (in), counter_format, *bytes_in_total);
405
openvpn_snprintf (out, sizeof (out), counter_format, *bytes_out_total);
406
msg (M_CLIENT, ">BYTECOUNT_CLI:%lu,%s,%s", mdac->cid, in, out);
407
mdac->bytecount_last_update = now;
408
}
409
410
#endif
411
412
static void
413
man_kill (struct management *man, const char *victim)
414
{
415
struct gc_arena gc = gc_new ();
416
417
if (man->persist.callback.kill_by_cn && man->persist.callback.kill_by_addr)
418
{
419
struct buffer buf;
420
char p1[128];
421
char p2[128];
422
int n_killed;
423
424
buf_set_read (&buf, (uint8_t*) victim, strlen (victim) + 1);
425
buf_parse (&buf, ':', p1, sizeof (p1));
426
buf_parse (&buf, ':', p2, sizeof (p2));
427
428
if (strlen (p1) && strlen (p2))
429
{
430
/* IP:port specified */
431
bool status;
432
const in_addr_t addr = getaddr (GETADDR_HOST_ORDER|GETADDR_MSG_VIRT_OUT, p1, 0, &status, NULL);
433
if (status)
434
{
435
const int port = atoi (p2);
436
if (port > 0 && port < 65536)
437
{
438
n_killed = (*man->persist.callback.kill_by_addr) (man->persist.callback.arg, addr, port);
439
if (n_killed > 0)
440
{
441
msg (M_CLIENT, "SUCCESS: %d client(s) at address %s:%d killed",
442
n_killed,
443
print_in_addr_t (addr, 0, &gc),
444
port);
445
}
446
else
447
{
448
msg (M_CLIENT, "ERROR: client at address %s:%d not found",
449
print_in_addr_t (addr, 0, &gc),
450
port);
451
}
452
}
453
else
454
{
455
msg (M_CLIENT, "ERROR: port number is out of range: %s", p2);
456
}
457
}
458
else
459
{
460
msg (M_CLIENT, "ERROR: error parsing IP address: %s", p1);
461
}
462
}
463
else if (strlen (p1))
464
{
465
/* common name specified */
466
n_killed = (*man->persist.callback.kill_by_cn) (man->persist.callback.arg, p1);
467
if (n_killed > 0)
468
{
469
msg (M_CLIENT, "SUCCESS: common name '%s' found, %d client(s) killed", p1, n_killed);
470
}
471
else
472
{
473
msg (M_CLIENT, "ERROR: common name '%s' not found", p1);
474
}
475
}
476
else
477
{
478
msg (M_CLIENT, "ERROR: kill parse");
479
}
480
}
481
else
482
{
483
msg (M_CLIENT, "ERROR: The 'kill' command is not supported by the current daemon mode");
484
}
485
486
gc_free (&gc);
487
}
488
489
/*
490
* General-purpose history command handler
491
* for the log and echo commands.
492
*/
493
static void
494
man_history (struct management *man,
495
const char *parm,
496
const char *type,
497
struct log_history *log,
498
bool *realtime,
499
const unsigned int lep_flags)
500
{
501
struct gc_arena gc = gc_new ();
502
int n = 0;
503
504
if (streq (parm, "on"))
505
{
506
*realtime = true;
507
msg (M_CLIENT, "SUCCESS: real-time %s notification set to ON", type);
508
}
509
else if (streq (parm, "off"))
510
{
511
*realtime = false;
512
msg (M_CLIENT, "SUCCESS: real-time %s notification set to OFF", type);
513
}
514
else if (streq (parm, "all") || (n = atoi (parm)) > 0)
515
{
516
const int size = log_history_size (log);
517
const int start = (n ? n : size) - 1;
518
int i;
519
520
for (i = start; i >= 0; --i)
521
{
522
const struct log_entry *e = log_history_ref (log, i);
523
if (e)
524
{
525
const char *out = log_entry_print (e, lep_flags, &gc);
526
virtual_output_callback_func (man, M_CLIENT, out);
527
}
528
}
529
msg (M_CLIENT, "END");
530
}
531
else
532
{
533
msg (M_CLIENT, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type);
534
}
535
536
gc_free (&gc);
537
}
538
539
static void
540
man_log (struct management *man, const char *parm)
541
{
542
man_history (man,
543
parm,
544
"log",
545
man->persist.log,
546
&man->connection.log_realtime,
547
LOG_PRINT_INT_DATE|LOG_PRINT_MSG_FLAGS);
548
}
549
550
static void
551
man_echo (struct management *man, const char *parm)
552
{
553
man_history (man,
554
parm,
555
"echo",
556
man->persist.echo,
557
&man->connection.echo_realtime,
558
LOG_PRINT_INT_DATE|MANAGEMENT_ECHO_FLAGS);
559
}
560
561
static void
562
man_state (struct management *man, const char *parm)
563
{
564
man_history (man,
565
parm,
566
"state",
567
man->persist.state,
568
&man->connection.state_realtime,
569
LOG_PRINT_INT_DATE|LOG_PRINT_STATE|
570
LOG_PRINT_LOCAL_IP|LOG_PRINT_REMOTE_IP);
571
}
572
573
static void
574
man_up_finalize (struct management *man)
575
{
576
switch (man->connection.up_query_mode)
577
{
578
case UP_QUERY_DISABLED:
579
man->connection.up_query.defined = false;
580
break;
581
case UP_QUERY_USER_PASS:
582
if (strlen (man->connection.up_query.username) && strlen (man->connection.up_query.password))
583
man->connection.up_query.defined = true;
584
break;
585
case UP_QUERY_PASS:
586
if (strlen (man->connection.up_query.password))
587
man->connection.up_query.defined = true;
588
break;
589
case UP_QUERY_NEED_OK:
590
if (strlen (man->connection.up_query.password))
591
man->connection.up_query.defined = true;
592
break;
593
case UP_QUERY_NEED_STR:
594
if (strlen (man->connection.up_query.password))
595
man->connection.up_query.defined = true;
596
break;
597
default:
598
ASSERT (0);
599
}
600
}
601
602
static void
603
man_query_user_pass (struct management *man,
604
const char *type,
605
const char *string,
606
const bool needed,
607
const char *prompt,
608
char *dest,
609
int len)
610
{
611
if (needed)
612
{
613
ASSERT (man->connection.up_query_type);
614
if (streq (man->connection.up_query_type, type))
615
{
616
strncpynt (dest, string, len);
617
man_up_finalize (man);
618
msg (M_CLIENT, "SUCCESS: '%s' %s entered, but not yet verified",
619
type,
620
prompt);
621
}
622
else
623
msg (M_CLIENT, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
624
prompt,
625
type,
626
man->connection.up_query_type);
627
}
628
else
629
{
630
msg (M_CLIENT, "ERROR: no %s is currently needed at this time", prompt);
631
}
632
}
633
634
static void
635
man_query_username (struct management *man, const char *type, const char *string)
636
{
637
const bool needed = (man->connection.up_query_mode == UP_QUERY_USER_PASS && man->connection.up_query_type);
638
man_query_user_pass (man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
639
}
640
641
static void
642
man_query_password (struct management *man, const char *type, const char *string)
643
{
644
const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
645
|| man->connection.up_query_mode == UP_QUERY_PASS)
646
&& man->connection.up_query_type);
647
if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
648
string = blank_up;
649
man_query_user_pass (man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
650
}
651
652
static void
653
man_query_need_ok (struct management *man, const char *type, const char *action)
654
{
655
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
656
man_query_user_pass (man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
657
}
658
659
static void
660
man_query_need_str (struct management *man, const char *type, const char *action)
661
{
662
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_STR) && man->connection.up_query_type);
663
man_query_user_pass (man, type, action, needed, "needstr-string", man->connection.up_query.password, USER_PASS_LEN);
664
}
665
666
static void
667
man_forget_passwords (struct management *man)
668
{
669
#if defined(USE_CRYPTO) && defined(USE_SSL)
670
ssl_purge_auth ();
671
msg (M_CLIENT, "SUCCESS: Passwords were forgotten");
672
#endif
673
}
674
675
static void
676
man_net (struct management *man)
677
{
678
if (man->persist.callback.show_net)
679
{
680
(*man->persist.callback.show_net) (man->persist.callback.arg, M_CLIENT);
681
}
682
else
683
{
684
msg (M_CLIENT, "ERROR: The 'net' command is not supported by the current daemon mode");
685
}
686
}
687
688
#ifdef ENABLE_PKCS11
689
690
static void
691
man_pkcs11_id_count (struct management *man)
692
{
693
msg (M_CLIENT, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count ());
694
}
695
696
static void
697
man_pkcs11_id_get (struct management *man, const int index)
698
{
699
char *id = NULL;
700
char *base64 = NULL;
701
702
if (pkcs11_management_id_get (index, &id, &base64))
703
msg (M_CLIENT, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index, id, base64);
704
else
705
msg (M_CLIENT, ">PKCS11ID-ENTRY:'%d'", index);
706
707
if (id != NULL)
708
free (id);
709
if (base64 != NULL)
710
free (base64);
711
}
