Commit 2dc47c6c2a0a98ccc47f105ebf4e9a2e5d109244 - openfortivpn

New upstream version 1.8.1 Daniel Echeverry 5 years ago

9 changed file(s) with 302 addition(s) and 65 deletion(s). Raw diff Collapse all Expand all

+188

-10

CHANGELOG.md less more

3	3	Legend
4	4	------
5	5
6		* [+] new feature, improvement
	6	* [+] new feature or improvement
7	7	* [-] bug fix
8	8	* [~] change in behavior
9	9
10	10	Releases
11	11	--------
	12
	13	This high level changelog is usually updated when a release is tagged.
	14	On the master branch there may be changes that are not (yet) described here.
	15
	16	### 1.8.1
	17
	18	* [~] Support longer passowrds by allocation of a larger buffer
	19	* [-] With version 1.8.0 /etc/resolv.conf was not updated anymore in some situations.
	20	To avoid this regression the change "Rationalize DNS options" has been reverted again
	21	to restore the behavior of versions up to 1.7.1.
	22	* [-] Correctly use realm together with two factor authentication
	23	* [~] If no port is specified use standard https port similar as vendor client
	24	* [-] Fix value of Accept-Encoding request header
	25	* [-] Bugfix in url_encode for non alphanumerical characters
	26	* [-] HTML URL Encoding with uppercase characters
	27	* [-] Honor Cipher-list option
	28	* [~] Improved detection of pppd/ppp client during configure stage
12	29
13	30	### 1.8.0
14	31

16	33	* [~] On Mac OSX and FreeBSD moved netstat parsing output to higher debug level
17	34	* [~] When logging traffic also show http traffic (not only tunneled traffic)
18	35	* [~] Improve error message in case of login failure
19		* [~] Require root privileges for running. They are needed at various places.
20		Previously, just a warning was issued, but in later stage things have failed.
	36	* [~] Require root privileges for running. They are needed at various places.
	37	Previously, just a warning was issued, but in later stage things have failed.
21	38	* [-] On Mac OSX the protection of the route to the vpn gateway may have failed
22	39	* [~] Invert order of ssl libraries (this may help linking on some platforms)
23	40	* [+] Add FreeBSD support and redesigned the autoconf mechanism

