aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2011-04-26Added "auth-token" client directive, which is intended to beJames Yonan11-13/+113
pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token:<token> Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26win/sign.py now accepts an optional tap-dir argument.James Yonan1-4/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7086 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Version 2.1.3nJames Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7069 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Client will now try to reconnect if no push reply receivedJames Yonan4-3/+20
within handshake-window seconds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7066 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Extended "client-kill" management interface command (server-side)James Yonan7-19/+53
to accept an optional message string. The message string format is: RESTART|HALT,<human-readable-message> RESTART will tell the client to restart (i.e. SIGUSR1). HALT will tell the client to exit (i.e. SIGTERM). On the client, human-readable-message will be communicated via management interface: >NOTIFY,<severity>,<type>,<human-readable-message>" Version 2.1.3m git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Fixed bug introduced in r7031 that might cause this error message:James Yonan1-6/+16
PORT SHARE: sendmsg failed (unable to communicate with background process) git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7062 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Fixed issue where a client might receive multiple push replies fromJames Yonan3-2/+14
a server if it sent multiple push requests due to the server being slow to respond. This could cause the client to process pushed options twice, leading to duplicate pushed routes, among other issues. The fix, implemented server-side, is to reply only once to a push request even if multiple requests are received. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7060 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26env_filter_match now includes the serial number of all certsJames Yonan1-1/+1
in chain (as tls_serial_n vars), rather than only tls_serial_0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7055 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25Reduce log verbosity at level 3, with a focus on removing excessive log ↵James Yonan6-27/+33
verbosity generated by port-share activity. Version 2.1.3k git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7033 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25Added optional journal directory argument to "port-share" directive, for ↵James Yonan8-33/+131
reporting client IP origins of proxied connections. git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7031 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25Added --enable-lzo-stub configure option to build an OpenVPN client without ↵James Yonan7-14/+85
LZO, but that has limited interoperability with LZO-enabled servers. Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when client was built with --enable-lzo-stub configure option. This tells the server that the client lacks LZO capabilities, so the server should turn off LZO compression for this client via "lzo no". Added "setenv PUSH_PEER_INFO" option having the same effect as "push-peer-info". Version 2.1.3j git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7023 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-18Added "client-nat" option for stateless, one-to-oneJames Yonan15-17/+490
NAT on the client side. Version 2.1.3i. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6944 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Properly handle certificate serial numbers > 32 bits.James Yonan2-4/+12
Version 2.1.3h git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6931 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Fixes to r6925.James Yonan1-3/+3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6927 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Implemented get_default_gateway_mac_addr for Mac OS X (previously,James Yonan3-59/+125
was only defined for Windows and Linux). This enables OS X to report the MAC address of the default gateway to the server for ID purposes when client-side --push-peer-info option is specified. Also, minor fix to OS X get_default_gateway function: * include net/route.h directly rather than selectively paste stuff from it into route.c git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6925 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-18Fixed minor compile issue triggered on builds whereJames Yonan1-1/+1
MANAGEMENT_DEF_AUTH is not enabled. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6830 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-10* added --management-up-down option to allow management interfaceJames Yonan6-21/+55
to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-05Added --x509-track option.James Yonan10-4/+186
Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-13Misc fixes to r6708.James Yonan8-51/+72
Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-10Minor addition of logging info before and afterJames Yonan2-1/+3
execution of Windows net commands. Version 2.1.3d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-09Added "management-external-key" option. This option can be usedJames Yonan10-59/+433
instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: >RSA_SIGN:[BASE64_DATA] The management interface client should then sign BASE64_DATA using the private key and return the signature as follows: rsa-sig [BASE64_SIG_LINE] . . . END This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-16Fixes to prevent compile breakage when --disable-crypto is used.James Yonan2-5/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6656 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-16In verify_callback, the subject var should be freed by OPENSSL_free,James Yonan2-3/+3
not free, since it is allocated by OpenSSL. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-28Version 2.1.3bJames Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6585 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-24Make base64.h have the same conditional compilation expression asJames Yonan1-1/+1
base64.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6569 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-24Implement challenge/response authentication support in client mode,James Yonan7-24/+229
