authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
commit749384a154025e268b53cf3cc79eaeddde2b3ceb (patch)
tree27baa9e6aec76635d750405d90cd461440a656d1 /src/openvpn/init.c
parentdb4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff)
initial stretch branch release 2.4.0-6
Diffstat (limited to 'src/openvpn/init.c')
-rw-r--r--src/openvpn/init.c125
1 files changed, 48 insertions, 77 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 0652ef4..cf4a64c 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -16,9 +16,10 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
@@ -251,42 +252,31 @@ ce_management_query_remote(struct context *c)
{
struct gc_arena gc = gc_new();
volatile struct connection_entry *ce = &c->options.ce;
- int ce_changed = true; /* presume the connection entry will be changed */
-
+ int ret = true;
update_time();
if (management)
{
struct buffer out = alloc_buf_gc(256, &gc);
-
- buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
- proto2ascii(ce->proto, ce->af, false));
+ buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false));
management_notify_generic(management, BSTR(&out));
-
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
- while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+ ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);
+ while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
{
management_event_loop_n_seconds(management, 1);
if (IS_SIG(c))
{
- ce_changed = false; /* connection entry have not been set */
+ ret = false;
break;
}
}
}
- gc_free(&gc);
-
- if (ce_changed)
{
- /* If it is likely a connection entry was modified,
- * check what changed in the flags and that it was not skipped
- */
- const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
- & CE_MAN_QUERY_REMOTE_MASK);
- ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
+ const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
+ ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);
}
- return ce_changed;
+ gc_free(&gc);
+ return ret;
}
#endif /* ENABLE_MANAGEMENT */
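Review bot: On the new side a signal received during the management wait no longer makes the function return false: the `ret = false` set at the `IS_SIG(c)` break is overwritten by the bare block that follows, which recomputes `ret` from `ce->flags` unconditionally now that the `if (ce_changed)` guard is gone. A caller therefore sees the entry as changed (unless the flags happen to read SKIP) even though the loop was aborted, which defeats the purpose of the early break. Guarding that block on the wait having completed, `if (ret)` in place of the bare `{`, restores the intended result; keeping `gc_free(&gc)` after the block, as the new side does, is fine since the block does not touch the arena.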
@@ -341,8 +331,7 @@ next_connection_entry(struct context *c)
struct connection_entry *ce;
int n_cycles = 0;
- do
- {
+ do {
ce_defined = true;
if (c->options.no_advance && l->current >= 0)
{
@@ -414,7 +403,11 @@ next_connection_entry(struct context *c)
break;
}
}
- else if (ce_defined && management && management_query_proxy_enabled(management))
+ else
+#endif
+
+#ifdef ENABLE_MANAGEMENT
+ if (ce_defined && management && management_query_proxy_enabled(management))
{
ce_defined = ce_management_query_proxy(c);
if (IS_SIG(c))
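Review bot: The bare `else` on the new side is immediately followed by `#endif` and a fresh `#ifdef ENABLE_MANAGEMENT`, so it binds to the `if` on the next line only because both preprocessor guards happen to use the same symbol; the guard that opens this chain begins before the hunk and is not visible here, so this is inferred. If the two guards ever diverge, the `else` silently attaches to whatever statement follows the `#endif`. Keeping one `#ifdef` around the whole chain, or writing the two branches as a single `else if` under one guard, removes that dependency. The enclosing do-loop of next_connection_entry starts and ends outside the hunk.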
@@ -540,10 +533,8 @@ context_init_1(struct context *c)
int i;
pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
- {
pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
- }
}
#endif
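Review bot: The pkcs11_addProvider loop body on the new side is a two-line statement with no braces, so a line inserted before it by a later maintainer would land outside the loop without any compiler complaint. The same brace removal is made in the three init_static hunks further down (the argv `msg` loop, the `buffer_list_push` loop and the `putchar` loop). Bracing every control body, as the old side did, is the usual defense against that class of mistake and costs nothing. context_init_1 continues outside the hunk.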
@@ -561,15 +552,6 @@ context_init_1(struct context *c)
}
#endif
-#ifdef ENABLE_SYSTEMD
- /* We can report the PID via getpid() to systemd here as OpenVPN will not
- * do any fork due to daemon() a future call.
- * See possibly_become_daemon() [init.c] for more details.
- */
- sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
- (unsigned long) getpid());
-#endif
-
}
void
@@ -632,9 +614,7 @@ init_static(void)
{
int i;
for (i = 0; i < argc; ++i)
- {
msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
- }
}
#endif
@@ -780,9 +760,7 @@ init_static(void)
{
int i;
for (i = 0; i < SIZE(text); ++i)
- {
buffer_list_push(bl, (unsigned char *)text[i]);
- }
}
printf("[cap=%d i=%d] *************************\n", listcap, iter);
if (!(iter & 8))
@@ -805,9 +783,7 @@ init_static(void)
int c;
printf("'");
while ((c = buf_read_u8(buf)) >= 0)
- {
putchar(c);
- }
printf("'\n");
buffer_list_advance(bl, 0);
}
@@ -1050,6 +1026,24 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
{
if (no_delay)
{
+#ifdef ENABLE_SYSTEMD
+ /* If OpenVPN is started by systemd, the OpenVPN process needs
+ * to provide a preliminary status report to systemd. This is
+ * needed as $NOTIFY_SOCKET will not be available inside the
+ * chroot, which sd_notify()/sd_notifyf() depends on.
+ *
+ * This approach is the simplest and the most non-intrusive
+ * solution right before the 2.4_rc2 release.
+ *
+ * TODO: Consider altnernative solutions - bind mount?
+ * systemd does not grok OpenVPN configuration files, thus cannot
+ * have a sane way to know if OpenVPN will chroot or not and to
+ * which subdirectory it will chroot into.
+ */
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Entering chroot, most of the init completed successfully\n"
+ "MAINPID=%lu", (unsigned long) getpid());
+#endif
platform_chroot(c->options.chroot_dir);
}
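Review bot: The new comment explains that `$NOTIFY_SOCKET` is unreachable inside the chroot but does not say what that means for the `sd_notifyf()` calls that still run afterwards, such as the `READY=1\nSTATUS=%s\nMAINPID=%lu` call added to initialization_sequence_completed later in this diff: once chrooted those presumably become no-ops, so the "Entering chroot" status is the last one systemd will see. Adding a line such as `* Any sd_notify() issued after platform_chroot() below cannot reach systemd.` to this comment makes that explicit for the next reader. The comment also misspells "altnernative"; it should read "alternative". do_uid_gid_chroot's body continues outside the hunk.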
else if (c->first_time)
@@ -1382,21 +1376,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
/* If we delayed UID/GID downgrade or chroot, do it now */
do_uid_gid_chroot(c, true);
-
-#ifdef ENABLE_CRYPTO
- /*
- * In some cases (i.e. when receiving auth-token via
- * push-reply) the auth-nocache option configured on the
- * client is overridden; for this reason we have to wait
- * for the push-reply message before attempting to wipe
- * the user/pass entered by the user
- */
- if (c->options.mode == MODE_POINT_TO_POINT)
- {
- delayed_auth_pass_purge();
- }
-#endif /* ENABLE_CRYPTO */
-
/* Test if errors */
if (flags & ISC_ERRORS)
{
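Review bot: With the `delayed_auth_pass_purge()` call removed, nothing in this function wipes the cached username/password once the push-reply has been processed, and the removed comment was the only place recording why the purge had been deferred to this point (a pushed auth-token can override --auth-nocache). If the --auth-nocache purge now happens elsewhere on the point-to-point path, a comment here should say where, e.g. `/* auth-nocache purge is done in <PURGE-SITE> — TODO confirm */`; if it does not, a client configured with --auth-nocache keeps its plaintext credentials in process memory for the whole session. The rest of initialization_sequence_completed is outside the hunk.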
@@ -1414,7 +1393,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
else
{
#ifdef ENABLE_SYSTEMD
- sd_notifyf(0, "STATUS=%s", message);
+ sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid());
#endif
msg(M_INFO, "%s", message);
}
@@ -1851,7 +1830,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
+ if (!win_wfp_uninit(c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
@@ -1891,7 +1870,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
+ if (!win_wfp_uninit(c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
@@ -1924,12 +1903,12 @@ tun_abort()
* equal, or either one is all-zeroes.
*/
static bool
-options_hash_changed_or_zero(const struct sha256_digest *a,
- const struct sha256_digest *b)
+options_hash_changed_or_zero(const struct md5_digest *a,
+ const struct md5_digest *b)
{
- const struct sha256_digest zero = {{0}};
- return memcmp(a, b, sizeof(struct sha256_digest))
- || !memcmp(a, &zero, sizeof(struct sha256_digest));
+ const struct md5_digest zero = {{0}};
+ return memcmp(a, b, sizeof(struct md5_digest))
+ || !memcmp(a, &zero, sizeof(struct md5_digest));
}
#endif /* P2MP */
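Review bot: options_hash_changed_or_zero now compares `struct md5_digest` values, so the fingerprint that, judging by its name, detects a change in the pulled option set rests on MD5; that is defensible only as long as the digest is a change detector over the client's own options rather than an integrity check against an adversary, and the comment above the function does not say so. A one-line addition such as `* MD5 is used here only as a change-detection fingerprint, not as a security boundary.` would record that assumption for whoever next touches the digest type. The `{{0}}` initializer and the two memcmp calls are correct as written for the new type.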
@@ -1940,7 +1919,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
{
reset_coarse_timers(c);
- if (pulled_options)
+ if (pulled_options && option_types_found)
{
if (!do_deferred_options(c, option_types_found))
{
@@ -2646,7 +2625,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
to.remote_cert_eku = options->remote_cert_eku;
to.verify_hash = options->verify_hash;
- to.verify_hash_algo = options->verify_hash_algo;
#ifdef ENABLE_X509ALTUSERNAME
to.x509_username_field = (char *) options->x509_username_field;
#else
@@ -2774,10 +2752,7 @@ do_init_crypto_none(const struct context *c)
{
ASSERT(!c->options.test_crypto);
msg(M_WARN,
- "******* WARNING *******: All encryption and authentication features "
- "disabled -- All data will be tunnelled as clear text and will not be "
- "protected against man-in-the-middle changes. "
- "PLEASE DO RECONSIDER THIS CONFIGURATION!");
+ "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
}
#endif /* ifdef ENABLE_CRYPTO */
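Review bot: The shortened warning on the new side no longer states the concrete consequence the old text spelled out, that traffic is unauthenticated and can be altered in transit, and drops the request to reconsider the configuration. Since this path is reached only with both encryption and authentication disabled, one clause naming the tampering risk is worth keeping, e.g. `"... all data will be tunnelled as cleartext and is not protected against modification in transit"`. The message is a single literal passed to `msg(M_WARN, ...)`, so extending it needs no format change.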
@@ -3022,10 +2997,6 @@ do_option_warnings(struct context *c)
{
msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
}
- if (o->ns_cert_type)
- {
- msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
- }
#endif /* ifdef ENABLE_CRYPTO */
/* If a script is used, print appropiate warnings */