From 0a838de8adf3b06590e73cff6415275d9b1cd4fe Mon Sep 17 00:00:00 2001 From: james Date: Thu, 4 Sep 2008 20:35:09 +0000 Subject: [PATCH] Added --allow-pull-fqdn option which allows client to pull DNS names from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5 --- openvpn.8 | 10 ++++++++++ options.c | 32 ++++++++++++++++++++------------ options.h | 1 + socket.c | 11 +++++++++++ socket.h | 3 +++ 5 files changed, 45 insertions(+), 12 deletions(-) diff --git a/openvpn.8 b/openvpn.8 index c9920c64..7dc1ed18 100644 --- a/openvpn.8 +++ b/openvpn.8 @@ -98,6 +98,7 @@ openvpn \- secure IP tunnel daemon. .ti -4 .B openvpn [\ \fB\-\-allow\-nonadmin\fR\ \fI[TAP\-adapter]\fR\ ] +[\ \fB\-\-allow\-pull\-fqdn\fR\ ] [\ \fB\-\-askpass\fR\ \fI[file]\fR\ ] [\ \fB\-\-auth\-nocache\fR\ ] [\ \fB\-\-auth\-retry\fR\ \fItype\fR\ ] @@ -1300,6 +1301,15 @@ however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. .\"********************************************************* .TP +.B --allow-pull-fqdn +Allow client to pull DNS names from server (rather than being limited +to IP address) for +.B --ifconfig, +.B --route, +and +.B --route-gateway. +.\"********************************************************* +.TP .B --redirect-gateway flags... (Experimental) Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. diff --git a/options.c b/options.c index 69f37315..ca9b9e1b 100644 --- a/options.c +++ b/options.c 
@@ -180,6 +180,8 @@ static const char usage_message[] =
 " --route-up script using environmental variables.\n"
 "--route-nopull : When used with --client or --pull, accept options pushed\n"
 " by server EXCEPT for routes.\n"
+ "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
+ " --ifconfig, --route, and --route-gateway.\n"
 "--redirect-gateway [flags]: (Experimental) Automatically execute routing\n"
 " commands to redirect all outgoing IP traffic through the\n"
 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
@@ -890,7 +892,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,
 }
 else
 {
- if (ip_addr_dotted_quad_safe (parm))
+ if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
 {
 bool error = false;
 const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
@@ -1227,6 +1229,7 @@ show_settings (const struct options *o)
 SHOW_BOOL (route_delay_defined);
 SHOW_BOOL (route_nopull);
 SHOW_BOOL (route_gateway_via_dhcp);
+ SHOW_BOOL (allow_pull_fqdn);
 if (o->routes)
 print_route_options (o->routes, D_SHOW_PARMS);
@@ -3433,7 +3436,7 @@ add_option (struct options *options,
 else if (streq (p[0], "lladdr") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_UP);
- if (ip_addr_dotted_quad_safe (p[1]))
+ if (ip_addr_dotted_quad_safe (p[1])) /* FQDN -- IP address only */
 options->lladdr = p[1];
 else
 {
@@ -3461,14 +3464,14 @@ add_option (struct options *options,
 else if (streq (p[0], "ifconfig") && p[1] && p[2])
 {
 VERIFY_PERMISSION (OPT_P_UP);
- if (ip_addr_dotted_quad_safe (p[1]) && ip_addr_dotted_quad_safe (p[2]))
+ if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
 {
 options->ifconfig_local = p[1];
 options->ifconfig_remote_netmask = p[2];
 }
 else
 {
- msg (msglevel, "ifconfig parms '%s' and '%s' must be IP addresses", p[1], p[2]);
+ msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
 goto err;
 }
 }
@@ -4217,19 +4220,19 @@ add_option (struct options *options,
 rol_check_alloc (options);
 if (pull_mode)
 {
- if (!ip_addr_dotted_quad_safe (p[1]) && !is_special_addr (p[1]))
+ if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
 {
- msg (msglevel, "route parameter network/IP '%s' is not an IP address", p[1]);
+ msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
 goto err;
 }
- if (p[2] && !ip_addr_dotted_quad_safe (p[2]))
+ if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
 {
- msg (msglevel, "route parameter netmask '%s' is not an IP address", p[2]);
+ msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
 goto err;
 }
- if (p[3] && !ip_addr_dotted_quad_safe (p[3]) && !is_special_addr (p[3]))
+ if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
 {
- msg (msglevel, "route parameter gateway '%s' is not an IP address", p[3]);
+ msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
 goto err;
 }
 }
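Review bot: The rewritten ifconfig test gates FQDN acceptance on `options->allow_pull_fqdn` without regard to `pull_mode`, unlike the route hunk below, which applies `ip_or_dns_addr_safe` only inside `if (pull_mode)`; as written, a host name in a locally configured `--ifconfig` is refused unless the client also sets `--allow-pull-fqdn`, an option the usage text and man page describe purely in terms of pulled options (the route-gateway hunk in the next file section has the same shape). If that coupling is intended, the option documentation should say it also governs local config; if not, `ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn || !pull_mode)` would confine the gate to pulled options. Note also that p[2] may now be a DNS name here although the field it lands in is named `ifconfig_remote_netmask`, so it is presumably a netmask in some topologies, whereas the route hunk keeps its netmask IP-only. The reworded error `must be valid addresses` no longer tells the user that a DNS name requires `--allow-pull-fqdn`. add_option begins and ends outside this hunk.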
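Review bot: Once `--allow-pull-fqdn` is set, the pushed network (p[1]) and gateway (p[3]) pass this check as names that the client itself must translate to addresses, so the values that reach the routing table now depend on whatever resolver answers the client at that moment rather than solely on the authenticated server, which is presumably why the option defaults to off; nothing at the `if (pull_mode)` site records that, and a short comment would keep a later cleanup from treating the flag as cosmetic: `/* with allow_pull_fqdn a pushed name is resolved by the client, not vouched for by the server */`. Keeping the netmask (p[2]) IP-only is right. The new messages (`must be a valid address`) drop the hint a user needs when a name is rejected; `"route parameter network/IP '%s' must be an IP address (or a DNS name with --allow-pull-fqdn)"` would be clearer. The enclosing add_option body continues on both sides of the hunk.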
@@ -4244,13 +4247,13 @@ add_option (struct options *options,
 }
 else
 {
- if (ip_addr_dotted_quad_safe (p[1]) || is_special_addr (p[1]))
+ if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
 {
 options->route_default_gateway = p[1];
 }
 else
 {
- msg (msglevel, "route-gateway parm '%s' must be an IP address", p[1]);
+ msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
 goto err;
 }
 }
@@ -4294,6 +4297,11 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->route_nopull = true;
 }
+ else if (streq (p[0], "allow-pull-fqdn"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->allow_pull_fqdn = true;
+ }
 else if (streq (p[0], "redirect-gateway"))
 {
 int j;
diff --git a/options.h b/options.h
index ea4d54e5..30838ca7 100644
--- a/options.h
+++ b/options.h
@@ -303,6 +303,7 @@ struct options
 struct route_option_list *routes;
 bool route_nopull;
 bool route_gateway_via_dhcp;
+ bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 #ifdef ENABLE_OCC /* Enable options consistency check between peers */
diff --git a/socket.c b/socket.c
index a7ed55f3..96226376 100644
--- a/socket.c
+++ b/socket.c
@@ -294,6 +294,17 @@ ip_addr_dotted_quad_safe (const char *dotted_quad)
 }
 }
+bool
+ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn)
+{
+ if (ip_addr_dotted_quad_safe (dotted_quad))
+ return true;
+ else if (allow_fqdn)
+ return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);
+ else
+ return false;
+}
+
 static void
 update_remote (const char* host,
 struct openvpn_sockaddr *addr,
diff --git a/socket.h b/socket.h
index 8eb768d4..b1117648 100644
--- a/socket.h
+++ b/socket.h
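Review bot: The new `allow-pull-fqdn` branch relies entirely on `VERIFY_PERMISSION (OPT_P_GENERAL)` to keep the option client-side — if a server could push it, it could enable FQDN pulls for itself — yet the line reads like the boilerplate copied from the `route-nopull` branch above it and nothing marks it as load-bearing. A one-line comment would guard against a later permission change: `/* must stay OPT_P_GENERAL: a pushed allow-pull-fqdn would let the server enable FQDN pulls for itself */`. This presumes OPT_P_GENERAL is excluded from the permission mask applied to pulled options; worth confirming where that mask is built. add_option begins and ends outside this hunk.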
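Review bot: `ip_or_dns_addr_safe` accepts any string drawn from the `CC_NAME|CC_DASH|CC_DOT` classes with no upper bound on length and, unless `string_class` itself rejects them, no rejection of degenerate inputs such as an empty string or a run of dots, so anything of that shape is passed on to name resolution; a DNS name in presentation form is at most 253 characters, so a cheap bound would be `return *dotted_quad && strlen (dotted_quad) <= 253 && string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);`. The parameter keeps the name `dotted_quad` although the whole point of the function is that it may now be a DNS name; `addr` or `host` would stop the misleading name being copied into the socket.h prototype in the next file section. The `else` after an unconditional `return true` is redundant, and `const` on the by-value `allow_fqdn` is a definition detail that the header prototype need not repeat.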
@@ -396,7 +396,10 @@ void link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sn
 #define OIA_IP 1
 #define OIA_ERROR -1
 int openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr);
+
+/* integrity validation on pulled options */
 bool ip_addr_dotted_quad_safe (const char *dotted_quad);
+bool ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn);
 socket_descriptor_t create_socket_tcp (void);