diff options
Diffstat (limited to 'src/openvpn')
165 files changed, 1278 insertions, 2653 deletions
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index fcc22d6..bea294b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -27,9 +27,7 @@ AM_CFLAGS = \ $(OPTIONAL_CRYPTO_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) \ $(OPTIONAL_LZ4_CFLAGS) \ - $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ - -DPLUGIN_LIBDIR=\"${plugindir}\" - + $(OPTIONAL_PKCS11_HELPER_CFLAGS) if WIN32 # we want unicode entry point but not the macro AM_CFLAGS += -municode -UUNICODE @@ -81,7 +79,6 @@ openvpn_SOURCES = \ multi.c multi.h \ ntlm.c ntlm.h \ occ.c occ.h occ-inline.h \ - openssl_compat.h \ pkcs11.c pkcs11.h pkcs11_backend.h \ pkcs11_openssl.c \ pkcs11_mbedtls.c \ diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in index ca4635b..95d4f59 100644 --- a/src/openvpn/Makefile.in +++ b/src/openvpn/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -37,17 +37,7 @@ # Required to build Windows resource file VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -110,7 +100,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ - +DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \ + $(srcdir)/Makefile.am $(top_srcdir)/depcomp # we want unicode entry point but not the macro @WIN32_TRUE@am__append_1 = -municode -UUNICODE sbin_PROGRAMS = openvpn$(EXEEXT) @@ -127,7 +118,6 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h @@ -149,21 +139,21 @@ am__openvpn_SOURCES_DIST = argv.c argv.h base64.c base64.h basic.h \ console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ - openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \ - pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \ - options.c options.h otime.c otime.h packet_id.c packet_id.h \ - perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ - ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ - proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ - reliable.h route.c route.h schedule.c schedule.h session_id.c \ - session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ - socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ - ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \ - ssl_verify.c ssl_verify.h ssl_verify_backend.h \ - ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \ - ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \ - tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \ - cryptoapi.c openvpn_win32_resources.rc block_dns.c block_dns.h + pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \ + pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \ + otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \ + pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \ + pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \ + push.h pushlist.h reliable.c reliable.h route.c route.h \ + schedule.c schedule.h session_id.c session_id.h shaper.c \ + shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \ + ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \ + ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \ + ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \ + ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \ + syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \ + cryptoapi.h cryptoapi.c openvpn_win32_resources.rc block_dns.c \ + block_dns.h @WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) \ @WIN32_TRUE@ block_dns.$(OBJEXT) am_openvpn_OBJECTS = argv.$(OBJEXT) base64.$(OBJEXT) buffer.$(OBJEXT) \ @@ -263,8 +253,6 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \ - $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -313,7 +301,6 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ @@ -362,7 +349,6 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ @@ -375,14 +361,12 @@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ -SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ -TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ @@ -439,9 +423,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ -systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ -tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ @@ -462,8 +444,7 @@ AM_CPPFLAGS = \ AM_CFLAGS = $(TAP_CFLAGS) $(OPTIONAL_CRYPTO_CFLAGS) \ $(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_LZ4_CFLAGS) \ - $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ - -DPLUGIN_LIBDIR=\"${plugindir}\" $(am__append_1) + $(OPTIONAL_PKCS11_HELPER_CFLAGS) $(am__append_1) openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \ buffer.h circ_list.h clinat.c clinat.h common.h comp.c comp.h \ compstub.c comp-lz4.c comp-lz4.h crypto.c crypto.h \ @@ -478,21 +459,20 @@ openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \ console_builtin.c console_systemd.c mroute.c mroute.h mss.c \ mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \ mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \ - openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \ - pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \ - options.c options.h otime.c otime.h packet_id.c packet_id.h \ - perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \ - ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \ - proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \ - reliable.h route.c route.h schedule.c schedule.h session_id.c \ - session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \ - socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \ - ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \ - ssl_verify.c ssl_verify.h ssl_verify_backend.h \ - ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \ - ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \ - tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \ - cryptoapi.c $(am__append_2) + pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \ + pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \ + otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \ + pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \ + pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \ + push.h pushlist.h reliable.c reliable.h route.c route.h \ + schedule.c schedule.h session_id.c session_id.h shaper.c \ + shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \ + ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \ + ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \ + ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \ + ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \ + syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \ + cryptoapi.h cryptoapi.c $(am__append_2) openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \ $(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) $(OPTIONAL_LZ4_LIBS) \ $(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \ @@ -514,6 +494,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpn/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/openvpn/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -522,7 +503,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; -$(top_srcdir)/build/ltrc.inc $(am__empty): +$(top_srcdir)/build/ltrc.inc: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh @@ -674,14 +655,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -903,8 +884,6 @@ uninstall-am: uninstall-sbinPROGRAMS mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS -.PRECIOUS: Makefile - .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c index a71d261..cc813ed 100644 --- a/src/openvpn/argv.c +++ b/src/openvpn/argv.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * * A printf-like function (that only recognizes a subset of standard printf @@ -59,9 +60,7 @@ argv_reset(struct argv *a) { size_t i; for (i = 0; i < a->argc; ++i) - { free(a->argv[i]); - } free(a->argv); argv_init(a); } @@ -75,9 +74,7 @@ argv_extend(struct argv *a, const size_t newcap) size_t i; ALLOC_ARRAY_CLEAR(newargv, char *, newcap); for (i = 0; i < a->argc; ++i) - { newargv[i] = a->argv[i]; - } free(a->argv); a->argv = newargv; a->capacity = newcap; @@ -107,15 +104,11 @@ argv_clone(const struct argv *a, const size_t headroom) argv_init(&r); for (i = 0; i < headroom; ++i) - { argv_append(&r, NULL); - } if (a) { for (i = 0; i < a->argc; ++i) - { argv_append(&r, string_alloc(a->argv[i], NULL)); - } } return r; } @@ -339,9 +332,7 @@ argv_parse_cmd(struct argv *a, const char *s) { int i; for (i = 0; i < nparms; ++i) - { argv_append(a, string_alloc(parms[i], NULL)); - } } else { diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h index 7d0754c..1dd6dd7 100644 --- a/src/openvpn/argv.h +++ b/src/openvpn/argv.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * * A printf-like function (that only recognizes a subset of standard printf diff --git a/src/openvpn/base64.c b/src/openvpn/base64.c index 0ac65e9..c799ede 100644 --- a/src/openvpn/base64.c +++ b/src/openvpn/base64.c @@ -69,8 +69,7 @@ openvpn_base64_encode(const void *data, int size, char **str) } q = (const unsigned char *) data; i = 0; - for (i = 0; i < size; ) - { + for (i = 0; i < size; ) { c = q[i++]; c *= 256; if (i < size) @@ -108,12 +107,10 @@ pos(char c) { char *p; for (p = base64_chars; *p; p++) - { if (*p == c) { return p - base64_chars; } - } return -1; } @@ -129,8 +126,7 @@ token_decode(const char *token) { return DECODE_ERROR; } - for (i = 0; i < 4; i++) - { + for (i = 0; i < 4; i++) { val *= 64; if (token[i] == '=') { @@ -168,8 +164,7 @@ openvpn_base64_decode(const char *str, void *data, int size) { e = q + size; } - for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) - { + for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) { unsigned int val = token_decode(p); unsigned int marker = (val >> 24) & 0xff; if (val == DECODE_ERROR) diff --git a/src/openvpn/basic.h b/src/openvpn/basic.h index 3aa69ca..dac6f01 100644 --- a/src/openvpn/basic.h +++ b/src/openvpn/basic.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef BASIC_H diff --git a/src/openvpn/block_dns.c b/src/openvpn/block_dns.c index d43cbcf..e31765e 100644 --- a/src/openvpn/block_dns.c +++ b/src/openvpn/block_dns.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -109,9 +110,6 @@ DEFINE_GUID( static WCHAR *FIREWALL_NAME = L"OpenVPN"; -VOID NETIOAPI_API_ -InitializeIpInterfaceEntry(PMIB_IPINTERFACE_ROW Row); - /* * Default msg handler does nothing */ @@ -343,79 +341,4 @@ delete_block_dns_filters(HANDLE engine_handle) return err; } -/* - * Returns interface metric value for specified interface index. - * - * Arguments: - * index : The index of TAP adapter. - * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6). - * Returns positive metric value or zero for automatic metric on success, - * a less then zero error code on failure. - */ - -int -get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family) -{ - DWORD err = 0; - MIB_IPINTERFACE_ROW ipiface; - InitializeIpInterfaceEntry(&ipiface); - ipiface.Family = family; - ipiface.InterfaceIndex = index; - err = GetIpInterfaceEntry(&ipiface); - if (err == NO_ERROR) - { - if (ipiface.UseAutomaticMetric) - { - return 0; - } - return ipiface.Metric; - } - return -err; -} - -/* - * Sets interface metric value for specified interface index. - * - * Arguments: - * index : The index of TAP adapter. - * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6). - * metric : Metric value. 0 for automatic metric. - * Returns 0 on success, a non-zero status code of the last failed action on failure. - */ - -DWORD -set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, - const ULONG metric) -{ - DWORD err = 0; - MIB_IPINTERFACE_ROW ipiface; - InitializeIpInterfaceEntry(&ipiface); - ipiface.Family = family; - ipiface.InterfaceIndex = index; - err = GetIpInterfaceEntry(&ipiface); - if (err == NO_ERROR) - { - if (family == AF_INET) - { - /* required for IPv4 as per MSDN */ - ipiface.SitePrefixLength = 0; - } - ipiface.Metric = metric; - if (metric == 0) - { - ipiface.UseAutomaticMetric = TRUE; - } - else - { - ipiface.UseAutomaticMetric = FALSE; - } - err = SetIpInterfaceEntry(&ipiface); - if (err == NO_ERROR) - { - return 0; - } - } - return err; -} - #endif /* ifdef _WIN32 */ diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h index c4b6693..a7dadc4 100644 --- a/src/openvpn/block_dns.h +++ b/src/openvpn/block_dns.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef _WIN32 @@ -26,9 +27,6 @@ #ifndef OPENVPN_BLOCK_DNS_H #define OPENVPN_BLOCK_DNS_H -/* Any value less than 5 should work fine. 3 is choosen without any real reason. */ -#define BLOCK_DNS_IFACE_METRIC 3 - typedef void (*block_dns_msg_handler_t) (DWORD err, const char *msg); DWORD @@ -38,32 +36,5 @@ DWORD add_block_dns_filters(HANDLE *engine, int iface_index, const WCHAR *exe_path, block_dns_msg_handler_t msg_handler_callback); -/** - * Returns interface metric value for specified interface index. - * - * @param index The index of TAP adapter - * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6) - * - * @return positive metric value or zero for automatic metric on success, - * a less then zero error code on failure. - */ - -int -get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family); - -/** - * Sets interface metric value for specified interface index. - * - * @param index The index of TAP adapter - * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6) - * @param metric Metric value. 0 for automatic metric - * - * @return 0 on success, a non-zero status code of the last failed action on failure. - */ - -DWORD -set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, - const ULONG metric); - #endif #endif diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 87e27ec..2defd18 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -442,9 +443,7 @@ gc_transfer(struct gc_arena *dest, struct gc_arena *src) if (e) { while (e->next != NULL) - { e = e->next; - } e->next = dest->list; dest->list = src->list; src->list = NULL; @@ -600,8 +599,7 @@ void rm_trailing_chars(char *str, const char *what_to_delete) { bool modified; - do - { + do { const int len = strlen(str); modified = false; if (len > 0) @@ -684,9 +682,7 @@ string_array_len(const char **array) if (array) { while (array[i]) - { ++i; - } } return i; } @@ -1324,9 +1320,7 @@ buffer_list_file(const char *fn, int max_line_len) { bl = buffer_list_new(0); while (fgets(line, max_line_len, fp) != NULL) - { buffer_list_push(bl, (unsigned char *)line); - } free(line); } fclose(fp); diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 8bc4428..28b224e 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef BUFFER_H @@ -403,9 +404,7 @@ secure_memzero(void *data, size_t len) #else volatile char *p = (volatile char *) data; while (len--) - { *p++ = 0; - } #endif } diff --git a/src/openvpn/circ_list.h b/src/openvpn/circ_list.h index 386e18d..ecf2a7f 100644 --- a/src/openvpn/circ_list.h +++ b/src/openvpn/circ_list.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef CIRC_LIST_H diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c index 633cec6..9158437 100644 --- a/src/openvpn/clinat.c +++ b/src/openvpn/clinat.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h index e0cfad5..cdaf2a8 100644 --- a/src/openvpn/clinat.h +++ b/src/openvpn/clinat.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #if !defined(CLINAT_H) diff --git a/src/openvpn/common.h b/src/openvpn/common.h index bb08c01..cd988d4 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef COMMON_H diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index 6e40c32..fa65f87 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -315,7 +316,6 @@ const struct compress_alg lz4v2_alg = { #else /* if defined(ENABLE_LZ4) */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_LZ4 */ diff --git a/src/openvpn/comp-lz4.h b/src/openvpn/comp-lz4.h index c256ba5..8621e93 100644 --- a/src/openvpn/comp-lz4.h +++ b/src/openvpn/comp-lz4.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OPENVPN_COMP_LZ4_H diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 4cda7e5..0182a7c 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h index e56fd2b..3c0b18e 100644 --- a/src/openvpn/comp.h +++ b/src/openvpn/comp.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/compstub.c b/src/openvpn/compstub.c index ca90924..5070c82 100644 --- a/src/openvpn/compstub.c +++ b/src/openvpn/compstub.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -178,7 +179,6 @@ const struct compress_alg comp_stub_alg = { #else /* if defined(USE_COMP) */ static void -dummy(void) -{ +dummy(void) { } #endif /* USE_STUB */ diff --git a/src/openvpn/console.c b/src/openvpn/console.c index eb6944d..90c8a94 100644 --- a/src/openvpn/console.c +++ b/src/openvpn/console.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -48,8 +49,7 @@ query_user_clear() { int i; - for (i = 0; i < QUERY_USER_NUMSLOTS; i++) - { + for (i = 0; i < QUERY_USER_NUMSLOTS; i++) { CLEAR(query_user[i]); } } @@ -68,8 +68,7 @@ query_user_add(char *prompt, size_t prompt_len, ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL ); /* Seek to the last unused slot */ - for (i = 0; i < QUERY_USER_NUMSLOTS; i++) - { + for (i = 0; i < QUERY_USER_NUMSLOTS; i++) { if (query_user[i].prompt == NULL) { break; diff --git a/src/openvpn/console.h b/src/openvpn/console.h index aa51e6f..2c7f3e9 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -18,10 +18,11 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ #ifndef CONSOLE_H #define CONSOLE_H diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c index 7b95da9..13b9d7e 100644 --- a/src/openvpn/console_builtin.c +++ b/src/openvpn/console_builtin.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c index 8cee8c8..1c0aa4c 100644 --- a/src/openvpn/console_systemd.c +++ b/src/openvpn/console_systemd.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5f482d0..0dba7ca 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -64,8 +65,7 @@ static void openvpn_encrypt_aead(struct buffer *buf, struct buffer work, - struct crypto_options *opt) -{ + struct crypto_options *opt) { #ifdef HAVE_AEAD_CIPHER_MODES struct gc_arena gc; int outlen = 0; @@ -332,8 +332,7 @@ openvpn_encrypt(struct buffer *buf, struct buffer work, bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, - struct gc_arena *gc) -{ + struct gc_arena *gc) { bool ret = false; packet_id_reap_test(&opt->packet_id.rec); if (packet_id_test(&opt->packet_id.rec, pin)) @@ -808,10 +807,7 @@ init_key_type(struct key_type *kt, const char *ciphername, { if (warn) { - msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " - "This means NO encryption will be performed and tunnelled " - "data WILL be transmitted in clear text over the network! " - "PLEASE DO RECONSIDER THIS SETTING!"); + msg(M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used"); } } if (strcmp(authname, "none") != 0) @@ -831,11 +827,7 @@ init_key_type(struct key_type *kt, const char *ciphername, { if (warn) { - msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " - "This means no authentication will be performed on received " - "packets, meaning you CANNOT trust that the data received by " - "the remote side have NOT been manipulated. " - "PLEASE DO RECONSIDER THIS SETTING!"); + msg(M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used"); } } } @@ -851,7 +843,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, if (kt->cipher && kt->cipher_length > 0) { - ctx->cipher = cipher_ctx_new(); + ALLOC_OBJ(ctx->cipher, cipher_ctx_t); cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length, kt->cipher, enc); @@ -875,7 +867,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, } if (kt->digest && kt->hmac_length > 0) { - ctx->hmac = hmac_ctx_new(); + ALLOC_OBJ(ctx->hmac, hmac_ctx_t); hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); msg(D_HANDSHAKE, @@ -900,13 +892,13 @@ free_key_ctx(struct key_ctx *ctx) if (ctx->cipher) { cipher_ctx_cleanup(ctx->cipher); - cipher_ctx_free(ctx->cipher); + free(ctx->cipher); ctx->cipher = NULL; } if (ctx->hmac) { hmac_ctx_cleanup(ctx->hmac); - hmac_ctx_free(ctx->hmac); + free(ctx->hmac); ctx->hmac = NULL; } ctx->implicit_iv_len = 0; @@ -1030,8 +1022,7 @@ generate_key_random(struct key *key, const struct key_type *kt) struct gc_arena gc = gc_new(); - do - { + do { CLEAR(*key); if (kt) { @@ -1807,8 +1798,7 @@ get_random() } static const cipher_name_pair * -get_cipher_name_pair(const char *cipher_name) -{ +get_cipher_name_pair(const char *cipher_name) { const cipher_name_pair *pair; size_t i = 0; @@ -1828,8 +1818,7 @@ get_cipher_name_pair(const char *cipher_name) } const char * -translate_cipher_name_from_openvpn(const char *cipher_name) -{ +translate_cipher_name_from_openvpn(const char *cipher_name) { const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); if (NULL == pair) @@ -1841,8 +1830,7 @@ translate_cipher_name_from_openvpn(const char *cipher_name) } const char * -translate_cipher_name_to_openvpn(const char *cipher_name) -{ +translate_cipher_name_to_openvpn(const char *cipher_name) { const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); if (NULL == pair) diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 8818c01..61e9b59 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -131,9 +132,9 @@ #include "packet_id.h" #include "mtu.h" -/** Wrapper struct to pass around SHA256 digests */ -struct sha256_digest { - uint8_t digest[SHA256_DIGEST_LENGTH]; +/** Wrapper struct to pass around MD5 digests */ +struct md5_digest { + uint8_t digest[MD5_DIGEST_LENGTH]; }; /* @@ -495,8 +496,7 @@ void crypto_read_openvpn_key(const struct key_type *key_type, * Returns 0 when