diff options
author | Jörg Frings-Fürst <debian@jff.email> | 2018-07-29 13:59:02 +0200 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff.email> | 2018-07-29 13:59:02 +0200 |
commit | 2c8e4bc4f9ab94e4d0b63341820d471af7c28c6c (patch) | |
tree | fa0ea07bdd1ac4caab9a9642631f2b2450834894 /src/openvpn | |
parent | 4afa7ed562410a1170223a7bc06efb3708af6a36 (diff) |
New upstream version 2.4.6upstream/2.4.6
Diffstat (limited to 'src/openvpn')
-rw-r--r-- | src/openvpn/interval.c | 8 | ||||
-rw-r--r-- | src/openvpn/interval.h | 2 | ||||
-rw-r--r-- | src/openvpn/openssl_compat.h | 4 | ||||
-rw-r--r-- | src/openvpn/options.c | 9 | ||||
-rw-r--r-- | src/openvpn/ssl.c | 3 | ||||
-rw-r--r-- | src/openvpn/ssl_mbedtls.c | 6 | ||||
-rw-r--r-- | src/openvpn/ssl_openssl.c | 4 | ||||
-rw-r--r-- | src/openvpn/tun.c | 6 |
8 files changed, 30 insertions, 12 deletions
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c index 00ee627..b728560 100644 --- a/src/openvpn/interval.c +++ b/src/openvpn/interval.c @@ -51,11 +51,12 @@ event_timeout_trigger(struct event_timeout *et, if (et->defined) { - int wakeup = (int) et->last + et->n - local_now; + time_t wakeup = et->last - local_now + et->n; if (wakeup <= 0) { #if INTERVAL_DEBUG - dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, et_const_retry); + dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, + et_const_retry); #endif if (et_const_retry < 0) { @@ -72,7 +73,8 @@ event_timeout_trigger(struct event_timeout *et, if (tv && wakeup < tv->tv_sec) { #if INTERVAL_DEBUG - dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", wakeup, et->n, et_const_retry); + dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", + (int) wakeup, et->n, et_const_retry); #endif tv->tv_sec = wakeup; tv->tv_usec = 0; diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h index 826a08b..5623f3a 100644 --- a/src/openvpn/interval.h +++ b/src/openvpn/interval.h @@ -196,7 +196,7 @@ event_timeout_modify_wakeup(struct event_timeout *et, interval_t n) static inline interval_t event_timeout_remaining(struct event_timeout *et) { - return (int) et->last + et->n - now; + return (interval_t) (et->last - now + et->n); } /* diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c3152d0..9f53069 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -672,14 +672,18 @@ SSL_CTX_get_min_proto_version(SSL_CTX *ctx) { return TLS1_VERSION; } +#ifdef SSL_OP_NO_TLSv1_1 if (!(sslopt & SSL_OP_NO_TLSv1_1)) { return TLS1_1_VERSION; } +#endif +#ifdef SSL_OP_NO_TLSv1_2 if (!(sslopt & SSL_OP_NO_TLSv1_2)) { return TLS1_2_VERSION; } +#endif return 0; } #endif /* SSL_CTX_get_min_proto_version */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3f9164c..d1adfb6 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2189,6 +2189,15 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (options->management_addr + && !(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index effb8b2..ab42f0c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2946,6 +2946,9 @@ tls_process(struct tls_multi *multi, { state_change = true; dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext"); + + /* More data may be available, wake up again asap to check. */ + *wakeup = 0; } } diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 74b4726..3f579e1 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -630,7 +630,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, if (ctx->crt_chain == NULL) { - return 0; + return 1; } ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context); @@ -640,10 +640,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key, NULL, external_pkcs1_sign, external_key_len))) { - return 0; + return 1; } - return 1; + return 0; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index f23d246..e57b6d2 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1168,7 +1168,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, X509_free(cert); RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ - return 1; + return 0; err: if (cert) @@ -1187,7 +1187,7 @@ err: } } crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); - return 0; + return 1; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index b071823..0e44e9b 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -6185,6 +6185,9 @@ close_tun(struct tuntap *tt) { if (tt->did_ifconfig_ipv6_setup) { + /* remove route pointing to interface */ + delete_route_connected_v6_net(tt, NULL); + if (tt->options.msg_channel) { do_address_service(false, AF_INET6, tt); @@ -6198,9 +6201,6 @@ close_tun(struct tuntap *tt) const char *ifconfig_ipv6_local; struct argv argv = argv_new(); - /* remove route pointing to interface */ - delete_route_connected_v6_net(tt, NULL); - /* "store=active" is needed in Windows 8(.1) to delete the * address we added (pointed out by Cedric Tabary). */ |