summaryrefslogtreecommitdiff
path: root/src/openvpn/options.c
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2019-02-20 14:11:46 +0100
committerBernhard Schmidt <berni@debian.org>2019-02-20 14:11:46 +0100
commit87356242baf10c8b2a94d9013e436ed2a0dada53 (patch)
treedd8c5f9774af74c20cdae579ac0f2d352a835e9e /src/openvpn/options.c
parent2c8e4bc4f9ab94e4d0b63341820d471af7c28c6c (diff)
New upstream version 2.4.7upstream/2.4.7
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c82
1 files changed, 16 insertions, 66 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d1adfb6..f951814 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1031,67 +1031,6 @@ get_ip_addr(const char *ip_string, int msglevel, bool *error)
return ret;
}
-/* helper: parse a text string containing an IPv6 address + netbits
- * in "standard format" (2001:dba::/32)
- * "/nn" is optional, default to /64 if missing
- *
- * return true if parsing succeeded, modify *network and *netbits
- */
-bool
-get_ipv6_addr( const char *prefix_str, struct in6_addr *network,
- unsigned int *netbits, int msglevel)
-{
- char *sep, *endp;
- int bits;
- struct in6_addr t_network;
-
- sep = strchr( prefix_str, '/' );
- if (sep == NULL)
- {
- bits = 64;
- }
- else
- {
- bits = strtol( sep+1, &endp, 10 );
- if (*endp != '\0' || bits < 0 || bits > 128)
- {
- msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
- return false;
- }
- }
-
- /* temporary replace '/' in caller-provided string with '\0', otherwise
- * inet_pton() will refuse prefix string
- * (alternative would be to strncpy() the prefix to temporary buffer)
- */
-
- if (sep != NULL)
- {
- *sep = '\0';
- }
-
- if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1)
- {
- msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
- return false;
- }
-
- if (sep != NULL)
- {
- *sep = '/';
- }
-
- if (netbits != NULL)
- {
- *netbits = bits;
- }
- if (network != NULL)
- {
- *network = t_network;
- }
- return true; /* parsing OK, values set */
-}
-
/**
* Returns newly allocated string containing address part without "/nn".
*
@@ -1769,6 +1708,7 @@ show_settings(const struct options *o)
SHOW_STR(cryptoapi_cert);
#endif
SHOW_STR(cipher_list);
+ SHOW_STR(cipher_list_tls13);
SHOW_STR(tls_cert_profile);
SHOW_STR(tls_verify);
SHOW_STR(tls_export_cert);
@@ -2783,6 +2723,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
MUST_BE_UNDEF(pkcs12_file);
#endif
MUST_BE_UNDEF(cipher_list);
+ MUST_BE_UNDEF(cipher_list_tls13);
MUST_BE_UNDEF(tls_cert_profile);
MUST_BE_UNDEF(tls_verify);
MUST_BE_UNDEF(tls_export_cert);
@@ -3498,7 +3439,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
struct key_type fake_kt;
init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
false);
- frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead()));
+ frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv,
o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher));
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
@@ -3787,11 +3728,15 @@ options_warning_safe_scan2(const int msglevel,
const char *b1_name,
const char *b2_name)
{
- /* we will stop sending 'proto xxx' in OCC in a future version
- * (because it's not useful), and to reduce questions when
- * interoperating, we start not-printing a warning about it today
+ /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
+ * OCC in a future version (because it's not useful). To reduce questions
+ * when interoperating, we no longer printing a warning about it.
*/
- if (strncmp(p1, "proto ", 6) == 0)
+ if (strprefix(p1, "key-method ")
+ || strprefix(p1, "keydir ")
+ || strprefix(p1, "proto ")
+ || strprefix(p1, "tls-auth ")
+ || strprefix(p1, "tun-ipv6"))
{
return;
}
@@ -7874,6 +7819,11 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
options->tls_cert_profile = p[1];
}
+ else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->cipher_list_tls13 = p[1];
+ }
else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
|| (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
{