where credentials are entered from stdin. This capability is compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled by default). Challenge/response support was previously implemented for creds that are queried via the management interface. In this case, the challenge message will be returned as a custom client-reason-text string (see management-notes.txt for more info) on auth failure. Also, see the comments in misc.c above get_auth_challenge() for info on the OpenVPN challenge/response protocol. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-10-23Fixed initialization bug in route_list_add_default_gatewayJames Yonan1-0/+2
(Gert Doering). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6566 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-09-01Added --proto-force directive.James Yonan5-2/+35
Version 2.1.3a git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6424 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-31Don't configure Linux tun/tap txqueuelen setting if OpenVPNJames Yonan1-1/+1
txqueuelen directive is set to 0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6420 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-29Allow PKCS12 file content to be included inline in configuration file,James Yonan3-10/+39
rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-20Attempt to fix issue where domake-win build system was not properlyv2.1.3James Yonan11-203/+191
signing drivers and .exe files. Added win/tap_span.py for building multiple versions of the TAP driver and tapinstall binaries using different DDK versions to span from Win2K to Win7 and beyond. Version 2.1.3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-15Windows security issue:v2.1.2James Yonan4-3/+116
Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity Version 2.1.2 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-10Added warning about tls-remote in man page.James Yonan1-0/+7
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6384 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-08-09Distribute win directory (Python/MSVC-based build system)James Yonan1-1/+2
in "make dist" tarball. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6382 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-27Added "net stop dnscache" and "net start dnscache" in frontJames Yonan6-8/+34
of existing --register-dns commands. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-27Fixed an issue where application payload transmissions on theJames Yonan6-12/+54
TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped. Version 2.1.1n git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-26Fixed typo: missing comment close.James Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6347 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-16Added win/build_exe.py script, which is similar toJames Yonan2-21/+38
win/build_all.py except that it doesn't build the TAP drivers or tapinstall. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6306 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-16Added --register-dns option for Windows.James Yonan9-11/+79
Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection. Version 2.1.1m. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6304 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-12Implemented multi-address DNS expansion on the network field of routeJames Yonan4-16/+85
commands. When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection. Version 2.1.1l git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6291 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Version 2.1.1kJames Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6285 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Fixed bug in proxy fallback capability where openvpn.exe couldJames Yonan2-18/+22
core dump if http-proxy-fallback-disable command was issued in response to ">PROXY:NEED_NOW management" interface notification. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6284 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-07-10Added support for MSVC debugging of openvpn.exe in settings.in:James Yonan3-7/+16
# Build debugging version of openvpn.exe !define PRODUCT_OPENVPN_DEBUG git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6283 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-06-10Fixed issue where bad creds provided by the management interfaceJames Yonan2-3/+6
for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5701 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-06-01Implemented a key/value auth channel from client to server.James Yonan14-9/+248
Version 2.1.1i git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-24Implemented http-proxy-override and http-proxy-fallback directives to make itJames Yonan14-72/+565
easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-11Minor fixes to recent HTTP proxy changes:James Yonan3-5/+5
* use strcasecmp instead of stricmp * define HASH and HASHHEX as unsigned char to avoid compiler warnings git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5629 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-11Proxy improvements:James Yonan10-101/+676
Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy. Added http-auth "auto-nct" flag to reject weak proxy auth methods. Added HTTP proxy digest authentication method. Removed extraneous openvpn_sleep calls from proxy.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-05-09Fixed issue on Windows with MSVC compiler, where TCP_NODELAY supportJames Yonan1-1/+1
was not being compiled in. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5620 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-28Updated copyright date to 2010.James Yonan157-160/+160
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-22Added Python-based build system for Windows inJames Yonan24-26/+609
win directory. Fixed minor issue in TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly. Version 2.1.1g git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5577 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-17Minor change to doclean script:James Yonan1-1/+0
Don't delete config-win32.h, because this is now a true source file and no longer a generated file. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5558 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-16Management interface performance optimizations:James Yonan6-12/+161
* Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth * man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o Version 2.1.1f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5557 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-31Updated MSVC build scripts to Visual Studio 2008:James Yonan17-530/+491
python msvc\config.py nmake /f msvc\msvc.mak Version 2.1.1e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5516 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-30Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately afterJames Yonan2-4/+5
socket is created rather than waiting until after connect/listen. Version 2.1.1d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5514 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-17Version 2.1.1cJames Yonan2-2/+2
Enable exponential backoff in reliability layer retransmits. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5490 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Modified ">PASSWORD:Verification Failed" management interfaceJames Yonan4-6/+9
notification to include a client reason string: >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING'] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5468 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Added stub directive "remote-ip-hint".James Yonan1-0/+5
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5467 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-12Trivial fix to proxy.c -- #define proxy auth type as UP_TYPE_PROXY.James Yonan1-1/+3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5466 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-03-06Fixed an issue where if reneg-sec was set to 0 on the client,James Yonan1-2/+5
so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5464 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-02-26Fixed an issue in the Management Interface that could causeJames Yonan1-6/+15
a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5458 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-16Version 2.1.1bjames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5371 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-16Don't advance the connection list on AUTH_FAILED errors.james1-0/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5370 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-16Fixed an issue where AUTH_FAILED was not being properly deliveredjames2-13/+35
to the client when a bad password is given for mid-session reauth. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-01-12When aborting in a non-graceful way, try to execute do_close_tun injames3-1/+20
init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5367 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Fixed some breakage in openvpn.spec (which is required to build anv2.1.1james3-2/+12
RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth). Version 2.1.1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5269 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Version 2.1.0v2.1.0james4-2/+19
* Updated ChangeLog. * Note in man page that clients connecting to a --multihome server should always use the --nobind option. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5266 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Clarified that TAP-Win32 driver is licensed under GPL 2.james19-94/+19
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5265 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-11Documented --multihome in the man page.james1-0/+9
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5264 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-12-10Fixed a couple issues in sample plugins auth-pam.c and down-root.c:james2-2/+6
1. Fail gracefully rather than segfault if calloc returns NULL. 2. The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle. (Thanks to David Sommerseth for finding this bug). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5261 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-20Version 2.1_rc22v2.1_rc22james2-1/+13
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5169 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-19Fixed a client-side bug that occurred when the "dhcp-pre-release"james7-33/+141
or "dhcp-renew" options were combined with "route-gateway dhcp". The problem is that the IP Helper functions for DHCP release and renew are blocking, and so calling them from a single-threaded client stops tunnel traffic forwarding, and hence breaks "route-gateway dhcp" which requires an active tunnel. The fix is to call the IP Helper functions for DHCP release and renew from another process. Version 2.1_rc21b. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5164 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-13Increase MAX_CERT_DEPTH to 16 (from 8), and when exceeded,james3-3/+6
make it a hard failure, rather than just a warning. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-11-12Version 2.1_rc21v2.1_rc21james3-2/+18
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5152 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25Version 2.1_rc20ajames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5106 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25On server, lock client-provided certs against mid-session TLSjames3-5/+156
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-25Change to doval valgrind script. The openvpn command parameter is nowjames2-1/+14
implied, so new usage is: ./doval [openvpn parms] instead of: ./doval ./openvpn [openvpn parms] git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5104 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-24On server, lock session username against changes in mid-session TLSjames2-3/+31
renegotiations -- this is similer to how the common name is also locked. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-16Added "setenv GENERIC_CONFIG" directive, for generic configsjames1-0/+5
that cannot directly be used as a config file. The directive will simply cause OpenVPN to exit with an error if a generic config file is used. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5077 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-07Fixed issue where some .svn directories were being inadvertentlyv2.1_rc20james1-1/+1
included in the .tar.gz file built by make dist. Re-released as Version 2.1_rc20 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5058 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01Version 2.1_rc20james2-1/+51
