summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2017-06-22 13:16:46 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2017-06-22 13:16:46 +0200
commit766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (patch)
tree76932876ae57f139fa1b3f82b375e4e526b507d7 /src
parentd73f7253d939e293abf9e27b4b7f37df1ec12a39 (diff)
parent9683f890944ffb114f5f8214f694e0b339cf5a5a (diff)
Merge tag 'upstream/2.4.3'
Upstream version 2.4.3
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.in28
-rw-r--r--src/compat/Makefile.in33
-rw-r--r--src/compat/compat-basename.c7
-rw-r--r--src/compat/compat-daemon.c10
-rw-r--r--src/compat/compat-dirname.c14
-rw-r--r--src/compat/compat-gettimeofday.c7
-rw-r--r--src/compat/compat-inet_ntop.c10
-rw-r--r--src/compat/compat-inet_pton.c10
-rw-r--r--src/compat/compat-versionhelpers.h36
-rw-r--r--src/compat/compat.h7
-rw-r--r--src/openvpn/Makefile.am5
-rw-r--r--src/openvpn/Makefile.in99
-rw-r--r--src/openvpn/argv.c17
-rw-r--r--src/openvpn/argv.h7
-rw-r--r--src/openvpn/base64.c11
-rw-r--r--src/openvpn/basic.h7
-rw-r--r--src/openvpn/block_dns.c85
-rw-r--r--src/openvpn/block_dns.h37
-rw-r--r--src/openvpn/buffer.c16
-rw-r--r--src/openvpn/buffer.h9
-rw-r--r--src/openvpn/circ_list.h7
-rw-r--r--src/openvpn/clinat.c7
-rw-r--r--src/openvpn/clinat.h7
-rw-r--r--src/openvpn/common.h7
-rw-r--r--src/openvpn/comp-lz4.c10
-rw-r--r--src/openvpn/comp-lz4.h7
-rw-r--r--src/openvpn/comp.c7
-rw-r--r--src/openvpn/comp.h7
-rw-r--r--src/openvpn/compstub.c10
-rw-r--r--src/openvpn/console.c13
-rw-r--r--src/openvpn/console.h9
-rw-r--r--src/openvpn/console_builtin.c7
-rw-r--r--src/openvpn/console_systemd.c7
-rw-r--r--src/openvpn/crypto.c75
-rw-r--r--src/openvpn/crypto.h16
-rw-r--r--src/openvpn/crypto_backend.h55
-rw-r--r--src/openvpn/crypto_mbedtls.c47
-rw-r--r--src/openvpn/crypto_mbedtls.h11
-rw-r--r--src/openvpn/crypto_openssl.c78
-rw-r--r--src/openvpn/crypto_openssl.h8
-rw-r--r--src/openvpn/cryptoapi.c9
-rw-r--r--src/openvpn/dhcp.c18
-rw-r--r--src/openvpn/dhcp.h7
-rw-r--r--src/openvpn/errlevel.h7
-rw-r--r--src/openvpn/error.c10
-rw-r--r--src/openvpn/error.h10
-rw-r--r--src/openvpn/event.c11
-rw-r--r--src/openvpn/event.h7
-rw-r--r--src/openvpn/fdmisc.c7
-rw-r--r--src/openvpn/fdmisc.h7
-rw-r--r--src/openvpn/forward-inline.h7
-rw-r--r--src/openvpn/forward.c14
-rw-r--r--src/openvpn/forward.h7
-rw-r--r--src/openvpn/fragment.c16
-rw-r--r--src/openvpn/fragment.h7
-rw-r--r--src/openvpn/gremlin.c22
-rw-r--r--src/openvpn/gremlin.h7
-rw-r--r--src/openvpn/helper.c7
-rw-r--r--src/openvpn/helper.h7
-rw-r--r--src/openvpn/httpdigest.c88
-rw-r--r--src/openvpn/httpdigest.h7
-rw-r--r--src/openvpn/init.c127
-rw-r--r--src/openvpn/init.h7
-rw-r--r--src/openvpn/integer.h7
-rw-r--r--src/openvpn/interval.c7
-rw-r--r--src/openvpn/interval.h10
-rw-r--r--src/openvpn/list.c13
-rw-r--r--src/openvpn/list.h7
-rw-r--r--src/openvpn/lzo.c10
-rw-r--r--src/openvpn/lzo.h7
-rw-r--r--src/openvpn/manage.c22
-rw-r--r--src/openvpn/manage.h7
-rw-r--r--src/openvpn/mbuf.c10
-rw-r--r--src/openvpn/mbuf.h7
-rw-r--r--src/openvpn/memdbg.h7
-rw-r--r--src/openvpn/misc.c88
-rw-r--r--src/openvpn/misc.h13
-rw-r--r--src/openvpn/mroute.c10
-rw-r--r--src/openvpn/mroute.h7
-rw-r--r--src/openvpn/mss.c23
-rw-r--r--src/openvpn/mss.h7
-rw-r--r--src/openvpn/mstats.c7
-rw-r--r--src/openvpn/mstats.h7
-rw-r--r--src/openvpn/mtcp.c10
-rw-r--r--src/openvpn/mtcp.h7
-rw-r--r--src/openvpn/mtu.c7
-rw-r--r--src/openvpn/mtu.h7
-rw-r--r--src/openvpn/mudp.c7
-rw-r--r--src/openvpn/mudp.h7
-rw-r--r--src/openvpn/multi.c21
-rw-r--r--src/openvpn/multi.h7
-rw-r--r--src/openvpn/ntlm.c45
-rw-r--r--src/openvpn/occ-inline.h7
-rw-r--r--src/openvpn/occ.c10
-rw-r--r--src/openvpn/occ.h7
-rw-r--r--src/openvpn/openssl_compat.h657
-rw-r--r--src/openvpn/openvpn.c13
-rw-r--r--src/openvpn/openvpn.h18
-rw-r--r--src/openvpn/openvpn.vcxproj7
-rw-r--r--src/openvpn/openvpn.vcxproj.filters26
-rw-r--r--src/openvpn/options.c127
-rw-r--r--src/openvpn/options.h12
-rw-r--r--src/openvpn/otime.c7
-rw-r--r--src/openvpn/otime.h10
-rw-r--r--src/openvpn/packet_id.c44
-rw-r--r--src/openvpn/packet_id.h43
-rw-r--r--src/openvpn/perf.c12
-rw-r--r--src/openvpn/perf.h16
-rw-r--r--src/openvpn/pf-inline.h7
-rw-r--r--src/openvpn/pf.c7
-rw-r--r--src/openvpn/pf.h7
-rw-r--r--src/openvpn/ping-inline.h7
-rw-r--r--src/openvpn/ping.c7
-rw-r--r--src/openvpn/ping.h7
-rw-r--r--src/openvpn/pkcs11.c73
-rw-r--r--src/openvpn/pkcs11.h7
-rw-r--r--src/openvpn/pkcs11_backend.h7
-rw-r--r--src/openvpn/pkcs11_mbedtls.c14
-rw-r--r--src/openvpn/pkcs11_openssl.c7
-rw-r--r--src/openvpn/platform.c7
-rw-r--r--src/openvpn/platform.h7
-rw-r--r--src/openvpn/plugin.c49
-rw-r--r--src/openvpn/plugin.h7
-rw-r--r--src/openvpn/pool.c9
-rw-r--r--src/openvpn/pool.h7
-rw-r--r--src/openvpn/proto.c7
-rw-r--r--src/openvpn/proto.h7
-rw-r--r--src/openvpn/proxy.c26
-rw-r--r--src/openvpn/proxy.h7
-rw-r--r--src/openvpn/ps.c7
-rw-r--r--src/openvpn/ps.h7
-rw-r--r--src/openvpn/push.c36
-rw-r--r--src/openvpn/push.h7
-rw-r--r--src/openvpn/pushlist.h7
-rw-r--r--src/openvpn/reliable.c14
-rw-r--r--src/openvpn/reliable.h7
-rw-r--r--src/openvpn/route.c88
-rw-r--r--src/openvpn/route.h10
-rw-r--r--src/openvpn/schedule.c11
-rw-r--r--src/openvpn/schedule.h7
-rw-r--r--src/openvpn/session_id.c10
-rw-r--r--src/openvpn/session_id.h7
-rw-r--r--src/openvpn/shaper.c10
-rw-r--r--src/openvpn/shaper.h7
-rw-r--r--src/openvpn/sig.c7
-rw-r--r--src/openvpn/sig.h7
-rw-r--r--src/openvpn/socket.c55
-rw-r--r--src/openvpn/socket.h31
-rw-r--r--src/openvpn/socks.c7
-rw-r--r--src/openvpn/socks.h7
-rw-r--r--src/openvpn/ssl.c139
-rw-r--r--src/openvpn/ssl.h17
-rw-r--r--src/openvpn/ssl_backend.h7
-rw-r--r--src/openvpn/ssl_common.h8
-rw-r--r--src/openvpn/ssl_mbedtls.c15
-rw-r--r--src/openvpn/ssl_mbedtls.h9
-rw-r--r--src/openvpn/ssl_openssl.c107
-rw-r--r--src/openvpn/ssl_openssl.h9
-rw-r--r--src/openvpn/ssl_verify.c104
-rw-r--r--src/openvpn/ssl_verify.h13
-rw-r--r--src/openvpn/ssl_verify_backend.h17
-rw-r--r--src/openvpn/ssl_verify_mbedtls.c65
-rw-r--r--src/openvpn/ssl_verify_mbedtls.h7
-rw-r--r--src/openvpn/ssl_verify_openssl.c231
-rw-r--r--src/openvpn/ssl_verify_openssl.h7
-rw-r--r--src/openvpn/status.c7
-rw-r--r--src/openvpn/status.h7
-rw-r--r--src/openvpn/syshead.h13
-rw-r--r--src/openvpn/tls_crypt.c24
-rw-r--r--src/openvpn/tls_crypt.h7
-rw-r--r--src/openvpn/tun.c48
-rw-r--r--src/openvpn/tun.h8
-rw-r--r--src/openvpn/win32.c58
-rw-r--r--src/openvpn/win32.h9
-rw-r--r--src/openvpnserv/Makefile.in36
-rw-r--r--src/openvpnserv/automatic.c10
-rw-r--r--src/openvpnserv/common.c7
-rw-r--r--src/openvpnserv/interactive.c84
-rw-r--r--src/openvpnserv/service.h7
-rw-r--r--src/openvpnserv/validate.c178
-rw-r--r--src/openvpnserv/validate.h9
-rw-r--r--src/plugins/Makefile.in28
-rw-r--r--src/plugins/auth-pam/Makefile.in34
-rw-r--r--src/plugins/auth-pam/auth-pam.c38
-rw-r--r--src/plugins/auth-pam/auth-pam.exports2
-rw-r--r--src/plugins/auth-pam/utils.c12
-rw-r--r--src/plugins/auth-pam/utils.h7
-rw-r--r--src/plugins/down-root/Makefile.in34
-rw-r--r--src/plugins/down-root/down-root.c9
189 files changed, 3231 insertions, 1508 deletions
diff --git a/src/Makefile.in b/src/Makefile.in
index b2e6c0e..526d549 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -25,7 +25,17 @@
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -89,7 +99,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -100,6 +109,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -160,6 +170,7 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
+am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -233,6 +244,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -281,6 +293,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -293,12 +306,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -355,7 +370,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -378,7 +395,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -674,6 +690,8 @@ uninstall-am:
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/compat/Makefile.in b/src/compat/Makefile.in
index e9d589f..b264f40 100644
--- a/src/compat/Makefile.in
+++ b/src/compat/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -26,7 +26,17 @@
#
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -90,8 +100,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/compat
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -102,6 +110,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -177,6 +186,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -225,6 +235,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -273,6 +284,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -285,12 +297,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -347,7 +361,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -386,7 +402,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/compat/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/compat/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -438,14 +453,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -664,6 +679,8 @@ uninstall-am:
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/compat/compat-basename.c b/src/compat/compat-basename.c
index b7b5c43..e66e225 100644
--- a/src/compat/compat-basename.c
+++ b/src/compat/compat-basename.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/compat/compat-daemon.c b/src/compat/compat-daemon.c
index 5093942..4ef28fa 100644
--- a/src/compat/compat-daemon.c
+++ b/src/compat/compat-daemon.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -58,7 +57,8 @@ int
daemon(int nochdir, int noclose)
{
#if defined(HAVE_FORK) && defined(HAVE_SETSID)
- switch (fork()) {
+ switch (fork())
+ {
case -1:
return (-1);
diff --git a/src/compat/compat-dirname.c b/src/compat/compat-dirname.c
index 7687108..c1523d9 100644
--- a/src/compat/compat-dirname.c
+++ b/src/compat/compat-dirname.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,7 +43,8 @@ __memrchr(const char *str, int c, size_t n)
const char *end = str;
end += n - 1; /* Go to the end of the string */
- while (end >= str) {
+ while (end >= str)
+ {
if (c == *end)
{
return end;
@@ -82,10 +82,12 @@ dirname(char *path)
char *runp;
for (runp = last_slash; runp != path; --runp)
+ {
if (runp[-1] != separator)
{
break;
}
+ }
/* The '/' is the last character, we have to look further. */
if (runp != path)
@@ -100,10 +102,12 @@ dirname(char *path)
char *runp;
for (runp = last_slash; runp != path; --runp)
+ {
if (runp[-1] != separator)
{
break;
}
+ }
/* Terminate the path. */
if (runp == path)
diff --git a/src/compat/compat-gettimeofday.c b/src/compat/compat-gettimeofday.c
index d53e360..fb57f2d 100644
--- a/src/compat/compat-gettimeofday.c
+++ b/src/compat/compat-gettimeofday.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/compat/compat-inet_ntop.c b/src/compat/compat-inet_ntop.c
index dd7abb5..f2a181e 100644
--- a/src/compat/compat-inet_ntop.c
+++ b/src/compat/compat-inet_ntop.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -52,7 +51,8 @@ inet_ntop(int af, const void *src, char *dst, socklen_t size)
ZeroMemory(&ss, sizeof(ss));
ss.ss_family = af;
- switch (af) {
+ switch (af)
+ {
case AF_INET:
((struct sockaddr_in *)&ss)->sin_addr = *(struct in_addr *)src;
break;
diff --git a/src/compat/compat-inet_pton.c b/src/compat/compat-inet_pton.c
index 1e41fa2..9d451cc 100644
--- a/src/compat/compat-inet_pton.c
+++ b/src/compat/compat-inet_pton.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -59,7 +58,8 @@ inet_pton(int af, const char *src, void *dst)
if (WSAStringToAddress(src_copy, af, NULL, (struct sockaddr *)&ss, &size) == 0)
{
- switch (af) {
+ switch (af)
+ {
case AF_INET:
*(struct in_addr *)dst = ((struct sockaddr_in *)&ss)->sin_addr;
return 1;
diff --git a/src/compat/compat-versionhelpers.h b/src/compat/compat-versionhelpers.h
index a793056..251fb04 100644
--- a/src/compat/compat-versionhelpers.h
+++ b/src/compat/compat-versionhelpers.h
@@ -30,62 +30,74 @@ IsWindowsVersionOrGreater(WORD major, WORD minor, WORD servpack)
}
VERSIONHELPERAPI
-IsWindowsXPOrGreater(void) {
+IsWindowsXPOrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 0);
}
VERSIONHELPERAPI
-IsWindowsXPSP1OrGreater(void) {
+IsWindowsXPSP1OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 1);
}
VERSIONHELPERAPI
-IsWindowsXPSP2OrGreater(void) {
+IsWindowsXPSP2OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 2);
}
VERSIONHELPERAPI
-IsWindowsXPSP3OrGreater(void) {
+IsWindowsXPSP3OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINXP), LOBYTE(_WIN32_WINNT_WINXP), 3);
}
VERSIONHELPERAPI
-IsWindowsVistaOrGreater(void) {
+IsWindowsVistaOrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 0);
}
VERSIONHELPERAPI
-IsWindowsVistaSP1OrGreater(void) {
+IsWindowsVistaSP1OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 1);
}
VERSIONHELPERAPI
-IsWindowsVistaSP2OrGreater(void) {
+IsWindowsVistaSP2OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_VISTA), LOBYTE(_WIN32_WINNT_VISTA), 2);
}
VERSIONHELPERAPI
-IsWindows7OrGreater(void) {
+IsWindows7OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0);
}
VERSIONHELPERAPI
-IsWindows7SP1OrGreater(void) {
+IsWindows7SP1OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 1);
}
VERSIONHELPERAPI
-IsWindows8OrGreater(void) {
+IsWindows8OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN8), LOBYTE(_WIN32_WINNT_WIN8), 0);
}
VERSIONHELPERAPI
-IsWindows8Point1OrGreater(void) {
+IsWindows8Point1OrGreater(void)
+{
return IsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WINBLUE), LOBYTE(_WIN32_WINNT_WINBLUE), 0);
}
VERSIONHELPERAPI
-IsWindowsServer(void) {
+IsWindowsServer(void)
+{
OSVERSIONINFOEXW vi = {sizeof(vi),0,0,0,0,{0},0,0,0,VER_NT_WORKSTATION};
return !VerifyVersionInfoW(&vi, VER_PRODUCT_TYPE, VerSetConditionMask(0, VER_PRODUCT_TYPE, VER_EQUAL));
}
diff --git a/src/compat/compat.h b/src/compat/compat.h
index 75bfaed..d522898 100644
--- a/src/compat/compat.h
+++ b/src/compat/compat.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef COMPAT_H
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..fcc22d6 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -27,7 +27,9 @@ AM_CFLAGS = \
$(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) \
$(OPTIONAL_LZ4_CFLAGS) \
- $(OPTIONAL_PKCS11_HELPER_CFLAGS)
+ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+ -DPLUGIN_LIBDIR=\"${plugindir}\"
+
if WIN32
# we want unicode entry point but not the macro
AM_CFLAGS += -municode -UUNICODE
@@ -79,6 +81,7 @@ openvpn_SOURCES = \
multi.c multi.h \
ntlm.c ntlm.h \
occ.c occ.h occ-inline.h \
+ openssl_compat.h \
pkcs11.c pkcs11.h pkcs11_backend.h \
pkcs11_openssl.c \
pkcs11_mbedtls.c \
diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in
index 95d4f59..ca4635b 100644
--- a/src/openvpn/Makefile.in
+++ b/src/openvpn/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -37,7 +37,17 @@
# Required to build Windows resource file
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -100,8 +110,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \
- $(srcdir)/Makefile.am $(top_srcdir)/depcomp
+
# we want unicode entry point but not the macro
@WIN32_TRUE@am__append_1 = -municode -UUNICODE
sbin_PROGRAMS = openvpn$(EXEEXT)
@@ -118,6 +127,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -139,21 +149,21 @@ am__openvpn_SOURCES_DIST = argv.c argv.h base64.c base64.h basic.h \
console_builtin.c console_systemd.c mroute.c mroute.h mss.c \
mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \
mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \
- pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \
- pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \
- otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \
- pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \
- pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \
- push.h pushlist.h reliable.c reliable.h route.c route.h \
- schedule.c schedule.h session_id.c session_id.h shaper.c \
- shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \
- ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \
- ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \
- ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \
- ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \
- syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \
- cryptoapi.h cryptoapi.c openvpn_win32_resources.rc block_dns.c \
- block_dns.h
+ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \
+ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \
+ options.c options.h otime.c otime.h packet_id.c packet_id.h \
+ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \
+ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \
+ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \
+ reliable.h route.c route.h schedule.c schedule.h session_id.c \
+ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \
+ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \
+ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \
+ ssl_verify.c ssl_verify.h ssl_verify_backend.h \
+ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \
+ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \
+ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \
+ cryptoapi.c openvpn_win32_resources.rc block_dns.c block_dns.h
@WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) \
@WIN32_TRUE@ block_dns.$(OBJEXT)
am_openvpn_OBJECTS = argv.$(OBJEXT) base64.$(OBJEXT) buffer.$(OBJEXT) \
@@ -253,6 +263,8 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \
+ $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -301,6 +313,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -349,6 +362,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -361,12 +375,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -423,7 +439,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -444,7 +462,8 @@ AM_CPPFLAGS = \
AM_CFLAGS = $(TAP_CFLAGS) $(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_LZ4_CFLAGS) \
- $(OPTIONAL_PKCS11_HELPER_CFLAGS) $(am__append_1)
+ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+ -DPLUGIN_LIBDIR=\"${plugindir}\" $(am__append_1)
openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \
buffer.h circ_list.h clinat.c clinat.h common.h comp.c comp.h \
compstub.c comp-lz4.c comp-lz4.h crypto.c crypto.h \
@@ -459,20 +478,21 @@ openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \
console_builtin.c console_systemd.c mroute.c mroute.h mss.c \
mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \
mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \
- pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \
- pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \
- otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \
- pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \
- pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \
- push.h pushlist.h reliable.c reliable.h route.c route.h \
- schedule.c schedule.h session_id.c session_id.h shaper.c \
- shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \
- ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \
- ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \
- ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \
- ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \
- syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \
- cryptoapi.h cryptoapi.c $(am__append_2)
+ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \
+ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \
+ options.c options.h otime.c otime.h packet_id.c packet_id.h \
+ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \
+ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \
+ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \
+ reliable.h route.c route.h schedule.c schedule.h session_id.c \
+ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \
+ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \
+ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \
+ ssl_verify.c ssl_verify.h ssl_verify_backend.h \
+ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \
+ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \
+ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \
+ cryptoapi.c $(am__append_2)
openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \
$(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) $(OPTIONAL_LZ4_LIBS) \
$(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \
@@ -494,7 +514,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpn/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/openvpn/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -503,7 +522,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
-$(top_srcdir)/build/ltrc.inc:
+$(top_srcdir)/build/ltrc.inc $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -655,14 +674,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -884,6 +903,8 @@ uninstall-am: uninstall-sbinPROGRAMS
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS
+.PRECIOUS: Makefile
+
.rc.lo:
$(LTRCCOMPILE) -i "$<" -o "$@"
diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c
index cc813ed..a71d261 100644
--- a/src/openvpn/argv.c
+++ b/src/openvpn/argv.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
*
* A printf-like function (that only recognizes a subset of standard printf
@@ -60,7 +59,9 @@ argv_reset(struct argv *a)
{
size_t i;
for (i = 0; i < a->argc; ++i)
+ {
free(a->argv[i]);
+ }
free(a->argv);
argv_init(a);
}
@@ -74,7 +75,9 @@ argv_extend(struct argv *a, const size_t newcap)
size_t i;
ALLOC_ARRAY_CLEAR(newargv, char *, newcap);
for (i = 0; i < a->argc; ++i)
+ {
newargv[i] = a->argv[i];
+ }
free(a->argv);
a->argv = newargv;
a->capacity = newcap;
@@ -104,11 +107,15 @@ argv_clone(const struct argv *a, const size_t headroom)
argv_init(&r);
for (i = 0; i < headroom; ++i)
+ {
argv_append(&r, NULL);
+ }
if (a)
{
for (i = 0; i < a->argc; ++i)
+ {
argv_append(&r, string_alloc(a->argv[i], NULL));
+ }
}
return r;
}
@@ -332,7 +339,9 @@ argv_parse_cmd(struct argv *a, const char *s)
{
int i;
for (i = 0; i < nparms; ++i)
+ {
argv_append(a, string_alloc(parms[i], NULL));
+ }
}
else
{
diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h
index 1dd6dd7..7d0754c 100644
--- a/src/openvpn/argv.h
+++ b/src/openvpn/argv.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
*
* A printf-like function (that only recognizes a subset of standard printf
diff --git a/src/openvpn/base64.c b/src/openvpn/base64.c
index c799ede..0ac65e9 100644
--- a/src/openvpn/base64.c
+++ b/src/openvpn/base64.c
@@ -69,7 +69,8 @@ openvpn_base64_encode(const void *data, int size, char **str)
}
q = (const unsigned char *) data;
i = 0;
- for (i = 0; i < size; ) {
+ for (i = 0; i < size; )
+ {
c = q[i++];
c *= 256;
if (i < size)
@@ -107,10 +108,12 @@ pos(char c)
{
char *p;
for (p = base64_chars; *p; p++)
+ {
if (*p == c)
{
return p - base64_chars;
}
+ }
return -1;
}
@@ -126,7 +129,8 @@ token_decode(const char *token)
{
return DECODE_ERROR;
}
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 4; i++)
+ {
val *= 64;
if (token[i] == '=')
{
@@ -164,7 +168,8 @@ openvpn_base64_decode(const char *str, void *data, int size)
{
e = q + size;
}
- for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) {
+ for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4)
+ {
unsigned int val = token_decode(p);
unsigned int marker = (val >> 24) & 0xff;
if (val == DECODE_ERROR)
diff --git a/src/openvpn/basic.h b/src/openvpn/basic.h
index dac6f01..3aa69ca 100644
--- a/src/openvpn/basic.h
+++ b/src/openvpn/basic.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef BASIC_H
diff --git a/src/openvpn/block_dns.c b/src/openvpn/block_dns.c
index e31765e..d43cbcf 100644
--- a/src/openvpn/block_dns.c
+++ b/src/openvpn/block_dns.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -110,6 +109,9 @@ DEFINE_GUID(
static WCHAR *FIREWALL_NAME = L"OpenVPN";
+VOID NETIOAPI_API_
+InitializeIpInterfaceEntry(PMIB_IPINTERFACE_ROW Row);
+
/*
* Default msg handler does nothing
*/
@@ -341,4 +343,79 @@ delete_block_dns_filters(HANDLE engine_handle)
return err;
}
+/*
+ * Returns interface metric value for specified interface index.
