diff options
Diffstat (limited to 'openvpn/src/openvpn/manage.h')
-rw-r--r-- | openvpn/src/openvpn/manage.h | 567 |
1 files changed, 0 insertions, 567 deletions
diff --git a/openvpn/src/openvpn/manage.h b/openvpn/src/openvpn/manage.h deleted file mode 100644 index d2790dd4..00000000 --- a/openvpn/src/openvpn/manage.h +++ /dev/null @@ -1,567 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#ifndef MANAGE_H -#define MANAGE_H - -#ifdef ENABLE_MANAGEMENT - -#include "misc.h" -#include "event.h" -#include "socket.h" -#include "mroute.h" - -#define MANAGEMENT_VERSION 1 -#define MANAGEMENT_N_PASSWORD_RETRIES 3 -#define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 -#define MANAGEMENT_ECHO_BUFFER_SIZE 100 -#define MANAGEMENT_STATE_BUFFER_SIZE 100 - -/* - * Management-interface-based deferred authentication - */ -#ifdef MANAGEMENT_DEF_AUTH -struct man_def_auth_context { - unsigned long cid; - -#define DAF_CONNECTION_ESTABLISHED (1<<0) -#define DAF_CONNECTION_CLOSED (1<<1) -#define DAF_INITIAL_AUTH (1<<2) - unsigned int flags; - - unsigned int mda_key_id_counter; - - time_t bytecount_last_update; -}; -#endif - -/* - * Manage build-up of command line - */ -struct command_line -{ - struct buffer buf; - struct buffer residual; -}; - -struct command_line *command_line_new (const int buf_len); -void command_line_free (struct command_line *cl); - -void command_line_add (struct command_line *cl, const unsigned char *buf, const int len); -const unsigned char *command_line_get (struct command_line *cl); -void command_line_reset (struct command_line *cl); -void command_line_next (struct command_line *cl); - -/* - * Manage log file history - */ - -union log_entry_union { - unsigned int msg_flags; - int state; - int intval; -}; - -struct log_entry -{ - time_t timestamp; - const char *string; - in_addr_t local_ip; - in_addr_t remote_ip; - union log_entry_union u; -}; - -#define LOG_PRINT_LOG_PREFIX (1<<0) -#define LOG_PRINT_ECHO_PREFIX (1<<1) -#define LOG_PRINT_STATE_PREFIX (1<<2) - -#define LOG_PRINT_INT_DATE (1<<3) -#define LOG_PRINT_MSG_FLAGS (1<<4) -#define LOG_PRINT_STATE (1<<5) -#define LOG_PRINT_LOCAL_IP (1<<6) - -#define LOG_PRINT_CRLF (1<<7) -#define LOG_FATAL_NOTIFY (1<<8) - -#define LOG_PRINT_INTVAL (1<<9) - -#define LOG_PRINT_REMOTE_IP (1<<10) - -#define LOG_ECHO_TO_LOG (1<<11) - -const char *log_entry_print (const struct log_entry *e, unsigned int flags, struct gc_arena *gc); - -struct log_history -{ - int base; - int size; - int capacity; - struct log_entry *array; -}; - -struct log_history *log_history_init (const int capacity); -void log_history_close (struct log_history *h); -void log_history_add (struct log_history *h, const struct log_entry *le); -void log_history_resize (struct log_history *h, const int capacity); -const struct log_entry *log_history_ref (const struct log_history *h, const int index); - -static inline int -log_history_size (const struct log_history *h) -{ - return h->size; -} - -static inline int -log_history_capacity (const struct log_history *h) -{ - return h->capacity; -} - -/* - * Callbacks for 'status' and 'kill' commands. - * Also for management-based deferred authentication and packet filter. - */ -struct management_callback -{ - void *arg; - -# define MCF_SERVER (1<<0) /* is OpenVPN being run as a server? */ - unsigned int flags; - - void (*status) (void *arg, const int version, struct status_output *so); - void (*show_net) (void *arg, const int msglevel); - int (*kill_by_cn) (void *arg, const char *common_name); - int (*kill_by_addr) (void *arg, const in_addr_t addr, const int port); - void (*delete_event) (void *arg, event_t event); - int (*n_clients) (void *arg); -#ifdef MANAGEMENT_DEF_AUTH - bool (*kill_by_cid) (void *arg, const unsigned long cid, const char *kill_msg); - bool (*client_auth) (void *arg, - const unsigned long cid, - const unsigned int mda_key_id, - const bool auth, - const char *reason, - const char *client_reason, - struct buffer_list *cc_config); /* ownership transferred */ - char *(*get_peer_info) (void *arg, const unsigned long cid); -#endif -#ifdef MANAGEMENT_PF - bool (*client_pf) (void *arg, - const unsigned long cid, - struct buffer_list *pf_config); /* ownership transferred */ -#endif - bool (*proxy_cmd) (void *arg, const char **p); - bool (*remote_cmd) (void *arg, const char **p); -}; - -/* - * Management object, split into three components: - * - * struct man_persist : Data elements which are persistent across - * man_connection open and close. - * - * struct man_settings : management parameters. - * - * struct man_connection : created on socket binding and listen, - * deleted on socket unbind, may - * handle multiple sequential client - * connections. - */ - -struct man_persist { - bool defined; - - struct log_history *log; - struct virtual_output vout; - - bool standalone_disabled; - struct management_callback callback; - - struct log_history *echo; /* saved --echo strings */ - struct log_history *state; - - bool hold_release; - - const char *special_state_msg; - - counter_type bytes_in; - counter_type bytes_out; -}; - -struct man_settings { - bool defined; - unsigned int flags; /* MF_x flags */ - struct addrinfo* local; -#if UNIX_SOCK_SUPPORT - struct sockaddr_un local_unix; -#endif - bool management_over_tunnel; - struct user_pass up; - int log_history_cache; - int echo_buffer_size; - int state_buffer_size; - char *write_peer_info_file; - int client_uid; - int client_gid; - -/* flags for handling the management interface "signal" command */ -# define MANSIG_IGNORE_USR1_HUP (1<<0) -# define MANSIG_MAP_USR1_TO_HUP (1<<1) -# define MANSIG_MAP_USR1_TO_TERM (1<<2) - unsigned int mansig; -}; - -/* up_query modes */ -#define UP_QUERY_DISABLED 0 -#define UP_QUERY_USER_PASS 1 -#define UP_QUERY_PASS 2 -#define UP_QUERY_NEED_OK 3 -#define UP_QUERY_NEED_STR 4 - -/* states */ -#define MS_INITIAL 0 /* all sockets are closed */ -#define MS_LISTEN 1 /* no client is connected */ -#define MS_CC_WAIT_READ 2 /* client is connected, waiting for read on socket */ -#define MS_CC_WAIT_WRITE 3 /* client is connected, waiting for ability to write to socket */ - -struct man_connection { - int state; - - socket_descriptor_t sd_top; - socket_descriptor_t sd_cli; - struct openvpn_sockaddr remote; - -#ifdef WIN32 - struct net_event_win32 ne32; -#endif - - bool halt; - bool password_verified; - int password_tries; - - struct command_line *in; - struct buffer_list *out; - -#ifdef MANAGEMENT_IN_EXTRA -# define IEC_UNDEF 0 -# define IEC_CLIENT_AUTH 1 -# define IEC_CLIENT_PF 2 -# define IEC_RSA_SIGN 3 - int in_extra_cmd; - struct buffer_list *in_extra; -#ifdef MANAGEMENT_DEF_AUTH - unsigned long in_extra_cid; - unsigned int in_extra_kid; -#endif -#ifdef MANAGMENT_EXTERNAL_KEY -# define EKS_UNDEF 0 -# define EKS_SOLICIT 1 -# define EKS_INPUT 2 -# define EKS_READY 3 - int ext_key_state; - struct buffer_list *ext_key_input; -#endif -#endif - struct event_set *es; - int env_filter_level; - - bool state_realtime; - bool log_realtime; - bool echo_realtime; - int bytecount_update_seconds; - time_t bytecount_last_update; - - const char *up_query_type; - int up_query_mode; - struct user_pass up_query; - -#ifdef MANAGMENT_EXTERNAL_KEY - struct buffer_list *rsa_sig; -#endif -#ifdef TARGET_ANDROID - int fdtosend; - int lastfdreceived; -#endif -}; - -struct management -{ - struct man_persist persist; - struct man_settings settings; - struct man_connection connection; -}; - -extern struct management *management; - -struct