712
713
#endif
714
715
static void
716
man_hold (struct management *man, const char *cmd)
717
{
718
if (cmd)
719
{
720
if (streq (cmd, "on"))
721
{
722
man->settings.flags |= MF_HOLD;
723
msg (M_CLIENT, "SUCCESS: hold flag set to ON");
724
}
725
else if (streq (cmd, "off"))
726
{
727
man->settings.flags &= ~MF_HOLD;
728
msg (M_CLIENT, "SUCCESS: hold flag set to OFF");
729
}
730
else if (streq (cmd, "release"))
731
{
732
man->persist.hold_release = true;
733
msg (M_CLIENT, "SUCCESS: hold release succeeded");
734
}
735
else
736
{
737
msg (M_CLIENT, "ERROR: bad hold command parameter");
738
}
739
}
740
else
741
msg (M_CLIENT, "SUCCESS: hold=%d", BOOL_CAST(man->settings.flags & MF_HOLD));
742
}
743
744
#ifdef MANAGEMENT_DEF_AUTH
745
746
static bool
747
parse_cid (const char *str, unsigned long *cid)
748
{
749
if (sscanf (str, "%lu", cid) == 1)
750
return true;
751
else
752
{
753
msg (M_CLIENT, "ERROR: cannot parse CID");
754
return false;
755
}
756
}
757
758
static bool
759
parse_kid (const char *str, unsigned int *kid)
760
{
761
if (sscanf (str, "%u", kid) == 1)
762
return true;
763
else
764
{
765
msg (M_CLIENT, "ERROR: cannot parse KID");
766
return false;
767
}
768
}
769
770
static void
771
in_extra_reset (struct man_connection *mc, const bool new)
772
{
773
if (mc)
774
{
775
if (!new)
776
{
777
mc->in_extra_cmd = IEC_UNDEF;
778
mc->in_extra_cid = 0;
779
mc->in_extra_kid = 0;
780
}
781
if (mc->in_extra)
782
{
783
buffer_list_free (mc->in_extra);
784
mc->in_extra = NULL;
785
}
786
if (new)
787
mc->in_extra = buffer_list_new (0);
788
}
789
}
790
791
static void
792
in_extra_dispatch (struct management *man)
793
{
794
switch (man->connection.in_extra_cmd)
795
{
796
case IEC_CLIENT_AUTH:
797
if (man->persist.callback.client_auth)
798
{
799
const bool status = (*man->persist.callback.client_auth)
800
(man->persist.callback.arg,
801
man->connection.in_extra_cid,
802
man->connection.in_extra_kid,
803
true,
804
NULL,
805
NULL,
806
man->connection.in_extra);
807
man->connection.in_extra = NULL;
808
if (status)
809
{
810
msg (M_CLIENT, "SUCCESS: client-auth command succeeded");
811
}
812
else
813
{
814
msg (M_CLIENT, "ERROR: client-auth command failed");
815
}
816
}
817
else
818
{
819
msg (M_CLIENT, "ERROR: The client-auth command is not supported by the current daemon mode");
820
}
821
break;
822
#ifdef MANAGEMENT_PF
823
case IEC_CLIENT_PF:
824
if (man->persist.callback.client_pf)
825
{
826
const bool status = (*man->persist.callback.client_pf)
827
(man->persist.callback.arg,
828
man->connection.in_extra_cid,
829
man->connection.in_extra);
830
man->connection.in_extra = NULL;
831
if (status)
832
{
833
msg (M_CLIENT, "SUCCESS: client-pf command succeeded");
834
}
835
else
836
{
837
msg (M_CLIENT, "ERROR: client-pf command failed");
838
}
839
}
840
else
841
{
842
msg (M_CLIENT, "ERROR: The client-pf command is not supported by the current daemon mode");
843
}
844
break;
845
#endif
846
}
847
in_extra_reset (&man->connection, false);
848
}
849
850
static void
851
man_client_auth (struct management *man, const char *cid_str, const char *kid_str, const bool extra)
852
{
853
struct man_connection *mc = &man->connection;
854
mc->in_extra_cid = 0;
855
mc->in_extra_kid = 0;
856
if (parse_cid (cid_str, &mc->in_extra_cid)
857
&& parse_kid (kid_str, &mc->in_extra_kid))
858
{
859
mc->in_extra_cmd = IEC_CLIENT_AUTH;
860
in_extra_reset (mc, true);
861
if (!extra)
862
in_extra_dispatch (man);
863
}
864
}
865
866
static void
867
man_client_deny (struct management *man, const char *cid_str, const char *kid_str, const char *reason, const char *client_reason)
868
{
869
unsigned long cid = 0;
870
unsigned int kid = 0;
871
if (parse_cid (cid_str, &cid) && parse_kid (kid_str, &kid))
872
{
873
if (man->persist.callback.client_auth)
874
{
875
const bool status = (*man->persist.callback.client_auth)
876
(man->persist.callback.arg,
877
cid,
878
kid,
879
false,
880
reason,
881
client_reason,
882
NULL);
883
if (status)
884
{
885
msg (M_CLIENT, "SUCCESS: client-deny command succeeded");
886
}
887
else
888
{
889
msg (M_CLIENT, "ERROR: client-deny command failed");
890
}
891
}
892
else
893
{
894
msg (M_CLIENT, "ERROR: The client-deny command is not supported by the current daemon mode");
895
}
896
}
897
}
898
899
static void
900
man_client_kill (struct management *man, const char *cid_str)
901
{
902
unsigned long cid = 0;
903
if (parse_cid (cid_str, &cid))
904
{
905
if (man->persist.callback.kill_by_cid)
906
{
907
const bool status = (*man->persist.callback.kill_by_cid) (man->persist.callback.arg, cid);
908
if (status)
909
{
910
msg (M_CLIENT, "SUCCESS: client-kill command succeeded");
911
}
912
else
913
{
914
msg (M_CLIENT, "ERROR: client-kill command failed");
915
}
916
}
917
else
918
{
919
msg (M_CLIENT, "ERROR: The client-kill command is not supported by the current daemon mode");
920
}
921
}
922
}
923
924
static void
925
man_client_n_clients (struct management *man)
926
{
927
if (man->persist.callback.n_clients)
928
{
929
const int nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
930
msg (M_CLIENT, "SUCCESS: nclients=%d", nclients);
931
}
932
else
933
{
934
msg (M_CLIENT, "ERROR: The nclients command is not supported by the current daemon mode");
935
}
936
}
937
938
#ifdef MANAGEMENT_PF
939
940
static void
941
man_client_pf (struct management *man, const char *cid_str)
942
{
943
struct man_connection *mc = &man->connection;
944
mc->in_extra_cid = 0;
945
mc->in_extra_kid = 0;
946
if (parse_cid (cid_str, &mc->in_extra_cid))
947
{
948
mc->in_extra_cmd = IEC_CLIENT_PF;
949
in_extra_reset (mc, true);
950
}
951
}
952
953
#endif
954
#endif
955
956
static void
957
man_load_stats (struct management *man)
958
{
959
extern counter_type link_read_bytes_global;
960
extern counter_type link_write_bytes_global;
961
int nclients = 0;
962
963
if (man->persist.callback.n_clients)
964
nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
965
msg (M_CLIENT, "SUCCESS: nclients=%d,bytesin=" counter_format ",bytesout=" counter_format,
966
nclients,
967
link_read_bytes_global,
968
link_write_bytes_global);
969
}
970
971
#define MN_AT_LEAST (1<<0)
972
973
static bool
974
man_need (struct management *man, const char **p, const int n, unsigned int flags)
975
{
976
int i;
977
ASSERT (p[0]);
978
for (i = 1; i <= n; ++i)
979
{
980
if (!p[i])
981
{
982
msg (M_CLIENT, "ERROR: the '%s' command requires %s%d parameter%s",
983
p[0],
984
(flags & MN_AT_LEAST) ? "at least " : "",
985
n,
986
n > 1 ? "s" : "");
987
return false;
988
}
989
}
990
return true;
991
}
992
993
static void
994
man_dispatch_command (struct management *man, struct status_output *so, const char **p, const int nparms)
995
{
996
struct gc_arena gc = gc_new ();
997
998
ASSERT (p[0]);
999
if (streq (p[0], "exit") || streq (p[0], "quit"))
1000
{
1001
man->connection.halt = true;
1002
goto done;
1003
}
1004
else if (streq (p[0], "help"))
1005
{
1006
man_help ();
1007
}
1008
else if (streq (p[0], "version"))
1009
{
1010
msg (M_CLIENT, "OpenVPN Version: %s", title_string);
1011
msg (M_CLIENT, "Management Version: %d", MANAGEMENT_VERSION);
1012
msg (M_CLIENT, "END");
1013
}
1014
else if (streq (p[0], "pid"))
1015
{
1016
msg (M_CLIENT, "SUCCESS: pid=%d", openvpn_getpid ());
1017
}
1018
#ifdef MANAGEMENT_DEF_AUTH
1019
else if (streq (p[0], "nclients"))
1020
{
1021
man_client_n_clients (man);
1022
}
1023
#endif
1024
else if (streq (p[0], "signal"))
1025
{
1026
if (man_need (man, p, 1, 0))
1027
man_signal (man, p[1]);
1028
}
1029
else if (streq (p[0], "load-stats"))
1030
{
1031
man_load_stats (man);
1032
}
1033
else if (streq (p[0], "status"))
1034
{
1035
int version = 0;
1036
if (p[1])
1037
version = atoi (p[1]);
1038
man_status (man, version, so);
1039
}
1040
else if (streq (p[0], "kill"))
1041
{
1042
if (man_need (man, p, 1, 0))
1043
man_kill (man, p[1]);
1044
}
1045
else if (streq (p[0], "verb"))
1046
{
1047
if (p[1])
1048
{
1049
const int level = atoi(p[1]);
1050
if (set_debug_level (level, 0))
1051
msg (M_CLIENT, "SUCCESS: verb level changed");
1052
else
1053
msg (M_CLIENT, "ERROR: verb level is out of range");
1054
}
1055
else
1056
msg (M_CLIENT, "SUCCESS: verb=%d", get_debug_level ());
