2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
32 #ifdef ENABLE_MANAGEMENT
54 #define MANAGEMENT_ECHO_PULL_INFO 0
56 #if MANAGEMENT_ECHO_PULL_INFO
57 #define MANAGEMENT_ECHO_FLAGS LOG_PRINT_INTVAL
59 #define MANAGEMENT_ECHO_FLAGS 0
62 /* tag for blank username/password */
63 static const char blank_up
[] = "[[BLANK]]";
65 struct management
*management
; /* GLOBAL */
67 /* static forward declarations */
68 static void man_output_standalone(struct management
*man
, volatile int *signal_received
);
70 static void man_reset_client_socket(struct management
*man
, const bool exiting
);
75 msg(M_CLIENT
, "Management Interface for %s", title_string
);
76 msg(M_CLIENT
, "Commands:");
77 msg(M_CLIENT
, "auth-retry t : Auth failure retry mode (none,interact,nointeract).");
78 msg(M_CLIENT
, "bytecount n : Show bytes in/out, update every n secs (0=off).");
79 msg(M_CLIENT
, "echo [on|off] [N|all] : Like log, but only show messages in echo buffer.");
80 msg(M_CLIENT
, "cr-response response : Send a challenge response answer via CR_RESPONSE to server");
81 msg(M_CLIENT
, "exit|quit : Close management session.");
82 msg(M_CLIENT
, "forget-passwords : Forget passwords entered so far.");
83 msg(M_CLIENT
, "help : Print this message.");
84 msg(M_CLIENT
, "hold [on|off|release] : Set/show hold flag to on/off state, or");
85 msg(M_CLIENT
, " release current hold and start tunnel.");
86 msg(M_CLIENT
, "kill cn : Kill the client instance(s) having common name cn.");
87 msg(M_CLIENT
, "kill IP:port : Kill the client instance connecting from IP:port.");
88 msg(M_CLIENT
, "load-stats : Show global server load stats.");
89 msg(M_CLIENT
, "log [on|off] [N|all] : Turn on/off realtime log display");
90 msg(M_CLIENT
, " + show last N lines or 'all' for entire history.");
91 msg(M_CLIENT
, "mute [n] : Set log mute level to n, or show level if n is absent.");
92 msg(M_CLIENT
, "needok type action : Enter confirmation for NEED-OK request of 'type',");
93 msg(M_CLIENT
, " where action = 'ok' or 'cancel'.");
94 msg(M_CLIENT
, "needstr type action : Enter confirmation for NEED-STR request of 'type',");
95 msg(M_CLIENT
, " where action is reply string.");
96 msg(M_CLIENT
, "net : (Windows only) Show network info and routing table.");
97 msg(M_CLIENT
, "password type p : Enter password p for a queried OpenVPN password.");
98 msg(M_CLIENT
, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
99 msg(M_CLIENT
, "remote-entry-count : Get number of available remote entries.");
100 msg(M_CLIENT
, "remote-entry-get i|all [j]: Get remote entry at index = i to to j-1 or all.");
101 msg(M_CLIENT
, "proxy type [host port flags] : Enter dynamic proxy server info.");
102 msg(M_CLIENT
, "pid : Show process ID of the current OpenVPN process.");
104 msg(M_CLIENT
, "pkcs11-id-count : Get number of available PKCS#11 identities.");
105 msg(M_CLIENT
, "pkcs11-id-get index : Get PKCS#11 identity at index.");
107 msg(M_CLIENT
, "client-auth CID KID : Authenticate client-id/key-id CID/KID (MULTILINE)");
108 msg(M_CLIENT
, "client-auth-nt CID KID : Authenticate client-id/key-id CID/KID");
109 msg(M_CLIENT
, "client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason");
110 msg(M_CLIENT
, " text R and optional client reason text CR");
111 msg(M_CLIENT
, "client-pending-auth CID MSG timeout : Instruct OpenVPN to send AUTH_PENDING and INFO_PRE msg");
112 msg(M_CLIENT
, " to the client and wait for a final client-auth/client-deny");
113 msg(M_CLIENT
, "client-kill CID [M] : Kill client instance CID with message M (def=RESTART)");
114 msg(M_CLIENT
, "env-filter [level] : Set env-var filter level");
115 msg(M_CLIENT
, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge");
116 msg(M_CLIENT
, " Enter signature base64 on subsequent lines followed by END");
117 msg(M_CLIENT
, "pk-sig : Enter a signature in response to >PK_SIGN challenge");
118 msg(M_CLIENT
, " Enter signature base64 on subsequent lines followed by END");
119 msg(M_CLIENT
, "certificate : Enter a client certificate in response to >NEED-CERT challenge");
120 msg(M_CLIENT
, " Enter certificate base64 on subsequent lines followed by END");
121 msg(M_CLIENT
, "signal s : Send signal s to daemon,");
122 msg(M_CLIENT
, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
123 msg(M_CLIENT
, "state [on|off] [N|all] : Like log, but show state history.");
124 msg(M_CLIENT
, "status [n] : Show current daemon status info using format #n.");
125 msg(M_CLIENT
, "test n : Produce n lines of output for testing/debugging.");
126 msg(M_CLIENT
, "username type u : Enter username u for a queried OpenVPN username.");
127 msg(M_CLIENT
, "verb [n] : Set log verbosity level to n, or show if n is absent.");
128 msg(M_CLIENT
, "version [n] : Set client's version to n or show current version of daemon.");
129 msg(M_CLIENT
, "END");
133 man_state_name(const int state
)
137 case OPENVPN_STATE_INITIAL
:
140 case OPENVPN_STATE_CONNECTING
:
143 case OPENVPN_STATE_WAIT
:
146 case OPENVPN_STATE_AUTH
:
149 case OPENVPN_STATE_GET_CONFIG
:
152 case OPENVPN_STATE_ASSIGN_IP
:
155 case OPENVPN_STATE_ADD_ROUTES
:
158 case OPENVPN_STATE_CONNECTED
:
161 case OPENVPN_STATE_RECONNECTING
:
162 return "RECONNECTING";
164 case OPENVPN_STATE_EXITING
:
167 case OPENVPN_STATE_RESOLVE
:
170 case OPENVPN_STATE_TCP_CONNECT
:
171 return "TCP_CONNECT";
173 case OPENVPN_STATE_AUTH_PENDING
:
174 return "AUTH_PENDING";
182 man_welcome(struct management
*man
)
184 msg(M_CLIENT
, ">INFO:OpenVPN Management Interface Version %d -- type 'help' for more info",
186 if (man
->persist
.special_state_msg
)
188 msg(M_CLIENT
, "%s", man
->persist
.special_state_msg
);
193 man_password_needed(struct management
*man
)
195 return man
->settings
.up
.defined
&& !man
->connection
.password_verified
;
199 man_check_password(struct management
*man
, const char *line
)
201 if (man_password_needed(man
))
203 /* This comparison is not fixed time but since strlen(time) is based on
204 * the attacker choice, it should not give any indication of the real
205 * password length, use + 1 to include the NUL byte that terminates the
207 size_t compare_len
= min_uint(strlen(line
) + 1, sizeof(man
->settings
.up
.password
));
208 if (memcmp_constant_time(line
, man
->settings
.up
.password
, compare_len
) == 0)
210 man
->connection
.password_verified
= true;
211 msg(M_CLIENT
, "SUCCESS: password is correct");
216 man
->connection
.password_verified
= false;
217 msg(M_CLIENT
, "ERROR: bad password");
218 if (++man
->connection
.password_tries
>= MANAGEMENT_N_PASSWORD_RETRIES
)
220 msg(M_WARN
, "MAN: client connection rejected after %d failed password attempts",
221 MANAGEMENT_N_PASSWORD_RETRIES
);
222 man
->connection
.halt
= true;
229 man_update_io_state(struct management
*man
)
231 if (socket_defined(man
->connection
.sd_cli
))
233 if (buffer_list_defined(man
->connection
.out
))
235 man
->connection
.state
= MS_CC_WAIT_WRITE
;
239 man
->connection
.state
= MS_CC_WAIT_READ
;
245 man_output_list_push_finalize(struct management
*man
)
247 if (management_connected(man
))
249 man_update_io_state(man
);
250 if (!man
->persist
.standalone_disabled
)
252 volatile int signal_received
= 0;
253 man_output_standalone(man
, &signal_received
);
259 man_output_list_push_str(struct management
*man
, const char *str
)
261 if (management_connected(man
) && str
)
263 buffer_list_push(man
->connection
.out
, str
);
268 man_output_list_push(struct management
*man
, const char *str
)
270 man_output_list_push_str(man
, str
);
271 man_output_list_push_finalize(man
);
275 man_prompt(struct management
*man
)
277 if (man_password_needed(man
))
279 man_output_list_push(man
, "ENTER PASSWORD:");
281 #if 0 /* should we use prompt? */
284 man_output_list_push(man
, ">");
290 man_delete_unix_socket(struct management
*man
)
292 #if UNIX_SOCK_SUPPORT
293 if ((man
->settings
.flags
& (MF_UNIX_SOCK
|MF_CONNECT_AS_CLIENT
)) == MF_UNIX_SOCK
)
295 socket_delete_unix(&man
->settings
.local_unix
);
301 man_close_socket(struct management
*man
, const socket_descriptor_t sd
)
305 * Windows doesn't need this because the ne32 event is permanently
306 * enabled at struct management scope.
308 if (man
->persist
.callback
.delete_event
)
310 (*man
->persist
.callback
.delete_event
)(man
->persist
.callback
.arg
, sd
);
313 openvpn_close_socket(sd
);
317 virtual_output_callback_func(void *arg
, const unsigned int flags
, const char *str
)
319 struct management
*man
= (struct management
*) arg
;
320 static int recursive_level
= 0; /* GLOBAL */
322 #define AF_DID_PUSH (1<<0)
323 #define AF_DID_RESET (1<<1)
324 if (recursive_level
< 5) /* limit recursion */
326 struct gc_arena gc
= gc_new();
328 const char *out
= NULL
;
329 unsigned int action_flags
= 0;
336 e
.u
.msg_flags
= flags
;
341 man
->persist
.standalone_disabled
= false;
344 if (flags
!= M_CLIENT
)
346 log_history_add(man
->persist
.log
, &e
);
349 if (!man_password_needed(man
))
351 if (flags
== M_CLIENT
)
353 out
= log_entry_print(&e
, LOG_PRINT_CRLF
, &gc
);
355 else if (man
->connection
.log_realtime
)
357 out
= log_entry_print(&e
, LOG_PRINT_INT_DATE
358 | LOG_PRINT_MSG_FLAGS
359 | LOG_PRINT_LOG_PREFIX
360 | LOG_PRINT_CRLF
, &gc
);
364 man_output_list_push_str(man
, out
);
365 action_flags
|= AF_DID_PUSH
;
369 out
= log_entry_print(&e
, LOG_FATAL_NOTIFY
|LOG_PRINT_CRLF
, &gc
);
372 man_output_list_push_str(man
, out
);
373 action_flags
|= (AF_DID_PUSH
|AF_DID_RESET
);
380 if (action_flags
& AF_DID_PUSH
)
382 man_output_list_push_finalize(man
);
384 if (action_flags
& AF_DID_RESET
)
386 man_reset_client_socket(man
, true);
393 /* cannot use msg here */
394 printf("virtual_output: message to management interface "
395 "dropped due to recursion: <%s>\n", str
);
400 * Given a signal, return the signal with possible remapping applied,
401 * or -1 if the signal should be ignored.
