/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#ifndef MISC_H
#define MISC_H
#include "argv.h" |
#include "basic.h"
#include "common.h"
#include "integer.h"
#include "buffer.h" |
#include "platform.h" |
/* socket descriptor passed by inetd/xinetd server to us */
/* fd 0 (stdin) carries the accepted connection when started from inetd;
 * see inetd_socket_descriptor / save_inetd_socket_descriptor() below. */
#define INETD_SOCKET_DESCRIPTOR 0
/* forward declarations */
struct plugin_list;
/*
 * Handle environmental variable lists
 */
/* One entry of an env_set, kept as a singly linked list node.
 * NOTE(review): the entry text is presumably "NAME=VALUE", inferred from
 * env_set_add() taking a single string -- confirm in the implementation. */
struct env_item {
    char *string;            /* the environment entry text */
    struct env_item *next;   /* following entry (presumably NULL at the tail) */
};
/* A list of environment entries plus the arena they are allocated from.
 * Created by env_set_create(), released by env_set_destroy() (below). */
struct env_set {
    struct gc_arena *gc;     /* arena backing the list's allocations (presumed) */
    struct env_item *list;   /* head of the env_item list */
};
/* system flags */
/* Flags accepted by the openvpn_execve*() family.  openvpn_run_script()
 * (below) ORs S_SCRIPT into the caller's flags to mark a user-defined
 * script invocation.  S_FATAL's exact effect is defined in the
 * implementation -- presumably "treat execution failure as fatal"; confirm. */
#define S_SCRIPT (1<<0)
#define S_FATAL (1<<1)

/* Printable message for a system error code, allocated from gc.
 * NOTE(review): the int is presumably an errno value -- confirm. */
const char *system_error_message(int, struct gc_arena *gc);

/* wrapper around the execve() call */
/* These spawn an external program described by argv 'a' with environment
 * 'es'.  The int results of openvpn_popen() and openvpn_execve() are
 * defined in the implementation; openvpn_execve_check() returns success as
 * a bool and 'error_message' appears to be reported when the command
 * fails (see its use in openvpn_run_script()).  openvpn_execve_allowed()
 * reports whether 'flags' permit running anything at all -- presumably
 * against the script_security level declared later in this header. */
int openvpn_popen(const struct argv *a, const struct env_set *es);
int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags);
bool openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message);
bool openvpn_execve_allowed(const unsigned int flags);
/*
 * Run a user-defined script through openvpn_execve_check(), forcing the
 * S_SCRIPT flag on.  'hook' names the script and is embedded in the
 * warning text handed over as the failure message.  Returns whatever
 * openvpn_execve_check() returns.
 */
static inline bool
openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
{
    char warning[256];
    const unsigned int script_flags = flags | S_SCRIPT;

    /* openvpn_snprintf is relied on to bound and NUL-terminate the message */
    openvpn_snprintf(warning, sizeof(warning),
                     "WARNING: Failed running command (%s)", hook);
    return openvpn_execve_check(a, es, script_flags, warning);
}
/* Set standard file descriptors to /dev/null */
/* With stdin_only set, presumably only fd 0 is redirected -- confirm. */
void set_std_files_to_null(bool stdin_only);

/* dup inetd/xinetd socket descriptor and save */
/* The saved duplicate lives in inetd_socket_descriptor; the original is
 * INETD_SOCKET_DESCRIPTOR (fd 0), see above. */
extern int inetd_socket_descriptor;
void save_inetd_socket_descriptor(void);
/* set/delete environmental variable */
/* Full-control setter: the *_include / *_exclude masks and *_replace
 * characters presumably select which character classes are kept in the
 * name and value and what any other character is replaced with -- the
 * mask semantics are defined in the implementation.  This is the
 * filtering point for values that originate from an untrusted peer before
 * they reach scripts via the environment. */
void setenv_str_ex(struct env_set *es,
                   const char *name,
                   const char *value,
                   const unsigned int name_include,
                   const unsigned int name_exclude,
                   const char name_replace,
                   const unsigned int value_include,
                   const unsigned int value_exclude,
                   const char value_replace);
/* Typed convenience setters; the value is formatted into the entry text. */
void setenv_counter(struct env_set *es, const char *name, counter_type value);
void setenv_int(struct env_set *es, const char *name, int value);
void setenv_long_long(struct env_set *es, const char *name, long long value);
void setenv_str(struct env_set *es, const char *name, const char *value);
/* NOTE(review): what "safe" adds over setenv_str() (presumably character
 * filtering of the value) is defined in the implementation -- confirm. */
void setenv_str_safe(struct env_set *es, const char *name, const char *value);
/* Remove the variable 'name' from 'es'. */
void setenv_del(struct env_set *es, const char *name);

