From 3ae7e2a9cb06f5ddd67b1a9d8a57f8f662028422 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Sun, 23 Jun 2013 22:36:17 +0200
Subject: Sync OpenVPN to master

---
 openvpn/doc/openvpn.8 | 6 +++++-
 openvpn/src/openvpn/crypto.c | 2 --
 openvpn/src/openvpn/init.c | 1 -
 openvpn/src/openvpn/misc.c | 8 --------
 openvpn/src/openvpn/options.c | 2 +-
 openvpn/src/openvpn/proxy.c | 1 -
 openvpn/src/openvpn/route.c | 1 -
 openvpn/src/openvpn/ssl.c | 4 ----
 openvpn/src/openvpn/ssl_backend.h | 6 +++++-
 openvpn/src/openvpn/ssl_openssl.c | 4 +---
 openvpn/src/openvpn/ssl_polarssl.c | 18 +++++++++++++++---
 openvpn/src/openvpn/ssl_verify.c | 2 ++
 12 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/openvpn/doc/openvpn.8 b/openvpn/doc/openvpn.8
index 15dd3206..42c7bf6e 100644
--- a/openvpn/doc/openvpn.8
+++ b/openvpn/doc/openvpn.8
@@ -5378,7 +5378,11 @@ if no gateway is specified.
 .TP
 .B --route-ipv6 ipv6addr/bits [gateway] [metric]
 setup IPv6 routing in the system to send the specified IPv6 network
-into OpenVPN's ``tun'' device
+into OpenVPN's ``tun''. The gateway parameter is only used for
+IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote''
+field from
+.B --ifconfig-ipv6
+is used.
 .TP
 .B --server-ipv6 ipv6addr/bits
 convenience-function to enable a number of IPv6 related options at
diff --git a/openvpn/src/openvpn/crypto.c b/openvpn/src/openvpn/crypto.c
index d9adf5b5..c4c356dc 100644
--- a/openvpn/src/openvpn/crypto.c
+++ b/openvpn/src/openvpn/crypto.c
@@ -1028,7 +1028,6 @@ read_passphrase_hash (const char *passphrase_file,
 uint8_t *output,
 int len)
 {
- unsigned int outlen = 0;
 md_ctx_t md;
 ASSERT (len >= md_kt_size(digest));
@@ -1361,7 +1360,6 @@ prng_bytes (uint8_t *output, int len)
 const int md_size = md_kt_size (nonce_md);
 while (len > 0)
 {
- unsigned int outlen = 0;
 const int blen = min_int (len, md_size);
 md_full(nonce_md, nonce_data, md_size + nonce_secret_len, nonce_data);
 memcpy (output, nonce_data, blen);
diff --git a/openvpn/src/openvpn/init.c b/openvpn/src/openvpn/init.c
index f130cdfd..c288e924 100644
--- a/openvpn/src/openvpn/init.c
+++ b/openvpn/src/openvpn/init.c
@@ -1216,7 +1216,6 @@ do_init_route_ipv6_list (const struct options *options,
 struct env_set *es)
 {
 const char *gw = NULL;
- int dev = dev_type_enum (options->dev, options->dev_type);
 int metric = -1; /* no metric set */
 gw = options->ifconfig_ipv6_remote; /* default GW = remote end */
diff --git a/openvpn/src/openvpn/misc.c b/openvpn/src/openvpn/misc.c
index fa327f8c..1120adc4 100644
--- a/openvpn/src/openvpn/misc.c
+++ b/openvpn/src/openvpn/misc.c
@@ -701,14 +701,6 @@ env_set_remove_from_environment (const struct env_set *es)
 }
 }
-#ifdef HAVE_PUTENV
-
- /* companion functions to putenv */
-
- static struct env_item *global_env = NULL; /* GLOBAL */
-
- #endif
-
 /* add/modify/delete environmental strings */
 void
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index f74ad8ef..e31f918f 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -219,7 +219,7 @@ static const char usage_message[] =
 "--route-ipv6 network/bits [gateway] [metric] :\n"
 " Add IPv6 route to routing table after connection\n"
 " is established. Multiple routes can be specified.\n"
- " gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
+ " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
 "--max-routes n : Specify the maximum number of routes that may be defined\n"
 " or pulled from a server.\n"
 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
diff --git a/openvpn/src/openvpn/proxy.c b/openvpn/src/openvpn/proxy.c
index b4c917a8..533e747e 100644
--- a/openvpn/src/openvpn/proxy.c
+++ b/openvpn/src/openvpn/proxy.c
@@ -439,7 +439,6 @@ struct http_proxy_info *
 http_proxy_new (const struct http_proxy_options *o)
 {
 struct http_proxy_info *p;
- struct http_proxy_options opt;
 if (!o || !o->server)
 msg (M_FATAL, "HTTP_PROXY: server not specified");
diff --git a/openvpn/src/openvpn/route.c b/openvpn/src/openvpn/route.c
index c5a7ba6b..f051dd3c 100644
--- a/openvpn/src/openvpn/route.c
+++ b/openvpn/src/openvpn/route.c
@@ -2881,7 +2881,6 @@ get_default_gateway (struct route_gateway_info *rgi)
 {
 /* get interface name */
 const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
- int len = adl->sdl_nlen;
 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
 {
 memcpy (rgi->iface, adl->sdl_data, adl->sdl_nlen);
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index f2b04488..7cf3b2e4 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
@@ -1735,7 +1735,6 @@ key_method_1_write (struct buffer *buf, struct tls_session *session)
 {
 struct key key;
 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 ASSERT (session->opt->key_method == 1);
 ASSERT (buf_init (buf, 0));
@@ -1852,7 +1851,6 @@ static bool
 key_method_2_write (struct buffer *buf, struct tls_session *session)
 {
 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 ASSERT (session->opt->key_method == 2);
 ASSERT (buf_init (buf, 0));
@@ -1936,7 +1934,6 @@ key_method_1_read (struct buffer *buf, struct tls_session *session)
 int status;
 struct key key;
 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 ASSERT (session->opt->key_method == 1);
@@ -1995,7 +1992,6 @@ static bool
 key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
 {
 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
- struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
 int key_method_flags;
 bool username_status, password_status;
diff --git a/openvpn/src/openvpn/ssl_backend.h b/openvpn/src/openvpn/ssl_backend.h
index f61580cf..72235ae5 100644
--- a/openvpn/src/openvpn/ssl_backend.h
+++ b/openvpn/src/openvpn/ssl_backend.h
@@ -42,6 +42,10 @@
 #include "ssl_verify_polarssl.h"
 #endif
+/**
+ * prototype for struct tls_session from ssl_common.h
+ */
+struct tls_session;
 /**
 * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name
@@ -291,7 +295,7 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx);
 * @param session The session associated with the given key_state
 */
 void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
+ const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);
 /**
 * Free the SSL channel part of the given key state.
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index c1b19dc2..5db717df 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -490,7 +490,6 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
 const char *priv_key_file_inline
 )
 {
- int status;
 SSL_CTX *ssl_ctx = NULL;
 BIO *in = NULL;
 EVP_PKEY *pkey = NULL;
@@ -1015,7 +1014,7 @@ bio_read (BIO *bio, struct buffer *buf, int maxlen, const char *desc)
 }
 void
-key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
 {
 ASSERT(NULL != ssl_ctx);
 ASSERT(ks_ssl);
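Review bot: The comment on the new declaration in ssl_backend.h calls `struct tls_session;` a prototype, but it is an incomplete-type forward declaration: enough for the pointer parameter of key_state_ssl_init, not for the `session->opt` access ssl_polarssl.c performs elsewhere in this patch, so any backend that dereferences the session still has to include ssl_common.h itself. Suggest `/* Forward declaration only; the full definition is in ssl_common.h, which backends that dereference session must include. */`. The existing `@param session` text could also say whether NULL is permitted, since the polarssl backend dereferences it unconditionally in this patch, though that cannot be settled from the header alone.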
@@ -1193,7 +1192,6 @@ show_available_tls_ciphers ()
 SSL_CTX *ctx;
 SSL *ssl;
 const char *cipher_name;
- const char *print_name;
 const tls_cipher_name_pair *pair;
 int priority = 0;
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index 2b5b37ba..8a917b34 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -502,7 +502,7 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx)
 }
 void key_state_ssl_init(struct key_state_ssl *ks_ssl,
- const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+ const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
 {
 ASSERT(NULL != ssl_ctx);
 ASSERT(ks_ssl);
@@ -533,8 +533,20 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
 ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
 /* Initialise SSL verification */
- ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
- ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+#if P2MP_SERVER
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " "--client-cert-not-required may accept clients which do not present " "a certificate");
+ }
+ else
+#endif
+ {
+ ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
+ ssl_set_verify (ks_ssl->ctx, verify_callback, session);
+ }
+
 /* TODO: PolarSSL does not currently support sending the CA chain to the client */
 ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
diff --git a/openvpn/src/openvpn/ssl_verify.c b/openvpn/src/openvpn/ssl_verify.c
index e651a8e0..b1bbc96f 100644
--- a/openvpn/src/openvpn/ssl_verify.c
+++ b/openvpn/src/openvpn/ssl_verify.c
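Review bot: In the SSLF_CLIENT_CERT_NOT_REQUIRED branch of the ssl_polarssl.c hunk neither ssl_set_authmode nor ssl_set_verify is called, so the context keeps whatever authmode PolarSSL initialised it with and verify_callback is never registered; as far as this hunk shows, a certificate that a client does present is then not passed through OpenVPN's verification at all, which is broader than the warning's "clients which do not present a certificate" suggests. Make that explicit instead of relying on a library default: `ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_NONE); /* --client-cert-not-required: client certs neither required nor checked */` in the warning branch, and extend the warning text to say that presented certificates are not verified. If the intent is "check a certificate when one is offered", SSL_VERIFY_OPTIONAL with ssl_set_verify still registered is the alternative, but whether a verify_callback failure still aborts the handshake under OPTIONAL has to be confirmed against the PolarSSL version in use. The warning is also emitted from key_state_ssl_init, so it presumably repeats on every TLS session set-up; option parsing would be a quieter place for it. key_state_ssl_init continues past the end of the hunk.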
@@ -1027,7 +1027,9 @@ static int
 verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username)
 {
 int retval = OPENVPN_PLUGIN_FUNC_ERROR;
+#ifdef PLUGIN_DEF_AUTH
 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
+#endif
 /* Is username defined? */
 if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || strlen (up->username))
--
cgit v1.2.3