Merged Alon's branch:

svn merge -r1322:1392 https://svn.openvpn.net/projects/openvpn/contrib/alon/21rc/openvpn . Version 2.1_rc1 released git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1420 e7ae566f-a301-0410-adde-c780ea21d3b5
2026-06-10 09:22:45 -04:00 · 2006-11-01 00:07:21 +00:00 · 2006-11-01 00:07:21 +00:00 · 1d89886e00
commit 1d89886e00
parent 2345908810
7 changed files with 88 additions and 36 deletions
--- a/44
+++ b/44
@ -3,6 +3,14 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

 $Id$

+2006.10.31 -- Version 2.1_rc1
+
+* Support recovery (return to hold) from signal at
+  management password prompt.
+
+* Added workaround for OpenSC PKCS#11 bug#108
+  (Alon Bar-Lev).
+
 2006.10.01 -- Version 2.1-beta16

 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
@ -30,22 +38,26 @@ $Id$
  a blockage of tunnel packets and later time-out and
  restart the connection.

-* pkcs11 changes: 
-  1. Modified ssl.c to not FATAL and return to init.c
-     so auth-retry will work.
-  2. Modifed pkcs11-helper.c to fix some problem with
-     multiple providers.
-  3. Updated makefile.w32-vc to include lladdr.*, updated
-     linkage libraries.
-  4. Modified lladdr.c to be compiled under visual C.
-  5. Added retry counter to PKCS#11 PIN hook.
-  6. Modified PKCS#11 PIN retry loop to return correct error
-     code when PIN is incorrect.
-  7. Fix handling (ignoring) zero sized attributes.
-  8. Fix gcc-2 issues.
-  9. Fix openssl 0.9.6 (first version) issues.
-  10. easy-rsa Makefile (install) is now available so that
-      distribs will be able to install it safely.
+* easy-rsa update (Alon Bar-Lev)
+  Makefile (install) is now available so that
+  distribs will be able to install it safely.
+
+* PKCS#11 changes: (Alon Bar-Lev) 
+  - Modified ssl.c to not FATAL and return to init.c
+    so auth-retry will work.
+  - Modifed pkcs11-helper.c to fix some problem with
+    multiple providers.
+  - Added retry counter to PKCS#11 PIN hook.
+  - Modified PKCS#11 PIN retry loop to return correct error
+    code when PIN is incorrect.
+  - Fix handling (ignoring) zero sized attributes.
+  - Fix gcc-2 issues.
+  - Fix openssl 0.9.6 (first version) issues.
+
+* Minor fixes of lladdr (Alon Bar-Lev)
+  Updated makefile.w32-vc to include lladdr.*, updated
+  linkage libraries.
+  Modified lladdr.c to be compiled under visual C.

 * Added two new management states:
   OPENVPN_STATE_RESOLVE      -- DNS lookup
--- a/configure.ac
+++ b/configure.ac
@ -25,7 +25,7 @@ dnl Process this file with autoconf to produce a configure script.

 AC_PREREQ(2.50)

-AC_INIT([OpenVPN], [2.1_beta16], [openvpn-users@lists.sourceforge.net], [openvpn])
+AC_INIT([OpenVPN], [2.1_rc1], [openvpn-users@lists.sourceforge.net], [openvpn])
 AM_CONFIG_HEADER(config.h)
 AC_CONFIG_SRCDIR(syshead.h)

--- a/makefile.w32-vc
+++ b/makefile.w32-vc
@ -24,17 +24,18 @@ LZO = \src\lzo-1.08.vc

 INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include

-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib gdi32.lib advapi32.lib wininet.lib

 LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO)

 EXE = openvpn.exe

 CPP=cl.exe
+CPP_ARG_COMMON=/nologo /W3 /G5 /O2 -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS -D_CRT_SECURE_NO_DEPRECATE $(INCLUDE_DIRS) /FD /c
 # release:
-CPP_PROJ=/nologo /MD /W3 /G5 /O2 -DNDEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c
+CPP_PROJ=$(CPP_ARG_COMMON) /MD -DNDEBUG
 # debug:
-#CPP_PROJ=/nologo /MDd /W3 /G5 /Zi /Od -D_DEBUG -DWIN32 -DWIN32_LEAN_AND_MEAN -D_CONSOLE -D_MBCS $(INCLUDE_DIRS) /FD /c
+#CPP_PROJ=$(CPP_ARG_COMMON) /MDd /Zi /Od -D_DEBUG