404 man_mod_signal(const struct management
*man
, const int signum
)
406 const unsigned int flags
= man
->settings
.mansig
;
410 if (flags
& MANSIG_MAP_USR1_TO_HUP
)
414 if (flags
& MANSIG_MAP_USR1_TO_TERM
)
419 if (flags
& MANSIG_IGNORE_USR1_HUP
)
421 if (s
== SIGHUP
|| s
== SIGUSR1
)
430 man_signal(struct management
*man
, const char *name
)
432 const int sig
= parse_signal(name
);
435 const int sig_mod
= man_mod_signal(man
, sig
);
438 throw_signal(sig_mod
);
439 msg(M_CLIENT
, "SUCCESS: signal %s thrown", signal_name(sig_mod
, true));
443 msg(M_CLIENT
, "ERROR: signal '%s' is currently ignored", name
);
444 if (man
->persist
.special_state_msg
)
446 msg(M_CLIENT
, "%s", man
->persist
.special_state_msg
);
452 msg(M_CLIENT
, "ERROR: signal '%s' is not a known signal type", name
);
457 man_command_unsupported(const char *command_name
)
459 msg(M_CLIENT
, "ERROR: The '%s' command is not supported by the current daemon mode", command_name
);
463 man_status(struct management
*man
, const int version
, struct status_output
*so
)
465 if (man
->persist
.callback
.status
)
467 (*man
->persist
.callback
.status
)(man
->persist
.callback
.arg
, version
, so
);
471 man_command_unsupported("status");
476 man_bytecount(struct management
*man
, const int update_seconds
)
478 if (update_seconds
> 0)
480 man
->connection
.bytecount_update_seconds
= update_seconds
;
481 event_timeout_init(&man
->connection
.bytecount_update_interval
,
482 man
->connection
.bytecount_update_seconds
,
487 man
->connection
.bytecount_update_seconds
= 0;
488 event_timeout_clear(&man
->connection
.bytecount_update_interval
);
490 msg(M_CLIENT
, "SUCCESS: bytecount interval changed");
494 man_bytecount_output_client(struct management
*man
,
495 counter_type dco_read_bytes
,
496 counter_type dco_write_bytes
)
501 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
502 openvpn_snprintf(in
, sizeof(in
), counter_format
, man
->persist
.bytes_in
+ dco_read_bytes
);
503 openvpn_snprintf(out
, sizeof(out
), counter_format
, man
->persist
.bytes_out
+ dco_write_bytes
);
504 msg(M_CLIENT
, ">BYTECOUNT:%s,%s", in
, out
);
508 man_bytecount_output_server(const counter_type
*bytes_in_total
,
509 const counter_type
*bytes_out_total
,
510 struct man_def_auth_context
*mdac
)
514 /* do in a roundabout way to work around possible mingw or mingw-glibc bug */
515 openvpn_snprintf(in
, sizeof(in
), counter_format
, *bytes_in_total
);
516 openvpn_snprintf(out
, sizeof(out
), counter_format
, *bytes_out_total
);
517 msg(M_CLIENT
, ">BYTECOUNT_CLI:%lu,%s,%s", mdac
->cid
, in
, out
);
518 mdac
->bytecount_last_update
= now
;
522 man_kill(struct management
*man
, const char *victim
)
524 struct gc_arena gc
= gc_new();
526 if (man
->persist
.callback
.kill_by_cn
&& man
->persist
.callback
.kill_by_addr
)
533 buf_set_read(&buf
, (uint8_t *) victim
, strlen(victim
) + 1);
534 buf_parse(&buf
, ':', p1
, sizeof(p1
));
535 buf_parse(&buf
, ':', p2
, sizeof(p2
));
537 if (strlen(p1
) && strlen(p2
))
539 /* IP:port specified */
541 const in_addr_t addr
= getaddr(GETADDR_HOST_ORDER
|GETADDR_MSG_VIRT_OUT
, p1
, 0, &status
, NULL
);
544 const int port
= atoi(p2
);
545 if (port
> 0 && port
< 65536)
547 n_killed
= (*man
->persist
.callback
.kill_by_addr
)(man
->persist
.callback
.arg
, addr
, port
);
550 msg(M_CLIENT
, "SUCCESS: %d client(s) at address %s:%d killed",
552 print_in_addr_t(addr
, 0, &gc
),
557 msg(M_CLIENT
, "ERROR: client at address %s:%d not found",
558 print_in_addr_t(addr
, 0, &gc
),
564 msg(M_CLIENT
, "ERROR: port number is out of range: %s", p2
);
569 msg(M_CLIENT
, "ERROR: error parsing IP address: %s", p1
);
574 /* common name specified */
575 n_killed
= (*man
->persist
.callback
.kill_by_cn
)(man
->persist
.callback
.arg
, p1
);
578 msg(M_CLIENT
, "SUCCESS: common name '%s' found, %d client(s) killed", p1
, n_killed
);
582 msg(M_CLIENT
, "ERROR: common name '%s' not found", p1
);
587 msg(M_CLIENT
, "ERROR: kill parse");
592 man_command_unsupported("kill");
599 * General-purpose history command handler
600 * for the log and echo commands.
603 man_history(struct management
*man
,
606 struct log_history
*log
,
608 const unsigned int lep_flags
)
610 struct gc_arena gc
= gc_new();
613 if (streq(parm
, "on"))
616 msg(M_CLIENT
, "SUCCESS: real-time %s notification set to ON", type
);
618 else if (streq(parm
, "off"))
621 msg(M_CLIENT
, "SUCCESS: real-time %s notification set to OFF", type
);
623 else if (streq(parm
, "all") || (n
= atoi(parm
)) > 0)
625 const int size
= log_history_size(log
);
626 const int start
= (n
? n
: size
) - 1;
629 for (i
= start
; i
>= 0; --i
)
631 const struct log_entry
*e
= log_history_ref(log
, i
);
634 const char *out
= log_entry_print(e
, lep_flags
, &gc
);
635 virtual_output_callback_func(man
, M_CLIENT
, out
);
638 msg(M_CLIENT
, "END");
642 msg(M_CLIENT
, "ERROR: %s parameter must be 'on' or 'off' or some number n or 'all'", type
);
649 man_log(struct management
*man
, const char *parm
)
655 &man
->connection
.log_realtime
,
656 LOG_PRINT_INT_DATE
|LOG_PRINT_MSG_FLAGS
);
660 man_echo(struct management
*man
, const char *parm
)
666 &man
->connection
.echo_realtime
,
667 LOG_PRINT_INT_DATE
|MANAGEMENT_ECHO_FLAGS
);
671 man_state(struct management
*man
, const char *parm
)
677 &man
->connection
.state_realtime
,
678 LOG_PRINT_INT_DATE
|LOG_PRINT_STATE
679 |LOG_PRINT_LOCAL_IP
|LOG_PRINT_REMOTE_IP
);
683 man_up_finalize(struct management
*man
)
685 switch (man
->connection
.up_query_mode
)
687 case UP_QUERY_USER_PASS
:
688 if (!strlen(man
->connection
.up_query
.username
))
695 case UP_QUERY_NEED_OK
:
696 case UP_QUERY_NEED_STR
:
697 if (strlen(man
->connection
.up_query
.password
))
699 man
->connection
.up_query
.defined
= true;
703 case UP_QUERY_DISABLED
:
704 man
->connection
.up_query
.defined
= false;
713 man_query_user_pass(struct management
*man
,
723 ASSERT(man
->connection
.up_query_type
);
724 if (streq(man
->connection
.up_query_type
, type
))
726 strncpynt(dest
, string
, len
);
727 man_up_finalize(man
);
728 msg(M_CLIENT
, "SUCCESS: '%s' %s entered, but not yet verified",
734 msg(M_CLIENT
, "ERROR: %s of type '%s' entered, but we need one of type '%s'",
737 man
->connection
.up_query_type
);
742 msg(M_CLIENT
, "ERROR: no %s is currently needed at this time", prompt
);
747 man_query_username(struct management
*man
, const char *type
, const char *string
)
749 const bool needed
= ((man
->connection
.up_query_mode
== UP_QUERY_USER_PASS
750 ) && man
->connection
.up_query_type
);
751 man_query_user_pass(man
, type
, string
, needed
, "username", man
->connection
.up_query
.username
, USER_PASS_LEN
);
755 man_query_password(struct management
*man
, const char *type
, const char *string
)
757 const bool needed
= ((man
->connection
.up_query_mode
== UP_QUERY_PASS
758 || man
->connection
.up_query_mode
== UP_QUERY_USER_PASS
759 ) && man
->connection
.up_query_type
);
760 if (!string
[0]) /* allow blank passwords to be passed through using the blank_up tag */
764 man_query_user_pass(man
, type
, string
, needed
, "password", man
->connection
.up_query
.password
, USER_PASS_LEN
);
768 man_query_need_ok(struct management
*man
, const char *type
, const char *action
)
770 const bool needed
= ((man
->connection
.up_query_mode
== UP_QUERY_NEED_OK
) && man
->connection
.up_query_type
);
771 man_query_user_pass(man
, type
, action
, needed
, "needok-confirmation", man
->connection
.up_query
.password
, USER_PASS_LEN
);
775 man_query_need_str(struct management
*man
, const char *type
, const char *action
)
777 const bool needed
= ((man
->connection
.up_query_mode
== UP_QUERY_NEED_STR
) && man
->connection
.up_query_type
);
778 man_query_user_pass(man
, type
, action
, needed
, "needstr-string", man
->connection
.up_query
.password
, USER_PASS_LEN
);
782 man_forget_passwords(struct management
*man
)
784 ssl_purge_auth(false);
785 (void)ssl_clean_auth_token();
786 msg(M_CLIENT
, "SUCCESS: Passwords were forgotten");
790 man_net(struct management
*man
)
792 if (man
->persist
.callback
.show_net
)
794 (*man
->persist
.callback
.show_net
)(man
->persist
.callback
.arg
, M_CLIENT
);
798 man_command_unsupported("net");
803 man_send_cc_message(struct management
*man
, const char *message
, const char *parameters
)
805 if (man
->persist
.callback
.send_cc_message
)
807 const bool status
= (*man
->persist
.callback
.send_cc_message
)
808 (man
->persist
.callback
.arg
, message
, parameters
);
811 msg(M_CLIENT
, "SUCCESS: command succeeded");
815 msg(M_CLIENT
, "ERROR: command failed");
820 man_command_unsupported("cr-repsonse");
826 man_pkcs11_id_count(struct management
*man
)
828 msg(M_CLIENT
, ">PKCS11ID-COUNT:%d", pkcs11_management_id_count());
832 man_pkcs11_id_get(struct management
*man
, const int index
)
837 if (pkcs11_management_id_get(index
, &id
, &base64
))
839 msg(M_CLIENT
, ">PKCS11ID-ENTRY:'%d', ID:'%s', BLOB:'%s'", index
, id
, base64
);
843 msg(M_CLIENT
, ">PKCS11ID-ENTRY:'%d'", index
);
850 #endif /* ifdef ENABLE_PKCS11 */
853 man_remote_entry_count(struct management
*man
)
856 if (man
->persist
.callback
.remote_entry_count
)
858 count
= (*man
->persist
.callback
.remote_entry_count
)(man
->persist
.callback
.arg
);
859 msg(M_CLIENT
, "%u", count
);
860 msg(M_CLIENT
, "END");
864 man_command_unsupported("remote-entry-count");
869 man_remote_entry_get(struct management
*man
, const char *p1
, const char *p2
)
873 if (man
->persist
.callback
.remote_entry_get
874 && man
->persist
.callback
.remote_entry_count
)
876 unsigned int count
= (*man
->persist
.callback
.remote_entry_count
)(man
->persist
.callback
.arg
);
878 unsigned int from
= (unsigned int) atoi(p1
);
879 unsigned int to
= p2
? (unsigned int) atoi(p2
) : from
+ 1;
881 if (!strcmp(p1
, "all"))
887 for (unsigned int i
= from
; i
< min_uint(to
, count
); i
++)
890 bool res
= (*man
->persist
.callback
.remote_entry_get
)(man
->persist
.callback
.arg
, i
, &remote
);
893 msg(M_CLIENT
, "%u,%s", i
, remote
);
897 msg(M_CLIENT
, "END");
901 man_command_unsupported("remote-entry-get");
906 man_hold(struct management
*man
, const char *cmd
)
910 if (streq(cmd
, "on"))
912 man
->settings
.flags
|= MF_HOLD
;
913 msg(M_CLIENT
, "SUCCESS: hold flag set to ON");
915 else if (streq(cmd
, "off"))
917 man
->settings
.flags
&= ~MF_HOLD
;
918 msg(M_CLIENT
, "SUCCESS: hold flag set to OFF");
920 else if (streq(cmd
, "release"))
922 man
->persist
.hold_release
= true;
923 msg(M_CLIENT
, "SUCCESS: hold release succeeded");
927 msg(M_CLIENT
, "ERROR: bad hold command parameter");
932 msg(M_CLIENT
, "SUCCESS: hold=%d", BOOL_CAST(man
->settings
.flags
& MF_HOLD
));
940 in_extra_reset(struct man_connection
*mc
, const int mode
)
946 mc
->in_extra_cmd
= IEC_UNDEF
;
947 mc
->in_extra_cid
= 0;
948 mc
->in_extra_kid
= 0;
952 buffer_list_free(mc
->in_extra
);
957 mc
->in_extra
= buffer_list_new();
963 in_extra_dispatch(struct management
*man
)
965 switch (man
->connection
.in_extra_cmd
)
967 case IEC_CLIENT_AUTH
:
968 if (man
->persist
.callback
.client_auth
)
970 const bool status
= (*man
->persist
.callback
.client_auth
)
971 (man
->persist
.callback
.arg
,
972 man
->connection
.in_extra_cid
,
973 man
->connection
.in_extra_kid
,
977 man
->connection
.in_extra
);
978 man
->connection
.in_extra
= NULL
;
981 msg(M_CLIENT
, "SUCCESS: client-auth command succeeded");
985 msg(M_CLIENT
, "ERROR: client-auth command failed");
990 man_command_unsupported("client-auth");
995 man
->connection
.ext_key_state
= EKS_READY
;
996 buffer_list_free(man
->connection
.ext_key_input
);
997 man
->connection
.ext_key_input
= man
->connection
.in_extra
;
998 man
->connection
.in_extra
= NULL
;
1001 case IEC_CERTIFICATE
:
1002 man
->connection
.ext_cert_state
= EKS_READY
;
1003 buffer_list_free(man
->connection
.ext_cert_input
);
1004 man
->connection
.ext_cert_input
= man
->connection
.in_extra
;
1005 man
->connection
.in_extra
= NULL
;
1008 in_extra_reset(&man
->connection
, IER_RESET
);
1012 parse_cid(const char *str
, unsigned long *cid
)
1014 if (sscanf(str
, "%lu", cid
) == 1)
1020 msg(M_CLIENT
, "ERROR: cannot parse CID");
1026 parse_uint(const char *str
, const char *what
, unsigned int *uint
)
1028 if (sscanf(str
, "%u", uint
) == 1)
1034 msg(M_CLIENT
, "ERROR: cannot parse %s", what
);
1040 * Will send a notification to the client that succesful authentication
1041 * will require an additional step (web based SSO/2-factor auth/etc)
1043 * @param man The management interface struct
1044 * @param cid_str The CID in string form
1045 * @param extra The string to be send to the client containing
1046 * the information of the additional steps
1049 man_client_pending_auth(struct management
*man
, const char *cid_str
,
1050 const char *extra
, const char *timeout_str
)
1052 unsigned long cid
= 0;
1053 unsigned int timeout
= 0;
1054 if (parse_cid(cid_str
, &cid
)
1055 && parse_uint(timeout_str
, "TIMEOUT", &timeout
))
1057 if (man
->persist
.callback
.client_pending_auth
)
1059 bool ret
= (*man
->persist
.callback
.client_pending_auth
)
1060 (man
->persist
.callback
.arg
, cid
, extra
, timeout
);
1064 msg(M_CLIENT
, "SUCCESS: client-pending-auth command succeeded");
1068 msg(M_CLIENT
, "ERROR: client-pending-auth command failed."
