From 0393ba6656ce6cf679a2c4663275b3ed0f1a34b9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Thu, 31 Jul 2014 12:09:49 +0200 Subject: Updated ics-openvpn to rev 859 + no 2nd notification. --- app/openvpn/README.polarssl | 4 +- app/openvpn/configure.ac | 33 +- app/openvpn/distro/rpm/openvpn.init.d.rhel | 2 +- app/openvpn/distro/rpm/openvpn.init.d.suse | 2 +- app/openvpn/doc/openvpn.8 | 57 +- app/openvpn/openvpn.sln | 76 +- app/openvpn/sample/sample-config-files/server.conf | 9 +- app/openvpn/sample/sample-keys/pkcs12.p12 | Bin 2685 -> 4756 bytes app/openvpn/src/compat/compat.vcxproj | 172 ++-- app/openvpn/src/compat/compat.vcxproj.filters | 82 +- app/openvpn/src/openvpn/crypto.c | 96 ++- app/openvpn/src/openvpn/crypto.h | 7 +- app/openvpn/src/openvpn/crypto_backend.h | 30 + app/openvpn/src/openvpn/crypto_openssl.c | 56 +- app/openvpn/src/openvpn/crypto_polarssl.c | 21 + app/openvpn/src/openvpn/helper.c | 6 +- app/openvpn/src/openvpn/init.c | 15 +- app/openvpn/src/openvpn/manage.c | 6 +- app/openvpn/src/openvpn/misc.c | 6 + app/openvpn/src/openvpn/mudp.c | 106 ++- app/openvpn/src/openvpn/multi.c | 27 +- app/openvpn/src/openvpn/multi.h | 2 + app/openvpn/src/openvpn/openvpn.vcxproj | 524 ++++++------ app/openvpn/src/openvpn/openvpn.vcxproj.filters | 914 ++++++++++----------- app/openvpn/src/openvpn/options.c | 41 +- app/openvpn/src/openvpn/options.h | 4 +- app/openvpn/src/openvpn/push.c | 8 +- app/openvpn/src/openvpn/route.c | 60 ++ app/openvpn/src/openvpn/ssl.c | 75 +- app/openvpn/src/openvpn/ssl.h | 9 +- app/openvpn/src/openvpn/ssl_common.h | 4 + app/openvpn/src/openvpn/ssl_openssl.c | 3 +- app/openvpn/src/openvpn/ssl_openssl.h | 11 + app/openvpn/src/openvpn/ssl_verify_openssl.c | 4 +- app/openvpn/src/openvpn/ssl_verify_polarssl.c | 9 +- app/openvpn/src/openvpn/syshead.h | 8 + app/openvpn/src/openvpn/tun.c | 170 ++++ app/openvpn/src/openvpnserv/openvpnserv.vcxproj | 222 ++--- .../src/openvpnserv/openvpnserv.vcxproj.filters | 68 +- app/openvpn/tests/t_client.sh.in | 6 + app/openvpn/tests/t_lpback.sh | 33 +- 41 
files changed, 1828 insertions(+), 1160 deletions(-) (limited to 'app/openvpn') diff --git a/app/openvpn/README.polarssl b/app/openvpn/README.polarssl index ab7c2d78..6f1fa51a 100644 --- a/app/openvpn/README.polarssl +++ b/app/openvpn/README.polarssl @@ -7,7 +7,7 @@ To Build and Install, make make install -This version depends on at least PolarSSL v1.1. +This version depends on PolarSSL 1.3 (and requires at least 1.3.3). ************************************************************************* @@ -17,12 +17,10 @@ in the PolarSSL version of OpenVPN: * PKCS#12 file support * --capath support - Loading certificate authorities from a directory * Windows CryptoAPI support - * Management external key support * X.509 alternative username fields (must be "CN") Plugin/Script features: - * X.509 Serial number is in hex, not decimal as with OpenSSL * X.509 subject line has a different format than the OpenSSL subject line * X.509 certificate export does not work * X.509 certificate tracking diff --git a/app/openvpn/configure.ac b/app/openvpn/configure.ac index 55c40847..ffba3749 100644 --- a/app/openvpn/configure.ac +++ b/app/openvpn/configure.ac @@ -71,6 +71,13 @@ AC_ARG_ENABLE( [enable_crypto="yes"] ) +AC_ARG_ENABLE( + [ofb-cfb], + [AS_HELP_STRING([--enable-ofb-cfb], [enable support for OFB and CFB cipher modes @<:@default=yes@:>@])], + , + [enable_crypto_ofb_cfb="yes"] +) + AC_ARG_ENABLE( [ssl], [AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])], 
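Review bot: The new `AC_ARG_ENABLE([ofb-cfb], …)` block leaves its action-if-given argument empty, so when a user passes `--enable-ofb-cfb` or `--disable-ofb-cfb` autoconf sets only `enable_ofb_cfb`, while the default branch and the later test in the `@@ -1070` hunk (`test "${enable_crypto_ofb_cfb}" = "yes"`) use `enable_crypto_ofb_cfb`; an explicit `--enable-ofb-cfb` therefore leaves `enable_crypto_ofb_cfb` unset and silently turns the modes off. Fill the third argument so the two names agree, `[enable_crypto_ofb_cfb="$enableval"],`, or drop the `crypto_` prefix and test the variable autoconf derives. The help text also advertises `--enable-ofb-cfb` with `@<:@default=yes@:>@`; the neighbouring `[ssl]` block documents the non-default form, so this one should read `[AS_HELP_STRING([--disable-ofb-cfb], [disable support for OFB and CFB cipher modes @<:@default=yes@:>@])]`.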
@@ -335,6 +342,13 @@ case "$host" in AC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on DragonFlyBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["D"], [Target prefix]) ;; + *-aix*) + AC_DEFINE([TARGET_AIX], [1], [Are we running AIX?]) + AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["A"], [Target prefix]) + ROUTE="/usr/sbin/route" + have_tap_header="yes" + ac_cv_header_net_if_h="no" # exists, but breaks things + ;; *) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["X"], [Target prefix]) have_tap_header="yes" @@ -786,24 +800,6 @@ if test "${have_openssl_crypto}" = "yes"; then LIBS="${saved_LIBS}" fi -if test "${have_openssl_ssl}" = "yes"; then - saved_CPPFLAGS="${CPPFLAGS}" - CPPFLAGS="${CPPFLAGS} ${OPENSSL_CRYPTO_CFLAGS}" - AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) - AC_EGREP_CPP(have_ssl_op_no_ticket, [ - #include - #ifdef SSL_OP_NO_TICKET - have_ssl_op_no_ticket - #endif - ], [ - AC_MSG_RESULT([yes]) - ], [ - AC_MSG_RESULT([no]) - AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL]) - ]) - CPPFLAGS="${saved_CPPFLAGS}" -fi - AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) have_polarssl_ssl="yes" @@ -1070,6 +1066,7 @@ fi if test "${enable_crypto}" = "yes"; then test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing]) + test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}" OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}" AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library]) diff --git a/app/openvpn/distro/rpm/openvpn.init.d.rhel b/app/openvpn/distro/rpm/openvpn.init.d.rhel index 821abd58..cdf3e9de 100755 --- a/app/openvpn/distro/rpm/openvpn.init.d.rhel +++ b/app/openvpn/distro/rpm/openvpn.init.d.rhel 
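Review bot: The `@@ -786` hunk deletes the `SSL_OP_NO_TICKET` probe without adding any other OpenSSL version floor in this file (the remaining checks visible here cover `have_openssl_crypto` and PolarSSL), so if `ssl_openssl.c` still sets `SSL_OP_NO_TICKET` — that file is in the diffstat but its hunk is not shown — a too-old OpenSSL now fails at compile time with an undeclared identifier instead of the former explicit `AC_ERROR`. If the probe went because every accepted OpenSSL version already has the flag, say so where the block was, e.g. `dnl SSL_OP_NO_TICKET exists in every OpenSSL we accept; no probe needed`, otherwise reinstate a version check. Separately, the AIX branch in `@@ -335` sets `ac_cv_header_net_if_h="no"` with the comment `# exists, but breaks things`; naming what breaks would spare the next maintainer a bisect.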
@@ -148,7 +148,7 @@ case "$1" in for c in `/bin/ls *.conf 2>/dev/null`; do bn=${c%%.conf} if [ -f "$bn.sh" ]; then - . $bn.sh + . ./$bn.sh fi rm -f $piddir/$bn.pid $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work diff --git a/app/openvpn/distro/rpm/openvpn.init.d.suse b/app/openvpn/distro/rpm/openvpn.init.d.suse index 2bac7f32..270024e8 100644 --- a/app/openvpn/distro/rpm/openvpn.init.d.suse +++ b/app/openvpn/distro/rpm/openvpn.init.d.suse @@ -161,7 +161,7 @@ case "$1" in for c in `/bin/ls *.conf 2>/dev/null`; do bn=${c%%.conf} if [ -f "$bn.sh" ]; then - . $bn.sh + . ./$bn.sh fi rm -f $piddir/$bn.pid $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work diff --git a/app/openvpn/doc/openvpn.8 b/app/openvpn/doc/openvpn.8 index 34894e5a..aee0bc83 100644 --- a/app/openvpn/doc/openvpn.8 +++ b/app/openvpn/doc/openvpn.8 @@ -1621,7 +1621,7 @@ and in server mode configurations. The server timeout is set twice the value of the second argument. -This ensures that a timeout is dectected on client side +This ensures that a timeout is detected on client side before the server side drops the connection. For example, @@ -2502,7 +2502,7 @@ Normally, adaptive compression is enabled with .B \-\-comp-lzo. Adaptive compression tries to optimize the case where you have -compression enabled, but you are sending predominantly uncompressible +compression enabled, but you are sending predominantly incompressible (or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer of a large, compressed file. With adaptive compression, OpenVPN will periodically sample the compression process to measure its 
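Review bot: The new `. ./$bn.sh` in the rhel hunk (and the identical suse hunk at `@@ -161`) still leaves the sourced path unquoted, so a `.conf` whose stem contains whitespace or glob characters is word-split before `.` sees it; write `. "./$bn.sh"`. The guard directly above, `if [ -f "$bn.sh" ]`, already quotes the same value, so the two lines should agree. The `/bin/ls *.conf` command substitution driving the loop and the unquoted `$piddir/$bn.pid` and `--config $c` have the same weakness and would be safer as `for c in *.conf` with quoted expansions, but that is outside this commit's intent. The enclosing `case "$1" in` block starts and ends outside both hunks.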
@@ -2704,7 +2704,7 @@ on sufficiently fast hardware. SSL/TLS authentication must be used in this mode. .\"********************************************************* .TP -.B \-\-server network netmask +.B \-\-server network netmask ['nopool'] A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients @@ -2739,6 +2739,9 @@ expands as follows: if !nopool: ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 push "route-gateway 10.8.0.1" + if route-gateway unset: + route-gateway 10.8.0.2 + .in -4 .ft .fi @@ -3542,7 +3545,7 @@ like this: .B /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com .IP -In addition the old behavivour was to remap any character other than +In addition the old behaviour was to remap any character other than alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject string as returned by the .B tls_id @@ -4399,7 +4402,7 @@ A different mode can be specified for each provider. Mode is encoded as hex number, and can be a mask one of the following: .B 0 -(default) \-\- Try to determind automatically. +(default) \-\- Try to determine automatically. .br .B 1 \-\- Use sign. 
@@ -4790,12 +4793,44 @@ the tls-verify script returns. The file name used for the certificate is available via the peer_cert environment variable. .\"********************************************************* .TP -.B \-\-x509-username-field fieldname -Field in x509 certificate subject to be used as username (default=CN). -.B Fieldname -will be uppercased before matching. When this option is used, the -.B \-\-verify-x509-username -option will match against the chosen fieldname instead of the CN. +.B \-\-x509-username-field [ext:\]fieldname +Field in the X.509 certificate subject to be used as the username (default=CN). +Typically, this option is specified with +.B fieldname +as either of the following: + +.B \-\-x509-username-field +emailAddress +.br +.B \-\-x509-username-field ext:\fRsubjectAltName + +The first example uses the value of the "emailAddress" attribute in the +certificate's Subject field as the username. The second example uses +the +.B ext: +prefix to signify that the X.509 extension +.B fieldname +"subjectAltName" be searched for an rfc822Name (email) field to be used +as the username. In cases where there are multiple email addresses +in +.B ext:fieldname\fR, +the last occurrence is chosen. + +When this option is used, the +.B \-\-verify-x509-name +option will match against the chosen +.B fieldname +instead of the Common Name. + +.B Please note: +This option has a feature which will convert an all-lowercase +.B fieldname +to uppercase characters, e.g., ou -> OU. A mixed-case +.B fieldname +or one having the +.B ext: +prefix will be left as-is. This automatic upcasing feature +is deprecated and will be removed in a future release. .\"********************************************************* .TP .B \-\-tls-remote name (DEPRECATED) diff --git a/app/openvpn/openvpn.sln b/app/openvpn/openvpn.sln index f832e7a4..90c01b89 100644 --- a/app/openvpn/openvpn.sln +++ b/app/openvpn/openvpn.sln 
@@ -1,38 +1,38 @@ - -Microsoft Visual Studio Solution File, Format Version 11.00 -# Visual C++ Express 2010 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpnserv", "src\openvpnserv\openvpnserv.vcxproj", "{9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpn", "src\openvpn\openvpn.vcxproj", "{29DF226E-4D4E-440F-ADAF-5829CFD4CA94}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msvc-generate", "build\msvc\msvc-generate\msvc-generate.vcxproj", "{8598C2C8-34C4-47A1-99B0-7C295A890615}" -EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "compat", "src\compat\compat.vcxproj", "{4B2E2719-E661-45D7-9203-F6F456B22F19}" -EndProject -Global - GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|Win32 = Debug|Win32 - Release|Win32 = Release|Win32 - EndGlobalSection - GlobalSection(ProjectConfigurationPlatforms) = postSolution - {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.ActiveCfg = Debug|Win32 - {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.Build.0 = Debug|Win32 - {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.ActiveCfg = Release|Win32 - {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.Build.0 = Release|Win32 - {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.ActiveCfg = Debug|Win32 - {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.Build.0 = Debug|Win32 - {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.ActiveCfg = Release|Win32 - {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.Build.0 = Release|Win32 - {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.ActiveCfg = Debug|Win32 - {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.Build.0 = Debug|Win32 - {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.ActiveCfg = Release|Win32 - {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.Build.0 = Release|Win32 - {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.ActiveCfg = Debug|Win32 - 
{4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.Build.0 = Debug|Win32 - {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.ActiveCfg = Release|Win32 - {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.Build.0 = Release|Win32 - EndGlobalSection - GlobalSection(SolutionProperties) = preSolution - HideSolutionNode = FALSE - EndGlobalSection -EndGlobal + +Microsoft Visual Studio Solution File, Format Version 11.00 +# Visual C++ Express 2010 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpnserv", "src\openvpnserv\openvpnserv.vcxproj", "{9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "openvpn", "src\openvpn\openvpn.vcxproj", "{29DF226E-4D4E-440F-ADAF-5829CFD4CA94}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msvc-generate", "build\msvc\msvc-generate\msvc-generate.vcxproj", "{8598C2C8-34C4-47A1-99B0-7C295A890615}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "compat", "src\compat\compat.vcxproj", "{4B2E2719-E661-45D7-9203-F6F456B22F19}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.ActiveCfg = Debug|Win32 + {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Debug|Win32.Build.0 = Debug|Win32 + {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.ActiveCfg = Release|Win32 + {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD}.Release|Win32.Build.0 = Release|Win32 + {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.ActiveCfg = Debug|Win32 + {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Debug|Win32.Build.0 = Debug|Win32 + {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.ActiveCfg = Release|Win32 + {29DF226E-4D4E-440F-ADAF-5829CFD4CA94}.Release|Win32.Build.0 = Release|Win32 + {8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.ActiveCfg = Debug|Win32 + 
{8598C2C8-34C4-47A1-99B0-7C295A890615}.Debug|Win32.Build.0 = Debug|Win32 + {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.ActiveCfg = Release|Win32 + {8598C2C8-34C4-47A1-99B0-7C295A890615}.Release|Win32.Build.0 = Release|Win32 + {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.ActiveCfg = Debug|Win32 + {4B2E2719-E661-45D7-9203-F6F456B22F19}.Debug|Win32.Build.0 = Debug|Win32 + {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.ActiveCfg = Release|Win32 + {4B2E2719-E661-45D7-9203-F6F456B22F19}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/app/openvpn/sample/sample-config-files/server.conf b/app/openvpn/sample/sample-config-files/server.conf index f483b6bb..467d5b8a 100644 --- a/app/openvpn/sample/sample-config-files/server.conf +++ b/app/openvpn/sample/sample-config-files/server.conf @@ -83,9 +83,16 @@ key server.key # This file should be kept secret # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using -# 2048 bit keys. +# 2048 bit keys. dh dh1024.pem +# Network topology +# Should be subnet (addressing via IP) +# unless Windows clients v2.0.9 and lower have to +# be supported (then net30, i.e. a /30 per client) +# Defaults to net30 (not recommended) +;topology subnet + # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, diff --git a/app/openvpn/sample/sample-keys/pkcs12.p12 b/app/openvpn/sample/sample-keys/pkcs12.p12 index 253d4081..8df2ccb5 100644 Binary files a/app/openvpn/sample/sample-keys/pkcs12.p12 and b/app/openvpn/sample/sample-keys/pkcs12.p12 differ diff --git a/app/openvpn/src/compat/compat.vcxproj b/app/openvpn/src/compat/compat.vcxproj index d872fa75..42979c11 100644 --- a/app/openvpn/src/compat/compat.vcxproj +++ b/app/openvpn/src/compat/compat.vcxproj 
@@ -1,87 +1,87 @@ - - - - - Debug - Win32 - - - Release - Win32 - - - - {4B2E2719-E661-45D7-9203-F6F456B22F19} - compat - Win32Proj - - - - StaticLibrary - MultiByte - true - - - StaticLibrary - MultiByte - - - - - - - - - - - - - <_ProjectFileVersion>10.0.30319.1 - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - - - - Disabled - $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) - true - EnableFastChecks - MultiThreadedDebugDLL - - - Level3 - EditAndContinue - - - - - MaxSpeed - true - $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) - MultiThreadedDLL - true - - - Level3 - ProgramDatabase - - - - - - - - - - - - - - - - + + + + + Debug + Win32 + + + Release + Win32 + + + + {4B2E2719-E661-45D7-9203-F6F456B22F19} + compat + Win32Proj + + + + StaticLibrary + MultiByte + true + + + StaticLibrary + MultiByte + + + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + + + + Disabled + $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) + true + EnableFastChecks + MultiThreadedDebugDLL + + + Level3 + EditAndContinue + + + + + MaxSpeed + true + $(SOURCEBASE);$(SOURCEBASE)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_LIB;$(CPPFLAGS);%(PreprocessorDefinitions) + MultiThreadedDLL + true + + + Level3 + ProgramDatabase + + + + + + + 
+ + + + + + + + + \ No newline at end of file diff --git a/app/openvpn/src/compat/compat.vcxproj.filters b/app/openvpn/src/compat/compat.vcxproj.filters index 9576c512..00bb0ffa 100644 --- a/app/openvpn/src/compat/compat.vcxproj.filters +++ b/app/openvpn/src/compat/compat.vcxproj.filters @@ -1,42 +1,42 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav - - - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - - - Header Files - - + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav + + + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + \ No newline at end of file diff --git a/app/openvpn/src/openvpn/crypto.c b/app/openvpn/src/openvpn/crypto.c index c4c356dc..62c4ab28 100644 --- a/app/openvpn/src/openvpn/crypto.c +++ b/app/openvpn/src/openvpn/crypto.c @@ -100,10 +100,10 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, { uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH]; const int iv_size = cipher_ctx_iv_length (ctx->cipher); - const unsigned int mode = cipher_ctx_mode (ctx->cipher); + const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); int outlen; - if (mode == OPENVPN_MODE_CBC) + if (cipher_kt_mode_cbc(cipher_kt)) { CLEAR (iv_buf); 
@@ -119,7 +119,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, ASSERT (packet_id_write (&pin, buf, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM), true)); } } - else if (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB) + else if (cipher_kt_mode_ofb_cfb(cipher_kt)) { struct packet_id_net pin; struct buffer b; @@ -171,7 +171,10 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, /* Flush the encryption buffer */ ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen)); work.len += outlen; - ASSERT (outlen == iv_size); + + /* For all CBC mode ciphers, check the last block is complete */ + ASSERT (cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC || + outlen == iv_size); /* prepend the IV to the ciphertext */ if (opt->flags & CO_USE_IV) @@ -272,8 +275,8 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, if (ctx->cipher) { - const unsigned int mode = cipher_ctx_mode (ctx->cipher); const int iv_size = cipher_ctx_iv_length (ctx->cipher); + const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH]; int outlen; @@ -320,7 +323,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, /* Get packet ID from plaintext buffer or IV, depending on cipher mode */ { - if (mode == OPENVPN_MODE_CBC) + if (cipher_kt_mode_cbc(cipher_kt)) { if (opt->packet_id) { @@ -329,7 +332,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, have_pin = true; } } - else if (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB) + else if (cipher_kt_mode_ofb_cfb(cipher_kt)) { struct buffer b; 
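Review bot: The new assertion in `@@ -171` tests `cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC` while every other site in this file moved to `cipher_kt_mode_cbc(cipher_kt)` (the `@@ -100`, `@@ -119`, `@@ -320` and `@@ -329` hunks). On the OpenSSL backend `cipher_kt_mode_cbc` additionally excludes AEAD ciphers (the `EVP_CIPH_FLAG_AEAD_CIPHER` test in `crypto_openssl.c`), so the raw-mode comparison and the helper are not interchangeable; use the helper for consistency: `ASSERT (!cipher_kt_mode_cbc (cipher_kt) || outlen == iv_size);`. The `/* For all CBC mode ciphers, check the last block is complete */` comment then matches the predicate exactly. `openvpn_encrypt` begins and ends outside the hunk.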
@@ -388,6 +391,60 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, return false; } +/* + * This verifies if a packet and its HMAC fit to a crypto context. + * + * On success true is returned. + */ +bool +crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt) +{ + struct gc_arena gc; + gc_init (&gc); + int offset = 4; /* 1 byte opcode + 3 bytes session-id */ + + if (buf->len > 0 && opt->key_ctx_bi) + { + struct key_ctx *ctx = &opt->key_ctx_bi->decrypt; + + /* Verify the HMAC */ + if (ctx->hmac) + { + int hmac_len; + uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */ + + hmac_ctx_reset(ctx->hmac); + + /* Assume the length of the input HMAC */ + hmac_len = hmac_ctx_size (ctx->hmac); + + /* Authentication fails if insufficient data in packet for HMAC */ + if ((buf->len - offset) < hmac_len) + { + gc_free (&gc); + return false; + } + + hmac_ctx_update (ctx->hmac, BPTR (buf) + offset + hmac_len, + BLEN (buf) - offset - hmac_len); + hmac_ctx_final (ctx->hmac, local_hmac); + + /* Compare locally computed HMAC with packet HMAC */ + if (memcmp (local_hmac, BPTR (buf) + offset, hmac_len)) + { + gc_free (&gc); + return false; + } + + gc_free (&gc); + return true; + } + } + + gc_free (&gc); + return false; +} + /* * How many bytes will we add to frame buffer for a given * set of crypto options? 
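Review bot: `crypto_test_hmac` compares the received and locally computed tags with `memcmp (local_hmac, BPTR (buf) + offset, hmac_len)`, which stops at the first differing byte; for an authentication-tag check applied to packets before any session is established, a constant-time comparison (XOR the two byte ranges into an accumulator and test it once after the loop) is the appropriate primitive, and the header comment should state that the check is constant-time. The `struct gc_arena gc` is initialised and freed on all four return paths but nothing is ever allocated from it, so it and the three `gc_free (&gc)` calls can go, leaving a single `return` of the comparison result. The header comment would also benefit from stating what `buf` must contain — `offset = 4; /* 1 byte opcode + 3 bytes session-id */` is the only description of the expected packet layout and should be confirmed against the header format whichever caller passes the packet in (no caller is visible here).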
@@ -426,17 +483,12 @@ init_key_type (struct key_type *kt, const char *ciphername, /* check legal cipher mode */ { - const unsigned int mode = cipher_kt_mode (kt->cipher); - if (!(mode == OPENVPN_MODE_CBC -#ifdef ALLOW_NON_CBC_CIPHERS - || (cfb_ofb_allowed && (mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB)) + if (!(cipher_kt_mode_cbc(kt->cipher) +#ifdef ENABLE_OFB_CFB_MODE + || (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher)) #endif )) -#ifdef ENABLE_SMALL msg (M_FATAL, "Cipher '%s' mode not supported", ciphername); -#else - msg (M_FATAL, "Cipher '%s' uses a mode not supported by " PACKAGE_NAME " in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when " PACKAGE_NAME " has been built with ALLOW_NON_CBC_CIPHERS.", ciphername); -#endif } } else @@ -606,18 +658,10 @@ fixup_key (struct key *key, const struct key_type *kt) void check_replay_iv_consistency (const struct key_type *kt, bool packet_id, bool use_iv) { - if (cfb_ofb_mode (kt) && !(packet_id && use_iv)) - msg (M_FATAL, "--no-replay or --no-iv cannot be used with a CFB or OFB mode cipher"); -} + ASSERT(kt); -bool -cfb_ofb_mode (const struct key_type* kt) -{ - if (kt && kt->cipher) { - const unsigned int mode = cipher_kt_mode (kt->cipher); - return mode == OPENVPN_MODE_CFB || mode == OPENVPN_MODE_OFB; - } - return false; + if (cipher_kt_mode_ofb_cfb(kt->cipher) && !(packet_id && use_iv)) + msg (M_FATAL, "--no-replay or --no-iv cannot be used with a CFB or OFB mode cipher"); } /* diff --git a/app/openvpn/src/openvpn/crypto.h b/app/openvpn/src/openvpn/crypto.h index 3b4b88ea..3c4e59d7 100644 --- a/app/openvpn/src/openvpn/crypto.h +++ b/app/openvpn/src/openvpn/crypto.h @@ -32,8 +32,6 @@ #ifdef ENABLE_CRYPTO -#define ALLOW_NON_CBC_CIPHERS - #include "crypto_backend.h" #include "basic.h" #include "buffer.h" 
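Review bot: In the `@@ -606` hunk `check_replay_iv_consistency` now passes `kt->cipher` straight into `cipher_kt_mode_ofb_cfb`, which `crypto_backend.h` declares `__attribute__((nonnull))`; the deleted `cfb_ofb_mode` helper guarded `kt && kt->cipher`, so a key type with no cipher, which previously yielded false, now reaches a nonnull-declared function with NULL, and the added `ASSERT(kt)` covers only the outer pointer. Unless every caller guarantees a cipher — not visible from this hunk — restore the inner guard: `if (kt->cipher && cipher_kt_mode_ofb_cfb(kt->cipher) && !(packet_id && use_iv))`. The same substitution appears in `init.c` `@@ -2150`, where `cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher)` replaced `cfb_ofb_mode (&c->c1.ks.key_type)`.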
@@ -189,8 +187,6 @@ bool write_key (const struct key *key, const struct key_type *kt, int read_key (struct key *key, const struct key_type *kt, struct buffer *buf); -bool cfb_ofb_mode (const struct key_type* kt); - void init_key_type (struct key_type *kt, const char *ciphername, bool ciphername_defined, const char *authname, bool authname_defined, int keysize, bool cfb_ofb_allowed, bool warn); @@ -279,6 +275,9 @@ bool openvpn_decrypt (struct buffer *buf, struct buffer work, const struct crypto_options *opt, const struct frame* frame); + +bool crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt); + /** @} name Functions for performing security operations on data channel packets */ void crypto_adjust_frame_parameters(struct frame *frame, diff --git a/app/openvpn/src/openvpn/crypto_backend.h b/app/openvpn/src/openvpn/crypto_backend.h index 5ae47e6c..a48ad6c5 100644 --- a/app/openvpn/src/openvpn/crypto_backend.h +++ b/app/openvpn/src/openvpn/crypto_backend.h @@ -230,6 +230,26 @@ int cipher_kt_block_size (const cipher_kt_t *cipher_kt); */ int cipher_kt_mode (const cipher_kt_t *cipher_kt); +/** + * Check of the supplied cipher is a supported CBC mode cipher. + * + * @param cipher Static cipher parameters. May not be NULL. + * + * @return true iff the cipher is a CBC mode cipher. + */ +bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) + __attribute__((nonnull)); + +/** + * Check of the supplied cipher is a supported OFB or CFB mode cipher. + * + * @param cipher Static cipher parameters. May not be NULL. + * + * @return true iff the cipher is a OFB or CFB mode cipher. + */ +bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) + __attribute__((nonnull)); + /** * 
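Review bot: The two new doc comments in `crypto_backend.h` `@@ -230` open with `Check of the supplied cipher is …`, which should read `Check if the supplied cipher is …` (both places), and the second `@return` should say `an OFB or CFB mode cipher`. The `crypto_test_hmac` prototype added in `crypto.h` `@@ -279` sits inside a Doxygen `@{ … @}` group whose other functions are documented but carries no comment; a short one such as `/** Check whether the packet in buf carries a valid HMAC for the decrypt key context of opt; true on success. Reads buf only. */` would make the contract visible at the declaration.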
@@ -287,6 +307,16 @@ int cipher_ctx_block_size (const cipher_ctx_t *ctx); */ int cipher_ctx_mode (const cipher_ctx_t *ctx); +/** + * Returns the static cipher parameters for this context. + * + * @param ctx Cipher's context. May not be NULL. + * + * @return Static cipher parameters for the supplied context. + */ +const cipher_kt_t *cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) + __attribute__((nonnull)); + /** * Resets the given cipher context, setting the IV to the specified value. * Preserves the associated key information. diff --git a/app/openvpn/src/openvpn/crypto_openssl.c b/app/openvpn/src/openvpn/crypto_openssl.c index c3480e02..0ac89a19 100644 --- a/app/openvpn/src/openvpn/crypto_openssl.c +++ b/app/openvpn/src/openvpn/crypto_openssl.c @@ -40,6 +40,7 @@ #include "basic.h" #include "buffer.h" #include "integer.h" +#include "crypto.h" #include "crypto_backend.h" #include #include @@ -253,7 +254,7 @@ show_available_ciphers () "used as a parameter to the --cipher option. The default\n" "key size is shown as well as whether or not it can be\n" "changed with the --keysize directive. Using a CBC mode\n" - "is recommended.\n\n"); + "is recommended. In static key mode only CBC mode is allowed.\n\n"); #endif for (nid = 0; nid < 10000; ++nid) /* is there a better way to get the size of the nid list? */ 
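Review bot: The `@@ -40` hunk adds `#include "crypto.h"` to `crypto_openssl.c` ahead of `crypto_backend.h`, and `crypto.h` itself includes `crypto_backend.h` (visible in the `crypto.h` `@@ -32` hunk), so the backend now depends on the front-end header it is meant to sit beneath. A one-line comment naming the symbol that forces the include, e.g. `#include "crypto.h" /* for <needed symbol> */`, would stop a later cleanup from removing it — or the needed definition could move into `crypto_backend.h` so the dependency runs one way only.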
@@ -261,17 +262,22 @@ show_available_ciphers () const EVP_CIPHER *cipher = EVP_get_cipherbynid (nid); if (cipher) { - const unsigned int mode = EVP_CIPHER_mode (cipher); - if (mode == EVP_CIPH_CBC_MODE -#ifdef ALLOW_NON_CBC_CIPHERS - || mode == EVP_CIPH_CFB_MODE || mode == EVP_CIPH_OFB_MODE + if (cipher_kt_mode_cbc(cipher) +#ifdef ENABLE_OFB_CFB_MODE + || cipher_kt_mode_ofb_cfb(cipher) #endif ) - printf ("%s %d bit default key (%s)\n", - OBJ_nid2sn (nid), - EVP_CIPHER_key_length (cipher) * 8, - ((EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? - "variable" : "fixed")); + { + const char *var_key_size = + (EVP_CIPHER_flags (cipher) & EVP_CIPH_VARIABLE_LENGTH) ? + "variable" : "fixed"; + const char *ssl_only = cipher_kt_mode_ofb_cfb(cipher) ? + " (TLS client/server mode)" : ""; + + printf ("%s %d bit default key (%s)%s\n", OBJ_nid2sn (nid), + EVP_CIPHER_key_length (cipher) * 8, var_key_size, + ssl_only); + } } } printf ("\n"); @@ -483,6 +489,29 @@ cipher_kt_mode (const EVP_CIPHER *cipher_kt) return EVP_CIPHER_mode (cipher_kt); } +bool +cipher_kt_mode_cbc(const cipher_kt_t *cipher) +{ + return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC +#ifdef EVP_CIPH_FLAG_AEAD_CIPHER + /* Exclude AEAD cipher modes, they require a different API */ + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) +#endif + ; +} + +bool +cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) +{ + return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || + cipher_kt_mode(cipher) == OPENVPN_MODE_CFB) +#ifdef EVP_CIPH_FLAG_AEAD_CIPHER + /* Exclude AEAD cipher modes, they require a different API */ + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) +#endif + ; +} + /* * * Generic cipher context functions @@ -536,6 +565,13 @@ cipher_ctx_mode (const EVP_CIPHER_CTX *ctx) return EVP_CIPHER_CTX_mode (ctx); } +const cipher_kt_t * +cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) +{ + return EVP_CIPHER_CTX_cipher(ctx); +} + + int cipher_ctx_reset (EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) { 
diff --git a/app/openvpn/src/openvpn/crypto_polarssl.c b/app/openvpn/src/openvpn/crypto_polarssl.c index 7dc8aa5b..1a986dbd 100644 --- a/app/openvpn/src/openvpn/crypto_polarssl.c +++ b/app/openvpn/src/openvpn/crypto_polarssl.c @@ -416,6 +416,19 @@ cipher_kt_mode (const cipher_info_t *cipher_kt) return cipher_kt->mode; } +bool +cipher_kt_mode_cbc(const cipher_kt_t *cipher) +{ + return cipher_kt_mode(cipher) == OPENVPN_MODE_CBC; +} + +bool +cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) +{ + return (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || + cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); +} + /* * @@ -464,6 +477,14 @@ int cipher_ctx_mode (const cipher_context_t *ctx) return cipher_kt_mode(ctx->cipher_info); } +const cipher_kt_t * +cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) +{ + ASSERT(NULL != ctx); + + return ctx->cipher_info; +} + int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) { int retval = cipher_reset(ctx); diff --git a/app/openvpn/src/openvpn/helper.c b/app/openvpn/src/openvpn/helper.c index d9eef03b..0ed0b2ba 100644 --- a/app/openvpn/src/openvpn/helper.c +++ b/app/openvpn/src/openvpn/helper.c @@ -232,6 +232,8 @@ helper_client_server (struct options *o) * if !nopool: * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 * push "route-gateway 10.8.0.1" + * if route-gateway unset: + * route-gateway 10.8.0.2 */ if (o->server_defined) @@ -311,8 +313,10 @@ helper_client_server (struct options *o) ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); } o->ifconfig_pool_netmask = o->server_netmask; - + push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE); + if (!o->route_default_gateway) + o->route_default_gateway = print_in_addr_t (o->server_network + 2, 0, &o->gc); } else ASSERT (0); diff --git a/app/openvpn/src/openvpn/init.c b/app/openvpn/src/openvpn/init.c index ede955a1..6137588d 100644 --- a/app/openvpn/src/openvpn/init.c +++ b/app/openvpn/src/openvpn/init.c 
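Review bot: The new default in `helper.c` `@@ -311`, `o->route_default_gateway = print_in_addr_t (o->server_network + 2, 0, &o->gc);`, hard-codes the `+ 2` host without saying why, while the pushed `route-gateway` two lines above uses `+ 1`, and the updated block comment only restates the result (`route-gateway 10.8.0.2`). A why-comment at the assignment, along the lines of `/* presumably the server's own point-to-point peer in net30 topology — confirm this is also right for subnet topology */`, would record the assumption the hunk does not otherwise justify. The second argument `0` to `print_in_addr_t` is a bare flags value whose meaning is not apparent here either. `helper_client_server` starts and ends outside the hunk.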
@@ -2150,7 +2150,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) options->use_iv); /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ - packet_id_long_form = cfb_ofb_mode (&c->c1.ks.key_type); + packet_id_long_form = cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher); /* Compute MTU parameters */ crypto_adjust_frame_parameters (&c->c2.frame, @@ -3165,13 +3165,24 @@ management_show_net_callback (void *arg, const int msglevel) int managmenet_callback_network_change (void *arg) { + int socketfd=-1; struct context *c = (struct context *) arg; if (!c->c2.link_socket) return -1; if (c->c2.link_socket->sd == SOCKET_UNDEFINED) return -1; - return c->c2.link_socket->sd; + /* Check if the client should translate the network change to a SIGUSR1 to + reestablish the connection or just reprotect the socket */ + + /* At the moment just assume that, for all settings that use pull + reestablishing the connection is required */ + + socketfd = c->c2.link_socket->sd; + if (!c->options.pull || c->c2.tls_multi->use_session_id) + return socketfd; + else + return -2; } #endif diff --git a/app/openvpn/src/openvpn/manage.c b/app/openvpn/src/openvpn/manage.c index e7a7fe85..9913197b 100644 --- a/app/openvpn/src/openvpn/manage.c +++ b/app/openvpn/src/openvpn/manage.c @@ -1113,7 +1113,9 @@ man_network_change (struct management *man) { int fd = (*man->persist.callback.network_change)(man->persist.callback.arg); man->connection.fdtosend = fd; - msg (M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); + msg (M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); + if (fd == -2) + man_signal (man, "USR1"); } } #endif @@ -1164,7 +1166,7 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch #ifdef TARGET_ANDROID else if (streq (p[0], "network-change")) { - man_network_change(man); + man_network_change(man); } #endif else if (streq (p[0], "load-stats")) 
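Review bot: cipher_kt_mode_ofb_cfb is now handed `c->c1.ks.key_type.cipher` directly; if that pointer can be NULL here (a configuration with no data-channel cipher), the helper passes it straight into cipher_kt_mode, whereas the removed cfb_ofb_mode took the whole key_type and may have guarded this — confirm, and if needed write `packet_id_long_form = c->c1.ks.key_type.cipher && cipher_kt_mode_ofb_cfb (c->c1.ks.key_type.cipher);`. In managmenet_callback_network_change the new return reads `c->c2.tls_multi->use_session_id` without checking tls_multi; it is only reached when pull is set, which presumably implies a TLS context, so a comment stating that invariant would help. The -2 sentinel gives a second meaning to a value that is otherwise a file descriptor; a named constant shared with manage.c would document it. do_init_crypto_tls begins before its hunk.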
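Review bot: man_network_change stores the -2 sentinel in `man->connection.fdtosend` and logs it as `PROTECTFD: fd '-2' sent to be protected` before deciding to raise USR1, so the management client is still asked to protect a descriptor that does not exist. Assign fdtosend and emit the PROTECTFD line only when `fd >= 0`, and handle the -2 case in its own branch. The second hunk in this file only re-indents the call. The enclosing function's opening brace is outside the hunk.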
diff --git a/app/openvpn/src/openvpn/misc.c b/app/openvpn/src/openvpn/misc.c
index 7483184f..63b4c1cf 100644
--- a/app/openvpn/src/openvpn/misc.c
+++ b/app/openvpn/src/openvpn/misc.c
@@ -861,6 +861,12 @@ test_file (const char *filename)
 fclose (fp);
 ret = true;
 }
+ else
+ {
+ if( openvpn_errno () == EACCES ) {
+ msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename);
+ }
+ }
 }
 dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]",
diff --git a/app/openvpn/src/openvpn/mudp.c b/app/openvpn/src/openvpn/mudp.c
index 3468dab5..f7ab6253 100644
--- a/app/openvpn/src/openvpn/mudp.c
+++ b/app/openvpn/src/openvpn/mudp.c
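Review bot: the new else branch in test_file uses `if( ... ) {` with the brace on the same line, unlike the GNU-style bracing of the surrounding code (`}` / `else` / `{` on their own lines), so it reads as a foreign paste; reformat it to match. The EACCES check itself looks sound: openvpn_errno() is presumably read right after the failed open and before anything else could clobber errno, and M_ERRNO makes the warning carry the system error text. test_file's body continues outside the hunk.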
@@ -37,6 +37,55 @@
 #include "memdbg.h"
+/*
+ * Update instance with new peer address
+ */
+void
+update_floated(struct multi_context *m, struct multi_instance *mi,
+ struct mroute_addr real, uint32_t hv)
+{
+ struct mroute_addr real_old;
+
+ real_old = mi->real;
+ generate_prefix (mi);
+
+ /* remove before modifying mi->real, since it also modifies key in hash */
+ hash_remove(m->hash, &real_old);
+ hash_remove(m->iter, &real_old);
+
+ /* update address */
+ memcpy(&mi->real, &real, sizeof(real));
+
+ mi->context.c2.from = m->top.c2.from;
+ mi->context.c2.to_link_addr = &mi->context.c2.from;
+
+ /* switch to new log prefix */
+ generate_prefix (mi);
+ /* inherit buffers */
+ mi->context.c2.buffers = m->top.c2.buffers;
+
+ /* inherit parent link_socket and link_socket_info */
+ mi->context.c2.link_socket = m->top.c2.link_socket;
+ mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from;
+
+ /* fix remote_addr in tls structure */
+ tls_update_remote_addr (mi->context.c2.tls_multi, &mi->context.c2.from);
+ mi->did_open_context = true;
+
+ hash_add(m->hash, &mi->real, mi, false);
+ hash_add(m->iter, &mi->real, mi, false);
+
+ mi->did_real_hash = true;
+#ifdef MANAGEMENT_DEF_AUTH
+ hash_remove (m->cid_hash, &mi->context.c2.mda_context.cid);
+ hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, false);
+#endif
+
+#ifdef MANAGEMENT_DEF_AUTH
+ mi->did_cid_hash = true;
+#endif
+}
+
 /*
 * Get a client instance based on real address. If
 * the instance doesn't exist, create it while
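Review bot: the two `hash_add(..., false)` calls in update_floated ignore their return value; if another instance already occupies `real` in m->hash, the add is refused (replace is false), yet `mi->did_real_hash = true` is still set and the instance is left unreachable by address while the stale entry stays. Check the result, e.g. `if (!hash_add(m->hash, &mi->real, mi, false)) msg (D_MULTI_MEDIUM, "MULTI: float refused, address already in use");` and skip the float, or retire the instance holding the address if that is the intended policy (not visible here). The `hv` parameter is never used, and the first `generate_prefix (mi)` before mi->real changes is redundant with the one after it. The caller only reaches this after crypto_test_hmac succeeded, which is the check that makes accepting a new source address safe; a one-line comment stating that precondition on the function would make the contract explicit.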
@@ -56,14 +105,46 @@ multi_get_create_instance_udp (struct multi_context *m) struct hash_element *he; const uint32_t hv = hash_value (hash, &real); struct hash_bucket *bucket = hash_bucket (hash, hv); - - he = hash_lookup_fast (hash, bucket, &real, hv); + uint8_t* ptr = BPTR(&m->top.c2.buf); + uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + uint32_t sess_id; + bool session_forged = false; - if (he) + if (op == P_DATA_V2) { - mi = (struct multi_instance *) he->value; + sess_id = (*(uint32_t*)ptr) >> 8; + if ((sess_id < m->max_clients) && (m->instances[sess_id])) + { + mi = m->instances[sess_id]; + + if (!link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from)) + { + msg(D_MULTI_MEDIUM, "floating detected from %s to %s", + print_link_socket_actual (&mi->context.c2.from, &gc), print_link_socket_actual (&m->top.c2.from, &gc)); + + /* session-id is not trusted, so check hmac */ + session_forged = !(crypto_test_hmac(&m->top.c2.buf, &mi->context.c2.crypto_options)); + if (session_forged) + { + mi = NULL; + msg (D_MULTI_MEDIUM, "hmac verification failed, session forge detected!"); + } + else + { + update_floated(m, mi, real, hv); + } + } + } } else + { + he = hash_lookup_fast (hash, bucket, &real, hv); + if (he) + { + mi = (struct multi_instance *) he->value; + } + } + if (!mi && !session_forged) { if (!m->top.c2.tls_auth_standalone || tls_pre_decrypt_lite (m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) @@ -75,6 +156,17 @@ multi_get_create_instance_udp (struct multi_context *m) { hash_add_fast (hash, bucket, &mi->real, hv, mi); mi->did_real_hash = true; + + int i; + for (i = 0; i < m->max_clients; ++ i) + { + if (!m->instances[i]) + { + mi->context.c2.tls_multi->vpn_session_id = i; + m->instances[i] = mi; + break; + } + } } } else 
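Review bot: the P_DATA_V2 parsing reads `ptr[0]` and then `*(uint32_t*)ptr` before anything checks that `m->top.c2.buf` holds at least four bytes, and the cast is both an unaligned access and a host-byte-order read; tls_post_encrypt in ssl.c writes the header the same way, so the session id only survives the wire between peers of the same endianness. Guard the length with BLEN, copy the header out with memcpy and fix the wire order explicitly on both sides (ntohl here, htonl in tls_post_encrypt). On the float path the new address is accepted on the strength of crypto_test_hmac alone; if a configuration has no data-channel HMAC that test cannot reject a forged session id, so the float should be refused in that case — confirm what crypto_test_hmac returns there. The trailing `if (!mi && !session_forged)` creates a fresh instance for a V2 packet whose session id was simply unknown, consistent with the old behaviour for any unknown sender. multi_get_create_instance_udp begins before the hunk.
```c
  uint8_t *ptr = BPTR(&m->top.c2.buf);
  uint32_t sess_id = 0;
  bool session_forged = false;
  int op = -1;

  /* need the whole P_DATA_V2 header before reading it */
  if (BLEN(&m->top.c2.buf) >= 4)
    {
      uint32_t hdr;
      memcpy(&hdr, ptr, sizeof(hdr));   /* no unaligned access */
      hdr = ntohl(hdr);                 /* wire order; tls_post_encrypt must use htonl */
      op = (hdr >> 24) >> P_OPCODE_SHIFT;
      sess_id = hdr & 0x00FFFFFF;
    }
  else if (BLEN(&m->top.c2.buf) >= 1)
    {
      op = ptr[0] >> P_OPCODE_SHIFT;
    }

  if (op == P_DATA_V2)
    {
      /* … unchanged: session lookup, float detection, hmac check (minus the old sess_id = … line) … */
```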
@@ -89,15 +181,17 @@ multi_get_create_instance_udp (struct multi_context *m) #ifdef ENABLE_DEBUG if (check_debug_level (D_MULTI_DEBUG)) { - const char *status; + const char *status = mi ? "[ok]" : "[failed]"; + /* if (he && mi) status = "[succeeded]"; else if (!he && mi) status = "[created]"; else status = "[failed]"; - + */ + dmsg (D_MULTI_DEBUG, "GET INST BY REAL: %s %s", mroute_addr_print (&real, &gc), status); diff --git a/app/openvpn/src/openvpn/multi.c b/app/openvpn/src/openvpn/multi.c index 16250dc2..a4289ac7 100644 --- a/app/openvpn/src/openvpn/multi.c +++ b/app/openvpn/src/openvpn/multi.c @@ -303,6 +303,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa cid_compare_function); #endif + /* * This is our scheduler, for time-based wakeup * events. @@ -373,6 +374,13 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa */ m->max_clients = t->options.max_clients; + int i; + m->instances = malloc(sizeof(struct multi_instance*) * m->max_clients); + for (i = 0; i < m->max_clients; ++ i) + { + m->instances[i] = NULL; + } + /* * Initialize multi-socket TCP I/O wait object */ @@ -553,6 +561,8 @@ multi_close_instance (struct multi_context *m, } #endif + m->instances[mi->context.c2.tls_multi->vpn_session_id] = NULL; + schedule_remove_entry (m->schedule, (struct schedule_entry *) mi); ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false); @@ -629,6 +639,8 @@ multi_uninit (struct multi_context *m) #endif m->hash = NULL; + free(m->instances); + schedule_free (m->schedule); mbuf_free (m->mbuf); ifconfig_pool_free (m->ifconfig_pool); @@ -652,8 +664,6 @@ multi_create_instance (struct multi_context *m, const struct mroute_addr *real) perf_push (PERF_MULTI_CREATE_INSTANCE); - msg (D_MULTI_MEDIUM, "MULTI: multi_create_instance called"); - ALLOC_OBJ_CLEAR (mi, struct multi_instance); mi->gc = gc_new (); 
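Review bot: `m->instances = malloc(...)` in multi_init is never checked for NULL and is then zeroed by hand; `calloc` (or an ALLOC-style helper like the ALLOC_OBJ_CLEAR this file already uses) gives a zeroed array and a place to fail loudly, e.g. `m->instances = calloc (m->max_clients, sizeof (struct multi_instance *)); ASSERT (m->instances);`. In multi_close_instance the reset `m->instances[mi->context.c2.tls_multi->vpn_session_id] = NULL;` runs for every instance, including any that never got a slot (the slot assignment is in multi_get_create_instance_udp, so instances created elsewhere presumably keep vpn_session_id at its zero default and would clear slot 0 on close) — only clear the slot when `m->instances[id] == mi`. The first hunk in mudp.c keeps the old status computation as a commented-out block; delete it rather than leaving dead code. multi_init, multi_close_instance and multi_uninit all begin outside their hunks.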
@@ -2159,8 +2169,17 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins /* make sure that source address is associated with this client */ else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending) { - msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", - mroute_addr_print (&src, &gc)); + /* IPv6 link-local address (fe80::xxx)? */ + if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6 && + src.addr[0] == 0xfe && src.addr[1] == 0x80 ) + { + /* do nothing, for now. TODO: add address learning */ + } + else + { + msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped", + mroute_addr_print (&src, &gc)); + } c->c2.to_tun.len = 0; } /* client-to-client communication enabled? */ diff --git a/app/openvpn/src/openvpn/multi.h b/app/openvpn/src/openvpn/multi.h index fc2ffb24..0446fbfc 100644 --- a/app/openvpn/src/openvpn/multi.h +++ b/app/openvpn/src/openvpn/multi.h @@ -125,6 +125,8 @@ struct multi_context { # define MC_WORK_THREAD (MC_MULTI_THREADED_WORKER|MC_MULTI_THREADED_SCHEDULER) int thread_mode; + struct multi_instance** instances; + struct hash *hash; /**< VPN tunnel instances indexed by real * address of the remote peer. */ struct hash *vhash; /**< VPN tunnel instances indexed by diff --git a/app/openvpn/src/openvpn/openvpn.vcxproj b/app/openvpn/src/openvpn/openvpn.vcxproj index 452876fc..3b2340ee 100755 --- a/app/openvpn/src/openvpn/openvpn.vcxproj +++ b/app/openvpn/src/openvpn/openvpn.vcxproj 
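Review bot: the comment `/* do nothing, for now. TODO: add address learning */` is misleading because the packet is still discarded by the `c->c2.to_tun.len = 0;` that follows the if/else; only the D_MULTI_DROPPED message is suppressed. Reword it, e.g. `/* link-local source: drop silently for now; TODO: learn the address */`, so nobody reads the branch as forwarding the packet. In multi.h the new `instances` member lacks the `/**< … */` description its hash neighbours carry; `/**< Instances indexed by vpn_session_id for P_DATA_V2; NULL marks a free slot. */` would match them. The multi_process_incoming_link body continues outside the hunk.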
@@ -1,263 +1,263 @@ - - - - - Debug - Win32 - - - Release - Win32 - - - - {29DF226E-4D4E-440F-ADAF-5829CFD4CA94} - openvpn - Win32Proj - - - - Application - true - Unicode - - - Application - Unicode - - - - - - - - - - - - - <_ProjectFileVersion>10.0.30319.1 - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - true - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - false - - - - Disabled - $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) - true - EnableFastChecks - MultiThreadedDebugDLL - - - Level3 - EditAndContinue - UNICODE - - - $(SOURCEBASE);%(AdditionalIncludeDirectories) - - - libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies) - $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) - true - Console - MachineX86 - - - - - MaxSpeed - true - $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) - MultiThreadedDLL - true - - - Level3 - ProgramDatabase - UNICODE - - - $(SOURCEBASE);%(AdditionalIncludeDirectories) - - - libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies) - $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) - true - Console - true - true - MachineX86 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {8598c2c8-34c4-47a1-99b0-7c295a890615} - false - - - {4b2e2719-e661-45d7-9203-f6f456b22f19} - false - - - - - + + + + + Debug + Win32 + + + Release + Win32 + + + + {29DF226E-4D4E-440F-ADAF-5829CFD4CA94} + openvpn + Win32Proj + + + + Application + true + Unicode + + + Application + Unicode + + + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + true + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + false + + + + Disabled + $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) + true + EnableFastChecks + MultiThreadedDebugDLL + + + Level3 + EditAndContinue + UNICODE + + + $(SOURCEBASE);%(AdditionalIncludeDirectories) + + + libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies) + $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) + true + Console + MachineX86 + + + + + MaxSpeed + true + $(SOURCEBASE);$(SOURCEBASE)/src/compat;$(SOURCEBASE)/include;$(TAP_WINDOWS_HOME)/include;$(OPENSSL_HOME)/include;$(LZO_HOME)/include;$(PKCS11H_HOME)/include;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) + MultiThreadedDLL + true + + + Level3 + ProgramDatabase + UNICODE + + + $(SOURCEBASE);%(AdditionalIncludeDirectories) + + + libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies) + $(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories) + true + Console + true + true + 
MachineX86 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + {8598c2c8-34c4-47a1-99b0-7c295a890615} + false + + + {4b2e2719-e661-45d7-9203-f6f456b22f19} + false + + + + + \ No newline at end of file diff --git a/app/openvpn/src/openvpn/openvpn.vcxproj.filters b/app/openvpn/src/openvpn/openvpn.vcxproj.filters index ec5e676c..40336ba8 100644 --- a/app/openvpn/src/openvpn/openvpn.vcxproj.filters +++ b/app/openvpn/src/openvpn/openvpn.vcxproj.filters 
@@ -1,458 +1,458 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav - - - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - Source Files - - - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header 
Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - - - Resource Files - - + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav + + + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + 
+ + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + 
+ + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + + + Resource Files + + \ No newline at end of file diff --git a/app/openvpn/src/openvpn/options.c b/app/openvpn/src/openvpn/options.c index fc764616..9ff2db5a 100644 --- a/app/openvpn/src/openvpn/options.c +++ b/app/openvpn/src/openvpn/options.c @@ -575,8 +575,8 @@ static const char usage_message[] = " and optionally the root CA certificate.\n" #endif #ifdef ENABLE_X509ALTUSERNAME - "--x509-username-field : Field used in x509 certificate to be username.\n" - " Default is CN.\n" + "--x509-username-field : Field in x509 certificate containing the username.\n" + " Default is CN in the Subject field.\n" #endif "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" #ifdef WIN32 @@ -3898,7 +3898,8 @@ apply_push_options (struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, - struct env_set *es) + struct env_set *es, + struct tls_multi *tls_multi) { char line[OPTION_PARM_SIZE]; int line_num = 0; @@ -3912,7 +3913,17 @@ apply_push_options (struct options *options, ++line_num; if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc)) { - add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); + if (streq(p[0], "session_id")) + { + /* Server supports P_DATA_V2 */ + tls_multi->vpn_session_id = atoi(p[1]); + tls_multi->use_session_id = true; + msg(D_PUSH, "session id: %d", tls_multi->vpn_session_id); + } + else + { + add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); + } } } return true; 
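Review bot: `tls_multi->vpn_session_id = atoi(p[1]);` runs whenever p[0] is "session_id" without checking that p[1] exists, so a pushed `session_id` with no argument dereferences NULL; gate the branch with `if (streq(p[0], "session_id") && p[1])` so the bare form falls through to add_option and is rejected there like any other malformed option. atoi also accepts negative and non-numeric text silently, and the value comes from the remote side, so parse it with the file's positive_atoi and refuse anything it rejects. The `msg(D_PUSH, "session id: %d", ...)` prints a uint32_t with `%d`; use `%u`. The earlier hunks (usage text, signature) look fine. apply_push_options begins before its second hunk.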
@@ -6870,10 +6881,28 @@ add_option (struct options *options, #ifdef ENABLE_X509ALTUSERNAME else if (streq (p[0], "x509-username-field") && p[1]) { + /* This option used to automatically upcase the fieldname passed as the + * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is + * fine-tuned by only upcasing Subject field attribute names which consist + * of all lower-case characters. Mixed-case attributes such as + * "emailAddress" are left as-is. An option parameter having the "ext:" + * prefix for matching X.509v3 extended fields will also remain unchanged. + */ char *s = p[1]; + VERIFY_PERMISSION (OPT_P_GENERAL); - if( strncmp ("ext:",s,4) != 0 ) - while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */ + if (strncmp("ext:", s, 4) != 0) + { + size_t i = 0; + while (s[i] && !isupper(s[i])) i++; + if (strlen(s) == i) + { + while ((*s = toupper(*s)) != '\0') s++; + msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the " + "--x509-username-field parameter to '%s'; please update your" + "configuration", p[1]); + } + } options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ diff --git a/app/openvpn/src/openvpn/options.h b/app/openvpn/src/openvpn/options.h index 21c210ee..77c942ca 100644 --- a/app/openvpn/src/openvpn/options.h +++ b/app/openvpn/src/openvpn/options.h @@ -712,11 +712,13 @@ void options_postprocess (struct options *options); void pre_pull_save (struct options *o); void pre_pull_restore (struct options *o, struct gc_arena *gc); +struct tls_multi; bool apply_push_options (struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, - struct env_set *es); + struct env_set *es, + struct tls_multi* tls_multi); void options_detach (struct options *o); diff --git a/app/openvpn/src/openvpn/push.c b/app/openvpn/src/openvpn/push.c index 24d12c7b..028d838e 100644 --- a/app/openvpn/src/openvpn/push.c +++ b/app/openvpn/src/openvpn/push.c 
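Review bot: the deprecation warning is built from two adjacent literals with no separating space, `"please update your" "configuration"`, so it prints "yourconfiguration"; add the space to the first literal. `isupper(s[i])` and `toupper(*s)` are applied to plain `char`, which is undefined for bytes above 0x7F where char is signed — cast through `(unsigned char)` as is usual with the ctype functions. The loop upcases p[1] in place before `options->x509_username_field = p[1];`, which is the intent, but a comment noting that the warning deliberately prints the already-upcased value would avoid confusion. add_option begins well before this hunk.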
@@ -303,6 +303,11 @@ send_push_reply (struct context *c) if (multi_push) buf_printf (&buf, ",push-continuation 1"); + /* Send session_id if client supports it */ + if (c->c2.tls_multi->peer_info && strstr(c->c2.tls_multi->peer_info, "IV_PROTO=2")) { + buf_printf(&buf, ",session_id %d", c->c2.tls_multi->vpn_session_id); + } + if (BLEN (&buf) > sizeof(cmd)-1) { const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH); @@ -462,7 +467,8 @@ process_incoming_push_msg (struct context *c, &buf, permission_mask, option_types_found, - c->c2.es)) + c->c2.es, + c->c2.tls_multi)) switch (c->options.push_continuation) { case 0: diff --git a/app/openvpn/src/openvpn/route.c b/app/openvpn/src/openvpn/route.c index bcc6fcee..562af9fe 100644 --- a/app/openvpn/src/openvpn/route.c +++ b/app/openvpn/src/openvpn/route.c @@ -1535,6 +1535,17 @@ add_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed"); +#elif defined(TARGET_AIX) + + { + int netbits = netmask_to_netbits2(r->netmask); + argv_printf (&argv, "%s add -net %s/%d %s", + ROUTE_PATH, + network, netbits, gateway); + argv_msg (D_ROUTE, &argv); + status = openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + } + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif 
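Review bot: `strstr(c->c2.tls_multi->peer_info, "IV_PROTO=2")` also matches any future value that merely starts with 2 (IV_PROTO=20, IV_PROTO=21 …); push_peer_info in ssl.c writes the line as `IV_PROTO=2\n`, so match `"IV_PROTO=2\n"` to keep the test exact. `session_id %d` formats a uint32_t with `%d`; use `%u`. The existing `if (BLEN (&buf) > sizeof(cmd)-1)` check follows the new append, so the longer reply is still bounded. send_push_reply begins outside the hunk.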
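Review bot: netmask_to_netbits2 returns -1 for a mask that is not a contiguous prefix, and the AIX branch of add_route passes that straight into `route add -net %s/%d`, producing an invalid command; test for it first, `if (netbits < 0) msg (M_WARN, "ERROR: AIX route add: non-contiguous netmask");` and skip the execve, using whatever error path add_route takes elsewhere (not visible here). The same pattern appears in the AIX hunk of delete_route below. add_route begins outside the hunk.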
@@ -1754,6 +1765,14 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed"); +#elif defined(TARGET_AIX) + + argv_printf (&argv, "%s add -inet6 %s/%d %s", + ROUTE_PATH, + network, r6->netbits, gateway); + argv_msg (D_ROUTE, &argv); + status = openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script"); #endif @@ -1912,8 +1931,21 @@ delete_route (struct route_ipv4 *r, argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed"); + #elif defined(TARGET_ANDROID) msg (M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only."); + +#elif defined(TARGET_AIX) + + { + int netbits = netmask_to_netbits2(r->netmask); + argv_printf (&argv, "%s delete -net %s/%d %s", + ROUTE_PATH, + network, netbits, gateway); + argv_msg (D_ROUTE, &argv); + openvpn_execve_check (&argv, es, 0, "ERROR: AIX route delete command failed"); + } + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif 
@@ -2084,6 +2116,14 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne argv_msg (D_ROUTE, &argv); openvpn_execve_check (&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed"); +#elif defined(TARGET_AIX) + + argv_printf (&argv, "%s delete -inet6 %s/%d %s", + ROUTE_PATH, + network, r6->netbits, gateway); + argv_msg (D_ROUTE, &argv); + openvpn_execve_check (&argv, es, 0, "ERROR: AIX route add command failed"); + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script"); #endif @@ -2921,6 +2961,26 @@ netmask_to_netbits (const in_addr_t network, const in_addr_t netmask, int *netbi return false; } +/* similar to netmask_to_netbits(), but don't mess with base address + * etc., just convert to netbits - non-mappable masks are returned as "-1" + */ +int netmask_to_netbits2 (in_addr_t netmask) +{ + int i; + const int addrlen = sizeof (in_addr_t) * 8; + + for (i = 0; i <= addrlen; ++i) + { + in_addr_t mask = netbits_to_netmask (i); + if (mask == netmask) + { + return i; + } + } + return -1; +} + + /* * get_bypass_addresses() is used by the redirect-gateway bypass-x * functions to build a route bypass to selected DHCP/DNS servers, diff --git a/app/openvpn/src/openvpn/ssl.c b/app/openvpn/src/openvpn/ssl.c index 95bbb277..929f95fa 100644 --- a/app/openvpn/src/openvpn/ssl.c +++ b/app/openvpn/src/openvpn/ssl.c @@ -624,6 +624,8 @@ packet_opcode_name (int op) return "P_ACK_V1"; case P_DATA_V1: return "P_DATA_V1"; + case P_DATA_V2: + return "P_DATA_V2"; default: return "P_???"; } 
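Review bot: the AIX branch of delete_route_ipv6 reports `"ERROR: AIX route add command failed"` on a delete; change it to `"ERROR: AIX route delete -inet6 command failed"` so the log names the failing operation, as the add_route_ipv6 and delete_route hunks do. netmask_to_netbits2 loops to `i <= addrlen`, i.e. it also calls netbits_to_netmask(32); that is presumably fine for the /32 host mask, but worth a glance if the helper implements it with a shift by the full width, which is undefined in C. A doc comment on netmask_to_netbits2 saying "-1 means non-contiguous mask; callers must check" would help its new AIX callers. delete_route_ipv6 begins outside the hunk.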
@@ -996,22 +998,6 @@ reset_session (struct tls_multi *multi, struct tls_session *session) tls_session_init (multi, session); } -#if 0 -/* - * Transmit a TLS reset on our untrusted channel. - */ -static void -initiate_untrusted_session (struct tls_multi *multi, struct sockaddr_in *to) -{ - struct tls_session *session = &multi->session[TM_UNTRUSTED]; - struct key_state *ks = &session->key[KS_PRIMARY]; - - reset_session (multi, session); - ks->remote_addr = *to; - msg (D_TLS_DEBUG_LOW, "TLS: initiate_untrusted_session: addr=%s", print_sockaddr (to)); -} -#endif - /* * Used to determine in how many seconds we should be * called again. @@ -1069,6 +1055,9 @@ tls_multi_init (struct tls_options *tls_options) ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK]; ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; + /* By default not use P_DATA_V2 */ + ret->use_session_id = false; + return ret; } @@ -1842,6 +1831,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf (&out, "IV_PLAT=win\n"); #endif + /* support for P_DATA_V2 */ + buf_printf(&out, "IV_PROTO=2\n"); + /* push compression status */ #ifdef USE_COMP comp_generate_peer_info_string(&session->opt->comp_options, &out); @@ -2799,8 +2791,9 @@ tls_pre_decrypt (struct tls_multi *multi, key_id = c & P_KEY_ID_MASK; } - if (op == P_DATA_V1) - { /* data channel packet */ + if ((op == P_DATA_V1) || (op == P_DATA_V2)) + { + /* data channel packet */ for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; @@ -2832,7 +2825,9 @@ tls_pre_decrypt (struct tls_multi *multi, opt->pid_persist = NULL; opt->flags &= multi->opt.crypto_flags_and; opt->flags |= multi->opt.crypto_flags_or; - ASSERT (buf_advance (buf, 1)); + + ASSERT (buf_advance (buf, op == P_DATA_V1 ? 1 : 4)); + ++ks->n_packets; ks->n_bytes += buf->len; dmsg (D_TLS_KEYSELECT, 
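Review bot: `ASSERT (buf_advance (buf, op == P_DATA_V1 ? 1 : 4));` aborts the process when a P_DATA_V2 packet is shorter than four bytes; the opcode byte is read from a one-byte packet and nothing before this point checks the length, so a malformed datagram becomes a crash instead of a dropped packet. Replace the assertion with a length test that takes the existing drop path, e.g. `if (!buf_advance (buf, op == P_DATA_V1 ? 1 : 4)) goto error;` if tls_pre_decrypt has that label as tls_pre_decrypt_lite does, otherwise clear the buffer and return. The V1 case was safe to assert on because the opcode byte guarantees one byte is present; the V2 case is not. tls_pre_decrypt begins before this hunk.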
@@ -3329,6 +3324,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, return ret; error: + tls_clear_error(); gc_free (&gc); return ret; @@ -3397,14 +3393,24 @@ tls_post_encrypt (struct tls_multi *multi, struct buffer *buf) { struct key_state *ks; uint8_t *op; + uint32_t sess; ks = multi->save_ks; multi->save_ks = NULL; if (buf->len > 0) { ASSERT (ks); - ASSERT (op = buf_prepend (buf, 1)); - *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; + + if (!multi->opt.server && multi->use_session_id) + { + sess = ((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) | (multi->vpn_session_id << 8); + ASSERT (buf_write_prepend (buf, &sess, 4)); + } + else + { + ASSERT (op = buf_prepend (buf, 1)); + *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; + } ++ks->n_packets; ks->n_bytes += buf->len; } @@ -3477,6 +3483,31 @@ tls_rec_payload (struct tls_multi *multi, return ret; } +/* Update the remote_addr, needed if a client floats. */ +void +tls_update_remote_addr (struct tls_multi *multi, +const struct link_socket_actual *from) +{ + struct gc_arena gc = gc_new (); + int i; + + for (i = 0; i < KEY_SCAN_SIZE; ++i) + { + struct key_state *ks = multi->key_scan[i]; + if (DECRYPT_KEY_ENABLED (multi, ks) && ks->authenticated && link_socket_actual_defined(&ks->remote_addr)) + { + if (link_socket_actual_match (from, &ks->remote_addr)) + continue; + dmsg (D_TLS_KEYSELECT, + "TLS: tls_update_remote_addr from IP=%s to IP=%s", + print_link_socket_actual (&ks->remote_addr, &gc), + print_link_socket_actual (from, &gc)); + memcpy(&ks->remote_addr, from, sizeof(*from)); + } + } + gc_free (&gc); +} + /* * Dump a human-readable rendition of an openvpn packet * into a garbage collectable string which is returned. @@ -3511,7 +3542,7 @@ protocol_dump (struct buffer *buffer, unsigned int flags, struct gc_arena *gc) key_id = c & P_KEY_ID_MASK; buf_printf (&out, "%s kid=%d", packet_opcode_name (op), key_id); - if (op == P_DATA_V1) + if ((op == P_DATA_V1) || (op == P_DATA_V2)) goto print_data; /* 
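Review bot: protocol_dump now jumps to print_data for P_DATA_V2 as well, but print_data (outside this hunk) was written for the one-byte V1 header, so if it still prints from the byte after the opcode the three session-id bytes would be dumped as payload; advance past them before the jump, or print the session id. tls_update_remote_addr copies `from` only into key states that are authenticated and DECRYPT_KEY_ENABLED, which is the right subset; a comment noting that the caller has already verified the packet's HMAC would record why updating the address is safe. In tls_post_encrypt, `sess` mixes the opcode byte and `multi->vpn_session_id << 8` in host order and buf_write_prepend writes those bytes as-is; the decoder side of that encoding is in mudp.c and should change together with it.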
diff --git a/app/openvpn/src/openvpn/ssl.h b/app/openvpn/src/openvpn/ssl.h index aaecff43..9bdd641f 100644 --- a/app/openvpn/src/openvpn/ssl.h +++ b/app/openvpn/src/openvpn/ssl.h @@ -60,6 +60,7 @@ #define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */ #define P_ACK_V1 5 /* acknowledgement for packets received */ #define P_DATA_V1 6 /* data channel packet */ +#define P_DATA_V2 9 /* data channel packet with session_id */ /* indicates key_method >= 2 */ #define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */ @@ -67,7 +68,7 @@ /* define the range of legal opcodes */ #define P_FIRST_OPCODE 1 -#define P_LAST_OPCODE 8 +#define P_LAST_OPCODE 9 /* Should we aggregate TLS * acknowledgements, and tack them onto @@ -430,6 +431,12 @@ bool tls_send_payload (struct tls_multi *multi, bool tls_rec_payload (struct tls_multi *multi, struct buffer *buf); +/* + * Update remote address of a tls_multi structure + */ +void tls_update_remote_addr (struct tls_multi *multi, + const struct link_socket_actual *from); + #ifdef MANAGEMENT_DEF_AUTH static inline char * tls_get_peer_info(const struct tls_multi *multi) diff --git a/app/openvpn/src/openvpn/ssl_common.h b/app/openvpn/src/openvpn/ssl_common.h index 04ba7892..2fc72aa6 100644 --- a/app/openvpn/src/openvpn/ssl_common.h +++ b/app/openvpn/src/openvpn/ssl_common.h @@ -495,6 +495,10 @@ struct tls_multi char *peer_info; #endif + /* For P_DATA_V2 */ + uint32_t vpn_session_id; + int use_session_id; + /* * Our session objects. */ diff --git a/app/openvpn/src/openvpn/ssl_openssl.c b/app/openvpn/src/openvpn/ssl_openssl.c index c9d2d26d..adf3ae6f 100644 --- a/app/openvpn/src/openvpn/ssl_openssl.c +++ b/app/openvpn/src/openvpn/ssl_openssl.c 
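Review bot: `int use_session_id;` in struct tls_multi is assigned `false`/`true` in tls_multi_init and apply_push_options and tested as a boolean; declare it `bool use_session_id;` to match. Each new field deserves its own line instead of the shared `/* For P_DATA_V2 */`: `/* id carried in the upper bytes of a P_DATA_V2 header */` and `/* true once the peer has pushed a session_id */`. The `P_LAST_OPCODE` bump to 9 is what lets the new opcode pass range checks, so the two defines must stay in step; a comment on P_DATA_V2 pointing at P_LAST_OPCODE would make that visible.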
@@ -270,7 +270,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) current_cipher_len = strlen(current_cipher); if (end_of_cipher - begin_of_cipher == current_cipher_len && - 0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher)) + 0 != memcmp (&ciphers[begin_of_cipher], cipher_pair->iana_name, + end_of_cipher - begin_of_cipher)) { // Non-IANA name used, show warning msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); diff --git a/app/openvpn/src/openvpn/ssl_openssl.h b/app/openvpn/src/openvpn/ssl_openssl.h index fc2052cb..97dc7422 100644 --- a/app/openvpn/src/openvpn/ssl_openssl.h +++ b/app/openvpn/src/openvpn/ssl_openssl.h @@ -32,6 +32,17 @@ #include +/** + * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", + * as this is something we do not want nor need, but could potentially be + * used for a future attack. For compatibility reasons we keep building if the + * OpenSSL version is too old (pre-0.9.8f) to support stateless session + * resumption (and the accompanying SSL_OP_NO_TICKET flag). + */ +#ifndef SSL_OP_NO_TICKET +# define SSL_OP_NO_TICKET 0 +#endif + /** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. diff --git a/app/openvpn/src/openvpn/ssl_verify_openssl.c b/app/openvpn/src/openvpn/ssl_verify_openssl.c index 2482eaa4..cbcff022 100644 --- a/app/openvpn/src/openvpn/ssl_verify_openssl.c +++ b/app/openvpn/src/openvpn/ssl_verify_openssl.c 
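Review bot: In tls_ctx_restrict_ciphers the warning check compares `end_of_cipher - begin_of_cipher` bytes (the length of current_cipher, assigned outside this hunk) against `cipher_pair->iana_name` with memcmp, so when the IANA name is shorter than that length memcmp may read past its terminating NUL; memcmp is not required to stop at the first mismatching byte. Bounding the comparison, e.g. `0 != strncmp (&ciphers[begin_of_cipher], cipher_pair->iana_name, end_of_cipher - begin_of_cipher)`, or checking `strlen (cipher_pair->iana_name)` against the length first, removes the over-read. The enclosing loop body begins and ends outside the hunk.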
@@ -591,12 +591,12 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) in = BIO_new_file (crl_file, "r"); if (in == NULL) { - msg (M_ERR, "CRL: cannot read: %s", crl_file); + msg (M_WARN, "CRL: cannot read: %s", crl_file); goto end; } crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); if (crl == NULL) { - msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); goto end; } diff --git a/app/openvpn/src/openvpn/ssl_verify_polarssl.c b/app/openvpn/src/openvpn/ssl_verify_polarssl.c index 71d38a9d..2b7c214f 100644 --- a/app/openvpn/src/openvpn/ssl_verify_polarssl.c +++ b/app/openvpn/src/openvpn/ssl_verify_polarssl.c @@ -337,7 +337,7 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) } } - if (0 == x509_oid_get_numeric_string( oid_num_str, + if (0 < x509_oid_get_numeric_string( oid_num_str, sizeof (oid_num_str), oid)) { msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", @@ -371,9 +371,12 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject) result_t retval = FAILURE; x509_crl crl = {0}; - if (x509_crl_parse_file(&crl, crl_file) != 0) + int polar_retval = x509_crl_parse_file(&crl, crl_file); + if (polar_retval != 0) { - msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + char errstr[128]; + polarssl_strerror(polar_retval, errstr, sizeof(errstr)); + msg (M_WARN, "CRL: cannot read CRL from file %s (%s)", crl_file, errstr); goto end; } diff --git a/app/openvpn/src/openvpn/syshead.h b/app/openvpn/src/openvpn/syshead.h index 771c4fc1..dc511cbc 100644 --- a/app/openvpn/src/openvpn/syshead.h +++ b/app/openvpn/src/openvpn/syshead.h @@ -349,6 +349,14 @@ #endif /* TARGET_DRAGONFLY */ +#ifdef TARGET_DARWIN + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#endif /* TARGET_DARWIN */ + #ifdef WIN32 #include #include diff --git a/app/openvpn/src/openvpn/tun.c b/app/openvpn/src/openvpn/tun.c index 482f6402..e92edc2f 100644 
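Review bot: Downgrading the two CRL read failures in x509_verify_crl (ssl_verify_openssl.c) from M_ERR to M_WARN means the process now continues past an unreadable or unparsable CRL, which is only safe if the `end:` path returns FAILURE; the start of the function, where the return value is initialised, is outside this hunk, whereas the PolarSSL counterpart in the same diff visibly starts with `result_t retval = FAILURE;`. Worth confirming the OpenSSL variant does the same so a missing CRL rejects the peer rather than skipping revocation checking, and a comment at the first warning would make the intent explicit: `/* CRL unreadable: fail closed, this peer is rejected (retval stays FAILURE) */`. The M_WARN/M_ERR contrast is also the place to note that an unreadable CRL on a server now shows up only in the log, so operators need to watch for that message.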
--- a/app/openvpn/src/openvpn/tun.c +++ b/app/openvpn/src/openvpn/tun.c @@ -1194,6 +1194,43 @@ do_ifconfig (struct tuntap *tt, openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed"); } +#elif defined(TARGET_AIX) + { + /* AIX ifconfig will complain if it can't find ODM path in env */ + struct env_set *aix_es = env_set_create (NULL); + env_set_add( aix_es, "ODMDIR=/etc/objrepos" ); + + if (tun) + msg(M_FATAL, "no tun support on AIX (canthappen)"); + + /* example: ifconfig tap0 172.30.1.1 netmask 255.255.254.0 up */ + argv_printf (&argv, + "%s %s %s netmask %s mtu %d up", + IFCONFIG_PATH, + actual, + ifconfig_local, + ifconfig_remote_netmask, + tun_mtu + ); + + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, aix_es, S_FATAL, "AIX ifconfig failed"); + tt->did_ifconfig = true; + + if ( do_ipv6 ) + { + argv_printf (&argv, + "%s %s inet6 %s/%d", + IFCONFIG_PATH, + actual, + ifconfig_ipv6_local, + tt->netbits_ipv6 + ); + argv_msg (M_INFO, &argv); + openvpn_execve_check (&argv, aix_es, S_FATAL, "AIX ifconfig inet6 failed"); + } + env_set_destroy (aix_es); + } #elif defined (WIN32) { /* 
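Review bot: The AIX branch of do_ifconfig allocates `aix_es` and adds `ODMDIR=/etc/objrepos` before the `if (tun)` fatal check, and the same create/add/destroy sequence is repeated in the AIX open_tun and close_tun added later in this diff, so the ODM path is now a string literal in three places. A small static helper that builds the environment set keeps the value in one place, and the `if (tun)` check should precede the allocation. The surrounding do_ifconfig body begins and ends outside the hunk.

```c
/* AIX ifconfig refuses to run unless ODMDIR is in its environment;
 * shared by do_ifconfig, open_tun and close_tun. Caller destroys. */
static struct env_set *
aix_ifconfig_env (void)
{
  struct env_set *es = env_set_create (NULL);
  env_set_add (es, "ODMDIR=/etc/objrepos");
  return es;
}

/* … unchanged: do_ifconfig up to the AIX branch … */
#elif defined(TARGET_AIX)
  {
    if (tun)
      msg (M_FATAL, "no tun support on AIX (canthappen)");

    struct env_set *aix_es = aix_ifconfig_env ();
    /* … unchanged: argv_printf / openvpn_execve_check / env_set_destroy … */
```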
@@ -2825,6 +2862,139 @@ read_tun (struct tuntap* tt, uint8_t *buf, int len) return read (tt->fd, buf, len); } +#elif defined(TARGET_AIX) + +void +open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt) +{ + char tunname[256]; + char dynamic_name[20]; + const char *p; + struct argv argv; + + if (tt->type == DEV_TYPE_NULL) + { + open_null (tt); + return; + } + + if ( tt->type == DEV_TYPE_TUN) + { + msg(M_FATAL, "no support for 'tun' devices on AIX" ); + } + + if ( strncmp( dev, "tap", 3 ) != 0 || dev_node ) + { + msg(M_FATAL, "'--dev %s' and/or '--dev-node' not supported on AIX, use '--dev tap0', 'tap1', etc.", dev ); + } + + if ( strcmp( dev, "tap" ) == 0 ) /* find first free tap dev */ + { /* (= no /dev/tapN node) */ + int i; + for (i=0; i<99; i++ ) + { + openvpn_snprintf (tunname, sizeof (tunname), "/dev/tap%d", i); + if ( access( tunname, F_OK ) < 0 && errno == ENOENT ) + { break; } + } + if ( i >= 99 ) + msg( M_FATAL, "cannot find unused tap device" ); + + openvpn_snprintf( dynamic_name, sizeof(dynamic_name), "tap%d", i ); + dev = dynamic_name; + } + else /* name given, sanity check */ + { + /* ensure that dev name is "tap+" *only* */ + p = &dev[3]; + while( isdigit(*p) ) p++; + if ( *p != '\0' ) + msg( M_FATAL, "TAP device name must be '--dev tapNNNN'" ); + + openvpn_snprintf (tunname, sizeof (tunname), "/dev/%s", dev); + } + + /* pre-existing device? 
+ */ + if ( access( tunname, F_OK ) < 0 && errno == ENOENT ) + { + + /* tunnel device must be created with 'ifconfig tapN create' + */ + struct env_set *es = env_set_create (NULL); + argv_init (&argv); + argv_printf (&argv, "%s %s create", IFCONFIG_PATH, dev); + argv_msg (M_INFO, &argv); + env_set_add( es, "ODMDIR=/etc/objrepos" ); + openvpn_execve_check (&argv, es, S_FATAL, "AIX 'create tun interface' failed"); + env_set_destroy (es); + } + else + { + /* we didn't make it, we're not going to break it */ + tt->persistent_if = TRUE; + } + + if ((tt->fd = open (tunname, O_RDWR)) < 0) + { + msg (M_ERR, "Cannot open TAP device '%s'", tunname); + } + + set_nonblock (tt->fd); + set_cloexec (tt->fd); /* don't pass fd to scripts */ + msg (M_INFO, "TUN/TAP device %s opened", tunname); + + /* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */ + tt->actual_name = string_alloc(dev, NULL); +} + +/* tap devices need to be manually destroyed on AIX + */ +void +close_tun (struct tuntap* tt) +{ + struct gc_arena gc = gc_new (); + struct argv argv; + struct env_set *es = env_set_create (NULL); + + if (!tt) return; + + /* persistent devices need IP address unconfig, others need destroyal + */ + argv_init (&argv); + + if (tt->persistent_if) + { + argv_printf (&argv, "%s %s 0.0.0.0 down", + IFCONFIG_PATH, tt->actual_name); + } + else + { + argv_printf (&argv, "%s %s destroy", + IFCONFIG_PATH, tt->actual_name); + } + + close_tun_generic (tt); + argv_msg (M_INFO, &argv); + env_set_add( es, "ODMDIR=/etc/objrepos" ); + openvpn_execve_check (&argv, es, 0, "AIX 'destroy tap interface' failed (non-critical)"); + + free(tt); + env_set_destroy (es); +} + +int +write_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return write (tt->fd, buf, len); +} + +int +read_tun (struct tuntap* tt, uint8_t *buf, int len) +{ + return read (tt->fd, buf, len); +} + #elif defined(WIN32) int 
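Review bot: The AIX close_tun creates `es` (and a `gc` it never uses beyond gc_new/gc_free) before the `if (!tt) return;` guard, so a NULL tt leaks the env_set; moving `if (!tt) return;` to the first statement and dropping the unused `gc` fixes both. In open_tun, `while( isdigit(*p) ) p++;` passes a plain `char` to isdigit, which is undefined for negative values on platforms where char is signed; `while (isdigit ((unsigned char) *p)) p++;` is the portable form. The first-free-device scan also has a check-then-create window between `access (tunname, F_OK)` and the later `ifconfig tapN create`, so two instances started concurrently could pick the same name; this is presumably tolerable for a test/admin tool but deserves a comment.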
diff --git a/app/openvpn/src/openvpnserv/openvpnserv.vcxproj b/app/openvpn/src/openvpnserv/openvpnserv.vcxproj index f2c00718..0b75ed01 100644 --- a/app/openvpn/src/openvpnserv/openvpnserv.vcxproj +++ b/app/openvpn/src/openvpnserv/openvpnserv.vcxproj 
@@ -1,112 +1,112 @@ - - - - - Debug - Win32 - - - Release - Win32 - - - - {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD} - openvpnserv - Win32Proj - - - - Application - MultiByte - true - - - Application - MultiByte - - - - - - - - - - - - - <_ProjectFileVersion>10.0.30319.1 - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - true - $(SolutionDir)$(Platform)-Output\$(Configuration)\ - $(Configuration)\ - false - - - - Disabled - $(SOURCEBASE);%(AdditionalIncludeDirectories) - WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) - true - EnableFastChecks - MultiThreadedDebugDLL - - - Level3 - EditAndContinue - - - $(SOURCEBASE);%(AdditionalIncludeDirectories) - - - true - Console - MachineX86 - - - - - MaxSpeed - true - $(SOURCEBASE);%(AdditionalIncludeDirectories) - WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) - MultiThreadedDLL - true - - - Level3 - ProgramDatabase - - - $(SOURCEBASE);%(AdditionalIncludeDirectories) - - - true - Console - true - true - MachineX86 - - - - - - - - - - - - - - - {8598c2c8-34c4-47a1-99b0-7c295a890615} - false - - - - - + + + + + Debug + Win32 + + + Release + Win32 + + + + {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD} + openvpnserv + Win32Proj + + + + Application + MultiByte + true + + + Application + MultiByte + + + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + true + $(SolutionDir)$(Platform)-Output\$(Configuration)\ + $(Configuration)\ + false + + + + Disabled + $(SOURCEBASE);%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) + true + EnableFastChecks + MultiThreadedDebugDLL + + + Level3 + EditAndContinue + + + $(SOURCEBASE);%(AdditionalIncludeDirectories) + + + true + Console + MachineX86 + + + + + MaxSpeed + true + $(SOURCEBASE);%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_CONSOLE;$(CPPFLAGS);%(PreprocessorDefinitions) + MultiThreadedDLL + true + + + Level3 + 
ProgramDatabase + + + $(SOURCEBASE);%(AdditionalIncludeDirectories) + + + true + Console + true + true + MachineX86 + + + + + + + + + + + + + + + {8598c2c8-34c4-47a1-99b0-7c295a890615} + false + + + + + \ No newline at end of file diff --git a/app/openvpn/src/openvpnserv/openvpnserv.vcxproj.filters b/app/openvpn/src/openvpnserv/openvpnserv.vcxproj.filters index a6f8ecc6..0c89b4f4 100644 --- a/app/openvpn/src/openvpnserv/openvpnserv.vcxproj.filters +++ b/app/openvpn/src/openvpnserv/openvpnserv.vcxproj.filters @@ -1,35 +1,35 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hpp;hxx;hm;inl;inc;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav - - - - - Source Files - - - Source Files - - - - - Header Files - - - - - Resource Files - - + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav + + + + + Source Files + + + Source Files + + + + + Header Files + + + + + Resource Files + + \ No newline at end of file diff --git a/app/openvpn/tests/t_client.sh.in b/app/openvpn/tests/t_client.sh.in index 52c5ed1a..d4f7c4ab 100755 --- a/app/openvpn/tests/t_client.sh.in +++ b/app/openvpn/tests/t_client.sh.in @@ -134,6 +134,12 @@ get_ifconfig_route() @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' return ;; + AIX) + echo "-- AIX --" + @IFCONFIG@ -a | egrep "(flags=|inet)" + @NETSTAT@ -rn | awk '$3 !~ /^UHL/ { print $1,$2,$3,$6 }' + return + ;; esac echo "get_ifconfig_route(): no idea how to get info on your OS. FAIL." >&2 diff --git a/app/openvpn/tests/t_lpback.sh b/app/openvpn/tests/t_lpback.sh index 40767a1b..8f88ad92 100755 --- a/app/openvpn/tests/t_lpback.sh 
+++ b/app/openvpn/tests/t_lpback.sh
@@ -2,6 +2,7 @@
 #
 # t_lpback.sh - script to test OpenVPN's crypto loopback
 # Copyright (C) 2005 Matthias Andree
+# Copyright (C) 2014 Steffan Karger
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
@@ -18,15 +19,39 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 # 02110-1301, USA.
 
-set -e
+set -eu
 top_builddir="${top_builddir:-..}"
 trap "rm -f key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
 trap "rm -f key.$$ log.$$ ; exit 1" 0 3
+
+# Get list of supported ciphers from openvpn --show-ciphers output
+CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
+ sed -e '1,/^$/d' -e s'/ .*//' -e '/^\s*$/d' | sort)
+
+# SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is
+# broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude
+# that cipher from this test.
+# GD, 2014-07-06 so is DES-CFB1
+# GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
+CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+
 "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
 set +e
-( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ ) >log.$$ 2>&1
-e=$?
-if [ $e != 0 ] ; then cat log.$$ ; fi
+
+e=0
+for cipher in ${CIPHERS}
+do
+ echo -n "Testing cipher ${cipher}... "
+ ( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ --cipher ${cipher} ) >log.$$ 2>&1
+ if [ $? != 0 ] ; then
+ echo "FAILED"
+ cat log.$$
+ e=1
+ else
+ echo "OK"
+ fi
+done
+
 rm key.$$ log.$$
 trap 0
 exit $e
-- 
cgit v1.2.3
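Review bot: If `openvpn --show-ciphers` fails or prints nothing, `CIPHERS` ends up empty (the assignment's status is that of the trailing `sort`, so `set -e` does not notice), the for loop runs zero times and the script exits 0, turning a broken binary into a vacuous pass; a guard after the filter such as `[ -n "$CIPHERS" ] || { echo "no ciphers found, cannot test" >&2; exit 1; }` closes that gap. Also on portability, since the comments mention NetBSD: `\s` in the sed expression is a GNU extension (`[[:space:]]` is the POSIX form), `echo -n` is not portable across /bin/sh implementations (`printf '%s' "Testing cipher ${cipher}... "` is), and `egrep` can be written `grep -E`. The unquoted `${CIPHERS}` in the for loop is intentional word-splitting and deserves a short comment saying so.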