summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2014-03-28 21:27:21 +0100
committerArne Schwabe <arne@rfc2549.org>2014-03-28 21:27:21 +0100
commit900695c917b075acae3afea2ad1e695322857da5 (patch)
treed9c96ad13fd485172d23741a8e4b71a1426b2fc3
parent4833dd29088c0268faae46fc6720aa8b28c229ce (diff)
Update openvpn/master
-rw-r--r--main/openvpn/configure.ac27
-rw-r--r--main/openvpn/src/openvpn/Makefile.am2
-rw-r--r--main/openvpn/src/openvpn/buffer.h1
-rw-r--r--main/openvpn/src/openvpn/clinat.c4
-rw-r--r--main/openvpn/src/openvpn/clinat.h2
-rw-r--r--main/openvpn/src/openvpn/crypto_openssl.c27
-rw-r--r--main/openvpn/src/openvpn/forward.c12
-rw-r--r--main/openvpn/src/openvpn/init.c5
-rw-r--r--main/openvpn/src/openvpn/manage.c9
-rw-r--r--main/openvpn/src/openvpn/multi.c2
-rw-r--r--main/openvpn/src/openvpn/openvpn.h2
-rw-r--r--main/openvpn/src/openvpn/options.c27
-rw-r--r--main/openvpn/src/openvpn/options.h7
-rw-r--r--main/openvpn/src/openvpn/push.c4
-rw-r--r--main/openvpn/src/openvpn/socket.c74
-rw-r--r--main/openvpn/src/openvpn/socket.h2
-rw-r--r--main/openvpn/src/openvpn/ssl.c13
-rw-r--r--main/openvpn/src/openvpn/ssl_openssl.c8
-rw-r--r--main/openvpn/src/openvpn/ssl_verify.c4
-rw-r--r--main/openvpn/src/openvpn/ssl_verify_backend.h4
-rw-r--r--main/openvpn/src/openvpn/ssl_verify_openssl.c4
-rw-r--r--main/openvpn/src/openvpn/syshead.h5
22 files changed, 96 insertions, 149 deletions
diff --git a/main/openvpn/configure.ac b/main/openvpn/configure.ac
index 380dcdbb..7e94280d 100644
--- a/main/openvpn/configure.ac
+++ b/main/openvpn/configure.ac
@@ -686,7 +686,7 @@ fi
case "${with_mem_check}" in
valgrind)
- AC_CHECK_HEADER(
+ AC_CHECK_HEADERS(
[valgrind/memcheck.h],
[
CFLAGS="${CFLAGS} -g -fno-inline"
@@ -700,7 +700,7 @@ case "${with_mem_check}" in
)
;;
dmalloc)
- AC_CHECK_HEADER(
+ AC_CHECK_HEADERS(
[dmalloc.h],
[AC_CHECK_LIB(
[dmalloc],
@@ -744,7 +744,7 @@ PKG_CHECK_MODULES(
PKG_CHECK_MODULES(
[OPENSSL_CRYPTO],
- [libcrypto >= 0.9.6],
+ [libcrypto >= 0.9.8],
[have_openssl_crypto="yes"],
[AC_CHECK_LIB(
[crypto],
@@ -758,7 +758,7 @@ PKG_CHECK_MODULES(
PKG_CHECK_MODULES(
[OPENSSL_SSL],
- [libssl >= 0.9.6],
+ [libssl >= 0.9.8],
[have_openssl_ssl="yes"],
[AC_CHECK_LIB(
[ssl],
@@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then
LIBS="${saved_LIBS}"
fi
+if test "${have_openssl_ssl}" = "yes"; then
+ AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL])
+ AC_EGREP_CPP(have_ssl_op_no_ticket, [
+ #include <openssl/ssl.h>
+ #ifdef SSL_OP_NO_TICKET
+ have_ssl_op_no_ticket
+ #endif
+ ], [
+ AC_MSG_RESULT([yes])
+ ], [
+ AC_MSG_RESULT([no])
+ AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])
+ ])
+fi
+
AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])
AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])
have_polarssl_ssl="yes"
@@ -929,7 +944,7 @@ if test "$enable_snappy" = "yes" && test "$enable_comp_stub" = "no"; then
saved_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} ${SNAPPY_CFLAGS}"
- AC_CHECK_HEADER(snappy-c.h,
+ AC_CHECK_HEADERS(snappy-c.h,
,
[
AC_MSG_RESULT([Snappy headers not found.])