1069 " Extra parameter might be too long");
1074 man_command_unsupported("client-pending-auth");
1080 man_client_auth(struct management
*man
, const char *cid_str
, const char *kid_str
, const bool extra
)
1082 struct man_connection
*mc
= &man
->connection
;
1083 mc
->in_extra_cid
= 0;
1084 mc
->in_extra_kid
= 0;
1085 if (parse_cid(cid_str
, &mc
->in_extra_cid
)
1086 && parse_uint(kid_str
, "KID", &mc
->in_extra_kid
))
1088 mc
->in_extra_cmd
= IEC_CLIENT_AUTH
;
1089 in_extra_reset(mc
, IER_NEW
);
1092 in_extra_dispatch(man
);
1098 man_client_deny(struct management
*man
, const char *cid_str
, const char *kid_str
, const char *reason
, const char *client_reason
)
1100 unsigned long cid
= 0;
1101 unsigned int kid
= 0;
1102 if (parse_cid(cid_str
, &cid
) && parse_uint(kid_str
, "KID", &kid
))
1104 if (man
->persist
.callback
.client_auth
)
1106 const bool status
= (*man
->persist
.callback
.client_auth
)
1107 (man
->persist
.callback
.arg
,
1116 msg(M_CLIENT
, "SUCCESS: client-deny command succeeded");
1120 msg(M_CLIENT
, "ERROR: client-deny command failed");
1125 man_command_unsupported("client-deny");
1131 man_client_kill(struct management
*man
, const char *cid_str
, const char *kill_msg
)
1133 unsigned long cid
= 0;
1134 if (parse_cid(cid_str
, &cid
))
1136 if (man
->persist
.callback
.kill_by_cid
)
1138 const bool status
= (*man
->persist
.callback
.kill_by_cid
)(man
->persist
.callback
.arg
, cid
, kill_msg
);
1141 msg(M_CLIENT
, "SUCCESS: client-kill command succeeded");
1145 msg(M_CLIENT
, "ERROR: client-kill command failed");
1150 man_command_unsupported("client-kill");
1156 man_client_n_clients(struct management
*man
)
1158 if (man
->persist
.callback
.n_clients
)
1160 const int nclients
= (*man
->persist
.callback
.n_clients
)(man
->persist
.callback
.arg
);
1161 msg(M_CLIENT
, "SUCCESS: nclients=%d", nclients
);
1165 man_command_unsupported("nclients");
1170 man_env_filter(struct management
*man
, const int level
)
1172 man
->connection
.env_filter_level
= level
;
1173 msg(M_CLIENT
, "SUCCESS: env_filter_level=%d", level
);
1178 man_pk_sig(struct management
*man
, const char *cmd_name
)
1180 struct man_connection
*mc
= &man
->connection
;
1181 if (mc
->ext_key_state
== EKS_SOLICIT
)
1183 mc
->ext_key_state
= EKS_INPUT
;
1184 mc
->in_extra_cmd
= IEC_PK_SIGN
;
1185 in_extra_reset(mc
, IER_NEW
);
1189 msg(M_CLIENT
, "ERROR: The %s command is not currently available", cmd_name
);
1194 man_certificate(struct management
*man
)
1196 struct man_connection
*mc
= &man
->connection
;
1197 if (mc
->ext_cert_state
== EKS_SOLICIT
)
1199 mc
->ext_cert_state
= EKS_INPUT
;
1200 mc
->in_extra_cmd
= IEC_CERTIFICATE
;
1201 in_extra_reset(mc
, IER_NEW
);
1205 msg(M_CLIENT
, "ERROR: The certificate command is not currently available");
1210 man_load_stats(struct management
*man
)
1212 extern counter_type link_read_bytes_global
;
1213 extern counter_type link_write_bytes_global
;
1216 if (man
->persist
.callback
.n_clients
)
1218 nclients
= (*man
->persist
.callback
.n_clients
)(man
->persist
.callback
.arg
);
1220 msg(M_CLIENT
, "SUCCESS: nclients=%d,bytesin=" counter_format
",bytesout=" counter_format
,
1222 link_read_bytes_global
,
1223 link_write_bytes_global
);
1226 #define MN_AT_LEAST (1<<0)
1228 * Checks if the correct number of arguments to a management command are present
1229 * and otherwise prints an error and returns false.
1231 * @param p pointer to the parameter array
1232 * @param n number of arguments required
1233 * @param flags if MN_AT_LEAST require at least n parameters and not exactly n
1234 * @return Return whether p has n (or at least n) parameters
1237 man_need(struct management
*man
, const char **p
, const int n
, unsigned int flags
)
1241 for (i
= 1; i
<= n
; ++i
)
1245 msg(M_CLIENT
, "ERROR: the '%s' command requires %s%d parameter%s",
1247 (flags
& MN_AT_LEAST
) ? "at least " : "",
1257 man_proxy(struct management
*man
, const char **p
)
1259 if (man
->persist
.callback
.proxy_cmd
)
1261 const bool status
= (*man
->persist
.callback
.proxy_cmd
)(man
->persist
.callback
.arg
, p
);
1264 msg(M_CLIENT
, "SUCCESS: proxy command succeeded");
1268 msg(M_CLIENT
, "ERROR: proxy command failed");
1273 man_command_unsupported("proxy");
1278 man_remote(struct management
*man
, const char **p
)
1280 if (man
->persist
.callback
.remote_cmd
)
1282 const bool status
= (*man
->persist
.callback
.remote_cmd
)(man
->persist
.callback
.arg
, p
);
1285 msg(M_CLIENT
, "SUCCESS: remote command succeeded");
1289 msg(M_CLIENT
, "ERROR: remote command failed");
1294 man_command_unsupported("remote");
1298 #ifdef TARGET_ANDROID
1300 man_network_change(struct management
*man
, bool samenetwork
)
1302 /* Called to signal the OpenVPN that the network configuration has changed and
1303 * the client should either float or reconnect.
1305 * The code is currently only used by ics-openvpn
1307 if (man
->persist
.callback
.network_change
)
1309 int fd
= (*man
->persist
.callback
.network_change
)
1310 (man
->persist
.callback
.arg
, samenetwork
);
1311 man
->connection
.fdtosend
= fd
;
1312 msg(M_CLIENT
, "PROTECTFD: fd '%d' sent to be protected", fd
);
1315 man_signal(man
, "SIGUSR1");
1322 set_client_version(struct management
*man
, const char *version
)
1326 man
->connection
.client_version
= atoi(version
);
1331 man_dispatch_command(struct management
*man
, struct status_output
*so
, const char **p
, const int nparms
)
1333 struct gc_arena gc
= gc_new();
1336 if (streq(p
[0], "exit") || streq(p
[0], "quit"))
1338 man
->connection
.halt
= true;
1341 else if (streq(p
[0], "help"))
1345 else if (streq(p
[0], "version") && p
[1])
1347 set_client_version(man
, p
[1]);
1349 else if (streq(p
[0], "version"))
1351 msg(M_CLIENT
, "OpenVPN Version: %s", title_string
);
1352 msg(M_CLIENT
, "Management Version: %d", MANAGEMENT_VERSION
);
1353 msg(M_CLIENT
, "END");
1355 else if (streq(p
[0], "pid"))
1357 msg(M_CLIENT
, "SUCCESS: pid=%d", platform_getpid());
1359 else if (streq(p
[0], "nclients"))
1361 man_client_n_clients(man
);
1363 else if (streq(p
[0], "env-filter"))
1370 man_env_filter(man
, level
);
1372 else if (streq(p
[0], "signal"))
1374 if (man_need(man
, p
, 1, 0))
1376 man_signal(man
, p
[1]);
1379 #ifdef TARGET_ANDROID
1380 else if (streq(p
[0], "network-change"))
1382 bool samenetwork
= false;
1383 if (p
[1] && streq(p
[1], "samenetwork"))
1388 man_network_change(man
, samenetwork
);
1391 else if (streq(p
[0], "load-stats"))
1393 man_load_stats(man
);
1395 else if (streq(p
[0], "status"))
1400 version
= atoi(p
[1]);
1402 man_status(man
, version
, so
);
1404 else if (streq(p
[0], "kill"))
1406 if (man_need(man
, p
, 1, 0))
1408 man_kill(man
, p
[1]);
1411 else if (streq(p
[0], "verb"))
1415 const int level
= atoi(p
[1]);
1416 if (set_debug_level(level
, 0))
1418 msg(M_CLIENT
, "SUCCESS: verb level changed");
1422 msg(M_CLIENT
, "ERROR: verb level is out of range");
1427 msg(M_CLIENT
, "SUCCESS: verb=%d", get_debug_level());
1430 else if (streq(p
[0], "mute"))
1434 const int level
= atoi(p
[1]);
1435 if (set_mute_cutoff(level
))
1437 msg(M_CLIENT
, "SUCCESS: mute level changed");
1441 msg(M_CLIENT
, "ERROR: mute level is out of range");
1446 msg(M_CLIENT
, "SUCCESS: mute=%d", get_mute_cutoff());
1449 else if (streq(p
[0], "auth-retry"))
1453 if (auth_retry_set(M_CLIENT
, p
[1]))
1455 msg(M_CLIENT
, "SUCCESS: auth-retry parameter changed");
1459 msg(M_CLIENT
, "ERROR: bad auth-retry parameter");
1464 msg(M_CLIENT
, "SUCCESS: auth-retry=%s", auth_retry_print());
1467 else if (streq(p
[0], "state"))
1471 man_state(man
, "1");
1477 man_state(man
, p
[1]);
1481 man_state(man
, p
[2]);
1485 else if (streq(p
[0], "log"))
1487 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1499 else if (streq(p
[0], "echo"))
1501 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1505 man_echo(man
, p
[1]);
1509 man_echo(man
, p
[2]);
1513 else if (streq(p
[0], "username"))
1515 if (man_need(man
, p
, 2, 0))
1517 man_query_username(man
, p
[1], p
[2]);
1520 else if (streq(p
[0], "password"))
1522 if (man_need(man
, p
, 2, 0))
1524 man_query_password(man
, p
[1], p
[2]);
1527 else if (streq(p
[0], "forget-passwords"))
1529 man_forget_passwords(man
);
1531 else if (streq(p
[0], "needok"))
1533 if (man_need(man
, p
, 2, 0))
1535 man_query_need_ok(man
, p
[1], p
[2]);
1538 else if (streq(p
[0], "needstr"))
1540 if (man_need(man
, p
, 2, 0))
1542 man_query_need_str(man
, p
[1], p
[2]);
1545 else if (streq(p
[0], "cr-response"))
1547 if (man_need(man
, p
, 1, 0))
1549 man_send_cc_message(man
, "CR_RESPONSE", p
[1]);
1552 else if (streq(p
[0], "net"))
1556 else if (streq(p
[0], "hold"))
1558 man_hold(man
, p
[1]);
1560 else if (streq(p
[0], "bytecount"))
1562 if (man_need(man
, p
, 1, 0))
1564 man_bytecount(man
, atoi(p
[1]));
1567 else if (streq(p
[0], "client-kill"))
1569 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1571 man_client_kill(man
, p
[1], p
[2]);
1574 else if (streq(p
[0], "client-deny"))
1576 if (man_need(man
, p
, 3, MN_AT_LEAST
))
1578 man_client_deny(man
, p
[1], p
[2], p
[3], p
[4]);
1581 else if (streq(p
[0], "client-auth-nt"))
1583 if (man_need(man
, p
, 2, 0))
1585 man_client_auth(man
, p
[1], p
[2], false);
1588 else if (streq(p
[0], "client-auth"))
1590 if (man_need(man
, p
, 2, 0))
1592 man_client_auth(man
, p
[1], p
[2], true);
1595 else if (streq(p
[0], "client-pending-auth"))
1597 if (man_need(man
, p
, 3, 0))
1599 man_client_pending_auth(man
, p
[1], p
[2], p
[3]);
1602 else if (streq(p
[0], "rsa-sig"))
1604 man_pk_sig(man
, "rsa-sig");
1606 else if (streq(p
[0], "pk-sig"))
1608 man_pk_sig(man
, "pk-sig");
1610 else if (streq(p
[0], "certificate"))
1612 man_certificate(man
);
1614 #ifdef ENABLE_PKCS11
1615 else if (streq(p
[0], "pkcs11-id-count"))
1617 man_pkcs11_id_count(man
);
1619 else if (streq(p
[0], "pkcs11-id-get"))
1621 if (man_need(man
, p
, 1, 0))
1623 man_pkcs11_id_get(man
, atoi(p
[1]));
1627 else if (streq(p
[0], "remote-entry-count"))
1629 man_remote_entry_count(man
);
1631 else if (streq(p
[0], "remote-entry-get"))
1633 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1635 man_remote_entry_get(man
, p
[1], p
[2]);
1638 else if (streq(p
[0], "proxy"))
1640 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1645 else if (streq(p
[0], "remote"))
1647 if (man_need(man
, p
, 1, MN_AT_LEAST
))
1653 else if (streq(p
[0], "test"))
1655 if (man_need(man
, p
, 1, 0))
1658 const int n
= atoi(p
[1]);
1659 for (i
= 0; i
< n
; ++i
)
1661 msg(M_CLIENT
, "[%d] The purpose of this command is to generate large amounts of output.", i
);
1668 msg(M_CLIENT
, "ERROR: unknown command, enter 'help' for more options");
