1/*
2 *  OpenVPN -- An application to securely tunnel IP networks
3 *             over a single TCP/UDP port, with support for SSL/TLS-based
4 *             session authentication and key exchange,
5 *             packet encryption, packet authentication, and
6 *             packet compression.
7 *
8 *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 *  This program is free software; you can redistribute it and/or modify
11 *  it under the terms of the GNU General Public License version 2
12 *  as published by the Free Software Foundation.
13 *
14 *  This program is distributed in the hope that it will be useful,
15 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 *  GNU General Public License for more details.
18 *
19 *  You should have received a copy of the GNU General Public License
20 *  along with this program (see the file COPYING included with this
21 *  distribution); if not, write to the Free Software Foundation, Inc.,
22 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
23 */
24
25#ifndef MANAGE_H
26#define MANAGE_H
27
28#ifdef ENABLE_MANAGEMENT
29
30#include "misc.h"
31#include "event.h"
32#include "socket.h"
33#include "mroute.h"
34
35#define MANAGEMENT_VERSION                      1
36#define MANAGEMENT_N_PASSWORD_RETRIES           3
37#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE   100
38#define MANAGEMENT_ECHO_BUFFER_SIZE           100
39#define MANAGEMENT_STATE_BUFFER_SIZE          100
40
41/*
42 * Management-interface-based deferred authentication
43 */
44#ifdef MANAGEMENT_DEF_AUTH
/*
 * Per-client state for management-interface-based deferred authentication.
 * Only the layout is defined here; the fields are filled in and consumed by
 * code outside this header (manage.c and the server-side client handling).
 */
struct man_def_auth_context {
  unsigned long cid;               /* client id; presumably the cid handed to the
                                      kill_by_cid/client_auth callbacks below -- confirm in manage.c */

#define DAF_CONNECTION_ESTABLISHED (1<<0)
#define DAF_CONNECTION_CLOSED      (1<<1)
#define DAF_INITIAL_AUTH           (1<<2)
  unsigned int flags;              /* DAF_x bits.  management_bytes_server() below reports
                                      byte counts only while ESTABLISHED is set and CLOSED is clear */

  unsigned int mda_key_id_counter; /* counter behind the mda_key_id values passed to
                                      client_auth -- presumably; not used in this header */

