authorJörg Frings-Fürst <debian@jff.email>2018-07-29 13:59:02 +0200
committerJörg Frings-Fürst <debian@jff.email>2018-07-29 13:59:02 +0200
commit2c8e4bc4f9ab94e4d0b63341820d471af7c28c6c (patch)
treefa0ea07bdd1ac4caab9a9642631f2b2450834894 /src/openvpn
parent4afa7ed562410a1170223a7bc06efb3708af6a36 (diff)
New upstream version 2.4.6upstream/2.4.6
Diffstat (limited to 'src/openvpn')
-rw-r--r--src/openvpn/interval.c8
-rw-r--r--src/openvpn/interval.h2
-rw-r--r--src/openvpn/openssl_compat.h4
-rw-r--r--src/openvpn/options.c9
-rw-r--r--src/openvpn/ssl.c3
-rw-r--r--src/openvpn/ssl_mbedtls.c6
-rw-r--r--src/openvpn/ssl_openssl.c4
-rw-r--r--src/openvpn/tun.c6
8 files changed, 30 insertions, 12 deletions
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c
index 00ee627..b728560 100644
--- a/src/openvpn/interval.c
+++ b/src/openvpn/interval.c
@@ -51,11 +51,12 @@ event_timeout_trigger(struct event_timeout *et,
if (et->defined)
{
- int wakeup = (int) et->last + et->n - local_now;
+ time_t wakeup = et->last - local_now + et->n;
if (wakeup <= 0)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
+ et_const_retry);
#endif
if (et_const_retry < 0)
{
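Review bot: The change of wakeup from int to time_t on the fourth line of the hunk carries no comment saying why the old expression was wrong: the old form cast et->last to int before the arithmetic, which stops being correct once time_t values no longer fit in int, while the new form keeps the whole subtraction in time_t. A one-line comment above it would preserve that reasoning, e.g. `/* keep the arithmetic in time_t: casting et->last to int first truncates wide timestamps */`. The interval.h hunk applies the same reordering inside event_timeout_remaining and then narrows the result with an explicit (interval_t) cast; if interval_t is narrower than time_t that conversion is implementation-defined for out-of-range differences, which is worth a matching comment there. event_timeout_trigger's body continues outside both interval.c hunks.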
@@ -72,7 +73,8 @@ event_timeout_trigger(struct event_timeout *et,
if (tv && wakeup < tv->tv_sec)
{
#if INTERVAL_DEBUG
- dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", wakeup, et->n, et_const_retry);
+ dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
+ (int) wakeup, et->n, et_const_retry);
#endif
tv->tv_sec = wakeup;
tv->tv_usec = 0;
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 826a08b..5623f3a 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -196,7 +196,7 @@ event_timeout_modify_wakeup(struct event_timeout *et, interval_t n)
static inline interval_t
event_timeout_remaining(struct event_timeout *et)
{
- return (int) et->last + et->n - now;
+ return (interval_t) (et->last - now + et->n);
}
/*
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c3152d0..9f53069 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -672,14 +672,18 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
{
return TLS1_VERSION;
}
+#ifdef SSL_OP_NO_TLSv1_1
if (!(sslopt & SSL_OP_NO_TLSv1_1))
{
return TLS1_1_VERSION;
}
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
if (!(sslopt & SSL_OP_NO_TLSv1_2))
{
return TLS1_2_VERSION;
}
+#endif
return 0;
}
#endif /* SSL_CTX_get_min_proto_version */
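Review bot: The new #ifdef guards around the TLS 1.1 and TLS 1.2 checks have no comment stating which OpenSSL builds lack SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2, so a reader cannot tell whether they are compatibility for older releases or for builds with those protocol versions compiled out. A short comment above the first guard, such as `/* SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 are not defined in every supported OpenSSL build */`, adjusted to the actual minimum supported version, would make the intent explicit. It would also help to note what the trailing `return 0` means to callers when every guarded check is absent or every version is disabled, since that fallback is now reachable in more configurations. SSL_CTX_get_min_proto_version starts outside the hunk.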
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 3f9164c..d1adfb6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2189,6 +2189,15 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
{
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
}
+
+ if (options->management_addr
+ && !(options->management_flags & MF_UNIX_SOCK)
+ && (!options->management_user_pass))
+ {
+ msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+ "passwords is STRONGLY discouraged and considered insecure");
+ }
+
#endif
/*
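Review bot: The third clause of the new condition, `(!options->management_user_pass)`, is parenthesised while the two clauses before it are not, which reads as if it had different precedence; `&& !options->management_user_pass)` is equivalent and consistent with the rest of the expression. A comment explaining why this case is only M_WARN while the preceding misuse is M_USAGE would also help, e.g. `/* warn rather than fail: existing configurations may rely on an unauthenticated TCP management port */`, hedged to whatever the actual reason was. options_postprocess_verify_ce starts outside the hunk.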
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index effb8b2..ab42f0c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2946,6 +2946,9 @@ tls_process(struct tls_multi *multi,
{
state_change = true;
dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
+
+ /* More data may be available, wake up again asap to check. */
+ *wakeup = 0;
}
}
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 74b4726..3f579e1 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -630,7 +630,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
if (ctx->crt_chain == NULL)
{
- return 0;
+ return 1;
}
ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context);
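Review bot: The return convention of tls_ctx_use_external_private_key is inverted here (0 now means success, non-zero failure), in the second ssl_mbedtls.c hunk and in both ssl_openssl.c hunks, but no call site appears in this diff, so it cannot be confirmed from the page that the caller treats non-zero as failure; if it does not, a correctly configured external key would now be reported as an error. The function's declaration, which is outside this diff, should document the contract both backends now follow, e.g. `/* Returns 0 on success, 1 on error; the mbedtls and OpenSSL implementations agree. */`. In the ssl_openssl.c error path the `return 1` follows a `crypto_msg(M_FATAL, ...)`, so whether it is reachable depends on M_FATAL's behaviour, which is not visible here. The function starts outside every one of these hunks.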
@@ -640,10 +640,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key,
NULL, external_pkcs1_sign, external_key_len)))
{
- return 0;
+ return 1;
}
- return 1;
+ return 0;
}
#endif /* ifdef MANAGMENT_EXTERNAL_KEY */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index f23d246..e57b6d2 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1168,7 +1168,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
X509_free(cert);
RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
- return 1;
+ return 0;
err:
if (cert)
@@ -1187,7 +1187,7 @@ err:
}
}
crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");
- return 0;
+ return 1;
}
#endif /* ifdef MANAGMENT_EXTERNAL_KEY */
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index b071823..0e44e9b 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -6185,6 +6185,9 @@ close_tun(struct tuntap *tt)
{
if (tt->did_ifconfig_ipv6_setup)
{
+ /* remove route pointing to interface */
+ delete_route_connected_v6_net(tt, NULL);
+
if (tt->options.msg_channel)
{
do_address_service(false, AF_INET6, tt);
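Review bot: The moved call to delete_route_connected_v6_net now sits above the `if (tt->options.msg_channel)` branch, so it runs on both the service and the netsh paths, but the carried-over comment `/* remove route pointing to interface */` does not record that the placement is deliberate, and a later cleanup could move it back into the netsh-only block where the second tun.c hunk shows it used to live. Extending the comment to `/* remove route pointing to interface; done before the msg_channel branch so both the service and netsh paths clean it up */` would preserve the intent. The call's return value, if it has one, is not checked; whether that is acceptable during teardown cannot be judged from this hunk. close_tun's body continues outside both tun.c hunks.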
@@ -6198,9 +6201,6 @@ close_tun(struct tuntap *tt)
const char *ifconfig_ipv6_local;
struct argv argv = argv_new();
- /* remove route pointing to interface */
- delete_route_connected_v6_net(tt, NULL);
-
/* "store=active" is needed in Windows 8(.1) to delete the
* address we added (pointed out by Cedric Tabary).
*/