From bad745c76de0ea5e643592ece0356eb0227ecf56 Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Tue, 25 Sep 2012 01:05:41 +0200
Subject: [PATCH] Always push basic set of peer info values to server.
On the client, allow certain peer info fields to be pushed even if
push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly
(i.e. where the client indicates its support for LZO and/or Snappy).
Fields that have privacy implications, such as the MAC address and UV_*
environment variables, will not be pushed to the server unless
push-peer-info is specified in the client config (as before).
v1: equivalent to OpenVPN SVN r8225 (2.1.21c)
v2: distinguish 3 levels of peer-info detail
--push-peer-info specified --> send all we have
--pull specified --> send basic set, as per r8225
default --> send nothing (do not leak from server)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/init.c | 7 ++++++-
src/openvpn/ssl.c | 43 ++++++++++++++++++++++---------------------
src/openvpn/ssl_common.h | 2 +-
3 files changed, 29 insertions(+), 23 deletions(-)
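--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2213,7 +2213,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   to.renegotiate_seconds = options->renegotiate_seconds;
   to.single_session = options->single_session;
 #ifdef ENABLE_PUSH_PEER_INFO
-  to.push_peer_info = options->push_peer_info;
+  if (options->push_peer_info) /* all there is */
+    to.push_peer_info_detail = 2;
+  else if (options->pull) /* pull clients send some details */
+    to.push_peer_info_detail = 1;
+  else /* default: no peer-info at all */
+    to.push_peer_info_detail = 0;
 #endif
 
   /* should we not xmit any packets until we get an initial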
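Review bot: The detail levels 2, 1 and 0 assigned to `to.push_peer_info_detail` are bare magic numbers, and ssl.c compares the same field against `> 0` and `>= 2`, so the meaning of each level exists only in the comments on these three assignments. Naming them would keep the two files in step, e.g. (names illustrative) `enum { PEER_INFO_NONE = 0, PEER_INFO_BASIC = 1, PEER_INFO_ALL = 2 };` declared next to the field in ssl_common.h, with the assignments here and the comparisons in ssl.c using the names. do_init_crypto_tls begins and ends outside the hunk.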
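--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
   bool ret = false;
 
 #ifdef ENABLE_PUSH_PEER_INFO
-  if (session->opt->push_peer_info) /* write peer info */
+  if (session->opt->push_peer_info_detail > 0)
     {
       struct env_set *es = session->opt->es;
       struct env_item *e;
@@ -1803,38 +1803,39 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
       buf_printf (&out, "IV_PLAT=win\n");
 #endif
 
-      /* push mac addr */
-      {
-        struct route_gateway_info rgi;
-        get_default_gateway (&rgi);
-        if (rgi.flags & RGI_HWADDR_DEFINED)
-          buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
-      }
-
       /* push compression status */
 #ifdef USE_COMP
       comp_generate_peer_info_string(&session->opt->comp_options, &out);
 #endif
 
-      /* push env vars that begin with UV_ */
-      for (e=es->list; e != NULL; e=e->next)
-        {
-          if (e->string)
+      if (session->opt->push_peer_info_detail >= 2)
+        {
+          /* push mac addr */
+          struct route_gateway_info rgi;
+          get_default_gateway (&rgi);
+          if (rgi.flags & RGI_HWADDR_DEFINED)
+            buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
+
+          /* push env vars that begin with UV_ */
+          for (e=es->list; e != NULL; e=e->next)
             {
-              if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
-                buf_printf (&out, "%s\n", e->string);
+              if (e->string)
+                {
+                  if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
+                    buf_printf (&out, "%s\n", e->string);
+                }
             }
         }
 
-      if (!write_string(buf, BSTR(&out), -1))
-        goto error;
+      if (!write_string(buf, BSTR(&out), -1))
+        goto error;
     }
   else
 #endif
-    {
-      if (!write_empty_string (buf)) /* no peer info */
-        goto error;
-    }
+    {
+      if (!write_empty_string (buf)) /* no peer info */
+        goto error;
+    }
   ret = true;
 
  error: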
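Review bot: The new `if (session->opt->push_peer_info_detail >= 2)` gate reads as an arbitrary threshold and deserves a comment stating what it protects, e.g. `/* detail >= 2 (explicit --push-peer-info): fields with privacy implications, never sent for --pull alone */`. Everything above the gate — the IV_PLAT line and the compression string visible in the hunk, plus whatever lines 1782–1802 outside the hunk emit — is still sent at detail 1, so a `--pull` client now discloses platform and compression support to the server without opting in; that matches the commit message, but the user-facing documentation for --push-peer-info should say which fields are sent at each level. The `write_string` and `write_empty_string` lines near the end are removed and re-added with no visible textual difference, which looks like whitespace-only churn that could be dropped from the patch. push_peer_info's body starts before the first hunk and continues past the `error:` label.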
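--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -233,7 +233,7 @@ struct tls_options
   bool disable_occ;
 #endif
 #ifdef ENABLE_PUSH_PEER_INFO
-  bool push_peer_info;
+  int push_peer_info_detail;
 #endif
   int transition_window;
   int handshake_window;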
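Review bot: `int push_peer_info_detail;` replaces a bool with a three-valued int but carries no comment on what the values mean, so a reader of the header has to find the assignments in init.c to learn that 1 is the --pull subset and 2 is everything. Suggest `int push_peer_info_detail; /* 0: none, 1: basic set (--pull), 2: all incl. MAC addr and UV_* (--push-peer-info) */`. struct tls_options begins and ends outside the hunk.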