  time_t bytecount_last_update;    /* compared against the global 'now' (declared elsewhere)
                                      in management_bytes_server() to rate-limit reports */
};
57#endif
58
59/*
60 * Manage build-up of command line
61 */
/*
 * Accumulator for an incoming management command line.
 * Callers go through the command_line_* functions declared below rather
 * than touching the buffers directly.
 */
struct command_line
{
  struct buffer buf;       /* line currently being assembled */
  struct buffer residual;  /* NOTE(review): presumably bytes received past the current
                              line, promoted by command_line_next() -- confirm in manage.c */
};
67
68struct command_line *command_line_new (const int buf_len);
69void command_line_free (struct command_line *cl);
70
71void command_line_add (struct command_line *cl, const unsigned char *buf, const int len);
72const unsigned char *command_line_get (struct command_line *cl);
73void command_line_reset (struct command_line *cl);
74void command_line_next (struct command_line *cl);
75
76/*
77 * Manage log file history
78 */
79
/*
 * Payload of a log_entry that depends on which history it lives in
 * (see the LOG_PRINT_MSG_FLAGS / LOG_PRINT_STATE / LOG_PRINT_INTVAL
 * flags below, which select the member log_entry_print() emits).
 */
union log_entry_union {
  unsigned int msg_flags;  /* message flags of a log line */
  int state;               /* an OPENVPN_STATE_x value for the state history */
  int intval;              /* generic integer payload */
};
85
/*
 * One record in a log_history (log lines, --echo strings, or state changes).
 * The string pointer is not owned by this struct as far as this header shows;
 * lifetime/ownership is handled by log_history_add()/log_history_close() in manage.c.
 */
struct log_entry
{
  time_t timestamp;        /* when the entry was recorded */
  const char *string;      /* entry text; ownership not visible here -- see log_history_add() */
  in_addr_t local_ip;      /* printed when LOG_PRINT_LOCAL_IP is set */
  in_addr_t remote_ip;     /* printed when LOG_PRINT_REMOTE_IP is set */
  union log_entry_union u; /* history-specific payload */
};
94
95#define LOG_PRINT_LOG_PREFIX   (1<<0)
96#define LOG_PRINT_ECHO_PREFIX  (1<<1)
97#define LOG_PRINT_STATE_PREFIX (1<<2)
98
99#define LOG_PRINT_INT_DATE     (1<<3)
100#define LOG_PRINT_MSG_FLAGS    (1<<4)
101#define LOG_PRINT_STATE        (1<<5)
102#define LOG_PRINT_LOCAL_IP     (1<<6)
103
104#define LOG_PRINT_CRLF         (1<<7)
105#define LOG_FATAL_NOTIFY       (1<<8)
106
107#define LOG_PRINT_INTVAL       (1<<9)
108
109#define LOG_PRINT_REMOTE_IP    (1<<10)
110
111#define LOG_ECHO_TO_LOG        (1<<11)
112
113const char *log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena *gc);
114
/*
 * Bounded history of log_entry records.
 * NOTE(review): base/size/capacity alongside a single array reads like a
 * ring buffer (base = oldest slot) -- confirm against log_history_add()
 * and log_history_ref() in manage.c before relying on that.
 */
struct log_history
{
  int base;                 /* index of the oldest entry (presumed) */
  int size;                 /* number of live entries; returned by log_history_size() */
  int capacity;             /* allocated slots; returned by log_history_capacity() */
  struct log_entry *array;  /* backing storage, capacity elements */
};
122
123struct log_history *log_history_init (const int capacity);
124void log_history_close (struct log_history *h);
125void log_history_add (struct log_history *h, const struct log_entry *le);
126void log_history_resize (struct log_history *h, const int capacity);
127const struct log_entry *log_history_ref (const struct log_history *h, const int index);
128
/* Number of entries currently held in the history. */
static inline int
log_history_size (const struct log_history *h)
{
  const int n_entries = h->size;
  return n_entries;
}
134
/* Maximum number of entries the history can hold before resizing. */
static inline int
log_history_capacity (const struct log_history *h)
{
  const int n_slots = h->capacity;
  return n_slots;
}
140
141/*
142 * Callbacks for 'status' and 'kill' commands.
143 * Also for management-based deferred authentication and packet filter.
144 */
/*
 * Callbacks for 'status' and 'kill' commands.
 * Also for management-based deferred authentication and packet filter.
 *
 * Every callback receives 'arg' as its first parameter.  The management
 * layer calls these in response to commands arriving on the management
 * socket, so implementations should treat string arguments (common names,
 * reasons, proxy/remote parameters) as untrusted input.
 */
struct management_callback
{
  void *arg;  /* opaque context passed back to every callback */

# define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */
  unsigned int flags;  /* MCF_x bits; MCF_SERVER disables the client-side byte
                          counters in management_bytes_in()/management_bytes_out() below */

