diff options
| author | Arne Schwabe <arne@rfc2549.org> | 2014-06-30 19:07:05 +0200 | 
|---|---|---|
| committer | Arne Schwabe <arne@rfc2549.org> | 2014-06-30 19:07:05 +0200 | 
| commit | 65e33310863d46816bd1edbccf6d3fb0ab45cdee (patch) | |
| tree | f1af2b761c391aed6dee223d0e05857f6a0cda70 | |
| parent | 68e19d426ba6d9f048ebfdf337b93a85dc4d5b4c (diff) | |
Update OpenVPN version
--HG--
extra : rebase_source : 1f565a4e8a582d6884fea818d91ded15114dd06b
| -rw-r--r-- | main/openvpn/README.polarssl | 4 | ||||
| -rw-r--r-- | main/openvpn/config-version.h | 4 | ||||
| -rw-r--r-- | main/openvpn/configure.ac | 3 | ||||
| -rw-r--r-- | main/openvpn/doc/openvpn.8 | 8 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/crypto.c | 54 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/crypto.h | 3 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/init.c | 13 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/manage.c | 7 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/misc.c | 6 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/mudp.c | 106 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/multi.c | 14 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/multi.h | 2 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/options.c | 15 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/options.h | 4 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/push.c | 8 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/ssl.c | 59 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/ssl.h | 9 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/ssl_common.h | 4 | ||||
| -rw-r--r-- | main/openvpn/src/openvpn/ssl_verify_polarssl.c | 2 | 
19 files changed, 292 insertions, 33 deletions
| diff --git a/main/openvpn/README.polarssl b/main/openvpn/README.polarssl index ab7c2d78..6f1fa51a 100644 --- a/main/openvpn/README.polarssl +++ b/main/openvpn/README.polarssl @@ -7,7 +7,7 @@ To Build and Install,  	make  	make install -This version depends on at least PolarSSL v1.1. +This version depends on PolarSSL 1.3 (and requires at least 1.3.3).  ************************************************************************* @@ -17,12 +17,10 @@ in the PolarSSL version of OpenVPN:   * PKCS#12 file support   * --capath support - Loading certificate authorities from a directory   * Windows CryptoAPI support - * Management external key support   * X.509 alternative username fields (must be "CN")  Plugin/Script features: - * X.509 Serial number is in hex, not decimal as with OpenSSL   * X.509 subject line has a different format than the OpenSSL subject line   * X.509 certificate export does not work   * X.509 certificate tracking diff --git a/main/openvpn/config-version.h b/main/openvpn/config-version.h index 9770e100..1aa13baf 100644 --- a/main/openvpn/config-version.h +++ b/main/openvpn/config-version.h @@ -1,2 +1,2 @@ -#define CONFIGURE_GIT_REVISION "icsopenvpn_615-c430ab0e0cef9994" -#define CONFIGURE_GIT_FLAGS "" +#define CONFIGURE_GIT_REVISION "icsopenvpn_618-e6d7d8f4b3274d1f" +#define CONFIGURE_GIT_FLAGS "+" diff --git a/main/openvpn/configure.ac b/main/openvpn/configure.ac index 55c40847..cb7a5d33 100644 --- a/main/openvpn/configure.ac +++ b/main/openvpn/configure.ac @@ -786,7 +786,8 @@ if test "${have_openssl_crypto}" = "yes"; then  	LIBS="${saved_LIBS}"  fi -if test "${have_openssl_ssl}" = "yes"; then +if test "${enable_ssl}" = "yes" && test "${with_crypto_library}" = "openssl"; +then      saved_CPPFLAGS="${CPPFLAGS}"      CPPFLAGS="${CPPFLAGS} ${OPENSSL_CRYPTO_CFLAGS}"      AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) diff --git a/main/openvpn/doc/openvpn.8 b/main/openvpn/doc/openvpn.8 index 34894e5a..76b7bfd4 100644 --- a/main/openvpn/doc/openvpn.8 +++ b/main/openvpn/doc/openvpn.8 @@ -1621,7 +1621,7 @@ and  in server mode configurations.  