1678 man_start_ne32(struct management
*man
)
1680 switch (man
->connection
.state
)
1683 net_event_win32_start(&man
->connection
.ne32
, FD_ACCEPT
, man
->connection
.sd_top
);
1686 case MS_CC_WAIT_READ
:
1687 case MS_CC_WAIT_WRITE
:
1688 net_event_win32_start(&man
->connection
.ne32
, FD_READ
|FD_WRITE
|FD_CLOSE
, man
->connection
.sd_cli
);
1697 man_stop_ne32(struct management
*man
)
1699 net_event_win32_stop(&man
->connection
.ne32
);
1702 #endif /* ifdef _WIN32 */
1705 man_connection_settings_reset(struct management
*man
)
1707 man
->connection
.state_realtime
= false;
1708 man
->connection
.log_realtime
= false;
1709 man
->connection
.echo_realtime
= false;
1710 man
->connection
.bytecount_update_seconds
= 0;
1711 man
->connection
.password_verified
= false;
1712 man
->connection
.password_tries
= 0;
1713 man
->connection
.halt
= false;
1714 man
->connection
.state
= MS_CC_WAIT_WRITE
;
1718 man_new_connection_post(struct management
*man
, const char *description
)
1720 struct gc_arena gc
= gc_new();
1722 set_nonblock(man
->connection
.sd_cli
);
1724 man_connection_settings_reset(man
);
1727 man_start_ne32(man
);
1730 #if UNIX_SOCK_SUPPORT
1731 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1733 msg(D_MANAGEMENT
, "MANAGEMENT: %s %s",
1735 sockaddr_unix_name(&man
->settings
.local_unix
, "NULL"));
1739 if (man
->settings
.flags
& MF_CONNECT_AS_CLIENT
)
1741 msg(D_MANAGEMENT
, "MANAGEMENT: %s %s",
1743 print_sockaddr(man
->settings
.local
->ai_addr
, &gc
));
1747 struct sockaddr_storage addr
;
1748 socklen_t addrlen
= sizeof(addr
);
1749 if (!getpeername(man
->connection
.sd_cli
, (struct sockaddr
*) &addr
,
1752 msg(D_MANAGEMENT
, "MANAGEMENT: %s %s", description
,
1753 print_sockaddr((struct sockaddr
*) &addr
, &gc
));
1757 msg(D_MANAGEMENT
, "MANAGEMENT: %s %s", description
, "unknown");
1761 buffer_list_reset(man
->connection
.out
);
1763 if (!man_password_needed(man
))
1768 man_update_io_state(man
);
1773 #if UNIX_SOCK_SUPPORT
1775 man_verify_unix_peer_uid_gid(struct management
*man
, const socket_descriptor_t sd
)
1777 if (socket_defined(sd
) && (man
->settings
.client_uid
!= -1 || man
->settings
.client_gid
!= -1))
1779 static const char err_prefix
[] = "MANAGEMENT: unix domain socket client connection rejected --";
1781 if (unix_socket_get_peer_uid_gid(man
->connection
.sd_cli
, &uid
, &gid
))
1783 if (man
->settings
.client_uid
!= -1 && man
->settings
.client_uid
!= uid
)
1785 msg(D_MANAGEMENT
, "%s UID of socket peer (%d) doesn't match required value (%d) as given by --management-client-user",
1786 err_prefix
, uid
, man
->settings
.client_uid
);
1789 if (man
->settings
.client_gid
!= -1 && man
->settings
.client_gid
!= gid
)
1791 msg(D_MANAGEMENT
, "%s GID of socket peer (%d) doesn't match required value (%d) as given by --management-client-group",
1792 err_prefix
, gid
, man
->settings
.client_gid
);
1798 msg(D_MANAGEMENT
, "%s cannot get UID/GID of socket peer", err_prefix
);
1804 #endif /* if UNIX_SOCK_SUPPORT */
1807 man_accept(struct management
*man
)
1809 struct link_socket_actual act
;
1813 * Accept the TCP or Unix domain socket client.
1815 #if UNIX_SOCK_SUPPORT
1816 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1818 struct sockaddr_un remote
;
1819 man
->connection
.sd_cli
= socket_accept_unix(man
->connection
.sd_top
, &remote
);
1820 if (!man_verify_unix_peer_uid_gid(man
, man
->connection
.sd_cli
))
1822 sd_close(&man
->connection
.sd_cli
);
1827 man
->connection
.sd_cli
= socket_do_accept(man
->connection
.sd_top
, &act
, false);
1829 if (socket_defined(man
->connection
.sd_cli
))
1831 man
->connection
.remote
= act
.dest
;
1833 if (socket_defined(man
->connection
.sd_top
))
1840 man_new_connection_post(man
, "Client connected from");
1845 man_listen(struct management
*man
)
1847 struct gc_arena gc
= gc_new();
1852 man
->connection
.state
= MS_LISTEN
;
1853 man
->connection
.sd_cli
= SOCKET_UNDEFINED
;
1856 * Initialize listening socket
1858 if (man
->connection
.sd_top
== SOCKET_UNDEFINED
)
1860 #if UNIX_SOCK_SUPPORT
1861 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1863 man_delete_unix_socket(man
);
1864 man
->connection
.sd_top
= create_socket_unix();
1865 socket_bind_unix(man
->connection
.sd_top
, &man
->settings
.local_unix
, "MANAGEMENT");
1870 man
->connection
.sd_top
= create_socket_tcp(man
->settings
.local
);
1871 socket_bind(man
->connection
.sd_top
, man
->settings
.local
,
1872 man
->settings
.local
->ai_family
, "MANAGEMENT", false);
1876 * Listen for connection
1878 if (listen(man
->connection
.sd_top
, 1))
1880 msg(M_ERR
, "MANAGEMENT: listen() failed");
1884 * Set misc socket properties
1886 set_nonblock(man
->connection
.sd_top
);
1888 #if UNIX_SOCK_SUPPORT
1889 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1891 msg(D_MANAGEMENT
, "MANAGEMENT: unix domain socket listening on %s",
1892 sockaddr_unix_name(&man
->settings
.local_unix
, "NULL"));
1897 const struct sockaddr
*man_addr
= man
->settings
.local
->ai_addr
;
1898 struct sockaddr_storage addr
;
1899 socklen_t addrlen
= sizeof(addr
);
1900 if (!getsockname(man
->connection
.sd_top
, (struct sockaddr
*) &addr
, &addrlen
))
1902 man_addr
= (struct sockaddr
*) &addr
;
1907 "Failed to get the management socket address");
1909 msg(D_MANAGEMENT
, "MANAGEMENT: TCP Socket listening on %s",
1910 print_sockaddr(man_addr
, &gc
));
1915 man_start_ne32(man
);
1922 man_connect(struct management
*man
)
1924 struct gc_arena gc
= gc_new();
1926 int signal_received
= 0;
1931 man
->connection
.state
= MS_INITIAL
;
1932 man
->connection
.sd_top
= SOCKET_UNDEFINED
;
1934 #if UNIX_SOCK_SUPPORT
1935 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1937 man
->connection
.sd_cli
= create_socket_unix();
1938 status
= socket_connect_unix(man
->connection
.sd_cli
, &man
->settings
.local_unix
);
1939 if (!status
&& !man_verify_unix_peer_uid_gid(man
, man
->connection
.sd_cli
))
1946 sd_close(&man
->connection
.sd_cli
);
1952 man
->connection
.sd_cli
= create_socket_tcp(man
->settings
.local
);
1953 status
= openvpn_connect(man
->connection
.sd_cli
,
1954 man
->settings
.local
->ai_addr
,
1959 if (signal_received
)
1961 throw_signal(signal_received
);
1967 #if UNIX_SOCK_SUPPORT
1968 if (man
->settings
.flags
& MF_UNIX_SOCK
)
1970 msg(D_LINK_ERRORS
| M_ERRNO
,
1971 "MANAGEMENT: connect to unix socket %s failed",
1972 sockaddr_unix_name(&man
->settings
.local_unix
, "NULL"));
1976 msg(D_LINK_ERRORS
| M_ERRNO
,
1977 "MANAGEMENT: connect to %s failed",
1978 print_sockaddr(man
->settings
.local
->ai_addr
, &gc
));
1979 throw_signal_soft(SIGTERM
, "management-connect-failed");
1983 man_new_connection_post(man
, "Connected to management server at");
1990 man_reset_client_socket(struct management
*man
, const bool exiting
)
1992 if (socket_defined(man
->connection
.sd_cli
))
1997 man_close_socket(man
, man
->connection
.sd_cli
);
1998 man
->connection
.sd_cli
= SOCKET_UNDEFINED
;
1999 man
->connection
.state
= MS_INITIAL
;
2000 command_line_reset(man
->connection
.in
);
2001 buffer_list_reset(man
->connection
.out
);
2002 in_extra_reset(&man
->connection
, IER_RESET
);
2003 msg(D_MANAGEMENT
, "MANAGEMENT: Client disconnected");
2007 if (man
->settings
.flags
& MF_FORGET_DISCONNECT
)
2009 ssl_purge_auth(false);
2010 (void)ssl_clean_auth_token();
2013 if (man
->settings
.flags
& MF_SIGNAL
)
2015 int mysig
= man_mod_signal(man
, SIGUSR1
);
2018 msg(D_MANAGEMENT
, "MANAGEMENT: Triggering management signal");
2019 throw_signal_soft(mysig
, "management-disconnect");
2023 if (man
->settings
.flags
& MF_CONNECT_AS_CLIENT
)
2025 msg(D_MANAGEMENT
, "MANAGEMENT: Triggering management exit");
2026 throw_signal_soft(SIGTERM
, "management-exit");
2036 man_process_command(struct management
*man
, const char *line
)
2038 struct gc_arena gc
= gc_new();
2039 struct status_output
*so
;
2041 char *parms
[MAX_PARMS
+1];
2044 so
= status_open(NULL
, 0, -1, &man
->persist
.vout
, 0);
2045 in_extra_reset(&man
->connection
, IER_RESET
);
2047 if (man_password_needed(man
))
2049 man_check_password(man
, line
);
2053 nparms
= parse_line(line
, parms
, MAX_PARMS
, "TCP", 0, M_CLIENT
, &gc
);
2054 if (parms
[0] && streq(parms
[0], "password"))
2056 msg(D_MANAGEMENT_DEBUG
, "MANAGEMENT: CMD 'password [...]'");
2058 else if (!streq(line
, "load-stats"))
2060 msg(D_MANAGEMENT_DEBUG
, "MANAGEMENT: CMD '%s'", line
);
2064 /* DEBUGGING -- print args */
2067 for (i
= 0; i
< nparms
; ++i
)
2069 msg(M_INFO
, "[%d] '%s'", i
, parms
[i
]);
2076 man_dispatch_command(man
, so
, (const char **)parms
, nparms
);
2086 man_io_error(struct management
*man
, const char *prefix
)
2088 bool crt_error
= false;
2089 int err
= openvpn_errno_maybe_crt(&crt_error
);
2091 if (!ignore_sys_error(err
, crt_error
))
2093 struct gc_arena gc
= gc_new();
2094 msg(D_MANAGEMENT
, "MANAGEMENT: TCP %s error: %s", prefix
,
2105 #ifdef TARGET_ANDROID
2107 man_send_with_fd(int fd
, void *ptr
, size_t nbytes
, int flags
, int sendfd
)
2109 struct msghdr msg
= { 0 };
2110 struct iovec iov
[1];
2114 char control
[CMSG_SPACE(sizeof(int))];
2116 struct cmsghdr
*cmptr
;
2118 msg
.msg_control
= control_un
.control
;
2119 msg
.msg_controllen
= sizeof(control_un
.control
);
2121 cmptr
= CMSG_FIRSTHDR(&msg
);
2122 cmptr
->cmsg_len
= CMSG_LEN(sizeof(int));
2123 cmptr
->cmsg_level
= SOL_SOCKET
;
2124 cmptr
->cmsg_type
= SCM_RIGHTS
;
2125 *((int *) CMSG_DATA(cmptr
)) = sendfd
;
2127 msg
.msg_name
= NULL
;
2128 msg
.msg_namelen
= 0;
2130 iov
[0].iov_base
= ptr
;
2131 iov
[0].iov_len
= nbytes
;
2135 return (sendmsg(fd
, &msg
, flags
));
2139 man_recv_with_fd(int fd
, void *ptr
, size_t nbytes
, int flags
, int *recvfd
)
2141 struct msghdr msghdr
= { 0 };
2142 struct iovec iov
[1];
2147 char control
[CMSG_SPACE(sizeof(int))];
2149 struct cmsghdr
*cmptr
;
2151 msghdr
.msg_control
= control_un
.control
;
2152 msghdr
.msg_controllen
= sizeof(control_un
.control
);
2154 msghdr
.msg_name
= NULL
;
2155 msghdr
.msg_namelen
= 0;
2157 iov
[0].iov_base
= ptr
;
2158 iov
[0].iov_len
= nbytes
;
2159 msghdr
.msg_iov
= iov
;
2160 msghdr
.msg_iovlen
= 1;
2162 if ( (n
= recvmsg(fd
, &msghdr
, flags
)) <= 0)
2167 if ( (cmptr
= CMSG_FIRSTHDR(&msghdr
)) != NULL
2168 && cmptr
->cmsg_len
== CMSG_LEN(sizeof(int)))
2170 if (cmptr
->cmsg_level
!= SOL_SOCKET
)
2172 msg(M_ERR
, "control level != SOL_SOCKET");
2174 if (cmptr
->cmsg_type
!= SCM_RIGHTS
)
2176 msg(M_ERR
, "control type != SCM_RIGHTS");
2178 *recvfd
= *((int *) CMSG_DATA(cmptr
));
2182 *recvfd
= -1; /* descriptor was not passed */
2189 * The android control method will instruct the GUI part of openvpn to do
2190 * the route/ifconfig/open tun command. See doc/android.txt for details.
