summaryrefslogtreecommitdiff
path: root/src/openvpn
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2013-06-03 18:47:53 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2013-06-03 18:47:53 +0200
commit70b71e008cc968ee53d6b8af9f7a006f13c27e2a (patch)
treebb9c15285fe1f4751fd26bbdd4981ff7819403be /src/openvpn
parentfcc893c0d8d245525cfb023b6e2a8aae086304cf (diff)
Imported Upstream version 2.3.2upstream/2.3.2
Diffstat (limited to 'src/openvpn')
-rw-r--r--src/openvpn/common.h2
-rw-r--r--src/openvpn/crypto_openssl.c6
-rw-r--r--src/openvpn/init.c30
-rw-r--r--src/openvpn/options.c99
-rw-r--r--src/openvpn/options.h1
-rw-r--r--src/openvpn/pf.c2
-rw-r--r--src/openvpn/route.c1
-rw-r--r--src/openvpn/socket.c11
-rw-r--r--src/openvpn/ssl.c31
-rw-r--r--src/openvpn/ssl_common.h2
-rw-r--r--src/openvpn/ssl_openssl.c7
-rw-r--r--src/openvpn/win32.c5
12 files changed, 109 insertions, 88 deletions
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index dd2c83f..2f85bec 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -100,6 +100,6 @@ typedef unsigned long ptr_type;
/*
* Script security warning
*/
-#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info."
+#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info."
#endif
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 21d1762..1501bc8 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -194,7 +194,8 @@ crypto_init_lib_engine (const char *engine_name)
void
crypto_init_lib (void)
{
-#ifndef USE_SSL
+#ifndef ENABLE_SSL
+ /* If SSL is enabled init is taken care of in ssl_openssl.c */
#ifndef ENABLE_SMALL
ERR_load_crypto_strings ();
#endif
@@ -215,7 +216,8 @@ crypto_init_lib (void)
void
crypto_uninit_lib (void)
{
-#ifndef USE_SSL
+#ifndef ENABLE_SSL
+ /* If SSL is enabled cleanup is taken care of in ssl_openssl.c */
EVP_cleanup ();
#ifndef ENABLE_SMALL
ERR_free_strings ();
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 979ba23..2420216 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1145,13 +1145,14 @@ do_init_traffic_shaper (struct context *c)
}
/*
- * Allocate a route list structure if at least one
- * --route option was specified.
+ * Allocate route list structures for IPv4 and IPv6
+ * (we do this for IPv4 even if no --route option has been seen, as other
+ * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
*/
static void
do_alloc_route_list (struct context *c)
{
- if (c->options.routes && !c->c1.route_list)
+ if (!c->c1.route_list)
c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);
if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc);
@@ -2191,7 +2192,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
to.renegotiate_seconds = options->renegotiate_seconds;
to.single_session = options->single_session;
#ifdef ENABLE_PUSH_PEER_INFO
- to.push_peer_info = options->push_peer_info;
+ if (options->push_peer_info) /* all there is */
+ to.push_peer_info_detail = 2;
+ else if (options->pull) /* pull clients send some details */
+ to.push_peer_info_detail = 1;
+ else /* default: no peer-info at all */
+ to.push_peer_info_detail = 0;
#endif
/* should we not xmit any packets until we get an initial
@@ -2480,12 +2486,16 @@ do_option_warnings (struct context *c)
msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
#endif
- if (script_security >= SSEC_SCRIPTS)
- msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
- else if (script_security >= SSEC_PW_ENV)
- msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
- else
- msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
+ /* If a script is used, print appropiate warnings */
+ if (o->user_script_used)
+ {
+ if (script_security >= SSEC_SCRIPTS)
+ msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
+ else if (script_security >= SSEC_PW_ENV)
+ msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
+ else
+ msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
+ }
}
static void
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ec39212..23af272 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1830,6 +1830,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
*/
if (ce->proto == PROTO_TCPv4)
msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
+ if (ce->proto == PROTO_TCPv6)
+ msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client");
/*
* Sanity check on daemon/inetd modes
@@ -2352,6 +2354,8 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
{
if (ce->proto == PROTO_TCPv4)
ce->proto = PROTO_TCPv4_SERVER;
+ else if (ce->proto == PROTO_TCPv6)
+ ce->proto = PROTO_TCPv6_SERVER;
}
#endif
#if P2MP
@@ -2728,28 +2732,6 @@ options_postprocess_filechecks (struct options *options)
errs |= check_file_access (CHKACC_FILE, options->tmp_dir,
R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
- /* ** Script hooks that accept an optionally quoted and/or escaped executable path, ** */
- /* ** optionally followed by arguments ** */
- errs |= check_cmd_access (options->auth_user_pass_verify_script,
- "--auth-user-pass-verify script");
- errs |= check_cmd_access (options->client_connect_script,
- "--client-connect script");
- errs |= check_cmd_access (options->client_disconnect_script,