1057
}
1058
else if (streq (p[0], "mute"))
1059
{
1060
if (p[1])
1061
{
1062
const int level = atoi(p[1]);
1063
if (set_mute_cutoff (level))
1064
msg (M_CLIENT, "SUCCESS: mute level changed");
1065
else
1066
msg (M_CLIENT, "ERROR: mute level is out of range");
1067
}
1068
else
1069
msg (M_CLIENT, "SUCCESS: mute=%d", get_mute_cutoff ());
1070
}
1071
else if (streq (p[0], "auth-retry"))
1072
{
1073
#if P2MP
1074
if (p[1])
1075
{
1076
if (auth_retry_set (M_CLIENT, p[1]))
1077
msg (M_CLIENT, "SUCCESS: auth-retry parameter changed");
1078
else
1079
msg (M_CLIENT, "ERROR: bad auth-retry parameter");
1080
}
1081
else
1082
msg (M_CLIENT, "SUCCESS: auth-retry=%s", auth_retry_print ());
1083
#else
1084
msg (M_CLIENT, "ERROR: auth-retry feature is unavailable");
1085
#endif
1086
}
1087
else if (streq (p[0], "state"))
1088
{
1089
if (!p[1])
1090
{
1091
man_state (man, "1");
1092
}
1093
else
1094
{
1095
if (p[1])
1096
man_state (man, p[1]);
1097
if (p[2])
1098
man_state (man, p[2]);
1099
}
1100
}
1101
else if (streq (p[0], "log"))
1102
{
1103
if (man_need (man, p, 1, MN_AT_LEAST))
1104
{
1105
if (p[1])
1106
man_log (man, p[1]);
1107
if (p[2])
1108
man_log (man, p[2]);
1109
}
1110
}
1111
else if (streq (p[0], "echo"))
1112
{
1113
if (man_need (man, p, 1, MN_AT_LEAST))
1114
{
1115
if (p[1])
1116
man_echo (man, p[1]);
1117
if (p[2])
1118
man_echo (man, p[2]);
1119
}
1120
}
1121
else if (streq (p[0], "username"))
1122
{
1123
if (man_need (man, p, 2, 0))
1124
man_query_username (man, p[1], p[2]);
1125
}
1126
else if (streq (p[0], "password"))
1127
{
1128
if (man_need (man, p, 2, 0))
1129
man_query_password (man, p[1], p[2]);
1130
}
1131
else if (streq (p[0], "forget-passwords"))
1132
{
1133
man_forget_passwords (man);
1134
}
1135
else if (streq (p[0], "needok"))
1136
{
1137
if (man_need (man, p, 2, 0))
1138
man_query_need_ok (man, p[1], p[2]);
1139
}
1140
else if (streq (p[0], "needstr"))
1141
{
1142
if (man_need (man, p, 2, 0))
1143
man_query_need_str (man, p[1], p[2]);
1144
}
1145
else if (streq (p[0], "net"))
1146
{
1147
man_net (man);
1148
}
1149
else if (streq (p[0], "hold"))
1150
{
1151
man_hold (man, p[1]);
1152
}
1153
else if (streq (p[0], "bytecount"))
1154
{
1155
if (man_need (man, p, 1, 0))
1156
man_bytecount (man, atoi(p[1]));
1157
}
1158
#ifdef MANAGEMENT_DEF_AUTH
1159
else if (streq (p[0], "client-kill"))
1160
{
1161
if (man_need (man, p, 1, 0))
1162
man_client_kill (man, p[1]);
1163
}
1164
else if (streq (p[0], "client-deny"))
1165
{
1166
if (man_need (man, p, 3, MN_AT_LEAST))
1167
man_client_deny (man, p[1], p[2], p[3], p[4]);
1168
}
1169
else if (streq (p[0], "client-auth-nt"))
1170
{
1171
if (man_need (man, p, 2, 0))
1172
man_client_auth (man, p[1], p[2], false);
1173
}
1174
else if (streq (p[0], "client-auth"))
1175
{
1176
if (man_need (man, p, 2, 0))
1177
man_client_auth (man, p[1], p[2], true);
1178
}
1179
#ifdef MANAGEMENT_PF
1180
else if (streq (p[0], "client-pf"))
1181
{
1182
if (man_need (man, p, 1, 0))
1183
man_client_pf (man, p[1]);
1184
}
1185
#endif
1186
#endif
1187
#ifdef ENABLE_PKCS11
1188
else if (streq (p[0], "pkcs11-id-count"))
1189
{
1190
man_pkcs11_id_count (man);
1191
}
1192
else if (streq (p[0], "pkcs11-id-get"))
1193
{
1194
if (man_need (man, p, 1, 0))
1195
man_pkcs11_id_get (man, atoi(p[1]));
1196
}
1197
#endif
1198
#if 1
1199
else if (streq (p[0], "test"))
1200
{
1201
if (man_need (man, p, 1, 0))
1202
{
1203
int i;
1204
const int n = atoi (p[1]);
1205
for (i = 0; i < n; ++i)
1206
{
1207
msg (M_CLIENT, "[%d] The purpose of this command is to generate large amounts of output.", i);
1208
}
1209
}
1210
}
1211
#endif
1212
else
1213
{
1214
msg (M_CLIENT, "ERROR: unknown command, enter 'help' for more options");
1215
}
1216
1217
done:
1218
gc_free (&gc);
1219
}
1220
1221
#ifdef WIN32
1222
1223
static void
1224
man_start_ne32 (struct management *man)
1225
{
1226
switch (man->connection.state)
1227
{
1228
case MS_LISTEN:
1229
net_event_win32_start (&man->connection.ne32, FD_ACCEPT, man->connection.sd_top);
1230
break;
1231
case MS_CC_WAIT_READ:
1232
case MS_CC_WAIT_WRITE:
1233
net_event_win32_start (&man->connection.ne32, FD_READ|FD_WRITE|FD_CLOSE, man->connection.sd_cli);
1234
break;
1235
default:
1236
ASSERT (0);
1237
}
1238
}
1239
1240
static void
1241
man_stop_ne32 (struct management *man)
1242
{
1243
net_event_win32_stop (&man->connection.ne32);
1244
}
1245
1246
#endif
1247
1248
static void
1249
man_record_peer_info (struct management *man)
1250
{
1251
struct gc_arena gc = gc_new ();
1252
if (man->settings.write_peer_info_file)
1253
{
1254
bool success = false;
1255
#ifdef HAVE_GETSOCKNAME
1256
if (socket_defined (man->connection.sd_cli))
1257
{
1258
struct sockaddr_in addr;
1259
socklen_t addrlen = sizeof (addr);
1260
int status;
1261
1262
CLEAR (addr);
1263
status = getsockname (man->connection.sd_cli, (struct sockaddr *)&addr, &addrlen);
1264
if (!status && addrlen == sizeof (addr))
1265
{
1266
const in_addr_t a = ntohl (addr.sin_addr.s_addr);
1267
const int p = ntohs (addr.sin_port);
1268
FILE *fp = fopen (man->settings.write_peer_info_file, "w");
1269
if (fp)
1270
{
1271
fprintf (fp, "%s\n%d\n", print_in_addr_t (a, 0, &gc), p);
1272
if (!fclose (fp))
1273
success = true;
1274
}
1275
}
1276
}
1277
#endif
1278
if (!success)
1279
{
1280
msg (D_MANAGEMENT, "MANAGEMENT: failed to write peer info to file %s",
1281
man->settings.write_peer_info_file);
1282
throw_signal_soft (SIGTERM, "management-connect-failed");
1283
}
1284
}
1285
gc_free (&gc);
1286
}
1287
1288
static void
1289
man_connection_settings_reset (struct management *man)
1290
{
1291
man->connection.state_realtime = false;
1292
man->connection.log_realtime = false;
1293
man->connection.echo_realtime = false;
1294
man->connection.bytecount_update_seconds = 0;
1295
man->connection.password_verified = false;
1296
man->connection.password_tries = 0;
1297
man->connection.halt = false;
1298
man->connection.state = MS_CC_WAIT_WRITE;
1299
}
1300
1301
static void
1302
man_new_connection_post (struct management *man, const char *description)
1303
{
1304
struct gc_arena gc = gc_new ();
1305
1306
set_nonblock (man->connection.sd_cli);
1307
set_cloexec (man->connection.sd_cli);
1308
1309
man_connection_settings_reset (man);
1310
1311
#ifdef WIN32
1312
man_start_ne32 (man);
1313
#endif
1314
1315
#if UNIX_SOCK_SUPPORT
1316
if (man->settings.flags & MF_UNIX_SOCK)
1317
{
1318
msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
1319
description,
1320
sockaddr_unix_name (&man->settings.local_unix, "NULL"));
1321
}
1322
else
1323
#endif
1324
msg (D_MANAGEMENT, "MANAGEMENT: %s %s",
1325
description,
1326
print_sockaddr (&man->settings.local, &gc));
1327
1328
buffer_list_reset (man->connection.out);
1329
1330
if (!man_password_needed (man))
1331
man_welcome (man);
1332
man_prompt (man);
1333
man_update_io_state (man);
1334
1335
gc_free (&gc);
1336
}
1337
1338
#if UNIX_SOCK_SUPPORT
1339
static bool
1340
man_verify_unix_peer_uid_gid (struct management *man, const socket_descriptor_t sd)
1341
{
1342
if (socket_defined (sd) && (man->settings.client_uid != -1 || man->settings.client_gid != -1))
1343
{
1344
static const char err_prefix[] = "MANAGEMENT: unix domain socket client connection rejected --";
1345
int uid, gid;
1346
if (unix_socket_get_peer_uid_gid (man->connection.sd_cli, &uid, &gid))
1347
{
1348
if (man->settings.client_uid != -1 && man->settings.client_uid != uid)
1349
{
1350
msg (D_MANAGEMENT, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1351
err_prefix, uid, man->settings.client_uid);
1352
return false;
1353
}
1354
if (man->settings.client_gid != -1 && man->settings.client_gid != gid)
1355
{
1356
msg (D_MANAGEMENT, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1357
err_prefix, gid, man->settings.client_gid);
1358
return false;
1359
}
1360
}
1361
else
1362
{
1363
msg (D_MANAGEMENT, "%s cannot get UID/GID of socket peer", err_prefix);
1364
return false;
1365
}
1366
}
1367
return true;
1368
}
1369
#endif
1370
1371
static void
1372
man_accept (struct management *man)
1373
{
1374
struct link_socket_actual act;
1375
CLEAR (act);
1376
1377
/*
1378
* Accept the TCP or Unix domain socket client.