27	44	* [+] Support systemd notification upon tunnel up
28	45	* [+] Support building in a separate directory
29	46	* [~] Change the way to read passwords such that backspace etc. should work as usual
30		* [~] Rationalize DNS options: pppd and openfortivpn were updating /etc/resolv.conf.
31		Check man page and help output for the documentation of the current behavior.
32
33		### Earlier Versions
34
35		Please see Github [commit history](https://github.com/adrienverge/openfortivpn/commits)
	47	* [~] Rationalize DNS options: pppd and openfortivpn were updating /etc/resolv.conf.
	48	Check man page and help output for the documentation of the current behavior.
	49
	50	### 1.7.1
	51
	52	* [~] Be more tolerant about white space in config file
	53	* [~] Make better usage of pkg-config
	54	* [~] Rework linking against OpenSSL
	55	* [-] Build again on Mac OSX where pthread_mutexattr_setrobust is not available
	56
	57	### 1.7.0
	58
	59	* [~] Correctly set up route to vpn gateway (add support for some particular situations)
	60	* [+] Support two factor authentication with config file (for NM-plugin)
	61	* [~] Change the ip address in the pppd call parameters by a rfc3330 test-net address
	62	* [-] Correctly report the exit status codes of pppd
	63	* [+] Add --pppd-call option
	64	* [~] Use X509_check_host instead of explicit CN match
	65	* [+] Add --persistent option
	66	* [~] Improve autoconf (check for pkg-conf before using, improve error messages, etc.)
	67
	68	### 1.6.0
	69
	70	* [-] Fix possible buffer overflow in in long requests
	71	* [~] Code improvements in terms of header inclusion and some other coverity warnings
	72	* [+] Add proxy support
	73	* [~] Use the compiled-in fixed full path to pppd
	74	* [+] Support pppd ifname option
	75	* [+] Print a clear error message at runtime if pppd does not exist
	76	* [+] Print clear text error messages of pppd upon failure
	77	* [~] Existing config file is not overwritten anymore at installation time
	78	* [~] Increase the accepted cookie size and align the error behavior according to RFCs
	79	* [-] More gracefully handle unexcpected content of resolv.conf
	80	* [~] Dynamically allocate memory for split routes and thus support larger numbers of routes
	81
	82	### 1.5.0
	83
	84	* [~] Improve error handling around the call of pppd
	85	* [+] Add half-internet-routes option
	86	* [-] realm was not recognized in the config file
	87	* [~] Switch from no-routes and no-dns to set-routes and set-dns option
	88	* [+] Add pppd-no-peerdns and pppd-log option
	89	* [~] Allow passing the otp via the config file for use with NetworkManager plugin
	90	* [-] Fix issues initializing memory and with build system
	91	* [+] Support building against Openssl 1.1
	92	* [~] use pkg-config for configuration of openssl instead of configure option
	93	* [-] Fix string handling of the command line arguments
	94
	95	### 1.4.0
	96
	97	* [+] Allow to specify openssl location via configure option
	98	* [+] Introduce autotools build script autogen.sh
	99	* [~] Further increase possible number of split routes
	100	* [-] Fix locking issues on Mac OS X
	101	* [~] Rework signal handling: Handle SIGTERM as SIGINT and ignore SIGHUP
	102
	103	### 1.3.1
	104
	105	* [~] When calling pppd allow passing an ipparam for use in pppd ip-up/down scripts
	106	* [-] Command line option -o was not recognized before
	107	* [~] Improve Mac OSX support and parse netstat output to obtain routing information
	108	* [-] Fix segmentation fault when a gateway route is added on Mac OSX
	109	* [-] Fix buffer overflow for name server entries
	110	* [~] Increase possible number of split routes
	111	* [-] Do not remove route to vpn gateway if it has existed before connecting
	112	* [~] Load OS trusted certificate stores
	113	* [~} When setting up routes protect the route to the vpn gateway
	114	* [-] Add gateway flag to routes that may not be reachable directly at the tunnel end
	115	* [-] Correctly detect if pushed routes have a gateway
	116	* [-] Correctly mark the route to the vpn gateway as a host route
	117	* [-] Clean up routing table upon termination
	118
	119	### 1.3.0
	120
	121	* [+] Support vpn connections over an already existing ppp connection
	122	* [-] Fix for diagnostic message colors invisible on light background
	123	* [-] Bugfix for building with clang
	124	* [+] Add token-based one-time password support
	125	* [+] Add Mac OSX support
	126	* [+] Support logging via syslog
	127	* [-] Honor sysconfdir during runtime, i.e. when loading default configuration
	128	* [~] Disable insecure openssl default protocols/ciphers
	129
	130	### 1.2.0
	131
	132	* [+] Support login with client certificate, key, and ca-file specified in config file
	133	* [~] Use more meaningful error codes when loading config fails
	134	* [-] Correctly report errors of hostname lookup
	135	* [+] Add an option not to ask ppp peer for dns servers
	136	* [-] Fix array bounds error for trusted cert string
	137	* [-] Fix compiler warning about type cast around getchar
	138	* [-] Properly initialize memory for tunnel structure to avoid undeterministic behavior
	139	* [-] Properly initialize pointer in auth_log_in to avoid crash on http_request
	140	* [-] Fix buffer overflow in parse_config
	141
	142	### 1.1.4
	143
	144	* [-] Fix new GCC 6 strict-aliasing errors
	145	* [-] For split routes use interface if no gateway address is assigned in received route
	146	* [-] Fix rewrite of resolv.conf with non null-terminated buffer
	147	* [~] Perform two factor authentication also with zero-length tokeninfo
	148
	149	### 1.1.3
	150
	151	* [~] Support set-dns and set-routes flag from config file as well
	152	* [-] Properly URL-encode values sent in http requests
	153	* [+] Add support for realm authentication
	154	* [+] Add support for two factor authentication
	155
	156	### 1.1.2
	157
	158	* [-] Fix incompatible-pointer-types compiler error for x86 architectures
	159	* [~] Increase COOKIE_SIZE (again)
	160
	161	### 1.1.1
	162
	163	* [~] Update of Makefile to treat all warnings as errors
	164	* [~] Increase COOKIE_SIZE to 240 as the SVPNCOOKIE is longer in newer FortiOS versions
	165
	166	### 1.1.0
	167
	168	* [~] Rename --plugin to --pppd-plugin for consistency with other pppd-related options
	169	* [-] NUL terminate the config buffer
	170	* [-] Fix an off-by-one error when reading a quad-dotted attribute from xml
	171	* [+] Add support for client keys and certificates
	172	* [~] Extend the split VPN support with older FortiOS servers
	173	* [+] Add a config parser to handle received non-xml content
	174	* [~] Allow ommitting the gateway for split routes
	175	* [~] Allow ommitting DNS servers
	176	* [-] Fix a memory leak in auth_get_config
	177	* [+] Support split routes
	178	* [+] Export the configuration of routes and gateway to environment
	179	* [~] Several improvements around establishing the tunnel connection and http traffic
	180	* [+] Allow using a custom CA
	181	* [-] Turn on SSL verification, check the hostname at least for the CN
	182	* [+] Add --plugin option
	183	* [-] Fix a format string warning in do_log_packet
	184	* [~] Improved debugging output
	185	* [~] Restore default route
	186
	187	### 1.0.1
	188
	189	* [~] Better error messages in /etc/resolv.conf helpers
	190	* [~] Use better colors for warnings and error messages and only if output is a tty
	191	* [-] Fix parsing of "trusted-cert" in config file
	192	* [~] Add --pedantic to CFLAGS
	193	* [+] Add ability to type password interactively
	194	* [+] Verify gateway's X509 certificate
	195	* [-] Don't delete nameservers at tear down if they were here before
	196	* [~] Set /etc/openfortivpn/config not readable by other users
	197	* [+] Add ability to use a config file
	198
	199	### 1.0.0
	200
	201	* Start tracking openfortivpn - in this version with the following features:
	202	```
	203	Usage: openfortivpn <host>:<port> -u <user> -p <pass>
	204	[--no-routes] [--no-dns] [--pppd-log=<filename>]
	205	[-v\|-q]
	206	openfortivpn --help
	207	openfortivpn --version
	208	```
	209
	210	### Details of the changes
	211
	212	This is a high level changelog meant to provide a rough overview about the version history of openfortivpn. Please see the Github [commit history](https://github.com/adrienverge/openfortivpn/commits) for more details of the individual changes listed here, and for a complete list of the internal code changes.
36	213
37	214	More Information
38	215	----------------
39	216
40		* For a list of knwon issues please check the
	217	* For a list of known issues please check the
41	218	[issues list](https://github.com/adrienverge/openfortivpn/issues) on GitHub.
	219
42	220	* We try to avoid backwards incompatible changes, but sometimes it is not
43	221	avoidable. When we are aware of compatibility issues, then we recommend to
44	222	check the documentation in the above changelog. When changes turn out to break