The server timeout is set twice the value of the second argument. -This ensures that a timeout is dectected on client side +This ensures that a timeout is detected on client side  before the server side drops the connection.  For example, @@ -2502,7 +2502,7 @@ Normally, adaptive compression is enabled with  .B \-\-comp-lzo.  Adaptive compression tries to optimize the case where you have -compression enabled, but you are sending predominantly uncompressible +compression enabled, but you are sending predominantly incompressible  (or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer  of a large, compressed file.  With adaptive compression,  OpenVPN will periodically sample the compression process to measure its @@ -3542,7 +3542,7 @@ like this:  .B  /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com  .IP -In addition the old behavivour was to remap any character other than +In addition the old behaviour was to remap any character other than  alphanumeric, underscore ('_'), dash ('-'), dot ('.'), and slash ('/') to  underscore ('_').  The X.509 Subject string as returned by the  .B tls_id @@ -4399,7 +4399,7 @@ A different mode can be specified for each provider.  Mode is encoded as hex number, and can be a mask one of the following:  .B 0 -(default) \-\- Try to determind automatically. +(default) \-\- Try to determine automatically.  .br  .B 1  \-\- Use sign. diff --git a/main/openvpn/src/openvpn/crypto.c b/main/openvpn/src/openvpn/crypto.c index d0dc069a..8201708a 100644 --- a/main/openvpn/src/openvpn/crypto.c +++ b/main/openvpn/src/openvpn/crypto.c @@ -389,6 +389,60 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,  }  /* + * This verifies if a packet and its HMAC fit to a crypto context. + * + * On success true is returned. + */ +bool +crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt) +{ +  struct gc_arena gc; +  gc_init (&gc); +  int offset = 4; /* 1 byte opcode + 3 bytes session-id */ + +  if (buf->len > 0 && opt->key_ctx_bi) +    { +      struct key_ctx *ctx = &opt->key_ctx_bi->decrypt; + +      /* Verify the HMAC */ +      if (ctx->hmac) +	{ +	  int hmac_len; +	  uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */ + +	  hmac_ctx_reset(ctx->hmac); + +	  /* Assume the length of the input HMAC */ +	  hmac_len = hmac_ctx_size (ctx->hmac); + +	  /* Authentication fails if insufficient data in packet for HMAC */ +	  if ((buf->len - offset) < hmac_len) +	    { +	      gc_free (&gc); +	      return false; +	    } + +	  hmac_ctx_update (ctx->hmac, BPTR (buf) + offset + hmac_len, +			   BLEN (buf) - offset - hmac_len); +	  hmac_ctx_final (ctx->hmac, local_hmac); + +	  /* Compare locally computed HMAC with packet HMAC */ +	  if (memcmp (local_hmac, BPTR (buf) + offset, hmac_len)) +	    { +	      gc_free (&gc); +	      return false; +	    } + +	  gc_free (&gc); +	  return true; +	} +    } + +  gc_free (&gc); +  return false; +} + +/*   * How many bytes will we add to frame buffer for a given   * set of crypto options?   */ diff --git a/main/openvpn/src/openvpn/crypto.h b/main/openvpn/src/openvpn/crypto.h index 3b4b88ea..68cdf162 100644 --- a/main/openvpn/src/openvpn/crypto.h +++ b/main/openvpn/src/openvpn/crypto.h @@ -279,6 +279,9 @@ bool openvpn_decrypt (struct buffer *buf, struct buffer work,  		      const struct crypto_options *opt,  		      const struct frame* frame); + +bool crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt); +  /** @} name Functions for performing security operations on data channel packets */  void crypto_adjust_frame_parameters(struct frame *frame, diff --git a/main/openvpn/src/openvpn/init.c b/main/openvpn/src/openvpn/init.c index ede955a1..7dd61a20 100644 --- a/main/openvpn/src/openvpn/init.c +++ b/main/openvpn/src/openvpn/init.c @@ -3165,13 +3165,24 @@ management_show_net_callback (void *arg, const int msglevel)  int  managmenet_callback_network_change (void *arg)  { +  int socketfd=-1;    struct context *c = (struct context *) arg;    if (!c->c2.link_socket)      return -1;    if (c->c2.link_socket->sd == SOCKET_UNDEFINED)      return -1; -  return c->c2.link_socket->sd; +  /* Check if the client should translate the network change to a SIGUSR1 to  +     reestablish the connection or just reprotect the socket */ + +  /* At the moment just assume that, for all settings that use pull  +     reestablishing the connection is required */ + +  socketfd = c->c2.link_socket->sd; +  if (!c->options.pull || c->c2.tls_multi->use_session_id) +    return socketfd; +  else +    return -2;  }  #endif diff --git a/main/openvpn/src/openvpn/manage.c b/main/openvpn/src/openvpn/manage.c index e7a7fe85..386718d4 100644 --- a/main/openvpn/src/openvpn/manage.c +++ b/main/openvpn/src/openvpn/manage.c @@ -1113,7 +1113,9 @@ man_network_change (struct management *man)      {        int fd = (*man->persist.callback.network_change)(man->persist.callback.arg);        man->connection.fdtosend = fd; -        msg (M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); +      msg (M_CLIENT, "PROTECTFD: fd '%d' sent to be protected", fd); +      if (fd == -2) +	man_signal (man, "USR1");      }  }  #endif @@ -1164,7 +1166,8 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch  #ifdef TARGET_ANDROID    else if (streq (p[0], "network-change"))      { -        man_network_change(man); +      if (man_need (man, p, 1, 0)) +	man_network_change(man);      }  #endif    else if (streq (p[0], "load-stats")) diff --git a/main/openvpn/src/openvpn/misc.c b/main/openvpn/src/openvpn/misc.c index 7483184f..63b4c1cf 100644 --- a/main/openvpn/src/openvpn/misc.c +++ b/main/openvpn/src/openvpn/misc.c @@ -861,6 +861,12 @@ test_file (const char *filename)  	  fclose (fp);  	  ret = true;  	} +      else +	{ +	  if( openvpn_errno () == EACCES ) { +	    msg( M_WARN | M_ERRNO, "Could not access file '%s'", filename); +	  } +	}      }    dmsg (D_TEST_FILE, "TEST FILE '%s' [%d]", diff --git a/main/openvpn/src/openvpn/mudp.c b/main/openvpn/src/openvpn/mudp.c index 3468dab5..f7ab6253 100644 --- a/main/openvpn/src/openvpn/mudp.c +++ b/main/openvpn/src/openvpn/mudp.c @@ -38,6 +38,55 @@  #include "memdbg.h"  /* + * Update instance with new peer address + */ +void +update_floated(struct multi_context *m, struct multi_instance *mi, +	       struct mroute_addr real, uint32_t hv) +{ +  struct mroute_addr real_old; + +  real_old = mi->real; +  generate_prefix (mi); + +  /* remove before modifying mi->real, since it also modifies key in hash */ +  hash_remove(m->hash, &real_old); +  hash_remove(m->iter, &real_old); + +  /* update address */ +  memcpy(&mi->real, &real, sizeof(real)); + +  mi->context.c2.from = m->top.c2.from; +  mi->context.c2.to_link_addr = &mi->context.c2.from; + +  /* switch to new log prefix */ +  generate_prefix (mi); +  /* inherit buffers */ +  mi->context.c2.buffers = m->top.c2.buffers; + +  /* inherit parent link_socket and link_socket_info */ +  mi->context.c2.link_socket = m->top.c2.link_socket; +  mi->context.c2.link_socket_info->lsa->actual = m->top.c2.from; + +  /* fix remote_addr in tls structure */ +  tls_update_remote_addr (mi->context.c2.tls_multi, &mi->context.c2.from); +  mi->did_open_context = true; + +  hash_add(m->hash, &mi->real, mi, false); +  hash_add(m->iter, &mi->real, mi, false); + +  mi->did_real_hash = true; +#ifdef MANAGEMENT_DEF_AUTH +  hash_remove (m->cid_hash, &mi->context.c2.mda_context.cid); +  hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, false); +#endif + +#ifdef MANAGEMENT_DEF_AUTH +  mi->did_cid_hash = true; +#endif +} + +/*   * Get a client instance based on real address.  If   * the instance doesn't exist, create it while   * maintaining real address hash table atomicity. @@ -56,15 +105,47 @@ multi_get_create_instance_udp (struct multi_context *m)        struct hash_element *he;        const uint32_t hv = hash_value (hash, &real);        struct hash_bucket *bucket = hash_bucket (hash, hv); -   -      he = hash_lookup_fast (hash, bucket, &real, hv); +      uint8_t* ptr  = BPTR(&m->top.c2.buf); +      uint8_t op = ptr[0] >> P_OPCODE_SHIFT; +      uint32_t sess_id; +      bool session_forged = false; -      if (he) +      if (op == P_DATA_V2)  	{ -	  mi = (struct multi_instance *) he->value; +	  sess_id = (*(uint32_t*)ptr) >> 8; +	  if ((sess_id < m->max_clients) && (m->instances[sess_id])) +	    { +	      mi = m->instances[sess_id]; + +	      if (!link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from)) +		{ +		  msg(D_MULTI_MEDIUM, "floating detected from %s to %s", +		      print_link_socket_actual (&mi->context.c2.from, &gc), print_link_socket_actual (&m->top.c2.from, &gc)); + +		  /* session-id is not trusted, so check hmac */ +		  session_forged = !(crypto_test_hmac(&m->top.c2.buf, &mi->context.c2.crypto_options)); +		  if (session_forged) +		    { +		      mi = NULL; +		      msg (D_MULTI_MEDIUM, "hmac verification failed, session forge detected!"); +		    } +		  else +		    { +		      update_floated(m, mi, real, hv); +		    } +		} +	    }  	}        else  	{ +	  he = hash_lookup_fast (hash, bucket, &real, hv); +	  if (he) +	    { +	      mi = (struct multi_instance *) he->value; +	    } +	} +      if (!mi && !session_forged) +	{  	  if (!m->top.c2.tls_auth_standalone  	      || tls_pre_decrypt_lite (m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf))  	    { @@ -75,6 +156,17 @@ multi_get_create_instance_udp (struct multi_context *m)  		    {  		      hash_add_fast (hash, bucket, &mi->real, hv, mi);  		      mi->did_real_hash = true; + +		      int i; +		      for (i = 0; i < m->max_clients; ++ i) +			{ +			  if (!m->instances[i]) +			    { +			      mi->context.c2.tls_multi->vpn_session_id = i; +			      m->instances[i] = mi; +			      break; +			    } +			}  		    }  		}  	      else @@ -89,15 +181,17 @@ multi_get_create_instance_udp (struct multi_context *m)  #ifdef ENABLE_DEBUG        if (check_debug_level (D_MULTI_DEBUG))  	{ -	  const char *status; +	  const char *status = mi ? "[ok]" : "[failed]"; +	  /*  	  if (he && mi)  	    status = "[succeeded]";  	  else if (!he && mi)  	    status = "[created]";  	  else  	    status = "[failed]"; -	 +	  */ +  	  dmsg (D_MULTI_DEBUG, "GET INST BY REAL: %s %s",  	       mroute_addr_print (&real, &gc),  	       status); diff --git a/main/openvpn/src/openvpn/multi.c b/main/openvpn/src/openvpn/multi.c index 9a2b0237..a4289ac7 100644 --- a/main/openvpn/src/openvpn/multi.c +++ b/main/openvpn/src/openvpn/multi.c @@ -303,6 +303,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa  			   