aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2011-02-27Added configure.h and version.m4 variable parsing to win/config.pySamuli Seppänen1-1/+3
Python-based buildsystem uses win/config.py to obtain global build parameters from various sources. Added parsing of the (fake) configure.h and version.m4 to it so that other Python build files can use them. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added command-line switch to win/build_all.py to skip TAP driver buildingSamuli Seppänen1-7/+16
Modified win/build_all.py so that by giving -n or --notap switch the TAP driver is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is not installed. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added comments and made small modifications to win/msvc.mak.inSamuli Seppänen1-16/+16
The win/msvc.mak.in file is used as basis for msvc.mak file which drives openvpn.exe building. This change separates output file from LINK32_FLAGS and adds helpful comments to the win/msvc.mak.in file. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added support for viewing config-win32.h paramters to win/show.pySamuli Seppänen1-3/+3
The win/show.py tools is used to view build parameters interactively. This changes it so that it displays parameters parsed from config-win32.h in addition to those from win/settings.in. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added helper functionality to win/wb.pySamuli Seppänen1-0/+99
This change adds several helper functions to win/wb.py: - config-win32.h parser (to read build configuration options) - helper function to cd to service-win32 for openvpnserv.exe building - code to dynamically generate TAP-driver -related variables from version.m4, required by tap-win32/tapdrv.c - configure.h generator to allow viewing build options using openvpn --version - creation of temporary version.m4-based file to allow importing it's variables to the NSI installer script (win/openvpn.nsi) - helper function to rename files (used in win/make_dist.py) Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.Samuli Seppänen2-17/+13
Previously parts of TAP-driver version information were stored in win/settings.in. This patch moves all of it to version.m4. This patch also cleans up and adds comments to win/settings.in Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added a nmake makefile for openvpnserv.exe buildingSamuli Seppänen1-0/+30
This change adds a nmake makefile (service-win32/msvc.mak) which allows building openvpnserv.exe using the new Python-based buildsystem. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added ENABLE_PASSWORD_SAVE to config-win32.hSamuli Seppänen1-0/+3
This change adds ENABLE_PASSWORD_SAVE to config-win32.h. This option is also defined in win/settings.in, but it does not have any effect there. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-01-06Fix compiler warning when compiling against OpenSSL 1.0.0David Sommerseth1-1/+1
The declaration of SSL_get_current_cipher() has changed to be return a const value. And this makes compilers a little bit grumpy. gcc: ssl.c: In function ‘print_details’: ssl.c:1918: warning: assignment discards qualifiers from pointer target type Visual C: ssl.c (1918): warning C4019: '=' : different 'const' qualifiers Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)
2010-12-20Minor addition of logging info before and afterJames Yonan1-0/+2
execution of Windows net commands. Version 2.1.3d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 7621741b480f93411928c66735d2ee9c7f69de3b)
2010-12-17Make the --x509-username-field feature an opt-in featureDavid Sommerseth4-0/+23
After some discussion [1] regarding an extension of this feature, James Yonan wanted this extension to be an opt-in feature. However, as it does not make sense to opt-in on a extension of a feature which was discussed, this patch makes the base feature an opt-in instead. The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2) and commit 935c62be9c0c8a256112 (feat_misc). [1] http://thread.gmane.org/gmane.network.openvpn.devel/4266 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> (cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
2010-12-04Change variadic macros to C99 style.Matthias Andree1-4/+4
The macros used GCC's pre-C99 syntax, which could not be compiled with Microsoft Visual Studio 2008. Note this breaks compatibility with GCC versions before 3.0, which is deemed safe in a discussion on IRC with David Sommerseth and Samuli Seppänen on #openvpn-devel (RHEL 3 uses GCC 3.2 already). Compiled tested on VS2008 by Samuli, on Cygwin GCC 3.4 and GCC 4.3 by myself. Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 9469168e3abb09bd78297208a917ee4d9c025041)
2010-11-25Prepared v2.2-beta5 for releasev2.2-beta5David Sommerseth2-1/+6
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-25Merge branch 'feat_misc' into beta2.2David Sommerseth1-1/+1
2010-11-25Fixed an issue causing a build failure with MS Visual Studio 2008.Samuli Seppänen1-1/+1
The new SOCKS auth code in socks.c contained a call to sprintf instead of openvpn_sprintf. This caused build to fail if MS Visual Studio 2008 C compiler was used. This change fixes that issue. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-21Prepared for v2.2-beta4 for releasev2.2-beta4David Sommerseth2-2/+2
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Updated ChangeLog with info about last mergesDavid Sommerseth1-0/+39
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Merge branch 'feat_misc' into beta2.2David Sommerseth46-1064/+60
Conflicts: acinclude.m4 config-win32.h configure.ac misc.c thread.c thread.h - These conflicts was mainly due to feat_misc getting old and mostly caused by the pthread clean-up patches in feat_misc Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Merge branch 'bugfix2.1' into beta2.2David Sommerseth2-17/+58
2010-11-18Added command-line option parser and an unsigned build option to build_all.pySamuli Seppänen1-15/+56
Modified win/build_all.py so that it parses command-line options using getopt. Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h / --help" option. By default a signed build is generated, provided that the Python SignTool module is installed. If not, the build is interrupted. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Merged add_bypass_address() and add_host_route_if_nonlocal()David Sommerseth1-22/+12
The add_host_route_if_nonlocal() function is too simple to really benefit from calling add_bypass_address() when this function is the only caller to this function. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Removed functions not being used anywhereDavid Sommerseth2-21/+0
The GNU C compiler gave warnings about these functions in the patch not being used anywhere. Doing a git grep on the code turned out there were no callers to these functions. Taking these functions out, as there is not good reason why to carry dead code. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Only add some functions when really neededDavid Sommerseth2-0/+4
The GNU C compiler gave warnings about some functions not being used. These functions where only used if certian #ifdef sections was enabled. This patch encapsulates these function declarations with matching #ifdef's to make it more clear when these functions are needed. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Fixed potential misinterpretation of boolean logicDavid Sommerseth1-1/+1
The GNU C compiler warned about a potential issue with an if() expression missing an extra set of parentheses. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Fix compiler warnings about not used dummy() functionsDavid Sommerseth4-1/+8
It has been reported that the Microsoft Visual C compiler complains if a .c file do not contain any compilable code, which can happen if the code has been #ifdef'ed out. To avoid this, these #ifdef sections have a #else section which adds a static dummy() function which does nothing. On the other hand, the GNU C compiler complains about unused functions when it discovers this situation. This patch tries to only add these dummy() functions if the Microsoft Visual C compiler is detected, via the _MSC_VER macro. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Peter Stuge <peter@stuge.se>
2010-11-18Use stricter snprintf() formatting in socks_username_password_auth() (v3)David Sommerseth1-3/+10
commit fc1fa9ffc7e3356458ec3 added a new function which needs to have a stricter string formatting. This was detected due to a compiler warning. This patch makes sure that the length of username and password is not longer than 255 bytes. It also adds extra checks to avoid NULL pointer issues with strlen() on these two parameters. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-11-18Merge branch 'svn-BETA21' into bugfix2.1David Sommerseth2-3/+3
2010-11-16Fixes to prevent compile breakage when --disable-crypto is used.James Yonan2-5/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6656 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-16In verify_callback, the subject var should be freed by OPENSSL_free,James Yonan2-3/+3
not free, since it is allocated by OpenSSL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-14Merge branch 'bugfix2.1' into beta2.2David Sommerseth4-9/+8