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5023 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01client-kill management interface command, when issued on server, willjames6-7/+41
now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5021 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01Minor fix: management interface shouldn't echo 'load-stats' commands tojames1-1/+1
log file. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5020 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-29Added the ability for the server to provide a custom reason stringjames8-14/+84
when an AUTH_FAILED message is returned to the client. This string can be set by the server-side managment interface and read by the client-side management interface. For more info, see management/management-notes.txt, and look for references to "client-reason-text". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-28Fixed a bug introduced in r4436 (2.1_rc17) where using thejames1-2/+2
redirect-gateway option by itself, without any extra parameters, would cause the option to be ignored. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5011 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-28Added --server-poll-timeout option : when polling possible remotejames8-0/+70
servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5010 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-27Eliminated the limitation on the number of options that can be pushedjames16-115/+271
to clients, including routes. Previously, all pushed options needed to fit within a 1024 byte options string. Remember that to make use of this feature to allow many routes to be pushed to clients, the client config file must specify the max-routes option, and the number of pushed routes cannot exceed this limit. Also, both server and client must include this commit. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-17The maximum number of "route" directives (specified in the configjames8-30/+86
file or pulled from a server) can now be configured via the new "max-routes" directive. Previously, the limit was set to 100 and fixed by a compile-time constant. Now the limit is dynamic and can be modified by the "max-routes" directive. If max-routes is not specified, the default limit is 100. Note that this change does not address the maximum size of the pushed options string sent from server to client, which is still controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4967 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-16Modified client to send a PUSH_REQUEST message to server 1 secondjames3-5/+14
after connection initiation rather than 0 seconds after. Successive PUSH_REQUEST messages after the first will continue to be sent at 5 second intervals until a response is received. This tends to speed up the client connection sequence by 4 seconds because the first PUSH_REQUEST message is usually sent too soon and is dropped, causing a wait of 5 seconds until the next PUSH_REQUEST message is sent. Version 2.1_rc19d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4965 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-08Updated version number to 2.1_rc19c.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4946 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-04Added "setcon" directive for interoperability with SELinuxjames6-4/+104
(Sebastien Raveau). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4932 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-24Added new ./configure flags:james3-3/+23
--disable-def-auth Disable deferred authentication --disable-pf Disable internal packet filter git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4852 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-24Added PLATFORM-SPECIFIC comment tag to platform-specific functionsjames1-4/+4
in route.c to make it easier to spot them. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4851 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-23Added "load-stats" management interface command to get globaljames2-0/+27
server load statistics. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4844 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-22Added --remote-random-hostname option.james6-10/+89
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4843 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-19Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).james1-6/+10
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4837 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-19Fixed build problem when ./configure --disable-server is used.james1-0/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4836 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-07-16OpenVPN version 2.1_rc19 releasedv2.1_rc19james2-1/+13
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4712 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-22In Windows TAP driver, refactor DHCP/ARP packet injection code tojames7-28/+154
use a DPC (deferred procedure call) to defer packet injection until IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive in the context of AdapterTransmit. This is an attempt to reduce kernel stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been observed on Vista. Updated TAP driver version number to 9.6. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4606 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-22Rename generated tapdrvr.cod to a unique name to avoid the issue wherejames1-0/+1
building for multiple architectures causes the previous tapdrvr.cod to be overwritten. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4604 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-09In configure.ac, use datadir instead of datarootdir for compatibilityjames1-1/+1
with <autoconf-2.60. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4539 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-07Version 2.1_rc18v2.1_rc18james2-2/+9
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4526 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-07Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c changejames1-0/+2
does not build on Windows on non-MINGW32. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4525 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-01Fixed compile error on ./configure --enable-smalljames1-0/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4501 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-06-01Version 2.1_rc17v2.1_rc17james2-2/+45
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4500 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Update copyright to 2009.james157-160/+160