2193 management_android_control(struct management
*man
, const char *command
, const char *msg
)
2195 struct user_pass up
;
2197 strncpy(up
.username
, msg
, sizeof(up
.username
)-1);
2199 management_query_user_pass(management
, &up
, command
, GET_USER_PASS_NEED_OK
, (void *) 0);
2200 return strcmp("ok", up
.password
)==0;
2204 * In Android 4.4 it is not possible to open a new tun device and then close the
2205 * old tun device without breaking the whole VPNService stack until the device
2206 * is rebooted. This management method ask the UI what method should be taken to
2207 * ensure the optimal solution for the situation
2210 managment_android_persisttun_action(struct management
*man
)
2212 struct user_pass up
;
2214 strcpy(up
.username
, "tunmethod");
2215 management_query_user_pass(management
, &up
, "PERSIST_TUN_ACTION",
2216 GET_USER_PASS_NEED_OK
, (void *) 0);
2217 if (!strcmp("NOACTION", up
.password
))
2219 return ANDROID_KEEP_OLD_TUN
;
2221 else if (!strcmp("OPEN_BEFORE_CLOSE", up
.password
))
2223 return ANDROID_OPEN_BEFORE_CLOSE
;
2227 msg(M_ERR
, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up
.password
);
2231 return ANDROID_OPEN_BEFORE_CLOSE
;
2235 #endif /* ifdef TARGET_ANDROID */
2238 man_read(struct management
*man
)
2241 * read command line from socket
2243 unsigned char buf
[256];
2246 #ifdef TARGET_ANDROID
2248 len
= man_recv_with_fd(man
->connection
.sd_cli
, buf
, sizeof(buf
), MSG_NOSIGNAL
, &fd
);
2251 man
->connection
.lastfdreceived
= fd
;
2253 #else /* ifdef TARGET_ANDROID */
2254 len
= recv(man
->connection
.sd_cli
, buf
, sizeof(buf
), MSG_NOSIGNAL
);
2259 man_reset_client_socket(man
, false);
2263 bool processed_command
= false;
2265 ASSERT(len
<= (int) sizeof(buf
));
2266 command_line_add(man
->connection
.in
, buf
, len
);
2269 * Reset output object
2271 buffer_list_reset(man
->connection
.out
);
2274 * process command line if complete
2278 while ((line
= command_line_get(man
->connection
.in
)))
2280 if (man
->connection
.in_extra
)
2282 if (!strcmp(line
, "END"))
2284 in_extra_dispatch(man
);
2288 buffer_list_push(man
->connection
.in_extra
, line
);
2293 man_process_command(man
, (char *) line
);
2295 if (man
->connection
.halt
)
2299 command_line_next(man
->connection
.in
);
2300 processed_command
= true;
2305 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2307 if (man
->connection
.halt
)
2309 man_reset_client_socket(man
, false);
2314 if (processed_command
)
2318 man_update_io_state(man
);
2323 if (man_io_error(man
, "recv"))
2325 man_reset_client_socket(man
, false);
2332 man_write(struct management
*man
)
2334 const int size_hint
= 1024;
2336 const struct buffer
*buf
;
2338 buffer_list_aggregate(man
->connection
.out
, size_hint
);
2339 buf
= buffer_list_peek(man
->connection
.out
);
2340 if (buf
&& BLEN(buf
))
2342 const int len
= min_int(size_hint
, BLEN(buf
));
2343 #ifdef TARGET_ANDROID
2344 if (man
->connection
.fdtosend
> 0)
2346 sent
= man_send_with_fd(man
->connection
.sd_cli
, BPTR(buf
), len
, MSG_NOSIGNAL
, man
->connection
.fdtosend
);
2347 man
->connection
.fdtosend
= -1;
2351 sent
= send(man
->connection
.sd_cli
, BPTR(buf
), len
, MSG_NOSIGNAL
);
2354 buffer_list_advance(man
->connection
.out
, sent
);
2358 if (man_io_error(man
, "send"))
2360 man_reset_client_socket(man
, false);
2366 * Reset output state to MS_CC_WAIT_(READ|WRITE)
2368 man_update_io_state(man
);
2374 man_connection_clear(struct man_connection
*mc
)
2378 /* set initial state */
2379 mc
->state
= MS_INITIAL
;
2381 /* clear socket descriptors */
2382 mc
->sd_top
= SOCKET_UNDEFINED
;
2383 mc
->sd_cli
= SOCKET_UNDEFINED
;
2387 man_persist_init(struct management
*man
,
2388 const int log_history_cache
,
2389 const int echo_buffer_size
,
2390 const int state_buffer_size
)
2392 struct man_persist
*mp
= &man
->persist
;
2397 /* initialize log history store */
2398 mp
->log
= log_history_init(log_history_cache
);
2401 * Initialize virtual output object, so that functions
2402 * which write to a virtual_output object can be redirected
2403 * here to the management object.
2405 mp
->vout
.func
= virtual_output_callback_func
;
2407 mp
->vout
.flags_default
= M_CLIENT
;
2408 msg_set_virtual_output(&mp
->vout
);
2411 * Initialize --echo list
2413 man
->persist
.echo
= log_history_init(echo_buffer_size
);
2416 * Initialize --state list
2418 man
->persist
.state
= log_history_init(state_buffer_size
);
2425 man_persist_close(struct man_persist
*mp
)
2429 msg_set_virtual_output(NULL
);
2430 log_history_close(mp
->log
);
2435 log_history_close(mp
->echo
);
2440 log_history_close(mp
->state
);
2447 man_settings_init(struct man_settings
*ms
,
2450 const char *pass_file
,
2451 const char *client_user
,
2452 const char *client_group
,
2453 const int log_history_cache
,
2454 const int echo_buffer_size
,
2455 const int state_buffer_size
,
2456 const int remap_sigusr1
,
2457 const unsigned int flags
)
2464 ms
->client_uid
= -1;
2465 ms
->client_gid
= -1;
2468 * Get username/password
2472 get_user_pass(&ms
->up
, pass_file
, "Management", GET_USER_PASS_PASSWORD_ONLY
);
2476 * lookup client UID/GID if specified
2480 struct platform_state_user s
;
2481 platform_user_get(client_user
, &s
);
2482 ms
->client_uid
= platform_state_user_uid(&s
);
2483 msg(D_MANAGEMENT
, "MANAGEMENT: client_uid=%d", ms
->client_uid
);
2484 ASSERT(ms
->client_uid
>= 0);
2488 struct platform_state_group s
;
2489 platform_group_get(client_group
, &s
);
2490 ms
->client_gid
= platform_state_group_gid(&s
);
2491 msg(D_MANAGEMENT
, "MANAGEMENT: client_gid=%d", ms
->client_gid
);
2492 ASSERT(ms
->client_gid
>= 0);
2495 #if UNIX_SOCK_SUPPORT
2496 if (ms
->flags
& MF_UNIX_SOCK
)
2498 sockaddr_unix_init(&ms
->local_unix
, addr
);
2505 * Run management over tunnel, or
2508 if (streq(addr
, "tunnel") && !(flags
& MF_CONNECT_AS_CLIENT
))
2510 ms
->management_over_tunnel
= true;
2515 int resolve_flags
= GETADDR_RESOLVE
|GETADDR_WARN_ON_SIGNAL
|GETADDR_FATAL
;
2517 if (!(flags
& MF_CONNECT_AS_CLIENT
))
2519 resolve_flags
|= GETADDR_PASSIVE
;
2522 status
= openvpn_getaddrinfo(resolve_flags
, addr
, port
, 0,
2523 NULL
, AF_UNSPEC
, &ms
->local
);
2529 * Log history and echo buffer may need to be resized
2531 ms
->log_history_cache
= log_history_cache
;
2532 ms
->echo_buffer_size
= echo_buffer_size
;
2533 ms
->state_buffer_size
= state_buffer_size
;
2536 * Set remap sigusr1 flags
2538 if (remap_sigusr1
== SIGHUP
)
2540 ms
->mansig
|= MANSIG_MAP_USR1_TO_HUP
;
2542 else if (remap_sigusr1
== SIGTERM
)
2544 ms
->mansig
|= MANSIG_MAP_USR1_TO_TERM
;
2552 man_settings_close(struct man_settings
*ms
)
2556 freeaddrinfo(ms
->local
);
2563 man_connection_init(struct management
*man
)
2565 if (man
->connection
.state
== MS_INITIAL
)
2569 * This object is a sort of TCP/IP helper
2572 net_event_win32_init(&man
->connection
.ne32
);
2576 * Allocate helper objects for command line input and
2577 * command output from/to the socket.
2579 man
->connection
.in
= command_line_new(1024);
2580 man
->connection
.out
= buffer_list_new();
2583 * Initialize event set for standalone usage, when we are
2584 * running outside of the primary event loop.
