From 4ee98f284a93c3b855092d35ac21371d9dcad65b Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Wed, 24 Feb 2021 19:54:12 +0100 Subject: New upstream version 2.5.1 --- src/openvpn/options.c | 100 +++++++++++++++++++++++++------------------------- 1 file changed, 49 insertions(+), 51 deletions(-) (limited to 'src/openvpn/options.c') diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 658ca53..0d99e99 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1982,6 +1982,23 @@ connection_entry_load_re(struct connection_entry *ce, const struct remote_entry } } +static void +connection_entry_preload_key(const char **key_file, bool *key_inline, + struct gc_arena *gc) +{ + if (key_file && *key_file && !(*key_inline)) + { + struct buffer in = buffer_read_from_file(*key_file, gc); + if (!buf_valid(&in)) + { + msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file); + } + + *key_file = (const char *) in.data; + *key_inline = true; + } +} + static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) @@ -2933,36 +2950,17 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* pre-cache tls-auth/crypt key file if persist-key was specified and keys - * were not already embedded in the config file + /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + * keys were not already embedded in the config file. */ if (o->persist_key) { - if (ce->tls_auth_file && !ce->tls_auth_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", - ce->tls_auth_file); - } - - ce->tls_auth_file = (char *)in.data; - ce->tls_auth_file_inline = true; - } - - if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", - ce->tls_crypt_file); - } - - ce->tls_crypt_file = (char *)in.data; - ce->tls_crypt_file_inline = true; - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); } } @@ -3966,7 +3964,7 @@ options_warning_safe_scan2(const int msglevel, if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ") - || strprefix(p1, "tls-auth ") + || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher ")) { @@ -4661,7 +4659,8 @@ in_src_get(const struct in_src *is, char *line, const int size) } static char * -read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) +read_inline_file(struct in_src *is, const char *close_tag, + int *num_lines, struct gc_arena *gc) { char line[OPTION_LINE_SIZE]; struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE); @@ -4670,6 +4669,7 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) while (in_src_get(is, line, sizeof(line))) { + (*num_lines)++; char *line_ptr = line; /* Remove leading spaces */ while (isspace(*line_ptr)) @@ -4703,10 +4703,10 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) return ret; } -static bool +static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc) { - bool is_inline = false; + int num_inline_lines = 0; if (p[0] && !p[1]) { @@ -4719,16 +4719,15 @@ check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc) p[0] = string_alloc(arg + 1, gc); close_tag = alloc_buf(strlen(p[0]) + 4); buf_printf(&close_tag, "", p[0]); - p[1] = read_inline_file(is, BSTR(&close_tag), gc); + p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc); p[2] = NULL; free_buf(&close_tag); - is_inline = true; } } - return is_inline; + return num_inline_lines; } -static bool +static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc) { struct in_src is; @@ -4737,7 +4736,7 @@ check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc) return check_inline_file(&is, p, gc); } -static bool +static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc) { @@ -4808,13 +4807,12 @@ read_config_file(struct options *options, } if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) { - bool is_inline; - bypass_doubledash(&p[0]); - is_inline = check_inline_file_via_fp(fp, p, &options->gc); - add_option(options, p, is_inline, file, line_num, level, + int lines_inline = check_inline_file_via_fp(fp, p, &options->gc); + add_option(options, p, lines_inline, file, line_num, level, msglevel, permission_mask, option_types_found, es); + line_num += lines_inline; } } if (fp != stdin) @@ -4857,12 +4855,11 @@ read_config_string(const char *prefix, ++line_num; if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc)) { - bool is_inline; - bypass_doubledash(&p[0]); - is_inline = check_inline_file_via_buf(&multiline, p, &options->gc); - add_option(options, p, is_inline, prefix, line_num, 0, msglevel, + int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc); + add_option(options, p, lines_inline, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es); + line_num += lines_inline; } CLEAR(p); } @@ -5311,13 +5308,14 @@ add_option(struct options *options, } if (good) { -#if 0 - /* removed for now since ECHO can potentially include - * security-sensitive strings */ - msg(M_INFO, "%s:%s", - pull_mode ? "ECHO-PULL" : "ECHO", - BSTR(&string)); -#endif + /* only message-related ECHO are logged, since other ECHOs + * can potentially include security-sensitive strings */ + if (strncmp(p[1], "msg", 3) == 0) + { + msg(M_INFO, "%s:%s", + pull_mode ? "ECHO-PULL" : "ECHO", + BSTR(&string)); + } #ifdef ENABLE_MANAGEMENT if (management) { -- cgit v1.2.3