summaryrefslogtreecommitdiff
path: root/src/openvpnserv/validate.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openvpnserv/validate.c')
-rw-r--r--src/openvpnserv/validate.c124
1 files changed, 67 insertions, 57 deletions
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 7458d75..c9c3855 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -29,41 +29,41 @@
#include <lm.h>
static const WCHAR *white_list[] =
- {
- L"auth-retry",
- L"config",
- L"log",
- L"log-append",
- L"management",
- L"management-forget-disconnect",
- L"management-hold",
- L"management-query-passwords",
- L"management-query-proxy",
- L"management-signal",
- L"management-up-down",
- L"mute",
- L"setenv",
- L"service",
- L"verb",
-
- NULL /* last value */
- };
+{
+ L"auth-retry",
+ L"config",
+ L"log",
+ L"log-append",
+ L"management",
+ L"management-forget-disconnect",
+ L"management-hold",
+ L"management-query-passwords",
+ L"management-query-proxy",
+ L"management-signal",
+ L"management-up-down",
+ L"mute",
+ L"setenv",
+ L"service",
+ L"verb",
+
+ NULL /* last value */
+};
/*
* Check workdir\fname is inside config_dir
* The logic here is simple: we may reject some valid paths if ..\ is in any of the strings
*/
static BOOL
-CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
+CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
{
WCHAR tmp[MAX_PATH];
const WCHAR *config_file = NULL;
const WCHAR *config_dir = NULL;
/* convert fname to full path */
- if (PathIsRelativeW (fname) )
+ if (PathIsRelativeW(fname) )
{
- snwprintf (tmp, _countof(tmp), L"%s\\%s", workdir, fname);
+ snwprintf(tmp, _countof(tmp), L"%s\\%s", workdir, fname);
tmp[_countof(tmp)-1] = L'\0';
config_file = tmp;
}
@@ -75,17 +75,19 @@ CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
#ifdef UNICODE
config_dir = s->config_dir;
#else
- if (MultiByteToWideChar (CP_UTF8, 0, s->config_dir, -1, widepath, MAX_PATH) == 0)
+ if (MultiByteToWideChar(CP_UTF8, 0, s->config_dir, -1, widepath, MAX_PATH) == 0)
{
- MsgToEventLog (M_SYSERR, TEXT("Failed to convert config_dir name to WideChar"));
+ MsgToEventLog(M_SYSERR, TEXT("Failed to convert config_dir name to WideChar"));
return FALSE;
}
config_dir = widepath;
#endif
- if (wcsncmp (config_dir, config_file, wcslen(config_dir)) == 0 &&
- wcsstr (config_file + wcslen(config_dir), L"..") == NULL )
+ if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0
+ && wcsstr(config_file + wcslen(config_dir), L"..") == NULL)
+ {
return TRUE;
+ }
return FALSE;
}
@@ -96,14 +98,16 @@ CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
* Returns index to the item if found, -1 otherwise.
*/
static int
-OptionLookup (const WCHAR *name, const WCHAR *white_list[])
+OptionLookup(const WCHAR *name, const WCHAR *white_list[])
{
int i;
- for (i = 0 ; white_list[i]; i++)
+ for (i = 0; white_list[i]; i++)
{
- if ( wcscmp(white_list[i], name) == 0 )
+ if (wcscmp(white_list[i], name) == 0)
+ {
return i;
+ }
}
return -1;
@@ -114,7 +118,7 @@ OptionLookup (const WCHAR *name, const WCHAR *white_list[])
* Get the local name of the group using the SID.
