Diffstat (limited to 'src/openvpn')
-rw-r--r--src/openvpn/Makefile.am5
-rw-r--r--src/openvpn/Makefile.in99
-rw-r--r--src/openvpn/argv.c17
-rw-r--r--src/openvpn/argv.h7
-rw-r--r--src/openvpn/base64.c11
-rw-r--r--src/openvpn/basic.h7
-rw-r--r--src/openvpn/block_dns.c85
-rw-r--r--src/openvpn/block_dns.h37
-rw-r--r--src/openvpn/buffer.c16
-rw-r--r--src/openvpn/buffer.h9
-rw-r--r--src/openvpn/circ_list.h7
-rw-r--r--src/openvpn/clinat.c7
-rw-r--r--src/openvpn/clinat.h7
-rw-r--r--src/openvpn/common.h7
-rw-r--r--src/openvpn/comp-lz4.c10
-rw-r--r--src/openvpn/comp-lz4.h7
-rw-r--r--src/openvpn/comp.c7
-rw-r--r--src/openvpn/comp.h7
-rw-r--r--src/openvpn/compstub.c10
-rw-r--r--src/openvpn/console.c13
-rw-r--r--src/openvpn/console.h9
-rw-r--r--src/openvpn/console_builtin.c7
-rw-r--r--src/openvpn/console_systemd.c7
-rw-r--r--src/openvpn/crypto.c75
-rw-r--r--src/openvpn/crypto.h16
-rw-r--r--src/openvpn/crypto_backend.h55
-rw-r--r--src/openvpn/crypto_mbedtls.c47
-rw-r--r--src/openvpn/crypto_mbedtls.h11
-rw-r--r--src/openvpn/crypto_openssl.c78
-rw-r--r--src/openvpn/crypto_openssl.h8
-rw-r--r--src/openvpn/cryptoapi.c9
-rw-r--r--src/openvpn/dhcp.c18
-rw-r--r--src/openvpn/dhcp.h7
-rw-r--r--src/openvpn/errlevel.h7
-rw-r--r--src/openvpn/error.c10
-rw-r--r--src/openvpn/error.h10
-rw-r--r--src/openvpn/event.c11
-rw-r--r--src/openvpn/event.h7
-rw-r--r--src/openvpn/fdmisc.c7
-rw-r--r--src/openvpn/fdmisc.h7
-rw-r--r--src/openvpn/forward-inline.h7
-rw-r--r--src/openvpn/forward.c14
-rw-r--r--src/openvpn/forward.h7
-rw-r--r--src/openvpn/fragment.c16
-rw-r--r--src/openvpn/fragment.h7
-rw-r--r--src/openvpn/gremlin.c22
-rw-r--r--src/openvpn/gremlin.h7
-rw-r--r--src/openvpn/helper.c7
-rw-r--r--src/openvpn/helper.h7
-rw-r--r--src/openvpn/httpdigest.c88
-rw-r--r--src/openvpn/httpdigest.h7
-rw-r--r--src/openvpn/init.c127
-rw-r--r--src/openvpn/init.h7
-rw-r--r--src/openvpn/integer.h7
-rw-r--r--src/openvpn/interval.c7
-rw-r--r--src/openvpn/interval.h10
-rw-r--r--src/openvpn/list.c13
-rw-r--r--src/openvpn/list.h7
-rw-r--r--src/openvpn/lzo.c10
-rw-r--r--src/openvpn/lzo.h7
-rw-r--r--src/openvpn/manage.c22
-rw-r--r--src/openvpn/manage.h7
-rw-r--r--src/openvpn/mbuf.c10
-rw-r--r--src/openvpn/mbuf.h7
-rw-r--r--src/openvpn/memdbg.h7
-rw-r--r--src/openvpn/misc.c88
-rw-r--r--src/openvpn/misc.h13
-rw-r--r--src/openvpn/mroute.c10
-rw-r--r--src/openvpn/mroute.h7
-rw-r--r--src/openvpn/mss.c23
-rw-r--r--src/openvpn/mss.h7
-rw-r--r--src/openvpn/mstats.c7
-rw-r--r--src/openvpn/mstats.h7
-rw-r--r--src/openvpn/mtcp.c10
-rw-r--r--src/openvpn/mtcp.h7
-rw-r--r--src/openvpn/mtu.c7
-rw-r--r--src/openvpn/mtu.h7
-rw-r--r--src/openvpn/mudp.c7
-rw-r--r--src/openvpn/mudp.h7
-rw-r--r--src/openvpn/multi.c21
-rw-r--r--src/openvpn/multi.h7
-rw-r--r--src/openvpn/ntlm.c45
-rw-r--r--src/openvpn/occ-inline.h7
-rw-r--r--src/openvpn/occ.c10
-rw-r--r--src/openvpn/occ.h7
-rw-r--r--src/openvpn/openssl_compat.h657
-rw-r--r--src/openvpn/openvpn.c13
-rw-r--r--src/openvpn/openvpn.h18
-rw-r--r--src/openvpn/openvpn.vcxproj7
-rw-r--r--src/openvpn/openvpn.vcxproj.filters26
-rw-r--r--src/openvpn/options.c127
-rw-r--r--src/openvpn/options.h12
-rw-r--r--src/openvpn/otime.c7
-rw-r--r--src/openvpn/otime.h10
-rw-r--r--src/openvpn/packet_id.c44
-rw-r--r--src/openvpn/packet_id.h43
-rw-r--r--src/openvpn/perf.c12
-rw-r--r--src/openvpn/perf.h16
-rw-r--r--src/openvpn/pf-inline.h7
-rw-r--r--src/openvpn/pf.c7
-rw-r--r--src/openvpn/pf.h7
-rw-r--r--src/openvpn/ping-inline.h7
-rw-r--r--src/openvpn/ping.c7
-rw-r--r--src/openvpn/ping.h7
-rw-r--r--src/openvpn/pkcs11.c73
-rw-r--r--src/openvpn/pkcs11.h7
-rw-r--r--src/openvpn/pkcs11_backend.h7
-rw-r--r--src/openvpn/pkcs11_mbedtls.c14
-rw-r--r--src/openvpn/pkcs11_openssl.c7
-rw-r--r--src/openvpn/platform.c7
-rw-r--r--src/openvpn/platform.h7
-rw-r--r--src/openvpn/plugin.c49
-rw-r--r--src/openvpn/plugin.h7
-rw-r--r--src/openvpn/pool.c9
-rw-r--r--src/openvpn/pool.h7
-rw-r--r--src/openvpn/proto.c7
-rw-r--r--src/openvpn/proto.h7
-rw-r--r--src/openvpn/proxy.c26
-rw-r--r--src/openvpn/proxy.h7
-rw-r--r--src/openvpn/ps.c7
-rw-r--r--src/openvpn/ps.h7
-rw-r--r--src/openvpn/push.c36
-rw-r--r--src/openvpn/push.h7
-rw-r--r--src/openvpn/pushlist.h7
-rw-r--r--src/openvpn/reliable.c14
-rw-r--r--src/openvpn/reliable.h7
-rw-r--r--src/openvpn/route.c88
-rw-r--r--src/openvpn/route.h10
-rw-r--r--src/openvpn/schedule.c11
-rw-r--r--src/openvpn/schedule.h7
-rw-r--r--src/openvpn/session_id.c10
-rw-r--r--src/openvpn/session_id.h7
-rw-r--r--src/openvpn/shaper.c10
-rw-r--r--src/openvpn/shaper.h7
-rw-r--r--src/openvpn/sig.c7
-rw-r--r--src/openvpn/sig.h7
-rw-r--r--src/openvpn/socket.c55
-rw-r--r--src/openvpn/socket.h31
-rw-r--r--src/openvpn/socks.c7
-rw-r--r--src/openvpn/socks.h7
-rw-r--r--src/openvpn/ssl.c139
-rw-r--r--src/openvpn/ssl.h17
-rw-r--r--src/openvpn/ssl_backend.h7
-rw-r--r--src/openvpn/ssl_common.h8
-rw-r--r--src/openvpn/ssl_mbedtls.c15
-rw-r--r--src/openvpn/ssl_mbedtls.h9
-rw-r--r--src/openvpn/ssl_openssl.c107
-rw-r--r--src/openvpn/ssl_openssl.h9
-rw-r--r--src/openvpn/ssl_verify.c104
-rw-r--r--src/openvpn/ssl_verify.h13
-rw-r--r--src/openvpn/ssl_verify_backend.h17
-rw-r--r--src/openvpn/ssl_verify_mbedtls.c65
-rw-r--r--src/openvpn/ssl_verify_mbedtls.h7
-rw-r--r--src/openvpn/ssl_verify_openssl.c231
-rw-r--r--src/openvpn/ssl_verify_openssl.h7
-rw-r--r--src/openvpn/status.c7
-rw-r--r--src/openvpn/status.h7
-rw-r--r--src/openvpn/syshead.h13
-rw-r--r--src/openvpn/tls_crypt.c24
-rw-r--r--src/openvpn/tls_crypt.h7
-rw-r--r--src/openvpn/tun.c48
-rw-r--r--src/openvpn/tun.h8
-rw-r--r--src/openvpn/win32.c58
-rw-r--r--src/openvpn/win32.h9
164 files changed, 2760 insertions, 1322 deletions
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..fcc22d6 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -27,7 +27,9 @@ AM_CFLAGS = \
$(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) \
$(OPTIONAL_LZ4_CFLAGS) \
- $(OPTIONAL_PKCS11_HELPER_CFLAGS)
+ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+ -DPLUGIN_LIBDIR=\"${plugindir}\"
+
if WIN32
# we want unicode entry point but not the macro
AM_CFLAGS += -municode -UUNICODE
@@ -79,6 +81,7 @@ openvpn_SOURCES = \
multi.c multi.h \
ntlm.c ntlm.h \
occ.c occ.h occ-inline.h \
+ openssl_compat.h \
pkcs11.c pkcs11.h pkcs11_backend.h \
pkcs11_openssl.c \
pkcs11_mbedtls.c \
diff --git a/src/openvpn/Makefile.in b/src/openvpn/Makefile.in
index 95d4f59..ca4635b 100644
--- a/src/openvpn/Makefile.in
+++ b/src/openvpn/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -37,7 +37,17 @@
# Required to build Windows resource file
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -100,8 +110,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \
- $(srcdir)/Makefile.am $(top_srcdir)/depcomp
+
# we want unicode entry point but not the macro
@WIN32_TRUE@am__append_1 = -municode -UUNICODE
sbin_PROGRAMS = openvpn$(EXEEXT)
@@ -118,6 +127,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/openvpn-plugin.h
@@ -139,21 +149,21 @@ am__openvpn_SOURCES_DIST = argv.c argv.h base64.c base64.h basic.h \
console_builtin.c console_systemd.c mroute.c mroute.h mss.c \
mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \
mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \
- pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \
- pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \
- otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \
- pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \
- pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \
- push.h pushlist.h reliable.c reliable.h route.c route.h \
- schedule.c schedule.h session_id.c session_id.h shaper.c \
- shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \
- ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \
- ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \
- ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \
- ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \
- syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \
- cryptoapi.h cryptoapi.c openvpn_win32_resources.rc block_dns.c \
- block_dns.h
+ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \
+ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \
+ options.c options.h otime.c otime.h packet_id.c packet_id.h \
+ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \
+ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \
+ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \
+ reliable.h route.c route.h schedule.c schedule.h session_id.c \
+ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \
+ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \
+ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \
+ ssl_verify.c ssl_verify.h ssl_verify_backend.h \
+ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \
+ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \
+ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \
+ cryptoapi.c openvpn_win32_resources.rc block_dns.c block_dns.h
@WIN32_TRUE@am__objects_1 = openvpn_win32_resources.$(OBJEXT) \
@WIN32_TRUE@ block_dns.$(OBJEXT)
am_openvpn_OBJECTS = argv.$(OBJEXT) base64.$(OBJEXT) buffer.$(OBJEXT) \
@@ -253,6 +263,8 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \
+ $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -301,6 +313,7 @@ LIBTOOL = @LIBTOOL@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
LZ4_CFLAGS = @LZ4_CFLAGS@
LZ4_LIBS = @LZ4_LIBS@
LZO_CFLAGS = @LZO_CFLAGS@
@@ -349,6 +362,7 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
RANLIB = @RANLIB@
@@ -361,12 +375,14 @@ SHELL = @SHELL@
SOCKETS_LIBS = @SOCKETS_LIBS@
STRIP = @STRIP@
SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
TAP_CFLAGS = @TAP_CFLAGS@
TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
TEST_CFLAGS = @TEST_CFLAGS@
TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@
VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@
VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@
@@ -423,7 +439,9 @@ sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@@ -444,7 +462,8 @@ AM_CPPFLAGS = \
AM_CFLAGS = $(TAP_CFLAGS) $(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) $(OPTIONAL_LZ4_CFLAGS) \
- $(OPTIONAL_PKCS11_HELPER_CFLAGS) $(am__append_1)
+ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+ -DPLUGIN_LIBDIR=\"${plugindir}\" $(am__append_1)
openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \
buffer.h circ_list.h clinat.c clinat.h common.h comp.c comp.h \
compstub.c comp-lz4.c comp-lz4.h crypto.c crypto.h \
@@ -459,20 +478,21 @@ openvpn_SOURCES = argv.c argv.h base64.c base64.h basic.h buffer.c \
console_builtin.c console_systemd.c mroute.c mroute.h mss.c \
mss.h mstats.c mstats.h mtcp.c mtcp.h mtu.c mtu.h mudp.c \
mudp.h multi.c multi.h ntlm.c ntlm.h occ.c occ.h occ-inline.h \
- pkcs11.c pkcs11.h pkcs11_backend.h pkcs11_openssl.c \
- pkcs11_mbedtls.c openvpn.c openvpn.h options.c options.h \
- otime.c otime.h packet_id.c packet_id.h perf.c perf.h pf.c \
- pf.h pf-inline.h ping.c ping.h ping-inline.h plugin.c plugin.h \
- pool.c pool.h proto.c proto.h proxy.c proxy.h ps.c ps.h push.c \
- push.h pushlist.h reliable.c reliable.h route.c route.h \
- schedule.c schedule.h session_id.c session_id.h shaper.c \
- shaper.h sig.c sig.h socket.c socket.h socks.c socks.h ssl.c \
- ssl.h ssl_backend.h ssl_openssl.c ssl_openssl.h ssl_mbedtls.c \
- ssl_mbedtls.h ssl_common.h ssl_verify.c ssl_verify.h \
- ssl_verify_backend.h ssl_verify_openssl.c ssl_verify_openssl.h \
- ssl_verify_mbedtls.c ssl_verify_mbedtls.h status.c status.h \
- syshead.h tls_crypt.c tls_crypt.h tun.c tun.h win32.h win32.c \
- cryptoapi.h cryptoapi.c $(am__append_2)
+ openssl_compat.h pkcs11.c pkcs11.h pkcs11_backend.h \
+ pkcs11_openssl.c pkcs11_mbedtls.c openvpn.c openvpn.h \
+ options.c options.h otime.c otime.h packet_id.c packet_id.h \
+ perf.c perf.h pf.c pf.h pf-inline.h ping.c ping.h \
+ ping-inline.h plugin.c plugin.h pool.c pool.h proto.c proto.h \
+ proxy.c proxy.h ps.c ps.h push.c push.h pushlist.h reliable.c \
+ reliable.h route.c route.h schedule.c schedule.h session_id.c \
+ session_id.h shaper.c shaper.h sig.c sig.h socket.c socket.h \
+ socks.c socks.h ssl.c ssl.h ssl_backend.h ssl_openssl.c \
+ ssl_openssl.h ssl_mbedtls.c ssl_mbedtls.h ssl_common.h \
+ ssl_verify.c ssl_verify.h ssl_verify_backend.h \
+ ssl_verify_openssl.c ssl_verify_openssl.h ssl_verify_mbedtls.c \
+ ssl_verify_mbedtls.h status.c status.h syshead.h tls_crypt.c \
+ tls_crypt.h tun.c tun.h win32.h win32.c cryptoapi.h \
+ cryptoapi.c $(am__append_2)
openvpn_LDADD = $(top_builddir)/src/compat/libcompat.la \
$(SOCKETS_LIBS) $(OPTIONAL_LZO_LIBS) $(OPTIONAL_LZ4_LIBS) \
$(OPTIONAL_PKCS11_HELPER_LIBS) $(OPTIONAL_CRYPTO_LIBS) \
@@ -494,7 +514,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpn/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/openvpn/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -503,7 +522,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
-$(top_srcdir)/build/ltrc.inc:
+$(top_srcdir)/build/ltrc.inc $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -655,14 +674,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -884,6 +903,8 @@ uninstall-am: uninstall-sbinPROGRAMS
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS
+.PRECIOUS: Makefile
+
.rc.lo:
$(LTRCCOMPILE) -i "$<" -o "$@"
diff --git a/src/openvpn/argv.c b/src/openvpn/argv.c
index cc813ed..a71d261 100644
--- a/src/openvpn/argv.c
+++ b/src/openvpn/argv.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
*
* A printf-like function (that only recognizes a subset of standard printf
@@ -60,7 +59,9 @@ argv_reset(struct argv *a)
{
size_t i;
for (i = 0; i < a->argc; ++i)
+ {
free(a->argv[i]);
+ }
free(a->argv);
argv_init(a);
}
@@ -74,7 +75,9 @@ argv_extend(struct argv *a, const size_t newcap)
size_t i;
ALLOC_ARRAY_CLEAR(newargv, char *, newcap);
for (i = 0; i < a->argc; ++i)
+ {
newargv[i] = a->argv[i];
+ }
free(a->argv);
a->argv = newargv;
a->capacity = newcap;
@@ -104,11 +107,15 @@ argv_clone(const struct argv *a, const size_t headroom)
argv_init(&r);
for (i = 0; i < headroom; ++i)
+ {
argv_append(&r, NULL);
+ }
if (a)
{
for (i = 0; i < a->argc; ++i)
+ {
argv_append(&r, string_alloc(a->argv[i], NULL));
+ }
}
return r;
}
@@ -332,7 +339,9 @@ argv_parse_cmd(struct argv *a, const char *s)
{
int i;
for (i = 0; i < nparms; ++i)
+ {
argv_append(a, string_alloc(parms[i], NULL));
+ }
}
else
{
diff --git a/src/openvpn/argv.h b/src/openvpn/argv.h
index 1dd6dd7..7d0754c 100644
--- a/src/openvpn/argv.h
+++ b/src/openvpn/argv.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
*
* A printf-like function (that only recognizes a subset of standard printf
diff --git a/src/openvpn/base64.c b/src/openvpn/base64.c
index c799ede..0ac65e9 100644
--- a/src/openvpn/base64.c
+++ b/src/openvpn/base64.c
@@ -69,7 +69,8 @@ openvpn_base64_encode(const void *data, int size, char **str)
}
q = (const unsigned char *) data;
i = 0;
- for (i = 0; i < size; ) {
+ for (i = 0; i < size; )
+ {
c = q[i++];
c *= 256;
if (i < size)
@@ -107,10 +108,12 @@ pos(char c)
{
char *p;
for (p = base64_chars; *p; p++)
+ {
if (*p == c)
{
return p - base64_chars;
}
+ }
return -1;
}
@@ -126,7 +129,8 @@ token_decode(const char *token)
{
return DECODE_ERROR;
}
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 4; i++)
+ {
val *= 64;
if (token[i] == '=')
{
@@ -164,7 +168,8 @@ openvpn_base64_decode(const char *str, void *data, int size)
{
e = q + size;
}
- for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) {
+ for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4)
+ {
unsigned int val = token_decode(p);
unsigned int marker = (val >> 24) & 0xff;
if (val == DECODE_ERROR)
diff --git a/src/openvpn/basic.h b/src/openvpn/basic.h
index dac6f01..3aa69ca 100644
--- a/src/openvpn/basic.h
+++ b/src/openvpn/basic.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef BASIC_H
diff --git a/src/openvpn/block_dns.c b/src/openvpn/block_dns.c
index e31765e..d43cbcf 100644
--- a/src/openvpn/block_dns.c
+++ b/src/openvpn/block_dns.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -110,6 +109,9 @@ DEFINE_GUID(
static WCHAR *FIREWALL_NAME = L"OpenVPN";
+VOID NETIOAPI_API_
+InitializeIpInterfaceEntry(PMIB_IPINTERFACE_ROW Row);
+
/*
* Default msg handler does nothing
*/
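Review bot: The prototype for `InitializeIpInterfaceEntry` added at the top of the hunk redeclares a system API with nothing explaining why it is needed here; if the SDK's netioapi.h already provides it, a mismatching declaration turns into a build error, and if it does not, a reader cannot tell this is a header workaround rather than a local function. Presumably older MinGW headers lack the declaration — please confirm and say so, e.g. `/* Not declared by older MinGW netioapi.h; drop once the minimum toolchain provides it */`, or make the redeclaration conditional on a configure check so it disappears on toolchains that already declare it.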
@@ -341,4 +343,79 @@ delete_block_dns_filters(HANDLE engine_handle)
return err;
}
+/*
+ * Returns interface metric value for specified interface index.
+ *
+ * Arguments:
+ * index : The index of TAP adapter.
+ * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
+ * Returns positive metric value or zero for automatic metric on success,
+ * a less then zero error code on failure.
+ */
+
+int
+get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family)
+{
+ DWORD err = 0;
+ MIB_IPINTERFACE_ROW ipiface;
+ InitializeIpInterfaceEntry(&ipiface);
+ ipiface.Family = family;
+ ipiface.InterfaceIndex = index;
+ err = GetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ if (ipiface.UseAutomaticMetric)
+ {
+ return 0;
+ }
+ return ipiface.Metric;
+ }
+ return -err;
+}
+
+/*
+ * Sets interface metric value for specified interface index.
+ *
+ * Arguments:
+ * index : The index of TAP adapter.
+ * family : Address family (AF_INET for IPv4 and AF_INET6 for IPv6).
+ * metric : Metric value. 0 for automatic metric.
+ * Returns 0 on success, a non-zero status code of the last failed action on failure.
+ */
+
+DWORD
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
+ const ULONG metric)
+{
+ DWORD err = 0;
+ MIB_IPINTERFACE_ROW ipiface;
+ InitializeIpInterfaceEntry(&ipiface);
+ ipiface.Family = family;
+ ipiface.InterfaceIndex = index;
+ err = GetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ if (family == AF_INET)
+ {
+ /* required for IPv4 as per MSDN */
+ ipiface.SitePrefixLength = 0;
+ }
+ ipiface.Metric = metric;
+ if (metric == 0)
+ {
+ ipiface.UseAutomaticMetric = TRUE;
+ }
+ else
+ {
+ ipiface.UseAutomaticMetric = FALSE;
+ }
+ err = SetIpInterfaceEntry(&ipiface);
+ if (err == NO_ERROR)
+ {
+ return 0;
+ }
+ }
+ return err;
+}
+
#endif /* ifdef _WIN32 */
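Review bot: `get_interface_metric` folds two unsigned quantities into its `int` result without explicit conversions: `return ipiface.Metric;` narrows a ULONG, and `return -err;` negates a DWORD before it is converted, so a metric or error code above INT_MAX would be misreported and a caller's `< 0` check could be fooled. Make the conversions explicit, `return -(int)err;` on the error path and a range check such as `if (ipiface.Metric > INT_MAX) return -ERROR_INVALID_DATA;` before `return (int)ipiface.Metric;`, so the mixed value/error encoding the header documents stays reliable. The `DWORD err = 0;` initializer in both new functions is dead, since `GetIpInterfaceEntry` assigns `err` before any read. The header comment says "a less then zero error code" — should be "less than zero"; the same wording appears in the matching block_dns.h hunk for `get_interface_metric`.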
diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h
index a7dadc4..c4b6693 100644
--- a/src/openvpn/block_dns.h
+++ b/src/openvpn/block_dns.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef _WIN32
@@ -27,6 +26,9 @@
#ifndef OPENVPN_BLOCK_DNS_H
#define OPENVPN_BLOCK_DNS_H
+/* Any value less than 5 should work fine. 3 is choosen without any real reason. */
+#define BLOCK_DNS_IFACE_METRIC 3
+
typedef void (*block_dns_msg_handler_t) (DWORD err, const char *msg);
DWORD
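Review bot: The comment on `BLOCK_DNS_IFACE_METRIC` has a typo (`choosen` → `chosen`) and does not say what "less than 5" is measured against, so a maintainer cannot judge whether 3 is still safe if that reference changes; presumably it must undercut the metric Windows assigns to the other adapters — confirm and name it, e.g. `/* Must be lower than the metric of any other adapter that could carry DNS traffic; anything below 5 works, 3 was chosen arbitrarily. */`.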
@@ -36,5 +38,32 @@ DWORD
add_block_dns_filters(HANDLE *engine, int iface_index, const WCHAR *exe_path,
block_dns_msg_handler_t msg_handler_callback);
+/**
+ * Returns interface metric value for specified interface index.
+ *
+ * @param index The index of TAP adapter
+ * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6)
+ *
+ * @return positive metric value or zero for automatic metric on success,
+ * a less then zero error code on failure.
+ */
+
+int
+get_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family);
+
+/**
+ * Sets interface metric value for specified interface index.
+ *
+ * @param index The index of TAP adapter
+ * @param family Address family (AF_INET for IPv4 and AF_INET6 for IPv6)
+ * @param metric Metric value. 0 for automatic metric
+ *
+ * @return 0 on success, a non-zero status code of the last failed action on failure.
+ */
+
+DWORD
+set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
+ const ULONG metric);
+
#endif
#endif
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index 2defd18..87e27ec 100644
--- a/src/openvpn/buffer.c
+++ b/src/openvpn/buffer.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -443,7 +442,9 @@ gc_transfer(struct gc_arena *dest, struct gc_arena *src)
if (e)
{
while (e->next != NULL)
+ {
e = e->next;
+ }
e->next = dest->list;
dest->list = src->list;
src->list = NULL;
@@ -599,7 +600,8 @@ void
rm_trailing_chars(char *str, const char *what_to_delete)
{
bool modified;
- do {
+ do
+ {
const int len = strlen(str);
modified = false;
if (len > 0)
@@ -682,7 +684,9 @@ string_array_len(const char **array)
if (array)
{
while (array[i])
+ {
++i;
+ }
}
return i;
}
@@ -1320,7 +1324,9 @@ buffer_list_file(const char *fn, int max_line_len)
{
bl = buffer_list_new(0);
while (fgets(line, max_line_len, fp) != NULL)
+ {
buffer_list_push(bl, (unsigned char *)line);
+ }
free(line);
}
fclose(fp);
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 28b224e..8bc4428 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef BUFFER_H
@@ -404,7 +403,9 @@ secure_memzero(void *data, size_t len)
#else
volatile char *p = (volatile char *) data;
while (len--)
+ {
*p++ = 0;
+ }
#endif
}
diff --git a/src/openvpn/circ_list.h b/src/openvpn/circ_list.h
index ecf2a7f..386e18d 100644
--- a/src/openvpn/circ_list.h
+++ b/src/openvpn/circ_list.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef CIRC_LIST_H
diff --git a/src/openvpn/clinat.c b/src/openvpn/clinat.c
index 9158437..633cec6 100644
--- a/src/openvpn/clinat.c
+++ b/src/openvpn/clinat.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/clinat.h b/src/openvpn/clinat.h
index cdaf2a8..e0cfad5 100644
--- a/src/openvpn/clinat.h
+++ b/src/openvpn/clinat.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if !defined(CLINAT_H)
diff --git a/src/openvpn/common.h b/src/openvpn/common.h
index cd988d4..bb08c01 100644
--- a/src/openvpn/common.h
+++ b/src/openvpn/common.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef COMMON_H
diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index fa65f87..6e40c32 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -316,6 +315,7 @@ const struct compress_alg lz4v2_alg = {
#else /* if defined(ENABLE_LZ4) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_LZ4 */
diff --git a/src/openvpn/comp-lz4.h b/src/openvpn/comp-lz4.h
index 8621e93..c256ba5 100644
--- a/src/openvpn/comp-lz4.h
+++ b/src/openvpn/comp-lz4.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_COMP_LZ4_H
diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c
index 0182a7c..4cda7e5 100644
--- a/src/openvpn/comp.c
+++ b/src/openvpn/comp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h
index 3c0b18e..e56fd2b 100644
--- a/src/openvpn/comp.h
+++ b/src/openvpn/comp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/compstub.c b/src/openvpn/compstub.c
index 5070c82..ca90924 100644
--- a/src/openvpn/compstub.c
+++ b/src/openvpn/compstub.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -179,6 +178,7 @@ const struct compress_alg comp_stub_alg = {
#else /* if defined(USE_COMP) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* USE_STUB */
diff --git a/src/openvpn/console.c b/src/openvpn/console.c
index 90c8a94..eb6944d 100644
--- a/src/openvpn/console.c
+++ b/src/openvpn/console.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -49,7 +48,8 @@ query_user_clear()
{
int i;
- for (i = 0; i < QUERY_USER_NUMSLOTS; i++) {
+ for (i = 0; i < QUERY_USER_NUMSLOTS; i++)
+ {
CLEAR(query_user[i]);
}
}
@@ -68,7 +68,8 @@ query_user_add(char *prompt, size_t prompt_len,
ASSERT( prompt_len > 0 && prompt != NULL && resp_len > 0 && resp != NULL );
/* Seek to the last unused slot */
- for (i = 0; i < QUERY_USER_NUMSLOTS; i++) {
+ for (i = 0; i < QUERY_USER_NUMSLOTS; i++)
+ {
if (query_user[i].prompt == NULL)
{
break;
diff --git a/src/openvpn/console.h b/src/openvpn/console.h
index 2c7f3e9..aa51e6f 100644
--- a/src/openvpn/console.h
+++ b/src/openvpn/console.h
@@ -18,11 +18,10 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
#ifndef CONSOLE_H
#define CONSOLE_H
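Review bot: The closing `+*/` of the licence block is now at column 0, while every other file in this series keeps the closer as ` */`, aligned under the leading `*` of the comment body. It should read ` */`; presumably a slip while rewrapping the address lines.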
diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c
index 13b9d7e..7b95da9 100644
--- a/src/openvpn/console_builtin.c
+++ b/src/openvpn/console_builtin.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/console_systemd.c b/src/openvpn/console_systemd.c
index 1c0aa4c..8cee8c8 100644
--- a/src/openvpn/console_systemd.c
+++ b/src/openvpn/console_systemd.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 7119abc..5f482d0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -65,7 +64,8 @@
static void
openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
- struct crypto_options *opt) {
+ struct crypto_options *opt)
+{
#ifdef HAVE_AEAD_CIPHER_MODES
struct gc_arena gc;
int outlen = 0;
@@ -85,7 +85,6 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
/* Prepare IV */
{
struct buffer iv_buffer;
- struct packet_id_net pin;
uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0};
const int iv_len = cipher_ctx_iv_length(ctx->cipher);
@@ -94,8 +93,11 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
buf_set_write(&iv_buffer, iv, iv_len);
/* IV starts with packet id to make the IV unique for packet */
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, false);
- ASSERT(packet_id_write(&pin, &iv_buffer, false, false));
+ if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false))
+ {
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
+ }
/* Remainder of IV consists of implicit part (unique per session) */
ASSERT(buf_write(&iv_buffer, ctx->implicit_iv, ctx->implicit_iv_len));
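Review bot: The new failure branch would benefit from a comment stating why the packet is dropped instead of being sent with a reused counter, because the reason is only implied by the comment above it that the IV starts with the packet ID: under the same key a repeated packet ID repeats the AEAD nonce. Suggest `/* Do not send: a repeated packet ID would repeat the AEAD nonce under the current key */` immediately above the `goto err;`. openvpn_encrypt_aead and its `err:` label start and end outside the hunk, so whether the error path leaves `buf` in the state callers treat as a dropped packet cannot be confirmed from here.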
@@ -196,25 +198,25 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
}
/* Put packet ID in plaintext buffer */
- if (packet_id_initialized(&opt->packet_id))
+ if (packet_id_initialized(&opt->packet_id)
+ && !packet_id_write(&opt->packet_id.send, buf,
+ opt->flags & CO_PACKET_ID_LONG_FORM,
+ true))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
}
}
else if (cipher_kt_mode_ofb_cfb(cipher_kt))
{
- struct packet_id_net pin;
struct buffer b;
/* IV and packet-ID required for this mode. */
ASSERT(opt->flags & CO_USE_IV);
ASSERT(packet_id_initialized(&opt->packet_id));
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
buf_set_write(&b, iv_buf, iv_size);
- ASSERT(packet_id_write(&pin, &b, true, false));
+ ASSERT(packet_id_write(&opt->packet_id.send, &b, true, false));
}
else /* We only support CBC, CFB, or OFB modes right now */
{
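Review bot: The OFB/CFB branch still aborts the whole process with `ASSERT(packet_id_write(&opt->packet_id.send, &b, true, false));`, whereas the CBC branch just above and the `else /* No Encryption */` branch in the next hunk now log `ENCRYPT ERROR: packet ID roll over` and `goto err`. In this mode the packet ID is the IV (the comment says `IV and packet-ID required for this mode`), so a wrapped counter is exactly the case the other two branches now handle by dropping the packet; `if (!packet_id_write(&opt->packet_id.send, &b, true, false)) { msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); goto err; }` would make all three paths consistent. openvpn_encrypt_v1 begins and ends outside the hunk.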
@@ -262,11 +264,12 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
}
else /* No Encryption */
{
- if (packet_id_initialized(&opt->packet_id))
+ if (packet_id_initialized(&opt->packet_id)
+ && !packet_id_write(&opt->packet_id.send, buf,
+ opt->flags & CO_PACKET_ID_LONG_FORM, true))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM));
- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true));
+ msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over");
+ goto err;
}
if (ctx->hmac)
{
@@ -329,7 +332,8 @@ openvpn_encrypt(struct buffer *buf, struct buffer work,
bool
crypto_check_replay(struct crypto_options *opt,
const struct packet_id_net *pin, const char *error_prefix,
- struct gc_arena *gc) {
+ struct gc_arena *gc)
+{
bool ret = false;
packet_id_reap_test(&opt->packet_id.rec);
if (packet_id_test(&opt->packet_id.rec, pin))
@@ -804,7 +808,10 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
- msg(M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
+ msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
+ "This means NO encryption will be performed and tunnelled "
+ "data WILL be transmitted in clear text over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
if (strcmp(authname, "none") != 0)
@@ -824,7 +831,11 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
- msg(M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
+ msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
+ "This means no authentication will be performed on received "
+ "packets, meaning you CANNOT trust that the data received by "
+ "the remote side have NOT been manipulated. "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
}
}
@@ -840,7 +851,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
if (kt->cipher && kt->cipher_length > 0)
{
- ALLOC_OBJ(ctx->cipher, cipher_ctx_t);
+ ctx->cipher = cipher_ctx_new();
cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length,
kt->cipher, enc);
@@ -864,7 +875,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
}
if (kt->digest && kt->hmac_length > 0)
{
- ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
+ ctx->hmac = hmac_ctx_new();
hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
msg(D_HANDSHAKE,
@@ -889,13 +900,13 @@ free_key_ctx(struct key_ctx *ctx)
if (ctx->cipher)
{
cipher_ctx_cleanup(ctx->cipher);
- free(ctx->cipher);
+ cipher_ctx_free(ctx->cipher);
ctx->cipher = NULL;
}
if (ctx->hmac)
{
hmac_ctx_cleanup(ctx->hmac);
- free(ctx->hmac);
+ hmac_ctx_free(ctx->hmac);
ctx->hmac = NULL;
}
ctx->implicit_iv_len = 0;
@@ -1019,7 +1030,8 @@ generate_key_random(struct key *key, const struct key_type *kt)
struct gc_arena gc = gc_new();
- do {
+ do
+ {
CLEAR(*key);
if (kt)
{
@@ -1795,7 +1807,8 @@ get_random()
}
static const cipher_name_pair *
-get_cipher_name_pair(const char *cipher_name) {
+get_cipher_name_pair(const char *cipher_name)
+{
const cipher_name_pair *pair;
size_t i = 0;
@@ -1815,7 +1828,8 @@ get_cipher_name_pair(const char *cipher_name) {
}
const char *
-translate_cipher_name_from_openvpn(const char *cipher_name) {
+translate_cipher_name_from_openvpn(const char *cipher_name)
+{
const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
if (NULL == pair)
@@ -1827,7 +1841,8 @@ translate_cipher_name_from_openvpn(const char *cipher_name) {
}
const char *
-translate_cipher_name_to_openvpn(const char *cipher_name) {
+translate_cipher_name_to_openvpn(const char *cipher_name)
+{
const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
if (NULL == pair)
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 61e9b59..8818c01 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -132,9 +131,9 @@
#include "packet_id.h"
#include "mtu.h"
-/** Wrapper struct to pass around MD5 digests */
-struct md5_digest {
- uint8_t digest[MD5_DIGEST_LENGTH];
+/** Wrapper struct to pass around SHA256 digests */
+struct sha256_digest {
+ uint8_t digest[SHA256_DIGEST_LENGTH];
};
/*
@@ -496,7 +495,8 @@ void crypto_read_openvpn_key(const struct key_type *key_type,
* Returns 0 when data is equal, non-zero otherwise.
*/
static inline int
-memcmp_constant_time(const void *a, const void *b, size_t size) {
+memcmp_constant_time(const void *a, const void *b, size_t size)
+{
const uint8_t *a1 = a;
const uint8_t *b1 = b;
int ret = 0;
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 2c79baa..b7f519b 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -47,6 +46,12 @@
/* Maximum HMAC digest size (bytes) */
#define OPENVPN_MAX_HMAC_SIZE 64
+/** Types referencing specific message digest hashing algorithms */
+typedef enum {
+ MD_SHA1,
+ MD_SHA256
+} hash_algo_type ;
+
/** Struct used in cipher name translation table */
typedef struct {
const char *openvpn_name; /**< Cipher name used by OpenVPN */
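Review bot: `} hash_algo_type ;` carries a stray space before the semicolon; `} hash_algo_type;` matches the typedef immediately below it. None of the visible hunks reference the new enum, so its intended consumer is not apparent from the diff; a one-line `/** Selects the digest used by ... */` comment naming the API that takes it would help the reader.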
@@ -295,6 +300,20 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher);
*/
/**
+ * Allocate a new cipher context
+ *
+ * @return a new cipher context
+ */
+cipher_ctx_t *cipher_ctx_new(void);
+
+/**
+ * Free a cipher context
+ *
+ * @param ctx Cipher context.
+ */
+void cipher_ctx_free(cipher_ctx_t *ctx);
+
+/**
* Initialise a cipher context, based on the given key and key type.
*
* @param ctx Cipher context. May not be NULL
@@ -502,6 +521,20 @@ int md_kt_size(const md_kt_t *kt);
int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst);
/*
+ * Allocate a new message digest context
+ *
+ * @return a new zeroed MD context
+ */
+md_ctx_t *md_ctx_new(void);
+
+/*
+ * Free an existing, non-null message digest context
+ *
+ * @param ctx Message digest context
+ */
+void md_ctx_free(md_ctx_t *ctx);
+
+/*
* Initialises the given message digest context.
*
* @param ctx Message digest context
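Review bot: The comments on `md_ctx_new` and `md_ctx_free` open with `/*` rather than `/**`, unlike the `cipher_ctx_new`/`cipher_ctx_free` block added in the previous hunk, so the `@return` and `@param` tags will not be attached to the declarations by Doxygen; the `hmac_ctx_new`/`hmac_ctx_free` comments in the next hunk have the same problem. The surrounding `md_ctx_init` comment also uses `/*`, so this may follow local precedent, but the tags only work under `/**`. It would also help to state ownership in `md_ctx_new` (`Caller must release the result with md_ctx_free()`) and, in `md_ctx_free`, whether `md_ctx_cleanup` must be called first, since `free_key_ctx` in crypto.c runs the cleanup function before the matching free.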
@@ -550,6 +583,20 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst);
*/
/*
+ * Create a new HMAC context
+ *
+ * @return A new HMAC context
+ */
+hmac_ctx_t *hmac_ctx_new(void);
+
+/*
+ * Free an existing HMAC context
+ *
+ * @param ctx HMAC context to free
+ */
+void hmac_ctx_free(hmac_ctx_t *ctx);
+
+/*
* Initialises the given HMAC context, using the given digest
* and key.
*
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 942684c..24bc315 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -509,6 +508,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
*
*/
+mbedtls_cipher_context_t *
+cipher_ctx_new(void)
+{
+ mbedtls_cipher_context_t *ctx;
+ ALLOC_OBJ(ctx, mbedtls_cipher_context_t);
+ return ctx;
+}
+
+void
+cipher_ctx_free(mbedtls_cipher_context_t *ctx)
+{
+ free(ctx);
+}
void
cipher_ctx_init(mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len,
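Review bot: `cipher_ctx_new` (and `hmac_ctx_new` two hunks down) allocate with `ALLOC_OBJ`, leaving the structure's bytes indeterminate, while `md_ctx_new` in the next hunk uses `ALLOC_OBJ_CLEAR`. If `cipher_ctx_init` always performs a full mbedtls initialisation before any field is read this is harmless, but a context obtained from `cipher_ctx_new` and released without ever being initialised would then hold garbage pointers; `ALLOC_OBJ_CLEAR(ctx, mbedtls_cipher_context_t);` makes the three constructors uniform at no cost and matches the backend header's description of `md_ctx_new` returning a zeroed context.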
@@ -766,6 +778,18 @@ md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst)
return 0 == mbedtls_md(kt, src, src_len, dst);
}
+mbedtls_md_context_t *
+md_ctx_new(void)
+{
+ mbedtls_md_context_t *ctx;
+ ALLOC_OBJ_CLEAR(ctx, mbedtls_md_context_t);
+ return ctx;
+}
+
+void md_ctx_free(mbedtls_md_context_t *ctx)
+{
+ free(ctx);
+}
void
md_ctx_init(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt)
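Review bot: `void md_ctx_free(mbedtls_md_context_t *ctx)` puts the return type on the signature line, whereas the neighbouring `cipher_ctx_free` and `hmac_ctx_free` definitions, and the brace/return-type reformatting applied throughout this series, put `void` on its own line; the same slip appears in `md_ctx_free` in crypto_openssl.c. Suggest splitting it as `void` on one line and `md_ctx_free(mbedtls_md_context_t *ctx)` on the next.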
@@ -816,6 +840,21 @@ md_ctx_final(mbedtls_md_context_t *ctx, uint8_t *dst)
/*
* TODO: re-enable dmsg for crypto debug
*/
+
+mbedtls_md_context_t *
+hmac_ctx_new(void)
+{
+ mbedtls_md_context_t *ctx;
+ ALLOC_OBJ(ctx, mbedtls_md_context_t);
+ return ctx;
+}
+
+void
+hmac_ctx_free(mbedtls_md_context_t *ctx)
+{
+ free(ctx);
+}
+
void
hmac_ctx_init(mbedtls_md_context_t *ctx, const uint8_t *key, int key_len,
const mbedtls_md_info_t *kt)
diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
index d9b1446..a434ce3 100644
--- a/src/openvpn/crypto_mbedtls.h
+++ b/src/openvpn/crypto_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -73,6 +72,7 @@ typedef mbedtls_md_context_t hmac_ctx_t;
#define MD4_DIGEST_LENGTH 16
#define MD5_DIGEST_LENGTH 16
#define SHA_DIGEST_LENGTH 20
+#define SHA256_DIGEST_LENGTH 32
#define DES_KEY_LENGTH 8
/**
@@ -122,7 +122,8 @@ bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
/** Wraps mbed_log_func_line() to prevent function calls for non-errors */
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval,
- const char *func, int line) {
+ const char *func, int line)
+{
if (errval)
{
return mbed_log_func_line(flags, errval, func, line);
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b016d98..a55e65c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -42,6 +41,7 @@
#include "integer.h"
#include "crypto.h"
#include "crypto_backend.h"
+#include "openssl_compat.h"
#include <openssl/des.h>
#include <openssl/err.h>
@@ -186,14 +186,14 @@ crypto_clear_error(void)
}
void
-crypto_print_openssl_errors(const unsigned int flags) {
+crypto_print_openssl_errors(const unsigned int flags)
+{
size_t err = 0;
while ((err = ERR_get_error()))
{
/* Be more clear about frequently occurring "no shared cipher" error */
- if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO,
- SSL_R_NO_SHARED_CIPHER))
+ if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
{
msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
"in common with the client. Your --tls-cipher setting might be "
@@ -286,8 +286,7 @@ show_available_ciphers()
size_t i;
/* If we ever exceed this, we must be more selective */
- const size_t cipher_list_len = 1000;
- const EVP_CIPHER *cipher_list[cipher_list_len];
+ const EVP_CIPHER *cipher_list[1000];
size_t num_ciphers = 0;
#ifndef ENABLE_SMALL
printf("The following ciphers and cipher modes are available for use\n"
@@ -312,7 +311,7 @@ show_available_ciphers()
{
cipher_list[num_ciphers++] = cipher;
}
- if (num_ciphers == cipher_list_len)
+ if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list)))
{
msg(M_WARN, "WARNING: Too many ciphers, not showing all");
break;
@@ -551,8 +550,10 @@ cipher_kt_iv_size(const EVP_CIPHER *cipher_kt)
}
int
-cipher_kt_block_size(const EVP_CIPHER *cipher) {
- /* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
+cipher_kt_block_size(const EVP_CIPHER *cipher)
+{
+ /*
+ * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
* around that, try to replace the mode with 'CBC' and return the block size
* reported for that cipher, if possible. If that doesn't work, just return
* the value reported by OpenSSL.
@@ -649,6 +650,19 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher)
*
*/
+cipher_ctx_t *
+cipher_ctx_new(void)
+{
+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void
+cipher_ctx_free(EVP_CIPHER_CTX *ctx)
+{
+ EVP_CIPHER_CTX_free(ctx);
+}
void
cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
@@ -656,8 +670,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
{
ASSERT(NULL != kt && NULL != ctx);
- CLEAR(*ctx);
-
EVP_CIPHER_CTX_init(ctx);
if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
{
@@ -669,7 +681,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
crypto_msg(M_FATAL, "EVP set key size");
}
#endif
- if (!EVP_CipherInit(ctx, NULL, key, NULL, enc))
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
{
crypto_msg(M_FATAL, "EVP cipher init #2");
}
@@ -722,7 +734,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
int
cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf)
{
- return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1);
+ return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
}
int
@@ -843,13 +855,24 @@ md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst)
return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL);
}
+EVP_MD_CTX *
+md_ctx_new(void)
+{
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void md_ctx_free(EVP_MD_CTX *ctx)
+{
+ EVP_MD_CTX_free(ctx);
+}
+
void
md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
{
ASSERT(NULL != ctx && NULL != kt);
- CLEAR(*ctx);
-
EVP_MD_CTX_init(ctx);
EVP_DigestInit(ctx, kt);
}
@@ -857,7 +880,7 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
void
md_ctx_cleanup(EVP_MD_CTX *ctx)
{
- EVP_MD_CTX_cleanup(ctx);
+ EVP_MD_CTX_reset(ctx);
}
int
@@ -887,6 +910,19 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
*
*/
+HMAC_CTX *
+hmac_ctx_new(void)
+{
+ HMAC_CTX *ctx = HMAC_CTX_new();
+ check_malloc_return(ctx);
+ return ctx;
+}
+
+void
+hmac_ctx_free(HMAC_CTX *ctx)
+{
+ HMAC_CTX_free(ctx);
+}
void
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@@ -894,8 +930,6 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
{
ASSERT(NULL != kt && NULL != ctx);
- CLEAR(*ctx);
-
HMAC_CTX_init(ctx);
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
@@ -906,7 +940,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
void
hmac_ctx_cleanup(HMAC_CTX *ctx)
{
- HMAC_CTX_cleanup(ctx);
+ HMAC_CTX_reset(ctx);
}
int
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 56ec6e1..60a2812 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -33,6 +32,7 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
+#include <openssl/sha.h>
/** Generic cipher key type %context. */
typedef EVP_CIPHER cipher_kt_t;
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 69a5a32..d90cc5d 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -281,7 +281,9 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
}
/* and now, we have to reverse the byte-order in the result from CryptSignHash()... */
for (i = 0; i < len; i++)
+ {
to[i] = buf[len - i - 1];
+ }
free(buf);
CryptDestroyHash(hash);
@@ -389,7 +391,9 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
}
hash[i] = x;
/* skip any space(s) between hex numbers */
- for (p++; *p && *p == ' '; p++) ;
+ for (p++; *p && *p == ' '; p++)
+ {
+ }
}
blob.cbData = i;
blob.pbData = (unsigned char *) &hash;
@@ -547,7 +551,8 @@ err:
#else /* ifdef ENABLE_CRYPTOAPI */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* _WIN32 */
diff --git a/src/openvpn/dhcp.c b/src/openvpn/dhcp.c
index c17a22e..a2a5454 100644
--- a/src/openvpn/dhcp.c
+++ b/src/openvpn/dhcp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -160,17 +159,20 @@ udp_checksum(const uint8_t *buf,
/* make 16 bit words out of every two adjacent 8 bit words and */
/* calculate the sum of all 16 bit words */
- for (i = 0; i < len_udp; i += 2) {
+ for (i = 0; i < len_udp; i += 2)
+ {
word16 = ((buf[i] << 8) & 0xFF00) + ((i + 1 < len_udp) ? (buf[i+1] & 0xFF) : 0);
sum += word16;
}
/* add the UDP pseudo header which contains the IP source and destination addresses */
- for (i = 0; i < 4; i += 2) {
+ for (i = 0; i < 4; i += 2)
+ {
word16 = ((src_addr[i] << 8) & 0xFF00) + (src_addr[i+1] & 0xFF);
sum += word16;
}
- for (i = 0; i < 4; i += 2) {
+ for (i = 0; i < 4; i += 2)
+ {
word16 = ((dest_addr[i] << 8) & 0xFF00) + (dest_addr[i+1] & 0xFF);
sum += word16;
}
@@ -180,7 +182,9 @@ udp_checksum(const uint8_t *buf,
/* keep only the last 16 bits of the 32 bit calculated sum and add the carries */
while (sum >> 16)
+ {
sum = (sum & 0xFFFF) + (sum >> 16);
+ }
/* Take the one's complement of sum */
return ((uint16_t) ~sum);
diff --git a/src/openvpn/dhcp.h b/src/openvpn/dhcp.h
index d406870..dc41658 100644
--- a/src/openvpn/dhcp.h
+++ b/src/openvpn/dhcp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef DHCP_H
diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index c4dd518..5bb043b 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef ERRLEVEL_H
diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index e78f272..ce50ff9 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -836,7 +835,8 @@ strerror_win32(DWORD errnum, struct gc_arena *gc)
* Posix equivalents.
*/
#if 1
- switch (errnum) {
+ switch (errnum)
+ {
/*
* When the TAP-Windows driver returns STATUS_UNSUCCESSFUL, this code
* gets returned to user space.
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index df4eee7..14ef7e6 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef ERROR_H
@@ -394,7 +393,8 @@ ignore_sys_error(const int err)
/** Convert fatal errors to nonfatal, don't touch other errors */
static inline unsigned int
-nonfatal(const unsigned int err) {
+nonfatal(const unsigned int err)
+{
return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err;
}
diff --git a/src/openvpn/event.c b/src/openvpn/event.c
index f4922e0..d123070 100644
--- a/src/openvpn/event.c
+++ b/src/openvpn/event.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -394,11 +393,13 @@ we_wait(struct event_set *es, const struct timeval *tv, struct event_set_return
{
int i;
for (i = 0; i < wes->n_events; ++i)
+ {
dmsg(D_EVENT_WAIT, "[%d] ev=%p rwflags=0x%04x arg=" ptr_format,
i,
wes->events[i],
wes->esr[i].rwflags,
(ptr_type)wes->esr[i].arg);
+ }
}
#endif
@@ -922,7 +923,9 @@ se_reset(struct event_set *es)
FD_ZERO(&ses->readfds);
FD_ZERO(&ses->writefds);
for (i = 0; i <= ses->maxfd; ++i)
+ {
ses->args[i] = NULL;
+ }
ses->maxfd = -1;
}
diff --git a/src/openvpn/event.h b/src/openvpn/event.h
index 6a6e029..ff795f4 100644
--- a/src/openvpn/event.h
+++ b/src/openvpn/event.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef EVENT_H
diff --git a/src/openvpn/fdmisc.c b/src/openvpn/fdmisc.c
index 401069d..56e2250 100644
--- a/src/openvpn/fdmisc.c
+++ b/src/openvpn/fdmisc.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/fdmisc.h b/src/openvpn/fdmisc.h
index 1e84a08..b6d7101 100644
--- a/src/openvpn/fdmisc.h
+++ b/src/openvpn/fdmisc.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FD_MISC_H
diff --git a/src/openvpn/forward-inline.h b/src/openvpn/forward-inline.h
index 97e1cd6..ab83ea4 100644
--- a/src/openvpn/forward-inline.h
+++ b/src/openvpn/forward-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FORWARD_INLINE_H
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 8102e94..371ddca 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -866,9 +865,16 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
* will load crypto_options with the correct encryption key
* and return false.
*/
+ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
floated, &ad_start))
{
+ /* Restore pre-NCP frame parameters */
+ if (is_hard_reset(opcode, c->options.key_method))
+ {
+ c->c2.frame = c->c2.frame_initial;
+ }
+
interval_action(&c->c2.tmp_int);
/* reset packet received timer if TLS packet */
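Review bot: The opcode byte at `uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;` is read before tls_pre_decrypt() is called, so it relies on the enclosing code (outside this hunk) having already established `c->c2.buf.len > 0`; if that guard is not present above, an empty datagram makes this a read past the payload. A one-line precondition comment would make the dependency visible, e.g. `/* assumes c->c2.buf.len > 0 (established by the enclosing branch) -- TODO confirm */`. The `c->c2.frame = c->c2.frame_initial;` restore is a silent struct copy; naming the matching snapshot taken in init_instance() in the "Restore pre-NCP frame parameters" comment would help readers find the other half. process_incoming_link_part1 starts and ends outside the hunk.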
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
index ae86e7a..9fde5a3 100644
--- a/src/openvpn/forward.h
+++ b/src/openvpn/forward.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
diff --git a/src/openvpn/fragment.c b/src/openvpn/fragment.c
index 6fbfe08..38de62f 100644
--- a/src/openvpn/fragment.c
+++ b/src/openvpn/fragment.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,7 +43,9 @@ fragment_list_buf_init(struct fragment_list *list, const struct frame *frame)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
list->fragments[i].buf = alloc_buf(BUF_SIZE(frame));
+ }
}
static void
@@ -52,7 +53,9 @@ fragment_list_buf_free(struct fragment_list *list)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
free_buf(&list->fragments[i].buf);
+ }
}
/*
@@ -67,7 +70,9 @@ fragment_list_get_buf(struct fragment_list *list, int seq_id)
{
int i;
for (i = 0; i < N_FRAG_BUF; ++i)
+ {
list->fragments[i].defined = false;
+ }
list->index = 0;
list->seq_id = seq_id;
diff = 0;
@@ -433,6 +438,7 @@ fragment_wakeup(struct fragment_master *f, struct frame *frame)
#else /* ifdef ENABLE_FRAGMENT */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_FRAGMENT */
diff --git a/src/openvpn/fragment.h b/src/openvpn/fragment.h
index a24b524..90ba8f7 100644
--- a/src/openvpn/fragment.h
+++ b/src/openvpn/fragment.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef FRAGMENT_H
diff --git a/src/openvpn/gremlin.c b/src/openvpn/gremlin.c
index 5bff5e8..e85ce9c 100644
--- a/src/openvpn/gremlin.c
+++ b/src/openvpn/gremlin.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -95,7 +94,8 @@ get_packet_flood_parms(int level)
* Return true with probability 1/n
*/
static bool
-flip(int n) {
+flip(int n)
+{
return (get_random() % n) == 0;
}
@@ -104,7 +104,8 @@ flip(int n) {
* low and high.
*/
static int
-roll(int low, int high) {
+roll(int low, int high)
+{
int ret;
ASSERT(low <= high);
ret = low + (get_random() % (high - low + 1));
@@ -181,7 +182,8 @@ ask_gremlin(int flags)
* Possibly corrupt a packet.
*/
void
-corrupt_gremlin(struct buffer *buf, int flags) {
+corrupt_gremlin(struct buffer *buf, int flags)
+{
const int corrupt_level = GREMLIN_CORRUPT_LEVEL(flags);
if (corrupt_level)
{
@@ -194,7 +196,8 @@ corrupt_gremlin(struct buffer *buf, int flags) {
uint8_t r = roll(0, 255);
int method = roll(0, 5);
- switch (method) {
+ switch (method)
+ {
case 0: /* corrupt the first byte */
*BPTR(buf) = r;
break;
@@ -232,6 +235,7 @@ corrupt_gremlin(struct buffer *buf, int flags) {
#else /* ifdef ENABLE_DEBUG */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_DEBUG */
diff --git a/src/openvpn/gremlin.h b/src/openvpn/gremlin.h
index 8f41864..8b23b34 100644
--- a/src/openvpn/gremlin.h
+++ b/src/openvpn/gremlin.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef GREMLIN_H
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index adcc4f8..17d1528 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/helper.h b/src/openvpn/helper.h
index 593d1ed..c5b438b 100644
--- a/src/openvpn/helper.h
+++ b/src/openvpn/helper.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/httpdigest.c b/src/openvpn/httpdigest.c
index 01301c0..c553f93 100644
--- a/src/openvpn/httpdigest.c
+++ b/src/openvpn/httpdigest.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,7 +43,8 @@ CvtHex(
unsigned short i;
unsigned char j;
- for (i = 0; i < HASHLEN; i++) {
+ for (i = 0; i < HASHLEN; i++)
+ {
j = (Bin[i] >> 4) & 0xf;
if (j <= 9)
{
@@ -80,27 +80,28 @@ DigestCalcHA1(
)
{
HASH HA1;
- md_ctx_t md5_ctx;
+ md_ctx_t *md5_ctx = md_ctx_new();
const md_kt_t *md5_kt = md_kt_get("MD5");
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
- md_ctx_final(&md5_ctx, HA1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszUserName, strlen(pszUserName));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszRealm, strlen(pszRealm));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszPassword, strlen(pszPassword));
+ md_ctx_final(md5_ctx, HA1);
if (pszAlg && strcasecmp(pszAlg, "md5-sess") == 0)
{
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, HA1, HASHLEN);
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_final(&md5_ctx, HA1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, HA1, HASHLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_final(md5_ctx, HA1);
}
- md_ctx_cleanup(&md5_ctx);
+ md_ctx_cleanup(md5_ctx);
+ md_ctx_free(md5_ctx);
CvtHex(HA1, SessionKey);
}
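Review bot: Neither `md5_kt` from `md_kt_get("MD5")` nor the context from `md_ctx_new()` is checked before `md_ctx_init(md5_ctx, md5_kt);`; if md_ctx_new() aborts internally on allocation failure that is acceptable, but a NULL md_kt (MD5 unavailable in the configured crypto backend) is handed straight to md_ctx_init(). The same pattern appears in DigestCalcResponse in the next hunk. Because the context is now heap-allocated, any early `return` added between md_ctx_new() and md_ctx_free() becomes a leak; a comment `/* md5_ctx is heap-allocated: every exit path must reach md_ctx_free() */` would warn future editors. HA1 is derived from the password and remains in stack memory after return, as it did before this change, so I only note it here. DigestCalcHA1's signature starts outside the hunk.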
@@ -122,40 +123,41 @@ DigestCalcResponse(
HASH RespHash;
HASHHEX HA2Hex;
- md_ctx_t md5_ctx;
+ md_ctx_t *md5_ctx = md_ctx_new();
const md_kt_t *md5_kt = md_kt_get("MD5");
/* calculate H(A2) */
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszMethod, strlen(pszMethod));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszDigestUri, strlen(pszDigestUri));
if (strcasecmp(pszQop, "auth-int") == 0)
{
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, HEntity, HASHHEXLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, HEntity, HASHHEXLEN);
}
- md_ctx_final(&md5_ctx, HA2);
+ md_ctx_final(md5_ctx, HA2);
CvtHex(HA2, HA2Hex);
/* calculate response */
- md_ctx_init(&md5_ctx, md5_kt);
- md_ctx_update(&md5_ctx, HA1, HASHHEXLEN);
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_init(md5_ctx, md5_kt);
+ md_ctx_update(md5_ctx, HA1, HASHHEXLEN);
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonce, strlen(pszNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
if (*pszQop)
{
- md_ctx_update(&md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
- md_ctx_update(&md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
- md_ctx_update(&md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszNonceCount, strlen(pszNonceCount));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszCNonce, strlen(pszCNonce));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
+ md_ctx_update(md5_ctx, (const uint8_t *) pszQop, strlen(pszQop));
+ md_ctx_update(md5_ctx, (const uint8_t *) ":", 1);
}
- md_ctx_update(&md5_ctx, HA2Hex, HASHHEXLEN);
- md_ctx_final(&md5_ctx, RespHash);
- md_ctx_cleanup(&md5_ctx);
+ md_ctx_update(md5_ctx, HA2Hex, HASHHEXLEN);
+ md_ctx_final(md5_ctx, RespHash);
+ md_ctx_cleanup(md5_ctx);
+ md_ctx_free(md5_ctx);
CvtHex(RespHash, Response);
}
diff --git a/src/openvpn/httpdigest.h b/src/openvpn/httpdigest.h
index b074fb2..aae7b8c 100644
--- a/src/openvpn/httpdigest.h
+++ b/src/openvpn/httpdigest.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if PROXY_DIGEST_AUTH
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9a3e29d..0652ef4 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -252,31 +251,42 @@ ce_management_query_remote(struct context *c)
{
struct gc_arena gc = gc_new();
volatile struct connection_entry *ce = &c->options.ce;
- int ret = true;
+ int ce_changed = true; /* presume the connection entry will be changed */
+
update_time();
if (management)
{
struct buffer out = alloc_buf_gc(256, &gc);
- buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, ce->af, false));
+
+ buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
+ proto2ascii(ce->proto, ce->af, false));
management_notify_generic(management, BSTR(&out));
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);
- while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
+
+ ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
+ ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
+ while (((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
+ & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
{
management_event_loop_n_seconds(management, 1);
if (IS_SIG(c))
{
- ret = false;
+ ce_changed = false; /* connection entry have not been set */
break;
}
}
}
+ gc_free(&gc);
+
+ if (ce_changed)
{
- const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
- ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);
+ /* If it is likely a connection entry was modified,
+ * check what changed in the flags and that it was not skipped
+ */
+ const int flags = ((ce->flags >> CE_MAN_QUERY_REMOTE_SHIFT)
+ & CE_MAN_QUERY_REMOTE_MASK);
+ ce_changed = (flags != CE_MAN_QUERY_REMOTE_SKIP);
}
- gc_free(&gc);
- return ret;
+ return ce_changed;
}
#endif /* ENABLE_MANAGEMENT */
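Review bot: `int ce_changed = true;` stores a boolean, and the new name makes that explicit, so `bool ce_changed = true;` would be the idiomatic type (the function's return type is outside the hunk, so I cannot confirm it is bool). The added comment `/* connection entry have not been set */` should read `/* connection entry has not been set */`. Moving `gc_free(&gc);` ahead of the flags check is safe as far as the hunk shows, since `gc` only backs `out` and `out` is not referenced after management_notify_generic().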
@@ -331,7 +341,8 @@ next_connection_entry(struct context *c)
struct connection_entry *ce;
int n_cycles = 0;
- do {
+ do
+ {
ce_defined = true;
if (c->options.no_advance && l->current >= 0)
{
@@ -403,11 +414,7 @@ next_connection_entry(struct context *c)
break;
}
}
- else
-#endif
-
-#ifdef ENABLE_MANAGEMENT
- if (ce_defined && management && management_query_proxy_enabled(management))
+ else if (ce_defined && management && management_query_proxy_enabled(management))
{
ce_defined = ce_management_query_proxy(c);
if (IS_SIG(c))
@@ -533,8 +540,10 @@ context_init_1(struct context *c)
int i;
pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
+ {
pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
c->options.pkcs11_private_mode[i], c->options.pkcs11_cert_private[i]);
+ }
}
#endif
@@ -552,6 +561,15 @@ context_init_1(struct context *c)
}
#endif
+#ifdef ENABLE_SYSTEMD
+ /* We can report the PID via getpid() to systemd here as OpenVPN will not
+ * do any fork due to daemon() a future call.
+ * See possibly_become_daemon() [init.c] for more details.
+ */
+ sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
+ (unsigned long) getpid());
+#endif
+
}
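Review bot: The comment wording `do any fork due to daemon() a future call` is garbled; suggest `OpenVPN will not fork again through a later daemon() call`. Beyond wording, `READY=1` is now sent at the end of pre-connection initialization rather than when the tunnel is up (the later hunk in initialization_sequence_completed reduces that notification to `STATUS=%s`), so units ordered after an openvpn service may no longer assume the tunnel exists when they start; that consequence deserves a sentence in this comment and in the commit message. The block uses sd_notifyf() and getpid(), whose headers must already be included under ENABLE_SYSTEMD. context_init_1 starts outside the hunk.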
void
@@ -614,7 +632,9 @@ init_static(void)
{
int i;
for (i = 0; i < argc; ++i)
+ {
msg(M_INFO, "argv[%d] = '%s'", i, argv[i]);
+ }
}
#endif
@@ -760,7 +780,9 @@ init_static(void)
{
int i;
for (i = 0; i < SIZE(text); ++i)
+ {
buffer_list_push(bl, (unsigned char *)text[i]);
+ }
}
printf("[cap=%d i=%d] *************************\n", listcap, iter);
if (!(iter & 8))
@@ -783,7 +805,9 @@ init_static(void)
int c;
printf("'");
while ((c = buf_read_u8(buf)) >= 0)
+ {
putchar(c);
+ }
printf("'\n");
buffer_list_advance(bl, 0);
}
@@ -1026,24 +1050,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
{
if (no_delay)
{
-#ifdef ENABLE_SYSTEMD
- /* If OpenVPN is started by systemd, the OpenVPN process needs
- * to provide a preliminary status report to systemd. This is
- * needed as $NOTIFY_SOCKET will not be available inside the
- * chroot, which sd_notify()/sd_notifyf() depends on.
- *
- * This approach is the simplest and the most non-intrusive
- * solution right before the 2.4_rc2 release.
- *
- * TODO: Consider altnernative solutions - bind mount?
- * systemd does not grok OpenVPN configuration files, thus cannot
- * have a sane way to know if OpenVPN will chroot or not and to
- * which subdirectory it will chroot into.
- */
- sd_notifyf(0, "READY=1\n"
- "STATUS=Entering chroot, most of the init completed successfully\n"
- "MAINPID=%lu", (unsigned long) getpid());
-#endif
platform_chroot(c->options.chroot_dir);
}
else if (c->first_time)
@@ -1376,6 +1382,21 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
/* If we delayed UID/GID downgrade or chroot, do it now */
do_uid_gid_chroot(c, true);
+
+#ifdef ENABLE_CRYPTO
+ /*
+ * In some cases (i.e. when receiving auth-token via
+ * push-reply) the auth-nocache option configured on the
+ * client is overridden; for this reason we have to wait
+ * for the push-reply message before attempting to wipe
+ * the user/pass entered by the user
+ */
+ if (c->options.mode == MODE_POINT_TO_POINT)
+ {
+ delayed_auth_pass_purge();
+ }
+#endif /* ENABLE_CRYPTO */
+
/* Test if errors */
if (flags & ISC_ERRORS)
{
@@ -1393,7 +1414,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
else
{
#ifdef ENABLE_SYSTEMD
- sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid());
+ sd_notifyf(0, "STATUS=%s", message);
#endif
msg(M_INFO, "%s", message);
}
@@ -1830,7 +1851,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(c->options.msg_channel))
+ if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
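Review bot: `adapter_index` is passed to win_wfp_uninit() here and in the second do_close_tun hunk below, but neither hunk shows where it is defined; if it is a local derived from the tun/tap state earlier in do_close_tun, it has to be captured before that state is torn down on both paths, which I cannot verify from the hunks. A short comment at its definition, e.g. `/* captured before the adapter is closed; needed by win_wfp_uninit() on both teardown paths */`, would make that requirement explicit. do_close_tun starts and ends outside the hunk.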
@@ -1870,7 +1891,7 @@ do_close_tun(struct context *c, bool force)
#if defined(_WIN32)
if (c->options.block_outside_dns)
{
- if (!win_wfp_uninit(c->options.msg_channel))
+ if (!win_wfp_uninit(adapter_index, c->options.msg_channel))
{
msg(M_FATAL, "Uninitialising WFP failed!");
}
@@ -1903,12 +1924,12 @@ tun_abort()
* equal, or either one is all-zeroes.
*/
static bool
-options_hash_changed_or_zero(const struct md5_digest *a,
- const struct md5_digest *b)
+options_hash_changed_or_zero(const struct sha256_digest *a,
+ const struct sha256_digest *b)
{
- const struct md5_digest zero = {{0}};
- return memcmp(a, b, sizeof(struct md5_digest))
- || !memcmp(a, &zero, sizeof(struct md5_digest));
+ const struct sha256_digest zero = {{0}};
+ return memcmp(a, b, sizeof(struct sha256_digest))
+ || !memcmp(a, &zero, sizeof(struct sha256_digest));
}
#endif /* P2MP */
@@ -1919,7 +1940,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
{
reset_coarse_timers(c);
- if (pulled_options && option_types_found)
+ if (pulled_options)
{
if (!do_deferred_options(c, option_types_found))
{
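Review bot: Dropping `&& option_types_found` means do_deferred_options() now also runs when a push-reply carried no recognised options; whether that is intended depends on do_deferred_options() tolerating `option_types_found == 0`, which is outside the hunk. A comment on the condition, e.g. `/* deferred options must run even when nothing was pushed */`, would stop the next reader from re-adding the check, and the commit message should state the reason. do_up starts and ends outside the hunk.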
@@ -2625,6 +2646,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
memmove(to.remote_cert_ku, options->remote_cert_ku, sizeof(to.remote_cert_ku));
to.remote_cert_eku = options->remote_cert_eku;
to.verify_hash = options->verify_hash;
+ to.verify_hash_algo = options->verify_hash_algo;
#ifdef ENABLE_X509ALTUSERNAME
to.x509_username_field = (char *) options->x509_username_field;
#else
@@ -2752,7 +2774,10 @@ do_init_crypto_none(const struct context *c)
{
ASSERT(!c->options.test_crypto);
msg(M_WARN,
- "******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext");
+ "******* WARNING *******: All encryption and authentication features "
+ "disabled -- All data will be tunnelled as clear text and will not be "
+ "protected against man-in-the-middle changes. "
+ "PLEASE DO RECONSIDER THIS CONFIGURATION!");
}
#endif /* ifdef ENABLE_CRYPTO */
@@ -2997,6 +3022,10 @@ do_option_warnings(struct context *c)
{
msg(M_WARN, "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
}
+ if (o->ns_cert_type)
+ {
+ msg(M_WARN, "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
+ }
#endif /* ifdef ENABLE_CRYPTO */
/* If a script is used, print appropiate warnings */
@@ -4055,6 +4084,8 @@ init_instance(struct context *c, const struct env_set *env, const unsigned int f
c->c2.did_open_tun = do_open_tun(c);
}
+ c->c2.frame_initial = c->c2.frame;
+
/* print MTU info */
do_print_data_channel_mtu_parms(c);
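Review bot: `c->c2.frame_initial = c->c2.frame;` is an unexplained struct snapshot; a comment naming its consumer would help, e.g. `/* Snapshot the frame before negotiation can change it; process_incoming_link_part1() restores it on a hard reset */`. The matching restore is added to forward.c in this same commit. init_instance starts and ends outside the hunk.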
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 3b97d84..15feb67 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef INIT_H
diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h
index bae8f16..240781b 100644
--- a/src/openvpn/integer.h
+++ b/src/openvpn/integer.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef INTEGER_H
diff --git a/src/openvpn/interval.c b/src/openvpn/interval.c
index 99e72a0..1634386 100644
--- a/src/openvpn/interval.c
+++ b/src/openvpn/interval.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/interval.h b/src/openvpn/interval.h
index 5ed64a9..8095c0b 100644
--- a/src/openvpn/interval.h
+++ b/src/openvpn/interval.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -106,7 +105,8 @@ interval_schedule_wakeup(struct interval *top, interval_t *wakeup)
* In wakeup seconds, interval_test will return true once.
*/
static inline void
-interval_future_trigger(struct interval *top, interval_t wakeup) {
+interval_future_trigger(struct interval *top, interval_t wakeup)
+{
if (wakeup)
{
#if INTERVAL_DEBUG
diff --git a/src/openvpn/list.c b/src/openvpn/list.c
index fb9f664..edca6f7 100644
--- a/src/openvpn/list.c
+++ b/src/openvpn/list.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -476,7 +475,8 @@ list_test(void)
int inc = 0;
int count = 0;
- for (base = 0; base < hash_n_buckets(hash); base += inc) {
+ for (base = 0; base < hash_n_buckets(hash); base += inc)
+ {
struct hash_iterator hi;
struct hash_element *he;
inc = (get_random() % 3) + 1;
@@ -670,6 +670,7 @@ hash_func(const uint8_t *k, uint32_t length, uint32_t initval)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/list.h b/src/openvpn/list.h
index 6270f88..c808efa 100644
--- a/src/openvpn/list.h
+++ b/src/openvpn/list.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef LIST_H
diff --git a/src/openvpn/lzo.c b/src/openvpn/lzo.c
index 3d6891e..f754865 100644
--- a/src/openvpn/lzo.c
+++ b/src/openvpn/lzo.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -267,6 +266,7 @@ const struct compress_alg lzo_alg = {
#else /* if defined(ENABLE_LZO) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_LZO */
diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h
index 85937b2..deaeb8d 100644
--- a/src/openvpn/lzo.h
+++ b/src/openvpn/lzo.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_LZO_H
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 763f6c6..c2e8dc7 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -1984,7 +1983,9 @@ man_process_command(struct management *man, const char *line)
{
int i;
for (i = 0; i < nparms; ++i)
+ {
msg(M_INFO, "[%d] '%s'", i, parms[i]);
+ }
}
#endif
@@ -3088,7 +3089,8 @@ management_io(struct management *man)
if (net_events & FD_READ)
{
while (man_read(man) > 0)
- ;
+ {
+ }
net_event_win32_clear_selected_events(&man->connection.ne32, FD_READ);
}
@@ -3311,7 +3313,8 @@ man_wait_for_client_connection(struct management *man,
{
msg(D_MANAGEMENT, "Need information from management interface, waiting...");
}
- do {
+ do
+ {
man_standalone_event_loop(man, signal_received, expire);
if (signal_received && *signal_received)
{
@@ -3929,7 +3932,9 @@ log_history_free_contents(struct log_history *h)
{
int i;
for (i = 0; i < h->size; ++i)
+ {
log_entry_free_contents(&h->array[log_index(h, i)]);
+ }
free(h->array);
}
@@ -3973,7 +3978,9 @@ log_history_resize(struct log_history *h, const int capacity)
log_history_obj_init(&newlog, capacity);
for (i = 0; i < h->size; ++i)
+ {
log_history_add(&newlog, &h->array[log_index(h, i)]);
+ }
log_history_free_contents(h);
*h = newlog;
@@ -3995,6 +4002,7 @@ log_history_ref(const struct log_history *h, const int index)
#else /* ifdef ENABLE_MANAGEMENT */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_MANAGEMENT */
diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h
index 6e5cb9b..542cc07 100644
--- a/src/openvpn/manage.h
+++ b/src/openvpn/manage.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MANAGE_H
diff --git a/src/openvpn/mbuf.c b/src/openvpn/mbuf.c
index 7a23e59..fafbce0 100644
--- a/src/openvpn/mbuf.c
+++ b/src/openvpn/mbuf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -174,6 +173,7 @@ mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
#else /* if P2MP */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP */
diff --git a/src/openvpn/mbuf.h b/src/openvpn/mbuf.h
index cfaef58..e0643de 100644
--- a/src/openvpn/mbuf.h
+++ b/src/openvpn/mbuf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MBUF_H
diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h
index ee30b15..0ba695f 100644
--- a/src/openvpn/memdbg.h
+++ b/src/openvpn/memdbg.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MEMDBG_H
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 87f03be..fbd9938 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -650,7 +649,8 @@ const char *
env_set_get(const struct env_set *es, const char *name)
{
const struct env_item *item = es->list;
- while (item && !env_string_equal(item->string, name)) {
+ while (item && !env_string_equal(item->string, name))
+ {
item = item->next;
}
return item ? item->string : NULL;
@@ -700,57 +700,6 @@ env_set_inherit(struct env_set *es, const struct env_set *src)
}
}
-void
-env_set_add_to_environment(const struct env_set *es)
-{
- if (es)
- {
- struct gc_arena gc = gc_new();
- const struct env_item *e;
-
- e = es->list;
-
- while (e)
- {
- const char *name;
- const char *value;
-
- if (deconstruct_name_value(e->string, &name, &value, &gc))
- {
- setenv_str(NULL, name, value);
- }
-
- e = e->next;
- }
- gc_free(&gc);
- }
-}
-
-void
-env_set_remove_from_environment(const struct env_set *es)
-{
- if (es)
- {
- struct gc_arena gc = gc_new();
- const struct env_item *e;
-
- e = es->list;
-
- while (e)
- {
- const char *name;
- const char *value;
-
- if (deconstruct_name_value(e->string, &name, &value, &gc))
- {
- setenv_del(NULL, name);
- }
-
- e = e->next;
- }
- gc_free(&gc);
- }
-}
/* add/modify/delete environmental strings */
@@ -1438,7 +1387,7 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag)
static const uint8_t hashprefix[] = "AUTO_USERID_DIGEST";
const md_kt_t *md5_kt = md_kt_get("MD5");
- md_ctx_t ctx;
+ md_ctx_t *ctx;
CLEAR(*up);
buf_set_write(&buf, (uint8_t *)up->username, USER_PASS_LEN);
@@ -1446,11 +1395,13 @@ get_user_pass_auto_userid(struct user_pass *up, const char *tag)
if (get_default_gateway_mac_addr(macaddr))
{
dmsg(D_AUTO_USERID, "GUPAU: macaddr=%s", format_hex_ex(macaddr, sizeof(macaddr), 0, 1, ":", &gc));
- md_ctx_init(&ctx, md5_kt);
- md_ctx_update(&ctx, hashprefix, sizeof(hashprefix) - 1);
- md_ctx_update(&ctx, macaddr, sizeof(macaddr));
- md_ctx_final(&ctx, digest);
- md_ctx_cleanup(&ctx)
+ ctx = md_ctx_new();
+ md_ctx_init(ctx, md5_kt);
+ md_ctx_update(ctx, hashprefix, sizeof(hashprefix) - 1);
+ md_ctx_update(ctx, macaddr, sizeof(macaddr));
+ md_ctx_final(ctx, digest);
+ md_ctx_cleanup(ctx);
+ md_ctx_free(ctx);
buf_printf(&buf, "%s", format_hex_ex(digest, sizeof(digest), 0, 256, " ", &gc));
}
else
@@ -1479,7 +1430,11 @@ purge_user_pass(struct user_pass *up, const bool force)
secure_memzero(up, sizeof(*up));
up->nocache = nocache;
}
- else if (!warn_shown)
+ /*
+ * don't show warning if the pass has been replaced by a token: this is an
+ * artificial "auth-nocache"
+ */
+ else if (!warn_shown && (!up->tokenized))
{
msg(M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
warn_shown = true;
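Review bot: The new comment above the `else if` explains why the warning is suppressed but not that the token itself stays cached: when `nocache` is false the token written by set_auth_token remains in `up->password`, so `tokenized` only means the original password has been overwritten, not that nothing is held in memory. I would extend it to `/* don't warn if the password has been replaced by a pushed auth-token: the original credential is gone from up->password, though the token itself stays in memory until purge (an artificial "auth-nocache") */`. purge_user_pass starts outside the hunk.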
@@ -1493,6 +1448,7 @@ set_auth_token(struct user_pass *up, const char *token)
{
CLEAR(up->password);
strncpynt(up->password, token, USER_PASS_LEN);
+ up->tokenized = true;
}
}
@@ -1547,7 +1503,9 @@ make_env_array(const struct env_set *es,
if (es)
{
for (e = es->list; e != NULL; e = e->next)
+ {
++n;
+ }
}
/* alloc return array */
@@ -1609,7 +1567,9 @@ make_inline_array(const char *str, struct gc_arena *gc)
buf_set_read(&buf, (const uint8_t *) str, strlen(str));
while (buf_parse(&buf, '\n', line, sizeof(line)))
+ {
++len;
+ }
/* alloc return array */
ALLOC_ARRAY_CLEAR_GC(ret, char *, len + 1, gc);
@@ -1639,7 +1599,9 @@ make_arg_copy(char **p, struct gc_arena *gc)
ALLOC_ARRAY_CLEAR_GC(ret, char *, max_parms, gc);
for (i = 0; i < len; ++i)
+ {
ret[i] = p[i];
+ }
return (const char **)ret;
}
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 16be621..ce96549 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MISC_H
@@ -161,10 +160,6 @@ void env_set_print(int msglevel, const struct env_set *es);
void env_set_inherit(struct env_set *es, const struct env_set *src);
-void env_set_add_to_environment(const struct env_set *es);
-
-void env_set_remove_from_environment(const struct env_set *es);
-
/* Make arrays of strings */
const char **make_env_array(const struct env_set *es,
@@ -206,6 +201,8 @@ struct user_pass
{
bool defined;
bool nocache;
+ bool tokenized; /* true if password has been substituted by a token */
+ bool wait_for_push; /* true if this object is waiting for a push-reply */
/* max length of username/password */
#ifdef ENABLE_PKCS11
diff --git a/src/openvpn/mroute.c b/src/openvpn/mroute.c
index 8b466b6..7b46a6a 100644
--- a/src/openvpn/mroute.c
+++ b/src/openvpn/mroute.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -562,6 +561,7 @@ mroute_helper_free(struct mroute_helper *mh)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/mroute.h b/src/openvpn/mroute.h
index 0698348..e57a950 100644
--- a/src/openvpn/mroute.h
+++ b/src/openvpn/mroute.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MROUTE_H
diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c
index 5b110d2..c36e004 100644
--- a/src/openvpn/mss.c
+++ b/src/openvpn/mss.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -120,8 +119,12 @@ mss_fixup_ipv6(struct buffer *buf, int maxmss)
return;
}
+ /* skip IPv6 header (40 bytes),
+ * verify remainder is large enough to contain a full TCP header
+ */
newbuf = *buf;
- if (buf_advance( &newbuf, 40 ) )
+ if (buf_advance( &newbuf, 40 )
+ && BLEN(&newbuf) >= (int) sizeof(struct openvpn_tcphdr))
{
struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
@@ -145,7 +148,10 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
int accumulate;
struct openvpn_tcphdr *tc;
- ASSERT(BLEN(buf) >= (int) sizeof(struct openvpn_tcphdr));
+ if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
+ {
+ return;
+ }
verify_align_4(buf);
tc = (struct openvpn_tcphdr *) BPTR(buf);
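Review bot: The replacement of the ASSERT with a silent return at the top of mss_fixup_dowork deserves a comment saying why, since a reader may otherwise restore the assertion: a packet whose TCP header is truncated used to abort the process, and now the MSS fixup is simply skipped. I would add `/* truncated TCP header: skip the fixup instead of asserting, a malformed packet must not crash the daemon */` above the check. The length is compared only against the fixed header; whether the option area (hlen) is bounded against the buffer is decided outside this hunk and should be confirmed there. mss_fixup_dowork continues past the hunk.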
@@ -160,8 +166,9 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss)
for (olen = hlen - sizeof(struct openvpn_tcphdr),
opt = (uint8_t *)(tc + 1);
- olen > 0;
- olen -= optlen, opt += optlen) {
+ olen > 1;
+ olen -= optlen, opt += optlen)
+ {
if (*opt == OPENVPN_TCPOPT_EOL)
{
break;
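Review bot: The loop condition change from `olen > 0` to `olen > 1` is correct but unexplained: the body reads the option length byte at `opt + 1`, so at least two bytes must remain before a non-EOL/non-NOP option is inspected, and a short comment would keep the next maintainer from reverting it. I would write `olen > 1; /* need kind + length bytes before reading *(opt + 1) */`. Whether an option's declared length is then bounded against `olen` before it is consumed is decided by lines outside this hunk and should be verified there. The loop body and mss_fixup_dowork continue past the hunk.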
diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h
index afe7a32..0de2042 100644
--- a/src/openvpn/mss.h
+++ b/src/openvpn/mss.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MSS_H
diff --git a/src/openvpn/mstats.c b/src/openvpn/mstats.c
index 8ab1d02..9b09188 100644
--- a/src/openvpn/mstats.c
+++ b/src/openvpn/mstats.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mstats.h b/src/openvpn/mstats.h
index f87a858..486035f 100644
--- a/src/openvpn/mstats.h
+++ b/src/openvpn/mstats.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c
index b5471b1..cb940d8 100644
--- a/src/openvpn/mtcp.c
+++ b/src/openvpn/mtcp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -587,7 +586,8 @@ multi_tcp_action(struct multi_context *m, struct multi_instance *mi, int action,
{
bool tun_input_pending = false;
- do {
+ do
+ {
dmsg(D_MULTI_DEBUG, "MULTI TCP: multi_tcp_action a=%s p=%d",
pract(action),
poll);
diff --git a/src/openvpn/mtcp.h b/src/openvpn/mtcp.h
index 835b8fd..79dcb13 100644
--- a/src/openvpn/mtcp.h
+++ b/src/openvpn/mtcp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c
index 73eab21..44bef68 100644
--- a/src/openvpn/mtu.c
+++ b/src/openvpn/mtu.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h
index 471e51e..d1e8c18 100644
--- a/src/openvpn/mtu.h
+++ b/src/openvpn/mtu.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef MTU_H
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 64ce4d7..793678d 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/mudp.h b/src/openvpn/mudp.h
index a98d64d..b9ceaf7 100644
--- a/src/openvpn/mudp.h
+++ b/src/openvpn/mudp.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index f6f3f5d..8d3d67f 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -537,10 +536,14 @@ multi_del_iroutes(struct multi_context *m,
if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN)
{
for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
+ {
mroute_helper_del_iroute46(m->route_helper, ir->netbits);
+ }
for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
+ {
mroute_helper_del_iroute46(m->route_helper, ir6->netbits);
+ }
}
}
@@ -819,7 +822,8 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
mi->did_iter = true;
#ifdef MANAGEMENT_DEF_AUTH
- do {
+ do
+ {
mi->context.c2.mda_context.cid = m->cid_counter++;
} while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
mi->did_cid_hash = true;
@@ -2949,10 +2953,14 @@ gremlin_flood_clients(struct multi_context *m)
parm.packet_size);
for (i = 0; i < parm.packet_size; ++i)
+ {
ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
+ }
for (i = 0; i < parm.n_packets; ++i)
+ {
multi_bcast(m, &buf, NULL, NULL);
+ }
gc_free(&gc);
}
@@ -3375,6 +3383,7 @@ tunnel_server(struct context *top)
#else /* if P2MP_SERVER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* P2MP_SERVER */
diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h
index b4ffd69..63afbaf 100644
--- a/src/openvpn/multi.h
+++ b/src/openvpn/multi.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index e78af9e..0b1163e 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -15,10 +15,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -86,13 +85,13 @@ static void
gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char *result)
{
const md_kt_t *md5_kt = md_kt_get("MD5");
- hmac_ctx_t hmac_ctx;
- CLEAR(hmac_ctx);
+ hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
- hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
- hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
- hmac_ctx_cleanup(&hmac_ctx);
+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+ hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len);
+ hmac_ctx_final(hmac_ctx, (unsigned char *)result);
+ hmac_ctx_cleanup(hmac_ctx);
+ hmac_ctx_free(hmac_ctx);
}
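Review bot: The result of `hmac_ctx_new()` is passed straight to hmac_ctx_init without a check; if the allocator can return NULL rather than aborting (its definition is not visible here), the failure surfaces as a NULL dereference inside the crypto backend. Either document the contract with `/* hmac_ctx_new() aborts on allocation failure, no NULL check needed */` or add `if (!hmac_ctx) { msg(M_FATAL, "NTLM: cannot allocate HMAC context"); }` before the init. The same applies to `md5_kt`, which may be NULL when the backend does not provide MD5 and would then be dereferenced by hmac_ctx_init.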
static void
@@ -124,19 +123,22 @@ gen_nonce(unsigned char *nonce)
/* Generates 8 random bytes to be used as client nonce */
int i;
- for (i = 0; i<8; i++) {
+ for (i = 0; i<8; i++)
+ {
nonce[i] = (unsigned char)get_random();
}
}
-unsigned char *
+void
my_strupr(unsigned char *str)
{
/* converts string to uppercase in place */
- unsigned char *tmp = str;
- do *str = toupper(*str); while (*(++str));
- return tmp;
+ while (*str)
+ {
+ *str = toupper(*str);
+ str++;
+ }
}
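Review bot: `gen_nonce` fills the eight-byte client nonce from `get_random()`, keeping only the low byte of each call; if get_random() is a wrapper around the libc PRNG rather than the crypto backend's RNG (its definition is not in this hunk), the NTLMv2 client challenge is predictable, which weakens the authentication exchange. I would fill the nonce from the backend's random-bytes routine instead, e.g. `if (!rand_bytes(nonce, 8)) { msg(M_FATAL, "NTLM: nonce generation failed"); }` if that helper is available in this tree, or otherwise document why a non-cryptographic source is acceptable here. The brace-only restyle of the loop does not change this. gen_nonce starts outside the hunk.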
static int
@@ -193,7 +195,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
*/
char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
- char buf2[128]; /* decoded reply from proxy */
+ unsigned char buf2[128]; /* decoded reply from proxy */
unsigned char phase3[464];
char md4_hash[MD4_DIGEST_LENGTH+5];
@@ -299,7 +301,13 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
tib_len = 96;
}
{
- char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
+ char *tib_ptr;
+ int tib_pos = buf2[0x2c];
+ if (tib_pos + tib_len > sizeof(buf2))
+ {
+ return NULL;
+ }
+ tib_ptr = buf2 + tib_pos; /* Get Target Information block pointer */
memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
}
}
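Review bot: `tib_ptr` is declared `char *` while `buf2`, from which it is assigned (`tib_ptr = buf2 + tib_pos`), becomes `unsigned char buf2[128]` in this same patch, so the assignment is a pointer-signedness mismatch that -Wall will warn about; declare it `unsigned char *tib_ptr;`. The new bound `tib_pos + tib_len > sizeof(buf2)` keeps the read inside the array, but it is checked against the array capacity rather than against how many bytes were actually decoded from the proxy reply, so if the decode filled fewer than 128 bytes and buf2 is not zeroed beforehand, the blob can still carry stale stack bytes; bounding against the decoded length, if it is kept in a local, would be tighter. The decode and the source of `tib_len` lie outside this hunk, and ntlm_phase_3 continues past it.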
@@ -373,6 +381,7 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_are
#else /* if NTLM */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* if NTLM */
diff --git a/src/openvpn/occ-inline.h b/src/openvpn/occ-inline.h
index 84fe1ac..68e9098 100644
--- a/src/openvpn/occ-inline.h
+++ b/src/openvpn/occ-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OCC_INLINE_H
diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c
index b4ccc4d..40f7e76 100644
--- a/src/openvpn/occ.c
+++ b/src/openvpn/occ.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -430,6 +429,7 @@ process_received_occ_msg(struct context *c)
#else /* ifdef ENABLE_OCC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ifdef ENABLE_OCC */
diff --git a/src/openvpn/occ.h b/src/openvpn/occ.h
index 843ceb2..12d7bc5 100644
--- a/src/openvpn/occ.h
+++ b/src/openvpn/occ.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OCC_H
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
new file mode 100644
index 0000000..c765f0b
--- /dev/null
+++ b/src/openvpn/openssl_compat.h
@@ -0,0 +1,657 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/**
+ * @file OpenSSL compatibility stub
+ *
+ * This file provide compatibility stubs for the OpenSSL libraries
+ * prior to version 1.1. This version introduces many changes in the
+ * library interface, including the fact that various objects and
+ * structures are not fully opaque.
+ */
+
+#ifndef OPENSSL_COMPAT_H_
+#define OPENSSL_COMPAT_H_
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+#include "buffer.h"
+
+#include <openssl/ssl.h>
+#include <openssl/x509.h>
+
+#if !defined(HAVE_EVP_MD_CTX_RESET)
+/**
+ * Reset a message digest context
+ *
+ * @param ctx The message digest context
+ * @return 1 on success, 0 on error
+ */
+static inline int
+EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+{
+ EVP_MD_CTX_cleanup(ctx);
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_EVP_MD_CTX_FREE)
+/**
+ * Free an existing message digest context
+ *
+ * @param ctx The message digest context
+ */
+static inline void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+ free(ctx);
+}
+#endif
+
+#if !defined(HAVE_EVP_MD_CTX_NEW)
+/**
+ * Allocate a new message digest object
+ *
+ * @return A zero'ed message digest object
+ */
+static inline EVP_MD_CTX *
+EVP_MD_CTX_new(void)
+{
+ EVP_MD_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, EVP_MD_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_FREE)
+/**
+ * Free an existing cipher context
+ *
+ * @param ctx The cipher context
+ */
+static inline void
+EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *c)
+{
+ free(c);
+}
+#endif
+
+#if !defined(HAVE_EVP_CIPHER_CTX_NEW)
+/**
+ * Allocate a new cipher context object
+ *
+ * @return A zero'ed cipher context object
+ */
+static inline EVP_CIPHER_CTX *
+EVP_CIPHER_CTX_new(void)
+{
+ EVP_CIPHER_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, EVP_CIPHER_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_RESET)
+/**
+ * Reset a HMAC context
+ *
+ * @param ctx The HMAC context
+ * @return 1 on success, 0 on error
+ */
+static inline int
+HMAC_CTX_reset(HMAC_CTX *ctx)
+{
+ HMAC_CTX_cleanup(ctx);
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_INIT)
+/**
+ * Init a HMAC context
+ *
+ * @param ctx The HMAC context
+ *
+ * Contrary to many functions in this file, HMAC_CTX_init() is not
+ * an OpenSSL 1.1 function: it comes from previous versions and was
+ * removed in v1.1. As a consequence, there is no distincting in
+ * v1.1 between a cleanup, and init and a reset. Yet, previous OpenSSL
+ * version need this distinction.
+ *
+ * In order to respect previous OpenSSL versions, we implement init
+ * as reset for OpenSSL 1.1+.
+ */
+static inline void
+HMAC_CTX_init(HMAC_CTX *ctx)
+{
+ HMAC_CTX_reset(ctx);
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_FREE)
+/**
+ * Free an existing HMAC context
+ *
+ * @param ctx The HMAC context
+ */
+static inline void
+HMAC_CTX_free(HMAC_CTX *c)
+{
+ free(c);
+}
+#endif
+
+#if !defined(HAVE_HMAC_CTX_NEW)
+/**
+ * Allocate a new HMAC context object
+ *
+ * @return A zero'ed HMAC context object
+ */
+static inline HMAC_CTX *
+HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = NULL;
+ ALLOC_OBJ_CLEAR(ctx, HMAC_CTX);
+ return ctx;
+}
+#endif
+
+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA)
+/**
+ * Fetch the default password callback user data from the SSL context
+ *
+ * @param ctx SSL context
+ * @return The password callback user data
+ */
+static inline void *
+SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx ? ctx->default_passwd_callback_userdata : NULL;
+}
+#endif
+
+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB)
+/**
+ * Fetch the default password callback from the SSL context
+ *
+ * @param ctx SSL context
+ * @return The password callback
+ */
+static inline pem_password_cb *
+SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx ? ctx->default_passwd_callback : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_GET0_PUBKEY)
+/**
+ * Get the public key from a X509 certificate
+ *
+ * @param x X509 certificate
+ * @return The certificate public key
+ */
+static inline EVP_PKEY *
+X509_get0_pubkey(const X509 *x)
+{
+ return (x && x->cert_info && x->cert_info->key) ?
+ x->cert_info->key->pkey : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_STORE_GET0_OBJECTS)
+/**
+ * Fetch the X509 object stack from the X509 store
+ *
+ * @param store X509 object store
+ * @return the X509 object stack
+ */
+static inline STACK_OF(X509_OBJECT) *
+X509_STORE_get0_objects(X509_STORE *store)
+{
+ return store ? store->objs : NULL;
+}
+#endif
+
+#if !defined(HAVE_X509_OBJECT_FREE)
+/**
+ * Destroy a X509 object
+ *
+ * @param obj X509 object
+ */
+static inline void
+X509_OBJECT_free(X509_OBJECT *obj)
+{
+ if (obj)
+ {
+ X509_OBJECT_free_contents(obj);
+ OPENSSL_free(obj);
+ }
+}
+#endif
+
+#if !defined(HAVE_X509_OBJECT_GET_TYPE)
+/**
+ * Get the type of an X509 object
+ *
+ * @param obj X509 object
+ * @return The underlying object type
+ */
+static inline int
+X509_OBJECT_get_type(const X509_OBJECT *obj)
+{
+ return obj ? obj->type : X509_LU_FAIL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_RSA)
+/**
+ * Get the RSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying RSA object
+ */
+static inline RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.rsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_ID)
+/**
+ * Get the PKEY type
+ *
+ * @param pkey Public key object
+ * @return The key type
+ */
+static inline int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+ return pkey ? pkey->type : EVP_PKEY_NONE;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_DSA)
+/**
+ * Get the DSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying DSA object
+ */
+static inline DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.dsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_RSA_SET_FLAGS)
+/**
+ * Set the RSA flags
+ *
+ * @param rsa The RSA object
+ * @param flags New flags value
+ */
+static inline void
+RSA_set_flags(RSA *rsa, int flags)
+{
+ if (rsa)
+ {
+ rsa->flags = flags;
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_GET0_KEY)
+/**
+ * Get the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n The @c n parameter
+ * @param e The @c e parameter
+ * @param d The @c d parameter
+ */
+static inline void
+RSA_get0_key(const RSA *rsa, const BIGNUM **n,
+ const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ {
+ *n = rsa ? rsa->n : NULL;
+ }
+ if (e != NULL)
+ {
+ *e = rsa ? rsa->e : NULL;
+ }
+ if (d != NULL)
+ {
+ *d = rsa ? rsa->d : NULL;
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_SET0_KEY)
+/**
+ * Set the RSA parameters
+ *
+ * @param rsa The RSA object
+ * @param n The @c n parameter
+ * @param e The @c e parameter
+ * @param d The @c d parameter
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+ if ((rsa->n == NULL && n == NULL)
+ || (rsa->e == NULL && e == NULL))
+ {
+ return 0;
+ }
+
+ if (n != NULL)
+ {
+ BN_free(rsa->n);
+ rsa->n = n;
+ }
+ if (e != NULL)
+ {
+ BN_free(rsa->e);
+ rsa->e = e;
+ }
+ if (d != NULL)
+ {
+ BN_free(rsa->d);
+ rsa->d = d;
+ }
+
+ return 1;
+}
+#endif
+
+#if !defined(HAVE_RSA_BITS)
+/**
+ * Number of significant RSA bits
+ *
+ * @param rsa The RSA object ; shall not be NULL
+ * @return The number of RSA bits or 0 on error
+ */
+static inline int
+RSA_bits(const RSA *rsa)
+{
+ const BIGNUM *n = NULL;
+ RSA_get0_key(rsa, &n, NULL, NULL);
+ return n ? BN_num_bits(n) : 0;
+}
+#endif
+
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa The DSA object
+ * @param p The @c p parameter
+ * @param q The @c q parameter
+ * @param g The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ {
+ *p = dsa ? dsa->p : NULL;
+ }
+ if (q != NULL)
+ {
+ *q = dsa ? dsa->q : NULL;
+ }
+ if (g != NULL)
+ {
+ *g = dsa ? dsa->g : NULL;
+ }
+}
+#endif
+
+#if !defined(HAVE_DSA_BITS)
+/**
+ * Number of significant DSA bits
+ *
+ * @param rsa The DSA object ; shall not be NULL
+ * @return The number of DSA bits or 0 on error
+ */
+static inline int
+DSA_bits(const DSA *dsa)
+{
+ const BIGNUM *p = NULL;
+ DSA_get0_pqg(dsa, &p, NULL, NULL);
+ return p ? BN_num_bits(p) : 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_NEW)
+/**
+ * Allocate a new RSA method object
+ *
+ * @param name The object name
+ * @param flags Configuration flags
+ * @return A new RSA method object
+ */
+static inline RSA_METHOD *
+RSA_meth_new(const char *name, int flags)
+{
+ RSA_METHOD *rsa_meth = NULL;
+ ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
+ rsa_meth->name = string_alloc(name, NULL);
+ rsa_meth->flags = flags;
+ return rsa_meth;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_FREE)
+/**
+ * Free an existing RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ */
+static inline void
+RSA_meth_free(RSA_METHOD *meth)
+{
+ if (meth)
+ {
+ /* OpenSSL defines meth->name to be a const pointer, yet we
+ * feed it with an allocated string (from RSA_meth_new()).
+ * Thus we are allowed to free it here. In order to avoid a
+ * "passing 'const char *' to parameter of type 'void *' discards
+ * qualifiers" warning, we force the pointer to be a non-const value.
+ */
+ free((char *)meth->name);
+ free(meth);
+ }
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PUB_ENC)
+/**
+ * Set the public encoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param pub_enc the public encoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_pub_enc(RSA_METHOD *meth,
+ int (*pub_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_pub_enc = pub_enc;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PUB_DEC)
+/**
+ * Set the public decoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param pub_dec the public decoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_pub_dec(RSA_METHOD *meth,
+ int (*pub_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_pub_dec = pub_dec;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PRIV_ENC)
+/**
+ * Set the private encoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param priv_enc the private encoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_priv_enc(RSA_METHOD *meth,
+ int (*priv_enc) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_priv_enc = priv_enc;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_PRIV_DEC)
+/**
+ * Set the private decoding function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param priv_dec the private decoding function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_priv_dec(RSA_METHOD *meth,
+ int (*priv_dec) (int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
+{
+ if (meth)
+ {
+ meth->rsa_priv_dec = priv_dec;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_INIT)
+/**
+ * Set the init function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param init the init function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
+{
+ if (meth)
+ {
+ meth->init = init;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET_FINISH)
+/**
+ * Set the finish function of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param finish the finish function
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
+{
+ if (meth)
+ {
+ meth->finish = finish;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+#if !defined(HAVE_RSA_METH_SET0_APP_DATA)
+/**
+ * Set the application data of an RSA_METHOD object
+ *
+ * @param meth The RSA_METHOD object
+ * @param app_data Application data
+ * @return 1 on success, 0 on error
+ */
+static inline int
+RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
+{
+ if (meth)
+ {
+ meth->app_data = app_data;
+ return 1;
+ }
+ return 0;
+}
+#endif
+
+/* SSLeay symbols have been renamed in OpenSSL 1.1 */
+#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+#endif
+
+#endif /* OPENSSL_COMPAT_H_ */
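Review bot: The free stubs `EVP_MD_CTX_free`, `EVP_CIPHER_CTX_free` and `HMAC_CTX_free` only `free()` the struct, whereas the OpenSSL 1.1 functions they stand in for also release the context's internal state; with a pre-1.1 OpenSSL, a caller written against 1.1 semantics (free without a prior reset/cleanup) leaks the digest or cipher data and leaves the HMAC's padded key material un-zeroized on the heap. Either state the contract in each docstring (`Does not clean up the context; call HMAC_CTX_cleanup() first`) or make the stubs match 1.1, e.g. `if (c) { HMAC_CTX_cleanup(c); free(c); }` and the same with EVP_MD_CTX_cleanup()/EVP_CIPHER_CTX_cleanup() for the other two — as far as I can tell the 1.0 cleanup routines are no-ops on a zeroed or already-cleaned context, so callers that already clean up are unaffected. Two smaller items: `DSA_bits` documents its parameter as `@param rsa` where it should read `@param dsa`, and `RSA_set0_key` dereferences `rsa` without the NULL check its neighbours perform, which matches OpenSSL's own behaviour but deserves a one-line note in the docstring.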
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 888acda..08c09e6 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -332,7 +331,8 @@ openvpn_main(int argc, char *argv[])
#ifdef _WIN32
int
-wmain(int argc, wchar_t *wargv[]) {
+wmain(int argc, wchar_t *wargv[])
+{
char **argv;
int ret;
int i;
@@ -361,7 +361,8 @@ wmain(int argc, wchar_t *wargv[]) {
}
#else /* ifdef _WIN32 */
int
-main(int argc, char *argv[]) {
+main(int argc, char *argv[])
+{
return openvpn_main(argc, argv);
}
#endif /* ifdef _WIN32 */
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 37edec4..9262e68 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_H
@@ -202,7 +201,7 @@ struct context_1
#endif
/* if client mode, hash of option strings we pulled from server */
- struct md5_digest pulled_options_digest_save;
+ struct sha256_digest pulled_options_digest_save;
/**< Hash of option strings received from the
* remote OpenVPN server. Only used in
* client-mode. */
@@ -263,7 +262,8 @@ struct context_2
struct link_socket_actual from; /* address of incoming datagram */
/* MTU frame parameters */
- struct frame frame;
+ struct frame frame; /* Active frame parameters */
+ struct frame frame_initial; /* Restored on new session */
#ifdef ENABLE_FRAGMENT
/* Object to handle advanced MTU negotiation and datagram fragmentation */
@@ -471,9 +471,9 @@ struct context_2
bool did_pre_pull_restore;
/* hash of pulled options, so we can compare when options change */
- bool pulled_options_md5_init_done;
- md_ctx_t pulled_options_state;
- struct md5_digest pulled_options_digest;
+ bool pulled_options_digest_init_done;
+ md_ctx_t *pulled_options_state;
+ struct sha256_digest pulled_options_digest;
struct event_timeout scheduled_exit;
int scheduled_exit_signal;
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index 8dfbea5..d1c0fde 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -99,13 +99,16 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
+ <ClCompile Include="argv.c" />
<ClCompile Include="base64.c" />
+ <ClCompile Include="block_dns.c" />
<ClCompile Include="buffer.c" />
<ClCompile Include="clinat.c" />
<ClCompile Include="comp-lz4.c" />
<ClCompile Include="comp.c" />
<ClCompile Include="compstub.c" />
<ClCompile Include="console.c" />
+ <ClCompile Include="console_builtin.c" />
<ClCompile Include="crypto.c" />
<ClCompile Include="crypto_openssl.c" />
<ClCompile Include="cryptoapi.c" />
@@ -164,12 +167,15 @@
<ClCompile Include="ssl_verify.c" />
<ClCompile Include="ssl_verify_openssl.c" />
<ClCompile Include="status.c" />
+ <ClCompile Include="tls_crypt.c" />
<ClCompile Include="tun.c" />
<ClCompile Include="win32.c" />
</ItemGroup>
<ItemGroup>
+ <ClInclude Include="argv.h" />
<ClInclude Include="base64.h" />
<ClInclude Include="basic.h" />
+ <ClInclude Include="block_dns.h" />
<ClInclude Include="buffer.h" />
<ClInclude Include="circ_list.h" />
<ClInclude Include="clinat.h" />
@@ -249,6 +255,7 @@
<ClInclude Include="ssl_verify_openssl.h" />
<ClInclude Include="status.h" />
<ClInclude Include="syshead.h" />
+ <ClInclude Include="tls_crypt.h" />
<ClInclude Include="tun.h" />
<ClInclude Include="win32.h" />
</ItemGroup>
diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters
index 8b6a269..30df5ec 100644
--- a/src/openvpn/openvpn.vcxproj.filters
+++ b/src/openvpn/openvpn.vcxproj.filters
@@ -216,6 +216,18 @@
<ClCompile Include="comp-lz4.c">
<Filter>Source Files</Filter>
</ClCompile>
+ <ClCompile Include="argv.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="block_dns.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="console_builtin.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ <ClCompile Include="tls_crypt.c">
+ <Filter>Source Files</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="base64.h">
@@ -464,10 +476,22 @@
<ClInclude Include="win32.h">
<Filter>Header Files</Filter>
</ClInclude>
+ <ClInclude Include="compstub.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="argv.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="block_dns.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="tls_crypt.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="openvpn_win32_resources.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
-</Project>
+</Project> \ No newline at end of file
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index bfedb6a..fef5e90 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -592,7 +591,8 @@ static const char usage_message[] =
"--x509-username-field : Field in x509 certificate containing the username.\n"
" Default is CN in the Subject field.\n"
#endif
- "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
+ "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
+ " Valid algo flags are SHA1 and SHA256. \n"
#ifdef _WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
@@ -636,8 +636,8 @@ static const char usage_message[] =
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
- "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
- " nsCertType designation t = 'client' | 'server'.\n"
+ "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
+ " an explicit nsCertType designation t = 'client' | 'server'.\n"
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
@@ -716,7 +716,6 @@ static const char usage_message[] =
"--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
"--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
" startup.\n"
- "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
"--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
" on connection initiation.\n"
"--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
@@ -999,7 +998,9 @@ setenv_settings(struct env_set *es, const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
+ {
setenv_connection_entry(es, o->connection_list->array[i], i+1);
+ }
}
else
{
@@ -1214,7 +1215,6 @@ show_tuntap_options(const struct tuntap_options *o)
SHOW_BOOL(dhcp_options);
SHOW_BOOL(dhcp_renew);
SHOW_BOOL(dhcp_pre_release);
- SHOW_BOOL(dhcp_release);
SHOW_STR(domain);
SHOW_STR(netbios_scope);
SHOW_INT(netbios_node_type);
@@ -1761,7 +1761,9 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_INT(remote_cert_ku[i]);
+ }
}
SHOW_STR(remote_cert_eku);
SHOW_INT(ssl_flags);
@@ -1789,22 +1791,30 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
+ {
SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
+ }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
+ {
SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
+ }
}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
@@ -2939,7 +2949,9 @@ options_postprocess_verify(const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
+ {
options_postprocess_verify_ce(o, o->connection_list->array[i]);
+ }
}
else
{
@@ -2990,7 +3002,9 @@ options_postprocess_mutate(struct options *o)
ASSERT(o->connection_list);
for (i = 0; i < o->connection_list->len; ++i)
+ {
options_postprocess_mutate_ce(o, o->connection_list->array[i]);
+ }
#ifdef ENABLE_CRYPTO
if (o->tls_server)
@@ -3803,7 +3817,9 @@ options_warning_safe_scan1(const int msglevel,
char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
+ {
options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
+ }
gc_free(&gc);
}
@@ -4080,6 +4096,7 @@ usage(void)
fprintf(fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max,
o.ce.local_port, o.ce.remote_port,
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity);
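Review bot: The added `o.ce.connect_retry_seconds_max` argument to `fprintf(fp, usage_message, ...)` has to be matched by a new conversion specifier at the same position in `usage_message`, and that part of the string is not in this diff; because `usage_message` is a `const char[]` rather than a literal, `-Wformat` is unlikely to check the pairing, and a mismatch is undefined behaviour that silently shifts every later argument. A comment at the argument list would at least warn the next editor, e.g. `/* order must follow the conversion specifiers in usage_message */`. usage() continues outside this hunk.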
@@ -4430,7 +4447,10 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
{
char *line_ptr = line;
/* Remove leading spaces */
- while (isspace(*line_ptr)) line_ptr++;
+ while (isspace(*line_ptr))
+ {
+ line_ptr++;
+ }
if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
{
endtagfound = true;
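Review bot: `isspace(*line_ptr)` is handed a plain `char`; where `char` is signed, a config-file byte above 0x7F becomes a negative argument, which is undefined behaviour for the <ctype.h> functions. The usual fix is `while (isspace((unsigned char)*line_ptr))`. The same pattern appears in the later `--x509-username-field` hunk with `isupper(s[i])` and `toupper(*s)`. read_inline_file begins and ends outside this hunk.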
@@ -4526,7 +4546,7 @@ read_config_file(struct options *options,
FILE *fp;
int line_num;
char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
++level;
if (level <= max_recursive_levels)
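Review bot: The reason for `char *p[MAX_PARMS+1]` paired with `SIZE(p)-1` is not recorded at any of the three sites that introduce it (here, read_config_string and apply_push_options): presumably the extra slot guarantees that the entry after the last parsed parameter is always NULL, so option handlers that test `!p[k]` with k up to MAX_PARMS never read past the array. A comment at each declaration would let the invariant survive future edits, e.g. `/* one extra slot so the entry after the last parameter is always NULL */`, and a shared constant for the size would keep the three sites from drifting. In read_config_file the `CLEAR(p)` that the other two sites perform is outside this hunk; the trailing NULL only holds if it is there.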
@@ -4558,7 +4578,7 @@ read_config_file(struct options *options,
{
offset = 3;
}
- if (parse_line(line + offset, p, SIZE(p), file, line_num, msglevel, &options->gc))
+ if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_fp(fp, p, &options->gc);
@@ -4600,10 +4620,10 @@ read_config_string(const char *prefix,
while (buf_parse(&multiline, '\n', line, sizeof(line)))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
++line_num;
- if (parse_line(line, p, SIZE(p), prefix, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_buf(&multiline, p, &options->gc);
@@ -4734,14 +4754,14 @@ apply_push_options(struct options *options,
while (buf_parse(buf, ',', line, sizeof(line)))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
++line_num;
if (!apply_pull_filter(options, line))
{
return false; /* Cause push/pull error and stop push processing */
}
- if (parse_line(line, p, SIZE(p), file, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
{
add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
@@ -5147,7 +5167,7 @@ add_option(struct options *options,
}
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef ENABLE_PLUGIN
- else if (streq(p[0], "plugin") && p[1] && !p[3])
+ else if (streq(p[0], "plugin") && p[1])
{
VERIFY_PERMISSION(OPT_P_PLUGIN);
if (!options->plugin_list)
@@ -5297,12 +5317,14 @@ add_option(struct options *options,
if (!sub.ce.remote)
{
msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
+ uninit_options(&sub);
goto err;
}
e = alloc_connection_entry(options, msglevel);
if (!e)
{
+ uninit_options(&sub);
goto err;
}
*e = sub.ce;
@@ -5320,18 +5342,24 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
/* Find out how many options to be ignored */
for (i = 1; p[i]; i++)
+ {
numignored++;
+ }
/* add number of options already ignored */
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
+ {
numignored++;
+ }
/* Allocate array */
ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
+ {
ignore[i] = options->ignore_unknown_option[i];
+ }
options->ignore_unknown_option = ignore;
@@ -6015,7 +6043,8 @@ add_option(struct options *options,
struct http_custom_header *custom_header = NULL;
int i;
/* Find the first free header */
- for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
+ {
if (!ho->custom_headers[i].name)
{
custom_header = &ho->custom_headers[i];
@@ -7200,11 +7229,11 @@ add_option(struct options *options,
{
VERIFY_PERMISSION(OPT_P_IPWIN32);
options->tuntap_options.dhcp_pre_release = true;
+ options->tuntap_options.dhcp_renew = true;
}
else if (streq(p[0], "dhcp-release") && !p[1])
{
- VERIFY_PERMISSION(OPT_P_IPWIN32);
- options->tuntap_options.dhcp_release = true;
+ msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
}
else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
{
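Review bot: `VERIFY_PERMISSION(OPT_P_IPWIN32)` was dropped together with the flag, so `dhcp-release` is now accepted from any option source, including pushed options, with only a warning, where previously an unpermitted source was rejected. If the obsolete option should stay under the same permission filtering as `dhcp-pre-release`, keep `VERIFY_PERMISSION(OPT_P_IPWIN32);` ahead of the `msg()`. `dhcp-pre-release` now also sets `dhcp_renew`; a one-line comment on why the two are coupled would help the next reader.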
@@ -7676,10 +7705,25 @@ add_option(struct options *options,
options->extra_certs_file_inline = p[2];
}
}
- else if (streq(p[0], "verify-hash") && p[1] && !p[2])
+ else if (streq(p[0], "verify-hash") && p[1] && !p[3])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+
+ if (!p[2] || (p[2] && streq(p[2], "SHA1")))
+ {
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+ options->verify_hash_algo = MD_SHA1;
+ }
+ else if (p[2] && streq(p[2], "SHA256"))
+ {
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc);
+ options->verify_hash_algo = MD_SHA256;
+ }
+ else
+ {
+ msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]);
+ goto err;
+ }
}
#ifdef ENABLE_CRYPTOAPI
else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
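Review bot: The conditions repeat a test that short-circuiting already guarantees: the right operand of `!p[2] ||` only runs with p[2] non-NULL, so `if (!p[2] || streq(p[2], "SHA1"))` and `else if (streq(p[2], "SHA256"))` express the same thing more plainly. More importantly, nothing here checks the result of `parse_hash_fingerprint()`; if it can return NULL on a malformed fingerprint (its definition is outside this hunk), the option would silently end up with `verify_hash == NULL`, i.e. no fingerprint pinning at all, so a `goto err` on a NULL result, mirroring the unsupported-algorithm branch, would be the safer shape. add_option continues outside this hunk.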
@@ -7903,12 +7947,18 @@ add_option(struct options *options,
}
else if (streq(p[0], "remote-cert-ku"))
{
- int j;
-
VERIFY_PERMISSION(OPT_P_GENERAL);
+ size_t j;
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
+ }
+ if (j == 1)
+ {
+ /* No specific KU required, but require KU to be present */
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
+ }
}
else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
{
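Review bot: The `sscanf(p[j], "%x", ...)` inside the newly braced loop still ignores its return value, so an argument that is not a hex number leaves that `remote_cert_ku` slot untouched with no diagnostic; as this option is what ties the peer certificate to an expected key usage, a silent parse failure should be rejected, e.g. `if (sscanf(p[j], "%x", &(options->remote_cert_ku[j-1])) != 1) { msg(msglevel, "remote-cert-ku: invalid value %s", p[j]); goto err; }`. That behaviour predates this commit, but the hunk is the natural place to fix it. The `j == 1` test is correct only because `j` starts at 1 and `p[1]` is NULL when no parameters were given; a short comment on the loop would save the next reader that inference. add_option's body continues outside the hunk.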
@@ -7921,15 +7971,12 @@ add_option(struct options *options,
if (streq(p[1], "server"))
{
- options->remote_cert_ku[0] = 0xa0;
- options->remote_cert_ku[1] = 0x88;
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
options->remote_cert_eku = "TLS Web Server Authentication";
}
else if (streq(p[1], "client"))
{
- options->remote_cert_ku[0] = 0x80;
- options->remote_cert_ku[1] = 0x08;
- options->remote_cert_ku[2] = 0x88;
+ options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
options->remote_cert_eku = "TLS Web Client Authentication";
}
else
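Review bot: Replacing the explicit KU bit patterns with `OPENVPN_KU_REQUIRED` changes what `--remote-cert-tls` enforces: the key usage extension now only has to be present with any value, and the EKU string on the following line becomes the sole property distinguishing a server certificate from a client one. That relaxation is presumably intended, but it should be recorded next to the assignment so a later reader does not assume the old `0xa0`/`0x88` and `0x80`/`0x08`/`0x88` checks still apply, e.g. `/* Any KU value is accepted as long as the extension is present; the EKU below is what restricts the certificate role */`. Whether a certificate lacking a KU extension is now rejected depends on how the verifier interprets OPENVPN_KU_REQUIRED, which is outside this hunk.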
@@ -8037,15 +8084,25 @@ add_option(struct options *options,
if (strncmp("ext:", s, 4) != 0)
{
size_t i = 0;
- while (s[i] && !isupper(s[i])) i++;
+ while (s[i] && !isupper(s[i]))
+ {
+ i++;
+ }
if (strlen(s) == i)
{
- while ((*s = toupper(*s)) != '\0') s++;
+ while ((*s = toupper(*s)) != '\0')
+ {
+ s++;
+ }
msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
"--x509-username-field parameter to '%s'; please update your"
"configuration", p[1]);
}
}
+ else if (!x509_username_field_ext_supported(s+4))
+ {
+ msg(msglevel, "Unsupported x509-username-field extension: %s", s);
+ }
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
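Review bot: The new `else if (!x509_username_field_ext_supported(s+4))` branch reports the unsupported extension with `msg(msglevel, ...)` but does not `goto err`, so execution falls through to `options->x509_username_field = p[1]` and the rejected value is stored anyway; the verify-hash branch earlier in this file pairs the same `msg(msglevel, ...)` with `goto err;`, and this branch should do the same. Whether the message alone aborts startup depends on the msglevel the caller passes, which is not visible here, so the explicit `goto err;` after the msg line is the safe choice. add_option's body continues outside the hunk.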
@@ -8094,7 +8151,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_providers[j-1] = p[j];
+ }
}
else if (streq(p[0], "pkcs11-protected-authentication"))
{
@@ -8103,7 +8162,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
+ }
}
else if (streq(p[0], "pkcs11-private-mode") && p[1])
{
@@ -8112,7 +8173,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
+ }
}
else if (streq(p[0], "pkcs11-cert-private"))
{
@@ -8121,7 +8184,9 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
+ }
}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index b3ab029..67b9b94 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -42,6 +41,10 @@
#include "comp.h"
#include "pushlist.h"
#include "clinat.h"
+#ifdef ENABLE_CRYPTO
+#include "crypto_backend.h"
+#endif
+
/*
* Maximum number of parameters associated with an option,
@@ -519,6 +522,7 @@ struct options
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
uint8_t *verify_hash;
+ hash_algo_type verify_hash_algo;
unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
#ifdef ENABLE_PKCS11
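Review bot: `hash_algo_type` is only declared when `crypto_backend.h` is pulled in under `#ifdef ENABLE_CRYPTO` in the earlier hunk, so the new `verify_hash_algo` member compiles in a non-crypto build only if this part of `struct options` is itself inside an ENABLE_CRYPTO-guarded region; the surrounding lines show no such guard, so that is worth confirming. A one-line comment on the member, e.g. `/* digest used for verify_hash; MD_SHA1 when --verify-hash names none */`, would also tie it to its sibling `verify_hash`, whose expected length now depends on it.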
diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c
index 22abda0..3e576cc 100644
--- a/src/openvpn/otime.c
+++ b/src/openvpn/otime.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h
index eede63d..8731472 100644
--- a/src/openvpn/otime.h
+++ b/src/openvpn/otime.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OTIME_H
@@ -289,7 +288,8 @@ tv_within_sigma(const struct timeval *t1, const struct timeval *t2, unsigned int
* called again.
*/
static inline void
-interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current) {
+interval_earliest_wakeup(interval_t *wakeup, time_t at, time_t current)
+{
if (at > current)
{
const interval_t delta = (interval_t) (at - current);
diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c
index fe13e1d..30ae8fb 100644
--- a/src/openvpn/packet_id.c
+++ b/src/openvpn/packet_id.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -325,12 +324,40 @@ packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
return true;
}
+static bool
+packet_id_send_update(struct packet_id_send *p, bool long_form)
+{
+ if (!p->time)
+ {
+ p->time = now;
+ }
+ if (p->id == PACKET_ID_MAX)
+ {
+ /* Packet ID only allowed to roll over if using long form and time has
+ * moved forward since last roll over.
+ */
+ if (!long_form || now <= p->time)
+ {
+ return false;
+ }
+ p->time = now;
+ p->id = 0;
+ }
+ p->id++;
+ return true;
+}
+
bool
-packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend)
+packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
+ bool prepend)
{
- packet_id_type net_id = htonpid(pin->id);
- net_time_t net_time = htontime(pin->time);
+ if (!packet_id_send_update(p, long_form))
+ {
+ return false;
+ }
+ const packet_id_type net_id = htonpid(p->id);
+ const net_time_t net_time = htontime(p->time);
if (prepend)
{
if (long_form)
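Review bot: `packet_id_send_update` carries no comment stating its contract, and its false return is the security-relevant part of this hunk: it replaces the old `ASSERT(long_form)` on wrap-around with a refusal to hand out another ID, so a caller that ignores the result would reuse sequence numbers and defeat the receiver's replay window. A header comment along the lines of `/* Advance the outgoing packet ID. Returns false when the 32-bit ID space is exhausted and cannot be rolled over (short form, or time has not moved forward since the last roll-over); the caller must not send in that case. */` would make that explicit. Note also that the ID is consumed before the buffer write that follows; if that write fails (the remainder of packet_id_write is outside the hunk) the number is simply skipped, which is harmless for replay protection but deserves a sentence.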
@@ -629,7 +656,8 @@ packet_id_interactive_test()
packet_id_init(&pid, seq_backtrack, time_backtrack);
- while (true) {
+ while (true)
+ {
char buf[80];
if (!fgets(buf, sizeof(buf), stdin))
{
diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h
index ecc25a6..a370936 100644
--- a/src/openvpn/packet_id.h
+++ b/src/openvpn/packet_id.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -50,6 +49,7 @@
* to for network transmission.
*/
typedef uint32_t packet_id_type;
+#define PACKET_ID_MAX UINT32_MAX
typedef uint32_t net_time_t;
/*
@@ -254,7 +254,18 @@ const char *packet_id_persist_print(const struct packet_id_persist *p, struct gc
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form);
-bool packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend);
+/**
+ * Write a packet ID to buf, and update the packet ID state.
+ *
+ * @param p Packet ID state.
+ * @param buf Buffer to write the packet ID too
+ * @param long_form If true, also update and write time_t to buf
+ * @param prepend If true, prepend to buffer, otherwise apppend.
+ *
+ * @return true if successful, false otherwise.
+ */
+bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
+ bool long_form, bool prepend);
/*
* Inline functions.
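Review bot: The new doc comment for `packet_id_write` has two typos that will be copied into generated documentation: `Buffer to write the packet ID too` should read `Buffer to write the packet ID to`, and `apppend` should be `append`. It would also help callers to spell out what false means, since it is the signal that the ID space is exhausted: `@return true if successful, false if no packet ID could be allocated (ID space exhausted); the caller must not send the packet.`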
@@ -304,28 +315,6 @@ packet_id_close_to_wrapping(const struct packet_id_send *p)
return p->id >= PACKET_ID_WRAP_TRIGGER;
}
-/*
- * Allocate an outgoing packet id.
- * Sequence number ranges from 1 to 2^32-1.
- * In long_form, a time_t is added as well.
- */
-static inline void
-packet_id_alloc_outgoing(struct packet_id_send *p, struct packet_id_net *pin, bool long_form)
-{
- if (!p->time)
- {
- p->time = now;
- }
- pin->id = ++p->id;
- if (!pin->id)
- {
- ASSERT(long_form);
- p->time = now;
- pin->id = p->id = 1;
- }
- pin->time = p->time;
-}
-
static inline bool
check_timestamp_delta(time_t remote, unsigned int max_delta)
{
diff --git a/src/openvpn/perf.c b/src/openvpn/perf.c
index 51e051a..16cf749 100644
--- a/src/openvpn/perf.c
+++ b/src/openvpn/perf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -147,12 +146,14 @@ push_perf_index(int pindex)
{
int i;
for (i = 0; i < sindex; ++i)
+ {
if (perf_set.stack[i] == pindex)
{
perf_print_state(M_INFO);
msg(M_FATAL, "PERF: push_perf_index %s failed",
metric_names [pindex]);
}
+ }
perf_set.stack[sindex] = pindex;
perf_set.stack_len = newlen;
@@ -321,7 +322,8 @@ perf_print_state(int lev)
#else /* ifdef ENABLE_PERFORMANCE_METRICS */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* ifdef ENABLE_PERFORMANCE_METRICS */
diff --git a/src/openvpn/perf.h b/src/openvpn/perf.h
index f0430a1..ae5ae08 100644
--- a/src/openvpn/perf.h
+++ b/src/openvpn/perf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -76,13 +75,16 @@ void perf_output_results(void);
#else /* ifdef ENABLE_PERFORMANCE_METRICS */
static inline void
-perf_push(int type) {
+perf_push(int type)
+{
}
static inline void
-perf_pop(void) {
+perf_pop(void)
+{
}
static inline void
-perf_output_results(void) {
+perf_output_results(void)
+{
}
#endif /* ifdef ENABLE_PERFORMANCE_METRICS */
diff --git a/src/openvpn/pf-inline.h b/src/openvpn/pf-inline.h
index a0f5cc7..ac19ac4 100644
--- a/src/openvpn/pf-inline.h
+++ b/src/openvpn/pf-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if defined(ENABLE_PF) && !defined(PF_INLINE_H)
diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c
index 56b6858..5cb002b 100644
--- a/src/openvpn/pf.c
+++ b/src/openvpn/pf.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/* packet filter functions */
diff --git a/src/openvpn/pf.h b/src/openvpn/pf.h
index 3832683..414c85b 100644
--- a/src/openvpn/pf.h
+++ b/src/openvpn/pf.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/* packet filter functions */
diff --git a/src/openvpn/ping-inline.h b/src/openvpn/ping-inline.h
index 2fa1d5c..0642b85 100644
--- a/src/openvpn/ping-inline.h
+++ b/src/openvpn/ping-inline.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PING_INLINE_H
diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c
index 0496b72..728d6c2 100644
--- a/src/openvpn/ping.c
+++ b/src/openvpn/ping.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h
index e839ce7..5bd5c08 100644
--- a/src/openvpn/ping.h
+++ b/src/openvpn/ping.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PING_H
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 6858846..6041828 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -45,21 +44,24 @@
static
time_t
-__mytime(void) {
+__mytime(void)
+{
return openvpn_time(NULL);
}
#if !defined(_WIN32)
static
int
-__mygettimeofday(struct timeval *tv) {
+__mygettimeofday(struct timeval *tv)
+{
return gettimeofday(tv, NULL);
}
#endif
static
void
-__mysleep(const unsigned long usec) {
+__mysleep(const unsigned long usec)
+{
#if defined(_WIN32)
Sleep(usec/1000);
#else
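Review bot: The re-braced definitions `__mytime`, `__mygettimeofday` and `__mysleep` keep their double-underscore names, and identifiers beginning with `__` are reserved for the implementation in C, so a libc or compiler header is free to define a macro with the same spelling; since the commit already rewrites these signature lines, renaming them to e.g. `pkcs11_mytime`, `pkcs11_mygettimeofday` and `pkcs11_mysleep` (they are `static`, so no external callers) would be a cheap fix. The `_pkcs11_*` file-scope names in the following hunks have the same problem, as a leading underscore is reserved at file scope too. These names predate the commit, so this is a style point rather than a regression.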
@@ -84,10 +86,12 @@ static
unsigned
_pkcs11_msg_pkcs112openvpn(
const unsigned flags
- ) {
+ )
+{
unsigned openvpn_flags;
- switch (flags) {
+ switch (flags)
+ {
case PKCS11H_LOG_DEBUG2:
openvpn_flags = D_PKCS11_DEBUG;
break;
@@ -124,7 +128,8 @@ static
unsigned
_pkcs11_msg_openvpn2pkcs11(
const unsigned flags
- ) {
+ )
+{
unsigned pkcs11_flags;
if ((flags & D_PKCS11_DEBUG) != 0)
@@ -166,7 +171,8 @@ _pkcs11_openvpn_log(
unsigned flags,
const char *const szFormat,
va_list args
- ) {
+ )
+{
char Buffer[10*1024];
(void)global_data;
@@ -184,7 +190,8 @@ _pkcs11_openvpn_token_prompt(
void *const user_data,
const pkcs11h_token_id_t token,
const unsigned retry
- ) {
+ )
+{
struct user_pass token_resp;
(void)global_data;
@@ -229,7 +236,8 @@ _pkcs11_openvpn_pin_prompt(
const unsigned retry,
char *const pin,
const size_t pin_max
- ) {
+ )
+{
struct user_pass token_pass;
char prompt[1024];
@@ -275,7 +283,8 @@ bool
pkcs11_initialize(
const bool protected_auth,
const int nPINCachePeriod
- ) {
+ )
+{
CK_RV rv = CKR_FUNCTION_FAILED;
dmsg(
@@ -347,7 +356,8 @@ cleanup:
}
void
-pkcs11_terminate() {
+pkcs11_terminate()
+{
dmsg(
D_PKCS11_DEBUG,
"PKCS#11: pkcs11_terminate - entered"
@@ -367,7 +377,8 @@ pkcs11_addProvider(
const bool protected_auth,
const unsigned private_mode,
const bool cert_private
- ) {
+ )
+{
CK_RV rv = CKR_OK;
ASSERT(provider!=NULL);
@@ -411,12 +422,14 @@ pkcs11_addProvider(
}
int
-pkcs11_logout() {
+pkcs11_logout()
+{
return pkcs11h_logout() == CKR_OK;
}
int
-pkcs11_management_id_count() {
+pkcs11_management_id_count()
+{
pkcs11h_certificate_id_list_t id_list = NULL;
pkcs11h_certificate_id_list_t t = NULL;
CK_RV rv = CKR_OK;
@@ -441,7 +454,8 @@ pkcs11_management_id_count() {
goto cleanup;
}
- for (count = 0, t = id_list; t != NULL; t = t->next) {
+ for (count = 0, t = id_list; t != NULL; t = t->next)
+ {
count++;
}
@@ -467,7 +481,8 @@ pkcs11_management_id_get(
const int index,
char **id,
char **base64
- ) {
+ )
+{
pkcs11h_certificate_id_list_t id_list = NULL;
pkcs11h_certificate_id_list_t entry = NULL;
#if 0 /* certificate_id seems to be unused -- JY */
@@ -511,7 +526,8 @@ pkcs11_management_id_get(
entry = id_list;
count = 0;
- while (entry != NULL && count != index) {
+ while (entry != NULL && count != index)
+ {
count++;
entry = entry->next;
}
@@ -653,7 +669,8 @@ tls_ctx_use_pkcs11(
struct tls_root_ctx *const ssl_ctx,
bool pkcs11_id_management,
const char *const pkcs11_id
- ) {
+ )
+{
pkcs11h_certificate_id_t certificate_id = NULL;
pkcs11h_certificate_t certificate = NULL;
CK_RV rv = CKR_OK;
@@ -784,7 +801,8 @@ _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
const unsigned retry,
char *const pin,
const size_t pin_max
- ) {
+ )
+{
struct gc_arena gc = gc_new();
struct buffer pass_prompt = alloc_buf_gc(128, &gc);
@@ -817,7 +835,8 @@ void
show_pkcs11_ids(
const char *const provider,
bool cert_private
- ) {
+ )
+{
struct gc_arena gc = gc_new();
pkcs11h_certificate_id_list_t user_certificates = NULL;
pkcs11h_certificate_id_list_t current = NULL;
@@ -888,7 +907,8 @@ show_pkcs11_ids(
"--pkcs11-id option please remember to use single quote mark.\n"
)
);
- for (current = user_certificates; current != NULL; current = current->next) {
+ for (current = user_certificates; current != NULL; current = current->next)
+ {
pkcs11h_certificate_t certificate = NULL;
char *dn = NULL;
char serial[1024] = {0};
@@ -1006,7 +1026,8 @@ cleanup:
#else /* if defined(ENABLE_PKCS11) */
#ifdef _MSC_VER /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif
#endif /* ENABLE_PKCS11 */
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 3747d3a..f1722c0 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef OPENVPN_PKCS11_H
diff --git a/src/openvpn/pkcs11_backend.h b/src/openvpn/pkcs11_backend.h
index 9606899..b47b757 100644
--- a/src/openvpn/pkcs11_backend.h
+++ b/src/openvpn/pkcs11_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index bdca893..45372e4 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -39,6 +38,7 @@
#include "errlevel.h"
#include "pkcs11_backend.h"
+#include "ssl_verify_backend.h"
#include <mbedtls/pkcs11.h>
#include <mbedtls/x509.h>
@@ -82,8 +82,6 @@ char *
pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
{
char *ret = NULL;
- char dn[1024] = {0};
-
mbedtls_x509_crt mbed_crt = {0};
if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
@@ -92,14 +90,12 @@ pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
goto cleanup;
}
- if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject))
+ if (!(ret = x509_get_subject(&mbed_crt, gc)))
{
msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
goto cleanup;
}
- ret = string_alloc(dn, gc);
-
cleanup:
mbedtls_x509_crt_free(&mbed_crt);
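Review bot: `if (!(ret = x509_get_subject(&mbed_crt, gc)))` hides an assignment inside the condition, which the rest of this function avoids; `ret = x509_get_subject(&mbed_crt, gc);` followed by `if (!ret)` reads the same and keeps the error path visible. The failure branch calls `msg(M_FATAL, ...)`, and if that does not return (as M_FATAL is used elsewhere in OpenVPN) the `goto cleanup` after it is dead code, a pattern the old lines also had; a comment such as `/* M_FATAL does not return; goto kept for symmetry */` or dropping the goto would settle the question. pkcs11_certificate_dn's return is outside the hunk.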
diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
index 6244cc7..c37425b 100644
--- a/src/openvpn/pkcs11_openssl.c
+++ b/src/openvpn/pkcs11_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 952d633..2495523 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h
index 62396a9..cd2bbc9 100644
--- a/src/openvpn/platform.h
+++ b/src/openvpn/platform.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PLATFORM_H
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 17eb2d8..557b6bc 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -234,23 +233,31 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
#ifndef _WIN32
p->handle = NULL;
-#if defined(PLUGIN_LIBDIR)
- if (!absolute_pathname(p->so_pathname))
+
+ /* If the plug-in filename is not an absolute path,
+ * or beginning with '.', it should use the PLUGIN_LIBDIR
+ * as the base directory for loading the plug-in.
+ *
+ * This means the following scenarios are loaded from these places:
+ * --plugin fancyplug.so -> $PLUGIN_LIBDIR/fancyplug.so
+ * --plugin my/fancyplug.so -> $PLUGIN_LIBDIR/my/fancyplug.so
+ * --plugin ./fancyplug.so -> $CWD/fancyplug.so
+ * --plugin /usr/lib/my/fancyplug.so -> /usr/lib/my/fancyplug.so
+ *
+ * Please note that $CWD means the directory OpenVPN is either started from
+ * or the directory OpenVPN have changed into using --cd before --plugin
+ * was parsed.
+ *
+ */
+ if (!absolute_pathname(p->so_pathname)
+ && p->so_pathname[0] != '.')
{
char full[PATH_MAX];
openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
p->handle = dlopen(full, RTLD_NOW);
-#if defined(ENABLE_PLUGIN_SEARCH)
- if (!p->handle)
- {
- rel = true;
- p->handle = dlopen(p->so_pathname, RTLD_NOW);
- }
-#endif
}
else
-#endif
{
rel = !absolute_pathname(p->so_pathname);
p->handle = dlopen(p->so_pathname, RTLD_NOW);
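Review bot: The `p->so_pathname[0] != '.'` test is weaker than the comment above it claims: a name such as `.fancyplug.so` contains no slash, so the else branch hands it to `dlopen` unqualified and the dynamic loader resolves it through its own search path (environment, cache and default library directories) rather than `$CWD`, which is precisely the lookup the PLUGIN_LIBDIR rule exists to avoid. Checking for an explicit relative prefix, e.g. `&& strncmp(p->so_pathname, "./", 2) != 0 && strncmp(p->so_pathname, "../", 3) != 0`, or requiring a '/' in the name before taking the else branch, would make the behaviour match the comment. Dropping the `#if defined(PLUGIN_LIBDIR)` guard means PLUGIN_LIBDIR must now always be defined by the build, which is presumably arranged elsewhere in this commit but is not visible here, and the truncation result of `openvpn_snprintf` remains unchecked as before. The comment's `OpenVPN have changed into` should read `OpenVPN has changed into`. plugin_init_item begins and ends outside the hunk.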
@@ -402,7 +409,8 @@ plugin_log(openvpn_plugin_log_flags_t flags, const char *name, const char *forma
static struct openvpn_plugin_callbacks callbacks = {
plugin_log,
- plugin_vlog
+ plugin_vlog,
+ secure_memzero /* plugin_secure_memzero */
};
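Review bot: The callbacks table is initialised positionally, so adding `secure_memzero` as the third member silently depends on the member order in the plugin header; designated initialisers, `.plugin_log = plugin_log, .plugin_vlog = plugin_vlog, .plugin_secure_memzero = secure_memzero`, would turn a mismatch into a compile error instead of a wrong function pointer handed to plugins, assuming the member names match the trailing comment on the new line. The table is `static` and this hunk shows the whole initialiser.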
@@ -745,7 +753,9 @@ plugin_common_close(struct plugin_common *pc)
int i;
for (i = 0; i < pc->n; ++i)
+ {
plugin_close_item(&pc->plugins[i]);
+ }
free(pc);
}
}
@@ -883,7 +893,9 @@ plugin_abort(void)
int i;
for (i = 0; i < pc->n; ++i)
+ {
plugin_abort_item(&pc->plugins[i]);
+ }
}
}
@@ -964,7 +976,9 @@ plugin_return_get_column(const struct plugin_return *src,
dest->n = 0;
for (i = 0; i < src->n; ++i)
+ {
dest->list[i] = openvpn_plugin_string_list_find(src->list[i], colname);
+ }
dest->n = i;
}
@@ -973,7 +987,9 @@ plugin_return_free(struct plugin_return *pr)
{
int i;
for (i = 0; i < pr->n; ++i)
+ {
openvpn_plugin_string_list_free(pr->list[i]);
+ }
pr->n = 0;
}
@@ -1003,6 +1019,7 @@ plugin_return_print(const int msglevel, const char *prefix, const struct plugin_
#else /* ifdef ENABLE_PLUGIN */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_PLUGIN */
diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h
index 4ded529..0cffee0 100644
--- a/src/openvpn/plugin.h
+++ b/src/openvpn/plugin.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index aa0bc2b..a8f15b9 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -215,7 +214,9 @@ ifconfig_pool_free(struct ifconfig_pool *pool)
{
int i;
for (i = 0; i < pool->size; ++i)
+ {
ifconfig_pool_entry_free(&pool->list[i], true);
+ }
free(pool->list);
free(pool);
}
diff --git a/src/openvpn/pool.h b/src/openvpn/pool.h
index c3e1190..ee91d82 100644
--- a/src/openvpn/pool.h
+++ b/src/openvpn/pool.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef POOL_H
diff --git a/src/openvpn/proto.c b/src/openvpn/proto.c
index 40e0714..2cbea3a 100644
--- a/src/openvpn/proto.c
+++ b/src/openvpn/proto.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/proto.h b/src/openvpn/proto.h
index bfcb36d..57f25c9 100644
--- a/src/openvpn/proto.h
+++ b/src/openvpn/proto.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PROTO_H
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index dd327a2..7a737ea 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -318,6 +317,7 @@ get_proxy_authenticate(socket_descriptor_t sd,
{
if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
{
+ free(*data);
*data = NULL;
return HTTP_AUTH_NONE;
}
@@ -381,7 +381,9 @@ get_key_value(const char *str, /* source string */
bool escape = false;
for (c = max_key_len-1; (*str && (*str != '=') && c--); )
+ {
*key++ = *str++;
+ }
*key = '\0';
if ('=' != *str++)
@@ -475,7 +477,9 @@ get_pa_var(const char *key, const char *pa, struct gc_arena *gc)
++content;
}
while (*content && isspace(*content))
+ {
++content;
+ }
}
}
@@ -774,7 +778,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
/* receive and discard everything else */
while (recv_line(sd, NULL, 0, 2, true, NULL, signal_received))
- ;
+ {
+ }
/* now send the phase 3 reply */
@@ -870,6 +875,13 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
const char *algor = get_pa_var("algorithm", pa, &gc);
const char *opaque = get_pa_var("opaque", pa, &gc);
+ if ( !realm || !nonce )
+ {
+ msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
+ "from server: realm= or nonce= missing" );
+ goto error;
+ }
+
/* generate a client nonce */
ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw)));
cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc);
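Review bot: The new `goto error` on the malformed-response path leaks `pa` if it is heap-allocated, which the `free(pa);` this same commit adds before the other `goto error` later in this function (the auth_retry/PAR_NCT hunk) suggests it is; add `free(pa);` before `goto error;` here as well, or release it under the `error:` label so every early exit is covered. The spacing in `if ( !realm || !nonce )` also differs from the whitespace reformatting this commit applies elsewhere; `if (!realm || !nonce)` matches. establish_http_proxy_passthru starts and ends outside the hunk.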
@@ -986,6 +998,7 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC)
{
msg(D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
+ free(pa);
goto error;
}
p->auth_method = method;
@@ -1041,7 +1054,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
* start of the OpenVPN data stream (put it in lookahead).
*/
while (recv_line(sd, NULL, 0, 2, false, lookahead, signal_received))
- ;
+ {
+ }
/* reset queried_creds so that we don't think that the next creds request is due to an auth error */
p->queried_creds = false;
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index c20a676..3ce79de 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PROXY_H
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index 21b12ca..c2b05cd 100644
--- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h
index 0fc1ee4..b8c6853 100644
--- a/src/openvpn/ps.h
+++ b/src/openvpn/ps.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PS_H
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index f515475..5947a31 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -372,15 +371,17 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
/* Push cipher if client supports Negotiable Crypto Parameters */
if (tls_peer_info_ncp_ver(peer_info) >= 2 && o->ncp_enabled)
{
- /* if we have already created our key, we cannot change our own
- * cipher, so disable NCP and warn = explain why
+ /* if we have already created our key, we cannot *change* our own
+ * cipher -> so log the fact and push the "what we have now" cipher
+ * (so the client is always told what we expect it to use)
*/
const struct tls_session *session = &tls_multi->session[TM_ACTIVE];
if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
{
msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
"server has already generated data channel keys, "
- "ignoring client request" );
+ "re-sending previously negotiated cipher '%s'",
+ o->ciphername );
}
else
{
@@ -388,8 +389,8 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
* TODO: actual negotiation, instead of server dictatorship. */
char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
o->ciphername = strtok(push_cipher, ":");
- push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
+ push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
}
else if (o->ncp_enabled)
{
@@ -692,8 +693,8 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
{
continue;
}
+ md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}
- md_ctx_update(ctx, (const uint8_t *) line, strlen(line)+1);
}
int
@@ -720,10 +721,11 @@ process_incoming_push_msg(struct context *c,
if (ch == ',')
{
struct buffer buf_orig = buf;
- if (!c->c2.pulled_options_md5_init_done)
+ if (!c->c2.pulled_options_digest_init_done)
{
- md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5"));
- c->c2.pulled_options_md5_init_done = true;
+ c->c2.pulled_options_state = md_ctx_new();
+ md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256"));
+ c->c2.pulled_options_digest_init_done = true;
}
if (!c->c2.did_pre_pull_restore)
{
@@ -736,15 +738,17 @@ process_incoming_push_msg(struct context *c,
option_types_found,
c->c2.es))
{
- push_update_digest(&c->c2.pulled_options_state, &buf_orig,
+ push_update_digest(c->c2.pulled_options_state, &buf_orig,
&c->options);
switch (c->options.push_continuation)
{
case 0:
case 1:
- md_ctx_final(&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
- md_ctx_cleanup(&c->c2.pulled_options_state);
- c->c2.pulled_options_md5_init_done = false;
+ md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
+ md_ctx_cleanup(c->c2.pulled_options_state);
+ md_ctx_free(c->c2.pulled_options_state);
+ c->c2.pulled_options_state = NULL;
+ c->c2.pulled_options_digest_init_done = false;
ret = PUSH_MSG_REPLY;
break;
diff --git a/src/openvpn/push.h b/src/openvpn/push.h
index 86900c8..4d42e81 100644
--- a/src/openvpn/push.h
+++ b/src/openvpn/push.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef PUSH_H
diff --git a/src/openvpn/pushlist.h b/src/openvpn/pushlist.h
index 58fc870..57216b2 100644
--- a/src/openvpn/pushlist.h
+++ b/src/openvpn/pushlist.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#if !defined(PUSHLIST_H) && P2MP && P2MP_SERVER
diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c
index 57cdd78..93541a9 100644
--- a/src/openvpn/reliable.c
+++ b/src/openvpn/reliable.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -112,10 +111,12 @@ reliable_ack_packet_id_present(struct reliable_ack *ack, packet_id_type pid)
{
int i;
for (i = 0; i < ack->len; ++i)
+ {
if (ack->packet_id[i] == pid)
{
return true;
}
+ }
return false;
}
@@ -242,7 +243,9 @@ reliable_ack_write(struct reliable_ack *ack,
ASSERT(session_id_defined(sid));
ASSERT(session_id_write(sid, &sub));
for (i = 0, j = n; j < ack->len; )
+ {
ack->packet_id[i++] = ack->packet_id[j++];
+ }
ack->len = i;
}
@@ -802,6 +805,7 @@ reliable_debug_print(const struct reliable *rel, char *desc)
#else /* ifdef ENABLE_CRYPTO */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/reliable.h b/src/openvpn/reliable.h
index 455168a..aa34b02 100644
--- a/src/openvpn/reliable.h
+++ b/src/openvpn/reliable.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 0c93dcd..a1811f4 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -986,11 +985,19 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
if (rl && rl->flags & RG_ENABLE)
{
+ bool local = rl->flags & RG_LOCAL;
+
if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
{
msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
}
- else if (!(rl->rgi.flags & RGI_ADDR_DEFINED))
+ /*
+ * check if a default route is defined, unless:
+ * - we are connecting to a remote host in our network
+ * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
+ */
+ else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
+ && (rl->spec.remote_host != IPV4_INVALID_ADDR))
{
msg(M_WARN, "%s Cannot read current default gateway from system", err);
}
@@ -1001,7 +1008,6 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
else
{
#ifndef TARGET_ANDROID
- bool local = BOOL_CAST(rl->flags & RG_LOCAL);
if (rl->flags & RG_AUTO_LOCAL)
{
const int tla = rl->spec.remote_host_local;
@@ -1066,14 +1072,13 @@ redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, un
}
else
{
- /* delete default route */
- del_route3(0,
- 0,
- rl->rgi.gateway.addr,
- tt,
- flags | ROUTE_REF_GW,
- &rl->rgi,
- es);
+ /* don't try to remove the def route if it does not exist */
+ if (rl->rgi.flags & RGI_ADDR_DEFINED)
+ {
+ /* delete default route */
+ del_route3(0, 0, rl->rgi.gateway.addr, tt,
+ flags | ROUTE_REF_GW, &rl->rgi, es);
+ }
/* add new default route */
add_route3(0,
@@ -1145,15 +1150,12 @@ undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *t
flags,
&rl->rgi,
es);
-
- /* restore original default route */
- add_route3(0,
- 0,
- rl->rgi.gateway.addr,
- tt,
- flags | ROUTE_REF_GW,
- &rl->rgi,
- es);
+ /* restore original default route if there was any */
+ if (rl->rgi.flags & RGI_ADDR_DEFINED)
+ {
+ add_route3(0, 0, rl->rgi.gateway.addr, tt,
+ flags | ROUTE_REF_GW, &rl->rgi, es);
+ }
}
}
@@ -1196,6 +1198,15 @@ add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tunt
if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
{
struct route_ipv6 *r;
+
+ if (!tt->did_ifconfig_ipv6_setup)
+ {
+ msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
+ "route over %s. However, no IPv6 has been configured for "
+ "this interface, therefore the route installation may "
+ "fail or may not work as expected.", tt->actual_name);
+ }
+
for (r = rl6->routes_ipv6; r; r = r->next)
{
if (flags & ROUTE_DELETE_FIRST)
@@ -1281,7 +1292,9 @@ print_route_options(const struct route_option_list *rol,
(rol->flags & RG_LOCAL) != 0);
}
for (ro = rol->routes; ro; ro = ro->next)
+ {
print_route_option(ro, level);
+ }
}
void
@@ -1375,7 +1388,9 @@ print_routes(const struct route_list *rl, int level)
{
struct route_ipv4 *r;
for (r = rl->routes; r; r = r->next)
+ {
print_route(r, level);
+ }
}
static void
@@ -1404,7 +1419,9 @@ setenv_routes(struct env_set *es, const struct route_list *rl)
int i = 1;
struct route_ipv4 *r;
for (r = rl->routes; r; r = r->next)
+ {
setenv_route(es, r, i++);
+ }
}
static void
@@ -1433,7 +1450,9 @@ setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
int i = 1;
struct route_ipv6 *r6;
for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
+ {
setenv_route_ipv6(es, r6, i++);
+ }
}
/*
@@ -1874,14 +1893,6 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flag
}
#endif
- if (!tt->did_ifconfig_ipv6_setup)
- {
- msg( M_INFO, "add_route_ipv6(): not adding %s/%d: "
- "no IPv6 address been configured on interface %s",
- network, r6->netbits, device);
- return;
- }
-
msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
network, r6->netbits, gateway, r6->metric, device );
@@ -2623,7 +2634,9 @@ test_routes(const struct route_list *rl, const struct tuntap *tt)
{
struct route_ipv4 *r;
for (r = rl->routes, len = 0; r; r = r->next, ++len)
+ {
test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
+ }
if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
{
@@ -3047,8 +3060,10 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t
/* In TUN mode we use a special link-local address as the next hop.
* The tapdrvr knows about it and will answer neighbor discovery packets.
+ * (only do this for routes actually using the tun/tap device)
*/
- if (tt->type == DEV_TYPE_TUN)
+ if (tt->type == DEV_TYPE_TUN
+ && msg.iface.index == tt->adapter_index )
{
inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}
@@ -3581,6 +3596,9 @@ get_default_gateway(struct route_gateway_info *rgi)
rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
rtm.rtm_version = RTM_VERSION;
rtm.rtm_seq = ++seq;
+#ifdef TARGET_OPENBSD
+ rtm.rtm_tableid = getrtable();
+#endif
rtm.rtm_addrs = rtm_addrs;
so_dst.sa_family = AF_INET;
@@ -3608,7 +3626,8 @@ get_default_gateway(struct route_gateway_info *rgi)
msg(M_WARN, "GDG: problem writing to routing socket");
goto done;
}
- do {
+ do
+ {
l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
} while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
close(sockfd);
@@ -3795,6 +3814,9 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
rtm.rtm_flags = RTF_UP;
rtm.rtm_version = RTM_VERSION;
rtm.rtm_seq = ++seq;
+#ifdef TARGET_OPENBSD
+ rtm.rtm_tableid = getrtable();
+#endif
so_dst.sin6_family = AF_INET6;
so_mask.sin6_family = AF_INET6;
diff --git a/src/openvpn/route.h b/src/openvpn/route.h
index 03ee8cd..6414d6c 100644
--- a/src/openvpn/route.h
+++ b/src/openvpn/route.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -354,7 +353,8 @@ bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
#else /* ifdef _WIN32 */
static inline bool
-test_routes(const struct route_list *rl, const struct tuntap *tt) {
+test_routes(const struct route_list *rl, const struct tuntap *tt)
+{
return true;
}
#endif
diff --git a/src/openvpn/schedule.c b/src/openvpn/schedule.c
index 610bfa4..b1ba5d4 100644
--- a/src/openvpn/schedule.c
+++ b/src/openvpn/schedule.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -377,7 +376,9 @@ schedule_add_modify(struct schedule *s, struct schedule_entry *e)
* keeps the tree balanced. Move the node up the tree until
* its own priority is greater than that of its parent */
while (e->parent && e->parent->pri > e->pri)
+ {
schedule_rotate_up(s, e);
+ }
}
/*
@@ -623,7 +624,9 @@ schedule_print_work(struct schedule_entry *e, int indent)
struct gc_arena gc = gc_new();
int i;
for (i = 0; i < indent; ++i)
+ {
printf(" ");
+ }
if (e)
{
printf("%s [%u] e=" ptr_format ", p=" ptr_format " lt=" ptr_format " gt=" ptr_format "\n",
diff --git a/src/openvpn/schedule.h b/src/openvpn/schedule.h
index f2a6813..e6c1b7e 100644
--- a/src/openvpn/schedule.h
+++ b/src/openvpn/schedule.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SCHEDULE_H
diff --git a/src/openvpn/session_id.c b/src/openvpn/session_id.c
index b23f0f4..dce42e7 100644
--- a/src/openvpn/session_id.c
+++ b/src/openvpn/session_id.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -64,6 +63,7 @@ session_id_print(const struct session_id *sid, struct gc_arena *gc)
#else /* ifdef ENABLE_CRYPTO */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/session_id.h b/src/openvpn/session_id.h
index 2b0ceb8..6611a3c 100644
--- a/src/openvpn/session_id.h
+++ b/src/openvpn/session_id.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c
index eb459ef..19dd54d 100644
--- a/src/openvpn/shaper.c
+++ b/src/openvpn/shaper.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -98,6 +97,7 @@ shaper_msg(struct shaper *s)
#else /* ifdef ENABLE_FEATURE_SHAPER */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_FEATURE_SHAPER */
diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h
index d97221a..6fac16d 100644
--- a/src/openvpn/shaper.h
+++ b/src/openvpn/shaper.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SHAPER_H
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 9f4841a..87cef71 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/sig.h b/src/openvpn/sig.h
index 5783731..7c41070 100644
--- a/src/openvpn/sig.h
+++ b/src/openvpn/sig.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SIG_H
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index ae12832..4e7e3f9 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -205,7 +204,9 @@ do_preresolve_host(struct context *c,
{
struct cached_dns_entry *prev = c->c1.dns_cache;
while (prev->next)
+ {
prev = prev->next;
+ }
prev->next = ph;
}
@@ -336,20 +337,6 @@ openvpn_getaddrinfo(unsigned int flags,
ASSERT(hostname || servname);
ASSERT(!(flags & GETADDR_HOST_ORDER));
- if (hostname && (flags & GETADDR_RANDOMIZE))
- {
- hostname = hostname_randomize(hostname, &gc);
- }
-
- if (hostname)
- {
- print_hostname = hostname;
- }
- else
- {
- print_hostname = "undefined";
- }
-
if (servname)
{
print_servname = servname;
@@ -400,6 +387,20 @@ openvpn_getaddrinfo(unsigned int flags,
const char *fmt;
int level = 0;
+ if (hostname && (flags & GETADDR_RANDOMIZE))
+ {
+ hostname = hostname_randomize(hostname, &gc);
+ }
+
+ if (hostname)
+ {
+ print_hostname = hostname;
+ }
+ else
+ {
+ print_hostname = "undefined";
+ }
+
fmt = "RESOLVE: Cannot resolve host address: %s:%s (%s)";
if ((flags & GETADDR_MENTION_RESOLVE_RETRY)
&& !resolve_retry_seconds)
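Review bot: `print_hostname` is now assigned only inside this resolution-failure block, whereas it used to be set near the top of openvpn_getaddrinfo (removed in the previous hunk); if it is declared without an initialiser and any log call between the two places, or on the numeric-address path, still prints it, that read is now of an indeterminate value. Initialising it at its declaration, `const char *print_hostname = "undefined";`, is cheap insurance and leaves this block as an override. The warning added in the next hunk for the numeric-address branch fires on every call with GETADDR_RANDOMIZE set, so it may repeat on each reconnect. The function starts and ends outside the hunk.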
@@ -510,6 +511,10 @@ openvpn_getaddrinfo(unsigned int flags,
else
{
/* IP address parse succeeded */
+ if (flags & GETADDR_RANDOMIZE)
+ {
+ msg(M_WARN, "WARNING: ignoring --remote-random-hostname because the hostname is an IP address");
+ }
}
done:
@@ -1144,7 +1149,7 @@ tcp_connection_established(const struct link_socket_actual *act)
gc_free(&gc);
}
-static int
+static socket_descriptor_t
socket_listen_accept(socket_descriptor_t sd,
struct link_socket_actual *act,
const char *remote_dynamic,
@@ -1156,7 +1161,7 @@ socket_listen_accept(socket_descriptor_t sd,
struct gc_arena gc = gc_new();
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
- int new_sd = SOCKET_UNDEFINED;
+ socket_descriptor_t new_sd = SOCKET_UNDEFINED;
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
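Review bot: Changing socket_listen_accept's return type to socket_descriptor_t is the right fix for Windows, where the descriptor type is unsigned, but any caller that still tests the result with `new_sd < 0` or stores it in an `int` would silently stop detecting failure; the callers are outside this hunk, so confirm they compare against `SOCKET_UNDEFINED` (or use `socket_defined()`). A forward declaration, if one exists, needs the same type. The function continues past the hunk.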
@@ -2008,7 +2013,8 @@ static void
phase2_tcp_client(struct link_socket *sock, struct signal_info *sig_info)
{
bool proxy_retry = false;
- do {
+ do
+ {
socket_connect(&sock->sd,
sock->info.lsa->current_remote->ai_addr,
get_server_poll_remaining_time(sock->server_poll_timeout),
@@ -2364,7 +2370,8 @@ link_socket_bad_incoming_addr(struct buffer *buf,
(int)from_addr->dest.addr.sa.sa_family,
print_sockaddr_ex(info->lsa->remote_list->ai_addr,":",PS_SHOW_PORT, &gc));
/* print additional remote addresses */
- for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next) {
+ for (ai = info->lsa->remote_list->ai_next; ai; ai = ai->ai_next)
+ {
msg(D_LINK_ERRORS,"or from peer address: %s",
print_sockaddr_ex(ai->ai_addr,":",PS_SHOW_PORT, &gc));
}
@@ -3053,10 +3060,12 @@ ascii2proto(const char *proto_name)
{
int i;
for (i = 0; i < SIZE(proto_names); ++i)
+ {
if (!strcmp(proto_name, proto_names[i].short_form))
{
return proto_names[i].proto;
}
+ }
return -1;
}
@@ -3065,10 +3074,12 @@ ascii2af(const char *proto_name)
{
int i;
for (i = 0; i < SIZE(proto_names); ++i)
+ {
if (!strcmp(proto_name, proto_names[i].short_form))
{
return proto_names[i].proto_af;
}
+ }
return 0;
}
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 63e601e..2d7f218 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SOCKET_H
@@ -623,7 +622,8 @@ addr_defined(const struct openvpn_sockaddr *addr)
{
return 0;
}
- switch (addr->addr.sa.sa_family) {
+ switch (addr->addr.sa.sa_family)
+ {
case AF_INET: return addr->addr.in4.sin_addr.s_addr != 0;
case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(&addr->addr.in6.sin6_addr);
@@ -639,7 +639,8 @@ addr_local(const struct sockaddr *addr)
{
return false;
}
- switch (addr->sa_family) {
+ switch (addr->sa_family)
+ {
case AF_INET:
return ((const struct sockaddr_in *)addr)->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
@@ -660,7 +661,8 @@ addr_defined_ipi(const struct link_socket_actual *lsa)
{
return 0;
}
- switch (lsa->dest.addr.sa.sa_family) {
+ switch (lsa->dest.addr.sa.sa_family)
+ {
#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
@@ -687,7 +689,8 @@ link_socket_actual_defined(const struct link_socket_actual *act)
static inline bool
addr_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
{
- switch (a1->addr.sa.sa_family) {
+ switch (a1->addr.sa.sa_family)
+ {
case AF_INET:
return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr;
@@ -781,7 +784,8 @@ addrlist_port_match(const struct openvpn_sockaddr *a1, const struct addrinfo *a2
static inline bool
addr_port_match(const struct openvpn_sockaddr *a1, const struct openvpn_sockaddr *a2)
{
- switch (a1->addr.sa.sa_family) {
+ switch (a1->addr.sa.sa_family)
+ {
case AF_INET:
return a1->addr.in4.sin_addr.s_addr == a2->addr.in4.sin_addr.s_addr
&& a1->addr.in4.sin_port == a2->addr.in4.sin_port;
@@ -818,7 +822,8 @@ addrlist_match_proto(const struct openvpn_sockaddr *a1,
static inline void
addr_zero_host(struct openvpn_sockaddr *addr)
{
- switch (addr->addr.sa.sa_family) {
+ switch (addr->addr.sa.sa_family)
+ {
case AF_INET:
addr->addr.in4.sin_addr.s_addr = 0;
break;
@@ -846,7 +851,8 @@ int addr_guess_family(sa_family_t af,const char *name);
static inline int
af_addr_size(sa_family_t af)
{
- switch (af) {
+ switch (af)
+ {
case AF_INET: return sizeof(struct sockaddr_in);
case AF_INET6: return sizeof(struct sockaddr_in6);
@@ -919,7 +925,8 @@ link_socket_verify_incoming_addr(struct buffer *buf,
{
if (buf->len > 0)
{
- switch (from_addr->dest.addr.sa.sa_family) {
+ switch (from_addr->dest.addr.sa.sa_family)
+ {
case AF_INET6:
case AF_INET:
if (!link_socket_actual_defined(from_addr))
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index b50cac3..92747ec 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/socks.h b/src/openvpn/socks.h
index 17e75e1..39b96c5 100644
--- a/src/openvpn/socks.h
+++ b/src/openvpn/socks.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cff4052..15cd94a 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -269,10 +268,12 @@ static void
key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
const tls_cipher_name_pair *
-tls_get_cipher_name_pair(const char *cipher_name, size_t len) {
+tls_get_cipher_name_pair(const char *cipher_name, size_t len)
+{
const tls_cipher_name_pair *pair = tls_cipher_name_translation_table;
- while (pair->openssl_name != NULL) {
+ while (pair->openssl_name != NULL)
+ {
if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
|| (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
{
@@ -450,6 +451,8 @@ ssl_set_auth_nocache(void)
{
passbuf.nocache = true;
auth_user_pass.nocache = true;
+ /* wait for push-reply, because auth-token may invert nocache */
+ auth_user_pass.wait_for_push = true;
}
/*
@@ -458,6 +461,14 @@ ssl_set_auth_nocache(void)
void
ssl_set_auth_token(const char *token)
{
+ if (auth_user_pass.nocache)
+ {
+ msg(M_INFO,
+ "auth-token received, disabling auth-nocache for the "
+ "authentication token");
+ auth_user_pass.nocache = false;
+ }
+
set_auth_token(&auth_user_pass, token);
}
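Review bot: The new branch flips `auth_user_pass.nocache` back to false without a comment explaining why a user who asked for --auth-nocache now gets credentials retained, and the related `wait_for_push` flag set in ssl_set_auth_nocache() above is documented only by the one-liner there. Add above the `if (auth_user_pass.nocache)` a comment along the lines of `/* a pushed auth-token must outlive renegotiations, so caching is re-enabled for it even under --auth-nocache; the original password is still purged once delayed_auth_pass_purge() runs */` — the second half is my reading of key_method_2_write() and delayed_auth_pass_purge() in this diff, so confirm it before committing the wording. The M_INFO message could also state that only the token is retained, which is what users of --auth-nocache will want to know.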
@@ -569,12 +580,12 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
* Note: Windows does not support tv_nsec.
*/
if ((ssl_ctx->crl_last_size == crl_stat.st_size)
- && (ssl_ctx->crl_last_mtime.tv_sec == crl_stat.st_mtime))
+ && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
{
return;
}
- ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime;
+ ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
ssl_ctx->crl_last_size = crl_stat.st_size;
backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
}
@@ -830,14 +841,7 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc)
return BSTR(&out);
}
-/*
- * Given a key_method, return true if op
- * represents the required form of hard_reset.
- *
- * If key_method = 0, return true if any
- * form of hard reset is used.
- */
-static bool
+bool
is_hard_reset(int op, int key_method)
{
if (!key_method || key_method == 1)
@@ -1068,7 +1072,9 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
/* Randomize session # if it is 0 */
while (!session_id_defined(&session->session_id))
+ {
session_id_random(&session->session_id);
+ }
/* Are we a TLS server or client? */
ASSERT(session->opt->key_method >= 1);
@@ -1130,7 +1136,9 @@ tls_session_free(struct tls_session *session, bool clear)
free_buf(&session->tls_wrap.work);
for (i = 0; i < KS_SIZE; ++i)
+ {
key_state_free(&session->key[i], false);
+ }
if (session->common_name)
{
@@ -1187,7 +1195,8 @@ reset_session(struct tls_multi *multi, struct tls_session *session)
* called again.
*/
static inline void
-compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) {
+compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
+{
if (seconds_from_now < *earliest)
{
*earliest = seconds_from_now;
@@ -1357,7 +1366,9 @@ tls_multi_free(struct tls_multi *multi, bool clear)
free(multi->remote_ciphername);
for (i = 0; i < TM_SIZE; ++i)
+ {
tls_session_free(&multi->session[i], false);
+ }
if (clear)
{
@@ -1605,8 +1616,8 @@ tls1_P_hash(const md_kt_t *md_kt,
{
struct gc_arena gc = gc_new();
int chunk;
- hmac_ctx_t ctx;
- hmac_ctx_t ctx_tmp;
+ hmac_ctx_t *ctx;
+ hmac_ctx_t *ctx_tmp;
uint8_t A1[MAX_HMAC_KEY_LENGTH];
unsigned int A1_len;
@@ -1615,8 +1626,8 @@ tls1_P_hash(const md_kt_t *md_kt,
const uint8_t *out_orig = out;
#endif
- CLEAR(ctx);
- CLEAR(ctx_tmp);
+ ctx = hmac_ctx_new();
+ ctx_tmp = hmac_ctx_new();
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
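Review bot: The two `hmac_ctx_new()` results are used unchecked; if that allocator can return NULL (its definition lives in the crypto backends, not in this hunk), the `hmac_ctx_init(ctx, ...)` calls in the next hunk dereference NULL. If it aborts internally on allocation failure, a one-line comment such as `/* hmac_ctx_new() aborts on OOM, no NULL check needed */` would save the next reader the lookup; otherwise add `ASSERT(ctx && ctx_tmp);` after the two calls. tls1_P_hash() starts outside this hunk.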
@@ -1624,36 +1635,38 @@ tls1_P_hash(const md_kt_t *md_kt,
chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
- hmac_ctx_init(&ctx, sec, sec_len, md_kt);
- hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
- hmac_ctx_update(&ctx,seed,seed_len);
- hmac_ctx_final(&ctx, A1);
+ hmac_ctx_update(ctx,seed,seed_len);
+ hmac_ctx_final(ctx, A1);
for (;; )
{
- hmac_ctx_reset(&ctx);
- hmac_ctx_reset(&ctx_tmp);
- hmac_ctx_update(&ctx,A1,A1_len);
- hmac_ctx_update(&ctx_tmp,A1,A1_len);
- hmac_ctx_update(&ctx,seed,seed_len);
+ hmac_ctx_reset(ctx);
+ hmac_ctx_reset(ctx_tmp);
+ hmac_ctx_update(ctx,A1,A1_len);
+ hmac_ctx_update(ctx_tmp,A1,A1_len);
+ hmac_ctx_update(ctx,seed,seed_len);
if (olen > chunk)
{
- hmac_ctx_final(&ctx, out);
+ hmac_ctx_final(ctx, out);
out += chunk;
olen -= chunk;
- hmac_ctx_final(&ctx_tmp, A1); /* calc the next A1 value */
+ hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
}
else /* last one */
{
- hmac_ctx_final(&ctx, A1);
+ hmac_ctx_final(ctx, A1);
memcpy(out,A1,olen);
break;
}
}
- hmac_ctx_cleanup(&ctx);
- hmac_ctx_cleanup(&ctx_tmp);
+ hmac_ctx_cleanup(ctx);
+ hmac_ctx_free(ctx);
+ hmac_ctx_cleanup(ctx_tmp);
+ hmac_ctx_free(ctx_tmp);
secure_memzero(A1, sizeof(A1));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
@@ -1705,7 +1718,9 @@ tls1_PRF(const uint8_t *label,
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
for (i = 0; i<olen; i++)
+ {
out1[i] ^= out2[i];
+ }
secure_memzero(out2, olen);
@@ -1855,7 +1870,8 @@ exit:
}
static void
-key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) {
+key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
+{
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
/* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
@@ -1954,6 +1970,12 @@ tls_session_update_crypto_params(struct tls_session *session,
return false;
}
+ if (strcmp(options->ciphername, session->opt->config_ciphername))
+ {
+ msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
+ options->ciphername);
+ }
+
init_key_type(&session->opt->key_type, options->ciphername,
options->authname, options->keysize, true, true);
@@ -2371,7 +2393,21 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
{
goto error;
}
- purge_user_pass(&auth_user_pass, false);
+ /* if auth-nocache was specified, the auth_user_pass object reaches
+ * a "complete" state only after having received the push-reply
+ * message.
+ * This is the case because auth-token statement in a push-reply would
+ * invert its nocache.
+ *
+ * For this reason, skip the purge operation here if no push-reply
+ * message has been received yet.
+ *
+ * This normally happens upon first negotiation only.
+ */
+ if (!auth_user_pass.wait_for_push)
+ {
+ purge_user_pass(&auth_user_pass, false);
+ }
}
else
{
@@ -2487,7 +2523,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
struct gc_arena gc = gc_new();
char *options;
- struct user_pass *up;
+ struct user_pass *up = NULL;
/* allocate temporary objects */
ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
@@ -2649,6 +2685,10 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
error:
secure_memzero(ks->key_src, sizeof(*ks->key_src));
+ if (up)
+ {
+ secure_memzero(up, sizeof(*up));
+ }
buf_clear(buf);
gc_free(&gc);
return false;
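Review bot: The new `secure_memzero(up, ...)` covers only the error path; whether the success path wipes `up` after the credentials have been verified is outside this hunk. If `up` is allocated from `gc` the way `options` is (ALLOC_ARRAY_CLEAR_GC in the previous hunk), the `gc_free(&gc)` at the end of the function presumably releases it without scrubbing, so the success path needs the same wipe. A short comment at the error label, `/* up may hold the peer's cleartext credentials */`, would explain why the wipe is here. key_method_2_read() starts outside this hunk.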
@@ -2810,6 +2850,9 @@ tls_process(struct tls_multi *multi,
session->opt->crl_file, session->opt->crl_file_inline);
}
+ /* New connection, remove any old X509 env variables */
+ tls_x509_clear_env(session->opt->es);
+
dmsg(D_TLS_DEBUG_MED, "STATE S_START");
}
@@ -3708,7 +3751,12 @@ tls_pre_decrypt(struct tls_multi *multi,
/* Save incoming ciphertext packet to reliable buffer */
struct buffer *in = reliable_get_buf(ks->rec_reliable);
ASSERT(in);
- ASSERT(buf_copy(in, buf));
+ if(!buf_copy(in, buf))
+ {
+ msg(D_MULTI_DROPPED,
+ "Incoming control channel packet too big, dropping.");
+ goto error;
+ }
reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
}
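Review bot: Style: `if(!buf_copy(in, buf))` is missing the space after `if` that the rest of this reformatting commit establishes everywhere else (`if (`); the same slip is in `if(multi)` in wipe_auth_token() in ssl_verify.c. Turning the ASSERT into a drop is the right call for a peer-controlled length, and the log line would be more useful for triage if it carried that length, e.g. `"Incoming control channel packet too big (%d bytes), dropping.", buf->len`. tls_pre_decrypt() starts and ends outside this hunk.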
@@ -4058,7 +4106,8 @@ tls_peer_info_ncp_ver(const char *peer_info)
}
bool
-tls_check_ncp_cipher_list(const char *list) {
+tls_check_ncp_cipher_list(const char *list)
+{
bool unsupported_cipher_found = false;
ASSERT(list);
@@ -4201,8 +4250,16 @@ done:
return BSTR(&out);
}
+void
+delayed_auth_pass_purge(void)
+{
+ auth_user_pass.wait_for_push = false;
+ purge_user_pass(&auth_user_pass, false);
+}
+
#else /* if defined(ENABLE_CRYPTO) */
static void
-dummy(void) {
+dummy(void)
+{
}
#endif /* ENABLE_CRYPTO */
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index ed1344e..56ea601 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -591,6 +590,16 @@ void show_tls_performance_stats(void);
/*#define EXTRACT_X509_FIELD_TEST*/
void extract_x509_field_test(void);
+/**
+ * Given a key_method, return true if opcode represents the required form of
+ * hard_reset.
+ *
+ * If key_method == 0, return true if any form of hard reset is used.
+ */
+bool is_hard_reset(int op, int key_method);
+
+void delayed_auth_pass_purge(void);
+
#endif /* ENABLE_CRYPTO */
#endif /* ifndef OPENVPN_SSL_H */
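Review bot: `delayed_auth_pass_purge()` is declared without any documentation, while `is_hard_reset()` directly above it gets a proper block. Suggest `/** Purge the cached --auth-user-pass credentials that key_method_2_write() left in place because a push-reply was still pending; clears wait_for_push first. */`, which matches the definition in ssl.c in this diff.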
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 206400f..a738f0f 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 9a16d77..25bffd5 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -271,6 +270,7 @@ struct tls_options
unsigned remote_cert_ku[MAX_PARMS];
const char *remote_cert_eku;
uint8_t *verify_hash;
+ hash_algo_type verify_hash_algo;
char *x509_username_field;
/* allow openvpn config info to be
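Review bot: The new `verify_hash_algo` field has no comment, unlike its neighbours' intent being clear from their names. Suggest `hash_algo_type verify_hash_algo; /**< digest the --verify-hash fingerprint in verify_hash was given in (MD_SHA1 or MD_SHA256) */`, which is what verify_cert() in ssl_verify.c switches on in this diff.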
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 5c84e30..ef583e6 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -18,10 +18,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -185,7 +184,8 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
}
static const char *
-tls_translate_cipher_name(const char *cipher_name) {
+tls_translate_cipher_name(const char *cipher_name)
+{
const tls_cipher_name_pair *pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
if (NULL == pair)
@@ -222,10 +222,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
/* Get number of ciphers */
for (i = 0, cipher_count = 1; i < ciphers_len; i++)
+ {
if (ciphers[i] == ':')
{
cipher_count++;
}
+ }
/* Allocate an array for them */
ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1)
@@ -833,7 +835,8 @@ tls_version_max(void)
* Must be a valid pointer.
*/
static void
-tls_version_to_major_minor(int tls_ver, int *major, int *minor) {
+tls_version_to_major_minor(int tls_ver, int *major, int *minor)
+{
ASSERT(major);
ASSERT(minor);
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index 1bc53ce..f69b610 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -74,7 +73,7 @@ struct tls_root_ctx {
mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */
mbedtls_pk_context *priv_key; /**< Local private key */
mbedtls_x509_crl *crl; /**< Certificate Revocation List */
- struct timespec crl_last_mtime; /**< CRL last modification time */
+ time_t crl_last_mtime; /**< CRL last modification time */
off_t crl_last_size; /**< size of last loaded CRL */
#if defined(ENABLE_PKCS11)
mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index eae1e22..e589dcd 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -45,6 +44,7 @@
#include "ssl_backend.h"
#include "ssl_common.h"
#include "base64.h"
+#include "openssl_compat.h"
#ifdef ENABLE_CRYPTOAPI
#include "cryptoapi.h"
@@ -321,7 +321,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
/* Translate IANA cipher suite names to OpenSSL names */
begin_of_cipher = end_of_cipher = 0;
- for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
+ for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
+ {
end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
@@ -353,7 +354,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
}
/* Make sure new cipher name fits in cipher string */
- if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)
+ if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
+ || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len))
{
msg(M_FATAL,
"Failed to set restricted TLS cipher list, too long (>%d).",
@@ -507,10 +509,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
const EC_GROUP *ecgrp = NULL;
EVP_PKEY *pkey = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ pkey = SSL_CTX_get0_privatekey(ctx->ctx);
+#else
/* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
- SSL ssl;
- ssl.cert = ctx->ctx->cert;
- pkey = SSL_get_privatekey(&ssl);
+ SSL *ssl = SSL_new(ctx->ctx);
+ if (!ssl)
+ {
+ crypto_msg(M_FATAL, "SSL_new failed");
+ }
+ pkey = SSL_get_privatekey(ssl);
+ SSL_free(ssl);
+#endif
msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
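Review bot: In the `#else` path `pkey` is read from the temporary `SSL` and then `SSL_free(ssl)` is called before `pkey` is used further down; that is only safe because the `SSL_CTX` keeps its own reference to the same EVP_PKEY, and nothing in the code says so. Add `/* pkey is owned by ctx->ctx, which outlives the temporary SSL, so it stays valid after SSL_free() */` above the `SSL_free`, and confirm that reasoning holds for the OpenSSL versions this branch targets. The `crypto_msg(M_FATAL, ...)` on failure presumably does not return, otherwise `SSL_get_privatekey(NULL)` follows; a comment or an explicit `return` after it would make that visible. tls_ctx_load_ecdh_params() continues outside this hunk.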
@@ -649,7 +659,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
{
for (i = 0; i < sk_X509_num(ca); i++)
{
- if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
+ X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
+ if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i)))
{
crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
}
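Review bot: Style: `SSL_CTX_get_cert_store(ctx->ctx)` is now called on every iteration of the surrounding `for` over the CA stack even though its result cannot change; hoist `X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);` above the loop. The enclosing loop and tls_ctx_load_pkcs12() start outside this hunk.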
@@ -751,8 +762,9 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx,
goto end;
}
- x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback,
- ctx->ctx->default_passwd_callback_userdata);
+ x = PEM_read_bio_X509(in, NULL,
+ SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
if (x == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
@@ -834,8 +846,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
}
pkey = PEM_read_bio_PrivateKey(in, NULL,
- ssl_ctx->default_passwd_callback,
- ssl_ctx->default_passwd_callback_userdata);
+ SSL_CTX_get_default_passwd_cb(ctx->ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
if (!pkey)
{
goto end;
@@ -888,15 +900,15 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
/* Always start with a cleared CRL list, for that we
* we need to manually find the CRL object from the stack
* and remove it */
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
{
- sk_X509_OBJECT_delete(store->objs, i);
- X509_OBJECT_free_contents(obj);
- OPENSSL_free(obj);
+ sk_X509_OBJECT_delete(objs, i);
+ X509_OBJECT_free(obj);
}
}
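Review bot: Deleting from `objs` by index inside a forward loop skips the element that shifts into slot `i` after `sk_X509_OBJECT_delete(objs, i)`, because the loop then does `i++`; with more than one CRL object in the store the second one survives the "always start with a cleared CRL list" pass. The pattern predates this commit, but the rewrite is the moment to fix it: add `i--;` after `X509_OBJECT_free(obj);`, or iterate from `sk_X509_OBJECT_num(objs) - 1` down to 0. backend_tls_ctx_reload_crl() starts and ends outside this hunk.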
@@ -964,10 +976,13 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
/* called at RSA_free */
static int
-rsa_finish(RSA *rsa)
+openvpn_extkey_rsa_finish(RSA *rsa)
{
- free((void *)rsa->meth);
- rsa->meth = NULL;
+ /* meth was allocated in tls_ctx_use_external_private_key() ; since
+ * this function is called when the parent RSA object is destroyed,
+ * it is no longer used after this point so kill it. */
+ const RSA_METHOD *meth = RSA_get_method(rsa);
+ RSA_meth_free((RSA_METHOD *)meth);
return 1;
}
@@ -983,7 +998,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
if (padding != RSA_PKCS1_PADDING)
{
- RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto done;
}
@@ -1041,16 +1056,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
ASSERT(NULL != cert);
/* allocate custom RSA method object */
- ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
- rsa_meth->name = "OpenVPN external private key RSA Method";
- rsa_meth->rsa_pub_enc = rsa_pub_enc;
- rsa_meth->rsa_pub_dec = rsa_pub_dec;
- rsa_meth->rsa_priv_enc = rsa_priv_enc;
- rsa_meth->rsa_priv_dec = rsa_priv_dec;
- rsa_meth->init = NULL;
- rsa_meth->finish = rsa_finish;
- rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
- rsa_meth->app_data = NULL;
+ rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
+ RSA_METHOD_FLAG_NO_CHECK);
+ check_malloc_return(rsa_meth);
+ RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
+ RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
+ RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
+ RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
+ RSA_meth_set_init(rsa_meth, NULL);
+ RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
+ RSA_meth_set0_app_data(rsa_meth, NULL);
/* allocate RSA object */
rsa = RSA_new();
@@ -1061,12 +1076,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
}
/* get the public key */
- ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */
- pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
+ pub_rsa = EVP_PKEY_get0_RSA(pkey);
/* initialize RSA object */
- rsa->n = BN_dup(pub_rsa->n);
- rsa->flags |= RSA_FLAG_EXT_PKEY;
+ const BIGNUM *n = NULL;
+ const BIGNUM *e = NULL;
+ RSA_get0_key(pub_rsa, &n, &e, NULL);
+ RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
+ RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
if (!RSA_set_method(rsa, rsa_meth))
{
goto err;
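Review bot: `pub_rsa` is passed to `RSA_get0_key()` without a NULL check, and `EVP_PKEY_get0_RSA()` returns NULL when the certificate's key is not RSA, so a non-RSA certificate combined with an external key would dereference NULL here; the return value of `RSA_set0_key()` is also ignored, and if it fails the two `BN_dup()` results leak. The old code had the same assumption via `pkey.rsa`, but the new accessor API makes the check cheap. tls_ctx_use_external_private_key() starts and ends outside this hunk.
```c
    pub_rsa = EVP_PKEY_get0_RSA(pkey);
    if (!pub_rsa)
    {
        crypto_msg(M_WARN, "certificate public key is not RSA");
        goto err;
    }

    /* initialize RSA object */
    const BIGNUM *n = NULL;
    const BIGNUM *e = NULL;
    RSA_get0_key(pub_rsa, &n, &e, NULL);
    BIGNUM *n_dup = BN_dup(n);
    BIGNUM *e_dup = BN_dup(e);
    if (!n_dup || !e_dup || !RSA_set0_key(rsa, n_dup, e_dup, NULL))
    {
        /* RSA_set0_key() only takes ownership on success */
        BN_free(n_dup);
        BN_free(e_dup);
        goto err;
    }
    /* … unchanged: RSA_set_flags / RSA_set_method … */
```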
@@ -1667,17 +1686,17 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
EVP_PKEY *pkey = X509_get_pubkey(cert);
if (pkey != NULL)
{
- if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
- && pkey->pkey.rsa->n != NULL)
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL)
{
+ RSA *rsa = EVP_PKEY_get0_RSA(pkey);
openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
- BN_num_bits(pkey->pkey.rsa->n));
+ RSA_bits(rsa));
}
- else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
- && pkey->pkey.dsa->p != NULL)
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
{
+ DSA *dsa = EVP_PKEY_get0_DSA(pkey);
openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
- BN_num_bits(pkey->pkey.dsa->p));
+ DSA_bits(dsa));
}
EVP_PKEY_free(pkey);
}
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index c64c65f..db4e1da 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -49,7 +48,7 @@
*/
struct tls_root_ctx {
SSL_CTX *ctx;
- struct timespec crl_last_mtime;
+ time_t crl_last_mtime;
off_t crl_last_size;
};
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 334eb29..9cd36d7 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -80,6 +79,28 @@ setenv_untrusted(struct tls_session *session)
setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
}
+
+/**
+ * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
+ *
+ * @param multi Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+ if(multi)
+ {
+ if (multi->auth_token)
+ {
+ secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
+ free(multi->auth_token);
+ }
+ multi->auth_token = NULL;
+ multi->auth_token_sent = false;
+ }
+}
+
+
/*
* Remove authenticated state from all sessions in the given tunnel
*/
@@ -88,10 +109,14 @@ tls_deauthenticate(struct tls_multi *multi)
{
if (multi)
{
- int i, j;
- for (i = 0; i < TM_SIZE; ++i)
- for (j = 0; j < KS_SIZE; ++j)
+ wipe_auth_token(multi);
+ for (int i = 0; i < TM_SIZE; ++i)
+ {
+ for (int j = 0; j < KS_SIZE; ++j)
+ {
multi->session[i].key[j].authenticated = false;
+ }
+ }
}
}
@@ -248,7 +273,9 @@ cert_hash_free(struct cert_hash_set *chs)
{
int i;
for (i = 0; i < MAX_CERT_DEPTH; ++i)
+ {
free(chs->ch[i]);
+ }
free(chs);
}
}
@@ -690,8 +717,31 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
/* verify level 1 cert, i.e. the CA that signed our leaf cert */
if (cert_depth == 1 && opt->verify_hash)
{
- struct buffer sha1_hash = x509_get_sha1_fingerprint(cert, &gc);
- if (memcmp(BPTR(&sha1_hash), opt->verify_hash, BLEN(&sha1_hash)))
+ struct buffer ca_hash = {0};
+
+ switch (opt->verify_hash_algo)
+ {
+ case MD_SHA1:
+ ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+ break;
+
+ case MD_SHA256:
+ ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+ break;
+
+ default:
+ /* This should normally not happen at all; the algorithm used
+ * is parsed by add_option() [options.c] and set to a predefined
+ * value in an enumerated type. So if this unlikely scenario
+ * happens, consider this a failure
+ */
+ msg(M_WARN, "Unexpected invalid algorithm used with "
+ "--verify-hash (%i)", opt->verify_hash_algo);
+ ret = FAILURE;
+ goto cleanup;
+ }
+
+ if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash)))
{
msg(D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
goto cleanup;
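Review bot: The `default:` branch sets `ret = FAILURE` before `goto cleanup`, while the hash-mismatch branch a few lines below only jumps; one of the two is relying on the initial value of `ret`, which is outside this hunk. If `ret` starts as FAILURE the assignment is redundant, if it does not the mismatch branch would let an unpinned CA through, so make both explicit with `ret = FAILURE; goto cleanup;`. The `memcmp` also assumes `opt->verify_hash` holds at least `BLEN(&ca_hash)` bytes for the selected digest, which presumably the parser in options.c guarantees; a comment saying so would help. verify_cert() starts and ends outside this hunk.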
@@ -1213,21 +1263,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass
}
#endif /* ifdef MANAGEMENT_DEF_AUTH */
-/**
- * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
- *
- * @param multi Pointer to a multi object holding the auth_token variables
- */
-static void
-wipe_auth_token(struct tls_multi *multi)
-{
- secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
- free(multi->auth_token);
- multi->auth_token = NULL;
- multi->auth_token_sent = false;
-}
-
-
/*
* Main username/password verification entry point
*/
@@ -1279,7 +1314,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
/* Ensure that the username has not changed */
if (!tls_lock_username(multi, up->username))
{
- wipe_auth_token(multi);
+ /* auth-token cleared in tls_lock_username() on failure */
ks->authenticated = false;
goto done;
}
@@ -1300,7 +1335,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
if (memcmp_constant_time(multi->auth_token, up->password,
strlen(multi->auth_token)) != 0)
{
- wipe_auth_token(multi);
ks->authenticated = false;
tls_deauthenticate(multi);
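Review bot: The token comparison kept as context compares only strlen(multi->auth_token) bytes, so a supplied password that merely starts with the token and is longer also passes; unless up->password is bounded elsewhere, check the length first: `if (strlen(up->password) != strlen(multi->auth_token) || memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0)`. Dropping the explicit wipe on this path is correct only because tls_deauthenticate() now calls wipe_auth_token() itself, which this diff does add; a short `/* token wiped by tls_deauthenticate() */` would stop the next reader from re-adding it. The surrounding function starts and ends outside this hunk.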
@@ -1472,6 +1506,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
{
ks->authenticated = false;
+ wipe_auth_token(multi);
msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
session->common_name,
path ? path : "UNDEF");
@@ -1480,4 +1515,21 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
gc_free(&gc);
}
}
+
+void
+tls_x509_clear_env(struct env_set *es)
+{
+ struct env_item *item = es->list;
+ while (item)
+ {
+ struct env_item *next = item->next;
+ if (item->string
+ && 0 == strncmp("X509_", item->string, strlen("X509_")))
+ {
+ env_set_del(es, item->string);
+ }
+ item = next;
+ }
+}
+
#endif /* ENABLE_CRYPTO */
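Review bot: tls_x509_clear_env() has no comment in the .c file, and its one non-obvious line, saving item->next before env_set_del(), is exactly the one a maintainer might "simplify" away; add `/* env_set_del() presumably unlinks and frees item, so fetch next first */` above it (confirm against env_set_del's implementation, which is not in this diff). A one-line header such as `/** Drop every X509_* variable from es, presumably so stale certificate data from an earlier verification is not visible to later scripts. */` would explain why the function exists. It also dereferences es->list without a NULL check; if any caller can pass a NULL env_set, guard with `if (!es) { return; }`.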
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index ffab218..f2d0d6c 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -218,6 +217,9 @@ struct x509_track
/** Do not perform Netscape certificate type verification */
#define NS_CERT_CHECK_CLIENT (1<<1)
+/** Require keyUsage to be present in cert (0xFFFF is an invalid KU value) */
+#define OPENVPN_KU_REQUIRED (0xFFFF)
+
/*
* TODO: document
*/
@@ -238,6 +240,9 @@ tls_client_reason(struct tls_multi *multi)
#endif
}
+/** Remove any X509_ env variables from env_set es */
+void tls_x509_clear_env(struct env_set *es);
+
#endif /* ENABLE_CRYPTO */
#endif /* SSL_VERIFY_H_ */
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index c4330ba..e8eaabe 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -125,6 +124,14 @@ struct buffer x509_get_sha256_fingerprint(openvpn_x509_cert_t *cert,
result_t backend_x509_get_username(char *common_name, int cn_len,
char *x509_username_field, openvpn_x509_cert_t *peer_cert);
+#ifdef ENABLE_X509ALTUSERNAME
+/**
+ * Return true iff the supplied extension field is supported by the
+ * --x509-username-field option.
+ */
+bool x509_username_field_ext_supported(const char *extname);
+#endif
+
/*
* Return the certificate's serial number in decimal string representation.
*
@@ -211,7 +218,7 @@ void x509_setenv_track(const struct x509_track *xt, struct env_set *es,
* the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
/*
* Verify X.509 key usage extension field.
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index f01569f..838c217 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -209,7 +208,7 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert,
{
const size_t md_size = mbedtls_md_get_size(md_info);
struct buffer fingerprint = alloc_buf_gc(md_size, gc);
- mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR(&fingerprint));
+ mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint));
ASSERT(buf_inc_len(&fingerprint, md_size));
return fingerprint;
}
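Review bot: mbedtls_md() returns an int that is discarded here, so on failure the fresh fingerprint buffer holds whatever alloc_buf_gc() left in it while the caller still compares it against --verify-hash or records it as the peer's certificate hash; since this file already wraps side-effecting calls in ASSERT(), `ASSERT(0 == mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint)));` is the minimal fix. Hashing cert->raw.len instead of cert->tbs.len is the right correction, as the fingerprint must cover the whole DER certificate to match what the OpenSSL backend computes with X509_digest(). x509_get_fingerprint starts outside this hunk.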
@@ -268,11 +267,21 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc)
size_t i;
char *val;
+ if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING
+ || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING
+ || orig->tag == MBEDTLS_ASN1_IA5_STRING))
+ {
+ /* Only support C-string compatible types */
+ return string_alloc("ERROR: unsupported ASN.1 string type", gc);
+ }
+
for (i = 0; i < orig->len; ++i)
+ {
if (orig->p[i] == '\0')
{
- return "ERROR: embedded null value";
+ return string_alloc("ERROR: embedded null value", gc);
}
+ }
val = gc_malloc(orig->len+1, false, gc);
memcpy(val, orig->p, orig->len);
val[orig->len] = '\0';
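Review bot: Both failure paths now return an allocated error string through the same channel as a real attribute value, so a caller cannot distinguish a malformed attribute from a certificate whose attribute literally reads "ERROR: embedded null value", and that text may then be exported to the environment or, depending on the caller, used as a username. Returning NULL for the error cases and letting callers log and skip the attribute would be cleaner; if the sentinel is deliberate, document it on the function, e.g. `/* Returns an "ERROR: ..." string (never NULL) when the value cannot be represented as a C string; callers must treat that as a failure, not as data. */`. The tag whitelist itself is a good addition, since BMP/UTF-16 or T61 values would otherwise be copied as raw bytes. asn1_buf_to_c_string starts outside this hunk.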
@@ -409,7 +418,7 @@ x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert)
}
result_t
-x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage)
+x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
{
@@ -435,32 +444,42 @@ result_t
x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku,
int expected_len)
{
- result_t fFound = FAILURE;
+ msg(D_HANDSHAKE, "Validating certificate key usage");
if (!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE))
{
- msg(D_HANDSHAKE, "Certificate does not have key usage extension");
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate does not have key usage extension");
+ return FAILURE;
}
- else
+
+ if (expected_ku[0] == OPENVPN_KU_REQUIRED)
{
- int i;
- unsigned nku = cert->key_usage;
+ /* Extension required, value checked by TLS library */
+ return SUCCESS;
+ }
- msg(D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; SUCCESS != fFound && i<expected_len; i++)
+ result_t fFound = FAILURE;
+ for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++)
+ {
+ if (expected_ku[i] != 0
+ && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i]))
{
- if (expected_ku[i] != 0)
- {
- msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
- "%04x", nku, expected_ku[i]);
+ fFound = SUCCESS;
+ }
+ }
- if (nku == expected_ku[i])
- {
- fFound = SUCCESS;
- }
- }
+ if (fFound != SUCCESS)
+ {
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate has key usage %04x, expected one of:",
+ cert->key_usage);
+ for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
+ {
+ msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
}
}
+
return fFound;
}
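Review bot: expected_ku[0] is read before the loop without checking that expected_len is positive, and both new loops compare a size_t index against an int expected_len, which warns under -Wsign-compare and misbehaves for a negative length; `if (expected_len <= 0) { return FAILURE; }` ahead of the sentinel test and `for (int i = 0; ...)` in both loops would settle it (the callers are not in this diff, so a zero length may be unreachable in practice). Switching to mbedtls_x509_crt_check_key_usage() changes the semantics from exact equality to "every requested bit present", matching the OpenSSL backend; that should be stated on the function, `/* Passes if the cert's keyUsage contains all bits of at least one expected_ku[i] */`.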
diff --git a/src/openvpn/ssl_verify_mbedtls.h b/src/openvpn/ssl_verify_mbedtls.h
index 3c71073..8b0a5ae 100644
--- a/src/openvpn/ssl_verify_mbedtls.h
+++ b/src/openvpn/ssl_verify_mbedtls.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index e9692a0..468b495 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
@@ -43,6 +42,7 @@
#include "ssl_openssl.h"
#include "ssl_verify.h"
#include "ssl_verify_backend.h"
+#include "openssl_compat.h"
#include <openssl/x509v3.h>
#include <openssl/err.h>
@@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index);
ASSERT(session);
- struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc);
- cert_hash_remember(session, ctx->error_depth, &cert_hash);
+ X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+ struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc);
+ cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
{
/* get the X509 name */
- char *subject = x509_get_subject(ctx->current_cert, &gc);
+ char *subject = x509_get_subject(current_cert, &gc);
if (!subject)
{
@@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
}
/* Log and ignore missing CRL errors */
- if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
{
msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s",
- ctx->error_depth,
- X509_verify_cert_error_string(ctx->error),
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
subject);
ret = 1;
goto cleanup;
@@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
/* Remote site specified a certificate, but it's not correct */
msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
- ctx->error_depth,
- X509_verify_cert_error_string(ctx->error),
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
subject);
ERR_clear_error();
@@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
goto cleanup;
}
- if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth))
+ if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx)))
{
goto cleanup;
}
@@ -112,16 +113,29 @@ cleanup:
}
#ifdef ENABLE_X509ALTUSERNAME
+bool x509_username_field_ext_supported(const char *fieldname)
+{
+ int nid = OBJ_txt2nid(fieldname);
+ return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
+}
+
static
bool
extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
{
bool retval = false;
char *buf = 0;
- GENERAL_NAMES *extensions;
- int nid = OBJ_txt2nid(fieldname);
- extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+ if (!x509_username_field_ext_supported(fieldname))
+ {
+ msg(D_TLS_ERRORS,
+ "ERROR: --x509-alt-username field 'ext:%s' not supported",
+ fieldname);
+ return false;
+ }
+
+ int nid = OBJ_txt2nid(fieldname);
+ GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL);
if (extensions)
{
int numalts;
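Review bot: The new whitelist guards against type confusion and deserves a why-comment, because the reason is not visible at the call site: X509_get_ext_d2i() returns a differently-typed structure for any extension other than subjectAltName/issuerAltName, and the result is unconditionally treated as GENERAL_NAMES below. Suggested comment above the check: `/* Only SAN and IAN decode to GENERAL_NAMES; for any other NID the d2i result is a different structure and treating it as a GENERAL_NAMES stack would be undefined behaviour. */`. x509_username_field_ext_supported() also yields false for NID_undef, which OBJ_txt2nid() returns for unknown names, so unknown field names are rejected by the same check. extract_x509_extension continues beyond this hunk.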
@@ -142,7 +156,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
switch (name->type)
{
case GEN_EMAIL:
- ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
+ {
+ continue;
+ }
if (strlen(buf) != name->d.ia5->length)
{
msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
@@ -162,7 +179,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
break;
}
}
- sk_GENERAL_NAME_free(extensions);
+ GENERAL_NAMES_free(extensions);
}
return retval;
}
@@ -189,15 +206,24 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
X509_NAME_ENTRY *x509ne = 0;
ASN1_STRING *asn1 = 0;
unsigned char *buf = NULL;
- int nid = OBJ_txt2nid(field_name);
+ ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
+
+ if (field_name_obj == NULL)
+ {
+ msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name);
+ return FAILURE;
+ }
ASSERT(size > 0);
*out = '\0';
- do {
+ do
+ {
lastpos = tmp;
- tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
+ tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos);
} while (tmp > -1);
+ ASN1_OBJECT_free(field_name_obj);
+
/* Nothing found */
if (lastpos == -1)
{
@@ -215,8 +241,7 @@ extract_x509_field_ssl(X509_NAME *x509, const char *field_name, char *out,
{
return FAILURE;
}
- tmp = ASN1_STRING_to_UTF8(&buf, asn1);
- if (tmp <= 0)
+ if (ASN1_STRING_to_UTF8(&buf, asn1) < 0)
{
return FAILURE;
}
@@ -283,18 +308,20 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
struct buffer
x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc)
{
- struct buffer hash = alloc_buf_gc(sizeof(cert->sha1_hash), gc);
- memcpy(BPTR(&hash), cert->sha1_hash, sizeof(cert->sha1_hash));
- ASSERT(buf_inc_len(&hash, sizeof(cert->sha1_hash)));
+ const EVP_MD *sha1 = EVP_sha1();
+ struct buffer hash = alloc_buf_gc(EVP_MD_size(sha1), gc);
+ X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL);
+ ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1)));
return hash;
}
struct buffer
x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc)
{
- struct buffer hash = alloc_buf_gc((EVP_sha256())->md_size, gc);
+ const EVP_MD *sha256 = EVP_sha256();
+ struct buffer hash = alloc_buf_gc(EVP_MD_size(sha256), gc);
X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL);
- ASSERT(buf_inc_len(&hash, (EVP_sha256())->md_size));
+ ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256)));
return hash;
}
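Review bot: X509_digest() returns 0 on failure and both fingerprint functions ignore it, so the caller would compare or store whatever alloc_buf_gc() left in the buffer; this file already asserts on side-effecting calls, so `ASSERT(1 == X509_digest(cert, sha1, BPTR(&hash), NULL));` and its SHA-256 twin are enough. In x509_get_sha1_fingerprint the digest call also passes EVP_sha1() again instead of the sha1 variable introduced for the size lookup; use the variable in both places so the allocated size and the digest cannot drift apart.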
@@ -304,7 +331,6 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
BIO *subject_bio = NULL;
BUF_MEM *subject_mem;
char *subject = NULL;
- int maxlen = 0;
/*
* Generate the subject string in OpenSSL proprietary format,
@@ -335,11 +361,10 @@ x509_get_subject(X509 *cert, struct gc_arena *gc)
BIO_get_mem_ptr(subject_bio, &subject_mem);
- maxlen = subject_mem->length + 1;
- subject = gc_malloc(maxlen, false, gc);
+ subject = gc_malloc(subject_mem->length + 1, false, gc);
- memcpy(subject, subject_mem->data, maxlen);
- subject[maxlen - 1] = '\0';
+ memcpy(subject, subject_mem->data, subject_mem->length);
+ subject[subject_mem->length] = '\0';
err:
if (subject_bio)
@@ -457,7 +482,7 @@ x509_setenv_track(const struct x509_track *xt, struct env_set *es, const int dep
ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
unsigned char *buf;
buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8(&buf, val) > 0)
+ if (ASN1_STRING_to_UTF8(&buf, val) >= 0)
{
do_setenv_x509(es, xt->name, (char *)buf, depth);
OPENSSL_free(buf);
@@ -545,7 +570,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
continue;
}
buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- if (ASN1_STRING_to_UTF8(&buf, val) <= 0)
+ if (ASN1_STRING_to_UTF8(&buf, val) < 0)
{
continue;
}
@@ -563,7 +588,7 @@ x509_setenv(struct env_set *es, int cert_depth, openvpn_x509_cert_t *peer_cert)
}
result_t
-x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
+x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
{
@@ -571,13 +596,59 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
}
if (usage == NS_CERT_CHECK_CLIENT)
{
- return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+ /*
+ * Unfortunately, X509_check_purpose() does some weird thing that
+ * prevent it to take a const argument
+ */
+ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
+ SUCCESS : FAILURE;
+
+ /*
+ * old versions of OpenSSL allow us to make the less strict check we used to
+ * do. If this less strict check pass, warn user that this might not be the
+ * case when its distribution will update to OpenSSL 1.1
+ */
+ if (result == FAILURE)
+ {
+ ASN1_BIT_STRING *ns;
+ ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+ if (result == SUCCESS)
+ {
+ msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
+ "cannot be verified (check may fail in the future)");
+ }
+ ASN1_BIT_STRING_free(ns);
+ }
+ return result;
}
if (usage == NS_CERT_CHECK_SERVER)
{
- return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+ /*
+ * Unfortunately, X509_check_purpose() does some weird thing that
+ * prevent it to take a const argument
+ */
+ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
+ SUCCESS : FAILURE;
+
+ /*
+ * old versions of OpenSSL allow us to make the less strict check we used to
+ * do. If this less strict check pass, warn user that this might not be the
+ * case when its distribution will update to OpenSSL 1.1
+ */
+ if (result == FAILURE)
+ {
+ ASN1_BIT_STRING *ns;
+ ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+ if (result == SUCCESS)
+ {
+ msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
+ "cannot be verified (check may fail in the future)");
+ }
+ ASN1_BIT_STRING_free(ns);
+ }
+ return result;
}
return FAILURE;
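Review bot: The client and server branches are now two near-identical 25-line copies differing only in the purpose id, the nsCertType bit and one word of the warning, and both warning strings carry the typo "it's purpose" (should be "its"); a small static helper removes the duplication and fixes the wording once. The fallback that reads the raw nsCertType bit string when X509_check_purpose() fails preserves what the old ex_nscert check accepted, and the M_WARN correctly tells operators that the lenient path is going away. x509_verify_ns_cert_type starts outside this hunk.
```c
/* Check one SSL purpose, falling back to the raw nsCertType bit the old code used. */
static result_t
x509_check_ns_purpose(openvpn_x509_cert_t *peer_cert, int purpose, int ns_bit,
                      const char *kind)
{
    /* X509_check_purpose() does not accept a const X509 */
    result_t result = X509_check_purpose(peer_cert, purpose, 0) ? SUCCESS : FAILURE;
    if (result == FAILURE)
    {
        ASN1_BIT_STRING *ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
        result = (ns && ns->length > 0 && (ns->data[0] & ns_bit)) ? SUCCESS : FAILURE;
        if (result == SUCCESS)
        {
            msg(M_WARN, "X509: Certificate is a %s certificate yet its purpose "
                "cannot be verified (check may fail in the future)", kind);
        }
        ASN1_BIT_STRING_free(ns);
    }
    return result;
}

result_t
x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
    /* … unchanged: NS_CERT_CHECK_NONE early return … */
    if (usage == NS_CERT_CHECK_CLIENT)
    {
        return x509_check_ns_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, NS_SSL_CLIENT, "client");
    }
    if (usage == NS_CERT_CHECK_SERVER)
    {
        return x509_check_ns_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, NS_SSL_SERVER, "server");
    }
    /* … unchanged: final return FAILURE … */
```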
@@ -587,55 +658,60 @@ result_t
x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku,
int expected_len)
{
- ASN1_BIT_STRING *ku = NULL;
- result_t fFound = FAILURE;
+ ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
- if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i(x509, NID_key_usage, NULL,
- NULL)) == NULL)
+ if (ku == NULL)
{
- msg(D_HANDSHAKE, "Certificate does not have key usage extension");
+ msg(D_TLS_ERRORS, "Certificate does not have key usage extension");
+ return FAILURE;
}
- else
+
+ if (expected_ku[0] == OPENVPN_KU_REQUIRED)
{
- unsigned nku = 0;
- int i;
- for (i = 0; i < 8; i++)
- {
- if (ASN1_BIT_STRING_get_bit(ku, i))
- {
- nku |= 1 << (7 - i);
- }
- }
+ /* Extension required, value checked by TLS library */
+ ASN1_BIT_STRING_free(ku);
+ return SUCCESS;
+ }
- /*
- * Fixup if no LSB bits
- */
- if ((nku & 0xff) == 0)
+ unsigned nku = 0;
+ for (size_t i = 0; i < 8; i++)
+ {
+ if (ASN1_BIT_STRING_get_bit(ku, i))
{
- nku >>= 8;
+ nku |= 1 << (7 - i);
}
+ }
- msg(D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; fFound != SUCCESS && i < expected_len; i++)
- {
- if (expected_ku[i] != 0)
- {
- msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
- "%04x", nku, expected_ku[i]);
+ /*
+ * Fixup if no LSB bits
+ */
+ if ((nku & 0xff) == 0)
+ {
+ nku >>= 8;
+ }
- if (nku == expected_ku[i])
- {
- fFound = SUCCESS;
- }
- }
+ msg(D_HANDSHAKE, "Validating certificate key usage");
+ result_t fFound = FAILURE;
+ for (size_t i = 0; fFound != SUCCESS && i < expected_len; i++)
+ {
+ if (expected_ku[i] != 0 && (nku & expected_ku[i]) == expected_ku[i])
+ {
+ fFound = SUCCESS;
}
}
- if (ku != NULL)
+ if (fFound != SUCCESS)
{
- ASN1_BIT_STRING_free(ku);
+ msg(D_TLS_ERRORS,
+ "ERROR: Certificate has key usage %04x, expected one of:", nku);
+ for (size_t i = 0; i < expected_len && expected_ku[i]; i++)
+ {
+ msg(D_TLS_ERRORS, " * %04x", expected_ku[i]);
+ }
}
+ ASN1_BIT_STRING_free(ku);
+
return fFound;
}
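Review bot: The "Fixup if no LSB bits" block carried into the new code is dead: nku is only ever assembled from bits 0–7 of the keyUsage bit string, so `(nku & 0xff) == 0` holds only when nku is zero and the shift changes nothing; either delete it or, if the intent was to cover decipherOnly (bit 8), extend the loop to read nine bits and build the 16-bit value the shift implies. expected_ku[0] is also read before any check that expected_len is positive, and both loops compare a size_t index with an int, so `if (expected_len <= 0) { ASN1_BIT_STRING_free(ku); return FAILURE; }` plus int indices would make the function self-contained. Replacing the equality test with `(nku & expected_ku[i]) == expected_ku[i]` is a behaviour change that merits a comment, e.g. `/* subset match: every bit requested by expected_ku[i] must be present in the cert */`.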
@@ -714,11 +790,12 @@ tls_verify_crl_missing(const struct tls_options *opt)
crypto_msg(M_FATAL, "Cannot get certificate store");
}
- for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
+ STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
+ for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
+ X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
- if (obj->type == X509_LU_CRL)
+ if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
{
return false;
}
diff --git a/src/openvpn/ssl_verify_openssl.h b/src/openvpn/ssl_verify_openssl.h
index 1db6fe6..4c8dbeb 100644
--- a/src/openvpn/ssl_verify_openssl.h
+++ b/src/openvpn/ssl_verify_openssl.h
@@ -17,10 +17,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/status.c b/src/openvpn/status.c
index e47f35c..a163408 100644
--- a/src/openvpn/status.c
+++ b/src/openvpn/status.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
diff --git a/src/openvpn/status.h b/src/openvpn/status.h
index 590ae41..8199935 100644
--- a/src/openvpn/status.h
+++ b/src/openvpn/status.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef STATUS_H
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index a1b6047..2973b5a 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef SYSHEAD_H
@@ -288,6 +287,10 @@
#include <netinet/ip.h>
#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
#ifdef HAVE_NET_IF_TUN_H
#include <net/if_tun.h>
#endif
@@ -589,9 +592,7 @@ socket_defined(const socket_descriptor_t sd)
/*
* Should we include OCC (options consistency check) code?
*/
-#ifndef ENABLE_SMALL
#define ENABLE_OCC
-#endif
/*
* Should we include NTLM proxy functionality
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c227b09..e13bb4e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,15 +43,14 @@ tls_crypt_buf_overhead(void)
void
tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
- const char *key_inline, bool tls_server) {
+ const char *key_inline, bool tls_server)
+{
const int key_direction = tls_server ?
KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt;
kt.cipher = cipher_kt_get("AES-256-CTR");
- kt.cipher_length = cipher_kt_key_size(kt.cipher);
kt.digest = md_kt_get("SHA256");
- kt.hmac_length = md_kt_size(kt.digest);
if (!kt.cipher)
{
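Review bot: kt is declared without an initialiser and only cipher, digest, cipher_length and hmac_length are assigned before it is handed to crypto_read_openvpn_key() in the next hunk; if that function reads any other key_type member (not visible here) it sees stack garbage, so `struct key_type kt = { 0 };` at the declaration costs nothing and removes the doubt. Moving the size lookups below the NULL checks is the right fix, since cipher_kt_key_size() and md_kt_size() would otherwise be invoked on a NULL descriptor when the build lacks AES-256-CTR or SHA-256. tls_crypt_init_key continues past this hunk.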
@@ -63,6 +61,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
}
+ kt.cipher_length = cipher_kt_key_size(kt.cipher);
+ kt.hmac_length = md_kt_size(kt.digest);
+
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
"Control Channel Encryption", "tls-crypt");
}
@@ -79,7 +80,8 @@ tls_crypt_adjust_frame_parameters(struct frame *frame)
bool
tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt) {
+ struct crypto_options *opt)
+{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
@@ -95,10 +97,10 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
+ if (!packet_id_write(&opt->packet_id.send, dst, true, false))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
- packet_id_write(&pin, dst, true, false);
+ msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
+ goto err;
}
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h
index 47f75d0..e8080df 100644
--- a/src/openvpn/tls_crypt.h
+++ b/src/openvpn/tls_crypt.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index f812844..75a156c 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -560,7 +559,9 @@ is_tun_p2p(const struct tuntap *tt)
{
bool tun = false;
- if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
+ if (tt->type == DEV_TYPE_TAP
+ || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
+ || tt->type == DEV_TYPE_NULL )
{
tun = false;
}
@@ -694,7 +695,8 @@ init_tun(const char *dev, /* --dev option */
* make sure they do not clash with our virtual subnet.
*/
- for (curele = local_public; curele; curele = curele->ai_next) {
+ for (curele = local_public; curele; curele = curele->ai_next)
+ {
if (curele->ai_family == AF_INET)
{
check_addr_clash("local",
@@ -705,7 +707,8 @@ init_tun(const char *dev, /* --dev option */
}
}
- for (curele = remote_public; curele; curele = curele->ai_next) {
+ for (curele = remote_public; curele; curele = curele->ai_next)
+ {
if (curele->ai_family == AF_INET)
{
check_addr_clash("remote",
@@ -1036,7 +1039,8 @@ do_ifconfig(struct tuntap *tt,
struct buffer out = alloc_buf_gc(64, &gc);
char *top;
- switch (tt->topology) {
+ switch (tt->topology)
+ {
case TOP_NET30:
top = "net30";
break;
@@ -1649,11 +1653,11 @@ write_tun_header(struct tuntap *tt, uint8_t *buf, int len)
{
u_int32_t type;
struct iovec iv[2];
- struct ip *iph;
+ struct openvpn_iphdr *iph;
- iph = (struct ip *) buf;
+ iph = (struct openvpn_iphdr *) buf;
- if (iph->ip_v == 6)
+ if (OPENVPN_IPH_GET_VER(iph->version_len) == 6)
{
type = htonl(AF_INET6);
}
@@ -1835,12 +1839,14 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
/* Prefer IPv6 DNS servers,
* Android will use the DNS server in the order we specify*/
- for (int i = 0; i < tt->options.dns6_len; i++) {
+ for (int i = 0; i < tt->options.dns6_len; i++)
+ {
management_android_control(management, "DNS6SERVER",
print_in6_addr(tt->options.dns6[i], 0, &gc));
}
- for (int i = 0; i < tt->options.dns_len; i++) {
+ for (int i = 0; i < tt->options.dns_len; i++)
+ {
management_android_control(management, "DNSSERVER",
print_in_addr_t(tt->options.dns[i], 0, &gc));
}
@@ -2254,7 +2260,9 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
{
ptr = dev;
while (*ptr && !isdigit((int) *ptr))
+ {
ptr++;
+ }
ppa = atoi(ptr);
}
@@ -3277,7 +3285,10 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
{
/* ensure that dev name is "tap+<digits>" *only* */
p = &dev[3];
- while (isdigit(*p) ) p++;
+ while (isdigit(*p) )
+ {
+ p++;
+ }
if (*p != '\0')
{
msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" );
@@ -5455,7 +5466,9 @@ write_dhcp_u32_array(struct buffer *buf, const int type, const uint32_t *data, c
buf_write_u8(buf, type);
buf_write_u8(buf, size);
for (i = 0; i < len; ++i)
+ {
buf_write_u32(buf, data[i]);
+ }
}
}
@@ -6224,10 +6237,7 @@ close_tun(struct tuntap *tt)
}
#endif
- if (tt->options.dhcp_release)
- {
- dhcp_release(tt);
- }
+ dhcp_release(tt);
if (tt->hand != NULL)
{
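Review bot: `dhcp_release(tt)` now runs on every close_tun() call, and the tun.h hunk removes the `dhcp_release` option field that used to gate it; presumably dhcp_release() itself now checks whether there is a lease to release, but that callee isn't visible here. A short comment at the call site, such as `/* dhcp_release() is a no-op unless a DHCP lease was obtained on this adapter */` (worded to match what the callee actually checks), would stop a reader from re-adding the removed guard. close_tun's body continues outside the hunk.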
@@ -6287,10 +6297,12 @@ ascii2ipset(const char *name)
int i;
ASSERT(IPW32_SET_N == SIZE(ipset_names));
for (i = 0; i < IPW32_SET_N; ++i)
+ {
if (!strcmp(name, ipset_names[i].short_form))
{
return i;
}
+ }
return -1;
}
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index f4b600c..8782d69 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef TUN_H
@@ -104,7 +103,6 @@ struct tuntap_options {
bool dhcp_renew;
bool dhcp_pre_release;
- bool dhcp_release;
bool register_dns;
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index e26f54d..d0b10ba 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
@@ -61,6 +60,12 @@
static HANDLE m_hEngineHandle = NULL; /* GLOBAL */
/*
+ * TAP adapter original metric value
+ */
+static int tap_metric_v4 = -1; /* GLOBAL */
+static int tap_metric_v6 = -1; /* GLOBAL */
+
+/*
* Windows internal socket API state (opaque).
*/
static struct WSAData wsa_state; /* GLOBAL */
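Review bot: The comment on the new `tap_metric_v4`/`tap_metric_v6` globals says only "original metric value", while the code relies on -1 as a sentinel meaning "not saved, do not restore" (win_wfp_block_dns() stores -1 on error and win_wfp_uninit() restores only non-negative values). I'd state that contract where the variables are defined: `/* Interface metric of the TAP adapter before win_wfp_block_dns() overrode it; -1 = unknown, win_wfp_uninit() restores only non-negative values. */`. Since both are file-scope state for a single adapter index, it is also worth noting there that a second win_wfp_block_dns() call overwrites the saved values.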
@@ -569,7 +574,8 @@ win32_keyboard_get(struct win32_signal *ws)
if (HANDLE_DEFINED(ws->in.read))
{
INPUT_RECORD ir;
- do {
+ do
+ {
DWORD n;
if (!keyboard_input_available(ws))
{
@@ -681,7 +687,8 @@ win32_pause(struct win32_signal *ws)
{
int status;
msg(M_INFO|M_NOPREFIX, "Press any key to continue...");
- do {
+ do
+ {
status = WaitForSingleObject(ws->in.read, INFINITE);
} while (!win32_keyboard_get(ws));
}
@@ -984,7 +991,9 @@ env_block(const struct env_set *es)
bool path_seen = false;
for (e = es->list; e != NULL; e = e->next)
+ {
nchars += strlen(e->string) + 1;
+ }
nchars += strlen(force_path)+1;
@@ -1324,8 +1333,8 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel)
goto out;
}
- status = GetModuleFileNameW(NULL, openvpnpath, sizeof(openvpnpath));
- if (status == 0 || status == sizeof(openvpnpath))
+ status = GetModuleFileNameW(NULL, openvpnpath, _countof(openvpnpath));
+ if (status == 0 || status == _countof(openvpnpath))
{
msg(M_WARN|M_ERRNO, "block_dns: cannot get executable path");
goto out;
@@ -1333,6 +1342,27 @@ win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel)
status = add_block_dns_filters(&m_hEngineHandle, index, openvpnpath,
block_dns_msg_handler);
+ if (status == 0)
+ {
+ tap_metric_v4 = get_interface_metric(index, AF_INET);
+ tap_metric_v6 = get_interface_metric(index, AF_INET6);
+ if (tap_metric_v4 < 0)
+ {
+ /* error, should not restore metric */
+ tap_metric_v4 = -1;
+ }
+ if (tap_metric_v6 < 0)
+ {
+ /* error, should not restore metric */
+ tap_metric_v6 = -1;
+ }
+ status = set_interface_metric(index, AF_INET, BLOCK_DNS_IFACE_METRIC);
+ if (!status)
+ {
+ set_interface_metric(index, AF_INET6, BLOCK_DNS_IFACE_METRIC);
+ }
+ }
+
ret = (status == 0);
out:
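Review bot: When get_interface_metric() fails for a family, the new code resets the saved value to -1 but still calls set_interface_metric() for that family, so the adapter is left at BLOCK_DNS_IFACE_METRIC with nothing able to restore it in win_wfp_uninit(). Skipping the override when the original is unknown keeps the failure recoverable: `if (tap_metric_v4 >= 0) { status = set_interface_metric(index, AF_INET, BLOCK_DNS_IFACE_METRIC); }` and likewise for AF_INET6. The return value of the AF_INET6 set_interface_metric() call is discarded, so a failure there leaves `ret` true and is never logged. Note also that a failed metric set now yields `ret == false` after the filters have already been added; whether the caller removes them in that case isn't visible here.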
@@ -1341,19 +1371,27 @@ out:
}
bool
-win_wfp_uninit(const HANDLE msg_channel)
+win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel)
{
dmsg(D_LOW, "Uninitializing WFP");
if (msg_channel)
{
msg(D_LOW, "Using service to delete block dns filters");
- win_block_dns_service(false, -1, msg_channel);
+ win_block_dns_service(false, index, msg_channel);
}
else
{
delete_block_dns_filters(m_hEngineHandle);
m_hEngineHandle = NULL;
+ if (tap_metric_v4 >= 0)
+ {
+ set_interface_metric(index, AF_INET, tap_metric_v4);
+ }
+ if (tap_metric_v6 >= 0)
+ {
+ set_interface_metric(index, AF_INET6, tap_metric_v6);
+ }
}
return true;
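Review bot: After restoring the metrics in the non-service branch, `tap_metric_v4`/`tap_metric_v6` keep their values, so a later win_wfp_uninit() call without an intervening win_wfp_block_dns() would re-apply stale metrics, possibly to a different `index`; resetting them right after use, `tap_metric_v4 = -1;` and `tap_metric_v6 = -1;`, closes that window. The return value of set_interface_metric() is ignored here, so a failed restore is silent and the function still returns true; a `dmsg(D_LOW, ...)` on failure would help diagnose a TAP adapter left at the blocking metric. In the service branch the restore is presumably done by the service using the new `index` argument, but that code isn't visible. win_wfp_uninit's closing brace lies outside the hunk.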
diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h
index 4ee44fd..21a1021 100644
--- a/src/openvpn/win32.h
+++ b/src/openvpn/win32.h
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef _WIN32
@@ -293,7 +292,7 @@ WCHAR *wide_string(const char *utf8, struct gc_arena *gc);
bool win_wfp_block_dns(const NET_IFINDEX index, const HANDLE msg_channel);
-bool win_wfp_uninit(const HANDLE msg_channel);
+bool win_wfp_uninit(const NET_IFINDEX index, const HANDLE msg_channel);
#define WIN_XP 0
#define WIN_VISTA 1