data is equal, non-zero otherwise. */ static inline int -memcmp_constant_time(const void *a, const void *b, size_t size) -{ +memcmp_constant_time(const void *a, const void *b, size_t size) { const uint8_t *a1 = a; const uint8_t *b1 = b; int ret = 0; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index b7f519b..2c79baa 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -46,12 +47,6 @@ /* Maximum HMAC digest size (bytes) */ #define OPENVPN_MAX_HMAC_SIZE 64 -/** Types referencing specific message digest hashing algorithms */ -typedef enum { - MD_SHA1, - MD_SHA256 -} hash_algo_type ; - /** Struct used in cipher name translation table */ typedef struct { const char *openvpn_name; /**< Cipher name used by OpenVPN */ @@ -300,20 +295,6 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); */ /** - * Allocate a new cipher context - * - * @return a new cipher context - */ -cipher_ctx_t *cipher_ctx_new(void); - -/** - * Free a cipher context - * - * @param ctx Cipher context. - */ -void cipher_ctx_free(cipher_ctx_t *ctx); - -/** * Initialise a cipher context, based on the given key and key type. * * @param ctx Cipher context. May not be NULL @@ -521,20 +502,6 @@ int md_kt_size(const md_kt_t *kt); int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst); /* - * Allocate a new message digest context - * - * @return a new zeroed MD context - */ -md_ctx_t *md_ctx_new(void); - -/* - * Free an existing, non-null message digest context - * - * @param ctx Message digest context - */ -void md_ctx_free(md_ctx_t *ctx); - -/* * Initialises the given message digest context. * * @param ctx Message digest context @@ -583,20 +550,6 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst); */ /* - * Create a new HMAC context - * - * @return A new HMAC context - */ -hmac_ctx_t *hmac_ctx_new(void); - -/* - * Free an existing HMAC context - * - * @param ctx HMAC context to free - */ -void hmac_ctx_free(hmac_ctx_t *ctx); - -/* * Initialises the given HMAC context, using the given digest * and key. * diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 24bc315..942684c 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -508,19 +509,6 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) * */ -mbedtls_cipher_context_t * -cipher_ctx_new(void) -{ - mbedtls_cipher_context_t *ctx; - ALLOC_OBJ(ctx, mbedtls_cipher_context_t); - return ctx; -} - -void -cipher_ctx_free(mbedtls_cipher_context_t *ctx) -{ - free(ctx); -} void cipher_ctx_init(mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len, @@ -778,18 +766,6 @@ md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst) return 0 == mbedtls_md(kt, src, src_len, dst); } -mbedtls_md_context_t * -md_ctx_new(void) -{ - mbedtls_md_context_t *ctx; - ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t); - return ctx; -} - -void md_ctx_free(mbedtls_md_context_t *ctx) -{ - free(ctx); -} void md_ctx_init(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt) @@ -840,21 +816,6 @@ md_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst) /* * TODO: re-enable dmsg for crypto debug */ - -mbedtls_md_context_t * -hmac_ctx_new(void) -{ - mbedtls_md_context_t *ctx; - ALLOC_OBJ(ctx, mbedtls_md_context_t); - return ctx; -} - -void -hmac_ctx_free(mbedtls_md_context_t *ctx) -{ - free(ctx); -} - void hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, const mbedtls_md_info_t *kt) diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h index a434ce3..d9b1446 100644 --- a/src/openvpn/crypto_mbedtls.h +++ b/src/openvpn/crypto_mbedtls.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -72,7 +73,6 @@ typedef mbedtls_md_context_t hmac_ctx_t; #define MD4_DIGEST_LENGTH 16 #define MD5_DIGEST_LENGTH 16 #define SHA_DIGEST_LENGTH 20 -#define SHA256_DIGEST_LENGTH 32 #define DES_KEY_LENGTH 8 /** @@ -122,8 +122,7 @@ bool mbed_log_func_line(unsigned int flags, int errval, const char *func, /** Wraps mbed_log_func_line() to prevent function calls for non-errors */ static inline bool mbed_log_func_line_lite(unsigned int flags, int errval, - const char *func, int line) -{ + const char *func, int line) { if (errval) { return mbed_log_func_line(flags, errval, func, line); diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a55e65c..b016d98 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -41,7 +42,6 @@ #include "integer.h" #include "crypto.h" #include "crypto_backend.h" -#include "openssl_compat.h" #include <openssl/des.h> #include <openssl/err.h> @@ -186,14 +186,14 @@ crypto_clear_error(void) } void -crypto_print_openssl_errors(const unsigned int flags) -{ +crypto_print_openssl_errors(const unsigned int flags) { size_t err = 0; while ((err = ERR_get_error())) { /* Be more clear about frequently occurring "no shared cipher" error */ - if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) + if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER)) { msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " "in common with the client. Your --tls-cipher setting might be " @@ -286,7 +286,8 @@ show_available_ciphers() size_t i; /* If we ever exceed this, we must be more selective */ - const EVP_CIPHER *cipher_list[1000]; + const size_t cipher_list_len = 1000; + const EVP_CIPHER *cipher_list[cipher_list_len]; size_t num_ciphers = 0; #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" @@ -311,7 +312,7 @@ show_available_ciphers() { cipher_list[num_ciphers++] = cipher; } - if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) + if (num_ciphers == cipher_list_len) { msg(M_WARN, "WARNING: Too many ciphers, not showing all"); break; @@ -550,10 +551,8 @@ cipher_kt_iv_size(const EVP_CIPHER *cipher_kt) } int -cipher_kt_block_size(const EVP_CIPHER *cipher) -{ - /* - * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work +cipher_kt_block_size(const EVP_CIPHER *cipher) { + /* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work * around that, try to replace the mode with 'CBC' and return the block size * reported for that cipher, if possible. If that doesn't work, just return * the value reported by OpenSSL. @@ -650,19 +649,6 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) * */ -cipher_ctx_t * -cipher_ctx_new(void) -{ - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void -cipher_ctx_free(EVP_CIPHER_CTX *ctx) -{ - EVP_CIPHER_CTX_free(ctx); -} void cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, @@ -670,6 +656,8 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); + CLEAR(*ctx); + EVP_CIPHER_CTX_init(ctx); if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { @@ -681,7 +669,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, crypto_msg(M_FATAL, "EVP set key size"); } #endif - if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) + if (!EVP_CipherInit(ctx, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); } @@ -734,7 +722,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) int cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) { - return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1); + return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1); } int @@ -855,24 +843,13 @@ md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst) return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL); } -EVP_MD_CTX * -md_ctx_new(void) -{ - EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void md_ctx_free(EVP_MD_CTX *ctx) -{ - EVP_MD_CTX_free(ctx); -} - void md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt) { ASSERT(NULL != ctx && NULL != kt); + CLEAR(*ctx); + EVP_MD_CTX_init(ctx); EVP_DigestInit(ctx, kt); } @@ -880,7 +857,7 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt) void md_ctx_cleanup(EVP_MD_CTX *ctx) { - EVP_MD_CTX_reset(ctx); + EVP_MD_CTX_cleanup(ctx); } int @@ -910,19 +887,6 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) * */ -HMAC_CTX * -hmac_ctx_new(void) -{ - HMAC_CTX *ctx = HMAC_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void -hmac_ctx_free(HMAC_CTX *ctx) -{ - HMAC_CTX_free(ctx); -} void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -930,6 +894,8 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); + CLEAR(*ctx); + HMAC_CTX_init(ctx); HMAC_Init_ex(ctx, key, key_len, kt, NULL); @@ -940,7 +906,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, void hmac_ctx_cleanup(HMAC_CTX *ctx) { - HMAC_CTX_reset(ctx); + HMAC_CTX_cleanup(ctx); } int diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 60a2812..56ec6e1 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -32,7 +33,6 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/md5.h> -#include <openssl/sha.h> /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index d90cc5d..69a5a32 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -281,9 +281,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i } /* and now, we have to reverse the byte-order in the result from CryptSignHash()... */ for (i = 0; i < len; i++) - { to[i] = buf[len - i - 1]; - } free(buf); CryptDestroyHash(hash); @@ -391,9 +389,7 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) } hash[i] = x; /* skip any space(s) between hex numbers */ - for (p++; *p && *p == ' '; p++) - { - } + for (p++; *p && *p == ' '; p++) ; } blob.cbData = i; blob.pbData = (unsigned char *) &hash; @@ -551,8 +547,7 @@ err: #else /* ifdef ENABLE_CRYPTOAPI */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void -dummy(void) -{ +dummy(void) { } #endif #endif /* _WIN32 */ diff --git a/src/openvpn/dhcp.c b/src/openvpn/dhcp.c index a2a5454..c17a22e 100644 --- a/src/openvpn/dhcp.c +++ b/src/openvpn/dhcp.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -159,20 +160,17 @@ udp_checksum(const uint8_t *buf, /* make 16 bit words out of every two adjacent 8 bit words and */ /* calculate the sum of all 16 bit words */ - for (i = 0; i < len_udp; i += 2) - { + for (i = 0; i < len_udp; i += 2) { word16 = ((buf[i] << 8) & 0xFF00) + ((i + 1 < len_udp) ? (buf[i+1] & 0xFF) : 0); sum += word16; } /* add the UDP pseudo header which contains the IP source and destination addresses */ - for (i = 0; i < 4; i += 2) - { + for (i = 0; i < 4; i += 2) { word16 = ((src_addr[i] << 8) & 0xFF00) + (src_addr[i+1] & 0xFF); sum += word16; } - for (i = 0; i < 4; i += 2) - { + for (i = 0; i < 4; i += 2) { word16 = ((dest_addr[i] << 8) & 0xFF00) + (dest_addr[i+1] & 0xFF); sum += word16; } @@ -182,9 +180,7 @@ udp_checksum(const uint8_t *buf, /* keep only the last 16 bits of the 32 bit calculated sum and add the carries */ while (sum >> 16) - { sum = (sum & 0xFFFF) + (sum >> 16); - } /* Take the one's complement of sum */ return ((uint16_t) ~sum); diff --git a/src/openvpn/dhcp.h b/src/openvpn/dhcp.h index dc41658..d406870 100644 --- a/src/openvpn/dhcp.h +++ b/src/openvpn/dhcp.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef DHCP_H diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 5bb043b..c4dd518 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef ERRLEVEL_H diff --git a/src/openvpn/error.c b/src/openvpn/error.c index ce50ff9..e78f272 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -835,8 +836,7 @@ strerror_win32(DWORD errnum, struct gc_arena *gc) * Posix equivalents. */ #if 1 - switch (errnum) - { + switch (errnum) { /* * When the TAP-Windows driver returns STATUS_UNSUCCESSFUL, this code * gets returned to user space. diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 14ef7e6..df4eee7 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef ERROR_H @@ -393,8 +394,7 @@ ignore_sys_error(const int err) /** Convert fatal errors to nonfatal, don't touch other errors */ static inline unsigned int -nonfatal(const unsigned int err) -{ +nonfatal(const unsigned int err) { return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err; } diff --git a/src/openvpn/event.c b/src/openvpn/event.c index d123070..f4922e0 100644 --- a/src/openvpn/event.c +++ b/src/openvpn/event.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -393,13 +394,11 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return { int i; for (i = 0; i < wes->n_events; ++i) - { dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format, i, wes->events[i], wes->esr[i].rwflags, (ptr_type)wes->esr[i].arg); - } } #endif @@ -923,9 +922,7 @@ se_reset(struct event_set *es) FD_ZERO(&ses->readfds); FD_ZERO(&ses->writefds); for (i = 0; i <= ses->maxfd; ++i) - { ses->args[i] = NULL; - } ses->maxfd = -1; } diff --git a/src/openvpn/event.h b/src/openvpn/event.h index ff795f4..6a6e029 100644 --- a/src/openvpn/event.h +++ b/src/openvpn/event.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef EVENT_H diff --git a/src/openvpn/fdmisc.c b/src/openvpn/fdmisc.c index 56e2250..401069d 100644 --- a/src/openvpn/fdmisc.c +++ b/src/openvpn/fdmisc.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/fdmisc.h b/src/openvpn/fdmisc.h index b6d7101..1e84a08 100644 --- a/src/openvpn/fdmisc.h +++ b/src/openvpn/fdmisc.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FD_MISC_H diff --git a/src/openvpn/forward-inline.h b/src/openvpn/forward-inline.h index ab83ea4..97e1cd6 100644 --- a/src/openvpn/forward-inline.h +++ b/src/openvpn/forward-inline.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FORWARD_INLINE_H diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 371ddca..2f3f3c5 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 9fde5a3..ae86e7a 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c index 38de62f..6fbfe08 100644 --- a/src/openvpn/fragment.c +++ b/src/openvpn/fragment.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -43,9 +44,7 @@ fragment_list_buf_init(struct fragment_list *list, const struct frame *frame) { int i; for (i = 0; i < N_FRAG_BUF; ++i) - { list->fragments[i].buf = alloc_buf(BUF_SIZE(frame)); - } } static void @@ -53,9 +52,7 @@ fragment_list_buf_free(struct fragment_list *list) { int i; for (i = 0; i < N_FRAG_BUF; ++i) - { free_buf(&list->fragments[i].buf); - } } /* @@ -70,9 +67,7 @@ fragment_list_get_buf(struct fragment_list *list, int seq_id) { int i; for (i = 0; i < N_FRAG_BUF; ++i) - { list->fragments[i].defined = false; - } list->index = 0; list->seq_id = seq_id; diff = 0; @@ -438,7 +433,6 @@ fragment_wakeup(struct fragment_master *f, struct frame *frame) #else /* ifdef ENABLE_FRAGMENT */ static void -dummy(void) -{ +dummy(void) { } #endif /* ifdef ENABLE_FRAGMENT */ diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h index 90ba8f7..a24b524 100644 --- a/src/openvpn/fragment.h +++ b/src/openvpn/fragment.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef FRAGMENT_H diff --git a/src/openvpn/gremlin.c b/src/openvpn/gremlin.c index e85ce9c..5bff5e8 100644 --- a/src/openvpn/gremlin.c +++ b/src/openvpn/gremlin.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -94,8 +95,7 @@ get_packet_flood_parms(int level) * Return true with probability 1/n */ static bool -flip(int n) -{ +flip(int n) { return (get_random() % n) == 0; } @@ -104,8 +104,7 @@ flip(int n) * low and high. */ static int -roll(int low, int high) -{ +roll(int low, int high) { int ret; ASSERT(low <= high); ret = low + (get_random() % (high - low + 1)); @@ -182,8 +181,7 @@ ask_gremlin(int flags) * Possibly corrupt a packet. */ void -corrupt_gremlin(struct buffer *buf, int flags) -{ +corrupt_gremlin(struct buffer *buf, int flags) { const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags); if (corrupt_level) { @@ -196,8 +194,7 @@ corrupt_gremlin(struct buffer *buf, int flags) uint8_t r = roll(0, 255); int method = roll(0, 5); - switch (method) - { + switch (method) { case 0: /* corrupt the first byte */ *BPTR(buf) = r; break; @@ -235,7 +232,6 @@ corrupt_gremlin(struct buffer *buf, int flags) #else /* ifdef ENABLE_DEBUG */ static void -dummy(void) -{ +dummy(void) { } #endif /* ifdef ENABLE_DEBUG */ diff --git a/src/openvpn/gremlin.h b/src/openvpn/gremlin.h index 8b23b34..8f41864 100644 --- a/src/openvpn/gremlin.h +++ b/src/openvpn/gremlin.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef GREMLIN_H diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 17d1528..adcc4f8 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/helper.h b/src/openvpn/helper.h index c5b438b..593d1ed 100644 --- a/src/openvpn/helper.h +++ b/src/openvpn/helper.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c index c553f93..01301c0 100644 --- a/src/openvpn/httpdigest.c +++ b/src/openvpn/httpdigest.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -43,8 +44,7 @@ CvtHex( unsigned short i; unsigned char j; - for (i = 0; i < HASHLEN; i++) - { + for (i = 0; i < HASHLEN; i++) { j = (Bin[i] >> 4) & 0xf; if (j <= 9) { @@ -80,28 +80,27 @@ DigestCalcHA1( ) { HASH HA1; - md_ctx_t *md5_ctx = md_ctx_new(); + md_ctx_t md5_ctx; const md_kt_t *md5_kt = md_kt_get("MD5"); - md_ctx_init(md5_ctx, md5_kt); - md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword)); - md_ctx_final(md5_ctx, HA1); + md_ctx_init(&md5_ctx, md5_kt); + md_ctx_update(&md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword)); + md_ctx_final(&md5_ctx, HA1); if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0) { - md_ctx_init(md5_ctx, md5_kt); - md_ctx_update(md5_ctx, HA1, HASHLEN); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); - md_ctx_final(md5_ctx, HA1); + md_ctx_init(&md5_ctx, md5_kt); + md_ctx_update(&md5_ctx, HA1, HASHLEN); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); + md_ctx_final(&md5_ctx, HA1); } - md_ctx_cleanup(md5_ctx); - md_ctx_free(md5_ctx); + md_ctx_cleanup(&md5_ctx); CvtHex(HA1, SessionKey); } @@ -123,41 +122,40 @@ DigestCalcResponse( HASH RespHash; HASHHEX HA2Hex; - md_ctx_t *md5_ctx = md_ctx_new(); + md_ctx_t md5_ctx; const md_kt_t *md5_kt = md_kt_get("MD5"); /* calculate H(A2) */ - md_ctx_init(md5_ctx, md5_kt); - md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri)); + md_ctx_init(&md5_ctx, md5_kt); + md_ctx_update(&md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri)); if (strcasecmp(pszQop, "auth-int") == 0) { - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, HEntity, HASHHEXLEN); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, HEntity, HASHHEXLEN); } - md_ctx_final(md5_ctx, HA2); + md_ctx_final(&md5_ctx, HA2); CvtHex(HA2, HA2Hex); /* calculate response */ - md_ctx_init(md5_ctx, md5_kt); - md_ctx_update(md5_ctx, HA1, HASHHEXLEN); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); + md_ctx_init(&md5_ctx, md5_kt); + md_ctx_update(&md5_ctx, HA1, HASHHEXLEN); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); if (*pszQop) { - md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); - md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop)); - md_ctx_update(md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); + md_ctx_update(&md5_ctx, (const uint8_t *) pszQop, strlen(pszQop)); + md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1); } - md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN); - md_ctx_final(md5_ctx, RespHash); - md_ctx_cleanup(md5_ctx); - md_ctx_free(md5_ctx); + md_ctx_update(&md5_ctx, HA2Hex, HASHHEXLEN); + md_ctx_final(&md5_ctx, RespHash); + md_ctx_cleanup(&md5_ctx); CvtHex(RespHash, Response); } diff --git a/src/openvpn/httpdigest.h b/src/openvpn/httpdigest.h index aae7b8c..b074fb2 100644 --- a/src/openvpn/httpdigest.h +++ b/src/openvpn/httpdigest.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #if PROXY_DIGEST_AUTH diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0652ef4..cf4a64c 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -251,42 +252,31 @@ ce_management_query_remote(struct context *c) { struct gc_arena gc = gc_new(); volatile struct connection_entry *ce = &c->options.ce; - int ce_changed = true; /* presume the connection entry will be changed */ - + int ret = true; update_time(); if (management) { struct buffer out = alloc_buf_gc(256, &gc); - - buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, - proto2ascii(ce->proto, ce->af, false)); + buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false)); management_notify_generic(management, BSTR(&out)); - - ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); - ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); - while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) - & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) + ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT); + ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT); + while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY) { management_event_loop_n_seconds(management, 1); if (IS_SIG(c)) { - ce_changed = false; /* connection entry have not been set */ + ret = false; break; } } } - gc_free(&gc); - - if (ce_changed) { - /* If it is likely a connection entry was modified, - * check what changed in the flags and that it was not skipped - */ - const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT) - & CE_MAN_QUERY_REMOTE_MASK); - ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP); + const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK); + ret = (flags != CE_MAN_QUERY_REMOTE_SKIP); } - return ce_changed; + gc_free(&gc); + return ret; } #endif /* ENABLE_MANAGEMENT */ @@ -341,8 +331,7 @@ next_connection_entry(struct context *c) struct connection_entry *ce; int n_cycles = 0; - do - { + do { ce_defined = true; if (c->options.no_advance && l->current >= 0) { @@ -414,7 +403,11 @@ next_connection_entry(struct context *c) break; } } - else if (ce_defined && management && management_query_proxy_enabled(management)) + else +#endif + +#ifdef ENABLE_MANAGEMENT + if (ce_defined && management && management_query_proxy_enabled(management)) { ce_defined = ce_management_query_proxy(c); if (IS_SIG(c)) @@ -540,10 +533,8 @@ context_init_1(struct context *c) int i; pkcs11_initialize(true, c->options.pkcs11_pin_cache_period); for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++) - { pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i], c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]); - } } #endif @@ -561,15 +552,6 @@ context_init_1(struct context *c) } #endif -#ifdef ENABLE_SYSTEMD - /* We can report the PID via getpid() to systemd here as OpenVPN will not - * do any fork due to daemon() a future call. - * See possibly_become_daemon() [init.c] for more details. - */ - sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu", - (unsigned long) getpid()); -#endif - } void @@ -632,9 +614,7 @@ init_static(void) { int i; for (i = 0; i < argc; ++i) - { msg(M_INFO, "argv[%d] = '%s'", i, argv[i]); - } } #endif @@ -780,9 +760,7 @@ init_static(void) { int i; for (i = 0; i < SIZE(text); ++i) - { buffer_list_push(bl, (unsigned char *)text[i]); - } } printf("[cap=%d i=%d] *************************\n", listcap, iter); if (!