Conflicts: options.c - Disagreements about a new included file (forward.h) Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-14Fixed compiling issues when using --disable-cryptoJames Yonan2-5/+2
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling with --disable-crypto activated. He suggested a patch, which only partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a new feature which further made it impossible to compile without crypto. This patch fixes both issues, based on Peter Korsgaard's patch. [1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel> Signed-off-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-14Remove hardcoded path to resolvconfJesse Young2-4/+6
Signed-off-by: Jesse Young <jesse.young@gmail.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-14Clean-up: Removing useless code - hash related functionsDavid Sommerseth6-49/+20
Removed even more function which where practically empty and took away some function arguments which were not used. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-11-14Clean-up: Remove more dead and inactive code pathsDavid Sommerseth11-52/+5
These code paths was practically not needed with no locking mechanisms enabled and was just bloating the source code. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-11-14Clean-up: Remove pthread and mutex locking codeDavid Sommerseth32-921/+1
This code was not activated at all, and hard coded as disabled in syshead.h with this code snippet: /* * Pthread support is currently experimental (and quite unfinished). */ #if 1 /* JYFIXME -- if defined, disable pthread */ #undef USE_PTHREAD #endif So no matter if --enable-pthread when running ./configure or not, this feature was never enabled in reality. Further, by removing the blocker code above made OpenVPN uncompilable in the current state. As the threading part needs to be completely rewritten and pthreading will not be supported in OpenVPN 2.x, removing this code seems most reasonable. In addition, a lot of mutex locking code was also removed, as they were practically NOP functions, due to pthreading being forcefully disabled Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-11-14Merge branch 'feat_misc' into beta2.2David Sommerseth1-0/+2
2010-11-14Added check for variable CONFIGURE_DEFINES into options.cSamuli Seppänen1-0/+2
The file containing CONFIGURE_DEFINES variable, configure.h, is not present if openvpn is built using the Python + Visual C -based buildsystem. This causes the build to fail. This patch adds a check to see if variable exists before trying to use it. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-13Merge branch 'feat_misc' into beta2.2David Sommerseth7-39/+266
Conflicts: Makefile.am openvpn.8 options.c socket.c ssl.c - feat_misc is missing a lot of bugfix2.1 changes Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-13Merge branch 'bugfix2.1' into beta2.2David Sommerseth2-4/+9
2010-11-13Merge branch 'svn-BETA21' into beta2.2David Sommerseth9-26/+231
Conflicts: version.m4 - Reset version.m4 to a more neutral version number Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-13Merge branch 'svn-BETA21' into bugfix2.1David Sommerseth9-26/+231
2010-11-12Clarified --explicit-exit-notify man page entryDavid Sommerseth1-2/+3
Reformulated parts of this entry to clarify that the OpenVPN will not attempt notifying the server unless this option is used. This misunderstanding was reported anonymously to the old SF.net tracker. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Trac-ticket: 40
2010-11-12Improved man page entry for script_typeGert Doering1-2/+2
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-12Add HTTP/1.1 Host headerLars Hupel1-0/+4
OpenVPN should send a Host: header to comply with the HTTP/1.1 specification. Full discussion of this patch can be found here: <http://thread.gmane.org/gmane.network.openvpn.devel/4039> Signed-off-by: Lars Hupel <hupel@in.tum.de> Acked-by: Peter Stuge <peter@stuge.se> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Trac-ticket: 63
2010-11-12Make "topology subnet" work on Solaris (ifconfig + route metric changes by ↵Gert Doering2-5/+30
Kazuyoshi Aizawa, adding of local "connected subnet" route by me) Tested on OpenSolaris/i386, no impact for other TARGETs. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kazuyoshi Aizawa <admin2@whiteboard.ne.jp> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-12Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa ↵Gert Doering1-22/+98
<admin2@whiteboard.ne.jp>. See also http://www.whiteboard.ne.jp/~admin2/tuntap/ Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Kazuyoshi Aizawa <admin2@whiteboard.ne.jp> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-12Adding support for SOCKS plain text authenticationPierre Bourdon5-12/+138
This patch adds support for SOCKS plain text (username/password) authentication as described in RFC 1929. It adds an optional third parameter to the socks-proxy option, which is a file containing the login credentials. I've been using this patch for two weeks now and it does not seem to cause any problem. The only modifications are in the SOCKS handshake handling and the options parser. Signed-Off-By: Pierre Bourdon <delroth@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-28Version 2.1.3bJames Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6585 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-24Make base64.h have the same conditional compilation expression asJames Yonan1-1/+1
base64.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6569 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-24Implement challenge/response authentication support in client mode,James Yonan7-24/+229
where credentials are entered from stdin. This capability is compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled by default). Challenge/response support was previously implemented for creds that are queried via the management interface. In this case, the challenge message will be returned as a custom client-reason-text string (see management-notes.txt for more info) on auth failure. Also, see the comments in misc.c above get_auth_challenge() for info on the OpenVPN challenge/response protocol. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-23Fixed initialization bug in route_list_add_default_gatewayJames Yonan1-0/+2
(Gert Doering). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6566 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-21Preparing for v2.2-beta3David Sommerseth2-2/+25
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixed compiler warning in ssl.cDavid Sommerseth1-2/+2
James Yonan noticed a couple of compiler warnings when compiling with --enable-strict configured. This patch was sent directly to him for review and got accepted. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Solved hidden merge conflict between feat_misc and bugfix2.1David Sommerseth1-1/+1
The OCSP patch (commit a3982181e284f8c5c8f, feat_misc) introduced a new function which was calling create_temp_filename(). When merging in bugfix2.1 into allmerged, create_temp_filename() got renamed to create_temp_file() in commit 5d30273a8741d2c141. This patch only changes create_temp_filename() to create_temp_file() in the new function introduced by commit a3982181e284f8c5c8f. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 926d1662e4d9e14b50eddec993b2f4e0209c0646)
2010-10-21Fixed static defined length check to use sizeof()Emilien Mantel1-1/+1
This comes in addition to commit 935c62be9c0c8a256112d after some additional review comments. Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Choose a different field in X509 to be usernameEmilien Mantel4-14/+36
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be username (few people can have the same "CN"). In our case, we only use the UID. With my patch, you can choose another field to be username with a new option called --x509-username-field, the default value is "CN". Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21ssl.c: fix use of openvpn_run_script()'s return valueFabian Knittel1-13/+5
This patch fixes two bugs introduced in commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Thu Apr 29 23:35:45 2010 +0200 David's patch replaced openvpn_execve() with openvpn_run_script() in two places, but didn't adjust the return value handling. openvpn_run_script() returns true or false, while openvpn_execve() returns the program's exit code. Without the fix, the --tls-verify script and the --auth-user-pass-verify script fail to run. (I noticed the latter, but haven't actually tested the former.) The return value handling is fine for the other places where openvpn_run_script() is used, because those places previously used openvpn_execve_check() (notice the "_check" suffix). Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Revamped the script-security warning logging (version 2)David Sommerseth8-11/+27
