1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24 #ifndef MANAGE_H
25 #define MANAGE_H
26
27 #ifdef ENABLE_MANAGEMENT
28
29 #include "misc.h"
30 #include "event.h"
31 #include "socket.h"
32 #include "mroute.h"
33
34 #define MANAGEMENT_VERSION 3
35 #define MANAGEMENT_N_PASSWORD_RETRIES 3
36 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100
37 #define MANAGEMENT_ECHO_BUFFER_SIZE 100
38 #define MANAGEMENT_STATE_BUFFER_SIZE 100
39
40 /*
41 * Management-interface-based deferred authentication
42 */
43 struct man_def_auth_context {
44 unsigned long cid;
45
46 #define DAF_CONNECTION_ESTABLISHED (1<<0)
47 #define DAF_CONNECTION_CLOSED (1<<1)
48 #define DAF_INITIAL_AUTH (1<<2)
49 unsigned int flags;
50
51 unsigned int mda_key_id_counter;
52
53 time_t bytecount_last_update;
54 };
55
56 /*
57 * Manage build-up of command line
58 */
59 struct command_line
60 {
61 struct buffer buf;
62 struct buffer residual;
63 };
64
65 struct command_line *command_line_new(const int buf_len);
66
67 void command_line_free(struct command_line *cl);
68
69 void command_line_add(struct command_line *cl, const unsigned char *buf, const int len);
70
71 const char *command_line_get(struct command_line *cl);
72
73 void command_line_reset(struct command_line *cl);
74
75 void command_line_next(struct command_line *cl);
76
77 /*
78 * Manage log file history
79 */
80
81 union log_entry_union {
82 unsigned int msg_flags;
83 int state;
84 int intval;
85 };
86
87 struct log_entry
88 {
89 time_t timestamp;
90 const char *string;
91 in_addr_t local_ip;
92 struct in6_addr local_ip6;
93 struct openvpn_sockaddr local_sock;
94 struct openvpn_sockaddr remote_sock;
95 union log_entry_union u;
96 };
97
98 #define LOG_PRINT_LOG_PREFIX (1<<0)
99 #define LOG_PRINT_ECHO_PREFIX (1<<1)
100 #define LOG_PRINT_STATE_PREFIX (1<<2)
101
102 #define LOG_PRINT_INT_DATE (1<<3)
103 #define LOG_PRINT_MSG_FLAGS (1<<4)
104 #define LOG_PRINT_STATE (1<<5)
105 #define LOG_PRINT_LOCAL_IP (1<<6)
106
107 #define LOG_PRINT_CRLF (1<<7)
108 #define LOG_FATAL_NOTIFY (1<<8)
109
110 #define LOG_PRINT_INTVAL (1<<9)
111
112 #define LOG_PRINT_REMOTE_IP (1<<10)
113
114 #define LOG_ECHO_TO_LOG (1<<11)
115
116 const char *log_entry_print(const struct log_entry *e, unsigned int flags, struct gc_arena *gc);
117
118 struct log_history
119 {
120 int base;
121 int size;
122 int capacity;
123 struct log_entry *array;
124 };
125
126 struct log_history *log_history_init(const int capacity);
127
128 void log_history_close(struct log_history *h);
129
130 void log_history_add(struct log_history *h, const struct log_entry *le);
131
132 void log_history_resize(struct log_history *h, const int capacity);
133
134 const struct log_entry *log_history_ref(const struct log_history *h, const int index);
135
136 static inline int
log_history_size(const struct log_history * h)137 log_history_size(const struct log_history *h)
138 {
139 return h->size;
140 }
141
142 static inline int
log_history_capacity(const struct log_history * h)143 log_history_capacity(const struct log_history *h)
144 {
145 return h->capacity;
146 }
147
148 /*
149 * Callbacks for 'status' and 'kill' commands.
150 * Also for management-based deferred authentication and packet filter.