(iter & 8)) @@ -805,9 +783,7 @@ init_static(void) int c; printf("'"); while ((c = buf_read_u8(buf)) >= 0) - { putchar(c); - } printf("'\n"); buffer_list_advance(bl, 0); } @@ -1050,6 +1026,24 @@ do_uid_gid_chroot(struct context *c, bool no_delay) { if (no_delay) { +#ifdef ENABLE_SYSTEMD + /* If OpenVPN is started by systemd, the OpenVPN process needs + * to provide a preliminary status report to systemd. This is + * needed as $NOTIFY_SOCKET will not be available inside the + * chroot, which sd_notify()/sd_notifyf() depends on. + * + * This approach is the simplest and the most non-intrusive + * solution right before the 2.4_rc2 release. + * + * TODO: Consider altnernative solutions - bind mount? + * systemd does not grok OpenVPN configuration files, thus cannot + * have a sane way to know if OpenVPN will chroot or not and to + * which subdirectory it will chroot into. + */ + sd_notifyf(0, "READY=1\n" + "STATUS=Entering chroot, most of the init completed successfully\n" + "MAINPID=%lu", (unsigned long) getpid()); +#endif platform_chroot(c->options.chroot_dir); } else if (c->first_time) @@ -1382,21 +1376,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot(c, true); - -#ifdef ENABLE_CRYPTO - /* - * In some cases (i.e. when receiving auth-token via - * push-reply) the auth-nocache option configured on the - * client is overridden; for this reason we have to wait - * for the push-reply message before attempting to wipe - * the user/pass entered by the user - */ - if (c->options.mode == MODE_POINT_TO_POINT) - { - delayed_auth_pass_purge(); - } -#endif /* ENABLE_CRYPTO */ - /* Test if errors */ if (flags & ISC_ERRORS) { @@ -1414,7 +1393,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) else { #ifdef ENABLE_SYSTEMD - sd_notifyf(0, "STATUS=%s", message); + sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid()); #endif msg(M_INFO, "%s", message); } @@ -1851,7 +1830,7 @@ do_close_tun(struct context *c, bool force) #if defined(_WIN32) if (c->options.block_outside_dns) { - if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) + if (!win_wfp_uninit(c->options.msg_channel)) { msg(M_FATAL, "Uninitialising WFP failed!"); } @@ -1891,7 +1870,7 @@ do_close_tun(struct context *c, bool force) #if defined(_WIN32) if (c->options.block_outside_dns) { - if (!win_wfp_uninit(adapter_index, c->options.msg_channel)) + if (!win_wfp_uninit(c->options.msg_channel)) { msg(M_FATAL, "Uninitialising WFP failed!"); } @@ -1924,12 +1903,12 @@ tun_abort() * equal, or either one is all-zeroes. */ static bool -options_hash_changed_or_zero(const struct sha256_digest *a, - const struct sha256_digest *b) +options_hash_changed_or_zero(const struct md5_digest *a, + const struct md5_digest *b) { - const struct sha256_digest zero = {{0}}; - return memcmp(a, b, sizeof(struct sha256_digest)) - || !memcmp(a, &zero, sizeof(struct sha256_digest)); + const struct md5_digest zero = {{0}}; + return memcmp(a, b, sizeof(struct md5_digest)) + || !memcmp(a, &zero, sizeof(struct md5_digest)); } #endif /* P2MP */ @@ -1940,7 +1919,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) { reset_coarse_timers(c); - if (pulled_options) + if (pulled_options && option_types_found) { if (!do_deferred_options(c, option_types_found)) { @@ -2646,7 +2625,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku)); to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; - to.verify_hash_algo = options->verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME to.x509_username_field = (char *) options->x509_username_field; #else @@ -2774,10 +2752,7 @@ do_init_crypto_none(const struct context *c) { ASSERT(!c->options.test_crypto); msg(M_WARN, - "******* WARNING *******: All encryption and authentication features " - "disabled -- All data will be tunnelled as clear text and will not be " - "protected against man-in-the-middle changes. " - "PLEASE DO RECONSIDER THIS CONFIGURATION!"); + "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext"); } #endif /* ifdef ENABLE_CRYPTO */ @@ -3022,10 +2997,6 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."); } - if (o->ns_cert_type) - { - msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead."); - } #endif /* ifdef ENABLE_CRYPTO */ /* If a script is used, print appropiate warnings */ diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 15feb67..3b97d84 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INIT_H diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index 240781b..bae8f16 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef INTEGER_H diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c index 1634386..99e72a0 100644 --- a/src/openvpn/interval.c +++ b/src/openvpn/interval.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h index 8095c0b..5ed64a9 100644 --- a/src/openvpn/interval.h +++ b/src/openvpn/interval.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -105,8 +106,7 @@ interval_schedule_wakeup(struct interval *top, interval_t *wakeup) * In wakeup seconds, interval_test will return true once. */ static inline void -interval_future_trigger(struct interval *top, interval_t wakeup) -{ +interval_future_trigger(struct interval *top, interval_t wakeup) { if (wakeup) { #if INTERVAL_DEBUG diff --git a/src/openvpn/list.c b/src/openvpn/list.c index edca6f7..fb9f664 100644 --- a/src/openvpn/list.c +++ b/src/openvpn/list.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -475,8 +476,7 @@ list_test(void) int inc = 0; int count = 0; - for (base = 0; base < hash_n_buckets(hash); base += inc) - { + for (base = 0; base < hash_n_buckets(hash); base += inc) { struct hash_iterator hi; struct hash_element *he; inc = (get_random() % 3) + 1; @@ -670,7 +670,6 @@ hash_func(const uint8_t *k, uint32_t length, uint32_t initval) #else /* if P2MP_SERVER */ static void -dummy(void) -{ +dummy(void) { } #endif /* P2MP_SERVER */ diff --git a/src/openvpn/list.h b/src/openvpn/list.h index c808efa..6270f88 100644 --- a/src/openvpn/list.h +++ b/src/openvpn/list.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef LIST_H diff --git a/src/openvpn/lladdr.c b/src/openvpn/lladdr.c index ff71e48..dce05ad 100644 --- a/src/openvpn/lladdr.c +++ b/src/openvpn/lladdr.c @@ -50,7 +50,7 @@ set_lladdr(const char *ifname, const char *lladdr, "%s %s lladdr %s", IFCONFIG_PATH, ifname, lladdr); -#elif defined(TARGET_FREEBSD) +#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__) argv_printf(&argv, "%s %s ether %s", IFCONFIG_PATH, diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c index f754865..3d6891e 100644 --- a/src/openvpn/lzo.c +++ b/src/openvpn/lzo.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -266,7 +267,6 @@ const struct compress_alg lzo_alg = { #else /* if defined(ENABLE_LZO) */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_LZO */ diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h index deaeb8d..85937b2 100644 --- a/src/openvpn/lzo.h +++ b/src/openvpn/lzo.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OPENVPN_LZO_H diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index c2e8dc7..763f6c6 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -1983,9 +1984,7 @@ man_process_command(struct management *man, const char *line) { int i; for (i = 0; i < nparms; ++i) - { msg(M_INFO, "[%d] '%s'", i, parms[i]); - } } #endif @@ -3089,8 +3088,7 @@ management_io(struct management *man) if (net_events & FD_READ) { while (man_read(man) > 0) - { - } + ; net_event_win32_clear_selected_events(&man->connection.ne32, FD_READ); } @@ -3313,8 +3311,7 @@ man_wait_for_client_connection(struct management *man, { msg(D_MANAGEMENT, "Need information from management interface, waiting..."); } - do - { + do { man_standalone_event_loop(man, signal_received, expire); if (signal_received && *signal_received) { @@ -3932,9 +3929,7 @@ log_history_free_contents(struct log_history *h) { int i; for (i = 0; i < h->size; ++i) - { log_entry_free_contents(&h->array[log_index(h, i)]); - } free(h->array); } @@ -3978,9 +3973,7 @@ log_history_resize(struct log_history *h, const int capacity) log_history_obj_init(&newlog, capacity); for (i = 0; i < h->size; ++i) - { log_history_add(&newlog, &h->array[log_index(h, i)]); - } log_history_free_contents(h); *h = newlog; @@ -4002,7 +3995,6 @@ log_history_ref(const struct log_history *h, const int index) #else /* ifdef ENABLE_MANAGEMENT */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_MANAGEMENT */ diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 542cc07..6e5cb9b 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MANAGE_H diff --git a/src/openvpn/mbuf.c b/src/openvpn/mbuf.c index fafbce0..7a23e59 100644 --- a/src/openvpn/mbuf.c +++ b/src/openvpn/mbuf.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -173,7 +174,6 @@ mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi) #else /* if P2MP */ static void -dummy(void) -{ +dummy(void) { } #endif /* P2MP */ diff --git a/src/openvpn/mbuf.h b/src/openvpn/mbuf.h index e0643de..cfaef58 100644 --- a/src/openvpn/mbuf.h +++ b/src/openvpn/mbuf.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MBUF_H diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h index 0ba695f..ee30b15 100644 --- a/src/openvpn/memdbg.h +++ b/src/openvpn/memdbg.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MEMDBG_H diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index fbd9938..87f03be 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -649,8 +650,7 @@ const char * env_set_get(const struct env_set *es, const char *name) { const struct env_item *item = es->list; - while (item && !env_string_equal(item->string, name)) - { + while (item && !env_string_equal(item->string, name)) { item = item->next; } return item ? item->string : NULL; @@ -700,6 +700,57 @@ env_set_inherit(struct env_set *es, const struct env_set *src) } } +void +env_set_add_to_environment(const struct env_set *es) +{ + if (es) + { + struct gc_arena gc = gc_new(); + const struct env_item *e; + + e = es->list; + + while (e) + { + const char *name; + const char *value; + + if (deconstruct_name_value(e->string, &name, &value, &gc)) + { + setenv_str(NULL, name, value); + } + + e = e->next; + } + gc_free(&gc); + } +} + +void +env_set_remove_from_environment(const struct env_set *es) +{ + if (es) + { + struct gc_arena gc = gc_new(); + const struct env_item *e; + + e = es->list; + + while (e) + { + const char *name; + const char *value; + + if (deconstruct_name_value(e->string, &name, &value, &gc)) + { + setenv_del(NULL, name); + } + + e = e->next; + } + gc_free(&gc); + } +} /* add/modify/delete environmental strings */ @@ -1387,7 +1438,7 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag) static const uint8_t hashprefix[] = "AUTO_USERID_DIGEST"; const md_kt_t *md5_kt = md_kt_get("MD5"); - md_ctx_t *ctx; + md_ctx_t ctx; CLEAR(*up); buf_set_write(&buf, (uint8_t *)up->username, USER_PASS_LEN); @@ -1395,13 +1446,11 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag) if (get_default_gateway_mac_addr(macaddr)) { dmsg(D_AUTO_USERID, "GUPAU: macaddr=%s", format_hex_ex(macaddr, sizeof(macaddr), 0, 1, ":", &gc)); - ctx = md_ctx_new(); - md_ctx_init(ctx, md5_kt); - md_ctx_update(ctx, hashprefix, sizeof(hashprefix) - 1); - md_ctx_update(ctx, macaddr, sizeof(macaddr)); - md_ctx_final(ctx, digest); - md_ctx_cleanup(ctx); - md_ctx_free(ctx); + md_ctx_init(&ctx, md5_kt); + md_ctx_update(&ctx, hashprefix, sizeof(hashprefix) - 1); + md_ctx_update(&ctx, macaddr, sizeof(macaddr)); + md_ctx_final(&ctx, digest); + md_ctx_cleanup(&ctx) buf_printf(&buf, "%s", format_hex_ex(digest, sizeof(digest), 0, 256, " ", &gc)); } else @@ -1430,11 +1479,7 @@ purge_user_pass(struct user_pass *up, const bool force) secure_memzero(up, sizeof(*up)); up->nocache = nocache; } - /* - * don't show warning if the pass has been replaced by a token: this is an - * artificial "auth-nocache" - */ - else if (!warn_shown && (!up->tokenized)) + else if (!warn_shown) { msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"); warn_shown = true; @@ -1448,7 +1493,6 @@ set_auth_token(struct user_pass *up, const char *token) { CLEAR(up->password); strncpynt(up->password, token, USER_PASS_LEN); - up->tokenized = true; } } @@ -1503,9 +1547,7 @@ make_env_array(const struct env_set *es, if (es) { for (e = es->list; e != NULL; e = e->next) - { ++n; - } } /* alloc return array */ @@ -1567,9 +1609,7 @@ make_inline_array(const char *str, struct gc_arena *gc) buf_set_read(&buf, (const uint8_t *) str, strlen(str)); while (buf_parse(&buf, '\n', line, sizeof(line))) - { ++len; - } /* alloc return array */ ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc); @@ -1599,9 +1639,7 @@ make_arg_copy(char **p, struct gc_arena *gc) ALLOC_ARRAY_CLEAR_GC(ret, char *, max_parms, gc); for (i = 0; i < len; ++i) - { ret[i] = p[i]; - } return (const char **)ret; } diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index ce96549..16be621 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MISC_H @@ -160,6 +161,10 @@ void env_set_print(int msglevel, const struct env_set *es); void env_set_inherit(struct env_set *es, const struct env_set *src); +void env_set_add_to_environment(const struct env_set *es); + +void env_set_remove_from_environment(const struct env_set *es); + /* Make arrays of strings */ const char **make_env_array(const struct env_set *es, @@ -201,8 +206,6 @@ struct user_pass { bool defined; bool nocache; - bool tokenized; /* true if password has been substituted by a token */ - bool wait_for_push; /* true if this object is waiting for a push-reply */ /* max length of username/password */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c index 7b46a6a..8b466b6 100644 --- a/src/openvpn/mroute.c +++ b/src/openvpn/mroute.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -561,7 +562,6 @@ mroute_helper_free(struct mroute_helper *mh) #else /* if P2MP_SERVER */ static void -dummy(void) -{ +dummy(void) { } #endif /* P2MP_SERVER */ diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h index e57a950..0698348 100644 --- a/src/openvpn/mroute.h +++ b/src/openvpn/mroute.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MROUTE_H diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index c36e004..5b110d2 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -119,12 +120,8 @@ mss_fixup_ipv6(struct buffer *buf, int maxmss) return; } - /* skip IPv6 header (40 bytes), - * verify remainder is large enough to contain a full TCP header - */ newbuf = *buf; - if (buf_advance( &newbuf, 40 ) - && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr)) + if (buf_advance( &newbuf, 40 ) ) { struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) @@ -148,10 +145,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) int accumulate; struct openvpn_tcphdr *tc; - if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr)) - { - return; - } + ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr)); verify_align_4(buf); tc = (struct openvpn_tcphdr *) BPTR(buf); @@ -166,9 +160,8 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) for (olen = hlen - sizeof(struct openvpn_tcphdr), opt = (uint8_t *)(tc + 1); - olen > 1; - olen -= optlen, opt += optlen) - { + olen > 0; + olen -= optlen, opt += optlen) { if (*opt == OPENVPN_TCPOPT_EOL) { break; diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 0de2042..afe7a32 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MSS_H diff --git a/src/openvpn/mstats.c b/src/openvpn/mstats.c index 9b09188..8ab1d02 100644 --- a/src/openvpn/mstats.c +++ b/src/openvpn/mstats.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/mstats.h b/src/openvpn/mstats.h index 486035f..f87a858 100644 --- a/src/openvpn/mstats.h +++ b/src/openvpn/mstats.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index cb940d8..b5471b1 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -586,8 +587,7 @@ multi_tcp_action(struct multi_context *m, struct multi_instance *mi, int action, { bool tun_input_pending = false; - do - { + do { dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_action a=%s p=%d", pract(action), poll); diff --git a/src/openvpn/mtcp.h b/src/openvpn/mtcp.h index 79dcb13..835b8fd 100644 --- a/src/openvpn/mtcp.h +++ b/src/openvpn/mtcp.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 44bef68..73eab21 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index d1e8c18..471e51e 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef MTU_H diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 793678d..64ce4d7 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/mudp.h b/src/openvpn/mudp.h index b9ceaf7..a98d64d 100644 --- a/src/openvpn/mudp.h +++ b/src/openvpn/mudp.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 8d3d67f..f6f3f5d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -536,14 +537,10 @@ multi_del_iroutes(struct multi_context *m, if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) { for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next) - { mroute_helper_del_iroute46(m->route_helper, ir->netbits); - } for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next) - { mroute_helper_del_iroute46(m->route_helper, ir6->netbits); - } } } @@ -822,8 +819,7 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real) mi->did_iter = true; #ifdef MANAGEMENT_DEF_AUTH - do - { + do { mi->context.c2.mda_context.cid = m->cid_counter++; } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false)); mi->did_cid_hash = true; @@ -2953,14 +2949,10 @@ gremlin_flood_clients(struct multi_context *m) parm.packet_size); for (i = 0; i < parm.packet_size; ++i) - { ASSERT(buf_write_u8(&buf, get_random() & 0xFF)); - } for (i = 0; i < parm.n_packets; ++i) - { multi_bcast(m, &buf, NULL, NULL); - } gc_free(&gc); } @@ -3383,7 +3375,6 @@ tunnel_server(struct context *top) #else /* if P2MP_SERVER */ static void -dummy(void) -{ +dummy(void) { } #endif /* P2MP_SERVER */ diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 63afbaf..b4ffd69 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 0b1163e..e78af9e 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -15,9 +15,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -85,13 +86,13 @@ static void gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char *result) { const md_kt_t *md5_kt = md_kt_get("MD5"); - hmac_ctx_t *hmac_ctx = hmac_ctx_new(); + hmac_ctx_t hmac_ctx; + CLEAR(hmac_ctx); - hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); - hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len); - hmac_ctx_final(hmac_ctx, (unsigned char *)result); - hmac_ctx_cleanup(hmac_ctx); - hmac_ctx_free(hmac_ctx); + hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt); + hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len); + hmac_ctx_final(&hmac_ctx, (unsigned char *)result); + hmac_ctx_cleanup(&hmac_ctx); } static void @@ -123,22 +124,19 @@ gen_nonce(unsigned char *nonce) /* Generates 8 random bytes to be used as client nonce */ int i; - for (i = 0; i<8; i++) - { + for (i = 0; i<8; i++) { nonce[i] = (unsigned char)get_random(); } } -void +unsigned char * my_strupr(unsigned char *str) { /* converts string to uppercase in place */ + unsigned char *tmp = str; - while (*str) - { - *str = toupper(*str); - str++; - } + do *str = toupper(*str); while (*(++str)); + return tmp; } static int @@ -195,7 +193,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are */ char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */ - unsigned char buf2[128]; /* decoded reply from proxy */ + char buf2[128]; /* decoded reply from proxy */ unsigned char phase3[464]; char md4_hash[MD4_DIGEST_LENGTH+5]; @@ -301,13 +299,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are tib_len = 96; } { - char *tib_ptr; - int tib_pos = buf2[0x2c]; - if (tib_pos + tib_len > sizeof(buf2)) - { - return NULL; - } - tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */ + char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */ memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */ } } @@ -381,7 +373,6 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are #else /* if NTLM */ static void -dummy(void) -{ +dummy(void) { } #endif /* if NTLM */ diff --git a/src/openvpn/occ-inline.h b/src/openvpn/occ-inline.h index 68e9098..84fe1ac 100644 --- a/src/openvpn/occ-inline.h +++ b/src/openvpn/occ-inline.