1/* 2 * OpenVPN -- An application to securely tunnel IP networks 3 * over a single TCP/UDP port, with support for SSL/TLS-based 4 * session authentication and key exchange, 5 * packet encryption, packet authentication, and 6 * packet compression. 7 * 8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 12 * as published by the Free Software Foundation. 13 * 14 * This program is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU General Public License for more details. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program (see the file COPYING included with this 21 * distribution); if not, write to the Free Software Foundation, Inc., 22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23 */ 24 25#ifndef MISC_H 26#define MISC_H 27 28#include "basic.h" 29#include "common.h" 30#include "integer.h" 31#include "buffer.h" 32#include "platform.h" 33 34/* socket descriptor passed by inetd/xinetd server to us */ 35#define INETD_SOCKET_DESCRIPTOR 0 36 37/* forward declarations */ 38struct plugin_list; 39 40/* used by argv_x functions */ 41struct argv { 42 size_t capacity; 43 size_t argc; 44 char **argv; 45 char *system_str; 46}; 47 48/* 49 * Handle environmental variable lists 50 */ 51 52struct env_item { 53 char *string; 54 struct env_item *next; 55}; 56 57struct env_set { 58 struct gc_arena *gc; 59 struct env_item *list; 60}; 61 62void run_up_down (const char *command, 63 const struct plugin_list *plugins, 64 int plugin_type, 65 const char *arg, 66 const char *dev_type, 67 int tun_mtu, 68 int link_mtu, 69 const char *ifconfig_local, 70 const char* ifconfig_remote, 71 const char *context, 72 const char *signal_text, 73 const char *script_type, 74 struct env_set *es); 75 76/* workspace for get_pid_file/write_pid */ 77struct pid_state { 78 FILE *fp; 79 const char *filename; 80}; 81 82void get_pid_file (const char* filename, struct pid_state *state); 83void write_pid (const struct pid_state *state); 84 85/* check file protections */ 86void warn_if_group_others_accessible(const char* filename); 87 88/* system flags */ 89#define S_SCRIPT (1<<0) 90#define S_FATAL (1<<1) 91 92const char *system_error_message (int, struct gc_arena *gc); 93 94/* wrapper around the execve() call */ 95int openvpn_popen (const struct argv *a, const struct env_set *es); 96int openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags); 97bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message); 98bool openvpn_execve_allowed (const unsigned int flags); 99 100static inline bool 101openvpn_run_script (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook) 102{ 103 char msg[256]; 104 105 openvpn_snprintf(msg, sizeof(msg), "WARNING: Failed running command (%s)", hook); 106 return openvpn_execve_check(a, es, flags | S_SCRIPT, msg); 107} 108 109 110#ifdef HAVE_STRERROR 111/* a thread-safe version of strerror */ 112const char* strerror_ts (int errnum, struct gc_arena *gc); 113#endif 114 115/* Set standard file descriptors to /dev/null */ 116void set_std_files_to_null (bool stdin_only); 117 118/* dup inetd/xinetd socket descriptor and save */ 119extern int inetd_socket_descriptor; 120void save_inetd_socket_descriptor (void); 121 122/* init random() function, only used as source for weak random numbers, when !ENABLE_CRYPTO */ 123void init_random_seed(void); 124 125/* set/delete environmental variable */ 126void setenv_str_ex (struct env_set *es, 127 const char *name, 128 const char *value, 129 const unsigned int name_include, 130 const unsigned int name_exclude, 131 const char name_replace, 132 const unsigned int value_include, 133 const unsigned int value_exclude, 134 const char value_replace); 135 136void setenv_counter (struct env_set *es, const char *name, counter_type value); 137void setenv_int (struct env_set *es, const char *name, int value); 138void setenv_unsigned (struct env_set *es, const char *name, unsigned int value); 139void setenv_str (struct env_set *es, const char *name, const char *value); 140void setenv_str_safe (struct env_set *es, const char *name, const char *value); 141void setenv_del (struct env_set *es, const char *name); 142 143void setenv_int_i (struct env_set *es, const char *name, const int value, const int i); 144void setenv_str_i (struct env_set *es, const char *name, const char *value, const int i); 145 146/* struct env_set functions */ 147 148struct env_set *env_set_create (struct gc_arena *gc); 149void env_set_destroy (struct env_set *es); 150bool env_set_del (struct env_set *es, const char *str); 151void env_set_add (struct env_set *es, const char *str); 152 153void env_set_print (int msglevel, const struct env_set *es); 154 155void env_set_inherit (struct env_set *es, const struct env_set *src); 156 157void env_set_add_to_environment (const struct env_set *es); 158void env_set_remove_from_environment (const struct env_set *es); 159 160/* Make arrays of strings */ 161 162const char **make_env_array (const struct env_set *es, 163 const bool check_allowed, 164 struct gc_arena *gc); 165 166const char **make_arg_array (const char *first, const char *parms, struct gc_arena *gc); 167const char **make_extended_arg_array (char **p, struct gc_arena *gc); 168 169/* convert netmasks for iproute2 */ 170int count_netmask_bits(const char *); 171unsigned int count_bits(unsigned int ); 172 173/* an analogue to the random() function, but use OpenSSL functions if available */ 174#ifdef ENABLE_CRYPTO 175long int get_random(void); 176#else 177#define get_random random 178#endif 179 180/* return true if filename can be opened for read */ 181bool test_file (const char *filename); 182 183/* create a temporary file in directory, returns the filename of the created file */ 184const char *create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc); 185 186/* put a directory and filename together */ 187const char *gen_path (const char *directory, const char *filename, struct gc_arena *gc); 188 189/* return true if pathname is absolute */ 190bool absolute_pathname (const char *pathname); 191 192/* prepend a random prefix to hostname (need ENABLE_CRYPTO) */ 193const char *hostname_randomize(const char *hostname, struct gc_arena *gc); 194 195/* 196 * Get and store a username/password 197 */ 198 199struct user_pass 200{ 201 bool defined; 202 bool nocache; 203 204/* max length of username/password */ 205# ifdef ENABLE_PKCS11 206# define USER_PASS_LEN 4096 207# else 208# define USER_PASS_LEN 128 209# endif 210 char username[USER_PASS_LEN]; 211 char password[USER_PASS_LEN]; 212}; 213 214#ifdef ENABLE_CLIENT_CR 215/* 216 * Challenge response info on client as pushed by server. 217 */ 218struct auth_challenge_info { 219# define CR_ECHO (1<<0) /* echo response when typed by user */ 220# define CR_RESPONSE (1<<1) /* response needed */ 221 unsigned int flags; 222 223 const char *user; 224 const char *state_id; 225 const char *challenge_text; 226}; 227 228struct auth_challenge_info *get_auth_challenge (const char *auth_challenge, struct gc_arena *gc); 229 230/* 231 * Challenge response info on client as pushed by server. 232 */ 233struct static_challenge_info { 234# define SC_ECHO (1<<0) /* echo response when typed by user */ 235 unsigned int flags; 236 237 const char *challenge_text; 238}; 239 240#else 241struct auth_challenge_info {}; 242struct static_challenge_info {}; 243#endif 244 245/* 246 * Flags for get_user_pass and management_query_user_pass 247 */ 248#define GET_USER_PASS_MANAGEMENT (1<<0) 249#define GET_USER_PASS_SENSITIVE (1<<1) 250#define GET_USER_PASS_PASSWORD_ONLY (1<<2) 251#define GET_USER_PASS_NEED_OK (1<<3) 252#define GET_USER_PASS_NOFATAL (1<<4) 253#define GET_USER_PASS_NEED_STR (1<<5) 254#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6) 255 256#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /* CRV1 protocol -- dynamic challenge */ 257#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */ 258#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */ 259 260bool get_user_pass_cr (struct user_pass *up, 261 const char *auth_file, 262 const char *prefix, 263 const unsigned int flags, 264 const char *auth_challenge); 265 266static inline bool 267get_user_pass (struct user_pass *up, 268 const char *auth_file, 269 const char *prefix, 270 const unsigned int flags) 271{ 272 return get_user_pass_cr (up, auth_file, prefix, flags, NULL); 273} 274 275void fail_user_pass (const char *prefix, 276 const unsigned int flags, 277 const char *reason); 278 279void purge_user_pass (struct user_pass *up, const bool force); 280 281void set_auth_token (struct user_pass *up, const char *token); 282 283/* 284 * Process string received by untrusted peer before 285 * printing to console or log file. 286 * Assumes that string has been null terminated. 287 */ 288const char *safe_print (const char *str, struct gc_arena *gc); 289 290/* returns true if environmental variable safe to print to log */ 291bool env_safe_to_print (const char *str); 292 293/* returns true if environmental variable may be passed to an external program */ 294bool env_allowed (const char *str); 295 296/* 297 * A sleep function that services the management layer for n 298 * seconds rather than doing nothing. 299 */ 300void openvpn_sleep (const int n); 301 302void configure_path (void); 303 304const char *sanitize_control_message(const char *str, struct gc_arena *gc); 305 306#if AUTO_USERID 307void get_user_pass_auto_userid (struct user_pass *up, const char *tag); 308#endif 309 310/* 311 * /sbin/ip path, may be overridden 312 */ 313#ifdef ENABLE_IPROUTE 314extern const char *iproute_path; 315#endif 316 317/* Script security */ 318#define SSEC_NONE 0 /* strictly no calling of external programs */ 319#define SSEC_BUILT_IN 1 /* only call built-in programs such as ifconfig, route, netsh, etc.*/ 320#define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */ 321#define SSEC_PW_ENV 3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */ 322extern int script_security; /* GLOBAL */ 323 324/* return the next largest power of 2 */ 325size_t adjust_power_of_2 (size_t u); 326 327/* 328 * A printf-like function (that only recognizes a subset of standard printf 329 * format operators) that prints arguments to an argv list instead 330 * of a standard string. This is used to build up argv arrays for passing 331 * to execve. 332 */ 333void argv_init (struct argv *a); 334struct argv argv_new (void); 335void argv_reset (struct argv *a); 336char *argv_term (const char **f); 337const char *argv_str (const struct argv *a, struct gc_arena *gc, const unsigned int flags); 338struct argv argv_insert_head (const struct argv *a, const char *head); 339void argv_msg (const int msglev, const struct argv *a); 340void argv_msg_prefix (const int msglev, const struct argv *a, const char *prefix); 341const char *argv_system_str (const struct argv *a); 342 343#define APA_CAT (1<<0) /* concatentate onto existing struct argv list */ 344void argv_printf_arglist (struct argv *a, const char *format, const unsigned int flags, va_list arglist); 345 346void argv_printf (struct argv *a, const char *format, ...) 347#ifdef __GNUC__ 348#if __USE_MINGW_ANSI_STDIO 349 __attribute__ ((format (gnu_printf, 2, 3))) 350#else 351 __attribute__ ((format (__printf__, 2, 3))) 352#endif 353#endif 354 ; 355 356void argv_printf_cat (struct argv *a, const char *format, ...) 357#ifdef __GNUC__ 358#if __USE_MINGW_ANSI_STDIO 359 __attribute__ ((format (gnu_printf, 2, 3))) 360#else 361 __attribute__ ((format (__printf__, 2, 3))) 362#endif 363#endif 364 ; 365 366#define COMPAT_FLAG_QUERY 0 /** compat_flags operator: Query for a flag */ 367#define COMPAT_FLAG_SET (1<<0) /** compat_flags operator: Set a compat flag */ 368#define COMPAT_NAMES (1<<1) /** compat flag: --compat-names set */ 369#define COMPAT_NO_NAME_REMAPPING (1<<2) /** compat flag: --compat-names without char remapping */ 370bool compat_flag (unsigned int flag); 371 372#endif 373