aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-11-18 03:22:52 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-11-18 03:22:52 +0000
commit09cc9c81c8e57a21395de4848baaa8213627d3c6 (patch)
tree4d17f28cb5eaf0c24168282dd742c2da1c6b95cf
parentAdded --prng option to control PRNG (pseudo-random (diff)
downloadopenvpn-09cc9c81c8e57a21395de4848baaa8213627d3c6.tar.xz
Added server-side --opt-verify option: clients that connect
with options that are incompatible with those of the server will be disconnected. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--openvpn.814
-rw-r--r--options.c9
-rw-r--r--ssl.c5
-rw-r--r--ssl.h1
4 files changed, 29 insertions, 0 deletions
diff --git a/openvpn.8 b/openvpn.8
index bbec354..c78ad4b 100644
--- a/openvpn.8
+++ b/openvpn.8
@@ -3288,6 +3288,20 @@ For a sample script that performs PAM authentication, see
in the OpenVPN source distribution.
.\"*********************************************************
.TP
+.B --opt-verify
+Clients that connect with options that are incompatible
+with those of the server will be disconnected.
+
+Options that will be compared for compatibility include
+dev-type, link-mtu, tun-mtu, proto, tun-ipv6, ifconfig,
+comp-lzo, fragment, keydir, cipher, auth, keysize, secret,
+no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client.
+
+This option requires that
+.B --disable-occ
+NOT be used.
+.\"*********************************************************
+.TP
.B --auth-user-pass-optional
Allow connections by clients that do not specify a username/password.
Normally, when
diff --git a/options.c b/options.c
index 5a78c70..2bb5fc2 100644
--- a/options.c
+++ b/options.c
@@ -384,6 +384,8 @@ static const char usage_message[] =
" run script cmd to verify. If method='via-env', pass\n"
" user/pass via environment, if method='via-file', pass\n"
" user/pass via temporary file.\n"
+ "--opt-verify : Clients that connect with options that are incompatible\n"
+ " with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
"--no-name-remapping : Allow Common Name and X509 Subject to include\n"
@@ -1758,6 +1760,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--username-as-common-name requires --mode server");
if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
+ if (options->ssl_flags & SSLF_OPT_VERIFY)
+ msg (M_USAGE, "--opt-verify requires --mode server");
if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
#if PORT_SHARE
@@ -4625,6 +4629,11 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
}
+ else if (streq (p[0], "opt-verify"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_OPT_VERIFY;
+ }
else if (streq (p[0], "auth-user-pass-verify") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
diff --git a/ssl.c b/ssl.c
index f289af0..c6caf2a 100644
--- a/ssl.c
+++ b/ssl.c
@@ -3465,6 +3465,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
!options_cmp_equal (options, session->opt->remote_options))
{
options_warning (options, session->opt->remote_options);
+ if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
+ {
+ msg (D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
+ ks->authenticated = false;
+ }
}
#endif
diff --git a/ssl.h b/ssl.h
index 41df175..6dedac1 100644
--- a/ssl.h
+++ b/ssl.h
@@ -469,6 +469,7 @@ struct tls_options
# define SSLF_USERNAME_AS_COMMON_NAME (1<<1)
# define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2)
# define SSLF_NO_NAME_REMAPPING (1<<3)
+# define SSLF_OPT_VERIFY (1<<4)
unsigned int ssl_flags;
#ifdef MANAGEMENT_DEF_AUTH