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING over and over again, in addition to not show this warning when it should not be a problem. This general warning should now only appear once, and only when --script-security is not set, 0 or 1. In all other cases this warning should not appear. In addition, this warning will come close to the script-hook which most probably will fail. It will also give a little bit more concrete hint on which script-hook which failed. If --script-security is 2 or 3, only the execve failure itself will be shown. This message will on the other hand be shown repeatedly. This is a new rewritten version which simplifies the implementaion of the new openvpn_run_script() function. It was considered to remove it completely, but due to code clearity and easy of use it was decided to make this function a static inline function instead. Anyhow, this function will enforce openvpn_execve_check() to be called with the S_SCRIPT flag. Patch ACKed on the developers meeting 2009-04-29. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Don't add compile time information if --enable-small is usedDavid Sommerseth1-0/+2
This is to satisfy those wanting to build openvpn for embedded devices where every bytes matters. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Make use of automake CLEANFILES variable instead of clean-local ruleDavid Sommerseth1-4/+1
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Fix dependency checking for configure.h (v2)David Sommerseth3-8/+11
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c was missing proper dependency checking. This patch corrects this and fixes an issue when creating configure.h via make distcheck. This is an enhanced version of the one sent to the openvpn-devel mailing list April 13, 2010 [1], after having received some feedback from Gert Doering, cleaning up configure_log.awk further. [1] <http://thread.gmane.org/gmane.network.openvpn.devel/3410/focus=3491> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Add comile time information/settings from ./configure to --versionDavid Sommerseth4-0/+85
This patch will create ./configure.h which will contain two new #define strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the complete ./configure line which was used when configuring the package for building. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21pkitool lacks expected option "--help"Wil Cooley1-0/+6
The pkitool script lacks the "--help" parameter to actually display the usage statement; most people are conditioned to try that before running the command without options. This patch adds that and "--version" to display just the program name and version. sf.net tracker: <https://sourceforge.net/tracker/?func=detail&atid=454721&aid=1705407&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
2010-10-21Several updates to openvpn.8 (man page updates)Karl O. Pinc1-9/+13
This is a collection of 4 patches sent to the -devel mailing list: * [PATCH] Frob the openvpn(8) man page tls-verify section to clarify * [PATCH] More improvments to openvpn(8) --tls-verify * [PATCH] Yet another tweak of openvpn(8) --tls-verify * [PATCH] Final frobbing of openvpn(8) --tls-verify Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21enhance tls-verify possibilityMathieu GIANNECCHINI6-0/+87
It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.devel/2492> <http://thread.gmane.org/gmane.network.openvpn.devel/3150> <http://thread.gmane.org/gmane.network.openvpn.devel/3217> This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Reworked the eurephia patch for inclusion to the openvpn-testing treeDavid Sommerseth3-0/+29
Addedd configure option (--disable-eurephia) to disable the code which the eurephia plug-in depends on. It was chosen to use --disable-eurephia, as this patch is not much intrusive. It just enables a SHA1 fingerprint environment variable for each certificate being used for the connection. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix problem with special case route targets ('remote_host')Gert Doering1-0/+2
The init_route() function will leave &netlist untouched for get_special_addr() routes ("remote_host" being one of them). netlist is on stack, contains random garbage, and netlist.len will not be 0 - thus, random stack data is copied from netlist.data[] until the route_list is full. This issue has been reported several places lately: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600166 http://thread.gmane.org/gmane.network.openvpn.devel/4083 https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8168 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixed compiler warnings reported on Ubuntu 10.04David Sommerseth4-10/+11
The warnings reported where: -------------------------------------------------------- misc.c:158: warning: ignoring return value of ‘nice’, declared with attribute warn_unused_result options.c:4033: warning: format not a string literal and no format arguments options.c:4043: warning: format not a string literal and no format arguments options.c:4053: warning: format not a string literal and no format arguments push.c:182: warning: format not a string literal and no format arguments push.c:199: warning: format not a string literal and no format arguments push.c:235: warning: format not a string literal and no format arguments status.c:171: warning: ignoring return value of ‘ftruncate’, declared with attribute warn_unused_result -------------------------------------------------------- Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Peter Stuge <peter@stuge.se>
2010-10-21More t_client.sh updates - exit with SKIP when we want to skipDavid Sommerseth1-3/+3
Several places we exited with 0 instead of 77 when we want to indicate that we should skip this test. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Test framework improvment - Do not FAIL if t_client.rc is missingDavid Sommerseth1-10/+10
This is to avoid 'make check' fail if this extra test case is not configured. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Build t_client.sh by configure at run-time.Gert Doering2-14/+22
This is now built using "configure", knows how to find "ip", "ifconfig" and "netstat" (configure does the work :-) ), *and* has been tested on Solaris (works!). extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh" Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21full "VPN client connect" test framework for OpenVPNGert Doering3-1/+382
Run from "make check" if "t_client.rc" is found in workdir or srcdir (copy t_client.rc-sample, fill in specifics for your test server) How does it work? - you run "sudo make check" (needs root access to configure tun if!) - t_client.sh reads t_client.rc from current dir or ${srcdir} - t_client.rc defines a number of "test suffixes" to run (could be "1" "2" "3" or "p2m", "p2p", "special" or whatever you like), and for each suffix, there's config variables to specify - how to call OpenVPN - which hosts to ping for IPv4 and IPv6 when OpenVPN is up (and actually before starting OpenVPN - to make the test more meaningful, I have decided that the test hosts must not ping before the tests starts) - which addresses must show up in the output of "ifconfig" after OpenVPN has started - all variables except OPENVPN_CONF_<x> are optional (this should all be fairly obvious from looking at t_client.rc-sample) - the script wants to connect to a well-defined OpenVPN server that will assign well-known IPv4 (and IPv6) addresses, have well-defined pingable addresse, etc. - so you need to setup the test server before the script is useful for you. (Whether you use certificates or username/password is up to you, you could even mix and match - run one test with certs, and one with user/pass against different target ports... :-) ) [we *could* run a "reference server" somewhere and ship a sample t_client.rc + cert so that users could use this right away, but I do not currently have the resources to run such a public server] - whatever the script does is logged to a newly created directory below the current directory (openvpn output, ifconfig+route before starting OpenVPN, while running it, after ending it) - important: at least on NetBSD and OpenBSD, the script will print one failure, because the tun0 interface created is not destroyed after openvpn ends. For OpenBSD, I have changed close_tun() to do so ("ifconfig tun0 destroy"), for NetBSD I have not yet changed anything - but I strongly believe that the output of "ifconfig+route" should be reverted to exactly how it looked like before OpenVPN was started, so I consider this a bug in the NetBSD-specific bits of OpenVPN (and will look into this). - the test framework has been tested on Linux, NetBSD and OpenBSD. It *should* work fine on FreeBSD and Solaris. It works on MacOS X (but the output looks funny, because /bin/sh does not implement "echo -e" - need to add configure trickery) It will *not* work on Windows yet - I haven't looked into what's needed to make it work (background processes and signals in mingw bash?), maybe it's as easy as adding the necessary "ipconfig" and "netsh" commands to print interface + routing config... - I have only tested "connect via IPv4 transport, use IPv4+IPv6 payload", but the framework is generic enough that "connect via IPv6 transport" should work just fine (just setup OPENVPN_CONF_x accordingly in the t_client.rc). - this is neither finished nor pretty, but it helps me a *lot* in quickly testing whether I broke anything when fiddling system-dependent code (tun.c, route.c) across multiple build hosts - so I hope this is going to be fairly useful to Samuli and the buildbot :-) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixes openssl-1.0.0 compilation warningchantra1-3/+3
