
Added --allow-pull-fqdn option which allows client to pull DNS names

from server (rather than only IP addresses) for --ifconfig, --route, and
--route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5
james 2008-09-04 20:35:09 +00:00
parent 4f23b71018
commit 0a838de8ad
5 changed files with 45 additions and 12 deletions


@ -98,6 +98,7 @@ openvpn \- secure IP tunnel daemon.
.ti -4
.B openvpn
[\ \fB\-\-allow\-nonadmin\fR\ \fI[TAP\-adapter]\fR\ ]
[\ \fB\-\-allow\-pull\-fqdn\fR\ ]
[\ \fB\-\-askpass\fR\ \fI[file]\fR\ ]
[\ \fB\-\-auth\-nocache\fR\ ]
[\ \fB\-\-auth\-retry\fR\ \fItype\fR\ ]
@ -1300,6 +1301,15 @@ however note that this option still allows the server
to set the TCP/IP properties of the client's TUN/TAP interface.
.\"*********************************************************
.TP
.B --allow-pull-fqdn
Allow client to pull DNS names from server (rather than being limited
to IP address) for
.B --ifconfig,
.B --route,
and
.B --route-gateway.
.\"*********************************************************
.TP
.B --redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN.


@ -180,6 +180,8 @@ static const char usage_message[] =
" --route-up script using environmental variables.\n"
"--route-nopull : When used with --client or --pull, accept options pushed\n"
" by server EXCEPT for routes.\n"
"--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
" --ifconfig, --route, and --route-gateway.\n"
"--redirect-gateway [flags]: (Experimental) Automatically execute routing\n"
" commands to redirect all outgoing IP traffic through the\n"
" VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
@ -890,7 +892,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,
}
else
{
if (ip_addr_dotted_quad_safe (parm))
if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
{
bool error = false;
const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
@ -1227,6 +1229,7 @@ show_settings (const struct options *o)
SHOW_BOOL (route_delay_defined);
SHOW_BOOL (route_nopull);
SHOW_BOOL (route_gateway_via_dhcp);
SHOW_BOOL (allow_pull_fqdn);
if (o->routes)
print_route_options (o->routes, D_SHOW_PARMS);
@ -3433,7 +3436,7 @@ add_option (struct options *options,
else if (streq (p[0], "lladdr") && p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
if (ip_addr_dotted_quad_safe (p[1]))
if (ip_addr_dotted_quad_safe (p[1])) /* FQDN -- IP address only */
options->lladdr = p[1];
else
{
@ -3461,14 +3464,14 @@ add_option (struct options *options,
else if (streq (p[0], "ifconfig") && p[1] && p[2])
{
VERIFY_PERMISSION (OPT_P_UP);
if (ip_addr_dotted_quad_safe (p[1]) && ip_addr_dotted_quad_safe (p[2]))
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
{
options->ifconfig_local = p[1];
options->ifconfig_remote_netmask = p[2];
}
else
{
msg (msglevel, "ifconfig parms '%s' and '%s' must be IP addresses", p[1], p[2]);
msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
goto err;
}
}
@ -4217,19 +4220,19 @@ add_option (struct options *options,
rol_check_alloc (options);
if (pull_mode)
{
if (!ip_addr_dotted_quad_safe (p[1]) && !is_special_addr (p[1]))
if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
msg (msglevel, "route parameter network/IP '%s' is not an IP address", p[1]);
msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
goto err;
}
if (p[2] && !ip_addr_dotted_quad_safe (p[2]))
if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
{
msg (msglevel, "route parameter netmask '%s' is not an IP address", p[2]);
msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
goto err;
}
if (p[3] && !ip_addr_dotted_quad_safe (p[3]) && !is_special_addr (p[3]))
if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
{
msg (msglevel, "route parameter gateway '%s' is not an IP address", p[3]);
msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
goto err;
}
}
@ -4244,13 +4247,13 @@ add_option (struct options *options,
}
else
{
if (ip_addr_dotted_quad_safe (p[1]) || is_special_addr (p[1]))
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
options->route_default_gateway = p[1];
}
else
{
msg (msglevel, "route-gateway parm '%s' must be an IP address", p[1]);
msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
goto err;
}
}
@ -4294,6 +4297,11 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->route_nopull = true;
}
else if (streq (p[0], "allow-pull-fqdn"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->allow_pull_fqdn = true;
}
else if (streq (p[0], "redirect-gateway"))
{
int j;
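Review bot: The ifconfig branch's new `ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn)` check reads the flag at parse time and, unlike the route branch, is not guarded by `pull_mode`, so the relaxation also applies to a local-config `--ifconfig` and only to options parsed after `--allow-pull-fqdn`, since the flag is set in the `allow-pull-fqdn` branch of the same parser; an `--ifconfig name name` that precedes the flag in the config file is rejected with "must be valid addresses". The usage text and the man page describe this as a pull-only relaxation, which a reader of the code will not find, so the ifconfig branch should at least carry a comment such as `/* allow_pull_fqdn must already be parsed (OPT_P_GENERAL, so presumably never pushed); local --ifconfig is relaxed too */`, and if pull-only is really the intent, passing `pull_mode && options->allow_pull_fqdn` there would match the route branch. `add_option` starts and ends outside these hunks, so whether the non-pull ifconfig case is validated elsewhere is not visible here.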


@ -303,6 +303,7 @@ struct options
struct route_option_list *routes;
bool route_nopull;
bool route_gateway_via_dhcp;
bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
#ifdef ENABLE_OCC
/* Enable options consistency check between peers */


@ -294,6 +294,17 @@ ip_addr_dotted_quad_safe (const char *dotted_quad)
}
}
bool
ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn)
{
if (ip_addr_dotted_quad_safe (dotted_quad))
return true;
else if (allow_fqdn)
return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);
else
return false;
}
static void
update_remote (const char* host,
struct openvpn_sockaddr *addr,
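Review bot: With `allow_fqdn` set, the `string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0)` branch accepts any string built from those character classes, including one that starts with `-` or consists only of dots; the name is not resolved or length-bounded here, and if the value is later handed to an external ifconfig/route command as an argument (not visible in this hunk), a server-pushed name beginning with a dash could be parsed as a command-line option rather than a host. A cheap tightening is to reject a leading dash or dot before the class check, e.g. `else if (allow_fqdn && *dotted_quad != '-' && *dotted_quad != '.') return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);`, and whether `string_class` accepts an empty string should be confirmed since that would pass too. The parameter name `dotted_quad` is now misleading for a value that may be a host name; `addr` or `host` would read better in both the definition and the prototype.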


@ -396,7 +396,10 @@ void link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sn
#define OIA_IP 1
#define OIA_ERROR -1
int openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr);
/* integrity validation on pulled options */
bool ip_addr_dotted_quad_safe (const char *dotted_quad);
bool ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn);
socket_descriptor_t create_socket_tcp (void);
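Review bot: `const` on the by-value `allow_fqdn` parameter is a definition-side detail that the prototype does not need, so `bool ip_or_dns_addr_safe (const char *dotted_quad, bool allow_fqdn);` is the conventional header form. Since this declaration is the contract of a check applied to server-pushed strings, a one-line comment above it stating what it admits would help callers, e.g. `/* true for a dotted quad; with allow_fqdn also for a string of name, dash and dot characters (not resolved here) */`, with the exact character set taken from the CC_* classes used in the definition.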