+ *
+ * Arguments:
+ * index : The index of TAP adapter.
+ * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
+ * Returns positive metric value or zero for automatic metric on success,
+ * a less then zero error code on failure.
+ */
+
+int
+get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family)
+{
+ DWORD err = 0;
+ MIB_IPINTERFACE_ROW ipiface;
+ InitializeIpInterfaceEntry(&ipiface);
+ ipiface.Family = family;
+ ipiface.InterfaceIndex = index;
+ err = GetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ if (ipiface.UseAutomaticMetric)
+ {
+ return 0;
+ }
+ return ipiface.Metric;
+ }
+ return -err;
+}
+
+/*
+ * Sets interface metric value for specified interface index.
+ *
+ * Arguments:
+ * index : The index of TAP adapter.
+ * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
+ * metric : Metric value. 0 for automatic metric.
+ * Returns 0 on success, a non-zero status code of the last failed action on failure.
+ */
+
+DWORD
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
+ const ULONG metric)
+{
+ DWORD err = 0;
+ MIB_IPINTERFACE_ROW ipiface;
+ InitializeIpInterfaceEntry(&ipiface);
+ ipiface.Family = family;
+ ipiface.InterfaceIndex = index;
+ err = GetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ if (family == AF_INET)
+ {
+ /* required for IPv4 as per MSDN */
+ ipiface.SitePrefixLength = 0;
+ }
+ ipiface.Metric = metric;
+ if (metric == 0)
+ {
+ ipiface.UseAutomaticMetric = TRUE;
+ }
+ else
+ {
+ ipiface.UseAutomaticMetric = FALSE;
+ }
+ err = SetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ return 0;
+ }
+ }
+ return err;
+}
+
#endif /* ifdef _WIN32 */
diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h
index a7dadc4..c4b6693 100644
--- a/src/openvpn/block_dns.h
+++ b/src/openvpn/block_dns.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef _WIN32
@@ -27,6 +26,9 @@
#ifndef OPENVPN_BLOCK_DNS_H
#define OPENVPN_BLOCK_DNS_H
+/* Any value less than 5 should work fine. 3 is choosen without any real reason. */
+#define BLOCK_DNS_IFACE_METRIC 3
+
typedef void (*block_dns_msg_handler_t) (DWORD err, const char *msg);
DWORD
@@ -36,5 +38,32 @@ DWORD
add_block_dns_filters(HANDLE *engine, int iface_index, const WCHAR *exe_path,
block_dns_msg_handler_t msg_handler_callback);
+/**
+ * Returns interface metric value for specified interface index.
+ *
+ * @param index The index of TAP adapter
+ * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6)
+ *
+ * @return positive metric value or zero for automatic metric on success,
+ * a less then zero error code on failure.
+ */
+
+int
+get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family);
+
+/**
+ * Sets interface metric value for specified interface index.
+ *
+ * @param index The index of TAP adapter
+ * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6)
+ * @param metric Metric value. 0 for automatic metric
+ *
+ * @return 0 on success, a non-zero status code of the last failed action on failure.
+ */
+
+DWORD
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
+ const ULONG metric);
+
#endif
#endif
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 2defd18..87e27ec 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -443,7 +442,9 @@ gc_transfer(struct gc_arena *dest, struct gc_arena *src)
if (e)
{
while (e->next != NULL)
+ {
e = e->next;
+ }
e->next = dest->list;
dest->list = src->list;
src->list = NULL;
@@ -599,7 +600,8 @@ void
rm_trailing_chars(char *str, const char *what_to_delete)
{
bool modified;
- do {
+ do
+ {
const int len = strlen(str);
modified = false;
if (len > 0)
@@ -682,7 +684,9 @@ string_array_len(const char **array)
if (array)
{
while (array[i])
+ {
++i;
+ }
}
return i;
}
@@ -1320,7 +1324,9 @@ buffer_list_file(const char *fn, int max_line_len)
{
bl = buffer_list_new(0);
while (fgets(line, max_line_len, fp) != NULL)
+ {
buffer_list_push(bl, (unsigned char *)line);
+ }
free(line);
}
fclose(fp);
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 28b224e..8bc4428 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef BUFFER_H
@@ -404,7 +403,9 @@ secure_memzero(void *data, size_t len)
#else
volatile char *p = (volatile char *) data;
while (len--)
+ {
*p++ = 0;
+ }
#endif
}
diff --git a/src/openvpn/circ_list.h b/src/openvpn/circ_list.h
index ecf2a7f..386e18d 100644
--- a/src/openvpn/circ_list.h
+++ b/src/openvpn/circ_list.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef CIRC_LIST_H
diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c
index 9158437..633cec6 100644
--- a/src/openvpn/clinat.c
+++ b/src/openvpn/clinat.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h
index cdaf2a8..e0cfad5 100644
--- a/src/openvpn/clinat.h
+++ b/src/openvpn/clinat.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if !defined(CLINAT_H)
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index cd988d4..bb08c01 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef COMMON_H
diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index fa65f87..6e40c32 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -316,6 +315,7 @@ const struct compress_alg lz4v2_alg = {
#else /* if defined(ENABLE_LZ4) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_LZ4 */
diff --git a/src/openvpn/comp-lz4.h b/src/openvpn/comp-lz4.h
index 8621e93..c256ba5 100644
--- a/src/openvpn/comp-lz4.h
+++ b/src/openvpn/comp-lz4.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_COMP_LZ4_H
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 0182a7c..4cda7e5 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h
index 3c0b18e..e56fd2b 100644
--- a/src/openvpn/comp.h
+++ b/src/openvpn/comp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/compstub.c b/src/openvpn/compstub.c
index 5070c82..ca90924 100644
--- a/src/openvpn/compstub.c
+++ b/src/openvpn/compstub.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -179,6 +178,7 @@ const struct compress_alg comp_stub_alg = {
#else /* if defined(USE_COMP) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* USE_STUB */
diff --git a/src/openvpn/console.c b/src/openvpn/console.c
index 90c8a94..eb6944d 100644
--- a/src/openvpn/console.c
+++ b/src/openvpn/console.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -49,7 +48,8 @@ query_user_clear()
{
int i;
- for (i = 0; i < QUERY_USER_NUMSLOTS; i++) {
+ for (i = 0; i < QUERY_USER_NUMSLOTS; i++)
+ {
CLEAR(query_user[i]);
}
}
@@ -68,7 +68,8 @@ query_user_add(char *prompt, size_t prompt_len,
ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL );
/* Seek to the last unused slot */
- for (i = 0; i < QUERY_USER_NUMSLOTS; i++) {
+ for (i = 0; i < QUERY_USER_NUMSLOTS; i++)
+ {
if (query_user[i].prompt == NULL)
{
break;
diff --git a/src/openvpn/console.h b/src/openvpn/console.h
index 2c7f3e9..aa51e6f 100644
--- a/src/openvpn/console.h
+++ b/src/openvpn/console.h
@@ -18,11 +18,10 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
#ifndef CONSOLE_H
#define CONSOLE_H
diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c
index 13b9d7e..7b95da9 100644
--- a/src/openvpn/console_builtin.c
+++ b/src/openvpn/console_builtin.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c
index 1c0aa4c..8cee8c8 100644
--- a/src/openvpn/console_systemd.c
+++ b/src/openvpn/console_systemd.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 7119abc..5f482d0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -65,7 +64,8 @@
static void
openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
- struct crypto_options *opt) {
+ struct crypto_options *opt)
+{
#ifdef HAVE_AEAD_CIPHER_MODES
struct gc_arena gc;
int outlen = 0;
@@ -85,7 +85,6 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
/* Prepare IV */
{
struct buffer iv_buffer;
- struct packet_id_net pin;
uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0};
const int iv_len = cipher_ctx_iv_length(ctx->cipher);
@@ -94,8 +93,11 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
buf_set_write(&iv_buffer, iv, iv_len);
/* IV starts with packet id to make the IV unique for packet */
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, false);
- ASSERT(packet_id_write(&pin, &iv_buffer, false, false));
+ if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false))
+ {
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
+ }
/* Remainder of IV consists of implicit part (unique per session) */
ASSERT(buf_write(&iv_buffer, ctx->implicit_iv, ctx->implicit_iv_len));
@@ -196,25 +198,25 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
}
/* Put packet ID in plaintext buffer */
- if (packet_id_initialized(&opt->packet_id))
+ if (packet_id_initialized(&opt->packet_id)
+ && !packet_id_write(&opt->packet_id.send, buf,
+ opt->flags & CO_PACKET_ID_LONG_FORM,
+ true))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
}
}
else if (cipher_kt_mode_ofb_cfb(cipher_kt))
{
- struct packet_id_net pin;
struct buffer b;
/* IV and packet-ID required for this mode. */
ASSERT(opt->flags & CO_USE_IV);
ASSERT(packet_id_initialized(&opt->packet_id));
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
buf_set_write(&b, iv_buf, iv_size);
- ASSERT(packet_id_write(&pin, &b, true, false));
+ ASSERT(packet_id_write(&opt->packet_id.send, &b, true, false));
}
else /* We only support CBC, CFB, or OFB modes right now */
{
@@ -262,11 +264,12 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
}
else /* No Encryption */
{
- if (packet_id_initialized(&opt->packet_id))
+ if (packet_id_initialized(&opt->packet_id)
+ && !packet_id_write(&opt->packet_id.send, buf,
+ opt->flags & CO_PACKET_ID_LONG_FORM, true))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
}
if (ctx->hmac)
{
@@ -329,7 +332,8 @@ openvpn_encrypt(struct buffer *buf, struct buffer work,
bool
crypto_check_replay(struct crypto_options *opt,
const struct packet_id_net *pin, const char *error_prefix,
- struct gc_arena *gc) {
+ struct gc_arena *gc)
+{
bool ret = false;
packet_id_reap_test(&opt->packet_id.rec);
if (packet_id_test(&opt->packet_id.rec, pin))
@@ -804,7 +808,10 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
- msg(M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
+ msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
+ "This means NO encryption will be performed and tunnelled "
+ "data WILL be transmitted in clear text over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
if (strcmp(authname, "none") != 0)
@@ -824,7 +831,11 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
- msg(M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
+ msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
+ "This means no authentication will be performed on received "
+ "packets, meaning you CANNOT trust that the data received by "
+ "the remote side have NOT been manipulated. "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
}
@@ -840,7 +851,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
if (kt->cipher && kt->cipher_length > 0)
{
- ALLOC_OBJ(ctx->cipher, cipher_ctx_t);
+ ctx->cipher = cipher_ctx_new();
cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length,
kt->cipher, enc);
@@ -864,7 +875,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
}
if (kt->digest && kt->hmac_length > 0)
{
- ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
+ ctx->hmac = hmac_ctx_new();
hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
msg(D_HANDSHAKE,
@@ -889,13 +900,13 @@ free_key_ctx(struct key_ctx *ctx)
if (ctx->cipher)
{
cipher_ctx_cleanup(ctx->cipher);
- free(ctx->cipher);
+ cipher_ctx_free(ctx->cipher);
ctx->cipher = NULL;
}
if (ctx->hmac)
{
hmac_ctx_cleanup(ctx->hmac);
- free(ctx->hmac);
+ hmac_ctx_free(ctx->hmac);
ctx->hmac = NULL;
}
ctx->implicit_iv_len = 0;
@@ -1019,7 +1030,8 @@ generate_key_random(struct key *key, const struct key_type *kt)
struct gc_arena gc = gc_new();
- do {
+ do
+ {
CLEAR(*key);
if (kt)
{
@@ -1795,7 +1807,8 @@ get_random()
}
static const cipher_name_pair *
-get_cipher_name_pair(const char *cipher_name) {
+get_cipher_name_pair(const char *cipher_name)
+{
const cipher_name_pair *pair;
size_t i = 0;
@@ -1815,7 +1828,8 @@ get_cipher_name_pair(const char *cipher_name) {
}
const char *
-translate_cipher_name_from_openvpn(const char *cipher_name) {
+translate_cipher_name_from_openvpn(const char *cipher_name)
+{
const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
if (NULL == pair)
@@ -1827,7 +1841,8 @@ translate_cipher_name_from_openvpn(const char *cipher_name) {
}
const char *
-translate_cipher_name_to_openvpn(const char *cipher_name) {
+translate_cipher_name_to_openvpn(const char *cipher_name)
+{
const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
if (NULL == pair)
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 61e9b59..8818c01 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -132,9 +131,9 @@
#include "packet_id.h"
#include "mtu.h"
-/** Wrapper struct to pass around MD5 digests */
-struct md5_digest {
- uint8_t digest[MD5_DIGEST_LENGTH];
+/** Wrapper struct to pass around SHA256 digests */
+struct sha256_digest {
+ uint8_t digest[SHA256_DIGEST_LENGTH];
};
/*
@@ -496,7 +495,8 @@ void crypto_read_openvpn_key(const struct key_type *key_type,
* Returns 0 when data is equal, non-zero otherwise.
*/
static inline int
-memcmp_constant_time(const void *a, const void *b, size_t size) {
+memcmp_constant_time(const void *a, const void *b, size_t size)
+{
const uint8_t *a1 = a;
const uint8_t *b1 = b;
int ret = 0;
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 2c79baa..b7f519b 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -47,6 +46,12 @@
/* Maximum HMAC digest size (bytes) */
#define OPENVPN_MAX_HMAC_SIZE 64
+/** Types referencing specific message digest hashing algorithms */
+typedef enum {
+ MD_SHA1,
+ MD_SHA256
+} hash_algo_type ;
+
/** Struct used in cipher name translation table */
typedef struct {
const char *openvpn_name; /**< Cipher name used by OpenVPN */
@@ -295,6 +300,20 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher);
*/
/**
+ * Allocate a new cipher context
+ *
+ * @return a new cipher context
+ */
+cipher_ctx_t *cipher_ctx_new(void);
+
+/**
+ * Free a cipher context
+ *
+ * @param ctx Cipher context.
+ */
+void cipher_ctx_free(cipher_ctx_t *ctx);
+
+/**
* Initialise a cipher context, based on the given key and key type.
*
* @param ctx Cipher context. May not be NULL
@@ -502,6 +521,20 @@ int md_kt_size(const md_kt_t *kt);
int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst);
/*
+ * Allocate a new message digest context
+ *
+ * @return a new zeroed MD context
+ */
+md_ctx_t *md_ctx_new(void);
+
+/*
+ * Free an existing, non-null message digest context
+ *
+ * @param ctx Message digest context
+ */
+void md_ctx_free(md_ctx_t *ctx);
+
+/*
* Initialises the given message digest context.
*
* @param ctx Message digest context
@@ -550,6 +583,20 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst);
*/
/*
+ * Create a new HMAC context
+ *
+ * @return A new HMAC context
+ */
+hmac_ctx_t *hmac_ctx_new(void);
+
+/*
+ * Free an existing HMAC context
+ *
+ * @param ctx HMAC context to free
+ */
+void hmac_ctx_free(hmac_ctx_t *ctx);
+
+/*
* Initialises the given HMAC context, using the given digest
* and key.
*
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 942684c..24bc315 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -509,6 +508,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
*
*/
+mbedtls_cipher_context_t *
+cipher_ctx_new(void)
+{
+ mbedtls_cipher_context_t *ctx;
+ ALLOC_OBJ(ctx, mbedtls_cipher_context_t);
+ return ctx;
+}
+
+void
+cipher_ctx_free(mbedtls_cipher_context_t *ctx)
+{
+ free(ctx);
+}
void
cipher_ctx_init(mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len,
@@ -766,6 +778,18 @@ md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst)
return 0 == mbedtls_md(kt, src, src_len, dst);
}
+mbedtls_md_context_t *
+md_ctx_new(void)
+{
+ mbedtls_md_context_t *ctx;
+ ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t);
+ return ctx;
+}
+
+void md_ctx_free(mbedtls_md_context_t *ctx)
+{
+ free(ctx);
+}
void
md_ctx_init(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt)
@@ -816,6 +840,21 @@ md_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst)
/*
* TODO: re-enable dmsg for crypto debug
*/
+
+mbedtls_md_context_t *
+hmac_ctx_new(void)
+{
+ mbedtls_md_context_t *ctx;
+ ALLOC_OBJ(ctx, mbedtls_md_context_t);
+ return ctx;
+}
+
+void
+hmac_ctx_free(mbedtls_md_context_t *ctx)
+{
+ free(ctx);
+}
+
void
hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
const mbedtls_md_info_t *kt)
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index d9b1446..a434ce3 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -73,6 +72,7 @@ typedef mbedtls_md_context_t hmac_ctx_t;
#define MD4_DIGEST_LENGTH 16
#define MD5_DIGEST_LENGTH 16
#define SHA_DIGEST_LENGTH 20
+#define SHA256_DIGEST_LENGTH 32
#define DES_KEY_LENGTH 8
/**
@@ -122,7 +122,8 @@ bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
/** Wraps mbed_log_func_line() to prevent function calls for non-errors */
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval,
- const char *func, int line) {
+ const char *func, int line)
+{
if (errval)
{
return mbed_log_func_line(flags, errval, func, line);
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b016d98..a55e65c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -42,6 +41,7 @@
#include "integer.h"
#include "crypto.h"
#include "crypto_backend.h"
+#include "openssl_compat.h"
#include <openssl/des.h>
#include <openssl/err.h>
@@ -186,14 +186,14 @@ crypto_clear_error(void)
}
void
-crypto_print_openssl_errors(const unsigned int flags) {
+crypto_print_openssl_errors(const unsigned int flags)
+{
size_t err = 0;
while ((err = ERR_get_error()))
{
/* Be more clear about frequently occurring "no shared cipher" error */
- if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO,
- SSL_R_NO_SHARED_CIPHER))
+ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
{
msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
"in common with the client. Your --tls-cipher setting might be "
@@ -286,8 +286,7 @@ show_available_ciphers()
size_t i;
/* If we ever exceed this, we must be more selective */
- const size_t cipher_list_len = 1000;
- const EVP_CIPHER *cipher_list[cipher_list_len];
+ const EVP_CIPHER *cipher_list[1000];
size_t num_ciphers = 0;
#ifndef ENABLE_SMALL
printf("The following ciphers and cipher modes are available for use\n"
@@ -312,7 +311,7 @@ show_available_ciphers()
{
cipher_list[num_ciphers++] = cipher;
}
- if (num_ciphers == cipher_list_len)
+ if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list)))
{
msg(M_WARN, "WARNING: Too many ciphers, not showing all");
break;
@@ -551,8 +550,10 @@ cipher_kt_iv_size(const EVP_CIPHER *cipher_kt)
}
int
-cipher_kt_block_size(const EVP_CIPHER *cipher) {
- /* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
+cipher_kt_block_size(const EVP_CIPHER *cipher)
+{
+ /*
+ * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
* around that, try to replace the mode with 'CBC' and return the block size
* reported for that cipher, if possible. If that doesn't work, just return
* the value reported by OpenSSL.
@@ -649,6 +650,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
*
*/
+cipher_ctx_t *
+cipher_ctx_new(void)
+{
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void
+cipher_ctx_free(EVP_CIPHER_CTX *ctx)
+{
+ EVP_CIPHER_CTX_free(ctx);
+}
void
cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
@@ -656,8 +670,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
{
ASSERT(NULL != kt && NULL != ctx);
- CLEAR(*ctx);
-
EVP_CIPHER_CTX_init(ctx);
if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
{
@@ -669,7 +681,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
crypto_msg(M_FATAL, "EVP set key size");
}
#endif
- if (!EVP_CipherInit(ctx, NULL, key, NULL, enc))
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
{
crypto_msg(M_FATAL, "EVP cipher init #2");
}
@@ -722,7 +734,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
int
cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf)
{
- return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1);
+ return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
}
int
@@ -843,13 +855,24 @@ md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst)
return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL);
}
+EVP_MD_CTX *
+md_ctx_new(void)
+{
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void md_ctx_free(EVP_MD_CTX *ctx)
+{
+ EVP_MD_CTX_free(ctx);
+}
+
void
md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
{
ASSERT(NULL != ctx && NULL != kt);
- CLEAR(*ctx);
-
EVP_MD_CTX_init(ctx);
EVP_DigestInit(ctx, kt);
}
@@ -857,7 +880,7 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
void
md_ctx_cleanup(EVP_MD_CTX *ctx)
{
- EVP_MD_CTX_cleanup(ctx);
+ EVP_MD_CTX_reset(ctx);
}
int
@@ -887,6 +910,19 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
*
*/
+HMAC_CTX *
+hmac_ctx_new(void)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void
+hmac_ctx_free(HMAC_CTX *ctx)
+{
+ HMAC_CTX_free(ctx);
+}
void
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@@ -894,8 +930,6 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
{
ASSERT(NULL != kt && NULL != ctx);
- CLEAR(*ctx);
-
HMAC_CTX_init(ctx);
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
@@ -906,7 +940,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
void
hmac_ctx_cleanup(HMAC_CTX *ctx)
{
- HMAC_CTX_cleanup(ctx);
+ HMAC_CTX_reset(ctx);
}
int
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 56ec6e1..60a2812 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -33,6 +32,7 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
+#include <openssl/sha.h>
/** Generic cipher key type %context. */
typedef EVP_CIPHER cipher_kt_t;
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 69a5a32..d90cc5d 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -281,7 +281,9 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
}
/* and now, we have to reverse the byte-order in the result from CryptSignHash()... */
for (i = 0; i < len; i++)
+ {
to[i] = buf[len - i - 1];
+ }
free(buf);
CryptDestroyHash(hash);
@@ -389,7 +391,9 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
}
hash[i] = x;
/* skip any space(s) between hex numbers */
- for (p++; *p && *p == ' '; p++) ;
+ for (p++; *p && *p == ' '; p++)
+ {
+ }
}
blob.cbData = i;
blob.pbData = (unsigned char *) &hash;
@@ -547,7 +551,8 @@ err:
#else /* ifdef ENABLE_CRYPTOAPI */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* _WIN32 */
diff --git a/src/openvpn/dhcp.c b/src/openvpn/dhcp.c
index c17a22e..a2a5454 100644
--- a/src/openvpn/dhcp.c
+++ b/src/openvpn/dhcp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -160,17 +159,20 @@ udp_checksum(const uint8_t *buf,
/* make 16 bit words out of every two adjacent 8 bit words and */
/* calculate the sum of all 16 bit words */
- for (i = 0; i < len_udp; i += 2) {
+ for (i = 0; i < len_udp; i += 2)
+ {
word16 = ((buf[i] << 8) & 0xFF00) + ((i + 1 < len_udp) ? (buf[i+1] & 0xFF) : 0);
sum += word16;
}
/* add the UDP pseudo header which contains the IP source and destination addresses */
- for (i = 0; i < 4; i += 2) {
+ for (i = 0; i < 4; i += 2)
+ {
word16 = ((src_addr[i] << 8) & 0xFF00) + (src_addr[i+1] & 0xFF);
sum += word16;
}
- for (i = 0; i < 4; i += 2) {
+ for (i = 0; i < 4; i += 2)
+ {
word16 = ((dest_addr[i] << 8) & 0xFF00) + (dest_addr[i+1] & 0xFF);
sum += word16;
}
@@ -180,7 +182,9 @@ udp_checksum(const uint8_t *buf,
/* keep only the last 16 bits of the 32 bit calculated sum and add the carries */
while (sum >> 16)
+ {
sum = (sum & 0xFFFF) + (sum >> 16);
+ }
/* Take the one's complement of sum */
return ((uint16_t) ~sum);
diff --git a/src/openvpn/dhcp.h b/src/openvpn/dhcp.h
index d406870..dc41658 100644
--- a/src/openvpn/dhcp.h
+++ b/src/openvpn/dhcp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef DHCP_H
diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index c4dd518..5bb043b 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef ERRLEVEL_H
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index e78f272..ce50ff9 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -836,7 +835,8 @@ strerror_win32(DWORD errnum, struct gc_arena *gc)
* Posix equivalents.
*/
#if 1
- switch (errnum) {
+ switch (errnum)
+ {
/*
* When the TAP-Windows driver returns STATUS_UNSUCCESSFUL, this code
* gets returned to user space.
