From: James Yonan <ja...@openvpn.net> On the client, allow certain peer info fields to be pushed even if push-peer-info isn't specified in the config.
This is needed to allow the compression handshake to work correctly (i.e. where the client indicates its support for LZO and/or Snappy). Fields that have privacy implications such as Mac Address and UV_* environment variables will not be pushed to the server as before unless push-peer-info is specified by client config. v1: equivalent to OpenVPN SVN r8225 (2.1.21c) v2: distinguish 3 levels of peer-info detail --push-peer-info specified --> send all we have --pull specified --> send basic set, as per r8225 default --> send nothing (do not leak from server) Signed-off-by: Gert Doering <g...@greenie.muc.de> --- src/openvpn/init.c | 7 ++++++- src/openvpn/ssl.c | 43 ++++++++++++++++++++++--------------------- src/openvpn/ssl_common.h | 2 +- 3 files changed, 29 insertions(+), 23 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index e700cd6..2a0ba85 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2213,7 +2213,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) to.renegotiate_seconds = options->renegotiate_seconds; to.single_session = options->single_session; #ifdef ENABLE_PUSH_PEER_INFO - to.push_peer_info = options->push_peer_info; + if (options->push_peer_info) /* all there is */ + to.push_peer_info_detail = 2; + else if (options->pull) /* pull clients send some details */ + to.push_peer_info_detail = 1; + else /* default: no peer-info at all */ + to.push_peer_info_detail = 0; #endif /* should we not xmit any packets until we get an initial diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9ca409f..85d8db2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session) bool ret = false; #ifdef ENABLE_PUSH_PEER_INFO - if (session->opt->push_peer_info) /* write peer info */ + if (session->opt->push_peer_info_detail > 0) { struct env_set *es = session->opt->es; struct env_item *e; 
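Review bot: The three detail levels are assigned here as bare 0/1/2 and are then compared as `> 0` and `>= 2` in ssl.c, so the meaning of each level exists only in the inline comments on these assignments and a new level can be added in one file and missed in the other. I'd name them once next to the field they set, e.g. `enum { PEER_INFO_NONE = 0, PEER_INFO_BASIC = 1, PEER_INFO_ALL = 2 };` in ssl_common.h, and write `to.push_peer_info_detail = PEER_INFO_ALL;` (and BASIC/NONE) in this chain. The test order is right as written: `--push-peer-info` takes precedence over `--pull`, and a client configured with neither sends nothing. do_init_crypto_tls starts and ends outside this hunk.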
@@ -1803,38 +1803,39 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf (&out, "IV_PLAT=win\n"); #endif - /* push mac addr */ - { - struct route_gateway_info rgi; - get_default_gateway (&rgi); - if (rgi.flags & RGI_HWADDR_DEFINED) - buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); - } - /* push compression status */ #ifdef USE_COMP comp_generate_peer_info_string(&session->opt->comp_options, &out); #endif - /* push env vars that begin with UV_ */ - for (e=es->list; e != NULL; e=e->next) - { - if (e->string) + if (session->opt->push_peer_info_detail >= 2) + { + /* push mac addr */ + struct route_gateway_info rgi; + get_default_gateway (&rgi); + if (rgi.flags & RGI_HWADDR_DEFINED) + buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc)); + + /* push env vars that begin with UV_ */ + for (e=es->list; e != NULL; e=e->next) { - if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1)) - buf_printf (&out, "%s\n", e->string); + if (e->string) + { + if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1)) + buf_printf (&out, "%s\n", e->string); + } } } - if (!write_string(buf, BSTR(&out), -1)) - goto error; + if (!write_string(buf, BSTR(&out), -1)) + goto error; } else #endif - { - if (!write_empty_string (buf)) /* no peer info */ - goto error; - } + { + if (!write_empty_string (buf)) /* no peer info */ + goto error; + } ret = true; error: diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 47dbefb..0e97487 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -233,7 +233,7 @@ struct tls_options bool disable_occ; #endif #ifdef ENABLE_PUSH_PEER_INFO - bool push_peer_info; + int push_peer_info_detail; #endif int transition_window; int handshake_window; -- 1.8.1.5
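Review bot: The new `>= 2` block is the only privacy gate in this function, and nothing in the hunk records why IV_HWADDR and the UV_* variables are held back while the compression status (and, from the context lines, IV_PLAT) go out at the lower level; a maintainer adding a field later has to recover that from the commit message. I'd put the rationale on the block itself, `/* Level 2 (--push-peer-info) only: the MAC address and UV_* env vars identify the host/user and must not leave the client unless explicitly enabled. */`, and the inverse on the comp_generate_peer_info_string call above it, `/* Sent at level >= 1: the server needs it for the compression handshake. */`. Since a `--pull` client now appears to send the basic IV_* set without `--push-peer-info`, the `--push-peer-info` man page entry should say so, and the diffstat shows no documentation file in this series. push_peer_info starts and ends outside this hunk.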
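Review bot: `push_peer_info_detail` turns a bool into an int whose valid values and their meaning are not stated at the declaration, so the levels are only defined by the comments on the assignments in init.c. I'd document them where the field is declared: `int push_peer_info_detail; /* 0 = no peer info, 1 = basic IV_* set (--pull), 2 = everything incl. IV_HWADDR and UV_* (--push-peer-info) */`. struct tls_options starts and ends outside this hunk.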