I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/840?usp=email to look at the new patch set (#8). Change subject: dns: don't publish env vars to non-dns scripts ...................................................................... dns: don't publish env vars to non-dns scripts With --dns-script in place we no longer need DNS related vars in the environment for other script hooks. Code for doing that is removed and the function to set --dns stuff made static, for internal use only. Another thing: since --dns setting overrule DNS related --dhcp-options, remove the latter when we got some via --dns. Change-Id: I3fb01ab76cf3df0874ba92e08f371d17607a8369 Signed-off-by: Heiko Hund <he...@ist.eigentlich.net> --- M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 3 files changed, 133 insertions(+), 257 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/40/840/8 diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 3b3cf01..d295cec 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -350,93 +350,6 @@ } } -static void -setenv_dns_option(struct env_set *es, - const char *format, int i, int j, - const char *value) -{ - char name[64]; - bool name_ok = false; - - if (j < 0) - { - name_ok = snprintf(name, sizeof(name), format, i); - } - else - { - name_ok = snprintf(name, sizeof(name), format, i, j); - } - - if (!name_ok) - { - msg(M_WARN, "WARNING: dns option setenv name buffer overflow"); - } - - setenv_str(es, name, value); -} - -void -setenv_dns_options(const struct dns_options *o, struct env_set *es) -{ - struct gc_arena gc = gc_new(); - const struct dns_server *s; - const struct dns_domain *d; - int i, j; - - for (i = 1, d = o->search_domains; d != NULL; i++, d = d->next) - { - setenv_dns_option(es, "dns_search_domain_%d", i, -1, d->name); - } - - for (i = 1, s = o->servers; s != NULL; i++, s = s->next) - { - for (j = 0; j < s->addr_count; ++j) - { - if (s->addr[j].family == AF_INET) - { - setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, - print_in_addr_t(s->addr[j].in.a4.s_addr, IA_NET_ORDER, &gc)); - } - else - { - setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, - print_in6_addr(s->addr[j].in.a6, 0, &gc)); - } - if (s->addr[j].port) - { - setenv_dns_option(es, "dns_server_%d_port_%d", i, j + 1, - print_in_port_t(s->addr[j].port, &gc)); - } - } - - if (s->domains) - { - for (j = 1, d = s->domains; d != NULL; j++, d = d->next) - { - setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); - } - } - - if (s->dnssec) - { - setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, - dnssec_value(s->dnssec)); - } - - if (s->transport) - { - setenv_dns_option(es, "dns_server_%d_transport", i, -1, - transport_value(s->transport)); - } - if (s->sni) - { - setenv_dns_option(es, "dns_server_%d_sni", i, -1, s->sni); - } - } - - gc_free(&gc); -} - #ifdef _WIN32 static void 
@@ -525,6 +438,93 @@ #else /* ifdef _WIN32 */ static void +setenv_dns_option(struct env_set *es, + const char *format, int i, int j, + const char *value) +{ + char name[64]; + bool name_ok = false; + + if (j < 0) + { + name_ok = snprintf(name, sizeof(name), format, i); + } + else + { + name_ok = snprintf(name, sizeof(name), format, i, j); + } + + if (!name_ok) + { + msg(M_WARN, "WARNING: dns option setenv name buffer overflow"); + } + + setenv_str(es, name, value); +} + +static void +setenv_dns_options(const struct dns_options *o, struct env_set *es) +{ + struct gc_arena gc = gc_new(); + const struct dns_server *s; + const struct dns_domain *d; + int i, j; + + for (i = 1, d = o->search_domains; d != NULL; i++, d = d->next) + { + setenv_dns_option(es, "dns_search_domain_%d", i, -1, d->name); + } + + for (i = 1, s = o->servers; s != NULL; i++, s = s->next) + { + for (j = 0; j < s->addr_count; ++j) + { + if (s->addr[j].family == AF_INET) + { + setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, + print_in_addr_t(s->addr[j].in.a4.s_addr, IA_NET_ORDER, &gc)); + } + else + { + setenv_dns_option(es, "dns_server_%d_address_%d", i, j + 1, + print_in6_addr(s->addr[j].in.a6, 0, &gc)); + } + if (s->addr[j].port) + { + setenv_dns_option(es, "dns_server_%d_port_%d", i, j + 1, + print_in_port_t(s->addr[j].port, &gc)); + } + } + + if (s->domains) + { + for (j = 1, d = s->domains; d != NULL; j++, d = d->next) + { + setenv_dns_option(es, "dns_server_%d_resolve_domain_%d", i, j, d->name); + } + } + + if (s->dnssec) + { + setenv_dns_option(es, "dns_server_%d_dnssec", i, -1, + dnssec_value(s->dnssec)); + } + + if (s->transport) + { + setenv_dns_option(es, "dns_server_%d_transport", i, -1, + transport_value(s->transport)); + } + if (s->sni) + { + setenv_dns_option(es, "dns_server_%d_sni", i, -1, s->sni); + } + } + + gc_free(&gc); +} + +static void script_env_set(bool up, const struct dns_options *o, const struct tuntap *tt, struct env_set *es) { setenv_str(es, "dev", 
tt->actual_name); diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index fe00403..0696efd 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -168,14 +168,6 @@ struct dns_script_runner_info *dsri); /** - * Puts the DNS options into an environment set. - * - * @param o Pointer to the DNS options to set - * @param es Pointer to the env_set to set the options into - */ -void setenv_dns_options(const struct dns_options *o, struct env_set *es); - -/** * Prints configured DNS options. * * @param o Pointer to the DNS options to print diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8775ea3..df48763 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1043,11 +1043,6 @@ { setenv_connection_entry(es, &o->ce, 1); } - - if (!o->pull) - { - setenv_dns_options(&o->dns_options, es); - } } #ifndef _WIN32 
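Review bot: The overflow check in the moved `setenv_dns_option` does not detect truncation: `snprintf` returns an `int` (negative on error, otherwise the length that would have been written), and storing it in `bool name_ok` makes it true for any non-zero return, so the `M_WARN` branch fires only when the formatted name is empty. Replace the two assignments with `int n = snprintf(name, sizeof(name), format, i);` (and the `i, j` variant) and test `if (n < 0 || (size_t)n >= sizeof(name))` before calling `setenv_str`. With the 64-byte buffer and the fixed `dns_*` formats this cannot overflow in practice, but the check as written gives false assurance if a longer format is added later. This is pre-existing code moved into the `#else /* ifdef _WIN32 */` branch, so it could equally be fixed in a follow-up.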
@@ -1361,149 +1356,6 @@ } } } - -/* - * If DNS options are set use these for TUN/TAP options as well. - * Applies to DNS, DNS6 and DOMAIN-SEARCH. - * Existing options will be discarded. - */ -static void -tuntap_options_copy_dns(struct options *o) -{ - struct tuntap_options *tt = &o->tuntap_options; - struct dns_options *dns = &o->dns_options; - - if (dns->search_domains) - { - tt->domain_search_list_len = 0; - const struct dns_domain *domain = dns->search_domains; - while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN) - { - tt->domain_search_list[tt->domain_search_list_len++] = domain->name; - domain = domain->next; - } - if (domain) - { - msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option"); - } - tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED; - } - - if (dns->servers) - { - tt->dns_len = 0; - tt->dns6_len = 0; - bool overflow = false; - const struct dns_server *server = dns->servers; - while (server) - { - for (int i = 0; i < server->addr_count; ++i) - { - if (server->addr[i].family == AF_INET) - { - if (tt->dns_len >= N_DHCP_ADDR) - { - overflow = true; - continue; - } - tt->dns[tt->dns_len++] = ntohl(server->addr[i].in.a4.s_addr); - } - else - { - if (tt->dns6_len >= N_DHCP_ADDR) - { - overflow = true; - continue; - } - tt->dns6[tt->dns6_len++] = server->addr[i].in.a6; - } - } - server = server->next; - } - if (overflow) - { - msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option"); - } - tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL; - } -} -#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ -static void -foreign_options_copy_dns(struct options *o, struct env_set *es) -{ - const struct dns_domain *domain = o->dns_options.search_domains; - const struct dns_server *server = o->dns_options.servers; - if (!domain && !server) - { - return; - } - - /* reset the index since we're starting all over again */ - int opt_max = o->foreign_option_index; - o->foreign_option_index = 0; - - for (int i = 
1; i <= opt_max; ++i) - { - char name[32]; - snprintf(name, sizeof(name), "foreign_option_%d", i); - - const char *env_str = env_set_get(es, name); - const char *value = strchr(env_str, '=') + 1; - if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value) - || (server && strstr(value, "dhcp-option DNS") == value)) - { - setenv_del(es, name); - } - else - { - setenv_foreign_option(o, &value, 1, es); - } - } - - struct gc_arena gc = gc_new(); - - while (server) - { - for (size_t i = 0; i < server->addr_count; ++i) - { - if (server->addr[i].family == AF_INET) - { - const char *argv[] = { - "dhcp-option", - "DNS", - print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc) - }; - setenv_foreign_option(o, argv, 3, es); - } - else - { - const char *argv[] = { - "dhcp-option", - "DNS6", - print_in6_addr(server->addr[i].in.a6, 0, &gc) - }; - setenv_foreign_option(o, argv, 3, es); - } - } - server = server->next; - } - while (domain) - { - const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name }; - setenv_foreign_option(o, argv, 3, es); - domain = domain->next; - } - - gc_free(&gc); - - /* remove old leftover entries */ - while (o->foreign_option_index < opt_max) - { - char name[32]; - snprintf(name, sizeof(name), "foreign_option_%d", opt_max--); - setenv_del(es, name); - } -} #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ #ifndef ENABLE_SMALL @@ -3889,14 +3741,6 @@ { dns_options_preprocess_pull(&o->dns_options); } - else - { -#if defined(_WIN32) || defined(TARGET_ANDROID) - tuntap_options_copy_dns(o); -#else - foreign_options_copy_dns(o, es); -#endif - } if (o->auth_token_generate && !o->auth_token_renewal) { o->auth_token_renewal = o->renegotiate_seconds; @@ -4267,7 +4111,6 @@ /* * Sanity check on options after more options were pulled from server. - * Also time to modify some options based on other options. */ bool options_postprocess_pull(struct options *o, struct env_set *es) 
@@ -4276,12 +4119,53 @@ if (success) { dns_options_postprocess_pull(&o->dns_options); - setenv_dns_options(&o->dns_options, es); + #if defined(_WIN32) || defined(TARGET_ANDROID) - tuntap_options_copy_dns(o); -#else - foreign_options_copy_dns(o, es); -#endif + /* If there's --dns servers, remove dns related --dhcp-options */ + if (o->dns_options.servers) + { + o->tuntap_options.dns_len = 0; + o->tuntap_options.dns6_len = 0; + o->tuntap_options.domain = NULL; + o->tuntap_options.domain_search_list_len = 0; + } +#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */ + /* Clean up env from overridden DNS config */ + struct gc_arena gc = gc_new(); + struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); + struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc); + + const int fo_count = o->foreign_option_index; + o->foreign_option_index = 0; + + for (int i = 1; i <= fo_count; ++i) + { + buf_clear(&name); + buf_printf(&name, "foreign_option_%d", i); + const char *env_str = env_set_get(es, BSTR(&name)); + const char *item_val = strchr(env_str, '=') + 1; + buf_clear(&value); + buf_printf(&value, "%s", item_val); + + /* Remove foreign option item from env set */ + env_set_del(es, BSTR(&name)); + + item_val = BSTR(&value); + if (strncmp(item_val, "dhcp-option ", 12) != 0 + || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0 + && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0 + && strncmp(item_val + 12, "DOMAIN ", 7) != 0 + && strncmp(item_val + 12, "DNS6 ", 5) != 0 + && strncmp(item_val + 12, "DNS ", 4) != 0)) + { + /* Re-set the item with potentially updated name */ + buf_clear(&name); + buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index); + setenv_str(es, BSTR(&name), BSTR(&value)); + } + } + gc_free(&gc); +#endif /* defined(_WIN32) || defined(TARGET_ANDROID) */ } return success; } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/840?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings 
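Review bot: The non-Windows branch strips every pushed `dhcp-option DNS`/`DNS6`/`DOMAIN`/`DOMAIN-SEARCH`/`ADAPTER-DOMAIN-SUFFIX` foreign option from the env set unconditionally, whereas the Windows branch only clears the tuntap fields `if (o->dns_options.servers)`; a server that pushes only `dhcp-option DNS` and no `--dns` config will now hand its scripts an env set with those entries removed, which the commit message ("remove the latter when we got some via --dns") does not intend. The cleanup loop should sit under the same guard, e.g. `if (o->dns_options.servers)` around the `gc_new()`…`gc_free(&gc)` section, or `servers || search_domains` to match the early return of the deleted `foreign_options_copy_dns`. Inside the loop, `strchr(env_str, '=') + 1` is evaluated without checking that `env_set_get` returned a non-NULL string containing `=`; if either can fail, guard with `if (!env_str || !strchr(env_str, '=')) { continue; }` before the pointer arithmetic. The enclosing `options_postprocess_pull` begins outside this hunk.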
Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I3fb01ab76cf3df0874ba92e08f371d17607a8369 Gerrit-Change-Number: 840 Gerrit-PatchSet: 8 Gerrit-Owner: d12fk <he...@openvpn.net> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: cron2 <g...@greenie.muc.de> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: d12fk <he...@openvpn.net> Gerrit-MessageType: newpatchset