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index df4eee7..14ef7e6 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef ERROR_H
@@ -394,7 +393,8 @@ ignore_sys_error(const int err)
/** Convert fatal errors to nonfatal, don't touch other errors */
static inline unsigned int
-nonfatal(const unsigned int err) {
+nonfatal(const unsigned int err)
+{
return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err;
}
diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index f4922e0..d123070 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -394,11 +393,13 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return
{
int i;
for (i = 0; i < wes->n_events; ++i)
+ {
dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format,
i,
wes->events[i],
wes->esr[i].rwflags,
(ptr_type)wes->esr[i].arg);
+ }
}
#endif
@@ -922,7 +923,9 @@ se_reset(struct event_set *es)
FD_ZERO(&ses->readfds);
FD_ZERO(&ses->writefds);
for (i = 0; i <= ses->maxfd; ++i)
+ {
ses->args[i] = NULL;
+ }
ses->maxfd = -1;
}
diff --git a/src/openvpn/event.h b/src/openvpn/event.h
index 6a6e029..ff795f4 100644
--- a/src/openvpn/event.h
+++ b/src/openvpn/event.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef EVENT_H
diff --git a/src/openvpn/fdmisc.c b/src/openvpn/fdmisc.c
index 401069d..56e2250 100644
--- a/src/openvpn/fdmisc.c
+++ b/src/openvpn/fdmisc.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/fdmisc.h b/src/openvpn/fdmisc.h
index 1e84a08..b6d7101 100644
--- a/src/openvpn/fdmisc.h
+++ b/src/openvpn/fdmisc.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FD_MISC_H
diff --git a/src/openvpn/forward-inline.h b/src/openvpn/forward-inline.h
index 97e1cd6..ab83ea4 100644
--- a/src/openvpn/forward-inline.h
+++ b/src/openvpn/forward-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FORWARD_INLINE_H
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 8102e94..371ddca 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -866,9 +865,16 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
* will load crypto_options with the correct encryption key
* and return false.
*/
+ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
floated, &ad_start))
{
+ /* Restore pre-NCP frame parameters */
+ if (is_hard_reset(opcode, c->options.key_method))
+ {
+ c->c2.frame = c->c2.frame_initial;
+ }
+
interval_action(&c->c2.tmp_int);
/* reset packet received timer if TLS packet */
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index ae86e7a..9fde5a3 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c
index 6fbfe08..38de62f 100644
--- a/src/openvpn/fragment.c
+++ b/src/openvpn/fragment.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,7 +43,9 @@ fragment_list_buf_init(struct fragment_list *list, const struct frame *frame)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
list->fragments[i].buf = alloc_buf(BUF_SIZE(frame));
+ }
}
static void
@@ -52,7 +53,9 @@ fragment_list_buf_free(struct fragment_list *list)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
free_buf(&list->fragments[i].buf);
+ }
}
/*
@@ -67,7 +70,9 @@ fragment_list_get_buf(struct fragment_list *list, int seq_id)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
list->fragments[i].defined = false;
+ }
list->index = 0;
list->seq_id = seq_id;
diff = 0;
@@ -433,6 +438,7 @@ fragment_wakeup(struct fragment_master *f, struct frame *frame)
#else /* ifdef ENABLE_FRAGMENT */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_FRAGMENT */
diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h
index a24b524..90ba8f7 100644
--- a/src/openvpn/fragment.h
+++ b/src/openvpn/fragment.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FRAGMENT_H
diff --git a/src/openvpn/gremlin.c b/src/openvpn/gremlin.c
index 5bff5e8..e85ce9c 100644
--- a/src/openvpn/gremlin.c
+++ b/src/openvpn/gremlin.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -95,7 +94,8 @@ get_packet_flood_parms(int level)
* Return true with probability 1/n
*/
static bool
-flip(int n) {
+flip(int n)
+{
return (get_random() % n) == 0;
}
@@ -104,7 +104,8 @@ flip(int n) {
* low and high.
*/
static int
-roll(int low, int high) {
+roll(int low, int high)
+{
int ret;
ASSERT(low <= high);
ret = low + (get_random() % (high - low + 1));
@@ -181,7 +182,8 @@ ask_gremlin(int flags)
* Possibly corrupt a packet.
*/
void
-corrupt_gremlin(struct buffer *buf, int flags) {
+corrupt_gremlin(struct buffer *buf, int flags)
+{
const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags);
if (corrupt_level)
{
@@ -194,7 +196,8 @@ corrupt_gremlin(struct buffer *buf, int flags) {
uint8_t r = roll(0, 255);
int method = roll(0, 5);
- switch (method) {
+ switch (method)
+ {
case 0: /* corrupt the first byte */
*BPTR(buf) = r;
break;
@@ -232,6 +235,7 @@ corrupt_gremlin(struct buffer *buf, int flags) {
#else /* ifdef ENABLE_DEBUG */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_DEBUG */
diff --git a/src/openvpn/gremlin.h b/src/openvpn/gremlin.h
index 8f41864..8b23b34 100644
--- a/src/openvpn/gremlin.h
+++ b/src/openvpn/gremlin.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef GREMLIN_H
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index adcc4f8..17d1528 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/helper.h b/src/openvpn/helper.h
index 593d1ed..c5b438b 100644
--- a/src/openvpn/helper.h
+++ b/src/openvpn/helper.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index 01301c0..c553f93 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,7 +43,8 @@ CvtHex(
unsigned short i;
unsigned char j;
- for (i = 0; i < HASHLEN; i++) {
+ for (i = 0; i < HASHLEN; i++)
+ {
j = (Bin[i] >> 4) & 0xf;
if (j <= 9)
{
@@ -80,27 +80,28 @@ DigestCalcHA1(
)
{
HASH HA1;
- md_ctx_t md5_ctx;
+ md_ctx_t *md5_ctx = md_ctx_new();
const md_kt_t *md5_kt = md_kt_get("MD5");
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
- md_ctx_final(&md5_ctx, HA1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
+ md_ctx_final(md5_ctx, HA1);
if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
{
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, HA1, HASHLEN);
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_final(&md5_ctx, HA1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, HA1, HASHLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_final(md5_ctx, HA1);
}
- md_ctx_cleanup(&md5_ctx);
+ md_ctx_cleanup(md5_ctx);
+ md_ctx_free(md5_ctx);
CvtHex(HA1, SessionKey);
}
@@ -122,40 +123,41 @@ DigestCalcResponse(
HASH RespHash;
HASHHEX HA2Hex;
- md_ctx_t md5_ctx;
+ md_ctx_t *md5_ctx = md_ctx_new();
const md_kt_t *md5_kt = md_kt_get("MD5");
/* calculate H(A2) */
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
if (strcasecmp(pszQop, "auth-int") == 0)
{
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, HEntity, HASHHEXLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, HEntity, HASHHEXLEN);
}
- md_ctx_final(&md5_ctx, HA2);
+ md_ctx_final(md5_ctx, HA2);
CvtHex(HA2, HA2Hex);
/* calculate response */
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, HA1, HASHHEXLEN);
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, HA1, HASHHEXLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
if (*pszQop)
{
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
}
- md_ctx_update(&md5_ctx, HA2Hex, HASHHEXLEN);
- md_ctx_final(&md5_ctx, RespHash);
- md_ctx_cleanup(&md5_ctx);
+ md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN);
+ md_ctx_final(md5_ctx, RespHash);
+ md_ctx_cleanup(md5_ctx);
+ md_ctx_free(md5_ctx);
CvtHex(RespHash, Response);
}
diff --git a/src/openvpn/httpdigest.h b/src/openvpn/httpdigest.h
index b074fb2..aae7b8c 100644
--- a/src/openvpn/httpdigest.h
+++ b/src/openvpn/httpdigest.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if PROXY_DIGEST_AUTH
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9a3e29d..0652ef4 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -252,31 +251,42 @@ ce_management_query_remote(struct context *c)
{
struct gc_arena gc = gc_new();
volatile struct connection_entry *ce = &c->options.ce;
- int ret = true;
+ int ce_changed = true; /* presume the connection entry will be changed */
+
update_time();
if (management)
{
struct buffer out = alloc_buf_gc(256, &gc);
- buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false));
+
+ buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
+ proto2ascii(ce->proto, ce->af, false));
management_notify_generic(management, BSTR(&out));
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);
- while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+
+ ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
+ while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
+ & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
{
management_event_loop_n_seconds(management, 1);
if (IS_SIG(c))
{
- ret = false;
+ ce_changed = false; /* connection entry have not been set */
break;
}
}
}
+ gc_free(&gc);
+
+ if (ce_changed)
{
- const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
- ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);
+ /* If it is likely a connection entry was modified,
+ * check what changed in the flags and that it was not skipped
+ */
+ const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
+ & CE_MAN_QUERY_REMOTE_MASK);
+ ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
}
- gc_free(&gc);
- return ret;
+ return ce_changed;
}
#endif /* ENABLE_MANAGEMENT */
@@ -331,7 +341,8 @@ next_connection_entry(struct context *c)
struct connection_entry *ce;
int n_cycles = 0;
- do {
+ do
+ {
ce_defined = true;
if (c->options.no_advance && l->current >= 0)
{
@@ -403,11 +414,7 @@ next_connection_entry(struct context *c)
break;
}
}
- else
-#endif
-
-#ifdef ENABLE_MANAGEMENT
- if (ce_defined && management && management_query_proxy_enabled(management))
+ else if (ce_defined && management && management_query_proxy_enabled(management))
{
ce_defined = ce_management_query_proxy(c);
if (IS_SIG(c))
@@ -533,8 +540,10 @@ context_init_1(struct context *c)
int i;
pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
+ {
pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
+ }
}
#endif
@@ -552,6 +561,15 @@ context_init_1(struct context *c)
}
#endif
+#ifdef ENABLE_SYSTEMD
+ /* We can report the PID via getpid() to systemd here as OpenVPN will not
+ * do any fork due to daemon() a future call.
+ * See possibly_become_daemon() [init.c] for more details.
+ */
+ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
+ (unsigned long) getpid());
+#endif
+
}
void
@@ -614,7 +632,9 @@ init_static(void)
{
int i;
for (i = 0; i < argc; ++i)
+ {
msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
+ }
}
#endif
@@ -760,7 +780,9 @@ init_static(void)
{
int i;
for (i = 0; i < SIZE(text); ++i)
+ {
buffer_list_push(bl, (unsigned char *)text[i]);
+ }
}
printf("[cap=%d i=%d] *************************\n", listcap, iter);
if (!(iter & 8))
@@ -783,7 +805,9 @@ init_static(void)
int c;
printf("'");
while ((c = buf_read_u8(buf)) >= 0)
+ {
putchar(c);
+ }
printf("'\n");
buffer_list_advance(bl, 0);
}
@@ -1026,24 +1050,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
{
if (no_delay)
{
-#ifdef ENABLE_SYSTEMD
- /* If OpenVPN is started by systemd, the OpenVPN process needs
- * to provide a preliminary status report to systemd. This is
- * needed as $NOTIFY_SOCKET will not be available inside the
- * chroot, which sd_notify()/sd_notifyf() depends on.
- *
- * This approach is the simplest and the most non-intrusive
- * solution right before the 2.4_rc2 release.
- *
- * TODO: Consider altnernative solutions - bind mount?
- * systemd does not grok OpenVPN configuration files, thus cannot
- * have a sane way to know if OpenVPN will chroot or not and to
- * which subdirectory it will chroot into.
- */
- sd_notifyf(0, "READY=1\n"
- "STATUS=Entering chroot, most of the init completed successfully\n"
- "MAINPID=%lu", (unsigned long) getpid());
-#endif
platform_chroot(c->options.chroot_dir);
}
else if (c->first_time)
@@ -1376,6 +1382,21 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
/* If we delayed UID/GID downgrade or chroot, do it now */
do_uid_gid_chroot(c, true);
+
+#ifdef ENABLE_CRYPTO
+ /*
+ * In some cases (i.e. when receiving auth-token via
+ * push-reply) the auth-nocache option configured on the
+ * client is overridden; for this reason we have to wait
+ * for the push-reply message before attempting to wipe
+ * the user/pass entered by the user
+ */
+ if (c->options.mode == MODE_POINT_TO_POINT)
+ {
+ delayed_auth_pass_purge();
+ }
+#endif /* ENABLE_CRYPTO */
+
/* Test if errors */
if (flags & ISC_ERRORS)
{
@@ -1393,7 +1414,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
else
{
#ifdef ENABLE_SYSTEMD
- sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid());
+ sd_notifyf(0, "STATUS=%s", message);
#endif
msg(M_INFO, "%s", message);
}
@@ -1830,7 +1851,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(c->options.msg_channel))
+ if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
@@ -1870,7 +1891,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(c->options.msg_channel))
+ if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
@@ -1903,12 +1924,12 @@ tun_abort()
* equal, or either one is all-zeroes.
*/
static bool
-options_hash_changed_or_zero(const struct md5_digest *a,
- const struct md5_digest *b)
+options_hash_changed_or_zero(const struct sha256_digest *a,
+ const struct sha256_digest *b)
{
- const struct md5_digest zero = {{0}};
- return memcmp(a, b, sizeof(struct md5_digest))
- || !memcmp(a, &zero, sizeof(struct md5_digest));
+ const struct sha256_digest zero = {{0}};
+ return memcmp(a, b, sizeof(struct sha256_digest))
+ || !memcmp(a, &zero, sizeof(struct sha256_digest));
}
#endif /* P2MP */
@@ -1919,7 +1940,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
{
reset_coarse_timers(c);
- if (pulled_options && option_types_found)
+ if (pulled_options)
{
if (!do_deferred_options(c, option_types_found))
{
@@ -2625,6 +2646,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
to.remote_cert_eku = options->remote_cert_eku;
to.verify_hash = options->verify_hash;
+ to.verify_hash_algo = options->verify_hash_algo;
#ifdef ENABLE_X509ALTUSERNAME
to.x509_username_field = (char *) options->x509_username_field;
#else
@@ -2752,7 +2774,10 @@ do_init_crypto_none(const struct context *c)
{
ASSERT(!c->options.test_crypto);
msg(M_WARN,
- "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+ "******* WARNING *******: All encryption and authentication features "
+ "disabled -- All data will be tunnelled as clear text and will not be "
+ "protected against man-in-the-middle changes. "
+ "PLEASE DO RECONSIDER THIS CONFIGURATION!");
}
#endif /* ifdef ENABLE_CRYPTO */
@@ -2997,6 +3022,10 @@ do_option_warnings(struct context *c)
{
msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
}
+ if (o->ns_cert_type)
+ {
+ msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
+ }
#endif /* ifdef ENABLE_CRYPTO */
/* If a script is used, print appropiate warnings */
@@ -4055,6 +4084,8 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
c->c2.did_open_tun = do_open_tun(c);
}
+ c->c2.frame_initial = c->c2.frame;
+
/* print MTU info */
do_print_data_channel_mtu_parms(c);
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 3b97d84..15feb67 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef INIT_H
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index bae8f16..240781b 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef INTEGER_H
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c
index 99e72a0..1634386 100644
--- a/src/openvpn/interval.c
+++ b/src/openvpn/interval.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 5ed64a9..8095c0b 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -106,7 +105,8 @@ interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
* In wakeup seconds, interval_test will return true once.
*/
static inline void
-interval_future_trigger(struct interval *top, interval_t wakeup) {
+interval_future_trigger(struct interval *top, interval_t wakeup)
+{
if (wakeup)
{
#if INTERVAL_DEBUG
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index fb9f664..edca6f7 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -476,7 +475,8 @@ list_test(void)
int inc = 0;
int count = 0;
- for (base = 0; base < hash_n_buckets(hash); base += inc) {
+ for (base = 0; base < hash_n_buckets(hash); base += inc)
+ {
struct hash_iterator hi;
struct hash_element *he;
inc = (get_random() % 3) + 1;
@@ -670,6 +670,7 @@ hash_func(const uint8_t *k, uint32_t length, uint32_t initval)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/list.h b/src/openvpn/list.h
index 6270f88..c808efa 100644
--- a/src/openvpn/list.h
+++ b/src/openvpn/list.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef LIST_H
diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c
index 3d6891e..f754865 100644
--- a/src/openvpn/lzo.c
+++ b/src/openvpn/lzo.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -267,6 +266,7 @@ const struct compress_alg lzo_alg = {
#else /* if defined(ENABLE_LZO) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_LZO */
diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h
index 85937b2..deaeb8d 100644
--- a/src/openvpn/lzo.h
+++ b/src/openvpn/lzo.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_LZO_H
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 763f6c6..c2e8dc7 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -1984,7 +1983,9 @@ man_process_command(struct management *man, const char *line)
{
int i;
for (i = 0; i < nparms; ++i)
+ {
msg(M_INFO, "[%d] '%s'", i, parms[i]);
+ }
}
#endif
@@ -3088,7 +3089,8 @@ management_io(struct management *man)
if (net_events & FD_READ)
{
while (man_read(man) > 0)
- ;
+ {
+ }
net_event_win32_clear_selected_events(&man->connection.ne32, FD_READ);
}
@@ -3311,7 +3313,8 @@ man_wait_for_client_connection(struct management *man,
{
msg(D_MANAGEMENT, "Need information from management interface, waiting...");
}
- do {
+ do
+ {
man_standalone_event_loop(man, signal_received, expire);
if (signal_received && *signal_received)
{
@@ -3929,7 +3932,9 @@ log_history_free_contents(struct log_history *h)
{
int i;
for (i = 0; i < h->size; ++i)
+ {
log_entry_free_contents(&h->array[log_index(h, i)]);
+ }
free(h->array);
}
@@ -3973,7 +3978,9 @@ log_history_resize(struct log_history *h, const int capacity)
log_history_obj_init(&newlog, capacity);
for (i = 0; i < h->size; ++i)
+ {
log_history_add(&newlog, &h->array[log_index(h, i)]);
+ }
log_history_free_contents(h);
*h = newlog;
@@ -3995,6 +4002,7 @@ log_history_ref(const struct log_history *h, const int index)
#else /* ifdef ENABLE_MANAGEMENT */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_MANAGEMENT */
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h
index 6e5cb9b..542cc07 100644
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MANAGE_H
diff --git a/src/openvpn/mbuf.c b/src/openvpn/mbuf.c
index 7a23e59..fafbce0 100644
--- a/src/openvpn/mbuf.c
+++ b/src/openvpn/mbuf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -174,6 +173,7 @@ mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
#else /* if P2MP */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP */
diff --git a/src/openvpn/mbuf.h b/src/openvpn/mbuf.h
index cfaef58..e0643de 100644
--- a/src/openvpn/mbuf.h
+++ b/src/openvpn/mbuf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MBUF_H
diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h
index ee30b15..0ba695f 100644
--- a/src/openvpn/memdbg.h
+++ b/src/openvpn/memdbg.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MEMDBG_H
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 87f03be..fbd9938 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -650,7 +649,8 @@ const char *
env_set_get(const struct env_set *es, const char *name)
{
const struct env_item *item = es->list;
- while (item && !env_string_equal(item->string, name)) {
+ while (item && !env_string_equal(item->string, name))
+ {
item = item->next;
}
return item ? item->string : NULL;
@@ -700,57 +700,6 @@ env_set_inherit(struct env_set *es, const struct env_set *src)
}
}
-void
-env_set_add_to_environment(const struct env_set *es)
-{
- if (es)
- {
- struct gc_arena gc = gc_new();
- const struct env_item *e;
-
- e = es->list;
-
- while (e)
- {
- const char *name;
- const char *value;
-
- if (deconstruct_name_value(e->string, &name, &value, &gc))
- {
- setenv_str(NULL, name, value);
- }
-
- e = e->next;
- }
- gc_free(&gc);
- }
-}
-
-void
-env_set_remove_from_environment(const struct env_set *es)
-{
- if (es)
- {
- struct gc_arena gc = gc_new();
- const struct env_item *e;
-
- e = es->list;
-
- while (e)
- {
- const char *name;
- const char *value;
-
- if (deconstruct_name_value(e->string, &name, &value, &gc))
- {
- setenv_del(NULL, name);
- }
-
- e = e->next;
- }
- gc_free(&gc);
- }
-}
/* add/modify/delete environmental strings */
@@ -1438,7 +1387,7 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag)
static const uint8_t hashprefix[] = "AUTO_USERID_DIGEST";
const md_kt_t *md5_kt = md_kt_get("MD5");
- md_ctx_t ctx;
+ md_ctx_t *ctx;
CLEAR(*up);
buf_set_write(&buf, (uint8_t *)up->username, USER_PASS_LEN);
@@ -1446,11 +1395,13 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag)
if (get_default_gateway_mac_addr(macaddr))
{
dmsg(D_AUTO_USERID, "GUPAU: macaddr=%s", format_hex_ex(macaddr, sizeof(macaddr), 0, 1, ":", &gc));
- md_ctx_init(&ctx, md5_kt);
- md_ctx_update(&ctx, hashprefix, sizeof(hashprefix) - 1);
- md_ctx_update(&ctx, macaddr, sizeof(macaddr));
- md_ctx_final(&ctx, digest);
- md_ctx_cleanup(&ctx)
+ ctx = md_ctx_new();
+ md_ctx_init(ctx, md5_kt);
+ md_ctx_update(ctx, hashprefix, sizeof(hashprefix) - 1);
+ md_ctx_update(ctx, macaddr, sizeof(macaddr));
+ md_ctx_final(ctx, digest);
+ md_ctx_cleanup(ctx);
+ md_ctx_free(ctx);
buf_printf(&buf, "%s", format_hex_ex(digest, sizeof(digest), 0, 256, " ", &gc));
}
else
@@ -1479,7 +1430,11 @@ purge_user_pass(struct user_pass *up, const bool force)
secure_memzero(up, sizeof(*up));
up->nocache = nocache;
}
- else if (!warn_shown)
+ /*
+ * don't show warning if the pass has been replaced by a token: this is an
+ * artificial "auth-nocache"
+ */
+ else if (!warn_shown && (!up->tokenized))
{
msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
warn_shown = true;
@@ -1493,6 +1448,7 @@ set_auth_token(struct user_pass *up, const char *token)
{
CLEAR(up->password);
strncpynt(up->password, token, USER_PASS_LEN);
+ up->tokenized = true;
}
}
@@ -1547,7 +1503,9 @@ make_env_array(const struct env_set *es,
if (es)
{
for (e = es->list; e != NULL; e = e->next)
+ {
++n;
+ }
}
/* alloc return array */
@@ -1609,7 +1567,9 @@ make_inline_array(const char *str, struct gc_arena *gc)
buf_set_read(&buf, (const uint8_t *) str, strlen(str));
while (buf_parse(&buf, '\n', line, sizeof(line)))
+ {
++len;
+ }
/* alloc return array */
ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc);
@@ -1639,7 +1599,9 @@ make_arg_copy(char **p, struct gc_arena *gc)
ALLOC_ARRAY_CLEAR_GC(ret, char *, max_parms, gc);
for (i = 0; i < len; ++i)
+ {
ret[i] = p[i];
+ }
return (const char **)ret;
}
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 16be621..ce96549 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MISC_H
@@ -161,10 +160,6 @@ void env_set_print(int msglevel, const struct env_set *es);
void env_set_inherit(struct env_set *es, const struct env_set *src);
-void env_set_add_to_environment(const struct env_set *es);
-
-void env_set_remove_from_environment(const struct env_set *es);
-
/* Make arrays of strings */
const char **make_env_array(const struct env_set *es,
@@ -206,6 +201,8 @@ struct user_pass
{
bool defined;
bool nocache;
+ bool tokenized; /* true if password has been substituted by a token */
+ bool wait_for_push; /* true if this object is waiting for a push-reply */
/* max length of username/password */
#ifdef ENABLE_PKCS11
diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c
index 8b466b6..7b46a6a 100644
--- a/src/openvpn/mroute.c
+++ b/src/openvpn/mroute.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -562,6 +561,7 @@ mroute_helper_free(struct mroute_helper *mh)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h
index 0698348..e57a950 100644
--- a/src/openvpn/mroute.h
+++ b/src/openvpn/mroute.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MROUTE_H
diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 5b110d2..c36e004 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -120,8 +119,12 @@ mss_fixup_ipv6(struct buffer *buf, int maxmss)
return;
}
+ /* skip IPv6 header (40 bytes),
+ * verify remainder is large enough to contain a full TCP header
+ */
newbuf = *buf;
- if (buf_advance( &newbuf, 40 ) )
+ if (buf_advance( &newbuf, 40 )
+ && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr))
{
struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
@@ -145,7 +148,10 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
int accumulate;
struct openvpn_tcphdr *tc;
- ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr));
+ if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
+ {
+ return;
+ }
verify_align_4(buf);
tc = (struct openvpn_tcphdr *) BPTR(buf);
@@ -160,8 +166,9 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
for (olen = hlen - sizeof(struct openvpn_tcphdr),
opt = (uint8_t *)(tc + 1);
- olen > 0;
- olen -= optlen, opt += optlen) {
+ olen > 1;
+ olen -= optlen, opt += optlen)
+ {
if (*opt == OPENVPN_TCPOPT_EOL)
{
break;
diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h
index afe7a32..0de2042 100644
--- a/src/openvpn/mss.h
+++ b/src/openvpn/mss.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MSS_H
diff --git a/src/openvpn/mstats.c b/src/openvpn/mstats.c
index 8ab1d02..9b09188 100644
--- a/src/openvpn/mstats.c
+++ b/src/openvpn/mstats.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mstats.h b/src/openvpn/mstats.h
index f87a858..486035f 100644
--- a/src/openvpn/mstats.h
+++ b/src/openvpn/mstats.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c
index b5471b1..cb940d8 100644
--- a/src/openvpn/mtcp.c
+++ b/src/openvpn/mtcp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -587,7 +586,8 @@ multi_tcp_action(struct multi_context *m, struct multi_instance *mi, int action,
{
bool tun_input_pending = false;
- do {
+ do
+ {
dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_action a=%s p=%d",
pract(action),
poll);
diff --git a/src/openvpn/mtcp.h b/src/openvpn/mtcp.h
index 835b8fd..79dcb13 100644
--- a/src/openvpn/mtcp.h
+++ b/src/openvpn/mtcp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 73eab21..44bef68 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 471e51e..d1e8c18 100644
--- a/src/openvpn/mtu.h
+++ b/src/openvpn/mtu.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MTU_H
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 64ce4d7..793678d 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/mudp.h b/src/openvpn/mudp.h
index a98d64d..b9ceaf7 100644
--- a/src/openvpn/mudp.h
+++ b/src/openvpn/mudp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index f6f3f5d..8d3d67f 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -537,10 +536,14 @@ multi_del_iroutes(struct multi_context *m,
if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
{
for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
+ {
mroute_helper_del_iroute46(m->route_helper, ir->netbits);
+ }
for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
+ {
mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
+ }
}
}
@@ -819,7 +822,8 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
mi->did_iter = true;
#ifdef MANAGEMENT_DEF_AUTH
- do {
+ do
+ {
mi->context.c2.mda_context.cid = m->cid_counter++;
} while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
mi->did_cid_hash = true;
@@ -2949,10 +2953,14 @@ gremlin_flood_clients(struct multi_context *m)
parm.packet_size);
for (i = 0; i < parm.packet_size; ++i)
+ {
ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
+ }
for (i = 0; i < parm.n_packets; ++i)
+ {
multi_bcast(m, &buf, NULL, NULL);
+ }
gc_free(&gc);
}
@@ -3375,6 +3383,7 @@ tunnel_server(struct context *top)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index b4ffd69..63afbaf 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index e78af9e..0b1163e 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -15,10 +15,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -86,13 +85,13 @@ static void
gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char *result)
{
const md_kt_t *md5_kt = md_kt_get("MD5");
- hmac_ctx_t hmac_ctx;
- CLEAR(hmac_ctx);
+ hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
- hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
- hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
- hmac_ctx_cleanup(&hmac_ctx);
+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+ hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len);
+ hmac_ctx_final(hmac_ctx, (unsigned char *)result);
+ hmac_ctx_cleanup(hmac_ctx);
+ hmac_ctx_free(hmac_ctx);
}
static void
@@ -124,19 +123,22 @@ gen_nonce(unsigned char *nonce)
/* Generates 8 random bytes to be used as client nonce */
int i;
- for (i = 0; i<8; i++) {
+ for (i = 0; i<8; i++)
+ {
nonce[i] = (unsigned char)get_random();
}
}
-unsigned char *
+void
my_strupr(unsigned char *str)
{
/* converts string to uppercase in place */
- unsigned char *tmp = str;
- do *str = toupper(*str); while (*(++str));
- return tmp;
+ while (*str)
+ {
+ *str = toupper(*str);
+ str++;
+ }
}
static int
@@ -193,7 +195,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
*/
char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
- char buf2[128]; /* decoded reply from proxy */
+ unsigned char buf2[128]; /* decoded reply from proxy */
unsigned char phase3[464];
char md4_hash[MD4_DIGEST_LENGTH+5];
@@ -299,7 +301,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
tib_len = 96;
}
{
- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
+ char *tib_ptr;
+ int tib_pos = buf2[0x2c];
+ if (tib_pos + tib_len > sizeof(buf2))
+ {
+ return NULL;
+ }
+ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
}
}
@@ -373,6 +381,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
#else /* if NTLM */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* if NTLM */
diff --git a/src/openvpn/occ-inline.h b/src/openvpn/occ-inline.h
index 84fe1ac..68e9098 100644
--- a/src/openvpn/occ-inline.h
+++ b/src/openvpn/occ-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OCC_INLINE_H
diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c
index b4ccc4d..40f7e76 100644
--- a/src/openvpn/occ.c
+++ b/src/openvpn/occ.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -430,6 +429,7 @@ process_received_occ_msg(struct context *c)
#else /* ifdef ENABLE_OCC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_OCC */
diff --git a/src/openvpn/occ.h b/src/openvpn/occ.h
index 843ceb2..12d7bc5 100644
--- a/src/openvpn/occ.h
+++ b/src/openvpn/occ.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OCC_H
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
new file mode 100644
index 0000000..c765f0b
--- /dev/null
+++ b/src/openvpn/openssl_compat.h
@@ -0,0 +1,657 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file OpenSSL compatibility stub
+ *
+ * This file provide compatibility stubs for the OpenSSL libraries
+ * prior to version 1.1. This version introduces many changes in the
+ * library interface, including the fact that various objects and
+ * structures are not fully opaque.
