Ticket #268: 0001-Always-push-basic-set-of-peer-info-values-to-server-v2.patch

File 0001-Always-push-basic-set-of-peer-info-values-to-server-v2.patch, 4.3 KB (added by Gert Döring, 8 years ago)

New version of the patch that does not leak data from the server to the client.

  • src/openvpn/init.c

    From bad745c76de0ea5e643592ece0356eb0227ecf56 Mon Sep 17 00:00:00 2001
    From: James Yonan <james@openvpn.net>
    Date: Tue, 25 Sep 2012 01:05:41 +0200
    Subject: [PATCH] Always push basic set of peer info values to server.
    
    On the client, allow certain peer info fields to be pushed even if
    push-peer-info isn't specified in the config.
    
    This is needed to allow the compression handshake to work correctly
    (i.e. where the client indicates its support for LZO and/or Snappy).
    
    Fields that have privacy implications, such as the MAC address and UV_*
    environment variables, are still not pushed to the server unless
    push-peer-info is specified in the client config.
    
    v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
    
    v2: distinguish 3 levels of peer-info detail
    
      --push-peer-info specified --> send all we have
      --pull           specified --> send basic set, as per r8225
      default                    --> send nothing (do not leak from server)
    
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    ---
     src/openvpn/init.c       |  7 ++++++-
     src/openvpn/ssl.c        | 43 ++++++++++++++++++++++---------------------
     src/openvpn/ssl_common.h |  2 +-
     3 files changed, 29 insertions(+), 23 deletions(-)
    
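diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e700cd6..2a0ba85 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2213,7 +2213,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.renegotiate_seconds = options->renegotiate_seconds;
   to.single_session = options->single_session;
 #ifdef ENABLE_PUSH_PEER_INFO
-  to.push_peer_info = options->push_peer_info;
+  if (options->push_peer_info)          /* all there is */
+    to.push_peer_info_detail = 2;
+  else if (options->pull)               /* pull clients send some details */
+    to.push_peer_info_detail = 1;
+  else                                  /* default: no peer-info at all */
+    to.push_peer_info_detail = 0;
 #endif
 
   /* should we not xmit any packets until we get an initial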
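Review bot: The `else if (options->pull)` branch quietly turns on peer-info transmission for a client whose config never mentions --push-peer-info, and nothing at the code says why, so the next person tidying this block will be tempted to fold it back into the first branch. I would replace the terse `/* pull clients send some details */` with the reason given in the commit message: `/* --pull clients send the basic set (no MAC address, no UV_*) even without --push-peer-info; the server needs it for the compression handshake */`. The levels 2/1/0 are assigned here as bare literals and compared as `> 0` / `>= 2` in ssl.c, so the comment should also point at where the privacy-sensitive fields are gated. do_init_crypto_tls starts and ends outside this hunk.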
  • src/openvpn/ssl.c

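diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9ca409f..85d8db2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
   bool ret = false;
 
 #ifdef ENABLE_PUSH_PEER_INFO
-  if (session->opt->push_peer_info) /* write peer info */
+  if (session->opt->push_peer_info_detail > 0)
     {
       struct env_set *es = session->opt->es;
       struct env_item *e;
@@ -1803,38 +1803,39 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
       buf_printf (&out, "IV_PLAT=win\n");
 #endif
 
-      /* push mac addr */
-      {
-        struct route_gateway_info rgi;
-        get_default_gateway (&rgi);
-        if (rgi.flags & RGI_HWADDR_DEFINED)
-          buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
-      }
-
       /* push compression status */
 #ifdef USE_COMP
       comp_generate_peer_info_string(&session->opt->comp_options, &out);
 #endif
 
-      /* push env vars that begin with UV_ */
-      for (e=es->list; e != NULL; e=e->next)
-        {
-          if (e->string)
+      if (session->opt->push_peer_info_detail >= 2)
+        {
+          /* push mac addr */
+          struct route_gateway_info rgi;
+          get_default_gateway (&rgi);
+          if (rgi.flags & RGI_HWADDR_DEFINED)
+            buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
+
+          /* push env vars that begin with UV_ */
+          for (e=es->list; e != NULL; e=e->next)
             {
-              if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
-                buf_printf (&out, "%s\n", e->string);
+              if (e->string)
+                {
+                  if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
+                    buf_printf (&out, "%s\n", e->string);
+                }
             }
         }
 
-      if (!write_string(buf, BSTR(&out), -1))
-        goto error;
+        if (!write_string(buf, BSTR(&out), -1))
+          goto error;
     }
   else
 #endif
-    {
-      if (!write_empty_string (buf)) /* no peer info */
-        goto error;
-    }
+  {
+    if (!write_empty_string (buf)) /* no peer info */
+      goto error;
+  }
   ret = true;
 
 error: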
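Review bot: The `if (session->opt->push_peer_info_detail >= 2)` gate is the privacy boundary of this function — below it the client sends only what the unchanged earlier part of the block emits (IV_PLAT and the compression string are the parts visible here), above it the default-gateway MAC address and every `UV_*` environment variable go to the server — yet the bare `2` says nothing of this and has to stay in step with the literal assigned in init.c. I would put the rationale on the gate itself: `/* privacy-sensitive: IV_HWADDR and UV_* only with explicit --push-peer-info (detail 2) */`. Separately, the re-added `if (!write_string(buf, BSTR(&out), -1))` / `goto error;` pair is now indented two columns deeper than its enclosing block, and the rebuilt `else` block moved from the 4/6/8 layout of the removed lines to 2/4/6 while the `else` keyword stayed put; both should be re-indented to match the surrounding GNU-style context. push_peer_info begins before the first hunk and continues past the `error:` label.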
  • src/openvpn/ssl_common.h

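diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 47dbefb..0e97487 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -233,7 +233,7 @@ struct tls_options
   bool disable_occ;
 #endif
 #ifdef ENABLE_PUSH_PEER_INFO
-  bool push_peer_info;
+  int push_peer_info_detail;
 #endif
   int transition_window;
   int handshake_window;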
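Review bot: `int push_peer_info_detail` replaces a self-describing bool with an integer whose three values are defined only by the assignment in init.c and the `> 0` / `>= 2` comparisons in ssl.c, so the header should state what they mean. I would annotate the field: `int push_peer_info_detail; /* 0: send no peer info; 1: basic set (pull clients); 2: also IV_HWADDR and UV_* env (explicit --push-peer-info) */`. An enum with named values for the three levels, used by both init.c and ssl.c, would be better still; the comment is the minimum. struct tls_options starts and ends outside this hunk.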