Commit c198dbd9 authored by Parménides GV's avatar Parménides GV

Merge branch 'develop'

parents 9d346be6 4028c100
0.9.2
Bugs:
- Sign Up dialog works correctly
Features:
- Updated ics-openvpn code (thanks Arne!)
0.9.1 January 21 2015 - the "insistent reloaded" release
Bugs:
- Autostart on boot works
......@@ -53,7 +53,7 @@ def processFileInplace(file, Closure processText) {
}
task checkoutStrippedIcsOpenVPN ( type: Copy ) << {
task checkoutStrippedIcsOpenVPN ( type: Copy ) {
println "checkoutStrippedIcsOpenVPN"
//FIXME Checkout ics-openvpn-stripped from branch "ics-openvpn-upstream"
//grgit = Grgit.open(project.file('../'))
......@@ -62,11 +62,11 @@ task checkoutStrippedIcsOpenVPN ( type: Copy ) << {
into '../ics-openvpn-stripped'
}
task copyIcsOpenVPNClasses( type: Copy ) << {
task copyIcsOpenVPNClasses( type: Copy ) {
println "copyIcsOpenVPNClasses"
from ('../ics-openvpn-stripped/main/') {
include '**/*.java'
include '**/*.aidl'
includeEmptyDirs = false
filter {
......@@ -78,13 +78,10 @@ task copyIcsOpenVPNClasses( type: Copy ) << {
filter {
line -> line.replace('package de.blinkt.openvpn;', 'package de.blinkt.openvpn;\n\nimport se.leap.bitmaskclient.R;')
}
filter {
line -> line.replace('package de.blinkt.openvpn.fragments;', 'package de.blinkt.openvpn.fragments;\n\nimport se.leap.bitmaskclient.R;')
}
} into '.'
}
task copyIcsOpenVPNXml( type: Copy ) << {
task copyIcsOpenVPNXml( type: Copy ) {
println "copyIcsOpenVPNXml"
from ('../ics-openvpn-stripped/main/') {
include '**/strings.xml'
......@@ -105,7 +102,7 @@ task copyIcsOpenVPNXml( type: Copy ) << {
} into '.'
}
task copyIcsOpenVPNImages( type: Copy ) << {
task copyIcsOpenVPNImages( type: Copy ) {
println "copyIcsOpenVPNImages"
from ('../ics-openvpn-stripped/main/') {
include '**/ic_filter*.png'
......@@ -113,12 +110,13 @@ task copyIcsOpenVPNImages( type: Copy ) << {
include '**/ic_share*.png'
include '**/ic_close*.png'
include '**/ic_edit*.png'
include '**/ic_check*.png'
includeEmptyDirs = false
} into '.'
}
task copyIcsOpenVPNFiles( type: Copy, dependsOn: 'checkoutStrippedIcsOpenVPN' ) << {
task copyIcsOpenVPNFiles( type: Copy, dependsOn: 'checkoutStrippedIcsOpenVPN' ) {
println "copyIcsOpenVPNFiles"
copyIcsOpenVPNClasses.execute()
copyIcsOpenVPNXml.execute()
......@@ -126,9 +124,9 @@ task copyIcsOpenVPNFiles( type: Copy, dependsOn: 'checkoutStrippedIcsOpenVPN' )
}
// thanks to http://pleac.sourceforge.net/pleac_groovy/fileaccess.html
task removeDuplicatedStrings( dependsOn: 'copyIcsOpenVPNFiles' ) << {
task removeDuplicatedStrings( dependsOn: 'copyIcsOpenVPNFiles' ) {
println "removeDuplicatedStrings"
new File('app').eachFileRecurse {
new File('.').eachFileRecurse {
if(it.name.equals('strings.xml')) {
def ics_openvpn_file = file(it.absolutePath.replace('strings.xml', 'strings-icsopenvpn.xml'))
if(ics_openvpn_file.exists()) {
......@@ -145,7 +143,7 @@ task removeDuplicatedStrings( dependsOn: 'copyIcsOpenVPNFiles' ) << {
}
}
task mergeUntranslatable( type: Copy, dependsOn: 'removeDuplicatedStrings') << {
task mergeUntranslatable( type: Copy, dependsOn: 'removeDuplicatedStrings') {
println "mergeUntranslatable"
from ('../ics-openvpn-stripped/main/') {
include '**/untranslatable.xml'
......@@ -178,8 +176,8 @@ task mergeUntranslatable( type: Copy, dependsOn: 'removeDuplicatedStrings') << {
delete ics_openvpn_untranslatable
}
task updateIcsOpenVpn( type: Copy, dependsOn: 'mergeUntranslatable') << {
from('../ics-openvpn-stripped/main/src/') {
task updateIcsOpenVpn( type: Copy, dependsOn: 'mergeUntranslatable') {
from('../ics-openvpn-stripped/') {
include 'openvpn/**/*'
include 'openssl/**/*'
include 'lzo/**/**'
......@@ -196,4 +194,4 @@ task buildNative ( type: Exec ) {
commandLine 'sh', 'misc/build-native.sh', 'USE_BREAKPAD=0', '-j 8'
}
preBuild.dependsOn buildNative
\ No newline at end of file
preBuild.dependsOn buildNative
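Review bot: Dropping `<<` from the task declarations at L18, L26, L43, L51, L64, L72, L83 and L92 turns their closures from `doLast` actions into configuration closures, so their bodies — including `copyIcsOpenVPNClasses.execute()` / `copyIcsOpenVPNXml.execute()` inside copyIcsOpenVPNFiles at L66-L67 and the recursive `strings.xml` rewrite in removeDuplicatedStrings at L75-L78 — now run during project configuration on every Gradle invocation, whatever task was actually requested. If that is not intended, keep only the `from`/`into`/`include` configuration in the closure and move the `println` and the side-effecting statements under `doLast { ... }`, and rely on the `dependsOn` wiring instead of calling `execute()` on sibling tasks. The `new File('.').eachFileRecurse` widening at L75 also walks the whole module tree rather than `app`, which presumably includes `build/` outputs; a `fileTree(dir: '.', include: '**/strings.xml', exclude: 'build/**')` would keep the rewrite off generated files.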
......@@ -7,7 +7,9 @@
#include "jniglue.h"
jint JNI_OnLoad(JavaVM *vm, void *reserved) {
#ifndef NDEBUG
__android_log_write(ANDROID_LOG_DEBUG,"openvpn", "Loading openvpn native library $id$ compiled on " __DATE__ " " __TIME__ );
#endif
return JNI_VERSION_1_2;
}
......@@ -18,7 +18,6 @@
#define ENABLE_PLUGIN 1
#define ENABLE_PORT_SHARE 1
#define ENABLE_SOCKS 1
#define ENABLE_SSL 1
#define HAVE_ERRNO_H 1
#define HAVE_FCNTL_H 1
#define CONFIGURE_GIT_REVISION "icsopenvpn_625-af9eb9424047f9f5"
#define CONFIGURE_GIT_REVISION "icsopenvpn_627-cff5e3e9c3ac08df"
#define CONFIGURE_GIT_FLAGS ""
......@@ -78,13 +78,6 @@ AC_ARG_ENABLE(
[enable_crypto_ofb_cfb="yes"]
)
AC_ARG_ENABLE(
[ssl],
[AS_HELP_STRING([--disable-ssl], [disable SSL support for TLS-based key exchange @<:@default=yes@:>@])],
,
[enable_ssl="yes"]
)
AC_ARG_ENABLE(
[x509-alt-username],
[AS_HELP_STRING([--enable-x509-alt-username], [enable the --x509-username-field feature @<:@default=no@:>@])],
......@@ -1080,19 +1073,11 @@ case "${with_crypto_library}" in
;;
esac
if test "${enable_ssl}" = "yes"; then
test "${enable_crypto}" != "yes" && AC_MSG_ERROR([crypto must be enabled for ssl])
test "${have_crypto_ssl}" != "yes" && AC_MSG_ERROR([${with_ssl_library} ssl is required but missing])
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"
AC_DEFINE([ENABLE_SSL], [1], [Enable ssl library])
fi
if test "${enable_crypto}" = "yes"; then
test "${have_crypto_crypto}" != "yes" && AC_MSG_ERROR([${with_crypto_library} crypto is required but missing])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS}"
OPTIONAL_CRYPTO_CFLAGS="${OPTIONAL_CRYPTO_CFLAGS} ${CRYPTO_CRYPTO_CFLAGS} ${CRYPTO_SSL_CFLAGS}"
OPTIONAL_CRYPTO_LIBS="${OPTIONAL_CRYPTO_LIBS} ${CRYPTO_CRYPTO_LIBS} ${CRYPTO_SSL_LIBS}"
AC_DEFINE([ENABLE_CRYPTO], [1], [Enable crypto library])
fi
......@@ -1135,10 +1120,17 @@ fi
if test "${enable_pkcs11}" = "yes"; then
test "${have_pkcs11_helper}" != "yes" && AC_MSG_ERROR([PKCS11 enabled but libpkcs11-helper is missing])
test "${enable_ssl}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if SSL is enabled])
test "${enable_crypto}" != "yes" && AC_MSG_ERROR([PKCS11 can be enabled only if crypto is enabled])
OPTIONAL_PKCS11_HELPER_CFLAGS="${PKCS11_HELPER_CFLAGS}"
OPTIONAL_PKCS11_HELPER_LIBS="${PKCS11_HELPER_LIBS}"
AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
PKG_CHECK_MODULES(
[P11KIT],
[p11-kit-1],
[proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
[]
)
fi
if test "${enable_pedantic}" = "yes"; then
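Review bot: The p11-kit branch at L162-L168 defines DEFAULT_PKCS11_MODULE from whatever `$PKG_CONFIG --variable=proxy_module p11-kit-1` prints, and the success action runs even when that variable is empty, so a p11-kit install without a `proxy_module` entry presumably yields `#define DEFAULT_PKCS11_MODULE ""` and a runtime attempt to load an empty provider path; guard it with `test -n "${proxy_module}" && AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])`. Separately, the merged crypto block at L145-L153 now appends `${CRYPTO_SSL_CFLAGS}` and `${CRYPTO_SSL_LIBS}` without the `have_crypto_ssl` check that the deleted SSL block carried at L140; unless that check moved into the `case "${with_crypto_library}"` block above this hunk, a missing SSL library is no longer reported at configure time and only surfaces as a link failure.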
......@@ -60,12 +60,12 @@
*
* @par Settings that control this module's activity
* Whether or not the Data Channel Crypto module is active depends on the
* compile-time \c ENABLE_CRYPTO and \c ENABLE_SSL preprocessor macros. How it
* processes packets received from the \link data_control Data Channel
* Control module\endlink at runtime depends on the associated \c
* crypto_options structure. To perform cryptographic operations, the \c
* crypto_options.key_ctx_bi must contain the correct cipher and HMAC
* security parameters for the direction the packet is traveling in.
* compile-time \c ENABLE_CRYPTO preprocessor macro. How it processes packets
* received from the \link data_control Data Channel Control module\endlink at
* runtime depends on the associated \c crypto_options structure. To perform
* cryptographic operations, the \c crypto_options.key_ctx_bi must contain the
* correct cipher and HMAC security parameters for the direction the packet is
* traveling in.
*
* @par Crypto algorithms
* This module uses the crypto algorithm implementations of the external
......@@ -235,7 +235,7 @@ EXPAND_ONLY_PREDEF = NO
SEARCH_INCLUDES = YES
INCLUDE_PATH =
INCLUDE_FILE_PATTERNS =
PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_SSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
PREDEFINED = WIN32 NTLM USE_LZO ENABLE_FRAGMENT P2MP P2MP_SERVER ENABLE_CRYPTO ENABLE_CRYPTO_OPENSSL ENABLE_PLUGIN ENABLE_MANAGEMENT ENABLE_OCC HAVE_GETTIMEOFDAY
EXPAND_AS_DEFINED =
SKIP_FUNCTION_MACROS = YES
#---------------------------------------------------------------------------
......@@ -4239,13 +4239,18 @@ Not available with PolarSSL.
File containing Diffie Hellman parameters
in .pem format (required for
.B \-\-tls-server
only). Use
only).
.B openssl dhparam -out dh1024.pem 1024
Set
.B file=none
to disable Diffie Hellman key exchange (and use ECDH only). Note that this
requires peers to be using an SSL library that supports ECDH TLS cipher suites
(e.g. OpenSSL 1.0.1+, or PolarSSL 1.3+).
to generate your own, or use the existing dh1024.pem file
included with the OpenVPN distribution. Diffie Hellman parameters
may be considered public.
Use
.B openssl dhparam -out dh2048.pem 2048
to generate 2048-bit DH parameters. Diffie Hellman parameters may be considered
public.
.\"*********************************************************
.TP
.B \-\-ecdh-curve name
......@@ -4393,6 +4398,16 @@ This option can be used instead of
.B \-\-cert, \-\-key,
and
.B \-\-pkcs12.
If p11-kit is present on the system, its
.B p11-kit-proxy.so
module will be loaded by default if either the
.B \-\-pkcs11\-id
or
.B \-\-pkcs11\-id\-management
options are specified without
.B \-\-pkcs11\-provider
being given.
.\"*********************************************************
.TP
.B \-\-pkcs11-private-mode mode...
......@@ -5480,11 +5495,17 @@ adapter list.
.SS PKCS#11 Standalone Options:
.\"*********************************************************
.TP
.B \-\-show-pkcs11-ids provider [cert_private]
.B \-\-show-pkcs11-ids [provider] [cert_private]
(Standalone)
Show PKCS#11 token object list. Specify cert_private as 1
if certificates are stored as private objects.
If p11-kit is present on the system, the
.B provider
argument is optional; if omitted the default
.B p11-kit-proxy.so
module will be queried.
.B \-\-verb
option can be used BEFORE this option to produce debugging information.
.\"*********************************************************
......@@ -27,7 +27,7 @@
#define OPENVPN_PLUGIN_VERSION 3
#ifdef ENABLE_SSL
#ifdef ENABLE_CRYPTO
#ifdef ENABLE_CRYPTO_POLARSSL
#include <polarssl/x509_crt.h>
#ifndef __OPENVPN_X509_CERT_T_DECLARED
......@@ -358,9 +358,9 @@ struct openvpn_plugin_args_open_return
* *per_client_context : the per-client context pointer which was returned by
* openvpn_plugin_client_constructor_v1, if defined.
*
* current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_SSL defined)
* current_cert_depth : Certificate depth of the certificate being passed over (only if compiled with ENABLE_CRYPTO defined)
*
* *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_SSL defined)
* *current_cert : X509 Certificate object received from the client (only if compiled with ENABLE_CRYPTO defined)
*
*/
struct openvpn_plugin_args_func_in
......@@ -370,7 +370,7 @@ struct openvpn_plugin_args_func_in
const char ** const envp;
openvpn_plugin_handle_t handle;
void *per_client_context;
#ifdef ENABLE_SSL
#ifdef ENABLE_CRYPTO
int current_cert_depth;
openvpn_x509_cert_t *current_cert;
#else
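Review bot: The layout of `struct openvpn_plugin_args_func_in` at L281-L284 is now selected by ENABLE_CRYPTO instead of ENABLE_SSL, so an out-of-tree plugin built against the previous header (which keyed the same fields on ENABLE_SSL) would presumably see a different struct layout than the core that passes it, while OPENVPN_PLUGIN_VERSION at L259 stays at 3. That is worth a note beside the `#ifdef`, e.g. `/* ENABLE_CRYPTO (formerly ENABLE_SSL) selects the struct layout; must match the core's build */`, so plugin authors know which macro now governs the ABI. The enclosing struct continues outside the hunk.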
......@@ -36,7 +36,7 @@
#include <string.h>
#include <stdlib.h>
#define ENABLE_SSL
#define ENABLE_CRYPTO
#include "openvpn-plugin.h"
......@@ -726,8 +726,6 @@ test_crypto (const struct crypto_options *co, struct frame* frame)
gc_free (&gc);
}
#ifdef ENABLE_SSL
void
get_tls_handshake_key (const struct key_type *key_type,
struct key_ctx_bi *ctx,
......@@ -799,7 +797,6 @@ get_tls_handshake_key (const struct key_type *key_type,
CLEAR (*ctx);
}
}
#endif
/* header and footer for static key file */
static const char static_key_head[] = "-----BEGIN OpenVPN Static key V1-----";
......@@ -1322,23 +1319,6 @@ get_random()
return l;
}
#ifndef ENABLE_SSL
void
init_ssl_lib (void)
{
crypto_init_lib ();
}
void
free_ssl_lib (void)
{
crypto_uninit_lib ();
prng_uninit();
}
#endif /* ENABLE_SSL */
/*
* md5 functions
*/
......@@ -413,8 +413,6 @@ void key2_print (const struct key2* k,
const char* prefix0,
const char* prefix1);
#ifdef ENABLE_SSL
#define GHK_INLINE (1<<0)
void get_tls_handshake_key (const struct key_type *key_type,
struct key_ctx_bi *ctx,
......@@ -422,13 +420,6 @@ void get_tls_handshake_key (const struct key_type *key_type,
const int key_direction,
const unsigned int flags);
#else
void init_ssl_lib (void);
void free_ssl_lib (void);
#endif /* ENABLE_SSL */
/*
* md5 functions
*/
......@@ -42,9 +42,12 @@
#include "integer.h"
#include "crypto.h"
#include "crypto_backend.h"
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/des.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/ssl.h>
/*
* Check for key size creepage.
......@@ -100,13 +103,15 @@ setup_engine (const char *engine)
if ((e = ENGINE_by_id (engine)) == NULL
&& (e = try_load_engine (engine)) == NULL)
{
msg (M_FATAL, "OpenSSL error: cannot load engine '%s'", engine);
crypto_msg (M_FATAL, "OpenSSL error: cannot load engine '%s'",
engine);
}
if (!ENGINE_set_default (e, ENGINE_METHOD_ALL))
{
msg (M_FATAL, "OpenSSL error: ENGINE_set_default failed on engine '%s'",
engine);
crypto_msg (M_FATAL,
"OpenSSL error: ENGINE_set_default failed on engine '%s'",
engine);
}
msg (M_INFO, "Initializing OpenSSL support for engine '%s'",
......@@ -142,14 +147,6 @@ crypto_init_lib_engine (const char *engine_name)
void
crypto_init_lib (void)
{
#ifndef ENABLE_SSL
/* If SSL is enabled init is taken care of in ssl_openssl.c */
#ifndef ENABLE_SMALL
ERR_load_crypto_strings ();
#endif
OpenSSL_add_all_algorithms ();
#endif
/*
* If you build the OpenSSL library and OpenVPN with
* CRYPTO_MDEBUG, you will get a listing of OpenSSL
......@@ -164,14 +161,6 @@ crypto_init_lib (void)
void
crypto_uninit_lib (void)
{
#ifndef ENABLE_SSL
/* If SSL is enabled cleanup is taken care of in ssl_openssl.c */
EVP_cleanup ();
#ifndef ENABLE_SMALL
ERR_free_strings ();
#endif
#endif
#ifdef CRYPTO_MDEBUG
FILE* fp = fopen ("sdlog", "w");
ASSERT (fp);
......@@ -195,6 +184,26 @@ crypto_clear_error (void)
ERR_clear_error ();
}
void
crypto_print_openssl_errors(const unsigned int flags) {
size_t err = 0;
while ((err = ERR_get_error ()))
{
/* Be more clear about frequently occurring "no shared cipher" error */
if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO,
SSL_R_NO_SHARED_CIPHER))
{
msg (D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
"in common with the client. Your --tls-cipher setting might be "
"too restrictive.");
}
msg (flags, "OpenSSL: %s", ERR_error_string (err, NULL));
}
}
/*
*
* OpenSSL memory debugging. If dmalloc debugging is enabled, tell
......@@ -386,17 +395,20 @@ key_des_check (uint8_t *key, int key_len, int ndc)
DES_cblock *dc = (DES_cblock*) buf_read_alloc (&b, sizeof (DES_cblock));
if (!dc)
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material");
crypto_msg (D_CRYPT_ERRORS,
"CRYPTO INFO: check_key_DES: insufficient key material");
goto err;
}
if (DES_is_weak_key(dc))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected");
crypto_msg (D_CRYPT_ERRORS,
"CRYPTO INFO: check_key_DES: weak key detected");
goto err;
}
if (!DES_check_key_parity (dc))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected");
crypto_msg (D_CRYPT_ERRORS,
"CRYPTO INFO: check_key_DES: bad parity detected");
goto err;
}
}
......@@ -445,7 +457,7 @@ cipher_kt_get (const char *ciphername)
cipher = EVP_get_cipherbyname (ciphername);
if (NULL == cipher)
msg (M_SSLERR, "Cipher algorithm '%s' not found", ciphername);
crypto_msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername);
if (EVP_CIPHER_key_length (cipher) > MAX_CIPHER_KEY_LENGTH)
msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)",
......@@ -529,13 +541,13 @@ cipher_ctx_init (EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
EVP_CIPHER_CTX_init (ctx);
if (!EVP_CipherInit (ctx, kt, NULL, NULL, enc))
msg (M_SSLERR, "EVP cipher init #1");
crypto_msg (M_FATAL, "EVP cipher init #1");
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
if (!EVP_CIPHER_CTX_set_key_length (ctx, key_len))
msg (M_SSLERR, "EVP set key size");
crypto_msg (M_FATAL, "EVP set key size");
#endif
if (!EVP_CipherInit (ctx, NULL, key, NULL, enc))
msg (M_SSLERR, "EVP cipher init #2");
crypto_msg (M_FATAL, "EVP cipher init #2");
/* make sure we used a big enough key */
ASSERT (EVP_CIPHER_CTX_key_length (ctx) <= key_len);
......@@ -582,7 +594,9 @@ int
cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
uint8_t *src, int src_len)
{
return EVP_CipherUpdate (ctx, dst, dst_len, src, src_len);
if (!EVP_CipherUpdate (ctx, dst, dst_len, src, src_len))
crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__);
return 1;
}
int
......@@ -617,12 +631,14 @@ md_kt_get (const char *digest)
ASSERT (digest);
md = EVP_get_digestbyname (digest);
if (!md)
msg (M_SSLERR, "Message hash algorithm '%s' not found", digest);
crypto_msg (M_FATAL, "Message hash algorithm '%s' not found", digest);
if (EVP_MD_size (md) > MAX_HMAC_KEY_LENGTH)
msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)",
digest,
EVP_MD_size (md),
MAX_HMAC_KEY_LENGTH);
{
crypto_msg (M_FATAL, "Message hash algorithm '%s' uses a default hash "
"size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
"maximum hash size (%d bytes)",
digest, EVP_MD_size (md), MAX_HMAC_KEY_LENGTH);
}
return md;
}
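Review bot: `crypto_print_openssl_errors` at L407-L422 formats each error with `ERR_error_string (err, NULL)`, which writes into a static buffer that OpenSSL documents as not thread-safe; since the function is now reachable from every `crypto_msg` call site, prefer the bounded variant with a local buffer: `char buf[256]; ERR_error_string_n (err, buf, sizeof (buf)); msg (flags, "OpenSSL: %s", buf);`. Also `err` is declared `size_t` at L409 while `ERR_get_error` and `ERR_PACK` work in `unsigned long`; declaring it `unsigned long err = 0;` removes the implicit conversion on platforms where the two types differ. Finally, `cipher_ctx_update` at L476-L479 now always returns 1 and aborts via M_FATAL on failure, so its `int` return no longer carries information to callers; a one-line comment such as `/* never returns 0: failure is fatal via crypto_msg */` would stop callers from adding dead error handling.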
......@@ -70,4 +70,29 @@ typedef HMAC_CTX hmac_ctx_t;
#define DES_KEY_LENGTH 8
#define MD4_DIGEST_LENGTH 16
/**
* Retrieve any occurred OpenSSL errors and print those errors.
*
* Note that this function uses the not thread-safe OpenSSL error API.
*
* @param flags Flags to indicate error type and priority.
*/
void crypto_print_openssl_errors(const unsigned int flags);
/**
* Retrieve any OpenSSL errors, then print the supplied error message.
*
* This is just a convenience wrapper for often occurring situations.
*
* @param flags Flags to indicate error type and priority.
* @param format Format string to print.
* @param format args (optional) arguments for the format string.
*/
# define crypto_msg(flags, ...) \
do { \
crypto_print_openssl_errors(nonfatal(flags)); \
msg((flags), __VA_ARGS__); \
} while (false)
#endif /* CRYPTO_OPENSSL_H_ */
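Review bot: The Doxygen block above `crypto_msg` at L513-L521 documents a `format` parameter that the macro at L522 does not declare (it is `crypto_msg(flags, ...)`), so the two `@param format` lines should be replaced by one entry for the variadic part, e.g. `@param ... Format string and its optional arguments, as accepted by msg().`. The macro also expands to `nonfatal()`, `msg()` and `false`, none of which this header's visible includes provide; if `error.h` and `<stdbool.h>` (or the project's bool definition) are not already included above the hunk, adding them keeps the header self-contained for any translation unit that includes it first.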
......@@ -43,13 +43,6 @@
#include "ps.h"
#include "mstats.h"
#ifdef ENABLE_CRYPTO
#ifdef ENABLE_CRYPTO_OPENSSL
#include <openssl/err.h>
#endif
#endif
#include "memdbg.h"
#if SYSLOG_CAPABILITY
#ifndef LOG_OPENVPN
......@@ -269,28 +262,6 @@ void x_msg_va (const unsigned int flags, const char *format, va_list arglist)
SWAP;
}
#ifdef ENABLE_CRYPTO
#ifdef ENABLE_CRYPTO_OPENSSL
if (flags & M_SSL)
{
int nerrs = 0;
size_t err;
while ((err = ERR_get_error ()))
{
openvpn_snprintf (m2, ERR_BUF_SIZE, "%s: %s",
m1, ERR_error_string (err, NULL));
SWAP;
++nerrs;
}
if (!nerrs)
{
openvpn_snprintf (m2, ERR_BUF_SIZE, "%s (OpenSSL)", m1);
SWAP;
}
}
#endif
#endif
if (flags & M_OPTERR)
{
openvpn_snprintf (m2, ERR_BUF_SIZE, "Options error: %s", m1);
......@@ -93,10 +93,6 @@ extern int x_msg_line_num;
#define M_ERRNO (1<<8) /* show errno description */
#ifdef ENABLE_CRYPTO_OPENSSL
# define M_SSL (1<<10) /* show SSL error */
#endif
#define M_NOMUTE (1<<11) /* don't do mute processing */
#define M_NOPREFIX (1<<12) /* don't show date/time prefix */
#define M_USAGE_SMALL (1<<13) /* fatal options error, call usage_small */
......@@ -107,7 +103,6 @@ extern int x_msg_line_num;
/* flag combinations which are frequently used */
#define M_ERR (M_FATAL | M_ERRNO)
#define M_SSLERR (M_FATAL | M_SSL)
#define M_USAGE (M_USAGE_SMALL | M_NOPREFIX | M_OPTERR)
#define M_CLIENT (M_MSG_VIRT_OUT | M_NOMUTE | M_NOIPREFIX)
......@@ -354,6 +349,12 @@ ignore_sys_error (const int err)
return false;
}
/** Convert fatal errors to nonfatal, don't touch other errors */
static inline const unsigned int
nonfatal(const unsigned int err) {
return err & M_FATAL ? (err ^ M_FATAL) | M_NONFATAL : err;
}
#include "errlevel.h"
#endif
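Review bot: `nonfatal` at L585-L588 declares its return type as `const unsigned int`; a `const` qualifier on a scalar return type has no effect and triggers `-Wignored-qualifiers` warnings, and the unparenthesised `err & M_FATAL ? ... : ...` relies on the reader knowing that `&` binds tighter than `?:`. Prefer `static inline unsigned int nonfatal(const unsigned int err) { return (err & M_FATAL) ? ((err ^ M_FATAL) | M_NONFATAL) : err; }`. `M_NONFATAL` is not visible in this hunk and is presumably defined with the other `M_*` flags above it.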
......@@ -35,7 +35,7 @@
static inline void
check_tls (struct context *c)
{
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
#if defined(ENABLE_CRYPTO)
void check_tls_dowork (struct context *c);
if (c->c2.tls_multi)
check_tls_dowork (c);
......@@ -49,7 +49,7 @@ check_tls (struct context *c)
static inline void
check_tls_errors (struct context *c)
{
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
#if defined(ENABLE_CRYPTO)
void check_tls_errors_co (struct context *c);
void check_tls_errors_nco (struct context *c);
if (c->c2.tls_multi && c->c2.tls_exit_signal)
......@@ -88,7 +88,7 @@ show_wait_status (struct context *c)
* traffic on the control-channel.
*
*/
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
#ifdef ENABLE_CRYPTO
void
check_tls_dowork (struct context *c)
{
......@@ -117,9 +117,6 @@ check_tls_dowork (struct context *c)
if (wakeup)
context_reschedule_sec (c, wakeup);
}
#endif
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
void
check_tls_errors_co (struct context *c)
......@@ -133,8 +130,7 @@ check_tls_errors_nco (struct context *c)
{
register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
}
#endif
#endif /* ENABLE_CRYPTO */
#if P2MP
......@@ -239,7 +235,7 @@ check_connection_established_dowork (struct context *c)
bool
send_control_channel_string (struct context *c, const char *str, int msglevel)
{
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
#ifdef ENABLE_CRYPTO