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Fixed bug where the remote_X environmental variables were not beingjames1-2/+2
set correctly when the 'local' option is specifed. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4476 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Fixed issue of symbol conflicts interfering with Windows CryptoAPIjames4-8/+7
functionality (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4475 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-24Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPNjames6-33/+119
client will examine the routing table and determine whether (a) the OpenVPN server is reachable via a locally connected interface, or (b) traffic to the server must be forwarded through the default router. Only add a special bypass route for the OpenVPN server if (b) is true. If (a) is true, behave as if the 'local' flag is specified, and do not add a bypass route. The new 'autolocal' flag depends on the non-portable test_local_addr() function in route.c, which is currently only implemented for Windows. The 'autolocal' flag will act as a no-op on platforms that have not yet defined a test_local_addr() function. Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for more option content to be pushed from server to client). Raised D_MULTI_DROPPED debug level to 4 from 3. Version 2.1_rc16b. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4446 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-23Added "redirect-private" option which allows private subnetsjames3-69/+80
to be pushed to the client in such a way that they don't accidently obscure critical local addresses such as the DHCP server address and DNS server addresses. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4436 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-21Fixed race condition in management interface recv code onjames3-5/+6
Windows, where sending a set of several commands to the management interface in quick succession might cause the latter commands in the set to be ignored. Increased management interface input command buffer size from 256 to 1024 bytes. Minor tweaks to Windows build system. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4414 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-21Reduce the debug level (--verb) at which received management interfacejames1-1/+1
commands are echoed from 7 to 3. Passwords will be filtered. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4413 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-18Version 2.1_rc16v2.1_rc16james2-1/+54
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4363 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-13Updated Windows build scripts to package openssl-0.9.8k,james4-21/+21
and to use the Server 2008 WDK (6001.18002). In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to OpenVPNCryptAcquireCertificatePrivateKey to work around a symbol conflict in MinGW-5.1.4.exe. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4318 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-04-13Added errors-to-stderr option. When enabled, fatal errorsjames3-6/+28
that result in the termination of the daemon will be written to stderr. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4131 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-04-10Allow "management-client" directive to be usedjames5-44/+91
with unix domain sockets. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4128 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-04-09Added the ability to read the configuration filejames1-2/+6
from stdin, when "stdin" is given as the config file name. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4127 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-02-13install-win32/buildinstaller will now always sign executablejames1-1/+1
if SIGNTOOL is defined, even if EXTRACT_FILES is enabled. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3976 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Fixed issue involving an #ifdef in a macro reference that breaks early gccjames1-2/+5
compilers. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3903 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Updated common.h types for _WIN64.james1-0/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3902 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Updated configure.ac to work on MinGW.james1-53/+58
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3901 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Fixed some compile-time warnings.james4-5/+7
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3900 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-27Fixed some issues with C++ style comments that leaked into the code.james2-6/+6
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3899 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-21Version 2.1_rc15ejames2-1/+6
Windows installer changes: * ifdefed out the check Windows version code which is causing problems on Windows 7 * don't define SF_SELECTED if it is already defined git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3855 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-01-01In Windows installer generator, don't sign the installer .exejames1-1/+1
if EXTRACT_FILES is defined in settings.in. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3791 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-26Added daemon_start_time and daemon_pid environmental variables.james6-6/+22
In management interface, added new ">CLIENT:ESTABLISHED" notification. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3763 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-25Fixed issue where SIGUSR1 restarts would fail if privatejames3-4/+7
key was specified as an inline file. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3743 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-23Version 2.1_rc15bjames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3729 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-18Added n_clients environmental variable to information passedjames1-4/+20
to management interface client when management-client-auth is enabled. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3718 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-18Added "nclients" command to management interface tojames4-0/+37
