Added --allow-pull-fqdn option which allows client to pull DNS names

from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/openvpn.8 b/openvpn.8
index c9920c64be6c8eefbb7901ed8db5f9bdf1549070..7dc1ed18ee1aea8e3c0b43999f7f1f495f64435a 100644 (file)
--- a/openvpn.8
+++ b/openvpn.8
@@ -98,6 +98,7 @@ openvpn \- secure IP tunnel daemon.
 .ti -4
 .B openvpn
 [\ \fB\-\-allow\-nonadmin\fR\ \fI[TAP\-adapter]\fR\ ]
+[\ \fB\-\-allow\-pull\-fqdn\fR\ ]
 [\ \fB\-\-askpass\fR\ \fI[file]\fR\ ]
 [\ \fB\-\-auth\-nocache\fR\ ]
 [\ \fB\-\-auth\-retry\fR\ \fItype\fR\ ]
@@ -1300,6 +1301,15 @@ however note that this option still allows the server
 to set the TCP/IP properties of the client's TUN/TAP interface.
 .\"*********************************************************
 .TP
+.B --allow-pull-fqdn
+Allow client to pull DNS names from server (rather than being limited
+to IP address) for
+.B --ifconfig,
+.B --route,
+and
+.B --route-gateway.
+.\"*********************************************************
+.TP
 .B --redirect-gateway flags...
 (Experimental) Automatically execute routing commands to cause all outgoing IP traffic
 to be redirected over the VPN.

diff --git a/options.c b/options.c
index 69f3731575a628ce935a4a5084208f62ba9782d0..ca9b9e1bae56f6a6be7399a4698148bc4f20bdb4 100644 (file)
--- a/options.c
+++ b/options.c
@@ -180,6 +180,8 @@ static const char usage_message[] =
   "                  --route-up script using environmental variables.\n"
   "--route-nopull  : When used with --client or --pull, accept options pushed\n"
   "                  by server EXCEPT for routes.\n"
+  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
+  "                    --ifconfig, --route, and --route-gateway.\n"
   "--redirect-gateway [flags]: (Experimental) Automatically execute routing\n"
   "                  commands to redirect all outgoing IP traffic through the\n"
   "                  VPN.  Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
@@ -890,7 +892,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,
     }
   else
     {
-      if (ip_addr_dotted_quad_safe (parm))
+      if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
        {
          bool error = false;
          const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
@@ -1227,6 +1229,7 @@ show_settings (const struct options *o)
   SHOW_BOOL (route_delay_defined);
   SHOW_BOOL (route_nopull);
   SHOW_BOOL (route_gateway_via_dhcp);
+  SHOW_BOOL (allow_pull_fqdn);
   if (o->routes)
     print_route_options (o->routes, D_SHOW_PARMS);
 
@@ -3433,7 +3436,7 @@ add_option (struct options *options,
   else if (streq (p[0], "lladdr") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_UP);
-      if (ip_addr_dotted_quad_safe (p[1]))
+      if (ip_addr_dotted_quad_safe (p[1])) /* FQDN -- IP address only */
        options->lladdr = p[1];
       else
        {
@@ -3461,14 +3464,14 @@ add_option (struct options *options,
   else if (streq (p[0], "ifconfig") && p[1] && p[2])
     {
       VERIFY_PERMISSION (OPT_P_UP);
-      if (ip_addr_dotted_quad_safe (p[1]) && ip_addr_dotted_quad_safe (p[2]))
+      if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
        {
          options->ifconfig_local = p[1];
          options->ifconfig_remote_netmask = p[2];
        }
       else
        {
-         msg (msglevel, "ifconfig parms '%s' and '%s' must be IP addresses", p[1], p[2]);
+         msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
          goto err;
        }
     }
@@ -4217,19 +4220,19 @@ add_option (struct options *options,
       rol_check_alloc (options);
       if (pull_mode)
        {
-         if (!ip_addr_dotted_quad_safe (p[1]) && !is_special_addr (p[1]))
+         if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
            {
-             msg (msglevel, "route parameter network/IP '%s' is not an IP address", p[1]);
+             msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
              goto err;
            }
-         if (p[2] && !ip_addr_dotted_quad_safe (p[2]))
+         if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
            {
-             msg (msglevel, "route parameter netmask '%s' is not an IP address", p[2]);
+             msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
              goto err;
            }
-         if (p[3] && !ip_addr_dotted_quad_safe (p[3]) && !is_special_addr (p[3]))
+         if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
            {
-             msg (msglevel, "route parameter gateway '%s' is not an IP address", p[3]);
+             msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
              goto err;
            }
        }
@@ -4244,13 +4247,13 @@ add_option (struct options *options,
        }
       else
        {
-         if (ip_addr_dotted_quad_safe (p[1]) || is_special_addr (p[1]))
+         if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
            {
              options->route_default_gateway = p[1];
            }
          else
            {
-             msg (msglevel, "route-gateway parm '%s' must be an IP address", p[1]);
+             msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
              goto err;
            }
        }
@@ -4294,6 +4297,11 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->route_nopull = true;
     }
+  else if (streq (p[0], "allow-pull-fqdn"))
+    {
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->allow_pull_fqdn = true;
+    }
   else if (streq (p[0], "redirect-gateway"))
     {
       int j;

diff --git a/options.h b/options.h
index ea4d54e51be04ef0604f99c1ebfd3aeb8f415027..30838ca74bcc5e719011e58ce6e0a511e34eda1f 100644 (file)
--- a/options.h
+++ b/options.h
@@ -303,6 +303,7 @@ struct options
   struct route_option_list *routes;
   bool route_nopull;
   bool route_gateway_via_dhcp;
+  bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
 
 #ifdef ENABLE_OCC
   /* Enable options consistency check between peers */

diff --git a/socket.c b/socket.c
index a7ed55f3e03ae1e9a625e6b6c39a645b6ebd02a6..9622637603a59323108a43841ff89fbb7c53f653 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -294,6 +294,17 @@ ip_addr_dotted_quad_safe (const char *dotted_quad)
   }
 }
 
+bool
+ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn)
+{
+  if (ip_addr_dotted_quad_safe (dotted_quad))
+    return true;
+  else if (allow_fqdn)
+    return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);
+  else
+    return false;
+}
+
 static void
 update_remote (const char* host,
               struct openvpn_sockaddr *addr,

diff --git a/socket.h b/socket.h
index 8eb768d47d895bb239fac718984703999677d9ca..b111764885537ad1eb79e87ed7983ca100930b7a 100644 (file)
--- a/socket.h
+++ b/socket.h
@@ -396,7 +396,10 @@ void link_socket_update_buffer_sizes (struct link_socket *ls, int rcvbuf, int sn
 #define OIA_IP         1
 #define OIA_ERROR     -1
 int openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr);
+
+/* integrity validation on pulled options */
 bool ip_addr_dotted_quad_safe (const char *dotted_quad);
+bool ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn);
 
 socket_descriptor_t create_socket_tcp (void);