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OCC_INLINE_H diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index 40f7e76..b4ccc4d 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -429,7 +430,6 @@ process_received_occ_msg(struct context *c) #else /* ifdef ENABLE_OCC */ static void -dummy(void) -{ +dummy(void) { } #endif /* ifdef ENABLE_OCC */ diff --git a/src/openvpn/occ.h b/src/openvpn/occ.h index 12d7bc5..843ceb2 100644 --- a/src/openvpn/occ.h +++ b/src/openvpn/occ.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OCC_H diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h deleted file mode 100644 index c765f0b..0000000 --- a/src/openvpn/openssl_compat.h +++ /dev/null @@ -1,657 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -/** - * @file OpenSSL compatibility stub - * - * This file provide compatibility stubs for the OpenSSL libraries - * prior to version 1.1. This version introduces many changes in the - * library interface, including the fact that various objects and - * structures are not fully opaque. - */ - -#ifndef OPENSSL_COMPAT_H_ -#define OPENSSL_COMPAT_H_ - -#ifdef HAVE_CONFIG_H -#include "config.h" -#elif defined(_MSC_VER) -#include "config-msvc.h" -#endif - -#include "buffer.h" - -#include <openssl/ssl.h> -#include <openssl/x509.h> - -#if !defined(HAVE_EVP_MD_CTX_RESET) -/** - * Reset a message digest context - * - * @param ctx The message digest context - * @return 1 on success, 0 on error - */ -static inline int -EVP_MD_CTX_reset(EVP_MD_CTX *ctx) -{ - EVP_MD_CTX_cleanup(ctx); - return 1; -} -#endif - -#if !defined(HAVE_EVP_MD_CTX_FREE) -/** - * Free an existing message digest context - * - * @param ctx The message digest context - */ -static inline void -EVP_MD_CTX_free(EVP_MD_CTX *ctx) -{ - free(ctx); -} -#endif - -#if !defined(HAVE_EVP_MD_CTX_NEW) -/** - * Allocate a new message digest object - * - * @return A zero'ed message digest object - */ -static inline EVP_MD_CTX * -EVP_MD_CTX_new(void) -{ - EVP_MD_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, EVP_MD_CTX); - return ctx; -} -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -/** - * Free an existing cipher context - * - * @param ctx The cipher context - */ -static inline void -EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c) -{ - free(c); -} -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -/** - * Allocate a new cipher context object - * - * @return A zero'ed cipher context object - */ -static inline EVP_CIPHER_CTX * -EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX); - return ctx; -} -#endif - -#if !defined(HAVE_HMAC_CTX_RESET) -/** - * Reset a HMAC context - * - * @param ctx The HMAC context - * @return 1 on success, 0 on error - */ -static inline int -HMAC_CTX_reset(HMAC_CTX *ctx) -{ - HMAC_CTX_cleanup(ctx); - return 1; -} -#endif - -#if !defined(HAVE_HMAC_CTX_INIT) -/** - * Init a HMAC context - * - * @param ctx The HMAC context - * - * Contrary to many functions in this file, HMAC_CTX_init() is not - * an OpenSSL 1.1 function: it comes from previous versions and was - * removed in v1.1. As a consequence, there is no distincting in - * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL - * version need this distinction. - * - * In order to respect previous OpenSSL versions, we implement init - * as reset for OpenSSL 1.1+. - */ -static inline void -HMAC_CTX_init(HMAC_CTX *ctx) -{ - HMAC_CTX_reset(ctx); -} -#endif - -#if !defined(HAVE_HMAC_CTX_FREE) -/** - * Free an existing HMAC context - * - * @param ctx The HMAC context - */ -static inline void -HMAC_CTX_free(HMAC_CTX *c) -{ - free(c); -} -#endif - -#if !defined(HAVE_HMAC_CTX_NEW) -/** - * Allocate a new HMAC context object - * - * @return A zero'ed HMAC context object - */ -static inline HMAC_CTX * -HMAC_CTX_new(void) -{ - HMAC_CTX *ctx = NULL; - ALLOC_OBJ_CLEAR(ctx, HMAC_CTX); - return ctx; -} -#endif - -#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA) -/** - * Fetch the default password callback user data from the SSL context - * - * @param ctx SSL context - * @return The password callback user data - */ -static inline void * -SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) -{ - return ctx ? ctx->default_passwd_callback_userdata : NULL; -} -#endif - -#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB) -/** - * Fetch the default password callback from the SSL context - * - * @param ctx SSL context - * @return The password callback - */ -static inline pem_password_cb * -SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -{ - return ctx ? ctx->default_passwd_callback : NULL; -} -#endif - -#if !defined(HAVE_X509_GET0_PUBKEY) -/** - * Get the public key from a X509 certificate - * - * @param x X509 certificate - * @return The certificate public key - */ -static inline EVP_PKEY * -X509_get0_pubkey(const X509 *x) -{ - return (x && x->cert_info && x->cert_info->key) ? - x->cert_info->key->pkey : NULL; -} -#endif - -#if !defined(HAVE_X509_STORE_GET0_OBJECTS) -/** - * Fetch the X509 object stack from the X509 store - * - * @param store X509 object store - * @return the X509 object stack - */ -static inline STACK_OF(X509_OBJECT) * -X509_STORE_get0_objects(X509_STORE *store) -{ - return store ? store->objs : NULL; -} -#endif - -#if !defined(HAVE_X509_OBJECT_FREE) -/** - * Destroy a X509 object - * - * @param obj X509 object - */ -static inline void -X509_OBJECT_free(X509_OBJECT *obj) -{ - if (obj) - { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - } -} -#endif - -#if !defined(HAVE_X509_OBJECT_GET_TYPE) -/** - * Get the type of an X509 object - * - * @param obj X509 object - * @return The underlying object type - */ -static inline int -X509_OBJECT_get_type(const X509_OBJECT *obj) -{ - return obj ? obj->type : X509_LU_FAIL; -} -#endif - -#if !defined(HAVE_EVP_PKEY_GET0_RSA) -/** - * Get the RSA object of a public key - * - * @param pkey Public key object - * @return The underlying RSA object - */ -static inline RSA * -EVP_PKEY_get0_RSA(EVP_PKEY *pkey) -{ - return pkey ? pkey->pkey.rsa : NULL; -} -#endif - -#if !defined(HAVE_EVP_PKEY_ID) -/** - * Get the PKEY type - * - * @param pkey Public key object - * @return The key type - */ -static inline int -EVP_PKEY_id(const EVP_PKEY *pkey) -{ - return pkey ? pkey->type : EVP_PKEY_NONE; -} -#endif - -#if !defined(HAVE_EVP_PKEY_GET0_DSA) -/** - * Get the DSA object of a public key - * - * @param pkey Public key object - * @return The underlying DSA object - */ -static inline DSA * -EVP_PKEY_get0_DSA(EVP_PKEY *pkey) -{ - return pkey ? pkey->pkey.dsa : NULL; -} -#endif - -#if !defined(HAVE_RSA_SET_FLAGS) -/** - * Set the RSA flags - * - * @param rsa The RSA object - * @param flags New flags value - */ -static inline void -RSA_set_flags(RSA *rsa, int flags) -{ - if (rsa) - { - rsa->flags = flags; - } -} -#endif - -#if !defined(HAVE_RSA_GET0_KEY) -/** - * Get the RSA parameters - * - * @param rsa The RSA object - * @param n The @c n parameter - * @param e The @c e parameter - * @param d The @c d parameter - */ -static inline void -RSA_get0_key(const RSA *rsa, const BIGNUM **n, - const BIGNUM **e, const BIGNUM **d) -{ - if (n != NULL) - { - *n = rsa ? rsa->n : NULL; - } - if (e != NULL) - { - *e = rsa ? rsa->e : NULL; - } - if (d != NULL) - { - *d = rsa ? rsa->d : NULL; - } -} -#endif - -#if !defined(HAVE_RSA_SET0_KEY) -/** - * Set the RSA parameters - * - * @param rsa The RSA object - * @param n The @c n parameter - * @param e The @c e parameter - * @param d The @c d parameter - * @return 1 on success, 0 on error - */ -static inline int -RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) -{ - if ((rsa->n == NULL && n == NULL) - || (rsa->e == NULL && e == NULL)) - { - return 0; - } - - if (n != NULL) - { - BN_free(rsa->n); - rsa->n = n; - } - if (e != NULL) - { - BN_free(rsa->e); - rsa->e = e; - } - if (d != NULL) - { - BN_free(rsa->d); - rsa->d = d; - } - - return 1; -} -#endif - -#if !defined(HAVE_RSA_BITS) -/** - * Number of significant RSA bits - * - * @param rsa The RSA object ; shall not be NULL - * @return The number of RSA bits or 0 on error - */ -static inline int -RSA_bits(const RSA *rsa) -{ - const BIGNUM *n = NULL; - RSA_get0_key(rsa, &n, NULL, NULL); - return n ? BN_num_bits(n) : 0; -} -#endif - -#if !defined(HAVE_DSA_GET0_PQG) -/** - * Get the DSA parameters - * - * @param dsa The DSA object - * @param p The @c p parameter - * @param q The @c q parameter - * @param g The @c g parameter - */ -static inline void -DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, - const BIGNUM **q, const BIGNUM **g) -{ - if (p != NULL) - { - *p = dsa ? dsa->p : NULL; - } - if (q != NULL) - { - *q = dsa ? dsa->q : NULL; - } - if (g != NULL) - { - *g = dsa ? dsa->g : NULL; - } -} -#endif - -#if !defined(HAVE_DSA_BITS) -/** - * Number of significant DSA bits - * - * @param rsa The DSA object ; shall not be NULL - * @return The number of DSA bits or 0 on error - */ -static inline int -DSA_bits(const DSA *dsa) -{ - const BIGNUM *p = NULL; - DSA_get0_pqg(dsa, &p, NULL, NULL); - return p ? BN_num_bits(p) : 0; -} -#endif - -#if !defined(HAVE_RSA_METH_NEW) -/** - * Allocate a new RSA method object - * - * @param name The object name - * @param flags Configuration flags - * @return A new RSA method object - */ -static inline RSA_METHOD * -RSA_meth_new(const char *name, int flags) -{ - RSA_METHOD *rsa_meth = NULL; - ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD); - rsa_meth->name = string_alloc(name, NULL); - rsa_meth->flags = flags; - return rsa_meth; -} -#endif - -#if !defined(HAVE_RSA_METH_FREE) -/** - * Free an existing RSA_METHOD object - * - * @param meth The RSA_METHOD object - */ -static inline void -RSA_meth_free(RSA_METHOD *meth) -{ - if (meth) - { - /* OpenSSL defines meth->name to be a const pointer, yet we - * feed it with an allocated string (from RSA_meth_new()). - * Thus we are allowed to free it here. In order to avoid a - * "passing 'const char *' to parameter of type 'void *' discards - * qualifiers" warning, we force the pointer to be a non-const value. - */ - free((char *)meth->name); - free(meth); - } -} -#endif - -#if !defined(HAVE_RSA_METH_SET_PUB_ENC) -/** - * Set the public encoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param pub_enc the public encoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_pub_enc(RSA_METHOD *meth, - int (*pub_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_pub_enc = pub_enc; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET_PUB_DEC) -/** - * Set the public decoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param pub_dec the public decoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_pub_dec(RSA_METHOD *meth, - int (*pub_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_pub_dec = pub_dec; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET_PRIV_ENC) -/** - * Set the private encoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param priv_enc the private encoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_priv_enc(RSA_METHOD *meth, - int (*priv_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_priv_enc = priv_enc; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET_PRIV_DEC) -/** - * Set the private decoding function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param priv_dec the private decoding function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_priv_dec(RSA_METHOD *meth, - int (*priv_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) -{ - if (meth) - { - meth->rsa_priv_dec = priv_dec; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET_INIT) -/** - * Set the init function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param init the init function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) -{ - if (meth) - { - meth->init = init; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET_FINISH) -/** - * Set the finish function of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param finish the finish function - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) -{ - if (meth) - { - meth->finish = finish; - return 1; - } - return 0; -} -#endif - -#if !defined(HAVE_RSA_METH_SET0_APP_DATA) -/** - * Set the application data of an RSA_METHOD object - * - * @param meth The RSA_METHOD object - * @param app_data Application data - * @return 1 on success, 0 on error - */ -static inline int -RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) -{ - if (meth) - { - meth->app_data = app_data; - return 1; - } - return 0; -} -#endif - -/* SSLeay symbols have been renamed in OpenSSL 1.1 */ -#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) -#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT -#endif - -#endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 08c09e6..888acda 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -331,8 +332,7 @@ openvpn_main(int argc, char *argv[]) #ifdef _WIN32 int -wmain(int argc, wchar_t *wargv[]) -{ +wmain(int argc, wchar_t *wargv[]) { char **argv; int ret; int i; @@ -361,8 +361,7 @@ wmain(int argc, wchar_t *wargv[]) } #else /* ifdef _WIN32 */ int -main(int argc, char *argv[]) -{ +main(int argc, char *argv[]) { return openvpn_main(argc, argv); } #endif /* ifdef _WIN32 */ diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 9262e68..7ea0d17 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OPENVPN_H @@ -201,7 +202,7 @@ struct context_1 #endif /* if client mode, hash of option strings we pulled from server */ - struct sha256_digest pulled_options_digest_save; + struct md5_digest pulled_options_digest_save; /**< Hash of option strings received from the * remote OpenVPN server. Only used in * client-mode. */ @@ -471,9 +472,9 @@ struct context_2 bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ - bool pulled_options_digest_init_done; - md_ctx_t *pulled_options_state; - struct sha256_digest pulled_options_digest; + bool pulled_options_md5_init_done; + md_ctx_t pulled_options_state; + struct md5_digest pulled_options_digest; struct event_timeout scheduled_exit; int scheduled_exit_signal; diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index d1c0fde..8dfbea5 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -99,16 +99,13 @@ </Link> </ItemDefinitionGroup> <ItemGroup> - <ClCompile Include="argv.c" /> <ClCompile Include="base64.c" /> - <ClCompile Include="block_dns.c" /> <ClCompile Include="buffer.c" /> <ClCompile Include="clinat.c" /> <ClCompile Include="comp-lz4.c" /> <ClCompile Include="comp.c" /> <ClCompile Include="compstub.c" /> <ClCompile Include="console.c" /> - <ClCompile Include="console_builtin.c" /> <ClCompile Include="crypto.c" /> <ClCompile Include="crypto_openssl.c" /> <ClCompile Include="cryptoapi.c" /> @@ -167,15 +164,12 @@ <ClCompile Include="ssl_verify.c" /> <ClCompile Include="ssl_verify_openssl.c" /> <ClCompile Include="status.c" /> - <ClCompile Include="tls_crypt.c" /> <ClCompile Include="tun.c" /> <ClCompile Include="win32.c" /> </ItemGroup> <ItemGroup> - <ClInclude Include="argv.h" /> <ClInclude Include="base64.h" /> <ClInclude Include="basic.h" /> - <ClInclude Include="block_dns.h" /> <ClInclude Include="buffer.h" /> <ClInclude Include="circ_list.h" /> <ClInclude Include="clinat.h" /> @@ -255,7 +249,6 @@ <ClInclude Include="ssl_verify_openssl.h" /> <ClInclude Include="status.h" /> <ClInclude Include="syshead.h" /> - <ClInclude Include="tls_crypt.h" /> <ClInclude Include="tun.h" /> <ClInclude Include="win32.h" /> </ItemGroup> diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index 30df5ec..8b6a269 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -216,18 +216,6 @@ <ClCompile Include="comp-lz4.c"> <Filter>Source Files</Filter> </ClCompile> - <ClCompile Include="argv.c"> - <Filter>Source Files</Filter> - </ClCompile> - <ClCompile Include="block_dns.c"> - <Filter>Source Files</Filter> - </ClCompile> - <ClCompile Include="console_builtin.c"> - <Filter>Source Files</Filter> - </ClCompile> - <ClCompile Include="tls_crypt.c"> - <Filter>Source Files</Filter> - </ClCompile> </ItemGroup> <ItemGroup> <ClInclude Include="base64.h"> @@ -476,22 +464,10 @@ <ClInclude Include="win32.h"> <Filter>Header Files</Filter> </ClInclude> - <ClInclude Include="compstub.h"> - <Filter>Header Files</Filter> - </ClInclude> - <ClInclude Include="argv.h"> - <Filter>Header Files</Filter> - </ClInclude> - <ClInclude Include="block_dns.h"> - <Filter>Header Files</Filter> - </ClInclude> - <ClInclude Include="tls_crypt.h"> - <Filter>Header Files</Filter> - </ClInclude> </ItemGroup> <ItemGroup> <ResourceCompile Include="openvpn_win32_resources.rc"> <Filter>Resource Files</Filter> </ResourceCompile> </ItemGroup> -</Project>
\ No newline at end of file +</Project> diff --git a/src/openvpn/options.c b/src/openvpn/options.c index fef5e90..2f1b298 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -197,7 +198,7 @@ static const char usage_message[] = " is established. Multiple routes can be specified.\n" " netmask default: 255.255.255.255\n" " gateway default: taken from --route-gateway or --ifconfig\n" - " Specify default by leaving blank or setting to \"nil\".\n" + " Specify default by leaving blank or setting to \"default\".\n" "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" @@ -591,8 +592,7 @@ static const char usage_message[] = "--x509-username-field : Field in x509 certificate containing the username.\n" " Default is CN in the Subject field.\n" #endif - "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n" - " Valid algo flags are SHA1 and SHA256. \n" + "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" #ifdef _WIN32 "--cryptoapicert select-string : Load the certificate and private key from the\n" " Windows Certificate System Store.\n" @@ -636,8 +636,8 @@ static const char usage_message[] = "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" - "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n" - " an explicit nsCertType designation t = 'client' | 'server'.\n" + "--ns-cert-type t: Require that peer certificate was signed with an explicit\n" + " nsCertType designation t = 'client' | 'server'.\n" "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 @@ -716,6 +716,7 @@ static const char usage_message[] = "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n" "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" + "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n" "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n" " on connection initiation.\n" "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n" @@ -998,9 +999,7 @@ setenv_settings(struct env_set *es, const struct options *o) { int i; for (i = 0; i < o->connection_list->len; ++i) - { setenv_connection_entry(es, o->connection_list->array[i], i+1); - } } else { @@ -1215,6 +1214,7 @@ show_tuntap_options(const struct tuntap_options *o) SHOW_BOOL(dhcp_options); SHOW_BOOL(dhcp_renew); SHOW_BOOL(dhcp_pre_release); + SHOW_BOOL(dhcp_release); SHOW_STR(domain); SHOW_STR(netbios_scope); SHOW_INT(netbios_node_type); @@ -1761,9 +1761,7 @@ show_settings(const struct options *o) { int i; for (i = 0; i<MAX_PARMS; i++) - { SHOW_INT(remote_cert_ku[i]); - } } SHOW_STR(remote_cert_eku); SHOW_INT(ssl_flags); @@ -1791,30 +1789,22 @@ show_settings(const struct options *o) { int i; for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++) - { SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s"); - } } { int i; for (i = 0; i<MAX_PARMS; i++) - { SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); - } } { int i; for (i = 0; i<MAX_PARMS; i++) - { SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x"); - } } { int i; for (i = 0; i<MAX_PARMS; i++) - { SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); - } } SHOW_INT(pkcs11_pin_cache_period); SHOW_STR(pkcs11_id); @@ -2949,9 +2939,7 @@ options_postprocess_verify(const struct options *o) { int i; for (i = 0; i < o->connection_list->len; ++i) - { options_postprocess_verify_ce(o, o->connection_list->array[i]); - } } else { @@ -3002,9 +2990,7 @@ options_postprocess_mutate(struct options *o) ASSERT(o->connection_list); for (i = 0; i < o->connection_list->len; ++i) - { options_postprocess_mutate_ce(o, o->connection_list->array[i]); - } #ifdef ENABLE_CRYPTO if (o->tls_server) @@ -3817,9 +3803,7 @@ options_warning_safe_scan1(const int msglevel, char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc); while (buf_parse(&b, delim, p, OPTION_PARM_SIZE)) - { options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name); - } gc_free(&gc); } @@ -4096,7 +4080,6 @@ usage(void) fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds, - o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, o.verbosity); @@ -4447,10 +4430,7 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) { char *line_ptr = line; /* Remove leading spaces */ - while (isspace(*line_ptr)) - { - line_ptr++; - } + while (isspace(*line_ptr)) line_ptr++; if (!strncmp(line_ptr, close_tag, strlen(close_tag))) { endtagfound = true; @@ -4546,7 +4526,7 @@ read_config_file(struct options *options, FILE *fp; int line_num; char line[OPTION_LINE_SIZE+1]; - char *p[MAX_PARMS+1]; + char *p[MAX_PARMS]; ++level; if (level <= max_recursive_levels) @@ -4578,7 +4558,7 @@ read_config_file(struct options *options, { offset = 3; } - if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) + if (parse_line(line + offset, p, SIZE(p), file, line_num, msglevel, &options->gc)) { bypass_doubledash(&p[0]); check_inline_file_via_fp(fp, p, &options->gc); @@ -4620,10 +4600,10 @@ read_config_string(const char *prefix, while (buf_parse(&multiline, '\n', line, sizeof(line))) { - char *p[MAX_PARMS+1]; + char *p[MAX_PARMS]; CLEAR(p); ++line_num; - if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc)) + if (parse_line(line, p, SIZE(p), prefix, line_num, msglevel, &options->gc)) { bypass_doubledash(&p[0]); check_inline_file_via_buf(&multiline, p, &options->gc); @@ -4754,14 +4734,14 @@ apply_push_options(struct options *options, while (buf_parse(buf, ',', line, sizeof(line))) { - char *p[MAX_PARMS+1]; + char *p[MAX_PARMS]; CLEAR(p); ++line_num; if (!apply_pull_filter(options, line)) { return false; /* Cause push/pull error and stop push processing */ } - if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) + if (parse_line(line, p, SIZE(p), file, line_num, msglevel, &options->gc)) { add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); } @@ -5167,7 +5147,7 @@ add_option(struct options *options, } #endif /* ifdef ENABLE_MANAGEMENT */ #ifdef ENABLE_PLUGIN - else if (streq(p[0], "plugin") && p[1]) + else if (streq(p[0], "plugin") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_PLUGIN); if (!options->plugin_list) @@ -5317,14 +5297,12 @@ add_option(struct options *options, if (!sub.ce.remote) { msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive"); - uninit_options(&sub); goto err; } e = alloc_connection_entry(options, msglevel); if (!e) { - uninit_options(&sub); goto err; } *e = sub.ce; @@ -5342,24 +5320,18 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); /* Find out how many options to be ignored */ for (i = 1; p[i]; i++) - { numignored++; - } /* add number of options already ignored */ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) - { numignored++; - } /* Allocate array */ ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc); for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++) - { ignore[i] = options->ignore_unknown_option[i]; - } options->ignore_unknown_option = ignore; @@ -6043,8 +6015,7 @@ add_option(struct options *options, struct http_custom_header *custom_header = NULL; int i; /* Find the first free header */ - for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) - { + for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) { if (!ho->custom_headers[i].name) { custom_header = &ho->custom_headers[i]; @@ -6818,6 +6789,20 @@ add_option(struct options *options, options->port_share_port = p[2]; options->port_share_journal_dir = p[3]; } + else if (streq (p[0], "pkcs11-id-type") || + streq (p[0], "pkcs11-sign-mode") || + streq (p[0], "pkcs11-slot") || + streq (p[0], "pkcs11-slot-type") || + streq (p[0], "show-pkcs11-objects") || + streq (p[0], "show-pkcs11-slots")) + { + if (file) + msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.", + file, line, p[0], PACKAGE_VERSION); + else + msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.", + p[0], PACKAGE_VERSION); + } #endif else if (streq(p[0], "client-to-client") && !p[1]) { @@ -7229,11 +7214,11 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_IPWIN32); options->tuntap_options.dhcp_pre_release = true; - options->tuntap_options.dhcp_renew = true; } else if (streq(p[0], "dhcp-release") && !p[1]) { - msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default"); + VERIFY_PERMISSION(OPT_P_IPWIN32); + options->tuntap_options.dhcp_release = true; } else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */ { @@ -7705,25 +7690,10 @@ add_option(struct options *options, options->extra_certs_file_inline = p[2]; } } - else if (streq(p[0], "verify-hash") && p[1] && !p[3]) + else if (streq(p[0], "verify-hash") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); - - if (!p[2] || (p[2] && streq(p[2], "SHA1"))) - { - options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); - options->verify_hash_algo = MD_SHA1; - } - else if (p[2] && streq(p[2], "SHA256")) - { - options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc); - options->verify_hash_algo = MD_SHA256; - } - else - { - msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); - goto err; - } + options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); } #ifdef ENABLE_CRYPTOAPI else if (streq(p[0], "cryptoapicert") && p[1] && !p[2]) @@ -7947,18 +7917,12 @@ add_option(struct options *options, } else if (streq(p[0], "remote-cert-ku")) { + int j; + VERIFY_PERMISSION(OPT_P_GENERAL); - size_t j; for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - { sscanf(p[j], "%x", &(options->remote_cert_ku[j-1])); - } - if (j == 1) - { - /* No specific KU required, but require KU to be present */ - options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; - } } else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2]) { @@ -7971,12 +7935,15 @@ add_option(struct options *options, if (streq(p[1], "server")) { - options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; + options->remote_cert_ku[0] = 0xa0; + options->remote_cert_ku[1] = 0x88; options->remote_cert_eku = "TLS Web Server Authentication"; } else if (streq(p[1], "client")) { - options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED; + options->remote_cert_ku[0] = 0x80; + options->remote_cert_ku[1] = 0x08; + options->remote_cert_ku[2] = 0x88; options->remote_cert_eku = "TLS Web Client Authentication"; } else @@ -8084,25 +8051,15 @@ add_option(struct options *options, if (strncmp("ext:", s, 4) != 0) { size_t i = 0; - while (s[i] && !isupper(s[i])) - { - i++; - } + while (s[i] && !isupper(s[i])) i++; if (strlen(s) == i) { - while ((*s = toupper(*s)) != '\0') - { - s++; - } + while ((*s = toupper(*s)) != '\0') s++; msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " "--x509-username-field parameter to '%s'; please update your" "configuration", p[1]); } } - else if (!x509_username_field_ext_supported(s+4)) - { - msg(msglevel, "Unsupported x509-username-field extension: %s", s); - } options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ @@ -8151,9 +8108,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - { options->pkcs11_providers[j-1] = p[j]; - } } else if (streq(p[0], "pkcs11-protected-authentication")) { @@ -8162,9 +8117,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - { options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0; - } } else if (streq(p[0], "pkcs11-private-mode") && p[1]) { @@ -8173,9 +8126,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - { sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1])); - } } else if (streq(p[0], "pkcs11-cert-private")) { @@ -8184,9 +8135,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) - { options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0; - } } else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 67b9b94..b3ab029 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -41,10 +42,6 @@ #include "comp.h" #include "pushlist.h" #include "clinat.h" -#ifdef ENABLE_CRYPTO -#include "crypto_backend.h" -#endif - /* * Maximum number of parameters associated with an option, @@ -522,7 +519,6 @@ struct options unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; uint8_t *verify_hash; - hash_algo_type verify_hash_algo; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index 3e576cc..22abda0 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h index 8731472..eede63d 100644 --- a/src/openvpn/otime.h +++ b/src/openvpn/otime.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OTIME_H @@ -288,8 +289,7 @@ tv_within_sigma(const struct timeval *t1, const struct timeval *t2, unsigned int * called again. */ static inline void -interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current) -{ +interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current) { if (at > current) { const interval_t delta = (interval_t) (at - current); diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index 30ae8fb..6f70c5d 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -656,8 +657,7 @@ packet_id_interactive_test() packet_id_init(&pid, seq_backtrack, time_backtrack); - while (true) - { + while (true) { char buf[80]; if (!fgets(buf, sizeof(buf), stdin)) { diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index a370936..aceacf8 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/perf.c b/src/openvpn/perf.c index 16cf749..51e051a 100644 --- a/src/openvpn/perf.c +++ b/src/openvpn/perf.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -146,14 +147,12 @@ push_perf_index(int pindex) { int i; for (i = 0; i < sindex; ++i) - { if (perf_set.stack[i] == pindex) { perf_print_state(M_INFO); msg(M_FATAL, "PERF: push_perf_index %s failed", metric_names [pindex]); } - } perf_set.stack[sindex] = pindex; perf_set.stack_len = newlen; @@ -322,8 +321,7 @@ perf_print_state(int lev) #else /* ifdef ENABLE_PERFORMANCE_METRICS */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void -dummy(void) -{ +dummy(void) { } #endif #endif /* ifdef ENABLE_PERFORMANCE_METRICS */ diff --git a/src/openvpn/perf.h b/src/openvpn/perf.h index ae5ae08..f0430a1 100644 --- a/src/openvpn/perf.h +++ b/src/openvpn/perf.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -75,16 +76,13 @@ void perf_output_results(void); #else /* ifdef ENABLE_PERFORMANCE_METRICS */ static inline void -perf_push(int type) -{ +perf_push(int type) { } static inline void -perf_pop(void) -{ +perf_pop(void) { } static inline void -perf_output_results(void) -{ +perf_output_results(void) { } #endif /* ifdef ENABLE_PERFORMANCE_METRICS */ diff --git a/src/openvpn/pf-inline.h b/src/openvpn/pf-inline.h index ac19ac4..a0f5cc7 100644 --- a/src/openvpn/pf-inline.h +++ b/src/openvpn/pf-inline.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #if defined(ENABLE_PF) && !defined(PF_INLINE_H) diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index 5cb002b..56b6858 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* packet filter functions */ diff --git a/src/openvpn/pf.h b/src/openvpn/pf.h index 414c85b..3832683 100644 --- a/src/openvpn/pf.h +++ b/src/openvpn/pf.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* packet filter functions */ diff --git a/src/openvpn/ping-inline.h b/src/openvpn/ping-inline.h index 0642b85..2fa1d5c 100644 --- a/src/openvpn/ping-inline.h +++ b/src/openvpn/ping-inline.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PING_INLINE_H diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c index 728d6c2..0496b72 100644 --- a/src/openvpn/ping.c +++ b/src/openvpn/ping.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h index 5bd5c08..e839ce7 100644 --- a/src/openvpn/ping.h +++ b/src/openvpn/ping.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PING_H diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c index 6041828..6858846 100644 --- a/src/openvpn/pkcs11.c +++ b/src/openvpn/pkcs11.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -44,24 +45,21 @@ static time_t -__mytime(void) -{ +__mytime(void) { return openvpn_time(NULL); } #if !defined(_WIN32) static int -__mygettimeofday(struct timeval *tv) -{ +__mygettimeofday(struct timeval *tv) { return gettimeofday(tv, NULL); } #endif static void -__mysleep(const unsigned long usec) -{ +__mysleep(const unsigned long usec) { #if defined(_WIN32) Sleep(usec/1000); #else @@ -86,12 +84,10 @@ static unsigned _pkcs11_msg_pkcs112openvpn( const unsigned flags - ) -{ + ) { unsigned openvpn_flags; - switch (flags) - { + switch (flags) { case PKCS11H_LOG_DEBUG2: openvpn_flags = D_PKCS11_DEBUG; break; @@ -128,8 +124,7 @@ static unsigned _pkcs11_msg_openvpn2pkcs11( const unsigned flags - ) -{ + ) { unsigned pkcs11_flags; if ((flags & D_PKCS11_DEBUG) != 0) @@ -171,8 +166,7 @@ _pkcs11_openvpn_log( unsigned flags, const char *const szFormat, va_list args - ) -{ + ) { char Buffer[10*1024]; (void)global_data; @@ -190,8 +184,7 @@ _pkcs11_openvpn_token_prompt( void *const user_data, const pkcs11h_token_id_t token, const unsigned retry - ) -{ + ) { struct user_pass token_resp; (void)global_data; @@ -236,8 +229,7 @@ _pkcs11_openvpn_pin_prompt( const unsigned retry, char *const pin, const size_t pin_max - ) -{ + ) { struct user_pass token_pass; char prompt[1024]; @@ -283,8 +275,7 @@ bool pkcs11_initialize( const bool protected_auth, const int nPINCachePeriod - ) -{ + ) { CK_RV rv = CKR_FUNCTION_FAILED; dmsg( @@ -356,8 +347,7 @@ cleanup: } void -pkcs11_terminate() -{ +pkcs11_terminate() { dmsg( D_PKCS11_DEBUG, "PKCS#11: pkcs11_terminate - entered" @@ -377,8 +367,7 @@ pkcs11_addProvider( const bool protected_auth, const unsigned private_mode, const bool cert_private - ) -{ + ) { CK_RV rv = CKR_OK; ASSERT(provider!=NULL); @@ -422,14 +411,12 @@ pkcs11_addProvider( } int -pkcs11_logout() -{ +pkcs11_logout() { return pkcs11h_logout() == CKR_OK; } int -pkcs11_management_id_count() -{ +pkcs11_management_id_count() { pkcs11h_certificate_id_list_t id_list = NULL; pkcs11h_certificate_id_list_t t = NULL; CK_RV rv = CKR_OK; @@ -454,8 +441,7 @@ pkcs11_management_id_count() goto cleanup; } - for (count = 0, t = id_list; t != NULL; t = t->next) - { + for (count = 0, t = id_list; t != NULL; t = t->next) { count++; } @@ -481,8 +467,7 @@ pkcs11_management_id_get( const int index, char **id, char **base64 - ) -{ + ) { pkcs11h_certificate_id_list_t id_list = NULL; pkcs11h_certificate_id_list_t entry = NULL; #if 0 /* certificate_id seems to be unused -- JY */ @@ -526,8 +511,7 @@ pkcs11_management_id_get( entry = id_list; count = 0; - while (entry != NULL && count != index) - { + while (entry != NULL && count != index) { count++; entry = entry->next; } @@ -669,8 +653,7 @@ tls_ctx_use_pkcs11( struct tls_root_ctx *const ssl_ctx, bool pkcs11_id_management, const char *const pkcs11_id - ) -{ + ) { pkcs11h_certificate_id_t certificate_id = NULL; pkcs11h_certificate_t certificate = NULL; CK_RV rv = CKR_OK; @@ -801,8 +784,7 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt( const unsigned retry, char *const pin, const size_t pin_max - ) -{ + ) { struct gc_arena gc = gc_new(); struct buffer pass_prompt = alloc_buf_gc(128, &gc); @@ -835,8 +817,7 @@ void show_pkcs11_ids( const char *const provider, bool cert_private - ) -{ + ) { struct gc_arena gc = gc_new(); pkcs11h_certificate_id_list_t user_certificates = NULL; pkcs11h_certificate_id_list_t current = NULL; @@ -907,8 +888,7 @@ show_pkcs11_ids( "--pkcs11-id option please remember to use single quote mark.\n" ) ); - for (current = user_certificates; current != NULL; current = current->next) - { + for (current = user_certificates; current != NULL; current = current->next) { pkcs11h_certificate_t certificate = NULL; char *dn = NULL; char serial[1024] = {0}; @@ -1026,8 +1006,7 @@ cleanup: #else /* if defined(ENABLE_PKCS11) */ #ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */ static void -dummy(void) -{ +dummy(void) { } #endif #endif /* ENABLE_PKCS11 */ diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h index f1722c0..3747d3a 100644 --- a/src/openvpn/pkcs11.h +++ b/src/openvpn/pkcs11.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef OPENVPN_PKCS11_H diff --git a/src/openvpn/pkcs11_backend.h b/src/openvpn/pkcs11_backend.h index b47b757..9606899 100644 --- a/src/openvpn/pkcs11_backend.h +++ b/src/openvpn/pkcs11_backend.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c index 45372e4..bdca893 100644 --- a/src/openvpn/pkcs11_mbedtls.c +++ b/src/openvpn/pkcs11_mbedtls.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -38,7 +39,6 @@ #include "errlevel.h" #include "pkcs11_backend.h" -#include "ssl_verify_backend.h" #include <mbedtls/pkcs11.h> #include <mbedtls/x509.h> @@ -82,6 +82,8 @@ char * pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc) { char *ret = NULL; + char dn[1024] = {0}; + mbedtls_x509_crt mbed_crt = {0}; if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) @@ -90,12 +92,14 @@ pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc) goto cleanup; } - if (!(ret = x509_get_subject(&mbed_crt, gc))) + if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject)) { msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); goto cleanup; } + ret = string_alloc(dn, gc); + cleanup: mbedtls_x509_crt_free(&mbed_crt); diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index c37425b..6244cc7 100644 --- a/src/openvpn/pkcs11_openssl.c +++ b/src/openvpn/pkcs11_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c index 2495523..952d633 100644 --- a/src/openvpn/platform.c +++ b/src/openvpn/platform.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h index cd2bbc9..62396a9 100644 --- a/src/openvpn/platform.h +++ b/src/openvpn/platform.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PLATFORM_H diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 557b6bc..17eb2d8 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -233,31 +234,23 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o) #ifndef _WIN32 p->handle = NULL; - - /* If the plug-in filename is not an absolute path, - * or beginning with '.', it should use the PLUGIN_LIBDIR - * as the base directory for loading the plug-in. - * - * This means the following scenarios are loaded from these places: - * --plugin fancyplug.so -> $PLUGIN_LIBDIR/fancyplug.so - * --plugin my/fancyplug.so -> $PLUGIN_LIBDIR/my/fancyplug.so - * --plugin ./fancyplug.so -> $CWD/fancyplug.so - * --plugin /usr/lib/my/fancyplug.so -> /usr/lib/my/fancyplug.so - * - * Please note that $CWD means the directory OpenVPN is either started from - * or the directory OpenVPN have changed into using --cd before --plugin - * was parsed. - * - */ - if (!absolute_pathname(p->so_pathname) - && p->so_pathname[0] != '.') +#if defined(PLUGIN_LIBDIR) + if (!absolute_pathname(p->so_pathname)) { char full[PATH_MAX]; openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname); p->handle = dlopen(full, RTLD_NOW); +#if defined(ENABLE_PLUGIN_SEARCH) + if (!p->handle) + { + rel = true; + p->handle = dlopen(p->so_pathname, RTLD_NOW); + } +#endif } else +#endif { rel = !absolute_pathname(p->so_pathname); p->handle = dlopen(p->so_pathname, RTLD_NOW); @@ -409,8 +402,7 @@ plugin_log(openvpn_plugin_log_flags_t flags, const char *name, const char *forma static struct openvpn_plugin_callbacks callbacks = { plugin_log, - plugin_vlog, - secure_memzero /* plugin_secure_memzero */ + plugin_vlog }; @@ -753,9 +745,7 @@ plugin_common_close(struct plugin_common *pc) int i; for (i = 0; i < pc->n; ++i) - { plugin_close_item(&pc->plugins[i]); - } free(pc); } } @@ -893,9 +883,7 @@ plugin_abort(void) int i; for (i = 0; i < pc->n; ++i) - { plugin_abort_item(&pc->plugins[i]); - } } } @@ -976,9 +964,7 @@ plugin_return_get_column(const struct plugin_return *src, dest->n = 0; for (i = 0; i < src->n; ++i) - { dest->list[i] = openvpn_plugin_string_list_find(src->list[i], colname); - } dest->n = i; } @@ -987,9 +973,7 @@ plugin_return_free(struct plugin_return *pr) { int i; for (i = 0; i < pr->n; ++i) - { openvpn_plugin_string_list_free(pr->list[i]); - } pr->n = 0; } @@ -1019,7 +1003,6 @@ plugin_return_print(const int msglevel, const char *prefix, const struct plugin_ #else /* ifdef ENABLE_PLUGIN */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_PLUGIN */ diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h index 0cffee0..4ded529 100644 --- a/src/openvpn/plugin.h +++ b/src/openvpn/plugin.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c index a8f15b9..aa0bc2b 100644 --- a/src/openvpn/pool.c +++ b/src/openvpn/pool.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -214,9 +215,7 @@ ifconfig_pool_free(struct ifconfig_pool *pool) { int i; for (i = 0; i < pool->size; ++i) - { ifconfig_pool_entry_free(&pool->list[i], true); - } free(pool->list); free(pool); } diff --git a/src/openvpn/pool.h b/src/openvpn/pool.h index ee91d82..c3e1190 100644 --- a/src/openvpn/pool.h +++ b/src/openvpn/pool.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef POOL_H diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c index 2cbea3a..40e0714 100644 --- a/src/openvpn/proto.c +++ b/src/openvpn/proto.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h index 57f25c9..bfcb36d 100644 --- a/src/openvpn/proto.h +++ b/src/openvpn/proto.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PROTO_H diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 7a737ea..dd327a2 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -317,7 +318,6 @@ get_proxy_authenticate(socket_descriptor_t sd, { if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received)) { - free(*data); *data = NULL; return HTTP_AUTH_NONE; } @@ -381,9 +381,7 @@ get_key_value(const char *str, /* source string */ bool escape = false; for (c = max_key_len-1; (*str && (*str != '=') && c--); ) - { *key++ = *str++; - } *key = '\0'; if ('=' != *str++) @@ -477,9 +475,7 @@ get_pa_var(const char *key, const char *pa, struct gc_arena *gc) ++content; } while (*content && isspace(*content)) - { ++content; - } } } @@ -778,8 +774,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, /* receive and discard everything else */ while (recv_line(sd, NULL, 0, 2, true, NULL, signal_received)) - { - } + ; /* now send the phase 3 reply */ @@ -875,13 +870,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p, const char *algor = get_pa_var("algorithm", pa, &gc); const char *opaque = get_pa_var("opaque", pa, &gc); - if ( !realm || !nonce ) - { - msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response " - "from server: realm= or nonce= missing" ); - goto error; - } - /* generate a client nonce */ ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw))); cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc); @@ -998,7 +986,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p, if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC) { msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled"); - free(pa); goto error; } p->auth_method = method; @@ -1054,8 +1041,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p, * start of the OpenVPN data stream (put it in lookahead). */ while (recv_line(sd, NULL, 0, 2, false, lookahead, signal_received)) - { - } + ; /* reset queried_creds so that we don't think that the next creds request is due to an auth error */ p->queried_creds = false; diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 3ce79de..c20a676 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PROXY_H diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index c2b05cd..21b12ca 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h index b8c6853..0fc1ee4 100644 --- a/src/openvpn/ps.h +++ b/src/openvpn/ps.