mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
Added --remote-random-hostname option.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4843 e7ae566f-a301-0410-adde-c780ea21d3b5
This commit is contained in:
parent
b69d5cc8f5
commit
8e9666d575
38
misc.c
38
misc.c
@ -1186,6 +1186,44 @@ create_temp_filename (const char *directory, const char *prefix, struct gc_arena
|
||||
return gen_path (directory, BSTR (&fname), gc);
|
||||
}
|
||||
|
||||
/*
|
||||
* Add a random string to first DNS label of hostname to prevent DNS caching.
|
||||
* For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
|
||||
* Of course, this requires explicit support in the DNS server.
|
||||
*/
|
||||
const char *
|
||||
hostname_randomize(const char *hostname, struct gc_arena *gc)
|
||||
{
|
||||
const int n_rnd_bytes = 6;
|
||||
|
||||
char *hst = string_alloc(hostname, gc);
|
||||
char *dot = strchr(hst, '.');
|
||||
|
||||
if (dot)
|
||||
{
|
||||
uint8_t rnd_bytes[n_rnd_bytes];
|
||||
const char *rnd_str;
|
||||
struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
|
||||
|
||||
*dot++ = '\0';
|
||||
prng_bytes (rnd_bytes, sizeof (rnd_bytes));
|
||||
rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
|
||||
buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot);
|
||||
return BSTR(&hname);
|
||||
}
|
||||
else
|
||||
return hostname;
|
||||
}
|
||||
|
||||
#else
|
||||
|
||||
const char *
|
||||
hostname_randomize(const char *hostname, struct gc_arena *gc)
|
||||
{
|
||||
msg (M_WARN, "WARNING: hostname randomization disabled when crypto support is not compiled");
|
||||
return hostname;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
3
misc.h
3
misc.h
@ -230,6 +230,9 @@ bool delete_file (const char *filename);
|
||||
/* return true if pathname is absolute */
|
||||
bool absolute_pathname (const char *pathname);
|
||||
|
||||
/* prepend a random prefix to hostname (need USE_CRYPTO) */
|
||||
const char *hostname_randomize(const char *hostname, struct gc_arena *gc);
|
||||
|
||||
/*
|
||||
* Get and store a username/password
|
||||
*/
|
||||
|
13
options.c
13
options.c
@ -90,6 +90,7 @@ static const char usage_message[] =
|
||||
"--local host : Local host name or ip address. Implies --bind.\n"
|
||||
"--remote host [port] : Remote host name or ip address.\n"
|
||||
"--remote-random : If multiple --remote options specified, choose one randomly.\n"
|
||||
"--remote-random-hostname : Add a random string to remote DNS name.\n"
|
||||
"--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
|
||||
"--proto p : Use protocol p for communicating with peer.\n"
|
||||
" p = udp (default), tcp-server, or tcp-client\n"
|
||||
@ -4420,9 +4421,20 @@ add_option (struct options *options,
|
||||
}
|
||||
options->routes->flags |= RG_ENABLE;
|
||||
}
|
||||
else if (streq (p[0], "remote-random-hostname"))
|
||||
{
|
||||
VERIFY_PERMISSION (OPT_P_GENERAL);
|
||||
options->sockflags |= SF_HOST_RANDOMIZE;
|
||||
}
|
||||
else if (streq (p[0], "setenv") && p[1])
|
||||
{
|
||||
VERIFY_PERMISSION (OPT_P_GENERAL);
|
||||
if (streq (p[1], "REMOTE_RANDOM_HOSTNAME"))
|
||||
{
|
||||
options->sockflags |= SF_HOST_RANDOMIZE;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
|
||||
{
|
||||
options->forward_compatible = true;
|
||||
@ -4430,6 +4442,7 @@ add_option (struct options *options,
|
||||
}
|
||||
setenv_str (es, p[1], p[2] ? p[2] : "");
|
||||
}
|
||||
}
|
||||
else if (streq (p[0], "setenv-safe") && p[1])
|
||||
{
|
||||
VERIFY_PERMISSION (OPT_P_SETENV);
|
||||
|
33
socket.c
33
socket.c
@ -32,6 +32,7 @@
|
||||
#include "plugin.h"
|
||||
#include "ps.h"
|
||||
#include "manage.h"
|
||||
#include "misc.h"
|
||||
|
||||
#include "memdbg.h"
|
||||
|
||||
@ -42,6 +43,19 @@ const int proto_overhead[] = { /* indexed by PROTO_x */
|
||||
IPv4_TCP_HEADER_SIZE
|
||||
};
|
||||
|
||||
/*
|
||||
* Convert sockflags/getaddr_flags into getaddr_flags
|
||||
*/
|
||||
static unsigned int
|
||||
sf2gaf(const unsigned int getaddr_flags,
|
||||
const unsigned int sockflags)
|
||||
{
|
||||
if (sockflags & SF_HOST_RANDOMIZE)
|
||||
return getaddr_flags | GETADDR_RANDOMIZE;
|
||||
else
|
||||
return getaddr_flags;
|
||||
}
|
||||
|
||||
/*
|
||||
* Functions related to the translation of DNS names to IP addresses.
