authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-09-04 20:35:09 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-09-04 20:35:09 +0000
commit0a838de8adf3b06590e73cff6415275d9b1cd4fe (patch)
tree17d8ef48307d970ad53efb4e9d7f61bf62a6e292
parent4f23b71018c07ced4624481a652a53aa3bfb3f7a (diff)
downloadopenvpn-0a838de8adf3b06590e73cff6415275d9b1cd4fe.zip
openvpn-0a838de8adf3b06590e73cff6415275d9b1cd4fe.tar.gz
openvpn-0a838de8adf3b06590e73cff6415275d9b1cd4fe.tar.xz
Added --allow-pull-fqdn option which allows client to pull DNS names
from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--openvpn.810
-rw-r--r--options.c32
-rw-r--r--options.h1
-rw-r--r--socket.c11
-rw-r--r--socket.h3
5 files changed, 45 insertions, 12 deletions
diff --git a/openvpn.8 b/openvpn.8
index c9920c6..7dc1ed1 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -98,6 +98,7 @@ openvpn \- secure IP tunnel daemon.
.ti -4
.B openvpn
[\ \fB\-\-allow\-nonadmin\fR\ \fI[TAP\-adapter]\fR\ ]
+[\ \fB\-\-allow\-pull\-fqdn\fR\ ]
[\ \fB\-\-askpass\fR\ \fI[file]\fR\ ]
[\ \fB\-\-auth\-nocache\fR\ ]
[\ \fB\-\-auth\-retry\fR\ \fItype\fR\ ]
@@ -1300,6 +1301,15 @@ however note that this option still allows the server
to set the TCP/IP properties of the client's TUN/TAP interface.
.\"*********************************************************
.TP
+.B --allow-pull-fqdn
+Allow client to pull DNS names from server (rather than being limited
+to IP address) for
+.B --ifconfig,
+.B --route,
+and
+.B --route-gateway.
+.\"*********************************************************
+.TP
.B --redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN.
diff --git a/options.c b/options.c
index 69f3731..ca9b9e1 100644
--- a/options.c
+++ b/options.c
@@ -180,6 +180,8 @@ static const char usage_message[] =
" --route-up script using environmental variables.\n"
"--route-nopull : When used with --client or --pull, accept options pushed\n"
" by server EXCEPT for routes.\n"
+ "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
+ " --ifconfig, --route, and --route-gateway.\n"
"--redirect-gateway [flags]: (Experimental) Automatically execute routing\n"
" commands to redirect all outgoing IP traffic through the\n"
" VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
@@ -890,7 +892,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,
}
else
{
- if (ip_addr_dotted_quad_safe (parm))
+ if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
{
bool error = false;
const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
@@ -1227,6 +1229,7 @@ show_settings (const struct options *o)
SHOW_BOOL (route_delay_defined);
SHOW_BOOL (route_nopull);
SHOW_BOOL (route_gateway_via_dhcp);
+ SHOW_BOOL (allow_pull_fqdn);
if (o->routes)
print_route_options (o->routes, D_SHOW_PARMS);
@@ -3433,7 +3436,7 @@ add_option (struct options *options,
else if (streq (p[0], "lladdr") && p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
- if (ip_addr_dotted_quad_safe (p[1]))
+ if (ip_addr_dotted_quad_safe (p[1])) /* FQDN -- IP address only */
options->lladdr = p[1];
else
{
@@ -3461,14 +3464,14 @@ add_option (struct options *options,
else if (streq (p[0], "ifconfig") && p[1] && p[2])
{
VERIFY_PERMISSION (OPT_P_UP);
- if (ip_addr_dotted_quad_safe (p[1]) && ip_addr_dotted_quad_safe (p[2]))
+ if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
{
options->ifconfig_local = p[1];
options->ifconfig_remote_netmask = p[2];
}
else
{
- msg (msglevel, "ifconfig parms '%s' and '%s' must be IP addresses", p[1], p[2]);
+ msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
goto err;
}
}
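Review bot: The second --ifconfig argument is stored in a field named `ifconfig_remote_netmask`, yet the new check lets it be a DNS name whenever allow_pull_fqdn is set, while the --route hunk below deliberately keeps its netmask dotted-quad only. A hostname is meaningless where p[2] is a netmask, which, going by the field name, it presumably is for tap-style or non-point-to-point topologies; whether p[2] is a peer address or a netmask seems to be decided elsewhere (topology/device type), so this check cannot easily tell. At minimum the comment should say so, e.g. `/* FQDN -- p[2] may be a peer address (DNS name ok) or a netmask (must be IP); only resolved later */`, or the netmask case should be rejected at the point where the topology is known. The enclosing add_option function starts and ends outside the hunk.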
@@ -4217,19 +4220,19 @@ add_option (struct options *options,
rol_check_alloc (options);
if (pull_mode)
{
- if (!ip_addr_dotted_quad_safe (p[1]) && !is_special_addr (p[1]))
+ if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
- msg (msglevel, "route parameter network/IP '%s' is not an IP address", p[1]);
+ msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
goto err;
}
- if (p[2] && !ip_addr_dotted_quad_safe (p[2]))
+ if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
{
- msg (msglevel, "route parameter netmask '%s' is not an IP address", p[2]);
+ msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
goto err;
}
- if (p[3] && !ip_addr_dotted_quad_safe (p[3]) && !is_special_addr (p[3]))
+ if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
{
- msg (msglevel, "route parameter gateway '%s' is not an IP address", p[3]);
+ msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
goto err;
}
}
@@ -4244,13 +4247,13 @@ add_option (struct options *options,
}
else
{
- if (ip_addr_dotted_quad_safe (p[1]) || is_special_addr (p[1]))
+ if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
{
options->route_default_gateway = p[1];
}
else
{
- msg (msglevel, "route-gateway parm '%s' must be an IP address", p[1]);
+ msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
goto err;
}
}
@@ -4294,6 +4297,11 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->route_nopull = true;
}
+ else if (streq (p[0], "allow-pull-fqdn"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->allow_pull_fqdn = true;
+ }
else if (streq (p[0], "redirect-gateway"))
{
int j;
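Review bot: The new `allow-pull-fqdn` handler has no comment on the one property that matters for security: it is gated with OPT_P_GENERAL rather than one of the pull-permission classes, so if OPT_P_GENERAL is, as elsewhere in this file, not part of the permission set granted to pushed options, the server cannot push `allow-pull-fqdn` to enable hostname resolution for itself and the decision stays with the local configuration. That is worth stating in place, e.g. `/* OPT_P_GENERAL only: must come from the local config; a server must never be able to push this flag */`. It would also help to record, here or in the man page text, that with the flag set the client resolves server-supplied names with its own resolver (presumably before the pushed routes are installed), so the addresses it ends up using are only as trustworthy as that resolver. add_option starts and ends outside the hunk.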
diff --git a/options.h b/options.h
index ea4d54e..30838ca 100644
--- a/options.h
+++ b/options.h
@@ -303,6 +303,7 @@ struct options
struct route_option_list *routes;
bool route_nopull;
bool route_gateway_via_dhcp;
+ bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
#ifdef ENABLE_OCC
/* Enable options consistency check between peers */
diff --git a/socket.c b/socket.c
index a7ed55f..9622637 100644
--- a/socket.c
+++ b/socket.c
@@ -294,6 +294,17 @@ ip_addr_dotted_quad_safe (const char *dotted_quad)
}
}
+bool
+ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn)
+{
+ if (ip_addr_dotted_quad_safe (dotted_quad))
+ return true;
+ else if (allow_fqdn)
+ return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);
+ else
+ return false;
+}
+
static void
update_remote (const char* host,
struct openvpn_sockaddr *addr,
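Review bot: `ip_or_dns_addr_safe` accepts any string built from the CC_NAME|CC_DASH|CC_DOT classes, so with allow_fqdn set a pushed value such as `-`, `...` or an arbitrarily long token passes here and is rejected, if at all, only by the resolver later; whether string_class accepts an empty string is not visible from this hunk. A non-empty check and a length cap are cheap at this point, where the value is still known to be server-supplied: `return *dotted_quad != '\0' && strlen (dotted_quad) <= 253 && string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);`. The parameter name `dotted_quad` is also misleading for a function whose purpose is to admit hostnames; `addr` or `host` would read better in both this definition and the socket.h prototype.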
diff --git a/socket.h b/socket.h
index 8eb768d..b111764 100644
--- a/socket.h
+++ b/socket.h
@@ -396,7 +396,10 @@ void link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sn
#define OIA_IP 1
#define OIA_ERROR -1
int openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr);
+
+/* integrity validation on pulled options */
bool ip_addr_dotted_quad_safe (const char *dotted_quad);
+bool ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn);
socket_descriptor_t create_socket_tcp (void);