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PS_H diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 5947a31..f515475 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -371,17 +372,15 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, /* Push cipher if client supports Negotiable Crypto Parameters */ if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled) { - /* if we have already created our key, we cannot *change* our own - * cipher -> so log the fact and push the "what we have now" cipher - * (so the client is always told what we expect it to use) + /* if we have already created our key, we cannot change our own + * cipher, so disable NCP and warn = explain why */ const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " "server has already generated data channel keys, " - "re-sending previously negotiated cipher '%s'", - o->ciphername ); + "ignoring client request" ); } else { @@ -389,8 +388,8 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, * TODO: actual negotiation, instead of server dictatorship. */ char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc); o->ciphername = strtok(push_cipher, ":"); + push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); } - push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); } else if (o->ncp_enabled) { @@ -693,8 +692,8 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) { continue; } - md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); } + md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1); } int @@ -721,11 +720,10 @@ process_incoming_push_msg(struct context *c, if (ch == ',') { struct buffer buf_orig = buf; - if (!c->c2.pulled_options_digest_init_done) + if (!c->c2.pulled_options_md5_init_done) { - c->c2.pulled_options_state = md_ctx_new(); - md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256")); - c->c2.pulled_options_digest_init_done = true; + md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5")); + c->c2.pulled_options_md5_init_done = true; } if (!c->c2.did_pre_pull_restore) { @@ -738,17 +736,15 @@ process_incoming_push_msg(struct context *c, option_types_found, c->c2.es)) { - push_update_digest(c->c2.pulled_options_state, &buf_orig, + push_update_digest(&c->c2.pulled_options_state, &buf_orig, &c->options); switch (c->options.push_continuation) { case 0: case 1: - md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); - md_ctx_cleanup(c->c2.pulled_options_state); - md_ctx_free(c->c2.pulled_options_state); - c->c2.pulled_options_state = NULL; - c->c2.pulled_options_digest_init_done = false; + md_ctx_final(&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); + md_ctx_cleanup(&c->c2.pulled_options_state); + c->c2.pulled_options_md5_init_done = false; ret = PUSH_MSG_REPLY; break; diff --git a/src/openvpn/push.h b/src/openvpn/push.h index 4d42e81..86900c8 100644 --- a/src/openvpn/push.h +++ b/src/openvpn/push.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef PUSH_H diff --git a/src/openvpn/pushlist.h b/src/openvpn/pushlist.h index 57216b2..58fc870 100644 --- a/src/openvpn/pushlist.h +++ b/src/openvpn/pushlist.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #if !defined(PUSHLIST_H) && P2MP && P2MP_SERVER diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index 93541a9..57cdd78 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -111,12 +112,10 @@ reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid) { int i; for (i = 0; i < ack->len; ++i) - { if (ack->packet_id[i] == pid) { return true; } - } return false; } @@ -243,9 +242,7 @@ reliable_ack_write(struct reliable_ack *ack, ASSERT(session_id_defined(sid)); ASSERT(session_id_write(sid, &sub)); for (i = 0, j = n; j < ack->len; ) - { ack->packet_id[i++] = ack->packet_id[j++]; - } ack->len = i; } @@ -805,7 +802,6 @@ reliable_debug_print(const struct reliable *rel, char *desc) #else /* ifdef ENABLE_CRYPTO */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h index aa34b02..455168a 100644 --- a/src/openvpn/reliable.h +++ b/src/openvpn/reliable.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ diff --git a/src/openvpn/route.c b/src/openvpn/route.c index a1811f4..ea09d71 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -985,19 +986,11 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un if (rl && rl->flags & RG_ENABLE) { - bool local = rl->flags & RG_LOCAL; - if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW)) { msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err); } - /* - * check if a default route is defined, unless: - * - we are connecting to a remote host in our network - * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6) - */ - else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local - && (rl->spec.remote_host != IPV4_INVALID_ADDR)) + else if (!(rl->rgi.flags & RGI_ADDR_DEFINED)) { msg(M_WARN, "%s Cannot read current default gateway from system", err); } @@ -1008,6 +1001,7 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un else { #ifndef TARGET_ANDROID + bool local = BOOL_CAST(rl->flags & RG_LOCAL); if (rl->flags & RG_AUTO_LOCAL) { const int tla = rl->spec.remote_host_local; @@ -1072,13 +1066,14 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un } else { - /* don't try to remove the def route if it does not exist */ - if (rl->rgi.flags & RGI_ADDR_DEFINED) - { - /* delete default route */ - del_route3(0, 0, rl->rgi.gateway.addr, tt, - flags | ROUTE_REF_GW, &rl->rgi, es); - } + /* delete default route */ + del_route3(0, + 0, + rl->rgi.gateway.addr, + tt, + flags | ROUTE_REF_GW, + &rl->rgi, + es); /* add new default route */ add_route3(0, @@ -1150,12 +1145,15 @@ undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *t flags, &rl->rgi, es); - /* restore original default route if there was any */ - if (rl->rgi.flags & RGI_ADDR_DEFINED) - { - add_route3(0, 0, rl->rgi.gateway.addr, tt, - flags | ROUTE_REF_GW, &rl->rgi, es); - } + + /* restore original default route */ + add_route3(0, + 0, + rl->rgi.gateway.addr, + tt, + flags | ROUTE_REF_GW, + &rl->rgi, + es); } } @@ -1198,15 +1196,6 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tunt if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) ) { struct route_ipv6 *r; - - if (!tt->did_ifconfig_ipv6_setup) - { - msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 " - "route over %s. However, no IPv6 has been configured for " - "this interface, therefore the route installation may " - "fail or may not work as expected.", tt->actual_name); - } - for (r = rl6->routes_ipv6; r; r = r->next) { if (flags & ROUTE_DELETE_FIRST) @@ -1292,9 +1281,7 @@ print_route_options(const struct route_option_list *rol, (rol->flags & RG_LOCAL) != 0); } for (ro = rol->routes; ro; ro = ro->next) - { print_route_option(ro, level); - } } void @@ -1388,9 +1375,7 @@ print_routes(const struct route_list *rl, int level) { struct route_ipv4 *r; for (r = rl->routes; r; r = r->next) - { print_route(r, level); - } } static void @@ -1419,9 +1404,7 @@ setenv_routes(struct env_set *es, const struct route_list *rl) int i = 1; struct route_ipv4 *r; for (r = rl->routes; r; r = r->next) - { setenv_route(es, r, i++); - } } static void @@ -1450,9 +1433,7 @@ setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6) int i = 1; struct route_ipv6 *r6; for (r6 = rl6->routes_ipv6; r6; r6 = r6->next) - { setenv_route_ipv6(es, r6, i++); - } } /* @@ -1689,7 +1670,7 @@ add_route(struct route_ipv4 *r, argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed"); -#elif defined(TARGET_FREEBSD) +#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__) argv_printf(&argv, "%s add", ROUTE_PATH); @@ -1875,7 +1856,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); -#if defined(TARGET_DARWIN) \ +#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) @@ -1893,6 +1874,14 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag } #endif + if (!tt->did_ifconfig_ipv6_setup) + { + msg( M_INFO, "add_route_ipv6(): not adding %s/%d: " + "no IPv6 address been configured on interface %s", + network, r6->netbits, device); + return; + } + msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway, r6->metric, device ); @@ -2043,7 +2032,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag argv_msg(D_ROUTE, &argv); status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed"); -#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) +#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__) argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, @@ -2227,7 +2216,7 @@ delete_route(struct route_ipv4 *r, argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed"); -#elif defined(TARGET_FREEBSD) +#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__) argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, @@ -2334,7 +2323,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned network = print_in6_addr( r6->network, 0, &gc); gateway = print_in6_addr( r6->gateway, 0, &gc); -#if defined(TARGET_DARWIN) \ +#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) @@ -2469,7 +2458,7 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned argv_msg(D_ROUTE, &argv); openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed"); -#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) +#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__) argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, @@ -2634,9 +2623,7 @@ test_routes(const struct route_list *rl, const struct tuntap *tt) { struct route_ipv4 *r; for (r = rl->routes, len = 0; r; r = r->next, ++len) - { test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway); - } if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)) { @@ -3060,10 +3047,8 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t /* In TUN mode we use a special link-local address as the next hop. * The tapdrvr knows about it and will answer neighbor discovery packets. - * (only do this for routes actually using the tun/tap device) */ - if (tt->type == DEV_TYPE_TUN - && msg.iface.index == tt->adapter_index ) + if (tt->type == DEV_TYPE_TUN) { inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6); } @@ -3514,7 +3499,8 @@ done: #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \ || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ - || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) + || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) \ + || defined(__FreeBSD_kernel__) #include <sys/types.h> #include <sys/socket.h> @@ -3596,9 +3582,6 @@ get_default_gateway(struct route_gateway_info *rgi) rtm.rtm_flags = RTF_UP | RTF_GATEWAY; rtm.rtm_version = RTM_VERSION; rtm.rtm_seq = ++seq; -#ifdef TARGET_OPENBSD - rtm.rtm_tableid = getrtable(); -#endif rtm.rtm_addrs = rtm_addrs; so_dst.sa_family = AF_INET; @@ -3626,8 +3609,7 @@ get_default_gateway(struct route_gateway_info *rgi) msg(M_WARN, "GDG: problem writing to routing socket"); goto done; } - do - { + do { l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg)); } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid)); close(sockfd); @@ -3814,9 +3796,6 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, rtm.rtm_flags = RTF_UP; rtm.rtm_version = RTM_VERSION; rtm.rtm_seq = ++seq; -#ifdef TARGET_OPENBSD - rtm.rtm_tableid = getrtable(); -#endif so_dst.sin6_family = AF_INET6; so_mask.sin6_family = AF_INET6; diff --git a/src/openvpn/route.h b/src/openvpn/route.h index 6414d6c..03ee8cd 100644 --- a/src/openvpn/route.h +++ b/src/openvpn/route.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -353,8 +354,7 @@ bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt); #else /* ifdef _WIN32 */ static inline bool -test_routes(const struct route_list *rl, const struct tuntap *tt) -{ +test_routes(const struct route_list *rl, const struct tuntap *tt) { return true; } #endif diff --git a/src/openvpn/schedule.c b/src/openvpn/schedule.c index b1ba5d4..610bfa4 100644 --- a/src/openvpn/schedule.c +++ b/src/openvpn/schedule.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -376,9 +377,7 @@ schedule_add_modify(struct schedule *s, struct schedule_entry *e) * keeps the tree balanced. Move the node up the tree until * its own priority is greater than that of its parent */ while (e->parent && e->parent->pri > e->pri) - { schedule_rotate_up(s, e); - } } /* @@ -624,9 +623,7 @@ schedule_print_work(struct schedule_entry *e, int indent) struct gc_arena gc = gc_new(); int i; for (i = 0; i < indent; ++i) - { printf(" "); - } if (e) { printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n", diff --git a/src/openvpn/schedule.h b/src/openvpn/schedule.h index e6c1b7e..f2a6813 100644 --- a/src/openvpn/schedule.h +++ b/src/openvpn/schedule.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef SCHEDULE_H diff --git a/src/openvpn/session_id.c b/src/openvpn/session_id.c index dce42e7..b23f0f4 100644 --- a/src/openvpn/session_id.c +++ b/src/openvpn/session_id.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -63,7 +64,6 @@ session_id_print(const struct session_id *sid, struct gc_arena *gc) #else /* ifdef ENABLE_CRYPTO */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/session_id.h b/src/openvpn/session_id.h index 6611a3c..2b0ceb8 100644 --- a/src/openvpn/session_id.h +++ b/src/openvpn/session_id.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c index 19dd54d..eb459ef 100644 --- a/src/openvpn/shaper.c +++ b/src/openvpn/shaper.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -97,7 +98,6 @@ shaper_msg(struct shaper *s) #else /* ifdef ENABLE_FEATURE_SHAPER */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_FEATURE_SHAPER */ diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h index 6fac16d..d97221a 100644 --- a/src/openvpn/shaper.h +++ b/src/openvpn/shaper.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef SHAPER_H diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c index 87cef71..9f4841a 100644 --- a/src/openvpn/sig.c +++ b/src/openvpn/sig.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/sig.h b/src/openvpn/sig.h index 7c41070..5783731 100644 --- a/src/openvpn/sig.h +++ b/src/openvpn/sig.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef SIG_H diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 4e7e3f9..ae12832 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -204,9 +205,7 @@ do_preresolve_host(struct context *c, { struct cached_dns_entry *prev = c->c1.dns_cache; while (prev->next) - { prev = prev->next; - } prev->next = ph; } @@ -337,6 +336,20 @@ openvpn_getaddrinfo(unsigned int flags, ASSERT(hostname || servname); ASSERT(!(flags & GETADDR_HOST_ORDER)); + if (hostname && (flags & GETADDR_RANDOMIZE)) + { + hostname = hostname_randomize(hostname, &gc); + } + + if (hostname) + { + print_hostname = hostname; + } + else + { + print_hostname = "undefined"; + } + if (servname) { print_servname = servname; @@ -387,20 +400,6 @@ openvpn_getaddrinfo(unsigned int flags, const char *fmt; int level = 0; - if (hostname && (flags & GETADDR_RANDOMIZE)) - { - hostname = hostname_randomize(hostname, &gc); - } - - if (hostname) - { - print_hostname = hostname; - } - else - { - print_hostname = "undefined"; - } - fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)"; if ((flags & GETADDR_MENTION_RESOLVE_RETRY) && !resolve_retry_seconds) @@ -511,10 +510,6 @@ openvpn_getaddrinfo(unsigned int flags, else { /* IP address parse succeeded */ - if (flags & GETADDR_RANDOMIZE) - { - msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the hostname is an IP address"); - } } done: @@ -1149,7 +1144,7 @@ tcp_connection_established(const struct link_socket_actual *act) gc_free(&gc); } -static socket_descriptor_t +static int socket_listen_accept(socket_descriptor_t sd, struct link_socket_actual *act, const char *remote_dynamic, @@ -1161,7 +1156,7 @@ socket_listen_accept(socket_descriptor_t sd, struct gc_arena gc = gc_new(); /* struct openvpn_sockaddr *remote = &act->dest; */ struct openvpn_sockaddr remote_verify = act->dest; - socket_descriptor_t new_sd = SOCKET_UNDEFINED; + int new_sd = SOCKET_UNDEFINED; CLEAR(*act); socket_do_listen(sd, local, do_listen, true); @@ -2013,8 +2008,7 @@ static void phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info) { bool proxy_retry = false; - do - { + do { socket_connect(&sock->sd, sock->info.lsa->current_remote->ai_addr, get_server_poll_remaining_time(sock->server_poll_timeout), @@ -2370,8 +2364,7 @@ link_socket_bad_incoming_addr(struct buffer *buf, (int)from_addr->dest.addr.sa.sa_family, print_sockaddr_ex(info->lsa->remote_list->ai_addr,":",PS_SHOW_PORT, &gc)); /* print additional remote addresses */ - for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) - { + for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) { msg(D_LINK_ERRORS,"or from peer address: %s", print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc)); } @@ -3060,12 +3053,10 @@ ascii2proto(const char *proto_name) { int i; for (i = 0; i < SIZE(proto_names); ++i) - { if (!strcmp(proto_name, proto_names[i].short_form)) { return proto_names[i].proto; } - } return -1; } @@ -3074,12 +3065,10 @@ ascii2af(const char *proto_name) { int i; for (i = 0; i < SIZE(proto_names); ++i) - { if (!strcmp(proto_name, proto_names[i].short_form)) { return proto_names[i].proto_af; } - } return 0; } diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 2d7f218..63e601e 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef SOCKET_H @@ -622,8 +623,7 @@ addr_defined(const struct openvpn_sockaddr *addr) { return 0; } - switch (addr->addr.sa.sa_family) - { + switch (addr->addr.sa.sa_family) { case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0; case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr); @@ -639,8 +639,7 @@ addr_local(const struct sockaddr *addr) { return false; } - switch (addr->sa_family) - { + switch (addr->sa_family) { case AF_INET: return ((const struct sockaddr_in *)addr)->sin_addr.s_addr == htonl(INADDR_LOOPBACK); @@ -661,8 +660,7 @@ addr_defined_ipi(const struct link_socket_actual *lsa) { return 0; } - switch (lsa->dest.addr.sa.sa_family) - { + switch (lsa->dest.addr.sa.sa_family) { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0; @@ -689,8 +687,7 @@ link_socket_actual_defined(const struct link_socket_actual *act) static inline bool addr_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { - switch (a1->addr.sa.sa_family) - { + switch (a1->addr.sa.sa_family) { case AF_INET: return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr; @@ -784,8 +781,7 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2 static inline bool addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2) { - switch (a1->addr.sa.sa_family) - { + switch (a1->addr.sa.sa_family) { case AF_INET: return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr && a1->addr.in4.sin_port == a2->addr.in4.sin_port; @@ -822,8 +818,7 @@ addrlist_match_proto(const struct openvpn_sockaddr *a1, static inline void addr_zero_host(struct openvpn_sockaddr *addr) { - switch (addr->addr.sa.sa_family) - { + switch (addr->addr.sa.sa_family) { case AF_INET: addr->addr.in4.sin_addr.s_addr = 0; break; @@ -851,8 +846,7 @@ int addr_guess_family(sa_family_t af,const char *name); static inline int af_addr_size(sa_family_t af) { - switch (af) - { + switch (af) { case AF_INET: return sizeof(struct sockaddr_in); case AF_INET6: return sizeof(struct sockaddr_in6); @@ -925,8 +919,7 @@ link_socket_verify_incoming_addr(struct buffer *buf, { if (buf->len > 0) { - switch (from_addr->dest.addr.sa.sa_family) - { + switch (from_addr->dest.addr.sa.sa_family) { case AF_INET6: case AF_INET: if (!link_socket_actual_defined(from_addr)) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 92747ec..b50cac3 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h index 39b96c5..17e75e1 100644 --- a/src/openvpn/socks.h +++ b/src/openvpn/socks.