Commit c7f5b684 authored by Alberto Gonzalez Iniesta's avatar Alberto Gonzalez Iniesta

Merge tag 'upstream/2.3.2'

Upstream version 2.3.2
parents 31feacd9 70b71e00
OpenVPN Change Log
Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net>
2013.05.31 -- Version 2.3.2
Arne Schwabe (3):
Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script
Davide Brini (1):
Provide more accurate warning message
Gert Doering (2):
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.
James Yonan (1):
Always push basic set of peer info values to server.
Jan Just Keijser (1):
make 'explicit-exit-notify' pullable again
Josh Cepek (2):
Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks
Steffan Karger (2):
Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL
svimik (1):
Fix segfault when enabling pf plug-ins
2013.03.29 -- Version 2.3.1
Arne Schwabe (4):
Remove dead code path and putenv functionality
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.1.
# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.2.
#
# Report bugs to <openvpn-users@lists.sourceforge.net>.
#
......@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='OpenVPN'
PACKAGE_TARNAME='openvpn'
PACKAGE_VERSION='2.3.1'
PACKAGE_STRING='OpenVPN 2.3.1'
PACKAGE_VERSION='2.3.2'
PACKAGE_STRING='OpenVPN 2.3.2'
PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
PACKAGE_URL=''
......@@ -1411,7 +1411,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures OpenVPN 2.3.1 to adapt to many kinds of systems.
\`configure' configures OpenVPN 2.3.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1481,7 +1481,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of OpenVPN 2.3.1:";;
short | recursive ) echo "Configuration of OpenVPN 2.3.2:";;
esac
cat <<\_ACEOF
......@@ -1672,7 +1672,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
OpenVPN configure 2.3.1
OpenVPN configure 2.3.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2454,7 +2454,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by OpenVPN $as_me 2.3.1, which was
It was created by OpenVPN $as_me 2.3.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -2818,7 +2818,7 @@ if test -z "${htmldir}"; then
fi
$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,1,0" >>confdefs.h
$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,2,0" >>confdefs.h
ac_aux_dir=
......@@ -3292,7 +3292,7 @@ fi
# Define the identity of the package.
PACKAGE='openvpn'
VERSION='2.3.1'
VERSION='2.3.2'
cat >>confdefs.h <<_ACEOF
......@@ -16854,7 +16854,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by OpenVPN $as_me 2.3.1, which was
This file was extended by OpenVPN $as_me 2.3.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -16920,7 +16920,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
OpenVPN config.status 2.3.1
OpenVPN config.status 2.3.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
......@@ -13,7 +13,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
Version: 2.3.1
Version: 2.3.2
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
......
......@@ -100,6 +100,6 @@ typedef unsigned long ptr_type;
/*
* Script security warning
*/
#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info."
#define SCRIPT_SECURITY_WARNING "WARNING: External program may not be called unless '--script-security 2' or higher is enabled. See --help text or man page for detailed info."
#endif
......@@ -194,7 +194,8 @@ crypto_init_lib_engine (const char *engine_name)
void
crypto_init_lib (void)
{
#ifndef USE_SSL
#ifndef ENABLE_SSL
/* If SSL is enabled init is taken care of in ssl_openssl.c */
#ifndef ENABLE_SMALL
ERR_load_crypto_strings ();
#endif
......@@ -215,7 +216,8 @@ crypto_init_lib (void)
void
crypto_uninit_lib (void)
{
#ifndef USE_SSL
#ifndef ENABLE_SSL
/* If SSL is enabled cleanup is taken care of in ssl_openssl.c */
EVP_cleanup ();
#ifndef ENABLE_SMALL
ERR_free_strings ();
......
......@@ -1145,13 +1145,14 @@ do_init_traffic_shaper (struct context *c)
}
/*
* Allocate a route list structure if at least one
* --route option was specified.
* Allocate route list structures for IPv4 and IPv6
* (we do this for IPv4 even if no --route option has been seen, as other
* parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
*/
static void
do_alloc_route_list (struct context *c)
{
if (c->options.routes && !c->c1.route_list)
if (!c->c1.route_list)
c->c1.route_list = new_route_list (c->options.max_routes, &c->gc);
if (c->options.routes_ipv6 && !c->c1.route_ipv6_list)
c->c1.route_ipv6_list = new_route_ipv6_list (c->options.max_routes, &c->gc);
......@@ -2191,7 +2192,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
to.renegotiate_seconds = options->renegotiate_seconds;
to.single_session = options->single_session;
#ifdef ENABLE_PUSH_PEER_INFO
to.push_peer_info = options->push_peer_info;
if (options->push_peer_info) /* all there is */
to.push_peer_info_detail = 2;
else if (options->pull) /* pull clients send some details */
to.push_peer_info_detail = 1;
else /* default: no peer-info at all */
to.push_peer_info_detail = 0;
#endif
/* should we not xmit any packets until we get an initial
......@@ -2480,12 +2486,16 @@ do_option_warnings (struct context *c)
msg (M_WARN, "NOTE: --connect-timeout option is not supported on this OS");
#endif
if (script_security >= SSEC_SCRIPTS)
msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
else if (script_security >= SSEC_PW_ENV)
msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
else
msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables");
/* If a script is used, print appropiate warnings */
if (o->user_script_used)
{
if (script_security >= SSEC_SCRIPTS)
msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
else if (script_security >= SSEC_PW_ENV)
msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
else
msg (M_WARN, "NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
}
}
static void
......
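Review bot: The levels written as bare integers in `to.push_peer_info_detail = 2;`, `= 1;` and `= 0;` in do_init_crypto_tls must stay in step with the `> 0` and `>= 2` tests in ssl.c push_peer_info and with the `int push_peer_info_detail` field in ssl_common.h, and nothing ties the three sites together. A named set next to the field would do it, e.g. `enum { PUSH_PEER_INFO_NONE = 0, PUSH_PEER_INFO_BASIC = 1, PUSH_PEER_INFO_FULL = 2 };` (proposed name), used in place of the literals here and in ssl.c. The three inline comments in this hunk already describe the levels; they would be better placed once on the field declaration. do_init_crypto_tls starts and ends outside the hunk. Separately, the comment opening the do_option_warnings hunk misspells `appropriate`.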
......@@ -1830,6 +1830,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
*/
if (ce->proto == PROTO_TCPv4)
msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
if (ce->proto == PROTO_TCPv6)
msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client");
/*
* Sanity check on daemon/inetd modes
......@@ -2352,6 +2354,8 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
{
if (ce->proto == PROTO_TCPv4)
ce->proto = PROTO_TCPv4_SERVER;
else if (ce->proto == PROTO_TCPv6)
ce->proto = PROTO_TCPv6_SERVER;
}
#endif
#if P2MP
......@@ -2728,28 +2732,6 @@ options_postprocess_filechecks (struct options *options)
errs |= check_file_access (CHKACC_FILE, options->tmp_dir,
R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
/* ** Script hooks that accept an optionally quoted and/or escaped executable path, ** */
/* ** optionally followed by arguments ** */
errs |= check_cmd_access (options->auth_user_pass_verify_script,
"--auth-user-pass-verify script");
errs |= check_cmd_access (options->client_connect_script,
"--client-connect script");
errs |= check_cmd_access (options->client_disconnect_script,
"--client-disconnect script");
errs |= check_cmd_access (options->tls_verify,
"--tls-verify script");
errs |= check_cmd_access (options->up_script,
"--up script");
errs |= check_cmd_access (options->down_script,
"--down script");
errs |= check_cmd_access (options->ipchange,
"--ipchange script");
errs |= check_cmd_access (options->route_script,
"--route-up script");
errs |= check_cmd_access (options->route_predown_script,
"--route-pre-down script");
errs |= check_cmd_access (options->learn_address_script,
"--learn-address script");
#endif /* P2MP_SERVER */
if (errs)
......@@ -4011,11 +3993,28 @@ msglevel_forward_compatible (struct options *options, const int msglevel)
}
static void
warn_multiple_script (const char *script, const char *type) {
if (script) {
msg (M_WARN, "Multiple --%s scripts defined. "
"The previously configured script is overridden.", type);
}
set_user_script (struct options *options,
const char **script,
const char *new_script,
const char *type)
{
if (*script) {
msg (M_WARN, "Multiple --%s scripts defined. "
"The previously configured script is overridden.", type);
}
*script = new_script;
options->user_script_used = true;
#ifndef ENABLE_SMALL
{
char script_name[100];
openvpn_snprintf (script_name, sizeof(script_name),
"--%s script", type);
if (check_cmd_access (*script, script_name))
msg (M_USAGE, "Please correct this error.");
}
#endif
}
......@@ -4480,8 +4479,10 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->ipchange, "ipchange");
options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
set_user_script (options,
&options->ipchange,
string_substitute (p[1], ',', ' ', &options->gc),
"ipchange");
}
else if (streq (p[0], "float"))
{
......@@ -4527,16 +4528,14 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->up_script, "up");
options->up_script = p[1];
set_user_script (options, &options->up_script, p[1], "up");
}
else if (streq (p[0], "down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->down_script, "down");
options->down_script = p[1];
set_user_script (options, &options->down_script, p[1], "down");
}
else if (streq (p[0], "down-pre"))
{
......@@ -5069,8 +5068,7 @@ add_option (struct options *options,
#ifdef ENABLE_OCC
else if (streq (p[0], "explicit-exit-notify"))
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
/* VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY); */
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
if (p[1])
{
options->ce.explicit_exit_notification = positive_atoi (p[1]);
......@@ -5218,16 +5216,17 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->route_script, "route-up");
options->route_script = p[1];
set_user_script (options, &options->route_script, p[1], "route-up");
}
else if (streq (p[0], "route-pre-down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->route_predown_script, "route-pre-down");
options->route_predown_script = p[1];
set_user_script (options,
&options->route_predown_script,
p[1],
"route-pre-down");
}
else if (streq (p[0], "route-noexec"))
{
......@@ -5594,32 +5593,33 @@ add_option (struct options *options,
msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
goto err;
}
warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify");
options->auth_user_pass_verify_script = p[1];
set_user_script (options,
&options->auth_user_pass_verify_script,
p[1], "auth-user-pass-verify");
}
else if (streq (p[0], "client-connect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->client_connect_script, "client-connect");
options->client_connect_script = p[1];
set_user_script (options, &options->client_connect_script,
p[1], "client-connect");
}
else if (streq (p[0], "client-disconnect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->client_disconnect_script, "client-disconnect");
options->client_disconnect_script = p[1];
set_user_script (options, &options->client_disconnect_script,
p[1], "client-disconnect");
}
else if (streq (p[0], "learn-address") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->learn_address_script, "learn-address");
options->learn_address_script = p[1];
set_user_script (options, &options->learn_address_script,
p[1], "learn-address");
}
else if (streq (p[0], "tmp-dir") && p[1])
{
......@@ -6507,8 +6507,9 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
warn_multiple_script (options->tls_verify, "tls-verify");
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
set_user_script (options, &options->tls_verify,
string_substitute (p[1], ',', ' ', &options->gc),
"tls-verify");
}
#ifndef ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "tls-export-cert") && p[1])
......
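Review bot: set_user_script now runs check_cmd_access while add_option is still parsing the option, whereas the removed block did it in options_postprocess_filechecks after the whole configuration was read, so the check reflects the working directory and privileges in effect at that point in the file; if an option that changes the directory used for relative paths appears later in the configuration, the check may not describe the path the script is eventually run from — worth confirming. The removed comment that these hooks accept `an optionally quoted and/or escaped executable path, optionally followed by arguments` was lost and belongs on the new function, together with a header comment along the lines of `/* Record a user script hook: warn if it replaces an earlier one, note that a user script is configured (drives the --script-security warnings) and, unless ENABLE_SMALL, verify the executable is accessible; value may be a quoted/escaped path followed by arguments. */`. The access check is an early diagnostic, not a guarantee about the file at execution time, and the comment should say so. In ENABLE_SMALL builds the check is skipped entirely, which is a behaviour difference from the previous location if that block was not under the same guard.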
......@@ -285,6 +285,7 @@ struct options
const char *writepid;
const char *up_script;
const char *down_script;
bool user_script_used;
bool down_pre;
bool up_delay;
bool up_restart;
......
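Review bot: `bool user_script_used;` is added to struct options with no comment, and its meaning is only discoverable from set_user_script in options.c, which sets it, and do_option_warnings in init.c, which reads it. Suggest `bool user_script_used; /* set by set_user_script() when any script hook is configured; enables the --script-security warnings */`.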
......@@ -417,7 +417,7 @@ lookup_cn_rule (struct hash *h, const char *cn, const uint32_t cn_hash)
bool
pf_cn_test (struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix)
{
if (!pfs->kill)
if (pfs && !pfs->kill)
{
const char *cn;
uint32_t cn_hash;
......
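Review bot: The new `pfs && !pfs->kill` guard makes a missing filter set skip the lookup block exactly as a filter that is not marked kill does, so what pf_cn_test returns for a NULL pf_set is decided by the code after the block, outside the hunk; the hunk does not make it clear whether that is fail-open or fail-closed for the connection. A one-line comment at the condition stating the intended semantics, e.g. `/* pfs may be NULL when no packet filter was loaded for this client; treat as "no rule" */` with the resulting return value named, would let a reader confirm the behaviour is the one intended. pf_cn_test continues outside the hunk.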
......@@ -503,6 +503,7 @@ route_list_add_vpn_gateway (struct route_list *rl,
struct env_set *es,
const in_addr_t addr)
{
ASSERT(rl);
rl->spec.remote_endpoint = addr;
rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
setenv_route_addr (es, "vpn_gateway", rl->spec.remote_endpoint, -1);
......
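Review bot: `ASSERT(rl);` turns the NULL-pointer crash into a deliberate abort rather than fixing it; the actual fix is the companion change in init.c do_alloc_route_list, which now allocates the IPv4 route list unconditionally. A comment would make that relationship explicit and stop a later reader from treating the assertion as the remedy, e.g. `/* do_alloc_route_list() always allocates rl; a NULL here is a caller bug, not a configuration state */`. route_list_add_vpn_gateway continues outside the hunk.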
......@@ -2786,6 +2786,7 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
struct iovec iov;
struct msghdr mesg;
struct cmsghdr *cmsg;
union openvpn_pktinfo opi;
iov.iov_base = BPTR (buf);
iov.iov_len = BLEN (buf);
......@@ -2795,11 +2796,10 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
{
case AF_INET:
{
struct openvpn_in4_pktinfo msgpi4;
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in);
mesg.msg_control = &msgpi4;
mesg.msg_controllen = sizeof msgpi4;
mesg.msg_control = &opi;
mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
mesg.msg_flags = 0;
cmsg = CMSG_FIRSTHDR (&mesg);
cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
......@@ -2824,12 +2824,11 @@ link_socket_write_udp_posix_sendmsg (struct link_socket *sock,
}
case AF_INET6:
{
struct openvpn_in6_pktinfo msgpi6;
struct in6_pktinfo *pkti6;
mesg.msg_name = &to->dest.addr.sa;
mesg.msg_namelen = sizeof (struct sockaddr_in6);
mesg.msg_control = &msgpi6;
mesg.msg_controllen = sizeof msgpi6;
mesg.msg_control = &opi;
mesg.msg_controllen = sizeof (struct openvpn_in6_pktinfo);
mesg.msg_flags = 0;
cmsg = CMSG_FIRSTHDR (&mesg);
cmsg->cmsg_len = sizeof (struct openvpn_in6_pktinfo);
......
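Review bot: The reason `union openvpn_pktinfo opi;` moved to function scope is not recorded: the previous per-case locals `msgpi4` and `msgpi6` ended their lifetime at the closing brace of their case while `mesg.msg_control` still pointed at them, so if the sendmsg call sits after the switch (outside the hunk) it read a dead stack object. Suggest a comment on the declaration: `/* must outlive the switch: mesg.msg_control points at this until sendmsg() */`. Setting `msg_controllen` to `sizeof (struct openvpn_in4_pktinfo)` / `sizeof (struct openvpn_in6_pktinfo)` rather than `sizeof opi` is correct only if the union contains both structs and the remaining cmsg fields are filled for the chosen variant; the union definition and the rest of the fill are outside the hunk. link_socket_write_udp_posix_sendmsg starts and ends outside the hunk.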
......@@ -1775,7 +1775,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
bool ret = false;
#ifdef ENABLE_PUSH_PEER_INFO
if (session->opt->push_peer_info) /* write peer info */
if (session->opt->push_peer_info_detail > 0)
{
struct env_set *es = session->opt->es;
struct env_item *e;
......@@ -1801,26 +1801,27 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
buf_printf (&out, "IV_PLAT=win\n");
#endif
/* push mac addr */
{
struct route_gateway_info rgi;
get_default_gateway (&rgi);
if (rgi.flags & RGI_HWADDR_DEFINED)
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
}
/* push LZO status */
#ifdef ENABLE_LZO_STUB
buf_printf (&out, "IV_LZO_STUB=1\n");
#endif
/* push env vars that begin with UV_ */
for (e=es->list; e != NULL; e=e->next)
{
if (e->string)
if (session->opt->push_peer_info_detail >= 2)
{
/* push mac addr */
struct route_gateway_info rgi;
get_default_gateway (&rgi);
if (rgi.flags & RGI_HWADDR_DEFINED)
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
/* push env vars that begin with UV_ */
for (e=es->list; e != NULL; e=e->next)
{
if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
buf_printf (&out, "%s\n", e->string);
if (e->string)
{
if (!strncmp(e->string, "UV_", 3) && buf_safe(&out, strlen(e->string)+1))
buf_printf (&out, "%s\n", e->string);
}
}
}
......
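Review bot: With the test now `push_peer_info_detail > 0`, a client gets to this block without having configured --push-peer-info (init.c sets level 1 for any `--pull` client), so the platform and LZO-stub lines visible here, plus whatever precedes them above the hunk, are sent to the server by default, while the hardware address and the `UV_` environment stay behind the `>= 2` test. That is the intent stated in the commit message, but the --push-peer-info documentation should say that the baseline block is always sent and that the option adds the MAC address and arbitrary `UV_*` variables, since those are the privacy-relevant part. A comment on the inner test would help too: `/* detail >= 2: --push-peer-info was given; also disclose hardware address and UV_* env */`. push_peer_info starts and ends outside the hunk.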
......@@ -233,7 +233,7 @@ struct tls_options
bool disable_occ;
#endif
#ifdef ENABLE_PUSH_PEER_INFO
bool push_peer_info;
int push_peer_info_detail;
#endif
int transition_window;
int handshake_window;
......
......@@ -217,8 +217,9 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
ASSERT(NULL != ctx);
// Translate IANA cipher suite names to OpenSSL names
for (begin_of_cipher = 0; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher+1) {
end_of_cipher = strcspn(&ciphers[begin_of_cipher], ":");
begin_of_cipher = end_of_cipher = 0;
for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
if (NULL == cipher_pair)
......@@ -257,6 +258,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
openssl_ciphers_len += current_cipher_len;
openssl_ciphers[openssl_ciphers_len] = ':';
openssl_ciphers_len++;
end_of_cipher++;
}
if (openssl_ciphers_len > 0)
......
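Review bot: The rewritten loop advances only through `end_of_cipher += strcspn(...)` at the top and the `end_of_cipher++;` added at the very end of the body, with `begin_of_cipher = end_of_cipher` in the for-clause; any `continue` inserted into the body between them would re-parse the same token forever, so the increment deserves a comment such as `/* skip the ':' separator; must run every iteration or the loop stalls */`. The condition `begin_of_cipher < strlen(ciphers)` recomputes the length on every iteration; hoisting it into `const size_t ciphers_len = strlen(ciphers);` before the loop is cheaper and also makes the end-of-string case (the final `end_of_cipher++` stepping one past the terminator) easier to reason about. tls_ctx_restrict_ciphers starts and ends outside the hunk.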
......@@ -879,7 +879,10 @@ openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
start_info.dwFlags = STARTF_USESHOWWINDOW;
start_info.wShowWindow = SW_HIDE;
if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info))
/* this allows console programs to run, and is ignored otherwise */
DWORD proc_flags = CREATE_NO_WINDOW;
if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
{
DWORD exit_status = 0;
CloseHandle (proc_info.hThread);
......
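Review bot: `DWORD proc_flags = CREATE_NO_WINDOW;` is a declaration placed after the `start_info.dwFlags` and `wShowWindow` assignments, which relies on C99 mixed declarations; if this file is still built with a compiler that rejects declarations after statements in C mode, move it to the top of the block or pass `CREATE_NO_WINDOW` directly as the CreateProcessW argument. The comment `this allows console programs to run, and is ignored otherwise` says what the flag does but not what was broken; referencing the changelog entry `Fix Windows script execution when called from script hooks` would preserve the motivation. openvpn_execve starts and ends outside the hunk.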
dnl define the OpenVPN version
define([PRODUCT_NAME], [OpenVPN])
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION], [2.3.1])
define([PRODUCT_VERSION], [2.3.2])
define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
define([PRODUCT_VERSION_RESOURCE], [2,3,1,0])
define([PRODUCT_VERSION_RESOURCE], [2,3,2,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
......