When compiling against OpenSSL v1.0.0, the following compiler warnings appears. ssl.c: In function ‘verify_callback’: ssl.c:944: warning: passing argument 1 of ‘sk_num’ from incompatible pointer type /usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509_REVOKED *’ ssl.c:947: warning: passing argument 1 of ‘sk_value’ from incompatible pointer type /usr/include/openssl/stack.h:80: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509_REVOKED *’ ssl.c: In function ‘init_ssl’: ssl.c:1565: warning: passing argument 1 of ‘sk_num’ from incompatible pointer type /usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’ but argument is of type ‘struct stack_st_X509 *’ ssl.c: In function ‘print_details’: ssl.c:1766: warning: assignment discards qualifiers from pointer target type Trac ticket #5 https://community.openvpn.net/openvpn/ticket/5 Signed-off-by: chantra <chantra@debuntu.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix <net/if.h> compile time problems on OpenBSD for goodGert Doering1-4/+4
Previous fix (commit eb973e055bc249948) fixed NetBSD but not OpenBSD (include <sys/socket.h> *after* <sys/types.h>) Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix compile problems on NetBSD and OpenBSDGert Doering1-0/+3
Configure will not find <net/if.h> due to missing <sys/types.h> in the test program, and thus, tun.c will fail to compile with missing symbol IFF_MULTICAST. Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix multiple configured scripts conflicts issue (version 2)David Sommerseth1-0/+18
This is a fix for trac ticket #20, <https://community.openvpn.net/openvpn/ticket/20> which was started in the sf.net bug tracker: <http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719> The implemented solution is to give a warning for each of the different script hooks available. The last configured script will override any earlier configured scripts, to ensure that the command line can override the configuration file. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Exclude ping and control packets from activityDavide Brini3-7/+20
Problem: using --ping and --inactive together partially defeats the point of using --inactive as periodic ping packets are counted as activity. Here is the original discussion: http://article.gmane.org/gmane.network.openvpn.devel/3676 It turns out that "activity" is detected and recorded in two places in the code, both in forward.c: in process_outgoing_tun() for received packets, after they've been decrypted and sent to the TUN device; and in process_outgoing_link(), after they've been encrypted and written to the network socket. In the first case we can be sure that packets that get so far are really due to user activity, whereas in the second case there can be non-user packets (like OpenVPN's internal ping packets, and TLS control packets), and those should not be counted as activity as they are not coming from the user. So a need arises to detect those control packets and not count them as activity for the purposes of --inactive. Unfortunately, at that stage packets are already compressed and encrypted, so it's not possible to look into them to see what they are. However, there seems to be a convention in the code that packets whose buffer length in the context_2 structure is 0 should be ignored for certain purposes. TLS control packets follow that convention already, so this patch makes a small change in the code that generates the ping packets to set their buffer length to 0 as well. Finally, the call to register_activity() in process_outgoing_link() is made conditional to the buffer length being > 0. According to my tests, now --inactive behaves correctly according to the configured parameters (time or time+bytes) even when --ping is being used. forward.c: Call register_activity() in process_outgoing_link() only if the packet is not a ping or TLS control packet. openvpn.8: Updated the description of --inactive to describe the new semantics. ping.c: Set c->c2.buf.len = 0 after the ping packet has been generated and encrypted. Test routine is described here: <https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6> Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix errors in openvpn-plugin.h documentationchantra1-1/+2
Just minor updates to comments in openvpn-plugin.h Signed-off-by: chantra <chantra@debuntu.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixed client hang when server don't PUSH (aka the NO_SOUP_FOR_YOU patch)David Sommerseth1-0/+17
Solves bug ticket 13 <https://community.openvpn.net/openvpn/ticket/13> When the client sends PUSH_REQUESTS, it waits until the server sends PUSH_REPLY. If the server do not have anything to push to the client nothing happens. The client will then regularly send new PUSH_REQUESTS until it gets an answer, which results in not completing the connection negotiation. This patch makes the server send an empty PUSH_REPLY when it has nothing to more to push to the client. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Handle non standard subnets in PF grammarchantra1-0/+5
Allow subnets for like 192.168.100.8/28 to be understood. A warning will be logged when subnet is incorrect and is being corrected to what is assumed to be correct. Signed-off-by: chantra <chantra@debuntu.org> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21OCSP_check.sh: new check logicDavid Sommerseth1-10/+32
contrib/OCSP_check/OCSP_check.sh: I discovered that, quite surprisingly, the exit status of "openssl ocsp" is 0 even if the certificate status is "revoked". This means that the logic of the script needs to be rewritten so that it parses the output returned by the query and explicitly looks for a "0x<serial number>: good" line, and exit if either the command has a non-zero exit status, or the above line is not found. Doing that portably without bashisms requires some juggling around, so perhaps the code is slightly less clean now, but it does have many comments. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Avoid repetition of "this config may cache passwords in memory" (v2)David Sommerseth1-1/+3
For OpenVPN clients with long living connections, this message is repeated everytime the connection is renegotiated. This patch removes this behaviour and will only show this warning once. Patch ACKed on the developers meeting 2009-04-29. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Fix certificate serial number exportDavide Brini3-4/+119
contrib/OCSP_check/OCSP_check.sh: New barebone script to demonstrate how to use $tls_serial_{n} to perform simple OCSP queries using OpenSSL command line "openssl ocsp". Minimal sanity checks to fail if user tries to use it without customizing. openvpn.8: Added some notes about $tls_serial_{n} format and usage to the existing description. ssl.c: correctly manage and export serial numbers of any size (as parsed by OpenSSL) into the environment. Set to empty string in case of errors, as 0 and negative numbers are all possible (although illegal) certificate serial numbers. Use an OpenSSL BIO object to do the job. Conforms to coding style guidelines. See the discussion at http://article.gmane.org/gmane.network.openvpn.devel/3588 for more details. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix missing /bin/bash -> /bin/shDavide Brini1-1/+1
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the client.{up,down} scripts where overhauled and bashism was removed. During that process, a #! change was missing. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Enhance contrib/pull-resolv-conf/client.{up,down} scriptsDavide Brini2-69/+64
Patch arrived from Davide Brini: - No more bashisms (AFAICT). Should work with any POSIX-compatible shell (which means "almost all reasonably recent shells"), though I've only tested with bash and dash. - Unnecessary calls to external tools (sed) removed - Manages multiple DNS and DOMAIN options. Each DNS option becomes a "nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise, all the domains are listed in a "search" line in resolv.conf (eg "search foo.com example.net"). - Client.up renames the existing resolv.conf and creates a brand new one; client.down restores it from the saved copy when the VPN terminates (the usual rules about running as root apply). This is how Gentoo does that; the old scripts instead added/removed some lines at the beginning of the file, which looks a less clean approach to me. The rename approach also dramatically simplifies and shortens client.down, as you'll see. - Uses resolvconf if it's available (detected by the presence of /sbin/resolvconf) rather than writing to resolv.conf directly. Not sure whether this is a Linux-only thing or other systems use it though. Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without the resolvconf package , and in addition Debian Lenny with OpenVPN 2.1_rc11 according to the patch. Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21The man page does not mention that the default value of "mssfix" is 1450.Davide Brini1-1/+2
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fixed potential NULL pointer issueDavid Sommerseth1-1/+1
If create_temp_file() returns NULL, this strlen() check would cause a SEGV. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Removed no longer needed delete_file() callDavid Sommerseth1-1/+0