/**
 * Store the supplied name value pair in the env_set. If the variable with the
 * supplied name already exists, append _N to the name, starting at N=1.
 */
void setenv_str_incr(struct env_set *es, const char *name, const char *value);

/* Indexed variants; 'i' is presumably appended to 'name' as a suffix
 * (as in the _N scheme of setenv_str_incr()) -- confirm. */
void setenv_int_i(struct env_set *es, const char *name, const int value, const int i);
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i);
/* struct env_set functions */

/* Allocate a new, empty env_set backed by 'gc'. */
struct env_set *env_set_create(struct gc_arena *gc);
/* Release an env_set created by env_set_create(). */
void env_set_destroy(struct env_set *es);
/* Remove the entry matching 'str'; returns true if something was removed (presumed). */
bool env_set_del(struct env_set *es, const char *str);

/* Add one entry string to the set. */
void env_set_add(struct env_set *es, const char *str);

/* Look up the value stored under 'name'; NULL when absent (presumed). */
const char *env_set_get(const struct env_set *es, const char *name);

/* Log the set at 'msglevel'.  NOTE(review): presumably filtered through
 * env_safe_to_print() so secrets stay out of the log -- confirm. */
void env_set_print(int msglevel, const struct env_set *es);
/* Copy the entries of 'src' into 'es'. */
void env_set_inherit(struct env_set *es, const struct env_set *src);
/* Make arrays of strings */

/* Build a NULL-terminated envp-style array from 'es', allocated from gc.
 * When check_allowed is true, entries are presumably filtered with
 * env_allowed() (declared below) so that only permitted variables reach
 * an external program -- confirm in the implementation. */
const char **make_env_array(const struct env_set *es,
                            const bool check_allowed,
                            struct gc_arena *gc);
/* Build an argv-style array from 'first' followed by the words of 'parms'. */
const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc);

/* Variant taking an already-split parameter list 'p'. */
const char **make_extended_arg_array(char **p, struct gc_arena *gc);
/* an analogue to the random() function, but uses OpenSSL functions if available */
/* NOTE(review): nothing here states that the non-OpenSSL fallback is a
 * cryptographically strong source; treat the result as non-secret
 * randomness (randomized prefixes, jitter) rather than key material
 * unless the implementation confirms otherwise. */
long int get_random(void);
/* return true if filename can be opened for read */
/* Existence/readability probe only; a true result is a point-in-time
 * check and does not make a later open guaranteed to succeed. */
bool test_file(const char *filename);
/* create a temporary file in directory, returns the filename of the created file */
/* The returned path is presumably allocated from gc.  Whether the file is
 * created exclusively (O_EXCL) and with a restrictive mode is decided by
 * the implementation -- verify before relying on it in a shared directory. */
const char *create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc);
/* put a directory and filename together */
/* Result is allocated from gc (presumed). */
const char *gen_path(const char *directory, const char *filename, struct gc_arena *gc);
/* return true if pathname is absolute */
/* Platform-specific notion of "absolute" (see platform.h); defined in the implementation. */
bool absolute_pathname(const char *pathname);
/* prepend a random prefix to hostname */
/* Returns a new string allocated from gc (presumed); the source of the
 * random prefix is defined in the implementation. */
const char *hostname_randomize(const char *hostname, struct gc_arena *gc);
/*
 * Get and store a username/password
 */
/* Credential container filled by get_user_pass()/get_user_pass_cr() and
 * cleared by purge_user_pass() (declared below).  Both strings live in
 * fixed-size inline buffers, so an instance holds secret material in
 * place: keep its lifetime short and purge it explicitly rather than
 * letting it go out of scope.  Whether purge_user_pass() zeroizes the
 * buffers or only resets 'defined' is decided by the implementation. */
struct user_pass
{
    bool defined;        /* true once username/password hold valid data (presumed) */
    bool nocache;        /* NOTE(review): looks like "do not retain for reuse" -- confirm */
    bool tokenized; /* true if password has been substituted by a token */
    bool wait_for_push; /* true if this object is waiting for a push-reply */
    /* max length of username/password */
    /* buffer size, presumably including the terminating NUL; larger when
     * PKCS#11 support is built in (long PIN/label strings, presumably) */
#ifdef ENABLE_PKCS11
#define USER_PASS_LEN 4096
#else
#define USER_PASS_LEN 128
#endif
    char username[USER_PASS_LEN];
    char password[USER_PASS_LEN];
};
#ifdef ENABLE_CLIENT_CR
/*
 * Challenge response info on client as pushed by server.
 */
/* Parsed form of a dynamic (CRV1) challenge; produced by
 * get_auth_challenge() below.  The string members are peer-supplied and
 * should go through safe_print() before being logged. */
struct auth_challenge_info {
#define CR_ECHO (1<<0) /* echo response when typed by user */
#define CR_RESPONSE (1<<1) /* response needed */
    unsigned int flags;             /* mask of CR_* */