+ */
+
+#ifndef OPENSSL_COMPAT_H_
+#define OPENSSL_COMPAT_H_
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+#include "buffer.h"
+
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
+#if !defined(HAVE_EVP_MD_CTX_RESET)
+/**
+ * Reset a message digest context
+ *
+ * @param ctx The message digest context
+ * @return 1 on success, 0 on error
+ */
+static inline int
+EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+{
+ EVP_MD_CTX_cleanup(ctx);
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_EVP_MD_CTX_FREE)
+/**
+ * Free an existing message digest context
+ *
+ * @param ctx The message digest context
+ */
+static inline void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+ free(ctx);
+}
+#endif
+
+#if !defined(HAVE_EVP_MD_CTX_NEW)
+/**
+ * Allocate a new message digest object
+ *
+ * @return A zero'ed message digest object
+ */
+static inline EVP_MD_CTX *
+EVP_MD_CTX_new(void)
+{
+ EVP_MD_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, EVP_MD_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
+/**
+ * Free an existing cipher context
+ *
+ * @param ctx The cipher context
+ */
+static inline void
+EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c)
+{
+ free(c);
+}
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
+/**
+ * Allocate a new cipher context object
+ *
+ * @return A zero'ed cipher context object
+ */
+static inline EVP_CIPHER_CTX *
+EVP_CIPHER_CTX_new(void)
+{
+ EVP_CIPHER_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_RESET)
+/**
+ * Reset a HMAC context
+ *
+ * @param ctx The HMAC context
+ * @return 1 on success, 0 on error
+ */
+static inline int
+HMAC_CTX_reset(HMAC_CTX *ctx)
+{
+ HMAC_CTX_cleanup(ctx);
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_INIT)
+/**
+ * Init a HMAC context
+ *
+ * @param ctx The HMAC context
+ *
+ * Contrary to many functions in this file, HMAC_CTX_init() is not
+ * an OpenSSL 1.1 function: it comes from previous versions and was
+ * removed in v1.1. As a consequence, there is no distincting in
+ * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL
+ * version need this distinction.
+ *
+ * In order to respect previous OpenSSL versions, we implement init
+ * as reset for OpenSSL 1.1+.
+ */
+static inline void
+HMAC_CTX_init(HMAC_CTX *ctx)
+{
+ HMAC_CTX_reset(ctx);
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_FREE)
+/**
+ * Free an existing HMAC context
+ *
+ * @param ctx The HMAC context
+ */
+static inline void
+HMAC_CTX_free(HMAC_CTX *c)
+{
+ free(c);
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_NEW)
+/**
+ * Allocate a new HMAC context object
+ *
+ * @return A zero'ed HMAC context object
+ */
+static inline HMAC_CTX *
+HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, HMAC_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA)
+/**
+ * Fetch the default password callback user data from the SSL context
+ *
+ * @param ctx SSL context
+ * @return The password callback user data
+ */
+static inline void *
+SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx ? ctx->default_passwd_callback_userdata : NULL;
+}
+#endif
+
+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB)
+/**
+ * Fetch the default password callback from the SSL context
+ *
+ * @param ctx SSL context
+ * @return The password callback
+ */
+static inline pem_password_cb *
+SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx ? ctx->default_passwd_callback : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_GET0_PUBKEY)
+/**
+ * Get the public key from a X509 certificate
+ *
+ * @param x X509 certificate
+ * @return The certificate public key
+ */
+static inline EVP_PKEY *
+X509_get0_pubkey(const X509 *x)
+{
+ return (x && x->cert_info && x->cert_info->key) ?
+ x->cert_info->key->pkey : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_STORE_GET0_OBJECTS)
+/**
+ * Fetch the X509 object stack from the X509 store
+ *
+ * @param store X509 object store
+ * @return the X509 object stack
+ */
+static inline STACK_OF(X509_OBJECT) *
+X509_STORE_get0_objects(X509_STORE *store)
+{
+ return store ? store->objs : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_OBJECT_FREE)
+/**
+ * Destroy a X509 object
+ *
+ * @param obj X509 object
+ */
+static inline void
+X509_OBJECT_free(X509_OBJECT *obj)
+{
+ if (obj)
+ {
+ X509_OBJECT_free_contents(obj);
+ OPENSSL_free(obj);
+ }
+}
+#endif
+
+#if !defined(HAVE_X509_OBJECT_GET_TYPE)
+/**
+ * Get the type of an X509 object
+ *
+ * @param obj X509 object
+ * @return The underlying object type
+ */
+static inline int
+X509_OBJECT_get_type(const X509_OBJECT *obj)
+{
+ return obj ? obj->type : X509_LU_FAIL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_RSA)
+/**
+ * Get the RSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying RSA object
+ */
+static inline RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.rsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_ID)
+/**
+ * Get the PKEY type
+ *
+ * @param pkey Public key object
+ * @return The key type
+ */
+static inline int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+ return pkey ? pkey->type : EVP_PKEY_NONE;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_DSA)
+/**
+ * Get the DSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying DSA object
+ */
+static inline DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.dsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_RSA_SET_FLAGS)
+/**
+ * Set the RSA flags
+ *
+ * @param rsa The RSA object
+ * @param flags New flags value
+ */
+static inline void
+RSA_set_flags(RSA *rsa, int flags)
+{
+ if (rsa)
+ {
+ rsa->flags = flags;
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_GET0_KEY)
+/**
+ * Get the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n The @c n parameter
+ * @param e The @c e parameter
+ * @param d The @c d parameter
+ */
+static inline void
+RSA_get0_key(const RSA *rsa, const BIGNUM **n,
+ const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ {
+ *n = rsa ? rsa->n : NULL;
+ }
+ if (e != NULL)
+ {
+ *e = rsa ? rsa->e : NULL;
+ }
+ if (d != NULL)
+ {
+ *d = rsa ? rsa->d : NULL;
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_SET0_KEY)
+/**
+ * Set the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n The @c n parameter
+ * @param e The @c e parameter
+ * @param d The @c d parameter
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+ if ((rsa->n == NULL && n == NULL)
+ || (rsa->e == NULL && e == NULL))
+ {
+ return 0;
+ }
+
+ if (n != NULL)
+ {
+ BN_free(rsa->n);
+ rsa->n = n;
+ }
+ if (e != NULL)
+ {
+ BN_free(rsa->e);
+ rsa->e = e;
+ }
+ if (d != NULL)
+ {
+ BN_free(rsa->d);
+ rsa->d = d;
+ }
+
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_RSA_BITS)
+/**
+ * Number of significant RSA bits
+ *
+ * @param rsa The RSA object ; shall not be NULL
+ * @return The number of RSA bits or 0 on error
+ */
+static inline int
+RSA_bits(const RSA *rsa)
+{
+ const BIGNUM *n = NULL;
+ RSA_get0_key(rsa, &n, NULL, NULL);
+ return n ? BN_num_bits(n) : 0;
+}
+#endif
+
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa The DSA object
+ * @param p The @c p parameter
+ * @param q The @c q parameter
+ * @param g The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ {
+ *p = dsa ? dsa->p : NULL;
+ }
+ if (q != NULL)
+ {
+ *q = dsa ? dsa->q : NULL;
+ }
+ if (g != NULL)
+ {
+ *g = dsa ? dsa->g : NULL;
+ }
+}
+#endif
+
+#if !defined(HAVE_DSA_BITS)
+/**
+ * Number of significant DSA bits
+ *
+ * @param rsa The DSA object ; shall not be NULL
+ * @return The number of DSA bits or 0 on error
+ */
+static inline int
+DSA_bits(const DSA *dsa)
+{
+ const BIGNUM *p = NULL;
+ DSA_get0_pqg(dsa, &p, NULL, NULL);
+ return p ? BN_num_bits(p) : 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_NEW)
+/**
+ * Allocate a new RSA method object
+ *
+ * @param name The object name
+ * @param flags Configuration flags
+ * @return A new RSA method object
+ */
+static inline RSA_METHOD *
+RSA_meth_new(const char *name, int flags)
+{
+ RSA_METHOD *rsa_meth = NULL;
+ ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
+ rsa_meth->name = string_alloc(name, NULL);
+ rsa_meth->flags = flags;
+ return rsa_meth;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_FREE)
+/**
+ * Free an existing RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ */
+static inline void
+RSA_meth_free(RSA_METHOD *meth)
+{
+ if (meth)
+ {
+ /* OpenSSL defines meth->name to be a const pointer, yet we
+ * feed it with an allocated string (from RSA_meth_new()).
+ * Thus we are allowed to free it here. In order to avoid a
+ * "passing 'const char *' to parameter of type 'void *' discards
+ * qualifiers" warning, we force the pointer to be a non-const value.
+ */
+ free((char *)meth->name);
+ free(meth);
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PUB_ENC)
+/**
+ * Set the public encoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param pub_enc the public encoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_pub_enc(RSA_METHOD *meth,
+ int (*pub_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_pub_enc = pub_enc;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PUB_DEC)
+/**
+ * Set the public decoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param pub_dec the public decoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_pub_dec(RSA_METHOD *meth,
+ int (*pub_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_pub_dec = pub_dec;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PRIV_ENC)
+/**
+ * Set the private encoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param priv_enc the private encoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_priv_enc(RSA_METHOD *meth,
+ int (*priv_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_priv_enc = priv_enc;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PRIV_DEC)
+/**
+ * Set the private decoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param priv_dec the private decoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_priv_dec(RSA_METHOD *meth,
+ int (*priv_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_priv_dec = priv_dec;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_INIT)
+/**
+ * Set the init function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param init the init function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
+{
+ if (meth)
+ {
+ meth->init = init;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_FINISH)
+/**
+ * Set the finish function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param finish the finish function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
+{
+ if (meth)
+ {
+ meth->finish = finish;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET0_APP_DATA)
+/**
+ * Set the application data of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param app_data Application data
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
+{
+ if (meth)
+ {
+ meth->app_data = app_data;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+/* SSLeay symbols have been renamed in OpenSSL 1.1 */
+#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+#endif
+
+#endif /* OPENSSL_COMPAT_H_ */
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 888acda..08c09e6 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -332,7 +331,8 @@ openvpn_main(int argc, char *argv[])
#ifdef _WIN32
int
-wmain(int argc, wchar_t *wargv[]) {
+wmain(int argc, wchar_t *wargv[])
+{
char **argv;
int ret;
int i;
@@ -361,7 +361,8 @@ wmain(int argc, wchar_t *wargv[]) {
}
#else /* ifdef _WIN32 */
int
-main(int argc, char *argv[]) {
+main(int argc, char *argv[])
+{
return openvpn_main(argc, argv);
}
#endif /* ifdef _WIN32 */
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 37edec4..9262e68 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_H
@@ -202,7 +201,7 @@ struct context_1
#endif
/* if client mode, hash of option strings we pulled from server */
- struct md5_digest pulled_options_digest_save;
+ struct sha256_digest pulled_options_digest_save;
/**< Hash of option strings received from the
* remote OpenVPN server. Only used in
* client-mode. */
@@ -263,7 +262,8 @@ struct context_2
struct link_socket_actual from; /* address of incoming datagram */
/* MTU frame parameters */
- struct frame frame;
+ struct frame frame; /* Active frame parameters */
+ struct frame frame_initial; /* Restored on new session */
#ifdef ENABLE_FRAGMENT
/* Object to handle advanced MTU negotiation and datagram fragmentation */
@@ -471,9 +471,9 @@ struct context_2
bool did_pre_pull_restore;
/* hash of pulled options, so we can compare when options change */
- bool pulled_options_md5_init_done;
- md_ctx_t pulled_options_state;
- struct md5_digest pulled_options_digest;
+ bool pulled_options_digest_init_done;
+ md_ctx_t *pulled_options_state;
+ struct sha256_digest pulled_options_digest;
struct event_timeout scheduled_exit;
int scheduled_exit_signal;
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index 8dfbea5..d1c0fde 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -99,13 +99,16 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
+ <ClCompile Include="argv.c" />
<ClCompile Include="base64.c" />
+ <ClCompile Include="block_dns.c" />
<ClCompile Include="buffer.c" />
<ClCompile Include="clinat.c" />
<ClCompile Include="comp-lz4.c" />
<ClCompile Include="comp.c" />
<ClCompile Include="compstub.c" />
<ClCompile Include="console.c" />
+ <ClCompile Include="console_builtin.c" />
<ClCompile Include="crypto.c" />
<ClCompile Include="crypto_openssl.c" />
<ClCompile Include="cryptoapi.c" />
@@ -164,12 +167,15 @@
<ClCompile Include="ssl_verify.c" />
<ClCompile Include="ssl_verify_openssl.c" />
<ClCompile Include="status.c" />
+ <ClCompile Include="tls_crypt.c" />
<ClCompile Include="tun.c" />
<ClCompile Include="win32.c" />
</ItemGroup>
<ItemGroup>
+ <ClInclude Include="argv.h" />
<ClInclude Include="base64.h" />
<ClInclude Include="basic.h" />
+ <ClInclude Include="block_dns.h" />
<ClInclude Include="buffer.h" />
<ClInclude Include="circ_list.h" />
<ClInclude Include="clinat.h" />
@@ -249,6 +255,7 @@
<ClInclude Include="ssl_verify_openssl.h" />
<ClInclude Include="status.h" />
<ClInclude Include="syshead.h" />
+ <ClInclude Include="tls_crypt.h" />
<ClInclude Include="tun.h" />
<ClInclude Include="win32.h" />
</ItemGroup>
diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters
index 8b6a269..30df5ec 100644
--- a/src/openvpn/openvpn.vcxproj.filters
+++ b/src/openvpn/openvpn.vcxproj.filters
@@ -216,6 +216,18 @@
<ClCompile Include="comp-lz4.c">
<Filter>Source Files</Filter>
</ClCompile>
+ <ClCompile Include="argv.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="block_dns.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="console_builtin.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="tls_crypt.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="base64.h">
@@ -464,10 +476,22 @@
<ClInclude Include="win32.h">
<Filter>Header Files</Filter>
</ClInclude>
+ <ClInclude Include="compstub.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="argv.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="block_dns.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="tls_crypt.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="openvpn_win32_resources.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
-</Project>
+</Project> \ No newline at end of file
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index bfedb6a..fef5e90 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -592,7 +591,8 @@ static const char usage_message[] =
"--x509-username-field : Field in x509 certificate containing the username.\n"
" Default is CN in the Subject field.\n"
#endif
- "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
+ "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
+ " Valid algo flags are SHA1 and SHA256. \n"
#ifdef _WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
@@ -636,8 +636,8 @@ static const char usage_message[] =
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
- "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
- " nsCertType designation t = 'client' | 'server'.\n"
+ "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
+ " an explicit nsCertType designation t = 'client' | 'server'.\n"
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
@@ -716,7 +716,6 @@ static const char usage_message[] =
"--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
"--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
" startup.\n"
- "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
"--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
" on connection initiation.\n"
"--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
@@ -999,7 +998,9 @@ setenv_settings(struct env_set *es, const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
+ {
setenv_connection_entry(es, o->connection_list->array[i], i+1);
+ }
}
else
{
@@ -1214,7 +1215,6 @@ show_tuntap_options(const struct tuntap_options *o)
SHOW_BOOL(dhcp_options);
SHOW_BOOL(dhcp_renew);
SHOW_BOOL(dhcp_pre_release);
- SHOW_BOOL(dhcp_release);
SHOW_STR(domain);
SHOW_STR(netbios_scope);
SHOW_INT(netbios_node_type);
@@ -1761,7 +1761,9 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_INT(remote_cert_ku[i]);
+ }
}
SHOW_STR(remote_cert_eku);
SHOW_INT(ssl_flags);
@@ -1789,22 +1791,30 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
+ {
SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
+ }
}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
@@ -2939,7 +2949,9 @@ options_postprocess_verify(const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
+ {
options_postprocess_verify_ce(o, o->connection_list->array[i]);
+ }
}
else
{
@@ -2990,7 +3002,9 @@ options_postprocess_mutate(struct options *o)
ASSERT(o->connection_list);
for (i = 0; i < o->connection_list->len; ++i)
+ {
options_postprocess_mutate_ce(o, o->connection_list->array[i]);
+ }
#ifdef ENABLE_CRYPTO
if (o->tls_server)
@@ -3803,7 +3817,9 @@ options_warning_safe_scan1(const int msglevel,
char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
+ {
options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
+ }
gc_free(&gc);
}
@@ -4080,6 +4096,7 @@ usage(void)
fprintf(fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max,
o.ce.local_port, o.ce.remote_port,
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity);
@@ -4430,7 +4447,10 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
{
char *line_ptr = line;
/* Remove leading spaces */
- while (isspace(*line_ptr)) line_ptr++;
+ while (isspace(*line_ptr))
+ {
+ line_ptr++;
+ }
if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
{
endtagfound = true;
@@ -4526,7 +4546,7 @@ read_config_file(struct options *options,
FILE *fp;
int line_num;
char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
++level;
if (level <= max_recursive_levels)
@@ -4558,7 +4578,7 @@ read_config_file(struct options *options,
{
offset = 3;
}
- if (parse_line(line + offset, p, SIZE(p), file, line_num, msglevel, &options->gc))
+ if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_fp(fp, p, &options->gc);
@@ -4600,10 +4620,10 @@ read_config_string(const char *prefix,
while (buf_parse(&multiline, '\n', line, sizeof(line)))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
++line_num;
- if (parse_line(line, p, SIZE(p), prefix, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_buf(&multiline, p, &options->gc);
@@ -4734,14 +4754,14 @@ apply_push_options(struct options *options,
while (buf_parse(buf, ',', line, sizeof(line)))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
++line_num;
if (!apply_pull_filter(options, line))
{
return false; /* Cause push/pull error and stop push processing */
}
- if (parse_line(line, p, SIZE(p), file, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
{
add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
@@ -5147,7 +5167,7 @@ add_option(struct options *options,
}
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef ENABLE_PLUGIN
- else if (streq(p[0], "plugin") && p[1] && !p[3])
+ else if (streq(p[0], "plugin") && p[1])
{
VERIFY_PERMISSION(OPT_P_PLUGIN);
if (!options->plugin_list)
@@ -5297,12 +5317,14 @@ add_option(struct options *options,
if (!sub.ce.remote)
{
msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
+ uninit_options(&sub);
goto err;
}
e = alloc_connection_entry(options, msglevel);
if (!e)
{
+ uninit_options(&sub);
goto err;
}
*e = sub.ce;
@@ -5320,18 +5342,24 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
/* Find out how many options to be ignored */
for (i = 1; p[i]; i++)
+ {
numignored++;
+ }
/* add number of options already ignored */
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
+ {
numignored++;
+ }
/* Allocate array */
ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
+ {
ignore[i] = options->ignore_unknown_option[i];
+ }
options->ignore_unknown_option = ignore;
@@ -6015,7 +6043,8 @@ add_option(struct options *options,
struct http_custom_header *custom_header = NULL;
int i;
/* Find the first free header */
- for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
+ {
if (!ho->custom_headers[i].name)
{
custom_header = &ho->custom_headers[i];
@@ -7200,11 +7229,11 @@ add_option(struct options *options,
{
VERIFY_PERMISSION(OPT_P_IPWIN32);
options->tuntap_options.dhcp_pre_release = true;
+ options->tuntap_options.dhcp_renew = true;
}
else if (streq(p[0], "dhcp-release") && !p[1])
{
- VERIFY_PERMISSION(OPT_P_IPWIN32);
- options->tuntap_options.dhcp_release = true;
+ msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
}
else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
{
@@ -7676,10 +7705,25 @@ add_option(struct options *options,
options->extra_certs_file_inline = p[2];
}
}
- else if (streq(p[0], "verify-hash") && p[1] && !p[2])
+ else if (streq(p[0], "verify-hash") && p[1] && !p[3])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+
+ if (!p[2] || (p[2] && streq(p[2], "SHA1")))
+ {
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+ options->verify_hash_algo = MD_SHA1;
+ }
+ else if (p[2] && streq(p[2], "SHA256"))
+ {
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc);
+ options->verify_hash_algo = MD_SHA256;
+ }
+ else
+ {
+ msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]);
+ goto err;
+ }
}
#ifdef ENABLE_CRYPTOAPI
else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
@@ -7903,12 +7947,18 @@ add_option(struct options *options,
}
else if (streq(p[0], "remote-cert-ku"))
{
- int j;
-
VERIFY_PERMISSION(OPT_P_GENERAL);
+ size_t j;
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
+ }
+ if (j == 1)
+ {
+ /* No specific KU required, but require KU to be present */
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
+ }
}
else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
{
@@ -7921,15 +7971,12 @@ add_option(struct options *options,
if (streq(p[1], "server"))
{
- options->remote_cert_ku[0] = 0xa0;
- options->remote_cert_ku[1] = 0x88;
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
options->remote_cert_eku = "TLS Web Server Authentication";
}
else if (streq(p[1], "client"))
{
- options->remote_cert_ku[0] = 0x80;
- options->remote_cert_ku[1] = 0x08;
- options->remote_cert_ku[2] = 0x88;
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
options->remote_cert_eku = "TLS Web Client Authentication";
}
else
@@ -8037,15 +8084,25 @@ add_option(struct options *options,
if (strncmp("ext:", s, 4) != 0)
{
size_t i = 0;
- while (s[i] && !isupper(s[i])) i++;
+ while (s[i] && !isupper(s[i]))
+ {
+ i++;
+ }
if (strlen(s) == i)
{
- while ((*s = toupper(*s)) != '\0') s++;
+ while ((*s = toupper(*s)) != '\0')
+ {
+ s++;
+ }
msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
"--x509-username-field parameter to '%s'; please update your"
"configuration", p[1]);
}
}
+ else if (!x509_username_field_ext_supported(s+4))
+ {
+ msg(msglevel, "Unsupported x509-username-field extension: %s", s);
+ }
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
@@ -8094,7 +8151,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_providers[j-1] = p[j];
+ }
}
else if (streq(p[0], "pkcs11-protected-authentication"))
{
@@ -8103,7 +8162,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
+ }
}
else if (streq(p[0], "pkcs11-private-mode") && p[1])
{
@@ -8112,7 +8173,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
+ }
}
else if (streq(p[0], "pkcs11-cert-private"))
{
@@ -8121,7 +8184,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
+ }
}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index b3ab029..67b9b94 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -42,6 +41,10 @@
#include "comp.h"
#include "pushlist.h"
#include "clinat.h"
+#ifdef ENABLE_CRYPTO
+#include "crypto_backend.h"
+#endif
+
/*
* Maximum number of parameters associated with an option,
@@ -519,6 +522,7 @@ struct options
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
uint8_t *verify_hash;
+ hash_algo_type verify_hash_algo;
unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
#ifdef ENABLE_PKCS11
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
index 22abda0..3e576cc 100644
--- a/src/openvpn/otime.c
+++ b/src/openvpn/otime.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h
index eede63d..8731472 100644
--- a/src/openvpn/otime.h
+++ b/src/openvpn/otime.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OTIME_H
@@ -289,7 +288,8 @@ tv_within_sigma(const struct timeval *t1, const struct timeval *t2, unsigned int
* called again.