-3

README.md less more

23	23
24	24	* Don't set IP routes and don't add VPN nameservers to `/etc/resolv.conf`:
25	25	```
26		openfortivpn vpn-gateway:8443 -u foo -p bar --no-routes --no-dns
	26	openfortivpn vpn-gateway:8443 -u foo -p bar --no-routes --no-dns --pppd-no-peerdns
27	27	```
28	28	* Using a config file:
29	29	```

38	38	password = bar
39	39	set-routes = 0
40	40	set-dns = 0
	41	pppd-use-peerdns = 0
41	42	# X509 certificate sha256 sum, trust only this one!
42	43	trusted-cert = e46d4aff08ba6914e64daa85bc6112a422fa7ce16631bff0b592a28556f993db
43	44	```

50	51	### Installing existing packages
51	52
52	53	Some Linux distibutions provide `openfortivpn` packages:
53		* [Fedora](https://admin.fedoraproject.org/pkgdb/package/rpms/openfortivpn/)
	54	* [Fedora](https://apps.fedoraproject.org/packages/openfortivpn)
54	55	* [openSUSE / SLE](https://software.opensuse.org/package/openfortivpn)
55	56	* [Gentoo](https://packages.gentoo.org/packages/net-vpn/openfortivpn)
56	57	* [NixOS](https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/networking/openfortivpn)

83	84
84	85	1. Install build dependencies.
85	86
86		* RHEL/CentOS/Fedora: `gcc` `automake` `autoconf` `openssl-devel` `pkg-config`
	87	* RHEL/CentOS/Fedora: `gcc` `automake` `autoconf` `openssl-devel` `make` `pkg-config`
87	88	* Debian/Ubuntu: `gcc` `automake` `autoconf` `libssl-dev` `make` `pkg-config`
88	89	* Arch Linux: `gcc` `automake` `autoconf` `openssl` `pkg-config`
89	90	* Gentoo Linux: `net-dialup/ppp` `pkg-config`

122	123	If you need to specify the openssl location you can set the
123	124	`$PKG_CONFIG_PATH` environment variable.
124	125
	126	Finally, install runtime dependency `ppp` or `pppd`.
125	127
126	128	----------------
127	129	Running as root?