 LINK32=link.exe
 # release:
--- a/misc.c
+++ b/misc.c
@ -1173,7 +1173,7 @@ get_console_input (const char *prompt, const bool echo, char *input, const int c
 * Get and store a username/password
 */

-void
+bool
 get_user_pass (struct user_pass *up,
 	       const char *auth_file,
 	       const char *prefix,
@ -1194,7 +1194,12 @@ get_user_pass (struct user_pass *up,
 	  && management_query_user_pass_enabled (management))
 	{
 	  if (!management_query_user_pass (management, up, prefix, flags))
-	    msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix);
+	    {
+	      if ((flags & GET_USER_PASS_NOFATAL) != 0)
+		return false;
+	      else
+		msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix);
+	    }
 	}
      else
 #endif
@ -1294,6 +1299,8 @@ get_user_pass (struct user_pass *up,
 #endif

  gc_free (&gc);
+
+  return true;
 }

 void
--- a/misc.h
+++ b/misc.h
@ -239,8 +239,9 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const
 #define GET_USER_PASS_SENSITIVE     (1<<1)
 #define GET_USER_PASS_PASSWORD_ONLY (1<<2)
 #define GET_USER_PASS_NEED_OK       (1<<3)
+#define GET_USER_PASS_NOFATAL       (1<<4)

-void get_user_pass (struct user_pass *up,
+bool get_user_pass (struct user_pass *up,
 		    const char *auth_file,
 		    const char *prefix,
 		    const unsigned int flags);
--- a/pkcs11-helper.c
+++ b/pkcs11-helper.c
@ -5196,6 +5196,19 @@ _pkcs11h_certificate_private_op (
 			fOpSuccess = TRUE;
 		}
 		else {
+			/*
+			 * OpenSC workaround
+			 * It still allows C_FindObjectsInit when
+			 * token is removed/inserted but fails
+			 * private key operation.
+			 * So we force logout.
+			 * bug#108 at OpenSC trac
+			 */
+			if (fLoginRetry && rv == CKR_DEVICE_REMOVED) {
+				fLoginRetry = FALSE;
+				_pkcs11h_logout (certificate->session);
+			}
+
 			if (!fLoginRetry) {
 				PKCS11H_DEBUG (
 					PKCS11H_LOG_DEBUG1,
@ -5778,7 +5791,7 @@ pkcs11h_certificate_getCertificateBlob (
 	if (certificate_blob != NULL) {
 		if (
 			rv == CKR_OK &&
-			certifiate_blob_size_max > certificate->id->certificate_blob_size
+			certifiate_blob_size_max < certificate->id->certificate_blob_size
 		) {
 			rv = CKR_BUFFER_TOO_SMALL;
 		}
--- a/pkcs11.c
+++ b/pkcs11.c
@ -166,14 +166,20 @@ _pkcs11_openvpn_token_prompt (
 		"Please insert %s token",
 		token->label
 	);
-	get_user_pass (
-		&token_resp,
-		NULL,
-		"token-insertion-request",
-		GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK
-	);

-	return strcmp (token_resp.password, "ok") == 0;
+	if (
+		!get_user_pass (
+			&token_resp,
+			NULL,
+			"token-insertion-request",
+			GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
+		)
+	) {
+		return false;
+	}
+	else {
+		return strcmp (token_resp.password, "ok") == 0;
+	}
 }

 static
@ -195,15 +201,27 @@ _pkcs11_openvpn_pin_prompt (

 	token_pass.defined = false;
 	token_pass.nocache = true;
-	get_user_pass (&token_pass, NULL, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY);
-	strncpynt (szPIN, token_pass.password, nMaxPIN);
-	purge_user_pass (&token_pass, true);

-	if (strlen (szPIN) == 0) {
+	if (
+		!get_user_pass (
+			&token_pass,
+			NULL,
+			szPrompt,
+			GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
+		)
+	) {
 		return false;
 	}
 	else {
-		return true;
+		strncpynt (szPIN, token_pass.password, nMaxPIN);
+		purge_user_pass (&token_pass, true);
+
+		if (strlen (szPIN) == 0) {
+			return false;
+		}
+		else {
+			return true;
+		}
 	}
 }