  void (*status) (void *arg, const int version, struct status_output *so);
  void (*show_net) (void *arg, const int msglevel);
  int (*kill_by_cn) (void *arg, const char *common_name);
  int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port);
  void (*delete_event) (void *arg, event_t event);
  int (*n_clients) (void *arg);
#ifdef MANAGEMENT_DEF_AUTH
  bool (*kill_by_cid) (void *arg, const unsigned long cid, const char *kill_msg);
  /* Deliver the management interface's accept/deny verdict for a deferred auth
     request.  cc_config is handed over to the callee, which must release it. */
  bool (*client_auth) (void *arg,
		       const unsigned long cid,
		       const unsigned int mda_key_id,
		       const bool auth,
		       const char *reason,
		       const char *client_reason,
		       struct buffer_list *cc_config); /* ownership transferred */
  /* Returns a string for the given client; whether the caller must free it is
     not visible here -- check the implementation in the server code. */
  char *(*get_peer_info) (void *arg, const unsigned long cid);
#endif
#ifdef MANAGEMENT_PF
  /* Install a packet-filter config for a client; pf_config is handed over to the callee. */
  bool (*client_pf) (void *arg,
		     const unsigned long cid,
		     struct buffer_list *pf_config);   /* ownership transferred */
#endif
  /* 'p' is presumably the parsed argv-style parameter list of the command -- confirm in manage.c. */
  bool (*proxy_cmd) (void *arg, const char **p);
  bool (*remote_cmd) (void *arg, const char **p);
};
177
178/*
179 * Management object, split into three components:
180 *
181 * struct man_persist : Data elements which are persistent across
182 *                      man_connection open and close.
183 *
184 * struct man_settings : management parameters.
185 *
186 * struct man_connection : created on socket binding and listen,
187 *                         deleted on socket unbind, may
188 *                         handle multiple sequential client
189 *                         connections.
190 */
191
/*
 * Data that survives management connection open/close cycles
 * (see the component overview above).
 */
struct man_persist {
  bool defined;                    /* set once the object has been initialized */

  struct log_history *log;         /* log line history shown to management clients */
  struct virtual_output vout;      /* output sink the logger writes through */

  bool standalone_disabled;
  struct management_callback callback;  /* current callbacks; see management_set_callback()/management_clear_callback() */

  struct log_history *echo; /* saved --echo strings */
  struct log_history *state; /* OPENVPN_STATE_x transition history */

  bool hold_release;               /* NOTE(review): presumably set when a 'hold release' was received -- confirm */

  const char *special_state_msg;   /* lifetime of the pointed-to text is not visible in this header */

  counter_type bytes_in;           /* client-mode byte counters, advanced by */
  counter_type bytes_out;          /* management_bytes_in_client()/management_bytes_out_client() below */
};
211
/*
 * Management parameters, populated from the management_open() arguments.
 * Note the three independent flag words in this interface: settings.flags
 * holds MF_x bits, mansig holds MANSIG_x bits, and callback.flags holds MCF_x
 * bits -- MF_SERVER and MCF_SERVER are both (1<<0) but live in different words.
 */
struct man_settings {
  bool defined;
  unsigned int flags; /* MF_x flags */
  struct openvpn_sockaddr local;      /* address the management socket binds/connects to */
#if UNIX_SOCK_SUPPORT
  struct sockaddr_un local_unix;      /* path used with MF_UNIX_SOCK */
#endif
  bool management_over_tunnel;
  struct user_pass up;                /* credentials management clients must present;
                                         presumably loaded from management_open()'s pass_file -- confirm */
  int log_history_cache;              /* sizes for the three log_history objects in man_persist */
  int echo_buffer_size;
  int state_buffer_size;
  char *write_peer_info_file;
  int client_uid;                     /* NOTE(review): presumably the uid/gid permitted on a unix */
  int client_gid;                     /* management socket (client_user/client_group args) -- confirm */

/* flags for handling the management interface "signal" command */
# define MANSIG_IGNORE_USR1_HUP  (1<<0)
# define MANSIG_MAP_USR1_TO_HUP  (1<<1)
# define MANSIG_MAP_USR1_TO_TERM (1<<2)
  unsigned int mansig;
};
234
235/* up_query modes */
236#define UP_QUERY_DISABLED  0
237#define UP_QUERY_USER_PASS 1
238#define UP_QUERY_PASS      2
239#define UP_QUERY_NEED_OK   3
240#define UP_QUERY_NEED_STR  4
241
242/* states */
243#define MS_INITIAL          0  /* all sockets are closed */
244#define MS_LISTEN           1  /* no client is connected */
245#define MS_CC_WAIT_READ     2  /* client is connected, waiting for read on socket */
246#define MS_CC_WAIT_WRITE    3  /* client is connected, waiting for ability to write to socket */
247
/*
 * State of the management socket and of the client currently attached to it.
 * Created on bind/listen and deleted on unbind; may serve several sequential
 * client connections (see the component overview above).
 *
 * The macro MANAGMENT_EXTERNAL_KEY below is spelled without the second 'E'
 * throughout this header; it must stay that way unless every use in the
 * project is renamed together.
 */
struct man_connection {
  int state;                      /* one of the MS_x values above */

