summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--openvpn/doc/openvpn.86
-rw-r--r--openvpn/src/openvpn/crypto.c2
-rw-r--r--openvpn/src/openvpn/init.c1
-rw-r--r--openvpn/src/openvpn/misc.c8
-rw-r--r--openvpn/src/openvpn/options.c2
-rw-r--r--openvpn/src/openvpn/proxy.c1
-rw-r--r--openvpn/src/openvpn/route.c1
-rw-r--r--openvpn/src/openvpn/ssl.c4
-rw-r--r--openvpn/src/openvpn/ssl_backend.h6
-rw-r--r--openvpn/src/openvpn/ssl_openssl.c4
-rw-r--r--openvpn/src/openvpn/ssl_polarssl.c18
-rw-r--r--openvpn/src/openvpn/ssl_verify.c2
12 files changed, 29 insertions, 26 deletions
diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8
index 15dd3206..42c7bf6e 100644
--- a/openvpn/doc/openvpn.8
+++ b/openvpn/doc/openvpn.8
@@ -5378,7 +5378,11 @@ if no gateway is specified.
.TP
.B --route-ipv6 ipv6addr/bits [gateway] [metric]
setup IPv6 routing in the system to send the specified IPv6 network
-into OpenVPN's ``tun'' device
+into OpenVPN's ``tun''. The gateway parameter is only used for
+IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote''
+field from
+.B --ifconfig-ipv6
+is used.
.TP
.B --server-ipv6 ipv6addr/bits
convenience-function to enable a number of IPv6 related options at
diff --git a/openvpn/src/openvpn/crypto.c b/openvpn/src/openvpn/crypto.c
index d9adf5b5..c4c356dc 100644
--- a/openvpn/src/openvpn/crypto.c
+++ b/openvpn/src/openvpn/crypto.c
@@ -1028,7 +1028,6 @@ read_passphrase_hash (const char *passphrase_file,
uint8_t *output,
int len)
{
- unsigned int outlen = 0;
md_ctx_t md;
ASSERT (len >= md_kt_size(digest));
@@ -1361,7 +1360,6 @@ prng_bytes (uint8_t *output, int len)
const int md_size = md_kt_size (nonce_md);
while (len > 0)
{
- unsigned int outlen = 0;
const int blen = min_int (len, md_size);
md_full(nonce_md, nonce_data, md_size + nonce_secret_len, nonce_data);
memcpy (output, nonce_data, blen);
diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c
index f130cdfd..c288e924 100644
--- a/openvpn/src/openvpn/init.c
+++ b/openvpn/src/openvpn/init.c
@@ -1216,7 +1216,6 @@ do_init_route_ipv6_list (const struct options *options,
struct env_set *es)
{
const char *gw = NULL;
- int dev = dev_type_enum (options->dev, options->dev_type);
int metric = -1; /* no metric set */
gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c
index fa327f8c..1120adc4 100644
--- a/openvpn/src/openvpn/misc.c
+++ b/openvpn/src/openvpn/misc.c
@@ -701,14 +701,6 @@ env_set_remove_from_environment (const struct env_set *es)
}
}
-#ifdef HAVE_PUTENV
-
-/* companion functions to putenv */
-
-static struct env_item *global_env = NULL; /* GLOBAL */
-
-#endif
-
/* add/modify/delete environmental strings */
void
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index f74ad8ef..e31f918f 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -219,7 +219,7 @@ static const char usage_message[] =
"--route-ipv6 network/bits [gateway] [metric] :\n"
" Add IPv6 route to routing table after connection\n"
" is established. Multiple routes can be specified.\n"
- " gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
+ " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
"--max-routes n : Specify the maximum number of routes that may be defined\n"
" or pulled from a server.\n"
"--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
diff --git a/openvpn/src/openvpn/proxy.c b/openvpn/src/openvpn/proxy.c
index b4c917a8..533e747e 100644
--- a/openvpn/src/openvpn/proxy.c
+++ b/openvpn/src/openvpn/proxy.c
@@ -439,7 +439,6 @@ struct http_proxy_info *
http_proxy_new (const struct http_proxy_options *o)
{
struct http_proxy_info *p;
- struct http_proxy_options opt;
if (!o || !o->server)
msg (M_FATAL, "HTTP_PROXY: server not specified");
diff --git a/openvpn/src/openvpn/route.c b/openvpn/src/openvpn/route.c
index c5a7ba6b..f051dd3c 100644
--- a/openvpn/src/openvpn/route.c
+++ b/openvpn/src/openvpn/route.c
@@ -2881,7 +2881,6 @@ get_default_gateway (struct route_gateway_info *rgi)
{
/* get interface name */
const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
- int len = adl->sdl_nlen;
