From 87356242baf10c8b2a94d9013e436ed2a0dada53 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Wed, 20 Feb 2019 14:11:46 +0100 Subject: New upstream version 2.4.7 --- src/openvpn/options.c | 82 ++++++++++----------------------------------------- 1 file changed, 16 insertions(+), 66 deletions(-) (limited to 'src/openvpn/options.c') diff --git a/src/openvpn/options.c b/src/openvpn/options.c index d1adfb6..f951814 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1031,67 +1031,6 @@ get_ip_addr(const char *ip_string, int msglevel, bool *error) return ret; } -/* helper: parse a text string containing an IPv6 address + netbits - * in "standard format" (2001:dba::/32) - * "/nn" is optional, default to /64 if missing - * - * return true if parsing succeeded, modify *network and *netbits - */ -bool -get_ipv6_addr( const char *prefix_str, struct in6_addr *network, - unsigned int *netbits, int msglevel) -{ - char *sep, *endp; - int bits; - struct in6_addr t_network; - - sep = strchr( prefix_str, '/' ); - if (sep == NULL) - { - bits = 64; - } - else - { - bits = strtol( sep+1, &endp, 10 ); - if (*endp != '\0' || bits < 0 || bits > 128) - { - msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str); - return false; - } - } - - /* temporary replace '/' in caller-provided string with '\0', otherwise - * inet_pton() will refuse prefix string - * (alternative would be to strncpy() the prefix to temporary buffer) - */ - - if (sep != NULL) - { - *sep = '\0'; - } - - if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1) - { - msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str); - return false; - } - - if (sep != NULL) - { - *sep = '/'; - } - - if (netbits != NULL) - { - *netbits = bits; - } - if (network != NULL) - { - *network = t_network; - } - return true; /* parsing OK, values set */ -} - /** * Returns newly allocated string containing address part without "/nn". * @@ -1769,6 +1708,7 @@ show_settings(const struct options *o) SHOW_STR(cryptoapi_cert); #endif SHOW_STR(cipher_list); + SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); SHOW_STR(tls_export_cert); @@ -2783,6 +2723,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec MUST_BE_UNDEF(pkcs12_file); #endif MUST_BE_UNDEF(cipher_list); + MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); MUST_BE_UNDEF(tls_export_cert); @@ -3498,7 +3439,7 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) struct key_type fake_kt; init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, false); - frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead())); + frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv, o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, @@ -3787,11 +3728,15 @@ options_warning_safe_scan2(const int msglevel, const char *b1_name, const char *b2_name) { - /* we will stop sending 'proto xxx' in OCC in a future version - * (because it's not useful), and to reduce questions when - * interoperating, we start not-printing a warning about it today + /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in + * OCC in a future version (because it's not useful). To reduce questions + * when interoperating, we no longer printing a warning about it. */ - if (strncmp(p1, "proto ", 6) == 0) + if (strprefix(p1, "key-method ") + || strprefix(p1, "keydir ") + || strprefix(p1, "proto ") + || strprefix(p1, "tls-auth ") + || strprefix(p1, "tun-ipv6")) { return; } @@ -7874,6 +7819,11 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_cert_profile = p[1]; } + else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->cipher_list_tls13 = p[1]; + } else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) { -- cgit v1.2.3