Diffstat (limited to 'options.c')
-rw-r--r--options.c60
1 files changed, 56 insertions, 4 deletions
diff --git a/options.c b/options.c
index 5f1efc5..717c5d7 100644
--- a/options.c
+++ b/options.c
@@ -7,6 +7,9 @@
*
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
*
+ * Additions for eurephia plugin done by:
+ * David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2009
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
@@ -45,6 +48,8 @@
#include "pool.h"
#include "helper.h"
#include "manage.h"
+#include "configure.h"
+#include <ctype.h>
#include "memdbg.h"
@@ -73,6 +78,9 @@ const char title_string[] =
#ifdef ENABLE_PKCS11
" [PKCS11]"
#endif
+#ifdef ENABLE_EUREPHIA
+ " [eurephia]"
+#endif
" built on " __DATE__
;
@@ -504,6 +512,8 @@ static const char usage_message[] =
"--key file : Local private key in .pem format.\n"
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
" and optionally the root CA certificate.\n"
+ "--x509-username-field : Field used in x509 certificat to be username.\n"
+ " Default is CN.\n"
#ifdef WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
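Review bot: The new usage line at the start of this hunk misspells "certificate" as `certificat`; usage_message is printed verbatim to users, so it should read `"--x509-username-field : Field used in x509 certificate to be username.\n"`. The usage_message string literal begins and ends outside this hunk.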
@@ -534,6 +544,9 @@ static const char usage_message[] =
" tests of certification. cmd should return 0 to allow\n"
" TLS handshake to proceed, or 1 to fail. (cmd is\n"
" executed as 'cmd certificate_depth X509_NAME_oneline')\n"
+ "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
+ " in an openvpn temporary file in [directory]. Peer cert is \n"
+ " stored before tls-verify script execution and deleted after.\n"
"--tls-remote x509name: Accept connections only from a host with X509 name\n"
" x509name. The remote host must also pass all other tests\n"
" of verification.\n"
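Review bot: The two added usage lines for --tls-export-cert carry a trailing space before the `\n` (`"...store it \n"` and `"...Peer cert is \n"`), which ends up in the printed help text. Drop the trailing blanks, e.g. `"--tls-export-cert [directory] : Get peer cert in PEM format and store it\n"` and `" in an openvpn temporary file in [directory]. Peer cert is\n"`. The usage_message literal continues outside this hunk.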
@@ -757,6 +770,7 @@ init_options (struct options *o, const bool init_gc)
o->renegotiate_seconds = 3600;
o->handshake_window = 60;
o->transition_window = 3600;
+ o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
#endif
#ifdef ENABLE_PKCS11
@@ -1335,6 +1349,7 @@ show_settings (const struct options *o)
#endif
SHOW_STR (cipher_list);
SHOW_STR (tls_verify);
+ SHOW_STR (tls_export_cert);
SHOW_STR (tls_remote);
SHOW_STR (crl_file);
SHOW_INT (ns_cert_type);
@@ -2063,6 +2078,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
MUST_BE_UNDEF (pkcs12_file);
MUST_BE_UNDEF (cipher_list);
MUST_BE_UNDEF (tls_verify);
+ MUST_BE_UNDEF (tls_export_cert);
MUST_BE_UNDEF (tls_remote);
MUST_BE_UNDEF (tls_timeout);
MUST_BE_UNDEF (renegotiate_bytes);
@@ -2909,6 +2925,12 @@ usage_version (void)
msg (M_INFO|M_NOPREFIX, "%s", title_string);
msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");
+#ifndef ENABLE_SMALL
+#ifdef CONFIGURE_CALL
+ msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
+#endif
+ msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
+#endif
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
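Review bot: CONFIGURE_DEFINES is used unconditionally inside the new `#ifndef ENABLE_SMALL` block while CONFIGURE_CALL two lines above is protected by `#ifdef`; if configure.h (added to the includes earlier in this diff) can be generated without CONFIGURE_DEFINES, the second msg() call fails to compile. Either guard it the same way, `#ifdef CONFIGURE_DEFINES` around the msg() line, or add a comment stating that configure.h always defines it. The start of usage_version lies outside the hunk.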
@@ -3491,6 +3513,15 @@ msglevel_forward_compatible (struct options *options, const int msglevel)
}
static void
+warn_multiple_script (const char *script, const char *type) {
+ if (script) {
+ msg (M_WARN, "Multiple --%s scripts defined. "
+ "The previously configured script is overridden.", type);
+ }
+}
+
+
+static void
add_option (struct options *options,
char *p[],
const char *file,
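Review bot: warn_multiple_script has no comment saying when it fires, and the parameter name `script` does not make clear that it is the value already stored in options rather than the new one; a header such as `/* Warn that a --<type> directive replaces a script already configured; 'script' is the currently stored value (NULL if none). */` would make the call sites in the later hunks readable. As a point of style, the opening braces sit on the function-name line and on the `if` line, whereas the surrounding code in this file puts block braces on their own lines (see the blocks in the hunks below), so `{` should move down to match. The add_option definition that starts at the end of this hunk continues outside it.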
@@ -3890,6 +3921,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->ipchange, "ipchange");
options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
}
else if (streq (p[0], "float"))
@@ -3936,6 +3968,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->up_script, "up");
options->up_script = p[1];
}
else if (streq (p[0], "down") && p[1])
@@ -3943,6 +3976,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->down_script, "down");
options->down_script = p[1];
}
else if (streq (p[0], "down-pre"))
@@ -4002,7 +4036,7 @@ add_option (struct options *options,
{
if (options->inetd != -1)
{
- msg (msglevel, opterr);
+ msg (msglevel, "%s", opterr);
goto err;
}
else
@@ -4012,7 +4046,7 @@ add_option (struct options *options,
{
if (options->inetd != -1)
{
- msg (msglevel, opterr);
+ msg (msglevel, "%s", opterr);
goto err;
}
else
@@ -4022,7 +4056,7 @@ add_option (struct options *options,
{
if (name != NULL)
{
- msg (msglevel, opterr);
+ msg (msglevel, "%s", opterr);
goto err;
}
name = p[z];
@@ -4258,7 +4292,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
port = atoi (p[1]);
- if (!legal_ipv4_port (port))
+ if ((port != 0) && !legal_ipv4_port (port))
{
msg (msglevel, "Bad local port number: %s", p[1]);
goto err;
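Review bot: Relaxing the check to `(port != 0) && !legal_ipv4_port (port)` silently accepts any non-numeric argument, because `atoi (p[1])` on the line above returns 0 for unparsable input; before this change such input was rejected with "Bad local port number". If 0 is meant to be a valid value, either parse with strtol and reject a non-empty trailing string, or allow only the literal string, e.g. `if (!(port == 0 && streq (p[1], "0")) && !legal_ipv4_port (port))`. The option name this branch handles is not visible in the hunk, and add_option continues outside it.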
@@ -4624,6 +4658,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->route_script, "route-up");
options->route_script = p[1];
}
else if (streq (p[0], "route-noexec"))
@@ -4953,6 +4988,7 @@ add_option (struct options *options,
msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
goto err;
}
+ warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify");
options->auth_user_pass_verify_script = p[1];
}
else if (streq (p[0], "client-connect") && p[1])
@@ -4960,6 +4996,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->client_connect_script, "client-connect");
options->client_connect_script = p[1];
}
else if (streq (p[0], "client-disconnect") && p[1])
@@ -4967,6 +5004,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->client_disconnect_script, "client-disconnect");
options->client_disconnect_script = p[1];
}
else if (streq (p[0], "learn-address") && p[1])
@@ -4974,6 +5012,7 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->learn_address_script, "learn-address");
options->learn_address_script = p[1];
}
else if (streq (p[0], "tmp-dir") && p[1])
@@ -5753,8 +5792,14 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+ warn_multiple_script (options->tls_verify, "tls-verify");
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
}
+ else if (streq (p[0], "tls-export-cert") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->tls_export_cert = p[1];
+ }
else if (streq (p[0], "tls-remote") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
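Review bot: The new --tls-export-cert branch requires an argument (`&& p[1]`), yet the usage text added earlier in this diff presents it as optional (`--tls-export-cert [directory]`); one of the two should change, and with the parser as written the usage line should read `"--tls-export-cert directory : Get peer cert in PEM format and store it\n"`. The branch also stores the raw path without checking that it names an existing, writable directory; if that validation is not done in the post-processing pass (not visible here), a mistyped path is only discovered when the peer certificate is written during the TLS handshake. add_option continues outside the hunk.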
@@ -5880,6 +5925,13 @@ add_option (struct options *options,
}
options->key_method = key_method;
}
+ else if (streq (p[0], "x509-username-field") && p[1])
+ {
+ char *s = p[1];
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
+ options->x509_username_field = p[1];
+ }
#endif /* USE_SSL */
#endif /* USE_CRYPTO */
#ifdef ENABLE_PKCS11
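Review bot: `toupper(*s)` is handed a plain `char`; where char is signed, a byte above 0x7f becomes a negative value, which is undefined behaviour for the <ctype.h> functions, so convert through unsigned char first: `while ((*s = (char) toupper ((unsigned char) *s)) != '\0') s++;`. It is also worth confirming that unconditionally upper-casing the field name is compatible with however the name is later resolved, since X.509 field identifiers such as emailAddress are mixed case; if it is not, the conversion would need to be dropped or restricted to the short names it was written for. Separately, the `#include <ctype.h>` this line depends on was inserted in the include hunk near the top of the diff between project headers, ahead of memdbg.h; the file's system includes are not visible here, but grouping it with them would be the usual convention. add_option continues outside the hunk.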