aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog44
-rw-r--r--configure.ac2
-rw-r--r--makefile.w32-vc7
-rw-r--r--misc.c11
-rw-r--r--misc.h3
-rw-r--r--pkcs11-helper.c15
-rw-r--r--pkcs11.c42
7 files changed, 88 insertions, 36 deletions
diff --git a/ChangeLog b/ChangeLog
index 397d7cd..ef68857 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,14 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
$Id$
+2006.10.31 -- Version 2.1_rc1
+
+* Support recovery (return to hold) from signal at
+ management password prompt.
+
+* Added workaround for OpenSC PKCS#11 bug#108
+ (Alon Bar-Lev).
+
2006.10.01 -- Version 2.1-beta16
* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
@@ -30,22 +38,26 @@ $Id$
a blockage of tunnel packets and later time-out and
restart the connection.
-* pkcs11 changes:
- 1. Modified ssl.c to not FATAL and return to init.c
- so auth-retry will work.
- 2. Modifed pkcs11-helper.c to fix some problem with
- multiple providers.
- 3. Updated makefile.w32-vc to include lladdr.*, updated
- linkage libraries.
- 4. Modified lladdr.c to be compiled under visual C.
- 5. Added retry counter to PKCS#11 PIN hook.
- 6. Modified PKCS#11 PIN retry loop to return correct error
- code when PIN is incorrect.
- 7. Fix handling (ignoring) zero sized attributes.
- 8. Fix gcc-2 issues.
- 9. Fix openssl 0.9.6 (first version) issues.
- 10. easy-rsa Makefile (install) is now available so that
- distribs will be able to install it safely.
+* easy-rsa update (Alon Bar-Lev)
+ Makefile (install) is now available so that
+ distribs will be able to install it safely.
+
+* PKCS#11 changes: (Alon Bar-Lev)
+ - Modified ssl.c to not FATAL and return to init.c
+ so auth-retry will work.
+ - Modifed pkcs11-helper.c to fix some problem with
+ multiple providers.
+ - Added retry counter to PKCS#11 PIN hook.
+ - Modified PKCS#11 PIN retry loop to return correct error
+ code when PIN is incorrect.
+ - Fix handling (ignoring) zero sized attributes.
+ - Fix gcc-2 issues.
+ - Fix openssl 0.9.6 (first version) issues.
+
+* Minor fixes of lladdr (Alon Bar-Lev)
+ Updated makefile.w32-vc to include lladdr.*, updated
+ linkage libraries.
+ Modified lladdr.c to be compiled under visual C.
* Added two new management states:
OPENVPN_STATE_RESOLVE -- DNS lookup
diff --git a/configure.ac b/configure.ac
index 2f80768..b0e5fe2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -25,7 +25,7 @@ dnl Process this file with autoconf to produce a configure script.
AC_PREREQ(2.50)
-AC_INIT([OpenVPN], [2.1_beta16], [openvpn-users@lists.sourceforge.net], [openvpn])
+AC_INIT([OpenVPN], [2.1_rc1], [openvpn-users@lists.sourceforge.net], [openvpn])
AM_CONFIG_HEADER(config.h)
AC_CONFIG_SRCDIR(syshead.h)
diff --git a/makefile.w32-vc b/makefile.w32-vc
index d3dac0b..92f7013 100644
--- a/makefile.w32-vc
+++ b/makefile.w32-vc
@@ -24,17 +24,18 @@ LZO = \src\lzo-1.08.vc
INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include
-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib gdi32.lib advapi32.lib wininet.lib
LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO)
EXE = openvpn.exe
CPP=cl.exe
+CPP_ARG_COMMON=/nologo /W3 /G5 /O2 -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS -D_CRT_SECURE_NO_DEPRECATE $(INCLUDE_DIRS) /FD /c
# release:
-CPP_PROJ=/nologo /MD /W3 /G5 /O2 -DNDEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c
+CPP_PROJ=$(CPP_ARG_COMMON) /MD -DNDEBUG
# debug:
-#CPP_PROJ=/nologo /MDd /W3 /G5 /Zi /Od -D_DEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c