1379
*/
1380
#if UNIX_SOCK_SUPPORT
1381
if (man->settings.flags & MF_UNIX_SOCK)
1382
{
1383
struct sockaddr_un remote;
1384
man->connection.sd_cli = socket_accept_unix (man->connection.sd_top, &remote);
1385
if (!man_verify_unix_peer_uid_gid (man, man->connection.sd_cli))
1386
sd_close (&man->connection.sd_cli);
1387
}
1388
else
1389
#endif
1390
man->connection.sd_cli = socket_do_accept (man->connection.sd_top, &act, false);
1391
1392
if (socket_defined (man->connection.sd_cli))
1393
{
1394
man->connection.remote = act.dest;
1395
1396
if (socket_defined (man->connection.sd_top))
1397
{
1398
#ifdef WIN32
1399
man_stop_ne32 (man);
1400
#endif
1401
}
1402
1403
man_new_connection_post (man, "Client connected from");
1404
}
1405
}
1406
1407
static void
1408
man_listen (struct management *man)
1409
{
1410
struct gc_arena gc = gc_new ();
1411
1412
/*
1413
* Initialize state
1414
*/
1415
man->connection.state = MS_LISTEN;
1416
man->connection.sd_cli = SOCKET_UNDEFINED;
1417
1418
/*
1419
* Initialize listening socket
1420
*/
1421
if (man->connection.sd_top == SOCKET_UNDEFINED)
1422
{
1423
#if UNIX_SOCK_SUPPORT
1424
if (man->settings.flags & MF_UNIX_SOCK)
1425
{
1426
man_delete_unix_socket (man);
1427
man->connection.sd_top = create_socket_unix ();
1428
socket_bind_unix (man->connection.sd_top, &man->settings.local_unix, "MANAGEMENT");
1429
}
1430
else
1431
#endif
1432
{
1433
man->connection.sd_top = create_socket_tcp ();
1434
socket_bind (man->connection.sd_top, &man->settings.local, "MANAGEMENT");
1435
}
1436
1437
/*
1438
* Listen for connection
1439
*/
1440
if (listen (man->connection.sd_top, 1))
1441
msg (M_SOCKERR, "MANAGEMENT: listen() failed");
1442
1443
/*
1444
* Set misc socket properties
1445
*/
1446
set_nonblock (man->connection.sd_top);
1447
set_cloexec (man->connection.sd_top);
1448
1449
#if UNIX_SOCK_SUPPORT
1450
if (man->settings.flags & MF_UNIX_SOCK)
1451
{
1452
msg (D_MANAGEMENT, "MANAGEMENT: unix domain socket listening on %s",
1453
sockaddr_unix_name (&man->settings.local_unix, "NULL"));
1454
}
1455
else
1456
#endif
1457
msg (D_MANAGEMENT, "MANAGEMENT: TCP Socket listening on %s",
1458
print_sockaddr (&man->settings.local, &gc));
1459
}
1460
1461
#ifdef WIN32
1462
man_start_ne32 (man);
1463
#endif
1464
1465
gc_free (&gc);
1466
}
1467
1468
static void
1469
man_connect (struct management *man)
1470
{
1471
struct gc_arena gc = gc_new ();
1472
int status;
1473
int signal_received = 0;
1474
1475
/*
1476
* Initialize state
1477
*/
1478
man->connection.state = MS_INITIAL;
1479
man->connection.sd_top = SOCKET_UNDEFINED;
1480
1481
#if UNIX_SOCK_SUPPORT
1482
if (man->settings.flags & MF_UNIX_SOCK)
1483
{
1484
man->connection.sd_cli = create_socket_unix ();
1485
status = socket_connect_unix (man->connection.sd_cli, &man->settings.local_unix);
1486
if (!status && !man_verify_unix_peer_uid_gid (man, man->connection.sd_cli))
1487
{
1488
#ifdef EPERM
1489
status = EPERM;
1490
#else
1491
status = 1;
1492
#endif
1493
sd_close (&man->connection.sd_cli);
1494
}
1495
}
1496
else
1497
#endif
1498
{
1499
man->connection.sd_cli = create_socket_tcp ();
1500
status = openvpn_connect (man->connection.sd_cli,
1501
&man->settings.local,
1502
5,
1503
&signal_received);
1504
}
1505
1506
if (signal_received)
1507
{
1508
throw_signal (signal_received);
1509
goto done;
1510
}
1511
1512
if (status)
1513
{
1514
#if UNIX_SOCK_SUPPORT
1515
if (man->settings.flags & MF_UNIX_SOCK)
1516
{
1517
msg (D_LINK_ERRORS,
1518
"MANAGEMENT: connect to unix socket %s failed: %s",
1519
sockaddr_unix_name (&man->settings.local_unix, "NULL"),
1520
strerror_ts (status, &gc));
1521
}
1522
else
1523
#endif
1524
msg (D_LINK_ERRORS,
1525
"MANAGEMENT: connect to %s failed: %s",
1526
print_sockaddr (&man->settings.local, &gc),
1527
strerror_ts (status, &gc));
1528
throw_signal_soft (SIGTERM, "management-connect-failed");
1529
goto done;
1530
}
1531
1532
man_record_peer_info (man);
1533
man_new_connection_post (man, "Connected to management server at");
1534
1535
done:
1536
gc_free (&gc);
1537
}
1538
1539
static void
1540
man_reset_client_socket (struct management *man, const bool exiting)
1541
{
1542
if (socket_defined (man->connection.sd_cli))
1543
{
1544
msg (D_MANAGEMENT, "MANAGEMENT: Client disconnected");
1545
#ifdef WIN32
1546
man_stop_ne32 (man);
1547
#endif
1548
man_close_socket (man, man->connection.sd_cli);
1549
man->connection.sd_cli = SOCKET_UNDEFINED;
1550
command_line_reset (man->connection.in);
1551
buffer_list_reset (man->connection.out);
1552
#ifdef MANAGEMENT_DEF_AUTH
1553
in_extra_reset (&man->connection, false);
1554
#endif
1555
}
1556
if (!exiting)
1557
{
1558
#if defined(USE_CRYPTO) && defined(USE_SSL)
1559
if (man->settings.flags & MF_FORGET_DISCONNECT)
1560
ssl_purge_auth ();
1561
#endif
1562
if (man->settings.flags & MF_SIGNAL) {
1563
int mysig = man_mod_signal (man, SIGUSR1);
1564
if (mysig >= 0)
1565
{
1566
msg (D_MANAGEMENT, "MANAGEMENT: Triggering management signal");
1567
throw_signal_soft (mysig, "management-disconnect");
1568
}
1569
}
1570
1571
if (man->settings.flags & MF_CONNECT_AS_CLIENT)
1572
{
1573
msg (D_MANAGEMENT, "MANAGEMENT: Triggering management exit");
1574
throw_signal_soft (SIGTERM, "management-exit");
1575
}
1576
else
1577
man_listen (man);
1578
}
1579
}
1580
1581
static void
1582
man_process_command (struct management *man, const char *line)
1583
{
1584
struct gc_arena gc = gc_new ();
1585
struct status_output *so;
1586
int nparms;
1587
char *parms[MAX_PARMS+1];
1588
1589
CLEAR (parms);
1590
so = status_open (NULL, 0, -1, &man->persist.vout, 0);
1591
#ifdef MANAGEMENT_DEF_AUTH
1592
in_extra_reset (&man->connection, false);
1593
#endif
1594
1595
if (man_password_needed (man))
1596
{
1597
man_check_password (man, line);
1598
}
1599
else
1600
{
1601
nparms = parse_line (line, parms, MAX_PARMS, "TCP", 0, M_CLIENT, &gc);
1602
if (parms[0] && streq (parms[0], "password"))
1603
msg (D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD 'password [...]'");
1604
else if (!streq (line, "load-stats"))
1605
msg (D_MANAGEMENT_DEBUG, "MANAGEMENT: CMD '%s'", line);
1606
1607
#if 0
1608
/* DEBUGGING -- print args */
1609
{
1610
int i;
1611
for (i = 0; i < nparms; ++i)
1612
msg (M_INFO, "[%d] '%s'", i, parms[i]);
1613
}
1614
#endif
1615
1616
if (nparms > 0)
1617
man_dispatch_command (man, so, (const char **)parms, nparms);
1618
}
1619
1620
CLEAR (parms);
1621
status_close (so);
1622
gc_free (&gc);
1623
}
1624
1625
static bool
1626
man_io_error (struct management *man, const char *prefix)
1627
{
1628
const int err = openvpn_errno_socket ();
1629
1630
if (!ignore_sys_error (err))
1631
{
1632
struct gc_arena gc = gc_new ();
1633
msg (D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s",
1634
prefix,
1635
strerror_ts (err, &gc));
1636
gc_free (&gc);
1637
return true;
1638
}
1639
else
1640
return false;
1641
}
1642
1643
static int
1644
man_read (struct management *man)
1645
{
1646
/*
1647
* read command line from socket
1648
*/
1649
unsigned char buf[256];
1650
int len = 0;
1651
1652
len = recv (man->connection.sd_cli, buf, sizeof (buf), MSG_NOSIGNAL);
1653
if (len == 0)
1654
{
1655
man_reset_client_socket (man, false);
1656
}
1657
else if (len > 0)
1658
{
1659
bool processed_command = false;
1660
1661
ASSERT (len <= (int) sizeof (buf));
1662
command_line_add (man->connection.in, buf, len);
1663
1664
/*
1665
* Reset output object
1666
*/
1667
buffer_list_reset (man->connection.out);
1668
1669
/*
1670
* process command line if complete
1671
*/
1672
{
1673
const unsigned char *line;
1674
while ((line = command_line_get (man->connection.in)))
1675
{
1676
#ifdef MANAGEMENT_DEF_AUTH
1677
if (man->connection.in_extra)
1678
{
1679
if (!strcmp ((char *)line, "END"))
1680
{
1681
in_extra_dispatch (man);
1682
in_extra_reset (&man->connection, false);
1683
}
1684
else
1685
{
1686
buffer_list_push (man->connection.in_extra, line);
1687
}
1688
}
1689
else
1690
#endif
1691
man_process_command (man, (char *) line);
1692
if (man->connection.halt)
1693
break;
1694
command_line_next (man->connection.in);
1695
processed_command = true;
1696
}
1697
}
1698
1699
/*
1700
* Reset output state to MS_CC_WAIT_(READ|WRITE)
1701
*/
1702
if (man->connection.halt)
1703
{
1704
man_reset_client_socket (man, false);
1705
len = 0;
1706
}
1707
else
1708
{
1709
if (processed_command)
1710
man_prompt (man);
1711
man_update_io_state (man);
1712
}
1713
}
1714
else /* len < 0 */
1715
{
1716
if (man_io_error (man, "recv"))
1717
man_reset_client_socket (man, false);
1718
}
1719
return len;
1720
}
1721
1722
static int
1723
man_write (struct management *man)
1724
{
1725
const int max_send = 256;
1726
int sent = 0;
1727
1728
const struct buffer *buf = buffer_list_peek (man->connection.out);
1729
if (buf && BLEN (buf))
1730
{
1731
const int len = min_int (max_send, BLEN (buf));
1732
sent = send (man->connection.sd_cli, BPTR (buf), len, MSG_NOSIGNAL);
1733
if (sent >= 0)
1734
{
1735
buffer_list_advance (man->connection.out, sent);
1736
}
1737
else if (sent < 0)
1738
{
1739
if (man_io_error (man, "send"))
1740
man_reset_client_socket (man, false);
1741
}
1742
}
1743
1744
/*
1745
* Reset output state to MS_CC_WAIT_(READ|WRITE)
1746
*/
1747
man_update_io_state (man);
1748
1749
return sent;
1750
}
1751
1752
static void
1753
man_connection_clear (struct man_connection *mc)
1754
{
1755
CLEAR (*mc);
1756
1757
/* set initial state */
1758
mc->state = MS_INITIAL;
1759
1760
/* clear socket descriptors */
1761
mc->sd_top = SOCKET_UNDEFINED;
1762
mc->sd_cli = SOCKET_UNDEFINED;
1763
}
1764
1765
static void
1766
man_persist_init (struct management *man,
1767
const int log_history_cache,
1768
const int echo_buffer_size,
1769
const int state_buffer_size)
1770
{
1771
struct man_persist *mp = &man->persist;
1772
if (!mp->defined)
1773
{
1774
CLEAR (*mp);
1775
1776
/* initialize log history store */
1777
mp->log = log_history_init (log_history_cache);
1778
1779
/*
1780
* Initialize virtual output object, so that functions
1781
* which write to a virtual_output object can be redirected
1782
* here to the management object.