2588 man
->connection
.es
= event_set_init(&maxevents
, EVENT_METHOD_FAST
);
2591 man
->connection
.client_version
= 1; /* default version */
2594 * Listen/connect socket
2596 if (man
->settings
.flags
& MF_CONNECT_AS_CLIENT
)
2608 man_connection_close(struct management
*man
)
2610 struct man_connection
*mc
= &man
->connection
;
2614 net_event_win32_close(&mc
->ne32
);
2616 if (socket_defined(mc
->sd_top
))
2618 man_close_socket(man
, mc
->sd_top
);
2619 man_delete_unix_socket(man
);
2621 if (socket_defined(mc
->sd_cli
))
2623 man_close_socket(man
, mc
->sd_cli
);
2626 command_line_free(mc
->in
);
2627 buffer_list_free(mc
->out
);
2629 event_timeout_clear(&mc
->bytecount_update_interval
);
2631 in_extra_reset(&man
->connection
, IER_RESET
);
2632 buffer_list_free(mc
->ext_key_input
);
2633 man_connection_clear(mc
);
2637 management_init(void)
2639 struct management
*man
;
2640 ALLOC_OBJ_CLEAR(man
, struct management
);
2642 man_persist_init(man
,
2643 MANAGEMENT_LOG_HISTORY_INITIAL_SIZE
,
2644 MANAGEMENT_ECHO_BUFFER_SIZE
,
2645 MANAGEMENT_STATE_BUFFER_SIZE
);
2647 man_connection_clear(&man
->connection
);
2653 management_open(struct management
*man
,
2656 const char *pass_file
,
2657 const char *client_user
,
2658 const char *client_group
,
2659 const int log_history_cache
,
2660 const int echo_buffer_size
,
2661 const int state_buffer_size
,
2662 const int remap_sigusr1
,
2663 const unsigned int flags
)
2668 * Save the settings only if they have not
2669 * been saved before.
2671 man_settings_init(&man
->settings
,
2684 * The log is initially sized to MANAGEMENT_LOG_HISTORY_INITIAL_SIZE,
2685 * but may be changed here. Ditto for echo and state buffers.
2687 log_history_resize(man
->persist
.log
, man
->settings
.log_history_cache
);
2688 log_history_resize(man
->persist
.echo
, man
->settings
.echo_buffer_size
);
2689 log_history_resize(man
->persist
.state
, man
->settings
.state_buffer_size
);
2692 * If connection object is uninitialized and we are not doing
2693 * over-the-tunnel management, then open (listening) connection.
2695 if (man
->connection
.state
== MS_INITIAL
)
2697 if (!man
->settings
.management_over_tunnel
)
2699 man_connection_init(man
);
2708 management_close(struct management
*man
)
2710 man_output_list_push_finalize(man
); /* flush output queue */
2711 man_connection_close(man
);
2712 man_settings_close(&man
->settings
);
2713 man_persist_close(&man
->persist
);
2718 management_set_callback(struct management
*man
,
2719 const struct management_callback
*cb
)
2721 man
->persist
.standalone_disabled
= true;
2722 man
->persist
.callback
= *cb
;
2726 management_clear_callback(struct management
*man
)
2728 man
->persist
.standalone_disabled
= false;
2729 man
->persist
.hold_release
= false;
2730 CLEAR(man
->persist
.callback
);
2731 man_output_list_push_finalize(man
); /* flush output queue */
2735 management_set_state(struct management
*man
,
2738 const in_addr_t
*tun_local_ip
,
2739 const struct in6_addr
*tun_local_ip6
,
2740 const struct openvpn_sockaddr
*local
,
2741 const struct openvpn_sockaddr
*remote
)
2743 if (man
->persist
.state
&& (!(man
->settings
.flags
& MF_SERVER
) || state
< OPENVPN_STATE_CLIENT_BASE
))
2745 struct gc_arena gc
= gc_new();
2747 const char *out
= NULL
;
2756 e
.local_ip
= *tun_local_ip
;
2760 e
.local_ip6
= *tun_local_ip6
;
2764 e
.local_sock
= *local
;
2768 e
.remote_sock
= *remote
;
2771 log_history_add(man
->persist
.state
, &e
);
2773 if (man
->connection
.state_realtime
)
2775 out
= log_entry_print(&e
, LOG_PRINT_STATE_PREFIX
2776 | LOG_PRINT_INT_DATE
2778 | LOG_PRINT_LOCAL_IP
2779 | LOG_PRINT_REMOTE_IP
2781 | LOG_ECHO_TO_LOG
, &gc
);
2786 man_output_list_push(man
, out
);
2794 env_filter_match(const char *env_str
, const int env_filter_level
)
2796 static const char *env_names
[] = {
2803 "ifconfig_netmask=",
2804 "daemon_start_time=",
2807 "ifconfig_pool_remote_ip=",
2808 "ifconfig_pool_netmask=",
2816 if (env_filter_level
== 0)
2820 else if (env_filter_level
<= 1 && !strncmp(env_str
, "X509_", 5))
2824 else if (env_filter_level
<= 2)
2827 for (i
= 0; i
< SIZE(env_names
); ++i
)
2829 const char *en
= env_names
[i
];
2830 const size_t len
= strlen(en
);
2831 if (!strncmp(env_str
, en
, len
))
2842 man_output_env(const struct env_set
*es
, const bool tail
, const int env_filter_level
, const char *prefix
)
2847 for (e
= es
->list
; e
!= NULL
; e
= e
->next
)
2849 if (e
->string
&& (!env_filter_level
|| env_filter_match(e
->string
, env_filter_level
)))
2851 msg(M_CLIENT
, ">%s:ENV,%s", prefix
, e
->string
);
2857 msg(M_CLIENT
, ">%s:ENV,END", prefix
);
2862 man_output_extra_env(struct management
*man
, const char *prefix
)
2864 struct gc_arena gc
= gc_new();
2865 struct env_set
*es
= env_set_create(&gc
);
2866 if (man
->persist
.callback
.n_clients
)
2868 const int nclients
= (*man
->persist
.callback
.n_clients
)(man
->persist
.callback
.arg
);
2869 setenv_int(es
, "n_clients", nclients
);
2871 man_output_env(es
, false, man
->connection
.env_filter_level
, prefix
);
2876 management_up_down(struct management
*man
, const char *updown
, const struct env_set
*es
)
2878 if (man
->settings
.flags
& MF_UP_DOWN
)
2880 msg(M_CLIENT
, ">UPDOWN:%s", updown
);
2881 man_output_env(es
, true, 0, "UPDOWN");
2886 management_notify(struct management
*man
, const char *severity
, const char *type
, const char *text
)
2888 msg(M_CLIENT
, ">NOTIFY:%s,%s,%s", severity
, type
, text
);
2892 management_notify_generic(struct management
*man
, const char *str
)
2894 msg(M_CLIENT
, "%s", str
);
2898 man_output_peer_info_env(struct management
*man
, const struct man_def_auth_context
*mdac
)
2901 if (man
->persist
.callback
.get_peer_info
)
2903 const char *peer_info
= (*man
->persist
.callback
.get_peer_info
)(man
->persist
.callback
.arg
, mdac
->cid
);
2907 buf_set_read(&buf
, (const uint8_t *) peer_info
, strlen(peer_info
));
2908 while (buf_parse(&buf
, '\n', line
, sizeof(line
)))
2911 if (validate_peer_info_line(line
))
2913 msg(M_CLIENT
, ">CLIENT:ENV,%s", line
);
2917 msg(D_MANAGEMENT
, "validation failed on peer_info line received from client");
2925 management_notify_client_needing_auth(struct management
*management
,
2926 const unsigned int mda_key_id
,
2927 struct man_def_auth_context
*mdac
,
2928 const struct env_set
*es
)
2930 if (!(mdac
->flags
& DAF_CONNECTION_CLOSED
))
2932 const char *mode
= "CONNECT";
2933 if (mdac
->flags
& DAF_CONNECTION_ESTABLISHED
)
2937 msg(M_CLIENT
, ">CLIENT:%s,%lu,%u", mode
, mdac
->cid
, mda_key_id
);
2938 man_output_extra_env(management
, "CLIENT");
2939 if (management
->connection
.env_filter_level
>0)
2941 man_output_peer_info_env(management
, mdac
);
2943 man_output_env(es
, true, management
->connection
.env_filter_level
, "CLIENT");
2944 mdac
->flags
|= DAF_INITIAL_AUTH
;
2949 management_notify_client_cr_response(unsigned mda_key_id
,
2950 const struct man_def_auth_context
*mdac
,
2951 const struct env_set
*es
,
2952 const char *response
)
2959 msg(M_CLIENT
, ">CLIENT:CR_RESPONSE,%lu,%u,%s",
2960 mdac
->cid
, mda_key_id
, response
);
2961 man_output_extra_env(management
, "CLIENT");
2962 if (management
->connection
.env_filter_level
> 0)
2964 man_output_peer_info_env(management
, mdac
);
2966 man_output_env(es
, true, management
->connection
.env_filter_level
, "CLIENT");
2972 management_connection_established(struct management
*management
,
2973 struct man_def_auth_context
*mdac
,
2974 const struct env_set
*es
)
2976 mdac
->flags
|= DAF_CONNECTION_ESTABLISHED
;
2977 msg(M_CLIENT
, ">CLIENT:ESTABLISHED,%lu", mdac
->cid
);
2978 man_output_extra_env(management
, "CLIENT");
2979 man_output_env(es
, true, management
->connection
.env_filter_level
, "CLIENT");
2983 management_notify_client_close(struct management
*management
,
2984 struct man_def_auth_context
*mdac
,
2985 const struct env_set
*es
)
2987 if ((mdac
->flags
& DAF_INITIAL_AUTH
) && !(mdac
->flags
& DAF_CONNECTION_CLOSED
))
2989 msg(M_CLIENT
, ">CLIENT:DISCONNECT,%lu", mdac
->cid
);
2990 man_output_env(es
, true, management
->connection
.env_filter_level
, "CLIENT");
2991 mdac
->flags
|= DAF_CONNECTION_CLOSED
;
2996 management_learn_addr(struct management
*management
,
2997 struct man_def_auth_context
*mdac
,
2998 const struct mroute_addr
*addr
,
3001 struct gc_arena gc
= gc_new();
3002 if ((mdac
->flags
& DAF_INITIAL_AUTH
) && !(mdac
->flags
& DAF_CONNECTION_CLOSED
))
3004 msg(M_CLIENT
, ">CLIENT:ADDRESS,%lu,%s,%d",
3006 mroute_addr_print_ex(addr
, MAPF_SUBNET
, &gc
),
3007 BOOL_CAST(primary
));
3013 management_echo(struct management
*man
, const char *string
, const bool pull
)
3015 if (man
->persist
.echo
)
3017 struct gc_arena gc
= gc_new();
3019 const char *out
= NULL
;
3025 e
.u
.intval
= BOOL_CAST(pull
);
3027 log_history_add(man
->persist
.echo
, &e
);
3029 if (man
->connection
.echo_realtime
)
3031 out
= log_entry_print(&e
, LOG_PRINT_INT_DATE
|LOG_PRINT_ECHO_PREFIX
|LOG_PRINT_CRLF
|MANAGEMENT_ECHO_FLAGS
, &gc
);
3036 man_output_list_push(man
, out
);
3044 management_post_tunnel_open(struct management
*man
, const in_addr_t tun_local_ip
)
3047 * If we are running management over the tunnel,
3048 * this is the place to initialize the connection.
