diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2013-06-03 18:47:53 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2013-06-03 18:47:53 +0200 |
commit | 70b71e008cc968ee53d6b8af9f7a006f13c27e2a (patch) | |
tree | bb9c15285fe1f4751fd26bbdd4981ff7819403be /src | |
parent | fcc893c0d8d245525cfb023b6e2a8aae086304cf (diff) |
Imported Upstream version 2.3.2upstream/2.3.2
Diffstat (limited to 'src')
-rw-r--r-- | src/openvpn/common.h | 2 | ||||
-rw-r--r-- | src/openvpn/crypto_openssl.c | 6 | ||||
-rw-r--r-- | src/openvpn/init.c | 30 | ||||
-rw-r--r-- | src/openvpn/options.c | 99 | ||||
-rw-r--r-- | src/openvpn/options.h | 1 | ||||
-rw-r--r-- | src/openvpn/pf.c | 2 | ||||
-rw-r--r-- | src/openvpn/route.c | 1 | ||||
-rw-r--r-- | src/openvpn/socket.c | 11 | ||||
-rw-r--r-- | src/openvpn/ssl.c | 31 | ||||
-rw-r--r-- | src/openvpn/ssl_common.h | 2 | ||||
-rw-r--r-- | src/openvpn/ssl_openssl.c | 7 | ||||
-rw-r--r-- | src/openvpn/win32.c | 5 |
12 files changed, 109 insertions, 88 deletions
diff --git a/src/openvpn/common.h b/src/openvpn/common.h index dd2c83f..2f85bec 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -100,6 +100,6 @@ typedef unsigned long ptr_type; /* * Script security warning */ -#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info." +#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info." #endif diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 21d1762..1501bc8 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -194,7 +194,8 @@ crypto_init_lib_engine (const char *engine_name) void crypto_init_lib (void) { -#ifndef USE_SSL +#ifndef ENABLE_SSL + /* If SSL is enabled init is taken care of in ssl_openssl.c */ #ifndef ENABLE_SMALL ERR_load_crypto_strings (); #endif @@ -215,7 +216,8 @@ crypto_init_lib (void) void crypto_uninit_lib (void) { -#ifndef USE_SSL +#ifndef ENABLE_SSL + /* If SSL is enabled cleanup is taken care of in ssl_openssl.c */ EVP_cleanup (); #ifndef ENABLE_SMALL ERR_free_strings (); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 979ba23..2420216 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1145,13 +1145,14 @@ do_init_traffic_shaper (struct context *c) } /* - * Allocate a route list structure if at least one - * --route option was specified. + * Allocate route list structures for IPv4 and IPv6 + * (we do this for IPv4 even if no --route option has been seen, as other + * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP) */ static void do_alloc_route_list (struct context *c) { - if (c->options.routes && !c->c1.route_list) + if (!c->c1.route_list) c->c1.route_list = new_route_list (c->options.max_routes, &c->gc); if (c->options.routes_ipv6 && !c->c1.route_ipv6_list) c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc); @@ -2191,7 +2192,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.renegotiate_seconds = options->renegotiate_seconds; to.single_session = options->single_session; #ifdef ENABLE_PUSH_PEER_INFO - to.push_peer_info = options->push_peer_info; + if (options->push_peer_info) /* all there is */ + to.push_peer_info_detail = 2; + else if (options->pull) /* pull clients send some details */ + to.push_peer_info_detail = 1; + else /* default: no peer-info at all */ + to.push_peer_info_detail = 0; #endif /* should we not xmit any packets until we get an initial @@ -2480,12 +2486,16 @@ do_option_warnings (struct context *c) msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS"); #endif - if (script_security >= SSEC_SCRIPTS) - msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); - else if (script_security >= SSEC_PW_ENV) - msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); - else - msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"); + /* If a script is used, print appropiate warnings */ + if (o->user_script_used) + { + if (script_security >= SSEC_SCRIPTS) + msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); + else if (script_security >= SSEC_PW_ENV) + msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); + else + msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); + } } static void diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ec39212..23af272 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1830,6 +1830,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne */ if (ce->proto == PROTO_TCPv4) msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); + if (ce->proto == PROTO_TCPv6) + msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client"); /* * Sanity check on daemon/inetd modes @@ -2352,6 +2354,8 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) { if (ce->proto == PROTO_TCPv4) ce->proto = PROTO_TCPv4_SERVER; + else if (ce->proto == PROTO_TCPv6) + ce->proto = PROTO_TCPv6_SERVER; } #endif #if P2MP @@ -2728,28 +2732,6 @@ options_postprocess_filechecks (struct options *options) errs |= check_file_access (CHKACC_FILE, options->tmp_dir, R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); - /* ** Script hooks that accept an optionally quoted and/or escaped executable path, ** */ - /* ** optionally followed by arguments ** */ - errs |= check_cmd_access (options->auth_user_pass_verify_script, - "--auth-user-pass-verify script"); - errs |= check_cmd_access (options->client_connect_script, - "--client-connect script"); - errs |= check_cmd_access (options->client_disconnect_script, - "--client-disconnect script"); - errs |= check_cmd_access (options->tls_verify, - "--tls-verify script"); - errs |= check_cmd_access (options->up_script, - "--up script"); - errs |= check_cmd_access (options->down_script, - "--down script"); - errs |= check_cmd_access (options->ipchange, - "--ipchange script"); - errs |= check_cmd_access (options->route_script, - "--route-up script"); - errs |= check_cmd_access (options->route_predown_script, - "--route-pre-down script"); - errs |= check_cmd_access (options->learn_address_script, - "--learn-address script"); #endif /* P2MP_SERVER */ if (errs) @@ -4011,11 +3993,28 @@ msglevel_forward_compatible (struct options *options, const int msglevel) } static void -warn_multiple_script (const char *script, const char *type) { - if (script) { - msg (M_WARN, "Multiple --%s scripts defined. " - "The previously configured script is overridden.", type); - } +set_user_script (struct options *options, + const char **script, + const char *new_script, + const char *type) +{ + if (*script) { + msg (M_WARN, "Multiple --%s scripts defined. " + "The previously configured script is overridden.", type); + } + *script = new_script; + options->user_script_used = true; + +#ifndef ENABLE_SMALL + { + char script_name[100]; + openvpn_snprintf (script_name, sizeof(script_name), + "--%s script", type); + + if (check_cmd_access (*script, script_name)) + msg (M_USAGE, "Please correct this error."); + } +#endif } @@ -4480,8 +4479,10 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->ipchange, "ipchange"); - options->ipchange = string_substitute (p[1], ',', ' ', &options->gc); + set_user_script (options, + &options->ipchange, + string_substitute (p[1], ',', ' ', &options->gc), + "ipchange"); } else if (streq (p[0], "float")) { @@ -4527,16 +4528,14 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->up_script, "up"); - options->up_script = p[1]; + set_user_script (options, &options->up_script, p[1], "up"); } else if (streq (p[0], "down") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->down_script, "down"); - options->down_script = p[1]; + set_user_script (options, &options->down_script, p[1], "down"); } else if (streq (p[0], "down-pre")) { @@ -5069,8 +5068,7 @@ add_option (struct options *options, #ifdef ENABLE_OCC else if (streq (p[0], "explicit-exit-notify")) { - VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -/* VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY); */ + VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); if (p[1]) { options->ce.explicit_exit_notification = positive_atoi (p[1]); @@ -5218,16 +5216,17 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->route_script, "route-up"); - options->route_script = p[1]; + set_user_script (options, &options->route_script, p[1], "route-up"); } else if (streq (p[0], "route-pre-down") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->route_predown_script, "route-pre-down"); - options->route_predown_script = p[1]; + set_user_script (options, + &options->route_predown_script, + p[1], + "route-pre-down"); } else if (streq (p[0], "route-noexec")) { @@ -5594,32 +5593,33 @@ add_option (struct options *options, msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')"); goto err; } - warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify"); - options->auth_user_pass_verify_script = p[1]; + set_user_script (options, + &options->auth_user_pass_verify_script, + p[1], "auth-user-pass-verify"); } else if (streq (p[0], "client-connect") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->client_connect_script, "client-connect"); - options->client_connect_script = p[1]; + set_user_script (options, &options->client_connect_script, + p[1], "client-connect"); } else if (streq (p[0], "client-disconnect") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->client_disconnect_script, "client-disconnect"); - options->client_disconnect_script = p[1]; + set_user_script (options, &options->client_disconnect_script, + p[1], "client-disconnect"); } else if (streq (p[0], "learn-address") && p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->learn_address_script, "learn-address"); - options->learn_address_script = p[1]; + set_user_script (options, &options->learn_address_script, + p[1], "learn-address"); } else if (streq (p[0], "tmp-dir") && p[1]) { @@ -6507,8 +6507,9 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_SCRIPT); if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) goto err; - warn_multiple_script (options->tls_verify, "tls-verify"); - options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc); + set_user_script (options, &options->tls_verify, + string_substitute (p[1], ',', ' ', &options->gc), + "tls-verify"); } #ifndef ENABLE_CRYPTO_POLARSSL else if (streq (p[0], "tls-export-cert") && p[1]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index d2ad94c..f80532c 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -285,6 +285,7 @@ struct options const char *writepid; const char *up_script; const char *down_script; + bool user_script_used; bool down_pre; bool