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 15cd94a..d94a421 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -268,12 +269,10 @@ static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len); const tls_cipher_name_pair * -tls_get_cipher_name_pair(const char *cipher_name, size_t len) -{ +tls_get_cipher_name_pair(const char *cipher_name, size_t len) { const tls_cipher_name_pair *pair = tls_cipher_name_translation_table; - while (pair->openssl_name != NULL) - { + while (pair->openssl_name != NULL) { if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len)) || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len))) { @@ -451,8 +450,6 @@ ssl_set_auth_nocache(void) { passbuf.nocache = true; auth_user_pass.nocache = true; - /* wait for push-reply, because auth-token may invert nocache */ - auth_user_pass.wait_for_push = true; } /* @@ -461,14 +458,6 @@ ssl_set_auth_nocache(void) void ssl_set_auth_token(const char *token) { - if (auth_user_pass.nocache) - { - msg(M_INFO, - "auth-token received, disabling auth-nocache for the " - "authentication token"); - auth_user_pass.nocache = false; - } - set_auth_token(&auth_user_pass, token); } @@ -580,12 +569,12 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, * Note: Windows does not support tv_nsec. */ if ((ssl_ctx->crl_last_size == crl_stat.st_size) - && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime)) + && (ssl_ctx->crl_last_mtime.tv_sec == crl_stat.st_mtime)) { return; } - ssl_ctx->crl_last_mtime = crl_stat.st_mtime; + ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime; ssl_ctx->crl_last_size = crl_stat.st_size; backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline); } @@ -1072,9 +1061,7 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session) /* Randomize session # if it is 0 */ while (!session_id_defined(&session->session_id)) - { session_id_random(&session->session_id); - } /* Are we a TLS server or client? */ ASSERT(session->opt->key_method >= 1); @@ -1136,9 +1123,7 @@ tls_session_free(struct tls_session *session, bool clear) free_buf(&session->tls_wrap.work); for (i = 0; i < KS_SIZE; ++i) - { key_state_free(&session->key[i], false); - } if (session->common_name) { @@ -1195,8 +1180,7 @@ reset_session(struct tls_multi *multi, struct tls_session *session) * called again. */ static inline void -compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) -{ +compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) { if (seconds_from_now < *earliest) { *earliest = seconds_from_now; @@ -1366,9 +1350,7 @@ tls_multi_free(struct tls_multi *multi, bool clear) free(multi->remote_ciphername); for (i = 0; i < TM_SIZE; ++i) - { tls_session_free(&multi->session[i], false); - } if (clear) { @@ -1616,8 +1598,8 @@ tls1_P_hash(const md_kt_t *md_kt, { struct gc_arena gc = gc_new(); int chunk; - hmac_ctx_t *ctx; - hmac_ctx_t *ctx_tmp; + hmac_ctx_t ctx; + hmac_ctx_t ctx_tmp; uint8_t A1[MAX_HMAC_KEY_LENGTH]; unsigned int A1_len; @@ -1626,8 +1608,8 @@ tls1_P_hash(const md_kt_t *md_kt, const uint8_t *out_orig = out; #endif - ctx = hmac_ctx_new(); - ctx_tmp = hmac_ctx_new(); + CLEAR(ctx); + CLEAR(ctx_tmp); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc)); @@ -1635,38 +1617,36 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); - hmac_ctx_init(ctx, sec, sec_len, md_kt); - hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); + hmac_ctx_init(&ctx, sec, sec_len, md_kt); + hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt); - hmac_ctx_update(ctx,seed,seed_len); - hmac_ctx_final(ctx, A1); + hmac_ctx_update(&ctx,seed,seed_len); + hmac_ctx_final(&ctx, A1); for (;; ) { - hmac_ctx_reset(ctx); - hmac_ctx_reset(ctx_tmp); - hmac_ctx_update(ctx,A1,A1_len); - hmac_ctx_update(ctx_tmp,A1,A1_len); - hmac_ctx_update(ctx,seed,seed_len); + hmac_ctx_reset(&ctx); + hmac_ctx_reset(&ctx_tmp); + hmac_ctx_update(&ctx,A1,A1_len); + hmac_ctx_update(&ctx_tmp,A1,A1_len); + hmac_ctx_update(&ctx,seed,seed_len); if (olen > chunk) { - hmac_ctx_final(ctx, out); + hmac_ctx_final(&ctx, out); out += chunk; olen -= chunk; - hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */ + hmac_ctx_final(&ctx_tmp, A1); /* calc the next A1 value */ } else /* last one */ { - hmac_ctx_final(ctx, A1); + hmac_ctx_final(&ctx, A1); memcpy(out,A1,olen); break; } } - hmac_ctx_cleanup(ctx); - hmac_ctx_free(ctx); - hmac_ctx_cleanup(ctx_tmp); - hmac_ctx_free(ctx_tmp); + hmac_ctx_cleanup(&ctx); + hmac_ctx_cleanup(&ctx_tmp); secure_memzero(A1, sizeof(A1)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc)); @@ -1718,9 +1698,7 @@ tls1_PRF(const uint8_t *label, tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); for (i = 0; i<olen; i++) - { out1[i] ^= out2[i]; - } secure_memzero(out2, olen); @@ -1870,8 +1848,7 @@ exit: } static void -key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) -{ +key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) { const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */ @@ -1970,12 +1947,6 @@ tls_session_update_crypto_params(struct tls_session *session, return false; } - if (strcmp(options->ciphername, session->opt->config_ciphername)) - { - msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'", - options->ciphername); - } - init_key_type(&session->opt->key_type, options->ciphername, options->authname, options->keysize, true, true); @@ -2269,7 +2240,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf(&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) buf_printf(&out, "IV_PLAT=netbsd\n"); -#elif defined(TARGET_FREEBSD) +#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__) buf_printf(&out, "IV_PLAT=freebsd\n"); #elif defined(TARGET_ANDROID) buf_printf(&out, "IV_PLAT=android\n"); @@ -2393,21 +2364,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) { goto error; } - /* if auth-nocache was specified, the auth_user_pass object reaches - * a "complete" state only after having received the push-reply - * message. - * This is the case because auth-token statement in a push-reply would - * invert its nocache. - * - * For this reason, skip the purge operation here if no push-reply - * message has been received yet. - * - * This normally happens upon first negotiation only. - */ - if (!auth_user_pass.wait_for_push) - { - purge_user_pass(&auth_user_pass, false); - } + purge_user_pass(&auth_user_pass, false); } else { @@ -2523,7 +2480,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio struct gc_arena gc = gc_new(); char *options; - struct user_pass *up = NULL; + struct user_pass *up; /* allocate temporary objects */ ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc); @@ -2685,10 +2642,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio error: secure_memzero(ks->key_src, sizeof(*ks->key_src)); - if (up) - { - secure_memzero(up, sizeof(*up)); - } buf_clear(buf); gc_free(&gc); return false; @@ -2850,9 +2803,6 @@ tls_process(struct tls_multi *multi, session->opt->crl_file, session->opt->crl_file_inline); } - /* New connection, remove any old X509 env variables */ - tls_x509_clear_env(session->opt->es); - dmsg(D_TLS_DEBUG_MED, "STATE S_START"); } @@ -4106,8 +4056,7 @@ tls_peer_info_ncp_ver(const char *peer_info) } bool -tls_check_ncp_cipher_list(const char *list) -{ +tls_check_ncp_cipher_list(const char *list) { bool unsupported_cipher_found = false; ASSERT(list); @@ -4250,16 +4199,8 @@ done: return BSTR(&out); } -void -delayed_auth_pass_purge(void) -{ - auth_user_pass.wait_for_push = false; - purge_user_pass(&auth_user_pass, false); -} - #else /* if defined(ENABLE_CRYPTO) */ static void -dummy(void) -{ +dummy(void) { } #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 56ea601..03688ca 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -598,8 +599,6 @@ void extract_x509_field_test(void); */ bool is_hard_reset(int op, int key_method); -void delayed_auth_pass_purge(void); - #endif /* ENABLE_CRYPTO */ #endif /* ifndef OPENVPN_SSL_H */ diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index a738f0f..206400f 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 25bffd5..9a16d77 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -270,7 +271,6 @@ struct tls_options unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; uint8_t *verify_hash; - hash_algo_type verify_hash_algo; char *x509_username_field; /* allow openvpn config info to be diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ef583e6..5c84e30 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -18,9 +18,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -184,8 +185,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) } static const char * -tls_translate_cipher_name(const char *cipher_name) -{ +tls_translate_cipher_name(const char *cipher_name) { const tls_cipher_name_pair *pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name)); if (NULL == pair) @@ -222,12 +222,10 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) /* Get number of ciphers */ for (i = 0, cipher_count = 1; i < ciphers_len; i++) - { if (ciphers[i] == ':') { cipher_count++; } - } /* Allocate an array for them */ ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1) @@ -835,8 +833,7 @@ tls_version_max(void) * Must be a valid pointer. */ static void -tls_version_to_major_minor(int tls_ver, int *major, int *minor) -{ +tls_version_to_major_minor(int tls_ver, int *major, int *minor) { ASSERT(major); ASSERT(minor); diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index f69b610..1bc53ce 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -73,7 +74,7 @@ struct tls_root_ctx { mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ mbedtls_pk_context *priv_key; /**< Local private key */ mbedtls_x509_crl *crl; /**< Certificate Revocation List */ - time_t crl_last_mtime; /**< CRL last modification time */ + struct timespec crl_last_mtime; /**< CRL last modification time */ off_t crl_last_size; /**< size of last loaded CRL */ #if defined(ENABLE_PKCS11) mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index e589dcd..eae1e22 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -44,7 +45,6 @@ #include "ssl_backend.h" #include "ssl_common.h" #include "base64.h" -#include "openssl_compat.h" #ifdef ENABLE_CRYPTOAPI #include "cryptoapi.h" @@ -321,8 +321,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) /* Translate IANA cipher suite names to OpenSSL names */ begin_of_cipher = end_of_cipher = 0; - for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) - { + for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); @@ -354,8 +353,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } /* Make sure new cipher name fits in cipher string */ - if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len - || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len)) + if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) { msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", @@ -509,18 +507,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - pkey = SSL_CTX_get0_privatekey(ctx->ctx); -#else /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ - SSL *ssl = SSL_new(ctx->ctx); - if (!ssl) - { - crypto_msg(M_FATAL, "SSL_new failed"); - } - pkey = SSL_get_privatekey(ssl); - SSL_free(ssl); -#endif + SSL ssl; + ssl.cert = ctx->ctx->cert; + pkey = SSL_get_privatekey(&ssl); msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); @@ -659,8 +649,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, { for (i = 0; i < sk_X509_num(ca); i++) { - X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx); - if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i))) + if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i))) { crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)"); } @@ -762,9 +751,8 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx, goto end; } - x = PEM_read_bio_X509(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), - SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); + x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback, + ctx->ctx->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB); @@ -846,8 +834,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, } pkey = PEM_read_bio_PrivateKey(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), - SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); + ssl_ctx->default_passwd_callback, + ssl_ctx->default_passwd_callback_userdata); if (!pkey) { goto end; @@ -900,15 +888,15 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, /* Always start with a cleared CRL list, for that we * we need to manually find the CRL object from the stack * and remove it */ - STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); - for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) + for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { - X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); + X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); ASSERT(obj); - if (X509_OBJECT_get_type(obj) == X509_LU_CRL) + if (obj->type == X509_LU_CRL) { - sk_X509_OBJECT_delete(objs, i); - X509_OBJECT_free(obj); + sk_X509_OBJECT_delete(store->objs, i); + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); } } @@ -976,13 +964,10 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i /* called at RSA_free */ static int -openvpn_extkey_rsa_finish(RSA *rsa) +rsa_finish(RSA *rsa) { - /* meth was allocated in tls_ctx_use_external_private_key() ; since - * this function is called when the parent RSA object is destroyed, - * it is no longer used after this point so kill it. */ - const RSA_METHOD *meth = RSA_get_method(rsa); - RSA_meth_free((RSA_METHOD *)meth); + free((void *)rsa->meth); + rsa->meth = NULL; return 1; } @@ -998,7 +983,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i if (padding != RSA_PKCS1_PADDING) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); goto done; } @@ -1056,16 +1041,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, ASSERT(NULL != cert); /* allocate custom RSA method object */ - rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", - RSA_METHOD_FLAG_NO_CHECK); - check_malloc_return(rsa_meth); - RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc); - RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec); - RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc); - RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec); - RSA_meth_set_init(rsa_meth, NULL); - RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish); - RSA_meth_set0_app_data(rsa_meth, NULL); + ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD); + rsa_meth->name = "OpenVPN external private key RSA Method"; + rsa_meth->rsa_pub_enc = rsa_pub_enc; + rsa_meth->rsa_pub_dec = rsa_pub_dec; + rsa_meth->rsa_priv_enc = rsa_priv_enc; + rsa_meth->rsa_priv_dec = rsa_priv_dec; + rsa_meth->init = NULL; + rsa_meth->finish = rsa_finish; + rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK; + rsa_meth->app_data = NULL; /* allocate RSA object */ rsa = RSA_new(); @@ -1076,16 +1061,12 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, } /* get the public key */ - EVP_PKEY *pkey = X509_get0_pubkey(cert); - ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ - pub_rsa = EVP_PKEY_get0_RSA(pkey); + ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */ + pub_rsa = cert->cert_info->key->pkey->pkey.rsa; /* initialize RSA object */ - const BIGNUM *n = NULL; - const BIGNUM *e = NULL; - RSA_get0_key(pub_rsa, &n, &e, NULL); - RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL); - RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); + rsa->n = BN_dup(pub_rsa->n); + rsa->flags |= RSA_FLAG_EXT_PKEY; if (!RSA_set_method(rsa, rsa_meth)) { goto err; @@ -1686,17 +1667,17 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey != NULL) { - if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL) + if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL + && pkey->pkey.rsa->n != NULL) { - RSA *rsa = EVP_PKEY_get0_RSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", - RSA_bits(rsa)); + BN_num_bits(pkey->pkey.rsa->n)); } - else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL) + else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL + && pkey->pkey.dsa->p != NULL) { - DSA *dsa = EVP_PKEY_get0_DSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA", - DSA_bits(dsa)); + BN_num_bits(pkey->pkey.dsa->p)); } EVP_PKEY_free(pkey); } diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index db4e1da..c64c65f 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -48,7 +49,7 @@ */ struct tls_root_ctx { SSL_CTX *ctx; - time_t crl_last_mtime; + struct timespec crl_last_mtime; off_t crl_last_size; }; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 9cd36d7..c553484 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -273,9 +274,7 @@ cert_hash_free(struct cert_hash_set *chs) { int i; for (i = 0; i < MAX_CERT_DEPTH; ++i) - { free(chs->ch[i]); - } free(chs); } } @@ -717,31 +716,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* verify level 1 cert, i.e. the CA that signed our leaf cert */ if (cert_depth == 1 && opt->verify_hash) { - struct buffer ca_hash = {0}; - - switch (opt->verify_hash_algo) - { - case MD_SHA1: - ca_hash = x509_get_sha1_fingerprint(cert, &gc); - break; - - case MD_SHA256: - ca_hash = x509_get_sha256_fingerprint(cert, &gc); - break; - - default: - /* This should normally not happen at all; the algorithm used - * is parsed by add_option() [options.c] and set to a predefined - * value in an enumerated type. So if this unlikely scenario - * happens, consider this a failure - */ - msg(M_WARN, "Unexpected invalid algorithm used with " - "--verify-hash (%i)", opt->verify_hash_algo); - ret = FAILURE; - goto cleanup; - } - - if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash))) + struct buffer sha1_hash = x509_get_sha1_fingerprint(cert, &gc); + if (memcmp(BPTR(&sha1_hash), opt->verify_hash, BLEN(&sha1_hash))) { msg(D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); goto cleanup; @@ -1515,21 +1491,4 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } } - -void -tls_x509_clear_env(struct env_set *es) -{ - struct env_item *item = es->list; - while (item) - { - struct env_item *next = item->next; - if (item->string - && 0 == strncmp("X509_", item->string, strlen("X509_"))) - { - env_set_del(es, item->string); - } - item = next; - } -} - #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index f2d0d6c..ffab218 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -217,9 +218,6 @@ struct x509_track /** Do not perform Netscape certificate type verification */ #define NS_CERT_CHECK_CLIENT (1<<1) -/** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */ -#define OPENVPN_KU_REQUIRED (0xFFFF) - /* * TODO: document */ @@ -240,9 +238,6 @@ tls_client_reason(struct tls_multi *multi) #endif } -/** Remove any X509_ env variables from env_set es */ -void tls_x509_clear_env(struct env_set *es); - #endif /* ENABLE_CRYPTO */ #endif /* SSL_VERIFY_H_ */ diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index e8eaabe..c4330ba 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -124,14 +125,6 @@ struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert, result_t backend_x509_get_username(char *common_name, int cn_len, char *x509_username_field, openvpn_x509_cert_t *peer_cert); -#ifdef ENABLE_X509ALTUSERNAME -/** - * Return true iff the supplied extension field is supported by the - * --x509-username-field option. - */ -bool x509_username_field_ext_supported(const char *extname); -#endif - /* * Return the certificate's serial number in decimal string representation. * @@ -218,7 +211,7 @@ void x509_setenv_track(const struct x509_track *xt, struct env_set *es, * the expected bit set. \c FAILURE if the certificate does * not have NS cert type verification or the wrong bit set. */ -result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage); +result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage); /* * Verify X.509 key usage extension field. diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 838c217..f01569f 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -208,7 +209,7 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, { const size_t md_size = mbedtls_md_get_size(md_info); struct buffer fingerprint = alloc_buf_gc(md_size, gc); - mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint)); + mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR(&fingerprint)); ASSERT(buf_inc_len(&fingerprint, md_size)); return fingerprint; } @@ -267,21 +268,11 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) size_t i; char *val; - if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING - || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING - || orig->tag == MBEDTLS_ASN1_IA5_STRING)) - { - /* Only support C-string compatible types */ - return string_alloc("ERROR: unsupported ASN.1 string type", gc); - } - for (i = 0; i < orig->len; ++i) - { if (orig->p[i] == '\0') { - return string_alloc("ERROR: embedded null value", gc); + return "ERROR: embedded null value"; } - } val = gc_malloc(orig->len+1, false, gc); memcpy(val, orig->p, orig->len); val[orig->len] = '\0'; @@ -418,7 +409,7 @@ x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) } result_t -x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage) +x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) { @@ -444,42 +435,32 @@ result_t x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len) { - msg(D_HANDSHAKE, "Validating certificate key usage"); + result_t fFound = FAILURE; if (!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE)) { - msg(D_TLS_ERRORS, - "ERROR: Certificate does not have key usage extension"); - return FAILURE; + msg(D_HANDSHAKE, "Certificate does not have key usage extension"); } - - if (expected_ku[0] == OPENVPN_KU_REQUIRED) + else { - /* Extension required, value checked by TLS library */ - return SUCCESS; - } + int i; + unsigned nku = cert->key_usage; - result_t fFound = FAILURE; - for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++) - { - if (expected_ku[i] != 0 - && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i])) + msg(D_HANDSHAKE, "Validating certificate key usage"); + for (i = 0; SUCCESS != fFound && i<expected_len; i++) { - fFound = SUCCESS; - } - } + if (expected_ku[i] != 0) + { + msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects " + "%04x", nku, expected_ku[i]); - if (fFound != SUCCESS) - { - msg(D_TLS_ERRORS, - "ERROR: Certificate has key usage %04x, expected one of:", - cert->key_usage); - for (size_t i = 0; i < expected_len && expected_ku[i]; i++) - { - msg(D_TLS_ERRORS, " * %04x", expected_ku[i]); + if (nku == expected_ku[i]) + { + fFound = SUCCESS; + } + } } } - return fFound; } diff --git a/src/openvpn/ssl_verify_mbedtls.h b/src/openvpn/ssl_verify_mbedtls.h index 8b0a5ae..3c71073 100644 --- a/src/openvpn/ssl_verify_mbedtls.h +++ b/src/openvpn/ssl_verify_mbedtls.