@@ -968,7 +983,7 @@ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
saved_CFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
- AC_CHECK_HEADER(lz4.h,
+ AC_CHECK_HEADERS(lz4.h,
,
[
AC_MSG_RESULT([LZ4 headers not found.])
diff --git a/main/openvpn/src/openvpn/Makefile.am b/main/openvpn/src/openvpn/Makefile.am
index 0b79e104..fd593c57 100644
--- a/main/openvpn/src/openvpn/Makefile.am
+++ b/main/openvpn/src/openvpn/Makefile.am
@@ -18,7 +18,7 @@ EXTRA_DIST = \
openvpn.vcxproj \
openvpn.vcxproj.filters
-INCLUDES = \
+AM_CPPFLAGS = \
-I$(top_srcdir)/include \
-I$(top_srcdir)/src/compat
diff --git a/main/openvpn/src/openvpn/buffer.h b/main/openvpn/src/openvpn/buffer.h
index 0010c771..19fa1fa2 100644
--- a/main/openvpn/src/openvpn/buffer.h
+++ b/main/openvpn/src/openvpn/buffer.h
@@ -166,6 +166,7 @@ char *string_alloc_debug (const char *str, struct gc_arena *gc, const char *file
struct buffer string_alloc_buf_debug (const char *str, struct gc_arena *gc, const char *file, int line);
#else
+
struct buffer alloc_buf (size_t size);
struct buffer alloc_buf_gc (size_t size, struct gc_arena *gc); /* allocate buffer with garbage collection */
struct buffer clone_buf (const struct buffer* buf);
diff --git a/main/openvpn/src/openvpn/clinat.c b/main/openvpn/src/openvpn/clinat.c
index af75fc9d..ddefe123 100644
--- a/main/openvpn/src/openvpn/clinat.c
+++ b/main/openvpn/src/openvpn/clinat.c
@@ -30,8 +30,6 @@
#include "syshead.h"
-#if defined(ENABLE_CLIENT_NAT)
-
#include "clinat.h"
#include "proto.h"
#include "socket.h"
@@ -265,5 +263,3 @@ client_nat_transform (const struct client_nat_option_list *list,
}
}
}
-
-#endif
diff --git a/main/openvpn/src/openvpn/clinat.h b/main/openvpn/src/openvpn/clinat.h
index d55a727a..a5779e15 100644
--- a/main/openvpn/src/openvpn/clinat.h
+++ b/main/openvpn/src/openvpn/clinat.h
@@ -22,7 +22,7 @@
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-#if !defined(CLINAT_H) && defined(ENABLE_CLIENT_NAT)
+#if !defined(CLINAT_H)
#define CLINAT_H
#include "buffer.h"
diff --git a/main/openvpn/src/openvpn/crypto_openssl.c b/main/openvpn/src/openvpn/crypto_openssl.c
index 1501bc86..6199e618 100644
--- a/main/openvpn/src/openvpn/crypto_openssl.c
+++ b/main/openvpn/src/openvpn/crypto_openssl.c
@@ -57,33 +57,6 @@
#warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
#endif
-/*
- *
- * Workarounds for incompatibilites between OpenSSL libraries.
- * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7.
