Commit e5caec6b authored by Alberto Gonzalez Iniesta

Merge tag 'upstream/2.3.3'

Upstream version 2.3.3
parents 72eb8792 0af7f640
OpenVPN Change Log
Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net>
2014.04.08 -- Version 2.3.3
Alon Bar-Lev (1):
pkcs11: use generic evp key instead of rsa
Arne Schwabe (8):
Add support of utun devices under Mac OS X
Add support to ignore specific options.
Add a note what setenv opt does for OpenVPN < 2.3.3
Add reporting of UI version to basic push-peer-info set.
Fix compile error in ssl_openssl introduced by polar external-management patch
Fix assertion when SIGUSR1 is received while getaddrinfo is successful
Add warning for using connection block variables after connection blocks
Introduce safety check for http proxy options
David Sommerseth (5):
man page: Update man page about the tls_digest_{n} environment variable
Remove the --disable-eurephia configure option
plugin: Extend the plug-in v3 API to identify the SSL implementation used
autoconf: Fix typo
Fix file checks when --chroot is being used
Davide Brini (1):
Document authfile for socks server
Gert Doering (9):
Fix IPv6 examples in t_client.rc-sample
Fix slow memory drain on each client renegotiation.
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
Make code and documentation for --remote-random-hostname consistent.
Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
Document issue with --chroot, /dev/urandom and PolarSSL.
Rename 'struct route' to 'struct route_ipv4'
Replace copied structure elements with including <net/route.h>
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
Heikki Hannikainen (1):
Always load intermediate certificates from a PKCS#12 file
Heiko Hund (2):
Support non-ASCII TAP adapter names on Windows
Support non-ASCII characters in Windows tmp path
James Yonan (3):
TLS version negotiation
Added "setenv opt" directive prefix.
Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
Jens Wagner (1):
Fix spurious ignoring of pushed config options (trac#349).
Joachim Schipper (3):
Refactor tls_ctx_use_external_private_key()
--management-external-key for PolarSSL
external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
Josh Cepek (2):
Correct error text when no Windows TAP device is present
Require a 1.2.x PolarSSL version
Klee Dienes (1):
tls_ctx_load_ca: Improve certificate error messages
Max Muster (1):
Remove duplicate cipher entries from TLS translation table.
Peter Sagerson (1):
Fix configure interaction with static OpenSSL libraries
Steffan Karger (7):
Do not pass struct tls_session* as void* in key_state_ssl_init().
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
If --tls-cipher is supplied, make --show-tls parse the list.
Add openssl-specific common cipher list names to ssl.c.
Tamas TEVESZ (1):
Add support for client-cert-not-required for PolarSSL.
Thomas Veerman (1):
Fix "." in description of utun.
2013.05.31 -- Version 2.3.2
Arne Schwabe (3):
Only print script warnings when a script is used. Remove stray mention of script-security system.
......@@ -169,8 +169,6 @@ OPTIONS for ./configure:
--disable-server disable server support only (but retain client
support) [default=yes]
--disable-plugins disable plug-in support [default=yes]
--disable-eurephia disable support for the eurephia plug-in
[default=yes]
--disable-management disable management server support [default=yes]
--enable-pkcs11 enable pkcs11 support [default=no]
--disable-socks disable Socks support [default=yes]
......@@ -36,9 +36,6 @@
/* Enable deferred authentication */
#undef ENABLE_DEF_AUTH
/* Enable support for the eurephia plug-in */
#undef ENABLE_EUREPHIA
/* We have persist tun capability */
#undef ENABLE_FEATURE_TUN_PERSIST
......@@ -72,7 +69,7 @@
/* Enable PKCS11 */
#undef ENABLE_PKCS11
/* Enable systemd support */
/* Enable plug-in support */
#undef ENABLE_PLUGIN
/* Enable TCP Server port sharing */
......@@ -355,6 +352,9 @@
/* Define to 1 if you have the <net/if_tun.h> header file. */
#undef HAVE_NET_IF_TUN_H
/* Define to 1 if you have the <net/if_utun.h> header file. */
#undef HAVE_NET_IF_UTUN_H
/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
#undef HAVE_NET_TUN_IF_TUN_H
......@@ -481,6 +481,9 @@
/* Define to 1 if you have the <sys/ioctl.h> header file. */
#undef HAVE_SYS_IOCTL_H
/* Define to 1 if you have the <sys/kern_control.h> header file. */
#undef HAVE_SYS_KERN_CONTROL_H
/* Define to 1 if you have the <sys/mman.h> header file. */
#undef HAVE_SYS_MMAN_H
......@@ -95,13 +95,6 @@ AC_ARG_ENABLE(
[enable_plugins="yes"]
)
AC_ARG_ENABLE(
[eurephia],
[AS_HELP_STRING([--disable-eurephia], [disable support for the eurephia plug-in @<:@default=yes@:>@])],
,
[enable_eurephia="yes"]
)
AC_ARG_ENABLE(
[management],
[AS_HELP_STRING([--disable-management], [disable management server support @<:@default=yes@:>@])],
......@@ -454,7 +447,7 @@ SOCKET_INCLUDES="
"
AC_CHECK_HEADERS(
[net/if.h netinet/ip.h netinet/if_ether.h resolv.h sys/un.h],
[net/if.h netinet/ip.h netinet/if_ether.h resolv.h sys/un.h net/if_utun.h sys/kern_control.h],
,
,
[[${SOCKET_INCLUDES}]]
......@@ -727,7 +720,7 @@ esac
PKG_CHECK_MODULES(
[PKCS11_HELPER],
[libpkcs11-helper-1 >= 1.02],
[libpkcs11-helper-1 >= 1.11],
[have_pkcs11_helper="yes"],
[]
)
......@@ -756,7 +749,9 @@ PKG_CHECK_MODULES(
[
have_openssl_ssl="yes"
OPENSSL_SSL_LIBS="-lssl"
]
],
[],
[-lcrypto]
)]
)
......@@ -814,13 +809,13 @@ if test "${with_crypto_library}" = "polarssl" ; then
#include <polarssl/version.h>
]],
[[
#if POLARSSL_VERSION_NUMBER < 0x01020500
#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
#error invalid version
#endif
]]
)],
[AC_MSG_RESULT([ok])],
[AC_MSG_ERROR([PolarSSL 1.2.5 or newer required])]
[AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
)
polarssl_with_pkcs11="no"
......@@ -974,8 +969,7 @@ fi
if test "${enable_plugins}" = "yes"; then
OPTIONAL_DL_LIBS="${DL_LIBS}"
AC_DEFINE([ENABLE_PLUGIN], [1], [Enable systemd support])
test "${enable_eurephia}" = "yes" && AC_DEFINE([ENABLE_EUREPHIA], [1], [Enable support for the eurephia plug-in])
AC_DEFINE([ENABLE_PLUGIN], [1], [Enable plug-in support])
else
enable_plugin_auth_pam="no"
enable_plugin_down_root="no"
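Review bot: The PolarSSL version test only pins the header version at configure time, so a binary built against 1.2.10 headers but run against an older 1.2.x shared library would silently lose the CVE-2013-5915 fix that the new lower bound exists to guarantee. If PolarSSL exposes a runtime version accessor, a startup comparison against 0x01020A00 (warn or abort) would close that gap; otherwise the error text should at least say why 1.2.10 is the floor, e.g. `[PolarSSL 1.2.x required and must be 1.2.10 or later (CVE-2013-5915)]`. The upper bound excluding 1.3.x is a sensible guard given the API break there.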
......@@ -13,7 +13,7 @@
Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan.
Name: openvpn
Version: 2.3.2
Version: 2.3.3
Release: 1
URL: http://openvpn.net/
Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz
......@@ -271,7 +271,7 @@ failover capability.
.\"*********************************************************
.TP
.B \-\-remote-random-hostname
Add a random string (6 characters) to first DNS label of hostname to prevent
Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent
DNS caching. For example, "foo.bar.gov" would be modified to
"<random-chars>.foo.bar.gov".
.\"*********************************************************
......@@ -554,12 +554,15 @@ Set HTTP "User-Agent" string to
.B user-agent.
.\"*********************************************************
.TP
.B \-\-socks-proxy server [port]
.B \-\-socks-proxy server [port] [authfile]
Connect to remote host through a Socks5 proxy at address
.B server
and port
.B port
(default=1080).
.B authfile
(optional) is a file containing a username and password on 2 lines, or
"stdin" to prompt from console.
.\"*********************************************************
.TP
.B \-\-socks-proxy-retry
......@@ -805,6 +808,17 @@ also specify
or
.B \-\-dev-type tap.
Under Mac OS X this option can be used to specify the default tun
implementation. Using
.B \-\-dev\-node utun
forces usage of the native Darwin tun kernel support. Use
.B \-\-dev\-node utunN
to select a specific utun instance. To force using the tun.kext (/dev/tunX) use
.B \-\-dev\-node tun\fR.
When not specifying a
.B \-\-dev\-node
option openvpn will first try to open utun, and fall back to tun.kext.
On Windows systems, select the TAP-Win32 adapter which
is named
.B node
......@@ -1880,6 +1894,18 @@ reasons for having OpenVPN fail if it detects problems in a
config file. Having said that, there are valid reasons for wanting
new software features to gracefully degrade when encountered by
older software versions.
It is also possible to tag a single directive so as not to trigger
a fatal error if the directive isn't recognized. To do this,
prepend the following before the directive:
.B setenv opt
Versions prior to OpenVPN 2.3.3 will always ignore options set with the
.B setenv opt
directive.
See also
.B \-\-ignore-unknown-option
.\"*********************************************************
.TP
.B \-\-setenv-safe name value
......@@ -1893,6 +1919,25 @@ is a safety precaution to prevent a LD_PRELOAD style attack
from a malicious or compromised server.
.\"*********************************************************
.TP
.B \-\-ignore-unknown-option opt1 opt2 opt3 ... optN
When one of options
.B opt1 ... optN
is encountered in the configuration file the configuration
file parsing does not fail if this OpenVPN version does not
support the option. Multiple
.B \-\-ignore-unknown-option
options can be given to support a larger number of options to ignore.
This option should be used with caution, as there are good security
reasons for having OpenVPN fail if it detects problems in a
config file. Having said that, there are valid reasons for wanting
new software features to gracefully degrade when encountered by
older software versions.
.B \-\-ignore-unknown-option
is available since OpenVPN 2.3.3.
.\"*********************************************************
.TP
.B \-\-script-security level
This directive offers policy-level control over OpenVPN's usage of external programs
and scripts. Lower
......@@ -2037,6 +2082,16 @@ In many cases, the
parameter can point to an empty directory, however
complications can result when scripts or restarts
are executed after the chroot operation.
Note: if OpenVPN is built using the PolarSSL SSL
library,
.B \-\-chroot
will only work if a /dev/urandom device node is available
inside the chroot directory
.B dir.
This is due to the way PolarSSL works (it wants to open
/dev/urandom every time randomness is needed, not just once
at startup) and nothing OpenVPN can influence.
.\"*********************************************************
.TP
.B \-\-setcon context
......@@ -4214,6 +4269,15 @@ when you built your peer's certificate (see
above).
.\"*********************************************************
.TP
.B \-\-tls-version-min version ['or-highest']
Sets the minimum
TLS version we will accept from the peer (default is "1.0").
Examples for version
include "1.0", "1.1", or "1.2". If 'or-highest' is specified
and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.
.\"*********************************************************
.TP
.B \-\-pkcs12 file
Specify a PKCS #12 file containing local private key,
local certificate, and root CA certificate.
......@@ -5941,6 +6005,16 @@ Set prior to execution of the
script.
.\"*********************************************************
.TP
.B tls_digest_{n}
Contains the certificate SHA1 fingerprint/digest hash value,
where
.B n
is the verification level. Only set for TLS connections. Set prior
to execution of
.B \-\-tls-verify
script.
.\"*********************************************************
.TP
.B tls_id_{n}
A series of certificate fields from the remote peer,
where
......@@ -201,10 +201,15 @@ struct openvpn_plugin_string_list
*
* Version Comment
* 1 Initial plugin v3 structures providing the same API as
* the v2 plugin interface + X509 certificate information.
* the v2 plugin interface, X509 certificate information +
* a logging API for plug-ins.
*
* 2 Added ssl_api member in struct openvpn_plugin_args_open_in
* which identifies the SSL implementation OpenVPN is compiled
* against.
*
*/
#define OPENVPN_PLUGINv3_STRUCTVER 1
#define OPENVPN_PLUGINv3_STRUCTVER 2
/**
* Definitions needed for the plug-in callback functions.
......@@ -259,6 +264,18 @@ struct openvpn_plugin_callbacks
plugin_vlog_t plugin_vlog;
};
/**
* Used by the openvpn_plugin_open_v3() function to indicate to the
* plug-in what kind of SSL implementation OpenVPN uses. This is
* to avoid SEGV issues when OpenVPN is complied against PolarSSL
* and the plug-in against OpenSSL.
*/
typedef enum {
SSLAPI_NONE,
SSLAPI_OPENSSL,
SSLAPI_POLARSSL
} ovpnSSLAPI;
/**
* Arguments used to transport variables to the plug-in.
* The struct openvpn_plugin_args_open_in is only used
......@@ -286,6 +303,7 @@ struct openvpn_plugin_args_open_in
const char ** const argv;
const char ** const envp;
struct openvpn_plugin_callbacks *callbacks;
const ovpnSSLAPI ssl_api;
};
......@@ -557,7 +575,8 @@ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_func_v2)
* ARGUMENTS
*
* version : fixed value, defines the API version of the OpenVPN plug-in API. The plug-in
* should validate that this value is matching the OPENVPN_PLUGIN_VERSION value.
* should validate that this value is matching the OPENVPN_PLUGINv3_STRUCTVER
* value.
*
* arguments : Structure with all arguments available to the plug-in.
*
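Review bot: `ssl_api` is appended as the last member of `struct openvpn_plugin_args_open_in` and the struct version is bumped to 2, but the Version table does not tell a plug-in built against this header how to behave when an older OpenVPN hands it `v3structver` 1, where the field would presumably lie past the end of the caller's struct. Suggest adding to the table: `Plug-ins must check v3structver >= 2 before reading ssl_api.` The comment above the enum has a typo, `complied` → `compiled`, and the CamelCase typedef `ovpnSSLAPI` stands out in a header that otherwise uses snake_case; `openvpn_plugin_ssl_api_t` would match the surrounding names.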
......@@ -70,7 +70,7 @@
# compiler: $LTCC
# compiler flags: $LTCFLAGS
# linker: $LD (gnu? $with_gnu_ld)
# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu2
# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1.1
# automake: $automake_version
# autoconf: $autoconf_version
#
......@@ -80,7 +80,7 @@
PROGRAM=libtool
PACKAGE=libtool
VERSION="2.4.2 Debian-2.4.2-1ubuntu2"
VERSION="2.4.2 Debian-2.4.2-1.1"
TIMESTAMP=""
package_revision=1.3337
......@@ -2512,17 +2512,6 @@ freebsd* | dragonfly*)
esac
;;
gnu*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
hardcode_into_libs=yes
;;
haiku*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
......@@ -2639,7 +2628,7 @@ linux*oldld* | linux*aout* | linux*coff*)
;;
# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
......@@ -3255,10 +3244,6 @@ freebsd* | dragonfly*)
fi
;;
gnu*)
lt_cv_deplibs_check_method=pass_all
;;
haiku*)
lt_cv_deplibs_check_method=pass_all
;;
......@@ -3297,7 +3282,7 @@ irix5* | irix6* | nonstopux*)
;;
# This must be glibc/ELF.
linux* | k*bsd*-gnu | kopensolaris*-gnu)
linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
lt_cv_deplibs_check_method=pass_all
;;
......@@ -4049,7 +4034,7 @@ m4_if([$1], [CXX], [
;;
esac
;;
linux* | k*bsd*-gnu | kopensolaris*-gnu)
linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
KCC*)
# KAI C++ Compiler
......@@ -4348,7 +4333,7 @@ m4_if([$1], [CXX], [
_LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
;;
linux* | k*bsd*-gnu | kopensolaris*-gnu)
linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
# old Intel for x86_64 which still supported -KPIC.
ecc*)
......@@ -6241,9 +6226,6 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(ld_shlibs, $1)=yes
;;
gnu*)
;;
haiku*)
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
_LT_TAGVAR(link_all_deplibs, $1)=yes
......@@ -6405,7 +6387,7 @@ if test "$_lt_caught_CXX_error" != yes; then
_LT_TAGVAR(inherit_rpath, $1)=yes
;;
linux* | k*bsd*-gnu | kopensolaris*-gnu)
linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
case $cc_basename in
KCC*)
# Kuck and Associates, Inc. (KAI) C++ Compiler
......@@ -6,7 +6,7 @@
#
# This directory is where we will look for openvpn-plugin.h
CPPFLAGS="${CPPFLAGS:--I../../..}"
CPPFLAGS="${CPPFLAGS:--I../../../include}"
CC="${CC:-gcc}"
CFLAGS="${CFLAGS:--O2 -Wall -g}"
......@@ -85,6 +85,11 @@ openvpn_plugin_open_v3 (const int v3structver,
return OPENVPN_PLUGIN_FUNC_ERROR;
}
if( args->ssl_api != SSLAPI_OPENSSL ) {
printf("This plug-in can only be used against OpenVPN with OpenSSL\n");
return OPENVPN_PLUGIN_FUNC_ERROR;
}
/* Which callbacks to intercept. */
ret->type_mask =
OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_UP) |
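Review bot: The new `if( args->ssl_api != SSLAPI_OPENSSL )` guard is only memory-safe if the preceding `v3structver` check (its condition is above this hunk) rejects anything below 2, because `ssl_api` is the last member of a struct that grew in this release. An explicit `if (v3structver < 2) return OPENVPN_PLUGIN_FUNC_ERROR;` in front of it, or a comment stating that dependency, would keep the sample safe if the version check is later relaxed. The error also goes to stdout via `printf`; a daemon plug-in should report through the logging callback in `args->callbacks` (the header shows a `plugin_vlog` member) or at least `fprintf(stderr, ...)`, so the reason for refusing to load reaches OpenVPN's log. openvpn_plugin_open_v3 begins before the hunk.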
......@@ -327,19 +327,28 @@ gc_malloc (size_t size, bool clear, struct gc_arena *a)
#endif
{
void *ret;
struct gc_entry *e;
ASSERT (NULL != a);
if (a)
{
struct gc_entry *e;
#ifdef DMALLOC
e = (struct gc_entry *) openvpn_dmalloc (file, line, size + sizeof (struct gc_entry));
e = (struct gc_entry *) openvpn_dmalloc (file, line, size + sizeof (struct gc_entry));
#else
e = (struct gc_entry *) malloc (size + sizeof (struct gc_entry));
e = (struct gc_entry *) malloc (size + sizeof (struct gc_entry));
#endif
check_malloc_return (e);
ret = (char *) e + sizeof (struct gc_entry);
e->next = a->list;
a->list = e;
check_malloc_return (e);
ret = (char *) e + sizeof (struct gc_entry);
e->next = a->list;
a->list = e;
}
else
{
#ifdef DMALLOC
ret = openvpn_dmalloc (file, line, size);
#else
ret = malloc (size);
#endif
check_malloc_return (ret);
}
#ifndef ZERO_BUFFER_ON_ALLOC
if (clear)
#endif
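Review bot: With a NULL arena `gc_malloc` now returns caller-owned heap memory instead of asserting, but nothing says the caller must `free()` it; since a stray NULL that used to abort will now leak quietly, the function comment (above the hunk) should state `/* a == NULL: not arena-tracked, caller owns the result and must free() it */`. The DMALLOC/malloc selection is also duplicated across the two arms; computing `size_t n = a ? size + sizeof (struct gc_entry) : size;` once and doing a single allocation before the `if (a)` split would keep both paths in step. gc_malloc's signature and the `ZERO_BUFFER_ON_ALLOC` tail lie outside the hunk.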
......@@ -866,7 +866,7 @@ print_openssl_info (const struct options *options)
show_available_engines ();
#ifdef ENABLE_SSL
if (options->show_tls_ciphers)
show_available_tls_ciphers ();
show_available_tls_ciphers (options->cipher_list);
#endif
return true;
}
......@@ -2973,7 +2973,7 @@ do_close_ifconfig_pool_persist (struct context *c)
static void
do_inherit_env (struct context *c, const struct env_set *src)
{
c->c2.es = env_set_create (&c->c2.gc);
c->c2.es = env_set_create (NULL);
c->c2.es_owned = true;
env_set_inherit (c->c2.es, src);
}
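Review bot: `env_set_create (NULL)` detaches the env set from the `c->c2.gc` arena, so its lifetime now rests entirely on `es_owned = true` and a matching `env_set_destroy` in the close path (outside this hunk); if any early-exit path skips that, the per-renegotiation drain this fixes becomes a plain leak. A comment at the call site, e.g. `/* heap-owned, not arena-backed: released via es_owned on close */`, would make the ownership change visible to the next reader.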
......@@ -934,32 +934,23 @@ create_temp_file (const char *directory, const char *prefix, struct gc_arena *gc
}
/*
* Add a random string to first DNS label of hostname to prevent DNS caching.
* Prepend a random string to hostname to prevent DNS caching.
* For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
* Of course, this requires explicit support in the DNS server.
* Of course, this requires explicit support in the DNS server (wildcard).
*/
const char *
hostname_randomize(const char *hostname, struct gc_arena *gc)
{
# define n_rnd_bytes 6
char *hst = string_alloc(hostname, gc);
char *dot = strchr(hst, '.');
uint8_t rnd_bytes[n_rnd_bytes];
const char *rnd_str;
struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
if (dot)
{
uint8_t rnd_bytes[n_rnd_bytes];
const char *rnd_str;
struct buffer hname = alloc_buf_gc (strlen(hostname)+sizeof(rnd_bytes)*2+4, gc);
*dot++ = '\0';
prng_bytes (rnd_bytes, sizeof (rnd_bytes));
rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
buf_printf(&hname, "%s-0x%s.%s", hst, rnd_str, dot);
return BSTR(&hname);
}
else
return hostname;
prng_bytes (rnd_bytes, sizeof (rnd_bytes));
rnd_str = format_hex_ex (rnd_bytes, sizeof (rnd_bytes), 40, 0, NULL, gc);
buf_printf(&hname, "%s.%s", rnd_str, hostname);
return BSTR(&hname);
# undef n_rnd_bytes
}
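Review bot: The rewritten `hostname_randomize` prepends the random label unconditionally, whereas the removed version returned the input unchanged when it contained no dot; an IPv4/IPv6 literal or a single-label name used with `--remote-random-hostname` would now become `<hex>.10.0.0.1` and fail to resolve unless a caller filters those cases first (not visible here). Suggest keeping an early return when the string is an address literal, placed before `prng_bytes`, and saying so in the function comment. If the `hst`/`dot` locals are gone from the new side (the rendering does not show it) nothing else changes; if they survived they are now unused. Minor: `# define n_rnd_bytes 6` with a matching `# undef` would read more naturally as a local `enum { n_rnd_bytes = 6 };`.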
......@@ -171,7 +171,7 @@ openvpn_main (int argc, char *argv[])
gc_init (&c.gc);
/* initialize environmental variable store */
c.es = env_set_create (&c.gc);
c.es = env_set_create (NULL);
#ifdef WIN32
set_win_sys_path_via_env (c.es);
#endif
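Review bot: `c.es` is no longer arena-backed, so whatever frees `c.gc` at the end of openvpn_main will not release it; an explicit `env_set_destroy (c.es)` on every exit path (the rest of the function is outside this hunk) is now required, otherwise the fix merely moves the allocation out of the arena. A one-line comment at the call site, e.g. `/* heap-owned; must be released with env_set_destroy before exit */`, would document the new ownership.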
......@@ -186,6 +186,8 @@ struct options
/* enable forward compatibility for post-2.1 features */
bool forward_compatible;
/* list of options that should be ignored even if unkown */
const char ** ignore_unknown_option;
/* persist parms */
bool persist_config;
......@@ -458,6 +460,7 @@ struct options
bool client;
bool pull; /* client pull of config options from server */
int push_continuation;
unsigned int push_option_types_found;
const char *auth_user_pass_file;
struct options_pre_pull *pre_pull;
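Review bot: The comment on `ignore_unknown_option` has a typo, `unkown` → `unknown`, and `push_option_types_found` lands in the struct with no comment at all. Since push.c OR-s it together across PUSH_REPLY continuation messages, a one-liner such as `/* option types seen across all PUSH_REPLY continuations of the current push exchange */` would explain why it is a field rather than a local. It would also help to state here where it is reset between push exchanges, assuming it is.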
......@@ -49,7 +49,7 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
int ret = 1;
X509 *x509 = NULL;
RSA *rsa = NULL;
EVP_PKEY *evp = NULL;
pkcs11h_openssl_session_t openssl_session = NULL;
if ((openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL)
......@@ -63,9 +63,9 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
*/
certificate = NULL;
if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL)
if ((evp = pkcs11h_openssl_session_getEVP (openssl_session)) == NULL)
{
msg (M_WARN, "PKCS#11: Unable get rsa object");
msg (M_WARN, "PKCS#11: Unable get evp object");
goto cleanup;
}
......@@ -75,7 +75,7 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
goto cleanup;
}
if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx->ctx, rsa))
if (!SSL_CTX_use_PrivateKey (ssl_ctx->ctx, evp))
{
msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
goto cleanup;
......@@ -108,10 +108,10 @@ cleanup:
x509 = NULL;
}
if (rsa != NULL)
if (evp != NULL)
{
RSA_free (rsa);
rsa = NULL;
EVP_PKEY_free (evp);
evp = NULL;
}
if (openssl_session != NULL)
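Review bot: The error text at the `pkcs11h_openssl_session_getEVP` failure reads `Unable get evp object`; `PKCS#11: Unable to get EVP_PKEY object` would be grammatical and name the real type. Moving to `SSL_CTX_use_PrivateKey` also means non-RSA keys can now be loaded, so if the certificate is installed separately (the `goto cleanup` just above suggests it is), an `SSL_CTX_check_private_key (ssl_ctx->ctx)` after both are set would catch a token whose key does not match its certificate, unless that check already happens outside the hunk. The cleanup order, `EVP_PKEY_free` after `SSL_CTX_use_PrivateKey`, is correct since the context takes its own reference.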
......@@ -40,8 +40,8 @@
#include "error.h"
#include "misc.h"
#include "plugin.h"
#include "ssl_backend.h"
#include "win32.h"
#include "memdbg.h"
#define PLUGIN_SYMBOL_REQUIRED (1<<0)
......@@ -374,7 +374,8 @@ plugin_open_item (struct plugin *p,
struct openvpn_plugin_args_open_in args = { p->plugin_type_mask,
(const char ** const) o->argv,
(const char ** const) envp,
&callbacks };
&callbacks,
SSLAPI };
struct openvpn_plugin_args_open_return retargs;
CLEAR(retargs);
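Review bot: `SSLAPI` is passed unconditionally in the `openvpn_plugin_args_open_in` initializer, so it must expand to `SSLAPI_NONE` in a build without SSL support; confirm `ssl_backend.h` defines it outside any `#ifdef ENABLE_SSL`, otherwise this breaks builds that disable SSL. The positional initializer now carries five members in a fixed order; if the project's compilers permit C99 designated initializers, `.ssl_api = SSLAPI` would make the binding explicit and survive a future field inserted mid-struct. plugin_open_item begins before the hunk.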
......@@ -202,8 +202,10 @@ incoming_push_message (struct context *c, const struct buffer *buffer)
msg (D_PUSH_ERRORS, "WARNING: Received bad push/pull message: %s", sanitize_control_message(BSTR(buffer), &gc));
else if (status == PUSH_MSG_REPLY || status == PUSH_MSG_CONTINUATION)
{
c->options.push_option_types_found |= option_types_found;
if (status == PUSH_MSG_REPLY)
do_up (c, true, option_types_found); /* delay bringing tun/tap up until --push parms received from remote */
do_up (c, true, c->options.push_option_types_found ); /* delay bringing tun/tap up until --push parms received from remote */
event_timeout_clear (&c->c2.push_request_interval);
}
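Review bot: `push_option_types_found` only ever accumulates here (`|=`) and nothing in the hunk clears it, so unless it is reset where pulled options are restored before a new push sequence (outside this hunk), option-type bits from an earlier PUSH_REPLY would carry into the next `do_up`. Suggest clearing it at the start of each push exchange, or documenting where that happens with a comment at the `|=` line, e.g. `/* accumulated across PUSH_REPLY continuations; cleared when pre-pull options are restored */`. Minor: the stray space in `c->options.push_option_types_found )` is inconsistent with the surrounding calls.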
......@@ -49,7 +49,7 @@
#define METRIC_NOT_USED ((DWORD)-1)
#endif
static void delete_route (struct route *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es);
static void delete_route (struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es);
static void get_bypass_addresses (struct route_bypass *rb, const unsigned int flags);
......@@ -150,7 +150,7 @@ struct route_list *
new_route_list (const int max_routes, struct gc_arena *a)
{
struct route_list *ret;
ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_list, struct route, max_routes, a);
ALLOC_VAR_ARRAY_CLEAR_GC (ret, struct route_list, struct route_ipv4, max_routes, a);
ret->capacity = max_routes;
return ret;
}
......@@ -165,7 +165,7 @@ new_route_ipv6_list (const int max_routes, struct gc_arena *a)
}