up_delay; bool up_restart; diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index aafe9ff..461beed 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c @@ -417,7 +417,7 @@ lookup_cn_rule (struct hash *h, const char *cn, const uint32_t cn_hash) bool pf_cn_test (struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix) { - if (!pfs->kill) + if (pfs && !pfs->kill) { const char *cn; uint32_t cn_hash; diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 4c1e14e..044e6ac 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -503,6 +503,7 @@ route_list_add_vpn_gateway (struct route_list *rl, struct env_set *es, const in_addr_t addr) { + ASSERT(rl); rl->spec.remote_endpoint = addr; rl->spec.flags |= RTSA_REMOTE_ENDPOINT; setenv_route_addr (es, "vpn_gateway", rl->spec.remote_endpoint, -1); diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 8eb112b..85f783a 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2786,6 +2786,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, struct iovec iov; struct msghdr mesg; struct cmsghdr *cmsg; + union openvpn_pktinfo opi; iov.iov_base = BPTR (buf); iov.iov_len = BLEN (buf); @@ -2795,11 +2796,10 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, { case AF_INET: { - struct openvpn_in4_pktinfo msgpi4; mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof (struct sockaddr_in); - mesg.msg_control = &msgpi4; - mesg.msg_controllen = sizeof msgpi4; + mesg.msg_control = &opi; + mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo); mesg.msg_flags = 0; cmsg = CMSG_FIRSTHDR (&mesg); cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo); @@ -2824,12 +2824,11 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock, } case AF_INET6: { - struct openvpn_in6_pktinfo msgpi6; struct in6_pktinfo *pkti6; mesg.msg_name = &to->dest.addr.sa; mesg.msg_namelen = sizeof (struct sockaddr_in6); - mesg.msg_control = &msgpi6; - mesg.msg_controllen = sizeof msgpi6; + mesg.msg_control = &opi; + mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo); mesg.msg_flags = 0; cmsg = CMSG_FIRSTHDR (&mesg); cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 43b3980..8b864c8 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session) bool ret = false; #ifdef ENABLE_PUSH_PEER_INFO - if (session->opt->push_peer_info) /* write peer info */ + if (session->opt->push_peer_info_detail > 0) { struct env_set *es = session->opt->es; struct env_item *e; @@ -1801,26 +1801,27 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf (&out, "IV_PLAT=win\n"); #endif - /* push mac addr */ - { - struct route_gateway_info rgi; - get_default_gateway (&rgi); - if (rgi.flags & RGI_HWADDR_DEFINED) - buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); - } - /* push LZO status */ #ifdef ENABLE_LZO_STUB buf_printf (&out, "IV_LZO_STUB=1\n"); #endif - /* push env vars that begin with UV_ */ - for (e=es->list; e != NULL; e=e->next) - { - if (e->string) + if (session->opt->push_peer_info_detail >= 2) + { + /* push mac addr */ + struct route_gateway_info rgi; + get_default_gateway (&rgi); + if (rgi.flags & RGI_HWADDR_DEFINED) + buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); + + /* push env vars that begin with UV_ */ + for (e=es->list; e != NULL; e=e->next) { - if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1)) - buf_printf (&out, "%s\n", e->string); + if (e->string) + { + if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1)) + buf_printf (&out, "%s\n", e->string); + } } } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index c62294f..0d818ab 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -233,7 +233,7 @@ struct tls_options bool disable_occ; #endif #ifdef ENABLE_PUSH_PEER_INFO - bool push_peer_info; + int push_peer_info_detail; #endif int transition_window; int handshake_window; diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 1006617..79cc056 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -217,8 +217,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) ASSERT(NULL != ctx); // Translate IANA cipher suite names to OpenSSL names - for (begin_of_cipher = 0; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher+1) { - end_of_cipher = strcspn(&ciphers[begin_of_cipher], ":"); + begin_of_cipher = end_of_cipher = 0; + for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { + end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); if (NULL == cipher_pair) @@ -257,6 +258,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) openssl_ciphers_len += current_cipher_len; openssl_ciphers[openssl_ciphers_len] = ':'; openssl_ciphers_len++; + + end_of_cipher++; } if (openssl_ciphers_len > 0) diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 2db96a8..178e2c3 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -879,7 +879,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i start_info.dwFlags = STARTF_USESHOWWINDOW; start_info.wShowWindow = SW_HIDE; - if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info)) + /* this allows console programs to run, and is ignored otherwise */ + DWORD proc_flags = CREATE_NO_WINDOW; + + if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info)) { DWORD exit_status = 0; CloseHandle (proc_info.hThread); |