- *
- */
-
-#if SSLEAY_VERSION_NUMBER < 0x00907000L
-
-/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */
-#undef EVP_CIPHER_mode
-#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE)
-
-#define DES_cblock des_cblock
-#define DES_is_weak_key des_is_weak_key
-#define DES_check_key_parity des_check_key_parity
-#define DES_set_odd_parity des_set_odd_parity
-
-#define HMAC_CTX_init(ctx) CLEAR (*ctx)
-#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md)
-#define HMAC_CTX_cleanup(ctx) HMAC_cleanup(ctx)
-#define EVP_MD_CTX_cleanup(md) CLEAR (*md)
-
-#define INFO_CALLBACK_SSL_CONST
-
-#endif
-
static inline int
EVP_CipherInit_ov (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, uint8_t *key, uint8_t *iv, int enc)
{
diff --git a/main/openvpn/src/openvpn/forward.c b/main/openvpn/src/openvpn/forward.c
index 0ec00f34..43e2d3d1 100644
--- a/main/openvpn/src/openvpn/forward.c
+++ b/main/openvpn/src/openvpn/forward.c
@@ -1017,6 +1017,8 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
if (!c->options.passtos)
flags &= ~PIPV4_PASSTOS;
#endif
+ if (!c->options.client_nat)
+ flags &= ~PIPV4_CLIENT_NAT;
if (!c->options.route_gateway_via_dhcp)
flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
@@ -1026,11 +1028,13 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
* The --passtos and --mssfix options require
* us to examine the IPv4 header.
*/
+
+ if (flags & (PIP_MSSFIX
#if PASSTOS_CAPABILITY
- if (flags & (PIPV4_PASSTOS|PIP_MSSFIX))
-#else
- if (flags & PIP_MSSFIX)
+ | PIPV4_PASSTOS
#endif
+ | PIPV4_CLIENT_NAT
+ ))
{
struct buffer ipbuf = *buf;
if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf))
@@ -1045,14 +1049,12 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
if (flags & PIP_MSSFIX)
mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
-#ifdef ENABLE_CLIENT_NAT
/* possibly do NAT on packet */
if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
{
const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
client_nat_transform (c->options.client_nat, &ipbuf, direction);
}
-#endif
/* possibly extract a DHCP router message */
if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
{
diff --git a/main/openvpn/src/openvpn/init.c b/main/openvpn/src/openvpn/init.c
index a866b7d6..4e79bfcf 100644
--- a/main/openvpn/src/openvpn/init.c
+++ b/main/openvpn/src/openvpn/init.c
@@ -1,4 +1,4 @@
- /*
+/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
@@ -131,7 +131,8 @@ management_callback_proxy_cmd (void *arg, const char **p)
msg (M_WARN, "HTTP proxy support is not available");
#else
struct http_proxy_options *ho;
- if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT ) {
+ if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT )
+ {
msg (M_WARN, "HTTP proxy support only works for TCP based connections");
return false;
}
diff --git a/main/openvpn/src/openvpn/manage.c b/main/openvpn/src/openvpn/manage.c
index a6433178..e7a7fe85 100644
--- a/main/openvpn/src/openvpn/manage.c
+++ b/main/openvpn/src/openvpn/manage.c
@@ -1589,7 +1589,7 @@ man_listen (struct management *man)
{
man->connection.sd_top = create_socket_tcp (man->settings.local);
socket_bind (man->connection.sd_top, man->settings.local,
- man->settings.local->ai_family, "MANAGEMENT", false);
+ man->settings.local->ai_family, "MANAGEMENT", false);
}
/*
@@ -1887,7 +1887,7 @@ bool management_android_control (struct management *man, const char *command, co
/*
* In Android 4.4 it is not possible to open a new tun device and then close the
* old tun device without breaking the whole VPNService stack until the device
- * is reported. This management method ask the UI what method should be taken to
+ * is rebooted. This management method ask the UI what method should be taken to