cid_compare_function);  #endif +    /*     * This is our scheduler, for time-based wakeup     * events. @@ -373,6 +374,13 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa     */    m->max_clients = t->options.max_clients; +  int i; +  m->instances = malloc(sizeof(struct multi_instance*) * m->max_clients); +  for (i = 0; i < m->max_clients; ++ i) +    { +      m->instances[i] = NULL; +    } +    /*     * Initialize multi-socket TCP I/O wait object     */ @@ -553,6 +561,8 @@ multi_close_instance (struct multi_context *m,  	}  #endif +      m->instances[mi->context.c2.tls_multi->vpn_session_id] = NULL; +        schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);        ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false); @@ -629,6 +639,8 @@ multi_uninit (struct multi_context *m)  #endif  	  m->hash = NULL; +	  free(m->instances); +  	  schedule_free (m->schedule);  	  mbuf_free (m->mbuf);  	  ifconfig_pool_free (m->ifconfig_pool); @@ -652,8 +664,6 @@ multi_create_instance (struct multi_context *m, const struct mroute_addr *real)    perf_push (PERF_MULTI_CREATE_INSTANCE); -  msg (D_MULTI_MEDIUM, "MULTI: multi_create_instance called"); -    ALLOC_OBJ_CLEAR (mi, struct multi_instance);    mi->gc = gc_new (); diff --git a/main/openvpn/src/openvpn/multi.h b/main/openvpn/src/openvpn/multi.h index fc2ffb24..0446fbfc 100644 --- a/main/openvpn/src/openvpn/multi.h +++ b/main/openvpn/src/openvpn/multi.h @@ -125,6 +125,8 @@ struct multi_context {  # define MC_WORK_THREAD                (MC_MULTI_THREADED_WORKER|MC_MULTI_THREADED_SCHEDULER)    int thread_mode; +  struct multi_instance** instances; +    struct hash *hash;            /**< VPN tunnel instances indexed by real                                   *   address of the remote peer. */    struct hash *vhash;           /**< VPN tunnel instances indexed by diff --git a/main/openvpn/src/openvpn/options.c b/main/openvpn/src/openvpn/options.c index fc764616..addca14a 100644 --- a/main/openvpn/src/openvpn/options.c +++ b/main/openvpn/src/openvpn/options.c @@ -3898,7 +3898,8 @@ apply_push_options (struct options *options,  		    struct buffer *buf,  		    unsigned int permission_mask,  		    unsigned int *option_types_found, -		    struct env_set *es) +		    struct env_set *es, +		    struct tls_multi *tls_multi)  {    char line[OPTION_PARM_SIZE];    int line_num = 0; @@ -3912,7 +3913,17 @@ apply_push_options (struct options *options,        ++line_num;        if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))  	{ -	  add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); +	  if (streq(p[0], "session_id")) +	    { +	      /* Server supports P_DATA_V2 */ +	      tls_multi->vpn_session_id = atoi(p[1]); +	      tls_multi->use_session_id = true; +	      msg(D_PUSH, "session id: %d", tls_multi->vpn_session_id); +	    } +	  else +	    { +	      add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); +	    }  	}      }    return true; diff --git a/main/openvpn/src/openvpn/options.h b/main/openvpn/src/openvpn/options.h index 21c210ee..77c942ca 100644 --- a/main/openvpn/src/openvpn/options.h +++ b/main/openvpn/src/openvpn/options.h @@ -712,11 +712,13 @@ void options_postprocess (struct options *options);  void pre_pull_save (struct options *o);  void pre_pull_restore (struct options *o, struct gc_arena *gc); +struct tls_multi;  bool apply_push_options (struct options *options,  			 struct buffer *buf,  			 unsigned int permission_mask,  			 unsigned int *option_types_found, -			 struct env_set *es); +			 struct env_set *es, +			 struct tls_multi* tls_multi);  