3050 if (man
->settings
.management_over_tunnel
3051 && man
->connection
.state
== MS_INITIAL
)
3053 /* listen on our local TUN/TAP IP address */
3057 ia
.s_addr
= htonl(tun_local_ip
);
3058 ret
= openvpn_getaddrinfo(GETADDR_PASSIVE
, inet_ntoa(ia
), NULL
, 0, NULL
,
3059 AF_INET
, &man
->settings
.local
);
3061 man_connection_init(man
);
3067 management_pre_tunnel_close(struct management
*man
)
3069 if (man
->settings
.management_over_tunnel
)
3071 man_connection_close(man
);
3076 management_auth_failure(struct management
*man
, const char *type
, const char *reason
)
3080 msg(M_CLIENT
, ">PASSWORD:Verification Failed: '%s' ['%s']", type
, reason
);
3084 msg(M_CLIENT
, ">PASSWORD:Verification Failed: '%s'", type
);
3089 management_auth_token(struct management
*man
, const char *token
)
3091 msg(M_CLIENT
, ">PASSWORD:Auth-Token:%s", token
);
3095 man_persist_state(unsigned int *persistent
, const int n
)
3099 if (*persistent
== (unsigned int)n
)
3111 management_socket_set(struct management
*man
,
3112 struct event_set
*es
,
3114 unsigned int *persistent
)
3116 if (man
->connection
.state
!= MS_INITIAL
)
3118 event_t ev
= net_event_win32_get_event(&man
->connection
.ne32
);
3119 net_event_win32_reset_write(&man
->connection
.ne32
);
3121 switch (man
->connection
.state
)
3124 if (man_persist_state(persistent
, 1))
3126 event_ctl(es
, ev
, EVENT_READ
, arg
);
3130 case MS_CC_WAIT_READ
:
3131 if (man_persist_state(persistent
, 2))
3133 event_ctl(es
, ev
, EVENT_READ
, arg
);
3137 case MS_CC_WAIT_WRITE
:
3138 if (man_persist_state(persistent
, 3))
3140 event_ctl(es
, ev
, EVENT_READ
|EVENT_WRITE
, arg
);
3151 management_io(struct management
*man
)
3153 if (man
->connection
.state
!= MS_INITIAL
)
3156 net_event_win32_reset(&man
->connection
.ne32
);
3157 net_events
= net_event_win32_get_event_mask(&man
->connection
.ne32
);
3159 if (net_events
& FD_CLOSE
)
3161 man_reset_client_socket(man
, false);
3165 if (man
->connection
.state
== MS_LISTEN
)
3167 if (net_events
& FD_ACCEPT
)
3170 net_event_win32_clear_selected_events(&man
->connection
.ne32
, FD_ACCEPT
);
3173 else if (man
->connection
.state
== MS_CC_WAIT_READ
|| man
->connection
.state
== MS_CC_WAIT_WRITE
)
3175 if (net_events
& FD_READ
)
3177 while (man_read(man
) > 0)
3180 net_event_win32_clear_selected_events(&man
->connection
.ne32
, FD_READ
);
3183 if (net_events
& FD_WRITE
)
3186 status
= man_write(man
);
3187 if (status
< 0 && WSAGetLastError() == WSAEWOULDBLOCK
)
3189 net_event_win32_clear_selected_events(&man
->connection
.ne32
, FD_WRITE
);
3197 #else /* ifdef _WIN32 */
3200 management_socket_set(struct management
*man
,
3201 struct event_set
*es
,
3203 unsigned int *persistent
)
3205 switch (man
->connection
.state
)
3208 if (man_persist_state(persistent
, 1))
3210 event_ctl(es
, man
->connection
.sd_top
, EVENT_READ
, arg
);
3214 case MS_CC_WAIT_READ
:
3215 if (man_persist_state(persistent
, 2))
3217 event_ctl(es
, man
->connection
.sd_cli
, EVENT_READ
, arg
);
3221 case MS_CC_WAIT_WRITE
:
3222 if (man_persist_state(persistent
, 3))
3224 event_ctl(es
, man
->connection
.sd_cli
, EVENT_WRITE
, arg
);
3237 management_io(struct management
*man
)
3239 switch (man
->connection
.state
)
3245 case MS_CC_WAIT_READ
:
3249 case MS_CC_WAIT_WRITE
:
3261 #endif /* ifdef _WIN32 */
3264 man_standalone_ok(const struct management
*man
)
3266 return !man
->settings
.management_over_tunnel
&& man
->connection
.state
!= MS_INITIAL
;
3270 man_check_for_signals(volatile int *signal_received
)
3272 if (signal_received
)
3274 get_signal(signal_received
);
3275 if (*signal_received
)
3284 * Wait for socket I/O when outside primary event loop
3287 man_block(struct management
*man
, volatile int *signal_received
, const time_t expire
)
3290 struct event_set_return esr
;
3293 if (man_standalone_ok(man
))
3295 /* expire time can be already overdue, for this case init zero
3296 * timeout to avoid waiting first time and exit loop early with
3297 * either obtained event or timeout.
3304 event_reset(man
->connection
.es
);
3305 management_socket_set(man
, man
->connection
.es
, NULL
, NULL
);
3306 if (man_check_for_signals(signal_received
))
3311 status
= event_wait(man
->connection
.es
, &tv
, &esr
, 1);
3313 if (man_check_for_signals(signal_received
))
3323 else if (expire
&& now
>= expire
)
3325 /* set SIGINT signal if expiration time exceeded */
3327 if (signal_received
)
3329 *signal_received
= SIGINT
;
3334 /* wait one second more */
3343 * Perform management socket output outside primary event loop
3346 man_output_standalone(struct management
*man
, volatile int *signal_received
)
3348 if (man_standalone_ok(man
))
3350 while (man
->connection
.state
== MS_CC_WAIT_WRITE
)
3353 if (man
->connection
.state
== MS_CC_WAIT_WRITE
)
3355 man_block(man
, signal_received
, 0);
3357 if (signal_received
&& *signal_received
)
3366 * Process management event loop outside primary event loop
3369 man_standalone_event_loop(struct management
*man
, volatile int *signal_received
, const time_t expire
)
3372 if (man_standalone_ok(man
))
3374 status
= man_block(man
, signal_received
, expire
);
3383 #define MWCC_PASSWORD_WAIT (1<<0)
3384 #define MWCC_HOLD_WAIT (1<<1)
3385 #define MWCC_OTHER_WAIT (1<<2)
3388 * Block until client connects
3391 man_wait_for_client_connection(struct management
*man
,
3392 volatile int *signal_received
,
3393 const time_t expire
,
3396 ASSERT(man_standalone_ok(man
));
3397 if (man
->connection
.state
== MS_LISTEN
)
3399 if (flags
& MWCC_PASSWORD_WAIT
)
3401 msg(D_MANAGEMENT
, "Need password(s) from management interface, waiting...");
3403 if (flags
& MWCC_HOLD_WAIT
)
3405 msg(D_MANAGEMENT
, "Need hold release from management interface, waiting...");
3407 if (flags
& MWCC_OTHER_WAIT
)
3409 msg(D_MANAGEMENT
, "Need information from management interface, waiting...");
3413 man_standalone_event_loop(man
, signal_received
, expire
);
3414 if (signal_received
&& *signal_received
)
3418 } while (man
->connection
.state
== MS_LISTEN
|| man_password_needed(man
));
3423 * Process the management event loop for sec seconds
3426 management_event_loop_n_seconds(struct management
*man
, int sec
)
3428 if (man_standalone_ok(man
))
3430 volatile int signal_received
= 0;
3431 const bool standalone_disabled_save
= man
->persist
.standalone_disabled
;
3434 man
->persist
.standalone_disabled
= false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3436 /* set expire time */
3443 /* if no client connection, wait for one */
3444 man_wait_for_client_connection(man
, &signal_received
, expire
, 0);
3445 if (signal_received
)
3450 /* run command processing event loop */
3453 man_standalone_event_loop(man
, &signal_received
, expire
);
3454 if (!signal_received
)
3456 man_check_for_signals(&signal_received
);
3458 if (signal_received
)
3463 } while (expire
&& expire
> now
);
3466 man
->persist
.standalone_disabled
= standalone_disabled_save
;
3475 * Get a username/password from management channel in standalone mode.
3478 management_query_user_pass(struct management
*man
,
3479 struct user_pass
*up
,
3481 const unsigned int flags
,
3482 const char *static_challenge
)
3484 struct gc_arena gc
= gc_new();
3487 if (man_standalone_ok(man
))
3489 volatile int signal_received
= 0;
3490 const bool standalone_disabled_save
= man
->persist
.standalone_disabled
;
3491 struct buffer alert_msg
= alloc_buf_gc(128, &gc
);
3492 const char *alert_type
= NULL
;
3493 const char *prefix
= NULL
;
3494 unsigned int up_query_mode
= 0;
3495 const char *sc
= NULL
;
3497 man
->persist
.standalone_disabled
= false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3498 man
->persist
.special_state_msg
= NULL
;
3500 CLEAR(man
->connection
.up_query
);
3502 if (flags
& GET_USER_PASS_NEED_OK
)
3504 up_query_mode
= UP_QUERY_NEED_OK
;
3506 alert_type
= "confirmation";
3508 else if (flags
& GET_USER_PASS_NEED_STR
)
3510 up_query_mode
= UP_QUERY_NEED_STR
;
3511 prefix
= "NEED-STR";
3512 alert_type
= "string";
3514 else if (flags
& GET_USER_PASS_PASSWORD_ONLY
)
3516 up_query_mode
= UP_QUERY_PASS
;
3517 prefix
= "PASSWORD";
3518 alert_type
= "password";
3522 up_query_mode
= UP_QUERY_USER_PASS
;
3523 prefix
= "PASSWORD";
3524 alert_type
= "username/password";
3525 if (static_challenge
)
3527 sc
= static_challenge
;
3530 buf_printf(&alert_msg
, ">%s:Need '%s' %s",
3535 if (flags
& (GET_USER_PASS_NEED_OK
| GET_USER_PASS_NEED_STR
))
3537 buf_printf(&alert_msg
, " MSG:%s", up
->username
);
3542 buf_printf(&alert_msg
, " SC:%d,%s",
3543 BOOL_CAST(flags
& GET_USER_PASS_STATIC_CHALLENGE_ECHO
),
3547 man_wait_for_client_connection(man
, &signal_received
, 0, MWCC_PASSWORD_WAIT
);
3548 if (signal_received
)
3555 man
->persist
.special_state_msg
= BSTR(&alert_msg
);
3556 msg(M_CLIENT
, "%s", man
->persist
.special_state_msg
);
3558 /* tell command line parser which info we need */
3559 man
->connection
.up_query_mode
= up_query_mode
;
3560 man
->connection
.up_query_type
= type
;
3562 /* run command processing event loop until we get our username/password/response */
3565 man_standalone_event_loop(man
, &signal_received
, 0);
3566 if (!signal_received
)
3568 man_check_for_signals(&signal_received
);
3570 if (signal_received
)
3575 } while (!man
->connection
.up_query
.defined
);
3579 man
->connection
.up_query_mode
= UP_QUERY_DISABLED
;
3580 man
->connection
.up_query_type
= NULL
;
3581 man
->persist
.standalone_disabled
= standalone_disabled_save
;
3582 man
->persist
.special_state_msg
= NULL
;
3584 /* pass through blank passwords */
3585 if (!strcmp(man
->connection
.up_query
.password
, blank_up
))
3587 CLEAR(man
->connection
.up_query
.password
);
3591 * Transfer u/p to return object, zero any record
3592 * we hold in the management object.
3596 /* preserve caller's settings */
3597 man
->connection
.up_query
.nocache
= up
->nocache
;
3598 *up
= man
->connection
.up_query
;
3600 secure_memzero(&man
->connection
.up_query
, sizeof(man
->connection
.up_query
));
3608 management_query_multiline(struct management
*man
,
3609 const char *b64_data
, const char *prompt
, const char *cmd
, int *state
, struct buffer_list
**input
)
3611 struct gc_arena gc
= gc_new();
3613 volatile int signal_received
= 0;
3614 struct buffer alert_msg
= clear_buf();
3615 const bool standalone_disabled_save
= man
->persist
.standalone_disabled
;
3616 struct man_connection
*mc
= &man
->connection
;
3618 if (man_standalone_ok(man
))
3620 man
->persist
.standalone_disabled
= false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3621 man
->persist
.special_state_msg
= NULL
;
3623 *state
= EKS_SOLICIT
;
3627 alert_msg
= alloc_buf_gc(strlen(b64_data
)+strlen(prompt
)+3, &gc
);
3628 buf_printf(&alert_msg
, ">%s:%s", prompt
, b64_data
);
3632 alert_msg
= alloc_buf_gc(strlen(prompt
)+3, &gc
);
3633 buf_printf(&alert_msg
, ">%s", prompt
);
3636 man_wait_for_client_connection(man
, &signal_received
, 0, MWCC_OTHER_WAIT
);
3638 if (signal_received
)
3643 man
->persist
.special_state_msg
= BSTR(&alert_msg
);
3644 msg(M_CLIENT
, "%s", man
->persist
.special_state_msg
);
3646 /* run command processing event loop until we get our signature */
3649 man_standalone_event_loop(man
, &signal_received
, 0);
3650 if (!signal_received
)
3652 man_check_for_signals(&signal_received
);
3654 if (signal_received
)
3658 } while (*state
!= EKS_READY
);
3664 if (*state
== EKS_READY
&& ret
)
3666 msg(M_CLIENT
, "SUCCESS: %s command succeeded", cmd
);
3668 else if (*state
== EKS_INPUT
|| *state
== EKS_READY
)
3670 msg(M_CLIENT
, "ERROR: %s command failed", cmd
);
3674 man
->persist
.standalone_disabled
= standalone_disabled_save
;
3675 man
->persist
.special_state_msg
= NULL
;
3676 in_extra_reset(mc
, IER_RESET
);
3684 /* returns allocated base64 signature */
3685 management_query_multiline_flatten_newline(struct management
*man
,
3686 const char *b64_data
, const char *prompt
, const char *cmd
, int *state
, struct buffer_list
**input
)
3689 char *result
= NULL
;
3692 ok
= management_query_multiline(man
, b64_data
, prompt
, cmd
, state
, input
);
3693 if (ok
&& buffer_list_defined(*input
))
3695 buffer_list_aggregate_separator(*input
, 10000, "\n");
3696 buf
= buffer_list_peek(*input
);
3697 if (buf
&& BLEN(buf
) > 0)
3699 result
= (char *) malloc(BLEN(buf
)+1);
3700 check_malloc_return(result
);
3701 memcpy(result
, buf
->data
, BLEN(buf
));
3702 result
[BLEN(buf
)] = '\0';
3706 buffer_list_free(*input
);
3713 /* returns allocated base64 signature */
3714 management_query_multiline_flatten(struct management
*man
,
3715 const char *b64_data
, const char *prompt
, const char *cmd
, int *state
, struct buffer_list
**input
)
3718 char *result
= NULL
;
3721 ok
= management_query_multiline(man
, b64_data
, prompt
, cmd
, state
, input
);
3722 if (ok
&& buffer_list_defined(*input
))
3724 buffer_list_aggregate(*input
, 2048);
3725 buf
= buffer_list_peek(*input
);
3726 if (buf
&& BLEN(buf
) > 0)
3728 result
= (char *) malloc(BLEN(buf
)+1);
3729 check_malloc_return(result
);
3730 memcpy(result
, buf
->data
, BLEN(buf
));
3731 result
[BLEN(buf
)] = '\0';
3735 buffer_list_free(*input
);
3742 /* returns allocated base64 signature */
3743 management_query_pk_sig(struct management
*man
, const char *b64_data
,
3744 const char *algorithm
)
3746 const char *prompt
= "PK_SIGN";
3747 const char *desc
= "pk-sign";
3748 struct buffer buf_data
= alloc_buf(strlen(b64_data
) + strlen(algorithm
) + 20);
3750 if (man
->connection
.client_version
<= 1)
3752 prompt
= "RSA_SIGN";
3756 buf_write(&buf_data
, b64_data
, (int) strlen(b64_data
));
3757 if (man
->connection
.client_version
> 2)
3759 buf_write(&buf_data
, ",", (int) strlen(","));
3760 buf_write(&buf_data
, algorithm
, (int) strlen(algorithm
));
3762 char *ret
= management_query_multiline_flatten(man
,
3763 (char *)buf_bptr(&buf_data
), prompt
, desc
,
3764 &man
->connection
.ext_key_state
, &man
->connection
.ext_key_input
);
3765 free_buf(&buf_data
);
3770 management_query_cert(struct management
*man
, const char *cert_name
)
3772 const char prompt_1
[] = "NEED-CERTIFICATE:";
3773 struct buffer buf_prompt
= alloc_buf(strlen(cert_name
) + 20);
3774 buf_write(&buf_prompt
, prompt_1
, strlen(prompt_1
));
3775 buf_write(&buf_prompt
, cert_name
, strlen(cert_name
)+1); /* +1 for \0 */
3778 result
= management_query_multiline_flatten_newline(management
,
3779 NULL
, (char *)buf_bptr(&buf_prompt
), "certificate",
3780 &man
->connection
.ext_cert_state
, &man
->connection
.ext_cert_input
);
3781 free_buf(&buf_prompt
);
3786 * Return true if management_hold() would block
3789 management_would_hold(struct management
*man
)
3791 return (man
->settings
.flags
& MF_HOLD
) && !man
->persist
.hold_release
&& man_standalone_ok(man
);
3795 * Return true if (from the management interface's perspective) OpenVPN should
3799 management_should_daemonize(struct management
*man
)
3801 return management_would_hold(man
) || (man
->settings
.flags
& MF_QUERY_PASSWORDS
);
3805 * If the hold flag is enabled, hibernate until a management client releases the hold.