  socket_descriptor_t sd_top;     /* listening socket */
  socket_descriptor_t sd_cli;     /* accepted client socket */
  struct openvpn_sockaddr remote; /* peer address of the attached client */

#ifdef WIN32
  struct net_event_win32 ne32;
#endif

  bool halt;
  bool password_verified;         /* client has presented the management password */
  int password_tries;             /* failed attempts so far; MANAGEMENT_N_PASSWORD_RETRIES above is
                                     presumably the bound enforced in manage.c -- confirm */

  struct command_line *in;        /* incoming command accumulator */
  struct buffer_list *out;        /* pending output to the client */

#ifdef MANAGEMENT_IN_EXTRA
  /* Multi-line command being received: which command, and its accumulated lines. */
# define IEC_UNDEF       0
# define IEC_CLIENT_AUTH 1
# define IEC_CLIENT_PF   2
# define IEC_RSA_SIGN    3
  int in_extra_cmd;               /* IEC_x */
  struct buffer_list *in_extra;
#ifdef MANAGEMENT_DEF_AUTH
  unsigned long in_extra_cid;     /* cid/key id named by the in-progress client-auth command */
  unsigned int in_extra_kid;
#endif
#ifdef MANAGMENT_EXTERNAL_KEY
  /* State machine for obtaining an RSA signature from the management client. */
# define EKS_UNDEF   0
# define EKS_SOLICIT 1
# define EKS_INPUT   2
# define EKS_READY   3
  int ext_key_state;              /* EKS_x */
  struct buffer_list *ext_key_input;
#endif
#endif
  struct event_set *es;
  int env_filter_level;

  bool state_realtime;            /* push state/log/echo entries to the client as they happen */
  bool log_realtime;
  bool echo_realtime;
  int bytecount_update_seconds;   /* 0 disables periodic byte-count reports (see man_bytecount_possible_output_client()) */
  time_t bytecount_last_update;

  const char *up_query_type;      /* outstanding username/password query, if any */
  int up_query_mode;              /* UP_QUERY_x */
  struct user_pass up_query;