*/
static inline void
-interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current) {
+interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current)
+{
if (at > current)
{
const interval_t delta = (interval_t) (at - current);
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index fe13e1d..30ae8fb 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -325,12 +324,40 @@ packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
return true;
}
+static bool
+packet_id_send_update(struct packet_id_send *p, bool long_form)
+{
+ if (!p->time)
+ {
+ p->time = now;
+ }
+ if (p->id == PACKET_ID_MAX)
+ {
+ /* Packet ID only allowed to roll over if using long form and time has
+ * moved forward since last roll over.
+ */
+ if (!long_form || now <= p->time)
+ {
+ return false;
+ }
+ p->time = now;
+ p->id = 0;
+ }
+ p->id++;
+ return true;
+}
+
bool
-packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend)
+packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
+ bool prepend)
{
- packet_id_type net_id = htonpid(pin->id);
- net_time_t net_time = htontime(pin->time);
+ if (!packet_id_send_update(p, long_form))
+ {
+ return false;
+ }
+ const packet_id_type net_id = htonpid(p->id);
+ const net_time_t net_time = htontime(p->time);
if (prepend)
{
if (long_form)
@@ -629,7 +656,8 @@ packet_id_interactive_test()
packet_id_init(&pid, seq_backtrack, time_backtrack);
- while (true) {
+ while (true)
+ {
char buf[80];
if (!fgets(buf, sizeof(buf), stdin))
{
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index ecc25a6..a370936 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -50,6 +49,7 @@
* to for network transmission.
*/
typedef uint32_t packet_id_type;
+#define PACKET_ID_MAX UINT32_MAX
typedef uint32_t net_time_t;
/*
@@ -254,7 +254,18 @@ const char *packet_id_persist_print(const struct packet_id_persist *p, struct gc
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form);
-bool packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend);
+/**
+ * Write a packet ID to buf, and update the packet ID state.
+ *
+ * @param p Packet ID state.
+ * @param buf Buffer to write the packet ID too
+ * @param long_form If true, also update and write time_t to buf
+ * @param prepend If true, prepend to buffer, otherwise apppend.
+ *
+ * @return true if successful, false otherwise.
+ */
+bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
+ bool long_form, bool prepend);
/*
* Inline functions.
@@ -304,28 +315,6 @@ packet_id_close_to_wrapping(const struct packet_id_send *p)
return p->id >= PACKET_ID_WRAP_TRIGGER;
}
-/*
- * Allocate an outgoing packet id.
- * Sequence number ranges from 1 to 2^32-1.
- * In long_form, a time_t is added as well.
- */
-static inline void
-packet_id_alloc_outgoing(struct packet_id_send *p, struct packet_id_net *pin, bool long_form)
-{
- if (!p->time)
- {
- p->time = now;
- }
- pin->id = ++p->id;
- if (!pin->id)
- {
- ASSERT(long_form);
- p->time = now;
- pin->id = p->id = 1;
- }
- pin->time = p->time;
-}
-
static inline bool
check_timestamp_delta(time_t remote, unsigned int max_delta)
{
diff --git a/src/openvpn/perf.c b/src/openvpn/perf.c
index 51e051a..16cf749 100644
--- a/src/openvpn/perf.c
+++ b/src/openvpn/perf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -147,12 +146,14 @@ push_perf_index(int pindex)
{
int i;
for (i = 0; i < sindex; ++i)
+ {
if (perf_set.stack[i] == pindex)
{
perf_print_state(M_INFO);
msg(M_FATAL, "PERF: push_perf_index %s failed",
metric_names [pindex]);
}
+ }
perf_set.stack[sindex] = pindex;
perf_set.stack_len = newlen;
@@ -321,7 +322,8 @@ perf_print_state(int lev)
#else /* ifdef ENABLE_PERFORMANCE_METRICS */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* ifdef ENABLE_PERFORMANCE_METRICS */
diff --git a/src/openvpn/perf.h b/src/openvpn/perf.h
index f0430a1..ae5ae08 100644
--- a/src/openvpn/perf.h
+++ b/src/openvpn/perf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -76,13 +75,16 @@ void perf_output_results(void);
#else /* ifdef ENABLE_PERFORMANCE_METRICS */
static inline void
-perf_push(int type) {
+perf_push(int type)
+{
}
static inline void
-perf_pop(void) {
+perf_pop(void)
+{
}
static inline void
-perf_output_results(void) {
+perf_output_results(void)
+{
}
#endif /* ifdef ENABLE_PERFORMANCE_METRICS */
diff --git a/src/openvpn/pf-inline.h b/src/openvpn/pf-inline.h
index a0f5cc7..ac19ac4 100644
--- a/src/openvpn/pf-inline.h
+++ b/src/openvpn/pf-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if defined(ENABLE_PF) && !defined(PF_INLINE_H)
diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c
index 56b6858..5cb002b 100644
--- a/src/openvpn/pf.c
+++ b/src/openvpn/pf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/* packet filter functions */
diff --git a/src/openvpn/pf.h b/src/openvpn/pf.h
index 3832683..414c85b 100644
--- a/src/openvpn/pf.h
+++ b/src/openvpn/pf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/* packet filter functions */
diff --git a/src/openvpn/ping-inline.h b/src/openvpn/ping-inline.h
index 2fa1d5c..0642b85 100644
--- a/src/openvpn/ping-inline.h
+++ b/src/openvpn/ping-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PING_INLINE_H
diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c
index 0496b72..728d6c2 100644
--- a/src/openvpn/ping.c
+++ b/src/openvpn/ping.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h
index e839ce7..5bd5c08 100644
--- a/src/openvpn/ping.h
+++ b/src/openvpn/ping.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PING_H
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 6858846..6041828 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -45,21 +44,24 @@
static
time_t
-__mytime(void) {
+__mytime(void)
+{
return openvpn_time(NULL);
}
#if !defined(_WIN32)
static
int
-__mygettimeofday(struct timeval *tv) {
+__mygettimeofday(struct timeval *tv)
+{
return gettimeofday(tv, NULL);
}
#endif
static
void
-__mysleep(const unsigned long usec) {
+__mysleep(const unsigned long usec)
+{
#if defined(_WIN32)
Sleep(usec/1000);
#else
@@ -84,10 +86,12 @@ static
unsigned
_pkcs11_msg_pkcs112openvpn(
const unsigned flags
- ) {
+ )
+{
unsigned openvpn_flags;
- switch (flags) {
+ switch (flags)
+ {
case PKCS11H_LOG_DEBUG2:
openvpn_flags = D_PKCS11_DEBUG;
break;
@@ -124,7 +128,8 @@ static
unsigned
_pkcs11_msg_openvpn2pkcs11(
const unsigned flags
- ) {
+ )
+{
unsigned pkcs11_flags;
if ((flags & D_PKCS11_DEBUG) != 0)
@@ -166,7 +171,8 @@ _pkcs11_openvpn_log(
unsigned flags,
const char *const szFormat,
va_list args
- ) {
+ )
+{
char Buffer[10*1024];
(void)global_data;
@@ -184,7 +190,8 @@ _pkcs11_openvpn_token_prompt(
void *const user_data,
const pkcs11h_token_id_t token,
const unsigned retry
- ) {
+ )
+{
struct user_pass token_resp;
(void)global_data;
@@ -229,7 +236,8 @@ _pkcs11_openvpn_pin_prompt(
const unsigned retry,
char *const pin,
const size_t pin_max
- ) {
+ )
+{
struct user_pass token_pass;
char prompt[1024];
@@ -275,7 +283,8 @@ bool
pkcs11_initialize(
const bool protected_auth,
const int nPINCachePeriod
- ) {
+ )
+{
CK_RV rv = CKR_FUNCTION_FAILED;
dmsg(
@@ -347,7 +356,8 @@ cleanup:
}
void
-pkcs11_terminate() {
+pkcs11_terminate()
+{
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_terminate - entered"
@@ -367,7 +377,8 @@ pkcs11_addProvider(
const bool protected_auth,
const unsigned private_mode,
const bool cert_private
- ) {
+ )
+{
CK_RV rv = CKR_OK;
ASSERT(provider!=NULL);
@@ -411,12 +422,14 @@ pkcs11_addProvider(
}
int
-pkcs11_logout() {
+pkcs11_logout()
+{
return pkcs11h_logout() == CKR_OK;
}
int
-pkcs11_management_id_count() {
+pkcs11_management_id_count()
+{
pkcs11h_certificate_id_list_t id_list = NULL;
pkcs11h_certificate_id_list_t t = NULL;
CK_RV rv = CKR_OK;
@@ -441,7 +454,8 @@ pkcs11_management_id_count() {
goto cleanup;
}
- for (count = 0, t = id_list; t != NULL; t = t->next) {
+ for (count = 0, t = id_list; t != NULL; t = t->next)
+ {
count++;
}
@@ -467,7 +481,8 @@ pkcs11_management_id_get(
const int index,
char **id,
char **base64
- ) {
+ )
+{
pkcs11h_certificate_id_list_t id_list = NULL;
pkcs11h_certificate_id_list_t entry = NULL;
#if 0 /* certificate_id seems to be unused -- JY */
@@ -511,7 +526,8 @@ pkcs11_management_id_get(
entry = id_list;
count = 0;
- while (entry != NULL && count != index) {
+ while (entry != NULL && count != index)
+ {
count++;
entry = entry->next;
}
@@ -653,7 +669,8 @@ tls_ctx_use_pkcs11(
struct tls_root_ctx *const ssl_ctx,
bool pkcs11_id_management,
const char *const pkcs11_id
- ) {
+ )
+{
pkcs11h_certificate_id_t certificate_id = NULL;
pkcs11h_certificate_t certificate = NULL;
CK_RV rv = CKR_OK;
@@ -784,7 +801,8 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
const unsigned retry,
char *const pin,
const size_t pin_max
- ) {
+ )
+{
struct gc_arena gc = gc_new();
struct buffer pass_prompt = alloc_buf_gc(128, &gc);
@@ -817,7 +835,8 @@ void
show_pkcs11_ids(
const char *const provider,
bool cert_private
- ) {
+ )
+{
struct gc_arena gc = gc_new();
pkcs11h_certificate_id_list_t user_certificates = NULL;
pkcs11h_certificate_id_list_t current = NULL;
@@ -888,7 +907,8 @@ show_pkcs11_ids(
"--pkcs11-id option please remember to use single quote mark.\n"
)
);
- for (current = user_certificates; current != NULL; current = current->next) {
+ for (current = user_certificates; current != NULL; current = current->next)
+ {
pkcs11h_certificate_t certificate = NULL;
char *dn = NULL;
char serial[1024] = {0};
@@ -1006,7 +1026,8 @@ cleanup:
#else /* if defined(ENABLE_PKCS11) */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* ENABLE_PKCS11 */
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 3747d3a..f1722c0 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_PKCS11_H
diff --git a/src/openvpn/pkcs11_backend.h b/src/openvpn/pkcs11_backend.h
index 9606899..b47b757 100644
--- a/src/openvpn/pkcs11_backend.h
+++ b/src/openvpn/pkcs11_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index bdca893..45372e4 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -39,6 +38,7 @@
#include "errlevel.h"
#include "pkcs11_backend.h"
+#include "ssl_verify_backend.h"
#include <mbedtls/pkcs11.h>
#include <mbedtls/x509.h>
@@ -82,8 +82,6 @@ char *
pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
{
char *ret = NULL;
- char dn[1024] = {0};
-
mbedtls_x509_crt mbed_crt = {0};
if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
@@ -92,14 +90,12 @@ pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
goto cleanup;
}
- if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject))
+ if (!(ret = x509_get_subject(&mbed_crt, gc)))
{
msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
goto cleanup;
}
- ret = string_alloc(dn, gc);
-
cleanup:
mbedtls_x509_crt_free(&mbed_crt);
diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
index 6244cc7..c37425b 100644
--- a/src/openvpn/pkcs11_openssl.c
+++ b/src/openvpn/pkcs11_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 952d633..2495523 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h
index 62396a9..cd2bbc9 100644
--- a/src/openvpn/platform.h
+++ b/src/openvpn/platform.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PLATFORM_H
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 17eb2d8..557b6bc 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -234,23 +233,31 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
#ifndef _WIN32
p->handle = NULL;
-#if defined(PLUGIN_LIBDIR)
- if (!absolute_pathname(p->so_pathname))
+
+ /* If the plug-in filename is not an absolute path,
+ * or beginning with '.', it should use the PLUGIN_LIBDIR
+ * as the base directory for loading the plug-in.
+ *
+ * This means the following scenarios are loaded from these places:
+ * --plugin fancyplug.so -> $PLUGIN_LIBDIR/fancyplug.so
+ * --plugin my/fancyplug.so -> $PLUGIN_LIBDIR/my/fancyplug.so
+ * --plugin ./fancyplug.so -> $CWD/fancyplug.so
+ * --plugin /usr/lib/my/fancyplug.so -> /usr/lib/my/fancyplug.so
+ *
+ * Please note that $CWD means the directory OpenVPN is either started from
+ * or the directory OpenVPN have changed into using --cd before --plugin
+ * was parsed.
+ *
+ */
+ if (!absolute_pathname(p->so_pathname)
+ && p->so_pathname[0] != '.')
{
char full[PATH_MAX];
openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
p->handle = dlopen(full, RTLD_NOW);
-#if defined(ENABLE_PLUGIN_SEARCH)
- if (!p->handle)
- {
- rel = true;
- p->handle = dlopen(p->so_pathname, RTLD_NOW);
- }
-#endif
}
else
-#endif
{
rel = !absolute_pathname(p->so_pathname);
p->handle = dlopen(p->so_pathname, RTLD_NOW);
@@ -402,7 +409,8 @@ plugin_log(openvpn_plugin_log_flags_t flags, const char *name, const char *forma
static struct openvpn_plugin_callbacks callbacks = {
plugin_log,
- plugin_vlog
+ plugin_vlog,
+ secure_memzero /* plugin_secure_memzero */
};
@@ -745,7 +753,9 @@ plugin_common_close(struct plugin_common *pc)
int i;
for (i = 0; i < pc->n; ++i)
+ {
plugin_close_item(&pc->plugins[i]);
+ }
free(pc);
}
}
@@ -883,7 +893,9 @@ plugin_abort(void)
int i;
for (i = 0; i < pc->n; ++i)
+ {
plugin_abort_item(&pc->plugins[i]);
+ }
}
}
@@ -964,7 +976,9 @@ plugin_return_get_column(const struct plugin_return *src,
dest->n = 0;
for (i = 0; i < src->n; ++i)
+ {
dest->list[i] = openvpn_plugin_string_list_find(src->list[i], colname);
+ }
dest->n = i;
}
@@ -973,7 +987,9 @@ plugin_return_free(struct plugin_return *pr)
{
int i;
for (i = 0; i < pr->n; ++i)
+ {
openvpn_plugin_string_list_free(pr->list[i]);
+ }
pr->n = 0;
}
@@ -1003,6 +1019,7 @@ plugin_return_print(const int msglevel, const char *prefix, const struct plugin_
#else /* ifdef ENABLE_PLUGIN */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_PLUGIN */
diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h
index 4ded529..0cffee0 100644
--- a/src/openvpn/plugin.h
+++ b/src/openvpn/plugin.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index aa0bc2b..a8f15b9 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -215,7 +214,9 @@ ifconfig_pool_free(struct ifconfig_pool *pool)
{
int i;
for (i = 0; i < pool->size; ++i)
+ {
ifconfig_pool_entry_free(&pool->list[i], true);
+ }
free(pool->list);
free(pool);
}
diff --git a/src/openvpn/pool.h b/src/openvpn/pool.h
index c3e1190..ee91d82 100644
--- a/src/openvpn/pool.h
+++ b/src/openvpn/pool.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef POOL_H
diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c
index 40e0714..2cbea3a 100644
--- a/src/openvpn/proto.c
+++ b/src/openvpn/proto.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h
index bfcb36d..57f25c9 100644
--- a/src/openvpn/proto.h
+++ b/src/openvpn/proto.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PROTO_H
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index dd327a2..7a737ea 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -318,6 +317,7 @@ get_proxy_authenticate(socket_descriptor_t sd,
{
if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
{
+ free(*data);
*data = NULL;
return HTTP_AUTH_NONE;
}
@@ -381,7 +381,9 @@ get_key_value(const char *str, /* source string */
bool escape = false;
for (c = max_key_len-1; (*str && (*str != '=') && c--); )
+ {
*key++ = *str++;
+ }
*key = '\0';
if ('=' != *str++)
@@ -475,7 +477,9 @@ get_pa_var(const char *key, const char *pa, struct gc_arena *gc)
++content;
}
while (*content && isspace(*content))
+ {
++content;
+ }
}
}
@@ -774,7 +778,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
/* receive and discard everything else */
while (recv_line(sd, NULL, 0, 2, true, NULL, signal_received))
- ;
+ {
+ }
/* now send the phase 3 reply */
@@ -870,6 +875,13 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
const char *algor = get_pa_var("algorithm", pa, &gc);
const char *opaque = get_pa_var("opaque", pa, &gc);
+ if ( !realm || !nonce )
+ {
+ msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
+ "from server: realm= or nonce= missing" );
+ goto error;
+ }
+
/* generate a client nonce */
ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw)));
cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc);
@@ -986,6 +998,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
{
msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
+ free(pa);
goto error;
}
p->auth_method = method;
@@ -1041,7 +1054,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
* start of the OpenVPN data stream (put it in lookahead).
*/
while (recv_line(sd, NULL, 0, 2, false, lookahead, signal_received))
- ;
+ {
+ }
/* reset queried_creds so that we don't think that the next creds request is due to an auth error */
p->queried_creds = false;
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index c20a676..3ce79de 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PROXY_H
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 21b12ca..c2b05cd 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h
index 0fc1ee4..b8c6853 100644
--- a/src/openvpn/ps.h
+++ b/src/openvpn/ps.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PS_H
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index f515475..5947a31 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -372,15 +371,17 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
/* Push cipher if client supports Negotiable Crypto Parameters */
if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
{
- /* if we have already created our key, we cannot change our own
- * cipher, so disable NCP and warn = explain why
+ /* if we have already created our key, we cannot *change* our own
+ * cipher -> so log the fact and push the "what we have now" cipher
+ * (so the client is always told what we expect it to use)
*/
const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
{
msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
"server has already generated data channel keys, "
- "ignoring client request" );
+ "re-sending previously negotiated cipher '%s'",
+ o->ciphername );
}
else
{
@@ -388,8 +389,8 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
* TODO: actual negotiation, instead of server dictatorship. */
char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
o->ciphername = strtok(push_cipher, ":");
- push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
+ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
else if (o->ncp_enabled)
{
@@ -692,8 +693,8 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
{
continue;
}
+ md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}
- md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}
int
@@ -720,10 +721,11 @@ process_incoming_push_msg(struct context *c,
if (ch == ',')
{
struct buffer buf_orig = buf;
- if (!c->c2.pulled_options_md5_init_done)
+ if (!c->c2.pulled_options_digest_init_done)
{
- md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5"));
- c->c2.pulled_options_md5_init_done = true;
+ c->c2.pulled_options_state = md_ctx_new();
+ md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256"));
+ c->c2.pulled_options_digest_init_done = true;
}
if (!c->c2.did_pre_pull_restore)
{
@@ -736,15 +738,17 @@ process_incoming_push_msg(struct context *c,
option_types_found,
c->c2.es))
{
- push_update_digest(&c->c2.pulled_options_state, &buf_orig,
+ push_update_digest(c->c2.pulled_options_state, &buf_orig,
&c->options);
switch (c->options.push_continuation)
{
case 0:
case 1:
- md_ctx_final(&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
- md_ctx_cleanup(&c->c2.pulled_options_state);
- c->c2.pulled_options_md5_init_done = false;
+ md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
+ md_ctx_cleanup(c->c2.pulled_options_state);
+ md_ctx_free(c->c2.pulled_options_state);
+ c->c2.pulled_options_state = NULL;
+ c->c2.pulled_options_digest_init_done = false;
ret = PUSH_MSG_REPLY;
break;
diff --git a/src/openvpn/push.h b/src/openvpn/push.h
index 86900c8..4d42e81 100644
--- a/src/openvpn/push.h
+++ b/src/openvpn/push.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PUSH_H
diff --git a/src/openvpn/pushlist.h b/src/openvpn/pushlist.h
index 58fc870..57216b2 100644
--- a/src/openvpn/pushlist.h
+++ b/src/openvpn/pushlist.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if !defined(PUSHLIST_H) && P2MP && P2MP_SERVER
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index 57cdd78..93541a9 100644
--- a/src/openvpn/reliable.c
+++ b/src/openvpn/reliable.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -112,10 +111,12 @@ reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid)
{
int i;
for (i = 0; i < ack->len; ++i)
+ {
if (ack->packet_id[i] == pid)
{
return true;
}
+ }
return false;
}
@@ -242,7 +243,9 @@ reliable_ack_write(struct reliable_ack *ack,
ASSERT(session_id_defined(sid));
ASSERT(session_id_write(sid, &sub));
for (i = 0, j = n; j < ack->len; )
+ {
ack->packet_id[i++] = ack->packet_id[j++];
+ }
ack->len = i;
}
@@ -802,6 +805,7 @@ reliable_debug_print(const struct reliable *rel, char *desc)
#else /* ifdef ENABLE_CRYPTO */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h
index 455168a..aa34b02 100644
--- a/src/openvpn/reliable.h
+++ b/src/openvpn/reliable.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 0c93dcd..a1811f4 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -986,11 +985,19 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
if (rl && rl->flags & RG_ENABLE)
{
+ bool local = rl->flags & RG_LOCAL;
+
if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
{
msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
}
- else if (!(rl->rgi.flags & RGI_ADDR_DEFINED))
+ /*
+ * check if a default route is defined, unless:
+ * - we are connecting to a remote host in our network
+ * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
+ */
+ else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
+ && (rl->spec.remote_host != IPV4_INVALID_ADDR))
{
msg(M_WARN, "%s Cannot read current default gateway from system", err);
}
@@ -1001,7 +1008,6 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
else
{
#ifndef TARGET_ANDROID
- bool local = BOOL_CAST(rl->flags & RG_LOCAL);
if (rl->flags & RG_AUTO_LOCAL)
{
const int tla = rl->spec.remote_host_local;
@@ -1066,14 +1072,13 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
}
else
{
- /* delete default route */
- del_route3(0,
- 0,
- rl->rgi.gateway.addr,
- tt,
- flags | ROUTE_REF_GW,
- &rl->rgi,
- es);
+ /* don't try to remove the def route if it does not exist */
+ if (rl->rgi.flags & RGI_ADDR_DEFINED)
+ {
+ /* delete default route */
+ del_route3(0, 0, rl->rgi.gateway.addr, tt,
+ flags | ROUTE_REF_GW, &rl->rgi, es);
+ }
/* add new default route */
add_route3(0,
@@ -1145,15 +1150,12 @@ undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *t
flags,
&rl->rgi,
es);
-
- /* restore original default route */
- add_route3(0,
- 0,
- rl->rgi.gateway.addr,
- tt,
- flags | ROUTE_REF_GW,
- &rl->rgi,
- es);
+ /* restore original default route if there was any */
+ if (rl->rgi.flags & RGI_ADDR_DEFINED)
+ {
+ add_route3(0, 0, rl->rgi.gateway.addr, tt,
+ flags | ROUTE_REF_GW, &rl->rgi, es);
+ }
}
}
@@ -1196,6 +1198,15 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tunt
if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
{
struct route_ipv6 *r;
+
+ if (!tt->did_ifconfig_ipv6_setup)
+ {
+ msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
+ "route over %s. However, no IPv6 has been configured for "
+ "this interface, therefore the route installation may "
+ "fail or may not work as expected.", tt->actual_name);
+ }
+
for (r = rl6->routes_ipv6; r; r = r->next)
{
if (flags & ROUTE_DELETE_FIRST)
@@ -1281,7 +1292,9 @@ print_route_options(const struct route_option_list *rol,
(rol->flags & RG_LOCAL) != 0);
}
for (ro = rol->routes; ro; ro = ro->next)
+ {
print_route_option(ro, level);
+ }
}
void
@@ -1375,7 +1388,9 @@ print_routes(const struct route_list *rl, int level)
{
struct route_ipv4 *r;
for (r = rl->routes; r; r = r->next)
+ {
print_route(r, level);
+ }
}
static void
@@ -1404,7 +1419,9 @@ setenv_routes(struct env_set *es, const struct route_list *rl)
int i = 1;
struct route_ipv4 *r;
for (r = rl->routes; r; r = r->next)
+ {
setenv_route(es, r, i++);
+ }
}
static void
@@ -1433,7 +1450,9 @@ setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
int i = 1;
struct route_ipv6 *r6;
for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
+ {
setenv_route_ipv6(es, r6, i++);
+ }
}
/*
@@ -1874,14 +1893,6 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag
}
#endif
- if (!tt->did_ifconfig_ipv6_setup)
- {
- msg( M_INFO, "add_route_ipv6(): not adding %s/%d: "
- "no IPv6 address been configured on interface %s",
- network, r6->netbits, device);
- return;
- }
-
msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
network, r6->netbits, gateway, r6->metric, device );
@@ -2623,7 +2634,9 @@ test_routes(const struct route_list *rl, const struct tuntap *tt)
{
struct route_ipv4 *r;
for (r = rl->routes, len = 0; r; r = r->next, ++len)
+ {
test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
+ }
if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
{
@@ -3047,8 +3060,10 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
/* In TUN mode we use a special link-local address as the next hop.