- "--client-disconnect script");
- errs |= check_cmd_access (options->tls_verify,
- "--tls-verify script");
- errs |= check_cmd_access (options->up_script,
- "--up script");
- errs |= check_cmd_access (options->down_script,
- "--down script");
- errs |= check_cmd_access (options->ipchange,
- "--ipchange script");
- errs |= check_cmd_access (options->route_script,
- "--route-up script");
- errs |= check_cmd_access (options->route_predown_script,
- "--route-pre-down script");
- errs |= check_cmd_access (options->learn_address_script,
- "--learn-address script");
#endif /* P2MP_SERVER */
if (errs)
@@ -4011,11 +3993,28 @@ msglevel_forward_compatible (struct options *options, const int msglevel)
}
static void
-warn_multiple_script (const char *script, const char *type) {
- if (script) {
- msg (M_WARN, "Multiple --%s scripts defined. "
- "The previously configured script is overridden.", type);
- }
+set_user_script (struct options *options,
+ const char **script,
+ const char *new_script,
+ const char *type)
+{
+ if (*script) {
+ msg (M_WARN, "Multiple --%s scripts defined. "
+ "The previously configured script is overridden.", type);
+ }
+ *script = new_script;
+ options->user_script_used = true;
+
+#ifndef ENABLE_SMALL
+ {
+ char script_name[100];
+ openvpn_snprintf (script_name, sizeof(script_name),
+ "--%s script", type);
+
+ if (check_cmd_access (*script, script_name))
+ msg (M_USAGE, "Please correct this error.");
+ }
+#endif
}
@@ -4480,8 +4479,10 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->ipchange, "ipchange");
- options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
+ set_user_script (options,
+ &options->ipchange,
+ string_substitute (p[1], ',', ' ', &options->gc),
+ "ipchange");
}
else if (streq (p[0], "float"))
{
@@ -4527,16 +4528,14 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->up_script, "up");
- options->up_script = p[1];
+ set_user_script (options, &options->up_script, p[1], "up");
}
else if (streq (p[0], "down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->down_script, "down");
- options->down_script = p[1];
+ set_user_script (options, &options->down_script, p[1], "down");
}
else if (streq (p[0], "down-pre"))
{
@@ -5069,8 +5068,7 @@ add_option (struct options *options,
#ifdef ENABLE_OCC
else if (streq (p[0], "explicit-exit-notify"))
{
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-/* VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY); */
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
if (p[1])
{
options->ce.explicit_exit_notification = positive_atoi (p[1]);
@@ -5218,16 +5216,17 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->route_script, "route-up");
- options->route_script = p[1];
+ set_user_script (options, &options->route_script, p[1], "route-up");
}
else if (streq (p[0], "route-pre-down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->route_predown_script, "route-pre-down");
- options->route_predown_script = p[1];
+ set_user_script (options,
+ &options->route_predown_script,
+ p[1],
+ "route-pre-down");
}
else if (streq (p[0], "route-noexec"))
{
@@ -5594,32 +5593,33 @@ add_option (struct options *options,
msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
goto err;
}
- warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify");
- options->auth_user_pass_verify_script = p[1];
+ set_user_script (options,
+ &options->auth_user_pass_verify_script,
+ p[1], "auth-user-pass-verify");
}
else if (streq (p[0], "client-connect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->client_connect_script, "client-connect");
- options->client_connect_script = p[1];
+ set_user_script (options, &options->client_connect_script,
+ p[1], "client-connect");
}
else if (streq (p[0], "client-disconnect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->client_disconnect_script, "client-disconnect");
- options->client_disconnect_script = p[1];
+ set_user_script (options, &options->client_disconnect_script,
+ p[1], "client-disconnect");
}
else if (streq (p[0], "learn-address") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->learn_address_script, "learn-address");
- options->learn_address_script = p[1];
+ set_user_script (options, &options->learn_address_script,
+ p[1], "learn-address");
}
else if (streq (p[0], "tmp-dir") && p[1])
{
@@ -6507,8 +6507,9 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
- warn_multiple_script (options->tls_verify, "tls-verify");
- options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
+ set_user_script (options, &options->tls_verify,
+ string_substitute (p[1], ',', ' ', &options->gc),
+ "tls-verify");
}
#ifndef ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "tls-export-cert") && p[1])
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index d2ad94c..f80532c 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -285,6 +285,7 @@ struct options
const char *writepid;
const char *up_script;
const char *down_script;
+ bool user_script_used;
bool down_pre;
bool up_delay;
bool up_restart;
diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c
