From patchwork Fri Jul 10 06:42:18 2020
X-Patchwork-Submitter: Jan Just Keijser
X-Patchwork-Id: 1224
To: Gert Doering
References: <20200621111403.GP1431@greenie.muc.de> <20200624102804.GM1431@greenie.muc.de> <50ad64e7-b75c-e40b-5d5e-9e89e90db45d@nikhef.nl> <20200630141103.GY1431@greenie.muc.de> <67f23584-07bd-7f0a-de1d-6ac285342e46@nikhef.nl> <20200706161532.GH1431@greenie.muc.de> <20200708082428.GT1431@greenie.muc.de>
From: Jan Just Keijser
Message-ID: <198ea3c8-a306-6a52-eaf6-e88aca10812b@nikhef.nl>
Date: Fri, 10 Jul 2020 18:42:18 +0200
In-Reply-To: <20200708082428.GT1431@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH] [V4] Added support for DHCP option 119 (dns search suffix list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN as well.
Cc: "openvpn-devel@lists.sourceforge.net"

On 08/07/20 10:24, Gert Doering wrote:
> Can I have a v4, please? :-)

V4:

From fe0592df3235f3eb9bc9820586651ba8fc8bade0 Mon Sep 17 00:00:00 2001
From: Jan Just Keijser Date: Fri, 10 Jul 2020 18:40:43 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN as well. Signed-off-by: Jan Just Keijser --- src/openvpn/options.c | 27 +++++++++++++++++++ src/openvpn/tun.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/openvpn/tun.h | 6 +++++ 3 files changed, 107 insertions(+) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index b93fd4f..ff3a116 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -732,6 +732,7 @@ static const char usage_message[] = " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" + " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n" " WINS addr : Set WINS server address(es)\n" " NBT type : Set NetBIOS over TCP/IP Node type\n" " 1: B, 2: P, 4: M, 8: H\n" @@ -1145,6 +1146,19 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren #ifndef ENABLE_SMALL static void +show_dhcp_option_list(const char *name, const char * const*array, int len) +{ + int i; + for (i = 0; i < len; ++i) + { + msg(D_SHOW_PARMS, " %s[%d] = %s", + name, + i, + array[i] ); + } +} + +static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len) { struct gc_arena gc = gc_new(); @@ -1179,6 +1193,7 @@ show_tuntap_options(const struct tuntap_options *o) show_dhcp_option_addrs("WINS", o->wins, o->wins_len); show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len); + show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len); } #endif /* ifndef ENABLE_SMALL */ 
@@ -7460,6 +7475,18 @@ add_option(struct options *options, { dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel); } + else if (streq(p[1], "DOMAIN-SEARCH") && p[2]) + { + if (o->domain_search_list_len < N_SEARCH_LIST_LEN) + { + o->domain_search_list[o->domain_search_list_len++] = p[2]; + } + else + { + msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified", + p[1], N_SEARCH_LIST_LEN); + } + } else if (streq(p[1], "DISABLE-NBT") && !p[2]) { o->disable_nbt = 1; diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 2a2df27..75d5b04 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c 
@@ -5673,6 +5673,72 @@ write_dhcp_str(struct buffer *buf, const int type, const char *str, bool *error) buf_write(buf, str, len); } +/* + * RFC3397 states that multiple searchdomains are encoded as follows: + * - at start the length of the entire option is given + * - each subdomain is preceded by its length + * - each searchdomain is separated by a NUL character + * e.g. if you want "openvpn.net" and "duckduckgo.com" then you end up with + * 0x13 0x7 openvpn 0x3 net 0x00 0x0A duckduckgo 0x3 com 0x00 + */ +static void +write_dhcp_search_str(struct buffer *buf, const int type, const char * const *str_array, + int array_len, bool *error) +{ + char tmp_buf[256]; + int i; + int len = 0; + + for (i=0; i < array_len; i++) + { + const char *ptr = str_array[i], *dotptr = str_array[i]; + int j, k; + + msg(M_INFO, "Processing '%s'", ptr); + + if (strlen(ptr) + len + 1 > sizeof(tmp_buf)) + { + *error = true; + msg(M_WARN, "write_dhcp_search_str: temp buffer overflow building DHCP options"); + return; + } + /* Loop over all subdomains separated by a dot and replace the dot + with the length of the subdomain */ + while ((dotptr = strchr(ptr, '.')) != NULL) + { + j = dotptr - ptr; + tmp_buf[len++] = j; + for (k=0; k < j; k++) tmp_buf[len++] = ptr[k]; + ptr = dotptr + 1; + } + + /* Now do the remainder after the last dot */ + j = strlen(ptr); + tmp_buf[len++] = j; + for (k=0; k < j; k++) tmp_buf[len++] = ptr[k]; + + /* And close off with an extra NUL char */ + tmp_buf[len++] = 0; + } + + if (!buf_safe(buf, 2 + len)) + { + *error = true; + msg(M_WARN, "write_search_dhcp_str: buffer overflow building DHCP options"); + return; + } + if (len > 255) + { + *error = true; + msg(M_WARN, "write_dhcp_search_str: search domain string must be <= 255 bytes"); + return; + } + + buf_write_u8(buf, type); + buf_write_u8(buf, len); + for (i=0; i < len; i++) buf_write_u8(buf, tmp_buf[i]); +} + static bool build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) { 
@@ -5697,6 +5763,14 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->ntp_len, &error); write_dhcp_u32_array(buf, 45, (uint32_t *)o->nbdd, o->nbdd_len, &error); + if (o->domain_search_list_len > 0) + { + write_dhcp_search_str(buf, 119, o->domain_search_list, + o->domain_search_list_len, + &error); + } + + /* the MS DHCP server option 'Disable Netbios-over-TCP/IP * is implemented as vendor option 001, value 002. * A value of 001 means 'leave NBT alone' which is the default */ diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index b38e7e9..99826cf 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -112,6 +112,12 @@ struct tuntap_options { in_addr_t nbdd[N_DHCP_ADDR]; int nbdd_len; +#define N_SEARCH_LIST_LEN 10 /* Max # of entries in domin-search list */ + + /* SEARCH (119), MacOS, Linux, Win10 1809+ */ + const char *domain_search_list[N_SEARCH_LIST_LEN]; + int domain_search_list_len; + /* DISABLE_NBT (43, Vendor option 001) */ bool disable_nbt; -- 1.8.3.1
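Review bot: style point in the show_dhcp_option_list hunk of options.c: `array[i] );` carries a stray space before the closing parenthesis, and the three-line msg() argument list fits on one line; the rest of the helper mirrors show_dhcp_option_addrs and reads fine.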
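Review bot: in the DOMAIN-SEARCH branch of add_option (options.c), p[2] is stored without any validation of its contents, so an entry with an empty label (leading, trailing or doubled dot), a label longer than 63 bytes, or a total length over 255 bytes is only noticed later in write_dhcp_search_str when the options string is built, where it sets *error rather than reporting a bad configuration. Consider checking each entry here and rejecting invalid ones with msg(msglevel, ...), the same way the N_SEARCH_LIST_LEN limit is already reported.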
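Review bot: the tmp_buf size check in write_dhcp_search_str (tun.c) is off by one. Encoding an entry of strlen(ptr) bytes writes strlen(ptr) + 2 bytes into tmp_buf (each dot is replaced by a length byte, plus one length byte for the first label and the terminating NUL), but the check only reserves strlen(ptr) + len + 1, so an entry that brings len to exactly 255 writes one byte past the end of tmp_buf[256]; change it to `if (strlen(ptr) + len + 2 > sizeof(tmp_buf))`. The label loop also needs two checks: an empty label (from a leading, trailing or doubled dot) emits a zero length byte, which a decoder reads as end of name, and a label longer than 63 bytes is invalid in this encoding because the top two bits of the length byte are reserved for RFC 3397 compression pointers, yet j is written unchecked; both should set *error. Smaller points: the `msg(M_INFO, "Processing '%s'", ptr)` line is debugging output and should go or move to a D_ debug level, one warning names the function write_search_dhcp_str, the brace-less single-line for loops do not match the surrounding style, and the example in the comment gives the option length as 0x13 while the bytes shown add up to 29 (0x1D).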
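Review bot: in the tun.h hunk, the comment on N_SEARCH_LIST_LEN misspells "domain" as "domin-search", and the comment "SEARCH (119), MacOS, Linux, Win10 1809+" lists platforms the patch does not handle: the option is only wired into build_dhcp_options_string, so either narrow the comment to Windows or note that the other platforms are not covered here.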