1783
*/
1784
mp->vout.func = virtual_output_callback_func;
1785
mp->vout.arg = man;
1786
mp->vout.flags_default = M_CLIENT;
1787
msg_set_virtual_output (&mp->vout);
1788
1789
/*
1790
* Initialize --echo list
1791
*/
1792
man->persist.echo = log_history_init (echo_buffer_size);
1793
1794
/*
1795
* Initialize --state list
1796
*/
1797
man->persist.state = log_history_init (state_buffer_size);
1798
1799
mp->defined = true;
1800
}
1801
}
1802
1803
static void
1804
man_persist_close (struct man_persist *mp)
1805
{
1806
if (mp->log)
1807
{
1808
msg_set_virtual_output (NULL);
1809
log_history_close (mp->log);
1810
}
1811
1812
if (mp->echo)
1813
log_history_close (mp->echo);
1814
1815
if (mp->state)
1816
log_history_close (mp->state);
1817
1818
CLEAR (*mp);
1819
}
1820
1821
static void
1822
man_settings_init (struct man_settings *ms,
1823
const char *addr,
1824
const int port,
1825
const char *pass_file,
1826
const char *client_user,
1827
const char *client_group,
1828
const int log_history_cache,
1829
const int echo_buffer_size,
1830
const int state_buffer_size,
1831
const char *write_peer_info_file,
1832
const int remap_sigusr1,
1833
const unsigned int flags)
1834
{
1835
if (!ms->defined)
1836
{
1837
CLEAR (*ms);
1838
1839
ms->flags = flags;
1840
ms->client_uid = -1;
1841
ms->client_gid = -1;
1842
1843
/*
1844
* Get username/password
1845
*/
1846
if (pass_file)
1847
get_user_pass (&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
1848
1849
/*
1850
* lookup client UID/GID if specified
1851
*/
1852
if (client_user)
1853
{
1854
struct user_state s;
1855
get_user (client_user, &s);
1856
ms->client_uid = user_state_uid (&s);
1857
msg (D_MANAGEMENT, "MANAGEMENT: client_uid=%d", ms->client_uid);
1858
ASSERT (ms->client_uid >= 0);
1859
}
1860
if (client_group)
1861
{
1862
struct group_state s;
1863
get_group (client_group, &s);
1864
ms->client_gid = group_state_gid (&s);
1865
msg (D_MANAGEMENT, "MANAGEMENT: client_gid=%d", ms->client_gid);
1866
ASSERT (ms->client_gid >= 0);
1867
}
1868
1869
ms->write_peer_info_file = string_alloc (write_peer_info_file, NULL);
1870
1871
#if UNIX_SOCK_SUPPORT
1872
if (ms->flags & MF_UNIX_SOCK)
1873
sockaddr_unix_init (&ms->local_unix, addr);
1874
else
1875
#endif
1876
{
1877
/*
1878
* Initialize socket address
1879
*/
1880
ms->local.sa.sin_family = AF_INET;
1881
ms->local.sa.sin_addr.s_addr = 0;
1882
ms->local.sa.sin_port = htons (port);
1883
1884
/*
1885
* Run management over tunnel, or
1886
* separate channel?
1887
*/
1888
if (streq (addr, "tunnel") && !(flags & MF_CONNECT_AS_CLIENT))
1889
{
1890
ms->management_over_tunnel = true;
1891
}
1892
else
1893
{
1894
ms->local.sa.sin_addr.s_addr = getaddr
1895
(GETADDR_RESOLVE|GETADDR_WARN_ON_SIGNAL|GETADDR_FATAL, addr, 0, NULL, NULL);
1896
}
1897
}
1898
1899
/*
1900
* Log history and echo buffer may need to be resized
1901
*/
1902
ms->log_history_cache = log_history_cache;
1903
ms->echo_buffer_size = echo_buffer_size;
1904
ms->state_buffer_size = state_buffer_size;
1905
1906
/*
1907
* Set remap sigusr1 flags
1908
*/
1909
if (remap_sigusr1 == SIGHUP)
1910
ms->mansig |= MANSIG_MAP_USR1_TO_HUP;
1911
else if (remap_sigusr1 == SIGTERM)
1912
ms->mansig |= MANSIG_MAP_USR1_TO_TERM;
1913
1914
ms->defined = true;
1915
}
1916
}
1917
1918
static void
1919
man_settings_close (struct man_settings *ms)
1920
{
1921
free (ms->write_peer_info_file);
1922
CLEAR (*ms);
1923
}
1924
1925
1926
static void
1927
man_connection_init (struct management *man)
1928
{
1929
if (man->connection.state == MS_INITIAL)
1930
{
1931
#ifdef WIN32
1932
/*
1933
* This object is a sort of TCP/IP helper
1934
* for Windows.
1935
*/
1936
net_event_win32_init (&man->connection.ne32);
1937
#endif
1938
1939
/*
1940
* Allocate helper objects for command line input and
1941
* command output from/to the socket.
1942
*/
1943
man->connection.in = command_line_new (1024);
1944
man->connection.out = buffer_list_new (0);
1945
1946
/*
1947
* Initialize event set for standalone usage, when we are
1948
* running outside of the primary event loop.
1949
*/
1950
{
1951
int maxevents = 1;
1952
man->connection.es = event_set_init (&maxevents, EVENT_METHOD_FAST);
1953
}
1954
1955
/*
1956
* Listen/connect socket
1957
*/
1958
if (man->settings.flags & MF_CONNECT_AS_CLIENT)
1959
man_connect (man);
1960
else
1961
man_listen (man);
1962
}
1963
}
1964
1965
static void
1966
man_connection_close (struct management *man)
1967
{
1968
struct man_connection *mc = &man->connection;
1969
1970
if (mc->es)
1971
event_free (mc->es);
1972
#ifdef WIN32
1973
net_event_win32_close (&mc->ne32);
1974
#endif
1975
if (socket_defined (mc->sd_top))
1976
{
1977
man_close_socket (man, mc->sd_top);
1978
man_delete_unix_socket (man);
1979
}
1980
if (socket_defined (mc->sd_cli))
1981
man_close_socket (man, mc->sd_cli);
1982
if (mc->in)
1983
command_line_free (mc->in);
1984
if (mc->out)
1985
buffer_list_free (mc->out);
1986
#ifdef MANAGEMENT_DEF_AUTH
1987
in_extra_reset (&man->connection, false);
1988
#endif
1989
man_connection_clear (mc);
1990
}
1991
1992
struct management *
1993
management_init (void)
1994
{
1995
struct management *man;
1996
ALLOC_OBJ_CLEAR (man, struct management);
1997
1998
man_persist_init (man,
1999
MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2000
MANAGEMENT_ECHO_BUFFER_SIZE,
2001
MANAGEMENT_STATE_BUFFER_SIZE);
2002
2003
man_connection_clear (&man->connection);
2004
2005
return man;
2006
}
2007
2008
bool
2009
management_open (struct management *man,
2010
const char *addr,
2011
const int port,
2012
const char *pass_file,
2013
const char *client_user,
2014
const char *client_group,
2015
const int log_history_cache,
2016
const int echo_buffer_size,
2017
const int state_buffer_size,
2018
const char *write_peer_info_file,
2019
const int remap_sigusr1,
2020
const unsigned int flags)
2021
{
2022
bool ret = false;
2023
2024
/*
2025
* Save the settings only if they have not
2026
* been saved before.