Fabian Knittel noticed that this delete_file() calls should have been removed in commit 5d30273a8741d2c1410bfdbc08b341398bf39b40 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Updated the man page to reflect the behavioural change of create_temp_file()David Sommerseth1-1/+1
As this function now creates the temp file, it is no longer 'not-yet-created', but 'freshly created'. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Renamed all calls to create_temp_filename()David Sommerseth4-37/+53
All places where create_temp_filename() was called are now calling create_temp_file(). Extra checks on the result of create_temp_file() is added in addition. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Harden create_temp_filename() (version 2)David Sommerseth2-16/+48
By hardening the create_temp_filename() function to check if the generated filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit files set before calling the script, it should become even more difficult to exploit such a scenario. After a discussion on the mailing list, Fabian Knittel provided an enhanced version of the inital patch which is added to this patch. This patch also renames create_temp_filename() to create_temp_file(), as this patch also creates the temporary file. The function returns the filename of the created file, or NULL on error. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21Make use of counter_type instead of int when counting bytes and network packetsDavid Sommerseth2-3/+4
This is in response to a reported Debian bug, where the connection counter overflows. <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576827> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21The man page needs dash escaping in UTF-8 environmentsJan Brinkmann1-1/+1
There was a debian bugreport which was filed in 2005 . It was patched but it seems that nobody forwarded the patch to the openvpn project itself. The problem is quite simple: The dashes for options (the double dashes) are not escaped. This causes trouble in relationship with utf-8 . Since the bugreport was closed it was patched within the debian/ubuntu packages itself. I've attached the patch to get it atleast reviewed by the openvpn project itself. See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details. sf.net tracker: <https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
2010-10-21When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to ↵Daniel Johnson1-7/+35
the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course): plugin /opt/openvpn/openvpn-auth-pam.so "openvpn login OURDOMAIN+USERNAME password PASSWORD" Finally I turned on more verbose logging and found that the plugin did not recognize "USERNAME" as something to replace, because it expected the string to be surrounded by whitespace. I wrote the following patch to correct this. I hope you find it useful, Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Debian patch: Fix spelling in log messageAlberto Gonzalez Iniesta1-1/+1
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21Fix autotools cross-compiling supportDavid Sommerseth2-22/+21
This is a modified version of a patch sent to the sf.net patch tracker: <http://sourceforge.net/tracker/?func=detail&aid=2491190&group_id=48978&atid=454721> After having disucssed this patch on IRC (#openvpn-discussions) March 4, 2010, it was decided to accept this patch when not modifying TARGET_* defines through out the code. Further, in a mail comment Alon Bar-Lev had some other comments of what would be needed to be done. Mail reference: <http://thread.gmane.org/gmane.network.openvpn.devel/3176> This patch has been tested by bootstrapping the code on a RHEL4.6 box. with the following autotools packages installed: autoconf-2.59-5 automake-1.9.2-3 libtool-1.5.6-4.EL4.2 It builds cleanly and 'make check' passes. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
2010-10-21On TARGET_LINUX define _GNU_SOURCE if not definedDavid Sommerseth1-0/+4
This is to include peercred support on hosts where _GNU_SOURCE is not defined by default. This issue has been found on Gentoo with glibc-2.8. The solution was discussed on the IRC meeting March 4, 2010 in #openvpn-discussions. <http://thread.gmane.org/gmane.network.openvpn.devel/3242> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21The man page needs dash escaping in UTF-8 environmentsJan Brinkmann1-807/+807
There was a debian bugreport which was filed in 2005 . It was patched but it seems that nobody forwarded the patch to the openvpn project itself. The problem is quite simple: The dashes for options (the double dashes) are not escaped. This causes trouble in relationship with utf-8 . Since the bugreport was closed it was patched within the debian/ubuntu packages itself. I've attached the patch to get it atleast reviewed by the openvpn project itself. See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details. sf.net tracker: <https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
2010-10-21bash->bourne script cleanupDan Nelson17-17/+17
Many of the scripts in the openvpn source have their shell set to /bin/bash, but only two use bash features. The attached patch (against openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for better portability. The only scripts that actually require bash are contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable indirection feature. sf.net tracker: <https://sourceforge.net/tracker/?func=detail&aid=2040296&group_id=48978&atid=454721> Discussed on the IRC meeting March 4, 2010 in #openvpn-discussions. <http://thread.gmane.org/gmane.network.openvpn.devel/3242> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Allow 'lport 0' setup for random port bindingEnrico Scholz1-1/+1
I am running a multihomed host where 'local <extip>' must be specified for proper operation. Unfortunately, this implies 'lport 1194' or another static port. This causes problems with stateful firewalls which register the host/port pairs in the internal connection tracking table. On ungraceful reconnects, the new TCP connection will have same the host/port pairs but unexpected sequence numbers. The new connection will be assumed as invalid hence and be dropped. It would be nice when local port can be configured to be bound to a random port number. After reading code, | else if (streq (p[0], "lport") && p[1]) | ... | port = atoi (p[1]); |- if (!legal_ipv4_port (port)) |+ if (port != 0 && !legal_ipv4_port (port)) | { in options.c seems to be the only required change. This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.user/28622> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21remove duplicate code in FREEBSD+DRAGONFLY system-dependent ifconfigGert Doering1-14/+3
(ACKed by Eric F Crist and David Sommerseth) (cherry picked from commit dd66b12647852e3f1267be70b0fb3b11deedf377) Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Gert Doering <gert@greenie.muc.de>
2010-10-21verb 5 logging wrongly reports received bytesDavid Sommerseth1-2/+2
With --verb 5, openvpn logs a single letter (rwRW) for each package received or sent. I recently ran into a problem with the tun device on Linux where the read from that device returned 0. Unfortunately this was also logged as "r", which made me assume that openvpn had received something, while it actually hadn't. (See https://dev.openwrt.org/ticket/6650 for the bug that made me find out about this problem with openvpn.) I'm attaching a patch which prevents openvpn from logging "r" or "R" when it didn't actually read anything. This is against openvpn 2.1-rc20, but probably still applies to the most recent version. This patch was received anonymously via the sf.net bug tracker: <http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-10-21[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config fileKarl O. Pinc1-15/+27
This patch should be easy to process. A resubmission of the patch sent to this list on 04/23/2009. The patch changes the verify-cn script sample to be used with --tls-verify so that instead of having to hardcode a cn to verify in the OpenVPN configuration file the allowed cns may be written into a separate file. This makes the process of verifying cns a whole lot more dynamic, to the point where it is useful in the real world. One problem with this patch is that it is backwards incompatible. I did not bother keeping the original calling interface as A) it's a sample script, and B) the original's functionality seems useless and equalivant functionality is easily available with the new script. The problem with the original is that there seems little point in verifying a client's cn when all the clients share one cn, as would have to be the case when the cn is hardcoded into the openvpn config file. This patch applies against the testing allmiscs branch, and should apply against any of the other testing branches as well. It works for me. I've tested it throughly but not used it extensively in production. Regards, Karl <kop@meme.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
2010-10-21Added mapping files from SVN commit ID to more descriptive commit IDs.David Sommerseth2-0/+2
Unfortunately, this will not rewrite the commit history. So all commits done by james@e7ae566f-a301-0410-adde-c780ea21d3b5 is James Yonans commits. It was considered to risky to use git tools to rewrite the commit history, as it could influence those already using this git tree.