#ifdef MANAGMENT_EXTERNAL_KEY
  struct buffer_list *rsa_sig;    /* signature returned by the management client */
#endif
};
303
/*
 * The management object: persistent data, settings, and the current
 * socket/connection state, as described in the overview above.
 */
struct management
{
  struct man_persist persist;       /* survives connection open/close */
  struct man_settings settings;     /* parameters from management_open() */
  struct man_connection connection; /* socket and attached-client state */
};
310
311extern struct management *management;
312
313struct user_pass;
314
315struct management *management_init (void);
316
/* management_open flags */
/*
 * Bits of man_settings.flags (passed in as management_open()'s 'flags').
 * These are distinct from MCF_x (management_callback.flags) and MANSIG_x
 * (man_settings.mansig); MF_SERVER and MCF_SERVER share the value (1<<0)
 * only by coincidence.
 */
# define MF_SERVER            (1<<0)
# define MF_QUERY_PASSWORDS   (1<<1)
# define MF_HOLD              (1<<2)
# define MF_SIGNAL            (1<<3)
# define MF_FORGET_DISCONNECT (1<<4)
# define MF_CONNECT_AS_CLIENT (1<<5)
#ifdef MANAGEMENT_DEF_AUTH
# define MF_CLIENT_AUTH       (1<<6)
#endif
#ifdef MANAGEMENT_PF
# define MF_CLIENT_PF         (1<<7)
#endif
# define MF_UNIX_SOCK       (1<<8)
#ifdef MANAGMENT_EXTERNAL_KEY
# define MF_EXTERNAL_KEY    (1<<9)
#endif
#define MF_UP_DOWN          (1<<10)
#define MF_QUERY_REMOTE     (1<<11)
#define MF_QUERY_PROXY      (1<<12)
337
/*
 * Open the management interface.
 *
 * addr/port             address to listen on (or connect to, with MF_CONNECT_AS_CLIENT);
 *                       with MF_UNIX_SOCK, 'addr' is presumably the socket path -- confirm.
 * pass_file             presumably the file holding the password management clients must
 *                       present -- confirm; see password_verified/password_tries in man_connection.
 * client_user/group     presumably the user/group permitted on a unix management socket
 *                       (stored as client_uid/client_gid) -- confirm.
 * log_history_cache, echo_buffer_size, state_buffer_size
 *                       capacities of the three log_history objects in man_persist.
 * write_peer_info_file  file to write peer info to; may be NULL (inferred).
 * remap_sigusr1         mapped to the MANSIG_x bits of man_settings.mansig.
 * flags                 MF_x bits.
 *
 * Returns true on success; failure semantics are defined in manage.c.
 */
bool management_open (struct management *man,
		      const char *addr,
		      const int port,
		      const char *pass_file,
		      const char *client_user,
		      const char *client_group,
		      const int log_history_cache,
		      const int echo_buffer_size,
		      const int state_buffer_size,
		      const char *write_peer_info_file,
		      const int remap_sigusr1,
		      const unsigned int flags);
350
351void management_close (struct management *man);
352
353void management_post_tunnel_open (struct management *man, const in_addr_t tun_local_ip);
354
355void management_pre_tunnel_close (struct management *man);
356
357void management_socket_set (struct management *man,
358			    struct event_set *es,
359			    void *arg,
360			    unsigned int *persistent);
361
362void management_io (struct management *man);
363
364void management_set_callback (struct management *man,
365			      const struct management_callback *cb);
366
367void management_clear_callback (struct management *man);
368
/*
 * Ask the attached management client for credentials of the given 'type'
 * (the up_query_type stored in man_connection).  'up' receives the result;
 * 'flags' and 'static_challenge' shape the query -- their exact meaning is
 * defined in manage.c, not here.  Returns false when no answer was obtained.
 * Only meaningful when management_query_user_pass_enabled() is true.
 */
bool management_query_user_pass (struct management *man,
				 struct user_pass *up,
				 const char *type,
				 const unsigned int flags,
				 const char *static_challenge);
374
375bool management_should_daemonize (struct management *man);
376bool management_would_hold (struct management *man);
377bool management_hold (struct management *man);
378
379void management_event_loop_n_seconds (struct management *man, int sec);
380
381void management_up_down(struct management *man, const char *updown, const struct env_set *es);
382
383void management_notify(struct management *man, const char *severity, const char *type, const char *text);
384
385void management_notify_generic (struct management *man, const char *str);
386
387#ifdef MANAGEMENT_DEF_AUTH
388void management_notify_client_needing_auth (struct management *management,
389					    const unsigned int auth_id,
390					    struct man_def_auth_context *mdac,
391					    const struct env_set *es);
392
