← Back to branch summary

~ubuntu-branches/ubuntu/oneiric/openvpn/oneiric

« back to all changes in this revision

Viewing changes to ssl.c

  • Committer: Bazaar Package Importer
  • Author(s): Thierry Carrez
  • Date: 2008-10-07 16:30:44 UTC
  • mfrom: (1.1.11 upstream) (10.1.1 lenny)
  • Revision ID: james.westby@ubuntu.com-20081007163044-ixx04wg588z1972e
Tags: 2.1~rc11-1ubuntu1
https://launchpad.net/bugs/279655
https://launchpad.net/bugs/277447
* Merge with Debian (LP: #279655), remaining diffs:
  - debian/openvpn.init.d: Added 'status' action to init script, show
    per-VPN result messages and add "--script-security 2" by default for
    backwards compatibility
  - debian/control: Added lsb-base>=3.2-14 depend to allow status_of_proc()
* Fixes regression when calling commands with arguments (LP: #277447)

Show diffs side-by-side

added added

removed removed

Lines of Context:
ssl.c
358
358
  int tmp = -1;
359
359
  X509_NAME_ENTRY *x509ne = 0;
360
360
  ASN1_STRING *asn1 = 0;
361
 
  unsigned char *buf = 0;
362
 
  int nid = OBJ_txt2nid(field_name);
 
361
  unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
 
362
  int nid = OBJ_txt2nid((char *)field_name);
363
363
 
364
364
  ASSERT (size > 0);
365
365
  *out = '\0';
718
718
 
719
719
      setenv_str (opt->es, "script_type", "tls-verify");
720
720
 
721
 
      argv_printf (&argv, "%s %d %s",
 
721
      argv_printf (&argv, "%sc %d %s",
722
722
                   opt->verify_command,
723
723
                   ctx->error_depth,
724
724
                   subject);
2937
2937
      setenv_untrusted (session);
2938
2938
 
2939
2939
      /* format command line */
2940
 
      argv_printf (&argv, "%s %s", session->opt->auth_user_pass_verify_script, tmp_file);
 
2940
      argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file);
2941
2941
      
2942
2942
      /* call command */
2943
2943
      retval = openvpn_execve (&argv, session->opt->es, S_SCRIPT);
3439
3439
  return false;
3440
3440
}
3441
3441
 
 
3442
static int
 
3443
auth_deferred_expire_window (const struct tls_options *o)
 
3444
{
 
3445
  const int hw = o->handshake_window;
 
3446
  const int r2 = o->renegotiate_seconds / 2;
 
3447
  return min_int (hw, r2);
 
3448
}
 
3449
 
3442
3450
/*
3443
3451
 * This is the primary routine for processing TLS stuff inside the
3444
3452
 * the main event loop.  When this routine exits
3519
3527
              buf = reliable_get_buf_output_sequenced (ks->send_reliable);
3520
3528
              if (buf)
3521
3529
                {
3522
 
                  ks->auth_deferred_expire = ks->must_negotiate = now + session->opt->handshake_window;
 
3530
                  ks->must_negotiate = now + session->opt->handshake_window;
 
3531
                  ks->auth_deferred_expire = now + auth_deferred_expire_window (session->opt);
3523
3532
 
3524
3533
                  /* null buffer */
3525
3534
                  reliable_mark_active_outgoing (ks->send_reliable, buf, ks->initial_opcode);
4084
4093
                  ASSERT (buf_advance (buf, 1));
4085
4094
                  ++ks->n_packets;
4086
4095
                  ks->n_bytes += buf->len;
4087
 
                  dmsg (D_TLS_DEBUG,
4088
 
                       "TLS: data channel, key_id=%d, IP=%s",
 
4096
                  dmsg (D_TLS_KEYSELECT,
 
4097
                       "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
4089
4098
                       key_id, print_link_socket_actual (from, &gc));
4090
4099
                  gc_free (&gc);
4091
4100
                  return ret;
4592
4601
  if (buf->len > 0)
4593
4602
    {
4594
4603
      int i;
 
4604
      struct key_state *ks_select = NULL;
4595
4605
      for (i = 0; i < KEY_SCAN_SIZE; ++i)
4596
4606
        {
4597
4607
          struct key_state *ks = multi->key_scan[i];
4600
4610
#ifdef ENABLE_DEF_AUTH
4601
4611
              && !ks->auth_deferred
4602
4612
#endif
4603
 
              && (!ks->key_id || now >= ks->auth_deferred_expire))
 
4613
              )
4604
4614
            {
4605
 
              opt->key_ctx_bi = &ks->key;
4606
 
              opt->packet_id = multi->opt.replay ? &ks->packet_id : NULL;
4607
 
              opt->pid_persist = NULL;
4608
 
              opt->flags &= multi->opt.crypto_flags_and;
4609
 
              opt->flags |= multi->opt.crypto_flags_or;
4610
 
              multi->save_ks = ks;
4611
 
              dmsg (D_TLS_DEBUG, "TLS: tls_pre_encrypt: key_id=%d", ks->key_id);
4612
 
              return;
 
4615
              if (!ks_select)
 
4616
                ks_select = ks;
 
4617
              if (now >= ks->auth_deferred_expire)
 
4618
                {
 
4619
                  ks_select = ks;
 
4620
                  break;
 
4621
                }
4613
4622
            }
4614
4623
        }
4615
4624
 
4616
 
      {
4617
 
        struct gc_arena gc = gc_new ();
4618
 
        dmsg (D_TLS_NO_SEND_KEY, "TLS Warning: no data channel send key available: %s",
4619
 
             print_key_id (multi, &gc));
4620
 
        gc_free (&gc);
4621
 
      }
 
4625
      if (ks_select)
 
4626
        {
 
4627
          opt->key_ctx_bi = &ks_select->key;
 
4628
          opt->packet_id = multi->opt.replay ? &ks_select->packet_id : NULL;
 
4629
          opt->pid_persist = NULL;
 
4630
          opt->flags &= multi->opt.crypto_flags_and;
 
4631
          opt->flags |= multi->opt.crypto_flags_or;
 
4632
          multi->save_ks = ks_select;
 
4633
          dmsg (D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
 
4634
          return;
 
4635
        }
 
4636
      else
 
4637
        {
 
4638
          struct gc_arena gc = gc_new ();
 
4639
          dmsg (D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
 
4640
                print_key_id (multi, &gc));
 
4641
          gc_free (&gc);
 
4642
        }
4622
4643
    }
4623
4644
 
4624
4645
  buf->len = 0;