    const char *user;               /* username the challenge applies to (presumed) */
    const char *state_id;           /* opaque server-side state identifier (presumed) */
    const char *challenge_text;     /* text shown to the user */
};
/* Parse the challenge string 'auth_challenge' received from the server into
 * a gc-allocated auth_challenge_info; NULL on a malformed input (presumed). */
struct auth_challenge_info *get_auth_challenge(const char *auth_challenge, struct gc_arena *gc);
/*
 * Challenge response info on client as pushed by server.
 */
/* Static (SCRV1) challenge variant: only a flag word and the prompt text. */
struct static_challenge_info {
#define SC_ECHO (1<<0) /* echo response when typed by user */
    unsigned int flags;             /* mask of SC_* */

    const char *challenge_text;     /* text shown to the user */
};
#else /* ifdef ENABLE_CLIENT_CR */
/* Empty placeholders so the type names exist without client CR support.
 * An empty struct is a compiler extension rather than strict ISO C. */
struct auth_challenge_info {};
struct static_challenge_info {};
#endif /* ifdef ENABLE_CLIENT_CR */
/*
 * Flags for get_user_pass and management_query_user_pass
 */
#define GET_USER_PASS_MANAGEMENT (1<<0)             /* obtain credentials via the management interface (presumed from the name) */
/* GET_USER_PASS_SENSITIVE (1<<1) not used anymore */
#define GET_USER_PASS_PASSWORD_ONLY (1<<2)          /* only a password is needed, no username (presumed) */
#define GET_USER_PASS_NEED_OK (1<<3)                /* NOTE(review): meaning defined in the implementation -- confirm */
#define GET_USER_PASS_NOFATAL (1<<4)                /* failure to obtain credentials is not fatal (presumed) */
#define GET_USER_PASS_NEED_STR (1<<5)               /* NOTE(review): meaning defined in the implementation -- confirm */
#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)  /* a previous attempt with these credentials was rejected (presumed) */

#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /* CRV1 protocol -- dynamic challenge */
#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */

#define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */

/* Obtain credentials into 'up'.  'auth_file' is a credential file path, or
 * the credential text itself when GET_USER_PASS_INLINE_CREDS is set;
 * 'prefix' is presumably used to label prompts and messages; 'flags' is a
 * mask of GET_USER_PASS_*; 'auth_challenge' is the challenge/response
 * string and may be NULL when there is none (see get_user_pass() below).
 * Returns false on failure -- with GET_USER_PASS_NOFATAL this is reported
 * to the caller rather than treated as fatal (presumed from the flag name). */
bool get_user_pass_cr(struct user_pass *up,
                      const char *auth_file,
                      const char *prefix,
                      const unsigned int flags,
                      const char *auth_challenge);
/*
 * Plain credential prompt: get_user_pass_cr() without any
 * challenge/response text.  All other arguments are passed straight
 * through and the result is returned unchanged.
 */
static inline bool
get_user_pass(struct user_pass *up,
              const char *auth_file,
              const char *prefix,
              const unsigned int flags)
{
    const char *no_challenge = NULL;   /* no CRV1/SCRV1 challenge for this query */

    return get_user_pass_cr(up, auth_file, prefix, flags, no_challenge);
}
/* Report a credential failure.  'prefix' and 'flags' correspond to the
 * values given to get_user_pass*(); 'reason' is the human-readable cause,
 * presumably emitted in the log or management message. */
void fail_user_pass(const char *prefix,
                    const unsigned int flags,
                    const char *reason);