+49

-9

configure.ac less more

1	1	# Process this file with autoconf to produce a configure script.
2	2
3	3	AC_PREREQ([2.63])
4		AC_INIT([openfortivpn], [1.8.0])
	4	AC_INIT([openfortivpn], [1.8.1])
5	5	AC_CONFIG_SRCDIR([src/main.c])
6	6	AM_INIT_AUTOMAKE([foreign subdir-objects])
7	7

88	88	AC_FUNC_MALLOC
89	89	AC_FUNC_REALLOC
90	90	AC_CHECK_FUNCS([ \
	91	access \
91	92	atoi \
92	93	close \
93	94	connect \

97	98	fclose \
98	99	fcntl \
99	100	fflush \
	101	fileno \
100	102	fopen \
101	103	forkpty \
102	104	fprintf \
	105	fputc \
103	106	fputs \
	107	fread \
104	108	free \
105	109	freeaddrinfo \
106	110	freeifaddrs \
107	111	freopen \
108	112	fwrite \
	113	gai_strerror \
109	114	getaddrinfo \
110	115	getchar \
111	116	getenv \
	117	geteuid \
	118	getifaddrs \
112	119	getopt_long \
113	120	htons \
114	121	index \
115	122	inet_addr \
116	123	inet_ntoa \
	124	ioctl \
117	125	isatty \
118	126	isdigit \
119	127	isspace \
120	128	malloc \
	129	memcmp \
121	130	memcpy \
122	131	memmem \
123	132	memmove \

125	134	ntohs \
126	135	open \
127	136	openlog \
	137	optarg \
	138	optind \
128	139	pclose \
129	140	popen \
130	141	printf \

132	143	pthread_cond_init \
133	144	pthread_cond_signal \
134	145	pthread_cond_wait \
	146	pthread_create \
135	147	pthread_join \
136	148	pthread_mutexattr_init \
137	149	pthread_mutex_destroy \
138	150	pthread_mutex_init \
139	151	pthread_mutex_lock \
140	152	pthread_mutex_unlock \
	153	pthread_self \
141	154	pthread_sigmask \
	155	putchar \
142	156	puts \
143	157	read \
144	158	realloc \
145	159	rewind \
146	160	select \
	161	sem_destroy \
	162	sem_init \
	163	sem_post \
	164	sem_wait \
147	165	setenv \
	166	setsockopt \
148	167	sigaddset \
149	168	sigemptyset \
150	169	signal \
	170	sleep \
151	171	snprintf \
152	172	socket \
153	173	sprintf \
	174	sscanf \
	175	strcasecmp \
154	176	strcasestr \
155	177	strcat \
156	178	strchr \

161	183	strlen \
162	184	strncasecmp \
163	185	strncat \
	186	strncmp \
164	187	strncpy \
165	188	strsignal \
166	189	strstr \

169	192	strtol \
170	193	syslog \
171	194	system \
	195	tcgetattr \
172	196	tcsetattr \
173	197	usleep \
174	198	vprintf \
175	199	vsnprintf \
176	200	vsyslog \
	201	waitpid \
177	202	write \
178	203	], [], AC_MSG_ERROR([Required function not found]))
179	204

