int c;
const unsigned char *q;
+ if (size < 0)
+ return -1;
p = s = (char *) malloc(size * 4 / 3 + 4);
if (p == NULL)
return -1;
}
else if (tmp_status == TLSMP_KILL)
{
- c->sig->signal_received = SIGTERM;
- c->sig->signal_text = "auth-control-exit";
+ register_signal (c, SIGTERM, "auth-control-exit");
}
interval_future_trigger (&c->c2.tmp_int, wakeup);
check_tls_errors_co (struct context *c)
{
msg (D_STREAM_ERRORS, "Fatal TLS error (check_tls_errors_co), restarting");
- c->sig->signal_received = c->c2.tls_exit_signal; /* SOFT-SIGUSR1 -- TLS error */
- c->sig->signal_text = "tls-error";
+ register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
}
void
check_tls_errors_nco (struct context *c)
{
- c->sig->signal_received = c->c2.tls_exit_signal; /* SOFT-SIGUSR1 -- TLS error */
- c->sig->signal_text = "tls-error";
+ register_signal (c, c->c2.tls_exit_signal, "tls-error"); /* SOFT-SIGUSR1 -- TLS error */
}
#endif
{
if (!tun_standby (c->c1.tuntap))
{
- c->sig->signal_received = SIGHUP;
- c->sig->signal_text = "ip-fail";
+ register_signal (c, SIGHUP, "ip-fail");
c->persist.restart_sleep_seconds = 10;
#ifdef WIN32
show_routes (M_INFO|M_NOPREFIX);
check_inactivity_timeout_dowork (struct context *c)
{
msg (M_INFO, "Inactivity timeout (--inactive), exiting");
- c->sig->signal_received = SIGTERM;
- c->sig->signal_text = "inactive";
+ register_signal (c, SIGTERM, "inactive");
}
#if P2MP
if (!tls_initial_packet_received (c->c2.tls_multi))
{
msg (M_INFO, "Server poll timeout, restarting");
- c->sig->signal_received = SIGUSR1;
- c->sig->signal_text = "server_poll";
+ register_signal (c, SIGUSR1, "server_poll");
c->persist.restart_sleep_seconds = -1;
}
}
void
check_scheduled_exit_dowork (struct context *c)
{
- c->sig->signal_received = c->c2.scheduled_exit_signal;
- c->sig->signal_text = "delayed-exit";
+ register_signal (c, c->c2.scheduled_exit_signal, "delayed-exit");
}
#endif
const struct buffer *fbuf = socket_foreign_protocol_head (c->c2.link_socket);
const int sd = socket_foreign_protocol_sd (c->c2.link_socket);
port_share_redirect (port_share, fbuf, sd);
- c->sig->signal_received = SIGTERM;
- c->sig->signal_text = "port-share-redirect";
+ register_signal (c, SIGTERM, "port-share-redirect");
}
else
#endif
/* received a disconnect from a connection-oriented protocol */
if (c->options.inetd)
{
- c->sig->signal_received = SIGTERM;
- c->sig->signal_text = "connection-reset-inetd";
+ register_signal (c, SIGTERM, "connection-reset-inetd");
msg (D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
}
else
else
#endif
{
- c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- TCP connection reset */
- c->sig->signal_text = "connection-reset";
+ register_signal (c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
msg (D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
}
}
if (!decrypt_status && link_socket_connection_oriented (c->c2.link_socket))
{
/* decryption errors are fatal in TCP mode */
- c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- decryption error in TCP mode */
- c->sig->signal_text = "decryption-error";
+ register_signal (c, SIGUSR1, "decryption-error"); /* SOFT-SIGUSR1 -- decryption error in TCP mode */
msg (D_STREAM_ERRORS, "Fatal decryption error (process_incoming_link), restarting");
goto done;
}
/* Was TUN/TAP interface stopped? */
if (tuntap_stop (c->c2.buf.len))
{
- c->sig->signal_received = SIGTERM;
- c->sig->signal_text = "tun-stop";
+ register_signal (c, SIGTERM, "tun-stop");
msg (M_INFO, "TUN/TAP interface has been stopped, exiting");
perf_pop ();
return;
management_post_tunnel_open (management, tun_local);
}
#endif
-
}
/*
#define IER_RESET 0
#define IER_NEW 1
-#define IER_CONDRESET 2
static void
in_extra_reset (struct man_connection *mc, const int mode)
{
- if (mc && (mc->in_extra_cmd < IEC_STATEFUL_BASE || mode != IER_CONDRESET))
+ if (mc)
{
if (mode != IER_NEW)
{
#endif
#ifdef MANAGMENT_EXTERNAL_KEY
case IEC_RSA_SIGN:
- man->connection.in_extra_cmd = IEC_RSA_SIGN_FINAL;
+ man->connection.ext_key_state = EKS_READY;
+ buffer_list_free (man->connection.ext_key_input);
+ man->connection.ext_key_input = man->connection.in_extra;
