validate.c File Reference
#include "validate.h"
#include <lmaccess.h>
#include <shlwapi.h>
#include <lm.h>


Functions

static BOOL IsUserInGroup (PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
 User is in the group if the token groups contain the SID of the group, or if the user is a direct member of the group. More...
 
static PTOKEN_GROUPS GetTokenGroups (const HANDLE token)
 Get a list of groups in token. More...
 
static BOOL CheckConfigPath (const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
 
static int OptionLookup (const WCHAR *name, const WCHAR *white_list[])
 
static BOOL GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
 
BOOL IsAuthorizedUser (PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
 
static BOOL LookupSID (const WCHAR *name, PSID sid, DWORD sid_size)
 
BOOL CheckOption (const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
 

Variables

static const WCHAR * white_list []
 

Function Documentation

◆ CheckConfigPath()

static BOOL CheckConfigPath ( const WCHAR *  workdir,
const WCHAR *  fname,
const settings_t s 
)
static

Definition at line 62 of file validate.c.

References settings_t::config_dir, M_SYSERR, MsgToEventLog(), and openvpn_swprintf().

Referenced by CheckOption().

◆ CheckOption()

BOOL CheckOption ( const WCHAR *  workdir,
int  argc,
WCHAR *  argv[],
const settings_t s 
)

Definition at line 329 of file validate.c.

References CheckConfigPath(), OptionLookup(), and white_list. Judging from these references, each option in argv appears to be looked up in the white_list allow-list via OptionLookup(), and the config-file argument is checked against the service's config_dir by CheckConfigPath() — confirm the exact accept/reject rule against the source before relying on it.

Referenced by ValidateOptions().

◆ GetBuiltinAdminGroupName()

static BOOL GetBuiltinAdminGroupName ( WCHAR *  name,
DWORD  nlen 
)
static

Definition at line 128 of file validate.c.

References free, malloc, and MAX_NAME.

Referenced by IsAuthorizedUser().

◆ GetTokenGroups()

static PTOKEN_GROUPS GetTokenGroups ( const HANDLE  token)
static

Get a list of groups in token.

Returns a pointer to a TOKEN_GROUPS struct, or NULL on error. The caller owns the returned buffer and must release it with free().

Definition at line 214 of file validate.c.

References free, M_SYSERR, malloc, and MsgToEventLog().

Referenced by IsAuthorizedUser().

◆ IsAuthorizedUser()

BOOL IsAuthorizedUser ( PSID  sid,
const HANDLE  token,
const WCHAR *  ovpn_admin_group 
)

◆ IsUserInGroup()

static BOOL IsUserInGroup ( PSID  sid,
const PTOKEN_GROUPS  token_groups,
const WCHAR *  group_name 
)
static

User is in the group if the token groups contain the SID of the group, or if the user is a direct member of the group.

The latter check catches dynamic changes in group membership in the local user database that are not yet reflected in the token (the group list in a token is fixed when the token is created). If token_groups or sid is NULL, the corresponding check is skipped.

Working from the SID and the token's group list avoids any reference to domain names, so the check can complete without contacting a Domain Controller.

Returns TRUE if the user is in the group, FALSE otherwise.

Definition at line 270 of file validate.c.

References LookupSID(), M_SYSERR, and MsgToEventLog().

Referenced by IsAuthorizedUser().

◆ LookupSID()

static BOOL LookupSID ( const WCHAR *  name,
PSID  sid,
DWORD  sid_size 
)
static

Definition at line 244 of file validate.c.

References MAX_NAME.

Referenced by IsUserInGroup().

◆ OptionLookup()

static int OptionLookup ( const WCHAR *  name,
const WCHAR *  white_list[] 
)
static

Definition at line 108 of file validate.c.

Referenced by CheckOption().

Variable Documentation

◆ white_list

const WCHAR* white_list[]
static
Initial value:
=
{
L"auth-retry",
L"config",
L"log",
L"log-append",
L"management",
L"management-forget-disconnect",
L"management-hold",
L"management-query-passwords",
L"management-query-proxy",
L"management-signal",
L"management-up-down",
L"mute",
L"setenv",
L"service",
L"verb",
L"pull-filter",
L"script-security",
NULL
}

Definition at line 30 of file validate.c.

Referenced by CheckOption().