* ensure the optimal solution for the situation
*/
int managment_android_persisttun_action (struct management *man)
@@ -1904,7 +1904,10 @@ int managment_android_persisttun_action (struct management *man)
else if (!strcmp ("OPEN_BEFORE_CLOSE", up.password))
return ANDROID_OPEN_BEFORE_CLOSE;
else
- ASSERT (0);
+ msg (M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
+
+ ASSERT(0);
+ return ANDROID_OPEN_AFTER_CLOSE;
}
diff --git a/main/openvpn/src/openvpn/multi.c b/main/openvpn/src/openvpn/multi.c
index 2839b30d..b0119181 100644
--- a/main/openvpn/src/openvpn/multi.c
+++ b/main/openvpn/src/openvpn/multi.c
@@ -1295,9 +1295,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi)
mi->context.c2.push_ifconfig_defined = true;
mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
-#endif
/* the current implementation does not allow "static IPv4, pool IPv6",
* (see below) so issue a warning if that happens - don't break the
diff --git a/main/openvpn/src/openvpn/openvpn.h b/main/openvpn/src/openvpn/openvpn.h
index 7ad6c55c..4f9c4d11 100644
--- a/main/openvpn/src/openvpn/openvpn.h
+++ b/main/openvpn/src/openvpn/openvpn.h
@@ -454,9 +454,7 @@ struct context_2
time_t sent_push_reply_expiry;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
in_addr_t push_ifconfig_local_alias;
-#endif
bool push_ifconfig_ipv6_defined;
struct in6_addr push_ifconfig_ipv6_local;
diff --git a/main/openvpn/src/openvpn/options.c b/main/openvpn/src/openvpn/options.c
index eea906b3..b5fbb13e 100644
--- a/main/openvpn/src/openvpn/options.c
+++ b/main/openvpn/src/openvpn/options.c
@@ -242,9 +242,7 @@ static const char usage_message[] =
" Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
"--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
" the default gateway. Useful when pushing private subnets.\n"
-#ifdef ENABLE_CLIENT_NAT
"--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
-#endif
#ifdef ENABLE_PUSH_PEER_INFO
"--push-peer-info : (client only) push client info to server.\n"
#endif
@@ -567,12 +565,7 @@ static const char usage_message[] =
" root certificate.\n"
#ifndef ENABLE_CRYPTO_POLARSSL
"--capath dir : A directory of trusted certificates (CAs"
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
" and CRLs).\n"
-#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
- ").\n"
- " WARNING: no support of CRL available with this version.\n"
-#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
#endif /* ENABLE_CRYPTO_POLARSSL */
"--dh file : File containing Diffie Hellman parameters\n"
" in .pem format (for --tls-server only).\n"
@@ -635,7 +628,6 @@ static const char usage_message[] =
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
" value should be given in hex format.\n"
@@ -645,7 +637,6 @@ static const char usage_message[] =
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
" key usage and extended key usage based on RFC3280 TLS rules.\n"
" t = 'client' | 'server'.\n"
-#endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */
#endif /* ENABLE_SSL */
#ifdef ENABLE_PKCS11
"\n"
@@ -1327,9 +1318,7 @@ options_detach (struct options *o)
{
gc_detach (&o->gc);
o->routes = NULL;
-#ifdef ENABLE_CLIENT_NAT
o->client_nat = NULL;
-#endif
#if P2MP_SERVER
clone_push_list(o);
#endif
@@ -1349,14 +1338,12 @@ rol6_check_alloc (struct options *options)
options->routes_ipv6 = new_route_ipv6_option_list (&options->gc);
}
-#ifdef ENABLE_CLIENT_NAT
static void
cnol_check_alloc (struct options *options)
{
if (!options->client_nat)
options->client_nat = new_client_nat_list (&options->gc);
}
-#endif
#ifndef ENABLE_SMALL
static void
@@ -1558,11 +1545,9 @@ show_settings (const struct options *o)
SHOW_BOOL (allow_pull_fqdn);