2027
*/
2028
man_settings_init (&man->settings,
2029
addr,
2030
port,
2031
pass_file,
2032
client_user,
2033
client_group,
2034
log_history_cache,
2035
echo_buffer_size,
2036
state_buffer_size,
2037
write_peer_info_file,
2038
remap_sigusr1,
2039
flags);
2040
2041
/*
2042
* The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2043
* but may be changed here. Ditto for echo and state buffers.
2044
*/
2045
log_history_resize (man->persist.log, man->settings.log_history_cache);
2046
log_history_resize (man->persist.echo, man->settings.echo_buffer_size);
2047
log_history_resize (man->persist.state, man->settings.state_buffer_size);
2048
2049
/*
2050
* If connection object is uninitialized and we are not doing
2051
* over-the-tunnel management, then open (listening) connection.
2052
*/
2053
if (man->connection.state == MS_INITIAL)
2054
{
2055
if (!man->settings.management_over_tunnel)
2056
{
2057
man_connection_init (man);
2058
ret = true;
2059
}
2060
}
2061
2062
return ret;
2063
}
2064
2065
void
2066
management_close (struct management *man)
2067
{
2068
man_connection_close (man);
2069
man_settings_close (&man->settings);
2070
man_persist_close (&man->persist);
2071
free (man);
2072
}
2073
2074
void
2075
management_set_callback (struct management *man,
2076
const struct management_callback *cb)
2077
{
2078
man->persist.standalone_disabled = true;
2079
man->persist.callback = *cb;
2080
}
2081
2082
void
2083
management_clear_callback (struct management *man)
2084
{
2085
man->persist.standalone_disabled = false;
2086
man->persist.hold_release = false;
2087
CLEAR (man->persist.callback);
2088
man_output_list_push (man, NULL); /* flush output queue */
2089
}
2090
2091
void
2092
management_set_state (struct management *man,
2093
const int state,
2094
const char *detail,
2095
const in_addr_t tun_local_ip,
2096
const in_addr_t tun_remote_ip)
2097
{
2098
if (man->persist.state && (!(man->settings.flags & MF_SERVER) || state < OPENVPN_STATE_CLIENT_BASE))
2099
{
2100
struct gc_arena gc = gc_new ();
2101
struct log_entry e;
2102
const char *out = NULL;
2103
2104
update_time ();
2105
CLEAR (e);
2106
e.timestamp = now;
2107
e.u.state = state;
2108
e.string = detail;
2109
e.local_ip = tun_local_ip;
2110
e.remote_ip = tun_remote_ip;
2111
2112
log_history_add (man->persist.state, &e);
2113
2114
if (man->connection.state_realtime)
2115
out = log_entry_print (&e, LOG_PRINT_STATE_PREFIX
2116
| LOG_PRINT_INT_DATE
2117
| LOG_PRINT_STATE
2118
| LOG_PRINT_LOCAL_IP
2119
| LOG_PRINT_REMOTE_IP
2120
| LOG_PRINT_CRLF
2121
| LOG_ECHO_TO_LOG, &gc);
2122
2123
if (out)
2124
man_output_list_push (man, out);
2125
2126
gc_free (&gc);
2127
}
2128
}
2129
2130
#ifdef MANAGEMENT_DEF_AUTH
2131
2132
static void
2133
man_output_env (const struct env_set *es, const bool tail)
2134
{
2135
if (es)
2136
{
2137
struct env_item *e;
2138
for (e = es->list; e != NULL; e = e->next)
2139
{
2140
if (e->string)
2141
msg (M_CLIENT, ">CLIENT:ENV,%s", e->string);
2142
}
2143
}
2144
if (tail)
2145
msg (M_CLIENT, ">CLIENT:ENV,END");
2146
}
2147
2148
static void
2149
man_output_extra_env (struct management *man)
2150
{
2151
struct gc_arena gc = gc_new ();
2152
struct env_set *es = env_set_create (&gc);
2153
if (man->persist.callback.n_clients)
2154
{
2155
const int nclients = (*man->persist.callback.n_clients) (man->persist.callback.arg);
2156
setenv_int (es, "n_clients", nclients);
2157
}
2158
man_output_env (es, false);
2159
gc_free (&gc);
2160
}
2161
2162
void
2163
management_notify_client_needing_auth (struct management *management,
2164
const unsigned int mda_key_id,
2165
struct man_def_auth_context *mdac,
2166
const struct env_set *es)
2167
{
2168
if (!(mdac->flags & DAF_CONNECTION_CLOSED))
2169
{
2170
const char *mode = "CONNECT";
2171
if (mdac->flags & DAF_CONNECTION_ESTABLISHED)
2172
mode = "REAUTH";
2173
msg (M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);
2174
man_output_extra_env (management);
2175
man_output_env (es, true);
2176
mdac->flags |= DAF_INITIAL_AUTH;
2177
}
2178
}
2179
2180
void
2181
management_connection_established (struct management *management,
2182
struct man_def_auth_context *mdac,
2183
const struct env_set *es)
2184
{
2185
mdac->flags |= DAF_CONNECTION_ESTABLISHED;
2186
msg (M_CLIENT, ">CLIENT:ESTABLISHED,%lu", mdac->cid);
2187
man_output_extra_env (management);
2188
man_output_env (es, true);
2189
}
2190
2191
void
2192
management_notify_client_close (struct management *management,
2193
struct man_def_auth_context *mdac,
2194
const struct env_set *es)
2195
{
2196
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2197
{
2198
msg (M_CLIENT, ">CLIENT:DISCONNECT,%lu", mdac->cid);
2199
man_output_env (es, true);
2200
mdac->flags |= DAF_CONNECTION_CLOSED;
2201
}
2202
}
2203
2204
void
2205
management_learn_addr (struct management *management,
2206
struct man_def_auth_context *mdac,
2207
const struct mroute_addr *addr,
2208
const bool primary)
2209
{
2210
struct gc_arena gc = gc_new ();
2211
if ((mdac->flags & DAF_INITIAL_AUTH) && !(mdac->flags & DAF_CONNECTION_CLOSED))
2212
{
2213
msg (M_CLIENT, ">CLIENT:ADDRESS,%lu,%s,%d",
2214
mdac->cid,
2215
mroute_addr_print_ex (addr, MAPF_SUBNET, &gc),
2216
BOOL_CAST (primary));
2217
}
2218
gc_free (&gc);
2219
}
2220
2221
#endif
2222
2223
void
2224
management_echo (struct management *man, const char *string, const bool pull)
2225
{
2226
if (man->persist.echo)
2227
{
2228
struct gc_arena gc = gc_new ();
2229
struct log_entry e;
2230
const char *out = NULL;
2231
2232
update_time ();
2233
CLEAR (e);
2234
e.timestamp = now;
2235
e.string = string;
2236
e.u.intval = BOOL_CAST (pull);
2237
2238
log_history_add (man->persist.echo, &e);
2239
2240
if (man->connection.echo_realtime)
2241
out = log_entry_print (&e, LOG_PRINT_INT_DATE|LOG_PRINT_ECHO_PREFIX|LOG_PRINT_CRLF|MANAGEMENT_ECHO_FLAGS, &gc);
2242
2243
if (out)
2244
man_output_list_push (man, out);
2245
2246
gc_free (&gc);
2247
}
2248
}
2249
2250
void
2251
management_post_tunnel_open (struct management *man, const in_addr_t tun_local_ip)
2252
{
2253
/*
2254
* If we are running management over the tunnel,
2255
* this is the place to initialize the connection.
