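/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/*
 * manage.h -- public interface of the management channel (manage.c).
 *
 * The management interface is a line-oriented control channel over a
 * TCP or unix-domain socket through which an external program can
 * query state, supply credentials and (optionally) decide client
 * authentication.  Everything reachable through it runs with the
 * privileges of the OpenVPN process, so the data below that controls
 * who may connect (address, password, unix-socket owner) is
 * security-relevant configuration, not just plumbing.
 */

#ifndef MANAGE_H
#define MANAGE_H

#ifdef ENABLE_MANAGEMENT

#include "misc.h"
#include "event.h"
#include "socket.h"
#include "mroute.h"

/* Protocol version reported to management clients. */
#define MANAGEMENT_VERSION                      1

/*
 * Upper bound on failed password attempts tolerated on one client
 * connection (tracked in man_connection.password_tries).  What happens
 * when the bound is reached is decided in manage.c, not here.
 */
#define MANAGEMENT_N_PASSWORD_RETRIES           3

/* Default ring sizes for the log / echo / state histories kept for
 * management clients (see struct log_history). */
#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE   100
#define MANAGEMENT_ECHO_BUFFER_SIZE           100
#define MANAGEMENT_STATE_BUFFER_SIZE          100

/*
 * Management-interface-based deferred authentication
 *
 * One context is kept per VPN client whose authentication decision is
 * delegated to the management client.  'cid' is the identifier by
 * which the management client refers to that VPN client.
 */
#ifdef MANAGEMENT_DEF_AUTH
struct man_def_auth_context {
  unsigned long cid;

#define DAF_CONNECTION_ESTABLISHED (1<<0)
#define DAF_CONNECTION_CLOSED      (1<<1)
#define DAF_INITIAL_AUTH           (1<<2)
  unsigned int flags;   /* DAF_x bits above */

  unsigned int mda_key_id_counter;

  time_t bytecount_last_update;   /* last time bytecounts were pushed for this client */
};
#endif

/*
 * Manage build-up of command line
 *
 * Accumulates raw bytes read from the management socket until a full
 * command line is available.  'buf' holds the line being assembled,
 * 'residual' whatever arrived after the line terminator.
 */
struct command_line
{
  struct buffer buf;
  struct buffer residual;
};

/* buf_len bounds the line buffer; the caller owns the returned object
 * and releases it with command_line_free. */
struct command_line *command_line_new (const int buf_len);
void command_line_free (struct command_line *cl);

/* Append len bytes of socket input.  How over-long input is handled is
 * implemented in manage.c -- confirm there before relying on it. */
void command_line_add (struct command_line *cl, const unsigned char *buf, const int len);
/* Returns the completed line, or NULL if none is complete yet
 * (presumed from the usage pattern; verify against manage.c). */
const unsigned char *command_line_get (struct command_line *cl);
void command_line_reset (struct command_line *cl);
/* Discard the current line and shift 'residual' in to start the next one. */
void command_line_next (struct command_line *cl);

/*
 * Manage log file history
 */

/* Payload of a log_entry; which member is meaningful depends on which
 * history (log / state / echo) the entry lives in. */
union log_entry_union {
  unsigned int msg_flags;
  int state;
  int intval;
};

struct log_entry
{
  time_t timestamp;
  const char *string;   /* NOTE(review): ownership/lifetime of this string is not visible here -- see log_history_add */
  in_addr_t local_ip;
  in_addr_t remote_ip;
  union log_entry_union u;
};

/* Formatting flags for log_entry_print: which prefix to emit ... */
#define LOG_PRINT_LOG_PREFIX   (1<<0)
#define LOG_PRINT_ECHO_PREFIX  (1<<1)
#define LOG_PRINT_STATE_PREFIX (1<<2)

/* ... which fields to include ... */
#define LOG_PRINT_INT_DATE     (1<<3)
#define LOG_PRINT_MSG_FLAGS    (1<<4)
#define LOG_PRINT_STATE        (1<<5)
#define LOG_PRINT_LOCAL_IP     (1<<6)

/* ... and framing / side effects. */
#define LOG_PRINT_CRLF         (1<<7)
#define LOG_FATAL_NOTIFY       (1<<8)

#define LOG_PRINT_INTVAL       (1<<9)

#define LOG_PRINT_REMOTE_IP    (1<<10)

#define LOG_ECHO_TO_LOG        (1<<11)

/* Render one entry as text according to LOG_x flags; the result is
 * allocated from gc and lives as long as that arena. */
const char *log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena *gc);

/*
 * Bounded history of log_entry records.  base/size/capacity look like
 * a ring buffer over 'array' (oldest entry at base); confirm the
 * indexing convention in log_history_add / log_history_ref.
 */
struct log_history
{
  int base;
  int size;
  int capacity;
  struct log_entry *array;
};

struct log_history *log_history_init (const int capacity);
void log_history_close (struct log_history *h);
void log_history_add (struct log_history *h, const struct log_entry *le);
void log_history_resize (struct log_history *h, const int capacity);
/* index is relative to the oldest entry; bounds handling is in manage.c. */
const struct log_entry *log_history_ref (const struct log_history *h, const int index);

/* Number of entries currently stored. */
static inline int
log_history_size (const struct log_history *h)
{
  return h->size;
}

/* Maximum number of entries before old ones are dropped. */
static inline int
log_history_capacity (const struct log_history *h)
{
  return h->capacity;
}

/*
 * Callbacks for 'status' and 'kill' commands.
 * Also for management-based deferred authentication and packet filter.
 *
 * These are the hooks through which a management client reaches back
 * into the running instance (kill sessions, approve/deny clients, push
 * per-client config or packet-filter rules).  'arg' is passed back to
 * every callback unchanged.  Where a struct buffer_list is marked
 * "ownership transferred", the callee must free it.
 */
struct management_callback
{
  void *arg;

# define MCF_SERVER (1<<0)  /* is OpenVPN being run as a server? */
  unsigned int flags;

  void (*status) (void *arg, const int version, struct status_output *so);
  void (*show_net) (void *arg, const int msglevel);
  int (*kill_by_cn) (void *arg, const char *common_name);
  int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port);
  void (*delete_event) (void *arg, event_t event);
  int (*n_clients) (void *arg);
#ifdef MANAGEMENT_DEF_AUTH
  bool (*kill_by_cid) (void *arg, const unsigned long cid, const char *kill_msg);
  /* Deliver the management client's auth verdict for (cid, mda_key_id);
   * cc_config, if non-NULL, is client-specific config to apply. */
  bool (*client_auth) (void *arg,
		       const unsigned long cid,
		       const unsigned int mda_key_id,
		       const bool auth,
		       const char *reason,
		       const char *client_reason,
		       struct buffer_list *cc_config); /* ownership transferred */
  char *(*get_peer_info) (void *arg, const unsigned long cid);
#endif
#ifdef MANAGEMENT_PF
  bool (*client_pf) (void *arg,
		     const unsigned long cid,
		     struct buffer_list *pf_config); /* ownership transferred */
#endif
  /* 'p' is the parsed command word vector from the management client
   * (presumably NULL-terminated -- confirm against manage.c). */
  bool (*proxy_cmd) (void *arg, const char **p);
  bool (*remote_cmd) (void *arg, const char **p);
};

/*
 * Management object, split into three components:
 *
 * struct man_persist : Data elements which are persistent across
 *                      man_connection open and close.
 *
 * struct man_settings : management parameters.
 *
 * struct man_connection : created on socket binding and listen,
 *                         deleted on socket unbind, may
 *                         handle multiple sequential client
 *                         connections.
 */

struct man_persist {
  bool defined;

  struct log_history *log;
  struct virtual_output vout;

  bool standalone_disabled;
  struct management_callback callback;

  struct log_history *echo;     /* saved --echo strings */
  struct log_history *state;

  bool hold_release;

  const char *special_state_msg;

  /* Client-mode traffic counters fed by management_bytes_in/out below. */
  counter_type bytes_in;
  counter_type bytes_out;
};

struct man_settings {
  bool defined;
  unsigned int flags;                /* MF_x flags */
  struct openvpn_sockaddr local;     /* address the interface listens on / connects to */
#if UNIX_SOCK_SUPPORT
  struct sockaddr_un local_unix;
#endif
  bool management_over_tunnel;
  /* Credentials a management client must present before commands are
   * accepted (see MANAGEMENT_N_PASSWORD_RETRIES). */
  struct user_pass up;
  int log_history_cache;
  int echo_buffer_size;
  int state_buffer_size;
  char *write_peer_info_file;
  /* Presumably the uid/gid that a unix-socket peer is required to have;
   * the actual check lives in manage.c/socket.c -- confirm there. */
  int client_uid;
  int client_gid;

/* flags for handling the management interface "signal" command */
# define MANSIG_IGNORE_USR1_HUP   (1<<0)
# define MANSIG_MAP_USR1_TO_HUP   (1<<1)
# define MANSIG_MAP_USR1_TO_TERM  (1<<2)
  unsigned int mansig;
};

/* up_query modes */
#define UP_QUERY_DISABLED  0
#define UP_QUERY_USER_PASS 1
#define UP_QUERY_PASS      2
#define UP_QUERY_NEED_OK   3
#define UP_QUERY_NEED_STR  4

/* states */
#define MS_INITIAL          0  /* all sockets are closed */
#define MS_LISTEN           1  /* no client is connected */
#define MS_CC_WAIT_READ     2  /* client is connected, waiting for read on socket */
#define MS_CC_WAIT_WRITE    3  /* client is connected, waiting for ability to write to socket */

struct man_connection {
  int state;                       /* MS_x state above */

  socket_descriptor_t sd_top;      /* listening socket */
  socket_descriptor_t sd_cli;      /* accepted client socket */
  struct openvpn_sockaddr remote;

#ifdef WIN32
  struct net_event_win32 ne32;
#endif

  bool halt;
  /* Per-connection password gate: commands require password_verified;
   * password_tries counts failures against MANAGEMENT_N_PASSWORD_RETRIES. */
  bool password_verified;
  int password_tries;

  struct command_line *in;
  struct buffer_list *out;

#ifdef MANAGEMENT_IN_EXTRA
  /* Multi-line input mode: which command the extra lines belong to. */
# define IEC_UNDEF       0
# define IEC_CLIENT_AUTH 1
# define IEC_CLIENT_PF   2
# define IEC_RSA_SIGN    3
  int in_extra_cmd;
  struct buffer_list *in_extra;
#ifdef MANAGEMENT_DEF_AUTH
  unsigned long in_extra_cid;
  unsigned int in_extra_kid;
#endif
/* NOTE: "MANAGMENT" (sic) is the historical spelling of this symbol;
 * it is presumably defined with the same spelling by the build system,
 * so it must not be corrected in this header alone. */
#ifdef MANAGMENT_EXTERNAL_KEY
# define EKS_UNDEF   0
# define EKS_SOLICIT 1
# define EKS_INPUT   2
# define EKS_READY   3
  int ext_key_state;
  struct buffer_list *ext_key_input;
#endif
#endif
  struct event_set *es;
  int env_filter_level;

  bool state_realtime;
  bool log_realtime;
  bool echo_realtime;
  int bytecount_update_seconds;    /* 0 disables periodic bytecount output */
  time_t bytecount_last_update;

  const char *up_query_type;
  int up_query_mode;               /* UP_QUERY_x */
  struct user_pass up_query;

#ifdef MANAGMENT_EXTERNAL_KEY
  struct buffer_list *rsa_sig;
#endif
};

struct management
{
  struct man_persist persist;
  struct man_settings settings;
  struct man_connection connection;
};

/* The single process-wide management object (NULL when not configured). */
extern struct management *management;

struct user_pass;

struct management *management_init (void);

/* management_open flags */
# define MF_SERVER            (1<<0)
# define MF_QUERY_PASSWORDS   (1<<1)
# define MF_HOLD              (1<<2)
# define MF_SIGNAL            (1<<3)
# define MF_FORGET_DISCONNECT (1<<4)
# define MF_CONNECT_AS_CLIENT (1<<5)
#ifdef MANAGEMENT_DEF_AUTH
# define MF_CLIENT_AUTH       (1<<6)
#endif
#ifdef MANAGEMENT_PF
# define MF_CLIENT_PF         (1<<7)
#endif
# define MF_UNIX_SOCK         (1<<8)
#ifdef MANAGMENT_EXTERNAL_KEY
# define MF_EXTERNAL_KEY      (1<<9)
#endif
#define MF_UP_DOWN            (1<<10)
#define MF_QUERY_REMOTE       (1<<11)
#define MF_QUERY_PROXY        (1<<12)

/*
 * Bind/listen (or connect, with MF_CONNECT_AS_CLIENT) the management
 * socket.  pass_file, if given, supplies the password clients must
 * present; client_user/client_group apply to unix sockets; remap_sigusr1
 * maps onto MANSIG_x.  Returns false on failure.
 */
bool management_open (struct management *man,
		      const char *addr,
		      const int port,
		      const char *pass_file,
		      const char *client_user,
		      const char *client_group,
		      const int log_history_cache,
		      const int echo_buffer_size,
		      const int state_buffer_size,
		      const char *write_peer_info_file,
		      const int remap_sigusr1,
		      const unsigned int flags);

void management_close (struct management *man);

void management_post_tunnel_open (struct management *man, const in_addr_t tun_local_ip);

void management_pre_tunnel_close (struct management *man);

/* Register the management sockets with the event set 'es'. */
void management_socket_set (struct management *man,
			    struct event_set *es,
			    void *arg,
			    unsigned int *persistent);

/* Service pending socket I/O and dispatch any completed commands. */
void management_io (struct management *man);

/* Install the callbacks a management client may invoke (copied). */
void management_set_callback (struct management *man,
			      const struct management_callback *cb);

void management_clear_callback (struct management *man);

/* Ask the management client for credentials of the given 'type';
 * blocks until answered or the interface goes away (see manage.c). */
bool management_query_user_pass (struct management *man,
				 struct user_pass *up,
				 const char *type,
				 const unsigned int flags,
				 const char *static_challenge);

bool management_should_daemonize (struct management *man);
bool management_would_hold (struct management *man);
bool management_hold (struct management *man);

void management_event_loop_n_seconds (struct management *man, int sec);

void management_up_down(struct management *man, const char *updown, const struct env_set *es);

void management_notify(struct management *man, const char *severity, const char *type, const char *text);

void management_notify_generic (struct management *man, const char *str);

#ifdef MANAGEMENT_DEF_AUTH
/* Deferred-auth notifications pushed to the management client; 'es'
 * is the environment describing the VPN client in question. */
void management_notify_client_needing_auth (struct management *management,
					    const unsigned int auth_id,
					    struct man_def_auth_context *mdac,
					    const struct env_set *es);

void management_connection_established (struct management *management,
					struct man_def_auth_context *mdac,
					const struct env_set *es);

void management_notify_client_close (struct management *management,
				     struct man_def_auth_context *mdac,
				     const struct env_set *es);

void management_learn_addr (struct management *management,
			    struct man_def_auth_context *mdac,
			    const struct mroute_addr *addr,
			    const bool primary);
#endif

#ifdef MANAGMENT_EXTERNAL_KEY

/* Ask the management client to sign b64_data with the external private
 * key; returns the base64 signature (caller frees) or NULL. */
char *management_query_rsa_sig (struct management *man, const char *b64_data);

#endif

/* True only while a management client is attached (MS_CC_WAIT_x). */
static inline bool
management_connected (const struct management *man)
{
  return man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE;
}

/* Whether credentials should be requested from the management client
 * rather than read from file/console. */
static inline bool
management_query_user_pass_enabled (const struct management *man)
{
  return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS);
}

static inline bool
management_query_remote_enabled (const struct management *man)
{
  return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE);
}

static inline bool
management_query_proxy_enabled (const struct management *man)
{
  return BOOL_CAST(man->settings.flags & MF_QUERY_PROXY);
}

#ifdef MANAGEMENT_PF
/* Unlike the predicates above, tolerates man == NULL (returns false). */
static inline bool
management_enable_pf (const struct management *man)
{
  return man && BOOL_CAST(man->settings.flags & MF_CLIENT_PF);
}
#endif

#ifdef MANAGEMENT_DEF_AUTH
/* Unlike the predicates above, tolerates man == NULL (returns false). */
static inline bool
management_enable_def_auth (const struct management *man)
{
  return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH);
}
#endif

/*
 * OpenVPN tells the management layer what state it's in
 */

/* client/server states */
#define OPENVPN_STATE_INITIAL       0  /* Initial, undefined state */
#define OPENVPN_STATE_CONNECTING    1  /* Management interface has been initialized */
#define OPENVPN_STATE_ASSIGN_IP     2  /* Assigning IP address to virtual network interface */
#define OPENVPN_STATE_ADD_ROUTES    3  /* Adding routes to system */
#define OPENVPN_STATE_CONNECTED     4  /* Initialization sequence completed */
#define OPENVPN_STATE_RECONNECTING  5  /* Restart */
#define OPENVPN_STATE_EXITING       6  /* Exit */

/* client-only states */
#define OPENVPN_STATE_WAIT          7  /* Waiting for initial response from server */
#define OPENVPN_STATE_AUTH          8  /* Authenticating with server */
#define OPENVPN_STATE_GET_CONFIG    9  /* Downloading configuration from server */
#define OPENVPN_STATE_RESOLVE      10  /* DNS lookup */
#define OPENVPN_STATE_TCP_CONNECT  11  /* Connecting to TCP server */

#define OPENVPN_STATE_CLIENT_BASE   7  /* Base index of client-only states */

void management_set_state (struct management *man,
			   const int state,
			   const char *detail,
			   const in_addr_t tun_local_ip,
			   const in_addr_t tun_remote_ip);

/*
 * The management object keeps track of OpenVPN --echo
 * parameters.
 */
void management_echo (struct management *man, const char *string, const bool pull);

/*
 * OpenVPN calls here to indicate a password failure
 */

void management_auth_failure (struct management *man, const char *type, const char *reason);

/*
 * Echo an authentication token to management interface
 */
void management_auth_token (struct management *man, const char *token);

/*
 * These functions drive the bytecount in/out counters.
 *
 * 'now' is the process-wide cached time maintained outside this header.
 */

void man_bytecount_output_client (struct management *man);

/* Emit a client bytecount report if periodic reporting is enabled and
 * the interval has elapsed since the last one. */
static inline void
man_bytecount_possible_output_client (struct management *man)
{
  if (man->connection.bytecount_update_seconds > 0
      && now >= man->connection.bytecount_last_update
      + man->connection.bytecount_update_seconds)
    man_bytecount_output_client (man);
}

/* 'size' is a signed int added to a counter_type (declared elsewhere);
 * callers pass byte counts of packets just sent/received. */
static inline void
management_bytes_out_client (struct management *man, const int size)
{
  man->persist.bytes_out += size;
  man_bytecount_possible_output_client (man);
}

static inline void
management_bytes_in_client (struct management *man, const int size)
{
  man->persist.bytes_in += size;
  man_bytecount_possible_output_client (man);
}

/* In server mode per-client counters are reported via
 * management_bytes_server instead, so these are client-only. */
static inline void
management_bytes_out (struct management *man, const int size)
{
  if (!(man->persist.callback.flags & MCF_SERVER))
    management_bytes_out_client (man, size);
}

static inline void
management_bytes_in (struct management *man, const int size)
{
  if (!(man->persist.callback.flags & MCF_SERVER))
    management_bytes_in_client (man, size);
}

#ifdef MANAGEMENT_DEF_AUTH

/* Declared at file scope (previously a block-scope prototype inside
 * management_bytes_server) so it matches man_bytecount_output_client
 * above and is visible to any caller including this header. */
void man_bytecount_output_server (struct management *man,
				  const counter_type *bytes_in_total,
				  const counter_type *bytes_out_total,
				  struct man_def_auth_context *mdac);

/* Per-client server-side bytecount report: only for clients whose
 * connection is established and not yet closed, and only once the
 * reporting interval has elapsed for that client. */
static inline void
management_bytes_server (struct management *man,
			 const counter_type *bytes_in_total,
			 const counter_type *bytes_out_total,
			 struct man_def_auth_context *mdac)
{
  if (man->connection.bytecount_update_seconds > 0
      && now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds
      && (mdac->flags & (DAF_CONNECTION_ESTABLISHED|DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED)
    man_bytecount_output_server (man, bytes_in_total, bytes_out_total, mdac);
}

#endif /* MANAGEMENT_DEF_AUTH */

#endif /* ENABLE_MANAGEMENT */
#endif /* MANAGE_H */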