* The tapdrvr knows about it and will answer neighbor discovery packets.
+ * (only do this for routes actually using the tun/tap device)
*/
- if (tt->type == DEV_TYPE_TUN)
+ if (tt->type == DEV_TYPE_TUN
+ && msg.iface.index == tt->adapter_index )
{
inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}
@@ -3581,6 +3596,9 @@ get_default_gateway(struct route_gateway_info *rgi)
rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
rtm.rtm_version = RTM_VERSION;
rtm.rtm_seq = ++seq;
+#ifdef TARGET_OPENBSD
+ rtm.rtm_tableid = getrtable();
+#endif
rtm.rtm_addrs = rtm_addrs;
so_dst.sa_family = AF_INET;
@@ -3608,7 +3626,8 @@ get_default_gateway(struct route_gateway_info *rgi)
msg(M_WARN, "GDG: problem writing to routing socket");
goto done;
}
- do {
+ do
+ {
l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
} while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
close(sockfd);
@@ -3795,6 +3814,9 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
rtm.rtm_flags = RTF_UP;
rtm.rtm_version = RTM_VERSION;
rtm.rtm_seq = ++seq;
+#ifdef TARGET_OPENBSD
+ rtm.rtm_tableid = getrtable();
+#endif
so_dst.sin6_family = AF_INET6;
so_mask.sin6_family = AF_INET6;
diff --git a/src/openvpn/route.h b/src/openvpn/route.h
index 03ee8cd..6414d6c 100644
--- a/src/openvpn/route.h
+++ b/src/openvpn/route.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -354,7 +353,8 @@ bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
#else /* ifdef _WIN32 */
static inline bool
-test_routes(const struct route_list *rl, const struct tuntap *tt) {
+test_routes(const struct route_list *rl, const struct tuntap *tt)
+{
return true;
}
#endif
diff --git a/src/openvpn/schedule.c b/src/openvpn/schedule.c
index 610bfa4..b1ba5d4 100644
--- a/src/openvpn/schedule.c
+++ b/src/openvpn/schedule.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -377,7 +376,9 @@ schedule_add_modify(struct schedule *s, struct schedule_entry *e)
* keeps the tree balanced. Move the node up the tree until
* its own priority is greater than that of its parent */
while (e->parent && e->parent->pri > e->pri)
+ {
schedule_rotate_up(s, e);
+ }
}
/*
@@ -623,7 +624,9 @@ schedule_print_work(struct schedule_entry *e, int indent)
struct gc_arena gc = gc_new();
int i;
for (i = 0; i < indent; ++i)
+ {
printf(" ");
+ }
if (e)
{
printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n",
diff --git a/src/openvpn/schedule.h b/src/openvpn/schedule.h
index f2a6813..e6c1b7e 100644
--- a/src/openvpn/schedule.h
+++ b/src/openvpn/schedule.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SCHEDULE_H
diff --git a/src/openvpn/session_id.c b/src/openvpn/session_id.c
index b23f0f4..dce42e7 100644
--- a/src/openvpn/session_id.c
+++ b/src/openvpn/session_id.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -64,6 +63,7 @@ session_id_print(const struct session_id *sid, struct gc_arena *gc)
#else /* ifdef ENABLE_CRYPTO */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/session_id.h b/src/openvpn/session_id.h
index 2b0ceb8..6611a3c 100644
--- a/src/openvpn/session_id.h
+++ b/src/openvpn/session_id.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c
index eb459ef..19dd54d 100644
--- a/src/openvpn/shaper.c
+++ b/src/openvpn/shaper.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -98,6 +97,7 @@ shaper_msg(struct shaper *s)
#else /* ifdef ENABLE_FEATURE_SHAPER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_FEATURE_SHAPER */
diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h
index d97221a..6fac16d 100644
--- a/src/openvpn/shaper.h
+++ b/src/openvpn/shaper.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SHAPER_H
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 9f4841a..87cef71 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/sig.h b/src/openvpn/sig.h
index 5783731..7c41070 100644
--- a/src/openvpn/sig.h
+++ b/src/openvpn/sig.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SIG_H
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index ae12832..4e7e3f9 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -205,7 +204,9 @@ do_preresolve_host(struct context *c,
{
struct cached_dns_entry *prev = c->c1.dns_cache;
while (prev->next)
+ {
prev = prev->next;
+ }
prev->next = ph;
}
@@ -336,20 +337,6 @@ openvpn_getaddrinfo(unsigned int flags,
ASSERT(hostname || servname);
ASSERT(!(flags & GETADDR_HOST_ORDER));
- if (hostname && (flags & GETADDR_RANDOMIZE))
- {
- hostname = hostname_randomize(hostname, &gc);
- }
-
- if (hostname)
- {
- print_hostname = hostname;
- }
- else
- {
- print_hostname = "undefined";
- }
-
if (servname)
{
print_servname = servname;
@@ -400,6 +387,20 @@ openvpn_getaddrinfo(unsigned int flags,
const char *fmt;
int level = 0;
+ if (hostname && (flags & GETADDR_RANDOMIZE))
+ {
+ hostname = hostname_randomize(hostname, &gc);
+ }
+
+ if (hostname)
+ {
+ print_hostname = hostname;
+ }
+ else
+ {
+ print_hostname = "undefined";
+ }
+
fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)";
if ((flags & GETADDR_MENTION_RESOLVE_RETRY)
&& !resolve_retry_seconds)
@@ -510,6 +511,10 @@ openvpn_getaddrinfo(unsigned int flags,
else
{
/* IP address parse succeeded */
+ if (flags & GETADDR_RANDOMIZE)
+ {
+ msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the hostname is an IP address");
+ }
}
done:
@@ -1144,7 +1149,7 @@ tcp_connection_established(const struct link_socket_actual *act)
gc_free(&gc);
}
-static int
+static socket_descriptor_t
socket_listen_accept(socket_descriptor_t sd,
struct link_socket_actual *act,
const char *remote_dynamic,
@@ -1156,7 +1161,7 @@ socket_listen_accept(socket_descriptor_t sd,
struct gc_arena gc = gc_new();
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
- int new_sd = SOCKET_UNDEFINED;
+ socket_descriptor_t new_sd = SOCKET_UNDEFINED;
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
@@ -2008,7 +2013,8 @@ static void
phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info)
{
bool proxy_retry = false;
- do {
+ do
+ {
socket_connect(&sock->sd,
sock->info.lsa->current_remote->ai_addr,
get_server_poll_remaining_time(sock->server_poll_timeout),
@@ -2364,7 +2370,8 @@ link_socket_bad_incoming_addr(struct buffer *buf,
(int)from_addr->dest.addr.sa.sa_family,
print_sockaddr_ex(info->lsa->remote_list->ai_addr,":",PS_SHOW_PORT, &gc));
/* print additional remote addresses */
- for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) {
+ for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next)
+ {
msg(D_LINK_ERRORS,"or from peer address: %s",
print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc));
}
@@ -3053,10 +3060,12 @@ ascii2proto(const char *proto_name)
{
int i;
for (i = 0; i < SIZE(proto_names); ++i)
+ {
if (!strcmp(proto_name, proto_names[i].short_form))
{
return proto_names[i].proto;
}
+ }
return -1;
}
@@ -3065,10 +3074,12 @@ ascii2af(const char *proto_name)
{
int i;
for (i = 0; i < SIZE(proto_names); ++i)
+ {
if (!strcmp(proto_name, proto_names[i].short_form))
{
return proto_names[i].proto_af;
}
+ }
return 0;
}
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 63e601e..2d7f218 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SOCKET_H
@@ -623,7 +622,8 @@ addr_defined(const struct openvpn_sockaddr *addr)
{
return 0;
}
- switch (addr->addr.sa.sa_family) {
+ switch (addr->addr.sa.sa_family)
+ {
case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0;
case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
@@ -639,7 +639,8 @@ addr_local(const struct sockaddr *addr)
{
return false;
}
- switch (addr->sa_family) {
+ switch (addr->sa_family)
+ {
case AF_INET:
return ((const struct sockaddr_in *)addr)->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
@@ -660,7 +661,8 @@ addr_defined_ipi(const struct link_socket_actual *lsa)
{
return 0;
}
- switch (lsa->dest.addr.sa.sa_family) {
+ switch (lsa->dest.addr.sa.sa_family)
+ {
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
@@ -687,7 +689,8 @@ link_socket_actual_defined(const struct link_socket_actual *act)
static inline bool
addr_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
{
- switch (a1->addr.sa.sa_family) {
+ switch (a1->addr.sa.sa_family)
+ {
case AF_INET:
return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr;
@@ -781,7 +784,8 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2
static inline bool
addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
{
- switch (a1->addr.sa.sa_family) {
+ switch (a1->addr.sa.sa_family)
+ {
case AF_INET:
return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr
&& a1->addr.in4.sin_port == a2->addr.in4.sin_port;
@@ -818,7 +822,8 @@ addrlist_match_proto(const struct openvpn_sockaddr *a1,
static inline void
addr_zero_host(struct openvpn_sockaddr *addr)
{
- switch (addr->addr.sa.sa_family) {
+ switch (addr->addr.sa.sa_family)
+ {
case AF_INET:
addr->addr.in4.sin_addr.s_addr = 0;
break;
@@ -846,7 +851,8 @@ int addr_guess_family(sa_family_t af,const char *name);
static inline int
af_addr_size(sa_family_t af)
{
- switch (af) {
+ switch (af)
+ {
case AF_INET: return sizeof(struct sockaddr_in);
case AF_INET6: return sizeof(struct sockaddr_in6);
@@ -919,7 +925,8 @@ link_socket_verify_incoming_addr(struct buffer *buf,
{
if (buf->len > 0)
{
- switch (from_addr->dest.addr.sa.sa_family) {
+ switch (from_addr->dest.addr.sa.sa_family)
+ {
case AF_INET6:
case AF_INET:
if (!link_socket_actual_defined(from_addr))
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index b50cac3..92747ec 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h
index 17e75e1..39b96c5 100644
--- a/src/openvpn/socks.h
+++ b/src/openvpn/socks.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cff4052..15cd94a 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -269,10 +268,12 @@ static void
key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
const tls_cipher_name_pair *
-tls_get_cipher_name_pair(const char *cipher_name, size_t len) {
+tls_get_cipher_name_pair(const char *cipher_name, size_t len)
+{
const tls_cipher_name_pair *pair = tls_cipher_name_translation_table;
- while (pair->openssl_name != NULL) {
+ while (pair->openssl_name != NULL)
+ {
if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
|| (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
{
@@ -450,6 +451,8 @@ ssl_set_auth_nocache(void)
{
passbuf.nocache = true;
auth_user_pass.nocache = true;
+ /* wait for push-reply, because auth-token may invert nocache */
+ auth_user_pass.wait_for_push = true;
}
/*
@@ -458,6 +461,14 @@ ssl_set_auth_nocache(void)
void
ssl_set_auth_token(const char *token)
{
+ if (auth_user_pass.nocache)
+ {
+ msg(M_INFO,
+ "auth-token received, disabling auth-nocache for the "
+ "authentication token");
+ auth_user_pass.nocache = false;
+ }
+
set_auth_token(&auth_user_pass, token);
}
@@ -569,12 +580,12 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
* Note: Windows does not support tv_nsec.
*/
if ((ssl_ctx->crl_last_size == crl_stat.st_size)
- && (ssl_ctx->crl_last_mtime.tv_sec == crl_stat.st_mtime))
+ && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
{
return;
}
- ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime;
+ ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
ssl_ctx->crl_last_size = crl_stat.st_size;
backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
}
@@ -830,14 +841,7 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc)
return BSTR(&out);
}
-/*
- * Given a key_method, return true if op
- * represents the required form of hard_reset.
- *
- * If key_method = 0, return true if any
- * form of hard reset is used.
- */
-static bool
+bool
is_hard_reset(int op, int key_method)
{
if (!key_method || key_method == 1)
@@ -1068,7 +1072,9 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
/* Randomize session # if it is 0 */
while (!session_id_defined(&session->session_id))
+ {
session_id_random(&session->session_id);
+ }
/* Are we a TLS server or client? */
ASSERT(session->opt->key_method >= 1);
@@ -1130,7 +1136,9 @@ tls_session_free(struct tls_session *session, bool clear)
free_buf(&session->tls_wrap.work);
for (i = 0; i < KS_SIZE; ++i)
+ {
key_state_free(&session->key[i], false);
+ }
if (session->common_name)
{
@@ -1187,7 +1195,8 @@ reset_session(struct tls_multi *multi, struct tls_session *session)
* called again.
*/
static inline void
-compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) {
+compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
+{
if (seconds_from_now < *earliest)
{
*earliest = seconds_from_now;
@@ -1357,7 +1366,9 @@ tls_multi_free(struct tls_multi *multi, bool clear)
free(multi->remote_ciphername);
for (i = 0; i < TM_SIZE; ++i)
+ {
tls_session_free(&multi->session[i], false);
+ }
if (clear)
{
@@ -1605,8 +1616,8 @@ tls1_P_hash(const md_kt_t *md_kt,
{
struct gc_arena gc = gc_new();
int chunk;
- hmac_ctx_t ctx;
- hmac_ctx_t ctx_tmp;
+ hmac_ctx_t *ctx;
+ hmac_ctx_t *ctx_tmp;
uint8_t A1[MAX_HMAC_KEY_LENGTH];
unsigned int A1_len;
@@ -1615,8 +1626,8 @@ tls1_P_hash(const md_kt_t *md_kt,
const uint8_t *out_orig = out;
#endif
- CLEAR(ctx);
- CLEAR(ctx_tmp);
+ ctx = hmac_ctx_new();
+ ctx_tmp = hmac_ctx_new();
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
@@ -1624,36 +1635,38 @@ tls1_P_hash(const md_kt_t *md_kt,
chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
- hmac_ctx_init(&ctx, sec, sec_len, md_kt);
- hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
- hmac_ctx_update(&ctx,seed,seed_len);
- hmac_ctx_final(&ctx, A1);
+ hmac_ctx_update(ctx,seed,seed_len);
+ hmac_ctx_final(ctx, A1);
for (;; )
{
- hmac_ctx_reset(&ctx);
- hmac_ctx_reset(&ctx_tmp);
- hmac_ctx_update(&ctx,A1,A1_len);
- hmac_ctx_update(&ctx_tmp,A1,A1_len);
- hmac_ctx_update(&ctx,seed,seed_len);
+ hmac_ctx_reset(ctx);
+ hmac_ctx_reset(ctx_tmp);
+ hmac_ctx_update(ctx,A1,A1_len);
+ hmac_ctx_update(ctx_tmp,A1,A1_len);
+ hmac_ctx_update(ctx,seed,seed_len);
if (olen > chunk)
{
- hmac_ctx_final(&ctx, out);
+ hmac_ctx_final(ctx, out);
out += chunk;
olen -= chunk;
- hmac_ctx_final(&ctx_tmp, A1); /* calc the next A1 value */
+ hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
}
else /* last one */
{
- hmac_ctx_final(&ctx, A1);
+ hmac_ctx_final(ctx, A1);
memcpy(out,A1,olen);
break;
}
}
- hmac_ctx_cleanup(&ctx);
- hmac_ctx_cleanup(&ctx_tmp);
+ hmac_ctx_cleanup(ctx);
+ hmac_ctx_free(ctx);
+ hmac_ctx_cleanup(ctx_tmp);
+ hmac_ctx_free(ctx_tmp);
secure_memzero(A1, sizeof(A1));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
@@ -1705,7 +1718,9 @@ tls1_PRF(const uint8_t *label,
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
for (i = 0; i<olen; i++)
+ {
out1[i] ^= out2[i];
+ }
secure_memzero(out2, olen);
@@ -1855,7 +1870,8 @@ exit:
}
static void
-key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) {
+key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
+{
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
/* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
@@ -1954,6 +1970,12 @@ tls_session_update_crypto_params(struct tls_session *session,
return false;
}
+ if (strcmp(options->ciphername, session->opt->config_ciphername))
+ {
+ msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
+ options->ciphername);
+ }
+
init_key_type(&session->opt->key_type, options->ciphername,
options->authname, options->keysize, true, true);
@@ -2371,7 +2393,21 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
{
goto error;
}
- purge_user_pass(&auth_user_pass, false);
+ /* if auth-nocache was specified, the auth_user_pass object reaches
+ * a "complete" state only after having received the push-reply
+ * message.
+ * This is the case because auth-token statement in a push-reply would
+ * invert its nocache.
+ *
+ * For this reason, skip the purge operation here if no push-reply
+ * message has been received yet.
+ *
+ * This normally happens upon first negotiation only.
+ */
+ if (!auth_user_pass.wait_for_push)
+ {
+ purge_user_pass(&auth_user_pass, false);
+ }
}
else
{
@@ -2487,7 +2523,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
struct gc_arena gc = gc_new();
char *options;
- struct user_pass *up;
+ struct user_pass *up = NULL;
/* allocate temporary objects */
ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
@@ -2649,6 +2685,10 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
error:
secure_memzero(ks->key_src, sizeof(*ks->key_src));
+ if (up)
+ {
+ secure_memzero(up, sizeof(*up));
+ }
buf_clear(buf);
gc_free(&gc);
return false;
@@ -2810,6 +2850,9 @@ tls_process(struct tls_multi *multi,
session->opt->crl_file, session->opt->crl_file_inline);
}
+ /* New connection, remove any old X509 env variables */
+ tls_x509_clear_env(session->opt->es);
+
dmsg(D_TLS_DEBUG_MED, "STATE S_START");
}
@@ -3708,7 +3751,12 @@ tls_pre_decrypt(struct tls_multi *multi,
/* Save incoming ciphertext packet to reliable buffer */
struct buffer *in = reliable_get_buf(ks->rec_reliable);
ASSERT(in);
- ASSERT(buf_copy(in, buf));
+ if(!buf_copy(in, buf))
+ {
+ msg(D_MULTI_DROPPED,
+ "Incoming control channel packet too big, dropping.");
+ goto error;
+ }
reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
}
@@ -4058,7 +4106,8 @@ tls_peer_info_ncp_ver(const char *peer_info)
}
bool
-tls_check_ncp_cipher_list(const char *list) {
+tls_check_ncp_cipher_list(const char *list)
+{
bool unsupported_cipher_found = false;
ASSERT(list);
@@ -4201,8 +4250,16 @@ done:
return BSTR(&out);
}
+void
+delayed_auth_pass_purge(void)
+{
+ auth_user_pass.wait_for_push = false;
+ purge_user_pass(&auth_user_pass, false);
+}
+
#else /* if defined(ENABLE_CRYPTO) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index ed1344e..56ea601 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -591,6 +590,16 @@ void show_tls_performance_stats(void);
/*#define EXTRACT_X509_FIELD_TEST*/
void extract_x509_field_test(void);
+/**
+ * Given a key_method, return true if opcode represents the required form of
+ * hard_reset.
+ *
+ * If key_method == 0, return true if any form of hard reset is used.
+ */
+bool is_hard_reset(int op, int key_method);
+
+void delayed_auth_pass_purge(void);
+
#endif /* ENABLE_CRYPTO */
#endif /* ifndef OPENVPN_SSL_H */
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 206400f..a738f0f 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 9a16d77..25bffd5 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -271,6 +270,7 @@ struct tls_options
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
uint8_t *verify_hash;
+ hash_algo_type verify_hash_algo;
char *x509_username_field;
/* allow openvpn config info to be
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 5c84e30..ef583e6 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -185,7 +184,8 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
}
static const char *
-tls_translate_cipher_name(const char *cipher_name) {
+tls_translate_cipher_name(const char *cipher_name)
+{
const tls_cipher_name_pair *pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
if (NULL == pair)
@@ -222,10 +222,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
/* Get number of ciphers */
for (i = 0, cipher_count = 1; i < ciphers_len; i++)
+ {
if (ciphers[i] == ':')
{
cipher_count++;
}
+ }
/* Allocate an array for them */
ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1)
@@ -833,7 +835,8 @@ tls_version_max(void)
* Must be a valid pointer.