if (o->routes)
print_route_options (o->routes, D_SHOW_PARMS);
-
-#ifdef ENABLE_CLIENT_NAT
+
if (o->client_nat)
print_client_nat_list(o->client_nat, D_SHOW_PARMS);
-#endif
#ifdef ENABLE_MANAGEMENT
SHOW_STR (management_addr);
@@ -2828,13 +2813,11 @@ pre_pull_save (struct options *o)
o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
o->pre_pull->routes_ipv6_defined = true;
}
-#ifdef ENABLE_CLIENT_NAT
if (o->client_nat)
{
o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
o->pre_pull->client_nat_defined = true;
}
-#endif
}
}
@@ -2864,7 +2847,6 @@ pre_pull_restore (struct options *o, struct gc_arena *gc)
else
o->routes_ipv6 = NULL;
-#ifdef ENABLE_CLIENT_NAT
if (pp->client_nat_defined)
{
cnol_check_alloc (o);
@@ -2872,7 +2854,6 @@ pre_pull_restore (struct options *o, struct gc_arena *gc)
}
else
o->client_nat = NULL;
-#endif
o->foreign_option_index = pp->foreign_option_index;
}
@@ -5200,14 +5181,12 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
options->persist_remote_ip = true;
}
-#ifdef ENABLE_CLIENT_NAT
else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
cnol_check_alloc (options);
add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
}
-#endif
else if (streq (p[0], "route") && p[1])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
@@ -5795,10 +5774,8 @@ add_option (struct options *options,
options->push_ifconfig_defined = true;
options->push_ifconfig_local = local;
options->push_ifconfig_remote_netmask = remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
if (p[3])
options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
-#endif
}
else
{
@@ -6786,7 +6763,6 @@ add_option (struct options *options,
goto err;
}
}
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "remote-cert-ku"))
{
int j;
@@ -6824,7 +6800,6 @@ add_option (struct options *options,
goto err;
}
}
-#endif /* OPENSSL_VERSION_NUMBER */
else if (streq (p[0], "tls-timeout") && p[1])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
diff --git a/main/openvpn/src/openvpn/options.h b/main/openvpn/src/openvpn/options.h
index ec1d0911..7bc8d1f0 100644
--- a/main/openvpn/src/openvpn/options.h
+++ b/main/openvpn/src/openvpn/options.h
@@ -71,10 +71,8 @@ struct options_pre_pull
bool routes_ipv6_defined;
struct route_ipv6_option_list *routes_ipv6;
-#ifdef ENABLE_CLIENT_NAT
bool client_nat_defined;
struct client_nat_option_list *client_nat;
-#endif
int foreign_option_index;
};
@@ -351,10 +349,7 @@ struct options
bool route_nopull;
bool route_gateway_via_dhcp;
bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
-
-#ifdef ENABLE_CLIENT_NAT
struct client_nat_option_list *client_nat;
-#endif
#ifdef ENABLE_OCC
/* Enable options consistency check between peers */
@@ -435,9 +430,7 @@ struct options
bool push_ifconfig_defined;
in_addr_t push_ifconfig_local;
in_addr_t push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
in_addr_t push_ifconfig_local_alias;
-#endif
bool push_ifconfig_constraint_defined;
in_addr_t push_ifconfig_constraint_network;
in_addr_t push_ifconfig_constraint_netmask;
diff --git a/main/openvpn/src/openvpn/push.c b/main/openvpn/src/openvpn/push.c
index 606bb05d..26f59987 100644
--- a/main/openvpn/src/openvpn/push.c
+++ b/main/openvpn/src/openvpn/push.c
@@ -67,7 +67,6 @@ receive_auth_failed (struct context *c, const struct buffer *buffer)
ASSERT (0);
}
c->sig->signal_text = "auth-failure";
-#ifdef ENABLE_MANAGEMENT
if (management)
{
const char *reason = NULL;
@@ -76,7 +75,6 @@ receive_auth_failed (struct context *c, const struct buffer *buffer)
reason = BSTR (&buf);
management_auth_failure (management, UP_TYPE_AUTH, reason);
} else
-#endif
{
#ifdef ENABLE_CLIENT_CR
struct buffer buf = *buffer;