151 */
152 struct management_callback
153 {
154 void *arg;
155
156 #define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */
157 unsigned int flags;
158
159 void (*status) (void *arg, const int version, struct status_output *so);
160 void (*show_net) (void *arg, const int msglevel);
161 int (*kill_by_cn) (void *arg, const char *common_name);
162 int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port);
163 void (*delete_event) (void *arg, event_t event);
164 int (*n_clients) (void *arg);
165 bool (*send_cc_message) (void *arg, const char *message, const char *parameter);
166 bool (*kill_by_cid)(void *arg, const unsigned long cid, const char *kill_msg);
167 bool (*client_auth) (void *arg,
168 const unsigned long cid,
169 const unsigned int mda_key_id,
170 const bool auth,
171 const char *reason,
172 const char *client_reason,
173 struct buffer_list *cc_config); /* ownership transferred */
174 bool (*client_pending_auth) (void *arg,
175 const unsigned long cid,
176 const char *extra,
177 unsigned int timeout);
178 char *(*get_peer_info) (void *arg, const unsigned long cid);
179 #ifdef MANAGEMENT_PF
180 bool (*client_pf)(void *arg,
181 const unsigned long cid,
182 struct buffer_list *pf_config); /* ownership transferred */
183 #endif
184 bool (*proxy_cmd)(void *arg, const char **p);
185 bool (*remote_cmd) (void *arg, const char **p);
186 #ifdef TARGET_ANDROID
187 int (*network_change)(void *arg, bool samenetwork);
188 #endif
189 };
190
191 /*
192 * Management object, split into three components:
193 *
194 * struct man_persist : Data elements which are persistent across
195 * man_connection open and close.
196 *
197 * struct man_settings : management parameters.
198 *
199 * struct man_connection : created on socket binding and listen,
200 * deleted on socket unbind, may
201 * handle multiple sequential client
202 * connections.
203 */
204
205 struct man_persist {
206 bool defined;
207
208 struct log_history *log;
209 struct virtual_output vout;
210
211 bool standalone_disabled;
212 struct management_callback callback;
213
214 struct log_history *echo; /* saved --echo strings */
215 struct log_history *state;
216
217 bool hold_release;
218
219 const char *special_state_msg;
220
221 counter_type bytes_in;
222 counter_type bytes_out;
223 };
224
225 struct man_settings {
226 bool defined;
227 unsigned int flags; /* MF_x flags */
228 struct addrinfo *local;
229 #if UNIX_SOCK_SUPPORT
230 struct sockaddr_un local_unix;
231 #endif
232 bool management_over_tunnel;
233 struct user_pass up;
234 int log_history_cache;
235 int echo_buffer_size;
236 int state_buffer_size;
237 char *write_peer_info_file;
238 int client_uid;
239 int client_gid;
240
241 /* flags for handling the management interface "signal" command */
242 #define MANSIG_IGNORE_USR1_HUP (1<<0)
243 #define MANSIG_MAP_USR1_TO_HUP (1<<1)
244 #define MANSIG_MAP_USR1_TO_TERM (1<<2)
245 unsigned int mansig;
246 };
247
248 /* up_query modes */
249 #define UP_QUERY_DISABLED 0
250 #define UP_QUERY_USER_PASS 1
251 #define UP_QUERY_PASS 2
252 #define UP_QUERY_NEED_OK 3
253 #define UP_QUERY_NEED_STR 4
254
255 /* states */
256 #define MS_INITIAL 0 /* all sockets are closed */
257 #define MS_LISTEN 1 /* no client is connected */
258 #define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */
259 #define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */
260
261 struct man_connection {
262 int state;
263
264 socket_descriptor_t sd_top;
265 socket_descriptor_t sd_cli;
266 struct openvpn_sockaddr remote;
267
268 #ifdef _WIN32
269 struct net_event_win32 ne32;
270 #endif
271
272 bool halt;
273 bool password_verified;
274 int password_tries;
275
276 struct command_line *in;
277 struct buffer_list *out;
278
279 #define IEC_UNDEF 0
280 #define IEC_CLIENT_AUTH 1
281 #define IEC_CLIENT_PF 2
282 #define IEC_RSA_SIGN 3
283 #define IEC_CERTIFICATE 4
284 #define IEC_PK_SIGN 5
285 int in_extra_cmd;
286 struct buffer_list *in_extra;
287 unsigned long in_extra_cid;
288 unsigned int in_extra_kid;
289 #define EKS_UNDEF 0
290 #define EKS_SOLICIT 1
291 #define EKS_INPUT 2
292 #define EKS_READY 3
293 int ext_key_state;
294 struct buffer_list *ext_key_input;
295 int ext_cert_state;
296 struct buffer_list *ext_cert_input;
297 struct event_set *es;
298 int env_filter_level;
299
300 bool state_realtime;
301 bool log_realtime;
302 bool echo_realtime;
303 int bytecount_update_seconds;
304 time_t bytecount_last_update;
305
306 const char *up_query_type;
307 int up_query_mode;
308 struct user_pass up_query;
309
310 #ifdef TARGET_ANDROID
311 int fdtosend;
312 int lastfdreceived;
313 #endif
314 int client_version;
315 };
316
317 struct management
318 {
319 struct man_persist persist;
320 struct man_settings settings;
321 struct man_connection connection;
322 };
323
324 extern struct management *management;
325
326 struct user_pass;