2010-09-01Added --proto-force directive.James Yonan5-2/+35
Version 2.1.3a git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6424 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-31Don't configure Linux tun/tap txqueuelen setting if OpenVPNJames Yonan1-1/+1
txqueuelen directive is set to 0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6420 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-29Allow PKCS12 file content to be included inline in configuration file,James Yonan3-10/+39
rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-20Attempt to fix issue where domake-win build system was not properlyv2.1.3James Yonan11-203/+191
signing drivers and .exe files. Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond. Version 2.1.3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-15Windows security issue:v2.1.2James Yonan4-3/+116
Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity Version 2.1.2 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-10Added warning about tls-remote in man page.James Yonan1-0/+7
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6384 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-09Distribute win directory (Python/MSVC-based build system)James Yonan1-1/+2
in "make dist" tarball. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6382 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-27Added "net stop dnscache" and "net start dnscache" in frontJames Yonan6-8/+34
of existing --register-dns commands. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-27Fixed an issue where application payload transmissions on theJames Yonan6-12/+54
TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. Version 2.1.1n git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-26Fixed typo: missing comment close.James Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6347 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-16Added win/build_exe.py script, which is similar toJames Yonan2-21/+38
win/build_all.py except that it doesn't build the TAP drivers or tapinstall. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6306 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-16Added --register-dns option for Windows.James Yonan9-11/+79
Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection. Version 2.1.1m. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6304 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-12Implemented multi-address DNS expansion on the network field of routeJames Yonan4-16/+85
commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection. Version 2.1.1l git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6291 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Version 2.1.1kJames Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6285 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Fixed bug in proxy fallback capability where openvpn.exe couldJames Yonan2-18/+22
core dump if http-proxy-fallback-disable command was issued in response to ">PROXY:NEED_NOW management" interface notification. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6284 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Added support for MSVC debugging of openvpn.exe in settings.in:James Yonan3-7/+16
# Build debugging version of openvpn.exe !define PRODUCT_OPENVPN_DEBUG git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6283 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-06-26Fixed static defined length check to use sizeof()Emilien Mantel1-1/+1
This comes in addition to commit 935c62be9c0c8a256112d after some additional review comments. Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: Peter Stuge <peter@stuge.se> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-06-17Choose a different field in X509 to be usernameEmilien Mantel4-14/+36
For my company, we use a PKI (linked to a LDAP) with OpenVPN. We can't use "CN" to be username (few people can have the same "CN"). In our case, we only use the UID. With my patch, you can choose another field to be username with a new option called --x509-username-field, the default value is "CN". Signed-off-by: Emilien Mantel <emilien.mantel@businessdecision.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-06-10Fixed issue where bad creds provided by the management interfaceJames Yonan2-3/+6
for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5701 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-06-01Implemented a key/value auth channel from client to server.James Yonan14-9/+248
Version 2.1.1i git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-24Implemented http-proxy-override and http-proxy-fallback directives to make itJames Yonan14-72/+565
easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-11Minor fixes to recent HTTP proxy changes:James Yonan3-5/+5
* use strcasecmp instead of stricmp * define HASH and HASHHEX as unsigned char to avoid compiler warnings git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5629 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-11Proxy improvements:James Yonan10-101/+676
Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy. Added http-auth "auto-nct" flag to reject weak proxy auth methods. Added HTTP proxy digest authentication method. Removed extraneous openvpn_sleep calls from proxy.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-09Fixed issue on Windows with MSVC compiler, where TCP_NODELAY supportJames Yonan1-1/+1
was not being compiled in. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5620 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-04ssl.c: fix use of openvpn_run_script()'s return valueFabian Knittel1-13/+5
This patch fixes two bugs introduced in commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Thu Apr 29 23:35:45 2010 +0200 David's patch replaced openvpn_execve() with openvpn_run_script() in two places, but didn't adjust the return value handling. openvpn_run_script() returns true or false, while openvpn_execve() returns the program's exit code. Without the fix, the --tls-verify script and the --auth-user-pass-verify script fail to run. (I noticed the latter, but haven't actually tested the former.) The return value handling is fine for the other places where openvpn_run_script() is used, because those places previously used openvpn_execve_check() (notice the "_check" suffix). Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-04-29Revamped the script-security warning logging (version 2)David Sommerseth8-11/+27
The main task of this patch is to avoid reporting the SCRIPT_SECURITY_WARNING over and over again, in addition to not show this warning when it should not be a problem. This general warning should now only appear once, and only when --script-security is not set, 0 or 1. In all other cases this warning should not appear. In addition, this warning will come close to the script-hook which most probably will fail. It will also give a little bit more concrete hint on which script-hook which failed. If --script-security is 2 or 3, only the execve failure itself will be shown. This message will on the other hand be shown repeatedly. This is a new rewritten version which simplifies the implementaion of the new openvpn_run_script() function. It was considered to remove it completely, but due to code clearity and easy of use it was decided to make this function a static inline function instead. Anyhow, this function will enforce openvpn_execve_check() to be called with the S_SCRIPT flag. Patch ACKed on the developers meeting 2009-04-29. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-04-28Updated copyright date to 2010.James Yonan157-160/+160
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-22Don't add compile time information if --enable-small is usedDavid Sommerseth1-0/+2
This is to satisfy those wanting to build openvpn for embedded devices where every bytes matters. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-04-22Make use of automake CLEANFILES variable instead of clean-local ruleDavid Sommerseth1-4/+1
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-04-22Fix dependency checking for configure.h (v2)David Sommerseth3-8/+11
Alon Bar-Lev indicated commit f27bf509315a48b0070294c3993a718df0c2626c was missing proper dependency checking. This patch corrects this and fixes an issue when creating configure.h via make distcheck. This is an enhanced version of the one sent to the openvpn-devel mailing list April 13, 2010 [1], after having received some feedback from Gert Doering, cleaning up configure_log.awk further. [1] <http://thread.gmane.org/gmane.network.openvpn.devel/3410/focus=3491> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-04-22Added Python-based build system for Windows inJames Yonan24-26/+609
win directory. Fixed minor issue in TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly. Version 2.1.1g git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5577 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-17Minor change to doclean script:James Yonan1-1/+0
Don't delete config-win32.h, because this is now a true source file and no longer a generated file. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5558 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-16Management interface performance optimizations:James Yonan6-12/+161
* Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth * man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o Version 2.1.1f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5557 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-08Add comile time information/settings from ./configure to --versionDavid Sommerseth4-0/+85