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 468b495..e9692a0 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -42,7 +43,6 @@ #include "ssl_openssl.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" -#include "openssl_compat.h" #include <openssl/x509v3.h> #include <openssl/err.h> @@ -61,15 +61,14 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index); ASSERT(session); - X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); - struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc); - cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); + struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc); + cert_hash_remember(session, ctx->error_depth, &cert_hash); /* did peer present cert which was signed by our root cert? */ if (!preverify_ok) { /* get the X509 name */ - char *subject = x509_get_subject(current_cert, &gc); + char *subject = x509_get_subject(ctx->current_cert, &gc); if (!subject) { @@ -77,11 +76,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) } /* Log and ignore missing CRL errors */ - if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) + if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) { msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s", - X509_STORE_CTX_get_error_depth(ctx), - X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), + ctx->error_depth, + X509_verify_cert_error_string(ctx->error), subject); ret = 1; goto cleanup; @@ -89,8 +88,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* Remote site specified a certificate, but it's not correct */ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s", - X509_STORE_CTX_get_error_depth(ctx), - X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), + ctx->error_depth, + X509_verify_cert_error_string(ctx->error), subject); ERR_clear_error(); @@ -99,7 +98,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) goto cleanup; } - if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx))) + if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth)) { goto cleanup; } @@ -113,29 +112,16 @@ cleanup: } #ifdef ENABLE_X509ALTUSERNAME -bool x509_username_field_ext_supported(const char *fieldname) -{ - int nid = OBJ_txt2nid(fieldname); - return nid == NID_subject_alt_name || nid == NID_issuer_alt_name; -} - static bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) { bool retval = false; char *buf = 0; - - if (!x509_username_field_ext_supported(fieldname)) - { - msg(D_TLS_ERRORS, - "ERROR: --x509-alt-username field 'ext:%s' not supported", - fieldname); - return false; - } - + GENERAL_NAMES *extensions; int nid = OBJ_txt2nid(fieldname); - GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL); + + extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL); if (extensions) { int numalts; @@ -156,10 +142,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) switch (name->type) { case GEN_EMAIL: - if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0) - { - continue; - } + ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5); if (strlen(buf) != name->d.ia5->length) { msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero"); @@ -179,7 +162,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) break; } } - GENERAL_NAMES_free(extensions); + sk_GENERAL_NAME_free(extensions); } return retval; } @@ -206,24 +189,15 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, X509_NAME_ENTRY *x509ne = 0; ASN1_STRING *asn1 = 0; unsigned char *buf = NULL; - ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0); - - if (field_name_obj == NULL) - { - msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name); - return FAILURE; - } + int nid = OBJ_txt2nid(field_name); ASSERT(size > 0); *out = '\0'; - do - { + do { lastpos = tmp; - tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos); + tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos); } while (tmp > -1); - ASN1_OBJECT_free(field_name_obj); - /* Nothing found */ if (lastpos == -1) { @@ -241,7 +215,8 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out, { return FAILURE; } - if (ASN1_STRING_to_UTF8(&buf, asn1) < 0) + tmp = ASN1_STRING_to_UTF8(&buf, asn1); + if (tmp <= 0) { return FAILURE; } @@ -308,20 +283,18 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc) struct buffer x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc) { - const EVP_MD *sha1 = EVP_sha1(); - struct buffer hash = alloc_buf_gc(EVP_MD_size(sha1), gc); - X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL); - ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1))); + struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc); + memcpy(BPTR(&hash), cert->sha1_hash, sizeof(cert->sha1_hash)); + ASSERT(buf_inc_len(&hash, sizeof(cert->sha1_hash))); return hash; } struct buffer x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc) { - const EVP_MD *sha256 = EVP_sha256(); - struct buffer hash = alloc_buf_gc(EVP_MD_size(sha256), gc); + struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc); X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL); - ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256))); + ASSERT(buf_inc_len(&hash, (EVP_sha256())->md_size)); return hash; } @@ -331,6 +304,7 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO *subject_bio = NULL; BUF_MEM *subject_mem; char *subject = NULL; + int maxlen = 0; /* * Generate the subject string in OpenSSL proprietary format, @@ -361,10 +335,11 @@ x509_get_subject(X509 *cert, struct gc_arena *gc) BIO_get_mem_ptr(subject_bio, &subject_mem); - subject = gc_malloc(subject_mem->length + 1, false, gc); + maxlen = subject_mem->length + 1; + subject = gc_malloc(maxlen, false, gc); - memcpy(subject, subject_mem->data, subject_mem->length); - subject[subject_mem->length] = '\0'; + memcpy(subject, subject_mem->data, maxlen); + subject[maxlen - 1] = '\0'; err: if (subject_bio) @@ -482,7 +457,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); unsigned char *buf; buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ - if (ASN1_STRING_to_UTF8(&buf, val) >= 0) + if (ASN1_STRING_to_UTF8(&buf, val) > 0) { do_setenv_x509(es, xt->name, (char *)buf, depth); OPENSSL_free(buf); @@ -570,7 +545,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) continue; } buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ - if (ASN1_STRING_to_UTF8(&buf, val) < 0) + if (ASN1_STRING_to_UTF8(&buf, val) <= 0) { continue; } @@ -588,7 +563,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert) } result_t -x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) +x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) { @@ -596,59 +571,13 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) } if (usage == NS_CERT_CHECK_CLIENT) { - /* - * Unfortunately, X509_check_purpose() does some weird thing that - * prevent it to take a const argument - */ - result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? - SUCCESS : FAILURE; - - /* - * old versions of OpenSSL allow us to make the less strict check we used to - * do. If this less strict check pass, warn user that this might not be the - * case when its distribution will update to OpenSSL 1.1 - */ - if (result == FAILURE) - { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; - if (result == SUCCESS) - { - msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " - "cannot be verified (check may fail in the future)"); - } - ASN1_BIT_STRING_free(ns); - } - return result; + return ((peer_cert->ex_flags & EXFLAG_NSCERT) + && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; } if (usage == NS_CERT_CHECK_SERVER) { - /* - * Unfortunately, X509_check_purpose() does some weird thing that - * prevent it to take a const argument - */ - result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? - SUCCESS : FAILURE; - - /* - * old versions of OpenSSL allow us to make the less strict check we used to - * do. If this less strict check pass, warn user that this might not be the - * case when its distribution will update to OpenSSL 1.1 - */ - if (result == FAILURE) - { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); - result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; - if (result == SUCCESS) - { - msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose " - "cannot be verified (check may fail in the future)"); - } - ASN1_BIT_STRING_free(ns); - } - return result; + return ((peer_cert->ex_flags & EXFLAG_NSCERT) + && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS : FAILURE; } return FAILURE; @@ -658,59 +587,54 @@ result_t x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len) { - ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL); - - if (ku == NULL) - { - msg(D_TLS_ERRORS, "Certificate does not have key usage extension"); - return FAILURE; - } + ASN1_BIT_STRING *ku = NULL; + result_t fFound = FAILURE; - if (expected_ku[0] == OPENVPN_KU_REQUIRED) + if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i(x509, NID_key_usage, NULL, + NULL)) == NULL) { - /* Extension required, value checked by TLS library */ - ASN1_BIT_STRING_free(ku); - return SUCCESS; + msg(D_HANDSHAKE, "Certificate does not have key usage extension"); } - - unsigned nku = 0; - for (size_t i = 0; i < 8; i++) + else { - if (ASN1_BIT_STRING_get_bit(ku, i)) + unsigned nku = 0; + int i; + for (i = 0; i < 8; i++) { - nku |= 1 << (7 - i); + if (ASN1_BIT_STRING_get_bit(ku, i)) + { + nku |= 1 << (7 - i); + } } - } - - /* - * Fixup if no LSB bits - */ - if ((nku & 0xff) == 0) - { - nku >>= 8; - } - msg(D_HANDSHAKE, "Validating certificate key usage"); - result_t fFound = FAILURE; - for (size_t i = 0; fFound != SUCCESS && i < expected_len; i++) - { - if (expected_ku[i] != 0 && (nku & expected_ku[i]) == expected_ku[i]) + /* + * Fixup if no LSB bits + */ + if ((nku & 0xff) == 0) { - fFound = SUCCESS; + nku >>= 8; } - } - if (fFound != SUCCESS) - { - msg(D_TLS_ERRORS, - "ERROR: Certificate has key usage %04x, expected one of:", nku); - for (size_t i = 0; i < expected_len && expected_ku[i]; i++) + msg(D_HANDSHAKE, "Validating certificate key usage"); + for (i = 0; fFound != SUCCESS && i < expected_len; i++) { - msg(D_TLS_ERRORS, " * %04x", expected_ku[i]); + if (expected_ku[i] != 0) + { + msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects " + "%04x", nku, expected_ku[i]); + + if (nku == expected_ku[i]) + { + fFound = SUCCESS; + } + } } } - ASN1_BIT_STRING_free(ku); + if (ku != NULL) + { + ASN1_BIT_STRING_free(ku); + } return fFound; } @@ -790,12 +714,11 @@ tls_verify_crl_missing(const struct tls_options *opt) crypto_msg(M_FATAL, "Cannot get certificate store"); } - STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); - for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) + for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { - X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); + X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); ASSERT(obj); - if (X509_OBJECT_get_type(obj) == X509_LU_CRL) + if (obj->type == X509_LU_CRL) { return false; } diff --git a/src/openvpn/ssl_verify_openssl.h b/src/openvpn/ssl_verify_openssl.h index 4c8dbeb..1db6fe6 100644 --- a/src/openvpn/ssl_verify_openssl.h +++ b/src/openvpn/ssl_verify_openssl.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/status.c b/src/openvpn/status.c index a163408..e47f35c 100644 --- a/src/openvpn/status.c +++ b/src/openvpn/status.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H diff --git a/src/openvpn/status.h b/src/openvpn/status.h index 8199935..590ae41 100644 --- a/src/openvpn/status.h +++ b/src/openvpn/status.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef STATUS_H diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 2973b5a..078ed3a 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef SYSHEAD_H @@ -287,17 +288,13 @@ #include <netinet/ip.h> #endif -#ifdef HAVE_NETINET_TCP_H -#include <netinet/tcp.h> -#endif - #ifdef HAVE_NET_IF_TUN_H #include <net/if_tun.h> #endif #endif /* TARGET_OPENBSD */ -#ifdef TARGET_FREEBSD +#if defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__) #ifdef HAVE_SYS_UIO_H #include <sys/uio.h> @@ -592,7 +589,9 @@ socket_defined(const socket_descriptor_t sd) /* * Should we include OCC (options consistency check) code? */ +#ifndef ENABLE_SMALL #define ENABLE_OCC +#endif /* * Should we include NTLM proxy functionality diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index e13bb4e..4c7170f 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef HAVE_CONFIG_H @@ -43,14 +44,15 @@ tls_crypt_buf_overhead(void) void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, - const char *key_inline, bool tls_server) -{ + const char *key_inline, bool tls_server) { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; struct key_type kt; kt.cipher = cipher_kt_get("AES-256-CTR"); + kt.cipher_length = cipher_kt_key_size(kt.cipher); kt.digest = md_kt_get("SHA256"); + kt.hmac_length = md_kt_size(kt.digest); if (!kt.cipher) { @@ -61,9 +63,6 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); } - kt.cipher_length = cipher_kt_key_size(kt.cipher); - kt.hmac_length = md_kt_size(kt.digest); - crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, "Control Channel Encryption", "tls-crypt"); } @@ -80,8 +79,7 @@ tls_crypt_adjust_frame_parameters(struct frame *frame) bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, - struct crypto_options *opt) -{ + struct crypto_options *opt) { const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; struct gc_arena gc; diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h index e8080df..47f75d0 100644 --- a/src/openvpn/tls_crypt.h +++ b/src/openvpn/tls_crypt.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 75a156c..a4f7779 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -559,9 +560,7 @@ is_tun_p2p(const struct tuntap *tt) { bool tun = false; - if (tt->type == DEV_TYPE_TAP - || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) - || tt->type == DEV_TYPE_NULL ) + if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)) { tun = false; } @@ -695,8 +694,7 @@ init_tun(const char *dev, /* --dev option */ * make sure they do not clash with our virtual subnet. */ - for (curele = local_public; curele; curele = curele->ai_next) - { + for (curele = local_public; curele; curele = curele->ai_next) { if (curele->ai_family == AF_INET) { check_addr_clash("local", @@ -707,8 +705,7 @@ init_tun(const char *dev, /* --dev option */ } } - for (curele = remote_public; curele; curele = curele->ai_next) - { + for (curele = remote_public; curele; curele = curele->ai_next) { if (curele->ai_family == AF_INET) { check_addr_clash("remote", @@ -843,7 +840,7 @@ delete_route_connected_v6_net(struct tuntap *tt, #endif /* if defined(_WIN32) || defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD) */ #if defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \ - || defined(TARGET_OPENBSD) + || defined(TARGET_OPENBSD) || defined(__FreeBSD_kernel__) /* we can't use true subnet mode on tun on all platforms, as that * conflicts with IPv6 (wants to use ND then, which we don't do), * but the OSes want "a remote address that is different from ours" @@ -1039,8 +1036,7 @@ do_ifconfig(struct tuntap *tt, struct buffer out = alloc_buf_gc(64, &gc); char *top; - switch (tt->topology) - { + switch (tt->topology) { case TOP_NET30: top = "net30"; break; @@ -1412,7 +1408,7 @@ do_ifconfig(struct tuntap *tt, add_route_connected_v6_net(tt, es); } -#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) +#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__) in_addr_t remote_end; /* for "virtual" subnet topology */ @@ -1653,11 +1649,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int len) { u_int32_t type; struct iovec iv[2]; - struct openvpn_iphdr *iph; + struct ip *iph; - iph = (struct openvpn_iphdr *) buf; + iph = (struct ip *) buf; - if (OPENVPN_IPH_GET_VER(iph->version_len) == 6) + if (iph->ip_v == 6) { type = htonl(AF_INET6); } @@ -1839,14 +1835,12 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun /* Prefer IPv6 DNS servers, * Android will use the DNS server in the order we specify*/ - for (int i = 0; i < tt->options.dns6_len; i++) - { + for (int i = 0; i < tt->options.dns6_len; i++) { management_android_control(management, "DNS6SERVER", print_in6_addr(tt->options.dns6[i], 0, &gc)); } - for (int i = 0; i < tt->options.dns_len; i++) - { + for (int i = 0; i < tt->options.dns_len; i++) { management_android_control(management, "DNSSERVER", print_in_addr_t(tt->options.dns[i], 0, &gc)); } @@ -2260,9 +2254,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun { ptr = dev; while (*ptr && !isdigit((int) *ptr)) - { ptr++; - } ppa = atoi(ptr); } @@ -2770,7 +2762,7 @@ read_tun(struct tuntap *tt, uint8_t *buf, int len) } } -#elif defined(TARGET_FREEBSD) +#elif defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__) static inline int freebsd_modify_read_write_return(int len) @@ -3285,10 +3277,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun { /* ensure that dev name is "tap+<digits>" *only* */ p = &dev[3]; - while (isdigit(*p) ) - { - p++; - } + while (isdigit(*p) ) p++; if (*p != '\0') { msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" ); @@ -5466,9 +5455,7 @@ write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, c buf_write_u8(buf, type); buf_write_u8(buf, size); for (i = 0; i < len; ++i) - { buf_write_u32(buf, data[i]); - } } } @@ -6237,7 +6224,10 @@ close_tun(struct tuntap *tt) } #endif - dhcp_release(tt); + if (tt->options.dhcp_release) + { + dhcp_release(tt); + } if (tt->hand != NULL) { @@ -6297,12 +6287,10 @@ ascii2ipset(const char *name) int i; ASSERT(IPW32_SET_N == SIZE(ipset_names)); for (i = 0; i < IPW32_SET_N; ++i) - { if (!strcmp(name, ipset_names[i].short_form)) { return i; } - } return -1; } diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 8782d69..f4b600c 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef TUN_H @@ -103,6 +104,7 @@ struct tuntap_options { bool dhcp_renew; bool dhcp_pre_release; + bool dhcp_release; bool register_dns; diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index d0b10ba..e26f54d 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -60,12 +61,6 @@ static HANDLE m_hEngineHandle = NULL; /* GLOBAL */ /* - * TAP adapter original metric value - */ -static int tap_metric_v4 = -1; /* GLOBAL */ -static int tap_metric_v6 = -1; /* GLOBAL */ - -/* * Windows internal socket API state (opaque). */ static struct WSAData wsa_state; /* GLOBAL */ @@ -574,8 +569,7 @@ win32_keyboard_get(struct win32_signal *ws) if (HANDLE_DEFINED(ws->in.read)) { INPUT_RECORD ir; - do - { + do { DWORD n; if (!keyboard_input_available(ws)) { @@ -687,8 +681,7 @@ win32_pause(struct win32_signal *ws) { int status; msg(M_INFO|M_NOPREFIX, "Press any key to continue..."); - do - { + do { status = WaitForSingleObject(ws->in.read, INFINITE); } while (!win32_keyboard_get(ws)); } @@ -991,9 +984,7 @@ env_block(const struct env_set *es) bool path_seen = false; for (e = es->list; e != NULL; e = e->next) - { nchars += strlen(e->string) + 1; - } nchars += strlen(force_path)+1; @@ -1333,8 +1324,8 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel) goto out; } - status = GetModuleFileNameW(NULL, openvpnpath, _countof(openvpnpath)); - if (status == 0 || status == _countof(openvpnpath)) + status = GetModuleFileNameW(NULL, openvpnpath, sizeof(openvpnpath)); + if (status == 0 || status == sizeof(openvpnpath)) { msg(M_WARN|M_ERRNO, "block_dns: cannot get executable path"); goto out; @@ -1342,27 +1333,6 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel) status = add_block_dns_filters(&m_hEngineHandle, index, openvpnpath, block_dns_msg_handler); - if (status == 0) - { - tap_metric_v4 = get_interface_metric(index, AF_INET); - tap_metric_v6 = get_interface_metric(index, AF_INET6); - if (tap_metric_v4 < 0) - { - /* error, should not restore metric */ - tap_metric_v4 = -1; - } - if (tap_metric_v6 < 0) - { - /* error, should not restore metric */ - tap_metric_v6 = -1; - } - status = set_interface_metric(index, AF_INET, BLOCK_DNS_IFACE_METRIC); - if (!status) - { - set_interface_metric(index, AF_INET6, BLOCK_DNS_IFACE_METRIC); - } - } - ret = (status == 0); out: @@ -1371,27 +1341,19 @@ out: } bool -win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel) +win_wfp_uninit(const HANDLE msg_channel) { dmsg(D_LOW, "Uninitializing WFP"); if (msg_channel) { msg(D_LOW, "Using service to delete block dns filters"); - win_block_dns_service(false, index, msg_channel); + win_block_dns_service(false, -1, msg_channel); } else { delete_block_dns_filters(m_hEngineHandle); m_hEngineHandle = NULL; - if (tap_metric_v4 >= 0) - { - set_interface_metric(index, AF_INET, tap_metric_v4); - } - if (tap_metric_v6 >= 0) - { - set_interface_metric(index, AF_INET6, tap_metric_v6); - } } return true; diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index 21a1021..4ee44fd 100644 --- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifdef _WIN32 @@ -292,7 +293,7 @@ WCHAR *wide_string(const char *utf8, struct gc_arena *gc); bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel); -bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel); +bool win_wfp_uninit(const HANDLE msg_channel); #define WIN_XP 0 #define WIN_VISTA 1 |