260	285	])
261	286	])
262	287
263		AC_CHECK_FILE(/usr/sbin/ppp,[
	288	# check for ppp user space client
	289	AC_PATH_PROG(PPP, [ppp], [/usr/sbin/ppp], "$PATH:/sbin:/usr/sbin")
	290	AC_CHECK_FILE([$PPP], [
264	291	AS_IF([test "x$PPP_PATH" = "x" ], [
265		PPP_PATH="/usr/sbin/ppp"
	292	PPP_PATH="$PPP"
266	293	])
267	294	AS_IF([test "x$with_ppp" = "x" ], [
268	295	with_ppp="yes"
269	296	])
270	297	],[])
271		AC_CHECK_FILE(/usr/sbin/pppd,[
	298
	299	# check for pppd
	300	AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], "$PATH:/sbin:/usr/sbin")
	301	AC_CHECK_FILE([$PPPD], [
272	302	AS_IF([test "x$PPP_PATH" = "x" ], [
273		PPP_PATH="/usr/sbin/pppd"
	303	PPP_PATH="$PPPD"
274	304	])
275	305	AS_IF([test "x$with_pppd" = "x" ], [
276	306	with_pppd="yes"
277	307	])
278	308	],[])
279	309
	310	# replace empty settings with "no"
	311	AS_IF([test "x$with_ppp" = "x" ], [
	312	with_ppp="no"
	313	])
	314	AS_IF([test "x$with_pppd" = "x" ], [
	315	with_pppd="no"
	316	])
280	317
281	318	# when neither ppp nor pppd are enabled, assume the previous behavior (for travis)
282	319	AS_IF([test "x$with_ppp" = "xno" -a "x$with_pppd" = "xno" ], [
283		with_pppd="yes"
284		])
285		AS_IF([test "x$with_ppp" = "x" -a "x$with_pppd" = "x" ], [
286		with_pppd="yes"
	320	AS_IF([test "x$uname" = "xFreeBSD" ], [
	321	PPP_PATH="/usr/sbin/ppp"
	322	with_ppp="yes"
	323	], [
	324	with_pppd="yes"
	325	PPP_PATH="/usr/sbin/pppd"
	326	])
287	327	])
288	328
289	329	# when both are enabled, give pppd the higher priority (we can only use one of them)

-2

doc/openfortivpn.1.in less more

118	118	(default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4)
119	119	.TP
120	120	\fB\-\-pppd-no-peerdns\fR
121		Deprecated; do not ask peer ppp server for DNS server addresses and do not make
122		pppd rewrite /etc/resolv.conf.
	121	Do not ask peer ppp server for DNS server addresses and do not make pppd
	122	rewrite /etc/resolv.conf.
123	123	.TP
124	124	\fB\-\-pppd-log=\fI<file>\fR
125	125	Set pppd in debug mode and save its logs into \fI<file>\fR.

235	235	.br
236	236	half-internet-routes = 0
237	237	.br
	238	pppd-use-peerdns = 1
	239	.br
238	240	# alternatively, use a specific pppd plugin instead
239	241	.br
240	242	# pppd-plugin = /usr/lib/pppd/default/some-plugin.so

-5

src/config.c less more

29	29	.gateway_host = {'\0'},
30	30	.gateway_port = 0,
31	31	.username = {'\0'},
32		.password = {'\0'},
	32	.password = NULL,
33	33	.otp = {'\0'},
34	34	.realm = {'\0'},
35	35	.set_routes = -1,

200	200	strncpy(cfg->username, val, FIELD_SIZE - 1);
201	201	cfg->username[FIELD_SIZE] = '\0';
202	202	} else if (strcmp(key, "password") == 0) {
203		strncpy(cfg->password, val, FIELD_SIZE - 1);
204		cfg->password[FIELD_SIZE] = '\0';
	203	cfg->password = strdup(val);
205	204	} else if (strcmp(key, "otp") == 0) {
206	205	strncpy(cfg->otp, val, FIELD_SIZE - 1);
207	206	cfg->otp[FIELD_SIZE] = '\0';

329	328
330	329	void destroy_vpn_config(struct vpn_config *cfg)
331	330	{
	331	free(cfg->password);
332	332	#if HAVE_USR_SBIN_PPPD
333	333	free(cfg->pppd_log);
334	334	free(cfg->pppd_plugin);

358	358	dst->gateway_port = src->gateway_port;
359	359	if (src->username[0])
360	360	strcpy(dst->username, src->username);
361		if (src->password[0])
362		strcpy(dst->password, src->password);
	361	if (src->password != NULL && src->password[0])
	362	dst->password = strdup(src->password);
363	363	if (src->otp[0])
364	364	strcpy(dst->otp, src->otp);
365	365	if (src->realm[0])

-1

src/config.h less more

63	63	struct in_addr gateway_ip;
64	64	uint16_t gateway_port;
65	65	char username[FIELD_SIZE + 1];
66		char password[FIELD_SIZE + 1];
	66	char *password;
67	67	char otp[FIELD_SIZE + 1];
68	68	char realm[FIELD_SIZE + 1];
69	69

+16

-6

src/http.c less more

46	46	else if (*str == ' ')
47	47	*dest++ = '+';
48	48	else {
49		static const char hex[] = "0123456789abcdef";
	49	static const char hex[] = "0123456789ABCDEF";
50	50
51	51	*dest++ = '%';
52		dest++ = hex[str >> 4];
53		dest++ = hex[str & 15];
	52	dest++ = hex[(unsigned char)str >> 4];
	53	dest++ = hex[(unsigned char)str & 15];
54	54	}
55	55	str++;
56	56	}