3806 * Return true if the caller should not sleep for an additional time interval.
3809 management_hold(struct management
*man
, int holdtime
)
3811 if (management_would_hold(man
))
3813 volatile int signal_received
= 0;
3814 const bool standalone_disabled_save
= man
->persist
.standalone_disabled
;
3815 struct gc_arena gc
= gc_new();
3817 man
->persist
.standalone_disabled
= false; /* This is so M_CLIENT messages will be correctly passed through msg() */
3818 man
->persist
.special_state_msg
= NULL
;
3819 man
->settings
.mansig
|= MANSIG_IGNORE_USR1_HUP
;
3821 man_wait_for_client_connection(man
, &signal_received
, 0, MWCC_HOLD_WAIT
);
3823 if (!signal_received
)
3825 struct buffer out
= alloc_buf_gc(128, &gc
);
3826 buf_printf(&out
, ">HOLD:Waiting for hold release:%d", holdtime
);
3827 man
->persist
.special_state_msg
= BSTR(&out
);
3828 msg(M_CLIENT
, "%s", man
->persist
.special_state_msg
);
3830 /* run command processing event loop until we get our username/password */
3833 man_standalone_event_loop(man
, &signal_received
, 0);
3834 if (!signal_received
)
3836 man_check_for_signals(&signal_received
);
3838 if (signal_received
)
3842 } while (!man
->persist
.hold_release
);
3846 man
->persist
.standalone_disabled
= standalone_disabled_save
;
3847 man
->persist
.special_state_msg
= NULL
;
3848 man
->settings
.mansig
&= ~MANSIG_IGNORE_USR1_HUP
;
3857 * struct command_line
3860 struct command_line
*
3861 command_line_new(const int buf_len
)
3863 struct command_line
*cl
;
3864 ALLOC_OBJ_CLEAR(cl
, struct command_line
);
3865 cl
->buf
= alloc_buf(buf_len
);
3866 cl
->residual
= alloc_buf(buf_len
);
3871 command_line_reset(struct command_line
*cl
)
3873 buf_clear(&cl
->buf
);
3874 buf_clear(&cl
->residual
);
3878 command_line_free(struct command_line
*cl
)
3884 command_line_reset(cl
);
3886 free_buf(&cl
->residual
);
3891 command_line_add(struct command_line
*cl
, const unsigned char *buf
, const int len
)
3894 for (i
= 0; i
< len
; ++i
)
3896 if (buf
[i
] && char_class(buf
[i
], (CC_PRINT
|CC_NEWLINE
)))
3898 if (!buf_write_u8(&cl
->buf
, buf
[i
]))
3900 buf_clear(&cl
->buf
);
3907 command_line_get(struct command_line
*cl
)
3910 const char *ret
= NULL
;
3912 i
= buf_substring_len(&cl
->buf
, '\n');
3915 buf_copy_excess(&cl
->residual
, &cl
->buf
, i
);
3916 buf_chomp(&cl
->buf
);
3917 ret
= BSTR(&cl
->buf
);
3923 command_line_next(struct command_line
*cl
)
3925 buf_clear(&cl
->buf
);
3926 buf_copy(&cl
->buf
, &cl
->residual
);
3927 buf_clear(&cl
->residual
);
3935 log_entry_print(const struct log_entry
*e
, unsigned int flags
, struct gc_arena
*gc
)
3937 struct buffer out
= alloc_buf_gc(ERR_BUF_SIZE
, gc
);
3938 if (flags
& LOG_FATAL_NOTIFY
)
3940 buf_printf(&out
, ">FATAL:");
3942 if (flags
& LOG_PRINT_LOG_PREFIX
)
3944 buf_printf(&out
, ">LOG:");
3946 if (flags
& LOG_PRINT_ECHO_PREFIX
)
3948 buf_printf(&out
, ">ECHO:");
3950 if (flags
& LOG_PRINT_STATE_PREFIX
)
3952 buf_printf(&out
, ">STATE:");
3954 if (flags
& LOG_PRINT_INT_DATE
)
3956 buf_printf(&out
, "%u,", (unsigned int)e
->timestamp
);
3958 if (flags
& LOG_PRINT_MSG_FLAGS
)
3960 buf_printf(&out
, "%s,", msg_flags_string(e
->u
.msg_flags
, gc
));
3962 if (flags
& LOG_PRINT_STATE
)
3964 buf_printf(&out
, "%s,", man_state_name(e
->u
.state
));
3966 if (flags
& LOG_PRINT_INTVAL
)
3968 buf_printf(&out
, "%d,", e
->u
.intval
);
3972 buf_printf(&out
, "%s", e
->string
);
3974 if (flags
& LOG_PRINT_LOCAL_IP
)
3976 buf_printf(&out
, ",%s", print_in_addr_t(e
->local_ip
, IA_EMPTY_IF_UNDEF
, gc
));
3978 if (flags
& LOG_PRINT_REMOTE_IP
)
3980 buf_printf(&out
, ",%s", (!addr_defined(&e
->remote_sock
) ? "," :
3981 print_sockaddr_ex(&e
->remote_sock
.addr
.sa
, ",", PS_DONT_SHOW_FAMILY
|PS_SHOW_PORT
, gc
)));
3982 buf_printf(&out
, ",%s", (!addr_defined(&e
->local_sock
) ? "," :
3983 print_sockaddr_ex(&e
->local_sock
.addr
.sa
, ",", PS_DONT_SHOW_FAMILY
|PS_SHOW_PORT
, gc
)));
3985 if (flags
& LOG_PRINT_LOCAL_IP
&& !IN6_IS_ADDR_UNSPECIFIED(&e
->local_ip6
))
3987 buf_printf(&out
, ",%s", print_in6_addr(e
->local_ip6
, IA_EMPTY_IF_UNDEF
, gc
));
3989 if (flags
& LOG_ECHO_TO_LOG
)
3991 msg(D_MANAGEMENT
, "MANAGEMENT: %s", BSTR(&out
));
3993 if (flags
& LOG_PRINT_CRLF
)
3995 buf_printf(&out
, "\r\n");
4001 log_entry_free_contents(struct log_entry
*e
)
4003 /* Cast away constness of const char* */
4004 free((char *)e
->string
);
4009 * struct log_history
4013 log_index(const struct log_history
*h
, int i
)
4015 return modulo_add(h
->base
, i
, h
->capacity
);
4019 log_history_obj_init(struct log_history
*h
, int capacity
)
4022 h
->capacity
= capacity
;
4023 ALLOC_ARRAY_CLEAR(h
->array
, struct log_entry
, capacity
);
4026 struct log_history
*
4027 log_history_init(const int capacity
)
4029 struct log_history
*h
;
4030 ASSERT(capacity
> 0);
4031 ALLOC_OBJ(h
, struct log_history
);
4032 log_history_obj_init(h
, capacity
);
4037 log_history_free_contents(struct log_history
*h
)
4040 for (i
= 0; i
< h
->size
; ++i
)
4042 log_entry_free_contents(&h
->array
[log_index(h
, i
)]);
4048 log_history_close(struct log_history
*h
)
4050 log_history_free_contents(h
);
4055 log_history_add(struct log_history
*h
, const struct log_entry
*le
)
4057 struct log_entry
*e
;
4058 ASSERT(h
->size
>= 0 && h
->size
<= h
->capacity
);
4059 if (h
->size
== h
->capacity
)
4061 e
= &h
->array
[h
->base
];
4062 log_entry_free_contents(e
);
4063 h
->base
= log_index(h
, 1);
4067 e
= &h
->array
[log_index(h
, h
->size
)];
4072 e
->string
= string_alloc(le
->string
, NULL
);
4076 log_history_resize(struct log_history
*h
, const int capacity
)
4078 if (capacity
!= h
->capacity
)
4080 struct log_history newlog
;
4083 ASSERT(capacity
> 0);
4084 log_history_obj_init(&newlog
, capacity
);
4086 for (i
= 0; i
< h
->size
; ++i
)
4088 log_history_add(&newlog
, &h
->array
[log_index(h
, i
)]);
4091 log_history_free_contents(h
);
4096 const struct log_entry
*
4097 log_history_ref(const struct log_history
*h
, const int index
)
4099 if (index
>= 0 && index
< h
->size
)
4101 return &h
->array
[log_index(h
, (h
->size
- 1) - index
)];
4110 management_sleep(const int n
)
4116 else if (management
)
4118 management_event_loop_n_seconds(management
, n
);
4127 management_check_bytecount(struct context
*c
, struct management
*man
, struct timeval
*timeval
)
4129 if (event_timeout_trigger(&man
->connection
.bytecount_update_interval
,
4130 timeval
, ETT_DEFAULT
))
4132 counter_type dco_read_bytes
= 0;
4133 counter_type dco_write_bytes
= 0;
4135 if (dco_enabled(&c
->options
) && (dco_get_peer_stats(c
) == 0))
4137 dco_read_bytes
= c
->c2
.dco_read_bytes
;
4138 dco_write_bytes
= c
->c2
.dco_write_bytes
;
4141 if (!(man
->persist
.callback
.flags
& MCF_SERVER
))
4143 man_bytecount_output_client(man
, dco_read_bytes
, dco_write_bytes
);
4148 /* DCO resets stats on reconnect. Since client expects stats
4149 * to be preserved across reconnects, we need to save DCO
4150 * stats before tearing the tunnel down.
4153 man_persist_client_stats(struct management
*man
, struct context
*c
)
4155 if (dco_enabled(&c
->options
) && (dco_get_peer_stats(c
) == 0))
4157 management_bytes_client(man
, c
->c2
.dco_read_bytes
, c
->c2
.dco_write_bytes
);
4161 #else /* ifdef ENABLE_MANAGEMENT */
4164 management_sleep(const int n
)
4172 #endif /* ENABLE_MANAGEMENT */