diff options
Diffstat (limited to 'src/openvpn/options.c')
| -rw-r--r-- | src/openvpn/options.c | 192 |
1 files changed, 84 insertions, 108 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8dee5d1..f951814 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5,7 +5,7 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net> * * This program is free software; you can redistribute it and/or modify @@ -600,6 +600,8 @@ static const char usage_message[] = #endif "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" " : Use --show-tls to see a list of supported TLS ciphers.\n" + "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" + " (default=legacy).\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" @@ -705,8 +707,7 @@ static const char usage_message[] = " which allow multiple addresses,\n" " --dhcp-option must be repeated.\n" " DOMAIN name : Set DNS suffix\n" - " DNS addr : Set domain name server address(es) (IPv4)\n" - " DNS6 addr : Set domain name server address(es) (IPv6)\n" + " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" " WINS addr : Set WINS server address(es)\n" @@ -874,6 +875,7 @@ init_options(struct options *o, const bool init_gc) o->renegotiate_seconds = 3600; o->handshake_window = 60; o->transition_window = 3600; + o->tls_cert_profile = NULL; o->ecdh_curve = NULL; #ifdef ENABLE_X509ALTUSERNAME o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; @@ -1029,67 +1031,6 @@ get_ip_addr(const char *ip_string, int msglevel, bool *error) return ret; } -/* helper: parse a text string containing an IPv6 address + netbits - * in "standard format" (2001:dba::/32) - * "/nn" is optional, default to /64 if missing - * - * return true if parsing succeeded, modify *network and *netbits - */ -bool -get_ipv6_addr( const char *prefix_str, struct in6_addr *network, - unsigned int *netbits, int msglevel) -{ - char *sep, *endp; - int bits; - struct in6_addr t_network; - - sep = strchr( prefix_str, '/' ); - if (sep == NULL) - { - bits = 64; - } - else - { - bits = strtol( sep+1, &endp, 10 ); - if (*endp != '\0' || bits < 0 || bits > 128) - { - msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str); - return false; - } - } - - /* temporary replace '/' in caller-provided string with '\0', otherwise - * inet_pton() will refuse prefix string - * (alternative would be to strncpy() the prefix to temporary buffer) - */ - - if (sep != NULL) - { - *sep = '\0'; - } - - if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1) - { - msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str); - return false; - } - - if (sep != NULL) - { - *sep = '/'; - } - - if (netbits != NULL) - { - *netbits = bits; - } - if (network != NULL) - { - *network = t_network; - } - return true; /* parsing OK, values set */ -} - /** * Returns newly allocated string containing address part without "/nn". * @@ -1232,6 +1173,20 @@ show_tuntap_options(const struct tuntap_options *o) #if defined(_WIN32) || defined(TARGET_ANDROID) static void +dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel) +{ + struct in6_addr addr; + if (*len >= N_DHCP_ADDR) + { + msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified", + N_DHCP_ADDR); + } + else if (get_ipv6_addr(parm, &addr, NULL, msglevel)) + { + dns6_list[(*len)++] = addr; + } +} +static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel) { if (*len >= N_DHCP_ADDR) @@ -1700,7 +1655,7 @@ show_settings(const struct options *o) #ifdef ENABLE_CRYPTO SHOW_STR(shared_secret_file); - SHOW_INT(key_direction); + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s"); SHOW_STR(ciphername); SHOW_BOOL(ncp_enabled); SHOW_STR(ncp_ciphers); @@ -1753,6 +1708,8 @@ show_settings(const struct options *o) SHOW_STR(cryptoapi_cert); #endif SHOW_STR(cipher_list); + SHOW_STR(cipher_list_tls13); + SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); @@ -2172,6 +2129,15 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (options->management_addr + && !(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /* @@ -2539,6 +2505,18 @@ options_postprocess_verify_ce(const struct options *options, const struct connec "in the configuration file, which is the recommended approach."); } + const int tls_version_max = + (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) + & SSLF_TLS_VERSION_MAX_MASK; + const int tls_version_min = + (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) + & SSLF_TLS_VERSION_MIN_MASK; + + if (tls_version_max > 0 && tls_version_max < tls_version_min) + { + msg(M_USAGE, "--tls-version-min bigger than --tls-version-max"); + } + if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11 @@ -2745,6 +2723,8 @@ options_postprocess_verify_ce(const struct options *options, const struct connec MUST_BE_UNDEF(pkcs12_file); #endif MUST_BE_UNDEF(cipher_list); + MUST_BE_UNDEF(cipher_list_tls13); + MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); @@ -3052,24 +3032,6 @@ options_postprocess_mutate(struct options *o) } #endif -#ifdef ENABLE_CRYPTOAPI - if (o->cryptoapi_cert) - { - const int tls_version_max = - (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) - &SSLF_TLS_VERSION_MAX_MASK; - - if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1) - { - msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS " - "version to 1.1."); - o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK - <<SSLF_TLS_VERSION_MAX_SHIFT); - o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT); - } - } -#endif /* ENABLE_CRYPTOAPI */ - #if P2MP /* * Save certain parms before modifying options via --pull @@ -3477,7 +3439,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) struct key_type fake_kt; init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, false); - frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead())); + frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, @@ -3624,7 +3586,7 @@ options_string(const struct options *o, * Key direction */ { - const char *kd = keydirection2ascii(o->key_direction, remote); + const char *kd = keydirection2ascii(o->key_direction, remote, false); if (kd) { buf_printf(&out, ",keydir %s", kd); @@ -3766,11 +3728,15 @@ options_warning_safe_scan2(const int msglevel, const char *b1_name, const char *b2_name) { - /* we will stop sending 'proto xxx' in OCC in a future version - * (because it's not useful), and to reduce questions when - * interoperating, we start not-printing a warning about it today + /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in + * OCC in a future version (because it's not useful). To reduce questions + * when interoperating, we no longer printing a warning about it. */ - if (strncmp(p1, "proto ", 6) == 0) + if (strprefix(p1, "key-method ") + || strprefix(p1, "keydir ") + || strprefix(p1, "proto ") + || strprefix(p1, "tls-auth ") + || strprefix(p1, "tun-ipv6")) { return; } @@ -4171,7 +4137,7 @@ usage_version(void) show_windows_version( M_INFO|M_NOPREFIX ); #endif msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); - msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>"); + msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>"); #ifndef ENABLE_SMALL #ifdef CONFIGURE_DEFINES msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); @@ -4586,7 +4552,7 @@ read_config_file(struct options *options, ++line_num; if (strlen(line) == OPTION_LINE_SIZE) { - msg(msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s", + msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s", file, line_num, OPTION_LINE_SIZE, line); } @@ -4845,11 +4811,13 @@ verify_permission(const char *name, #ifndef ENABLE_SMALL /* Check if this options is allowed in connection block, * but we are currently not in a connection block + * unless this is a pushed option. * Parsing a connection block uses a temporary options struct without * connection_list */ - if ((type & OPT_P_CONNECTION) && options->connection_list) + if ((type & OPT_P_CONNECTION) && options->connection_list + && !(allowed & OPT_P_PULL_MODE)) { if (file) { @@ -5252,8 +5220,10 @@ add_option(struct options *options, } else if (streq(p[0], "tun-ipv6") && !p[1]) { - VERIFY_PERMISSION(OPT_P_UP); - msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); + if (!pull_mode) + { + msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); + } } #ifdef ENABLE_IPROUTE else if (streq(p[0], "iproute") && p[1] && !p[2]) @@ -5902,7 +5872,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_port = p[1]; } - else if (streq(p[0], "bind") && !p[1]) + else if (streq(p[0], "bind") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_defined = true; @@ -7138,6 +7108,7 @@ add_option(struct options *options, { struct tuntap_options *o = &options->tuntap_options; VERIFY_PERMISSION(OPT_P_IPWIN32); + bool ipv6dns = false; if (streq(p[1], "DOMAIN") && p[2]) { @@ -7158,22 +7129,17 @@ add_option(struct options *options, } o->netbios_node_type = t; } - else if (streq(p[1], "DNS") && p[2]) - { - dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel); - } - else if (streq(p[1], "DNS6") && p[2] && ipv6_addr_safe(p[2])) + else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && (!strstr(p[2], ":") || ipv6_addr_safe(p[2]))) { - struct in6_addr addr; - foreign_option(options, p, 3, es); - if (o->dns6_len >= N_DHCP_ADDR) + if (strstr(p[2], ":")) { - msg(msglevel, "--dhcp-option DNS6: maximum of %d dns servers can be specified", - N_DHCP_ADDR); + ipv6dns=true; + foreign_option(options, p, 3, es); + dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel); } - else if (get_ipv6_addr(p[2], &addr, NULL, msglevel)) + else { - o->dns6[o->dns6_len++] = addr; + dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel); } } else if (streq(p[1], "WINS") && p[2]) @@ -7201,7 +7167,7 @@ add_option(struct options *options, /* flag that we have options to give to the TAP driver's DHCPv4 server * - skipped for "DNS6", as that's not a DHCPv4 option */ - if (!streq(p[1], "DNS6")) + if (!ipv6dns) { o->dhcp_options = true; } @@ -7848,6 +7814,16 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->cipher_list = p[1]; } + else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->tls_cert_profile = p[1]; + } + else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->cipher_list_tls13 = p[1]; + } else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { |