From 1d89886e00a36788cf16d1c5de9cca224074edcf Mon Sep 17 00:00:00 2001 From: james Date: Wed, 1 Nov 2006 00:07:21 +0000 Subject: Merged Alon's branch: svn merge -r1322:1392 https://svn.openvpn.net/projects/openvpn/contrib/alon/21rc/openvpn . Version 2.1_rc1 released git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1420 e7ae566f-a301-0410-adde-c780ea21d3b5 --- ChangeLog | 44 ++++++++++++++++++++++++++++---------------- configure.ac | 2 +- makefile.w32-vc | 7 ++++--- misc.c | 11 +++++++++-- misc.h | 3 ++- pkcs11-helper.c | 15 ++++++++++++++- pkcs11.c | 42 ++++++++++++++++++++++++++++++------------ 7 files changed, 88 insertions(+), 36 deletions(-) diff --git a/ChangeLog b/ChangeLog index 397d7cd..ef68857 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,14 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC $Id$ +2006.10.31 -- Version 2.1_rc1 + +* Support recovery (return to hold) from signal at + management password prompt. + +* Added workaround for OpenSC PKCS#11 bug#108 + (Alon Bar-Lev). + 2006.10.01 -- Version 2.1-beta16 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix 
@@ -30,22 +38,26 @@ $Id$ a blockage of tunnel packets and later time-out and restart the connection. -* pkcs11 changes: - 1. Modified ssl.c to not FATAL and return to init.c - so auth-retry will work. - 2. Modifed pkcs11-helper.c to fix some problem with - multiple providers. - 3. Updated makefile.w32-vc to include lladdr.*, updated - linkage libraries. - 4. Modified lladdr.c to be compiled under visual C. - 5. Added retry counter to PKCS#11 PIN hook. - 6. Modified PKCS#11 PIN retry loop to return correct error - code when PIN is incorrect. - 7. Fix handling (ignoring) zero sized attributes. - 8. Fix gcc-2 issues. - 9. Fix openssl 0.9.6 (first version) issues. - 10. easy-rsa Makefile (install) is now available so that - distribs will be able to install it safely. +* easy-rsa update (Alon Bar-Lev) + Makefile (install) is now available so that + distribs will be able to install it safely. + +* PKCS#11 changes: (Alon Bar-Lev) + - Modified ssl.c to not FATAL and return to init.c + so auth-retry will work. + - Modifed pkcs11-helper.c to fix some problem with + multiple providers. + - Added retry counter to PKCS#11 PIN hook. + - Modified PKCS#11 PIN retry loop to return correct error + code when PIN is incorrect. + - Fix handling (ignoring) zero sized attributes. + - Fix gcc-2 issues. + - Fix openssl 0.9.6 (first version) issues. + +* Minor fixes of lladdr (Alon Bar-Lev) + Updated makefile.w32-vc to include lladdr.*, updated + linkage libraries. + Modified lladdr.c to be compiled under visual C. * Added two new management states: OPENVPN_STATE_RESOLVE -- DNS lookup diff --git a/configure.ac b/configure.ac index 2f80768..b0e5fe2 100644 --- a/configure.ac +++ b/configure.ac 
@@ -25,7 +25,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ(2.50) -AC_INIT([OpenVPN], [2.1_beta16], [openvpn-users@lists.sourceforge.net], [openvpn]) +AC_INIT([OpenVPN], [2.1_rc1], [openvpn-users@lists.sourceforge.net], [openvpn]) AM_CONFIG_HEADER(config.h) AC_CONFIG_SRCDIR(syshead.h) diff --git a/makefile.w32-vc b/makefile.w32-vc index d3dac0b..92f7013 100644 --- a/makefile.w32-vc +++ b/makefile.w32-vc @@ -24,17 +24,18 @@ LZO = \src\lzo-1.08.vc INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include -LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib +LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib gdi32.lib advapi32.lib wininet.lib LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO) EXE = openvpn.exe CPP=cl.exe +CPP_ARG_COMMON=/nologo /W3 /G5 /O2 -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS -D_CRT_SECURE_NO_DEPRECATE $(INCLUDE_DIRS) /FD /c # release: -CPP_PROJ=/nologo /MD /W3 /G5 /O2 -DNDEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c +CPP_PROJ=$(CPP_ARG_COMMON) /MD -DNDEBUG # debug: -#CPP_PROJ=/nologo /MDd /W3 /G5 /Zi /Od -D_DEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c +#CPP_PROJ=$(CPP_ARG_COMMON) /MDd /Zi /Od -D_DEBUG LINK32=link.exe # release: diff --git a/misc.c b/misc.c index 0c45817..fb18448 100644 --- a/misc.c +++ b/misc.c @@ -1173,7 +1173,7 @@ get_console_input (const char *prompt, const bool echo, char *input, const int c * Get and store a username/password */ -void +bool get_user_pass (struct user_pass *up, const char *auth_file, const char *prefix, 
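Review bot: `-D_CRT_SECURE_NO_DEPRECATE` in the new `CPP_ARG_COMMON` line silences MSVC's C4996 warnings for the whole build, including the ones that point at unbounded CRT calls such as strcpy/sprintf, so any new use of them compiles silently on Windows from now on. That is a defensible choice for a portable codebase that cannot adopt the `_s` variants, but it should be stated next to the flag rather than left implicit: `# _CRT_SECURE_NO_DEPRECATE silences C4996 (strcpy/sprintf & co.) project-wide; MSVC will no longer flag unbounded CRT calls`. Note also that folding the shared flags into one variable means the debug configuration now picks up this define, which the old debug `CPP_PROJ` line did not have.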
@@ -1194,7 +1194,12 @@ get_user_pass (struct user_pass *up, && management_query_user_pass_enabled (management)) { if (!management_query_user_pass (management, up, prefix, flags)) - msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix); + { + if ((flags & GET_USER_PASS_NOFATAL) != 0) + return false; + else + msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix); + } } else #endif @@ -1294,6 +1299,8 @@ get_user_pass (struct user_pass *up, #endif gc_free (&gc); + + return true; } void diff --git a/misc.h b/misc.h index ae78827..b57185b 100644 --- a/misc.h +++ b/misc.h @@ -239,8 +239,9 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const #define GET_USER_PASS_SENSITIVE (1<<1) #define GET_USER_PASS_PASSWORD_ONLY (1<<2) #define GET_USER_PASS_NEED_OK (1<<3) +#define GET_USER_PASS_NOFATAL (1<<4) -void get_user_pass (struct user_pass *up, +bool get_user_pass (struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags); diff --git a/pkcs11-helper.c b/pkcs11-helper.c index 391d91f..4dd798e 100644 --- a/pkcs11-helper.c +++ b/pkcs11-helper.c @@ -5196,6 +5196,19 @@ _pkcs11h_certificate_private_op ( fOpSuccess = TRUE; } else { + /* + * OpenSC workaround + * It still allows C_FindObjectsInit when + * token is removed/inserted but fails + * private key operation. + * So we force logout. + * bug#108 at OpenSC trac + */ + if (fLoginRetry && rv == CKR_DEVICE_REMOVED) { + fLoginRetry = FALSE; + _pkcs11h_logout (certificate->session); + } + if (!fLoginRetry) { PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG1, @@ -5778,7 +5791,7 @@ pkcs11h_certificate_getCertificateBlob ( if (certificate_blob != NULL) { if ( rv == CKR_OK && - certifiate_blob_size_max > certificate->id->certificate_blob_size + certifiate_blob_size_max < certificate->id->certificate_blob_size ) { rv = CKR_BUFFER_TOO_SMALL; } diff --git a/pkcs11.c b/pkcs11.c index 9f30407..bdd2690 100644 
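Review bot: The early `return false` added for GET_USER_PASS_NOFATAL skips the `gc_free (&gc)` that get_user_pass runs at its end (visible in the last misc.c hunk), so anything allocated from `gc` before the management query would leak on this path; whether anything is allocated that early is not visible here, so either confirm it or route the failure through the cleanup, e.g. `bool ret = false; goto done;` with `done: gc_free (&gc); return ret;`. The flag is also only honored in the management branch; the `else` paths that follow (auth-file and console input, outside the hunk) presumably still call msg (M_FATAL), so a caller passing NOFATAL can still be aborted there, and the flag's definition in misc.h should say exactly which path it covers. get_user_pass begins before this hunk and ends in the hunk that adds `return true;`.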
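Review bot: The OpenSC workaround discards the result of `_pkcs11h_logout (certificate->session)` and clears `fLoginRetry`, which re-arms whatever retry the `if (!fLoginRetry)` branch below performs; if the surrounding loop in _pkcs11h_certificate_private_op (which starts and ends outside the hunk) has no iteration cap, a token that keeps reporting CKR_DEVICE_REMOVED would be retried indefinitely instead of failing. Applying the reset only once per call, or a small bounded counter, would close that. Logging the forced logout at the existing debug level would also help diagnosis, e.g. `PKCS11H_DEBUG (PKCS11H_LOG_DEBUG1, "PKCS#11: Forcing logout after CKR_DEVICE_REMOVED (OpenSC bug#108)");` placed before the logout call, since a logout failure on a removed token is expected and otherwise invisible.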
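Review bot: The corrected test `certifiate_blob_size_max < certificate->id->certificate_blob_size` now rejects only buffers that cannot hold the whole blob, which is the right direction; the old `>` let a caller buffer smaller than the blob pass the check, so if the copy that follows (outside the hunk) trusts this check, the previous code could write past the caller's buffer, and that deserves a line in the ChangeLog rather than a silent fix. A short comment on the condition would keep the same inversion from recurring: `/* caller-supplied buffer must hold the entire blob; equal size is fine */`. The parameter name `certifiate_blob_size_max` is misspelled, which makes the comparison harder to read; renaming it touches the prototype, so that is best done separately.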
--- a/pkcs11.c +++ b/pkcs11.c @@ -166,14 +166,20 @@ _pkcs11_openvpn_token_prompt ( "Please insert %s token", token->label ); - get_user_pass ( - &token_resp, - NULL, - "token-insertion-request", - GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK - ); - return strcmp (token_resp.password, "ok") == 0; + if ( + !get_user_pass ( + &token_resp, + NULL, + "token-insertion-request", + GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL + ) + ) { + return false; + } + else { + return strcmp (token_resp.password, "ok") == 0; + } } static @@ -195,15 +201,27 @@ _pkcs11_openvpn_pin_prompt ( token_pass.defined = false; token_pass.nocache = true; - get_user_pass (&token_pass, NULL, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY); - strncpynt (szPIN, token_pass.password, nMaxPIN); - purge_user_pass (&token_pass, true); - if (strlen (szPIN) == 0) { + if ( + !get_user_pass ( + &token_pass, + NULL, + szPrompt, + GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL + ) + ) { return false; } else { - return true; + strncpynt (szPIN, token_pass.password, nMaxPIN); + purge_user_pass (&token_pass, true); + + if (strlen (szPIN) == 0) { + return false; + } + else { + return true; + } } } -- cgit
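Review bot: `strncpynt (szPIN, token_pass.password, nMaxPIN)` silently truncates a PIN longer than the buffer, so an over-long entry is submitted to the token as a wrong PIN, and with the PIN retry loop this commit's ChangeLog describes each such attempt consumes one of the token's PIN retries toward lockout. Rejecting over-long input instead avoids burning a retry: `if (strlen (token_pass.password) >= nMaxPIN) { purge_user_pass (&token_pass, true); return false; }` before the copy, assuming strncpynt reserves one byte for the terminator as the name suggests (confirm against its definition). The empty-PIN check after the copy is fine, but szPIN keeps the PIN on the `return true` path by design, so a one-line comment stating that the caller owns wiping `szPIN` would make the contract explicit.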