@@ -293,10 +291,8 @@ send_push_reply (struct context *c)
if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && c->c2.push_ifconfig_remote_netmask)
{
in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
-#ifdef ENABLE_CLIENT_NAT
if (c->c2.push_ifconfig_local_alias)
ifconfig_local = c->c2.push_ifconfig_local_alias;
-#endif
buf_printf (&buf, ",ifconfig %s %s",
print_in_addr_t (ifconfig_local, 0, &gc),
print_in_addr_t (c->c2.push_ifconfig_remote_netmask, 0, &gc));
diff --git a/main/openvpn/src/openvpn/socket.c b/main/openvpn/src/openvpn/socket.c
index f024c0a4..b769171c 100644
--- a/main/openvpn/src/openvpn/socket.c
+++ b/main/openvpn/src/openvpn/socket.c
@@ -129,6 +129,10 @@ streqnull (const char* a, const char* b)
return streq (a, b);
}
+/*
+ get_cached_dns_entry return 0 on success and -1
+ otherwise. (like getaddrinfo)
+ */
static int
get_cached_dns_entry (struct cached_dns_entry* dns_cache,
const char* hostname,
@@ -166,47 +170,46 @@ do_preresolve_host (struct context *c,
const int flags)
{
struct addrinfo *ai;
+ int status;
+
if (get_cached_dns_entry(c->c1.dns_cache,
hostname,
- servname,
- af,
- flags,
- &ai))
+ servname,
+ af,
+ flags,
+ &ai) == 0 )
{
- int status;
- status = openvpn_getaddrinfo (flags, hostname, servname,
- c->options.resolve_retry_seconds, NULL,
- af, &ai);
- if (status == 0)
- {
- struct cached_dns_entry *ph;
-
- ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc);
- ph->ai = ai;
- ph->hostname = hostname;
- ph->servname = servname;
- ph->flags = flags & GETADDR_CACHE_MASK;
+ /* entry already cached, return success */
+ return 0;
+ }
- if (!c->c1.dns_cache)
- c->c1.dns_cache = ph;
- else
- {
- struct cached_dns_entry *prev = c->c1.dns_cache;
- while (prev->next)
- prev = prev->next;
- prev->next = ph;
- }
+ status = openvpn_getaddrinfo (flags, hostname, servname,
+ c->options.resolve_retry_seconds, NULL,
+ af, &ai);
+ if (status == 0)
+ {
+ struct cached_dns_entry *ph;
- gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc);
+ ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc);
+ ph->ai = ai;
+ ph->hostname = hostname;
+ ph->servname = servname;
+ ph->flags = flags & GETADDR_CACHE_MASK;
+ if (!c->c1.dns_cache)
+ c->c1.dns_cache = ph;
+ else
+ {
+ struct cached_dns_entry *prev = c->c1.dns_cache;
+ while (prev->next)
+ prev = prev->next;
+ prev->next = ph;
}
- return status;
- }
- else
- {
- /* already in cached dns list, return success */
- return 0;
+
+ gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc);
+
}
+ return status;
}
void
@@ -869,7 +872,8 @@ create_socket (struct link_socket* sock, struct addrinfo* addr)
* currently resolve two remote addresses is not supported,
* TODO: Rewrite the whole resolve_remote */
struct addrinfo addrinfo_tmp = *addr;
- addr->ai_protocol = IPPROTO_TCP;
+ addrinfo_tmp.ai_socktype = SOCK_STREAM;
+ addrinfo_tmp.ai_protocol = IPPROTO_TCP;
sock->ctrl_sd = create_socket_tcp (&addrinfo_tmp);
}
#endif
@@ -2925,7 +2929,7 @@ link_socket_read_udp_posix_recvmsg (struct link_socket *sock,
}
else if (cmsg != NULL)
{
- msg(M_WARN, "CMSG received that cannot be parsed");
+ msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len );
}
}
diff --git a/main/openvpn/src/openvpn/socket.h b/main/openvpn/src/openvpn/socket.h
index 51329534..f27e9a9a 100644
--- a/main/openvpn/src/openvpn/socket.h
+++ b/main/openvpn/src/openvpn/socket.h
@@ -917,7 +917,7 @@ link_socket_set_outgoing_addr (const struct buffer *buf,
&&
/* address undef or address == remote or --float */
(info->remote_float ||
- (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto))
+ (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto))
)
)
{
diff --git a/main/openvpn/src/openvpn/ssl.c b/main/openvpn/src/openvpn/ssl.c