/* Clear the credentials held in 'up'.  'force' presumably overrides the
 * nocache decision -- confirm.  Because the strings are inline buffers,
 * this is where secret bytes should be scrubbed; whether they are wiped
 * or only 'defined' is reset is decided by the implementation. */
void purge_user_pass(struct user_pass *up, const bool force);

/* Substitute 'token' for the stored password; presumably sets
 * user_pass.tokenized (see that field's comment). */
void set_auth_token(struct user_pass *up, const char *token);
/*
 * Process string received by untrusted peer before
 * printing to console or log file.
 * Assumes that string has been null terminated.
 */
/* Returns a sanitized copy, presumably allocated from gc; the exact
 * escaping is defined in the implementation.  Peer-supplied text destined
 * for a log line should pass through this (or sanitize_control_message())
 * first. */
const char *safe_print(const char *str, struct gc_arena *gc);

/* returns true if environmental variable safe to print to log */
/* Applied to entry strings before logging, presumably by env_set_print() -- confirm. */
bool env_safe_to_print(const char *str);

/* returns true if environmental variable may be passed to an external program */
/* Allow-list check for entries exported to scripts and plugins; presumably
 * what make_env_array()'s check_allowed selects -- confirm. */
bool env_allowed(const char *str);
/* NOTE(review): purpose not documented here; presumably sets up the search
 * path used when spawning external programs -- confirm in the implementation. */
void configure_path(void);
/* Sanitize a control-channel message for display, returning a gc-allocated
 * copy (presumed); how it differs from safe_print() is defined in the
 * implementation. */
const char *sanitize_control_message(const char *str, struct gc_arena *gc);
#if AUTO_USERID
/* Fill 'up' with an automatically derived user id; 'tag' presumably
 * parameterizes the derivation -- confirm in the implementation. */
void get_user_pass_auto_userid(struct user_pass *up, const char *tag);

#endif
/*
 * /sbin/ip path, may be overridden
 */
/* Path to the iproute2 "ip" binary, only present with ENABLE_IPROUTE.
 * It is a mutable global (pointer to const char, not a const pointer), so
 * any override should come from trusted configuration only. */
#ifdef ENABLE_IPROUTE
extern const char *iproute_path;
#endif
/* Script security */
/* Level controlling which external programs may be executed.  Higher
 * values are strictly more permissive; SSEC_PW_ENV additionally lets
 * user-defined scripts receive a password through the environment, so a
 * configuration at that level exposes credentials to every script it
 * runs.  openvpn_execve_allowed() presumably consults this -- confirm. */
#define SSEC_NONE 0 /* strictly no calling of external programs */
#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/
#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */
#define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */
extern int script_security; /* GLOBAL */
#define COMPAT_FLAG_QUERY 0 /** compat_flags operator: Query for a flag */
#define COMPAT_FLAG_SET (1<<0) /** compat_flags operator: Set a compat flag */
#define COMPAT_NAMES (1<<1) /** compat flag: --compat-names set */
#define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */
/* Query or set a compat flag: the operator bits above are presumably OR'ed
 * with the flag (COMPAT_FLAG_QUERY being 0 means a bare flag queries).
 * Returns the flag's state (presumed). */
bool compat_flag(unsigned int flag);
#if P2MP_SERVER
/* helper to parse peer_info received from multi client, validate
 * (this is untrusted data) and put into environment */
/* validate_peer_info_line() takes a non-const line, so it may modify it in
 * place (presumed); it returns false when the line is rejected.  A rejected
 * line must not be exported, since env contents reach scripts and plugins. */
bool validate_peer_info_line(char *line);
/* Export the (validated) peer_info lines into 'es'. */
void output_peer_info_env(struct env_set *es, const char *peer_info);

#endif /* P2MP_SERVER */
#endif /* ifndef MISC_H */ |