From 9a526dbc926ad43073016c8bf4634f781391acff Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 24 Feb 2015 21:20:30 +0100 Subject: Update OpenVPN to -master --- main/openvpn/config-version.h | 2 +- main/openvpn/sample/sample-config-files/client.conf | 2 +- .../sample/sample-config-files/loopback-client | 1 + .../sample/sample-config-files/loopback-server | 1 + main/openvpn/sample/sample-config-files/server.conf | 2 +- main/openvpn/sample/sample-keys/gen-sample-keys.sh | 3 +++ main/openvpn/sample/sample-keys/ta.key | 21 +++++++++++++++++++++ main/openvpn/src/openvpn/mroute.c | 12 ++++++++++-- main/openvpn/src/openvpn/socket.c | 16 +++++++++++++--- main/openvpn/src/openvpn/ssl_openssl.c | 4 ++++ 10 files changed, 56 insertions(+), 8 deletions(-) create mode 100644 main/openvpn/sample/sample-keys/ta.key diff --git a/main/openvpn/config-version.h b/main/openvpn/config-version.h index 6044ed8e..eb75eff4 100644 --- a/main/openvpn/config-version.h +++ b/main/openvpn/config-version.h @@ -1,2 +1,2 @@ -#define CONFIGURE_GIT_REVISION "icsopenvpn_629-3976c7f5f4d39f06" +#define CONFIGURE_GIT_REVISION "icsopenvpn_629-4c6f7f0d16e1a6b3" #define CONFIGURE_GIT_FLAGS "" diff --git a/main/openvpn/sample/sample-config-files/client.conf b/main/openvpn/sample/sample-config-files/client.conf index 050ef600..fedcbd6e 100644 --- a/main/openvpn/sample/sample-config-files/client.conf +++ b/main/openvpn/sample/sample-config-files/client.conf @@ -105,7 +105,7 @@ remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. -;tls-auth ta.key 1 +tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server diff --git a/main/openvpn/sample/sample-config-files/loopback-client b/main/openvpn/sample/sample-config-files/loopback-client index ebbd1cf4..7117307d 100644 --- a/main/openvpn/sample/sample-config-files/loopback-client +++ b/main/openvpn/sample/sample-config-files/loopback-client 
@@ -21,5 +21,6 @@ remote-cert-tls server ca sample-keys/ca.crt key sample-keys/client.key cert sample-keys/client.crt +tls-auth sample-keys/ta.key 1 ping 1 inactive 120 10000000 diff --git a/main/openvpn/sample/sample-config-files/loopback-server b/main/openvpn/sample/sample-config-files/loopback-server index 8cb97be0..8e1f39cd 100644 --- a/main/openvpn/sample/sample-config-files/loopback-server +++ b/main/openvpn/sample/sample-config-files/loopback-server @@ -21,5 +21,6 @@ dh sample-keys/dh2048.pem ca sample-keys/ca.crt key sample-keys/server.key cert sample-keys/server.crt +tls-auth sample-keys/ta.key 0 ping 1 inactive 120 10000000 diff --git a/main/openvpn/sample/sample-config-files/server.conf b/main/openvpn/sample/sample-config-files/server.conf index 701be3cc..c85ca0ff 100644 --- a/main/openvpn/sample/sample-config-files/server.conf +++ b/main/openvpn/sample/sample-config-files/server.conf @@ -241,7 +241,7 @@ keepalive 10 120 # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret +tls-auth ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to diff --git a/main/openvpn/sample/sample-keys/gen-sample-keys.sh b/main/openvpn/sample/sample-keys/gen-sample-keys.sh index 414687eb..725cfc97 100755 --- a/main/openvpn/sample/sample-keys/gen-sample-keys.sh +++ b/main/openvpn/sample/sample-keys/gen-sample-keys.sh @@ -14,6 +14,9 @@ then exit 1 fi +# Generate static key for tls-auth (or static key mode) +$(dirname ${0})/../../src/openvpn/openvpn --genkey --secret ta.key + # Create required directories and files mkdir -p sample-ca rm -f sample-ca/index.txt diff --git a/main/openvpn/sample/sample-keys/ta.key b/main/openvpn/sample/sample-keys/ta.key new file mode 100644 index 00000000..16690368 --- /dev/null +++ b/main/openvpn/sample/sample-keys/ta.key 
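Review bot: The new `openvpn --genkey --secret ta.key` line in gen-sample-keys.sh checks neither that the binary exists nor that the command succeeded, so on an unbuilt tree the script carries on with no ta.key written and the sample configs that now reference `sample-keys/ta.key` fail later with a less obvious error; `${0}` is also expanded unquoted, so a checkout path containing whitespace breaks the invocation. The check just above the hunk already exits 1 on failure, so the same treatment fits here: `"$(dirname "$0")/../../src/openvpn/openvpn" --genkey --secret ta.key || { echo "failed to generate ta.key" >&2; exit 1; }`. Whether the script runs under `set -e` is not visible from the hunk, so the explicit check is the safe assumption.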
@@ -0,0 +1,21 @@
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+a863b1cbdb911ff4ef3360ce135157e7
+241a465f5045f51cf9a92ebc24da34fd
+5fc48456778c977e374d55a8a7298aef
+40d0ab0c60b5e09838510526b73473a0
+8da46a8c352572dd86d4a871700a915b
+6aaa58a9dac560db2dfdd7ef15a202e1
+fca6913d7ee79c678c5798fbf7bd920c
+caa7a64720908da7254598b052d07f55
+5e31dc5721932cffbdd8965d04107415
+46c86823da18b66aab347e4522cc05ff
+634968889209c96b1024909cd4ce574c
+f829aa9c17d5df4a66043182ee23635d
+8cabf5a7ba02345ad94a3aa25a63d55c
+e13f4ad235a0825e3fe17f9419baff1c
+e73ad1dd652f1e48c7102fe8ee181e54
+10a160ae255f63fd01db1f29e6efcb8e
+-----END OpenVPN Static key V1-----
diff --git a/main/openvpn/src/openvpn/mroute.c b/main/openvpn/src/openvpn/mroute.c
index ba4ef46f..972f1dd5 100644
--- a/main/openvpn/src/openvpn/mroute.c
+++ b/main/openvpn/src/openvpn/mroute.c
@@ -426,8 +426,16 @@ mroute_addr_print_ex (const struct mroute_addr *ma,
 break;
 case MR_ADDR_IPV6:
 {
- buf_printf (&out, "%s",
- print_in6_addr( *(struct in6_addr*)&maddr.addr, 0, gc));
+ if ( IN6_IS_ADDR_V4MAPPED( (struct in6_addr*)&maddr.addr ) )
+ {
+ buf_printf (&out, "%s",
+ print_in_addr_t( *(in_addr_t*)(&maddr.addr[12]), IA_NET_ORDER, gc));
+ }
+ else
+ {
+ buf_printf (&out, "%s",
+ print_in6_addr( *(struct in6_addr*)&maddr.addr, 0, gc));
+ }
 if (maddr.type & MR_WITH_NETBITS)
 {
 buf_printf (&out, "/%d", maddr.netbits);
diff --git a/main/openvpn/src/openvpn/socket.c b/main/openvpn/src/openvpn/socket.c
index 331a9d9f..f5c740d8 100644
--- a/main/openvpn/src/openvpn/socket.c
+++ b/main/openvpn/src/openvpn/socket.c
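Review bot: The tls-auth key committed in this file is public from the moment it lands in the repository, and the client.conf, server.conf and loopback configs in the same commit now enable `tls-auth ta.key` against it by default, so anyone who copies the sample tree unchanged ends up with an HMAC "secret" that every reader of this repo also holds, giving none of the packet-authentication or probe resistance tls-auth exists for. If the file has to ship for the loopback tests, the header lines already use `#` comments, so add one that says so explicitly, e.g. `# SAMPLE KEY - PUBLIC - regenerate with gen-sample-keys.sh before any real use`, and state the same next to the `# This file is secret` remark in server.conf. It is also not clear from the diff whether gen-sample-keys.sh is meant to overwrite this committed copy on every run or whether the committed copy is the one the loopback configs are expected to use.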
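Review bot: In the new v4-mapped branch, `*(in_addr_t*)(&maddr.addr[12])` reads four bytes of what looks like a byte array through an `in_addr_t` pointer, which is a strict-aliasing violation and, at offset 12, a possibly unaligned load on strict targets; copy the bytes out instead, `in_addr_t v4; memcpy(&v4, &maddr.addr[12], sizeof v4);` and pass `v4` to `print_in_addr_t(v4, IA_NET_ORDER, gc)`. Separately, the `/%d` netbits suffix appended after the branch is untouched, so a mapped address carrying MR_WITH_NETBITS would presumably print as `1.2.3.4/128` rather than `/32`; if netbits is an IPv6 prefix length here, subtract 96 in the mapped case or add a comment saying the raw value is intended. mroute_addr_print_ex begins and ends outside the hunk.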
@@ -2573,9 +2573,19 @@ setenv_sockaddr (struct env_set *es, const char *name_prefix, const struct openv } break; case AF_INET6: - openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip6", name_prefix); - getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), - buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); + if ( IN6_IS_ADDR_V4MAPPED( &addr->addr.in6.sin6_addr )) + { + struct in_addr ia; + ia.s_addr = *(in_addr_t *)&addr->addr.in6.sin6_addr.s6_addr[12] ; + openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip", name_prefix); + openvpn_snprintf (buf, sizeof(buf), "%s", inet_ntoa(ia) ); + } + else + { + openvpn_snprintf (name_buf, sizeof (name_buf), "%s_ip6", name_prefix); + getnameinfo(&addr->addr.sa, sizeof (struct sockaddr_in6), + buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); + } setenv_str (es, name_buf, buf); if ((flags & SA_IP_PORT) && addr->addr.in6.sin6_port) diff --git a/main/openvpn/src/openvpn/ssl_openssl.c b/main/openvpn/src/openvpn/ssl_openssl.c index 48c05715..d9abc6ea 100644 --- a/main/openvpn/src/openvpn/ssl_openssl.c +++ b/main/openvpn/src/openvpn/ssl_openssl.c @@ -202,6 +202,10 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) #ifdef SSL_OP_NO_TLSv1_2 if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2) sslopt |= SSL_OP_NO_TLSv1_2; +#endif +#ifdef SSL_OP_NO_COMPRESSION + /* Disable compression - flag not available in OpenSSL 0.9.8 */ + sslopt |= SSL_OP_NO_COMPRESSION; #endif SSL_CTX_set_options (ctx->ctx, sslopt); } -- cgit v1.2.3
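Review bot: `ia.s_addr = *(in_addr_t *)&addr->addr.in6.sin6_addr.s6_addr[12]` in the new mapped-address branch type-puns four bytes of `s6_addr` through an `in_addr_t` pointer (aliasing and alignment), and `inet_ntoa()` hands back a pointer into a static buffer; if `inet_ntop` is available to this file, `inet_ntop(AF_INET, &addr->addr.in6.sin6_addr.s6_addr[12], buf, sizeof(buf))` writes the dotted quad straight into `buf` with neither the cast nor the static state, and the `ia` temporary and second `openvpn_snprintf` can go. Neither that call nor the pre-existing `getnameinfo` in the else branch has its result checked, so on failure `setenv_str` presumably publishes whatever `buf` held before; checking the return before `setenv_str`, or at least clearing `buf` first, would keep stale data out of the script environment. Scripts that read `_ip6` for a mapped peer now get `_ip` instead, which is the intent but deserves a changelog line. setenv_sockaddr begins outside the hunk.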
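Review bot: Disabling TLS-level compression is the right call (it is the CRIME vector), but when `SSL_OP_NO_COMPRESSION` is not defined the `#ifdef` silently leaves compression negotiable, so an OpenSSL 0.9.8 build gives no sign that it is weaker; an `#else` branch that logs a warning through the file's usual logging call would make the deviation visible at runtime. The comment also describes the flag rather than the consequence; `/* Disable TLS compression (CRIME). SSL_OP_NO_COMPRESSION is missing on OpenSSL 0.9.8, where compression therefore stays enabled. */` tells the reader what actually happens on the fallback path. tls_ctx_set_options begins outside the hunk.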