index c61701a7..d4acc0fc 100644
--- a/main/openvpn/src/openvpn/ssl.c
+++ b/main/openvpn/src/openvpn/ssl.c
@@ -235,6 +235,19 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
{"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
{"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
{"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
+#ifdef ENABLE_CRYPTO_OPENSSL
+ {"DEFAULT", "DEFAULT"},
+ {"ALL", "ALL"},
+ {"HIGH", "HIGH"},
+ {"MEDIUM", "MEDIUM"},
+ {"LOW", "LOW"},
+ {"ECDH", "ECDH"},
+ {"ECDSA", "ECDSA"},
+ {"EDH", "EDH"},
+ {"EXP", "EXP"},
+ {"RSA", "RSA"},
+ {"SRP", "SRP"},
+#endif
{NULL, NULL}
};
diff --git a/main/openvpn/src/openvpn/ssl_openssl.c b/main/openvpn/src/openvpn/ssl_openssl.c
index 68a1d591..0b63e260 100644
--- a/main/openvpn/src/openvpn/ssl_openssl.c
+++ b/main/openvpn/src/openvpn/ssl_openssl.c
@@ -219,8 +219,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
if (ciphers == NULL)
{
- /* Use sane default */
- if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+ /* Use sane default (disable export, and unsupported cipher modes) */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))
msg(M_SSLERR, "Failed to set default TLS cipher list.");
return;
}
@@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
else
msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
-#endif
}
}
diff --git a/main/openvpn/src/openvpn/ssl_verify.c b/main/openvpn/src/openvpn/ssl_verify.c
index 4dd3aa2d..765b8860 100644
--- a/main/openvpn/src/openvpn/ssl_verify.c
+++ b/main/openvpn/src/openvpn/ssl_verify.c
@@ -337,8 +337,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
}
}
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
-
/* verify certificate ku */
if (opt->remote_cert_ku[0] != 0)
{
@@ -367,8 +365,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
}
}
-#endif /* OPENSSL_VERSION_NUMBER */
-
/* verify X509 name or username against --verify-x509-[user]name */
if (opt->verify_x509_type != VERIFY_X509_NONE)
{
diff --git a/main/openvpn/src/openvpn/ssl_verify_backend.h b/main/openvpn/src/openvpn/ssl_verify_backend.h
index 1658cc02..7d2aae62 100644
--- a/main/openvpn/src/openvpn/ssl_verify_backend.h
+++ b/main/openvpn/src/openvpn/ssl_verify_backend.h
@@ -189,8 +189,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
*/
result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
-
/*
* Verify X.509 key usage extension field.
*
@@ -219,8 +217,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const
*/
result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid);
-#endif
-
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
*
diff --git a/main/openvpn/src/openvpn/ssl_verify_openssl.c b/main/openvpn/src/openvpn/ssl_verify_openssl.c
index 658f5f33..cd2006fb 100644
--- a/main/openvpn/src/openvpn/ssl_verify_openssl.c
+++ b/main/openvpn/src/openvpn/ssl_verify_openssl.c
@@ -459,8 +459,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
return FAILURE;
}
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
result_t
x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
int expected_len)
@@ -566,8 +564,6 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
return SUCCESS;
}
-#endif /* OPENSSL_VERSION_NUMBER */
-
/*
* check peer cert against CRL
*/
diff --git a/main/openvpn/src/openvpn/syshead.h b/main/openvpn/src/openvpn/syshead.h
index 4050d548..7f17bf0e 100644
--- a/main/openvpn/src/openvpn/syshead.h
+++ b/main/openvpn/src/openvpn/syshead.h
@@ -715,11 +715,6 @@ socket_defined (const socket_descriptor_t sd)
#endif
/*
- * Do we support internal client-side NAT?
- */
-#define ENABLE_CLIENT_NAT
-
-/*
* Compression support
*/
#if defined(ENABLE_SNAPPY) || defined(ENABLE_LZO) || defined(ENABLE_LZ4) || \