user_pass; - -struct management *management_init (void); - -/* management_open flags */ -# define MF_SERVER (1<<0) -# define MF_QUERY_PASSWORDS (1<<1) -# define MF_HOLD (1<<2) -# define MF_SIGNAL (1<<3) -# define MF_FORGET_DISCONNECT (1<<4) -# define MF_CONNECT_AS_CLIENT (1<<5) -#ifdef MANAGEMENT_DEF_AUTH -# define MF_CLIENT_AUTH (1<<6) -#endif -#ifdef MANAGEMENT_PF -# define MF_CLIENT_PF (1<<7) -#endif -# define MF_UNIX_SOCK (1<<8) -#ifdef MANAGMENT_EXTERNAL_KEY -# define MF_EXTERNAL_KEY (1<<9) -#endif -#define MF_UP_DOWN (1<<10) -#define MF_QUERY_REMOTE (1<<11) -#define MF_QUERY_PROXY (1<<12) - -bool management_open (struct management *man, - const char *addr, - const char *port, - const char *pass_file, - const char *client_user, - const char *client_group, - const int log_history_cache, - const int echo_buffer_size, - const int state_buffer_size, - const char *write_peer_info_file, - const int remap_sigusr1, - const unsigned int flags); - -void management_close (struct management *man); - -void management_post_tunnel_open (struct management *man, const in_addr_t tun_local_ip); - -void management_pre_tunnel_close (struct management *man); - -void management_socket_set (struct management *man, - struct event_set *es, - void *arg, - unsigned int *persistent); - -void management_io (struct management *man); - -void management_set_callback (struct management *man, - const struct management_callback *cb); - -void management_clear_callback (struct management *man); - -bool management_query_user_pass (struct management *man, - struct user_pass *up, - const char *type, - const unsigned int flags, - const char *static_challenge); - -bool management_should_daemonize (struct management *man); -bool management_would_hold (struct management *man); -bool management_hold (struct management *man); - -void management_event_loop_n_seconds (struct management *man, int sec); - -void management_up_down(struct management *man, const char *updown, const struct env_set *es); - -void management_notify(struct management *man, const char *severity, const char *type, const char *text); - -void management_notify_generic (struct management *man, const char *str); - -#ifdef MANAGEMENT_DEF_AUTH -void management_notify_client_needing_auth (struct management *management, - const unsigned int auth_id, - struct man_def_auth_context *mdac, - const struct env_set *es); - -void management_connection_established (struct management *management, - struct man_def_auth_context *mdac, - const struct env_set *es); - -void management_notify_client_close (struct management *management, - struct man_def_auth_context *mdac, - const struct env_set *es); - -void management_learn_addr (struct management *management, - struct man_def_auth_context *mdac, - const struct mroute_addr *addr, - const bool primary); -#endif - -#ifdef MANAGMENT_EXTERNAL_KEY - -char *management_query_rsa_sig (struct management *man, const char *b64_data); - -#endif - -static inline bool -management_connected (const struct management *man) -{ - return man->connection.state == MS_CC_WAIT_READ || man->connection.state == MS_CC_WAIT_WRITE; -} - -static inline bool -management_query_user_pass_enabled (const struct management *man) -{ - return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS); -} - -static inline bool -management_query_remote_enabled (const struct management *man) -{ - return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE); -} - -static inline bool -management_query_proxy_enabled (const struct management *man) -{ - return BOOL_CAST(man->settings.flags & MF_QUERY_PROXY); -} - -#ifdef MANAGEMENT_PF -static inline bool -management_enable_pf (const struct management *man) -{ - return man && BOOL_CAST(man->settings.flags & MF_CLIENT_PF); -} -#endif - -#ifdef MANAGEMENT_DEF_AUTH -static inline bool -management_enable_def_auth (const struct management *man) -{ - return man && BOOL_CAST(man->settings.flags & MF_CLIENT_AUTH); -} -#endif - -/* - * OpenVPN tells the management layer what state it's in - */ - -/* client/server states */ -#define OPENVPN_STATE_INITIAL 0 /* Initial, undefined state */ -#define OPENVPN_STATE_CONNECTING 1 /* Management interface has been initialized */ -#define OPENVPN_STATE_ASSIGN_IP 2 /* Assigning IP address to virtual network interface */ -#define OPENVPN_STATE_ADD_ROUTES 3 /* Adding routes to system */ -#define OPENVPN_STATE_CONNECTED 4 /* Initialization sequence completed */ -#define OPENVPN_STATE_RECONNECTING 5 /* Restart */ -#define OPENVPN_STATE_EXITING 6 /* Exit */ - -/* client-only states */ -#define OPENVPN_STATE_WAIT 7 /* Waiting for initial response from server */ -#define OPENVPN_STATE_AUTH 8 /* Authenticating with server */ -#define OPENVPN_STATE_GET_CONFIG 9 /* Downloading configuration from server */ -#define OPENVPN_STATE_RESOLVE 10 /* DNS lookup */ -#define OPENVPN_STATE_TCP_CONNECT 11 /* Connecting to TCP server */ - -#define OPENVPN_STATE_CLIENT_BASE 7 /* Base index of client-only states */ - -void management_set_state (struct management *man, - const int state, - const char *detail, - const in_addr_t tun_local_ip, - const in_addr_t tun_remote_ip); - -/* - * The management object keeps track of OpenVPN --echo - * parameters. - */ -void management_echo (struct management *man, const char *string, const bool pull); - -/* - * OpenVPN calls here to indicate a password failure - */ - -void management_auth_failure (struct management *man, const char *type, const char *reason); - -/* - * Echo an authentication token to management interface - */ -void management_auth_token (struct management *man, const char *token); - -/* - * These functions drive the bytecount in/out counters. - */ - -void man_bytecount_output_client (struct management *man); - -static inline void -man_bytecount_possible_output_client (struct management *man) -{ - if (man->connection.bytecount_update_seconds > 0 - && now >= man->connection.bytecount_last_update - + man->connection.bytecount_update_seconds) - man_bytecount_output_client (man); -} - -static inline void -management_bytes_out_client (struct management *man, const int size) -{ - man->persist.bytes_out += size; - man_bytecount_possible_output_client (man); -} - -static inline void -management_bytes_in_client (struct management *man, const int size) -{ - man->persist.bytes_in += size; - man_bytecount_possible_output_client (man); -} - -static inline void -management_bytes_out (struct management *man, const int size) -{ - if (!(man->persist.callback.flags & MCF_SERVER)) - management_bytes_out_client (man, size); -} - -static inline void -management_bytes_in (struct management *man, const int size) -{ - if (!(man->persist.callback.flags & MCF_SERVER)) - management_bytes_in_client (man, size); -} - -#ifdef MANAGEMENT_DEF_AUTH - -static inline void -management_bytes_server (struct management *man, - const counter_type *bytes_in_total, - const counter_type *bytes_out_total, - struct man_def_auth_context *mdac) -{ - void man_bytecount_output_server (struct management *man, - const counter_type *bytes_in_total, - const counter_type *bytes_out_total, - struct man_def_auth_context *mdac); - - if (man->connection.bytecount_update_seconds > 0 - && now >= mdac->bytecount_last_update + man->connection.bytecount_update_seconds - && (mdac->flags & (DAF_CONNECTION_ESTABLISHED|DAF_CONNECTION_CLOSED)) == DAF_CONNECTION_ESTABLISHED) - man_bytecount_output_server (man, bytes_in_total, bytes_out_total, mdac); -} - -#endif /* MANAGEMENT_DEF_AUTH */ - -#endif -#endif |