*/
static void
-tls_version_to_major_minor(int tls_ver, int *major, int *minor) {
+tls_version_to_major_minor(int tls_ver, int *major, int *minor)
+{
ASSERT(major);
ASSERT(minor);
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 1bc53ce..f69b610 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -74,7 +73,7 @@ struct tls_root_ctx {
mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */
mbedtls_pk_context *priv_key; /**< Local private key */
mbedtls_x509_crl *crl; /**< Certificate Revocation List */
- struct timespec crl_last_mtime; /**< CRL last modification time */
+ time_t crl_last_mtime; /**< CRL last modification time */
off_t crl_last_size; /**< size of last loaded CRL */
#if defined(ENABLE_PKCS11)
mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index eae1e22..e589dcd 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -45,6 +44,7 @@
#include "ssl_backend.h"
#include "ssl_common.h"
#include "base64.h"
+#include "openssl_compat.h"
#ifdef ENABLE_CRYPTOAPI
#include "cryptoapi.h"
@@ -321,7 +321,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
/* Translate IANA cipher suite names to OpenSSL names */
begin_of_cipher = end_of_cipher = 0;
- for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+ for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
+ {
end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
@@ -353,7 +354,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
}
/* Make sure new cipher name fits in cipher string */
- if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)
+ if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
+ || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len))
{
msg(M_FATAL,
"Failed to set restricted TLS cipher list, too long (>%d).",
@@ -507,10 +509,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
const EC_GROUP *ecgrp = NULL;
EVP_PKEY *pkey = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ pkey = SSL_CTX_get0_privatekey(ctx->ctx);
+#else
/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
- SSL ssl;
- ssl.cert = ctx->ctx->cert;
- pkey = SSL_get_privatekey(&ssl);
+ SSL *ssl = SSL_new(ctx->ctx);
+ if (!ssl)
+ {
+ crypto_msg(M_FATAL, "SSL_new failed");
+ }
+ pkey = SSL_get_privatekey(ssl);
+ SSL_free(ssl);
+#endif
msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
@@ -649,7 +659,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
{
for (i = 0; i < sk_X509_num(ca); i++)
{
- if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
+ X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
+ if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i)))
{
crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
}
@@ -751,8 +762,9 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx,
goto end;
}
- x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback,
- ctx->ctx->default_passwd_callback_userdata);
+ x = PEM_read_bio_X509(in, NULL,
+ SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
if (x == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
@@ -834,8 +846,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
}
pkey = PEM_read_bio_PrivateKey(in, NULL,
- ssl_ctx->default_passwd_callback,
- ssl_ctx->default_passwd_callback_userdata);
+ SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
if (!pkey)
{
goto end;
@@ -888,15 +900,15 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
/* Always start with a cleared CRL list, for that we
* we need to manually find the CRL object from the stack
* and remove it */
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
{
- sk_X509_OBJECT_delete(store->objs, i);
- X509_OBJECT_free_contents(obj);
- OPENSSL_free(obj);
+ sk_X509_OBJECT_delete(objs, i);
+ X509_OBJECT_free(obj);
}
}
@@ -964,10 +976,13 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
/* called at RSA_free */
static int
-rsa_finish(RSA *rsa)
+openvpn_extkey_rsa_finish(RSA *rsa)
{
- free((void *)rsa->meth);
- rsa->meth = NULL;
+ /* meth was allocated in tls_ctx_use_external_private_key() ; since
+ * this function is called when the parent RSA object is destroyed,
+ * it is no longer used after this point so kill it. */
+ const RSA_METHOD *meth = RSA_get_method(rsa);
+ RSA_meth_free((RSA_METHOD *)meth);
return 1;
}
@@ -983,7 +998,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
if (padding != RSA_PKCS1_PADDING)
{
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto done;
}
@@ -1041,16 +1056,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
ASSERT(NULL != cert);
/* allocate custom RSA method object */
- ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
- rsa_meth->name = "OpenVPN external private key RSA Method";
- rsa_meth->rsa_pub_enc = rsa_pub_enc;
- rsa_meth->rsa_pub_dec = rsa_pub_dec;
- rsa_meth->rsa_priv_enc = rsa_priv_enc;
- rsa_meth->rsa_priv_dec = rsa_priv_dec;
- rsa_meth->init = NULL;
- rsa_meth->finish = rsa_finish;
- rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
- rsa_meth->app_data = NULL;
+ rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
+ RSA_METHOD_FLAG_NO_CHECK);
+ check_malloc_return(rsa_meth);
+ RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
+ RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
+ RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
+ RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
+ RSA_meth_set_init(rsa_meth, NULL);
+ RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
+ RSA_meth_set0_app_data(rsa_meth, NULL);
/* allocate RSA object */
rsa = RSA_new();
@@ -1061,12 +1076,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
}
/* get the public key */
- ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */
- pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
+ pub_rsa = EVP_PKEY_get0_RSA(pkey);
/* initialize RSA object */
- rsa->n = BN_dup(pub_rsa->n);
- rsa->flags |= RSA_FLAG_EXT_PKEY;
+ const BIGNUM *n = NULL;
+ const BIGNUM *e = NULL;
+ RSA_get0_key(pub_rsa, &n, &e, NULL);
+ RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
+ RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
if (!RSA_set_method(rsa, rsa_meth))
{
goto err;
@@ -1667,17 +1686,17 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
EVP_PKEY *pkey = X509_get_pubkey(cert);
if (pkey != NULL)
{
- if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
- && pkey->pkey.rsa->n != NULL)
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL)
{
+ RSA *rsa = EVP_PKEY_get0_RSA(pkey);
openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
- BN_num_bits(pkey->pkey.rsa->n));
+ RSA_bits(rsa));
}
- else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
- && pkey->pkey.dsa->p != NULL)
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
{
+ DSA *dsa = EVP_PKEY_get0_DSA(pkey);
openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
- BN_num_bits(pkey->pkey.dsa->p));
+ DSA_bits(dsa));
}
EVP_PKEY_free(pkey);
}
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index c64c65f..db4e1da 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -49,7 +48,7 @@
*/
struct tls_root_ctx {
SSL_CTX *ctx;
- struct timespec crl_last_mtime;
+ time_t crl_last_mtime;
off_t crl_last_size;
};
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 334eb29..9cd36d7 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -80,6 +79,28 @@ setenv_untrusted(struct tls_session *session)
setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
}
+
+/**
+ * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
+ *
+ * @param multi Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+ if(multi)
+ {
+ if (multi->auth_token)
+ {
+ secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
+ free(multi->auth_token);
+ }
+ multi->auth_token = NULL;
+ multi->auth_token_sent = false;
+ }
+}
+
+
/*
* Remove authenticated state from all sessions in the given tunnel
*/
@@ -88,10 +109,14 @@ tls_deauthenticate(struct tls_multi *multi)
{
if (multi)
{
- int i, j;
- for (i = 0; i < TM_SIZE; ++i)
- for (j = 0; j < KS_SIZE; ++j)
+ wipe_auth_token(multi);
+ for (int i = 0; i < TM_SIZE; ++i)
+ {
+ for (int j = 0; j < KS_SIZE; ++j)
+ {
multi->session[i].key[j].authenticated = false;
+ }
+ }
}
}
@@ -248,7 +273,9 @@ cert_hash_free(struct cert_hash_set *chs)
{
int i;
for (i = 0; i < MAX_CERT_DEPTH; ++i)
+ {
free(chs->ch[i]);
+ }
free(chs);
}
}
@@ -690,8 +717,31 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
/* verify level 1 cert, i.e. the CA that signed our leaf cert */
if (cert_depth == 1 && opt->verify_hash)
{
- struct buffer sha1_hash = x509_get_sha1_fingerprint(cert, &gc);
- if (memcmp(BPTR(&sha1_hash), opt->verify_hash, BLEN(&sha1_hash)))
+ struct buffer ca_hash = {0};
+
+ switch (opt->verify_hash_algo)
+ {
+ case MD_SHA1:
+ ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+ break;
+
+ case MD_SHA256:
+ ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+ break;
+
+ default:
+ /* This should normally not happen at all; the algorithm used
+ * is parsed by add_option() [options.c] and set to a predefined
+ * value in an enumerated type. So if this unlikely scenario
+ * happens, consider this a failure
+ */
+ msg(M_WARN, "Unexpected invalid algorithm used with "
+ "--verify-hash (%i)", opt->verify_hash_algo);
+ ret = FAILURE;
+ goto cleanup;
+ }
+
+ if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash)))
{
msg(D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
goto cleanup;
@@ -1213,21 +1263,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
-/**
- * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
- *
- * @param multi Pointer to a multi object holding the auth_token variables
- */
-static void
-wipe_auth_token(struct tls_multi *multi)
-{
- secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
- free(multi->auth_token);
- multi->auth_token = NULL;
- multi->auth_token_sent = false;
-}
-
-
/*
* Main username/password verification entry point
*/
@@ -1279,7 +1314,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
/* Ensure that the username has not changed */
if (!tls_lock_username(multi, up->username))
{
- wipe_auth_token(multi);
+ /* auth-token cleared in tls_lock_username() on failure */
ks->authenticated = false;
goto done;
}
@@ -1300,7 +1335,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
if (memcmp_constant_time(multi->auth_token, up->password,
strlen(multi->auth_token)) != 0)
{
- wipe_auth_token(multi);
ks->authenticated = false;
tls_deauthenticate(multi);
@@ -1472,6 +1506,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
{
ks->authenticated = false;
+ wipe_auth_token(multi);
msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
session->common_name,
path ? path : "UNDEF");
@@ -1480,4 +1515,21 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
gc_free(&gc);
}
}
+
+void
+tls_x509_clear_env(struct env_set *es)
+{
+ struct env_item *item = es->list;
+ while (item)
+ {
+ struct env_item *next = item->next;
+ if (item->string
+ && 0 == strncmp("X509_", item->string, strlen("X509_")))
+ {
+ env_set_del(es, item->string);
+ }
+ item = next;
+ }
+}
+
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index ffab218..f2d0d6c 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -218,6 +217,9 @@ struct x509_track
/** Do not perform Netscape certificate type verification */
#define NS_CERT_CHECK_CLIENT (1<<1)
+/** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */
+#define OPENVPN_KU_REQUIRED (0xFFFF)
+
/*
* TODO: document
*/
@@ -238,6 +240,9 @@ tls_client_reason(struct tls_multi *multi)
#endif
}
+/** Remove any X509_ env variables from env_set es */
+void tls_x509_clear_env(struct env_set *es);
+
#endif /* ENABLE_CRYPTO */
#endif /* SSL_VERIFY_H_ */
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index c4330ba..e8eaabe 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -125,6 +124,14 @@ struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
result_t backend_x509_get_username(char *common_name, int cn_len,
char *x509_username_field, openvpn_x509_cert_t *peer_cert);
+#ifdef ENABLE_X509ALTUSERNAME
+/**
+ * Return true iff the supplied extension field is supported by the
+ * --x509-username-field option.
+ */
+bool x509_username_field_ext_supported(const char *extname);
+#endif
+
/*
* Return the certificate's serial number in decimal string representation.
*
@@ -211,7 +218,7 @@ void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
* the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
/*
* Verify X.509 key usage extension field.
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index f01569f..838c217 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -209,7 +208,7 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
{
const size_t md_size = mbedtls_md_get_size(md_info);
struct buffer fingerprint = alloc_buf_gc(md_size, gc);
- mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR(&fingerprint));
+ mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint));
ASSERT(buf_inc_len(&fingerprint, md_size));
return fingerprint;
}
@@ -268,11 +267,21 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
size_t i;
char *val;
+ if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
+ || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
+ || orig->tag == MBEDTLS_ASN1_IA5_STRING))
+ {
+ /* Only support C-string compatible types */
+ return string_alloc("ERROR: unsupported ASN.1 string type", gc);
+ }
+
for (i = 0; i < orig->len; ++i)
+ {
if (orig->p[i] == '\0')
{
- return "ERROR: embedded null value";
+ return string_alloc("ERROR: embedded null value", gc);
}
+ }
val = gc_malloc(orig->len+1, false, gc);
memcpy(val, orig->p, orig->len);
val[orig->len] = '\0';
@@ -409,7 +418,7 @@ x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert)
}
result_t
-x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage)
+x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
{
@@ -435,32 +444,42 @@ result_t
x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku,
int expected_len)
{
- result_t fFound = FAILURE;
+ msg(D_HANDSHAKE, "Validating certificate key usage");
if (!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE))
{
- msg(D_HANDSHAKE, "Certificate does not have key usage extension");
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate does not have key usage extension");
+ return FAILURE;
}
- else
+
+ if (expected_ku[0] == OPENVPN_KU_REQUIRED)
{
- int i;
- unsigned nku = cert->key_usage;
+ /* Extension required, value checked by TLS library */
+ return SUCCESS;
+ }
- msg(D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; SUCCESS != fFound && i<expected_len; i++)
+ result_t fFound = FAILURE;
+ for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++)
+ {
+ if (expected_ku[i] != 0
+ && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i]))
{
- if (expected_ku[i] != 0)
- {
- msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
- "%04x", nku, expected_ku[i]);
+ fFound = SUCCESS;
+ }
+ }
- if (nku == expected_ku[i])
- {
- fFound = SUCCESS;
- }
- }
+ if (fFound != SUCCESS)
+ {
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate has key usage %04x, expected one of:",
+ cert->key_usage);
+ for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
+ {
+ msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
}
}
+
return fFound;
}
diff --git a/src/openvpn/ssl_verify_mbedtls.h b/src/openvpn/ssl_verify_mbedtls.h
index 3c71073..8b0a5ae 100644
--- a/src/openvpn/ssl_verify_mbedtls.h
+++ b/src/openvpn/ssl_verify_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index e9692a0..468b495 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -43,6 +42,7 @@
#include "ssl_openssl.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"
+#include "openssl_compat.h"
#include <openssl/x509v3.h>
#include <openssl/err.h>
@@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index);
ASSERT(session);
- struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc);
- cert_hash_remember(session, ctx->error_depth, &cert_hash);
+ X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+ struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc);
+ cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
{
/* get the X509 name */
- char *subject = x509_get_subject(ctx->current_cert, &gc);
+ char *subject = x509_get_subject(current_cert, &gc);
if (!subject)
{
@@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
}
/* Log and ignore missing CRL errors */
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
{
msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s",
- ctx->error_depth,
- X509_verify_cert_error_string(ctx->error),
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
subject);
ret = 1;
goto cleanup;
@@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
/* Remote site specified a certificate, but it's not correct */
msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
- ctx->error_depth,
- X509_verify_cert_error_string(ctx->error),
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
subject);
ERR_clear_error();
@@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
goto cleanup;
}
- if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth))
+ if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx)))
{
goto cleanup;
}
@@ -112,16 +113,29 @@ cleanup:
}
#ifdef ENABLE_X509ALTUSERNAME
+bool x509_username_field_ext_supported(const char *fieldname)
+{
+ int nid = OBJ_txt2nid(fieldname);
+ return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
+}
+
static
bool
extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
{
bool retval = false;
char *buf = 0;
- GENERAL_NAMES *extensions;
- int nid = OBJ_txt2nid(fieldname);
- extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+ if (!x509_username_field_ext_supported(fieldname))
+ {
+ msg(D_TLS_ERRORS,
+ "ERROR: --x509-alt-username field 'ext:%s' not supported",
+ fieldname);
+ return false;
+ }
+
+ int nid = OBJ_txt2nid(fieldname);
+ GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL);
if (extensions)
{
int numalts;
@@ -142,7 +156,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
switch (name->type)
{
case GEN_EMAIL:
- ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
+ {
+ continue;
+ }
if (strlen(buf) != name->d.ia5->length)
{
msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
@@ -162,7 +179,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
break;
}
}
- sk_GENERAL_NAME_free(extensions);
+ GENERAL_NAMES_free(extensions);
}
return retval;
}
@@ -189,15 +206,24 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
X509_NAME_ENTRY *x509ne = 0;
ASN1_STRING *asn1 = 0;
unsigned char *buf = NULL;
- int nid = OBJ_txt2nid(field_name);
+ ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
+
+ if (field_name_obj == NULL)
+ {
+ msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name);
+ return FAILURE;
+ }
ASSERT(size > 0);
*out = '\0';
- do {
+ do
+ {
lastpos = tmp;
- tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
+ tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos);
} while (tmp > -1);
+ ASN1_OBJECT_free(field_name_obj);
+
/* Nothing found */
if (lastpos == -1)
{
@@ -215,8 +241,7 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
{
return FAILURE;
}
- tmp = ASN1_STRING_to_UTF8(&buf, asn1);
- if (tmp <= 0)
+ if (ASN1_STRING_to_UTF8(&buf, asn1) < 0)
{
return FAILURE;
}
@@ -283,18 +308,20 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
struct buffer
x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc)
{
- struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc);
- memcpy(BPTR(&hash), cert->sha1_hash, sizeof(cert->sha1_hash));
- ASSERT(buf_inc_len(&hash, sizeof(cert->sha1_hash)));
+ const EVP_MD *sha1 = EVP_sha1();
+ struct buffer hash = alloc_buf_gc(EVP_MD_size(sha1), gc);
+ X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL);
+ ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1)));
return hash;
}
struct buffer
x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc)
{
- struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc);
+ const EVP_MD *sha256 = EVP_sha256();
+ struct buffer hash = alloc_buf_gc(EVP_MD_size(sha256), gc);
X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL);
- ASSERT(buf_inc_len(&hash, (EVP_sha256())->md_size));
+ ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256)));
return hash;
}
@@ -304,7 +331,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
BIO *subject_bio = NULL;
BUF_MEM *subject_mem;
char *subject = NULL;
- int maxlen = 0;
/*
* Generate the subject string in OpenSSL proprietary format,
@@ -335,11 +361,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
BIO_get_mem_ptr(subject_bio, &subject_mem);
- maxlen = subject_mem->length + 1;
- subject = gc_malloc(maxlen, false, gc);
+ subject = gc_malloc(subject_mem->length + 1, false, gc);
- memcpy(subject, subject_mem->data, maxlen);
- subject[maxlen - 1] = '\0';
+ memcpy(subject, subject_mem->data, subject_mem->length);
+ subject[subject_mem->length] = '\0';
err:
if (subject_bio)
@@ -457,7 +482,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
unsigned char *buf;
buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8(&buf, val) > 0)
+ if (ASN1_STRING_to_UTF8(&buf, val) >= 0)
{
do_setenv_x509(es, xt->name, (char *)buf, depth);
OPENSSL_free(buf);
@@ -545,7 +570,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
continue;
}
buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
+ if (ASN1_STRING_to_UTF8(&buf, val) < 0)
{
continue;
}
@@ -563,7 +588,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
}
result_t
-x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
+x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
{
@@ -571,13 +596,59 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
}
if (usage == NS_CERT_CHECK_CLIENT)
{
- return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+ /*
+ * Unfortunately, X509_check_purpose() does some weird thing that
+ * prevent it to take a const argument
+ */
+ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
+ SUCCESS : FAILURE;
+
+ /*
+ * old versions of OpenSSL allow us to make the less strict check we used to
+ * do. If this less strict check pass, warn user that this might not be the
+ * case when its distribution will update to OpenSSL 1.1
+ */
+ if (result == FAILURE)
+ {
+ ASN1_BIT_STRING *ns;
+ ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+ if (result == SUCCESS)
+ {
+ msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
+ "cannot be verified (check may fail in the future)");
+ }
+ ASN1_BIT_STRING_free(ns);
+ }
+ return result;
}
if (usage == NS_CERT_CHECK_SERVER)
{
- return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+ /*
+ * Unfortunately, X509_check_purpose() does some weird thing that
+ * prevent it to take a const argument
+ */
+ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
+ SUCCESS : FAILURE;
+
+ /*
+ * old versions of OpenSSL allow us to make the less strict check we used to
+ * do. If this less strict check pass, warn user that this might not be the
+ * case when its distribution will update to OpenSSL 1.1
+ */
+ if (result == FAILURE)
+ {
+ ASN1_BIT_STRING *ns;
+ ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+ if (result == SUCCESS)
+ {
+ msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
+ "cannot be verified (check may fail in the future)");
+ }
+ ASN1_BIT_STRING_free(ns);
+ }
+ return result;
}
return FAILURE;
@@ -587,55 +658,60 @@ result_t
x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
int expected_len)
{
- ASN1_BIT_STRING *ku = NULL;
- result_t fFound = FAILURE;
+ ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
- if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i(x509, NID_key_usage, NULL,
- NULL)) == NULL)
+ if (ku == NULL)
{
- msg(D_HANDSHAKE, "Certificate does not have key usage extension");
+ msg(D_TLS_ERRORS, "Certificate does not have key usage extension");
+ return FAILURE;
}
- else
+
+ if (expected_ku[0] == OPENVPN_KU_REQUIRED)
{
- unsigned nku = 0;
- int i;
- for (i = 0; i < 8; i++)
- {
- if (ASN1_BIT_STRING_get_bit(ku, i))
- {
- nku |= 1 << (7 - i);
- }
- }
+ /* Extension required, value checked by TLS library */
+ ASN1_BIT_STRING_free(ku);
+ return SUCCESS;
+ }
- /*
- * Fixup if no LSB bits
- */
- if ((nku & 0xff) == 0)
+ unsigned nku = 0;
+ for (size_t i = 0; i < 8; i++)
+ {
+ if (ASN1_BIT_STRING_get_bit(ku, i))
{
- nku >>= 8;
+ nku |= 1 << (7 - i);
}
+ }
- msg(D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; fFound != SUCCESS && i < expected_len; i++)
- {
- if (expected_ku[i] != 0)
- {
- msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
- "%04x", nku, expected_ku[i]);
+ /*
+ * Fixup if no LSB bits
+ */
+ if ((nku & 0xff) == 0)
+ {
+ nku >>= 8;
+ }
- if (nku == expected_ku[i])
- {
- fFound = SUCCESS;
- }
- }
+ msg(D_HANDSHAKE, "Validating certificate key usage");
+ result_t fFound = FAILURE;
+ for (size_t i = 0; fFound != SUCCESS && i < expected_len; i++)
+ {
+ if (expected_ku[i] != 0 && (nku & expected_ku[i]) == expected_ku[i])
+ {
+ fFound = SUCCESS;
}
}
- if (ku != NULL)
+ if (fFound != SUCCESS)
{
- ASN1_BIT_STRING_free(ku);
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate has key usage %04x, expected one of:", nku);
+ for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
+ {
+ msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
+ }
}
+ ASN1_BIT_STRING_free(ku);
+
return fFound;
}
@@ -714,11 +790,12 @@ tls_verify_crl_missing(const struct tls_options *opt)
crypto_msg(M_FATAL, "Cannot get certificate store");
}
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
{
return false;
}
diff --git a/src/openvpn/ssl_verify_openssl.h b/src/openvpn/ssl_verify_openssl.h
index 1db6fe6..4c8dbeb 100644
--- a/src/openvpn/ssl_verify_openssl.h
+++ b/src/openvpn/ssl_verify_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/status.c b/src/openvpn/status.c
index e47f35c..a163408 100644
--- a/src/openvpn/status.c
+++ b/src/openvpn/status.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/status.h b/src/openvpn/status.h
index 590ae41..8199935 100644
--- a/src/openvpn/status.h
+++ b/src/openvpn/status.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef STATUS_H
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index a1b6047..2973b5a 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SYSHEAD_H
@@ -288,6 +287,10 @@
#include <netinet/ip.h>
#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
@@ -589,9 +592,7 @@ socket_defined(const socket_descriptor_t sd)
/*
* Should we include OCC (options consistency check) code?
*/
-#ifndef ENABLE_SMALL
#define ENABLE_OCC
-#endif
/*
* Should we include NTLM proxy functionality
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c227b09..e13bb4e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,15 +43,14 @@ tls_crypt_buf_overhead(void)
void
tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
- const char *key_inline, bool tls_server) {
+ const char *key_inline, bool tls_server)
+{
const int key_direction = tls_server ?
KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt;
kt.cipher = cipher_kt_get("AES-256-CTR");
- kt.cipher_length = cipher_kt_key_size(kt.cipher);
kt.digest = md_kt_get("SHA256");
- kt.hmac_length = md_kt_size(kt.digest);
if (!kt.cipher)
{
@@ -63,6 +61,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
}
+ kt.cipher_length = cipher_kt_key_size(kt.cipher);
+ kt.hmac_length = md_kt_size(kt.digest);
+
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
"Control Channel Encryption", "tls-crypt");
}
@@ -79,7 +80,8 @@ tls_crypt_adjust_frame_parameters(struct frame *frame)
bool
tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt) {
+ struct crypto_options *opt)
+{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
@@ -95,10 +97,10 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
+ if (!packet_id_write(&opt->packet_id.send, dst, true, false))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
- packet_id_write(&pin, dst, true, false);
+ msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
+ goto err;
}
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h
index 47f75d0..e8080df 100644
--- a/src/openvpn/tls_crypt.h
+++ b/src/openvpn/tls_crypt.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index f812844..75a156c 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -560,7 +559,9 @@ is_tun_p2p(const struct tuntap *tt)
{
bool tun = false;
- if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
+ if (tt->type == DEV_TYPE_TAP
+ || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
+ || tt->type == DEV_TYPE_NULL )
{
tun = false;
}
@@ -694,7 +695,8 @@ init_tun(const char *dev, /* --dev option */
* make sure they do not clash with our virtual subnet.
