authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-01-20 12:01:07 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-01-20 12:01:07 +0100
commit19eab1fe2df20e38ea64d7a642d3e21c957082b8 (patch)
treefad602b603321d3e0e45807f8abb4f6c670a6cf2 /src/openvpn/ssl.c
parent35807e5652390e8b2fd66b9051f3b41c9488302e (diff)
parent9653b1bffea4e96c1eb7c1814e8bed21fea62321 (diff)
Merge tag 'upstream/2.3.10'
Upstream version 2.3.10
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r--src/openvpn/ssl.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index a17c738..0679890 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -43,6 +43,7 @@
#endif
#include "syshead.h"
+#include "win32.h"
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
@@ -301,8 +302,9 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame
reliable_ack_adjust_frame_parameters (frame, CONTROL_SEND_ACK_MAX);
frame_add_to_extra_frame (frame, SID_SIZE + sizeof (packet_id_type));
- /* set dynamic link MTU to minimum value */
- frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN);
+ /* set dynamic link MTU to cap control channel packets at 1250 bytes */
+ ASSERT (TUN_LINK_DELTA (frame) < min_int (frame->link_mtu, 1250));
+ frame->link_mtu_dynamic = min_int (frame->link_mtu, 1250) - TUN_LINK_DELTA (frame);
}
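Review bot: The cap expression `min_int (frame->link_mtu, 1250)` is evaluated twice, once in the ASSERT and once in the assignment, and the literal 1250 appears three times including the comment, so a later change to the cap can silently drift between the check and the value it guards. Hoisting it into a local keeps the invariant and the assignment in lock step: `const int link_mtu_cap = min_int (frame->link_mtu, 1250);`, `ASSERT (TUN_LINK_DELTA (frame) < link_mtu_cap);`, `frame->link_mtu_dynamic = link_mtu_cap - TUN_LINK_DELTA (frame);`. The new code also writes `frame->link_mtu_dynamic` directly where the removed line went through frame_set_mtu_dynamic(); if that setter maintains other frame fields, it is worth a comment stating why the direct write is intended here. tls_init_control_channel_frame_parameters starts outside the hunk.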
void
@@ -333,7 +335,7 @@ void
pem_password_setup (const char *auth_file)
{
if (!strlen (passbuf.password))
- get_user_pass (&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_PASSWORD_ONLY);
+ get_user_pass (&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
}
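Review bot: GET_USER_PASS_SENSITIVE is dropped from the get_user_pass() call in pem_password_setup, and likewise from the three get_user_pass()/get_user_pass_cr() calls in auth_user_pass_setup in the next two hunks, with no comment in ssl.c explaining the change. The flag's definition and the callee live outside this file, but its name suggests it governed how password material read from auth_file was treated, so a reader of this file can no longer tell from the call sites whether a private-key passphrase or user password may now be taken from a file unconditionally. Since pem_password_setup is the only place in ssl.c that sources the key passphrase, a comment there would record the contract: `/* Passphrase may come from auth_file or from the management interface; protection of auth_file contents is the caller's responsibility. */` This note covers all four call sites; the later hunks need no separate comment.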
int
@@ -376,11 +378,11 @@ auth_user_pass_setup (const char *auth_file, const struct static_challenge_info
get_user_pass_cr (&auth_user_pass,
auth_file,
UP_TYPE_AUTH,
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_DYNAMIC_CHALLENGE,
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_DYNAMIC_CHALLENGE,
auth_challenge);
else if (sci) /* static challenge response */
{
- int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_STATIC_CHALLENGE;
+ int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_STATIC_CHALLENGE;
if (sci->flags & SC_ECHO)
flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
get_user_pass_cr (&auth_user_pass,
@@ -391,7 +393,7 @@ auth_user_pass_setup (const char *auth_file, const struct static_challenge_info
}
else
# endif
- get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
+ get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT);
#endif
}
}
@@ -555,6 +557,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
}
+ /* Check certificate notBefore and notAfter */
+ tls_ctx_check_cert_time(new_ctx);
+
/* Allowable ciphers */
if (options->cipher_list)
{
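Review bot: tls_ctx_check_cert_time(new_ctx) runs unconditionally, immediately after a block that appears to load certificates only conditionally (the branches above the hunk are not visible here), so it is worth confirming that the check tolerates a context with no certificate loaded and documenting what the check does on a notBefore/notAfter violation, since nothing at this call site distinguishes a warning from a fatal error. A one-line comment would make the behaviour clear to the next reader, e.g. `/* Check certificate notBefore and notAfter; see tls_ctx_check_cert_time for whether an out-of-range date is fatal or only logged */`. init_ssl starts and ends outside the hunk.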
@@ -1844,6 +1849,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
if (rgi.flags & RGI_HWADDR_DEFINED)
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
buf_printf (&out, "IV_SSL=%s\n", get_ssl_library_version() );
+#if defined(WIN32)
+ buf_printf (&out, "IV_PLAT_VER=%s\n", win32_version_string (&gc, false));
+#endif
}
/* push env vars that begin with UV_ and IV_GUI_VER */
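Review bot: IV_PLAT_VER sends the client's Windows version string to the peer, which is useful for server-side policy but is also platform detail the server did not previously receive; the gate that controls this level of peer-info detail (the `if` that encloses the IV_HWADDR line) opens above the hunk, so the condition under which this is sent is not visible at the call. A short comment tying the line to that gate would help, e.g. `/* Only sent at the same peer-info detail level as IV_HWADDR above */`, and the bare `false` argument to win32_version_string() deserves a word on what it selects. push_peer_info starts and ends outside the hunk.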