This patch will create ./configure.h which will contain two new #define strings. CONFIGURE_DEFINES will contain all USE, ENABLED, DISABLED and DEPRECATED defines from ./config.h. CONFIGURE_CALL will contain the complete ./configure line which was used when configuring the package for building. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-03-31Updated MSVC build scripts to Visual Studio 2008:James Yonan17-530/+491
python msvc\config.py nmake /f msvc\msvc.mak Version 2.1.1e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5516 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-30Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately afterJames Yonan2-4/+5
socket is created rather than waiting until after connect/listen. Version 2.1.1d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5514 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-17Version 2.1.1cJames Yonan2-2/+2
Enable exponential backoff in reliability layer retransmits. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5490 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Modified ">PASSWORD:Verification Failed" management interfaceJames Yonan4-6/+9
notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5468 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Added stub directive "remote-ip-hint".James Yonan1-0/+5
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5467 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Trivial fix to proxy.c -- #define proxy auth type as UP_TYPE_PROXY.James Yonan1-1/+3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5466 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-06Fixed an issue where if reneg-sec was set to 0 on the client,James Yonan1-2/+5
so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5464 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-02pkitool lacks expected option "--help"Wil Cooley1-0/+6
The pkitool script lacks the "--help" parameter to actually display the usage statement; most people are conditioned to try that before running the command without options. This patch adds that and "--version" to display just the program name and version. sf.net tracker: <https://sourceforge.net/tracker/?func=detail&atid=454721&aid=1705407&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
2010-03-02Several updates to openvpn.8 (man page updates)Karl O. Pinc1-9/+13
This is a collection of 4 patches sent to the -devel mailing list: * [PATCH] Frob the openvpn(8) man page tls-verify section to clarify * [PATCH] More improvments to openvpn(8) --tls-verify * [PATCH] Yet another tweak of openvpn(8) --tls-verify * [PATCH] Final frobbing of openvpn(8) --tls-verify Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
2010-03-02enhance tls-verify possibilityMathieu GIANNECCHINI6-0/+87
It should be nice to enhance tls-verify check possibilities against peer cert during a pending TLS connection like : - OCSP verification - check any X509 extensions of the peer certificate - delta CRL verification - ... This patch add a new "tls-export-cert" option which allow to get peer certificate in PEM format and to store it in an openvpn temporary file. Peer certificate is stored before tls-script execution and deleted after. The name of the related temporary file is available under tls-verify script by an environment variable "peer_cert". The patch was made from OpenVPN svn Beta21 branches. Here is a very simple exemple of Tls-verify script which provide OCSP support to OpenVPN (with tls-export-cert option) without any OpenVPN "core" modification : X509=$2 openssl ocsp \ -issuer /etc/openvpn/ssl.crt/RootCA.pem \ -CAfile /etc/openvpn/ssl.capath/OpenVPNServeur-cafile.pem \ -cert $peer_cert \ -url http://your-ocsp-url if [ $? -ne 0 ] then echo "error : OCSP check failed for ${X509}" | logger -t "tls-verify" exit 1 fi This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.devel/2492> <http://thread.gmane.org/gmane.network.openvpn.devel/3150> <http://thread.gmane.org/gmane.network.openvpn.devel/3217> This patch has been modified by David Sommerseth, by fixing a few issues which came up to during the code review process. The man page has been updated and tmp_file in ssl.c is checked for not being NULL before calling delete_file(). Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-03-01Allow 'lport 0' setup for random port bindingEnrico Scholz1-1/+1
I am running a multihomed host where 'local <extip>' must be specified for proper operation. Unfortunately, this implies 'lport 1194' or another static port. This causes problems with stateful firewalls which register the host/port pairs in the internal connection tracking table. On ungraceful reconnects, the new TCP connection will have same the host/port pairs but unexpected sequence numbers. The new connection will be assumed as invalid hence and be dropped. It would be nice when local port can be configured to be bound to a random port number. After reading code, | else if (streq (p[0], "lport") && p[1]) | ... | port = atoi (p[1]); |- if (!legal_ipv4_port (port)) |+ if (port != 0 && !legal_ipv4_port (port)) | { in options.c seems to be the only required change. This has been discussed here: <http://thread.gmane.org/gmane.network.openvpn.user/28622> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-02-28remove duplicate code in FREEBSD+DRAGONFLY system-dependent ifconfigGert Doering1-14/+3
(ACKed by Eric F Crist and David Sommerseth) (cherry picked from commit dd66b12647852e3f1267be70b0fb3b11deedf377) Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Gert Doering <gert@greenie.muc.de>
2010-02-26Merge branch 'master' into bugfix2.1David Sommerseth1-6/+15
2010-02-26Added mapping files from SVN commit ID to more descriptive commit IDs.David Sommerseth2-0/+2
Unfortunately, this will not rewrite the commit history. So all commits done by james@e7ae566f-a301-0410-adde-c780ea21d3b5 is James Yonans commits. It was considered to risky to use git tools to rewrite the commit history, as it could influence those already using this git tree.
2010-02-26Fixed an issue in the Management Interface that could causeJames Yonan1-6/+15
a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5458 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-02-26Fixed an issue in the Management Interface that could causejames1-6/+15
a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5458 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-02-19verb 5 logging wrongly reports received bytesDavid Sommerseth1-2/+2
With --verb 5, openvpn logs a single letter (rwRW) for each package received or sent. I recently ran into a problem with the tun device on Linux where the read from that device returned 0. Unfortunately this was also logged as "r", which made me assume that openvpn had received something, while it actually hadn't. (See https://dev.openwrt.org/ticket/6650 for the bug that made me find out about this problem with openvpn.) I'm attaching a patch which prevents openvpn from logging "r" or "R" when it didn't actually read anything. This is against openvpn 2.1-rc20, but probably still applies to the most recent version. This patch was received anonymously via the sf.net bug tracker: <http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-02-18[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config fileKarl O. Pinc1-15/+27
This patch should be easy to process. A resubmission of the patch sent to this list on 04/23/2009. The patch changes the verify-cn script sample to be used with --tls-verify so that instead of having to hardcode a cn to verify in the OpenVPN configuration file the allowed cns may be written into a separate file. This makes the process of verifying cns a whole lot more dynamic, to the point where it is useful in the real world. One problem with this patch is that it is backwards incompatible. I did not bother keeping the original calling interface as A) it's a sample script, and B) the original's functionality seems useless and equalivant functionality is easily available with the new script. The problem with the original is that there seems little point in verifying a client's cn when all the clients share one cn, as would have to be the case when the cn is hardcoded into the openvpn config file. This patch applies against the testing allmiscs branch, and should apply against any of the other testing branches as well. It works for me. I've tested it throughly but not used it extensively in production. Regards, Karl <kop@meme.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
2010-02-18Do not randomize resolving of IP addresses in getaddr()David Sommerseth1-3/+2
Based on a discussion on the mailing list and in the IRC meeting Feb 18, it was decided to remove get_random() from the getaddr() function as that can conflict with round-robin/randomization done by DNS servers. This change must be documented in the release notes. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-02-16Added mapping files from SVN commit ID to more descriptive commit IDs.David Sommerseth2-0/+2
Unfortunately, this will not rewrite the commit history. So all commits done by james@e7ae566f-a301-0410-adde-c780ea21d3b5 is James Yonans commits. It was considered to risky to use git tools to rewrite the commit history, as it could influence those already using this git tree.