display the current number of authenticated clients connected to the server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3717 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-12-01Added MultiFileExtract capability to Windows Installer.james4-128/+16
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3620 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-30Added ExtractAuxFile capability to Windows Installer.james4-2/+136
Changed Windows installer to use LZMA instead of BZIP2 compression. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3616 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-20Added new management interface command "pid" to show thejames2-0/+10
process ID of the current OpenVPN process (Angelo Laub). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3552 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-20Added optional "nogw" (no gateway) flag to --server-bridgejames5-84/+101
to inhibit the pushing of the route-gateway parameter to clients. Miscellaneous man page edits, fixed some formatting issues. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3550 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-19Version 2.1_rc15v2.1_rc15james2-1/+28
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3525 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-19Fixed issue introduced in 2.1_rc14 that may cause ajames1-1/+1
segfault when a --plugin module is used. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3524 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Added --tcp-nodelay option: Macro that sets TCP_NODELAY socketjames5-0/+76
flag on the server as well as pushes it to connecting clients. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3513 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Cleaned up man page synopsis.james1-273/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3507 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Minor options check fix: --no-name-remapping is ajames1-0/+2
server-only option and should therefore generate an error when used on the client. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3506 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Added server-side --opt-verify option: clients that connectjames4-0/+29
with options that are incompatible with those of the server will be disconnected. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-18Added --prng option to control PRNG (pseudo-randomjames9-21/+136
number generator) parameters. In previous OpenVPN versions, the PRNG was hardcoded to use the SHA1 hash. Now any OpenSSL hash may be used. This is part of an effort to remove hardcoded references to a specific cipher or cryptographic hash algorithm. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-17Version 2.1_rc14v2.1_rc14james2-8/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3496 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-17* Added additional method parameter to --script-security to preservejames14-105/+383
backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-16Interim release.james2-1/+87
Version 2.1_rc13b git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3494 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-05Minor fix to previous commit (r3476).james1-3/+3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3477 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-04Added config file option "setenv FORWARD_COMPATIBLE 1" to relaxjames3-3/+33
config file syntax checking to allow directives for future OpenVPN versions to be ignored. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3476 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-03Fixed revoke-full to deal with issue arising from additionjames1-1/+2
of KEY_NAME environmental variable parameter to openssl.cnf git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3472 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-11-03Fixed some ifconfig-pool issues that precludedjames3-10/+12
it from being combined with --server directive. Now, for example, we can configure thusly: server 10.8.0.0 255.255.255.0 nopool ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0 to have ifconfig-pool manage only a subset of the VPN subnet. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3471 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-31Updated docs to reflect the addition ofjames3-3/+4
--status-version 3. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3468 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-31Added --no-name-remapping option to allow Common Name, X509 Subject,james4-3/+42
and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-31Added --status-version 3 which is the same as version 2james2-25/+28
except tabs are used as delimiters instead of commas. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3466 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Modified pkitool to allow flexibility in separatingjames1-14/+20
the Common Name convention from the cert/key filename convention. For example: KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james will crete a client certificate/key pair of james.crt/james.key having a Common Name of "James's Laptop" and a Name of "james". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3463 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Added man page entry for new environmental variable setjames1-0/+37
X509_{n}_{subject_field}. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3462 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Added server-side --auth-user-pass-optional directive, to allowjames6-21/+57
connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Change to pkitool/openssl.cnf so that calling scripts canjames2-1/+16
set the KEY_NAME environmental variable to set the "name" X509 subject field in generated certificates. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3460 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-28Save X509 Subject fields to environment, using the naming convention:james1-0/+54
X509_{cert_depth}_{name}={value} git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3459 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-27Fixed informational message in ssl.c to properly indicatejames1-1/+5
deferred authentication. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3457 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-24Extended Management Interface "bytecount" commandjames5-29/+153