327
328 struct management *management_init(void);
329
330 /* management_open flags */
331 #define MF_SERVER (1<<0)
332 #define MF_QUERY_PASSWORDS (1<<1)
333 #define MF_HOLD (1<<2)
334 #define MF_SIGNAL (1<<3)
335 #define MF_FORGET_DISCONNECT (1<<4)
336 #define MF_CONNECT_AS_CLIENT (1<<5)
337 #define MF_CLIENT_AUTH (1<<6)
338 #ifdef MANAGEMENT_PF
339 #define MF_CLIENT_PF (1<<7)
340 #endif
341 #define MF_UNIX_SOCK (1<<8)
342 #define MF_EXTERNAL_KEY (1<<9)
343 #define MF_EXTERNAL_KEY_NOPADDING (1<<10)
344 #define MF_EXTERNAL_KEY_PKCS1PAD (1<<11)
345 #define MF_UP_DOWN (1<<12)
346 #define MF_QUERY_REMOTE (1<<13)
347 #define MF_QUERY_PROXY (1<<14)
348 #define MF_EXTERNAL_CERT (1<<15)
349
350 bool management_open(struct management *man,
351 const char *addr,
352 const char *port,
353 const char *pass_file,
354 const char *client_user,
355 const char *client_group,
356 const int log_history_cache,
357 const int echo_buffer_size,
358 const int state_buffer_size,
359 const char *write_peer_info_file,
360 const int remap_sigusr1,
361 const unsigned int flags);
362
363 void management_close(struct management *man);
364
365 void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip);
366
367 void management_pre_tunnel_close(struct management *man);
368
369 void management_socket_set(struct management *man,
370 struct event_set *es,
371 void *arg,
372 unsigned int *persistent);
373
374 void management_io(struct management *man);
375
376 void management_set_callback(struct management *man,
377 const struct management_callback *cb);
378
379 void management_clear_callback(struct management *man);
380
381 bool management_query_user_pass(struct management *man,
382 struct user_pass *up,
383 const char *type,
384 const unsigned int flags,
385 const char *static_challenge);
386
387 #ifdef TARGET_ANDROID
388 bool management_android_control(struct management *man, const char *command, const char *msg);
389
390 #define ANDROID_KEEP_OLD_TUN 1
391 #define ANDROID_OPEN_AFTER_CLOSE 2
392 #define ANDROID_OPEN_BEFORE_CLOSE 3
393 int managment_android_persisttun_action(struct management *man);
394
395 #endif
396
397 bool management_should_daemonize(struct management *man);
398
399 bool management_would_hold(struct management *man);
400
401 bool management_hold(struct management *man, int holdtime);
402
403 void management_event_loop_n_seconds(struct management *man, int sec);
404
405 void management_up_down(struct management *man, const char *updown, const struct env_set *es);
406
407 void management_notify(struct management *man, const char *severity, const char *type, const char *text);
408
409 void management_notify_generic(struct management *man, const char *str);
410
411 void management_notify_client_needing_auth(struct management *management,
412 const unsigned int auth_id,
413 struct man_def_auth_context *mdac,
414 const struct env_set *es);
415
416 void management_connection_established(struct management *management,
417 struct man_def_auth_context *mdac,
418 const struct env_set *es);
419
420 void management_notify_client_close(struct management *management,
421 struct man_def_auth_context *mdac,
422 const struct env_set *es);
423
424 void management_learn_addr(struct management *management,
425 struct man_def_auth_context *mdac,
426 const struct mroute_addr *addr,
427 const bool primary);
428
429 void management_notify_client_cr_response(unsigned mda_key_id,
430 const struct man_def_auth_context *mdac,
431 const struct env_set *es,
432 const char *response);
433
434 char *management_query_pk_sig(struct management *man, const char *b64_data,
435 const char *algorithm);
436
437 char *management_query_cert(struct management *man, const char *cert_name);
438
439 static inline bool
management_connected(const struct management * man)440 management_connected(const struct management *man)
441 {
442 return man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE;
443 }
444
445 static inline bool
management_query_user_pass_enabled(const struct management * man)446 management_query_user_pass_enabled(const struct management *man)
447 {
448 return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS);
449 }
450
451 static inline bool
management_query_remote_enabled(const struct management * man)452 management_query_remote_enabled(const struct management *man)
453 {
454 return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE);
455 }
456
457 static inline bool
management_query_proxy_enabled(const struct management * man)458 management_query_proxy_enabled(const struct management *man)
459 {
460 return BOOL_CAST(man->settings.flags & MF_QUERY_PROXY);
461 }
462
463 #ifdef MANAGEMENT_PF
464 static inline bool
management_enable_pf(const struct management * man)465 management_enable_pf(const struct management *man)
466 {
467 return man && BOOL_CAST(man->settings.flags & MF_CLIENT_PF);
