22 files changed, 96 insertions, 149 deletions
diff --git a/main/openvpn/configure.ac b/main/openvpn/configure.ac
index 380dcdbb..7e94280d 100644
--- a/main/openvpn/configure.ac
+++ b/main/openvpn/configure.ac
@@ -686,7 +686,7 @@ fi
 case "${with_mem_check}" in
 	valgrind)
-		AC_CHECK_HEADER(
+		AC_CHECK_HEADERS(
 			[valgrind/memcheck.h],
 			[
 				CFLAGS="${CFLAGS} -g -fno-inline"
@@ -700,7 +700,7 @@ case "${with_mem_check}" in
 		)
 		;;
 	dmalloc)
-		AC_CHECK_HEADER(
+		AC_CHECK_HEADERS(
 			[dmalloc.h],
 			[AC_CHECK_LIB(
 				[dmalloc],
@@ -744,7 +744,7 @@ PKG_CHECK_MODULES(
 PKG_CHECK_MODULES(
 	[OPENSSL_CRYPTO],
-	[libcrypto >= 0.9.6],
+	[libcrypto >= 0.9.8],
 	[have_openssl_crypto="yes"],
 	[AC_CHECK_LIB(
 		[crypto],
@@ -758,7 +758,7 @@ PKG_CHECK_MODULES(
 PKG_CHECK_MODULES(
 	[OPENSSL_SSL],
-	[libssl >= 0.9.6],
+	[libssl >= 0.9.8],
 	[have_openssl_ssl="yes"],
 	[AC_CHECK_LIB(
 		[ssl],
@@ -793,6 +793,21 @@ if test "${have_openssl_crypto}" = "yes"; then
 	LIBS="${saved_LIBS}"
 fi
+if test "${have_openssl_ssl}" = "yes"; then
+    AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL])
+    AC_EGREP_CPP(have_ssl_op_no_ticket, [
+    #include <openssl/ssl.h>
+    #ifdef SSL_OP_NO_TICKET
+    have_ssl_op_no_ticket
+    #endif
+    ], [
+        AC_MSG_RESULT([yes])
+    ], [
+        AC_MSG_RESULT([no])
+        AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])
+    ])
+fi
+
 AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl])
 AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl])
 have_polarssl_ssl="yes"
@@ -929,7 +944,7 @@ if test "$enable_snappy" = "yes" && test "$enable_comp_stub" = "no"; then
     saved_CFLAGS="${CFLAGS}"
     CFLAGS="${CFLAGS} ${SNAPPY_CFLAGS}"
-    AC_CHECK_HEADER(snappy-c.h,
+    AC_CHECK_HEADERS(snappy-c.h,
      ,
      [
 	   AC_MSG_RESULT([Snappy headers not found.])
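Review bot: `AC_ERROR` in the new SSL_OP_NO_TICKET probe is an obsolete Autoconf macro; `AC_MSG_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL])` is the current spelling and fails configure the same way. The `AC_EGREP_CPP` probe preprocesses with the plain CPPFLAGS, so on a system where the OpenSSL headers are only reachable through `${OPENSSL_SSL_CFLAGS}` it would answer "no" even though the flag exists; the `have_openssl_crypto` block a few lines above saves and restores LIBS around its check, and doing the same with CFLAGS around this probe would be consistent with it. That second point is only a concern if the headers are not on the default include path.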
@@ -968,7 +983,7 @@ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
     saved_CFLAGS="${CFLAGS}"
     CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
-    AC_CHECK_HEADER(lz4.h,
+    AC_CHECK_HEADERS(lz4.h,
      ,
      [
 	   AC_MSG_RESULT([LZ4 headers not found.])
diff --git a/main/openvpn/src/openvpn/Makefile.am b/main/openvpn/src/openvpn/Makefile.am
index 0b79e104..fd593c57 100644
--- a/main/openvpn/src/openvpn/Makefile.am
+++ b/main/openvpn/src/openvpn/Makefile.am
@@ -18,7 +18,7 @@ EXTRA_DIST = \
 	openvpn.vcxproj \
 	openvpn.vcxproj.filters
-INCLUDES = \
+AM_CPPFLAGS = \
 	-I$(top_srcdir)/include \
 	-I$(top_srcdir)/src/compat
diff --git a/main/openvpn/src/openvpn/buffer.h b/main/openvpn/src/openvpn/buffer.h
index 0010c771..19fa1fa2 100644
--- a/main/openvpn/src/openvpn/buffer.h
+++ b/main/openvpn/src/openvpn/buffer.h
@@ -166,6 +166,7 @@ char *string_alloc_debug (const char *str, struct gc_arena *gc, const char *file
 struct buffer string_alloc_buf_debug (const char *str, struct gc_arena *gc, const char *file, int line);
 #else
+
 struct buffer alloc_buf (size_t size);
 struct buffer alloc_buf_gc (size_t size, struct gc_arena *gc); /* allocate buffer with garbage collection */
 struct buffer clone_buf (const struct buffer* buf);
diff --git a/main/openvpn/src/openvpn/clinat.c b/main/openvpn/src/openvpn/clinat.c
index af75fc9d..ddefe123 100644
--- a/main/openvpn/src/openvpn/clinat.c
+++ b/main/openvpn/src/openvpn/clinat.c
@@ -30,8 +30,6 @@
 #include "syshead.h"
-#if defined(ENABLE_CLIENT_NAT)
-
 #include "clinat.h"
 #include "proto.h"
 #include "socket.h"
@@ -265,5 +263,3 @@ client_nat_transform (const struct client_nat_option_list *list,
 	}
     }
 }
-
-#endif
diff --git a/main/openvpn/src/openvpn/clinat.h b/main/openvpn/src/openvpn/clinat.h
index d55a727a..a5779e15 100644
--- a/main/openvpn/src/openvpn/clinat.h
+++ b/main/openvpn/src/openvpn/clinat.h
@@ -22,7 +22,7 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
-#if !defined(CLINAT_H) && defined(ENABLE_CLIENT_NAT)
+#if !defined(CLINAT_H)
 #define CLINAT_H
 #include "buffer.h"
diff --git a/main/openvpn/src/openvpn/crypto_openssl.c b/main/openvpn/src/openvpn/crypto_openssl.c
index 1501bc86..6199e618 100644
--- a/main/openvpn/src/openvpn/crypto_openssl.c
+++ b/main/openvpn/src/openvpn/crypto_openssl.c
@@ -57,33 +57,6 @@
 #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
 #endif
-/*
-
- * Workarounds for incompatibilites between OpenSSL libraries.
- * Right now we accept OpenSSL libraries from 0.9.5 to 0.9.7.
-
- */
-
-#if SSLEAY_VERSION_NUMBER < 0x00907000L
-
-/* Workaround: EVP_CIPHER_mode is defined wrong in OpenSSL 0.9.6 but is fixed in 0.9.7 */
-#undef EVP_CIPHER_mode
-#define EVP_CIPHER_mode(e)                (((e)->flags) & EVP_CIPH_MODE)
-
-#define DES_cblock                        des_cblock
-#define DES_is_weak_key                   des_is_weak_key
-#define DES_check_key_parity              des_check_key_parity
-#define DES_set_odd_parity                des_set_odd_parity
-
-#define HMAC_CTX_init(ctx)                CLEAR (*ctx)
-#define HMAC_Init_ex(ctx,sec,len,md,impl) HMAC_Init(ctx, sec, len, md)
-#define HMAC_CTX_cleanup(ctx)             HMAC_cleanup(ctx)
-#define EVP_MD_CTX_cleanup(md)            CLEAR (*md)
-
-#define INFO_CALLBACK_SSL_CONST
-
-#endif
-
 static inline int
 EVP_CipherInit_ov (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, uint8_t *key, uint8_t *iv, int enc)
 {
diff --git a/main/openvpn/src/openvpn/forward.c b/main/openvpn/src/openvpn/forward.c
index 0ec00f34..43e2d3d1 100644
--- a/main/openvpn/src/openvpn/forward.c
+++ b/main/openvpn/src/openvpn/forward.c
@@ -1017,6 +1017,8 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
   if (!c->options.passtos)
     flags &= ~PIPV4_PASSTOS;
 #endif
+  if (!c->options.client_nat)
+    flags &= ~PIPV4_CLIENT_NAT;
   if (!c->options.route_gateway_via_dhcp)
     flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
@@ -1026,11 +1028,13 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
        * The --passtos and --mssfix options require
        * us to examine the IPv4 header.
        */
+
+      if (flags & (PIP_MSSFIX
 #if PASSTOS_CAPABILITY
-      if (flags & (PIPV4_PASSTOS|PIP_MSSFIX))
-#else
-      if (flags & PIP_MSSFIX)
+	  | PIPV4_PASSTOS
 #endif
+	  | PIPV4_CLIENT_NAT
+	  ))
 	{
 	  struct buffer ipbuf = *buf;
 	  if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf))
@@ -1045,14 +1049,12 @@ process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
 	      if (flags & PIP_MSSFIX)
 		mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
-#ifdef ENABLE_CLIENT_NAT
 	      /* possibly do NAT on packet */
 	      if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
 		{
 		  const int direction = (flags & PIPV4_OUTGOING) ? CN_INCOMING : CN_OUTGOING;
 		  client_nat_transform (c->options.client_nat, &ipbuf, direction);
 		}
-#endif
 	      /* possibly extract a DHCP router message */
 	      if (flags & PIPV4_EXTRACT_DHCP_ROUTER)
 		{
diff --git a/main/openvpn/src/openvpn/init.c b/main/openvpn/src/openvpn/init.c
index a866b7d6..4e79bfcf 100644
--- a/main/openvpn/src/openvpn/init.c
+++ b/main/openvpn/src/openvpn/init.c
@@ -1,4 +1,4 @@
-    /*
+/*
  *  OpenVPN -- An application to securely tunnel IP networks
  *             over a single TCP/UDP port, with support for SSL/TLS-based
  *             session authentication and key exchange,
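Review bot: With the new `if (!c->options.client_nat) flags &= ~PIPV4_CLIENT_NAT;` at the top of process_ip_header, the later test `if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)` in the third forward.c hunk checks the same condition a second time; dropping the `&& c->options.client_nat` there keeps one source of truth, which is how PIPV4_PASSTOS and PIPV4_EXTRACT_DHCP_ROUTER are already handled. Splitting the `if (flags & (PIP_MSSFIX ... ))` expression across `#if PASSTOS_CAPABILITY` is hard to read; a local such as `unsigned int ipv4_mask = PIP_MSSFIX | PIPV4_CLIENT_NAT;` with a guarded `ipv4_mask |= PIPV4_PASSTOS;` keeps the preprocessor out of the expression. process_ip_header starts and ends outside these hunks.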
@@ -131,7 +131,8 @@ management_callback_proxy_cmd (void *arg, const char **p)
           msg (M_WARN, "HTTP proxy support is not available");
 #else
           struct http_proxy_options *ho;
-         if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT )            {
+          if (ce->proto != PROTO_TCP && ce->proto != PROTO_TCP_CLIENT )
+            {
               msg (M_WARN, "HTTP proxy support only works for TCP based connections");
               return false;
             }
diff --git a/main/openvpn/src/openvpn/manage.c b/main/openvpn/src/openvpn/manage.c
index a6433178..e7a7fe85 100644
--- a/main/openvpn/src/openvpn/manage.c
+++ b/main/openvpn/src/openvpn/manage.c
@@ -1589,7 +1589,7 @@ man_listen (struct management *man)
 	{
 	  man->connection.sd_top = create_socket_tcp (man->settings.local);
 	  socket_bind (man->connection.sd_top, man->settings.local,
-		       man->settings.local->ai_family, "MANAGEMENT", false);
+                       man->settings.local->ai_family, "MANAGEMENT", false);
 	}
       /*
@@ -1887,7 +1887,7 @@ bool management_android_control (struct management *man, const char *command, co
 /*
  * In Android 4.4 it is not possible to open a new tun device and then close the
  * old tun device without breaking the whole VPNService stack until the device
- * is reported. This management method ask the UI what method should be taken to
+ * is rebooted. This management method ask the UI what method should be taken to
  * ensure the optimal solution for the situation
  */
 int managment_android_persisttun_action (struct management *man)
@@ -1904,7 +1904,10 @@ int managment_android_persisttun_action (struct management *man)
   else if (!strcmp ("OPEN_BEFORE_CLOSE", up.password))
     return ANDROID_OPEN_BEFORE_CLOSE;
   else
-    ASSERT (0);
+    msg (M_ERR, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);
+
+  ASSERT(0);
+  return ANDROID_OPEN_AFTER_CLOSE;
 }
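Review bot: `msg (M_ERR, ...)` in the last manage.c hunk is a fatal log level in OpenVPN's msg() (M_ERR combines M_FATAL with M_ERRNO, as far as I recall), so the `ASSERT(0);` and `return ANDROID_OPEN_AFTER_CLOSE;` added after it never execute, and the message gets an unrelated strerror(errno) suffix appended. If a fatal exit with a clear message is the intent, `msg (M_FATAL, "Got unrecognised '%s' from management for PERSIST_TUN_ACTION query", up.password);` says so without the errno noise and the two trailing statements can go; if the intent is to log and then hit the assertion, `M_WARN` is the level that falls through. Passing the reply as a `%s` argument rather than into the format string, as the hunk does, is the right shape for a value that comes from the management client. managment_android_persisttun_action begins before the hunk.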
diff --git a/main/openvpn/src/openvpn/multi.c b/main/openvpn/src/openvpn/multi.c
index 2839b30d..b0119181 100644
--- a/main/openvpn/src/openvpn/multi.c
+++ b/main/openvpn/src/openvpn/multi.c
@@ -1295,9 +1295,7 @@ multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi)
       mi->context.c2.push_ifconfig_defined = true;
       mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
       mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
       mi->context.c2.push_ifconfig_local_alias = mi->context.options.push_ifconfig_local_alias;
-#endif
       /* the current implementation does not allow "static IPv4, pool IPv6",
        * (see below) so issue a warning if that happens - don't break the
diff --git a/main/openvpn/src/openvpn/openvpn.h b/main/openvpn/src/openvpn/openvpn.h
index 7ad6c55c..4f9c4d11 100644
--- a/main/openvpn/src/openvpn/openvpn.h
+++ b/main/openvpn/src/openvpn/openvpn.h
@@ -454,9 +454,7 @@ struct context_2
   time_t sent_push_reply_expiry;
   in_addr_t push_ifconfig_local;
   in_addr_t push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
   in_addr_t push_ifconfig_local_alias;
-#endif
   bool            push_ifconfig_ipv6_defined;
   struct in6_addr push_ifconfig_ipv6_local;
diff --git a/main/openvpn/src/openvpn/options.c b/main/openvpn/src/openvpn/options.c
index eea906b3..b5fbb13e 100644
--- a/main/openvpn/src/openvpn/options.c
+++ b/main/openvpn/src/openvpn/options.c
@@ -242,9 +242,7 @@ static const char usage_message[] =
   "                  Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
   "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
   "                  the default gateway.  Useful when pushing private subnets.\n"
-#ifdef ENABLE_CLIENT_NAT
   "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
-#endif
 #ifdef ENABLE_PUSH_PEER_INFO
   "--push-peer-info : (client only) push client info to server.\n"
 #endif
@@ -567,12 +565,7 @@ static const char usage_message[] =
   "                  root certificate.\n"
 #ifndef ENABLE_CRYPTO_POLARSSL
   "--capath dir    : A directory of trusted certificates (CAs"
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
   " and CRLs).\n"
-#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
-  ").\n"
-  "                  WARNING: no support of CRL available with this version.\n"
-#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
 #endif /* ENABLE_CRYPTO_POLARSSL */
   "--dh file       : File containing Diffie Hellman parameters\n"
   "                  in .pem format (for --tls-server only).\n"
@@ -635,7 +628,6 @@ static const char usage_message[] =
   "--x509-track x  : Save peer X509 attribute x in environment for use by\n"
   "                  plugins and management interface.\n"
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
   "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
   "                  explicit key usage, you can specify more than one value.\n"
   "                  value should be given in hex format.\n"
@@ -645,7 +637,6 @@ static const char usage_message[] =
   "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
   "                  key usage and extended key usage based on RFC3280 TLS rules.\n"
   "                  t = 'client' | 'server'.\n"
-#endif				/* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */
 #endif				/* ENABLE_SSL */
 #ifdef ENABLE_PKCS11
   "\n"
@@ -1327,9 +1318,7 @@ options_detach (struct options *o)
 {
   gc_detach (&o->gc);
   o->routes = NULL;
-#ifdef ENABLE_CLIENT_NAT
   o->client_nat = NULL;
-#endif
 #if P2MP_SERVER
   clone_push_list(o);
 #endif
@@ -1349,14 +1338,12 @@ rol6_check_alloc (struct options *options)
     options->routes_ipv6 = new_route_ipv6_option_list (&options->gc);
 }
-#ifdef ENABLE_CLIENT_NAT
 static void
 cnol_check_alloc (struct options *options)
 {
   if (!options->client_nat)
     options->client_nat = new_client_nat_list (&options->gc);
 }
-#endif
 #ifndef ENABLE_SMALL
 static void
@@ -1558,11 +1545,9 @@ show_settings (const struct options *o)
   SHOW_BOOL (allow_pull_fqdn);
   if (o->routes)
     print_route_options (o->routes, D_SHOW_PARMS);
-  
-#ifdef ENABLE_CLIENT_NAT
+
   if (o->client_nat)
     print_client_nat_list(o->client_nat, D_SHOW_PARMS);
-#endif
 #ifdef ENABLE_MANAGEMENT
   SHOW_STR (management_addr);
@@ -2828,13 +2813,11 @@ pre_pull_save (struct options *o)
 	  o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
 	  o->pre_pull->routes_ipv6_defined = true;
 	}
-#ifdef ENABLE_CLIENT_NAT
       if (o->client_nat)
 	{
 	  o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
 	  o->pre_pull->client_nat_defined = true;
 	}
-#endif
     }
 }
@@ -2864,7 +2847,6 @@ pre_pull_restore (struct options *o, struct gc_arena *gc)
       else
 	o->routes_ipv6 = NULL;
-#ifdef ENABLE_CLIENT_NAT
       if (pp->client_nat_defined)
 	{
 	  cnol_check_alloc (o);
@@ -2872,7 +2854,6 @@ pre_pull_restore (struct options *o, struct gc_arena *gc)
 	}
       else
 	o->client_nat = NULL;
-#endif
       o->foreign_option_index = pp->foreign_option_index;
     }
@@ -5200,14 +5181,12 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_PERSIST_IP);
       options->persist_remote_ip = true;
     }
-#ifdef ENABLE_CLIENT_NAT
   else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4])
     {
       VERIFY_PERMISSION (OPT_P_ROUTE);
       cnol_check_alloc (options);
       add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
     }
-#endif
   else if (streq (p[0], "route") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_ROUTE);
@@ -5795,10 +5774,8 @@ add_option (struct options *options,
 	  options->push_ifconfig_defined = true;
 	  options->push_ifconfig_local = local;
 	  options->push_ifconfig_remote_netmask = remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
 	  if (p[3])
 	    options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
-#endif
 	}
       else
 	{
@@ -6786,7 +6763,6 @@ add_option (struct options *options,
 	  goto err;
 	}
     }
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
   else if (streq (p[0], "remote-cert-ku"))
     {
       int j;
@@ -6824,7 +6800,6 @@ add_option (struct options *options,
 	  goto err;
 	}
     }
-#endif	/* OPENSSL_VERSION_NUMBER */
   else if (streq (p[0], "tls-timeout") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_TLS_PARMS);
diff --git a/main/openvpn/src/openvpn/options.h b/main/openvpn/src/openvpn/options.h
index ec1d0911..7bc8d1f0 100644
--- a/main/openvpn/src/openvpn/options.h
+++ b/main/openvpn/src/openvpn/options.h
@@ -71,10 +71,8 @@ struct options_pre_pull
   bool routes_ipv6_defined;
   struct route_ipv6_option_list *routes_ipv6;
-#ifdef ENABLE_CLIENT_NAT
   bool client_nat_defined;
   struct client_nat_option_list *client_nat;
-#endif
   int foreign_option_index;
 };
@@ -351,10 +349,7 @@ struct options
   bool route_nopull;
   bool route_gateway_via_dhcp;
   bool allow_pull_fqdn; /* as a client, allow server to push a FQDN for certain parameters */
-
-#ifdef ENABLE_CLIENT_NAT
   struct client_nat_option_list *client_nat;
-#endif
 #ifdef ENABLE_OCC
   /* Enable options consistency check between peers */
@@ -435,9 +430,7 @@ struct options
   bool push_ifconfig_defined;
   in_addr_t push_ifconfig_local;
   in_addr_t push_ifconfig_remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
   in_addr_t push_ifconfig_local_alias;
-#endif
   bool push_ifconfig_constraint_defined;
   in_addr_t push_ifconfig_constraint_network;
   in_addr_t push_ifconfig_constraint_netmask;
diff --git a/main/openvpn/src/openvpn/push.c b/main/openvpn/src/openvpn/push.c
index 606bb05d..26f59987 100644
--- a/main/openvpn/src/openvpn/push.c
+++ b/main/openvpn/src/openvpn/push.c
@@ -67,7 +67,6 @@ receive_auth_failed (struct context *c, const struct buffer *buffer)
 	  ASSERT (0);
 	}
       c->sig->signal_text = "auth-failure";
-#ifdef ENABLE_MANAGEMENT
       if (management)
 	{
 	  const char *reason = NULL;
@@ -76,7 +75,6 @@ receive_auth_failed (struct context *c, const struct buffer *buffer)
 	    reason = BSTR (&buf);
 	  management_auth_failure (management, UP_TYPE_AUTH, reason);
 	} else
-#endif
 	{
 #ifdef ENABLE_CLIENT_CR
 	  struct buffer buf = *buffer;
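Review bot: Dropping `#ifdef ENABLE_MANAGEMENT` around `if (management)` in receive_auth_failed makes push.c reference `management` and `management_auth_failure` unconditionally; if those are only declared when ENABLE_MANAGEMENT is defined (upstream manage.h is wrapped that way, if I recall correctly), a build configured without management support no longer compiles here. If this tree always builds with management enabled, a one-line comment at the removal such as `/* management support is always compiled in on this platform */` records the assumption; otherwise the two guards should stay. receive_auth_failed begins before the first push.c hunk and continues after the second.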
@@ -293,10 +291,8 @@ send_push_reply (struct context *c)
   if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local && c->c2.push_ifconfig_remote_netmask)
     {
       in_addr_t ifconfig_local = c->c2.push_ifconfig_local;
-#ifdef ENABLE_CLIENT_NAT
       if (c->c2.push_ifconfig_local_alias)
 	ifconfig_local = c->c2.push_ifconfig_local_alias;
-#endif
       buf_printf (&buf, ",ifconfig %s %s",
 		  print_in_addr_t (ifconfig_local, 0, &gc),
 		  print_in_addr_t (c->c2.push_ifconfig_remote_netmask, 0, &gc));
diff --git a/main/openvpn/src/openvpn/socket.c b/main/openvpn/src/openvpn/socket.c
index f024c0a4..b769171c 100644
--- a/main/openvpn/src/openvpn/socket.c
+++ b/main/openvpn/src/openvpn/socket.c
@@ -129,6 +129,10 @@ streqnull (const char* a, const char* b)
     return streq (a, b);
 }
+/*
+  get_cached_dns_entry return 0 on success and -1
+  otherwise. (like getaddrinfo)
+ */
 static int
 get_cached_dns_entry (struct cached_dns_entry* dns_cache,
 		      const char* hostname,
@@ -166,47 +170,46 @@ do_preresolve_host (struct context *c,
 		    const int flags)
 {
   struct addrinfo *ai;
+  int status;
+
   if (get_cached_dns_entry(c->c1.dns_cache,
 			   hostname,
-			     servname,
-			     af,
-			     flags,
-			   &ai))
+			   servname,
+			   af,
+			   flags,
+			   &ai) == 0 )
     {
-      int status;
-      status = openvpn_getaddrinfo (flags, hostname, servname,
-				    c->options.resolve_retry_seconds, NULL,
-				    af, &ai);
-      if (status == 0)
-	{
-	  struct cached_dns_entry *ph;
-
-	  ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc);
-	  ph->ai = ai;
-	  ph->hostname = hostname;
-	  ph->servname = servname;
-	  ph->flags = flags & GETADDR_CACHE_MASK;
+      /* entry already cached, return success */
+      return 0;
+    }
-	  if (!c->c1.dns_cache)
-	    c->c1.dns_cache = ph;
-	  else
-	    {
-	      struct cached_dns_entry *prev = c->c1.dns_cache;
-	      while (prev->next)
-		prev = prev->next;
-	      prev->next = ph;
-	    }
+  status = openvpn_getaddrinfo (flags, hostname, servname,
+				c->options.resolve_retry_seconds, NULL,
+				af, &ai);
+  if (status == 0)
+    {
+      struct cached_dns_entry *ph;
-	  gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc);
+      ALLOC_OBJ_CLEAR_GC (ph, struct cached_dns_entry, &c->gc);
+      ph->ai = ai;
+      ph->hostname = hostname;
+      ph->servname = servname;
+      ph->flags = flags & GETADDR_CACHE_MASK;
+      if (!c->c1.dns_cache)
+	c->c1.dns_cache = ph;
+      else
+	{
+	  struct cached_dns_entry *prev = c->c1.dns_cache;
+	  while (prev->next)
+	    prev = prev->next;
+	  prev->next = ph;
 	}
-      return status;
-    }
-  else
-    {
-      /* already in cached dns list, return success */
-      return 0;
+
+      gc_addspecial (ai, &gc_freeaddrinfo_callback, &c->gc);
+
     }
+  return status;
 }
 void
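Review bot: The restructured do_preresolve_host now treats `get_cached_dns_entry(...) == 0` as a cache hit and returns 0 without resolving, whereas the removed code resolved when that call returned non-zero; this matches the comment added above get_cached_dns_entry in the earlier socket.c hunk, but that function's body is not part of this diff, so please confirm it was changed to return 0 on a hit and -1 otherwise. If it still returns non-zero on a hit, every pre-resolve would skip the cache for names already in it and re-resolve the rest, inverting the intent. A short comment at the call site, `/* 0 == already cached, see get_cached_dns_entry */`, would make the convention visible where it is relied on. do_preresolve_host's signature begins before the hunk.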
@@ -869,7 +872,8 @@ create_socket (struct link_socket* sock, struct addrinfo* addr)
 	   * currently resolve two remote addresses is not supported,
 	   * TODO: Rewrite the whole resolve_remote */
 	  struct addrinfo addrinfo_tmp = *addr;
-	  addr->ai_protocol = IPPROTO_TCP;
+	  addrinfo_tmp.ai_socktype = SOCK_STREAM;
+	  addrinfo_tmp.ai_protocol = IPPROTO_TCP;
 	  sock->ctrl_sd = create_socket_tcp (&addrinfo_tmp);
 	}
 #endif
@@ -2925,7 +2929,7 @@ link_socket_read_udp_posix_recvmsg (struct link_socket *sock,
 	}
       else if (cmsg != NULL)
 	{
-	  msg(M_WARN, "CMSG received that cannot be parsed");
+	  msg(M_WARN, "CMSG received that cannot be parsed (cmsg_level=%d, cmsg_type=%d, cmsg=len=%d)", (int)cmsg->cmsg_level, (int)cmsg->cmsg_type, (int)cmsg->cmsg_len );
 	}
     }
diff --git a/main/openvpn/src/openvpn/socket.h b/main/openvpn/src/openvpn/socket.h
index 51329534..f27e9a9a 100644
--- a/main/openvpn/src/openvpn/socket.h
+++ b/main/openvpn/src/openvpn/socket.h
@@ -917,7 +917,7 @@ link_socket_set_outgoing_addr (const struct buffer *buf,
 	   &&
 	   /* address undef or address == remote or --float */
 	   (info->remote_float ||
-	    (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto))
+	       (!lsa->remote_list || addrlist_match_proto (&act->dest, lsa->remote_list, info->proto))
 	    )
 	  )
 	{
diff --git a/main/openvpn/src/openvpn/ssl.c b/main/openvpn/src/openvpn/ssl.c
index c61701a7..d4acc0fc 100644
--- a/main/openvpn/src/openvpn/ssl.c
+++ b/main/openvpn/src/openvpn/ssl.c
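Review bot: The new warning text in link_socket_read_udp_posix_recvmsg has a typo, `cmsg=len=%d` should read `cmsg_len=%d`, so that the three printed fields name the struct members they come from. `(int)cmsg->cmsg_len` narrows a platform-dependent unsigned length to int; `%zu` with `(size_t)cmsg->cmsg_len` prints it without a lossy cast, though the value cannot realistically overflow here. The rest of the function lies outside the hunk.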
@@ -235,6 +235,19 @@ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
     {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
     {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
     {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
+#ifdef ENABLE_CRYPTO_OPENSSL
+    {"DEFAULT", "DEFAULT"},
+    {"ALL", "ALL"},
+    {"HIGH", "HIGH"},
+    {"MEDIUM", "MEDIUM"},
+    {"LOW", "LOW"},
+    {"ECDH", "ECDH"},
+    {"ECDSA", "ECDSA"},
+    {"EDH", "EDH"},
+    {"EXP", "EXP"},
+    {"RSA", "RSA"},
+    {"SRP", "SRP"},
+#endif
     {NULL, NULL}
 };
diff --git a/main/openvpn/src/openvpn/ssl_openssl.c b/main/openvpn/src/openvpn/ssl_openssl.c
index 68a1d591..0b63e260 100644
--- a/main/openvpn/src/openvpn/ssl_openssl.c
+++ b/main/openvpn/src/openvpn/ssl_openssl.c
@@ -219,8 +219,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
   if (ciphers == NULL)
     {
-      /* Use sane default */
-      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP"))
+      /* Use sane default (disable export, and unsupported cipher modes) */
+      if(!SSL_CTX_set_cipher_list(ctx->ctx, "DEFAULT:!EXP:!PSK:!SRP"))
         msg(M_SSLERR, "Failed to set default TLS cipher list.");
       return;
     }
@@ -848,11 +848,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
         msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
       else
         msg(M_SSLERR, "Cannot add lookup at --capath %s", ca_path);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
       X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
-      msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
-#endif
     }
 }
diff --git a/main/openvpn/src/openvpn/ssl_verify.c b/main/openvpn/src/openvpn/ssl_verify.c
index 4dd3aa2d..765b8860 100644
--- a/main/openvpn/src/openvpn/ssl_verify.c
+++ b/main/openvpn/src/openvpn/ssl_verify.c
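Review bot: The new default `"DEFAULT:!EXP:!PSK:!SRP"` in tls_ctx_restrict_ciphers still admits the LOW strength group on OpenSSL releases whose DEFAULT does not already exclude it (to my recollection that exclusion only became part of DEFAULT in 1.0.2, while configure.ac in this commit only raises the floor to 0.9.8), so the stated goal of dropping weak and unsupported modes depends on the library version; `"DEFAULT:!EXP:!LOW:!PSK:!SRP"` makes it hold regardless. The comment would also help a later reader if it said why the two key-exchange families are out, e.g. `/* PSK and SRP need credentials OpenVPN never supplies; EXP and LOW are too weak */`. tls_ctx_restrict_ciphers continues past the hunk, and the ssl.c table hunk above merely lets --tls-cipher pass these OpenSSL keywords through unchanged.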
@@ -337,8 +337,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
 	}
     }
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
-
   /* verify certificate ku */
   if (opt->remote_cert_ku[0] != 0)
     {
@@ -367,8 +365,6 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
 	}
     }
-#endif /* OPENSSL_VERSION_NUMBER */
-
   /* verify X509 name or username against --verify-x509-[user]name */
   if (opt->verify_x509_type != VERIFY_X509_NONE)
     {
diff --git a/main/openvpn/src/openvpn/ssl_verify_backend.h b/main/openvpn/src/openvpn/ssl_verify_backend.h
index 1658cc02..7d2aae62 100644
--- a/main/openvpn/src/openvpn/ssl_verify_backend.h
+++ b/main/openvpn/src/openvpn/ssl_verify_backend.h
@@ -189,8 +189,6 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
  */
 result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int usage);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
-
 /*
  * Verify X.509 key usage extension field.
  *
@@ -219,8 +217,6 @@ result_t x509_verify_cert_ku (openvpn_x509_cert_t *x509, const unsigned * const
  */
 result_t x509_verify_cert_eku (openvpn_x509_cert_t *x509, const char * const expected_oid);
-#endif
-
 /*
  * Store the given certificate in pem format in a temporary file in tmp_dir
  *
diff --git a/main/openvpn/src/openvpn/ssl_verify_openssl.c b/main/openvpn/src/openvpn/ssl_verify_openssl.c
index 658f5f33..cd2006fb 100644
--- a/main/openvpn/src/openvpn/ssl_verify_openssl.c
+++ b/main/openvpn/src/openvpn/ssl_verify_openssl.c
@@ -459,8 +459,6 @@ x509_verify_ns_cert_type(const openvpn_x509_cert_t *peer_cert, const int usage)
   return FAILURE;
 }
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
 result_t
 x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
     int expected_len)
@@ -566,8 +564,6 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
   return SUCCESS;
 }
-#endif /* OPENSSL_VERSION_NUMBER */
-
 /*
  * check peer cert against CRL
  */
diff --git a/main/openvpn/src/openvpn/syshead.h b/main/openvpn/src/openvpn/syshead.h
index 4050d548..7f17bf0e 100644
--- a/main/openvpn/src/openvpn/syshead.h
+++ b/main/openvpn/src/openvpn/syshead.h
@@ -715,11 +715,6 @@ socket_defined (const socket_descriptor_t sd)
 #endif
 /*
- * Do we support internal client-side NAT?
- */
-#define ENABLE_CLIENT_NAT
-
-/*
  * Compression support
  */
 #if defined(ENABLE_SNAPPY) || defined(ENABLE_LZO) || defined(ENABLE_LZ4) || \  |
