author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-11-18 03:22:52 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-11-18 03:22:52 +0000 |
commit | 09cc9c81c8e57a21395de4848baaa8213627d3c6 (patch) | |
tree | 4d17f28cb5eaf0c24168282dd742c2da1c6b95cf | |
parent | Added --prng option to control PRNG (pseudo-random (diff) | |
download | openvpn-09cc9c81c8e57a21395de4848baaa8213627d3c6.tar.xz |
Added server-side --opt-verify option: clients that connect
with options that are incompatible with those of the server
will be disconnected.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r-- | openvpn.8 | 14 | ||||
-rw-r--r-- | options.c | 9 | ||||
-rw-r--r-- | ssl.c | 5 | ||||
-rw-r--r-- | ssl.h | 1 |
4 files changed, 29 insertions, 0 deletions
@@ -3288,6 +3288,20 @@ For a sample script that performs PAM authentication, see in the OpenVPN source distribution. .\"********************************************************* .TP +.B --opt-verify +Clients that connect with options that are incompatible +with those of the server will be disconnected. + +Options that will be compared for compatibility include +dev-type, link-mtu, tun-mtu, proto, tun-ipv6, ifconfig, +comp-lzo, fragment, keydir, cipher, auth, keysize, secret, +no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client. + +This option requires that +.B --disable-occ +NOT be used. +.\"********************************************************* +.TP .B --auth-user-pass-optional Allow connections by clients that do not specify a username/password. Normally, when @@ -384,6 +384,8 @@ static const char usage_message[] = " run script cmd to verify. If method='via-env', pass\n" " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" + "--opt-verify : Clients that connect with options that are incompatible\n" + " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : Allow Common Name and X509 Subject to include\n" @@ -1758,6 +1760,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne msg (M_USAGE, "--username-as-common-name requires --mode server"); if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) msg (M_USAGE, "--auth-user-pass-optional requires --mode server"); + if (options->ssl_flags & SSLF_OPT_VERIFY) + msg (M_USAGE, "--opt-verify requires --mode server"); if (options->auth_user_pass_verify_script) msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); #if PORT_SHARE 
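Review bot: The only sanity check this commit adds to options_postprocess_verify_ce is `--opt-verify requires --mode server`, while the openvpn.8 hunk in the same commit states the option requires that --disable-occ NOT be used; nothing rejects that combination, so a server configured with both would accept every client and never run the comparison. A parallel usage check beside the new lines would enforce the documented constraint, e.g. `if ((options->ssl_flags & SSLF_OPT_VERIFY) && !options->occ) msg (M_USAGE, "--opt-verify cannot be used with --disable-occ");`, presumably with `occ` being the field --disable-occ clears (not visible in this hunk). options_postprocess_verify_ce begins and ends outside the hunk.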
@@ -4625,6 +4629,11 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
 }
+ else if (streq (p[0], "opt-verify"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_OPT_VERIFY;
+ }
 else if (streq (p[0], "auth-user-pass-verify") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_SCRIPT);
@@ -3465,6 +3465,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 !options_cmp_equal (options, session->opt->remote_options))
 {
 options_warning (options, session->opt->remote_options);
+ if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
+ {
+ msg (D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
+ ks->authenticated = false;
+ }
 }
 #endif
@@ -469,6 +469,7 @@ struct tls_options
 # define SSLF_USERNAME_AS_COMMON_NAME (1<<1)
 # define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2)
 # define SSLF_NO_NAME_REMAPPING (1<<3)
+# define SSLF_OPT_VERIFY (1<<4)
 unsigned int ssl_flags;
 #ifdef MANAGEMENT_DEF_AUTH
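Review bot: The disconnect in key_method_2_read fires only inside the branch that reached options_cmp_equal, i.e. when a peer option string was received and found inconsistent; the enclosing condition starts outside the hunk, and if it skips the comparison when no option string arrives at all (a peer without OCC support), --opt-verify does not gate that peer. That makes the flag a consistency check rather than an access control, which deserves a comment above the new `if`, e.g. `/* --opt-verify: enforced only when the peer sent an options string; absence of a string is not a mismatch */`. A second short comment on `ks->authenticated = false;` would help too, since the state flip, not the D_TLS_ERRORS message, is what actually rejects the session. key_method_2_read continues outside the hunk.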