svn merge -r1322:1392 https://svn.openvpn.net/projects/openvpn/contrib/alon/21rc/openvpn .
Version 2.1_rc1 released
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1420 e7ae566f-a301-0410-adde-c780ea21d3b5
| ... | ... |
@@ -3,6 +3,14 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> |
| 3 | 3 |
|
| 4 | 4 |
$Id$ |
| 5 | 5 |
|
| 6 |
+2006.10.31 -- Version 2.1_rc1 |
|
| 7 |
+ |
|
| 8 |
+* Support recovery (return to hold) from signal at |
|
| 9 |
+ management password prompt. |
|
| 10 |
+ |
|
| 11 |
+* Added workaround for OpenSC PKCS#11 bug#108 |
|
| 12 |
+ (Alon Bar-Lev). |
|
| 13 |
+ |
|
| 6 | 14 |
2006.10.01 -- Version 2.1-beta16 |
| 7 | 15 |
|
| 8 | 16 |
* Windows installer updated with OpenSSL 0.9.7l DLLs to fix |
| ... | ... |
@@ -30,22 +38,26 @@ $Id$ |
| 30 | 30 |
a blockage of tunnel packets and later time-out and |
| 31 | 31 |
restart the connection. |
| 32 | 32 |
|
| 33 |
-* pkcs11 changes: |
|
| 34 |
- 1. Modified ssl.c to not FATAL and return to init.c |
|
| 35 |
- so auth-retry will work. |
|
| 36 |
- 2. Modifed pkcs11-helper.c to fix some problem with |
|
| 37 |
- multiple providers. |
|
| 38 |
- 3. Updated makefile.w32-vc to include lladdr.*, updated |
|
| 39 |
- linkage libraries. |
|
| 40 |
- 4. Modified lladdr.c to be compiled under visual C. |
|
| 41 |
- 5. Added retry counter to PKCS#11 PIN hook. |
|
| 42 |
- 6. Modified PKCS#11 PIN retry loop to return correct error |
|
| 43 |
- code when PIN is incorrect. |
|
| 44 |
- 7. Fix handling (ignoring) zero sized attributes. |
|
| 45 |
- 8. Fix gcc-2 issues. |
|
| 46 |
- 9. Fix openssl 0.9.6 (first version) issues. |
|
| 47 |
- 10. easy-rsa Makefile (install) is now available so that |
|
| 48 |
- distribs will be able to install it safely. |
|
| 33 |
+* easy-rsa update (Alon Bar-Lev) |
|
| 34 |
+ Makefile (install) is now available so that |
|
| 35 |
+ distribs will be able to install it safely. |
|
| 36 |
+ |
|
| 37 |
+* PKCS#11 changes: (Alon Bar-Lev) |
|
| 38 |
+ - Modified ssl.c to not FATAL and return to init.c |
|
| 39 |
+ so auth-retry will work. |
|
| 40 |
+ - Modifed pkcs11-helper.c to fix some problem with |
|
| 41 |
+ multiple providers. |
|
| 42 |
+ - Added retry counter to PKCS#11 PIN hook. |
|
| 43 |
+ - Modified PKCS#11 PIN retry loop to return correct error |
|
| 44 |
+ code when PIN is incorrect. |
|
| 45 |
+ - Fix handling (ignoring) zero sized attributes. |
|
| 46 |
+ - Fix gcc-2 issues. |
|
| 47 |
+ - Fix openssl 0.9.6 (first version) issues. |
|
| 48 |
+ |
|
| 49 |
+* Minor fixes of lladdr (Alon Bar-Lev) |
|
| 50 |
+ Updated makefile.w32-vc to include lladdr.*, updated |
|
| 51 |
+ linkage libraries. |
|
| 52 |
+ Modified lladdr.c to be compiled under visual C. |
|
| 49 | 53 |
|
| 50 | 54 |
* Added two new management states: |
| 51 | 55 |
OPENVPN_STATE_RESOLVE -- DNS lookup |
| ... | ... |
@@ -25,7 +25,7 @@ dnl Process this file with autoconf to produce a configure script. |
| 25 | 25 |
|
| 26 | 26 |
AC_PREREQ(2.50) |
| 27 | 27 |
|
| 28 |
-AC_INIT([OpenVPN], [2.1_beta16], [openvpn-users@lists.sourceforge.net], [openvpn]) |
|
| 28 |
+AC_INIT([OpenVPN], [2.1_rc1], [openvpn-users@lists.sourceforge.net], [openvpn]) |
|
| 29 | 29 |
AM_CONFIG_HEADER(config.h) |
| 30 | 30 |
AC_CONFIG_SRCDIR(syshead.h) |
| 31 | 31 |
|
| ... | ... |
@@ -24,17 +24,18 @@ LZO = \src\lzo-1.08.vc |
| 24 | 24 |
|
| 25 | 25 |
INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include |
| 26 | 26 |
|
| 27 |
-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib |
|
| 27 |
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib gdi32.lib advapi32.lib wininet.lib |
|
| 28 | 28 |
|
| 29 | 29 |
LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO) |
| 30 | 30 |
|
| 31 | 31 |
EXE = openvpn.exe |
| 32 | 32 |
|
| 33 | 33 |
CPP=cl.exe |
| 34 |
+CPP_ARG_COMMON=/nologo /W3 /G5 /O2 -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS -D_CRT_SECURE_NO_DEPRECATE $(INCLUDE_DIRS) /FD /c |
|
| 34 | 35 |
# release: |
| 35 |
-CPP_PROJ=/nologo /MD /W3 /G5 /O2 -DNDEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c |
|
| 36 |
+CPP_PROJ=$(CPP_ARG_COMMON) /MD -DNDEBUG |
|
| 36 | 37 |
# debug: |
| 37 |
-#CPP_PROJ=/nologo /MDd /W3 /G5 /Zi /Od -D_DEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c |
|
| 38 |
+#CPP_PROJ=$(CPP_ARG_COMMON) /MDd /Zi /Od -D_DEBUG |
|
| 38 | 39 |
|
| 39 | 40 |
LINK32=link.exe |
| 40 | 41 |
# release: |
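Review bot: `-D_CRT_SECURE_NO_DEPRECATE` in the new `CPP_ARG_COMMON` silences MSVC's C4996 warnings on the classic CRT string and I/O calls (strcpy, sprintf, fopen, …) for the release build and the commented-out debug build alike, so Windows builds will no longer point at unbounded calls that the compiler used to flag. That is a defensible choice for a portable tree that cannot adopt the MSVC-only `_s` variants, but it is a suppression rather than a fix and should say so; I would put `# _CRT_SECURE_NO_DEPRECATE: silence C4996 on standard CRT calls (the *_s replacements are MSVC-only); bounds discipline must come from the code, not from this flag` on the line above it. The new `gdi32.lib` in `LIBS` is likewise unexplained by anything on this page; a short comment naming the symbol that pulls it in would help whoever next prunes the link line.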
| ... | ... |
@@ -1173,7 +1173,7 @@ get_console_input (const char *prompt, const bool echo, char *input, const int c |
| 1173 | 1173 |
* Get and store a username/password |
| 1174 | 1174 |
*/ |
| 1175 | 1175 |
|
| 1176 |
-void |
|
| 1176 |
+bool |
|
| 1177 | 1177 |
get_user_pass (struct user_pass *up, |
| 1178 | 1178 |
const char *auth_file, |
| 1179 | 1179 |
const char *prefix, |
| ... | ... |
@@ -1194,7 +1194,12 @@ get_user_pass (struct user_pass *up, |
| 1194 | 1194 |
&& management_query_user_pass_enabled (management)) |
| 1195 | 1195 |
{
|
| 1196 | 1196 |
if (!management_query_user_pass (management, up, prefix, flags)) |
| 1197 |
- msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix); |
|
| 1197 |
+ {
|
|
| 1198 |
+ if ((flags & GET_USER_PASS_NOFATAL) != 0) |
|
| 1199 |
+ return false; |
|
| 1200 |
+ else |
|
| 1201 |
+ msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix); |
|
| 1202 |
+ } |
|
| 1198 | 1203 |
} |
| 1199 | 1204 |
else |
| 1200 | 1205 |
#endif |
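Review bot: The new `return false` at line 1199 exits `get_user_pass` without the `gc_free (&gc)` that the function's normal exit runs (visible in the later hunk at old line 1296). If `gc` is only initialised with `gc_new()` and nothing has been allocated into it before the management branch — plausible, but the function head is outside this hunk so I cannot confirm it — this is harmless today, yet it is a trap for the next allocation added above this point; `gc_free (&gc); return false;` (or one exit through a result variable) keeps the arena balanced on every path, assuming `gc` is declared at function scope. The change from `void` to `bool` also changes the contract for every caller: with `GET_USER_PASS_NOFATAL` set, a false return means `up` was not filled, and a caller that ignores the result proceeds with an unfilled `up` exactly where the old code aborted, so the header comment at line 1173 should say so, e.g. `Returns true when credentials were obtained. Returns false only when GET_USER_PASS_NOFATAL is set and the management interface could not supply them; other failures remain fatal. Callers passing NOFATAL must check the result.`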
| ... | ... |
@@ -1294,6 +1299,8 @@ get_user_pass (struct user_pass *up, |
| 1294 | 1294 |
#endif |
| 1295 | 1295 |
|
| 1296 | 1296 |
gc_free (&gc); |
| 1297 |
+ |
|
| 1298 |
+ return true; |
|
| 1297 | 1299 |
} |
| 1298 | 1300 |
|
| 1299 | 1301 |
void |
| ... | ... |
@@ -239,8 +239,9 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const |
| 239 | 239 |
#define GET_USER_PASS_SENSITIVE (1<<1) |
| 240 | 240 |
#define GET_USER_PASS_PASSWORD_ONLY (1<<2) |
| 241 | 241 |
#define GET_USER_PASS_NEED_OK (1<<3) |
| 242 |
+#define GET_USER_PASS_NOFATAL (1<<4) |
|
| 242 | 243 |
|
| 243 |
-void get_user_pass (struct user_pass *up, |
|
| 244 |
+bool get_user_pass (struct user_pass *up, |
|
| 244 | 245 |
const char *auth_file, |
| 245 | 246 |
const char *prefix, |
| 246 | 247 |
const unsigned int flags); |
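Review bot: `GET_USER_PASS_NOFATAL` is added without a comment and the prototype's new `bool` result is undocumented, although this flag turns a function that never returned on failure into one whose result every caller passing the flag must check. The neighbouring flags are uncommented too, but this one changes control flow for callers, so it deserves a line: `/* GET_USER_PASS_NOFATAL: on failure to obtain credentials return false instead of msg(M_FATAL); only the management-interface path honours it, and the caller must check the result */` next to the define, and `/* Returns false only when GET_USER_PASS_NOFATAL is set and credentials could not be obtained. */` above the prototype. The misc.c hunk on this page shows the flag being tested only in the management-interface branch, which is why the comment should not promise more than that.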
| ... | ... |
@@ -5196,6 +5196,19 @@ _pkcs11h_certificate_private_op ( |
| 5196 | 5196 |
fOpSuccess = TRUE; |
| 5197 | 5197 |
} |
| 5198 | 5198 |
else {
|
| 5199 |
+ /* |
|
| 5200 |
+ * OpenSC workaround |
|
| 5201 |
+ * It still allows C_FindObjectsInit when |
|
| 5202 |
+ * token is removed/inserted but fails |
|
| 5203 |
+ * private key operation. |
|
| 5204 |
+ * So we force logout. |
|
| 5205 |
+ * bug#108 at OpenSC trac |
|
| 5206 |
+ */ |
|
| 5207 |
+ if (fLoginRetry && rv == CKR_DEVICE_REMOVED) {
|
|
| 5208 |
+ fLoginRetry = FALSE; |
|
| 5209 |
+ _pkcs11h_logout (certificate->session); |
|
| 5210 |
+ } |
|
| 5211 |
+ |
|
| 5199 | 5212 |
if (!fLoginRetry) {
|
| 5200 | 5213 |
PKCS11H_DEBUG ( |
| 5201 | 5214 |
PKCS11H_LOG_DEBUG1, |
| ... | ... |
@@ -5778,7 +5791,7 @@ pkcs11h_certificate_getCertificateBlob ( |
| 5778 | 5778 |
if (certificate_blob != NULL) {
|
| 5779 | 5779 |
if ( |
| 5780 | 5780 |
rv == CKR_OK && |
| 5781 |
- certifiate_blob_size_max > certificate->id->certificate_blob_size |
|
| 5781 |
+ certifiate_blob_size_max < certificate->id->certificate_blob_size |
|
| 5782 | 5782 |
) {
|
| 5783 | 5783 |
rv = CKR_BUFFER_TOO_SMALL; |
| 5784 | 5784 |
} |
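Review bot: The comparison fix at line 5781 is security relevant and gets less visibility than it deserves: with the old `>`, `CKR_BUFFER_TOO_SMALL` was returned when the caller's buffer was larger than the certificate, and an undersized buffer passed the check, so if the copy that follows this test (outside the hunk) uses `certificate->id->certificate_blob_size` as its length, the old code could write past the caller's `certificate_blob`. The ChangeLog hunks on this page credit only the OpenSC bug#108 workaround; this fix should get its own entry, and a test that calls `pkcs11h_certificate_getCertificateBlob` with a buffer one byte shorter than the blob and expects `CKR_BUFFER_TOO_SMALL` would keep it from regressing. While the line is being touched, `certifiate_blob_size_max` is a pre-existing misspelling of the parameter; renaming it to `certificate_blob_size_max` is a cheap readability win if the signature is edited in the same commit. The function's head and tail are outside the hunk.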
| ... | ... |
@@ -166,14 +166,20 @@ _pkcs11_openvpn_token_prompt ( |
| 166 | 166 |
"Please insert %s token", |
| 167 | 167 |
token->label |
| 168 | 168 |
); |
| 169 |
- get_user_pass ( |
|
| 170 |
- &token_resp, |
|
| 171 |
- NULL, |
|
| 172 |
- "token-insertion-request", |
|
| 173 |
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK |
|
| 174 |
- ); |
|
| 175 | 169 |
|
| 176 |
- return strcmp (token_resp.password, "ok") == 0; |
|
| 170 |
+ if ( |
|
| 171 |
+ !get_user_pass ( |
|
| 172 |
+ &token_resp, |
|
| 173 |
+ NULL, |
|
| 174 |
+ "token-insertion-request", |
|
| 175 |
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL |
|
| 176 |
+ ) |
|
| 177 |
+ ) {
|
|
| 178 |
+ return false; |
|
| 179 |
+ } |
|
| 180 |
+ else {
|
|
| 181 |
+ return strcmp (token_resp.password, "ok") == 0; |
|
| 182 |
+ } |
|
| 177 | 183 |
} |
| 178 | 184 |
|
| 179 | 185 |
static |
| ... | ... |
@@ -195,15 +201,27 @@ _pkcs11_openvpn_pin_prompt ( |
| 195 | 195 |
|
| 196 | 196 |
token_pass.defined = false; |
| 197 | 197 |
token_pass.nocache = true; |
| 198 |
- get_user_pass (&token_pass, NULL, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY); |
|
| 199 |
- strncpynt (szPIN, token_pass.password, nMaxPIN); |
|
| 200 |
- purge_user_pass (&token_pass, true); |
|
| 201 | 198 |
|
| 202 |
- if (strlen (szPIN) == 0) {
|
|
| 199 |
+ if ( |
|
| 200 |
+ !get_user_pass ( |
|
| 201 |
+ &token_pass, |
|
| 202 |
+ NULL, |
|
| 203 |
+ szPrompt, |
|
| 204 |
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL |
|
| 205 |
+ ) |
|
| 206 |
+ ) {
|
|
| 203 | 207 |
return false; |
| 204 | 208 |
} |
| 205 | 209 |
else {
|
| 206 |
- return true; |
|
| 210 |
+ strncpynt (szPIN, token_pass.password, nMaxPIN); |
|
| 211 |
+ purge_user_pass (&token_pass, true); |
|
| 212 |
+ |
|
| 213 |
+ if (strlen (szPIN) == 0) {
|
|
| 214 |
+ return false; |
|
| 215 |
+ } |
|
| 216 |
+ else {
|
|
| 217 |
+ return true; |
|
| 218 |
+ } |
|
| 207 | 219 |
} |
| 208 | 220 |
} |
| 209 | 221 |
|
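Review bot: `strncpynt (szPIN, token_pass.password, nMaxPIN)` at new line 210 truncates silently when the entered PIN is longer than `nMaxPIN - 1` (assuming strncpynt is the bounded copy with forced NUL termination its name suggests), and the truncated string is then returned as a valid PIN; the token rejects it as a wrong PIN, which decrements the card's retry counter, and through the PIN retry loop the ChangeLog mentions this can lock the token on input that was never actually wrong. Reject over-long input before the copy instead: `if (strlen (token_pass.password) >= nMaxPIN) { purge_user_pass (&token_pass, true); return false; }`, ideally with an `M_WARN` naming the length limit. On the new early `return false` taken when `get_user_pass` fails, `token_pass` is not purged; nothing visible here shows that the struct was written in that case, but an unconditional `purge_user_pass (&token_pass, true)` on both exits is cheap and makes the secret-handling path obviously correct. The function's signature and the `szPrompt` setup are outside the hunk.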