index aafe9ff..461beed 100644
--- a/src/openvpn/pf.c
+++ b/src/openvpn/pf.c
@@ -417,7 +417,7 @@ lookup_cn_rule (struct hash *h, const char *cn, const uint32_t cn_hash)
bool
pf_cn_test (struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix)
{
- if (!pfs->kill)
+ if (pfs && !pfs->kill)
{
const char *cn;
uint32_t cn_hash;
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 4c1e14e..044e6ac 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -503,6 +503,7 @@ route_list_add_vpn_gateway (struct route_list *rl,
struct env_set *es,
const in_addr_t addr)
{
+ ASSERT(rl);
rl->spec.remote_endpoint = addr;
rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
setenv_route_addr (es, "vpn_gateway", rl->spec.remote_endpoint, -1);
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 8eb112b..85f783a 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -2786,6 +2786,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
struct iovec iov;
struct msghdr mesg;
struct cmsghdr *cmsg;
+ union openvpn_pktinfo opi;
iov.iov_base = BPTR (buf);
iov.iov_len = BLEN (buf);
@@ -2795,11 +2796,10 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
{
case AF_INET:
{
- struct openvpn_in4_pktinfo msgpi4;
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in);
- mesg.msg_control = &msgpi4;
- mesg.msg_controllen = sizeof msgpi4;
+ mesg.msg_control = &opi;
+ mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
mesg.msg_flags = 0;
cmsg = CMSG_FIRSTHDR (&mesg);
cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
@@ -2824,12 +2824,11 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
}
case AF_INET6:
{
- struct openvpn_in6_pktinfo msgpi6;
struct in6_pktinfo *pkti6;
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in6);
- mesg.msg_control = &msgpi6;
- mesg.msg_controllen = sizeof msgpi6;
+ mesg.msg_control = &opi;
+ mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo);
mesg.msg_flags = 0;
cmsg = CMSG_FIRSTHDR (&mesg);
cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo);
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 43b3980..8b864c8 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
bool ret = false;
#ifdef ENABLE_PUSH_PEER_INFO
- if (session->opt->push_peer_info) /* write peer info */
+ if (session->opt->push_peer_info_detail > 0)
{
struct env_set *es = session->opt->es;
struct env_item *e;
@@ -1801,26 +1801,27 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
buf_printf (&out, "IV_PLAT=win\n");
#endif
- /* push mac addr */
- {
- struct route_gateway_info rgi;
- get_default_gateway (&rgi);
- if (rgi.flags & RGI_HWADDR_DEFINED)
- buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
- }
-
/* push LZO status */
#ifdef ENABLE_LZO_STUB
buf_printf (&out, "IV_LZO_STUB=1\n");
#endif
- /* push env vars that begin with UV_ */
- for (e=es->list; e != NULL; e=e->next)
- {
- if (e->string)
+ if (session->opt->push_peer_info_detail >= 2)
+ {
+ /* push mac addr */
+ struct route_gateway_info rgi;
+ get_default_gateway (&rgi);
+ if (rgi.flags & RGI_HWADDR_DEFINED)
+ buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
+
+ /* push env vars that begin with UV_ */
+ for (e=es->list; e != NULL; e=e->next)
{
- if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
- buf_printf (&out, "%s\n", e->string);
+ if (e->string)
+ {
+ if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
+ buf_printf (&out, "%s\n", e->string);
+ }
}
}
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index c62294f..0d818ab 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -233,7 +233,7 @@ struct tls_options
bool disable_occ;
#endif
#ifdef ENABLE_PUSH_PEER_INFO
- bool push_peer_info;
+ int push_peer_info_detail;
#endif
int transition_window;
int handshake_window;
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 1006617..79cc056 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -217,8 +217,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
ASSERT(NULL != ctx);
// Translate IANA cipher suite names to OpenSSL names
- for (begin_of_cipher = 0; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher+1) {
- end_of_cipher = strcspn(&ciphers[begin_of_cipher], ":");
+ begin_of_cipher = end_of_cipher = 0;
+ for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+ end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
if (NULL == cipher_pair)
@@ -257,6 +258,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
openssl_ciphers_len += current_cipher_len;
openssl_ciphers[openssl_ciphers_len] = ':';
openssl_ciphers_len++;
+
+ end_of_cipher++;
}
if (openssl_ciphers_len > 0)
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 2db96a8..178e2c3 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -879,7 +879,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
start_info.dwFlags = STARTF_USESHOWWINDOW;
start_info.wShowWindow = SW_HIDE;
- if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info))
+ /* this allows console programs to run, and is ignored otherwise */
+ DWORD proc_flags = CREATE_NO_WINDOW;
+
+ if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
{
DWORD exit_status = 0;
CloseHandle (proc_info.hThread);