+#CPP_PROJ=$(CPP_ARG_COMMON) /MDd /Zi /Od -D_DEBUG
LINK32=link.exe
# release:
diff --git a/misc.c b/misc.c
index 0c45817..fb18448 100644
--- a/misc.c
+++ b/misc.c
@@ -1173,7 +1173,7 @@ get_console_input (const char *prompt, const bool echo, char *input, const int c
* Get and store a username/password
*/
-void
+bool
get_user_pass (struct user_pass *up,
const char *auth_file,
const char *prefix,
@@ -1194,7 +1194,12 @@ get_user_pass (struct user_pass *up,
&& management_query_user_pass_enabled (management))
{
if (!management_query_user_pass (management, up, prefix, flags))
- msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix);
+ {
+ if ((flags & GET_USER_PASS_NOFATAL) != 0)
+ return false;
+ else
+ msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix);
+ }
}
else
#endif
@@ -1294,6 +1299,8 @@ get_user_pass (struct user_pass *up,
#endif
gc_free (&gc);
+
+ return true;
}
void
diff --git a/misc.h b/misc.h
index ae78827..b57185b 100644
--- a/misc.h
+++ b/misc.h
@@ -239,8 +239,9 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const
#define GET_USER_PASS_SENSITIVE (1<<1)
#define GET_USER_PASS_PASSWORD_ONLY (1<<2)
#define GET_USER_PASS_NEED_OK (1<<3)
+#define GET_USER_PASS_NOFATAL (1<<4)
-void get_user_pass (struct user_pass *up,
+bool get_user_pass (struct user_pass *up,
const char *auth_file,
const char *prefix,
const unsigned int flags);
diff --git a/pkcs11-helper.c b/pkcs11-helper.c
index 391d91f..4dd798e 100644
--- a/pkcs11-helper.c
+++ b/pkcs11-helper.c
@@ -5196,6 +5196,19 @@ _pkcs11h_certificate_private_op (
fOpSuccess = TRUE;
}
else {
+ /*
+ * OpenSC workaround
+ * It still allows C_FindObjectsInit when
+ * token is removed/inserted but fails
+ * private key operation.
+ * So we force logout.
+ * bug#108 at OpenSC trac
+ */
+ if (fLoginRetry && rv == CKR_DEVICE_REMOVED) {
+ fLoginRetry = FALSE;
+ _pkcs11h_logout (certificate->session);
+ }
+
if (!fLoginRetry) {
PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG1,
@@ -5778,7 +5791,7 @@ pkcs11h_certificate_getCertificateBlob (
if (certificate_blob != NULL) {
if (
rv == CKR_OK &&
- certifiate_blob_size_max > certificate->id->certificate_blob_size
+ certifiate_blob_size_max < certificate->id->certificate_blob_size
) {
rv = CKR_BUFFER_TOO_SMALL;
}
diff --git a/pkcs11.c b/pkcs11.c
index 9f30407..bdd2690 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -166,14 +166,20 @@ _pkcs11_openvpn_token_prompt (
"Please insert %s token",
token->label
);
- get_user_pass (
- &token_resp,
- NULL,
- "token-insertion-request",
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK
- );
- return strcmp (token_resp.password, "ok") == 0;
+ if (
+ !get_user_pass (
+ &token_resp,
+ NULL,
+ "token-insertion-request",
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
+ )
+ ) {
+ return false;
+ }
+ else {
+ return strcmp (token_resp.password, "ok") == 0;
+ }
}
static
@@ -195,15 +201,27 @@ _pkcs11_openvpn_pin_prompt (
token_pass.defined = false;
token_pass.nocache = true;
- get_user_pass (&token_pass, NULL, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
- strncpynt (szPIN, token_pass.password, nMaxPIN);
- purge_user_pass (&token_pass, true);
- if (strlen (szPIN) == 0) {
+ if (
+ !get_user_pass (
+ &token_pass,
+ NULL,
+ szPrompt,
+ GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
+ )
+ ) {
return false;
}
else {
- return true;
+ strncpynt (szPIN, token_pass.password, nMaxPIN);
+ purge_user_pass (&token_pass, true);
+
+ if (strlen (szPIN) == 0) {
+ return false;
+ }
+ else {
+ return true;
+ }
}
}