summaryrefslogtreecommitdiff
path: root/src/openvpn/options.c
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2021-02-24 19:54:12 +0100
committerBernhard Schmidt <berni@debian.org>2021-02-24 19:54:12 +0100
commit4ee98f284a93c3b855092d35ac21371d9dcad65b (patch)
treedc5a9759b8165b50d028db416367767b82f42f49 /src/openvpn/options.c
parent0816f633cec4254ccfd98901252eefe84b0e2648 (diff)
New upstream version 2.5.1upstream/2.5.1
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c100
1 files changed, 49 insertions, 51 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 658ca53..0d99e99 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1983,6 +1983,23 @@ connection_entry_load_re(struct connection_entry *ce, const struct remote_entry
}
static void
+connection_entry_preload_key(const char **key_file, bool *key_inline,
+ struct gc_arena *gc)
+{
+ if (key_file && *key_file && !(*key_inline))
+ {
+ struct buffer in = buffer_read_from_file(*key_file, gc);
+ if (!buf_valid(&in))
+ {
+ msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
+ }
+
+ *key_file = (const char *) in.data;
+ *key_inline = true;
+ }
+}
+
+static void
options_postprocess_verify_ce(const struct options *options,
const struct connection_entry *ce)
{
@@ -2933,36 +2950,17 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
}
- /* pre-cache tls-auth/crypt key file if persist-key was specified and keys
- * were not already embedded in the config file
+ /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
+ * keys were not already embedded in the config file.
*/
if (o->persist_key)
{
- if (ce->tls_auth_file && !ce->tls_auth_file_inline)
- {
- struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc);
- if (!buf_valid(&in))
- {
- msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
- ce->tls_auth_file);
- }
-
- ce->tls_auth_file = (char *)in.data;
- ce->tls_auth_file_inline = true;
- }
-
- if (ce->tls_crypt_file && !ce->tls_crypt_file_inline)
- {
- struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc);
- if (!buf_valid(&in))
- {
- msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
- ce->tls_crypt_file);
- }
-
- ce->tls_crypt_file = (char *)in.data;
- ce->tls_crypt_file_inline = true;
- }
+ connection_entry_preload_key(&ce->tls_auth_file,
+ &ce->tls_auth_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_file,
+ &ce->tls_crypt_file_inline, &o->gc);
+ connection_entry_preload_key(&ce->tls_crypt_v2_file,
+ &ce->tls_crypt_v2_file_inline, &o->gc);
}
}
@@ -3966,7 +3964,7 @@ options_warning_safe_scan2(const int msglevel,
if (strprefix(p1, "key-method ")
|| strprefix(p1, "keydir ")
|| strprefix(p1, "proto ")
- || strprefix(p1, "tls-auth ")
+ || streq(p1, "tls-auth")
|| strprefix(p1, "tun-ipv6")
|| strprefix(p1, "cipher "))
{
@@ -4661,7 +4659,8 @@ in_src_get(const struct in_src *is, char *line, const int size)
}
static char *
-read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
+read_inline_file(struct in_src *is, const char *close_tag,
+ int *num_lines, struct gc_arena *gc)
{
char line[OPTION_LINE_SIZE];
struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
@@ -4670,6 +4669,7 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
while (in_src_get(is, line, sizeof(line)))
{
+ (*num_lines)++;
char *line_ptr = line;
/* Remove leading spaces */
while (isspace(*line_ptr))
@@ -4703,10 +4703,10 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
return ret;
}
-static bool
+static int
check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
{
- bool is_inline = false;
+ int num_inline_lines = 0;
if (p[0] && !p[1])
{
@@ -4719,16 +4719,15 @@ check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
p[0] = string_alloc(arg + 1, gc);
close_tag = alloc_buf(strlen(p[0]) + 4);
buf_printf(&close_tag, "</%s>", p[0]);
- p[1] = read_inline_file(is, BSTR(&close_tag), gc);
+ p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
p[2] = NULL;
free_buf(&close_tag);
- is_inline = true;
}
}
- return is_inline;
+ return num_inline_lines;
}
-static bool
+static int
check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
{
struct in_src is;
@@ -4737,7 +4736,7 @@ check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
return check_inline_file(&is, p, gc);
}
-static bool
+static int
check_inline_file_via_buf(struct buffer *multiline, char *p[],
struct gc_arena *gc)
{
@@ -4808,13 +4807,12 @@ read_config_file(struct options *options,
}
if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
{
- bool is_inline;
-
bypass_doubledash(&p[0]);
- is_inline = check_inline_file_via_fp(fp, p, &options->gc);
- add_option(options, p, is_inline, file, line_num, level,
+ int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
+ add_option(options, p, lines_inline, file, line_num, level,
msglevel, permission_mask, option_types_found,
es);
+ line_num += lines_inline;
}
}
if (fp != stdin)
@@ -4857,12 +4855,11 @@ read_config_string(const char *prefix,
++line_num;
if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
{
- bool is_inline;
-
bypass_doubledash(&p[0]);
- is_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
- add_option(options, p, is_inline, prefix, line_num, 0, msglevel,
+ int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
+ add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
permission_mask, option_types_found, es);
+ line_num += lines_inline;
}
CLEAR(p);
}
@@ -5311,13 +5308,14 @@ add_option(struct options *options,
}
if (good)
{
-#if 0
- /* removed for now since ECHO can potentially include
- * security-sensitive strings */
- msg(M_INFO, "%s:%s",
- pull_mode ? "ECHO-PULL" : "ECHO",
- BSTR(&string));
-#endif
+ /* only message-related ECHO are logged, since other ECHOs
+ * can potentially include security-sensitive strings */
+ if (strncmp(p[1], "msg", 3) == 0)
+ {
+ msg(M_INFO, "%s:%s",
+ pull_mode ? "ECHO-PULL" : "ECHO",
+ BSTR(&string));
+ }
#ifdef ENABLE_MANAGEMENT
if (management)
{