468 }
469 #endif
470
471 static inline bool
management_enable_def_auth(const struct management * man)472 management_enable_def_auth(const struct management *man)
473 {
474 return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH);
475 }
476
477 /*
478 * OpenVPN tells the management layer what state it's in
479 */
480
481 /* client/server states */
482 #define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */
483 #define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */
484 #define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */
485 #define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */
486 #define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */
487 #define OPENVPN_STATE_RECONNECTING 5 /* Restart */
488 #define OPENVPN_STATE_EXITING 6 /* Exit */
489
490 /* client-only states */
491 #define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */
492 #define OPENVPN_STATE_AUTH 8 /* Authenticating with server */
493 #define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */
494 #define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */
495 #define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */
496 #define OPENVPN_STATE_AUTH_PENDING 12 /* Waiting in auth-pending mode
497 * technically variant of GET_CONFIG */
498
499 #define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */
500
501 void management_set_state(struct management *man,
502 const int state,
503 const char *detail,
504 const in_addr_t *tun_local_ip,
505 const struct in6_addr *tun_local_ip6,
506 const struct openvpn_sockaddr *local_addr,
507 const struct openvpn_sockaddr *remote_addr);
508
509 /*
510 * The management object keeps track of OpenVPN --echo
511 * parameters.
512 */
513 void management_echo(struct management *man, const char *string, const bool pull);
514
515 /*
516 * OpenVPN calls here to indicate a password failure
517 */
518
519 void management_auth_failure(struct management *man, const char *type, const char *reason);
520
521 /*
522 * Echo an authentication token to management interface
523 */
524 void management_auth_token(struct management *man, const char *token);
525
526 /*
527 * These functions drive the bytecount in/out counters.
528 */
529
530 void man_bytecount_output_client(struct management *man);
531
532 static inline void
man_bytecount_possible_output_client(struct management * man)533 man_bytecount_possible_output_client(struct management *man)
534 {
535 if (man->connection.bytecount_update_seconds > 0
536 && now >= man->connection.bytecount_last_update
537 + man->connection.bytecount_update_seconds)
538 {
539 man_bytecount_output_client(man);
540 }
541 }
542
543 static inline void
management_bytes_out_client(struct management * man,const int size)544 management_bytes_out_client(struct management *man, const int size)
545 {
546 man->persist.bytes_out += size;
547 man_bytecount_possible_output_client(man);
548 }
549
550 static inline void
management_bytes_in_client(struct management * man,const int size)551 management_bytes_in_client(struct management *man, const int size)
552 {
553 man->persist.bytes_in += size;
554 man_bytecount_possible_output_client(man);
555 }
556
557 static inline void
management_bytes_out(struct management * man,const int size)558 management_bytes_out(struct management *man, const int size)
559 {
560 if (!(man->persist.callback.flags & MCF_SERVER))
561 {
562 management_bytes_out_client(man, size);
563 }
564 }
565
566 static inline void
management_bytes_in(struct management * man,const int size)567 management_bytes_in(struct management *man, const int size)
568 {
569 if (!(man->persist.callback.flags & MCF_SERVER))
570 {
571 management_bytes_in_client(man, size);
572 }
573 }
574
575 void man_bytecount_output_server(struct management *man,
576 const counter_type *bytes_in_total,
577 const counter_type *bytes_out_total,
578 struct man_def_auth_context *mdac);
579
580 static inline void
management_bytes_server(struct management * man,const counter_type * bytes_in_total,const counter_type * bytes_out_total,struct man_def_auth_context * mdac)581 management_bytes_server(struct management *man,
582 const counter_type *bytes_in_total,
583 const counter_type *bytes_out_total,
584 struct man_def_auth_context *mdac)
585 {
586 if (man->connection.bytecount_update_seconds > 0
587 && now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds
588 && (mdac->flags & (DAF_CONNECTION_ESTABLISHED|DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED)
589 {
590 man_bytecount_output_server(man, bytes_in_total, bytes_out_total, mdac);
591 }
592 }
593
594 #endif /* ifdef ENABLE_MANAGEMENT */
595
596 /**
597 * A sleep function that services the management layer for n seconds rather
598 * than doing nothing.
599 */
600 void management_sleep(const int n);
601
602 #endif /* ifndef MANAGE_H */
603