diff options
| -rw-r--r-- | openvpn/src/openvpn/common.h | 2 | ||||
| -rw-r--r-- | openvpn/src/openvpn/init.c | 23 | ||||
| -rw-r--r-- | openvpn/src/openvpn/manage.c | 30 | ||||
| -rw-r--r-- | openvpn/src/openvpn/multi.c | 52 | ||||
| -rw-r--r-- | openvpn/src/openvpn/multi.h | 3 | ||||
| -rw-r--r-- | openvpn/src/openvpn/options.c | 95 | ||||
| -rw-r--r-- | openvpn/src/openvpn/options.h | 1 | ||||
| -rw-r--r-- | openvpn/src/openvpn/socket.c | 11 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl.c | 61 | ||||
| -rw-r--r-- | openvpn/src/openvpn/ssl_common.h | 10 | 
10 files changed, 169 insertions, 119 deletions
| diff --git a/openvpn/src/openvpn/common.h b/openvpn/src/openvpn/common.h index dd2c83f4..2f85bec2 100644 --- a/openvpn/src/openvpn/common.h +++ b/openvpn/src/openvpn/common.h @@ -100,6 +100,6 @@ typedef unsigned long ptr_type;  /*   * Script security warning   */ -#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled.  Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.  See --help text or man page for detailed info." +#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info."  #endif diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c index 335ebab1..f130cdfd 100644 --- a/openvpn/src/openvpn/init.c +++ b/openvpn/src/openvpn/init.c @@ -2221,7 +2221,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)    to.renegotiate_seconds = options->renegotiate_seconds;    to.single_session = options->single_session;  #ifdef ENABLE_PUSH_PEER_INFO -  to.push_peer_info = options->push_peer_info; +  if (options->push_peer_info)		/* all there is */ +    to.push_peer_info_detail = 2; +  else if (options->pull)		/* pull clients send some details */ +    to.push_peer_info_detail = 1; +  else					/* default: no peer-info at all */ +    to.push_peer_info_detail = 0;  #endif    /* should we not xmit any packets until we get an initial @@ -2545,12 +2550,16 @@ do_option_warnings (struct context *c)      msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");  #endif -  if (script_security >= SSEC_SCRIPTS) -    msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); -  else if (script_security >= SSEC_PW_ENV) -    msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); -  else -    msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"); +  /* If a script is used, print appropiate warnings */ +  if (o->user_script_used) +   { +     if (script_security >= SSEC_SCRIPTS) +       msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); +     else if (script_security >= SSEC_PW_ENV) +       msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); +     else +       msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables"); +   }  }  static void diff --git a/openvpn/src/openvpn/manage.c b/openvpn/src/openvpn/manage.c index 4e96d07f..23e76527 100644 --- a/openvpn/src/openvpn/manage.c +++ b/openvpn/src/openvpn/manage.c @@ -2458,33 +2458,6 @@ management_notify_generic (struct management *man, const char *str)  #ifdef MANAGEMENT_DEF_AUTH -static bool -validate_peer_info_line(const char *line) -{ -  uint8_t c; -  int state = 0; -  while ((c=*line++)) -    { -      switch (state) -	{ -	case 0: -	case 1: -	  if (c == '=' && state == 1) -	    state = 2; -	  else if (isalnum(c) || c == '_') -	    state = 1; -	  else -	    return false; -	case 2: -	  if (isprint(c)) -	    ; -	  else -	    return false; -	} -    } -  return (state == 2); -} -  static void  man_output_peer_info_env (struct management *man, struct man_def_auth_context *mdac)  { @@ -2523,7 +2496,8 @@ management_notify_client_needing_auth (struct management *management,  	mode = "REAUTH";        msg (M_CLIENT, ">CLIENT:%s,%lu,%u", mode, mdac->cid, mda_key_id);        man_output_extra_env (management, "CLIENT"); -      man_output_peer_info_env(management, mdac); +      if (management->connection.env_filter_level>0) +        man_output_peer_info_env(management, mdac);        man_output_env (es, true, management->connection.env_filter_level, "CLIENT");        mdac->flags |= DAF_INITIAL_AUTH;      } diff --git a/openvpn/src/openvpn/multi.c b/openvpn/src/openvpn/multi.c index f016b149..50f398dd 100644 --- a/openvpn/src/openvpn/multi.c +++ b/openvpn/src/openvpn/multi.c @@ -1562,6 +1562,58 @@ multi_client_connect_mda (struct multi_context *m,  #endif +/* helper to parse peer_info received from multi client, validate + * (this is untrusted data) and put into environment + */ +bool +validate_peer_info_line(char *line) +{ +  uint8_t c; +  int state = 0; +  while (*line) +    { +      c = *line; +      switch (state) +	{ +	case 0: +	case 1: +	  if (c == '=' && state == 1) +	    state = 2; +	  else if (isalnum(c) || c == '_') +	    state = 1; +	  else +	    return false; +	case 2: +	  /* after the '=', replace non-printable or shell meta with '_' */ +	  if (!isprint(c) || isspace(c) || +	       c == '$' || c == '(' || c == '`' ) +	    *line = '_'; +	} +      line++; +    } +  return (state == 2); +} + +void +multi_output_peer_info_env (struct env_set *es, const char * peer_info) +{ +  char line[256]; +  struct buffer buf; +  buf_set_read (&buf, (const uint8_t *) peer_info, strlen(peer_info)); +  while (buf_parse (&buf, '\n', line, sizeof (line))) +    { +      chomp (line); +      if (validate_peer_info_line(line) && +            (strncmp(line, "IV_", 3) == 0 || strncmp(line, "UV_", 3) == 0) ) +	{ +	  msg (M_INFO, "peer info: %s", line); +	  env_set_add(es, line); +	} +      else +	msg (M_WARN, "validation failed on peer_info line received from client"); +    } +} +  static void  multi_client_connect_setenv (struct multi_context *m,  			     struct multi_instance *mi) diff --git a/openvpn/src/openvpn/multi.h b/openvpn/src/openvpn/multi.h index fc2ffb24..7b97b0d2 100644 --- a/openvpn/src/openvpn/multi.h +++ b/openvpn/src/openvpn/multi.h @@ -312,6 +312,9 @@ void multi_close_instance_on_signal (struct multi_context *m, struct multi_insta  void init_management_callback_multi (struct multi_context *m);  void uninit_management_callback_multi (struct multi_context *m); +bool validate_peer_info_line(char *line); +void multi_output_peer_info_env (struct env_set *es, const char * peer_info); +  /*   * Return true if our output queue is not full   */ diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 37909ca9..f74ad8ef 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -2714,28 +2714,6 @@ options_postprocess_filechecks (struct options *options)    errs |= check_file_access (CHKACC_FILE, options->tmp_dir,                               R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); -  /* ** Script hooks that accept an optionally quoted and/or escaped executable path, ** */ -  /* ** optionally followed by arguments ** */ -  errs |= check_cmd_access (options->auth_user_pass_verify_script, -                            "--auth-user-pass-verify script"); -  errs |= check_cmd_access (options->client_connect_script, -                            "--client-connect script"); -  errs |= check_cmd_access (options->client_disconnect_script, -                            "--client-disconnect script"); -  errs |= check_cmd_access (options->tls_verify, -                            "--tls-verify script"); -  errs |= check_cmd_access (options->up_script, -                            "--up script"); -  errs |= check_cmd_access (options->down_script, -                            "--down script"); -  errs |= check_cmd_access (options->ipchange, -                            "--ipchange script"); -  errs |= check_cmd_access (options->route_script, -                            "--route-up script"); -  errs |= check_cmd_access (options->route_predown_script, -                            "--route-pre-down script"); -  errs |= check_cmd_access (options->learn_address_script, -                            "--learn-address script");  #endif /* P2MP_SERVER */    if (errs) @@ -3995,11 +3973,28 @@ msglevel_forward_compatible (struct options *options, const int msglevel)  }  static void -warn_multiple_script (const char *script, const char *type) { -      if (script) { -	msg (M_WARN, "Multiple --%s scripts defined.  " -	     "The previously configured script is overridden.", type); -      } +set_user_script (struct options *options, +		 const char **script, +		 const char *new_script, +		 const char *type) +{ +  if (*script) { +    msg (M_WARN, "Multiple --%s scripts defined.  " +	 "The previously configured script is overridden.", type); +  } +  *script = new_script; +  options->user_script_used = true; + +#ifndef ENABLE_SMALL +  { +    char script_name[100]; +    openvpn_snprintf (script_name, sizeof(script_name), +                      "--%s script", type); + +    if (check_cmd_access (*script, script_name)) +      msg (M_USAGE, "Please correct this error."); +  } +#endif  } @@ -4442,8 +4437,10 @@ add_option (struct options *options,        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->ipchange, "ipchange"); -      options->ipchange = string_substitute (p[1], ',', ' ', &options->gc); +      set_user_script (options, +		       &options->ipchange, +		       string_substitute (p[1], ',', ' ', &options->gc), +		       "ipchange");      }    else if (streq (p[0], "float"))      { @@ -4489,16 +4486,14 @@ add_option (struct options *options,        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->up_script, "up"); -      options->up_script = p[1]; +      set_user_script (options, &options->up_script, p[1], "up");      }    else if (streq (p[0], "down") && p[1])      {        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->down_script, "down"); -      options->down_script = p[1]; +      set_user_script (options, &options->down_script, p[1], "down");      }    else if (streq (p[0], "down-pre"))      { @@ -4995,8 +4990,7 @@ add_option (struct options *options,  #ifdef ENABLE_OCC    else if (streq (p[0], "explicit-exit-notify"))      { -      VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); -/*      VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY); */ +      VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);        if (p[1])  	{  	  options->ce.explicit_exit_notification = positive_atoi (p[1]); @@ -5144,16 +5138,17 @@ add_option (struct options *options,        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->route_script, "route-up"); -      options->route_script = p[1]; +      set_user_script (options, &options->route_script, p[1], "route-up");      }    else if (streq (p[0], "route-pre-down") && p[1])      {        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->route_predown_script, "route-pre-down"); -      options->route_predown_script = p[1]; +      set_user_script (options, +		       &options->route_predown_script, +		       p[1], +		       "route-pre-down");      }    else if (streq (p[0], "route-noexec"))      { @@ -5520,32 +5515,33 @@ add_option (struct options *options,  	  msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");  	  goto err;  	} -      warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify"); -      options->auth_user_pass_verify_script = p[1]; +      set_user_script (options, +		       &options->auth_user_pass_verify_script, +		       p[1], "auth-user-pass-verify");      }    else if (streq (p[0], "client-connect") && p[1])      {        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->client_connect_script, "client-connect"); -      options->client_connect_script = p[1]; +      set_user_script (options, &options->client_connect_script, +		       p[1], "client-connect");      }    else if (streq (p[0], "client-disconnect") && p[1])      {        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->client_disconnect_script, "client-disconnect"); -      options->client_disconnect_script = p[1]; +      set_user_script (options, &options->client_disconnect_script, +		       p[1], "client-disconnect");      }    else if (streq (p[0], "learn-address") && p[1])      {        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->learn_address_script, "learn-address"); -      options->learn_address_script = p[1]; +      set_user_script (options, &options->learn_address_script, +		       p[1], "learn-address");      }    else if (streq (p[0], "tmp-dir") && p[1])      { @@ -6481,8 +6477,9 @@ add_option (struct options *options,        VERIFY_PERMISSION (OPT_P_SCRIPT);        if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))  	goto err; -      warn_multiple_script (options->tls_verify, "tls-verify"); -      options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc); +      set_user_script (options, &options->tls_verify, +		       string_substitute (p[1], ',', ' ', &options->gc), +		       "tls-verify");      }  #ifndef ENABLE_CRYPTO_POLARSSL    else if (streq (p[0], "tls-export-cert") && p[1]) diff --git a/openvpn/src/openvpn/options.h b/openvpn/src/openvpn/options.h index 56359357..cc92da32 100644 --- a/openvpn/src/openvpn/options.h +++ b/openvpn/src/openvpn/options.h @@ -289,6 +289,7 @@ struct options    const char *writepid;    const char *up_script;    const char *down_script; +  bool user_script_used;    bool down_pre;    bool up_delay;    bool up_restart; diff --git a/openvpn/src/openvpn/socket.c b/openvpn/src/openvpn/socket.c index 548ea72c..115caaac 100644 --- a/openvpn/src/openvpn/socket.c +++ b/openvpn/src/openvpn/socket.c @@ -2819,6 +2819,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,    struct iovec iov;    struct msghdr mesg;    struct cmsghdr *cmsg; +  union openvpn_pktinfo opi;    iov.iov_base = BPTR (buf);    iov.iov_len = BLEN (buf); @@ -2828,11 +2829,10 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,      {      case AF_INET:        { -        struct openvpn_in4_pktinfo msgpi4;          mesg.msg_name = &to->dest.addr.sa;          mesg.msg_namelen = sizeof (struct sockaddr_in); -        mesg.msg_control = &msgpi4; -        mesg.msg_controllen = sizeof msgpi4; +        mesg.msg_control = &opi; +        mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);          mesg.msg_flags = 0;          cmsg = CMSG_FIRSTHDR (&mesg);          cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo); @@ -2857,12 +2857,11 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,        }      case AF_INET6:        { -        struct openvpn_in6_pktinfo msgpi6;          struct in6_pktinfo *pkti6;          mesg.msg_name = &to->dest.addr.sa;          mesg.msg_namelen = sizeof (struct sockaddr_in6); -        mesg.msg_control = &msgpi6; -        mesg.msg_controllen = sizeof msgpi6; +        mesg.msg_control = &opi; +        mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo);          mesg.msg_flags = 0;          cmsg = CMSG_FIRSTHDR (&mesg);          cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo); diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c