+ man->connection.in_extra = NULL;
return;
#endif
}
man_rsa_sig (struct management *man)
{
struct man_connection *mc = &man->connection;
- if (mc->in_extra_cmd == IEC_RSA_SIGN_PRE)
+ if (mc->ext_key_state == EKS_SOLICIT)
{
- in_extra_reset (&man->connection, IER_NEW);
+ mc->ext_key_state = EKS_INPUT;
mc->in_extra_cmd = IEC_RSA_SIGN;
+ in_extra_reset (mc, IER_NEW);
}
else
msg (M_CLIENT, "ERROR: The rsa-sig command is not currently available");
CLEAR (parms);
so = status_open (NULL, 0, -1, &man->persist.vout, 0);
#ifdef MANAGEMENT_IN_EXTRA
- in_extra_reset (&man->connection, IER_CONDRESET);
+ in_extra_reset (&man->connection, IER_RESET);
#endif
if (man_password_needed (man))
buffer_list_free (mc->out);
#ifdef MANAGEMENT_IN_EXTRA
in_extra_reset (&man->connection, IER_RESET);
+#endif
+#ifdef MANAGMENT_EXTERNAL_KEY
+ buffer_list_free (mc->ext_key_input);
#endif
man_connection_clear (mc);
}
struct buffer alert_msg = clear_buf();
struct buffer *buf;
const bool standalone_disabled_save = man->persist.standalone_disabled;
+ struct man_connection *mc = &man->connection;
if (man_standalone_ok (man))
{
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
man->persist.special_state_msg = NULL;
- in_extra_reset (&man->connection, IER_RESET);
- man->connection.in_extra_cmd = IEC_RSA_SIGN_PRE;
+ mc->ext_key_state = EKS_SOLICIT;
alert_msg = alloc_buf_gc (strlen(b64_data)+64, &gc);
buf_printf (&alert_msg, ">RSA_SIGN:%s", b64_data);
man_check_for_signals (&signal_received);
if (signal_received)
goto done;
- } while (man->connection.in_extra_cmd != IEC_RSA_SIGN_FINAL);
+ } while (mc->ext_key_state != EKS_READY);
- if (buffer_list_defined(man->connection.in_extra))
+ if (buffer_list_defined(mc->ext_key_input))
{
- buffer_list_aggregate (man->connection.in_extra, 2000);
- buf = buffer_list_peek (man->connection.in_extra);
+ buffer_list_aggregate (mc->ext_key_input, 2048);
+ buf = buffer_list_peek (mc->ext_key_input);
if (buf && BLEN(buf) > 0)
{
ret = (char *) malloc(BLEN(buf)+1);
}
done:
+ if (mc->ext_key_state == EKS_READY && ret)
+ msg (M_CLIENT, "SUCCESS: rsa-sig command succeeded");
+ else if (mc->ext_key_state == EKS_INPUT || mc->ext_key_state == EKS_READY)
+ msg (M_CLIENT, "ERROR: rsa-sig command failed");
+
/* revert state */
man->persist.standalone_disabled = standalone_disabled_save;
man->persist.special_state_msg = NULL;
- in_extra_reset (&man->connection, IER_RESET);
+ in_extra_reset (mc, IER_RESET);
+ mc->ext_key_state = EKS_UNDEF;
+ buffer_list_free (mc->ext_key_input);
+ mc->ext_key_input = NULL;
gc_free (&gc);
return ret;
# define IEC_UNDEF 0
# define IEC_CLIENT_AUTH 1
# define IEC_CLIENT_PF 2
-
-# define IEC_STATEFUL_BASE 16
-# define IEC_RSA_SIGN_PRE 16
-# define IEC_RSA_SIGN 17
-# define IEC_RSA_SIGN_FINAL 18
+# define IEC_RSA_SIGN 3
int in_extra_cmd;
struct buffer_list *in_extra;
#ifdef MANAGEMENT_DEF_AUTH
unsigned int in_extra_kid;
int env_filter_level;
#endif
+#ifdef MANAGMENT_EXTERNAL_KEY
+# define EKS_UNDEF 0
+# define EKS_SOLICIT 1
+# define EKS_INPUT 2
+# define EKS_READY 3
+ int ext_key_state;
+ struct buffer_list *ext_key_input;
+#endif
#endif
struct event_set *es;
}
return ret;
}
+
+void
+register_signal (struct context *c, int sig, const char *text)
+{
+ if (c->sig->signal_received != SIGTERM)
+ c->sig->signal_received = sig;
+ c->sig->signal_text = text;
+}
bool process_signal (struct context *c);
+void register_signal (struct context *c, int sig, const char *text);
+
#ifdef ENABLE_OCC
void process_explicit_exit_notification_timer_wakeup (struct context *c);
#endif
BIO_free(in);
if (x509)
*x509 = x;
+ else if (x)
+ X509_free (x);
return(ret);
}
ret = SSL_CTX_use_certificate(ctx, x);
end:
- if (x)
- X509_free (x);
if (in)
BIO_free (in);
if (x509)
*x509 = x;
+ else if (x)
+ X509_free (x);
return ret;
}
msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
}
+ done:
ERR_clear_error ();
-
+ if (my_cert)
+ X509_free(my_cert);
return ctx;
err:
- ERR_clear_error ();
- if (my_cert)
- X509_free(my_cert);
if (ctx)
- SSL_CTX_free (ctx);
- return NULL;
+ {
+ SSL_CTX_free (ctx);
+ ctx = NULL;
+ }
+ goto done;
}
/*
projects / thirdparty / openvpn.git / commitdiff