to work when OpenVPN is running as a server. Documented Management Interface "bytecount" command in management/management-notes.txt. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3452 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-24Added optional files SAMPCONF_CONF2 (second sample configurationjames2-0/+14
file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows build system, and may be defined in settings.in. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3450 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-17Modified Windows domake-win build system to write all openvpn.nsijames5-49/+94
input files to gen, so that gen can be disconnected from the rest of the source tree and makensis openvpn.nsi will still function correctly. Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in (commented out by default). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3439 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-15Added additional warning messages about --script-security 2james4-3/+10
or higher being required to execute user-defined scripts or executables. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3436 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-14Added AC_GNU_SOURCE to configure.ac to enable struct ucred,james3-59/+324
with the goal of fixing a build issue on Fedora 9 that was introduced in 2.1_rc13. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3434 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-08Version 2.1_rc13v2.1_rc13james10-30/+43
Minor fixes to Windows build scripts. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3417 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-06Copyright notice changed to reflect change in name ofjames157-198/+194
Telethra to OpenVPN Technologies. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-30Management interface can now listen on a unixjames16-45/+693
domain socket, for example: management /tmp/openvpn unix Also added management-client-user and management-client-group directives to control which processes are allowed to connect to the socket. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3396 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-23Version 2.1_rc12v2.1_rc12james2-1/+10
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3349 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-19Fixed --lladdr bug introduced in 2.1-rc9 where input validation codejames3-2/+42
was incorrectly expecting the lladdr parameter to be an IP address when it is actually a MAC address (HoverHell). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3339 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-15Patched Makefile.am so that the new t_cltsrv-down.sh script becomesjames2-2/+3
part of the tarball (Matthias Andree). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3332 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-15Version 2.1_rc11v2.1_rc11james4-10/+38
Fixed a bug that can cause SSL/TLS negotiations in UDP mode to fail if UDP packets are dropped. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3330 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-10Version 2.1_rc10v2.1_rc10james2-1/+94
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3323 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-08Version 2.1_rc9bjames1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3318 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-08Fixed bug in intra-session TLS key rollover that was introduced withjames3-18/+68
deferred authentication features in 2.1_rc8. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3316 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-06Modified ip_or_dns_addr_safe, which validates pulled DNS names,james2-4/+16
to more closely conform to RFC 3696: * DNS name length must not exceed 255 characters * DNS name characters must be limited to alphanumeric, dash ('-'), and dot ('.') git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3312 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-062.1_rc8 and earlier did implicit shell expansion on scriptjames9-363/+350
arguments since all scripts were called by system(). The security hardening changes made to 2.1_rc9 no longer use system(), but rather use the safer execve or CreateProcess system calls. The security hardening also introduced a backward incompatibility with 2.1_rc8 and earlier in that script parameters were no longer shell-expanded, so for example: client-connect "docc CLIENT-CONNECT" would fail to work because execve would try to execute a script called "docc CLIENT-CONNECT" instead of "docc" with "CLIENT-CONNECT" as the first argument. This patch fixes the issue, bringing the script argument semantics back to pre 2.1_rc9 behavior in order to preserve backward compatibility while still using execve or CreateProcess to execute the script/executable. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-04Added --allow-pull-fqdn option which allows client to pull DNS namesjames5-12/+45
from server (rather than only IP address) for --ifconfig, --route, and --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names for these options to be pulled and translated to IP addresses by default. Now --allow-pull-fqdn will be explicitly required on the client to enable DNS-name-to-IP-address translation of pulled options. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-11Fixed minor compile issue in ntlm.c (mid-block declaration).james1-2/+4
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3222 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-11LZO compression buffer overflow errors will now invalidatejames1-1/+7
the packet rather than trigger a fatal assertion. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3221 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-10Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, whichjames2-5/+2
the new implementation of extract_x509_field_ssl depends on. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3220 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-10Fixed build issue with ./configure --disable-socks --disable-http.james3-4/+4
Fixed separate compile errors in options.c and ntlm.c that occur on strict C compilers (such as old versions of gcc) that require that C variable declarations occur at the start of a {} block, not in the middle. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3219 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-10Tagged security fix in 2.1-rc9 as CVE-2008-3459.james1-0/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3218 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-10Updated openvpn/t_cltsrv.sh (used by "make check") to conform to newjames2-14/+44