*/
static BOOL
-GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
+GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
{
BOOL b = FALSE;
PSID admin_sid = NULL;
@@ -126,15 +130,17 @@ GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
admin_sid = malloc(sid_size);
if (!admin_sid)
+ {
return FALSE;
+ }
b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
- if(b)
+ if (b)
{
b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
}
- free (admin_sid);
+ free(admin_sid);
return b;
}
@@ -144,7 +150,7 @@ GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
* the group specified in s->ovpn_admin_group
*/
BOOL
-IsAuthorizedUser (SID *sid, settings_t *s)
+IsAuthorizedUser(SID *sid, settings_t *s)
{
LOCALGROUP_USERS_INFO_0 *groups = NULL;
DWORD nread;
@@ -160,19 +166,19 @@ IsAuthorizedUser (SID *sid, settings_t *s)
SID_NAME_USE sid_type;
/* Get username */
- if (!LookupAccountSidW (NULL, sid, username, &len, domain, &len, &sid_type))
+ if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type))
{
- MsgToEventLog (M_SYSERR, TEXT("LookupAccountSid"));
+ MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid"));
goto out;
}
/* Get an array of groups the user is member of */
- err = NetUserGetLocalGroups (NULL, username, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &groups,
- MAX_PREFERRED_LENGTH, &nread, &nmax);
+ err = NetUserGetLocalGroups(NULL, username, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &groups,
+ MAX_PREFERRED_LENGTH, &nread, &nmax);
if (err && err != ERROR_MORE_DATA)
{
- SetLastError (err);
- MsgToEventLog (M_SYSERR, TEXT("NetUserGetLocalGroups"));
+ SetLastError(err);
+ MsgToEventLog(M_SYSERR, TEXT("NetUserGetLocalGroups"));
goto out;
}
@@ -182,7 +188,7 @@ IsAuthorizedUser (SID *sid, settings_t *s)
}
else
{
- MsgToEventLog (M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default."));
+ MsgToEventLog(M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default."));
/* use the default value */
admin_group[0] = SYSTEM_ADMIN_GROUP;
}
@@ -191,25 +197,25 @@ IsAuthorizedUser (SID *sid, settings_t *s)
admin_group[1] = s->ovpn_admin_group;
#else
tmp = NULL;
- len = MultiByteToWideChar (CP_UTF8, 0, s->ovpn_admin_group, -1, NULL, 0);
- if (len == 0 || (tmp = malloc (len*sizeof(WCHAR))) == NULL)
+ len = MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, NULL, 0);
+ if (len == 0 || (tmp = malloc(len*sizeof(WCHAR))) == NULL)
{
- MsgToEventLog (M_SYSERR, TEXT("Failed to convert admin group name to WideChar"));
+ MsgToEventLog(M_SYSERR, TEXT("Failed to convert admin group name to WideChar"));
goto out;
}
- MultiByteToWideChar (CP_UTF8, 0, s->ovpn_admin_group, -1, tmp, len);
+ MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, tmp, len);
admin_group[1] = tmp;
#endif
/* Check if user's groups include any of the admin groups */
for (i = 0; i < nread; i++)
{
- if ( wcscmp (groups[i].lgrui0_name, admin_group[0]) == 0 ||
- wcscmp (groups[i].lgrui0_name, admin_group[1]) == 0
- )
+ if (wcscmp(groups[i].lgrui0_name, admin_group[0]) == 0
+ || wcscmp(groups[i].lgrui0_name, admin_group[1]) == 0
+ )
{
- MsgToEventLog (M_INFO, TEXT("Authorizing user %s by virtue of membership in group %s"),
- username, groups[i].lgrui0_name);
+ MsgToEventLog(M_INFO, TEXT("Authorizing user %s by virtue of membership in group %s"),
+ username, groups[i].lgrui0_name);
ret = TRUE;
break;
}
@@ -217,8 +223,10 @@ IsAuthorizedUser (SID *sid, settings_t *s)
out:
if (groups)
- NetApiBufferFree (groups);
- free (tmp);
+ {
+ NetApiBufferFree(groups);
+ }
+ free(tmp);
return ret;
}
@@ -229,21 +237,23 @@ out:
* The caller should set argc to the number of valid elements in argv[] array.
*/
BOOL
-CheckOption (const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
+CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
{
/* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
- if ( wcscmp (argv[0], L"--config") == 0 &&
- argc > 1 &&
- !CheckConfigPath (workdir, argv[1], s)
- )
+ if (wcscmp(argv[0], L"--config") == 0
+ && argc > 1
+ && !CheckConfigPath(workdir, argv[1], s)
+ )
{
return FALSE;
}
/* option name starts at 2 characters from argv[i] */
- if (OptionLookup (argv[0] + 2, white_list) == -1) /* not found */
+ if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
+ {
return FALSE;
+ }
return TRUE;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-10 07:33:21 +0000