2010-01-16Version 2.1.1bjames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5371 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-16Don't advance the connection list on AUTH_FAILED errors.james1-0/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5370 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-16Fixed an issue where AUTH_FAILED was not being properly deliveredjames2-13/+35
to the client when a bad password is given for mid-session reauth. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-12When aborting in a non-graceful way, try to execute do_close_tun injames3-1/+20
init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5367 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Fixed some breakage in openvpn.spec (which is required to build anv2.1.1james3-2/+12
RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth). Version 2.1.1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5269 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Version 2.1.0v2.1.0james4-2/+19
* Updated ChangeLog. * Note in man page that clients connecting to a --multihome server should always use the --nobind option. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5266 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Clarified that TAP-Win32 driver is licensed under GPL 2.james19-94/+19
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5265 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Documented --multihome in the man page.james1-0/+9
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5264 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-10Fixed a couple issues in sample plugins auth-pam.c and down-root.c:james2-2/+6
1. Fail gracefully rather than segfault if calloc returns NULL. 2. The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle. (Thanks to David Sommerseth for finding this bug). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5261 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-20Version 2.1_rc22v2.1_rc22james2-1/+13
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5169 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-19Fixed a client-side bug that occurred when the "dhcp-pre-release"james7-33/+141
or "dhcp-renew" options were combined with "route-gateway dhcp". The problem is that the IP Helper functions for DHCP release and renew are blocking, and so calling them from a single-threaded client stops tunnel traffic forwarding, and hence breaks "route-gateway dhcp" which requires an active tunnel. The fix is to call the IP Helper functions for DHCP release and renew from another process. Version 2.1_rc21b. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5164 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-13Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,james3-3/+6
make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-12Version 2.1_rc21v2.1_rc21james3-2/+18
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5152 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25Version 2.1_rc20ajames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5106 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25On server, lock client-provided certs against mid-session TLSjames3-5/+156
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25Change to doval valgrind script. The openvpn command parameter is nowjames2-1/+14
implied, so new usage is: ./doval [openvpn parms] instead of: ./doval ./openvpn [openvpn parms] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5104 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-24On server, lock session username against changes in mid-session TLSjames2-3/+31
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-16Added "setenv GENERIC_CONFIG" directive, for generic configsjames1-0/+5
that cannot directly be used as a config file. The directive will simply cause OpenVPN to exit with an error if a generic config file is used. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5077 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-07Fixed issue where some .svn directories were being inadvertentlyv2.1_rc20james1-1/+1
included in the .tar.gz file built by make dist. Re-released as Version 2.1_rc20 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5058 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01Version 2.1_rc20james2-1/+51
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5023 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01client-kill management interface command, when issued on server, willjames6-7/+41
now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5021 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01Minor fix: management interface shouldn't echo 'load-stats' commands tojames1-1/+1
log file. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5020 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-29Added the ability for the server to provide a custom reason stringjames8-14/+84
when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. For more info, see management/management-notes.txt, and look for references to "client-reason-text". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-28Fixed a bug introduced in r4436 (2.1_rc17) where using thejames1-2/+2
redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5011 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-28Added --server-poll-timeout option : when polling possible remotejames8-0/+70
servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5010 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-27Eliminated the limitation on the number of options that can be pushedjames16-115/+271
to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. Remember that to make use of this feature to allow many routes to be pushed to clients, the client config file must specify the max-routes option, and the number of pushed routes cannot exceed this limit. Also, both server and client must include this commit. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-17The maximum number of "route" directives (specified in the configjames8-30/+86
file or pulled from a server) can now be configured via the new "max-routes" directive. Previously, the limit was set to 100 and fixed by a compile-time constant. Now the limit is dynamic and can be modified by the "max-routes" directive. If max-routes is not specified, the default limit is 100. Note that this change does not address the maximum size of the pushed options string sent from server to client, which is still controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4967 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-16Modified client to send a PUSH_REQUEST message to server 1 secondjames3-5/+14
after connection initiation rather than 0 seconds after. Successive PUSH_REQUEST messages after the first will continue to be sent at 5 second intervals until a response is received. This tends to speed up the client connection sequence by 4 seconds because the first PUSH_REQUEST message is usually sent too soon and is dropped, causing a wait of 5 seconds until the next PUSH_REQUEST message is sent. Version 2.1_rc19d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4965 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-08Updated version number to 2.1_rc19c.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4946 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-04Added "setcon" directive for interoperability with SELinuxjames6-4/+104
(Sebastien Raveau). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4932 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-24Added new ./configure flags:james3-3/+23
--disable-def-auth Disable deferred authentication --disable-pf Disable internal packet filter git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4852 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-24Added PLATFORM-SPECIFIC comment tag to platform-specific functionsjames1-4/+4
in route.c to make it easier to spot them. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4851 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-23Added "load-stats" management interface command to get globaljames2-0/+27
server load statistics. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4844 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-22Added --remote-random-hostname option.james6-10/+89
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4843 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-19Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).james1-6/+10
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4837 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-19Fixed build problem when ./configure --disable-server is used.james1-0/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4836 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-07-16OpenVPN version 2.1_rc19 releasedv2.1_rc19james2-1/+13
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4712 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-22In Windows TAP driver, refactor DHCP/ARP packet injection code tojames7-28/+154
use a DPC (deferred procedure call) to defer packet injection until IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive in the context of AdapterTransmit. This is an attempt to reduce kernel stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been observed on Vista. Updated TAP driver version number to 9.6. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4606 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-22Rename generated tapdrvr.cod to a unique name to avoid the issue wherejames1-0/+1
building for multiple architectures causes the previous tapdrvr.cod to be overwritten. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4604 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-09In configure.ac, use datadir instead of datarootdir for compatibilityjames1-1/+1
with <autoconf-2.60. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4539 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-07Version 2.1_rc18v2.1_rc18james2-2/+9
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4526 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-07Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c changejames1-0/+2
does not build on Windows on non-MINGW32. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4525 e7ae566f-a301-0410-adde-c780ea21d3b5