git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2008/11/18 12:22:52... | ... |
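--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -3288,6 +3288,20 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
 .\"*********************************************************
 .TP
+.B --opt-verify
+Clients that connect with options that are incompatible
+with those of the server will be disconnected.
+
+Options that will be compared for compatibility include
+dev-type, link-mtu, tun-mtu, proto, tun-ipv6, ifconfig,
+comp-lzo, fragment, keydir, cipher, auth, keysize, secret,
+no-replay, no-iv, tls-auth, key-method, tls-server, and tls-client.
+
+This option requires that
+.B --disable-occ
+NOT be used.
+.\"*********************************************************
+.TP
 .B --auth-user-pass-optional
 Allow connections by clients that do not specify a username/password.
 Normally, when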
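--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -384,6 +384,8 @@ static const char usage_message[] =
 " run script cmd to verify. If method='via-env', pass\n"
 " user/pass via environment, if method='via-file', pass\n"
 " user/pass via temporary file.\n"
+ "--opt-verify : Clients that connect with options that are incompatible\n"
+ " with those of the server will be disconnected.\n"
 "--auth-user-pass-optional : Allow connections by clients that don't\n"
 " specify a username/password.\n"
 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"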
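--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1758,6 +1760,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
 msg (M_USAGE, "--username-as-common-name requires --mode server");
 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
 msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
+ if (options->ssl_flags & SSLF_OPT_VERIFY)
+ msg (M_USAGE, "--opt-verify requires --mode server");
 if (options->auth_user_pass_verify_script)
 msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
 #if PORT_SHARE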
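Review bot: The man page hunk states that --opt-verify requires --disable-occ NOT be used, but the new check in options_postprocess_verify_ce only rejects the flag outside --mode server, so a server configured with both --opt-verify and --disable-occ (or a build where the conditionally compiled option-comparison block closed by the #endif in the key_method_2_read hunk is absent) keeps accepting every client, because `ks->authenticated = false` is only reached from the options-mismatch branch. I would add, next to the new --mode server check, a usage error when option consistency checking is off, e.g. `if ((options->ssl_flags & SSLF_OPT_VERIFY) && <OCC-disabled-condition>) msg (M_USAGE, "--opt-verify requires --disable-occ NOT be used");`, where the field recording --disable-occ is not visible in this hunk and should be taken from struct options. Presumably a client that sends no options string at all also bypasses the mismatch branch; the condition just above the key_method_2_read hunk should be checked for that case. The body of options_postprocess_verify_ce continues outside the hunk.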
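--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -4625,6 +4629,11 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
 }
+ else if (streq (p[0], "opt-verify"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_OPT_VERIFY;
+ }
 else if (streq (p[0], "auth-user-pass-verify") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_SCRIPT);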
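--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -3465,6 +3465,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 !options_cmp_equal (options, session->opt->remote_options))
 {
 options_warning (options, session->opt->remote_options);
+ if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
+ {
+ msg (D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
+ ks->authenticated = false;
+ }
 }
 #endif
 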
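--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -469,6 +469,7 @@ struct tls_options
 # define SSLF_USERNAME_AS_COMMON_NAME (1<<1)
 # define SSLF_AUTH_USER_PASS_OPTIONAL (1<<2)
 # define SSLF_NO_NAME_REMAPPING (1<<3)
+# define SSLF_OPT_VERIFY (1<<4)
 unsigned int ssl_flags;
 
 #ifdef MANAGEMENT_DEF_AUTH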