393void management_connection_established (struct management *management,
394					struct man_def_auth_context *mdac,
395					const struct env_set *es);
396
397void management_notify_client_close (struct management *management,
398				     struct man_def_auth_context *mdac,
399				     const struct env_set *es);
400
401void management_learn_addr (struct management *management,
402			    struct man_def_auth_context *mdac,
403			    const struct mroute_addr *addr,
404			    const bool primary);
405#endif
406
407#ifdef MANAGMENT_EXTERNAL_KEY
408
409char *management_query_rsa_sig (struct management *man, const char *b64_data);
410
411#endif
412
/*
 * True while a management client is attached, i.e. the connection is in
 * one of the two "client is connected" states.
 */
static inline bool
management_connected (const struct management *man)
{
  switch (man->connection.state)
    {
    case MS_CC_WAIT_READ:
    case MS_CC_WAIT_WRITE:
      return true;
    default:
      return false;
    }
}
418
/* True when the management interface was opened with MF_QUERY_PASSWORDS. */
static inline bool
management_query_user_pass_enabled (const struct management *man)
{
  const unsigned int mf = man->settings.flags;
  return BOOL_CAST(mf & MF_QUERY_PASSWORDS);
}
424
/* True when the management interface was opened with MF_QUERY_REMOTE. */
static inline bool
management_query_remote_enabled (const struct management *man)
{
  const unsigned int mf = man->settings.flags;
  return BOOL_CAST(mf & MF_QUERY_REMOTE);
}
430
/* True when the management interface was opened with MF_QUERY_PROXY. */
static inline bool
management_query_proxy_enabled (const struct management *man)
{
  const unsigned int mf = man->settings.flags;
  return BOOL_CAST(mf & MF_QUERY_PROXY);
}
436
437#ifdef MANAGEMENT_PF
/*
 * True when a management object exists and was opened with MF_CLIENT_PF.
 * Unlike the query_*_enabled helpers above, 'man' may be NULL here.
 */
static inline bool
management_enable_pf (const struct management *man)
{
  if (!man)
    return false;
  return BOOL_CAST(man->settings.flags & MF_CLIENT_PF);
}
443#endif
444
445#ifdef MANAGEMENT_DEF_AUTH
/*
 * True when a management object exists and was opened with MF_CLIENT_AUTH
 * (deferred authentication via the management interface).  'man' may be NULL.
 */
static inline bool
management_enable_def_auth (const struct management *man)
{
  if (!man)
    return false;
  return BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH);
}
451#endif
452
453/*
454 * OpenVPN tells the management layer what state it's in
455 */
456
457/* client/server states */
458#define OPENVPN_STATE_INITIAL       0  /* Initial, undefined state */
459#define OPENVPN_STATE_CONNECTING    1  /* Management interface has been initialized */
460#define OPENVPN_STATE_ASSIGN_IP     2  /* Assigning IP address to virtual network interface */
461#define OPENVPN_STATE_ADD_ROUTES    3  /* Adding routes to system */
462#define OPENVPN_STATE_CONNECTED     4  /* Initialization sequence completed */
463#define OPENVPN_STATE_RECONNECTING  5  /* Restart */
464#define OPENVPN_STATE_EXITING       6  /* Exit */
465
466/* client-only states */
467#define OPENVPN_STATE_WAIT          7  /* Waiting for initial response from server */
468#define OPENVPN_STATE_AUTH          8  /* Authenticating with server */
469#define OPENVPN_STATE_GET_CONFIG    9  /* Downloading configuration from server */
470#define OPENVPN_STATE_RESOLVE       10 /* DNS lookup */
471#define OPENVPN_STATE_TCP_CONNECT   11 /* Connecting to TCP server */
472
473#define OPENVPN_STATE_CLIENT_BASE   7  /* Base index of client-only states */
474
475void management_set_state (struct management *man,
476			   const int state,
477			   const char *detail,
478			   const in_addr_t tun_local_ip,
479			   const in_addr_t tun_remote_ip);
480
481/*
482 * The management object keeps track of OpenVPN --echo
483 * parameters.
484 */
485void management_echo (struct management *man, const char *string, const bool pull);
486
487/*
488 * OpenVPN calls here to indicate a password failure
489 */
490
491void management_auth_failure (struct management *man, const char *type, const char *reason);
492
493/*
494 * Echo an authentication token to management interface
495 */
496void management_auth_token (struct management *man, const char *token);
497
498/*
499 * These functions drive the bytecount in/out counters.
500 */
501
502void man_bytecount_output_client (struct management *man);
503
/*
 * Emit a client-mode bytecount report if periodic reporting is enabled
 * (bytecount_update_seconds > 0) and the interval has elapsed since the last
 * report.  'now' is the global current-time stamp declared elsewhere.
 */
static inline void
man_bytecount_possible_output_client (struct management *man)
{
  const int interval = man->connection.bytecount_update_seconds;