80	80	else if (length >= BUFSZ)
81	81	return ERR_HTTP_TOO_LONG;
82	82
83		log_debug_details("http_send : \n%s\n", buffer);
	83	log_debug_details("%s: \n%s\n", __func__, buffer);
84	84
85	85	while (n == 0)
86	86	n = safe_ssl_write(tunnel->ssl_handle, (uint8_t *) buffer,

148	148	(uint8_t *) buffer + bytes_read,
149	149	BUFSZ - 1 - bytes_read);
150	150	if (n > 0) {
151		log_debug_details("http_receive : \n%s\n", buffer);
	151	log_debug_details("%s: \n%s\n", __func__, buffer);
152	152	const char *eoh;
153	153
154	154	bytes_read += n;

243	243	"Host: %s:%d\r\n"
244	244	"User-Agent: Mozilla/5.0 SV1\r\n"
245	245	"Accept: text/plain\r\n"
246		"Accept-Encoding: identify\r\n"
	246	"Accept-Encoding: identity\r\n"
247	247	"Content-Type: application/x-www-form-urlencoded\r\n"
248	248	"Cookie: %s\r\n"
249	249	"Content-Length: %d\r\n"

499	499	return -1;
500	500	url_encode(d, cfg->otp);
501	501	d += strlen(d);
	502	/* realm workaround */
	503	if (cfg->realm[0] != '\0') {
	504	l = strlen(cfg->realm);
	505	if (!SPACE_AVAILABLE(3 * l + 8))
	506	return -1;
	507	strcat(d, "&realm=");
	508	d += strlen(d);
	509	url_encode(d, cfg->realm);
	510	d += strlen(d);
	511	}
502	512	} else if (strncmp(t, "submit", 6) == 0) {
503	513	/* avoid adding another '&' */
504	514	n = v = e = NULL;

+25

-23

src/main.c less more

26	26	#include <string.h>
27	27	#include <limits.h>
28	28
	29	#define PWD_BUFSIZ 4096
	30
	31
29	32	#if HAVE_USR_SBIN_PPPD
30	33	#define PPPD_USAGE \
31	34	" [--pppd-no-peerdns] [--pppd-log=<file>]\n" \

33	36	" [--pppd-call=<name>] [--pppd-plugin=<file>]\n"
34	37
35	38	#define PPPD_HELP \
36		" --pppd-no-peerdns Deprecated; do not ask peer ppp server for DNS server\n" \
37		" addresses and do not make pppd rewrite /etc/resolv.conf\n" \
	39	" --pppd-no-peerdns Do not ask peer ppp server for DNS server addresses\n" \
	40	" and do not make pppd rewrite /etc/resolv.conf\n" \
38	41	" --pppd-log=<file> Set pppd in debug mode and save its logs into\n" \
39	42	" <file>.\n" \
40	43	" --pppd-plugin=<file> Use specified pppd plugin instead of configuring\n" \

55	58	#endif
56	59
57	60	#define usage \
58		"Usage: openfortivpn [<host>:<port>] [-u <user>] [-p <pass>]\n" \
	61	"Usage: openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>]\n" \
59	62	" [--realm=<realm>] [--otp=<otp>] [--set-routes=<0\|1>]\n" \
60	63	" [--half-internet-routes=<0\|1>] [--set-dns=<0\|1>]\n" \
61	64	PPPD_USAGE \

147	150	const char *config_file = SYSCONFDIR"/openfortivpn/config";
148	151	const char *host;
149	152	char *port_str;
150		long int port;
151	153
152	154	struct vpn_config cfg = {
153	155	.gateway_host = {'\0'},
154		.gateway_port = 0,
	156	.gateway_port = 443,
155	157	.username = {'\0'},
156		.password = {'\0'},
	158	.password = NULL,
157	159	.otp = {'\0'},
158	160	.realm = {'\0'},
159	161	.set_routes = 1,

376	378	cli_cfg.username[FIELD_SIZE] = '\0';
377	379	break;
378	380	case 'p':
379		strncpy(cli_cfg.password, optarg, FIELD_SIZE);
380		cli_cfg.password[FIELD_SIZE] = '\0';
	381	cli_cfg.password = strdup(optarg);
381	382	break;
382	383	case 'o':
383	384	strncpy(cli_cfg.otp, optarg, FIELD_SIZE);