2256
*/
2257
if (man->settings.management_over_tunnel
2258
&& man->connection.state == MS_INITIAL)
2259
{
2260
/* listen on our local TUN/TAP IP address */
2261
man->settings.local.sa.sin_addr.s_addr = htonl (tun_local_ip);
2262
man_connection_init (man);
2263
}
2264
2265
}
2266
2267
void
2268
management_pre_tunnel_close (struct management *man)
2269
{
2270
if (man->settings.management_over_tunnel)
2271
man_connection_close (man);
2272
}
2273
2274
void
2275
management_auth_failure (struct management *man, const char *type)
2276
{
2277
msg (M_CLIENT, ">PASSWORD:Verification Failed: '%s'", type);
2278
}
2279
2280
static inline bool
2281
man_persist_state (unsigned int *persistent, const int n)
2282
{
2283
if (persistent)
2284
{
2285
if (*persistent == (unsigned int)n)
2286
return false;
2287
*persistent = n;
2288
}
2289
return true;
2290
}
2291
2292
#ifdef WIN32
2293
2294
void
2295
management_socket_set (struct management *man,
2296
struct event_set *es,
2297
void *arg,
2298
unsigned int *persistent)
2299
{
2300
if (man->connection.state != MS_INITIAL)
2301
{
2302
event_t ev = net_event_win32_get_event (&man->connection.ne32);
2303
net_event_win32_reset_write (&man->connection.ne32);
2304
2305
switch (man->connection.state)
2306
{
2307
case MS_LISTEN:
2308
if (man_persist_state (persistent, 1))
2309
event_ctl (es, ev, EVENT_READ, arg);
2310
break;
2311
case MS_CC_WAIT_READ:
2312
if (man_persist_state (persistent, 2))
2313
event_ctl (es, ev, EVENT_READ, arg);
2314
break;
2315
case MS_CC_WAIT_WRITE:
2316
if (man_persist_state (persistent, 3))
2317
event_ctl (es, ev, EVENT_READ|EVENT_WRITE, arg);
2318
break;
2319
default:
2320
ASSERT (0);
2321
}
2322
}
2323
}
2324
2325
void
2326
management_io (struct management *man)
2327
{
2328
if (man->connection.state != MS_INITIAL)
2329
{
2330
long net_events;
2331
net_event_win32_reset (&man->connection.ne32);
2332
net_events = net_event_win32_get_event_mask (&man->connection.ne32);
2333
2334
if (net_events & FD_CLOSE)
2335
{
2336
man_reset_client_socket (man, false);
2337
}
2338
else
2339
{
2340
if (man->connection.state == MS_LISTEN)
2341
{
2342
if (net_events & FD_ACCEPT)
2343
{
2344
man_accept (man);
2345
net_event_win32_clear_selected_events (&man->connection.ne32, FD_ACCEPT);
2346
}
2347
}
2348
else if (man->connection.state == MS_CC_WAIT_READ)
2349
{
2350
if (net_events & FD_READ)
2351
{
2352
while (man_read (man) > 0)
2353
;
2354
net_event_win32_clear_selected_events (&man->connection.ne32, FD_READ);
2355
}
2356
}
2357
2358
if (man->connection.state == MS_CC_WAIT_WRITE)
2359
{
2360
if (net_events & FD_WRITE)
2361
{
2362
int status;
2363
/* dmsg (M_INFO, "FD_WRITE set"); */
2364
status = man_write (man);
2365
if (status < 0 && WSAGetLastError() == WSAEWOULDBLOCK)
2366
{
2367
/* dmsg (M_INFO, "FD_WRITE cleared"); */
2368
net_event_win32_clear_selected_events (&man->connection.ne32, FD_WRITE);
2369
}
2370
}
2371
}
2372
}
2373
}
2374
}
2375
2376
#else
2377
2378
void
2379
management_socket_set (struct management *man,
2380
struct event_set *es,
2381
void *arg,
2382
unsigned int *persistent)
2383
{
2384
switch (man->connection.state)
2385
{
2386
case MS_LISTEN:
2387
if (man_persist_state (persistent, 1))
2388
event_ctl (es, man->connection.sd_top, EVENT_READ, arg);
2389
break;
2390
case MS_CC_WAIT_READ:
2391
if (man_persist_state (persistent, 2))
2392
event_ctl (es, man->connection.sd_cli, EVENT_READ, arg);
2393
break;
2394
case MS_CC_WAIT_WRITE:
2395
if (man_persist_state (persistent, 3))
2396
event_ctl (es, man->connection.sd_cli, EVENT_WRITE, arg);
2397
break;
2398
case MS_INITIAL:
2399
break;
2400
default:
2401
ASSERT (0);
2402
}
2403
}
2404
2405
void
2406
management_io (struct management *man)
2407
{
2408
switch (man->connection.state)
2409
{
2410
case MS_LISTEN:
2411
man_accept (man);
2412
break;
2413
case MS_CC_WAIT_READ:
2414
man_read (man);
2415
break;
2416
case MS_CC_WAIT_WRITE:
2417
man_write (man);
2418
break;
2419
case MS_INITIAL:
2420
break;
2421
default:
2422
ASSERT (0);
2423
}
2424
}
2425
2426
#endif
2427
2428
static inline bool
2429
man_standalone_ok (const struct management *man)
2430
{
2431
return !man->settings.management_over_tunnel && man->connection.state != MS_INITIAL;
2432
}
2433
2434
static bool
2435
man_check_for_signals (volatile int *signal_received)
2436
{
2437
if (signal_received)
2438
{
2439
get_signal (signal_received);
2440
if (*signal_received)
2441
return true;
2442
}
2443
return false;
2444
}
2445
2446
/*
2447
* Wait for socket I/O when outside primary event loop
2448
*/
2449
static int
2450
man_block (struct management *man, volatile int *signal_received, const time_t expire)
2451
{
2452
struct timeval tv;
2453
struct event_set_return esr;
2454
int status = -1;
2455
2456
if (man_standalone_ok (man))
2457
{
2458
do
2459
{
2460
event_reset (man->connection.es);
2461
management_socket_set (man, man->connection.es, NULL, NULL);
2462
tv.tv_usec = 0;
2463
tv.tv_sec = 1;
2464
if (man_check_for_signals (signal_received))
2465
{
2466
status = -1;
2467
break;
2468
}
2469
status = event_wait (man->connection.es, &tv, &esr, 1);
2470
update_time ();
2471
if (man_check_for_signals (signal_received))
2472
{
2473
status = -1;
2474
break;
2475
}
2476
/* set SIGINT signal if expiration time exceeded */
2477
if (expire && now >= expire)
2478
{
2479
status = 0;
2480
if (signal_received)
2481
*signal_received = SIGINT;
2482
break;
2483
}
2484
} while (status != 1);
2485
}
2486
return status;
2487
}
2488
2489
/*
2490
* Perform management socket output outside primary event loop
2491
*/
2492
static void
2493
man_output_standalone (struct management *man, volatile int *signal_received)
2494
{
2495
if (man_standalone_ok (man))
2496
{
2497
while (man->connection.state == MS_CC_WAIT_WRITE)
2498
{
2499
management_io (man);
2500
if (man->connection.state == MS_CC_WAIT_WRITE)
2501
man_block (man, signal_received, 0);
2502
if (signal_received && *signal_received)
2503
break;
2504
}
2505
}
2506
}
2507
2508
/*
2509
* Process management event loop outside primary event loop
2510
*/
2511
static int
2512
man_standalone_event_loop (struct management *man, volatile int *signal_received, const time_t expire)
2513
{
2514
int status;
2515
ASSERT (man_standalone_ok (man));
2516
status = man_block (man, signal_received, expire);
2517
if (status > 0)
2518
management_io (man);
2519
return status;
2520
}
2521
2522
#define MWCC_PASSWORD_WAIT (1<<0)
2523
#define MWCC_HOLD_WAIT (1<<1)
2524
2525
/*
2526
* Block until client connects
2527
*/
2528
static void
2529
man_wait_for_client_connection (struct management *man,
2530
volatile int *signal_received,
2531
const time_t expire,
2532
unsigned int flags)
2533
{
2534
ASSERT (man_standalone_ok (man));
2535
if (man->connection.state == MS_LISTEN)
2536
{
2537
if (flags & MWCC_PASSWORD_WAIT)
2538
msg (D_MANAGEMENT, "Need password(s) from management interface, waiting...");
2539
if (flags & MWCC_HOLD_WAIT)
2540
msg (D_MANAGEMENT, "Need hold release from management interface, waiting...");
2541
do {
2542
man_standalone_event_loop (man, signal_received, expire);
2543
if (signal_received && *signal_received)
2544
break;
2545
} while (man->connection.state == MS_LISTEN || man_password_needed (man));
2546
}
2547
}
2548
2549
/*
2550
* Process the management event loop for sec seconds
2551
*/
2552
void
2553
management_event_loop_n_seconds (struct management *man, int sec)
2554
{
2555
if (man_standalone_ok (man))
2556
{
2557
volatile int signal_received = 0;
2558
const bool standalone_disabled_save = man->persist.standalone_disabled;
2559
time_t expire;
2560
2561
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
2562
2563
/* set expire time */
2564
update_time ();
2565
expire = now + sec;
2566
2567
/* if no client connection, wait for one */
2568
man_wait_for_client_connection (man, &signal_received, expire, 0);
2569
if (signal_received)
2570
return;
2571
2572
/* run command processing event loop until we get our username/password */
2573
while (true)
2574
{
2575
man_standalone_event_loop (man, &signal_received, expire);
2576
if (signal_received)
2577
return;
2578
}
2579
2580
/* revert state */
2581
man->persist.standalone_disabled = standalone_disabled_save;
2582
}
2583
else
2584
{
2585
sleep (sec);
2586
}
2587
}
2588
2589
/*
2590
* Get a username/password from management channel in standalone mode.
2591
*/
2592
bool
2593
management_query_user_pass (struct management *man,
2594
struct user_pass *up,
2595
const char *type,
2596
const unsigned int flags)
2597
{
2598
struct gc_arena gc = gc_new ();
2599
bool ret = false;
2600
2601
if (man_standalone_ok (man))
2602
{
2603
volatile int signal_received = 0;
2604
const bool standalone_disabled_save = man->persist.standalone_disabled;
2605
struct buffer alert_msg = alloc_buf_gc (128, &gc);
2606
const char *alert_type = NULL;
2607
const char *prefix = NULL;
2608
unsigned int up_query_mode = 0;
2609
2610
ret = true;
2611
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
2612
man->persist.special_state_msg = NULL;
2613
2614
CLEAR (man->connection.up_query);
2615
2616
if (flags & GET_USER_PASS_NEED_OK)
2617
{
2618
up_query_mode = UP_QUERY_NEED_OK;
2619
prefix= "NEED-OK";
2620
alert_type = "confirmation";
2621
}
2622
else if (flags & GET_USER_PASS_NEED_STR)
2623
{
2624
up_query_mode = UP_QUERY_NEED_STR;
2625
prefix= "NEED-STR";
2626
alert_type = "string";
2627
}
2628
else if (flags & GET_USER_PASS_PASSWORD_ONLY)
2629
{
2630
up_query_mode = UP_QUERY_PASS;
2631
prefix = "PASSWORD";
2632
alert_type = "password";
2633
}
2634
else
2635
{
2636
up_query_mode = UP_QUERY_USER_PASS;
2637
prefix = "PASSWORD";
2638
alert_type = "username/password";
2639
}
2640
buf_printf (&alert_msg, ">%s:Need '%s' %s",
2641
prefix,
2642
type,
2643
alert_type);
2644
2645
if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))
2646
buf_printf (&alert_msg, " MSG:%s", up->username);
2647
2648
man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
2649
if (signal_received)
2650
ret = false;
2651
2652
if (ret)
2653
{
2654
man->persist.special_state_msg = BSTR (&alert_msg);
2655
msg (M_CLIENT, "%s", man->persist.special_state_msg);
2656
2657
/* tell command line parser which info we need */
2658
man->connection.up_query_mode = up_query_mode;
2659
man->connection.up_query_type = type;
2660
2661
/* run command processing event loop until we get our username/password */
2662
do
2663
{
2664
man_standalone_event_loop (man, &signal_received, 0);
2665
if (signal_received)
2666
{
2667
ret = false;
2668
break;
2669
}
2670
} while (!man->connection.up_query.defined);
2671
}
2672
2673
/* revert state */
2674
man->connection.up_query_mode = UP_QUERY_DISABLED;
2675
man->connection.up_query_type = NULL;
2676
man->persist.standalone_disabled = standalone_disabled_save;
2677
man->persist.special_state_msg = NULL;
2678
2679
/* pass through blank passwords */
2680
if (!strcmp (man->connection.up_query.password, blank_up))
2681
CLEAR (man->connection.up_query.password);
2682
2683
/*
2684
* Transfer u/p to return object, zero any record
2685
* we hold in the management object.