|
||||
*/
|
||||
@ -79,6 +93,10 @@ getaddr (unsigned int flags,
|
||||
int status;
|
||||
int sigrec = 0;
|
||||
int msglevel = (flags & GETADDR_FATAL) ? M_FATAL : D_RESOLVE_ERRORS;
|
||||
struct gc_arena gc = gc_new ();
|
||||
|
||||
if (flags & GETADDR_RANDOMIZE)
|
||||
hostname = hostname_randomize(hostname, &gc);
|
||||
|
||||
if (flags & GETADDR_MSG_VIRT_OUT)
|
||||
msglevel |= M_MSG_VIRT_OUT;
|
||||
@ -225,6 +243,7 @@ getaddr (unsigned int flags,
|
||||
msg (level, "RESOLVE: signal received during DNS resolution attempt");
|
||||
}
|
||||
|
||||
gc_free (&gc);
|
||||
return (flags & GETADDR_HOST_ORDER) ? ntohl (ia.s_addr) : ia.s_addr;
|
||||
}
|
||||
|
||||
@ -359,12 +378,13 @@ mac_addr_safe (const char *mac_addr)
|
||||
static void
|
||||
update_remote (const char* host,
|
||||
struct openvpn_sockaddr *addr,
|
||||
bool *changed)
|
||||
bool *changed,
|
||||
const unsigned int sockflags)
|
||||
{
|
||||
if (host && addr)
|
||||
{
|
||||
const in_addr_t new_addr = getaddr (
|
||||
GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE,
|
||||
sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sockflags),
|
||||
host,
|
||||
1,
|
||||
NULL,
|
||||
@ -728,7 +748,7 @@ socket_listen_accept (socket_descriptor_t sd,
|
||||
|
||||
if (socket_defined (new_sd))
|
||||
{
|
||||
update_remote (remote_dynamic, &remote_verify, remote_changed);
|
||||
update_remote (remote_dynamic, &remote_verify, remote_changed, 0);
|
||||
if (addr_defined (&remote_verify)
|
||||
&& !addr_match (&remote_verify, &act->dest))
|
||||
{
|
||||
@ -858,6 +878,7 @@ socket_connect (socket_descriptor_t *sd,
|
||||
const int connect_retry_seconds,
|
||||
const int connect_timeout,
|
||||
const int connect_retry_max,
|
||||
const unsigned int sockflags,
|
||||
volatile int *signal_received)
|
||||
{
|
||||
struct gc_arena gc = gc_new ();
|
||||
@ -919,7 +940,7 @@ socket_connect (socket_descriptor_t *sd,
|
||||
*sd = create_socket_tcp ();
|
||||
if (bind_local)
|
||||
socket_bind (*sd, local, "TCP Client");
|
||||
update_remote (remote_dynamic, remote, remote_changed);
|
||||
update_remote (remote_dynamic, remote, remote_changed, sockflags);
|
||||
}
|
||||
|
||||
msg (M_INFO, "TCP connection established with %s",
|
||||
@ -1023,7 +1044,7 @@ resolve_remote (struct link_socket *sock,
|
||||
|
||||
if (sock->remote_host)
|
||||
{
|
||||
unsigned int flags = GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE;
|
||||
unsigned int flags = sf2gaf(GETADDR_RESOLVE|GETADDR_UPDATE_MANAGEMENT_STATE, sock->sockflags);
|
||||
int retry = 0;
|
||||
bool status = false;
|
||||
|
||||
@ -1384,6 +1405,7 @@ link_socket_init_phase2 (struct link_socket *sock,
|
||||
sock->connect_retry_seconds,
|
||||
sock->connect_timeout,
|
||||
sock->connect_retry_max,
|
||||
sock->sockflags,
|
||||
signal_received);
|
||||
|
||||
if (*signal_received)
|
||||
@ -1432,6 +1454,7 @@ link_socket_init_phase2 (struct link_socket *sock,
|
||||
sock->connect_retry_seconds,
|
||||
sock->connect_timeout,
|
||||
sock->connect_retry_max,
|
||||
sock->sockflags,
|
||||
signal_received);
|
||||
|
||||
if (*signal_received)
|
||||
|
2
socket.h
2
socket.h
@ -198,6 +198,7 @@ struct link_socket
|
||||
# define SF_USE_IP_PKTINFO (1<<0)
|
||||
# define SF_TCP_NODELAY (1<<1)
|
||||
# define SF_PORT_SHARE (1<<2)
|
||||
# define SF_HOST_RANDOMIZE (1<<3)
|
||||
unsigned int sockflags;
|
||||
|
||||
/* for stream sockets */
|
||||
@ -447,6 +448,7 @@ bool unix_socket_get_peer_uid_gid (const socket_descriptor_t sd, int *uid, int *
|
||||
#define GETADDR_MSG_VIRT_OUT (1<<6)
|
||||
#define GETADDR_TRY_ONCE (1<<7)
|
||||
#define GETADDR_UPDATE_MANAGEMENT_STATE (1<<8)
|
||||
#define GETADDR_RANDOMIZE (1<<9)
|
||||
|
||||
in_addr_t getaddr (unsigned int flags,
|
||||
const char *hostname,
|
||||
|
@ -1,5 +1,5 @@
|
||||
dnl define the OpenVPN version
|
||||
define(PRODUCT_VERSION,[2.1_rc19])
|
||||
define(PRODUCT_VERSION,[2.1_rc19a])
|
||||
dnl define the TAP version
|
||||
define(PRODUCT_TAP_ID,[tap0901])
|
||||
define(PRODUCT_TAP_WIN32_MIN_MAJOR,[9])
|
||||
|
Loading…
Reference in New Issue
Block a user