index 9ca409f1..f2b04488 100644 --- a/openvpn/src/openvpn/ssl.c +++ b/openvpn/src/openvpn/ssl.c @@ -67,6 +67,7 @@  #include "ssl.h"  #include "ssl_verify.h"  #include "ssl_backend.h" +#include "multi.h"  #include "memdbg.h" @@ -1106,6 +1107,8 @@ tls_multi_free (struct tls_multi *multi, bool clear)  #ifdef MANAGEMENT_DEF_AUTH    man_def_auth_set_client_reason(multi, NULL);   +#endif +#if P2MP_SERVER    free (multi->peer_info);  #endif @@ -1775,7 +1778,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)    bool ret = false;  #ifdef ENABLE_PUSH_PEER_INFO -  if (session->opt->push_peer_info) /* write peer info */ +  if (session->opt->push_peer_info_detail > 0)      {        struct env_set *es = session->opt->es;        struct env_item *e; @@ -1803,25 +1806,28 @@ push_peer_info(struct buffer *buf, struct tls_session *session)        buf_printf (&out, "IV_PLAT=win\n");  #endif -      /* push mac addr */ -      { -	struct route_gateway_info rgi; -	get_default_gateway (&rgi); -	if (rgi.flags & RGI_HWADDR_DEFINED) -	  buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); -      } -        /* push compression status */  #ifdef USE_COMP        comp_generate_peer_info_string(&session->opt->comp_options, &out);  #endif -      /* push env vars that begin with UV_ */ +      if (session->opt->push_peer_info_detail >= 2) +        { +	  /* push mac addr */ +	  struct route_gateway_info rgi; +	  get_default_gateway (&rgi); +	  if (rgi.flags & RGI_HWADDR_DEFINED) +	    buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); +        } + +      /* push env vars that begin with UV_ and IV_OPENVPN_GUI_VERSION*/        for (e=es->list; e != NULL; e=e->next)  	{  	  if (e->string)  	    { -	      if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1)) +	      if (((strncmp(e->string, "UV_", 3)==0 && session->opt->push_peer_info_detail >= 2) +		   || (strncmp(e->string,"IV_OPENVPN_GUI_VERSION=",sizeof("IV_OPENVPN_GUI_VERSION=")-1)==0)) +		  && buf_safe(&out, strlen(e->string)+1))  		buf_printf (&out, "%s\n", e->string);  	    }  	} @@ -1996,6 +2002,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi    struct gc_arena gc = gc_new ();    char *options; +  struct user_pass *up;    /* allocate temporary objects */    ALLOC_ARRAY_CLEAR_GC (options, char, TLS_OPTIONS_LEN, &gc); @@ -2031,15 +2038,25 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi    ks->authenticated = false; +  /* always extract username + password fields from buf, even if not +   * authenticating for it, because otherwise we can't get at the +   * peer_info data which follows behind +   */ +  ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc); +  username_status = read_string (buf, up->username, USER_PASS_LEN); +  password_status = read_string (buf, up->password, USER_PASS_LEN); + +#if P2MP_SERVER +  /* get peer info from control channel */ +  free (multi->peer_info); +  multi->peer_info = read_string_alloc (buf); +  if ( multi->peer_info ) +      multi_output_peer_info_env (session->opt->es, multi->peer_info); +#endif +    if (verify_user_pass_enabled(session))      {        /* Perform username/password authentication */ -      struct user_pass *up; - -      ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc); -      username_status = read_string (buf, up->username, USER_PASS_LEN); -      password_status = read_string (buf, up->password, USER_PASS_LEN); -        if (!username_status || !password_status)  	{  	  CLEAR (*up); @@ -2050,14 +2067,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi  	    }  	} -#ifdef MANAGEMENT_DEF_AUTH -      /* get peer info from control channel */ -      free (multi->peer_info); -      multi->peer_info = read_string_alloc (buf); -#endif -        verify_user_pass(up, multi, session); -      CLEAR (*up);      }    else      { @@ -2071,6 +2081,9 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi        ks->authenticated = true;      } +  /* clear username and password from memory */ +  CLEAR (*up); +    /* Perform final authentication checks */    if (ks->authenticated)      { diff --git a/openvpn/src/openvpn/ssl_common.h b/openvpn/src/openvpn/ssl_common.h index 47dbefbe..7e52f9a2 100644 --- a/openvpn/src/openvpn/ssl_common.h +++ b/openvpn/src/openvpn/ssl_common.h @@ -233,7 +233,7 @@ struct tls_options    bool disable_occ;  #endif  #ifdef ENABLE_PUSH_PEER_INFO -  bool push_peer_info; +  int push_peer_info_detail;  #endif    int transition_window;    int handshake_window; @@ -481,14 +481,16 @@ struct tls_multi     */    char *client_reason; +  /* Time of last call to tls_authentication_status */ +  time_t tas_last; +#endif + +#if P2MP_SERVER    /*     * A multi-line string of general-purpose info received from peer     * over control channel.     */    char *peer_info; - -  /* Time of last call to tls_authentication_status */ -  time_t tas_last;  #endif    /* | 