2686
*/
2687
if (ret)
2688
{
2689
man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
2690
*up = man->connection.up_query;
2691
}
2692
CLEAR (man->connection.up_query);
2693
}
2694
2695
gc_free (&gc);
2696
return ret;
2697
}
2698
2699
/*
2700
* Return true if management_hold() would block
2701
*/
2702
bool
2703
management_would_hold (struct management *man)
2704
{
2705
return (man->settings.flags & MF_HOLD) && !man->persist.hold_release && man_standalone_ok (man);
2706
}
2707
2708
/*
2709
* Return true if (from the management interface's perspective) OpenVPN should
2710
* daemonize.
2711
*/
2712
bool
2713
management_should_daemonize (struct management *man)
2714
{
2715
return management_would_hold (man) || (man->settings.flags & MF_QUERY_PASSWORDS);
2716
}
2717
2718
/*
2719
* If the hold flag is enabled, hibernate until a management client releases the hold.
2720
* Return true if the caller should not sleep for an additional time interval.
2721
*/
2722
bool
2723
management_hold (struct management *man)
2724
{
2725
if (management_would_hold (man))
2726
{
2727
volatile int signal_received = 0;
2728
const bool standalone_disabled_save = man->persist.standalone_disabled;
2729
2730
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
2731
man->persist.special_state_msg = NULL;
2732
man->settings.mansig |= MANSIG_IGNORE_USR1_HUP;
2733
2734
man_wait_for_client_connection (man, &signal_received, 0, MWCC_HOLD_WAIT);
2735
2736
if (!signal_received)
2737
{
2738
man->persist.special_state_msg = ">HOLD:Waiting for hold release";
2739
msg (M_CLIENT, "%s", man->persist.special_state_msg);
2740
2741
/* run command processing event loop until we get our username/password */
2742
do
2743
{
2744
man_standalone_event_loop (man, &signal_received, 0);
2745
if (signal_received)
2746
break;
2747
} while (!man->persist.hold_release);
2748
}
2749
2750
/* revert state */
2751
man->persist.standalone_disabled = standalone_disabled_save;
2752
man->persist.special_state_msg = NULL;
2753
man->settings.mansig &= ~MANSIG_IGNORE_USR1_HUP;
2754
2755
return true;
2756
}
2757
return false;
2758
}
2759
2760
/*
2761
* struct command_line
2762
*/
2763
2764
struct command_line *
2765
command_line_new (const int buf_len)
2766
{
2767
struct command_line *cl;
2768
ALLOC_OBJ_CLEAR (cl, struct command_line);
2769
cl->buf = alloc_buf (buf_len);
2770
cl->residual = alloc_buf (buf_len);
2771
return cl;
2772
}
2773
2774
void
2775
command_line_reset (struct command_line *cl)
2776
{
2777
buf_clear (&cl->buf);
2778
buf_clear (&cl->residual);
2779
}
2780
2781
void
2782
command_line_free (struct command_line *cl)
2783
{
2784
command_line_reset (cl);
2785
free_buf (&cl->buf);
2786
free_buf (&cl->residual);
2787
free (cl);
2788
}
2789
2790
void
2791
command_line_add (struct command_line *cl, const unsigned char *buf, const int len)
2792
{
2793
int i;
2794
for (i = 0; i < len; ++i)
2795
{
2796
if (buf[i] && (isprint(buf[i]) || buf[i] == '\n'))
2797
{
2798
if (!buf_write_u8 (&cl->buf, buf[i]))
2799
buf_clear (&cl->buf);
2800
}
2801
}
2802
}
2803
2804
const unsigned char *
2805
command_line_get (struct command_line *cl)
2806
{
2807
int i;
2808
const unsigned char *ret = NULL;
2809
2810
i = buf_substring_len (&cl->buf, '\n');
2811
if (i >= 0)
2812
{
2813
buf_copy_excess (&cl->residual, &cl->buf, i);
2814
buf_chomp (&cl->buf);
2815
ret = (const unsigned char *) BSTR (&cl->buf);
2816
}
2817
return ret;
2818
}
2819
2820
void
2821
command_line_next (struct command_line *cl)
2822
{
2823
buf_clear (&cl->buf);
2824
buf_copy (&cl->buf, &cl->residual);
2825
buf_clear (&cl->residual);
2826
}
2827
2828
/*
2829
* struct log_entry
2830
*/
2831
2832
const char *
2833
log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena *gc)
2834
{
2835
struct buffer out = alloc_buf_gc (ERR_BUF_SIZE, gc);
2836
if (flags & LOG_FATAL_NOTIFY)
2837
buf_printf (&out, ">FATAL:");
2838
if (flags & LOG_PRINT_LOG_PREFIX)
2839
buf_printf (&out, ">LOG:");
2840
if (flags & LOG_PRINT_ECHO_PREFIX)
2841
buf_printf (&out, ">ECHO:");
2842
if (flags & LOG_PRINT_STATE_PREFIX)
2843
buf_printf (&out, ">STATE:");
2844
if (flags & LOG_PRINT_INT_DATE)
2845
buf_printf (&out, "%u,", (unsigned int)e->timestamp);
2846
if (flags & LOG_PRINT_MSG_FLAGS)
2847
buf_printf (&out, "%s,", msg_flags_string (e->u.msg_flags, gc));
2848
if (flags & LOG_PRINT_STATE)
2849
buf_printf (&out, "%s,", man_state_name (e->u.state));
2850
if (flags & LOG_PRINT_INTVAL)
2851
buf_printf (&out, "%d,", e->u.intval);
2852
if (e->string)
2853
buf_printf (&out, "%s", e->string);
2854
if (flags & LOG_PRINT_LOCAL_IP)
2855
buf_printf (&out, ",%s", print_in_addr_t (e->local_ip, IA_EMPTY_IF_UNDEF, gc));
2856
if (flags & LOG_PRINT_REMOTE_IP)
2857
buf_printf (&out, ",%s", print_in_addr_t (e->remote_ip, IA_EMPTY_IF_UNDEF, gc));
2858
if (flags & LOG_ECHO_TO_LOG)
2859
msg (D_MANAGEMENT, "MANAGEMENT: %s", BSTR (&out));
2860
if (flags & LOG_PRINT_CRLF)
2861
buf_printf (&out, "\r\n");
2862
return BSTR (&out);
2863
}
2864
2865
static void
2866
log_entry_free_contents (struct log_entry *e)
2867
{
2868
if (e->string)
2869
free ((char *)e->string);
2870
CLEAR (*e);
2871
}
2872
2873
/*
2874
* struct log_history
2875
*/
2876
2877
static inline int
2878
log_index (const struct log_history *h, int i)
2879
{
2880
return modulo_add (h->base, i, h->capacity);
2881
}
2882
2883
static void
2884
log_history_obj_init (struct log_history *h, int capacity)
2885
{
2886
CLEAR (*h);
2887
h->capacity = capacity;
2888
ALLOC_ARRAY_CLEAR (h->array, struct log_entry, capacity);
2889
}
2890
2891
struct log_history *
2892
log_history_init (const int capacity)
2893
{
2894
struct log_history *h;
2895
ASSERT (capacity > 0);
2896
ALLOC_OBJ (h, struct log_history);
2897
log_history_obj_init (h, capacity);
2898
return h;
2899
}
2900
2901
static void
2902
log_history_free_contents (struct log_history *h)
2903
{
2904
int i;
2905
for (i = 0; i < h->size; ++i)
2906
log_entry_free_contents (&h->array[log_index(h, i)]);
2907
free (h->array);
2908
}
2909
2910
void
2911
log_history_close (struct log_history *h)
2912
{
2913
log_history_free_contents (h);
2914
free (h);
2915
}
2916
2917
void
2918
log_history_add (struct log_history *h, const struct log_entry *le)
2919
{
2920
struct log_entry *e;
2921
ASSERT (h->size >= 0 && h->size <= h->capacity);
2922
if (h->size == h->capacity)
2923
{
2924
e = &h->array[h->base];
2925
log_entry_free_contents (e);
2926
h->base = log_index (h, 1);
2927
}
2928
else
2929
{
2930
e = &h->array[log_index(h, h->size)];
2931
++h->size;
2932
}
2933
2934
*e = *le;
2935
e->string = string_alloc (le->string, NULL);
2936
}
2937
2938
void
2939
log_history_resize (struct log_history *h, const int capacity)
2940
{
2941
if (capacity != h->capacity)
2942
{
2943
struct log_history newlog;
2944
int i;
2945
2946
ASSERT (capacity > 0);
2947
log_history_obj_init (&newlog, capacity);
2948
2949
for (i = 0; i < h->size; ++i)
2950
log_history_add (&newlog, &h->array[log_index(h, i)]);
2951
2952
log_history_free_contents (h);
2953
*h = newlog;
2954
}
2955
}
2956
2957
const struct log_entry *
2958
log_history_ref (const struct log_history *h, const int index)
2959
{
2960
if (index >= 0 && index < h->size)
2961
return &h->array[log_index(h, (h->size - 1) - index)];
2962
else
2963
return NULL;
2964
}
2965
2966
#else
2967
static void dummy(void) {}
2968
#endif /* ENABLE_MANAGEMENT */
Loggerhead is a web-based interface for Breezy
Version: 2.0.1