Merge branch 'tmp-fix-tls-ciphersuite' into 'master'

occtl: print the TLS session information, even if no DTLS channel

See merge request openconnect/ocserv!95
Nikos Mavrogiannopoulos
2019-01-19 19:29:12 +00:00
3 changed files with 21 additions and 11 deletions

NEWS

@@ -1,5 +1,7 @@
* Version 0.12.3 (unreleased)
- Prevented crash when no DTLS ciphersuite is negotiated
- occtl: print the TLS session information, even if the DTLS channel
is not established.
* Version 0.12.2 (released 2019-01-10)


@@ -226,18 +226,18 @@ static int setup_dtls_psk_keys(gnutls_session_t session, struct worker_st *ws)
gnutls_psk_set_server_credentials_function(WSCREDS(ws)->pskcred, get_psk_key);
if (ws->session && WSCONFIG(ws)->match_dtls_and_tls) {
if (!ws->session) {
oclog(ws, LOG_ERR, "cannot setup PSK keys without an encrypted CSTP channel");
return -1;
}
if (WSCONFIG(ws)->match_dtls_and_tls) {
cipher = gnutls_cipher_get(ws->session);
mac = gnutls_mac_get(ws->session);
snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-CIPHER-ALL:-MAC-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL:+%s:+%s",
WSCONFIG(ws)->priorities, gnutls_mac_get_name(mac), gnutls_cipher_get_name(cipher));
} else {
if (WSCONFIG(ws)->match_dtls_and_tls) {
oclog(ws, LOG_ERR, "cannot determine ciphersuite from CSTP channel (unset match-tls-dtls-ciphers)");
return -1;
}
/* if we haven't an associated session, enable all ciphers we would have enabled
* otherwise for TLS. */
snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-KX-ALL:+PSK:+VERS-DTLS-ALL",
@@ -801,6 +801,8 @@ void vpn_server(struct worker_st *ws)
oclog(ws, LOG_DEBUG, "Accepted unix connection");
}
ws->session = session;
session_info_send(ws);
memset(&settings, 0, sizeof(settings));
@@ -823,7 +825,6 @@ void vpn_server(struct worker_st *ws)
oclog(ws, LOG_DEBUG, "proxy-hdr: peer is %s\n", ws->remote_ip_str);
}
ws->session = session;
ws->parser = &parser;
restart:
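Review bot: The comment opening the else branch in setup_dtls_psk_keys, `/* if we haven't an associated session, enable all ciphers we would have enabled otherwise for TLS. */`, is now stale: the new `if (!ws->session)` guard returns -1 before this point, so the else branch is reached only when match_dtls_and_tls is unset while a CSTP session exists. Suggest rewording it to `/* match-tls-dtls-ciphers is off: enable every cipher we would have enabled for TLS. */` so a later reader does not assume a session-less path still reaches this branch. The guard also turns a previously tolerated "no session, no matching" case into a hard failure of DTLS-PSK setup; the log text suggests that is intended, but it deserves a sentence in the commit message since it changes what a client without an encrypted CSTP channel gets. setup_dtls_psk_keys begins and ends outside the hunk, and in vpn_server the unchecked `session_info_send(ws)` is only worth a look if that helper can report failure, which this page does not show.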


@@ -137,7 +137,7 @@ if test $? != 0;then
exit 1
fi
grep "Username: ${USERNAME}" ${OUTFILE}
grep "Username: ${USERNAME}" ${OUTFILE} >/dev/null
if test $? != 0;then
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
echo "occtl show user didn't find connected user!"
@@ -145,14 +145,14 @@ if test $? != 0;then
fi
if test -z "${GNUTLS_NAME}";then
grep "DTLS cipher:" ${OUTFILE}
grep "DTLS cipher:" ${OUTFILE} >/dev/null
if test $? = 0;then
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
echo "occtl show user did show a cipher!"
exit 1
fi
else
grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE} >/dev/null
if test $? != 0;then
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
echo "occtl show user didn't show cipher!"
@@ -160,7 +160,14 @@ else
fi
fi
grep ${CLI_ADDRESS} ${OUTFILE}
grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE} >/dev/null
if test $? != 0;then
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
echo "occtl show user did not show a TLS cipher!"
exit 1
fi
grep ${CLI_ADDRESS} ${OUTFILE} >/dev/null
if test $? != 0;then
${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
echo "occtl show user didn't find client address!"