*/
- for (curele = local_public; curele; curele = curele->ai_next) {
+ for (curele = local_public; curele; curele = curele->ai_next)
+ {
if (curele->ai_family == AF_INET)
{
check_addr_clash("local",
@@ -705,7 +707,8 @@ init_tun(const char *dev, /* --dev option */
}
}
- for (curele = remote_public; curele; curele = curele->ai_next) {
+ for (curele = remote_public; curele; curele = curele->ai_next)
+ {
if (curele->ai_family == AF_INET)
{
check_addr_clash("remote",
@@ -1036,7 +1039,8 @@ do_ifconfig(struct tuntap *tt,
struct buffer out = alloc_buf_gc(64, &gc);
char *top;
- switch (tt->topology) {
+ switch (tt->topology)
+ {
case TOP_NET30:
top = "net30";
break;
@@ -1649,11 +1653,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
u_int32_t type;
struct iovec iv[2];
- struct ip *iph;
+ struct openvpn_iphdr *iph;
- iph = (struct ip *) buf;
+ iph = (struct openvpn_iphdr *) buf;
- if (iph->ip_v == 6)
+ if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
{
type = htonl(AF_INET6);
}
@@ -1835,12 +1839,14 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
/* Prefer IPv6 DNS servers,
* Android will use the DNS server in the order we specify*/
- for (int i = 0; i < tt->options.dns6_len; i++) {
+ for (int i = 0; i < tt->options.dns6_len; i++)
+ {
management_android_control(management, "DNS6SERVER",
print_in6_addr(tt->options.dns6[i], 0, &gc));
}
- for (int i = 0; i < tt->options.dns_len; i++) {
+ for (int i = 0; i < tt->options.dns_len; i++)
+ {
management_android_control(management, "DNSSERVER",
print_in_addr_t(tt->options.dns[i], 0, &gc));
}
@@ -2254,7 +2260,9 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
{
ptr = dev;
while (*ptr && !isdigit((int) *ptr))
+ {
ptr++;
+ }
ppa = atoi(ptr);
}
@@ -3277,7 +3285,10 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
{
/* ensure that dev name is "tap+<digits>" *only* */
p = &dev[3];
- while (isdigit(*p) ) p++;
+ while (isdigit(*p) )
+ {
+ p++;
+ }
if (*p != '\0')
{
msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" );
@@ -5455,7 +5466,9 @@ write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, c
buf_write_u8(buf, type);
buf_write_u8(buf, size);
for (i = 0; i < len; ++i)
+ {
buf_write_u32(buf, data[i]);
+ }
}
}
@@ -6224,10 +6237,7 @@ close_tun(struct tuntap *tt)
}
#endif
- if (tt->options.dhcp_release)
- {
- dhcp_release(tt);
- }
+ dhcp_release(tt);
if (tt->hand != NULL)
{
@@ -6287,10 +6297,12 @@ ascii2ipset(const char *name)
int i;
ASSERT(IPW32_SET_N == SIZE(ipset_names));
for (i = 0; i < IPW32_SET_N; ++i)
+ {
if (!strcmp(name, ipset_names[i].short_form))
{
return i;
}
+ }
return -1;
}
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index f4b600c..8782d69 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef TUN_H
@@ -104,7 +103,6 @@ struct tuntap_options {
bool dhcp_renew;
bool dhcp_pre_release;
- bool dhcp_release;
bool register_dns;
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index e26f54d..d0b10ba 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -61,6 +60,12 @@
static HANDLE m_hEngineHandle = NULL; /* GLOBAL */
/*
+ * TAP adapter original metric value
+ */
+static int tap_metric_v4 = -1; /* GLOBAL */
+static int tap_metric_v6 = -1; /* GLOBAL */
+
+/*
* Windows internal socket API state (opaque).
*/
static struct WSAData wsa_state; /* GLOBAL */
@@ -569,7 +574,8 @@ win32_keyboard_get(struct win32_signal *ws)
if (HANDLE_DEFINED(ws->in.read))
{
INPUT_RECORD ir;
- do {
+ do
+ {
DWORD n;
if (!keyboard_input_available(ws))
{
@@ -681,7 +687,8 @@ win32_pause(struct win32_signal *ws)
{
int status;
msg(M_INFO|M_NOPREFIX, "Press any key to continue...");
- do {
+ do
+ {
status = WaitForSingleObject(ws->in.read, INFINITE);
} while (!win32_keyboard_get(ws));
}
@@ -984,7 +991,9 @@ env_block(const struct env_set *es)
bool path_seen = false;
for (e = es->list; e != NULL; e = e->next)
+ {
nchars += strlen(e->string) + 1;
+ }
nchars += strlen(force_path)+1;
@@ -1324,8 +1333,8 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel)
goto out;
}
- status = GetModuleFileNameW(NULL, openvpnpath, sizeof(openvpnpath));
- if (status == 0 || status == sizeof(openvpnpath))
+ status = GetModuleFileNameW(NULL, openvpnpath, _countof(openvpnpath));
+ if (status == 0 || status == _countof(openvpnpath))
{
msg(M_WARN|M_ERRNO, "block_dns: cannot get executable path");
goto out;
@@ -1333,6 +1342,27 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel)
status = add_block_dns_filters(&m_hEngineHandle, index, openvpnpath,
block_dns_msg_handler);
+ if (status == 0)
+ {
+ tap_metric_v4 = get_interface_metric(index, AF_INET);
+ tap_metric_v6 = get_interface_metric(index, AF_INET6);
+ if (tap_metric_v4 < 0)
+ {
+ /* error, should not restore metric */
+ tap_metric_v4 = -1;
+ }
+ if (tap_metric_v6 < 0)
+ {
+ /* error, should not restore metric */
+ tap_metric_v6 = -1;
+ }
+ status = set_interface_metric(index, AF_INET, BLOCK_DNS_IFACE_METRIC);
+ if (!status)
+ {
+ set_interface_metric(index, AF_INET6, BLOCK_DNS_IFACE_METRIC);
+ }
+ }
+
ret = (status == 0);
out:
@@ -1341,19 +1371,27 @@ out:
}
bool
-win_wfp_uninit(const HANDLE msg_channel)
+win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
{
dmsg(D_LOW, "Uninitializing WFP");
if (msg_channel)
{
msg(D_LOW, "Using service to delete block dns filters");
- win_block_dns_service(false, -1, msg_channel);
+ win_block_dns_service(false, index, msg_channel);
}
else
{
delete_block_dns_filters(m_hEngineHandle);
m_hEngineHandle = NULL;
+ if (tap_metric_v4 >= 0)
+ {
+ set_interface_metric(index, AF_INET, tap_metric_v4);
+ }
+ if (tap_metric_v6 >= 0)
+ {
+ set_interface_metric(index, AF_INET6, tap_metric_v6);
+ }
}
return true;
diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h
index 4ee44fd..21a1021 100644
--- a/src/openvpn/win32.h
+++ b/src/openvpn/win32.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef _WIN32
@@ -293,7 +292,7 @@ WCHAR *wide_string(const char *utf8, struct gc_arena *gc);
bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel);
-bool win_wfp_uninit(const HANDLE msg_channel);
+bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel);
#define WIN_XP 0
#define WIN_VISTA 1
diff --git a/src/openvpnserv/Makefile.in b/src/openvpnserv/Makefile.in
index e113fee..234a927 100644
--- a/src/openvpnserv/Makefile.in
+++ b/src/openvpnserv/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -37,7 +37,17 @@
# Required to build Windows resource file
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -100,8 +110,6 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \
- $(srcdir)/Makefile.am $(top_srcdir)/depcomp
@WIN32_TRUE@sbin_PROGRAMS = openvpnserv$(EXEEXT)
subdir = src/openvpnserv
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -114,6 +122,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -196,6 +205,8 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \
+ $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -244,6 +255,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -292,6 +304,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -304,12 +317,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -366,7 +381,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -413,7 +430,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpnserv/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/openvpnserv/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -422,7 +438,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
-$(top_srcdir)/build/ltrc.inc:
+$(top_srcdir)/build/ltrc.inc $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -504,14 +520,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -817,6 +833,8 @@ uninstall-am: uninstall-sbinPROGRAMS
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS
+.PRECIOUS: Makefile
+
.rc.lo:
$(LTRCCOMPILE) -i "$<" -o "$@"
diff --git a/src/openvpnserv/automatic.c b/src/openvpnserv/automatic.c
index 6be6c6d..4123d0f 100644
--- a/src/openvpnserv/automatic.c
+++ b/src/openvpnserv/automatic.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -293,7 +292,8 @@ ServiceStartAutomatic(DWORD dwArgc, LPTSTR *lpszArgv)
/*
* Loop over each config file
*/
- do {
+ do
+ {
HANDLE log_handle = NULL;
STARTUPINFO start_info;
PROCESS_INFORMATION proc_info;
diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c
index 3b9b396..0c9098f 100644
--- a/src/openvpnserv/common.c
+++ b/src/openvpnserv/common.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <service.h>
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index dbe2b9b..607c8a9 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
@@ -94,6 +93,13 @@ typedef enum {
} undo_type_t;
typedef list_item_t *undo_lists_t[_undo_type_max];
+typedef struct {
+ HANDLE engine;
+ int index;
+ int metric_v4;
+ int metric_v6;
+} block_dns_data_t;
+
static DWORD
AddListItem(list_item_t **pfirst, LPVOID data)
@@ -215,7 +221,9 @@ AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD count,
handles[0] = io_event;
for (i = 0; i < count; i++)
+ {
handles[i + 1] = events[i];
+ }
res = WaitForMultipleObjects(count + 1, handles, FALSE,
op == peek ? INFINITE : IO_TIMEOUT);
@@ -883,6 +891,7 @@ static DWORD
HandleBlockDNSMessage(const block_dns_message_t *msg, undo_lists_t *lists)
{
DWORD err = 0;
+ block_dns_data_t *interface_data;
HANDLE engine = NULL;
LPCWSTR exe_path;
@@ -899,16 +908,57 @@ HandleBlockDNSMessage(const block_dns_message_t *msg, undo_lists_t *lists)
err = add_block_dns_filters(&engine, msg->iface.index, exe_path, BlockDNSErrHandler);
if (!err)
{
- err = AddListItem(&(*lists)[block_dns], engine);
+ interface_data = malloc(sizeof(block_dns_data_t));
+ if (!interface_data)
+ {
+ return ERROR_OUTOFMEMORY;
+ }
+ interface_data->engine = engine;
+ interface_data->index = msg->iface.index;
+ interface_data->metric_v4 = get_interface_metric(msg->iface.index,
+ AF_INET);
+ if (interface_data->metric_v4 < 0)
+ {
+ interface_data->metric_v4 = -1;
+ }
+ interface_data->metric_v6 = get_interface_metric(msg->iface.index,
+ AF_INET6);
+ if (interface_data->metric_v6 < 0)
+ {
+ interface_data->metric_v6 = -1;
+ }
+ err = AddListItem(&(*lists)[block_dns], interface_data);
+ if (!err)
+ {
+ err = set_interface_metric(msg->iface.index, AF_INET,
+ BLOCK_DNS_IFACE_METRIC);
+ if (!err)
+ {
+ set_interface_metric(msg->iface.index, AF_INET6,
+ BLOCK_DNS_IFACE_METRIC);
+ }
+ }
}
}
else
{
- engine = RemoveListItem(&(*lists)[block_dns], CmpEngine, NULL);
- if (engine)
+ interface_data = RemoveListItem(&(*lists)[block_dns], CmpEngine, NULL);
+ if (interface_data)
{
+ engine = interface_data->engine;
err = delete_block_dns_filters(engine);
engine = NULL;
+ if (interface_data->metric_v4 >= 0)
+ {
+ set_interface_metric(msg->iface.index, AF_INET,
+ interface_data->metric_v4);
+ }
+ if (interface_data->metric_v6 >= 0)
+ {
+ set_interface_metric(msg->iface.index, AF_INET6,
+ interface_data->metric_v6);
+ }
+ free(interface_data);
}
else
{
@@ -1323,6 +1373,7 @@ static VOID
Undo(undo_lists_t *lists)
{
undo_type_t type;
+ block_dns_data_t *interface_data;
for (type = 0; type < _undo_type_max; type++)
{
list_item_t **pnext = &(*lists)[type];
@@ -1348,8 +1399,18 @@ Undo(undo_lists_t *lists)
break;
case block_dns:
- delete_block_dns_filters(item->data);
- item->data = NULL;
+ interface_data = (block_dns_data_t*)(item->data);
+ delete_block_dns_filters(interface_data->engine);
+ if (interface_data->metric_v4 >= 0)
+ {
+ set_interface_metric(interface_data->index, AF_INET,
+ interface_data->metric_v4);
+ }
+ if (interface_data->metric_v6 >= 0)
+ {
+ set_interface_metric(interface_data->index, AF_INET6,
+ interface_data->metric_v6);
+ }
break;
}
@@ -1475,7 +1536,7 @@ RunOpenvpn(LPVOID p)
}
/* Check user is authorized or options are white-listed */
- if (!IsAuthorizedUser(ovpn_user->User.Sid, &settings)
+ if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group)
&& !ValidateOptions(pipe, sud.directory, sud.options))
{
goto out;
@@ -1840,7 +1901,8 @@ ServiceStartInteractive(DWORD dwArgc, LPTSTR *lpszArgv)
PHANDLE handles = NULL;
DWORD handle_count;
BOOL
- CmpHandle(LPVOID item, LPVOID hnd) {
+ CmpHandle(LPVOID item, LPVOID hnd)
+ {
return item == hnd;
}
diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h
index b1130c9..9fe573e 100644
--- a/src/openvpnserv/service.h
+++ b/src/openvpnserv/service.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef _SERVICE_H
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index c9c3855..f6a97e9 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "validate.h"
@@ -49,6 +48,9 @@ static const WCHAR *white_list[] =
NULL /* last value */
};
+static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
+static PTOKEN_GROUPS GetTokenGroups(const HANDLE token);
+
/*
* Check workdir\fname is inside config_dir
* The logic here is simple: we may reject some valid paths if ..\ is in any of the strings
@@ -147,21 +149,16 @@ GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
/*
* Check whether user is a member of Administrators group or
- * the group specified in s->ovpn_admin_group
+ * the group specified in ovpn_admin_group
*/
BOOL
-IsAuthorizedUser(SID *sid, settings_t *s)
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
{
- LOCALGROUP_USERS_INFO_0 *groups = NULL;
- DWORD nread;
- DWORD nmax;
- WCHAR *tmp = NULL;
const WCHAR *admin_group[2];
WCHAR username[MAX_NAME];
WCHAR domain[MAX_NAME];
WCHAR sysadmin_group[MAX_NAME];
- DWORD err, len = MAX_NAME;
- int i;
+ DWORD len = MAX_NAME;
BOOL ret = FALSE;
SID_NAME_USE sid_type;
@@ -169,17 +166,9 @@ IsAuthorizedUser(SID *sid, settings_t *s)
if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type))
{
MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid"));
- goto out;
- }
-
- /* Get an array of groups the user is member of */
- err = NetUserGetLocalGroups(NULL, username, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &groups,
- MAX_PREFERRED_LENGTH, &nread, &nmax);
- if (err && err != ERROR_MORE_DATA)
- {
- SetLastError(err);
- MsgToEventLog(M_SYSERR, TEXT("NetUserGetLocalGroups"));
- goto out;
+ /* not fatal as this is now used only for logging */
+ username[0] = '\0';
+ domain[0] = '\0';
}
if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
@@ -192,41 +181,136 @@ IsAuthorizedUser(SID *sid, settings_t *s)
/* use the default value */
admin_group[0] = SYSTEM_ADMIN_GROUP;
}
+ admin_group[1] = ovpn_admin_group;
-#ifdef UNICODE
- admin_group[1] = s->ovpn_admin_group;
-#else
- tmp = NULL;
- len = MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, NULL, 0);
- if (len == 0 || (tmp = malloc(len*sizeof(WCHAR))) == NULL)
+ PTOKEN_GROUPS token_groups = GetTokenGroups(token);
+ for (int i = 0; i < 2; ++i)
{
- MsgToEventLog(M_SYSERR, TEXT("Failed to convert admin group name to WideChar"));
- goto out;
+ ret = IsUserInGroup(sid, token_groups, admin_group[i]);
+ if (ret)
+ {
+ MsgToEventLog(M_INFO, TEXT("Authorizing user '%s@%s' by virtue of membership in group '%s'"),
+ username, domain, admin_group[i]);
+ goto out;
+ }
}
- MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, tmp, len);
- admin_group[1] = tmp;
-#endif
- /* Check if user's groups include any of the admin groups */
- for (i = 0; i < nread; i++)
+out:
+ free(token_groups);
+ return ret;
+}
+
+/**
+ * Get a list of groups in token.
+ * Returns a pointer to TOKEN_GROUPS struct or NULL on error.
+ * The caller should free the returned pointer.
+ */
+static PTOKEN_GROUPS
+GetTokenGroups(const HANDLE token)
+{
+ PTOKEN_GROUPS groups = NULL;
+ DWORD buf_size = 0;
+
+ if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)
+ && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
+ {
+ groups = malloc(buf_size);
+ }
+ if (!groups)
+ {
+ MsgToEventLog(M_SYSERR, L"GetTokenGroups");
+ }
+ else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size))
{
- if (wcscmp(groups[i].lgrui0_name, admin_group[0]) == 0
- || wcscmp(groups[i].lgrui0_name, admin_group[1]) == 0
- )
+ MsgToEventLog(M_SYSERR, L"GetTokenInformation");
+ free(groups);
+ }
+ return groups;
+}
+
+/*
+ * Find SID from name
+ *
+ * On input sid buffer should have space for at least sid_size bytes.
+ * Returns true on success, false on failure.
+ * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes
+ */
+static BOOL
+LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
+{
+ SID_NAME_USE su;
+ WCHAR domain[MAX_NAME];
+ DWORD dlen = _countof(domain);
+
+ if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su))
+ {
+ return FALSE; /* not fatal as the group may not exist */
+ }
+ return TRUE;
+}
+
+/**
+ * User is in group if the token groups contain the SID of the group
+ * of if the user is a direct member of the group. The latter check
+ * catches dynamic changes in group membership in the local user
+ * database not reflected in the token.
+ * If token_groups or sid is NULL the corresponding check is skipped.
+ *
+ * Using sid and list of groups in token avoids reference to domains so that
+ * this could be completed without access to a Domain Controller.
+ *
+ * Returns true if the user is in the group, false otherwise.
+ */
+static BOOL
+IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
+{
+ BOOL ret = FALSE;
+ DWORD_PTR resume = 0;
+ DWORD err;
+ BYTE grp_sid[SECURITY_MAX_SID_SIZE];
+ int nloop = 0; /* a counter used to not get stuck in the do .. while() */
+
+ /* first check in the token groups */
+ if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
+ {
+ for (DWORD i = 0; i < token_groups->GroupCount; ++i)
{
- MsgToEventLog(M_INFO, TEXT("Authorizing user %s by virtue of membership in group %s"),
- username, groups[i].lgrui0_name);
- ret = TRUE;
- break;
+ if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
+ {
+ return TRUE;
+ }
}
}
-out:
- if (groups)
+ /* check user's SID is a member of the group */
+ if (!sid)
+ {
+ return FALSE;
+ }
+ do
+ {
+ DWORD nread, nmax;
+ LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
+ err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
+ MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
+ if ((err != NERR_Success && err != ERROR_MORE_DATA))
+ {
+ break;
+ }
+ /* If a match is already found, ret == TRUE and the loop is skipped */
+ for (int i = 0; i < nread && !ret; ++i)
+ {
+ ret = EqualSid(members[i].lgrmi0_sid, sid);
+ }
+ NetApiBufferFree(members);
+ /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */
+ } while (err == ERROR_MORE_DATA && nloop++ < 100);
+
+ if (err != NERR_Success && err != NERR_GroupNotFound)
{
- NetApiBufferFree(groups);
+ SetLastError(err);
+ MsgToEventLog(M_SYSERR, TEXT("In NetLocalGroupGetMembers for group '%s'"), group_name);
}
- free(tmp);
return ret;
}
diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h
index ece8704..cc443e6 100644
--- a/src/openvpnserv/validate.h
+++ b/src/openvpnserv/validate.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef VALIDATE_H
@@ -34,7 +33,7 @@
/* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */
BOOL
-IsAuthorizedUser(SID *sid, settings_t *s);
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group);
BOOL
CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
diff --git a/src/plugins/Makefile.in b/src/plugins/Makefile.in
index 4f7a821..d63b407 100644
--- a/src/plugins/Makefile.in
+++ b/src/plugins/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -25,7 +25,17 @@
# Copyright (C) 2006-2012 Alon Bar-Lev <alon.barlev@gmail.com>
#
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -89,7 +99,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/plugins
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -100,6 +109,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -160,6 +170,7 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
+am__DIST_COMMON = $(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -233,6 +244,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -281,6 +293,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -293,12 +306,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -355,7 +370,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -378,7 +395,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/plugins/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -674,6 +690,8 @@ uninstall-am:
mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
ps ps-am tags tags-am uninstall uninstall-am
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/plugins/auth-pam/Makefile.in b/src/plugins/auth-pam/Makefile.in
index 90d5058..50b7523 100644
--- a/src/plugins/auth-pam/Makefile.in
+++ b/src/plugins/auth-pam/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -22,7 +22,17 @@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -86,8 +96,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/plugins/auth-pam
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp $(am__dist_doc_DATA_DIST)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -98,6 +106,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_doc_DATA_DIST) \
+ $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -209,6 +219,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -257,6 +268,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -305,6 +317,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -317,12 +330,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -379,7 +394,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -422,7 +439,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/plugins/auth-pam/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -494,14 +510,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -746,6 +762,8 @@ uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES
tags tags-am uninstall uninstall-am uninstall-dist_docDATA \
uninstall-pluginLTLIBRARIES
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index d3e2c89..ae514d7 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -63,6 +62,9 @@
#define RESPONSE_VERIFY_SUCCEEDED 12
#define RESPONSE_VERIFY_FAILED 13
+/* Pointers to functions exported from openvpn */
+static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+
/*
* Plugin state, used by foreground
*/
@@ -274,8 +276,10 @@ name_value_match(const char *query, const char *match)
return strncasecmp(match, query, strlen(match)) == 0;
}
-OPENVPN_EXPORT openvpn_plugin_handle_t
-openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *envp[])
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3(const int v3structver,
+ struct openvpn_plugin_args_open_in const *args,
+ struct openvpn_plugin_args_open_return *ret)
{
pid_t pid;
int fd[2];
@@ -285,6 +289,16 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
const int base_parms = 2;
+ const char **argv = args->argv;
+ const char **envp = args->envp;
+
+ /* Check API compatibility -- struct version 4 or higher needed */
+ if (v3structver < 4)
+ {
+ fprintf(stderr, "AUTH-PAM: This plugin is incompatible with the running version of OpenVPN\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+
/*
* Allocate our context
*/
@@ -298,7 +312,10 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
/*
* Intercept the --auth-user-pass-verify callback.
*/
- *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+ ret->type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+
+ /* Save global pointers to functions exported from openvpn */
+ plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
/*
* Make sure we have two string arguments: the first is the .so name,
@@ -386,7 +403,8 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
if (status == RESPONSE_INIT_SUCCEEDED)
{
context->foreground_fd = fd[0];
- return (openvpn_plugin_handle_t) context;
+ ret->handle = (openvpn_plugin_handle_t *) context;
+ return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
}
else
@@ -420,7 +438,7 @@ error:
{
free(context);
}
- return NULL;
+ return OPENVPN_PLUGIN_FUNC_ERROR;
}
OPENVPN_EXPORT int
@@ -785,6 +803,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
goto done;
}
}
+ plugin_secure_memzero(up.password, sizeof(up.password));
break;
case COMMAND_EXIT:
@@ -802,6 +821,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
}
done:
+ plugin_secure_memzero(up.password, sizeof(up.password));
#ifdef USE_PAM_DLOPEN
dlclose_pam();
#endif
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
index b07937c..597e33f 100644
--- a/src/plugins/auth-pam/auth-pam.exports
+++ b/src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,4 @@
-openvpn_plugin_open_v1
+openvpn_plugin_open_v3
openvpn_plugin_func_v1
openvpn_plugin_close_v1
openvpn_plugin_abort_v1
diff --git a/src/plugins/auth-pam/utils.c b/src/plugins/auth-pam/utils.c
index 4f8fb0a..4b900c7 100644
--- a/src/plugins/auth-pam/utils.c
+++ b/src/plugins/auth-pam/utils.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -78,7 +77,8 @@ searchandreplace(const char *tosearch, const char *searchfor, const char *replac
return strdup(tosearch);
}
- while (scratch) {
+ while (scratch)
+ {
strncat(temp,searching,scratch-searching);
strcat(temp,replacewith);
@@ -117,7 +117,9 @@ string_array_len(const char *array[])
if (array)
{
while (array[i])
+ {
++i;
+ }
}
return i;
}
diff --git a/src/plugins/auth-pam/utils.h b/src/plugins/auth-pam/utils.h
index fbc9705..c0b4b10 100644
--- a/src/plugins/auth-pam/utils.h
+++ b/src/plugins/auth-pam/utils.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef _PLUGIN_AUTH_PAM_UTILS__H
diff --git a/src/plugins/down-root/Makefile.in b/src/plugins/down-root/Makefile.in
index e5c0ad5..f1a840a 100644
--- a/src/plugins/down-root/Makefile.in
+++ b/src/plugins/down-root/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -22,7 +22,17 @@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -86,8 +96,6 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/plugins/down-root
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp $(am__dist_doc_DATA_DIST)
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/m4/ax_socklen_t.m4 \
@@ -98,6 +106,8 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_doc_DATA_DIST) \
+ $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -208,6 +218,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -256,6 +267,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -304,6 +316,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -316,12 +329,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -378,7 +393,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -415,7 +432,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/plugins/down-root/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/plugins/down-root/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -485,14 +501,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -737,6 +753,8 @@ uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES
tags tags-am uninstall uninstall-am uninstall-dist_docDATA \
uninstall-pluginLTLIBRARIES
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index ae85ecb..4198184 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -116,7 +115,9 @@ string_array_len(const char *array[])
if (array)
{
while (array[i])
+ {
++i;
+ }
}
return i;
}