void options_detach (struct options *o); diff --git a/main/openvpn/src/openvpn/push.c b/main/openvpn/src/openvpn/push.c index 24d12c7b..028d838e 100644 --- a/main/openvpn/src/openvpn/push.c +++ b/main/openvpn/src/openvpn/push.c @@ -303,6 +303,11 @@ send_push_reply (struct context *c)    if (multi_push)      buf_printf (&buf, ",push-continuation 1"); +  /* Send session_id if client supports it */ +  if (c->c2.tls_multi->peer_info && strstr(c->c2.tls_multi->peer_info, "IV_PROTO=2")) { +      buf_printf(&buf, ",session_id %d", c->c2.tls_multi->vpn_session_id); +  } +    if (BLEN (&buf) > sizeof(cmd)-1)      {        const bool status = send_control_channel_string (c, BSTR (&buf), D_PUSH); @@ -462,7 +467,8 @@ process_incoming_push_msg (struct context *c,  				  &buf,  				  permission_mask,  				  option_types_found, -				  c->c2.es)) +				  c->c2.es, +				  c->c2.tls_multi))  	    switch (c->options.push_continuation)  	      {  	      case 0: diff --git a/main/openvpn/src/openvpn/ssl.c b/main/openvpn/src/openvpn/ssl.c index 95bbb277..44f50808 100644 --- a/main/openvpn/src/openvpn/ssl.c +++ b/main/openvpn/src/openvpn/ssl.c @@ -624,6 +624,8 @@ packet_opcode_name (int op)        return "P_ACK_V1";      case P_DATA_V1:        return "P_DATA_V1"; +    case P_DATA_V2: +      return "P_DATA_V2";      default:        return "P_???";      } @@ -1069,6 +1071,9 @@ tls_multi_init (struct tls_options *tls_options)    ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK];    ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; +  /* By default not use P_DATA_V2 */ +  ret->use_session_id = false; +    return ret;  } @@ -1842,6 +1847,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session)        buf_printf (&out, "IV_PLAT=win\n");  #endif +      /* support for P_DATA_V2 */ +      buf_printf(&out, "IV_PROTO=2\n"); +        /* push compression status */  #ifdef USE_COMP        comp_generate_peer_info_string(&session->opt->comp_options, &out); @@ -2799,8 +2807,9 @@ tls_pre_decrypt (struct tls_multi *multi,  	key_id = c & P_KEY_ID_MASK;        } -      if (op == P_DATA_V1) -	{			/* data channel packet */ +      if ((op == P_DATA_V1) || (op == P_DATA_V2)) +	{ +	  /* data channel packet */  	  for (i = 0; i < KEY_SCAN_SIZE; ++i)  	    {  	      struct key_state *ks = multi->key_scan[i]; @@ -2832,7 +2841,9 @@ tls_pre_decrypt (struct tls_multi *multi,  		  opt->pid_persist = NULL;  		  opt->flags &= multi->opt.crypto_flags_and;  		  opt->flags |= multi->opt.crypto_flags_or; -		  ASSERT (buf_advance (buf, 1)); + +		  ASSERT (buf_advance (buf, op == P_DATA_V1 ? 1 : 4)); +  		  ++ks->n_packets;  		  ks->n_bytes += buf->len;  		  dmsg (D_TLS_KEYSELECT, @@ -3329,6 +3340,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,    return ret;   error: +    tls_clear_error();    gc_free (&gc);    return ret; @@ -3397,14 +3409,24 @@ tls_post_encrypt (struct tls_multi *multi, struct buffer *buf)  {    struct key_state *ks;    uint8_t *op; +  uint32_t sess;    ks = multi->save_ks;    multi->save_ks = NULL;    if (buf->len > 0)      {        ASSERT (ks); -      ASSERT (op = buf_prepend (buf, 1)); -      *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; + +      if (!multi->opt.server && multi->use_session_id) +	{ +	  sess = ((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) | (multi->vpn_session_id << 8); +	  ASSERT (buf_write_prepend (buf, &sess, 4)); +	} +      else +	{ +	  ASSERT (op = buf_prepend (buf, 1)); +	  *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id; +	}        ++ks->n_packets;        ks->n_bytes += buf->len;      } @@ -3477,6 +3499,31 @@ tls_rec_payload (struct tls_multi *multi,    return ret;  } +/* Update the remote_addr, needed if a client floats. */ +void +tls_update_remote_addr (struct tls_multi *multi, +const struct link_socket_actual *from) +{ +  struct gc_arena gc = gc_new (); +  int i; + +  for (i = 0; i < KEY_SCAN_SIZE; ++i) +    { +      struct key_state *ks = multi->key_scan[i]; +      if (DECRYPT_KEY_ENABLED (multi, ks) && ks->authenticated && link_socket_actual_defined(&ks->remote_addr)) +       { +	 if (link_socket_actual_match (from, &ks->remote_addr)) +	   continue; +	 dmsg (D_TLS_KEYSELECT, +		"TLS: tls_update_remote_addr from IP=%s to IP=%s", +	       print_link_socket_actual (&ks->remote_addr, &gc), +	       print_link_socket_actual (from, &gc)); +	 memcpy(&ks->remote_addr, from, sizeof(*from)); +       } +    } +  gc_free (&gc); +} +  /*   * Dump a human-readable rendition of an openvpn packet   * into a garbage collectable string which is returned. @@ -3511,7 +3558,7 @@ protocol_dump (struct buffer *buffer, unsigned int flags, struct gc_arena *gc)    key_id = c & P_KEY_ID_MASK;    buf_printf (&out, "%s kid=%d", packet_opcode_name (op), key_id); -  if (op == P_DATA_V1) +  if ((op == P_DATA_V1) || (op == P_DATA_V2))      goto print_data;    /* diff --git a/main/openvpn/src/openvpn/ssl.h b/main/openvpn/src/openvpn/ssl.h index aaecff43..9bdd641f 100644 --- a/main/openvpn/src/openvpn/ssl.h +++ b/main/openvpn/src/openvpn/ssl.h @@ -60,6 +60,7 @@  #define P_CONTROL_V1                   4     /* control channel packet (usually TLS ciphertext) */  #define P_ACK_V1                       5     /* acknowledgement for packets received */  #define P_DATA_V1                      6     /* data channel packet */ +#define P_DATA_V2                      9     /* data channel packet with session_id */  /* indicates key_method >= 2 */  #define P_CONTROL_HARD_RESET_CLIENT_V2 7     /* initial key from client, forget previous state */ @@ -67,7 +68,7 @@  /* define the range of legal opcodes */  #define P_FIRST_OPCODE                 1 -#define P_LAST_OPCODE                  8 +#define P_LAST_OPCODE                  9  /* Should we aggregate TLS   * acknowledgements, and tack them onto @@ -430,6 +431,12 @@ bool tls_send_payload (struct tls_multi *multi,  bool tls_rec_payload (struct tls_multi *multi,  		      struct buffer *buf); +/* + * Update remote address of a tls_multi structure + */ +void tls_update_remote_addr (struct tls_multi *multi, +			     const struct link_socket_actual *from); +  #ifdef MANAGEMENT_DEF_AUTH  static inline char *  tls_get_peer_info(const struct tls_multi *multi) diff --git a/main/openvpn/src/openvpn/ssl_common.h b/main/openvpn/src/openvpn/ssl_common.h index 04ba7892..2fc72aa6 100644 --- a/main/openvpn/src/openvpn/ssl_common.h +++ b/main/openvpn/src/openvpn/ssl_common.h @@ -495,6 +495,10 @@ struct tls_multi    char *peer_info;  #endif +  /* For P_DATA_V2 */ +  uint32_t vpn_session_id; +  int use_session_id; +    /*     * Our session objects.     */ diff --git a/main/openvpn/src/openvpn/ssl_verify_polarssl.c b/main/openvpn/src/openvpn/ssl_verify_polarssl.c index 71d38a9d..7e8b5179 100644 --- a/main/openvpn/src/openvpn/ssl_verify_polarssl.c +++ b/main/openvpn/src/openvpn/ssl_verify_polarssl.c @@ -337,7 +337,7 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid)  		}  	    } -	  if (0 == x509_oid_get_numeric_string( oid_num_str, +	  if (0 < x509_oid_get_numeric_string( oid_num_str,  	      sizeof (oid_num_str), oid))  	    {  	      msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", | 