  if (interval <= 0)
    return;   /* periodic reporting is off */
  if (now < man->connection.bytecount_last_update + interval)
    return;   /* not due yet */

  man_bytecount_output_client (man);
}
512
/*
 * Account 'size' outgoing bytes in client mode and maybe emit a report.
 * 'size' is added to an unsigned counter_type; a negative value would
 * wrap the counter rather than be rejected.
 */
static inline void
management_bytes_out_client (struct management *man, const int size)
{
  struct man_persist *persist = &man->persist;

  persist->bytes_out += size;
  man_bytecount_possible_output_client (man);
}
519
/*
 * Account 'size' incoming bytes in client mode and maybe emit a report.
 * 'size' is added to an unsigned counter_type; a negative value would
 * wrap the counter rather than be rejected.
 */
static inline void
management_bytes_in_client (struct management *man, const int size)
{
  struct man_persist *persist = &man->persist;

  persist->bytes_in += size;
  man_bytecount_possible_output_client (man);
}
526
/*
 * Outgoing byte accounting entry point.  Only the client-side counters are
 * kept here; in server mode (MCF_SERVER set in callback.flags) per-client
 * counts are reported through management_bytes_server() instead.
 */
static inline void
management_bytes_out (struct management *man, const int size)
{
  const bool is_server = (man->persist.callback.flags & MCF_SERVER) != 0;

  if (is_server)
    return;
  management_bytes_out_client (man, size);
}
533
/*
 * Incoming byte accounting entry point.  Only the client-side counters are
 * kept here; in server mode (MCF_SERVER set in callback.flags) per-client
 * counts are reported through management_bytes_server() instead.
 */
static inline void
management_bytes_in (struct management *man, const int size)
{
  const bool is_server = (man->persist.callback.flags & MCF_SERVER) != 0;

  if (is_server)
    return;
  management_bytes_in_client (man, size);
}
540
541#ifdef MANAGEMENT_DEF_AUTH
542
/*
 * Server-mode byte-count reporting for one client.
 *
 * Reports through man_bytecount_output_server() (defined in manage.c; the
 * prototype is kept at block scope so it is not exported by this header)
 * when periodic reporting is enabled, the interval since the client's last
 * report has elapsed, and the client is established but not yet closed.
 * The checks are ordered so that 'mdac' is only dereferenced once reporting
 * is known to be enabled, as in the original formulation.
 */
static inline void
management_bytes_server (struct management *man,
			 const counter_type *bytes_in_total,
			 const counter_type *bytes_out_total,
			 struct man_def_auth_context *mdac)
{
  void man_bytecount_output_server (struct management *man,
				    const counter_type *bytes_in_total,
				    const counter_type *bytes_out_total,
				    struct man_def_auth_context *mdac);

  const int interval = man->connection.bytecount_update_seconds;

  if (interval <= 0)
    return;   /* periodic reporting is off */
  if (now < mdac->bytecount_last_update + interval)
    return;   /* this client's report is not due yet */
  /* established and not closed: both bits considered, only ESTABLISHED may be set */
  if ((mdac->flags & (DAF_CONNECTION_ESTABLISHED|DAF_CONNECTION_CLOSED)) != DAF_CONNECTION_ESTABLISHED)
    return;

  man_bytecount_output_server (man, bytes_in_total, bytes_out_total, mdac);
}
559
560#endif /* MANAGEMENT_DEF_AUTH */
561
562#endif
563#endif
564