--script-security rules. Also adds retrying if the addresses are in use (Matthias Andree). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3217 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-05Reverted r3181, accomplish the same thing via a special casejames3-21/+16
for Windows stdcall functions in configure.ac (Alon Bar-Lev). Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO and USE_SSL flags are enabled (Alon Bar-Lev). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3183 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-05Workaround for MinGW autoconf issue where HAVE_SETSOCKOPT,james1-0/+12
HAVE_GETSOCKOPT, and HAVE_POLL are undefined even though the underlying functions are present. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3181 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-05Added additional warnings to flag common gotchas:james5-27/+133
* Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously. * When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road. * Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet. Added a 'netmask' parameter to get_default_gateway, to return the netmask of the adapter containing the default gateway. Only implemented on Windows so far. Other platforms will return 255.255.255.0. Currently the netmask information is only used to warn about subnet conflicts. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3179 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-04Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dnsjames1-1/+1
on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255, ignore it. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3177 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-02Added "--server-bridge" (without parameters) to enablejames14-34/+427
DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses. Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN. Modified client.conf and server.conf to reflect new option modes. Incremented version to 2.1_rc9a. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3164 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-01Version 2.1_rc9v2.1_rc9james1-2/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3155 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-31In Windows build, package a statically linked openssl.exe to work aroundjames4-13/+6
observed instabilities in the dynamic build since the migration to OpenSSL 0.9.8h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3149 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-31Updated ChangeLog and version number.james2-1/+22
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3147 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-27Added additional warnings for:james1-0/+7
* --tls-remote -- some people misunderstand the semantics * --script-security -- warn if script-security will allow user-defined scripts to be called, and also warn separately if passwords may be passed to scripts via the environment git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3129 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-27Added additional defensive programming to buffer.[ch] functions.james2-26/+118
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3128 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-27Added a warning message when passwords are cached in memory.james1-0/+4
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3127 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-26Perform additional input validation on options pulledjames7-64/+230
by client from server. Fixes --iproute vulnerability. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3126 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-26Fixed compiler warnings in Windows build (MinGW).james6-5/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3125 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-26Completely revamped the system for calling external programs and scripts:james23-420/+1098
* All external programs and scripts are now called by execve() on unix and CreateProcess on Windows. * The system() function is no longer used. * Argument lists for external programs and scripts are now built by the new argv_printf function which natively outputs to string arrays (i.e. char *argv[] lists), never truncates its output, and eliminates the security issues inherent in formatting and parsing command lines, and dealing with argument quoting. * The --script-security directive has been added to offer policy controls on OpenVPN's execution of external programs and scripts. Also added a new plugin example (openvpn/plugin/examples/log.c) that logs information to stdout for every plugin method called by OpenVPN. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3122 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-23Added argv_x functions to buffer.[ch] to be used to safely buildjames3-0/+265
up argv strings for execve without the possibility of truncation or misinterpretation of mid-argument spacing. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3107 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19buf_printf will now return false on errors, such as truncationjames2-3/+8
due to overflow. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3085 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19Modified extract_x509_field_ssl to return a status value indicatingjames1-37/+41
success/error, and any truncation of output due to an insufficiently large output buffer will be cause for error. In verify_callback, read X509 Subject Name without truncation. In verify_callback, rather than silently truncating Common Name at 64 bytes, throw an error if Common Name is larger than 64 bytes. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3084 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-19Replace leading dash ('-') characters in an X509 name with underbars ('_')james3-0/+19
before calling user-defined scripts, to preclude the chance of a leading dash being interpreted as an option prefix. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3083 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-18Added a warning when plugins are specified withoutjames3-1/+28
an absolute pathname. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3082 e7ae566f-a301-0410-adde-c780ea21d3b5
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-10 08:58:34 +0000