if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
{
memcpy (rgi->iface, adl->sdl_data, adl->sdl_nlen);
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index f2b04488..7cf3b2e4 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
@@ -1735,7 +1735,6 @@ key_method_1_write (struct buffer *buf, struct tls_session *session)
{
struct key key;
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
ASSERT (session->opt->key_method == 1);
ASSERT (buf_init (buf, 0));
@@ -1852,7 +1851,6 @@ static bool
key_method_2_write (struct buffer *buf, struct tls_session *session)
{
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
ASSERT (session->opt->key_method == 2);
ASSERT (buf_init (buf, 0));
@@ -1936,7 +1934,6 @@ key_method_1_read (struct buffer *buf, struct tls_session *session)
int status;
struct key key;
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
ASSERT (session->opt->key_method == 1);
@@ -1995,7 +1992,6 @@ static bool
key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
{
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
int key_method_flags;
bool username_status, password_status;
diff --git a/openvpn/src/openvpn/ssl_backend.h b/openvpn/src/openvpn/ssl_backend.h
index f61580cf..72235ae5 100644
--- a/openvpn/src/openvpn/ssl_backend.h
+++ b/openvpn/src/openvpn/ssl_backend.h
@@ -42,6 +42,10 @@
#include "ssl_verify_polarssl.h"
#endif
+/**
+ * prototype for struct tls_session from ssl_common.h
+ */
+struct tls_session;
/**
* Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name
@@ -291,7 +295,7 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
* @param session The session associated with the given key_state
*/
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
+ const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
/**
* Free the SSL channel part of the given key state.
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index c1b19dc2..5db717df 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -490,7 +490,6 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
const char *priv_key_file_inline
)
{
- int status;
SSL_CTX *ssl_ctx = NULL;
BIO *in = NULL;
EVP_PKEY *pkey = NULL;
@@ -1015,7 +1014,7 @@ bio_read (BIO *bio, struct buffer *buf, int maxlen, const char *desc)
}
void
-key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
{
ASSERT(NULL != ssl_ctx);
ASSERT(ks_ssl);
@@ -1193,7 +1192,6 @@ show_available_tls_ciphers ()
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
- const char *print_name;
const tls_cipher_name_pair *pair;
int priority = 0;
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index 2b5b37ba..8a917b34 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -502,7 +502,7 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx)
}
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+ const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
{
ASSERT(NULL != ssl_ctx);
ASSERT(ks_ssl);
@@ -533,8 +533,20 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
/* Initialise SSL verification */
- ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
- ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+#if P2MP_SERVER
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--client-cert-not-required may accept clients which do not present "
+ "a certificate");
+ }
+ else
+#endif
+ {
+ ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+ ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+ }
+
/* TODO: PolarSSL does not currently support sending the CA chain to the client */
ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
diff --git a/openvpn/src/openvpn/ssl_verify.c b/openvpn/src/openvpn/ssl_verify.c
index e651a8e0..b1bbc96f 100644
--- a/openvpn/src/openvpn/ssl_verify.c
+++ b/openvpn/src/openvpn/ssl_verify.c
@@ -1027,7 +1027,9 @@ static int
verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username)
{
int retval = OPENVPN_PLUGIN_FUNC_ERROR;
+#ifdef PLUGIN_DEF_AUTH
struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+#endif
/* Is username defined? */
if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))