391	392	if (optind < argc - 1 \|\| optind > argc)
392	393	goto user_error;
393	394
394		if (cli_cfg.password[0] != '\0')
	395	if (cli_cfg.password != NULL && cli_cfg.password[0] != '\0')
395	396	log_warn("You should not pass the password on the command line. Type it interactively or use a config file instead.\n");
396	397
397	398	log_debug("openfortivpn " VERSION "\n", config_file);

413	414	if (optind == argc - 1) {
414	415	host = argv[optind++];
415	416	port_str = strchr(host, ':');
416		if (port_str == NULL) {
417		log_error("Specify a valid host:port couple.\n");
418		goto user_error;
	417	if (port_str != NULL) {
	418	port_str[0] = '\0';
	419	port_str++;
	420	cfg.gateway_port = strtol(port_str, NULL, 0);
	421	if (cfg.gateway_port <= 0 \|\| cfg.gateway_port > 65535) {
	422	log_error("Specify a valid port.\n");
	423	goto user_error;
	424	}
419	425	}
420		port_str[0] = '\0';
421	426	strncpy(cfg.gateway_host, host, FIELD_SIZE);
422	427	cfg.gateway_host[FIELD_SIZE] = '\0';
423		port_str++;
424		port = strtol(port_str, NULL, 0);
425		if (port <= 0 \|\| port > 65535) {
426		log_error("Specify a valid port.\n");
427		goto user_error;
428		}
429		cfg.gateway_port = port;
430	428	}
431	429
432	430	// Check host and port

440	438	goto user_error;
441	439	}
442	440	// If no password given, interactively ask user
443		if (cfg.password[0] == '\0')
444		read_password("VPN account password: ", cfg.password,
445		FIELD_SIZE);
	441	if (cfg.password == NULL \|\| cfg.password[0] == '\0') {
	442	free(cfg.password);
	443	char *tmp_password = malloc(PWD_BUFSIZ); // allocate large buffer
	444	read_password("VPN account password: ", tmp_password, PWD_BUFSIZ);
	445	cfg.password = strdup(tmp_password); // copy string of correct size
	446	free(tmp_password);
	447	}
446	448	// Check password
447	449	if (cfg.password[0] == '\0') {
448	450	log_error("Specify a password.\n");

-6

src/tunnel.c less more

97	97	}
98	98	}
99	99
100		if (tunnel->config->set_dns && !tunnel->config->pppd_use_peerdns) {
	100	if (tunnel->config->set_dns) {
101	101	log_info("Adding VPN nameservers...\n");
102	102	ipv4_add_nameservers_to_resolv_conf(tunnel);
103	103	}

120	120	ipv4_restore_routes(tunnel);
121	121	}
122	122
123		if (tunnel->config->set_dns && !tunnel->config->pppd_use_peerdns) {
	123	if (tunnel->config->set_dns) {
124	124	log_info("Removing VPN nameservers...\n");
125	125	ipv4_del_nameservers_from_resolv_conf(tunnel);
126	126	}

198	198	for (unsigned i = 0; i < ARRAY_SIZE(v); i++)
199	199	ofv_append_varr(&pppd_args, v[i]);
200	200	}
201		if (tunnel->config->set_dns && tunnel->config->pppd_use_peerdns)
	201	if (tunnel->config->pppd_use_peerdns)
202	202	ofv_append_varr(&pppd_args, "usepeerdns");
203	203	if (tunnel->config->pppd_log) {
204	204	ofv_append_varr(&pppd_args, "debug");

787	787	if (!tunnel->config->insecure_ssl && !tunnel->config->cipher_list) {
788	788	const char *cipher_list = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
789	789
790		if (tunnel->config->cipher_list)
791		cipher_list = tunnel->config->cipher_list;
792		if (!SSL_set_cipher_list(tunnel->ssl_handle, cipher_list)) {
	790	tunnel->config->cipher_list = strdup(cipher_list);
	791	}
	792
	793	if (tunnel->config->cipher_list) {
	794	if (!SSL_set_cipher_list(tunnel->ssl_handle,
	795	tunnel->config->cipher_list)) {
793	796	log_error("SSL_set_cipher_list failed: %s\n",
794	797	ERR_error_string(ERR_peek_last_error(), NULL));
795	798	return 1;